extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-20 17:58:07 +02:00
Code Issues Packages Projects Releases Wiki Activity

Shorewall 1.4.2

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@535 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2003-04-13 15:28:32 +00:00
parent ed0bbce737
commit 16906234c8
109 changed files with 29372 additions and 31361 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
Lrp/etc/shorewall/common.def
View File

@ -16,10 +16,10 @@ run_iptables -A common -p icmp -j icmpdef
############################################################################
# NETBIOS chatter
#
run_iptables -A common -p udp --dport 137:139 -j REJECT
run_iptables -A common -p udp --dport 445 -j REJECT
run_iptables -A common -p tcp --dport 139 -j REJECT
run_iptables -A common -p tcp --dport 445 -j REJECT
run_iptables -A common -p udp --dport 137:139 -j reject
run_iptables -A common -p udp --dport 445 -j reject
run_iptables -A common -p tcp --dport 139 -j reject
run_iptables -A common -p tcp --dport 445 -j reject
run_iptables -A common -p tcp --dport 135 -j reject
############################################################################
# UPnP

9
Lrp/etc/shorewall/hosts
View File

@ -44,6 +44,15 @@
# an ethernet NIC and must be up before
# Shorewall is started.
#
# routeback - Shorewall show set up the infrastructure
# to pass packets from this/these
# address(es) back to themselves. This is
# necessary of hosts in this group use the
# services of a transparent proxy that is
# a member of the group or if DNAT is used
# to send requests originating from this
# group to a server in the group.
#
#
#ZONE HOST(S) OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE

46
Lrp/usr/share/shorewall/firewall
View File

@ -542,6 +542,9 @@ determine_hosts() {
interfaces="$interfaces $interface"
fi
fi
[ "${host#*:}" = "0.0.0.0/0" ] || \
eval ${zone}_is_complex=Yes
done
eval ${zone}_interfaces="\$interfaces"
@ -605,6 +608,10 @@ validate_interfaces_file() {
;;
routefilter|dropunclean|logunclean|blacklist|proxyarp|maclist|-)
;;
routeback)
[ -n "$z" ] || startup_error "The routeback option may not be specified on a multi-zone interface"
eval ${z}_routeback=\"$interface:0.0.0.0/0 \$${z}_routeback\"
;;
*)
error_message "Warning: Invalid option ($option) in record \"$r\""
;;
@ -635,6 +642,9 @@ validate_hosts_file() {
case $option in
maclist|-)
;;
routeback)
eval ${z}_routeback=\"$host \$${z}_routeback\"
;;
*)
error_message "Warning: Invalid option ($option) in record \"$r\""
;;
@ -1665,16 +1675,16 @@ check_config() {
determine_interfaces
determine_hosts
echo "Validating policy file..."
validate_policy
echo "Validating rules file..."
rules=`find_file rules`
strip_file rules $rules
process_rules
echo "Validating policy file..."
validate_policy
rm -rf $TMP_DIR
echo "Configuration Validated"
@ -3185,13 +3195,14 @@ initialize_netfilter () {
setcontinue FORWARD
setcontinue INPUT
setcontinue OUTPUT
#
# Allow DNS lookups during startup for FQDNs and deep-six INVALID packets
#
for chain in INPUT OUTPUT FORWARD; do
run_iptables -A $chain -p udp --dport 53 -j ACCEPT
run_iptables -A $chain -m state --state INVALID -j DROP
run_iptables -A $chain -p ! icmp -m state --state INVALID -j DROP
done
[ -n "$CLAMPMSS" ] && \
@ -3661,6 +3672,13 @@ activate_rules()
chain1=`rules_chain $FW $zone`
chain2=`rules_chain $zone $FW`
eval complex=\$${zone}_is_complex
if [ -n "$complex" ]; then
frwd_chain=${zone}_frwd
createchain $frwd_chain No
fi
echo "$FW $zone $chain1" >> ${STATEDIR}/chains
echo "$zone $FW $chain2" >> ${STATEDIR}/chains
@ -3678,6 +3696,8 @@ activate_rules()
run_iptables -A `input_chain $interface` -s $subnet -j $chain2
[ -n "$complex" ] && \
run_iptables -A `forward_chain $interface` -s $subnet -j $frwd_chain
done
for zone1 in $zones; do
@ -3692,17 +3712,27 @@ activate_rules()
echo "$zone $zone1 $chain" >> ${STATEDIR}/chains
if [ $zone = $zone1 ]; then
eval routeback=\"\$${zone}_routeback\"
else
routeback=
fi
for host in $source_hosts; do
interface=${host%:*}
subnet=${host#*:}
if [ -n "$complex" ]; then
chain1=$frwd_chain
else
chain1=`forward_chain $interface`
fi
for host1 in $dest_hosts; do
interface1=${host1%:*}
subnet1=${host1#*:}
if [ "$host" != "$host1" ]; then
run_iptables -A $chain1 -s $subnet -o $interface1 -d $subnet1 -j $chain
if [ "$host" != "$host1" ] || list_search $host $routeback; then
run_iptables -A $chain1 -o $interface1 -d $subnet1 -j $chain
fi
done
done

30
Lrp/usr/share/shorewall/functions
View File

@ -181,6 +181,34 @@ mutex_off()
rm -f $STATEDIR/lock
}
#
# Read a file and handle "INCLUDE" directives
#
read_file() # $1 = file name, $2 = nest count
{
local first rest
while read first rest; do
if [ "x$first" = "xINCLUDE" ]; then
if [ $2 -lt 4 ]; then
read_file `find_file ${rest%#*}` $(($2 + 1))
else
echo " WARNING: INCLUDE in $1 ignored (nested too deeply)" >&2
fi
else
echo "$first $rest"
fi
done < $1
}
#
# Function for including one file into another
#
INCLUDE() {
. `find_file $@`
}
#
# Strip comments and blank lines from a file and place the result in the
# temporary directory
@ -192,7 +220,7 @@ strip_file() # $1 = Base Name of the file, $2 = Full Name of File (optional)
[ $# = 1 ] && fname=`find_file $1` || fname=$2
if [ -f $fname ]; then
cut -d'#' -f1 $fname | grep -v '^[[:space:]]*$' > $TMP_DIR/$1
read_file $fname 0 | cut -d'#' -f1 | grep -v '^[[:space:]]*$' > $TMP_DIR/$1
else
> $TMP_DIR/$1
fi

2
Lrp/usr/share/shorewall/version
View File

@ -1 +1 @@
1.4.1
1.4.2

2
Lrp/var/lib/lrpkg/shorwall.version
View File

@ -1 +1 @@
1.4.1
1.4.2

16
STABLE/changelog.txt
View File

@ -1,9 +1,15 @@
Changes since 1.4.0
Changes since 1.4.1
1. Implement NONE policy.
1. Re-order steps in the 'check' command so that the policy file is
checked before the rules file.
2. Never create rules for <iface>:<subnet> to itself.
2. Create an intermediate chain for input from zones defined in terms
of specific hosts or networks.
3. Always allow intrazone traffic.
3. Fixed common.def to use 'reject' rather than 'REJECT'.
4. Correct building of ECN interface list under ash.
4. Added support for INCLUDE directive in all files.
5. Made traceroute -I work.
6. Add 'routeback' interface and host attribute.

351
STABLE/documentation/FAQ.htm
View File

@ -34,7 +34,8 @@
bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<td
width="100%">
@ -50,6 +51,10 @@
</table>
<h1>Looking for Step by Step Configuration Instructions? Check out the <a
href="file:///Z:/Shorewall-docs/shorewall_quickstart_guide.htm">QuickStart
Guides</a>. <br>
</h1>
<h1>PORT FORWARDING<br>
</h1>
@ -68,9 +73,9 @@
<p align="left"><b>1b. </b><a href="#faq1b">I'm still having problems with
port forwarding</a></p>
<p align="left"><b>1c. </b><a href="#faq1c">From the internet, I want to <b>connect
to port 1022</b> on my firewall and have the <b>firewall forward the connection
to port 22 on local system 192.168.1.3</b>. How do I do that?</a><br>
<p align="left"><b>1c. </b><a href="#faq1c">From the internet, I want to
<b>connect to port 1022</b> on my firewall and have the <b>firewall forward
the connection to port 22 on local system 192.168.1.3</b>. How do I do that?</a><br>
</p>
<h1><b>DNS and PORT FORWARDING/NAT<br>
@ -107,7 +112,8 @@ as 'closed' rather than 'blocked'.</b> Why?</a></p>
<p align="left"><b>4a. </b><a href="#faq4a">I just ran an <b>nmap UDP scan</b>
of my firewall and it showed 100s of ports as open!!!!</a></p>
of my firewall and it showed 100s of ports as
open!!!!</a></p>
<h1>CONNECTION PROBLEMS</h1>
@ -142,16 +148,16 @@ as 'closed' rather than 'blocked'.</b> Why?</a></p>
</p>
<p align="left"><b>6d.</b> <a href="#faq6d">Why is the <b>MAC address</b>
in Shorewall log messages <b>so long</b>? I thought MAC addresses
were only 6 bytes in length.</a><b><br>
in Shorewall log messages <b>so long</b>? I thought MAC addresses were
only 6 bytes in length.</a><b><br>
</b></p>
<p align="left"><b>16. </b><a href="#faq16">Shorewall is writing <b>log messages
all over my console</b> making it unusable!<br>
</a></p>
<b>17</b>. <a
href="#faq17">How do I find out <b>why this traffic is</b>
getting <b>logged?</b></a><br>
href="#faq17">How do I find out <b>why this traffic is</b> getting
<b>logged?</b></a><br>
<b><br>
21. </b><a href="#faq21">I see these <b>strange log entries
</b>occasionally; what are they?</a><br>
@ -207,24 +213,24 @@ support?</a></p>
</h1>
<p align="left"><b>14. </b><a href="#faq14">I'm connected via a cable modem
and it has an internel web server that allows me
to configure/monitor it but as expected if I enable
<b> rfc1918 blocking</b> for my eth0 interface, it also blocks
the <b>cable modems web server</b></a>.</p>
and it has an internel web server that allows
me to configure/monitor it but as expected if I enable
<b> rfc1918 blocking</b> for my eth0 interface, it also
blocks the <b>cable modems web server</b></a>.</p>
<p align="left"><b>14a. </b><a href="#faq14a">Even though it assigns public
IP addresses, my ISP's DHCP server has an RFC 1918
address. If I enable RFC 1918 filtering on my external
interface, <b>my DHCP client cannot renew its lease</b>.</a></p>
IP addresses, my ISP's DHCP server has an RFC
1918 address. If I enable RFC 1918 filtering on my
external interface, <b>my DHCP client cannot renew its lease</b>.</a></p>
<h1>ALIAS IP ADDRESSES/VIRTUAL INTERFACES<br>
</h1>
<b>18.</b> <a href="#faq18">Is there any
way to use <b>aliased ip addresses</b> with Shorewall, and
maintain separate rulesets for different IPs?</a><br>
way to use <b>aliased ip addresses</b> with Shorewall,
and maintain separate rulesets for different IPs?</a><br>
<h1>MISCELLANEOUS<br>
</h1>
@ -232,8 +238,8 @@ way to use <b>aliased ip addresses</b> with Shorewall, and
but they <b>don't </b>seem to <b>do anything</b>. Why?</a><br>
<br>
<b>20. </b><a href="#faq20">I have
just set up a server. <b>Do I have to change Shorewall to
allow access to my server from the internet?</b></a><br>
just set up a server. <b>Do I have to change Shorewall to allow
access to my server from the internet?</b></a><br>
<br>
<b>24. </b><a href="#faq24">How can I <b>allow conections</b>
to let's say the ssh port only<b> from specific IP Addresses</b>
@ -244,15 +250,15 @@ allow access to my server from the internet?</b></a><br>
<hr>
<h4 align="left"><a name="faq1"></a>1. I want to forward UDP port 7777 to
my my personal PC with IP address 192.168.1.5. I've
looked everywhere and can't find how to do it.</h4>
my my personal PC with IP address 192.168.1.5.
I've looked everywhere and can't find how to do it.</h4>
<p align="left"><b>Answer: </b>The <a
href="Documentation.htm#PortForward"> first example</a> in the <a
href="Documentation.htm#Rules">rules file documentation</a> shows how to
do port forwarding under Shorewall. The format of
a port-forwarding rule to a local system is as follows:</p>
do port forwarding under Shorewall. The format
of a port-forwarding rule to a local system is as follows:</p>
<blockquote>
@ -387,8 +393,8 @@ DEST.</b></u></td>
</table>
</blockquote>
Finally, if you need to forward a range of ports, in the PORT
column specify the range as <i>low-port</i>:<i>high-port</i>.<br>
Finally, if you need to forward a range of ports, in the
PORT column specify the range as <i>low-port</i>:<i>high-port</i>.<br>
<h4 align="left"><a name="faq1a"></a>1a. Ok -- I followed those instructions
but it doesn't work</h4>
@ -404,8 +410,8 @@ to test from inside your firewall (no, that won't work
-- see <a href="#faq2">FAQ #2</a>).</li>
<li>You have a more
basic problem with your local system such as an incorrect
default gateway configured (it should be set to the IP address
of your firewall's internal interface).</li>
default gateway configured (it should be set to the IP
address of your firewall's internal interface).</li>
<li>Your ISP is blocking that particular port inbound.<br>
</li>
@ -420,19 +426,19 @@ default gateway configured (it should be set to the IP address
<ul>
<li>As root, type "iptables -t
nat -Z". This clears the NetFilter counters in the nat
table.</li>
<li>As root, type "iptables
-t nat -Z". This clears the NetFilter counters in the
nat table.</li>
<li>Try to connect to the redirected
port from an external host.</li>
<li>As root type "shorewall show
nat"</li>
<li>As root type "shorewall
show nat"</li>
<li>Locate the appropriate DNAT
rule. It will be in a chain called <i>&lt;source zone&gt;</i>_dnat
('net_dnat' in the above examples).</li>
<li>Is the packet count in the
first column non-zero? If so, the connection request
is reaching the firewall and is being redirected to the server.
first column non-zero? If so, the connection request is
reaching the firewall and is being redirected to the server.
In this case, the problem is usually a missing or incorrect
default gateway setting on the server (the server's default
gateway should be the IP address of the firewall's interface
@ -512,8 +518,8 @@ DEST.</b></u></td>
</div>
<h4 align="left"><a name="faq2"></a>2. I port forward www requests to www.mydomain.com
(IP 130.151.100.69) to system 192.168.1.5 in my local
network. External clients can browse http://www.mydomain.com
(IP 130.151.100.69) to system 192.168.1.5 in my
local network. External clients can browse http://www.mydomain.com
but internal clients can't.</h4>
@ -527,8 +533,8 @@ DEST.</b></u></td>
there's nothing between that server and your other internal
systems. For the cost of another NIC and a cross-over cable,
you can put your server in a DMZ such that it is isolated
from your local systems - assuming that the Server can be located
near the Firewall, of course :-)</li>
from your local systems - assuming that the Server can be
located near the Firewall, of course :-)</li>
<li>The accessibility
problem is best solved using <a
href="shorewall_setup_guide.htm#DNS">Bind Version 9 "views"</a>
@ -543,10 +549,10 @@ from your local systems - assuming that the Server can be located
<p align="left">If you insist on an IP solution to the accessibility problem
rather than a DNS solution, then assuming that your
external interface is eth0 and your internal interface
is eth1 and that eth1 has IP address 192.168.1.254 with
subnet 192.168.1.0/24, in /etc/shorewall/rules, add:</p>
rather than a DNS solution, then assuming that
your external interface is eth0 and your internal
interface is eth1 and that eth1 has IP address 192.168.1.254
with subnet 192.168.1.0/24, in /etc/shorewall/rules, add:</p>
<div align="left">
@ -595,9 +601,9 @@ DEST.</b></u></td>
<div align="left">
<p align="left">That rule only works of course if you have a static external
IP address. If you have a dynamic IP address and
are running Shorewall 1.3.4 or later then include this
in /etc/shorewall/init:</p>
IP address. If you have a dynamic IP address
and are running Shorewall 1.3.4 or later then include
this in /etc/shorewall/init:</p>
</div>
@ -653,8 +659,8 @@ DEST.</b></u></td>
<div align="left">
<p align="left">Using this technique, you will want to configure your DHCP/PPPoE
client to automatically restart Shorewall each time
that you get a new IP address.</p>
client to automatically restart Shorewall each
time that you get a new IP address.</p>
</div>
@ -667,8 +673,8 @@ DEST.</b></u></td>
<p align="left"><b>Answer: </b>This is another problem that is best solved
using Bind Version 9 "views". It allows both external
and internal clients to access a NATed host using the
host's DNS name.</p>
and internal clients to access a NATed host using
the host's DNS name.</p>
<p align="left">Another good way to approach this problem is to switch from
@ -677,8 +683,8 @@ Z have non-RFC1918 addresses and can be accessed externally
and internally using the same address. </p>
<p align="left">If you don't like those solutions and prefer routing all Z-&gt;Z
traffic through your firewall then:</p>
<p align="left">If you don't like those solutions and prefer routing all
Z-&gt;Z traffic through your firewall then:</p>
<p align="left">a) Set the Z-&gt;Z policy to ACCEPT.<br>
@ -772,15 +778,18 @@ traffic through your firewall then:</p>
id="AutoNumber3" width="369">
<tbody>
<tr>
<td width="93"><u><b>INTERFACE
</b></u></td>
<td width="31"><u><b>SUBNET</b></u></td>
<td
width="93"><u><b>INTERFACE </b></u></td>
<td
width="31"><u><b>SUBNET</b></u></td>
<td
width="120"><u><b>ADDRESS</b></u></td>
</tr>
<tr>
<td width="93">eth2</td>
<td width="31">192.168.2.0/24</td>
<td
width="93">eth2</td>
<td
width="31">192.168.2.0/24</td>
<td
width="120"> <br>
</td>
@ -804,29 +813,29 @@ traffic through your firewall then:</p>
<p align="left"><b>Answer: </b>There is an <a
href="http://www.kfki.hu/%7Ekadlec/sw/netfilter/newnat-suite/"> H.323 connection
tracking/NAT module</a> that may help with Netmeeting.
Look <a href="http://linux-igd.sourceforge.net">here</a> for a solution
for MSN IM but be aware that there are significant security risks
involved with this solution. Also check the Netfilter mailing
Look <a href="http://linux-igd.sourceforge.net">here</a> for a
solution for MSN IM but be aware that there are significant security
risks involved with this solution. Also check the Netfilter mailing
list archives at <a href="http://www.netfilter.org">http://www.netfilter.org</a>.
</p>
<h4 align="left"><a name="faq4"></a>4. I just used an online port scanner
to check my firewall and it shows some ports as
'closed' rather than 'blocked'. Why?</h4>
to check my firewall and it shows some ports
as 'closed' rather than 'blocked'. Why?</h4>
<p align="left"><b>Answer: </b>The common.def included with version 1.3.x
always rejects connection requests on TCP port
113 rather than dropping them. This is necessary to
prevent outgoing connection problems to services that use
the 'Auth' mechanism for identifying requesting users. Shorewall
also rejects TCP ports 135, 137 and 139 as well as UDP ports
137-139. These are ports that are used by Windows (Windows
<u>can</u> be configured to use the DCE cell locator on port
135). Rejecting these connection requests rather than dropping
them cuts down slightly on the amount of Windows chatter on LAN segments
connected to the Firewall. </p>
113 rather than dropping them. This is necessary
to prevent outgoing connection problems to services that
use the 'Auth' mechanism for identifying requesting users.
Shorewall also rejects TCP ports 135, 137 and 139 as well
as UDP ports 137-139. These are ports that are used by Windows
(Windows <u>can</u> be configured to use the DCE cell locator
on port 135). Rejecting these connection requests rather than dropping
them cuts down slightly on the amount of Windows chatter on LAN
segments connected to the Firewall. </p>
<p align="left">If you are seeing port 80 being 'closed', that's probably
@ -840,10 +849,10 @@ involved with this solution. Also check the Netfilter mailing
<p align="left"><b>Answer: </b>Take a deep breath and read the nmap man page
section about UDP scans. If nmap gets <b>nothing</b>
back from your firewall then it reports the port as
open. If you want to see which UDP ports are really open,
temporarily change your net-&gt;all policy to REJECT, restart
Shorewall and do the nmap UDP scan again.</p>
back from your firewall then it reports the port
as open. If you want to see which UDP ports are really open,
temporarily change your net-&gt;all policy to REJECT,
restart Shorewall and do the nmap UDP scan again.</p>
<h4 align="left"><a name="faq5"></a>5. I've installed Shorewall and now I
@ -856,8 +865,8 @@ involved with this solution. Also check the Netfilter mailing
<p align="left">a) Create /etc/shorewall/common if it doesn't already exist.
<br>
b) Be sure that the first
command in the file is ". /etc/shorewall/common.def"<br>
b) Be sure that the
first command in the file is ". /etc/shorewall/common.def"<br>
c) Add the following
to /etc/shorewall/common </p>
@ -877,15 +886,15 @@ to /etc/shorewall/common </p>
and how do I change the destination?</h4>
<p align="left"><b>Answer: </b>NetFilter uses the kernel's equivalent of syslog
(see "man syslog") to log messages. It always uses the LOG_KERN (kern) facility
(see "man openlog") and you get to choose the log level (again, see "man
syslog") in your <a href="Documentation.htm#Policy">policies</a> and <a
href="Documentation.htm#Rules">rules</a>. The destination for messaged
<p align="left"><b>Answer: </b>NetFilter uses the kernel's equivalent of
syslog (see "man syslog") to log messages. It always uses the LOG_KERN (kern)
facility (see "man openlog") and you get to choose the log level (again,
see "man syslog") in your <a href="Documentation.htm#Policy">policies</a>
and <a href="Documentation.htm#Rules">rules</a>. The destination for messaged
logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
When you have changed /etc/syslog.conf, be sure to
restart syslogd (on a RedHat system, "service syslog restart").
</p>
When you have changed /etc/syslog.conf, be sure
to restart syslogd (on a RedHat system, "service syslog
restart"). </p>
<p align="left">By default, older versions of Shorewall ratelimited log messages
@ -925,8 +934,8 @@ log all messages, set: </p>
</p>
</blockquote>
I personnaly use Logwatch. It emails me
a report each day from my various systems with each report
summarizing the logged activity on the corresponding system.
a report each day from my various systems with each report summarizing
the logged activity on the corresponding system.
<h4 align="left"><b><a name="faq6b"></a>6b. DROP messages</b> on port 10619
@ -956,15 +965,16 @@ get logged twice, they are corrupted. I solve this problem by using
an /etc/shorewall/common file like this:<br>
<blockquote>
<pre>#<br># Include the standard common.def file<br>#<br>. /etc/shorewall/common.def<br>#<br># The following rule is non-standard and compensates for tardy<br># DNS replies<br>#<br>run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP</pre>
</blockquote>
The above file is also include in all of my sample configurations
available in the <a href="shorewall_quickstart_guide.htm">Quick Start
Guides</a> and in the common.def file in Shorewall 1.4.0 and later.<br>
available in the <a href="shorewall_quickstart_guide.htm">Quick
Start Guides</a> and in the common.def file in Shorewall 1.4.0 and later.<br>
<h4 align="left"><a name="faq6d"></a><b>6d.</b> Why is the MAC address in
Shorewall log messages so long? I thought MAC addresses were only
6 bytes in length.</h4>
Shorewall log messages so long? I thought MAC addresses were only 6
bytes in length.</h4>
What is labeled as the MAC address in a Shorewall log message is
actually the Ethernet frame header. IT contains:<br>
@ -991,10 +1001,10 @@ that command work?</h4>
<p align="left">The 'stop' command is intended to place your firewall into
a safe state whereby only those hosts listed in /etc/shorewall/routestopped'
are activated. If you want to totally open up your
firewall, you must use the 'shorewall clear' command.
</p>
a safe state whereby only those hosts listed in
/etc/shorewall/routestopped' are activated. If you
want to totally open up your firewall, you must use the 'shorewall
clear' command. </p>
<h4 align="left"><a name="faq8"></a>8. When I try to start Shorewall on RedHat,
@ -1048,9 +1058,9 @@ that command work?</h4>
<div align="left">
<p align="left"><b>Answer: </b>The above output is perfectly normal. The Net
zone is defined as all hosts that are connected through eth0 and the local
zone is defined as all hosts connected through eth1</p>
<p align="left"><b>Answer: </b>The above output is perfectly normal. The
Net zone is defined as all hosts that are connected through eth0 and the
local zone is defined as all hosts connected through eth1</p>
</div>
@ -1083,14 +1093,14 @@ that command work?</h4>
<p align="left"><b>Answer: </b>Shorewall is a concatenation of "<u>Shore</u>line"
(<a href="http://www.cityofshoreline.com">the
city where I live</a>) and "Fire<u>wall</u>". The full
name of the product is actually "Shoreline Firewall" but "Shorewall"
city where I live</a>) and "Fire<u>wall</u>". The
full name of the product is actually "Shoreline Firewall" but "Shorewall"
is must more commonly used.</p>
<h4 align="left"> <a name="faq14"></a>14. I'm connected via a cable modem
and it has an internal web server that allows me
to configure/monitor it but as expected if I enable
and it has an internal web server that allows
me to configure/monitor it but as expected if I enable
rfc1918 blocking for my eth0 interface (the internet one),
it also blocks the cable modems web server.</h4>
@ -1101,8 +1111,9 @@ that command work?</h4>
rfc1918 addresses?</p>
<p align="left"><b>Answer: </b>If you are running a version of Shorewall earlier
than 1.3.1, create /etc/shorewall/start and in it, place the following:</p>
<p align="left"><b>Answer: </b>If you are running a version of Shorewall
earlier than 1.3.1, create /etc/shorewall/start and in it, place the
following:</p>
<div align="left">
@ -1153,10 +1164,10 @@ than 1.3.1, create /etc/shorewall/start and in it, place the following:</p>
<p align="left">Note: If you add a second IP address to your external firewall
interface to correspond to the modem address, you
must also make an entry in /etc/shorewall/rfc1918 for that
address. For example, if you configure the address 192.168.100.2
on your firewall, then you would add two entries to /etc/shorewall/rfc1918:
<br>
must also make an entry in /etc/shorewall/rfc1918 for
that address. For example, if you configure the address
192.168.100.2 on your firewall, then you would add two entries
to /etc/shorewall/rfc1918: <br>
</p>
@ -1203,10 +1214,10 @@ on your firewall, then you would add two entries to /etc/shorewal
<div align="left">
<h4 align="left"><a name="faq14a"></a>14a. Even though it assigns public IP
addresses, my ISP's DHCP server has an RFC 1918 address. If I enable RFC
1918 filtering on my external interface, my DHCP client cannot renew its
lease.</h4>
<h4 align="left"><a name="faq14a"></a>14a. Even though it assigns public
IP addresses, my ISP's DHCP server has an RFC 1918 address. If I enable
RFC 1918 filtering on my external interface, my DHCP client cannot renew
its lease.</h4>
</div>
@ -1222,9 +1233,9 @@ lease.</h4>
<p align="left"><b>Answer: </b>Every time I read "systems can't see out to
the net", I wonder where the poster bought computers
with eyes and what those computers will "see" when things
are working properly. That aside, the most common causes
of this problem are:</p>
with eyes and what those computers will "see" when
things are working properly. That aside, the most common
causes of this problem are:</p>
<ol>
@ -1250,8 +1261,8 @@ lease.</h4>
<p align="left">The DNS settings on the local systems are wrong or the
user is running a DNS server on the firewall and
hasn't enabled UDP and TCP port 53 from the firewall
user is running a DNS server on the firewall
and hasn't enabled UDP and TCP port 53 from the firewall
to the internet.</p>
</li>
@ -1284,8 +1295,8 @@ destination address is listed in /etc/shorewall/rfc1918
with a <b>logdrop </b>target -- see <a
href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li>
<li><b>rfc1918</b> - The
source address is listed in /etc/shorewall/rfc1918 with
a <b>logdrop </b>target -- see <a
source address is listed in /etc/shorewall/rfc1918
with a <b>logdrop </b>target -- see <a
href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li>
<li><b>all2&lt;zone&gt;</b>,
<b>&lt;zone&gt;2all</b> or <b>all2all </b>-
@ -1297,8 +1308,8 @@ a <b>logdrop </b>target -- see <a
<li><b>&lt;zone1&gt;2&lt;zone2&gt;
</b>- Either you have a<a
href="Documentation.htm#Policy"> policy</a> for <b>&lt;zone1&gt;
</b>to <b>&lt;zone2&gt;</b> that specifies a log level and
this packet is being logged under that policy or this packet
</b>to <b>&lt;zone2&gt;</b> that specifies a log level
and this packet is being logged under that policy or this packet
matches a <a href="Documentation.htm#Rules">rule</a> that includes
a log level.</li>
<li><b>&lt;interface&gt;_mac</b>
@ -1310,27 +1321,27 @@ packet is being logged under the <b>logunclean</b>
<a href="Documentation.htm#Interfaces">interface option</a>.</li>
<li><b>badpkt </b>- The
packet is being logged under the <b>dropunclean</b>
<a href="Documentation.htm#Interfaces">interface option</a>
as specified in the <b>LOGUNCLEAN </b>setting in <a
<a href="Documentation.htm#Interfaces">interface option</a> as
specified in the <b>LOGUNCLEAN </b>setting in <a
href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.</li>
<li><b>blacklst</b> - The
packet is being logged because the source IP is blacklisted
in the<a href="Documentation.htm#Blacklist"> /etc/shorewall/blacklist
</a>file.</li>
<li><b>newnotsyn </b>- The
packet is being logged because it is a TCP packet that
is not part of any current connection yet it is not a syn packet.
Options affecting the logging of such packets include <b>NEWNOTSYN
</b>and <b>LOGNEWNOTSYN </b>in <a
href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
<li><b>newnotsyn </b>-
The packet is being logged because it is a TCP packet
that is not part of any current connection yet it is not a
syn packet. Options affecting the logging of such packets include
<b>NEWNOTSYN </b>and <b>LOGNEWNOTSYN </b>in
<a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
<li><b>INPUT</b> or <b>FORWARD</b>
- The packet has a source IP address that isn't in any
of your defined zones ("shorewall check" and look at the
printed zone definitions) or the chain is FORWARD and the destination
IP isn't in any of your defined zones.</li>
<li><b>logflags </b>- The packet is
being logged because it failed the checks implemented by
the <b>tcpflags </b><a href="Documentation.htm#Interfaces">interface
<li><b>logflags </b>- The packet
is being logged because it failed the checks implemented
by the <b>tcpflags </b><a href="Documentation.htm#Interfaces">interface
option</a>.<br>
</li>
@ -1339,11 +1350,12 @@ the <b>tcpflags </b><a href="Documentation.htm#Interfaces">interface
<h4><a name="faq18"></a>18. Is there any way to use <b>aliased ip addresses</b>
with Shorewall, and maintain separate rulesets for different
IPs?</h4>
with Shorewall, and maintain separate rulesets for
different IPs?</h4>
<b>Answer: </b>Yes. See <a
href="Shorewall_and_Aliased_Interfaces.html">Shorewall and Aliased Interfaces</a>.
<h4><b><a name="faq19"></a>19. </b>I have added entries to /etc/shorewall/tcrules
but they don't seem to do anything. Why?</h4>
You probably haven't set TC_ENABLED=Yes
@ -1352,13 +1364,13 @@ the <b>tcpflags </b><a href="Documentation.htm#Interfaces">interface
<h4><a name="faq20"></a><b>20. </b>I have just set up a server. <b>Do I have
to change Shorewall to allow access to my server from
the internet?</b><br>
to change Shorewall to allow access to my server from the
internet?</b><br>
</h4>
Yes. Consult the <a
href="shorewall_quickstart_guide.htm">QuickStart guide</a> that
you used during your initial setup for information about how to set
up rules for your server.<br>
href="shorewall_quickstart_guide.htm">QuickStart guide</a> that you
used during your initial setup for information about how to set up
rules for your server.<br>
<h4><a name="faq21"></a><b>21. </b>I see these <b>strange log entries </b>occasionally;
what are they?<br>
@ -1380,50 +1392,50 @@ you used during your initial setup for information about how to set
and Masquerade), there are a lot of broken implementations. That is
what you are seeing with these messages.<br>
<br>
Here is my interpretation of what is happening
-- to confirm this analysis, one would have to have packet
sniffers placed a both ends of the connection.<br>
Here is my interpretation of what is
happening -- to confirm this analysis, one would have to
have packet sniffers placed a both ends of the connection.<br>
<br>
Host 172.16.1.10 behind NAT gateway 206.124.146.179
sent a UDP DNS query to 192.0.2.3 and your DNS server tried
to send a response (the response information is in the brackets
-- note source port 53 which marks this as a DNS reply). When the
response was returned to to 206.124.146.179, it rewrote the destination
IP TO 172.16.1.10 and forwarded the packet to 172.16.1.10 who no
longer had a connection on UDP port 2857. This causes a port unreachable
IP TO 172.16.1.10 and forwarded the packet to 172.16.1.10 who no longer
had a connection on UDP port 2857. This causes a port unreachable
(type 3, code 3) to be generated back to 192.0.2.3. As this packet
is sent back through 206.124.146.179, that box correctly changes the
source address in the packet to 206.124.146.179 but doesn't reset
the DST IP in the original DNS response similarly. When the ICMP
reaches your firewall (192.0.2.3), your firewall has no record of having
sent a DNS reply to 172.16.1.10 so this ICMP doesn't appear to be
related to anything that was sent. The final result is that the packet
gets logged and dropped in the all2all chain. I have also seen cases
where the source IP in the ICMP itself isn't set back to the external
IP of the remote NAT gateway; that causes your firewall to log and drop
the packet out of the rfc1918 chain because the source IP is reserved
by RFC 1918.<br>
source address in the packet to 206.124.146.179 but doesn't reset the
DST IP in the original DNS response similarly. When the ICMP reaches
your firewall (192.0.2.3), your firewall has no record of having sent
a DNS reply to 172.16.1.10 so this ICMP doesn't appear to be related
to anything that was sent. The final result is that the packet gets
logged and dropped in the all2all chain. I have also seen cases where
the source IP in the ICMP itself isn't set back to the external IP of
the remote NAT gateway; that causes your firewall to log and drop the
packet out of the rfc1918 chain because the source IP is reserved by RFC
1918.<br>
<h4><a name="faq22"></a><b>22. </b>I have some <b>iptables commands </b>that
I want to <b>run when Shorewall starts.</b> Which file do I
put them in?</h4>
You can place these commands in one of
the <a href="shorewall_extension_scripts.htm">Shorewall Extension Scripts</a>.
You can place these commands in one
of the <a href="shorewall_extension_scripts.htm">Shorewall Extension Scripts</a>.
Be sure that you look at the contents of the chain(s) that you will be
modifying with your commands to be sure that the commands will
do what they are intended. Many iptables commands published in
HOWTOs and other instructional material use the -A command which
adds the rules to the end of the chain. Most chains that Shorewall
constructs end with an unconditional DROP, ACCEPT or REJECT rule and
any rules that you add after that will be ignored. Check "man iptables"
and look at the -I (--insert) command.<br>
do what they are intended. Many iptables commands published in HOWTOs
and other instructional material use the -A command which adds the
rules to the end of the chain. Most chains that Shorewall constructs
end with an unconditional DROP, ACCEPT or REJECT rule and any rules
that you add after that will be ignored. Check "man iptables" and look
at the -I (--insert) command.<br>
<h4><a name="faq23"></a><b>23. </b>Why do you use such ugly fonts on your
web site?</h4>
The Shorewall web site is almost font neutral (it
doesn't explicitly specify fonts except on a few pages) so the
fonts you see are largely the default fonts configured in your browser.
If you don't like them then reconfigure your browser.<br>
The Shorewall web site is almost font neutral
(it doesn't explicitly specify fonts except on a few pages) so
the fonts you see are largely the default fonts configured in your
browser. If you don't like them then reconfigure your browser.<br>
<h4><a name="faq24"></a>24. How can I <b>allow conections</b> to let's say
the ssh port only<b> from specific IP Addresses</b> on the internet?</h4>
@ -1446,15 +1458,16 @@ a colon and a list of the host/subnet addresses as a comma-separated
<br>
<font color="#009900"><b> /sbin/shorewall version</b></font><br>
<br>
<font size="2">Last updated 3/22/2003 - <a href="support.htm">Tom
<font size="2">Last updated 4/8/2003 - <a href="support.htm">Tom
Eastep</a></font>
<p><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
<p><a href="copyright.htm"><font size="2">Copyright</font> ©
<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
<br>
<br>
<br>
<br>
</body>
</html>

49
STABLE/documentation/Install.htm
View File

@ -18,6 +18,7 @@
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Installation and
Upgrade</font></h1>
</td>
@ -27,7 +28,14 @@
</table>
<p align="center"><b>Before upgrading, be sure to review the <a
href="upgrade_issues.htm">Upgrade Issues</a></b></p>
href="upgrade_issues.htm">Upgrade Issues<br>
</a></b></p>
<div align="left"><b><br>
Before attempting installation, I strongly urge you to read and print a
copy of the <a href="shorewall_quickstart_guide.htm">Shorewall QuickStart
Guide</a> for the configuration that most closely matches your own.</b><br>
</div>
<p><font size="4"><b><a href="#Install_RPM">Install using RPM</a><br>
<a href="#Install_Tarball">Install using tarball<br>
@ -63,8 +71,8 @@ diagnostic:<br>
     error: failed dependencies:iproute is needed by shorewall-1.4.0-1
<br>
<br>
This may be worked around by using the --nodeps option of rpm (rpm -ivh --nodeps
&lt;shorewall rpm&gt;).<br>
This may be worked around by using the --nodeps option of rpm (rpm -ivh
--nodeps &lt;shorewall rpm&gt;).<br>
<br>
</li>
<li>Edit the <a href="#Config_Files"> configuration files</a> to
@ -72,8 +80,8 @@ match your configuration. <font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u
SIMPLY INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
IS REQUIRED BEFORE THE FIREWALL WILL START. IF YOU ISSUE A "start" COMMAND
AND THE FIREWALL FAILS TO START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY
NETWORK TRAFFIC. IF THIS HAPPENS, ISSUE A "shorewall clear" COMMAND TO RESTORE
NETWORK CONNECTIVITY.</b></font></li>
NETWORK TRAFFIC. IF THIS HAPPENS, ISSUE A "shorewall clear" COMMAND TO
RESTORE NETWORK CONNECTIVITY.</b></font></li>
<li>Start the firewall by typing "shorewall start"</li>
</ul>
@ -102,15 +110,15 @@ type "./install.sh /etc/init.d"</li>
<li>Edit the <a href="#Config_Files"> configuration files</a> to
match your configuration.</li>
<li>Start the firewall by typing "shorewall start"</li>
<li>If the install script was unable to configure Shorewall to be
started automatically at boot, see <a
<li>If the install script was unable to configure Shorewall to
be started automatically at boot, see <a
href="starting_and_stopping_shorewall.htm">these instructions</a>.</li>
</ul>
<p><a name="LRP"></a>To install my version of Shorewall on a fresh Bering
disk, simply replace the "shorwall.lrp" file on the image with the file that
you downloaded. See the <a href="two-interface.htm">two-interface QuickStart
disk, simply replace the "shorwall.lrp" file on the image with the file
that you downloaded. See the <a href="two-interface.htm">two-interface QuickStart
Guide</a> for information about further steps required.</p>
<p><a name="Upgrade_RPM"></a>If you already have the Shorewall RPM installed
@ -120,23 +128,24 @@ started automatically at boot, see <a
or and you have entries in the /etc/shorewall/hosts file then please check
your /etc/shorewall/interfaces file to be sure that it contains an entry
for each interface mentioned in the hosts file. Also, there are certain
1.2 rule forms that are no longer supported under 1.4 (you must use the new
1.4 syntax). See <a href="errata.htm#Upgrade">the upgrade issues </a>for details.</p>
1.2 rule forms that are no longer supported under 1.4 (you must use the
new 1.4 syntax). See <a href="errata.htm#Upgrade">the upgrade issues </a>for
details.</p>
<ul>
<li>Upgrade the RPM (rpm -Uvh &lt;shorewall rpm file&gt;) <b>Note:
</b>If you are installing version 1.2.0 and have one of the 1.2.0
Beta RPMs installed, you must use the "--oldpackage" option to rpm (e.g.,
"rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm").
Beta RPMs installed, you must use the "--oldpackage" option to rpm
(e.g., "rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm").
<p> <b>Note1: </b>Some SuSE users have encountered a problem whereby
rpm reports a conflict with kernel &lt;= 2.2 even though a 2.4 kernel
is installed. If this happens, simply use the --nodeps option to rpm (rpm
-Uvh --nodeps &lt;shorewall rpm&gt;).<br>
is installed. If this happens, simply use the --nodeps option to rpm
(rpm -Uvh --nodeps &lt;shorewall rpm&gt;).<br>
<br>
<b>Note2: </b>Beginning with Shorewall 1.4.0, Shorewall is dependent on
the iproute package. Unfortunately, some distributions call this package iproute2
which will cause the upgrade of Shorewall to fail with the diagnostic:<br>
<b>Note2: </b>Beginning with Shorewall 1.4.0, Shorewall is dependent
on the iproute package. Unfortunately, some distributions call this package
iproute2 which will cause the upgrade of Shorewall to fail with the diagnostic:<br>
<br>
     error: failed dependencies:iproute is needed by shorewall-1.4.0-1
<br>
@ -201,7 +210,7 @@ your setup. In most cases, the <a href="shorewall_quickstart_guide.htm">Shorewa
</ul>
<p><font size="2">Updated 3/18/2003 - <a href="support.htm">Tom Eastep</a>
<p><font size="2">Updated 4/8/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
@ -212,5 +221,7 @@ your setup. In most cases, the <a href="shorewall_quickstart_guide.htm">Shorewa
<br>
<br>
<br>
<br>
<br>
</body>
</html>

1436
STABLE/documentation/News.htm
View File

File diff suppressed because it is too large Load Diff

137
STABLE/documentation/Shorewall_Squid_Usage.html
View File

@ -34,10 +34,11 @@
<br>
This page covers Shorewall configuration to use with <a
href="http://www.squid-cache.org/">Squid </a>running as a <u><b>Transparent
Proxy</b></u>.&nbsp;<br>
Proxy</b></u>. If you are running Shorewall 1.3, please see <a
href="1.3/Shorewall_Squid_Usage.html">this documentation</a>.<br>
<a href="#DMZ"></a><br>
<img border="0" src="images/j0213519.gif" width="60" height="60"
alt="Caution" align="middle">
<img border="0" src="images/j0213519.gif" width="60"
height="60" alt="Caution" align="middle">
&nbsp;&nbsp;&nbsp; Please observe the following general requirements:<br>
<br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
@ -52,14 +53,14 @@ run as a transparent proxy as described at <a
files, siimply create them.<br>
<br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
</b>&nbsp;&nbsp;&nbsp; When the Squid server is in the DMZ zone or
in the local zone, that zone must be defined ONLY by its interface -- no
/etc/shorewall/hosts file entries. That is because the packets being routed
to the Squid server still have their original destination IP addresses.<br>
</b>&nbsp;&nbsp;&nbsp; When the Squid server is in the DMZ zone
or in the local zone, that zone must be defined ONLY by its interface
-- no /etc/shorewall/hosts file entries. That is because the packets being
routed to the Squid server still have their original destination IP addresses.<br>
<br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
</b>&nbsp;&nbsp;&nbsp; You must have iptables installed on your Squid
server.<br>
</b>&nbsp;&nbsp;&nbsp; You must have iptables installed on your
Squid server.<br>
<br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
</b>&nbsp;&nbsp;&nbsp; You must have NAT and MANGLE enabled in your
@ -72,22 +73,22 @@ to the Squid server still have their original destination IP addresses.<br>
Three different configurations are covered:<br>
<ol>
<li><a href="Shorewall_Squid_Usage.html#Firewall">Squid running on
the Firewall.</a></li>
<li><a href="Shorewall_Squid_Usage.html#Local">Squid running in the
local network</a></li>
<li><a href="Shorewall_Squid_Usage.html#Firewall">Squid running
on the Firewall.</a></li>
<li><a href="Shorewall_Squid_Usage.html#Local">Squid running in
the local network</a></li>
<li><a href="Shorewall_Squid_Usage.html#DMZ">Squid running in the
DMZ</a></li>
</ol>
<h2><a name="Firewall"></a>Squid Running on the Firewall</h2>
You want to redirect all local www connection requests
EXCEPT those to your
own http server (206.124.146.177)
to a Squid transparent
proxy running on the firewall and listening on port 3128. Squid
will of course require access to remote web servers.<br>
You want to redirect all local www connection requests EXCEPT
those to your own
http server (206.124.146.177)
to a Squid
transparent proxy running on the firewall and listening on port
3128. Squid will of course require access to remote web servers.<br>
<br>
In /etc/shorewall/rules:<br>
<br>
@ -95,7 +96,6 @@ EXCEPT those to your
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>ACTION</b></td>
<td><b>SOURCE</b></td>
@ -107,7 +107,6 @@ EXCEPT those to your
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
</tr>
<tr>
<td>REDIRECT</td>
@ -131,14 +130,7 @@ EXCEPT those to your
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
@ -147,9 +139,9 @@ EXCEPT those to your
You want to redirect all local www connection requests to a Squid
transparent proxy
running in your local zone at 192.168.1.3 and listening on port 3128.
Your local interface is eth1. There may also be a web server running on
192.168.1.3. It is assumed that web access is already enabled from the local
zone to the internet.<br>
Your local interface is eth1. There may also be a web server running
on 192.168.1.3. It is assumed that web access is already enabled from the
local zone to the internet.<br>
<p><font color="#ff0000"><b>WARNING: </b></font>This setup may conflict with
other aspects of your gateway including but not limited to traffic shaping
@ -177,12 +169,45 @@ EXCEPT those to your
</blockquote>
<ul>
<li>If you are running Shorewall 1.4.1 or Shorewall 1.4.1a, please
upgrade to Shorewall 1.4.2 or later.<br>
<br>
</li>
<li>If you are running Shorewall 1.4.2 or later, then in /etc/shorewall/interfaces:<br>
<br>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top">ZONE<br>
</td>
<td valign="top">INTERFACE<br>
</td>
<td valign="top">BROADCAST<br>
</td>
<td valign="top">OPTIONS<br>
</td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">eth1<br>
</td>
<td valign="top">detect<br>
</td>
<td valign="top"><b>routeback</b><br>
</td>
</tr>
</tbody>
</table>
<br>
</li>
<li>In /etc/shorewall/rules:<br>
<br>
<table border="1" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>ACTION</b></td>
<td><b>SOURCE</b></td>
@ -194,7 +219,6 @@ EXCEPT those to your
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
</tr>
<tr>
<td>ACCEPT<br>
@ -210,19 +234,12 @@ EXCEPT those to your
</td>
</tr>
</tbody>
</table>
<br>
</li>
<li>Alternativfely, you can have the following policy:<br>
<br>
<li>Alternativfely, if you are running Shorewall 1.4.0 you can have the
following policy in place of the above rule:<br>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
@ -288,8 +305,8 @@ EXCEPT those to your
<h2><a name="DMZ"></a>Squid Running in the DMZ (This is what I do)</h2>
You have a single Linux system in your DMZ with IP address 192.0.2.177.
You want to run both a web server and Squid on that system. Your DMZ interface
is eth1 and your local interface is eth2.<br>
You want to run both a web server and Squid on that system. Your DMZ
interface is eth1 and your local interface is eth2.<br>
<ul>
<li>On your firewall system, issue the following command<br>
@ -402,7 +419,6 @@ EXCEPT those to your
</tbody>
</table>
</blockquote>
<br>
</blockquote>
<ul>
@ -432,6 +448,22 @@ EXCEPT those to your
DEST<br>
</td>
</tr>
<tr>
<td valign="top">ACCEPT<br>
</td>
<td valign="top">loc<br>
</td>
<td valign="top">dmz<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">80<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
<tr>
<td valign="top">ACCEPT<br>
</td>
@ -476,20 +508,11 @@ EXCEPT those to your
<blockquote> </blockquote>
<p><font size="-1"> Updated 2/22/2003 - <a href="support.htm">Tom Eastep</a>
<p><font size="-1"> Updated 4/7/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<a
href="copyright.htm"><font size="2">Copyright</font> &copy; <font
size="2">2003 Thomas M. Eastep.</font></a><br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<a href="copyright.htm"><font size="2">Copyright</font> &copy;
<font size="2">2003 Thomas M. Eastep.</font></a><br>
<br>
</body>
</html>

