extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-20 01:37:59 +02:00
Code Issues Packages Projects Releases Wiki Activity

Changes for 1.3.9

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@265 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2002-09-29 21:42:38 +00:00
parent 9e24f2bdd7
commit 17eb5cd1bb
21 changed files with 10779 additions and 10067 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

448
Shorewall-docs/Documentation.htm
View File

@ -10,6 +10,7 @@
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall 1.3 Documentation</title>
<base target="_self">
<meta name="Microsoft Theme" content="none, default">
<meta name="Microsoft Border" content="none, default">
@ -52,20 +53,23 @@ in /etc/shorewall/ that establishes overall firewall policy.</li>
<li><b> <a href="#Rules">rules</a> </b> -- a parameter file installed
in /etc/shorewall and used to express firewall rules that are exceptions
to the high-level policies established in /etc/shorewall/policy.</li>
<li><b><a href="#Blacklist">blacklist</a> -- </b>a parameter file installed
in /etc/shorewall and used to list blacklisted IP/subnet/MAC addresses.</li>
<li><b><a href="#Blacklist">blacklist</a> -- </b>a parameter file
installed in /etc/shorewall and used to list blacklisted IP/subnet/MAC
addresses.</li>
<li><b> functions</b> -- a set of shell functions used by both the
firewall and shorewall shell programs. Installed in /etc/shorewall prior
to version 1.3.2 and in /var/lib/shorewall in later versions.</li>
<li><b> <a href="#modules">modules</a></b> -- a parameter file installed
in /etc/shorewall and that specifies kernel modules and their parameters.
Shorewall will automatically load the modules specified in this file.</li>
<li><a href="#TOS"><b> tos</b> </a>-- a parameter file installed in
/etc/shorewall that is used to specify how the Type of Service (TOS)
field in packets is to be set.</li>
<li><a href="#Scripts"><b> icmp.def</b> </a>-- a parameter file installed
in /etc/shorewall and that specifies the default handling of ICMP
packets when the applicable policy is DROP or REJECT.</li>
to version 1.3.2, in /var/lib/shorewall in version s 1.3.2-1.3.8 and in
/usr/lib/shorewall in later versions.</li>
<li><b> <a href="#modules">modules</a></b> -- a parameter file
installed in /etc/shorewall and that specifies kernel modules and
their parameters. Shorewall will automatically load the modules
specified in this file.</li>
<li><a href="#TOS"><b> tos</b> </a>-- a parameter file installed
in /etc/shorewall that is used to specify how the Type of Service
(TOS) field in packets is to be set.</li>
<li><a href="#Scripts"><b> icmp.def</b> </a>-- a parameter file
installed in /etc/shorewall and that specifies the default handling
of ICMP packets when the applicable policy is DROP or REJECT.</li>
<li><b><a href="#Scripts">common.def</a></b> -- a parameter file installed
in in /etc/shorewall that defines firewall-wide rules that are applied
before a DROP or REJECT policy is applied.</li>
@ -75,38 +79,41 @@ on the firewall system.</li>
<li><a href="#Hosts"><b> hosts</b> </a>-- a parameter file installed
in /etc/shorewall/ and used to describe individual hosts or subnetworks
in zones.</li>
<li><b> <a href="#Masq">masq</a></b> - This file also describes
IP masquerading under Shorewall and is installed in /etc/shorewall.</li>
<li><b><a href="#Structure">firewall</a></b> -- a shell program that
reads the configuration files in /etc/shorewall and configures your
firewall. This file is installed in your init.d
directory (/etc/rc.d/init.d ) where it is renamed <i>shorewall.</i> 
/etc/shorewall/firewall (/var/lib/shorewall/firewall in version 1.3.2 and
later) is a symbolic link to this program.</li>
<li><b> <a href="#Masq">masq</a></b> - This file also
describes IP masquerading under Shorewall and is installed in
/etc/shorewall.</li>
<li><b><a href="shorewall_firewall_structure.htm">firewall</a></b>
-- a shell program that reads the configuration files in /etc/shorewall
and configures your firewall. This file is installed in your
init.d directory (/etc/rc.d/init.d ) where it is renamed <i>shorewall.</i> 
/etc/shorewall/firewall (/var/lib/shorewall/firewall in versions 1.3.2-1.3.8
and /usr/lib/shorewall/firewall in 1.3.9 and later) is a symbolic link
to this program.</li>
<li><b> <a href="#NAT">nat</a></b> -- a parameter file in /etc/shorewall
used to define <a href="#NAT"> static NAT</a> .</li>
<li><b> <a href="#ProxyArp">proxyarp</a></b> -- a parameter file
in /etc/shorewall used to define <a href="#ProxyArp"> Proxy Arp</a>
.</li>
in /etc/shorewall used to define <a href="#ProxyArp"> Proxy
Arp</a> .</li>
<li><b><a href="#rfc1918">rfc1918</a></b> -- a parameter file in
/etc/shorewall used to define the treatment of packets under the <a
href="#Interfaces">norfc1918 interface option</a>.</li>
<li><b><a href="#Routestopped">routestopped</a></b> -- a parameter file
in /etc/shorewall used to define those hosts that can access the firewall
when Shorewall is stopped.</li>
<li><a href="traffic_shaping.htm#tcrules"><b>tcrules</b> </a>-- a parameter
file in /etc/shorewall used to define rules for classifying packets for
<a href="traffic_shaping.htm">Traffic Shaping/Control</a>.</li>
<li><b> <a href="#Tunnels">tunnels</a></b> -- a parameter file in
/etc/shorewall used to define IPSec tunnels.</li>
<li><b><a href="#Routestopped">routestopped</a></b> -- a parameter
file in /etc/shorewall used to define those hosts that can access the
firewall when Shorewall is stopped.</li>
<li><a href="traffic_shaping.htm#tcrules"><b>tcrules</b> </a>-- a
parameter file in /etc/shorewall used to define rules for classifying
packets for <a href="traffic_shaping.htm">Traffic Shaping/Control</a>.</li>
<li><b> <a href="#Tunnels">tunnels</a></b> -- a parameter file
in /etc/shorewall used to define IPSec tunnels.</li>
<li><b> <a href="#Starting">shorewall</a> </b> -- a shell program
(requiring a Bourne shell or derivative) used to control and
monitor the firewall. This should be placed in /sbin or in
/usr/sbin (the install.sh script and the rpm install this file
in /sbin).</li>
<li><b> <a href="#Version">version</a></b> -- a file created in /etc/shorewall/
(/var/lib/shorewall in version 1.3.2 and later) that describes
the version of  Shorewall installed on your system.</li>
<li><b> version</b> -- a file created in /etc/shorewall/
(/var/lib/shorewall in version 1.3.2-1.3.8 and /usr/lib/shorewall
beginning in version 1.3.9) that describes the version of  Shorewall
installed on your system.</li>
</ul>
@ -140,18 +147,18 @@ files.</p>
in /etc/shorewall/zones for each zone; Columns in an entry are:</p>
<ul>
<li><b> ZONE</b> - short name for the zone. The name should be 5 characters
or less in length and consist of lower-case letters or numbers. Short
names must begin with a letter and the name assigned to the firewall is
reserved for use by Shorewall itself. Note that the output produced
<li><b> ZONE</b> - short name for the zone. The name should be 5
characters or less in length and consist of lower-case letters or numbers.
Short names must begin with a letter and the name assigned to the firewall
is reserved for use by Shorewall itself. Note that the output produced
by iptables is much easier to read if you select short names that
are three characters or less in length. The name "all" may not be
used as a zone name nor may the zone name assigned to the firewall itself
via the FW variable in <a href="#Conf">/etc/shorewall/shorewall.conf</a>.</li>
<li><b> DISPLAY</b> - The name of the zone as displayed during Shorewall
startup.</li>
<li><b> COMMENTS</b> - Any comments that you want to make about the
zone. Shorewall ignores these comments.</li>
<li><b> COMMENTS</b> - Any comments that you want to make about
the zone. Shorewall ignores these comments.</li>
</ul>
@ -180,6 +187,7 @@ zone. Shorewall ignores these comments.</li>
<td>Demilitarized zone</td>
</tr>
</tbody>
</table>
@ -209,9 +217,9 @@ accessed via this interface.</li>
ppp0, ipsec+)</li>
<li><b> BROADCAST</b> - the broadcast address(es) for the sub-network(s)
attached to the interface. This should be left empty for P-T-P interfaces
(ppp*, ippp*); if you need to specify options for such an interface, enter
"-" in this column. If you supply the special value "detect" in this
column, the firewall will automatically determine the broadcast address.
(ppp*, ippp*); if you need to specify options for such an interface,
enter "-" in this column. If you supply the special value "detect" in
this column, the firewall will automatically determine the broadcast address.
In order to use "detect":
<ul>
<li>you must have iproute installed</li>
@ -239,13 +247,14 @@ that use DHCP and you select the <b>norfc1918 </b>option (see below).</p>
the firewall will be ignored by this interface.<br>
<br>
<b>filterping </b>- ICMP echo-request (ping) packets addressed to the
firewall will be handled according to the /etc/shorewall/rules and /etc/shorewall/policy
file. If the applicable policy is DROP or REJECT and you have supplied
your own /etc/shorewall/icmpdef file then these 'ping' requests will be
passed through the rules in that file before being dropped or rejected.
If neither <b>noping </b>nor <b>filterping</b> is specified then the firewall
will automatically ACCEPT these 'ping' requests. If both <b>noping</b>
and <b>filterping </b>are specified, <b>filterping</b> takes precedence.</p>
firewall will be handled according to the /etc/shorewall/rules and
/etc/shorewall/policy file. If the applicable policy is DROP or REJECT and
you have supplied your own /etc/shorewall/icmpdef file then these 'ping'
requests will be passed through the rules in that file before being dropped
or rejected. If neither <b>noping </b>nor <b>filterping</b> is specified
then the firewall will automatically ACCEPT these 'ping' requests. If both
<b>noping</b> and <b>filterping </b>are specified, <b>filterping</b>
takes precedence.</p>
<p> <b> routestopped</b> - Beginning with Shorewall 1.3.4, this option
is deprecated in favor of the <a href="#Routestopped">/etc/shorewall/routestopped</a>
@ -274,8 +283,8 @@ to allow access to certain addresses from the above list, see <a
<p> <b> routefilter</b> - Invoke the Kernel's route filtering
(anti-spoofing) facility on this interface. The kernel will reject
any packets incoming on this interface that have a source address that
would be routed outbound through another interface on the firewall.
any packets incoming on this interface that have a source address
that would be routed outbound through another interface on the firewall.
<font color="#ff0000">Warning: </font>If you specify this option
for an interface then the interface must be up prior to starting the
firewall.</p>
@ -285,8 +294,8 @@ you want to be able to route between them. Example: you have two addresse
on your single local interface eth1, one each in subnets 192.168.1.0/24
and 192.168.2.0/24 and you want to route between these subnets. Because
you only have one interface in the local zone, Shorewall won't normally
create a rule to forward packets from eth1 to eth1. Adding "multi" to
the entry for eth1 will cause Shorewall to create the loc2loc chain
create a rule to forward packets from eth1 to eth1. Adding "multi"
to the entry for eth1 will cause Shorewall to create the loc2loc chain
and the appropriate forwarding rule.</p>
<p><b>dropunclean</b> - Packets from this interface that
@ -295,8 +304,8 @@ and the appropriate forwarding rule.</p>
<font color="#ff0000"><b>Warning: This feature requires
that UNCLEAN match support be configured in your kernel,
either in the kernel itself or as a module. UNCLEAN support
is broken in some versions of the kernel but appears to
work ok in 2.4.17-rc1.<br>
is broken in some versions of the kernel but appears
to work ok in 2.4.17-rc1.<br>
<br>
Update 12/17/2001: </b></font>The unclean match patch
from 2.4.17-rc1 is <a
@ -309,10 +318,10 @@ applied to kernel 2.4.16.</p>
being dropped in the <i>badpkt</i> chain. This appears
to be a bug in the remote TCP stack whereby it is 8-byte
aligning a timestamp (TCP option 8) but rather than padding
with 0x01 it is padding with 0x00. It's a tough call whether
to deny people access to your servers because of this
rather minor bug in their networking software. If you
wish to disable the check that causes these connections
with 0x01 it is padding with 0x00. It's a tough call
whether to deny people access to your servers because
of this rather minor bug in their networking software.
If you wish to disable the check that causes these connections
to be dropped, <a
href="ftp://ftp.shorewall.net/pub/shorewall/misc/unclean1.patch">here's
a kernel patch</a> against 2.4.17-rc2.</p>
@ -326,8 +335,8 @@ and if LOGUNCLEAN has not been set, "info" is assumed.</p>
<p><b>proxyarp </b>(Added in version 1.3.5) - This option
causes Shorewall to set /proc/sys/net/ipv4/conf/<i>&lt;interface&gt;</i>/proxy_arp
and is used when implementing Proxy ARP Sub-netting as
described at <a
and is used when implementing Proxy ARP Sub-netting
as described at <a
href="http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/">
http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/</a>. Do <u>
not</u> set this option if you are implementing Proxy ARP
@ -375,6 +384,7 @@ Your /etc/shorewall/interfaces file would be as follows:</p>
<p>Example 2: You have a standalone dialup GNU/Linux System. Your /etc/shorewall/interfaces
file would be:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;">
<tbody>
@ -622,12 +632,13 @@ connection request then the policy from /etc/shorewall/policy is applied.</p>
<p>Four policies are defined:</p>
<ul>
<li><b> ACCEPT</b> - The connection is allowed.</li>
<li><b> DROP</b> - The connection request is ignored.</li>
<li><b> REJECT</b> - The connection request is rejected with an RST
(TCP) or an ICMP destination-unreachable packet being returned to the
client.</li>
<li><b> REJECT</b> - The connection request is rejected with an
RST (TCP) or an ICMP destination-unreachable packet being returned
to the client.</li>
<li><b> CONTINUE </b> - The connection is neither ACCEPTed, DROPped
nor REJECTed. CONTINUE may be used when one or both of the zones named
in the entry are sub-zones of or intersect with another zone. For more
@ -657,10 +668,11 @@ zone (a zone defined in the <a href="#Zones"> /etc/shorewall/zones
<li> <b> POLICY</b> - The default policy
for connection requests from the SOURCE zone to the DESTINATION zone.</li>
<li> <b> LOG LEVEL</b> - Optional. If left
empty, no log message is generated when the policy is applied. Otherwise,
this column should contain an integer or name indicating a syslog level.
See the syslog.conf man page for a description of each log level.</li>
<li> <b> LOG LEVEL</b> - Optional. If
left empty, no log message is generated when the policy is applied.
Otherwise, this column should contain an integer or name indicating
a syslog level. See the syslog.conf man page for a description of
each log level.</li>
<li> <b>LIMIT:BURST </b>- Optional. If left
empty, TCP connection requests from the <b>SOURCE</b> zone to the <b>DEST</b>
@ -740,8 +752,8 @@ and logged at level KERNEL.INFO.</li>
<p><font color="#ff0000"><b> The firewall script processes</b> <b> the
/etc/shorewall/policy file from top to bottom and <u>uses the first applicable
policy that it finds.</u> For example, in the following policy file,
the policy for (loc, loc) connections would be ACCEPT as specified in the
first entry even though the third entry in the file specifies REJECT.</b></font></p>
the policy for (loc, loc) connections would be ACCEPT as specified in
the first entry even though the third entry in the file specifies REJECT.</b></font></p>
<blockquote> <font
face="Century Gothic, Arial, Helvetica"> </font>
@ -846,6 +858,7 @@ under the rules of all of these zones. Let's look at an example:</p>
</tr>
</tbody>
</table>
@ -874,6 +887,7 @@ under the rules of all of these zones. Let's look at an example:</p>
</tr>
</tbody>
</table>
@ -926,6 +940,7 @@ be listed before <b>net</b>
</tbody>
</table>
</blockquote>
@ -1106,24 +1121,26 @@ in the /etc/shorewall/policy file. There is one entry in /etc/shorewall/rules
for each of these rules. </p>
<p>Entries in the file have the following columns:</p>
<ul>
<li><b>ACTION</b>
<ul>
<li>ACCEPT, DROP or REJECT. These have the same meaning here as in
the policy file above.</li>
<li>DNAT -- Causes the connection request to be forwarded to the system
specified in the DEST column (port forwarding). "DNAT" stands for "<u>D</u>estination
<u>N</u>etwork <u>A</u>ddress <u>T</u>ranslation"</li>
<li>ACCEPT, DROP or REJECT. These have the same meaning here as
in the policy file above.</li>
<li>DNAT -- Causes the connection request to be forwarded to the
system specified in the DEST column (port forwarding). "DNAT" stands
for "<u>D</u>estination <u>N</u>etwork <u>A</u>ddress <u>T</u>ranslation"</li>
<li>REDIRECT -- Causes the connection request to be redirected to
a port on the local (firewall) system.</li>
</ul>
<p>The ACTION may optionally be followed by ":" and a syslogd log
level (example: REJECT:info). This causes the packet to be logged at the
specified level prior to being processed according to the specified ACTION.<br>
level (example: REJECT:info). This causes the packet to be logged at
the specified level prior to being processed according to the specified
ACTION.<br>
<br>
The use of DNAT or REDIRECT requires that you have <a
href="#NatEnabled">NAT enabled</a>.<br>
@ -1141,9 +1158,12 @@ by a comma-separated list of qualifiers. Qualifiers are may include:
<ul>
<li>An interface name - refers to any connection requests arriving
on the specified interface (example loc:eth4).</li>
<li>An IP address - refers to a connection request from the host with
the specified address (example net:155.186.235.151)</li>
on the specified interface (example loc:eth4). Beginning with Shorwall
1.3.9, the interface name may optionally be followed by a colon (":") and
an IP address or subnet (examples: loc:eth4:192.168.4.22, net:eth0:192.0.2.0/24).</li>
<li>An IP address - refers to a connection request from the host
with the specified address (example net:155.186.235.151). If the
ACTION is DNAT, this must not be a DNS name.</li>
<li>A MAC Address in <a href="#MAC">Shorewall format</a>.</li>
<li>A subnet - refers to a connection request from any host in the
specified subnet (example net:155.186.235.0/24).</li>
@ -1151,16 +1171,16 @@ on the specified interface (example loc:eth4).</li>
</ul>
</li>
<li><b>DEST</b> - Describes the destination host(s) to which the rule
applies. May take any of the forms described above for SOURCE plus the
following two additional forms:
applies. May take any of the forms described above for SOURCE plus
the following two additional forms:
<ul>
<li>An IP address followed by a colon and the port <u>number</u> that
the server is listening on (service names from /etc/services are
not allowed - example loc:192.168.1.3:80). </li>
<li>A single port number (again, service names are not allowed) --
this form is only allowed if the ACTION is REDIRECT and refers to a
server running on the firewall itself and listening on the specified
port.</li>
<li>An IP address followed by a colon and the port <u>number</u>
that the server is listening on (service names from /etc/services
are not allowed - example loc:192.168.1.3:80). </li>
<li>A single port number (again, service names are not allowed)
-- this form is only allowed if the ACTION is REDIRECT and refers
to a server running on the firewall itself and listening on the
specified port.</li>
</ul>
</li>
@ -1169,15 +1189,16 @@ a number, "all" or "related". Specifies the protocol of the connection
request. "related" should be specified only if you have given ALLOWRELATED="no"
in /etc/shorewall/shorewall.conf and you wish to override that setting
for related connections originating with the client(s) and server(s)
specified in this rule. When "related" is given for the protocol, the
remainder of the columns should be left blank.</li>
specified in this rule. When "related" is given for the protocol,
the remainder of the columns should be left blank.</li>
<li><b> DEST PORT(S)</b> - Port or port range (&lt;low port&gt;:&lt;high
port&gt;) being connected to. May only be specified if the protocol
is tcp, udp or icmp. For icmp, this column's contents are interpreted
as an icmp type. If you don't want to specify DEST PORT(S) but need
to include information in one of the columns to the right, enter "-"
in this column. You may give a list of ports and/or port ranges separated
by commas. Port numbers may be either integers or service names from /etc/services.</li>
by commas. Port numbers may be either integers or service names from
/etc/services.</li>
<li><b> SOURCE</b> <b>PORTS(S) </b>- May be used to restrict the
rule to a particular client port or port range (a port range is specified
as &lt;low port number&gt;:&lt;high port number&gt;). If you don't want
@ -1188,19 +1209,19 @@ space). Port numbers may be either integers or service names from /etc/servi
<li><b>ORIGINAL DEST</b> - This column may only be non-empty if the
ACTION is DNAT or REDIRECT.<br>
<br>
If DNAT or REDIRECT is the ACTION and the ORIGINAL DEST column is left
empty, any connection request arriving at the firewall from the SOURCE
that matches the rule will be forwarded or redirected. This works fine
for connection requests arriving from the internet where the firewall
If DNAT or REDIRECT is the ACTION and the ORIGINAL DEST column is
left empty, any connection request arriving at the firewall from the
SOURCE that matches the rule will be forwarded or redirected. This works
fine for connection requests arriving from the internet where the firewall
has only a single external IP address. When the firewall has multiple
external IP addresses or when the SOURCE is other than the internet, there
will usually be a desire for the rule to only apply to those connection
external IP addresses or when the SOURCE is other than the internet,
there will usually be a desire for the rule to only apply to those connection
requests directed to a particular IP address (see Example 2 below for
another usage). That IP address (or a comma-separated list of such addresses)
is specified in the ORIGINAL DEST column.<br>
<br>
The IP address may be optionally followed by ":" and a second IP
address. This latter address, if present, is used as the source address
The IP address may be optionally followed by ":" and a second
IP address. This latter address, if present, is used as the source address
for packets forwarded to the server (This is called "Source NAT" or SNAT).<br>
<br>
<b><font
@ -1273,8 +1294,8 @@ require access to remote web servers. This example shows yet
<a href="#GettingStarted">
(notice the "!")</a> originally
destined to 206.124.146.177
are redirected to local port
3128.</p>
are redirected to local
port 3128.</p>
<blockquote> <font
face="Century Gothic, Arial, Helvetica"> </font>
@ -1367,21 +1388,22 @@ by Proxy ARP or by classical sub-netting.</p>
</table>
</blockquote>
<p><b> Example 4. </b> You want to run wu-ftpd on 192.168.2.2 in your masqueraded
DMZ. Your internet interface address is 155.186.235.151 and you want the
FTP server to be accessible from the internet in addition to the local
DMZ. Your internet interface address is 155.186.235.151 and you want
the FTP server to be accessible from the internet in addition to the local
192.168.1.0/24 and dmz 192.168.2.0/24 subnetworks. Note that since the
server is in the 192.168.2.0/24 subnetwork, we can assume that access to
the server from that subnet will not involve the firewall (<a
server is in the 192.168.2.0/24 subnetwork, we can assume that access
to the server from that subnet will not involve the firewall (<a
href="FAQ.htm#faq2">but see FAQ 2</a>). Note that unless you
have more than one external
IP address, you can leave
the ORIGINAL DEST column
blank in the first rule.
You cannot leave it blank
in the second rule though
because then <u>all
ftp connections</u>
You cannot leave it
blank in the second rule
though because then
<u>all ftp connections</u>
originating in the local
subnet 192.168.1.0/24 would
be sent to 192.168.2.2 <u>
@ -1393,6 +1415,7 @@ originating in the local
src="images/SY00079.gif" width="20" height="20" align="top">
.</p>
<blockquote> <font
face="Century Gothic, Arial, Helvetica"> </font><font
face="Century Gothic, Arial, Helvetica"> </font>
@ -1527,8 +1550,8 @@ the pure-ftpd runline.</p>
requirements. Rather
than modify
/etc/shorewall/common.def,
you should copy that
file to
you should copy
that file to
/etc/shorewall/common
and modify that file.</p>
@ -1557,8 +1580,8 @@ function 'run_iptables'.
<p>The /etc/shorewall/masq file is used to define classical IP Masquerading
and Source Network Address Translation  (SNAT). There is one entry in the
file for each subnet that you want to masquerade. In order to make use of
this feature, you must have <a href="#NatEnabled">NAT enabled</a> .</p>
file for each subnet that you want to masquerade. In order to make use
of this feature, you must have <a href="#NatEnabled">NAT enabled</a> .</p>
@ -1618,8 +1641,8 @@ file would look like:
<p><b> Example 2:</b> You have a number of IPSEC tunnels through ipsec0
and you want to masquerade traffic from your 192.168.9.0/24 subnet to the
remote subnet 10.1.0.0/16 only.</p>
and you want to masquerade traffic from your 192.168.9.0/24 subnet to
the remote subnet 10.1.0.0/16 only.</p>
<blockquote>
@ -1648,10 +1671,11 @@ file would look like:
<p><b> Example 3:</b> You have a DSL line connected on eth0 and a local
network (192.168.10.0/24)
connected to eth1.
You want all local-&gt;net
connections to
use source address
connected to
eth1. You want
all local-&gt;net
connections to use
source address
206.124.146.176.</p>
<blockquote>
@ -1723,16 +1747,16 @@ use source address
If you decide
to use the technique
described in
that HOWTO, you
can set the
that HOWTO,
you can set the
proxy_arp flag
for an interface
(/proc/sys/net/ipv4/conf/<i>&lt;interface&gt;</i>/proxy_arp)
by including the
<b> proxyarp</b>
option in the
interface's record
in <a
interface's
record in <a
href="#Interfaces">
/etc/shorewall/interfaces</a>.
When using Proxy ARP
@ -1753,14 +1777,14 @@ in <a
need one entry
in this file
for each system
using proxy ARP.
Columns are:</p>
using proxy
ARP. Columns are:</p>
<ul>
<li><b> ADDRESS</b> - address of the system.</li>
<li><b> INTERFACE</b> - the interface that connects to the system.
If the interface is obvious from the subnetting, you may enter "-" in
this column.</li>
If the interface is obvious from the subnetting, you may enter "-"
in this column.</li>
<li><b> EXTERNAL</b> - the external interface that you want to honor
ARP requests for the ADDRESS specified in the first column.</li>
<li><b>HAVEROUTE</b> - If
@ -1788,8 +1812,8 @@ ARP requests for the ADDRESS specified in the first column.</li>
file, you may need to flush the ARP cache of all routers on the LAN segment
connected to the interface specified in the EXTERNAL column of the change/added
entry(s). If you are having problems communicating between an individual
host (A) on that segment and a system whose entry has changed, you may need
to flush the ARP cache on host A as well.</b></font></p>
host (A) on that segment and a system whose entry has changed, you may
need to flush the ARP cache on host A as well.</b></font></p>
<p><font color="#cc6666"><b>ISPs typically have ARP configured with long TTL
@ -1859,8 +1883,8 @@ files</a>.</p>
If you start or restart Shorewall with an IPSEC tunnel active, the proxied
IP addresses are mistakenly assigned to the IPSEC tunnel device (ipsecX)
rather than to the interface that you specify in the INTERFACE column of
/etc/shorewall/proxyarp. I haven't had the time to debug this problem so I
can't say if it is a bug in the Kernel or in FreeS/Wan. </p>
/etc/shorewall/proxyarp. I haven't had the time to debug this problem so
I can't say if it is a bug in the Kernel or in FreeS/Wan. </p>
<p>You <b>might</b> be able to work around this problem using the following
(I haven't tried it):</p>
@ -1921,10 +1945,10 @@ the <a
<p>Columns in an entry are:</p>
<ul>
<li><b> EXTERNAL</b> - External IP address - <u>This should NOT be
the primary IP address of the interface named in the next column.</u></li>
<li><b> INTERFACE</b> - Interface that you want the EXTERNAL IP address
to appear on.</li>
<li><b> EXTERNAL</b> - External IP address - <u>This should NOT
be the primary IP address of the interface named in the next column.</u></li>
<li><b> INTERFACE</b> - Interface that you want the EXTERNAL IP
address to appear on.</li>
<li><b> INTERNAL </b> - Internal IP address.</li>
<li><b>ALL
INTERFACES</b>
@ -1936,9 +1960,9 @@ to appear on.</li>
be
effective
from all
hosts. If
No
or no
hosts.
If
No or no
then NAT
will be
effective
@ -1971,8 +1995,8 @@ in your kernel.</li>
<p> The /etc/shorewall/tunnels file allows you to define IPSec, GRE and
IPIP tunnels with end-points on your firewall. To use ipsec, you must install
version 1.9, 1.91 or the current <a
IPIP tunnels with end-points on your firewall. To use ipsec, you must
install version 1.9, 1.91 or the current <a
href="http://www.xs4all.nl/%7Efreeswan/">FreeS/WAN</a> development snapshot. </p>
@ -1997,37 +2021,37 @@ about setting up PPTP
<ul>
<li><b>NEWNOTSYN </b>- Added in Version 1.3.8<br>
When set to "Yes" or "yes", Shorewall will filter TCP packets that are not
part of an established connention and that are not SYN packets (SYN flag
on - ACK flag off). If set to "No", Shorewall will silently drop such packets.
If not set or set to the empty value (e.g., "NEWNOTSYN="), NEWNOTSYN=No is
assumed.<br>
When set to "Yes" or "yes", Shorewall will filter TCP packets that are
not part of an established connention and that are not SYN packets (SYN
flag on - ACK flag off). If set to "No", Shorewall will silently drop such
packets. If not set or set to the empty value (e.g., "NEWNOTSYN="), NEWNOTSYN=No
is assumed.<br>
<br>
If you have a HA setup with failover to another firewall, you should have
NEWNOTSYN=Yes on both firewalls. You should also select NEWNOTSYN=Yes if
you have asymmetric routing.<br>
</li>
<li><b>FORWARDPING</b> - Added in Version 1.3.7<br>
When set to "Yes" or "yes", ICMP echo-request (ping) packets from interfaces
that specify "filterping" are ACCEPTed by the firewall. When set to "No"
or "no", such ping requests are silently dropped unless they are handled
by an explicit entry in the <a href="#Rules">rules file</a>. If not specified,
"No" is assumed.</li>
When set to "Yes" or "yes", ICMP echo-request (ping) packets from
interfaces that specify "filterping" are ACCEPTed by the firewall. When
set to "No" or "no", such ping requests are silently dropped unless
they are handled by an explicit entry in the <a href="#Rules">rules
file</a>. If not specified, "No" is assumed.</li>
<li><b>LOGNEWNOTSYN</b> - Added in Version 1.3.6<br>
Beginning with version 1.3.6, Shorewall drops non-SYN TCP packets that
are not part of an existing connection. If you would like to log these
packets, set LOGNEWNOTSYN to the syslog level at which you want the packets
logged. Example: LOGNEWNOTSYN=debug|<br>
Beginning with version 1.3.6, Shorewall drops non-SYN TCP packets
that are not part of an existing connection. If you would like to log
these packets, set LOGNEWNOTSYN to the syslog level at which you want
the packets logged. Example: LOGNEWNOTSYN=debug|<br>
<br>
<b>Note: </b>Packets logged under this option are usually the result
of broken remote IP stacks rather than the result of any sort of attempt
to breach your firewall.<br>
 </li>
<li><b>MERGE_HOSTS </b>- Added in Version 1.3.5<br>
Prior to 1.3.5, when the <a href="#Hosts">/etc/shorewall/hosts</a> file
included an entry for a zone then the entire zone had to be defined in
the /etc/shorewall/hosts file and any associations between the zone and
interfaces in the <a href="#Interfaces">/etc/shorewall/interfaces</a>
Prior to 1.3.5, when the <a href="#Hosts">/etc/shorewall/hosts</a>
file included an entry for a zone then the entire zone had to be defined
in the /etc/shorewall/hosts file and any associations between the zone
and interfaces in the <a href="#Interfaces">/etc/shorewall/interfaces</a>
file were ignored. This behavior is preserved if MERGE_HOSTS=No or if
MERGE_HOSTS is not set or is set to the empty value.<br>
<br>
@ -2089,8 +2113,8 @@ file. <br>
  </p>
</li>
<li><b>DETECT_DNAT_ADDRS</b> - Added in Version 1.3.4<br>
If set to "Yes" or "yes", Shorewall will detect the IP address(es) of the
interface(es) to the source zone and will include this (these) address(es)
If set to "Yes" or "yes", Shorewall will detect the IP address(es) of
the interface(es) to the source zone and will include this (these) address(es)
in DNAT rules as the original destination IP address. If set to "No" or "no",
Shorewall will not detect this (these) address(es) and any destination IP
address will match the DNAT rule. If not specified or empty, "DETECT_DNAT_ADDRS=Yes"
@ -2122,23 +2146,23 @@ set to an empty value, "Yes" is assumed.</li>
parameter
specifies
the name
of the firewall
zone. If
not set or
of the
firewall zone.
If not set or
if set to an
empty string,
the value
"fw"
is assumed.</li>
<li><b>SUBSYSLOCK</b><br>
This parameter should be set to the name of a file that the firewall
should create if it starts successfully and remove when it stops.
Creating and removing this file allows Shorewall to work with your
distribution's initscripts. For RedHat, this should be set to /var/lock/subsys/shorewall.
For Debian, the value is /var/state/shorewall and in LEAF it is
This parameter should be set to the name of a file that the
firewall should create if it starts successfully and remove when
it stops. Creating and removing this file allows Shorewall to work
with your distribution's initscripts. For RedHat, this should be
set to /var/lock/subsys/shorewall. For Debian, the value is /var/state/shorewall
and in LEAF it is
/var/run/shorwall.
Example:
SUBSYSLOCK=/var/lock/subsys/shorewall.</li>
Example: SUBSYSLOCK=/var/lock/subsys/shorewall.</li>
<li><b> STATEDIR</b><br>
This parameter specifies the name of a directory where Shorewall
stores state information. If the directory doesn't exist when Shorewall
@ -2149,13 +2173,13 @@ is running, create the new directory if necessary then copy the contents
of the old directory to the new directory. </li>
<li><b> ALLOWRELATED</b><br>
This parameter must be assigned the value "Yes" ("yes")
or "No" ("no") and specifies whether Shorewall allows connection requests
that are related to an already allowed connection. If you say "No"
("no"), you can still override this setting by including "related" rules
in /etc/shorewall/rules ("related" given as the protocol). If you
specify ALLOWRELATED=No, you will need to include rules in <a
href="shorewall_extension_scripts.htm">/etc/shorewall/icmpdef</a> to
handle common ICMP packet types.</li>
or "No" ("no") and specifies whether Shorewall allows connection
requests that are related to an already allowed connection. If you
say "No" ("no"), you can still override this setting by including
"related" rules in /etc/shorewall/rules ("related" given as the protocol).
If you specify ALLOWRELATED=No, you will need to include rules in
<a href="shorewall_extension_scripts.htm">/etc/shorewall/icmpdef</a>
to handle common ICMP packet types.</li>
<li><b> MODULESDIR</b><br>
This parameter specifies the directory where your kernel netfilter
modules may be found. If you leave the variable empty, Shorewall
@ -2163,8 +2187,8 @@ will supply the value "/lib/modules/`uname -r`/kernel/net/ipv4/netfilter
<li><b> LOGRATE </b> and <b> LOGBURST</b><br>
These parameters set the match rate and initial burst size for
logged packets. Please see the iptables man page for a description of
the behavior of these parameters (the iptables option --limit is set by
LOGRATE and --limit-burst is set by LOGBURST). If both parameters are
the behavior of these parameters (the iptables option --limit is set
by LOGRATE and --limit-burst is set by LOGBURST). If both parameters are
set empty, no rate-limiting will occur.<br>
<br>
Example:<br>
@ -2204,15 +2228,15 @@ parameter
    Masquerading<br>
<br>
If the parameter has no value or has a value of "Yes" or
"yes" then NAT is enabled. If the parameter has a value of "no" or
"No" then NAT is disabled.<br>
"yes" then NAT is enabled. If the parameter has a value of "no"
or "No" then NAT is disabled.<br>
</li>
<li><b> MANGLE_ENABLED</b><br>
This parameter determines if packet mangling is enabled. If the
parameter has no value or has a value of "Yes" or "yes" than
This parameter determines if packet mangling is enabled. If
the parameter has no value or has a value of "Yes" or "yes" than
packet mangling is enabled. If the parameter has a value of "no"
or "No" then packet mangling is disabled. If packet mangling is disabled,
the /etc/shorewall/tos file is ignored.<br>
or "No" then packet mangling is disabled. If packet mangling is
disabled, the /etc/shorewall/tos file is ignored.<br>
</li>
<li><b> IP_FORWARDING</b><br>
This parameter determines whether Shorewall enables or disables
@ -2232,17 +2256,17 @@ values are:<br>
the
<i>external </i>address(es) in <a href="#NAT">/etc/shorewall/nat</a>
. If the variable is set to "Yes" or "yes" then Shorewall automatically
adds these aliases. If it is set to "No" or "no", you must add
these aliases yourself using your distribution's network configuration
adds these aliases. If it is set to "No" or "no", you must
add these aliases yourself using your distribution's network configuration
tools.<br>
<br>
If this variable is not set or is given an empty value (ADD_IP_ALIASES="")
then ADD_IP_ALIASES=Yes is assumed.</li>
<li><b>ADD_SNAT_ALIASES</b><br>
This parameter determines whether Shorewall automatically adds the SNAT
<i> ADDRESS </i>in <a href="#Masq">/etc/shorewall/masq</a>. If the
variable is set to "Yes" or "yes" then Shorewall automatically adds these
addresses. If it is set to "No" or "no", you must add these addresses
This parameter determines whether Shorewall automatically adds the
SNAT <i> ADDRESS </i>in <a href="#Masq">/etc/shorewall/masq</a>. If
the variable is set to "Yes" or "yes" then Shorewall automatically adds
these addresses. If it is set to "No" or "no", you must add these addresses
yourself using your distribution's network configuration tools.<br>
<br>
If this variable is not set or is given an empty value (ADD_SNAT_ALIASES="")
@ -2356,8 +2380,8 @@ parameter
"Yes"
or
"yes",
the feature is
enabled.
the feature
is enabled.
If left
blank or
set to
@ -2406,6 +2430,7 @@ value is "no".</li>
<blockquote>
<p>loadmodule
<i>&lt;modulename&gt;
</i>[ <i> &lt;module parameters&gt; </i>]</p>
@ -2425,6 +2450,7 @@ value is "no".</li>
<blockquote>
@ -2435,10 +2461,12 @@ value is "no".</li>
<p><i> &lt;module parameters&gt;</i></p>
<blockquote>
@ -2512,16 +2540,16 @@ the zone name with a colon (":") and either an IP address, an IP subnet,
a MAC address in <a href="#MAC">Shorewall Format</a> or the name
of an interface. This column may also contain the <a href="#FW">name of
the firewall</a>
zone to
indicate packets originating on the firewall itself or "all" to
zone
to indicate packets originating on the firewall itself or "all" to
indicate any source.</li>
<li><b> DEST</b> -- The destination zone. May be qualified by following
the zone name with a colon (":") and either an IP address or an IP
subnet. Because packets are marked prior to routing, you may not specify
the name of an interface. This column may also contain  "all"
to indicate any destination.</li>
<li><b> PROTOCOL</b> -- The name of a protocol in /etc/protocols or
the protocol's number.</li>
<li><b> PROTOCOL</b> -- The name of a protocol in /etc/protocols
or the protocol's number.</li>
<li><b> SOURCE PORT(S)</b> -- The source port or a port range. For
all ports, place a hyphen ("-") in this column.</li>
<li><b> DEST PORT(S)</b>  -- The destination port or a port range.
@ -2706,19 +2734,22 @@ Format</a>
designed to prevent listed hosts/subnets from accessing services on <u><b>your</b></u>
network.<br>
</p>
<p>Beginning with Shorewall 1.3.8, the blacklist file has three columns:<br>
</p>
<ul>
<li><b>ADDRESS/SUBNET - </b>As described above.</li>
<li><b>PROTOCOL</b> - Optional. If specified, only packets specifying this
protocol will be blocked.</li>
<li><b>PROTOCOL</b> - Optional. If specified, only packets specifying
this protocol will be blocked.</li>
<li><b>PORTS - </b>Optional; may only be given if PROTOCOL is tcp, udp
or icmp. Expressed as a comma-separated list of port numbers or service names
(from /etc/services). If present, only packets destined for the specified
or icmp. Expressed as a comma-separated list of port numbers or service
names (from /etc/services). If present, only packets destined for the specified
protocol and one of the listed ports are blocked. When the PROTOCOL is icmp,
the PORTS column contains a comma-separated list of ICMP type numbers or
names (see "iptables -h icmp").<br>
</li>
</ul>
@ -2786,11 +2817,12 @@ the firewall is stopped.
<ul>
<li><b>INTERFACE </b>- The firewall interface through which the
host(s) comminicate with the firewall.</li>
<li><b>INTERFACE </b>- The firewall interface through which
the host(s) comminicate with the firewall.</li>
<li><b>HOST(S) </b>- (Optional) - A comma-separated list of IP/Subnet
addresses. If not supplied or supplied as "-" then 0.0.0.0/0 is assumed.</li>
<li><b>HOST(S) </b>- (Optional) - A comma-separated list of
IP/Subnet addresses. If not supplied or supplied as "-" then 0.0.0.0/0 is
assumed.</li>
</ul>
@ -2842,7 +2874,7 @@ eth1 and your local hosts through eth2.</p>
<p><font size="2"> Updated 9/16/2002 - <a href="support.htm">Tom Eastep</a>
<p><font size="2"> Updated 9/28/2002 - <a href="support.htm">Tom Eastep</a>
</font></p>
@ -2858,5 +2890,7 @@ eth1 and your local hosts through eth2.</p>
</font><br>
<br>
<br>
<br>
</body>
</html>

