extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-02-10 06:49:18 +01:00
Code Issues Packages Projects Releases Wiki Activity

Shorewall 1.4.2

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@535 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2003-04-13 15:28:32 +00:00
parent ed0bbce737
commit 16906234c8
109 changed files with 29372 additions and 31361 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
Lrp/etc/shorewall/common.def
View File

@ -16,10 +16,10 @@ run_iptables -A common -p icmp -j icmpdef
############################################################################ ############################################################################
# NETBIOS chatter # NETBIOS chatter
# #
run_iptables -A common -p udp --dport 137:139 -j REJECT run_iptables -A common -p udp --dport 137:139 -j reject
run_iptables -A common -p udp --dport 445 -j REJECT run_iptables -A common -p udp --dport 445 -j reject
run_iptables -A common -p tcp --dport 139 -j REJECT run_iptables -A common -p tcp --dport 139 -j reject
run_iptables -A common -p tcp --dport 445 -j REJECT run_iptables -A common -p tcp --dport 445 -j reject
run_iptables -A common -p tcp --dport 135 -j reject run_iptables -A common -p tcp --dport 135 -j reject
############################################################################ ############################################################################
# UPnP # UPnP

9
Lrp/etc/shorewall/hosts
View File

@ -44,6 +44,15 @@
# an ethernet NIC and must be up before # an ethernet NIC and must be up before
# Shorewall is started. # Shorewall is started.
# #
# routeback - Shorewall show set up the infrastructure
# to pass packets from this/these
# address(es) back to themselves. This is
# necessary of hosts in this group use the
# services of a transparent proxy that is
# a member of the group or if DNAT is used
# to send requests originating from this
# group to a server in the group.
#
# #
#ZONE HOST(S) OPTIONS #ZONE HOST(S) OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE

48
Lrp/usr/share/shorewall/firewall
View File

@ -542,6 +542,9 @@ determine_hosts() {
interfaces="$interfaces $interface" interfaces="$interfaces $interface"
fi fi
fi fi
[ "${host#*:}" = "0.0.0.0/0" ] || \
eval ${zone}_is_complex=Yes
done done
eval ${zone}_interfaces="\$interfaces" eval ${zone}_interfaces="\$interfaces"
@ -605,6 +608,10 @@ validate_interfaces_file() {
;; ;;
routefilter|dropunclean|logunclean|blacklist|proxyarp|maclist|-) routefilter|dropunclean|logunclean|blacklist|proxyarp|maclist|-)
;; ;;
routeback)
[ -n "$z" ] || startup_error "The routeback option may not be specified on a multi-zone interface"
eval ${z}_routeback=\"$interface:0.0.0.0/0 \$${z}_routeback\"
;;
*) *)
error_message "Warning: Invalid option ($option) in record \"$r\"" error_message "Warning: Invalid option ($option) in record \"$r\""
;; ;;
@ -635,6 +642,9 @@ validate_hosts_file() {
case $option in case $option in
maclist|-) maclist|-)
;; ;;
routeback)
eval ${z}_routeback=\"$host \$${z}_routeback\"
;;
*) *)
error_message "Warning: Invalid option ($option) in record \"$r\"" error_message "Warning: Invalid option ($option) in record \"$r\""
;; ;;
@ -1665,16 +1675,16 @@ check_config() {
determine_interfaces determine_interfaces
determine_hosts determine_hosts
echo "Validating policy file..."
validate_policy
echo "Validating rules file..." echo "Validating rules file..."
rules=`find_file rules` rules=`find_file rules`
strip_file rules $rules strip_file rules $rules
process_rules process_rules
echo "Validating policy file..."
validate_policy
rm -rf $TMP_DIR rm -rf $TMP_DIR
echo "Configuration Validated" echo "Configuration Validated"
@ -3185,13 +3195,14 @@ initialize_netfilter () {
setcontinue FORWARD setcontinue FORWARD
setcontinue INPUT setcontinue INPUT
setcontinue OUTPUT setcontinue OUTPUT
# #
# Allow DNS lookups during startup for FQDNs and deep-six INVALID packets # Allow DNS lookups during startup for FQDNs and deep-six INVALID packets
# #
for chain in INPUT OUTPUT FORWARD; do for chain in INPUT OUTPUT FORWARD; do
run_iptables -A $chain -p udp --dport 53 -j ACCEPT run_iptables -A $chain -p udp --dport 53 -j ACCEPT
run_iptables -A $chain -m state --state INVALID -j DROP run_iptables -A $chain -p ! icmp -m state --state INVALID -j DROP
done done
[ -n "$CLAMPMSS" ] && \ [ -n "$CLAMPMSS" ] && \
@ -3661,6 +3672,13 @@ activate_rules()
chain1=`rules_chain $FW $zone` chain1=`rules_chain $FW $zone`
chain2=`rules_chain $zone $FW` chain2=`rules_chain $zone $FW`
eval complex=\$${zone}_is_complex
if [ -n "$complex" ]; then
frwd_chain=${zone}_frwd
createchain $frwd_chain No
fi
echo "$FW $zone $chain1" >> ${STATEDIR}/chains echo "$FW $zone $chain1" >> ${STATEDIR}/chains
echo "$zone $FW $chain2" >> ${STATEDIR}/chains echo "$zone $FW $chain2" >> ${STATEDIR}/chains
@ -3678,6 +3696,8 @@ activate_rules()
run_iptables -A `input_chain $interface` -s $subnet -j $chain2 run_iptables -A `input_chain $interface` -s $subnet -j $chain2
[ -n "$complex" ] && \
run_iptables -A `forward_chain $interface` -s $subnet -j $frwd_chain
done done
for zone1 in $zones; do for zone1 in $zones; do
@ -3692,17 +3712,27 @@ activate_rules()
echo "$zone $zone1 $chain" >> ${STATEDIR}/chains echo "$zone $zone1 $chain" >> ${STATEDIR}/chains
if [ $zone = $zone1 ]; then
eval routeback=\"\$${zone}_routeback\"
else
routeback=
fi
for host in $source_hosts; do for host in $source_hosts; do
interface=${host%:*} interface=${host%:*}
subnet=${host#*:}
chain1=`forward_chain $interface` if [ -n "$complex" ]; then
chain1=$frwd_chain
else
chain1=`forward_chain $interface`
fi
for host1 in $dest_hosts; do for host1 in $dest_hosts; do
interface1=${host1%:*} interface1=${host1%:*}
subnet1=${host1#*:} subnet1=${host1#*:}
if [ "$host" != "$host1" ]; then if [ "$host" != "$host1" ] || list_search $host $routeback; then
run_iptables -A $chain1 -s $subnet -o $interface1 -d $subnet1 -j $chain run_iptables -A $chain1 -o $interface1 -d $subnet1 -j $chain
fi fi
done done
done done

30
Lrp/usr/share/shorewall/functions
View File

@ -181,6 +181,34 @@ mutex_off()
rm -f $STATEDIR/lock rm -f $STATEDIR/lock
} }
#
# Read a file and handle "INCLUDE" directives
#
read_file() # $1 = file name, $2 = nest count
{
local first rest
while read first rest; do
if [ "x$first" = "xINCLUDE" ]; then
if [ $2 -lt 4 ]; then
read_file `find_file ${rest%#*}` $(($2 + 1))
else
echo " WARNING: INCLUDE in $1 ignored (nested too deeply)" >&2
fi
else
echo "$first $rest"
fi
done < $1
}
#
# Function for including one file into another
#
INCLUDE() {
. `find_file $@`
}
# #
# Strip comments and blank lines from a file and place the result in the # Strip comments and blank lines from a file and place the result in the
# temporary directory # temporary directory
@ -192,7 +220,7 @@ strip_file() # $1 = Base Name of the file, $2 = Full Name of File (optional)
[ $# = 1 ] && fname=`find_file $1` || fname=$2 [ $# = 1 ] && fname=`find_file $1` || fname=$2
if [ -f $fname ]; then if [ -f $fname ]; then
cut -d'#' -f1 $fname | grep -v '^[[:space:]]*$' > $TMP_DIR/$1 read_file $fname 0 | cut -d'#' -f1 | grep -v '^[[:space:]]*$' > $TMP_DIR/$1
else else
> $TMP_DIR/$1 > $TMP_DIR/$1
fi fi

2
Lrp/usr/share/shorewall/version
View File

@ -1 +1 @@
1.4.1 1.4.2

2
Lrp/var/lib/lrpkg/shorwall.version
View File

@ -1 +1 @@
1.4.1 1.4.2

16
STABLE/changelog.txt
View File

@ -1,9 +1,15 @@
Changes since 1.4.0 Changes since 1.4.1
1. Implement NONE policy. 1. Re-order steps in the 'check' command so that the policy file is
checked before the rules file.
2. Never create rules for <iface>:<subnet> to itself. 2. Create an intermediate chain for input from zones defined in terms
of specific hosts or networks.
3. Always allow intrazone traffic. 3. Fixed common.def to use 'reject' rather than 'REJECT'.
4. Correct building of ECN interface list under ash. 4. Added support for INCLUDE directive in all files.
5. Made traceroute -I work.
6. Add 'routeback' interface and host attribute.

1327
STABLE/documentation/FAQ.htm
View File

File diff suppressed because it is too large Load Diff

233
STABLE/documentation/Install.htm
View File

@ -15,139 +15,148 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Installation and <h1 align="center"><font color="#ffffff">Shorewall Installation and
Upgrade</font></h1> Upgrade</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p align="center"><b>Before upgrading, be sure to review the <a <p align="center"><b>Before upgrading, be sure to review the <a
href="upgrade_issues.htm">Upgrade Issues</a></b></p> href="upgrade_issues.htm">Upgrade Issues<br>
</a></b></p>
<div align="left"><b><br>
Before attempting installation, I strongly urge you to read and print a
copy of the <a href="shorewall_quickstart_guide.htm">Shorewall QuickStart
Guide</a> for the configuration that most closely matches your own.</b><br>
</div>
<p><font size="4"><b><a href="#Install_RPM">Install using RPM</a><br> <p><font size="4"><b><a href="#Install_RPM">Install using RPM</a><br>
<a href="#Install_Tarball">Install using tarball<br> <a href="#Install_Tarball">Install using tarball<br>
</a><a href="#LRP">Install the .lrp</a><br> </a><a href="#LRP">Install the .lrp</a><br>
<a href="#Upgrade_RPM">Upgrade using RPM</a><br> <a href="#Upgrade_RPM">Upgrade using RPM</a><br>
<a href="#Upgrade_Tarball">Upgrade using tarball<br> <a href="#Upgrade_Tarball">Upgrade using tarball<br>
</a><a href="#LRP_Upgrade">Upgrade the .lrp</a><br> </a><a href="#LRP_Upgrade">Upgrade the .lrp</a><br>
<a href="#Config_Files">Configuring Shorewall</a><br> <a href="#Config_Files">Configuring Shorewall</a><br>
<a href="fallback.htm">Uninstall/Fallback</a></b></font></p> <a href="fallback.htm">Uninstall/Fallback</a></b></font></p>
<p><a name="Install_RPM"></a>To install Shorewall using the RPM:</p> <p><a name="Install_RPM"></a>To install Shorewall using the RPM:</p>
<p><b>If you have RedHat 7.2 and are running iptables version 1.2.3 (at a <p><b>If you have RedHat 7.2 and are running iptables version 1.2.3 (at a
shell prompt, type "/sbin/iptables --version"), you must upgrade to version shell prompt, type "/sbin/iptables --version"), you must upgrade to version
1.2.4 either from the <a 1.2.4 either from the <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">RedHat update href="http://www.redhat.com/support/errata/RHSA-2001-144.html">RedHat update
site</a> or from the <a href="errata.htm">Shorewall Errata page</a> before site</a> or from the <a href="errata.htm">Shorewall Errata page</a> before
attempting to start Shorewall.</b></p> attempting to start Shorewall.</b></p>
<ul> <ul>
<li>Install the RPM (rpm -ivh &lt;shorewall rpm&gt;).<br> <li>Install the RPM (rpm -ivh &lt;shorewall rpm&gt;).<br>
<br> <br>
<b>Note1: </b>Some SuSE users have encountered a problem whereby <b>Note1: </b>Some SuSE users have encountered a problem whereby
rpm reports a conflict with kernel &lt;= 2.2 even though a 2.4 kernel rpm reports a conflict with kernel &lt;= 2.2 even though a 2.4 kernel
is installed. If this happens, simply use the --nodeps option to rpm is installed. If this happens, simply use the --nodeps option to rpm
(rpm -ivh --nodeps &lt;shorewall rpm&gt;).<br> (rpm -ivh --nodeps &lt;shorewall rpm&gt;).<br>
<br> <br>
<b>Note2: </b>Beginning with Shorewall 1.4.0, Shorewall is dependent <b>Note2: </b>Beginning with Shorewall 1.4.0, Shorewall is dependent
on the iproute package. Unfortunately, some distributions call this package on the iproute package. Unfortunately, some distributions call this package
iproute2 which will cause the installation of Shorewall to fail with the iproute2 which will cause the installation of Shorewall to fail with the
diagnostic:<br> diagnostic:<br>
<br> <br>
     error: failed dependencies:iproute is needed by shorewall-1.4.0-1      error: failed dependencies:iproute is needed by shorewall-1.4.0-1
<br> <br>
<br> <br>
This may be worked around by using the --nodeps option of rpm (rpm -ivh --nodeps This may be worked around by using the --nodeps option of rpm (rpm -ivh
&lt;shorewall rpm&gt;).<br> --nodeps &lt;shorewall rpm&gt;).<br>
<br> <br>
</li> </li>
<li>Edit the <a href="#Config_Files"> configuration files</a> to <li>Edit the <a href="#Config_Files"> configuration files</a> to
match your configuration. <font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u> match your configuration. <font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u>
SIMPLY INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION SIMPLY INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
IS REQUIRED BEFORE THE FIREWALL WILL START. IF YOU ISSUE A "start" COMMAND IS REQUIRED BEFORE THE FIREWALL WILL START. IF YOU ISSUE A "start" COMMAND
AND THE FIREWALL FAILS TO START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY AND THE FIREWALL FAILS TO START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY
NETWORK TRAFFIC. IF THIS HAPPENS, ISSUE A "shorewall clear" COMMAND TO RESTORE NETWORK TRAFFIC. IF THIS HAPPENS, ISSUE A "shorewall clear" COMMAND TO
NETWORK CONNECTIVITY.</b></font></li> RESTORE NETWORK CONNECTIVITY.</b></font></li>
<li>Start the firewall by typing "shorewall start"</li> <li>Start the firewall by typing "shorewall start"</li>
</ul> </ul>
<p><a name="Install_Tarball"></a>To install Shorewall using the tarball <p><a name="Install_Tarball"></a>To install Shorewall using the tarball
and install script: </p> and install script: </p>
<ul> <ul>
<li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li> <li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
<li>cd to the shorewall directory (the version is encoded in the <li>cd to the shorewall directory (the version is encoded in the
directory name as in "shorewall-1.1.10").</li> directory name as in "shorewall-1.1.10").</li>
<li>If you are using <a <li>If you are using <a
href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a
href="http://www.redhat.com">RedHat</a>, <a href="http://www.redhat.com">RedHat</a>, <a
href="http://www.linux-mandrake.com">Mandrake</a>, <a href="http://www.linux-mandrake.com">Mandrake</a>, <a
href="http://www.corel.com">Corel</a>, <a href="http://www.corel.com">Corel</a>, <a
href="http://www.slackware.com/">Slackware</a> or <a href="http://www.slackware.com/">Slackware</a> or <a
href="http://www.debian.org">Debian</a> then type "./install.sh"</li> href="http://www.debian.org">Debian</a> then type "./install.sh"</li>
<li>If you are using <a href="http://www.suse.com">SuSe</a> then <li>If you are using <a href="http://www.suse.com">SuSe</a> then
type "./install.sh /etc/init.d"</li> type "./install.sh /etc/init.d"</li>
<li>If your distribution has directory /etc/rc.d/init.d <li>If your distribution has directory /etc/rc.d/init.d
or /etc/init.d then type "./install.sh"</li> or /etc/init.d then type "./install.sh"</li>
<li>For other distributions, determine where your distribution <li>For other distributions, determine where your distribution
installs init scripts and type "./install.sh &lt;init script installs init scripts and type "./install.sh &lt;init script
directory&gt;</li> directory&gt;</li>
<li>Edit the <a href="#Config_Files"> configuration files</a> to <li>Edit the <a href="#Config_Files"> configuration files</a> to
match your configuration.</li> match your configuration.</li>
<li>Start the firewall by typing "shorewall start"</li> <li>Start the firewall by typing "shorewall start"</li>
<li>If the install script was unable to configure Shorewall to be <li>If the install script was unable to configure Shorewall to
started automatically at boot, see <a be started automatically at boot, see <a
href="starting_and_stopping_shorewall.htm">these instructions</a>.</li> href="starting_and_stopping_shorewall.htm">these instructions</a>.</li>
</ul> </ul>
<p><a name="LRP"></a>To install my version of Shorewall on a fresh Bering <p><a name="LRP"></a>To install my version of Shorewall on a fresh Bering
disk, simply replace the "shorwall.lrp" file on the image with the file that disk, simply replace the "shorwall.lrp" file on the image with the file
you downloaded. See the <a href="two-interface.htm">two-interface QuickStart that you downloaded. See the <a href="two-interface.htm">two-interface QuickStart
Guide</a> for information about further steps required.</p> Guide</a> for information about further steps required.</p>
<p><a name="Upgrade_RPM"></a>If you already have the Shorewall RPM installed <p><a name="Upgrade_RPM"></a>If you already have the Shorewall RPM installed
and are upgrading to a new version:</p> and are upgrading to a new version:</p>
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.4 version <p>If you are upgrading from a 1.2 version of Shorewall to a 1.4 version
or and you have entries in the /etc/shorewall/hosts file then please check or and you have entries in the /etc/shorewall/hosts file then please check
your /etc/shorewall/interfaces file to be sure that it contains an entry your /etc/shorewall/interfaces file to be sure that it contains an entry
for each interface mentioned in the hosts file. Also, there are certain for each interface mentioned in the hosts file. Also, there are certain
1.2 rule forms that are no longer supported under 1.4 (you must use the new 1.2 rule forms that are no longer supported under 1.4 (you must use the
1.4 syntax). See <a href="errata.htm#Upgrade">the upgrade issues </a>for details.</p> new 1.4 syntax). See <a href="errata.htm#Upgrade">the upgrade issues </a>for
details.</p>
<ul> <ul>
<li>Upgrade the RPM (rpm -Uvh &lt;shorewall rpm file&gt;) <b>Note: <li>Upgrade the RPM (rpm -Uvh &lt;shorewall rpm file&gt;) <b>Note:
</b>If you are installing version 1.2.0 and have one of the 1.2.0 </b>If you are installing version 1.2.0 and have one of the 1.2.0
Beta RPMs installed, you must use the "--oldpackage" option to rpm (e.g., Beta RPMs installed, you must use the "--oldpackage" option to rpm
"rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm"). (e.g., "rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm").
<p> <b>Note1: </b>Some SuSE users have encountered a problem whereby <p> <b>Note1: </b>Some SuSE users have encountered a problem whereby
rpm reports a conflict with kernel &lt;= 2.2 even though a 2.4 kernel rpm reports a conflict with kernel &lt;= 2.2 even though a 2.4 kernel
is installed. If this happens, simply use the --nodeps option to rpm (rpm is installed. If this happens, simply use the --nodeps option to rpm
-Uvh --nodeps &lt;shorewall rpm&gt;).<br> (rpm -Uvh --nodeps &lt;shorewall rpm&gt;).<br>
<br> <br>
<b>Note2: </b>Beginning with Shorewall 1.4.0, Shorewall is dependent on <b>Note2: </b>Beginning with Shorewall 1.4.0, Shorewall is dependent
the iproute package. Unfortunately, some distributions call this package iproute2 on the iproute package. Unfortunately, some distributions call this package
which will cause the upgrade of Shorewall to fail with the diagnostic:<br> iproute2 which will cause the upgrade of Shorewall to fail with the diagnostic:<br>
<br> <br>
     error: failed dependencies:iproute is needed by shorewall-1.4.0-1      error: failed dependencies:iproute is needed by shorewall-1.4.0-1
<br> <br>
<br> <br>
This may be worked around by using the --nodeps option of rpm (rpm -Uvh This may be worked around by using the --nodeps option of rpm (rpm -Uvh
--nodeps &lt;shorewall rpm&gt;). </p> --nodeps &lt;shorewall rpm&gt;). </p>
</li> </li>
<li>See if there are any incompatibilities between your configuration <li>See if there are any incompatibilities between your configuration
and the new Shorewall version (type "shorewall check") and correct as and the new Shorewall version (type "shorewall check") and correct as
necessary.</li> necessary.</li>
<li>Restart the firewall (shorewall restart).</li> <li>Restart the firewall (shorewall restart).</li>
</ul> </ul>
@ -163,33 +172,33 @@ rule forms that are no longer supported under 1.4 (you must use the new
details. </p> details. </p>
<ul> <ul>
<li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li> <li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
<li>cd to the shorewall directory (the version is encoded in the <li>cd to the shorewall directory (the version is encoded in the
directory name as in "shorewall-3.0.1").</li> directory name as in "shorewall-3.0.1").</li>
<li>If you are using <a <li>If you are using <a
href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a
href="http://www.redhat.com">RedHat</a>, <a href="http://www.redhat.com">RedHat</a>, <a
href="http://www.linux-mandrake.com">Mandrake</a>, <a href="http://www.linux-mandrake.com">Mandrake</a>, <a
href="http://www.corel.com">Corel</a>, <a href="http://www.corel.com">Corel</a>, <a
href="http://www.slackware.com/">Slackware</a> or <a href="http://www.slackware.com/">Slackware</a> or <a
href="http://www.debian.org">Debian</a> then type "./install.sh"</li> href="http://www.debian.org">Debian</a> then type "./install.sh"</li>
<li>If you are using<a href="http://www.suse.com"> SuSe</a> then <li>If you are using<a href="http://www.suse.com"> SuSe</a> then
type "./install.sh /etc/init.d"</li> type "./install.sh /etc/init.d"</li>
<li>If your distribution has directory /etc/rc.d/init.d <li>If your distribution has directory /etc/rc.d/init.d
or /etc/init.d then type "./install.sh"</li> or /etc/init.d then type "./install.sh"</li>
<li>For other distributions, determine where your distribution <li>For other distributions, determine where your distribution
installs init scripts and type "./install.sh &lt;init script installs init scripts and type "./install.sh &lt;init script
directory&gt;</li> directory&gt;</li>
<li>See if there are any incompatibilities between your configuration <li>See if there are any incompatibilities between your configuration
and the new Shorewall version (type "shorewall check") and correct as and the new Shorewall version (type "shorewall check") and correct as
necessary.</li> necessary.</li>
<li>Restart the firewall by typing "shorewall restart"</li> <li>Restart the firewall by typing "shorewall restart"</li>
</ul> </ul>
<a name="LRP_Upgrade"></a>If you already have a running Bering <a name="LRP_Upgrade"></a>If you already have a running Bering
installation and wish to upgrade to a later version of Shorewall:<br> installation and wish to upgrade to a later version of Shorewall:<br>
<br> <br>
    <b>UNDER CONSTRUCTION...</b><br>     <b>UNDER CONSTRUCTION...</b><br>
<h3><a name="Config_Files"></a>Configuring Shorewall</h3> <h3><a name="Config_Files"></a>Configuring Shorewall</h3>
@ -201,12 +210,14 @@ your setup. In most cases, the <a href="shorewall_quickstart_guide.htm">Shorewa
</ul> </ul>
<p><font size="2">Updated 3/18/2003 - <a href="support.htm">Tom Eastep</a> <p><font size="2">Updated 4/8/2003 - <a href="support.htm">Tom Eastep</a>
</font></p> </font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></p> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></p>
<br>
<br> <br>
<br>
<br> <br>
<br> <br>
<br> <br>

3060
STABLE/documentation/News.htm
View File

File diff suppressed because it is too large Load Diff

687
STABLE/documentation/Shorewall_Squid_Usage.html
View File

@ -12,484 +12,507 @@
<table cellpadding="0" cellspacing="0" border="0" width="100%" <table cellpadding="0" cellspacing="0" border="0" width="100%"
bgcolor="#400169"> bgcolor="#400169">
<tbody> <tbody>
<tr> <tr>
<td valign="middle" width="33%" bgcolor="#400169"><a <td valign="middle" width="33%" bgcolor="#400169"><a
href="http://www.squid-cache.org/"><img src="images/squidnow.gif" href="http://www.squid-cache.org/"><img src="images/squidnow.gif"
alt="" width="88" height="31" hspace="4"> alt="" width="88" height="31" hspace="4">
</a><br> </a><br>
</td> </td>
<td valign="middle" height="90" align="center" width="34%"><font <td valign="middle" height="90" align="center" width="34%"><font
color="#ffffff"><b><big><big><big><big>Using Shorewall with Squid</big></big></big></big></b></font><br> color="#ffffff"><b><big><big><big><big>Using Shorewall with Squid</big></big></big></big></b></font><br>
</td> </td>
<td valign="middle" height="90" width="33%" align="right"><a <td valign="middle" height="90" width="33%" align="right"><a
href="http://www.squid-cache.org/"><img src="images/cache_now.gif" href="http://www.squid-cache.org/"><img src="images/cache_now.gif"
alt="" width="100" height="31" hspace="4"> alt="" width="100" height="31" hspace="4">
</a><br> </a><br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br> <br>
This page covers Shorewall configuration to use with <a This page covers Shorewall configuration to use with <a
href="http://www.squid-cache.org/">Squid </a>running as a <u><b>Transparent href="http://www.squid-cache.org/">Squid </a>running as a <u><b>Transparent
Proxy</b></u>.&nbsp;<br> Proxy</b></u>. If you are running Shorewall 1.3, please see <a
<a href="#DMZ"></a><br> href="1.3/Shorewall_Squid_Usage.html">this documentation</a>.<br>
<img border="0" src="images/j0213519.gif" width="60" height="60" <a href="#DMZ"></a><br>
alt="Caution" align="middle"> <img border="0" src="images/j0213519.gif" width="60"
&nbsp;&nbsp;&nbsp; Please observe the following general requirements:<br> height="60" alt="Caution" align="middle">
<br> &nbsp;&nbsp;&nbsp; Please observe the following general requirements:<br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13"> <br>
&nbsp;&nbsp;&nbsp; </b>In all cases, Squid should be configured to <b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
run as a transparent proxy as described at <a &nbsp;&nbsp;&nbsp; </b>In all cases, Squid should be configured to
run as a transparent proxy as described at <a
href="http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html">http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html</a>.<br> href="http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html">http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html</a>.<br>
<b><br> <b><br>
</b><b><img src="images/BD21298_3.gif" alt="" width="13" </b><b><img src="images/BD21298_3.gif" alt="" width="13"
height="13"> height="13">
&nbsp;&nbsp;&nbsp; </b>The following instructions mention the files &nbsp;&nbsp;&nbsp; </b>The following instructions mention the files
/etc/shorewall/start and /etc/shorewall/init -- if you don't have those /etc/shorewall/start and /etc/shorewall/init -- if you don't have those
files, siimply create them.<br> files, siimply create them.<br>
<br> <br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13"> <b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
</b>&nbsp;&nbsp;&nbsp; When the Squid server is in the DMZ zone or </b>&nbsp;&nbsp;&nbsp; When the Squid server is in the DMZ zone
in the local zone, that zone must be defined ONLY by its interface -- no or in the local zone, that zone must be defined ONLY by its interface
/etc/shorewall/hosts file entries. That is because the packets being routed -- no /etc/shorewall/hosts file entries. That is because the packets being
to the Squid server still have their original destination IP addresses.<br> routed to the Squid server still have their original destination IP addresses.<br>
<br> <br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13"> <b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
</b>&nbsp;&nbsp;&nbsp; You must have iptables installed on your Squid </b>&nbsp;&nbsp;&nbsp; You must have iptables installed on your
server.<br> Squid server.<br>
<br> <br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13"> <b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
</b>&nbsp;&nbsp;&nbsp; You must have NAT and MANGLE enabled in your </b>&nbsp;&nbsp;&nbsp; You must have NAT and MANGLE enabled in your
/etc/shorewall/conf file<br> /etc/shorewall/conf file<br>
<br> <br>
&nbsp;&nbsp;&nbsp; <b><font color="#009900">&nbsp;&nbsp;&nbsp; NAT_ENABLED=Yes<br> &nbsp;&nbsp;&nbsp; <b><font color="#009900">&nbsp;&nbsp;&nbsp; NAT_ENABLED=Yes<br>
</font></b>&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; <font </font></b>&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; <font
color="#009900"><b>MANGLE_ENABLED=Yes</b></font><br> color="#009900"><b>MANGLE_ENABLED=Yes</b></font><br>
<br> <br>
Three different configurations are covered:<br> Three different configurations are covered:<br>
<ol> <ol>
<li><a href="Shorewall_Squid_Usage.html#Firewall">Squid running on <li><a href="Shorewall_Squid_Usage.html#Firewall">Squid running
the Firewall.</a></li> on the Firewall.</a></li>
<li><a href="Shorewall_Squid_Usage.html#Local">Squid running in the <li><a href="Shorewall_Squid_Usage.html#Local">Squid running in
local network</a></li> the local network</a></li>
<li><a href="Shorewall_Squid_Usage.html#DMZ">Squid running in the <li><a href="Shorewall_Squid_Usage.html#DMZ">Squid running in the
DMZ</a></li> DMZ</a></li>
</ol> </ol>
<h2><a name="Firewall"></a>Squid Running on the Firewall</h2> <h2><a name="Firewall"></a>Squid Running on the Firewall</h2>
You want to redirect all local www connection requests You want to redirect all local www connection requests EXCEPT
EXCEPT those to your those to your own
own http server (206.124.146.177) http server (206.124.146.177)
to a Squid transparent to a Squid
proxy running on the firewall and listening on port 3128. Squid transparent proxy running on the firewall and listening on port
will of course require access to remote web servers.<br> 3128. Squid will of course require access to remote web servers.<br>
<br> <br>
In /etc/shorewall/rules:<br> In /etc/shorewall/rules:<br>
<br> <br>
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"> <table border="1" cellpadding="2" style="border-collapse: collapse;">
<tbody> <tbody>
<tr>
<tr> <td><b>ACTION</b></td>
<td><b>ACTION</b></td> <td><b>SOURCE</b></td>
<td><b>SOURCE</b></td> <td><b>DEST</b></td>
<td><b>DEST</b></td> <td><b> PROTO</b></td>
<td><b> PROTO</b></td> <td><b>DEST<br>
<td><b>DEST<br> PORT(S)</b></td>
PORT(S)</b></td> <td><b>SOURCE<br>
<td><b>SOURCE<br> PORT(S)</b></td>
PORT(S)</b></td> <td><b>ORIGINAL<br>
<td><b>ORIGINAL<br> DEST</b></td>
DEST</b></td> </tr>
<tr>
</tr> <td>REDIRECT</td>
<tr> <td>loc</td>
<td>REDIRECT</td> <td>3128</td>
<td>loc</td> <td>tcp</td>
<td>3128</td> <td>www</td>
<td>tcp</td> <td> -<br>
<td>www</td> </td>
<td> -<br> <td>!206.124.146.177</td>
</td> </tr>
<td>!206.124.146.177</td> <tr>
</tr> <td>ACCEPT</td>
<tr> <td>fw</td>
<td>ACCEPT</td> <td>net</td>
<td>fw</td> <td>tcp</td>
<td>net</td> <td>www</td>
<td>tcp</td> <td> <br>
<td>www</td> </td>
<td> <br> <td> <br>
</td> </td>
<td> <br> </tr>
</td>
</tr>
</tbody> </tbody>
</table> </table>
<br> <br>
</blockquote> </blockquote>
<h2><a name="Local"></a>Squid Running in the local network</h2> <h2><a name="Local"></a>Squid Running in the local network</h2>
You want to redirect all local www connection requests to a Squid You want to redirect all local www connection requests to a Squid
transparent proxy transparent proxy
running in your local zone at 192.168.1.3 and listening on port 3128. running in your local zone at 192.168.1.3 and listening on port 3128.
Your local interface is eth1. There may also be a web server running on Your local interface is eth1. There may also be a web server running
192.168.1.3. It is assumed that web access is already enabled from the local on 192.168.1.3. It is assumed that web access is already enabled from the
zone to the internet.<br> local zone to the internet.<br>
<p><font color="#ff0000"><b>WARNING: </b></font>This setup may conflict with <p><font color="#ff0000"><b>WARNING: </b></font>This setup may conflict with
other aspects of your gateway including but not limited to traffic shaping other aspects of your gateway including but not limited to traffic shaping
and route redirection. For that reason, <b>I don't recommend it</b>.<br> and route redirection. For that reason, <b>I don't recommend it</b>.<br>
</p> </p>
<ul> <ul>
<li>On your firewall system, issue the following command<br> <li>On your firewall system, issue the following command<br>
</li> </li>
</ul> </ul>
<blockquote> <blockquote>
<pre><b><font color="#009900">echo 202 www.out &gt;&gt; /etc/iproute2/rt_tables</font></b><br></pre> <pre><b><font color="#009900">echo 202 www.out &gt;&gt; /etc/iproute2/rt_tables</font></b><br></pre>
</blockquote> </blockquote>
<ul> <ul>
<li>In /etc/shorewall/init, put:<br> <li>In /etc/shorewall/init, put:<br>
</li> </li>
</ul> </ul>
<blockquote> <blockquote>
<pre><b><font color="#009900">if [ -z "`ip rule list | grep www.out`" ] ; then<br> ip rule add fwmark 202 table www.out<br> ip route add default via 192.168.1.3 dev eth1 table www.out<br> ip route flush cache<br> echo 0 &gt; /proc/sys/net/ipv4/conf/eth1/send_redirects<br>fi<br></font></b></pre> <pre><b><font color="#009900">if [ -z "`ip rule list | grep www.out`" ] ; then<br> ip rule add fwmark 202 table www.out<br> ip route add default via 192.168.1.3 dev eth1 table www.out<br> ip route flush cache<br> echo 0 &gt; /proc/sys/net/ipv4/conf/eth1/send_redirects<br>fi<br></font></b></pre>
</blockquote> </blockquote>
<ul> <ul>
<li>In /etc/shorewall/rules:<br> <li>If you are running Shorewall 1.4.1 or Shorewall 1.4.1a, please
<br> upgrade to Shorewall 1.4.2 or later.<br>
<br>
<table border="1" cellpadding="2" style="border-collapse: collapse;"> </li>
<tbody> <li>If you are running Shorewall 1.4.2 or later, then in /etc/shorewall/interfaces:<br>
<br>
<tr>
<td><b>ACTION</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b> PROTO</b></td>
<td><b>DEST<br>
PORT(S)</b></td>
<td><b>SOURCE<br>
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
</tr>
<tr>
<td>ACCEPT<br>
</td>
<td>loc</td>
<td>loc<br>
</td>
<td>tcp</td>
<td>www</td>
<td> <br>
</td>
<td><br>
</td>
</tr>
</tbody>
</table>
<br>
</li>
<li>Alternativfely, you can have the following policy:<br>
<br>
<table cellpadding="2" cellspacing="0" border="1"> <table cellpadding="2" cellspacing="0" border="1">
<tbody> <tbody>
<tr> <tr>
<td valign="top"><b>SOURCE<br> <td valign="top">ZONE<br>
</b></td> </td>
<td valign="top"><b>DESTINATION<br> <td valign="top">INTERFACE<br>
</b></td> </td>
<td valign="top"><b>POLICY<br> <td valign="top">BROADCAST<br>
</b></td> </td>
<td valign="top"><b>LOG LEVEL<br> <td valign="top">OPTIONS<br>
</b></td> </td>
<td valign="top"><b>BURST PARAMETERS<br> </tr>
</b></td> <tr>
</tr> <td valign="top">loc<br>
<tr> </td>
<td valign="top">loc<br> <td valign="top">eth1<br>
</td> </td>
<td valign="top">loc<br> <td valign="top">detect<br>
</td> </td>
<td valign="top">ACCEPT<br> <td valign="top"><b>routeback</b><br>
</td> </td>
<td valign="top"><br> </tr>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody> </tbody>
</table> </table>
<br> <br>
</li> </li>
<li>In /etc/shorewall/start add:<br> <li>In /etc/shorewall/rules:<br>
<br>
<table border="1" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>ACTION</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b> PROTO</b></td>
<td><b>DEST<br>
PORT(S)</b></td>
<td><b>SOURCE<br>
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
</tr>
<tr>
<td>ACCEPT<br>
</td>
<td>loc</td>
<td>loc<br>
</td>
<td>tcp</td>
<td>www</td>
<td> <br>
</td>
<td><br>
</td>
</tr>
</tbody>
</table>
</li>
<br>
<li>Alternativfely, if you are running Shorewall 1.4.0 you can have the
following policy in place of the above rule:<br>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>SOURCE<br>
</b></td>
<td valign="top"><b>DESTINATION<br>
</b></td>
<td valign="top"><b>POLICY<br>
</b></td>
<td valign="top"><b>LOG LEVEL<br>
</b></td>
<td valign="top"><b>BURST PARAMETERS<br>
</b></td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">loc<br>
</td>
<td valign="top">ACCEPT<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</li> </li>
<li>In /etc/shorewall/start add:<br>
</li>
</ul> </ul>
<blockquote> <blockquote>
<pre><font color="#009900"><b>iptables -t mangle -A PREROUTING -i eth1 -s ! 192.168.1.3 -p tcp --dport 80 -j MARK --set-mark 202</b></font><br></pre> <pre><font color="#009900"><b>iptables -t mangle -A PREROUTING -i eth1 -s ! 192.168.1.3 -p tcp --dport 80 -j MARK --set-mark 202</b></font><br></pre>
</blockquote> </blockquote>
<ul> <ul>
<li>On 192.168.1.3, arrange for the following command to be executed <li>On 192.168.1.3, arrange for the following command to be executed
after networking has come up<br> after networking has come up<br>
<pre><b><font color="#009900">iptables -t nat -A PREROUTING -i eth0 -d ! 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 3128</font></b><br></pre> <pre><b><font color="#009900">iptables -t nat -A PREROUTING -i eth0 -d ! 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 3128</font></b><br></pre>
</li> </li>
</ul> </ul>
<blockquote> If you are running RedHat on the server, you can simply execute <blockquote> If you are running RedHat on the server, you can simply execute
the following commands after you have typed the iptables command above:<br> the following commands after you have typed the iptables command above:<br>
</blockquote> </blockquote>
<blockquote> <blockquote>
<blockquote> </blockquote> <blockquote> </blockquote>
<pre><font color="#009900"><b>iptables-save &gt; /etc/sysconfig/iptables</b></font><font <pre><font color="#009900"><b>iptables-save &gt; /etc/sysconfig/iptables</b></font><font
color="#009900"><b><br>chkconfig --level 35 iptables start<br></b></font></pre> color="#009900"><b><br>chkconfig --level 35 iptables start<br></b></font></pre>
</blockquote> </blockquote>
<blockquote> </blockquote> <blockquote> </blockquote>
<h2><a name="DMZ"></a>Squid Running in the DMZ (This is what I do)</h2> <h2><a name="DMZ"></a>Squid Running in the DMZ (This is what I do)</h2>
You have a single Linux system in your DMZ with IP address 192.0.2.177. You have a single Linux system in your DMZ with IP address 192.0.2.177.
You want to run both a web server and Squid on that system. Your DMZ interface You want to run both a web server and Squid on that system. Your DMZ
is eth1 and your local interface is eth2.<br> interface is eth1 and your local interface is eth2.<br>
<ul> <ul>
<li>On your firewall system, issue the following command<br> <li>On your firewall system, issue the following command<br>
</li> </li>
</ul> </ul>
<blockquote> <blockquote>
<pre><font color="#009900"><b>echo 202 www.out &gt;&gt; /etc/iproute2/rt_tables</b></font><br></pre> <pre><font color="#009900"><b>echo 202 www.out &gt;&gt; /etc/iproute2/rt_tables</b></font><br></pre>
</blockquote> </blockquote>
<ul> <ul>
<li>In /etc/shorewall/init, put:<br> <li>In /etc/shorewall/init, put:<br>
</li> </li>
</ul> </ul>
<blockquote> <blockquote>
<pre><font color="#009900"><b>if [ -z "`ip rule list | grep www.out`" ] ; then<br> ip rule add fwmark 202 table www.out<br> ip route add default via 192.0.2.177 dev eth1 table www.out<br> ip route flush cache<br>fi</b></font><br></pre> <pre><font color="#009900"><b>if [ -z "`ip rule list | grep www.out`" ] ; then<br> ip rule add fwmark 202 table www.out<br> ip route add default via 192.0.2.177 dev eth1 table www.out<br> ip route flush cache<br>fi</b></font><br></pre>
</blockquote> </blockquote>
<ul> <ul>
<li>&nbsp;Do<b> one </b>of the following:<br> <li>&nbsp;Do<b> one </b>of the following:<br>
<br> <br>
A) In /etc/shorewall/start add<br> A) In /etc/shorewall/start add<br>
</li> </li>
</ul> </ul>
<blockquote> <blockquote>
<pre><b><font color="#009900"> iptables -t mangle -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK --set-mark 202</font></b><br></pre> <pre><b><font color="#009900"> iptables -t mangle -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK --set-mark 202</font></b><br></pre>
</blockquote> </blockquote>
<blockquote>B) Set MARK_IN_FORWARD_CHAIN=No in /etc/shorewall/shorewall.conf <blockquote>B) Set MARK_IN_FORWARD_CHAIN=No in /etc/shorewall/shorewall.conf
and add the following entry in /etc/shorewall/tcrules:<br> and add the following entry in /etc/shorewall/tcrules:<br>
</blockquote>
<blockquote>
<blockquote>
<table cellpadding="2" border="1" cellspacing="0">
<tbody>
<tr>
<td valign="top">MARK<br>
</td>
<td valign="top">SOURCE<br>
</td>
<td valign="top">DESTINATION<br>
</td>
<td valign="top">PROTOCOL<br>
</td>
<td valign="top">PORT<br>
</td>
<td valign="top">CLIENT PORT<br>
</td>
</tr>
<tr>
<td valign="top">202<br>
</td>
<td valign="top">eth2<br>
</td>
<td valign="top">0.0.0.0/0<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">80<br>
</td>
<td valign="top">-<br>
</td>
</tr>
</tbody>
</table>
</blockquote> </blockquote>
C) Run Shorewall 1.3.14 or later and add the following entry in /etc/shorewall/tcrules:<br>
</blockquote>
<blockquote> <blockquote>
<blockquote> <blockquote>
<table cellpadding="2" border="1" cellspacing="0"> <table cellpadding="2" border="1" cellspacing="0">
<tbody> <tbody>
<tr> <tr>
<td valign="top">MARK<br> <td valign="top">MARK<br>
</td> </td>
<td valign="top">SOURCE<br> <td valign="top">SOURCE<br>
</td> </td>
<td valign="top">DESTINATION<br> <td valign="top">DESTINATION<br>
</td> </td>
<td valign="top">PROTOCOL<br> <td valign="top">PROTOCOL<br>
</td> </td>
<td valign="top">PORT<br> <td valign="top">PORT<br>
</td> </td>
<td valign="top">CLIENT PORT<br> <td valign="top">CLIENT PORT<br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top">202:P<br> <td valign="top">202<br>
</td> </td>
<td valign="top">eth2<br> <td valign="top">eth2<br>
</td> </td>
<td valign="top">0.0.0.0/0<br> <td valign="top">0.0.0.0/0<br>
</td> </td>
<td valign="top">tcp<br> <td valign="top">tcp<br>
</td> </td>
<td valign="top">80<br> <td valign="top">80<br>
</td> </td>
<td valign="top">-<br> <td valign="top">-<br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
<br> C) Run Shorewall 1.3.14 or later and add the following entry in /etc/shorewall/tcrules:<br>
</blockquote> </blockquote>
<ul>
<li>In /etc/shorewall/rules, you will need:</li>
</ul>
<blockquote> <blockquote>
<table cellpadding="2" border="1" cellspacing="0"> <blockquote>
<table cellpadding="2" border="1" cellspacing="0">
<tbody> <tbody>
<tr> <tr>
<td valign="top">ACTION<br> <td valign="top">MARK<br>
</td> </td>
<td valign="top">SOURCE<br> <td valign="top">SOURCE<br>
</td> </td>
<td valign="top">DEST<br> <td valign="top">DESTINATION<br>
</td> </td>
<td valign="top">PROTO<br> <td valign="top">PROTOCOL<br>
</td> </td>
<td valign="top">DEST<br> <td valign="top">PORT<br>
PORT(S)<br>
</td> </td>
<td valign="top">CLIENT<br> <td valign="top">CLIENT PORT<br>
PORT(2)<br>
</td>
<td valign="top">ORIGINAL<br>
DEST<br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top">ACCEPT<br> <td valign="top">202:P<br>
</td> </td>
<td valign="top">dmz<br> <td valign="top">eth2<br>
</td> </td>
<td valign="top">net<br> <td valign="top">0.0.0.0/0<br>
</td> </td>
<td valign="top">tcp<br> <td valign="top">tcp<br>
</td> </td>
<td valign="top">80<br> <td valign="top">80<br>
</td> </td>
<td valign="top"><br> <td valign="top">-<br>
</td>
<td valign="top"><br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br>
</blockquote> </blockquote>
</blockquote>
<ul> <ul>
<li>On 192.0.2.177 (your Web/Squid server), arrange for the following <li>In /etc/shorewall/rules, you will need:</li>
command to be executed after networking has come up<br>
</ul>
<blockquote>
<table cellpadding="2" border="1" cellspacing="0">
<tbody>
<tr>
<td valign="top">ACTION<br>
</td>
<td valign="top">SOURCE<br>
</td>
<td valign="top">DEST<br>
</td>
<td valign="top">PROTO<br>
</td>
<td valign="top">DEST<br>
PORT(S)<br>
</td>
<td valign="top">CLIENT<br>
PORT(2)<br>
</td>
<td valign="top">ORIGINAL<br>
DEST<br>
</td>
</tr>
<tr>
<td valign="top">ACCEPT<br>
</td>
<td valign="top">loc<br>
</td>
<td valign="top">dmz<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">80<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
<tr>
<td valign="top">ACCEPT<br>
</td>
<td valign="top">dmz<br>
</td>
<td valign="top">net<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">80<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
<ul>
<li>On 192.0.2.177 (your Web/Squid server), arrange for the following
command to be executed after networking has come up<br>
<pre><font color="#009900"><b>iptables -t nat -A PREROUTING -i eth0 -d ! 192.0.2.177 -p tcp --dport 80 -j REDIRECT --to-ports 3128</b></font><br></pre> <pre><font color="#009900"><b>iptables -t nat -A PREROUTING -i eth0 -d ! 192.0.2.177 -p tcp --dport 80 -j REDIRECT --to-ports 3128</b></font><br></pre>
</li> </li>
</ul> </ul>
<blockquote> If you are running RedHat on the server, you can simply execute <blockquote> If you are running RedHat on the server, you can simply execute
the following commands after you have typed the iptables command above:<br> the following commands after you have typed the iptables command above:<br>
</blockquote> </blockquote>
<blockquote> <blockquote>
<blockquote> </blockquote> <blockquote> </blockquote>
<pre><font color="#009900"><b>iptables-save &gt; /etc/sysconfig/iptables</b></font><font <pre><font color="#009900"><b>iptables-save &gt; /etc/sysconfig/iptables</b></font><font
color="#009900"><b><br>chkconfig --level 35 iptables start<br></b></font></pre> color="#009900"><b><br>chkconfig --level 35 iptables start<br></b></font></pre>
</blockquote> </blockquote>
<blockquote> </blockquote> <blockquote> </blockquote>
<p><font size="-1"> Updated 2/22/2003 - <a href="support.htm">Tom Eastep</a> <p><font size="-1"> Updated 4/7/2003 - <a href="support.htm">Tom Eastep</a>
</font></p> </font></p>
<a href="copyright.htm"><font size="2">Copyright</font> &copy;
<a <font size="2">2003 Thomas M. Eastep.</font></a><br>
href="copyright.htm"><font size="2">Copyright</font> &copy; <font
size="2">2003 Thomas M. Eastep.</font></a><br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br> <br>
</body> </body>
</html> </html>

839
STABLE/documentation/Shorewall_and_Aliased_Interfaces.html
View File

@ -13,186 +13,152 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall and Aliased Interfaces</font></h1> <h1 align="center"><font color="#ffffff">Shorewall and Aliased Interfaces</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br> <br>
<h2>Background</h2> <h2>Background</h2>
The traditional net-tools contain a program called <i>ifconfig</i> which The traditional net-tools contain a program called <i>ifconfig</i> which
is used to configure network devices. ifconfig introduced the concept of is used to configure network devices. ifconfig introduced the concept of
<i>aliased </i>or <i>virtial </i>interfaces. These virtual interfaces have <i>aliased </i>or <i>virtial </i>interfaces. These virtual interfaces have
names of the form <i>interface</i>:<i>integer </i>(e.g., eth0:0) and ifconfig names of the form <i>interface</i>:<i>integer </i>(e.g., eth0:0) and ifconfig
treats them more or less like real interfaces.<br> treats them more or less like real interfaces.<br>
<br> <br>
Example:<br> Example:<br>
<pre>[root@gateway root]# ifconfig eth0:0<br>eth0:0 Link encap:Ethernet HWaddr 02:00:08:3:FA:55<br> inet addr:206.124.146.178 Bcast:206.124.146.255 Mask:255.255.255.0<br> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br> Interrupt:11 Base address:0x2000<br>[root@gateway root]# <br></pre> <pre>[root@gateway root]# ifconfig eth0:0<br>eth0:0 Link encap:Ethernet HWaddr 02:00:08:3:FA:55<br> inet addr:206.124.146.178 Bcast:206.124.146.255 Mask:255.255.255.0<br> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br> Interrupt:11 Base address:0x2000<br>[root@gateway root]# <br></pre>
The ifconfig utility is being gradually phased out in favor of the <i>ip</i> The ifconfig utility is being gradually phased out in favor of the <i>ip</i>
utility which is part of the <i>iproute </i>package. The ip utility does utility which is part of the <i>iproute </i>package. The ip utility does
not use the concept of aliases or virtual interfaces but rather treats additional not use the concept of aliases or virtual interfaces but rather treats additional
addresses on an interface as objects. The ip utility does provide for interaction addresses on an interface as objects. The ip utility does provide for interaction
with ifconfig in that it allows addresses to be <i>labeled </i>and labels with ifconfig in that it allows addresses to be <i>labeled </i>and labels
may take the form of ipconfig virtual interfaces.<br> may take the form of ipconfig virtual interfaces.<br>
<br> <br>
Example:<br> Example:<br>
<br> <br>
<pre>[root@gateway root]# ip addr show dev eth0<br>2: eth0: &lt;BROADCAST,MULTICAST,UP&gt; mtu 1500 qdisc htb qlen 100<br> link/ether 02:00:08:e3:fa:55 brd ff:ff:ff:ff:ff:ff<br> inet 206.124.146.176/24 brd 206.124.146.255 scope global eth0<br> inet 206.124.146.178/24 brd 206.124.146.255 scope global secondary eth0:0<br>[root@gateway root]# <br></pre> <pre>[root@gateway root]# ip addr show dev eth0<br>2: eth0: &lt;BROADCAST,MULTICAST,UP&gt; mtu 1500 qdisc htb qlen 100<br> link/ether 02:00:08:e3:fa:55 brd ff:ff:ff:ff:ff:ff<br> inet 206.124.146.176/24 brd 206.124.146.255 scope global eth0<br> inet 206.124.146.178/24 brd 206.124.146.255 scope global secondary eth0:0<br>[root@gateway root]# <br></pre>
Note that one <u>cannot</u> type "ip addr show dev eth0:0" because "eth0:0" Note that one <u>cannot</u> type "ip addr show dev eth0:0" because "eth0:0"
is a label for a particular address rather than a device name.<br> is a label for a particular address rather than a device name.<br>
<pre>[root@gateway root]# ip addr show dev eth0:0<br>Device "eth0:0" does not exist.<br>[root@gateway root]#<br></pre> <pre>[root@gateway root]# ip addr show dev eth0:0<br>Device "eth0:0" does not exist.<br>[root@gateway root]#<br></pre>
The iptables program doesn't support virtual interfaces in either it's The iptables program doesn't support virtual interfaces in either it's
"-i" or "-o" command options; as a consequence, Shorewall does not allow "-i" or "-o" command options; as a consequence, Shorewall does not allow
them to be used in the /etc/shorewall/interfaces file.<br> them to be used in the /etc/shorewall/interfaces file.<br>
<br> <br>
<h2>So how do I handle more than one address on an interface?</h2> <h2>So how do I handle more than one address on an interface?</h2>
The answer depends on what you are trying to do with the interfaces. The answer depends on what you are trying to do with the interfaces.
In the sub-sections that follow, we'll take a look at common scenarios.<br> In the sub-sections that follow, we'll take a look at common scenarios.<br>
<h3>Separate Rules</h3> <h3>Separate Rules</h3>
If you need to make a rule for traffic to/from the firewall itself that If you need to make a rule for traffic to/from the firewall itself that
only applies to a particular IP address, simply qualify the $FW zone with only applies to a particular IP address, simply qualify the $FW zone with
the IP address.<br> the IP address.<br>
<br> <br>
Example (allow SSH from net to eth0:0 above):<br> Example (allow SSH from net to eth0:0 above):<br>
<br> <br>
<blockquote> <blockquote>
<table cellpadding="2" border="1" cellspacing="0"> <table cellpadding="2" border="1" cellspacing="0">
<tbody> <tbody>
<tr> <tr>
<td valign="top"><b>ACTION<br> <td valign="top"><b>ACTION<br>
</b></td> </b></td>
<td valign="top"><b>SOURCE<br> <td valign="top"><b>SOURCE<br>
</b></td> </b></td>
<td valign="top"><b>DESTINATION<br> <td valign="top"><b>DESTINATION<br>
</b></td> </b></td>
<td valign="top"><b>PROTOCOL<br> <td valign="top"><b>PROTOCOL<br>
</b></td> </b></td>
<td valign="top"><b>PORT(S)<br> <td valign="top"><b>PORT(S)<br>
</b></td> </b></td>
<td valign="top"><b>SOURCE PORT(S)<br> <td valign="top"><b>SOURCE PORT(S)<br>
</b></td> </b></td>
<td valign="top"><b>ORIGINAL DESTINATION<br> <td valign="top"><b>ORIGINAL DESTINATION<br>
</b></td> </b></td>
</tr> </tr>
<tr> <tr>
<td valign="top">DNAT<br> <td valign="top">ACCEPT<br>
</td>
<td valign="top">net<br>
</td>
<td valign="top">fw:206.124.146.178<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">22<br>
</td>
<td valign="top"><br>
</td> </td>
<td valign="top">net<br> <td valign="top"><br>
</td> </td>
<td valign="top">fw:206.124.146.178<br> </tr>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">22<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody> </tbody>
</table> </table>
<br> <br>
</blockquote> </blockquote>
<h3>DNAT</h3> <h3>DNAT</h3>
Suppose that I had set up eth0:0 as above and I wanted to port forward Suppose that I had set up eth0:0 as above and I wanted to port forward
from that virtual interface to a web server running in my local zone at from that virtual interface to a web server running in my local zone at
192.168.1.3. That is accomplised by a single rule in the /etc/shorewall/rules 192.168.1.3. That is accomplised by a single rule in the /etc/shorewall/rules
file:<br> file:<br>
<br> <br>
<blockquote> <blockquote>
<table cellpadding="2" border="1" cellspacing="0"> <table cellpadding="2" border="1" cellspacing="0">
<tbody> <tbody>
<tr> <tr>
<td valign="top"><b>ACTION<br> <td valign="top"><b>ACTION<br>
</b></td> </b></td>
<td valign="top"><b>SOURCE<br> <td valign="top"><b>SOURCE<br>
</b></td> </b></td>
<td valign="top"><b>DESTINATION<br> <td valign="top"><b>DESTINATION<br>
</b></td> </b></td>
<td valign="top"><b>PROTOCOL<br> <td valign="top"><b>PROTOCOL<br>
</b></td> </b></td>
<td valign="top"><b>PORT(S)<br> <td valign="top"><b>PORT(S)<br>
</b></td> </b></td>
<td valign="top"><b>SOURCE PORT(S)<br> <td valign="top"><b>SOURCE PORT(S)<br>
</b></td> </b></td>
<td valign="top"><b>ORIGINAL DESTINATION<br> <td valign="top"><b>ORIGINAL DESTINATION<br>
</b></td> </b></td>
</tr> </tr>
<tr> <tr>
<td valign="top">DNAT<br> <td valign="top">DNAT<br>
</td> </td>
<td valign="top">net<br> <td valign="top">net<br>
</td> </td>
<td valign="top">loc:192.168.1.3<br> <td valign="top">loc:192.168.1.3<br>
</td> </td>
<td valign="top">tcp<br> <td valign="top">tcp<br>
</td> </td>
<td valign="top">80<br> <td valign="top">80<br>
</td> </td>
<td valign="top">-<br> <td valign="top">-<br>
</td> </td>
<td valign="top">206.124.146.178<br> <td valign="top">206.124.146.178<br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br> <br>
</blockquote> </blockquote>
<h3>SNAT</h3> <h3>SNAT</h3>
If you wanted to use eth0:0 as the IP address for outbound connections If you wanted to use eth0:0 as the IP address for outbound connections
from your local zone (eth1), then in /etc/shorewall/masq:<br> from your local zone (eth1), then in /etc/shorewall/masq:<br>
<br> <br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>INTERFACE<br>
</b></td>
<td valign="top"><b>SUBNET<br>
</b></td>
<td valign="top"><b>ADDRESS<br>
</b></td>
</tr>
<tr>
<td valign="top">eth0<br>
</td>
<td valign="top">eth1<br>
</td>
<td valign="top">206.124.146.178<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
Shorewall can create the alias (additional address) for you if you set
ADD_SNAT_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with Shorewall
1.3.14, Shorewall can actually create the "label" (virtual interface) so
that you can see the created address using ifconfig. In addition to setting
ADD_SNAT_ALIASES=Yes, you specify the virtual interface name in the INTERFACE
column as follows:<br>
<blockquote> <blockquote>
<table cellpadding="2" cellspacing="0" border="1"> <table cellpadding="2" cellspacing="0" border="1">
@ -206,7 +172,7 @@ file:<br>
</b></td> </b></td>
</tr> </tr>
<tr> <tr>
<td valign="top">eth0:0<br> <td valign="top">eth0<br>
</td> </td>
<td valign="top">eth1<br> <td valign="top">eth1<br>
</td> </td>
@ -218,51 +184,42 @@ file:<br>
</table> </table>
<br> <br>
</blockquote> </blockquote>
Shorewall can create the alias (additional address) for you if you set
<h3>STATIC NAT</h3> ADD_SNAT_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with Shorewall
If you wanted to use static NAT to link eth0:0 with local address 192.168.1.3, 1.3.14, Shorewall can actually create the "label" (virtual interface) so
you would have the following in /etc/shorewall/nat:<br> that you can see the created address using ifconfig. In addition to setting
<br> ADD_SNAT_ALIASES=Yes, you specify the virtual interface name in the INTERFACE
column as follows:<br>
<blockquote> <blockquote>
<table cellpadding="2" cellspacing="0" border="1"> <table cellpadding="2" cellspacing="0" border="1">
<tbody> <tbody>
<tr> <tr>
<td valign="top"><b>EXTERNAL<br> <td valign="top"><b>INTERFACE<br>
</b></td> </b></td>
<td valign="top"><b>INTERFACE<br> <td valign="top"><b>SUBNET<br>
</b></td> </b></td>
<td valign="top"><b>INTERNAL<br> <td valign="top"><b>ADDRESS<br>
</b></td> </b></td>
<td valign="top"><b>ALL INTERFACES<br> </tr>
</b></td> <tr>
<td valign="top"><b>LOCAL<br> <td valign="top">eth0:0<br>
</b></td> </td>
</tr> <td valign="top">eth1<br>
<tr> </td>
<td valign="top">206.124.146.178<br> <td valign="top">206.124.146.178<br>
</td> </td>
<td valign="top">eth0<br> </tr>
</td>
<td valign="top">192.168.1.3<br>
</td>
<td valign="top">no<br>
</td>
<td valign="top">no<br>
</td>
</tr>
</tbody> </tbody>
</table> </table>
<br> <br>
</blockquote> </blockquote>
Shorewall can create the alias (additional address) for you if you set
ADD_IP_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with Shorewall <h3>STATIC NAT</h3>
1.3.14, Shorewall can actually create the "label" (virtual interface) so If you wanted to use static NAT to link eth0:0 with local address 192.168.1.3,
that you can see the created address using ifconfig. In addition to setting you would have the following in /etc/shorewall/nat:<br>
ADD_IP_ALIASES=Yes, you specify the virtual interface name in the INTERFACE <br>
column as follows:<br>
<br>
<blockquote> <blockquote>
<table cellpadding="2" cellspacing="0" border="1"> <table cellpadding="2" cellspacing="0" border="1">
@ -282,7 +239,7 @@ file:<br>
<tr> <tr>
<td valign="top">206.124.146.178<br> <td valign="top">206.124.146.178<br>
</td> </td>
<td valign="top">eth0:0<br> <td valign="top">eth0<br>
</td> </td>
<td valign="top">192.168.1.3<br> <td valign="top">192.168.1.3<br>
</td> </td>
@ -295,252 +252,115 @@ file:<br>
</tbody> </tbody>
</table> </table>
<br> <br>
</blockquote> </blockquote>
In either case, to create rules that pertain only to this NAT pair, you Shorewall can create the alias (additional address) for you if you set
simply qualify the local zone with the internal IP address.<br> ADD_IP_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with Shorewall
<br> 1.3.14, Shorewall can actually create the "label" (virtual interface) so
Example: You want to allow SSH from the net to 206.124.146.178 a.k.a. that you can see the created address using ifconfig. In addition to setting
192.168.1.3.<br> ADD_IP_ALIASES=Yes, you specify the virtual interface name in the INTERFACE
<br> column as follows:<br>
<br>
<blockquote> <blockquote>
<table cellpadding="2" border="1" cellspacing="0"> <table cellpadding="2" cellspacing="0" border="1">
<tbody> <tbody>
<tr> <tr>
<td valign="top"><b>ACTION<br> <td valign="top"><b>EXTERNAL<br>
</b></td> </b></td>
<td valign="top"><b>SOURCE<br> <td valign="top"><b>INTERFACE<br>
</b></td> </b></td>
<td valign="top"><b>DESTINATION<br> <td valign="top"><b>INTERNAL<br>
</b></td> </b></td>
<td valign="top"><b>PROTOCOL<br> <td valign="top"><b>ALL INTERFACES<br>
</b></td> </b></td>
<td valign="top"><b>PORT(S)<br> <td valign="top"><b>LOCAL<br>
</b></td> </b></td>
<td valign="top"><b>SOURCE PORT(S)<br> </tr>
</b></td> <tr>
<td valign="top"><b>ORIGINAL DESTINATION<br> <td valign="top">206.124.146.178<br>
</b></td> </td>
</tr> <td valign="top">eth0:0<br>
<tr> </td>
<td valign="top">ACCEPT<br> <td valign="top">192.168.1.3<br>
</td> </td>
<td valign="top">net<br> <td valign="top">no<br>
</td> </td>
<td valign="top">loc:192.168.1.3<br> <td valign="top">no<br>
</td> </td>
<td valign="top">tcp<br> </tr>
</td>
<td valign="top">22<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody> </tbody>
</table> </table>
<br> <br>
</blockquote> </blockquote>
In either case, to create rules that pertain only to this NAT pair, you
simply qualify the local zone with the internal IP address.<br>
<br>
Example: You want to allow SSH from the net to 206.124.146.178 a.k.a.
192.168.1.3.<br>
<br>
<blockquote>
<table cellpadding="2" border="1" cellspacing="0">
<tbody>
<tr>
<td valign="top"><b>ACTION<br>
</b></td>
<td valign="top"><b>SOURCE<br>
</b></td>
<td valign="top"><b>DESTINATION<br>
</b></td>
<td valign="top"><b>PROTOCOL<br>
</b></td>
<td valign="top"><b>PORT(S)<br>
</b></td>
<td valign="top"><b>SOURCE PORT(S)<br>
</b></td>
<td valign="top"><b>ORIGINAL DESTINATION<br>
</b></td>
</tr>
<tr>
<td valign="top">ACCEPT<br>
</td>
<td valign="top">net<br>
</td>
<td valign="top">loc:192.168.1.3<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">22<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
<h3>MULTIPLE SUBNETS</h3> <h3>MULTIPLE SUBNETS</h3>
Sometimes multiple IP addresses are used because there are multiple subnetworks Sometimes multiple IP addresses are used because there are multiple
configured on a LAN segment. This technique does not provide for any security subnetworks configured on a LAN segment. This technique does not provide
between the subnetworks if the users of the systems have administrative for any security between the subnetworks if the users of the systems have
privileges because in that case, the users can simply manipulate their system's administrative privileges because in that case, the users can simply manipulate
routing table to bypass your firewall/router. Nevertheless, there are cases their system's routing table to bypass your firewall/router. Nevertheless,
where you simply want to consider the LAN segment itself as a zone and allow there are cases where you simply want to consider the LAN segment itself
your firewall/router to route between the two subnetworks.<br> as a zone and allow your firewall/router to route between the two subnetworks.<br>
<br> <br>
Example 1: &nbsp;Local interface eth1 interfaces to 192.168.1.0/24 and Example 1: &nbsp;Local interface eth1 interfaces to 192.168.1.0/24 and
192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and eth1:0 192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and eth1:0
is 192.168.20.254. You want to simply route all requests between the two is 192.168.20.254. You want to simply route all requests between the two
subnetworks.<br> subnetworks.<br>
<h4>If you are running Shorewall 1.4.1 or Later</h4> <h4>If you are running Shorewall 1.4.1 or Later</h4>
In /etc/shorewall/interfaces:<br> In /etc/shorewall/interfaces:<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>ZONE<br>
</b></td>
<td valign="top"><b>INTERFACE<br>
</b></td>
<td valign="top"><b>BROADCAST<br>
</b></td>
<td valign="top"><b>OPTIONS<br>
</b></td>
</tr>
<tr>
<td valign="top">-<br>
</td>
<td valign="top">eth1<br>
</td>
<td valign="top">192.168.1.255,192.168.20.255<br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
In /etc/shorewall/hosts:<br>
<blockquote> <blockquote>
<table cellpadding="2" cellspacing="0" border="1"> <table cellpadding="2" cellspacing="0" border="1">
<tbody> <tbody>
<tr>
<td valign="top"><b>ZONE<br>
</b></td>
<td valign="top"><b>HOSTS<br>
</b></td>
<td valign="top"><b>OPTIONS<br>
</b></td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">eth0:192.168.1.0/24<br>
</td>
<td valign="top"><br>
</td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">eth0:192.168.20.0/24<br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
Note that you do NOT need any entry in /etc/shorewall/policy as Shorewall
1.4.1 and later releases default to allowing intra-zone traffic.<br>
<h4>If you are running Shorewall 1.4.0 or earlier<br>
</h4>
In /etc/shorewall/interfaces:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>ZONE<br>
</b></td>
<td valign="top"><b>INTERFACE<br>
</b></td>
<td valign="top"><b>BROADCAST<br>
</b></td>
<td valign="top"><b>OPTIONS<br>
</b></td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">eth1<br>
</td>
<td valign="top">192.168.1.255,192.168.20.255<br>
</td>
<td valign="top">Note 1:<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
Note 1: If you are running Shorewall 1.3.10 or earlier then you must
specify the <b>multi</b> option.<br>
<br>
In /etc/shorewall/policy:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>SOURCE<br>
</b></td>
<td valign="top"><b>DESTINATION<br>
</b></td>
<td valign="top"><b>POLICY<br>
</b></td>
<td valign="top"><b>LOG LEVEL<br>
</b></td>
<td valign="top"><b>BURST:LIMIT<br>
</b></td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">loc<br>
</td>
<td valign="top">ACCEPT<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
Example 2: Local interface eth1 interfaces to 192.168.1.0/24 and 192.168.20.0/24.
The primary IP address of eth1 is 192.168.1.254 and eth1:0 is 192.168.20.254.
You want to make these subnetworks into separate zones and control the access
between them (the users of the systems do not have administrative privileges).<br>
<br>
In /etc/shorewall/zones:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>ZONE<br>
</b></td>
<td valign="top"><b>DISPLAY<br>
</b></td>
<td valign="top"><b>DESCRIPTION<br>
</b></td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">Local<br>
</td>
<td valign="top">Local Zone 1<br>
</td>
</tr>
<tr>
<td valign="top">loc2<br>
</td>
<td valign="top">Local2<br>
</td>
<td valign="top">Local Zone 2<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
In /etc/shorewall/interfaces:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr> <tr>
<td valign="top"><b>ZONE<br> <td valign="top"><b>ZONE<br>
</b></td> </b></td>
@ -558,18 +378,55 @@ specify the <b>multi</b> option.<br>
</td> </td>
<td valign="top">192.168.1.255,192.168.20.255<br> <td valign="top">192.168.1.255,192.168.20.255<br>
</td> </td>
<td valign="top">Note 1:<br> <td valign="top"><br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br>
</blockquote>
In /etc/shorewall/hosts:<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>ZONE<br>
</b></td>
<td valign="top"><b>HOSTS<br>
</b></td>
<td valign="top"><b>OPTIONS<br>
</b></td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">eth0:192.168.1.0/24<br>
</td>
<td valign="top"><br>
</td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">eth0:192.168.20.0/24<br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
Note that you do NOT need any entry in /etc/shorewall/policy as Shorewall
1.4.1 and later releases default to allowing intra-zone traffic.<br>
<h4>If you are running Shorewall 1.4.0 or earlier<br>
</h4>
In /etc/shorewall/interfaces:<br>
<br> <br>
</blockquote>
Note 1: If you are running Shorewall 1.3.10 or earlier then you must
specify the <b>multi</b> option.<br>
<br>
In /etc/shorewall/hosts:<br>
<blockquote> <blockquote>
<table cellpadding="2" cellspacing="0" border="1"> <table cellpadding="2" cellspacing="0" border="1">
@ -577,7 +434,9 @@ specify the <b>multi</b> option.<br>
<tr> <tr>
<td valign="top"><b>ZONE<br> <td valign="top"><b>ZONE<br>
</b></td> </b></td>
<td valign="top"><b>HOSTS<br> <td valign="top"><b>INTERFACE<br>
</b></td>
<td valign="top"><b>BROADCAST<br>
</b></td> </b></td>
<td valign="top"><b>OPTIONS<br> <td valign="top"><b>OPTIONS<br>
</b></td> </b></td>
@ -585,15 +444,47 @@ specify the <b>multi</b> option.<br>
<tr> <tr>
<td valign="top">loc<br> <td valign="top">loc<br>
</td> </td>
<td valign="top">eth0:192.168.1.0/24<br> <td valign="top">eth1<br>
</td> </td>
<td valign="top"><br> <td valign="top">192.168.1.255,192.168.20.255<br>
</td>
<td valign="top">Note 1:<br>
</td> </td>
</tr> </tr>
</tbody>
</table>
<br>
</blockquote>
Note 1: If you are running Shorewall 1.3.10 or earlier then you must
specify the <b>multi</b> option.<br>
<br>
In /etc/shorewall/policy:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr> <tr>
<td valign="top">loc2<br> <td valign="top"><b>SOURCE<br>
</b></td>
<td valign="top"><b>DESTINATION<br>
</b></td>
<td valign="top"><b>POLICY<br>
</b></td>
<td valign="top"><b>LOG LEVEL<br>
</b></td>
<td valign="top"><b>BURST:LIMIT<br>
</b></td>
</tr>
<tr>
<td valign="top">loc<br>
</td> </td>
<td valign="top">eth0:192.168.20.0/24<br> <td valign="top">loc<br>
</td>
<td valign="top">ACCEPT<br>
</td>
<td valign="top"><br>
</td> </td>
<td valign="top"><br> <td valign="top"><br>
</td> </td>
@ -601,21 +492,131 @@ specify the <b>multi</b> option.<br>
</tbody> </tbody>
</table> </table>
<br>
</blockquote>
Example 2: Local interface eth1 interfaces to 192.168.1.0/24 and 192.168.20.0/24.
The primary IP address of eth1 is 192.168.1.254 and eth1:0 is 192.168.20.254.
You want to make these subnetworks into separate zones and control the
access between them (the users of the systems do not have administrative
privileges).<br>
<br>
In /etc/shorewall/zones:<br>
<br> <br>
</blockquote>
In /etc/shorewall/rules, simply specify ACCEPT rules for the traffic
that you want to permit.<br>
<br>
<p align="left"><font size="2">Last Updated 3/22/2003 A - <a <blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>ZONE<br>
</b></td>
<td valign="top"><b>DISPLAY<br>
</b></td>
<td valign="top"><b>DESCRIPTION<br>
</b></td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">Local<br>
</td>
<td valign="top">Local Zone 1<br>
</td>
</tr>
<tr>
<td valign="top">loc2<br>
</td>
<td valign="top">Local2<br>
</td>
<td valign="top">Local Zone 2<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
In /etc/shorewall/interfaces:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>ZONE<br>
</b></td>
<td valign="top"><b>INTERFACE<br>
</b></td>
<td valign="top"><b>BROADCAST<br>
</b></td>
<td valign="top"><b>OPTIONS<br>
</b></td>
</tr>
<tr>
<td valign="top">-<br>
</td>
<td valign="top">eth1<br>
</td>
<td valign="top">192.168.1.255,192.168.20.255<br>
</td>
<td valign="top">Note 1:<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
Note 1: If you are running Shorewall 1.3.10 or earlier then you must
specify the <b>multi</b> option.<br>
<br>
In /etc/shorewall/hosts:<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>ZONE<br>
</b></td>
<td valign="top"><b>HOSTS<br>
</b></td>
<td valign="top"><b>OPTIONS<br>
</b></td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">eth0:192.168.1.0/24<br>
</td>
<td valign="top"><br>
</td>
</tr>
<tr>
<td valign="top">loc2<br>
</td>
<td valign="top">eth0:192.168.20.0/24<br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
In /etc/shorewall/rules, simply specify ACCEPT rules for the traffic
that you want to permit.<br>
<br>
<p align="left"><font size="2">Last Updated 3/27/2003 A - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <p><a href="copyright.htm"><font size="2">Copyright</font> &copy;
<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
<br> <br>
</p> </p>
<br> <br>
<br> <br>
<br>
<br> <br>
</body> </body>
</html> </html>