29
STABLE/documentation/Shorewall_and_Aliased_Interfaces.html
View File

@ -16,13 +16,10 @@
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall and Aliased Interfaces</font></h1>
</td>
</tr>
</tbody>
</table>
<br>
@ -89,7 +86,7 @@ the IP address.<br>
</b></td>
</tr>
<tr>
<td valign="top">DNAT<br>
<td valign="top">ACCEPT<br>
</td>
<td valign="top">net<br>
</td>
@ -345,13 +342,13 @@ file:<br>
</blockquote>
<h3>MULTIPLE SUBNETS</h3>
Sometimes multiple IP addresses are used because there are multiple subnetworks
configured on a LAN segment. This technique does not provide for any security
between the subnetworks if the users of the systems have administrative
privileges because in that case, the users can simply manipulate their system's
routing table to bypass your firewall/router. Nevertheless, there are cases
where you simply want to consider the LAN segment itself as a zone and allow
your firewall/router to route between the two subnetworks.<br>
Sometimes multiple IP addresses are used because there are multiple
subnetworks configured on a LAN segment. This technique does not provide
for any security between the subnetworks if the users of the systems have
administrative privileges because in that case, the users can simply manipulate
their system's routing table to bypass your firewall/router. Nevertheless,
there are cases where you simply want to consider the LAN segment itself
as a zone and allow your firewall/router to route between the two subnetworks.<br>
<br>
Example 1: &nbsp;Local interface eth1 interfaces to 192.168.1.0/24 and
192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and eth1:0
@ -360,6 +357,7 @@ your firewall/router to route between the two subnetworks.<br>
<h4>If you are running Shorewall 1.4.1 or Later</h4>
In /etc/shorewall/interfaces:<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
@ -424,6 +422,7 @@ In /etc/shorewall/interfaces:<br>
</blockquote>
Note that you do NOT need any entry in /etc/shorewall/policy as Shorewall
1.4.1 and later releases default to allowing intra-zone traffic.<br>
<h4>If you are running Shorewall 1.4.0 or earlier<br>
</h4>
In /etc/shorewall/interfaces:<br>
@ -497,8 +496,9 @@ specify the <b>multi</b> option.<br>
</blockquote>
Example 2: Local interface eth1 interfaces to 192.168.1.0/24 and 192.168.20.0/24.
The primary IP address of eth1 is 192.168.1.254 and eth1:0 is 192.168.20.254.
You want to make these subnetworks into separate zones and control the access
between them (the users of the systems do not have administrative privileges).<br>
You want to make these subnetworks into separate zones and control the
access between them (the users of the systems do not have administrative
privileges).<br>
<br>
In /etc/shorewall/zones:<br>
<br>
@ -607,7 +607,7 @@ specify the <b>multi</b> option.<br>
that you want to permit.<br>
<br>
<p align="left"><font size="2">Last Updated 3/22/2003 A - <a
<p align="left"><font size="2">Last Updated 3/27/2003 A - <a
href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy;
@ -617,5 +617,6 @@ that you want to permit.<br>
<br>
<br>
<br>
<br>
</body>
</html>

303
STABLE/documentation/download.htm
View File

@ -20,8 +20,6 @@
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Download</font></h1>
</td>
</tr>
@ -29,22 +27,20 @@
</tbody>
</table>
<p><b>I strongly urge you to read and print a copy of the <a
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
for the configuration that most closely matches your own.<br>
</b></p>
<p>The entire set of Shorewall documentation is available in PDF format
at:</p>
<p>The entire set of Shorewall documentation is available in PDF format at:</p>
<p>    <a href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
    <a href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>
</p>
<p>The documentation in HTML format is included in the .rpm and in the
.tgz packages below.</p>
<p>The documentation in HTML format is included in the .rpm and in the .tgz
packages below.</p>
<p> Once you've printed the appropriate QuickStart Guide, download <u>
one</u> of the modules:</p>
@ -53,23 +49,23 @@ at:</p>
<li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>,
<b> Linux PPC</b> or <b> TurboLinux</b> distribution
with a 2.4 kernel, you can use the RPM version (note: the
RPM should also work with other distributions that
store init scripts in /etc/init.d and that include chkconfig
or insserv). If you find that it works in other cases, let <a
RPM should also work with other distributions that store
init scripts in /etc/init.d and that include chkconfig or
insserv). If you find that it works in other cases, let <a
href="mailto:teastep@shorewall.net"> me</a> know so that
I can mention them here. See the <a href="Install.htm">Installation
Instructions</a> if you have problems installing the RPM.</li>
<li>If you are running LRP, download the .lrp file (you
might also want to download the .tgz so you will have a copy
of the documentation).</li>
<li>If you are running LRP, download the .lrp file
(you might also want to download the .tgz so you will have a
copy of the documentation).</li>
<li>If you run <a href="http://www.debian.org"><b>Debian</b></a>
and would like a .deb package, Shorewall is included in both
the <a href="http://packages.debian.org/testing/net/shorewall.html">Debian
Testing Branch</a> and the <a
href="http://packages.debian.org/unstable/net/shorewall.html">Debian
Unstable Branch</a>.</li>
<li>Otherwise, download the <i>shorewall</i>
module (.tgz)</li>
href="http://packages.debian.org/unstable/net/shorewall.html">Debian Unstable
Branch</a>.</li>
<li>Otherwise, download the <i>shorewall</i> module
(.tgz)</li>
</ul>
@ -88,9 +84,9 @@ the <a href="http://packages.debian.org/testing/net/shorewall.html">Debian
point to a newer or an older version than is shown below.</p>
<ul>
<li>RPM - "rpm -qip LATEST.rpm"</li>
<li>TARBALL - "tar -ztf LATEST.tgz" (the directory
name will contain the version)</li>
<li>RPM - "rpm -qip shorewall-<i>version</i>.noarch.rpm"</li>
<li>TARBALL - "tar -ztf shorewall-<i>version</i>.tgz"
(the directory name will contain the version)</li>
<li>LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar
-zxf &lt;downloaded .lrp&gt;; cat var/lib/lrpkg/shorwall.version"
</li>
@ -103,266 +99,13 @@ the <a href="http://packages.debian.org/testing/net/shorewall.html">Debian
downloaded.</p>
<p><font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY INSTALL
THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed
configuration of your firewall, you can enable startup by removing the
file /etc/shorewall/startup_disabled.</b></font></p>
THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION IS
REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed configuration
of your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.</b></font></p>
<p><b>Download Latest Version</b> (<b>1.4.0</b>): <b>Remember that updates
to the mirrors occur 1-12 hours after an update to the Washington
State site.</b></p>
<p><b></b></p>
<blockquote>
<table border="2" cellspacing="3" cellpadding="3"
style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>SERVER LOCATION</b></td>
<td><b>DOMAIN</b></td>
<td><b>HTTP</b></td>
<td><b>FTP</b></td>
</tr>
<tr>
<td valign="top">SourceForge<br>
</td>
<td valign="top">sf.net<br>
</td>
<td valign="top"><a
href="http://sourceforge.net/project/showfiles.php?group_id=22587">Download</a><br>
</td>
<td valign="top"><br>
</td>
</tr>
<tr>
<td>Slovak Republic</td>
<td>Shorewall.net</td>
<td><a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br>
<a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.md5sums">
Download.md5sums<br>
</a><a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.samples">Download
.samples</a><a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.md5sums"><br>
</a></td>
<td> <a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
<a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.md5sums">
Download.md5sums<br>
</a><a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.samples">Download
.samples</a><a
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.md5sums"><br>
</a></td>
</tr>
<tr>
<td>Texas, USA</td>
<td>Infohiiway.com</td>
<td><a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.rpm">Download
.rpm</a><br>
<a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.md5sums">
Download.md5sums<br>
</a><a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.samples">Download
.samples</a><a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.md5sums"><br>
</a></td>
<td> <a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.rpm">Download .rpm</a>  <br>
<a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.lrp"> Download
.lrp</a><br>
<a
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.md5sums">
Download.md5sums<br>
</a><a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.samples"> Download
.samples</a><a
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.md5sums"><br>
</a></td>
</tr>
<tr>
<td>Hamburg, Germany</td>
<td>Shorewall.net</td>
<td><a
href="http://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download
.rpm</a><br>
<a
href="http://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a><br>
<a
href="http://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a
href="http://germany.shorewall.net/pub/shorewall/LATEST.md5sums">
Download.md5sums<br>
</a><a
href="http://germany.shorewall.net/pub/shorewall/LATEST.samples">Download
.samples</a><a
href="http://germany.shorewall.net/pub/shorewall/LATEST.md5sums"><br>
</a></td>
<td> <a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download
.rpm</a>  <br>
<a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.md5sums">Download
.md5sums<br>
</a><a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.samples">Download
.samples</a><a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.md5sums"><br>
</a></td>
</tr>
<tr>
<td>Martinez (Zona Norte - GBA), Argentina</td>
<td>Correofuego.com.ar</td>
<td> <a
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
<a
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
Download .lrp</a><br>
<a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums">Download
.md5sums<br>
</a><a
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.samples">
Download .samples</a><a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums"><br>
</a></td>
<td> <a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
<a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
Download .lrp</a><br>
<a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums">Download
.md5sums<br>
</a><a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.samples">
Download .samples</a><a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums"><br>
</a></td>
</tr>
<tr>
<td>Paris, France</td>
<td>Shorewall.net</td>
<td><a
href="http://france.shorewall.net/pub/LATEST.rpm">Download .rpm</a><br>
<a
href="http://france.shorewall.net/pub/LATEST.tgz">Download
.tgz</a> <br>
<a
href="http://france.shorewall.net/pub/LATEST.lrp">Download
.lrp</a><br>
<a
href="http://france.shorewall.net/pub/LATEST.md5sums">Download
.md5sums<br>
</a><a href="http://france.shorewall.net/pub/LATEST.samples">Download
.samples</a><a
href="http://france.shorewall.net/pub/LATEST.md5sums"><br>
</a></td>
<td> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
<a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.md5sums">Download
.md5sums<br>
</a><a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.samples">Download
.samples</a><a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.md5sums"><br>
</a></td>
</tr>
<tr>
<td valign="middle">Washington State, USA<br>
</td>
<td valign="middle">Shorewall.net<br>
</td>
<td valign="top"><a
href="http://www.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br>
<a
href="http://www.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a
href="http://www.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a
href="http://www.shorewall.net/pub/shorewall/LATEST.md5sums">Download
.md5sums<br>
</a><a
href="http://www.shorewall.net/pub/shorewall/LATEST.samples">Download
.samples</a><br>
</td>
<td valign="top"><a
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.rpm" target="_blank">
Download .rpm</a> <br>
<a
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.tgz" target="_blank">Download
.tgz</a> <br>
<a
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.lrp" target="_blank">Download
.lrp</a><br>
<a target="_blank"
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.md5sums">Download
.md5sums<br>
</a><a
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.samples"
target="_blank">Download .samples</a><br>
</td>
</tr>
</tbody>
</table>
</blockquote>
<p><b>Browse Download Sites:</b></p>
<p><b>Download Sites:</b></p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
@ -430,7 +173,6 @@ the <a href="http://packages.debian.org/testing/net/shorewall.html">Debian
href="ftp://ftp.shorewall.net/pub/shorewall/" target="_blank">Browse</a></td>
</tr>
</tbody>
</table>
</blockquote>
@ -446,11 +188,12 @@ the <a href="http://packages.debian.org/testing/net/shorewall.html">Debian
</p>
</blockquote>
<p align="left"><font size="2">Last Updated 3/6/2003 - <a
<p align="left"><font size="2">Last Updated 3/24/2003 - <a
href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
</body>
</html>

112
STABLE/documentation/errata.htm
View File

@ -2,19 +2,14 @@
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall 1.4 Errata</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none">
<meta name="author" content="Tom Eastep">
@ -27,13 +22,10 @@
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1>
</td>
</tr>
</tbody>
</table>
@ -41,8 +33,6 @@
<ol>
<li>
<p align="left"> <b><u>I</u>f you use a Windows system to download
a corrected script, be sure to run the script through <u>
<a href="http://www.megaloman.com/%7Ehany/software/hd2u/"
@ -50,22 +40,17 @@
it to your Linux system.</b></p>
</li>
<li>
<p align="left"> <b>If you are installing Shorewall for the first
time and plan to use the .tgz and install.sh script, you can untar
the archive, replace the 'firewall' script in the untarred directory
with the one you downloaded below, and then run install.sh.</b></p>
</li>
<li>
<p align="left"> <b>When the instructions say to install a corrected
firewall script in /usr/share/shorewall/firewall, you may
rename the existing file before copying in the new file.</b></p>
</li>
<li>
<p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW.
For example, do NOT install the 1.3.9a firewall script if you are running
@ -104,10 +89,33 @@ iptables</a></b></li>
<hr>
<h2 align="left"><a name="V1.4"></a>Problems in Version 1.4</h2>
<h3></h3>
<h3>1.4.1a, 1.4.1 and 1.4.0</h3>
<ul>
<li>Some TCP requests are rejected in the 'common' chain with an ICMP port-unreachable
response rather than the more appropriate TCP RST response. This problem
is corrected in this updated common.def file which may be installed in /etc/shorewall/common.def.<br>
</li>
</ul>
<h3>1.4.1</h3>
<ul>
<li>When a "shorewall check" command is executed, each "rule" produces
the harmless additional message:<br>
<br>
     /usr/share/shorewall/firewall: line 2174: [: =: unary operator expected<br>
<br>
You may correct the problem by installing <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.1/firewall"
target="_top">this corrected script</a> in /usr/share/shorewall/firewall
as described above.<br>
</li>
</ul>
<h3>1.4.0</h3>
<ul>
<li>When running under certain shells Shorewall will attempt to create
ECN rules even when /etc/shorewall/ecn is empty. You may either just remove
@ -115,7 +123,9 @@ ECN rules even when /etc/shorewall/ecn is empty. You may either just remove
href="http://www.shorewall.net/pub/shorewall/errata/1.4.0/firewall">this
correct script</a> in /usr/share/shorewall/firewall as described above.<br>
</li>
</ul>
<hr width="100%" size="2">
<h2 align="left"><a name="Upgrade"></a>Upgrade Issues</h2>
@ -127,12 +137,10 @@ correct script</a> in /usr/share/shorewall/firewall as described above.<br>
iptables version 1.2.3</font></h3>
<blockquote>
<p align="left">There are a couple of serious bugs in iptables 1.2.3 that
prevent it from working with Shorewall. Regrettably,
RedHat released this buggy iptables in RedHat 7.2. </p>
<p align="left"> I have built a <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
corrected 1.2.3 rpm which you can download here</a>  and I have
@ -142,7 +150,6 @@ RedHat released this buggy iptables in RedHat 7.2.
running RedHat 7.1, you can install either of these RPMs
<b><u>before</u> </b>you upgrade to RedHat 7.2.</p>
<p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat
has released an iptables-1.2.4 RPM of their own which you can
download from<font color="#ff6633"> <a
@ -150,84 +157,67 @@ download from<font color="#ff6633"> <a
</font>I have installed this RPM on my firewall and it works
fine.</p>
<p align="left">If you would like to patch iptables 1.2.3 yourself,
the patches are available for download. This <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
which corrects a problem with parsing of the --log-level specification
while this <a
which corrects a problem with parsing of the --log-level
specification while this <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
corrects a problem in handling the  TOS target.</p>
<p align="left">To install one of the above patches:</p>
<ul>
<li>cd iptables-1.2.3/extensions</li>
<li>patch -p0 &lt; <i>the-patch-file</i></li>
</ul>
</blockquote>
<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18
and RedHat iptables</h3>
<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18 and
RedHat iptables</h3>
<blockquote>
<p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19
may experience the following:</p>
<blockquote>
<pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre>
</blockquote>
<p>The RedHat iptables RPM is compiled with debugging enabled but the
user-space debugging code was not updated to reflect recent changes in
the Netfilter 'mangle' table. You can correct the problem by
installing <a
href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
this iptables RPM</a>. If you are already running a 1.2.5 version
of iptables, you will need to specify the --oldpackage option
to rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
this iptables RPM</a>. If you are already running a 1.2.5
version of iptables, you will need to specify the --oldpackage
option to rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
</blockquote>
<h3><a name="SuSE"></a>Problems installing/upgrading
RPM on SuSE</h3>
<p>If you find that rpm complains about a conflict
with kernel &lt;= 2.2 yet you have a 2.4 kernel
installed, simply use the "--nodeps" option to
rpm.</p>
<p>If you find that rpm complains about a conflict with kernel &lt;=
2.2 yet you have a 2.4 kernel installed, simply use the "--nodeps"
option to rpm.</p>
<p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<p>Upgrading: rpm -Uvh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<h3><a name="Multiport"></a><b>Problems with iptables version 1.2.7 and
MULTIPORT=Yes</b></h3>
<h3><a name="Multiport"></a><b>Problems with
iptables version 1.2.7 and MULTIPORT=Yes</b></h3>
<p>The iptables 1.2.7 release of iptables has made
an incompatible change to the syntax used to
specify multiport match rules; as a consequence,
if you install iptables 1.2.7 you must be running
Shorewall 1.3.7a or later or:</p>
<p>The iptables 1.2.7 release of iptables has made an incompatible
change to the syntax used to specify multiport match rules; as
a consequence, if you install iptables 1.2.7 you must be
running Shorewall 1.3.7a or later or:</p>
<ul>
<li>set MULTIPORT=No
in /etc/shorewall/shorewall.conf; or </li>
in /etc/shorewall/shorewall.conf; or
</li>
<li>if you are running
Shorewall 1.3.6 you may install
<a
@ -239,8 +229,8 @@ to rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm")
<h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br>
</h3>
/etc/shorewall/nat entries of the following form will result
in Shorewall being unable to start:<br>
/etc/shorewall/nat entries of the following form will
result in Shorewall being unable to start:<br>
<br>
<pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22    eth0    192.168.9.22   yes     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
@ -249,16 +239,18 @@ to rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm")
<pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
The solution is to put "no" in the LOCAL column. Kernel
support for LOCAL=yes has never worked properly and 2.4.18-10 has
disabled it. The 2.4.19 kernel contains corrected support under a new
kernel configuraiton option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
disabled it. The 2.4.19 kernel contains corrected support under a
new kernel configuraiton option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
<p><font size="2"> Last updated 3/21/2003 -
<a href="support.htm">Tom Eastep</a></font> </p>
<p><font size="2"> Last updated 3/25/2003 - <a href="support.htm">Tom Eastep</a></font>
</p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
<br>
<br>
<br>
</body>
</html>

70
STABLE/documentation/mailing_list.htm
View File

@ -2,22 +2,16 @@
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Mailing Lists</title>
<meta name="Microsoft Theme" content="none">
</head>
<body>
@ -29,25 +23,19 @@
<tr>
<td width="33%" valign="middle" align="left">
<h1 align="center"><a
href="http://www.centralcommand.com/linux_products.html"><img
src="images/Vexira_Antivirus_Logo.gif" alt="Vexira Logo" width="78"
height="79" align="left">
</a></h1>
<a
href="http://www.gnu.org/software/mailman/mailman.html"> <img
border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110"
height="35" alt="">
</a>
<p align="right"><font color="#ffffff"><b>  </b></font> </p>
</td>
<td valign="middle" width="34%" align="center">
<h1 align="center"><font color="#ffffff">Shorewall Mailing Lists</font></h1>
</td>
<td valign="middle" width="33%"> <a
@ -69,27 +57,25 @@
</td>
</tr>
</tbody>
</table>
<h1>REPORTING A PROBLEM OR ASKING FOR HELP? If you haven't already, please
read the <a href="http://www.shorewall.net/support.htm">Shorewall Support
Guide</a>.<br>
</h1>
<p align="left">If you experience problems with any of these lists, please
let <a href="mailto:teastep@shorewall.net">me</a> know</p>
<h2 align="left">Not able to Post Mail to shorewall.net?</h2>
<p align="left">You can report such problems by sending mail to tom dot eastep
at hp dot com.</p>
<p align="left">You can report such problems by sending mail to tmeastep
at hotmail dot com.</p>
<h2>A Word about SPAM Filters <a href="http://ordb.org"></a><a
href="http://osirusoft.com/"> </a></h2>
<p>Before subscribing please read my <a href="spam_filters.htm">policy
about list traffic that bounces.</a> Also please note that the mail server
at shorewall.net checks incoming mail:<br>
@ -114,14 +100,14 @@ record in DNS.</li>
list posts!!<br>
<br>
I think that blocking all HTML is a Draconian way to control
spam and that the ultimate losers here are not the spammers but the
list subscribers whose MTAs are bouncing all shorewall.net mail. As
one list subscriber wrote to me privately "These e-mail admin's need to
get a <i>(explitive deleted)</i> life instead of trying to rid the planet
of HTML based e-mail". Nevertheless, to allow subscribers to receive list
posts as must as possible, I have now configured the list server at shorewall.net
to strip all HTML from outgoing posts. This means that HTML-only posts
will be bounced by the list server.<br>
spam and that the ultimate losers here are not the spammers but the list
subscribers whose MTAs are bouncing all shorewall.net mail. As one list
subscriber wrote to me privately "These e-mail admin's need to get a <i>(explitive
deleted)</i> life instead of trying to rid the planet of HTML based e-mail".
Nevertheless, to allow subscribers to receive list posts as must as possible,
I have now configured the list server at shorewall.net to strip all HTML
from outgoing posts. This means that HTML-only posts will be bounced by
the list server.<br>
<p align="left"> <b>Note: </b>The list server limits posts to 120kb.<br>
</p>
@ -138,20 +124,17 @@ than they help but I'm not prepared to go so far as to start stripping <i>Recei
<form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch">
<p> <font size="-1"> Match:
<select name="method">
<option value="and">All </option>
<option value="or">Any </option>
<option value="boolean">Boolean </option>
</select>
Format:
<select name="format">
<option value="builtin-long">Long </option>
<option value="builtin-short">Short </option>
</select>
Sort by:
<select name="sort">
<option value="score">Score </option>
<option value="time">Time </option>
@ -168,10 +151,9 @@ than they help but I'm not prepared to go so far as to start stripping <i>Recei
value=""> <input type="submit" value="Search"> </p>
</form>
<h2 align="left"><font color="#ff0000">Please do not try to download the entire
Archive -- it is 75MB (and growing daily) and my slow DSL line simply won't
stand the traffic. If I catch you, you will be blacklisted.<br>
<h2 align="left"><font color="#ff0000">Please do not try to download the
entire Archive -- it is 75MB (and growing daily) and my slow DSL line simply
won't stand the traffic. If I catch you, you will be blacklisted.<br>
</font></h2>
<h2 align="left">Shorewall CA Certificate</h2>
@ -212,9 +194,9 @@ stand the traffic. If I catch you, you will be blacklisted.<br>
<p align="left">The list archives are at <a
href="http://lists.shorewall.net/pipermail/shorewall-users/index.html">http://lists.shorewall.net/pipermail/shorewall-users</a>.</p>
<p align="left">Note that prior to 1/1/2002, the mailing list was hosted
at <a href="http://sourceforge.net">Sourceforge</a>. The archives from that
list may be found at <a
<p align="left">Note that prior to 1/1/2002, the mailing list was hosted at
<a href="http://sourceforge.net">Sourceforge</a>. The archives from that list
may be found at <a
href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p>
<h2 align="left">Shorewall Announce Mailing List</h2>
@ -271,20 +253,17 @@ to make this less confusing. To unsubscribe:</p>
<ul>
<li>
<p align="left">Follow the same link above that you used to subscribe
to the list.</p>
</li>
<li>
<p align="left">Down at the bottom of that page is the following text:
" To <b>unsubscribe</b> from <i>&lt;list name&gt;</i>, get a
password reminder, or change your subscription options enter
your subscription email address:". Enter your email address
in the box and click on the "<b>Unsubscribe</b> or edit options" button.</p>
" To <b>unsubscribe</b> from <i>&lt;list name&gt;</i>, get a password
reminder, or change your subscription options enter your subscription
email address:". Enter your email address in the box and
click on the "<b>Unsubscribe</b> or edit options" button.</p>
</li>
<li>
<p align="left">There will now be a box where you can enter your password
and click on "Unsubscribe"; if you have forgotten your password,
there is another button that will cause your password to be emailed
@ -298,14 +277,15 @@ your subscription email address:". Enter your email address
<p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p>
<p align="left"><font size="2">Last updated 2/24/2003 - <a
<p align="left"><font size="2">Last updated 3/24/2003 - <a
href="http://www.shorewall.net/support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"> <font size="2">Copyright</font> ©
<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
<p align="left"><a href="copyright.htm"> <font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
<br>
<br>
<br>
</body>
</html>

396
STABLE/documentation/seattlefirewall_index.htm
View File

@ -2,210 +2,88 @@
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.4</title>
<base target="_self">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="4"
style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c">
<tbody>
<tr>
<td width="100%"
height="90">
<td
width="100%" height="90">
<h1 align="center"> <font size="4"><i> <a
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4"
alt="Shorwall Logo" height="70" width="85" align="left"
src="images/washington.jpg" border="0">
</a></i></font><a
href="http://www.shorewall.net" target="_top"><img border="1"
src="images/shorewall.jpg" width="119" height="38" hspace="4"
alt="(Shorewall Logo)" align="right" vspace="4">
</a></h1>
<small><small><small><small><a
href="http://www.shorewall.net" target="_top"> </a></small></small></small></small><big></big>
href="http://www.shorewall.net" target="_top"> </a></small></small></small></small>
<div align="center">
<h1><font color="#ffffff">Shorewall 1.4</font><i><font
color="#ffffff"> <small><small><small>"iptables made easy" </small></small></small></font></i></h1>
<h1><font color="#ffffff">             Shorewall 1.4</font><i><font
color="#ffffff"> <small><small><small>"iptables made easy"</small></small></small></font></i><a
href="1.3" target="_top"><font color="#ffffff"><br>
<small><small><small><small>Shorewall 1.3 Site is here</small></small></small></small></font></a><a
href="http://www1.shorewall.net/1.2/index.htm"><font color="#ffffff"><br>
<small><small><small><small>Shorewall 1.2 Site is here</small></small></small></small></font></a><br>
</h1>
</div>
<p><a href="http://www.shorewall.net" target="_top">
</a> </p>
<div align="center"><a href="1.3" target="_top"><font
color="#ffffff">Shorewall 1.3 Site is here</font></a>                  
            <br>
</div>
<p><a href="http://www.shorewall.net" target="_top"> </a> </p>
</td>
</tr>
</tbody>
</table>
<div align="center">
<center>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody>
<tr>
<td width="90%">
<td
width="90%">
<h2 align="left">What is it?</h2>
<p>The Shoreline Firewall, more commonly known as "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
firewall that can be used on a dedicated firewall system, a multi-function
<p>The Shoreline Firewall, more commonly known as "Shorewall", is a
<a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
that can be used on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system.</p>
<p>This program is free software; you can redistribute it and/or modify
it under the
terms of <a href="http://www.gnu.org/licenses/gpl.html">Version
2 of the GNU General Public License</a> as published by the Free
Software Foundation.<br>
<br>
This program is distributed
in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied
warranty of MERCHANTABILITY or FITNESS FOR
A PARTICULAR PURPOSE. See the GNU General Public License
for more details.<br>
This program is
distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the
implied warranty of MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE. See the GNU General
Public License for more details.<br>
<br>
You should have received
a copy of the GNU General Public License
along with this program; if not, write
to the Free Software Foundation, Inc., 675
Mass Ave, Cambridge, MA 02139, USA</p>
You should have
received a copy of the GNU General Public
License along with this program; if
not, write to the Free Software Foundation,
Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
<p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques Nilo
and Eric Wolzak have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution
@ -215,157 +93,155 @@ Software Foundation.<br>
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
</a></p>
<p><b>Congratulations to Jacques and Eric on the recent release of
Bering 1.1!!! </b><br>
<p><b>Congratulations to Jacques and Eric on the recent release of Bering
1.1!!! </b><br>
</p>
<h2>This is a mirror of the main Shorewall web site at SourceForge
(<a href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
<h2>This is a mirror of the main Shorewall web site at SourceForge (<a
href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
<h2>News</h2>
<p><b>3/24/2003 - Shorewall 1.4.1 </b><b> </b><b><img
<p><b>4/9/2003 - Shorewall 1.4.2</b><b> </b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b><b> </b></p>
This release follows up on 1.4.0. It corrects a problem introduced in 1.4.0
and removes additional warts.<br>
</b><br>
</p>
<p><b>    Problems Corrected:</b></p>
<blockquote>
<ol>
<li>TCP connection requests rejected out of the <b>common</b> chain
are now properly rejected with TCP RST; previously, some of these requests
were rejected with an ICMP port-unreachable response.</li>
<li>'traceroute -I' from behind the firewall previously timed out
on the first hop (e.g., to the firewall). This has been worked around.</li>
</ol>
</blockquote>
<p><b>    New Features:</b></p>
<blockquote>
<ol>
<li>Where an entry in the/etc/shorewall/hosts file specifies a
particular host or network, Shorewall now creates an intermediate chain for
handling input from the related zone. This can substantially reduce the number
of rules traversed by connections requests from such zones.<br>
<br>
<b>Problems Corrected:</b><br>
<ol>
<li>When Shorewall 1.4.0 is run under the ash shell (such as on Bering/LEAF),
it can attempt to add ECN disabling rules even if the /etc/shorewall/ecn
file is empty. That problem has been corrected so that ECN disabling rules
are only added if there are entries in /etc/shorewall/ecn.</li>
</li>
<li>Any file may include an INCLUDE directive. An INCLUDE directive
consists of the word INCLUDE followed by a file name and causes the contents
of the named file to be logically included into the file containing the INCLUDE.
File names given in an INCLUDE directive are assumed to reside in /etc/shorewall
or in an alternate configuration directory if one has been specified for the
command. <br>
 <br>
   Examples:<br>
   shorewall/params.mgmt:<br>
   MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3<br>
   TIME_SERVERS=4.4.4.4<br>
   BACKUP_SERVERS=5.5.5.5<br>
   ----- end params.mgmt -----<br>
 <br>
 <br>
   shorewall/params:<br>
   # Shorewall 1.3 /etc/shorewall/params<br>
   [..]<br>
   #######################################<br>
 <br>
   INCLUDE params.mgmt    <br>
  <br>
   # params unique to this host here<br>
   #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE<br>
   ----- end params -----<br>
 <br>
 <br>
   shorewall/rules.mgmt:<br>
   ACCEPT net:$MGMT_SERVERS          $FW    tcp    22<br>
   ACCEPT $FW          net:$TIME_SERVERS    udp    123<br>
   ACCEPT $FW          net:$BACKUP_SERVERS  tcp    22<br>
   ----- end rules.mgmt -----<br>
 <br>
   shorewall/rules:<br>
   # Shorewall version 1.3 - Rules File<br>
   [..]<br>
   #######################################<br>
 <br>
   INCLUDE rules.mgmt     <br>
  <br>
   # rules unique to this host here<br>
   #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE<br>
   ----- end rules -----<br>
 <br>
INCLUDE's may be nested to a level of 3 -- further nested INCLUDE directives
are ignored with a warning message.<br>
<br>
</li>
<li>Routing traffic from an interface back out that interface continues
to be a problem. While I firmly believe that this should never happen, people
continue to want to do it. To limit the damage that such nonsense produces,
I have added a new 'routeback' option in /etc/shorewall/interfaces and /etc/shorewall/hosts.
When used in /etc/shorewall/interfaces, the 'ZONE' column may not contain
'-'; in other words, 'routeback' can't be used as an option for a multi-zone
interface. The 'routeback' option CAN be specified however on individual group
entries in /etc/shorewall/hosts.<br>
 <br>
The 'routeback' option is similar to the old 'multi' option with two exceptions:<br>
 <br>
   a) The option pertains to a particular zone,interface,address tuple.<br>
 <br>
   b) The option only created infrastructure to pass traffic from (zone,interface,address)
tuples back to themselves (the 'multi' option affected all (zone,interface,address)
tuples associated with the given 'interface').<br>
 <br>
See the '<a href="file:///Z:/Shorewall-docs/upgrade_issues.htm">Upgrade
Issues</a>' for information about how this new option may affect your configuration.<br>
</li>
</ol>
<b>New Features:</b><br>
<blockquote>Note: In the list that follows, the term <i>group </i>refers
to a particular network or subnetwork (which may be 0.0.0.0/0 or it may be
a host address) accessed through a particular interface. Examples:<br>
<blockquote>eth0:0.0.0.0/0<br>
eth2:192.168.1.0/24<br>
eth3:192.0.2.123<br>
</blockquote>
You can use the "shorewall check" command to see the groups associated with
each of your zones.<br>
</blockquote>
<ol>
<li>Beginning with Shorewall 1.4.1, if a zone Z comprises more than
one group<i> </i>then if there is no explicit Z to Z policy and there are
no rules governing traffic from Z to Z then Shorewall will permit all traffic
between the groups in the zone.</li>
<li>Beginning with Shorewall 1.4.1, Shorewall will never create rules
to handle traffic from a group to itself.</li>
<li>A NONE policy is introduced in 1.4.1. When a policy of NONE is
specified from Z1 to Z2:</li>
</ol>
<ul>
<li>There may be no rules created that govern connections from Z1
to Z2.</li>
<li>Shorewall will not create any infrastructure to handle traffic
from Z1 to Z2.</li>
</ul>
See the <a href="upgrade_issues.htm">upgrade issues</a> for a discussion
of how these changes may affect your configuration.<br>
<p><b></b></p>
<p><a href="News.htm">More News</a></p>
<h2><a name="Donations"></a>Donations</h2>
</td>
<td width="88"
bgcolor="#4b017c" valign="top" align="center"> <a
href="http://sourceforge.net">M</a></td>
<td
width="88" bgcolor="#4b017c" valign="top" align="center"> <br>
</td>
</tr>
</tbody>
</table>
</center>
</div>
<table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c">
<tbody>
<tr>
<td width="100%"
style="margin-top: 1px;">
<p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10">
</a></p>
<p align="center"><font size="4" color="#ffffff">Shorewall is free
but if you try it and find it useful, please consider making a donation
<p align="center"><font size="4" color="#ffffff">Shorewall is free but
if you try it and find it useful, please consider making a donation
to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight
Children's Foundation.</font></a> Thanks!</font></p>
href="http://www.starlight.org"><font color="#ffffff">Starlight Children's
Foundation.</font></a> Thanks!</font></p>
</td>
</tr>
</tbody>
</table>
<p><font size="2">Updated 3/21/2003 - <a href="support.htm">Tom Eastep</a></font>
<p><font size="2">Updated 4/7/2003 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
<br>
<br>
</body>
</html>

497
STABLE/documentation/sourceforge_index.htm
View File

@ -2,450 +2,247 @@
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.3</title>
<base target="_self">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="4"
style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c">
<tbody>
<tr>
<td width="100%"
height="90">
<td
width="100%" height="90">
<h1 align="center"> <font size="4"><i> <a
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4"
alt="Shorwall Logo" height="70" width="85" align="left"
src="images/washington.jpg" border="0">
</a></i></font><font
color="#ffffff">Shorewall 1.4 - <font
size="4">"<i>iptables made easy"</i></font></font><a
href="http://www.sf.net"> </a></h1>
<div align="center"><a href="/1.3/index.html" target="_top"><font
color="#ffffff">Shorewall 1.3 Site here</font></a></div>
size="4">"<i>iptables made easy"</i></font></font><br>
<a target="_top" href="1.3/index.html"><font color="#ffffff">
<small><small><small>Shorewall 1.3 Site here</small></small></small></font></a><br>
<a target="_top" href="http://www1.shorewall.net/1.2/index.htm"><font
color="#ffffff"><small><small><small>Shorewall 1.2 Site here<br>
</small></small></small></font></a>
</h1>
</td>
</tr>
</tbody>
</table>
<div align="center">
<center>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody>
<tr>
<td width="90%">
<td
width="90%">
<h2 align="left">What is it?</h2>
<p>The Shoreline Firewall, more commonly known as  "Shorewall", is
<p>The Shoreline Firewall, more commonly known as "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a> (iptables)
based firewall that can be used on a dedicated firewall
system, a multi-function gateway/router/server or on a standalone
GNU/Linux system.</p>
system, a multi-function gateway/router/server or on
a standalone GNU/Linux system.</p>
<p>This program is free software; you can redistribute it and/or modify
it under the
terms of <a href="http://www.gnu.org/licenses/gpl.html">Version
2 of the GNU General Public License</a> as published by the Free
Software Foundation.<br>
it under
the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the
GNU General Public License</a> as published by the Free Software
Foundation.<br>
<br>
This program is distributed
in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied
warranty of MERCHANTABILITY or FITNESS FOR
A PARTICULAR PURPOSE. See the GNU General Public
License for more details.<br>
This program
is distributed in the hope that it will
be useful, but WITHOUT ANY WARRANTY; without
even the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.<br>
<br>
You should have received
a copy of the GNU General Public License
along with this program; if not, write
to the Free Software Foundation, Inc., 675
Mass Ave, Cambridge, MA 02139, USA</p>
You should have
received a copy of the GNU General Public
License along with this program; if
not, write to the Free Software Foundation,
Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
<p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques
Nilo and Eric Wolzak have a LEAF (router/firewall/gateway
</a>Jacques Nilo
and Eric Wolzak have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution
called <i>Bering</i> that features
Shorewall-1.3.14 and Kernel-2.4.20. You can find
their work at: <a
Shorewall-1.3.14 and Kernel-2.4.20. You can
find their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
<b>Congratulations
to Jacques and Eric on the recent release of Bering
1.1!!! <br>
</b>
<h2>News</h2>
<p><b>3/24/2003 - Shorewall 1.4.1 </b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
 </b><b> </b></p>
<h2><b>News</b></h2>
<b> </b>
<ul>
</ul>
<p>This release follows up on 1.4.0. It corrects a problem introduced
in 1.4.0 and removes additional warts.<br>
<br>
<b>Problems Corrected:</b><br>
<p><b>4/9/2003 - Shorewall 1.4.2</b><b> </b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b><br>
</p>
<p><b>    Problems Corrected:</b></p>
<blockquote>
<ol>
<li>When Shorewall 1.4.0 is run under the ash shell (such as on Bering/LEAF),
it can attempt to add ECN disabling rules even if the /etc/shorewall/ecn file
is empty. That problem has been corrected so that ECN disabling rules are
only added if there are entries in /etc/shorewall/ecn.</li>
<li>TCP connection requests rejected out of the <b>common</b> chain
are now properly rejected with TCP RST; previously, some of these requests
were rejected with an ICMP port-unreachable response.</li>
<li>'traceroute -I' from behind the firewall previously timed out
on the first hop (e.g., to the firewall). This has been worked around.</li>
</ol>
<b>New Features:</b><br>
<blockquote>Note: In the list that follows, the term <i>group </i>refers
to a particular network or subnetwork (which may be 0.0.0.0/0 or it may be
a host address) accessed through a particular interface. Examples:<br>
<blockquote>eth0:0.0.0.0/0<br>
eth2:192.168.1.0/24<br>
eth3:192.0.2.123<br>
</blockquote>
You can use the "shorewall check" command to see the groups associated with
each of your zones.<br>
</blockquote>
<p><b>    New Features:</b></p>
<blockquote>
<ol>
<li>Beginning with Shorewall 1.4.1, if a zone Z comprises more than
one group<i> </i>then if there is no explicit Z to Z policy and there are
no rules governing traffic from Z to Z then Shorewall will permit all traffic
between the groups in the zone.</li>
<li>Beginning with Shorewall 1.4.1, Shorewall will never create rules
to handle traffic from a group to itself.</li>
<li>A NONE policy is introduced in 1.4.1. When a policy of NONE is
specified from Z1 to Z2:</li>
<li>Where an entry in the/etc/shorewall/hosts file specifies a
particular host or network, Shorewall now creates an intermediate chain for
handling input from the related zone. This can substantially reduce the number
of rules traversed by connections requests from such zones.<br>
<br>
</li>
<li>Any file may include an INCLUDE directive. An INCLUDE directive
consists of the word INCLUDE followed by a file name and causes the contents
of the named file to be logically included into the file containing the INCLUDE.
File names given in an INCLUDE directive are assumed to reside in /etc/shorewall
or in an alternate configuration directory if one has been specified for the
command. <br>
 <br>
   Examples:<br>
   shorewall/params.mgmt:<br>
   MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3<br>
   TIME_SERVERS=4.4.4.4<br>
   BACKUP_SERVERS=5.5.5.5<br>
   ----- end params.mgmt -----<br>
 <br>
 <br>
   shorewall/params:<br>
   # Shorewall 1.3 /etc/shorewall/params<br>
   [..]<br>
   #######################################<br>
 <br>
   INCLUDE params.mgmt    <br>
  <br>
   # params unique to this host here<br>
   #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE<br>
   ----- end params -----<br>
 <br>
 <br>
   shorewall/rules.mgmt:<br>
   ACCEPT net:$MGMT_SERVERS          $FW    tcp    22<br>
   ACCEPT $FW          net:$TIME_SERVERS    udp    123<br>
   ACCEPT $FW          net:$BACKUP_SERVERS  tcp    22<br>
   ----- end rules.mgmt -----<br>
 <br>
   shorewall/rules:<br>
   # Shorewall version 1.3 - Rules File<br>
   [..]<br>
   #######################################<br>
 <br>
   INCLUDE rules.mgmt     <br>
  <br>
   # rules unique to this host here<br>
   #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE<br>
   ----- end rules -----<br>
 <br>
INCLUDE's may be nested to a level of 3 -- further nested INCLUDE directives
are ignored with a warning message.<br>
<br>
</li>
<li>Routing traffic from an interface back out that interface continues
to be a problem. While I firmly believe that this should never happen, people
continue to want to do it. To limit the damage that such nonsense produces,
I have added a new 'routeback' option in /etc/shorewall/interfaces and /etc/shorewall/hosts.
When used in /etc/shorewall/interfaces, the 'ZONE' column may not contain
'-'; in other words, 'routeback' can't be used as an option for a multi-zone
interface. The 'routeback' option CAN be specified however on individual group
entries in /etc/shorewall/hosts.<br>
 <br>
The 'routeback' option is similar to the old 'multi' option with two exceptions:<br>
 <br>
   a) The option pertains to a particular zone,interface,address tuple.<br>
 <br>
   b) The option only created infrastructure to pass traffic from (zone,interface,address)
tuples back to themselves (the 'multi' option affected all (zone,interface,address)
tuples associated with the given 'interface').<br>
 <br>
See the '<a href="file:///Z:/Shorewall-docs/upgrade_issues.htm">Upgrade
Issues</a>' for information about how this new option may affect your configuration.<br>
</li>
</ol>
</blockquote>
<ul>
<li>There may be no rules created that govern connections from Z1
to Z2.</li>
<li>Shorewall will not create any infrastructure to handle traffic
from Z1 to Z2.</li>
</ul>
See the <a href="upgrade_issues.htm">upgrade issues</a> for a discussion
of how these changes may affect your configuration.
<p><a href="News.htm">More News</a></p>
<h2> </h2>
<h1 align="center"><a href="http://www.sf.net"><img align="left"
alt="SourceForge Logo"
<p><a href="file:///Z:/Shorewall-docs/News.htm"></a></p>
<b> </b>
<p><b><a href="News.htm">More News</a></b></p>
<b> </b>
<h2><b> </b></h2>
<b> </b>
<h1 align="center"><b><a href="http://www.sf.net"><img
align="left" alt="SourceForge Logo"
src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3">
</a></h1>
<h4> </h4>
<h2>This site is hosted by the generous folks at <a
href="http://www.sf.net">SourceForge.net</a> </h2>
<h2><a name="Donations"></a>Donations</h2>
</a></b></h1>
<b> </b>
<h4><b> </b></h4>
<b> </b>
<h2><b>This site is hosted by the generous folks at <a
href="http://www.sf.net">SourceForge.net</a> </b></h2>
<b> </b>
<h2><b><a name="Donations"></a>Donations</b></h2>
<b> </b></td>
<td
width="88" bgcolor="#4b017c" valign="top" align="center"> <br>
</td>
<td width="88"
bgcolor="#4b017c" valign="top" align="center"> <br>
</td>
</tr>
</tbody>
</table>
</center>
</div>
<table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c">
<tbody>
<tr>
<td width="100%"
style="margin-top: 1px;">
<p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10">
</a></p>
<p align="center"><font size="4" color="#ffffff">Shorewall is free
but if you try it and find it useful, please consider making a donation
to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight
Children's Foundation.</font></a> Thanks!</font></p>
href="http://www.starlight.org"><font color="#ffffff">Starlight Children's
Foundation.</font></a> Thanks!</font></p>
</td>
</tr>
</tbody>
</table>
<p><font size="2">Updated 3/21/2003 - <a href="support.htm">Tom Eastep</a></font>
<p><font size="2">Updated 4/7/2003 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
<br>
<br>
</body>
</html>