652
Shorewall-docs/FAQ.htm
View File

@ -1,50 +1,67 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall FAQ</title>
<meta name="Microsoft Theme" content="none">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber4" bgcolor="#400169" height="90">
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"
bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Shorewall FAQs</font></h1>
<h1 align="center"><font color="#ffffff">Shorewall FAQs</font></h1>
</td>
</tr>
</tbody>
</table>
<p align="left"><b>1. </b><a href="#faq1">&nbsp;I want to <b>forward</b> UDP <b>
<p align="left"><b>1. </b><a href="#faq1"> I want to <b>forward</b> UDP <b>
port</b> 7777 to my my personal PC with IP address 192.168.1.5. I've looked
everywhere and can't find <b>how to do it</b>.</a></p>
<p align="left"><b>1a. </b><a href="#faq1a">Ok -- I followed those instructions
but it doesn't work.</a></p>
<p align="left"><b>2.</b> <a href="#faq2">I <b>port forward</b> www requests to www.mydomain.com (IP
130.151.100.69) to system 192.168.1.5 in my local network. <b>External clients can browse</b>
http://www.mydomain.com but <b>internal clients can't</b>.</a></p>
<p align="left"><b>2a. </b><a href="#faq3">I have a zone &quot;Z&quot; with an RFC1918
subnet and I use <b>static NAT</b> to assign non-RFC1918 addresses to hosts in
Z. Hosts in Z cannot communicate with each other using their external
<p align="left"><b>2.</b> <a href="#faq2">I <b>port forward</b> www requests
to www.mydomain.com (IP 130.151.100.69) to system 192.168.1.5 in my local
network. <b>External clients can browse</b> http://www.mydomain.com but <b>internal
clients can't</b>.</a></p>
<p align="left"><b>2a. </b><a href="#faq3">I have a zone "Z" with an RFC1918
subnet and I use <b>static NAT</b> to assign non-RFC1918 addresses to hosts
in Z. Hosts in Z cannot communicate with each other using their external
(non-RFC1918 addresses) so they <b>can't access each other using their DNS
names.</b></a></p>
<p align="left"><b>3. </b><a href="#faq3">I want to use <b>Netmeeting </b>with
Shorewall. What do I do?</a></p>
<p align="left"><b>4. </b><a href="#faq4">I just used an online port scanner to
check my firewall and it shows <b>some ports as 'closed' rather than 'blocked'.</b>
<p align="left"><b>3. </b><a href="#faq3">I want to use <b>Netmeeting/MSN
Messenger </b>with Shorewall. What do I do?</a></p>
<p align="left"><b>4. </b><a href="#faq4">I just used an online port scanner
to check my firewall and it shows <b>some ports as 'closed' rather than 'blocked'.</b>
Why?</a></p>
<p align="left"><b>4a. </b><a href="#faq4a">I just ran an <b>nmap UDP scan</b>
of my firewall and it showed 100s of ports as open!!!!</a></p>
<p align="left"><b>5. </b><a href="#faq5">I've installed Shorewall and now I <b>
can't ping</b> through the firewall</a></p>
<p align="left"><b>5. </b><a href="#faq5">I've installed Shorewall and now
I <b> can't ping</b> through the firewall</a></p>
<p align="left"><b>6. </b><a href="#faq6">Where are the <b>log messages</b>
written and&nbsp; how do I <b>change the destination</b>?</a></p>
written and  how do I <b>change the destination</b>?</a></p>
<p align="left"><b>6a. </b><a href="#faq6a">Are there any <b>log parsers</b>
that work with Shorewall?</a></p>
@ -53,49 +70,53 @@ that work with Shorewall?</a></p>
'shorewall stop', I can't connect to anything</b>. Why doesn't that command
work?</a></p>
<p align="left"><b>8. </b><a href="#faq8">When I try to <b>start Shorewall on RedHat 7.x</b>, I
get messages about insmod failing -- what's wrong?</a></p>
<p align="left"><b>8. </b><a href="#faq8">When I try to <b>start Shorewall
on RedHat 7.x</b>, I get messages about insmod failing -- what's wrong?</a></p>
<p align="left"><b>9. </b><a href="#faq9"><b>Why </b>does Shorewall <b>only accept IP addresses</b> as
opposed to FQDNs?</a></p>
<p align="left"><b>9. </b><a href="FAQ.htm#faq9">Why can't Shorewall <b>detect
my interfaces </b>properly?</a></p>
<p align="left"><b>10. </b><a href="#faq10">What <b>distributions</b> does it
work with?</a></p>
<p align="left"><b>10. </b><a href="#faq10">What <b>distributions</b> does
it work with?</a></p>
<p align="left"><b>11. </b><a href="#faq18">What <b>features</b> does it
support?</a></p>
<p align="left"><b>12. </b><a href="#faq12">Why isn't there a <b>GUI</b></a></p>
<p align="left"><b>13. </b><a href="#faq13">Why do you call it <b>&quot;Shorewall&quot;?</b></a></p>
<p align="left"><b>14. </b><a href="#faq14">I'm connected via a cable modem and it has an internel
web server that allows me to configure/monitor it but as expected if I enable <b>
rfc1918 blocking</b> for my eth0 interface, it also blocks the <b>cable modems
web server</b></a>.</p>
<p align="left"><b>14a. </b><a href="#faq14a">Even though it assigns public IP
addresses, my ISP's DHCP server has an RFC 1918 address. If I enable RFC 1918
filtering on my external interface, <b>my DHCP client cannot renew its lease</b>.</a></p>
<p align="left"><b>13. </b><a href="#faq13">Why do you call it <b>"Shorewall"?</b></a></p>
<p align="left"><b>15. </b><a href="#faq15"><b>My local systems can't see out to
the net</b></a></p>
<p align="left"><b>14. </b><a href="#faq14">I'm connected via a cable modem
and it has an internel web server that allows me to configure/monitor it
but as expected if I enable <b> rfc1918 blocking</b> for my eth0 interface,
it also blocks the <b>cable modems web server</b></a>.</p>
<p align="left"><b>14a. </b><a href="#faq14a">Even though it assigns public
IP addresses, my ISP's DHCP server has an RFC 1918 address. If I enable RFC
1918 filtering on my external interface, <b>my DHCP client cannot renew its
lease</b>.</a></p>
<p align="left"><b>15. </b><a href="#faq15"><b>My local systems can't see
out to the net</b></a></p>
<p align="left"><b>16. </b><a href="#faq16">Shorewall is writing <b>log messages
all over my console</b> making it unusable!</a></p>
<p align="left"><b>17. </b><a href="#faq17">Why can't Shorewall <b>detect my
interfaces </b>properly?</a></p>
<blockquote>
<p align="left">&nbsp;</p>
</blockquote>
<hr>
<h4 align="left"><a name="faq1"></a>1. I want to forward UDP port 7777 to my my personal PC with IP
address 192.168.1.5. I've looked everywhere and can't find how to do it.</h4>
<p align="left"><b>Answer: </b>The <a href="Documentation.htm#PortForward"> first example</a> in the <a href="Documentation.htm#Rules">rules
file documentation</a> shows how to do port forwarding under Shorewall. Assuming
that you have a dynamic external IP address, the format of a port-forwarding
rule to a local system is as follows:</p>
<h4 align="left"><a name="faq1"></a>1. I want to forward UDP port 7777 to
my my personal PC with IP address 192.168.1.5. I've looked everywhere and
can't find how to do it.</h4>
<p align="left"><b>Answer: </b>The <a
href="Documentation.htm#PortForward"> first example</a> in the <a
href="Documentation.htm#Rules">rules file documentation</a> shows how to
do port forwarding under Shorewall. Assuming that you have a dynamic external
IP address, the format of a port-forwarding rule to a local system is as follows:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber1">
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber1">
<tbody>
<tr>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
@ -111,15 +132,21 @@ rule to a local system is as follows:</p>
<td>loc:<i>&lt;local IP address&gt;</i>[:<i>&lt;local port</i>&gt;]</td>
<td><i>&lt;protocol&gt;</i></td>
<td><i>&lt;port #&gt;</i></td>
<td>&nbsp;</td>
<td>&nbsp;</td>
<td> </td>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
<p align="left">So to forward UDP port 7777 to internal system 192.168.1.5, the
rule is:</p>
<p align="left">So to forward UDP port 7777 to internal system 192.168.1.5,
the rule is:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber1">
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber1">
<tbody>
<tr>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
@ -135,18 +162,25 @@ rule is:</p>
<td>loc:192.168.1.5</td>
<td>udp</td>
<td>7777</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
<td> </td>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
<div align="left">
<pre align="left"><font face="Courier"> DNAT net loc:192.168.1.5 udp 7777</font></pre>
</div>
<p align="left">If you want to forward requests directed to a particular
address ( <i>&lt;external IP&gt;</i> ) on your firewall to an internal system:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber1">
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber1">
<tbody>
<tr>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
@ -165,46 +199,63 @@ address ( <i>&lt;external IP&gt;</i> ) on your firewall to an internal system:</
<td>-</td>
<td><i>&lt;external IP&gt;</i></td>
</tr>
</tbody>
</table>
</blockquote>
<h4 align="left"><a name="faq1a"></a>1a. Ok -- I followed those instructions but
it doesn't work</h4>
<h4 align="left"><a name="faq1a"></a>1a. Ok -- I followed those instructions
but it doesn't work</h4>
<p align="left"><b>Answer: </b>That is usually the result of one of two things:</p>
<ul>
<li>You are trying to test from inside your firewall (no, that
won't work -- see <a href="#faq2">FAQ #2</a>).</li>
<li>You are trying to test from inside your firewall (no, that won't
work -- see <a href="#faq2">FAQ #2</a>).</li>
<li>You have a more basic problem with your local system such as an
incorrect default gateway configured (it should be set to the IP address of your
firewall's internal interface).</li>
incorrect default gateway configured (it should be set to the IP address
of your firewall's internal interface).</li>
</ul>
<h4 align="left"><a name="faq2"></a>2. I port forward www requests to www.mydomain.com (IP
130.151.100.69) to system 192.168.1.5 in my local network. External clients can browse
http://www.mydomain.com but internal clients can't.</h4>
<h4 align="left"><a name="faq2"></a>2. I port forward www requests to www.mydomain.com
(IP 130.151.100.69) to system 192.168.1.5 in my local network. External clients
can browse http://www.mydomain.com but internal clients can't.</h4>
<p align="left"><b>Answer: </b>I have two objections to this setup.</p>
<ul>
<li>Having an internet-accessible server in your local network
is like raising foxes in the corner of your hen house. If the server is
compromised, there's nothing between that server and your other internal
systems. For the cost of another NIC and a cross-over cable, you can put
your server in a DMZ such that it is isolated from your local systems -
assuming that the Server can be located near the Firewall, of course :-)</li>
<li>The accessibility problem is best solved using
<a href="shorewall_setup_guide.htm#DNS">Bind Version
9 &quot;views&quot;</a> (or using a separate DNS server for local clients) such that www.mydomain.com resolves to 130.141.100.69
externally and 192.168.1.5 internally. That's what I do here at
shorewall.net for my local systems that use static NAT.</li>
<li>Having an internet-accessible server in your local network is
like raising foxes in the corner of your hen house. If the server is compromised,
there's nothing between that server and your other internal systems.
For the cost of another NIC and a cross-over cable, you can put your
server in a DMZ such that it is isolated from your local systems - assuming
that the Server can be located near the Firewall, of course :-)</li>
<li>The accessibility problem is best solved using <a
href="shorewall_setup_guide.htm#DNS">Bind Version 9 "views"</a> (or using
a separate DNS server for local clients) such that www.mydomain.com resolves
to 130.141.100.69 externally and 192.168.1.5 internally. That's what
I do here at shorewall.net for my local systems that use static NAT.</li>
</ul>
<p align="left">If you insist on an IP solution to the accessibility problem
rather than a DNS solution, then assuming that your external interface is eth0
and your internal interface is eth1
and that eth1 has IP address 192.168.1.254 with subnet 192.168.1.0/24, do the following:</p>
<p align="left">a) In /etc/shorewall/interfaces, specify &quot;multi&quot; as an option
rather than a DNS solution, then assuming that your external interface is
eth0 and your internal interface is eth1 and that eth1 has IP address 192.168.1.254
with subnet 192.168.1.0/24, do the following:</p>
<p align="left">a) In /etc/shorewall/interfaces, specify "multi" as an option
for eth1.</p>
<div align="left">
<p align="left">b) In /etc/shorewall/rules, add:</div>
<p align="left">b) In /etc/shorewall/rules, add:</p>
</div>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber1">
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber1">
<tbody>
<tr>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
@ -223,25 +274,35 @@ for eth1.</p>
<td>-</td>
<td>130.151.100.69:192.168.1.254</td>
</tr>
</tbody>
</table>
</blockquote>
</div>
<div align="left">
<pre align="left"> <font face="Courier">DNAT&nbsp;&nbsp;&nbsp; loc:192.168.1.0/24&nbsp;&nbsp;&nbsp; loc:192.168.1.5&nbsp;&nbsp;&nbsp; tcp&nbsp;&nbsp;&nbsp; www&nbsp;&nbsp;&nbsp; -&nbsp;&nbsp;&nbsp; 130.151.100.69:192.168.1.254</font></pre>
<pre align="left"> <font face="Courier">DNAT    loc:192.168.1.0/24    loc:192.168.1.5    tcp    www    -    130.151.100.69:192.168.1.254</font></pre>
</div>
<div align="left">
<p align="left">That rule only works of course if you have a static external IP
address. If you
have a dynamic IP address and are running Shorewall 1.3.4 or later then include this in
/etc/shorewall/params:</div>
<p align="left">That rule only works of course if you have a static external
IP address. If you have a dynamic IP address and are running Shorewall 1.3.4
or later then include this in /etc/shorewall/params:</p>
</div>
<div align="left">
<pre> ETH0_IP=`find_interface_address eth0`</pre>
</div>
<div align="left">
<p align="left">and make your DNAT rule:</div>
<p align="left">and make your DNAT rule:</p>
</div>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber1">
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber1">
<tbody>
<tr>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
@ -260,37 +321,50 @@ have a dynamic IP address and are running Shorewall 1.3.4 or later then include
<td>-</td>
<td>$ETH0_IP:192.168.1.254</td>
</tr>
</tbody>
</table>
</blockquote>
</div>
<div align="left">
<p align="left">Using this technique, you will want to configure your DHCP/PPPoE
client to automatically restart Shorewall each time that you get a new IP
address.</div>
<h4 align="left"><a name="faq2a"></a>2a. I have a zone &quot;Z&quot; with an RFC1918 subnet and I
use static NAT to assign non-RFC1918 addresses to hosts in Z. Hosts in Z cannot
communicate with each other using their external (non-RFC1918 addresses) so they
can't access each other using their DNS names.</h4>
<p align="left"><b>Answer: </b>This is another problem that is best solved using Bind Version 9
&quot;views&quot;. It allows both external and internal clients to access a
NATed host using the host's DNS name.</p>
address.</p>
</div>
<h4 align="left"><a name="faq2a"></a>2a. I have a zone "Z" with an RFC1918
subnet and I use static NAT to assign non-RFC1918 addresses to hosts in Z.
Hosts in Z cannot communicate with each other using their external (non-RFC1918
addresses) so they can't access each other using their DNS names.</h4>
<p align="left"><b>Answer: </b>This is another problem that is best solved
using Bind Version 9 "views". It allows both external and internal clients
to access a NATed host using the host's DNS name.</p>
<p align="left">Another good way to approach this problem is to switch from
static NAT to Proxy ARP. That way, the hosts in Z have non-RFC1918 addresses and
can be accessed externally and internally using the same address.&nbsp;</p>
static NAT to Proxy ARP. That way, the hosts in Z have non-RFC1918 addresses
and can be accessed externally and internally using the same address. </p>
<p align="left">If you don't like those solutions and prefer routing all Z-&gt;Z
traffic through your firewall then:</p>
<p align="left">a) Specify &quot;multi&quot; on the entry for Z's interface in
/etc/shorewall/interfaces.<br>
<p align="left">a) Specify "multi" on the entry for Z's interface in /etc/shorewall/interfaces.<br>
b) Set the Z-&gt;Z policy to ACCEPT.<br>
c) Masquerade Z to itself.<br>
<br>
Example:</p>
<p align="left">Zone: dmz<br>
Interface: eth2<br>
Subnet: 192.168.2.0/24</p>
<p align="left">In /etc/shorewall/interfaces:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber2">
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber2">
<tbody>
<tr>
<td><u><b>ZONE</b></u></td>
<td><u><b>INTERFACE</b></u></td>
@ -303,11 +377,17 @@ Subnet: 192.168.2.0/24</p>
<td>192.168.2.255</td>
<td>multi</td>
</tr>
</tbody>
</table>
</blockquote>
<p align="left">In /etc/shorewall/policy:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber3">
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber3">
<tbody>
<tr>
<td><u><b>SOURCE </b></u></td>
<td><u><b>DESTINATION</b></u></td>
@ -318,16 +398,23 @@ Subnet: 192.168.2.0/24</p>
<td>dmz</td>
<td>dmz</td>
<td>ACCEPT</td>
<td>&nbsp;</td>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
<div align="left">
<pre align="left"> dmz&nbsp;&nbsp;&nbsp; dmz&nbsp;&nbsp;&nbsp; ACCEPT</pre>
<pre align="left"> dmz    dmz    ACCEPT</pre>
</div>
<p align="left">In /etc/shorewall/masq:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber3" width="369">
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber3" width="369">
<tbody>
<tr>
<td width="93"><u><b>INTERFACE </b></u></td>
<td width="31"><u><b>SUBNET</b></u></td>
@ -336,154 +423,198 @@ Subnet: 192.168.2.0/24</p>
<tr>
<td width="93">eth2</td>
<td width="31">192.168.2.0/24</td>
<td width="120">&nbsp;</td>
<td width="120"> </td>
</tr>
</tbody>
</table>
</blockquote>
<h4 align="left"><a name="faq3"></a>3. I want to use Netmeeting with Shorewall. What do I do?</h4>
<p align="left"><b>Answer: </b>There is an <a href="http://www.kfki.hu/~kadlec/sw/netfilter/newnat-suite/"> H.323 connection tracking/NAT module</a> that may help.
Also check the Netfilter mailing list archives at <a href="http://netfilter.samba.org">http://netfilter.samba.org</a>. </p>
<h4 align="left"><a name="faq4"></a>4. I just used an online port scanner to
check my firewall and it shows some ports as 'closed' rather than 'blocked'.
<h4 align="left"><a name="faq3"></a>3. I want to use Netmeeting/MSN Messenger
with Shorewall. What do I do?</h4>
<p align="left"><b>Answer: </b>There is an <a
href="http://www.kfki.hu/%7Ekadlec/sw/netfilter/newnat-suite/"> H.323 connection
tracking/NAT module</a> that may help. Also check the Netfilter mailing list
archives at <a href="http://netfilter.samba.org">http://netfilter.samba.org</a>.
</p>
<h4 align="left"><a name="faq4"></a>4. I just used an online port scanner
to check my firewall and it shows some ports as 'closed' rather than 'blocked'.
Why?</h4>
<p align="left"><b>Answer: </b>The common.def included with version 1.3.x always
rejects connection requests on TCP port 113 rather than dropping them. This is
necessary to prevent outgoing connection problems to services that use the
'Auth' mechanism for identifying requesting users. Shorewall also rejects TCP
ports 135, 137 and 139 as well as UDP ports 137-139. These are ports that are
used by Windows (Windows <u>can</u> be configured to use the DCE cell locator
on port 135). Rejecting these connection requests rather than dropping them
cuts down slightly on the amount of Windows chatter on LAN segments connected
to the Firewall. </p>
<p align="left"><b>Answer: </b>The common.def included with version 1.3.x
always rejects connection requests on TCP port 113 rather than dropping
them. This is necessary to prevent outgoing connection problems to services
that use the 'Auth' mechanism for identifying requesting users. Shorewall
also rejects TCP ports 135, 137 and 139 as well as UDP ports 137-139. These
are ports that are used by Windows (Windows <u>can</u> be configured to
use the DCE cell locator on port 135). Rejecting these connection requests
rather than dropping them cuts down slightly on the amount of Windows chatter
on LAN segments connected to the Firewall. </p>
<p align="left">If you are seeing port 80 being 'closed', that's probably your
ISP preventing you from running a web server in violation of your Service
Agreement.</p>
<p align="left">If you are seeing port 80 being 'closed', that's probably
your ISP preventing you from running a web server in violation of your
Service Agreement.</p>
<h4 align="left"><a name="faq4a"></a>4a. I just ran an nmap UDP scan of my
firewall and it showed 100s of ports as open!!!!</h4>
<p align="left"><b>Answer: </b>Take a deep breath and read the nmap man page section about
UDP scans. If nmap gets <b>nothing</b> back from your firewall then it reports
the port as open. If you want to see which UDP ports are really open,
temporarily change your net-&gt;all policy to REJECT, restart Shorewall and do
the nmap UDP scan again.</p>
<p align="left"><b>Answer: </b>Take a deep breath and read the nmap man page
section about UDP scans. If nmap gets <b>nothing</b> back from your firewall
then it reports the port as open. If you want to see which UDP ports are
really open, temporarily change your net-&gt;all policy to REJECT, restart
Shorewall and do the nmap UDP scan again.</p>
<h4 align="left"><a name="faq5"></a>5. I've installed Shorewall and now I can't ping through the
firewall</h4>
<p align="left"><b>Answer: </b>If you want your firewall to be totally open for
&quot;ping&quot;: </p>
<p align="left">a) Do NOT specify 'noping' on any interface in
/etc/shorewall/interfaces.<br>
<h4 align="left"><a name="faq5"></a>5. I've installed Shorewall and now I
can't ping through the firewall</h4>
<p align="left"><b>Answer: </b>If you want your firewall to be totally open
for "ping": </p>
<p align="left">a) Do NOT specify 'noping' on any interface in /etc/shorewall/interfaces.<br>
b) Copy /etc/shorewall/icmp.def to /etc/shorewall/icmpdef<br>
c) Add the following to /etc/shorewall/icmpdef: </p>
<blockquote>
<p align="left">run_iptables -A icmpdef -p ICMP --icmp-type echo-request -j
ACCEPT </p>
<p align="left">run_iptables -A icmpdef -p ICMP --icmp-type echo-request
-j ACCEPT </p>
</blockquote>
<h4 align="left"><a name="faq6"></a>6. Where are the log messages written
and&nbsp; how do I change the destination?</h4>
<p align="left"><b>Answer: </b>NetFilter uses the kernel's equivalent of syslog (see &quot;man
syslog&quot;) to log messages. It always uses the LOG_KERN (kern) facility (see
&quot;man openlog&quot;) and you get to choose the log level (again, see
&quot;man syslog&quot;) in your <a href="Documentation.htm#Policy">policies</a>
and <a href="Documentation.htm#Rules">rules</a>. The destination for messaged
logged by syslog is controlled by /etc/syslog.conf (see &quot;man
syslog.conf&quot;). When you have changed /etc/syslog.conf, be sure to restart
syslogd (on a RedHat system, &quot;service syslog restart&quot;). </p>
<p align="left">By default, older versions of Shorewall ratelimited log messages through
<a href="Documentation.htm#Conf">settings</a>
in /etc/shorewall/shorewall.conf -- If you want to log all messages, set: </p>
and  how do I change the destination?</h4>
<p align="left"><b>Answer: </b>NetFilter uses the kernel's equivalent of syslog
(see "man syslog") to log messages. It always uses the LOG_KERN (kern) facility
(see "man openlog") and you get to choose the log level (again, see "man
syslog") in your <a href="Documentation.htm#Policy">policies</a> and <a
href="Documentation.htm#Rules">rules</a>. The destination for messaged logged
by syslog is controlled by /etc/syslog.conf (see "man syslog.conf"). When
you have changed /etc/syslog.conf, be sure to restart syslogd (on a RedHat
system, "service syslog restart"). </p>
<p align="left">By default, older versions of Shorewall ratelimited log messages
through <a href="Documentation.htm#Conf">settings</a> in /etc/shorewall/shorewall.conf
-- If you want to log all messages, set: </p>
<div align="left">
<pre align="left"> LOGLIMIT=&quot;&quot;
LOGBURST=&quot;&quot;</pre>
<pre align="left"> LOGLIMIT=""<br> LOGBURST=""</pre>
</div>
<h4 align="left"><a name="faq6a"></a>6a. Are there any log parsers that work
with Shorewall?</h4>
<p align="left"><b>Answer: </b>Here are several links that may be helpful: </p>
<p align="left"><b>Answer: </b>Here are several links that may be helpful:
</p>
<blockquote>
<p align="left"><a href="http://www.shorewall.net/pub/shorewall/parsefw/">
http://www.shorewall.net/pub/shorewall/parsefw/</a><br>
<p align="left"><a
href="http://www.shorewall.net/pub/shorewall/parsefw/"> http://www.shorewall.net/pub/shorewall/parsefw/</a><br>
<a href="http://www.fireparse.com">http://www.fireparse.com</a><br>
<a href="http://cert.uni-stuttgart.de/projects/fwlogwatch">http://cert.uni-stuttgart.de/projects/fwlogwatch</a></p>
</blockquote>
<h4 align="left"><a name="faq7"></a>7. When I stop Shorewall using 'shorewall
stop', I can't connect to anything. Why doesn't that command work?</h4>
<p align="left">The 'stop' command is intended to place your firewall into a
safe state whereby only those interfaces/hosts having the 'routestopped' option
in /etc/shorewall/interfaces and /etc/shorewall/hosts are activated. If you want
to totally open up your firewall, you must use the 'shorewall clear' command. </p>
<p align="left">The 'stop' command is intended to place your firewall into
a safe state whereby only those interfaces/hosts having the 'routestopped'
option in /etc/shorewall/interfaces and /etc/shorewall/hosts are activated.
If you want to totally open up your firewall, you must use the 'shorewall
clear' command. </p>
<h4 align="left"><a name="faq8"></a>8. When I try to start Shorewall on RedHat
7.x, I get messages about insmod failing -- what's wrong?</h4>
<p align="left"><b>Answer: </b>The output you will see looks something like this:</p>
<pre> /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: init_module: Device or resource busy
Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters
/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod
/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o failed
/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed
iptables v1.2.3: can't initialize iptables table `nat': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.</pre>
<p align="left">This is usually cured by the following sequence of commands: </p>
<p align="left"><b>Answer: </b>The output you will see looks something like
this:</p>
<pre> /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: init_module: Device or resource busy<br> Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters<br> /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod<br> /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o failed<br> /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed<br> iptables v1.2.3: can't initialize iptables table `nat': iptables who? (do you need to insmod?)<br> Perhaps iptables or your kernel needs to be upgraded.</pre>
<p align="left">This is usually cured by the following sequence of commands:
</p>
<div align="left">
<pre align="left"> service ipchains stop
chkconfig --delete ipchains
rmmod ipchains</pre>
<pre align="left"> service ipchains stop<br> chkconfig --delete ipchains<br> rmmod ipchains</pre>
</div>
<div align="left">
<p align="left">Also, be sure to check the <a href="errata.htm">errata</a> for
problems concerning the version of iptables (v1.2.3) shipped with RH7.2.</div>
<h4 align="left"> <a name="faq9"></a>9. Why does Shorewall only accept IP
addresses as opposed to FQDNs?</h4><p align="left"> <b>Answer: </b>FQDNs in iptables rules
aren't nearly as useful as they first appear. When a DNS name appears in a rule,
the iptables utility resolves the name to one or more IP addresses and inserts
those addresses into the rule. So change in the DNS-&gt;IP address relationship
that occur after the firewall has started have absolutely no effect on the
firewall's ruleset.</p>
<p align="left"> I'm also trying to protect
people from themselves. If your firewall rules include FQDN's then:</p>
<ul>
<li>If your /etc/resolv.conf is wrong then your firewall won't
start.</li>
<li>If your /etc/nsswitch.conf is wrong then your firewall won't
start.</li>
<li>If your Name Server(s) is(are) down then your firewall won't
start.</li>
<li>Factors totally outside your control (your ISP's router is
down for example), can prevent your firewall from starting.</li>
</ul>
<p align="left">Also, be sure to check the <a href="errata.htm">errata</a>
for problems concerning the version of iptables (v1.2.3) shipped with RH7.2.</p>
</div>
<h4 align="left">
<h4 align="left"><a name="faq9"></a>9. Why can't Shorewall detect my interfaces
properly?</h4>
</h4>
<p align="left">I just installed Shorewall and when I issue the start command,
I see the following:</p>
<div align="left">
<pre> Processing /etc/shorewall/shorewall.conf ...<br> Processing /etc/shorewall/params ...<br> Starting Shorewall...<br> Loading Modules...<br> Initializing...<br> Determining Zones...<br> Zones: net loc<br> Validating interfaces file...<br> Validating hosts file...<br> Determining Hosts in Zones...<br><b> Net Zone: eth0:0.0.0.0/0<br> Local Zone: eth1:0.0.0.0/0<br></b> Deleting user chains...<br> Creating input Chains...<br> ...</pre>
</div>
<div align="left">
<p align="left">Why can't Shorewall detect my interfaces properly?</p>
</div>
<div align="left">
<p align="left"><b>Answer: </b>The above output is perfectly normal. The Net
zone is defined as all hosts that are connected through eth0 and the local
zone is defined as all hosts connected through eth1</p>
</div>
<h4 align="left"><a name="faq10"></a>10. What Distributions does it work
with?</h4>
<p align="left">Shorewall works with any GNU/Linux distribution that includes
the <a href="shorewall_prerequisites.htm">proper prerequisites</a>.<h4 align="left">11. What Features does it have?</h4>
<p align="left"><b>Answer: </b>See the <a href="shorewall_features.htm">Shorewall Feature
List</a>.<h4 align="left"><a name="faq12"></a>12. Why isn't there a GUI?</h4>
<p align="left"><b>Answer: </b>Every time I've started to work on one, I find myself doing
other things. I guess I just don't care enough if Shorewall has a GUI to
invest the effort to create one myself. There are several Shorewall GUI
projects underway however and I will publish links to them when the authors
feel that they are ready. <h4 align="left">
<a name="faq13"></a>13. Why do you call it &quot;Shorewall&quot;?</h4>
<p align="left"><b>Answer: </b>Shorewall is a concatenation of &quot;<u>Shore</u>line&quot; (<a href="http://www.cityofshoreline.com">the
city where I live</a>) and &quot;Fire<u>wall</u>&quot;.<h4 align="left">
<a name="faq14"></a>14.&nbsp; I'm connected via a cable modem and it has an
internal web server that allows me to configure/monitor it but as expected if I
enable rfc1918 blocking for my eth0 interface (the internet one), it also blocks
the cable modems web server.</h4>
<p align="left">Is there any way it can add a rule before the
rfc1918 blocking that will let all traffic to and from the 192.168.100.1 address
of the modem in/out but still block all other rfc1918 addresses.</p>
<p align="left"><b>Answer: </b>If you are running a version of Shorewall earlier than
1.3.1, create /etc/shorewall/start and in it, place the following:<div align="left">
the <a href="shorewall_prerequisites.htm">proper prerequisites</a>.</p>
<h4 align="left">11. What Features does it have?</h4>
<p align="left"><b>Answer: </b>See the <a href="shorewall_features.htm">Shorewall
Feature List</a>.</p>
<h4 align="left"><a name="faq12"></a>12. Why isn't there a GUI?</h4>
<p align="left"><b>Answer: </b>Every time I've started to work on one, I find
myself doing other things. I guess I just don't care enough if Shorewall
has a GUI to invest the effort to create one myself. There are several
Shorewall GUI projects underway however and I will publish links to
them when the authors feel that they are ready. </p>
<h4 align="left"> <a name="faq13"></a>13. Why do you call it "Shorewall"?</h4>
<p align="left"><b>Answer: </b>Shorewall is a concatenation of "<u>Shore</u>line"
(<a href="http://www.cityofshoreline.com">the city where I live</a>)
and "Fire<u>wall</u>".</p>
<h4 align="left"> <a name="faq14"></a>14.  I'm connected via a cable modem
and it has an internal web server that allows me to configure/monitor it
but as expected if I enable rfc1918 blocking for my eth0 interface (the internet
one), it also blocks the cable modems web server.</h4>
<p align="left">Is there any way it can add a rule before the rfc1918 blocking
that will let all traffic to and from the 192.168.100.1 address of the modem
in/out but still block all other rfc1918 addresses.</p>
<p align="left"><b>Answer: </b>If you are running a version of Shorewall earlier
than 1.3.1, create /etc/shorewall/start and in it, place the following:</p>
<div align="left">
<pre> run_iptables -I rfc1918 -s 192.168.100.1 -j ACCEPT</pre>
</div>
<div align="left">
<p align="left">If you are running version 1.3.1 or later, simply add the
following to<a href="Documentation.htm#rfc1918"> /etc/shorewall/rfc1918</a>:</div>
following to<a href="Documentation.htm#rfc1918"> /etc/shorewall/rfc1918</a>:</p>
</div>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber3">
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber3">
<tbody>
<tr>
<td><u><b>SUBNET </b></u></td>
<td><u><b>TARGET</b></u></td>
@ -492,88 +623,71 @@ of the modem in/out but still block all other rfc1918 addresses.</p>
<td>192.168.100.1</td>
<td>RETURN</td>
</tr>
</tbody>
</table>
</blockquote>
</div>
<div align="left">
<p align="left">Be sure that you add the entry ABOVE the entry for
192.168.0.0/16.</div>
<p align="left">Be sure that you add the entry ABOVE the entry for 192.168.0.0/16.</p>
</div>
<div align="left">
<h4 align="left"><a name="faq14a"></a>14a. Even though it assigns public IP
addresses, my ISP's DHCP server has an RFC 1918 address. If I enable RFC 1918
filtering on my external interface, my DHCP client cannot renew its lease.</h4>
addresses, my ISP's DHCP server has an RFC 1918 address. If I enable RFC
1918 filtering on my external interface, my DHCP client cannot renew its
lease.</h4>
</div>
<div align="left">
<p align="left">The solution is the same as FAQ 14 above. Simply substitute
the IP address of your ISPs DHCP server.</div>
<h4 align="left"><a name="faq15"></a>15. My local systems can't see out to the
net</h4>
the IP address of your ISPs DHCP server.</p>
</div>
<p align="left"><b>Answer: </b>Every time I read &quot;systems can't see out to the net&quot;, I wonder
where the poster bought computers with eyes and what those computers will &quot;see&quot;
when things are working properly. That aside, the most common causes of this
problem are:</p>
<h4 align="left"><a name="faq15"></a>15. My local systems can't see out to
the net</h4>
<p align="left"><b>Answer: </b>Every time I read "systems can't see out to
the net", I wonder where the poster bought computers with eyes and what those
computers will "see" when things are working properly. That aside, the most
common causes of this problem are:</p>
<ol>
<li><p align="left">The default gateway on each local system isn't set to the
IP address of the local firewall interface.</p>
<li>
<p align="left">The default gateway on each local system isn't set to
the IP address of the local firewall interface.</p>
</li>
<li><p align="left">The entry for the local network in the /etc/shorewall/masq
<li>
<p align="left">The entry for the local network in the /etc/shorewall/masq
file is wrong or missing.</p>
</li>
<li><p align="left">The DNS settings on the local systems are wrong or the
user is running a DNS server on the firewall and hasn't enabled UDP and TCP
port 53 from the firewall to the internet.</p>
<li>
<p align="left">The DNS settings on the local systems are wrong or the
user is running a DNS server on the firewall and hasn't enabled UDP and
TCP port 53 from the firewall to the internet.</p>
</li>
</ol>
<h4 align="left"><a name="faq16"></a>16. Shorewall is writing log messages all
over my console making it unusable!</h4>
<p align="left"><b>Answer: </b>&quot;man dmesg&quot; -- add a suitable 'dmesg' command to your startup
scripts or place it in /etc/shorewall/start. Under RedHat, the max log level
that is sent to the console is specified in /etc/sysconfig/init in the
LOGLEVEL variable.</p>
<h4 align="left"><a name="faq16"></a>16. Shorewall is writing log messages
all over my console making it unusable!</h4>
<h4 align="left"><a name="faq17"></a>17. Why can't Shorewall detect my
interfaces properly?</h4>
<p align="left">I just installed Shorewall and when I issue the start command,
I see the following:</p>
<p align="left"><b>Answer: </b>"man dmesg" -- add a suitable 'dmesg' command
to your startup scripts or place it in /etc/shorewall/start. Under RedHat,
the max log level that is sent to the console is specified in /etc/sysconfig/init
in the LOGLEVEL variable.</p>
<div align="left">
<pre> Processing /etc/shorewall/shorewall.conf ...
Processing /etc/shorewall/params ...
Starting Shorewall...
Loading Modules...
Initializing...
Determining Zones...
Zones: net loc
Validating interfaces file...
Validating hosts file...
Determining Hosts in Zones...
<b> Net Zone: eth0:0.0.0.0/0
Local Zone: eth1:0.0.0.0/0
</b> Deleting user chains...
Creating input Chains...
...</pre>
<p align="left"></p>
</div>
<div align="left">
<p align="left">Why can't Shorewall detect my interfaces properly?</div>
<div align="left">
<p align="left"><b>Answer: </b>The above output is perfectly normal. The Net
zone is defined as all hosts that are connected through eth0 and the local
zone is defined as all hosts connected through eth1.</div>
<p align="left"><font size="2">Last updated
8/24/2002 - <a href="support.htm">Tom
Eastep</a></font></p>
<p align="left"><font size="2">Last updated 9/23/2002 - <a
href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
</body>
</html>

827
Shorewall-docs/News.htm
View File

File diff suppressed because it is too large Load Diff

142
Shorewall-docs/Shorewall_index_frame.htm
View File

@ -1,106 +1,106 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Index</title>
<base target="main">
<meta name="Microsoft Theme" content="none">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber1" bgcolor="#4B017C" height="90">
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#4b017c" height="90">
<tbody>
<tr>
<td width="100%" height="90">
<h3 align="center"><font color="#FFFFFF">Shorewall</font></h3>
<h3 align="center"><font color="#ffffff">Shorewall</font></h3>
</td>
</tr>
<tr>
<td width="100%" bgcolor="#FFFFFF">
<td width="100%" bgcolor="#ffffff">
<ul>
<li>
<a href="seattlefirewall_index.htm">Home</a></li>
<li>
<a target="_top" href="/1.2/index.htm">Shorewall 1.2 Home</a></li>
<li>
<a href="shorewall_features.htm">Features</a></li>
<li>
<a href="shorewall_prerequisites.htm">Requirements</a></li>
<li>
<a href="download.htm">Download</a></li>
<li>
<a href="shorewall_quickstart_guide.htm">QuickStart Guides</a></li>
<li>
<a href="Install.htm">Installation/Upgrade/</a><br>
<li> <a href="seattlefirewall_index.htm">Home</a></li>
<li> <a href="shorewall_features.htm">Features</a></li>
<li> <a href="shorewall_prerequisites.htm">Requirements</a></li>
<li> <a href="download.htm">Download</a></li>
<li> <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a></li>
<li> <a href="Install.htm">Installation/Upgrade/</a><br>
<a href="Install.htm">Configuration</a></li>
<li>
<a href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></li>
<li>
<a href="Documentation.htm">Reference Manual</a></li>
<li>
<a href="FAQ.htm">FAQs</a></li>
<li>
<a href="troubleshoot.htm">Troubleshooting</a></li>
<li>
<a href="errata.htm">Errata</a></li>
<li>
<a href="upgrade_issues.htm">Upgrade Issues</a></li>
<li>
<a href="support.htm">Support</a></li>
<li>
<a href="mailing_list.htm">Mailing Lists</a></li>
<li>
<a href="shorewall_mirrors.htm">Mirrors</a><ul>
<li><a target="_top" href="http://slovakia.shorewall.net">Slovak Republic</a></li>
<li><a target="_top" href="http://shorewall.infohiiway.com">Texas, USA</a></li>
<li> <a href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></li>
<li> <a href="Documentation.htm">Reference Manual</a></li>
<li> <a href="FAQ.htm">FAQs</a></li>
<li><a href="useful_links.html">Useful Links</a><br>
</li>
<li> <a href="troubleshoot.htm">Troubleshooting</a></li>
<li> <a href="errata.htm">Errata</a></li>
<li> <a href="upgrade_issues.htm">Upgrade Issues</a></li>
<li> <a href="support.htm">Support</a></li>
<li> <a href="mailing_list.htm">Mailing Lists</a></li>
<li> <a href="shorewall_mirrors.htm">Mirrors</a>
<ul>
<li><a target="_top" href="http://slovakia.shorewall.net">Slovak
Republic</a></li>
<li><a target="_top" href="http://shorewall.infohiiway.com">Texas,
USA</a></li>
<li><a target="_top" href="http://germany.shorewall.net">Germany</a></li>
<li><a target="_top" href="http://shorewall.correofuego.com.ar">Argentina</a></li>
<li><a target="_top"
href="http://shorewall.correofuego.com.ar">Argentina</a></li>
<li><a target="_top" href="http://france.shorewall.net">France</a></li>
</ul>
</li>
</ul>
<ul>
<li>
<a href="News.htm">News Archive</a></li>
<li>
<a target="_top" href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi">CVS Repository</a></li>
<li>
<a href="quotes.htm">Quotes from Users</a></li>
<li>
<a href="shoreline.htm">About the Author</a></li>
<li>
<a href="seattlefirewall_index.htm#Donations">Donations</a></li>
<li> <a href="News.htm">News Archive</a></li>
<li> <a href="Shorewall_CVS_Access.html">CVS Repository</a></li>
<li> <a href="quotes.htm">Quotes from Users</a></li>
<li> <a href="shoreline.htm">About the Author</a></li>
<li> <a href="seattlefirewall_index.htm#Donations">Donations</a></li>
</ul>
</td>
</tr>
</tbody>
</table>
<form method="post" action="http://www.shorewall.net/cgi-bin/htsearch">
<p>
<strong>Quick Search</strong><br>
<font face="Arial" size="-1">
<input type=text name=words size=15></font><font size="-1"> </font>
<font face="Arial" size="-1">
<input type=hidden name=format value=long>
<input type=hidden name=method value=and>
<input type=hidden name=config value=htdig>
<input type="submit" value="Search"></font>
<p> <strong>Quick Search</strong><br>
<font face="Arial" size="-1"> <input type="text" name="words"
size="15"></font><font size="-1"> </font> <font face="Arial"
size="-1"> <input type="hidden" name="format" value="long"> <input
type="hidden" name="method" value="and"> <input type="hidden"
name="config" value="htdig"> <input type="submit" value="Search"></font>
</p>
<font face="Arial">
<input type="hidden" name="exclude" value="[http://www.shorewall.net/pipermail/*]">
</font>
</form>
<font face="Arial"> <input type="hidden" name="exclude"
value="[http://www.shorewall.net/pipermail/*]"> </font> </form>
<p><strong><a href="htdig/search.html">Extended Search Forms</a></strong></p>
<p><b><a href="htdig/search.html">Extended Search</a></b></p>
<p><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
<p><a href="http://www.shorewall.net" target="_top">
<img border="1" src="images/shorewall.jpg" width="119" height="38" hspace="0"></a></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
<p><a href="http://www.shorewall.net" target="_top"> <img border="1"
src="images/shorewall.jpg" width="119" height="38" hspace="0">
</a></p>
<br>
<br>
<br>
<br>
<br>
</body>
</html>