463
STABLE/documentation/download.htm
View File

@ -17,59 +17,55 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Download</font></h1> <h1 align="center"><font color="#ffffff">Shorewall Download</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p><b>I strongly urge you to read and print a copy of the <a <p><b>I strongly urge you to read and print a copy of the <a
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a> href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
for the configuration that most closely matches your own.<br> for the configuration that most closely matches your own.<br>
</b></p> </b></p>
<p>The entire set of Shorewall documentation is available in PDF format <p>The entire set of Shorewall documentation is available in PDF format at:</p>
at:</p>
<p>    <a href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br> <p>    <a href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>     <a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
    <a href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>     <a href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>
</p> </p>
<p>The documentation in HTML format is included in the .rpm and in the <p>The documentation in HTML format is included in the .rpm and in the .tgz
.tgz packages below.</p> packages below.</p>
<p> Once you've printed the appropriate QuickStart Guide, download <u> <p> Once you've printed the appropriate QuickStart Guide, download <u>
one</u> of the modules:</p> one</u> of the modules:</p>
<ul> <ul>
<li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>, <li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>,
<b> Linux PPC</b> or <b> TurboLinux</b> distribution <b> Linux PPC</b> or <b> TurboLinux</b> distribution
with a 2.4 kernel, you can use the RPM version (note: the with a 2.4 kernel, you can use the RPM version (note: the
RPM should also work with other distributions that RPM should also work with other distributions that store
store init scripts in /etc/init.d and that include chkconfig init scripts in /etc/init.d and that include chkconfig or
or insserv). If you find that it works in other cases, let <a insserv). If you find that it works in other cases, let <a
href="mailto:teastep@shorewall.net"> me</a> know so that href="mailto:teastep@shorewall.net"> me</a> know so that
I can mention them here. See the <a href="Install.htm">Installation I can mention them here. See the <a href="Install.htm">Installation
Instructions</a> if you have problems installing the RPM.</li> Instructions</a> if you have problems installing the RPM.</li>
<li>If you are running LRP, download the .lrp file (you <li>If you are running LRP, download the .lrp file
might also want to download the .tgz so you will have a copy (you might also want to download the .tgz so you will have a
of the documentation).</li> copy of the documentation).</li>
<li>If you run <a href="http://www.debian.org"><b>Debian</b></a> <li>If you run <a href="http://www.debian.org"><b>Debian</b></a>
and would like a .deb package, Shorewall is included in both and would like a .deb package, Shorewall is included in both
the <a href="http://packages.debian.org/testing/net/shorewall.html">Debian the <a href="http://packages.debian.org/testing/net/shorewall.html">Debian
Testing Branch</a> and the <a Testing Branch</a> and the <a
href="http://packages.debian.org/unstable/net/shorewall.html">Debian href="http://packages.debian.org/unstable/net/shorewall.html">Debian Unstable
Unstable Branch</a>.</li> Branch</a>.</li>
<li>Otherwise, download the <i>shorewall</i> <li>Otherwise, download the <i>shorewall</i> module
module (.tgz)</li> (.tgz)</li>
</ul> </ul>
@ -77,21 +73,21 @@ the <a href="http://packages.debian.org/testing/net/shorewall.html">Debian
and there is an documentation .deb that also contains the documentation.  The and there is an documentation .deb that also contains the documentation.  The
.rpm will install the documentation in your default document directory which .rpm will install the documentation in your default document directory which
can be obtained using the following command:<br> can be obtained using the following command:<br>
</p> </p>
<blockquote> <blockquote>
<p><font color="#009900"><b>rpm --eval '%{defaultdocdir}'</b></font></p> <p><font color="#009900"><b>rpm --eval '%{defaultdocdir}'</b></font></p>
</blockquote> </blockquote>
<p>Please verify the version that you have downloaded -- during the <p>Please verify the version that you have downloaded -- during the
release of a new version of Shorewall, the links below may release of a new version of Shorewall, the links below may
point to a newer or an older version than is shown below.</p> point to a newer or an older version than is shown below.</p>
<ul> <ul>
<li>RPM - "rpm -qip LATEST.rpm"</li> <li>RPM - "rpm -qip shorewall-<i>version</i>.noarch.rpm"</li>
<li>TARBALL - "tar -ztf LATEST.tgz" (the directory <li>TARBALL - "tar -ztf shorewall-<i>version</i>.tgz"
name will contain the version)</li> (the directory name will contain the version)</li>
<li>LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar <li>LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar
-zxf &lt;downloaded .lrp&gt;; cat var/lib/lrpkg/shorwall.version" -zxf &lt;downloaded .lrp&gt;; cat var/lib/lrpkg/shorwall.version"
</li> </li>
@ -100,340 +96,86 @@ the <a href="http://packages.debian.org/testing/net/shorewall.html">Debian
<p>Once you have verified the version, check the <font <p>Once you have verified the version, check the <font
color="#ff0000"> <a href="errata.htm"> errata</a></font> to see color="#ff0000"> <a href="errata.htm"> errata</a></font> to see
if there are updates that apply to the version that you have if there are updates that apply to the version that you have
downloaded.</p> downloaded.</p>
<p><font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY INSTALL <p><font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY INSTALL
THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION IS
IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed configuration
configuration of your firewall, you can enable startup by removing the of your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.</b></font></p>
file /etc/shorewall/startup_disabled.</b></font></p>
<p><b>Download Latest Version</b> (<b>1.4.0</b>): <b>Remember that updates <p><b></b></p>
to the mirrors occur 1-12 hours after an update to the Washington
State site.</b></p>
<blockquote> <p><b>Download Sites:</b></p>
<table border="2" cellspacing="3" cellpadding="3"
style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>SERVER LOCATION</b></td>
<td><b>DOMAIN</b></td>
<td><b>HTTP</b></td>
<td><b>FTP</b></td>
</tr>
<tr>
<td valign="top">SourceForge<br>
</td>
<td valign="top">sf.net<br>
</td>
<td valign="top"><a
href="http://sourceforge.net/project/showfiles.php?group_id=22587">Download</a><br>
</td>
<td valign="top"><br>
</td>
</tr>
<tr>
<td>Slovak Republic</td>
<td>Shorewall.net</td>
<td><a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br>
<a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.md5sums">
Download.md5sums<br>
</a><a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.samples">Download
.samples</a><a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.md5sums"><br>
</a></td>
<td> <a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
<a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.md5sums">
Download.md5sums<br>
</a><a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.samples">Download
.samples</a><a
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.md5sums"><br>
</a></td>
</tr>
<tr>
<td>Texas, USA</td>
<td>Infohiiway.com</td>
<td><a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.rpm">Download
.rpm</a><br>
<a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.md5sums">
Download.md5sums<br>
</a><a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.samples">Download
.samples</a><a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.md5sums"><br>
</a></td>
<td> <a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.rpm">Download .rpm</a>  <br>
<a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.lrp"> Download
.lrp</a><br>
<a
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.md5sums">
Download.md5sums<br>
</a><a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.samples"> Download
.samples</a><a
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.md5sums"><br>
</a></td>
</tr>
<tr>
<td>Hamburg, Germany</td>
<td>Shorewall.net</td>
<td><a
href="http://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download
.rpm</a><br>
<a
href="http://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a><br>
<a
href="http://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a
href="http://germany.shorewall.net/pub/shorewall/LATEST.md5sums">
Download.md5sums<br>
</a><a
href="http://germany.shorewall.net/pub/shorewall/LATEST.samples">Download
.samples</a><a
href="http://germany.shorewall.net/pub/shorewall/LATEST.md5sums"><br>
</a></td>
<td> <a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download
.rpm</a>  <br>
<a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.md5sums">Download
.md5sums<br>
</a><a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.samples">Download
.samples</a><a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.md5sums"><br>
</a></td>
</tr>
<tr>
<td>Martinez (Zona Norte - GBA), Argentina</td>
<td>Correofuego.com.ar</td>
<td> <a
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
<a
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
Download .lrp</a><br>
<a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums">Download
.md5sums<br>
</a><a
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.samples">
Download .samples</a><a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums"><br>
</a></td>
<td> <a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
<a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
Download .lrp</a><br>
<a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums">Download
.md5sums<br>
</a><a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.samples">
Download .samples</a><a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums"><br>
</a></td>
</tr>
<tr>
<td>Paris, France</td>
<td>Shorewall.net</td>
<td><a
href="http://france.shorewall.net/pub/LATEST.rpm">Download .rpm</a><br>
<a
href="http://france.shorewall.net/pub/LATEST.tgz">Download
.tgz</a> <br>
<a
href="http://france.shorewall.net/pub/LATEST.lrp">Download
.lrp</a><br>
<a
href="http://france.shorewall.net/pub/LATEST.md5sums">Download
.md5sums<br>
</a><a href="http://france.shorewall.net/pub/LATEST.samples">Download
.samples</a><a
href="http://france.shorewall.net/pub/LATEST.md5sums"><br>
</a></td>
<td> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
<a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.md5sums">Download
.md5sums<br>
</a><a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.samples">Download
.samples</a><a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.md5sums"><br>
</a></td>
</tr>
<tr>
<td valign="middle">Washington State, USA<br>
</td>
<td valign="middle">Shorewall.net<br>
</td>
<td valign="top"><a
href="http://www.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br>
<a
href="http://www.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a
href="http://www.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a
href="http://www.shorewall.net/pub/shorewall/LATEST.md5sums">Download
.md5sums<br>
</a><a
href="http://www.shorewall.net/pub/shorewall/LATEST.samples">Download
.samples</a><br>
</td>
<td valign="top"><a
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.rpm" target="_blank">
Download .rpm</a> <br>
<a
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.tgz" target="_blank">Download
.tgz</a> <br>
<a
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.lrp" target="_blank">Download
.lrp</a><br>
<a target="_blank"
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.md5sums">Download
.md5sums<br>
</a><a
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.samples"
target="_blank">Download .samples</a><br>
</td>
</tr>
</tbody>
</table>
</blockquote>
<p><b>Browse Download Sites:</b></p>
<blockquote> <blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;"> <table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody> <tbody>
<tr> <tr>
<td><b>SERVER LOCATION</b></td> <td><b>SERVER LOCATION</b></td>
<td><b>DOMAIN</b></td> <td><b>DOMAIN</b></td>
<td><b>HTTP</b></td> <td><b>HTTP</b></td>
<td><b>FTP</b></td> <td><b>FTP</b></td>
</tr> </tr>
<tr> <tr>
<td>SourceForge<br> <td>SourceForge<br>
</td> </td>
<td>sf.net</td> <td>sf.net</td>
<td><a <td><a
href="http://sourceforge.net/project/showfiles.php?group_id=22587">Browse</a></td> href="http://sourceforge.net/project/showfiles.php?group_id=22587">Browse</a></td>
<td>N/A</td> <td>N/A</td>
</tr> </tr>
<tr>
<td>Slovak Republic</td>
<td>Shorewall.net</td>
<td><a
href="http://slovakia.shorewall.net/pub/shorewall/">Browse</a></td>
<td> <a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/">Browse</a></td>
</tr>
<tr>
<td>Texas, USA</td>
<td>Infohiiway.com</td>
<td><a
href="http://shorewall.infohiiway.com/pub/shorewall">Browse</a></td>
<td><a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/">Browse</a></td>
</tr>
<tr>
<td>Hamburg, Germany</td>
<td>Shorewall.net</td>
<td><a
href="http://germany.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall">Browse</a></td>
</tr>
<tr>
<td>Martinez (Zona Norte - GBA), Argentina</td>
<td>Correofuego.com.ar</td>
<td><a
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall">Browse</a></td>
<td> <a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall"> Browse</a></td>
</tr>
<tr>
<td>France</td>
<td>Shorewall.net</td>
<td><a
href="http://france.shorewall.net/pub/shorewall/LATEST.lrp">Browse</a></td>
<td> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/">Browse</a></td>
</tr>
<tr> <tr>
<td>Washington State, USA</td> <td>Slovak Republic</td>
<td>Shorewall.net</td> <td>Shorewall.net</td>
<td><a <td><a
href="http://www.shorewall.net/pub/shorewall/">Browse</a></td> href="http://slovakia.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a <td> <a target="_blank"
href="ftp://ftp.shorewall.net/pub/shorewall/" target="_blank">Browse</a></td> href="ftp://slovakia.shorewall.net/mirror/shorewall/">Browse</a></td>
</tr> </tr>
<tr>
<td>Texas, USA</td>
<td>Infohiiway.com</td>
<td><a
href="http://shorewall.infohiiway.com/pub/shorewall">Browse</a></td>
<td><a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/">Browse</a></td>
</tr>
<tr>
<td>Hamburg, Germany</td>
<td>Shorewall.net</td>
<td><a
href="http://germany.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall">Browse</a></td>
</tr>
<tr>
<td>Martinez (Zona Norte - GBA), Argentina</td>
<td>Correofuego.com.ar</td>
<td><a
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall">Browse</a></td>
<td> <a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall"> Browse</a></td>
</tr>
<tr>
<td>France</td>
<td>Shorewall.net</td>
<td><a
href="http://france.shorewall.net/pub/shorewall/LATEST.lrp">Browse</a></td>
<td> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/">Browse</a></td>
</tr>
<tr>
<td>Washington State, USA</td>
<td>Shorewall.net</td>
<td><a
href="http://www.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a
href="ftp://ftp.shorewall.net/pub/shorewall/" target="_blank">Browse</a></td>
</tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
<p align="left"><b>CVS:</b></p> <p align="left"><b>CVS:</b></p>
@ -443,14 +185,15 @@ the <a href="http://packages.debian.org/testing/net/shorewall.html">Debian
at cvs.shorewall.net</a> contains the latest snapshots of the each at cvs.shorewall.net</a> contains the latest snapshots of the each
Shorewall component. There's no guarantee that what you find there Shorewall component. There's no guarantee that what you find there
will work at all.<br> will work at all.<br>
</p> </p>
</blockquote> </blockquote>
<p align="left"><font size="2">Last Updated 3/6/2003 - <a <p align="left"><font size="2">Last Updated 3/24/2003 - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p> </p>
<br>
</body> </body>
</html> </html>

268
STABLE/documentation/errata.htm
View File

@ -2,19 +2,14 @@
<html> <html>
<head> <head>
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shorewall 1.4 Errata</title> <title>Shorewall 1.4 Errata</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
<meta name="author" content="Tom Eastep"> <meta name="author" content="Tom Eastep">
@ -24,15 +19,12 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1> <h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
@ -40,82 +32,100 @@
<p align="center"> <b><u>IMPORTANT</u></b></p> <p align="center"> <b><u>IMPORTANT</u></b></p>
<ol> <ol>
<li> <li>
<p align="left"> <b><u>I</u>f you use a Windows system to download <p align="left"> <b><u>I</u>f you use a Windows system to download
a corrected script, be sure to run the script through <u> a corrected script, be sure to run the script through <u>
<a href="http://www.megaloman.com/%7Ehany/software/hd2u/" <a href="http://www.megaloman.com/%7Ehany/software/hd2u/"
style="text-decoration: none;"> dos2unix</a></u> after you have moved style="text-decoration: none;"> dos2unix</a></u> after you have moved
it to your Linux system.</b></p> it to your Linux system.</b></p>
</li> </li>
<li> <li>
<p align="left"> <b>If you are installing Shorewall for the first <p align="left"> <b>If you are installing Shorewall for the first
time and plan to use the .tgz and install.sh script, you can untar time and plan to use the .tgz and install.sh script, you can untar
the archive, replace the 'firewall' script in the untarred directory the archive, replace the 'firewall' script in the untarred directory
with the one you downloaded below, and then run install.sh.</b></p> with the one you downloaded below, and then run install.sh.</b></p>
</li> </li>
<li> <li>
<p align="left"> <b>When the instructions say to install a corrected <p align="left"> <b>When the instructions say to install a corrected
firewall script in /usr/share/shorewall/firewall, you may firewall script in /usr/share/shorewall/firewall, you may
rename the existing file before copying in the new file.</b></p> rename the existing file before copying in the new file.</b></p>
</li> </li>
<li> <li>
<p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS <p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW.
For example, do NOT install the 1.3.9a firewall script if you are running For example, do NOT install the 1.3.9a firewall script if you are running
1.3.7c.</font></b><br> 1.3.7c.</font></b><br>
</p> </p>
</li> </li>
</ol> </ol>
<ul> <ul>
<li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li> <li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
<li><b><a href="#V1.4">Problems in Version 1.4</a></b><br> <li><b><a href="#V1.4">Problems in Version 1.4</a></b><br>
</li> </li>
<li> <b><a <li> <b><a
href="errata_3.html">Problems in Version 1.3</a></b></li> href="errata_3.html">Problems in Version 1.3</a></b></li>
<li> <b><a <li> <b><a
href="errata_2.htm">Problems in Version 1.2</a></b></li> href="errata_2.htm">Problems in Version 1.2</a></b></li>
<li> <b><font <li> <b><font
color="#660066"> <a href="errata_1.htm">Problems in Version 1.1</a></font></b></li> color="#660066"> <a href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
<li> <b><font <li> <b><font
color="#660066"><a href="#iptables"> Problem with iptables version 1.2.3 color="#660066"><a href="#iptables"> Problem with iptables version 1.2.3
on RH7.2</a></font></b></li> on RH7.2</a></font></b></li>
<li> <b><a <li> <b><a
href="#Debug">Problems with kernels &gt;= 2.4.18 and RedHat href="#Debug">Problems with kernels &gt;= 2.4.18 and RedHat
iptables</a></b></li> iptables</a></b></li>
<li><b><a href="#SuSE">Problems installing/upgrading <li><b><a href="#SuSE">Problems installing/upgrading
RPM on SuSE</a></b></li> RPM on SuSE</a></b></li>
<li><b><a href="#Multiport">Problems with iptables <li><b><a href="#Multiport">Problems with iptables
version 1.2.7 and MULTIPORT=Yes</a></b></li> version 1.2.7 and MULTIPORT=Yes</a></b></li>
<li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10 <li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10
and NAT</a></b><br> and NAT</a></b><br>
</li> </li>
</ul> </ul>
<hr> <hr>
<h2 align="left"><a name="V1.4"></a>Problems in Version 1.4</h2> <h2 align="left"><a name="V1.4"></a>Problems in Version 1.4</h2>
<h3></h3> <h3></h3>
<h3>1.4.0</h3> <h3>1.4.1a, 1.4.1 and 1.4.0</h3>
<ul> <ul>
<li>When running under certain shells Shorewall will attempt to create <li>Some TCP requests are rejected in the 'common' chain with an ICMP port-unreachable
ECN rules even when /etc/shorewall/ecn is empty. You may either just remove response rather than the more appropriate TCP RST response. This problem
/etc/shorewall/ecn or you can install <a is corrected in this updated common.def file which may be installed in /etc/shorewall/common.def.<br>
href="http://www.shorewall.net/pub/shorewall/errata/1.4.0/firewall">this
correct script</a> in /usr/share/shorewall/firewall as described above.<br>
</li> </li>
</ul> </ul>
<h3>1.4.1</h3>
<ul>
<li>When a "shorewall check" command is executed, each "rule" produces
the harmless additional message:<br>
<br>
     /usr/share/shorewall/firewall: line 2174: [: =: unary operator expected<br>
<br>
You may correct the problem by installing <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.1/firewall"
target="_top">this corrected script</a> in /usr/share/shorewall/firewall
as described above.<br>
</li>
</ul>
<h3>1.4.0</h3>
<ul>
<li>When running under certain shells Shorewall will attempt to create
ECN rules even when /etc/shorewall/ecn is empty. You may either just remove
/etc/shorewall/ecn or you can install <a
href="http://www.shorewall.net/pub/shorewall/errata/1.4.0/firewall">this
correct script</a> in /usr/share/shorewall/firewall as described above.<br>
</li>
</ul>
<hr width="100%" size="2"> <hr width="100%" size="2">
<h2 align="left"><a name="Upgrade"></a>Upgrade Issues</h2> <h2 align="left"><a name="Upgrade"></a>Upgrade Issues</h2>
@ -124,140 +134,122 @@ correct script</a> in /usr/share/shorewall/firewall as described above.<br>
<hr> <hr>
<h3 align="left"><a name="iptables"></a><font color="#660066"> Problem with <h3 align="left"><a name="iptables"></a><font color="#660066"> Problem with
iptables version 1.2.3</font></h3> iptables version 1.2.3</font></h3>
<blockquote> <blockquote>
<p align="left">There are a couple of serious bugs in iptables 1.2.3 that <p align="left">There are a couple of serious bugs in iptables 1.2.3 that
prevent it from working with Shorewall. Regrettably, prevent it from working with Shorewall. Regrettably,
RedHat released this buggy iptables in RedHat 7.2. </p> RedHat released this buggy iptables in RedHat 7.2. </p>
<p align="left"> I have built a <a <p align="left"> I have built a <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm"> href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
corrected 1.2.3 rpm which you can download here</a>  and I have corrected 1.2.3 rpm which you can download here</a>  and I have
also built an <a also built an <a
href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm"> href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
iptables-1.2.4 rpm which you can download here</a>. If you are currently iptables-1.2.4 rpm which you can download here</a>. If you are currently
running RedHat 7.1, you can install either of these RPMs running RedHat 7.1, you can install either of these RPMs
<b><u>before</u> </b>you upgrade to RedHat 7.2.</p> <b><u>before</u> </b>you upgrade to RedHat 7.2.</p>
<p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat <p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat
has released an iptables-1.2.4 RPM of their own which you can has released an iptables-1.2.4 RPM of their own which you can
download from<font color="#ff6633"> <a download from<font color="#ff6633"> <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>. href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
</font>I have installed this RPM on my firewall and it works </font>I have installed this RPM on my firewall and it works
fine.</p> fine.</p>
<p align="left">If you would like to patch iptables 1.2.3 yourself, <p align="left">If you would like to patch iptables 1.2.3 yourself,
the patches are available for download. This <a the patches are available for download. This <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a> href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
which corrects a problem with parsing of the --log-level specification which corrects a problem with parsing of the --log-level
while this <a specification while this <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a> href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
corrects a problem in handling the  TOS target.</p> corrects a problem in handling the  TOS target.</p>
<p align="left">To install one of the above patches:</p> <p align="left">To install one of the above patches:</p>
<ul> <ul>
<li>cd iptables-1.2.3/extensions</li> <li>cd iptables-1.2.3/extensions</li>
<li>patch -p0 &lt; <i>the-patch-file</i></li> <li>patch -p0 &lt; <i>the-patch-file</i></li>
</ul> </ul>
</blockquote> </blockquote>
<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18 and
<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18 RedHat iptables</h3>
and RedHat iptables</h3>
<blockquote> <blockquote>
<p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19 <p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19
may experience the following:</p> may experience the following:</p>
<blockquote> <blockquote>
<pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre> <pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre>
</blockquote> </blockquote>
<p>The RedHat iptables RPM is compiled with debugging enabled but the <p>The RedHat iptables RPM is compiled with debugging enabled but the
user-space debugging code was not updated to reflect recent changes in user-space debugging code was not updated to reflect recent changes in
the Netfilter 'mangle' table. You can correct the problem by the Netfilter 'mangle' table. You can correct the problem by
installing <a installing <a
href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm"> href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
this iptables RPM</a>. If you are already running a 1.2.5 version this iptables RPM</a>. If you are already running a 1.2.5
of iptables, you will need to specify the --oldpackage option version of iptables, you will need to specify the --oldpackage
to rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p> option to rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
</blockquote> </blockquote>
<h3><a name="SuSE"></a>Problems installing/upgrading <h3><a name="SuSE"></a>Problems installing/upgrading
RPM on SuSE</h3> RPM on SuSE</h3>
<p>If you find that rpm complains about a conflict
with kernel &lt;= 2.2 yet you have a 2.4 kernel
installed, simply use the "--nodeps" option to
rpm.</p>
<p>If you find that rpm complains about a conflict with kernel &lt;=
2.2 yet you have a 2.4 kernel installed, simply use the "--nodeps"
option to rpm.</p>
<p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p> <p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<p>Upgrading: rpm -Uvh --nodeps <i>&lt;shorewall rpm&gt;</i></p> <p>Upgrading: rpm -Uvh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<h3><a name="Multiport"></a><b>Problems with iptables version 1.2.7 and
MULTIPORT=Yes</b></h3>
<h3><a name="Multiport"></a><b>Problems with <p>The iptables 1.2.7 release of iptables has made an incompatible
iptables version 1.2.7 and MULTIPORT=Yes</b></h3> change to the syntax used to specify multiport match rules; as
a consequence, if you install iptables 1.2.7 you must be
running Shorewall 1.3.7a or later or:</p>
<p>The iptables 1.2.7 release of iptables has made
an incompatible change to the syntax used to
specify multiport match rules; as a consequence,
if you install iptables 1.2.7 you must be running
Shorewall 1.3.7a or later or:</p>
<ul> <ul>
<li>set MULTIPORT=No <li>set MULTIPORT=No
in /etc/shorewall/shorewall.conf; or </li> in /etc/shorewall/shorewall.conf; or
<li>if you are running </li>
Shorewall 1.3.6 you may install <li>if you are running
<a Shorewall 1.3.6 you may install
<a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
this firewall script</a> in /var/lib/shorewall/firewall this firewall script</a> in /var/lib/shorewall/firewall
as described above.</li> as described above.</li>
</ul> </ul>
<h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br> <h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br>
</h3> </h3>
/etc/shorewall/nat entries of the following form will result /etc/shorewall/nat entries of the following form will
in Shorewall being unable to start:<br> result in Shorewall being unable to start:<br>
<br> <br>
<pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22    eth0    192.168.9.22   yes     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre> <pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22    eth0    192.168.9.22   yes     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
Error message is:<br> Error message is:<br>
<pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre> <pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
The solution is to put "no" in the LOCAL column. Kernel The solution is to put "no" in the LOCAL column. Kernel
support for LOCAL=yes has never worked properly and 2.4.18-10 has support for LOCAL=yes has never worked properly and 2.4.18-10 has
disabled it. The 2.4.19 kernel contains corrected support under a new disabled it. The 2.4.19 kernel contains corrected support under a
kernel configuraiton option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br> new kernel configuraiton option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
<p><font size="2"> Last updated 3/21/2003 - <p><font size="2"> Last updated 3/25/2003 - <a href="support.htm">Tom Eastep</a></font>
<a href="support.htm">Tom Eastep</a></font> </p> </p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p> </p>
<br>
<br>
<br> <br>
<br> <br>
</body> </body>

180
STABLE/documentation/mailing_list.htm
View File

@ -2,22 +2,16 @@
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Mailing Lists</title> <title>Shorewall Mailing Lists</title>
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
@ -25,109 +19,101 @@
<table height="90" bgcolor="#400169" id="AutoNumber1" width="100%" <table height="90" bgcolor="#400169" id="AutoNumber1" width="100%"
style="border-collapse: collapse;" cellspacing="0" cellpadding="0" style="border-collapse: collapse;" cellspacing="0" cellpadding="0"
border="0"> border="0">
<tbody> <tbody>
<tr> <tr>
<td width="33%" valign="middle" align="left"> <td width="33%" valign="middle" align="left">
<h1 align="center"><a <h1 align="center"><a
href="http://www.centralcommand.com/linux_products.html"><img href="http://www.centralcommand.com/linux_products.html"><img
src="images/Vexira_Antivirus_Logo.gif" alt="Vexira Logo" width="78" src="images/Vexira_Antivirus_Logo.gif" alt="Vexira Logo" width="78"
height="79" align="left"> height="79" align="left">
</a></h1> </a></h1>
<a
<a
href="http://www.gnu.org/software/mailman/mailman.html"> <img href="http://www.gnu.org/software/mailman/mailman.html"> <img
border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110" border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110"
height="35" alt=""> height="35" alt="">
</a> </a>
<p align="right"><font color="#ffffff"><b>  </b></font> </p> <p align="right"><font color="#ffffff"><b>  </b></font> </p>
</td> </td>
<td valign="middle" width="34%" align="center"> <td valign="middle" width="34%" align="center">
<h1 align="center"><font color="#ffffff">Shorewall Mailing Lists</font></h1> <h1 align="center"><font color="#ffffff">Shorewall Mailing Lists</font></h1>
</td> </td>
<td valign="middle" width="33%"> <a <td valign="middle" width="33%"> <a
href="http://www.postfix.org/"> <img href="http://www.postfix.org/"> <img
src="images/small-picture.gif" align="right" border="0" width="115" src="images/small-picture.gif" align="right" border="0" width="115"
height="45" alt="(Postfix Logo)"> height="45" alt="(Postfix Logo)">
</a><br> </a><br>
<div align="left"><a href="http://www.spamassassin.org"><img <div align="left"><a href="http://www.spamassassin.org"><img
src="images/ninjalogo.png" alt="" width="110" height="42" align="right" src="images/ninjalogo.png" alt="" width="110" height="42" align="right"
border="0"> border="0">
</a> </div> </a> </div>
<br> <br>
<div align="right"><br> <div align="right"><br>
<b><font color="#ffffff"><br> <b><font color="#ffffff"><br>
Powered by Postfix    </font></b><br> Powered by Postfix    </font></b><br>
</div> </div>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<h1>REPORTING A PROBLEM OR ASKING FOR HELP? If you haven't already, please <h1>REPORTING A PROBLEM OR ASKING FOR HELP? If you haven't already, please
read the <a href="http://www.shorewall.net/support.htm">Shorewall Support read the <a href="http://www.shorewall.net/support.htm">Shorewall Support
Guide</a>.<br> Guide</a>.<br>
</h1> </h1>
<p align="left">If you experience problems with any of these lists, please <p align="left">If you experience problems with any of these lists, please
let <a href="mailto:teastep@shorewall.net">me</a> know</p> let <a href="mailto:teastep@shorewall.net">me</a> know</p>
<h2 align="left">Not able to Post Mail to shorewall.net?</h2> <h2 align="left">Not able to Post Mail to shorewall.net?</h2>
<p align="left">You can report such problems by sending mail to tom dot eastep <p align="left">You can report such problems by sending mail to tmeastep
at hp dot com.</p> at hotmail dot com.</p>
<h2>A Word about SPAM Filters <a href="http://ordb.org"></a><a <h2>A Word about SPAM Filters <a href="http://ordb.org"></a><a
href="http://osirusoft.com/"> </a></h2> href="http://osirusoft.com/"> </a></h2>
<p>Before subscribing please read my <a href="spam_filters.htm">policy <p>Before subscribing please read my <a href="spam_filters.htm">policy
about list traffic that bounces.</a> Also please note that the mail server about list traffic that bounces.</a> Also please note that the mail server
at shorewall.net checks incoming mail:<br> at shorewall.net checks incoming mail:<br>
</p> </p>
<ol> <ol>
<li>against <a href="http://spamassassin.org">Spamassassin</a> <li>against <a href="http://spamassassin.org">Spamassassin</a>
(including <a href="http://razor.sourceforge.net/">Vipul's Razor</a>).<br> (including <a href="http://razor.sourceforge.net/">Vipul's Razor</a>).<br>
</li> </li>
<li>to ensure that the sender address is fully qualified.</li> <li>to ensure that the sender address is fully qualified.</li>
<li>to verify that the sender's domain has an A or MX <li>to verify that the sender's domain has an A or MX
record in DNS.</li> record in DNS.</li>
<li>to ensure that the host name in the HELO/EHLO command <li>to ensure that the host name in the HELO/EHLO command
is a valid fully-qualified DNS name that resolves.</li> is a valid fully-qualified DNS name that resolves.</li>
</ol> </ol>
<h2>Please post in plain text</h2> <h2>Please post in plain text</h2>
A growing number of MTAs serving list subscribers are rejecting A growing number of MTAs serving list subscribers are rejecting
all HTML traffic. At least one MTA has gone so far as to blacklist shorewall.net all HTML traffic. At least one MTA has gone so far as to blacklist shorewall.net
"for continuous abuse" because it has been my policy to allow HTML in "for continuous abuse" because it has been my policy to allow HTML in
list posts!!<br> list posts!!<br>
<br> <br>
I think that blocking all HTML is a Draconian way to control I think that blocking all HTML is a Draconian way to control
spam and that the ultimate losers here are not the spammers but the spam and that the ultimate losers here are not the spammers but the list
list subscribers whose MTAs are bouncing all shorewall.net mail. As subscribers whose MTAs are bouncing all shorewall.net mail. As one list
one list subscriber wrote to me privately "These e-mail admin's need to subscriber wrote to me privately "These e-mail admin's need to get a <i>(explitive
get a <i>(explitive deleted)</i> life instead of trying to rid the planet deleted)</i> life instead of trying to rid the planet of HTML based e-mail".
of HTML based e-mail". Nevertheless, to allow subscribers to receive list Nevertheless, to allow subscribers to receive list posts as must as possible,
posts as must as possible, I have now configured the list server at shorewall.net I have now configured the list server at shorewall.net to strip all HTML
to strip all HTML from outgoing posts. This means that HTML-only posts from outgoing posts. This means that HTML-only posts will be bounced by
will be bounced by the list server.<br> the list server.<br>
<p align="left"> <b>Note: </b>The list server limits posts to 120kb.<br> <p align="left"> <b>Note: </b>The list server limits posts to 120kb.<br>
</p> </p>
<h2>Other Mail Delivery Problems</h2> <h2>Other Mail Delivery Problems</h2>
If you find that you are missing an occasional list post, your If you find that you are missing an occasional list post, your
e-mail admin may be blocking mail whose <i>Received:</i> headers contain e-mail admin may be blocking mail whose <i>Received:</i> headers contain
the names of certain ISPs. Again, I believe that such policies hurt more the names of certain ISPs. Again, I believe that such policies hurt more
than they help but I'm not prepared to go so far as to start stripping <i>Received:</i> than they help but I'm not prepared to go so far as to start stripping <i>Received:</i>
@ -138,20 +124,17 @@ than they help but I'm not prepared to go so far as to start stripping <i>Recei
<form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch"> <form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch">
<p> <font size="-1"> Match: <p> <font size="-1"> Match:
<select name="method"> <select name="method">
<option value="and">All </option> <option value="and">All </option>
<option value="or">Any </option> <option value="or">Any </option>
<option value="boolean">Boolean </option> <option value="boolean">Boolean </option>
</select> </select>
Format: Format:
<select name="format"> <select name="format">
<option value="builtin-long">Long </option> <option value="builtin-long">Long </option>
<option value="builtin-short">Short </option> <option value="builtin-short">Short </option>
</select> </select>
Sort by: Sort by:
<select name="sort"> <select name="sort">
<option value="score">Score </option> <option value="score">Score </option>
<option value="time">Time </option> <option value="time">Time </option>
@ -160,22 +143,21 @@ than they help but I'm not prepared to go so far as to start stripping <i>Recei
<option value="revtime">Reverse Time </option> <option value="revtime">Reverse Time </option>
<option value="revtitle">Reverse Title </option> <option value="revtitle">Reverse Title </option>
</select> </select>
</font> <input type="hidden" name="config" </font> <input type="hidden" name="config"
value="htdig"> <input type="hidden" name="restrict" value="htdig"> <input type="hidden" name="restrict"
value="[http://lists.shorewall.net/pipermail/.*]"> <input type="hidden" value="[http://lists.shorewall.net/pipermail/.*]"> <input type="hidden"
name="exclude" value=""> <br> name="exclude" value=""> <br>
Search: <input type="text" size="30" name="words" Search: <input type="text" size="30" name="words"
value=""> <input type="submit" value="Search"> </p> value=""> <input type="submit" value="Search"> </p>
</form> </form>
<h2 align="left"><font color="#ff0000">Please do not try to download the
<h2 align="left"><font color="#ff0000">Please do not try to download the entire entire Archive -- it is 75MB (and growing daily) and my slow DSL line simply
Archive -- it is 75MB (and growing daily) and my slow DSL line simply won't won't stand the traffic. If I catch you, you will be blacklisted.<br>
stand the traffic. If I catch you, you will be blacklisted.<br> </font></h2>
</font></h2>
<h2 align="left">Shorewall CA Certificate</h2> <h2 align="left">Shorewall CA Certificate</h2>
If you want to trust X.509 certificates issued by Shoreline If you want to trust X.509 certificates issued by Shoreline
Firewall (such as the one used on my web site), you may <a Firewall (such as the one used on my web site), you may <a
href="Shorewall_CA_html.html">download and install my CA certificate</a> href="Shorewall_CA_html.html">download and install my CA certificate</a>
in your browser. If you don't wish to trust my certificates then in your browser. If you don't wish to trust my certificates then
@ -195,12 +177,12 @@ stand the traffic. If I catch you, you will be blacklisted.<br>
guidelines</a>.</b></p> guidelines</a>.</b></p>
<p align="left">To subscribe to the mailing list:<br> <p align="left">To subscribe to the mailing list:<br>
</p> </p>
<ul> <ul>
<li><b>Insecure: </b><a <li><b>Insecure: </b><a
href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a></li> href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a></li>
<li><b>SSL:</b> <a <li><b>SSL:</b> <a
href="https://lists.shorewall.net/mailman/listinfo/shorewall-users" href="https://lists.shorewall.net/mailman/listinfo/shorewall-users"
target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-users</a></li> target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-users</a></li>
@ -212,30 +194,30 @@ stand the traffic. If I catch you, you will be blacklisted.<br>
<p align="left">The list archives are at <a <p align="left">The list archives are at <a
href="http://lists.shorewall.net/pipermail/shorewall-users/index.html">http://lists.shorewall.net/pipermail/shorewall-users</a>.</p> href="http://lists.shorewall.net/pipermail/shorewall-users/index.html">http://lists.shorewall.net/pipermail/shorewall-users</a>.</p>
<p align="left">Note that prior to 1/1/2002, the mailing list was hosted <p align="left">Note that prior to 1/1/2002, the mailing list was hosted at
at <a href="http://sourceforge.net">Sourceforge</a>. The archives from that <a href="http://sourceforge.net">Sourceforge</a>. The archives from that list
list may be found at <a may be found at <a
href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p> href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p>
<h2 align="left">Shorewall Announce Mailing List</h2> <h2 align="left">Shorewall Announce Mailing List</h2>
<p align="left">This list is for announcements of general interest to the <p align="left">This list is for announcements of general interest to the
Shorewall community. To subscribe:<br> Shorewall community. To subscribe:<br>
</p> </p>
<p align="left"></p> <p align="left"></p>
<ul> <ul>
<li><b>Insecure:</b> <a <li><b>Insecure:</b> <a
href="http://lists.shorewall.net/mailman/listinfo/shorewall-announce">http://lists.shorewall.net/mailman/listinfo/shorewall-announce</a></li> href="http://lists.shorewall.net/mailman/listinfo/shorewall-announce">http://lists.shorewall.net/mailman/listinfo/shorewall-announce</a></li>
<li><b>SSL</b>: <a <li><b>SSL</b>: <a
href="https://lists.shorewall.net/mailman/listinfo/shorewall-announce" href="https://lists.shorewall.net/mailman/listinfo/shorewall-announce"
target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-announce.</a></li> target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-announce.</a></li>
</ul> </ul>
<p align="left"><br> <p align="left"><br>
The list archives are at <a The list archives are at <a
href="http://lists.shorewall.net/pipermail/shorewall-announce">http://lists.shorewall.net/pipermail/shorewall-announce</a>.</p> href="http://lists.shorewall.net/pipermail/shorewall-announce">http://lists.shorewall.net/pipermail/shorewall-announce</a>.</p>
<h2 align="left">Shorewall Development Mailing List</h2> <h2 align="left">Shorewall Development Mailing List</h2>
@ -245,12 +227,12 @@ list may be found at <a
ongoing Shorewall Development.</p> ongoing Shorewall Development.</p>
<p align="left">To subscribe to the mailing list:<br> <p align="left">To subscribe to the mailing list:<br>
</p> </p>
<ul> <ul>
<li><b>Insecure: </b><a <li><b>Insecure: </b><a
href="http://lists.shorewall.net/mailman/listinfo/shorewall-devel">http://lists.shorewall.net/mailman/listinfo/shorewall-devel</a></li> href="http://lists.shorewall.net/mailman/listinfo/shorewall-devel">http://lists.shorewall.net/mailman/listinfo/shorewall-devel</a></li>
<li><b>SSL:</b> <a <li><b>SSL:</b> <a
href="https://lists.shorewall.net/mailman/listinfo/shorewall-devel" href="https://lists.shorewall.net/mailman/listinfo/shorewall-devel"
target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-devel.</a></li> target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-devel.</a></li>
@ -270,26 +252,23 @@ list may be found at <a
to make this less confusing. To unsubscribe:</p> to make this less confusing. To unsubscribe:</p>
<ul> <ul>
<li> <li>
<p align="left">Follow the same link above that you used to subscribe <p align="left">Follow the same link above that you used to subscribe
to the list.</p> to the list.</p>
</li> </li>
<li> <li>
<p align="left">Down at the bottom of that page is the following text: <p align="left">Down at the bottom of that page is the following text:
" To <b>unsubscribe</b> from <i>&lt;list name&gt;</i>, get a " To <b>unsubscribe</b> from <i>&lt;list name&gt;</i>, get a password
password reminder, or change your subscription options enter reminder, or change your subscription options enter your subscription
your subscription email address:". Enter your email address email address:". Enter your email address in the box and
in the box and click on the "<b>Unsubscribe</b> or edit options" button.</p> click on the "<b>Unsubscribe</b> or edit options" button.</p>
</li> </li>
<li> <li>
<p align="left">There will now be a box where you can enter your password <p align="left">There will now be a box where you can enter your password
and click on "Unsubscribe"; if you have forgotten your password, and click on "Unsubscribe"; if you have forgotten your password,
there is another button that will cause your password to be emailed there is another button that will cause your password to be emailed
to you.</p> to you.</p>
</li> </li>
</ul> </ul>
@ -298,12 +277,13 @@ your subscription email address:". Enter your email address
<p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p> <p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p>
<p align="left"><font size="2">Last updated 2/24/2003 - <a <p align="left"><font size="2">Last updated 3/24/2003 - <a
href="http://www.shorewall.net/support.htm">Tom Eastep</a></font></p> href="http://www.shorewall.net/support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"> <font size="2">Copyright</font> © <p align="left"><a href="copyright.htm"> <font size="2">Copyright</font>
<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p> </p>
<br>
<br> <br>
<br> <br>
<br> <br>

476
STABLE/documentation/seattlefirewall_index.htm
View File

@ -2,370 +2,246 @@
<html> <html>
<head> <head>
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.4</title> <title>Shoreline Firewall (Shorewall) 1.4</title>
<base target="_self">
<base target="_self">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="4" <table border="0" cellpadding="0" cellspacing="4"
style="border-collapse: collapse;" width="100%" id="AutoNumber3" style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody>
<tbody> <tr>
<td
<tr> width="100%" height="90">
<td width="100%"
height="90">
<h1 align="center"> <font size="4"><i> <a <h1 align="center"> <font size="4"><i> <a
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4" href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4"
alt="Shorwall Logo" height="70" width="85" align="left" alt="Shorwall Logo" height="70" width="85" align="left"
src="images/washington.jpg" border="0"> src="images/washington.jpg" border="0">
</a></i></font><a
</a></i></font><a
href="http://www.shorewall.net" target="_top"><img border="1" href="http://www.shorewall.net" target="_top"><img border="1"
src="images/shorewall.jpg" width="119" height="38" hspace="4" src="images/shorewall.jpg" width="119" height="38" hspace="4"
alt="(Shorewall Logo)" align="right" vspace="4"> alt="(Shorewall Logo)" align="right" vspace="4">
</a></h1> </a></h1>
<small><small><small><small><a <small><small><small><small><a
href="http://www.shorewall.net" target="_top"> </a></small></small></small></small><big></big> href="http://www.shorewall.net" target="_top"> </a></small></small></small></small>
<div align="center"> <div align="center">
<h1><font color="#ffffff">Shorewall 1.4</font><i><font <h1><font color="#ffffff">             Shorewall 1.4</font><i><font
color="#ffffff"> <small><small><small>"iptables made easy" </small></small></small></font></i></h1> color="#ffffff"> <small><small><small>"iptables made easy"</small></small></small></font></i><a
</div> href="1.3" target="_top"><font color="#ffffff"><br>
<small><small><small><small>Shorewall 1.3 Site is here</small></small></small></small></font></a><a
href="http://www1.shorewall.net/1.2/index.htm"><font color="#ffffff"><br>
<small><small><small><small>Shorewall 1.2 Site is here</small></small></small></small></font></a><br>
<p><a href="http://www.shorewall.net" target="_top">
</a> </p>
<div align="center"><a href="1.3" target="_top"><font
color="#ffffff">Shorewall 1.3 Site is here</font></a>                  
            <br>
</div>
</td>
</tr>
</h1>
</div>
<p><a href="http://www.shorewall.net" target="_top"> </a> </p>
</td>
</tr>
</tbody> </tbody>
</table> </table>
<div align="center"> <div align="center">
<center> <center>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"> style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody>
<tbody> <tr>
<td
<tr> width="90%">
<td width="90%">
<h2 align="left">What is it?</h2> <h2 align="left">What is it?</h2>
<p>The Shoreline Firewall, more commonly known as "Shorewall", is a
<a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
that can be used on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system.</p>
<p>The Shoreline Firewall, more commonly known as "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
firewall that can be used on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system.</p>
<p>This program is free software; you can redistribute it and/or modify <p>This program is free software; you can redistribute it and/or modify
it under the it under the
terms of <a href="http://www.gnu.org/licenses/gpl.html">Version terms of <a href="http://www.gnu.org/licenses/gpl.html">Version
2 of the GNU General Public License</a> as published by the Free 2 of the GNU General Public License</a> as published by the Free
Software Foundation.<br> Software Foundation.<br>
<br>
<br> This program is
distributed in the hope that it will be useful,
This program is distributed but WITHOUT ANY WARRANTY; without even the
in the hope that it will be useful, but implied warranty of MERCHANTABILITY or FITNESS
WITHOUT ANY WARRANTY; without even the implied FOR A PARTICULAR PURPOSE. See the GNU General
warranty of MERCHANTABILITY or FITNESS FOR Public License for more details.<br>
A PARTICULAR PURPOSE. See the GNU General Public License <br>
for more details.<br> You should have
received a copy of the GNU General Public
<br> License along with this program; if
not, write to the Free Software Foundation,
You should have received Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
a copy of the GNU General Public License
along with this program; if not, write
to the Free Software Foundation, Inc., 675
Mass Ave, Cambridge, MA 02139, USA</p>
<p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p> <p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img <p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36"> border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques Nilo
</a>Jacques Nilo and Eric Wolzak have a LEAF (router/firewall/gateway
and Eric Wolzak have a LEAF (router/firewall/gateway on a floppy, CD or compact flash) distribution
on a floppy, CD or compact flash) distribution
called <i>Bering</i> that features called <i>Bering</i> that features
Shorewall-1.3.14 and Kernel-2.4.20. You can find Shorewall-1.3.14 and Kernel-2.4.20. You can find
their work at: <a their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br> href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
</a></p> </a></p>
<p><b>Congratulations to Jacques and Eric on the recent release of Bering
1.1!!! </b><br>
</p>
<h2>This is a mirror of the main Shorewall web site at SourceForge (<a
href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
<p><b>Congratulations to Jacques and Eric on the recent release of
Bering 1.1!!! </b><br>
</p>
<h2>This is a mirror of the main Shorewall web site at SourceForge
(<a href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
<h2>News</h2> <h2>News</h2>
<p><b>3/24/2003 - Shorewall 1.4.1 </b><b> </b><b><img <p><b>4/9/2003 - Shorewall 1.4.2</b><b> </b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)"> border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b><b> </b></p> </b><br>
This release follows up on 1.4.0. It corrects a problem introduced in 1.4.0 </p>
and removes additional warts.<br>
<br> <p><b>    Problems Corrected:</b></p>
<b>Problems Corrected:</b><br>
<ol> <blockquote>
<li>When Shorewall 1.4.0 is run under the ash shell (such as on Bering/LEAF), <ol>
it can attempt to add ECN disabling rules even if the /etc/shorewall/ecn <li>TCP connection requests rejected out of the <b>common</b> chain
file is empty. That problem has been corrected so that ECN disabling rules are now properly rejected with TCP RST; previously, some of these requests
are only added if there are entries in /etc/shorewall/ecn.</li> were rejected with an ICMP port-unreachable response.</li>
</ol> <li>'traceroute -I' from behind the firewall previously timed out
<b>New Features:</b><br> on the first hop (e.g., to the firewall). This has been worked around.</li>
<blockquote>Note: In the list that follows, the term <i>group </i>refers </ol>
to a particular network or subnetwork (which may be 0.0.0.0/0 or it may be </blockquote>
a host address) accessed through a particular interface. Examples:<br>
<blockquote>eth0:0.0.0.0/0<br> <p><b>    New Features:</b></p>
eth2:192.168.1.0/24<br>
eth3:192.0.2.123<br> <blockquote>
</blockquote> <ol>
You can use the "shorewall check" command to see the groups associated with <li>Where an entry in the/etc/shorewall/hosts file specifies a
each of your zones.<br> particular host or network, Shorewall now creates an intermediate chain for
</blockquote> handling input from the related zone. This can substantially reduce the number
<ol> of rules traversed by connections requests from such zones.<br>
<li>Beginning with Shorewall 1.4.1, if a zone Z comprises more than <br>
one group<i> </i>then if there is no explicit Z to Z policy and there are </li>
no rules governing traffic from Z to Z then Shorewall will permit all traffic <li>Any file may include an INCLUDE directive. An INCLUDE directive
between the groups in the zone.</li> consists of the word INCLUDE followed by a file name and causes the contents
<li>Beginning with Shorewall 1.4.1, Shorewall will never create rules of the named file to be logically included into the file containing the INCLUDE.
to handle traffic from a group to itself.</li> File names given in an INCLUDE directive are assumed to reside in /etc/shorewall
<li>A NONE policy is introduced in 1.4.1. When a policy of NONE is or in an alternate configuration directory if one has been specified for the
specified from Z1 to Z2:</li> command. <br>
</ol>  <br>
<ul>    Examples:<br>
<li>There may be no rules created that govern connections from Z1    shorewall/params.mgmt:<br>
to Z2.</li>    MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3<br>
<li>Shorewall will not create any infrastructure to handle traffic    TIME_SERVERS=4.4.4.4<br>
from Z1 to Z2.</li>    BACKUP_SERVERS=5.5.5.5<br>
</ul>    ----- end params.mgmt -----<br>
See the <a href="upgrade_issues.htm">upgrade issues</a> for a discussion  <br>
of how these changes may affect your configuration.<br>  <br>
   shorewall/params:<br>
   # Shorewall 1.3 /etc/shorewall/params<br>
   [..]<br>
   #######################################<br>
 <br>
   INCLUDE params.mgmt    <br>
  <br>
   # params unique to this host here<br>
   #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE<br>
   ----- end params -----<br>
 <br>
 <br>
   shorewall/rules.mgmt:<br>
   ACCEPT net:$MGMT_SERVERS          $FW    tcp    22<br>
   ACCEPT $FW          net:$TIME_SERVERS    udp    123<br>
   ACCEPT $FW          net:$BACKUP_SERVERS  tcp    22<br>
   ----- end rules.mgmt -----<br>
 <br>
   shorewall/rules:<br>
   # Shorewall version 1.3 - Rules File<br>
   [..]<br>
   #######################################<br>
 <br>
   INCLUDE rules.mgmt     <br>
  <br>
   # rules unique to this host here<br>
   #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE<br>
   ----- end rules -----<br>
 <br>
INCLUDE's may be nested to a level of 3 -- further nested INCLUDE directives
are ignored with a warning message.<br>
<br>
</li>
<li>Routing traffic from an interface back out that interface continues
to be a problem. While I firmly believe that this should never happen, people
continue to want to do it. To limit the damage that such nonsense produces,
I have added a new 'routeback' option in /etc/shorewall/interfaces and /etc/shorewall/hosts.
When used in /etc/shorewall/interfaces, the 'ZONE' column may not contain
'-'; in other words, 'routeback' can't be used as an option for a multi-zone
interface. The 'routeback' option CAN be specified however on individual group
entries in /etc/shorewall/hosts.<br>
 <br>
The 'routeback' option is similar to the old 'multi' option with two exceptions:<br>
 <br>
   a) The option pertains to a particular zone,interface,address tuple.<br>
 <br>
   b) The option only created infrastructure to pass traffic from (zone,interface,address)
tuples back to themselves (the 'multi' option affected all (zone,interface,address)
tuples associated with the given 'interface').<br>
 <br>
See the '<a href="file:///Z:/Shorewall-docs/upgrade_issues.htm">Upgrade
Issues</a>' for information about how this new option may affect your configuration.<br>
</li>
</ol>
</blockquote>
<p><b></b></p>
<p><a href="News.htm">More News</a></p> <p><a href="News.htm">More News</a></p>
<h2><a name="Donations"></a>Donations</h2> <h2><a name="Donations"></a>Donations</h2>
</td>
<td
</td> width="88" bgcolor="#4b017c" valign="top" align="center"> <br>
</td>
<td width="88" </tr>
bgcolor="#4b017c" valign="top" align="center"> <a
href="http://sourceforge.net">M</a></td>
</tr>
</tbody> </tbody>
</table> </table>
</center>
</center> </div>
</div>
<table border="0" cellpadding="5" cellspacing="0" <table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2" style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody>
<tbody> <tr>
<td width="100%"
<tr>
<td width="100%"
style="margin-top: 1px;"> style="margin-top: 1px;">
<p align="center"><a href="http://www.starlight.org"> <img <p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left" border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10"> hspace="10">
</a></p>
</a></p> <p align="center"><font size="4" color="#ffffff">Shorewall is free but
if you try it and find it useful, please consider making a donation
to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight Children's
Foundation.</font></a> Thanks!</font></p>
</td>
</tr>
<p align="center"><font size="4" color="#ffffff">Shorewall is free
but if you try it and find it useful, please consider making a donation
to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight
Children's Foundation.</font></a> Thanks!</font></p>
</td>
</tr>
</tbody> </tbody>
</table> </table>
<p><font size="2">Updated 4/7/2003 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
<p><font size="2">Updated 3/21/2003 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
<br>
<br> <br>
</body> </body>
</html> </html>