66
STABLE/documentation/standalone.htm
View File

@ -61,8 +61,8 @@
    If you edit your configuration files on a Windows system, you
must save them as Unix files if your editor supports that option or you
must run them through dos2unix before trying to use them. Similarly, if
you copy a configuration file from your Windows hard drive to a floppy
disk, you must run dos2unix against the copy before using it with Shorewall.</p>
you copy a configuration file from your Windows hard drive to a floppy disk,
you must run dos2unix against the copy before using it with Shorewall.</p>
<ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
@ -77,21 +77,21 @@ disk, you must run dos2unix against the copy before using it with Shorewall.</p
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
alt="">
    The configuration files for Shorewall are contained in the directory
/etc/shorewall -- for simple setups, you only need to deal with a few
of these as described in this guide. After you have <a
/etc/shorewall -- for simple setups, you only need to deal with a few of
these as described in this guide. After you have <a
href="Install.htm">installed Shorewall</a>, <b>download the <a
href="/pub/shorewall/LATEST.samples/one-interface.tgz">one-interface sample</a>,
un-tar it (tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewall
(they will replace files with the same names that were placed in /etc/shorewall
during Shorewall installation)</b>.</p>
href="http://www.shorewall.net/pub/shorewall/LATEST.samples/one-interface.tgz">one-interface
sample</a>, un-tar it (tar -zxvf one-interface.tgz) and and copy the files
to /etc/shorewall (they will replace files with the same names that were
placed in /etc/shorewall during Shorewall installation)</b>.</p>
<p>As each file is introduced, I suggest that you look through the actual
file on your system -- each file contains detailed configuration instructions
and default entries.</p>
<p>Shorewall views the network where it is running as being composed of a
set of <i>zones.</i> In the one-interface sample configuration, only
one zone is defined:</p>
set of <i>zones.</i> In the one-interface sample configuration, only one
zone is defined:</p>
<table border="0" style="border-collapse: collapse;" cellpadding="3"
cellspacing="0" id="AutoNumber2">
@ -132,8 +132,8 @@ one zone is defined:</p>
the request is first checked against the rules in /etc/shorewall/common
(the samples provide that file for you).</p>
<p>The /etc/shorewall/policy file included with the one-interface sample
has the following policies:</p>
<p>The /etc/shorewall/policy file included with the one-interface sample has
the following policies:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -177,8 +177,8 @@ has the following policies:</p>
<ol>
<li>allow all connection requests from the firewall to the internet</li>
<li>drop (ignore) all connection requests from the internet to your
firewall</li>
<li>drop (ignore) all connection requests from the internet to
your firewall</li>
<li>reject all other connection requests (Shorewall requires this
catchall policy).</li>
@ -191,21 +191,21 @@ has the following policies:</p>
<p align="left">The firewall has a single network interface. Where Internet
connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
will be the ethernet adapter (<b>eth0</b>) that is connected to that
"Modem"  <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint
<u>P</u>rotocol over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint
<u>T</u>unneling <u>P</u>rotocol </i>(PPTP) in which case the External
Interface will be a <b>ppp0</b>. If you connect via a regular modem, your
External Interface will also be <b>ppp0</b>. If you connect using ISDN,
your external interface will be<b> ippp0.</b></p>
will be the ethernet adapter (<b>eth0</b>) that is connected to that "Modem" 
<u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol
over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling
<u>P</u>rotocol </i>(PPTP) in which case the External Interface will be
a <b>ppp0</b>. If you connect via a regular modem, your External Interface
will also be <b>ppp0</b>. If you connect using ISDN, your external interface
will be<b> ippp0.</b></p>
<p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
height="13">
    The Shorewall one-interface sample configuration assumes that
the external interface is <b>eth0</b>. If your configuration is different,
    The Shorewall one-interface sample configuration assumes that the
external interface is <b>eth0</b>. If your configuration is different,
you will have to modify the sample /etc/shorewall/interfaces file accordingly.
While you are there, you may wish to review the list of options that
are specified for the interface. Some hints:</p>
While you are there, you may wish to review the list of options that are
specified for the interface. Some hints:</p>
<ul>
<li>
@ -214,8 +214,8 @@ are specified for the interface. Some hints:</p>
</li>
<li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>
or if you have a static IP address, you can remove "dhcp" from the
option list. </p>
or if you have a static IP address, you can remove "dhcp" from the option
list. </p>
</li>
</ul>
@ -284,8 +284,8 @@ should remove the 'norfc1918' option from the entry in /etc/shorewall/interf
</div>
<div align="left">
<p align="left">Example - You want to run a Web Server and a POP3 Server
on your firewall system:</p>
<p align="left">Example - You want to run a Web Server and a POP3 Server on
your firewall system:</p>
</div>
<div align="left">
@ -327,8 +327,8 @@ on your firewall system:</p>
</div>
<div align="left">
<p align="left">If you don't know what port and protocol a particular
application uses, see <a href="ports.htm">here</a>.</p>
<p align="left">If you don't know what port and protocol a particular application
uses, see <a href="ports.htm">here</a>.</p>
</div>
<div align="left">
@ -384,7 +384,8 @@ application uses, see <a href="ports.htm">here</a>.</p>
your system to start Shorewall at system boot but beginning with Shorewall
version 1.3.9 startup is disabled so that your system won't try to start
Shorewall before configuration is complete. Once you have completed configuration
of your firewall, you can enable Shorewall startup by removing the file /etc/shorewall/startup_disabled.<br>
of your firewall, you can enable Shorewall startup by removing the file
/etc/shorewall/startup_disabled.<br>
</p>
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Users of the .deb
@ -425,5 +426,6 @@ Thomas M. Eastep</font></a></p>
<br>
<br>
<br>
<br>
</body>
</html>

362
STABLE/documentation/standalone_fr.html
View File

@ -1,14 +1,19 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Standalone Firewall</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber6" bgcolor="#400169" height="90">
@ -18,75 +23,91 @@
<h1 align="center"><font color="#ffffff">Standalone Firewall</font></h1>
</td>
</tr>
</tbody>
</table>
<h2 align="center">Version 2.0.1 Française</h2>
<p align="left"><small><i><u>Notes du traducteur</u> :<br>
Je ne prétends pas être un vrai traducteur dans le sens ou mon travail
n'est pas des plus précis (loin de là...). Je ne me suis pas attaché à
une traduction exacte du texte, mais plutôt à en faire une version
française intelligible par tous (et par moi). Les termes techniques sont
la plupart du temps conservés sous leur forme originale et mis entre
parenthèses car vous pouvez les retrouver dans le reste des
documentations ainsi que dans les fichiers de configuration. N?hésitez
pas à me contacter afin d?améliorer ce document <a
href="mailto:vetsel.patrice@wanadoo.fr">VETSEL Patrice</a> (merci à JMM
pour sa relecture et ses commentaires pertinents, ainsi qu'à Tom EASTEP
pour son formidable outil et sa disponibilité)</i><i>.</i></small></p>
<p align="left">Mettre en place un système Linux en tant que firewall
(écluse) pour un petit réseau est une chose assez simple, si vous
comprenez les bases et suivez la documentation.</p>
<p>Ce guide ne veut pas vous apprendre tous les rouages de Shorewall.
Il se focalise sur ce qui est nécessaire pour configurer Shorewall, dans
son utilisation la plus courante :</p>
Je ne prétends pas être un vrai traducteur dans le sens ou mon travail n'est
pas des plus précis (loin de là...). Je ne me suis pas attaché à une traduction
exacte du texte, mais plutôt à en faire une version française intelligible
par tous (et par moi). Les termes techniques sont la plupart du temps conservés
sous leur forme originale et mis entre parenthèses car vous pouvez les retrouver
dans le reste des documentations ainsi que dans les fichiers de configuration.
N?hésitez pas à me contacter afin d?améliorer ce document <a
href="mailto:vetsel.patrice@wanadoo.fr">VETSEL Patrice</a> (merci à JMM pour
sa relecture et ses commentaires pertinents, ainsi qu'à Tom EASTEP pour son
formidable outil et sa disponibilité)</i><i>.</i></small></p>
<p align="left">Mettre en place un système Linux en tant que firewall (écluse)
pour un petit réseau est une chose assez simple, si vous comprenez les bases
et suivez la documentation.</p>
<p>Ce guide ne veut pas vous apprendre tous les rouages de Shorewall. Il
se focalise sur ce qui est nécessaire pour configurer Shorewall, dans son
utilisation la plus courante :</p>
<ul>
<li>Un système Linux</li>
<li>Une seule adresse IP externe</li>
<li>Une connexion passant par un modem câble, ADSL, ISDN, Frame
Relay, rtc...</li>
<li>Une connexion passant par un modem câble, ADSL, ISDN, Frame Relay,
rtc...</li>
</ul>
<p>Ce guide suppose que vous avez le paquet iproute/iproute2
d'installé. Vous pouvez voir si le paquet est installé en vérifiant la
présence du programme ip sur votre système de firewall. Sous root,
utilisez la commande 'which' pour rechercher le programme :</p>
<p>Ce guide suppose que vous avez le paquet iproute/iproute2 d'installé.
Vous pouvez voir si le paquet est installé en vérifiant la présence du programme
ip sur votre système de firewall. Sous root, utilisez la commande 'which'
pour rechercher le programme :</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
<p>Je vous recommande dans un premier temps de parcourir tout le guide
pour vous familiariser avec ce qu'il va se passer, et de revenir au
début en effectuant le changements dans votre configuration. Les points,
où les changements dans la configuration sont recommandées, sont
signalés par une <img border="0" src="images/BD21298_.gif" width="13"
height="13"> .</p>
<p><img border="0" src="images/j0213519.gif" width="60" height="60"> Si
vous éditez vos fichiers de configuration sur un système Windows, vous
devez les sauver comme des fichiers Unix si votre éditeur supporte cette
option sinon vous devez les faire passer par dos2unix avant d'essayer de
les utiliser. De la même manière, si vous copiez un fichier de
configuration depuis votre disque dur Windows vers une disquette, vous
devez lancer dos2unix sur la copie avant de l'utiliser avec Shorewall.</p>
<p>Je vous recommande dans un premier temps de parcourir tout le guide pour
vous familiariser avec ce qu'il va se passer, et de revenir au début en effectuant
le changements dans votre configuration. Les points, où les changements dans
la configuration sont recommandées, sont signalés par une <img
border="0" src="images/BD21298_.gif" width="13" height="13">
.</p>
<p><img border="0" src="images/j0213519.gif" width="60" height="60">
Si vous éditez vos fichiers de configuration sur un système Windows, vous
devez les sauver comme des fichiers Unix si votre éditeur supporte cette option
sinon vous devez les faire passer par dos2unix avant d'essayer de les utiliser.
De la même manière, si vous copiez un fichier de configuration depuis votre
disque dur Windows vers une disquette, vous devez lancer dos2unix sur la
copie avant de l'utiliser avec Shorewall.</p>
<ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
of dos2unix</a></li>
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
Version of dos2unix</a></li>
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version
of dos2unix</a></li>
</ul>
<h2 align="left">Les Concepts de Shorewall</h2>
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
alt=""> Les fichiers de configuration pour Shorewall sont situés dans
le répertoire /etc/shorewall -- pour de simples paramétrages, vous
n'avez à faire qu'avec quelques un d'entre eux comme décris dans ce
guide. Après avoir <a href="Install.htm">installé Shorewall</a>, <b>téléchargez
le <a href="/pub/shorewall/LATEST.samples/one-interface.tgz">one-interface
sample</a>, un-tarez le (tar -zxvf one-interface.tgz) et copiez les
fichiers vers /etc/shorewall (Ils remplaceront les fichiers de même nom
déjà existant dans /etc/shorewall installés lors de l'installation de
Shorewall)</b>.</p>
<p>Parallèlement à la description, je vous suggère de jeter un oeil à
ceux physiquement présents sur votre système -- chacun des fichiers
contient des instructions de configuration détaillées et des entrées par
défaut.</p>
<p>Shorewall voit le réseau où il tourne comme composé par un ensemble
de <i>zones.</i> Dans les fichiers de configuration fournis pour une
unique interface, une seule zone est définie :</p>
alt="">
Les fichiers de configuration pour Shorewall sont situés dans le répertoire
/etc/shorewall -- pour de simples paramétrages, vous n'avez à faire qu'avec
quelques un d'entre eux comme décris dans ce guide. Après avoir <a
href="Install.htm">installé Shorewall</a>, <b>téléchargez le <a
href="http://france.shorewall.net/pub/shorewall/LATEST.samples/one-interface.tgz">one-interface
sample</a>, un-tarez le (tar -zxvf one-interface.tgz) et copiez les fichiers
vers /etc/shorewall (Ils remplaceront les fichiers de même nom déjà existant
dans /etc/shorewall installés lors de l'installation de Shorewall)</b>.</p>
<p>Parallèlement à la description, je vous suggère de jeter un oeil à ceux
physiquement présents sur votre système -- chacun des fichiers contient des
instructions de configuration détaillées et des entrées par défaut.</p>
<p>Shorewall voit le réseau où il tourne comme composé par un ensemble de
<i>zones.</i> Dans les fichiers de configuration fournis pour une unique
interface, une seule zone est définie :</p>
<table border="0" style="border-collapse: collapse;" cellpadding="3"
cellspacing="0" id="AutoNumber2">
<tbody>
@ -98,30 +119,39 @@ unique interface, une seule zone est d
<td><b>net</b></td>
<td><b>The Internet</b></td>
</tr>
</tbody>
</table>
<p>Les zones de Shorewall sont définies dans <a
href="Documentation.htm#Zones"> /etc/shorewall/zones</a>.</p>
<p>Shorewall reconnaît aussi le système de firewall comme sa propre
zone - par défaut, le firewall lui-même est connu en tant que <b>fw</b>.</p>
<p>Les règles concernant le trafic à autoriser ou à interdire sont
exprimées en utilisant les termes de zones.</p>
<p>Shorewall reconnaît aussi le système de firewall comme sa propre zone
- par défaut, le firewall lui-même est connu en tant que <b>fw</b>.</p>
<p>Les règles concernant le trafic à autoriser ou à interdire sont exprimées
en utilisant les termes de zones.</p>
<ul>
<li>Vous exprimez les politiques par défaut pour les connexions d'une
zone à une autre dans le fichier<a href="Documentation.htm#Policy">
/etc/shorewall/policy </a>.</li>
<li>Vous définissez les exceptions à ces règles de politiques par
défaut dans le fichier <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
<li>Vous exprimez les politiques par défaut pour les connexions d'une zone
à une autre dans le fichier<a href="Documentation.htm#Policy"> /etc/shorewall/policy
</a>.</li>
<li>Vous définissez les exceptions à ces règles de politiques par défaut
dans le fichier <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
</ul>
<p>Pour chacune des demandes de connexion entrantes dans le firewall,
les demandes sont en premier lieu comparées par rapport au fichier
/etc/shorewall/rules. Si aucune des règles dans ce fichier ne
correspondent, alors la première politique dans /etc/shorewall/policy
qui y correspond est appliquée. Si cette politique est REJECT ou DROP la
requête est alors comparée par rapport aux règles contenues dans
/etc/shorewall/common (l'archive d'exemple vous fournit ce fichier).</p>
<p>Le fichier /etc/shorewall/policy d'exemple contenu dans l'archive
one-interface a les politiques suivantes :</p>
<p>Pour chacune des demandes de connexion entrantes dans le firewall, les
demandes sont en premier lieu comparées par rapport au fichier /etc/shorewall/rules.
Si aucune des règles dans ce fichier ne correspondent, alors la première
politique dans /etc/shorewall/policy qui y correspond est appliquée. Si cette
politique est REJECT ou DROP la requête est alors comparée par rapport aux
règles contenues dans /etc/shorewall/common (l'archive d'exemple vous fournit
ce fichier).</p>
<p>Le fichier /etc/shorewall/policy d'exemple contenu dans l'archive one-interface
a les politiques suivantes :</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber3">
@ -159,80 +189,95 @@ one-interface a les politiques suivantes :</p>
<td> <br>
</td>
</tr>
</tbody>
</table>
</blockquote>
<pre> </pre>
Ces politiques vont :
<ol>
<li>permettre toutes demandes de connexion depuis le firewall vers
l'Internet</li>
<li>drop (ignorer) toutes les demandes de connexion depuis l'Internet
vers votre firewall</li>
<li>rejeter toutes les autres requêtes de connexion (Shorewall à
besoin de cette politique).</li>
<li>permettre toutes demandes de connexion depuis le firewall vers l'Internet</li>
<li>drop (ignorer) toutes les demandes de connexion depuis l'Internet vers
votre firewall</li>
<li>rejeter toutes les autres requêtes de connexion (Shorewall à besoin
de cette politique).</li>
</ol>
<p>A ce point, éditez votre /etc/shorewall/policy et faites y les
changements que vous désirez.</p>
<p>A ce point, éditez votre /etc/shorewall/policy et faites y les changements
que vous désirez.</p>
<h2 align="left">Interface Externe</h2>
<p align="left">Le firewall possède une seule interface réseau. Lorsque
la connexion Internet passe par un modem câble ou par un routeur ADSL
(pas un simple modem), l'<i>External Interface</i> (interface externe)
sera l'adaptateur ethernet (<b>eth0</b>) qui y est connecté <u>à moins
que</u> vous vous connectiez par <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol
over <u>E</u>thernet</i> (PPPoE) ou <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling<u>P</u>rotocol</i>(PPTP)
dans ce cas l'interface externe sera <b>ppp0</b>. Si vous vous
connectez par un simple modem (RTC), votre interface externe sera aussi <b>ppp0</b>.
Si vous vous connectez en utilisant l'ISDN (numéris), votre interface
externe sera<b> ippp0.</b></p>
<p align="left">Le firewall possède une seule interface réseau. Lorsque la
connexion Internet passe par un modem câble ou par un routeur ADSL (pas un
simple modem), l'<i>External Interface</i> (interface externe) sera l'adaptateur
ethernet (<b>eth0</b>) qui y est connecté <u>à moins que</u> vous vous connectiez
par <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol over <u>E</u>thernet</i>
(PPPoE) ou <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling<u>P</u>rotocol</i>(PPTP)
dans ce cas l'interface externe sera <b>ppp0</b>. Si vous vous connectez
par un simple modem (RTC), votre interface externe sera aussi <b>ppp0</b>.
Si vous vous connectez en utilisant l'ISDN (numéris), votre interface externe
sera<b> ippp0.</b></p>
<p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
height="13"> L'exemple de configuration de Shorewall pour une interface
suppose que votre interface externe est <b>eth0</b>. Si votre
configuration est différente, vous devrez modifier le fichier d'exemple
/etc/shorewall/interfaces en conséquence. Puisque vous y êtes, vous
pourriez parcourir la liste d'options qui sont spécifiées pour
l'interface. Quelques astuces :</p>
height="13">
L'exemple de configuration de Shorewall pour une interface suppose que votre
interface externe est <b>eth0</b>. Si votre configuration est différente,
vous devrez modifier le fichier d'exemple /etc/shorewall/interfaces en conséquence.
Puisque vous y êtes, vous pourriez parcourir la liste d'options qui sont
spécifiées pour l'interface. Quelques astuces :</p>
<ul>
<li>
<p align="left">Si votre interface externe est <b>ppp0</b> ou <b>ippp0</b>,
vous pouvez remplacer le "detect" dans la seconde colonne par un
"-". </p>
vous pouvez remplacer le "detect" dans la seconde colonne par un "-".
</p>
</li>
<li>
<p align="left"> Si votre interface externe est <b>ppp0</b> ou <b>ippp0</b>
ou bien si vous avez une adresse IP statique, vous pouvez enlever le
"dhcp" de la liste d'option. </p>
ou bien si vous avez une adresse IP statique, vous pouvez enlever le "dhcp"
de la liste d'option. </p>
</li>
</ul>
<div align="left">
<h2 align="left">Adresse IP</h2>
</div>
<div align="left">
<p align="left">La RFC 1918 définie plusieurs plage d'adresses IP
privée (<i>Private</i>IP) pour l'utilisation dans des réseaux privés :</p>
<p align="left">La RFC 1918 définie plusieurs plage d'adresses IP privée
(<i>Private</i>IP) pour l'utilisation dans des réseaux privés :</p>
<div align="left">
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
</div>
<p align="left">Ces adresses sont parfois désignées comme étant <i>non-routables</i>
car les routeurs sur les backbones Internet ne font pas passer les
paquets dont les adresses de destinations sont définies dans la RFC
1918. Dans certains cas, les fournisseurs (provider ou ISP) utilisent
ces adresses et utilisent le <i>Network Address Translation </i>afin
de récrire les entêtes des paquets lorsqu'ils les font circuler depuis
ou vers l'Internet.</p>
car les routeurs sur les backbones Internet ne font pas passer les paquets
dont les adresses de destinations sont définies dans la RFC 1918. Dans certains
cas, les fournisseurs (provider ou ISP) utilisent ces adresses et utilisent
le <i>Network Address Translation </i>afin de récrire les entêtes des paquets
lorsqu'ils les font circuler depuis ou vers l'Internet.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" align="left"
width="13" height="13"> Avant de lancer Shorewall, vous devriez
regarder l'adresse de votre interface externe et si elle est comprise
dans une des plages précédentes, vous devriez enlever l'option
'norfc1918' dans le fichier /etc/shorewall/interfaces.</p>
width="13" height="13">
Avant de lancer Shorewall, vous devriez regarder l'adresse de votre interface
externe et si elle est comprise dans une des plages précédentes, vous devriez
enlever l'option 'norfc1918' dans le fichier /etc/shorewall/interfaces.</p>
</div>
<div align="left">
<h2 align="left">Permettre d'autres connexions</h2>
</div>
<div align="left">
<p align="left">Si vous désirez autoriser d'autres connexions depuis
l'Internet vers votre firewall, le format général est :</p>
<p align="left">Si vous désirez autoriser d'autres connexions depuis l'Internet
vers votre firewall, le format général est :</p>
</div>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -258,14 +303,17 @@ l'Internet vers votre firewall, le format g
<td> <br>
</td>
</tr>
</tbody>
</table>
</blockquote>
</div>
<div align="left">
<p align="left">Exemple - Vous voulez faire tourner un serveur Web et
un serveur POP3 sur votre système de firewall :</p>
<p align="left">Exemple - Vous voulez faire tourner un serveur Web et un
serveur POP3 sur votre système de firewall :</p>
</div>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -302,20 +350,24 @@ un serveur POP3 sur votre syst
<td> <br>
</td>
</tr>
</tbody>
</table>
</blockquote>
</div>
<div align="left">
<p align="left">Si vous ne savez pas quel port ou protocole une
application particulière utilise, regardez <a href="ports.htm">ici</a>.</p>
<p align="left">Si vous ne savez pas quel port ou protocole une application
particulière utilise, regardez <a href="ports.htm">ici</a>.</p>
</div>
<div align="left">
<p align="left"><b>Important: </b>Je ne vous recommande pas
d'autoriser le telnet depuis ou vers l'Internet car il utilise du texte
en clair (même pour le login et le mot de passe !). Si vous voulez avoir
un accès au shell de votre firewall depuis Internet, utilisez SSH :</p>
<p align="left"><b>Important: </b>Je ne vous recommande pas d'autoriser le
telnet depuis ou vers l'Internet car il utilise du texte en clair (même pour
le login et le mot de passe !). Si vous voulez avoir un accès au shell de
votre firewall depuis Internet, utilisez SSH :</p>
</div>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -341,61 +393,71 @@ un acc
<td> <br>
</td>
</tr>
</tbody>
</table>
</blockquote>
</div>
<div align="left">
<pre> ACCEPT net fw tcp 22</pre>
</div>
<div align="left">
<p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
height="13"> A ce point, éditez /etc/shorewall/rules pour rajouter
les autres connexions désirées.</p>
height="13">
A ce point, éditez /etc/shorewall/rules pour rajouter les autres connexions
désirées.</p>
</div>
<div align="left">
<h2 align="left">Lancer et Arrêter son Firewall</h2>
</div>
<div align="left">
<p align="left"> <img border="0" src="images/BD21298_2.gif" width="13"
height="13" alt="Arrow"> La <a href="Install.htm">procédure
d'installation </a> configure votre système pour lancer Shorewall au
boot du système, mais au début avec la version 1.3.9 de Shorewall le
lancement est désactivé, n'essayer pas de lancer Shorewall avec que la
configuration soit finie. Une fois que vous en aurez fini avec la
configuration du firewall, vous pouvez permettre le lancement de
Shorewall en supprimant le fichier /etc/shorewall/startup_disabled.<br>
height="13" alt="Arrow">
La <a href="Install.htm">procédure d'installation </a> configure votre système
pour lancer Shorewall au boot du système, mais au début avec la version 1.3.9
de Shorewall le lancement est désactivé, n'essayer pas de lancer Shorewall
avec que la configuration soit finie. Une fois que vous en aurez fini avec
la configuration du firewall, vous pouvez permettre le lancement de Shorewall
en supprimant le fichier /etc/shorewall/startup_disabled.<br>
</p>
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Les
utilisateurs des paquets .deb doivent éditer /etc/default/shorewall et
mettre 'startup=1'.</font><br>
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Les utilisateurs
des paquets .deb doivent éditer /etc/default/shorewall et mettre 'startup=1'.</font><br>
</p>
</div>
<div align="left">
<p align="left">Le firewall est activé en utilisant la commande
"shorewall start" et arrêté avec "shorewall stop". Lorsque le firewall
est stoppé, le routage est autorisé sur les hôtes qui possèdent une
entrée dans <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Un firewall qui tourne peut être relancé en utilisant la commande
"shorewall restart". Si vous voulez enlever toutes traces de Shorewall
sur votre configuration de Netfilter, utilisez "shorewall clear".</p>
<p align="left">Le firewall est activé en utilisant la commande "shorewall
start" et arrêté avec "shorewall stop". Lorsque le firewall est stoppé, le
routage est autorisé sur les hôtes qui possèdent une entrée dans <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. Un
firewall qui tourne peut être relancé en utilisant la commande "shorewall
restart". Si vous voulez enlever toutes traces de Shorewall sur votre configuration
de Netfilter, utilisez "shorewall clear".</p>
</div>
<div align="left">
<p align="left"><b>ATTENTION: </b>Si vous êtes connecté à votre
firewall depuis Internet, n'essayez pas une commande "shorewall stop"
tant que vous n'avez pas ajouté une entrée pour votre adresse IP (celle
à partir de laquelle vous êtes connectée) dans <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
De la même manière, je ne vous recommande pas d'utiliser "shorewall
restart"; il est plus intéressant de créer une <i><a
<p align="left"><b>ATTENTION: </b>Si vous êtes connecté à votre firewall
depuis Internet, n'essayez pas une commande "shorewall stop" tant que vous
n'avez pas ajouté une entrée pour votre adresse IP (celle à partir de laquelle
vous êtes connectée) dans <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
De la même manière, je ne vous recommande pas d'utiliser "shorewall restart";
il est plus intéressant de créer une <i><a
href="configuration_file_basics.htm#Configs">configuration alternative</a></i>
et de la tester en utilisant la commande <a
href="starting_and_stopping_shorewall.htm">"shorewall try"</a>.</p>
</div>
<p align="left"><font size="2">Last updated 12/9/2002 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002
Thomas M. Eastep</font></a></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas
M. Eastep</font></a></p>
<br>
<br>
<br>
<br>

61
STABLE/documentation/support.htm
View File

@ -20,7 +20,8 @@
bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<td
width="100%">
@ -41,13 +42,14 @@
<h2>Before Reporting a Problem or Asking a Question<br>
</h2>
There are a number
of sources of Shorewall information. Please try these before you post.
of sources of Shorewall information. Please try these before you
post.
<ul>
<li>More than half of the questions posted
on the support list have answers directly accessible from the
<a href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a><br>
<a href="shorewall_quickstart_guide.htm#Documentation">Documentation
Index</a><br>
</li>
<li> The <a
href="FAQ.htm">FAQ</a> has solutions to more than 20 common problems.
@ -114,8 +116,8 @@
<ul>
<li>Please remember we only know what is posted
in your message. Do not leave out any information that appears
to be correct, or was mentioned in a previous post. There have been
countless posts by people who were sure that some part of their
to be correct, or was mentioned in a previous post. There have
been countless posts by people who were sure that some part of their
configuration was correct when it actually contained a small error.
We tend to be skeptics where detail is lacking.<br>
<br>
@ -123,16 +125,16 @@ countless posts by people who were sure that some part of their
<li>Please keep in mind that you're asking for
<strong>free</strong> technical support. Any help we offer
is an act of generosity, not an obligation. Try to make it easy
for us to help you. Follow good, courteous practices in writing
and formatting your e-mail. Provide details that we need if you expect
good answers. <em>Exact quoting </em> of error messages, log entries,
for us to help you. Follow good, courteous practices in writing and
formatting your e-mail. Provide details that we need if you expect good
answers. <em>Exact quoting </em> of error messages, log entries,
command output, and other output is better than a paraphrase or summary.<br>
<br>
</li>
<li> Please
don't describe your environment and then ask us to send you
custom configuration files. We're here to answer your
questions but we can't do your job for you.<br>
don't describe your environment and then ask us to send
you custom configuration files. We're here to answer
your questions but we can't do your job for you.<br>
<br>
</li>
<li>When reporting a problem, <strong>ALWAYS</strong>
@ -227,13 +229,15 @@ using the Mandrake installation of Shorewall, please say so.</b><br>
4. Post the /tmp/status.txt file as an attachment.<br>
<br>
</li>
</ul>
<li>As a general
matter, please <strong>do not edit the diagnostic information</strong>
in an attempt to conceal your IP address, netmask, nameserver
addresses, domain name, etc. These aren't secrets, and concealing
them often misleads us (and 80% of the time, a hacker could derive them
anyway from information contained in the SMTP headers of your post).<br>
them often misleads us (and 80% of the time, a hacker could derive
them anyway from information contained in the SMTP headers of your
post).<br>
<br>
<strong></strong></li>
<li>Do you see any "Shorewall" messages ("<b><font
@ -245,8 +249,8 @@ include the message(s) in your post along with a copy of your /etc/shorewall
</li>
<li>Please include any of the Shorewall configuration files
(especially the /etc/shorewall/hosts file if you have
modified that file) that you think are relevant. If you
include /etc/shorewall/rules, please include /etc/shorewall/policy
modified that file) that you think are relevant. If
you include /etc/shorewall/rules, please include /etc/shorewall/policy
as well (rules are meaningless unless one also knows the policies).<br>
<br>
</li>
@ -256,8 +260,8 @@ include the message(s) in your post along with a copy of your /etc/shorewall
section for instructions).<br>
<br>
</li>
<li><b>The list server limits posts to 120kb so don't post GIFs
of your network layout, etc. to the Mailing
<li><b>The list server limits posts to 120kb so don't post
GIFs of your network layout, etc. to the Mailing
List -- your post will be rejected.</b></li>
</ul>
@ -286,8 +290,8 @@ plagiarized from the excellent LEAF document by <i>Ray</i> <em>Olszewski</e
all shorewall.net mail. As one list subscriber wrote to me privately
"These e-mail admin's need to get a <i>(expletive deleted)</i> life
instead of trying to rid the planet of HTML based e-mail". Nevertheless,
to allow subscribers to receive list posts as must as possible, I
have now configured the list server at shorewall.net to strip all HTML
to allow subscribers to receive list posts as must as possible, I have
now configured the list server at shorewall.net to strip all HTML
from outgoing posts.<br>
</blockquote>
@ -302,20 +306,16 @@ have now configured the list server at shorewall.net to strip all HTML
to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF
Users mailing list</a>.</span></h4>
<b>If you run Shorewall under MandrakeSoft
Multi Network Firewall (MNF) and you have not purchased an MNF
license from MandrakeSoft then you can post non MNF-specific Shorewall
questions to the </b><a
Multi Network Firewall (MNF) and you have not purchased an
MNF license from MandrakeSoft then you can post non MNF-specific
Shorewall questions to the </b><a
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
list</a> or to the <a
href="http://www.developercube.com/forum/index.php?c=8">Shorewall Support
Forum</a>. <b>Do not expect to get free MNF support on the list or forum.</b><br>
list</a>. <b>Do not expect to get free MNF support on the list.</b><br>
<p>Otherwise, please post your question or problem to the <a
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
list</a> or to the <a
href="http://www.developercube.com/forum/index.php?c=8">Shorewall Support
Forum</a>.<br>
list</a>.<br>
To Subscribe to the mailing list go to <a
href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a>
.<br>
@ -331,7 +331,7 @@ Forum</a>.<br>
</p>
<p align="left"><font size="2">Last Updated 3/17/2003 - Tom Eastep</font></p>
<p align="left"><font size="2">Last Updated 4/10/2003 - Tom Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
@ -341,5 +341,6 @@ Forum</a>.<br>
<br>
<br>
<br>
<br>
</body>
</html>

209
STABLE/documentation/three-interface.htm
View File

@ -20,7 +20,6 @@
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Three-Interface Firewall</font></h1>
</td>
</tr>
@ -39,8 +38,8 @@ basics and follow the documentation.</p>
in one of its more popular configurations:</p>
<ul>
<li>Linux system used as a firewall/router for a small local
network.</li>
<li>Linux system used as a firewall/router for a small
local network.</li>
<li>Single public IP address.</li>
<li>DMZ connected to a separate ethernet interface.</li>
<li>Connection through DSL, Cable Modem, ISDN, Frame Relay,
@ -75,16 +74,15 @@ tell if this package is installed by the presence of an <b>ip</b> program
    If you edit your configuration files on a Windows system,
you must save them as Unix files if your editor supports that option
or you must run them through dos2unix before trying to use them. Similarly,
if you copy a configuration file from your Windows hard drive to a
floppy disk, you must run dos2unix against the copy before using it with
Shorewall.</p>
if you copy a configuration file from your Windows hard drive to a floppy
disk, you must run dos2unix against the copy before using it with Shorewall.</p>
<ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows
Version of dos2unix</a></li>
<li><a
href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version
of dos2unix</a></li>
href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version of
dos2unix</a></li>
</ul>
@ -93,17 +91,17 @@ of dos2unix</a></li>
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
alt="">
    The configuration files for Shorewall are contained in the directory
/etc/shorewall -- for simple setups, you will only need to deal with
a few of these as described in this guide. After you have <a
/etc/shorewall -- for simple setups, you will only need to deal with a
few of these as described in this guide. After you have <a
href="Install.htm">installed Shorewall</a>, <b>download the <a
href="/pub/shorewall/LATEST.samples/three-interfaces.tgz">three-interface
href="http://www.shorewall.net/pub/shorewall/LATEST.samples/three-interfaces.tgz">three-interface
sample</a>, un-tar it (tar -zxvf three-interfaces.tgz) and and copy
the files to /etc/shorewall (the files will replace files with the
same names that were placed in /etc/shorewall when Shorewall was installed)</b>.</p>
the files to /etc/shorewall (the files will replace files with the same
names that were placed in /etc/shorewall when Shorewall was installed)</b>.</p>
<p>As each file is introduced, I suggest that you look through the actual
file on your system -- each file contains detailed configuration
instructions and default entries.</p>
file on your system -- each file contains detailed configuration instructions
and default entries.</p>
<p>Shorewall views the network where it is running as being composed of a
set of <i>zones.</i> In the three-interface sample configuration,
@ -144,8 +142,8 @@ the following zone names are used:</p>
<li>You express your default policy for connections from
one zone to another zone in the<a
href="Documentation.htm#Policy"> /etc/shorewall/policy </a>file.</li>
<li>You define exceptions to those default policies in the
<a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
<li>You define exceptions to those default policies in
the <a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
</ul>
@ -192,7 +190,6 @@ DROP
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
@ -220,7 +217,6 @@ DROP
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
@ -232,8 +228,8 @@ DROP
to the internet</li>
<li>drop (ignore) all connection requests from the internet
to your firewall or local network</li>
<li>optionally accept all connection requests from the firewall
to the internet (if you uncomment the additional policy)</li>
<li>optionally accept all connection requests from the
firewall to the internet (if you uncomment the additional policy)</li>
<li>reject all other connection requests.</li>
</ol>
@ -266,9 +262,9 @@ If you connect using ISDN, you external interface will be <b>ippp0.</b></p>
<p align="left">Your <i>Local Interface</i> will be an ethernet adapter (eth0,
eth1 or eth2) and will be connected to a hub or switch. Your local
computers will be connected to the same switch (note: If you have
only a single local system, you can connect the firewall directly to
the computer using a <i>cross-over </i> cable).</p>
computers will be connected to the same switch (note: If you have only
a single local system, you can connect the firewall directly to the
computer using a <i>cross-over </i> cable).</p>
<p align="left">Your <i>DMZ Interface</i> will also be an ethernet adapter
(eth0, eth1 or eth2) and will be connected to a hub or switch. Your
@ -294,15 +290,13 @@ is different, you will have to modify the sample /etc/shorewall/interfaces
<ul>
<li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>,
you can replace the "detect" in the second column with "-". </p>
</li>
<li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>
or if you have a static IP address, you can remove "dhcp" from
the option list. </p>
or if you have a static IP address, you can remove "dhcp" from the
option list. </p>
</li>
</ul>
@ -312,16 +306,15 @@ the option list. </p>
<p align="left">Before going further, we should say a few words about Internet
Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you
a single <i> Public</i> IP address. This address may be assigned via
the<i> Dynamic Host Configuration Protocol</i> (DHCP) or as part of
establishing your connection when you dial in (standard modem) or establish
your PPP connection. In rare cases, your ISP may assign you a<i> static</i>
IP address; that means that you configure your firewall's external interface
the<i> Dynamic Host Configuration Protocol</i> (DHCP) or as part of establishing
your connection when you dial in (standard modem) or establish your PPP
connection. In rare cases, your ISP may assign you a<i> static</i> IP
address; that means that you configure your firewall's external interface
to use that address permanently.<i> </i>Regardless of how the address
is assigned, it will be shared by all of your systems when you access
the Internet. You will have to assign your own addresses for your internal
network (the local and DMZ Interfaces on your firewall plus your other
computers). RFC 1918 reserves several <i>Private </i>IP address ranges for
this purpose:</p>
is assigned, it will be shared by all of your systems when you access the
Internet. You will have to assign your own addresses for your internal network
(the local and DMZ Interfaces on your firewall plus your other computers).
RFC 1918 reserves several <i>Private </i>IP address ranges for this purpose:</p>
<div align="left">
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
@ -341,8 +334,8 @@ interface's entry in /etc/shorewall/interfaces.</p>
sub-network </i>or <i>subnet</i> and your DMZ addresses from another
subnet. For our purposes, we can consider a subnet to consists of
a range of addresses x.y.z.0 - x.y.z.255. Such a subnet will have a
<i>Subnet Mask </i>of 255.255.255.0. The address x.y.z.0 is reserved as
the <i>Subnet Address</i> and x.y.z.255 is reserved as the <i>Subnet
<i>Subnet Mask </i>of 255.255.255.0. The address x.y.z.0 is reserved
as the <i>Subnet Address</i> and x.y.z.255 is reserved as the <i>Subnet
Broadcast</i> <i>Address</i>. In Shorewall, a subnet is described using <a
href="shorewall_setup_guide.htm#Subnets"><i>Classless InterDomain Routing
</i>(CIDR)</a> notation with consists of the subnet address followed
@ -376,7 +369,6 @@ Broadcast</i> <i>Address</i>. In Shorewall, a subnet is described using
<td>10.10.10.0/24</td>
</tr>
</tbody>
</table>
</blockquote>
@ -408,8 +400,8 @@ example) or the last usable address (10.10.10.254).</p>
<p align="left">The foregoing short discussion barely scratches the surface
regarding subnetting and routing. If you are interested in learning
more about IP addressing and routing, I highly recommend <i>"IP Fundamentals:
What Everyone Needs to Know about Addressing &amp; Routing",</i>
Thomas A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
What Everyone Needs to Know about Addressing &amp; Routing",</i> Thomas
A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
<p align="left">The remainder of this quide will assume that you have configured
your network as shown here:</p>
@ -425,10 +417,10 @@ Thomas A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13" alt="">
    <font color="#ff0000"><b>WARNING: </b></font><b>Your ISP  might assign
your external interface an RFC 1918 address. If that address is in the
10.10.10.0/24 subnet then you will need to select a DIFFERENT RFC 1918
subnet for your local network and if it is in the 10.10.11.0/24 subnet then
you will need to select a different RFC 1918 subnet for your DMZ.</b><br>
your external interface an RFC 1918 address. If that address is in the 10.10.10.0/24
subnet then you will need to select a DIFFERENT RFC 1918 subnet for your
local network and if it is in the 10.10.11.0/24 subnet then you will need
to select a different RFC 1918 subnet for your DMZ.</b><br>
</p>
<p align="left">IP Masquerading (SNAT)</p>
@ -438,30 +430,28 @@ you will need to select a different RFC 1918 subnet for your DMZ.</b><br>
forward packets which have an RFC-1918 destination address. When one
of your local systems (let's assume local computer 1) sends a connection
request to an internet host, the firewall must perform <i>Network Address
Translation </i>(NAT). The firewall rewrites the source address in
the packet to be the address of the firewall's external interface; in
other words, the firewall makes it look as if the firewall itself is
initiating the connection.  This is necessary so that the destination
host will be able to route return packets back to the firewall (remember
that packets whose destination address is reserved by RFC 1918 can't
be routed accross the internet). When the firewall receives a return
packet, it rewrites the destination address back to 10.10.10.1 and
forwards the packet on to local computer 1. </p>
Translation </i>(NAT). The firewall rewrites the source address in the
packet to be the address of the firewall's external interface; in other
words, the firewall makes it look as if the firewall itself is initiating
the connection.  This is necessary so that the destination host will
be able to route return packets back to the firewall (remember that
packets whose destination address is reserved by RFC 1918 can't be routed
accross the internet). When the firewall receives a return packet, it
rewrites the destination address back to 10.10.10.1 and forwards the
packet on to local computer 1. </p>
<p align="left">On Linux systems, the above process is often referred to
as<i> IP Masquerading</i> and you will also see the term <i>Source Network
Address Translation </i>(SNAT) used. Shorewall follows the convention used
with Netfilter:</p>
<p align="left">On Linux systems, the above process is often referred to as<i>
IP Masquerading</i> and you will also see the term <i>Source Network Address
Translation </i>(SNAT) used. Shorewall follows the convention used with
Netfilter:</p>
<ul>
<li>
<p align="left"><i>Masquerade</i> describes the case where you let your
firewall system automatically detect the external interface address.
</p>
</li>
<li>
<p align="left"><i>SNAT</i> refers to the case when you explicitly specify
the source address that you want outbound packets from your local
network to use. </p>
@ -475,8 +465,8 @@ with Netfilter:</p>
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13">
    If your external firewall interface is <b>eth0</b>, your
local interface <b>eth1 </b>and your DMZ interface is <b>eth2</b>
then you do not need to modify the file provided with the sample. Otherwise,
local interface <b>eth1 </b>and your DMZ interface is <b>eth2</b> then
you do not need to modify the file provided with the sample. Otherwise,
edit /etc/shorewall/masq and change it to match your configuration.</p>
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
@ -491,8 +481,8 @@ your static IP in column 3 makes <br>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13" alt="">
    If you are using the Debian package, please check your shorewall.conf
file to ensure that the following are set correctly; if they are not,
change them appropriately:<br>
file to ensure that the following are set correctly; if they are not, change
them appropriately:<br>
</p>
<ul>
@ -506,16 +496,16 @@ change them appropriately:<br>
<p align="left">One of your goals will be to run one or more servers on your
DMZ computers. Because these computers have RFC-1918 addresses, it
is not possible for clients on the internet to connect directly to
them. It is rather necessary for those clients to address their connection
is not possible for clients on the internet to connect directly to them.
It is rather necessary for those clients to address their connection
requests to your firewall who rewrites the destination address to the
address of your server and forwards the packet to that server. When your
server responds, the firewall automatically performs SNAT to rewrite
the source address in the response.</p>
<p align="left">The above process is called<i> Port Forwarding</i> or <i>
Destination Network Address Translation</i> (DNAT). You configure port
forwarding using DNAT rules in the /etc/shorewall/rules file.</p>
Destination Network Address Translation</i> (DNAT). You configure
port forwarding using DNAT rules in the /etc/shorewall/rules file.</p>
<p>The general form of a simple port forwarding rule in /etc/shorewall/rules
is:</p>
@ -544,13 +534,12 @@ them. It is rather necessary for those clients to address their connection
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
<p>If you don't specify the <i>&lt;server port&gt;</i>, it is assumed to
be the same as <i>&lt;port&gt;</i>.</p>
<p>If you don't specify the <i>&lt;server port&gt;</i>, it is assumed to be
the same as <i>&lt;port&gt;</i>.</p>
<p>Example - you run a Web Server on DMZ 2 and you want to forward incoming
TCP port 80 to that system:</p>
@ -587,7 +576,6 @@ be the same as <i>&lt;port&gt;</i>.</p>
<td>from the local network</td>
</tr>
</tbody>
</table>
</blockquote>
@ -598,8 +586,8 @@ be the same as <i>&lt;port&gt;</i>.</p>
<li>When you are connecting to your server from your local
systems, you must use the server's internal IP address (10.10.11.2).</li>
<li>Many ISPs block incoming connection requests to port
80. If you have problems connecting to your web server, try the following
rule and try connecting to port 5000 (e.g., connect to <a
80. If you have problems connecting to your web server, try the
following rule and try connecting to port 5000 (e.g., connect to <a
href="http://w.x.y.z:5000"> http://w.x.y.z:5000</a> where w.x.y.z is your
external IP).</li>
@ -628,14 +616,13 @@ be the same as <i>&lt;port&gt;</i>.</p>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
<p>If you want to be able to access your server from the local network using
your external address, then if you have a static external IP you
can replace the loc-&gt;dmz rule above with:</p>
your external address, then if you have a static external IP you can
replace the loc-&gt;dmz rule above with:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -660,7 +647,6 @@ can replace the loc-&gt;dmz rule above with:</p>
<td><i>&lt;external IP&gt;</i></td>
</tr>
</tbody>
</table>
</blockquote>
@ -702,7 +688,6 @@ can replace the loc-&gt;dmz rule above with:</p>
<td>$ETH0_IP</td>
</tr>
</tbody>
</table>
</blockquote>
@ -718,16 +703,15 @@ servers. </p>
<p align="left">Normally, when you connect to your ISP, as part of getting
an IP address your firewall's <i>Domain Name Service </i>(DNS) resolver
will be automatically configured (e.g., the /etc/resolv.conf file
will be written). Alternatively, your ISP may have given you the IP
address of a pair of DNS <i> name servers</i> for you to manually configure
as your primary and secondary name servers. It is <u>your</u> responsibility
will be automatically configured (e.g., the /etc/resolv.conf file will
be written). Alternatively, your ISP may have given you the IP address
of a pair of DNS <i> name servers</i> for you to manually configure as
your primary and secondary name servers. It is <u>your</u> responsibility
to configure the resolver in your internal systems. You can take one
of two approaches:</p>
<ul>
<li>
<p align="left">You can configure your internal systems to use your ISP's
name servers. If you ISP gave you the addresses of their servers
or if those addresses are available on their web site, you can configure
@ -737,27 +721,25 @@ as your primary and secondary name servers. It is <u>your</u> responsibili
</p>
</li>
<li>
<p align="left"><img border="0" src="images/BD21298_2.gif"
width="13" height="13">
    You can configure a<i> Caching Name Server </i>on your
firewall or in your DMZ.<i> </i>Red Hat has an RPM for a caching
name server (which also requires the 'bind' RPM) and for Bering
users, there is dnscache.lrp. If you take this approach, you configure
your internal systems to use the caching name server as their primary
(and only) name server. You use the internal IP address of the firewall
(10.10.10.254 in the example above) for the name server address if
you choose to run the name server on your firewall. To allow your local
systems to talk to your caching name server, you must open port 53
(both UDP and TCP) from the local network to the server; you do that
by adding the rules in /etc/shorewall/rules. </p>
firewall or in your DMZ.<i> </i>Red Hat has an RPM for a caching name
server (which also requires the 'bind' RPM) and for Bering users,
there is dnscache.lrp. If you take this approach, you configure your
internal systems to use the caching name server as their primary (and
only) name server. You use the internal IP address of the firewall (10.10.10.254
in the example above) for the name server address if you choose to
run the name server on your firewall. To allow your local systems to
talk to your caching name server, you must open port 53 (both UDP
and TCP) from the local network to the server; you do that by adding
the rules in /etc/shorewall/rules. </p>
</li>
</ul>
<blockquote>
<p align="left">If you run the name server on the firewall:
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber4">
<tbody>
@ -807,7 +789,6 @@ by adding the rules in /etc/shorewall/rules. </p>
<td> </td>
</tr>
</tbody>
</table>
</p>
@ -866,7 +847,6 @@ by adding the rules in /etc/shorewall/rules. </p>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
@ -913,7 +893,6 @@ by adding the rules in /etc/shorewall/rules. </p>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
@ -921,8 +900,8 @@ by adding the rules in /etc/shorewall/rules. </p>
<div align="left">
<p align="left">Those rules allow DNS access from your firewall and may be
removed if you commented out the line in /etc/shorewall/policy
allowing all connections from the firewall to the internet.</p>
removed if you commented out the line in /etc/shorewall/policy allowing
all connections from the firewall to the internet.</p>
</div>
<div align="left">
@ -962,7 +941,6 @@ allowing all connections from the firewall to the internet.</p>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
@ -1003,7 +981,6 @@ allowing all connections from the firewall to the internet.</p>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
@ -1047,7 +1024,6 @@ allowing all connections from the firewall to the internet.</p>
<td>from the internet</td>
</tr>
</tbody>
</table>
</blockquote>
@ -1059,8 +1035,8 @@ allowing all connections from the firewall to the internet.</p>
</div>
<div align="left">
<p align="left">If you don't know what port and protocol a particular
application uses, look <a href="ports.htm">here</a>.</p>
<p align="left">If you don't know what port and protocol a particular application
uses, look <a href="ports.htm">here</a>.</p>
</div>
<div align="left">
@ -1093,7 +1069,6 @@ application uses, look <a href="ports.htm">here</a>.</p>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
@ -1146,7 +1121,6 @@ with Jacques's Shorewall configuration.<br>
</td>
</tr>
</tbody>
</table>
</blockquote>
@ -1165,12 +1139,12 @@ with Jacques's Shorewall configuration.<br>
<div align="left">
<p align="left"> <img border="0" src="images/BD21298_2.gif"
width="13" height="13" alt="Arrow">
    The <a href="Install.htm">installation procedure </a> configures
your system to start Shorewall at system boot  but beginning with Shorewall
version 1.3.9 startup is disabled so that your system won't try to start
Shorewall before configuration is complete. Once you have completed configuration
of your firewall, you can enable Shorewall startup by removing the file
/etc/shorewall/startup_disabled.<br>
    The <a href="Install.htm">installation procedure </a>
configures your system to start Shorewall at system boot  but beginning
with Shorewall version 1.3.9 startup is disabled so that your system
won't try to start Shorewall before configuration is complete. Once you
have completed configuration of your firewall, you can enable Shorewall
startup by removing the file /etc/shorewall/startup_disabled.<br>
</p>
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: </font><font
@ -1205,8 +1179,8 @@ set of hosts, modify /etc/shorewall/routestopped accordingly.</p>
have added an entry for the IP address that you are connected from
to <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better to create
an <i><a href="configuration_file_basics.htm#Configs">alternate
configuration</a></i> and test it using the <a
an <i><a href="configuration_file_basics.htm#Configs">alternate configuration</a></i>
and test it using the <a
href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p>
</div>
@ -1230,5 +1204,6 @@ configuration</a></i> and test it using the <a
<br>
<br>
<br>
<br>
</body>
</html>