283
Shorewall-docs/configuration_file_basics.htm
View File

@ -1,41 +1,49 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Configuration File Basics</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Configuration Files</font></h1>
<h1 align="center"><font color="#ffffff">Configuration Files</font></h1>
</td>
</tr>
</table>
<p><b><font color="#FF0000">Warning: </font>If you copy or edit your
configuration files on a system running Microsoft Windows, you <u>must</u>
run them through <a href="http://www.megaloman.com/~hany/software/hd2u/">
dos2unix</a> before you use them with Shorewall.</b></p>
</tbody>
</table>
<p><b><font color="#ff0000">Warning: </font>If you copy or edit your
configuration files on a system running Microsoft Windows, you <u>must</u>
run them through <a
href="http://www.megaloman.com/%7Ehany/software/hd2u/"> dos2unix</a>
before you use them with Shorewall.</b></p>
<h2>Files</h2>
<p>Shorewall's configuration files are in the directory /etc/shorewall.</p>
<ul>
<li>/etc/shorewall/shorewall.conf - used to set several firewall
parameters.</li>
<li>/etc/shorewall/params - use this file to set shell variables that you will
expand in other files.</li>
<li>/etc/shorewall/zones - partition the firewall's view of the world
into <i>zones.</i></li>
<li>/etc/shorewall/params - use this file to set shell variables
that you will expand in other files.</li>
<li>/etc/shorewall/zones - partition the firewall's view of the
world into <i>zones.</i></li>
<li>/etc/shorewall/policy - establishes firewall high-level policy.</li>
<li>/etc/shorewall/interfaces - describes the interfaces on the
firewall system.</li>
@ -44,50 +52,122 @@
<li>/etc/shorewall/masq - directs the firewall where to use many-to-one
(dynamic) Network Address Translation (a.k.a. Masquerading) and Source
Network Address Translation (SNAT).</li>
<li>/etc/shorewall/modules - directs the firewall to load kernel modules.</li>
<li>/etc/shorewall/rules - defines rules that are exceptions to the
overall policies established in /etc/shorewall/policy.</li>
<li>/etc/shorewall/modules - directs the firewall to load kernel
modules.</li>
<li>/etc/shorewall/rules - defines rules that are exceptions to
the overall policies established in /etc/shorewall/policy.</li>
<li>/etc/shorewall/nat - defines static NAT rules.</li>
<li>/etc/shorewall/proxyarp - defines use of Proxy ARP.</li>
<li>/etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines hosts
accessible when Shorewall is stopped.</li>
<li>/etc/shorewall/tcrules - defines marking of packets for later use by
traffic control/shaping or policy routing.</li>
<li>/etc/shorewall/tos - defines rules for setting the TOS field in packet
headers.</li>
<li>/etc/shorewall/tunnels - defines IPSEC, GRE and IPIP tunnels with end-points on
the firewall system.</li>
<li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC addresses.</li>
<li>/etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines
hosts accessible when Shorewall is stopped.</li>
<li>/etc/shorewall/tcrules - defines marking of packets for later
use by traffic control/shaping or policy routing.</li>
<li>/etc/shorewall/tos - defines rules for setting the TOS field
in packet headers.</li>
<li>/etc/shorewall/tunnels - defines IPSEC, GRE and IPIP tunnels
with end-points on the firewall system.</li>
<li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC
addresses.</li>
</ul>
<h2>Comments</h2>
<p>You may place comments in configuration files by making the first non-whitespace
character a pound sign (&quot;#&quot;). You may also place comments at the end of any line, again by
delimiting the comment from the rest of the line with a pound sign.</p>
character a pound sign ("#"). You may also place comments at the end
of any line, again by delimiting the comment from the rest of the line
with a pound sign.</p>
<p>Examples:</p>
<pre># This is a comment</pre>
<pre>ACCEPT net fw tcp www #This is an end-of-line comment</pre>
<pre># This is a comment</pre><pre>ACCEPT net fw tcp www #This is an end-of-line comment</pre>
<h2>Line Continuation</h2>
<p>You may continue lines in the configuration files using the usual backslash (&quot;\&quot;) followed
immediately by a new line character.</p>
<p>You may continue lines in the configuration files using the usual backslash
("\") followed immediately by a new line character.</p>
<p>Example:</p>
<pre>ACCEPT net fw tcp \<br>smtp,www,pop3,imap #Services running on the firewall</pre>
<h2><a name="dnsnames"></a>Using DNS Names</h2>
<p align="left"> </p>
<p align="left"><b>WARNING: I personally recommend strongly <u>against</u>
using DNS names in Shorewall configuration files. If you use DNS names and
you are called out of bed at 2:00AM because Shorewall won't start as a result
of DNS problems then don't say that you were not forewarned. <br>
</b></p>
<p align="left"><b>    -Tom<br>
</b></p>
<p align="left">Beginning with Shorwall 1.3.9, Host addresses in Shorewall
configuration files may be specified either as IP addresses or as DNS Names.<br>
<br>
DNS names in iptables rules aren't nearly as useful as they first appear.
When a DNS name appears in a rule, the iptables utility resolves the name
to one or more IP addresses and inserts those addresses into the rule. So
change in the DNS-&gt;IP address relationship that occur after the firewall
has started have absolutely no effect on the firewall's ruleset. </p>
<p align="left"> If your firewall rules include DNS names then:</p>
<ul>
<li>If your /etc/resolv.conf is wrong then your firewall won't start.</li>
<li>If your /etc/nsswitch.conf is wrong then your firewall won't start.</li>
<li>If your Name Server(s) is(are) down then your firewall won't start.</li>
<li>If your startup scripts try to start your firewall before starting
your DNS server then your firewall won't start.<br>
</li>
<li>Factors totally outside your control (your ISP's router is down
for example), can prevent your firewall from starting.</li>
<li>You must bring up your network interfaces prior to starting your firewall.<br>
</li>
</ul>
<p align="left"> Each DNS name much be fully qualified and include a minumum
of two periods (although one may be trailing). This restriction is imposed
by Shorewall to insure backward compatibility with existing configuration
files.<br>
<br>
Examples of valid DNS names:<br>
</p>
<ul>
<li>mail.shorewall.net</li>
<li>shorewall.net.</li>
</ul>
Examples of invalid DNS names:<br>
<ul>
<li>mail (not fully qualified)</li>
<li>shorewall.net (only one period)</li>
</ul>
DNS names may not be used as:<br>
<ul>
<li>The server address in a DNAT rule (/etc/shorewall/rules file)</li>
<li>In the ADDRESS column of an entry in /etc/shorewall/masq.</li>
<li>In the /etc/shorewall/nat file.</li>
</ul>
These are iptables restrictions and are not simply imposed for your inconvenience
by Shorewall. <br>
<br>
<pre>ACCEPT net fw tcp \
smtp,www,pop3,imap #Services running on the firewall</pre>
<h2>Complementing an Address or Subnet</h2>
<p>Where specifying an IP address, a subnet or an interface, you can
precede the item with &quot;!&quot; to specify the complement of the item. For
example, !192.168.1.4 means &quot;any host but 192.168.1.4&quot;.</p>
precede the item with "!" to specify the complement of the item. For
example, !192.168.1.4 means "any host but 192.168.1.4".</p>
<h2>Comma-separated Lists</h2>
@ -97,12 +177,12 @@ smtp,www,pop3,imap #Services running on the firewall</pre>
<ul>
<li>Must not have any embedded white space.<br>
Valid: routestopped,dhcp,norfc1918<br>
Invalid: routestopped,&nbsp;&nbsp;&nbsp;&nbsp; dhcp,&nbsp;&nbsp;&nbsp;&nbsp;
norfc1818</li>
<li>If you use line continuation to break a comma-separated list, the
continuation line(s) must begin in column 1 (or there would be embedded
white space)</li>
Invalid: routestopped,     dhcp,     norfc1818</li>
<li>If you use line continuation to break a comma-separated list,
the continuation line(s) must begin in column 1 (or there would be
embedded white space)</li>
<li>Entries in a comma-separated list may appear in any order.</li>
</ul>
<h2>Port Numbers/Service Names</h2>
@ -117,108 +197,95 @@ smtp,www,pop3,imap #Services running on the firewall</pre>
<h2>Using Shell Variables</h2>
<p>You may use the file /etc/shorewall/params
file to set shell variables that you can then use in some of the other
configuration files.</p>
<p>You may use the file /etc/shorewall/params file to set shell variables
that you can then use in some of the other configuration files.</p>
<p>It is suggested that variable names begin with an upper case letter<font size="1">
</font>to distinguish them from variables used internally within the
Shorewall programs</p>
<p>It is suggested that variable names begin with an upper case letter<font
size="1"> </font>to distinguish them from variables used internally
within the Shorewall programs</p>
<p>Example:</p>
<blockquote>
<pre>NET_IF=eth0
NET_BCAST=130.252.100.255
NET_OPTIONS=noping,norfc1918</pre>
<pre>NET_IF=eth0<br>NET_BCAST=130.252.100.255<br>NET_OPTIONS=noping,norfc1918</pre>
</blockquote>
<p><br>
Example (/etc/shorewall/interfaces record):</p>
<font face="Century Gothic, Arial, Helvetica">
<font
face="Century Gothic, Arial, Helvetica">
<blockquote>
<pre><font face="Courier">net $NET_IF $NET_BCAST $NET_OPTIONS</font></pre>
</blockquote>
</font>
<p>The result will be the same as if the record had been written</p>
<font face="Century Gothic, Arial, Helvetica">
<font
face="Century Gothic, Arial, Helvetica">
<blockquote>
<pre>net eth0 130.252.100.255 noping,norfc1918</pre>
</blockquote>
</font>
<p>Variables may be used anywhere in the
other configuration files.</p>
<p>Variables may be used anywhere in the other configuration
files.</p>
<h2>Using MAC Addresses</h2>
<p>Media Access Control (MAC)
addresses can be used to specify packet source in several of the
configuration files. To use this feature, your kernel must have MAC
Address Match support (CONFIG_IP_NF_MATCH_MAC) included.</p>
<p>Media Access Control (MAC) addresses can be used to specify packet
source in several of the configuration files. To use this feature,
your kernel must have MAC Address Match support (CONFIG_IP_NF_MATCH_MAC)
included.</p>
<p>MAC addresses are 48 bits wide and each Ethernet Controller has a
unique MAC address.<br>
<br>
In GNU/Linux, MAC addresses are usually written as a series of 6 hex numbers
separated by colons. Example:<br>
In GNU/Linux, MAC addresses are usually written as a series of 6
hex numbers separated by colons. Example:<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp; [root@gateway root]# ifconfig eth0<br>
&nbsp;&nbsp;&nbsp;&nbsp; eth0 Link encap:Ethernet HWaddr <b><u>02:00:08:E3:FA:55</u></b><br>
&nbsp;&nbsp;&nbsp;&nbsp; inet addr:206.124.146.176 Bcast:206.124.146.255
Mask:255.255.255.0<br>
&nbsp;&nbsp;&nbsp;&nbsp; UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br>
&nbsp;&nbsp;&nbsp;&nbsp; RX packets:2398102 errors:0 dropped:0 overruns:0
frame:0<br>
&nbsp;&nbsp;&nbsp;&nbsp; TX packets:3044698 errors:0 dropped:0 overruns:0
carrier:0<br>
&nbsp;&nbsp;&nbsp;&nbsp; collisions:30394 txqueuelen:100<br>
&nbsp;&nbsp;&nbsp;&nbsp; RX bytes:419871805 (400.4 Mb) TX bytes:1659782221
(1582.8 Mb)<br>
&nbsp;&nbsp;&nbsp;&nbsp; Interrupt:11 Base address:0x1800<br>
     [root@gateway root]# ifconfig eth0<br>
     eth0 Link encap:Ethernet HWaddr <b><u>02:00:08:E3:FA:55</u></b><br>
     inet addr:206.124.146.176 Bcast:206.124.146.255 Mask:255.255.255.0<br>
     UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br>
     RX packets:2398102 errors:0 dropped:0 overruns:0 frame:0<br>
     TX packets:3044698 errors:0 dropped:0 overruns:0 carrier:0<br>
     collisions:30394 txqueuelen:100<br>
     RX bytes:419871805 (400.4 Mb) TX bytes:1659782221 (1582.8 Mb)<br>
     Interrupt:11 Base address:0x1800<br>
<br>
Because Shorewall uses colons as a separator for address fields, Shorewall requires
MAC addresses to be written in another way. In Shorewall, MAC addresses
begin with a tilde (&quot;~&quot;) and consist of 6 hex numbers separated by
hyphens. In Shorewall, the MAC address in the example above would be
written &quot;~02-00-08-E3-FA-55&quot;.</p>
Because Shorewall uses colons as a separator for address fields,
Shorewall requires MAC addresses to be written in another way. In
Shorewall, MAC addresses begin with a tilde ("~") and consist of 6
hex numbers separated by hyphens. In Shorewall, the MAC address in
the example above would be written "~02-00-08-E3-FA-55".</p>
<h2>Shorewall Configurations</h2>
<p>
Shorewall allows you to have configuration
directories other than /etc/shorewall. The <a href="#Starting">shorewall start
and restart</a>
<p> Shorewall allows you to have configuration directories other than /etc/shorewall.
The <a href="starting_and_stopping_shorewall.htm">shorewall start and restart</a>
commands allow you to specify an alternate configuration directory and
Shorewall will use the files in the alternate directory rather than the corresponding
files in /etc/shorewall. The alternate directory need not contain a complete
configuration; those files not in the alternate directory will be read from
/etc/shorewall.</p>
<p>
This facility permits you to easily create a test or temporary configuration
<p> This facility permits you to easily create a test or temporary configuration
by:</p>
<ol>
<li>
copying the files that need modification from /etc/shorewall to a separate
directory;</li>
<li>
modify those files in the separate directory; and</li>
<li>
specifying the separate directory in a shorewall start or shorewall
restart command (e.g., <i><b>shorewall -c /etc/testconfig restart</b></i>
<li> copying the files that need modification from /etc/shorewall
to a separate directory;</li>
<li> modify those files in the separate directory; and</li>
<li> specifying the separate directory in a shorewall start or
shorewall restart command (e.g., <i><b>shorewall -c /etc/testconfig restart</b></i>
).</li>
</ol>
<p><font size="2">
Updated 8/6/2002 - <a href="support.htm">Tom
Eastep</a>
<p><font size="2"> Updated 9/24/2002 - <a href="support.htm">Tom Eastep</a>
</font></p>
@ -227,7 +294,7 @@ Eastep</a>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
</body>
</html>

29
Shorewall-docs/download.htm
View File

@ -36,19 +36,19 @@
<ul>
<li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>, <b>
Linux PPC</b> or <b> TurboLinux</b> distribution with a 2.4 kernel,
you can use the RPM version (note: the RPM should also work
with other distributions that store init scripts in /etc/init.d
and that include chkconfig or insserv). If you find that it works
you can use the RPM version (note: the RPM should also work with
other distributions that store init scripts in /etc/init.d and
that include chkconfig or insserv). If you find that it works
in other cases, let <a href="mailto:teastep@shorewall.net"> me</a>
know so that I can mention them here. See the <a
href="Install.htm">Installation Instructions</a> if you have problems
installing the RPM.</li>
<li>If you are running LRP, download the .lrp file (you might also want
to download the .tgz so you will have a copy of the documentation).</li>
<li>If you run <a href="http://www.debian.org"><b>Debian</b></a> and would
like a .deb package, Shorewall is in both the <a
href="http://packages.debian.org/testing/net/shorewall.html">Debian
Testing Branch</a> and the <a
<li>If you run <a href="http://www.debian.org"><b>Debian</b></a> and
would like a .deb package, Shorewall is in both the <a
href="http://packages.debian.org/testing/net/shorewall.html">Debian Testing
Branch</a> and the <a
href="http://packages.debian.org/unstable/net/shorewall.html">Debian
Unstable Branch</a>.</li>
<li>Otherwise, download the <i>shorewall</i> module (.tgz)</li>
@ -59,8 +59,8 @@ Testing Branch</a> and the <a
and there is an documentation .deb that also contains the documentation.</p>
<p>Please verify the version that you have downloaded -- during the
release of a new version of Shorewall, the links below may point
to a newer or an older version than is shown below.</p>
release of a new version of Shorewall, the links below may point to
a newer or an older version than is shown below.</p>
<ul>
<li>RPM - "rpm -qip LATEST.rpm"</li>
@ -78,12 +78,10 @@ that you have downloaded.</font></p>
<p><font color="#ff0000" face="Arial"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY
INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
IS REQUIRED BEFORE THE FIREWALL WILL START. IF YOU ISSUE A "start" COMMAND
AND THE FIREWALL FAILS TO START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY NETWORK
TRAFFIC. IF THIS HAPPENS, ISSUE A "shorewall clear" COMMAND TO RESTORE NETWORK
CONNECTIVITY.</b></font></p>
IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed configuration
of your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.</b></font></p>
<p>Download Latest Version (<b>1.3.8</b>): <b>Remember that updates to the
<p>Download Latest Version (<b>1.3.9</b>): <b>Remember that updates to the
mirrors occur 1-12 hours after an update to the primary site.</b></p>
<blockquote>
@ -295,11 +293,12 @@ cvs.shorewall.net</a> contains the latest snapshots of the each Shorewall
component. There's no guarantee that what you find there will work at all.</p>
</blockquote>
<p align="left"><font size="2">Last Updated 9/2/2002 - <a
<p align="left"><font size="2">Last Updated 9/26/2002 - <a
href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
</body>
</html>

439
Shorewall-docs/errata.htm
View File

@ -2,115 +2,120 @@
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall 1.3 Errata</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Shorewall Errata/Upgrade Issues</font></h1>
<h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1>
</td>
</tr>
</tbody>
</table>
<p align="center">
<b><u>IMPORTANT</u></b></p>
<p align="center"> <b><u>IMPORTANT</u></b></p>
<ol>
<li>
<p align="left">
<b><u>I</u>f you use a Windows system to download a corrected script, be sure to
run the script through <u>
<a href="http://www.megaloman.com/%7Ehany/software/hd2u/" style="text-decoration: none">
dos2unix</a></u>
after you have moved it to your Linux system.</b></p>
<p align="left"> <b><u>I</u>f you use a Windows system to download
a corrected script, be sure to run the script through <u> <a
href="http://www.megaloman.com/%7Ehany/software/hd2u/"
style="text-decoration: none;"> dos2unix</a></u> after you have moved
it to your Linux system.</b></p>
</li>
<li>
<p align="left">
<b>If you are installing Shorewall for the first time and plan to use the
.tgz and install.sh script, you can untar the archive, replace the
'firewall' script in the untarred directory with the one you downloaded
below, and then run install.sh.</b></p>
<p align="left"> <b>If you are installing Shorewall for the
first time and plan to use the .tgz and install.sh script, you can
untar the archive, replace the 'firewall' script in the untarred directory
with the one you downloaded below, and then run install.sh.</b></p>
</li>
<li>
<p align="left">
<b>When the instructions say to install a corrected firewall script in
/etc/shorewall/firewall or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to overwrite the
existing file. DO NOT REMOVE OR RENAME THE OLD /etc/shorewall/firewall
<p align="left"> <b>When the instructions say to install a corrected
firewall script in /etc/shorewall/firewall, /usr/lib/shorewall/firewall
or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to overwrite
the existing file. DO NOT REMOVE OR RENAME THE OLD /etc/shorewall/firewall
or /var/lib/shorewall/firewall before you do that. /etc/shorewall/firewall
and /var/lib/shorewall/firewall are symbolic links that point
to the 'shorewall' file used by your system initialization scripts to
start Shorewall during boot. It is that file that must be overwritten
with the corrected script. </b></p>
</li>
</ol>
<ul>
<li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
<li>
<b><a href="#V1.3">Problems in Version 1.3</a></b></li>
<li>
<b><a href="errata_2.htm">Problems in Version 1.2</a></b></li>
<li>
<b><font color="#660066">
<a href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
<li>
<b><font color="#660066"><a href="#iptables">
Problem with iptables version 1.2.3 on RH7.2</a></font></b></li>
<li>
<b><a href="#Debug">Problems with kernels &gt;= 2.4.18 and
RedHat iptables</a></b></li>
<li> <b><a href="#V1.3">Problems in Version
1.3</a></b></li>
<li> <b><a href="errata_2.htm">Problems
in Version 1.2</a></b></li>
<li> <b><font color="#660066"> <a
href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
<li> <b><font color="#660066"><a
href="#iptables"> Problem with iptables version 1.2.3 on RH7.2</a></font></b></li>
<li> <b><a href="#Debug">Problems with kernels
&gt;= 2.4.18 and RedHat iptables</a></b></li>
<li><b><a href="#SuSE">Problems installing/upgrading RPM on SuSE</a></b></li>
<li><b><a href="#Multiport">Problems with iptables version 1.2.7 and
MULTIPORT=Yes</a></b></li>
</ul>
<hr>
<h2 align="Left"><a name="V1.3"></a>Problems in Version 1.3</h2>
</ul>
<hr>
<h2 align="left"><a name="V1.3"></a>Problems in Version 1.3</h2>
<h3>Version 1.3.8</h3>
<ul>
<li> Use of shell variables in the LOG LEVEL or SYNPARMS columns of the
policy file doesn't work.</li>
<li>A DNAT rule with the same original and new IP addresses but with different
port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24 tcp 25 - 10.1.1.1")<br>
</li>
</ul>
Installing <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.8/firewall">
this corrected firewall script</a> in /var/lib/shorewall/firewall
as described above corrects these problems.
<h3>Version 1.3.7b</h3>
<p>DNAT rules where the source zone is 'fw' ($FW)
result in an error message. Installing
<a href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
<a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
this corrected firewall script</a> in /var/lib/shorewall/firewall
as described above corrects this problem.</p>
<h3>Version 1.3.7a</h3>
<p>&quot;shorewall refresh&quot; is not creating the proper
<p>"shorewall refresh" is not creating the proper
rule for FORWARDPING=Yes. Consequently, after
&quot;shorewall refresh&quot;, the firewall will not forward
"shorewall refresh", the firewall will not forward
icmp echo-request (ping) packets. Installing
<a href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
<a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
this corrected firewall script</a> in /var/lib/shorewall/firewall
as described above corrects this problem.</p>
<h3>Version &lt;= 1.3.7a</h3>
<p>If &quot;norfc1918&quot; and &quot;dhcp&quot; are both specified as
<p>If "norfc1918" and "dhcp" are both specified as
options on a given interface then RFC 1918
checking is occurring before DHCP checking. This
means that if a DHCP client broadcasts using an
@ -119,20 +124,21 @@ dos2unix</a></u>
has two problems:</p>
<ol>
<li>If the firewall is running a DHCP server,
the client won't be able to obtain an IP address
lease from that server.</li>
<li>With this order of checking, the &quot;dhcp&quot;
<li>If the firewall is running a DHCP
server, the client won't be able to obtain
an IP address lease from that server.</li>
<li>With this order of checking, the "dhcp"
option cannot be used as a noise-reduction
measure where there are both dynamic and static
clients on a LAN segment.</li>
measure where there are both dynamic and
static clients on a LAN segment.</li>
</ol>
<p>
<a href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
<p> <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
This version of the 1.3.7a firewall script </a>
corrects the problem. It must be installed in /var/lib/shorewall
as described above.</p>
corrects the problem. It must be installed
in /var/lib/shorewall as described above.</p>
<h3>Version 1.3.7</h3>
@ -141,129 +147,136 @@ dos2unix</a></u>
these md5sums -- if there's a difference, please
download again.</p>
<pre> d2fffb7fb99bcc6cb047ea34db1df10 shorewall-1.3.7a.tgz
6a7fd284c8685b2b471a2f47b469fb94 shorewall-1.3.7a-1.noarch.rpm
3decd14296effcff16853106771f7035 shorwall-1.3.7a.lrp</pre>
<p>In other words, type &quot;md5sum &lt;<i>whatever package you downloaded</i>&gt; and
compare the result with what you see above.</p>
<p>I'm embarrassed to report that 1.2.7 was also DOA -- maybe I'll skip the .7
version in each sequence from now on.</p>
<pre> d2fffb7fb99bcc6cb047ea34db1df10 shorewall-1.3.7a.tgz<br> 6a7fd284c8685b2b471a2f47b469fb94 shorewall-1.3.7a-1.noarch.rpm<br> 3decd14296effcff16853106771f7035 shorwall-1.3.7a.lrp</pre>
<h3 align="Left">Version 1.3.6</h3>
<p>In other words, type "md5sum &lt;<i>whatever package you downloaded</i>&gt;
and compare the result with what you see above.</p>
<p>I'm embarrassed to report that 1.2.7 was also DOA -- maybe I'll skip the
.7 version in each sequence from now on.</p>
<h3 align="left">Version 1.3.6</h3>
<ul>
<li>
<p align="Left">If ADD_SNAT_ALIASES=Yes is specified in
/etc/shorewall/shorewall.conf, an error occurs when the firewall
script attempts to add an SNAT alias.</li>
<p align="left">If ADD_SNAT_ALIASES=Yes is specified in /etc/shorewall/shorewall.conf,
an error occurs when the firewall script attempts to add an SNAT
alias. </p>
</li>
<li>
<p align="left">The <b>logunclean </b>and <b>dropunclean</b> options
cause errors during startup when Shorewall is run with iptables
1.2.7. </p>
</li>
<p align="Left">The <b>logunclean </b>and <b>dropunclean</b> options
cause errors during startup when Shorewall is run with iptables 1.2.7.</li>
</ul>
<p align="Left">These problems are fixed in
<a href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
<p align="left">These problems are fixed in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
this correct firewall script</a> which must be installed in
/var/lib/shorewall/ as described above. These problems are also
corrected in version 1.3.7.</p>
<h3 align="Left">Two-interface Samples 1.3.6 (file two-interfaces.tgz)</h3>
<h3 align="left">Two-interface Samples 1.3.6 (file two-interfaces.tgz)</h3>
<p align="Left">A line was inadvertently deleted from the &quot;interfaces
file&quot; -- this line should be added back in if the version that you
<p align="left">A line was inadvertently deleted from the "interfaces
file" -- this line should be added back in if the version that you
downloaded is missing it:</p>
<p align="Left">net&nbsp;&nbsp;&nbsp; eth0&nbsp;&nbsp;&nbsp; detect&nbsp;&nbsp;&nbsp;
routefilter,dhcp,norfc1918</p>
<p align="left">net    eth0    detect    routefilter,dhcp,norfc1918</p>
<p align="Left">If you downloaded two-interfaces-a.tgz then the above
<p align="left">If you downloaded two-interfaces-a.tgz then the above
line should already be in the file.</p>
<h3 align="Left">Version 1.3.5-1.3.5b</h3>
<h3 align="left">Version 1.3.5-1.3.5b</h3>
<p align="Left">The new 'proxyarp' interface option doesn't work :-(
This is fixed in
<a href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">
<p align="left">The new 'proxyarp' interface option doesn't work :-(
This is fixed in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">
this corrected firewall script</a> which must be installed in
/var/lib/shorewall/ as described above.</p>
<h3 align="Left">Versions 1.3.4-1.3.5a</h3>
<h3 align="left">Versions 1.3.4-1.3.5a</h3>
<p align="Left">Prior to version 1.3.4, host file entries such as the
<p align="left">Prior to version 1.3.4, host file entries such as the
following were allowed:</p>
<div align="left">
<pre> adm eth0:1.2.4.5,eth0:5.6.7.8</pre>
</div>
<div align="left">
<p align="left">That capability was lost in version 1.3.4 so that it is only
possible to&nbsp; include a single host specification on each line. This
problem is corrected by
<a href="http://www.shorewall.net/pub/shorewall/errata/1.3.5a/firewall">this
possible to  include a single host specification on each line. This
problem is corrected by <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.5a/firewall">this
modified 1.3.5a firewall script</a>. Install the script in /var/lib/pub/shorewall/firewall
as instructed above.</div>
as instructed above.</p>
</div>
<div align="left">
<p align="left">This problem is corrected in version 1.3.5b.</div>
<p align="left">This problem is corrected in version 1.3.5b.</p>
</div>
<h3 align="Left">Version 1.3.5</h3>
<h3 align="left">Version 1.3.5</h3>
<p align="Left">REDIRECT rules are broken in this version. Install
<a href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">
<p align="left">REDIRECT rules are broken in this version. Install
<a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">
this corrected firewall script</a> in /var/lib/pub/shorewall/firewall
as instructed above. This problem is corrected in version 1.3.5a.</p>
<h3 align="Left">Version 1.3.n, n &lt; 4</h3>
<h3 align="left">Version 1.3.n, n &lt; 4</h3>
<p align="Left">The &quot;shorewall start&quot; and &quot;shorewall restart&quot; commands
to not verify that the zones named in the /etc/shorewall/policy file
have been previously defined in the /etc/shorewall/zones file. The
&quot;shorewall check&quot; command does perform this verification so it's a
good idea to run that command after you have made configuration
<p align="left">The "shorewall start" and "shorewall restart" commands
to not verify that the zones named in the /etc/shorewall/policy
file have been previously defined in the /etc/shorewall/zones
file. The "shorewall check" command does perform this verification
so it's a good idea to run that command after you have made configuration
changes.</p>
<h3 align="Left">Version 1.3.n, n &lt; 3</h3>
<h3 align="left">Version 1.3.n, n &lt; 3</h3>
<p align="Left">If you have upgraded from Shorewall 1.2 and after
&quot;Activating rules...&quot; you see the message: &quot;iptables: No
chains/target/match by that name&quot; then you probably have an entry in
/etc/shorewall/hosts that specifies an interface that you didn't
include in /etc/shorewall/interfaces. To correct this problem, you
must add an entry to /etc/shorewall/interfaces. Shorewall 1.3.3 and
later versions produce a clearer error message in this case.</p>
<p align="left">If you have upgraded from Shorewall 1.2 and after
"Activating rules..." you see the message: "iptables: No chains/target/match
by that name" then you probably have an entry in /etc/shorewall/hosts
that specifies an interface that you didn't include in /etc/shorewall/interfaces.
To correct this problem, you must add an entry to /etc/shorewall/interfaces.
Shorewall 1.3.3 and later versions produce a clearer error message
in this case.</p>
<h3 align="Left">Version 1.3.2</h3>
<h3 align="left">Version 1.3.2</h3>
<p align="Left">Until approximately 2130 GMT on 17 June 2002, the
<p align="left">Until approximately 2130 GMT on 17 June 2002, the
download sites contained an incorrect version of the .lrp file. That
file can be identified by its size (56284 bytes). The correct version
has a size of 38126 bytes.</p>
file can be identified by its size (56284 bytes). The correct
version has a size of 38126 bytes.</p>
<ul>
<li>The code to detect a duplicate interface entry in
/etc/shorewall/interfaces contained a typo that prevented it from
working correctly. </li>
<li>&quot;NAT_BEFORE_RULES=No&quot; was broken; it behaved just like &quot;NAT_BEFORE_RULES=Yes&quot;.</li>
<li>"NAT_BEFORE_RULES=No" was broken; it behaved just like
"NAT_BEFORE_RULES=Yes".</li>
</ul>
<p align="Left">Both problems are corrected in
<a href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/firewall">
this script</a> which should be installed in <b><u>/var/lib/shorewall</u></b> as described above.</p>
<p align="left">Both problems are corrected in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/firewall">
this script</a> which should be installed in <b><u>/var/lib/shorewall</u></b>
as described above.</p>
<ul>
<li>
<p align="Left">The IANA have just announced the allocation of subnet
221.0.0.0/8. This
<a href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/rfc1918">
<p align="left">The IANA have just announced the allocation of subnet
221.0.0.0/8. This <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/rfc1918">
updated rfc1918</a> file reflects that allocation.</p>
</li>
</ul>
<h3 align="Left">Version 1.3.1</h3>
<h3 align="left">Version 1.3.1</h3>
<ul>
<li>TCP SYN packets may be double counted when
@ -273,10 +286,11 @@ dos2unix</a></u>
generated for a CONTINUE policy.</li>
<li>When an option is given for more than one interface in
/etc/shorewall/interfaces then depending on the option, Shorewall
may ignore all but the first appearence of the option. For example:<br>
may ignore all but the first appearence of the option. For
example:<br>
<br>
net&nbsp;&nbsp;&nbsp; eth0&nbsp;&nbsp;&nbsp; dhcp<br>
loc&nbsp;&nbsp;&nbsp; eth1&nbsp;&nbsp;&nbsp; dhcp<br>
net    eth0    dhcp<br>
loc    eth1    dhcp<br>
<br>
Shorewall will ignore the 'dhcp' on eth1.</li>
<li>Update 17 June 2002 - The bug described in the prior bullet
@ -284,116 +298,105 @@ dos2unix</a></u>
norfc1918, routefilter, multi, filterping and noping. An additional
bug has been found that affects only the 'routestopped' option.<br>
<br>
Users who downloaded the corrected script prior to 1850 GMT today
should download and install the corrected script again to ensure
that this second problem is corrected.</li>
Users who downloaded the corrected script prior to 1850 GMT
today should download and install the corrected script again
to ensure that this second problem is corrected.</li>
</ul>
<p align="Left">These problems are corrected in
<a href="http://www.shorewall.net/pub/shorewall/errata/1.3.1/firewall">
this firewall script</a> which should be installed in
/etc/shorewall/firewall as described above.</p>
<p align="left">These problems are corrected in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.1/firewall">
this firewall script</a> which should be installed in /etc/shorewall/firewall
as described above.</p>
<h3 align="Left">Version 1.3.0</h3>
<h3 align="left">Version 1.3.0</h3>
<ul>
<li>Folks who downloaded 1.3.0 from the links on the download page
before 23:40 GMT, 29 May 2002 may have downloaded 1.2.13 rather than
1.3.0. The &quot;shorewall version&quot; command will tell you which version
that you have installed.</li>
<li>Folks who downloaded 1.3.0 from the links on the download
page before 23:40 GMT, 29 May 2002 may have downloaded 1.2.13
rather than 1.3.0. The "shorewall version" command will tell
you which version that you have installed.</li>
<li>The documentation NAT.htm file uses non-existent
wallpaper and bullet graphic files. The
<a href="http://www.shorewall.net/pub/shorewall/errata/1.3.0/NAT.htm">
wallpaper and bullet graphic files. The <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.0/NAT.htm">
corrected version is here</a>.</li>
</ul>
<hr>
<h2 align="Left"><a name="Upgrade"></a>Upgrade Issues</h2>
<p align="Left">The upgrade issues have moved to
<a href="upgrade_issues.htm">a separate page</a>.</p>
<hr>
<h2 align="left"><a name="Upgrade"></a>Upgrade Issues</h2>
<h3 align="Left"><a name="iptables"></a><font color="#660066">
Problem with iptables version 1.2.3</font></h3>
<p align="left">The upgrade issues have moved to <a
href="upgrade_issues.htm">a separate page</a>.</p>
<hr>
<h3 align="left"><a name="iptables"></a><font color="#660066"> Problem with
iptables version 1.2.3</font></h3>
<blockquote>
<p align="left">There are a couple of serious bugs in iptables 1.2.3 that
prevent it from working with Shorewall. Regrettably, RedHat released
this buggy iptables in RedHat 7.2. </p>
<p align="Left">There are a couple of serious bugs in iptables 1.2.3 that
prevent it from working with Shorewall. Regrettably,
RedHat released this buggy iptables in RedHat 7.2.&nbsp;</p>
<p align="left"> I have built a <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
corrected 1.2.3 rpm which you can download here</a>  and I have also built
an <a
href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
iptables-1.2.4 rpm which you can download here</a>. If you are currently
running RedHat 7.1, you can install either of these RPMs <b><u>before</u>
</b>you upgrade to RedHat 7.2.</p>
<p align="Left"> I have built a <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
corrected 1.2.3 rpm which you can download here</a>&nbsp; and I have also built
an <a href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
iptables-1.2.4 rpm which you can download here</a>. If
you are currently running RedHat 7.1, you can install either of these RPMs
<b><u>before</u> </b>you upgrade to RedHat 7.2.</p>
<p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat
has released an iptables-1.2.4 RPM of their own which you can download
from<font color="#ff6633"> <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
</font>I have installed this RPM on my firewall and it works fine.</p>
<p align="Left"><font color="#FF6633"><b>Update
11/9/2001: </b></font>RedHat has
released an iptables-1.2.4 RPM of their own which you can download from<font color="#FF6633">
<a href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
</font>I have installed this RPM
on my firewall and it works fine.</p>
<p align="left">If you would like to patch iptables 1.2.3 yourself,
the patches are available for download. This <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
which corrects a problem with parsing of the --log-level specification
while this <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
corrects a problem in handling the  TOS target.</p>
<p align="Left">If you
would like to patch iptables 1.2.3 yourself, the patches are available
for download. This <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
which corrects a problem with parsing of the --log-level specification while
this <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
corrects a problem in handling the&nbsp; TOS target.</p>
<p align="left">To install one of the above patches:</p>
<p align="Left">To install one of the above patches:</p>
<ul>
<li>cd iptables-1.2.3/extensions</li>
<li>patch -p0 &lt; <i>the-patch-file</i></li>
</ul>
</ul>
</blockquote>
<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18
and RedHat iptables</h3>
<blockquote>
<p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19 may
experience the following:</p>
<p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19
may experience the following:</p>
<blockquote>
<pre># shorewall start
Processing /etc/shorewall/shorewall.conf ...
Processing /etc/shorewall/params ...
Starting Shorewall...
Loading Modules...
Initializing...
Determining Zones...
Zones: net
Validating interfaces file...
Validating hosts file...
Determining Hosts in Zones...
Net Zone: eth0:0.0.0.0/0
iptables: libiptc/libip4tc.c:380: do_check: Assertion
`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.
Aborted (core dumped)
iptables: libiptc/libip4tc.c:380: do_check: Assertion
`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.
Aborted (core dumped)
</pre>
</blockquote>
<p>The RedHat iptables RPM is compiled with debugging enabled but the
user-space debugging code was not updated to reflect recent changes in the
Netfilter 'mangle' table. You can correct the problem by installing
<a href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
this iptables RPM</a>. If you are already running a 1.2.5 version of
iptables, you will need to specify the --oldpackage option to rpm (e.g.,
&quot;iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm&quot;).</p>
<pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre>
</blockquote>
<h3><a name="SuSE"></a>Problems
installing/upgrading RPM on SuSE</h3>
<p>The RedHat iptables RPM is compiled with debugging enabled but the
user-space debugging code was not updated to reflect recent changes in
the Netfilter 'mangle' table. You can correct the problem by installing
<a
href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
this iptables RPM</a>. If you are already running a 1.2.5 version of
iptables, you will need to specify the --oldpackage option to rpm (e.g.,
"iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
</blockquote>
<h3><a name="SuSE"></a>Problems installing/upgrading
RPM on SuSE</h3>
<p>If you find that rpm complains about a conflict
with kernel &lt;= 2.2 yet you have a 2.4 kernel
installed, simply use the &quot;--nodeps&quot; option to
installed, simply use the "--nodeps" option to
rpm.</p>
<p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
@ -412,18 +415,22 @@ Aborted (core dumped)
<ul>
<li>set MULTIPORT=No in
/etc/shorewall/shorewall.conf; or </li>
<li>if you are running Shorewall 1.3.6 you may
install
<a href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
<li>if you are running Shorewall 1.3.6
you may install
<a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
this firewall script</a> in /var/lib/shorewall/firewall
as described above.</li>
</ul>
<p><font size="2">
Last updated 9/1/2002 -
<p><font size="2"> Last updated 9/28/2002 -
<a href="support.htm">Tom Eastep</a></font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br>
</body>
</html>