561
STABLE/documentation/sourceforge_index.htm
View File

@ -2,450 +2,247 @@
<html> <html>
<head> <head>
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.3</title> <title>Shoreline Firewall (Shorewall) 1.3</title>
<base target="_self">
<base target="_self">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="4" <table border="0" cellpadding="0" cellspacing="4"
style="border-collapse: collapse;" width="100%" id="AutoNumber3" style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody>
<tbody> <tr>
<td
<tr> width="100%" height="90">
<td width="100%"
height="90">
<h1 align="center"> <font size="4"><i> <a <h1 align="center"> <font size="4"><i> <a
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4" href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4"
alt="Shorwall Logo" height="70" width="85" align="left" alt="Shorwall Logo" height="70" width="85" align="left"
src="images/washington.jpg" border="0"> src="images/washington.jpg" border="0">
</a></i></font><font
</a></i></font><font
color="#ffffff">Shorewall 1.4 - <font color="#ffffff">Shorewall 1.4 - <font
size="4">"<i>iptables made easy"</i></font></font><a size="4">"<i>iptables made easy"</i></font></font><br>
href="http://www.sf.net"> </a></h1> <a target="_top" href="1.3/index.html"><font color="#ffffff">
<small><small><small>Shorewall 1.3 Site here</small></small></small></font></a><br>
<a target="_top" href="http://www1.shorewall.net/1.2/index.htm"><font
color="#ffffff"><small><small><small>Shorewall 1.2 Site here<br>
</small></small></small></font></a>
<div align="center"><a href="/1.3/index.html" target="_top"><font
color="#ffffff">Shorewall 1.3 Site here</font></a></div>
</td>
</tr>
</h1>
</td>
</tr>
</tbody> </tbody>
</table> </table>
<div align="center"> <div align="center">
<center> <center>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"> style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody>
<tbody> <tr>
<td
<tr> width="90%">
<td width="90%">
<h2 align="left">What is it?</h2> <h2 align="left">What is it?</h2>
<p>The Shoreline Firewall, more commonly known as "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a> (iptables)
based firewall that can be used on a dedicated firewall
system, a multi-function gateway/router/server or on
a standalone GNU/Linux system.</p>
<p>The Shoreline Firewall, more commonly known as  "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a> (iptables)
based firewall that can be used on a dedicated firewall
system, a multi-function gateway/router/server or on a standalone
GNU/Linux system.</p>
<p>This program is free software; you can redistribute it and/or modify <p>This program is free software; you can redistribute it and/or modify
it under the it under
terms of <a href="http://www.gnu.org/licenses/gpl.html">Version the terms of <a
2 of the GNU General Public License</a> as published by the Free href="http://www.gnu.org/licenses/gpl.html">Version 2 of the
Software Foundation.<br> GNU General Public License</a> as published by the Free Software
Foundation.<br>
<br> <br>
This program
This program is distributed is distributed in the hope that it will
in the hope that it will be useful, but be useful, but WITHOUT ANY WARRANTY; without
WITHOUT ANY WARRANTY; without even the implied even the implied warranty of MERCHANTABILITY
warranty of MERCHANTABILITY or FITNESS FOR or FITNESS FOR A PARTICULAR PURPOSE. See the
A PARTICULAR PURPOSE. See the GNU General Public GNU General Public License for more details.<br>
License for more details.<br> <br>
You should have
<br> received a copy of the GNU General Public
License along with this program; if
You should have received not, write to the Free Software Foundation,
a copy of the GNU General Public License Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
along with this program; if not, write
to the Free Software Foundation, Inc., 675
Mass Ave, Cambridge, MA 02139, USA</p>
<p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p> <p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img <p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36"> border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques Nilo
</a>Jacques and Eric Wolzak have a LEAF (router/firewall/gateway
Nilo and Eric Wolzak have a LEAF (router/firewall/gateway on a floppy, CD or compact flash) distribution
on a floppy, CD or compact flash) distribution called <i>Bering</i> that features
called <i>Bering</i> that features Shorewall-1.3.14 and Kernel-2.4.20. You can
Shorewall-1.3.14 and Kernel-2.4.20. You can find find their work at: <a
their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p> href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
<b>Congratulations <b>Congratulations
to Jacques and Eric on the recent release of Bering to Jacques and Eric on the recent release of Bering
1.1!!! <br> 1.1!!! <br>
</b> </b>
<h2><b>News</b></h2>
<b> </b>
<p><b>4/9/2003 - Shorewall 1.4.2</b><b> </b><b> </b><b><img
<h2>News</h2>
<p><b>3/24/2003 - Shorewall 1.4.1 </b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)"> border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
 </b><b> </b></p> </b><br>
<b> </b>
<ul>
</ul>
<p>This release follows up on 1.4.0. It corrects a problem introduced
in 1.4.0 and removes additional warts.<br>
<br>
<b>Problems Corrected:</b><br>
</p> </p>
<ol>
<li>When Shorewall 1.4.0 is run under the ash shell (such as on Bering/LEAF),
it can attempt to add ECN disabling rules even if the /etc/shorewall/ecn file
is empty. That problem has been corrected so that ECN disabling rules are
only added if there are entries in /etc/shorewall/ecn.</li>
</ol>
<b>New Features:</b><br>
<blockquote>Note: In the list that follows, the term <i>group </i>refers <p><b>    Problems Corrected:</b></p>
to a particular network or subnetwork (which may be 0.0.0.0/0 or it may be
a host address) accessed through a particular interface. Examples:<br>
<blockquote>eth0:0.0.0.0/0<br> <blockquote>
eth2:192.168.1.0/24<br> <ol>
eth3:192.0.2.123<br> <li>TCP connection requests rejected out of the <b>common</b> chain
</blockquote> are now properly rejected with TCP RST; previously, some of these requests
You can use the "shorewall check" command to see the groups associated with were rejected with an ICMP port-unreachable response.</li>
each of your zones.<br> <li>'traceroute -I' from behind the firewall previously timed out
on the first hop (e.g., to the firewall). This has been worked around.</li>
</ol>
</blockquote> </blockquote>
<ol> <p><b>    New Features:</b></p>
<li>Beginning with Shorewall 1.4.1, if a zone Z comprises more than
one group<i> </i>then if there is no explicit Z to Z policy and there are
no rules governing traffic from Z to Z then Shorewall will permit all traffic
between the groups in the zone.</li>
<li>Beginning with Shorewall 1.4.1, Shorewall will never create rules
to handle traffic from a group to itself.</li>
<li>A NONE policy is introduced in 1.4.1. When a policy of NONE is
specified from Z1 to Z2:</li>
</ol>
<ul> <blockquote>
<li>There may be no rules created that govern connections from Z1 <ol>
to Z2.</li> <li>Where an entry in the/etc/shorewall/hosts file specifies a
<li>Shorewall will not create any infrastructure to handle traffic particular host or network, Shorewall now creates an intermediate chain for
from Z1 to Z2.</li> handling input from the related zone. This can substantially reduce the number
</ul> of rules traversed by connections requests from such zones.<br>
See the <a href="upgrade_issues.htm">upgrade issues</a> for a discussion <br>
of how these changes may affect your configuration. </li>
<p><a href="News.htm">More News</a></p> <li>Any file may include an INCLUDE directive. An INCLUDE directive
consists of the word INCLUDE followed by a file name and causes the contents
of the named file to be logically included into the file containing the INCLUDE.
File names given in an INCLUDE directive are assumed to reside in /etc/shorewall
or in an alternate configuration directory if one has been specified for the
command. <br>
 <br>
   Examples:<br>
   shorewall/params.mgmt:<br>
   MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3<br>
   TIME_SERVERS=4.4.4.4<br>
   BACKUP_SERVERS=5.5.5.5<br>
   ----- end params.mgmt -----<br>
 <br>
 <br>
   shorewall/params:<br>
   # Shorewall 1.3 /etc/shorewall/params<br>
   [..]<br>
   #######################################<br>
 <br>
   INCLUDE params.mgmt    <br>
  <br>
   # params unique to this host here<br>
   #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE<br>
   ----- end params -----<br>
 <br>
 <br>
   shorewall/rules.mgmt:<br>
   ACCEPT net:$MGMT_SERVERS          $FW    tcp    22<br>
   ACCEPT $FW          net:$TIME_SERVERS    udp    123<br>
   ACCEPT $FW          net:$BACKUP_SERVERS  tcp    22<br>
   ----- end rules.mgmt -----<br>
 <br>
   shorewall/rules:<br>
   # Shorewall version 1.3 - Rules File<br>
   [..]<br>
   #######################################<br>
 <br>
   INCLUDE rules.mgmt     <br>
  <br>
   # rules unique to this host here<br>
   #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE<br>
   ----- end rules -----<br>
 <br>
INCLUDE's may be nested to a level of 3 -- further nested INCLUDE directives
are ignored with a warning message.<br>
<br>
</li>
<li>Routing traffic from an interface back out that interface continues
to be a problem. While I firmly believe that this should never happen, people
continue to want to do it. To limit the damage that such nonsense produces,
I have added a new 'routeback' option in /etc/shorewall/interfaces and /etc/shorewall/hosts.
When used in /etc/shorewall/interfaces, the 'ZONE' column may not contain
'-'; in other words, 'routeback' can't be used as an option for a multi-zone
interface. The 'routeback' option CAN be specified however on individual group
entries in /etc/shorewall/hosts.<br>
 <br>
The 'routeback' option is similar to the old 'multi' option with two exceptions:<br>
 <br>
   a) The option pertains to a particular zone,interface,address tuple.<br>
 <br>
   b) The option only created infrastructure to pass traffic from (zone,interface,address)
tuples back to themselves (the 'multi' option affected all (zone,interface,address)
tuples associated with the given 'interface').<br>
 <br>
See the '<a href="file:///Z:/Shorewall-docs/upgrade_issues.htm">Upgrade
Issues</a>' for information about how this new option may affect your configuration.<br>
</li>
</ol>
</blockquote>
<p><a href="file:///Z:/Shorewall-docs/News.htm"></a></p>
<b> </b>
<p><b><a href="News.htm">More News</a></b></p>
<b> </b>
<h2><b> </b></h2>
<b> </b>
<h1 align="center"><b><a href="http://www.sf.net"><img
align="left" alt="SourceForge Logo"
<h2> </h2>
<h1 align="center"><a href="http://www.sf.net"><img align="left"
alt="SourceForge Logo"
src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3"> src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3">
</a></h1>
<h4> </h4>
<h2>This site is hosted by the generous folks at <a
href="http://www.sf.net">SourceForge.net</a> </h2>
<h2><a name="Donations"></a>Donations</h2>
</td>
<td width="88"
bgcolor="#4b017c" valign="top" align="center"> <br>
</td>
</tr>
</a></b></h1>
<b> </b>
<h4><b> </b></h4>
<b> </b>
<h2><b>This site is hosted by the generous folks at <a
href="http://www.sf.net">SourceForge.net</a> </b></h2>
<b> </b>
<h2><b><a name="Donations"></a>Donations</b></h2>
<b> </b></td>
<td
width="88" bgcolor="#4b017c" valign="top" align="center"> <br>
</td>
</tr>
</tbody> </tbody>
</table> </table>
</center>
</center> </div>
</div>
<table border="0" cellpadding="5" cellspacing="0" <table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2" style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody>
<tbody> <tr>
<td width="100%"
<tr>
<td width="100%"
style="margin-top: 1px;"> style="margin-top: 1px;">
<p align="center"><a href="http://www.starlight.org"> <img <p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left" border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10"> hspace="10">
</a></p>
</a></p>
<p align="center"><font size="4" color="#ffffff">Shorewall is free <p align="center"><font size="4" color="#ffffff">Shorewall is free
but if you try it and find it useful, please consider making a donation but if you try it and find it useful, please consider making a donation
to <a to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight href="http://www.starlight.org"><font color="#ffffff">Starlight Children's
Children's Foundation.</font></a> Thanks!</font></p> Foundation.</font></a> Thanks!</font></p>
</td>
</td> </tr>
</tr>
</tbody> </tbody>
</table> </table>
<p><font size="2">Updated 4/7/2003 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
<p><font size="2">Updated 3/21/2003 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
<br>
<br>
</body> </body>
</html> </html>

362
STABLE/documentation/standalone.htm
View File

@ -17,12 +17,12 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber6" bgcolor="#400169" height="90"> id="AutoNumber6" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Standalone Firewall</font></h1> <h1 align="center"><font color="#ffffff">Standalone Firewall</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
@ -37,9 +37,9 @@
in one of its most common configurations:</p> in one of its most common configurations:</p>
<ul> <ul>
<li>Linux system</li> <li>Linux system</li>
<li>Single external IP address</li> <li>Single external IP address</li>
<li>Connection through Cable Modem, DSL, ISDN, Frame Relay, dial-up...</li> <li>Connection through Cable Modem, DSL, ISDN, Frame Relay, dial-up...</li>
</ul> </ul>
@ -55,19 +55,19 @@
with what's involved then go back through it again making your configuration with what's involved then go back through it again making your configuration
changes.  Points at which configuration changes are recommended are flagged changes.  Points at which configuration changes are recommended are flagged
with <img border="0" src="images/BD21298_.gif" width="13" height="13"> with <img border="0" src="images/BD21298_.gif" width="13" height="13">
.</p> .</p>
<p><img border="0" src="images/j0213519.gif" width="60" height="60"> <p><img border="0" src="images/j0213519.gif" width="60" height="60">
    If you edit your configuration files on a Windows system, you     If you edit your configuration files on a Windows system, you
must save them as Unix files if your editor supports that option or you must save them as Unix files if your editor supports that option or you
must run them through dos2unix before trying to use them. Similarly, if must run them through dos2unix before trying to use them. Similarly, if
you copy a configuration file from your Windows hard drive to a floppy you copy a configuration file from your Windows hard drive to a floppy disk,
disk, you must run dos2unix against the copy before using it with Shorewall.</p> you must run dos2unix against the copy before using it with Shorewall.</p>
<ul> <ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
of dos2unix</a></li> of dos2unix</a></li>
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux <li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
Version of dos2unix</a></li> Version of dos2unix</a></li>
</ul> </ul>
@ -76,34 +76,34 @@ disk, you must run dos2unix against the copy before using it with Shorewall.</p
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13" <p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
alt=""> alt="">
    The configuration files for Shorewall are contained in the directory     The configuration files for Shorewall are contained in the directory
/etc/shorewall -- for simple setups, you only need to deal with a few /etc/shorewall -- for simple setups, you only need to deal with a few of
of these as described in this guide. After you have <a these as described in this guide. After you have <a
href="Install.htm">installed Shorewall</a>, <b>download the <a href="Install.htm">installed Shorewall</a>, <b>download the <a
href="/pub/shorewall/LATEST.samples/one-interface.tgz">one-interface sample</a>, href="http://www.shorewall.net/pub/shorewall/LATEST.samples/one-interface.tgz">one-interface
un-tar it (tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewall sample</a>, un-tar it (tar -zxvf one-interface.tgz) and and copy the files
(they will replace files with the same names that were placed in /etc/shorewall to /etc/shorewall (they will replace files with the same names that were
during Shorewall installation)</b>.</p> placed in /etc/shorewall during Shorewall installation)</b>.</p>
<p>As each file is introduced, I suggest that you look through the actual <p>As each file is introduced, I suggest that you look through the actual
file on your system -- each file contains detailed configuration instructions file on your system -- each file contains detailed configuration instructions
and default entries.</p> and default entries.</p>
<p>Shorewall views the network where it is running as being composed of a <p>Shorewall views the network where it is running as being composed of a
set of <i>zones.</i> In the one-interface sample configuration, only set of <i>zones.</i> In the one-interface sample configuration, only one
one zone is defined:</p> zone is defined:</p>
<table border="0" style="border-collapse: collapse;" cellpadding="3" <table border="0" style="border-collapse: collapse;" cellpadding="3"
cellspacing="0" id="AutoNumber2"> cellspacing="0" id="AutoNumber2">
<tbody> <tbody>
<tr>
<td><u><b>Name</b></u></td>
<td><u><b>Description</b></u></td>
</tr>
<tr> <tr>
<td><u><b>Name</b></u></td> <td><b>net</b></td>
<td><u><b>Description</b></u></td> <td><b>The Internet</b></td>
</tr> </tr>
<tr>
<td><b>net</b></td>
<td><b>The Internet</b></td>
</tr>
</tbody> </tbody>
</table> </table>
@ -117,10 +117,10 @@ one zone is defined:</p>
in terms of zones.</p> in terms of zones.</p>
<ul> <ul>
<li>You express your default policy for connections from one zone <li>You express your default policy for connections from one zone
to another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy to another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
</a>file.</li> </a>file.</li>
<li>You define exceptions to those default policies in the <a <li>You define exceptions to those default policies in the <a
href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li> href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
</ul> </ul>
@ -132,54 +132,54 @@ one zone is defined:</p>
the request is first checked against the rules in /etc/shorewall/common the request is first checked against the rules in /etc/shorewall/common
(the samples provide that file for you).</p> (the samples provide that file for you).</p>
<p>The /etc/shorewall/policy file included with the one-interface sample <p>The /etc/shorewall/policy file included with the one-interface sample has
has the following policies:</p> the following policies:</p>
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber3"> id="AutoNumber3">
<tbody> <tbody>
<tr>
<td><u><b>SOURCE ZONE</b></u></td>
<td><u><b>DESTINATION ZONE</b></u></td>
<td><u><b>POLICY</b></u></td>
<td><u><b>LOG LEVEL</b></u></td>
<td><u><b>LIMIT:BURST</b></u></td>
</tr>
<tr> <tr>
<td><u><b>SOURCE ZONE</b></u></td> <td>fw</td>
<td><u><b>DESTINATION ZONE</b></u></td> <td>net</td>
<td><u><b>POLICY</b></u></td> <td>ACCEPT</td>
<td><u><b>LOG LEVEL</b></u></td> <td> </td>
<td><u><b>LIMIT:BURST</b></u></td> <td> </td>
</tr> </tr>
<tr> <tr>
<td>fw</td> <td>net</td>
<td>net</td> <td>all<br>
<td>ACCEPT</td> </td>
<td> </td> <td>DROP</td>
<td> </td> <td>info</td>
</tr> <td> </td>
<tr> </tr>
<td>net</td> <tr>
<td>all<br> <td>all</td>
</td> <td>all</td>
<td>DROP</td> <td>REJECT</td>
<td>info</td> <td>info</td>
<td> </td> <td> </td>
</tr> </tr>
<tr>
<td>all</td>
<td>all</td>
<td>REJECT</td>
<td>info</td>
<td> </td>
</tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
<p>The above policy will:</p> <p>The above policy will:</p>
<ol> <ol>
<li>allow all connection requests from the firewall to the internet</li> <li>allow all connection requests from the firewall to the internet</li>
<li>drop (ignore) all connection requests from the internet to your <li>drop (ignore) all connection requests from the internet to
firewall</li> your firewall</li>
<li>reject all other connection requests (Shorewall requires this <li>reject all other connection requests (Shorewall requires this
catchall policy).</li> catchall policy).</li>
</ol> </ol>
@ -191,38 +191,38 @@ has the following policies:</p>
<p align="left">The firewall has a single network interface. Where Internet <p align="left">The firewall has a single network interface. Where Internet
connectivity is through a cable or DSL "Modem", the <i>External Interface</i> connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
will be the ethernet adapter (<b>eth0</b>) that is connected to that will be the ethernet adapter (<b>eth0</b>) that is connected to that "Modem" 
"Modem"  <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol
<u>P</u>rotocol over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling
<u>T</u>unneling <u>P</u>rotocol </i>(PPTP) in which case the External <u>P</u>rotocol </i>(PPTP) in which case the External Interface will be
Interface will be a <b>ppp0</b>. If you connect via a regular modem, your a <b>ppp0</b>. If you connect via a regular modem, your External Interface
External Interface will also be <b>ppp0</b>. If you connect using ISDN, will also be <b>ppp0</b>. If you connect using ISDN, your external interface
your external interface will be<b> ippp0.</b></p> will be<b> ippp0.</b></p>
<p align="left"><img border="0" src="images/BD21298_3.gif" width="13" <p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
height="13"> height="13">
    The Shorewall one-interface sample configuration assumes that     The Shorewall one-interface sample configuration assumes that the
the external interface is <b>eth0</b>. If your configuration is different, external interface is <b>eth0</b>. If your configuration is different,
you will have to modify the sample /etc/shorewall/interfaces file accordingly. you will have to modify the sample /etc/shorewall/interfaces file accordingly.
While you are there, you may wish to review the list of options that While you are there, you may wish to review the list of options that are
are specified for the interface. Some hints:</p> specified for the interface. Some hints:</p>
<ul> <ul>
<li> <li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>, <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>,
you can replace the "detect" in the second column with "-". </p> you can replace the "detect" in the second column with "-". </p>
</li> </li>
<li> <li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b> <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>
or if you have a static IP address, you can remove "dhcp" from the or if you have a static IP address, you can remove "dhcp" from the option
option list. </p> list. </p>
</li> </li>
</ul> </ul>
<div align="left"> <div align="left">
<h2 align="left">IP Addresses</h2> <h2 align="left">IP Addresses</h2>
</div> </div>
<div align="left"> <div align="left">
<p align="left">RFC 1918 reserves several <i>Private </i>IP address ranges <p align="left">RFC 1918 reserves several <i>Private </i>IP address ranges
@ -230,7 +230,7 @@ option list. </p>
<div align="left"> <div align="left">
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre> <pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
</div> </div>
<p align="left">These addresses are sometimes referred to as <i>non-routable</i> <p align="left">These addresses are sometimes referred to as <i>non-routable</i>
because the Internet backbone routers will not forward a packet whose because the Internet backbone routers will not forward a packet whose
@ -240,157 +240,158 @@ option list. </p>
<p align="left"><img border="0" src="images/BD21298_.gif" align="left" <p align="left"><img border="0" src="images/BD21298_.gif" align="left"
width="13" height="13"> width="13" height="13">
     Before starting Shorewall, you should look at the IP address      Before starting Shorewall, you should look at the IP address
of your external interface and if it is one of the above ranges, you of your external interface and if it is one of the above ranges, you
should remove the 'norfc1918' option from the entry in /etc/shorewall/interfaces.</p> should remove the 'norfc1918' option from the entry in /etc/shorewall/interfaces.</p>
</div> </div>
<div align="left"> <div align="left">
<h2 align="left">Enabling other Connections</h2> <h2 align="left">Enabling other Connections</h2>
</div> </div>
<div align="left"> <div align="left">
<p align="left">If you wish to enable connections from the internet to your <p align="left">If you wish to enable connections from the internet to your
firewall, the general format is:</p> firewall, the general format is:</p>
</div> </div>
<div align="left"> <div align="left">
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber4"> id="AutoNumber4">
<tbody> <tbody>
<tr>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr>
<tr> <tr>
<td>ACCEPT</td> <td><u><b>ACTION</b></u></td>
<td>net</td> <td><u><b>SOURCE</b></u></td>
<td>fw</td> <td><u><b>DESTINATION</b></u></td>
<td><i>&lt;protocol&gt;</i></td> <td><u><b>PROTOCOL</b></u></td>
<td><i>&lt;port&gt;</i></td> <td><u><b>PORT</b></u></td>
<td> </td> <td><u><b>SOURCE PORT</b></u></td>
<td> </td> <td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr> </tr>
<tr>
<td>ACCEPT</td>
<td>net</td>
<td>fw</td>
<td><i>&lt;protocol&gt;</i></td>
<td><i>&lt;port&gt;</i></td>
<td> </td>
<td> </td>
</tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
</div> </div>
<div align="left"> <div align="left">
<p align="left">Example - You want to run a Web Server and a POP3 Server <p align="left">Example - You want to run a Web Server and a POP3 Server on
on your firewall system:</p> your firewall system:</p>
</div> </div>
<div align="left"> <div align="left">
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber5"> id="AutoNumber5">
<tbody> <tbody>
<tr>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr>
<tr> <tr>
<td>ACCEPT</td> <td><u><b>ACTION</b></u></td>
<td>net</td> <td><u><b>SOURCE</b></u></td>
<td>fw</td> <td><u><b>DESTINATION</b></u></td>
<td>tcp</td> <td><u><b>PROTOCOL</b></u></td>
<td>80</td> <td><u><b>PORT</b></u></td>
<td> </td> <td><u><b>SOURCE PORT</b></u></td>
<td> </td> <td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr> </tr>
<tr> <tr>
<td>ACCEPT</td> <td>ACCEPT</td>
<td>net</td> <td>net</td>
<td>fw</td> <td>fw</td>
<td>tcp</td> <td>tcp</td>
<td>110</td> <td>80</td>
<td> </td> <td> </td>
<td> </td> <td> </td>
</tr> </tr>
<tr>
<td>ACCEPT</td>
<td>net</td>
<td>fw</td>
<td>tcp</td>
<td>110</td>
<td> </td>
<td> </td>
</tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
</div> </div>
<div align="left"> <div align="left">
<p align="left">If you don't know what port and protocol a particular <p align="left">If you don't know what port and protocol a particular application
application uses, see <a href="ports.htm">here</a>.</p> uses, see <a href="ports.htm">here</a>.</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left"><b>Important: </b>I don't recommend enabling telnet to/from <p align="left"><b>Important: </b>I don't recommend enabling telnet to/from
the internet because it uses clear text (even for login!). If you want the internet because it uses clear text (even for login!). If you want
shell access to your firewall from the internet, use SSH:</p> shell access to your firewall from the internet, use SSH:</p>
</div> </div>
<div align="left"> <div align="left">
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber4"> id="AutoNumber4">
<tbody> <tbody>
<tr>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr>
<tr> <tr>
<td>ACCEPT</td> <td><u><b>ACTION</b></u></td>
<td>net</td> <td><u><b>SOURCE</b></u></td>
<td>fw</td> <td><u><b>DESTINATION</b></u></td>
<td>tcp</td> <td><u><b>PROTOCOL</b></u></td>
<td>22</td> <td><u><b>PORT</b></u></td>
<td> </td> <td><u><b>SOURCE PORT</b></u></td>
<td> </td> <td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr> </tr>
<tr>
<td>ACCEPT</td>
<td>net</td>
<td>fw</td>
<td>tcp</td>
<td>22</td>
<td> </td>
<td> </td>
</tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
</div> </div>
<div align="left"> <div align="left">
<p align="left"><img border="0" src="images/BD21298_3.gif" width="13" <p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
height="13"> height="13">
    At this point, edit /etc/shorewall/rules to add other connections     At this point, edit /etc/shorewall/rules to add other connections
as desired.</p> as desired.</p>
</div> </div>
<div align="left"> <div align="left">
<h2 align="left">Starting and Stopping Your Firewall</h2> <h2 align="left">Starting and Stopping Your Firewall</h2>
</div> </div>
<div align="left"> <div align="left">
<p align="left"> <img border="0" src="images/BD21298_2.gif" <p align="left"> <img border="0" src="images/BD21298_2.gif"
width="13" height="13" alt="Arrow"> width="13" height="13" alt="Arrow">
    The <a href="Install.htm">installation procedure </a> configures     The <a href="Install.htm">installation procedure </a> configures
your system to start Shorewall at system boot but beginning with Shorewall your system to start Shorewall at system boot but beginning with Shorewall
version 1.3.9 startup is disabled so that your system won't try to start version 1.3.9 startup is disabled so that your system won't try to start
Shorewall before configuration is complete. Once you have completed configuration Shorewall before configuration is complete. Once you have completed configuration
of your firewall, you can enable Shorewall startup by removing the file /etc/shorewall/startup_disabled.<br> of your firewall, you can enable Shorewall startup by removing the file
</p> /etc/shorewall/startup_disabled.<br>
</p>
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Users of the .deb <p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Users of the .deb
package must edit /etc/default/shorewall and set 'startup=1'.</font><br> package must edit /etc/default/shorewall and set 'startup=1'.</font><br>
</p> </p>
</div> </div>
<div align="left"> <div align="left">
<p align="left">The firewall is started using the "shorewall start" command <p align="left">The firewall is started using the "shorewall start" command
@ -400,25 +401,26 @@ application uses, see <a href="ports.htm">here</a>.</p>
running firewall may be restarted using the "shorewall restart" command. running firewall may be restarted using the "shorewall restart" command.
If you want to totally remove any trace of Shorewall from your Netfilter If you want to totally remove any trace of Shorewall from your Netfilter
configuration, use "shorewall clear".</p> configuration, use "shorewall clear".</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left"><b>WARNING: </b>If you are connected to your firewall from <p align="left"><b>WARNING: </b>If you are connected to your firewall from
the internet, do not issue a "shorewall stop" command unless you have the internet, do not issue a "shorewall stop" command unless you have
added an entry for the IP address that you are connected from to <a added an entry for the IP address that you are connected from to <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better to create Also, I don't recommend using "shorewall restart"; it is better to create
an <i><a href="configuration_file_basics.htm#Configs">alternate configuration</a></i> an <i><a href="configuration_file_basics.htm#Configs">alternate configuration</a></i>
and test it using the <a and test it using the <a
href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p> href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p>
</div> </div>
<p align="left"><font size="2">Last updated 2/21/2003 - <a <p align="left"><font size="2">Last updated 2/21/2003 - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002, 2003 <p align="left"><a href="copyright.htm"><font size="2">Copyright 2002, 2003
Thomas M. Eastep</font></a></p> Thomas M. Eastep</font></a></p>
<br> <br>
<br>
<br> <br>
<br> <br>
<br> <br>

686
STABLE/documentation/standalone_fr.html
View File

@ -1,407 +1,469 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Standalone Firewall</title> <title>Standalone Firewall</title>
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber6" bgcolor="#400169" height="90"> id="AutoNumber6" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Standalone Firewall</font></h1> <h1 align="center"><font color="#ffffff">Standalone Firewall</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<h2 align="center">Version 2.0.1 Française</h2> <h2 align="center">Version 2.0.1 Française</h2>
<p align="left"><small><i><u>Notes du traducteur</u> :<br> <p align="left"><small><i><u>Notes du traducteur</u> :<br>
Je ne prétends pas être un vrai traducteur dans le sens ou mon travail Je ne prétends pas être un vrai traducteur dans le sens ou mon travail n'est
n'est pas des plus précis (loin de là...). Je ne me suis pas attaché à pas des plus précis (loin de là...). Je ne me suis pas attaché à une traduction
une traduction exacte du texte, mais plutôt à en faire une version exacte du texte, mais plutôt à en faire une version française intelligible
française intelligible par tous (et par moi). Les termes techniques sont par tous (et par moi). Les termes techniques sont la plupart du temps conservés
la plupart du temps conservés sous leur forme originale et mis entre sous leur forme originale et mis entre parenthèses car vous pouvez les retrouver
parenthèses car vous pouvez les retrouver dans le reste des dans le reste des documentations ainsi que dans les fichiers de configuration.
documentations ainsi que dans les fichiers de configuration. N?hésitez N?hésitez pas à me contacter afin d?améliorer ce document <a
pas à me contacter afin d?améliorer ce document <a href="mailto:vetsel.patrice@wanadoo.fr">VETSEL Patrice</a> (merci à JMM pour
href="mailto:vetsel.patrice@wanadoo.fr">VETSEL Patrice</a> (merci à JMM sa relecture et ses commentaires pertinents, ainsi qu'à Tom EASTEP pour son
pour sa relecture et ses commentaires pertinents, ainsi qu'à Tom EASTEP formidable outil et sa disponibilité)</i><i>.</i></small></p>
pour son formidable outil et sa disponibilité)</i><i>.</i></small></p>
<p align="left">Mettre en place un système Linux en tant que firewall <p align="left">Mettre en place un système Linux en tant que firewall (écluse)
(écluse) pour un petit réseau est une chose assez simple, si vous pour un petit réseau est une chose assez simple, si vous comprenez les bases
comprenez les bases et suivez la documentation.</p> et suivez la documentation.</p>
<p>Ce guide ne veut pas vous apprendre tous les rouages de Shorewall.
Il se focalise sur ce qui est nécessaire pour configurer Shorewall, dans <p>Ce guide ne veut pas vous apprendre tous les rouages de Shorewall. Il
son utilisation la plus courante :</p> se focalise sur ce qui est nécessaire pour configurer Shorewall, dans son
utilisation la plus courante :</p>
<ul> <ul>
<li>Un système Linux</li> <li>Un système Linux</li>
<li>Une seule adresse IP externe</li> <li>Une seule adresse IP externe</li>
<li>Une connexion passant par un modem câble, ADSL, ISDN, Frame <li>Une connexion passant par un modem câble, ADSL, ISDN, Frame Relay,
Relay, rtc...</li> rtc...</li>
</ul> </ul>
<p>Ce guide suppose que vous avez le paquet iproute/iproute2
d'installé. Vous pouvez voir si le paquet est installé en vérifiant la <p>Ce guide suppose que vous avez le paquet iproute/iproute2 d'installé.
présence du programme ip sur votre système de firewall. Sous root, Vous pouvez voir si le paquet est installé en vérifiant la présence du programme
utilisez la commande 'which' pour rechercher le programme :</p> ip sur votre système de firewall. Sous root, utilisez la commande 'which'
pour rechercher le programme :</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre> <pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
<p>Je vous recommande dans un premier temps de parcourir tout le guide
pour vous familiariser avec ce qu'il va se passer, et de revenir au <p>Je vous recommande dans un premier temps de parcourir tout le guide pour
début en effectuant le changements dans votre configuration. Les points, vous familiariser avec ce qu'il va se passer, et de revenir au début en effectuant
où les changements dans la configuration sont recommandées, sont le changements dans votre configuration. Les points, où les changements dans
signalés par une <img border="0" src="images/BD21298_.gif" width="13" la configuration sont recommandées, sont signalés par une <img
height="13"> .</p> border="0" src="images/BD21298_.gif" width="13" height="13">
<p><img border="0" src="images/j0213519.gif" width="60" height="60"> Si .</p>
vous éditez vos fichiers de configuration sur un système Windows, vous
devez les sauver comme des fichiers Unix si votre éditeur supporte cette <p><img border="0" src="images/j0213519.gif" width="60" height="60">
option sinon vous devez les faire passer par dos2unix avant d'essayer de Si vous éditez vos fichiers de configuration sur un système Windows, vous
les utiliser. De la même manière, si vous copiez un fichier de devez les sauver comme des fichiers Unix si votre éditeur supporte cette option
configuration depuis votre disque dur Windows vers une disquette, vous sinon vous devez les faire passer par dos2unix avant d'essayer de les utiliser.
devez lancer dos2unix sur la copie avant de l'utiliser avec Shorewall.</p> De la même manière, si vous copiez un fichier de configuration depuis votre
disque dur Windows vers une disquette, vous devez lancer dos2unix sur la
copie avant de l'utiliser avec Shorewall.</p>
<ul> <ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
of dos2unix</a></li> of dos2unix</a></li>
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux <li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version
Version of dos2unix</a></li> of dos2unix</a></li>
</ul> </ul>
<h2 align="left">Les Concepts de Shorewall</h2> <h2 align="left">Les Concepts de Shorewall</h2>
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13" <p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
alt=""> Les fichiers de configuration pour Shorewall sont situés dans alt="">
le répertoire /etc/shorewall -- pour de simples paramétrages, vous Les fichiers de configuration pour Shorewall sont situés dans le répertoire
n'avez à faire qu'avec quelques un d'entre eux comme décris dans ce /etc/shorewall -- pour de simples paramétrages, vous n'avez à faire qu'avec
guide. Après avoir <a href="Install.htm">installé Shorewall</a>, <b>téléchargez quelques un d'entre eux comme décris dans ce guide. Après avoir <a
le <a href="/pub/shorewall/LATEST.samples/one-interface.tgz">one-interface href="Install.htm">installé Shorewall</a>, <b>téléchargez le <a
sample</a>, un-tarez le (tar -zxvf one-interface.tgz) et copiez les href="http://france.shorewall.net/pub/shorewall/LATEST.samples/one-interface.tgz">one-interface
fichiers vers /etc/shorewall (Ils remplaceront les fichiers de même nom sample</a>, un-tarez le (tar -zxvf one-interface.tgz) et copiez les fichiers
déjà existant dans /etc/shorewall installés lors de l'installation de vers /etc/shorewall (Ils remplaceront les fichiers de même nom déjà existant
Shorewall)</b>.</p> dans /etc/shorewall installés lors de l'installation de Shorewall)</b>.</p>
<p>Parallèlement à la description, je vous suggère de jeter un oeil à
ceux physiquement présents sur votre système -- chacun des fichiers <p>Parallèlement à la description, je vous suggère de jeter un oeil à ceux
contient des instructions de configuration détaillées et des entrées par physiquement présents sur votre système -- chacun des fichiers contient des
défaut.</p> instructions de configuration détaillées et des entrées par défaut.</p>
<p>Shorewall voit le réseau où il tourne comme composé par un ensemble
de <i>zones.</i> Dans les fichiers de configuration fournis pour une <p>Shorewall voit le réseau où il tourne comme composé par un ensemble de
unique interface, une seule zone est définie :</p> <i>zones.</i> Dans les fichiers de configuration fournis pour une unique
interface, une seule zone est définie :</p>
<table border="0" style="border-collapse: collapse;" cellpadding="3" <table border="0" style="border-collapse: collapse;" cellpadding="3"
cellspacing="0" id="AutoNumber2"> cellspacing="0" id="AutoNumber2">
<tbody> <tbody>
<tr> <tr>
<td><u><b>Name</b></u></td> <td><u><b>Name</b></u></td>
<td><u><b>Description</b></u></td> <td><u><b>Description</b></u></td>
</tr> </tr>
<tr> <tr>
<td><b>net</b></td> <td><b>net</b></td>
<td><b>The Internet</b></td> <td><b>The Internet</b></td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p>Les zones de Shorewall sont définies dans <a <p>Les zones de Shorewall sont définies dans <a
href="Documentation.htm#Zones"> /etc/shorewall/zones</a>.</p> href="Documentation.htm#Zones"> /etc/shorewall/zones</a>.</p>
<p>Shorewall reconnaît aussi le système de firewall comme sa propre
zone - par défaut, le firewall lui-même est connu en tant que <b>fw</b>.</p> <p>Shorewall reconnaît aussi le système de firewall comme sa propre zone
<p>Les règles concernant le trafic à autoriser ou à interdire sont - par défaut, le firewall lui-même est connu en tant que <b>fw</b>.</p>
exprimées en utilisant les termes de zones.</p>
<p>Les règles concernant le trafic à autoriser ou à interdire sont exprimées
en utilisant les termes de zones.</p>
<ul> <ul>
<li>Vous exprimez les politiques par défaut pour les connexions d'une <li>Vous exprimez les politiques par défaut pour les connexions d'une zone
zone à une autre dans le fichier<a href="Documentation.htm#Policy"> à une autre dans le fichier<a href="Documentation.htm#Policy"> /etc/shorewall/policy
/etc/shorewall/policy </a>.</li> </a>.</li>
<li>Vous définissez les exceptions à ces règles de politiques par <li>Vous définissez les exceptions à ces règles de politiques par défaut
défaut dans le fichier <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li> dans le fichier <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
</ul> </ul>
<p>Pour chacune des demandes de connexion entrantes dans le firewall,
les demandes sont en premier lieu comparées par rapport au fichier <p>Pour chacune des demandes de connexion entrantes dans le firewall, les
/etc/shorewall/rules. Si aucune des règles dans ce fichier ne demandes sont en premier lieu comparées par rapport au fichier /etc/shorewall/rules.
correspondent, alors la première politique dans /etc/shorewall/policy Si aucune des règles dans ce fichier ne correspondent, alors la première
qui y correspond est appliquée. Si cette politique est REJECT ou DROP la politique dans /etc/shorewall/policy qui y correspond est appliquée. Si cette
requête est alors comparée par rapport aux règles contenues dans politique est REJECT ou DROP la requête est alors comparée par rapport aux
/etc/shorewall/common (l'archive d'exemple vous fournit ce fichier).</p> règles contenues dans /etc/shorewall/common (l'archive d'exemple vous fournit
<p>Le fichier /etc/shorewall/policy d'exemple contenu dans l'archive ce fichier).</p>
one-interface a les politiques suivantes :</p>
<p>Le fichier /etc/shorewall/policy d'exemple contenu dans l'archive one-interface
a les politiques suivantes :</p>
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber3"> id="AutoNumber3">
<tbody> <tbody>
<tr> <tr>
<td><u><b>SOURCE ZONE</b></u></td> <td><u><b>SOURCE ZONE</b></u></td>
<td><u><b>DESTINATION ZONE</b></u></td> <td><u><b>DESTINATION ZONE</b></u></td>
<td><u><b>POLICY</b></u></td> <td><u><b>POLICY</b></u></td>
<td><u><b>LOG LEVEL</b></u></td> <td><u><b>LOG LEVEL</b></u></td>
<td><u><b>LIMIT:BURST</b></u></td> <td><u><b>LIMIT:BURST</b></u></td>
</tr> </tr>
<tr> <tr>
<td>fw</td> <td>fw</td>
<td>net</td> <td>net</td>
<td>ACCEPT</td> <td>ACCEPT</td>
<td> <br> <td> <br>
</td> </td>
<td> <br> <td> <br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td>net</td> <td>net</td>
<td>all<br> <td>all<br>
</td> </td>
<td>DROP</td> <td>DROP</td>
<td>info</td> <td>info</td>
<td> <br> <td> <br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td>all</td> <td>all</td>
<td>all</td> <td>all</td>
<td>REJECT</td> <td>REJECT</td>
<td>info</td> <td>info</td>
<td> <br> <td> <br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
<pre> </pre> <pre> </pre>
Ces politiques vont : Ces politiques vont :
<ol> <ol>
<li>permettre toutes demandes de connexion depuis le firewall vers <li>permettre toutes demandes de connexion depuis le firewall vers l'Internet</li>
l'Internet</li> <li>drop (ignorer) toutes les demandes de connexion depuis l'Internet vers
<li>drop (ignorer) toutes les demandes de connexion depuis l'Internet votre firewall</li>
vers votre firewall</li> <li>rejeter toutes les autres requêtes de connexion (Shorewall à besoin
<li>rejeter toutes les autres requêtes de connexion (Shorewall à de cette politique).</li>
besoin de cette politique).</li>
</ol> </ol>
<p>A ce point, éditez votre /etc/shorewall/policy et faites y les
changements que vous désirez.</p> <p>A ce point, éditez votre /etc/shorewall/policy et faites y les changements
que vous désirez.</p>
<h2 align="left">Interface Externe</h2> <h2 align="left">Interface Externe</h2>
<p align="left">Le firewall possède une seule interface réseau. Lorsque
la connexion Internet passe par un modem câble ou par un routeur ADSL <p align="left">Le firewall possède une seule interface réseau. Lorsque la
(pas un simple modem), l'<i>External Interface</i> (interface externe) connexion Internet passe par un modem câble ou par un routeur ADSL (pas un
sera l'adaptateur ethernet (<b>eth0</b>) qui y est connecté <u>à moins simple modem), l'<i>External Interface</i> (interface externe) sera l'adaptateur
que</u> vous vous connectiez par <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol ethernet (<b>eth0</b>) qui y est connecté <u>à moins que</u> vous vous connectiez
over <u>E</u>thernet</i> (PPPoE) ou <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling<u>P</u>rotocol</i>(PPTP) par <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol over <u>E</u>thernet</i>
dans ce cas l'interface externe sera <b>ppp0</b>. Si vous vous (PPPoE) ou <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling<u>P</u>rotocol</i>(PPTP)
connectez par un simple modem (RTC), votre interface externe sera aussi <b>ppp0</b>. dans ce cas l'interface externe sera <b>ppp0</b>. Si vous vous connectez
Si vous vous connectez en utilisant l'ISDN (numéris), votre interface par un simple modem (RTC), votre interface externe sera aussi <b>ppp0</b>.
externe sera<b> ippp0.</b></p> Si vous vous connectez en utilisant l'ISDN (numéris), votre interface externe
sera<b> ippp0.</b></p>
<p align="left"><img border="0" src="images/BD21298_3.gif" width="13" <p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
height="13"> L'exemple de configuration de Shorewall pour une interface height="13">
suppose que votre interface externe est <b>eth0</b>. Si votre L'exemple de configuration de Shorewall pour une interface suppose que votre
configuration est différente, vous devrez modifier le fichier d'exemple interface externe est <b>eth0</b>. Si votre configuration est différente,
/etc/shorewall/interfaces en conséquence. Puisque vous y êtes, vous vous devrez modifier le fichier d'exemple /etc/shorewall/interfaces en conséquence.
pourriez parcourir la liste d'options qui sont spécifiées pour Puisque vous y êtes, vous pourriez parcourir la liste d'options qui sont
l'interface. Quelques astuces :</p> spécifiées pour l'interface. Quelques astuces :</p>
<ul> <ul>
<li> <li>
<p align="left">Si votre interface externe est <b>ppp0</b> ou <b>ippp0</b>, <p align="left">Si votre interface externe est <b>ppp0</b> ou <b>ippp0</b>,
vous pouvez remplacer le "detect" dans la seconde colonne par un vous pouvez remplacer le "detect" dans la seconde colonne par un "-".
"-". </p> </p>
</li> </li>
<li> <li>
<p align="left"> Si votre interface externe est <b>ppp0</b> ou <b>ippp0</b> <p align="left"> Si votre interface externe est <b>ppp0</b> ou <b>ippp0</b>
ou bien si vous avez une adresse IP statique, vous pouvez enlever le ou bien si vous avez une adresse IP statique, vous pouvez enlever le "dhcp"
"dhcp" de la liste d'option. </p> de la liste d'option. </p>
</li> </li>
</ul> </ul>
<div align="left"> <div align="left">
<h2 align="left">Adresse IP</h2> <h2 align="left">Adresse IP</h2>
</div> </div>
<div align="left"> <div align="left">
<p align="left">La RFC 1918 définie plusieurs plage d'adresses IP <p align="left">La RFC 1918 définie plusieurs plage d'adresses IP privée
privée (<i>Private</i>IP) pour l'utilisation dans des réseaux privés :</p> (<i>Private</i>IP) pour l'utilisation dans des réseaux privés :</p>
<div align="left"> <div align="left">
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre> <pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
</div> </div>
<p align="left">Ces adresses sont parfois désignées comme étant <i>non-routables</i> <p align="left">Ces adresses sont parfois désignées comme étant <i>non-routables</i>
car les routeurs sur les backbones Internet ne font pas passer les car les routeurs sur les backbones Internet ne font pas passer les paquets
paquets dont les adresses de destinations sont définies dans la RFC dont les adresses de destinations sont définies dans la RFC 1918. Dans certains
1918. Dans certains cas, les fournisseurs (provider ou ISP) utilisent cas, les fournisseurs (provider ou ISP) utilisent ces adresses et utilisent
ces adresses et utilisent le <i>Network Address Translation </i>afin le <i>Network Address Translation </i>afin de récrire les entêtes des paquets
de récrire les entêtes des paquets lorsqu'ils les font circuler depuis lorsqu'ils les font circuler depuis ou vers l'Internet.</p>
ou vers l'Internet.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" align="left" <p align="left"><img border="0" src="images/BD21298_.gif" align="left"
width="13" height="13"> Avant de lancer Shorewall, vous devriez width="13" height="13">
regarder l'adresse de votre interface externe et si elle est comprise Avant de lancer Shorewall, vous devriez regarder l'adresse de votre interface
dans une des plages précédentes, vous devriez enlever l'option externe et si elle est comprise dans une des plages précédentes, vous devriez
'norfc1918' dans le fichier /etc/shorewall/interfaces.</p> enlever l'option 'norfc1918' dans le fichier /etc/shorewall/interfaces.</p>
</div> </div>
<div align="left"> <div align="left">
<h2 align="left">Permettre d'autres connexions</h2> <h2 align="left">Permettre d'autres connexions</h2>
</div> </div>
<div align="left"> <div align="left">
<p align="left">Si vous désirez autoriser d'autres connexions depuis <p align="left">Si vous désirez autoriser d'autres connexions depuis l'Internet
l'Internet vers votre firewall, le format général est :</p> vers votre firewall, le format général est :</p>
</div> </div>
<div align="left"> <div align="left">
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber4"> id="AutoNumber4">
<tbody> <tbody>
<tr> <tr>
<td><u><b>ACTION</b></u></td> <td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td> <td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td> <td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td> <td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td> <td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td> <td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL ADDRESS</b></u></td> <td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr> </tr>
<tr> <tr>
<td>ACCEPT</td> <td>ACCEPT</td>
<td>net</td> <td>net</td>
<td>fw</td> <td>fw</td>
<td><i>&lt;protocol&gt;</i></td> <td><i>&lt;protocol&gt;</i></td>
<td><i>&lt;port&gt;</i></td> <td><i>&lt;port&gt;</i></td>
<td> <br> <td> <br>
</td> </td>
<td> <br> <td> <br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
</div> </div>
<div align="left"> <div align="left">
<p align="left">Exemple - Vous voulez faire tourner un serveur Web et <p align="left">Exemple - Vous voulez faire tourner un serveur Web et un
un serveur POP3 sur votre système de firewall :</p> serveur POP3 sur votre système de firewall :</p>
</div> </div>
<div align="left"> <div align="left">
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber5"> id="AutoNumber5">
<tbody> <tbody>
<tr> <tr>
<td><u><b>ACTION</b></u></td> <td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td> <td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td> <td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td> <td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td> <td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td> <td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL ADDRESS</b></u></td> <td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr> </tr>
<tr> <tr>
<td>ACCEPT</td> <td>ACCEPT</td>
<td>net</td> <td>net</td>
<td>fw</td> <td>fw</td>
<td>tcp</td> <td>tcp</td>
<td>80</td> <td>80</td>
<td> <br> <td> <br>
</td> </td>
<td> <br> <td> <br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td>ACCEPT</td> <td>ACCEPT</td>
<td>net</td> <td>net</td>
<td>fw</td> <td>fw</td>
<td>tcp</td> <td>tcp</td>
<td>110</td> <td>110</td>
<td> <br> <td> <br>
</td> </td>
<td> <br> <td> <br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
</div> </div>
<div align="left"> <div align="left">
<p align="left">Si vous ne savez pas quel port ou protocole une <p align="left">Si vous ne savez pas quel port ou protocole une application
application particulière utilise, regardez <a href="ports.htm">ici</a>.</p> particulière utilise, regardez <a href="ports.htm">ici</a>.</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left"><b>Important: </b>Je ne vous recommande pas <p align="left"><b>Important: </b>Je ne vous recommande pas d'autoriser le
d'autoriser le telnet depuis ou vers l'Internet car il utilise du texte telnet depuis ou vers l'Internet car il utilise du texte en clair (même pour
en clair (même pour le login et le mot de passe !). Si vous voulez avoir le login et le mot de passe !). Si vous voulez avoir un accès au shell de
un accès au shell de votre firewall depuis Internet, utilisez SSH :</p> votre firewall depuis Internet, utilisez SSH :</p>
</div> </div>
<div align="left"> <div align="left">
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber4"> id="AutoNumber4">
<tbody> <tbody>
<tr> <tr>
<td><u><b>ACTION</b></u></td> <td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td> <td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td> <td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td> <td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td> <td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td> <td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL ADDRESS</b></u></td> <td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr> </tr>
<tr> <tr>
<td>ACCEPT</td> <td>ACCEPT</td>
<td>net</td> <td>net</td>
<td>fw</td> <td>fw</td>
<td>tcp</td> <td>tcp</td>
<td>22</td> <td>22</td>
<td> <br> <td> <br>
</td> </td>
<td> <br> <td> <br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
</div> </div>
<div align="left"> <div align="left">
<pre> ACCEPT net fw tcp 22</pre> <pre> ACCEPT net fw tcp 22</pre>
</div> </div>
<div align="left"> <div align="left">
<p align="left"><img border="0" src="images/BD21298_3.gif" width="13" <p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
height="13"> A ce point, éditez /etc/shorewall/rules pour rajouter height="13">
les autres connexions désirées.</p> A ce point, éditez /etc/shorewall/rules pour rajouter les autres connexions
</div> désirées.</p>
</div>
<div align="left"> <div align="left">
<h2 align="left">Lancer et Arrêter son Firewall</h2> <h2 align="left">Lancer et Arrêter son Firewall</h2>
</div> </div>
<div align="left"> <div align="left">
<p align="left"> <img border="0" src="images/BD21298_2.gif" width="13" <p align="left"> <img border="0" src="images/BD21298_2.gif" width="13"
height="13" alt="Arrow"> La <a href="Install.htm">procédure height="13" alt="Arrow">
d'installation </a> configure votre système pour lancer Shorewall au La <a href="Install.htm">procédure d'installation </a> configure votre système
boot du système, mais au début avec la version 1.3.9 de Shorewall le pour lancer Shorewall au boot du système, mais au début avec la version 1.3.9
lancement est désactivé, n'essayer pas de lancer Shorewall avec que la de Shorewall le lancement est désactivé, n'essayer pas de lancer Shorewall
configuration soit finie. Une fois que vous en aurez fini avec la avec que la configuration soit finie. Une fois que vous en aurez fini avec
configuration du firewall, vous pouvez permettre le lancement de la configuration du firewall, vous pouvez permettre le lancement de Shorewall
Shorewall en supprimant le fichier /etc/shorewall/startup_disabled.<br> en supprimant le fichier /etc/shorewall/startup_disabled.<br>
</p> </p>
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Les
utilisateurs des paquets .deb doivent éditer /etc/default/shorewall et <p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Les utilisateurs
mettre 'startup=1'.</font><br> des paquets .deb doivent éditer /etc/default/shorewall et mettre 'startup=1'.</font><br>
</p> </p>
</div> </div>
<div align="left"> <div align="left">
<p align="left">Le firewall est activé en utilisant la commande <p align="left">Le firewall est activé en utilisant la commande "shorewall
"shorewall start" et arrêté avec "shorewall stop". Lorsque le firewall start" et arrêté avec "shorewall stop". Lorsque le firewall est stoppé, le
est stoppé, le routage est autorisé sur les hôtes qui possèdent une routage est autorisé sur les hôtes qui possèdent une entrée dans <a
entrée dans <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. Un
Un firewall qui tourne peut être relancé en utilisant la commande firewall qui tourne peut être relancé en utilisant la commande "shorewall
"shorewall restart". Si vous voulez enlever toutes traces de Shorewall restart". Si vous voulez enlever toutes traces de Shorewall sur votre configuration
sur votre configuration de Netfilter, utilisez "shorewall clear".</p> de Netfilter, utilisez "shorewall clear".</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left"><b>ATTENTION: </b>Si vous êtes connecté à votre <p align="left"><b>ATTENTION: </b>Si vous êtes connecté à votre firewall
firewall depuis Internet, n'essayez pas une commande "shorewall stop" depuis Internet, n'essayez pas une commande "shorewall stop" tant que vous
tant que vous n'avez pas ajouté une entrée pour votre adresse IP (celle n'avez pas ajouté une entrée pour votre adresse IP (celle à partir de laquelle
à partir de laquelle vous êtes connectée) dans <a vous êtes connectée) dans <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. De la même manière, je ne vous recommande pas d'utiliser "shorewall restart";
De la même manière, je ne vous recommande pas d'utiliser "shorewall il est plus intéressant de créer une <i><a
restart"; il est plus intéressant de créer une <i><a
href="configuration_file_basics.htm#Configs">configuration alternative</a></i> href="configuration_file_basics.htm#Configs">configuration alternative</a></i>
et de la tester en utilisant la commande <a et de la tester en utilisant la commande <a
href="starting_and_stopping_shorewall.htm">"shorewall try"</a>.</p> href="starting_and_stopping_shorewall.htm">"shorewall try"</a>.</p>
</div> </div>
<p align="left"><font size="2">Last updated 12/9/2002 - <a <p align="left"><font size="2">Last updated 12/9/2002 - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002
Thomas M. Eastep</font></a></p> <p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas
<br> M. Eastep</font></a></p>
<br> <br>
<br> <br>
<br> <br>
<br> <br>
<br> <br>
<br> <br>
<br>
<br>
</body> </body>
</html> </html>

