Shorewall 1.4.2

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@535 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2003-04-13 15:28:32 +00:00
parent ed0bbce737
commit 16906234c8
109 changed files with 29372 additions and 31361 deletions


@ -16,10 +16,10 @@ run_iptables -A common -p icmp -j icmpdef
############################################################################ ############################################################################
# NETBIOS chatter # NETBIOS chatter
# #
run_iptables -A common -p udp --dport 137:139 -j REJECT run_iptables -A common -p udp --dport 137:139 -j reject
run_iptables -A common -p udp --dport 445 -j REJECT run_iptables -A common -p udp --dport 445 -j reject
run_iptables -A common -p tcp --dport 139 -j REJECT run_iptables -A common -p tcp --dport 139 -j reject
run_iptables -A common -p tcp --dport 445 -j REJECT run_iptables -A common -p tcp --dport 445 -j reject
run_iptables -A common -p tcp --dport 135 -j reject run_iptables -A common -p tcp --dport 135 -j reject
############################################################################ ############################################################################
# UPnP # UPnP


@ -44,6 +44,15 @@
# an ethernet NIC and must be up before # an ethernet NIC and must be up before
# Shorewall is started. # Shorewall is started.
# #
# routeback - Shorewall show set up the infrastructure
# to pass packets from this/these
# address(es) back to themselves. This is
# necessary of hosts in this group use the
# services of a transparent proxy that is
# a member of the group or if DNAT is used
# to send requests originating from this
# group to a server in the group.
#
# #
#ZONE HOST(S) OPTIONS #ZONE HOST(S) OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
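Review bot: The new `routeback` description in the OPTIONS comment block has two typos that change its meaning: `Shorewall show set up` should read `Shorewall should set up`, and `necessary of hosts in this group` should read `necessary if hosts in this group`. This template is what an administrator reads before enabling an option that lets traffic from a host group be routed back to the same group, so the wording should be exact. The two lines would become `# routeback - Shorewall should set up the infrastructure` and `# necessary if hosts in this group use the`.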


@ -542,6 +542,9 @@ determine_hosts() {
interfaces="$interfaces $interface" interfaces="$interfaces $interface"
fi fi
fi fi
[ "${host#*:}" = "0.0.0.0/0" ] || \
eval ${zone}_is_complex=Yes
done done
eval ${zone}_interfaces="\$interfaces" eval ${zone}_interfaces="\$interfaces"
@ -605,6 +608,10 @@ validate_interfaces_file() {
;; ;;
routefilter|dropunclean|logunclean|blacklist|proxyarp|maclist|-) routefilter|dropunclean|logunclean|blacklist|proxyarp|maclist|-)
;; ;;
routeback)
[ -n "$z" ] || startup_error "The routeback option may not be specified on a multi-zone interface"
eval ${z}_routeback=\"$interface:0.0.0.0/0 \$${z}_routeback\"
;;
*) *)
error_message "Warning: Invalid option ($option) in record \"$r\"" error_message "Warning: Invalid option ($option) in record \"$r\""
;; ;;
@ -635,6 +642,9 @@ validate_hosts_file() {
case $option in case $option in
maclist|-) maclist|-)
;; ;;
routeback)
eval ${z}_routeback=\"$host \$${z}_routeback\"
;;
*) *)
error_message "Warning: Invalid option ($option) in record \"$r\"" error_message "Warning: Invalid option ($option) in record \"$r\""
;; ;;
@ -1665,16 +1675,16 @@ check_config() {
determine_interfaces determine_interfaces
determine_hosts determine_hosts
echo "Validating policy file..."
validate_policy
echo "Validating rules file..." echo "Validating rules file..."
rules=`find_file rules` rules=`find_file rules`
strip_file rules $rules strip_file rules $rules
process_rules process_rules
echo "Validating policy file..."
validate_policy
rm -rf $TMP_DIR rm -rf $TMP_DIR
echo "Configuration Validated" echo "Configuration Validated"
@ -3185,13 +3195,14 @@ initialize_netfilter () {
setcontinue FORWARD setcontinue FORWARD
setcontinue INPUT setcontinue INPUT
setcontinue OUTPUT setcontinue OUTPUT
# #
# Allow DNS lookups during startup for FQDNs and deep-six INVALID packets # Allow DNS lookups during startup for FQDNs and deep-six INVALID packets
# #
for chain in INPUT OUTPUT FORWARD; do for chain in INPUT OUTPUT FORWARD; do
run_iptables -A $chain -p udp --dport 53 -j ACCEPT run_iptables -A $chain -p udp --dport 53 -j ACCEPT
run_iptables -A $chain -m state --state INVALID -j DROP run_iptables -A $chain -p ! icmp -m state --state INVALID -j DROP
done done
[ -n "$CLAMPMSS" ] && \ [ -n "$CLAMPMSS" ] && \
@ -3661,6 +3672,13 @@ activate_rules()
chain1=`rules_chain $FW $zone` chain1=`rules_chain $FW $zone`
chain2=`rules_chain $zone $FW` chain2=`rules_chain $zone $FW`
eval complex=\$${zone}_is_complex
if [ -n "$complex" ]; then
frwd_chain=${zone}_frwd
createchain $frwd_chain No
fi
echo "$FW $zone $chain1" >> ${STATEDIR}/chains echo "$FW $zone $chain1" >> ${STATEDIR}/chains
echo "$zone $FW $chain2" >> ${STATEDIR}/chains echo "$zone $FW $chain2" >> ${STATEDIR}/chains
@ -3678,6 +3696,8 @@ activate_rules()
run_iptables -A `input_chain $interface` -s $subnet -j $chain2 run_iptables -A `input_chain $interface` -s $subnet -j $chain2
[ -n "$complex" ] && \
run_iptables -A `forward_chain $interface` -s $subnet -j $frwd_chain
done done
for zone1 in $zones; do for zone1 in $zones; do
@ -3692,17 +3712,27 @@ activate_rules()
echo "$zone $zone1 $chain" >> ${STATEDIR}/chains echo "$zone $zone1 $chain" >> ${STATEDIR}/chains
if [ $zone = $zone1 ]; then
eval routeback=\"\$${zone}_routeback\"
else
routeback=
fi
for host in $source_hosts; do for host in $source_hosts; do
interface=${host%:*} interface=${host%:*}
subnet=${host#*:}
if [ -n "$complex" ]; then
chain1=$frwd_chain
else
chain1=`forward_chain $interface` chain1=`forward_chain $interface`
fi
for host1 in $dest_hosts; do for host1 in $dest_hosts; do
interface1=${host1%:*} interface1=${host1%:*}
subnet1=${host1#*:} subnet1=${host1#*:}
if [ "$host" != "$host1" ]; then if [ "$host" != "$host1" ] || list_search $host $routeback; then
run_iptables -A $chain1 -s $subnet -o $interface1 -d $subnet1 -j $chain run_iptables -A $chain1 -o $interface1 -d $subnet1 -j $chain
fi fi
done done
done done
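Review bot: In the initialize_netfilter hunk the comment above the loop still promises to `deep-six INVALID packets`, but the new rule `run_iptables -A $chain -p ! icmp -m state --state INVALID -j DROP` now lets INVALID-state ICMP continue into the later chains; that is a deliberate relaxation (presumably the `traceroute -I` item in the changelog) that a reader of the comment will not expect. I would change the comment line to `# Allow DNS lookups during startup for FQDNs and deep-six INVALID packets (ICMP excepted so that traceroute -I replies are not dropped here)`. Separately, in the last activate_rules hunk the rewritten rule `run_iptables -A $chain1 -o $interface1 -d $subnet1 -j $chain` drops `-s $subnet`, so the `subnet=${host#*:}` assigned just above it appears unused in this loop unless it is consumed past the hunk; this is only equivalent because a zone with any host other than 0.0.0.0/0 is flagged `_is_complex` in determine_hosts and enters `$frwd_chain` through the `-s $subnet -j $frwd_chain` jump, which deserves a one-line comment at the `if [ -n "$complex" ]` branch. Both initialize_netfilter and activate_rules begin and end outside the hunks shown.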


@ -181,6 +181,34 @@ mutex_off()
rm -f $STATEDIR/lock rm -f $STATEDIR/lock
} }
#
# Read a file and handle "INCLUDE" directives
#
read_file() # $1 = file name, $2 = nest count
{
local first rest
while read first rest; do
if [ "x$first" = "xINCLUDE" ]; then
if [ $2 -lt 4 ]; then
read_file `find_file ${rest%#*}` $(($2 + 1))
else
echo " WARNING: INCLUDE in $1 ignored (nested too deeply)" >&2
fi
else
echo "$first $rest"
fi
done < $1
}
#
# Function for including one file into another
#
INCLUDE() {
. `find_file $@`
}
# #
# Strip comments and blank lines from a file and place the result in the # Strip comments and blank lines from a file and place the result in the
# temporary directory # temporary directory
@ -192,7 +220,7 @@ strip_file() # $1 = Base Name of the file, $2 = Full Name of File (optional)
[ $# = 1 ] && fname=`find_file $1` || fname=$2 [ $# = 1 ] && fname=`find_file $1` || fname=$2
if [ -f $fname ]; then if [ -f $fname ]; then
cut -d'#' -f1 $fname | grep -v '^[[:space:]]*$' > $TMP_DIR/$1 read_file $fname 0 | cut -d'#' -f1 | grep -v '^[[:space:]]*$' > $TMP_DIR/$1
else else
> $TMP_DIR/$1 > $TMP_DIR/$1
fi fi
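Review bot: `read_file` changes what strip_file feeds downstream: `while read first rest` has no `-r`, so a backslash in any configuration line is now consumed by the shell (the old `cut -d'#' -f1 $fname` path passed it through untouched), and `echo "$first $rest"` re-joins the fields with a single space; use `while read -r first rest; do`. The INCLUDE branch also trusts `find_file` unconditionally: when the named file does not exist the recursive call receives an empty first argument and the nested `done < $1` is left with an empty redirect target instead of the user seeing a warning, so capture the `find_file` result into a local first and only recurse when `[ -f "$f" ]` holds, otherwise print a warning to stderr like the depth case does. Since an INCLUDE line now pulls arbitrary content from wherever `find_file` resolves the name, the header comment should say so; I would extend `# Read a file and handle "INCLUDE" directives` with `# (included files are located with find_file; nesting deeper than four levels is ignored with a warning)`.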


@ -1 +1 @@
1.4.1 1.4.2


@ -1 +1 @@
1.4.1 1.4.2


@ -1,9 +1,15 @@
Changes since 1.4.0 Changes since 1.4.1
1. Implement NONE policy. 1. Re-order steps in the 'check' command so that the policy file is
checked before the rules file.
2. Never create rules for <iface>:<subnet> to itself. 2. Create an intermediate chain for input from zones defined in terms
of specific hosts or networks.
3. Always allow intrazone traffic. 3. Fixed common.def to use 'reject' rather than 'REJECT'.
4. Correct building of ECN interface list under ash. 4. Added support for INCLUDE directive in all files.
5. Made traceroute -I work.
6. Add 'routeback' interface and host attribute.


@ -34,7 +34,8 @@
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td
width="100%">
@ -50,6 +51,10 @@
</table> </table>
<h1>Looking for Step by Step Configuration Instructions? Check out the <a
href="file:///Z:/Shorewall-docs/shorewall_quickstart_guide.htm">QuickStart
Guides</a>. <br>
</h1>
<h1>PORT FORWARDING<br> <h1>PORT FORWARDING<br>
</h1> </h1>
@ -68,9 +73,9 @@
<p align="left"><b>1b. </b><a href="#faq1b">I'm still having problems with <p align="left"><b>1b. </b><a href="#faq1b">I'm still having problems with
port forwarding</a></p> port forwarding</a></p>
<p align="left"><b>1c. </b><a href="#faq1c">From the internet, I want to <b>connect <p align="left"><b>1c. </b><a href="#faq1c">From the internet, I want to
to port 1022</b> on my firewall and have the <b>firewall forward the connection <b>connect to port 1022</b> on my firewall and have the <b>firewall forward
to port 22 on local system 192.168.1.3</b>. How do I do that?</a><br> the connection to port 22 on local system 192.168.1.3</b>. How do I do that?</a><br>
</p> </p>
<h1><b>DNS and PORT FORWARDING/NAT<br> <h1><b>DNS and PORT FORWARDING/NAT<br>
@ -107,7 +112,8 @@ as 'closed' rather than 'blocked'.</b> Why?</a></p>
<p align="left"><b>4a. </b><a href="#faq4a">I just ran an <b>nmap UDP scan</b> <p align="left"><b>4a. </b><a href="#faq4a">I just ran an <b>nmap UDP scan</b>
of my firewall and it showed 100s of ports as open!!!!</a></p> of my firewall and it showed 100s of ports as
open!!!!</a></p>
<h1>CONNECTION PROBLEMS</h1> <h1>CONNECTION PROBLEMS</h1>
@ -142,16 +148,16 @@ as 'closed' rather than 'blocked'.</b> Why?</a></p>
</p> </p>
<p align="left"><b>6d.</b> <a href="#faq6d">Why is the <b>MAC address</b> <p align="left"><b>6d.</b> <a href="#faq6d">Why is the <b>MAC address</b>
in Shorewall log messages <b>so long</b>? I thought MAC addresses in Shorewall log messages <b>so long</b>? I thought MAC addresses were
were only 6 bytes in length.</a><b><br> only 6 bytes in length.</a><b><br>
</b></p> </b></p>
<p align="left"><b>16. </b><a href="#faq16">Shorewall is writing <b>log messages <p align="left"><b>16. </b><a href="#faq16">Shorewall is writing <b>log messages
all over my console</b> making it unusable!<br> all over my console</b> making it unusable!<br>
</a></p> </a></p>
<b>17</b>. <a <b>17</b>. <a
href="#faq17">How do I find out <b>why this traffic is</b> href="#faq17">How do I find out <b>why this traffic is</b> getting
getting <b>logged?</b></a><br> <b>logged?</b></a><br>
<b><br> <b><br>
21. </b><a href="#faq21">I see these <b>strange log entries 21. </b><a href="#faq21">I see these <b>strange log entries
</b>occasionally; what are they?</a><br> </b>occasionally; what are they?</a><br>
@ -207,24 +213,24 @@ support?</a></p>
</h1> </h1>
<p align="left"><b>14. </b><a href="#faq14">I'm connected via a cable modem <p align="left"><b>14. </b><a href="#faq14">I'm connected via a cable modem
and it has an internel web server that allows me and it has an internel web server that allows
to configure/monitor it but as expected if I enable me to configure/monitor it but as expected if I enable
<b> rfc1918 blocking</b> for my eth0 interface, it also blocks <b> rfc1918 blocking</b> for my eth0 interface, it also
the <b>cable modems web server</b></a>.</p> blocks the <b>cable modems web server</b></a>.</p>
<p align="left"><b>14a. </b><a href="#faq14a">Even though it assigns public <p align="left"><b>14a. </b><a href="#faq14a">Even though it assigns public
IP addresses, my ISP's DHCP server has an RFC 1918 IP addresses, my ISP's DHCP server has an RFC
address. If I enable RFC 1918 filtering on my external 1918 address. If I enable RFC 1918 filtering on my
interface, <b>my DHCP client cannot renew its lease</b>.</a></p> external interface, <b>my DHCP client cannot renew its lease</b>.</a></p>
<h1>ALIAS IP ADDRESSES/VIRTUAL INTERFACES<br> <h1>ALIAS IP ADDRESSES/VIRTUAL INTERFACES<br>
</h1> </h1>
<b>18.</b> <a href="#faq18">Is there any <b>18.</b> <a href="#faq18">Is there any
way to use <b>aliased ip addresses</b> with Shorewall, and way to use <b>aliased ip addresses</b> with Shorewall,
maintain separate rulesets for different IPs?</a><br> and maintain separate rulesets for different IPs?</a><br>
<h1>MISCELLANEOUS<br> <h1>MISCELLANEOUS<br>
</h1> </h1>
@ -232,8 +238,8 @@ way to use <b>aliased ip addresses</b> with Shorewall, and
but they <b>don't </b>seem to <b>do anything</b>. Why?</a><br> but they <b>don't </b>seem to <b>do anything</b>. Why?</a><br>
<br> <br>
<b>20. </b><a href="#faq20">I have <b>20. </b><a href="#faq20">I have
just set up a server. <b>Do I have to change Shorewall to just set up a server. <b>Do I have to change Shorewall to allow
allow access to my server from the internet?</b></a><br> access to my server from the internet?</b></a><br>
<br> <br>
<b>24. </b><a href="#faq24">How can I <b>allow conections</b> <b>24. </b><a href="#faq24">How can I <b>allow conections</b>
to let's say the ssh port only<b> from specific IP Addresses</b> to let's say the ssh port only<b> from specific IP Addresses</b>
@ -244,15 +250,15 @@ allow access to my server from the internet?</b></a><br>
<hr> <hr>
<h4 align="left"><a name="faq1"></a>1. I want to forward UDP port 7777 to <h4 align="left"><a name="faq1"></a>1. I want to forward UDP port 7777 to
my my personal PC with IP address 192.168.1.5. I've my my personal PC with IP address 192.168.1.5.
looked everywhere and can't find how to do it.</h4> I've looked everywhere and can't find how to do it.</h4>
<p align="left"><b>Answer: </b>The <a <p align="left"><b>Answer: </b>The <a
href="Documentation.htm#PortForward"> first example</a> in the <a href="Documentation.htm#PortForward"> first example</a> in the <a
href="Documentation.htm#Rules">rules file documentation</a> shows how to href="Documentation.htm#Rules">rules file documentation</a> shows how to
do port forwarding under Shorewall. The format of do port forwarding under Shorewall. The format
a port-forwarding rule to a local system is as follows:</p> of a port-forwarding rule to a local system is as follows:</p>
<blockquote> <blockquote>
@ -387,8 +393,8 @@ DEST.</b></u></td>
</table> </table>
</blockquote> </blockquote>
Finally, if you need to forward a range of ports, in the PORT Finally, if you need to forward a range of ports, in the
column specify the range as <i>low-port</i>:<i>high-port</i>.<br> PORT column specify the range as <i>low-port</i>:<i>high-port</i>.<br>
<h4 align="left"><a name="faq1a"></a>1a. Ok -- I followed those instructions <h4 align="left"><a name="faq1a"></a>1a. Ok -- I followed those instructions
but it doesn't work</h4> but it doesn't work</h4>
@ -404,8 +410,8 @@ to test from inside your firewall (no, that won't work
-- see <a href="#faq2">FAQ #2</a>).</li> -- see <a href="#faq2">FAQ #2</a>).</li>
<li>You have a more <li>You have a more
basic problem with your local system such as an incorrect basic problem with your local system such as an incorrect
default gateway configured (it should be set to the IP address default gateway configured (it should be set to the IP
of your firewall's internal interface).</li> address of your firewall's internal interface).</li>
<li>Your ISP is blocking that particular port inbound.<br> <li>Your ISP is blocking that particular port inbound.<br>
</li> </li>
@ -420,19 +426,19 @@ default gateway configured (it should be set to the IP address
<ul> <ul>
<li>As root, type "iptables -t <li>As root, type "iptables
nat -Z". This clears the NetFilter counters in the nat -t nat -Z". This clears the NetFilter counters in the
table.</li> nat table.</li>
<li>Try to connect to the redirected <li>Try to connect to the redirected
port from an external host.</li> port from an external host.</li>
<li>As root type "shorewall show <li>As root type "shorewall
nat"</li> show nat"</li>
<li>Locate the appropriate DNAT <li>Locate the appropriate DNAT
rule. It will be in a chain called <i>&lt;source zone&gt;</i>_dnat rule. It will be in a chain called <i>&lt;source zone&gt;</i>_dnat
('net_dnat' in the above examples).</li> ('net_dnat' in the above examples).</li>
<li>Is the packet count in the <li>Is the packet count in the
first column non-zero? If so, the connection request first column non-zero? If so, the connection request is
is reaching the firewall and is being redirected to the server. reaching the firewall and is being redirected to the server.
In this case, the problem is usually a missing or incorrect In this case, the problem is usually a missing or incorrect
default gateway setting on the server (the server's default default gateway setting on the server (the server's default
gateway should be the IP address of the firewall's interface gateway should be the IP address of the firewall's interface
@ -512,8 +518,8 @@ DEST.</b></u></td>
</div> </div>
<h4 align="left"><a name="faq2"></a>2. I port forward www requests to www.mydomain.com <h4 align="left"><a name="faq2"></a>2. I port forward www requests to www.mydomain.com
(IP 130.151.100.69) to system 192.168.1.5 in my local (IP 130.151.100.69) to system 192.168.1.5 in my
network. External clients can browse http://www.mydomain.com local network. External clients can browse http://www.mydomain.com
but internal clients can't.</h4> but internal clients can't.</h4>
@ -527,8 +533,8 @@ DEST.</b></u></td>
there's nothing between that server and your other internal there's nothing between that server and your other internal
systems. For the cost of another NIC and a cross-over cable, systems. For the cost of another NIC and a cross-over cable,
you can put your server in a DMZ such that it is isolated you can put your server in a DMZ such that it is isolated
from your local systems - assuming that the Server can be located from your local systems - assuming that the Server can be
near the Firewall, of course :-)</li> located near the Firewall, of course :-)</li>
<li>The accessibility <li>The accessibility
problem is best solved using <a problem is best solved using <a
href="shorewall_setup_guide.htm#DNS">Bind Version 9 "views"</a> href="shorewall_setup_guide.htm#DNS">Bind Version 9 "views"</a>
@ -543,10 +549,10 @@ from your local systems - assuming that the Server can be located
<p align="left">If you insist on an IP solution to the accessibility problem <p align="left">If you insist on an IP solution to the accessibility problem
rather than a DNS solution, then assuming that your rather than a DNS solution, then assuming that
external interface is eth0 and your internal interface your external interface is eth0 and your internal
is eth1 and that eth1 has IP address 192.168.1.254 with interface is eth1 and that eth1 has IP address 192.168.1.254
subnet 192.168.1.0/24, in /etc/shorewall/rules, add:</p> with subnet 192.168.1.0/24, in /etc/shorewall/rules, add:</p>
<div align="left"> <div align="left">
@ -595,9 +601,9 @@ DEST.</b></u></td>
<div align="left"> <div align="left">
<p align="left">That rule only works of course if you have a static external <p align="left">That rule only works of course if you have a static external
IP address. If you have a dynamic IP address and IP address. If you have a dynamic IP address
are running Shorewall 1.3.4 or later then include this and are running Shorewall 1.3.4 or later then include
in /etc/shorewall/init:</p> this in /etc/shorewall/init:</p>
</div> </div>
@ -653,8 +659,8 @@ DEST.</b></u></td>
<div align="left"> <div align="left">
<p align="left">Using this technique, you will want to configure your DHCP/PPPoE <p align="left">Using this technique, you will want to configure your DHCP/PPPoE
client to automatically restart Shorewall each time client to automatically restart Shorewall each
that you get a new IP address.</p> time that you get a new IP address.</p>
</div> </div>
@ -667,8 +673,8 @@ DEST.</b></u></td>
<p align="left"><b>Answer: </b>This is another problem that is best solved <p align="left"><b>Answer: </b>This is another problem that is best solved
using Bind Version 9 "views". It allows both external using Bind Version 9 "views". It allows both external
and internal clients to access a NATed host using the and internal clients to access a NATed host using
host's DNS name.</p> the host's DNS name.</p>
<p align="left">Another good way to approach this problem is to switch from <p align="left">Another good way to approach this problem is to switch from
@ -677,8 +683,8 @@ Z have non-RFC1918 addresses and can be accessed externally
and internally using the same address. </p> and internally using the same address. </p>
<p align="left">If you don't like those solutions and prefer routing all Z-&gt;Z <p align="left">If you don't like those solutions and prefer routing all
traffic through your firewall then:</p> Z-&gt;Z traffic through your firewall then:</p>
<p align="left">a) Set the Z-&gt;Z policy to ACCEPT.<br> <p align="left">a) Set the Z-&gt;Z policy to ACCEPT.<br>
@ -772,15 +778,18 @@ traffic through your firewall then:</p>
id="AutoNumber3" width="369"> id="AutoNumber3" width="369">
<tbody> <tbody>
<tr> <tr>
<td width="93"><u><b>INTERFACE <td
</b></u></td> width="93"><u><b>INTERFACE </b></u></td>
<td width="31"><u><b>SUBNET</b></u></td> <td
width="31"><u><b>SUBNET</b></u></td>
<td <td
width="120"><u><b>ADDRESS</b></u></td> width="120"><u><b>ADDRESS</b></u></td>
</tr> </tr>
<tr> <tr>
<td width="93">eth2</td> <td
<td width="31">192.168.2.0/24</td> width="93">eth2</td>
<td
width="31">192.168.2.0/24</td>
<td <td
width="120"> <br> width="120"> <br>
</td> </td>
@ -804,29 +813,29 @@ traffic through your firewall then:</p>
<p align="left"><b>Answer: </b>There is an <a <p align="left"><b>Answer: </b>There is an <a
href="http://www.kfki.hu/%7Ekadlec/sw/netfilter/newnat-suite/"> H.323 connection href="http://www.kfki.hu/%7Ekadlec/sw/netfilter/newnat-suite/"> H.323 connection
tracking/NAT module</a> that may help with Netmeeting. tracking/NAT module</a> that may help with Netmeeting.
Look <a href="http://linux-igd.sourceforge.net">here</a> for a solution Look <a href="http://linux-igd.sourceforge.net">here</a> for a
for MSN IM but be aware that there are significant security risks solution for MSN IM but be aware that there are significant security
involved with this solution. Also check the Netfilter mailing risks involved with this solution. Also check the Netfilter mailing
list archives at <a href="http://www.netfilter.org">http://www.netfilter.org</a>. list archives at <a href="http://www.netfilter.org">http://www.netfilter.org</a>.
</p> </p>
<h4 align="left"><a name="faq4"></a>4. I just used an online port scanner <h4 align="left"><a name="faq4"></a>4. I just used an online port scanner
to check my firewall and it shows some ports as to check my firewall and it shows some ports
'closed' rather than 'blocked'. Why?</h4> as 'closed' rather than 'blocked'. Why?</h4>
<p align="left"><b>Answer: </b>The common.def included with version 1.3.x <p align="left"><b>Answer: </b>The common.def included with version 1.3.x
always rejects connection requests on TCP port always rejects connection requests on TCP port
113 rather than dropping them. This is necessary to 113 rather than dropping them. This is necessary
prevent outgoing connection problems to services that use to prevent outgoing connection problems to services that
the 'Auth' mechanism for identifying requesting users. Shorewall use the 'Auth' mechanism for identifying requesting users.
also rejects TCP ports 135, 137 and 139 as well as UDP ports Shorewall also rejects TCP ports 135, 137 and 139 as well
137-139. These are ports that are used by Windows (Windows as UDP ports 137-139. These are ports that are used by Windows
<u>can</u> be configured to use the DCE cell locator on port (Windows <u>can</u> be configured to use the DCE cell locator
135). Rejecting these connection requests rather than dropping on port 135). Rejecting these connection requests rather than dropping
them cuts down slightly on the amount of Windows chatter on LAN segments them cuts down slightly on the amount of Windows chatter on LAN
connected to the Firewall. </p> segments connected to the Firewall. </p>
<p align="left">If you are seeing port 80 being 'closed', that's probably <p align="left">If you are seeing port 80 being 'closed', that's probably
@ -840,10 +849,10 @@ involved with this solution. Also check the Netfilter mailing
<p align="left"><b>Answer: </b>Take a deep breath and read the nmap man page <p align="left"><b>Answer: </b>Take a deep breath and read the nmap man page
section about UDP scans. If nmap gets <b>nothing</b> section about UDP scans. If nmap gets <b>nothing</b>
back from your firewall then it reports the port as back from your firewall then it reports the port
open. If you want to see which UDP ports are really open, as open. If you want to see which UDP ports are really open,
temporarily change your net-&gt;all policy to REJECT, restart temporarily change your net-&gt;all policy to REJECT,
Shorewall and do the nmap UDP scan again.</p> restart Shorewall and do the nmap UDP scan again.</p>
<h4 align="left"><a name="faq5"></a>5. I've installed Shorewall and now I <h4 align="left"><a name="faq5"></a>5. I've installed Shorewall and now I
@ -856,8 +865,8 @@ involved with this solution. Also check the Netfilter mailing
<p align="left">a) Create /etc/shorewall/common if it doesn't already exist. <p align="left">a) Create /etc/shorewall/common if it doesn't already exist.
<br> <br>
b) Be sure that the first b) Be sure that the
command in the file is ". /etc/shorewall/common.def"<br> first command in the file is ". /etc/shorewall/common.def"<br>
c) Add the following c) Add the following
to /etc/shorewall/common </p> to /etc/shorewall/common </p>
@ -877,15 +886,15 @@ to /etc/shorewall/common </p>
and how do I change the destination?</h4> and how do I change the destination?</h4>
<p align="left"><b>Answer: </b>NetFilter uses the kernel's equivalent of syslog <p align="left"><b>Answer: </b>NetFilter uses the kernel's equivalent of
(see "man syslog") to log messages. It always uses the LOG_KERN (kern) facility syslog (see "man syslog") to log messages. It always uses the LOG_KERN (kern)
(see "man openlog") and you get to choose the log level (again, see "man facility (see "man openlog") and you get to choose the log level (again,
syslog") in your <a href="Documentation.htm#Policy">policies</a> and <a see "man syslog") in your <a href="Documentation.htm#Policy">policies</a>
href="Documentation.htm#Rules">rules</a>. The destination for messaged and <a href="Documentation.htm#Rules">rules</a>. The destination for messaged
logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf"). logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
When you have changed /etc/syslog.conf, be sure to When you have changed /etc/syslog.conf, be sure
restart syslogd (on a RedHat system, "service syslog restart"). to restart syslogd (on a RedHat system, "service syslog
</p> restart"). </p>
<p align="left">By default, older versions of Shorewall ratelimited log messages <p align="left">By default, older versions of Shorewall ratelimited log messages
@ -925,8 +934,8 @@ log all messages, set: </p>
</p> </p>
</blockquote> </blockquote>
I personnaly use Logwatch. It emails me I personnaly use Logwatch. It emails me
a report each day from my various systems with each report a report each day from my various systems with each report summarizing
summarizing the logged activity on the corresponding system. the logged activity on the corresponding system.
<h4 align="left"><b><a name="faq6b"></a>6b. DROP messages</b> on port 10619 <h4 align="left"><b><a name="faq6b"></a>6b. DROP messages</b> on port 10619
@ -956,15 +965,16 @@ get logged twice, they are corrupted. I solve this problem by using
an /etc/shorewall/common file like this:<br> an /etc/shorewall/common file like this:<br>
<blockquote> <blockquote>
<pre>#<br># Include the standard common.def file<br>#<br>. /etc/shorewall/common.def<br>#<br># The following rule is non-standard and compensates for tardy<br># DNS replies<br>#<br>run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP</pre> <pre>#<br># Include the standard common.def file<br>#<br>. /etc/shorewall/common.def<br>#<br># The following rule is non-standard and compensates for tardy<br># DNS replies<br>#<br>run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP</pre>
</blockquote> </blockquote>
The above file is also include in all of my sample configurations The above file is also include in all of my sample configurations
available in the <a href="shorewall_quickstart_guide.htm">Quick Start available in the <a href="shorewall_quickstart_guide.htm">Quick
Guides</a> and in the common.def file in Shorewall 1.4.0 and later.<br> Start Guides</a> and in the common.def file in Shorewall 1.4.0 and later.<br>
<h4 align="left"><a name="faq6d"></a><b>6d.</b> Why is the MAC address in <h4 align="left"><a name="faq6d"></a><b>6d.</b> Why is the MAC address in
Shorewall log messages so long? I thought MAC addresses were only Shorewall log messages so long? I thought MAC addresses were only 6
6 bytes in length.</h4> bytes in length.</h4>
What is labeled as the MAC address in a Shorewall log message is What is labeled as the MAC address in a Shorewall log message is
actually the Ethernet frame header. IT contains:<br> actually the Ethernet frame header. IT contains:<br>
@ -991,10 +1001,10 @@ that command work?</h4>
<p align="left">The 'stop' command is intended to place your firewall into <p align="left">The 'stop' command is intended to place your firewall into
a safe state whereby only those hosts listed in /etc/shorewall/routestopped' a safe state whereby only those hosts listed in
are activated. If you want to totally open up your /etc/shorewall/routestopped' are activated. If you
firewall, you must use the 'shorewall clear' command. want to totally open up your firewall, you must use the 'shorewall
</p> clear' command. </p>
<h4 align="left"><a name="faq8"></a>8. When I try to start Shorewall on RedHat, <h4 align="left"><a name="faq8"></a>8. When I try to start Shorewall on RedHat,
@ -1048,9 +1058,9 @@ that command work?</h4>
<div align="left"> <div align="left">
<p align="left"><b>Answer: </b>The above output is perfectly normal. The Net <p align="left"><b>Answer: </b>The above output is perfectly normal. The
zone is defined as all hosts that are connected through eth0 and the local Net zone is defined as all hosts that are connected through eth0 and the
zone is defined as all hosts connected through eth1</p> local zone is defined as all hosts connected through eth1</p>
</div> </div>
@ -1083,14 +1093,14 @@ that command work?</h4>
<p align="left"><b>Answer: </b>Shorewall is a concatenation of "<u>Shore</u>line" <p align="left"><b>Answer: </b>Shorewall is a concatenation of "<u>Shore</u>line"
(<a href="http://www.cityofshoreline.com">the (<a href="http://www.cityofshoreline.com">the
city where I live</a>) and "Fire<u>wall</u>". The full city where I live</a>) and "Fire<u>wall</u>". The
name of the product is actually "Shoreline Firewall" but "Shorewall" full name of the product is actually "Shoreline Firewall" but "Shorewall"
is must more commonly used.</p> is must more commonly used.</p>
<h4 align="left"> <a name="faq14"></a>14. I'm connected via a cable modem <h4 align="left"> <a name="faq14"></a>14. I'm connected via a cable modem
and it has an internal web server that allows me and it has an internal web server that allows
to configure/monitor it but as expected if I enable me to configure/monitor it but as expected if I enable
rfc1918 blocking for my eth0 interface (the internet one), rfc1918 blocking for my eth0 interface (the internet one),
it also blocks the cable modems web server.</h4> it also blocks the cable modems web server.</h4>
@ -1101,8 +1111,9 @@ that command work?</h4>
rfc1918 addresses?</p> rfc1918 addresses?</p>
<p align="left"><b>Answer: </b>If you are running a version of Shorewall earlier <p align="left"><b>Answer: </b>If you are running a version of Shorewall
than 1.3.1, create /etc/shorewall/start and in it, place the following:</p> earlier than 1.3.1, create /etc/shorewall/start and in it, place the
following:</p>
<div align="left"> <div align="left">
@ -1153,10 +1164,10 @@ than 1.3.1, create /etc/shorewall/start and in it, place the following:</p>
<p align="left">Note: If you add a second IP address to your external firewall <p align="left">Note: If you add a second IP address to your external firewall
interface to correspond to the modem address, you interface to correspond to the modem address, you
must also make an entry in /etc/shorewall/rfc1918 for that must also make an entry in /etc/shorewall/rfc1918 for
address. For example, if you configure the address 192.168.100.2 that address. For example, if you configure the address
on your firewall, then you would add two entries to /etc/shorewall/rfc1918: 192.168.100.2 on your firewall, then you would add two entries
<br> to /etc/shorewall/rfc1918: <br>
</p> </p>
@ -1203,10 +1214,10 @@ on your firewall, then you would add two entries to /etc/shorewal
<div align="left"> <div align="left">
<h4 align="left"><a name="faq14a"></a>14a. Even though it assigns public IP <h4 align="left"><a name="faq14a"></a>14a. Even though it assigns public
addresses, my ISP's DHCP server has an RFC 1918 address. If I enable RFC IP addresses, my ISP's DHCP server has an RFC 1918 address. If I enable
1918 filtering on my external interface, my DHCP client cannot renew its RFC 1918 filtering on my external interface, my DHCP client cannot renew
lease.</h4> its lease.</h4>
</div> </div>
@ -1222,9 +1233,9 @@ lease.</h4>
<p align="left"><b>Answer: </b>Every time I read "systems can't see out to <p align="left"><b>Answer: </b>Every time I read "systems can't see out to
the net", I wonder where the poster bought computers the net", I wonder where the poster bought computers
with eyes and what those computers will "see" when things with eyes and what those computers will "see" when
are working properly. That aside, the most common causes things are working properly. That aside, the most common
of this problem are:</p> causes of this problem are:</p>
<ol> <ol>
@ -1250,8 +1261,8 @@ lease.</h4>
<p align="left">The DNS settings on the local systems are wrong or the <p align="left">The DNS settings on the local systems are wrong or the
user is running a DNS server on the firewall and user is running a DNS server on the firewall
hasn't enabled UDP and TCP port 53 from the firewall and hasn't enabled UDP and TCP port 53 from the firewall
to the internet.</p> to the internet.</p>
</li> </li>
@ -1284,8 +1295,8 @@ destination address is listed in /etc/shorewall/rfc1918
with a <b>logdrop </b>target -- see <a with a <b>logdrop </b>target -- see <a
href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li> href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li>
<li><b>rfc1918</b> - The <li><b>rfc1918</b> - The
source address is listed in /etc/shorewall/rfc1918 with source address is listed in /etc/shorewall/rfc1918
a <b>logdrop </b>target -- see <a with a <b>logdrop </b>target -- see <a
href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li> href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li>
<li><b>all2&lt;zone&gt;</b>, <li><b>all2&lt;zone&gt;</b>,
<b>&lt;zone&gt;2all</b> or <b>all2all </b>- <b>&lt;zone&gt;2all</b> or <b>all2all </b>-
@ -1297,8 +1308,8 @@ a <b>logdrop </b>target -- see <a
<li><b>&lt;zone1&gt;2&lt;zone2&gt; <li><b>&lt;zone1&gt;2&lt;zone2&gt;
</b>- Either you have a<a </b>- Either you have a<a
href="Documentation.htm#Policy"> policy</a> for <b>&lt;zone1&gt; href="Documentation.htm#Policy"> policy</a> for <b>&lt;zone1&gt;
</b>to <b>&lt;zone2&gt;</b> that specifies a log level and </b>to <b>&lt;zone2&gt;</b> that specifies a log level
this packet is being logged under that policy or this packet and this packet is being logged under that policy or this packet
matches a <a href="Documentation.htm#Rules">rule</a> that includes matches a <a href="Documentation.htm#Rules">rule</a> that includes
a log level.</li> a log level.</li>
<li><b>&lt;interface&gt;_mac</b> <li><b>&lt;interface&gt;_mac</b>
@ -1310,27 +1321,27 @@ packet is being logged under the <b>logunclean</b>
<a href="Documentation.htm#Interfaces">interface option</a>.</li> <a href="Documentation.htm#Interfaces">interface option</a>.</li>
<li><b>badpkt </b>- The <li><b>badpkt </b>- The
packet is being logged under the <b>dropunclean</b> packet is being logged under the <b>dropunclean</b>
<a href="Documentation.htm#Interfaces">interface option</a> <a href="Documentation.htm#Interfaces">interface option</a> as
as specified in the <b>LOGUNCLEAN </b>setting in <a specified in the <b>LOGUNCLEAN </b>setting in <a
href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.</li> href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.</li>
<li><b>blacklst</b> - The <li><b>blacklst</b> - The
packet is being logged because the source IP is blacklisted packet is being logged because the source IP is blacklisted
in the<a href="Documentation.htm#Blacklist"> /etc/shorewall/blacklist in the<a href="Documentation.htm#Blacklist"> /etc/shorewall/blacklist
</a>file.</li> </a>file.</li>
<li><b>newnotsyn </b>- The <li><b>newnotsyn </b>-
packet is being logged because it is a TCP packet that The packet is being logged because it is a TCP packet
is not part of any current connection yet it is not a syn packet. that is not part of any current connection yet it is not a
Options affecting the logging of such packets include <b>NEWNOTSYN syn packet. Options affecting the logging of such packets include
</b>and <b>LOGNEWNOTSYN </b>in <a <b>NEWNOTSYN </b>and <b>LOGNEWNOTSYN </b>in
href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li> <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
<li><b>INPUT</b> or <b>FORWARD</b> <li><b>INPUT</b> or <b>FORWARD</b>
- The packet has a source IP address that isn't in any - The packet has a source IP address that isn't in any
of your defined zones ("shorewall check" and look at the of your defined zones ("shorewall check" and look at the
printed zone definitions) or the chain is FORWARD and the destination printed zone definitions) or the chain is FORWARD and the destination
IP isn't in any of your defined zones.</li> IP isn't in any of your defined zones.</li>
<li><b>logflags </b>- The packet is <li><b>logflags </b>- The packet
being logged because it failed the checks implemented by is being logged because it failed the checks implemented
the <b>tcpflags </b><a href="Documentation.htm#Interfaces">interface by the <b>tcpflags </b><a href="Documentation.htm#Interfaces">interface
option</a>.<br> option</a>.<br>
</li> </li>
@ -1339,11 +1350,12 @@ the <b>tcpflags </b><a href="Documentation.htm#Interfaces">interface
<h4><a name="faq18"></a>18. Is there any way to use <b>aliased ip addresses</b> <h4><a name="faq18"></a>18. Is there any way to use <b>aliased ip addresses</b>
with Shorewall, and maintain separate rulesets for different with Shorewall, and maintain separate rulesets for
IPs?</h4> different IPs?</h4>
<b>Answer: </b>Yes. See <a <b>Answer: </b>Yes. See <a
href="Shorewall_and_Aliased_Interfaces.html">Shorewall and Aliased Interfaces</a>. href="Shorewall_and_Aliased_Interfaces.html">Shorewall and Aliased Interfaces</a>.
<h4><b><a name="faq19"></a>19. </b>I have added entries to /etc/shorewall/tcrules <h4><b><a name="faq19"></a>19. </b>I have added entries to /etc/shorewall/tcrules
but they don't seem to do anything. Why?</h4> but they don't seem to do anything. Why?</h4>
You probably haven't set TC_ENABLED=Yes You probably haven't set TC_ENABLED=Yes
@ -1352,13 +1364,13 @@ the <b>tcpflags </b><a href="Documentation.htm#Interfaces">interface
<h4><a name="faq20"></a><b>20. </b>I have just set up a server. <b>Do I have <h4><a name="faq20"></a><b>20. </b>I have just set up a server. <b>Do I have
to change Shorewall to allow access to my server from to change Shorewall to allow access to my server from the
the internet?</b><br> internet?</b><br>
</h4> </h4>
Yes. Consult the <a Yes. Consult the <a
href="shorewall_quickstart_guide.htm">QuickStart guide</a> that href="shorewall_quickstart_guide.htm">QuickStart guide</a> that you
you used during your initial setup for information about how to set used during your initial setup for information about how to set up
up rules for your server.<br> rules for your server.<br>
<h4><a name="faq21"></a><b>21. </b>I see these <b>strange log entries </b>occasionally; <h4><a name="faq21"></a><b>21. </b>I see these <b>strange log entries </b>occasionally;
what are they?<br> what are they?<br>
@ -1380,50 +1392,50 @@ you used during your initial setup for information about how to set
and Masquerade), there are a lot of broken implementations. That is and Masquerade), there are a lot of broken implementations. That is
what you are seeing with these messages.<br> what you are seeing with these messages.<br>
<br> <br>
Here is my interpretation of what is happening Here is my interpretation of what is
-- to confirm this analysis, one would have to have packet happening -- to confirm this analysis, one would have to
sniffers placed a both ends of the connection.<br> have packet sniffers placed a both ends of the connection.<br>
<br> <br>
Host 172.16.1.10 behind NAT gateway 206.124.146.179 Host 172.16.1.10 behind NAT gateway 206.124.146.179
sent a UDP DNS query to 192.0.2.3 and your DNS server tried sent a UDP DNS query to 192.0.2.3 and your DNS server tried
to send a response (the response information is in the brackets to send a response (the response information is in the brackets
-- note source port 53 which marks this as a DNS reply). When the -- note source port 53 which marks this as a DNS reply). When the
response was returned to to 206.124.146.179, it rewrote the destination response was returned to to 206.124.146.179, it rewrote the destination
IP TO 172.16.1.10 and forwarded the packet to 172.16.1.10 who no IP TO 172.16.1.10 and forwarded the packet to 172.16.1.10 who no longer
longer had a connection on UDP port 2857. This causes a port unreachable had a connection on UDP port 2857. This causes a port unreachable
(type 3, code 3) to be generated back to 192.0.2.3. As this packet (type 3, code 3) to be generated back to 192.0.2.3. As this packet
is sent back through 206.124.146.179, that box correctly changes the is sent back through 206.124.146.179, that box correctly changes the
source address in the packet to 206.124.146.179 but doesn't reset source address in the packet to 206.124.146.179 but doesn't reset the
the DST IP in the original DNS response similarly. When the ICMP DST IP in the original DNS response similarly. When the ICMP reaches
reaches your firewall (192.0.2.3), your firewall has no record of having your firewall (192.0.2.3), your firewall has no record of having sent
sent a DNS reply to 172.16.1.10 so this ICMP doesn't appear to be a DNS reply to 172.16.1.10 so this ICMP doesn't appear to be related
related to anything that was sent. The final result is that the packet to anything that was sent. The final result is that the packet gets
gets logged and dropped in the all2all chain. I have also seen cases logged and dropped in the all2all chain. I have also seen cases where
where the source IP in the ICMP itself isn't set back to the external the source IP in the ICMP itself isn't set back to the external IP of
IP of the remote NAT gateway; that causes your firewall to log and drop the remote NAT gateway; that causes your firewall to log and drop the
the packet out of the rfc1918 chain because the source IP is reserved packet out of the rfc1918 chain because the source IP is reserved by RFC
by RFC 1918.<br> 1918.<br>
<h4><a name="faq22"></a><b>22. </b>I have some <b>iptables commands </b>that <h4><a name="faq22"></a><b>22. </b>I have some <b>iptables commands </b>that
I want to <b>run when Shorewall starts.</b> Which file do I I want to <b>run when Shorewall starts.</b> Which file do I
put them in?</h4> put them in?</h4>
You can place these commands in one of You can place these commands in one
the <a href="shorewall_extension_scripts.htm">Shorewall Extension Scripts</a>. of the <a href="shorewall_extension_scripts.htm">Shorewall Extension Scripts</a>.
Be sure that you look at the contents of the chain(s) that you will be Be sure that you look at the contents of the chain(s) that you will be
modifying with your commands to be sure that the commands will modifying with your commands to be sure that the commands will
do what they are intended. Many iptables commands published in do what they are intended. Many iptables commands published in HOWTOs
HOWTOs and other instructional material use the -A command which and other instructional material use the -A command which adds the
adds the rules to the end of the chain. Most chains that Shorewall rules to the end of the chain. Most chains that Shorewall constructs
constructs end with an unconditional DROP, ACCEPT or REJECT rule and end with an unconditional DROP, ACCEPT or REJECT rule and any rules
any rules that you add after that will be ignored. Check "man iptables" that you add after that will be ignored. Check "man iptables" and look
and look at the -I (--insert) command.<br> at the -I (--insert) command.<br>
<h4><a name="faq23"></a><b>23. </b>Why do you use such ugly fonts on your <h4><a name="faq23"></a><b>23. </b>Why do you use such ugly fonts on your
web site?</h4> web site?</h4>
The Shorewall web site is almost font neutral (it The Shorewall web site is almost font neutral
doesn't explicitly specify fonts except on a few pages) so the (it doesn't explicitly specify fonts except on a few pages) so
fonts you see are largely the default fonts configured in your browser. the fonts you see are largely the default fonts configured in your
If you don't like them then reconfigure your browser.<br> browser. If you don't like them then reconfigure your browser.<br>
<h4><a name="faq24"></a>24. How can I <b>allow conections</b> to let's say <h4><a name="faq24"></a>24. How can I <b>allow conections</b> to let's say
the ssh port only<b> from specific IP Addresses</b> on the internet?</h4> the ssh port only<b> from specific IP Addresses</b> on the internet?</h4>
@ -1446,15 +1458,16 @@ a colon and a list of the host/subnet addresses as a comma-separated
<br> <br>
<font color="#009900"><b> /sbin/shorewall version</b></font><br> <font color="#009900"><b> /sbin/shorewall version</b></font><br>
<br> <br>
<font size="2">Last updated 3/22/2003 - <a href="support.htm">Tom <font size="2">Last updated 4/8/2003 - <a href="support.htm">Tom
Eastep</a></font> Eastep</a></font>
<p><a href="copyright.htm"><font size="2">Copyright</font> <p><a href="copyright.htm"><font size="2">Copyright</font> ©
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p> </p>
<br> <br>
<br> <br>
<br> <br>
<br> <br>
<br>
</body> </body>
</html> </html>


@ -18,6 +18,7 @@
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Installation and <h1 align="center"><font color="#ffffff">Shorewall Installation and
Upgrade</font></h1> Upgrade</font></h1>
</td> </td>
@ -27,7 +28,14 @@
</table> </table>
<p align="center"><b>Before upgrading, be sure to review the <a <p align="center"><b>Before upgrading, be sure to review the <a
href="upgrade_issues.htm">Upgrade Issues</a></b></p> href="upgrade_issues.htm">Upgrade Issues<br>
</a></b></p>
<div align="left"><b><br>
Before attempting installation, I strongly urge you to read and print a
copy of the <a href="shorewall_quickstart_guide.htm">Shorewall QuickStart
Guide</a> for the configuration that most closely matches your own.</b><br>
</div>
<p><font size="4"><b><a href="#Install_RPM">Install using RPM</a><br> <p><font size="4"><b><a href="#Install_RPM">Install using RPM</a><br>
<a href="#Install_Tarball">Install using tarball<br> <a href="#Install_Tarball">Install using tarball<br>
@ -63,8 +71,8 @@ diagnostic:<br>
     error: failed dependencies:iproute is needed by shorewall-1.4.0-1      error: failed dependencies:iproute is needed by shorewall-1.4.0-1
<br> <br>
<br> <br>
This may be worked around by using the --nodeps option of rpm (rpm -ivh --nodeps This may be worked around by using the --nodeps option of rpm (rpm -ivh
&lt;shorewall rpm&gt;).<br> --nodeps &lt;shorewall rpm&gt;).<br>
<br> <br>
</li> </li>
<li>Edit the <a href="#Config_Files"> configuration files</a> to <li>Edit the <a href="#Config_Files"> configuration files</a> to
@ -72,8 +80,8 @@ match your configuration. <font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u
SIMPLY INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION SIMPLY INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
IS REQUIRED BEFORE THE FIREWALL WILL START. IF YOU ISSUE A "start" COMMAND IS REQUIRED BEFORE THE FIREWALL WILL START. IF YOU ISSUE A "start" COMMAND
AND THE FIREWALL FAILS TO START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY AND THE FIREWALL FAILS TO START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY
NETWORK TRAFFIC. IF THIS HAPPENS, ISSUE A "shorewall clear" COMMAND TO RESTORE NETWORK TRAFFIC. IF THIS HAPPENS, ISSUE A "shorewall clear" COMMAND TO
NETWORK CONNECTIVITY.</b></font></li> RESTORE NETWORK CONNECTIVITY.</b></font></li>
<li>Start the firewall by typing "shorewall start"</li> <li>Start the firewall by typing "shorewall start"</li>
</ul> </ul>
@ -102,15 +110,15 @@ type "./install.sh /etc/init.d"</li>
<li>Edit the <a href="#Config_Files"> configuration files</a> to <li>Edit the <a href="#Config_Files"> configuration files</a> to
match your configuration.</li> match your configuration.</li>
<li>Start the firewall by typing "shorewall start"</li> <li>Start the firewall by typing "shorewall start"</li>
<li>If the install script was unable to configure Shorewall to be <li>If the install script was unable to configure Shorewall to
started automatically at boot, see <a be started automatically at boot, see <a
href="starting_and_stopping_shorewall.htm">these instructions</a>.</li> href="starting_and_stopping_shorewall.htm">these instructions</a>.</li>
</ul> </ul>
<p><a name="LRP"></a>To install my version of Shorewall on a fresh Bering <p><a name="LRP"></a>To install my version of Shorewall on a fresh Bering
disk, simply replace the "shorwall.lrp" file on the image with the file that disk, simply replace the "shorwall.lrp" file on the image with the file
you downloaded. See the <a href="two-interface.htm">two-interface QuickStart that you downloaded. See the <a href="two-interface.htm">two-interface QuickStart
Guide</a> for information about further steps required.</p> Guide</a> for information about further steps required.</p>
<p><a name="Upgrade_RPM"></a>If you already have the Shorewall RPM installed <p><a name="Upgrade_RPM"></a>If you already have the Shorewall RPM installed
@ -120,23 +128,24 @@ started automatically at boot, see <a
or and you have entries in the /etc/shorewall/hosts file then please check or and you have entries in the /etc/shorewall/hosts file then please check
your /etc/shorewall/interfaces file to be sure that it contains an entry your /etc/shorewall/interfaces file to be sure that it contains an entry
for each interface mentioned in the hosts file. Also, there are certain for each interface mentioned in the hosts file. Also, there are certain
1.2 rule forms that are no longer supported under 1.4 (you must use the new 1.2 rule forms that are no longer supported under 1.4 (you must use the
1.4 syntax). See <a href="errata.htm#Upgrade">the upgrade issues </a>for details.</p> new 1.4 syntax). See <a href="errata.htm#Upgrade">the upgrade issues </a>for
details.</p>
<ul> <ul>
<li>Upgrade the RPM (rpm -Uvh &lt;shorewall rpm file&gt;) <b>Note: <li>Upgrade the RPM (rpm -Uvh &lt;shorewall rpm file&gt;) <b>Note:
</b>If you are installing version 1.2.0 and have one of the 1.2.0 </b>If you are installing version 1.2.0 and have one of the 1.2.0
Beta RPMs installed, you must use the "--oldpackage" option to rpm (e.g., Beta RPMs installed, you must use the "--oldpackage" option to rpm
"rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm"). (e.g., "rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm").
<p> <b>Note1: </b>Some SuSE users have encountered a problem whereby <p> <b>Note1: </b>Some SuSE users have encountered a problem whereby
rpm reports a conflict with kernel &lt;= 2.2 even though a 2.4 kernel rpm reports a conflict with kernel &lt;= 2.2 even though a 2.4 kernel
is installed. If this happens, simply use the --nodeps option to rpm (rpm is installed. If this happens, simply use the --nodeps option to rpm
-Uvh --nodeps &lt;shorewall rpm&gt;).<br> (rpm -Uvh --nodeps &lt;shorewall rpm&gt;).<br>
<br> <br>
<b>Note2: </b>Beginning with Shorewall 1.4.0, Shorewall is dependent on <b>Note2: </b>Beginning with Shorewall 1.4.0, Shorewall is dependent
the iproute package. Unfortunately, some distributions call this package iproute2 on the iproute package. Unfortunately, some distributions call this package
which will cause the upgrade of Shorewall to fail with the diagnostic:<br> iproute2 which will cause the upgrade of Shorewall to fail with the diagnostic:<br>
<br> <br>
     error: failed dependencies:iproute is needed by shorewall-1.4.0-1      error: failed dependencies:iproute is needed by shorewall-1.4.0-1
<br> <br>
@ -201,7 +210,7 @@ your setup. In most cases, the <a href="shorewall_quickstart_guide.htm">Shorewa
</ul> </ul>
<p><font size="2">Updated 3/18/2003 - <a href="support.htm">Tom Eastep</a> <p><font size="2">Updated 4/8/2003 - <a href="support.htm">Tom Eastep</a>
</font></p> </font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
@ -212,5 +221,7 @@ your setup. In most cases, the <a href="shorewall_quickstart_guide.htm">Shorewa
<br> <br>
<br> <br>
<br> <br>
<br>
<br>
</body> </body>
</html> </html>



@ -34,10 +34,11 @@
<br> <br>
This page covers Shorewall configuration to use with <a This page covers Shorewall configuration to use with <a
href="http://www.squid-cache.org/">Squid </a>running as a <u><b>Transparent href="http://www.squid-cache.org/">Squid </a>running as a <u><b>Transparent
Proxy</b></u>.&nbsp;<br> Proxy</b></u>. If you are running Shorewall 1.3, please see <a
href="1.3/Shorewall_Squid_Usage.html">this documentation</a>.<br>
<a href="#DMZ"></a><br> <a href="#DMZ"></a><br>
<img border="0" src="images/j0213519.gif" width="60" height="60" <img border="0" src="images/j0213519.gif" width="60"
alt="Caution" align="middle"> height="60" alt="Caution" align="middle">
&nbsp;&nbsp;&nbsp; Please observe the following general requirements:<br> &nbsp;&nbsp;&nbsp; Please observe the following general requirements:<br>
<br> <br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13"> <b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
@ -52,14 +53,14 @@ run as a transparent proxy as described at <a
files, siimply create them.<br> files, siimply create them.<br>
<br> <br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13"> <b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
</b>&nbsp;&nbsp;&nbsp; When the Squid server is in the DMZ zone or </b>&nbsp;&nbsp;&nbsp; When the Squid server is in the DMZ zone
in the local zone, that zone must be defined ONLY by its interface -- no or in the local zone, that zone must be defined ONLY by its interface
/etc/shorewall/hosts file entries. That is because the packets being routed -- no /etc/shorewall/hosts file entries. That is because the packets being
to the Squid server still have their original destination IP addresses.<br> routed to the Squid server still have their original destination IP addresses.<br>
<br> <br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13"> <b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
</b>&nbsp;&nbsp;&nbsp; You must have iptables installed on your Squid </b>&nbsp;&nbsp;&nbsp; You must have iptables installed on your
server.<br> Squid server.<br>
<br> <br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13"> <b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
</b>&nbsp;&nbsp;&nbsp; You must have NAT and MANGLE enabled in your </b>&nbsp;&nbsp;&nbsp; You must have NAT and MANGLE enabled in your
@ -72,22 +73,22 @@ to the Squid server still have their original destination IP addresses.<br>
Three different configurations are covered:<br> Three different configurations are covered:<br>
<ol> <ol>
<li><a href="Shorewall_Squid_Usage.html#Firewall">Squid running on <li><a href="Shorewall_Squid_Usage.html#Firewall">Squid running
the Firewall.</a></li> on the Firewall.</a></li>
<li><a href="Shorewall_Squid_Usage.html#Local">Squid running in the <li><a href="Shorewall_Squid_Usage.html#Local">Squid running in
local network</a></li> the local network</a></li>
<li><a href="Shorewall_Squid_Usage.html#DMZ">Squid running in the <li><a href="Shorewall_Squid_Usage.html#DMZ">Squid running in the
DMZ</a></li> DMZ</a></li>
</ol> </ol>
<h2><a name="Firewall"></a>Squid Running on the Firewall</h2> <h2><a name="Firewall"></a>Squid Running on the Firewall</h2>
You want to redirect all local www connection requests You want to redirect all local www connection requests EXCEPT
EXCEPT those to your those to your own
own http server (206.124.146.177) http server (206.124.146.177)
to a Squid transparent to a Squid
proxy running on the firewall and listening on port 3128. Squid transparent proxy running on the firewall and listening on port
will of course require access to remote web servers.<br> 3128. Squid will of course require access to remote web servers.<br>
<br> <br>
In /etc/shorewall/rules:<br> In /etc/shorewall/rules:<br>
<br> <br>
@ -95,7 +96,6 @@ EXCEPT those to your
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"> <table border="1" cellpadding="2" style="border-collapse: collapse;">
<tbody> <tbody>
<tr> <tr>
<td><b>ACTION</b></td> <td><b>ACTION</b></td>
<td><b>SOURCE</b></td> <td><b>SOURCE</b></td>
@ -107,7 +107,6 @@ EXCEPT those to your
PORT(S)</b></td> PORT(S)</b></td>
<td><b>ORIGINAL<br> <td><b>ORIGINAL<br>
DEST</b></td> DEST</b></td>
</tr> </tr>
<tr> <tr>
<td>REDIRECT</td> <td>REDIRECT</td>
@ -131,14 +130,7 @@ EXCEPT those to your
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br> <br>
</blockquote> </blockquote>
@ -147,9 +139,9 @@ EXCEPT those to your
You want to redirect all local www connection requests to a Squid You want to redirect all local www connection requests to a Squid
transparent proxy transparent proxy
running in your local zone at 192.168.1.3 and listening on port 3128. running in your local zone at 192.168.1.3 and listening on port 3128.
Your local interface is eth1. There may also be a web server running on Your local interface is eth1. There may also be a web server running
192.168.1.3. It is assumed that web access is already enabled from the local on 192.168.1.3. It is assumed that web access is already enabled from the
zone to the internet.<br> local zone to the internet.<br>
<p><font color="#ff0000"><b>WARNING: </b></font>This setup may conflict with <p><font color="#ff0000"><b>WARNING: </b></font>This setup may conflict with
other aspects of your gateway including but not limited to traffic shaping other aspects of your gateway including but not limited to traffic shaping
@ -177,12 +169,45 @@ EXCEPT those to your
</blockquote> </blockquote>
<ul> <ul>
<li>If you are running Shorewall 1.4.1 or Shorewall 1.4.1a, please
upgrade to Shorewall 1.4.2 or later.<br>
<br>
</li>
<li>If you are running Shorewall 1.4.2 or later, then in /etc/shorewall/interfaces:<br>
<br>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top">ZONE<br>
</td>
<td valign="top">INTERFACE<br>
</td>
<td valign="top">BROADCAST<br>
</td>
<td valign="top">OPTIONS<br>
</td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">eth1<br>
</td>
<td valign="top">detect<br>
</td>
<td valign="top"><b>routeback</b><br>
</td>
</tr>
</tbody>
</table>
<br>
</li>
<li>In /etc/shorewall/rules:<br> <li>In /etc/shorewall/rules:<br>
<br> <br>
<table border="1" cellpadding="2" style="border-collapse: collapse;"> <table border="1" cellpadding="2" style="border-collapse: collapse;">
<tbody> <tbody>
<tr> <tr>
<td><b>ACTION</b></td> <td><b>ACTION</b></td>
<td><b>SOURCE</b></td> <td><b>SOURCE</b></td>
@ -194,7 +219,6 @@ EXCEPT those to your
PORT(S)</b></td> PORT(S)</b></td>
<td><b>ORIGINAL<br> <td><b>ORIGINAL<br>
DEST</b></td> DEST</b></td>
</tr> </tr>
<tr> <tr>
<td>ACCEPT<br> <td>ACCEPT<br>
@ -210,19 +234,12 @@ EXCEPT those to your
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br>
</li> </li>
<li>Alternativfely, you can have the following policy:<br>
<br> <br>
<li>Alternativfely, if you are running Shorewall 1.4.0 you can have the
following policy in place of the above rule:<br>
<table cellpadding="2" cellspacing="0" border="1"> <table cellpadding="2" cellspacing="0" border="1">
<tbody> <tbody>
@ -288,8 +305,8 @@ EXCEPT those to your
<h2><a name="DMZ"></a>Squid Running in the DMZ (This is what I do)</h2> <h2><a name="DMZ"></a>Squid Running in the DMZ (This is what I do)</h2>
You have a single Linux system in your DMZ with IP address 192.0.2.177. You have a single Linux system in your DMZ with IP address 192.0.2.177.
You want to run both a web server and Squid on that system. Your DMZ interface You want to run both a web server and Squid on that system. Your DMZ
is eth1 and your local interface is eth2.<br> interface is eth1 and your local interface is eth2.<br>
<ul> <ul>
<li>On your firewall system, issue the following command<br> <li>On your firewall system, issue the following command<br>
@ -402,7 +419,6 @@ EXCEPT those to your
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
<br>
</blockquote> </blockquote>
<ul> <ul>
@ -432,6 +448,22 @@ EXCEPT those to your
DEST<br> DEST<br>
</td> </td>
</tr> </tr>
<tr>
<td valign="top">ACCEPT<br>
</td>
<td valign="top">loc<br>
</td>
<td valign="top">dmz<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">80<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
<tr> <tr>
<td valign="top">ACCEPT<br> <td valign="top">ACCEPT<br>
</td> </td>
@ -476,20 +508,11 @@ EXCEPT those to your
<blockquote> </blockquote> <blockquote> </blockquote>
<p><font size="-1"> Updated 2/22/2003 - <a href="support.htm">Tom Eastep</a> <p><font size="-1"> Updated 4/7/2003 - <a href="support.htm">Tom Eastep</a>
</font></p> </font></p>
<a href="copyright.htm"><font size="2">Copyright</font> &copy;
<a <font size="2">2003 Thomas M. Eastep.</font></a><br>
href="copyright.htm"><font size="2">Copyright</font> &copy; <font
size="2">2003 Thomas M. Eastep.</font></a><br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br> <br>
</body> </body>
</html> </html>


@ -16,13 +16,10 @@
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall and Aliased Interfaces</font></h1> <h1 align="center"><font color="#ffffff">Shorewall and Aliased Interfaces</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br> <br>
@ -89,7 +86,7 @@ the IP address.<br>
</b></td> </b></td>
</tr> </tr>
<tr> <tr>
<td valign="top">DNAT<br> <td valign="top">ACCEPT<br>
</td> </td>
<td valign="top">net<br> <td valign="top">net<br>
</td> </td>
@ -345,13 +342,13 @@ file:<br>
</blockquote> </blockquote>
<h3>MULTIPLE SUBNETS</h3> <h3>MULTIPLE SUBNETS</h3>
Sometimes multiple IP addresses are used because there are multiple subnetworks Sometimes multiple IP addresses are used because there are multiple
configured on a LAN segment. This technique does not provide for any security subnetworks configured on a LAN segment. This technique does not provide
between the subnetworks if the users of the systems have administrative for any security between the subnetworks if the users of the systems have
privileges because in that case, the users can simply manipulate their system's administrative privileges because in that case, the users can simply manipulate
routing table to bypass your firewall/router. Nevertheless, there are cases their system's routing table to bypass your firewall/router. Nevertheless,
where you simply want to consider the LAN segment itself as a zone and allow there are cases where you simply want to consider the LAN segment itself
your firewall/router to route between the two subnetworks.<br> as a zone and allow your firewall/router to route between the two subnetworks.<br>
<br> <br>
Example 1: &nbsp;Local interface eth1 interfaces to 192.168.1.0/24 and Example 1: &nbsp;Local interface eth1 interfaces to 192.168.1.0/24 and
192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and eth1:0 192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and eth1:0
@ -360,6 +357,7 @@ your firewall/router to route between the two subnetworks.<br>
<h4>If you are running Shorewall 1.4.1 or Later</h4> <h4>If you are running Shorewall 1.4.1 or Later</h4>
In /etc/shorewall/interfaces:<br> In /etc/shorewall/interfaces:<br>
<blockquote> <blockquote>
<table cellpadding="2" cellspacing="0" border="1"> <table cellpadding="2" cellspacing="0" border="1">
<tbody> <tbody>
@ -424,6 +422,7 @@ In /etc/shorewall/interfaces:<br>
</blockquote> </blockquote>
Note that you do NOT need any entry in /etc/shorewall/policy as Shorewall Note that you do NOT need any entry in /etc/shorewall/policy as Shorewall
1.4.1 and later releases default to allowing intra-zone traffic.<br> 1.4.1 and later releases default to allowing intra-zone traffic.<br>
<h4>If you are running Shorewall 1.4.0 or earlier<br> <h4>If you are running Shorewall 1.4.0 or earlier<br>
</h4> </h4>
In /etc/shorewall/interfaces:<br> In /etc/shorewall/interfaces:<br>
@ -497,8 +496,9 @@ specify the <b>multi</b> option.<br>
</blockquote> </blockquote>
Example 2: Local interface eth1 interfaces to 192.168.1.0/24 and 192.168.20.0/24. Example 2: Local interface eth1 interfaces to 192.168.1.0/24 and 192.168.20.0/24.
The primary IP address of eth1 is 192.168.1.254 and eth1:0 is 192.168.20.254. The primary IP address of eth1 is 192.168.1.254 and eth1:0 is 192.168.20.254.
You want to make these subnetworks into separate zones and control the access You want to make these subnetworks into separate zones and control the
between them (the users of the systems do not have administrative privileges).<br> access between them (the users of the systems do not have administrative
privileges).<br>
<br> <br>
In /etc/shorewall/zones:<br> In /etc/shorewall/zones:<br>
<br> <br>
@ -607,7 +607,7 @@ specify the <b>multi</b> option.<br>
that you want to permit.<br> that you want to permit.<br>
<br> <br>
<p align="left"><font size="2">Last Updated 3/22/2003 A - <a <p align="left"><font size="2">Last Updated 3/27/2003 A - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <p><a href="copyright.htm"><font size="2">Copyright</font> &copy;
@ -617,5 +617,6 @@ that you want to permit.<br>
<br> <br>
<br> <br>
<br> <br>
<br>
</body> </body>
</html> </html>


@ -20,8 +20,6 @@
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Download</font></h1> <h1 align="center"><font color="#ffffff">Shorewall Download</font></h1>
</td> </td>
</tr> </tr>
@ -29,22 +27,20 @@
</tbody> </tbody>
</table> </table>
<p><b>I strongly urge you to read and print a copy of the <a <p><b>I strongly urge you to read and print a copy of the <a
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a> href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
for the configuration that most closely matches your own.<br> for the configuration that most closely matches your own.<br>
</b></p> </b></p>
<p>The entire set of Shorewall documentation is available in PDF format <p>The entire set of Shorewall documentation is available in PDF format at:</p>
at:</p>
<p>    <a href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br> <p>    <a href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>     <a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
    <a href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>     <a href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>
</p> </p>
<p>The documentation in HTML format is included in the .rpm and in the <p>The documentation in HTML format is included in the .rpm and in the .tgz
.tgz packages below.</p> packages below.</p>
<p> Once you've printed the appropriate QuickStart Guide, download <u> <p> Once you've printed the appropriate QuickStart Guide, download <u>
one</u> of the modules:</p> one</u> of the modules:</p>
@ -53,23 +49,23 @@ at:</p>
<li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>, <li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>,
<b> Linux PPC</b> or <b> TurboLinux</b> distribution <b> Linux PPC</b> or <b> TurboLinux</b> distribution
with a 2.4 kernel, you can use the RPM version (note: the with a 2.4 kernel, you can use the RPM version (note: the
RPM should also work with other distributions that RPM should also work with other distributions that store
store init scripts in /etc/init.d and that include chkconfig init scripts in /etc/init.d and that include chkconfig or
or insserv). If you find that it works in other cases, let <a insserv). If you find that it works in other cases, let <a
href="mailto:teastep@shorewall.net"> me</a> know so that href="mailto:teastep@shorewall.net"> me</a> know so that
I can mention them here. See the <a href="Install.htm">Installation I can mention them here. See the <a href="Install.htm">Installation
Instructions</a> if you have problems installing the RPM.</li> Instructions</a> if you have problems installing the RPM.</li>
<li>If you are running LRP, download the .lrp file (you <li>If you are running LRP, download the .lrp file
might also want to download the .tgz so you will have a copy (you might also want to download the .tgz so you will have a
of the documentation).</li> copy of the documentation).</li>
<li>If you run <a href="http://www.debian.org"><b>Debian</b></a> <li>If you run <a href="http://www.debian.org"><b>Debian</b></a>
and would like a .deb package, Shorewall is included in both and would like a .deb package, Shorewall is included in both
the <a href="http://packages.debian.org/testing/net/shorewall.html">Debian the <a href="http://packages.debian.org/testing/net/shorewall.html">Debian
Testing Branch</a> and the <a Testing Branch</a> and the <a
href="http://packages.debian.org/unstable/net/shorewall.html">Debian href="http://packages.debian.org/unstable/net/shorewall.html">Debian Unstable
Unstable Branch</a>.</li> Branch</a>.</li>
<li>Otherwise, download the <i>shorewall</i> <li>Otherwise, download the <i>shorewall</i> module
module (.tgz)</li> (.tgz)</li>
</ul> </ul>
@ -88,9 +84,9 @@ the <a href="http://packages.debian.org/testing/net/shorewall.html">Debian
point to a newer or an older version than is shown below.</p> point to a newer or an older version than is shown below.</p>
<ul> <ul>
<li>RPM - "rpm -qip LATEST.rpm"</li> <li>RPM - "rpm -qip shorewall-<i>version</i>.noarch.rpm"</li>
<li>TARBALL - "tar -ztf LATEST.tgz" (the directory <li>TARBALL - "tar -ztf shorewall-<i>version</i>.tgz"
name will contain the version)</li> (the directory name will contain the version)</li>
<li>LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar <li>LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar
-zxf &lt;downloaded .lrp&gt;; cat var/lib/lrpkg/shorwall.version" -zxf &lt;downloaded .lrp&gt;; cat var/lib/lrpkg/shorwall.version"
</li> </li>
@ -103,266 +99,13 @@ the <a href="http://packages.debian.org/testing/net/shorewall.html">Debian
downloaded.</p> downloaded.</p>
<p><font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY INSTALL <p><font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY INSTALL
THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION IS
IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed configuration
configuration of your firewall, you can enable startup by removing the of your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.</b></font></p>
file /etc/shorewall/startup_disabled.</b></font></p>
<p><b>Download Latest Version</b> (<b>1.4.0</b>): <b>Remember that updates <p><b></b></p>
to the mirrors occur 1-12 hours after an update to the Washington
State site.</b></p>
<blockquote> <p><b>Download Sites:</b></p>
<table border="2" cellspacing="3" cellpadding="3"
style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>SERVER LOCATION</b></td>
<td><b>DOMAIN</b></td>
<td><b>HTTP</b></td>
<td><b>FTP</b></td>
</tr>
<tr>
<td valign="top">SourceForge<br>
</td>
<td valign="top">sf.net<br>
</td>
<td valign="top"><a
href="http://sourceforge.net/project/showfiles.php?group_id=22587">Download</a><br>
</td>
<td valign="top"><br>
</td>
</tr>
<tr>
<td>Slovak Republic</td>
<td>Shorewall.net</td>
<td><a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br>
<a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.md5sums">
Download.md5sums<br>
</a><a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.samples">Download
.samples</a><a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.md5sums"><br>
</a></td>
<td> <a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
<a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.md5sums">
Download.md5sums<br>
</a><a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.samples">Download
.samples</a><a
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.md5sums"><br>
</a></td>
</tr>
<tr>
<td>Texas, USA</td>
<td>Infohiiway.com</td>
<td><a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.rpm">Download
.rpm</a><br>
<a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.md5sums">
Download.md5sums<br>
</a><a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.samples">Download
.samples</a><a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.md5sums"><br>
</a></td>
<td> <a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.rpm">Download .rpm</a>  <br>
<a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.lrp"> Download
.lrp</a><br>
<a
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.md5sums">
Download.md5sums<br>
</a><a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.samples"> Download
.samples</a><a
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.md5sums"><br>
</a></td>
</tr>
<tr>
<td>Hamburg, Germany</td>
<td>Shorewall.net</td>
<td><a
href="http://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download
.rpm</a><br>
<a
href="http://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a><br>
<a
href="http://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a
href="http://germany.shorewall.net/pub/shorewall/LATEST.md5sums">
Download.md5sums<br>
</a><a
href="http://germany.shorewall.net/pub/shorewall/LATEST.samples">Download
.samples</a><a
href="http://germany.shorewall.net/pub/shorewall/LATEST.md5sums"><br>
</a></td>
<td> <a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download
.rpm</a>  <br>
<a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.md5sums">Download
.md5sums<br>
</a><a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.samples">Download
.samples</a><a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.md5sums"><br>
</a></td>
</tr>
<tr>
<td>Martinez (Zona Norte - GBA), Argentina</td>
<td>Correofuego.com.ar</td>
<td> <a
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
<a
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
Download .lrp</a><br>
<a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums">Download
.md5sums<br>
</a><a
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.samples">
Download .samples</a><a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums"><br>
</a></td>
<td> <a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
<a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
Download .lrp</a><br>
<a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums">Download
.md5sums<br>
</a><a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.samples">
Download .samples</a><a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums"><br>
</a></td>
</tr>
<tr>
<td>Paris, France</td>
<td>Shorewall.net</td>
<td><a
href="http://france.shorewall.net/pub/LATEST.rpm">Download .rpm</a><br>
<a
href="http://france.shorewall.net/pub/LATEST.tgz">Download
.tgz</a> <br>
<a
href="http://france.shorewall.net/pub/LATEST.lrp">Download
.lrp</a><br>
<a
href="http://france.shorewall.net/pub/LATEST.md5sums">Download
.md5sums<br>
</a><a href="http://france.shorewall.net/pub/LATEST.samples">Download
.samples</a><a
href="http://france.shorewall.net/pub/LATEST.md5sums"><br>
</a></td>
<td> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
<a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.md5sums">Download
.md5sums<br>
</a><a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.samples">Download
.samples</a><a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.md5sums"><br>
</a></td>
</tr>
<tr>
<td valign="middle">Washington State, USA<br>
</td>
<td valign="middle">Shorewall.net<br>
</td>
<td valign="top"><a
href="http://www.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br>
<a
href="http://www.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a
href="http://www.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a
href="http://www.shorewall.net/pub/shorewall/LATEST.md5sums">Download
.md5sums<br>
</a><a
href="http://www.shorewall.net/pub/shorewall/LATEST.samples">Download
.samples</a><br>
</td>
<td valign="top"><a
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.rpm" target="_blank">
Download .rpm</a> <br>
<a
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.tgz" target="_blank">Download
.tgz</a> <br>
<a
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.lrp" target="_blank">Download
.lrp</a><br>
<a target="_blank"
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.md5sums">Download
.md5sums<br>
</a><a
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.samples"
target="_blank">Download .samples</a><br>
</td>
</tr>
</tbody>
</table>
</blockquote>
<p><b>Browse Download Sites:</b></p>
<blockquote> <blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;"> <table border="2" cellpadding="2" style="border-collapse: collapse;">
@ -430,7 +173,6 @@ the <a href="http://packages.debian.org/testing/net/shorewall.html">Debian
href="ftp://ftp.shorewall.net/pub/shorewall/" target="_blank">Browse</a></td> href="ftp://ftp.shorewall.net/pub/shorewall/" target="_blank">Browse</a></td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -446,11 +188,12 @@ the <a href="http://packages.debian.org/testing/net/shorewall.html">Debian
</p> </p>
</blockquote> </blockquote>
<p align="left"><font size="2">Last Updated 3/6/2003 - <a <p align="left"><font size="2">Last Updated 3/24/2003 - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p> </p>
<br>
</body> </body>
</html> </html>


@ -2,19 +2,14 @@
<html> <html>
<head> <head>
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shorewall 1.4 Errata</title> <title>Shorewall 1.4 Errata</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
<meta name="author" content="Tom Eastep"> <meta name="author" content="Tom Eastep">
@ -27,13 +22,10 @@
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1> <h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
@ -41,8 +33,6 @@
<ol> <ol>
<li> <li>
<p align="left"> <b><u>I</u>f you use a Windows system to download <p align="left"> <b><u>I</u>f you use a Windows system to download
a corrected script, be sure to run the script through <u> a corrected script, be sure to run the script through <u>
<a href="http://www.megaloman.com/%7Ehany/software/hd2u/" <a href="http://www.megaloman.com/%7Ehany/software/hd2u/"
@ -50,22 +40,17 @@
it to your Linux system.</b></p> it to your Linux system.</b></p>
</li> </li>
<li> <li>
<p align="left"> <b>If you are installing Shorewall for the first <p align="left"> <b>If you are installing Shorewall for the first
time and plan to use the .tgz and install.sh script, you can untar time and plan to use the .tgz and install.sh script, you can untar
the archive, replace the 'firewall' script in the untarred directory the archive, replace the 'firewall' script in the untarred directory
with the one you downloaded below, and then run install.sh.</b></p> with the one you downloaded below, and then run install.sh.</b></p>
</li> </li>
<li> <li>
<p align="left"> <b>When the instructions say to install a corrected <p align="left"> <b>When the instructions say to install a corrected
firewall script in /usr/share/shorewall/firewall, you may firewall script in /usr/share/shorewall/firewall, you may
rename the existing file before copying in the new file.</b></p> rename the existing file before copying in the new file.</b></p>
</li> </li>
<li> <li>
<p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS <p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW.
For example, do NOT install the 1.3.9a firewall script if you are running For example, do NOT install the 1.3.9a firewall script if you are running
@ -104,10 +89,33 @@ iptables</a></b></li>
<hr> <hr>
<h2 align="left"><a name="V1.4"></a>Problems in Version 1.4</h2> <h2 align="left"><a name="V1.4"></a>Problems in Version 1.4</h2>
<h3></h3> <h3></h3>
<h3>1.4.1a, 1.4.1 and 1.4.0</h3>
<ul>
<li>Some TCP requests are rejected in the 'common' chain with an ICMP port-unreachable
response rather than the more appropriate TCP RST response. This problem
is corrected in this updated common.def file which may be installed in /etc/shorewall/common.def.<br>
</li>
</ul>
<h3>1.4.1</h3>
<ul>
<li>When a "shorewall check" command is executed, each "rule" produces
the harmless additional message:<br>
<br>
     /usr/share/shorewall/firewall: line 2174: [: =: unary operator expected<br>
<br>
You may correct the problem by installing <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.1/firewall"
target="_top">this corrected script</a> in /usr/share/shorewall/firewall
as described above.<br>
</li>
</ul>
<h3>1.4.0</h3> <h3>1.4.0</h3>
<ul> <ul>
<li>When running under certain shells Shorewall will attempt to create <li>When running under certain shells Shorewall will attempt to create
ECN rules even when /etc/shorewall/ecn is empty. You may either just remove ECN rules even when /etc/shorewall/ecn is empty. You may either just remove
@ -115,7 +123,9 @@ ECN rules even when /etc/shorewall/ecn is empty. You may either just remove
href="http://www.shorewall.net/pub/shorewall/errata/1.4.0/firewall">this href="http://www.shorewall.net/pub/shorewall/errata/1.4.0/firewall">this
correct script</a> in /usr/share/shorewall/firewall as described above.<br> correct script</a> in /usr/share/shorewall/firewall as described above.<br>
</li> </li>
</ul> </ul>
<hr width="100%" size="2"> <hr width="100%" size="2">
<h2 align="left"><a name="Upgrade"></a>Upgrade Issues</h2> <h2 align="left"><a name="Upgrade"></a>Upgrade Issues</h2>
@ -127,12 +137,10 @@ correct script</a> in /usr/share/shorewall/firewall as described above.<br>
iptables version 1.2.3</font></h3> iptables version 1.2.3</font></h3>
<blockquote> <blockquote>
<p align="left">There are a couple of serious bugs in iptables 1.2.3 that <p align="left">There are a couple of serious bugs in iptables 1.2.3 that
prevent it from working with Shorewall. Regrettably, prevent it from working with Shorewall. Regrettably,
RedHat released this buggy iptables in RedHat 7.2. </p> RedHat released this buggy iptables in RedHat 7.2. </p>
<p align="left"> I have built a <a <p align="left"> I have built a <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm"> href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
corrected 1.2.3 rpm which you can download here</a>  and I have corrected 1.2.3 rpm which you can download here</a>  and I have
@ -142,7 +150,6 @@ RedHat released this buggy iptables in RedHat 7.2.
running RedHat 7.1, you can install either of these RPMs running RedHat 7.1, you can install either of these RPMs
<b><u>before</u> </b>you upgrade to RedHat 7.2.</p> <b><u>before</u> </b>you upgrade to RedHat 7.2.</p>
<p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat <p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat
has released an iptables-1.2.4 RPM of their own which you can has released an iptables-1.2.4 RPM of their own which you can
download from<font color="#ff6633"> <a download from<font color="#ff6633"> <a
@ -150,84 +157,67 @@ download from<font color="#ff6633"> <a
</font>I have installed this RPM on my firewall and it works </font>I have installed this RPM on my firewall and it works
fine.</p> fine.</p>
<p align="left">If you would like to patch iptables 1.2.3 yourself, <p align="left">If you would like to patch iptables 1.2.3 yourself,
the patches are available for download. This <a the patches are available for download. This <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a> href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
which corrects a problem with parsing of the --log-level specification which corrects a problem with parsing of the --log-level
while this <a specification while this <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a> href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
corrects a problem in handling the  TOS target.</p> corrects a problem in handling the  TOS target.</p>
<p align="left">To install one of the above patches:</p> <p align="left">To install one of the above patches:</p>
<ul> <ul>
<li>cd iptables-1.2.3/extensions</li> <li>cd iptables-1.2.3/extensions</li>
<li>patch -p0 &lt; <i>the-patch-file</i></li> <li>patch -p0 &lt; <i>the-patch-file</i></li>
</ul> </ul>
</blockquote> </blockquote>
<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18 and
<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18 RedHat iptables</h3>
and RedHat iptables</h3>
<blockquote> <blockquote>
<p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19 <p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19
may experience the following:</p> may experience the following:</p>
<blockquote> <blockquote>
<pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre> <pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre>
</blockquote> </blockquote>
<p>The RedHat iptables RPM is compiled with debugging enabled but the <p>The RedHat iptables RPM is compiled with debugging enabled but the
user-space debugging code was not updated to reflect recent changes in user-space debugging code was not updated to reflect recent changes in
the Netfilter 'mangle' table. You can correct the problem by the Netfilter 'mangle' table. You can correct the problem by
installing <a installing <a
href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm"> href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
this iptables RPM</a>. If you are already running a 1.2.5 version this iptables RPM</a>. If you are already running a 1.2.5
of iptables, you will need to specify the --oldpackage option version of iptables, you will need to specify the --oldpackage
to rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p> option to rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
</blockquote> </blockquote>
<h3><a name="SuSE"></a>Problems installing/upgrading <h3><a name="SuSE"></a>Problems installing/upgrading
RPM on SuSE</h3> RPM on SuSE</h3>
<p>If you find that rpm complains about a conflict with kernel &lt;=
<p>If you find that rpm complains about a conflict 2.2 yet you have a 2.4 kernel installed, simply use the "--nodeps"
with kernel &lt;= 2.2 yet you have a 2.4 kernel option to rpm.</p>
installed, simply use the "--nodeps" option to
rpm.</p>
<p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p> <p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<p>Upgrading: rpm -Uvh --nodeps <i>&lt;shorewall rpm&gt;</i></p> <p>Upgrading: rpm -Uvh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<h3><a name="Multiport"></a><b>Problems with iptables version 1.2.7 and
MULTIPORT=Yes</b></h3>
<h3><a name="Multiport"></a><b>Problems with <p>The iptables 1.2.7 release of iptables has made an incompatible
iptables version 1.2.7 and MULTIPORT=Yes</b></h3> change to the syntax used to specify multiport match rules; as
a consequence, if you install iptables 1.2.7 you must be
running Shorewall 1.3.7a or later or:</p>
<p>The iptables 1.2.7 release of iptables has made
an incompatible change to the syntax used to
specify multiport match rules; as a consequence,
if you install iptables 1.2.7 you must be running
Shorewall 1.3.7a or later or:</p>
<ul> <ul>
<li>set MULTIPORT=No <li>set MULTIPORT=No
in /etc/shorewall/shorewall.conf; or </li> in /etc/shorewall/shorewall.conf; or
</li>
<li>if you are running <li>if you are running
Shorewall 1.3.6 you may install Shorewall 1.3.6 you may install
<a <a
@ -239,8 +229,8 @@ to rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm")
<h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br> <h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br>
</h3> </h3>
/etc/shorewall/nat entries of the following form will result /etc/shorewall/nat entries of the following form will
in Shorewall being unable to start:<br> result in Shorewall being unable to start:<br>
<br> <br>
<pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22    eth0    192.168.9.22   yes     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre> <pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22    eth0    192.168.9.22   yes     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
@ -249,16 +239,18 @@ to rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm")
<pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre> <pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
The solution is to put "no" in the LOCAL column. Kernel The solution is to put "no" in the LOCAL column. Kernel
support for LOCAL=yes has never worked properly and 2.4.18-10 has support for LOCAL=yes has never worked properly and 2.4.18-10 has
disabled it. The 2.4.19 kernel contains corrected support under a new disabled it. The 2.4.19 kernel contains corrected support under a
kernel configuraiton option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br> new kernel configuraiton option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
<p><font size="2"> Last updated 3/21/2003 - <p><font size="2"> Last updated 3/25/2003 - <a href="support.htm">Tom Eastep</a></font>
<a href="support.htm">Tom Eastep</a></font> </p> </p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p> </p>
<br> <br>
<br> <br>
<br>
<br>
</body> </body>
</html> </html>


@ -2,22 +2,16 @@
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Mailing Lists</title> <title>Shorewall Mailing Lists</title>
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
@ -29,25 +23,19 @@
<tr> <tr>
<td width="33%" valign="middle" align="left"> <td width="33%" valign="middle" align="left">
<h1 align="center"><a <h1 align="center"><a
href="http://www.centralcommand.com/linux_products.html"><img href="http://www.centralcommand.com/linux_products.html"><img
src="images/Vexira_Antivirus_Logo.gif" alt="Vexira Logo" width="78" src="images/Vexira_Antivirus_Logo.gif" alt="Vexira Logo" width="78"
height="79" align="left"> height="79" align="left">
</a></h1> </a></h1>
<a <a
href="http://www.gnu.org/software/mailman/mailman.html"> <img href="http://www.gnu.org/software/mailman/mailman.html"> <img
border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110" border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110"
height="35" alt=""> height="35" alt="">
</a> </a>
<p align="right"><font color="#ffffff"><b>  </b></font> </p> <p align="right"><font color="#ffffff"><b>  </b></font> </p>
</td> </td>
<td valign="middle" width="34%" align="center"> <td valign="middle" width="34%" align="center">
<h1 align="center"><font color="#ffffff">Shorewall Mailing Lists</font></h1> <h1 align="center"><font color="#ffffff">Shorewall Mailing Lists</font></h1>
</td> </td>
<td valign="middle" width="33%"> <a <td valign="middle" width="33%"> <a
@ -69,27 +57,25 @@
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<h1>REPORTING A PROBLEM OR ASKING FOR HELP? If you haven't already, please <h1>REPORTING A PROBLEM OR ASKING FOR HELP? If you haven't already, please
read the <a href="http://www.shorewall.net/support.htm">Shorewall Support read the <a href="http://www.shorewall.net/support.htm">Shorewall Support
Guide</a>.<br> Guide</a>.<br>
</h1> </h1>
<p align="left">If you experience problems with any of these lists, please <p align="left">If you experience problems with any of these lists, please
let <a href="mailto:teastep@shorewall.net">me</a> know</p> let <a href="mailto:teastep@shorewall.net">me</a> know</p>
<h2 align="left">Not able to Post Mail to shorewall.net?</h2> <h2 align="left">Not able to Post Mail to shorewall.net?</h2>
<p align="left">You can report such problems by sending mail to tom dot eastep <p align="left">You can report such problems by sending mail to tmeastep
at hp dot com.</p> at hotmail dot com.</p>
<h2>A Word about SPAM Filters <a href="http://ordb.org"></a><a <h2>A Word about SPAM Filters <a href="http://ordb.org"></a><a
href="http://osirusoft.com/"> </a></h2> href="http://osirusoft.com/"> </a></h2>
<p>Before subscribing please read my <a href="spam_filters.htm">policy <p>Before subscribing please read my <a href="spam_filters.htm">policy
about list traffic that bounces.</a> Also please note that the mail server about list traffic that bounces.</a> Also please note that the mail server
at shorewall.net checks incoming mail:<br> at shorewall.net checks incoming mail:<br>
@ -114,14 +100,14 @@ record in DNS.</li>
list posts!!<br> list posts!!<br>
<br> <br>
I think that blocking all HTML is a Draconian way to control I think that blocking all HTML is a Draconian way to control
spam and that the ultimate losers here are not the spammers but the spam and that the ultimate losers here are not the spammers but the list
list subscribers whose MTAs are bouncing all shorewall.net mail. As subscribers whose MTAs are bouncing all shorewall.net mail. As one list
one list subscriber wrote to me privately "These e-mail admin's need to subscriber wrote to me privately "These e-mail admin's need to get a <i>(explitive
get a <i>(explitive deleted)</i> life instead of trying to rid the planet deleted)</i> life instead of trying to rid the planet of HTML based e-mail".
of HTML based e-mail". Nevertheless, to allow subscribers to receive list Nevertheless, to allow subscribers to receive list posts as must as possible,
posts as must as possible, I have now configured the list server at shorewall.net I have now configured the list server at shorewall.net to strip all HTML
to strip all HTML from outgoing posts. This means that HTML-only posts from outgoing posts. This means that HTML-only posts will be bounced by
will be bounced by the list server.<br> the list server.<br>
<p align="left"> <b>Note: </b>The list server limits posts to 120kb.<br> <p align="left"> <b>Note: </b>The list server limits posts to 120kb.<br>
</p> </p>
@ -138,20 +124,17 @@ than they help but I'm not prepared to go so far as to start stripping <i>Recei
<form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch"> <form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch">
<p> <font size="-1"> Match: <p> <font size="-1"> Match:
<select name="method"> <select name="method">
<option value="and">All </option> <option value="and">All </option>
<option value="or">Any </option> <option value="or">Any </option>
<option value="boolean">Boolean </option> <option value="boolean">Boolean </option>
</select> </select>
Format: Format:
<select name="format"> <select name="format">
<option value="builtin-long">Long </option> <option value="builtin-long">Long </option>
<option value="builtin-short">Short </option> <option value="builtin-short">Short </option>
</select> </select>
Sort by: Sort by:
<select name="sort"> <select name="sort">
<option value="score">Score </option> <option value="score">Score </option>
<option value="time">Time </option> <option value="time">Time </option>
@ -168,10 +151,9 @@ than they help but I'm not prepared to go so far as to start stripping <i>Recei
value=""> <input type="submit" value="Search"> </p> value=""> <input type="submit" value="Search"> </p>
</form> </form>
<h2 align="left"><font color="#ff0000">Please do not try to download the
<h2 align="left"><font color="#ff0000">Please do not try to download the entire entire Archive -- it is 75MB (and growing daily) and my slow DSL line simply
Archive -- it is 75MB (and growing daily) and my slow DSL line simply won't won't stand the traffic. If I catch you, you will be blacklisted.<br>
stand the traffic. If I catch you, you will be blacklisted.<br>
</font></h2> </font></h2>
<h2 align="left">Shorewall CA Certificate</h2> <h2 align="left">Shorewall CA Certificate</h2>
@ -212,9 +194,9 @@ stand the traffic. If I catch you, you will be blacklisted.<br>
<p align="left">The list archives are at <a <p align="left">The list archives are at <a
href="http://lists.shorewall.net/pipermail/shorewall-users/index.html">http://lists.shorewall.net/pipermail/shorewall-users</a>.</p> href="http://lists.shorewall.net/pipermail/shorewall-users/index.html">http://lists.shorewall.net/pipermail/shorewall-users</a>.</p>
<p align="left">Note that prior to 1/1/2002, the mailing list was hosted <p align="left">Note that prior to 1/1/2002, the mailing list was hosted at
at <a href="http://sourceforge.net">Sourceforge</a>. The archives from that <a href="http://sourceforge.net">Sourceforge</a>. The archives from that list
list may be found at <a may be found at <a
href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p> href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p>
<h2 align="left">Shorewall Announce Mailing List</h2> <h2 align="left">Shorewall Announce Mailing List</h2>
@ -271,20 +253,17 @@ to make this less confusing. To unsubscribe:</p>
<ul> <ul>
<li> <li>
<p align="left">Follow the same link above that you used to subscribe <p align="left">Follow the same link above that you used to subscribe
to the list.</p> to the list.</p>
</li> </li>
<li> <li>
<p align="left">Down at the bottom of that page is the following text: <p align="left">Down at the bottom of that page is the following text:
" To <b>unsubscribe</b> from <i>&lt;list name&gt;</i>, get a " To <b>unsubscribe</b> from <i>&lt;list name&gt;</i>, get a password
password reminder, or change your subscription options enter reminder, or change your subscription options enter your subscription
your subscription email address:". Enter your email address email address:". Enter your email address in the box and
in the box and click on the "<b>Unsubscribe</b> or edit options" button.</p> click on the "<b>Unsubscribe</b> or edit options" button.</p>
</li> </li>
<li> <li>
<p align="left">There will now be a box where you can enter your password <p align="left">There will now be a box where you can enter your password
and click on "Unsubscribe"; if you have forgotten your password, and click on "Unsubscribe"; if you have forgotten your password,
there is another button that will cause your password to be emailed there is another button that will cause your password to be emailed
@ -298,14 +277,15 @@ your subscription email address:". Enter your email address
<p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p> <p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p>
<p align="left"><font size="2">Last updated 2/24/2003 - <a <p align="left"><font size="2">Last updated 3/24/2003 - <a
href="http://www.shorewall.net/support.htm">Tom Eastep</a></font></p> href="http://www.shorewall.net/support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"> <font size="2">Copyright</font> © <p align="left"><a href="copyright.htm"> <font size="2">Copyright</font>
<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p> </p>
<br> <br>
<br> <br>
<br> <br>
<br>
</body> </body>
</html> </html>


@ -2,210 +2,88 @@
<html> <html>
<head> <head>
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.4</title> <title>Shoreline Firewall (Shorewall) 1.4</title>
<base target="_self"> <base target="_self">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="4" <table border="0" cellpadding="0" cellspacing="4"
style="border-collapse: collapse;" width="100%" id="AutoNumber3" style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td
<td width="100%" width="100%" height="90">
height="90">
<h1 align="center"> <font size="4"><i> <a <h1 align="center"> <font size="4"><i> <a
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4" href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4"
alt="Shorwall Logo" height="70" width="85" align="left" alt="Shorwall Logo" height="70" width="85" align="left"
src="images/washington.jpg" border="0"> src="images/washington.jpg" border="0">
</a></i></font><a </a></i></font><a
href="http://www.shorewall.net" target="_top"><img border="1" href="http://www.shorewall.net" target="_top"><img border="1"
src="images/shorewall.jpg" width="119" height="38" hspace="4" src="images/shorewall.jpg" width="119" height="38" hspace="4"
alt="(Shorewall Logo)" align="right" vspace="4"> alt="(Shorewall Logo)" align="right" vspace="4">
</a></h1> </a></h1>
<small><small><small><small><a <small><small><small><small><a
href="http://www.shorewall.net" target="_top"> </a></small></small></small></small><big></big> href="http://www.shorewall.net" target="_top"> </a></small></small></small></small>
<div align="center"> <div align="center">
<h1><font color="#ffffff">Shorewall 1.4</font><i><font <h1><font color="#ffffff">             Shorewall 1.4</font><i><font
color="#ffffff"> <small><small><small>"iptables made easy" </small></small></small></font></i></h1> color="#ffffff"> <small><small><small>"iptables made easy"</small></small></small></font></i><a
href="1.3" target="_top"><font color="#ffffff"><br>
<small><small><small><small>Shorewall 1.3 Site is here</small></small></small></small></font></a><a
href="http://www1.shorewall.net/1.2/index.htm"><font color="#ffffff"><br>
<small><small><small><small>Shorewall 1.2 Site is here</small></small></small></small></font></a><br>
</h1>
</div> </div>
<p><a href="http://www.shorewall.net" target="_top"> </a> </p>
<p><a href="http://www.shorewall.net" target="_top">
</a> </p>
<div align="center"><a href="1.3" target="_top"><font
color="#ffffff">Shorewall 1.3 Site is here</font></a>                  
            <br>
</div>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<div align="center"> <div align="center">
<center> <center>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"> style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody> <tbody>
<tr> <tr>
<td
<td width="90%"> width="90%">
<h2 align="left">What is it?</h2> <h2 align="left">What is it?</h2>
<p>The Shoreline Firewall, more commonly known as "Shorewall", is a
<a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
that can be used on a dedicated firewall system, a multi-function
<p>The Shoreline Firewall, more commonly known as "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
firewall that can be used on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system.</p> gateway/router/server or on a standalone GNU/Linux system.</p>
<p>This program is free software; you can redistribute it and/or modify <p>This program is free software; you can redistribute it and/or modify
it under the it under the
terms of <a href="http://www.gnu.org/licenses/gpl.html">Version terms of <a href="http://www.gnu.org/licenses/gpl.html">Version
2 of the GNU General Public License</a> as published by the Free 2 of the GNU General Public License</a> as published by the Free
Software Foundation.<br> Software Foundation.<br>
<br> <br>
This program is
This program is distributed distributed in the hope that it will be useful,
in the hope that it will be useful, but but WITHOUT ANY WARRANTY; without even the
WITHOUT ANY WARRANTY; without even the implied implied warranty of MERCHANTABILITY or FITNESS
warranty of MERCHANTABILITY or FITNESS FOR FOR A PARTICULAR PURPOSE. See the GNU General
A PARTICULAR PURPOSE. See the GNU General Public License Public License for more details.<br>
for more details.<br>
<br> <br>
You should have
You should have received received a copy of the GNU General Public
a copy of the GNU General Public License License along with this program; if
along with this program; if not, write not, write to the Free Software Foundation,
to the Free Software Foundation, Inc., 675 Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
Mass Ave, Cambridge, MA 02139, USA</p>
<p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p> <p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img <p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36"> border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques Nilo </a>Jacques Nilo
and Eric Wolzak have a LEAF (router/firewall/gateway and Eric Wolzak have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution on a floppy, CD or compact flash) distribution
@ -215,157 +93,155 @@ Software Foundation.<br>
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br> href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
</a></p> </a></p>
<p><b>Congratulations to Jacques and Eric on the recent release of Bering
1.1!!! </b><br>
<p><b>Congratulations to Jacques and Eric on the recent release of
Bering 1.1!!! </b><br>
</p> </p>
<h2>This is a mirror of the main Shorewall web site at SourceForge <h2>This is a mirror of the main Shorewall web site at SourceForge (<a
(<a href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2> href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
<h2>News</h2> <h2>News</h2>
<p><b>3/24/2003 - Shorewall 1.4.1 </b><b> </b><b><img <p><b>4/9/2003 - Shorewall 1.4.2</b><b> </b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)"> border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b><b> </b></p> </b><br>
This release follows up on 1.4.0. It corrects a problem introduced in 1.4.0 </p>
and removes additional warts.<br>
<p><b>    Problems Corrected:</b></p>
<blockquote>
<ol>
<li>TCP connection requests rejected out of the <b>common</b> chain
are now properly rejected with TCP RST; previously, some of these requests
were rejected with an ICMP port-unreachable response.</li>
<li>'traceroute -I' from behind the firewall previously timed out
on the first hop (e.g., to the firewall). This has been worked around.</li>
</ol>
</blockquote>
<p><b>    New Features:</b></p>
<blockquote>
<ol>
<li>Where an entry in the/etc/shorewall/hosts file specifies a
particular host or network, Shorewall now creates an intermediate chain for
handling input from the related zone. This can substantially reduce the number
of rules traversed by connections requests from such zones.<br>
<br> <br>
<b>Problems Corrected:</b><br> </li>
<ol> <li>Any file may include an INCLUDE directive. An INCLUDE directive
<li>When Shorewall 1.4.0 is run under the ash shell (such as on Bering/LEAF), consists of the word INCLUDE followed by a file name and causes the contents
it can attempt to add ECN disabling rules even if the /etc/shorewall/ecn of the named file to be logically included into the file containing the INCLUDE.
file is empty. That problem has been corrected so that ECN disabling rules File names given in an INCLUDE directive are assumed to reside in /etc/shorewall
are only added if there are entries in /etc/shorewall/ecn.</li> or in an alternate configuration directory if one has been specified for the
command. <br>
 <br>
   Examples:<br>
   shorewall/params.mgmt:<br>
   MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3<br>
   TIME_SERVERS=4.4.4.4<br>
   BACKUP_SERVERS=5.5.5.5<br>
   ----- end params.mgmt -----<br>
 <br>
 <br>
   shorewall/params:<br>
   # Shorewall 1.3 /etc/shorewall/params<br>
   [..]<br>
   #######################################<br>
 <br>
   INCLUDE params.mgmt    <br>
  <br>
   # params unique to this host here<br>
   #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE<br>
   ----- end params -----<br>
 <br>
 <br>
   shorewall/rules.mgmt:<br>
   ACCEPT net:$MGMT_SERVERS          $FW    tcp    22<br>
   ACCEPT $FW          net:$TIME_SERVERS    udp    123<br>
   ACCEPT $FW          net:$BACKUP_SERVERS  tcp    22<br>
   ----- end rules.mgmt -----<br>
 <br>
   shorewall/rules:<br>
   # Shorewall version 1.3 - Rules File<br>
   [..]<br>
   #######################################<br>
 <br>
   INCLUDE rules.mgmt     <br>
  <br>
   # rules unique to this host here<br>
   #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE<br>
   ----- end rules -----<br>
 <br>
INCLUDE's may be nested to a level of 3 -- further nested INCLUDE directives
are ignored with a warning message.<br>
<br>
</li>
<li>Routing traffic from an interface back out that interface continues
to be a problem. While I firmly believe that this should never happen, people
continue to want to do it. To limit the damage that such nonsense produces,
I have added a new 'routeback' option in /etc/shorewall/interfaces and /etc/shorewall/hosts.
When used in /etc/shorewall/interfaces, the 'ZONE' column may not contain
'-'; in other words, 'routeback' can't be used as an option for a multi-zone
interface. The 'routeback' option CAN be specified however on individual group
entries in /etc/shorewall/hosts.<br>
 <br>
The 'routeback' option is similar to the old 'multi' option with two exceptions:<br>
 <br>
   a) The option pertains to a particular zone,interface,address tuple.<br>
 <br>
   b) The option only created infrastructure to pass traffic from (zone,interface,address)
tuples back to themselves (the 'multi' option affected all (zone,interface,address)
tuples associated with the given 'interface').<br>
 <br>
See the '<a href="file:///Z:/Shorewall-docs/upgrade_issues.htm">Upgrade
Issues</a>' for information about how this new option may affect your configuration.<br>
</li>
</ol> </ol>
<b>New Features:</b><br>
<blockquote>Note: In the list that follows, the term <i>group </i>refers
to a particular network or subnetwork (which may be 0.0.0.0/0 or it may be
a host address) accessed through a particular interface. Examples:<br>
<blockquote>eth0:0.0.0.0/0<br>
eth2:192.168.1.0/24<br>
eth3:192.0.2.123<br>
</blockquote> </blockquote>
You can use the "shorewall check" command to see the groups associated with
each of your zones.<br> <p><b></b></p>
</blockquote>
<ol>
<li>Beginning with Shorewall 1.4.1, if a zone Z comprises more than
one group<i> </i>then if there is no explicit Z to Z policy and there are
no rules governing traffic from Z to Z then Shorewall will permit all traffic
between the groups in the zone.</li>
<li>Beginning with Shorewall 1.4.1, Shorewall will never create rules
to handle traffic from a group to itself.</li>
<li>A NONE policy is introduced in 1.4.1. When a policy of NONE is
specified from Z1 to Z2:</li>
</ol>
<ul>
<li>There may be no rules created that govern connections from Z1
to Z2.</li>
<li>Shorewall will not create any infrastructure to handle traffic
from Z1 to Z2.</li>
</ul>
See the <a href="upgrade_issues.htm">upgrade issues</a> for a discussion
of how these changes may affect your configuration.<br>
<p><a href="News.htm">More News</a></p> <p><a href="News.htm">More News</a></p>
<h2><a name="Donations"></a>Donations</h2> <h2><a name="Donations"></a>Donations</h2>
</td> </td>
<td
<td width="88" width="88" bgcolor="#4b017c" valign="top" align="center"> <br>
bgcolor="#4b017c" valign="top" align="center"> <a </td>
href="http://sourceforge.net">M</a></td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</center> </center>
</div> </div>
<table border="0" cellpadding="5" cellspacing="0" <table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2" style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td width="100%" <td width="100%"
style="margin-top: 1px;"> style="margin-top: 1px;">
<p align="center"><a href="http://www.starlight.org"> <img <p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left" border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10"> hspace="10">
</a></p> </a></p>
<p align="center"><font size="4" color="#ffffff">Shorewall is free but
if you try it and find it useful, please consider making a donation
<p align="center"><font size="4" color="#ffffff">Shorewall is free
but if you try it and find it useful, please consider making a donation
to <a to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight href="http://www.starlight.org"><font color="#ffffff">Starlight Children's
Children's Foundation.</font></a> Thanks!</font></p> Foundation.</font></a> Thanks!</font></p>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p><font size="2">Updated 4/7/2003 - <a href="support.htm">Tom Eastep</a></font>
<p><font size="2">Updated 3/21/2003 - <a href="support.htm">Tom Eastep</a></font>
<br> <br>
</p> </p>
<br> <br>
<br>
</body> </body>
</html> </html>


@ -2,450 +2,247 @@
<html> <html>
<head> <head>
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.3</title> <title>Shoreline Firewall (Shorewall) 1.3</title>
<base target="_self"> <base target="_self">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="4" <table border="0" cellpadding="0" cellspacing="4"
style="border-collapse: collapse;" width="100%" id="AutoNumber3" style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td
<td width="100%" width="100%" height="90">
height="90">
<h1 align="center"> <font size="4"><i> <a <h1 align="center"> <font size="4"><i> <a
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4" href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4"
alt="Shorwall Logo" height="70" width="85" align="left" alt="Shorwall Logo" height="70" width="85" align="left"
src="images/washington.jpg" border="0"> src="images/washington.jpg" border="0">
</a></i></font><font </a></i></font><font
color="#ffffff">Shorewall 1.4 - <font color="#ffffff">Shorewall 1.4 - <font
size="4">"<i>iptables made easy"</i></font></font><a size="4">"<i>iptables made easy"</i></font></font><br>
href="http://www.sf.net"> </a></h1> <a target="_top" href="1.3/index.html"><font color="#ffffff">
<small><small><small>Shorewall 1.3 Site here</small></small></small></font></a><br>
<a target="_top" href="http://www1.shorewall.net/1.2/index.htm"><font
color="#ffffff"><small><small><small>Shorewall 1.2 Site here<br>
</small></small></small></font></a>
<div align="center"><a href="/1.3/index.html" target="_top"><font
color="#ffffff">Shorewall 1.3 Site here</font></a></div>
</h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<div align="center"> <div align="center">
<center> <center>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"> style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody> <tbody>
<tr> <tr>
<td
<td width="90%"> width="90%">
<h2 align="left">What is it?</h2> <h2 align="left">What is it?</h2>
<p>The Shoreline Firewall, more commonly known as "Shorewall", is
<p>The Shoreline Firewall, more commonly known as  "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a> (iptables) a <a href="http://www.netfilter.org">Netfilter</a> (iptables)
based firewall that can be used on a dedicated firewall based firewall that can be used on a dedicated firewall
system, a multi-function gateway/router/server or on a standalone system, a multi-function gateway/router/server or on
GNU/Linux system.</p> a standalone GNU/Linux system.</p>
<p>This program is free software; you can redistribute it and/or modify <p>This program is free software; you can redistribute it and/or modify
it under the it under
terms of <a href="http://www.gnu.org/licenses/gpl.html">Version the terms of <a
2 of the GNU General Public License</a> as published by the Free href="http://www.gnu.org/licenses/gpl.html">Version 2 of the
Software Foundation.<br> GNU General Public License</a> as published by the Free Software
Foundation.<br>
<br> <br>
This program
This program is distributed is distributed in the hope that it will
in the hope that it will be useful, but be useful, but WITHOUT ANY WARRANTY; without
WITHOUT ANY WARRANTY; without even the implied even the implied warranty of MERCHANTABILITY
warranty of MERCHANTABILITY or FITNESS FOR or FITNESS FOR A PARTICULAR PURPOSE. See the
A PARTICULAR PURPOSE. See the GNU General Public GNU General Public License for more details.<br>
License for more details.<br>
<br> <br>
You should have
You should have received received a copy of the GNU General Public
a copy of the GNU General Public License License along with this program; if
along with this program; if not, write not, write to the Free Software Foundation,
to the Free Software Foundation, Inc., 675 Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
Mass Ave, Cambridge, MA 02139, USA</p>
<p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p> <p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img <p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36"> border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques Nilo
</a>Jacques and Eric Wolzak have a LEAF (router/firewall/gateway
Nilo and Eric Wolzak have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution on a floppy, CD or compact flash) distribution
called <i>Bering</i> that features called <i>Bering</i> that features
Shorewall-1.3.14 and Kernel-2.4.20. You can find Shorewall-1.3.14 and Kernel-2.4.20. You can
their work at: <a find their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p> href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
<b>Congratulations <b>Congratulations
to Jacques and Eric on the recent release of Bering to Jacques and Eric on the recent release of Bering
1.1!!! <br> 1.1!!! <br>
</b> </b>
<h2><b>News</b></h2>
<h2>News</h2>
<p><b>3/24/2003 - Shorewall 1.4.1 </b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
 </b><b> </b></p>
<b> </b> <b> </b>
<p><b>4/9/2003 - Shorewall 1.4.2</b><b> </b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b><br>
<ul>
</ul>
<p>This release follows up on 1.4.0. It corrects a problem introduced
in 1.4.0 and removes additional warts.<br>
<br>
<b>Problems Corrected:</b><br>
</p> </p>
<p><b>    Problems Corrected:</b></p>
<blockquote>
<ol> <ol>
<li>When Shorewall 1.4.0 is run under the ash shell (such as on Bering/LEAF), <li>TCP connection requests rejected out of the <b>common</b> chain
it can attempt to add ECN disabling rules even if the /etc/shorewall/ecn file are now properly rejected with TCP RST; previously, some of these requests
is empty. That problem has been corrected so that ECN disabling rules are were rejected with an ICMP port-unreachable response.</li>
only added if there are entries in /etc/shorewall/ecn.</li> <li>'traceroute -I' from behind the firewall previously timed out
on the first hop (e.g., to the firewall). This has been worked around.</li>
</ol> </ol>
<b>New Features:</b><br>
<blockquote>Note: In the list that follows, the term <i>group </i>refers
to a particular network or subnetwork (which may be 0.0.0.0/0 or it may be
a host address) accessed through a particular interface. Examples:<br>
<blockquote>eth0:0.0.0.0/0<br>
eth2:192.168.1.0/24<br>
eth3:192.0.2.123<br>
</blockquote>
You can use the "shorewall check" command to see the groups associated with
each of your zones.<br>
</blockquote> </blockquote>
<p><b>    New Features:</b></p>
<blockquote>
<ol> <ol>
<li>Beginning with Shorewall 1.4.1, if a zone Z comprises more than <li>Where an entry in the/etc/shorewall/hosts file specifies a
one group<i> </i>then if there is no explicit Z to Z policy and there are particular host or network, Shorewall now creates an intermediate chain for
no rules governing traffic from Z to Z then Shorewall will permit all traffic handling input from the related zone. This can substantially reduce the number
between the groups in the zone.</li> of rules traversed by connections requests from such zones.<br>
<li>Beginning with Shorewall 1.4.1, Shorewall will never create rules <br>
to handle traffic from a group to itself.</li> </li>
<li>A NONE policy is introduced in 1.4.1. When a policy of NONE is <li>Any file may include an INCLUDE directive. An INCLUDE directive
specified from Z1 to Z2:</li> consists of the word INCLUDE followed by a file name and causes the contents
of the named file to be logically included into the file containing the INCLUDE.
File names given in an INCLUDE directive are assumed to reside in /etc/shorewall
or in an alternate configuration directory if one has been specified for the
command. <br>
 <br>
   Examples:<br>
   shorewall/params.mgmt:<br>
   MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3<br>
   TIME_SERVERS=4.4.4.4<br>
   BACKUP_SERVERS=5.5.5.5<br>
   ----- end params.mgmt -----<br>
 <br>
 <br>
   shorewall/params:<br>
   # Shorewall 1.3 /etc/shorewall/params<br>
   [..]<br>
   #######################################<br>
 <br>
   INCLUDE params.mgmt    <br>
  <br>
   # params unique to this host here<br>
   #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE<br>
   ----- end params -----<br>
 <br>
 <br>
   shorewall/rules.mgmt:<br>
   ACCEPT net:$MGMT_SERVERS          $FW    tcp    22<br>
   ACCEPT $FW          net:$TIME_SERVERS    udp    123<br>
   ACCEPT $FW          net:$BACKUP_SERVERS  tcp    22<br>
   ----- end rules.mgmt -----<br>
 <br>
   shorewall/rules:<br>
   # Shorewall version 1.3 - Rules File<br>
   [..]<br>
   #######################################<br>
 <br>
   INCLUDE rules.mgmt     <br>
  <br>
   # rules unique to this host here<br>
   #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE<br>
   ----- end rules -----<br>
 <br>
INCLUDE's may be nested to a level of 3 -- further nested INCLUDE directives
are ignored with a warning message.<br>
<br>
</li>
<li>Routing traffic from an interface back out that interface continues
to be a problem. While I firmly believe that this should never happen, people
continue to want to do it. To limit the damage that such nonsense produces,
I have added a new 'routeback' option in /etc/shorewall/interfaces and /etc/shorewall/hosts.
When used in /etc/shorewall/interfaces, the 'ZONE' column may not contain
'-'; in other words, 'routeback' can't be used as an option for a multi-zone
interface. The 'routeback' option CAN be specified however on individual group
entries in /etc/shorewall/hosts.<br>
 <br>
The 'routeback' option is similar to the old 'multi' option with two exceptions:<br>
 <br>
   a) The option pertains to a particular zone,interface,address tuple.<br>
 <br>
   b) The option only created infrastructure to pass traffic from (zone,interface,address)
tuples back to themselves (the 'multi' option affected all (zone,interface,address)
tuples associated with the given 'interface').<br>
 <br>
See the '<a href="file:///Z:/Shorewall-docs/upgrade_issues.htm">Upgrade
Issues</a>' for information about how this new option may affect your configuration.<br>
</li>
</ol> </ol>
</blockquote>
<ul> <p><a href="file:///Z:/Shorewall-docs/News.htm"></a></p>
<li>There may be no rules created that govern connections from Z1 <b> </b>
to Z2.</li> <p><b><a href="News.htm">More News</a></b></p>
<li>Shorewall will not create any infrastructure to handle traffic <b> </b>
from Z1 to Z2.</li> <h2><b> </b></h2>
</ul> <b> </b>
See the <a href="upgrade_issues.htm">upgrade issues</a> for a discussion <h1 align="center"><b><a href="http://www.sf.net"><img
of how these changes may affect your configuration. align="left" alt="SourceForge Logo"
<p><a href="News.htm">More News</a></p>
<h2> </h2>
<h1 align="center"><a href="http://www.sf.net"><img align="left"
alt="SourceForge Logo"
src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3"> src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3">
</a></h1>
<h4> </h4>
<h2>This site is hosted by the generous folks at <a
href="http://www.sf.net">SourceForge.net</a> </h2>
<h2><a name="Donations"></a>Donations</h2>
</a></b></h1>
<b> </b>
<h4><b> </b></h4>
<b> </b>
<h2><b>This site is hosted by the generous folks at <a
href="http://www.sf.net">SourceForge.net</a> </b></h2>
<b> </b>
<h2><b><a name="Donations"></a>Donations</b></h2>
<b> </b></td>
<td
width="88" bgcolor="#4b017c" valign="top" align="center"> <br>
</td> </td>
<td width="88"
bgcolor="#4b017c" valign="top" align="center"> <br>
</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</center> </center>
</div> </div>
<table border="0" cellpadding="5" cellspacing="0" <table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2" style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td width="100%" <td width="100%"
style="margin-top: 1px;"> style="margin-top: 1px;">
<p align="center"><a href="http://www.starlight.org"> <img <p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left" border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10"> hspace="10">
</a></p> </a></p>
<p align="center"><font size="4" color="#ffffff">Shorewall is free <p align="center"><font size="4" color="#ffffff">Shorewall is free
but if you try it and find it useful, please consider making a donation but if you try it and find it useful, please consider making a donation
to <a to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight href="http://www.starlight.org"><font color="#ffffff">Starlight Children's
Children's Foundation.</font></a> Thanks!</font></p> Foundation.</font></a> Thanks!</font></p>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p><font size="2">Updated 4/7/2003 - <a href="support.htm">Tom Eastep</a></font>
<p><font size="2">Updated 3/21/2003 - <a href="support.htm">Tom Eastep</a></font>
<br> <br>
</p> </p>
<br>
<br>
</body> </body>
</html> </html>


@ -61,8 +61,8 @@
    If you edit your configuration files on a Windows system, you     If you edit your configuration files on a Windows system, you
must save them as Unix files if your editor supports that option or you must save them as Unix files if your editor supports that option or you
must run them through dos2unix before trying to use them. Similarly, if must run them through dos2unix before trying to use them. Similarly, if
you copy a configuration file from your Windows hard drive to a floppy you copy a configuration file from your Windows hard drive to a floppy disk,
disk, you must run dos2unix against the copy before using it with Shorewall.</p> you must run dos2unix against the copy before using it with Shorewall.</p>
<ul> <ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
@ -77,21 +77,21 @@ disk, you must run dos2unix against the copy before using it with Shorewall.</p
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13" <p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
alt=""> alt="">
    The configuration files for Shorewall are contained in the directory     The configuration files for Shorewall are contained in the directory
/etc/shorewall -- for simple setups, you only need to deal with a few /etc/shorewall -- for simple setups, you only need to deal with a few of
of these as described in this guide. After you have <a these as described in this guide. After you have <a
href="Install.htm">installed Shorewall</a>, <b>download the <a href="Install.htm">installed Shorewall</a>, <b>download the <a
href="/pub/shorewall/LATEST.samples/one-interface.tgz">one-interface sample</a>, href="http://www.shorewall.net/pub/shorewall/LATEST.samples/one-interface.tgz">one-interface
un-tar it (tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewall sample</a>, un-tar it (tar -zxvf one-interface.tgz) and and copy the files
(they will replace files with the same names that were placed in /etc/shorewall to /etc/shorewall (they will replace files with the same names that were
during Shorewall installation)</b>.</p> placed in /etc/shorewall during Shorewall installation)</b>.</p>
<p>As each file is introduced, I suggest that you look through the actual <p>As each file is introduced, I suggest that you look through the actual
file on your system -- each file contains detailed configuration instructions file on your system -- each file contains detailed configuration instructions
and default entries.</p> and default entries.</p>
<p>Shorewall views the network where it is running as being composed of a <p>Shorewall views the network where it is running as being composed of a
set of <i>zones.</i> In the one-interface sample configuration, only set of <i>zones.</i> In the one-interface sample configuration, only one
one zone is defined:</p> zone is defined:</p>
<table border="0" style="border-collapse: collapse;" cellpadding="3" <table border="0" style="border-collapse: collapse;" cellpadding="3"
cellspacing="0" id="AutoNumber2"> cellspacing="0" id="AutoNumber2">
@ -132,8 +132,8 @@ one zone is defined:</p>
the request is first checked against the rules in /etc/shorewall/common the request is first checked against the rules in /etc/shorewall/common
(the samples provide that file for you).</p> (the samples provide that file for you).</p>
<p>The /etc/shorewall/policy file included with the one-interface sample <p>The /etc/shorewall/policy file included with the one-interface sample has
has the following policies:</p> the following policies:</p>
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -177,8 +177,8 @@ has the following policies:</p>
<ol> <ol>
<li>allow all connection requests from the firewall to the internet</li> <li>allow all connection requests from the firewall to the internet</li>
<li>drop (ignore) all connection requests from the internet to your <li>drop (ignore) all connection requests from the internet to
firewall</li> your firewall</li>
<li>reject all other connection requests (Shorewall requires this <li>reject all other connection requests (Shorewall requires this
catchall policy).</li> catchall policy).</li>
@ -191,21 +191,21 @@ has the following policies:</p>
<p align="left">The firewall has a single network interface. Where Internet <p align="left">The firewall has a single network interface. Where Internet
connectivity is through a cable or DSL "Modem", the <i>External Interface</i> connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
will be the ethernet adapter (<b>eth0</b>) that is connected to that will be the ethernet adapter (<b>eth0</b>) that is connected to that "Modem" 
"Modem"  <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol
<u>P</u>rotocol over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling
<u>T</u>unneling <u>P</u>rotocol </i>(PPTP) in which case the External <u>P</u>rotocol </i>(PPTP) in which case the External Interface will be
Interface will be a <b>ppp0</b>. If you connect via a regular modem, your a <b>ppp0</b>. If you connect via a regular modem, your External Interface
External Interface will also be <b>ppp0</b>. If you connect using ISDN, will also be <b>ppp0</b>. If you connect using ISDN, your external interface
your external interface will be<b> ippp0.</b></p> will be<b> ippp0.</b></p>
<p align="left"><img border="0" src="images/BD21298_3.gif" width="13" <p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
height="13"> height="13">
    The Shorewall one-interface sample configuration assumes that     The Shorewall one-interface sample configuration assumes that the
the external interface is <b>eth0</b>. If your configuration is different, external interface is <b>eth0</b>. If your configuration is different,
you will have to modify the sample /etc/shorewall/interfaces file accordingly. you will have to modify the sample /etc/shorewall/interfaces file accordingly.
While you are there, you may wish to review the list of options that While you are there, you may wish to review the list of options that are
are specified for the interface. Some hints:</p> specified for the interface. Some hints:</p>
<ul> <ul>
<li> <li>
@ -214,8 +214,8 @@ are specified for the interface. Some hints:</p>
</li> </li>
<li> <li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b> <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>
or if you have a static IP address, you can remove "dhcp" from the or if you have a static IP address, you can remove "dhcp" from the option
option list. </p> list. </p>
</li> </li>
</ul> </ul>
@ -284,8 +284,8 @@ should remove the 'norfc1918' option from the entry in /etc/shorewall/interf
</div> </div>
<div align="left"> <div align="left">
<p align="left">Example - You want to run a Web Server and a POP3 Server <p align="left">Example - You want to run a Web Server and a POP3 Server on
on your firewall system:</p> your firewall system:</p>
</div> </div>
<div align="left"> <div align="left">
@ -327,8 +327,8 @@ on your firewall system:</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left">If you don't know what port and protocol a particular <p align="left">If you don't know what port and protocol a particular application
application uses, see <a href="ports.htm">here</a>.</p> uses, see <a href="ports.htm">here</a>.</p>
</div> </div>
<div align="left"> <div align="left">
@ -384,7 +384,8 @@ application uses, see <a href="ports.htm">here</a>.</p>
your system to start Shorewall at system boot but beginning with Shorewall your system to start Shorewall at system boot but beginning with Shorewall
version 1.3.9 startup is disabled so that your system won't try to start version 1.3.9 startup is disabled so that your system won't try to start
Shorewall before configuration is complete. Once you have completed configuration Shorewall before configuration is complete. Once you have completed configuration
of your firewall, you can enable Shorewall startup by removing the file /etc/shorewall/startup_disabled.<br> of your firewall, you can enable Shorewall startup by removing the file
/etc/shorewall/startup_disabled.<br>
</p> </p>
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Users of the .deb <p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Users of the .deb
@ -425,5 +426,6 @@ Thomas M. Eastep</font></a></p>
<br> <br>
<br> <br>
<br> <br>
<br>
</body> </body>
</html> </html>


@ -1,14 +1,19 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Standalone Firewall</title> <title>Standalone Firewall</title>
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber6" bgcolor="#400169" height="90"> id="AutoNumber6" bgcolor="#400169" height="90">
@ -18,75 +23,91 @@
<h1 align="center"><font color="#ffffff">Standalone Firewall</font></h1> <h1 align="center"><font color="#ffffff">Standalone Firewall</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<h2 align="center">Version 2.0.1 Française</h2> <h2 align="center">Version 2.0.1 Française</h2>
<p align="left"><small><i><u>Notes du traducteur</u> :<br> <p align="left"><small><i><u>Notes du traducteur</u> :<br>
Je ne prétends pas être un vrai traducteur dans le sens ou mon travail Je ne prétends pas être un vrai traducteur dans le sens ou mon travail n'est
n'est pas des plus précis (loin de là...). Je ne me suis pas attaché à pas des plus précis (loin de là...). Je ne me suis pas attaché à une traduction
une traduction exacte du texte, mais plutôt à en faire une version exacte du texte, mais plutôt à en faire une version française intelligible
française intelligible par tous (et par moi). Les termes techniques sont par tous (et par moi). Les termes techniques sont la plupart du temps conservés
la plupart du temps conservés sous leur forme originale et mis entre sous leur forme originale et mis entre parenthèses car vous pouvez les retrouver
parenthèses car vous pouvez les retrouver dans le reste des dans le reste des documentations ainsi que dans les fichiers de configuration.
documentations ainsi que dans les fichiers de configuration. N?hésitez N?hésitez pas à me contacter afin d?améliorer ce document <a
pas à me contacter afin d?améliorer ce document <a href="mailto:vetsel.patrice@wanadoo.fr">VETSEL Patrice</a> (merci à JMM pour
href="mailto:vetsel.patrice@wanadoo.fr">VETSEL Patrice</a> (merci à JMM sa relecture et ses commentaires pertinents, ainsi qu'à Tom EASTEP pour son
pour sa relecture et ses commentaires pertinents, ainsi qu'à Tom EASTEP formidable outil et sa disponibilité)</i><i>.</i></small></p>
pour son formidable outil et sa disponibilité)</i><i>.</i></small></p>
<p align="left">Mettre en place un système Linux en tant que firewall <p align="left">Mettre en place un système Linux en tant que firewall (écluse)
(écluse) pour un petit réseau est une chose assez simple, si vous pour un petit réseau est une chose assez simple, si vous comprenez les bases
comprenez les bases et suivez la documentation.</p> et suivez la documentation.</p>
<p>Ce guide ne veut pas vous apprendre tous les rouages de Shorewall.
Il se focalise sur ce qui est nécessaire pour configurer Shorewall, dans <p>Ce guide ne veut pas vous apprendre tous les rouages de Shorewall. Il
son utilisation la plus courante :</p> se focalise sur ce qui est nécessaire pour configurer Shorewall, dans son
utilisation la plus courante :</p>
<ul> <ul>
<li>Un système Linux</li> <li>Un système Linux</li>
<li>Une seule adresse IP externe</li> <li>Une seule adresse IP externe</li>
<li>Une connexion passant par un modem câble, ADSL, ISDN, Frame <li>Une connexion passant par un modem câble, ADSL, ISDN, Frame Relay,
Relay, rtc...</li> rtc...</li>
</ul> </ul>
<p>Ce guide suppose que vous avez le paquet iproute/iproute2
d'installé. Vous pouvez voir si le paquet est installé en vérifiant la <p>Ce guide suppose que vous avez le paquet iproute/iproute2 d'installé.
présence du programme ip sur votre système de firewall. Sous root, Vous pouvez voir si le paquet est installé en vérifiant la présence du programme
utilisez la commande 'which' pour rechercher le programme :</p> ip sur votre système de firewall. Sous root, utilisez la commande 'which'
pour rechercher le programme :</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre> <pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
<p>Je vous recommande dans un premier temps de parcourir tout le guide
pour vous familiariser avec ce qu'il va se passer, et de revenir au <p>Je vous recommande dans un premier temps de parcourir tout le guide pour
début en effectuant le changements dans votre configuration. Les points, vous familiariser avec ce qu'il va se passer, et de revenir au début en effectuant
où les changements dans la configuration sont recommandées, sont le changements dans votre configuration. Les points, où les changements dans
signalés par une <img border="0" src="images/BD21298_.gif" width="13" la configuration sont recommandées, sont signalés par une <img
height="13"> .</p> border="0" src="images/BD21298_.gif" width="13" height="13">
<p><img border="0" src="images/j0213519.gif" width="60" height="60"> Si .</p>
vous éditez vos fichiers de configuration sur un système Windows, vous
devez les sauver comme des fichiers Unix si votre éditeur supporte cette <p><img border="0" src="images/j0213519.gif" width="60" height="60">
option sinon vous devez les faire passer par dos2unix avant d'essayer de Si vous éditez vos fichiers de configuration sur un système Windows, vous
les utiliser. De la même manière, si vous copiez un fichier de devez les sauver comme des fichiers Unix si votre éditeur supporte cette option
configuration depuis votre disque dur Windows vers une disquette, vous sinon vous devez les faire passer par dos2unix avant d'essayer de les utiliser.
devez lancer dos2unix sur la copie avant de l'utiliser avec Shorewall.</p> De la même manière, si vous copiez un fichier de configuration depuis votre
disque dur Windows vers une disquette, vous devez lancer dos2unix sur la
copie avant de l'utiliser avec Shorewall.</p>
<ul> <ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
of dos2unix</a></li> of dos2unix</a></li>
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux <li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version
Version of dos2unix</a></li> of dos2unix</a></li>
</ul> </ul>
<h2 align="left">Les Concepts de Shorewall</h2> <h2 align="left">Les Concepts de Shorewall</h2>
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13" <p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
alt=""> Les fichiers de configuration pour Shorewall sont situés dans alt="">
le répertoire /etc/shorewall -- pour de simples paramétrages, vous Les fichiers de configuration pour Shorewall sont situés dans le répertoire
n'avez à faire qu'avec quelques un d'entre eux comme décris dans ce /etc/shorewall -- pour de simples paramétrages, vous n'avez à faire qu'avec
guide. Après avoir <a href="Install.htm">installé Shorewall</a>, <b>téléchargez quelques un d'entre eux comme décris dans ce guide. Après avoir <a
le <a href="/pub/shorewall/LATEST.samples/one-interface.tgz">one-interface href="Install.htm">installé Shorewall</a>, <b>téléchargez le <a
sample</a>, un-tarez le (tar -zxvf one-interface.tgz) et copiez les href="http://france.shorewall.net/pub/shorewall/LATEST.samples/one-interface.tgz">one-interface
fichiers vers /etc/shorewall (Ils remplaceront les fichiers de même nom sample</a>, un-tarez le (tar -zxvf one-interface.tgz) et copiez les fichiers
déjà existant dans /etc/shorewall installés lors de l'installation de vers /etc/shorewall (Ils remplaceront les fichiers de même nom déjà existant
Shorewall)</b>.</p> dans /etc/shorewall installés lors de l'installation de Shorewall)</b>.</p>
<p>Parallèlement à la description, je vous suggère de jeter un oeil à
ceux physiquement présents sur votre système -- chacun des fichiers <p>Parallèlement à la description, je vous suggère de jeter un oeil à ceux
contient des instructions de configuration détaillées et des entrées par physiquement présents sur votre système -- chacun des fichiers contient des
défaut.</p> instructions de configuration détaillées et des entrées par défaut.</p>
<p>Shorewall voit le réseau où il tourne comme composé par un ensemble
de <i>zones.</i> Dans les fichiers de configuration fournis pour une <p>Shorewall voit le réseau où il tourne comme composé par un ensemble de
unique interface, une seule zone est définie :</p> <i>zones.</i> Dans les fichiers de configuration fournis pour une unique
interface, une seule zone est définie :</p>
<table border="0" style="border-collapse: collapse;" cellpadding="3" <table border="0" style="border-collapse: collapse;" cellpadding="3"
cellspacing="0" id="AutoNumber2"> cellspacing="0" id="AutoNumber2">
<tbody> <tbody>
@ -98,30 +119,39 @@ unique interface, une seule zone est d
<td><b>net</b></td> <td><b>net</b></td>
<td><b>The Internet</b></td> <td><b>The Internet</b></td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p>Les zones de Shorewall sont définies dans <a <p>Les zones de Shorewall sont définies dans <a
href="Documentation.htm#Zones"> /etc/shorewall/zones</a>.</p> href="Documentation.htm#Zones"> /etc/shorewall/zones</a>.</p>
<p>Shorewall reconnaît aussi le système de firewall comme sa propre
zone - par défaut, le firewall lui-même est connu en tant que <b>fw</b>.</p> <p>Shorewall reconnaît aussi le système de firewall comme sa propre zone
<p>Les règles concernant le trafic à autoriser ou à interdire sont - par défaut, le firewall lui-même est connu en tant que <b>fw</b>.</p>
exprimées en utilisant les termes de zones.</p>
<p>Les règles concernant le trafic à autoriser ou à interdire sont exprimées
en utilisant les termes de zones.</p>
<ul> <ul>
<li>Vous exprimez les politiques par défaut pour les connexions d'une <li>Vous exprimez les politiques par défaut pour les connexions d'une zone
zone à une autre dans le fichier<a href="Documentation.htm#Policy"> à une autre dans le fichier<a href="Documentation.htm#Policy"> /etc/shorewall/policy
/etc/shorewall/policy </a>.</li> </a>.</li>
<li>Vous définissez les exceptions à ces règles de politiques par <li>Vous définissez les exceptions à ces règles de politiques par défaut
défaut dans le fichier <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li> dans le fichier <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
</ul> </ul>
<p>Pour chacune des demandes de connexion entrantes dans le firewall,
les demandes sont en premier lieu comparées par rapport au fichier <p>Pour chacune des demandes de connexion entrantes dans le firewall, les
/etc/shorewall/rules. Si aucune des règles dans ce fichier ne demandes sont en premier lieu comparées par rapport au fichier /etc/shorewall/rules.
correspondent, alors la première politique dans /etc/shorewall/policy Si aucune des règles dans ce fichier ne correspondent, alors la première
qui y correspond est appliquée. Si cette politique est REJECT ou DROP la politique dans /etc/shorewall/policy qui y correspond est appliquée. Si cette
requête est alors comparée par rapport aux règles contenues dans politique est REJECT ou DROP la requête est alors comparée par rapport aux
/etc/shorewall/common (l'archive d'exemple vous fournit ce fichier).</p> règles contenues dans /etc/shorewall/common (l'archive d'exemple vous fournit
<p>Le fichier /etc/shorewall/policy d'exemple contenu dans l'archive ce fichier).</p>
one-interface a les politiques suivantes :</p>
<p>Le fichier /etc/shorewall/policy d'exemple contenu dans l'archive one-interface
a les politiques suivantes :</p>
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber3"> id="AutoNumber3">
@ -159,80 +189,95 @@ one-interface a les politiques suivantes :</p>
<td> <br> <td> <br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
<pre> </pre> <pre> </pre>
Ces politiques vont : Ces politiques vont :
<ol> <ol>
<li>permettre toutes demandes de connexion depuis le firewall vers <li>permettre toutes demandes de connexion depuis le firewall vers l'Internet</li>
l'Internet</li> <li>drop (ignorer) toutes les demandes de connexion depuis l'Internet vers
<li>drop (ignorer) toutes les demandes de connexion depuis l'Internet votre firewall</li>
vers votre firewall</li> <li>rejeter toutes les autres requêtes de connexion (Shorewall à besoin
<li>rejeter toutes les autres requêtes de connexion (Shorewall à de cette politique).</li>
besoin de cette politique).</li>
</ol> </ol>
<p>A ce point, éditez votre /etc/shorewall/policy et faites y les
changements que vous désirez.</p> <p>A ce point, éditez votre /etc/shorewall/policy et faites y les changements
que vous désirez.</p>
<h2 align="left">Interface Externe</h2> <h2 align="left">Interface Externe</h2>
<p align="left">Le firewall possède une seule interface réseau. Lorsque
la connexion Internet passe par un modem câble ou par un routeur ADSL <p align="left">Le firewall possède une seule interface réseau. Lorsque la
(pas un simple modem), l'<i>External Interface</i> (interface externe) connexion Internet passe par un modem câble ou par un routeur ADSL (pas un
sera l'adaptateur ethernet (<b>eth0</b>) qui y est connecté <u>à moins simple modem), l'<i>External Interface</i> (interface externe) sera l'adaptateur
que</u> vous vous connectiez par <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol ethernet (<b>eth0</b>) qui y est connecté <u>à moins que</u> vous vous connectiez
over <u>E</u>thernet</i> (PPPoE) ou <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling<u>P</u>rotocol</i>(PPTP) par <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol over <u>E</u>thernet</i>
dans ce cas l'interface externe sera <b>ppp0</b>. Si vous vous (PPPoE) ou <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling<u>P</u>rotocol</i>(PPTP)
connectez par un simple modem (RTC), votre interface externe sera aussi <b>ppp0</b>. dans ce cas l'interface externe sera <b>ppp0</b>. Si vous vous connectez
Si vous vous connectez en utilisant l'ISDN (numéris), votre interface par un simple modem (RTC), votre interface externe sera aussi <b>ppp0</b>.
externe sera<b> ippp0.</b></p> Si vous vous connectez en utilisant l'ISDN (numéris), votre interface externe
sera<b> ippp0.</b></p>
<p align="left"><img border="0" src="images/BD21298_3.gif" width="13" <p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
height="13"> L'exemple de configuration de Shorewall pour une interface height="13">
suppose que votre interface externe est <b>eth0</b>. Si votre L'exemple de configuration de Shorewall pour une interface suppose que votre
configuration est différente, vous devrez modifier le fichier d'exemple interface externe est <b>eth0</b>. Si votre configuration est différente,
/etc/shorewall/interfaces en conséquence. Puisque vous y êtes, vous vous devrez modifier le fichier d'exemple /etc/shorewall/interfaces en conséquence.
pourriez parcourir la liste d'options qui sont spécifiées pour Puisque vous y êtes, vous pourriez parcourir la liste d'options qui sont
l'interface. Quelques astuces :</p> spécifiées pour l'interface. Quelques astuces :</p>
<ul> <ul>
<li> <li>
<p align="left">Si votre interface externe est <b>ppp0</b> ou <b>ippp0</b>, <p align="left">Si votre interface externe est <b>ppp0</b> ou <b>ippp0</b>,
vous pouvez remplacer le "detect" dans la seconde colonne par un vous pouvez remplacer le "detect" dans la seconde colonne par un "-".
"-". </p> </p>
</li> </li>
<li> <li>
<p align="left"> Si votre interface externe est <b>ppp0</b> ou <b>ippp0</b> <p align="left"> Si votre interface externe est <b>ppp0</b> ou <b>ippp0</b>
ou bien si vous avez une adresse IP statique, vous pouvez enlever le ou bien si vous avez une adresse IP statique, vous pouvez enlever le "dhcp"
"dhcp" de la liste d'option. </p> de la liste d'option. </p>
</li> </li>
</ul> </ul>
<div align="left"> <div align="left">
<h2 align="left">Adresse IP</h2> <h2 align="left">Adresse IP</h2>
</div> </div>
<div align="left"> <div align="left">
<p align="left">La RFC 1918 définie plusieurs plage d'adresses IP <p align="left">La RFC 1918 définie plusieurs plage d'adresses IP privée
privée (<i>Private</i>IP) pour l'utilisation dans des réseaux privés :</p> (<i>Private</i>IP) pour l'utilisation dans des réseaux privés :</p>
<div align="left"> <div align="left">
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre> <pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
</div> </div>
<p align="left">Ces adresses sont parfois désignées comme étant <i>non-routables</i> <p align="left">Ces adresses sont parfois désignées comme étant <i>non-routables</i>
car les routeurs sur les backbones Internet ne font pas passer les car les routeurs sur les backbones Internet ne font pas passer les paquets
paquets dont les adresses de destinations sont définies dans la RFC dont les adresses de destinations sont définies dans la RFC 1918. Dans certains
1918. Dans certains cas, les fournisseurs (provider ou ISP) utilisent cas, les fournisseurs (provider ou ISP) utilisent ces adresses et utilisent
ces adresses et utilisent le <i>Network Address Translation </i>afin le <i>Network Address Translation </i>afin de récrire les entêtes des paquets
de récrire les entêtes des paquets lorsqu'ils les font circuler depuis lorsqu'ils les font circuler depuis ou vers l'Internet.</p>
ou vers l'Internet.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" align="left" <p align="left"><img border="0" src="images/BD21298_.gif" align="left"
width="13" height="13"> Avant de lancer Shorewall, vous devriez width="13" height="13">
regarder l'adresse de votre interface externe et si elle est comprise Avant de lancer Shorewall, vous devriez regarder l'adresse de votre interface
dans une des plages précédentes, vous devriez enlever l'option externe et si elle est comprise dans une des plages précédentes, vous devriez
'norfc1918' dans le fichier /etc/shorewall/interfaces.</p> enlever l'option 'norfc1918' dans le fichier /etc/shorewall/interfaces.</p>
</div> </div>
<div align="left"> <div align="left">
<h2 align="left">Permettre d'autres connexions</h2> <h2 align="left">Permettre d'autres connexions</h2>
</div> </div>
<div align="left"> <div align="left">
<p align="left">Si vous désirez autoriser d'autres connexions depuis <p align="left">Si vous désirez autoriser d'autres connexions depuis l'Internet
l'Internet vers votre firewall, le format général est :</p> vers votre firewall, le format général est :</p>
</div> </div>
<div align="left"> <div align="left">
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -258,14 +303,17 @@ l'Internet vers votre firewall, le format g
<td> <br> <td> <br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
</div> </div>
<div align="left"> <div align="left">
<p align="left">Exemple - Vous voulez faire tourner un serveur Web et <p align="left">Exemple - Vous voulez faire tourner un serveur Web et un
un serveur POP3 sur votre système de firewall :</p> serveur POP3 sur votre système de firewall :</p>
</div> </div>
<div align="left"> <div align="left">
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -302,20 +350,24 @@ un serveur POP3 sur votre syst
<td> <br> <td> <br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
</div> </div>
<div align="left"> <div align="left">
<p align="left">Si vous ne savez pas quel port ou protocole une <p align="left">Si vous ne savez pas quel port ou protocole une application
application particulière utilise, regardez <a href="ports.htm">ici</a>.</p> particulière utilise, regardez <a href="ports.htm">ici</a>.</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left"><b>Important: </b>Je ne vous recommande pas <p align="left"><b>Important: </b>Je ne vous recommande pas d'autoriser le
d'autoriser le telnet depuis ou vers l'Internet car il utilise du texte telnet depuis ou vers l'Internet car il utilise du texte en clair (même pour
en clair (même pour le login et le mot de passe !). Si vous voulez avoir le login et le mot de passe !). Si vous voulez avoir un accès au shell de
un accès au shell de votre firewall depuis Internet, utilisez SSH :</p> votre firewall depuis Internet, utilisez SSH :</p>
</div> </div>
<div align="left"> <div align="left">
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -341,61 +393,71 @@ un acc
<td> <br> <td> <br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
</div> </div>
<div align="left"> <div align="left">
<pre> ACCEPT net fw tcp 22</pre> <pre> ACCEPT net fw tcp 22</pre>
</div> </div>
<div align="left"> <div align="left">
<p align="left"><img border="0" src="images/BD21298_3.gif" width="13" <p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
height="13"> A ce point, éditez /etc/shorewall/rules pour rajouter height="13">
les autres connexions désirées.</p> A ce point, éditez /etc/shorewall/rules pour rajouter les autres connexions
désirées.</p>
</div> </div>
<div align="left"> <div align="left">
<h2 align="left">Lancer et Arrêter son Firewall</h2> <h2 align="left">Lancer et Arrêter son Firewall</h2>
</div> </div>
<div align="left"> <div align="left">
<p align="left"> <img border="0" src="images/BD21298_2.gif" width="13" <p align="left"> <img border="0" src="images/BD21298_2.gif" width="13"
height="13" alt="Arrow"> La <a href="Install.htm">procédure height="13" alt="Arrow">
d'installation </a> configure votre système pour lancer Shorewall au La <a href="Install.htm">procédure d'installation </a> configure votre système
boot du système, mais au début avec la version 1.3.9 de Shorewall le pour lancer Shorewall au boot du système, mais au début avec la version 1.3.9
lancement est désactivé, n'essayer pas de lancer Shorewall avec que la de Shorewall le lancement est désactivé, n'essayer pas de lancer Shorewall
configuration soit finie. Une fois que vous en aurez fini avec la avec que la configuration soit finie. Une fois que vous en aurez fini avec
configuration du firewall, vous pouvez permettre le lancement de la configuration du firewall, vous pouvez permettre le lancement de Shorewall
Shorewall en supprimant le fichier /etc/shorewall/startup_disabled.<br> en supprimant le fichier /etc/shorewall/startup_disabled.<br>
</p> </p>
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Les
utilisateurs des paquets .deb doivent éditer /etc/default/shorewall et <p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Les utilisateurs
mettre 'startup=1'.</font><br> des paquets .deb doivent éditer /etc/default/shorewall et mettre 'startup=1'.</font><br>
</p> </p>
</div> </div>
<div align="left"> <div align="left">
<p align="left">Le firewall est activé en utilisant la commande <p align="left">Le firewall est activé en utilisant la commande "shorewall
"shorewall start" et arrêté avec "shorewall stop". Lorsque le firewall start" et arrêté avec "shorewall stop". Lorsque le firewall est stoppé, le
est stoppé, le routage est autorisé sur les hôtes qui possèdent une routage est autorisé sur les hôtes qui possèdent une entrée dans <a
entrée dans <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. Un
Un firewall qui tourne peut être relancé en utilisant la commande firewall qui tourne peut être relancé en utilisant la commande "shorewall
"shorewall restart". Si vous voulez enlever toutes traces de Shorewall restart". Si vous voulez enlever toutes traces de Shorewall sur votre configuration
sur votre configuration de Netfilter, utilisez "shorewall clear".</p> de Netfilter, utilisez "shorewall clear".</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left"><b>ATTENTION: </b>Si vous êtes connecté à votre <p align="left"><b>ATTENTION: </b>Si vous êtes connecté à votre firewall
firewall depuis Internet, n'essayez pas une commande "shorewall stop" depuis Internet, n'essayez pas une commande "shorewall stop" tant que vous
tant que vous n'avez pas ajouté une entrée pour votre adresse IP (celle n'avez pas ajouté une entrée pour votre adresse IP (celle à partir de laquelle
à partir de laquelle vous êtes connectée) dans <a vous êtes connectée) dans <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. De la même manière, je ne vous recommande pas d'utiliser "shorewall restart";
De la même manière, je ne vous recommande pas d'utiliser "shorewall il est plus intéressant de créer une <i><a
restart"; il est plus intéressant de créer une <i><a
href="configuration_file_basics.htm#Configs">configuration alternative</a></i> href="configuration_file_basics.htm#Configs">configuration alternative</a></i>
et de la tester en utilisant la commande <a et de la tester en utilisant la commande <a
href="starting_and_stopping_shorewall.htm">"shorewall try"</a>.</p> href="starting_and_stopping_shorewall.htm">"shorewall try"</a>.</p>
</div> </div>
<p align="left"><font size="2">Last updated 12/9/2002 - <a <p align="left"><font size="2">Last updated 12/9/2002 - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002
Thomas M. Eastep</font></a></p> <p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas
M. Eastep</font></a></p>
<br>
<br> <br>
<br> <br>
<br> <br>


@ -20,7 +20,8 @@
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td
width="100%">
@ -41,13 +42,14 @@
<h2>Before Reporting a Problem or Asking a Question<br> <h2>Before Reporting a Problem or Asking a Question<br>
</h2> </h2>
There are a number There are a number
of sources of Shorewall information. Please try these before you post. of sources of Shorewall information. Please try these before you
post.
<ul> <ul>
<li>More than half of the questions posted <li>More than half of the questions posted
on the support list have answers directly accessible from the on the support list have answers directly accessible from the
<a href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a><br> <a href="shorewall_quickstart_guide.htm#Documentation">Documentation
Index</a><br>
</li> </li>
<li> The <a <li> The <a
href="FAQ.htm">FAQ</a> has solutions to more than 20 common problems. href="FAQ.htm">FAQ</a> has solutions to more than 20 common problems.
@ -114,8 +116,8 @@
<ul> <ul>
<li>Please remember we only know what is posted <li>Please remember we only know what is posted
in your message. Do not leave out any information that appears in your message. Do not leave out any information that appears
to be correct, or was mentioned in a previous post. There have been to be correct, or was mentioned in a previous post. There have
countless posts by people who were sure that some part of their been countless posts by people who were sure that some part of their
configuration was correct when it actually contained a small error. configuration was correct when it actually contained a small error.
We tend to be skeptics where detail is lacking.<br> We tend to be skeptics where detail is lacking.<br>
<br> <br>
@ -123,16 +125,16 @@ countless posts by people who were sure that some part of their
<li>Please keep in mind that you're asking for <li>Please keep in mind that you're asking for
<strong>free</strong> technical support. Any help we offer <strong>free</strong> technical support. Any help we offer
is an act of generosity, not an obligation. Try to make it easy is an act of generosity, not an obligation. Try to make it easy
for us to help you. Follow good, courteous practices in writing for us to help you. Follow good, courteous practices in writing and
and formatting your e-mail. Provide details that we need if you expect formatting your e-mail. Provide details that we need if you expect good
good answers. <em>Exact quoting </em> of error messages, log entries, answers. <em>Exact quoting </em> of error messages, log entries,
command output, and other output is better than a paraphrase or summary.<br> command output, and other output is better than a paraphrase or summary.<br>
<br> <br>
</li> </li>
<li> Please <li> Please
don't describe your environment and then ask us to send you don't describe your environment and then ask us to send
custom configuration files. We're here to answer your you custom configuration files. We're here to answer
questions but we can't do your job for you.<br> your questions but we can't do your job for you.<br>
<br> <br>
</li> </li>
<li>When reporting a problem, <strong>ALWAYS</strong> <li>When reporting a problem, <strong>ALWAYS</strong>
@ -227,13 +229,15 @@ using the Mandrake installation of Shorewall, please say so.</b><br>
4. Post the /tmp/status.txt file as an attachment.<br> 4. Post the /tmp/status.txt file as an attachment.<br>
<br> <br>
</li> </li>
</ul> </ul>
<li>As a general <li>As a general
matter, please <strong>do not edit the diagnostic information</strong> matter, please <strong>do not edit the diagnostic information</strong>
in an attempt to conceal your IP address, netmask, nameserver in an attempt to conceal your IP address, netmask, nameserver
addresses, domain name, etc. These aren't secrets, and concealing addresses, domain name, etc. These aren't secrets, and concealing
them often misleads us (and 80% of the time, a hacker could derive them them often misleads us (and 80% of the time, a hacker could derive
anyway from information contained in the SMTP headers of your post).<br> them anyway from information contained in the SMTP headers of your
post).<br>
<br> <br>
<strong></strong></li> <strong></strong></li>
<li>Do you see any "Shorewall" messages ("<b><font <li>Do you see any "Shorewall" messages ("<b><font
@ -245,8 +249,8 @@ include the message(s) in your post along with a copy of your /etc/shorewall
</li> </li>
<li>Please include any of the Shorewall configuration files <li>Please include any of the Shorewall configuration files
(especially the /etc/shorewall/hosts file if you have (especially the /etc/shorewall/hosts file if you have
modified that file) that you think are relevant. If you modified that file) that you think are relevant. If
include /etc/shorewall/rules, please include /etc/shorewall/policy you include /etc/shorewall/rules, please include /etc/shorewall/policy
as well (rules are meaningless unless one also knows the policies).<br> as well (rules are meaningless unless one also knows the policies).<br>
<br> <br>
</li> </li>
@ -256,8 +260,8 @@ include the message(s) in your post along with a copy of your /etc/shorewall
section for instructions).<br> section for instructions).<br>
<br> <br>
</li> </li>
<li><b>The list server limits posts to 120kb so don't post GIFs <li><b>The list server limits posts to 120kb so don't post
of your network layout, etc. to the Mailing GIFs of your network layout, etc. to the Mailing
List -- your post will be rejected.</b></li> List -- your post will be rejected.</b></li>
</ul> </ul>
@ -286,8 +290,8 @@ plagiarized from the excellent LEAF document by <i>Ray</i> <em>Olszewski</e
all shorewall.net mail. As one list subscriber wrote to me privately all shorewall.net mail. As one list subscriber wrote to me privately
"These e-mail admin's need to get a <i>(expletive deleted)</i> life "These e-mail admin's need to get a <i>(expletive deleted)</i> life
instead of trying to rid the planet of HTML based e-mail". Nevertheless, instead of trying to rid the planet of HTML based e-mail". Nevertheless,
to allow subscribers to receive list posts as must as possible, I to allow subscribers to receive list posts as must as possible, I have
have now configured the list server at shorewall.net to strip all HTML now configured the list server at shorewall.net to strip all HTML
from outgoing posts.<br> from outgoing posts.<br>
</blockquote> </blockquote>
@ -302,20 +306,16 @@ have now configured the list server at shorewall.net to strip all HTML
to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF
Users mailing list</a>.</span></h4> Users mailing list</a>.</span></h4>
<b>If you run Shorewall under MandrakeSoft <b>If you run Shorewall under MandrakeSoft
Multi Network Firewall (MNF) and you have not purchased an MNF Multi Network Firewall (MNF) and you have not purchased an
license from MandrakeSoft then you can post non MNF-specific Shorewall MNF license from MandrakeSoft then you can post non MNF-specific
questions to the </b><a Shorewall questions to the </b><a
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
list</a> or to the <a list</a>. <b>Do not expect to get free MNF support on the list.</b><br>
href="http://www.developercube.com/forum/index.php?c=8">Shorewall Support
Forum</a>. <b>Do not expect to get free MNF support on the list or forum.</b><br>
<p>Otherwise, please post your question or problem to the <a <p>Otherwise, please post your question or problem to the <a
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
list</a> or to the <a list</a>.<br>
href="http://www.developercube.com/forum/index.php?c=8">Shorewall Support
Forum</a>.<br>
To Subscribe to the mailing list go to <a To Subscribe to the mailing list go to <a
href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a> href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a>
.<br> .<br>
@ -331,7 +331,7 @@ Forum</a>.<br>
</p> </p>
<p align="left"><font size="2">Last Updated 3/17/2003 - Tom Eastep</font></p> <p align="left"><font size="2">Last Updated 4/10/2003 - Tom Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
@ -341,5 +341,6 @@ Forum</a>.<br>
<br> <br>
<br> <br>
<br> <br>
<br>
</body> </body>
</html> </html>


@ -20,7 +20,6 @@
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Three-Interface Firewall</font></h1> <h1 align="center"><font color="#ffffff">Three-Interface Firewall</font></h1>
</td> </td>
</tr> </tr>
@ -39,8 +38,8 @@ basics and follow the documentation.</p>
in one of its more popular configurations:</p> in one of its more popular configurations:</p>
<ul> <ul>
<li>Linux system used as a firewall/router for a small local <li>Linux system used as a firewall/router for a small
network.</li> local network.</li>
<li>Single public IP address.</li> <li>Single public IP address.</li>
<li>DMZ connected to a separate ethernet interface.</li> <li>DMZ connected to a separate ethernet interface.</li>
<li>Connection through DSL, Cable Modem, ISDN, Frame Relay, <li>Connection through DSL, Cable Modem, ISDN, Frame Relay,
@ -75,16 +74,15 @@ tell if this package is installed by the presence of an <b>ip</b> program
    If you edit your configuration files on a Windows system,     If you edit your configuration files on a Windows system,
you must save them as Unix files if your editor supports that option you must save them as Unix files if your editor supports that option
or you must run them through dos2unix before trying to use them. Similarly, or you must run them through dos2unix before trying to use them. Similarly,
if you copy a configuration file from your Windows hard drive to a if you copy a configuration file from your Windows hard drive to a floppy
floppy disk, you must run dos2unix against the copy before using it with disk, you must run dos2unix against the copy before using it with Shorewall.</p>
Shorewall.</p>
<ul> <ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows
Version of dos2unix</a></li> Version of dos2unix</a></li>
<li><a <li><a
href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version of
of dos2unix</a></li> dos2unix</a></li>
</ul> </ul>
@ -93,17 +91,17 @@ of dos2unix</a></li>
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13" <p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
alt=""> alt="">
    The configuration files for Shorewall are contained in the directory     The configuration files for Shorewall are contained in the directory
/etc/shorewall -- for simple setups, you will only need to deal with /etc/shorewall -- for simple setups, you will only need to deal with a
a few of these as described in this guide. After you have <a few of these as described in this guide. After you have <a
href="Install.htm">installed Shorewall</a>, <b>download the <a href="Install.htm">installed Shorewall</a>, <b>download the <a
href="/pub/shorewall/LATEST.samples/three-interfaces.tgz">three-interface href="http://www.shorewall.net/pub/shorewall/LATEST.samples/three-interfaces.tgz">three-interface
sample</a>, un-tar it (tar -zxvf three-interfaces.tgz) and and copy sample</a>, un-tar it (tar -zxvf three-interfaces.tgz) and and copy
the files to /etc/shorewall (the files will replace files with the the files to /etc/shorewall (the files will replace files with the same
same names that were placed in /etc/shorewall when Shorewall was installed)</b>.</p> names that were placed in /etc/shorewall when Shorewall was installed)</b>.</p>
<p>As each file is introduced, I suggest that you look through the actual <p>As each file is introduced, I suggest that you look through the actual
file on your system -- each file contains detailed configuration file on your system -- each file contains detailed configuration instructions
instructions and default entries.</p> and default entries.</p>
<p>Shorewall views the network where it is running as being composed of a <p>Shorewall views the network where it is running as being composed of a
set of <i>zones.</i> In the three-interface sample configuration, set of <i>zones.</i> In the three-interface sample configuration,
@ -144,8 +142,8 @@ the following zone names are used:</p>
<li>You express your default policy for connections from <li>You express your default policy for connections from
one zone to another zone in the<a one zone to another zone in the<a
href="Documentation.htm#Policy"> /etc/shorewall/policy </a>file.</li> href="Documentation.htm#Policy"> /etc/shorewall/policy </a>file.</li>
<li>You define exceptions to those default policies in the <li>You define exceptions to those default policies in
<a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li> the <a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
</ul> </ul>
@ -192,7 +190,6 @@ DROP
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -220,7 +217,6 @@ DROP
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -232,8 +228,8 @@ DROP
to the internet</li> to the internet</li>
<li>drop (ignore) all connection requests from the internet <li>drop (ignore) all connection requests from the internet
to your firewall or local network</li> to your firewall or local network</li>
<li>optionally accept all connection requests from the firewall <li>optionally accept all connection requests from the
to the internet (if you uncomment the additional policy)</li> firewall to the internet (if you uncomment the additional policy)</li>
<li>reject all other connection requests.</li> <li>reject all other connection requests.</li>
</ol> </ol>
@ -266,9 +262,9 @@ If you connect using ISDN, you external interface will be <b>ippp0.</b></p>
<p align="left">Your <i>Local Interface</i> will be an ethernet adapter (eth0, <p align="left">Your <i>Local Interface</i> will be an ethernet adapter (eth0,
eth1 or eth2) and will be connected to a hub or switch. Your local eth1 or eth2) and will be connected to a hub or switch. Your local
computers will be connected to the same switch (note: If you have computers will be connected to the same switch (note: If you have only
only a single local system, you can connect the firewall directly to a single local system, you can connect the firewall directly to the
the computer using a <i>cross-over </i> cable).</p> computer using a <i>cross-over </i> cable).</p>
<p align="left">Your <i>DMZ Interface</i> will also be an ethernet adapter <p align="left">Your <i>DMZ Interface</i> will also be an ethernet adapter
(eth0, eth1 or eth2) and will be connected to a hub or switch. Your (eth0, eth1 or eth2) and will be connected to a hub or switch. Your
@ -294,15 +290,13 @@ is different, you will have to modify the sample /etc/shorewall/interfaces
<ul> <ul>
<li> <li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>, <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>,
you can replace the "detect" in the second column with "-". </p> you can replace the "detect" in the second column with "-". </p>
</li> </li>
<li> <li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b> <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>
or if you have a static IP address, you can remove "dhcp" from or if you have a static IP address, you can remove "dhcp" from the
the option list. </p> option list. </p>
</li> </li>
</ul> </ul>
@ -312,16 +306,15 @@ the option list. </p>
<p align="left">Before going further, we should say a few words about Internet <p align="left">Before going further, we should say a few words about Internet
Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you
a single <i> Public</i> IP address. This address may be assigned via a single <i> Public</i> IP address. This address may be assigned via
the<i> Dynamic Host Configuration Protocol</i> (DHCP) or as part of the<i> Dynamic Host Configuration Protocol</i> (DHCP) or as part of establishing
establishing your connection when you dial in (standard modem) or establish your connection when you dial in (standard modem) or establish your PPP
your PPP connection. In rare cases, your ISP may assign you a<i> static</i> connection. In rare cases, your ISP may assign you a<i> static</i> IP
IP address; that means that you configure your firewall's external interface address; that means that you configure your firewall's external interface
to use that address permanently.<i> </i>Regardless of how the address to use that address permanently.<i> </i>Regardless of how the address
is assigned, it will be shared by all of your systems when you access is assigned, it will be shared by all of your systems when you access the
the Internet. You will have to assign your own addresses for your internal Internet. You will have to assign your own addresses for your internal network
network (the local and DMZ Interfaces on your firewall plus your other (the local and DMZ Interfaces on your firewall plus your other computers).
computers). RFC 1918 reserves several <i>Private </i>IP address ranges for RFC 1918 reserves several <i>Private </i>IP address ranges for this purpose:</p>
this purpose:</p>
<div align="left"> <div align="left">
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre> <pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
@ -341,8 +334,8 @@ interface's entry in /etc/shorewall/interfaces.</p>
sub-network </i>or <i>subnet</i> and your DMZ addresses from another sub-network </i>or <i>subnet</i> and your DMZ addresses from another
subnet. For our purposes, we can consider a subnet to consists of subnet. For our purposes, we can consider a subnet to consists of
a range of addresses x.y.z.0 - x.y.z.255. Such a subnet will have a a range of addresses x.y.z.0 - x.y.z.255. Such a subnet will have a
<i>Subnet Mask </i>of 255.255.255.0. The address x.y.z.0 is reserved as <i>Subnet Mask </i>of 255.255.255.0. The address x.y.z.0 is reserved
the <i>Subnet Address</i> and x.y.z.255 is reserved as the <i>Subnet as the <i>Subnet Address</i> and x.y.z.255 is reserved as the <i>Subnet
Broadcast</i> <i>Address</i>. In Shorewall, a subnet is described using <a Broadcast</i> <i>Address</i>. In Shorewall, a subnet is described using <a
href="shorewall_setup_guide.htm#Subnets"><i>Classless InterDomain Routing href="shorewall_setup_guide.htm#Subnets"><i>Classless InterDomain Routing
</i>(CIDR)</a> notation with consists of the subnet address followed </i>(CIDR)</a> notation with consists of the subnet address followed
@ -376,7 +369,6 @@ Broadcast</i> <i>Address</i>. In Shorewall, a subnet is described using
<td>10.10.10.0/24</td> <td>10.10.10.0/24</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -408,8 +400,8 @@ example) or the last usable address (10.10.10.254).</p>
<p align="left">The foregoing short discussion barely scratches the surface <p align="left">The foregoing short discussion barely scratches the surface
regarding subnetting and routing. If you are interested in learning regarding subnetting and routing. If you are interested in learning
more about IP addressing and routing, I highly recommend <i>"IP Fundamentals: more about IP addressing and routing, I highly recommend <i>"IP Fundamentals:
What Everyone Needs to Know about Addressing &amp; Routing",</i> What Everyone Needs to Know about Addressing &amp; Routing",</i> Thomas
Thomas A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p> A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
<p align="left">The remainder of this quide will assume that you have configured <p align="left">The remainder of this quide will assume that you have configured
your network as shown here:</p> your network as shown here:</p>
@ -425,10 +417,10 @@ Thomas A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13" <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13" alt=""> height="13" alt="">
    <font color="#ff0000"><b>WARNING: </b></font><b>Your ISP  might assign     <font color="#ff0000"><b>WARNING: </b></font><b>Your ISP  might assign
your external interface an RFC 1918 address. If that address is in the your external interface an RFC 1918 address. If that address is in the 10.10.10.0/24
10.10.10.0/24 subnet then you will need to select a DIFFERENT RFC 1918 subnet then you will need to select a DIFFERENT RFC 1918 subnet for your
subnet for your local network and if it is in the 10.10.11.0/24 subnet then local network and if it is in the 10.10.11.0/24 subnet then you will need
you will need to select a different RFC 1918 subnet for your DMZ.</b><br> to select a different RFC 1918 subnet for your DMZ.</b><br>
</p> </p>
<p align="left">IP Masquerading (SNAT)</p> <p align="left">IP Masquerading (SNAT)</p>
@ -438,30 +430,28 @@ you will need to select a different RFC 1918 subnet for your DMZ.</b><br>
forward packets which have an RFC-1918 destination address. When one forward packets which have an RFC-1918 destination address. When one
of your local systems (let's assume local computer 1) sends a connection of your local systems (let's assume local computer 1) sends a connection
request to an internet host, the firewall must perform <i>Network Address request to an internet host, the firewall must perform <i>Network Address
Translation </i>(NAT). The firewall rewrites the source address in Translation </i>(NAT). The firewall rewrites the source address in the
the packet to be the address of the firewall's external interface; in packet to be the address of the firewall's external interface; in other
other words, the firewall makes it look as if the firewall itself is words, the firewall makes it look as if the firewall itself is initiating
initiating the connection.  This is necessary so that the destination the connection.  This is necessary so that the destination host will
host will be able to route return packets back to the firewall (remember be able to route return packets back to the firewall (remember that
that packets whose destination address is reserved by RFC 1918 can't packets whose destination address is reserved by RFC 1918 can't be routed
be routed accross the internet). When the firewall receives a return accross the internet). When the firewall receives a return packet, it
packet, it rewrites the destination address back to 10.10.10.1 and rewrites the destination address back to 10.10.10.1 and forwards the
forwards the packet on to local computer 1. </p> packet on to local computer 1. </p>
<p align="left">On Linux systems, the above process is often referred to <p align="left">On Linux systems, the above process is often referred to as<i>
as<i> IP Masquerading</i> and you will also see the term <i>Source Network IP Masquerading</i> and you will also see the term <i>Source Network Address
Address Translation </i>(SNAT) used. Shorewall follows the convention used Translation </i>(SNAT) used. Shorewall follows the convention used with
with Netfilter:</p> Netfilter:</p>
<ul> <ul>
<li> <li>
<p align="left"><i>Masquerade</i> describes the case where you let your <p align="left"><i>Masquerade</i> describes the case where you let your
firewall system automatically detect the external interface address. firewall system automatically detect the external interface address.
</p> </p>
</li> </li>
<li> <li>
<p align="left"><i>SNAT</i> refers to the case when you explicitly specify <p align="left"><i>SNAT</i> refers to the case when you explicitly specify
the source address that you want outbound packets from your local the source address that you want outbound packets from your local
network to use. </p> network to use. </p>
@ -475,8 +465,8 @@ with Netfilter:</p>
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13" <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13"> height="13">
    If your external firewall interface is <b>eth0</b>, your     If your external firewall interface is <b>eth0</b>, your
local interface <b>eth1 </b>and your DMZ interface is <b>eth2</b> local interface <b>eth1 </b>and your DMZ interface is <b>eth2</b> then
then you do not need to modify the file provided with the sample. Otherwise, you do not need to modify the file provided with the sample. Otherwise,
edit /etc/shorewall/masq and change it to match your configuration.</p> edit /etc/shorewall/masq and change it to match your configuration.</p>
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13" <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
@ -491,8 +481,8 @@ your static IP in column 3 makes <br>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13" <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13" alt=""> height="13" alt="">
    If you are using the Debian package, please check your shorewall.conf     If you are using the Debian package, please check your shorewall.conf
file to ensure that the following are set correctly; if they are not, file to ensure that the following are set correctly; if they are not, change
change them appropriately:<br> them appropriately:<br>
</p> </p>
<ul> <ul>
@ -506,16 +496,16 @@ change them appropriately:<br>
<p align="left">One of your goals will be to run one or more servers on your <p align="left">One of your goals will be to run one or more servers on your
DMZ computers. Because these computers have RFC-1918 addresses, it DMZ computers. Because these computers have RFC-1918 addresses, it
is not possible for clients on the internet to connect directly to is not possible for clients on the internet to connect directly to them.
them. It is rather necessary for those clients to address their connection It is rather necessary for those clients to address their connection
requests to your firewall who rewrites the destination address to the requests to your firewall who rewrites the destination address to the
address of your server and forwards the packet to that server. When your address of your server and forwards the packet to that server. When your
server responds, the firewall automatically performs SNAT to rewrite server responds, the firewall automatically performs SNAT to rewrite
the source address in the response.</p> the source address in the response.</p>
<p align="left">The above process is called<i> Port Forwarding</i> or <i> <p align="left">The above process is called<i> Port Forwarding</i> or <i>
Destination Network Address Translation</i> (DNAT). You configure port Destination Network Address Translation</i> (DNAT). You configure
forwarding using DNAT rules in the /etc/shorewall/rules file.</p> port forwarding using DNAT rules in the /etc/shorewall/rules file.</p>
<p>The general form of a simple port forwarding rule in /etc/shorewall/rules <p>The general form of a simple port forwarding rule in /etc/shorewall/rules
is:</p> is:</p>
@ -544,13 +534,12 @@ them. It is rather necessary for those clients to address their connection
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
<p>If you don't specify the <i>&lt;server port&gt;</i>, it is assumed to <p>If you don't specify the <i>&lt;server port&gt;</i>, it is assumed to be
be the same as <i>&lt;port&gt;</i>.</p> the same as <i>&lt;port&gt;</i>.</p>
<p>Example - you run a Web Server on DMZ 2 and you want to forward incoming <p>Example - you run a Web Server on DMZ 2 and you want to forward incoming
TCP port 80 to that system:</p> TCP port 80 to that system:</p>
@ -587,7 +576,6 @@ be the same as <i>&lt;port&gt;</i>.</p>
<td>from the local network</td> <td>from the local network</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -598,8 +586,8 @@ be the same as <i>&lt;port&gt;</i>.</p>
<li>When you are connecting to your server from your local <li>When you are connecting to your server from your local
systems, you must use the server's internal IP address (10.10.11.2).</li> systems, you must use the server's internal IP address (10.10.11.2).</li>
<li>Many ISPs block incoming connection requests to port <li>Many ISPs block incoming connection requests to port
80. If you have problems connecting to your web server, try the following 80. If you have problems connecting to your web server, try the
rule and try connecting to port 5000 (e.g., connect to <a following rule and try connecting to port 5000 (e.g., connect to <a
href="http://w.x.y.z:5000"> http://w.x.y.z:5000</a> where w.x.y.z is your href="http://w.x.y.z:5000"> http://w.x.y.z:5000</a> where w.x.y.z is your
external IP).</li> external IP).</li>
@ -628,14 +616,13 @@ be the same as <i>&lt;port&gt;</i>.</p>
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
<p>If you want to be able to access your server from the local network using <p>If you want to be able to access your server from the local network using
your external address, then if you have a static external IP you your external address, then if you have a static external IP you can
can replace the loc-&gt;dmz rule above with:</p> replace the loc-&gt;dmz rule above with:</p>
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -660,7 +647,6 @@ can replace the loc-&gt;dmz rule above with:</p>
<td><i>&lt;external IP&gt;</i></td> <td><i>&lt;external IP&gt;</i></td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -702,7 +688,6 @@ can replace the loc-&gt;dmz rule above with:</p>
<td>$ETH0_IP</td> <td>$ETH0_IP</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -718,16 +703,15 @@ servers. </p>
<p align="left">Normally, when you connect to your ISP, as part of getting <p align="left">Normally, when you connect to your ISP, as part of getting
an IP address your firewall's <i>Domain Name Service </i>(DNS) resolver an IP address your firewall's <i>Domain Name Service </i>(DNS) resolver
will be automatically configured (e.g., the /etc/resolv.conf file will be automatically configured (e.g., the /etc/resolv.conf file will
will be written). Alternatively, your ISP may have given you the IP be written). Alternatively, your ISP may have given you the IP address
address of a pair of DNS <i> name servers</i> for you to manually configure of a pair of DNS <i> name servers</i> for you to manually configure as
as your primary and secondary name servers. It is <u>your</u> responsibility your primary and secondary name servers. It is <u>your</u> responsibility
to configure the resolver in your internal systems. You can take one to configure the resolver in your internal systems. You can take one
of two approaches:</p> of two approaches:</p>
<ul> <ul>
<li> <li>
<p align="left">You can configure your internal systems to use your ISP's <p align="left">You can configure your internal systems to use your ISP's
name servers. If you ISP gave you the addresses of their servers name servers. If you ISP gave you the addresses of their servers
or if those addresses are available on their web site, you can configure or if those addresses are available on their web site, you can configure
@ -737,27 +721,25 @@ as your primary and secondary name servers. It is <u>your</u> responsibili
</p> </p>
</li> </li>
<li> <li>
<p align="left"><img border="0" src="images/BD21298_2.gif" <p align="left"><img border="0" src="images/BD21298_2.gif"
width="13" height="13"> width="13" height="13">
    You can configure a<i> Caching Name Server </i>on your     You can configure a<i> Caching Name Server </i>on your
firewall or in your DMZ.<i> </i>Red Hat has an RPM for a caching firewall or in your DMZ.<i> </i>Red Hat has an RPM for a caching name
name server (which also requires the 'bind' RPM) and for Bering server (which also requires the 'bind' RPM) and for Bering users,
users, there is dnscache.lrp. If you take this approach, you configure there is dnscache.lrp. If you take this approach, you configure your
your internal systems to use the caching name server as their primary internal systems to use the caching name server as their primary (and
(and only) name server. You use the internal IP address of the firewall only) name server. You use the internal IP address of the firewall (10.10.10.254
(10.10.10.254 in the example above) for the name server address if in the example above) for the name server address if you choose to
you choose to run the name server on your firewall. To allow your local run the name server on your firewall. To allow your local systems to
systems to talk to your caching name server, you must open port 53 talk to your caching name server, you must open port 53 (both UDP
(both UDP and TCP) from the local network to the server; you do that and TCP) from the local network to the server; you do that by adding
by adding the rules in /etc/shorewall/rules. </p> the rules in /etc/shorewall/rules. </p>
</li> </li>
</ul> </ul>
<blockquote> <blockquote>
<p align="left">If you run the name server on the firewall: <p align="left">If you run the name server on the firewall:
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber4"> id="AutoNumber4">
<tbody> <tbody>
@ -807,7 +789,6 @@ by adding the rules in /etc/shorewall/rules. </p>
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</p> </p>
@ -866,7 +847,6 @@ by adding the rules in /etc/shorewall/rules. </p>
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -913,7 +893,6 @@ by adding the rules in /etc/shorewall/rules. </p>
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -921,8 +900,8 @@ by adding the rules in /etc/shorewall/rules. </p>
<div align="left"> <div align="left">
<p align="left">Those rules allow DNS access from your firewall and may be <p align="left">Those rules allow DNS access from your firewall and may be
removed if you commented out the line in /etc/shorewall/policy removed if you commented out the line in /etc/shorewall/policy allowing
allowing all connections from the firewall to the internet.</p> all connections from the firewall to the internet.</p>
</div> </div>
<div align="left"> <div align="left">
@ -962,7 +941,6 @@ allowing all connections from the firewall to the internet.</p>
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -1003,7 +981,6 @@ allowing all connections from the firewall to the internet.</p>
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -1047,7 +1024,6 @@ allowing all connections from the firewall to the internet.</p>
<td>from the internet</td> <td>from the internet</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -1059,8 +1035,8 @@ allowing all connections from the firewall to the internet.</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left">If you don't know what port and protocol a particular <p align="left">If you don't know what port and protocol a particular application
application uses, look <a href="ports.htm">here</a>.</p> uses, look <a href="ports.htm">here</a>.</p>
</div> </div>
<div align="left"> <div align="left">
@ -1093,7 +1069,6 @@ application uses, look <a href="ports.htm">here</a>.</p>
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -1146,7 +1121,6 @@ with Jacques's Shorewall configuration.<br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -1165,12 +1139,12 @@ with Jacques's Shorewall configuration.<br>
<div align="left"> <div align="left">
<p align="left"> <img border="0" src="images/BD21298_2.gif" <p align="left"> <img border="0" src="images/BD21298_2.gif"
width="13" height="13" alt="Arrow"> width="13" height="13" alt="Arrow">
    The <a href="Install.htm">installation procedure </a> configures     The <a href="Install.htm">installation procedure </a>
your system to start Shorewall at system boot  but beginning with Shorewall configures your system to start Shorewall at system boot  but beginning
version 1.3.9 startup is disabled so that your system won't try to start with Shorewall version 1.3.9 startup is disabled so that your system
Shorewall before configuration is complete. Once you have completed configuration won't try to start Shorewall before configuration is complete. Once you
of your firewall, you can enable Shorewall startup by removing the file have completed configuration of your firewall, you can enable Shorewall
/etc/shorewall/startup_disabled.<br> startup by removing the file /etc/shorewall/startup_disabled.<br>
</p> </p>
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: </font><font <p align="left"><font color="#ff0000"><b>IMPORTANT</b>: </font><font
@ -1205,8 +1179,8 @@ set of hosts, modify /etc/shorewall/routestopped accordingly.</p>
have added an entry for the IP address that you are connected from have added an entry for the IP address that you are connected from
to <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. to <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better to create Also, I don't recommend using "shorewall restart"; it is better to create
an <i><a href="configuration_file_basics.htm#Configs">alternate an <i><a href="configuration_file_basics.htm#Configs">alternate configuration</a></i>
configuration</a></i> and test it using the <a and test it using the <a
href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p> href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p>
</div> </div>
@ -1230,5 +1204,6 @@ configuration</a></i> and test it using the <a
<br> <br>
<br> <br>
<br> <br>
<br>
</body> </body>
</html> </html>


@ -30,16 +30,16 @@
<h2 align="center">Version 2.0.1 Française</h2> <h2 align="center">Version 2.0.1 Française</h2>
<p align="left"><small><i><u>Notes du traducteur</u> :<br> <p align="left"><small><i><u>Notes du traducteur</u> :<br>
Je ne prétends pas être un vrai traducteur dans le sens ou mon travail n?est Je ne prétends pas être un vrai traducteur dans le sens ou mon travail
pas des plus précis (loin de là...). Je ne me suis pas attaché à une traduction n?est pas des plus précis (loin de là...). Je ne me suis pas attaché à une
exacte du texte, mais plutôt à en faire une version française intelligible traduction exacte du texte, mais plutôt à en faire une version française
par tous (et par moi). Les termes techniques sont la plupart du temps conservés intelligible par tous (et par moi). Les termes techniques sont la plupart
sous leur forme originale et mis entre parenthèses car vous pouvez les retrouver du temps conservés sous leur forme originale et mis entre parenthèses car
dans le reste des documentations ainsi que dans les fichiers de configuration. vous pouvez les retrouver dans le reste des documentations ainsi que dans
N?hésitez pas à me contacter afin d?améliorer ce document <a les fichiers de configuration. N?hésitez pas à me contacter afin d?améliorer
href="mailto:vetsel.patrice@wanadoo.fr">VETSEL Patrice</a> (merci à JMM pour ce document <a href="mailto:vetsel.patrice@wanadoo.fr">VETSEL Patrice</a>
sa relecture et ses commentaires pertinents, ainsi qu'à Tom EASTEP pour son (merci à JMM pour sa relecture et ses commentaires pertinents, ainsi qu'à
formidable outil et sa disponibilité).</i></small></p> Tom EASTEP pour son formidable outil et sa disponibilité).</i></small></p>
<p align="left"><br> <p align="left"><br>
Mettre en place un système linux en tant que firewall pour un petit réseau Mettre en place un système linux en tant que firewall pour un petit réseau
@ -66,8 +66,8 @@ RTC, ...</li>
height="635"> height="635">
</p> </p>
<p>Ce guide suppose que vous avez le paquet iproute/iproute2 d'installé. <p>Ce guide suppose que vous avez le paquet iproute/iproute2 d'installé. Vous
Vous pouvez voir si le paquet est installé en vérifiant la présence du programme pouvez voir si le paquet est installé en vérifiant la présence du programme
ip sur votre système de firewall. Sous root, utilisez la commande 'which' ip sur votre système de firewall. Sous root, utilisez la commande 'which'
pour rechercher le programme :</p> pour rechercher le programme :</p>
@ -85,12 +85,12 @@ la configuration sont recommand
devez les sauver comme des fichiers Unix si votre éditeur offre cette option devez les sauver comme des fichiers Unix si votre éditeur offre cette option
sinon vous devez les faire passer par dos2unix avant d'essayer de les utiliser. sinon vous devez les faire passer par dos2unix avant d'essayer de les utiliser.
De la même manière, si vous copiez un fichier de configuration depuis votre De la même manière, si vous copiez un fichier de configuration depuis votre
disque dur Windows vers une disquette, vous devez lancer dos2unix sur la disque dur Windows vers une disquette, vous devez lancer dos2unix sur la copie
copie avant de l'utiliser avec Shorewall.</p> avant de l'utiliser avec Shorewall.</p>
<ul> <ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version of <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
dos2unix</a></li> of dos2unix</a></li>
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version <li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version
of dos2unix</a></li> of dos2unix</a></li>
@ -104,11 +104,11 @@ of dos2unix</a></li>
/etc/shorewall -- pour de simples paramétrages, vous n'avez à faire qu'avec /etc/shorewall -- pour de simples paramétrages, vous n'avez à faire qu'avec
quelques un d'entre eux comme décris dans ce guide. Après avoir <a quelques un d'entre eux comme décris dans ce guide. Après avoir <a
href="Install.htm">installé Shorewall</a>, <b>téléchargez la configuration href="Install.htm">installé Shorewall</a>, <b>téléchargez la configuration
d'exemple <a href="/pub/shorewall/LATEST.samples/three-interfaces.tgz">three-interface d'exemple <a
href="http://france.shorewall.net/pub/shorewall/LATEST.samples/three-interfaces.tgz">three-interface
sample</a>, un-tarez la (tar -zxvf three-interfaces.tgz) </b><b>et copiez sample</a>, un-tarez la (tar -zxvf three-interfaces.tgz) </b><b>et copiez
les fichiers vers /etc/shorewall (Ils remplaceront les fichiers de même les fichiers vers /etc/shorewall (Ils remplaceront les fichiers de même nom
nom déjà existant dans /etc/shorewall installés lors de l'installation de déjà existant dans /etc/shorewall installés lors de l'installation de Shorewall)</b>.</p>
Shorewall)</b>.</p>
<p>En même temps que chacun des fichiers est présenté, je vous suggère de <p>En même temps que chacun des fichiers est présenté, je vous suggère de
jeter un oeil à ceux qui se trouvent réellement sur votre système -- chacun jeter un oeil à ceux qui se trouvent réellement sur votre système -- chacun
@ -144,15 +144,15 @@ trois zones sont d
<p>Les noms de zone sont définis dans <a href="Documentation.htm#Zones">/etc/shorewall/zones</a>.</p> <p>Les noms de zone sont définis dans <a href="Documentation.htm#Zones">/etc/shorewall/zones</a>.</p>
<p>Shorewall reconnaît aussi le système de firewall comme sa propre zone <p>Shorewall reconnaît aussi le système de firewall comme sa propre zone -
- par défaut, le firewall lui même est connu en tant que <b>fw</b>.</p> par défaut, le firewall lui même est connu en tant que <b>fw</b>.</p>
<p>Les règles concernant le trafic à autoriser ou à interdire sont exprimées <p>Les règles concernant le trafic à autoriser ou à interdire sont exprimées
en utilisant les termes de zones.</p> en utilisant les termes de zones.</p>
<ul> <ul>
<li>Vous exprimez les politiques par défaut pour les connexions d'une zone <li>Vous exprimez les politiques par défaut pour les connexions d'une
à une autre dans le fichier<a href="Documentation.htm#Policy"> /etc/shorewall/policy zone à une autre dans le fichier<a href="Documentation.htm#Policy"> /etc/shorewall/policy
</a>.</li> </a>.</li>
<li>Vous définissez les exceptions à ces règles de politiques par défaut <li>Vous définissez les exceptions à ces règles de politiques par défaut
dans le fichier <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li> dans le fichier <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
@ -161,11 +161,10 @@ dans le fichier <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
<p>Pour chacune des demandes de connexion entrantes dans le firewall, les <p>Pour chacune des demandes de connexion entrantes dans le firewall, les
demandes sont en premier lieu comparées par rapport au fichier /etc/shorewall/rules. demandes sont en premier lieu comparées par rapport au fichier /etc/shorewall/rules.
Si aucune des règles dans ce fichier ne correspondent, alors la première Si aucune des règles dans ce fichier ne correspondent, alors la première politique
politique dans /etc/shorewall/policy qui y correspond est appliquée. Si cette dans /etc/shorewall/policy qui y correspond est appliquée. Si cette politique
politique est REJECT ou DROP la requête est alors comparée par rapport aux est REJECT ou DROP la requête est alors comparée par rapport aux règles contenues
règles contenues dans /etc/shorewall/common (l'archive d'exemple vous fournit dans /etc/shorewall/common (l'archive d'exemple vous fournit ce fichier).</p>
ce fichier).</p>
<p>Le fichier /etc/shorewall/policy d'exemple contenu dans l'archive three-interface <p>Le fichier /etc/shorewall/policy d'exemple contenu dans l'archive three-interface
sample a les politiques suivantes :</p> sample a les politiques suivantes :</p>
@ -244,10 +243,10 @@ avoir un acc
<ol> <ol>
<li>permettre toutes demandes de connexion depuis le firewall vers l'Internet</li> <li>permettre toutes demandes de connexion depuis le firewall vers l'Internet</li>
<li>drop (ignorer) toutes les demandes de connexion depuis l'Internet vers <li>drop (ignorer) toutes les demandes de connexion depuis l'Internet
votre firewall ou vers votre réseau local</li> vers votre firewall ou vers votre réseau local</li>
<li>Facultativement accepter toutes les demandes de connexion depuis votre <li>Facultativement accepter toutes les demandes de connexion depuis
firewall et vers Internet (si vous decommentez la politique précédente)</li> votre firewall et vers Internet (si vous decommentez la politique précédente)</li>
<li>reject (rejeter) toutes les autres demandes de connexion.</li> <li>reject (rejeter) toutes les autres demandes de connexion.</li>
</ol> </ol>
@ -263,14 +262,14 @@ que vous d
</p> </p>
<p align="left">Le firewall a trois interfaces de réseau. Lorsque la connexion <p align="left">Le firewall a trois interfaces de réseau. Lorsque la connexion
Internet passe par le câble ou par un ROUTEUR (pas un simple modem) ADSL Internet passe par le câble ou par un ROUTEUR (pas un simple modem) ADSL (non
(non USB), l'interface vers l'extérieur (External Interface) sera l'adaptateur USB), l'interface vers l'extérieur (External Interface) sera l'adaptateur
sur lequel est connecté le routeur (e.g., eth0) à moins que vous ne vous sur lequel est connecté le routeur (e.g., eth0) à moins que vous ne vous
connectiez par Point-to-PointProtocol overEthernet (PPPoE) ou par Point-to-PointTunneling connectiez par Point-to-PointProtocol overEthernet (PPPoE) ou par Point-to-PointTunneling
Protocol (PPTP), dans ce cas l'interface extérieure sera une interface de Protocol (PPTP), dans ce cas l'interface extérieure sera une interface de
type ppp (e.g., ppp0). Si vous vous connectez par un simple modem (RTC), type ppp (e.g., ppp0). Si vous vous connectez par un simple modem (RTC), votre
votre interface extérieure sera aussi ppp0. Si votre connexion passe par interface extérieure sera aussi ppp0. Si votre connexion passe par Numéris
Numéris (ISDN), votre interface extérieure sera ippp0<b>.</b></p> (ISDN), votre interface extérieure sera ippp0<b>.</b></p>
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13" <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13"> height="13">
@ -298,8 +297,8 @@ ce soit shorewall qui ne marche pas.</p>
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13" <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13"> height="13">
L'exemple de configuration de Shorewall pour trois interfaces suppose que L'exemple de configuration de Shorewall pour trois interfaces suppose que
l'interface externe est <b>eth0, </b>l'interface locale est <b>eth1 </b> l'interface externe est <b>eth0, </b>l'interface locale est <b>eth1 </b> et
et que la DMZ est sur l'interface <b>eth2</b>. Si votre configuration diffère, que la DMZ est sur l'interface <b>eth2</b>. Si votre configuration diffère,
vous devrez modifier le fichier d'exemple /etc/shorewall/interfaces en conséquence. vous devrez modifier le fichier d'exemple /etc/shorewall/interfaces en conséquence.
Tant que vous y êtes, vous pourriez parcourir la liste des options qui sont Tant que vous y êtes, vous pourriez parcourir la liste des options qui sont
spécifiées pour les interfaces. Quelques trucs :</p> spécifiées pour les interfaces. Quelques trucs :</p>
@ -310,9 +309,9 @@ sp
remplacer le "detect" dans la seconde colonne par un "-". </p> remplacer le "detect" dans la seconde colonne par un "-". </p>
</li> </li>
<li> <li>
<p align="left">Si votre interface externe est ppp0 ou ippp0 ou bien <p align="left">Si votre interface externe est ppp0 ou ippp0 ou bien si
si vous avez une adresse IP statique, vous pouvez enlever le "dhcp" de la vous avez une adresse IP statique, vous pouvez enlever le "dhcp" de la liste
liste d'option. </p> d'option. </p>
</li> </li>
</ul> </ul>
@ -325,11 +324,11 @@ Internet (ISP) vous assignera une seule adresse IP (single Public IP address).
Cette adresse peut être assignée par le Dynamic Host Configuration Protocol Cette adresse peut être assignée par le Dynamic Host Configuration Protocol
(DHCP) ou lors de l'établissement de votre connexion lorsque vous vous connectez (DHCP) ou lors de l'établissement de votre connexion lorsque vous vous connectez
(modem standard) ou établissez votre connexion PPP. Dans de rares cas , votre (modem standard) ou établissez votre connexion PPP. Dans de rares cas , votre
provider peu vous assigner une adresse statique (staticIP address); cela provider peu vous assigner une adresse statique (staticIP address); cela signifie
signifie que vous configurez votre interface externe sur votre firewall afin que vous configurez votre interface externe sur votre firewall afin d'utiliser
d'utiliser cette adresse de manière permanente. Une fois votre adresse externe cette adresse de manière permanente. Une fois votre adresse externe assignée,
assignée, elle va être partagée par tout vos systèmes lors de l'accès à Internet. elle va être partagée par tout vos systèmes lors de l'accès à Internet. Vous
Vous devrez assigner vos propres adresses à votre réseau local (votre interface devrez assigner vos propres adresses à votre réseau local (votre interface
interne sur le firewall ainsi que les autres ordinateurs). La RFC 1918 réserve interne sur le firewall ainsi que les autres ordinateurs). La RFC 1918 réserve
plusieurs plages d'IP (Private IP address ranges) à cette fin :</p> plusieurs plages d'IP (Private IP address ranges) à cette fin :</p>
@ -392,9 +391,9 @@ gauche du masque de sous-r
</div> </div>
<div align="left"> <div align="left">
<p align="left">Il est de convention d'assigner à l'interface interne la <p align="left">Il est de convention d'assigner à l'interface interne la première
première adresse utilisable dans le sous-réseau (10.10.10.1 dans l'exemple adresse utilisable dans le sous-réseau (10.10.10.1 dans l'exemple précédent)
précédent) ou la dernière utilisable (10.10.10.254).</p> ou la dernière utilisable (10.10.10.254).</p>
</div> </div>
<div align="left"> <div align="left">
@ -411,8 +410,8 @@ du sous-r
Vos ordinateurs locaux (ordinateur local 1 et 2) devraient être configurés Vos ordinateurs locaux (ordinateur local 1 et 2) devraient être configurés
avec leur passerelle par défaut (<i>default gateway)</i>pointant sur l'adresse avec leur passerelle par défaut (<i>default gateway)</i>pointant sur l'adresse
IP de l'interface interne du firewall, et les ordinateurs de la DMZ devraient IP de l'interface interne du firewall, et les ordinateurs de la DMZ devraient
être configurés avec leur passerelle par défaut (<i>default gateway)</i> être configurés avec leur passerelle par défaut (<i>default gateway)</i> pointant
pointant sur l'adresse IP de l'interface DMZ du firewall. </p> sur l'adresse IP de l'interface DMZ du firewall. </p>
</div> </div>
<p align="left">Cette courte description ne fait que survoler les concepts <p align="left">Cette courte description ne fait que survoler les concepts
@ -437,23 +436,22 @@ en local sera 10.10.10.254.</p>
<p align="left">Les adresses réservées par la RFC 1918 sont parfois désignées <p align="left">Les adresses réservées par la RFC 1918 sont parfois désignées
comme non-routables car les routeurs Internet (backbone) ne font pas circuler comme non-routables car les routeurs Internet (backbone) ne font pas circuler
les paquets qui ont une adresse de destination appartenant à la RFC-1918. les paquets qui ont une adresse de destination appartenant à la RFC-1918.
Lorsqu'un de vos systèmes en local (supposons l'ordinateur1) demande une Lorsqu'un de vos systèmes en local (supposons l'ordinateur1) demande une connexion
connexion à un serveur par Internet, le firewall doit appliquer un NAT (Network à un serveur par Internet, le firewall doit appliquer un NAT (Network Address
Address Translation). Le firewall ré écrit l'adresse source dans le paquet, Translation). Le firewall ré écrit l'adresse source dans le paquet, et l'a
et l'a remplace par l'adresse de l'interface externe du firewall; en d'autres remplace par l'adresse de l'interface externe du firewall; en d'autres mots,
mots, le firewall fait croire que c'est lui même qui initie la connexion. le firewall fait croire que c'est lui même qui initie la connexion. Ceci
Ceci est nécessaire afin que l'hôte de destination soit capable de renvoyer est nécessaire afin que l'hôte de destination soit capable de renvoyer les
les paquets au firewall (souvenez vous que les paquets qui ont pour adresse paquets au firewall (souvenez vous que les paquets qui ont pour adresse de
de destination, une adresse réservée par la RFC 1918 ne pourront pas être destination, une adresse réservée par la RFC 1918 ne pourront pas être routés
routés à travers Internet, donc l'hôte Internet ne pourra adresser sa réponse à travers Internet, donc l'hôte Internet ne pourra adresser sa réponse à
à l'ordinateur 1). Lorsque le firewall reçoit le paquet de réponse, il remet l'ordinateur 1). Lorsque le firewall reçoit le paquet de réponse, il remet
l'adresse de destination à 10.10.10.1 et fait passer le paquet vers l'ordinateur l'adresse de destination à 10.10.10.1 et fait passer le paquet vers l'ordinateur
1. </p> 1. </p>
<p align="left">Sur les systèmes Linux, ce procédé est souvent appelé de <p align="left">Sur les systèmes Linux, ce procédé est souvent appelé de l'IP
l'IP Masquerading mais vous verrez aussi le terme de Source Network Address Masquerading mais vous verrez aussi le terme de Source Network Address Translation
Translation (SNAT) utilisé. Shorewall suit la convention utilisée avec Netfilter (SNAT) utilisé. Shorewall suit la convention utilisée avec Netfilter :</p>
:</p>
<ul> <ul>
<li> <li>
@ -508,8 +506,7 @@ RFC-1918, il n'est pas possible pour les clients sur Internet de se connecter
directement à eux. Il est nécessaire à ces clients d'adresser leurs demandes directement à eux. Il est nécessaire à ces clients d'adresser leurs demandes
de connexion au firewall qui ré écrit l'adresse de destination de votre serveur, de connexion au firewall qui ré écrit l'adresse de destination de votre serveur,
et fait passer le paquet à celui-ci. Lorsque votre serveur répond, le firewall et fait passer le paquet à celui-ci. Lorsque votre serveur répond, le firewall
applique automatiquement un SNAT pour ré écrire l'adresse source dans la applique automatiquement un SNAT pour ré écrire l'adresse source dans la réponse.</p>
réponse.</p>
<p align="left">Ce procédé est appelé Port Forwarding ou Destination Network <p align="left">Ce procédé est appelé Port Forwarding ou Destination Network
Address Translation(DNAT). Vous configurez le port forwarding en utilisant Address Translation(DNAT). Vous configurez le port forwarding en utilisant
@ -534,8 +531,7 @@ est :</p>
<tr> <tr>
<td>DNAT</td> <td>DNAT</td>
<td>net</td> <td>net</td>
<td>dmz:<i>&lt;server local ip address&gt; </i>[:<i>&lt;server <td>dmz:<i>&lt;server local ip address&gt; </i>[:<i>&lt;server port&gt;</i>]</td>
port&gt;</i>]</td>
<td><i>&lt;protocol&gt;</i></td> <td><i>&lt;protocol&gt;</i></td>
<td><i>&lt;port&gt;</i></td> <td><i>&lt;port&gt;</i></td>
<td> <br> <td> <br>
@ -633,10 +629,10 @@ http://w.x.y.z:5000</a> o
</table> </table>
</blockquote> </blockquote>
<p>Si vous voulez avoir la possibilité de vous connecter à votre serveur <p>Si vous voulez avoir la possibilité de vous connecter à votre serveur depuis
depuis le réseau local en utilisant votre adresse externe, et si vous avez le réseau local en utilisant votre adresse externe, et si vous avez une adresse
une adresse IP externe statique (fixe), vous pouvez remplacer la règle loc-&gt;dmz IP externe statique (fixe), vous pouvez remplacer la règle loc-&gt;dmz précédente
précédente par :</p> par :</p>
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -707,8 +703,8 @@ les
</table> </table>
</blockquote> </blockquote>
<p>Si vous voulez accéder à votre serveur dans la DMZ en utilisant votre <p>Si vous voulez accéder à votre serveur dans la DMZ en utilisant votre adresse
adresse IP externe, regardez <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p> IP externe, regardez <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p>
<p><img border="0" src="images/BD21298_2.gif" width="13" height="13"> <p><img border="0" src="images/BD21298_2.gif" width="13" height="13">
A ce point, ajoutez les règles DNAT et ACCEPT pour vos serveurs..</p> A ce point, ajoutez les règles DNAT et ACCEPT pour vos serveurs..</p>
@ -716,13 +712,13 @@ adresse IP externe, regardez <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p>
<h2 align="left">Domain Name Server (DNS)</h2> <h2 align="left">Domain Name Server (DNS)</h2>
<p align="left">Normalement, quand vous vous connectez à votre fournisseur <p align="left">Normalement, quand vous vous connectez à votre fournisseur
(ISP), une partie consiste à obtenir votre adresse IP, votre DNS pour le (ISP), une partie consiste à obtenir votre adresse IP, votre DNS pour le firewall
firewall (Domain Name Service) est configuré automatiquement (c.a.d., le (Domain Name Service) est configuré automatiquement (c.a.d., le fichier /etc/resolv.conf
fichier /etc/resolv.conf a été écrit). Il arrive que votre provider vous a été écrit). Il arrive que votre provider vous donne une paire d'adresse
donne une paire d'adresse IP pour les DNS (name servers) afin que vous configuriez IP pour les DNS (name servers) afin que vous configuriez manuellement votre
manuellement votre serveur de nom primaire et secondaire. La manière dont serveur de nom primaire et secondaire. La manière dont le DNS est configuré
le DNS est configuré sur votre firewall est de votre responsabilité. Vous sur votre firewall est de votre responsabilité. Vous pouvez procéder d'une
pouvez procéder d'une de ses deux façons :</p> de ses deux façons :</p>
<ul> <ul>
<li> <li>
@ -1084,9 +1080,9 @@ particuli
<div align="left"> <div align="left">
<p align="left">Important: Je ne vous recommande pas d'autoriser le telnet <p align="left">Important: Je ne vous recommande pas d'autoriser le telnet
depuis ou vers l'Internet car il utilise du texte en clair (même pour le depuis ou vers l'Internet car il utilise du texte en clair (même pour le login
login et le mot de passe !). Si vous voulez avoir un accès au shell de votre et le mot de passe !). Si vous voulez avoir un accès au shell de votre firewall
firewall depuis Internet, utilisez SSH :</p> depuis Internet, utilisez SSH :</p>
</div> </div>
<div align="left"> <div align="left">
@ -1168,10 +1164,10 @@ d'h
</div> </div>
<div align="left"> <div align="left">
<p align="left">ATTENTION: Si vous êtes connecté à votre firewall depuis <p align="left">ATTENTION: Si vous êtes connecté à votre firewall depuis Internet,
Internet, n'essayez pas une commande "shorewall stop" tant que vous n'avez n'essayez pas une commande "shorewall stop" tant que vous n'avez pas ajouté
pas ajouté une entrée pour votre adresse IP (celle à partir de laquelle vous une entrée pour votre adresse IP (celle à partir de laquelle vous êtes connectée)
êtes connectée) dans <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. dans <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
De la même manière, je ne vous recommande pas d'utiliser "shorewall restart"; De la même manière, je ne vous recommande pas d'utiliser "shorewall restart";
il est plus intéressant de créer une <i><a il est plus intéressant de créer une <i><a
href="configuration_file_basics.htm#Configs">configuration </a></i><i><a href="configuration_file_basics.htm#Configs">configuration </a></i><i><a
@ -1204,5 +1200,6 @@ M. Eastep</font></a></p>
<br> <br>
<br> <br>
<br> <br>
<br>
</body> </body>
</html> </html>


@ -12,7 +12,6 @@
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Two-Interface Firewall</title> <title>Two-Interface Firewall</title>
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
@ -23,8 +22,6 @@
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Basic Two-Interface Firewall</font></h1> <h1 align="center"><font color="#ffffff">Basic Two-Interface Firewall</font></h1>
</td> </td>
</tr> </tr>
@ -63,19 +60,19 @@ local network.</li>
<p><b>Note however, that the Shorewall configuration produced by Mandrake <p><b>Note however, that the Shorewall configuration produced by Mandrake
Internet Connection Sharing is strange and is apt to confuse you if you use Internet Connection Sharing is strange and is apt to confuse you if you use
the rest of this documentation (it has two local zones; "loc" and "masq" where the rest of this documentation (it has two local zones; "loc" and "masq"
"loc" is empty; this conflicts with this documentation which assumes a single where "loc" is empty; this conflicts with this documentation which assumes
local zone "loc"). We therefore recommend that once you have set up this a single local zone "loc"). We therefore recommend that once you have set
sharing that you uninstall the Mandrake Shorewall RPM and install the one up this sharing that you uninstall the Mandrake Shorewall RPM and install
from the <a href="download.htm">download page</a> then follow the instructions the one from the <a href="download.htm">download page</a> then follow the
in this Guide.</b><br> instructions in this Guide.</b><br>
</p> </p>
<p>Shorewall requires that you have the iproute/iproute2 package installed <p>Shorewall requires that you have the iproute/iproute2 package installed
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can (on RedHat, the package is called <i>iproute</i>)<i>. </i>You can
tell if this package is installed by the presence of an <b>ip</b> tell if this package is installed by the presence of an <b>ip</b> program
program on your firewall system. As root, you can use the 'which' on your firewall system. As root, you can use the 'which' command
command to check for this program:</p> to check for this program:</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre> <pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
@ -98,11 +95,12 @@ floppy disk, you must run dos2unix against the copy before using it with
Shorewall.</p> Shorewall.</p>
<ul> <ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows
Version of dos2unix</a></li>
<li><a <li><a
href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version href="http://www.simtel.net/pub/pd/51438.html">Windows Version of
of dos2unix</a></li> dos2unix</a></li>
<li><a
href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version of
dos2unix</a></li>
</ul> </ul>
@ -110,21 +108,22 @@ of dos2unix</a></li>
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13" <p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
alt=""> alt="">
    The configuration files for Shorewall are contained in the directory     The configuration files for Shorewall are contained in the
/etc/shorewall -- for simple setups, you will only need to deal with directory /etc/shorewall -- for simple setups, you will only need to
a few of these as described in this guide. After you have <a deal with a few of these as described in this guide. After you have <a
href="Install.htm">installed Shorewall</a>, <b>download the <a href="Install.htm">installed Shorewall</a>, <b>download the <a
href="/pub/shorewall/LATEST.samples/two-interfaces.tgz">two-interface sample</a>, href="http://www.shorewall.net/pub/shorewall/LATEST.samples/two-interfaces.tgz">two-interface
un-tar it (tar -zxvf two-interfaces.tgz) and and copy the files to sample</a>, un-tar it (tar -zxvf two-interfaces.tgz) and and copy
/etc/shorewall (these files will replace files with the same name).</b></p> the files to /etc/shorewall (these files will replace files with
the same name).</b></p>
<p>As each file is introduced, I suggest that you look through the actual <p>As each file is introduced, I suggest that you look through the actual
file on your system -- each file contains detailed configuration file on your system -- each file contains detailed configuration
instructions and default entries.</p> instructions and default entries.</p>
<p>Shorewall views the network where it is running as being composed of a <p>Shorewall views the network where it is running as being composed of a
set of <i>zones.</i> In the two-interface sample configuration, set of <i>zones.</i> In the two-interface sample configuration, the
the following zone names are used:</p> following zone names are used:</p>
<table border="0" style="border-collapse: collapse;" cellpadding="3" <table border="0" style="border-collapse: collapse;" cellpadding="3"
cellspacing="0" id="AutoNumber2"> cellspacing="0" id="AutoNumber2">
@ -170,8 +169,8 @@ the <a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li
DROP  the request is first checked against the rules in /etc/shorewall/common DROP  the request is first checked against the rules in /etc/shorewall/common
(the samples provide that file for you).</p> (the samples provide that file for you).</p>
<p>The /etc/shorewall/policy file included with the two-interface sample <p>The /etc/shorewall/policy file included with the two-interface sample has
has the following policies:</p> the following policies:</p>
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -206,7 +205,6 @@ has the following policies:</p>
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -234,7 +232,6 @@ has the following policies:</p>
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -262,9 +259,9 @@ firewall to the internet (if you uncomment the additional policy)</li>
height="635"> height="635">
</p> </p>
<p align="left">The firewall has two network interfaces. Where Internet connectivity <p align="left">The firewall has two network interfaces. Where Internet
is through a cable or DSL "Modem", the <i>External Interface</i> will be connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>)  will be the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>) 
<u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol
over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint
<u>T</u>unneling <u>P</u>rotocol </i>(PPTP) in which case the External <u>T</u>unneling <u>P</u>rotocol </i>(PPTP) in which case the External
@ -280,9 +277,9 @@ the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>)
<p align="left">Your <i>Internal Interface</i> will be an ethernet adapter <p align="left">Your <i>Internal Interface</i> will be an ethernet adapter
(eth1 or eth0) and will be connected to a hub or switch. Your other (eth1 or eth0) and will be connected to a hub or switch. Your other
computers will be connected to the same hub/switch (note: If you computers will be connected to the same hub/switch (note: If you have
have only a single internal system, you can connect the firewall only a single internal system, you can connect the firewall directly
directly to the computer using a <i>cross-over </i> cable).</p> to the computer using a <i>cross-over </i> cable).</p>
<p align="left"><u><b> <img border="0" src="images/j0213519.gif" <p align="left"><u><b> <img border="0" src="images/j0213519.gif"
width="60" height="60"> width="60" height="60">
@ -295,20 +292,18 @@ directly to the computer using a <i>cross-over </i> cable).</p>
width="13" height="13"> width="13" height="13">
    The Shorewall two-interface sample configuration assumes     The Shorewall two-interface sample configuration assumes
that the external interface is <b>eth0</b> and the internal interface that the external interface is <b>eth0</b> and the internal interface
is <b>eth1</b>. If your configuration is different, you will have is <b>eth1</b>. If your configuration is different, you will have to
to modify the sample <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> modify the sample <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
file accordingly. While you are there, you may wish to review the list file accordingly. While you are there, you may wish to review the
of options that are specified for the interfaces. Some hints:</p> list of options that are specified for the interfaces. Some hints:</p>
<ul> <ul>
<li> <li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>, <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>,
you can replace the "detect" in the second column with "-". you can replace the "detect" in the second column with "-".
</p> </p>
</li> </li>
<li> <li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b> <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>
or if you have a static IP address, you can remove "dhcp" from or if you have a static IP address, you can remove "dhcp" from
the option list. </p> the option list. </p>
@ -326,8 +321,8 @@ establishing your connection when you dial in (standard modem) or establish
your PPP connection. In rare cases, your ISP may assign you a<i> static</i> your PPP connection. In rare cases, your ISP may assign you a<i> static</i>
IP address; that means that you configure your firewall's external interface IP address; that means that you configure your firewall's external interface
to use that address permanently.<i> </i>However your external address to use that address permanently.<i> </i>However your external address
is assigned, it will be shared by all of your systems when you access is assigned, it will be shared by all of your systems when you access the
the Internet. You will have to assign your own addresses in your internal Internet. You will have to assign your own addresses in your internal
network (the Internal Interface on your firewall plus your other computers). network (the Internal Interface on your firewall plus your other computers).
RFC 1918 reserves several <i>Private </i>IP address ranges for this purpose:</p> RFC 1918 reserves several <i>Private </i>IP address ranges for this purpose:</p>
@ -347,8 +342,8 @@ IP address of your external interface and if it is one of the above
<div align="left"> <div align="left">
<p align="left">You will want to assign your addresses from the same <i> <p align="left">You will want to assign your addresses from the same <i>
sub-network </i>(<i>subnet)</i>.  For our purposes, we can consider a subnet sub-network </i>(<i>subnet)</i>.  For our purposes, we can consider a subnet
to consists of a range of addresses x.y.z.0 - x.y.z.255. Such to consists of a range of addresses x.y.z.0 - x.y.z.255. Such a
a subnet will have a <i>Subnet Mask </i>of 255.255.255.0. The address subnet will have a <i>Subnet Mask </i>of 255.255.255.0. The address
x.y.z.0 is reserved as the <i>Subnet Address</i> and x.y.z.255 is x.y.z.0 is reserved as the <i>Subnet Address</i> and x.y.z.255 is
reserved as the <i>Subnet Broadcast</i> <i>Address</i>. In Shorewall, reserved as the <i>Subnet Broadcast</i> <i>Address</i>. In Shorewall,
a subnet is described using <a a subnet is described using <a
@ -384,7 +379,6 @@ bits from the left of the subnet mask. </p>
<td>10.10.10.0/24</td> <td>10.10.10.0/24</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -431,22 +425,22 @@ Thomas A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13" <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13" alt=""> height="13" alt="">
    <font color="#ff0000"><b>WARNING: </b></font><b>Your ISP might assign     <font color="#ff0000"><b>WARNING: </b></font><b>Your ISP might assign
your external interface an RFC 1918 address. If that address is in the your external interface an RFC 1918 address. If that address is in the 10.10.10.0/24
10.10.10.0/24 subnet then you will need to select a DIFFERENT RFC 1918 subnet then you will need to select a DIFFERENT RFC 1918 subnet for your
subnet for your local network.</b><br> local network.</b><br>
</p> </p>
<h2 align="left">IP Masquerading (SNAT)</h2> <h2 align="left">IP Masquerading (SNAT)</h2>
<p align="left">The addresses reserved by RFC 1918 are sometimes referred <p align="left">The addresses reserved by RFC 1918 are sometimes referred
to as <i>non-routable</i> because the Internet backbone routers don't to as <i>non-routable</i> because the Internet backbone routers don't
forward packets which have an RFC-1918 destination address. When forward packets which have an RFC-1918 destination address. When one
one of your local systems (let's assume computer 1) sends a connection of your local systems (let's assume computer 1) sends a connection
request to an internet host, the firewall must perform <i>Network request to an internet host, the firewall must perform <i>Network Address
Address Translation </i>(NAT). The firewall rewrites the source address Translation </i>(NAT). The firewall rewrites the source address in
in the packet to be the address of the firewall's external interface; the packet to be the address of the firewall's external interface; in
in other words, the firewall makes it look as if the firewall itself other words, the firewall makes it look as if the firewall itself is
is initiating the connection.  This is necessary so that the destination initiating the connection.  This is necessary so that the destination
host will be able to route return packets back to the firewall (remember host will be able to route return packets back to the firewall (remember
that packets whose destination address is reserved by RFC 1918 can't that packets whose destination address is reserved by RFC 1918 can't
be routed across the internet so the remote host can't address its response be routed across the internet so the remote host can't address its response
@ -454,20 +448,18 @@ is initiating the connection.
the destination address back to 10.10.10.1 and forwards the packet on the destination address back to 10.10.10.1 and forwards the packet on
to computer 1. </p> to computer 1. </p>
<p align="left">On Linux systems, the above process is often referred to <p align="left">On Linux systems, the above process is often referred to as<i>
as<i> IP Masquerading</i> but you will also see the term <i>Source Network IP Masquerading</i> but you will also see the term <i>Source Network Address
Address Translation </i>(SNAT) used. Shorewall follows the convention used Translation </i>(SNAT) used. Shorewall follows the convention used with
with Netfilter:</p> Netfilter:</p>
<ul> <ul>
<li> <li>
<p align="left"><i>Masquerade</i> describes the case where you let your <p align="left"><i>Masquerade</i> describes the case where you let your
firewall system automatically detect the external interface address. firewall system automatically detect the external interface address.
</p> </p>
</li> </li>
<li> <li>
<p align="left"><i>SNAT</i> refers to the case when you explicitly specify <p align="left"><i>SNAT</i> refers to the case when you explicitly specify
the source address that you want outbound packets from your local the source address that you want outbound packets from your local
network to use. </p> network to use. </p>
@ -481,22 +473,22 @@ with Netfilter:</p>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13" <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13"> height="13">
    If your external firewall interface is <b>eth0</b>, you     If your external firewall interface is <b>eth0</b>,
do not need to modify the file provided with the sample. Otherwise, you do not need to modify the file provided with the sample. Otherwise,
edit /etc/shorewall/masq and change the first column to the name of edit /etc/shorewall/masq and change the first column to the name
your external interface and the second column to the name of your internal of your external interface and the second column to the name of your
interface.</p> internal interface.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13" <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13"> height="13">
    If your external IP is static, you can enter it in the     If your external IP is static, you can enter it in
third column in the /etc/shorewall/masq entry if you like although the third column in the /etc/shorewall/masq entry if you like although
your firewall will work fine if you leave that column empty. Entering your firewall will work fine if you leave that column empty. Entering
your static IP in column 3 makes processing outgoing packets a little your static IP in column 3 makes processing outgoing packets a little
more efficient.<br> more efficient.<br>
<br> <br>
<img border="0" src="images/BD21298_.gif" width="13" height="13" <img border="0" src="images/BD21298_.gif" width="13"
alt=""> height="13" alt="">
    If you are using the Debian package, please check your shorewall.conf     If you are using the Debian package, please check your shorewall.conf
file to ensure that the following are set correctly; if they are not, file to ensure that the following are set correctly; if they are not,
change them appropriately:<br> change them appropriately:<br>
@ -513,12 +505,12 @@ change them appropriately:<br>
<p align="left">One of your goals may be to run one or more servers on your <p align="left">One of your goals may be to run one or more servers on your
local computers. Because these computers have RFC-1918 addresses, local computers. Because these computers have RFC-1918 addresses,
it is not possible for clients on the internet to connect directly it is not possible for clients on the internet to connect directly to
to them. It is rather necessary for those clients to address their them. It is rather necessary for those clients to address their connection
connection requests to the firewall who rewrites the destination address requests to the firewall who rewrites the destination address to the
to the address of your server and forwards the packet to that server. address of your server and forwards the packet to that server. When
When your server responds, the firewall automatically performs SNAT your server responds, the firewall automatically performs SNAT to rewrite
to rewrite the source address in the response.</p> the source address in the response.</p>
<p align="left">The above process is called<i> Port Forwarding</i> or <i> <p align="left">The above process is called<i> Port Forwarding</i> or <i>
Destination Network Address Translation</i> (DNAT). You configure Destination Network Address Translation</i> (DNAT). You configure
@ -551,7 +543,6 @@ port forwarding using DNAT rules in the /etc/shorewall/rules file.</p>
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -582,7 +573,6 @@ port forwarding using DNAT rules in the /etc/shorewall/rules file.</p>
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -592,9 +582,9 @@ port forwarding using DNAT rules in the /etc/shorewall/rules file.</p>
<ul> <ul>
<li>You must test the above rule from a client outside <li>You must test the above rule from a client outside
of your local network (i.e., don't test from a browser running on of your local network (i.e., don't test from a browser running on
computers 1 or 2 or on the firewall). If you want to be able to access computers 1 or 2 or on the firewall). If you want to be able to
your web server using the IP address of your external interface, see access your web server using the IP address of your external interface,
<a href="FAQ.htm#faq2">Shorewall FAQ #2</a>.</li> see <a href="FAQ.htm#faq2">Shorewall FAQ #2</a>.</li>
<li>Many ISPs block incoming connection requests to port <li>Many ISPs block incoming connection requests to port
80. If you have problems connecting to your web server, try the 80. If you have problems connecting to your web server, try the
following rule and try connecting to port 5000.</li> following rule and try connecting to port 5000.</li>
@ -624,7 +614,6 @@ following rule and try connecting to port 5000.</li>
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -646,7 +635,6 @@ as your primary and secondary name servers. Regardless of how DNS gets
<ul> <ul>
<li> <li>
<p align="left">You can configure your internal systems to use your ISP's <p align="left">You can configure your internal systems to use your ISP's
name servers. If you ISP gave you the addresses of their servers name servers. If you ISP gave you the addresses of their servers
or if those addresses are available on their web site, you can configure or if those addresses are available on their web site, you can configure
@ -656,19 +644,18 @@ as your primary and secondary name servers. Regardless of how DNS gets
</p> </p>
</li> </li>
<li> <li>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13" <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13"> height="13">
    You can configure a<i> Caching Name Server </i>on your     You can configure a<i> Caching Name Server </i>on your
firewall.<i> </i>Red Hat has an RPM for a caching name server firewall.<i> </i>Red Hat has an RPM for a caching name server
(the RPM also requires the 'bind' RPM) and for Bering users, there (the RPM also requires the 'bind' RPM) and for Bering users, there
is dnscache.lrp. If you take this approach, you configure your internal is dnscache.lrp. If you take this approach, you configure your internal
systems to use the firewall itself as their primary (and only) name server. systems to use the firewall itself as their primary (and only) name
You use the internal IP address of the firewall (10.10.10.254 in the server. You use the internal IP address of the firewall (10.10.10.254
example above) for the name server address. To allow your local systems in the example above) for the name server address. To allow your
to talk to your caching name server, you must open port 53 (both UDP local systems to talk to your caching name server, you must open port
and TCP) from the local network to the firewall; you do that by adding 53 (both UDP and TCP) from the local network to the firewall; you
the following rules in /etc/shorewall/rules. </p> do that by adding the following rules in /etc/shorewall/rules. </p>
</li> </li>
</ul> </ul>
@ -705,7 +692,6 @@ as your primary and secondary name servers. Regardless of how DNS gets
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -751,7 +737,6 @@ as your primary and secondary name servers. Regardless of how DNS gets
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -791,7 +776,6 @@ as your primary and secondary name servers. Regardless of how DNS gets
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -831,7 +815,6 @@ as your primary and secondary name servers. Regardless of how DNS gets
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -875,7 +858,6 @@ as your primary and secondary name servers. Regardless of how DNS gets
<td>from the local network</td> <td>from the local network</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -888,14 +870,14 @@ your firewall"</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left">If you don't know what port and protocol a particular <p align="left">If you don't know what port and protocol a particular application
application uses, look <a href="ports.htm">here</a>.</p> uses, look <a href="ports.htm">here</a>.</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left"><b>Important: </b>I don't recommend enabling telnet to/from <p align="left"><b>Important: </b>I don't recommend enabling telnet to/from
the internet because it uses clear text (even for login!). If the internet because it uses clear text (even for login!). If you
you want shell access to your firewall from the internet, use SSH:</p> want shell access to your firewall from the internet, use SSH:</p>
</div> </div>
<div align="left"> <div align="left">
@ -922,7 +904,6 @@ you want shell access to your firewall from the internet, use SSH:</p>
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -972,7 +953,6 @@ you want shell access to your firewall from the internet, use SSH:</p>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -994,8 +974,8 @@ delete other connections as required.</p>
    The <a href="Install.htm">installation procedure </a>     The <a href="Install.htm">installation procedure </a>
configures your system to start Shorewall at system boot  but beginning configures your system to start Shorewall at system boot  but beginning
with Shorewall version 1.3.9 startup is disabled so that your system with Shorewall version 1.3.9 startup is disabled so that your system
won't try to start Shorewall before configuration is complete. Once won't try to start Shorewall before configuration is complete. Once you
you have completed configuration of your firewall, you can enable Shorewall have completed configuration of your firewall, you can enable Shorewall
startup by removing the file /etc/shorewall/startup_disabled.<br> startup by removing the file /etc/shorewall/startup_disabled.<br>
</p> </p>
@ -1020,8 +1000,8 @@ you have completed configuration of your firewall, you can enable Shorewall
height="13"> height="13">
    The two-interface sample assumes that you want to enable     The two-interface sample assumes that you want to enable
routing to/from <b>eth1 </b>(the local network) when Shorewall is routing to/from <b>eth1 </b>(the local network) when Shorewall is
stopped. If your local network isn't connected to <b>eth1</b> or if stopped. If your local network isn't connected to <b>eth1</b> or if you
you wish to enable access to/from other hosts, change /etc/shorewall/routestopped wish to enable access to/from other hosts, change /etc/shorewall/routestopped
accordingly.</p> accordingly.</p>
</div> </div>
@ -1030,8 +1010,8 @@ you wish to enable access to/from other hosts, change /etc/shorewall/rou
the internet, do not issue a "shorewall stop" command unless you the internet, do not issue a "shorewall stop" command unless you
have added an entry for the IP address that you are connected from have added an entry for the IP address that you are connected from
to <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. to <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better to Also, I don't recommend using "shorewall restart"; it is better to create
create an <i><a href="configuration_file_basics.htm#Configs">alternate an <i><a href="configuration_file_basics.htm#Configs">alternate
configuration</a></i> and test it using the <a configuration</a></i> and test it using the <a
href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p> href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p>
</div> </div>
@ -1044,5 +1024,6 @@ configuration</a></i> and test it using the <a
</p> </p>
<br> <br>
<br> <br>
<br>
</body> </body>
</html> </html>



@ -6,12 +6,10 @@
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Upgrade Issues</title> <title>Upgrade Issues</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
@ -22,8 +20,6 @@
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Upgrade Issues</font></h1> <h1 align="center"><font color="#ffffff">Upgrade Issues</font></h1>
</td> </td>
</tr> </tr>
@ -31,7 +27,6 @@
</tbody> </tbody>
</table> </table>
<p>For upgrade instructions see the <a <p>For upgrade instructions see the <a
href="Install.htm">Install/Upgrade page</a>.<br> href="Install.htm">Install/Upgrade page</a>.<br>
</p> </p>
@ -40,32 +35,45 @@
version number mentioned in the section title is later than what you are version number mentioned in the section title is later than what you are
currently running.<br> currently running.<br>
</p> </p>
<p> In the descriptions that follows, the term <b><i>group </i></b>refers
to a particular network or subnetwork (which may be 0.0.0.0/0 or it may
be a host address) accessed through a particular interface.<br>
</p>
<p>Examples:<br>
    <br>
    eth0:0.0.0.0/0<br>
    eth2:192.168.1.0/24<br>
    eth3:192.0.2.123<br>
</p>
<h3> </h3> <h3> </h3>
<h3>Version &gt;= 1.4.2</h3>
There are some cases where you may want to handle traffic from a particular
group to itself. While I personally think that such a setups are ridiculous,
there are two cases covered in this documentation where it can occur:<br>
<ol>
<li><a href="FAQ.htm#faq2">In FAQ #2</a>.</li>
<li><a href="Shorewall_Squid_Usage.html">When running Squid as a transparent
proxy in your local zone.</a></li>
</ol>
If you have either of these cases, you will want to review the current documentation
and change your configuration accordingly.<br>
<h3>Version &gt;= 1.4.1</h3> <h3>Version &gt;= 1.4.1</h3>
In the description that follows, the term <i>group </i>refers to a particular
network or subnetwork (which may be 0.0.0.0/0 or it may be a host address)
accessed through a particular interface. Examples:<br>
<blockquote>eth0:0.0.0.0/0<br>
eth2:192.168.1.0/24<br>
eth3:192.0.2.123<br>
</blockquote>
You can use the "shorewall check" command to see the groups associated with You can use the "shorewall check" command to see the groups associated with
each of your zones.<br> each of your zones.<br>
<br> <br>
<ul> <ul>
<li>Beginning with Version 1.4.1, traffic between groups in the same <li>Beginning with Version 1.4.1, traffic between groups in the same
zone is accepted by default. Previously, traffic from a zone to itself was zone is accepted by default. Previously, traffic from a zone to itself
treated just like any other traffic; any matching rules were applied followed was treated just like any other traffic; any matching rules were applied
by enforcement of the appropriate policy. With 1.4.1 and later versions, followed by enforcement of the appropriate policy. With 1.4.1 and later
unless you have explicit rules for traffic from Z to Z or you have an explicit versions, unless you have explicit rules for traffic from Z to Z or you
Z to Z policy (where "Z" is some zone) then traffic between the groups in have an explicit Z to Z policy (where "Z" is some zone) then traffic between
zone Z will be accepted. If you do have one or more explicit rules for Z the groups in zone Z will be accepted. If you do have one or more explicit
to Z or if you have an explicit Z to Z policy then the behavior is as it rules for Z to Z or if you have an explicit Z to Z policy then the behavior
was in prior versions.</li> is as it was in prior versions.</li>
</ul> </ul>
@ -86,10 +94,10 @@ add an explicit DROP or REJECT policy for Z to Z.<br>
</blockquote> </blockquote>
<ul> <ul>
<li>Beginning with Version 1.4.1, Shorewall will never create rules to <li>Beginning with Version 1.4.1, Shorewall will never create rules
deal with traffic from a given group back to itself. The <i>multi</i> interface to deal with traffic from a given group back to itself. The <i>multi</i>
option is no longer available so if you want to route traffic between two interface option is no longer available so if you want to route traffic between
subnetworks on the same interface then either:</li> two subnetworks on the same interface then either:</li>
</ul> </ul>
@ -101,6 +109,11 @@ subnetworks on the same interface then either:</li>
</ol> </ol>
</blockquote> </blockquote>
If you use the technique described in FAQ 2 to send local requests addressed
to your firewall's external address back to a local server then you need to
change your configuration to match <a href="FAQ.htm#faq2">the new version
of FAQ #2.<br>
</a><br>
Example 1 -- Two zones:<br> Example 1 -- Two zones:<br>
<blockquote> <blockquote>
@ -114,18 +127,19 @@ subnetworks on the same interface then either:</li>
traffic is accepted by default. The second technique is preferable if you traffic is accepted by default. The second technique is preferable if you
want unlimited access between the two subnetworks.<br> want unlimited access between the two subnetworks.<br>
<br> <br>
Sometimes, you want two separate zones on one interface but you don't want Sometimes, you want two separate zones on one interface but you don't
Shorewall to set up any infrastructure to handle traffic between them. <br> want Shorewall to set up any infrastructure to handle traffic between them.
<br>
<br> <br>
Example:<br> Example:<br>
<blockquote> <blockquote>
<pre>/etc/shorewall/zones<br><br>z1 Zone1 The first Zone<br>z2 Zone2 The secont Zone<br><br>/etc/shorewall/interfaces<br><br>z2 eth1 192.168.1.255<br><br>/etc/shorewall/hosts<br><br>z1 eth1:192.168.1.3<br></pre> <pre>/etc/shorewall/zones<br><br>z1 Zone1 The first Zone<br>z2 Zone2 The secont Zone<br><br>/etc/shorewall/interfaces<br><br>z2 eth1 192.168.1.255<br><br>/etc/shorewall/hosts<br><br>z1 eth1:192.168.1.3<br></pre>
</blockquote> </blockquote>
Here, zone z1 is nested in zone z2 and the firewall is not going to be involved Here, zone z1 is nested in zone z2 and the firewall is not going to be
in any traffic between these two zones. Beginning with Shorewall 1.4.1, you involved in any traffic between these two zones. Beginning with Shorewall
can prevent Shorewall from setting up any infrastructure to handle traffic 1.4.1, you can prevent Shorewall from setting up any infrastructure to handle
between z1 and z2 by using the new NONE policy:<br> traffic between z1 and z2 by using the new NONE policy:<br>
<blockquote> <blockquote>
<pre>/etc/shorewall/policy<br><pre>z1 z2 NONE<br>z2 z1 NONE</pre></pre> <pre>/etc/shorewall/policy<br><pre>z1 z2 NONE<br>z2 z1 NONE</pre></pre>
@ -143,8 +157,8 @@ and you are using a NONE polciy in the other direction.
     error: failed dependencies:iproute is needed by shorewall-1.4.0-1      error: failed dependencies:iproute is needed by shorewall-1.4.0-1
<br> <br>
<br> <br>
This may be worked around by using the --nodeps option of rpm (rpm -Uvh This may be worked around by using the --nodeps option of rpm (rpm
--nodeps &lt;shorewall rpm&gt;).<br> -Uvh --nodeps &lt;shorewall rpm&gt;).<br>
<br> <br>
If you are upgrading from a version &lt; 1.4.0, then:<br> If you are upgrading from a version &lt; 1.4.0, then:<br>
@ -157,20 +171,20 @@ are no longer supported nor is the <b>FORWARDPING </b>option in shorewall.con
in /etc/shorewall/interfaces now generate a Shorewall error at startup in /etc/shorewall/interfaces now generate a Shorewall error at startup
(they always have produced warnings in iptables).</li> (they always have produced warnings in iptables).</li>
<li>The MERGE_HOSTS variable has been removed from shorewall.conf. <li>The MERGE_HOSTS variable has been removed from shorewall.conf.
Shorewall 1.4 behaves like 1.3 did when MERGE_HOSTS=Yes; that is zone contents Shorewall 1.4 behaves like 1.3 did when MERGE_HOSTS=Yes; that is zone
are determined by BOTH the interfaces and hosts files when there are entries contents are determined by BOTH the interfaces and hosts files when there
for the zone in both files.</li> are entries for the zone in both files.</li>
<li>The <b>routestopped</b> option in the interfaces and hosts <li>The <b>routestopped</b> option in the interfaces and hosts
file has been eliminated; use entries in the routestopped file instead.</li> file has been eliminated; use entries in the routestopped file instead.</li>
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no <li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is
longer accepted; you must convert to using the new syntax.</li> no longer accepted; you must convert to using the new syntax.</li>
<li value="6">The ALLOWRELATED variable in shorewall.conf is no <li value="6">The ALLOWRELATED variable in shorewall.conf is
longer supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.</li> no longer supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.</li>
<li value="6">Late-arriving DNS replies are now dropped by default; <li value="6">Late-arriving DNS replies are now dropped by default;
there is no need for your own /etc/shorewall/common file simply to avoid there is no need for your own /etc/shorewall/common file simply to avoid
logging these packets.</li> logging these packets.</li>
<li value="6">The 'firewall', 'functions' and 'version' file have <li value="6">The 'firewall', 'functions' and 'version' file
been moved to /usr/share/shorewall.</li> have been moved to /usr/share/shorewall.</li>
<li value="6">The icmp.def file has been removed. If you include <li value="6">The icmp.def file has been removed. If you include
it from /etc/shorewall/icmpdef, you will need to modify that file.</li> it from /etc/shorewall/icmpdef, you will need to modify that file.</li>
@ -190,36 +204,37 @@ longer accepted; you must convert to using the new syntax.</li>
<h3>Version 1.4.0</h3> <h3>Version 1.4.0</h3>
<ul> <ul>
<li value="8">The 'multi' interface option is no longer supported.  Shorewall <li value="8">The 'multi' interface option is no longer supported.
will generate rules for sending packets back out the same interface that  Shorewall will generate rules for sending packets back out the same
they arrived on in two cases:</li> interface that they arrived on in two cases:</li>
</ul> </ul>
<blockquote> <blockquote>
<ul> <ul>
<li>There is an <u>explicit</u> policy for the source zone to or from <li>There is an <u>explicit</u> policy for the source zone to or
the destination zone. An explicit policy names both zones and does not from the destination zone. An explicit policy names both zones and does
use the 'all' reserved word.</li> not use the 'all' reserved word.</li>
</ul> </ul>
<ul> <ul>
<li>There are one or more rules for traffic for the source zone to <li>There are one or more rules for traffic for the source zone to
or from the destination zone including rules that use the 'all' reserved or from the destination zone including rules that use the 'all' reserved
word. Exception: if the source zone and destination zone are the same then word. Exception: if the source zone and destination zone are the same
the rule must be explicit - it must name the zone in both the SOURCE and then the rule must be explicit - it must name the zone in both the SOURCE
DESTINATION columns.</li> and DESTINATION columns.</li>
</ul> </ul>
</blockquote> </blockquote>
<h3>Version &gt;= 1.3.14</h3> <h3>Version &gt;= 1.3.14</h3>
<img src="images/BD21298_3.gif" alt="" width="13" height="13"> <img src="images/BD21298_3.gif" alt="" width="13"
     Beginning in version 1.3.14, Shorewall treats entries in <a height="13">
href="Documentation.htm#Masq">/etc/shorewall/masq </a>differently. The change      Beginning in version 1.3.14, Shorewall treats entries in
involves entries with an <b>interface name</b> in the <b>SUBNET</b> (second) <a href="Documentation.htm#Masq">/etc/shorewall/masq </a>differently. The
<b>column</b>:<br> change involves entries with an <b>interface name</b> in the <b>SUBNET</b>
(second) <b>column</b>:<br>
<ul> <ul>
<li>Prior to 1.3.14, Shorewall would detect the FIRST subnet <li>Prior to 1.3.14, Shorewall would detect the FIRST subnet
@ -243,7 +258,8 @@ an interface name in the SUBNET (second) column; and</li>
</ol> </ol>
Two examples:<br> Two examples:<br>
<br> <br>
 <b>Example 1</b> -- Suppose that your current config is as follows:<br>  <b>Example 1</b> -- Suppose that your current config is as
follows:<br>
   <br>    <br>
<pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> eth0                    192.168.10.0/24         206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br> [root@gateway test]#</pre> <pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> eth0                    192.168.10.0/24         206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br> [root@gateway test]#</pre>
@ -261,7 +277,8 @@ this?<br>
</blockquote> </blockquote>
<pre> #INTERFACE              SUBNET                  ADDRESS <br> eth0                    192.168.1.0/24          206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre> <pre> #INTERFACE              SUBNET                  ADDRESS <br> eth0                    192.168.1.0/24          206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<img src="images/BD21298_3.gif" alt="" width="13" height="13"> <img src="images/BD21298_3.gif" alt="" width="13"
height="13">
    Version 1.3.14 also introduced simplified ICMP echo-request     Version 1.3.14 also introduced simplified ICMP echo-request
(ping) handling. The option OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf (ping) handling. The option OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf
is used to specify that the old (pre-1.3.14) ping handling is to be is used to specify that the old (pre-1.3.14) ping handling is to be
@ -290,38 +307,36 @@ application will need to be changed to reflect this change of location.<br>
<p>If you have a pair of firewall systems configured for failover <p>If you have a pair of firewall systems configured for failover
or if you have asymmetric routing, you will need to modify or if you have asymmetric routing, you will need to modify
your firewall setup slightly under Shorewall your firewall setup slightly under Shorewall
versions &gt;= 1.3.8. Beginning with version versions &gt;= 1.3.8. Beginning with version 1.3.8,
1.3.8, you must set NEWNOTSYN=Yes in you must set NEWNOTSYN=Yes in your
your /etc/shorewall/shorewall.conf file.</p> /etc/shorewall/shorewall.conf file.</p>
<h3>Version &gt;= 1.3.7</h3> <h3>Version &gt;= 1.3.7</h3>
<p>Users specifying ALLOWRELATED=No in /etc/shorewall.conf <p>Users specifying ALLOWRELATED=No in /etc/shorewall.conf
will need to include the following will need to include the following
rules in their /etc/shorewall/icmpdef rules in their /etc/shorewall/icmpdef file (creating this
file (creating this file if necessary):</p> file if necessary):</p>
<pre> run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT</pre> <pre> run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT</pre>
<p>Users having an /etc/shorewall/icmpdef file may remove the ". /etc/shorewall/icmp.def" <p>Users having an /etc/shorewall/icmpdef file may remove the ". /etc/shorewall/icmp.def"
command from that file since the icmp.def file is now empty.</p> command from that file since the icmp.def file is now empty.</p>
<h3><b><a name="Bering">Upgrading </a>Bering to <h3><b><a name="Bering">Upgrading </a>Bering to Shorewall &gt;= 1.3.3</b></h3>
Shorewall &gt;= 1.3.3</b></h3>
<p>To properly upgrade with Shorewall version <p>To properly upgrade with Shorewall version 1.3.3 and later:</p>
1.3.3 and later:</p>
<ol> <ol>
<li>Be sure you have a backup <li>Be sure you have a
-- you will need to transcribe any backup -- you will need to transcribe
Shorewall configuration changes that any Shorewall configuration changes
you have made to the new configuration.</li> that you have made to the new configuration.</li>
<li>Replace the shorwall.lrp <li>Replace the shorwall.lrp
package provided on the Bering floppy package provided on the Bering floppy
with the later one. If you did not with the later one. If you did not
obtain the later version from Jacques's obtain the later version from Jacques's site, see additional instructions
site, see additional instructions below.</li> below.</li>
<li>Edit the /var/lib/lrpkg/root.exclude.list <li>Edit the /var/lib/lrpkg/root.exclude.list
file and remove the /var/lib/shorewall file and remove the /var/lib/shorewall
entry if present. Then do not forget entry if present. Then do not forget
@ -342,30 +357,28 @@ to add the following two Bering-specific rules to /etc/shorewall/rules:<
<p align="left">If you have a pair of firewall systems configured for <p align="left">If you have a pair of firewall systems configured for
failover or if you have asymmetric routing, you will need to modify failover or if you have asymmetric routing, you will need to modify
your firewall setup slightly under Shorewall versions your firewall setup slightly under Shorewall versions 1.3.6
1.3.6 and 1.3.7</p> and 1.3.7</p>
<ol> <ol>
<li> <li>
<p align="left">Create the file /etc/shorewall/newnotsyn and in it add <p align="left">Create the file /etc/shorewall/newnotsyn and in it add
the following rule<br> the following rule<br>
<br> <br>
<font face="Courier">run_iptables -A newnotsyn <font face="Courier">run_iptables -A newnotsyn
-j RETURN # So that the connection tracking table can be -j RETURN # So that the connection tracking table can be
rebuilt<br> rebuilt<br>
                                    # from non-SYN                                     # from
packets after takeover.<br> non-SYN packets after takeover.<br>
 </font> </p>  </font> </p>
</li> </li>
<li> <li>
<p align="left">Create /etc/shorewall/common (if you don't already <p align="left">Create /etc/shorewall/common (if you don't already
have that file) and include the following:<br> have that file) and include the following:<br>
<br> <br>
<font face="Courier">run_iptables -A common -p <font face="Courier">run_iptables -A common
tcp --tcp-flags ACK,FIN,RST ACK -j ACCEPT #Accept Acks to -p tcp --tcp-flags ACK,FIN,RST ACK -j ACCEPT #Accept Acks
rebuild connection<br> to rebuild connection<br>
                                                                                                                                       
#tracking table. <br> #tracking table. <br>
. /etc/shorewall/common.def</font> </p> . /etc/shorewall/common.def</font> </p>
@ -375,8 +388,8 @@ rebuild connection<br>
<h3 align="left">Versions &gt;= 1.3.5</h3> <h3 align="left">Versions &gt;= 1.3.5</h3>
<p align="left">Some forms of pre-1.3.0 rules file syntax are no <p align="left">Some forms of pre-1.3.0 rules file syntax are no longer
longer supported. </p> supported. </p>
<p align="left">Example 1:</p> <p align="left">Example 1:</p>
@ -408,19 +421,17 @@ rebuild connection<br>
<h3 align="left">Version &gt;= 1.3.2</h3> <h3 align="left">Version &gt;= 1.3.2</h3>
<p align="left">The functions and versions files together with the <p align="left">The functions and versions files together with the 'firewall'
'firewall' symbolic link have moved from /etc/shorewall to /var/lib/shorewall. symbolic link have moved from /etc/shorewall to /var/lib/shorewall.
If you have applications that access these files, those If you have applications that access these files, those applications
applications should be modified accordingly.</p> should be modified accordingly.</p>
<p><font size="2"> Last updated 3/18/2003 - <p><font size="2"> Last updated 4/7/2003 - <a href="support.htm">Tom Eastep</a></font>
<a href="support.htm">Tom Eastep</a></font> </p> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p> </p>
<br> <br>
<br>
<br>
</body> </body>
</html> </html>


@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of # shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall. # Shoreline Firewall.
VERSION=1.4.1 VERSION=1.4.2
usage() # $1 = exit status usage() # $1 = exit status
{ {


@ -542,6 +542,9 @@ determine_hosts() {
interfaces="$interfaces $interface" interfaces="$interfaces $interface"
fi fi
fi fi
[ "${host#*:}" = "0.0.0.0/0" ] || \
eval ${zone}_is_complex=Yes
done done
eval ${zone}_interfaces="\$interfaces" eval ${zone}_interfaces="\$interfaces"
@ -605,6 +608,10 @@ validate_interfaces_file() {
;; ;;
routefilter|dropunclean|logunclean|blacklist|proxyarp|maclist|-) routefilter|dropunclean|logunclean|blacklist|proxyarp|maclist|-)
;; ;;
routeback)
[ -n "$z" ] || startup_error "The routeback option may not be specified on a multi-zone interface"
eval ${z}_routeback=\"$interface:0.0.0.0/0 \$${z}_routeback\"
;;
*) *)
error_message "Warning: Invalid option ($option) in record \"$r\"" error_message "Warning: Invalid option ($option) in record \"$r\""
;; ;;
@ -635,6 +642,9 @@ validate_hosts_file() {
case $option in case $option in
maclist|-) maclist|-)
;; ;;
routeback)
eval ${z}_routeback=\"$host \$${z}_routeback\"
;;
*) *)
error_message "Warning: Invalid option ($option) in record \"$r\"" error_message "Warning: Invalid option ($option) in record \"$r\""
;; ;;
@ -3185,13 +3195,14 @@ initialize_netfilter () {
setcontinue FORWARD setcontinue FORWARD
setcontinue INPUT setcontinue INPUT
setcontinue OUTPUT setcontinue OUTPUT
# #
# Allow DNS lookups during startup for FQDNs and deep-six INVALID packets # Allow DNS lookups during startup for FQDNs and deep-six INVALID packets
# #
for chain in INPUT OUTPUT FORWARD; do for chain in INPUT OUTPUT FORWARD; do
run_iptables -A $chain -p udp --dport 53 -j ACCEPT run_iptables -A $chain -p udp --dport 53 -j ACCEPT
run_iptables -A $chain -m state --state INVALID -j DROP run_iptables -A $chain -p ! icmp -m state --state INVALID -j DROP
done done
[ -n "$CLAMPMSS" ] && \ [ -n "$CLAMPMSS" ] && \
@ -3661,6 +3672,13 @@ activate_rules()
chain1=`rules_chain $FW $zone` chain1=`rules_chain $FW $zone`
chain2=`rules_chain $zone $FW` chain2=`rules_chain $zone $FW`
eval complex=\$${zone}_is_complex
if [ -n "$complex" ]; then
frwd_chain=${zone}_frwd
createchain $frwd_chain No
fi
echo "$FW $zone $chain1" >> ${STATEDIR}/chains echo "$FW $zone $chain1" >> ${STATEDIR}/chains
echo "$zone $FW $chain2" >> ${STATEDIR}/chains echo "$zone $FW $chain2" >> ${STATEDIR}/chains
@ -3678,6 +3696,8 @@ activate_rules()
run_iptables -A `input_chain $interface` -s $subnet -j $chain2 run_iptables -A `input_chain $interface` -s $subnet -j $chain2
[ -n "$complex" ] && \
run_iptables -A `forward_chain $interface` -s $subnet -j $frwd_chain
done done
for zone1 in $zones; do for zone1 in $zones; do
@ -3692,17 +3712,27 @@ activate_rules()
echo "$zone $zone1 $chain" >> ${STATEDIR}/chains echo "$zone $zone1 $chain" >> ${STATEDIR}/chains
if [ $zone = $zone1 ]; then
eval routeback=\"\$${zone}_routeback\"
else
routeback=
fi
for host in $source_hosts; do for host in $source_hosts; do
interface=${host%:*} interface=${host%:*}
subnet=${host#*:}
if [ -n "$complex" ]; then
chain1=$frwd_chain
else
chain1=`forward_chain $interface` chain1=`forward_chain $interface`
fi
for host1 in $dest_hosts; do for host1 in $dest_hosts; do
interface1=${host1%:*} interface1=${host1%:*}
subnet1=${host1#*:} subnet1=${host1#*:}
if [ "$host" != "$host1" ]; then if [ "$host" != "$host1" ] || list_search $host $routeback; then
run_iptables -A $chain1 -s $subnet -o $interface1 -d $subnet1 -j $chain run_iptables -A $chain1 -o $interface1 -d $subnet1 -j $chain
fi fi
done done
done done
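Review bot: Dropping `-s $subnet` from the rule at the bottom of the last hunk makes every rule appended to `$chain1` depend only on the destination group, so in the complex case (`chain1=$frwd_chain`) the inner loop emits the identical `-o $interface1 -d $subnet1 -j $chain` rule once per source group, and the `"$host" != "$host1"` test no longer keeps a group's traffic to itself out of `$chain` whenever the zone has more than one group, because `$frwd_chain` is shared by all of the zone's groups and the earlier hunk dispatches into it with only `-s $subnet` on the per-interface forward chain. Restoring the source match, `run_iptables -A $chain1 -s $subnet -o $interface1 -d $subnet1 -j $chain`, keeps the self-exclusion and the `routeback` semantics exact; when the zone is not complex `$subnet` is `0.0.0.0/0` and the match costs nothing. Separately, the INVALID-state drop in initialize_netfilter now exempts every ICMP type (`-p ! icmp`), which is broader than the `traceroute -I` first-hop case the release notes describe; a comment such as `# ICMP is exempted so that 'traceroute -I' from behind the firewall gets its first-hop reply` would record the reason, and a narrower exemption is worth considering. activate_rules begins and ends outside the hunk.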


@ -181,6 +181,34 @@ mutex_off()
rm -f $STATEDIR/lock rm -f $STATEDIR/lock
} }
#
# Read a file and handle "INCLUDE" directives
#
read_file() # $1 = file name, $2 = nest count
{
local first rest
while read first rest; do
if [ "x$first" = "xINCLUDE" ]; then
if [ $2 -lt 4 ]; then
read_file `find_file ${rest%#*}` $(($2 + 1))
else
echo " WARNING: INCLUDE in $1 ignored (nested too deeply)" >&2
fi
else
echo "$first $rest"
fi
done < $1
}
#
# Function for including one file into another
#
INCLUDE() {
. `find_file $@`
}
# #
# Strip comments and blank lines from a file and place the result in the # Strip comments and blank lines from a file and place the result in the
# temporary directory # temporary directory
@ -192,7 +220,7 @@ strip_file() # $1 = Base Name of the file, $2 = Full Name of File (optional)
[ $# = 1 ] && fname=`find_file $1` || fname=$2 [ $# = 1 ] && fname=`find_file $1` || fname=$2
if [ -f $fname ]; then if [ -f $fname ]; then
cut -d'#' -f1 $fname | grep -v '^[[:space:]]*$' > $TMP_DIR/$1 read_file $fname 0 | cut -d'#' -f1 | grep -v '^[[:space:]]*$' > $TMP_DIR/$1
else else
> $TMP_DIR/$1 > $TMP_DIR/$1
fi fi
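Review bot: read_file reads with a bare `read first rest`, so a backslash in any configuration line is consumed as an escape before the line is echoed back, and the target of an INCLUDE is never checked to exist — if `find_file` returns nothing or a path that is not present, the recursive call fails on its `done < $1` redirection with a shell error instead of a Shorewall diagnostic. Use `read -r` and test the resolved name with `-f` before recursing, warning on stderr the way the depth case already does. Note also that, unlike the previous `cut | grep` pipeline, `echo "$first $rest"` strips leading indentation and collapses the whitespace between the first two fields; that looks harmless for the column-based files but is a behaviour change worth a comment on read_file. strip_file's definition starts before its hunk.
```shell
read_file() # $1 = file name, $2 = nest count
{
    local first rest fname
    while read -r first rest; do
        if [ "x$first" = "xINCLUDE" ]; then
            if [ $2 -lt 4 ]; then
                fname=`find_file ${rest%#*}`
                if [ -f "$fname" ]; then
                    read_file "$fname" $(($2 + 1))
                else
                    echo "   WARNING: INCLUDE in $1 ignored (file not found: ${rest%#*})" >&2
                fi
            # … unchanged: "nested too deeply" warning and the non-INCLUDE echo …
```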


@ -44,6 +44,15 @@
# an ethernet NIC and must be up before # an ethernet NIC and must be up before
# Shorewall is started. # Shorewall is started.
# #
# routeback - Shorewall show set up the infrastructure
# to pass packets from this/these
# address(es) back to themselves. This is
# necessary of hosts in this group use the
# services of a transparent proxy that is
# a member of the group or if DNAT is used
# to send requests originating from this
# group to a server in the group.
#
# #
#ZONE HOST(S) OPTIONS #ZONE HOST(S) OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
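Review bot: The new `routeback` description has two typos that obscure its meaning: `Shorewall show set up the infrastructure` should read `Shorewall should set up the infrastructure`, and `necessary of hosts in this group use` should read `necessary if hosts in this group use`. The rest of the wording is clear and matches the behaviour described in the release notes.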


@ -54,7 +54,7 @@
# /etc/rc.d/rc.local file is modified to start the firewall. # /etc/rc.d/rc.local file is modified to start the firewall.
# #
VERSION=1.4.1 VERSION=1.4.2
usage() # $1 = exit status usage() # $1 = exit status
{ {


@ -1,19 +1,90 @@
This is a minor release of Shorewall. This is a minor release of Shorewall.
This release introduces incompatibilities with prior releases. See Problems Corrected:
http://www.shorewall.net/upgrade_issues.htm.
Changes are: 1) TCP connection requests rejected out of the common chain are now
properly rejected with TCP RST; previously, some of these requests
were rejeced with an ICMP port-unreachable response.
a) There is now a new NONE policy specifiable in 2) 'traceroute -I' from behind the firewall previously timed out on the
/etc/shorewall/policy. This policy will cause Shorewall to assume that first hop (e.g., to the firewall). This has been worked around.
there will never be any traffic between the source and destination
zones.
b) Shorewall no longer creates rules to govern traffic from an New Features:
interface:subnet to itself.
c) Intra-zone traffic is always accepted now (exception is (b) 1) Where an entry in the/etc/shorewall/hosts file specifies a
above).. Intrazone policies and rules are no longer allowed. particular host or network, Shorewall now creates an intermediate
chain for handling input from the related zone. This can
substantially reduce the number of rules traversed by connections
requests from such zones.
2) Any file may include an INCLUDE directive. An INCLUDE directive
consists of the word INCLUDE followed by a file name and causes the
contents of the named file to be logically included into the file
containing the INCLUDE. File names given in an INCLUDE directive
are assumed to reside in /etc/shorewall or in an alternate
configuration directory if one has been specified for the command.
Examples:
shorewall/params.mgmt:
MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3
TIME_SERVERS=4.4.4.4
BACKUP_SERVERS=5.5.5.5
----- end params.mgmt -----
shorewall/params:
# Shorewall 1.3 /etc/shorewall/params
[..]
#######################################
INCLUDE params.mgmt
# params unique to this host here
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
----- end params -----
shorewall/rules.mgmt:
ACCEPT net:$MGMT_SERVERS $FW tcp 22
ACCEPT $FW net:$TIME_SERVERS udp 123
ACCEPT $FW net:$BACKUP_SERVERS tcp 22
----- end rules.mgmt -----
shorewall/rules:
# Shorewall version 1.3 - Rules File
[..]
#######################################
INCLUDE rules.mgmt
# rules unique to this host here
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
----- end rules -----
INCLUDE's may be nested to a level of 3 -- further nested INCLUDE
directives are ignored.
3) Routing traffic from an interface back out that interface continues
to be a problem. While I firmly believe that this should never
happen, people continue to want to do it. To limit the damage that
such nonsense produces, I have added a new 'routeback' option in
/etc/shorewall/interfaces and /etc/shorewall/hosts. When used in
/etc/shorewall/interfaces, the 'ZONE' column may not contain '-'; in
other words, 'routeback' can't be used as an option for a multi-zone
interface. The 'routeback' option CAN be specified however on
individual group entries in /etc/shorewall/hosts.
The 'routeback' option is similar to the old 'multi' option with two
exceptions:
a) The option pertains to a particular zone,interface,address tuple.
b) The option only created infrastructure to pass traffic from
(zone,interface,address) tuples back to themselves (the 'multi'
option affected all (zone,interface,address) tuples associated with
the given 'interface').
See the 'Upgrade Issues' for information about how this new option
may affect your configuration.


@ -1,5 +1,5 @@
%define name shorewall %define name shorewall
%define version 1.4.1 %define version 1.4.2
%define release 1 %define release 1
%define prefix /usr %define prefix /usr
@ -105,6 +105,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog %changelog
* Mon Apr 07 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.2-1
* Fri Mar 21 2003 Tom Eastep <tom@shorewall.net> * Fri Mar 21 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.1-1 - Changed version to 1.4.1-1
* Mon Mar 17 2003 Tom Eastep <tom@shorewall.net> * Mon Mar 17 2003 Tom Eastep <tom@shorewall.net>


@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall # shown below. Simply run this script to remove Seattle Firewall
VERSION=1.4.1 VERSION=1.4.2
usage() # $1 = exit status usage() # $1 = exit status
{ {




@ -27,7 +27,14 @@
</table> </table>
<p align="center"><b>Before upgrading, be sure to review the <a <p align="center"><b>Before upgrading, be sure to review the <a
href="upgrade_issues.htm">Upgrade Issues</a></b></p> href="upgrade_issues.htm">Upgrade Issues<br>
</a></b></p>
<div align="left"><b>Before attempting installation, I strongly urge you to
read and print a copy of the <a
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
for the configuration that most closely matches your own.</b><br>
</div>
<p><font size="4"><b><a href="#Install_RPM">Install using RPM</a><br> <p><font size="4"><b><a href="#Install_RPM">Install using RPM</a><br>
<a href="#Install_Tarball">Install using tarball<br> <a href="#Install_Tarball">Install using tarball<br>
@ -63,8 +70,8 @@ diagnostic:<br>
     error: failed dependencies:iproute is needed by shorewall-1.4.0-1      error: failed dependencies:iproute is needed by shorewall-1.4.0-1
<br> <br>
<br> <br>
This may be worked around by using the --nodeps option of rpm (rpm -ivh --nodeps This may be worked around by using the --nodeps option of rpm (rpm -ivh
&lt;shorewall rpm&gt;).<br> --nodeps &lt;shorewall rpm&gt;).<br>
<br> <br>
</li> </li>
<li>Edit the <a href="#Config_Files"> configuration files</a> to <li>Edit the <a href="#Config_Files"> configuration files</a> to
@ -72,8 +79,8 @@ match your configuration. <font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u
SIMPLY INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION SIMPLY INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
IS REQUIRED BEFORE THE FIREWALL WILL START. IF YOU ISSUE A "start" COMMAND IS REQUIRED BEFORE THE FIREWALL WILL START. IF YOU ISSUE A "start" COMMAND
AND THE FIREWALL FAILS TO START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY AND THE FIREWALL FAILS TO START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY
NETWORK TRAFFIC. IF THIS HAPPENS, ISSUE A "shorewall clear" COMMAND TO RESTORE NETWORK TRAFFIC. IF THIS HAPPENS, ISSUE A "shorewall clear" COMMAND TO
NETWORK CONNECTIVITY.</b></font></li> RESTORE NETWORK CONNECTIVITY.</b></font></li>
<li>Start the firewall by typing "shorewall start"</li> <li>Start the firewall by typing "shorewall start"</li>
</ul> </ul>
@ -102,15 +109,15 @@ type "./install.sh /etc/init.d"</li>
<li>Edit the <a href="#Config_Files"> configuration files</a> to <li>Edit the <a href="#Config_Files"> configuration files</a> to
match your configuration.</li> match your configuration.</li>
<li>Start the firewall by typing "shorewall start"</li> <li>Start the firewall by typing "shorewall start"</li>
<li>If the install script was unable to configure Shorewall to be <li>If the install script was unable to configure Shorewall to
started automatically at boot, see <a be started automatically at boot, see <a
href="starting_and_stopping_shorewall.htm">these instructions</a>.</li> href="starting_and_stopping_shorewall.htm">these instructions</a>.</li>
</ul> </ul>
<p><a name="LRP"></a>To install my version of Shorewall on a fresh Bering <p><a name="LRP"></a>To install my version of Shorewall on a fresh Bering
disk, simply replace the "shorwall.lrp" file on the image with the file that disk, simply replace the "shorwall.lrp" file on the image with the file
you downloaded. See the <a href="two-interface.htm">two-interface QuickStart that you downloaded. See the <a href="two-interface.htm">two-interface QuickStart
Guide</a> for information about further steps required.</p> Guide</a> for information about further steps required.</p>
<p><a name="Upgrade_RPM"></a>If you already have the Shorewall RPM installed <p><a name="Upgrade_RPM"></a>If you already have the Shorewall RPM installed
@ -120,23 +127,24 @@ started automatically at boot, see <a
or and you have entries in the /etc/shorewall/hosts file then please check or and you have entries in the /etc/shorewall/hosts file then please check
your /etc/shorewall/interfaces file to be sure that it contains an entry your /etc/shorewall/interfaces file to be sure that it contains an entry
for each interface mentioned in the hosts file. Also, there are certain for each interface mentioned in the hosts file. Also, there are certain
1.2 rule forms that are no longer supported under 1.4 (you must use the new 1.2 rule forms that are no longer supported under 1.4 (you must use the
1.4 syntax). See <a href="errata.htm#Upgrade">the upgrade issues </a>for details.</p> new 1.4 syntax). See <a href="errata.htm#Upgrade">the upgrade issues </a>for
details.</p>
<ul> <ul>
<li>Upgrade the RPM (rpm -Uvh &lt;shorewall rpm file&gt;) <b>Note: <li>Upgrade the RPM (rpm -Uvh &lt;shorewall rpm file&gt;) <b>Note:
</b>If you are installing version 1.2.0 and have one of the 1.2.0 </b>If you are installing version 1.2.0 and have one of the 1.2.0
Beta RPMs installed, you must use the "--oldpackage" option to rpm (e.g., Beta RPMs installed, you must use the "--oldpackage" option to rpm
"rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm"). (e.g., "rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm").
<p> <b>Note1: </b>Some SuSE users have encountered a problem whereby <p> <b>Note1: </b>Some SuSE users have encountered a problem whereby
rpm reports a conflict with kernel &lt;= 2.2 even though a 2.4 kernel rpm reports a conflict with kernel &lt;= 2.2 even though a 2.4 kernel
is installed. If this happens, simply use the --nodeps option to rpm (rpm is installed. If this happens, simply use the --nodeps option to rpm
-Uvh --nodeps &lt;shorewall rpm&gt;).<br> (rpm -Uvh --nodeps &lt;shorewall rpm&gt;).<br>
<br> <br>
<b>Note2: </b>Beginning with Shorewall 1.4.0, Shorewall is dependent on <b>Note2: </b>Beginning with Shorewall 1.4.0, Shorewall is dependent
the iproute package. Unfortunately, some distributions call this package iproute2 on the iproute package. Unfortunately, some distributions call this package
which will cause the upgrade of Shorewall to fail with the diagnostic:<br> iproute2 which will cause the upgrade of Shorewall to fail with the diagnostic:<br>
<br> <br>
     error: failed dependencies:iproute is needed by shorewall-1.4.0-1      error: failed dependencies:iproute is needed by shorewall-1.4.0-1
<br> <br>
@ -201,7 +209,7 @@ your setup. In most cases, the <a href="shorewall_quickstart_guide.htm">Shorewa
</ul> </ul>
<p><font size="2">Updated 3/18/2003 - <a href="support.htm">Tom Eastep</a> <p><font size="2">Updated 4/8/2003 - <a href="support.htm">Tom Eastep</a>
</font></p> </font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
@ -212,5 +220,7 @@ your setup. In most cases, the <a href="shorewall_quickstart_guide.htm">Shorewa
<br> <br>
<br> <br>
<br> <br>
<br>
<br>
</body> </body>
</html> </html>


@ -45,12 +45,11 @@ I strongly recommend that you read the <a
<blockquote> </blockquote> <blockquote> </blockquote>
<p align="left">Static NAT can be used to make the systems with the <p align="left">Static NAT can be used to make the systems with the 10.1.1.*
10.1.1.* addresses appear to be on the upper (130.252.100.*) subnet. If addresses appear to be on the upper (130.252.100.*) subnet. If we assume
we assume that the interface to the upper subnet is eth0, then the following that the interface to the upper subnet is eth0, then the following /etc/shorewall/NAT
/etc/shorewall/NAT file would make the lower left-hand system appear file would make the lower left-hand system appear to have IP address
to have IP address 130.252.100.18 and the right-hand one to have IP address 130.252.100.18 and the right-hand one to have IP address 130.252.100.19.</p>
130.252.100.19.</p>
<table border="2" cellpadding="2" style="border-collapse: collapse;"> <table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody> <tbody>
@ -83,18 +82,21 @@ to have IP address 130.252.100.18 and the right-hand one to have IP address
example) is (are) not included in any specification in /etc/shorewall/masq example) is (are) not included in any specification in /etc/shorewall/masq
or /etc/shorewall/proxyarp.</p> or /etc/shorewall/proxyarp.</p>
<p><a name="AllInterFaces"></a>Note 1: The "ALL INTERFACES" column <p><a name="AllInterFaces"></a>Note 1: The "ALL INTERFACES" column is used
is used to specify whether access to the external IP from all firewall to specify whether access to the external IP from all firewall interfaces
interfaces should undergo NAT (Yes or yes) or if only access from the should undergo NAT (Yes or yes) or if only access from the interface in
interface in the INTERFACE column should undergo NAT. If you leave this the INTERFACE column should undergo NAT. If you leave this column empty,
column empty, "Yes" is assumed. The ALL INTERFACES column was added "Yes" is assumed. The ALL INTERFACES column was added in version 1.1.6.</p>
in version 1.1.6.</p>
<p>Note 2: Shorewall will automatically add the external address to the <p>Note 2: Shorewall will automatically add the external address to the
specified interface unless you specify <a specified interface unless you specify <a
href="Documentation.htm#Aliases">ADD_IP_ALIASES</a>="no" (or "No") in href="Documentation.htm#Aliases">ADD_IP_ALIASES</a>="no" (or "No") in
/etc/shorewall/shorewall.conf; If you do not set ADD_IP_ALIASES or if /etc/shorewall/shorewall.conf; If you do not set ADD_IP_ALIASES or if
you set it to "Yes" or "yes" then you must NOT configure your own alias(es).</p> you set it to "Yes" or "yes" then you must NOT configure your own alias(es).
<b>RESTRICTION: </b>Shorewall can only add external addresses to an interface
that is configured with a single subnetwork -- if your external interface
has addresses in more than one subnetwork, Shorewall can only add addresses
to the first one.</p>
<p><a name="LocalPackets"></a>Note 3: The contents of the "LOCAL" column <p><a name="LocalPackets"></a>Note 3: The contents of the "LOCAL" column
determine whether packets originating on the firewall itself and destined determine whether packets originating on the firewall itself and destined
@ -106,9 +108,10 @@ are not redirected. The LOCAL column was added in version 1.1.8.</p>
<blockquote> </blockquote> <blockquote> </blockquote>
<p><font size="2">Last updated 1/11/2003 - </font><font size="2"> <a <p><font size="2">Last updated 4/11/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p> href="support.htm">Tom Eastep</a></font> </p>
<a href="copyright.htm"><font size="2">Copyright</font> © <font <a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
<br>
</body> </body>
</html> </html>



@ -34,10 +34,11 @@
<br> <br>
This page covers Shorewall configuration to use with <a This page covers Shorewall configuration to use with <a
href="http://www.squid-cache.org/">Squid </a>running as a <u><b>Transparent href="http://www.squid-cache.org/">Squid </a>running as a <u><b>Transparent
Proxy</b></u>.&nbsp;<br> Proxy</b></u>. If you are running Shorewall 1.3, please see <a
href="1.3/Shorewall_Squid_Usage.html">this documentation</a>.<br>
<a href="#DMZ"></a><br> <a href="#DMZ"></a><br>
<img border="0" src="images/j0213519.gif" width="60" height="60" <img border="0" src="images/j0213519.gif" width="60"
alt="Caution" align="middle"> height="60" alt="Caution" align="middle">
&nbsp;&nbsp;&nbsp; Please observe the following general requirements:<br> &nbsp;&nbsp;&nbsp; Please observe the following general requirements:<br>
<br> <br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13"> <b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
@ -52,14 +53,14 @@ run as a transparent proxy as described at <a
files, siimply create them.<br> files, siimply create them.<br>
<br> <br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13"> <b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
</b>&nbsp;&nbsp;&nbsp; When the Squid server is in the DMZ zone or </b>&nbsp;&nbsp;&nbsp; When the Squid server is in the DMZ zone
in the local zone, that zone must be defined ONLY by its interface -- no or in the local zone, that zone must be defined ONLY by its interface
/etc/shorewall/hosts file entries. That is because the packets being routed -- no /etc/shorewall/hosts file entries. That is because the packets being
to the Squid server still have their original destination IP addresses.<br> routed to the Squid server still have their original destination IP addresses.<br>
<br> <br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13"> <b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
</b>&nbsp;&nbsp;&nbsp; You must have iptables installed on your Squid </b>&nbsp;&nbsp;&nbsp; You must have iptables installed on your
server.<br> Squid server.<br>
<br> <br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13"> <b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
</b>&nbsp;&nbsp;&nbsp; You must have NAT and MANGLE enabled in your </b>&nbsp;&nbsp;&nbsp; You must have NAT and MANGLE enabled in your
@ -72,22 +73,22 @@ to the Squid server still have their original destination IP addresses.<br>
Three different configurations are covered:<br> Three different configurations are covered:<br>
<ol> <ol>
<li><a href="Shorewall_Squid_Usage.html#Firewall">Squid running on <li><a href="Shorewall_Squid_Usage.html#Firewall">Squid running
the Firewall.</a></li> on the Firewall.</a></li>
<li><a href="Shorewall_Squid_Usage.html#Local">Squid running in the <li><a href="Shorewall_Squid_Usage.html#Local">Squid running in
local network</a></li> the local network</a></li>
<li><a href="Shorewall_Squid_Usage.html#DMZ">Squid running in the <li><a href="Shorewall_Squid_Usage.html#DMZ">Squid running in the
DMZ</a></li> DMZ</a></li>
</ol> </ol>
<h2><a name="Firewall"></a>Squid Running on the Firewall</h2> <h2><a name="Firewall"></a>Squid Running on the Firewall</h2>
You want to redirect all local www connection requests You want to redirect all local www connection requests EXCEPT
EXCEPT those to your those to your own
own http server (206.124.146.177) http server (206.124.146.177)
to a Squid transparent to a Squid
proxy running on the firewall and listening on port 3128. Squid transparent proxy running on the firewall and listening on port
will of course require access to remote web servers.<br> 3128. Squid will of course require access to remote web servers.<br>
<br> <br>
In /etc/shorewall/rules:<br> In /etc/shorewall/rules:<br>
<br> <br>
@ -95,7 +96,6 @@ EXCEPT those to your
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"> <table border="1" cellpadding="2" style="border-collapse: collapse;">
<tbody> <tbody>
<tr> <tr>
<td><b>ACTION</b></td> <td><b>ACTION</b></td>
<td><b>SOURCE</b></td> <td><b>SOURCE</b></td>
@ -107,7 +107,6 @@ EXCEPT those to your
PORT(S)</b></td> PORT(S)</b></td>
<td><b>ORIGINAL<br> <td><b>ORIGINAL<br>
DEST</b></td> DEST</b></td>
</tr> </tr>
<tr> <tr>
<td>REDIRECT</td> <td>REDIRECT</td>
@ -131,14 +130,7 @@ EXCEPT those to your
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br> <br>
</blockquote> </blockquote>
@ -147,9 +139,9 @@ EXCEPT those to your
You want to redirect all local www connection requests to a Squid You want to redirect all local www connection requests to a Squid
transparent proxy transparent proxy
running in your local zone at 192.168.1.3 and listening on port 3128. running in your local zone at 192.168.1.3 and listening on port 3128.
Your local interface is eth1. There may also be a web server running on Your local interface is eth1. There may also be a web server running
192.168.1.3. It is assumed that web access is already enabled from the local on 192.168.1.3. It is assumed that web access is already enabled from the
zone to the internet.<br> local zone to the internet.<br>
<p><font color="#ff0000"><b>WARNING: </b></font>This setup may conflict with <p><font color="#ff0000"><b>WARNING: </b></font>This setup may conflict with
other aspects of your gateway including but not limited to traffic shaping other aspects of your gateway including but not limited to traffic shaping
@ -177,12 +169,45 @@ EXCEPT those to your
</blockquote> </blockquote>
<ul> <ul>
<li>If you are running Shorewall 1.4.1 or Shorewall 1.4.1a, please
upgrade to Shorewall 1.4.2 or later.<br>
<br>
</li>
<li>If you are running Shorewall 1.4.2 or later, then in /etc/shorewall/interfaces:<br>
<br>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top">ZONE<br>
</td>
<td valign="top">INTERFACE<br>
</td>
<td valign="top">BROADCAST<br>
</td>
<td valign="top">OPTIONS<br>
</td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">eth1<br>
</td>
<td valign="top">detect<br>
</td>
<td valign="top"><b>routeback</b><br>
</td>
</tr>
</tbody>
</table>
<br>
</li>
<li>In /etc/shorewall/rules:<br> <li>In /etc/shorewall/rules:<br>
<br> <br>
<table border="1" cellpadding="2" style="border-collapse: collapse;"> <table border="1" cellpadding="2" style="border-collapse: collapse;">
<tbody> <tbody>
<tr> <tr>
<td><b>ACTION</b></td> <td><b>ACTION</b></td>
<td><b>SOURCE</b></td> <td><b>SOURCE</b></td>
@ -194,7 +219,6 @@ EXCEPT those to your
PORT(S)</b></td> PORT(S)</b></td>
<td><b>ORIGINAL<br> <td><b>ORIGINAL<br>
DEST</b></td> DEST</b></td>
</tr> </tr>
<tr> <tr>
<td>ACCEPT<br> <td>ACCEPT<br>
@ -210,19 +234,12 @@ EXCEPT those to your
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br>
</li> </li>
<li>Alternativfely, you can have the following policy:<br>
<br> <br>
<li>Alternativfely, if you are running Shorewall 1.4.0 you can have the
following policy in place of the above rule:<br>
<table cellpadding="2" cellspacing="0" border="1"> <table cellpadding="2" cellspacing="0" border="1">
<tbody> <tbody>
@ -288,8 +305,8 @@ EXCEPT those to your
<h2><a name="DMZ"></a>Squid Running in the DMZ (This is what I do)</h2> <h2><a name="DMZ"></a>Squid Running in the DMZ (This is what I do)</h2>
You have a single Linux system in your DMZ with IP address 192.0.2.177. You have a single Linux system in your DMZ with IP address 192.0.2.177.
You want to run both a web server and Squid on that system. Your DMZ interface You want to run both a web server and Squid on that system. Your DMZ
is eth1 and your local interface is eth2.<br> interface is eth1 and your local interface is eth2.<br>
<ul> <ul>
<li>On your firewall system, issue the following command<br> <li>On your firewall system, issue the following command<br>
@ -402,7 +419,6 @@ EXCEPT those to your
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
<br>
</blockquote> </blockquote>
<ul> <ul>
@ -432,6 +448,22 @@ EXCEPT those to your
DEST<br> DEST<br>
</td> </td>
</tr> </tr>
<tr>
<td valign="top">ACCEPT<br>
</td>
<td valign="top">loc<br>
</td>
<td valign="top">dmz<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">80<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
<tr> <tr>
<td valign="top">ACCEPT<br> <td valign="top">ACCEPT<br>
</td> </td>
@ -476,20 +508,11 @@ EXCEPT those to your
<blockquote> </blockquote> <blockquote> </blockquote>
<p><font size="-1"> Updated 2/22/2003 - <a href="support.htm">Tom Eastep</a> <p><font size="-1"> Updated 4/7/2003 - <a href="support.htm">Tom Eastep</a>
</font></p> </font></p>
<a href="copyright.htm"><font size="2">Copyright</font> &copy;
<a <font size="2">2003 Thomas M. Eastep.</font></a><br>
href="copyright.htm"><font size="2">Copyright</font> &copy; <font
size="2">2003 Thomas M. Eastep.</font></a><br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br> <br>
</body> </body>
</html> </html>


@ -16,13 +16,10 @@
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall and Aliased Interfaces</font></h1> <h1 align="center"><font color="#ffffff">Shorewall and Aliased Interfaces</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br> <br>
@ -89,7 +86,7 @@ the IP address.<br>
</b></td> </b></td>
</tr> </tr>
<tr> <tr>
<td valign="top">DNAT<br> <td valign="top">ACCEPT<br>
</td> </td>
<td valign="top">net<br> <td valign="top">net<br>
</td> </td>
@ -345,13 +342,13 @@ file:<br>
</blockquote> </blockquote>
<h3>MULTIPLE SUBNETS</h3> <h3>MULTIPLE SUBNETS</h3>
Sometimes multiple IP addresses are used because there are multiple subnetworks Sometimes multiple IP addresses are used because there are multiple
configured on a LAN segment. This technique does not provide for any security subnetworks configured on a LAN segment. This technique does not provide
between the subnetworks if the users of the systems have administrative for any security between the subnetworks if the users of the systems have
privileges because in that case, the users can simply manipulate their system's administrative privileges because in that case, the users can simply manipulate
routing table to bypass your firewall/router. Nevertheless, there are cases their system's routing table to bypass your firewall/router. Nevertheless,
where you simply want to consider the LAN segment itself as a zone and allow there are cases where you simply want to consider the LAN segment itself
your firewall/router to route between the two subnetworks.<br> as a zone and allow your firewall/router to route between the two subnetworks.<br>
<br> <br>
Example 1: &nbsp;Local interface eth1 interfaces to 192.168.1.0/24 and Example 1: &nbsp;Local interface eth1 interfaces to 192.168.1.0/24 and
192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and eth1:0 192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and eth1:0
@ -360,6 +357,7 @@ your firewall/router to route between the two subnetworks.<br>
<h4>If you are running Shorewall 1.4.1 or Later</h4> <h4>If you are running Shorewall 1.4.1 or Later</h4>
In /etc/shorewall/interfaces:<br> In /etc/shorewall/interfaces:<br>
<blockquote> <blockquote>
<table cellpadding="2" cellspacing="0" border="1"> <table cellpadding="2" cellspacing="0" border="1">
<tbody> <tbody>
@ -424,6 +422,7 @@ In /etc/shorewall/interfaces:<br>
</blockquote> </blockquote>
Note that you do NOT need any entry in /etc/shorewall/policy as Shorewall Note that you do NOT need any entry in /etc/shorewall/policy as Shorewall
1.4.1 and later releases default to allowing intra-zone traffic.<br> 1.4.1 and later releases default to allowing intra-zone traffic.<br>
<h4>If you are running Shorewall 1.4.0 or earlier<br> <h4>If you are running Shorewall 1.4.0 or earlier<br>
</h4> </h4>
In /etc/shorewall/interfaces:<br> In /etc/shorewall/interfaces:<br>
@ -497,8 +496,9 @@ specify the <b>multi</b> option.<br>
</blockquote> </blockquote>
Example 2: Local interface eth1 interfaces to 192.168.1.0/24 and 192.168.20.0/24. Example 2: Local interface eth1 interfaces to 192.168.1.0/24 and 192.168.20.0/24.
The primary IP address of eth1 is 192.168.1.254 and eth1:0 is 192.168.20.254. The primary IP address of eth1 is 192.168.1.254 and eth1:0 is 192.168.20.254.
You want to make these subnetworks into separate zones and control the access You want to make these subnetworks into separate zones and control the
between them (the users of the systems do not have administrative privileges).<br> access between them (the users of the systems do not have administrative
privileges).<br>
<br> <br>
In /etc/shorewall/zones:<br> In /etc/shorewall/zones:<br>
<br> <br>
@ -607,7 +607,7 @@ specify the <b>multi</b> option.<br>
that you want to permit.<br> that you want to permit.<br>
<br> <br>
<p align="left"><font size="2">Last Updated 3/22/2003 A - <a <p align="left"><font size="2">Last Updated 3/27/2003 A - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <p><a href="copyright.htm"><font size="2">Copyright</font> &copy;
@ -617,5 +617,6 @@ that you want to permit.<br>
<br> <br>
<br> <br>
<br> <br>
<br>
</body> </body>
</html> </html>


@ -2,23 +2,17 @@
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Index</title> <title>Shorewall Index</title>
<base <base target="main">
target="main">
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
@ -30,18 +24,12 @@
<tr> <tr>
<td width="100%" height="90"> <td width="100%" height="90">
<h3 align="center"><font color="#ffffff">Shorewall</font></h3> <h3 align="center"><font color="#ffffff">Shorewall</font></h3>
</td> </td>
</tr> </tr>
<tr> <tr>
<td width="100%" <td width="100%"
bgcolor="#ffffff"> bgcolor="#ffffff">
<ul> <ul>
<li> <a <li> <a
href="seattlefirewall_index.htm">Home</a></li> href="seattlefirewall_index.htm">Home</a></li>
@ -59,8 +47,7 @@
</li> </li>
<li> <b><a <li> <b><a
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li> href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li>
<li> <a
href="Documentation.htm">Reference Manual</a></li>
<li> <a href="FAQ.htm">FAQs</a></li> <li> <a href="FAQ.htm">FAQs</a></li>
<li><a <li><a
href="useful_links.html">Useful Links</a><br> href="useful_links.html">Useful Links</a><br>
@ -73,14 +60,8 @@
<li> <a href="support.htm">Getting <li> <a href="support.htm">Getting
help or Answers to Questions</a><br> help or Answers to Questions</a><br>
</li> </li>
<li> <a href="shorewall_mirrors.htm">Mirrors</a> <li> <a href="shorewall_mirrors.htm">Mirrors</a>
<ul> <ul>
<li><a target="_top" <li><a target="_top"
href="http://slovakia.shorewall.net">Slovak Republic</a></li> href="http://slovakia.shorewall.net">Slovak Republic</a></li>
@ -96,22 +77,11 @@ help or Answers to Questions</a><br>
target="_top">Washington State, USA</a><br> target="_top">Washington State, USA</a><br>
</li> </li>
</ul> </ul>
</li> </li>
</ul> </ul>
<ul> <ul>
<li> <a href="News.htm">News <li> <a href="News.htm">News
Archive</a></li> Archive</a></li>
@ -124,14 +94,10 @@ Archive</a></li>
<li> <a <li> <a
href="seattlefirewall_index.htm#Donations">Donations</a></li> href="seattlefirewall_index.htm#Donations">Donations</a></li>
</ul> </ul>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
@ -140,11 +106,10 @@ Archive</a></li>
<b>Note: </b></strong>Search is unavailable <b>Note: </b></strong>Search is unavailable
Daily 0200-0330 GMT.<br> Daily 0200-0330 GMT.<br>
<strong></strong> <strong></strong>
<p><strong>Quick Search</strong><br> <p><strong>Quick Search</strong><br>
<font face="Arial" size="-1"> <input <font face="Arial" size="-1">
type="text" name="words" size="15"></font><font size="-1"> </font> <font <input type="text" name="words" size="15"></font><font size="-1"> </font>
face="Arial" size="-1"> <input type="hidden" name="format" <font face="Arial" size="-1"> <input type="hidden" name="format"
value="long"> <input type="hidden" name="method" value="and"> <input value="long"> <input type="hidden" name="method" value="and"> <input
type="hidden" name="config" value="htdig"> <input type="submit" type="hidden" name="config" value="htdig"> <input type="submit"
value="Search"></font> </p> value="Search"></font> </p>
@ -152,12 +117,11 @@ Archive</a></li>
type="hidden" name="exclude" type="hidden" name="exclude"
value="[http://lists.shorewall.net/pipermail/*]"> </font> </form> value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
<p><b><a href="http://lists.shorewall.net/htdig/search.html">Extended Search</a></b></p> <p><b><a href="http://lists.shorewall.net/htdig/search.html">Extended Search</a></b></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001-2003 Thomas M. Eastep.</font></a><a size="2">2001-2003 Thomas M. Eastep.</font></a><a
href="http://www.shorewall.net" target="_top"> </a></p> href="http://www.shorewall.net" target="_top"> </a></p>
<br>
</body> </body>
</html> </html>


@ -2,23 +2,16 @@
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Index</title> <title>Shorewall Index</title>
<base target="main"> <base target="main">
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
@ -30,18 +23,12 @@
<tr> <tr>
<td width="100%" height="90"> <td width="100%" height="90">
<h3 align="center"><font color="#ffffff">Shorewall</font></h3> <h3 align="center"><font color="#ffffff">Shorewall</font></h3>
</td> </td>
</tr> </tr>
<tr> <tr>
<td width="100%" <td width="100%"
bgcolor="#ffffff"> bgcolor="#ffffff">
<ul> <ul>
<li> <a <li> <a
href="sourceforge_index.htm">Home</a></li> href="sourceforge_index.htm">Home</a></li>
@ -59,8 +46,7 @@
</li> </li>
<li> <b><a <li> <b><a
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li> href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li>
<li> <a
href="Documentation.htm">Reference Manual</a></li>
<li> <a href="FAQ.htm">FAQs</a></li> <li> <a href="FAQ.htm">FAQs</a></li>
<li><a <li><a
href="useful_links.html">Useful Links</a><br> href="useful_links.html">Useful Links</a><br>
@ -72,14 +58,8 @@
href="upgrade_issues.htm">Upgrade Issues</a></li> href="upgrade_issues.htm">Upgrade Issues</a></li>
<li> <a href="support.htm">Getting <li> <a href="support.htm">Getting
Help or Answers to Questions</a></li> Help or Answers to Questions</a></li>
<li> <a href="shorewall_mirrors.htm">Mirrors</a> <li> <a href="shorewall_mirrors.htm">Mirrors</a>
<ul> <ul>
<li><a target="_top" <li><a target="_top"
href="http://slovakia.shorewall.net">Slovak Republic</a></li> href="http://slovakia.shorewall.net">Slovak Republic</a></li>
@ -95,25 +75,11 @@ Help or Answers to Questions</a></li>
target="_top">Washington State, USA</a><br> target="_top">Washington State, USA</a><br>
</li> </li>
</ul> </ul>
</li> </li>
</ul> </ul>
<ul> <ul>
<li> <a href="News.htm">News <li> <a href="News.htm">News
Archive</a></li> Archive</a></li>
@ -126,29 +92,22 @@ Archive</a></li>
<li> <a <li> <a
href="sourceforge_index.htm#Donations">Donations</a></li> href="sourceforge_index.htm#Donations">Donations</a></li>
</ul> </ul>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch"> <form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch">
<strong><br> <strong><br>
<b>Note: </b></strong>Search is unavailable <b>Note: </b></strong>Search is unavailable
Daily 0200-0330 GMT.<br> Daily 0200-0330 GMT.<br>
<strong></strong> <strong></strong>
<p><strong>Quick Search</strong><br> <p><strong>Quick Search</strong><br>
<font face="Arial" size="-1"> <font face="Arial" size="-1"> <input
<input type="text" name="words" size="15"></font><font size="-1"> </font> type="text" name="words" size="15"></font><font size="-1"> </font> <font
<font face="Arial" size="-1"> <input type="hidden" name="format" face="Arial" size="-1"> <input type="hidden" name="format"
value="long"> <input type="hidden" name="method" value="and"> <input value="long"> <input type="hidden" name="method" value="and"> <input
type="hidden" name="config" value="htdig"> <input type="submit" type="hidden" name="config" value="htdig"> <input type="submit"
value="Search"></font> </p> value="Search"></font> </p>
@ -156,12 +115,11 @@ Archive</a></li>
type="hidden" name="exclude" type="hidden" name="exclude"
value="[http://lists.shorewall.net/pipermail/*]"> </font> </form> value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
<p><b><a href="http://lists.shorewall.net/htdig/search.html">Extended Search</a></b></p> <p><b><a href="http://lists.shorewall.net/htdig/search.html">Extended Search</a></b></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001-2003 Thomas M. Eastep.</font></a><br> size="2">2001-2003 Thomas M. Eastep.</font></a><br>
</p> </p>
<br>
</body> </body>
</html> </html>


@ -20,8 +20,6 @@
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Download</font></h1> <h1 align="center"><font color="#ffffff">Shorewall Download</font></h1>
</td> </td>
</tr> </tr>
@ -29,17 +27,16 @@
</tbody> </tbody>
</table> </table>
<p><b>I strongly urge you to read and print a copy of the <a <p><b>I strongly urge you to read and print a copy of the <a
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a> href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
for the configuration that most closely matches your own.<br> for the configuration that most closely matches your own.<br>
</b></p> </b></p>
<p>The entire set of Shorewall documentation is available in PDF format <p>The entire set of Shorewall documentation is available in PDF format at:</p>
at:</p>
<p>    <a href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br> <p>    <a href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>     <a
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
    <a href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>     <a href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>
</p> </p>
@ -53,21 +50,21 @@ at:</p>
<li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>, <li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>,
<b> Linux PPC</b> or <b> TurboLinux</b> distribution <b> Linux PPC</b> or <b> TurboLinux</b> distribution
with a 2.4 kernel, you can use the RPM version (note: the with a 2.4 kernel, you can use the RPM version (note: the
RPM should also work with other distributions that RPM should also work with other distributions that store
store init scripts in /etc/init.d and that include chkconfig init scripts in /etc/init.d and that include chkconfig or
or insserv). If you find that it works in other cases, let <a insserv). If you find that it works in other cases, let <a
href="mailto:teastep@shorewall.net"> me</a> know so that href="mailto:teastep@shorewall.net"> me</a> know so that
I can mention them here. See the <a href="Install.htm">Installation I can mention them here. See the <a href="Install.htm">Installation
Instructions</a> if you have problems installing the RPM.</li> Instructions</a> if you have problems installing the RPM.</li>
<li>If you are running LRP, download the .lrp file (you <li>If you are running LRP, download the .lrp file
might also want to download the .tgz so you will have a copy (you might also want to download the .tgz so you will have a copy
of the documentation).</li> of the documentation).</li>
<li>If you run <a href="http://www.debian.org"><b>Debian</b></a> <li>If you run <a href="http://www.debian.org"><b>Debian</b></a>
and would like a .deb package, Shorewall is included in both and would like a .deb package, Shorewall is included in both
the <a href="http://packages.debian.org/testing/net/shorewall.html">Debian the <a href="http://packages.debian.org/testing/net/shorewall.html">Debian
Testing Branch</a> and the <a Testing Branch</a> and the <a
href="http://packages.debian.org/unstable/net/shorewall.html">Debian href="http://packages.debian.org/unstable/net/shorewall.html">Debian Unstable
Unstable Branch</a>.</li> Branch</a>.</li>
<li>Otherwise, download the <i>shorewall</i> <li>Otherwise, download the <i>shorewall</i>
module (.tgz)</li> module (.tgz)</li>
@ -75,294 +72,26 @@ the <a href="http://packages.debian.org/testing/net/shorewall.html">Debian
<p>The documentation in HTML format is included in the .tgz and .rpm files <p>The documentation in HTML format is included in the .tgz and .rpm files
and there is an documentation .deb that also contains the documentation.  The and there is an documentation .deb that also contains the documentation.  The
.rpm will install the documentation in your default document directory which .rpm will install the documentation in your default document directory
can be obtained using the following command:<br> which can be obtained using the following command:<br>
</p> </p>
<blockquote> <blockquote>
<p><font color="#009900"><b>rpm --eval '%{defaultdocdir}'</b></font></p> <p><font color="#009900"><b>rpm --eval '%{defaultdocdir}'</b></font></p>
</blockquote> </blockquote>
<p>Please verify the version that you have downloaded -- during the <p>Please check the <font color="#ff0000"> <a href="errata.htm"> errata</a></font>
release of a new version of Shorewall, the links below may to see if there are updates that apply to the version
point to a newer or an older version than is shown below.</p> that you have downloaded.</p>
<ul>
<li>RPM - "rpm -qip LATEST.rpm"</li>
<li>TARBALL - "tar -ztf LATEST.tgz" (the directory
name will contain the version)</li>
<li>LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar
-zxf &lt;downloaded .lrp&gt;; cat var/lib/lrpkg/shorwall.version"
</li>
</ul>
<p>Once you have verified the version, check the <font
color="#ff0000"> <a href="errata.htm"> errata</a></font> to see
if there are updates that apply to the version that you have
downloaded.</p>
<p><font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY INSTALL <p><font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY INSTALL
THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed configuration
configuration of your firewall, you can enable startup by removing the of your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.</b></font></p>
file /etc/shorewall/startup_disabled.</b></font></p>
<p><b>Download Latest Version</b> (<b>1.4.0</b>): <b>Remember that updates <p><b></b></p>
to the mirrors occur 1-12 hours after an update to the Washington
State site.</b></p>
<blockquote> <p><b>Download Sites:</b></p>
<table border="2" cellspacing="3" cellpadding="3"
style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>SERVER LOCATION</b></td>
<td><b>DOMAIN</b></td>
<td><b>HTTP</b></td>
<td><b>FTP</b></td>
</tr>
<tr>
<td valign="top">SourceForge<br>
</td>
<td valign="top">sf.net<br>
</td>
<td valign="top"><a
href="http://sourceforge.net/project/showfiles.php?group_id=22587">Download</a><br>
</td>
<td valign="top"><br>
</td>
</tr>
<tr>
<td>Slovak Republic</td>
<td>Shorewall.net</td>
<td><a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br>
<a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.md5sums">
Download.md5sums<br>
</a><a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.samples">Download
.samples</a><a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.md5sums"><br>
</a></td>
<td> <a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
<a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.md5sums">
Download.md5sums<br>
</a><a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.samples">Download
.samples</a><a
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.md5sums"><br>
</a></td>
</tr>
<tr>
<td>Texas, USA</td>
<td>Infohiiway.com</td>
<td><a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.rpm">Download
.rpm</a><br>
<a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.md5sums">
Download.md5sums<br>
</a><a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.samples">Download
.samples</a><a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.md5sums"><br>
</a></td>
<td> <a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.rpm">Download .rpm</a>  <br>
<a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.lrp"> Download
.lrp</a><br>
<a
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.md5sums">
Download.md5sums<br>
</a><a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.samples"> Download
.samples</a><a
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.md5sums"><br>
</a></td>
</tr>
<tr>
<td>Hamburg, Germany</td>
<td>Shorewall.net</td>
<td><a
href="http://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download
.rpm</a><br>
<a
href="http://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a><br>
<a
href="http://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a
href="http://germany.shorewall.net/pub/shorewall/LATEST.md5sums">
Download.md5sums<br>
</a><a
href="http://germany.shorewall.net/pub/shorewall/LATEST.samples">Download
.samples</a><a
href="http://germany.shorewall.net/pub/shorewall/LATEST.md5sums"><br>
</a></td>
<td> <a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download
.rpm</a>  <br>
<a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.md5sums">Download
.md5sums<br>
</a><a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.samples">Download
.samples</a><a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.md5sums"><br>
</a></td>
</tr>
<tr>
<td>Martinez (Zona Norte - GBA), Argentina</td>
<td>Correofuego.com.ar</td>
<td> <a
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
<a
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
Download .lrp</a><br>
<a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums">Download
.md5sums<br>
</a><a
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.samples">
Download .samples</a><a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums"><br>
</a></td>
<td> <a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
<a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
Download .lrp</a><br>
<a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums">Download
.md5sums<br>
</a><a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.samples">
Download .samples</a><a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums"><br>
</a></td>
</tr>
<tr>
<td>Paris, France</td>
<td>Shorewall.net</td>
<td><a
href="http://france.shorewall.net/pub/LATEST.rpm">Download .rpm</a><br>
<a
href="http://france.shorewall.net/pub/LATEST.tgz">Download
.tgz</a> <br>
<a
href="http://france.shorewall.net/pub/LATEST.lrp">Download
.lrp</a><br>
<a
href="http://france.shorewall.net/pub/LATEST.md5sums">Download
.md5sums<br>
</a><a href="http://france.shorewall.net/pub/LATEST.samples">Download
.samples</a><a
href="http://france.shorewall.net/pub/LATEST.md5sums"><br>
</a></td>
<td> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
<a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.md5sums">Download
.md5sums<br>
</a><a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.samples">Download
.samples</a><a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.md5sums"><br>
</a></td>
</tr>
<tr>
<td valign="middle">Washington State, USA<br>
</td>
<td valign="middle">Shorewall.net<br>
</td>
<td valign="top"><a
href="http://www.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br>
<a
href="http://www.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a
href="http://www.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a
href="http://www.shorewall.net/pub/shorewall/LATEST.md5sums">Download
.md5sums<br>
</a><a
href="http://www.shorewall.net/pub/shorewall/LATEST.samples">Download
.samples</a><br>
</td>
<td valign="top"><a
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.rpm" target="_blank">
Download .rpm</a> <br>
<a
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.tgz" target="_blank">Download
.tgz</a> <br>
<a
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.lrp" target="_blank">Download
.lrp</a><br>
<a target="_blank"
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.md5sums">Download
.md5sums<br>
</a><a
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.samples"
target="_blank">Download .samples</a><br>
</td>
</tr>
</tbody>
</table>
</blockquote>
<p><b>Browse Download Sites:</b></p>
<blockquote> <blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;"> <table border="2" cellpadding="2" style="border-collapse: collapse;">
@ -430,7 +159,6 @@ the <a href="http://packages.debian.org/testing/net/shorewall.html">Debian
href="ftp://ftp.shorewall.net/pub/shorewall/" target="_blank">Browse</a></td> href="ftp://ftp.shorewall.net/pub/shorewall/" target="_blank">Browse</a></td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -446,11 +174,13 @@ the <a href="http://packages.debian.org/testing/net/shorewall.html">Debian
</p> </p>
</blockquote> </blockquote>
<p align="left"><font size="2">Last Updated 3/6/2003 - <a <p align="left"><font size="2">Last Updated 3/24/2003 - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p> </p>
<br>
<br>
</body> </body>
</html> </html>


@ -2,19 +2,14 @@
<html> <html>
<head> <head>
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shorewall 1.4 Errata</title> <title>Shorewall 1.4 Errata</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
<meta name="author" content="Tom Eastep"> <meta name="author" content="Tom Eastep">
@ -27,13 +22,10 @@
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1> <h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
@ -41,8 +33,6 @@
<ol> <ol>
<li> <li>
<p align="left"> <b><u>I</u>f you use a Windows system to download <p align="left"> <b><u>I</u>f you use a Windows system to download
a corrected script, be sure to run the script through <u> a corrected script, be sure to run the script through <u>
<a href="http://www.megaloman.com/%7Ehany/software/hd2u/" <a href="http://www.megaloman.com/%7Ehany/software/hd2u/"
@ -50,22 +40,17 @@
it to your Linux system.</b></p> it to your Linux system.</b></p>
</li> </li>
<li> <li>
<p align="left"> <b>If you are installing Shorewall for the first <p align="left"> <b>If you are installing Shorewall for the first
time and plan to use the .tgz and install.sh script, you can untar time and plan to use the .tgz and install.sh script, you can untar
the archive, replace the 'firewall' script in the untarred directory the archive, replace the 'firewall' script in the untarred directory
with the one you downloaded below, and then run install.sh.</b></p> with the one you downloaded below, and then run install.sh.</b></p>
</li> </li>
<li> <li>
<p align="left"> <b>When the instructions say to install a corrected <p align="left"> <b>When the instructions say to install a corrected
firewall script in /usr/share/shorewall/firewall, you may firewall script in /usr/share/shorewall/firewall, you may
rename the existing file before copying in the new file.</b></p> rename the existing file before copying in the new file.</b></p>
</li> </li>
<li> <li>
<p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS <p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW.
For example, do NOT install the 1.3.9a firewall script if you are running For example, do NOT install the 1.3.9a firewall script if you are running
@ -104,10 +89,33 @@ iptables</a></b></li>
<hr> <hr>
<h2 align="left"><a name="V1.4"></a>Problems in Version 1.4</h2> <h2 align="left"><a name="V1.4"></a>Problems in Version 1.4</h2>
<h3></h3> <h3></h3>
<h3>1.4.1a, 1.4.1 and 1.4.0</h3>
<ul>
<li>Some TCP requests are rejected in the 'common' chain with an ICMP port-unreachable
response rather than the more appropriate TCP RST response. This problem
is corrected in this updated common.def file which may be installed in /etc/shorewall/common.def.<br>
</li>
</ul>
<h3>1.4.1</h3>
<ul>
<li>When a "shorewall check" command is executed, each "rule" produces
the harmless additional message:<br>
<br>
     /usr/share/shorewall/firewall: line 2174: [: =: unary operator expected<br>
<br>
You may correct the problem by installing <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.1/firewall"
target="_top">this corrected script</a> in /usr/share/shorewall/firewall
as described above.<br>
</li>
</ul>
<h3>1.4.0</h3> <h3>1.4.0</h3>
<ul> <ul>
<li>When running under certain shells Shorewall will attempt to create <li>When running under certain shells Shorewall will attempt to create
ECN rules even when /etc/shorewall/ecn is empty. You may either just remove ECN rules even when /etc/shorewall/ecn is empty. You may either just remove
@ -115,7 +123,9 @@ ECN rules even when /etc/shorewall/ecn is empty. You may either just remove
href="http://www.shorewall.net/pub/shorewall/errata/1.4.0/firewall">this href="http://www.shorewall.net/pub/shorewall/errata/1.4.0/firewall">this
correct script</a> in /usr/share/shorewall/firewall as described above.<br> correct script</a> in /usr/share/shorewall/firewall as described above.<br>
</li> </li>
</ul> </ul>
<hr width="100%" size="2"> <hr width="100%" size="2">
<h2 align="left"><a name="Upgrade"></a>Upgrade Issues</h2> <h2 align="left"><a name="Upgrade"></a>Upgrade Issues</h2>
@ -127,12 +137,10 @@ correct script</a> in /usr/share/shorewall/firewall as described above.<br>
iptables version 1.2.3</font></h3> iptables version 1.2.3</font></h3>
<blockquote> <blockquote>
<p align="left">There are a couple of serious bugs in iptables 1.2.3 that <p align="left">There are a couple of serious bugs in iptables 1.2.3 that
prevent it from working with Shorewall. Regrettably, prevent it from working with Shorewall. Regrettably,
RedHat released this buggy iptables in RedHat 7.2. </p> RedHat released this buggy iptables in RedHat 7.2. </p>
<p align="left"> I have built a <a <p align="left"> I have built a <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm"> href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
corrected 1.2.3 rpm which you can download here</a>  and I have corrected 1.2.3 rpm which you can download here</a>  and I have
@ -142,7 +150,6 @@ RedHat released this buggy iptables in RedHat 7.2.
running RedHat 7.1, you can install either of these RPMs running RedHat 7.1, you can install either of these RPMs
<b><u>before</u> </b>you upgrade to RedHat 7.2.</p> <b><u>before</u> </b>you upgrade to RedHat 7.2.</p>
<p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat <p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat
has released an iptables-1.2.4 RPM of their own which you can has released an iptables-1.2.4 RPM of their own which you can
download from<font color="#ff6633"> <a download from<font color="#ff6633"> <a
@ -150,84 +157,67 @@ download from<font color="#ff6633"> <a
</font>I have installed this RPM on my firewall and it works </font>I have installed this RPM on my firewall and it works
fine.</p> fine.</p>
<p align="left">If you would like to patch iptables 1.2.3 yourself, <p align="left">If you would like to patch iptables 1.2.3 yourself,
the patches are available for download. This <a the patches are available for download. This <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a> href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
which corrects a problem with parsing of the --log-level specification which corrects a problem with parsing of the --log-level
while this <a specification while this <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a> href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
corrects a problem in handling the  TOS target.</p> corrects a problem in handling the  TOS target.</p>
<p align="left">To install one of the above patches:</p> <p align="left">To install one of the above patches:</p>
<ul> <ul>
<li>cd iptables-1.2.3/extensions</li> <li>cd iptables-1.2.3/extensions</li>
<li>patch -p0 &lt; <i>the-patch-file</i></li> <li>patch -p0 &lt; <i>the-patch-file</i></li>
</ul> </ul>
</blockquote> </blockquote>
<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18 and
<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18 RedHat iptables</h3>
and RedHat iptables</h3>
<blockquote> <blockquote>
<p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19 <p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19
may experience the following:</p> may experience the following:</p>
<blockquote> <blockquote>
<pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre> <pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre>
</blockquote> </blockquote>
<p>The RedHat iptables RPM is compiled with debugging enabled but the <p>The RedHat iptables RPM is compiled with debugging enabled but the
user-space debugging code was not updated to reflect recent changes in user-space debugging code was not updated to reflect recent changes in
the Netfilter 'mangle' table. You can correct the problem by the Netfilter 'mangle' table. You can correct the problem by
installing <a installing <a
href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm"> href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
this iptables RPM</a>. If you are already running a 1.2.5 version this iptables RPM</a>. If you are already running a 1.2.5
of iptables, you will need to specify the --oldpackage option version of iptables, you will need to specify the --oldpackage
to rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p> option to rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
</blockquote> </blockquote>
<h3><a name="SuSE"></a>Problems installing/upgrading <h3><a name="SuSE"></a>Problems installing/upgrading
RPM on SuSE</h3> RPM on SuSE</h3>
<p>If you find that rpm complains about a conflict with kernel &lt;=
<p>If you find that rpm complains about a conflict 2.2 yet you have a 2.4 kernel installed, simply use the "--nodeps"
with kernel &lt;= 2.2 yet you have a 2.4 kernel option to rpm.</p>
installed, simply use the "--nodeps" option to
rpm.</p>
<p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p> <p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<p>Upgrading: rpm -Uvh --nodeps <i>&lt;shorewall rpm&gt;</i></p> <p>Upgrading: rpm -Uvh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<h3><a name="Multiport"></a><b>Problems with iptables version 1.2.7 and
MULTIPORT=Yes</b></h3>
<h3><a name="Multiport"></a><b>Problems with <p>The iptables 1.2.7 release of iptables has made an incompatible
iptables version 1.2.7 and MULTIPORT=Yes</b></h3> change to the syntax used to specify multiport match rules; as
a consequence, if you install iptables 1.2.7 you must be
running Shorewall 1.3.7a or later or:</p>
<p>The iptables 1.2.7 release of iptables has made
an incompatible change to the syntax used to
specify multiport match rules; as a consequence,
if you install iptables 1.2.7 you must be running
Shorewall 1.3.7a or later or:</p>
<ul> <ul>
<li>set MULTIPORT=No <li>set MULTIPORT=No
in /etc/shorewall/shorewall.conf; or </li> in /etc/shorewall/shorewall.conf; or
</li>
<li>if you are running <li>if you are running
Shorewall 1.3.6 you may install Shorewall 1.3.6 you may install
<a <a
@ -239,8 +229,8 @@ to rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm")
<h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br> <h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br>
</h3> </h3>
/etc/shorewall/nat entries of the following form will result /etc/shorewall/nat entries of the following form will
in Shorewall being unable to start:<br> result in Shorewall being unable to start:<br>
<br> <br>
<pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22    eth0    192.168.9.22   yes     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre> <pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22    eth0    192.168.9.22   yes     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
@ -249,16 +239,18 @@ to rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm")
<pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre> <pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
The solution is to put "no" in the LOCAL column. Kernel The solution is to put "no" in the LOCAL column. Kernel
support for LOCAL=yes has never worked properly and 2.4.18-10 has support for LOCAL=yes has never worked properly and 2.4.18-10 has
disabled it. The 2.4.19 kernel contains corrected support under a new disabled it. The 2.4.19 kernel contains corrected support under a
kernel configuraiton option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br> new kernel configuraiton option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
<p><font size="2"> Last updated 3/21/2003 - <p><font size="2"> Last updated 3/25/2003 - <a href="support.htm">Tom Eastep</a></font>
<a href="support.htm">Tom Eastep</a></font> </p> </p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p> </p>
<br> <br>
<br> <br>
<br>
<br>
</body> </body>
</html> </html>

Binary file not shown.


@ -2,22 +2,16 @@
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Mailing Lists</title> <title>Shorewall Mailing Lists</title>
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
@ -29,25 +23,19 @@
<tr> <tr>
<td width="33%" valign="middle" align="left"> <td width="33%" valign="middle" align="left">
<h1 align="center"><a <h1 align="center"><a
href="http://www.centralcommand.com/linux_products.html"><img href="http://www.centralcommand.com/linux_products.html"><img
src="images/Vexira_Antivirus_Logo.gif" alt="Vexira Logo" width="78" src="images/Vexira_Antivirus_Logo.gif" alt="Vexira Logo" width="78"
height="79" align="left"> height="79" align="left">
</a></h1> </a></h1>
<a <a
href="http://www.gnu.org/software/mailman/mailman.html"> <img href="http://www.gnu.org/software/mailman/mailman.html"> <img
border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110" border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110"
height="35" alt=""> height="35" alt="">
</a> </a>
<p align="right"><font color="#ffffff"><b>  </b></font> </p> <p align="right"><font color="#ffffff"><b>  </b></font> </p>
</td> </td>
<td valign="middle" width="34%" align="center"> <td valign="middle" width="34%" align="center">
<h1 align="center"><font color="#ffffff">Shorewall Mailing Lists</font></h1> <h1 align="center"><font color="#ffffff">Shorewall Mailing Lists</font></h1>
</td> </td>
<td valign="middle" width="33%"> <a <td valign="middle" width="33%"> <a
@ -69,27 +57,25 @@
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<h1>REPORTING A PROBLEM OR ASKING FOR HELP? If you haven't already, please <h1>REPORTING A PROBLEM OR ASKING FOR HELP? If you haven't already, please
read the <a href="http://www.shorewall.net/support.htm">Shorewall Support read the <a href="http://www.shorewall.net/support.htm">Shorewall Support
Guide</a>.<br> Guide</a>.<br>
</h1> </h1>
<p align="left">If you experience problems with any of these lists, please <p align="left">If you experience problems with any of these lists, please
let <a href="mailto:teastep@shorewall.net">me</a> know</p> let <a href="mailto:teastep@shorewall.net">me</a> know</p>
<h2 align="left">Not able to Post Mail to shorewall.net?</h2> <h2 align="left">Not able to Post Mail to shorewall.net?</h2>
<p align="left">You can report such problems by sending mail to tom dot eastep <p align="left">You can report such problems by sending mail to tmeastep
at hp dot com.</p> at hotmail dot com.</p>
<h2>A Word about SPAM Filters <a href="http://ordb.org"></a><a <h2>A Word about SPAM Filters <a href="http://ordb.org"></a><a
href="http://osirusoft.com/"> </a></h2> href="http://osirusoft.com/"> </a></h2>
<p>Before subscribing please read my <a href="spam_filters.htm">policy <p>Before subscribing please read my <a href="spam_filters.htm">policy
about list traffic that bounces.</a> Also please note that the mail server about list traffic that bounces.</a> Also please note that the mail server
at shorewall.net checks incoming mail:<br> at shorewall.net checks incoming mail:<br>
@ -114,14 +100,14 @@ record in DNS.</li>
list posts!!<br> list posts!!<br>
<br> <br>
I think that blocking all HTML is a Draconian way to control I think that blocking all HTML is a Draconian way to control
spam and that the ultimate losers here are not the spammers but the spam and that the ultimate losers here are not the spammers but the list
list subscribers whose MTAs are bouncing all shorewall.net mail. As subscribers whose MTAs are bouncing all shorewall.net mail. As one list
one list subscriber wrote to me privately "These e-mail admin's need to subscriber wrote to me privately "These e-mail admin's need to get a <i>(explitive
get a <i>(explitive deleted)</i> life instead of trying to rid the planet deleted)</i> life instead of trying to rid the planet of HTML based e-mail".
of HTML based e-mail". Nevertheless, to allow subscribers to receive list Nevertheless, to allow subscribers to receive list posts as must as possible,
posts as must as possible, I have now configured the list server at shorewall.net I have now configured the list server at shorewall.net to strip all HTML
to strip all HTML from outgoing posts. This means that HTML-only posts from outgoing posts. This means that HTML-only posts will be bounced by
will be bounced by the list server.<br> the list server.<br>
<p align="left"> <b>Note: </b>The list server limits posts to 120kb.<br> <p align="left"> <b>Note: </b>The list server limits posts to 120kb.<br>
</p> </p>
@ -138,20 +124,17 @@ than they help but I'm not prepared to go so far as to start stripping <i>Recei
<form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch"> <form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch">
<p> <font size="-1"> Match: <p> <font size="-1"> Match:
<select name="method"> <select name="method">
<option value="and">All </option> <option value="and">All </option>
<option value="or">Any </option> <option value="or">Any </option>
<option value="boolean">Boolean </option> <option value="boolean">Boolean </option>
</select> </select>
Format: Format:
<select name="format"> <select name="format">
<option value="builtin-long">Long </option> <option value="builtin-long">Long </option>
<option value="builtin-short">Short </option> <option value="builtin-short">Short </option>
</select> </select>
Sort by: Sort by:
<select name="sort"> <select name="sort">
<option value="score">Score </option> <option value="score">Score </option>
<option value="time">Time </option> <option value="time">Time </option>
@ -168,10 +151,9 @@ than they help but I'm not prepared to go so far as to start stripping <i>Recei
value=""> <input type="submit" value="Search"> </p> value=""> <input type="submit" value="Search"> </p>
</form> </form>
<h2 align="left"><font color="#ff0000">Please do not try to download the
<h2 align="left"><font color="#ff0000">Please do not try to download the entire entire Archive -- it is 75MB (and growing daily) and my slow DSL line simply
Archive -- it is 75MB (and growing daily) and my slow DSL line simply won't won't stand the traffic. If I catch you, you will be blacklisted.<br>
stand the traffic. If I catch you, you will be blacklisted.<br>
</font></h2> </font></h2>
<h2 align="left">Shorewall CA Certificate</h2> <h2 align="left">Shorewall CA Certificate</h2>
@ -212,9 +194,9 @@ stand the traffic. If I catch you, you will be blacklisted.<br>
<p align="left">The list archives are at <a <p align="left">The list archives are at <a
href="http://lists.shorewall.net/pipermail/shorewall-users/index.html">http://lists.shorewall.net/pipermail/shorewall-users</a>.</p> href="http://lists.shorewall.net/pipermail/shorewall-users/index.html">http://lists.shorewall.net/pipermail/shorewall-users</a>.</p>
<p align="left">Note that prior to 1/1/2002, the mailing list was hosted <p align="left">Note that prior to 1/1/2002, the mailing list was hosted at
at <a href="http://sourceforge.net">Sourceforge</a>. The archives from that <a href="http://sourceforge.net">Sourceforge</a>. The archives from that list
list may be found at <a may be found at <a
href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p> href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p>
<h2 align="left">Shorewall Announce Mailing List</h2> <h2 align="left">Shorewall Announce Mailing List</h2>
@ -271,20 +253,17 @@ to make this less confusing. To unsubscribe:</p>
<ul> <ul>
<li> <li>
<p align="left">Follow the same link above that you used to subscribe <p align="left">Follow the same link above that you used to subscribe
to the list.</p> to the list.</p>
</li> </li>
<li> <li>
<p align="left">Down at the bottom of that page is the following text: <p align="left">Down at the bottom of that page is the following text:
" To <b>unsubscribe</b> from <i>&lt;list name&gt;</i>, get a " To <b>unsubscribe</b> from <i>&lt;list name&gt;</i>, get a password
password reminder, or change your subscription options enter reminder, or change your subscription options enter your subscription
your subscription email address:". Enter your email address email address:". Enter your email address in the box and
in the box and click on the "<b>Unsubscribe</b> or edit options" button.</p> click on the "<b>Unsubscribe</b> or edit options" button.</p>
</li> </li>
<li> <li>
<p align="left">There will now be a box where you can enter your password <p align="left">There will now be a box where you can enter your password
and click on "Unsubscribe"; if you have forgotten your password, and click on "Unsubscribe"; if you have forgotten your password,
there is another button that will cause your password to be emailed there is another button that will cause your password to be emailed
@ -298,14 +277,15 @@ your subscription email address:". Enter your email address
<p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p> <p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p>
<p align="left"><font size="2">Last updated 2/24/2003 - <a <p align="left"><font size="2">Last updated 3/24/2003 - <a
href="http://www.shorewall.net/support.htm">Tom Eastep</a></font></p> href="http://www.shorewall.net/support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"> <font size="2">Copyright</font> © <p align="left"><a href="copyright.htm"> <font size="2">Copyright</font>
<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p> </p>
<br> <br>
<br> <br>
<br> <br>
<br>
</body> </body>
</html> </html>


@ -2,53 +2,26 @@
<html> <html>
<head> <head>
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.4</title> <title>Shoreline Firewall (Shorewall) 1.4</title>
<base
target="_self">
<base target="_self">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="4" <table border="0" cellpadding="0" cellspacing="4"
style="border-collapse: collapse;" width="100%" id="AutoNumber3" style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td
<td width="100%" width="100%" height="90">
height="90">
<h1 align="center"> <font size="4"><i> <a <h1 align="center"> <font size="4"><i> <a
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4" href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4"
alt="Shorwall Logo" height="70" width="85" align="left" alt="Shorwall Logo" height="70" width="85" align="left"
src="images/washington.jpg" border="0"> src="images/washington.jpg" border="0">
</a></i></font><a </a></i></font><a
href="http://www.shorewall.net" target="_top"><img border="1" href="http://www.shorewall.net" target="_top"><img border="1"
src="images/shorewall.jpg" width="119" height="38" hspace="4" src="images/shorewall.jpg" width="119" height="38" hspace="4"
@ -58,171 +31,71 @@
href="http://www.shorewall.net" target="_top"> </a></small></small></small></small> href="http://www.shorewall.net" target="_top"> </a></small></small></small></small>
<div align="center"> <div align="center">
<h1><font color="#ffffff">Shorewall 1.4</font><i><font <h1><font color="#ffffff">             Shorewall 1.4</font><i><font
color="#ffffff"> <small><small><small>"iptables made easy" </small></small></small></font></i></h1> color="#ffffff"> <small><small><small>"iptables made easy"</small></small></small></font></i><a
href="1.3" target="_top"><font color="#ffffff"><br>
<small><small><small><small>Shorewall 1.3 Site is here</small></small></small></small></font></a><a
href="http://www1.shorewall.net/1.2/index.htm"><font color="#ffffff"><br>
<small><small><small><small>Shorewall 1.2 Site is here</small></small></small></small></font></a><br>
</h1>
</div> </div>
<p><a href="http://www.shorewall.net" target="_top"> </a> </p>
<p><a href="http://www.shorewall.net" target="_top">
</a> </p>
<div align="center"><a href="1.3" target="_top"><font
color="#ffffff">Shorewall 1.3 Site is here</font></a>
<br>
</div>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<div align="center"> <div align="center">
<center> <center>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"> style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody> <tbody>
<tr> <tr>
<td
<td width="90%"> width="90%">
<h2 align="left">What is it?</h2> <h2 align="left">What is it?</h2>
<p>The Shoreline Firewall, more commonly known as "Shorewall", is <p>The Shoreline Firewall, more commonly known as "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
firewall that can be used on a dedicated firewall system, a multi-function firewall that can be used on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system.</p> gateway/router/server or on a standalone GNU/Linux system.</p>
<p>This program is free software; you can redistribute it and/or modify <p>This program is free software; you can redistribute it and/or modify
it under the it under
terms of <a href="http://www.gnu.org/licenses/gpl.html">Version the terms of <a
2 of the GNU General Public License</a> as published by the Free href="http://www.gnu.org/licenses/gpl.html">Version 2 of the
Software Foundation.<br> GNU General Public License</a> as published by the Free Software
Foundation.<br>
<br> <br>
This program
This program is distributed is distributed in the hope that it will
in the hope that it will be useful, but be useful, but WITHOUT ANY WARRANTY; without
WITHOUT ANY WARRANTY; without even the implied even the implied warranty of MERCHANTABILITY
warranty of MERCHANTABILITY or FITNESS FOR or FITNESS FOR A PARTICULAR PURPOSE. See the
A PARTICULAR PURPOSE. See the GNU General Public GNU General Public License for more details.<br>
License for more details.<br>
<br> <br>
You should have
You should have received received a copy of the GNU General Public
a copy of the GNU General Public License License along with this program; if
along with this program; if not, write not, write to the Free Software Foundation,
to the Free Software Foundation, Inc., 675 Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
Mass Ave, Cambridge, MA 02139, USA</p>
<p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p> <p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img <p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36"> border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques Nilo
</a>Jacques and Eric Wolzak have a LEAF (router/firewall/gateway
Nilo and Eric Wolzak have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution on a floppy, CD or compact flash) distribution
called <i>Bering</i> that features called <i>Bering</i> that features
Shorewall-1.3.14 and Kernel-2.4.20. You can find Shorewall-1.3.14 and Kernel-2.4.20. You can
their work at: <a find their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br> href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
</a></p> </a></p>
<p><b>Congratulations to Jacques and Eric on the recent release of <p><b>Congratulations to Jacques and Eric on the recent release of
Bering 1.1!!! </b><br> Bering 1.1!!! </b><br>
</p> </p>
@ -232,155 +105,164 @@ Bering 1.1!!! </b><br>
<h2>News</h2> <h2>News</h2>
<p><b>3/24/2003 - Shorewall 1.4.1 </b><b> </b><b><img <p><b>4/12/2002 - Greater Seattle Linux Users Group Presentation </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)"> border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p> </b></p>
This release follows up on 1.4.0. It corrects a problem introduced in 1.4.0
and removes additional warts.<br> <blockquote>This morning, I gave <a href="GSLUG.htm" target="_top">a
Shorewall presentation to GSLUG</a>. The presentation is in HTML format
but was generated from Microsoft PowerPoint and is best viewed using Internet
Explorer although Konqueror also seems to work reasonably well. Neither Opera
or Netscape work well to view the presentation.<br>
</blockquote>
<p><b>4/9/2003 - Shorewall 1.4.2</b><b> </b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b><br>
</p>
<p><b>    Problems Corrected:</b></p>
<blockquote>
<ol>
<li>TCP connection requests rejected out of the <b>common</b>
chain are now properly rejected with TCP RST; previously, some of these
requests were rejected with an ICMP port-unreachable response.</li>
<li>'traceroute -I' from behind the firewall previously timed
out on the first hop (e.g., to the firewall). This has been worked around.</li>
</ol>
</blockquote>
<p><b>    New Features:</b></p>
<blockquote>
<ol>
<li>Where an entry in the/etc/shorewall/hosts file specifies
a particular host or network, Shorewall now creates an intermediate chain
for handling input from the related zone. This can substantially reduce the
number of rules traversed by connections requests from such zones.<br>
<br> <br>
<b>Problems Corrected:</b><br> </li>
<li>Any file may include an INCLUDE directive. An INCLUDE directive
<ol> consists of the word INCLUDE followed by a file name and causes the contents
<li>When Shorewall 1.4.0 is run under the ash shell (such as on of the named file to be logically included into the file containing the INCLUDE.
Bering/LEAF), it can attempt to add ECN disabling rules even if the /etc/shorewall/ecn File names given in an INCLUDE directive are assumed to reside in /etc/shorewall
file is empty. That problem has been corrected so that ECN disabling rules or in an alternate configuration directory if one has been specified for
are only added if there are entries in /etc/shorewall/ecn.</li> the command. <br>
 <br>
   Examples:<br>
   shorewall/params.mgmt:<br>
   MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3<br>
   TIME_SERVERS=4.4.4.4<br>
   BACKUP_SERVERS=5.5.5.5<br>
   ----- end params.mgmt -----<br>
 <br>
 <br>
   shorewall/params:<br>
   # Shorewall 1.3 /etc/shorewall/params<br>
   [..]<br>
   #######################################<br>
 <br>
   INCLUDE params.mgmt    <br>
  <br>
   # params unique to this host here<br>
   #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE<br>
   ----- end params -----<br>
 <br>
 <br>
   shorewall/rules.mgmt:<br>
   ACCEPT net:$MGMT_SERVERS          $FW    tcp    22<br>
   ACCEPT $FW          net:$TIME_SERVERS    udp    123<br>
   ACCEPT $FW          net:$BACKUP_SERVERS  tcp    22<br>
   ----- end rules.mgmt -----<br>
 <br>
   shorewall/rules:<br>
   # Shorewall version 1.3 - Rules File<br>
   [..]<br>
   #######################################<br>
 <br>
   INCLUDE rules.mgmt     <br>
  <br>
   # rules unique to this host here<br>
   #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE<br>
   ----- end rules -----<br>
 <br>
INCLUDE's may be nested to a level of 3 -- further nested INCLUDE directives
are ignored with a warning message.<br>
<br>
</li>
<li>Routing traffic from an interface back out that interface
continues to be a problem. While I firmly believe that this should never
happen, people continue to want to do it. To limit the damage that such
nonsense produces, I have added a new 'routeback' option in /etc/shorewall/interfaces
and /etc/shorewall/hosts. When used in /etc/shorewall/interfaces, the 'ZONE'
column may not contain '-'; in other words, 'routeback' can't be used as
an option for a multi-zone interface. The 'routeback' option CAN be specified
however on individual group entries in /etc/shorewall/hosts.<br>
 <br>
The 'routeback' option is similar to the old 'multi' option with two
exceptions:<br>
 <br>
   a) The option pertains to a particular zone,interface,address tuple.<br>
 <br>
   b) The option only created infrastructure to pass traffic from (zone,interface,address)
tuples back to themselves (the 'multi' option affected all (zone,interface,address)
tuples associated with the given 'interface').<br>
 <br>
See the '<a href="upgrade_issues.htm">Upgrade Issues</a>' for information
about how this new option may affect your configuration.<br>
</li>
</ol> </ol>
<b>New Features:</b><br>
<blockquote>Note: In the list that follows, the term <i>group </i>refers
to a particular network or subnetwork (which may be 0.0.0.0/0 or it may
be a host address) accessed through a particular interface. Examples:<br>
<blockquote>eth0:0.0.0.0/0<br>
eth2:192.168.1.0/24<br>
eth3:192.0.2.123<br>
</blockquote>
You can use the "shorewall check" command to see the groups associated
with each of your zones.<br>
</blockquote> </blockquote>
<ol> <p><b></b></p>
<li>Beginning with Shorewall 1.4.1, if a zone Z comprises more
than one group<i> </i>then if there is no explicit Z to Z policy and there
are no rules governing traffic from Z to Z then Shorewall will permit all
traffic between the groups in the zone.</li>
<li>Beginning with Shorewall 1.4.1, Shorewall will never create
rules to handle traffic from a group to itself.</li>
<li>A NONE policy is introduced in 1.4.1. When a policy of NONE
is specified from Z1 to Z2:</li>
</ol>
<ul>
<li>There may be no rules created that govern connections from
Z1 to Z2.</li>
<li>Shorewall will not create any infrastructure to handle traffic
from Z1 to Z2.</li>
</ul>
See the <a href="upgrade_issues.htm">upgrade issues</a> for a discussion
of how these changes may affect your configuration.<br>
<p><a href="News.htm">More News</a></p> <p><a href="News.htm">More News</a></p>
<h2><a name="Donations"></a>Donations</h2> <h2><a name="Donations"></a>Donations</h2>
</td> </td>
<td
<td width="88" width="88" bgcolor="#4b017c" valign="top" align="center"> <br>
bgcolor="#4b017c" valign="top" align="center"> <br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</center> </center>
</div> </div>
<table border="0" cellpadding="5" cellspacing="0" <table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2" style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td width="100%" <td width="100%"
style="margin-top: 1px;"> style="margin-top: 1px;">
<p align="center"><a href="http://www.starlight.org"> <img <p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left" border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10"> hspace="10">
</a></p> </a></p>
<p align="center"><font size="4" color="#ffffff">Shorewall is free <p align="center"><font size="4" color="#ffffff">Shorewall is free
but if you try it and find it useful, please consider making a donation but if you try it and find it useful, please consider making a donation
to <a to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight href="http://www.starlight.org"><font color="#ffffff">Starlight Children's
Children's Foundation.</font></a> Thanks!</font></p> Foundation.</font></a> Thanks!</font></p>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p><font size="2">Updated 4/12/2003 - <a href="support.htm">Tom Eastep</a></font>
<p><font size="2">Updated 3/21/2003 - <a href="support.htm">Tom Eastep</a></font>
<br> <br>
</p> </p>
<br> <br>
<br> <br>
<br> <br>
<br>
</body> </body>
</html> </html>


@ -2,22 +2,16 @@
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shorewall QuickStart Guide</title> <title>Shorewall QuickStart Guide</title>
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
@ -28,20 +22,17 @@
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall QuickStart Guides <h1 align="center"><font color="#ffffff">Shorewall QuickStart Guides
(HOWTO's)<br> (HOWTO's)<br>
Version 4.0</font></h1> Version 4.0</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p align="center">With thanks to Richard who reminded me once again that <p align="center">With thanks to Richard who reminded me once again that we
we must all first walk before we can run.<br> must all first walk before we can run.<br>
The French Translations are courtesy of Patrice Vetsel<br> The French Translations are courtesy of Patrice Vetsel<br>
</p> </p>
@ -82,7 +73,6 @@ we must all first walk before we can run.<br>
<li><a <li><a
href="shorewall_setup_guide.htm#Addressing">4.0 Addressing, Subnets href="shorewall_setup_guide.htm#Addressing">4.0 Addressing, Subnets
and Routing</a> and Routing</a>
<ul> <ul>
<li><a <li><a
href="shorewall_setup_guide.htm#Addresses">4.1 IP Addresses</a></li> href="shorewall_setup_guide.htm#Addresses">4.1 IP Addresses</a></li>
@ -93,34 +83,27 @@ we must all first walk before we can run.<br>
<li><a href="shorewall_setup_guide.htm#ARP">4.4 <li><a href="shorewall_setup_guide.htm#ARP">4.4
Address Resolution Protocol</a></li> Address Resolution Protocol</a></li>
</ul> </ul>
<ul> <ul>
<li><a <li><a
href="shorewall_setup_guide.htm#RFC1918">4.5 RFC 1918</a></li> href="shorewall_setup_guide.htm#RFC1918">4.5 RFC 1918</a></li>
</ul> </ul>
</li> </li>
<li><a href="shorewall_setup_guide.htm#Options">5.0 <li><a
Setting up your Network</a> href="shorewall_setup_guide.htm#Options">5.0 Setting up your Network</a>
<ul> <ul>
<li><a <li><a
href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li> href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li>
</ul> </ul>
<ul> <ul>
<li><a <li><a
href="shorewall_setup_guide.htm#NonRouted">5.2 Non-routed</a> href="shorewall_setup_guide.htm#NonRouted">5.2 Non-routed</a>
<ul> <ul>
<li><a <li><a
href="shorewall_setup_guide.htm#SNAT">5.2.1 SNAT</a></li> href="shorewall_setup_guide.htm#SNAT">5.2.1 SNAT</a></li>
@ -128,20 +111,16 @@ we must all first walk before we can run.<br>
href="shorewall_setup_guide.htm#DNAT">5.2.2 DNAT</a></li> href="shorewall_setup_guide.htm#DNAT">5.2.2 DNAT</a></li>
<li><a <li><a
href="shorewall_setup_guide.htm#ProxyARP">5.2.3 Proxy ARP</a></li> href="shorewall_setup_guide.htm#ProxyARP">5.2.3 Proxy ARP</a></li>
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4 <li><a
Static NAT</a></li> href="shorewall_setup_guide.htm#NAT">5.2.4 Static NAT</a></li>
</ul> </ul>
</li> </li>
<li><a href="shorewall_setup_guide.htm#Rules">5.3 <li><a
Rules</a></li> href="shorewall_setup_guide.htm#Rules">5.3 Rules</a></li>
<li><a <li><a
href="shorewall_setup_guide.htm#OddsAndEnds">5.4 Odds and Ends</a></li> href="shorewall_setup_guide.htm#OddsAndEnds">5.4 Odds and Ends</a></li>
</ul> </ul>
</li> </li>
<li><a href="shorewall_setup_guide.htm#DNS">6.0 <li><a href="shorewall_setup_guide.htm#DNS">6.0
@ -165,19 +144,14 @@ trying to use this documentation directly.</p>
(e.g., eth0:0)</a><br> (e.g., eth0:0)</a><br>
</li> </li>
<li><a href="blacklisting_support.htm">Blacklisting</a> <li><a href="blacklisting_support.htm">Blacklisting</a>
<ul> <ul>
<li>Static Blacklisting using /etc/shorewall/blacklist</li> <li>Static Blacklisting using /etc/shorewall/blacklist</li>
<li>Dynamic Blacklisting using /sbin/shorewall</li> <li>Dynamic Blacklisting using /sbin/shorewall</li>
</ul> </ul>
</li> </li>
<li><a href="configuration_file_basics.htm">Common <li><a href="configuration_file_basics.htm">Common
configuration file features</a> configuration file features</a>
<ul> <ul>
<li><a <li><a
href="configuration_file_basics.htm#Comments">Comments in configuration href="configuration_file_basics.htm#Comments">Comments in configuration
@ -197,18 +171,15 @@ trying to use this documentation directly.</p>
href="configuration_file_basics.htm#Compliment">Complementing an IP address href="configuration_file_basics.htm#Compliment">Complementing an IP address
or Subnet</a></li> or Subnet</a></li>
<li><a <li><a
href="configuration_file_basics.htm#Configs">Shorewall Configurations (making href="configuration_file_basics.htm#Configs">Shorewall Configurations
a test configuration)</a></li> (making a test configuration)</a></li>
<li><a <li><a
href="configuration_file_basics.htm#MAC">Using MAC Addresses in Shorewall</a></li> href="configuration_file_basics.htm#MAC">Using MAC Addresses in Shorewall</a></li>
</ul> </ul>
</li> </li>
<li><a href="Documentation.htm">Configuration File <li><a href="Documentation.htm">Configuration File
Reference Manual</a> Reference Manual</a>
<ul> <ul>
<li> <a href="Documentation.htm#Variables">params</a></li> <li> <a href="Documentation.htm#Variables">params</a></li>
<li><font color="#000099"><a <li><font color="#000099"><a
@ -239,15 +210,16 @@ a test configuration)</a></li>
<li><a href="Documentation.htm#rfc1918">rfc1918</a></li> <li><a href="Documentation.htm#rfc1918">rfc1918</a></li>
<li><a href="Documentation.htm#Routestopped">routestopped</a></li> <li><a href="Documentation.htm#Routestopped">routestopped</a></li>
</ul> </ul>
</li> </li>
<li><a href="dhcp.htm">DHCP</a></li> <li><a href="dhcp.htm">DHCP</a></li>
<li><font color="#000099"><a <li><a href="ECN.html">ECN Disabling by host or
href="shorewall_extension_scripts.htm">Extension Scripts</a></font> (How subnet</a><br>
to extend Shorewall without modifying Shorewall code through the use of </li>
files in /etc/shorewall -- /etc/shorewall/start, /etc/shorewall/stopped, <li><font color="#000099"><a href="shorewall_extension_scripts.htm">Extension
etc.)</li> Scripts</a></font> (How to extend Shorewall without modifying Shorewall
code through the use of files in /etc/shorewall -- /etc/shorewall/start,
/etc/shorewall/stopped, etc.)</li>
<li><a href="fallback.htm">Fallback/Uninstall</a></li> <li><a href="fallback.htm">Fallback/Uninstall</a></li>
<li><a href="shorewall_firewall_structure.htm">Firewall <li><a href="shorewall_firewall_structure.htm">Firewall
Structure</a></li> Structure</a></li>
@ -263,13 +235,10 @@ etc.)</li>
<li><a href="ping.html">'Ping' Management</a><br> <li><a href="ping.html">'Ping' Management</a><br>
</li> </li>
<li><a href="ports.htm">Port Information</a> <li><a href="ports.htm">Port Information</a>
<ul> <ul>
<li>Which applications use which ports</li> <li>Which applications use which ports</li>
<li>Ports used by Trojans</li> <li>Ports used by Trojans</li>
</ul> </ul>
</li> </li>
<li><a href="ProxyARP.htm">Proxy ARP</a></li> <li><a href="ProxyARP.htm">Proxy ARP</a></li>
@ -290,7 +259,6 @@ Proxy with Shorewall</a><br>
</li> </li>
<li><a href="traffic_shaping.htm">Traffic Shaping/QOS</a></li> <li><a href="traffic_shaping.htm">Traffic Shaping/QOS</a></li>
<li>VPN <li>VPN
<ul> <ul>
<li><a href="IPSEC.htm">IPSEC</a></li> <li><a href="IPSEC.htm">IPSEC</a></li>
<li><a href="IPIP.htm">GRE and IPIP</a></li> <li><a href="IPIP.htm">GRE and IPIP</a></li>
@ -300,7 +268,6 @@ Proxy with Shorewall</a><br>
<li><a href="VPN.htm">IPSEC/PPTP</a> from a system <li><a href="VPN.htm">IPSEC/PPTP</a> from a system
behind your firewall to a remote network.</li> behind your firewall to a remote network.</li>
</ul> </ul>
</li> </li>
<li><a href="whitelisting_under_shorewall.htm">White <li><a href="whitelisting_under_shorewall.htm">White
@ -311,11 +278,12 @@ Proxy with Shorewall</a><br>
<p>If you use one of these guides and have a suggestion for improvement <a <p>If you use one of these guides and have a suggestion for improvement <a
href="mailto:webmaster@shorewall.net">please let me know</a>.</p> href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
<p><font size="2">Last modified 3/12/2003 - <a href="support.htm">Tom Eastep</a></font></p> <p><font size="2">Last modified 4/112003 - <a href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright 2002, 2003 Thomas M. <p><a href="copyright.htm"><font size="2">Copyright 2002, 2003 Thomas M.
Eastep</font></a><br> Eastep</font></a><br>
</p> </p>
<br> <br>
<br>
</body> </body>
</html> </html>


@ -1,322 +1,282 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.3</title> <title>Shoreline Firewall (Shorewall) 1.3</title>
<base target="_self"> <base
target="_self">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="4" <table border="0" cellpadding="0" cellspacing="4"
style="border-collapse: collapse;" width="100%" id="AutoNumber3" style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td
<td width="100%" width="100%" height="90">
height="90">
<h1 align="center"> <font size="4"><i> <a <h1 align="center"> <font size="4"><i> <a
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4" href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4"
alt="Shorwall Logo" height="70" width="85" align="left" alt="Shorwall Logo" height="70" width="85" align="left"
src="images/washington.jpg" border="0"> src="images/washington.jpg" border="0">
</a></i></font><font </a></i></font><font
color="#ffffff">Shorewall 1.4 - <font color="#ffffff">Shorewall 1.4 - <font
size="4">"<i>iptables made easy"</i></font></font><a size="4">"<i>iptables made easy"</i></font></font><br>
href="http://www.sf.net"> </a></h1> <a target="_top" href="1.3/index.html"><font color="#ffffff">
<small><small><small>Shorewall 1.3 Site here</small></small></small></font></a><br>
<a target="_top"
href="http://www1.shorewall.net/1.2/index.htm"><font color="#ffffff"><small><small><small>Shorewall
1.2 Site here<br>
</small></small></small></font></a>
<div align="center"><a href="/1.3/index.html" target="_top"><font
color="#ffffff">Shorewall 1.3 Site here</font></a></div>
</h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<div align="center"> <div align="center">
<center> <center>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"> style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody> <tbody>
<tr> <tr>
<td
<td width="90%"> width="90%">
<h2 align="left">What is it?</h2> <h2 align="left">What is it?</h2>
<p>The Shoreline Firewall, more commonly known as  "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a> (iptables) <p>The Shoreline Firewall, more commonly known as "Shorewall", is
based firewall that can be used on a dedicated firewall a <a href="http://www.netfilter.org">Netfilter</a>
system, a multi-function gateway/router/server or on a standalone (iptables) based firewall that can be used on a dedicated
GNU/Linux system.</p> firewall system, a multi-function gateway/router/server
or on a standalone GNU/Linux system.</p>
<p>This program is free software; you can redistribute it and/or modify <p>This program is free software; you can redistribute it and/or modify
it under the it under
terms of <a href="http://www.gnu.org/licenses/gpl.html">Version the terms of <a
2 of the GNU General Public License</a> as published by the Free href="http://www.gnu.org/licenses/gpl.html">Version 2 of the
Software Foundation.<br> GNU General Public License</a> as published by the Free Software
Foundation.<br>
<br> <br>
This program
This program is distributed is distributed in the hope that it will
in the hope that it will be useful, but be useful, but WITHOUT ANY WARRANTY; without
WITHOUT ANY WARRANTY; without even the implied even the implied warranty of MERCHANTABILITY
warranty of MERCHANTABILITY or FITNESS FOR or FITNESS FOR A PARTICULAR PURPOSE. See the
A PARTICULAR PURPOSE. See the GNU General Public GNU General Public License for more details.<br>
License for more details.<br>
<br> <br>
You should
have received a copy of the GNU General
Public License along with this program;
if not, write to the Free Software Foundation,
Inc., 675 Mass Ave, Cambridge, MA 02139,
USA</p>
You should have received
a copy of the GNU General Public License
along with this program; if not, write
to the Free Software Foundation, Inc., 675
Mass Ave, Cambridge, MA 02139, USA</p>
<p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p> <p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img <p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36"> border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques </a>Jacques
Nilo and Eric Wolzak have a LEAF (router/firewall/gateway Nilo and Eric Wolzak have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution on a floppy, CD or compact flash) distribution
called <i>Bering</i> that features called <i>Bering</i> that features
Shorewall-1.3.14 and Kernel-2.4.20. You can find Shorewall-1.3.14 and Kernel-2.4.20. You can
their work at: <a find their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p> href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
<b>Congratulations <b>Congratulations
to Jacques and Eric on the recent release of Bering to Jacques and Eric on the recent release of Bering
1.1!!! <br> 1.1!!! <br>
<h2>News</h2> </b>
<p><b>3/24/2003 - Shorewall 1.4.1 </b><b> </b><b><img <h2><b>News</b></h2>
<b> </b>
<p><b>4/12/2002 - Greater Seattle Linux Users Group Presentation </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)"> border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
 </b></p> </b></p>
<p>This release follows up on 1.4.0. It corrects a problem introduced <blockquote> This morning, I gave <a href="GSLUG.htm"
in 1.4.0 and removes additional warts.<br> target="_top">a Shorewall presentation to GSLUG</a>. The presentation
<br> is in HTML format but was generated from Microsoft PowerPoint and is best
<b>Problems Corrected:</b><br> viewed using Internet Explorer although Konqueror also seems to work reasonably
well. Neither Opera or Netscape work well to view the presentation.</blockquote>
<p><b>4/9/2003 - Shorewall 1.4.2</b><b> </b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b><br>
</p> </p>
<p><b>    Problems Corrected:</b></p>
<blockquote>
<ol> <ol>
<li>When Shorewall 1.4.0 is run under the ash shell (such as on Bering/LEAF), <li>TCP connection requests rejected out of the <b>common</b>
it can attempt to add ECN disabling rules even if the /etc/shorewall/ecn file chain are now properly rejected with TCP RST; previously, some of these requests
is empty. That problem has been corrected so that ECN disabling rules are were rejected with an ICMP port-unreachable response.</li>
only added if there are entries in /etc/shorewall/ecn.</li> <li>'traceroute -I' from behind the firewall previously timed
out on the first hop (e.g., to the firewall). This has been worked around.</li>
</ol> </ol>
<b>New Features:</b><br>
<blockquote>Note: In the list that follows, the term <i>group </i>refers
to a particular network or subnetwork (which may be 0.0.0.0/0 or it may be
a host address) accessed through a particular interface. Examples:<br>
<blockquote>eth0:0.0.0.0/0<br>
eth2:192.168.1.0/24<br>
eth3:192.0.2.123<br>
</blockquote>
You can use the "shorewall check" command to see the groups associated with
each of your zones.<br>
</blockquote> </blockquote>
<p><b>    New Features:</b></p>
<blockquote>
<ol> <ol>
<li>Beginning with Shorewall 1.4.1, if a zone Z comprises more than <li>Where an entry in the/etc/shorewall/hosts file specifies
one group<i> </i>then if there is no explicit Z to Z policy and there are a particular host or network, Shorewall now creates an intermediate chain
no rules governing traffic from Z to Z then Shorewall will permit all traffic for handling input from the related zone. This can substantially reduce
between the groups in the zone.</li> the number of rules traversed by connections requests from such zones.<br>
<li>Beginning with Shorewall 1.4.1, Shorewall will never create rules <br>
to handle traffic from a group to itself.</li> </li>
<li>A NONE policy is introduced in 1.4.1. When a policy of NONE is <li>Any file may include an INCLUDE directive. An INCLUDE directive
specified from Z1 to Z2:</li> consists of the word INCLUDE followed by a file name and causes the contents
of the named file to be logically included into the file containing the
INCLUDE. File names given in an INCLUDE directive are assumed to reside
in /etc/shorewall or in an alternate configuration directory if one has
been specified for the command. <br>
 <br>
   Examples:<br>
   shorewall/params.mgmt:<br>
   MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3<br>
   TIME_SERVERS=4.4.4.4<br>
   BACKUP_SERVERS=5.5.5.5<br>
   ----- end params.mgmt -----<br>
 <br>
 <br>
   shorewall/params:<br>
   # Shorewall 1.3 /etc/shorewall/params<br>
   [..]<br>
   #######################################<br>
 <br>
   INCLUDE params.mgmt    <br>
  <br>
   # params unique to this host here<br>
   #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE<br>
   ----- end params -----<br>
 <br>
 <br>
   shorewall/rules.mgmt:<br>
   ACCEPT net:$MGMT_SERVERS          $FW    tcp    22<br>
   ACCEPT $FW          net:$TIME_SERVERS    udp    123<br>
   ACCEPT $FW          net:$BACKUP_SERVERS  tcp    22<br>
   ----- end rules.mgmt -----<br>
 <br>
   shorewall/rules:<br>
   # Shorewall version 1.3 - Rules File<br>
   [..]<br>
   #######################################<br>
 <br>
   INCLUDE rules.mgmt     <br>
  <br>
   # rules unique to this host here<br>
   #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE<br>
   ----- end rules -----<br>
 <br>
INCLUDE's may be nested to a level of 3 -- further nested INCLUDE directives
are ignored with a warning message.<br>
<br>
</li>
<li>Routing traffic from an interface back out that interface
continues to be a problem. While I firmly believe that this should never
happen, people continue to want to do it. To limit the damage that such
nonsense produces, I have added a new 'routeback' option in /etc/shorewall/interfaces
and /etc/shorewall/hosts. When used in /etc/shorewall/interfaces, the 'ZONE'
column may not contain '-'; in other words, 'routeback' can't be used as
an option for a multi-zone interface. The 'routeback' option CAN be specified
however on individual group entries in /etc/shorewall/hosts.<br>
 <br>
The 'routeback' option is similar to the old 'multi' option with two
exceptions:<br>
 <br>
   a) The option pertains to a particular zone,interface,address tuple.<br>
 <br>
   b) The option only created infrastructure to pass traffic from (zone,interface,address)
tuples back to themselves (the 'multi' option affected all (zone,interface,address)
tuples associated with the given 'interface').<br>
 <br>
See the '<a href="upgrade_issues.htm">Upgrade Issues</a>' for information
about how this new option may affect your configuration.<br>
</li>
</ol> </ol>
</blockquote>
<ul> <p><a href="file:///Z:/Shorewall-docs/News.htm"></a></p>
<li>There may be no rules created that govern connections from Z1 <b> </b>
to Z2.</li>
<li>Shorewall will not create any infrastructure to handle traffic
from Z1 to Z2.</li>
</ul>
See the <a href="upgrade_issues.htm">upgrade issues</a> for a discussion
of how these changes may affect your configuration.
<p><a href="News.htm">More News</a></p>
<p><b><a href="News.htm">More News</a></b></p>
<b> </b>
<h2><b> </b></h2>
<b> </b>
<h1 align="center"><b><a href="http://www.sf.net"><img
align="left" alt="SourceForge Logo"
<h2> </h2>
<h1 align="center"><a href="http://www.sf.net"><img align="left"
alt="SourceForge Logo"
src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3"> src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3">
</a></h1>
</a></b></h1>
<b> </b>
<h4><b> </b></h4>
<b> </b>
<h2><b>This site is hosted by the generous folks at <a
href="http://www.sf.net">SourceForge.net</a> </b></h2>
<b> </b>
<h2><b><a name="Donations"></a>Donations</b></h2>
<b> </b></td>
<td
<h4> </h4> width="88" bgcolor="#4b017c" valign="top" align="center"> <br>
<h2>This site is hosted by the generous folks at <a
href="http://www.sf.net">SourceForge.net</a> </h2>
<h2><a name="Donations"></a>Donations</h2>
</td> </td>
<td width="88"
bgcolor="#4b017c" valign="top" align="center"> <br>
</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</center> </center>
</div> </div>
<table border="0" cellpadding="5" cellspacing="0" <table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2" style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td
<td width="100%" width="100%" style="margin-top: 1px;">
style="margin-top: 1px;">
<p align="center"><a href="http://www.starlight.org"> <img <p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left" border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10"> hspace="10">
</a></p> </a></p>
<p align="center"><font size="4" color="#ffffff">Shorewall is free <p align="center"><font size="4" color="#ffffff">Shorewall is free
but if you try it and find it useful, please consider making a donation but if you try it and find it useful, please consider making a donation
to <a to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight href="http://www.starlight.org"><font color="#ffffff">Starlight Children's
Children's Foundation.</font></a> Thanks!</font></p> Foundation.</font></a> Thanks!</font></p>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p><font size="2">Updated 4/12/2003 - <a href="support.htm">Tom Eastep</a></font>
<p><font size="2">Updated 3/21/2003 - <a href="support.htm">Tom Eastep</a></font>
<br> <br>
</p> </p>
<br> <br>
<br> <br>
<br>
<br>
</body> </body>
</html> </html>


@ -61,8 +61,8 @@
    If you edit your configuration files on a Windows system, you     If you edit your configuration files on a Windows system, you
must save them as Unix files if your editor supports that option or you must save them as Unix files if your editor supports that option or you
must run them through dos2unix before trying to use them. Similarly, if must run them through dos2unix before trying to use them. Similarly, if
you copy a configuration file from your Windows hard drive to a floppy you copy a configuration file from your Windows hard drive to a floppy disk,
disk, you must run dos2unix against the copy before using it with Shorewall.</p> you must run dos2unix against the copy before using it with Shorewall.</p>
<ul> <ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
@ -77,21 +77,21 @@ disk, you must run dos2unix against the copy before using it with Shorewall.</p
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13" <p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
alt=""> alt="">
    The configuration files for Shorewall are contained in the directory     The configuration files for Shorewall are contained in the directory
/etc/shorewall -- for simple setups, you only need to deal with a few /etc/shorewall -- for simple setups, you only need to deal with a few of
of these as described in this guide. After you have <a these as described in this guide. After you have <a
href="Install.htm">installed Shorewall</a>, <b>download the <a href="Install.htm">installed Shorewall</a>, <b>download the <a
href="/pub/shorewall/LATEST.samples/one-interface.tgz">one-interface sample</a>, href="http://www.shorewall.net/pub/shorewall/LATEST.samples/one-interface.tgz">one-interface
un-tar it (tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewall sample</a>, un-tar it (tar -zxvf one-interface.tgz) and and copy the files
(they will replace files with the same names that were placed in /etc/shorewall to /etc/shorewall (they will replace files with the same names that were
during Shorewall installation)</b>.</p> placed in /etc/shorewall during Shorewall installation)</b>.</p>
<p>As each file is introduced, I suggest that you look through the actual <p>As each file is introduced, I suggest that you look through the actual
file on your system -- each file contains detailed configuration instructions file on your system -- each file contains detailed configuration instructions
and default entries.</p> and default entries.</p>
<p>Shorewall views the network where it is running as being composed of a <p>Shorewall views the network where it is running as being composed of a
set of <i>zones.</i> In the one-interface sample configuration, only set of <i>zones.</i> In the one-interface sample configuration, only one
one zone is defined:</p> zone is defined:</p>
<table border="0" style="border-collapse: collapse;" cellpadding="3" <table border="0" style="border-collapse: collapse;" cellpadding="3"
cellspacing="0" id="AutoNumber2"> cellspacing="0" id="AutoNumber2">
@ -132,8 +132,8 @@ one zone is defined:</p>
the request is first checked against the rules in /etc/shorewall/common the request is first checked against the rules in /etc/shorewall/common
(the samples provide that file for you).</p> (the samples provide that file for you).</p>
<p>The /etc/shorewall/policy file included with the one-interface sample <p>The /etc/shorewall/policy file included with the one-interface sample has
has the following policies:</p> the following policies:</p>
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -177,8 +177,8 @@ has the following policies:</p>
<ol> <ol>
<li>allow all connection requests from the firewall to the internet</li> <li>allow all connection requests from the firewall to the internet</li>
<li>drop (ignore) all connection requests from the internet to your <li>drop (ignore) all connection requests from the internet to
firewall</li> your firewall</li>
<li>reject all other connection requests (Shorewall requires this <li>reject all other connection requests (Shorewall requires this
catchall policy).</li> catchall policy).</li>
@ -191,21 +191,21 @@ has the following policies:</p>
<p align="left">The firewall has a single network interface. Where Internet <p align="left">The firewall has a single network interface. Where Internet
connectivity is through a cable or DSL "Modem", the <i>External Interface</i> connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
will be the ethernet adapter (<b>eth0</b>) that is connected to that will be the ethernet adapter (<b>eth0</b>) that is connected to that "Modem" 
"Modem"  <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol
<u>P</u>rotocol over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling
<u>T</u>unneling <u>P</u>rotocol </i>(PPTP) in which case the External <u>P</u>rotocol </i>(PPTP) in which case the External Interface will be
Interface will be a <b>ppp0</b>. If you connect via a regular modem, your a <b>ppp0</b>. If you connect via a regular modem, your External Interface
External Interface will also be <b>ppp0</b>. If you connect using ISDN, will also be <b>ppp0</b>. If you connect using ISDN, your external interface
your external interface will be<b> ippp0.</b></p> will be<b> ippp0.</b></p>
<p align="left"><img border="0" src="images/BD21298_3.gif" width="13" <p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
height="13"> height="13">
    The Shorewall one-interface sample configuration assumes that     The Shorewall one-interface sample configuration assumes that the
the external interface is <b>eth0</b>. If your configuration is different, external interface is <b>eth0</b>. If your configuration is different,
you will have to modify the sample /etc/shorewall/interfaces file accordingly. you will have to modify the sample /etc/shorewall/interfaces file accordingly.
While you are there, you may wish to review the list of options that While you are there, you may wish to review the list of options that are
are specified for the interface. Some hints:</p> specified for the interface. Some hints:</p>
<ul> <ul>
<li> <li>
@ -214,8 +214,8 @@ are specified for the interface. Some hints:</p>
</li> </li>
<li> <li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b> <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>
or if you have a static IP address, you can remove "dhcp" from the or if you have a static IP address, you can remove "dhcp" from the option
option list. </p> list. </p>
</li> </li>
</ul> </ul>
@ -284,8 +284,8 @@ should remove the 'norfc1918' option from the entry in /etc/shorewall/interf
</div> </div>
<div align="left"> <div align="left">
<p align="left">Example - You want to run a Web Server and a POP3 Server <p align="left">Example - You want to run a Web Server and a POP3 Server on
on your firewall system:</p> your firewall system:</p>
</div> </div>
<div align="left"> <div align="left">
@ -327,8 +327,8 @@ on your firewall system:</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left">If you don't know what port and protocol a particular <p align="left">If you don't know what port and protocol a particular application
application uses, see <a href="ports.htm">here</a>.</p> uses, see <a href="ports.htm">here</a>.</p>
</div> </div>
<div align="left"> <div align="left">
@ -384,7 +384,8 @@ application uses, see <a href="ports.htm">here</a>.</p>
your system to start Shorewall at system boot but beginning with Shorewall your system to start Shorewall at system boot but beginning with Shorewall
version 1.3.9 startup is disabled so that your system won't try to start version 1.3.9 startup is disabled so that your system won't try to start
Shorewall before configuration is complete. Once you have completed configuration Shorewall before configuration is complete. Once you have completed configuration
of your firewall, you can enable Shorewall startup by removing the file /etc/shorewall/startup_disabled.<br> of your firewall, you can enable Shorewall startup by removing the file
/etc/shorewall/startup_disabled.<br>
</p> </p>
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Users of the .deb <p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Users of the .deb
@ -425,5 +426,6 @@ Thomas M. Eastep</font></a></p>
<br> <br>
<br> <br>
<br> <br>
<br>
</body> </body>
</html> </html>


@ -1,14 +1,19 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Standalone Firewall</title> <title>Standalone Firewall</title>
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber6" bgcolor="#400169" height="90"> id="AutoNumber6" bgcolor="#400169" height="90">
@ -18,75 +23,91 @@
<h1 align="center"><font color="#ffffff">Standalone Firewall</font></h1> <h1 align="center"><font color="#ffffff">Standalone Firewall</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<h2 align="center">Version 2.0.1 Française</h2> <h2 align="center">Version 2.0.1 Française</h2>
<p align="left"><small><i><u>Notes du traducteur</u> :<br> <p align="left"><small><i><u>Notes du traducteur</u> :<br>
Je ne prétends pas être un vrai traducteur dans le sens ou mon travail Je ne prétends pas être un vrai traducteur dans le sens ou mon travail n'est
n'est pas des plus précis (loin de là...). Je ne me suis pas attaché à pas des plus précis (loin de là...). Je ne me suis pas attaché à une traduction
une traduction exacte du texte, mais plutôt à en faire une version exacte du texte, mais plutôt à en faire une version française intelligible
française intelligible par tous (et par moi). Les termes techniques sont par tous (et par moi). Les termes techniques sont la plupart du temps conservés
la plupart du temps conservés sous leur forme originale et mis entre sous leur forme originale et mis entre parenthèses car vous pouvez les retrouver
parenthèses car vous pouvez les retrouver dans le reste des dans le reste des documentations ainsi que dans les fichiers de configuration.
documentations ainsi que dans les fichiers de configuration. N?hésitez N?hésitez pas à me contacter afin d?améliorer ce document <a
pas à me contacter afin d?améliorer ce document <a href="mailto:vetsel.patrice@wanadoo.fr">VETSEL Patrice</a> (merci à JMM pour
href="mailto:vetsel.patrice@wanadoo.fr">VETSEL Patrice</a> (merci à JMM sa relecture et ses commentaires pertinents, ainsi qu'à Tom EASTEP pour son
pour sa relecture et ses commentaires pertinents, ainsi qu'à Tom EASTEP formidable outil et sa disponibilité)</i><i>.</i></small></p>
pour son formidable outil et sa disponibilité)</i><i>.</i></small></p>
<p align="left">Mettre en place un système Linux en tant que firewall <p align="left">Mettre en place un système Linux en tant que firewall (écluse)
(écluse) pour un petit réseau est une chose assez simple, si vous pour un petit réseau est une chose assez simple, si vous comprenez les bases
comprenez les bases et suivez la documentation.</p> et suivez la documentation.</p>
<p>Ce guide ne veut pas vous apprendre tous les rouages de Shorewall.
Il se focalise sur ce qui est nécessaire pour configurer Shorewall, dans <p>Ce guide ne veut pas vous apprendre tous les rouages de Shorewall. Il
son utilisation la plus courante :</p> se focalise sur ce qui est nécessaire pour configurer Shorewall, dans son
utilisation la plus courante :</p>
<ul> <ul>
<li>Un système Linux</li> <li>Un système Linux</li>
<li>Une seule adresse IP externe</li> <li>Une seule adresse IP externe</li>
<li>Une connexion passant par un modem câble, ADSL, ISDN, Frame <li>Une connexion passant par un modem câble, ADSL, ISDN, Frame Relay,
Relay, rtc...</li> rtc...</li>
</ul> </ul>
<p>Ce guide suppose que vous avez le paquet iproute/iproute2
d'installé. Vous pouvez voir si le paquet est installé en vérifiant la <p>Ce guide suppose que vous avez le paquet iproute/iproute2 d'installé.
présence du programme ip sur votre système de firewall. Sous root, Vous pouvez voir si le paquet est installé en vérifiant la présence du programme
utilisez la commande 'which' pour rechercher le programme :</p> ip sur votre système de firewall. Sous root, utilisez la commande 'which'
pour rechercher le programme :</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre> <pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
<p>Je vous recommande dans un premier temps de parcourir tout le guide
pour vous familiariser avec ce qu'il va se passer, et de revenir au <p>Je vous recommande dans un premier temps de parcourir tout le guide pour
début en effectuant le changements dans votre configuration. Les points, vous familiariser avec ce qu'il va se passer, et de revenir au début en effectuant
où les changements dans la configuration sont recommandées, sont le changements dans votre configuration. Les points, où les changements dans
signalés par une <img border="0" src="images/BD21298_.gif" width="13" la configuration sont recommandées, sont signalés par une <img
height="13"> .</p> border="0" src="images/BD21298_.gif" width="13" height="13">
<p><img border="0" src="images/j0213519.gif" width="60" height="60"> Si .</p>
vous éditez vos fichiers de configuration sur un système Windows, vous
devez les sauver comme des fichiers Unix si votre éditeur supporte cette <p><img border="0" src="images/j0213519.gif" width="60" height="60">
option sinon vous devez les faire passer par dos2unix avant d'essayer de Si vous éditez vos fichiers de configuration sur un système Windows, vous
les utiliser. De la même manière, si vous copiez un fichier de devez les sauver comme des fichiers Unix si votre éditeur supporte cette option
configuration depuis votre disque dur Windows vers une disquette, vous sinon vous devez les faire passer par dos2unix avant d'essayer de les utiliser.
devez lancer dos2unix sur la copie avant de l'utiliser avec Shorewall.</p> De la même manière, si vous copiez un fichier de configuration depuis votre
disque dur Windows vers une disquette, vous devez lancer dos2unix sur la
copie avant de l'utiliser avec Shorewall.</p>
<ul> <ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
of dos2unix</a></li> of dos2unix</a></li>
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux <li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version
Version of dos2unix</a></li> of dos2unix</a></li>
</ul> </ul>
<h2 align="left">Les Concepts de Shorewall</h2> <h2 align="left">Les Concepts de Shorewall</h2>
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13" <p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
alt=""> Les fichiers de configuration pour Shorewall sont situés dans alt="">
le répertoire /etc/shorewall -- pour de simples paramétrages, vous Les fichiers de configuration pour Shorewall sont situés dans le répertoire
n'avez à faire qu'avec quelques un d'entre eux comme décris dans ce /etc/shorewall -- pour de simples paramétrages, vous n'avez à faire qu'avec
guide. Après avoir <a href="Install.htm">installé Shorewall</a>, <b>téléchargez quelques un d'entre eux comme décris dans ce guide. Après avoir <a
le <a href="/pub/shorewall/LATEST.samples/one-interface.tgz">one-interface href="Install.htm">installé Shorewall</a>, <b>téléchargez le <a
sample</a>, un-tarez le (tar -zxvf one-interface.tgz) et copiez les href="http://france.shorewall.net/pub/shorewall/LATEST.samples/one-interface.tgz">one-interface
fichiers vers /etc/shorewall (Ils remplaceront les fichiers de même nom sample</a>, un-tarez le (tar -zxvf one-interface.tgz) et copiez les fichiers
déjà existant dans /etc/shorewall installés lors de l'installation de vers /etc/shorewall (Ils remplaceront les fichiers de même nom déjà existant
Shorewall)</b>.</p> dans /etc/shorewall installés lors de l'installation de Shorewall)</b>.</p>
<p>Parallèlement à la description, je vous suggère de jeter un oeil à
ceux physiquement présents sur votre système -- chacun des fichiers <p>Parallèlement à la description, je vous suggère de jeter un oeil à ceux
contient des instructions de configuration détaillées et des entrées par physiquement présents sur votre système -- chacun des fichiers contient des
défaut.</p> instructions de configuration détaillées et des entrées par défaut.</p>
<p>Shorewall voit le réseau où il tourne comme composé par un ensemble
de <i>zones.</i> Dans les fichiers de configuration fournis pour une <p>Shorewall voit le réseau où il tourne comme composé par un ensemble de
unique interface, une seule zone est définie :</p> <i>zones.</i> Dans les fichiers de configuration fournis pour une unique
interface, une seule zone est définie :</p>
<table border="0" style="border-collapse: collapse;" cellpadding="3" <table border="0" style="border-collapse: collapse;" cellpadding="3"
cellspacing="0" id="AutoNumber2"> cellspacing="0" id="AutoNumber2">
<tbody> <tbody>
@ -98,30 +119,39 @@ unique interface, une seule zone est d
<td><b>net</b></td> <td><b>net</b></td>
<td><b>The Internet</b></td> <td><b>The Internet</b></td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p>Les zones de Shorewall sont définies dans <a <p>Les zones de Shorewall sont définies dans <a
href="Documentation.htm#Zones"> /etc/shorewall/zones</a>.</p> href="Documentation.htm#Zones"> /etc/shorewall/zones</a>.</p>
<p>Shorewall reconnaît aussi le système de firewall comme sa propre
zone - par défaut, le firewall lui-même est connu en tant que <b>fw</b>.</p> <p>Shorewall reconnaît aussi le système de firewall comme sa propre zone
<p>Les règles concernant le trafic à autoriser ou à interdire sont - par défaut, le firewall lui-même est connu en tant que <b>fw</b>.</p>
exprimées en utilisant les termes de zones.</p>
<p>Les règles concernant le trafic à autoriser ou à interdire sont exprimées
en utilisant les termes de zones.</p>
<ul> <ul>
<li>Vous exprimez les politiques par défaut pour les connexions d'une <li>Vous exprimez les politiques par défaut pour les connexions d'une zone
zone à une autre dans le fichier<a href="Documentation.htm#Policy"> à une autre dans le fichier<a href="Documentation.htm#Policy"> /etc/shorewall/policy
/etc/shorewall/policy </a>.</li> </a>.</li>
<li>Vous définissez les exceptions à ces règles de politiques par <li>Vous définissez les exceptions à ces règles de politiques par défaut
défaut dans le fichier <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li> dans le fichier <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
</ul> </ul>
<p>Pour chacune des demandes de connexion entrantes dans le firewall,
les demandes sont en premier lieu comparées par rapport au fichier <p>Pour chacune des demandes de connexion entrantes dans le firewall, les
/etc/shorewall/rules. Si aucune des règles dans ce fichier ne demandes sont en premier lieu comparées par rapport au fichier /etc/shorewall/rules.
correspondent, alors la première politique dans /etc/shorewall/policy Si aucune des règles dans ce fichier ne correspondent, alors la première
qui y correspond est appliquée. Si cette politique est REJECT ou DROP la politique dans /etc/shorewall/policy qui y correspond est appliquée. Si cette
requête est alors comparée par rapport aux règles contenues dans politique est REJECT ou DROP la requête est alors comparée par rapport aux
/etc/shorewall/common (l'archive d'exemple vous fournit ce fichier).</p> règles contenues dans /etc/shorewall/common (l'archive d'exemple vous fournit
<p>Le fichier /etc/shorewall/policy d'exemple contenu dans l'archive ce fichier).</p>
one-interface a les politiques suivantes :</p>
<p>Le fichier /etc/shorewall/policy d'exemple contenu dans l'archive one-interface
a les politiques suivantes :</p>
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber3"> id="AutoNumber3">
@ -159,80 +189,95 @@ one-interface a les politiques suivantes :</p>
<td> <br> <td> <br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
<pre> </pre> <pre> </pre>
Ces politiques vont : Ces politiques vont :
<ol> <ol>
<li>permettre toutes demandes de connexion depuis le firewall vers <li>permettre toutes demandes de connexion depuis le firewall vers l'Internet</li>
l'Internet</li> <li>drop (ignorer) toutes les demandes de connexion depuis l'Internet vers
<li>drop (ignorer) toutes les demandes de connexion depuis l'Internet votre firewall</li>
vers votre firewall</li> <li>rejeter toutes les autres requêtes de connexion (Shorewall à besoin
<li>rejeter toutes les autres requêtes de connexion (Shorewall à de cette politique).</li>
besoin de cette politique).</li>
</ol> </ol>
<p>A ce point, éditez votre /etc/shorewall/policy et faites y les
changements que vous désirez.</p> <p>A ce point, éditez votre /etc/shorewall/policy et faites y les changements
que vous désirez.</p>
<h2 align="left">Interface Externe</h2> <h2 align="left">Interface Externe</h2>
<p align="left">Le firewall possède une seule interface réseau. Lorsque
la connexion Internet passe par un modem câble ou par un routeur ADSL <p align="left">Le firewall possède une seule interface réseau. Lorsque la
(pas un simple modem), l'<i>External Interface</i> (interface externe) connexion Internet passe par un modem câble ou par un routeur ADSL (pas un
sera l'adaptateur ethernet (<b>eth0</b>) qui y est connecté <u>à moins simple modem), l'<i>External Interface</i> (interface externe) sera l'adaptateur
que</u> vous vous connectiez par <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol ethernet (<b>eth0</b>) qui y est connecté <u>à moins que</u> vous vous connectiez
over <u>E</u>thernet</i> (PPPoE) ou <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling<u>P</u>rotocol</i>(PPTP) par <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol over <u>E</u>thernet</i>
dans ce cas l'interface externe sera <b>ppp0</b>. Si vous vous (PPPoE) ou <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling<u>P</u>rotocol</i>(PPTP)
connectez par un simple modem (RTC), votre interface externe sera aussi <b>ppp0</b>. dans ce cas l'interface externe sera <b>ppp0</b>. Si vous vous connectez
Si vous vous connectez en utilisant l'ISDN (numéris), votre interface par un simple modem (RTC), votre interface externe sera aussi <b>ppp0</b>.
externe sera<b> ippp0.</b></p> Si vous vous connectez en utilisant l'ISDN (numéris), votre interface externe
sera<b> ippp0.</b></p>
<p align="left"><img border="0" src="images/BD21298_3.gif" width="13" <p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
height="13"> L'exemple de configuration de Shorewall pour une interface height="13">
suppose que votre interface externe est <b>eth0</b>. Si votre L'exemple de configuration de Shorewall pour une interface suppose que votre
configuration est différente, vous devrez modifier le fichier d'exemple interface externe est <b>eth0</b>. Si votre configuration est différente,
/etc/shorewall/interfaces en conséquence. Puisque vous y êtes, vous vous devrez modifier le fichier d'exemple /etc/shorewall/interfaces en conséquence.
pourriez parcourir la liste d'options qui sont spécifiées pour Puisque vous y êtes, vous pourriez parcourir la liste d'options qui sont
l'interface. Quelques astuces :</p> spécifiées pour l'interface. Quelques astuces :</p>
<ul> <ul>
<li> <li>
<p align="left">Si votre interface externe est <b>ppp0</b> ou <b>ippp0</b>, <p align="left">Si votre interface externe est <b>ppp0</b> ou <b>ippp0</b>,
vous pouvez remplacer le "detect" dans la seconde colonne par un vous pouvez remplacer le "detect" dans la seconde colonne par un "-".
"-". </p> </p>
</li> </li>
<li> <li>
<p align="left"> Si votre interface externe est <b>ppp0</b> ou <b>ippp0</b> <p align="left"> Si votre interface externe est <b>ppp0</b> ou <b>ippp0</b>
ou bien si vous avez une adresse IP statique, vous pouvez enlever le ou bien si vous avez une adresse IP statique, vous pouvez enlever le "dhcp"
"dhcp" de la liste d'option. </p> de la liste d'option. </p>
</li> </li>
</ul> </ul>
<div align="left"> <div align="left">
<h2 align="left">Adresse IP</h2> <h2 align="left">Adresse IP</h2>
</div> </div>
<div align="left"> <div align="left">
<p align="left">La RFC 1918 définie plusieurs plage d'adresses IP <p align="left">La RFC 1918 définie plusieurs plage d'adresses IP privée
privée (<i>Private</i>IP) pour l'utilisation dans des réseaux privés :</p> (<i>Private</i>IP) pour l'utilisation dans des réseaux privés :</p>
<div align="left"> <div align="left">
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre> <pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
</div> </div>
<p align="left">Ces adresses sont parfois désignées comme étant <i>non-routables</i> <p align="left">Ces adresses sont parfois désignées comme étant <i>non-routables</i>
car les routeurs sur les backbones Internet ne font pas passer les car les routeurs sur les backbones Internet ne font pas passer les paquets
paquets dont les adresses de destinations sont définies dans la RFC dont les adresses de destinations sont définies dans la RFC 1918. Dans certains
1918. Dans certains cas, les fournisseurs (provider ou ISP) utilisent cas, les fournisseurs (provider ou ISP) utilisent ces adresses et utilisent
ces adresses et utilisent le <i>Network Address Translation </i>afin le <i>Network Address Translation </i>afin de récrire les entêtes des paquets
de récrire les entêtes des paquets lorsqu'ils les font circuler depuis lorsqu'ils les font circuler depuis ou vers l'Internet.</p>
ou vers l'Internet.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" align="left" <p align="left"><img border="0" src="images/BD21298_.gif" align="left"
width="13" height="13"> Avant de lancer Shorewall, vous devriez width="13" height="13">
regarder l'adresse de votre interface externe et si elle est comprise Avant de lancer Shorewall, vous devriez regarder l'adresse de votre interface
dans une des plages précédentes, vous devriez enlever l'option externe et si elle est comprise dans une des plages précédentes, vous devriez
'norfc1918' dans le fichier /etc/shorewall/interfaces.</p> enlever l'option 'norfc1918' dans le fichier /etc/shorewall/interfaces.</p>
</div> </div>
<div align="left"> <div align="left">
<h2 align="left">Permettre d'autres connexions</h2> <h2 align="left">Permettre d'autres connexions</h2>
</div> </div>
<div align="left"> <div align="left">
<p align="left">Si vous désirez autoriser d'autres connexions depuis <p align="left">Si vous désirez autoriser d'autres connexions depuis l'Internet
l'Internet vers votre firewall, le format général est :</p> vers votre firewall, le format général est :</p>
</div> </div>
<div align="left"> <div align="left">
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -258,14 +303,17 @@ l'Internet vers votre firewall, le format g
<td> <br> <td> <br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
</div> </div>
<div align="left"> <div align="left">
<p align="left">Exemple - Vous voulez faire tourner un serveur Web et <p align="left">Exemple - Vous voulez faire tourner un serveur Web et un
un serveur POP3 sur votre système de firewall :</p> serveur POP3 sur votre système de firewall :</p>
</div> </div>
<div align="left"> <div align="left">
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -302,20 +350,24 @@ un serveur POP3 sur votre syst
<td> <br> <td> <br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
</div> </div>
<div align="left"> <div align="left">
<p align="left">Si vous ne savez pas quel port ou protocole une <p align="left">Si vous ne savez pas quel port ou protocole une application
application particulière utilise, regardez <a href="ports.htm">ici</a>.</p> particulière utilise, regardez <a href="ports.htm">ici</a>.</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left"><b>Important: </b>Je ne vous recommande pas <p align="left"><b>Important: </b>Je ne vous recommande pas d'autoriser le
d'autoriser le telnet depuis ou vers l'Internet car il utilise du texte telnet depuis ou vers l'Internet car il utilise du texte en clair (même pour
en clair (même pour le login et le mot de passe !). Si vous voulez avoir le login et le mot de passe !). Si vous voulez avoir un accès au shell de
un accès au shell de votre firewall depuis Internet, utilisez SSH :</p> votre firewall depuis Internet, utilisez SSH :</p>
</div> </div>
<div align="left"> <div align="left">
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -341,61 +393,71 @@ un acc
<td> <br> <td> <br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
</div> </div>
<div align="left"> <div align="left">
<pre> ACCEPT net fw tcp 22</pre> <pre> ACCEPT net fw tcp 22</pre>
</div> </div>
<div align="left"> <div align="left">
<p align="left"><img border="0" src="images/BD21298_3.gif" width="13" <p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
height="13"> A ce point, éditez /etc/shorewall/rules pour rajouter height="13">
les autres connexions désirées.</p> A ce point, éditez /etc/shorewall/rules pour rajouter les autres connexions
désirées.</p>
</div> </div>
<div align="left"> <div align="left">
<h2 align="left">Lancer et Arrêter son Firewall</h2> <h2 align="left">Lancer et Arrêter son Firewall</h2>
</div> </div>
<div align="left"> <div align="left">
<p align="left"> <img border="0" src="images/BD21298_2.gif" width="13" <p align="left"> <img border="0" src="images/BD21298_2.gif" width="13"
height="13" alt="Arrow"> La <a href="Install.htm">procédure height="13" alt="Arrow">
d'installation </a> configure votre système pour lancer Shorewall au La <a href="Install.htm">procédure d'installation </a> configure votre système
boot du système, mais au début avec la version 1.3.9 de Shorewall le pour lancer Shorewall au boot du système, mais au début avec la version 1.3.9
lancement est désactivé, n'essayer pas de lancer Shorewall avec que la de Shorewall le lancement est désactivé, n'essayer pas de lancer Shorewall
configuration soit finie. Une fois que vous en aurez fini avec la avec que la configuration soit finie. Une fois que vous en aurez fini avec
configuration du firewall, vous pouvez permettre le lancement de la configuration du firewall, vous pouvez permettre le lancement de Shorewall
Shorewall en supprimant le fichier /etc/shorewall/startup_disabled.<br> en supprimant le fichier /etc/shorewall/startup_disabled.<br>
</p> </p>
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Les
utilisateurs des paquets .deb doivent éditer /etc/default/shorewall et <p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Les utilisateurs
mettre 'startup=1'.</font><br> des paquets .deb doivent éditer /etc/default/shorewall et mettre 'startup=1'.</font><br>
</p> </p>
</div> </div>
<div align="left"> <div align="left">
<p align="left">Le firewall est activé en utilisant la commande <p align="left">Le firewall est activé en utilisant la commande "shorewall
"shorewall start" et arrêté avec "shorewall stop". Lorsque le firewall start" et arrêté avec "shorewall stop". Lorsque le firewall est stoppé, le
est stoppé, le routage est autorisé sur les hôtes qui possèdent une routage est autorisé sur les hôtes qui possèdent une entrée dans <a
entrée dans <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. Un
Un firewall qui tourne peut être relancé en utilisant la commande firewall qui tourne peut être relancé en utilisant la commande "shorewall
"shorewall restart". Si vous voulez enlever toutes traces de Shorewall restart". Si vous voulez enlever toutes traces de Shorewall sur votre configuration
sur votre configuration de Netfilter, utilisez "shorewall clear".</p> de Netfilter, utilisez "shorewall clear".</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left"><b>ATTENTION: </b>Si vous êtes connecté à votre <p align="left"><b>ATTENTION: </b>Si vous êtes connecté à votre firewall
firewall depuis Internet, n'essayez pas une commande "shorewall stop" depuis Internet, n'essayez pas une commande "shorewall stop" tant que vous
tant que vous n'avez pas ajouté une entrée pour votre adresse IP (celle n'avez pas ajouté une entrée pour votre adresse IP (celle à partir de laquelle
à partir de laquelle vous êtes connectée) dans <a vous êtes connectée) dans <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. De la même manière, je ne vous recommande pas d'utiliser "shorewall restart";
De la même manière, je ne vous recommande pas d'utiliser "shorewall il est plus intéressant de créer une <i><a
restart"; il est plus intéressant de créer une <i><a
href="configuration_file_basics.htm#Configs">configuration alternative</a></i> href="configuration_file_basics.htm#Configs">configuration alternative</a></i>
et de la tester en utilisant la commande <a et de la tester en utilisant la commande <a
href="starting_and_stopping_shorewall.htm">"shorewall try"</a>.</p> href="starting_and_stopping_shorewall.htm">"shorewall try"</a>.</p>
</div> </div>
<p align="left"><font size="2">Last updated 12/9/2002 - <a <p align="left"><font size="2">Last updated 12/9/2002 - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002
Thomas M. Eastep</font></a></p> <p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas
M. Eastep</font></a></p>
<br>
<br> <br>
<br> <br>
<br> <br>


@ -2,73 +2,57 @@
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shorewall Support Guide</title> <title>Shorewall Support Guide</title>
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td
width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Support Guide<img <h1 align="center"><font color="#ffffff">Shorewall Support Guide<img
src="images/obrasinf.gif" alt="" width="90" height="90" align="middle"> src="images/obrasinf.gif" alt="" width="90" height="90" align="middle">
</font></h1> </font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<h2>Before Reporting a Problem or Asking a Question<br> <h2>Before Reporting a Problem or Asking a Question<br>
</h2> </h2>
There are a number There are a number
of sources of Shorewall information. Please try these before you post. of sources of Shorewall information. Please try these before you
post.
<ul> <ul>
<li>More than half of the questions posted <li>More than half of the questions
on the support list have answers directly accessible from the posted on the support list have answers directly accessible from
<a href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a><br> the <a href="shorewall_quickstart_guide.htm#Documentation">Documentation
Index</a><br>
</li> </li>
<li> The <a <li> The
href="FAQ.htm">FAQ</a> has solutions to more than 20 common problems. <a href="FAQ.htm">FAQ</a> has solutions to more than 20 common
</li> problems. </li>
<li> The <a <li> The <a
href="troubleshoot.htm">Troubleshooting</a> Information contains href="troubleshoot.htm">Troubleshooting</a> Information contains
a number of tips to help you solve common problems. a number of tips to help you solve common problems.
</li> </li>
<li> The <a <li> The <a
href="errata.htm"> Errata</a> has links to download updated href="errata.htm"> Errata</a> has links to download updated
components. </li> components. </li>
<li> The Site and
<li> The Site and Mailing Mailing List Archives search facility can locate documents and
List Archives search facility can locate documents and posts posts about similar problems: </li>
about similar problems: </li>
</ul> </ul>
<h2>Site and Mailing List Archive Search</h2> <h2>Site and Mailing List Archive Search</h2>
<blockquote> <blockquote>
@ -110,29 +94,28 @@
<h2>Problem Reporting Guidelines<br> <h2>Problem Reporting Guidelines<br>
</h2> </h2>
<ul> <ul>
<li>Please remember we only know what is posted <li>Please remember we only know what is posted
in your message. Do not leave out any information that appears in your message. Do not leave out any information that appears
to be correct, or was mentioned in a previous post. There have been to be correct, or was mentioned in a previous post. There have
countless posts by people who were sure that some part of their been countless posts by people who were sure that some part of
configuration was correct when it actually contained a small error. their configuration was correct when it actually contained a small
We tend to be skeptics where detail is lacking.<br> error. We tend to be skeptics where detail is lacking.<br>
<br> <br>
</li> </li>
<li>Please keep in mind that you're asking for <li>Please keep in mind that you're asking
<strong>free</strong> technical support. Any help we offer for <strong>free</strong> technical support. Any help we
is an act of generosity, not an obligation. Try to make it easy offer is an act of generosity, not an obligation. Try to make it
for us to help you. Follow good, courteous practices in writing easy for us to help you. Follow good, courteous practices in writing
and formatting your e-mail. Provide details that we need if you expect and formatting your e-mail. Provide details that we need if you expect
good answers. <em>Exact quoting </em> of error messages, log entries, good answers. <em>Exact quoting </em> of error messages, log entries,
command output, and other output is better than a paraphrase or summary.<br> command output, and other output is better than a paraphrase or summary.<br>
<br> <br>
</li> </li>
<li> Please <li> Please
don't describe your environment and then ask us to send you don't describe your environment and then ask us to send
custom configuration files. We're here to answer your you custom configuration files. We're here to answer
questions but we can't do your job for you.<br> your questions but we can't do your job for you.<br>
<br> <br>
</li> </li>
<li>When reporting a problem, <strong>ALWAYS</strong> <li>When reporting a problem, <strong>ALWAYS</strong>
@ -142,7 +125,6 @@ don't describe your environment and then ask us to send you
<ul> <ul>
<ul> <ul>
<li>the exact version of Shorewall you are <li>the exact version of Shorewall you are
running.<br> running.<br>
@ -151,10 +133,8 @@ running.<br>
</b> <br> </b> <br>
</li> </li>
</ul> </ul>
<ul> <ul>
<li>the exact kernel version you are running<br> <li>the exact kernel version you are running<br>
<br> <br>
@ -162,10 +142,8 @@ running.<br>
<br> <br>
</b></font></li> </b></font></li>
</ul> </ul>
<ul> <ul>
<li>the complete, exact output of<br> <li>the complete, exact output of<br>
<br> <br>
@ -173,10 +151,8 @@ running.<br>
<br> <br>
</b></font></li> </b></font></li>
</ul> </ul>
<ul> <ul>
<li>the complete, exact output of<br> <li>the complete, exact output of<br>
<br> <br>
@ -184,29 +160,14 @@ running.<br>
<br> <br>
</b></font></li> </b></font></li>
</ul> </ul>
<ul> <ul>
<li>If your kernel is modularized, the exact <li>If your kernel is modularized, the exact
output from<br> output from<br>
<br> <br>
<font color="#009900"><b>lsmod</b></font><br> <font color="#009900"><b>lsmod</b></font><br>
<br>
</li> </li>
<li>the exact wording of any <code
style="color: green; font-weight: bold;">ping</code> failure responses<br>
<br>
</li>
<li>If you installed Shorewall using one of the QuickStart
Guides, please indicate which one. <br>
<br>
</li>
<li><b>If you are running Shorewall under Mandrake
using the Mandrake installation of Shorewall, please say so.</b><br>
</li>
</ul> </ul>
@ -222,14 +183,28 @@ using the Mandrake installation of Shorewall, please say so.</b><br>
<br> <br>
2. Try the connection that is failing.<br> 2. Try the connection that is failing.<br>
<br> <br>
3.<b><font color="#009900"> /sbin/shorewall status &gt; /tmp/status.txt</font></b><br> 3.<b><font color="#009900"> /sbin/shorewall status &gt;
/tmp/status.txt</font></b><br>
<br> <br>
4. Post the /tmp/status.txt file as an attachment.<br> 4. Post the /tmp/status.txt file as an attachment.<br>
<br> <br>
</li> </li>
<li>the exact wording of any <code
style="color: green; font-weight: bold;">ping</code> failure responses<br>
<br>
</li>
<li>If you installed Shorewall using one of the QuickStart Guides,
please indicate which one. <br>
<br>
</li>
<li><b>If you are running Shorewall under Mandrake using the Mandrake
installation of Shorewall, please say so.<br>
<br>
</b></li>
</ul> </ul>
<li>As a general <li>As a
matter, please <strong>do not edit the diagnostic information</strong> general matter, please <strong>do not edit the diagnostic information</strong>
in an attempt to conceal your IP address, netmask, nameserver in an attempt to conceal your IP address, netmask, nameserver
addresses, domain name, etc. These aren't secrets, and concealing addresses, domain name, etc. These aren't secrets, and concealing
them often misleads us (and 80% of the time, a hacker could derive them them often misleads us (and 80% of the time, a hacker could derive them
@ -238,47 +213,42 @@ addresses, domain name, etc. These aren't secrets, and concealing
<strong></strong></li> <strong></strong></li>
<li>Do you see any "Shorewall" messages ("<b><font <li>Do you see any "Shorewall" messages ("<b><font
color="#009900">/sbin/shorewall show log</font></b>") when color="#009900">/sbin/shorewall show log</font></b>") when
you exercise the function that is giving you problems? If so, you exercise the function that is giving you problems? If so, include
include the message(s) in your post along with a copy of your /etc/shorewall/interfaces the message(s) in your post along with a copy of your /etc/shorewall/interfaces
file.<br> file.<br>
<br> <br>
</li> </li>
<li>Please include any of the Shorewall configuration files <li>Please include any of the Shorewall configuration files
(especially the /etc/shorewall/hosts file if you have (especially the /etc/shorewall/hosts file if you have
modified that file) that you think are relevant. If you modified that file) that you think are relevant. If
include /etc/shorewall/rules, please include /etc/shorewall/policy you include /etc/shorewall/rules, please include /etc/shorewall/policy
as well (rules are meaningless unless one also knows the policies).<br> as well (rules are meaningless unless one also knows the policies).<br>
<br> <br>
</li> </li>
<li>If an error occurs when you try to "<font <li>If an error occurs when you try to "<font
color="#009900"><b>shorewall start</b></font>", include a color="#009900"><b>shorewall start</b></font>", include a trace
trace (See the <a href="troubleshoot.htm">Troubleshooting</a> (See the <a href="troubleshoot.htm">Troubleshooting</a> section for
section for instructions).<br> instructions).<br>
<br> <br>
</li> </li>
<li><b>The list server limits posts to 120kb so don't post GIFs <li><b>The list server limits posts to 120kb so don't post
of your network layout, etc. to the Mailing GIFs of your network layout, etc. to the Mailing
List -- your post will be rejected.</b></li> List -- your post will be rejected.</b></li>
</ul> </ul>
<blockquote> <blockquote> The author gratefully acknowleges that the above list was
heavily plagiarized from the excellent LEAF document by <i>Ray</i>
<em>Olszewski</em> found at <a
The author gratefully acknowleges that the above list was heavily
plagiarized from the excellent LEAF document by <i>Ray</i> <em>Olszewski</em>
found at <a
href="http://leaf-project.org/pub/doc/docmanager/docid_1891.html">http://leaf-project.org/pub/doc/docmanager/docid_1891.html</a>.<br> href="http://leaf-project.org/pub/doc/docmanager/docid_1891.html">http://leaf-project.org/pub/doc/docmanager/docid_1891.html</a>.<br>
</blockquote> </blockquote>
<h2>When using the mailing list, please post in plain text</h2> <h2>When using the mailing list, please post in plain text</h2>
<blockquote> <blockquote> A growing number of MTAs serving list subscribers are
A growing number of MTAs serving list subscribers are rejecting rejecting all HTML traffic. At least one MTA has gone so far as to
all HTML traffic. At least one MTA has gone so far as to blacklist blacklist shorewall.net "for continuous abuse" because it has been
shorewall.net "for continuous abuse" because it has been my policy my policy to allow HTML in list posts!!<br>
to allow HTML in list posts!!<br>
<br> <br>
I think that blocking all HTML is a Draconian I think that blocking all HTML is a Draconian
way to control spam and that the ultimate losers here are not way to control spam and that the ultimate losers here are not
@ -291,12 +261,9 @@ have now configured the list server at shorewall.net to strip all HTML
from outgoing posts.<br> from outgoing posts.<br>
</blockquote> </blockquote>
<h2>Where to Send your Problem Report or to Ask for Help</h2> <h2>Where to Send your Problem Report or to Ask for Help</h2>
<blockquote> <blockquote>
<h4>If you run Shorewall under Bering -- <span <h4>If you run Shorewall under Bering -- <span
style="font-weight: 400;">please post your question or problem style="font-weight: 400;">please post your question or problem
to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF
@ -306,11 +273,10 @@ Multi Network Firewall (MNF) and you have not purchased an MNF
license from MandrakeSoft then you can post non MNF-specific Shorewall license from MandrakeSoft then you can post non MNF-specific Shorewall
questions to the </b><a questions to the </b><a
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
list</a> or to the <a list</a> or the <a
href="http://www.developercube.com/forum/index.php?c=8">Shorewall Support href="http://www.developercube.com/forum/index.php?c=8">Shorewall Support
Forum</a>. <b>Do not expect to get free MNF support on the list or forum.</b><br> Forum</a>. <b>Do not expect to get free MNF support on the list or forum.</b><br>
<p>Otherwise, please post your question or problem to the <a <p>Otherwise, please post your question or problem to the <a
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
list</a> or to the <a list</a> or to the <a
@ -322,17 +288,11 @@ Forum</a>.<br>
</p> </p>
</blockquote> </blockquote>
<p>For information on other Shorewall mailing lists, go to <a <p>For information on other Shorewall mailing lists, go to <a
href="http://lists.shorewall.net/mailing_list.htm">http://lists.shorewall.net/mailing_list.htm</a><br> href="http://lists.shorewall.net/mailing_list.htm">http://lists.shorewall.net/mailing_list.htm</a><br>
</p> </p>
<p align="left"><font size="2">Last Updated 4/10/2003 - Tom Eastep</font></p>
<p align="left"><font size="2">Last Updated 3/17/2003 - Tom Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br> size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
@ -341,5 +301,8 @@ Forum</a>.<br>
<br> <br>
<br> <br>
<br> <br>
<br>
<br>
<br>
</body> </body>
</html> </html>


@ -20,7 +20,6 @@
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Three-Interface Firewall</font></h1> <h1 align="center"><font color="#ffffff">Three-Interface Firewall</font></h1>
</td> </td>
</tr> </tr>
@ -39,8 +38,8 @@ basics and follow the documentation.</p>
in one of its more popular configurations:</p> in one of its more popular configurations:</p>
<ul> <ul>
<li>Linux system used as a firewall/router for a small local <li>Linux system used as a firewall/router for a small
network.</li> local network.</li>
<li>Single public IP address.</li> <li>Single public IP address.</li>
<li>DMZ connected to a separate ethernet interface.</li> <li>DMZ connected to a separate ethernet interface.</li>
<li>Connection through DSL, Cable Modem, ISDN, Frame Relay, <li>Connection through DSL, Cable Modem, ISDN, Frame Relay,
@ -75,16 +74,15 @@ tell if this package is installed by the presence of an <b>ip</b> program
    If you edit your configuration files on a Windows system,     If you edit your configuration files on a Windows system,
you must save them as Unix files if your editor supports that option you must save them as Unix files if your editor supports that option
or you must run them through dos2unix before trying to use them. Similarly, or you must run them through dos2unix before trying to use them. Similarly,
if you copy a configuration file from your Windows hard drive to a if you copy a configuration file from your Windows hard drive to a floppy
floppy disk, you must run dos2unix against the copy before using it with disk, you must run dos2unix against the copy before using it with Shorewall.</p>
Shorewall.</p>
<ul> <ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows
Version of dos2unix</a></li> Version of dos2unix</a></li>
<li><a <li><a
href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version of
of dos2unix</a></li> dos2unix</a></li>
</ul> </ul>
@ -93,17 +91,17 @@ of dos2unix</a></li>
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13" <p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
alt=""> alt="">
    The configuration files for Shorewall are contained in the directory     The configuration files for Shorewall are contained in the directory
/etc/shorewall -- for simple setups, you will only need to deal with /etc/shorewall -- for simple setups, you will only need to deal with a
a few of these as described in this guide. After you have <a few of these as described in this guide. After you have <a
href="Install.htm">installed Shorewall</a>, <b>download the <a href="Install.htm">installed Shorewall</a>, <b>download the <a
href="/pub/shorewall/LATEST.samples/three-interfaces.tgz">three-interface href="http://www.shorewall.net/pub/shorewall/LATEST.samples/three-interfaces.tgz">three-interface
sample</a>, un-tar it (tar -zxvf three-interfaces.tgz) and and copy sample</a>, un-tar it (tar -zxvf three-interfaces.tgz) and and copy
the files to /etc/shorewall (the files will replace files with the the files to /etc/shorewall (the files will replace files with the same
same names that were placed in /etc/shorewall when Shorewall was installed)</b>.</p> names that were placed in /etc/shorewall when Shorewall was installed)</b>.</p>
<p>As each file is introduced, I suggest that you look through the actual <p>As each file is introduced, I suggest that you look through the actual
file on your system -- each file contains detailed configuration file on your system -- each file contains detailed configuration instructions
instructions and default entries.</p> and default entries.</p>
<p>Shorewall views the network where it is running as being composed of a <p>Shorewall views the network where it is running as being composed of a
set of <i>zones.</i> In the three-interface sample configuration, set of <i>zones.</i> In the three-interface sample configuration,
@ -144,8 +142,8 @@ the following zone names are used:</p>
<li>You express your default policy for connections from <li>You express your default policy for connections from
one zone to another zone in the<a one zone to another zone in the<a
href="Documentation.htm#Policy"> /etc/shorewall/policy </a>file.</li> href="Documentation.htm#Policy"> /etc/shorewall/policy </a>file.</li>
<li>You define exceptions to those default policies in the <li>You define exceptions to those default policies in
<a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li> the <a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
</ul> </ul>
@ -192,7 +190,6 @@ DROP
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -220,7 +217,6 @@ DROP
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -232,8 +228,8 @@ DROP
to the internet</li> to the internet</li>
<li>drop (ignore) all connection requests from the internet <li>drop (ignore) all connection requests from the internet
to your firewall or local network</li> to your firewall or local network</li>
<li>optionally accept all connection requests from the firewall <li>optionally accept all connection requests from the
to the internet (if you uncomment the additional policy)</li> firewall to the internet (if you uncomment the additional policy)</li>
<li>reject all other connection requests.</li> <li>reject all other connection requests.</li>
</ol> </ol>
@ -266,9 +262,9 @@ If you connect using ISDN, you external interface will be <b>ippp0.</b></p>
<p align="left">Your <i>Local Interface</i> will be an ethernet adapter (eth0, <p align="left">Your <i>Local Interface</i> will be an ethernet adapter (eth0,
eth1 or eth2) and will be connected to a hub or switch. Your local eth1 or eth2) and will be connected to a hub or switch. Your local
computers will be connected to the same switch (note: If you have computers will be connected to the same switch (note: If you have only
only a single local system, you can connect the firewall directly to a single local system, you can connect the firewall directly to the
the computer using a <i>cross-over </i> cable).</p> computer using a <i>cross-over </i> cable).</p>
<p align="left">Your <i>DMZ Interface</i> will also be an ethernet adapter <p align="left">Your <i>DMZ Interface</i> will also be an ethernet adapter
(eth0, eth1 or eth2) and will be connected to a hub or switch. Your (eth0, eth1 or eth2) and will be connected to a hub or switch. Your
@ -294,15 +290,13 @@ is different, you will have to modify the sample /etc/shorewall/interfaces
<ul> <ul>
<li> <li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>, <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>,
you can replace the "detect" in the second column with "-". </p> you can replace the "detect" in the second column with "-". </p>
</li> </li>
<li> <li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b> <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>
or if you have a static IP address, you can remove "dhcp" from or if you have a static IP address, you can remove "dhcp" from the
the option list. </p> option list. </p>
</li> </li>
</ul> </ul>
@ -312,16 +306,15 @@ the option list. </p>
<p align="left">Before going further, we should say a few words about Internet <p align="left">Before going further, we should say a few words about Internet
Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you
a single <i> Public</i> IP address. This address may be assigned via a single <i> Public</i> IP address. This address may be assigned via
the<i> Dynamic Host Configuration Protocol</i> (DHCP) or as part of the<i> Dynamic Host Configuration Protocol</i> (DHCP) or as part of establishing
establishing your connection when you dial in (standard modem) or establish your connection when you dial in (standard modem) or establish your PPP
your PPP connection. In rare cases, your ISP may assign you a<i> static</i> connection. In rare cases, your ISP may assign you a<i> static</i> IP
IP address; that means that you configure your firewall's external interface address; that means that you configure your firewall's external interface
to use that address permanently.<i> </i>Regardless of how the address to use that address permanently.<i> </i>Regardless of how the address
is assigned, it will be shared by all of your systems when you access is assigned, it will be shared by all of your systems when you access the
the Internet. You will have to assign your own addresses for your internal Internet. You will have to assign your own addresses for your internal network
network (the local and DMZ Interfaces on your firewall plus your other (the local and DMZ Interfaces on your firewall plus your other computers).
computers). RFC 1918 reserves several <i>Private </i>IP address ranges for RFC 1918 reserves several <i>Private </i>IP address ranges for this purpose:</p>
this purpose:</p>
<div align="left"> <div align="left">
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre> <pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
@ -341,8 +334,8 @@ interface's entry in /etc/shorewall/interfaces.</p>
sub-network </i>or <i>subnet</i> and your DMZ addresses from another sub-network </i>or <i>subnet</i> and your DMZ addresses from another
subnet. For our purposes, we can consider a subnet to consists of subnet. For our purposes, we can consider a subnet to consists of
a range of addresses x.y.z.0 - x.y.z.255. Such a subnet will have a a range of addresses x.y.z.0 - x.y.z.255. Such a subnet will have a
<i>Subnet Mask </i>of 255.255.255.0. The address x.y.z.0 is reserved as <i>Subnet Mask </i>of 255.255.255.0. The address x.y.z.0 is reserved
the <i>Subnet Address</i> and x.y.z.255 is reserved as the <i>Subnet as the <i>Subnet Address</i> and x.y.z.255 is reserved as the <i>Subnet
Broadcast</i> <i>Address</i>. In Shorewall, a subnet is described using <a Broadcast</i> <i>Address</i>. In Shorewall, a subnet is described using <a
href="shorewall_setup_guide.htm#Subnets"><i>Classless InterDomain Routing href="shorewall_setup_guide.htm#Subnets"><i>Classless InterDomain Routing
</i>(CIDR)</a> notation with consists of the subnet address followed </i>(CIDR)</a> notation with consists of the subnet address followed
@ -376,7 +369,6 @@ Broadcast</i> <i>Address</i>. In Shorewall, a subnet is described using
<td>10.10.10.0/24</td> <td>10.10.10.0/24</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -408,8 +400,8 @@ example) or the last usable address (10.10.10.254).</p>
<p align="left">The foregoing short discussion barely scratches the surface <p align="left">The foregoing short discussion barely scratches the surface
regarding subnetting and routing. If you are interested in learning regarding subnetting and routing. If you are interested in learning
more about IP addressing and routing, I highly recommend <i>"IP Fundamentals: more about IP addressing and routing, I highly recommend <i>"IP Fundamentals:
What Everyone Needs to Know about Addressing &amp; Routing",</i> What Everyone Needs to Know about Addressing &amp; Routing",</i> Thomas
Thomas A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p> A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
<p align="left">The remainder of this quide will assume that you have configured <p align="left">The remainder of this quide will assume that you have configured
your network as shown here:</p> your network as shown here:</p>
@ -425,10 +417,10 @@ Thomas A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13" <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13" alt=""> height="13" alt="">
    <font color="#ff0000"><b>WARNING: </b></font><b>Your ISP  might assign     <font color="#ff0000"><b>WARNING: </b></font><b>Your ISP  might assign
your external interface an RFC 1918 address. If that address is in the your external interface an RFC 1918 address. If that address is in the 10.10.10.0/24
10.10.10.0/24 subnet then you will need to select a DIFFERENT RFC 1918 subnet then you will need to select a DIFFERENT RFC 1918 subnet for your
subnet for your local network and if it is in the 10.10.11.0/24 subnet then local network and if it is in the 10.10.11.0/24 subnet then you will need
you will need to select a different RFC 1918 subnet for your DMZ.</b><br> to select a different RFC 1918 subnet for your DMZ.</b><br>
</p> </p>
<p align="left">IP Masquerading (SNAT)</p> <p align="left">IP Masquerading (SNAT)</p>
@ -438,30 +430,28 @@ you will need to select a different RFC 1918 subnet for your DMZ.</b><br>
forward packets which have an RFC-1918 destination address. When one forward packets which have an RFC-1918 destination address. When one
of your local systems (let's assume local computer 1) sends a connection of your local systems (let's assume local computer 1) sends a connection
request to an internet host, the firewall must perform <i>Network Address request to an internet host, the firewall must perform <i>Network Address
Translation </i>(NAT). The firewall rewrites the source address in Translation </i>(NAT). The firewall rewrites the source address in the
the packet to be the address of the firewall's external interface; in packet to be the address of the firewall's external interface; in other
other words, the firewall makes it look as if the firewall itself is words, the firewall makes it look as if the firewall itself is initiating
initiating the connection.  This is necessary so that the destination the connection.  This is necessary so that the destination host will
host will be able to route return packets back to the firewall (remember be able to route return packets back to the firewall (remember that
that packets whose destination address is reserved by RFC 1918 can't packets whose destination address is reserved by RFC 1918 can't be routed
be routed accross the internet). When the firewall receives a return accross the internet). When the firewall receives a return packet, it
packet, it rewrites the destination address back to 10.10.10.1 and rewrites the destination address back to 10.10.10.1 and forwards the
forwards the packet on to local computer 1. </p> packet on to local computer 1. </p>
<p align="left">On Linux systems, the above process is often referred to <p align="left">On Linux systems, the above process is often referred to as<i>
as<i> IP Masquerading</i> and you will also see the term <i>Source Network IP Masquerading</i> and you will also see the term <i>Source Network Address
Address Translation </i>(SNAT) used. Shorewall follows the convention used Translation </i>(SNAT) used. Shorewall follows the convention used with
with Netfilter:</p> Netfilter:</p>
<ul> <ul>
<li> <li>
<p align="left"><i>Masquerade</i> describes the case where you let your <p align="left"><i>Masquerade</i> describes the case where you let your
firewall system automatically detect the external interface address. firewall system automatically detect the external interface address.
</p> </p>
</li> </li>
<li> <li>
<p align="left"><i>SNAT</i> refers to the case when you explicitly specify <p align="left"><i>SNAT</i> refers to the case when you explicitly specify
the source address that you want outbound packets from your local the source address that you want outbound packets from your local
network to use. </p> network to use. </p>
@ -475,8 +465,8 @@ with Netfilter:</p>
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13" <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13"> height="13">
    If your external firewall interface is <b>eth0</b>, your     If your external firewall interface is <b>eth0</b>, your
local interface <b>eth1 </b>and your DMZ interface is <b>eth2</b> local interface <b>eth1 </b>and your DMZ interface is <b>eth2</b> then
then you do not need to modify the file provided with the sample. Otherwise, you do not need to modify the file provided with the sample. Otherwise,
edit /etc/shorewall/masq and change it to match your configuration.</p> edit /etc/shorewall/masq and change it to match your configuration.</p>
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13" <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
@ -491,8 +481,8 @@ your static IP in column 3 makes <br>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13" <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13" alt=""> height="13" alt="">
    If you are using the Debian package, please check your shorewall.conf     If you are using the Debian package, please check your shorewall.conf
file to ensure that the following are set correctly; if they are not, file to ensure that the following are set correctly; if they are not, change
change them appropriately:<br> them appropriately:<br>
</p> </p>
<ul> <ul>
@ -506,16 +496,16 @@ change them appropriately:<br>
<p align="left">One of your goals will be to run one or more servers on your <p align="left">One of your goals will be to run one or more servers on your
DMZ computers. Because these computers have RFC-1918 addresses, it DMZ computers. Because these computers have RFC-1918 addresses, it
is not possible for clients on the internet to connect directly to is not possible for clients on the internet to connect directly to them.
them. It is rather necessary for those clients to address their connection It is rather necessary for those clients to address their connection
requests to your firewall who rewrites the destination address to the requests to your firewall who rewrites the destination address to the
address of your server and forwards the packet to that server. When your address of your server and forwards the packet to that server. When your
server responds, the firewall automatically performs SNAT to rewrite server responds, the firewall automatically performs SNAT to rewrite
the source address in the response.</p> the source address in the response.</p>
<p align="left">The above process is called<i> Port Forwarding</i> or <i> <p align="left">The above process is called<i> Port Forwarding</i> or <i>
Destination Network Address Translation</i> (DNAT). You configure port Destination Network Address Translation</i> (DNAT). You configure
forwarding using DNAT rules in the /etc/shorewall/rules file.</p> port forwarding using DNAT rules in the /etc/shorewall/rules file.</p>
<p>The general form of a simple port forwarding rule in /etc/shorewall/rules <p>The general form of a simple port forwarding rule in /etc/shorewall/rules
is:</p> is:</p>
@ -544,13 +534,12 @@ them. It is rather necessary for those clients to address their connection
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
<p>If you don't specify the <i>&lt;server port&gt;</i>, it is assumed to <p>If you don't specify the <i>&lt;server port&gt;</i>, it is assumed to be
be the same as <i>&lt;port&gt;</i>.</p> the same as <i>&lt;port&gt;</i>.</p>
<p>Example - you run a Web Server on DMZ 2 and you want to forward incoming <p>Example - you run a Web Server on DMZ 2 and you want to forward incoming
TCP port 80 to that system:</p> TCP port 80 to that system:</p>
@ -587,7 +576,6 @@ be the same as <i>&lt;port&gt;</i>.</p>
<td>from the local network</td> <td>from the local network</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -598,8 +586,8 @@ be the same as <i>&lt;port&gt;</i>.</p>
<li>When you are connecting to your server from your local <li>When you are connecting to your server from your local
systems, you must use the server's internal IP address (10.10.11.2).</li> systems, you must use the server's internal IP address (10.10.11.2).</li>
<li>Many ISPs block incoming connection requests to port <li>Many ISPs block incoming connection requests to port
80. If you have problems connecting to your web server, try the following 80. If you have problems connecting to your web server, try the
rule and try connecting to port 5000 (e.g., connect to <a following rule and try connecting to port 5000 (e.g., connect to <a
href="http://w.x.y.z:5000"> http://w.x.y.z:5000</a> where w.x.y.z is your href="http://w.x.y.z:5000"> http://w.x.y.z:5000</a> where w.x.y.z is your
external IP).</li> external IP).</li>
@ -628,14 +616,13 @@ be the same as <i>&lt;port&gt;</i>.</p>
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
<p>If you want to be able to access your server from the local network using <p>If you want to be able to access your server from the local network using
your external address, then if you have a static external IP you your external address, then if you have a static external IP you can
can replace the loc-&gt;dmz rule above with:</p> replace the loc-&gt;dmz rule above with:</p>
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -660,7 +647,6 @@ can replace the loc-&gt;dmz rule above with:</p>
<td><i>&lt;external IP&gt;</i></td> <td><i>&lt;external IP&gt;</i></td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -702,7 +688,6 @@ can replace the loc-&gt;dmz rule above with:</p>
<td>$ETH0_IP</td> <td>$ETH0_IP</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -718,16 +703,15 @@ servers. </p>
<p align="left">Normally, when you connect to your ISP, as part of getting <p align="left">Normally, when you connect to your ISP, as part of getting
an IP address your firewall's <i>Domain Name Service </i>(DNS) resolver an IP address your firewall's <i>Domain Name Service </i>(DNS) resolver
will be automatically configured (e.g., the /etc/resolv.conf file will be automatically configured (e.g., the /etc/resolv.conf file will
will be written). Alternatively, your ISP may have given you the IP be written). Alternatively, your ISP may have given you the IP address
address of a pair of DNS <i> name servers</i> for you to manually configure of a pair of DNS <i> name servers</i> for you to manually configure as
as your primary and secondary name servers. It is <u>your</u> responsibility your primary and secondary name servers. It is <u>your</u> responsibility
to configure the resolver in your internal systems. You can take one to configure the resolver in your internal systems. You can take one
of two approaches:</p> of two approaches:</p>
<ul> <ul>
<li> <li>
<p align="left">You can configure your internal systems to use your ISP's <p align="left">You can configure your internal systems to use your ISP's
name servers. If you ISP gave you the addresses of their servers name servers. If you ISP gave you the addresses of their servers
or if those addresses are available on their web site, you can configure or if those addresses are available on their web site, you can configure
@ -737,27 +721,25 @@ as your primary and secondary name servers. It is <u>your</u> responsibili
</p> </p>
</li> </li>
<li> <li>
<p align="left"><img border="0" src="images/BD21298_2.gif" <p align="left"><img border="0" src="images/BD21298_2.gif"
width="13" height="13"> width="13" height="13">
    You can configure a<i> Caching Name Server </i>on your     You can configure a<i> Caching Name Server </i>on your
firewall or in your DMZ.<i> </i>Red Hat has an RPM for a caching firewall or in your DMZ.<i> </i>Red Hat has an RPM for a caching name
name server (which also requires the 'bind' RPM) and for Bering server (which also requires the 'bind' RPM) and for Bering users,
users, there is dnscache.lrp. If you take this approach, you configure there is dnscache.lrp. If you take this approach, you configure your
your internal systems to use the caching name server as their primary internal systems to use the caching name server as their primary (and
(and only) name server. You use the internal IP address of the firewall only) name server. You use the internal IP address of the firewall (10.10.10.254
(10.10.10.254 in the example above) for the name server address if in the example above) for the name server address if you choose to
you choose to run the name server on your firewall. To allow your local run the name server on your firewall. To allow your local systems to
systems to talk to your caching name server, you must open port 53 talk to your caching name server, you must open port 53 (both UDP
(both UDP and TCP) from the local network to the server; you do that and TCP) from the local network to the server; you do that by adding
by adding the rules in /etc/shorewall/rules. </p> the rules in /etc/shorewall/rules. </p>
</li> </li>
</ul> </ul>
<blockquote> <blockquote>
<p align="left">If you run the name server on the firewall: <p align="left">If you run the name server on the firewall:
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber4"> id="AutoNumber4">
<tbody> <tbody>
@ -807,7 +789,6 @@ by adding the rules in /etc/shorewall/rules. </p>
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</p> </p>
@ -866,7 +847,6 @@ by adding the rules in /etc/shorewall/rules. </p>
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -913,7 +893,6 @@ by adding the rules in /etc/shorewall/rules. </p>
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -921,8 +900,8 @@ by adding the rules in /etc/shorewall/rules. </p>
<div align="left"> <div align="left">
<p align="left">Those rules allow DNS access from your firewall and may be <p align="left">Those rules allow DNS access from your firewall and may be
removed if you commented out the line in /etc/shorewall/policy removed if you commented out the line in /etc/shorewall/policy allowing
allowing all connections from the firewall to the internet.</p> all connections from the firewall to the internet.</p>
</div> </div>
<div align="left"> <div align="left">
@ -962,7 +941,6 @@ allowing all connections from the firewall to the internet.</p>
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -1003,7 +981,6 @@ allowing all connections from the firewall to the internet.</p>
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -1047,7 +1024,6 @@ allowing all connections from the firewall to the internet.</p>
<td>from the internet</td> <td>from the internet</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -1059,8 +1035,8 @@ allowing all connections from the firewall to the internet.</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left">If you don't know what port and protocol a particular <p align="left">If you don't know what port and protocol a particular application
application uses, look <a href="ports.htm">here</a>.</p> uses, look <a href="ports.htm">here</a>.</p>
</div> </div>
<div align="left"> <div align="left">
@ -1093,7 +1069,6 @@ application uses, look <a href="ports.htm">here</a>.</p>
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -1146,7 +1121,6 @@ with Jacques's Shorewall configuration.<br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -1165,12 +1139,12 @@ with Jacques's Shorewall configuration.<br>
<div align="left"> <div align="left">
<p align="left"> <img border="0" src="images/BD21298_2.gif" <p align="left"> <img border="0" src="images/BD21298_2.gif"
width="13" height="13" alt="Arrow"> width="13" height="13" alt="Arrow">
    The <a href="Install.htm">installation procedure </a> configures     The <a href="Install.htm">installation procedure </a>
your system to start Shorewall at system boot  but beginning with Shorewall configures your system to start Shorewall at system boot  but beginning
version 1.3.9 startup is disabled so that your system won't try to start with Shorewall version 1.3.9 startup is disabled so that your system
Shorewall before configuration is complete. Once you have completed configuration won't try to start Shorewall before configuration is complete. Once you
of your firewall, you can enable Shorewall startup by removing the file have completed configuration of your firewall, you can enable Shorewall
/etc/shorewall/startup_disabled.<br> startup by removing the file /etc/shorewall/startup_disabled.<br>
</p> </p>
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: </font><font <p align="left"><font color="#ff0000"><b>IMPORTANT</b>: </font><font
@ -1205,8 +1179,8 @@ set of hosts, modify /etc/shorewall/routestopped accordingly.</p>
have added an entry for the IP address that you are connected from have added an entry for the IP address that you are connected from
to <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. to <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better to create Also, I don't recommend using "shorewall restart"; it is better to create
an <i><a href="configuration_file_basics.htm#Configs">alternate an <i><a href="configuration_file_basics.htm#Configs">alternate configuration</a></i>
configuration</a></i> and test it using the <a and test it using the <a
href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p> href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p>
</div> </div>
@ -1230,5 +1204,6 @@ configuration</a></i> and test it using the <a
<br> <br>
<br> <br>
<br> <br>
<br>
</body> </body>
</html> </html>


@ -30,16 +30,16 @@
<h2 align="center">Version 2.0.1 Française</h2> <h2 align="center">Version 2.0.1 Française</h2>
<p align="left"><small><i><u>Notes du traducteur</u> :<br> <p align="left"><small><i><u>Notes du traducteur</u> :<br>
Je ne prétends pas être un vrai traducteur dans le sens ou mon travail n?est Je ne prétends pas être un vrai traducteur dans le sens ou mon travail
pas des plus précis (loin de là...). Je ne me suis pas attaché à une traduction n?est pas des plus précis (loin de là...). Je ne me suis pas attaché à une
exacte du texte, mais plutôt à en faire une version française intelligible traduction exacte du texte, mais plutôt à en faire une version française
par tous (et par moi). Les termes techniques sont la plupart du temps conservés intelligible par tous (et par moi). Les termes techniques sont la plupart
sous leur forme originale et mis entre parenthèses car vous pouvez les retrouver du temps conservés sous leur forme originale et mis entre parenthèses car
dans le reste des documentations ainsi que dans les fichiers de configuration. vous pouvez les retrouver dans le reste des documentations ainsi que dans
N?hésitez pas à me contacter afin d?améliorer ce document <a les fichiers de configuration. N?hésitez pas à me contacter afin d?améliorer
href="mailto:vetsel.patrice@wanadoo.fr">VETSEL Patrice</a> (merci à JMM pour ce document <a href="mailto:vetsel.patrice@wanadoo.fr">VETSEL Patrice</a>
sa relecture et ses commentaires pertinents, ainsi qu'à Tom EASTEP pour son (merci à JMM pour sa relecture et ses commentaires pertinents, ainsi qu'à
formidable outil et sa disponibilité).</i></small></p> Tom EASTEP pour son formidable outil et sa disponibilité).</i></small></p>
<p align="left"><br> <p align="left"><br>
Mettre en place un système linux en tant que firewall pour un petit réseau Mettre en place un système linux en tant que firewall pour un petit réseau
@ -66,8 +66,8 @@ RTC, ...</li>
height="635"> height="635">
</p> </p>
<p>Ce guide suppose que vous avez le paquet iproute/iproute2 d'installé. <p>Ce guide suppose que vous avez le paquet iproute/iproute2 d'installé. Vous
Vous pouvez voir si le paquet est installé en vérifiant la présence du programme pouvez voir si le paquet est installé en vérifiant la présence du programme
ip sur votre système de firewall. Sous root, utilisez la commande 'which' ip sur votre système de firewall. Sous root, utilisez la commande 'which'
pour rechercher le programme :</p> pour rechercher le programme :</p>
@ -85,12 +85,12 @@ la configuration sont recommand
devez les sauver comme des fichiers Unix si votre éditeur offre cette option devez les sauver comme des fichiers Unix si votre éditeur offre cette option
sinon vous devez les faire passer par dos2unix avant d'essayer de les utiliser. sinon vous devez les faire passer par dos2unix avant d'essayer de les utiliser.
De la même manière, si vous copiez un fichier de configuration depuis votre De la même manière, si vous copiez un fichier de configuration depuis votre
disque dur Windows vers une disquette, vous devez lancer dos2unix sur la disque dur Windows vers une disquette, vous devez lancer dos2unix sur la copie
copie avant de l'utiliser avec Shorewall.</p> avant de l'utiliser avec Shorewall.</p>
<ul> <ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version of <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
dos2unix</a></li> of dos2unix</a></li>
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version <li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version
of dos2unix</a></li> of dos2unix</a></li>
@ -104,11 +104,11 @@ of dos2unix</a></li>
/etc/shorewall -- pour de simples paramétrages, vous n'avez à faire qu'avec /etc/shorewall -- pour de simples paramétrages, vous n'avez à faire qu'avec
quelques un d'entre eux comme décris dans ce guide. Après avoir <a quelques un d'entre eux comme décris dans ce guide. Après avoir <a
href="Install.htm">installé Shorewall</a>, <b>téléchargez la configuration href="Install.htm">installé Shorewall</a>, <b>téléchargez la configuration
d'exemple <a href="/pub/shorewall/LATEST.samples/three-interfaces.tgz">three-interface d'exemple <a
href="http://france.shorewall.net/pub/shorewall/LATEST.samples/three-interfaces.tgz">three-interface
sample</a>, un-tarez la (tar -zxvf three-interfaces.tgz) </b><b>et copiez sample</a>, un-tarez la (tar -zxvf three-interfaces.tgz) </b><b>et copiez
les fichiers vers /etc/shorewall (Ils remplaceront les fichiers de même les fichiers vers /etc/shorewall (Ils remplaceront les fichiers de même nom
nom déjà existant dans /etc/shorewall installés lors de l'installation de déjà existant dans /etc/shorewall installés lors de l'installation de Shorewall)</b>.</p>
Shorewall)</b>.</p>
<p>En même temps que chacun des fichiers est présenté, je vous suggère de <p>En même temps que chacun des fichiers est présenté, je vous suggère de
jeter un oeil à ceux qui se trouvent réellement sur votre système -- chacun jeter un oeil à ceux qui se trouvent réellement sur votre système -- chacun
@ -144,15 +144,15 @@ trois zones sont d
<p>Les noms de zone sont définis dans <a href="Documentation.htm#Zones">/etc/shorewall/zones</a>.</p> <p>Les noms de zone sont définis dans <a href="Documentation.htm#Zones">/etc/shorewall/zones</a>.</p>
<p>Shorewall reconnaît aussi le système de firewall comme sa propre zone <p>Shorewall reconnaît aussi le système de firewall comme sa propre zone -
- par défaut, le firewall lui même est connu en tant que <b>fw</b>.</p> par défaut, le firewall lui même est connu en tant que <b>fw</b>.</p>
<p>Les règles concernant le trafic à autoriser ou à interdire sont exprimées <p>Les règles concernant le trafic à autoriser ou à interdire sont exprimées
en utilisant les termes de zones.</p> en utilisant les termes de zones.</p>
<ul> <ul>
<li>Vous exprimez les politiques par défaut pour les connexions d'une zone <li>Vous exprimez les politiques par défaut pour les connexions d'une
à une autre dans le fichier<a href="Documentation.htm#Policy"> /etc/shorewall/policy zone à une autre dans le fichier<a href="Documentation.htm#Policy"> /etc/shorewall/policy
</a>.</li> </a>.</li>
<li>Vous définissez les exceptions à ces règles de politiques par défaut <li>Vous définissez les exceptions à ces règles de politiques par défaut
dans le fichier <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li> dans le fichier <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
@ -161,11 +161,10 @@ dans le fichier <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
<p>Pour chacune des demandes de connexion entrantes dans le firewall, les <p>Pour chacune des demandes de connexion entrantes dans le firewall, les
demandes sont en premier lieu comparées par rapport au fichier /etc/shorewall/rules. demandes sont en premier lieu comparées par rapport au fichier /etc/shorewall/rules.
Si aucune des règles dans ce fichier ne correspondent, alors la première Si aucune des règles dans ce fichier ne correspondent, alors la première politique
politique dans /etc/shorewall/policy qui y correspond est appliquée. Si cette dans /etc/shorewall/policy qui y correspond est appliquée. Si cette politique
politique est REJECT ou DROP la requête est alors comparée par rapport aux est REJECT ou DROP la requête est alors comparée par rapport aux règles contenues
règles contenues dans /etc/shorewall/common (l'archive d'exemple vous fournit dans /etc/shorewall/common (l'archive d'exemple vous fournit ce fichier).</p>
ce fichier).</p>
<p>Le fichier /etc/shorewall/policy d'exemple contenu dans l'archive three-interface <p>Le fichier /etc/shorewall/policy d'exemple contenu dans l'archive three-interface
sample a les politiques suivantes :</p> sample a les politiques suivantes :</p>
@ -244,10 +243,10 @@ avoir un acc
<ol> <ol>
<li>permettre toutes demandes de connexion depuis le firewall vers l'Internet</li> <li>permettre toutes demandes de connexion depuis le firewall vers l'Internet</li>
<li>drop (ignorer) toutes les demandes de connexion depuis l'Internet vers <li>drop (ignorer) toutes les demandes de connexion depuis l'Internet
votre firewall ou vers votre réseau local</li> vers votre firewall ou vers votre réseau local</li>
<li>Facultativement accepter toutes les demandes de connexion depuis votre <li>Facultativement accepter toutes les demandes de connexion depuis
firewall et vers Internet (si vous decommentez la politique précédente)</li> votre firewall et vers Internet (si vous decommentez la politique précédente)</li>
<li>reject (rejeter) toutes les autres demandes de connexion.</li> <li>reject (rejeter) toutes les autres demandes de connexion.</li>
</ol> </ol>
@ -263,14 +262,14 @@ que vous d
</p> </p>
<p align="left">Le firewall a trois interfaces de réseau. Lorsque la connexion <p align="left">Le firewall a trois interfaces de réseau. Lorsque la connexion
Internet passe par le câble ou par un ROUTEUR (pas un simple modem) ADSL Internet passe par le câble ou par un ROUTEUR (pas un simple modem) ADSL (non
(non USB), l'interface vers l'extérieur (External Interface) sera l'adaptateur USB), l'interface vers l'extérieur (External Interface) sera l'adaptateur
sur lequel est connecté le routeur (e.g., eth0) à moins que vous ne vous sur lequel est connecté le routeur (e.g., eth0) à moins que vous ne vous
connectiez par Point-to-PointProtocol overEthernet (PPPoE) ou par Point-to-PointTunneling connectiez par Point-to-PointProtocol overEthernet (PPPoE) ou par Point-to-PointTunneling
Protocol (PPTP), dans ce cas l'interface extérieure sera une interface de Protocol (PPTP), dans ce cas l'interface extérieure sera une interface de
type ppp (e.g., ppp0). Si vous vous connectez par un simple modem (RTC), type ppp (e.g., ppp0). Si vous vous connectez par un simple modem (RTC), votre
votre interface extérieure sera aussi ppp0. Si votre connexion passe par interface extérieure sera aussi ppp0. Si votre connexion passe par Numéris
Numéris (ISDN), votre interface extérieure sera ippp0<b>.</b></p> (ISDN), votre interface extérieure sera ippp0<b>.</b></p>
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13" <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13"> height="13">
@ -298,8 +297,8 @@ ce soit shorewall qui ne marche pas.</p>
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13" <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13"> height="13">
L'exemple de configuration de Shorewall pour trois interfaces suppose que L'exemple de configuration de Shorewall pour trois interfaces suppose que
l'interface externe est <b>eth0, </b>l'interface locale est <b>eth1 </b> l'interface externe est <b>eth0, </b>l'interface locale est <b>eth1 </b> et
et que la DMZ est sur l'interface <b>eth2</b>. Si votre configuration diffère, que la DMZ est sur l'interface <b>eth2</b>. Si votre configuration diffère,
vous devrez modifier le fichier d'exemple /etc/shorewall/interfaces en conséquence. vous devrez modifier le fichier d'exemple /etc/shorewall/interfaces en conséquence.
Tant que vous y êtes, vous pourriez parcourir la liste des options qui sont Tant que vous y êtes, vous pourriez parcourir la liste des options qui sont
spécifiées pour les interfaces. Quelques trucs :</p> spécifiées pour les interfaces. Quelques trucs :</p>
@ -310,9 +309,9 @@ sp
remplacer le "detect" dans la seconde colonne par un "-". </p> remplacer le "detect" dans la seconde colonne par un "-". </p>
</li> </li>
<li> <li>
<p align="left">Si votre interface externe est ppp0 ou ippp0 ou bien <p align="left">Si votre interface externe est ppp0 ou ippp0 ou bien si
si vous avez une adresse IP statique, vous pouvez enlever le "dhcp" de la vous avez une adresse IP statique, vous pouvez enlever le "dhcp" de la liste
liste d'option. </p> d'option. </p>
</li> </li>
</ul> </ul>
@ -325,11 +324,11 @@ Internet (ISP) vous assignera une seule adresse IP (single Public IP address).
Cette adresse peut être assignée par le Dynamic Host Configuration Protocol Cette adresse peut être assignée par le Dynamic Host Configuration Protocol
(DHCP) ou lors de l'établissement de votre connexion lorsque vous vous connectez (DHCP) ou lors de l'établissement de votre connexion lorsque vous vous connectez
(modem standard) ou établissez votre connexion PPP. Dans de rares cas , votre (modem standard) ou établissez votre connexion PPP. Dans de rares cas , votre
provider peu vous assigner une adresse statique (staticIP address); cela provider peu vous assigner une adresse statique (staticIP address); cela signifie
signifie que vous configurez votre interface externe sur votre firewall afin que vous configurez votre interface externe sur votre firewall afin d'utiliser
d'utiliser cette adresse de manière permanente. Une fois votre adresse externe cette adresse de manière permanente. Une fois votre adresse externe assignée,
assignée, elle va être partagée par tout vos systèmes lors de l'accès à Internet. elle va être partagée par tout vos systèmes lors de l'accès à Internet. Vous
Vous devrez assigner vos propres adresses à votre réseau local (votre interface devrez assigner vos propres adresses à votre réseau local (votre interface
interne sur le firewall ainsi que les autres ordinateurs). La RFC 1918 réserve interne sur le firewall ainsi que les autres ordinateurs). La RFC 1918 réserve
plusieurs plages d'IP (Private IP address ranges) à cette fin :</p> plusieurs plages d'IP (Private IP address ranges) à cette fin :</p>
@ -392,9 +391,9 @@ gauche du masque de sous-r
</div> </div>
<div align="left"> <div align="left">
<p align="left">Il est de convention d'assigner à l'interface interne la <p align="left">Il est de convention d'assigner à l'interface interne la première
première adresse utilisable dans le sous-réseau (10.10.10.1 dans l'exemple adresse utilisable dans le sous-réseau (10.10.10.1 dans l'exemple précédent)
précédent) ou la dernière utilisable (10.10.10.254).</p> ou la dernière utilisable (10.10.10.254).</p>
</div> </div>
<div align="left"> <div align="left">
@ -411,8 +410,8 @@ du sous-r
Vos ordinateurs locaux (ordinateur local 1 et 2) devraient être configurés Vos ordinateurs locaux (ordinateur local 1 et 2) devraient être configurés
avec leur passerelle par défaut (<i>default gateway)</i>pointant sur l'adresse avec leur passerelle par défaut (<i>default gateway)</i>pointant sur l'adresse
IP de l'interface interne du firewall, et les ordinateurs de la DMZ devraient IP de l'interface interne du firewall, et les ordinateurs de la DMZ devraient
être configurés avec leur passerelle par défaut (<i>default gateway)</i> être configurés avec leur passerelle par défaut (<i>default gateway)</i> pointant
pointant sur l'adresse IP de l'interface DMZ du firewall. </p> sur l'adresse IP de l'interface DMZ du firewall. </p>
</div> </div>
<p align="left">Cette courte description ne fait que survoler les concepts <p align="left">Cette courte description ne fait que survoler les concepts
@ -437,23 +436,22 @@ en local sera 10.10.10.254.</p>
<p align="left">Les adresses réservées par la RFC 1918 sont parfois désignées <p align="left">Les adresses réservées par la RFC 1918 sont parfois désignées
comme non-routables car les routeurs Internet (backbone) ne font pas circuler comme non-routables car les routeurs Internet (backbone) ne font pas circuler
les paquets qui ont une adresse de destination appartenant à la RFC-1918. les paquets qui ont une adresse de destination appartenant à la RFC-1918.
Lorsqu'un de vos systèmes en local (supposons l'ordinateur1) demande une Lorsqu'un de vos systèmes en local (supposons l'ordinateur1) demande une connexion
connexion à un serveur par Internet, le firewall doit appliquer un NAT (Network à un serveur par Internet, le firewall doit appliquer un NAT (Network Address
Address Translation). Le firewall ré écrit l'adresse source dans le paquet, Translation). Le firewall ré écrit l'adresse source dans le paquet, et l'a
et l'a remplace par l'adresse de l'interface externe du firewall; en d'autres remplace par l'adresse de l'interface externe du firewall; en d'autres mots,
mots, le firewall fait croire que c'est lui même qui initie la connexion. le firewall fait croire que c'est lui même qui initie la connexion. Ceci
Ceci est nécessaire afin que l'hôte de destination soit capable de renvoyer est nécessaire afin que l'hôte de destination soit capable de renvoyer les
les paquets au firewall (souvenez vous que les paquets qui ont pour adresse paquets au firewall (souvenez vous que les paquets qui ont pour adresse de
de destination, une adresse réservée par la RFC 1918 ne pourront pas être destination, une adresse réservée par la RFC 1918 ne pourront pas être routés
routés à travers Internet, donc l'hôte Internet ne pourra adresser sa réponse à travers Internet, donc l'hôte Internet ne pourra adresser sa réponse à
à l'ordinateur 1). Lorsque le firewall reçoit le paquet de réponse, il remet l'ordinateur 1). Lorsque le firewall reçoit le paquet de réponse, il remet
l'adresse de destination à 10.10.10.1 et fait passer le paquet vers l'ordinateur l'adresse de destination à 10.10.10.1 et fait passer le paquet vers l'ordinateur
1. </p> 1. </p>
<p align="left">Sur les systèmes Linux, ce procédé est souvent appelé de <p align="left">Sur les systèmes Linux, ce procédé est souvent appelé de l'IP
l'IP Masquerading mais vous verrez aussi le terme de Source Network Address Masquerading mais vous verrez aussi le terme de Source Network Address Translation
Translation (SNAT) utilisé. Shorewall suit la convention utilisée avec Netfilter (SNAT) utilisé. Shorewall suit la convention utilisée avec Netfilter :</p>
:</p>
<ul> <ul>
<li> <li>
@ -508,8 +506,7 @@ RFC-1918, il n'est pas possible pour les clients sur Internet de se connecter
directement à eux. Il est nécessaire à ces clients d'adresser leurs demandes directement à eux. Il est nécessaire à ces clients d'adresser leurs demandes
de connexion au firewall qui ré écrit l'adresse de destination de votre serveur, de connexion au firewall qui ré écrit l'adresse de destination de votre serveur,
et fait passer le paquet à celui-ci. Lorsque votre serveur répond, le firewall et fait passer le paquet à celui-ci. Lorsque votre serveur répond, le firewall
applique automatiquement un SNAT pour ré écrire l'adresse source dans la applique automatiquement un SNAT pour ré écrire l'adresse source dans la réponse.</p>
réponse.</p>
<p align="left">Ce procédé est appelé Port Forwarding ou Destination Network <p align="left">Ce procédé est appelé Port Forwarding ou Destination Network
Address Translation(DNAT). Vous configurez le port forwarding en utilisant Address Translation(DNAT). Vous configurez le port forwarding en utilisant
@ -534,8 +531,7 @@ est :</p>
<tr> <tr>
<td>DNAT</td> <td>DNAT</td>
<td>net</td> <td>net</td>
<td>dmz:<i>&lt;server local ip address&gt; </i>[:<i>&lt;server <td>dmz:<i>&lt;server local ip address&gt; </i>[:<i>&lt;server port&gt;</i>]</td>
port&gt;</i>]</td>
<td><i>&lt;protocol&gt;</i></td> <td><i>&lt;protocol&gt;</i></td>
<td><i>&lt;port&gt;</i></td> <td><i>&lt;port&gt;</i></td>
<td> <br> <td> <br>
@ -633,10 +629,10 @@ http://w.x.y.z:5000</a> o
</table> </table>
</blockquote> </blockquote>
<p>Si vous voulez avoir la possibilité de vous connecter à votre serveur <p>Si vous voulez avoir la possibilité de vous connecter à votre serveur depuis
depuis le réseau local en utilisant votre adresse externe, et si vous avez le réseau local en utilisant votre adresse externe, et si vous avez une adresse
une adresse IP externe statique (fixe), vous pouvez remplacer la règle loc-&gt;dmz IP externe statique (fixe), vous pouvez remplacer la règle loc-&gt;dmz précédente
précédente par :</p> par :</p>
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -707,8 +703,8 @@ les
</table> </table>
</blockquote> </blockquote>
<p>Si vous voulez accéder à votre serveur dans la DMZ en utilisant votre <p>Si vous voulez accéder à votre serveur dans la DMZ en utilisant votre adresse
adresse IP externe, regardez <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p> IP externe, regardez <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p>
<p><img border="0" src="images/BD21298_2.gif" width="13" height="13"> <p><img border="0" src="images/BD21298_2.gif" width="13" height="13">
A ce point, ajoutez les règles DNAT et ACCEPT pour vos serveurs..</p> A ce point, ajoutez les règles DNAT et ACCEPT pour vos serveurs..</p>
@ -716,13 +712,13 @@ adresse IP externe, regardez <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p>
<h2 align="left">Domain Name Server (DNS)</h2> <h2 align="left">Domain Name Server (DNS)</h2>
<p align="left">Normalement, quand vous vous connectez à votre fournisseur <p align="left">Normalement, quand vous vous connectez à votre fournisseur
(ISP), une partie consiste à obtenir votre adresse IP, votre DNS pour le (ISP), une partie consiste à obtenir votre adresse IP, votre DNS pour le firewall
firewall (Domain Name Service) est configuré automatiquement (c.a.d., le (Domain Name Service) est configuré automatiquement (c.a.d., le fichier /etc/resolv.conf
fichier /etc/resolv.conf a été écrit). Il arrive que votre provider vous a été écrit). Il arrive que votre provider vous donne une paire d'adresse
donne une paire d'adresse IP pour les DNS (name servers) afin que vous configuriez IP pour les DNS (name servers) afin que vous configuriez manuellement votre
manuellement votre serveur de nom primaire et secondaire. La manière dont serveur de nom primaire et secondaire. La manière dont le DNS est configuré
le DNS est configuré sur votre firewall est de votre responsabilité. Vous sur votre firewall est de votre responsabilité. Vous pouvez procéder d'une
pouvez procéder d'une de ses deux façons :</p> de ses deux façons :</p>
<ul> <ul>
<li> <li>
@ -1084,9 +1080,9 @@ particuli
<div align="left"> <div align="left">
<p align="left">Important: Je ne vous recommande pas d'autoriser le telnet <p align="left">Important: Je ne vous recommande pas d'autoriser le telnet
depuis ou vers l'Internet car il utilise du texte en clair (même pour le depuis ou vers l'Internet car il utilise du texte en clair (même pour le login
login et le mot de passe !). Si vous voulez avoir un accès au shell de votre et le mot de passe !). Si vous voulez avoir un accès au shell de votre firewall
firewall depuis Internet, utilisez SSH :</p> depuis Internet, utilisez SSH :</p>
</div> </div>
<div align="left"> <div align="left">
@ -1168,10 +1164,10 @@ d'h
</div> </div>
<div align="left"> <div align="left">
<p align="left">ATTENTION: Si vous êtes connecté à votre firewall depuis <p align="left">ATTENTION: Si vous êtes connecté à votre firewall depuis Internet,
Internet, n'essayez pas une commande "shorewall stop" tant que vous n'avez n'essayez pas une commande "shorewall stop" tant que vous n'avez pas ajouté
pas ajouté une entrée pour votre adresse IP (celle à partir de laquelle vous une entrée pour votre adresse IP (celle à partir de laquelle vous êtes connectée)
êtes connectée) dans <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. dans <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
De la même manière, je ne vous recommande pas d'utiliser "shorewall restart"; De la même manière, je ne vous recommande pas d'utiliser "shorewall restart";
il est plus intéressant de créer une <i><a il est plus intéressant de créer une <i><a
href="configuration_file_basics.htm#Configs">configuration </a></i><i><a href="configuration_file_basics.htm#Configs">configuration </a></i><i><a
@ -1204,5 +1200,6 @@ M. Eastep</font></a></p>
<br> <br>
<br> <br>
<br> <br>
<br>
</body> </body>
</html> </html>


@ -12,7 +12,6 @@
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Two-Interface Firewall</title> <title>Two-Interface Firewall</title>
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
@ -23,8 +22,6 @@
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Basic Two-Interface Firewall</font></h1> <h1 align="center"><font color="#ffffff">Basic Two-Interface Firewall</font></h1>
</td> </td>
</tr> </tr>
@ -63,19 +60,19 @@ local network.</li>
<p><b>Note however, that the Shorewall configuration produced by Mandrake <p><b>Note however, that the Shorewall configuration produced by Mandrake
Internet Connection Sharing is strange and is apt to confuse you if you use Internet Connection Sharing is strange and is apt to confuse you if you use
the rest of this documentation (it has two local zones; "loc" and "masq" where the rest of this documentation (it has two local zones; "loc" and "masq"
"loc" is empty; this conflicts with this documentation which assumes a single where "loc" is empty; this conflicts with this documentation which assumes
local zone "loc"). We therefore recommend that once you have set up this a single local zone "loc"). We therefore recommend that once you have set
sharing that you uninstall the Mandrake Shorewall RPM and install the one up this sharing that you uninstall the Mandrake Shorewall RPM and install
from the <a href="download.htm">download page</a> then follow the instructions the one from the <a href="download.htm">download page</a> then follow the
in this Guide.</b><br> instructions in this Guide.</b><br>
</p> </p>
<p>Shorewall requires that you have the iproute/iproute2 package installed <p>Shorewall requires that you have the iproute/iproute2 package installed
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can (on RedHat, the package is called <i>iproute</i>)<i>. </i>You can
tell if this package is installed by the presence of an <b>ip</b> tell if this package is installed by the presence of an <b>ip</b> program
program on your firewall system. As root, you can use the 'which' on your firewall system. As root, you can use the 'which' command
command to check for this program:</p> to check for this program:</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre> <pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
@ -98,11 +95,12 @@ floppy disk, you must run dos2unix against the copy before using it with
Shorewall.</p> Shorewall.</p>
<ul> <ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows
Version of dos2unix</a></li>
<li><a <li><a
href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version href="http://www.simtel.net/pub/pd/51438.html">Windows Version of
of dos2unix</a></li> dos2unix</a></li>
<li><a
href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version of
dos2unix</a></li>
</ul> </ul>
@ -110,21 +108,22 @@ of dos2unix</a></li>
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13" <p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
alt=""> alt="">
    The configuration files for Shorewall are contained in the directory     The configuration files for Shorewall are contained in the
/etc/shorewall -- for simple setups, you will only need to deal with directory /etc/shorewall -- for simple setups, you will only need to
a few of these as described in this guide. After you have <a deal with a few of these as described in this guide. After you have <a
href="Install.htm">installed Shorewall</a>, <b>download the <a href="Install.htm">installed Shorewall</a>, <b>download the <a
href="/pub/shorewall/LATEST.samples/two-interfaces.tgz">two-interface sample</a>, href="http://www.shorewall.net/pub/shorewall/LATEST.samples/two-interfaces.tgz">two-interface
un-tar it (tar -zxvf two-interfaces.tgz) and and copy the files to sample</a>, un-tar it (tar -zxvf two-interfaces.tgz) and and copy
/etc/shorewall (these files will replace files with the same name).</b></p> the files to /etc/shorewall (these files will replace files with
the same name).</b></p>
<p>As each file is introduced, I suggest that you look through the actual <p>As each file is introduced, I suggest that you look through the actual
file on your system -- each file contains detailed configuration file on your system -- each file contains detailed configuration
instructions and default entries.</p> instructions and default entries.</p>
<p>Shorewall views the network where it is running as being composed of a <p>Shorewall views the network where it is running as being composed of a
set of <i>zones.</i> In the two-interface sample configuration, set of <i>zones.</i> In the two-interface sample configuration, the
the following zone names are used:</p> following zone names are used:</p>
<table border="0" style="border-collapse: collapse;" cellpadding="3" <table border="0" style="border-collapse: collapse;" cellpadding="3"
cellspacing="0" id="AutoNumber2"> cellspacing="0" id="AutoNumber2">
@ -170,8 +169,8 @@ the <a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li
DROP  the request is first checked against the rules in /etc/shorewall/common DROP  the request is first checked against the rules in /etc/shorewall/common
(the samples provide that file for you).</p> (the samples provide that file for you).</p>
<p>The /etc/shorewall/policy file included with the two-interface sample <p>The /etc/shorewall/policy file included with the two-interface sample has
has the following policies:</p> the following policies:</p>
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -206,7 +205,6 @@ has the following policies:</p>
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -234,7 +232,6 @@ has the following policies:</p>
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -262,9 +259,9 @@ firewall to the internet (if you uncomment the additional policy)</li>
height="635"> height="635">
</p> </p>
<p align="left">The firewall has two network interfaces. Where Internet connectivity <p align="left">The firewall has two network interfaces. Where Internet
is through a cable or DSL "Modem", the <i>External Interface</i> will be connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>)  will be the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>) 
<u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol
over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint
<u>T</u>unneling <u>P</u>rotocol </i>(PPTP) in which case the External <u>T</u>unneling <u>P</u>rotocol </i>(PPTP) in which case the External
@ -280,9 +277,9 @@ the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>)
<p align="left">Your <i>Internal Interface</i> will be an ethernet adapter <p align="left">Your <i>Internal Interface</i> will be an ethernet adapter
(eth1 or eth0) and will be connected to a hub or switch. Your other (eth1 or eth0) and will be connected to a hub or switch. Your other
computers will be connected to the same hub/switch (note: If you computers will be connected to the same hub/switch (note: If you have
have only a single internal system, you can connect the firewall only a single internal system, you can connect the firewall directly
directly to the computer using a <i>cross-over </i> cable).</p> to the computer using a <i>cross-over </i> cable).</p>
<p align="left"><u><b> <img border="0" src="images/j0213519.gif" <p align="left"><u><b> <img border="0" src="images/j0213519.gif"
width="60" height="60"> width="60" height="60">
@ -295,20 +292,18 @@ directly to the computer using a <i>cross-over </i> cable).</p>
width="13" height="13"> width="13" height="13">
    The Shorewall two-interface sample configuration assumes     The Shorewall two-interface sample configuration assumes
that the external interface is <b>eth0</b> and the internal interface that the external interface is <b>eth0</b> and the internal interface
is <b>eth1</b>. If your configuration is different, you will have is <b>eth1</b>. If your configuration is different, you will have to
to modify the sample <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> modify the sample <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
file accordingly. While you are there, you may wish to review the list file accordingly. While you are there, you may wish to review the
of options that are specified for the interfaces. Some hints:</p> list of options that are specified for the interfaces. Some hints:</p>
<ul> <ul>
<li> <li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>, <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>,
you can replace the "detect" in the second column with "-". you can replace the "detect" in the second column with "-".
</p> </p>
</li> </li>
<li> <li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b> <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>
or if you have a static IP address, you can remove "dhcp" from or if you have a static IP address, you can remove "dhcp" from
the option list. </p> the option list. </p>
@ -326,8 +321,8 @@ establishing your connection when you dial in (standard modem) or establish
your PPP connection. In rare cases, your ISP may assign you a<i> static</i> your PPP connection. In rare cases, your ISP may assign you a<i> static</i>
IP address; that means that you configure your firewall's external interface IP address; that means that you configure your firewall's external interface
to use that address permanently.<i> </i>However your external address to use that address permanently.<i> </i>However your external address
is assigned, it will be shared by all of your systems when you access is assigned, it will be shared by all of your systems when you access the
the Internet. You will have to assign your own addresses in your internal Internet. You will have to assign your own addresses in your internal
network (the Internal Interface on your firewall plus your other computers). network (the Internal Interface on your firewall plus your other computers).
RFC 1918 reserves several <i>Private </i>IP address ranges for this purpose:</p> RFC 1918 reserves several <i>Private </i>IP address ranges for this purpose:</p>
@ -347,8 +342,8 @@ IP address of your external interface and if it is one of the above
<div align="left"> <div align="left">
<p align="left">You will want to assign your addresses from the same <i> <p align="left">You will want to assign your addresses from the same <i>
sub-network </i>(<i>subnet)</i>.  For our purposes, we can consider a subnet sub-network </i>(<i>subnet)</i>.  For our purposes, we can consider a subnet
to consists of a range of addresses x.y.z.0 - x.y.z.255. Such to consists of a range of addresses x.y.z.0 - x.y.z.255. Such a
a subnet will have a <i>Subnet Mask </i>of 255.255.255.0. The address subnet will have a <i>Subnet Mask </i>of 255.255.255.0. The address
x.y.z.0 is reserved as the <i>Subnet Address</i> and x.y.z.255 is x.y.z.0 is reserved as the <i>Subnet Address</i> and x.y.z.255 is
reserved as the <i>Subnet Broadcast</i> <i>Address</i>. In Shorewall, reserved as the <i>Subnet Broadcast</i> <i>Address</i>. In Shorewall,
a subnet is described using <a a subnet is described using <a
@ -384,7 +379,6 @@ bits from the left of the subnet mask. </p>
<td>10.10.10.0/24</td> <td>10.10.10.0/24</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -431,22 +425,22 @@ Thomas A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13" <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13" alt=""> height="13" alt="">
    <font color="#ff0000"><b>WARNING: </b></font><b>Your ISP might assign     <font color="#ff0000"><b>WARNING: </b></font><b>Your ISP might assign
your external interface an RFC 1918 address. If that address is in the your external interface an RFC 1918 address. If that address is in the 10.10.10.0/24
10.10.10.0/24 subnet then you will need to select a DIFFERENT RFC 1918 subnet then you will need to select a DIFFERENT RFC 1918 subnet for your
subnet for your local network.</b><br> local network.</b><br>
</p> </p>
<h2 align="left">IP Masquerading (SNAT)</h2> <h2 align="left">IP Masquerading (SNAT)</h2>
<p align="left">The addresses reserved by RFC 1918 are sometimes referred <p align="left">The addresses reserved by RFC 1918 are sometimes referred
to as <i>non-routable</i> because the Internet backbone routers don't to as <i>non-routable</i> because the Internet backbone routers don't
forward packets which have an RFC-1918 destination address. When forward packets which have an RFC-1918 destination address. When one
one of your local systems (let's assume computer 1) sends a connection of your local systems (let's assume computer 1) sends a connection
request to an internet host, the firewall must perform <i>Network request to an internet host, the firewall must perform <i>Network Address
Address Translation </i>(NAT). The firewall rewrites the source address Translation </i>(NAT). The firewall rewrites the source address in
in the packet to be the address of the firewall's external interface; the packet to be the address of the firewall's external interface; in
in other words, the firewall makes it look as if the firewall itself other words, the firewall makes it look as if the firewall itself is
is initiating the connection.  This is necessary so that the destination initiating the connection.  This is necessary so that the destination
host will be able to route return packets back to the firewall (remember host will be able to route return packets back to the firewall (remember
that packets whose destination address is reserved by RFC 1918 can't that packets whose destination address is reserved by RFC 1918 can't
be routed across the internet so the remote host can't address its response be routed across the internet so the remote host can't address its response
@ -454,20 +448,18 @@ is initiating the connection.
the destination address back to 10.10.10.1 and forwards the packet on the destination address back to 10.10.10.1 and forwards the packet on
to computer 1. </p> to computer 1. </p>
<p align="left">On Linux systems, the above process is often referred to <p align="left">On Linux systems, the above process is often referred to as<i>
as<i> IP Masquerading</i> but you will also see the term <i>Source Network IP Masquerading</i> but you will also see the term <i>Source Network Address
Address Translation </i>(SNAT) used. Shorewall follows the convention used Translation </i>(SNAT) used. Shorewall follows the convention used with
with Netfilter:</p> Netfilter:</p>
<ul> <ul>
<li> <li>
<p align="left"><i>Masquerade</i> describes the case where you let your <p align="left"><i>Masquerade</i> describes the case where you let your
firewall system automatically detect the external interface address. firewall system automatically detect the external interface address.
</p> </p>
</li> </li>
<li> <li>
<p align="left"><i>SNAT</i> refers to the case when you explicitly specify <p align="left"><i>SNAT</i> refers to the case when you explicitly specify
the source address that you want outbound packets from your local the source address that you want outbound packets from your local
network to use. </p> network to use. </p>
@ -481,22 +473,22 @@ with Netfilter:</p>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13" <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13"> height="13">
    If your external firewall interface is <b>eth0</b>, you     If your external firewall interface is <b>eth0</b>,
do not need to modify the file provided with the sample. Otherwise, you do not need to modify the file provided with the sample. Otherwise,
edit /etc/shorewall/masq and change the first column to the name of edit /etc/shorewall/masq and change the first column to the name
your external interface and the second column to the name of your internal of your external interface and the second column to the name of your
interface.</p> internal interface.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13" <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13"> height="13">
    If your external IP is static, you can enter it in the     If your external IP is static, you can enter it in
third column in the /etc/shorewall/masq entry if you like although the third column in the /etc/shorewall/masq entry if you like although
your firewall will work fine if you leave that column empty. Entering your firewall will work fine if you leave that column empty. Entering
your static IP in column 3 makes processing outgoing packets a little your static IP in column 3 makes processing outgoing packets a little
more efficient.<br> more efficient.<br>
<br> <br>
<img border="0" src="images/BD21298_.gif" width="13" height="13" <img border="0" src="images/BD21298_.gif" width="13"
alt=""> height="13" alt="">
    If you are using the Debian package, please check your shorewall.conf     If you are using the Debian package, please check your shorewall.conf
file to ensure that the following are set correctly; if they are not, file to ensure that the following are set correctly; if they are not,
change them appropriately:<br> change them appropriately:<br>
@ -513,12 +505,12 @@ change them appropriately:<br>
<p align="left">One of your goals may be to run one or more servers on your <p align="left">One of your goals may be to run one or more servers on your
local computers. Because these computers have RFC-1918 addresses, local computers. Because these computers have RFC-1918 addresses,
it is not possible for clients on the internet to connect directly it is not possible for clients on the internet to connect directly to
to them. It is rather necessary for those clients to address their them. It is rather necessary for those clients to address their connection
connection requests to the firewall who rewrites the destination address requests to the firewall who rewrites the destination address to the
to the address of your server and forwards the packet to that server. address of your server and forwards the packet to that server. When
When your server responds, the firewall automatically performs SNAT your server responds, the firewall automatically performs SNAT to rewrite
to rewrite the source address in the response.</p> the source address in the response.</p>
<p align="left">The above process is called<i> Port Forwarding</i> or <i> <p align="left">The above process is called<i> Port Forwarding</i> or <i>
Destination Network Address Translation</i> (DNAT). You configure Destination Network Address Translation</i> (DNAT). You configure
@ -551,7 +543,6 @@ port forwarding using DNAT rules in the /etc/shorewall/rules file.</p>
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -582,7 +573,6 @@ port forwarding using DNAT rules in the /etc/shorewall/rules file.</p>
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -592,9 +582,9 @@ port forwarding using DNAT rules in the /etc/shorewall/rules file.</p>
<ul> <ul>
<li>You must test the above rule from a client outside <li>You must test the above rule from a client outside
of your local network (i.e., don't test from a browser running on of your local network (i.e., don't test from a browser running on
computers 1 or 2 or on the firewall). If you want to be able to access computers 1 or 2 or on the firewall). If you want to be able to
your web server using the IP address of your external interface, see access your web server using the IP address of your external interface,
<a href="FAQ.htm#faq2">Shorewall FAQ #2</a>.</li> see <a href="FAQ.htm#faq2">Shorewall FAQ #2</a>.</li>
<li>Many ISPs block incoming connection requests to port <li>Many ISPs block incoming connection requests to port
80. If you have problems connecting to your web server, try the 80. If you have problems connecting to your web server, try the
following rule and try connecting to port 5000.</li> following rule and try connecting to port 5000.</li>
@ -624,7 +614,6 @@ following rule and try connecting to port 5000.</li>
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -646,7 +635,6 @@ as your primary and secondary name servers. Regardless of how DNS gets
<ul> <ul>
<li> <li>
<p align="left">You can configure your internal systems to use your ISP's <p align="left">You can configure your internal systems to use your ISP's
name servers. If you ISP gave you the addresses of their servers name servers. If you ISP gave you the addresses of their servers
or if those addresses are available on their web site, you can configure or if those addresses are available on their web site, you can configure
@ -656,19 +644,18 @@ as your primary and secondary name servers. Regardless of how DNS gets
</p> </p>
</li> </li>
<li> <li>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13" <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13"> height="13">
    You can configure a<i> Caching Name Server </i>on your     You can configure a<i> Caching Name Server </i>on your
firewall.<i> </i>Red Hat has an RPM for a caching name server firewall.<i> </i>Red Hat has an RPM for a caching name server
(the RPM also requires the 'bind' RPM) and for Bering users, there (the RPM also requires the 'bind' RPM) and for Bering users, there
is dnscache.lrp. If you take this approach, you configure your internal is dnscache.lrp. If you take this approach, you configure your internal
systems to use the firewall itself as their primary (and only) name server. systems to use the firewall itself as their primary (and only) name
You use the internal IP address of the firewall (10.10.10.254 in the server. You use the internal IP address of the firewall (10.10.10.254
example above) for the name server address. To allow your local systems in the example above) for the name server address. To allow your
to talk to your caching name server, you must open port 53 (both UDP local systems to talk to your caching name server, you must open port
and TCP) from the local network to the firewall; you do that by adding 53 (both UDP and TCP) from the local network to the firewall; you
the following rules in /etc/shorewall/rules. </p> do that by adding the following rules in /etc/shorewall/rules. </p>
</li> </li>
</ul> </ul>
@ -705,7 +692,6 @@ as your primary and secondary name servers. Regardless of how DNS gets
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -751,7 +737,6 @@ as your primary and secondary name servers. Regardless of how DNS gets
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -791,7 +776,6 @@ as your primary and secondary name servers. Regardless of how DNS gets
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -831,7 +815,6 @@ as your primary and secondary name servers. Regardless of how DNS gets
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -875,7 +858,6 @@ as your primary and secondary name servers. Regardless of how DNS gets
<td>from the local network</td> <td>from the local network</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -888,14 +870,14 @@ your firewall"</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left">If you don't know what port and protocol a particular <p align="left">If you don't know what port and protocol a particular application
application uses, look <a href="ports.htm">here</a>.</p> uses, look <a href="ports.htm">here</a>.</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left"><b>Important: </b>I don't recommend enabling telnet to/from <p align="left"><b>Important: </b>I don't recommend enabling telnet to/from
the internet because it uses clear text (even for login!). If the internet because it uses clear text (even for login!). If you
you want shell access to your firewall from the internet, use SSH:</p> want shell access to your firewall from the internet, use SSH:</p>
</div> </div>
<div align="left"> <div align="left">
@ -922,7 +904,6 @@ you want shell access to your firewall from the internet, use SSH:</p>
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -972,7 +953,6 @@ you want shell access to your firewall from the internet, use SSH:</p>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -994,8 +974,8 @@ delete other connections as required.</p>
    The <a href="Install.htm">installation procedure </a>     The <a href="Install.htm">installation procedure </a>
configures your system to start Shorewall at system boot  but beginning configures your system to start Shorewall at system boot  but beginning
with Shorewall version 1.3.9 startup is disabled so that your system with Shorewall version 1.3.9 startup is disabled so that your system
won't try to start Shorewall before configuration is complete. Once won't try to start Shorewall before configuration is complete. Once you
you have completed configuration of your firewall, you can enable Shorewall have completed configuration of your firewall, you can enable Shorewall
startup by removing the file /etc/shorewall/startup_disabled.<br> startup by removing the file /etc/shorewall/startup_disabled.<br>
</p> </p>
@ -1020,8 +1000,8 @@ you have completed configuration of your firewall, you can enable Shorewall
height="13"> height="13">
    The two-interface sample assumes that you want to enable     The two-interface sample assumes that you want to enable
routing to/from <b>eth1 </b>(the local network) when Shorewall is routing to/from <b>eth1 </b>(the local network) when Shorewall is
stopped. If your local network isn't connected to <b>eth1</b> or if stopped. If your local network isn't connected to <b>eth1</b> or if you
you wish to enable access to/from other hosts, change /etc/shorewall/routestopped wish to enable access to/from other hosts, change /etc/shorewall/routestopped
accordingly.</p> accordingly.</p>
</div> </div>
@ -1030,8 +1010,8 @@ you wish to enable access to/from other hosts, change /etc/shorewall/rou
the internet, do not issue a "shorewall stop" command unless you the internet, do not issue a "shorewall stop" command unless you
have added an entry for the IP address that you are connected from have added an entry for the IP address that you are connected from
to <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. to <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better to Also, I don't recommend using "shorewall restart"; it is better to create
create an <i><a href="configuration_file_basics.htm#Configs">alternate an <i><a href="configuration_file_basics.htm#Configs">alternate
configuration</a></i> and test it using the <a configuration</a></i> and test it using the <a
href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p> href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p>
</div> </div>
@ -1044,5 +1024,6 @@ configuration</a></i> and test it using the <a
</p> </p>
<br> <br>
<br> <br>
<br>
</body> </body>
</html> </html>



@ -6,12 +6,10 @@
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Upgrade Issues</title> <title>Upgrade Issues</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
@ -22,8 +20,6 @@
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Upgrade Issues</font></h1> <h1 align="center"><font color="#ffffff">Upgrade Issues</font></h1>
</td> </td>
</tr> </tr>
@ -31,7 +27,6 @@
</tbody> </tbody>
</table> </table>
<p>For upgrade instructions see the <a <p>For upgrade instructions see the <a
href="Install.htm">Install/Upgrade page</a>.<br> href="Install.htm">Install/Upgrade page</a>.<br>
</p> </p>
@ -40,32 +35,45 @@
version number mentioned in the section title is later than what you are version number mentioned in the section title is later than what you are
currently running.<br> currently running.<br>
</p> </p>
<p> In the descriptions that follows, the term <b><i>group </i></b>refers
to a particular network or subnetwork (which may be 0.0.0.0/0 or it may
be a host address) accessed through a particular interface.<br>
</p>
<p>Examples:<br>
    <br>
    eth0:0.0.0.0/0<br>
    eth2:192.168.1.0/24<br>
    eth3:192.0.2.123<br>
</p>
<h3> </h3> <h3> </h3>
<h3>Version &gt;= 1.4.2</h3>
There are some cases where you may want to handle traffic from a particular
group to itself. While I personally think that such a setups are ridiculous,
there are two cases covered in this documentation where it can occur:<br>
<ol>
<li><a href="FAQ.htm#faq2">In FAQ #2</a>.</li>
<li><a href="Shorewall_Squid_Usage.html">When running Squid as a transparent
proxy in your local zone.</a></li>
</ol>
If you have either of these cases, you will want to review the current documentation
and change your configuration accordingly.<br>
<h3>Version &gt;= 1.4.1</h3> <h3>Version &gt;= 1.4.1</h3>
In the description that follows, the term <i>group </i>refers to a particular
network or subnetwork (which may be 0.0.0.0/0 or it may be a host address)
accessed through a particular interface. Examples:<br>
<blockquote>eth0:0.0.0.0/0<br>
eth2:192.168.1.0/24<br>
eth3:192.0.2.123<br>
</blockquote>
You can use the "shorewall check" command to see the groups associated with You can use the "shorewall check" command to see the groups associated with
each of your zones.<br> each of your zones.<br>
<br> <br>
<ul> <ul>
<li>Beginning with Version 1.4.1, traffic between groups in the same <li>Beginning with Version 1.4.1, traffic between groups in the same
zone is accepted by default. Previously, traffic from a zone to itself was zone is accepted by default. Previously, traffic from a zone to itself
treated just like any other traffic; any matching rules were applied followed was treated just like any other traffic; any matching rules were applied
by enforcement of the appropriate policy. With 1.4.1 and later versions, followed by enforcement of the appropriate policy. With 1.4.1 and later
unless you have explicit rules for traffic from Z to Z or you have an explicit versions, unless you have explicit rules for traffic from Z to Z or you
Z to Z policy (where "Z" is some zone) then traffic between the groups in have an explicit Z to Z policy (where "Z" is some zone) then traffic between
zone Z will be accepted. If you do have one or more explicit rules for Z the groups in zone Z will be accepted. If you do have one or more explicit
to Z or if you have an explicit Z to Z policy then the behavior is as it rules for Z to Z or if you have an explicit Z to Z policy then the behavior
was in prior versions.</li> is as it was in prior versions.</li>
</ul> </ul>
@ -86,10 +94,10 @@ add an explicit DROP or REJECT policy for Z to Z.<br>
</blockquote> </blockquote>
<ul> <ul>
<li>Beginning with Version 1.4.1, Shorewall will never create rules to <li>Beginning with Version 1.4.1, Shorewall will never create rules
deal with traffic from a given group back to itself. The <i>multi</i> interface to deal with traffic from a given group back to itself. The <i>multi</i>
option is no longer available so if you want to route traffic between two interface option is no longer available so if you want to route traffic between
subnetworks on the same interface then either:</li> two subnetworks on the same interface then either:</li>
</ul> </ul>
@ -101,6 +109,11 @@ subnetworks on the same interface then either:</li>
</ol> </ol>
</blockquote> </blockquote>
If you use the technique described in FAQ 2 to send local requests addressed
to your firewall's external address back to a local server then you need to
change your configuration to match <a href="FAQ.htm#faq2">the new version
of FAQ #2.<br>
</a><br>
Example 1 -- Two zones:<br> Example 1 -- Two zones:<br>
<blockquote> <blockquote>
@ -114,18 +127,19 @@ subnetworks on the same interface then either:</li>
traffic is accepted by default. The second technique is preferable if you traffic is accepted by default. The second technique is preferable if you
want unlimited access between the two subnetworks.<br> want unlimited access between the two subnetworks.<br>
<br> <br>
Sometimes, you want two separate zones on one interface but you don't want Sometimes, you want two separate zones on one interface but you don't
Shorewall to set up any infrastructure to handle traffic between them. <br> want Shorewall to set up any infrastructure to handle traffic between them.
<br>
<br> <br>
Example:<br> Example:<br>
<blockquote> <blockquote>
<pre>/etc/shorewall/zones<br><br>z1 Zone1 The first Zone<br>z2 Zone2 The secont Zone<br><br>/etc/shorewall/interfaces<br><br>z2 eth1 192.168.1.255<br><br>/etc/shorewall/hosts<br><br>z1 eth1:192.168.1.3<br></pre> <pre>/etc/shorewall/zones<br><br>z1 Zone1 The first Zone<br>z2 Zone2 The secont Zone<br><br>/etc/shorewall/interfaces<br><br>z2 eth1 192.168.1.255<br><br>/etc/shorewall/hosts<br><br>z1 eth1:192.168.1.3<br></pre>
</blockquote> </blockquote>
Here, zone z1 is nested in zone z2 and the firewall is not going to be involved Here, zone z1 is nested in zone z2 and the firewall is not going to be
in any traffic between these two zones. Beginning with Shorewall 1.4.1, you involved in any traffic between these two zones. Beginning with Shorewall
can prevent Shorewall from setting up any infrastructure to handle traffic 1.4.1, you can prevent Shorewall from setting up any infrastructure to handle
between z1 and z2 by using the new NONE policy:<br> traffic between z1 and z2 by using the new NONE policy:<br>
<blockquote> <blockquote>
<pre>/etc/shorewall/policy<br><pre>z1 z2 NONE<br>z2 z1 NONE</pre></pre> <pre>/etc/shorewall/policy<br><pre>z1 z2 NONE<br>z2 z1 NONE</pre></pre>
@ -143,8 +157,8 @@ and you are using a NONE polciy in the other direction.
     error: failed dependencies:iproute is needed by shorewall-1.4.0-1      error: failed dependencies:iproute is needed by shorewall-1.4.0-1
<br> <br>
<br> <br>
This may be worked around by using the --nodeps option of rpm (rpm -Uvh This may be worked around by using the --nodeps option of rpm (rpm
--nodeps &lt;shorewall rpm&gt;).<br> -Uvh --nodeps &lt;shorewall rpm&gt;).<br>
<br> <br>
If you are upgrading from a version &lt; 1.4.0, then:<br> If you are upgrading from a version &lt; 1.4.0, then:<br>
@ -157,20 +171,20 @@ are no longer supported nor is the <b>FORWARDPING </b>option in shorewall.con
in /etc/shorewall/interfaces now generate a Shorewall error at startup in /etc/shorewall/interfaces now generate a Shorewall error at startup
(they always have produced warnings in iptables).</li> (they always have produced warnings in iptables).</li>
<li>The MERGE_HOSTS variable has been removed from shorewall.conf. <li>The MERGE_HOSTS variable has been removed from shorewall.conf.
Shorewall 1.4 behaves like 1.3 did when MERGE_HOSTS=Yes; that is zone contents Shorewall 1.4 behaves like 1.3 did when MERGE_HOSTS=Yes; that is zone
are determined by BOTH the interfaces and hosts files when there are entries contents are determined by BOTH the interfaces and hosts files when there
for the zone in both files.</li> are entries for the zone in both files.</li>
<li>The <b>routestopped</b> option in the interfaces and hosts <li>The <b>routestopped</b> option in the interfaces and hosts
file has been eliminated; use entries in the routestopped file instead.</li> file has been eliminated; use entries in the routestopped file instead.</li>
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no <li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is
longer accepted; you must convert to using the new syntax.</li> no longer accepted; you must convert to using the new syntax.</li>
<li value="6">The ALLOWRELATED variable in shorewall.conf is no <li value="6">The ALLOWRELATED variable in shorewall.conf is
longer supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.</li> no longer supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.</li>
<li value="6">Late-arriving DNS replies are now dropped by default; <li value="6">Late-arriving DNS replies are now dropped by default;
there is no need for your own /etc/shorewall/common file simply to avoid there is no need for your own /etc/shorewall/common file simply to avoid
logging these packets.</li> logging these packets.</li>
<li value="6">The 'firewall', 'functions' and 'version' file have <li value="6">The 'firewall', 'functions' and 'version' file
been moved to /usr/share/shorewall.</li> have been moved to /usr/share/shorewall.</li>
<li value="6">The icmp.def file has been removed. If you include <li value="6">The icmp.def file has been removed. If you include
it from /etc/shorewall/icmpdef, you will need to modify that file.</li> it from /etc/shorewall/icmpdef, you will need to modify that file.</li>
@ -190,36 +204,37 @@ longer accepted; you must convert to using the new syntax.</li>
<h3>Version 1.4.0</h3> <h3>Version 1.4.0</h3>
<ul> <ul>
<li value="8">The 'multi' interface option is no longer supported.  Shorewall <li value="8">The 'multi' interface option is no longer supported.
will generate rules for sending packets back out the same interface that  Shorewall will generate rules for sending packets back out the same
they arrived on in two cases:</li> interface that they arrived on in two cases:</li>
</ul> </ul>
<blockquote> <blockquote>
<ul> <ul>
<li>There is an <u>explicit</u> policy for the source zone to or from <li>There is an <u>explicit</u> policy for the source zone to or
the destination zone. An explicit policy names both zones and does not from the destination zone. An explicit policy names both zones and does
use the 'all' reserved word.</li> not use the 'all' reserved word.</li>
</ul> </ul>
<ul> <ul>
<li>There are one or more rules for traffic for the source zone to <li>There are one or more rules for traffic for the source zone to
or from the destination zone including rules that use the 'all' reserved or from the destination zone including rules that use the 'all' reserved
word. Exception: if the source zone and destination zone are the same then word. Exception: if the source zone and destination zone are the same
the rule must be explicit - it must name the zone in both the SOURCE and then the rule must be explicit - it must name the zone in both the SOURCE
DESTINATION columns.</li> and DESTINATION columns.</li>
</ul> </ul>
</blockquote> </blockquote>
<h3>Version &gt;= 1.3.14</h3> <h3>Version &gt;= 1.3.14</h3>
<img src="images/BD21298_3.gif" alt="" width="13" height="13"> <img src="images/BD21298_3.gif" alt="" width="13"
     Beginning in version 1.3.14, Shorewall treats entries in <a height="13">
href="Documentation.htm#Masq">/etc/shorewall/masq </a>differently. The change      Beginning in version 1.3.14, Shorewall treats entries in
involves entries with an <b>interface name</b> in the <b>SUBNET</b> (second) <a href="Documentation.htm#Masq">/etc/shorewall/masq </a>differently. The
<b>column</b>:<br> change involves entries with an <b>interface name</b> in the <b>SUBNET</b>
(second) <b>column</b>:<br>
<ul> <ul>
<li>Prior to 1.3.14, Shorewall would detect the FIRST subnet <li>Prior to 1.3.14, Shorewall would detect the FIRST subnet
@ -243,7 +258,8 @@ an interface name in the SUBNET (second) column; and</li>
</ol> </ol>
Two examples:<br> Two examples:<br>
<br> <br>
 <b>Example 1</b> -- Suppose that your current config is as follows:<br>  <b>Example 1</b> -- Suppose that your current config is as
follows:<br>
   <br>    <br>
<pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> eth0                    192.168.10.0/24         206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br> [root@gateway test]#</pre> <pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> eth0                    192.168.10.0/24         206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br> [root@gateway test]#</pre>
@ -261,7 +277,8 @@ this?<br>
</blockquote> </blockquote>
<pre> #INTERFACE              SUBNET                  ADDRESS <br> eth0                    192.168.1.0/24          206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre> <pre> #INTERFACE              SUBNET                  ADDRESS <br> eth0                    192.168.1.0/24          206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<img src="images/BD21298_3.gif" alt="" width="13" height="13"> <img src="images/BD21298_3.gif" alt="" width="13"
height="13">
    Version 1.3.14 also introduced simplified ICMP echo-request     Version 1.3.14 also introduced simplified ICMP echo-request
(ping) handling. The option OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf (ping) handling. The option OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf
is used to specify that the old (pre-1.3.14) ping handling is to be is used to specify that the old (pre-1.3.14) ping handling is to be
@ -290,38 +307,36 @@ application will need to be changed to reflect this change of location.<br>
<p>If you have a pair of firewall systems configured for failover <p>If you have a pair of firewall systems configured for failover
or if you have asymmetric routing, you will need to modify or if you have asymmetric routing, you will need to modify
your firewall setup slightly under Shorewall your firewall setup slightly under Shorewall
versions &gt;= 1.3.8. Beginning with version versions &gt;= 1.3.8. Beginning with version 1.3.8,
1.3.8, you must set NEWNOTSYN=Yes in you must set NEWNOTSYN=Yes in your
your /etc/shorewall/shorewall.conf file.</p> /etc/shorewall/shorewall.conf file.</p>
<h3>Version &gt;= 1.3.7</h3> <h3>Version &gt;= 1.3.7</h3>
<p>Users specifying ALLOWRELATED=No in /etc/shorewall.conf <p>Users specifying ALLOWRELATED=No in /etc/shorewall.conf
will need to include the following will need to include the following
rules in their /etc/shorewall/icmpdef rules in their /etc/shorewall/icmpdef file (creating this
file (creating this file if necessary):</p> file if necessary):</p>
<pre> run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT</pre> <pre> run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT</pre>
<p>Users having an /etc/shorewall/icmpdef file may remove the ". /etc/shorewall/icmp.def" <p>Users having an /etc/shorewall/icmpdef file may remove the ". /etc/shorewall/icmp.def"
command from that file since the icmp.def file is now empty.</p> command from that file since the icmp.def file is now empty.</p>
<h3><b><a name="Bering">Upgrading </a>Bering to <h3><b><a name="Bering">Upgrading </a>Bering to Shorewall &gt;= 1.3.3</b></h3>
Shorewall &gt;= 1.3.3</b></h3>
<p>To properly upgrade with Shorewall version <p>To properly upgrade with Shorewall version 1.3.3 and later:</p>
1.3.3 and later:</p>
<ol> <ol>
<li>Be sure you have a backup <li>Be sure you have a
-- you will need to transcribe any backup -- you will need to transcribe
Shorewall configuration changes that any Shorewall configuration changes
you have made to the new configuration.</li> that you have made to the new configuration.</li>
<li>Replace the shorwall.lrp <li>Replace the shorwall.lrp
package provided on the Bering floppy package provided on the Bering floppy
with the later one. If you did not with the later one. If you did not
obtain the later version from Jacques's obtain the later version from Jacques's site, see additional instructions
site, see additional instructions below.</li> below.</li>
<li>Edit the /var/lib/lrpkg/root.exclude.list <li>Edit the /var/lib/lrpkg/root.exclude.list
file and remove the /var/lib/shorewall file and remove the /var/lib/shorewall
entry if present. Then do not forget entry if present. Then do not forget
@ -342,30 +357,28 @@ to add the following two Bering-specific rules to /etc/shorewall/rules:<
<p align="left">If you have a pair of firewall systems configured for <p align="left">If you have a pair of firewall systems configured for
failover or if you have asymmetric routing, you will need to modify failover or if you have asymmetric routing, you will need to modify
your firewall setup slightly under Shorewall versions your firewall setup slightly under Shorewall versions 1.3.6
1.3.6 and 1.3.7</p> and 1.3.7</p>
<ol> <ol>
<li> <li>
<p align="left">Create the file /etc/shorewall/newnotsyn and in it add <p align="left">Create the file /etc/shorewall/newnotsyn and in it add
the following rule<br> the following rule<br>
<br> <br>
<font face="Courier">run_iptables -A newnotsyn <font face="Courier">run_iptables -A newnotsyn
-j RETURN # So that the connection tracking table can be -j RETURN # So that the connection tracking table can be
rebuilt<br> rebuilt<br>
                                    # from non-SYN                                     # from
packets after takeover.<br> non-SYN packets after takeover.<br>
 </font> </p>  </font> </p>
</li> </li>
<li> <li>
<p align="left">Create /etc/shorewall/common (if you don't already <p align="left">Create /etc/shorewall/common (if you don't already
have that file) and include the following:<br> have that file) and include the following:<br>
<br> <br>
<font face="Courier">run_iptables -A common -p <font face="Courier">run_iptables -A common
tcp --tcp-flags ACK,FIN,RST ACK -j ACCEPT #Accept Acks to -p tcp --tcp-flags ACK,FIN,RST ACK -j ACCEPT #Accept Acks
rebuild connection<br> to rebuild connection<br>
                                                                                                                                       
#tracking table. <br> #tracking table. <br>
. /etc/shorewall/common.def</font> </p> . /etc/shorewall/common.def</font> </p>
@ -375,8 +388,8 @@ rebuild connection<br>
<h3 align="left">Versions &gt;= 1.3.5</h3> <h3 align="left">Versions &gt;= 1.3.5</h3>
<p align="left">Some forms of pre-1.3.0 rules file syntax are no <p align="left">Some forms of pre-1.3.0 rules file syntax are no longer
longer supported. </p> supported. </p>
<p align="left">Example 1:</p> <p align="left">Example 1:</p>
@ -408,19 +421,17 @@ rebuild connection<br>
<h3 align="left">Version &gt;= 1.3.2</h3> <h3 align="left">Version &gt;= 1.3.2</h3>
<p align="left">The functions and versions files together with the <p align="left">The functions and versions files together with the 'firewall'
'firewall' symbolic link have moved from /etc/shorewall to /var/lib/shorewall. symbolic link have moved from /etc/shorewall to /var/lib/shorewall.
If you have applications that access these files, those If you have applications that access these files, those applications
applications should be modified accordingly.</p> should be modified accordingly.</p>
<p><font size="2"> Last updated 3/18/2003 - <p><font size="2"> Last updated 4/7/2003 - <a href="support.htm">Tom Eastep</a></font>
<a href="support.htm">Tom Eastep</a></font> </p> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p> </p>
<br> <br>
<br>
<br>
</body> </body>
</html> </html>