179
STABLE/documentation/three-interface_fr.html
View File

@ -30,16 +30,16 @@
<h2 align="center">Version 2.0.1 Française</h2>
<p align="left"><small><i><u>Notes du traducteur</u> :<br>
Je ne prétends pas être un vrai traducteur dans le sens ou mon travail n?est
pas des plus précis (loin de là...). Je ne me suis pas attaché à une traduction
exacte du texte, mais plutôt à en faire une version française intelligible
par tous (et par moi). Les termes techniques sont la plupart du temps conservés
sous leur forme originale et mis entre parenthèses car vous pouvez les retrouver
dans le reste des documentations ainsi que dans les fichiers de configuration.
N?hésitez pas à me contacter afin d?améliorer ce document <a
href="mailto:vetsel.patrice@wanadoo.fr">VETSEL Patrice</a> (merci à JMM pour
sa relecture et ses commentaires pertinents, ainsi qu'à Tom EASTEP pour son
formidable outil et sa disponibilité).</i></small></p>
Je ne prétends pas être un vrai traducteur dans le sens ou mon travail
n?est pas des plus précis (loin de là...). Je ne me suis pas attaché à une
traduction exacte du texte, mais plutôt à en faire une version française
intelligible par tous (et par moi). Les termes techniques sont la plupart
du temps conservés sous leur forme originale et mis entre parenthèses car
vous pouvez les retrouver dans le reste des documentations ainsi que dans
les fichiers de configuration. N?hésitez pas à me contacter afin d?améliorer
ce document <a href="mailto:vetsel.patrice@wanadoo.fr">VETSEL Patrice</a>
(merci à JMM pour sa relecture et ses commentaires pertinents, ainsi qu'à
Tom EASTEP pour son formidable outil et sa disponibilité).</i></small></p>
<p align="left"><br>
Mettre en place un système linux en tant que firewall pour un petit réseau
@ -66,8 +66,8 @@ RTC, ...</li>
height="635">
</p>
<p>Ce guide suppose que vous avez le paquet iproute/iproute2 d'installé.
Vous pouvez voir si le paquet est installé en vérifiant la présence du programme
<p>Ce guide suppose que vous avez le paquet iproute/iproute2 d'installé. Vous
pouvez voir si le paquet est installé en vérifiant la présence du programme
ip sur votre système de firewall. Sous root, utilisez la commande 'which'
pour rechercher le programme :</p>
@ -85,12 +85,12 @@ la configuration sont recommand
devez les sauver comme des fichiers Unix si votre éditeur offre cette option
sinon vous devez les faire passer par dos2unix avant d'essayer de les utiliser.
De la même manière, si vous copiez un fichier de configuration depuis votre
disque dur Windows vers une disquette, vous devez lancer dos2unix sur la
copie avant de l'utiliser avec Shorewall.</p>
disque dur Windows vers une disquette, vous devez lancer dos2unix sur la copie
avant de l'utiliser avec Shorewall.</p>
<ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version of
dos2unix</a></li>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
of dos2unix</a></li>
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version
of dos2unix</a></li>
@ -104,11 +104,11 @@ of dos2unix</a></li>
/etc/shorewall -- pour de simples paramétrages, vous n'avez à faire qu'avec
quelques un d'entre eux comme décris dans ce guide. Après avoir <a
href="Install.htm">installé Shorewall</a>, <b>téléchargez la configuration
d'exemple <a href="/pub/shorewall/LATEST.samples/three-interfaces.tgz">three-interface
d'exemple <a
href="http://france.shorewall.net/pub/shorewall/LATEST.samples/three-interfaces.tgz">three-interface
sample</a>, un-tarez la (tar -zxvf three-interfaces.tgz) </b><b>et copiez
les fichiers vers /etc/shorewall (Ils remplaceront les fichiers de même
nom déjà existant dans /etc/shorewall installés lors de l'installation de
Shorewall)</b>.</p>
les fichiers vers /etc/shorewall (Ils remplaceront les fichiers de même nom
déjà existant dans /etc/shorewall installés lors de l'installation de Shorewall)</b>.</p>
<p>En même temps que chacun des fichiers est présenté, je vous suggère de
jeter un oeil à ceux qui se trouvent réellement sur votre système -- chacun
@ -144,15 +144,15 @@ trois zones sont d
<p>Les noms de zone sont définis dans <a href="Documentation.htm#Zones">/etc/shorewall/zones</a>.</p>
<p>Shorewall reconnaît aussi le système de firewall comme sa propre zone
- par défaut, le firewall lui même est connu en tant que <b>fw</b>.</p>
<p>Shorewall reconnaît aussi le système de firewall comme sa propre zone -
par défaut, le firewall lui même est connu en tant que <b>fw</b>.</p>
<p>Les règles concernant le trafic à autoriser ou à interdire sont exprimées
en utilisant les termes de zones.</p>
<ul>
<li>Vous exprimez les politiques par défaut pour les connexions d'une zone
à une autre dans le fichier<a href="Documentation.htm#Policy"> /etc/shorewall/policy
<li>Vous exprimez les politiques par défaut pour les connexions d'une
zone à une autre dans le fichier<a href="Documentation.htm#Policy"> /etc/shorewall/policy
</a>.</li>
<li>Vous définissez les exceptions à ces règles de politiques par défaut
dans le fichier <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
@ -161,11 +161,10 @@ dans le fichier <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
<p>Pour chacune des demandes de connexion entrantes dans le firewall, les
demandes sont en premier lieu comparées par rapport au fichier /etc/shorewall/rules.
Si aucune des règles dans ce fichier ne correspondent, alors la première
politique dans /etc/shorewall/policy qui y correspond est appliquée. Si cette
politique est REJECT ou DROP la requête est alors comparée par rapport aux
règles contenues dans /etc/shorewall/common (l'archive d'exemple vous fournit
ce fichier).</p>
Si aucune des règles dans ce fichier ne correspondent, alors la première politique
dans /etc/shorewall/policy qui y correspond est appliquée. Si cette politique
est REJECT ou DROP la requête est alors comparée par rapport aux règles contenues
dans /etc/shorewall/common (l'archive d'exemple vous fournit ce fichier).</p>
<p>Le fichier /etc/shorewall/policy d'exemple contenu dans l'archive three-interface
sample a les politiques suivantes :</p>
@ -244,10 +243,10 @@ avoir un acc
<ol>
<li>permettre toutes demandes de connexion depuis le firewall vers l'Internet</li>
<li>drop (ignorer) toutes les demandes de connexion depuis l'Internet vers
votre firewall ou vers votre réseau local</li>
<li>Facultativement accepter toutes les demandes de connexion depuis votre
firewall et vers Internet (si vous decommentez la politique précédente)</li>
<li>drop (ignorer) toutes les demandes de connexion depuis l'Internet
vers votre firewall ou vers votre réseau local</li>
<li>Facultativement accepter toutes les demandes de connexion depuis
votre firewall et vers Internet (si vous decommentez la politique précédente)</li>
<li>reject (rejeter) toutes les autres demandes de connexion.</li>
</ol>
@ -263,14 +262,14 @@ que vous d
</p>
<p align="left">Le firewall a trois interfaces de réseau. Lorsque la connexion
Internet passe par le câble ou par un ROUTEUR (pas un simple modem) ADSL
(non USB), l'interface vers l'extérieur (External Interface) sera l'adaptateur
Internet passe par le câble ou par un ROUTEUR (pas un simple modem) ADSL (non
USB), l'interface vers l'extérieur (External Interface) sera l'adaptateur
sur lequel est connecté le routeur (e.g., eth0) à moins que vous ne vous
connectiez par Point-to-PointProtocol overEthernet (PPPoE) ou par Point-to-PointTunneling
Protocol (PPTP), dans ce cas l'interface extérieure sera une interface de
type ppp (e.g., ppp0). Si vous vous connectez par un simple modem (RTC),
votre interface extérieure sera aussi ppp0. Si votre connexion passe par
Numéris (ISDN), votre interface extérieure sera ippp0<b>.</b></p>
type ppp (e.g., ppp0). Si vous vous connectez par un simple modem (RTC), votre
interface extérieure sera aussi ppp0. Si votre connexion passe par Numéris
(ISDN), votre interface extérieure sera ippp0<b>.</b></p>
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13">
@ -298,8 +297,8 @@ ce soit shorewall qui ne marche pas.</p>
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13">
L'exemple de configuration de Shorewall pour trois interfaces suppose que
l'interface externe est <b>eth0, </b>l'interface locale est <b>eth1 </b>
et que la DMZ est sur l'interface <b>eth2</b>. Si votre configuration diffère,
l'interface externe est <b>eth0, </b>l'interface locale est <b>eth1 </b> et
que la DMZ est sur l'interface <b>eth2</b>. Si votre configuration diffère,
vous devrez modifier le fichier d'exemple /etc/shorewall/interfaces en conséquence.
Tant que vous y êtes, vous pourriez parcourir la liste des options qui sont
spécifiées pour les interfaces. Quelques trucs :</p>
@ -310,9 +309,9 @@ sp
remplacer le "detect" dans la seconde colonne par un "-". </p>
</li>
<li>
<p align="left">Si votre interface externe est ppp0 ou ippp0 ou bien
si vous avez une adresse IP statique, vous pouvez enlever le "dhcp" de la
liste d'option. </p>
<p align="left">Si votre interface externe est ppp0 ou ippp0 ou bien si
vous avez une adresse IP statique, vous pouvez enlever le "dhcp" de la liste
d'option. </p>
</li>
</ul>
@ -325,11 +324,11 @@ Internet (ISP) vous assignera une seule adresse IP (single Public IP address).
Cette adresse peut être assignée par le Dynamic Host Configuration Protocol
(DHCP) ou lors de l'établissement de votre connexion lorsque vous vous connectez
(modem standard) ou établissez votre connexion PPP. Dans de rares cas , votre
provider peu vous assigner une adresse statique (staticIP address); cela
signifie que vous configurez votre interface externe sur votre firewall afin
d'utiliser cette adresse de manière permanente. Une fois votre adresse externe
assignée, elle va être partagée par tout vos systèmes lors de l'accès à Internet.
Vous devrez assigner vos propres adresses à votre réseau local (votre interface
provider peu vous assigner une adresse statique (staticIP address); cela signifie
que vous configurez votre interface externe sur votre firewall afin d'utiliser
cette adresse de manière permanente. Une fois votre adresse externe assignée,
elle va être partagée par tout vos systèmes lors de l'accès à Internet. Vous
devrez assigner vos propres adresses à votre réseau local (votre interface
interne sur le firewall ainsi que les autres ordinateurs). La RFC 1918 réserve
plusieurs plages d'IP (Private IP address ranges) à cette fin :</p>
@ -392,9 +391,9 @@ gauche du masque de sous-r
</div>
<div align="left">
<p align="left">Il est de convention d'assigner à l'interface interne la
première adresse utilisable dans le sous-réseau (10.10.10.1 dans l'exemple
précédent) ou la dernière utilisable (10.10.10.254).</p>
<p align="left">Il est de convention d'assigner à l'interface interne la première
adresse utilisable dans le sous-réseau (10.10.10.1 dans l'exemple précédent)
ou la dernière utilisable (10.10.10.254).</p>
</div>
<div align="left">
@ -411,8 +410,8 @@ du sous-r
Vos ordinateurs locaux (ordinateur local 1 et 2) devraient être configurés
avec leur passerelle par défaut (<i>default gateway)</i>pointant sur l'adresse
IP de l'interface interne du firewall, et les ordinateurs de la DMZ devraient
être configurés avec leur passerelle par défaut (<i>default gateway)</i>
pointant sur l'adresse IP de l'interface DMZ du firewall. </p>
être configurés avec leur passerelle par défaut (<i>default gateway)</i> pointant
sur l'adresse IP de l'interface DMZ du firewall. </p>
</div>
<p align="left">Cette courte description ne fait que survoler les concepts
@ -437,23 +436,22 @@ en local sera 10.10.10.254.</p>
<p align="left">Les adresses réservées par la RFC 1918 sont parfois désignées
comme non-routables car les routeurs Internet (backbone) ne font pas circuler
les paquets qui ont une adresse de destination appartenant à la RFC-1918.
Lorsqu'un de vos systèmes en local (supposons l'ordinateur1) demande une
connexion à un serveur par Internet, le firewall doit appliquer un NAT (Network
Address Translation). Le firewall ré écrit l'adresse source dans le paquet,
et l'a remplace par l'adresse de l'interface externe du firewall; en d'autres
mots, le firewall fait croire que c'est lui même qui initie la connexion.
Ceci est nécessaire afin que l'hôte de destination soit capable de renvoyer
les paquets au firewall (souvenez vous que les paquets qui ont pour adresse
de destination, une adresse réservée par la RFC 1918 ne pourront pas être
routés à travers Internet, donc l'hôte Internet ne pourra adresser sa réponse
à l'ordinateur 1). Lorsque le firewall reçoit le paquet de réponse, il remet
Lorsqu'un de vos systèmes en local (supposons l'ordinateur1) demande une connexion
à un serveur par Internet, le firewall doit appliquer un NAT (Network Address
Translation). Le firewall ré écrit l'adresse source dans le paquet, et l'a
remplace par l'adresse de l'interface externe du firewall; en d'autres mots,
le firewall fait croire que c'est lui même qui initie la connexion. Ceci
est nécessaire afin que l'hôte de destination soit capable de renvoyer les
paquets au firewall (souvenez vous que les paquets qui ont pour adresse de
destination, une adresse réservée par la RFC 1918 ne pourront pas être routés
à travers Internet, donc l'hôte Internet ne pourra adresser sa réponse à
l'ordinateur 1). Lorsque le firewall reçoit le paquet de réponse, il remet
l'adresse de destination à 10.10.10.1 et fait passer le paquet vers l'ordinateur
1. </p>
<p align="left">Sur les systèmes Linux, ce procédé est souvent appelé de
l'IP Masquerading mais vous verrez aussi le terme de Source Network Address
Translation (SNAT) utilisé. Shorewall suit la convention utilisée avec Netfilter
:</p>
<p align="left">Sur les systèmes Linux, ce procédé est souvent appelé de l'IP
Masquerading mais vous verrez aussi le terme de Source Network Address Translation
(SNAT) utilisé. Shorewall suit la convention utilisée avec Netfilter :</p>
<ul>
<li>
@ -508,8 +506,7 @@ RFC-1918, il n'est pas possible pour les clients sur Internet de se connecter
directement à eux. Il est nécessaire à ces clients d'adresser leurs demandes
de connexion au firewall qui ré écrit l'adresse de destination de votre serveur,
et fait passer le paquet à celui-ci. Lorsque votre serveur répond, le firewall
applique automatiquement un SNAT pour ré écrire l'adresse source dans la
réponse.</p>
applique automatiquement un SNAT pour ré écrire l'adresse source dans la réponse.</p>
<p align="left">Ce procédé est appelé Port Forwarding ou Destination Network
Address Translation(DNAT). Vous configurez le port forwarding en utilisant
@ -534,8 +531,7 @@ est :</p>
<tr>
<td>DNAT</td>
<td>net</td>
<td>dmz:<i>&lt;server local ip address&gt; </i>[:<i>&lt;server
port&gt;</i>]</td>
<td>dmz:<i>&lt;server local ip address&gt; </i>[:<i>&lt;server port&gt;</i>]</td>
<td><i>&lt;protocol&gt;</i></td>
<td><i>&lt;port&gt;</i></td>
<td> <br>
@ -633,10 +629,10 @@ http://w.x.y.z:5000</a> o
</table>
</blockquote>
<p>Si vous voulez avoir la possibilité de vous connecter à votre serveur
depuis le réseau local en utilisant votre adresse externe, et si vous avez
une adresse IP externe statique (fixe), vous pouvez remplacer la règle loc-&gt;dmz
précédente par :</p>
<p>Si vous voulez avoir la possibilité de vous connecter à votre serveur depuis
le réseau local en utilisant votre adresse externe, et si vous avez une adresse
IP externe statique (fixe), vous pouvez remplacer la règle loc-&gt;dmz précédente
par :</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -707,8 +703,8 @@ les
</table>
</blockquote>
<p>Si vous voulez accéder à votre serveur dans la DMZ en utilisant votre
adresse IP externe, regardez <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p>
<p>Si vous voulez accéder à votre serveur dans la DMZ en utilisant votre adresse
IP externe, regardez <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p>
<p><img border="0" src="images/BD21298_2.gif" width="13" height="13">
A ce point, ajoutez les règles DNAT et ACCEPT pour vos serveurs..</p>
@ -716,13 +712,13 @@ adresse IP externe, regardez <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p>
<h2 align="left">Domain Name Server (DNS)</h2>
<p align="left">Normalement, quand vous vous connectez à votre fournisseur
(ISP), une partie consiste à obtenir votre adresse IP, votre DNS pour le
firewall (Domain Name Service) est configuré automatiquement (c.a.d., le
fichier /etc/resolv.conf a été écrit). Il arrive que votre provider vous
donne une paire d'adresse IP pour les DNS (name servers) afin que vous configuriez
manuellement votre serveur de nom primaire et secondaire. La manière dont
le DNS est configuré sur votre firewall est de votre responsabilité. Vous
pouvez procéder d'une de ses deux façons :</p>
(ISP), une partie consiste à obtenir votre adresse IP, votre DNS pour le firewall
(Domain Name Service) est configuré automatiquement (c.a.d., le fichier /etc/resolv.conf
a été écrit). Il arrive que votre provider vous donne une paire d'adresse
IP pour les DNS (name servers) afin que vous configuriez manuellement votre
serveur de nom primaire et secondaire. La manière dont le DNS est configuré
sur votre firewall est de votre responsabilité. Vous pouvez procéder d'une
de ses deux façons :</p>
<ul>
<li>
@ -1084,9 +1080,9 @@ particuli
<div align="left">
<p align="left">Important: Je ne vous recommande pas d'autoriser le telnet
depuis ou vers l'Internet car il utilise du texte en clair (même pour le
login et le mot de passe !). Si vous voulez avoir un accès au shell de votre
firewall depuis Internet, utilisez SSH :</p>
depuis ou vers l'Internet car il utilise du texte en clair (même pour le login
et le mot de passe !). Si vous voulez avoir un accès au shell de votre firewall
depuis Internet, utilisez SSH :</p>
</div>
<div align="left">
@ -1168,10 +1164,10 @@ d'h
</div>
<div align="left">
<p align="left">ATTENTION: Si vous êtes connecté à votre firewall depuis
Internet, n'essayez pas une commande "shorewall stop" tant que vous n'avez
pas ajouté une entrée pour votre adresse IP (celle à partir de laquelle vous
êtes connectée) dans <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
<p align="left">ATTENTION: Si vous êtes connecté à votre firewall depuis Internet,
n'essayez pas une commande "shorewall stop" tant que vous n'avez pas ajouté
une entrée pour votre adresse IP (celle à partir de laquelle vous êtes connectée)
dans <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
De la même manière, je ne vous recommande pas d'utiliser "shorewall restart";
il est plus intéressant de créer une <i><a
href="configuration_file_basics.htm#Configs">configuration </a></i><i><a
@ -1204,5 +1200,6 @@ M. Eastep</font></a></p>
<br>
<br>
<br>
<br>
</body>
</html>

195
STABLE/documentation/two-interface.htm
View File

@ -12,7 +12,6 @@
content="text/html; charset=windows-1252">
<title>Two-Interface Firewall</title>
<meta name="Microsoft Theme" content="none">
</head>
<body>
@ -23,8 +22,6 @@
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Basic Two-Interface Firewall</font></h1>
</td>
</tr>
@ -63,19 +60,19 @@ local network.</li>
<p><b>Note however, that the Shorewall configuration produced by Mandrake
Internet Connection Sharing is strange and is apt to confuse you if you use
the rest of this documentation (it has two local zones; "loc" and "masq" where
"loc" is empty; this conflicts with this documentation which assumes a single
local zone "loc"). We therefore recommend that once you have set up this
sharing that you uninstall the Mandrake Shorewall RPM and install the one
from the <a href="download.htm">download page</a> then follow the instructions
in this Guide.</b><br>
the rest of this documentation (it has two local zones; "loc" and "masq"
where "loc" is empty; this conflicts with this documentation which assumes
a single local zone "loc"). We therefore recommend that once you have set
up this sharing that you uninstall the Mandrake Shorewall RPM and install
the one from the <a href="download.htm">download page</a> then follow the
instructions in this Guide.</b><br>
</p>
<p>Shorewall requires that you have the iproute/iproute2 package installed
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can
tell if this package is installed by the presence of an <b>ip</b>
program on your firewall system. As root, you can use the 'which'
command to check for this program:</p>
tell if this package is installed by the presence of an <b>ip</b> program
on your firewall system. As root, you can use the 'which' command
to check for this program:</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
@ -98,11 +95,12 @@ floppy disk, you must run dos2unix against the copy before using it with
Shorewall.</p>
<ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows
Version of dos2unix</a></li>
<li><a
href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version
of dos2unix</a></li>
href="http://www.simtel.net/pub/pd/51438.html">Windows Version of
dos2unix</a></li>
<li><a
href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version of
dos2unix</a></li>
</ul>
@ -110,21 +108,22 @@ of dos2unix</a></li>
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
alt="">
    The configuration files for Shorewall are contained in the directory
/etc/shorewall -- for simple setups, you will only need to deal with
a few of these as described in this guide. After you have <a
    The configuration files for Shorewall are contained in the
directory /etc/shorewall -- for simple setups, you will only need to
deal with a few of these as described in this guide. After you have <a
href="Install.htm">installed Shorewall</a>, <b>download the <a
href="/pub/shorewall/LATEST.samples/two-interfaces.tgz">two-interface sample</a>,
un-tar it (tar -zxvf two-interfaces.tgz) and and copy the files to
/etc/shorewall (these files will replace files with the same name).</b></p>
href="http://www.shorewall.net/pub/shorewall/LATEST.samples/two-interfaces.tgz">two-interface
sample</a>, un-tar it (tar -zxvf two-interfaces.tgz) and and copy
the files to /etc/shorewall (these files will replace files with
the same name).</b></p>
<p>As each file is introduced, I suggest that you look through the actual
file on your system -- each file contains detailed configuration
instructions and default entries.</p>
<p>Shorewall views the network where it is running as being composed of a
set of <i>zones.</i> In the two-interface sample configuration,
the following zone names are used:</p>
set of <i>zones.</i> In the two-interface sample configuration, the
following zone names are used:</p>
<table border="0" style="border-collapse: collapse;" cellpadding="3"
cellspacing="0" id="AutoNumber2">
@ -170,8 +169,8 @@ the <a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li
DROP  the request is first checked against the rules in /etc/shorewall/common
(the samples provide that file for you).</p>
<p>The /etc/shorewall/policy file included with the two-interface sample
has the following policies:</p>
<p>The /etc/shorewall/policy file included with the two-interface sample has
the following policies:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -206,7 +205,6 @@ has the following policies:</p>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
@ -234,7 +232,6 @@ has the following policies:</p>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
@ -262,9 +259,9 @@ firewall to the internet (if you uncomment the additional policy)</li>
height="635">
</p>
<p align="left">The firewall has two network interfaces. Where Internet connectivity
is through a cable or DSL "Modem", the <i>External Interface</i> will be
the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>) 
<p align="left">The firewall has two network interfaces. Where Internet
connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
will be the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>) 
<u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol
over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint
<u>T</u>unneling <u>P</u>rotocol </i>(PPTP) in which case the External
@ -280,9 +277,9 @@ the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>)
<p align="left">Your <i>Internal Interface</i> will be an ethernet adapter
(eth1 or eth0) and will be connected to a hub or switch. Your other
computers will be connected to the same hub/switch (note: If you
have only a single internal system, you can connect the firewall
directly to the computer using a <i>cross-over </i> cable).</p>
computers will be connected to the same hub/switch (note: If you have
only a single internal system, you can connect the firewall directly
to the computer using a <i>cross-over </i> cable).</p>
<p align="left"><u><b> <img border="0" src="images/j0213519.gif"
width="60" height="60">
@ -295,20 +292,18 @@ directly to the computer using a <i>cross-over </i> cable).</p>
width="13" height="13">
    The Shorewall two-interface sample configuration assumes
that the external interface is <b>eth0</b> and the internal interface
is <b>eth1</b>. If your configuration is different, you will have
to modify the sample <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
file accordingly. While you are there, you may wish to review the list
of options that are specified for the interfaces. Some hints:</p>
is <b>eth1</b>. If your configuration is different, you will have to
modify the sample <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
file accordingly. While you are there, you may wish to review the
list of options that are specified for the interfaces. Some hints:</p>
<ul>
<li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>,
you can replace the "detect" in the second column with "-".
</p>
</li>
<li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>
or if you have a static IP address, you can remove "dhcp" from
the option list. </p>
@ -326,8 +321,8 @@ establishing your connection when you dial in (standard modem) or establish
your PPP connection. In rare cases, your ISP may assign you a<i> static</i>
IP address; that means that you configure your firewall's external interface
to use that address permanently.<i> </i>However your external address
is assigned, it will be shared by all of your systems when you access
the Internet. You will have to assign your own addresses in your internal
is assigned, it will be shared by all of your systems when you access the
Internet. You will have to assign your own addresses in your internal
network (the Internal Interface on your firewall plus your other computers).
RFC 1918 reserves several <i>Private </i>IP address ranges for this purpose:</p>
@ -347,8 +342,8 @@ IP address of your external interface and if it is one of the above
<div align="left">
<p align="left">You will want to assign your addresses from the same <i>
sub-network </i>(<i>subnet)</i>.  For our purposes, we can consider a subnet
to consists of a range of addresses x.y.z.0 - x.y.z.255. Such
a subnet will have a <i>Subnet Mask </i>of 255.255.255.0. The address
to consists of a range of addresses x.y.z.0 - x.y.z.255. Such a
subnet will have a <i>Subnet Mask </i>of 255.255.255.0. The address
x.y.z.0 is reserved as the <i>Subnet Address</i> and x.y.z.255 is
reserved as the <i>Subnet Broadcast</i> <i>Address</i>. In Shorewall,
a subnet is described using <a
@ -384,7 +379,6 @@ bits from the left of the subnet mask. </p>
<td>10.10.10.0/24</td>
</tr>
</tbody>
</table>
</blockquote>
@ -431,22 +425,22 @@ Thomas A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13" alt="">
    <font color="#ff0000"><b>WARNING: </b></font><b>Your ISP might assign
your external interface an RFC 1918 address. If that address is in the
10.10.10.0/24 subnet then you will need to select a DIFFERENT RFC 1918
subnet for your local network.</b><br>
your external interface an RFC 1918 address. If that address is in the 10.10.10.0/24
subnet then you will need to select a DIFFERENT RFC 1918 subnet for your
local network.</b><br>
</p>
<h2 align="left">IP Masquerading (SNAT)</h2>
<p align="left">The addresses reserved by RFC 1918 are sometimes referred
to as <i>non-routable</i> because the Internet backbone routers don't
forward packets which have an RFC-1918 destination address. When
one of your local systems (let's assume computer 1) sends a connection
request to an internet host, the firewall must perform <i>Network
Address Translation </i>(NAT). The firewall rewrites the source address
in the packet to be the address of the firewall's external interface;
in other words, the firewall makes it look as if the firewall itself
is initiating the connection.  This is necessary so that the destination
forward packets which have an RFC-1918 destination address. When one
of your local systems (let's assume computer 1) sends a connection
request to an internet host, the firewall must perform <i>Network Address
Translation </i>(NAT). The firewall rewrites the source address in
the packet to be the address of the firewall's external interface; in
other words, the firewall makes it look as if the firewall itself is
initiating the connection.  This is necessary so that the destination
host will be able to route return packets back to the firewall (remember
that packets whose destination address is reserved by RFC 1918 can't
be routed across the internet so the remote host can't address its response
@ -454,20 +448,18 @@ is initiating the connection.
the destination address back to 10.10.10.1 and forwards the packet on
to computer 1. </p>
<p align="left">On Linux systems, the above process is often referred to
as<i> IP Masquerading</i> but you will also see the term <i>Source Network
Address Translation </i>(SNAT) used. Shorewall follows the convention used
with Netfilter:</p>
<p align="left">On Linux systems, the above process is often referred to as<i>
IP Masquerading</i> but you will also see the term <i>Source Network Address
Translation </i>(SNAT) used. Shorewall follows the convention used with
Netfilter:</p>
<ul>
<li>
<p align="left"><i>Masquerade</i> describes the case where you let your
firewall system automatically detect the external interface address.
</p>
</li>
<li>
<p align="left"><i>SNAT</i> refers to the case when you explicitly specify
the source address that you want outbound packets from your local
network to use. </p>
@ -481,22 +473,22 @@ with Netfilter:</p>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13">
    If your external firewall interface is <b>eth0</b>, you
do not need to modify the file provided with the sample. Otherwise,
edit /etc/shorewall/masq and change the first column to the name of
your external interface and the second column to the name of your internal
interface.</p>
    If your external firewall interface is <b>eth0</b>,
you do not need to modify the file provided with the sample. Otherwise,
edit /etc/shorewall/masq and change the first column to the name
of your external interface and the second column to the name of your
internal interface.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13">
    If your external IP is static, you can enter it in the
third column in the /etc/shorewall/masq entry if you like although
    If your external IP is static, you can enter it in
the third column in the /etc/shorewall/masq entry if you like although
your firewall will work fine if you leave that column empty. Entering
your static IP in column 3 makes processing outgoing packets a little
more efficient.<br>
<br>
<img border="0" src="images/BD21298_.gif" width="13" height="13"
alt="">
<img border="0" src="images/BD21298_.gif" width="13"
height="13" alt="">
    If you are using the Debian package, please check your shorewall.conf
file to ensure that the following are set correctly; if they are not,
change them appropriately:<br>
@ -513,12 +505,12 @@ change them appropriately:<br>
<p align="left">One of your goals may be to run one or more servers on your
local computers. Because these computers have RFC-1918 addresses,
it is not possible for clients on the internet to connect directly
to them. It is rather necessary for those clients to address their
connection requests to the firewall who rewrites the destination address
to the address of your server and forwards the packet to that server.
When your server responds, the firewall automatically performs SNAT
to rewrite the source address in the response.</p>
it is not possible for clients on the internet to connect directly to
them. It is rather necessary for those clients to address their connection
requests to the firewall who rewrites the destination address to the
address of your server and forwards the packet to that server. When
your server responds, the firewall automatically performs SNAT to rewrite
the source address in the response.</p>
<p align="left">The above process is called<i> Port Forwarding</i> or <i>
Destination Network Address Translation</i> (DNAT). You configure
@ -551,7 +543,6 @@ port forwarding using DNAT rules in the /etc/shorewall/rules file.</p>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
@ -582,7 +573,6 @@ port forwarding using DNAT rules in the /etc/shorewall/rules file.</p>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
@ -592,9 +582,9 @@ port forwarding using DNAT rules in the /etc/shorewall/rules file.</p>
<ul>
<li>You must test the above rule from a client outside
of your local network (i.e., don't test from a browser running on
computers 1 or 2 or on the firewall). If you want to be able to access
your web server using the IP address of your external interface, see
<a href="FAQ.htm#faq2">Shorewall FAQ #2</a>.</li>
computers 1 or 2 or on the firewall). If you want to be able to
access your web server using the IP address of your external interface,
see <a href="FAQ.htm#faq2">Shorewall FAQ #2</a>.</li>
<li>Many ISPs block incoming connection requests to port
80. If you have problems connecting to your web server, try the
following rule and try connecting to port 5000.</li>
@ -624,7 +614,6 @@ following rule and try connecting to port 5000.</li>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
@ -646,7 +635,6 @@ as your primary and secondary name servers. Regardless of how DNS gets
<ul>
<li>
<p align="left">You can configure your internal systems to use your ISP's
name servers. If you ISP gave you the addresses of their servers
or if those addresses are available on their web site, you can configure
@ -656,19 +644,18 @@ as your primary and secondary name servers. Regardless of how DNS gets
</p>
</li>
<li>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13">
    You can configure a<i> Caching Name Server </i>on your
firewall.<i> </i>Red Hat has an RPM for a caching name server
(the RPM also requires the 'bind' RPM) and for Bering users, there
is dnscache.lrp. If you take this approach, you configure your internal
systems to use the firewall itself as their primary (and only) name server.
You use the internal IP address of the firewall (10.10.10.254 in the
example above) for the name server address. To allow your local systems
to talk to your caching name server, you must open port 53 (both UDP
and TCP) from the local network to the firewall; you do that by adding
the following rules in /etc/shorewall/rules. </p>
systems to use the firewall itself as their primary (and only) name
server. You use the internal IP address of the firewall (10.10.10.254
in the example above) for the name server address. To allow your
local systems to talk to your caching name server, you must open port
53 (both UDP and TCP) from the local network to the firewall; you
do that by adding the following rules in /etc/shorewall/rules. </p>
</li>
</ul>
@ -705,7 +692,6 @@ as your primary and secondary name servers. Regardless of how DNS gets
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
@ -751,7 +737,6 @@ as your primary and secondary name servers. Regardless of how DNS gets
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
@ -791,7 +776,6 @@ as your primary and secondary name servers. Regardless of how DNS gets
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
@ -831,7 +815,6 @@ as your primary and secondary name servers. Regardless of how DNS gets
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
@ -875,7 +858,6 @@ as your primary and secondary name servers. Regardless of how DNS gets
<td>from the local network</td>
</tr>
</tbody>
</table>
</blockquote>
@ -888,14 +870,14 @@ your firewall"</p>
</div>
<div align="left">
<p align="left">If you don't know what port and protocol a particular
application uses, look <a href="ports.htm">here</a>.</p>
<p align="left">If you don't know what port and protocol a particular application
uses, look <a href="ports.htm">here</a>.</p>
</div>
<div align="left">
<p align="left"><b>Important: </b>I don't recommend enabling telnet to/from
the internet because it uses clear text (even for login!). If
you want shell access to your firewall from the internet, use SSH:</p>
the internet because it uses clear text (even for login!). If you
want shell access to your firewall from the internet, use SSH:</p>
</div>
<div align="left">
@ -922,7 +904,6 @@ you want shell access to your firewall from the internet, use SSH:</p>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
@ -972,7 +953,6 @@ you want shell access to your firewall from the internet, use SSH:</p>
</td>
</tr>
</tbody>
</table>
</blockquote>
@ -994,8 +974,8 @@ delete other connections as required.</p>
    The <a href="Install.htm">installation procedure </a>
configures your system to start Shorewall at system boot  but beginning
with Shorewall version 1.3.9 startup is disabled so that your system
won't try to start Shorewall before configuration is complete. Once
you have completed configuration of your firewall, you can enable Shorewall
won't try to start Shorewall before configuration is complete. Once you
have completed configuration of your firewall, you can enable Shorewall
startup by removing the file /etc/shorewall/startup_disabled.<br>
</p>
@ -1020,8 +1000,8 @@ you have completed configuration of your firewall, you can enable Shorewall
height="13">
    The two-interface sample assumes that you want to enable
routing to/from <b>eth1 </b>(the local network) when Shorewall is
stopped. If your local network isn't connected to <b>eth1</b> or if
you wish to enable access to/from other hosts, change /etc/shorewall/routestopped
stopped. If your local network isn't connected to <b>eth1</b> or if you
wish to enable access to/from other hosts, change /etc/shorewall/routestopped
accordingly.</p>
</div>
@ -1030,8 +1010,8 @@ you wish to enable access to/from other hosts, change /etc/shorewall/rou
the internet, do not issue a "shorewall stop" command unless you
have added an entry for the IP address that you are connected from
to <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better to
create an <i><a href="configuration_file_basics.htm#Configs">alternate
Also, I don't recommend using "shorewall restart"; it is better to create
an <i><a href="configuration_file_basics.htm#Configs">alternate
configuration</a></i> and test it using the <a
href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p>
</div>
@ -1044,5 +1024,6 @@ configuration</a></i> and test it using the <a
</p>
<br>
<br>
<br>
</body>
</html>

845
STABLE/documentation/two-interface_fr.html
View File

File diff suppressed because it is too large Load Diff

195
STABLE/documentation/upgrade_issues.htm
View File

@ -6,12 +6,10 @@
content="text/html; charset=windows-1252">
<title>Upgrade Issues</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none">
</head>
<body>
@ -22,8 +20,6 @@
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Upgrade Issues</font></h1>
</td>
</tr>
@ -31,7 +27,6 @@
</tbody>
</table>
<p>For upgrade instructions see the <a
href="Install.htm">Install/Upgrade page</a>.<br>
</p>
@ -40,32 +35,45 @@
version number mentioned in the section title is later than what you are
currently running.<br>
</p>
<p> In the descriptions that follows, the term <b><i>group </i></b>refers
to a particular network or subnetwork (which may be 0.0.0.0/0 or it may
be a host address) accessed through a particular interface.<br>
</p>
<p>Examples:<br>
    <br>
    eth0:0.0.0.0/0<br>
    eth2:192.168.1.0/24<br>
    eth3:192.0.2.123<br>
</p>
<h3> </h3>
<h3>Version &gt;= 1.4.2</h3>
There are some cases where you may want to handle traffic from a particular
group to itself. While I personally think that such a setups are ridiculous,
there are two cases covered in this documentation where it can occur:<br>
<ol>
<li><a href="FAQ.htm#faq2">In FAQ #2</a>.</li>
<li><a href="Shorewall_Squid_Usage.html">When running Squid as a transparent
proxy in your local zone.</a></li>
</ol>
If you have either of these cases, you will want to review the current documentation
and change your configuration accordingly.<br>
<h3>Version &gt;= 1.4.1</h3>
In the description that follows, the term <i>group </i>refers to a particular
network or subnetwork (which may be 0.0.0.0/0 or it may be a host address)
accessed through a particular interface. Examples:<br>
<blockquote>eth0:0.0.0.0/0<br>
eth2:192.168.1.0/24<br>
eth3:192.0.2.123<br>
</blockquote>
You can use the "shorewall check" command to see the groups associated with
each of your zones.<br>
<br>
<ul>
<li>Beginning with Version 1.4.1, traffic between groups in the same
zone is accepted by default. Previously, traffic from a zone to itself was
treated just like any other traffic; any matching rules were applied followed
by enforcement of the appropriate policy. With 1.4.1 and later versions,
unless you have explicit rules for traffic from Z to Z or you have an explicit
Z to Z policy (where "Z" is some zone) then traffic between the groups in
zone Z will be accepted. If you do have one or more explicit rules for Z
to Z or if you have an explicit Z to Z policy then the behavior is as it
was in prior versions.</li>
zone is accepted by default. Previously, traffic from a zone to itself
was treated just like any other traffic; any matching rules were applied
followed by enforcement of the appropriate policy. With 1.4.1 and later
versions, unless you have explicit rules for traffic from Z to Z or you
have an explicit Z to Z policy (where "Z" is some zone) then traffic between
the groups in zone Z will be accepted. If you do have one or more explicit
rules for Z to Z or if you have an explicit Z to Z policy then the behavior
is as it was in prior versions.</li>
</ul>
@ -86,10 +94,10 @@ add an explicit DROP or REJECT policy for Z to Z.<br>
</blockquote>
<ul>
<li>Beginning with Version 1.4.1, Shorewall will never create rules to
deal with traffic from a given group back to itself. The <i>multi</i> interface
option is no longer available so if you want to route traffic between two
subnetworks on the same interface then either:</li>
<li>Beginning with Version 1.4.1, Shorewall will never create rules
to deal with traffic from a given group back to itself. The <i>multi</i>
interface option is no longer available so if you want to route traffic between
two subnetworks on the same interface then either:</li>
</ul>
@ -101,6 +109,11 @@ subnetworks on the same interface then either:</li>
</ol>
</blockquote>
If you use the technique described in FAQ 2 to send local requests addressed
to your firewall's external address back to a local server then you need to
change your configuration to match <a href="FAQ.htm#faq2">the new version
of FAQ #2.<br>
</a><br>
Example 1 -- Two zones:<br>
<blockquote>
@ -114,18 +127,19 @@ subnetworks on the same interface then either:</li>
traffic is accepted by default. The second technique is preferable if you
want unlimited access between the two subnetworks.<br>
<br>
Sometimes, you want two separate zones on one interface but you don't want
Shorewall to set up any infrastructure to handle traffic between them. <br>
Sometimes, you want two separate zones on one interface but you don't
want Shorewall to set up any infrastructure to handle traffic between them.
<br>
<br>
Example:<br>
<blockquote>
<pre>/etc/shorewall/zones<br><br>z1 Zone1 The first Zone<br>z2 Zone2 The secont Zone<br><br>/etc/shorewall/interfaces<br><br>z2 eth1 192.168.1.255<br><br>/etc/shorewall/hosts<br><br>z1 eth1:192.168.1.3<br></pre>
</blockquote>
Here, zone z1 is nested in zone z2 and the firewall is not going to be involved
in any traffic between these two zones. Beginning with Shorewall 1.4.1, you
can prevent Shorewall from setting up any infrastructure to handle traffic
between z1 and z2 by using the new NONE policy:<br>
Here, zone z1 is nested in zone z2 and the firewall is not going to be
involved in any traffic between these two zones. Beginning with Shorewall
1.4.1, you can prevent Shorewall from setting up any infrastructure to handle
traffic between z1 and z2 by using the new NONE policy:<br>
<blockquote>
<pre>/etc/shorewall/policy<br><pre>z1 z2 NONE<br>z2 z1 NONE</pre></pre>
@ -143,8 +157,8 @@ and you are using a NONE polciy in the other direction.
     error: failed dependencies:iproute is needed by shorewall-1.4.0-1
<br>
<br>
This may be worked around by using the --nodeps option of rpm (rpm -Uvh
--nodeps &lt;shorewall rpm&gt;).<br>
This may be worked around by using the --nodeps option of rpm (rpm
-Uvh --nodeps &lt;shorewall rpm&gt;).<br>
<br>
If you are upgrading from a version &lt; 1.4.0, then:<br>
@ -157,20 +171,20 @@ are no longer supported nor is the <b>FORWARDPING </b>option in shorewall.con
in /etc/shorewall/interfaces now generate a Shorewall error at startup
(they always have produced warnings in iptables).</li>
<li>The MERGE_HOSTS variable has been removed from shorewall.conf.
Shorewall 1.4 behaves like 1.3 did when MERGE_HOSTS=Yes; that is zone contents
are determined by BOTH the interfaces and hosts files when there are entries
for the zone in both files.</li>
Shorewall 1.4 behaves like 1.3 did when MERGE_HOSTS=Yes; that is zone
contents are determined by BOTH the interfaces and hosts files when there
are entries for the zone in both files.</li>
<li>The <b>routestopped</b> option in the interfaces and hosts
file has been eliminated; use entries in the routestopped file instead.</li>
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no
longer accepted; you must convert to using the new syntax.</li>
<li value="6">The ALLOWRELATED variable in shorewall.conf is no
longer supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.</li>
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is
no longer accepted; you must convert to using the new syntax.</li>
<li value="6">The ALLOWRELATED variable in shorewall.conf is
no longer supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.</li>
<li value="6">Late-arriving DNS replies are now dropped by default;
there is no need for your own /etc/shorewall/common file simply to avoid
logging these packets.</li>
<li value="6">The 'firewall', 'functions' and 'version' file have
been moved to /usr/share/shorewall.</li>
<li value="6">The 'firewall', 'functions' and 'version' file
have been moved to /usr/share/shorewall.</li>
<li value="6">The icmp.def file has been removed. If you include
it from /etc/shorewall/icmpdef, you will need to modify that file.</li>
@ -190,36 +204,37 @@ longer accepted; you must convert to using the new syntax.</li>
<h3>Version 1.4.0</h3>
<ul>
<li value="8">The 'multi' interface option is no longer supported.  Shorewall
will generate rules for sending packets back out the same interface that
they arrived on in two cases:</li>
<li value="8">The 'multi' interface option is no longer supported.
 Shorewall will generate rules for sending packets back out the same
interface that they arrived on in two cases:</li>
</ul>
<blockquote>
<ul>
<li>There is an <u>explicit</u> policy for the source zone to or from
the destination zone. An explicit policy names both zones and does not
use the 'all' reserved word.</li>
<li>There is an <u>explicit</u> policy for the source zone to or
from the destination zone. An explicit policy names both zones and does
not use the 'all' reserved word.</li>
</ul>
<ul>
<li>There are one or more rules for traffic for the source zone to
or from the destination zone including rules that use the 'all' reserved
word. Exception: if the source zone and destination zone are the same then
the rule must be explicit - it must name the zone in both the SOURCE and
DESTINATION columns.</li>
word. Exception: if the source zone and destination zone are the same
then the rule must be explicit - it must name the zone in both the SOURCE
and DESTINATION columns.</li>
</ul>
</blockquote>
<h3>Version &gt;= 1.3.14</h3>
<img src="images/BD21298_3.gif" alt="" width="13" height="13">
     Beginning in version 1.3.14, Shorewall treats entries in <a
href="Documentation.htm#Masq">/etc/shorewall/masq </a>differently. The change
involves entries with an <b>interface name</b> in the <b>SUBNET</b> (second)
<b>column</b>:<br>
<img src="images/BD21298_3.gif" alt="" width="13"
height="13">
     Beginning in version 1.3.14, Shorewall treats entries in
<a href="Documentation.htm#Masq">/etc/shorewall/masq </a>differently. The
change involves entries with an <b>interface name</b> in the <b>SUBNET</b>
(second) <b>column</b>:<br>
<ul>
<li>Prior to 1.3.14, Shorewall would detect the FIRST subnet
@ -243,7 +258,8 @@ an interface name in the SUBNET (second) column; and</li>
</ol>
Two examples:<br>
<br>
 <b>Example 1</b> -- Suppose that your current config is as follows:<br>
 <b>Example 1</b> -- Suppose that your current config is as
follows:<br>
   <br>
<pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> eth0                    192.168.10.0/24         206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br> [root@gateway test]#</pre>
@ -261,7 +277,8 @@ this?<br>
</blockquote>
<pre> #INTERFACE              SUBNET                  ADDRESS <br> eth0                    192.168.1.0/24          206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<img src="images/BD21298_3.gif" alt="" width="13" height="13">
<img src="images/BD21298_3.gif" alt="" width="13"
height="13">
    Version 1.3.14 also introduced simplified ICMP echo-request
(ping) handling. The option OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf
is used to specify that the old (pre-1.3.14) ping handling is to be
@ -290,38 +307,36 @@ application will need to be changed to reflect this change of location.<br>
<p>If you have a pair of firewall systems configured for failover
or if you have asymmetric routing, you will need to modify
your firewall setup slightly under Shorewall
versions &gt;= 1.3.8. Beginning with version
1.3.8, you must set NEWNOTSYN=Yes in
your /etc/shorewall/shorewall.conf file.</p>
versions &gt;= 1.3.8. Beginning with version 1.3.8,
you must set NEWNOTSYN=Yes in your
/etc/shorewall/shorewall.conf file.</p>
<h3>Version &gt;= 1.3.7</h3>
<p>Users specifying ALLOWRELATED=No in /etc/shorewall.conf
will need to include the following
rules in their /etc/shorewall/icmpdef
file (creating this file if necessary):</p>
rules in their /etc/shorewall/icmpdef file (creating this
file if necessary):</p>
<pre> run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT</pre>
<p>Users having an /etc/shorewall/icmpdef file may remove the ". /etc/shorewall/icmp.def"
command from that file since the icmp.def file is now empty.</p>
<h3><b><a name="Bering">Upgrading </a>Bering to
Shorewall &gt;= 1.3.3</b></h3>
<h3><b><a name="Bering">Upgrading </a>Bering to Shorewall &gt;= 1.3.3</b></h3>
<p>To properly upgrade with Shorewall version
1.3.3 and later:</p>
<p>To properly upgrade with Shorewall version 1.3.3 and later:</p>
<ol>
<li>Be sure you have a backup
-- you will need to transcribe any
Shorewall configuration changes that
you have made to the new configuration.</li>
<li>Be sure you have a
backup -- you will need to transcribe
any Shorewall configuration changes
that you have made to the new configuration.</li>
<li>Replace the shorwall.lrp
package provided on the Bering floppy
with the later one. If you did not
obtain the later version from Jacques's
site, see additional instructions below.</li>
obtain the later version from Jacques's site, see additional instructions
below.</li>
<li>Edit the /var/lib/lrpkg/root.exclude.list
file and remove the /var/lib/shorewall
entry if present. Then do not forget
@ -342,30 +357,28 @@ to add the following two Bering-specific rules to /etc/shorewall/rules:<
<p align="left">If you have a pair of firewall systems configured for
failover or if you have asymmetric routing, you will need to modify
your firewall setup slightly under Shorewall versions
1.3.6 and 1.3.7</p>
your firewall setup slightly under Shorewall versions 1.3.6
and 1.3.7</p>
<ol>
<li>
<p align="left">Create the file /etc/shorewall/newnotsyn and in it add
the following rule<br>
<br>
<font face="Courier">run_iptables -A newnotsyn
-j RETURN # So that the connection tracking table can be
rebuilt<br>
                                    # from non-SYN
packets after takeover.<br>
                                    # from
non-SYN packets after takeover.<br>
 </font> </p>
</li>
<li>
<p align="left">Create /etc/shorewall/common (if you don't already
have that file) and include the following:<br>
<br>
<font face="Courier">run_iptables -A common -p
tcp --tcp-flags ACK,FIN,RST ACK -j ACCEPT #Accept Acks to
rebuild connection<br>
<font face="Courier">run_iptables -A common
-p tcp --tcp-flags ACK,FIN,RST ACK -j ACCEPT #Accept Acks
to rebuild connection<br>
                                                                   