309
STABLE/documentation/support.htm
View File

@ -18,9 +18,10 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td
width="100%">
@ -28,9 +29,9 @@
<h1 align="center"><font color="#ffffff">Shorewall Support Guide<img <h1 align="center"><font color="#ffffff">Shorewall Support Guide<img
src="images/obrasinf.gif" alt="" width="90" height="90" align="middle"> src="images/obrasinf.gif" alt="" width="90" height="90" align="middle">
</font></h1> </font></h1>
</td> </td>
</tr> </tr>
@ -39,32 +40,33 @@
<h2>Before Reporting a Problem or Asking a Question<br> <h2>Before Reporting a Problem or Asking a Question<br>
</h2> </h2>
There are a number There are a number
of sources of Shorewall information. Please try these before you post. of sources of Shorewall information. Please try these before you
post.
<ul> <ul>
<li>More than half of the questions posted <li>More than half of the questions posted
on the support list have answers directly accessible from the on the support list have answers directly accessible from the
<a href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a><br> <a href="shorewall_quickstart_guide.htm#Documentation">Documentation
</li> Index</a><br>
<li> The <a </li>
<li> The <a
href="FAQ.htm">FAQ</a> has solutions to more than 20 common problems. href="FAQ.htm">FAQ</a> has solutions to more than 20 common problems.
</li> </li>
<li> The <a <li> The <a
href="troubleshoot.htm">Troubleshooting</a> Information contains href="troubleshoot.htm">Troubleshooting</a> Information contains
a number of tips to help you solve common problems. a number of tips to help you solve common problems.
</li> </li>
<li> The <a <li> The <a
href="errata.htm"> Errata</a> has links to download updated href="errata.htm"> Errata</a> has links to download updated
components. </li> components. </li>
<li> The Site and Mailing <li> The Site and Mailing
List Archives search facility can locate documents and posts List Archives search facility can locate documents and posts
about similar problems: </li> about similar problems: </li>
</ul> </ul>
@ -80,12 +82,12 @@
<option value="or">Any </option> <option value="or">Any </option>
<option value="boolean">Boolean </option> <option value="boolean">Boolean </option>
</select> </select>
Format: Format:
<select name="format"> <select name="format">
<option value="builtin-long">Long </option> <option value="builtin-long">Long </option>
<option value="builtin-short">Short </option> <option value="builtin-short">Short </option>
</select> </select>
Sort by: Sort by:
<select name="sort"> <select name="sort">
<option value="score">Score </option> <option value="score">Score </option>
<option value="time">Time </option> <option value="time">Time </option>
@ -94,49 +96,49 @@
<option value="revtime">Reverse Time </option> <option value="revtime">Reverse Time </option>
<option value="revtitle">Reverse Title </option> <option value="revtitle">Reverse Title </option>
</select> </select>
</font><input type="hidden" name="config" value="htdig"><input </font><input type="hidden" name="config" value="htdig"><input
type="hidden" name="restrict" value=""><font size="-1"> Include Mailing type="hidden" name="restrict" value=""><font size="-1"> Include Mailing
List Archives: List Archives:
<select size="1" name="exclude"> <select size="1" name="exclude">
<option value="">Yes</option> <option value="">Yes</option>
<option value="[http://lists.shorewall.net/pipermail/.*]">No</option> <option value="[http://lists.shorewall.net/pipermail/.*]">No</option>
</select> </select>
</font><br> </font><br>
Search: <input type="text" size="30" name="words" value=""> <input Search: <input type="text" size="30" name="words" value=""> <input
type="submit" value="Search"><br> type="submit" value="Search"><br>
</form> </form>
</blockquote> </blockquote>
<h2>Problem Reporting Guidelines<br> <h2>Problem Reporting Guidelines<br>
</h2> </h2>
<ul> <ul>
<li>Please remember we only know what is posted <li>Please remember we only know what is posted
in your message. Do not leave out any information that appears in your message. Do not leave out any information that appears
to be correct, or was mentioned in a previous post. There have been to be correct, or was mentioned in a previous post. There have
countless posts by people who were sure that some part of their been countless posts by people who were sure that some part of their
configuration was correct when it actually contained a small error. configuration was correct when it actually contained a small error.
We tend to be skeptics where detail is lacking.<br> We tend to be skeptics where detail is lacking.<br>
<br> <br>
</li> </li>
<li>Please keep in mind that you're asking for <li>Please keep in mind that you're asking for
<strong>free</strong> technical support. Any help we offer <strong>free</strong> technical support. Any help we offer
is an act of generosity, not an obligation. Try to make it easy is an act of generosity, not an obligation. Try to make it easy
for us to help you. Follow good, courteous practices in writing for us to help you. Follow good, courteous practices in writing and
and formatting your e-mail. Provide details that we need if you expect formatting your e-mail. Provide details that we need if you expect good
good answers. <em>Exact quoting </em> of error messages, log entries, answers. <em>Exact quoting </em> of error messages, log entries,
command output, and other output is better than a paraphrase or summary.<br> command output, and other output is better than a paraphrase or summary.<br>
<br> <br>
</li> </li>
<li> Please <li> Please
don't describe your environment and then ask us to send you don't describe your environment and then ask us to send
custom configuration files. We're here to answer your you custom configuration files. We're here to answer
questions but we can't do your job for you.<br> your questions but we can't do your job for you.<br>
<br> <br>
</li> </li>
<li>When reporting a problem, <strong>ALWAYS</strong> <li>When reporting a problem, <strong>ALWAYS</strong>
include this information:</li> include this information:</li>
</ul> </ul>
@ -144,68 +146,68 @@ don't describe your environment and then ask us to send you
<ul> <ul>
<li>the exact version of Shorewall you are <li>the exact version of Shorewall you are
running.<br> running.<br>
<br> <br>
<b><font color="#009900">shorewall version</font><br> <b><font color="#009900">shorewall version</font><br>
</b> <br> </b> <br>
</li> </li>
</ul> </ul>
<ul> <ul>
<li>the exact kernel version you are running<br> <li>the exact kernel version you are running<br>
<br> <br>
<font color="#009900"><b>uname -a<br> <font color="#009900"><b>uname -a<br>
<br> <br>
</b></font></li> </b></font></li>
</ul> </ul>
<ul> <ul>
<li>the complete, exact output of<br> <li>the complete, exact output of<br>
<br> <br>
<font color="#009900"><b>ip addr show<br> <font color="#009900"><b>ip addr show<br>
<br> <br>
</b></font></li> </b></font></li>
</ul> </ul>
<ul> <ul>
<li>the complete, exact output of<br> <li>the complete, exact output of<br>
<br> <br>
<font color="#009900"><b>ip route show<br> <font color="#009900"><b>ip route show<br>
<br> <br>
</b></font></li> </b></font></li>
</ul> </ul>
<ul> <ul>
<li>If your kernel is modularized, the exact <li>If your kernel is modularized, the exact
output from<br> output from<br>
<br> <br>
<font color="#009900"><b>lsmod</b></font><br> <font color="#009900"><b>lsmod</b></font><br>
<br> <br>
</li> </li>
<li>the exact wording of any <code <li>the exact wording of any <code
style="color: green; font-weight: bold;">ping</code> failure responses<br> style="color: green; font-weight: bold;">ping</code> failure responses<br>
<br> <br>
</li> </li>
<li>If you installed Shorewall using one of the QuickStart <li>If you installed Shorewall using one of the QuickStart
Guides, please indicate which one. <br> Guides, please indicate which one. <br>
<br> <br>
</li> </li>
<li><b>If you are running Shorewall under Mandrake <li><b>If you are running Shorewall under Mandrake
using the Mandrake installation of Shorewall, please say so.</b><br> using the Mandrake installation of Shorewall, please say so.</b><br>
</li> </li>
</ul> </ul>
@ -215,49 +217,51 @@ using the Mandrake installation of Shorewall, please say so.</b><br>
<ul> <ul>
<ul> <ul>
<li><font color="#ff0000"><u><i><big><b>If you are having connection <li><font color="#ff0000"><u><i><big><b>If you are having connection
problems of any kind then:</b></big></i></u></font><br> problems of any kind then:</b></big></i></u></font><br>
<br> <br>
1. <b><font color="#009900">/sbin/shorewall/reset</font></b><br> 1. <b><font color="#009900">/sbin/shorewall/reset</font></b><br>
<br> <br>
2. Try the connection that is failing.<br> 2. Try the connection that is failing.<br>
<br> <br>
3.<b><font color="#009900"> /sbin/shorewall status &gt; /tmp/status.txt</font></b><br> 3.<b><font color="#009900"> /sbin/shorewall status &gt; /tmp/status.txt</font></b><br>
<br> <br>
4. Post the /tmp/status.txt file as an attachment.<br> 4. Post the /tmp/status.txt file as an attachment.<br>
<br> <br>
</li> </li>
</ul> </ul>
<li>As a general <li>As a general
matter, please <strong>do not edit the diagnostic information</strong> matter, please <strong>do not edit the diagnostic information</strong>
in an attempt to conceal your IP address, netmask, nameserver in an attempt to conceal your IP address, netmask, nameserver
addresses, domain name, etc. These aren't secrets, and concealing addresses, domain name, etc. These aren't secrets, and concealing
them often misleads us (and 80% of the time, a hacker could derive them them often misleads us (and 80% of the time, a hacker could derive
anyway from information contained in the SMTP headers of your post).<br> them anyway from information contained in the SMTP headers of your
<br> post).<br>
<strong></strong></li> <br>
<li>Do you see any "Shorewall" messages ("<b><font <strong></strong></li>
<li>Do you see any "Shorewall" messages ("<b><font
color="#009900">/sbin/shorewall show log</font></b>") when color="#009900">/sbin/shorewall show log</font></b>") when
you exercise the function that is giving you problems? If so, you exercise the function that is giving you problems? If so,
include the message(s) in your post along with a copy of your /etc/shorewall/interfaces include the message(s) in your post along with a copy of your /etc/shorewall/interfaces
file.<br> file.<br>
<br> <br>
</li> </li>
<li>Please include any of the Shorewall configuration files <li>Please include any of the Shorewall configuration files
(especially the /etc/shorewall/hosts file if you have (especially the /etc/shorewall/hosts file if you have
modified that file) that you think are relevant. If you modified that file) that you think are relevant. If
include /etc/shorewall/rules, please include /etc/shorewall/policy you include /etc/shorewall/rules, please include /etc/shorewall/policy
as well (rules are meaningless unless one also knows the policies).<br> as well (rules are meaningless unless one also knows the policies).<br>
<br> <br>
</li> </li>
<li>If an error occurs when you try to "<font <li>If an error occurs when you try to "<font
color="#009900"><b>shorewall start</b></font>", include a color="#009900"><b>shorewall start</b></font>", include a
trace (See the <a href="troubleshoot.htm">Troubleshooting</a> trace (See the <a href="troubleshoot.htm">Troubleshooting</a>
section for instructions).<br> section for instructions).<br>
<br> <br>
</li> </li>
<li><b>The list server limits posts to 120kb so don't post GIFs <li><b>The list server limits posts to 120kb so don't post
of your network layout, etc. to the Mailing GIFs of your network layout, etc. to the Mailing
List -- your post will be rejected.</b></li> List -- your post will be rejected.</b></li>
</ul> </ul>
@ -266,30 +270,30 @@ List -- your post will be rejected.</b></li>
The author gratefully acknowleges that the above list was heavily The author gratefully acknowleges that the above list was heavily
plagiarized from the excellent LEAF document by <i>Ray</i> <em>Olszewski</em> plagiarized from the excellent LEAF document by <i>Ray</i> <em>Olszewski</em>
found at <a found at <a
href="http://leaf-project.org/pub/doc/docmanager/docid_1891.html">http://leaf-project.org/pub/doc/docmanager/docid_1891.html</a>.<br> href="http://leaf-project.org/pub/doc/docmanager/docid_1891.html">http://leaf-project.org/pub/doc/docmanager/docid_1891.html</a>.<br>
</blockquote> </blockquote>
<h2>When using the mailing list, please post in plain text</h2> <h2>When using the mailing list, please post in plain text</h2>
<blockquote> <blockquote>
A growing number of MTAs serving list subscribers are rejecting A growing number of MTAs serving list subscribers are rejecting
all HTML traffic. At least one MTA has gone so far as to blacklist all HTML traffic. At least one MTA has gone so far as to blacklist
shorewall.net "for continuous abuse" because it has been my policy shorewall.net "for continuous abuse" because it has been my policy
to allow HTML in list posts!!<br> to allow HTML in list posts!!<br>
<br> <br>
I think that blocking all HTML is a Draconian I think that blocking all HTML is a Draconian
way to control spam and that the ultimate losers here are not way to control spam and that the ultimate losers here are not
the spammers but the list subscribers whose MTAs are bouncing the spammers but the list subscribers whose MTAs are bouncing
all shorewall.net mail. As one list subscriber wrote to me privately all shorewall.net mail. As one list subscriber wrote to me privately
"These e-mail admin's need to get a <i>(expletive deleted)</i> life "These e-mail admin's need to get a <i>(expletive deleted)</i> life
instead of trying to rid the planet of HTML based e-mail". Nevertheless, instead of trying to rid the planet of HTML based e-mail". Nevertheless,
to allow subscribers to receive list posts as must as possible, I to allow subscribers to receive list posts as must as possible, I have
have now configured the list server at shorewall.net to strip all HTML now configured the list server at shorewall.net to strip all HTML
from outgoing posts.<br> from outgoing posts.<br>
</blockquote> </blockquote>
<h2>Where to Send your Problem Report or to Ask for Help</h2> <h2>Where to Send your Problem Report or to Ask for Help</h2>
@ -299,28 +303,24 @@ have now configured the list server at shorewall.net to strip all HTML
<h4>If you run Shorewall under Bering -- <span <h4>If you run Shorewall under Bering -- <span
style="font-weight: 400;">please post your question or problem style="font-weight: 400;">please post your question or problem
to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF
Users mailing list</a>.</span></h4> Users mailing list</a>.</span></h4>
<b>If you run Shorewall under MandrakeSoft <b>If you run Shorewall under MandrakeSoft
Multi Network Firewall (MNF) and you have not purchased an MNF Multi Network Firewall (MNF) and you have not purchased an
license from MandrakeSoft then you can post non MNF-specific Shorewall MNF license from MandrakeSoft then you can post non MNF-specific
questions to the </b><a Shorewall questions to the </b><a
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
list</a> or to the <a list</a>. <b>Do not expect to get free MNF support on the list.</b><br>
href="http://www.developercube.com/forum/index.php?c=8">Shorewall Support
Forum</a>. <b>Do not expect to get free MNF support on the list or forum.</b><br>
<p>Otherwise, please post your question or problem to the <a <p>Otherwise, please post your question or problem to the <a
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
list</a> or to the <a list</a>.<br>
href="http://www.developercube.com/forum/index.php?c=8">Shorewall Support To Subscribe to the mailing list go to <a
Forum</a>.<br>
To Subscribe to the mailing list go to <a
href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a> href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a>
.<br> .<br>
</p> </p>
</blockquote> </blockquote>
@ -328,16 +328,17 @@ Forum</a>.<br>
<p>For information on other Shorewall mailing lists, go to <a <p>For information on other Shorewall mailing lists, go to <a
href="http://lists.shorewall.net/mailing_list.htm">http://lists.shorewall.net/mailing_list.htm</a><br> href="http://lists.shorewall.net/mailing_list.htm">http://lists.shorewall.net/mailing_list.htm</a><br>
</p> </p>
<p align="left"><font size="2">Last Updated 3/17/2003 - Tom Eastep</font></p> <p align="left"><font size="2">Last Updated 4/10/2003 - Tom Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br> size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p> </p>
<br> <br>
<br>
<br> <br>
<br> <br>
<br> <br>

1269
STABLE/documentation/three-interface.htm
View File

File diff suppressed because it is too large Load Diff

1295
STABLE/documentation/three-interface_fr.html
View File

File diff suppressed because it is too large Load Diff

995
STABLE/documentation/two-interface.htm
View File

File diff suppressed because it is too large Load Diff

1945
STABLE/documentation/two-interface_fr.html
View File

File diff suppressed because it is too large Load Diff

475
STABLE/documentation/upgrade_issues.htm
View File

@ -6,12 +6,10 @@
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Upgrade Issues</title> <title>Upgrade Issues</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
@ -19,167 +17,183 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Upgrade Issues</font></h1> <h1 align="center"><font color="#ffffff">Upgrade Issues</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p>For upgrade instructions see the <a <p>For upgrade instructions see the <a
href="Install.htm">Install/Upgrade page</a>.<br> href="Install.htm">Install/Upgrade page</a>.<br>
</p> </p>
<p>It is important that you read all of the sections on this page where the <p>It is important that you read all of the sections on this page where the
version number mentioned in the section title is later than what you are version number mentioned in the section title is later than what you are
currently running. <br> currently running.<br>
</p> </p>
<p> In the descriptions that follows, the term <b><i>group </i></b>refers
to a particular network or subnetwork (which may be 0.0.0.0/0 or it may
be a host address) accessed through a particular interface.<br>
</p>
<p>Examples:<br>
    <br>
    eth0:0.0.0.0/0<br>
    eth2:192.168.1.0/24<br>
    eth3:192.0.2.123<br>
</p>
<h3> </h3> <h3> </h3>
<h3>Version &gt;= 1.4.2</h3>
There are some cases where you may want to handle traffic from a particular
group to itself. While I personally think that such a setups are ridiculous,
there are two cases covered in this documentation where it can occur:<br>
<ol>
<li><a href="FAQ.htm#faq2">In FAQ #2</a>.</li>
<li><a href="Shorewall_Squid_Usage.html">When running Squid as a transparent
proxy in your local zone.</a></li>
</ol>
If you have either of these cases, you will want to review the current documentation
and change your configuration accordingly.<br>
<h3>Version &gt;= 1.4.1</h3> <h3>Version &gt;= 1.4.1</h3>
In the description that follows, the term <i>group </i>refers to a particular You can use the "shorewall check" command to see the groups associated with
network or subnetwork (which may be 0.0.0.0/0 or it may be a host address)
accessed through a particular interface. Examples:<br>
<blockquote>eth0:0.0.0.0/0<br>
eth2:192.168.1.0/24<br>
eth3:192.0.2.123<br>
</blockquote>
You can use the "shorewall check" command to see the groups associated with
each of your zones.<br> each of your zones.<br>
<br> <br>
<ul> <ul>
<li>Beginning with Version 1.4.1, traffic between groups in the same <li>Beginning with Version 1.4.1, traffic between groups in the same
zone is accepted by default. Previously, traffic from a zone to itself was zone is accepted by default. Previously, traffic from a zone to itself
treated just like any other traffic; any matching rules were applied followed was treated just like any other traffic; any matching rules were applied
by enforcement of the appropriate policy. With 1.4.1 and later versions, followed by enforcement of the appropriate policy. With 1.4.1 and later
unless you have explicit rules for traffic from Z to Z or you have an explicit versions, unless you have explicit rules for traffic from Z to Z or you
Z to Z policy (where "Z" is some zone) then traffic between the groups in have an explicit Z to Z policy (where "Z" is some zone) then traffic between
zone Z will be accepted. If you do have one or more explicit rules for Z the groups in zone Z will be accepted. If you do have one or more explicit
to Z or if you have an explicit Z to Z policy then the behavior is as it rules for Z to Z or if you have an explicit Z to Z policy then the behavior
was in prior versions.</li> is as it was in prior versions.</li>
</ul> </ul>
<blockquote> <blockquote>
<ol> <ol>
<li>If you have a Z Z ACCEPT policy for a zone to allow traffic between <li>If you have a Z Z ACCEPT policy for a zone to allow traffic between
two interfaces to the same zone, that policy can be removed and traffic two interfaces to the same zone, that policy can be removed and traffic
between the interfaces will traverse fewer rules than previously.</li> between the interfaces will traverse fewer rules than previously.</li>
<li>If you have a Z Z DROP or Z Z REJECT policy or you have Z-&gt;Z <li>If you have a Z Z DROP or Z Z REJECT policy or you have Z-&gt;Z
rules then your configuration should not require any change.</li> rules then your configuration should not require any change.</li>
<li>If you are currently relying on a implicit policy (one that has <li>If you are currently relying on a implicit policy (one that has
"all" in either the SOURCE or DESTINATION column) to prevent traffic between "all" in either the SOURCE or DESTINATION column) to prevent traffic between
two interfaces to a zone Z and you have no rules for Z-&gt;Z then you should two interfaces to a zone Z and you have no rules for Z-&gt;Z then you should
add an explicit DROP or REJECT policy for Z to Z.<br> add an explicit DROP or REJECT policy for Z to Z.<br>
</li> </li>
</ol> </ol>
</blockquote> </blockquote>
<ul> <ul>
<li>Beginning with Version 1.4.1, Shorewall will never create rules to <li>Beginning with Version 1.4.1, Shorewall will never create rules
deal with traffic from a given group back to itself. The <i>multi</i> interface to deal with traffic from a given group back to itself. The <i>multi</i>
option is no longer available so if you want to route traffic between two interface option is no longer available so if you want to route traffic between
subnetworks on the same interface then either:</li> two subnetworks on the same interface then either:</li>
</ul> </ul>
<blockquote> <blockquote>
<ol> <ol>
<li>The subnetworks must be in different zones; or</li> <li>The subnetworks must be in different zones; or</li>
<li>You must use the /etc/shorewall/hosts file to define the subnetworks <li>You must use the /etc/shorewall/hosts file to define the subnetworks
as two groups in a single zone.</li> as two groups in a single zone.</li>
</ol> </ol>
</blockquote> </blockquote>
Example 1 -- Two zones:<br> If you use the technique described in FAQ 2 to send local requests addressed
to your firewall's external address back to a local server then you need to
change your configuration to match <a href="FAQ.htm#faq2">the new version
of FAQ #2.<br>
</a><br>
Example 1 -- Two zones:<br>
<blockquote> <blockquote>
<pre>/etc/shorewall/zones<br><br>z1 Zone1 The first Zone<br>z2 Zone2 The secont Zone<br><br>/etc/shorewall/policy<br><br>z1 z2 ACCEPT<br>z2 z1 ACCEPT<br><br>/etc/shorewall/interfaces<br><br>- eth1 192.168.1.255,192.168.2.255<br><br>/etc/shorewall/hosts<br><br>z1 eth1:192.168.1.0/24<br>z2 eth1:192.168.2.0/24<br></pre> <pre>/etc/shorewall/zones<br><br>z1 Zone1 The first Zone<br>z2 Zone2 The secont Zone<br><br>/etc/shorewall/policy<br><br>z1 z2 ACCEPT<br>z2 z1 ACCEPT<br><br>/etc/shorewall/interfaces<br><br>- eth1 192.168.1.255,192.168.2.255<br><br>/etc/shorewall/hosts<br><br>z1 eth1:192.168.1.0/24<br>z2 eth1:192.168.2.0/24<br></pre>
</blockquote> </blockquote>
Example 2 -- One zone: Example 2 -- One zone:
<blockquote> <blockquote>
<pre><br>/etc/shorewall/zones<br><br>z Zone The Zone<br><br>/etc/shorewall/interfaces<br><br>- eth1 192.168.1.255,192.168.2.255<br><br>/etc/shorewall/hosts<br><br>z eth1:192.168.1.0/24<br>z eth1:192.168.2.0/24<br></pre> <pre><br>/etc/shorewall/zones<br><br>z Zone The Zone<br><br>/etc/shorewall/interfaces<br><br>- eth1 192.168.1.255,192.168.2.255<br><br>/etc/shorewall/hosts<br><br>z eth1:192.168.1.0/24<br>z eth1:192.168.2.0/24<br></pre>
</blockquote> </blockquote>
Note that in the second example, we don't need any policy since z-&gt;z Note that in the second example, we don't need any policy since z-&gt;z
traffic is accepted by default. The second technique is preferable if you traffic is accepted by default. The second technique is preferable if you
want unlimited access between the two subnetworks.<br> want unlimited access between the two subnetworks.<br>
<br> <br>
Sometimes, you want two separate zones on one interface but you don't want Sometimes, you want two separate zones on one interface but you don't
Shorewall to set up any infrastructure to handle traffic between them. <br> want Shorewall to set up any infrastructure to handle traffic between them.
<br> <br>
Example:<br> <br>
Example:<br>
<blockquote> <blockquote>
<pre>/etc/shorewall/zones<br><br>z1 Zone1 The first Zone<br>z2 Zone2 The secont Zone<br><br>/etc/shorewall/interfaces<br><br>z2 eth1 192.168.1.255<br><br>/etc/shorewall/hosts<br><br>z1 eth1:192.168.1.3<br></pre> <pre>/etc/shorewall/zones<br><br>z1 Zone1 The first Zone<br>z2 Zone2 The secont Zone<br><br>/etc/shorewall/interfaces<br><br>z2 eth1 192.168.1.255<br><br>/etc/shorewall/hosts<br><br>z1 eth1:192.168.1.3<br></pre>
</blockquote> </blockquote>
Here, zone z1 is nested in zone z2 and the firewall is not going to be involved Here, zone z1 is nested in zone z2 and the firewall is not going to be
in any traffic between these two zones. Beginning with Shorewall 1.4.1, you involved in any traffic between these two zones. Beginning with Shorewall
can prevent Shorewall from setting up any infrastructure to handle traffic 1.4.1, you can prevent Shorewall from setting up any infrastructure to handle
between z1 and z2 by using the new NONE policy:<br> traffic between z1 and z2 by using the new NONE policy:<br>
<blockquote> <blockquote>
<pre>/etc/shorewall/policy<br><pre>z1 z2 NONE<br>z2 z1 NONE</pre></pre> <pre>/etc/shorewall/policy<br><pre>z1 z2 NONE<br>z2 z1 NONE</pre></pre>
</blockquote> </blockquote>
Note that NONE policies are generally used in pairs unless there is asymetric Note that NONE policies are generally used in pairs unless there is asymetric
routing where only the traffic on one direction flows through the firewall routing where only the traffic on one direction flows through the firewall
and you are using a NONE polciy in the other direction.  and you are using a NONE polciy in the other direction. 
<h3>Version &gt;= 1.4.0</h3> <h3>Version &gt;= 1.4.0</h3>
<b>IMPORTANT: Shorewall &gt;=1.4.0 </b><b>requires</b> <b>the iproute <b>IMPORTANT: Shorewall &gt;=1.4.0 </b><b>requires</b> <b>the iproute
package ('ip' utility).</b><br> package ('ip' utility).</b><br>
<br>
<b>Note: </b>Unfortunately, some distributions call this package iproute2
which will cause the upgrade of Shorewall to fail with the diagnostic:<br>
<br>
     error: failed dependencies:iproute is needed by shorewall-1.4.0-1
<br> <br>
<b>Note: </b>Unfortunately, some distributions call this package iproute2
which will cause the upgrade of Shorewall to fail with the diagnostic:<br>
<br>
     error: failed dependencies:iproute is needed by shorewall-1.4.0-1
<br> <br>
This may be worked around by using the --nodeps option of rpm (rpm -Uvh <br>
--nodeps &lt;shorewall rpm&gt;).<br> This may be worked around by using the --nodeps option of rpm (rpm
<br> -Uvh --nodeps &lt;shorewall rpm&gt;).<br>
If you are upgrading from a version &lt; 1.4.0, then:<br> <br>
If you are upgrading from a version &lt; 1.4.0, then:<br>
<ul> <ul>
<li>The <b>noping </b>and <b>forwardping</b> interface options <li>The <b>noping </b>and <b>forwardping</b> interface options
are no longer supported nor is the <b>FORWARDPING </b>option in shorewall.conf. are no longer supported nor is the <b>FORWARDPING </b>option in shorewall.conf.
ICMP echo-request (ping) packets are treated just like any other connection ICMP echo-request (ping) packets are treated just like any other connection
request and are subject to rules and policies.</li> request and are subject to rules and policies.</li>
<li>Interface names of the form &lt;device&gt;:&lt;integer&gt; <li>Interface names of the form &lt;device&gt;:&lt;integer&gt;
in /etc/shorewall/interfaces now generate a Shorewall error at startup in /etc/shorewall/interfaces now generate a Shorewall error at startup
(they always have produced warnings in iptables).</li> (they always have produced warnings in iptables).</li>
<li>The MERGE_HOSTS variable has been removed from shorewall.conf. <li>The MERGE_HOSTS variable has been removed from shorewall.conf.
Shorewall 1.4 behaves like 1.3 did when MERGE_HOSTS=Yes; that is zone contents Shorewall 1.4 behaves like 1.3 did when MERGE_HOSTS=Yes; that is zone
are determined by BOTH the interfaces and hosts files when there are entries contents are determined by BOTH the interfaces and hosts files when there
for the zone in both files.</li> are entries for the zone in both files.</li>
<li>The <b>routestopped</b> option in the interfaces and hosts <li>The <b>routestopped</b> option in the interfaces and hosts
file has been eliminated; use entries in the routestopped file instead.</li> file has been eliminated; use entries in the routestopped file instead.</li>
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no <li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is
longer accepted; you must convert to using the new syntax.</li> no longer accepted; you must convert to using the new syntax.</li>
<li value="6">The ALLOWRELATED variable in shorewall.conf is no <li value="6">The ALLOWRELATED variable in shorewall.conf is
longer supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.</li> no longer supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.</li>
<li value="6">Late-arriving DNS replies are now dropped by default; <li value="6">Late-arriving DNS replies are now dropped by default;
there is no need for your own /etc/shorewall/common file simply to avoid there is no need for your own /etc/shorewall/common file simply to avoid
logging these packets.</li> logging these packets.</li>
<li value="6">The 'firewall', 'functions' and 'version' file have <li value="6">The 'firewall', 'functions' and 'version' file
been moved to /usr/share/shorewall.</li> have been moved to /usr/share/shorewall.</li>
<li value="6">The icmp.def file has been removed. If you include <li value="6">The icmp.def file has been removed. If you include
it from /etc/shorewall/icmpdef, you will need to modify that file.</li> it from /etc/shorewall/icmpdef, you will need to modify that file.</li>
<ul> <ul>
</ul> </ul>
<li>If you followed the advice in FAQ #2 and call find_interface_address <li>If you followed the advice in FAQ #2 and call find_interface_address
in /etc/shorewall/params, that code should be moved to /etc/shorewall/init.<br> in /etc/shorewall/params, that code should be moved to /etc/shorewall/init.<br>
</li> </li>
</ul> </ul>
@ -190,81 +204,84 @@ longer accepted; you must convert to using the new syntax.</li>
<h3>Version 1.4.0</h3> <h3>Version 1.4.0</h3>
<ul> <ul>
<li value="8">The 'multi' interface option is no longer supported.  Shorewall <li value="8">The 'multi' interface option is no longer supported.
will generate rules for sending packets back out the same interface that  Shorewall will generate rules for sending packets back out the same
they arrived on in two cases:</li> interface that they arrived on in two cases:</li>
</ul> </ul>
<blockquote> <blockquote>
<ul> <ul>
<li>There is an <u>explicit</u> policy for the source zone to or from <li>There is an <u>explicit</u> policy for the source zone to or
the destination zone. An explicit policy names both zones and does not from the destination zone. An explicit policy names both zones and does
use the 'all' reserved word.</li> not use the 'all' reserved word.</li>
</ul> </ul>
<ul> <ul>
<li>There are one or more rules for traffic for the source zone to <li>There are one or more rules for traffic for the source zone to
or from the destination zone including rules that use the 'all' reserved or from the destination zone including rules that use the 'all' reserved
word. Exception: if the source zone and destination zone are the same then word. Exception: if the source zone and destination zone are the same
the rule must be explicit - it must name the zone in both the SOURCE and then the rule must be explicit - it must name the zone in both the SOURCE
DESTINATION columns.</li> and DESTINATION columns.</li>
</ul> </ul>
</blockquote> </blockquote>
<h3>Version &gt;= 1.3.14</h3> <h3>Version &gt;= 1.3.14</h3>
<img src="images/BD21298_3.gif" alt="" width="13" height="13"> <img src="images/BD21298_3.gif" alt="" width="13"
     Beginning in version 1.3.14, Shorewall treats entries in <a height="13">
href="Documentation.htm#Masq">/etc/shorewall/masq </a>differently. The change      Beginning in version 1.3.14, Shorewall treats entries in
involves entries with an <b>interface name</b> in the <b>SUBNET</b> (second) <a href="Documentation.htm#Masq">/etc/shorewall/masq </a>differently. The
<b>column</b>:<br> change involves entries with an <b>interface name</b> in the <b>SUBNET</b>
(second) <b>column</b>:<br>
<ul> <ul>
<li>Prior to 1.3.14, Shorewall would detect the FIRST subnet <li>Prior to 1.3.14, Shorewall would detect the FIRST subnet
on the interface (as shown by "ip addr show <i>interface</i>") and would on the interface (as shown by "ip addr show <i>interface</i>") and would
masquerade traffic from that subnet. Any other subnets that routed through masquerade traffic from that subnet. Any other subnets that routed through
eth1 needed their own entry in /etc/shorewall/masq to be masqueraded eth1 needed their own entry in /etc/shorewall/masq to be masqueraded
or to have SNAT applied.</li> or to have SNAT applied.</li>
<li>Beginning with Shorewall 1.3.14, Shorewall uses the firewall's <li>Beginning with Shorewall 1.3.14, Shorewall uses the firewall's
routing table to determine ALL subnets routed through the named interface. routing table to determine ALL subnets routed through the named interface.
Traffic originating in ANY of those subnets is masqueraded or has SNAT Traffic originating in ANY of those subnets is masqueraded or has SNAT
applied.</li> applied.</li>
</ul> </ul>
You will need to make a change to your configuration if:<br> You will need to make a change to your configuration if:<br>
<ol> <ol>
<li>You have one or more entries in /etc/shorewall/masq with <li>You have one or more entries in /etc/shorewall/masq with
an interface name in the SUBNET (second) column; and</li> an interface name in the SUBNET (second) column; and</li>
<li>That interface connects to more than one subnetwork.</li> <li>That interface connects to more than one subnetwork.</li>
</ol> </ol>
Two examples:<br> Two examples:<br>
<br> <br>
 <b>Example 1</b> -- Suppose that your current config is as follows:<br>  <b>Example 1</b> -- Suppose that your current config is as
   <br> follows:<br>
   <br>
<pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> eth0                    192.168.10.0/24         206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br> [root@gateway test]#</pre> <pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> eth0                    192.168.10.0/24         206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br> [root@gateway test]#</pre>
<blockquote>In this case, the second entry in /etc/shorewall/masq is no longer <blockquote>In this case, the second entry in /etc/shorewall/masq is no longer
required.<br> required.<br>
</blockquote> </blockquote>
<b>Example 2</b>-- What if your current configuration is like <b>Example 2</b>-- What if your current configuration is like
this?<br> this?<br>
<pre> [root@gateway test]# cat /etc/shorewall/masq <br> #INTERFACE              SUBNET                  ADDRESS <br> eth0                    eth2                    206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE <br> [root@gateway test]# ip route show dev eth2 <br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254 <br> [root@gateway test]#</pre> <pre> [root@gateway test]# cat /etc/shorewall/masq <br> #INTERFACE              SUBNET                  ADDRESS <br> eth0                    eth2                    206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE <br> [root@gateway test]# ip route show dev eth2 <br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254 <br> [root@gateway test]#</pre>
<blockquote>In this case, you would want to change the entry in /etc/shorewall/masq <blockquote>In this case, you would want to change the entry in /etc/shorewall/masq
to:<br> to:<br>
</blockquote> </blockquote>
<pre> #INTERFACE              SUBNET                  ADDRESS <br> eth0                    192.168.1.0/24          206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre> <pre> #INTERFACE              SUBNET                  ADDRESS <br> eth0                    192.168.1.0/24          206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<img src="images/BD21298_3.gif" alt="" width="13" height="13"> <img src="images/BD21298_3.gif" alt="" width="13"
    Version 1.3.14 also introduced simplified ICMP echo-request height="13">
(ping) handling. The option OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf     Version 1.3.14 also introduced simplified ICMP echo-request
is used to specify that the old (pre-1.3.14) ping handling is to be (ping) handling. The option OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf
is used to specify that the old (pre-1.3.14) ping handling is to be
used (If the option is not set in your /etc/shorewall/shorewall.conf used (If the option is not set in your /etc/shorewall/shorewall.conf
then OLD_PING_HANDLING=Yes is assumed). I don't plan on supporting the then OLD_PING_HANDLING=Yes is assumed). I don't plan on supporting the
old handling indefinitely so I urge current users to migrate to using old handling indefinitely so I urge current users to migrate to using
@ -272,155 +289,149 @@ the new handling as soon as possible. See the <a href="ping.html">'Ping'
handling documentation</a> for details.<br> handling documentation</a> for details.<br>
<h3>Version 1.3.10</h3> <h3>Version 1.3.10</h3>
If you have installed the 1.3.10 Beta 1 RPM and are now upgrading If you have installed the 1.3.10 Beta 1 RPM and are now upgrading
to version 1.3.10, you will need to use the '--force' option:<br> to version 1.3.10, you will need to use the '--force' option:<br>
<br> <br>
<blockquote> <blockquote>
<pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm </pre> <pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm </pre>
</blockquote> </blockquote>
<h3>Version &gt;= 1.3.9</h3> <h3>Version &gt;= 1.3.9</h3>
The 'functions' file has moved to /usr/lib/shorewall/functions. The 'functions' file has moved to /usr/lib/shorewall/functions.
If you have an application that uses functions from that file, your If you have an application that uses functions from that file, your
application will need to be changed to reflect this change of location.<br> application will need to be changed to reflect this change of location.<br>
<h3>Version &gt;= 1.3.8</h3> <h3>Version &gt;= 1.3.8</h3>
<p>If you have a pair of firewall systems configured for failover <p>If you have a pair of firewall systems configured for failover
or if you have asymmetric routing, you will need to modify or if you have asymmetric routing, you will need to modify
your firewall setup slightly under Shorewall your firewall setup slightly under Shorewall
versions &gt;= 1.3.8. Beginning with version versions &gt;= 1.3.8. Beginning with version 1.3.8,
1.3.8, you must set NEWNOTSYN=Yes in you must set NEWNOTSYN=Yes in your
your /etc/shorewall/shorewall.conf file.</p> /etc/shorewall/shorewall.conf file.</p>
<h3>Version &gt;= 1.3.7</h3> <h3>Version &gt;= 1.3.7</h3>
<p>Users specifying ALLOWRELATED=No in /etc/shorewall.conf <p>Users specifying ALLOWRELATED=No in /etc/shorewall.conf
will need to include the following will need to include the following
rules in their /etc/shorewall/icmpdef rules in their /etc/shorewall/icmpdef file (creating this
file (creating this file if necessary):</p> file if necessary):</p>
<pre> run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT</pre> <pre> run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT</pre>
<p>Users having an /etc/shorewall/icmpdef file may remove the ". /etc/shorewall/icmp.def" <p>Users having an /etc/shorewall/icmpdef file may remove the ". /etc/shorewall/icmp.def"
command from that file since the icmp.def file is now empty.</p> command from that file since the icmp.def file is now empty.</p>
<h3><b><a name="Bering">Upgrading </a>Bering to <h3><b><a name="Bering">Upgrading </a>Bering to Shorewall &gt;= 1.3.3</b></h3>
Shorewall &gt;= 1.3.3</b></h3>
<p>To properly upgrade with Shorewall version <p>To properly upgrade with Shorewall version 1.3.3 and later:</p>
1.3.3 and later:</p>
<ol> <ol>
<li>Be sure you have a backup <li>Be sure you have a
-- you will need to transcribe any backup -- you will need to transcribe
Shorewall configuration changes that any Shorewall configuration changes
you have made to the new configuration.</li> that you have made to the new configuration.</li>
<li>Replace the shorwall.lrp <li>Replace the shorwall.lrp
package provided on the Bering floppy package provided on the Bering floppy
with the later one. If you did not with the later one. If you did not
obtain the later version from Jacques's obtain the later version from Jacques's site, see additional instructions
site, see additional instructions below.</li> below.</li>
<li>Edit the /var/lib/lrpkg/root.exclude.list <li>Edit the /var/lib/lrpkg/root.exclude.list
file and remove the /var/lib/shorewall file and remove the /var/lib/shorewall
entry if present. Then do not forget entry if present. Then do not forget
to backup root.lrp !</li> to backup root.lrp !</li>
</ol> </ol>
<p>The .lrp that I release isn't set up for a two-interface firewall like <p>The .lrp that I release isn't set up for a two-interface firewall like
Jacques's. You need to follow the <a href="two-interface.htm">instructions Jacques's. You need to follow the <a href="two-interface.htm">instructions
for setting up a two-interface firewall</a> plus you also need for setting up a two-interface firewall</a> plus you also need
to add the following two Bering-specific rules to /etc/shorewall/rules:</p> to add the following two Bering-specific rules to /etc/shorewall/rules:</p>
<blockquote> <blockquote>
<pre># Bering specific rules:<br># allow loc to fw udp/53 for dnscache to work<br># allow loc to fw tcp/80 for weblet to work<br>#<br>ACCEPT loc fw udp 53<br>ACCEPT loc fw tcp 80</pre> <pre># Bering specific rules:<br># allow loc to fw udp/53 for dnscache to work<br># allow loc to fw tcp/80 for weblet to work<br>#<br>ACCEPT loc fw udp 53<br>ACCEPT loc fw tcp 80</pre>
</blockquote> </blockquote>
<h3 align="left">Version 1.3.6 and 1.3.7</h3> <h3 align="left">Version 1.3.6 and 1.3.7</h3>
<p align="left">If you have a pair of firewall systems configured for <p align="left">If you have a pair of firewall systems configured for
failover or if you have asymmetric routing, you will need to modify failover or if you have asymmetric routing, you will need to modify
your firewall setup slightly under Shorewall versions your firewall setup slightly under Shorewall versions 1.3.6
1.3.6 and 1.3.7</p> and 1.3.7</p>
<ol> <ol>
<li> <li>
<p align="left">Create the file /etc/shorewall/newnotsyn and in it add <p align="left">Create the file /etc/shorewall/newnotsyn and in it add
the following rule<br> the following rule<br>
<br> <br>
<font face="Courier">run_iptables -A newnotsyn <font face="Courier">run_iptables -A newnotsyn
-j RETURN # So that the connection tracking table can be -j RETURN # So that the connection tracking table can be
rebuilt<br> rebuilt<br>
                                    # from non-SYN                                     # from
packets after takeover.<br> non-SYN packets after takeover.<br>
 </font> </p>  </font> </p>
</li> </li>
<li> <li>
<p align="left">Create /etc/shorewall/common (if you don't already <p align="left">Create /etc/shorewall/common (if you don't already
have that file) and include the following:<br> have that file) and include the following:<br>
<br> <br>
<font face="Courier">run_iptables -A common -p <font face="Courier">run_iptables -A common
tcp --tcp-flags ACK,FIN,RST ACK -j ACCEPT #Accept Acks to -p tcp --tcp-flags ACK,FIN,RST ACK -j ACCEPT #Accept Acks
rebuild connection<br> to rebuild connection<br>
                                                                                                                                       
#tracking table. <br> #tracking table. <br>
. /etc/shorewall/common.def</font> </p> . /etc/shorewall/common.def</font> </p>
</li> </li>
</ol> </ol>
<h3 align="left">Versions &gt;= 1.3.5</h3> <h3 align="left">Versions &gt;= 1.3.5</h3>
<p align="left">Some forms of pre-1.3.0 rules file syntax are no <p align="left">Some forms of pre-1.3.0 rules file syntax are no longer
longer supported. </p> supported. </p>
<p align="left">Example 1:</p> <p align="left">Example 1:</p>
<div align="left"> <div align="left">
<pre> ACCEPT net loc:192.168.1.12:22 tcp 11111 - all</pre> <pre> ACCEPT net loc:192.168.1.12:22 tcp 11111 - all</pre>
</div> </div>
<p align="left">Must be replaced with:</p> <p align="left">Must be replaced with:</p>
<div align="left"> <div align="left">
<pre> DNAT net loc:192.168.1.12:22 tcp 11111</pre> <pre> DNAT net loc:192.168.1.12:22 tcp 11111</pre>
</div> </div>
<div align="left"> <div align="left">
<p align="left">Example 2:</p> <p align="left">Example 2:</p>
</div> </div>
<div align="left"> <div align="left">
<pre> ACCEPT loc fw::3128 tcp 80 - all</pre> <pre> ACCEPT loc fw::3128 tcp 80 - all</pre>
</div> </div>
<div align="left"> <div align="left">
<p align="left">Must be replaced with:</p> <p align="left">Must be replaced with:</p>
</div> </div>
<div align="left"> <div align="left">
<pre> REDIRECT loc 3128 tcp 80</pre> <pre> REDIRECT loc 3128 tcp 80</pre>
</div> </div>
<h3 align="left">Version &gt;= 1.3.2</h3> <h3 align="left">Version &gt;= 1.3.2</h3>
<p align="left">The functions and versions files together with the <p align="left">The functions and versions files together with the 'firewall'
'firewall' symbolic link have moved from /etc/shorewall to /var/lib/shorewall. symbolic link have moved from /etc/shorewall to /var/lib/shorewall.
If you have applications that access these files, those If you have applications that access these files, those applications
applications should be modified accordingly.</p> should be modified accordingly.</p>
<p><font size="2"> Last updated 3/18/2003 - <p><font size="2"> Last updated 4/7/2003 - <a href="support.htm">Tom Eastep</a></font>
<a href="support.htm">Tom Eastep</a></font> </p> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p> </p>
<br>
<br>
<br> <br>
</body> </body>
</html> </html>

2
STABLE/fallback.sh
View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of # shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall. # Shoreline Firewall.
VERSION=1.4.1 VERSION=1.4.2
usage() # $1 = exit status usage() # $1 = exit status
{ {

40
STABLE/firewall
View File

@ -542,6 +542,9 @@ determine_hosts() {
interfaces="$interfaces $interface" interfaces="$interfaces $interface"
fi fi
fi fi
[ "${host#*:}" = "0.0.0.0/0" ] || \
eval ${zone}_is_complex=Yes
done done
eval ${zone}_interfaces="\$interfaces" eval ${zone}_interfaces="\$interfaces"
@ -605,6 +608,10 @@ validate_interfaces_file() {
;; ;;
routefilter|dropunclean|logunclean|blacklist|proxyarp|maclist|-) routefilter|dropunclean|logunclean|blacklist|proxyarp|maclist|-)
;; ;;
routeback)
[ -n "$z" ] || startup_error "The routeback option may not be specified on a multi-zone interface"
eval ${z}_routeback=\"$interface:0.0.0.0/0 \$${z}_routeback\"
;;
*) *)
error_message "Warning: Invalid option ($option) in record \"$r\"" error_message "Warning: Invalid option ($option) in record \"$r\""
;; ;;
@ -635,6 +642,9 @@ validate_hosts_file() {
case $option in case $option in
maclist|-) maclist|-)
;; ;;
routeback)
eval ${z}_routeback=\"$host \$${z}_routeback\"
;;
*) *)
error_message "Warning: Invalid option ($option) in record \"$r\"" error_message "Warning: Invalid option ($option) in record \"$r\""
;; ;;
@ -3185,13 +3195,14 @@ initialize_netfilter () {
setcontinue FORWARD setcontinue FORWARD
setcontinue INPUT setcontinue INPUT
setcontinue OUTPUT setcontinue OUTPUT
# #
# Allow DNS lookups during startup for FQDNs and deep-six INVALID packets # Allow DNS lookups during startup for FQDNs and deep-six INVALID packets
# #
for chain in INPUT OUTPUT FORWARD; do for chain in INPUT OUTPUT FORWARD; do
run_iptables -A $chain -p udp --dport 53 -j ACCEPT run_iptables -A $chain -p udp --dport 53 -j ACCEPT
run_iptables -A $chain -m state --state INVALID -j DROP run_iptables -A $chain -p ! icmp -m state --state INVALID -j DROP
done done
[ -n "$CLAMPMSS" ] && \ [ -n "$CLAMPMSS" ] && \
@ -3661,6 +3672,13 @@ activate_rules()
chain1=`rules_chain $FW $zone` chain1=`rules_chain $FW $zone`
chain2=`rules_chain $zone $FW` chain2=`rules_chain $zone $FW`
eval complex=\$${zone}_is_complex
if [ -n "$complex" ]; then
frwd_chain=${zone}_frwd
createchain $frwd_chain No
fi
echo "$FW $zone $chain1" >> ${STATEDIR}/chains echo "$FW $zone $chain1" >> ${STATEDIR}/chains
echo "$zone $FW $chain2" >> ${STATEDIR}/chains echo "$zone $FW $chain2" >> ${STATEDIR}/chains
@ -3678,6 +3696,8 @@ activate_rules()
run_iptables -A `input_chain $interface` -s $subnet -j $chain2 run_iptables -A `input_chain $interface` -s $subnet -j $chain2
[ -n "$complex" ] && \
run_iptables -A `forward_chain $interface` -s $subnet -j $frwd_chain
done done
for zone1 in $zones; do for zone1 in $zones; do
@ -3692,17 +3712,27 @@ activate_rules()
echo "$zone $zone1 $chain" >> ${STATEDIR}/chains echo "$zone $zone1 $chain" >> ${STATEDIR}/chains
if [ $zone = $zone1 ]; then
eval routeback=\"\$${zone}_routeback\"
else
routeback=
fi
for host in $source_hosts; do for host in $source_hosts; do
interface=${host%:*} interface=${host%:*}
subnet=${host#*:}
chain1=`forward_chain $interface` if [ -n "$complex" ]; then
chain1=$frwd_chain
else
chain1=`forward_chain $interface`
fi
for host1 in $dest_hosts; do for host1 in $dest_hosts; do
interface1=${host1%:*} interface1=${host1%:*}
subnet1=${host1#*:} subnet1=${host1#*:}
if [ "$host" != "$host1" ]; then if [ "$host" != "$host1" ] || list_search $host $routeback; then
run_iptables -A $chain1 -s $subnet -o $interface1 -d $subnet1 -j $chain run_iptables -A $chain1 -o $interface1 -d $subnet1 -j $chain
fi fi
done done
done done

30
STABLE/functions
View File

@ -181,6 +181,34 @@ mutex_off()
rm -f $STATEDIR/lock rm -f $STATEDIR/lock
} }
#
# Read a file and handle "INCLUDE" directives
#
read_file() # $1 = file name, $2 = nest count
{
local first rest
while read first rest; do
if [ "x$first" = "xINCLUDE" ]; then
if [ $2 -lt 4 ]; then
read_file `find_file ${rest%#*}` $(($2 + 1))
else
echo " WARNING: INCLUDE in $1 ignored (nested too deeply)" >&2
fi
else
echo "$first $rest"
fi
done < $1
}
#
# Function for including one file into another
#
INCLUDE() {
. `find_file $@`
}
# #
# Strip comments and blank lines from a file and place the result in the # Strip comments and blank lines from a file and place the result in the
# temporary directory # temporary directory
@ -192,7 +220,7 @@ strip_file() # $1 = Base Name of the file, $2 = Full Name of File (optional)
[ $# = 1 ] && fname=`find_file $1` || fname=$2 [ $# = 1 ] && fname=`find_file $1` || fname=$2
if [ -f $fname ]; then if [ -f $fname ]; then
cut -d'#' -f1 $fname | grep -v '^[[:space:]]*$' > $TMP_DIR/$1 read_file $fname 0 | cut -d'#' -f1 | grep -v '^[[:space:]]*$' > $TMP_DIR/$1
else else
> $TMP_DIR/$1 > $TMP_DIR/$1
fi fi

9
STABLE/hosts
View File

@ -44,6 +44,15 @@
# an ethernet NIC and must be up before # an ethernet NIC and must be up before
# Shorewall is started. # Shorewall is started.
# #
# routeback - Shorewall show set up the infrastructure
# to pass packets from this/these
# address(es) back to themselves. This is
# necessary of hosts in this group use the
# services of a transparent proxy that is
# a member of the group or if DNAT is used
# to send requests originating from this
# group to a server in the group.
#
# #
#ZONE HOST(S) OPTIONS #ZONE HOST(S) OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE

2
STABLE/install.sh
View File

@ -54,7 +54,7 @@
# /etc/rc.d/rc.local file is modified to start the firewall. # /etc/rc.d/rc.local file is modified to start the firewall.
# #
VERSION=1.4.1 VERSION=1.4.2
usage() # $1 = exit status usage() # $1 = exit status
{ {

93
STABLE/releasenotes.txt
View File

@ -1,19 +1,90 @@
This is a minor release of Shorewall. This is a minor release of Shorewall.
This release introduces incompatibilities with prior releases. See Problems Corrected:
http://www.shorewall.net/upgrade_issues.htm.
Changes are: 1) TCP connection requests rejected out of the common chain are now
properly rejected with TCP RST; previously, some of these requests
were rejeced with an ICMP port-unreachable response.
a) There is now a new NONE policy specifiable in 2) 'traceroute -I' from behind the firewall previously timed out on the
/etc/shorewall/policy. This policy will cause Shorewall to assume that first hop (e.g., to the firewall). This has been worked around.
there will never be any traffic between the source and destination
zones.
b) Shorewall no longer creates rules to govern traffic from an New Features:
interface:subnet to itself.
c) Intra-zone traffic is always accepted now (exception is (b) 1) Where an entry in the/etc/shorewall/hosts file specifies a
above).. Intrazone policies and rules are no longer allowed. particular host or network, Shorewall now creates an intermediate
chain for handling input from the related zone. This can
substantially reduce the number of rules traversed by connections
requests from such zones.
2) Any file may include an INCLUDE directive. An INCLUDE directive
consists of the word INCLUDE followed by a file name and causes the
contents of the named file to be logically included into the file
containing the INCLUDE. File names given in an INCLUDE directive
are assumed to reside in /etc/shorewall or in an alternate
configuration directory if one has been specified for the command.
Examples:
shorewall/params.mgmt:
MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3
TIME_SERVERS=4.4.4.4
BACKUP_SERVERS=5.5.5.5
----- end params.mgmt -----
shorewall/params:
# Shorewall 1.3 /etc/shorewall/params
[..]
#######################################
INCLUDE params.mgmt
# params unique to this host here
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
----- end params -----
shorewall/rules.mgmt:
ACCEPT net:$MGMT_SERVERS $FW tcp 22
ACCEPT $FW net:$TIME_SERVERS udp 123
ACCEPT $FW net:$BACKUP_SERVERS tcp 22
----- end rules.mgmt -----
shorewall/rules:
# Shorewall version 1.3 - Rules File
[..]
#######################################
INCLUDE rules.mgmt
# rules unique to this host here
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
----- end rules -----
INCLUDE's may be nested to a level of 3 -- further nested INCLUDE
directives are ignored.
3) Routing traffic from an interface back out that interface continues
to be a problem. While I firmly believe that this should never
happen, people continue to want to do it. To limit the damage that
such nonsense produces, I have added a new 'routeback' option in
/etc/shorewall/interfaces and /etc/shorewall/hosts. When used in
/etc/shorewall/interfaces, the 'ZONE' column may not contain '-'; in
other words, 'routeback' can't be used as an option for a multi-zone
interface. The 'routeback' option CAN be specified however on
individual group entries in /etc/shorewall/hosts.
The 'routeback' option is similar to the old 'multi' option with two
exceptions:
a) The option pertains to a particular zone,interface,address tuple.
b) The option only created infrastructure to pass traffic from
(zone,interface,address) tuples back to themselves (the 'multi'
option affected all (zone,interface,address) tuples associated with
the given 'interface').
See the 'Upgrade Issues' for information about how this new option
may affect your configuration.