208
Shorewall-docs/mailing_list.htm
View File

@ -1,32 +1,48 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Mailing Lists</title>
<meta name="Microsoft Theme" content="none">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><a href="http://www.gnu.org/software/mailman/mailman.html">
<img border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110" height="35"></a><a href="http://www.postfix.org/"><img src="images/small-picture.gif" align="right" border="0" width="115" height="45"></a><font color="#FFFFFF">Shorewall Mailing Lists</font></h1>
<p align="right"><font color="#FFFFFF"><b>Powered by Postfix&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</b></font>
<h1 align="center"><a
href="http://www.gnu.org/software/mailman/mailman.html"> <img
border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110"
height="35">
</a><a href="http://www.postfix.org/"> <img
src="images/small-picture.gif" align="right" border="0" width="115"
height="45">
</a><font color="#ffffff">Shorewall Mailing Lists</font></h1>
<p align="right"><font color="#ffffff"><b>Powered by Postfix     
</b></font> </p>
</td>
</tr>
</tbody>
</table>
<p align="left">
<b>Note: </b>The list server limits posts to 120kb.</p>
<p align="left"> <b>Note: </b>The list server limits posts to 120kb.</p>
<h2 align="left">Not getting List Mail? -- <a href="mailing_list_problems.htm">Check
Here</a></h2>
<h2 align="left">Not getting List Mail? -- <a
href="mailing_list_problems.htm">Check Here</a></h2>
<p align="left">If you experience problems with any of these lists, please
let <a href="mailto:teastep@shorewall.net">me</a> know</p>
@ -36,104 +52,132 @@ let <a href="mailto:teastep@shorewall.net">me</a> know</p>
<p align="left">You can report such problems by sending mail to tom dot eastep
at hp dot com.</p>
<h2>A Word about SPAM Filters
<a href="http://ordb.org">
<img border="0" src="images/but3.png" hspace="3" width="88" height="31"></a><a href="http://osirusoft.com/"><img border="0" src="images/ORE.jpg" width="88" height="37"></a></h2>
<h2>A Word about SPAM Filters <a href="http://ordb.org"> <img border="0"
src="images/but3.png" hspace="3" width="88" height="31">
 </a><a href="http://osirusoft.com/"> </a></h2>
<p>Before subscribing please read my <a href="spam_filters.htm">policy
about list traffic that bounces.</a> Also please note that the mail server
at shorewall.net checks the sender of incoming mail against the open relay
databases at <a href="http://ordg.org">ordb.org</a> and at
<a href="http://osirusoft.com">osirusoft.com</a>.</p>
at shorewall.net checks the sender of incoming mail against the open
relay databases at <a href="http://ordb.org">ordb.org.</a></p>
<h2>Search the Mailing List Archives</h2>
<h2></h2>
<form method="POST" action="http://www.shorewall.net/cgi-bin/htsearch">
<p>
<font size="-1">
Match: <select name="method">
<option value="and">All
<option value="or">Any
<option value="boolean">Boolean
<h2 align="left">Mailing Lists Archive Search</h2>
<form method="post" action="http://www.shorewall.net/cgi-bin/htsearch">
<p> <font size="-1"> Match:
<select name="method">
<option value="and">All </option>
<option value="or">Any </option>
<option value="boolean">Boolean </option>
</select>
Format: <select name="format">
<option value="builtin-long">Long
<option value="builtin-short">Short
Format:
<select name="format">
<option value="builtin-long">Long </option>
<option value="builtin-short">Short </option>
</select>
Sort by: <select name="sort">
<option value="score">Score
<option value="time">Time
<option value="title">Title
<option value="revscore">Reverse Score
<option value="revtime">Reverse Time
<option value="revtitle">Reverse Title
Sort by:
<select name="sort">
<option value="score">Score </option>
<option value="time">Time </option>
<option value="title">Title </option>
<option value="revscore">Reverse Score </option>
<option value="revtime">Reverse Time </option>
<option value="revtitle">Reverse Title </option>
</select>
</font>
<input type="hidden" name="config" value="htdig">
<input type="hidden" name="restrict" value="[http://www.shorewall.net/pipermail/.*]">
<input type="hidden" name="exclude" value="">
<br>
Search:
<input type="text" size="30" name="words" value="">
<input type="submit" value="Search"> </p>
</font> <input type="hidden" name="config" value="htdig"> <input
type="hidden" name="restrict"
value="[http://www.shorewall.net/pipermail/.*]"> <input type="hidden"
name="exclude" value=""> <br>
Search: <input type="text" size="30" name="words" value=""> <input
type="submit" value="Search"> </p>
</form>
<h2 align="left">Shorewall Users Mailing List</h2>
<p align="left">The Shorewall Users Mailing list provides a way for users to get
answers to questions and to report problems.
Information of general interest to the Shorewall user community is also posted
to this list.</p>
<p align="left"><b>Before posting a problem report to this list, please see the
<a href="support.htm">problem reporting guidelines</a>.</b></p>
<p align="left">To subscribe to the mailing list, go to
<a href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a>.</p>
<p align="left">To post to the list, post to <a href="mailto:shorewall-users@shorewall.net">shorewall-users@shorewall.net</a>.</p>
<p align="left">The list archives are at <a href="http://www.shorewall.net/pipermail/shorewall-users">http://www.shorewall.net/pipermail/shorewall-users</a>.</p>
<p align="left">Note that prior to 1/1/2002, the mailing list was hosted at <a href="http://sourceforge.net">Sourceforge</a>.
The archives from that list may be found at <a href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p>
<p align="left">The Shorewall Users Mailing list provides a way for users
to get answers to questions and to report problems. Information of general
interest to the Shorewall user community is also posted to this list.</p>
<p align="left"><b>Before posting a problem report to this list, please see
the <a href="support.htm">problem reporting guidelines</a>.</b></p>
<p align="left">To subscribe to the mailing list, go to <a
href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a>.</p>
<p align="left">To post to the list, post to <a
href="mailto:shorewall-users@shorewall.net">shorewall-users@shorewall.net</a>.</p>
<p align="left">The list archives are at <a
href="http://www.shorewall.net/pipermail/shorewall-users/index.html">http://www.shorewall.net/pipermail/shorewall-users</a>.</p>
<p align="left">Note that prior to 1/1/2002, the mailing list was hosted at
<a href="http://sourceforge.net">Sourceforge</a>. The archives from that list
may be found at <a
href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p>
<h2 align="left">Shorewall Announce Mailing List</h2>
<p align="left">This list is for announcements of general interest to the
Shorewall community. To subscribe, go to
<a href="http://www.shorewall.net/mailman/listinfo/shorewall-announce">http://www.shorewall.net/mailman/listinfo/shorewall-announce</a>.</p>
<p align="left">The list archives are at <a href="http://www.shorewall.net/pipermail/shorewall-announce">http://www.shorewall.net/pipermail/shorewall-announce</a>.</p>
Shorewall community. To subscribe, go to <a
href="http://www.shorewall.net/mailman/listinfo/shorewall-announce">http://www.shorewall.net/mailman/listinfo/shorewall-announce</a>.</p>
<p align="left">The list archives are at <a
href="http://www.shorewall.net/pipermail/shorewall-announce">http://www.shorewall.net/pipermail/shorewall-announce</a>.</p>
<h2 align="left">Shorewall Development Mailing List</h2>
<p align="left">The Shorewall Development Mailing list provides a forum for the
exchange of ideas about the future of Shorewall and for coordinating ongoing
<p align="left">The Shorewall Development Mailing list provides a forum for
the exchange of ideas about the future of Shorewall and for coordinating ongoing
Shorewall Development.</p>
<p align="left">To subscribe to the mailing list, go to
<a href="http://www.shorewall.net/mailman/listinfo/shorewall-devel">http://www.shorewall.net/mailman/listinfo/shorewall-devel</a>.</p>
<p align="left">To post to the list, post to <a href="mailto:shorewall-devel@shorewall.net">shorewall-devel@shorewall.net</a>.&nbsp;</p>
<p align="left">The list archives are at <a href="http://www.shorewall.net/pipermail/shorewall-devel">http://www.shorewall.net/pipermail/shorewall-devel</a>.</p>
<h2 align="left"><a name="Unsubscribe"></a>How to Unsubscribe from one of the
Mailing Lists</h2>
<p align="left">To subscribe to the mailing list, go to <a
href="http://www.shorewall.net/mailman/listinfo/shorewall-devel">http://www.shorewall.net/mailman/listinfo/shorewall-devel</a>.</p>
<p align="left">To post to the list, post to <a
href="mailto:shorewall-devel@shorewall.net">shorewall-devel@shorewall.net</a>. </p>
<p align="left">The list archives are at <a
href="http://www.shorewall.net/pipermail/shorewall-devel">http://www.shorewall.net/pipermail/shorewall-devel</a>.</p>
<h2 align="left"><a name="Unsubscribe"></a>How to Unsubscribe from one of
the Mailing Lists</h2>
<p align="left">There seems to be near-universal confusion about unsubscribing
from Mailman-managed lists. To unsubscribe:</p>
<ul>
<li>
<p align="left">Follow the same link above that you used to subscribe to the
list.</p>
<p align="left">Follow the same link above that you used to subscribe
to the list.</p>
</li>
<li>
<p align="left">Down at the bottom of that page is the following text: &quot;To
change your subscription (set options like digest and delivery modes, get a
reminder of your password, <b>or unsubscribe</b> from &lt;name of list&gt;), enter
your subscription email address:&quot;. Enter your email address in the box and click
on the &quot;Edit Options&quot; button.</p>
<p align="left">Down at the bottom of that page is the following text:
"To change your subscription (set options like digest and delivery modes,
get a reminder of your password, <b>or unsubscribe</b> from &lt;name of list&gt;),
enter your subscription email address:". Enter your email address in the
box and click on the "Edit Options" button.</p>
</li>
<li>
<p align="left">There will now be a box where you can enter your password and
click on &quot;Unsubscribe&quot;; if you have forgotten your password, there is another
button that will cause your password to be emailed to you.</p>
<p align="left">There will now be a box where you can enter your password
and click on "Unsubscribe"; if you have forgotten your password, there is
another button that will cause your password to be emailed to you.</p>
</li>
</ul>
<hr>
<h2 align="left">Frustrated by having to Rebuild Mailman to use it with Postfix?</h2>
<p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p>
<p align="left"><font size="2">Last updated 7/26/2002 - <a href="support.htm">Tom
Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm">
<font size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<p align="left"><font size="2">Last updated 9/27/2002 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
</body>
</html>

15
Shorewall-docs/myfiles.htm
View File

@ -39,16 +39,18 @@ is connected to eth0. I have a local network connected to eth2 (subnet 192.168.1
<p> I use:<br>
</p>
<ul>
<li>Static NAT for ursa (my XP System) - Internal address 192.168.1.5
and external address 206.124.146.178.</li>
<li>Proxy ARP for wookie (my Linux System). This system has two IP addresses:
192.168.1.3/24 and 206.124.146.179/24.</li>
<li>SNAT through the primary gateway address (206.124.146.176) for  my
Wife's system (tarry) and the Wireless Access Point (wap)</li>
<li>SNAT through the primary gateway address (206.124.146.176) for 
my Wife's system (tarry) and the Wireless Access Point (wap)</li>
</ul>
<p> The firewall runs on a 128MB PII/233 with RH7.2 and Kernel 2.4.19.</p>
<p> The firewall runs on a 128MB PII/233 with RH7.2 and Kernel 2.4.20-pre6.</p>
<p> Wookie runs Samba and acts as the a WINS server.  Wookie is in its
own 'whitelist' zone called 'me'.</p>
@ -106,8 +108,8 @@ of the entry in /etc/shorewall/proxyarp (see below).</
<h3>Interfaces File: </h3>
<blockquote>
<p> This is set up so that I can start the firewall before bringing up
my Ethernet interfaces. </p>
<p> This is set up so that I can start the firewall before bringing up my
Ethernet interfaces. </p>
</blockquote>
<pre><font face="Courier" size="2"> #ZONE INTERFACE BROADCAST OPTIONS<br> net eth0 206.124.146.255 routefilter,norfc1918,blacklist,filterping<br> loc eth2 192.168.1.255 dhcp<br> dmz eth1 206.124.146.255 -<br> net eth3 206.124.146.255 norfc1918<br> - texas -<br> loc ppp+<br> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
@ -156,10 +158,11 @@ my Ethernet interfaces. </p>
<pre><font face="Courier" size="2"> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL<br> # PORT(S) PORT(S) PORT(S) DEST<br> #<br> # Local Network to Internet - Reject attempts by Trojans to call home<br> #<br> REJECT:info loc net tcp 6667<br> #<br> # Local Network to Firewall <br> #<br> ACCEPT loc fw tcp ssh<br> ACCEPT loc fw tcp time<br> #<br> # Local Network to DMZ <br> #<br> ACCEPT loc dmz udp domain<br> ACCEPT loc dmz tcp smtp<br> ACCEPT loc dmz tcp domain<br> ACCEPT loc dmz tcp ssh<br> ACCEPT loc dmz tcp auth<br> ACCEPT loc dmz tcp imap<br> ACCEPT loc dmz tcp https<br> ACCEPT loc dmz tcp imaps<br> ACCEPT loc dmz tcp cvspserver<br> ACCEPT loc dmz tcp www<br> ACCEPT loc dmz tcp ftp<br> ACCEPT loc dmz tcp pop3<br> ACCEPT loc dmz icmp echo-request<br> #<br> # Internet to DMZ <br> #<br> ACCEPT net dmz tcp www<br> ACCEPT net dmz tcp smtp<br> ACCEPT net dmz tcp ftp<br> ACCEPT net dmz tcp auth<br> ACCEPT net dmz tcp https<br> ACCEPT net dmz tcp imaps<br> ACCEPT net dmz tcp domain<br> ACCEPT net dmz tcp cvspserver<br> ACCEPT net dmz udp domain<br> ACCEPT net dmz icmp echo-request<br> ACCEPT net:$MIRRORS dmz tcp rsync<br> #<br> # Net to Me (ICQ chat and file transfers) <br> #<br> ACCEPT net me tcp 4000:4100<br> #<br> # Net to Local <br> #<br> ACCEPT net loc tcp auth<br> REJECT net loc tcp www<br> #<br> # DMZ to Internet<br> #<br> ACCEPT dmz net icmp echo-request<br> ACCEPT dmz net tcp smtp<br> ACCEPT dmz net tcp auth<br> ACCEPT dmz net tcp domain<br> ACCEPT dmz net tcp www<br> ACCEPT dmz net tcp https<br> ACCEPT dmz net tcp whois<br> ACCEPT dmz net tcp echo<br> ACCEPT dmz net udp domain<br> ACCEPT dmz net:$NTPSERVERS udp ntp<br> ACCEPT dmz net:$POPSERVERS tcp pop3<br> #<br> # The following compensates for a bug, either in some FTP clients or in the<br> # Netfilter connection tracking code that occasionally denies active mode<br> # FTP clients<br> #<br> ACCEPT:info dmz net tcp 1024: 20<br> #<br> # DMZ to Firewall -- snmp<br> #<br> ACCEPT dmz fw tcp snmp<br> ACCEPT dmz fw udp snmp<br> #<br> # DMZ to Local Network <br> #<br> ACCEPT dmz loc tcp smtp<br> ACCEPT dmz loc tcp auth<br> ACCEPT dmz loc icmp echo-request<br> # Internet to Firewall<br> #<br> ACCEPT net fw tcp 1723<br> ACCEPT net fw gre<br> REJECT net fw tcp www<br> #<br> # Firewall to Internet<br> #<br> ACCEPT fw net:$NTPSERVERS udp ntp<br> ACCEPT fw net udp domain<br> ACCEPT fw net tcp domain<br> ACCEPT fw net tcp www<br> ACCEPT fw net tcp https<br> ACCEPT fw net tcp ssh<br> ACCEPT fw net tcp whois<br> ACCEPT fw net icmp echo-request<br> #<br> # Firewall to DMZ<br> #<br> ACCEPT fw dmz tcp www<br> ACCEPT fw dmz tcp ftp<br> ACCEPT fw dmz tcp ssh<br> ACCEPT fw dmz tcp smtp<br> ACCEPT fw dmz udp domain<br> #<br> # Let Texas Ping<br> #<br> ACCEPT tx fw icmp echo-request<br> ACCEPT tx loc icmp echo-request<br><br> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
<p><font size="2"> Last updated 9/14/2002 - </font><font size="2">
<p><font size="2"> Last updated 9/19/2002 - </font><font size="2">
<a href="support.htm">Tom Eastep</a></font>
</p>
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
<br>
</body>
</html>

123
Shorewall-docs/quotes.htm
View File

@ -1,96 +1,101 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Quotes from Shorewall Users</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Quotes from Shorewall Users</font></h1>
<h1 align="center"><font color="#ffffff">Quotes from Shorewall Users</font></h1>
</td>
</tr>
</tbody>
</table>
<p>"I just installed Shorewall after weeks of messing with ipchains/iptables
and I had it up and running in under 20 minutes!" -- JL, Ohio<br>
</p>
"My case was almost like [the one above]. Well. instead of 'weeks' it was
'months' for me, and I think I needed two minutes more:<br>
<ul>
<li>One to see that I had no Internet access from the firewall itself.</li>
<li>Other to see that this was the default configuration, and it was enough
to uncomment a line in /etc/shorewall/policy.<br>
</li>
</ul>
Minutes instead of months! Congratulations and thanks for such a simple and
well documented thing for something as huge as iptables." -- JV, Spain.
<p>&quot;I just installed Shorewall after weeks of messing with
ipchains/iptables and I had it up and running in under 20 minutes!&quot;
-- JL, Ohio
<p>"I downloaded Shorewall 1.2.0 and installed it on Mandrake 8.1 without
any problems. Your documentation is great and I really appreciate your
network configuration info. That really helped me out alot. THANKS!!!"
-- MM. </p>
<p>"[Shorewall is a] great, great project. I've used/tested may firewall
scripts but this one is till now the best." -- B.R, Netherlands
</p>
<p>"Never in my +12 year career as a sys admin have I witnessed someone
so relentless in developing a secure, state of the art, save and useful
product as the Shorewall firewall package for no cost or obligation
involved." -- Mario Kericki, Toronto </p>
<p>&quot;I downloaded Shorewall 1.2.0 and installed it on Mandrake 8.1
without any problems. Your documentation is great and I really appreciate
your network configuration info. That really helped me out alot.
THANKS!!!&quot; -- MM.
</p>
<p>"one time more to report, that your great shorewall in the latest
release 1.2.9 is working fine for me with SuSE Linux 7.3! I now
have 7 machines up and running with shorewall on several versions -
starting with 1.2.2 up to the new 1.2.9 and I never have encountered
any problems!" -- SM, Germany</p>
<p>"You have the best support of any other package I've ever used."
-- SE, US </p>
<p>&quot;[Shorewall is a] great, great project. I've used/tested may
firewall scripts but this one is till now the best.&quot; -- B.R,
Netherlands
</p>
<p>&quot;Never in my +12 year career as a sys admin have I witnessed
someone so relentless in developing a secure, state of the art, save and
useful product as the Shorewall firewall package for no cost or obligation
involved.&quot; -- Mario Kericki, Toronto
</p>
<p>&quot;one time more to report, that your great shorewall in the latest
release
1.2.9 is working fine for me with SuSE Linux 7.3! I now have 7 machines up
and running with shorewall on several versions - starting with 1.2.2 up to
the new 1.2.9 and I never have encountered any problems!&quot; -- SM, Germany</p>
<p>&quot;You have the best support of any other package I've ever
used.&quot; -- SE, US
</p>
<p>&quot;Because our company has information which has been classified by the
<p>"Because our company has information which has been classified by the
national government as secret, our security doesn't stop by putting a fence
around our company. Information security is a hot issue. We also make use of
checkpoint firewalls, but not all of the internet servers are guarded by
checkpoint, some of them are running....Shorewall.&quot; -- Name withheld by request,
Europe</p>
around our company. Information security is a hot issue. We also make use
of checkpoint firewalls, but not all of the internet servers are guarded
by checkpoint, some of them are running....Shorewall." -- Name withheld
by request, Europe</p>
<p>&quot;thanx for all your efforts you put into shorewall - this product stands out
against a lot of commercial stuff i´ve been working with in terms of
flexibillity, quality &amp; support&quot; -- RM, Austria</p>
<p>"thanx for all your efforts you put into shorewall - this product stands
out against a lot of commercial stuff i´ve been working with in terms of
flexibillity, quality &amp; support" -- RM, Austria</p>
<p>&quot;I have never seen such a complete firewall package that is so easy to
<p>"I have never seen such a complete firewall package that is so easy to
configure. I searched the Debian package system for firewall scripts and
Shorewall won hands down.&quot; -- RG, Toronto</p>
Shorewall won hands down." -- RG, Toronto</p>
<p>&quot;My respects... I've just found and installed Shorewall 1.3.3-1 and it is a
wonderful piece of software. I've just sent out an email to about 30 people
recommending it. :-)<br>
<p>"My respects... I've just found and installed Shorewall 1.3.3-1 and it
is a wonderful piece of software. I've just sent out an email to about 30
people recommending it. :-)<br>
While I had previously taken the time (maybe 40 hours) to really understand
ipchains, then spent at least an hour per server customizing and carefully
scrutinizing firewall rules, I've got shorewall running on my home firewall,
with rulesets and policies that I know make sense, in under 20 minutes.&quot; -- RP,
Guatamala<br>
with rulesets and policies that I know make sense, in under 20 minutes."
-- RP, Guatamala<br>
<br>
&nbsp;</p>
<p><font size="2" face="Century Gothic, Arial, Helvetica">Updated
7/9/2002 - <a href="support.htm">Tom Eastep</a>
</font>
 </p>
<p><font size="2" face="Century Gothic, Arial, Helvetica">Updated 9/24/2002
- <a href="support.htm">Tom Eastep</a> </font>
</p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
</body>
</html>