#tracking table. <br>
. /etc/shorewall/common.def</font> </p>
@ -375,8 +388,8 @@ rebuild connection<br>
<h3 align="left">Versions &gt;= 1.3.5</h3>
<p align="left">Some forms of pre-1.3.0 rules file syntax are no
longer supported. </p>
<p align="left">Some forms of pre-1.3.0 rules file syntax are no longer
supported. </p>
<p align="left">Example 1:</p>
@ -408,19 +421,17 @@ rebuild connection<br>
<h3 align="left">Version &gt;= 1.3.2</h3>
<p align="left">The functions and versions files together with the
'firewall' symbolic link have moved from /etc/shorewall to /var/lib/shorewall.
If you have applications that access these files, those
applications should be modified accordingly.</p>
<p align="left">The functions and versions files together with the 'firewall'
symbolic link have moved from /etc/shorewall to /var/lib/shorewall.
If you have applications that access these files, those applications
should be modified accordingly.</p>
<p><font size="2"> Last updated 3/18/2003 -
<a href="support.htm">Tom Eastep</a></font> </p>
<p><font size="2"> Last updated 4/7/2003 - <a href="support.htm">Tom Eastep</a></font>
</p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p>
<br>
<br>
<br>
</body>
</html>

2
STABLE/fallback.sh
View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=1.4.1
VERSION=1.4.2
usage() # $1 = exit status
{

38
STABLE/firewall
View File

@ -542,6 +542,9 @@ determine_hosts() {
interfaces="$interfaces $interface"
fi
fi
[ "${host#*:}" = "0.0.0.0/0" ] || \
eval ${zone}_is_complex=Yes
done
eval ${zone}_interfaces="\$interfaces"
@ -605,6 +608,10 @@ validate_interfaces_file() {
;;
routefilter|dropunclean|logunclean|blacklist|proxyarp|maclist|-)
;;
routeback)
[ -n "$z" ] || startup_error "The routeback option may not be specified on a multi-zone interface"
eval ${z}_routeback=\"$interface:0.0.0.0/0 \$${z}_routeback\"
;;
*)
error_message "Warning: Invalid option ($option) in record \"$r\""
;;
@ -635,6 +642,9 @@ validate_hosts_file() {
case $option in
maclist|-)
;;
routeback)
eval ${z}_routeback=\"$host \$${z}_routeback\"
;;
*)
error_message "Warning: Invalid option ($option) in record \"$r\""
;;
@ -3185,13 +3195,14 @@ initialize_netfilter () {
setcontinue FORWARD
setcontinue INPUT
setcontinue OUTPUT
#
# Allow DNS lookups during startup for FQDNs and deep-six INVALID packets
#
for chain in INPUT OUTPUT FORWARD; do
run_iptables -A $chain -p udp --dport 53 -j ACCEPT
run_iptables -A $chain -m state --state INVALID -j DROP
run_iptables -A $chain -p ! icmp -m state --state INVALID -j DROP
done
[ -n "$CLAMPMSS" ] && \
@ -3661,6 +3672,13 @@ activate_rules()
chain1=`rules_chain $FW $zone`
chain2=`rules_chain $zone $FW`
eval complex=\$${zone}_is_complex
if [ -n "$complex" ]; then
frwd_chain=${zone}_frwd
createchain $frwd_chain No
fi
echo "$FW $zone $chain1" >> ${STATEDIR}/chains
echo "$zone $FW $chain2" >> ${STATEDIR}/chains
@ -3678,6 +3696,8 @@ activate_rules()
run_iptables -A `input_chain $interface` -s $subnet -j $chain2
[ -n "$complex" ] && \
run_iptables -A `forward_chain $interface` -s $subnet -j $frwd_chain
done
for zone1 in $zones; do
@ -3692,17 +3712,27 @@ activate_rules()
echo "$zone $zone1 $chain" >> ${STATEDIR}/chains
if [ $zone = $zone1 ]; then
eval routeback=\"\$${zone}_routeback\"
else
routeback=
fi
for host in $source_hosts; do
interface=${host%:*}
subnet=${host#*:}
if [ -n "$complex" ]; then
chain1=$frwd_chain
else
chain1=`forward_chain $interface`
fi
for host1 in $dest_hosts; do
interface1=${host1%:*}
subnet1=${host1#*:}
if [ "$host" != "$host1" ]; then
run_iptables -A $chain1 -s $subnet -o $interface1 -d $subnet1 -j $chain
if [ "$host" != "$host1" ] || list_search $host $routeback; then
run_iptables -A $chain1 -o $interface1 -d $subnet1 -j $chain
fi
done
done

30
STABLE/functions
View File

@ -181,6 +181,34 @@ mutex_off()
rm -f $STATEDIR/lock
}
#
# Read a file and handle "INCLUDE" directives
#
read_file() # $1 = file name, $2 = nest count
{
local first rest
while read first rest; do
if [ "x$first" = "xINCLUDE" ]; then
if [ $2 -lt 4 ]; then
read_file `find_file ${rest%#*}` $(($2 + 1))
else
echo " WARNING: INCLUDE in $1 ignored (nested too deeply)" >&2
fi
else
echo "$first $rest"
fi
done < $1
}
#
# Function for including one file into another
#
INCLUDE() {
. `find_file $@`
}
#
# Strip comments and blank lines from a file and place the result in the
# temporary directory
@ -192,7 +220,7 @@ strip_file() # $1 = Base Name of the file, $2 = Full Name of File (optional)
[ $# = 1 ] && fname=`find_file $1` || fname=$2
if [ -f $fname ]; then
cut -d'#' -f1 $fname | grep -v '^[[:space:]]*$' > $TMP_DIR/$1
read_file $fname 0 | cut -d'#' -f1 | grep -v '^[[:space:]]*$' > $TMP_DIR/$1
else
> $TMP_DIR/$1
fi

9
STABLE/hosts
View File

@ -44,6 +44,15 @@
# an ethernet NIC and must be up before
# Shorewall is started.
#
# routeback - Shorewall show set up the infrastructure
# to pass packets from this/these
# address(es) back to themselves. This is
# necessary of hosts in this group use the
# services of a transparent proxy that is
# a member of the group or if DNAT is used
# to send requests originating from this
# group to a server in the group.
#
#
#ZONE HOST(S) OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE

2
STABLE/install.sh
View File

@ -54,7 +54,7 @@
# /etc/rc.d/rc.local file is modified to start the firewall.
#
VERSION=1.4.1
VERSION=1.4.2
usage() # $1 = exit status
{

93
STABLE/releasenotes.txt
View File

@ -1,19 +1,90 @@
This is a minor release of Shorewall.
This release introduces incompatibilities with prior releases. See
http://www.shorewall.net/upgrade_issues.htm.
Problems Corrected:
Changes are:
1) TCP connection requests rejected out of the common chain are now
properly rejected with TCP RST; previously, some of these requests
were rejeced with an ICMP port-unreachable response.
a) There is now a new NONE policy specifiable in
/etc/shorewall/policy. This policy will cause Shorewall to assume that
there will never be any traffic between the source and destination
zones.
2) 'traceroute -I' from behind the firewall previously timed out on the
first hop (e.g., to the firewall). This has been worked around.
b) Shorewall no longer creates rules to govern traffic from an
interface:subnet to itself.
New Features:
c) Intra-zone traffic is always accepted now (exception is (b)
above).. Intrazone policies and rules are no longer allowed.
1) Where an entry in the/etc/shorewall/hosts file specifies a
particular host or network, Shorewall now creates an intermediate
chain for handling input from the related zone. This can
substantially reduce the number of rules traversed by connections
requests from such zones.
2) Any file may include an INCLUDE directive. An INCLUDE directive
consists of the word INCLUDE followed by a file name and causes the
contents of the named file to be logically included into the file
containing the INCLUDE. File names given in an INCLUDE directive
are assumed to reside in /etc/shorewall or in an alternate
configuration directory if one has been specified for the command.
Examples:
shorewall/params.mgmt:
MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3
TIME_SERVERS=4.4.4.4
BACKUP_SERVERS=5.5.5.5
----- end params.mgmt -----
shorewall/params:
# Shorewall 1.3 /etc/shorewall/params
[..]
#######################################
INCLUDE params.mgmt
# params unique to this host here
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
----- end params -----
shorewall/rules.mgmt:
ACCEPT net:$MGMT_SERVERS $FW tcp 22
ACCEPT $FW net:$TIME_SERVERS udp 123
ACCEPT $FW net:$BACKUP_SERVERS tcp 22
----- end rules.mgmt -----
shorewall/rules:
# Shorewall version 1.3 - Rules File
[..]
#######################################
INCLUDE rules.mgmt
# rules unique to this host here
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
----- end rules -----
INCLUDE's may be nested to a level of 3 -- further nested INCLUDE
directives are ignored.
3) Routing traffic from an interface back out that interface continues
to be a problem. While I firmly believe that this should never
happen, people continue to want to do it. To limit the damage that
such nonsense produces, I have added a new 'routeback' option in
/etc/shorewall/interfaces and /etc/shorewall/hosts. When used in
/etc/shorewall/interfaces, the 'ZONE' column may not contain '-'; in
other words, 'routeback' can't be used as an option for a multi-zone
interface. The 'routeback' option CAN be specified however on
individual group entries in /etc/shorewall/hosts.
The 'routeback' option is similar to the old 'multi' option with two
exceptions:
a) The option pertains to a particular zone,interface,address tuple.
b) The option only created infrastructure to pass traffic from
(zone,interface,address) tuples back to themselves (the 'multi'
option affected all (zone,interface,address) tuples associated with
the given 'interface').
See the 'Upgrade Issues' for information about how this new option
may affect your configuration.

4
STABLE/shorewall.spec
View File

@ -1,5 +1,5 @@
%define name shorewall
%define version 1.4.1
%define version 1.4.2
%define release 1
%define prefix /usr
@ -105,6 +105,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog
* Mon Apr 07 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.2-1
* Fri Mar 21 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.1-1
* Mon Mar 17 2003 Tom Eastep <tom@shorewall.net>

2
STABLE/uninstall.sh
View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall
VERSION=1.4.1
VERSION=1.4.2
usage() # $1 = exit status
{

1919
Shorewall-docs/Documentation.htm
View File

File diff suppressed because it is too large Load Diff

719
Shorewall-docs/FAQ.htm
View File

File diff suppressed because it is too large Load Diff

48
Shorewall-docs/Install.htm
View File

@ -27,7 +27,14 @@
</table>
<p align="center"><b>Before upgrading, be sure to review the <a
href="upgrade_issues.htm">Upgrade Issues</a></b></p>
href="upgrade_issues.htm">Upgrade Issues<br>
</a></b></p>
<div align="left"><b>Before attempting installation, I strongly urge you to
read and print a copy of the <a
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
for the configuration that most closely matches your own.</b><br>
</div>
<p><font size="4"><b><a href="#Install_RPM">Install using RPM</a><br>
<a href="#Install_Tarball">Install using tarball<br>
@ -63,8 +70,8 @@ diagnostic:<br>
     error: failed dependencies:iproute is needed by shorewall-1.4.0-1
<br>
<br>
This may be worked around by using the --nodeps option of rpm (rpm -ivh --nodeps
&lt;shorewall rpm&gt;).<br>
This may be worked around by using the --nodeps option of rpm (rpm -ivh
--nodeps &lt;shorewall rpm&gt;).<br>
<br>
</li>
<li>Edit the <a href="#Config_Files"> configuration files</a> to
@ -72,8 +79,8 @@ match your configuration. <font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u
SIMPLY INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
IS REQUIRED BEFORE THE FIREWALL WILL START. IF YOU ISSUE A "start" COMMAND
AND THE FIREWALL FAILS TO START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY
NETWORK TRAFFIC. IF THIS HAPPENS, ISSUE A "shorewall clear" COMMAND TO RESTORE
NETWORK CONNECTIVITY.</b></font></li>
NETWORK TRAFFIC. IF THIS HAPPENS, ISSUE A "shorewall clear" COMMAND TO
RESTORE NETWORK CONNECTIVITY.</b></font></li>
<li>Start the firewall by typing "shorewall start"</li>
</ul>
@ -102,15 +109,15 @@ type "./install.sh /etc/init.d"</li>
<li>Edit the <a href="#Config_Files"> configuration files</a> to
match your configuration.</li>
<li>Start the firewall by typing "shorewall start"</li>
<li>If the install script was unable to configure Shorewall to be
started automatically at boot, see <a
<li>If the install script was unable to configure Shorewall to
be started automatically at boot, see <a
href="starting_and_stopping_shorewall.htm">these instructions</a>.</li>
</ul>
<p><a name="LRP"></a>To install my version of Shorewall on a fresh Bering
disk, simply replace the "shorwall.lrp" file on the image with the file that
you downloaded. See the <a href="two-interface.htm">two-interface QuickStart
disk, simply replace the "shorwall.lrp" file on the image with the file
that you downloaded. See the <a href="two-interface.htm">two-interface QuickStart
Guide</a> for information about further steps required.</p>
<p><a name="Upgrade_RPM"></a>If you already have the Shorewall RPM installed
@ -120,23 +127,24 @@ started automatically at boot, see <a
or and you have entries in the /etc/shorewall/hosts file then please check
your /etc/shorewall/interfaces file to be sure that it contains an entry
for each interface mentioned in the hosts file. Also, there are certain
1.2 rule forms that are no longer supported under 1.4 (you must use the new
1.4 syntax). See <a href="errata.htm#Upgrade">the upgrade issues </a>for details.</p>
1.2 rule forms that are no longer supported under 1.4 (you must use the
new 1.4 syntax). See <a href="errata.htm#Upgrade">the upgrade issues </a>for
details.</p>
<ul>
<li>Upgrade the RPM (rpm -Uvh &lt;shorewall rpm file&gt;) <b>Note:
</b>If you are installing version 1.2.0 and have one of the 1.2.0
Beta RPMs installed, you must use the "--oldpackage" option to rpm (e.g.,
"rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm").
Beta RPMs installed, you must use the "--oldpackage" option to rpm
(e.g., "rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm").
<p> <b>Note1: </b>Some SuSE users have encountered a problem whereby
rpm reports a conflict with kernel &lt;= 2.2 even though a 2.4 kernel
is installed. If this happens, simply use the --nodeps option to rpm (rpm
-Uvh --nodeps &lt;shorewall rpm&gt;).<br>
is installed. If this happens, simply use the --nodeps option to rpm
(rpm -Uvh --nodeps &lt;shorewall rpm&gt;).<br>
<br>
<b>Note2: </b>Beginning with Shorewall 1.4.0, Shorewall is dependent on
the iproute package. Unfortunately, some distributions call this package iproute2
which will cause the upgrade of Shorewall to fail with the diagnostic:<br>
<b>Note2: </b>Beginning with Shorewall 1.4.0, Shorewall is dependent
on the iproute package. Unfortunately, some distributions call this package
iproute2 which will cause the upgrade of Shorewall to fail with the diagnostic:<br>
<br>
     error: failed dependencies:iproute is needed by shorewall-1.4.0-1
<br>
@ -201,7 +209,7 @@ your setup. In most cases, the <a href="shorewall_quickstart_guide.htm">Shorewa
</ul>
<p><font size="2">Updated 3/18/2003 - <a href="support.htm">Tom Eastep</a>
<p><font size="2">Updated 4/8/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
@ -212,5 +220,7 @@ your setup. In most cases, the <a href="shorewall_quickstart_guide.htm">Shorewa
<br>
<br>
<br>
<br>
<br>
</body>
</html>

31
Shorewall-docs/NAT.htm
View File

@ -45,12 +45,11 @@ I strongly recommend that you read the <a
<blockquote> </blockquote>
<p align="left">Static NAT can be used to make the systems with the
10.1.1.* addresses appear to be on the upper (130.252.100.*) subnet. If
we assume that the interface to the upper subnet is eth0, then the following
/etc/shorewall/NAT file would make the lower left-hand system appear
to have IP address 130.252.100.18 and the right-hand one to have IP address
130.252.100.19.</p>
<p align="left">Static NAT can be used to make the systems with the 10.1.1.*
addresses appear to be on the upper (130.252.100.*) subnet. If we assume
that the interface to the upper subnet is eth0, then the following /etc/shorewall/NAT
file would make the lower left-hand system appear to have IP address
130.252.100.18 and the right-hand one to have IP address 130.252.100.19.</p>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
@ -83,18 +82,21 @@ to have IP address 130.252.100.18 and the right-hand one to have IP address
example) is (are) not included in any specification in /etc/shorewall/masq
or /etc/shorewall/proxyarp.</p>
<p><a name="AllInterFaces"></a>Note 1: The "ALL INTERFACES" column
is used to specify whether access to the external IP from all firewall
interfaces should undergo NAT (Yes or yes) or if only access from the
interface in the INTERFACE column should undergo NAT. If you leave this
column empty, "Yes" is assumed. The ALL INTERFACES column was added
in version 1.1.6.</p>
<p><a name="AllInterFaces"></a>Note 1: The "ALL INTERFACES" column is used
to specify whether access to the external IP from all firewall interfaces
should undergo NAT (Yes or yes) or if only access from the interface in
the INTERFACE column should undergo NAT. If you leave this column empty,
"Yes" is assumed. The ALL INTERFACES column was added in version 1.1.6.</p>
<p>Note 2: Shorewall will automatically add the external address to the
specified interface unless you specify <a
href="Documentation.htm#Aliases">ADD_IP_ALIASES</a>="no" (or "No") in
/etc/shorewall/shorewall.conf; If you do not set ADD_IP_ALIASES or if
you set it to "Yes" or "yes" then you must NOT configure your own alias(es).</p>
you set it to "Yes" or "yes" then you must NOT configure your own alias(es).
<b>RESTRICTION: </b>Shorewall can only add external addresses to an interface
that is configured with a single subnetwork -- if your external interface
has addresses in more than one subnetwork, Shorewall can only add addresses
to the first one.</p>
<p><a name="LocalPackets"></a>Note 3: The contents of the "LOCAL" column
determine whether packets originating on the firewall itself and destined
@ -106,9 +108,10 @@ are not redirected. The LOCAL column was added in version 1.1.8.</p>
<blockquote> </blockquote>
<p><font size="2">Last updated 1/11/2003 - </font><font size="2"> <a
<p><font size="2">Last updated 4/11/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
<br>
</body>
</html>

785
Shorewall-docs/News.htm
View File

File diff suppressed because it is too large Load Diff

137
Shorewall-docs/Shorewall_Squid_Usage.html
View File

@ -34,10 +34,11 @@
<br>
This page covers Shorewall configuration to use with <a
href="http://www.squid-cache.org/">Squid </a>running as a <u><b>Transparent
Proxy</b></u>.&nbsp;<br>
Proxy</b></u>. If you are running Shorewall 1.3, please see <a
href="1.3/Shorewall_Squid_Usage.html">this documentation</a>.<br>
<a href="#DMZ"></a><br>
<img border="0" src="images/j0213519.gif" width="60" height="60"
alt="Caution" align="middle">
<img border="0" src="images/j0213519.gif" width="60"
height="60" alt="Caution" align="middle">
&nbsp;&nbsp;&nbsp; Please observe the following general requirements:<br>
<br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
@ -52,14 +53,14 @@ run as a transparent proxy as described at <a
files, siimply create them.<br>
<br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
</b>&nbsp;&nbsp;&nbsp; When the Squid server is in the DMZ zone or
in the local zone, that zone must be defined ONLY by its interface -- no
/etc/shorewall/hosts file entries. That is because the packets being routed
to the Squid server still have their original destination IP addresses.<br>
</b>&nbsp;&nbsp;&nbsp; When the Squid server is in the DMZ zone
or in the local zone, that zone must be defined ONLY by its interface
-- no /etc/shorewall/hosts file entries. That is because the packets being
routed to the Squid server still have their original destination IP addresses.<br>
<br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
</b>&nbsp;&nbsp;&nbsp; You must have iptables installed on your Squid
server.<br>
</b>&nbsp;&nbsp;&nbsp; You must have iptables installed on your
Squid server.<br>
<br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
</b>&nbsp;&nbsp;&nbsp; You must have NAT and MANGLE enabled in your
@ -72,22 +73,22 @@ to the Squid server still have their original destination IP addresses.<br>
Three different configurations are covered:<br>
<ol>
<li><a href="Shorewall_Squid_Usage.html#Firewall">Squid running on
the Firewall.</a></li>
<li><a href="Shorewall_Squid_Usage.html#Local">Squid running in the
local network</a></li>
<li><a href="Shorewall_Squid_Usage.html#Firewall">Squid running
on the Firewall.</a></li>
<li><a href="Shorewall_Squid_Usage.html#Local">Squid running in
the local network</a></li>
<li><a href="Shorewall_Squid_Usage.html#DMZ">Squid running in the
DMZ</a></li>
</ol>
<h2><a name="Firewall"></a>Squid Running on the Firewall</h2>
You want to redirect all local www connection requests
EXCEPT those to your
own http server (206.124.146.177)
to a Squid transparent
proxy running on the firewall and listening on port 3128. Squid
will of course require access to remote web servers.<br>
You want to redirect all local www connection requests EXCEPT
those to your own
http server (206.124.146.177)
to a Squid
transparent proxy running on the firewall and listening on port
3128. Squid will of course require access to remote web servers.<br>
<br>
In /etc/shorewall/rules:<br>
<br>
@ -95,7 +96,6 @@ EXCEPT those to your
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>ACTION</b></td>
<td><b>SOURCE</b></td>
@ -107,7 +107,6 @@ EXCEPT those to your
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
</tr>
<tr>
<td>REDIRECT</td>
@ -131,14 +130,7 @@ EXCEPT those to your
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
@ -147,9 +139,9 @@ EXCEPT those to your
You want to redirect all local www connection requests to a Squid
transparent proxy
running in your local zone at 192.168.1.3 and listening on port 3128.
Your local interface is eth1. There may also be a web server running on
192.168.1.3. It is assumed that web access is already enabled from the local
zone to the internet.<br>
Your local interface is eth1. There may also be a web server running
on 192.168.1.3. It is assumed that web access is already enabled from the
local zone to the internet.<br>
<p><font color="#ff0000"><b>WARNING: </b></font>This setup may conflict with
other aspects of your gateway including but not limited to traffic shaping
@ -177,12 +169,45 @@ EXCEPT those to your
</blockquote>
<ul>
<li>If you are running Shorewall 1.4.1 or Shorewall 1.4.1a, please
upgrade to Shorewall 1.4.2 or later.<br>
<br>
</li>
<li>If you are running Shorewall 1.4.2 or later, then in /etc/shorewall/interfaces:<br>
<br>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top">ZONE<br>
</td>
<td valign="top">INTERFACE<br>
</td>
<td valign="top">BROADCAST<br>
</td>
<td valign="top">OPTIONS<br>
</td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">eth1<br>
</td>
<td valign="top">detect<br>
</td>
<td valign="top"><b>routeback</b><br>
</td>
</tr>
</tbody>
</table>
<br>
</li>
<li>In /etc/shorewall/rules:<br>
<br>
<table border="1" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>ACTION</b></td>
<td><b>SOURCE</b></td>
@ -194,7 +219,6 @@ EXCEPT those to your
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
</tr>
<tr>
<td>ACCEPT<br>
@ -210,19 +234,12 @@ EXCEPT those to your
</td>
</tr>
</tbody>
</table>
<br>
</li>
<li>Alternativfely, you can have the following policy:<br>
<br>
<li>Alternativfely, if you are running Shorewall 1.4.0 you can have the
following policy in place of the above rule:<br>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
@ -288,8 +305,8 @@ EXCEPT those to your
<h2><a name="DMZ"></a>Squid Running in the DMZ (This is what I do)</h2>
You have a single Linux system in your DMZ with IP address 192.0.2.177.
You want to run both a web server and Squid on that system. Your DMZ interface
is eth1 and your local interface is eth2.<br>
You want to run both a web server and Squid on that system. Your DMZ
interface is eth1 and your local interface is eth2.<br>
<ul>
<li>On your firewall system, issue the following command<br>
@ -402,7 +419,6 @@ EXCEPT those to your
</tbody>
</table>
</blockquote>
<br>
</blockquote>
<ul>
@ -432,6 +448,22 @@ EXCEPT those to your
DEST<br>
</td>
</tr>
<tr>
<td valign="top">ACCEPT<br>
</td>
<td valign="top">loc<br>
</td>
<td valign="top">dmz<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">80<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
<tr>
<td valign="top">ACCEPT<br>
</td>
@ -476,20 +508,11 @@ EXCEPT those to your
<blockquote> </blockquote>
<p><font size="-1"> Updated 2/22/2003 - <a href="support.htm">Tom Eastep</a>
<p><font size="-1"> Updated 4/7/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<a
href="copyright.htm"><font size="2">Copyright</font> &copy; <font
size="2">2003 Thomas M. Eastep.</font></a><br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<a href="copyright.htm"><font size="2">Copyright</font> &copy;
<font size="2">2003 Thomas M. Eastep.</font></a><br>
<br>
</body>
</html>

29
Shorewall-docs/Shorewall_and_Aliased_Interfaces.html
View File

@ -16,13 +16,10 @@
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall and Aliased Interfaces</font></h1>
</td>
</tr>
</tbody>
</table>
<br>
@ -89,7 +86,7 @@ the IP address.<br>
</b></td>
</tr>
<tr>
<td valign="top">DNAT<br>
<td valign="top">ACCEPT<br>
</td>
<td valign="top">net<br>
</td>
@ -345,13 +342,13 @@ file:<br>
</blockquote>
<h3>MULTIPLE SUBNETS</h3>
Sometimes multiple IP addresses are used because there are multiple subnetworks
configured on a LAN segment. This technique does not provide for any security
between the subnetworks if the users of the systems have administrative
privileges because in that case, the users can simply manipulate their system's
routing table to bypass your firewall/router. Nevertheless, there are cases
where you simply want to consider the LAN segment itself as a zone and allow
your firewall/router to route between the two subnetworks.<br>
Sometimes multiple IP addresses are used because there are multiple
subnetworks configured on a LAN segment. This technique does not provide
for any security between the subnetworks if the users of the systems have
administrative privileges because in that case, the users can simply manipulate
their system's routing table to bypass your firewall/router. Nevertheless,
there are cases where you simply want to consider the LAN segment itself
as a zone and allow your firewall/router to route between the two subnetworks.<br>
<br>
Example 1: &nbsp;Local interface eth1 interfaces to 192.168.1.0/24 and
192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and eth1:0
@ -360,6 +357,7 @@ your firewall/router to route between the two subnetworks.<br>
<h4>If you are running Shorewall 1.4.1 or Later</h4>
In /etc/shorewall/interfaces:<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
@ -424,6 +422,7 @@ In /etc/shorewall/interfaces:<br>
</blockquote>
Note that you do NOT need any entry in /etc/shorewall/policy as Shorewall
1.4.1 and later releases default to allowing intra-zone traffic.<br>
<h4>If you are running Shorewall 1.4.0 or earlier<br>
</h4>
In /etc/shorewall/interfaces:<br>
@ -497,8 +496,9 @@ specify the <b>multi</b> option.<br>
</blockquote>
Example 2: Local interface eth1 interfaces to 192.168.1.0/24 and 192.168.20.0/24.
The primary IP address of eth1 is 192.168.1.254 and eth1:0 is 192.168.20.254.
You want to make these subnetworks into separate zones and control the access
between them (the users of the systems do not have administrative privileges).<br>
You want to make these subnetworks into separate zones and control the
access between them (the users of the systems do not have administrative
privileges).<br>
<br>
In /etc/shorewall/zones:<br>
<br>
@ -607,7 +607,7 @@ specify the <b>multi</b> option.<br>
that you want to permit.<br>
<br>
<p align="left"><font size="2">Last Updated 3/22/2003 A - <a
<p align="left"><font size="2">Last Updated 3/27/2003 A - <a
href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy;
@ -617,5 +617,6 @@ that you want to permit.<br>
<br>
<br>
<br>
<br>
</body>
</html>

48
Shorewall-docs/Shorewall_index_frame.htm
View File

@ -2,23 +2,17 @@
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Index</title>
<base
target="main">
<base target="main">
<meta name="Microsoft Theme" content="none">
</head>
<body>
@ -30,18 +24,12 @@
<tr>
<td width="100%" height="90">
<h3 align="center"><font color="#ffffff">Shorewall</font></h3>
</td>
</tr>
<tr>
<td width="100%"
bgcolor="#ffffff">
<ul>
<li> <a
href="seattlefirewall_index.htm">Home</a></li>
@ -59,8 +47,7 @@
</li>
<li> <b><a
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li>
<li> <a
href="Documentation.htm">Reference Manual</a></li>
<li> <a href="FAQ.htm">FAQs</a></li>
<li><a
href="useful_links.html">Useful Links</a><br>
@ -73,14 +60,8 @@
<li> <a href="support.htm">Getting
help or Answers to Questions</a><br>
</li>
<li> <a href="shorewall_mirrors.htm">Mirrors</a>
<ul>
<li><a target="_top"
href="http://slovakia.shorewall.net">Slovak Republic</a></li>
@ -96,22 +77,11 @@ help or Answers to Questions</a><br>
target="_top">Washington State, USA</a><br>
</li>
</ul>
</li>
</ul>
<ul>
<li> <a href="News.htm">News
Archive</a></li>
@ -124,14 +94,10 @@ Archive</a></li>
<li> <a
href="seattlefirewall_index.htm#Donations">Donations</a></li>
</ul>
</td>
</tr>
</tbody>
</table>
@ -140,11 +106,10 @@ Archive</a></li>
<b>Note: </b></strong>Search is unavailable
Daily 0200-0330 GMT.<br>
<strong></strong>
<p><strong>Quick Search</strong><br>
<font face="Arial" size="-1"> <input
type="text" name="words" size="15"></font><font size="-1"> </font> <font
face="Arial" size="-1"> <input type="hidden" name="format"
<font face="Arial" size="-1">
<input type="text" name="words" size="15"></font><font size="-1"> </font>
<font face="Arial" size="-1"> <input type="hidden" name="format"
value="long"> <input type="hidden" name="method" value="and"> <input
type="hidden" name="config" value="htdig"> <input type="submit"
value="Search"></font> </p>
@ -152,12 +117,11 @@ Archive</a></li>
type="hidden" name="exclude"
value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
<p><b><a href="http://lists.shorewall.net/htdig/search.html">Extended Search</a></b></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001-2003 Thomas M. Eastep.</font></a><a
href="http://www.shorewall.net" target="_top"> </a></p>
<br>
</body>
</html>

52
Shorewall-docs/Shorewall_sfindex_frame.htm
View File

@ -2,23 +2,16 @@
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Index</title>
<base target="main">
<meta name="Microsoft Theme" content="none">
</head>
<body>
@ -30,18 +23,12 @@
<tr>
<td width="100%" height="90">
<h3 align="center"><font color="#ffffff">Shorewall</font></h3>
</td>
</tr>
<tr>
<td width="100%"
bgcolor="#ffffff">
<ul>
<li> <a
href="sourceforge_index.htm">Home</a></li>
@ -59,8 +46,7 @@
</li>
<li> <b><a
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li>
<li> <a
href="Documentation.htm">Reference Manual</a></li>
<li> <a href="FAQ.htm">FAQs</a></li>
<li><a
href="useful_links.html">Useful Links</a><br>
@ -72,14 +58,8 @@
href="upgrade_issues.htm">Upgrade Issues</a></li>
<li> <a href="support.htm">Getting
Help or Answers to Questions</a></li>
<li> <a href="shorewall_mirrors.htm">Mirrors</a>
<ul>
<li><a target="_top"
href="http://slovakia.shorewall.net">Slovak Republic</a></li>
@ -95,25 +75,11 @@ Help or Answers to Questions</a></li>
target="_top">Washington State, USA</a><br>
</li>
</ul>
</li>
</ul>
<ul>
<li> <a href="News.htm">News
Archive</a></li>
@ -126,29 +92,22 @@ Archive</a></li>
<li> <a
href="sourceforge_index.htm#Donations">Donations</a></li>
</ul>
</td>
</tr>
</tbody>
</table>
<form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch">
<strong><br>
<b>Note: </b></strong>Search is unavailable
Daily 0200-0330 GMT.<br>
<strong></strong>
<p><strong>Quick Search</strong><br>
<font face="Arial" size="-1">
<input type="text" name="words" size="15"></font><font size="-1"> </font>
<font face="Arial" size="-1"> <input type="hidden" name="format"
<font face="Arial" size="-1"> <input
type="text" name="words" size="15"></font><font size="-1"> </font> <font
face="Arial" size="-1"> <input type="hidden" name="format"
value="long"> <input type="hidden" name="method" value="and"> <input
type="hidden" name="config" value="htdig"> <input type="submit"
value="Search"></font> </p>
@ -156,12 +115,11 @@ Archive</a></li>
type="hidden" name="exclude"
value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
<p><b><a href="http://lists.shorewall.net/htdig/search.html">Extended Search</a></b></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001-2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
</body>
</html>

314
Shorewall-docs/download.htm
View File

@ -20,8 +20,6 @@
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Download</font></h1>
</td>
</tr>
@ -29,17 +27,16 @@
</tbody>
</table>
<p><b>I strongly urge you to read and print a copy of the <a
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
for the configuration that most closely matches your own.<br>
</b></p>
<p>The entire set of Shorewall documentation is available in PDF format
at:</p>
<p>The entire set of Shorewall documentation is available in PDF format at:</p>
<p>    <a href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
    <a
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
    <a href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>
</p>
@ -53,21 +50,21 @@ at:</p>
<li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>,
<b> Linux PPC</b> or <b> TurboLinux</b> distribution
with a 2.4 kernel, you can use the RPM version (note: the
RPM should also work with other distributions that
store init scripts in /etc/init.d and that include chkconfig
or insserv). If you find that it works in other cases, let <a
RPM should also work with other distributions that store
init scripts in /etc/init.d and that include chkconfig or
insserv). If you find that it works in other cases, let <a
href="mailto:teastep@shorewall.net"> me</a> know so that
I can mention them here. See the <a href="Install.htm">Installation
Instructions</a> if you have problems installing the RPM.</li>
<li>If you are running LRP, download the .lrp file (you
might also want to download the .tgz so you will have a copy
<li>If you are running LRP, download the .lrp file
(you might also want to download the .tgz so you will have a copy
of the documentation).</li>
<li>If you run <a href="http://www.debian.org"><b>Debian</b></a>
and would like a .deb package, Shorewall is included in both
the <a href="http://packages.debian.org/testing/net/shorewall.html">Debian
Testing Branch</a> and the <a
href="http://packages.debian.org/unstable/net/shorewall.html">Debian
Unstable Branch</a>.</li>
href="http://packages.debian.org/unstable/net/shorewall.html">Debian Unstable
Branch</a>.</li>
<li>Otherwise, download the <i>shorewall</i>
module (.tgz)</li>
@ -75,294 +72,26 @@ the <a href="http://packages.debian.org/testing/net/shorewall.html">Debian
<p>The documentation in HTML format is included in the .tgz and .rpm files
and there is an documentation .deb that also contains the documentation.  The
.rpm will install the documentation in your default document directory which
can be obtained using the following command:<br>
.rpm will install the documentation in your default document directory
which can be obtained using the following command:<br>
</p>
<blockquote>
<p><font color="#009900"><b>rpm --eval '%{defaultdocdir}'</b></font></p>
</blockquote>
<p>Please verify the version that you have downloaded -- during the
release of a new version of Shorewall, the links below may
point to a newer or an older version than is shown below.</p>
<ul>
<li>RPM - "rpm -qip LATEST.rpm"</li>
<li>TARBALL - "tar -ztf LATEST.tgz" (the directory
name will contain the version)</li>
<li>LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar
-zxf &lt;downloaded .lrp&gt;; cat var/lib/lrpkg/shorwall.version"
</li>
</ul>
<p>Once you have verified the version, check the <font
color="#ff0000"> <a href="errata.htm"> errata</a></font> to see
if there are updates that apply to the version that you have
downloaded.</p>
<p>Please check the <font color="#ff0000"> <a href="errata.htm"> errata</a></font>
to see if there are updates that apply to the version
that you have downloaded.</p>
<p><font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY INSTALL
THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed
configuration of your firewall, you can enable startup by removing the
file /etc/shorewall/startup_disabled.</b></font></p>
IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed configuration
of your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.</b></font></p>
<p><b>Download Latest Version</b> (<b>1.4.0</b>): <b>Remember that updates
to the mirrors occur 1-12 hours after an update to the Washington
State site.</b></p>
<p><b></b></p>
<blockquote>
<table border="2" cellspacing="3" cellpadding="3"
style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>SERVER LOCATION</b></td>
<td><b>DOMAIN</b></td>
<td><b>HTTP</b></td>
<td><b>FTP</b></td>
</tr>
<tr>
<td valign="top">SourceForge<br>
</td>
<td valign="top">sf.net<br>
</td>
<td valign="top"><a
href="http://sourceforge.net/project/showfiles.php?group_id=22587">Download</a><br>
</td>
<td valign="top"><br>
</td>
</tr>
<tr>
<td>Slovak Republic</td>
<td>Shorewall.net</td>
<td><a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br>
<a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.md5sums">
Download.md5sums<br>
</a><a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.samples">Download
.samples</a><a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.md5sums"><br>
</a></td>
<td> <a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
<a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.md5sums">
Download.md5sums<br>
</a><a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.samples">Download
.samples</a><a
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.md5sums"><br>
</a></td>
</tr>
<tr>
<td>Texas, USA</td>
<td>Infohiiway.com</td>
<td><a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.rpm">Download
.rpm</a><br>
<a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.md5sums">
Download.md5sums<br>
</a><a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.samples">Download
.samples</a><a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.md5sums"><br>
</a></td>
<td> <a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.rpm">Download .rpm</a>  <br>
<a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.lrp"> Download
.lrp</a><br>
<a
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.md5sums">
Download.md5sums<br>
</a><a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.samples"> Download
.samples</a><a
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.md5sums"><br>
</a></td>
</tr>
<tr>
<td>Hamburg, Germany</td>
<td>Shorewall.net</td>
<td><a
href="http://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download
.rpm</a><br>
<a
href="http://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a><br>
<a
href="http://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a
href="http://germany.shorewall.net/pub/shorewall/LATEST.md5sums">
Download.md5sums<br>
</a><a
href="http://germany.shorewall.net/pub/shorewall/LATEST.samples">Download
.samples</a><a
href="http://germany.shorewall.net/pub/shorewall/LATEST.md5sums"><br>
</a></td>
<td> <a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download
.rpm</a>  <br>
<a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.md5sums">Download
.md5sums<br>
</a><a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.samples">Download
.samples</a><a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.md5sums"><br>
</a></td>
</tr>
<tr>
<td>Martinez (Zona Norte - GBA), Argentina</td>
<td>Correofuego.com.ar</td>
<td> <a
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
<a
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
Download .lrp</a><br>
<a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums">Download
.md5sums<br>
</a><a
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.samples">
Download .samples</a><a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums"><br>
</a></td>
<td> <a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
<a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
Download .lrp</a><br>
<a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums">Download
.md5sums<br>
</a><a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.samples">
Download .samples</a><a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums"><br>
</a></td>
</tr>
<tr>
<td>Paris, France</td>
<td>Shorewall.net</td>
<td><a
href="http://france.shorewall.net/pub/LATEST.rpm">Download .rpm</a><br>
<a
href="http://france.shorewall.net/pub/LATEST.tgz">Download
.tgz</a> <br>
<a
href="http://france.shorewall.net/pub/LATEST.lrp">Download
.lrp</a><br>
<a
href="http://france.shorewall.net/pub/LATEST.md5sums">Download
.md5sums<br>
</a><a href="http://france.shorewall.net/pub/LATEST.samples">Download
.samples</a><a
href="http://france.shorewall.net/pub/LATEST.md5sums"><br>
</a></td>
<td> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
<a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.md5sums">Download
.md5sums<br>
</a><a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.samples">Download
.samples</a><a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.md5sums"><br>
</a></td>
</tr>
<tr>
<td valign="middle">Washington State, USA<br>
</td>
<td valign="middle">Shorewall.net<br>
</td>
<td valign="top"><a
href="http://www.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br>
<a
href="http://www.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a
href="http://www.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a
href="http://www.shorewall.net/pub/shorewall/LATEST.md5sums">Download
.md5sums<br>
</a><a
href="http://www.shorewall.net/pub/shorewall/LATEST.samples">Download
.samples</a><br>
</td>
<td valign="top"><a
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.rpm" target="_blank">
Download .rpm</a> <br>
<a
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.tgz" target="_blank">Download
.tgz</a> <br>
<a
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.lrp" target="_blank">Download
.lrp</a><br>
<a target="_blank"
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.md5sums">Download
.md5sums<br>
</a><a
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.samples"
target="_blank">Download .samples</a><br>
</td>
</tr>
</tbody>
</table>
</blockquote>
<p><b>Browse Download Sites:</b></p>
<p><b>Download Sites:</b></p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
@ -430,7 +159,6 @@ the <a href="http://packages.debian.org/testing/net/shorewall.html">Debian
href="ftp://ftp.shorewall.net/pub/shorewall/" target="_blank">Browse</a></td>
</tr>
</tbody>
</table>
</blockquote>
@ -446,11 +174,13 @@ the <a href="http://packages.debian.org/testing/net/shorewall.html">Debian
</p>
</blockquote>
<p align="left"><font size="2">Last Updated 3/6/2003 - <a
<p align="left"><font size="2">Last Updated 3/24/2003 - <a
href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
<br>
</body>
</html>

112
Shorewall-docs/errata.htm
View File

@ -2,19 +2,14 @@
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall 1.4 Errata</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none">
<meta name="author" content="Tom Eastep">
@ -27,13 +22,10 @@
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1>
</td>
</tr>
</tbody>
</table>
@ -41,8 +33,6 @@
<ol>
<li>
<p align="left"> <b><u>I</u>f you use a Windows system to download
a corrected script, be sure to run the script through <u>
<a href="http://www.megaloman.com/%7Ehany/software/hd2u/"
@ -50,22 +40,17 @@
it to your Linux system.</b></p>
</li>
<li>
<p align="left"> <b>If you are installing Shorewall for the first
time and plan to use the .tgz and install.sh script, you can untar
the archive, replace the 'firewall' script in the untarred directory
with the one you downloaded below, and then run install.sh.</b></p>
</li>
<li>
<p align="left"> <b>When the instructions say to install a corrected
firewall script in /usr/share/shorewall/firewall, you may
rename the existing file before copying in the new file.</b></p>
</li>
<li>
<p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW.
For example, do NOT install the 1.3.9a firewall script if you are running
@ -104,10 +89,33 @@ iptables</a></b></li>
<hr>
<h2 align="left"><a name="V1.4"></a>Problems in Version 1.4</h2>
<h3></h3>
<h3>1.4.1a, 1.4.1 and 1.4.0</h3>
<ul>
<li>Some TCP requests are rejected in the 'common' chain with an ICMP port-unreachable
response rather than the more appropriate TCP RST response. This problem
is corrected in this updated common.def file which may be installed in /etc/shorewall/common.def.<br>
</li>
</ul>
<h3>1.4.1</h3>
<ul>
<li>When a "shorewall check" command is executed, each "rule" produces
the harmless additional message:<br>
<br>
     /usr/share/shorewall/firewall: line 2174: [: =: unary operator expected<br>
<br>
You may correct the problem by installing <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.1/firewall"
target="_top">this corrected script</a> in /usr/share/shorewall/firewall
as described above.<br>
</li>
</ul>
<h3>1.4.0</h3>
<ul>
<li>When running under certain shells Shorewall will attempt to create
ECN rules even when /etc/shorewall/ecn is empty. You may either just remove
@ -115,7 +123,9 @@ ECN rules even when /etc/shorewall/ecn is empty. You may either just remove
href="http://www.shorewall.net/pub/shorewall/errata/1.4.0/firewall">this
correct script</a> in /usr/share/shorewall/firewall as described above.<br>
</li>
</ul>
<hr width="100%" size="2">
<h2 align="left"><a name="Upgrade"></a>Upgrade Issues</h2>
@ -127,12 +137,10 @@ correct script</a> in /usr/share/shorewall/firewall as described above.<br>
iptables version 1.2.3</font></h3>
<blockquote>
<p align="left">There are a couple of serious bugs in iptables 1.2.3 that
prevent it from working with Shorewall. Regrettably,
RedHat released this buggy iptables in RedHat 7.2. </p>
<p align="left"> I have built a <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
corrected 1.2.3 rpm which you can download here</a>  and I have
@ -142,7 +150,6 @@ RedHat released this buggy iptables in RedHat 7.2.
running RedHat 7.1, you can install either of these RPMs
<b><u>before</u> </b>you upgrade to RedHat 7.2.</p>
<p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat
has released an iptables-1.2.4 RPM of their own which you can
download from<font color="#ff6633"> <a
@ -150,84 +157,67 @@ download from<font color="#ff6633"> <a
</font>I have installed this RPM on my firewall and it works
fine.</p>
<p align="left">If you would like to patch iptables 1.2.3 yourself,
the patches are available for download. This <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
which corrects a problem with parsing of the --log-level specification
while this <a
which corrects a problem with parsing of the --log-level
specification while this <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
corrects a problem in handling the  TOS target.</p>
<p align="left">To install one of the above patches:</p>
<ul>
<li>cd iptables-1.2.3/extensions</li>
<li>patch -p0 &lt; <i>the-patch-file</i></li>
</ul>
</blockquote>
<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18
and RedHat iptables</h3>
<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18 and
RedHat iptables</h3>
<blockquote>
<p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19
may experience the following:</p>
<blockquote>
<pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre>
</blockquote>
<p>The RedHat iptables RPM is compiled with debugging enabled but the
user-space debugging code was not updated to reflect recent changes in
the Netfilter 'mangle' table. You can correct the problem by
installing <a
href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
this iptables RPM</a>. If you are already running a 1.2.5 version
of iptables, you will need to specify the --oldpackage option
to rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
this iptables RPM</a>. If you are already running a 1.2.5
version of iptables, you will need to specify the --oldpackage
option to rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
</blockquote>
<h3><a name="SuSE"></a>Problems installing/upgrading
RPM on SuSE</h3>
<p>If you find that rpm complains about a conflict
with kernel &lt;= 2.2 yet you have a 2.4 kernel
installed, simply use the "--nodeps" option to
rpm.</p>
<p>If you find that rpm complains about a conflict with kernel &lt;=
2.2 yet you have a 2.4 kernel installed, simply use the "--nodeps"
option to rpm.</p>
<p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<p>Upgrading: rpm -Uvh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<h3><a name="Multiport"></a><b>Problems with iptables version 1.2.7 and
MULTIPORT=Yes</b></h3>
<h3><a name="Multiport"></a><b>Problems with
iptables version 1.2.7 and MULTIPORT=Yes</b></h3>
<p>The iptables 1.2.7 release of iptables has made
an incompatible change to the syntax used to
specify multiport match rules; as a consequence,
if you install iptables 1.2.7 you must be running
Shorewall 1.3.7a or later or:</p>
<p>The iptables 1.2.7 release of iptables has made an incompatible
change to the syntax used to specify multiport match rules; as
a consequence, if you install iptables 1.2.7 you must be
running Shorewall 1.3.7a or later or:</p>
<ul>
<li>set MULTIPORT=No
in /etc/shorewall/shorewall.conf; or </li>
in /etc/shorewall/shorewall.conf; or
</li>
<li>if you are running
Shorewall 1.3.6 you may install
<a
@ -239,8 +229,8 @@ to rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm")
<h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br>
</h3>
/etc/shorewall/nat entries of the following form will result
in Shorewall being unable to start:<br>
/etc/shorewall/nat entries of the following form will
result in Shorewall being unable to start:<br>
<br>
<pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22    eth0    192.168.9.22   yes     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
@ -249,16 +239,18 @@ to rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm")
<pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
The solution is to put "no" in the LOCAL column. Kernel
support for LOCAL=yes has never worked properly and 2.4.18-10 has
disabled it. The 2.4.19 kernel contains corrected support under a new
kernel configuraiton option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
disabled it. The 2.4.19 kernel contains corrected support under a
new kernel configuraiton option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
<p><font size="2"> Last updated 3/21/2003 -
<a href="support.htm">Tom Eastep</a></font> </p>
<p><font size="2"> Last updated 3/25/2003 - <a href="support.htm">Tom Eastep</a></font>
</p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
<br>
<br>
<br>
</body>
</html>

BIN
Shorewall-docs/images/Thumbs.db
View File

Binary file not shown.