4
STABLE/shorewall.spec
View File

@ -1,5 +1,5 @@
%define name shorewall %define name shorewall
%define version 1.4.1 %define version 1.4.2
%define release 1 %define release 1
%define prefix /usr %define prefix /usr
@ -105,6 +105,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog %changelog
* Mon Apr 07 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.2-1
* Fri Mar 21 2003 Tom Eastep <tom@shorewall.net> * Fri Mar 21 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.1-1 - Changed version to 1.4.1-1
* Mon Mar 17 2003 Tom Eastep <tom@shorewall.net> * Mon Mar 17 2003 Tom Eastep <tom@shorewall.net>

2
STABLE/uninstall.sh
View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall # shown below. Simply run this script to remove Seattle Firewall
VERSION=1.4.1 VERSION=1.4.2
usage() # $1 = exit status usage() # $1 = exit status
{ {

4479
Shorewall-docs/Documentation.htm
View File

File diff suppressed because it is too large Load Diff

1803
Shorewall-docs/FAQ.htm
View File

File diff suppressed because it is too large Load Diff

230
Shorewall-docs/Install.htm
View File

@ -15,139 +15,147 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Installation and <h1 align="center"><font color="#ffffff">Shorewall Installation and
Upgrade</font></h1> Upgrade</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p align="center"><b>Before upgrading, be sure to review the <a <p align="center"><b>Before upgrading, be sure to review the <a
href="upgrade_issues.htm">Upgrade Issues</a></b></p> href="upgrade_issues.htm">Upgrade Issues<br>
</a></b></p>
<div align="left"><b>Before attempting installation, I strongly urge you to
read and print a copy of the <a
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
for the configuration that most closely matches your own.</b><br>
</div>
<p><font size="4"><b><a href="#Install_RPM">Install using RPM</a><br> <p><font size="4"><b><a href="#Install_RPM">Install using RPM</a><br>
<a href="#Install_Tarball">Install using tarball<br> <a href="#Install_Tarball">Install using tarball<br>
</a><a href="#LRP">Install the .lrp</a><br> </a><a href="#LRP">Install the .lrp</a><br>
<a href="#Upgrade_RPM">Upgrade using RPM</a><br> <a href="#Upgrade_RPM">Upgrade using RPM</a><br>
<a href="#Upgrade_Tarball">Upgrade using tarball<br> <a href="#Upgrade_Tarball">Upgrade using tarball<br>
</a><a href="#LRP_Upgrade">Upgrade the .lrp</a><br> </a><a href="#LRP_Upgrade">Upgrade the .lrp</a><br>
<a href="#Config_Files">Configuring Shorewall</a><br> <a href="#Config_Files">Configuring Shorewall</a><br>
<a href="fallback.htm">Uninstall/Fallback</a></b></font></p> <a href="fallback.htm">Uninstall/Fallback</a></b></font></p>
<p><a name="Install_RPM"></a>To install Shorewall using the RPM:</p> <p><a name="Install_RPM"></a>To install Shorewall using the RPM:</p>
<p><b>If you have RedHat 7.2 and are running iptables version 1.2.3 (at a <p><b>If you have RedHat 7.2 and are running iptables version 1.2.3 (at a
shell prompt, type "/sbin/iptables --version"), you must upgrade to version shell prompt, type "/sbin/iptables --version"), you must upgrade to version
1.2.4 either from the <a 1.2.4 either from the <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">RedHat update href="http://www.redhat.com/support/errata/RHSA-2001-144.html">RedHat update
site</a> or from the <a href="errata.htm">Shorewall Errata page</a> before site</a> or from the <a href="errata.htm">Shorewall Errata page</a> before
attempting to start Shorewall.</b></p> attempting to start Shorewall.</b></p>
<ul> <ul>
<li>Install the RPM (rpm -ivh &lt;shorewall rpm&gt;).<br> <li>Install the RPM (rpm -ivh &lt;shorewall rpm&gt;).<br>
<br> <br>
<b>Note1: </b>Some SuSE users have encountered a problem whereby <b>Note1: </b>Some SuSE users have encountered a problem whereby
rpm reports a conflict with kernel &lt;= 2.2 even though a 2.4 kernel rpm reports a conflict with kernel &lt;= 2.2 even though a 2.4 kernel
is installed. If this happens, simply use the --nodeps option to rpm is installed. If this happens, simply use the --nodeps option to rpm
(rpm -ivh --nodeps &lt;shorewall rpm&gt;).<br> (rpm -ivh --nodeps &lt;shorewall rpm&gt;).<br>
<br> <br>
<b>Note2: </b>Beginning with Shorewall 1.4.0, Shorewall is dependent <b>Note2: </b>Beginning with Shorewall 1.4.0, Shorewall is dependent
on the iproute package. Unfortunately, some distributions call this package on the iproute package. Unfortunately, some distributions call this package
iproute2 which will cause the installation of Shorewall to fail with the iproute2 which will cause the installation of Shorewall to fail with the
diagnostic:<br> diagnostic:<br>
<br>
     error: failed dependencies:iproute is needed by shorewall-1.4.0-1
<br> <br>
     error: failed dependencies:iproute is needed by shorewall-1.4.0-1 <br>
<br> This may be worked around by using the --nodeps option of rpm (rpm -ivh
<br> --nodeps &lt;shorewall rpm&gt;).<br>
This may be worked around by using the --nodeps option of rpm (rpm -ivh --nodeps <br>
&lt;shorewall rpm&gt;).<br> </li>
<br> <li>Edit the <a href="#Config_Files"> configuration files</a> to
</li> match your configuration. <font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u>
<li>Edit the <a href="#Config_Files"> configuration files</a> to SIMPLY INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
match your configuration. <font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u> IS REQUIRED BEFORE THE FIREWALL WILL START. IF YOU ISSUE A "start" COMMAND
SIMPLY INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION AND THE FIREWALL FAILS TO START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY
IS REQUIRED BEFORE THE FIREWALL WILL START. IF YOU ISSUE A "start" COMMAND NETWORK TRAFFIC. IF THIS HAPPENS, ISSUE A "shorewall clear" COMMAND TO
AND THE FIREWALL FAILS TO START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY RESTORE NETWORK CONNECTIVITY.</b></font></li>
NETWORK TRAFFIC. IF THIS HAPPENS, ISSUE A "shorewall clear" COMMAND TO RESTORE <li>Start the firewall by typing "shorewall start"</li>
NETWORK CONNECTIVITY.</b></font></li>
<li>Start the firewall by typing "shorewall start"</li>
</ul> </ul>
<p><a name="Install_Tarball"></a>To install Shorewall using the tarball <p><a name="Install_Tarball"></a>To install Shorewall using the tarball
and install script: </p> and install script: </p>
<ul> <ul>
<li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li> <li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
<li>cd to the shorewall directory (the version is encoded in the <li>cd to the shorewall directory (the version is encoded in the
directory name as in "shorewall-1.1.10").</li> directory name as in "shorewall-1.1.10").</li>
<li>If you are using <a <li>If you are using <a
href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a
href="http://www.redhat.com">RedHat</a>, <a href="http://www.redhat.com">RedHat</a>, <a
href="http://www.linux-mandrake.com">Mandrake</a>, <a href="http://www.linux-mandrake.com">Mandrake</a>, <a
href="http://www.corel.com">Corel</a>, <a href="http://www.corel.com">Corel</a>, <a
href="http://www.slackware.com/">Slackware</a> or <a href="http://www.slackware.com/">Slackware</a> or <a
href="http://www.debian.org">Debian</a> then type "./install.sh"</li> href="http://www.debian.org">Debian</a> then type "./install.sh"</li>
<li>If you are using <a href="http://www.suse.com">SuSe</a> then <li>If you are using <a href="http://www.suse.com">SuSe</a> then
type "./install.sh /etc/init.d"</li> type "./install.sh /etc/init.d"</li>
<li>If your distribution has directory /etc/rc.d/init.d <li>If your distribution has directory /etc/rc.d/init.d
or /etc/init.d then type "./install.sh"</li> or /etc/init.d then type "./install.sh"</li>
<li>For other distributions, determine where your distribution <li>For other distributions, determine where your distribution
installs init scripts and type "./install.sh &lt;init script installs init scripts and type "./install.sh &lt;init script
directory&gt;</li> directory&gt;</li>
<li>Edit the <a href="#Config_Files"> configuration files</a> to <li>Edit the <a href="#Config_Files"> configuration files</a> to
match your configuration.</li> match your configuration.</li>
<li>Start the firewall by typing "shorewall start"</li> <li>Start the firewall by typing "shorewall start"</li>
<li>If the install script was unable to configure Shorewall to be <li>If the install script was unable to configure Shorewall to
started automatically at boot, see <a be started automatically at boot, see <a
href="starting_and_stopping_shorewall.htm">these instructions</a>.</li> href="starting_and_stopping_shorewall.htm">these instructions</a>.</li>
</ul> </ul>
<p><a name="LRP"></a>To install my version of Shorewall on a fresh Bering <p><a name="LRP"></a>To install my version of Shorewall on a fresh Bering
disk, simply replace the "shorwall.lrp" file on the image with the file that disk, simply replace the "shorwall.lrp" file on the image with the file
you downloaded. See the <a href="two-interface.htm">two-interface QuickStart that you downloaded. See the <a href="two-interface.htm">two-interface QuickStart
Guide</a> for information about further steps required.</p> Guide</a> for information about further steps required.</p>
<p><a name="Upgrade_RPM"></a>If you already have the Shorewall RPM installed <p><a name="Upgrade_RPM"></a>If you already have the Shorewall RPM installed
and are upgrading to a new version:</p> and are upgrading to a new version:</p>
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.4 version <p>If you are upgrading from a 1.2 version of Shorewall to a 1.4 version
or and you have entries in the /etc/shorewall/hosts file then please check or and you have entries in the /etc/shorewall/hosts file then please check
your /etc/shorewall/interfaces file to be sure that it contains an entry your /etc/shorewall/interfaces file to be sure that it contains an entry
for each interface mentioned in the hosts file. Also, there are certain for each interface mentioned in the hosts file. Also, there are certain
1.2 rule forms that are no longer supported under 1.4 (you must use the new 1.2 rule forms that are no longer supported under 1.4 (you must use the
1.4 syntax). See <a href="errata.htm#Upgrade">the upgrade issues </a>for details.</p> new 1.4 syntax). See <a href="errata.htm#Upgrade">the upgrade issues </a>for
details.</p>
<ul> <ul>
<li>Upgrade the RPM (rpm -Uvh &lt;shorewall rpm file&gt;) <b>Note: <li>Upgrade the RPM (rpm -Uvh &lt;shorewall rpm file&gt;) <b>Note:
</b>If you are installing version 1.2.0 and have one of the 1.2.0 </b>If you are installing version 1.2.0 and have one of the 1.2.0
Beta RPMs installed, you must use the "--oldpackage" option to rpm (e.g., Beta RPMs installed, you must use the "--oldpackage" option to rpm
"rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm"). (e.g., "rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm").
<p> <b>Note1: </b>Some SuSE users have encountered a problem whereby <p> <b>Note1: </b>Some SuSE users have encountered a problem whereby
rpm reports a conflict with kernel &lt;= 2.2 even though a 2.4 kernel rpm reports a conflict with kernel &lt;= 2.2 even though a 2.4 kernel
is installed. If this happens, simply use the --nodeps option to rpm (rpm is installed. If this happens, simply use the --nodeps option to rpm
-Uvh --nodeps &lt;shorewall rpm&gt;).<br> (rpm -Uvh --nodeps &lt;shorewall rpm&gt;).<br>
<br> <br>
<b>Note2: </b>Beginning with Shorewall 1.4.0, Shorewall is dependent on <b>Note2: </b>Beginning with Shorewall 1.4.0, Shorewall is dependent
the iproute package. Unfortunately, some distributions call this package iproute2 on the iproute package. Unfortunately, some distributions call this package
which will cause the upgrade of Shorewall to fail with the diagnostic:<br> iproute2 which will cause the upgrade of Shorewall to fail with the diagnostic:<br>
<br> <br>
     error: failed dependencies:iproute is needed by shorewall-1.4.0-1      error: failed dependencies:iproute is needed by shorewall-1.4.0-1
<br> <br>
<br> <br>
This may be worked around by using the --nodeps option of rpm (rpm -Uvh This may be worked around by using the --nodeps option of rpm (rpm -Uvh
--nodeps &lt;shorewall rpm&gt;). </p> --nodeps &lt;shorewall rpm&gt;). </p>
</li> </li>
<li>See if there are any incompatibilities between your configuration <li>See if there are any incompatibilities between your configuration
and the new Shorewall version (type "shorewall check") and correct as and the new Shorewall version (type "shorewall check") and correct as
necessary.</li> necessary.</li>
<li>Restart the firewall (shorewall restart).</li> <li>Restart the firewall (shorewall restart).</li>
</ul> </ul>
@ -163,50 +171,52 @@ rule forms that are no longer supported under 1.4 (you must use the new
details. </p> details. </p>
<ul> <ul>
<li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li> <li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
<li>cd to the shorewall directory (the version is encoded in the <li>cd to the shorewall directory (the version is encoded in the
directory name as in "shorewall-3.0.1").</li> directory name as in "shorewall-3.0.1").</li>
<li>If you are using <a <li>If you are using <a
href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a
href="http://www.redhat.com">RedHat</a>, <a href="http://www.redhat.com">RedHat</a>, <a
href="http://www.linux-mandrake.com">Mandrake</a>, <a href="http://www.linux-mandrake.com">Mandrake</a>, <a
href="http://www.corel.com">Corel</a>, <a href="http://www.corel.com">Corel</a>, <a
href="http://www.slackware.com/">Slackware</a> or <a href="http://www.slackware.com/">Slackware</a> or <a
href="http://www.debian.org">Debian</a> then type "./install.sh"</li> href="http://www.debian.org">Debian</a> then type "./install.sh"</li>
<li>If you are using<a href="http://www.suse.com"> SuSe</a> then <li>If you are using<a href="http://www.suse.com"> SuSe</a> then
type "./install.sh /etc/init.d"</li> type "./install.sh /etc/init.d"</li>
<li>If your distribution has directory /etc/rc.d/init.d <li>If your distribution has directory /etc/rc.d/init.d
or /etc/init.d then type "./install.sh"</li> or /etc/init.d then type "./install.sh"</li>
<li>For other distributions, determine where your distribution <li>For other distributions, determine where your distribution
installs init scripts and type "./install.sh &lt;init script installs init scripts and type "./install.sh &lt;init script
directory&gt;</li> directory&gt;</li>
<li>See if there are any incompatibilities between your configuration <li>See if there are any incompatibilities between your configuration
and the new Shorewall version (type "shorewall check") and correct as and the new Shorewall version (type "shorewall check") and correct as
necessary.</li> necessary.</li>
<li>Restart the firewall by typing "shorewall restart"</li> <li>Restart the firewall by typing "shorewall restart"</li>
</ul> </ul>
<a name="LRP_Upgrade"></a>If you already have a running Bering <a name="LRP_Upgrade"></a>If you already have a running Bering
installation and wish to upgrade to a later version of Shorewall:<br> installation and wish to upgrade to a later version of Shorewall:<br>
<br> <br>
    <b>UNDER CONSTRUCTION...</b><br>     <b>UNDER CONSTRUCTION...</b><br>
<h3><a name="Config_Files"></a>Configuring Shorewall</h3> <h3><a name="Config_Files"></a>Configuring Shorewall</h3>
<p>You will need to edit some or all of the configuration files to match <p>You will need to edit some or all of the configuration files to match
your setup. In most cases, the <a href="shorewall_quickstart_guide.htm">Shorewall your setup. In most cases, the <a href="shorewall_quickstart_guide.htm">Shorewall
QuickStart Guides</a> contain all of the information you need.</p> QuickStart Guides</a> contain all of the information you need.</p>
<ul> <ul>
</ul> </ul>
<p><font size="2">Updated 3/18/2003 - <a href="support.htm">Tom Eastep</a> <p><font size="2">Updated 4/8/2003 - <a href="support.htm">Tom Eastep</a>
</font></p> </font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></p> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></p>
<br>
<br> <br>
<br>
<br> <br>
<br> <br>
<br> <br>

91
Shorewall-docs/NAT.htm
View File

@ -16,12 +16,12 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Static NAT</font></h1> <h1 align="center"><font color="#ffffff">Static NAT</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
@ -29,7 +29,7 @@
<p><font color="#ff0000"><b>IMPORTANT: If all you want to do is forward <p><font color="#ff0000"><b>IMPORTANT: If all you want to do is forward
ports to servers behind your firewall, you do NOT want to use static ports to servers behind your firewall, you do NOT want to use static
NAT. Port forwarding can be accomplished with simple entries in the NAT. Port forwarding can be accomplished with simple entries in the
<a href="Documentation.htm#Rules">rules file</a>.</b></font></p> <a href="Documentation.htm#Rules">rules file</a>.</b></font></p>
<p>Static NAT is a way to make systems behind a firewall and configured <p>Static NAT is a way to make systems behind a firewall and configured
with private IP addresses (those reserved for private use in RFC1918) with private IP addresses (those reserved for private use in RFC1918)
@ -41,40 +41,39 @@ I strongly recommend that you read the <a
<p align="center"><strong> <img src="images/staticnat.png" <p align="center"><strong> <img src="images/staticnat.png"
width="435" height="397"> width="435" height="397">
</strong></p> </strong></p>
<blockquote> </blockquote> <blockquote> </blockquote>
<p align="left">Static NAT can be used to make the systems with the <p align="left">Static NAT can be used to make the systems with the 10.1.1.*
10.1.1.* addresses appear to be on the upper (130.252.100.*) subnet. If addresses appear to be on the upper (130.252.100.*) subnet. If we assume
we assume that the interface to the upper subnet is eth0, then the following that the interface to the upper subnet is eth0, then the following /etc/shorewall/NAT
/etc/shorewall/NAT file would make the lower left-hand system appear file would make the lower left-hand system appear to have IP address
to have IP address 130.252.100.18 and the right-hand one to have IP address 130.252.100.18 and the right-hand one to have IP address 130.252.100.19.</p>
130.252.100.19.</p>
<table border="2" cellpadding="2" style="border-collapse: collapse;"> <table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody> <tbody>
<tr>
<td><b>EXTERNAL</b></td>
<td><b>INTERFACE</b></td>
<td><b>INTERNAL</b></td>
<td><b>ALL INTERFACES</b></td>
<td><b>LOCAL</b></td>
</tr>
<tr> <tr>
<td>130.252.100.18</td> <td><b>EXTERNAL</b></td>
<td>eth0</td> <td><b>INTERFACE</b></td>
<td>10.1.1.2</td> <td><b>INTERNAL</b></td>
<td>yes</td> <td><b>ALL INTERFACES</b></td>
<td>yes</td> <td><b>LOCAL</b></td>
</tr> </tr>
<tr> <tr>
<td>130.252.100.19</td> <td>130.252.100.18</td>
<td>eth0</td> <td>eth0</td>
<td>10.1.1.3</td> <td>10.1.1.2</td>
<td>yes</td> <td>yes</td>
<td>yes</td> <td>yes</td>
</tr> </tr>
<tr>
<td>130.252.100.19</td>
<td>eth0</td>
<td>10.1.1.3</td>
<td>yes</td>
<td>yes</td>
</tr>
</tbody> </tbody>
</table> </table>
@ -83,18 +82,21 @@ to have IP address 130.252.100.18 and the right-hand one to have IP address
example) is (are) not included in any specification in /etc/shorewall/masq example) is (are) not included in any specification in /etc/shorewall/masq
or /etc/shorewall/proxyarp.</p> or /etc/shorewall/proxyarp.</p>
<p><a name="AllInterFaces"></a>Note 1: The "ALL INTERFACES" column <p><a name="AllInterFaces"></a>Note 1: The "ALL INTERFACES" column is used
is used to specify whether access to the external IP from all firewall to specify whether access to the external IP from all firewall interfaces
interfaces should undergo NAT (Yes or yes) or if only access from the should undergo NAT (Yes or yes) or if only access from the interface in
interface in the INTERFACE column should undergo NAT. If you leave this the INTERFACE column should undergo NAT. If you leave this column empty,
column empty, "Yes" is assumed. The ALL INTERFACES column was added "Yes" is assumed. The ALL INTERFACES column was added in version 1.1.6.</p>
in version 1.1.6.</p>
<p>Note 2: Shorewall will automatically add the external address to the <p>Note 2: Shorewall will automatically add the external address to the
specified interface unless you specify <a specified interface unless you specify <a
href="Documentation.htm#Aliases">ADD_IP_ALIASES</a>="no" (or "No") in href="Documentation.htm#Aliases">ADD_IP_ALIASES</a>="no" (or "No") in
/etc/shorewall/shorewall.conf; If you do not set ADD_IP_ALIASES or if /etc/shorewall/shorewall.conf; If you do not set ADD_IP_ALIASES or if
you set it to "Yes" or "yes" then you must NOT configure your own alias(es).</p> you set it to "Yes" or "yes" then you must NOT configure your own alias(es).
<b>RESTRICTION: </b>Shorewall can only add external addresses to an interface
that is configured with a single subnetwork -- if your external interface
has addresses in more than one subnetwork, Shorewall can only add addresses
to the first one.</p>
<p><a name="LocalPackets"></a>Note 3: The contents of the "LOCAL" column <p><a name="LocalPackets"></a>Note 3: The contents of the "LOCAL" column
determine whether packets originating on the firewall itself and destined determine whether packets originating on the firewall itself and destined
@ -102,13 +104,14 @@ for the EXTERNAL address are redirected to the internal ADDRESS. If this
column contains "yes" or "Yes" (and the ALL INTERFACES COLUMN also contains column contains "yes" or "Yes" (and the ALL INTERFACES COLUMN also contains
"Yes" or "yes") then such packets are redirected; otherwise, such packets "Yes" or "yes") then such packets are redirected; otherwise, such packets
are not redirected. The LOCAL column was added in version 1.1.8.</p> are not redirected. The LOCAL column was added in version 1.1.8.</p>
</blockquote> </blockquote>
<blockquote> </blockquote> <blockquote> </blockquote>
<p><font size="2">Last updated 1/11/2003 - </font><font size="2"> <a <p><font size="2">Last updated 4/11/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p> href="support.htm">Tom Eastep</a></font> </p>
<a href="copyright.htm"><font size="2">Copyright</font> © <font <a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
<br>
</body> </body>
</html> </html>

2585
Shorewall-docs/News.htm
View File

File diff suppressed because it is too large Load Diff

687
Shorewall-docs/Shorewall_Squid_Usage.html
View File

@ -12,484 +12,507 @@
<table cellpadding="0" cellspacing="0" border="0" width="100%" <table cellpadding="0" cellspacing="0" border="0" width="100%"
bgcolor="#400169"> bgcolor="#400169">
<tbody> <tbody>
<tr> <tr>
<td valign="middle" width="33%" bgcolor="#400169"><a <td valign="middle" width="33%" bgcolor="#400169"><a
href="http://www.squid-cache.org/"><img src="images/squidnow.gif" href="http://www.squid-cache.org/"><img src="images/squidnow.gif"
alt="" width="88" height="31" hspace="4"> alt="" width="88" height="31" hspace="4">
</a><br> </a><br>
</td> </td>
<td valign="middle" height="90" align="center" width="34%"><font <td valign="middle" height="90" align="center" width="34%"><font
color="#ffffff"><b><big><big><big><big>Using Shorewall with Squid</big></big></big></big></b></font><br> color="#ffffff"><b><big><big><big><big>Using Shorewall with Squid</big></big></big></big></b></font><br>
</td> </td>
<td valign="middle" height="90" width="33%" align="right"><a <td valign="middle" height="90" width="33%" align="right"><a
href="http://www.squid-cache.org/"><img src="images/cache_now.gif" href="http://www.squid-cache.org/"><img src="images/cache_now.gif"
alt="" width="100" height="31" hspace="4"> alt="" width="100" height="31" hspace="4">
</a><br> </a><br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br> <br>
This page covers Shorewall configuration to use with <a This page covers Shorewall configuration to use with <a
href="http://www.squid-cache.org/">Squid </a>running as a <u><b>Transparent href="http://www.squid-cache.org/">Squid </a>running as a <u><b>Transparent
Proxy</b></u>.&nbsp;<br> Proxy</b></u>. If you are running Shorewall 1.3, please see <a
<a href="#DMZ"></a><br> href="1.3/Shorewall_Squid_Usage.html">this documentation</a>.<br>
<img border="0" src="images/j0213519.gif" width="60" height="60" <a href="#DMZ"></a><br>
alt="Caution" align="middle"> <img border="0" src="images/j0213519.gif" width="60"
&nbsp;&nbsp;&nbsp; Please observe the following general requirements:<br> height="60" alt="Caution" align="middle">
<br> &nbsp;&nbsp;&nbsp; Please observe the following general requirements:<br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13"> <br>
&nbsp;&nbsp;&nbsp; </b>In all cases, Squid should be configured to <b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
run as a transparent proxy as described at <a &nbsp;&nbsp;&nbsp; </b>In all cases, Squid should be configured to
run as a transparent proxy as described at <a
href="http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html">http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html</a>.<br> href="http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html">http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html</a>.<br>
<b><br> <b><br>
</b><b><img src="images/BD21298_3.gif" alt="" width="13" </b><b><img src="images/BD21298_3.gif" alt="" width="13"
height="13"> height="13">
&nbsp;&nbsp;&nbsp; </b>The following instructions mention the files &nbsp;&nbsp;&nbsp; </b>The following instructions mention the files
/etc/shorewall/start and /etc/shorewall/init -- if you don't have those /etc/shorewall/start and /etc/shorewall/init -- if you don't have those
files, siimply create them.<br> files, siimply create them.<br>
<br> <br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13"> <b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
</b>&nbsp;&nbsp;&nbsp; When the Squid server is in the DMZ zone or </b>&nbsp;&nbsp;&nbsp; When the Squid server is in the DMZ zone
in the local zone, that zone must be defined ONLY by its interface -- no or in the local zone, that zone must be defined ONLY by its interface
/etc/shorewall/hosts file entries. That is because the packets being routed -- no /etc/shorewall/hosts file entries. That is because the packets being
to the Squid server still have their original destination IP addresses.<br> routed to the Squid server still have their original destination IP addresses.<br>
<br> <br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13"> <b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
</b>&nbsp;&nbsp;&nbsp; You must have iptables installed on your Squid </b>&nbsp;&nbsp;&nbsp; You must have iptables installed on your
server.<br> Squid server.<br>
<br> <br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13"> <b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
</b>&nbsp;&nbsp;&nbsp; You must have NAT and MANGLE enabled in your </b>&nbsp;&nbsp;&nbsp; You must have NAT and MANGLE enabled in your
/etc/shorewall/conf file<br> /etc/shorewall/conf file<br>
<br> <br>
&nbsp;&nbsp;&nbsp; <b><font color="#009900">&nbsp;&nbsp;&nbsp; NAT_ENABLED=Yes<br> &nbsp;&nbsp;&nbsp; <b><font color="#009900">&nbsp;&nbsp;&nbsp; NAT_ENABLED=Yes<br>
</font></b>&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; <font </font></b>&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; <font
color="#009900"><b>MANGLE_ENABLED=Yes</b></font><br> color="#009900"><b>MANGLE_ENABLED=Yes</b></font><br>
<br> <br>
Three different configurations are covered:<br> Three different configurations are covered:<br>
<ol> <ol>
<li><a href="Shorewall_Squid_Usage.html#Firewall">Squid running on <li><a href="Shorewall_Squid_Usage.html#Firewall">Squid running
the Firewall.</a></li> on the Firewall.</a></li>
<li><a href="Shorewall_Squid_Usage.html#Local">Squid running in the <li><a href="Shorewall_Squid_Usage.html#Local">Squid running in
local network</a></li> the local network</a></li>
<li><a href="Shorewall_Squid_Usage.html#DMZ">Squid running in the <li><a href="Shorewall_Squid_Usage.html#DMZ">Squid running in the
DMZ</a></li> DMZ</a></li>
</ol> </ol>
<h2><a name="Firewall"></a>Squid Running on the Firewall</h2> <h2><a name="Firewall"></a>Squid Running on the Firewall</h2>
You want to redirect all local www connection requests You want to redirect all local www connection requests EXCEPT
EXCEPT those to your those to your own
own http server (206.124.146.177) http server (206.124.146.177)
to a Squid transparent to a Squid
proxy running on the firewall and listening on port 3128. Squid transparent proxy running on the firewall and listening on port
will of course require access to remote web servers.<br> 3128. Squid will of course require access to remote web servers.<br>
<br> <br>
In /etc/shorewall/rules:<br> In /etc/shorewall/rules:<br>
<br> <br>
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"> <table border="1" cellpadding="2" style="border-collapse: collapse;">
<tbody> <tbody>
<tr>
<tr> <td><b>ACTION</b></td>
<td><b>ACTION</b></td> <td><b>SOURCE</b></td>
<td><b>SOURCE</b></td> <td><b>DEST</b></td>
<td><b>DEST</b></td> <td><b> PROTO</b></td>
<td><b> PROTO</b></td> <td><b>DEST<br>
<td><b>DEST<br> PORT(S)</b></td>
PORT(S)</b></td> <td><b>SOURCE<br>
<td><b>SOURCE<br> PORT(S)</b></td>
PORT(S)</b></td> <td><b>ORIGINAL<br>
<td><b>ORIGINAL<br> DEST</b></td>
DEST</b></td> </tr>
<tr>
</tr> <td>REDIRECT</td>
<tr> <td>loc</td>
<td>REDIRECT</td> <td>3128</td>
<td>loc</td> <td>tcp</td>
<td>3128</td> <td>www</td>
<td>tcp</td> <td> -<br>
<td>www</td> </td>
<td> -<br> <td>!206.124.146.177</td>
</td> </tr>
<td>!206.124.146.177</td> <tr>
</tr> <td>ACCEPT</td>
<tr> <td>fw</td>
<td>ACCEPT</td> <td>net</td>
<td>fw</td> <td>tcp</td>
<td>net</td> <td>www</td>
<td>tcp</td> <td> <br>
<td>www</td> </td>
<td> <br> <td> <br>
</td> </td>
<td> <br> </tr>
</td>
</tr>
</tbody> </tbody>
</table> </table>
<br> <br>
</blockquote> </blockquote>
<h2><a name="Local"></a>Squid Running in the local network</h2> <h2><a name="Local"></a>Squid Running in the local network</h2>
You want to redirect all local www connection requests to a Squid You want to redirect all local www connection requests to a Squid
transparent proxy transparent proxy
running in your local zone at 192.168.1.3 and listening on port 3128. running in your local zone at 192.168.1.3 and listening on port 3128.
Your local interface is eth1. There may also be a web server running on Your local interface is eth1. There may also be a web server running
192.168.1.3. It is assumed that web access is already enabled from the local on 192.168.1.3. It is assumed that web access is already enabled from the
zone to the internet.<br> local zone to the internet.<br>
<p><font color="#ff0000"><b>WARNING: </b></font>This setup may conflict with <p><font color="#ff0000"><b>WARNING: </b></font>This setup may conflict with
other aspects of your gateway including but not limited to traffic shaping other aspects of your gateway including but not limited to traffic shaping
and route redirection. For that reason, <b>I don't recommend it</b>.<br> and route redirection. For that reason, <b>I don't recommend it</b>.<br>
</p> </p>
<ul> <ul>
<li>On your firewall system, issue the following command<br> <li>On your firewall system, issue the following command<br>
</li> </li>
</ul> </ul>
<blockquote> <blockquote>
<pre><b><font color="#009900">echo 202 www.out &gt;&gt; /etc/iproute2/rt_tables</font></b><br></pre> <pre><b><font color="#009900">echo 202 www.out &gt;&gt; /etc/iproute2/rt_tables</font></b><br></pre>
</blockquote> </blockquote>
<ul> <ul>
<li>In /etc/shorewall/init, put:<br> <li>In /etc/shorewall/init, put:<br>
</li> </li>
</ul> </ul>
<blockquote> <blockquote>
<pre><b><font color="#009900">if [ -z "`ip rule list | grep www.out`" ] ; then<br> ip rule add fwmark 202 table www.out<br> ip route add default via 192.168.1.3 dev eth1 table www.out<br> ip route flush cache<br> echo 0 &gt; /proc/sys/net/ipv4/conf/eth1/send_redirects<br>fi<br></font></b></pre> <pre><b><font color="#009900">if [ -z "`ip rule list | grep www.out`" ] ; then<br> ip rule add fwmark 202 table www.out<br> ip route add default via 192.168.1.3 dev eth1 table www.out<br> ip route flush cache<br> echo 0 &gt; /proc/sys/net/ipv4/conf/eth1/send_redirects<br>fi<br></font></b></pre>
</blockquote> </blockquote>
<ul> <ul>
<li>In /etc/shorewall/rules:<br> <li>If you are running Shorewall 1.4.1 or Shorewall 1.4.1a, please
<br> upgrade to Shorewall 1.4.2 or later.<br>
<br>
<table border="1" cellpadding="2" style="border-collapse: collapse;"> </li>
<tbody> <li>If you are running Shorewall 1.4.2 or later, then in /etc/shorewall/interfaces:<br>
<br>
<tr>
<td><b>ACTION</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b> PROTO</b></td>
<td><b>DEST<br>
PORT(S)</b></td>
<td><b>SOURCE<br>
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
</tr>
<tr>
<td>ACCEPT<br>
</td>
<td>loc</td>
<td>loc<br>
</td>
<td>tcp</td>
<td>www</td>
<td> <br>
</td>
<td><br>
</td>
</tr>
</tbody>
</table>
<br>
</li>
<li>Alternativfely, you can have the following policy:<br>
<br>
<table cellpadding="2" cellspacing="0" border="1"> <table cellpadding="2" cellspacing="0" border="1">
<tbody> <tbody>
<tr> <tr>
<td valign="top"><b>SOURCE<br> <td valign="top">ZONE<br>
</b></td> </td>
<td valign="top"><b>DESTINATION<br> <td valign="top">INTERFACE<br>
</b></td> </td>
<td valign="top"><b>POLICY<br> <td valign="top">BROADCAST<br>
</b></td> </td>
<td valign="top"><b>LOG LEVEL<br> <td valign="top">OPTIONS<br>
</b></td> </td>
<td valign="top"><b>BURST PARAMETERS<br> </tr>
</b></td> <tr>
</tr> <td valign="top">loc<br>
<tr> </td>
<td valign="top">loc<br> <td valign="top">eth1<br>
</td> </td>
<td valign="top">loc<br> <td valign="top">detect<br>
</td> </td>
<td valign="top">ACCEPT<br> <td valign="top"><b>routeback</b><br>
</td> </td>
<td valign="top"><br> </tr>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody> </tbody>
</table> </table>
<br> <br>
</li> </li>
<li>In /etc/shorewall/start add:<br> <li>In /etc/shorewall/rules:<br>
<br>
<table border="1" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>ACTION</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b> PROTO</b></td>
<td><b>DEST<br>
PORT(S)</b></td>
<td><b>SOURCE<br>
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
</tr>
<tr>
<td>ACCEPT<br>
</td>
<td>loc</td>
<td>loc<br>
</td>
<td>tcp</td>
<td>www</td>
<td> <br>
</td>
<td><br>
</td>
</tr>
</tbody>
</table>
</li>
<br>
<li>Alternativfely, if you are running Shorewall 1.4.0 you can have the
following policy in place of the above rule:<br>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>SOURCE<br>
</b></td>
<td valign="top"><b>DESTINATION<br>
</b></td>
<td valign="top"><b>POLICY<br>
</b></td>
<td valign="top"><b>LOG LEVEL<br>
</b></td>
<td valign="top"><b>BURST PARAMETERS<br>
</b></td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">loc<br>
</td>
<td valign="top">ACCEPT<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</li> </li>
<li>In /etc/shorewall/start add:<br>
</li>
</ul> </ul>
<blockquote> <blockquote>
<pre><font color="#009900"><b>iptables -t mangle -A PREROUTING -i eth1 -s ! 192.168.1.3 -p tcp --dport 80 -j MARK --set-mark 202</b></font><br></pre> <pre><font color="#009900"><b>iptables -t mangle -A PREROUTING -i eth1 -s ! 192.168.1.3 -p tcp --dport 80 -j MARK --set-mark 202</b></font><br></pre>
</blockquote> </blockquote>
<ul> <ul>
<li>On 192.168.1.3, arrange for the following command to be executed <li>On 192.168.1.3, arrange for the following command to be executed
after networking has come up<br> after networking has come up<br>
<pre><b><font color="#009900">iptables -t nat -A PREROUTING -i eth0 -d ! 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 3128</font></b><br></pre> <pre><b><font color="#009900">iptables -t nat -A PREROUTING -i eth0 -d ! 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 3128</font></b><br></pre>
</li> </li>
</ul> </ul>
<blockquote> If you are running RedHat on the server, you can simply execute <blockquote> If you are running RedHat on the server, you can simply execute
the following commands after you have typed the iptables command above:<br> the following commands after you have typed the iptables command above:<br>
</blockquote> </blockquote>
<blockquote> <blockquote>
<blockquote> </blockquote> <blockquote> </blockquote>
<pre><font color="#009900"><b>iptables-save &gt; /etc/sysconfig/iptables</b></font><font <pre><font color="#009900"><b>iptables-save &gt; /etc/sysconfig/iptables</b></font><font
color="#009900"><b><br>chkconfig --level 35 iptables start<br></b></font></pre> color="#009900"><b><br>chkconfig --level 35 iptables start<br></b></font></pre>
</blockquote> </blockquote>
<blockquote> </blockquote> <blockquote> </blockquote>
<h2><a name="DMZ"></a>Squid Running in the DMZ (This is what I do)</h2> <h2><a name="DMZ"></a>Squid Running in the DMZ (This is what I do)</h2>
You have a single Linux system in your DMZ with IP address 192.0.2.177. You have a single Linux system in your DMZ with IP address 192.0.2.177.
You want to run both a web server and Squid on that system. Your DMZ interface You want to run both a web server and Squid on that system. Your DMZ
is eth1 and your local interface is eth2.<br> interface is eth1 and your local interface is eth2.<br>
<ul> <ul>
<li>On your firewall system, issue the following command<br> <li>On your firewall system, issue the following command<br>
</li> </li>
</ul> </ul>
<blockquote> <blockquote>
<pre><font color="#009900"><b>echo 202 www.out &gt;&gt; /etc/iproute2/rt_tables</b></font><br></pre> <pre><font color="#009900"><b>echo 202 www.out &gt;&gt; /etc/iproute2/rt_tables</b></font><br></pre>
</blockquote> </blockquote>
<ul> <ul>
<li>In /etc/shorewall/init, put:<br> <li>In /etc/shorewall/init, put:<br>
</li> </li>
</ul> </ul>
<blockquote> <blockquote>
<pre><font color="#009900"><b>if [ -z "`ip rule list | grep www.out`" ] ; then<br> ip rule add fwmark 202 table www.out<br> ip route add default via 192.0.2.177 dev eth1 table www.out<br> ip route flush cache<br>fi</b></font><br></pre> <pre><font color="#009900"><b>if [ -z "`ip rule list | grep www.out`" ] ; then<br> ip rule add fwmark 202 table www.out<br> ip route add default via 192.0.2.177 dev eth1 table www.out<br> ip route flush cache<br>fi</b></font><br></pre>
</blockquote> </blockquote>
<ul> <ul>
<li>&nbsp;Do<b> one </b>of the following:<br> <li>&nbsp;Do<b> one </b>of the following:<br>
<br> <br>
A) In /etc/shorewall/start add<br> A) In /etc/shorewall/start add<br>
</li> </li>
</ul> </ul>
<blockquote> <blockquote>
<pre><b><font color="#009900"> iptables -t mangle -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK --set-mark 202</font></b><br></pre> <pre><b><font color="#009900"> iptables -t mangle -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK --set-mark 202</font></b><br></pre>
</blockquote> </blockquote>
<blockquote>B) Set MARK_IN_FORWARD_CHAIN=No in /etc/shorewall/shorewall.conf <blockquote>B) Set MARK_IN_FORWARD_CHAIN=No in /etc/shorewall/shorewall.conf
and add the following entry in /etc/shorewall/tcrules:<br> and add the following entry in /etc/shorewall/tcrules:<br>
</blockquote>
<blockquote>
<blockquote>
<table cellpadding="2" border="1" cellspacing="0">
<tbody>
<tr>
<td valign="top">MARK<br>
</td>
<td valign="top">SOURCE<br>
</td>
<td valign="top">DESTINATION<br>
</td>
<td valign="top">PROTOCOL<br>
</td>
<td valign="top">PORT<br>
</td>
<td valign="top">CLIENT PORT<br>
</td>
</tr>
<tr>
<td valign="top">202<br>
</td>
<td valign="top">eth2<br>
</td>
<td valign="top">0.0.0.0/0<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">80<br>
</td>
<td valign="top">-<br>
</td>
</tr>
</tbody>
</table>
</blockquote> </blockquote>
C) Run Shorewall 1.3.14 or later and add the following entry in /etc/shorewall/tcrules:<br>
</blockquote>
<blockquote> <blockquote>
<blockquote> <blockquote>
<table cellpadding="2" border="1" cellspacing="0"> <table cellpadding="2" border="1" cellspacing="0">
<tbody> <tbody>
<tr> <tr>
<td valign="top">MARK<br> <td valign="top">MARK<br>
</td> </td>
<td valign="top">SOURCE<br> <td valign="top">SOURCE<br>
</td> </td>
<td valign="top">DESTINATION<br> <td valign="top">DESTINATION<br>
</td> </td>
<td valign="top">PROTOCOL<br> <td valign="top">PROTOCOL<br>
</td> </td>
<td valign="top">PORT<br> <td valign="top">PORT<br>
</td> </td>
<td valign="top">CLIENT PORT<br> <td valign="top">CLIENT PORT<br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top">202:P<br> <td valign="top">202<br>
</td> </td>
<td valign="top">eth2<br> <td valign="top">eth2<br>
</td> </td>
<td valign="top">0.0.0.0/0<br> <td valign="top">0.0.0.0/0<br>
</td> </td>
<td valign="top">tcp<br> <td valign="top">tcp<br>
</td> </td>
<td valign="top">80<br> <td valign="top">80<br>
</td> </td>
<td valign="top">-<br> <td valign="top">-<br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
<br> C) Run Shorewall 1.3.14 or later and add the following entry in /etc/shorewall/tcrules:<br>
</blockquote> </blockquote>
<ul>
<li>In /etc/shorewall/rules, you will need:</li>
</ul>
<blockquote> <blockquote>
<table cellpadding="2" border="1" cellspacing="0"> <blockquote>
<table cellpadding="2" border="1" cellspacing="0">
<tbody> <tbody>
<tr> <tr>
<td valign="top">ACTION<br> <td valign="top">MARK<br>
</td> </td>
<td valign="top">SOURCE<br> <td valign="top">SOURCE<br>
</td> </td>
<td valign="top">DEST<br> <td valign="top">DESTINATION<br>
</td> </td>
<td valign="top">PROTO<br> <td valign="top">PROTOCOL<br>
</td> </td>
<td valign="top">DEST<br> <td valign="top">PORT<br>
PORT(S)<br>
</td> </td>
<td valign="top">CLIENT<br> <td valign="top">CLIENT PORT<br>
PORT(2)<br>
</td>
<td valign="top">ORIGINAL<br>
DEST<br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top">ACCEPT<br> <td valign="top">202:P<br>
</td> </td>
<td valign="top">dmz<br> <td valign="top">eth2<br>
</td> </td>
<td valign="top">net<br> <td valign="top">0.0.0.0/0<br>
</td> </td>
<td valign="top">tcp<br> <td valign="top">tcp<br>
</td> </td>
<td valign="top">80<br> <td valign="top">80<br>
</td> </td>
<td valign="top"><br> <td valign="top">-<br>
</td>
<td valign="top"><br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br>
</blockquote> </blockquote>
</blockquote>
<ul> <ul>
<li>On 192.0.2.177 (your Web/Squid server), arrange for the following <li>In /etc/shorewall/rules, you will need:</li>
command to be executed after networking has come up<br>
</ul>
<blockquote>
<table cellpadding="2" border="1" cellspacing="0">
<tbody>
<tr>
<td valign="top">ACTION<br>
</td>
<td valign="top">SOURCE<br>
</td>
<td valign="top">DEST<br>
</td>
<td valign="top">PROTO<br>
</td>
<td valign="top">DEST<br>
PORT(S)<br>
</td>
<td valign="top">CLIENT<br>
PORT(2)<br>
</td>
<td valign="top">ORIGINAL<br>
DEST<br>
</td>
</tr>
<tr>
<td valign="top">ACCEPT<br>
</td>
<td valign="top">loc<br>
</td>
<td valign="top">dmz<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">80<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
<tr>
<td valign="top">ACCEPT<br>
</td>
<td valign="top">dmz<br>
</td>
<td valign="top">net<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">80<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
<ul>
<li>On 192.0.2.177 (your Web/Squid server), arrange for the following
command to be executed after networking has come up<br>
<pre><font color="#009900"><b>iptables -t nat -A PREROUTING -i eth0 -d ! 192.0.2.177 -p tcp --dport 80 -j REDIRECT --to-ports 3128</b></font><br></pre> <pre><font color="#009900"><b>iptables -t nat -A PREROUTING -i eth0 -d ! 192.0.2.177 -p tcp --dport 80 -j REDIRECT --to-ports 3128</b></font><br></pre>
</li> </li>
</ul> </ul>
<blockquote> If you are running RedHat on the server, you can simply execute <blockquote> If you are running RedHat on the server, you can simply execute
the following commands after you have typed the iptables command above:<br> the following commands after you have typed the iptables command above:<br>
</blockquote> </blockquote>
<blockquote> <blockquote>
<blockquote> </blockquote> <blockquote> </blockquote>
<pre><font color="#009900"><b>iptables-save &gt; /etc/sysconfig/iptables</b></font><font <pre><font color="#009900"><b>iptables-save &gt; /etc/sysconfig/iptables</b></font><font
color="#009900"><b><br>chkconfig --level 35 iptables start<br></b></font></pre> color="#009900"><b><br>chkconfig --level 35 iptables start<br></b></font></pre>
</blockquote> </blockquote>
<blockquote> </blockquote> <blockquote> </blockquote>
<p><font size="-1"> Updated 2/22/2003 - <a href="support.htm">Tom Eastep</a> <p><font size="-1"> Updated 4/7/2003 - <a href="support.htm">Tom Eastep</a>
</font></p> </font></p>
<a href="copyright.htm"><font size="2">Copyright</font> &copy;
<a <font size="2">2003 Thomas M. Eastep.</font></a><br>
href="copyright.htm"><font size="2">Copyright</font> &copy; <font
size="2">2003 Thomas M. Eastep.</font></a><br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br> <br>
</body> </body>
</html> </html>

839
Shorewall-docs/Shorewall_and_Aliased_Interfaces.html
View File

@ -13,186 +13,152 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall and Aliased Interfaces</font></h1> <h1 align="center"><font color="#ffffff">Shorewall and Aliased Interfaces</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br> <br>
<h2>Background</h2> <h2>Background</h2>
The traditional net-tools contain a program called <i>ifconfig</i> which The traditional net-tools contain a program called <i>ifconfig</i> which
is used to configure network devices. ifconfig introduced the concept of is used to configure network devices. ifconfig introduced the concept of
<i>aliased </i>or <i>virtial </i>interfaces. These virtual interfaces have <i>aliased </i>or <i>virtial </i>interfaces. These virtual interfaces have
names of the form <i>interface</i>:<i>integer </i>(e.g., eth0:0) and ifconfig names of the form <i>interface</i>:<i>integer </i>(e.g., eth0:0) and ifconfig
treats them more or less like real interfaces.<br> treats them more or less like real interfaces.<br>
<br> <br>
Example:<br> Example:<br>
<pre>[root@gateway root]# ifconfig eth0:0<br>eth0:0 Link encap:Ethernet HWaddr 02:00:08:3:FA:55<br> inet addr:206.124.146.178 Bcast:206.124.146.255 Mask:255.255.255.0<br> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br> Interrupt:11 Base address:0x2000<br>[root@gateway root]# <br></pre> <pre>[root@gateway root]# ifconfig eth0:0<br>eth0:0 Link encap:Ethernet HWaddr 02:00:08:3:FA:55<br> inet addr:206.124.146.178 Bcast:206.124.146.255 Mask:255.255.255.0<br> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br> Interrupt:11 Base address:0x2000<br>[root@gateway root]# <br></pre>
The ifconfig utility is being gradually phased out in favor of the <i>ip</i> The ifconfig utility is being gradually phased out in favor of the <i>ip</i>
utility which is part of the <i>iproute </i>package. The ip utility does utility which is part of the <i>iproute </i>package. The ip utility does
not use the concept of aliases or virtual interfaces but rather treats additional not use the concept of aliases or virtual interfaces but rather treats additional
addresses on an interface as objects. The ip utility does provide for interaction addresses on an interface as objects. The ip utility does provide for interaction
with ifconfig in that it allows addresses to be <i>labeled </i>and labels with ifconfig in that it allows addresses to be <i>labeled </i>and labels
may take the form of ipconfig virtual interfaces.<br> may take the form of ipconfig virtual interfaces.<br>
<br> <br>
Example:<br> Example:<br>
<br> <br>
<pre>[root@gateway root]# ip addr show dev eth0<br>2: eth0: &lt;BROADCAST,MULTICAST,UP&gt; mtu 1500 qdisc htb qlen 100<br> link/ether 02:00:08:e3:fa:55 brd ff:ff:ff:ff:ff:ff<br> inet 206.124.146.176/24 brd 206.124.146.255 scope global eth0<br> inet 206.124.146.178/24 brd 206.124.146.255 scope global secondary eth0:0<br>[root@gateway root]# <br></pre> <pre>[root@gateway root]# ip addr show dev eth0<br>2: eth0: &lt;BROADCAST,MULTICAST,UP&gt; mtu 1500 qdisc htb qlen 100<br> link/ether 02:00:08:e3:fa:55 brd ff:ff:ff:ff:ff:ff<br> inet 206.124.146.176/24 brd 206.124.146.255 scope global eth0<br> inet 206.124.146.178/24 brd 206.124.146.255 scope global secondary eth0:0<br>[root@gateway root]# <br></pre>
Note that one <u>cannot</u> type "ip addr show dev eth0:0" because "eth0:0" Note that one <u>cannot</u> type "ip addr show dev eth0:0" because "eth0:0"
is a label for a particular address rather than a device name.<br> is a label for a particular address rather than a device name.<br>
<pre>[root@gateway root]# ip addr show dev eth0:0<br>Device "eth0:0" does not exist.<br>[root@gateway root]#<br></pre> <pre>[root@gateway root]# ip addr show dev eth0:0<br>Device "eth0:0" does not exist.<br>[root@gateway root]#<br></pre>
The iptables program doesn't support virtual interfaces in either it's The iptables program doesn't support virtual interfaces in either it's
"-i" or "-o" command options; as a consequence, Shorewall does not allow "-i" or "-o" command options; as a consequence, Shorewall does not allow
them to be used in the /etc/shorewall/interfaces file.<br> them to be used in the /etc/shorewall/interfaces file.<br>
<br> <br>
<h2>So how do I handle more than one address on an interface?</h2> <h2>So how do I handle more than one address on an interface?</h2>
The answer depends on what you are trying to do with the interfaces. The answer depends on what you are trying to do with the interfaces.
In the sub-sections that follow, we'll take a look at common scenarios.<br> In the sub-sections that follow, we'll take a look at common scenarios.<br>
<h3>Separate Rules</h3> <h3>Separate Rules</h3>
If you need to make a rule for traffic to/from the firewall itself that If you need to make a rule for traffic to/from the firewall itself that
only applies to a particular IP address, simply qualify the $FW zone with only applies to a particular IP address, simply qualify the $FW zone with
the IP address.<br> the IP address.<br>
<br> <br>
Example (allow SSH from net to eth0:0 above):<br> Example (allow SSH from net to eth0:0 above):<br>
<br> <br>
<blockquote> <blockquote>
<table cellpadding="2" border="1" cellspacing="0"> <table cellpadding="2" border="1" cellspacing="0">
<tbody> <tbody>
<tr> <tr>
<td valign="top"><b>ACTION<br> <td valign="top"><b>ACTION<br>
</b></td> </b></td>
<td valign="top"><b>SOURCE<br> <td valign="top"><b>SOURCE<br>
</b></td> </b></td>
<td valign="top"><b>DESTINATION<br> <td valign="top"><b>DESTINATION<br>
</b></td> </b></td>
<td valign="top"><b>PROTOCOL<br> <td valign="top"><b>PROTOCOL<br>
</b></td> </b></td>
<td valign="top"><b>PORT(S)<br> <td valign="top"><b>PORT(S)<br>
</b></td> </b></td>
<td valign="top"><b>SOURCE PORT(S)<br> <td valign="top"><b>SOURCE PORT(S)<br>
</b></td> </b></td>
<td valign="top"><b>ORIGINAL DESTINATION<br> <td valign="top"><b>ORIGINAL DESTINATION<br>
</b></td> </b></td>
</tr> </tr>
<tr> <tr>
<td valign="top">DNAT<br> <td valign="top">ACCEPT<br>
</td>
<td valign="top">net<br>
</td>
<td valign="top">fw:206.124.146.178<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">22<br>
</td>
<td valign="top"><br>
</td> </td>
<td valign="top">net<br> <td valign="top"><br>
</td> </td>
<td valign="top">fw:206.124.146.178<br> </tr>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">22<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody> </tbody>
</table> </table>
<br> <br>
</blockquote> </blockquote>
<h3>DNAT</h3> <h3>DNAT</h3>
Suppose that I had set up eth0:0 as above and I wanted to port forward Suppose that I had set up eth0:0 as above and I wanted to port forward
from that virtual interface to a web server running in my local zone at from that virtual interface to a web server running in my local zone at
192.168.1.3. That is accomplised by a single rule in the /etc/shorewall/rules 192.168.1.3. That is accomplised by a single rule in the /etc/shorewall/rules
file:<br> file:<br>
<br> <br>
<blockquote> <blockquote>
<table cellpadding="2" border="1" cellspacing="0"> <table cellpadding="2" border="1" cellspacing="0">
<tbody> <tbody>
<tr> <tr>
<td valign="top"><b>ACTION<br> <td valign="top"><b>ACTION<br>
</b></td> </b></td>
<td valign="top"><b>SOURCE<br> <td valign="top"><b>SOURCE<br>
</b></td> </b></td>
<td valign="top"><b>DESTINATION<br> <td valign="top"><b>DESTINATION<br>
</b></td> </b></td>
<td valign="top"><b>PROTOCOL<br> <td valign="top"><b>PROTOCOL<br>
</b></td> </b></td>
<td valign="top"><b>PORT(S)<br> <td valign="top"><b>PORT(S)<br>
</b></td> </b></td>
<td valign="top"><b>SOURCE PORT(S)<br> <td valign="top"><b>SOURCE PORT(S)<br>
</b></td> </b></td>
<td valign="top"><b>ORIGINAL DESTINATION<br> <td valign="top"><b>ORIGINAL DESTINATION<br>
</b></td> </b></td>
</tr> </tr>
<tr> <tr>
<td valign="top">DNAT<br> <td valign="top">DNAT<br>
</td> </td>
<td valign="top">net<br> <td valign="top">net<br>
</td> </td>
<td valign="top">loc:192.168.1.3<br> <td valign="top">loc:192.168.1.3<br>
</td> </td>
<td valign="top">tcp<br> <td valign="top">tcp<br>
</td> </td>
<td valign="top">80<br> <td valign="top">80<br>
</td> </td>
<td valign="top">-<br> <td valign="top">-<br>
</td> </td>
<td valign="top">206.124.146.178<br> <td valign="top">206.124.146.178<br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br> <br>
</blockquote> </blockquote>
<h3>SNAT</h3> <h3>SNAT</h3>
If you wanted to use eth0:0 as the IP address for outbound connections If you wanted to use eth0:0 as the IP address for outbound connections
from your local zone (eth1), then in /etc/shorewall/masq:<br> from your local zone (eth1), then in /etc/shorewall/masq:<br>
<br> <br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>INTERFACE<br>
</b></td>
<td valign="top"><b>SUBNET<br>
</b></td>
<td valign="top"><b>ADDRESS<br>
</b></td>
</tr>
<tr>
<td valign="top">eth0<br>
</td>
<td valign="top">eth1<br>
</td>
<td valign="top">206.124.146.178<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
Shorewall can create the alias (additional address) for you if you set
ADD_SNAT_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with Shorewall
1.3.14, Shorewall can actually create the "label" (virtual interface) so
that you can see the created address using ifconfig. In addition to setting
ADD_SNAT_ALIASES=Yes, you specify the virtual interface name in the INTERFACE
column as follows:<br>
<blockquote> <blockquote>
<table cellpadding="2" cellspacing="0" border="1"> <table cellpadding="2" cellspacing="0" border="1">
@ -206,7 +172,7 @@ file:<br>
</b></td> </b></td>
</tr> </tr>
<tr> <tr>
<td valign="top">eth0:0<br> <td valign="top">eth0<br>
</td> </td>
<td valign="top">eth1<br> <td valign="top">eth1<br>
</td> </td>
@ -218,51 +184,42 @@ file:<br>
</table> </table>
<br> <br>
</blockquote> </blockquote>
Shorewall can create the alias (additional address) for you if you set
<h3>STATIC NAT</h3> ADD_SNAT_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with Shorewall
If you wanted to use static NAT to link eth0:0 with local address 192.168.1.3, 1.3.14, Shorewall can actually create the "label" (virtual interface) so
you would have the following in /etc/shorewall/nat:<br> that you can see the created address using ifconfig. In addition to setting
<br> ADD_SNAT_ALIASES=Yes, you specify the virtual interface name in the INTERFACE
column as follows:<br>
<blockquote> <blockquote>
<table cellpadding="2" cellspacing="0" border="1"> <table cellpadding="2" cellspacing="0" border="1">
<tbody> <tbody>
<tr> <tr>
<td valign="top"><b>EXTERNAL<br> <td valign="top"><b>INTERFACE<br>
</b></td> </b></td>
<td valign="top"><b>INTERFACE<br> <td valign="top"><b>SUBNET<br>
</b></td> </b></td>
<td valign="top"><b>INTERNAL<br> <td valign="top"><b>ADDRESS<br>
</b></td> </b></td>
<td valign="top"><b>ALL INTERFACES<br> </tr>
</b></td> <tr>
<td valign="top"><b>LOCAL<br> <td valign="top">eth0:0<br>
</b></td> </td>
</tr> <td valign="top">eth1<br>
<tr> </td>
<td valign="top">206.124.146.178<br> <td valign="top">206.124.146.178<br>
</td> </td>
<td valign="top">eth0<br> </tr>
</td>
<td valign="top">192.168.1.3<br>
</td>
<td valign="top">no<br>
</td>
<td valign="top">no<br>
</td>
</tr>
</tbody> </tbody>
</table> </table>
<br> <br>
</blockquote> </blockquote>
Shorewall can create the alias (additional address) for you if you set
ADD_IP_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with Shorewall <h3>STATIC NAT</h3>
1.3.14, Shorewall can actually create the "label" (virtual interface) so If you wanted to use static NAT to link eth0:0 with local address 192.168.1.3,
that you can see the created address using ifconfig. In addition to setting you would have the following in /etc/shorewall/nat:<br>
ADD_IP_ALIASES=Yes, you specify the virtual interface name in the INTERFACE <br>
column as follows:<br>
<br>
<blockquote> <blockquote>
<table cellpadding="2" cellspacing="0" border="1"> <table cellpadding="2" cellspacing="0" border="1">
@ -282,7 +239,7 @@ file:<br>
<tr> <tr>
<td valign="top">206.124.146.178<br> <td valign="top">206.124.146.178<br>
</td> </td>
<td valign="top">eth0:0<br> <td valign="top">eth0<br>
</td> </td>
<td valign="top">192.168.1.3<br> <td valign="top">192.168.1.3<br>
</td> </td>
@ -295,252 +252,115 @@ file:<br>
</tbody> </tbody>
</table> </table>
<br> <br>
</blockquote> </blockquote>
In either case, to create rules that pertain only to this NAT pair, you Shorewall can create the alias (additional address) for you if you set
simply qualify the local zone with the internal IP address.<br> ADD_IP_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with Shorewall
<br> 1.3.14, Shorewall can actually create the "label" (virtual interface) so
Example: You want to allow SSH from the net to 206.124.146.178 a.k.a. that you can see the created address using ifconfig. In addition to setting
192.168.1.3.<br> ADD_IP_ALIASES=Yes, you specify the virtual interface name in the INTERFACE
<br> column as follows:<br>
<br>
<blockquote> <blockquote>
<table cellpadding="2" border="1" cellspacing="0"> <table cellpadding="2" cellspacing="0" border="1">
<tbody> <tbody>
<tr> <tr>
<td valign="top"><b>ACTION<br> <td valign="top"><b>EXTERNAL<br>
</b></td> </b></td>
<td valign="top"><b>SOURCE<br> <td valign="top"><b>INTERFACE<br>
</b></td> </b></td>
<td valign="top"><b>DESTINATION<br> <td valign="top"><b>INTERNAL<br>
</b></td> </b></td>
<td valign="top"><b>PROTOCOL<br> <td valign="top"><b>ALL INTERFACES<br>
</b></td> </b></td>
<td valign="top"><b>PORT(S)<br> <td valign="top"><b>LOCAL<br>
</b></td> </b></td>
<td valign="top"><b>SOURCE PORT(S)<br> </tr>
</b></td> <tr>
<td valign="top"><b>ORIGINAL DESTINATION<br> <td valign="top">206.124.146.178<br>
</b></td> </td>
</tr> <td valign="top">eth0:0<br>
<tr> </td>
<td valign="top">ACCEPT<br> <td valign="top">192.168.1.3<br>
</td> </td>
<td valign="top">net<br> <td valign="top">no<br>
</td> </td>
<td valign="top">loc:192.168.1.3<br> <td valign="top">no<br>
</td> </td>
<td valign="top">tcp<br> </tr>
</td>
<td valign="top">22<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody> </tbody>
</table> </table>
<br> <br>
</blockquote> </blockquote>
In either case, to create rules that pertain only to this NAT pair, you
simply qualify the local zone with the internal IP address.<br>
<br>
Example: You want to allow SSH from the net to 206.124.146.178 a.k.a.
192.168.1.3.<br>
<br>
<blockquote>
<table cellpadding="2" border="1" cellspacing="0">
<tbody>
<tr>
<td valign="top"><b>ACTION<br>
</b></td>
<td valign="top"><b>SOURCE<br>
</b></td>
<td valign="top"><b>DESTINATION<br>
</b></td>
<td valign="top"><b>PROTOCOL<br>
</b></td>
<td valign="top"><b>PORT(S)<br>
</b></td>
<td valign="top"><b>SOURCE PORT(S)<br>
</b></td>
<td valign="top"><b>ORIGINAL DESTINATION<br>
</b></td>
</tr>
<tr>
<td valign="top">ACCEPT<br>
</td>
<td valign="top">net<br>
</td>
<td valign="top">loc:192.168.1.3<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">22<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
<h3>MULTIPLE SUBNETS</h3> <h3>MULTIPLE SUBNETS</h3>
Sometimes multiple IP addresses are used because there are multiple subnetworks Sometimes multiple IP addresses are used because there are multiple
configured on a LAN segment. This technique does not provide for any security subnetworks configured on a LAN segment. This technique does not provide
between the subnetworks if the users of the systems have administrative for any security between the subnetworks if the users of the systems have
privileges because in that case, the users can simply manipulate their system's administrative privileges because in that case, the users can simply manipulate
routing table to bypass your firewall/router. Nevertheless, there are cases their system's routing table to bypass your firewall/router. Nevertheless,
where you simply want to consider the LAN segment itself as a zone and allow there are cases where you simply want to consider the LAN segment itself
your firewall/router to route between the two subnetworks.<br> as a zone and allow your firewall/router to route between the two subnetworks.<br>
<br> <br>
Example 1: &nbsp;Local interface eth1 interfaces to 192.168.1.0/24 and Example 1: &nbsp;Local interface eth1 interfaces to 192.168.1.0/24 and
192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and eth1:0 192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and eth1:0
is 192.168.20.254. You want to simply route all requests between the two is 192.168.20.254. You want to simply route all requests between the two
subnetworks.<br> subnetworks.<br>
<h4>If you are running Shorewall 1.4.1 or Later</h4> <h4>If you are running Shorewall 1.4.1 or Later</h4>
In /etc/shorewall/interfaces:<br> In /etc/shorewall/interfaces:<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>ZONE<br>
</b></td>
<td valign="top"><b>INTERFACE<br>
</b></td>
<td valign="top"><b>BROADCAST<br>
</b></td>
<td valign="top"><b>OPTIONS<br>
</b></td>
</tr>
<tr>
<td valign="top">-<br>
</td>
<td valign="top">eth1<br>
</td>
<td valign="top">192.168.1.255,192.168.20.255<br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
In /etc/shorewall/hosts:<br>
<blockquote> <blockquote>
<table cellpadding="2" cellspacing="0" border="1"> <table cellpadding="2" cellspacing="0" border="1">
<tbody> <tbody>
<tr>
<td valign="top"><b>ZONE<br>
</b></td>
<td valign="top"><b>HOSTS<br>
</b></td>
<td valign="top"><b>OPTIONS<br>
</b></td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">eth0:192.168.1.0/24<br>
</td>
<td valign="top"><br>
</td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">eth0:192.168.20.0/24<br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
Note that you do NOT need any entry in /etc/shorewall/policy as Shorewall
1.4.1 and later releases default to allowing intra-zone traffic.<br>
<h4>If you are running Shorewall 1.4.0 or earlier<br>
</h4>
In /etc/shorewall/interfaces:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>ZONE<br>
</b></td>
<td valign="top"><b>INTERFACE<br>
</b></td>
<td valign="top"><b>BROADCAST<br>
</b></td>
<td valign="top"><b>OPTIONS<br>
</b></td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">eth1<br>
</td>
<td valign="top">192.168.1.255,192.168.20.255<br>
</td>
<td valign="top">Note 1:<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
Note 1: If you are running Shorewall 1.3.10 or earlier then you must
specify the <b>multi</b> option.<br>
<br>
In /etc/shorewall/policy:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>SOURCE<br>
</b></td>
<td valign="top"><b>DESTINATION<br>
</b></td>
<td valign="top"><b>POLICY<br>
</b></td>
<td valign="top"><b>LOG LEVEL<br>
</b></td>
<td valign="top"><b>BURST:LIMIT<br>
</b></td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">loc<br>
</td>
<td valign="top">ACCEPT<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
Example 2: Local interface eth1 interfaces to 192.168.1.0/24 and 192.168.20.0/24.
The primary IP address of eth1 is 192.168.1.254 and eth1:0 is 192.168.20.254.
You want to make these subnetworks into separate zones and control the access
between them (the users of the systems do not have administrative privileges).<br>
<br>
In /etc/shorewall/zones:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>ZONE<br>
</b></td>
<td valign="top"><b>DISPLAY<br>
</b></td>
<td valign="top"><b>DESCRIPTION<br>
</b></td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">Local<br>
</td>
<td valign="top">Local Zone 1<br>
</td>
</tr>
<tr>
<td valign="top">loc2<br>
</td>
<td valign="top">Local2<br>
</td>
<td valign="top">Local Zone 2<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
In /etc/shorewall/interfaces:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr> <tr>
<td valign="top"><b>ZONE<br> <td valign="top"><b>ZONE<br>
</b></td> </b></td>
@ -558,18 +378,55 @@ specify the <b>multi</b> option.<br>
</td> </td>
<td valign="top">192.168.1.255,192.168.20.255<br> <td valign="top">192.168.1.255,192.168.20.255<br>
</td> </td>
<td valign="top">Note 1:<br> <td valign="top"><br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br>
</blockquote>
In /etc/shorewall/hosts:<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>ZONE<br>
</b></td>
<td valign="top"><b>HOSTS<br>
</b></td>
<td valign="top"><b>OPTIONS<br>
</b></td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">eth0:192.168.1.0/24<br>
</td>
<td valign="top"><br>
</td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">eth0:192.168.20.0/24<br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
Note that you do NOT need any entry in /etc/shorewall/policy as Shorewall
1.4.1 and later releases default to allowing intra-zone traffic.<br>
<h4>If you are running Shorewall 1.4.0 or earlier<br>
</h4>
In /etc/shorewall/interfaces:<br>
<br> <br>
</blockquote>
Note 1: If you are running Shorewall 1.3.10 or earlier then you must
specify the <b>multi</b> option.<br>
<br>
In /etc/shorewall/hosts:<br>
<blockquote> <blockquote>
<table cellpadding="2" cellspacing="0" border="1"> <table cellpadding="2" cellspacing="0" border="1">
@ -577,7 +434,9 @@ specify the <b>multi</b> option.<br>
<tr> <tr>
<td valign="top"><b>ZONE<br> <td valign="top"><b>ZONE<br>
</b></td> </b></td>
<td valign="top"><b>HOSTS<br> <td valign="top"><b>INTERFACE<br>
</b></td>
<td valign="top"><b>BROADCAST<br>
</b></td> </b></td>
<td valign="top"><b>OPTIONS<br> <td valign="top"><b>OPTIONS<br>
</b></td> </b></td>
@ -585,15 +444,47 @@ specify the <b>multi</b> option.<br>
<tr> <tr>
<td valign="top">loc<br> <td valign="top">loc<br>
</td> </td>
<td valign="top">eth0:192.168.1.0/24<br> <td valign="top">eth1<br>
</td> </td>
<td valign="top"><br> <td valign="top">192.168.1.255,192.168.20.255<br>
</td>
<td valign="top">Note 1:<br>
</td> </td>
</tr> </tr>
</tbody>
</table>
<br>
</blockquote>
Note 1: If you are running Shorewall 1.3.10 or earlier then you must
specify the <b>multi</b> option.<br>
<br>
In /etc/shorewall/policy:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr> <tr>
<td valign="top">loc2<br> <td valign="top"><b>SOURCE<br>
</b></td>
<td valign="top"><b>DESTINATION<br>
</b></td>
<td valign="top"><b>POLICY<br>
</b></td>
<td valign="top"><b>LOG LEVEL<br>
</b></td>
<td valign="top"><b>BURST:LIMIT<br>
</b></td>
</tr>
<tr>
<td valign="top">loc<br>
</td> </td>
<td valign="top">eth0:192.168.20.0/24<br> <td valign="top">loc<br>
</td>
<td valign="top">ACCEPT<br>
</td>
<td valign="top"><br>
</td> </td>
<td valign="top"><br> <td valign="top"><br>
</td> </td>
@ -601,21 +492,131 @@ specify the <b>multi</b> option.<br>
</tbody> </tbody>
</table> </table>
<br>
</blockquote>
Example 2: Local interface eth1 interfaces to 192.168.1.0/24 and 192.168.20.0/24.
The primary IP address of eth1 is 192.168.1.254 and eth1:0 is 192.168.20.254.
You want to make these subnetworks into separate zones and control the
access between them (the users of the systems do not have administrative
privileges).<br>
<br>
In /etc/shorewall/zones:<br>
<br> <br>
</blockquote>
In /etc/shorewall/rules, simply specify ACCEPT rules for the traffic
that you want to permit.<br>
<br>
<p align="left"><font size="2">Last Updated 3/22/2003 A - <a <blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>ZONE<br>
</b></td>
<td valign="top"><b>DISPLAY<br>
</b></td>
<td valign="top"><b>DESCRIPTION<br>
</b></td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">Local<br>
</td>
<td valign="top">Local Zone 1<br>
</td>
</tr>
<tr>
<td valign="top">loc2<br>
</td>
<td valign="top">Local2<br>
</td>
<td valign="top">Local Zone 2<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
In /etc/shorewall/interfaces:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>ZONE<br>
</b></td>
<td valign="top"><b>INTERFACE<br>
</b></td>
<td valign="top"><b>BROADCAST<br>
</b></td>
<td valign="top"><b>OPTIONS<br>
</b></td>
</tr>
<tr>
<td valign="top">-<br>
</td>
<td valign="top">eth1<br>
</td>
<td valign="top">192.168.1.255,192.168.20.255<br>
</td>
<td valign="top">Note 1:<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
Note 1: If you are running Shorewall 1.3.10 or earlier then you must
specify the <b>multi</b> option.<br>
<br>
In /etc/shorewall/hosts:<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>ZONE<br>
</b></td>
<td valign="top"><b>HOSTS<br>
</b></td>
<td valign="top"><b>OPTIONS<br>
</b></td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">eth0:192.168.1.0/24<br>
</td>
<td valign="top"><br>
</td>
</tr>
<tr>
<td valign="top">loc2<br>
</td>
<td valign="top">eth0:192.168.20.0/24<br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
In /etc/shorewall/rules, simply specify ACCEPT rules for the traffic
that you want to permit.<br>
<br>
<p align="left"><font size="2">Last Updated 3/27/2003 A - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <p><a href="copyright.htm"><font size="2">Copyright</font> &copy;
<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
<br> <br>
</p> </p>
<br> <br>
<br> <br>
<br>
<br> <br>
</body> </body>
</html> </html>