315
Shorewall-docs/seattlefirewall_index.htm
View File

@ -2,37 +2,44 @@
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.3</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<base target="_self">
<meta name="Microsoft Theme" content="none">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="4"
style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c">
<tbody>
<tr>
<td width="100%">
<td width="100%" height="90">
<h1 align="center"> <font size="4"><i> <a
href="http://www.cityofshoreline.com"> <img border="0"
src="images/washington.jpg" align="right" width="100" height="82">
<img border="0" src="images/washington.jpg" align="left"
width="100" height="82">
</a></i></font><font color="#ffffff">Shorewall 1.3 - <font
size="4">"<i>iptables made easy"</i></font></font></h1>
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4"
alt="Shorwall Logo" height="70" width="85" align="left"
src="images/washington.jpg" border="0">
</a></i></font><font color="#ffffff">Shorewall 1.3
- <font size="4">"<i>iptables made easy"</i></font></font></h1>
<div align="center"><a href="1.2" target="_top"><font
color="#ffffff">Shorewall 1.2 Site here</font></a><br>
</div>
<br>
</td>
</tr>
</tbody>
</table>
<div align="center">
<center>
<table border="0" cellpadding="0" cellspacing="0"
@ -41,185 +48,208 @@
<tr>
<td width="90%">
<h2 align="left">What is it?</h2>
<p>The Shoreline Firewall, more commonly known as "Shorewall",  is
a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
firewall that can be used on a dedicated firewall system, a multi-function
<p>The Shoreline Firewall, more commonly known as "Shorewall", is a
<a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
that can be used on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system.</p>
<p>This program is free software; you can redistribute it and/or modify
it under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
General Public License</a> as published by the Free Software Foundation.<br>
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU General
Public License</a> as published by the Free Software Foundation.<br>
<br>
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
for more details.<br>
This program is distributed in the hope that
it will be useful, but WITHOUT ANY WARRANTY; without even the
implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
PURPOSE. See the GNU General Public License for more details.<br>
<br>
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software Foundation,
Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
You should have received a copy of the GNU General
Public License along with this program; if not, write to the
Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA
02139, USA</p>
<p><a href="copyright.htm">Copyright 2001, 2002 Thomas M. Eastep</a></p>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques Nilo and Eric Wolzak have a LEAF distribution called
<i>Bering</i> that features Shorewall-1.3.3 and Kernel-2.4.18.
You can find their work at: <a
</a>Jacques Nilo and Eric Wolzak have a LEAF
distribution called <i>Bering</i> that features Shorewall-1.3.3
and Kernel-2.4.18. You can find their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
<h2>News</h2>
<p><b>9/16/2002 - Shorewall 1.3.8 </b><b><img border="0"
src="file:///vfat/Shorewall/Shorewall-docs/images/new10.gif" width="28"
height="12">
</b></p>
<p><b>9/28/2002 - Shorewall 1.3.9</b></p>
<p>In this version:<br>
</p>
<ul>
<li>A NEWNOTSYN option has been added to shorewall.conf. This option
determines whether Shorewall accepts TCP packets which are not part of an
established connection and that are not 'SYN' packets (SYN flag on and ACK
flag off).</li>
<li>The need for the 'multi' option to communicate between zones
za and zb on the same interface is removed in the case where the chain 'za2zb'
and/or 'zb2za' exists. 'za2zb' will exist if:</li>
<ul>
<li>
<blockquote>There is a policy for za to zb; or</blockquote>
<li><a href="configuration_file_basics.htm#dnsnames">DNS Names</a>
are now allowed in Shorewall config files (although I recommend against
using them).</li>
<li>The connection SOURCE may now be qualified by both interface
and IP address in a <a href="Documentation.htm#Rules">Shorewall rule</a>.</li>
<li>Shorewall startup is now disabled after initial installation
until the file /etc/shorewall/startup_disabled is removed. This avoids
nasty surprises at reboot for users who install Shorewall but don't configure
it.</li>
<li>The 'functions' and 'version' files and the 'firewall' symbolic
link have been moved from /var/lib/shorewall to /usr/lib/shorewall to appease
the LFS police at Debian.<br>
</li>
<li>
<blockquote>There is at least one rule for za to zb.</blockquote>
</li>
</ul>
</ul>
<p><b>9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability
Restored</b><b> </b><b><img border="0" src="images/new10.gif"
width="28" height="12" alt="(New)">
</b><br>
</p>
<img src="images/j0233056.gif" alt="Brown Paper Bag"
width="50" height="86" align="left">
A couple of recent configuration changes at www.shorewall.net broke
the Search facility:<br>
<blockquote>
<ol>
<li>Mailing List Archive Search was not available.</li>
<li>The Site Search index was incomplete</li>
<li>Only one page of matches was presented.</li>
</ol>
</blockquote>
Hopefully these problems are now corrected.
<p><b>9/18/2002 - Debian 1.3.8 Packages Available </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b><br>
</p>
<p>Apt-get sources listed at <a
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a></p>
<b> </b>
<p><b>9/16/2002 - Shorewall 1.3.8 </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
<p>In this version:<br>
</p>
<ul>
<li>The /etc/shorewall/blacklist file now contains three columns.
In addition to the SUBNET/ADDRESS column, there are optional PROTOCOL and
PORT columns to block only certain applications from the blacklisted addresses.<br>
<li>A NEWNOTSYN option has been added to shorewall.conf.
This option determines whether Shorewall accepts TCP packets which
are not part of an established connection and that are not 'SYN' packets
(SYN flag on and ACK flag off).</li>
<li>The need for the 'multi' option to communicate
between zones za and zb on the same interface is removed in the case
where the chain 'za2zb' and/or 'zb2za' exists. 'za2zb' will exist if:
<ul>
<li>There is a policy for za to zb; or</li>
<li>There is at least one rule for za to zb.
</li>
</ul>
</li>
</ul>
<ul>
<li>The /etc/shorewall/blacklist file now contains
three columns. In addition to the SUBNET/ADDRESS column, there are
optional PROTOCOL and PORT columns to block only certain applications
from the blacklisted addresses.<br>
</li>
</ul>
<p><b>9/11/2002 - Debian 1.3.7c Packages Available </b></p>
<p>Apt-get sources listed at <a
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a>.</p>
<p><b>9/2/2002 - Shorewall 1.3.7c</b></p>
<p>This is a role up of a fix for "DNAT" rules where the source zone
is $FW (fw).</p>
<p><b>8/26/2002 - Shorewall 1.3.7b</b></p>
<p>This is a role up of the "shorewall refresh" bug fix and the change
which reverses the order of "dhcp" and "norfc1918" checking.</p>
<p><b>8/26/2002 - French FTP Mirror is Operational</b></p>
<p><a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall">ftp://france.shorewall.net/pub/mirrors/shorewall</a>
is now available.</p>
<p><b>8/25/2002 - Shorewall Mirror in France </b></p>
<p>Thanks to a Shorewall user in Paris, the Shorewall web site is now
mirrored at <a target="_top" href="http://france.shorewall.net">http://france.shorewall.net</a>.</p>
mirrored at <a target="_top"
href="http://france.shorewall.net">http://france.shorewall.net</a>.</p>
<p><b>8/25/2002 - Shorewall 1.3.7a Debian Packages Available</b></p>
<p>Lorenzo Martignoni reports that the packages for version 1.3.7a
are available at <a
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a>.</p>
<p><b>8/22/2002 - Shorewall 1.3.7 Wins a Brown Paper Bag Award for
its Author -- Shorewall 1.3.7a released <img border="0"
src="images/j0233056.gif" width="50" height="80" align="middle">
</b></p>
<p>1.3.7a corrects problems occurring in rules file processing when
starting Shorewall 1.3.7.</p>
<p><b>8/22/2002 - Shorewall 1.3.7 Released</b></p>
<p>Features in this release include:</p>
<ul>
<li>The 'icmp.def' file is now empty! The rules in that file were
required in ipchains firewalls but are not required in Shorewall.
Users who have ALLOWRELATED=No in <a
href="Documentation.htm#Conf"> shorewall.conf</a> should see the
<a href="errata.htm#Upgrade">Upgrade Issues</a>.</li>
<li>A 'FORWARDPING' option has been added to <a
href="Documentation.htm#Conf">shorewall.conf</a>. The effect of
setting this variable to Yes is the same as the effect of adding an
ACCEPT rule for ICMP echo-request in <a
href="shorewall_extension_scripts.htm">/etc/shorewall/icmpdef</a>.
Users who have such a rule in icmpdef are encouraged to switch to
FORWARDPING=Yes.</li>
<li>The loopback CLASS A Network (127.0.0.0/8) has been added to
the rfc1918 file.</li>
<li>Shorewall now works with iptables 1.2.7.</li>
<li>The documentation and Web site no longer use FrontPage themes.</li>
</ul>
<p>I would like to thank John Distler for his valuable input regarding
TCP SYN and ICMP treatment in Shorewall. That input has led to marked improvement
in Shorewall in the last two releases.</p>
<p><b>8/13/2002 - Documentation in the <a target="_top"
href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi"> CVS Repository</a></b></p>
<p>The Shorewall-docs project now contains just the HTML and image
files - the Frontpage files have been removed.</p>
<p><b>8/7/2002 - <i>STABLE</i></b> <b>branch added to <a
target="_top" href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi"> CVS
Repository</a></b></p>
<p>This branch will only be updated after I release a new version of
Shorewall so you can always update from this branch to get the latest stable
tree.</p>
<p><b>8/7/2002 - <a href="errata.htm#Upgrade">Upgrade Issues</a> section
added to the <a href="errata.htm">Errata Page</a></b></p>
<p>Now there is one place to go to look for issues involved with upgrading
to recent versions of Shorewall.</p>
<p><b>8/7/2002 - Shorewall 1.3.6</b></p>
<p>This is primarily a bug-fix rollup with a couple of new features:</p>
<ul>
<li>The latest <a href="shorewall_quickstart_guide.htm">QuickStart Guides
</a> including the <a href="shorewall_setup_guide.htm">Shorewall
Setup Guide.</a></li>
<li>Shorewall will now DROP TCP packets that are not part of or related
to an existing connection and that are not SYN packets. These "New not
SYN" packets may be optionally logged by setting the LOGNEWNOTSYN option
in <a href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf</a>.</li>
<li>The processing of "New not SYN" packets may be extended by commands
in the new <a href="shorewall_extension_scripts.htm">newnotsyn extension
script</a>.</li>
</ul>
<p><a href="News.htm">More News</a></p>
<h2><a name="Donations"></a>Donations</h2>
</td>
<td width="88" bgcolor="#4b017c" valign="top"
align="center"> <a href="http://sourceforge.net">M</a></td>
<td width="88" bgcolor="#4b017c"
valign="top" align="center"> <a
href="http://sourceforge.net">M</a></td>
</tr>
</tbody>
</table>
</center>
@ -231,26 +261,35 @@ script</a>.</li>
<tbody>
<tr>
<td width="100%" style="margin-top: 1px;">
<p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10">
<img border="4" src="images/newlog.gif" width="57" height="100"
align="right" hspace="10">
</a></p>
  </a></p>
<p align="center"><font size="4" color="#ffffff">Shorewall is free
but if you try it and find it useful, please consider making a donation
to <a href="http://www.starlight.org"><font color="#ffffff">Starlight
Children's Foundation.</font></a> Thanks!</font></p>
<p align="center"><font size="4" color="#ffffff">Shorewall is free but
if you try it and find it useful, please consider making a donation
to <a href="http://www.starlight.org"><font
color="#ffffff">Starlight Children's Foundation.</font></a> Thanks!</font></p>
</td>
</tr>
</tbody>
</table>
<p><font size="2">Updated 9/16/2002 - <a href="support.htm">Tom Eastep</a>
</font>
<p><font size="2">Updated 9/27/2002 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
</body>
</html>

121
Shorewall-docs/shoreline.htm
View File

@ -2,49 +2,44 @@
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>About the Shorewall Author</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Tom Eastep</font></h1>
<h1 align="center"><font color="#ffffff">Tom Eastep</font></h1>
</td>
</tr>
</tbody>
</table>
<p align="center"> <img border="3" src="images/Hiking1.jpg"
alt="Tom on the PCT - 1991" width="374" height="365">
</p>
<p align="Center">
<img border="3" src="images/Hiking1.jpg" alt="Tom on the PCT - 1991" width="374" height="365"></p>
<p align="Center">Tom on the Pacific Crest Trail north of Stevens Pass,
Washington&nbsp; -- Sept
1991.<br>
<font size="2">Photo
by Ken Mazawa</font></p>
<p align="center">Tom on the Pacific Crest Trail north of Stevens Pass,
Washington  -- Sept 1991.<br>
<font size="2">Photo by Ken Mazawa</font></p>
<ul>
<li>Born 1945 in <a href="http://www.experiencewashington.com">Washington
State</a>
.</li>
State</a> .</li>
<li>BA Mathematics from <a href="http://www.wsu.edu">Washington State
University</a>
1967</li>
University</a> 1967</li>
<li>MA Mathematics from <a href="http://www.washington.edu">University
of Washington</a> 1969</li>
<li>Burroughs Corporation (now <a href="http://www.unisys.com">Unisys</a>
@ -52,57 +47,65 @@ of Washington</a> 1969</li>
<li><a href="http://www.tandem.com">Tandem Computers, Incorporated</a>
(now part of the <a href="http://www.hp.com">The New HP</a>) 1980 - present</li>
<li>Married 1969 - no children.</li>
</ul>
<p>I am currently a member of the design team for the next-generation
operating system from the NonStop Enterprise Division of HP. </p>
<p>I became interested in Internet Security
when I established a home office in 1999 and had DSL service installed in our
home. I investigated
ipchains and developed the scripts which are now collectively known as <a href="http://seawall.sourceforge.net"> Seattle
Firewall</a>. Expanding on what I learned from Seattle Firewall, I then
designed and wrote Shorewall. </p>
<p>I became interested in Internet Security when I established a home office
in 1999 and had DSL service installed in our home. I investigated ipchains
and developed the scripts which are now collectively known as <a
href="http://seawall.sourceforge.net"> Seattle Firewall</a>. Expanding
on what I learned from Seattle Firewall, I then designed and wrote
Shorewall. </p>
<p>I telework from our home in&nbsp;<a href="http://www.cityofshoreline.com">Shoreline,
Washington</a>
where I live with my wife Tarry. </p>
<p>I telework from our home in <a href="http://www.cityofshoreline.com">Shoreline,
Washington</a> where I live with my wife Tarry. </p>
<p>Our current home network consists of: </p>
<ul>
<li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &amp; 8GB IDE HDs and LNE100TX
(Tulip) NIC - My personal Windows system.</li>
<li>Celeron 1.4Gz, RH7.3, 384MB RAM, 60GB HD, LNE100TX(Tulip) NIC - My
personal Linux System which runs Samba configured as a WINS server. This
system also has <a href="http://www.vmware.com/">VMware</a> installed and
can run both <a href="http://www.debian.org">Debian</a> and
<li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &amp; 8GB IDE HDs
and LNE100TX (Tulip) NIC - My personal Windows system.</li>
<li>Celeron 1.4Gz, RH7.3, 384MB RAM, 60GB HD, LNE100TX(Tulip) NIC -
My personal Linux System which runs Samba configured as a WINS server.
This system also has <a href="http://www.vmware.com/">VMware</a> installed
and can run both <a href="http://www.debian.org">Debian</a> and
<a href="http://www.suse.com">SuSE</a> in virtual machines.</li>
<li>K6-2/350, RH7.3, 384MB RAM, 8GB IDE HD, EEPRO100 NIC 
- Mail (Postfix &amp; Courier-IMAP), HTTP (Apache), FTP (Pure_ftpd), DNS server
(Bind).</li>
<li>PII/233, RH7.3 with 2.4.20-pre2 kernel, 256MB MB RAM, 2GB SCSI HD - 3
LNE100TX&nbsp; (Tulip) and 1 TLAN NICs&nbsp; - Firewall running Shorewall 1.3.6 and a DHCP
server.  Also runs PoPToP for road warrior access.</li>
<li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - My wife's personal system.</li>
<li>PII/400 Laptop, Win2k SP2, 224MB RAM, 12GB HD, onboard EEPRO100 and EEPRO100
in expansion base and LinkSys WAC11 - My main work system.</li>
<li>K6-2/350, RH7.3, 384MB RAM, 8GB IDE HD, EEPRO100 NIC  - Mail (Postfix
&amp; Courier-IMAP), HTTP (Apache), FTP (Pure_ftpd), DNS server (Bind).</li>
<li>PII/233, RH7.3 with 2.4.20-pre6 kernel, 256MB MB RAM, 2GB SCSI HD
- 3 LNE100TX  (Tulip) and 1 TLAN NICs  - Firewall running Shorewall
1.3.9 (Yep -- I run them before I release them) and a DHCP server.  Also
runs PoPToP for road warrior access.</li>
<li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - My wife's
personal system.</li>
<li>PII/400 Laptop, Win2k SP2, 224MB RAM, 12GB HD, onboard EEPRO100
and EEPRO100 in expansion base and LinkSys WAC11 - My main work system.</li>
</ul>
<p>For more about our network see <a href="myfiles.htm">my Shorewall
Configuration</a>.</p>
<p>All of our
other systems are made by <a href="http://www.compaq.com">Compaq</a> (part
of the new <a href="http://www.hp.com/">HP</a>).. All of our Tulip NICs are <a href="http://www.netgear.com">Netgear</a>
FA310TXs.</p>
<p>For more about our network see <a href="myfiles.htm">my Shorewall Configuration</a>.</p>
<p>All of our other systems are made by <a
href="http://www.compaq.com">Compaq</a> (part of the new <a
href="http://www.hp.com/">HP</a>).. All of our Tulip NICs are <a
href="http://www.netgear.com">Netgear</a> FA310TXs.</p>
<p><a href="http://www.redhat.com"><img border="0" src="images/poweredby.png" width="88" height="31"></a><a href="http://www.compaq.com"><img border="0" src="images/poweredbycompaqlog0.gif" hspace="3" width="83" height="25"></a><a href="http://www.pureftpd.org"><img border="0" src="images/pure.jpg" width="88" height="31"></a><font size="4"><a href="http://www.apache.org"><img border="0" src="images/apache_pb1.gif" hspace="2" width="170" height="20"></a>
</font></p>
<p><a href="http://www.redhat.com"><img border="0"
src="images/poweredby.png" width="88" height="31">
</a><a href="http://www.compaq.com"><img border="0"
src="images/poweredbycompaqlog0.gif" hspace="3" width="83" height="25">
</a><a href="http://www.pureftpd.org"><img border="0"
src="images/pure.jpg" width="88" height="31">
</a><font size="4"><a href="http://www.apache.org"><img border="0"
src="images/apache_pb1.gif" hspace="2" width="170" height="20">
</a> </font></p>
<p><font size="2">Last updated 8/16/2002 - </font><font size="2">
<a href="support.htm">Tom Eastep</a></font>
</p>
<p><font size="2">Last updated 9/19/2002 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></body></html>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
</body>
</html>

68
Shorewall-docs/shorewall_prerequisites.htm
View File

@ -1,40 +1,53 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Prerequisites</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Shorewall Requirements</font></h1>
<h1 align="center"><font color="#ffffff">Shorewall Requirements</font></h1>
</td>
</tr>
</tbody>
</table>
<ul>
<li>A kernel that supports netfilter. I've tested with 2.4.2 - 2.4.20-pre2. <a href="kernel.htm">
Check here for kernel configuration information.</a>
If you are looking for a firewall for use with 2.2 kernels, <a href="http://www.shorewall.net/seawall">
see the Seattle Firewall site</a>
.</li>
<li>iptables 1.2 or later but beware version 1.2.3 -- see the <a href="errata.htm">Errata</a>.
<font color="#FF0000"><b>WARNING: </b></font>The buggy iptables version 1.2.3
is included in RedHat 7.2 and you should upgrade to iptables 1.2.4 prior to
installing Shorewall. Version 1.2.4 is available
<a href="http://www.redhat.com/support/errata/RHSA-2001-144.html">from RedHat</a>
and in the <a href="errata.htm">Shorewall Errata</a>. If you are going to be
running kernel 2.4.18 or later, NO currently-available RedHat iptables RPM
will work -- again, see the <a href="errata.htm">Shorewall Errata</a>. </li>
<li>Some features require iproute ("ip" utility). The iproute package is
included with most distributions but may not be installed by default. The
official download site is <a href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank">
<font face="Century Gothic, Arial, Helvetica">f</font>tp://ftp.inr.ac.ru/ip-routing</a>.
<li>A kernel that supports netfilter. I've tested with 2.4.2 - 2.4.20-pre6.
<a href="kernel.htm"> Check here for kernel configuration information.</a>
If you are looking for a firewall for use with 2.2 kernels, <a
href="http://www.shorewall.net/seawall"> see the Seattle Firewall
site</a> .</li>
<li>iptables 1.2 or later but beware version 1.2.3 -- see the <a
href="errata.htm">Errata</a>. <font color="#ff0000"><b>WARNING: </b></font>The
buggy iptables version 1.2.3 is included in RedHat 7.2 and you should
upgrade to iptables 1.2.4 prior to installing Shorewall. Version 1.2.4
is available <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">from RedHat</a>
and in the <a href="errata.htm">Shorewall Errata</a>. If you are going
to be running kernel 2.4.18 or later, NO currently-available RedHat iptables
RPM will work -- again, see the <a href="errata.htm">Shorewall Errata</a>.
</li>
<li>Some features require iproute ("ip" utility). The iproute package
is included with most distributions but may not be installed by default.
The official download site is <a
href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank"> <font
face="Century Gothic, Arial, Helvetica">f</font>tp://ftp.inr.ac.ru/ip-routing</a>.
</li>
<li>A Bourne shell or derivative such as bash or ash. Must have correct
support for variable expansion formats ${<i>variable</i>%<i>pattern</i>
@ -42,13 +55,14 @@
} and ${<i>variable</i>##<i>pattern</i>}.</li>
<li>The firewall monitoring display is greatly improved if you have awk
(gawk) installed.</li>
</ul>
<p align="left"><font size="2">Last updated 8/24/2002 - <a href="support.htm">Tom
Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm">
<font size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<p align="left"><font size="2">Last updated 9/19/2002 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
</body>
</html>

17
Shorewall-docs/shorewall_quickstart_guide.htm
View File

@ -30,8 +30,8 @@
</tbody>
</table>
<p align="center">With thanks to Richard who reminded me once again that
we must all first walk before we can run.</p>
<p align="center">With thanks to Richard who reminded me once again that we
must all first walk before we can run.</p>
<h2>The Guides</h2>
@ -54,8 +54,8 @@ as a firewall/router for a small local network and a DMZ.</li>
<p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> outlines
the steps necessary to set up a firewall where there are multiple public
IP addresses involved or if you want to learn more about Shorewall than
is explained in the single-address guides above.</p>
IP addresses involved or if you want to learn more about Shorewall than is
explained in the single-address guides above.</p>
<ul>
<li><a href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a></li>
@ -67,7 +67,8 @@ and Routing</a>
<li><a href="shorewall_setup_guide.htm#Addresses">4.1 IP Addresses</a></li>
<li><a href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
<li><a href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li>
<li><a href="shorewall_setup_guide.htm#ARP">4.4 Address Resolution Protocol</a></li>
<li><a href="shorewall_setup_guide.htm#ARP">4.4 Address Resolution
Protocol</a></li>
</ul>
@ -77,6 +78,7 @@ and Routing</a>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#Options">5.0 Setting up your Network</a>
<ul>
<li><a href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li>
@ -84,6 +86,7 @@ and Routing</a>
<ul>
<li><a href="shorewall_setup_guide.htm#NonRouted">5.2 Non-routed</a>
<ul>
<li><a href="shorewall_setup_guide.htm#SNAT">5.2.1 SNAT</a></li>
<li><a href="shorewall_setup_guide.htm#DNAT">5.2.2 DNAT</a></li>
@ -125,6 +128,8 @@ features</a>
<li>Port Numbers/Service Names</li>
<li>Port Ranges</li>
<li>Using Shell Variables</li>
<li>Using DNS Names<br>
</li>
<li>Complementing an IP address or Subnet</li>
<li>Shorewall Configurations (making a test configuration)</li>
<li>Using MAC Addresses in Shorewall</li>
@ -132,6 +137,7 @@ features</a>
</ul>
</li>
<li><a href="Documentation.htm">Configuration File Reference Manual</a>
<ul>
<li> <a href="Documentation.htm#Variables">params</a></li>
<li><font color="#000099"><a href="Documentation.htm#Zones">zones</a></font></li>
@ -198,5 +204,6 @@ to a remote network.</li>
<p><a href="copyright.htm"><font size="2">Copyright 2002 Thomas M. Eastep</font></a></p>
<br>
<br>
</body>
</html>