BIN
Shorewall-docs/images/ZoneDiagram.png
View File

Binary file not shown.

70
Shorewall-docs/mailing_list.htm
View File

@ -2,22 +2,16 @@
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Mailing Lists</title>
<meta name="Microsoft Theme" content="none">
</head>
<body>
@ -29,25 +23,19 @@
<tr>
<td width="33%" valign="middle" align="left">
<h1 align="center"><a
href="http://www.centralcommand.com/linux_products.html"><img
src="images/Vexira_Antivirus_Logo.gif" alt="Vexira Logo" width="78"
height="79" align="left">
</a></h1>
<a
href="http://www.gnu.org/software/mailman/mailman.html"> <img
border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110"
height="35" alt="">
</a>
<p align="right"><font color="#ffffff"><b>  </b></font> </p>
</td>
<td valign="middle" width="34%" align="center">
<h1 align="center"><font color="#ffffff">Shorewall Mailing Lists</font></h1>
</td>
<td valign="middle" width="33%"> <a
@ -69,27 +57,25 @@
</td>
</tr>
</tbody>
</table>
<h1>REPORTING A PROBLEM OR ASKING FOR HELP? If you haven't already, please
read the <a href="http://www.shorewall.net/support.htm">Shorewall Support
Guide</a>.<br>
</h1>
<p align="left">If you experience problems with any of these lists, please
let <a href="mailto:teastep@shorewall.net">me</a> know</p>
<h2 align="left">Not able to Post Mail to shorewall.net?</h2>
<p align="left">You can report such problems by sending mail to tom dot eastep
at hp dot com.</p>
<p align="left">You can report such problems by sending mail to tmeastep
at hotmail dot com.</p>
<h2>A Word about SPAM Filters <a href="http://ordb.org"></a><a
href="http://osirusoft.com/"> </a></h2>
<p>Before subscribing please read my <a href="spam_filters.htm">policy
about list traffic that bounces.</a> Also please note that the mail server
at shorewall.net checks incoming mail:<br>
@ -114,14 +100,14 @@ record in DNS.</li>
list posts!!<br>
<br>
I think that blocking all HTML is a Draconian way to control
spam and that the ultimate losers here are not the spammers but the
list subscribers whose MTAs are bouncing all shorewall.net mail. As
one list subscriber wrote to me privately "These e-mail admin's need to
get a <i>(explitive deleted)</i> life instead of trying to rid the planet
of HTML based e-mail". Nevertheless, to allow subscribers to receive list
posts as must as possible, I have now configured the list server at shorewall.net
to strip all HTML from outgoing posts. This means that HTML-only posts
will be bounced by the list server.<br>
spam and that the ultimate losers here are not the spammers but the list
subscribers whose MTAs are bouncing all shorewall.net mail. As one list
subscriber wrote to me privately "These e-mail admin's need to get a <i>(explitive
deleted)</i> life instead of trying to rid the planet of HTML based e-mail".
Nevertheless, to allow subscribers to receive list posts as must as possible,
I have now configured the list server at shorewall.net to strip all HTML
from outgoing posts. This means that HTML-only posts will be bounced by
the list server.<br>
<p align="left"> <b>Note: </b>The list server limits posts to 120kb.<br>
</p>
@ -138,20 +124,17 @@ than they help but I'm not prepared to go so far as to start stripping <i>Recei
<form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch">
<p> <font size="-1"> Match:
<select name="method">
<option value="and">All </option>
<option value="or">Any </option>
<option value="boolean">Boolean </option>
</select>
Format:
<select name="format">
<option value="builtin-long">Long </option>
<option value="builtin-short">Short </option>
</select>
Sort by:
<select name="sort">
<option value="score">Score </option>
<option value="time">Time </option>
@ -168,10 +151,9 @@ than they help but I'm not prepared to go so far as to start stripping <i>Recei
value=""> <input type="submit" value="Search"> </p>
</form>
<h2 align="left"><font color="#ff0000">Please do not try to download the entire
Archive -- it is 75MB (and growing daily) and my slow DSL line simply won't
stand the traffic. If I catch you, you will be blacklisted.<br>
<h2 align="left"><font color="#ff0000">Please do not try to download the
entire Archive -- it is 75MB (and growing daily) and my slow DSL line simply
won't stand the traffic. If I catch you, you will be blacklisted.<br>
</font></h2>
<h2 align="left">Shorewall CA Certificate</h2>
@ -212,9 +194,9 @@ stand the traffic. If I catch you, you will be blacklisted.<br>
<p align="left">The list archives are at <a
href="http://lists.shorewall.net/pipermail/shorewall-users/index.html">http://lists.shorewall.net/pipermail/shorewall-users</a>.</p>
<p align="left">Note that prior to 1/1/2002, the mailing list was hosted
at <a href="http://sourceforge.net">Sourceforge</a>. The archives from that
list may be found at <a
<p align="left">Note that prior to 1/1/2002, the mailing list was hosted at
<a href="http://sourceforge.net">Sourceforge</a>. The archives from that list
may be found at <a
href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p>
<h2 align="left">Shorewall Announce Mailing List</h2>
@ -271,20 +253,17 @@ to make this less confusing. To unsubscribe:</p>
<ul>
<li>
<p align="left">Follow the same link above that you used to subscribe
to the list.</p>
</li>
<li>
<p align="left">Down at the bottom of that page is the following text:
" To <b>unsubscribe</b> from <i>&lt;list name&gt;</i>, get a
password reminder, or change your subscription options enter
your subscription email address:". Enter your email address
in the box and click on the "<b>Unsubscribe</b> or edit options" button.</p>
" To <b>unsubscribe</b> from <i>&lt;list name&gt;</i>, get a password
reminder, or change your subscription options enter your subscription
email address:". Enter your email address in the box and
click on the "<b>Unsubscribe</b> or edit options" button.</p>
</li>
<li>
<p align="left">There will now be a box where you can enter your password
and click on "Unsubscribe"; if you have forgotten your password,
there is another button that will cause your password to be emailed
@ -298,14 +277,15 @@ your subscription email address:". Enter your email address
<p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p>
<p align="left"><font size="2">Last updated 2/24/2003 - <a
<p align="left"><font size="2">Last updated 3/24/2003 - <a
href="http://www.shorewall.net/support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"> <font size="2">Copyright</font> ©
<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
<p align="left"><a href="copyright.htm"> <font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
<br>
<br>
<br>
</body>
</html>

412
Shorewall-docs/seattlefirewall_index.htm
View File

@ -2,53 +2,26 @@
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.4</title>
<base target="_self">
<base
target="_self">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="4"
style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c">
<tbody>
<tr>
<td width="100%"
height="90">
<td
width="100%" height="90">
<h1 align="center"> <font size="4"><i> <a
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4"
alt="Shorwall Logo" height="70" width="85" align="left"
src="images/washington.jpg" border="0">
</a></i></font><a
href="http://www.shorewall.net" target="_top"><img border="1"
src="images/shorewall.jpg" width="119" height="38" hspace="4"
@ -58,171 +31,71 @@
href="http://www.shorewall.net" target="_top"> </a></small></small></small></small>
<div align="center">
<h1><font color="#ffffff">Shorewall 1.4</font><i><font
color="#ffffff"> <small><small><small>"iptables made easy" </small></small></small></font></i></h1>
<h1><font color="#ffffff">             Shorewall 1.4</font><i><font
color="#ffffff"> <small><small><small>"iptables made easy"</small></small></small></font></i><a
href="1.3" target="_top"><font color="#ffffff"><br>
<small><small><small><small>Shorewall 1.3 Site is here</small></small></small></small></font></a><a
href="http://www1.shorewall.net/1.2/index.htm"><font color="#ffffff"><br>
<small><small><small><small>Shorewall 1.2 Site is here</small></small></small></small></font></a><br>
</h1>
</div>
<p><a href="http://www.shorewall.net" target="_top">
</a> </p>
<div align="center"><a href="1.3" target="_top"><font
color="#ffffff">Shorewall 1.3 Site is here</font></a>
<br>
</div>
<p><a href="http://www.shorewall.net" target="_top"> </a> </p>
</td>
</tr>
</tbody>
</table>
<div align="center">
<center>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody>
<tr>
<td width="90%">
<td
width="90%">
<h2 align="left">What is it?</h2>
<p>The Shoreline Firewall, more commonly known as "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
firewall that can be used on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system.</p>
<p>This program is free software; you can redistribute it and/or modify
it under the
terms of <a href="http://www.gnu.org/licenses/gpl.html">Version
2 of the GNU General Public License</a> as published by the Free
Software Foundation.<br>
it under
the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the
GNU General Public License</a> as published by the Free Software
Foundation.<br>
<br>
This program is distributed
in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied
warranty of MERCHANTABILITY or FITNESS FOR
A PARTICULAR PURPOSE. See the GNU General Public
License for more details.<br>
This program
is distributed in the hope that it will
be useful, but WITHOUT ANY WARRANTY; without
even the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.<br>
<br>
You should have received
a copy of the GNU General Public License
along with this program; if not, write
to the Free Software Foundation, Inc., 675
Mass Ave, Cambridge, MA 02139, USA</p>
You should have
received a copy of the GNU General Public
License along with this program; if
not, write to the Free Software Foundation,
Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
<p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques
Nilo and Eric Wolzak have a LEAF (router/firewall/gateway
</a>Jacques Nilo
and Eric Wolzak have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution
called <i>Bering</i> that features
Shorewall-1.3.14 and Kernel-2.4.20. You can find
their work at: <a
Shorewall-1.3.14 and Kernel-2.4.20. You can
find their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
</a></p>
<p><b>Congratulations to Jacques and Eric on the recent release of
Bering 1.1!!! </b><br>
</p>
@ -232,155 +105,164 @@ Bering 1.1!!! </b><br>
<h2>News</h2>
<p><b>3/24/2003 - Shorewall 1.4.1 </b><b> </b><b><img
<p><b>4/12/2002 - Greater Seattle Linux Users Group Presentation </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
This release follows up on 1.4.0. It corrects a problem introduced in 1.4.0
and removes additional warts.<br>
<blockquote>This morning, I gave <a href="GSLUG.htm" target="_top">a
Shorewall presentation to GSLUG</a>. The presentation is in HTML format
but was generated from Microsoft PowerPoint and is best viewed using Internet
Explorer although Konqueror also seems to work reasonably well. Neither Opera
or Netscape work well to view the presentation.<br>
</blockquote>
<p><b>4/9/2003 - Shorewall 1.4.2</b><b> </b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b><br>
</p>
<p><b>    Problems Corrected:</b></p>
<blockquote>
<ol>
<li>TCP connection requests rejected out of the <b>common</b>
chain are now properly rejected with TCP RST; previously, some of these
requests were rejected with an ICMP port-unreachable response.</li>
<li>'traceroute -I' from behind the firewall previously timed
out on the first hop (e.g., to the firewall). This has been worked around.</li>
</ol>
</blockquote>
<p><b>    New Features:</b></p>
<blockquote>
<ol>
<li>Where an entry in the/etc/shorewall/hosts file specifies
a particular host or network, Shorewall now creates an intermediate chain
for handling input from the related zone. This can substantially reduce the
number of rules traversed by connections requests from such zones.<br>
<br>
<b>Problems Corrected:</b><br>
<ol>
<li>When Shorewall 1.4.0 is run under the ash shell (such as on
Bering/LEAF), it can attempt to add ECN disabling rules even if the /etc/shorewall/ecn
file is empty. That problem has been corrected so that ECN disabling rules
are only added if there are entries in /etc/shorewall/ecn.</li>
</li>
<li>Any file may include an INCLUDE directive. An INCLUDE directive
consists of the word INCLUDE followed by a file name and causes the contents
of the named file to be logically included into the file containing the INCLUDE.
File names given in an INCLUDE directive are assumed to reside in /etc/shorewall
or in an alternate configuration directory if one has been specified for
the command. <br>
 <br>
   Examples:<br>
   shorewall/params.mgmt:<br>
   MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3<br>
   TIME_SERVERS=4.4.4.4<br>
   BACKUP_SERVERS=5.5.5.5<br>
   ----- end params.mgmt -----<br>
 <br>
 <br>
   shorewall/params:<br>
   # Shorewall 1.3 /etc/shorewall/params<br>
   [..]<br>
   #######################################<br>
 <br>
   INCLUDE params.mgmt    <br>
  <br>
   # params unique to this host here<br>
   #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE<br>
   ----- end params -----<br>
 <br>
 <br>
   shorewall/rules.mgmt:<br>
   ACCEPT net:$MGMT_SERVERS          $FW    tcp    22<br>
   ACCEPT $FW          net:$TIME_SERVERS    udp    123<br>
   ACCEPT $FW          net:$BACKUP_SERVERS  tcp    22<br>
   ----- end rules.mgmt -----<br>
 <br>
   shorewall/rules:<br>
   # Shorewall version 1.3 - Rules File<br>
   [..]<br>
   #######################################<br>
 <br>
   INCLUDE rules.mgmt     <br>
  <br>
   # rules unique to this host here<br>
   #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE<br>
   ----- end rules -----<br>
 <br>
INCLUDE's may be nested to a level of 3 -- further nested INCLUDE directives
are ignored with a warning message.<br>
<br>
</li>
<li>Routing traffic from an interface back out that interface
continues to be a problem. While I firmly believe that this should never
happen, people continue to want to do it. To limit the damage that such
nonsense produces, I have added a new 'routeback' option in /etc/shorewall/interfaces
and /etc/shorewall/hosts. When used in /etc/shorewall/interfaces, the 'ZONE'
column may not contain '-'; in other words, 'routeback' can't be used as
an option for a multi-zone interface. The 'routeback' option CAN be specified
however on individual group entries in /etc/shorewall/hosts.<br>
 <br>
The 'routeback' option is similar to the old 'multi' option with two
exceptions:<br>
 <br>
   a) The option pertains to a particular zone,interface,address tuple.<br>
 <br>
   b) The option only created infrastructure to pass traffic from (zone,interface,address)
tuples back to themselves (the 'multi' option affected all (zone,interface,address)
tuples associated with the given 'interface').<br>
 <br>
See the '<a href="upgrade_issues.htm">Upgrade Issues</a>' for information
about how this new option may affect your configuration.<br>
</li>
</ol>
<b>New Features:</b><br>
<blockquote>Note: In the list that follows, the term <i>group </i>refers
to a particular network or subnetwork (which may be 0.0.0.0/0 or it may
be a host address) accessed through a particular interface. Examples:<br>
<blockquote>eth0:0.0.0.0/0<br>
eth2:192.168.1.0/24<br>
eth3:192.0.2.123<br>
</blockquote>
You can use the "shorewall check" command to see the groups associated
with each of your zones.<br>
</blockquote>
<ol>
<li>Beginning with Shorewall 1.4.1, if a zone Z comprises more
than one group<i> </i>then if there is no explicit Z to Z policy and there
are no rules governing traffic from Z to Z then Shorewall will permit all
traffic between the groups in the zone.</li>
<li>Beginning with Shorewall 1.4.1, Shorewall will never create
rules to handle traffic from a group to itself.</li>
<li>A NONE policy is introduced in 1.4.1. When a policy of NONE
is specified from Z1 to Z2:</li>
</ol>
<ul>
<li>There may be no rules created that govern connections from
Z1 to Z2.</li>
<li>Shorewall will not create any infrastructure to handle traffic
from Z1 to Z2.</li>
</ul>
See the <a href="upgrade_issues.htm">upgrade issues</a> for a discussion
of how these changes may affect your configuration.<br>
<p><b></b></p>
<p><a href="News.htm">More News</a></p>
<h2><a name="Donations"></a>Donations</h2>
</td>
<td width="88"
bgcolor="#4b017c" valign="top" align="center"> <br>
<td
width="88" bgcolor="#4b017c" valign="top" align="center"> <br>
</td>
</tr>
</tbody>
</table>
</center>
</div>
<table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c">
<tbody>
<tr>
<td width="100%"
style="margin-top: 1px;">
<p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10">
</a></p>
<p align="center"><font size="4" color="#ffffff">Shorewall is free
but if you try it and find it useful, please consider making a donation
to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight
Children's Foundation.</font></a> Thanks!</font></p>
href="http://www.starlight.org"><font color="#ffffff">Starlight Children's
Foundation.</font></a> Thanks!</font></p>
</td>
</tr>
</tbody>
</table>
<p><font size="2">Updated 3/21/2003 - <a href="support.htm">Tom Eastep</a></font>
<p><font size="2">Updated 4/12/2003 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
<br>
<br>
<br>
<br>
</body>
</html>

70
Shorewall-docs/shorewall_quickstart_guide.htm
View File

@ -2,22 +2,16 @@
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall QuickStart Guide</title>
<meta name="Microsoft Theme" content="none">
</head>
<body>
@ -28,20 +22,17 @@
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall QuickStart Guides
(HOWTO's)<br>
Version 4.0</font></h1>
</td>
</tr>
</tbody>
</table>
<p align="center">With thanks to Richard who reminded me once again that
we must all first walk before we can run.<br>
<p align="center">With thanks to Richard who reminded me once again that we
must all first walk before we can run.<br>
The French Translations are courtesy of Patrice Vetsel<br>
</p>
@ -82,7 +73,6 @@ we must all first walk before we can run.<br>
<li><a
href="shorewall_setup_guide.htm#Addressing">4.0 Addressing, Subnets
and Routing</a>
<ul>
<li><a
href="shorewall_setup_guide.htm#Addresses">4.1 IP Addresses</a></li>
@ -93,34 +83,27 @@ we must all first walk before we can run.<br>
<li><a href="shorewall_setup_guide.htm#ARP">4.4
Address Resolution Protocol</a></li>
</ul>
<ul>
<li><a
href="shorewall_setup_guide.htm#RFC1918">4.5 RFC 1918</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#Options">5.0
Setting up your Network</a>
<li><a
href="shorewall_setup_guide.htm#Options">5.0 Setting up your Network</a>
<ul>
<li><a
href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li>
</ul>
<ul>
<li><a
href="shorewall_setup_guide.htm#NonRouted">5.2 Non-routed</a>
<ul>
<li><a
href="shorewall_setup_guide.htm#SNAT">5.2.1 SNAT</a></li>
@ -128,20 +111,16 @@ we must all first walk before we can run.<br>
href="shorewall_setup_guide.htm#DNAT">5.2.2 DNAT</a></li>
<li><a
href="shorewall_setup_guide.htm#ProxyARP">5.2.3 Proxy ARP</a></li>
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4
Static NAT</a></li>
<li><a
href="shorewall_setup_guide.htm#NAT">5.2.4 Static NAT</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#Rules">5.3
Rules</a></li>
<li><a
href="shorewall_setup_guide.htm#Rules">5.3 Rules</a></li>
<li><a
href="shorewall_setup_guide.htm#OddsAndEnds">5.4 Odds and Ends</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#DNS">6.0
@ -165,19 +144,14 @@ trying to use this documentation directly.</p>
(e.g., eth0:0)</a><br>
</li>
<li><a href="blacklisting_support.htm">Blacklisting</a>
<ul>
<li>Static Blacklisting using /etc/shorewall/blacklist</li>
<li>Dynamic Blacklisting using /sbin/shorewall</li>
</ul>
</li>
<li><a href="configuration_file_basics.htm">Common
configuration file features</a>
<ul>
<li><a
href="configuration_file_basics.htm#Comments">Comments in configuration
@ -197,18 +171,15 @@ trying to use this documentation directly.</p>
href="configuration_file_basics.htm#Compliment">Complementing an IP address
or Subnet</a></li>
<li><a
href="configuration_file_basics.htm#Configs">Shorewall Configurations (making
a test configuration)</a></li>
href="configuration_file_basics.htm#Configs">Shorewall Configurations
(making a test configuration)</a></li>
<li><a
href="configuration_file_basics.htm#MAC">Using MAC Addresses in Shorewall</a></li>
</ul>
</li>
<li><a href="Documentation.htm">Configuration File
Reference Manual</a>
<ul>
<li> <a href="Documentation.htm#Variables">params</a></li>
<li><font color="#000099"><a
@ -239,15 +210,16 @@ a test configuration)</a></li>
<li><a href="Documentation.htm#rfc1918">rfc1918</a></li>
<li><a href="Documentation.htm#Routestopped">routestopped</a></li>
</ul>
</li>
<li><a href="dhcp.htm">DHCP</a></li>
<li><font color="#000099"><a
href="shorewall_extension_scripts.htm">Extension Scripts</a></font> (How
to extend Shorewall without modifying Shorewall code through the use of
files in /etc/shorewall -- /etc/shorewall/start, /etc/shorewall/stopped,
etc.)</li>
<li><a href="ECN.html">ECN Disabling by host or
subnet</a><br>
</li>
<li><font color="#000099"><a href="shorewall_extension_scripts.htm">Extension
Scripts</a></font> (How to extend Shorewall without modifying Shorewall
code through the use of files in /etc/shorewall -- /etc/shorewall/start,
/etc/shorewall/stopped, etc.)</li>
<li><a href="fallback.htm">Fallback/Uninstall</a></li>
<li><a href="shorewall_firewall_structure.htm">Firewall
Structure</a></li>
@ -263,13 +235,10 @@ etc.)</li>
<li><a href="ping.html">'Ping' Management</a><br>
</li>
<li><a href="ports.htm">Port Information</a>
<ul>
<li>Which applications use which ports</li>
<li>Ports used by Trojans</li>
</ul>
</li>
<li><a href="ProxyARP.htm">Proxy ARP</a></li>
@ -290,7 +259,6 @@ Proxy with Shorewall</a><br>
</li>
<li><a href="traffic_shaping.htm">Traffic Shaping/QOS</a></li>
<li>VPN
<ul>
<li><a href="IPSEC.htm">IPSEC</a></li>
<li><a href="IPIP.htm">GRE and IPIP</a></li>
@ -300,7 +268,6 @@ Proxy with Shorewall</a><br>
<li><a href="VPN.htm">IPSEC/PPTP</a> from a system
behind your firewall to a remote network.</li>
</ul>
</li>
<li><a href="whitelisting_under_shorewall.htm">White
@ -311,11 +278,12 @@ Proxy with Shorewall</a><br>
<p>If you use one of these guides and have a suggestion for improvement <a
href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
<p><font size="2">Last modified 3/12/2003 - <a href="support.htm">Tom Eastep</a></font></p>
<p><font size="2">Last modified 4/112003 - <a href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright 2002, 2003 Thomas M.
Eastep</font></a><br>
</p>
<br>
<br>
</body>
</html>

392
Shorewall-docs/sourceforge_index.htm
View File

@ -1,322 +1,282 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.3</title>
<base target="_self">
<base
target="_self">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="4"
style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c">
<tbody>
<tr>
<td width="100%"
height="90">
<td
width="100%" height="90">
<h1 align="center"> <font size="4"><i> <a
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4"
alt="Shorwall Logo" height="70" width="85" align="left"
src="images/washington.jpg" border="0">
</a></i></font><font
color="#ffffff">Shorewall 1.4 - <font
size="4">"<i>iptables made easy"</i></font></font><a
href="http://www.sf.net"> </a></h1>
<div align="center"><a href="/1.3/index.html" target="_top"><font
color="#ffffff">Shorewall 1.3 Site here</font></a></div>
size="4">"<i>iptables made easy"</i></font></font><br>
<a target="_top" href="1.3/index.html"><font color="#ffffff">
<small><small><small>Shorewall 1.3 Site here</small></small></small></font></a><br>
<a target="_top"
href="http://www1.shorewall.net/1.2/index.htm"><font color="#ffffff"><small><small><small>Shorewall
1.2 Site here<br>
</small></small></small></font></a>
</h1>
</td>
</tr>
</tbody>
</table>
<div align="center">
<center>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody>
<tr>
<td width="90%">
<td
width="90%">
<h2 align="left">What is it?</h2>
<p>The Shoreline Firewall, more commonly known as  "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a> (iptables)
based firewall that can be used on a dedicated firewall
system, a multi-function gateway/router/server or on a standalone
GNU/Linux system.</p>
<p>The Shoreline Firewall, more commonly known as "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a>
(iptables) based firewall that can be used on a dedicated
firewall system, a multi-function gateway/router/server
or on a standalone GNU/Linux system.</p>
<p>This program is free software; you can redistribute it and/or modify
it under the
terms of <a href="http://www.gnu.org/licenses/gpl.html">Version
2 of the GNU General Public License</a> as published by the Free
Software Foundation.<br>
it under
the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the
GNU General Public License</a> as published by the Free Software
Foundation.<br>
<br>
This program is distributed
in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied
warranty of MERCHANTABILITY or FITNESS FOR
A PARTICULAR PURPOSE. See the GNU General Public
License for more details.<br>
This program
is distributed in the hope that it will
be useful, but WITHOUT ANY WARRANTY; without
even the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.<br>
<br>
You should
have received a copy of the GNU General
Public License along with this program;
if not, write to the Free Software Foundation,
Inc., 675 Mass Ave, Cambridge, MA 02139,
USA</p>
You should have received
a copy of the GNU General Public License
along with this program; if not, write
to the Free Software Foundation, Inc., 675
Mass Ave, Cambridge, MA 02139, USA</p>
<p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques
Nilo and Eric Wolzak have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution
called <i>Bering</i> that features
Shorewall-1.3.14 and Kernel-2.4.20. You can find
their work at: <a
Shorewall-1.3.14 and Kernel-2.4.20. You can
find their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
<b>Congratulations
to Jacques and Eric on the recent release of Bering
1.1!!! <br>
<h2>News</h2>
</b>
<p><b>3/24/2003 - Shorewall 1.4.1 </b><b> </b><b><img
<h2><b>News</b></h2>
<b> </b>
<p><b>4/12/2002 - Greater Seattle Linux Users Group Presentation </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
 </b></p>
</b></p>
<p>This release follows up on 1.4.0. It corrects a problem introduced
in 1.4.0 and removes additional warts.<br>
<br>
<b>Problems Corrected:</b><br>
<blockquote> This morning, I gave <a href="GSLUG.htm"
target="_top">a Shorewall presentation to GSLUG</a>. The presentation
is in HTML format but was generated from Microsoft PowerPoint and is best
viewed using Internet Explorer although Konqueror also seems to work reasonably
well. Neither Opera or Netscape work well to view the presentation.</blockquote>
<p><b>4/9/2003 - Shorewall 1.4.2</b><b> </b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b><br>
</p>
<p><b>    Problems Corrected:</b></p>
<blockquote>
<ol>
<li>When Shorewall 1.4.0 is run under the ash shell (such as on Bering/LEAF),
it can attempt to add ECN disabling rules even if the /etc/shorewall/ecn file
is empty. That problem has been corrected so that ECN disabling rules are
only added if there are entries in /etc/shorewall/ecn.</li>
<li>TCP connection requests rejected out of the <b>common</b>
chain are now properly rejected with TCP RST; previously, some of these requests
were rejected with an ICMP port-unreachable response.</li>
<li>'traceroute -I' from behind the firewall previously timed
out on the first hop (e.g., to the firewall). This has been worked around.</li>
</ol>
<b>New Features:</b><br>
<blockquote>Note: In the list that follows, the term <i>group </i>refers
to a particular network or subnetwork (which may be 0.0.0.0/0 or it may be
a host address) accessed through a particular interface. Examples:<br>
<blockquote>eth0:0.0.0.0/0<br>
eth2:192.168.1.0/24<br>
eth3:192.0.2.123<br>
</blockquote>
You can use the "shorewall check" command to see the groups associated with
each of your zones.<br>
</blockquote>
<p><b>    New Features:</b></p>
<blockquote>
<ol>
<li>Beginning with Shorewall 1.4.1, if a zone Z comprises more than
one group<i> </i>then if there is no explicit Z to Z policy and there are
no rules governing traffic from Z to Z then Shorewall will permit all traffic
between the groups in the zone.</li>
<li>Beginning with Shorewall 1.4.1, Shorewall will never create rules
to handle traffic from a group to itself.</li>
<li>A NONE policy is introduced in 1.4.1. When a policy of NONE is
specified from Z1 to Z2:</li>
<li>Where an entry in the/etc/shorewall/hosts file specifies
a particular host or network, Shorewall now creates an intermediate chain
for handling input from the related zone. This can substantially reduce
the number of rules traversed by connections requests from such zones.<br>
<br>
</li>
<li>Any file may include an INCLUDE directive. An INCLUDE directive
consists of the word INCLUDE followed by a file name and causes the contents
of the named file to be logically included into the file containing the
INCLUDE. File names given in an INCLUDE directive are assumed to reside
in /etc/shorewall or in an alternate configuration directory if one has
been specified for the command. <br>
 <br>
   Examples:<br>
   shorewall/params.mgmt:<br>
   MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3<br>
   TIME_SERVERS=4.4.4.4<br>
   BACKUP_SERVERS=5.5.5.5<br>
   ----- end params.mgmt -----<br>
 <br>
 <br>
   shorewall/params:<br>
   # Shorewall 1.3 /etc/shorewall/params<br>
   [..]<br>
   #######################################<br>
 <br>
   INCLUDE params.mgmt    <br>
  <br>
   # params unique to this host here<br>
   #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE<br>
   ----- end params -----<br>
 <br>
 <br>
   shorewall/rules.mgmt:<br>
   ACCEPT net:$MGMT_SERVERS          $FW    tcp    22<br>
   ACCEPT $FW          net:$TIME_SERVERS    udp    123<br>
   ACCEPT $FW          net:$BACKUP_SERVERS  tcp    22<br>
   ----- end rules.mgmt -----<br>
 <br>
   shorewall/rules:<br>
   # Shorewall version 1.3 - Rules File<br>
   [..]<br>
   #######################################<br>
 <br>
   INCLUDE rules.mgmt     <br>
  <br>
   # rules unique to this host here<br>
   #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE<br>
   ----- end rules -----<br>
 <br>
INCLUDE's may be nested to a level of 3 -- further nested INCLUDE directives
are ignored with a warning message.<br>
<br>
</li>
<li>Routing traffic from an interface back out that interface
continues to be a problem. While I firmly believe that this should never
happen, people continue to want to do it. To limit the damage that such
nonsense produces, I have added a new 'routeback' option in /etc/shorewall/interfaces
and /etc/shorewall/hosts. When used in /etc/shorewall/interfaces, the 'ZONE'
column may not contain '-'; in other words, 'routeback' can't be used as
an option for a multi-zone interface. The 'routeback' option CAN be specified
however on individual group entries in /etc/shorewall/hosts.<br>
 <br>
The 'routeback' option is similar to the old 'multi' option with two
exceptions:<br>
 <br>
   a) The option pertains to a particular zone,interface,address tuple.<br>
 <br>
   b) The option only created infrastructure to pass traffic from (zone,interface,address)
tuples back to themselves (the 'multi' option affected all (zone,interface,address)
tuples associated with the given 'interface').<br>
 <br>
See the '<a href="upgrade_issues.htm">Upgrade Issues</a>' for information
about how this new option may affect your configuration.<br>
</li>
</ol>
</blockquote>
<ul>
<li>There may be no rules created that govern connections from Z1
to Z2.</li>
<li>Shorewall will not create any infrastructure to handle traffic
from Z1 to Z2.</li>
</ul>
See the <a href="upgrade_issues.htm">upgrade issues</a> for a discussion
of how these changes may affect your configuration.
<p><a href="News.htm">More News</a></p>
<p><a href="file:///Z:/Shorewall-docs/News.htm"></a></p>
<b> </b>
<p><b><a href="News.htm">More News</a></b></p>
<b> </b>
<h2><b> </b></h2>
<b> </b>
<h2> </h2>
<h1 align="center"><a href="http://www.sf.net"><img align="left"
alt="SourceForge Logo"
<h1 align="center"><b><a href="http://www.sf.net"><img
align="left" alt="SourceForge Logo"
src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3">
</a></h1>
</a></b></h1>
<b> </b>
<h4><b> </b></h4>
<b> </b>
<h2><b>This site is hosted by the generous folks at <a
href="http://www.sf.net">SourceForge.net</a> </b></h2>
<b> </b>
<h4> </h4>
<h2>This site is hosted by the generous folks at <a
href="http://www.sf.net">SourceForge.net</a> </h2>
<h2><a name="Donations"></a>Donations</h2>
<h2><b><a name="Donations"></a>Donations</b></h2>
<b> </b></td>
<td
width="88" bgcolor="#4b017c" valign="top" align="center"> <br>
</td>
<td width="88"
bgcolor="#4b017c" valign="top" align="center"> <br>
</td>
</tr>
</tbody>
</table>
</center>
</div>
<table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c">
<tbody>
<tr>
<td width="100%"
style="margin-top: 1px;">
<td
width="100%" style="margin-top: 1px;">
<p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10">
</a></p>
<p align="center"><font size="4" color="#ffffff">Shorewall is free
but if you try it and find it useful, please consider making a donation
to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight
Children's Foundation.</font></a> Thanks!</font></p>
href="http://www.starlight.org"><font color="#ffffff">Starlight Children's
Foundation.</font></a> Thanks!</font></p>
</td>
</tr>
</tbody>
</table>
<p><font size="2">Updated 3/21/2003 - <a href="support.htm">Tom Eastep</a></font>
<p><font size="2">Updated 4/12/2003 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
<br>
<br>
<br>
<br>
</body>
</html>

66
Shorewall-docs/standalone.htm
View File

@ -61,8 +61,8 @@
    If you edit your configuration files on a Windows system, you
must save them as Unix files if your editor supports that option or you
must run them through dos2unix before trying to use them. Similarly, if
you copy a configuration file from your Windows hard drive to a floppy
disk, you must run dos2unix against the copy before using it with Shorewall.</p>
you copy a configuration file from your Windows hard drive to a floppy disk,
you must run dos2unix against the copy before using it with Shorewall.</p>
<ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
@ -77,21 +77,21 @@ disk, you must run dos2unix against the copy before using it with Shorewall.</p
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
alt="">
    The configuration files for Shorewall are contained in the directory
/etc/shorewall -- for simple setups, you only need to deal with a few
of these as described in this guide. After you have <a
/etc/shorewall -- for simple setups, you only need to deal with a few of
these as described in this guide. After you have <a
href="Install.htm">installed Shorewall</a>, <b>download the <a
href="/pub/shorewall/LATEST.samples/one-interface.tgz">one-interface sample</a>,
un-tar it (tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewall
(they will replace files with the same names that were placed in /etc/shorewall
during Shorewall installation)</b>.</p>
href="http://www.shorewall.net/pub/shorewall/LATEST.samples/one-interface.tgz">one-interface
sample</a>, un-tar it (tar -zxvf one-interface.tgz) and and copy the files
to /etc/shorewall (they will replace files with the same names that were
placed in /etc/shorewall during Shorewall installation)</b>.</p>
<p>As each file is introduced, I suggest that you look through the actual
file on your system -- each file contains detailed configuration instructions
and default entries.</p>
<p>Shorewall views the network where it is running as being composed of a
set of <i>zones.</i> In the one-interface sample configuration, only
one zone is defined:</p>
set of <i>zones.</i> In the one-interface sample configuration, only one
zone is defined:</p>
<table border="0" style="border-collapse: collapse;" cellpadding="3"
cellspacing="0" id="AutoNumber2">
@ -132,8 +132,8 @@ one zone is defined:</p>
the request is first checked against the rules in /etc/shorewall/common
(the samples provide that file for you).</p>
<p>The /etc/shorewall/policy file included with the one-interface sample
has the following policies:</p>
<p>The /etc/shorewall/policy file included with the one-interface sample has
the following policies:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -177,8 +177,8 @@ has the following policies:</p>
<ol>
<li>allow all connection requests from the firewall to the internet</li>
<li>drop (ignore) all connection requests from the internet to your
firewall</li>
<li>drop (ignore) all connection requests from the internet to
your firewall</li>
<li>reject all other connection requests (Shorewall requires this
catchall policy).</li>
@ -191,21 +191,21 @@ has the following policies:</p>
<p align="left">The firewall has a single network interface. Where Internet
connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
will be the ethernet adapter (<b>eth0</b>) that is connected to that
"Modem"  <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint
<u>P</u>rotocol over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint
<u>T</u>unneling <u>P</u>rotocol </i>(PPTP) in which case the External
Interface will be a <b>ppp0</b>. If you connect via a regular modem, your
External Interface will also be <b>ppp0</b>. If you connect using ISDN,
your external interface will be<b> ippp0.</b></p>
will be the ethernet adapter (<b>eth0</b>) that is connected to that "Modem" 
<u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol
over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling
<u>P</u>rotocol </i>(PPTP) in which case the External Interface will be
a <b>ppp0</b>. If you connect via a regular modem, your External Interface
will also be <b>ppp0</b>. If you connect using ISDN, your external interface
will be<b> ippp0.</b></p>
<p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
height="13">
    The Shorewall one-interface sample configuration assumes that
the external interface is <b>eth0</b>. If your configuration is different,
    The Shorewall one-interface sample configuration assumes that the
external interface is <b>eth0</b>. If your configuration is different,
you will have to modify the sample /etc/shorewall/interfaces file accordingly.
While you are there, you may wish to review the list of options that
are specified for the interface. Some hints:</p>
While you are there, you may wish to review the list of options that are
specified for the interface. Some hints:</p>
<ul>
<li>
@ -214,8 +214,8 @@ are specified for the interface. Some hints:</p>
</li>
<li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>
or if you have a static IP address, you can remove "dhcp" from the
option list. </p>
or if you have a static IP address, you can remove "dhcp" from the option
list. </p>
</li>
</ul>
@ -284,8 +284,8 @@ should remove the 'norfc1918' option from the entry in /etc/shorewall/interf
</div>
<div align="left">
<p align="left">Example - You want to run a Web Server and a POP3 Server
on your firewall system:</p>
<p align="left">Example - You want to run a Web Server and a POP3 Server on
your firewall system:</p>
</div>
<div align="left">
@ -327,8 +327,8 @@ on your firewall system:</p>
</div>
<div align="left">
<p align="left">If you don't know what port and protocol a particular
application uses, see <a href="ports.htm">here</a>.</p>
<p align="left">If you don't know what port and protocol a particular application
uses, see <a href="ports.htm">here</a>.</p>
</div>
<div align="left">
@ -384,7 +384,8 @@ application uses, see <a href="ports.htm">here</a>.</p>
your system to start Shorewall at system boot but beginning with Shorewall
version 1.3.9 startup is disabled so that your system won't try to start
Shorewall before configuration is complete. Once you have completed configuration
of your firewall, you can enable Shorewall startup by removing the file /etc/shorewall/startup_disabled.<br>
of your firewall, you can enable Shorewall startup by removing the file
/etc/shorewall/startup_disabled.<br>
</p>
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Users of the .deb
@ -425,5 +426,6 @@ Thomas M. Eastep</font></a></p>
<br>
<br>
<br>
<br>
</body>
</html>