138
Shorewall-docs/Shorewall_index_frame.htm
View File

@ -2,23 +2,17 @@
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Index</title> <title>Shorewall Index</title>
<base <base target="main">
target="main">
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
@ -26,138 +20,108 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#4b017c" height="90"> bgcolor="#4b017c" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%" height="90"> <td width="100%" height="90">
<h3 align="center"><font color="#ffffff">Shorewall</font></h3> <h3 align="center"><font color="#ffffff">Shorewall</font></h3>
</td> </td>
</tr> </tr>
<tr> <tr>
<td width="100%" <td width="100%"
bgcolor="#ffffff"> bgcolor="#ffffff">
<ul> <ul>
<li> <a <li> <a
href="seattlefirewall_index.htm">Home</a></li> href="seattlefirewall_index.htm">Home</a></li>
<li> <a <li> <a
href="shorewall_features.htm">Features</a></li> href="shorewall_features.htm">Features</a></li>
<li> <a <li> <a
href="shorewall_prerequisites.htm">Requirements</a></li> href="shorewall_prerequisites.htm">Requirements</a></li>
<li> <a href="download.htm">Download</a><br> <li> <a href="download.htm">Download</a><br>
</li>
<li> <a href="Install.htm">Installation/Upgrade/</a><br>
<a href="Install.htm">Configuration</a><br>
</li>
<li> <a
href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a><br>
</li> </li>
<li> <b><a <li> <a href="Install.htm">Installation/Upgrade/</a><br>
<a href="Install.htm">Configuration</a><br>
</li>
<li> <a
href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a><br>
</li>
<li> <b><a
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li> href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li>
<li> <a
href="Documentation.htm">Reference Manual</a></li> <li> <a href="FAQ.htm">FAQs</a></li>
<li> <a href="FAQ.htm">FAQs</a></li> <li><a
<li><a
href="useful_links.html">Useful Links</a><br> href="useful_links.html">Useful Links</a><br>
</li> </li>
<li> <a <li> <a
href="troubleshoot.htm">Troubleshooting</a></li> href="troubleshoot.htm">Troubleshooting</a></li>
<li> <a href="errata.htm">Errata</a></li> <li> <a href="errata.htm">Errata</a></li>
<li> <a <li> <a
href="upgrade_issues.htm">Upgrade Issues</a></li> href="upgrade_issues.htm">Upgrade Issues</a></li>
<li> <a href="support.htm">Getting <li> <a href="support.htm">Getting
help or Answers to Questions</a><br> help or Answers to Questions</a><br>
</li> </li>
<li> <a href="shorewall_mirrors.htm">Mirrors</a>
<li> <a href="shorewall_mirrors.htm">Mirrors</a>
<ul> <ul>
<li><a target="_top" <li><a target="_top"
href="http://slovakia.shorewall.net">Slovak Republic</a></li> href="http://slovakia.shorewall.net">Slovak Republic</a></li>
<li><a target="_top" <li><a target="_top"
href="http://shorewall.infohiiway.com">Texas, USA</a></li> href="http://shorewall.infohiiway.com">Texas, USA</a></li>
<li><a target="_top" <li><a target="_top"
href="http://germany.shorewall.net">Germany</a></li> href="http://germany.shorewall.net">Germany</a></li>
<li><a target="_top" <li><a target="_top"
href="http://shorewall.correofuego.com.ar">Argentina</a></li> href="http://shorewall.correofuego.com.ar">Argentina</a></li>
<li><a target="_top" <li><a target="_top"
href="http://france.shorewall.net">France</a></li> href="http://france.shorewall.net">France</a></li>
<li><a href="http://www.shorewall.net" <li><a href="http://www.shorewall.net"
target="_top">Washington State, USA</a><br> target="_top">Washington State, USA</a><br>
</li> </li>
</ul> </ul>
</li> </li>
</ul> </ul>
<ul> <ul>
<li> <a href="News.htm">News <li> <a href="News.htm">News
Archive</a></li> Archive</a></li>
<li> <a <li> <a
href="Shorewall_CVS_Access.html">CVS Repository</a></li> href="Shorewall_CVS_Access.html">CVS Repository</a></li>
<li> <a href="quotes.htm">Quotes <li> <a href="quotes.htm">Quotes
from Users</a></li> from Users</a></li>
<li> <a href="shoreline.htm">About <li> <a href="shoreline.htm">About
the Author</a></li> the Author</a></li>
<li> <a <li> <a
href="seattlefirewall_index.htm#Donations">Donations</a></li> href="seattlefirewall_index.htm#Donations">Donations</a></li>
</ul> </ul>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch"> <form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch">
<strong><br> <strong><br>
<b>Note: </b></strong>Search is unavailable <b>Note: </b></strong>Search is unavailable
Daily 0200-0330 GMT.<br> Daily 0200-0330 GMT.<br>
<strong></strong> <strong></strong>
<p><strong>Quick Search</strong><br> <p><strong>Quick Search</strong><br>
<font face="Arial" size="-1"> <input <font face="Arial" size="-1">
type="text" name="words" size="15"></font><font size="-1"> </font> <font <input type="text" name="words" size="15"></font><font size="-1"> </font>
face="Arial" size="-1"> <input type="hidden" name="format" <font face="Arial" size="-1"> <input type="hidden" name="format"
value="long"> <input type="hidden" name="method" value="and"> <input value="long"> <input type="hidden" name="method" value="and"> <input
type="hidden" name="config" value="htdig"> <input type="submit" type="hidden" name="config" value="htdig"> <input type="submit"
value="Search"></font> </p> value="Search"></font> </p>
<font face="Arial"> <input <font face="Arial"> <input
type="hidden" name="exclude" type="hidden" name="exclude"
value="[http://lists.shorewall.net/pipermail/*]"> </font> </form> value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
<p><b><a href="http://lists.shorewall.net/htdig/search.html">Extended Search</a></b></p> <p><b><a href="http://lists.shorewall.net/htdig/search.html">Extended Search</a></b></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001-2003 Thomas M. Eastep.</font></a><a size="2">2001-2003 Thomas M. Eastep.</font></a><a
href="http://www.shorewall.net" target="_top"> </a></p> href="http://www.shorewall.net" target="_top"> </a></p>
<br>
</body> </body>
</html> </html>

144
Shorewall-docs/Shorewall_sfindex_frame.htm
View File

@ -2,23 +2,16 @@
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Index</title> <title>Shorewall Index</title>
<base target="main">
<base target="main">
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
@ -26,142 +19,107 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#4b017c" height="90"> bgcolor="#4b017c" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%" height="90"> <td width="100%" height="90">
<h3 align="center"><font color="#ffffff">Shorewall</font></h3> <h3 align="center"><font color="#ffffff">Shorewall</font></h3>
</td> </td>
</tr> </tr>
<tr> <tr>
<td width="100%" <td width="100%"
bgcolor="#ffffff"> bgcolor="#ffffff">
<ul> <ul>
<li> <a <li> <a
href="sourceforge_index.htm">Home</a></li> href="sourceforge_index.htm">Home</a></li>
<li> <a <li> <a
href="shorewall_features.htm">Features</a></li> href="shorewall_features.htm">Features</a></li>
<li> <a <li> <a
href="shorewall_prerequisites.htm">Requirements</a></li> href="shorewall_prerequisites.htm">Requirements</a></li>
<li> <a href="download.htm">Download</a><br> <li> <a href="download.htm">Download</a><br>
</li>
<li> <a href="Install.htm">Installation/Upgrade/</a><br>
<a href="Install.htm">Configuration</a><br>
</li>
<li> <a
href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a><br>
</li> </li>
<li> <b><a <li> <a href="Install.htm">Installation/Upgrade/</a><br>
<a href="Install.htm">Configuration</a><br>
</li>
<li> <a
href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a><br>
</li>
<li> <b><a
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li> href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li>
<li> <a
href="Documentation.htm">Reference Manual</a></li> <li> <a href="FAQ.htm">FAQs</a></li>
<li> <a href="FAQ.htm">FAQs</a></li> <li><a
<li><a
href="useful_links.html">Useful Links</a><br> href="useful_links.html">Useful Links</a><br>
</li> </li>
<li> <a <li> <a
href="troubleshoot.htm">Troubleshooting</a></li> href="troubleshoot.htm">Troubleshooting</a></li>
<li> <a href="errata.htm">Errata</a></li> <li> <a href="errata.htm">Errata</a></li>
<li> <a <li> <a
href="upgrade_issues.htm">Upgrade Issues</a></li> href="upgrade_issues.htm">Upgrade Issues</a></li>
<li> <a href="support.htm">Getting <li> <a href="support.htm">Getting
Help or Answers to Questions</a></li> Help or Answers to Questions</a></li>
<li> <a href="shorewall_mirrors.htm">Mirrors</a>
<li> <a href="shorewall_mirrors.htm">Mirrors</a>
<ul> <ul>
<li><a target="_top" <li><a target="_top"
href="http://slovakia.shorewall.net">Slovak Republic</a></li> href="http://slovakia.shorewall.net">Slovak Republic</a></li>
<li><a target="_top" <li><a target="_top"
href="http://shorewall.infohiiway.com">Texas, USA</a></li> href="http://shorewall.infohiiway.com">Texas, USA</a></li>
<li><a target="_top" <li><a target="_top"
href="http://germany.shorewall.net">Germany</a></li> href="http://germany.shorewall.net">Germany</a></li>
<li><a target="_top" <li><a target="_top"
href="http://shorewall.correofuego.com.ar">Argentina</a></li> href="http://shorewall.correofuego.com.ar">Argentina</a></li>
<li><a target="_top" <li><a target="_top"
href="http://france.shorewall.net">France</a></li> href="http://france.shorewall.net">France</a></li>
<li><a href="http://www.shorewall.net" <li><a href="http://www.shorewall.net"
target="_top">Washington State, USA</a><br> target="_top">Washington State, USA</a><br>
</li> </li>
</ul> </ul>
</li> </li>
</ul> </ul>
<ul> <ul>
<li> <a href="News.htm">News <li> <a href="News.htm">News
Archive</a></li> Archive</a></li>
<li> <a <li> <a
href="Shorewall_CVS_Access.html">CVS Repository</a></li> href="Shorewall_CVS_Access.html">CVS Repository</a></li>
<li> <a href="quotes.htm">Quotes <li> <a href="quotes.htm">Quotes
from Users</a></li> from Users</a></li>
<li> <a href="shoreline.htm">About <li> <a href="shoreline.htm">About
the Author</a></li> the Author</a></li>
<li> <a <li> <a
href="sourceforge_index.htm#Donations">Donations</a></li> href="sourceforge_index.htm#Donations">Donations</a></li>
</ul> </ul>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch"> <form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch">
<strong><br> <strong><br>
<b>Note: </b></strong>Search is unavailable <b>Note: </b></strong>Search is unavailable
Daily 0200-0330 GMT.<br> Daily 0200-0330 GMT.<br>
<strong></strong> <strong></strong>
<p><strong>Quick Search</strong><br> <p><strong>Quick Search</strong><br>
<font face="Arial" size="-1"> <font face="Arial" size="-1"> <input
<input type="text" name="words" size="15"></font><font size="-1"> </font> type="text" name="words" size="15"></font><font size="-1"> </font> <font
<font face="Arial" size="-1"> <input type="hidden" name="format" face="Arial" size="-1"> <input type="hidden" name="format"
value="long"> <input type="hidden" name="method" value="and"> <input value="long"> <input type="hidden" name="method" value="and"> <input
type="hidden" name="config" value="htdig"> <input type="submit" type="hidden" name="config" value="htdig"> <input type="submit"
value="Search"></font> </p> value="Search"></font> </p>
<font face="Arial"> <input <font face="Arial"> <input
type="hidden" name="exclude" type="hidden" name="exclude"
value="[http://lists.shorewall.net/pipermail/*]"> </font> </form> value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
<p><b><a href="http://lists.shorewall.net/htdig/search.html">Extended Search</a></b></p> <p><b><a href="http://lists.shorewall.net/htdig/search.html">Extended Search</a></b></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001-2003 Thomas M. Eastep.</font></a><br> size="2">2001-2003 Thomas M. Eastep.</font></a><br>
</p> </p>
<br>
</body> </body>
</html> </html>

478
Shorewall-docs/download.htm
View File

@ -17,440 +17,170 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Download</font></h1> <h1 align="center"><font color="#ffffff">Shorewall Download</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p><b>I strongly urge you to read and print a copy of the <a <p><b>I strongly urge you to read and print a copy of the <a
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a> href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
for the configuration that most closely matches your own.<br> for the configuration that most closely matches your own.<br>
</b></p> </b></p>
<p>The entire set of Shorewall documentation is available in PDF format <p>The entire set of Shorewall documentation is available in PDF format at:</p>
at:</p>
<p>    <a href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br> <p>    <a href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>     <a
    <a href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a> href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
</p>     <a href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>
</p>
<p>The documentation in HTML format is included in the .rpm and in the <p>The documentation in HTML format is included in the .rpm and in the
.tgz packages below.</p> .tgz packages below.</p>
<p> Once you've printed the appropriate QuickStart Guide, download <u> <p> Once you've printed the appropriate QuickStart Guide, download <u>
one</u> of the modules:</p> one</u> of the modules:</p>
<ul> <ul>
<li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>, <li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>,
<b> Linux PPC</b> or <b> TurboLinux</b> distribution <b> Linux PPC</b> or <b> TurboLinux</b> distribution
with a 2.4 kernel, you can use the RPM version (note: the with a 2.4 kernel, you can use the RPM version (note: the
RPM should also work with other distributions that RPM should also work with other distributions that store
store init scripts in /etc/init.d and that include chkconfig init scripts in /etc/init.d and that include chkconfig or
or insserv). If you find that it works in other cases, let <a insserv). If you find that it works in other cases, let <a
href="mailto:teastep@shorewall.net"> me</a> know so that href="mailto:teastep@shorewall.net"> me</a> know so that
I can mention them here. See the <a href="Install.htm">Installation I can mention them here. See the <a href="Install.htm">Installation
Instructions</a> if you have problems installing the RPM.</li> Instructions</a> if you have problems installing the RPM.</li>
<li>If you are running LRP, download the .lrp file (you <li>If you are running LRP, download the .lrp file
might also want to download the .tgz so you will have a copy (you might also want to download the .tgz so you will have a copy
of the documentation).</li> of the documentation).</li>
<li>If you run <a href="http://www.debian.org"><b>Debian</b></a> <li>If you run <a href="http://www.debian.org"><b>Debian</b></a>
and would like a .deb package, Shorewall is included in both and would like a .deb package, Shorewall is included in both
the <a href="http://packages.debian.org/testing/net/shorewall.html">Debian the <a href="http://packages.debian.org/testing/net/shorewall.html">Debian
Testing Branch</a> and the <a Testing Branch</a> and the <a
href="http://packages.debian.org/unstable/net/shorewall.html">Debian href="http://packages.debian.org/unstable/net/shorewall.html">Debian Unstable
Unstable Branch</a>.</li> Branch</a>.</li>
<li>Otherwise, download the <i>shorewall</i> <li>Otherwise, download the <i>shorewall</i>
module (.tgz)</li> module (.tgz)</li>
</ul> </ul>
<p>The documentation in HTML format is included in the .tgz and .rpm files <p>The documentation in HTML format is included in the .tgz and .rpm files
and there is an documentation .deb that also contains the documentation.  The and there is an documentation .deb that also contains the documentation.  The
.rpm will install the documentation in your default document directory which .rpm will install the documentation in your default document directory
can be obtained using the following command:<br> which can be obtained using the following command:<br>
</p> </p>
<blockquote> <blockquote>
<p><font color="#009900"><b>rpm --eval '%{defaultdocdir}'</b></font></p> <p><font color="#009900"><b>rpm --eval '%{defaultdocdir}'</b></font></p>
</blockquote> </blockquote>
<p>Please verify the version that you have downloaded -- during the <p>Please check the <font color="#ff0000"> <a href="errata.htm"> errata</a></font>
release of a new version of Shorewall, the links below may to see if there are updates that apply to the version
point to a newer or an older version than is shown below.</p> that you have downloaded.</p>
<ul>
<li>RPM - "rpm -qip LATEST.rpm"</li>
<li>TARBALL - "tar -ztf LATEST.tgz" (the directory
name will contain the version)</li>
<li>LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar
-zxf &lt;downloaded .lrp&gt;; cat var/lib/lrpkg/shorwall.version"
</li>
</ul>
<p>Once you have verified the version, check the <font
color="#ff0000"> <a href="errata.htm"> errata</a></font> to see
if there are updates that apply to the version that you have
downloaded.</p>
<p><font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY INSTALL <p><font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY INSTALL
THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed configuration
configuration of your firewall, you can enable startup by removing the of your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.</b></font></p>
file /etc/shorewall/startup_disabled.</b></font></p>
<p><b>Download Latest Version</b> (<b>1.4.0</b>): <b>Remember that updates <p><b></b></p>
to the mirrors occur 1-12 hours after an update to the Washington
State site.</b></p>
<blockquote> <p><b>Download Sites:</b></p>
<table border="2" cellspacing="3" cellpadding="3"
style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>SERVER LOCATION</b></td>
<td><b>DOMAIN</b></td>
<td><b>HTTP</b></td>
<td><b>FTP</b></td>
</tr>
<tr>
<td valign="top">SourceForge<br>
</td>
<td valign="top">sf.net<br>
</td>
<td valign="top"><a
href="http://sourceforge.net/project/showfiles.php?group_id=22587">Download</a><br>
</td>
<td valign="top"><br>
</td>
</tr>
<tr>
<td>Slovak Republic</td>
<td>Shorewall.net</td>
<td><a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br>
<a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.md5sums">
Download.md5sums<br>
</a><a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.samples">Download
.samples</a><a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.md5sums"><br>
</a></td>
<td> <a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
<a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.md5sums">
Download.md5sums<br>
</a><a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.samples">Download
.samples</a><a
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.md5sums"><br>
</a></td>
</tr>
<tr>
<td>Texas, USA</td>
<td>Infohiiway.com</td>
<td><a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.rpm">Download
.rpm</a><br>
<a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.md5sums">
Download.md5sums<br>
</a><a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.samples">Download
.samples</a><a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.md5sums"><br>
</a></td>
<td> <a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.rpm">Download .rpm</a>  <br>
<a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.lrp"> Download
.lrp</a><br>
<a
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.md5sums">
Download.md5sums<br>
</a><a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.samples"> Download
.samples</a><a
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.md5sums"><br>
</a></td>
</tr>
<tr>
<td>Hamburg, Germany</td>
<td>Shorewall.net</td>
<td><a
href="http://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download
.rpm</a><br>
<a
href="http://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a><br>
<a
href="http://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a
href="http://germany.shorewall.net/pub/shorewall/LATEST.md5sums">
Download.md5sums<br>
</a><a
href="http://germany.shorewall.net/pub/shorewall/LATEST.samples">Download
.samples</a><a
href="http://germany.shorewall.net/pub/shorewall/LATEST.md5sums"><br>
</a></td>
<td> <a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download
.rpm</a>  <br>
<a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.md5sums">Download
.md5sums<br>
</a><a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.samples">Download
.samples</a><a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.md5sums"><br>
</a></td>
</tr>
<tr>
<td>Martinez (Zona Norte - GBA), Argentina</td>
<td>Correofuego.com.ar</td>
<td> <a
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
<a
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
Download .lrp</a><br>
<a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums">Download
.md5sums<br>
</a><a
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.samples">
Download .samples</a><a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums"><br>
</a></td>
<td> <a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
<a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
Download .lrp</a><br>
<a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums">Download
.md5sums<br>
</a><a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.samples">
Download .samples</a><a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums"><br>
</a></td>
</tr>
<tr>
<td>Paris, France</td>
<td>Shorewall.net</td>
<td><a
href="http://france.shorewall.net/pub/LATEST.rpm">Download .rpm</a><br>
<a
href="http://france.shorewall.net/pub/LATEST.tgz">Download
.tgz</a> <br>
<a
href="http://france.shorewall.net/pub/LATEST.lrp">Download
.lrp</a><br>
<a
href="http://france.shorewall.net/pub/LATEST.md5sums">Download
.md5sums<br>
</a><a href="http://france.shorewall.net/pub/LATEST.samples">Download
.samples</a><a
href="http://france.shorewall.net/pub/LATEST.md5sums"><br>
</a></td>
<td> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
<a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.md5sums">Download
.md5sums<br>
</a><a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.samples">Download
.samples</a><a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.md5sums"><br>
</a></td>
</tr>
<tr>
<td valign="middle">Washington State, USA<br>
</td>
<td valign="middle">Shorewall.net<br>
</td>
<td valign="top"><a
href="http://www.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br>
<a
href="http://www.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a
href="http://www.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a
href="http://www.shorewall.net/pub/shorewall/LATEST.md5sums">Download
.md5sums<br>
</a><a
href="http://www.shorewall.net/pub/shorewall/LATEST.samples">Download
.samples</a><br>
</td>
<td valign="top"><a
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.rpm" target="_blank">
Download .rpm</a> <br>
<a
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.tgz" target="_blank">Download
.tgz</a> <br>
<a
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.lrp" target="_blank">Download
.lrp</a><br>
<a target="_blank"
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.md5sums">Download
.md5sums<br>
</a><a
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.samples"
target="_blank">Download .samples</a><br>
</td>
</tr>
</tbody>
</table>
</blockquote>
<p><b>Browse Download Sites:</b></p>
<blockquote> <blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;"> <table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody> <tbody>
<tr> <tr>
<td><b>SERVER LOCATION</b></td> <td><b>SERVER LOCATION</b></td>
<td><b>DOMAIN</b></td> <td><b>DOMAIN</b></td>
<td><b>HTTP</b></td> <td><b>HTTP</b></td>
<td><b>FTP</b></td> <td><b>FTP</b></td>
</tr> </tr>
<tr> <tr>
<td>SourceForge<br> <td>SourceForge<br>
</td> </td>
<td>sf.net</td> <td>sf.net</td>
<td><a <td><a
href="http://sourceforge.net/project/showfiles.php?group_id=22587">Browse</a></td> href="http://sourceforge.net/project/showfiles.php?group_id=22587">Browse</a></td>
<td>N/A</td> <td>N/A</td>
</tr> </tr>
<tr> <tr>
<td>Slovak Republic</td> <td>Slovak Republic</td>
<td>Shorewall.net</td> <td>Shorewall.net</td>
<td><a <td><a
href="http://slovakia.shorewall.net/pub/shorewall/">Browse</a></td> href="http://slovakia.shorewall.net/pub/shorewall/">Browse</a></td>
<td> <a target="_blank" <td> <a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/">Browse</a></td> href="ftp://slovakia.shorewall.net/mirror/shorewall/">Browse</a></td>
</tr> </tr>
<tr> <tr>
<td>Texas, USA</td> <td>Texas, USA</td>
<td>Infohiiway.com</td> <td>Infohiiway.com</td>
<td><a <td><a
href="http://shorewall.infohiiway.com/pub/shorewall">Browse</a></td> href="http://shorewall.infohiiway.com/pub/shorewall">Browse</a></td>
<td><a target="_blank" <td><a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/">Browse</a></td> href="ftp://ftp.infohiiway.com/pub/shorewall/">Browse</a></td>
</tr> </tr>
<tr> <tr>
<td>Hamburg, Germany</td> <td>Hamburg, Germany</td>
<td>Shorewall.net</td> <td>Shorewall.net</td>
<td><a <td><a
href="http://germany.shorewall.net/pub/shorewall/">Browse</a></td> href="http://germany.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a target="_blank" <td><a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall">Browse</a></td> href="ftp://germany.shorewall.net/pub/shorewall">Browse</a></td>
</tr> </tr>
<tr> <tr>
<td>Martinez (Zona Norte - GBA), Argentina</td> <td>Martinez (Zona Norte - GBA), Argentina</td>
<td>Correofuego.com.ar</td> <td>Correofuego.com.ar</td>
<td><a <td><a
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall">Browse</a></td> href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall">Browse</a></td>
<td> <a target="_blank" <td> <a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall"> Browse</a></td> href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall"> Browse</a></td>
</tr> </tr>
<tr> <tr>
<td>France</td> <td>France</td>
<td>Shorewall.net</td> <td>Shorewall.net</td>
<td><a <td><a
href="http://france.shorewall.net/pub/shorewall/LATEST.lrp">Browse</a></td> href="http://france.shorewall.net/pub/shorewall/LATEST.lrp">Browse</a></td>
<td> <a target="_blank" <td> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/">Browse</a></td> href="ftp://france.shorewall.net/pub/mirrors/shorewall/">Browse</a></td>
</tr> </tr>
<tr> <tr>
<td>Washington State, USA</td> <td>Washington State, USA</td>
<td>Shorewall.net</td> <td>Shorewall.net</td>
<td><a <td><a
href="http://www.shorewall.net/pub/shorewall/">Browse</a></td> href="http://www.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a <td><a
href="ftp://ftp.shorewall.net/pub/shorewall/" target="_blank">Browse</a></td> href="ftp://ftp.shorewall.net/pub/shorewall/" target="_blank">Browse</a></td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
<p align="left"><b>CVS:</b></p> <p align="left"><b>CVS:</b></p>
<blockquote> <blockquote>
<p align="left">The <a target="_top" <p align="left">The <a target="_top"
href="http://cvs.shorewall.net/Shorewall_CVS_Access.html">CVS repository href="http://cvs.shorewall.net/Shorewall_CVS_Access.html">CVS repository
at cvs.shorewall.net</a> contains the latest snapshots of the each at cvs.shorewall.net</a> contains the latest snapshots of the each
Shorewall component. There's no guarantee that what you find there Shorewall component. There's no guarantee that what you find there
will work at all.<br> will work at all.<br>
</p> </p>
</blockquote> </blockquote>
<p align="left"><font size="2">Last Updated 3/6/2003 - <a <p align="left"><font size="2">Last Updated 3/24/2003 - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p> </p>
<br>
<br>
</body> </body>
</html> </html>

268
Shorewall-docs/errata.htm
View File

@ -2,19 +2,14 @@
<html> <html>
<head> <head>
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shorewall 1.4 Errata</title> <title>Shorewall 1.4 Errata</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
<meta name="author" content="Tom Eastep"> <meta name="author" content="Tom Eastep">
@ -24,15 +19,12 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1> <h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
@ -40,82 +32,100 @@
<p align="center"> <b><u>IMPORTANT</u></b></p> <p align="center"> <b><u>IMPORTANT</u></b></p>
<ol> <ol>
<li> <li>
<p align="left"> <b><u>I</u>f you use a Windows system to download <p align="left"> <b><u>I</u>f you use a Windows system to download
a corrected script, be sure to run the script through <u> a corrected script, be sure to run the script through <u>
<a href="http://www.megaloman.com/%7Ehany/software/hd2u/" <a href="http://www.megaloman.com/%7Ehany/software/hd2u/"
style="text-decoration: none;"> dos2unix</a></u> after you have moved style="text-decoration: none;"> dos2unix</a></u> after you have moved
it to your Linux system.</b></p> it to your Linux system.</b></p>
</li> </li>
<li> <li>
<p align="left"> <b>If you are installing Shorewall for the first <p align="left"> <b>If you are installing Shorewall for the first
time and plan to use the .tgz and install.sh script, you can untar time and plan to use the .tgz and install.sh script, you can untar
the archive, replace the 'firewall' script in the untarred directory the archive, replace the 'firewall' script in the untarred directory
with the one you downloaded below, and then run install.sh.</b></p> with the one you downloaded below, and then run install.sh.</b></p>
</li> </li>
<li> <li>
<p align="left"> <b>When the instructions say to install a corrected <p align="left"> <b>When the instructions say to install a corrected
firewall script in /usr/share/shorewall/firewall, you may firewall script in /usr/share/shorewall/firewall, you may
rename the existing file before copying in the new file.</b></p> rename the existing file before copying in the new file.</b></p>
</li> </li>
<li> <li>
<p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS <p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW.
For example, do NOT install the 1.3.9a firewall script if you are running For example, do NOT install the 1.3.9a firewall script if you are running
1.3.7c.</font></b><br> 1.3.7c.</font></b><br>
</p> </p>
</li> </li>
</ol> </ol>
<ul> <ul>
<li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li> <li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
<li><b><a href="#V1.4">Problems in Version 1.4</a></b><br> <li><b><a href="#V1.4">Problems in Version 1.4</a></b><br>
</li> </li>
<li> <b><a <li> <b><a
href="errata_3.html">Problems in Version 1.3</a></b></li> href="errata_3.html">Problems in Version 1.3</a></b></li>
<li> <b><a <li> <b><a
href="errata_2.htm">Problems in Version 1.2</a></b></li> href="errata_2.htm">Problems in Version 1.2</a></b></li>
<li> <b><font <li> <b><font
color="#660066"> <a href="errata_1.htm">Problems in Version 1.1</a></font></b></li> color="#660066"> <a href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
<li> <b><font <li> <b><font
color="#660066"><a href="#iptables"> Problem with iptables version 1.2.3 color="#660066"><a href="#iptables"> Problem with iptables version 1.2.3
on RH7.2</a></font></b></li> on RH7.2</a></font></b></li>
<li> <b><a <li> <b><a
href="#Debug">Problems with kernels &gt;= 2.4.18 and RedHat href="#Debug">Problems with kernels &gt;= 2.4.18 and RedHat
iptables</a></b></li> iptables</a></b></li>
<li><b><a href="#SuSE">Problems installing/upgrading <li><b><a href="#SuSE">Problems installing/upgrading
RPM on SuSE</a></b></li> RPM on SuSE</a></b></li>
<li><b><a href="#Multiport">Problems with iptables <li><b><a href="#Multiport">Problems with iptables
version 1.2.7 and MULTIPORT=Yes</a></b></li> version 1.2.7 and MULTIPORT=Yes</a></b></li>
<li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10 <li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10
and NAT</a></b><br> and NAT</a></b><br>
</li> </li>
</ul> </ul>
<hr> <hr>
<h2 align="left"><a name="V1.4"></a>Problems in Version 1.4</h2> <h2 align="left"><a name="V1.4"></a>Problems in Version 1.4</h2>
<h3></h3> <h3></h3>
<h3>1.4.0</h3> <h3>1.4.1a, 1.4.1 and 1.4.0</h3>
<ul> <ul>
<li>When running under certain shells Shorewall will attempt to create <li>Some TCP requests are rejected in the 'common' chain with an ICMP port-unreachable
ECN rules even when /etc/shorewall/ecn is empty. You may either just remove response rather than the more appropriate TCP RST response. This problem
/etc/shorewall/ecn or you can install <a is corrected in this updated common.def file which may be installed in /etc/shorewall/common.def.<br>
href="http://www.shorewall.net/pub/shorewall/errata/1.4.0/firewall">this
correct script</a> in /usr/share/shorewall/firewall as described above.<br>
</li> </li>
</ul> </ul>
<h3>1.4.1</h3>
<ul>
<li>When a "shorewall check" command is executed, each "rule" produces
the harmless additional message:<br>
<br>
     /usr/share/shorewall/firewall: line 2174: [: =: unary operator expected<br>
<br>
You may correct the problem by installing <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.1/firewall"
target="_top">this corrected script</a> in /usr/share/shorewall/firewall
as described above.<br>
</li>
</ul>
<h3>1.4.0</h3>
<ul>
<li>When running under certain shells Shorewall will attempt to create
ECN rules even when /etc/shorewall/ecn is empty. You may either just remove
/etc/shorewall/ecn or you can install <a
href="http://www.shorewall.net/pub/shorewall/errata/1.4.0/firewall">this
correct script</a> in /usr/share/shorewall/firewall as described above.<br>
</li>
</ul>
<hr width="100%" size="2"> <hr width="100%" size="2">
<h2 align="left"><a name="Upgrade"></a>Upgrade Issues</h2> <h2 align="left"><a name="Upgrade"></a>Upgrade Issues</h2>
@ -124,140 +134,122 @@ correct script</a> in /usr/share/shorewall/firewall as described above.<br>
<hr> <hr>
<h3 align="left"><a name="iptables"></a><font color="#660066"> Problem with <h3 align="left"><a name="iptables"></a><font color="#660066"> Problem with
iptables version 1.2.3</font></h3> iptables version 1.2.3</font></h3>
<blockquote> <blockquote>
<p align="left">There are a couple of serious bugs in iptables 1.2.3 that <p align="left">There are a couple of serious bugs in iptables 1.2.3 that
prevent it from working with Shorewall. Regrettably, prevent it from working with Shorewall. Regrettably,
RedHat released this buggy iptables in RedHat 7.2. </p> RedHat released this buggy iptables in RedHat 7.2. </p>
<p align="left"> I have built a <a <p align="left"> I have built a <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm"> href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
corrected 1.2.3 rpm which you can download here</a>  and I have corrected 1.2.3 rpm which you can download here</a>  and I have
also built an <a also built an <a
href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm"> href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
iptables-1.2.4 rpm which you can download here</a>. If you are currently iptables-1.2.4 rpm which you can download here</a>. If you are currently
running RedHat 7.1, you can install either of these RPMs running RedHat 7.1, you can install either of these RPMs
<b><u>before</u> </b>you upgrade to RedHat 7.2.</p> <b><u>before</u> </b>you upgrade to RedHat 7.2.</p>
<p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat <p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat
has released an iptables-1.2.4 RPM of their own which you can has released an iptables-1.2.4 RPM of their own which you can
download from<font color="#ff6633"> <a download from<font color="#ff6633"> <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>. href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
</font>I have installed this RPM on my firewall and it works </font>I have installed this RPM on my firewall and it works
fine.</p> fine.</p>
<p align="left">If you would like to patch iptables 1.2.3 yourself, <p align="left">If you would like to patch iptables 1.2.3 yourself,
the patches are available for download. This <a the patches are available for download. This <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a> href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
which corrects a problem with parsing of the --log-level specification which corrects a problem with parsing of the --log-level
while this <a specification while this <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a> href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
corrects a problem in handling the  TOS target.</p> corrects a problem in handling the  TOS target.</p>
<p align="left">To install one of the above patches:</p> <p align="left">To install one of the above patches:</p>
<ul> <ul>
<li>cd iptables-1.2.3/extensions</li> <li>cd iptables-1.2.3/extensions</li>
<li>patch -p0 &lt; <i>the-patch-file</i></li> <li>patch -p0 &lt; <i>the-patch-file</i></li>
</ul> </ul>
</blockquote> </blockquote>
<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18 and
<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18 RedHat iptables</h3>
and RedHat iptables</h3>
<blockquote> <blockquote>
<p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19 <p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19
may experience the following:</p> may experience the following:</p>
<blockquote> <blockquote>
<pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre> <pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre>
</blockquote> </blockquote>
<p>The RedHat iptables RPM is compiled with debugging enabled but the <p>The RedHat iptables RPM is compiled with debugging enabled but the
user-space debugging code was not updated to reflect recent changes in user-space debugging code was not updated to reflect recent changes in
the Netfilter 'mangle' table. You can correct the problem by the Netfilter 'mangle' table. You can correct the problem by
installing <a installing <a
href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm"> href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
this iptables RPM</a>. If you are already running a 1.2.5 version this iptables RPM</a>. If you are already running a 1.2.5
of iptables, you will need to specify the --oldpackage option version of iptables, you will need to specify the --oldpackage
to rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p> option to rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
</blockquote> </blockquote>
<h3><a name="SuSE"></a>Problems installing/upgrading <h3><a name="SuSE"></a>Problems installing/upgrading
RPM on SuSE</h3> RPM on SuSE</h3>
<p>If you find that rpm complains about a conflict
with kernel &lt;= 2.2 yet you have a 2.4 kernel
installed, simply use the "--nodeps" option to
rpm.</p>
<p>If you find that rpm complains about a conflict with kernel &lt;=
2.2 yet you have a 2.4 kernel installed, simply use the "--nodeps"
option to rpm.</p>
<p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p> <p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<p>Upgrading: rpm -Uvh --nodeps <i>&lt;shorewall rpm&gt;</i></p> <p>Upgrading: rpm -Uvh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<h3><a name="Multiport"></a><b>Problems with iptables version 1.2.7 and
MULTIPORT=Yes</b></h3>
<h3><a name="Multiport"></a><b>Problems with <p>The iptables 1.2.7 release of iptables has made an incompatible
iptables version 1.2.7 and MULTIPORT=Yes</b></h3> change to the syntax used to specify multiport match rules; as
a consequence, if you install iptables 1.2.7 you must be
running Shorewall 1.3.7a or later or:</p>
<p>The iptables 1.2.7 release of iptables has made
an incompatible change to the syntax used to
specify multiport match rules; as a consequence,
if you install iptables 1.2.7 you must be running
Shorewall 1.3.7a or later or:</p>
<ul> <ul>
<li>set MULTIPORT=No <li>set MULTIPORT=No
in /etc/shorewall/shorewall.conf; or </li> in /etc/shorewall/shorewall.conf; or
<li>if you are running </li>
Shorewall 1.3.6 you may install <li>if you are running
<a Shorewall 1.3.6 you may install
<a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
this firewall script</a> in /var/lib/shorewall/firewall this firewall script</a> in /var/lib/shorewall/firewall
as described above.</li> as described above.</li>
</ul> </ul>
<h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br> <h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br>
</h3> </h3>
/etc/shorewall/nat entries of the following form will result /etc/shorewall/nat entries of the following form will
in Shorewall being unable to start:<br> result in Shorewall being unable to start:<br>
<br> <br>
<pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22    eth0    192.168.9.22   yes     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre> <pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22    eth0    192.168.9.22   yes     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
Error message is:<br> Error message is:<br>
<pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre> <pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
The solution is to put "no" in the LOCAL column. Kernel The solution is to put "no" in the LOCAL column. Kernel
support for LOCAL=yes has never worked properly and 2.4.18-10 has support for LOCAL=yes has never worked properly and 2.4.18-10 has
disabled it. The 2.4.19 kernel contains corrected support under a new disabled it. The 2.4.19 kernel contains corrected support under a
kernel configuraiton option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br> new kernel configuraiton option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
<p><font size="2"> Last updated 3/21/2003 - <p><font size="2"> Last updated 3/25/2003 - <a href="support.htm">Tom Eastep</a></font>
<a href="support.htm">Tom Eastep</a></font> </p> </p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p> </p>
<br>
<br>
<br> <br>
<br> <br>
</body> </body>

BIN
Shorewall-docs/images/Thumbs.db
View File

Binary file not shown.

BIN
Shorewall-docs/images/ZoneDiagram.png
View File

Binary file not shown.

180
Shorewall-docs/mailing_list.htm
View File

@ -2,22 +2,16 @@
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Mailing Lists</title> <title>Shorewall Mailing Lists</title>
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
@ -25,109 +19,101 @@
<table height="90" bgcolor="#400169" id="AutoNumber1" width="100%" <table height="90" bgcolor="#400169" id="AutoNumber1" width="100%"
style="border-collapse: collapse;" cellspacing="0" cellpadding="0" style="border-collapse: collapse;" cellspacing="0" cellpadding="0"
border="0"> border="0">
<tbody> <tbody>
<tr> <tr>
<td width="33%" valign="middle" align="left"> <td width="33%" valign="middle" align="left">
<h1 align="center"><a <h1 align="center"><a
href="http://www.centralcommand.com/linux_products.html"><img href="http://www.centralcommand.com/linux_products.html"><img
src="images/Vexira_Antivirus_Logo.gif" alt="Vexira Logo" width="78" src="images/Vexira_Antivirus_Logo.gif" alt="Vexira Logo" width="78"
height="79" align="left"> height="79" align="left">
</a></h1> </a></h1>
<a
<a
href="http://www.gnu.org/software/mailman/mailman.html"> <img href="http://www.gnu.org/software/mailman/mailman.html"> <img
border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110" border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110"
height="35" alt=""> height="35" alt="">
</a> </a>
<p align="right"><font color="#ffffff"><b>  </b></font> </p> <p align="right"><font color="#ffffff"><b>  </b></font> </p>
</td> </td>
<td valign="middle" width="34%" align="center"> <td valign="middle" width="34%" align="center">
<h1 align="center"><font color="#ffffff">Shorewall Mailing Lists</font></h1> <h1 align="center"><font color="#ffffff">Shorewall Mailing Lists</font></h1>
</td> </td>
<td valign="middle" width="33%"> <a <td valign="middle" width="33%"> <a
href="http://www.postfix.org/"> <img href="http://www.postfix.org/"> <img
src="images/small-picture.gif" align="right" border="0" width="115" src="images/small-picture.gif" align="right" border="0" width="115"
height="45" alt="(Postfix Logo)"> height="45" alt="(Postfix Logo)">
</a><br> </a><br>
<div align="left"><a href="http://www.spamassassin.org"><img <div align="left"><a href="http://www.spamassassin.org"><img
src="images/ninjalogo.png" alt="" width="110" height="42" align="right" src="images/ninjalogo.png" alt="" width="110" height="42" align="right"
border="0"> border="0">
</a> </div> </a> </div>
<br> <br>
<div align="right"><br> <div align="right"><br>
<b><font color="#ffffff"><br> <b><font color="#ffffff"><br>
Powered by Postfix    </font></b><br> Powered by Postfix    </font></b><br>
</div> </div>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<h1>REPORTING A PROBLEM OR ASKING FOR HELP? If you haven't already, please <h1>REPORTING A PROBLEM OR ASKING FOR HELP? If you haven't already, please
read the <a href="http://www.shorewall.net/support.htm">Shorewall Support read the <a href="http://www.shorewall.net/support.htm">Shorewall Support
Guide</a>.<br> Guide</a>.<br>
</h1> </h1>
<p align="left">If you experience problems with any of these lists, please <p align="left">If you experience problems with any of these lists, please
let <a href="mailto:teastep@shorewall.net">me</a> know</p> let <a href="mailto:teastep@shorewall.net">me</a> know</p>
<h2 align="left">Not able to Post Mail to shorewall.net?</h2> <h2 align="left">Not able to Post Mail to shorewall.net?</h2>
<p align="left">You can report such problems by sending mail to tom dot eastep <p align="left">You can report such problems by sending mail to tmeastep
at hp dot com.</p> at hotmail dot com.</p>
<h2>A Word about SPAM Filters <a href="http://ordb.org"></a><a <h2>A Word about SPAM Filters <a href="http://ordb.org"></a><a
href="http://osirusoft.com/"> </a></h2> href="http://osirusoft.com/"> </a></h2>
<p>Before subscribing please read my <a href="spam_filters.htm">policy <p>Before subscribing please read my <a href="spam_filters.htm">policy
about list traffic that bounces.</a> Also please note that the mail server about list traffic that bounces.</a> Also please note that the mail server
at shorewall.net checks incoming mail:<br> at shorewall.net checks incoming mail:<br>
</p> </p>
<ol> <ol>
<li>against <a href="http://spamassassin.org">Spamassassin</a> <li>against <a href="http://spamassassin.org">Spamassassin</a>
(including <a href="http://razor.sourceforge.net/">Vipul's Razor</a>).<br> (including <a href="http://razor.sourceforge.net/">Vipul's Razor</a>).<br>
</li> </li>
<li>to ensure that the sender address is fully qualified.</li> <li>to ensure that the sender address is fully qualified.</li>
<li>to verify that the sender's domain has an A or MX <li>to verify that the sender's domain has an A or MX
record in DNS.</li> record in DNS.</li>
<li>to ensure that the host name in the HELO/EHLO command <li>to ensure that the host name in the HELO/EHLO command
is a valid fully-qualified DNS name that resolves.</li> is a valid fully-qualified DNS name that resolves.</li>
</ol> </ol>
<h2>Please post in plain text</h2> <h2>Please post in plain text</h2>
A growing number of MTAs serving list subscribers are rejecting A growing number of MTAs serving list subscribers are rejecting
all HTML traffic. At least one MTA has gone so far as to blacklist shorewall.net all HTML traffic. At least one MTA has gone so far as to blacklist shorewall.net
"for continuous abuse" because it has been my policy to allow HTML in "for continuous abuse" because it has been my policy to allow HTML in
list posts!!<br> list posts!!<br>
<br> <br>
I think that blocking all HTML is a Draconian way to control I think that blocking all HTML is a Draconian way to control
spam and that the ultimate losers here are not the spammers but the spam and that the ultimate losers here are not the spammers but the list
list subscribers whose MTAs are bouncing all shorewall.net mail. As subscribers whose MTAs are bouncing all shorewall.net mail. As one list
one list subscriber wrote to me privately "These e-mail admin's need to subscriber wrote to me privately "These e-mail admin's need to get a <i>(explitive
get a <i>(explitive deleted)</i> life instead of trying to rid the planet deleted)</i> life instead of trying to rid the planet of HTML based e-mail".
of HTML based e-mail". Nevertheless, to allow subscribers to receive list Nevertheless, to allow subscribers to receive list posts as must as possible,
posts as must as possible, I have now configured the list server at shorewall.net I have now configured the list server at shorewall.net to strip all HTML
to strip all HTML from outgoing posts. This means that HTML-only posts from outgoing posts. This means that HTML-only posts will be bounced by
will be bounced by the list server.<br> the list server.<br>
<p align="left"> <b>Note: </b>The list server limits posts to 120kb.<br> <p align="left"> <b>Note: </b>The list server limits posts to 120kb.<br>
</p> </p>
<h2>Other Mail Delivery Problems</h2> <h2>Other Mail Delivery Problems</h2>
If you find that you are missing an occasional list post, your If you find that you are missing an occasional list post, your
e-mail admin may be blocking mail whose <i>Received:</i> headers contain e-mail admin may be blocking mail whose <i>Received:</i> headers contain
the names of certain ISPs. Again, I believe that such policies hurt more the names of certain ISPs. Again, I believe that such policies hurt more
than they help but I'm not prepared to go so far as to start stripping <i>Received:</i> than they help but I'm not prepared to go so far as to start stripping <i>Received:</i>
@ -138,20 +124,17 @@ than they help but I'm not prepared to go so far as to start stripping <i>Recei
<form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch"> <form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch">
<p> <font size="-1"> Match: <p> <font size="-1"> Match:
<select name="method"> <select name="method">
<option value="and">All </option> <option value="and">All </option>
<option value="or">Any </option> <option value="or">Any </option>
<option value="boolean">Boolean </option> <option value="boolean">Boolean </option>
</select> </select>
Format: Format:
<select name="format"> <select name="format">
<option value="builtin-long">Long </option> <option value="builtin-long">Long </option>
<option value="builtin-short">Short </option> <option value="builtin-short">Short </option>
</select> </select>
Sort by: Sort by:
<select name="sort"> <select name="sort">
<option value="score">Score </option> <option value="score">Score </option>
<option value="time">Time </option> <option value="time">Time </option>
@ -160,22 +143,21 @@ than they help but I'm not prepared to go so far as to start stripping <i>Recei
<option value="revtime">Reverse Time </option> <option value="revtime">Reverse Time </option>
<option value="revtitle">Reverse Title </option> <option value="revtitle">Reverse Title </option>
</select> </select>
</font> <input type="hidden" name="config" </font> <input type="hidden" name="config"
value="htdig"> <input type="hidden" name="restrict" value="htdig"> <input type="hidden" name="restrict"
value="[http://lists.shorewall.net/pipermail/.*]"> <input type="hidden" value="[http://lists.shorewall.net/pipermail/.*]"> <input type="hidden"
name="exclude" value=""> <br> name="exclude" value=""> <br>
Search: <input type="text" size="30" name="words" Search: <input type="text" size="30" name="words"
value=""> <input type="submit" value="Search"> </p> value=""> <input type="submit" value="Search"> </p>
</form> </form>
<h2 align="left"><font color="#ff0000">Please do not try to download the
<h2 align="left"><font color="#ff0000">Please do not try to download the entire entire Archive -- it is 75MB (and growing daily) and my slow DSL line simply
Archive -- it is 75MB (and growing daily) and my slow DSL line simply won't won't stand the traffic. If I catch you, you will be blacklisted.<br>
stand the traffic. If I catch you, you will be blacklisted.<br> </font></h2>
</font></h2>
<h2 align="left">Shorewall CA Certificate</h2> <h2 align="left">Shorewall CA Certificate</h2>
If you want to trust X.509 certificates issued by Shoreline If you want to trust X.509 certificates issued by Shoreline
Firewall (such as the one used on my web site), you may <a Firewall (such as the one used on my web site), you may <a
href="Shorewall_CA_html.html">download and install my CA certificate</a> href="Shorewall_CA_html.html">download and install my CA certificate</a>
in your browser. If you don't wish to trust my certificates then in your browser. If you don't wish to trust my certificates then
@ -195,12 +177,12 @@ stand the traffic. If I catch you, you will be blacklisted.<br>
guidelines</a>.</b></p> guidelines</a>.</b></p>
<p align="left">To subscribe to the mailing list:<br> <p align="left">To subscribe to the mailing list:<br>
</p> </p>
<ul> <ul>
<li><b>Insecure: </b><a <li><b>Insecure: </b><a
href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a></li> href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a></li>
<li><b>SSL:</b> <a <li><b>SSL:</b> <a
href="https://lists.shorewall.net/mailman/listinfo/shorewall-users" href="https://lists.shorewall.net/mailman/listinfo/shorewall-users"
target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-users</a></li> target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-users</a></li>
@ -212,30 +194,30 @@ stand the traffic. If I catch you, you will be blacklisted.<br>
<p align="left">The list archives are at <a <p align="left">The list archives are at <a
href="http://lists.shorewall.net/pipermail/shorewall-users/index.html">http://lists.shorewall.net/pipermail/shorewall-users</a>.</p> href="http://lists.shorewall.net/pipermail/shorewall-users/index.html">http://lists.shorewall.net/pipermail/shorewall-users</a>.</p>
<p align="left">Note that prior to 1/1/2002, the mailing list was hosted <p align="left">Note that prior to 1/1/2002, the mailing list was hosted at
at <a href="http://sourceforge.net">Sourceforge</a>. The archives from that <a href="http://sourceforge.net">Sourceforge</a>. The archives from that list
list may be found at <a may be found at <a
href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p> href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p>
<h2 align="left">Shorewall Announce Mailing List</h2> <h2 align="left">Shorewall Announce Mailing List</h2>
<p align="left">This list is for announcements of general interest to the <p align="left">This list is for announcements of general interest to the
Shorewall community. To subscribe:<br> Shorewall community. To subscribe:<br>
</p> </p>
<p align="left"></p> <p align="left"></p>
<ul> <ul>
<li><b>Insecure:</b> <a <li><b>Insecure:</b> <a
href="http://lists.shorewall.net/mailman/listinfo/shorewall-announce">http://lists.shorewall.net/mailman/listinfo/shorewall-announce</a></li> href="http://lists.shorewall.net/mailman/listinfo/shorewall-announce">http://lists.shorewall.net/mailman/listinfo/shorewall-announce</a></li>
<li><b>SSL</b>: <a <li><b>SSL</b>: <a
href="https://lists.shorewall.net/mailman/listinfo/shorewall-announce" href="https://lists.shorewall.net/mailman/listinfo/shorewall-announce"
target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-announce.</a></li> target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-announce.</a></li>
</ul> </ul>
<p align="left"><br> <p align="left"><br>
The list archives are at <a The list archives are at <a
href="http://lists.shorewall.net/pipermail/shorewall-announce">http://lists.shorewall.net/pipermail/shorewall-announce</a>.</p> href="http://lists.shorewall.net/pipermail/shorewall-announce">http://lists.shorewall.net/pipermail/shorewall-announce</a>.</p>
<h2 align="left">Shorewall Development Mailing List</h2> <h2 align="left">Shorewall Development Mailing List</h2>
@ -245,12 +227,12 @@ list may be found at <a
ongoing Shorewall Development.</p> ongoing Shorewall Development.</p>
<p align="left">To subscribe to the mailing list:<br> <p align="left">To subscribe to the mailing list:<br>
</p> </p>
<ul> <ul>
<li><b>Insecure: </b><a <li><b>Insecure: </b><a
href="http://lists.shorewall.net/mailman/listinfo/shorewall-devel">http://lists.shorewall.net/mailman/listinfo/shorewall-devel</a></li> href="http://lists.shorewall.net/mailman/listinfo/shorewall-devel">http://lists.shorewall.net/mailman/listinfo/shorewall-devel</a></li>
<li><b>SSL:</b> <a <li><b>SSL:</b> <a
href="https://lists.shorewall.net/mailman/listinfo/shorewall-devel" href="https://lists.shorewall.net/mailman/listinfo/shorewall-devel"
target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-devel.</a></li> target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-devel.</a></li>
@ -270,26 +252,23 @@ list may be found at <a
to make this less confusing. To unsubscribe:</p> to make this less confusing. To unsubscribe:</p>
<ul> <ul>
<li> <li>
<p align="left">Follow the same link above that you used to subscribe <p align="left">Follow the same link above that you used to subscribe
to the list.</p> to the list.</p>
</li> </li>
<li> <li>
<p align="left">Down at the bottom of that page is the following text: <p align="left">Down at the bottom of that page is the following text:
" To <b>unsubscribe</b> from <i>&lt;list name&gt;</i>, get a " To <b>unsubscribe</b> from <i>&lt;list name&gt;</i>, get a password
password reminder, or change your subscription options enter reminder, or change your subscription options enter your subscription
your subscription email address:". Enter your email address email address:". Enter your email address in the box and
in the box and click on the "<b>Unsubscribe</b> or edit options" button.</p> click on the "<b>Unsubscribe</b> or edit options" button.</p>
</li> </li>
<li> <li>
<p align="left">There will now be a box where you can enter your password <p align="left">There will now be a box where you can enter your password
and click on "Unsubscribe"; if you have forgotten your password, and click on "Unsubscribe"; if you have forgotten your password,
there is another button that will cause your password to be emailed there is another button that will cause your password to be emailed
to you.</p> to you.</p>
</li> </li>
</ul> </ul>
@ -298,12 +277,13 @@ your subscription email address:". Enter your email address
<p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p> <p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p>
<p align="left"><font size="2">Last updated 2/24/2003 - <a <p align="left"><font size="2">Last updated 3/24/2003 - <a
href="http://www.shorewall.net/support.htm">Tom Eastep</a></font></p> href="http://www.shorewall.net/support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"> <font size="2">Copyright</font> © <p align="left"><a href="copyright.htm"> <font size="2">Copyright</font>
<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p> </p>
<br>
<br> <br>
<br> <br>
<br> <br>