2091
Shorewall-docs/shorewall_setup_guide.htm
View File

File diff suppressed because it is too large Load Diff

386
Shorewall-docs/standalone.htm
View File

@ -1,74 +1,99 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Standalone Firewall</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber6" bgcolor="#400169" height="90">
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber6" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Standalone Firewall</font></h1>
<h1 align="center"><font color="#ffffff">Standalone Firewall</font></h1>
</td>
</tr>
</tbody>
</table>
<h2 align="center">Version 2.0.1</h2>
<p align="left">Setting up Shorewall on a standalone Linux system is very easy if you understand the basics and follow the
documentation.</p>
<p align="left">Setting up Shorewall on a standalone Linux system is very
easy if you understand the basics and follow the documentation.</p>
<p>This guide doesn't attempt to acquaint you with all of the features of
Shorewall. It rather focuses on what is required to configure Shorewall in one
of its
most common configurations:</p>
Shorewall. It rather focuses on what is required to configure Shorewall in
one of its most common configurations:</p>
<ul>
<li>Linux system</li>
<li>Single external IP address</li>
<li>Connection through Cable Modem, DSL, ISDN, Frame Relay, dial-up...</li>
</ul>
<p>This guide assumes that you have the iproute/iproute2 package installed (on
RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell if this
package is installed by the presence of an <b>ip</b> program on your firewall
system. As root, you can use the 'which' command to check for this program:</p>
<pre> [root@gateway root]# which ip
/sbin/ip
[root@gateway root]#</pre><p>I recommend that you read through the guide
first to familiarize yourself with what's involved then go back through it again
making your configuration changes.&nbsp; Points at which configuration changes
are recommended are flagged with <img border="0" src="images/BD21298_.gif" width="13" height="13">.</p>
<p><img border="0" src="images/j0213519.gif" width="60" height="60">&nbsp;&nbsp;&nbsp;
If you edit your configuration files on a Windows system, you must save them as
Unix files if your editor supports that option or you must run them through
dos2unix before trying to use them. Similarly, if you copy a configuration file
from your Windows hard drive to a floppy disk, you must run dos2unix against the
copy before using it with Shorewall.</p>
<p>This guide assumes that you have the iproute/iproute2 package installed
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell if
this package is installed by the presence of an <b>ip</b> program on your
firewall system. As root, you can use the 'which' command to check for this
program:</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
<p>I recommend that you read through the guide first to familiarize yourself
with what's involved then go back through it again making your configuration
changes.  Points at which configuration changes are recommended are flagged
with <img border="0" src="images/BD21298_.gif" width="13" height="13">
.</p>
<p><img border="0" src="images/j0213519.gif" width="60" height="60">
    If you edit your configuration files on a Windows system, you must
save them as Unix files if your editor supports that option or you must
run them through dos2unix before trying to use them. Similarly, if you copy
a configuration file from your Windows hard drive to a floppy disk, you
must run dos2unix against the copy before using it with Shorewall.</p>
<ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version of
dos2unix</a></li>
<li><a href="http://www.megaloman.com/~hany/software/hd2u/">Linux Version of
dos2unix</a></li>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
of dos2unix</a></li>
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version
of dos2unix</a></li>
</ul>
<h2 align="left">Shorewall Concepts</h2>
<p>The configuration files for Shorewall are contained in the directory
/etc/shorewall -- for simple setups, you only need to deal with a few of
these as described in this guide. After you have <a href="Install.htm">installed Shorewall</a>,
download the <a href="/pub/shorewall/LATEST.samples/one-interface.tgz">one-interface sample</a>, un-tar it
(tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewall
these as described in this guide. After you have <a href="Install.htm">installed
Shorewall</a>, download the <a
href="/pub/shorewall/LATEST.samples/one-interface.tgz">one-interface sample</a>,
un-tar it (tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewall
(they will replace files with the same names that were placed in /etc/shorewall
during Shorewall installation).</p>
<p>As each file is introduced, I suggest that you
look through the actual file on your system -- each file contains detailed
configuration instructions and default entries.</p>
<p>Shorewall views the network where it is running as being composed of a set of
<i>zones.</i> In the one-interface sample configuration, only one zone is
defined:</p>
<table border="0" style="border-collapse: collapse" cellpadding="3" cellspacing="0" id="AutoNumber2">
<p>As each file is introduced, I suggest that you look through the actual
file on your system -- each file contains detailed configuration instructions
and default entries.</p>
<p>Shorewall views the network where it is running as being composed of a
set of <i>zones.</i> In the one-interface sample configuration, only one
zone is defined:</p>
<table border="0" style="border-collapse: collapse;" cellpadding="3"
cellspacing="0" id="AutoNumber2">
<tbody>
<tr>
<td><u><b>Name</b></u></td>
<td><u><b>Description</b></u></td>
@ -77,30 +102,41 @@ defined:</p>
<td><b>net</b></td>
<td><b>The Internet</b></td>
</tr>
</tbody>
</table>
<p>Shorewall zones are defined in <a href="Documentation.htm#Zones">
/etc/shorewall/zones</a>.</p>
<p>Shorewall zones are defined in <a href="Documentation.htm#Zones"> /etc/shorewall/zones</a>.</p>
<p>Shorewall also recognizes the firewall system as its own zone - by default,
the firewall itself is known as <b>fw</b>.</p>
<p>Rules about what traffic to allow and what traffic to deny are expressed in
terms of zones.</p>
<ul>
<li>You express your default policy for connections from one zone to another
zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy </a>file.</li>
<li>You define exceptions to those default policies in the
<a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
</ul>
<p>For each connection request entering the firewall, the request is first checked against the
/etc/shorewall/rules file. If no rule in that file matches the connection
request then the first policy in /etc/shorewall/policy that matches the
request is applied. If that policy is REJECT or DROP&nbsp; the request is first
checked against the rules in /etc/shorewall/common (the samples provide that
file for you).</p>
<p>The /etc/shorewall/policy file included with the one-interface sample has the
following policies:</p>
<p>Rules about what traffic to allow and what traffic to deny are expressed
in terms of zones.</p>
<ul>
<li>You express your default policy for connections from one zone to
another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
</a>file.</li>
<li>You define exceptions to those default policies in the <a
href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
</ul>
<p>For each connection request entering the firewall, the request is first
checked against the /etc/shorewall/rules file. If no rule in that file matches
the connection request then the first policy in /etc/shorewall/policy that
matches the request is applied. If that policy is REJECT or DROP  the request
is first checked against the rules in /etc/shorewall/common (the samples
provide that file for you).</p>
<p>The /etc/shorewall/policy file included with the one-interface sample has
the following policies:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber3">
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber3">
<tbody>
<tr>
<td><u><b>SOURCE ZONE</b></u></td>
<td><u><b>DESTINATION ZONE</b></u></td>
@ -112,87 +148,115 @@ following policies:</p>
<td>fw</td>
<td>net</td>
<td>ACCEPT</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
<td> </td>
<td> </td>
</tr>
<tr>
<td>net</td>
<td>net</td>
<td>DROP</td>
<td>info</td>
<td>&nbsp;</td>
<td> </td>
</tr>
<tr>
<td>all</td>
<td>all</td>
<td>REJECT</td>
<td>info</td>
<td>&nbsp;</td>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
<pre> fw net ACCEPT
net all DROP info
all all REJECT info</pre>
<pre> fw net ACCEPT<br> net all DROP info<br> all all REJECT info</pre>
<p>The above policy will:</p>
<ol>
<li>allow all connection requests from the firewall to the internet</li>
<li>drop (ignore) all connection requests from the internet to your firewall</li>
<li>reject all other connection requests (Shorewall requires this catchall
policy).</li>
</ol>
<p>At this point, edit your /etc/shorewall/policy and make any changes that you
wish.</p>
<p>At this point, edit your /etc/shorewall/policy and make any changes that
you wish.</p>
<h2 align="left">External Interface</h2>
<p align="left">The firewall has a single network interface. Where Internet
connectivity is through a cable or DSL &quot;Modem&quot;, the <i>External Interface</i>
will be the ethernet adapter (<b>eth0</b>) that is connected to that &quot;Modem&quot;&nbsp;
connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
will be the ethernet adapter (<b>eth0</b>) that is connected to that "Modem" 
<u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol
over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling
<u>P</u>rotocol </i>(PPTP) in which case the External Interface will be a <b>ppp0</b>. If you connect via a regular modem, your External
Interface will also be <b>ppp0</b>. If you connect using ISDN, your external
interface will be<b> ippp0.</b></p>
<p align="left"><img border="0" src="images/BD21298_3.gif" width="13" height="13">&nbsp;&nbsp;&nbsp; The Shorewall one-interface sample configuration assumes that
the external interface is <b>eth0</b>.
If your configuration is different, you will have to modify the sample
/etc/shorewall/interfaces file accordingly. While you are there, you may wish to
review the list of options that are specified for the interface. Some hints:</p>
<u>P</u>rotocol </i>(PPTP) in which case the External Interface will be
a <b>ppp0</b>. If you connect via a regular modem, your External Interface
will also be <b>ppp0</b>. If you connect using ISDN, your external interface
will be<b> ippp0.</b></p>
<p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
height="13">
    The Shorewall one-interface sample configuration assumes that the external
interface is <b>eth0</b>. If your configuration is different, you will have
to modify the sample /etc/shorewall/interfaces file accordingly. While you
are there, you may wish to review the list of options that are specified
for the interface. Some hints:</p>
<ul>
<li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>, you can replace the
&quot;detect&quot; in the second column with &quot;-&quot;.</li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>,
you can replace the "detect" in the second column with "-". </p>
</li>
<li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b> or if you have a static IP
address, you can remove &quot;dhcp&quot; from the option list.</li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>
or if you have a static IP address, you can remove "dhcp" from the option
list. </p>
</li>
</ul>
<div align="left">
<h2 align="left">IP Addresses</h2>
</div>
<div align="left">
<p align="left">RFC 1918 reserves several <i>Private </i>IP address ranges for
use in private networks:</p>
<p align="left">RFC 1918 reserves several <i>Private </i>IP address ranges
for use in private networks:</p>
<div align="left">
<pre> 10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255</pre>
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
</div>
<p align="left">These addresses are sometimes referred to as <i>non-routable</i>
because the Internet backbone routers will not forward a packet whose
destination address is reserved by RFC 1918. In some cases though, ISPs are
assigning these addresses then using <i>Network Address Translation </i>to
rewrite packet headers when forwarding to/from the internet.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" align="left" width="13" height="13">&nbsp;&nbsp;&nbsp;&nbsp;
Before starting Shorewall, you should look at the IP address of your external
interface and if it is one of the above ranges, you should remove the
'norfc1918' option from the entry in /etc/shorewall/interfaces.</div>
destination address is reserved by RFC 1918. In some cases though, ISPs
are assigning these addresses then using <i>Network Address Translation
</i>to rewrite packet headers when forwarding to/from the internet.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" align="left"
width="13" height="13">
     Before starting Shorewall, you should look at the IP address of
your external interface and if it is one of the above ranges, you should
remove the 'norfc1918' option from the entry in /etc/shorewall/interfaces.</p>
</div>
<div align="left">
<h2 align="left">Enabling other Connections</h2>
</div>
<div align="left">
<p align="left">If you wish to enable connections from the internet to your firewall, the general format is:</div>
<p align="left">If you wish to enable connections from the internet to your
firewall, the general format is:</p>
</div>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber4">
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber4">
<tbody>
<tr>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
@ -208,18 +272,25 @@ use in private networks:</p>
<td>fw</td>
<td><i>&lt;protocol&gt;</i></td>
<td><i>&lt;port&gt;</i></td>
<td>&nbsp;</td>
<td>&nbsp;</td>
<td> </td>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
</div>
<div align="left">
<p align="left">Example - You want to run a Web Server and a POP3 Server on your firewall
system:</div>
<p align="left">Example - You want to run a Web Server and a POP3 Server on
your firewall system:</p>
</div>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber5">
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber5">
<tbody>
<tr>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
@ -235,8 +306,8 @@ use in private networks:</p>
<td>fw</td>
<td>tcp</td>
<td>80</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
<td> </td>
<td> </td>
</tr>
<tr>
<td>ACCEPT</td>
@ -244,22 +315,31 @@ use in private networks:</p>
<td>fw</td>
<td>tcp</td>
<td>110</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
<td> </td>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
</div>
<div align="left">
<p align="left">If you don't know what port and protocol a particular
application uses, see <a href="ports.htm">here</a>.</div>
<p align="left">If you don't know what port and protocol a particular application
uses, see <a href="ports.htm">here</a>.</p>
</div>
<div align="left">
<p align="left"><b>Important: </b>I don't recommend enabling telnet to/from
the internet because it uses clear text (even for login!). If you want shell
access to your firewall from the internet, use SSH:</div>
the internet because it uses clear text (even for login!). If you want
shell access to your firewall from the internet, use SSH:</p>
</div>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber4">
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber4">
<tbody>
<tr>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
@ -275,46 +355,72 @@ use in private networks:</p>
<td>fw</td>
<td>tcp</td>
<td>22</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
<td> </td>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
</div>
<div align="left">
<pre> ACCEPT net fw tcp 22</pre>
</div>
<div align="left">
<p align="left"><img border="0" src="images/BD21298_3.gif" width="13" height="13">&nbsp;&nbsp;&nbsp; At this point, edit
/etc/shorewall/rules to add other connections as desired.</div>
<p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
height="13">
    At this point, edit /etc/shorewall/rules to add other connections
as desired.</p>
</div>
<div align="left">
<h2 align="left">Starting and Stopping Your Firewall</h2>
</div>
<div align="left">
<p align="left">The <a href="Install.htm">installation procedure </a>
configures your system to start Shorewall at system boot.</div>
<div align="left">
<p align="left">The firewall is started using the &quot;shorewall start&quot; command
and stopped using &quot;shorewall stop&quot;. When the firewall is stopped, routing is
enabled on those hosts that have an entry in
<a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A
running firewall may be restarted using the &quot;shorewall restart&quot; command. If
you want to totally remove any trace of Shorewall from your Netfilter
configuration, use &quot;shorewall clear&quot;.</div>
<div align="left">
<p align="left"><b>WARNING: </b>If you are connected to your firewall from the
internet, do not issue a &quot;shorewall stop&quot; command unless you have added an
entry for the IP address that you are connected from to
<a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using &quot;shorewall restart&quot;; it is better to create an
<i><a href="Documentation.htm#Configs">alternate configuration</a></i> and
test it using the <a href="Documentation.htm#Starting">&quot;shorewall try&quot; command</a>.</div>
<p align="left"><font size="2">Last updated
7/23/2002 - <a href="support.htm">Tom
Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas M. Eastep</font></a></p>
<div align="left">
<p align="left"> <img border="0" src="images/BD21298_2.gif"
width="13" height="13" alt="Arrow">
    The <a href="Install.htm">installation procedure </a> configures
your system to start Shorewall at system boot but beginning with Shorewall
version 1.3.9 startup is disabled so that your system won't try to start
Shorewall before configuration is complete. Once you have completed configuration
of your firewall, you can enable Shorewall startup by removing the file /etc/shorewall/startup_disabled.<br>
</p>
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Users of the .deb
package must edit /etc/default/shorewall and set 'startup=1'.</font><br>
</p>
</div>
<div align="left">
<p align="left">The firewall is started using the "shorewall start" command
and stopped using "shorewall stop". When the firewall is stopped, routing
is enabled on those hosts that have an entry in <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A
running firewall may be restarted using the "shorewall restart" command.
If you want to totally remove any trace of Shorewall from your Netfilter
configuration, use "shorewall clear".</p>
</div>
<div align="left">
<p align="left"><b>WARNING: </b>If you are connected to your firewall from
the internet, do not issue a "shorewall stop" command unless you have added
an entry for the IP address that you are connected from to <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better to create
an <i><a href="Documentation.htm#Configs">alternate configuration</a></i>
and test it using the <a href="Documentation.htm#Starting">"shorewall try"
command</a>.</p>
</div>
<p align="left"><font size="2">Last updated 9/26/2002 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas
M. Eastep</font></a></p>
<br>
<br>
</body>
</html>

198
Shorewall-docs/starting_and_stopping_shorewall.htm
View File

@ -1,73 +1,103 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Starting and Stopping Shorewall</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Starting/Stopping and Monitoring the Firewall</font></h1>
<h1 align="center"><font color="#ffffff">Starting/Stopping and Monitoring
the Firewall</font></h1>
</td>
</tr>
</tbody>
</table>
<p>
If you have a permanent internet connection such as DSL or Cable, I
recommend that you start the firewall automatically at boot. Once you
have installed "firewall" in your init.d directory, simply type "chkconfig
--add firewall". This will start the firewall in run levels 2-5 and stop
it in run levels 1 and 6. If you want to configure your firewall differently
from this default, you can use the "--level" option in chkconfig
(see "man chkconfig") or using your favorite graphical run-level editor.</p>
<p> If you have a permanent internet connection such as DSL or Cable,
I recommend that you start the firewall automatically at boot. Once you
have installed "firewall" in your init.d directory, simply type
"chkconfig --add firewall". This will start the firewall in run levels
2-5 and stop it in run levels 1 and 6. If you want to configure your firewall
differently from this default, you can use the "--level" option in
chkconfig (see "man chkconfig") or using your favorite graphical run-level
editor.</p>
<p><strong><u>
<font color="#000099">
Important Note:</font></u> </strong></p>
<p><strong><u> <font color="#000099"> Important Notes:</font></u></strong><br>
</p>
<ol>
<li>Shorewall startup is disabled by default. Once you have configured
your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.
Note: Users of the .deb package must edit /etc/default/shorewall and set
'startup=1'.<br>
</li>
<li>If you use dialup, you may want to start the firewall in your
/etc/ppp/ip-up.local script. I recommend just placing "shorewall restart"
in that script.</li>
</ol>
<p>
If you use dialup, you may want to start the firewall in your /etc/ppp/ip-up.local
script. I recommend just placing "shorewall restart" in that script.
</p>
<p>
You can manually start and stop Shoreline Firewall using the "shorewall"
<p> You can manually start and stop Shoreline Firewall using the "shorewall"
shell program: </p>
<ul>
<li>shorewall start - starts the firewall</li>
<li>shorewall stop - stops the firewall</li>
<li>shorewall restart - stops the firewall (if it's running) and
then starts it again</li>
<li>shorewall reset - reset the packet and byte counters in the
firewall</li>
<li>shorewall clear - remove all rules and chains installed by
Shoreline Firewall</li>
<li>shorewall refresh - refresh the rules involving the broadcast addresses
of firewall interfaces and the black and white lists.</li>
<li>shorewall restart - stops the firewall (if it's running)
and then starts it again</li>
<li>shorewall reset - reset the packet and byte counters
in the firewall</li>
<li>shorewall clear - remove all rules and chains installed
by Shoreline Firewall</li>
<li>shorewall refresh - refresh the rules involving the broadcast
addresses of firewall interfaces and the black and white lists.</li>
</ul>
<p>
The "shorewall" program may also be used to monitor the firewall.</p>
<p> The "shorewall" program may also be used to monitor the firewall.</p>
<ul>
<li>shorewall status - produce a verbose report about the firewall
@ -79,96 +109,108 @@ Shoreline Firewall</li>
<li>shorewall show tos - produce a verbose report about the mangle table
(iptables -t mangle -L -n -v)</li>
<li>shorewall show log - display the last 20 packet log entries.</li>
<li>shorewall show connections - displays the IP connections currently being
tracked by the firewall.</li>
<li>shorewall show connections - displays the IP connections currently
being tracked by the firewall.</li>
<li>shorewall
show
tc
- displays information about the traffic control/shaping configuration.</li>
tc - displays information
about the traffic control/shaping configuration.</li>
<li>shorewall monitor [ delay ] - Continuously display the firewall
status, last 20 log entries and nat. When the log entry display
changes, an audible alarm is sounded.</li>
<li>shorewall hits - Produces several reports about the Shorewall packet log
messages in the current /var/log/messages file.</li>
<li>shorewall version - Displays the installed
version number.</li>
<li>shorewall check - Performs a <u>cursory</u> validation
of the zones, interfaces, hosts, rules and policy files.
<font size="4" color="#FF6666"><b>The &quot;check&quot; command does not parse and
validate the generated iptables commands so even though the &quot;check&quot; command
completes successfully, the configuration may fail to start. See the
recommended way to make configuration changes described below. </b></font>
</li>
<li>shorewall try<i> configuration-directory</i> [<i> timeout</i> ] - Restart shorewall using the
specified configuration and if an error occurs or if the<i> timeout </i>
option is given and the new configuration has been up for that many seconds
then shorewall is restarted using the standard configuration.</li>
<li>shorewall deny, shorewall reject, shorewall accept and shorewall save
implement <a href="blacklisting_support.htm">dynamic blacklisting</a>.</li>
<li>shorewall logwatch (added in version 1.3.2) - Monitors the
<a href="#Conf">LOGFILE </a>and produces an audible alarm when new Shorewall
<li>shorewall hits - Produces several reports about the Shorewall packet
log messages in the current /var/log/messages file.</li>
<li>shorewall version - Displays the installed version number.</li>
<li>shorewall check - Performs a <u>cursory</u> validation of the
zones, interfaces, hosts, rules and policy files. <font size="4"