362
Shorewall-docs/standalone_fr.html
View File

@ -1,14 +1,19 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Standalone Firewall</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber6" bgcolor="#400169" height="90">
@ -18,75 +23,91 @@
<h1 align="center"><font color="#ffffff">Standalone Firewall</font></h1>
</td>
</tr>
</tbody>
</table>
<h2 align="center">Version 2.0.1 Française</h2>
<p align="left"><small><i><u>Notes du traducteur</u> :<br>
Je ne prétends pas être un vrai traducteur dans le sens ou mon travail
n'est pas des plus précis (loin de là...). Je ne me suis pas attaché à
une traduction exacte du texte, mais plutôt à en faire une version
française intelligible par tous (et par moi). Les termes techniques sont
la plupart du temps conservés sous leur forme originale et mis entre
parenthèses car vous pouvez les retrouver dans le reste des
documentations ainsi que dans les fichiers de configuration. N?hésitez
pas à me contacter afin d?améliorer ce document <a
href="mailto:vetsel.patrice@wanadoo.fr">VETSEL Patrice</a> (merci à JMM
pour sa relecture et ses commentaires pertinents, ainsi qu'à Tom EASTEP
pour son formidable outil et sa disponibilité)</i><i>.</i></small></p>
<p align="left">Mettre en place un système Linux en tant que firewall
(écluse) pour un petit réseau est une chose assez simple, si vous
comprenez les bases et suivez la documentation.</p>
<p>Ce guide ne veut pas vous apprendre tous les rouages de Shorewall.
Il se focalise sur ce qui est nécessaire pour configurer Shorewall, dans
son utilisation la plus courante :</p>
Je ne prétends pas être un vrai traducteur dans le sens ou mon travail n'est
pas des plus précis (loin de là...). Je ne me suis pas attaché à une traduction
exacte du texte, mais plutôt à en faire une version française intelligible
par tous (et par moi). Les termes techniques sont la plupart du temps conservés
sous leur forme originale et mis entre parenthèses car vous pouvez les retrouver
dans le reste des documentations ainsi que dans les fichiers de configuration.
N?hésitez pas à me contacter afin d?améliorer ce document <a
href="mailto:vetsel.patrice@wanadoo.fr">VETSEL Patrice</a> (merci à JMM pour
sa relecture et ses commentaires pertinents, ainsi qu'à Tom EASTEP pour son
formidable outil et sa disponibilité)</i><i>.</i></small></p>
<p align="left">Mettre en place un système Linux en tant que firewall (écluse)
pour un petit réseau est une chose assez simple, si vous comprenez les bases
et suivez la documentation.</p>
<p>Ce guide ne veut pas vous apprendre tous les rouages de Shorewall. Il
se focalise sur ce qui est nécessaire pour configurer Shorewall, dans son
utilisation la plus courante :</p>
<ul>
<li>Un système Linux</li>
<li>Une seule adresse IP externe</li>
<li>Une connexion passant par un modem câble, ADSL, ISDN, Frame
Relay, rtc...</li>
<li>Une connexion passant par un modem câble, ADSL, ISDN, Frame Relay,
rtc...</li>
</ul>
<p>Ce guide suppose que vous avez le paquet iproute/iproute2
d'installé. Vous pouvez voir si le paquet est installé en vérifiant la
présence du programme ip sur votre système de firewall. Sous root,
utilisez la commande 'which' pour rechercher le programme :</p>
<p>Ce guide suppose que vous avez le paquet iproute/iproute2 d'installé.
Vous pouvez voir si le paquet est installé en vérifiant la présence du programme
ip sur votre système de firewall. Sous root, utilisez la commande 'which'
pour rechercher le programme :</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
<p>Je vous recommande dans un premier temps de parcourir tout le guide
pour vous familiariser avec ce qu'il va se passer, et de revenir au
début en effectuant le changements dans votre configuration. Les points,
où les changements dans la configuration sont recommandées, sont
signalés par une <img border="0" src="images/BD21298_.gif" width="13"
height="13"> .</p>
<p><img border="0" src="images/j0213519.gif" width="60" height="60"> Si
vous éditez vos fichiers de configuration sur un système Windows, vous
devez les sauver comme des fichiers Unix si votre éditeur supporte cette
option sinon vous devez les faire passer par dos2unix avant d'essayer de
les utiliser. De la même manière, si vous copiez un fichier de
configuration depuis votre disque dur Windows vers une disquette, vous
devez lancer dos2unix sur la copie avant de l'utiliser avec Shorewall.</p>
<p>Je vous recommande dans un premier temps de parcourir tout le guide pour
vous familiariser avec ce qu'il va se passer, et de revenir au début en effectuant
le changements dans votre configuration. Les points, où les changements dans
la configuration sont recommandées, sont signalés par une <img
border="0" src="images/BD21298_.gif" width="13" height="13">
.</p>
<p><img border="0" src="images/j0213519.gif" width="60" height="60">
Si vous éditez vos fichiers de configuration sur un système Windows, vous
devez les sauver comme des fichiers Unix si votre éditeur supporte cette option
sinon vous devez les faire passer par dos2unix avant d'essayer de les utiliser.
De la même manière, si vous copiez un fichier de configuration depuis votre
disque dur Windows vers une disquette, vous devez lancer dos2unix sur la
copie avant de l'utiliser avec Shorewall.</p>
<ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
of dos2unix</a></li>
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
Version of dos2unix</a></li>
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version
of dos2unix</a></li>
</ul>
<h2 align="left">Les Concepts de Shorewall</h2>
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
alt=""> Les fichiers de configuration pour Shorewall sont situés dans
le répertoire /etc/shorewall -- pour de simples paramétrages, vous
n'avez à faire qu'avec quelques un d'entre eux comme décris dans ce
guide. Après avoir <a href="Install.htm">installé Shorewall</a>, <b>téléchargez
le <a href="/pub/shorewall/LATEST.samples/one-interface.tgz">one-interface
sample</a>, un-tarez le (tar -zxvf one-interface.tgz) et copiez les
fichiers vers /etc/shorewall (Ils remplaceront les fichiers de même nom
déjà existant dans /etc/shorewall installés lors de l'installation de
Shorewall)</b>.</p>
<p>Parallèlement à la description, je vous suggère de jeter un oeil à
ceux physiquement présents sur votre système -- chacun des fichiers
contient des instructions de configuration détaillées et des entrées par
défaut.</p>
<p>Shorewall voit le réseau où il tourne comme composé par un ensemble
de <i>zones.</i> Dans les fichiers de configuration fournis pour une
unique interface, une seule zone est définie :</p>
alt="">
Les fichiers de configuration pour Shorewall sont situés dans le répertoire
/etc/shorewall -- pour de simples paramétrages, vous n'avez à faire qu'avec
quelques un d'entre eux comme décris dans ce guide. Après avoir <a
href="Install.htm">installé Shorewall</a>, <b>téléchargez le <a
href="http://france.shorewall.net/pub/shorewall/LATEST.samples/one-interface.tgz">one-interface
sample</a>, un-tarez le (tar -zxvf one-interface.tgz) et copiez les fichiers
vers /etc/shorewall (Ils remplaceront les fichiers de même nom déjà existant
dans /etc/shorewall installés lors de l'installation de Shorewall)</b>.</p>
<p>Parallèlement à la description, je vous suggère de jeter un oeil à ceux
physiquement présents sur votre système -- chacun des fichiers contient des
instructions de configuration détaillées et des entrées par défaut.</p>
<p>Shorewall voit le réseau où il tourne comme composé par un ensemble de
<i>zones.</i> Dans les fichiers de configuration fournis pour une unique
interface, une seule zone est définie :</p>
<table border="0" style="border-collapse: collapse;" cellpadding="3"
cellspacing="0" id="AutoNumber2">
<tbody>
@ -98,30 +119,39 @@ unique interface, une seule zone est d
<td><b>net</b></td>
<td><b>The Internet</b></td>
</tr>
</tbody>
</table>
<p>Les zones de Shorewall sont définies dans <a
href="Documentation.htm#Zones"> /etc/shorewall/zones</a>.</p>
<p>Shorewall reconnaît aussi le système de firewall comme sa propre
zone - par défaut, le firewall lui-même est connu en tant que <b>fw</b>.</p>
<p>Les règles concernant le trafic à autoriser ou à interdire sont
exprimées en utilisant les termes de zones.</p>
<p>Shorewall reconnaît aussi le système de firewall comme sa propre zone
- par défaut, le firewall lui-même est connu en tant que <b>fw</b>.</p>
<p>Les règles concernant le trafic à autoriser ou à interdire sont exprimées
en utilisant les termes de zones.</p>
<ul>
<li>Vous exprimez les politiques par défaut pour les connexions d'une
zone à une autre dans le fichier<a href="Documentation.htm#Policy">
/etc/shorewall/policy </a>.</li>
<li>Vous définissez les exceptions à ces règles de politiques par
défaut dans le fichier <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
<li>Vous exprimez les politiques par défaut pour les connexions d'une zone
à une autre dans le fichier<a href="Documentation.htm#Policy"> /etc/shorewall/policy
</a>.</li>
<li>Vous définissez les exceptions à ces règles de politiques par défaut
dans le fichier <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
</ul>
<p>Pour chacune des demandes de connexion entrantes dans le firewall,
les demandes sont en premier lieu comparées par rapport au fichier
/etc/shorewall/rules. Si aucune des règles dans ce fichier ne
correspondent, alors la première politique dans /etc/shorewall/policy
qui y correspond est appliquée. Si cette politique est REJECT ou DROP la
requête est alors comparée par rapport aux règles contenues dans
/etc/shorewall/common (l'archive d'exemple vous fournit ce fichier).</p>
<p>Le fichier /etc/shorewall/policy d'exemple contenu dans l'archive
one-interface a les politiques suivantes :</p>
<p>Pour chacune des demandes de connexion entrantes dans le firewall, les
demandes sont en premier lieu comparées par rapport au fichier /etc/shorewall/rules.
Si aucune des règles dans ce fichier ne correspondent, alors la première
politique dans /etc/shorewall/policy qui y correspond est appliquée. Si cette
politique est REJECT ou DROP la requête est alors comparée par rapport aux
règles contenues dans /etc/shorewall/common (l'archive d'exemple vous fournit
ce fichier).</p>
<p>Le fichier /etc/shorewall/policy d'exemple contenu dans l'archive one-interface
a les politiques suivantes :</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber3">
@ -159,80 +189,95 @@ one-interface a les politiques suivantes :</p>
<td> <br>
</td>
</tr>
</tbody>
</table>
</blockquote>
<pre> </pre>
Ces politiques vont :
<ol>
<li>permettre toutes demandes de connexion depuis le firewall vers
l'Internet</li>
<li>drop (ignorer) toutes les demandes de connexion depuis l'Internet
vers votre firewall</li>
<li>rejeter toutes les autres requêtes de connexion (Shorewall à
besoin de cette politique).</li>
<li>permettre toutes demandes de connexion depuis le firewall vers l'Internet</li>
<li>drop (ignorer) toutes les demandes de connexion depuis l'Internet vers
votre firewall</li>
<li>rejeter toutes les autres requêtes de connexion (Shorewall à besoin
de cette politique).</li>
</ol>
<p>A ce point, éditez votre /etc/shorewall/policy et faites y les
changements que vous désirez.</p>
<p>A ce point, éditez votre /etc/shorewall/policy et faites y les changements
que vous désirez.</p>
<h2 align="left">Interface Externe</h2>
<p align="left">Le firewall possède une seule interface réseau. Lorsque
la connexion Internet passe par un modem câble ou par un routeur ADSL
(pas un simple modem), l'<i>External Interface</i> (interface externe)
sera l'adaptateur ethernet (<b>eth0</b>) qui y est connecté <u>à moins
que</u> vous vous connectiez par <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol
over <u>E</u>thernet</i> (PPPoE) ou <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling<u>P</u>rotocol</i>(PPTP)
dans ce cas l'interface externe sera <b>ppp0</b>. Si vous vous
connectez par un simple modem (RTC), votre interface externe sera aussi <b>ppp0</b>.
Si vous vous connectez en utilisant l'ISDN (numéris), votre interface
externe sera<b> ippp0.</b></p>
<p align="left">Le firewall possède une seule interface réseau. Lorsque la
connexion Internet passe par un modem câble ou par un routeur ADSL (pas un
simple modem), l'<i>External Interface</i> (interface externe) sera l'adaptateur
ethernet (<b>eth0</b>) qui y est connecté <u>à moins que</u> vous vous connectiez
par <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol over <u>E</u>thernet</i>
(PPPoE) ou <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling<u>P</u>rotocol</i>(PPTP)
dans ce cas l'interface externe sera <b>ppp0</b>. Si vous vous connectez
par un simple modem (RTC), votre interface externe sera aussi <b>ppp0</b>.
Si vous vous connectez en utilisant l'ISDN (numéris), votre interface externe
sera<b> ippp0.</b></p>
<p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
height="13"> L'exemple de configuration de Shorewall pour une interface
suppose que votre interface externe est <b>eth0</b>. Si votre
configuration est différente, vous devrez modifier le fichier d'exemple
/etc/shorewall/interfaces en conséquence. Puisque vous y êtes, vous
pourriez parcourir la liste d'options qui sont spécifiées pour
l'interface. Quelques astuces :</p>
height="13">
L'exemple de configuration de Shorewall pour une interface suppose que votre
interface externe est <b>eth0</b>. Si votre configuration est différente,
vous devrez modifier le fichier d'exemple /etc/shorewall/interfaces en conséquence.
Puisque vous y êtes, vous pourriez parcourir la liste d'options qui sont
spécifiées pour l'interface. Quelques astuces :</p>
<ul>
<li>
<p align="left">Si votre interface externe est <b>ppp0</b> ou <b>ippp0</b>,
vous pouvez remplacer le "detect" dans la seconde colonne par un
"-". </p>
vous pouvez remplacer le "detect" dans la seconde colonne par un "-".
</p>
</li>
<li>
<p align="left"> Si votre interface externe est <b>ppp0</b> ou <b>ippp0</b>
ou bien si vous avez une adresse IP statique, vous pouvez enlever le
"dhcp" de la liste d'option. </p>
ou bien si vous avez une adresse IP statique, vous pouvez enlever le "dhcp"
de la liste d'option. </p>
</li>
</ul>
<div align="left">
<h2 align="left">Adresse IP</h2>
</div>
<div align="left">
<p align="left">La RFC 1918 définie plusieurs plage d'adresses IP
privée (<i>Private</i>IP) pour l'utilisation dans des réseaux privés :</p>
<p align="left">La RFC 1918 définie plusieurs plage d'adresses IP privée
(<i>Private</i>IP) pour l'utilisation dans des réseaux privés :</p>
<div align="left">
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
</div>
<p align="left">Ces adresses sont parfois désignées comme étant <i>non-routables</i>
car les routeurs sur les backbones Internet ne font pas passer les
paquets dont les adresses de destinations sont définies dans la RFC
1918. Dans certains cas, les fournisseurs (provider ou ISP) utilisent
ces adresses et utilisent le <i>Network Address Translation </i>afin
de récrire les entêtes des paquets lorsqu'ils les font circuler depuis
ou vers l'Internet.</p>
car les routeurs sur les backbones Internet ne font pas passer les paquets
dont les adresses de destinations sont définies dans la RFC 1918. Dans certains
cas, les fournisseurs (provider ou ISP) utilisent ces adresses et utilisent
le <i>Network Address Translation </i>afin de récrire les entêtes des paquets
lorsqu'ils les font circuler depuis ou vers l'Internet.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" align="left"
width="13" height="13"> Avant de lancer Shorewall, vous devriez
regarder l'adresse de votre interface externe et si elle est comprise
dans une des plages précédentes, vous devriez enlever l'option
'norfc1918' dans le fichier /etc/shorewall/interfaces.</p>
width="13" height="13">
Avant de lancer Shorewall, vous devriez regarder l'adresse de votre interface
externe et si elle est comprise dans une des plages précédentes, vous devriez
enlever l'option 'norfc1918' dans le fichier /etc/shorewall/interfaces.</p>
</div>
<div align="left">
<h2 align="left">Permettre d'autres connexions</h2>
</div>
<div align="left">
<p align="left">Si vous désirez autoriser d'autres connexions depuis
l'Internet vers votre firewall, le format général est :</p>
<p align="left">Si vous désirez autoriser d'autres connexions depuis l'Internet
vers votre firewall, le format général est :</p>
</div>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -258,14 +303,17 @@ l'Internet vers votre firewall, le format g
<td> <br>
</td>
</tr>
</tbody>
</table>
</blockquote>
</div>
<div align="left">
<p align="left">Exemple - Vous voulez faire tourner un serveur Web et
un serveur POP3 sur votre système de firewall :</p>
<p align="left">Exemple - Vous voulez faire tourner un serveur Web et un
serveur POP3 sur votre système de firewall :</p>
</div>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -302,20 +350,24 @@ un serveur POP3 sur votre syst
<td> <br>
</td>
</tr>
</tbody>
</table>
</blockquote>
</div>
<div align="left">
<p align="left">Si vous ne savez pas quel port ou protocole une
application particulière utilise, regardez <a href="ports.htm">ici</a>.</p>
<p align="left">Si vous ne savez pas quel port ou protocole une application
particulière utilise, regardez <a href="ports.htm">ici</a>.</p>
</div>
<div align="left">
<p align="left"><b>Important: </b>Je ne vous recommande pas
d'autoriser le telnet depuis ou vers l'Internet car il utilise du texte
en clair (même pour le login et le mot de passe !). Si vous voulez avoir
un accès au shell de votre firewall depuis Internet, utilisez SSH :</p>
<p align="left"><b>Important: </b>Je ne vous recommande pas d'autoriser le
telnet depuis ou vers l'Internet car il utilise du texte en clair (même pour
le login et le mot de passe !). Si vous voulez avoir un accès au shell de
votre firewall depuis Internet, utilisez SSH :</p>
</div>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -341,61 +393,71 @@ un acc
<td> <br>
</td>
</tr>
</tbody>
</table>
</blockquote>
</div>
<div align="left">
<pre> ACCEPT net fw tcp 22</pre>
</div>
<div align="left">
<p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
height="13"> A ce point, éditez /etc/shorewall/rules pour rajouter
les autres connexions désirées.</p>
height="13">
A ce point, éditez /etc/shorewall/rules pour rajouter les autres connexions
désirées.</p>
</div>
<div align="left">
<h2 align="left">Lancer et Arrêter son Firewall</h2>
</div>
<div align="left">
<p align="left"> <img border="0" src="images/BD21298_2.gif" width="13"
height="13" alt="Arrow"> La <a href="Install.htm">procédure
d'installation </a> configure votre système pour lancer Shorewall au
boot du système, mais au début avec la version 1.3.9 de Shorewall le
lancement est désactivé, n'essayer pas de lancer Shorewall avec que la
configuration soit finie. Une fois que vous en aurez fini avec la
configuration du firewall, vous pouvez permettre le lancement de
Shorewall en supprimant le fichier /etc/shorewall/startup_disabled.<br>
height="13" alt="Arrow">
La <a href="Install.htm">procédure d'installation </a> configure votre système
pour lancer Shorewall au boot du système, mais au début avec la version 1.3.9
de Shorewall le lancement est désactivé, n'essayer pas de lancer Shorewall
avec que la configuration soit finie. Une fois que vous en aurez fini avec
la configuration du firewall, vous pouvez permettre le lancement de Shorewall
en supprimant le fichier /etc/shorewall/startup_disabled.<br>
</p>
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Les
utilisateurs des paquets .deb doivent éditer /etc/default/shorewall et
mettre 'startup=1'.</font><br>
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Les utilisateurs
des paquets .deb doivent éditer /etc/default/shorewall et mettre 'startup=1'.</font><br>
</p>
</div>
<div align="left">
<p align="left">Le firewall est activé en utilisant la commande
"shorewall start" et arrêté avec "shorewall stop". Lorsque le firewall
est stoppé, le routage est autorisé sur les hôtes qui possèdent une
entrée dans <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Un firewall qui tourne peut être relancé en utilisant la commande
"shorewall restart". Si vous voulez enlever toutes traces de Shorewall
sur votre configuration de Netfilter, utilisez "shorewall clear".</p>
<p align="left">Le firewall est activé en utilisant la commande "shorewall
start" et arrêté avec "shorewall stop". Lorsque le firewall est stoppé, le
routage est autorisé sur les hôtes qui possèdent une entrée dans <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. Un
firewall qui tourne peut être relancé en utilisant la commande "shorewall
restart". Si vous voulez enlever toutes traces de Shorewall sur votre configuration
de Netfilter, utilisez "shorewall clear".</p>
</div>
<div align="left">
<p align="left"><b>ATTENTION: </b>Si vous êtes connecté à votre
firewall depuis Internet, n'essayez pas une commande "shorewall stop"
tant que vous n'avez pas ajouté une entrée pour votre adresse IP (celle
à partir de laquelle vous êtes connectée) dans <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
De la même manière, je ne vous recommande pas d'utiliser "shorewall
restart"; il est plus intéressant de créer une <i><a
<p align="left"><b>ATTENTION: </b>Si vous êtes connecté à votre firewall
depuis Internet, n'essayez pas une commande "shorewall stop" tant que vous
n'avez pas ajouté une entrée pour votre adresse IP (celle à partir de laquelle
vous êtes connectée) dans <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
De la même manière, je ne vous recommande pas d'utiliser "shorewall restart";
il est plus intéressant de créer une <i><a
href="configuration_file_basics.htm#Configs">configuration alternative</a></i>
et de la tester en utilisant la commande <a
href="starting_and_stopping_shorewall.htm">"shorewall try"</a>.</p>
</div>
<p align="left"><font size="2">Last updated 12/9/2002 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002
Thomas M. Eastep</font></a></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas
M. Eastep</font></a></p>
<br>
<br>
<br>
<br>

163
Shorewall-docs/support.htm
View File

@ -2,73 +2,57 @@
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall Support Guide</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<td
width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Support Guide<img
src="images/obrasinf.gif" alt="" width="90" height="90" align="middle">
</font></h1>
</td>
</tr>
</tbody>
</table>
<h2>Before Reporting a Problem or Asking a Question<br>
</h2>
There are a number
of sources of Shorewall information. Please try these before you post.
of sources of Shorewall information. Please try these before you
post.
<ul>
<li>More than half of the questions posted
on the support list have answers directly accessible from the
<a href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a><br>
<li>More than half of the questions
posted on the support list have answers directly accessible from
the <a href="shorewall_quickstart_guide.htm#Documentation">Documentation
Index</a><br>
</li>
<li> The <a
href="FAQ.htm">FAQ</a> has solutions to more than 20 common problems.
</li>
<li> The
<a href="FAQ.htm">FAQ</a> has solutions to more than 20 common
problems. </li>
<li> The <a
href="troubleshoot.htm">Troubleshooting</a> Information contains
a number of tips to help you solve common problems.
</li>
<li> The <a
href="errata.htm"> Errata</a> has links to download updated
components. </li>
<li> The Site and Mailing
List Archives search facility can locate documents and posts
about similar problems: </li>
<li> The Site and
Mailing List Archives search facility can locate documents and
posts about similar problems: </li>
</ul>
<h2>Site and Mailing List Archive Search</h2>
<blockquote>
@ -110,29 +94,28 @@
<h2>Problem Reporting Guidelines<br>
</h2>
<ul>
<li>Please remember we only know what is posted
in your message. Do not leave out any information that appears
to be correct, or was mentioned in a previous post. There have been
countless posts by people who were sure that some part of their
configuration was correct when it actually contained a small error.
We tend to be skeptics where detail is lacking.<br>
to be correct, or was mentioned in a previous post. There have
been countless posts by people who were sure that some part of
their configuration was correct when it actually contained a small
error. We tend to be skeptics where detail is lacking.<br>
<br>
</li>
<li>Please keep in mind that you're asking for
<strong>free</strong> technical support. Any help we offer
is an act of generosity, not an obligation. Try to make it easy
for us to help you. Follow good, courteous practices in writing
<li>Please keep in mind that you're asking
for <strong>free</strong> technical support. Any help we
offer is an act of generosity, not an obligation. Try to make it
easy for us to help you. Follow good, courteous practices in writing
and formatting your e-mail. Provide details that we need if you expect
good answers. <em>Exact quoting </em> of error messages, log entries,
command output, and other output is better than a paraphrase or summary.<br>
<br>
</li>
<li> Please
don't describe your environment and then ask us to send you
custom configuration files. We're here to answer your
questions but we can't do your job for you.<br>
don't describe your environment and then ask us to send
you custom configuration files. We're here to answer
your questions but we can't do your job for you.<br>
<br>
</li>
<li>When reporting a problem, <strong>ALWAYS</strong>
@ -142,7 +125,6 @@ don't describe your environment and then ask us to send you
<ul>
<ul>
<li>the exact version of Shorewall you are
running.<br>
@ -151,10 +133,8 @@ running.<br>
</b> <br>
</li>
</ul>
<ul>
<li>the exact kernel version you are running<br>
<br>
@ -162,10 +142,8 @@ running.<br>
<br>
</b></font></li>
</ul>
<ul>
<li>the complete, exact output of<br>
<br>
@ -173,10 +151,8 @@ running.<br>
<br>
</b></font></li>
</ul>
<ul>
<li>the complete, exact output of<br>
<br>
@ -184,29 +160,14 @@ running.<br>
<br>
</b></font></li>
</ul>
<ul>
<li>If your kernel is modularized, the exact
output from<br>
<br>
<font color="#009900"><b>lsmod</b></font><br>
<br>
</li>
<li>the exact wording of any <code
style="color: green; font-weight: bold;">ping</code> failure responses<br>
<br>
</li>
<li>If you installed Shorewall using one of the QuickStart
Guides, please indicate which one. <br>
<br>
</li>
<li><b>If you are running Shorewall under Mandrake
using the Mandrake installation of Shorewall, please say so.</b><br>
</li>
</ul>
@ -222,14 +183,28 @@ using the Mandrake installation of Shorewall, please say so.</b><br>
<br>
2. Try the connection that is failing.<br>
<br>
3.<b><font color="#009900"> /sbin/shorewall status &gt; /tmp/status.txt</font></b><br>
3.<b><font color="#009900"> /sbin/shorewall status &gt;
/tmp/status.txt</font></b><br>
<br>
4. Post the /tmp/status.txt file as an attachment.<br>
<br>
</li>
<li>the exact wording of any <code
style="color: green; font-weight: bold;">ping</code> failure responses<br>
<br>
</li>
<li>If you installed Shorewall using one of the QuickStart Guides,
please indicate which one. <br>
<br>
</li>
<li><b>If you are running Shorewall under Mandrake using the Mandrake
installation of Shorewall, please say so.<br>
<br>
</b></li>
</ul>
<li>As a general
matter, please <strong>do not edit the diagnostic information</strong>
<li>As a
general matter, please <strong>do not edit the diagnostic information</strong>
in an attempt to conceal your IP address, netmask, nameserver
addresses, domain name, etc. These aren't secrets, and concealing
them often misleads us (and 80% of the time, a hacker could derive them
@ -238,47 +213,42 @@ addresses, domain name, etc. These aren't secrets, and concealing
<strong></strong></li>
<li>Do you see any "Shorewall" messages ("<b><font
color="#009900">/sbin/shorewall show log</font></b>") when
you exercise the function that is giving you problems? If so,
include the message(s) in your post along with a copy of your /etc/shorewall/interfaces
you exercise the function that is giving you problems? If so, include
the message(s) in your post along with a copy of your /etc/shorewall/interfaces
file.<br>
<br>
</li>
<li>Please include any of the Shorewall configuration files
(especially the /etc/shorewall/hosts file if you have
modified that file) that you think are relevant. If you
include /etc/shorewall/rules, please include /etc/shorewall/policy
modified that file) that you think are relevant. If
you include /etc/shorewall/rules, please include /etc/shorewall/policy
as well (rules are meaningless unless one also knows the policies).<br>
<br>
</li>
<li>If an error occurs when you try to "<font
color="#009900"><b>shorewall start</b></font>", include a
trace (See the <a href="troubleshoot.htm">Troubleshooting</a>
section for instructions).<br>
color="#009900"><b>shorewall start</b></font>", include a trace
(See the <a href="troubleshoot.htm">Troubleshooting</a> section for
instructions).<br>
<br>
</li>
<li><b>The list server limits posts to 120kb so don't post GIFs
of your network layout, etc. to the Mailing
<li><b>The list server limits posts to 120kb so don't post
GIFs of your network layout, etc. to the Mailing
List -- your post will be rejected.</b></li>
</ul>
<blockquote>
The author gratefully acknowleges that the above list was heavily
plagiarized from the excellent LEAF document by <i>Ray</i> <em>Olszewski</em>
found at <a
<blockquote> The author gratefully acknowleges that the above list was
heavily plagiarized from the excellent LEAF document by <i>Ray</i>
<em>Olszewski</em> found at <a
href="http://leaf-project.org/pub/doc/docmanager/docid_1891.html">http://leaf-project.org/pub/doc/docmanager/docid_1891.html</a>.<br>
</blockquote>
<h2>When using the mailing list, please post in plain text</h2>
<blockquote>
A growing number of MTAs serving list subscribers are rejecting
all HTML traffic. At least one MTA has gone so far as to blacklist
shorewall.net "for continuous abuse" because it has been my policy
to allow HTML in list posts!!<br>
<blockquote> A growing number of MTAs serving list subscribers are
rejecting all HTML traffic. At least one MTA has gone so far as to
blacklist shorewall.net "for continuous abuse" because it has been
my policy to allow HTML in list posts!!<br>
<br>
I think that blocking all HTML is a Draconian
way to control spam and that the ultimate losers here are not
@ -291,12 +261,9 @@ have now configured the list server at shorewall.net to strip all HTML
from outgoing posts.<br>
</blockquote>
<h2>Where to Send your Problem Report or to Ask for Help</h2>
<blockquote>
<h4>If you run Shorewall under Bering -- <span
style="font-weight: 400;">please post your question or problem
to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF
@ -306,11 +273,10 @@ Multi Network Firewall (MNF) and you have not purchased an MNF
license from MandrakeSoft then you can post non MNF-specific Shorewall
questions to the </b><a
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
list</a> or to the <a
list</a> or the <a
href="http://www.developercube.com/forum/index.php?c=8">Shorewall Support
Forum</a>. <b>Do not expect to get free MNF support on the list or forum.</b><br>
<p>Otherwise, please post your question or problem to the <a
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
list</a> or to the <a
@ -322,17 +288,11 @@ Forum</a>.<br>
</p>
</blockquote>
<p>For information on other Shorewall mailing lists, go to <a
href="http://lists.shorewall.net/mailing_list.htm">http://lists.shorewall.net/mailing_list.htm</a><br>
</p>
<p align="left"><font size="2">Last Updated 3/17/2003 - Tom Eastep</font></p>
<p align="left"><font size="2">Last Updated 4/10/2003 - Tom Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
@ -341,5 +301,8 @@ Forum</a>.<br>
<br>
<br>
<br>
<br>
<br>
<br>
</body>
</html>

209
Shorewall-docs/three-interface.htm
View File

@ -20,7 +20,6 @@
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Three-Interface Firewall</font></h1>
</td>
</tr>
@ -39,8 +38,8 @@ basics and follow the documentation.</p>
in one of its more popular configurations:</p>
<ul>
<li>Linux system used as a firewall/router for a small local
network.</li>
<li>Linux system used as a firewall/router for a small
local network.</li>
<li>Single public IP address.</li>
<li>DMZ connected to a separate ethernet interface.</li>
<li>Connection through DSL, Cable Modem, ISDN, Frame Relay,
@ -75,16 +74,15 @@ tell if this package is installed by the presence of an <b>ip</b> program
    If you edit your configuration files on a Windows system,
you must save them as Unix files if your editor supports that option
or you must run them through dos2unix before trying to use them. Similarly,
if you copy a configuration file from your Windows hard drive to a
floppy disk, you must run dos2unix against the copy before using it with
Shorewall.</p>
if you copy a configuration file from your Windows hard drive to a floppy
disk, you must run dos2unix against the copy before using it with Shorewall.</p>
<ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows
Version of dos2unix</a></li>
<li><a
href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version
of dos2unix</a></li>
href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version of
dos2unix</a></li>
</ul>
@ -93,17 +91,17 @@ of dos2unix</a></li>
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
alt="">
    The configuration files for Shorewall are contained in the directory
/etc/shorewall -- for simple setups, you will only need to deal with
a few of these as described in this guide. After you have <a
/etc/shorewall -- for simple setups, you will only need to deal with a
few of these as described in this guide. After you have <a
href="Install.htm">installed Shorewall</a>, <b>download the <a
href="/pub/shorewall/LATEST.samples/three-interfaces.tgz">three-interface
href="http://www.shorewall.net/pub/shorewall/LATEST.samples/three-interfaces.tgz">three-interface
sample</a>, un-tar it (tar -zxvf three-interfaces.tgz) and and copy
the files to /etc/shorewall (the files will replace files with the
same names that were placed in /etc/shorewall when Shorewall was installed)</b>.</p>
the files to /etc/shorewall (the files will replace files with the same
names that were placed in /etc/shorewall when Shorewall was installed)</b>.</p>
<p>As each file is introduced, I suggest that you look through the actual
file on your system -- each file contains detailed configuration
instructions and default entries.</p>
file on your system -- each file contains detailed configuration instructions
and default entries.</p>
<p>Shorewall views the network where it is running as being composed of a
set of <i>zones.</i> In the three-interface sample configuration,
@ -144,8 +142,8 @@ the following zone names are used:</p>
<li>You express your default policy for connections from
one zone to another zone in the<a
href="Documentation.htm#Policy"> /etc/shorewall/policy </a>file.</li>
<li>You define exceptions to those default policies in the
<a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
<li>You define exceptions to those default policies in
the <a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
</ul>
@ -192,7 +190,6 @@ DROP
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
@ -220,7 +217,6 @@ DROP
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
@ -232,8 +228,8 @@ DROP
to the internet</li>
<li>drop (ignore) all connection requests from the internet
to your firewall or local network</li>
<li>optionally accept all connection requests from the firewall
to the internet (if you uncomment the additional policy)</li>
<li>optionally accept all connection requests from the
firewall to the internet (if you uncomment the additional policy)</li>
<li>reject all other connection requests.</li>
</ol>
@ -266,9 +262,9 @@ If you connect using ISDN, you external interface will be <b>ippp0.</b></p>
<p align="left">Your <i>Local Interface</i> will be an ethernet adapter (eth0,
eth1 or eth2) and will be connected to a hub or switch. Your local
computers will be connected to the same switch (note: If you have
only a single local system, you can connect the firewall directly to
the computer using a <i>cross-over </i> cable).</p>
computers will be connected to the same switch (note: If you have only
a single local system, you can connect the firewall directly to the
computer using a <i>cross-over </i> cable).</p>
<p align="left">Your <i>DMZ Interface</i> will also be an ethernet adapter
(eth0, eth1 or eth2) and will be connected to a hub or switch. Your
@ -294,15 +290,13 @@ is different, you will have to modify the sample /etc/shorewall/interfaces
<ul>
<li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>,
you can replace the "detect" in the second column with "-". </p>
</li>
<li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>
or if you have a static IP address, you can remove "dhcp" from
the option list. </p>
or if you have a static IP address, you can remove "dhcp" from the
option list. </p>
</li>
</ul>
@ -312,16 +306,15 @@ the option list. </p>
<p align="left">Before going further, we should say a few words about Internet
Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you
a single <i> Public</i> IP address. This address may be assigned via
the<i> Dynamic Host Configuration Protocol</i> (DHCP) or as part of
establishing your connection when you dial in (standard modem) or establish
your PPP connection. In rare cases, your ISP may assign you a<i> static</i>
IP address; that means that you configure your firewall's external interface
the<i> Dynamic Host Configuration Protocol</i> (DHCP) or as part of establishing
your connection when you dial in (standard modem) or establish your PPP
connection. In rare cases, your ISP may assign you a<i> static</i> IP
address; that means that you configure your firewall's external interface
to use that address permanently.<i> </i>Regardless of how the address
is assigned, it will be shared by all of your systems when you access
the Internet. You will have to assign your own addresses for your internal
network (the local and DMZ Interfaces on your firewall plus your other
computers). RFC 1918 reserves several <i>Private </i>IP address ranges for
this purpose:</p>
is assigned, it will be shared by all of your systems when you access the
Internet. You will have to assign your own addresses for your internal network
(the local and DMZ Interfaces on your firewall plus your other computers).
RFC 1918 reserves several <i>Private </i>IP address ranges for this purpose:</p>
<div align="left">
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
@ -341,8 +334,8 @@ interface's entry in /etc/shorewall/interfaces.</p>
sub-network </i>or <i>subnet</i> and your DMZ addresses from another
subnet. For our purposes, we can consider a subnet to consists of
a range of addresses x.y.z.0 - x.y.z.255. Such a subnet will have a
<i>Subnet Mask </i>of 255.255.255.0. The address x.y.z.0 is reserved as
the <i>Subnet Address</i> and x.y.z.255 is reserved as the <i>Subnet
<i>Subnet Mask </i>of 255.255.255.0. The address x.y.z.0 is reserved
as the <i>Subnet Address</i> and x.y.z.255 is reserved as the <i>Subnet
Broadcast</i> <i>Address</i>. In Shorewall, a subnet is described using <a
href="shorewall_setup_guide.htm#Subnets"><i>Classless InterDomain Routing
</i>(CIDR)</a> notation with consists of the subnet address followed
@ -376,7 +369,6 @@ Broadcast</i> <i>Address</i>. In Shorewall, a subnet is described using
<td>10.10.10.0/24</td>
</tr>
</tbody>
</table>
</blockquote>
@ -408,8 +400,8 @@ example) or the last usable address (10.10.10.254).</p>
<p align="left">The foregoing short discussion barely scratches the surface
regarding subnetting and routing. If you are interested in learning
more about IP addressing and routing, I highly recommend <i>"IP Fundamentals:
What Everyone Needs to Know about Addressing &amp; Routing",</i>
Thomas A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
What Everyone Needs to Know about Addressing &amp; Routing",</i> Thomas
A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
<p align="left">The remainder of this quide will assume that you have configured
your network as shown here:</p>
@ -425,10 +417,10 @@ Thomas A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13" alt="">
    <font color="#ff0000"><b>WARNING: </b></font><b>Your ISP  might assign
your external interface an RFC 1918 address. If that address is in the
10.10.10.0/24 subnet then you will need to select a DIFFERENT RFC 1918
subnet for your local network and if it is in the 10.10.11.0/24 subnet then
you will need to select a different RFC 1918 subnet for your DMZ.</b><br>
your external interface an RFC 1918 address. If that address is in the 10.10.10.0/24
subnet then you will need to select a DIFFERENT RFC 1918 subnet for your
local network and if it is in the 10.10.11.0/24 subnet then you will need
to select a different RFC 1918 subnet for your DMZ.</b><br>
</p>
<p align="left">IP Masquerading (SNAT)</p>
@ -438,30 +430,28 @@ you will need to select a different RFC 1918 subnet for your DMZ.</b><br>
forward packets which have an RFC-1918 destination address. When one
of your local systems (let's assume local computer 1) sends a connection
request to an internet host, the firewall must perform <i>Network Address
Translation </i>(NAT). The firewall rewrites the source address in
the packet to be the address of the firewall's external interface; in
other words, the firewall makes it look as if the firewall itself is
initiating the connection.  This is necessary so that the destination
host will be able to route return packets back to the firewall (remember
that packets whose destination address is reserved by RFC 1918 can't
be routed accross the internet). When the firewall receives a return
packet, it rewrites the destination address back to 10.10.10.1 and
forwards the packet on to local computer 1. </p>
Translation </i>(NAT). The firewall rewrites the source address in the
packet to be the address of the firewall's external interface; in other
words, the firewall makes it look as if the firewall itself is initiating
the connection.  This is necessary so that the destination host will
be able to route return packets back to the firewall (remember that
packets whose destination address is reserved by RFC 1918 can't be routed
accross the internet). When the firewall receives a return packet, it
rewrites the destination address back to 10.10.10.1 and forwards the
packet on to local computer 1. </p>
<p align="left">On Linux systems, the above process is often referred to
as<i> IP Masquerading</i> and you will also see the term <i>Source Network
Address Translation </i>(SNAT) used. Shorewall follows the convention used
with Netfilter:</p>
<p align="left">On Linux systems, the above process is often referred to as<i>
IP Masquerading</i> and you will also see the term <i>Source Network Address
Translation </i>(SNAT) used. Shorewall follows the convention used with
Netfilter:</p>
<ul>
<li>
<p align="left"><i>Masquerade</i> describes the case where you let your
firewall system automatically detect the external interface address.
</p>
</li>
<li>
<p align="left"><i>SNAT</i> refers to the case when you explicitly specify
the source address that you want outbound packets from your local
network to use. </p>
@ -475,8 +465,8 @@ with Netfilter:</p>
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13">
    If your external firewall interface is <b>eth0</b>, your
local interface <b>eth1 </b>and your DMZ interface is <b>eth2</b>
then you do not need to modify the file provided with the sample. Otherwise,
local interface <b>eth1 </b>and your DMZ interface is <b>eth2</b> then
you do not need to modify the file provided with the sample. Otherwise,
edit /etc/shorewall/masq and change it to match your configuration.</p>
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
@ -491,8 +481,8 @@ your static IP in column 3 makes <br>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13" alt="">
    If you are using the Debian package, please check your shorewall.conf
file to ensure that the following are set correctly; if they are not,
change them appropriately:<br>
file to ensure that the following are set correctly; if they are not, change
them appropriately:<br>
</p>
<ul>
@ -506,16 +496,16 @@ change them appropriately:<br>
<p align="left">One of your goals will be to run one or more servers on your
DMZ computers. Because these computers have RFC-1918 addresses, it
is not possible for clients on the internet to connect directly to
them. It is rather necessary for those clients to address their connection
is not possible for clients on the internet to connect directly to them.
It is rather necessary for those clients to address their connection
requests to your firewall who rewrites the destination address to the
address of your server and forwards the packet to that server. When your
server responds, the firewall automatically performs SNAT to rewrite
the source address in the response.</p>
<p align="left">The above process is called<i> Port Forwarding</i> or <i>
Destination Network Address Translation</i> (DNAT). You configure port
forwarding using DNAT rules in the /etc/shorewall/rules file.</p>
Destination Network Address Translation</i> (DNAT). You configure
port forwarding using DNAT rules in the /etc/shorewall/rules file.</p>
<p>The general form of a simple port forwarding rule in /etc/shorewall/rules
is:</p>
@ -544,13 +534,12 @@ them. It is rather necessary for those clients to address their connection
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
<p>If you don't specify the <i>&lt;server port&gt;</i>, it is assumed to
be the same as <i>&lt;port&gt;</i>.</p>
<p>If you don't specify the <i>&lt;server port&gt;</i>, it is assumed to be
the same as <i>&lt;port&gt;</i>.</p>
<p>Example - you run a Web Server on DMZ 2 and you want to forward incoming
TCP port 80 to that system:</p>
@ -587,7 +576,6 @@ be the same as <i>&lt;port&gt;</i>.</p>
<td>from the local network</td>
</tr>
</tbody>
</table>
</blockquote>
@ -598,8 +586,8 @@ be the same as <i>&lt;port&gt;</i>.</p>
<li>When you are connecting to your server from your local
systems, you must use the server's internal IP address (10.10.11.2).</li>
<li>Many ISPs block incoming connection requests to port
80. If you have problems connecting to your web server, try the following
rule and try connecting to port 5000 (e.g., connect to <a
80. If you have problems connecting to your web server, try the
following rule and try connecting to port 5000 (e.g., connect to <a
href="http://w.x.y.z:5000"> http://w.x.y.z:5000</a> where w.x.y.z is your
external IP).</li>
@ -628,14 +616,13 @@ be the same as <i>&lt;port&gt;</i>.</p>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
<p>If you want to be able to access your server from the local network using
your external address, then if you have a static external IP you
can replace the loc-&gt;dmz rule above with:</p>
your external address, then if you have a static external IP you can
replace the loc-&gt;dmz rule above with:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -660,7 +647,6 @@ can replace the loc-&gt;dmz rule above with:</p>
<td><i>&lt;external IP&gt;</i></td>
</tr>
</tbody>
</table>
</blockquote>
@ -702,7 +688,6 @@ can replace the loc-&gt;dmz rule above with:</p>
<td>$ETH0_IP</td>
</tr>
</tbody>
</table>
</blockquote>
@ -718,16 +703,15 @@ servers. </p>
<p align="left">Normally, when you connect to your ISP, as part of getting
an IP address your firewall's <i>Domain Name Service </i>(DNS) resolver
will be automatically configured (e.g., the /etc/resolv.conf file
will be written). Alternatively, your ISP may have given you the IP
address of a pair of DNS <i> name servers</i> for you to manually configure
as your primary and secondary name servers. It is <u>your</u> responsibility
will be automatically configured (e.g., the /etc/resolv.conf file will
be written). Alternatively, your ISP may have given you the IP address
of a pair of DNS <i> name servers</i> for you to manually configure as
your primary and secondary name servers. It is <u>your</u> responsibility
to configure the resolver in your internal systems. You can take one
of two approaches:</p>
<ul>
<li>
<p align="left">You can configure your internal systems to use your ISP's
name servers. If you ISP gave you the addresses of their servers
or if those addresses are available on their web site, you can configure
@ -737,27 +721,25 @@ as your primary and secondary name servers. It is <u>your</u> responsibili
</p>
</li>
<li>
<p align="left"><img border="0" src="images/BD21298_2.gif"
width="13" height="13">
    You can configure a<i> Caching Name Server </i>on your
firewall or in your DMZ.<i> </i>Red Hat has an RPM for a caching
name server (which also requires the 'bind' RPM) and for Bering
users, there is dnscache.lrp. If you take this approach, you configure
your internal systems to use the caching name server as their primary
(and only) name server. You use the internal IP address of the firewall
(10.10.10.254 in the example above) for the name server address if
you choose to run the name server on your firewall. To allow your local
systems to talk to your caching name server, you must open port 53
(both UDP and TCP) from the local network to the server; you do that
by adding the rules in /etc/shorewall/rules. </p>
firewall or in your DMZ.<i> </i>Red Hat has an RPM for a caching name
server (which also requires the 'bind' RPM) and for Bering users,
there is dnscache.lrp. If you take this approach, you configure your
internal systems to use the caching name server as their primary (and
only) name server. You use the internal IP address of the firewall (10.10.10.254
in the example above) for the name server address if you choose to
run the name server on your firewall. To allow your local systems to
talk to your caching name server, you must open port 53 (both UDP
and TCP) from the local network to the server; you do that by adding
the rules in /etc/shorewall/rules. </p>
</li>
</ul>
<blockquote>
<p align="left">If you run the name server on the firewall:
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber4">
<tbody>
@ -807,7 +789,6 @@ by adding the rules in /etc/shorewall/rules. </p>
<td> </td>
</tr>
</tbody>
</table>
</p>
@ -866,7 +847,6 @@ by adding the rules in /etc/shorewall/rules. </p>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
@ -913,7 +893,6 @@ by adding the rules in /etc/shorewall/rules. </p>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
@ -921,8 +900,8 @@ by adding the rules in /etc/shorewall/rules. </p>
<div align="left">
<p align="left">Those rules allow DNS access from your firewall and may be
removed if you commented out the line in /etc/shorewall/policy
allowing all connections from the firewall to the internet.</p>
removed if you commented out the line in /etc/shorewall/policy allowing
all connections from the firewall to the internet.</p>
</div>
<div align="left">
@ -962,7 +941,6 @@ allowing all connections from the firewall to the internet.</p>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
@ -1003,7 +981,6 @@ allowing all connections from the firewall to the internet.</p>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
@ -1047,7 +1024,6 @@ allowing all connections from the firewall to the internet.</p>
<td>from the internet</td>
</tr>
</tbody>
</table>
</blockquote>
@ -1059,8 +1035,8 @@ allowing all connections from the firewall to the internet.</p>
</div>
<div align="left">
<p align="left">If you don't know what port and protocol a particular
application uses, look <a href="ports.htm">here</a>.</p>
<p align="left">If you don't know what port and protocol a particular application
uses, look <a href="ports.htm">here</a>.</p>
</div>
<div align="left">
@ -1093,7 +1069,6 @@ application uses, look <a href="ports.htm">here</a>.</p>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
@ -1146,7 +1121,6 @@ with Jacques's Shorewall configuration.<br>
</td>
</tr>
</tbody>
</table>
</blockquote>
@ -1165,12 +1139,12 @@ with Jacques's Shorewall configuration.<br>
<div align="left">
<p align="left"> <img border="0" src="images/BD21298_2.gif"
width="13" height="13" alt="Arrow">
    The <a href="Install.htm">installation procedure </a> configures
your system to start Shorewall at system boot  but beginning with Shorewall
version 1.3.9 startup is disabled so that your system won't try to start
Shorewall before configuration is complete. Once you have completed configuration
of your firewall, you can enable Shorewall startup by removing the file
/etc/shorewall/startup_disabled.<br>
    The <a href="Install.htm">installation procedure </a>
configures your system to start Shorewall at system boot  but beginning
with Shorewall version 1.3.9 startup is disabled so that your system
won't try to start Shorewall before configuration is complete. Once you
have completed configuration of your firewall, you can enable Shorewall
startup by removing the file /etc/shorewall/startup_disabled.<br>
</p>
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: </font><font
@ -1205,8 +1179,8 @@ set of hosts, modify /etc/shorewall/routestopped accordingly.</p>
have added an entry for the IP address that you are connected from
to <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better to create
an <i><a href="configuration_file_basics.htm#Configs">alternate
configuration</a></i> and test it using the <a
an <i><a href="configuration_file_basics.htm#Configs">alternate configuration</a></i>
and test it using the <a
href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p>
</div>
@ -1230,5 +1204,6 @@ configuration</a></i> and test it using the <a
<br>
<br>
<br>
<br>
</body>
</html>