464
Shorewall-docs/seattlefirewall_index.htm
View File

@ -2,385 +2,267 @@
<html> <html>
<head> <head>
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.4</title> <title>Shoreline Firewall (Shorewall) 1.4</title>
<base
target="_self">
<base target="_self">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="4" <table border="0" cellpadding="0" cellspacing="4"
style="border-collapse: collapse;" width="100%" id="AutoNumber3" style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody>
<tbody> <tr>
<td
<tr> width="100%" height="90">
<td width="100%"
height="90">
<h1 align="center"> <font size="4"><i> <a <h1 align="center"> <font size="4"><i> <a
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4" href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4"
alt="Shorwall Logo" height="70" width="85" align="left" alt="Shorwall Logo" height="70" width="85" align="left"
src="images/washington.jpg" border="0"> src="images/washington.jpg" border="0">
</a></i></font><a
</a></i></font><a
href="http://www.shorewall.net" target="_top"><img border="1" href="http://www.shorewall.net" target="_top"><img border="1"
src="images/shorewall.jpg" width="119" height="38" hspace="4" src="images/shorewall.jpg" width="119" height="38" hspace="4"
alt="(Shorewall Logo)" align="right" vspace="4"> alt="(Shorewall Logo)" align="right" vspace="4">
</a></h1> </a></h1>
<small><small><small><small><a <small><small><small><small><a
href="http://www.shorewall.net" target="_top"> </a></small></small></small></small> href="http://www.shorewall.net" target="_top"> </a></small></small></small></small>
<div align="center"> <div align="center">
<h1><font color="#ffffff">Shorewall 1.4</font><i><font <h1><font color="#ffffff">             Shorewall 1.4</font><i><font
color="#ffffff"> <small><small><small>"iptables made easy" </small></small></small></font></i></h1> color="#ffffff"> <small><small><small>"iptables made easy"</small></small></small></font></i><a
</div> href="1.3" target="_top"><font color="#ffffff"><br>
<small><small><small><small>Shorewall 1.3 Site is here</small></small></small></small></font></a><a
href="http://www1.shorewall.net/1.2/index.htm"><font color="#ffffff"><br>
<small><small><small><small>Shorewall 1.2 Site is here</small></small></small></small></font></a><br>
<p><a href="http://www.shorewall.net" target="_top">
</a> </p>
<div align="center"><a href="1.3" target="_top"><font
color="#ffffff">Shorewall 1.3 Site is here</font></a>
<br>
</div>
</td>
</tr>
</h1>
</div>
<p><a href="http://www.shorewall.net" target="_top"> </a> </p>
</td>
</tr>
</tbody> </tbody>
</table> </table>
<div align="center"> <div align="center">
<center> <center>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"> style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody>
<tbody> <tr>
<td
<tr> width="90%">
<td width="90%">
<h2 align="left">What is it?</h2> <h2 align="left">What is it?</h2>
<p>The Shoreline Firewall, more commonly known as "Shorewall", is <p>The Shoreline Firewall, more commonly known as "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
firewall that can be used on a dedicated firewall system, a multi-function firewall that can be used on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system.</p> gateway/router/server or on a standalone GNU/Linux system.</p>
<p>This program is free software; you can redistribute it and/or modify <p>This program is free software; you can redistribute it and/or modify
it under the it under
terms of <a href="http://www.gnu.org/licenses/gpl.html">Version the terms of <a
2 of the GNU General Public License</a> as published by the Free href="http://www.gnu.org/licenses/gpl.html">Version 2 of the
Software Foundation.<br> GNU General Public License</a> as published by the Free Software
Foundation.<br>
<br> <br>
This program
This program is distributed is distributed in the hope that it will
in the hope that it will be useful, but be useful, but WITHOUT ANY WARRANTY; without
WITHOUT ANY WARRANTY; without even the implied even the implied warranty of MERCHANTABILITY
warranty of MERCHANTABILITY or FITNESS FOR or FITNESS FOR A PARTICULAR PURPOSE. See the
A PARTICULAR PURPOSE. See the GNU General Public GNU General Public License for more details.<br>
License for more details.<br> <br>
You should have
<br> received a copy of the GNU General Public
License along with this program; if
You should have received not, write to the Free Software Foundation,
a copy of the GNU General Public License Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
along with this program; if not, write
to the Free Software Foundation, Inc., 675
Mass Ave, Cambridge, MA 02139, USA</p>
<p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p> <p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img <p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36"> border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques Nilo
</a>Jacques and Eric Wolzak have a LEAF (router/firewall/gateway
Nilo and Eric Wolzak have a LEAF (router/firewall/gateway on a floppy, CD or compact flash) distribution
on a floppy, CD or compact flash) distribution called <i>Bering</i> that features
called <i>Bering</i> that features Shorewall-1.3.14 and Kernel-2.4.20. You can
Shorewall-1.3.14 and Kernel-2.4.20. You can find find their work at: <a
their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br> href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
</a></p> </a></p>
<p><b>Congratulations to Jacques and Eric on the recent release of <p><b>Congratulations to Jacques and Eric on the recent release of
Bering 1.1!!! </b><br> Bering 1.1!!! </b><br>
</p> </p>
<h2>This is a mirror of the main Shorewall web site at SourceForge <h2>This is a mirror of the main Shorewall web site at SourceForge
(<a href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2> (<a href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
<h2>News</h2> <h2>News</h2>
<p><b>3/24/2003 - Shorewall 1.4.1 </b><b> </b><b><img <p><b>4/12/2002 - Greater Seattle Linux Users Group Presentation </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)"> border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p> </b></p>
This release follows up on 1.4.0. It corrects a problem introduced in 1.4.0
and removes additional warts.<br>
<br>
<b>Problems Corrected:</b><br>
<ol> <blockquote>This morning, I gave <a href="GSLUG.htm" target="_top">a
<li>When Shorewall 1.4.0 is run under the ash shell (such as on Shorewall presentation to GSLUG</a>. The presentation is in HTML format
Bering/LEAF), it can attempt to add ECN disabling rules even if the /etc/shorewall/ecn but was generated from Microsoft PowerPoint and is best viewed using Internet
file is empty. That problem has been corrected so that ECN disabling rules Explorer although Konqueror also seems to work reasonably well. Neither Opera
are only added if there are entries in /etc/shorewall/ecn.</li> or Netscape work well to view the presentation.<br>
</blockquote>
</ol> <p><b>4/9/2003 - Shorewall 1.4.2</b><b> </b><b> </b><b><img
<b>New Features:</b><br> border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b><br>
</p>
<blockquote>Note: In the list that follows, the term <i>group </i>refers <p><b>    Problems Corrected:</b></p>
to a particular network or subnetwork (which may be 0.0.0.0/0 or it may
be a host address) accessed through a particular interface. Examples:<br>
<blockquote>eth0:0.0.0.0/0<br> <blockquote>
eth2:192.168.1.0/24<br> <ol>
eth3:192.0.2.123<br> <li>TCP connection requests rejected out of the <b>common</b>
</blockquote> chain are now properly rejected with TCP RST; previously, some of these
You can use the "shorewall check" command to see the groups associated requests were rejected with an ICMP port-unreachable response.</li>
with each of your zones.<br> <li>'traceroute -I' from behind the firewall previously timed
</blockquote> out on the first hop (e.g., to the firewall). This has been worked around.</li>
<ol> </ol>
<li>Beginning with Shorewall 1.4.1, if a zone Z comprises more </blockquote>
than one group<i> </i>then if there is no explicit Z to Z policy and there
are no rules governing traffic from Z to Z then Shorewall will permit all
traffic between the groups in the zone.</li>
<li>Beginning with Shorewall 1.4.1, Shorewall will never create
rules to handle traffic from a group to itself.</li>
<li>A NONE policy is introduced in 1.4.1. When a policy of NONE
is specified from Z1 to Z2:</li>
</ol> <p><b>    New Features:</b></p>
<ul> <blockquote>
<li>There may be no rules created that govern connections from <ol>
Z1 to Z2.</li> <li>Where an entry in the/etc/shorewall/hosts file specifies
<li>Shorewall will not create any infrastructure to handle traffic a particular host or network, Shorewall now creates an intermediate chain
from Z1 to Z2.</li> for handling input from the related zone. This can substantially reduce the
number of rules traversed by connections requests from such zones.<br>
<br>
</li>
<li>Any file may include an INCLUDE directive. An INCLUDE directive
consists of the word INCLUDE followed by a file name and causes the contents
of the named file to be logically included into the file containing the INCLUDE.
File names given in an INCLUDE directive are assumed to reside in /etc/shorewall
or in an alternate configuration directory if one has been specified for
the command. <br>
 <br>
   Examples:<br>
   shorewall/params.mgmt:<br>
   MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3<br>
   TIME_SERVERS=4.4.4.4<br>
   BACKUP_SERVERS=5.5.5.5<br>
   ----- end params.mgmt -----<br>
 <br>
 <br>
   shorewall/params:<br>
   # Shorewall 1.3 /etc/shorewall/params<br>
   [..]<br>
   #######################################<br>
 <br>
   INCLUDE params.mgmt    <br>
  <br>
   # params unique to this host here<br>
   #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE<br>
   ----- end params -----<br>
 <br>
 <br>
   shorewall/rules.mgmt:<br>
   ACCEPT net:$MGMT_SERVERS          $FW    tcp    22<br>
   ACCEPT $FW          net:$TIME_SERVERS    udp    123<br>
   ACCEPT $FW          net:$BACKUP_SERVERS  tcp    22<br>
   ----- end rules.mgmt -----<br>
 <br>
   shorewall/rules:<br>
   # Shorewall version 1.3 - Rules File<br>
   [..]<br>
   #######################################<br>
 <br>
   INCLUDE rules.mgmt     <br>
  <br>
   # rules unique to this host here<br>
   #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE<br>
   ----- end rules -----<br>
 <br>
INCLUDE's may be nested to a level of 3 -- further nested INCLUDE directives
are ignored with a warning message.<br>
<br>
</li>
<li>Routing traffic from an interface back out that interface
continues to be a problem. While I firmly believe that this should never
happen, people continue to want to do it. To limit the damage that such
nonsense produces, I have added a new 'routeback' option in /etc/shorewall/interfaces
and /etc/shorewall/hosts. When used in /etc/shorewall/interfaces, the 'ZONE'
column may not contain '-'; in other words, 'routeback' can't be used as
an option for a multi-zone interface. The 'routeback' option CAN be specified
however on individual group entries in /etc/shorewall/hosts.<br>
 <br>
The 'routeback' option is similar to the old 'multi' option with two
exceptions:<br>
 <br>
   a) The option pertains to a particular zone,interface,address tuple.<br>
 <br>
   b) The option only created infrastructure to pass traffic from (zone,interface,address)
tuples back to themselves (the 'multi' option affected all (zone,interface,address)
tuples associated with the given 'interface').<br>
 <br>
See the '<a href="upgrade_issues.htm">Upgrade Issues</a>' for information
about how this new option may affect your configuration.<br>
</li>
</ul> </ol>
See the <a href="upgrade_issues.htm">upgrade issues</a> for a discussion </blockquote>
of how these changes may affect your configuration.<br>
<p><b></b></p>
<p><a href="News.htm">More News</a></p> <p><a href="News.htm">More News</a></p>
<h2><a name="Donations"></a>Donations</h2> <h2><a name="Donations"></a>Donations</h2>
</td>
<td
</td> width="88" bgcolor="#4b017c" valign="top" align="center"> <br>
</td>
<td width="88" </tr>
bgcolor="#4b017c" valign="top" align="center"> <br>
</td>
</tr>
</tbody> </tbody>
</table> </table>
</center>
</center> </div>
</div>
<table border="0" cellpadding="5" cellspacing="0" <table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2" style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody>
<tbody> <tr>
<td width="100%"
<tr>
<td width="100%"
style="margin-top: 1px;"> style="margin-top: 1px;">
<p align="center"><a href="http://www.starlight.org"> <img <p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left" border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10"> hspace="10">
</a></p>
</a></p>
<p align="center"><font size="4" color="#ffffff">Shorewall is free <p align="center"><font size="4" color="#ffffff">Shorewall is free
but if you try it and find it useful, please consider making a donation but if you try it and find it useful, please consider making a donation
to <a to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight href="http://www.starlight.org"><font color="#ffffff">Starlight Children's
Children's Foundation.</font></a> Thanks!</font></p> Foundation.</font></a> Thanks!</font></p>
</td>
</td> </tr>
</tr>
</tbody> </tbody>
</table> </table>
<p><font size="2">Updated 4/12/2003 - <a href="support.htm">Tom Eastep</a></font>
<br>
<p><font size="2">Updated 3/21/2003 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p> </p>
<br> <br>
<br> <br>
<br> <br>
<br>
</body> </body>
</html> </html>

280
Shorewall-docs/shorewall_quickstart_guide.htm
View File

@ -2,22 +2,16 @@
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shorewall QuickStart Guide</title> <title>Shorewall QuickStart Guide</title>
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
@ -25,25 +19,22 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall QuickStart Guides <h1 align="center"><font color="#ffffff">Shorewall QuickStart Guides
(HOWTO's)<br> (HOWTO's)<br>
Version 4.0</font></h1> Version 4.0</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p align="center">With thanks to Richard who reminded me once again that <p align="center">With thanks to Richard who reminded me once again that we
we must all first walk before we can run.<br> must all first walk before we can run.<br>
The French Translations are courtesy of Patrice Vetsel<br> The French Translations are courtesy of Patrice Vetsel<br>
</p> </p>
<h2>The Guides</h2> <h2>The Guides</h2>
@ -53,12 +44,12 @@ we must all first walk before we can run.<br>
<p>The following guides are for <b>users who have a single public IP address</b>:</p> <p>The following guides are for <b>users who have a single public IP address</b>:</p>
<ul> <ul>
<li><a href="standalone.htm">Standalone</a> Linux <li><a href="standalone.htm">Standalone</a> Linux
System (<a href="standalone_fr.html">Version Française</a>)</li> System (<a href="standalone_fr.html">Version Française</a>)</li>
<li><a href="two-interface.htm">Two-interface</a> <li><a href="two-interface.htm">Two-interface</a>
Linux System acting as a firewall/router for a small local network Linux System acting as a firewall/router for a small local network
(<a href="two-interface_fr.html">Version Française</a>)</li> (<a href="two-interface_fr.html">Version Française</a>)</li>
<li><a href="three-interface.htm">Three-interface</a> <li><a href="three-interface.htm">Three-interface</a>
Linux System acting as a firewall/router for a small local network Linux System acting as a firewall/router for a small local network
and a DMZ. (<a href="three-interface_fr.html">Version Française</a>)</li> and a DMZ. (<a href="three-interface_fr.html">Version Française</a>)</li>
@ -73,80 +64,68 @@ we must all first walk before we can run.<br>
Shorewall than is explained in the single-address guides above.</b></p> Shorewall than is explained in the single-address guides above.</b></p>
<ul> <ul>
<li><a <li><a
href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a></li> href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a></li>
<li><a <li><a
href="shorewall_setup_guide.htm#Concepts">2.0 Shorewall Concepts</a></li> href="shorewall_setup_guide.htm#Concepts">2.0 Shorewall Concepts</a></li>
<li><a <li><a
href="shorewall_setup_guide.htm#Interfaces">3.0 Network Interfaces</a></li> href="shorewall_setup_guide.htm#Interfaces">3.0 Network Interfaces</a></li>
<li><a <li><a
href="shorewall_setup_guide.htm#Addressing">4.0 Addressing, Subnets href="shorewall_setup_guide.htm#Addressing">4.0 Addressing, Subnets
and Routing</a> and Routing</a>
<ul> <ul>
<li><a <li><a
href="shorewall_setup_guide.htm#Addresses">4.1 IP Addresses</a></li> href="shorewall_setup_guide.htm#Addresses">4.1 IP Addresses</a></li>
<li><a <li><a
href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li> href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
<li><a <li><a
href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li> href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li>
<li><a href="shorewall_setup_guide.htm#ARP">4.4 <li><a href="shorewall_setup_guide.htm#ARP">4.4
Address Resolution Protocol</a></li> Address Resolution Protocol</a></li>
</ul> </ul>
<ul> <ul>
<li><a <li><a
href="shorewall_setup_guide.htm#RFC1918">4.5 RFC 1918</a></li> href="shorewall_setup_guide.htm#RFC1918">4.5 RFC 1918</a></li>
</ul> </ul>
</li> </li>
<li><a href="shorewall_setup_guide.htm#Options">5.0 <li><a
Setting up your Network</a> href="shorewall_setup_guide.htm#Options">5.0 Setting up your Network</a>
<ul> <ul>
<li><a <li><a
href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li> href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li>
</ul> </ul>
<ul> <ul>
<li><a <li><a
href="shorewall_setup_guide.htm#NonRouted">5.2 Non-routed</a> href="shorewall_setup_guide.htm#NonRouted">5.2 Non-routed</a>
<ul> <ul>
<li><a <li><a
href="shorewall_setup_guide.htm#SNAT">5.2.1 SNAT</a></li> href="shorewall_setup_guide.htm#SNAT">5.2.1 SNAT</a></li>
<li><a <li><a
href="shorewall_setup_guide.htm#DNAT">5.2.2 DNAT</a></li> href="shorewall_setup_guide.htm#DNAT">5.2.2 DNAT</a></li>
<li><a <li><a
href="shorewall_setup_guide.htm#ProxyARP">5.2.3 Proxy ARP</a></li> href="shorewall_setup_guide.htm#ProxyARP">5.2.3 Proxy ARP</a></li>
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4 <li><a
Static NAT</a></li> href="shorewall_setup_guide.htm#NAT">5.2.4 Static NAT</a></li>
</ul> </ul>
</li> </li>
<li><a href="shorewall_setup_guide.htm#Rules">5.3 <li><a
Rules</a></li> href="shorewall_setup_guide.htm#Rules">5.3 Rules</a></li>
<li><a <li><a
href="shorewall_setup_guide.htm#OddsAndEnds">5.4 Odds and Ends</a></li> href="shorewall_setup_guide.htm#OddsAndEnds">5.4 Odds and Ends</a></li>
</ul> </ul>
</li> </li>
<li><a href="shorewall_setup_guide.htm#DNS">6.0 <li><a href="shorewall_setup_guide.htm#DNS">6.0
DNS</a></li> DNS</a></li>
<li><a <li><a
href="shorewall_setup_guide.htm#StartingAndStopping">7.0 Starting and href="shorewall_setup_guide.htm#StartingAndStopping">7.0 Starting and
Stopping the Firewall</a></li> Stopping the Firewall</a></li>
@ -160,150 +139,138 @@ DNS</a></li>
trying to use this documentation directly.</p> trying to use this documentation directly.</p>
<ul> <ul>
<li><a <li><a
href="Shorewall_and_Aliased_Interfaces.html">Aliased (virtual) Interfaces href="Shorewall_and_Aliased_Interfaces.html">Aliased (virtual) Interfaces
(e.g., eth0:0)</a><br> (e.g., eth0:0)</a><br>
</li> </li>
<li><a href="blacklisting_support.htm">Blacklisting</a> <li><a href="blacklisting_support.htm">Blacklisting</a>
<ul> <ul>
<li>Static Blacklisting using /etc/shorewall/blacklist</li> <li>Static Blacklisting using /etc/shorewall/blacklist</li>
<li>Dynamic Blacklisting using /sbin/shorewall</li> <li>Dynamic Blacklisting using /sbin/shorewall</li>
</ul> </ul>
</li> </li>
<li><a href="configuration_file_basics.htm">Common <li><a href="configuration_file_basics.htm">Common
configuration file features</a> configuration file features</a>
<ul> <ul>
<li><a <li><a
href="configuration_file_basics.htm#Comments">Comments in configuration href="configuration_file_basics.htm#Comments">Comments in configuration
files</a></li> files</a></li>
<li><a <li><a
href="configuration_file_basics.htm#Continuation">Line Continuation</a></li> href="configuration_file_basics.htm#Continuation">Line Continuation</a></li>
<li><a <li><a
href="configuration_file_basics.htm#Ports">Port Numbers/Service Names</a></li> href="configuration_file_basics.htm#Ports">Port Numbers/Service Names</a></li>
<li><a <li><a
href="configuration_file_basics.htm#Ranges">Port Ranges</a></li> href="configuration_file_basics.htm#Ranges">Port Ranges</a></li>
<li><a <li><a
href="configuration_file_basics.htm#Variables">Using Shell Variables</a></li> href="configuration_file_basics.htm#Variables">Using Shell Variables</a></li>
<li><a <li><a
href="configuration_file_basics.htm#dnsnames">Using DNS Names</a><br> href="configuration_file_basics.htm#dnsnames">Using DNS Names</a><br>
</li> </li>
<li><a <li><a
href="configuration_file_basics.htm#Compliment">Complementing an IP address href="configuration_file_basics.htm#Compliment">Complementing an IP address
or Subnet</a></li> or Subnet</a></li>
<li><a <li><a
href="configuration_file_basics.htm#Configs">Shorewall Configurations (making href="configuration_file_basics.htm#Configs">Shorewall Configurations
a test configuration)</a></li> (making a test configuration)</a></li>
<li><a <li><a
href="configuration_file_basics.htm#MAC">Using MAC Addresses in Shorewall</a></li> href="configuration_file_basics.htm#MAC">Using MAC Addresses in Shorewall</a></li>
</ul> </ul>
</li> </li>
<li><a href="Documentation.htm">Configuration File <li><a href="Documentation.htm">Configuration File
Reference Manual</a> Reference Manual</a>
<ul> <ul>
<li> <a href="Documentation.htm#Variables">params</a></li> <li> <a href="Documentation.htm#Variables">params</a></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="Documentation.htm#Zones">zones</a></font></li> href="Documentation.htm#Zones">zones</a></font></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="Documentation.htm#Interfaces">interfaces</a></font></li> href="Documentation.htm#Interfaces">interfaces</a></font></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="Documentation.htm#Hosts">hosts</a></font></li> href="Documentation.htm#Hosts">hosts</a></font></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="Documentation.htm#Policy">policy</a></font></li> href="Documentation.htm#Policy">policy</a></font></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="Documentation.htm#Rules">rules</a></font></li> href="Documentation.htm#Rules">rules</a></font></li>
<li><a href="Documentation.htm#Common">common</a></li> <li><a href="Documentation.htm#Common">common</a></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="Documentation.htm#Masq">masq</a></font></li> href="Documentation.htm#Masq">masq</a></font></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="Documentation.htm#ProxyArp">proxyarp</a></font></li> href="Documentation.htm#ProxyArp">proxyarp</a></font></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="Documentation.htm#NAT">nat</a></font></li> href="Documentation.htm#NAT">nat</a></font></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="Documentation.htm#Tunnels">tunnels</a></font></li> href="Documentation.htm#Tunnels">tunnels</a></font></li>
<li><a href="traffic_shaping.htm#tcrules">tcrules</a></li> <li><a href="traffic_shaping.htm#tcrules">tcrules</a></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="Documentation.htm#Conf">shorewall.conf</a></font></li> href="Documentation.htm#Conf">shorewall.conf</a></font></li>
<li><a href="Documentation.htm#modules">modules</a></li> <li><a href="Documentation.htm#modules">modules</a></li>
<li><a href="Documentation.htm#TOS">tos</a> </li> <li><a href="Documentation.htm#TOS">tos</a> </li>
<li><a href="Documentation.htm#Blacklist">blacklist</a></li> <li><a href="Documentation.htm#Blacklist">blacklist</a></li>
<li><a href="Documentation.htm#rfc1918">rfc1918</a></li> <li><a href="Documentation.htm#rfc1918">rfc1918</a></li>
<li><a href="Documentation.htm#Routestopped">routestopped</a></li> <li><a href="Documentation.htm#Routestopped">routestopped</a></li>
</ul> </ul>
</li> </li>
<li><a href="dhcp.htm">DHCP</a></li> <li><a href="dhcp.htm">DHCP</a></li>
<li><font color="#000099"><a <li><a href="ECN.html">ECN Disabling by host or
href="shorewall_extension_scripts.htm">Extension Scripts</a></font> (How subnet</a><br>
to extend Shorewall without modifying Shorewall code through the use of </li>
files in /etc/shorewall -- /etc/shorewall/start, /etc/shorewall/stopped, <li><font color="#000099"><a href="shorewall_extension_scripts.htm">Extension
etc.)</li> Scripts</a></font> (How to extend Shorewall without modifying Shorewall
<li><a href="fallback.htm">Fallback/Uninstall</a></li> code through the use of files in /etc/shorewall -- /etc/shorewall/start,
<li><a href="shorewall_firewall_structure.htm">Firewall /etc/shorewall/stopped, etc.)</li>
<li><a href="fallback.htm">Fallback/Uninstall</a></li>
<li><a href="shorewall_firewall_structure.htm">Firewall
Structure</a></li> Structure</a></li>
<li><font color="#000099"><a href="kernel.htm">Kernel <li><font color="#000099"><a href="kernel.htm">Kernel
Configuration</a></font></li> Configuration</a></font></li>
<li><a href="shorewall_logging.html">Logging</a><br> <li><a href="shorewall_logging.html">Logging</a><br>
</li>
<li><a href="MAC_Validation.html">MAC Verification</a><br>
</li>
<li><a href="myfiles.htm">My Shorewall Configuration
(How I personally use Shorewall)</a><br>
</li>
<li><a href="ping.html">'Ping' Management</a><br>
</li> </li>
<li><a href="ports.htm">Port Information</a> <li><a href="MAC_Validation.html">MAC Verification</a><br>
</li>
<li><a href="myfiles.htm">My Shorewall Configuration
(How I personally use Shorewall)</a><br>
</li>
<li><a href="ping.html">'Ping' Management</a><br>
</li>
<li><a href="ports.htm">Port Information</a>
<ul> <ul>
<li>Which applications use which ports</li> <li>Which applications use which ports</li>
<li>Ports used by Trojans</li> <li>Ports used by Trojans</li>
</ul> </ul>
</li> </li>
<li><a href="ProxyARP.htm">Proxy ARP</a></li> <li><a href="ProxyARP.htm">Proxy ARP</a></li>
<li><a href="samba.htm">Samba</a></li> <li><a href="samba.htm">Samba</a></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="starting_and_stopping_shorewall.htm">Starting/stopping the Firewall</a></font></li> href="starting_and_stopping_shorewall.htm">Starting/stopping the Firewall</a></font></li>
<ul> <ul>
<li>Description of all /sbin/shorewall commands</li> <li>Description of all /sbin/shorewall commands</li>
<li>How to safely test a Shorewall configuration change<br> <li>How to safely test a Shorewall configuration change<br>
</li> </li>
</ul> </ul>
<li><font color="#000099"><a href="NAT.htm">Static <li><font color="#000099"><a href="NAT.htm">Static
NAT</a></font></li> NAT</a></font></li>
<li><a href="Shorewall_Squid_Usage.html">Squid as a Transparent <li><a href="Shorewall_Squid_Usage.html">Squid as a Transparent
Proxy with Shorewall</a><br> Proxy with Shorewall</a><br>
</li> </li>
<li><a href="traffic_shaping.htm">Traffic Shaping/QOS</a></li> <li><a href="traffic_shaping.htm">Traffic Shaping/QOS</a></li>
<li>VPN <li>VPN
<ul> <ul>
<li><a href="IPSEC.htm">IPSEC</a></li> <li><a href="IPSEC.htm">IPSEC</a></li>
<li><a href="IPIP.htm">GRE and IPIP</a></li> <li><a href="IPIP.htm">GRE and IPIP</a></li>
<li><a href="OPENVPN.html">OpenVPN</a><br> <li><a href="OPENVPN.html">OpenVPN</a><br>
</li> </li>
<li><a href="PPTP.htm">PPTP</a></li> <li><a href="PPTP.htm">PPTP</a></li>
<li><a href="VPN.htm">IPSEC/PPTP</a> from a system <li><a href="VPN.htm">IPSEC/PPTP</a> from a system
behind your firewall to a remote network.</li> behind your firewall to a remote network.</li>
</ul> </ul>
</li> </li>
<li><a href="whitelisting_under_shorewall.htm">White <li><a href="whitelisting_under_shorewall.htm">White
List Creation</a></li> List Creation</a></li>
</ul> </ul>
@ -311,11 +278,12 @@ Proxy with Shorewall</a><br>
<p>If you use one of these guides and have a suggestion for improvement <a <p>If you use one of these guides and have a suggestion for improvement <a
href="mailto:webmaster@shorewall.net">please let me know</a>.</p> href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
<p><font size="2">Last modified 3/12/2003 - <a href="support.htm">Tom Eastep</a></font></p> <p><font size="2">Last modified 4/112003 - <a href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright 2002, 2003 Thomas M. <p><a href="copyright.htm"><font size="2">Copyright 2002, 2003 Thomas M.
Eastep</font></a><br> Eastep</font></a><br>
</p> </p>
<br>
<br> <br>
</body> </body>
</html> </html>

444
Shorewall-docs/sourceforge_index.htm
View File

@ -1,321 +1,281 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.3</title> <title>Shoreline Firewall (Shorewall) 1.3</title>
<base target="_self"> <base
target="_self">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="4" <table border="0" cellpadding="0" cellspacing="4"
style="border-collapse: collapse;" width="100%" id="AutoNumber3" style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody>
<tbody> <tr>
<td
<tr> width="100%" height="90">
<td width="100%"
height="90">
<h1 align="center"> <font size="4"><i> <a <h1 align="center"> <font size="4"><i> <a
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4" href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4"
alt="Shorwall Logo" height="70" width="85" align="left" alt="Shorwall Logo" height="70" width="85" align="left"
src="images/washington.jpg" border="0"> src="images/washington.jpg" border="0">
</a></i></font><font
</a></i></font><font
color="#ffffff">Shorewall 1.4 - <font color="#ffffff">Shorewall 1.4 - <font
size="4">"<i>iptables made easy"</i></font></font><a size="4">"<i>iptables made easy"</i></font></font><br>
href="http://www.sf.net"> </a></h1> <a target="_top" href="1.3/index.html"><font color="#ffffff">
<small><small><small>Shorewall 1.3 Site here</small></small></small></font></a><br>
<a target="_top"
href="http://www1.shorewall.net/1.2/index.htm"><font color="#ffffff"><small><small><small>Shorewall
1.2 Site here<br>
</small></small></small></font></a>
<div align="center"><a href="/1.3/index.html" target="_top"><font
color="#ffffff">Shorewall 1.3 Site here</font></a></div>
</td>
</tr>
</h1>
</td>
</tr>
</tbody> </tbody>
</table> </table>
<div align="center"> <div align="center">
<center> <center>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"> style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody>
<tbody> <tr>
<td
<tr> width="90%">
<td width="90%">
<h2 align="left">What is it?</h2> <h2 align="left">What is it?</h2>
<p>The Shoreline Firewall, more commonly known as  "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a> (iptables)
based firewall that can be used on a dedicated firewall
system, a multi-function gateway/router/server or on a standalone
GNU/Linux system.</p>
<p>This program is free software; you can redistribute it and/or modify
it under the
terms of <a href="http://www.gnu.org/licenses/gpl.html">Version
2 of the GNU General Public License</a> as published by the Free
Software Foundation.<br>
<br> <p>The Shoreline Firewall, more commonly known as "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a>
(iptables) based firewall that can be used on a dedicated
firewall system, a multi-function gateway/router/server
or on a standalone GNU/Linux system.</p>
This program is distributed
in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied
warranty of MERCHANTABILITY or FITNESS FOR
A PARTICULAR PURPOSE. See the GNU General Public
License for more details.<br>
<br> <p>This program is free software; you can redistribute it and/or modify
it under
the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the
GNU General Public License</a> as published by the Free Software
Foundation.<br>
<br>
This program
is distributed in the hope that it will
be useful, but WITHOUT ANY WARRANTY; without
even the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.<br>
<br>
You should
have received a copy of the GNU General
Public License along with this program;
if not, write to the Free Software Foundation,
Inc., 675 Mass Ave, Cambridge, MA 02139,
USA</p>
You should have received
a copy of the GNU General Public License
along with this program; if not, write
to the Free Software Foundation, Inc., 675
Mass Ave, Cambridge, MA 02139, USA</p>
<p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p> <p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img <p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36"> border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques
</a>Jacques Nilo and Eric Wolzak have a LEAF (router/firewall/gateway
Nilo and Eric Wolzak have a LEAF (router/firewall/gateway on a floppy, CD or compact flash) distribution
on a floppy, CD or compact flash) distribution called <i>Bering</i> that features
called <i>Bering</i> that features Shorewall-1.3.14 and Kernel-2.4.20. You can
Shorewall-1.3.14 and Kernel-2.4.20. You can find find their work at: <a
their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p> href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
<b>Congratulations <b>Congratulations
to Jacques and Eric on the recent release of Bering to Jacques and Eric on the recent release of Bering
1.1!!! <br> 1.1!!! <br>
<h2>News</h2> </b>
<p><b>3/24/2003 - Shorewall 1.4.1 </b><b> </b><b><img <h2><b>News</b></h2>
<b> </b>
<p><b>4/12/2002 - Greater Seattle Linux Users Group Presentation </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)"> border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
 </b></p> </b></p>
<p>This release follows up on 1.4.0. It corrects a problem introduced <blockquote> This morning, I gave <a href="GSLUG.htm"
in 1.4.0 and removes additional warts.<br> target="_top">a Shorewall presentation to GSLUG</a>. The presentation
<br> is in HTML format but was generated from Microsoft PowerPoint and is best
<b>Problems Corrected:</b><br> viewed using Internet Explorer although Konqueror also seems to work reasonably
</p> well. Neither Opera or Netscape work well to view the presentation.</blockquote>
<ol>
<li>When Shorewall 1.4.0 is run under the ash shell (such as on Bering/LEAF),
it can attempt to add ECN disabling rules even if the /etc/shorewall/ecn file
is empty. That problem has been corrected so that ECN disabling rules are
only added if there are entries in /etc/shorewall/ecn.</li>
</ol>
<b>New Features:</b><br>
<blockquote>Note: In the list that follows, the term <i>group </i>refers <p><b>4/9/2003 - Shorewall 1.4.2</b><b> </b><b> </b><b><img
to a particular network or subnetwork (which may be 0.0.0.0/0 or it may be border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
a host address) accessed through a particular interface. Examples:<br> </b><br>
</p>
<blockquote>eth0:0.0.0.0/0<br> <p><b>    Problems Corrected:</b></p>
eth2:192.168.1.0/24<br>
eth3:192.0.2.123<br>
</blockquote>
You can use the "shorewall check" command to see the groups associated with
each of your zones.<br>
</blockquote>
<ol> <blockquote>
<li>Beginning with Shorewall 1.4.1, if a zone Z comprises more than <ol>
one group<i> </i>then if there is no explicit Z to Z policy and there are <li>TCP connection requests rejected out of the <b>common</b>
no rules governing traffic from Z to Z then Shorewall will permit all traffic chain are now properly rejected with TCP RST; previously, some of these requests
between the groups in the zone.</li> were rejected with an ICMP port-unreachable response.</li>
<li>Beginning with Shorewall 1.4.1, Shorewall will never create rules <li>'traceroute -I' from behind the firewall previously timed
to handle traffic from a group to itself.</li> out on the first hop (e.g., to the firewall). This has been worked around.</li>
<li>A NONE policy is introduced in 1.4.1. When a policy of NONE is
specified from Z1 to Z2:</li>
</ol>
<ul> </ol>
<li>There may be no rules created that govern connections from Z1 </blockquote>
to Z2.</li>
<li>Shorewall will not create any infrastructure to handle traffic
from Z1 to Z2.</li>
</ul>
See the <a href="upgrade_issues.htm">upgrade issues</a> for a discussion
of how these changes may affect your configuration.
<p><a href="News.htm">More News</a></p>
<p><b>    New Features:</b></p>
<blockquote>
<ol>
<li>Where an entry in the/etc/shorewall/hosts file specifies
a particular host or network, Shorewall now creates an intermediate chain
for handling input from the related zone. This can substantially reduce
the number of rules traversed by connections requests from such zones.<br>
<br>
</li>
<li>Any file may include an INCLUDE directive. An INCLUDE directive
consists of the word INCLUDE followed by a file name and causes the contents
of the named file to be logically included into the file containing the
INCLUDE. File names given in an INCLUDE directive are assumed to reside
in /etc/shorewall or in an alternate configuration directory if one has
been specified for the command. <br>
 <br>
   Examples:<br>
   shorewall/params.mgmt:<br>
   MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3<br>
   TIME_SERVERS=4.4.4.4<br>
   BACKUP_SERVERS=5.5.5.5<br>
   ----- end params.mgmt -----<br>
 <br>
 <br>
   shorewall/params:<br>
   # Shorewall 1.3 /etc/shorewall/params<br>
   [..]<br>
   #######################################<br>
 <br>
   INCLUDE params.mgmt    <br>
  <br>
   # params unique to this host here<br>
   #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE<br>
   ----- end params -----<br>
 <br>
 <br>
   shorewall/rules.mgmt:<br>
   ACCEPT net:$MGMT_SERVERS          $FW    tcp    22<br>
   ACCEPT $FW          net:$TIME_SERVERS    udp    123<br>
   ACCEPT $FW          net:$BACKUP_SERVERS  tcp    22<br>
   ----- end rules.mgmt -----<br>
 <br>
   shorewall/rules:<br>
   # Shorewall version 1.3 - Rules File<br>
   [..]<br>
   #######################################<br>
 <br>
   INCLUDE rules.mgmt     <br>
  <br>
   # rules unique to this host here<br>
   #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE<br>
   ----- end rules -----<br>
 <br>
INCLUDE's may be nested to a level of 3 -- further nested INCLUDE directives
are ignored with a warning message.<br>
<br>
</li>
<li>Routing traffic from an interface back out that interface
continues to be a problem. While I firmly believe that this should never
happen, people continue to want to do it. To limit the damage that such
nonsense produces, I have added a new 'routeback' option in /etc/shorewall/interfaces
and /etc/shorewall/hosts. When used in /etc/shorewall/interfaces, the 'ZONE'
column may not contain '-'; in other words, 'routeback' can't be used as
an option for a multi-zone interface. The 'routeback' option CAN be specified
however on individual group entries in /etc/shorewall/hosts.<br>
 <br>
The 'routeback' option is similar to the old 'multi' option with two
exceptions:<br>
 <br>
   a) The option pertains to a particular zone,interface,address tuple.<br>
 <br>
   b) The option only created infrastructure to pass traffic from (zone,interface,address)
tuples back to themselves (the 'multi' option affected all (zone,interface,address)
tuples associated with the given 'interface').<br>
 <br>
See the '<a href="upgrade_issues.htm">Upgrade Issues</a>' for information
about how this new option may affect your configuration.<br>
</li>
</ol>
</blockquote>
<p><a href="file:///Z:/Shorewall-docs/News.htm"></a></p>
<b> </b>
<p><b><a href="News.htm">More News</a></b></p>
<b> </b>
<h2><b> </b></h2>
<b> </b>
<h1 align="center"><b><a href="http://www.sf.net"><img
align="left" alt="SourceForge Logo"
<h2> </h2>
<h1 align="center"><a href="http://www.sf.net"><img align="left"
alt="SourceForge Logo"
src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3"> src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3">
</a></h1>
<h4> </h4>
<h2>This site is hosted by the generous folks at <a
href="http://www.sf.net">SourceForge.net</a> </h2>
<h2><a name="Donations"></a>Donations</h2>
</td>
<td width="88"
bgcolor="#4b017c" valign="top" align="center"> <br>
</td>
</tr>
</a></b></h1>
<b> </b>
<h4><b> </b></h4>
<b> </b>
<h2><b>This site is hosted by the generous folks at <a
href="http://www.sf.net">SourceForge.net</a> </b></h2>
<b> </b>
<h2><b><a name="Donations"></a>Donations</b></h2>
<b> </b></td>
<td
width="88" bgcolor="#4b017c" valign="top" align="center"> <br>
</td>
</tr>
</tbody> </tbody>
</table> </table>
</center>
</center> </div>
</div>
<table border="0" cellpadding="5" cellspacing="0" <table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2" style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody>
<tbody> <tr>
<td
<tr> width="100%" style="margin-top: 1px;">
<td width="100%"
style="margin-top: 1px;">
<p align="center"><a href="http://www.starlight.org"> <img <p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left" border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10"> hspace="10">
</a></p>
</a></p>
<p align="center"><font size="4" color="#ffffff">Shorewall is free <p align="center"><font size="4" color="#ffffff">Shorewall is free
but if you try it and find it useful, please consider making a donation but if you try it and find it useful, please consider making a donation
to <a to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight href="http://www.starlight.org"><font color="#ffffff">Starlight Children's
Children's Foundation.</font></a> Thanks!</font></p> Foundation.</font></a> Thanks!</font></p>
</td>
</td> </tr>
</tr>
</tbody> </tbody>
</table> </table>
<p><font size="2">Updated 4/12/2003 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
<p><font size="2">Updated 3/21/2003 - <a href="support.htm">Tom Eastep</a></font> <br>
<br>
<br>
</p>
<br> <br>
<br> <br>
</body> </body>

362
Shorewall-docs/standalone.htm
View File

@ -17,12 +17,12 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber6" bgcolor="#400169" height="90"> id="AutoNumber6" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Standalone Firewall</font></h1> <h1 align="center"><font color="#ffffff">Standalone Firewall</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
@ -37,9 +37,9 @@
in one of its most common configurations:</p> in one of its most common configurations:</p>
<ul> <ul>
<li>Linux system</li> <li>Linux system</li>
<li>Single external IP address</li> <li>Single external IP address</li>
<li>Connection through Cable Modem, DSL, ISDN, Frame Relay, dial-up...</li> <li>Connection through Cable Modem, DSL, ISDN, Frame Relay, dial-up...</li>
</ul> </ul>
@ -55,19 +55,19 @@
with what's involved then go back through it again making your configuration with what's involved then go back through it again making your configuration
changes.  Points at which configuration changes are recommended are flagged changes.  Points at which configuration changes are recommended are flagged
with <img border="0" src="images/BD21298_.gif" width="13" height="13"> with <img border="0" src="images/BD21298_.gif" width="13" height="13">
.</p> .</p>
<p><img border="0" src="images/j0213519.gif" width="60" height="60"> <p><img border="0" src="images/j0213519.gif" width="60" height="60">
    If you edit your configuration files on a Windows system, you     If you edit your configuration files on a Windows system, you
must save them as Unix files if your editor supports that option or you must save them as Unix files if your editor supports that option or you
must run them through dos2unix before trying to use them. Similarly, if must run them through dos2unix before trying to use them. Similarly, if
you copy a configuration file from your Windows hard drive to a floppy you copy a configuration file from your Windows hard drive to a floppy disk,
disk, you must run dos2unix against the copy before using it with Shorewall.</p> you must run dos2unix against the copy before using it with Shorewall.</p>
<ul> <ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
of dos2unix</a></li> of dos2unix</a></li>
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux <li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
Version of dos2unix</a></li> Version of dos2unix</a></li>
</ul> </ul>
@ -76,34 +76,34 @@ disk, you must run dos2unix against the copy before using it with Shorewall.</p
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13" <p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
alt=""> alt="">
    The configuration files for Shorewall are contained in the directory     The configuration files for Shorewall are contained in the directory
/etc/shorewall -- for simple setups, you only need to deal with a few /etc/shorewall -- for simple setups, you only need to deal with a few of
of these as described in this guide. After you have <a these as described in this guide. After you have <a
href="Install.htm">installed Shorewall</a>, <b>download the <a href="Install.htm">installed Shorewall</a>, <b>download the <a
href="/pub/shorewall/LATEST.samples/one-interface.tgz">one-interface sample</a>, href="http://www.shorewall.net/pub/shorewall/LATEST.samples/one-interface.tgz">one-interface
un-tar it (tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewall sample</a>, un-tar it (tar -zxvf one-interface.tgz) and and copy the files
(they will replace files with the same names that were placed in /etc/shorewall to /etc/shorewall (they will replace files with the same names that were
during Shorewall installation)</b>.</p> placed in /etc/shorewall during Shorewall installation)</b>.</p>
<p>As each file is introduced, I suggest that you look through the actual <p>As each file is introduced, I suggest that you look through the actual
file on your system -- each file contains detailed configuration instructions file on your system -- each file contains detailed configuration instructions
and default entries.</p> and default entries.</p>
<p>Shorewall views the network where it is running as being composed of a <p>Shorewall views the network where it is running as being composed of a
set of <i>zones.</i> In the one-interface sample configuration, only set of <i>zones.</i> In the one-interface sample configuration, only one
one zone is defined:</p> zone is defined:</p>
<table border="0" style="border-collapse: collapse;" cellpadding="3" <table border="0" style="border-collapse: collapse;" cellpadding="3"
cellspacing="0" id="AutoNumber2"> cellspacing="0" id="AutoNumber2">
<tbody> <tbody>
<tr>
<td><u><b>Name</b></u></td>
<td><u><b>Description</b></u></td>
</tr>
<tr> <tr>
<td><u><b>Name</b></u></td> <td><b>net</b></td>
<td><u><b>Description</b></u></td> <td><b>The Internet</b></td>
</tr> </tr>
<tr>
<td><b>net</b></td>
<td><b>The Internet</b></td>
</tr>
</tbody> </tbody>
</table> </table>
@ -117,10 +117,10 @@ one zone is defined:</p>
in terms of zones.</p> in terms of zones.</p>
<ul> <ul>
<li>You express your default policy for connections from one zone <li>You express your default policy for connections from one zone
to another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy to another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
</a>file.</li> </a>file.</li>
<li>You define exceptions to those default policies in the <a <li>You define exceptions to those default policies in the <a
href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li> href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
</ul> </ul>
@ -132,54 +132,54 @@ one zone is defined:</p>
the request is first checked against the rules in /etc/shorewall/common the request is first checked against the rules in /etc/shorewall/common
(the samples provide that file for you).</p> (the samples provide that file for you).</p>
<p>The /etc/shorewall/policy file included with the one-interface sample <p>The /etc/shorewall/policy file included with the one-interface sample has
has the following policies:</p> the following policies:</p>
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber3"> id="AutoNumber3">
<tbody> <tbody>
<tr>
<td><u><b>SOURCE ZONE</b></u></td>
<td><u><b>DESTINATION ZONE</b></u></td>
<td><u><b>POLICY</b></u></td>
<td><u><b>LOG LEVEL</b></u></td>
<td><u><b>LIMIT:BURST</b></u></td>
</tr>
<tr> <tr>
<td><u><b>SOURCE ZONE</b></u></td> <td>fw</td>
<td><u><b>DESTINATION ZONE</b></u></td> <td>net</td>
<td><u><b>POLICY</b></u></td> <td>ACCEPT</td>
<td><u><b>LOG LEVEL</b></u></td> <td> </td>
<td><u><b>LIMIT:BURST</b></u></td> <td> </td>
</tr> </tr>
<tr> <tr>
<td>fw</td> <td>net</td>
<td>net</td> <td>all<br>
<td>ACCEPT</td> </td>
<td> </td> <td>DROP</td>
<td> </td> <td>info</td>
</tr> <td> </td>
<tr> </tr>
<td>net</td> <tr>
<td>all<br> <td>all</td>
</td> <td>all</td>
<td>DROP</td> <td>REJECT</td>
<td>info</td> <td>info</td>
<td> </td> <td> </td>
</tr> </tr>
<tr>
<td>all</td>
<td>all</td>
<td>REJECT</td>
<td>info</td>
<td> </td>
</tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
<p>The above policy will:</p> <p>The above policy will:</p>
<ol> <ol>
<li>allow all connection requests from the firewall to the internet</li> <li>allow all connection requests from the firewall to the internet</li>
<li>drop (ignore) all connection requests from the internet to your <li>drop (ignore) all connection requests from the internet to
firewall</li> your firewall</li>
<li>reject all other connection requests (Shorewall requires this <li>reject all other connection requests (Shorewall requires this
catchall policy).</li> catchall policy).</li>
</ol> </ol>
@ -191,38 +191,38 @@ has the following policies:</p>
<p align="left">The firewall has a single network interface. Where Internet <p align="left">The firewall has a single network interface. Where Internet
connectivity is through a cable or DSL "Modem", the <i>External Interface</i> connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
will be the ethernet adapter (<b>eth0</b>) that is connected to that will be the ethernet adapter (<b>eth0</b>) that is connected to that "Modem" 
"Modem"  <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol
<u>P</u>rotocol over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling
<u>T</u>unneling <u>P</u>rotocol </i>(PPTP) in which case the External <u>P</u>rotocol </i>(PPTP) in which case the External Interface will be
Interface will be a <b>ppp0</b>. If you connect via a regular modem, your a <b>ppp0</b>. If you connect via a regular modem, your External Interface
External Interface will also be <b>ppp0</b>. If you connect using ISDN, will also be <b>ppp0</b>. If you connect using ISDN, your external interface
your external interface will be<b> ippp0.</b></p> will be<b> ippp0.</b></p>
<p align="left"><img border="0" src="images/BD21298_3.gif" width="13" <p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
height="13"> height="13">
    The Shorewall one-interface sample configuration assumes that     The Shorewall one-interface sample configuration assumes that the
the external interface is <b>eth0</b>. If your configuration is different, external interface is <b>eth0</b>. If your configuration is different,
you will have to modify the sample /etc/shorewall/interfaces file accordingly. you will have to modify the sample /etc/shorewall/interfaces file accordingly.
While you are there, you may wish to review the list of options that While you are there, you may wish to review the list of options that are
are specified for the interface. Some hints:</p> specified for the interface. Some hints:</p>
<ul> <ul>
<li> <li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>, <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>,
you can replace the "detect" in the second column with "-". </p> you can replace the "detect" in the second column with "-". </p>
</li> </li>
<li> <li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b> <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>
or if you have a static IP address, you can remove "dhcp" from the or if you have a static IP address, you can remove "dhcp" from the option
option list. </p> list. </p>
</li> </li>
</ul> </ul>
<div align="left"> <div align="left">
<h2 align="left">IP Addresses</h2> <h2 align="left">IP Addresses</h2>
</div> </div>
<div align="left"> <div align="left">
<p align="left">RFC 1918 reserves several <i>Private </i>IP address ranges <p align="left">RFC 1918 reserves several <i>Private </i>IP address ranges
@ -230,7 +230,7 @@ option list. </p>
<div align="left"> <div align="left">
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre> <pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
</div> </div>
<p align="left">These addresses are sometimes referred to as <i>non-routable</i> <p align="left">These addresses are sometimes referred to as <i>non-routable</i>
because the Internet backbone routers will not forward a packet whose because the Internet backbone routers will not forward a packet whose
@ -240,157 +240,158 @@ option list. </p>
<p align="left"><img border="0" src="images/BD21298_.gif" align="left" <p align="left"><img border="0" src="images/BD21298_.gif" align="left"
width="13" height="13"> width="13" height="13">
     Before starting Shorewall, you should look at the IP address      Before starting Shorewall, you should look at the IP address
of your external interface and if it is one of the above ranges, you of your external interface and if it is one of the above ranges, you
should remove the 'norfc1918' option from the entry in /etc/shorewall/interfaces.</p> should remove the 'norfc1918' option from the entry in /etc/shorewall/interfaces.</p>
</div> </div>
<div align="left"> <div align="left">
<h2 align="left">Enabling other Connections</h2> <h2 align="left">Enabling other Connections</h2>
</div> </div>
<div align="left"> <div align="left">
<p align="left">If you wish to enable connections from the internet to your <p align="left">If you wish to enable connections from the internet to your
firewall, the general format is:</p> firewall, the general format is:</p>
</div> </div>
<div align="left"> <div align="left">
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber4"> id="AutoNumber4">
<tbody> <tbody>
<tr>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr>
<tr> <tr>
<td>ACCEPT</td> <td><u><b>ACTION</b></u></td>
<td>net</td> <td><u><b>SOURCE</b></u></td>
<td>fw</td> <td><u><b>DESTINATION</b></u></td>
<td><i>&lt;protocol&gt;</i></td> <td><u><b>PROTOCOL</b></u></td>
<td><i>&lt;port&gt;</i></td> <td><u><b>PORT</b></u></td>
<td> </td> <td><u><b>SOURCE PORT</b></u></td>
<td> </td> <td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr> </tr>
<tr>
<td>ACCEPT</td>
<td>net</td>
<td>fw</td>
<td><i>&lt;protocol&gt;</i></td>
<td><i>&lt;port&gt;</i></td>
<td> </td>
<td> </td>
</tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
</div> </div>
<div align="left"> <div align="left">
<p align="left">Example - You want to run a Web Server and a POP3 Server <p align="left">Example - You want to run a Web Server and a POP3 Server on
on your firewall system:</p> your firewall system:</p>
</div> </div>
<div align="left"> <div align="left">
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber5"> id="AutoNumber5">
<tbody> <tbody>
<tr>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr>
<tr> <tr>
<td>ACCEPT</td> <td><u><b>ACTION</b></u></td>
<td>net</td> <td><u><b>SOURCE</b></u></td>
<td>fw</td> <td><u><b>DESTINATION</b></u></td>
<td>tcp</td> <td><u><b>PROTOCOL</b></u></td>
<td>80</td> <td><u><b>PORT</b></u></td>
<td> </td> <td><u><b>SOURCE PORT</b></u></td>
<td> </td> <td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr> </tr>
<tr> <tr>
<td>ACCEPT</td> <td>ACCEPT</td>
<td>net</td> <td>net</td>
<td>fw</td> <td>fw</td>
<td>tcp</td> <td>tcp</td>
<td>110</td> <td>80</td>
<td> </td> <td> </td>
<td> </td> <td> </td>
</tr> </tr>
<tr>
<td>ACCEPT</td>
<td>net</td>
<td>fw</td>
<td>tcp</td>
<td>110</td>
<td> </td>
<td> </td>
</tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
</div> </div>
<div align="left"> <div align="left">
<p align="left">If you don't know what port and protocol a particular <p align="left">If you don't know what port and protocol a particular application
application uses, see <a href="ports.htm">here</a>.</p> uses, see <a href="ports.htm">here</a>.</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left"><b>Important: </b>I don't recommend enabling telnet to/from <p align="left"><b>Important: </b>I don't recommend enabling telnet to/from
the internet because it uses clear text (even for login!). If you want the internet because it uses clear text (even for login!). If you want
shell access to your firewall from the internet, use SSH:</p> shell access to your firewall from the internet, use SSH:</p>
</div> </div>
<div align="left"> <div align="left">
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber4"> id="AutoNumber4">
<tbody> <tbody>
<tr>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr>
<tr> <tr>
<td>ACCEPT</td> <td><u><b>ACTION</b></u></td>
<td>net</td> <td><u><b>SOURCE</b></u></td>
<td>fw</td> <td><u><b>DESTINATION</b></u></td>
<td>tcp</td> <td><u><b>PROTOCOL</b></u></td>
<td>22</td> <td><u><b>PORT</b></u></td>
<td> </td> <td><u><b>SOURCE PORT</b></u></td>
<td> </td> <td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr> </tr>
<tr>
<td>ACCEPT</td>
<td>net</td>
<td>fw</td>
<td>tcp</td>
<td>22</td>
<td> </td>
<td> </td>
</tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
</div> </div>
<div align="left"> <div align="left">
<p align="left"><img border="0" src="images/BD21298_3.gif" width="13" <p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
height="13"> height="13">
    At this point, edit /etc/shorewall/rules to add other connections     At this point, edit /etc/shorewall/rules to add other connections
as desired.</p> as desired.</p>
</div> </div>
<div align="left"> <div align="left">
<h2 align="left">Starting and Stopping Your Firewall</h2> <h2 align="left">Starting and Stopping Your Firewall</h2>
</div> </div>
<div align="left"> <div align="left">
<p align="left"> <img border="0" src="images/BD21298_2.gif" <p align="left"> <img border="0" src="images/BD21298_2.gif"
width="13" height="13" alt="Arrow"> width="13" height="13" alt="Arrow">
    The <a href="Install.htm">installation procedure </a> configures     The <a href="Install.htm">installation procedure </a> configures
your system to start Shorewall at system boot but beginning with Shorewall your system to start Shorewall at system boot but beginning with Shorewall
version 1.3.9 startup is disabled so that your system won't try to start version 1.3.9 startup is disabled so that your system won't try to start
Shorewall before configuration is complete. Once you have completed configuration Shorewall before configuration is complete. Once you have completed configuration
of your firewall, you can enable Shorewall startup by removing the file /etc/shorewall/startup_disabled.<br> of your firewall, you can enable Shorewall startup by removing the file
</p> /etc/shorewall/startup_disabled.<br>
</p>
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Users of the .deb <p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Users of the .deb
package must edit /etc/default/shorewall and set 'startup=1'.</font><br> package must edit /etc/default/shorewall and set 'startup=1'.</font><br>
</p> </p>
</div> </div>
<div align="left"> <div align="left">
<p align="left">The firewall is started using the "shorewall start" command <p align="left">The firewall is started using the "shorewall start" command
@ -400,25 +401,26 @@ application uses, see <a href="ports.htm">here</a>.</p>
running firewall may be restarted using the "shorewall restart" command. running firewall may be restarted using the "shorewall restart" command.
If you want to totally remove any trace of Shorewall from your Netfilter If you want to totally remove any trace of Shorewall from your Netfilter
configuration, use "shorewall clear".</p> configuration, use "shorewall clear".</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left"><b>WARNING: </b>If you are connected to your firewall from <p align="left"><b>WARNING: </b>If you are connected to your firewall from
the internet, do not issue a "shorewall stop" command unless you have the internet, do not issue a "shorewall stop" command unless you have
added an entry for the IP address that you are connected from to <a added an entry for the IP address that you are connected from to <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better to create Also, I don't recommend using "shorewall restart"; it is better to create
an <i><a href="configuration_file_basics.htm#Configs">alternate configuration</a></i> an <i><a href="configuration_file_basics.htm#Configs">alternate configuration</a></i>
and test it using the <a and test it using the <a
href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p> href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p>
</div> </div>
<p align="left"><font size="2">Last updated 2/21/2003 - <a <p align="left"><font size="2">Last updated 2/21/2003 - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002, 2003 <p align="left"><a href="copyright.htm"><font size="2">Copyright 2002, 2003
Thomas M. Eastep</font></a></p> Thomas M. Eastep</font></a></p>
<br> <br>
<br>
<br> <br>
<br> <br>
<br> <br>