color="#ff6666"><b>The "check" command does not parse and validate the
generated iptables commands so even though the "check" command completes
successfully, the configuration may fail to start. See the recommended
way to make configuration changes described below. </b></font> </li>
<li>shorewall try<i> configuration-directory</i> [<i> timeout</i> ]
- Restart shorewall using the specified configuration and if an error
occurs or if the<i> timeout </i> option is given and the new configuration
has been up for that many seconds then shorewall is restarted using the
standard configuration.</li>
<li>shorewall deny, shorewall reject, shorewall accept and shorewall
save implement <a href="blacklisting_support.htm">dynamic blacklisting</a>.</li>
<li>shorewall logwatch (added in version 1.3.2) - Monitors the <a
href="#Conf">LOGFILE </a>and produces an audible alarm when new Shorewall
messages are logged.</li>
</ul>
<p>
The <b>shorewall start</b>, <b>shorewall restart, shorewall check </b>&nbsp;and
<b>shorewall try </b>commands allow you to specify which <a href="#Configs">
Shorewall configuration</a>
to use:</p>
<p> The <b>shorewall start</b>, <b>shorewall restart, shorewall check </b> and
<b>shorewall try </b>commands allow you to specify which <a
href="#Configs"> Shorewall configuration</a> to use:</p>
<blockquote>
<p>
shorewall [ -c <i>configuration-directory</i> ] {start|restart|check}<br>
<p> shorewall [ -c <i>configuration-directory</i> ] {start|restart|check}<br>
shorewall try <i>configuration-directory</i></p>
</blockquote>
<p>
If a <i>configuration-directory</i> is specified, each time that Shorewall
<p> If a <i>configuration-directory</i> is specified, each time that Shorewall
is going to use a file in /etc/shorewall it will first look in the <i>configuration-directory</i>
. If the file is present in the <i>configuration-directory</i>, that file
will be used; otherwise, the file in /etc/shorewall will be used.</p>
<p>
When changing the configuration of a production firewall, I recommend the
following:</p>
<p> When changing the configuration of a production firewall, I recommend
the following:</p>
<ul>
<li>mkdir /etc/test</li>
<li>cd /etc/test</li>
<li>&lt;copy any files that you need to change from /etc/shorewall to . and change them here&gt;</li>
<li>&lt;copy any files that you need to change from /etc/shorewall
to . and change them here&gt;</li>
<li>shorewall -c . check</li>
<li>&lt;correct any errors found by check and check again&gt;</li>
<li>/sbin/shorewall try .</li>
</ul>
<p>
If the configuration starts but doesn't work, just &quot;shorewall restart&quot; to
restore the old configuration. If the new configuration fails to start, the
&quot;try&quot; command will automatically start the old one for you.</p>
<p> If the configuration starts but doesn't work, just "shorewall restart"
to restore the old configuration. If the new configuration fails to start,
the "try" command will automatically start the old one for you.</p>
<p>
When the new configuration works then just </p>
<p> When the new configuration works then just </p>
<ul>
<li>cp * /etc/shorewall</li>
<li>cd</li>
<li>rm -rf /etc/test</li>
</ul>
<p><font size="2">
Updated 8/8/2002 - <a href="support.htm">Tom
Eastep</a>
<p><font size="2"> Updated 9/26/2002 - <a href="support.htm">Tom Eastep</a>
</font></p>
@ -177,7 +219,7 @@ Eastep</a>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
</body>
</html>

45
Shorewall-docs/support.htm
View File

@ -29,17 +29,18 @@
</tbody>
</table>
<h3 align="left"> <span style="font-weight: 400;"><i> "<font size="3">It
is easier to post a problem than to use your own brain" </font>-- </i> <font
size="2">Weitse Venema (creator of <a href="http://www.postfix.org">Postfix</a>)</font></span></h3>
<h3 align="left"> <span style="font-weight: 400;"><i> "<font size="3">It is
easier to post a problem than to use your own brain" </font>-- </i> <font
size="2">Wietse Venema (creator of <a href="http://www.postfix.org">Postfix</a>)</font></span></h3>
<p align="left"> <i>"Any sane computer with tell you how it works -- you
just have to ask it the right questions" </i>-- <font size="2">Tom Eastep</font></p>
<p align="left"> <i>"Any sane computer will tell you how it works -- you just
have to ask it the right questions" </i>-- <font size="2">Tom Eastep</font></p>
<blockquote> </blockquote>
<p><span style="font-weight: 400;"><i>"It irks me when people believe that
free software comes at no cost. The cost is incredibly high."</i>
- <font size="2"> Weitse Venema</font></span></p>
- <font size="2"> Wietse Venema</font></span></p>
<h3 align="left">Before Reporting a Problem</h3>
@ -47,20 +48,16 @@ free software comes at no cost. The cost is incredibly high."</i>
<ul>
<li>The <a href="FAQ.htm">FAQ</a> has solutions to common problems.</li>
<li>The <a href="troubleshoot.htm">Troubleshooting</a> Information contains
a number of tips to help you solve common problems.</li>
<li>The <a href="troubleshoot.htm">Troubleshooting</a> Information
contains a number of tips to help you solve common problems.</li>
<li>The <a href="errata.htm"> Errata</a> has links to download updated
components.</li>
<li>The Mailing List Archives are a useful source of problem solving
information.</li>
<li>The Mailing List Archives search facility can locate posts about
similar problems:</li>
</ul>
<blockquote>
<p>The archives from the mailing List are at <a
href="http://www.shorewall.net/pipermail/shorewall-users">http://www.shorewall.net/pipermail/shorewall-users</a>.</p>
<h3>Search the Mailing List Archives at Shorewall.net</h3>
<h4>Mailing List Archive Search</h4>
<form method="post" action="http://www.shorewall.net/cgi-bin/htsearch">
<p> <font size="-1"> Match:
@ -90,20 +87,19 @@ a number of tips to help you solve common problems.</li>
Search: <input type="text" size="30" name="words" value=""> <input
type="submit" value="Search"> </p>
</form>
</blockquote>
<h3 align="left">Problem Reporting Guidelines</h3>
<ul>
<li>When reporting a problem, give as much information as you can. Reports
that say "I tried XYZ and it didn't work" are not at all helpful.</li>
<li>Please don't describe your environment and then ask us to send you
custom configuration files. We're here to answer your questions
<li>When reporting a problem, give as much information as you can.
Reports that say "I tried XYZ and it didn't work" are not at all helpful.</li>
<li>Please don't describe your environment and then ask us to send
you custom configuration files. We're here to answer your questions
but we can't do your job for you.</li>
<li>Do you see any "Shorewall" messages in /var/log/messages when
you exercise the function that is giving you problems?</li>
<li>Have you looked at the packet flow with a tool like tcpdump to
try to understand what is going on?</li>
<li>Have you looked at the packet flow with a tool like tcpdump
to try to understand what is going on?</li>
<li>Have you tried using the diagnostic capabilities of the application
that isn't working? For example, if "ssh" isn't able to connect, using
the "-v" option gives you a lot of valuable diagnostic information.</li>
@ -138,10 +134,13 @@ to help people who have a similar question or problem in the future.</p>
href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a>
.</p>
<p align="left"><font size="2">Last Updated 9/14/2002 - Tom Eastep</font></p>
<p align="left"><font size="2">Last Updated 9/27/2002 - Tom Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br>
<br>
</body>
</html>

178
Shorewall-docs/three-interface.htm
View File

@ -41,7 +41,8 @@ in one of its more popular configurations:</p>
<li>Linux system used as a firewall/router for a small local network.</li>
<li>Single public IP address.</li>
<li>DMZ connected to a separate ethernet interface.</li>
<li>Connection through DSL, Cable Modem, ISDN, Frame Relay, dial-up, ...</li>
<li>Connection through DSL, Cable Modem, ISDN, Frame Relay, dial-up,
...</li>
</ul>
@ -54,10 +55,11 @@ in one of its more popular configurations:</p>
<p>This guide assumes that you have the iproute/iproute2 package installed
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell if
this package is installed by the presence of an <b>ip</b> program on your
firewall system. As root, you can use the 'which' command to check for this
program:</p>
firewall system. As root, you can use the 'which' command to check for
this program:</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
<p>I recommend that you first read through the guide to familiarize yourself
with what's involved then go back through it again making your configuration
changes. Points at which configuration changes are recommended are flagged
@ -65,26 +67,26 @@ with <img border="0" src="images/BD21298_.gif" width="13" height="13">
</p>
<p><img border="0" src="images/j0213519.gif" width="60" height="60">
    If you edit your configuration files on a Windows system, you must save
them as Unix files if your editor supports that option or you must run them
through dos2unix before trying to use them. Similarly, if you copy a configuration
file from your Windows hard drive to a floppy disk, you must run dos2unix
against the copy before using it with Shorewall.</p>
    If you edit your configuration files on a Windows system, you must
save them as Unix files if your editor supports that option or you must
run them through dos2unix before trying to use them. Similarly, if you copy
a configuration file from your Windows hard drive to a floppy disk, you
must run dos2unix against the copy before using it with Shorewall.</p>
<ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
of dos2unix</a></li>
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version
of dos2unix</a></li>
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
Version of dos2unix</a></li>
</ul>
<h2 align="left">Shorewall Concepts</h2>
<p>The configuration files for Shorewall are contained in the directory /etc/shorewall
-- for simple setups, you will only need to deal with a few of these as
described in this guide. After you have <a href="Install.htm">installed
Shorewall</a>, download the <a
<p>The configuration files for Shorewall are contained in the directory
/etc/shorewall -- for simple setups, you will only need to deal with a few
of these as described in this guide. After you have <a
href="Install.htm">installed Shorewall</a>, download the <a
href="/pub/shorewall/LATEST.samples/three-interfaces.tgz">three-interface
sample</a>, un-tar it (tar -zxvf three-interfaces.tgz) and and copy the
files to /etc/shorewall (the files will replace files with the same names
@ -130,8 +132,9 @@ zone names are used:</p>
in terms of zones.</p>
<ul>
<li>You express your default policy for connections from one zone to another
zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy </a>file.</li>
<li>You express your default policy for connections from one zone to
another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
</a>file.</li>
<li>You define exceptions to those default policies in the <a
href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
@ -215,17 +218,17 @@ the internet, uncomment that line.</p>
<ol>
<li>allow all connection requests from your local network to the internet</li>
<li>drop (ignore) all connection requests from the internet to your firewall
or local network</li>
<li>optionally accept all connection requests from the firewall to the
internet (if you uncomment the additional policy)</li>
<li>drop (ignore) all connection requests from the internet to your
firewall or local network</li>
<li>optionally accept all connection requests from the firewall to
the internet (if you uncomment the additional policy)</li>
<li>reject all other connection requests.</li>
</ol>
<p><img border="0" src="images/BD21298_1.gif" width="13" height="13">
    At this point, edit your /etc/shorewall/policy file and make any changes
that you wish.</p>
    At this point, edit your /etc/shorewall/policy file and make any
changes that you wish.</p>
<h2 align="left">Network Interfaces</h2>
@ -238,15 +241,15 @@ that you wish.</p>
will be the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>) 
<u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol
over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling
<u>P</u>rotocol </i>(PPTP) in which case the External Interface will be a
ppp interface (e.g., <b>ppp0</b>). If you connect via a regular modem, your
External Interface will also be <b>ppp0</b>. If you connect using ISDN,
<u>P</u>rotocol </i>(PPTP) in which case the External Interface will be
a ppp interface (e.g., <b>ppp0</b>). If you connect via a regular modem,
your External Interface will also be <b>ppp0</b>. If you connect using ISDN,
you external interface will be <b>ippp0.</b></p>
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13">
    If your external interface is <b>ppp0</b> or <b>ippp0 </b>then you will
want to set CLAMPMSS=yes in <a href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf.</a></p>
    If your external interface is <b>ppp0</b> or <b>ippp0 </b>then you
will want to set CLAMPMSS=yes in <a href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf.</a></p>
<p align="left">Your <i>Local Interface</i> will be an ethernet adapter (eth0,
eth1 or eth2) and will be connected to a hub or switch. Your local computers
@ -285,6 +288,7 @@ you can replace the "detect" in the second column with "-". </p>
or if you have a static IP address, you can remove "dhcp" from the option
list. </p>
</li>
</ul>
<h2 align="left">IP Addresses</h2>
@ -293,14 +297,14 @@ list. </p>
Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you a single
<i> Public</i> IP address. This address may be assigned via the<i> Dynamic
Host Configuration Protocol</i> (DHCP) or as part of establishing your connection
when you dial in (standard modem) or establish your PPP connection. In rare
cases, your ISP may assign you a<i> static</i> IP address; that means that
you configure your firewall's external interface to use that address permanently.<i>
</i>Regardless of how the address is assigned, it will be shared by all of
your systems when you access the Internet. You will have to assign your
own addresses for your internal network (the local and DMZ Interfaces on
your firewall plus your other computers). RFC 1918 reserves several <i>Private
</i>IP address ranges for this purpose:</p>
when you dial in (standard modem) or establish your PPP connection. In
rare cases, your ISP may assign you a<i> static</i> IP address; that means
that you configure your firewall's external interface to use that address
permanently.<i> </i>Regardless of how the address is assigned, it will be
shared by all of your systems when you access the Internet. You will have
to assign your own addresses for your internal network (the local and DMZ
Interfaces on your firewall plus your other computers). RFC 1918 reserves
several <i>Private </i>IP address ranges for this purpose:</p>
<div align="left">
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
@ -309,20 +313,21 @@ your firewall plus your other computers). RFC 1918 reserves several <i>Private
<div align="left">
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13">
    Before starting Shorewall, you should look at the IP address of your
external interface and if it is one of the above ranges, you should remove
the 'norfc1918' option from the external interface's entry in /etc/shorewall/interfaces.</p>
    Before starting Shorewall, you should look at the IP address of
your external interface and if it is one of the above ranges, you should
remove the 'norfc1918' option from the external interface's entry in
/etc/shorewall/interfaces.</p>
</div>
<div align="left">
<p align="left">You will want to assign your local addresses from one <i>
sub-network </i>or <i>subnet</i> and your DMZ addresses from another subnet.
For our purposes, we can consider a subnet to consists of a range of addresses
x.y.z.0 - x.y.z.255. Such a subnet will have a <i>Subnet Mask </i>of 255.255.255.0.
The address x.y.z.0 is reserved as the <i>Subnet Address</i> and x.y.z.255
is reserved as the <i>Subnet Broadcast</i> <i>Address</i>. In Shorewall,
a subnet is described using <a href="subnet_masks.htm"> <i>Variable-Length
Subnet Mask </i>(VLSM)</a> notation with consists of the subnet address
sub-network </i>or <i>subnet</i> and your DMZ addresses from another
subnet. For our purposes, we can consider a subnet to consists of a range
of addresses x.y.z.0 - x.y.z.255. Such a subnet will have a <i>Subnet
Mask </i>of 255.255.255.0. The address x.y.z.0 is reserved as the <i>Subnet
Address</i> and x.y.z.255 is reserved as the <i>Subnet Broadcast</i> <i>Address</i>.
In Shorewall, a subnet is described using <a href="subnet_masks.htm"><i>Classless
InterDomain Routing </i>(CIDR)</a> notation with consists of the subnet address
followed by "/24". The "24" refers to the number of consecutive "1"
bits from the left of the subnet mask. </p>
</div>
@ -349,7 +354,7 @@ bits from the left of the subnet mask. </p>
<td>10.10.10.255</td>
</tr>
<tr>
<td><b>VLSM Notation:</b></td>
<td><b>CIDR Notation:</b></td>
<td>10.10.10.0/24</td>
</tr>
@ -367,8 +372,8 @@ or the last usable address (10.10.10.254).</p>
<div align="left">
<p align="left">One of the purposes of subnetting is to allow all computers
in the subnet to understand which other computers can be communicated
with directly. To communicate with systems outside of the subnetwork,
systems send packets through a<i>  gateway</i>  (router).</p>
with directly. To communicate with systems outside of the subnetwork, systems
send packets through a<i>  gateway</i>  (router).</p>
</div>
<div align="left">
@ -404,8 +409,8 @@ to as <i>non-routable</i> because the Internet backbone routers don't forward
packets which have an RFC-1918 destination address. When one of your local
systems (let's assume local computer 1) sends a connection request to an
internet host, the firewall must perform <i>Network Address Translation
</i>(NAT). The firewall rewrites the source address in the packet to be
the address of the firewall's external interface; in other words, the firewall
</i>(NAT). The firewall rewrites the source address in the packet to be the
address of the firewall's external interface; in other words, the firewall
makes it look as if the firewall itself is initiating the connection.  This
is necessary so that the destination host will be able to route return packets
back to the firewall (remember that packets whose destination address is
@ -413,10 +418,10 @@ reserved by RFC 1918 can't be routed accross the internet). When the firewall
receives a return packet, it rewrites the destination address back to 10.10.10.1
and forwards the packet on to local computer 1. </p>
<p align="left">On Linux systems, the above process is often referred to
as<i> IP Masquerading</i> and you will also see the term <i>Source Network
Address Translation </i>(SNAT) used. Shorewall follows the convention used
with Netfilter:</p>
<p align="left">On Linux systems, the above process is often referred to as<i>
IP Masquerading</i> and you will also see the term <i>Source Network Address
Translation </i>(SNAT) used. Shorewall follows the convention used with
Netfilter:</p>
<ul>
<li>
@ -429,6 +434,7 @@ with Netfilter:</p>
the source address that you want outbound packets from your local network
to use. </p>
</li>
</ul>
<p align="left">In Shorewall, both Masquerading and SNAT are configured with
@ -453,15 +459,15 @@ work fine if you leave that column empty. Entering your static IP in column
<p align="left">One of your goals will be to run one or more servers on your
DMZ computers. Because these computers have RFC-1918 addresses, it is not
possible for clients on the internet to connect directly to them. It is
rather necessary for those clients to address their connection requests
to your firewall who rewrites the destination address to the address of
your server and forwards the packet to that server. When your server responds,
rather necessary for those clients to address their connection requests to
your firewall who rewrites the destination address to the address of your
server and forwards the packet to that server. When your server responds,
the firewall automatically performs SNAT to rewrite the source address in
the response.</p>
<p align="left">The above process is called<i> Port Forwarding</i> or <i>
Destination Network Address Translation</i> (DNAT). You configure port forwarding
using DNAT rules in the /etc/shorewall/rules file.</p>
Destination Network Address Translation</i> (DNAT). You configure port
forwarding using DNAT rules in the /etc/shorewall/rules file.</p>
<p>The general form of a simple port forwarding rule in /etc/shorewall/rules
is:</p>
@ -482,7 +488,8 @@ is:</p>
<tr>
<td>DNAT</td>
<td>net</td>
<td>dmz:<i>&lt;server local ip address&gt; </i>[:<i>&lt;server port&gt;</i>]</td>
<td>dmz:<i>&lt;server local ip address&gt; </i>[:<i>&lt;server
port&gt;</i>]</td>
<td><i>&lt;protocol&gt;</i></td>
<td><i>&lt;port&gt;</i></td>
<td> </td>
@ -493,8 +500,8 @@ is:</p>
</table>
</blockquote>
<p>If you don't specify the <i>&lt;server port&gt;</i>, it is assumed to
be the same as <i>&lt;port&gt;</i>.</p>
<p>If you don't specify the <i>&lt;server port&gt;</i>, it is assumed to be
the same as <i>&lt;port&gt;</i>.</p>
<p>Example - you run a Web Server on DMZ 2 and you want to forward incoming
TCP port 80 to that system:</p>
@ -538,11 +545,11 @@ be the same as <i>&lt;port&gt;</i>.</p>
<p>A couple of important points to keep in mind:</p>
<ul>
<li>When you are connecting to your server from your local systems, you
must use the server's internal IP address (10.10.11.2).</li>
<li>Many ISPs block incoming connection requests to port 80. If you have
problems connecting to your web server, try the following rule and try
connecting to port 5000 (e.g., connect to <a
<li>When you are connecting to your server from your local systems,
you must use the server's internal IP address (10.10.11.2).</li>
<li>Many ISPs block incoming connection requests to port 80. If you
have problems connecting to your web server, try the following rule and
try connecting to port 5000 (e.g., connect to <a
href="http://w.x.y.z:5000"> http://w.x.y.z:5000</a> where w.x.y.z is your
external IP).</li>
@ -674,17 +681,18 @@ given in "nameserver" records in that file. </p>
<li>
<p align="left"><img border="0" src="images/BD21298_2.gif"
width="13" height="13">
    You can configure a<i> Caching Name Server </i>on your firewall or
in your DMZ.<i> </i>Red Hat has an RPM for a caching name server (which also
requires the 'bind' RPM) and for Bering users, there is dnscache.lrp.
If you take this approach, you configure your internal systems to use
the caching name server as their primary (and only) name server. You use
the internal IP address of the firewall (10.10.10.254 in the example above)
    You can configure a<i> Caching Name Server </i>on your firewall
or in your DMZ.<i> </i>Red Hat has an RPM for a caching name server (which
also requires the 'bind' RPM) and for Bering users, there is dnscache.lrp.
If you take this approach, you configure your internal systems to use the
caching name server as their primary (and only) name server. You use the
internal IP address of the firewall (10.10.10.254 in the example above)
for the name server address if you choose to run the name server on your
firewall. To allow your local systems to talk to your caching name server,
you must open port 53 (both UDP and TCP) from the local network to the
server; you do that by adding the rules in /etc/shorewall/rules. </p>
</li>
</ul>
<blockquote>
@ -984,8 +992,8 @@ on your firewall system:</p>
</div>
<div align="left">
<p align="left">If you don't know what port and protocol a particular
application uses, look <a href="ports.htm">here</a>.</p>
<p align="left">If you don't know what port and protocol a particular application
uses, look <a href="ports.htm">here</a>.</p>
</div>
<div align="left">
@ -1035,8 +1043,19 @@ as required.</p>
</div>
<div align="left">
<p align="left">The <a href="Install.htm">installation procedure </a> configures
your system to start Shorewall at system boot.</p>
<p align="left"> <img border="0" src="images/BD21298_2.gif"
width="13" height="13" alt="Arrow">
    The <a href="Install.htm">installation procedure </a> configures
your system to start Shorewall at system boot  but beginning with Shorewall
version 1.3.9 startup is disabled so that your system won't try to start
Shorewall before configuration is complete. Once you have completed configuration
of your firewall, you can enable Shorewall startup by removing the file /etc/shorewall/startup_disabled.<br>
</p>
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: </font><font
color="#ff0000">Users of the .deb package must edit /etc/default/shorewall
and set 'startup=1'.</font><br>
</p>
</div>
<div align="left">
@ -1070,11 +1089,14 @@ and test it using the <a href="Documentation.htm#Starting">"shorewall
try" command</a>.</p>
</div>
<p align="left"><font size="2">Last updated 9/16/2002 - <a
<p align="left"><font size="2">Last updated 9/26/2002 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas
M. Eastep</font></a></p>
<br>
<br>
<br>
<br>
</body>
</html>