179
Shorewall-docs/three-interface_fr.html
View File

@ -30,16 +30,16 @@
<h2 align="center">Version 2.0.1 Française</h2>
<p align="left"><small><i><u>Notes du traducteur</u> :<br>
Je ne prétends pas être un vrai traducteur dans le sens ou mon travail n?est
pas des plus précis (loin de là...). Je ne me suis pas attaché à une traduction
exacte du texte, mais plutôt à en faire une version française intelligible
par tous (et par moi). Les termes techniques sont la plupart du temps conservés
sous leur forme originale et mis entre parenthèses car vous pouvez les retrouver
dans le reste des documentations ainsi que dans les fichiers de configuration.
N?hésitez pas à me contacter afin d?améliorer ce document <a
href="mailto:vetsel.patrice@wanadoo.fr">VETSEL Patrice</a> (merci à JMM pour
sa relecture et ses commentaires pertinents, ainsi qu'à Tom EASTEP pour son
formidable outil et sa disponibilité).</i></small></p>
Je ne prétends pas être un vrai traducteur dans le sens ou mon travail
n?est pas des plus précis (loin de là...). Je ne me suis pas attaché à une
traduction exacte du texte, mais plutôt à en faire une version française
intelligible par tous (et par moi). Les termes techniques sont la plupart
du temps conservés sous leur forme originale et mis entre parenthèses car
vous pouvez les retrouver dans le reste des documentations ainsi que dans
les fichiers de configuration. N?hésitez pas à me contacter afin d?améliorer
ce document <a href="mailto:vetsel.patrice@wanadoo.fr">VETSEL Patrice</a>
(merci à JMM pour sa relecture et ses commentaires pertinents, ainsi qu'à
Tom EASTEP pour son formidable outil et sa disponibilité).</i></small></p>
<p align="left"><br>
Mettre en place un système linux en tant que firewall pour un petit réseau
@ -66,8 +66,8 @@ RTC, ...</li>
height="635">
</p>
<p>Ce guide suppose que vous avez le paquet iproute/iproute2 d'installé.
Vous pouvez voir si le paquet est installé en vérifiant la présence du programme
<p>Ce guide suppose que vous avez le paquet iproute/iproute2 d'installé. Vous
pouvez voir si le paquet est installé en vérifiant la présence du programme
ip sur votre système de firewall. Sous root, utilisez la commande 'which'
pour rechercher le programme :</p>
@ -85,12 +85,12 @@ la configuration sont recommand
devez les sauver comme des fichiers Unix si votre éditeur offre cette option
sinon vous devez les faire passer par dos2unix avant d'essayer de les utiliser.
De la même manière, si vous copiez un fichier de configuration depuis votre
disque dur Windows vers une disquette, vous devez lancer dos2unix sur la
copie avant de l'utiliser avec Shorewall.</p>
disque dur Windows vers une disquette, vous devez lancer dos2unix sur la copie
avant de l'utiliser avec Shorewall.</p>
<ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version of
dos2unix</a></li>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
of dos2unix</a></li>
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version
of dos2unix</a></li>
@ -104,11 +104,11 @@ of dos2unix</a></li>
/etc/shorewall -- pour de simples paramétrages, vous n'avez à faire qu'avec
quelques un d'entre eux comme décris dans ce guide. Après avoir <a
href="Install.htm">installé Shorewall</a>, <b>téléchargez la configuration
d'exemple <a href="/pub/shorewall/LATEST.samples/three-interfaces.tgz">three-interface
d'exemple <a
href="http://france.shorewall.net/pub/shorewall/LATEST.samples/three-interfaces.tgz">three-interface
sample</a>, un-tarez la (tar -zxvf three-interfaces.tgz) </b><b>et copiez
les fichiers vers /etc/shorewall (Ils remplaceront les fichiers de même
nom déjà existant dans /etc/shorewall installés lors de l'installation de
Shorewall)</b>.</p>
les fichiers vers /etc/shorewall (Ils remplaceront les fichiers de même nom
déjà existant dans /etc/shorewall installés lors de l'installation de Shorewall)</b>.</p>
<p>En même temps que chacun des fichiers est présenté, je vous suggère de
jeter un oeil à ceux qui se trouvent réellement sur votre système -- chacun
@ -144,15 +144,15 @@ trois zones sont d
<p>Les noms de zone sont définis dans <a href="Documentation.htm#Zones">/etc/shorewall/zones</a>.</p>
<p>Shorewall reconnaît aussi le système de firewall comme sa propre zone
- par défaut, le firewall lui même est connu en tant que <b>fw</b>.</p>
<p>Shorewall reconnaît aussi le système de firewall comme sa propre zone -
par défaut, le firewall lui même est connu en tant que <b>fw</b>.</p>
<p>Les règles concernant le trafic à autoriser ou à interdire sont exprimées
en utilisant les termes de zones.</p>
<ul>
<li>Vous exprimez les politiques par défaut pour les connexions d'une zone
à une autre dans le fichier<a href="Documentation.htm#Policy"> /etc/shorewall/policy
<li>Vous exprimez les politiques par défaut pour les connexions d'une
zone à une autre dans le fichier<a href="Documentation.htm#Policy"> /etc/shorewall/policy
</a>.</li>
<li>Vous définissez les exceptions à ces règles de politiques par défaut
dans le fichier <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
@ -161,11 +161,10 @@ dans le fichier <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
<p>Pour chacune des demandes de connexion entrantes dans le firewall, les
demandes sont en premier lieu comparées par rapport au fichier /etc/shorewall/rules.
Si aucune des règles dans ce fichier ne correspondent, alors la première
politique dans /etc/shorewall/policy qui y correspond est appliquée. Si cette
politique est REJECT ou DROP la requête est alors comparée par rapport aux
règles contenues dans /etc/shorewall/common (l'archive d'exemple vous fournit
ce fichier).</p>
Si aucune des règles dans ce fichier ne correspondent, alors la première politique
dans /etc/shorewall/policy qui y correspond est appliquée. Si cette politique
est REJECT ou DROP la requête est alors comparée par rapport aux règles contenues
dans /etc/shorewall/common (l'archive d'exemple vous fournit ce fichier).</p>
<p>Le fichier /etc/shorewall/policy d'exemple contenu dans l'archive three-interface
sample a les politiques suivantes :</p>
@ -244,10 +243,10 @@ avoir un acc
<ol>
<li>permettre toutes demandes de connexion depuis le firewall vers l'Internet</li>
<li>drop (ignorer) toutes les demandes de connexion depuis l'Internet vers
votre firewall ou vers votre réseau local</li>
<li>Facultativement accepter toutes les demandes de connexion depuis votre
firewall et vers Internet (si vous decommentez la politique précédente)</li>
<li>drop (ignorer) toutes les demandes de connexion depuis l'Internet
vers votre firewall ou vers votre réseau local</li>
<li>Facultativement accepter toutes les demandes de connexion depuis
votre firewall et vers Internet (si vous decommentez la politique précédente)</li>
<li>reject (rejeter) toutes les autres demandes de connexion.</li>
</ol>
@ -263,14 +262,14 @@ que vous d
</p>
<p align="left">Le firewall a trois interfaces de réseau. Lorsque la connexion
Internet passe par le câble ou par un ROUTEUR (pas un simple modem) ADSL
(non USB), l'interface vers l'extérieur (External Interface) sera l'adaptateur
Internet passe par le câble ou par un ROUTEUR (pas un simple modem) ADSL (non
USB), l'interface vers l'extérieur (External Interface) sera l'adaptateur
sur lequel est connecté le routeur (e.g., eth0) à moins que vous ne vous
connectiez par Point-to-PointProtocol overEthernet (PPPoE) ou par Point-to-PointTunneling
Protocol (PPTP), dans ce cas l'interface extérieure sera une interface de
type ppp (e.g., ppp0). Si vous vous connectez par un simple modem (RTC),
votre interface extérieure sera aussi ppp0. Si votre connexion passe par
Numéris (ISDN), votre interface extérieure sera ippp0<b>.</b></p>
type ppp (e.g., ppp0). Si vous vous connectez par un simple modem (RTC), votre
interface extérieure sera aussi ppp0. Si votre connexion passe par Numéris
(ISDN), votre interface extérieure sera ippp0<b>.</b></p>
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13">
@ -298,8 +297,8 @@ ce soit shorewall qui ne marche pas.</p>
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13">
L'exemple de configuration de Shorewall pour trois interfaces suppose que
l'interface externe est <b>eth0, </b>l'interface locale est <b>eth1 </b>
et que la DMZ est sur l'interface <b>eth2</b>. Si votre configuration diffère,
l'interface externe est <b>eth0, </b>l'interface locale est <b>eth1 </b> et
que la DMZ est sur l'interface <b>eth2</b>. Si votre configuration diffère,
vous devrez modifier le fichier d'exemple /etc/shorewall/interfaces en conséquence.
Tant que vous y êtes, vous pourriez parcourir la liste des options qui sont
spécifiées pour les interfaces. Quelques trucs :</p>
@ -310,9 +309,9 @@ sp
remplacer le "detect" dans la seconde colonne par un "-". </p>
</li>
<li>
<p align="left">Si votre interface externe est ppp0 ou ippp0 ou bien
si vous avez une adresse IP statique, vous pouvez enlever le "dhcp" de la
liste d'option. </p>
<p align="left">Si votre interface externe est ppp0 ou ippp0 ou bien si
vous avez une adresse IP statique, vous pouvez enlever le "dhcp" de la liste
d'option. </p>
</li>
</ul>
@ -325,11 +324,11 @@ Internet (ISP) vous assignera une seule adresse IP (single Public IP address).
Cette adresse peut être assignée par le Dynamic Host Configuration Protocol
(DHCP) ou lors de l'établissement de votre connexion lorsque vous vous connectez
(modem standard) ou établissez votre connexion PPP. Dans de rares cas , votre
provider peu vous assigner une adresse statique (staticIP address); cela
signifie que vous configurez votre interface externe sur votre firewall afin
d'utiliser cette adresse de manière permanente. Une fois votre adresse externe
assignée, elle va être partagée par tout vos systèmes lors de l'accès à Internet.
Vous devrez assigner vos propres adresses à votre réseau local (votre interface
provider peu vous assigner une adresse statique (staticIP address); cela signifie
que vous configurez votre interface externe sur votre firewall afin d'utiliser
cette adresse de manière permanente. Une fois votre adresse externe assignée,
elle va être partagée par tout vos systèmes lors de l'accès à Internet. Vous
devrez assigner vos propres adresses à votre réseau local (votre interface
interne sur le firewall ainsi que les autres ordinateurs). La RFC 1918 réserve
plusieurs plages d'IP (Private IP address ranges) à cette fin :</p>
@ -392,9 +391,9 @@ gauche du masque de sous-r
</div>
<div align="left">
<p align="left">Il est de convention d'assigner à l'interface interne la
première adresse utilisable dans le sous-réseau (10.10.10.1 dans l'exemple
précédent) ou la dernière utilisable (10.10.10.254).</p>
<p align="left">Il est de convention d'assigner à l'interface interne la première
adresse utilisable dans le sous-réseau (10.10.10.1 dans l'exemple précédent)
ou la dernière utilisable (10.10.10.254).</p>
</div>
<div align="left">
@ -411,8 +410,8 @@ du sous-r
Vos ordinateurs locaux (ordinateur local 1 et 2) devraient être configurés
avec leur passerelle par défaut (<i>default gateway)</i>pointant sur l'adresse
IP de l'interface interne du firewall, et les ordinateurs de la DMZ devraient
être configurés avec leur passerelle par défaut (<i>default gateway)</i>
pointant sur l'adresse IP de l'interface DMZ du firewall. </p>
être configurés avec leur passerelle par défaut (<i>default gateway)</i> pointant
sur l'adresse IP de l'interface DMZ du firewall. </p>
</div>
<p align="left">Cette courte description ne fait que survoler les concepts
@ -437,23 +436,22 @@ en local sera 10.10.10.254.</p>
<p align="left">Les adresses réservées par la RFC 1918 sont parfois désignées
comme non-routables car les routeurs Internet (backbone) ne font pas circuler
les paquets qui ont une adresse de destination appartenant à la RFC-1918.
Lorsqu'un de vos systèmes en local (supposons l'ordinateur1) demande une
connexion à un serveur par Internet, le firewall doit appliquer un NAT (Network
Address Translation). Le firewall ré écrit l'adresse source dans le paquet,
et l'a remplace par l'adresse de l'interface externe du firewall; en d'autres
mots, le firewall fait croire que c'est lui même qui initie la connexion.
Ceci est nécessaire afin que l'hôte de destination soit capable de renvoyer
les paquets au firewall (souvenez vous que les paquets qui ont pour adresse
de destination, une adresse réservée par la RFC 1918 ne pourront pas être
routés à travers Internet, donc l'hôte Internet ne pourra adresser sa réponse
à l'ordinateur 1). Lorsque le firewall reçoit le paquet de réponse, il remet
Lorsqu'un de vos systèmes en local (supposons l'ordinateur1) demande une connexion
à un serveur par Internet, le firewall doit appliquer un NAT (Network Address
Translation). Le firewall ré écrit l'adresse source dans le paquet, et l'a
remplace par l'adresse de l'interface externe du firewall; en d'autres mots,
le firewall fait croire que c'est lui même qui initie la connexion. Ceci
est nécessaire afin que l'hôte de destination soit capable de renvoyer les
paquets au firewall (souvenez vous que les paquets qui ont pour adresse de
destination, une adresse réservée par la RFC 1918 ne pourront pas être routés
à travers Internet, donc l'hôte Internet ne pourra adresser sa réponse à
l'ordinateur 1). Lorsque le firewall reçoit le paquet de réponse, il remet
l'adresse de destination à 10.10.10.1 et fait passer le paquet vers l'ordinateur
1. </p>
<p align="left">Sur les systèmes Linux, ce procédé est souvent appelé de
l'IP Masquerading mais vous verrez aussi le terme de Source Network Address
Translation (SNAT) utilisé. Shorewall suit la convention utilisée avec Netfilter
:</p>
<p align="left">Sur les systèmes Linux, ce procédé est souvent appelé de l'IP
Masquerading mais vous verrez aussi le terme de Source Network Address Translation
(SNAT) utilisé. Shorewall suit la convention utilisée avec Netfilter :</p>
<ul>
<li>
@ -508,8 +506,7 @@ RFC-1918, il n'est pas possible pour les clients sur Internet de se connecter
directement à eux. Il est nécessaire à ces clients d'adresser leurs demandes
de connexion au firewall qui ré écrit l'adresse de destination de votre serveur,
et fait passer le paquet à celui-ci. Lorsque votre serveur répond, le firewall
applique automatiquement un SNAT pour ré écrire l'adresse source dans la
réponse.</p>
applique automatiquement un SNAT pour ré écrire l'adresse source dans la réponse.</p>
<p align="left">Ce procédé est appelé Port Forwarding ou Destination Network
Address Translation(DNAT). Vous configurez le port forwarding en utilisant
@ -534,8 +531,7 @@ est :</p>
<tr>
<td>DNAT</td>
<td>net</td>
<td>dmz:<i>&lt;server local ip address&gt; </i>[:<i>&lt;server
port&gt;</i>]</td>
<td>dmz:<i>&lt;server local ip address&gt; </i>[:<i>&lt;server port&gt;</i>]</td>
<td><i>&lt;protocol&gt;</i></td>
<td><i>&lt;port&gt;</i></td>
<td> <br>
@ -633,10 +629,10 @@ http://w.x.y.z:5000</a> o
</table>
</blockquote>
<p>Si vous voulez avoir la possibilité de vous connecter à votre serveur
depuis le réseau local en utilisant votre adresse externe, et si vous avez
une adresse IP externe statique (fixe), vous pouvez remplacer la règle loc-&gt;dmz
précédente par :</p>
<p>Si vous voulez avoir la possibilité de vous connecter à votre serveur depuis
le réseau local en utilisant votre adresse externe, et si vous avez une adresse
IP externe statique (fixe), vous pouvez remplacer la règle loc-&gt;dmz précédente
par :</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -707,8 +703,8 @@ les
</table>
</blockquote>
<p>Si vous voulez accéder à votre serveur dans la DMZ en utilisant votre
adresse IP externe, regardez <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p>
<p>Si vous voulez accéder à votre serveur dans la DMZ en utilisant votre adresse
IP externe, regardez <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p>
<p><img border="0" src="images/BD21298_2.gif" width="13" height="13">
A ce point, ajoutez les règles DNAT et ACCEPT pour vos serveurs..</p>
@ -716,13 +712,13 @@ adresse IP externe, regardez <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p>
<h2 align="left">Domain Name Server (DNS)</h2>
<p align="left">Normalement, quand vous vous connectez à votre fournisseur
(ISP), une partie consiste à obtenir votre adresse IP, votre DNS pour le
firewall (Domain Name Service) est configuré automatiquement (c.a.d., le
fichier /etc/resolv.conf a été écrit). Il arrive que votre provider vous
donne une paire d'adresse IP pour les DNS (name servers) afin que vous configuriez
manuellement votre serveur de nom primaire et secondaire. La manière dont
le DNS est configuré sur votre firewall est de votre responsabilité. Vous
pouvez procéder d'une de ses deux façons :</p>
(ISP), une partie consiste à obtenir votre adresse IP, votre DNS pour le firewall
(Domain Name Service) est configuré automatiquement (c.a.d., le fichier /etc/resolv.conf
a été écrit). Il arrive que votre provider vous donne une paire d'adresse
IP pour les DNS (name servers) afin que vous configuriez manuellement votre
serveur de nom primaire et secondaire. La manière dont le DNS est configuré
sur votre firewall est de votre responsabilité. Vous pouvez procéder d'une
de ses deux façons :</p>
<ul>
<li>
@ -1084,9 +1080,9 @@ particuli
<div align="left">
<p align="left">Important: Je ne vous recommande pas d'autoriser le telnet
depuis ou vers l'Internet car il utilise du texte en clair (même pour le
login et le mot de passe !). Si vous voulez avoir un accès au shell de votre
firewall depuis Internet, utilisez SSH :</p>
depuis ou vers l'Internet car il utilise du texte en clair (même pour le login
et le mot de passe !). Si vous voulez avoir un accès au shell de votre firewall
depuis Internet, utilisez SSH :</p>
</div>
<div align="left">
@ -1168,10 +1164,10 @@ d'h
</div>
<div align="left">
<p align="left">ATTENTION: Si vous êtes connecté à votre firewall depuis
Internet, n'essayez pas une commande "shorewall stop" tant que vous n'avez
pas ajouté une entrée pour votre adresse IP (celle à partir de laquelle vous
êtes connectée) dans <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
<p align="left">ATTENTION: Si vous êtes connecté à votre firewall depuis Internet,
n'essayez pas une commande "shorewall stop" tant que vous n'avez pas ajouté
une entrée pour votre adresse IP (celle à partir de laquelle vous êtes connectée)
dans <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
De la même manière, je ne vous recommande pas d'utiliser "shorewall restart";
il est plus intéressant de créer une <i><a
href="configuration_file_basics.htm#Configs">configuration </a></i><i><a
@ -1204,5 +1200,6 @@ M. Eastep</font></a></p>
<br>
<br>
<br>
<br>
</body>
</html>

195
Shorewall-docs/two-interface.htm
View File

@ -12,7 +12,6 @@
content="text/html; charset=windows-1252">
<title>Two-Interface Firewall</title>
<meta name="Microsoft Theme" content="none">
</head>
<body>
@ -23,8 +22,6 @@
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Basic Two-Interface Firewall</font></h1>
</td>
</tr>
@ -63,19 +60,19 @@ local network.</li>
<p><b>Note however, that the Shorewall configuration produced by Mandrake
Internet Connection Sharing is strange and is apt to confuse you if you use
the rest of this documentation (it has two local zones; "loc" and "masq" where
"loc" is empty; this conflicts with this documentation which assumes a single
local zone "loc"). We therefore recommend that once you have set up this
sharing that you uninstall the Mandrake Shorewall RPM and install the one
from the <a href="download.htm">download page</a> then follow the instructions
in this Guide.</b><br>
the rest of this documentation (it has two local zones; "loc" and "masq"
where "loc" is empty; this conflicts with this documentation which assumes
a single local zone "loc"). We therefore recommend that once you have set
up this sharing that you uninstall the Mandrake Shorewall RPM and install
the one from the <a href="download.htm">download page</a> then follow the
instructions in this Guide.</b><br>
</p>
<p>Shorewall requires that you have the iproute/iproute2 package installed
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can
tell if this package is installed by the presence of an <b>ip</b>
program on your firewall system. As root, you can use the 'which'
command to check for this program:</p>
tell if this package is installed by the presence of an <b>ip</b> program
on your firewall system. As root, you can use the 'which' command
to check for this program:</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
@ -98,11 +95,12 @@ floppy disk, you must run dos2unix against the copy before using it with
Shorewall.</p>
<ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows
Version of dos2unix</a></li>
<li><a
href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version
of dos2unix</a></li>
href="http://www.simtel.net/pub/pd/51438.html">Windows Version of
dos2unix</a></li>
<li><a
href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version of
dos2unix</a></li>
</ul>
@ -110,21 +108,22 @@ of dos2unix</a></li>
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
alt="">
    The configuration files for Shorewall are contained in the directory
/etc/shorewall -- for simple setups, you will only need to deal with
a few of these as described in this guide. After you have <a
    The configuration files for Shorewall are contained in the
directory /etc/shorewall -- for simple setups, you will only need to
deal with a few of these as described in this guide. After you have <a
href="Install.htm">installed Shorewall</a>, <b>download the <a
href="/pub/shorewall/LATEST.samples/two-interfaces.tgz">two-interface sample</a>,
un-tar it (tar -zxvf two-interfaces.tgz) and and copy the files to
/etc/shorewall (these files will replace files with the same name).</b></p>
href="http://www.shorewall.net/pub/shorewall/LATEST.samples/two-interfaces.tgz">two-interface
sample</a>, un-tar it (tar -zxvf two-interfaces.tgz) and and copy
the files to /etc/shorewall (these files will replace files with
the same name).</b></p>
<p>As each file is introduced, I suggest that you look through the actual
file on your system -- each file contains detailed configuration
instructions and default entries.</p>
<p>Shorewall views the network where it is running as being composed of a
set of <i>zones.</i> In the two-interface sample configuration,
the following zone names are used:</p>
set of <i>zones.</i> In the two-interface sample configuration, the
following zone names are used:</p>
<table border="0" style="border-collapse: collapse;" cellpadding="3"
cellspacing="0" id="AutoNumber2">
@ -170,8 +169,8 @@ the <a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li
DROP  the request is first checked against the rules in /etc/shorewall/common
(the samples provide that file for you).</p>
<p>The /etc/shorewall/policy file included with the two-interface sample
has the following policies:</p>
<p>The /etc/shorewall/policy file included with the two-interface sample has
the following policies:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -206,7 +205,6 @@ has the following policies:</p>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
@ -234,7 +232,6 @@ has the following policies:</p>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
@ -262,9 +259,9 @@ firewall to the internet (if you uncomment the additional policy)</li>
height="635">
</p>
<p align="left">The firewall has two network interfaces. Where Internet connectivity
is through a cable or DSL "Modem", the <i>External Interface</i> will be
the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>) 
<p align="left">The firewall has two network interfaces. Where Internet
connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
will be the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>) 
<u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol
over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint
<u>T</u>unneling <u>P</u>rotocol </i>(PPTP) in which case the External
@ -280,9 +277,9 @@ the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>)
<p align="left">Your <i>Internal Interface</i> will be an ethernet adapter
(eth1 or eth0) and will be connected to a hub or switch. Your other
computers will be connected to the same hub/switch (note: If you
have only a single internal system, you can connect the firewall
directly to the computer using a <i>cross-over </i> cable).</p>
computers will be connected to the same hub/switch (note: If you have
only a single internal system, you can connect the firewall directly
to the computer using a <i>cross-over </i> cable).</p>
<p align="left"><u><b> <img border="0" src="images/j0213519.gif"
width="60" height="60">
@ -295,20 +292,18 @@ directly to the computer using a <i>cross-over </i> cable).</p>
width="13" height="13">
    The Shorewall two-interface sample configuration assumes
that the external interface is <b>eth0</b> and the internal interface
is <b>eth1</b>. If your configuration is different, you will have
to modify the sample <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
file accordingly. While you are there, you may wish to review the list
of options that are specified for the interfaces. Some hints:</p>
is <b>eth1</b>. If your configuration is different, you will have to
modify the sample <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
file accordingly. While you are there, you may wish to review the
list of options that are specified for the interfaces. Some hints:</p>
<ul>
<li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>,
you can replace the "detect" in the second column with "-".
</p>
</li>
<li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>
or if you have a static IP address, you can remove "dhcp" from
the option list. </p>
@ -326,8 +321,8 @@ establishing your connection when you dial in (standard modem) or establish
your PPP connection. In rare cases, your ISP may assign you a<i> static</i>
IP address; that means that you configure your firewall's external interface
to use that address permanently.<i> </i>However your external address
is assigned, it will be shared by all of your systems when you access
the Internet. You will have to assign your own addresses in your internal
is assigned, it will be shared by all of your systems when you access the
Internet. You will have to assign your own addresses in your internal
network (the Internal Interface on your firewall plus your other computers).
RFC 1918 reserves several <i>Private </i>IP address ranges for this purpose:</p>
@ -347,8 +342,8 @@ IP address of your external interface and if it is one of the above
<div align="left">
<p align="left">You will want to assign your addresses from the same <i>
sub-network </i>(<i>subnet)</i>.  For our purposes, we can consider a subnet
to consists of a range of addresses x.y.z.0 - x.y.z.255. Such
a subnet will have a <i>Subnet Mask </i>of 255.255.255.0. The address
to consists of a range of addresses x.y.z.0 - x.y.z.255. Such a
subnet will have a <i>Subnet Mask </i>of 255.255.255.0. The address
x.y.z.0 is reserved as the <i>Subnet Address</i> and x.y.z.255 is
reserved as the <i>Subnet Broadcast</i> <i>Address</i>. In Shorewall,
a subnet is described using <a
@ -384,7 +379,6 @@ bits from the left of the subnet mask. </p>
<td>10.10.10.0/24</td>
</tr>
</tbody>
</table>
</blockquote>
@ -431,22 +425,22 @@ Thomas A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13" alt="">
    <font color="#ff0000"><b>WARNING: </b></font><b>Your ISP might assign
your external interface an RFC 1918 address. If that address is in the
10.10.10.0/24 subnet then you will need to select a DIFFERENT RFC 1918
subnet for your local network.</b><br>
your external interface an RFC 1918 address. If that address is in the 10.10.10.0/24
subnet then you will need to select a DIFFERENT RFC 1918 subnet for your
local network.</b><br>
</p>
<h2 align="left">IP Masquerading (SNAT)</h2>
<p align="left">The addresses reserved by RFC 1918 are sometimes referred
to as <i>non-routable</i> because the Internet backbone routers don't
forward packets which have an RFC-1918 destination address. When
one of your local systems (let's assume computer 1) sends a connection
request to an internet host, the firewall must perform <i>Network
Address Translation </i>(NAT). The firewall rewrites the source address
in the packet to be the address of the firewall's external interface;
in other words, the firewall makes it look as if the firewall itself
is initiating the connection.  This is necessary so that the destination
forward packets which have an RFC-1918 destination address. When one
of your local systems (let's assume computer 1) sends a connection
request to an internet host, the firewall must perform <i>Network Address
Translation </i>(NAT). The firewall rewrites the source address in
the packet to be the address of the firewall's external interface; in
other words, the firewall makes it look as if the firewall itself is
initiating the connection.  This is necessary so that the destination
host will be able to route return packets back to the firewall (remember
that packets whose destination address is reserved by RFC 1918 can't
be routed across the internet so the remote host can't address its response
@ -454,20 +448,18 @@ is initiating the connection.
the destination address back to 10.10.10.1 and forwards the packet on
to computer 1. </p>
<p align="left">On Linux systems, the above process is often referred to
as<i> IP Masquerading</i> but you will also see the term <i>Source Network
Address Translation </i>(SNAT) used. Shorewall follows the convention used
with Netfilter:</p>
<p align="left">On Linux systems, the above process is often referred to as<i>
IP Masquerading</i> but you will also see the term <i>Source Network Address
Translation </i>(SNAT) used. Shorewall follows the convention used with
Netfilter:</p>
<ul>
<li>
<p align="left"><i>Masquerade</i> describes the case where you let your
firewall system automatically detect the external interface address.
</p>
</li>
<li>
<p align="left"><i>SNAT</i> refers to the case when you explicitly specify
the source address that you want outbound packets from your local
network to use. </p>
@ -481,22 +473,22 @@ with Netfilter:</p>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13">
    If your external firewall interface is <b>eth0</b>, you
do not need to modify the file provided with the sample. Otherwise,
edit /etc/shorewall/masq and change the first column to the name of
your external interface and the second column to the name of your internal
interface.</p>
    If your external firewall interface is <b>eth0</b>,
you do not need to modify the file provided with the sample. Otherwise,
edit /etc/shorewall/masq and change the first column to the name
of your external interface and the second column to the name of your
internal interface.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13">
    If your external IP is static, you can enter it in the
third column in the /etc/shorewall/masq entry if you like although
    If your external IP is static, you can enter it in
the third column in the /etc/shorewall/masq entry if you like although
your firewall will work fine if you leave that column empty. Entering
your static IP in column 3 makes processing outgoing packets a little
more efficient.<br>
<br>
<img border="0" src="images/BD21298_.gif" width="13" height="13"
alt="">
<img border="0" src="images/BD21298_.gif" width="13"
height="13" alt="">
    If you are using the Debian package, please check your shorewall.conf
file to ensure that the following are set correctly; if they are not,
change them appropriately:<br>
@ -513,12 +505,12 @@ change them appropriately:<br>
<p align="left">One of your goals may be to run one or more servers on your
local computers. Because these computers have RFC-1918 addresses,
it is not possible for clients on the internet to connect directly
to them. It is rather necessary for those clients to address their
connection requests to the firewall who rewrites the destination address
to the address of your server and forwards the packet to that server.
When your server responds, the firewall automatically performs SNAT
to rewrite the source address in the response.</p>
it is not possible for clients on the internet to connect directly to
them. It is rather necessary for those clients to address their connection
requests to the firewall who rewrites the destination address to the
address of your server and forwards the packet to that server. When
your server responds, the firewall automatically performs SNAT to rewrite
the source address in the response.</p>
<p align="left">The above process is called<i> Port Forwarding</i> or <i>
Destination Network Address Translation</i> (DNAT). You configure
@ -551,7 +543,6 @@ port forwarding using DNAT rules in the /etc/shorewall/rules file.</p>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
@ -582,7 +573,6 @@ port forwarding using DNAT rules in the /etc/shorewall/rules file.</p>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
@ -592,9 +582,9 @@ port forwarding using DNAT rules in the /etc/shorewall/rules file.</p>
<ul>
<li>You must test the above rule from a client outside
of your local network (i.e., don't test from a browser running on
computers 1 or 2 or on the firewall). If you want to be able to access
your web server using the IP address of your external interface, see
<a href="FAQ.htm#faq2">Shorewall FAQ #2</a>.</li>
computers 1 or 2 or on the firewall). If you want to be able to
access your web server using the IP address of your external interface,
see <a href="FAQ.htm#faq2">Shorewall FAQ #2</a>.</li>
<li>Many ISPs block incoming connection requests to port
80. If you have problems connecting to your web server, try the
following rule and try connecting to port 5000.</li>
@ -624,7 +614,6 @@ following rule and try connecting to port 5000.</li>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
@ -646,7 +635,6 @@ as your primary and secondary name servers. Regardless of how DNS gets
<ul>
<li>
<p align="left">You can configure your internal systems to use your ISP's
name servers. If you ISP gave you the addresses of their servers
or if those addresses are available on their web site, you can configure
@ -656,19 +644,18 @@ as your primary and secondary name servers. Regardless of how DNS gets
</p>
</li>
<li>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13">
    You can configure a<i> Caching Name Server </i>on your
firewall.<i> </i>Red Hat has an RPM for a caching name server
(the RPM also requires the 'bind' RPM) and for Bering users, there
is dnscache.lrp. If you take this approach, you configure your internal
systems to use the firewall itself as their primary (and only) name server.
You use the internal IP address of the firewall (10.10.10.254 in the
example above) for the name server address. To allow your local systems
to talk to your caching name server, you must open port 53 (both UDP
and TCP) from the local network to the firewall; you do that by adding
the following rules in /etc/shorewall/rules. </p>
systems to use the firewall itself as their primary (and only) name
server. You use the internal IP address of the firewall (10.10.10.254
in the example above) for the name server address. To allow your
local systems to talk to your caching name server, you must open port
53 (both UDP and TCP) from the local network to the firewall; you
do that by adding the following rules in /etc/shorewall/rules. </p>
</li>
</ul>
@ -705,7 +692,6 @@ as your primary and secondary name servers. Regardless of how DNS gets
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
@ -751,7 +737,6 @@ as your primary and secondary name servers. Regardless of how DNS gets
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
@ -791,7 +776,6 @@ as your primary and secondary name servers. Regardless of how DNS gets
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
@ -831,7 +815,6 @@ as your primary and secondary name servers. Regardless of how DNS gets
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
@ -875,7 +858,6 @@ as your primary and secondary name servers. Regardless of how DNS gets
<td>from the local network</td>
</tr>
</tbody>
</table>
</blockquote>
@ -888,14 +870,14 @@ your firewall"</p>
</div>
<div align="left">
<p align="left">If you don't know what port and protocol a particular
application uses, look <a href="ports.htm">here</a>.</p>
<p align="left">If you don't know what port and protocol a particular application
uses, look <a href="ports.htm">here</a>.</p>
</div>
<div align="left">
<p align="left"><b>Important: </b>I don't recommend enabling telnet to/from
the internet because it uses clear text (even for login!). If
you want shell access to your firewall from the internet, use SSH:</p>
the internet because it uses clear text (even for login!). If you
want shell access to your firewall from the internet, use SSH:</p>
</div>
<div align="left">
@ -922,7 +904,6 @@ you want shell access to your firewall from the internet, use SSH:</p>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
@ -972,7 +953,6 @@ you want shell access to your firewall from the internet, use SSH:</p>
</td>
</tr>
</tbody>
</table>
</blockquote>
@ -994,8 +974,8 @@ delete other connections as required.</p>
    The <a href="Install.htm">installation procedure </a>
configures your system to start Shorewall at system boot  but beginning
with Shorewall version 1.3.9 startup is disabled so that your system
won't try to start Shorewall before configuration is complete. Once
you have completed configuration of your firewall, you can enable Shorewall
won't try to start Shorewall before configuration is complete. Once you
have completed configuration of your firewall, you can enable Shorewall
startup by removing the file /etc/shorewall/startup_disabled.<br>
</p>
@ -1020,8 +1000,8 @@ you have completed configuration of your firewall, you can enable Shorewall
height="13">
    The two-interface sample assumes that you want to enable
routing to/from <b>eth1 </b>(the local network) when Shorewall is
stopped. If your local network isn't connected to <b>eth1</b> or if
you wish to enable access to/from other hosts, change /etc/shorewall/routestopped
stopped. If your local network isn't connected to <b>eth1</b> or if you
wish to enable access to/from other hosts, change /etc/shorewall/routestopped
accordingly.</p>
</div>
@ -1030,8 +1010,8 @@ you wish to enable access to/from other hosts, change /etc/shorewall/rou
the internet, do not issue a "shorewall stop" command unless you
have added an entry for the IP address that you are connected from
to <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better to
create an <i><a href="configuration_file_basics.htm#Configs">alternate
Also, I don't recommend using "shorewall restart"; it is better to create
an <i><a href="configuration_file_basics.htm#Configs">alternate
configuration</a></i> and test it using the <a
href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p>
</div>
@ -1044,5 +1024,6 @@ configuration</a></i> and test it using the <a
</p>
<br>
<br>
<br>
</body>
</html>

845
Shorewall-docs/two-interface_fr.html
View File

File diff suppressed because it is too large Load Diff

195
Shorewall-docs/upgrade_issues.htm
View File

@ -6,12 +6,10 @@
content="text/html; charset=windows-1252">
<title>Upgrade Issues</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none">
</head>
<body>
@ -22,8 +20,6 @@
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Upgrade Issues</font></h1>
</td>
</tr>
@ -31,7 +27,6 @@
</tbody>
</table>
<p>For upgrade instructions see the <a
href="Install.htm">Install/Upgrade page</a>.<br>
</p>
@ -40,32 +35,45 @@
version number mentioned in the section title is later than what you are
currently running.<br>
</p>
<p> In the descriptions that follows, the term <b><i>group </i></b>refers
to a particular network or subnetwork (which may be 0.0.0.0/0 or it may
be a host address) accessed through a particular interface.<br>
</p>
<p>Examples:<br>
    <br>
    eth0:0.0.0.0/0<br>
    eth2:192.168.1.0/24<br>
    eth3:192.0.2.123<br>
</p>
<h3> </h3>
<h3>Version &gt;= 1.4.2</h3>
There are some cases where you may want to handle traffic from a particular
group to itself. While I personally think that such a setups are ridiculous,
there are two cases covered in this documentation where it can occur:<br>
<ol>
<li><a href="FAQ.htm#faq2">In FAQ #2</a>.</li>
<li><a href="Shorewall_Squid_Usage.html">When running Squid as a transparent
proxy in your local zone.</a></li>
</ol>
If you have either of these cases, you will want to review the current documentation
and change your configuration accordingly.<br>
<h3>Version &gt;= 1.4.1</h3>
In the description that follows, the term <i>group </i>refers to a particular
network or subnetwork (which may be 0.0.0.0/0 or it may be a host address)
accessed through a particular interface. Examples:<br>
<blockquote>eth0:0.0.0.0/0<br>
eth2:192.168.1.0/24<br>
eth3:192.0.2.123<br>
</blockquote>
You can use the "shorewall check" command to see the groups associated with
each of your zones.<br>
<br>
<ul>
<li>Beginning with Version 1.4.1, traffic between groups in the same
zone is accepted by default. Previously, traffic from a zone to itself was
treated just like any other traffic; any matching rules were applied followed
by enforcement of the appropriate policy. With 1.4.1 and later versions,
unless you have explicit rules for traffic from Z to Z or you have an explicit
Z to Z policy (where "Z" is some zone) then traffic between the groups in
zone Z will be accepted. If you do have one or more explicit rules for Z
to Z or if you have an explicit Z to Z policy then the behavior is as it
was in prior versions.</li>
zone is accepted by default. Previously, traffic from a zone to itself
was treated just like any other traffic; any matching rules were applied
followed by enforcement of the appropriate policy. With 1.4.1 and later
versions, unless you have explicit rules for traffic from Z to Z or you
have an explicit Z to Z policy (where "Z" is some zone) then traffic between
the groups in zone Z will be accepted. If you do have one or more explicit
rules for Z to Z or if you have an explicit Z to Z policy then the behavior
is as it was in prior versions.</li>
</ul>
@ -86,10 +94,10 @@ add an explicit DROP or REJECT policy for Z to Z.<br>
</blockquote>
<ul>
<li>Beginning with Version 1.4.1, Shorewall will never create rules to
deal with traffic from a given group back to itself. The <i>multi</i> interface
option is no longer available so if you want to route traffic between two
subnetworks on the same interface then either:</li>
<li>Beginning with Version 1.4.1, Shorewall will never create rules
to deal with traffic from a given group back to itself. The <i>multi</i>
interface option is no longer available so if you want to route traffic between
two subnetworks on the same interface then either:</li>
</ul>
@ -101,6 +109,11 @@ subnetworks on the same interface then either:</li>
</ol>
</blockquote>
If you use the technique described in FAQ 2 to send local requests addressed
to your firewall's external address back to a local server then you need to
change your configuration to match <a href="FAQ.htm#faq2">the new version
of FAQ #2.<br>
</a><br>
Example 1 -- Two zones:<br>
<blockquote>
@ -114,18 +127,19 @@ subnetworks on the same interface then either:</li>
traffic is accepted by default. The second technique is preferable if you
want unlimited access between the two subnetworks.<br>
<br>
Sometimes, you want two separate zones on one interface but you don't want
Shorewall to set up any infrastructure to handle traffic between them. <br>
Sometimes, you want two separate zones on one interface but you don't
want Shorewall to set up any infrastructure to handle traffic between them.
<br>
<br>
Example:<br>
<blockquote>
<pre>/etc/shorewall/zones<br><br>z1 Zone1 The first Zone<br>z2 Zone2 The secont Zone<br><br>/etc/shorewall/interfaces<br><br>z2 eth1 192.168.1.255<br><br>/etc/shorewall/hosts<br><br>z1 eth1:192.168.1.3<br></pre>
</blockquote>
Here, zone z1 is nested in zone z2 and the firewall is not going to be involved
in any traffic between these two zones. Beginning with Shorewall 1.4.1, you
can prevent Shorewall from setting up any infrastructure to handle traffic
between z1 and z2 by using the new NONE policy:<br>
Here, zone z1 is nested in zone z2 and the firewall is not going to be
involved in any traffic between these two zones. Beginning with Shorewall
1.4.1, you can prevent Shorewall from setting up any infrastructure to handle
traffic between z1 and z2 by using the new NONE policy:<br>
<blockquote>
<pre>/etc/shorewall/policy<br><pre>z1 z2 NONE<br>z2 z1 NONE</pre></pre>
@ -143,8 +157,8 @@ and you are using a NONE polciy in the other direction.
     error: failed dependencies:iproute is needed by shorewall-1.4.0-1
<br>
<br>
This may be worked around by using the --nodeps option of rpm (rpm -Uvh
--nodeps &lt;shorewall rpm&gt;).<br>
This may be worked around by using the --nodeps option of rpm (rpm
-Uvh --nodeps &lt;shorewall rpm&gt;).<br>
<br>
If you are upgrading from a version &lt; 1.4.0, then:<br>
@ -157,20 +171,20 @@ are no longer supported nor is the <b>FORWARDPING </b>option in shorewall.con
in /etc/shorewall/interfaces now generate a Shorewall error at startup
(they always have produced warnings in iptables).</li>
<li>The MERGE_HOSTS variable has been removed from shorewall.conf.
Shorewall 1.4 behaves like 1.3 did when MERGE_HOSTS=Yes; that is zone contents
are determined by BOTH the interfaces and hosts files when there are entries
for the zone in both files.</li>
Shorewall 1.4 behaves like 1.3 did when MERGE_HOSTS=Yes; that is zone
contents are determined by BOTH the interfaces and hosts files when there
are entries for the zone in both files.</li>
<li>The <b>routestopped</b> option in the interfaces and hosts
file has been eliminated; use entries in the routestopped file instead.</li>
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no
longer accepted; you must convert to using the new syntax.</li>
<li value="6">The ALLOWRELATED variable in shorewall.conf is no
longer supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.</li>
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is
no longer accepted; you must convert to using the new syntax.</li>
<li value="6">The ALLOWRELATED variable in shorewall.conf is
no longer supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.</li>
<li value="6">Late-arriving DNS replies are now dropped by default;
there is no need for your own /etc/shorewall/common file simply to avoid
logging these packets.</li>
<li value="6">The 'firewall', 'functions' and 'version' file have
been moved to /usr/share/shorewall.</li>
<li value="6">The 'firewall', 'functions' and 'version' file
have been moved to /usr/share/shorewall.</li>
<li value="6">The icmp.def file has been removed. If you include
it from /etc/shorewall/icmpdef, you will need to modify that file.</li>
@ -190,36 +204,37 @@ longer accepted; you must convert to using the new syntax.</li>
<h3>Version 1.4.0</h3>
<ul>
<li value="8">The 'multi' interface option is no longer supported.  Shorewall
will generate rules for sending packets back out the same interface that
they arrived on in two cases:</li>
<li value="8">The 'multi' interface option is no longer supported.
 Shorewall will generate rules for sending packets back out the same
interface that they arrived on in two cases:</li>
</ul>
<blockquote>
<ul>
<li>There is an <u>explicit</u> policy for the source zone to or from
the destination zone. An explicit policy names both zones and does not
use the 'all' reserved word.</li>
<li>There is an <u>explicit</u> policy for the source zone to or
from the destination zone. An explicit policy names both zones and does
not use the 'all' reserved word.</li>
</ul>
<ul>
<li>There are one or more rules for traffic for the source zone to
or from the destination zone including rules that use the 'all' reserved
word. Exception: if the source zone and destination zone are the same then
the rule must be explicit - it must name the zone in both the SOURCE and
DESTINATION columns.</li>
word. Exception: if the source zone and destination zone are the same
then the rule must be explicit - it must name the zone in both the SOURCE
and DESTINATION columns.</li>
</ul>
</blockquote>
<h3>Version &gt;= 1.3.14</h3>
<img src="images/BD21298_3.gif" alt="" width="13" height="13">
     Beginning in version 1.3.14, Shorewall treats entries in <a
href="Documentation.htm#Masq">/etc/shorewall/masq </a>differently. The change
involves entries with an <b>interface name</b> in the <b>SUBNET</b> (second)
<b>column</b>:<br>
<img src="images/BD21298_3.gif" alt="" width="13"
height="13">
     Beginning in version 1.3.14, Shorewall treats entries in
<a href="Documentation.htm#Masq">/etc/shorewall/masq </a>differently. The
change involves entries with an <b>interface name</b> in the <b>SUBNET</b>
(second) <b>column</b>:<br>
<ul>
<li>Prior to 1.3.14, Shorewall would detect the FIRST subnet
@ -243,7 +258,8 @@ an interface name in the SUBNET (second) column; and</li>
</ol>
Two examples:<br>
<br>
 <b>Example 1</b> -- Suppose that your current config is as follows:<br>
 <b>Example 1</b> -- Suppose that your current config is as
follows:<br>
   <br>
<pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> eth0                    192.168.10.0/24         206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br> [root@gateway test]#</pre>
@ -261,7 +277,8 @@ this?<br>
</blockquote>
<pre> #INTERFACE              SUBNET                  ADDRESS <br> eth0                    192.168.1.0/24          206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<img src="images/BD21298_3.gif" alt="" width="13" height="13">
<img src="images/BD21298_3.gif" alt="" width="13"
height="13">
    Version 1.3.14 also introduced simplified ICMP echo-request
(ping) handling. The option OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf
is used to specify that the old (pre-1.3.14) ping handling is to be
@ -290,38 +307,36 @@ application will need to be changed to reflect this change of location.<br>
<p>If you have a pair of firewall systems configured for failover
or if you have asymmetric routing, you will need to modify
your firewall setup slightly under Shorewall
versions &gt;= 1.3.8. Beginning with version
1.3.8, you must set NEWNOTSYN=Yes in
your /etc/shorewall/shorewall.conf file.</p>
versions &gt;= 1.3.8. Beginning with version 1.3.8,
you must set NEWNOTSYN=Yes in your
/etc/shorewall/shorewall.conf file.</p>
<h3>Version &gt;= 1.3.7</h3>
<p>Users specifying ALLOWRELATED=No in /etc/shorewall.conf
will need to include the following
rules in their /etc/shorewall/icmpdef
file (creating this file if necessary):</p>
rules in their /etc/shorewall/icmpdef file (creating this
file if necessary):</p>
<pre> run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT</pre>
<p>Users having an /etc/shorewall/icmpdef file may remove the ". /etc/shorewall/icmp.def"
command from that file since the icmp.def file is now empty.</p>
<h3><b><a name="Bering">Upgrading </a>Bering to
Shorewall &gt;= 1.3.3</b></h3>
<h3><b><a name="Bering">Upgrading </a>Bering to Shorewall &gt;= 1.3.3</b></h3>
<p>To properly upgrade with Shorewall version
1.3.3 and later:</p>
<p>To properly upgrade with Shorewall version 1.3.3 and later:</p>
<ol>
<li>Be sure you have a backup
-- you will need to transcribe any
Shorewall configuration changes that
you have made to the new configuration.</li>
<li>Be sure you have a
backup -- you will need to transcribe
any Shorewall configuration changes
that you have made to the new configuration.</li>
<li>Replace the shorwall.lrp
package provided on the Bering floppy
with the later one. If you did not
obtain the later version from Jacques's
site, see additional instructions below.</li>
obtain the later version from Jacques's site, see additional instructions
below.</li>
<li>Edit the /var/lib/lrpkg/root.exclude.list
file and remove the /var/lib/shorewall
entry if present. Then do not forget
@ -342,30 +357,28 @@ to add the following two Bering-specific rules to /etc/shorewall/rules:<
<p align="left">If you have a pair of firewall systems configured for
failover or if you have asymmetric routing, you will need to modify
your firewall setup slightly under Shorewall versions
1.3.6 and 1.3.7</p>
your firewall setup slightly under Shorewall versions 1.3.6
and 1.3.7</p>
<ol>
<li>
<p align="left">Create the file /etc/shorewall/newnotsyn and in it add
the following rule<br>
<br>
<font face="Courier">run_iptables -A newnotsyn
-j RETURN # So that the connection tracking table can be
rebuilt<br>
                                    # from non-SYN
packets after takeover.<br>
                                    # from
non-SYN packets after takeover.<br>
 </font> </p>
</li>
<li>
<p align="left">Create /etc/shorewall/common (if you don't already
have that file) and include the following:<br>
<br>
<font face="Courier">run_iptables -A common -p
tcp --tcp-flags ACK,FIN,RST ACK -j ACCEPT #Accept Acks to
rebuild connection<br>
<font face="Courier">run_iptables -A common
-p tcp --tcp-flags ACK,FIN,RST ACK -j ACCEPT #Accept Acks
to rebuild connection<br>
                                                                   
#tracking table. <br>
. /etc/shorewall/common.def</font> </p>
@ -375,8 +388,8 @@ rebuild connection<br>
<h3 align="left">Versions &gt;= 1.3.5</h3>
<p align="left">Some forms of pre-1.3.0 rules file syntax are no
longer supported. </p>
<p align="left">Some forms of pre-1.3.0 rules file syntax are no longer
supported. </p>
<p align="left">Example 1:</p>
@ -408,19 +421,17 @@ rebuild connection<br>
<h3 align="left">Version &gt;= 1.3.2</h3>
<p align="left">The functions and versions files together with the
'firewall' symbolic link have moved from /etc/shorewall to /var/lib/shorewall.
If you have applications that access these files, those
applications should be modified accordingly.</p>
<p align="left">The functions and versions files together with the 'firewall'
symbolic link have moved from /etc/shorewall to /var/lib/shorewall.
If you have applications that access these files, those applications
should be modified accordingly.</p>
<p><font size="2"> Last updated 3/18/2003 -
<a href="support.htm">Tom Eastep</a></font> </p>
<p><font size="2"> Last updated 4/7/2003 - <a href="support.htm">Tom Eastep</a></font>
</p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p>
<br>
<br>
<br>
</body>
</html>