686
Shorewall-docs/standalone_fr.html
View File

@ -1,407 +1,469 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Standalone Firewall</title> <title>Standalone Firewall</title>
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber6" bgcolor="#400169" height="90"> id="AutoNumber6" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Standalone Firewall</font></h1> <h1 align="center"><font color="#ffffff">Standalone Firewall</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<h2 align="center">Version 2.0.1 Française</h2> <h2 align="center">Version 2.0.1 Française</h2>
<p align="left"><small><i><u>Notes du traducteur</u> :<br> <p align="left"><small><i><u>Notes du traducteur</u> :<br>
Je ne prétends pas être un vrai traducteur dans le sens ou mon travail Je ne prétends pas être un vrai traducteur dans le sens ou mon travail n'est
n'est pas des plus précis (loin de là...). Je ne me suis pas attaché à pas des plus précis (loin de là...). Je ne me suis pas attaché à une traduction
une traduction exacte du texte, mais plutôt à en faire une version exacte du texte, mais plutôt à en faire une version française intelligible
française intelligible par tous (et par moi). Les termes techniques sont par tous (et par moi). Les termes techniques sont la plupart du temps conservés
la plupart du temps conservés sous leur forme originale et mis entre sous leur forme originale et mis entre parenthèses car vous pouvez les retrouver
parenthèses car vous pouvez les retrouver dans le reste des dans le reste des documentations ainsi que dans les fichiers de configuration.
documentations ainsi que dans les fichiers de configuration. N?hésitez N?hésitez pas à me contacter afin d?améliorer ce document <a
pas à me contacter afin d?améliorer ce document <a href="mailto:vetsel.patrice@wanadoo.fr">VETSEL Patrice</a> (merci à JMM pour
href="mailto:vetsel.patrice@wanadoo.fr">VETSEL Patrice</a> (merci à JMM sa relecture et ses commentaires pertinents, ainsi qu'à Tom EASTEP pour son
pour sa relecture et ses commentaires pertinents, ainsi qu'à Tom EASTEP formidable outil et sa disponibilité)</i><i>.</i></small></p>
pour son formidable outil et sa disponibilité)</i><i>.</i></small></p>
<p align="left">Mettre en place un système Linux en tant que firewall <p align="left">Mettre en place un système Linux en tant que firewall (écluse)
(écluse) pour un petit réseau est une chose assez simple, si vous pour un petit réseau est une chose assez simple, si vous comprenez les bases
comprenez les bases et suivez la documentation.</p> et suivez la documentation.</p>
<p>Ce guide ne veut pas vous apprendre tous les rouages de Shorewall.
Il se focalise sur ce qui est nécessaire pour configurer Shorewall, dans <p>Ce guide ne veut pas vous apprendre tous les rouages de Shorewall. Il
son utilisation la plus courante :</p> se focalise sur ce qui est nécessaire pour configurer Shorewall, dans son
utilisation la plus courante :</p>
<ul> <ul>
<li>Un système Linux</li> <li>Un système Linux</li>
<li>Une seule adresse IP externe</li> <li>Une seule adresse IP externe</li>
<li>Une connexion passant par un modem câble, ADSL, ISDN, Frame <li>Une connexion passant par un modem câble, ADSL, ISDN, Frame Relay,
Relay, rtc...</li> rtc...</li>
</ul> </ul>
<p>Ce guide suppose que vous avez le paquet iproute/iproute2
d'installé. Vous pouvez voir si le paquet est installé en vérifiant la <p>Ce guide suppose que vous avez le paquet iproute/iproute2 d'installé.
présence du programme ip sur votre système de firewall. Sous root, Vous pouvez voir si le paquet est installé en vérifiant la présence du programme
utilisez la commande 'which' pour rechercher le programme :</p> ip sur votre système de firewall. Sous root, utilisez la commande 'which'
pour rechercher le programme :</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre> <pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
<p>Je vous recommande dans un premier temps de parcourir tout le guide
pour vous familiariser avec ce qu'il va se passer, et de revenir au <p>Je vous recommande dans un premier temps de parcourir tout le guide pour
début en effectuant le changements dans votre configuration. Les points, vous familiariser avec ce qu'il va se passer, et de revenir au début en effectuant
où les changements dans la configuration sont recommandées, sont le changements dans votre configuration. Les points, où les changements dans
signalés par une <img border="0" src="images/BD21298_.gif" width="13" la configuration sont recommandées, sont signalés par une <img
height="13"> .</p> border="0" src="images/BD21298_.gif" width="13" height="13">
<p><img border="0" src="images/j0213519.gif" width="60" height="60"> Si .</p>
vous éditez vos fichiers de configuration sur un système Windows, vous
devez les sauver comme des fichiers Unix si votre éditeur supporte cette <p><img border="0" src="images/j0213519.gif" width="60" height="60">
option sinon vous devez les faire passer par dos2unix avant d'essayer de Si vous éditez vos fichiers de configuration sur un système Windows, vous
les utiliser. De la même manière, si vous copiez un fichier de devez les sauver comme des fichiers Unix si votre éditeur supporte cette option
configuration depuis votre disque dur Windows vers une disquette, vous sinon vous devez les faire passer par dos2unix avant d'essayer de les utiliser.
devez lancer dos2unix sur la copie avant de l'utiliser avec Shorewall.</p> De la même manière, si vous copiez un fichier de configuration depuis votre
disque dur Windows vers une disquette, vous devez lancer dos2unix sur la
copie avant de l'utiliser avec Shorewall.</p>
<ul> <ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
of dos2unix</a></li> of dos2unix</a></li>
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux <li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version
Version of dos2unix</a></li> of dos2unix</a></li>
</ul> </ul>
<h2 align="left">Les Concepts de Shorewall</h2> <h2 align="left">Les Concepts de Shorewall</h2>
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13" <p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
alt=""> Les fichiers de configuration pour Shorewall sont situés dans alt="">
le répertoire /etc/shorewall -- pour de simples paramétrages, vous Les fichiers de configuration pour Shorewall sont situés dans le répertoire
n'avez à faire qu'avec quelques un d'entre eux comme décris dans ce /etc/shorewall -- pour de simples paramétrages, vous n'avez à faire qu'avec
guide. Après avoir <a href="Install.htm">installé Shorewall</a>, <b>téléchargez quelques un d'entre eux comme décris dans ce guide. Après avoir <a
le <a href="/pub/shorewall/LATEST.samples/one-interface.tgz">one-interface href="Install.htm">installé Shorewall</a>, <b>téléchargez le <a
sample</a>, un-tarez le (tar -zxvf one-interface.tgz) et copiez les href="http://france.shorewall.net/pub/shorewall/LATEST.samples/one-interface.tgz">one-interface
fichiers vers /etc/shorewall (Ils remplaceront les fichiers de même nom sample</a>, un-tarez le (tar -zxvf one-interface.tgz) et copiez les fichiers
déjà existant dans /etc/shorewall installés lors de l'installation de vers /etc/shorewall (Ils remplaceront les fichiers de même nom déjà existant
Shorewall)</b>.</p> dans /etc/shorewall installés lors de l'installation de Shorewall)</b>.</p>
<p>Parallèlement à la description, je vous suggère de jeter un oeil à
ceux physiquement présents sur votre système -- chacun des fichiers <p>Parallèlement à la description, je vous suggère de jeter un oeil à ceux
contient des instructions de configuration détaillées et des entrées par physiquement présents sur votre système -- chacun des fichiers contient des
défaut.</p> instructions de configuration détaillées et des entrées par défaut.</p>
<p>Shorewall voit le réseau où il tourne comme composé par un ensemble
de <i>zones.</i> Dans les fichiers de configuration fournis pour une <p>Shorewall voit le réseau où il tourne comme composé par un ensemble de
unique interface, une seule zone est définie :</p> <i>zones.</i> Dans les fichiers de configuration fournis pour une unique
interface, une seule zone est définie :</p>
<table border="0" style="border-collapse: collapse;" cellpadding="3" <table border="0" style="border-collapse: collapse;" cellpadding="3"
cellspacing="0" id="AutoNumber2"> cellspacing="0" id="AutoNumber2">
<tbody> <tbody>
<tr> <tr>
<td><u><b>Name</b></u></td> <td><u><b>Name</b></u></td>
<td><u><b>Description</b></u></td> <td><u><b>Description</b></u></td>
</tr> </tr>
<tr> <tr>
<td><b>net</b></td> <td><b>net</b></td>
<td><b>The Internet</b></td> <td><b>The Internet</b></td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p>Les zones de Shorewall sont définies dans <a <p>Les zones de Shorewall sont définies dans <a
href="Documentation.htm#Zones"> /etc/shorewall/zones</a>.</p> href="Documentation.htm#Zones"> /etc/shorewall/zones</a>.</p>
<p>Shorewall reconnaît aussi le système de firewall comme sa propre
zone - par défaut, le firewall lui-même est connu en tant que <b>fw</b>.</p> <p>Shorewall reconnaît aussi le système de firewall comme sa propre zone
<p>Les règles concernant le trafic à autoriser ou à interdire sont - par défaut, le firewall lui-même est connu en tant que <b>fw</b>.</p>
exprimées en utilisant les termes de zones.</p>
<p>Les règles concernant le trafic à autoriser ou à interdire sont exprimées
en utilisant les termes de zones.</p>
<ul> <ul>
<li>Vous exprimez les politiques par défaut pour les connexions d'une <li>Vous exprimez les politiques par défaut pour les connexions d'une zone
zone à une autre dans le fichier<a href="Documentation.htm#Policy"> à une autre dans le fichier<a href="Documentation.htm#Policy"> /etc/shorewall/policy
/etc/shorewall/policy </a>.</li> </a>.</li>
<li>Vous définissez les exceptions à ces règles de politiques par <li>Vous définissez les exceptions à ces règles de politiques par défaut
défaut dans le fichier <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li> dans le fichier <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
</ul> </ul>
<p>Pour chacune des demandes de connexion entrantes dans le firewall,
les demandes sont en premier lieu comparées par rapport au fichier <p>Pour chacune des demandes de connexion entrantes dans le firewall, les
/etc/shorewall/rules. Si aucune des règles dans ce fichier ne demandes sont en premier lieu comparées par rapport au fichier /etc/shorewall/rules.
correspondent, alors la première politique dans /etc/shorewall/policy Si aucune des règles dans ce fichier ne correspondent, alors la première
qui y correspond est appliquée. Si cette politique est REJECT ou DROP la politique dans /etc/shorewall/policy qui y correspond est appliquée. Si cette
requête est alors comparée par rapport aux règles contenues dans politique est REJECT ou DROP la requête est alors comparée par rapport aux
/etc/shorewall/common (l'archive d'exemple vous fournit ce fichier).</p> règles contenues dans /etc/shorewall/common (l'archive d'exemple vous fournit
<p>Le fichier /etc/shorewall/policy d'exemple contenu dans l'archive ce fichier).</p>
one-interface a les politiques suivantes :</p>
<p>Le fichier /etc/shorewall/policy d'exemple contenu dans l'archive one-interface
a les politiques suivantes :</p>
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber3"> id="AutoNumber3">
<tbody> <tbody>
<tr> <tr>
<td><u><b>SOURCE ZONE</b></u></td> <td><u><b>SOURCE ZONE</b></u></td>
<td><u><b>DESTINATION ZONE</b></u></td> <td><u><b>DESTINATION ZONE</b></u></td>
<td><u><b>POLICY</b></u></td> <td><u><b>POLICY</b></u></td>
<td><u><b>LOG LEVEL</b></u></td> <td><u><b>LOG LEVEL</b></u></td>
<td><u><b>LIMIT:BURST</b></u></td> <td><u><b>LIMIT:BURST</b></u></td>
</tr> </tr>
<tr> <tr>
<td>fw</td> <td>fw</td>
<td>net</td> <td>net</td>
<td>ACCEPT</td> <td>ACCEPT</td>
<td> <br> <td> <br>
</td> </td>
<td> <br> <td> <br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td>net</td> <td>net</td>
<td>all<br> <td>all<br>
</td> </td>
<td>DROP</td> <td>DROP</td>
<td>info</td> <td>info</td>
<td> <br> <td> <br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td>all</td> <td>all</td>
<td>all</td> <td>all</td>
<td>REJECT</td> <td>REJECT</td>
<td>info</td> <td>info</td>
<td> <br> <td> <br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
<pre> </pre> <pre> </pre>
Ces politiques vont : Ces politiques vont :
<ol> <ol>
<li>permettre toutes demandes de connexion depuis le firewall vers <li>permettre toutes demandes de connexion depuis le firewall vers l'Internet</li>
l'Internet</li> <li>drop (ignorer) toutes les demandes de connexion depuis l'Internet vers
<li>drop (ignorer) toutes les demandes de connexion depuis l'Internet votre firewall</li>
vers votre firewall</li> <li>rejeter toutes les autres requêtes de connexion (Shorewall à besoin
<li>rejeter toutes les autres requêtes de connexion (Shorewall à de cette politique).</li>
besoin de cette politique).</li>
</ol> </ol>
<p>A ce point, éditez votre /etc/shorewall/policy et faites y les
changements que vous désirez.</p> <p>A ce point, éditez votre /etc/shorewall/policy et faites y les changements
que vous désirez.</p>
<h2 align="left">Interface Externe</h2> <h2 align="left">Interface Externe</h2>
<p align="left">Le firewall possède une seule interface réseau. Lorsque
la connexion Internet passe par un modem câble ou par un routeur ADSL <p align="left">Le firewall possède une seule interface réseau. Lorsque la
(pas un simple modem), l'<i>External Interface</i> (interface externe) connexion Internet passe par un modem câble ou par un routeur ADSL (pas un
sera l'adaptateur ethernet (<b>eth0</b>) qui y est connecté <u>à moins simple modem), l'<i>External Interface</i> (interface externe) sera l'adaptateur
que</u> vous vous connectiez par <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol ethernet (<b>eth0</b>) qui y est connecté <u>à moins que</u> vous vous connectiez
over <u>E</u>thernet</i> (PPPoE) ou <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling<u>P</u>rotocol</i>(PPTP) par <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol over <u>E</u>thernet</i>
dans ce cas l'interface externe sera <b>ppp0</b>. Si vous vous (PPPoE) ou <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling<u>P</u>rotocol</i>(PPTP)
connectez par un simple modem (RTC), votre interface externe sera aussi <b>ppp0</b>. dans ce cas l'interface externe sera <b>ppp0</b>. Si vous vous connectez
Si vous vous connectez en utilisant l'ISDN (numéris), votre interface par un simple modem (RTC), votre interface externe sera aussi <b>ppp0</b>.
externe sera<b> ippp0.</b></p> Si vous vous connectez en utilisant l'ISDN (numéris), votre interface externe
sera<b> ippp0.</b></p>
<p align="left"><img border="0" src="images/BD21298_3.gif" width="13" <p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
height="13"> L'exemple de configuration de Shorewall pour une interface height="13">
suppose que votre interface externe est <b>eth0</b>. Si votre L'exemple de configuration de Shorewall pour une interface suppose que votre
configuration est différente, vous devrez modifier le fichier d'exemple interface externe est <b>eth0</b>. Si votre configuration est différente,
/etc/shorewall/interfaces en conséquence. Puisque vous y êtes, vous vous devrez modifier le fichier d'exemple /etc/shorewall/interfaces en conséquence.
pourriez parcourir la liste d'options qui sont spécifiées pour Puisque vous y êtes, vous pourriez parcourir la liste d'options qui sont
l'interface. Quelques astuces :</p> spécifiées pour l'interface. Quelques astuces :</p>
<ul> <ul>
<li> <li>
<p align="left">Si votre interface externe est <b>ppp0</b> ou <b>ippp0</b>, <p align="left">Si votre interface externe est <b>ppp0</b> ou <b>ippp0</b>,
vous pouvez remplacer le "detect" dans la seconde colonne par un vous pouvez remplacer le "detect" dans la seconde colonne par un "-".
"-". </p> </p>
</li> </li>
<li> <li>
<p align="left"> Si votre interface externe est <b>ppp0</b> ou <b>ippp0</b> <p align="left"> Si votre interface externe est <b>ppp0</b> ou <b>ippp0</b>
ou bien si vous avez une adresse IP statique, vous pouvez enlever le ou bien si vous avez une adresse IP statique, vous pouvez enlever le "dhcp"
"dhcp" de la liste d'option. </p> de la liste d'option. </p>
</li> </li>
</ul> </ul>
<div align="left"> <div align="left">
<h2 align="left">Adresse IP</h2> <h2 align="left">Adresse IP</h2>
</div> </div>
<div align="left"> <div align="left">
<p align="left">La RFC 1918 définie plusieurs plage d'adresses IP <p align="left">La RFC 1918 définie plusieurs plage d'adresses IP privée
privée (<i>Private</i>IP) pour l'utilisation dans des réseaux privés :</p> (<i>Private</i>IP) pour l'utilisation dans des réseaux privés :</p>
<div align="left"> <div align="left">
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre> <pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
</div> </div>
<p align="left">Ces adresses sont parfois désignées comme étant <i>non-routables</i> <p align="left">Ces adresses sont parfois désignées comme étant <i>non-routables</i>
car les routeurs sur les backbones Internet ne font pas passer les car les routeurs sur les backbones Internet ne font pas passer les paquets
paquets dont les adresses de destinations sont définies dans la RFC dont les adresses de destinations sont définies dans la RFC 1918. Dans certains
1918. Dans certains cas, les fournisseurs (provider ou ISP) utilisent cas, les fournisseurs (provider ou ISP) utilisent ces adresses et utilisent
ces adresses et utilisent le <i>Network Address Translation </i>afin le <i>Network Address Translation </i>afin de récrire les entêtes des paquets
de récrire les entêtes des paquets lorsqu'ils les font circuler depuis lorsqu'ils les font circuler depuis ou vers l'Internet.</p>
ou vers l'Internet.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" align="left" <p align="left"><img border="0" src="images/BD21298_.gif" align="left"
width="13" height="13"> Avant de lancer Shorewall, vous devriez width="13" height="13">
regarder l'adresse de votre interface externe et si elle est comprise Avant de lancer Shorewall, vous devriez regarder l'adresse de votre interface
dans une des plages précédentes, vous devriez enlever l'option externe et si elle est comprise dans une des plages précédentes, vous devriez
'norfc1918' dans le fichier /etc/shorewall/interfaces.</p> enlever l'option 'norfc1918' dans le fichier /etc/shorewall/interfaces.</p>
</div> </div>
<div align="left"> <div align="left">
<h2 align="left">Permettre d'autres connexions</h2> <h2 align="left">Permettre d'autres connexions</h2>
</div> </div>
<div align="left"> <div align="left">
<p align="left">Si vous désirez autoriser d'autres connexions depuis <p align="left">Si vous désirez autoriser d'autres connexions depuis l'Internet
l'Internet vers votre firewall, le format général est :</p> vers votre firewall, le format général est :</p>
</div> </div>
<div align="left"> <div align="left">
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber4"> id="AutoNumber4">
<tbody> <tbody>
<tr> <tr>
<td><u><b>ACTION</b></u></td> <td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td> <td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td> <td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td> <td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td> <td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td> <td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL ADDRESS</b></u></td> <td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr> </tr>
<tr> <tr>
<td>ACCEPT</td> <td>ACCEPT</td>
<td>net</td> <td>net</td>
<td>fw</td> <td>fw</td>
<td><i>&lt;protocol&gt;</i></td> <td><i>&lt;protocol&gt;</i></td>
<td><i>&lt;port&gt;</i></td> <td><i>&lt;port&gt;</i></td>
<td> <br> <td> <br>
</td> </td>
<td> <br> <td> <br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
</div> </div>
<div align="left"> <div align="left">
<p align="left">Exemple - Vous voulez faire tourner un serveur Web et <p align="left">Exemple - Vous voulez faire tourner un serveur Web et un
un serveur POP3 sur votre système de firewall :</p> serveur POP3 sur votre système de firewall :</p>
</div> </div>
<div align="left"> <div align="left">
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber5"> id="AutoNumber5">
<tbody> <tbody>
<tr> <tr>
<td><u><b>ACTION</b></u></td> <td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td> <td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td> <td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td> <td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td> <td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td> <td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL ADDRESS</b></u></td> <td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr> </tr>
<tr> <tr>
<td>ACCEPT</td> <td>ACCEPT</td>
<td>net</td> <td>net</td>
<td>fw</td> <td>fw</td>
<td>tcp</td> <td>tcp</td>
<td>80</td> <td>80</td>
<td> <br> <td> <br>
</td> </td>
<td> <br> <td> <br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td>ACCEPT</td> <td>ACCEPT</td>
<td>net</td> <td>net</td>
<td>fw</td> <td>fw</td>
<td>tcp</td> <td>tcp</td>
<td>110</td> <td>110</td>
<td> <br> <td> <br>
</td> </td>
<td> <br> <td> <br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
</div> </div>
<div align="left"> <div align="left">
<p align="left">Si vous ne savez pas quel port ou protocole une <p align="left">Si vous ne savez pas quel port ou protocole une application
application particulière utilise, regardez <a href="ports.htm">ici</a>.</p> particulière utilise, regardez <a href="ports.htm">ici</a>.</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left"><b>Important: </b>Je ne vous recommande pas <p align="left"><b>Important: </b>Je ne vous recommande pas d'autoriser le
d'autoriser le telnet depuis ou vers l'Internet car il utilise du texte telnet depuis ou vers l'Internet car il utilise du texte en clair (même pour
en clair (même pour le login et le mot de passe !). Si vous voulez avoir le login et le mot de passe !). Si vous voulez avoir un accès au shell de
un accès au shell de votre firewall depuis Internet, utilisez SSH :</p> votre firewall depuis Internet, utilisez SSH :</p>
</div> </div>
<div align="left"> <div align="left">
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber4"> id="AutoNumber4">
<tbody> <tbody>
<tr> <tr>
<td><u><b>ACTION</b></u></td> <td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td> <td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td> <td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td> <td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td> <td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td> <td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL ADDRESS</b></u></td> <td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr> </tr>
<tr> <tr>
<td>ACCEPT</td> <td>ACCEPT</td>
<td>net</td> <td>net</td>
<td>fw</td> <td>fw</td>
<td>tcp</td> <td>tcp</td>
<td>22</td> <td>22</td>
<td> <br> <td> <br>
</td> </td>
<td> <br> <td> <br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
</div> </div>
<div align="left"> <div align="left">
<pre> ACCEPT net fw tcp 22</pre> <pre> ACCEPT net fw tcp 22</pre>
</div> </div>
<div align="left"> <div align="left">
<p align="left"><img border="0" src="images/BD21298_3.gif" width="13" <p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
height="13"> A ce point, éditez /etc/shorewall/rules pour rajouter height="13">
les autres connexions désirées.</p> A ce point, éditez /etc/shorewall/rules pour rajouter les autres connexions
</div> désirées.</p>
</div>
<div align="left"> <div align="left">
<h2 align="left">Lancer et Arrêter son Firewall</h2> <h2 align="left">Lancer et Arrêter son Firewall</h2>
</div> </div>
<div align="left"> <div align="left">
<p align="left"> <img border="0" src="images/BD21298_2.gif" width="13" <p align="left"> <img border="0" src="images/BD21298_2.gif" width="13"
height="13" alt="Arrow"> La <a href="Install.htm">procédure height="13" alt="Arrow">
d'installation </a> configure votre système pour lancer Shorewall au La <a href="Install.htm">procédure d'installation </a> configure votre système
boot du système, mais au début avec la version 1.3.9 de Shorewall le pour lancer Shorewall au boot du système, mais au début avec la version 1.3.9
lancement est désactivé, n'essayer pas de lancer Shorewall avec que la de Shorewall le lancement est désactivé, n'essayer pas de lancer Shorewall
configuration soit finie. Une fois que vous en aurez fini avec la avec que la configuration soit finie. Une fois que vous en aurez fini avec
configuration du firewall, vous pouvez permettre le lancement de la configuration du firewall, vous pouvez permettre le lancement de Shorewall
Shorewall en supprimant le fichier /etc/shorewall/startup_disabled.<br> en supprimant le fichier /etc/shorewall/startup_disabled.<br>
</p> </p>
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Les
utilisateurs des paquets .deb doivent éditer /etc/default/shorewall et <p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Les utilisateurs
mettre 'startup=1'.</font><br> des paquets .deb doivent éditer /etc/default/shorewall et mettre 'startup=1'.</font><br>
</p> </p>
</div> </div>
<div align="left"> <div align="left">
<p align="left">Le firewall est activé en utilisant la commande <p align="left">Le firewall est activé en utilisant la commande "shorewall
"shorewall start" et arrêté avec "shorewall stop". Lorsque le firewall start" et arrêté avec "shorewall stop". Lorsque le firewall est stoppé, le
est stoppé, le routage est autorisé sur les hôtes qui possèdent une routage est autorisé sur les hôtes qui possèdent une entrée dans <a
entrée dans <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. Un
Un firewall qui tourne peut être relancé en utilisant la commande firewall qui tourne peut être relancé en utilisant la commande "shorewall
"shorewall restart". Si vous voulez enlever toutes traces de Shorewall restart". Si vous voulez enlever toutes traces de Shorewall sur votre configuration
sur votre configuration de Netfilter, utilisez "shorewall clear".</p> de Netfilter, utilisez "shorewall clear".</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left"><b>ATTENTION: </b>Si vous êtes connecté à votre <p align="left"><b>ATTENTION: </b>Si vous êtes connecté à votre firewall
firewall depuis Internet, n'essayez pas une commande "shorewall stop" depuis Internet, n'essayez pas une commande "shorewall stop" tant que vous
tant que vous n'avez pas ajouté une entrée pour votre adresse IP (celle n'avez pas ajouté une entrée pour votre adresse IP (celle à partir de laquelle
à partir de laquelle vous êtes connectée) dans <a vous êtes connectée) dans <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. De la même manière, je ne vous recommande pas d'utiliser "shorewall restart";
De la même manière, je ne vous recommande pas d'utiliser "shorewall il est plus intéressant de créer une <i><a
restart"; il est plus intéressant de créer une <i><a
href="configuration_file_basics.htm#Configs">configuration alternative</a></i> href="configuration_file_basics.htm#Configs">configuration alternative</a></i>
et de la tester en utilisant la commande <a et de la tester en utilisant la commande <a
href="starting_and_stopping_shorewall.htm">"shorewall try"</a>.</p> href="starting_and_stopping_shorewall.htm">"shorewall try"</a>.</p>
</div> </div>
<p align="left"><font size="2">Last updated 12/9/2002 - <a <p align="left"><font size="2">Last updated 12/9/2002 - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002
Thomas M. Eastep</font></a></p> <p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas
<br> M. Eastep</font></a></p>
<br> <br>
<br> <br>
<br> <br>
<br> <br>
<br> <br>
<br> <br>
<br>
<br>
</body> </body>
</html> </html>

395
Shorewall-docs/support.htm
View File

@ -2,73 +2,57 @@
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shorewall Support Guide</title> <title>Shorewall Support Guide</title>
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td
width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Support Guide<img <h1 align="center"><font color="#ffffff">Shorewall Support Guide<img
src="images/obrasinf.gif" alt="" width="90" height="90" align="middle"> src="images/obrasinf.gif" alt="" width="90" height="90" align="middle">
</font></h1> </font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<h2>Before Reporting a Problem or Asking a Question<br> <h2>Before Reporting a Problem or Asking a Question<br>
</h2> </h2>
There are a number There are a number
of sources of Shorewall information. Please try these before you post. of sources of Shorewall information. Please try these before you
post.
<ul> <ul>
<li>More than half of the questions posted <li>More than half of the questions
on the support list have answers directly accessible from the posted on the support list have answers directly accessible from
<a href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a><br> the <a href="shorewall_quickstart_guide.htm#Documentation">Documentation
</li> Index</a><br>
<li> The <a </li>
href="FAQ.htm">FAQ</a> has solutions to more than 20 common problems. <li> The
</li> <a href="FAQ.htm">FAQ</a> has solutions to more than 20 common
problems. </li>
<li> The <a <li> The <a
href="troubleshoot.htm">Troubleshooting</a> Information contains href="troubleshoot.htm">Troubleshooting</a> Information contains
a number of tips to help you solve common problems. a number of tips to help you solve common problems.
</li> </li>
<li> The <a
<li> The <a
href="errata.htm"> Errata</a> has links to download updated href="errata.htm"> Errata</a> has links to download updated
components. </li> components. </li>
<li> The Site and
<li> The Site and Mailing Mailing List Archives search facility can locate documents and
List Archives search facility can locate documents and posts posts about similar problems: </li>
about similar problems: </li>
</ul> </ul>
<h2>Site and Mailing List Archive Search</h2> <h2>Site and Mailing List Archive Search</h2>
<blockquote> <blockquote>
@ -80,12 +64,12 @@
<option value="or">Any </option> <option value="or">Any </option>
<option value="boolean">Boolean </option> <option value="boolean">Boolean </option>
</select> </select>
Format: Format:
<select name="format"> <select name="format">
<option value="builtin-long">Long </option> <option value="builtin-long">Long </option>
<option value="builtin-short">Short </option> <option value="builtin-short">Short </option>
</select> </select>
Sort by: Sort by:
<select name="sort"> <select name="sort">
<option value="score">Score </option> <option value="score">Score </option>
<option value="time">Time </option> <option value="time">Time </option>
@ -94,250 +78,229 @@
<option value="revtime">Reverse Time </option> <option value="revtime">Reverse Time </option>
<option value="revtitle">Reverse Title </option> <option value="revtitle">Reverse Title </option>
</select> </select>
</font><input type="hidden" name="config" value="htdig"><input </font><input type="hidden" name="config" value="htdig"><input
type="hidden" name="restrict" value=""><font size="-1"> Include Mailing type="hidden" name="restrict" value=""><font size="-1"> Include Mailing
List Archives: List Archives:
<select size="1" name="exclude"> <select size="1" name="exclude">
<option value="">Yes</option> <option value="">Yes</option>
<option value="[http://lists.shorewall.net/pipermail/.*]">No</option> <option value="[http://lists.shorewall.net/pipermail/.*]">No</option>
</select> </select>
</font><br> </font><br>
Search: <input type="text" size="30" name="words" value=""> <input Search: <input type="text" size="30" name="words" value=""> <input
type="submit" value="Search"><br> type="submit" value="Search"><br>
</form> </form>
</blockquote> </blockquote>
<h2>Problem Reporting Guidelines<br> <h2>Problem Reporting Guidelines<br>
</h2> </h2>
<ul> <ul>
<li>Please remember we only know what is posted <li>Please remember we only know what is posted
in your message. Do not leave out any information that appears in your message. Do not leave out any information that appears
to be correct, or was mentioned in a previous post. There have been to be correct, or was mentioned in a previous post. There have
countless posts by people who were sure that some part of their been countless posts by people who were sure that some part of
configuration was correct when it actually contained a small error. their configuration was correct when it actually contained a small
We tend to be skeptics where detail is lacking.<br> error. We tend to be skeptics where detail is lacking.<br>
<br> <br>
</li> </li>
<li>Please keep in mind that you're asking for <li>Please keep in mind that you're asking
<strong>free</strong> technical support. Any help we offer for <strong>free</strong> technical support. Any help we
is an act of generosity, not an obligation. Try to make it easy offer is an act of generosity, not an obligation. Try to make it
for us to help you. Follow good, courteous practices in writing easy for us to help you. Follow good, courteous practices in writing
and formatting your e-mail. Provide details that we need if you expect and formatting your e-mail. Provide details that we need if you expect
good answers. <em>Exact quoting </em> of error messages, log entries, good answers. <em>Exact quoting </em> of error messages, log entries,
command output, and other output is better than a paraphrase or summary.<br> command output, and other output is better than a paraphrase or summary.<br>
<br> <br>
</li> </li>
<li> Please <li> Please
don't describe your environment and then ask us to send you don't describe your environment and then ask us to send
custom configuration files. We're here to answer your you custom configuration files. We're here to answer
questions but we can't do your job for you.<br> your questions but we can't do your job for you.<br>
<br> <br>
</li> </li>
<li>When reporting a problem, <strong>ALWAYS</strong> <li>When reporting a problem, <strong>ALWAYS</strong>
include this information:</li> include this information:</li>
</ul> </ul>
<ul> <ul>
<ul> <ul>
<li>the exact version of Shorewall you are <li>the exact version of Shorewall you are
running.<br> running.<br>
<br> <br>
<b><font color="#009900">shorewall version</font><br> <b><font color="#009900">shorewall version</font><br>
</b> <br> </b> <br>
</li> </li>
</ul> </ul>
<ul> <ul>
<li>the exact kernel version you are running<br> <li>the exact kernel version you are running<br>
<br> <br>
<font color="#009900"><b>uname -a<br> <font color="#009900"><b>uname -a<br>
<br> <br>
</b></font></li> </b></font></li>
</ul> </ul>
<ul> <ul>
<li>the complete, exact output of<br> <li>the complete, exact output of<br>
<br> <br>
<font color="#009900"><b>ip addr show<br> <font color="#009900"><b>ip addr show<br>
<br> <br>
</b></font></li> </b></font></li>
</ul> </ul>
<ul> <ul>
<li>the complete, exact output of<br> <li>the complete, exact output of<br>
<br> <br>
<font color="#009900"><b>ip route show<br> <font color="#009900"><b>ip route show<br>
<br> <br>
</b></font></li> </b></font></li>
</ul> </ul>
<ul>
<li>If your kernel is modularized, the exact
output from<br>
<br>
<font color="#009900"><b>lsmod</b></font><br>
</li>
</ul>
</ul>
<ul>
<ul> <ul>
<li>If your kernel is modularized, the exact <li><font color="#ff0000"><u><i><big><b>If you are having connection
output from<br> problems of any kind then:</b></big></i></u></font><br>
<br> <br>
<font color="#009900"><b>lsmod</b></font><br> 1. <b><font color="#009900">/sbin/shorewall/reset</font></b><br>
<br> <br>
</li> 2. Try the connection that is failing.<br>
<li>the exact wording of any <code <br>
3.<b><font color="#009900"> /sbin/shorewall status &gt;
/tmp/status.txt</font></b><br>
<br>
4. Post the /tmp/status.txt file as an attachment.<br>
<br>
</li>
<li>the exact wording of any <code
style="color: green; font-weight: bold;">ping</code> failure responses<br> style="color: green; font-weight: bold;">ping</code> failure responses<br>
<br> <br>
</li> </li>
<li>If you installed Shorewall using one of the QuickStart <li>If you installed Shorewall using one of the QuickStart Guides,
Guides, please indicate which one. <br> please indicate which one. <br>
<br> <br>
</li> </li>
<li><b>If you are running Shorewall under Mandrake <li><b>If you are running Shorewall under Mandrake using the Mandrake
using the Mandrake installation of Shorewall, please say so.</b><br> installation of Shorewall, please say so.<br>
</li> <br>
</b></li>
</ul> </ul>
<li>As a
</ul> general matter, please <strong>do not edit the diagnostic information</strong>
in an attempt to conceal your IP address, netmask, nameserver
<ul> addresses, domain name, etc. These aren't secrets, and concealing
them often misleads us (and 80% of the time, a hacker could derive them
<ul> anyway from information contained in the SMTP headers of your post).<br>
<li><font color="#ff0000"><u><i><big><b>If you are having connection <br>
problems of any kind then:</b></big></i></u></font><br> <strong></strong></li>
<br> <li>Do you see any "Shorewall" messages ("<b><font
1. <b><font color="#009900">/sbin/shorewall/reset</font></b><br>
<br>
2. Try the connection that is failing.<br>
<br>
3.<b><font color="#009900"> /sbin/shorewall status &gt; /tmp/status.txt</font></b><br>
<br>
4. Post the /tmp/status.txt file as an attachment.<br>
<br>
</li>
</ul>
<li>As a general
matter, please <strong>do not edit the diagnostic information</strong>
in an attempt to conceal your IP address, netmask, nameserver
addresses, domain name, etc. These aren't secrets, and concealing
them often misleads us (and 80% of the time, a hacker could derive them
anyway from information contained in the SMTP headers of your post).<br>
<br>
<strong></strong></li>
<li>Do you see any "Shorewall" messages ("<b><font
color="#009900">/sbin/shorewall show log</font></b>") when color="#009900">/sbin/shorewall show log</font></b>") when
you exercise the function that is giving you problems? If so, you exercise the function that is giving you problems? If so, include
include the message(s) in your post along with a copy of your /etc/shorewall/interfaces the message(s) in your post along with a copy of your /etc/shorewall/interfaces
file.<br> file.<br>
<br> <br>
</li> </li>
<li>Please include any of the Shorewall configuration files <li>Please include any of the Shorewall configuration files
(especially the /etc/shorewall/hosts file if you have (especially the /etc/shorewall/hosts file if you have
modified that file) that you think are relevant. If you modified that file) that you think are relevant. If
include /etc/shorewall/rules, please include /etc/shorewall/policy you include /etc/shorewall/rules, please include /etc/shorewall/policy
as well (rules are meaningless unless one also knows the policies).<br> as well (rules are meaningless unless one also knows the policies).<br>
<br> <br>
</li> </li>
<li>If an error occurs when you try to "<font <li>If an error occurs when you try to "<font
color="#009900"><b>shorewall start</b></font>", include a color="#009900"><b>shorewall start</b></font>", include a trace
trace (See the <a href="troubleshoot.htm">Troubleshooting</a> (See the <a href="troubleshoot.htm">Troubleshooting</a> section for
section for instructions).<br> instructions).<br>
<br> <br>
</li> </li>
<li><b>The list server limits posts to 120kb so don't post GIFs <li><b>The list server limits posts to 120kb so don't post
of your network layout, etc. to the Mailing GIFs of your network layout, etc. to the Mailing
List -- your post will be rejected.</b></li> List -- your post will be rejected.</b></li>
</ul> </ul>
<blockquote> <blockquote> The author gratefully acknowleges that the above list was
heavily plagiarized from the excellent LEAF document by <i>Ray</i>
<em>Olszewski</em> found at <a
The author gratefully acknowleges that the above list was heavily
plagiarized from the excellent LEAF document by <i>Ray</i> <em>Olszewski</em>
found at <a
href="http://leaf-project.org/pub/doc/docmanager/docid_1891.html">http://leaf-project.org/pub/doc/docmanager/docid_1891.html</a>.<br> href="http://leaf-project.org/pub/doc/docmanager/docid_1891.html">http://leaf-project.org/pub/doc/docmanager/docid_1891.html</a>.<br>
</blockquote> </blockquote>
<h2>When using the mailing list, please post in plain text</h2> <h2>When using the mailing list, please post in plain text</h2>
<blockquote> <blockquote> A growing number of MTAs serving list subscribers are
A growing number of MTAs serving list subscribers are rejecting rejecting all HTML traffic. At least one MTA has gone so far as to
all HTML traffic. At least one MTA has gone so far as to blacklist blacklist shorewall.net "for continuous abuse" because it has been
shorewall.net "for continuous abuse" because it has been my policy my policy to allow HTML in list posts!!<br>
to allow HTML in list posts!!<br> <br>
<br> I think that blocking all HTML is a Draconian
I think that blocking all HTML is a Draconian way to control spam and that the ultimate losers here are not
way to control spam and that the ultimate losers here are not the spammers but the list subscribers whose MTAs are bouncing
the spammers but the list subscribers whose MTAs are bouncing all shorewall.net mail. As one list subscriber wrote to me privately
all shorewall.net mail. As one list subscriber wrote to me privately "These e-mail admin's need to get a <i>(expletive deleted)</i> life
"These e-mail admin's need to get a <i>(expletive deleted)</i> life instead of trying to rid the planet of HTML based e-mail". Nevertheless,
instead of trying to rid the planet of HTML based e-mail". Nevertheless, to allow subscribers to receive list posts as must as possible, I
to allow subscribers to receive list posts as must as possible, I
have now configured the list server at shorewall.net to strip all HTML have now configured the list server at shorewall.net to strip all HTML
from outgoing posts.<br> from outgoing posts.<br>
</blockquote> </blockquote>
<h2>Where to Send your Problem Report or to Ask for Help</h2> <h2>Where to Send your Problem Report or to Ask for Help</h2>
<blockquote> <blockquote>
<h4>If you run Shorewall under Bering -- <span <h4>If you run Shorewall under Bering -- <span
style="font-weight: 400;">please post your question or problem style="font-weight: 400;">please post your question or problem
to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF
Users mailing list</a>.</span></h4> Users mailing list</a>.</span></h4>
<b>If you run Shorewall under MandrakeSoft <b>If you run Shorewall under MandrakeSoft
Multi Network Firewall (MNF) and you have not purchased an MNF Multi Network Firewall (MNF) and you have not purchased an MNF
license from MandrakeSoft then you can post non MNF-specific Shorewall license from MandrakeSoft then you can post non MNF-specific Shorewall
questions to the </b><a questions to the </b><a
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
list</a> or to the <a list</a> or the <a
href="http://www.developercube.com/forum/index.php?c=8">Shorewall Support href="http://www.developercube.com/forum/index.php?c=8">Shorewall Support
Forum</a>. <b>Do not expect to get free MNF support on the list or forum.</b><br> Forum</a>. <b>Do not expect to get free MNF support on the list or forum.</b><br>
<p>Otherwise, please post your question or problem to the <a <p>Otherwise, please post your question or problem to the <a
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
list</a> or to the <a list</a> or to the <a
href="http://www.developercube.com/forum/index.php?c=8">Shorewall Support href="http://www.developercube.com/forum/index.php?c=8">Shorewall Support
Forum</a>.<br> Forum</a>.<br>
To Subscribe to the mailing list go to <a To Subscribe to the mailing list go to <a
href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a> href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a>
.<br> .<br>
</p> </p>
</blockquote> </blockquote>
<p>For information on other Shorewall mailing lists, go to <a <p>For information on other Shorewall mailing lists, go to <a
href="http://lists.shorewall.net/mailing_list.htm">http://lists.shorewall.net/mailing_list.htm</a><br> href="http://lists.shorewall.net/mailing_list.htm">http://lists.shorewall.net/mailing_list.htm</a><br>
</p> </p>
<p align="left"><font size="2">Last Updated 3/17/2003 - Tom Eastep</font></p>
<p align="left"><font size="2">Last Updated 4/10/2003 - Tom Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br> size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p> </p>
<br>
<br> <br>
<br>
<br>
<br> <br>
<br> <br>
<br> <br>

1269
Shorewall-docs/three-interface.htm
View File

File diff suppressed because it is too large Load Diff

1295
Shorewall-docs/three-interface_fr.html
View File

File diff suppressed because it is too large Load Diff

995
Shorewall-docs/two-interface.htm
View File

File diff suppressed because it is too large Load Diff

1945
Shorewall-docs/two-interface_fr.html
View File

File diff suppressed because it is too large Load Diff

475
Shorewall-docs/upgrade_issues.htm
View File

@ -6,12 +6,10 @@
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Upgrade Issues</title> <title>Upgrade Issues</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
@ -19,167 +17,183 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Upgrade Issues</font></h1> <h1 align="center"><font color="#ffffff">Upgrade Issues</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p>For upgrade instructions see the <a <p>For upgrade instructions see the <a
href="Install.htm">Install/Upgrade page</a>.<br> href="Install.htm">Install/Upgrade page</a>.<br>
</p> </p>
<p>It is important that you read all of the sections on this page where the <p>It is important that you read all of the sections on this page where the
version number mentioned in the section title is later than what you are version number mentioned in the section title is later than what you are
currently running. <br> currently running.<br>
</p> </p>
<p> In the descriptions that follows, the term <b><i>group </i></b>refers
to a particular network or subnetwork (which may be 0.0.0.0/0 or it may
be a host address) accessed through a particular interface.<br>
</p>
<p>Examples:<br>
    <br>
    eth0:0.0.0.0/0<br>
    eth2:192.168.1.0/24<br>
    eth3:192.0.2.123<br>
</p>
<h3> </h3> <h3> </h3>
<h3>Version &gt;= 1.4.2</h3>
There are some cases where you may want to handle traffic from a particular
group to itself. While I personally think that such a setups are ridiculous,
there are two cases covered in this documentation where it can occur:<br>
<ol>
<li><a href="FAQ.htm#faq2">In FAQ #2</a>.</li>
<li><a href="Shorewall_Squid_Usage.html">When running Squid as a transparent
proxy in your local zone.</a></li>
</ol>
If you have either of these cases, you will want to review the current documentation
and change your configuration accordingly.<br>
<h3>Version &gt;= 1.4.1</h3> <h3>Version &gt;= 1.4.1</h3>
In the description that follows, the term <i>group </i>refers to a particular You can use the "shorewall check" command to see the groups associated with
network or subnetwork (which may be 0.0.0.0/0 or it may be a host address)
accessed through a particular interface. Examples:<br>
<blockquote>eth0:0.0.0.0/0<br>
eth2:192.168.1.0/24<br>
eth3:192.0.2.123<br>
</blockquote>
You can use the "shorewall check" command to see the groups associated with
each of your zones.<br> each of your zones.<br>
<br> <br>
<ul> <ul>
<li>Beginning with Version 1.4.1, traffic between groups in the same <li>Beginning with Version 1.4.1, traffic between groups in the same
zone is accepted by default. Previously, traffic from a zone to itself was zone is accepted by default. Previously, traffic from a zone to itself
treated just like any other traffic; any matching rules were applied followed was treated just like any other traffic; any matching rules were applied
by enforcement of the appropriate policy. With 1.4.1 and later versions, followed by enforcement of the appropriate policy. With 1.4.1 and later
unless you have explicit rules for traffic from Z to Z or you have an explicit versions, unless you have explicit rules for traffic from Z to Z or you
Z to Z policy (where "Z" is some zone) then traffic between the groups in have an explicit Z to Z policy (where "Z" is some zone) then traffic between
zone Z will be accepted. If you do have one or more explicit rules for Z the groups in zone Z will be accepted. If you do have one or more explicit
to Z or if you have an explicit Z to Z policy then the behavior is as it rules for Z to Z or if you have an explicit Z to Z policy then the behavior
was in prior versions.</li> is as it was in prior versions.</li>
</ul> </ul>
<blockquote> <blockquote>
<ol> <ol>
<li>If you have a Z Z ACCEPT policy for a zone to allow traffic between <li>If you have a Z Z ACCEPT policy for a zone to allow traffic between
two interfaces to the same zone, that policy can be removed and traffic two interfaces to the same zone, that policy can be removed and traffic
between the interfaces will traverse fewer rules than previously.</li> between the interfaces will traverse fewer rules than previously.</li>
<li>If you have a Z Z DROP or Z Z REJECT policy or you have Z-&gt;Z <li>If you have a Z Z DROP or Z Z REJECT policy or you have Z-&gt;Z
rules then your configuration should not require any change.</li> rules then your configuration should not require any change.</li>
<li>If you are currently relying on a implicit policy (one that has <li>If you are currently relying on a implicit policy (one that has
"all" in either the SOURCE or DESTINATION column) to prevent traffic between "all" in either the SOURCE or DESTINATION column) to prevent traffic between
two interfaces to a zone Z and you have no rules for Z-&gt;Z then you should two interfaces to a zone Z and you have no rules for Z-&gt;Z then you should
add an explicit DROP or REJECT policy for Z to Z.<br> add an explicit DROP or REJECT policy for Z to Z.<br>
</li> </li>
</ol> </ol>
</blockquote> </blockquote>
<ul> <ul>
<li>Beginning with Version 1.4.1, Shorewall will never create rules to <li>Beginning with Version 1.4.1, Shorewall will never create rules
deal with traffic from a given group back to itself. The <i>multi</i> interface to deal with traffic from a given group back to itself. The <i>multi</i>
option is no longer available so if you want to route traffic between two interface option is no longer available so if you want to route traffic between
subnetworks on the same interface then either:</li> two subnetworks on the same interface then either:</li>
</ul> </ul>
<blockquote> <blockquote>
<ol> <ol>
<li>The subnetworks must be in different zones; or</li> <li>The subnetworks must be in different zones; or</li>
<li>You must use the /etc/shorewall/hosts file to define the subnetworks <li>You must use the /etc/shorewall/hosts file to define the subnetworks
as two groups in a single zone.</li> as two groups in a single zone.</li>
</ol> </ol>
</blockquote> </blockquote>
Example 1 -- Two zones:<br> If you use the technique described in FAQ 2 to send local requests addressed
to your firewall's external address back to a local server then you need to
change your configuration to match <a href="FAQ.htm#faq2">the new version
of FAQ #2.<br>
</a><br>
Example 1 -- Two zones:<br>
<blockquote> <blockquote>
<pre>/etc/shorewall/zones<br><br>z1 Zone1 The first Zone<br>z2 Zone2 The secont Zone<br><br>/etc/shorewall/policy<br><br>z1 z2 ACCEPT<br>z2 z1 ACCEPT<br><br>/etc/shorewall/interfaces<br><br>- eth1 192.168.1.255,192.168.2.255<br><br>/etc/shorewall/hosts<br><br>z1 eth1:192.168.1.0/24<br>z2 eth1:192.168.2.0/24<br></pre> <pre>/etc/shorewall/zones<br><br>z1 Zone1 The first Zone<br>z2 Zone2 The secont Zone<br><br>/etc/shorewall/policy<br><br>z1 z2 ACCEPT<br>z2 z1 ACCEPT<br><br>/etc/shorewall/interfaces<br><br>- eth1 192.168.1.255,192.168.2.255<br><br>/etc/shorewall/hosts<br><br>z1 eth1:192.168.1.0/24<br>z2 eth1:192.168.2.0/24<br></pre>
</blockquote> </blockquote>
Example 2 -- One zone: Example 2 -- One zone:
<blockquote> <blockquote>
<pre><br>/etc/shorewall/zones<br><br>z Zone The Zone<br><br>/etc/shorewall/interfaces<br><br>- eth1 192.168.1.255,192.168.2.255<br><br>/etc/shorewall/hosts<br><br>z eth1:192.168.1.0/24<br>z eth1:192.168.2.0/24<br></pre> <pre><br>/etc/shorewall/zones<br><br>z Zone The Zone<br><br>/etc/shorewall/interfaces<br><br>- eth1 192.168.1.255,192.168.2.255<br><br>/etc/shorewall/hosts<br><br>z eth1:192.168.1.0/24<br>z eth1:192.168.2.0/24<br></pre>
</blockquote> </blockquote>
Note that in the second example, we don't need any policy since z-&gt;z Note that in the second example, we don't need any policy since z-&gt;z
traffic is accepted by default. The second technique is preferable if you traffic is accepted by default. The second technique is preferable if you
want unlimited access between the two subnetworks.<br> want unlimited access between the two subnetworks.<br>
<br> <br>
Sometimes, you want two separate zones on one interface but you don't want Sometimes, you want two separate zones on one interface but you don't
Shorewall to set up any infrastructure to handle traffic between them. <br> want Shorewall to set up any infrastructure to handle traffic between them.
<br> <br>
Example:<br> <br>
Example:<br>
<blockquote> <blockquote>
<pre>/etc/shorewall/zones<br><br>z1 Zone1 The first Zone<br>z2 Zone2 The secont Zone<br><br>/etc/shorewall/interfaces<br><br>z2 eth1 192.168.1.255<br><br>/etc/shorewall/hosts<br><br>z1 eth1:192.168.1.3<br></pre> <pre>/etc/shorewall/zones<br><br>z1 Zone1 The first Zone<br>z2 Zone2 The secont Zone<br><br>/etc/shorewall/interfaces<br><br>z2 eth1 192.168.1.255<br><br>/etc/shorewall/hosts<br><br>z1 eth1:192.168.1.3<br></pre>
</blockquote> </blockquote>
Here, zone z1 is nested in zone z2 and the firewall is not going to be involved Here, zone z1 is nested in zone z2 and the firewall is not going to be
in any traffic between these two zones. Beginning with Shorewall 1.4.1, you involved in any traffic between these two zones. Beginning with Shorewall
can prevent Shorewall from setting up any infrastructure to handle traffic 1.4.1, you can prevent Shorewall from setting up any infrastructure to handle
between z1 and z2 by using the new NONE policy:<br> traffic between z1 and z2 by using the new NONE policy:<br>
<blockquote> <blockquote>
<pre>/etc/shorewall/policy<br><pre>z1 z2 NONE<br>z2 z1 NONE</pre></pre> <pre>/etc/shorewall/policy<br><pre>z1 z2 NONE<br>z2 z1 NONE</pre></pre>
</blockquote> </blockquote>
Note that NONE policies are generally used in pairs unless there is asymetric Note that NONE policies are generally used in pairs unless there is asymetric
routing where only the traffic on one direction flows through the firewall routing where only the traffic on one direction flows through the firewall
and you are using a NONE polciy in the other direction.  and you are using a NONE polciy in the other direction. 
<h3>Version &gt;= 1.4.0</h3> <h3>Version &gt;= 1.4.0</h3>
<b>IMPORTANT: Shorewall &gt;=1.4.0 </b><b>requires</b> <b>the iproute <b>IMPORTANT: Shorewall &gt;=1.4.0 </b><b>requires</b> <b>the iproute
package ('ip' utility).</b><br> package ('ip' utility).</b><br>
<br>
<b>Note: </b>Unfortunately, some distributions call this package iproute2
which will cause the upgrade of Shorewall to fail with the diagnostic:<br>
<br>
     error: failed dependencies:iproute is needed by shorewall-1.4.0-1
<br> <br>
<b>Note: </b>Unfortunately, some distributions call this package iproute2
which will cause the upgrade of Shorewall to fail with the diagnostic:<br>
<br>
     error: failed dependencies:iproute is needed by shorewall-1.4.0-1
<br> <br>
This may be worked around by using the --nodeps option of rpm (rpm -Uvh <br>
--nodeps &lt;shorewall rpm&gt;).<br> This may be worked around by using the --nodeps option of rpm (rpm
<br> -Uvh --nodeps &lt;shorewall rpm&gt;).<br>
If you are upgrading from a version &lt; 1.4.0, then:<br> <br>
If you are upgrading from a version &lt; 1.4.0, then:<br>
<ul> <ul>
<li>The <b>noping </b>and <b>forwardping</b> interface options <li>The <b>noping </b>and <b>forwardping</b> interface options
are no longer supported nor is the <b>FORWARDPING </b>option in shorewall.conf. are no longer supported nor is the <b>FORWARDPING </b>option in shorewall.conf.
ICMP echo-request (ping) packets are treated just like any other connection ICMP echo-request (ping) packets are treated just like any other connection
request and are subject to rules and policies.</li> request and are subject to rules and policies.</li>
<li>Interface names of the form &lt;device&gt;:&lt;integer&gt; <li>Interface names of the form &lt;device&gt;:&lt;integer&gt;
in /etc/shorewall/interfaces now generate a Shorewall error at startup in /etc/shorewall/interfaces now generate a Shorewall error at startup
(they always have produced warnings in iptables).</li> (they always have produced warnings in iptables).</li>
<li>The MERGE_HOSTS variable has been removed from shorewall.conf. <li>The MERGE_HOSTS variable has been removed from shorewall.conf.
Shorewall 1.4 behaves like 1.3 did when MERGE_HOSTS=Yes; that is zone contents Shorewall 1.4 behaves like 1.3 did when MERGE_HOSTS=Yes; that is zone
are determined by BOTH the interfaces and hosts files when there are entries contents are determined by BOTH the interfaces and hosts files when there
for the zone in both files.</li> are entries for the zone in both files.</li>
<li>The <b>routestopped</b> option in the interfaces and hosts <li>The <b>routestopped</b> option in the interfaces and hosts
file has been eliminated; use entries in the routestopped file instead.</li> file has been eliminated; use entries in the routestopped file instead.</li>
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no <li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is
longer accepted; you must convert to using the new syntax.</li> no longer accepted; you must convert to using the new syntax.</li>
<li value="6">The ALLOWRELATED variable in shorewall.conf is no <li value="6">The ALLOWRELATED variable in shorewall.conf is
longer supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.</li> no longer supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.</li>
<li value="6">Late-arriving DNS replies are now dropped by default; <li value="6">Late-arriving DNS replies are now dropped by default;
there is no need for your own /etc/shorewall/common file simply to avoid there is no need for your own /etc/shorewall/common file simply to avoid
logging these packets.</li> logging these packets.</li>
<li value="6">The 'firewall', 'functions' and 'version' file have <li value="6">The 'firewall', 'functions' and 'version' file
been moved to /usr/share/shorewall.</li> have been moved to /usr/share/shorewall.</li>
<li value="6">The icmp.def file has been removed. If you include <li value="6">The icmp.def file has been removed. If you include
it from /etc/shorewall/icmpdef, you will need to modify that file.</li> it from /etc/shorewall/icmpdef, you will need to modify that file.</li>
<ul> <ul>
</ul> </ul>
<li>If you followed the advice in FAQ #2 and call find_interface_address <li>If you followed the advice in FAQ #2 and call find_interface_address
in /etc/shorewall/params, that code should be moved to /etc/shorewall/init.<br> in /etc/shorewall/params, that code should be moved to /etc/shorewall/init.<br>
</li> </li>
</ul> </ul>
@ -190,81 +204,84 @@ longer accepted; you must convert to using the new syntax.</li>
<h3>Version 1.4.0</h3> <h3>Version 1.4.0</h3>
<ul> <ul>
<li value="8">The 'multi' interface option is no longer supported.  Shorewall <li value="8">The 'multi' interface option is no longer supported.
will generate rules for sending packets back out the same interface that  Shorewall will generate rules for sending packets back out the same
they arrived on in two cases:</li> interface that they arrived on in two cases:</li>
</ul> </ul>
<blockquote> <blockquote>
<ul> <ul>
<li>There is an <u>explicit</u> policy for the source zone to or from <li>There is an <u>explicit</u> policy for the source zone to or
the destination zone. An explicit policy names both zones and does not from the destination zone. An explicit policy names both zones and does
use the 'all' reserved word.</li> not use the 'all' reserved word.</li>
</ul> </ul>
<ul> <ul>
<li>There are one or more rules for traffic for the source zone to <li>There are one or more rules for traffic for the source zone to
or from the destination zone including rules that use the 'all' reserved or from the destination zone including rules that use the 'all' reserved
word. Exception: if the source zone and destination zone are the same then word. Exception: if the source zone and destination zone are the same
the rule must be explicit - it must name the zone in both the SOURCE and then the rule must be explicit - it must name the zone in both the SOURCE
DESTINATION columns.</li> and DESTINATION columns.</li>
</ul> </ul>
</blockquote> </blockquote>
<h3>Version &gt;= 1.3.14</h3> <h3>Version &gt;= 1.3.14</h3>
<img src="images/BD21298_3.gif" alt="" width="13" height="13"> <img src="images/BD21298_3.gif" alt="" width="13"
     Beginning in version 1.3.14, Shorewall treats entries in <a height="13">
href="Documentation.htm#Masq">/etc/shorewall/masq </a>differently. The change      Beginning in version 1.3.14, Shorewall treats entries in
involves entries with an <b>interface name</b> in the <b>SUBNET</b> (second) <a href="Documentation.htm#Masq">/etc/shorewall/masq </a>differently. The
<b>column</b>:<br> change involves entries with an <b>interface name</b> in the <b>SUBNET</b>
(second) <b>column</b>:<br>
<ul> <ul>
<li>Prior to 1.3.14, Shorewall would detect the FIRST subnet <li>Prior to 1.3.14, Shorewall would detect the FIRST subnet
on the interface (as shown by "ip addr show <i>interface</i>") and would on the interface (as shown by "ip addr show <i>interface</i>") and would
masquerade traffic from that subnet. Any other subnets that routed through masquerade traffic from that subnet. Any other subnets that routed through
eth1 needed their own entry in /etc/shorewall/masq to be masqueraded eth1 needed their own entry in /etc/shorewall/masq to be masqueraded
or to have SNAT applied.</li> or to have SNAT applied.</li>
<li>Beginning with Shorewall 1.3.14, Shorewall uses the firewall's <li>Beginning with Shorewall 1.3.14, Shorewall uses the firewall's
routing table to determine ALL subnets routed through the named interface. routing table to determine ALL subnets routed through the named interface.
Traffic originating in ANY of those subnets is masqueraded or has SNAT Traffic originating in ANY of those subnets is masqueraded or has SNAT
applied.</li> applied.</li>
</ul> </ul>
You will need to make a change to your configuration if:<br> You will need to make a change to your configuration if:<br>
<ol> <ol>
<li>You have one or more entries in /etc/shorewall/masq with <li>You have one or more entries in /etc/shorewall/masq with
an interface name in the SUBNET (second) column; and</li> an interface name in the SUBNET (second) column; and</li>
<li>That interface connects to more than one subnetwork.</li> <li>That interface connects to more than one subnetwork.</li>
</ol> </ol>
Two examples:<br> Two examples:<br>
<br> <br>
 <b>Example 1</b> -- Suppose that your current config is as follows:<br>  <b>Example 1</b> -- Suppose that your current config is as
   <br> follows:<br>
   <br>
<pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> eth0                    192.168.10.0/24         206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br> [root@gateway test]#</pre> <pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> eth0                    192.168.10.0/24         206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br> [root@gateway test]#</pre>
<blockquote>In this case, the second entry in /etc/shorewall/masq is no longer <blockquote>In this case, the second entry in /etc/shorewall/masq is no longer
required.<br> required.<br>
</blockquote> </blockquote>
<b>Example 2</b>-- What if your current configuration is like <b>Example 2</b>-- What if your current configuration is like
this?<br> this?<br>
<pre> [root@gateway test]# cat /etc/shorewall/masq <br> #INTERFACE              SUBNET                  ADDRESS <br> eth0                    eth2                    206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE <br> [root@gateway test]# ip route show dev eth2 <br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254 <br> [root@gateway test]#</pre> <pre> [root@gateway test]# cat /etc/shorewall/masq <br> #INTERFACE              SUBNET                  ADDRESS <br> eth0                    eth2                    206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE <br> [root@gateway test]# ip route show dev eth2 <br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254 <br> [root@gateway test]#</pre>
<blockquote>In this case, you would want to change the entry in /etc/shorewall/masq <blockquote>In this case, you would want to change the entry in /etc/shorewall/masq
to:<br> to:<br>
</blockquote> </blockquote>
<pre> #INTERFACE              SUBNET                  ADDRESS <br> eth0                    192.168.1.0/24          206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre> <pre> #INTERFACE              SUBNET                  ADDRESS <br> eth0                    192.168.1.0/24          206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<img src="images/BD21298_3.gif" alt="" width="13" height="13"> <img src="images/BD21298_3.gif" alt="" width="13"
    Version 1.3.14 also introduced simplified ICMP echo-request height="13">
(ping) handling. The option OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf     Version 1.3.14 also introduced simplified ICMP echo-request
is used to specify that the old (pre-1.3.14) ping handling is to be (ping) handling. The option OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf
is used to specify that the old (pre-1.3.14) ping handling is to be
used (If the option is not set in your /etc/shorewall/shorewall.conf used (If the option is not set in your /etc/shorewall/shorewall.conf
then OLD_PING_HANDLING=Yes is assumed). I don't plan on supporting the then OLD_PING_HANDLING=Yes is assumed). I don't plan on supporting the
old handling indefinitely so I urge current users to migrate to using old handling indefinitely so I urge current users to migrate to using
@ -272,155 +289,149 @@ the new handling as soon as possible. See the <a href="ping.html">'Ping'
handling documentation</a> for details.<br> handling documentation</a> for details.<br>
<h3>Version 1.3.10</h3> <h3>Version 1.3.10</h3>
If you have installed the 1.3.10 Beta 1 RPM and are now upgrading If you have installed the 1.3.10 Beta 1 RPM and are now upgrading
to version 1.3.10, you will need to use the '--force' option:<br> to version 1.3.10, you will need to use the '--force' option:<br>
<br> <br>
<blockquote> <blockquote>
<pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm </pre> <pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm </pre>
</blockquote> </blockquote>
<h3>Version &gt;= 1.3.9</h3> <h3>Version &gt;= 1.3.9</h3>
The 'functions' file has moved to /usr/lib/shorewall/functions. The 'functions' file has moved to /usr/lib/shorewall/functions.
If you have an application that uses functions from that file, your If you have an application that uses functions from that file, your
application will need to be changed to reflect this change of location.<br> application will need to be changed to reflect this change of location.<br>
<h3>Version &gt;= 1.3.8</h3> <h3>Version &gt;= 1.3.8</h3>
<p>If you have a pair of firewall systems configured for failover <p>If you have a pair of firewall systems configured for failover
or if you have asymmetric routing, you will need to modify or if you have asymmetric routing, you will need to modify
your firewall setup slightly under Shorewall your firewall setup slightly under Shorewall
versions &gt;= 1.3.8. Beginning with version versions &gt;= 1.3.8. Beginning with version 1.3.8,
1.3.8, you must set NEWNOTSYN=Yes in you must set NEWNOTSYN=Yes in your
your /etc/shorewall/shorewall.conf file.</p> /etc/shorewall/shorewall.conf file.</p>
<h3>Version &gt;= 1.3.7</h3> <h3>Version &gt;= 1.3.7</h3>
<p>Users specifying ALLOWRELATED=No in /etc/shorewall.conf <p>Users specifying ALLOWRELATED=No in /etc/shorewall.conf
will need to include the following will need to include the following
rules in their /etc/shorewall/icmpdef rules in their /etc/shorewall/icmpdef file (creating this
file (creating this file if necessary):</p> file if necessary):</p>
<pre> run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT</pre> <pre> run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT</pre>
<p>Users having an /etc/shorewall/icmpdef file may remove the ". /etc/shorewall/icmp.def" <p>Users having an /etc/shorewall/icmpdef file may remove the ". /etc/shorewall/icmp.def"
command from that file since the icmp.def file is now empty.</p> command from that file since the icmp.def file is now empty.</p>
<h3><b><a name="Bering">Upgrading </a>Bering to <h3><b><a name="Bering">Upgrading </a>Bering to Shorewall &gt;= 1.3.3</b></h3>
Shorewall &gt;= 1.3.3</b></h3>
<p>To properly upgrade with Shorewall version <p>To properly upgrade with Shorewall version 1.3.3 and later:</p>
1.3.3 and later:</p>
<ol> <ol>
<li>Be sure you have a backup <li>Be sure you have a
-- you will need to transcribe any backup -- you will need to transcribe
Shorewall configuration changes that any Shorewall configuration changes
you have made to the new configuration.</li> that you have made to the new configuration.</li>
<li>Replace the shorwall.lrp <li>Replace the shorwall.lrp
package provided on the Bering floppy package provided on the Bering floppy
with the later one. If you did not with the later one. If you did not
obtain the later version from Jacques's obtain the later version from Jacques's site, see additional instructions
site, see additional instructions below.</li> below.</li>
<li>Edit the /var/lib/lrpkg/root.exclude.list <li>Edit the /var/lib/lrpkg/root.exclude.list
file and remove the /var/lib/shorewall file and remove the /var/lib/shorewall
entry if present. Then do not forget entry if present. Then do not forget
to backup root.lrp !</li> to backup root.lrp !</li>
</ol> </ol>
<p>The .lrp that I release isn't set up for a two-interface firewall like <p>The .lrp that I release isn't set up for a two-interface firewall like
Jacques's. You need to follow the <a href="two-interface.htm">instructions Jacques's. You need to follow the <a href="two-interface.htm">instructions
for setting up a two-interface firewall</a> plus you also need for setting up a two-interface firewall</a> plus you also need
to add the following two Bering-specific rules to /etc/shorewall/rules:</p> to add the following two Bering-specific rules to /etc/shorewall/rules:</p>
<blockquote> <blockquote>
<pre># Bering specific rules:<br># allow loc to fw udp/53 for dnscache to work<br># allow loc to fw tcp/80 for weblet to work<br>#<br>ACCEPT loc fw udp 53<br>ACCEPT loc fw tcp 80</pre> <pre># Bering specific rules:<br># allow loc to fw udp/53 for dnscache to work<br># allow loc to fw tcp/80 for weblet to work<br>#<br>ACCEPT loc fw udp 53<br>ACCEPT loc fw tcp 80</pre>
</blockquote> </blockquote>
<h3 align="left">Version 1.3.6 and 1.3.7</h3> <h3 align="left">Version 1.3.6 and 1.3.7</h3>
<p align="left">If you have a pair of firewall systems configured for <p align="left">If you have a pair of firewall systems configured for
failover or if you have asymmetric routing, you will need to modify failover or if you have asymmetric routing, you will need to modify
your firewall setup slightly under Shorewall versions your firewall setup slightly under Shorewall versions 1.3.6
1.3.6 and 1.3.7</p> and 1.3.7</p>
<ol> <ol>
<li> <li>
<p align="left">Create the file /etc/shorewall/newnotsyn and in it add <p align="left">Create the file /etc/shorewall/newnotsyn and in it add
the following rule<br> the following rule<br>
<br> <br>
<font face="Courier">run_iptables -A newnotsyn <font face="Courier">run_iptables -A newnotsyn
-j RETURN # So that the connection tracking table can be -j RETURN # So that the connection tracking table can be
rebuilt<br> rebuilt<br>
                                    # from non-SYN                                     # from
packets after takeover.<br> non-SYN packets after takeover.<br>
 </font> </p>  </font> </p>
</li> </li>
<li> <li>
<p align="left">Create /etc/shorewall/common (if you don't already <p align="left">Create /etc/shorewall/common (if you don't already
have that file) and include the following:<br> have that file) and include the following:<br>
<br> <br>
<font face="Courier">run_iptables -A common -p <font face="Courier">run_iptables -A common
tcp --tcp-flags ACK,FIN,RST ACK -j ACCEPT #Accept Acks to -p tcp --tcp-flags ACK,FIN,RST ACK -j ACCEPT #Accept Acks
rebuild connection<br> to rebuild connection<br>
                                                                                                                                       
#tracking table. <br> #tracking table. <br>
. /etc/shorewall/common.def</font> </p> . /etc/shorewall/common.def</font> </p>
</li> </li>
</ol> </ol>
<h3 align="left">Versions &gt;= 1.3.5</h3> <h3 align="left">Versions &gt;= 1.3.5</h3>
<p align="left">Some forms of pre-1.3.0 rules file syntax are no <p align="left">Some forms of pre-1.3.0 rules file syntax are no longer
longer supported. </p> supported. </p>
<p align="left">Example 1:</p> <p align="left">Example 1:</p>
<div align="left"> <div align="left">
<pre> ACCEPT net loc:192.168.1.12:22 tcp 11111 - all</pre> <pre> ACCEPT net loc:192.168.1.12:22 tcp 11111 - all</pre>
</div> </div>
<p align="left">Must be replaced with:</p> <p align="left">Must be replaced with:</p>
<div align="left"> <div align="left">
<pre> DNAT net loc:192.168.1.12:22 tcp 11111</pre> <pre> DNAT net loc:192.168.1.12:22 tcp 11111</pre>
</div> </div>
<div align="left"> <div align="left">
<p align="left">Example 2:</p> <p align="left">Example 2:</p>
</div> </div>
<div align="left"> <div align="left">
<pre> ACCEPT loc fw::3128 tcp 80 - all</pre> <pre> ACCEPT loc fw::3128 tcp 80 - all</pre>
</div> </div>
<div align="left"> <div align="left">
<p align="left">Must be replaced with:</p> <p align="left">Must be replaced with:</p>
</div> </div>
<div align="left"> <div align="left">
<pre> REDIRECT loc 3128 tcp 80</pre> <pre> REDIRECT loc 3128 tcp 80</pre>
</div> </div>
<h3 align="left">Version &gt;= 1.3.2</h3> <h3 align="left">Version &gt;= 1.3.2</h3>
<p align="left">The functions and versions files together with the <p align="left">The functions and versions files together with the 'firewall'
'firewall' symbolic link have moved from /etc/shorewall to /var/lib/shorewall. symbolic link have moved from /etc/shorewall to /var/lib/shorewall.
If you have applications that access these files, those If you have applications that access these files, those applications
applications should be modified accordingly.</p> should be modified accordingly.</p>
<p><font size="2"> Last updated 3/18/2003 - <p><font size="2"> Last updated 4/7/2003 - <a href="support.htm">Tom Eastep</a></font>
<a href="support.htm">Tom Eastep</a></font> </p> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p> </p>
<br>
<br>
<br> <br>
</body> </body>
</html> </html>