191
Shorewall-docs/two-interface.htm
View File

@ -40,8 +40,8 @@ in its most common configuration:</p>
<ul>
<li>Linux system used as a firewall/router for a small local network.</li>
<li>Single public IP address.</li>
<li>Internet connection through cable modem, DSL, ISDN, Frame Relay, dial-up
...</li>
<li>Internet connection through cable modem, DSL, ISDN, Frame Relay,
dial-up ...</li>
</ul>
@ -54,10 +54,11 @@ in its most common configuration:</p>
<p>This guide assumes that you have the iproute/iproute2 package installed
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell if
this package is installed by the presence of an <b>ip</b> program on your
firewall system. As root, you can use the 'which' command to check for this
program:</p>
firewall system. As root, you can use the 'which' command to check for
this program:</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
<p>I recommend that you first read through the guide to familiarize yourself
with what's involved then go back through it again making your configuration
changes. Points at which configuration changes are recommended are flagged
@ -65,26 +66,26 @@ with <img border="0" src="images/BD21298_.gif" width="13" height="13">
.</p>
<p><img border="0" src="images/j0213519.gif" width="60" height="60">
    If you edit your configuration files on a Windows system, you must save
them as Unix files if your editor supports that option or you must run them
through dos2unix before trying to use them. Similarly, if you copy a configuration
file from your Windows hard drive to a floppy disk, you must run dos2unix
against the copy before using it with Shorewall.</p>
    If you edit your configuration files on a Windows system, you must
save them as Unix files if your editor supports that option or you must
run them through dos2unix before trying to use them. Similarly, if you copy
a configuration file from your Windows hard drive to a floppy disk, you
must run dos2unix against the copy before using it with Shorewall.</p>
<ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
of dos2unix</a></li>
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version
of dos2unix</a></li>
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
Version of dos2unix</a></li>
</ul>
<h2 align="left">Shorewall Concepts</h2>
<p>The configuration files for Shorewall are contained in the directory /etc/shorewall
-- for simple setups, you will only need to deal with a few of these as
described in this guide. After you have <a href="Install.htm">installed
Shorewall</a>, download the <a
<p>The configuration files for Shorewall are contained in the directory
/etc/shorewall -- for simple setups, you will only need to deal with a few
of these as described in this guide. After you have <a
href="Install.htm">installed Shorewall</a>, download the <a
href="/pub/shorewall/LATEST.samples/two-interfaces.tgz">two-interface sample</a>,
un-tar it (tar -zxvf two-interfaces.tgz) and and copy the files to /etc/shorewall
(these files will replace files with the same name).</p>
@ -126,8 +127,9 @@ file.</p>
in terms of zones.</p>
<ul>
<li>You express your default policy for connections from one zone to another
zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy </a>file.</li>
<li>You express your default policy for connections from one zone to
another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
</a>file.</li>
<li>You define exceptions to those default policies in the <a
href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
@ -140,8 +142,8 @@ matches the request is applied. If that policy is REJECT or DROP
request is first checked against the rules in /etc/shorewall/common (the
samples provide that file for you).</p>
<p>The /etc/shorewall/policy file included with the two-interface sample
has the following policies:</p>
<p>The /etc/shorewall/policy file included with the two-interface sample has
the following policies:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -211,17 +213,17 @@ the internet, uncomment that line.</p>
<ol>
<li>allow all connection requests from your local network to the internet</li>
<li>drop (ignore) all connection requests from the internet to your firewall
or local network</li>
<li>optionally accept all connection requests from the firewall to the
internet (if you uncomment the additional policy)</li>
<li>drop (ignore) all connection requests from the internet to your
firewall or local network</li>
<li>optionally accept all connection requests from the firewall to
the internet (if you uncomment the additional policy)</li>
<li>reject all other connection requests.</li>
</ol>
<p><img border="0" src="images/BD21298_.gif" width="13" height="13">
    At this point, edit your /etc/shorewall/policy and make any changes that
you wish.</p>
    At this point, edit your /etc/shorewall/policy and make any changes
that you wish.</p>
<h2 align="left">Network Interfaces</h2>
@ -229,15 +231,15 @@ you wish.</p>
height="635">
</p>
<p align="left">The firewall has two network interfaces. Where Internet connectivity
is through a cable or DSL "Modem", the <i>External Interface</i> will be
the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>) 
<p align="left">The firewall has two network interfaces. Where Internet
connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
will be the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>) 
<u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol
over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling
<u>P</u>rotocol </i>(PPTP) in which case the External Interface will be a
ppp interface (e.g., <b>ppp0</b>). If you connect via a regular modem, your
External Interface will also be <b>ppp0</b>. If you connect via ISDN, your
external interface will be <b>ippp0.</b></p>
<u>P</u>rotocol </i>(PPTP) in which case the External Interface will be
a ppp interface (e.g., <b>ppp0</b>). If you connect via a regular modem,
your External Interface will also be <b>ppp0</b>. If you connect via ISDN,
your external interface will be <b>ippp0.</b></p>
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13">
@ -252,19 +254,19 @@ a <i>cross-over </i> cable).</p>
<p align="left"><u><b> <img border="0" src="images/j0213519.gif"
width="60" height="60">
</b></u>Do not connect the internal and external interface to the same hub
or switch (even for testing). It won't work the way that you think that it
will and you will end up confused and believing that Shorewall doesn't work
at all.</p>
</b></u>Do not connect the internal and external interface to the same
hub or switch (even for testing). It won't work the way that you think that
it will and you will end up confused and believing that Shorewall doesn't
work at all.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" align="left"
width="13" height="13">
    The Shorewall two-interface sample configuration assumes that the external
interface is <b>eth0</b> and the internal interface is <b>eth1</b>. If your
configuration is different, you will have to modify the sample <a
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> file accordingly.
While you are there, you may wish to review the list of options that are
specified for the interfaces. Some hints:</p>
    The Shorewall two-interface sample configuration assumes that the
external interface is <b>eth0</b> and the internal interface is <b>eth1</b>.
If your configuration is different, you will have to modify the sample
<a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> file
accordingly. While you are there, you may wish to review the list of options
that are specified for the interfaces. Some hints:</p>
<ul>
<li>
@ -276,6 +278,7 @@ you can replace the "detect" in the second column with "-". </p>
or if you have a static IP address, you can remove "dhcp" from the option
list. </p>
</li>
</ul>
<h2 align="left">IP Addresses</h2>
@ -284,14 +287,14 @@ list. </p>
Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you a single
<i> Public</i> IP address. This address may be assigned via the<i> Dynamic
Host Configuration Protocol</i> (DHCP) or as part of establishing your connection
when you dial in (standard modem) or establish your PPP connection. In rare
cases, your ISP may assign you a<i> static</i> IP address; that means that
you configure your firewall's external interface to use that address permanently.<i>
</i>However your external address is assigned, it will be shared by all of
your systems when you access the Internet. You will have to assign your
own addresses in your internal network (the Internal Interface on your firewall
plus your other computers). RFC 1918 reserves several <i>Private </i>IP
address ranges for this purpose:</p>
when you dial in (standard modem) or establish your PPP connection. In
rare cases, your ISP may assign you a<i> static</i> IP address; that means
that you configure your firewall's external interface to use that address
permanently.<i> </i>However your external address is assigned, it will be
shared by all of your systems when you access the Internet. You will have
to assign your own addresses in your internal network (the Internal Interface
on your firewall plus your other computers). RFC 1918 reserves several
<i>Private </i>IP address ranges for this purpose:</p>
<div align="left">
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
@ -300,9 +303,10 @@ address ranges for this purpose:</p>
<div align="left">
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13">
    Before starting Shorewall, you should look at the IP address of your
external interface and if it is one of the above ranges, you should remove
the 'norfc1918' option from the external interface's entry in /etc/shorewall/interfaces.</p>
    Before starting Shorewall, you should look at the IP address of
your external interface and if it is one of the above ranges, you should
remove the 'norfc1918' option from the external interface's entry in
/etc/shorewall/interfaces.</p>
</div>
<div align="left">
@ -312,7 +316,7 @@ the 'norfc1918' option from the external interface's entry in /etc/shorewa
will have a <i>Subnet Mask </i>of 255.255.255.0. The address x.y.z.0 is
reserved as the <i>Subnet Address</i> and x.y.z.255 is reserved as the
<i>Subnet Broadcast</i> <i>Address</i>. In Shorewall, a subnet is described
using <a href="subnet_masks.htm"> <i>Variable-Length Subnet Mask </i>(VLSM)
using <a href="subnet_masks.htm"><i>Classless InterDomain Routing </i>(CIDR)
notation</a> with consists of the subnet address followed by "/24". The
"24" refers to the number of consecutive leading "1" bits from the left
of the subnet mask. </p>
@ -340,7 +344,7 @@ of the subnet mask. </p>
<td>10.10.10.255</td>
</tr>
<tr>
<td><b>VLSM Notation:</b></td>
<td><b>CIDR Notation:</b></td>
<td>10.10.10.0/24</td>
</tr>
@ -358,8 +362,8 @@ or the last usable address (10.10.10.254).</p>
<div align="left">
<p align="left">One of the purposes of subnetting is to allow all computers
in the subnet to understand which other computers can be communicated
with directly. To communicate with systems outside of the subnetwork,
systems send packets through a<i>  gateway</i>  (router).</p>
with directly. To communicate with systems outside of the subnetwork, systems
send packets through a<i>  gateway</i>  (router).</p>
</div>
<div align="left">
@ -402,10 +406,10 @@ can't address its response to computer 1). When the firewall receives a
return packet, it rewrites the destination address back to 10.10.10.1 and
forwards the packet on to computer 1. </p>
<p align="left">On Linux systems, the above process is often referred to
as<i> IP Masquerading</i> but you will also see the term <i>Source Network
Address Translation </i>(SNAT) used. Shorewall follows the convention used
with Netfilter:</p>
<p align="left">On Linux systems, the above process is often referred to as<i>
IP Masquerading</i> but you will also see the term <i>Source Network Address
Translation </i>(SNAT) used. Shorewall follows the convention used with
Netfilter:</p>
<ul>
<li>
@ -418,6 +422,7 @@ with Netfilter:</p>
the source address that you want outbound packets from your local network
to use. </p>
</li>
</ul>
<p align="left">In Shorewall, both Masquerading and SNAT are configured with
@ -450,8 +455,8 @@ the firewall automatically performs SNAT to rewrite the source address in
the response.</p>
<p align="left">The above process is called<i> Port Forwarding</i> or <i>
Destination Network Address Translation</i> (DNAT). You configure port forwarding
using DNAT rules in the /etc/shorewall/rules file.</p>
Destination Network Address Translation</i> (DNAT). You configure port
forwarding using DNAT rules in the /etc/shorewall/rules file.</p>
<p>The general form of a simple port forwarding rule in /etc/shorewall/rules
is:</p>
@ -472,7 +477,8 @@ is:</p>
<tr>
<td>DNAT</td>
<td>net</td>
<td>loc:<i>&lt;server local ip address&gt; </i>[:<i>&lt;server port&gt;</i>]</td>
<td>loc:<i>&lt;server local ip address&gt; </i>[:<i>&lt;server
port&gt;</i>]</td>
<td><i>&lt;protocol&gt;</i></td>
<td><i>&lt;port&gt;</i></td>
<td> </td>
@ -516,14 +522,14 @@ is:</p>
<p>A couple of important points to keep in mind:</p>
<ul>
<li>You must test the above rule from a client outside of your local network
(i.e., don't test from a browser running on computers 1 or 2 or on the
firewall). If you want to be able to access your web server using the
IP address of your external interface, see <a href="FAQ.htm#faq2">Shorewall
FAQ #2</a>.</li>
<li>Many ISPs block incoming connection requests to port 80. If you have
problems connecting to your web server, try the following rule and try
connecting to port 5000.</li>
<li>You must test the above rule from a client outside of your local
network (i.e., don't test from a browser running on computers 1 or 2
or on the firewall). If you want to be able to access your web server
using the IP address of your external interface, see <a
href="FAQ.htm#faq2">Shorewall FAQ #2</a>.</li>
<li>Many ISPs block incoming connection requests to port 80. If you
have problems connecting to your web server, try the following rule and
try connecting to port 5000.</li>
</ul>
@ -555,8 +561,8 @@ FAQ #2</a>.</li>
</blockquote>
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13">
    At this point, modify /etc/shorewall/rules to add any DNAT rules that
you require.</p>
    At this point, modify /etc/shorewall/rules to add any DNAT rules
that you require.</p>
<h2 align="left">Domain Name Server (DNS)</h2>
@ -592,6 +598,7 @@ this approach, you configure your internal systems to use the firewall
to the firewall; you do that by adding the following rules in /etc/shorewall/rules.
</p>
</li>
</ul>
<blockquote>
@ -803,8 +810,8 @@ and connect to that server from your local systems.</p>
</div>
<div align="left">
<p align="left">If you don't know what port and protocol a particular
application uses, look <a href="ports.htm">here</a>.</p>
<p align="left">If you don't know what port and protocol a particular application
uses, look <a href="ports.htm">here</a>.</p>
</div>
<div align="left">
@ -845,8 +852,8 @@ shell access to your firewall from the internet, use SSH:</p>
<div align="left">
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13">
    Now edit your /etc/shorewall/rules file to add or delete other connections
as required.</p>
    Now edit your /etc/shorewall/rules file to add or delete other
connections as required.</p>
</div>
<div align="left">
@ -854,8 +861,19 @@ as required.</p>
</div>
<div align="left">
<p align="left">The <a href="Install.htm">installation procedure </a> configures
your system to start Shorewall at system boot.</p>
<p align="left"> <img border="0" src="images/BD21298_2.gif"
width="13" height="13" alt="Arrow">
    The <a href="Install.htm">installation procedure </a> configures
your system to start Shorewall at system boot  but beginning with Shorewall
version 1.3.9 startup is disabled so that your system won't try to start
Shorewall before configuration is complete. Once you have completed configuration
of your firewall, you can enable Shorewall startup by removing the file /etc/shorewall/startup_disabled.<br>
</p>
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: </font><font
color="#ff0000">Users of the .deb package must edit /etc/default/shorewall
and set 'startup=1'.</font><br>
</p>
</div>
<div align="left">
@ -871,10 +889,10 @@ If you want to totally remove any trace of Shorewall from your Netfilter
<div align="left">
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13">
    The two-interface sample assumes that you want to enable routing to/from
<b>eth1 </b>(the local network) when Shorewall is stopped. If your local
network isn't connected to <b>eth1</b> or if you wish to enable access
to/from other hosts, change /etc/shorewall/routestopped accordingly.</p>
    The two-interface sample assumes that you want to enable routing
to/from <b>eth1 </b>(the local network) when Shorewall is stopped. If
your local network isn't connected to <b>eth1</b> or if you wish to enable
access to/from other hosts, change /etc/shorewall/routestopped accordingly.</p>
</div>
<div align="left">
@ -888,11 +906,14 @@ and test it using the <a href="Documentation.htm#Starting">"shorewall
try" command</a>.</p>
</div>
<p align="left"><font size="2">Last updated 9/16/2002 - <a
<p align="left"><font size="2">Last updated 9/26/2002 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas
M. Eastep</font></a></p>
<br>
<br>
<br>
<br>
</body>
</html>

142
Shorewall-docs/upgrade_issues.htm
View File

@ -2,43 +2,55 @@
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Upgrade Issues</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Upgrade Issues</font></h1>
<h1 align="center"><font color="#ffffff">Upgrade Issues</font></h1>
</td>
</tr>
</tbody>
</table>
<p>For upgrade instructions see the
<a href="Install.htm">Install/Upgrade page</a>.</p>
<p>For upgrade instructions see the <a
href="Install.htm">Install/Upgrade page</a>.</p>
<h3>Version &gt;= 1.3.8</h3>
<p>If you have a pair of firewall systems configured for failover
or if you have asymmetric routing, you will need to modify
your firewall setup slightly under Shorewall
versions &gt;= 1.3.8. Beginning with version 1.3.7,
you must set NEWNOTSYN=Yes in your
/etc/shorewall/shorewall.conf file.</p>
<h3>Version &gt;= 1.3.7</h3>
<p>Users specifying ALLOWRELATED=No in
/etc/shorewall.conf will need to include the
following rules in their /etc/shorewall/icmpdef
file (creating this file if necessary):</p>
<p>Users specifying ALLOWRELATED=No in /etc/shorewall.conf
will need to include the following rules in
their /etc/shorewall/icmpdef file (creating
this file if necessary):</p>
<pre> run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT</pre>
<p>Users having an /etc/shorewall/icmpdef file may remove the ". /etc/shorewall/icmp.def"
command from that file since the icmp.def file is now empty.</p>
<pre> run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT</pre>
<p>Users having an /etc/shorewall/icmpdef file may remove the &quot;.
/etc/shorewall/icmp.def&quot; command from that file since the icmp.def file is now
empty.</p>
<h3><b><a name="Bering">Upgrading </a>Bering to
Shorewall &gt;= 1.3.3</b></h3>
@ -46,100 +58,108 @@
1.3.3 and later:</p>
<ol>
<li>Be sure you have a backup -- you will need
to transcribe any Shorewall configuration
<li>Be sure you have a backup -- you will
need to transcribe any Shorewall configuration
changes that you have made to the new
configuration.</li>
<li>Replace the shorwall.lrp package provided on
the Bering floppy with the later one. If you did
not obtain the later version from Jacques's
site, see additional instructions below.</li>
<li>Replace the shorwall.lrp package provided
on the Bering floppy with the later one.
If you did not obtain the later version from
Jacques's site, see additional instructions
below.</li>
<li>Edit the /var/lib/lrpkg/root.exclude.list
file and remove the /var/lib/shorewall entry if
present. Then do not forget to backup root.lrp !</li>
file and remove the /var/lib/shorewall entry
if present. Then do not forget to backup
root.lrp !</li>
</ol>
<p>The .lrp that I release isn't set up for a two-interface firewall like
Jacques's. You need to follow the <a href="two-interface.htm">instructions for
setting up a two-interface firewall</a> plus you also need to add the following
two Bering-specific rules to /etc/shorewall/rules:</p>
Jacques's. You need to follow the <a href="two-interface.htm">instructions
for setting up a two-interface firewall</a> plus you also need to add the
following two Bering-specific rules to /etc/shorewall/rules:</p>
<blockquote>
<pre># Bering specific rules:
# allow loc to fw udp/53 for dnscache to work
# allow loc to fw tcp/80 for weblet to work
#
ACCEPT loc fw udp 53
ACCEPT loc fw tcp 80</pre>
<pre># Bering specific rules:<br># allow loc to fw udp/53 for dnscache to work<br># allow loc to fw tcp/80 for weblet to work<br>#<br>ACCEPT loc fw udp 53<br>ACCEPT loc fw tcp 80</pre>
</blockquote>
<h3 align="Left">Version &gt;= 1.3.6</h3>
<h3 align="left">Version 1.3.6 and 1.3.7</h3>
<p align="Left">If you have a pair of firewall systems configured for
failover, you will need to modify your firewall setup slightly under
Shorewall versions &gt;= 1.3.6. </p>
<p align="left">If you have a pair of firewall systems configured for
failover or if you have asymmetric routing, you will need to modify
your firewall setup slightly under Shorewall versions 1.3.6 and
1.3.7</p>
<ol>
<li>
<p align="Left">Create the file /etc/shorewall/newnotsyn and in it add
<p align="left">Create the file /etc/shorewall/newnotsyn and in it add
the following rule<br>
<br>
<font face="Courier">run_iptables -A newnotsyn -j RETURN # So that the
connection tracking table can be rebuilt<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
# from non-SYN packets after takeover.<br>
&nbsp;</font></li>
<font face="Courier">run_iptables -A newnotsyn -j RETURN # So
that the connection tracking table can be rebuilt<br>
                                    # from non-SYN packets after
takeover.<br>
 </font> </p>
</li>
<li>
<p align="Left">Create /etc/shorewall/common (if you don't already
<p align="left">Create /etc/shorewall/common (if you don't already
have that file) and include the following:<br>
<br>
<font face="Courier">run_iptables -A common -p tcp --tcp-flags
ACK,FIN,RST ACK -j ACCEPT #Accept Acks to rebuild connection<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
                                                                   
#tracking table. <br>
. /etc/shorewall/common.def</font></li>
. /etc/shorewall/common.def</font> </p>
</li>
</ol>
<h3 align="Left">Versions &gt;= 1.3.5</h3>
<h3 align="left">Versions &gt;= 1.3.5</h3>
<p align="Left">Some forms of pre-1.3.0 rules file syntax are no
<p align="left">Some forms of pre-1.3.0 rules file syntax are no
longer supported. </p>
<p align="Left">Example 1:</p>
<p align="left">Example 1:</p>
<div align="left">
<pre> ACCEPT net loc:192.168.1.12:22 tcp 11111 - all</pre>
</div>
<p align="Left">Must be replaced with:</p>
<p align="left">Must be replaced with:</p>
<div align="left">
<pre> DNAT net loc:192.168.1.12:22 tcp 11111</pre>
</div>
<div align="left">
<p align="left">Example 2:</div>
<p align="left">Example 2:</p>
</div>
<div align="left">
<pre> ACCEPT loc fw::3128 tcp 80 - all</pre>
</div>
<div align="left">
<p align="left">Must be replaced with:</div>
<p align="left">Must be replaced with:</p>
</div>
<div align="left">
<pre> REDIRECT loc 3128 tcp 80</pre>
</div>
<h3 align="Left">Version &gt;= 1.3.2</h3>
<h3 align="left">Version &gt;= 1.3.2</h3>
<p align="Left">The functions and versions files together with the
<p align="left">The functions and versions files together with the
'firewall' symbolic link have moved from /etc/shorewall to /var/lib/shorewall.
If you have applications that access these files, those applications
should be modified accordingly.</p>
<p><font size="2">
Last updated 9/13/2002 -
<p><font size="2"> Last updated 9/28/2002 -
<a href="support.htm">Tom Eastep</a></font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
</body>
</html>