Shorewall 1.4.6 Beta2

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@649 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2003-07-07 14:18:52 +00:00
parent cf62edd5ca
commit 184390708e
17 changed files with 11188 additions and 10565 deletions

File diff suppressed because it is too large

File diff suppressed because it is too large


@ -16,71 +16,71 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Static NAT</font></h1> <h1 align="center"><font color="#ffffff">Static NAT</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p><font color="#ff0000"><b>IMPORTANT: If all you want to do is forward <p><font color="#ff0000"><b>IMPORTANT: If all you want to do is forward
ports to servers behind your firewall, you do NOT want to use static ports to servers behind your firewall, you do NOT want to use static
NAT. Port forwarding can be accomplished with simple entries in the NAT. Port forwarding can be accomplished with simple entries in the
<a href="Documentation.htm#Rules">rules file</a>.</b></font></p> <a href="Documentation.htm#Rules">rules file</a>.</b></font></p>
<p>Static NAT is a way to make systems behind a firewall and configured <p>Static NAT is a way to make systems behind a firewall and configured
with private IP addresses (those reserved for private use in RFC1918) with private IP addresses (those reserved for private use in RFC1918)
appear to have public IP addresses. Before you try to use this technique, appear to have public IP addresses. Before you try to use this technique,
I strongly recommend that you read the <a I strongly recommend that you read the <a
href="shorewall_setup_guide.htm">Shorewall Setup Guide.</a></p> href="shorewall_setup_guide.htm">Shorewall Setup Guide.</a></p>
<p>The following figure represents a static NAT environment.</p> <p>The following figure represents a static NAT environment.</p>
<p align="center"><strong> <img src="images/staticnat.png" <p align="center"><strong> <img src="images/staticnat.png"
width="435" height="397"> width="435" height="397">
</strong></p> </strong></p>
<blockquote> </blockquote> <blockquote> </blockquote>
<p align="left">Static NAT can be used to make the systems with the 10.1.1.* <p align="left">Static NAT can be used to make the systems with the 10.1.1.*
addresses appear to be on the upper (130.252.100.*) subnet. If we assume addresses appear to be on the upper (130.252.100.*) subnet. If we assume
that the interface to the upper subnet is eth0, then the following /etc/shorewall/NAT that the interface to the upper subnet is eth0, then the following /etc/shorewall/NAT
file would make the lower left-hand system appear to have IP address file would make the lower left-hand system appear to have IP address 130.252.100.18
130.252.100.18 and the right-hand one to have IP address 130.252.100.19.</p> and the right-hand one to have IP address 130.252.100.19.</p>
<table border="2" cellpadding="2" style="border-collapse: collapse;"> <table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody> <tbody>
<tr>
<td><b>EXTERNAL</b></td>
<td><b>INTERFACE</b></td>
<td><b>INTERNAL</b></td>
<td><b>ALL INTERFACES</b></td>
<td><b>LOCAL</b></td>
</tr>
<tr> <tr>
<td>130.252.100.18</td> <td><b>EXTERNAL</b></td>
<td>eth0</td> <td><b>INTERFACE</b></td>
<td>10.1.1.2</td> <td><b>INTERNAL</b></td>
<td>yes</td> <td><b>ALL INTERFACES</b></td>
<td>yes</td> <td><b>LOCAL</b></td>
</tr> </tr>
<tr> <tr>
<td>130.252.100.19</td> <td>130.252.100.18</td>
<td>eth0</td> <td>eth0</td>
<td>10.1.1.3</td> <td>10.1.1.2</td>
<td>yes</td> <td>yes</td>
<td>yes</td> <td>yes</td>
</tr> </tr>
<tr>
<td>130.252.100.19</td>
<td>eth0</td>
<td>10.1.1.3</td>
<td>yes</td>
<td>yes</td>
</tr>
</tbody> </tbody>
</table> </table>
<p>Be sure that the internal system(s) (10.1.1.2 and 10.1.1.3 in the above <p>Be sure that the internal system(s) (10.1.1.2 and 10.1.1.3 in the above
example) is (are) not included in any specification in /etc/shorewall/masq example) is (are) not included in any specification in /etc/shorewall/masq
or /etc/shorewall/proxyarp.</p> or /etc/shorewall/proxyarp.</p>
<p><a name="AllInterFaces"></a>Note 1: The "ALL INTERFACES" column is used <p><a name="AllInterFaces"></a>Note 1: The "ALL INTERFACES" column is used
to specify whether access to the external IP from all firewall interfaces to specify whether access to the external IP from all firewall interfaces
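Review bot: The NAT example table (the EXTERNAL/INTERFACE/INTERNAL/ALL INTERFACES/LOCAL header row and the two rows for 130.252.100.18/10.1.1.2 and 130.252.100.19/10.1.1.3) is only re-indented in this hunk, with no change to any value, so most of the hunk is whitespace churn that hides the real edits. While the block is being touched, two small cleanups would help: the empty "<blockquote> </blockquote>" directly under the figure serves no purpose and can go, and the sentence-ending period sits inside the link text in "Shorewall Setup Guide.</a>" and should move outside the anchor.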
@ -89,29 +89,29 @@ the INTERFACE column should undergo NAT. If you leave this column empty,
"Yes" is assumed. The ALL INTERFACES column was added in version 1.1.6.</p> "Yes" is assumed. The ALL INTERFACES column was added in version 1.1.6.</p>
<p>Note 2: Shorewall will automatically add the external address to the <p>Note 2: Shorewall will automatically add the external address to the
specified interface unless you specify <a specified interface unless you specify <a
href="Documentation.htm#Aliases">ADD_IP_ALIASES</a>="no" (or "No") in href="Documentation.htm#Aliases">ADD_IP_ALIASES</a>="no" (or "No") in
/etc/shorewall/shorewall.conf; If you do not set ADD_IP_ALIASES or if /etc/shorewall/shorewall.conf; If you do not set ADD_IP_ALIASES or if
you set it to "Yes" or "yes" then you must NOT configure your own alias(es). you set it to "Yes" or "yes" then you must NOT configure your own alias(es).
<b>RESTRICTION: </b>Shorewall can only add external addresses to an interface <b>RESTRICTION: </b>Shorewall versions earlier than 1.4.6 can only add
that is configured with a single subnetwork -- if your external interface external addresses to an interface that is configured with a single subnetwork
has addresses in more than one subnetwork, Shorewall can only add addresses -- if your external interface has addresses in more than one subnetwork,
to the first one.</p> Shorewall 1.4.5 and earlier can only add addresses to the first one.</p>
<p><a name="LocalPackets"></a>Note 3: The contents of the "LOCAL" column <p><a name="LocalPackets"></a>Note 3: The contents of the "LOCAL" column
determine whether packets originating on the firewall itself and destined determine whether packets originating on the firewall itself and destined
for the EXTERNAL address are redirected to the internal ADDRESS. If this for the EXTERNAL address are redirected to the internal ADDRESS. If
column contains "yes" or "Yes" (and the ALL INTERFACES COLUMN also contains this column contains "yes" or "Yes" (and the ALL INTERFACES COLUMN also
"Yes" or "yes") then such packets are redirected; otherwise, such packets contains "Yes" or "yes") then such packets are redirected; otherwise,
are not redirected. The LOCAL column was added in version 1.1.8.</p> such packets are not redirected. The LOCAL column was added in version
</blockquote> 1.1.8.</p>
</blockquote>
<blockquote> </blockquote> <blockquote> </blockquote>
<p><font size="2">Last updated 4/11/2003 - </font><font size="2"> <a <p><font size="2">Last updated 7/6/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p> href="support.htm">Tom Eastep</a></font> </p>
<a href="copyright.htm"><font size="2">Copyright</font> © <font <a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
<br>
</body> </body>
</html> </html>
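Review bot: The reworded RESTRICTION in Note 2 uses two different phrasings for the same version range in one sentence ("Shorewall versions earlier than 1.4.6" and "Shorewall 1.4.5 and earlier"); pick one. Since this release lifts that restriction, the bold RESTRICTION label now describes historical behaviour, and a lead such as "Prior to 1.4.6, ..." would make that clear to a reader on a current version. Note 3 refers to "the internal ADDRESS" while the table column it describes is named INTERNAL; the two names should agree so readers can map the note to the column. Minor: the "Last updated" line here is set to 7/6/2003 while the index page hunk later in this commit is dated 7/7/2003.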

File diff suppressed because it is too large

Binary file not shown.


@ -9,7 +9,7 @@
<title>Shoreline Firewall (Shorewall) 1.4</title> <title>Shoreline Firewall (Shorewall) 1.4</title>
<base target="_self"> <base target="_self">
</head> </head>
<body> <body>
@ -18,32 +18,33 @@
style="border-collapse: collapse;" width="100%" id="AutoNumber3" style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td width="33%" height="90" valign="middle" <td width="33%" height="90" valign="middle"
align="left"><a href="http://www.cityofshoreline.com"><img align="left"><a href="http://www.cityofshoreline.com"><img
src="images/washington.jpg" alt="" width="97" height="80" hspace="4" src="images/washington.jpg" alt="" width="97" height="80" hspace="4"
border="0"> border="0">
</a></td> </a></td>
<td valign="middle" width="34%" align="center"> <td valign="middle" width="34%" align="center">
<h1><font color="#ffffff">Shorewall 1.4</font><i><font <h1><font color="#ffffff">Shorewall 1.4</font><i><font
color="#ffffff"> <small><small><small>"iptables made easy"</small></small></small></font></i></h1> color="#ffffff"> <small><small><small>"iptables made easy"</small></small></small></font></i></h1>
</td> </td>
<td valign="middle"> <td valign="middle">
<h1 align="center"><a href="http://www.shorewall.net" <h1 align="center"><a href="http://www.shorewall.net"
target="_top"><img border="0" src="images/shorewall.jpg" width="119" target="_top"><img border="0" src="images/shorewall.jpg" width="119"
height="38" hspace="4" alt="(Shorewall Logo)" align="right" vspace="4"> height="38" hspace="4" alt="(Shorewall Logo)" align="right" vspace="4">
</a></h1> </a></h1>
<br> <br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
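Review bot: This hunk shows no visible textual difference between the two sides (the header table markup, image tags and "iptables made easy" heading are identical), so it is whitespace or line-ending churn; the -9,7 hunk above it and the -55,11 hunk below it look the same. Splitting whitespace-only reindents into their own commit would keep the documentation changes in this commit reviewable.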
@ -55,11 +56,11 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"> style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody> <tbody>
<tr> <tr>
<td width="90%"> <td width="90%">
@ -70,38 +71,38 @@
<p>The Shoreline Firewall, more commonly known as "Shorewall", is a <p>The Shoreline Firewall, more commonly known as "Shorewall", is
<a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
that can be used on a dedicated firewall system, a multi-function firewall that can be used on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system.</p> gateway/router/server or on a standalone GNU/Linux system.</p>
<p>This program is free software; you can redistribute it and/or modify <p>This program is free software; you can redistribute it and/or modify
it
under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
General Public License</a> as published by the Free Software
Foundation.<br>
<br> it under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the
GNU General Public License</a> as published by the Free Software
Foundation.<br>
This program is distributed in the <br>
hope that it will be useful, but WITHOUT
ANY WARRANTY; without even the implied
warranty of MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE. See the GNU General
Public License for more details.<br>
<br> This program is distributed in
the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the
implied warranty of MERCHANTABILITY or
FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.<br>
You should have received a copy of <br>
the GNU General Public License
along with this program; if not, write to You should have received a copy
the Free Software Foundation, Inc., of the GNU General Public License
675 Mass Ave, Cambridge, MA 02139, USA</p> along with this program; if not, write
to the Free Software Foundation,
Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
@ -117,20 +118,22 @@ General Public License</a> as published by the Free Software
<h2>Running Shorewall on Mandrake with a two-interface setup?</h2> <h2>Getting Started with Shorewall</h2>
If so, the documentation<b> </b>on this site will not apply New to Shorewall? Start by selecting the <a
directly to your setup. If you want to use the documentation that you
find here, you will want to consider uninstalling what you have and installing
a setup that matches the documentation on this site. See the <a
href="two-interface.htm">Two-interface QuickStart Guide</a> for details.<br>
<h2> Getting Started with Shorewall</h2>
New to Shorewall? Start by selecting the <a
href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most closely href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most closely
match your environment and follow the step by step instructions.<br> match your environment and follow the step by step instructions.<br>
<h2>Looking for Information?</h2>
The <a href="shorewall_quickstart_guide.htm#Documentation">Documentation
Index</a> is a good place to start as is the Quick Search to your right.
<h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
If so, the documentation<b> </b>on this site will not
apply directly to your setup. If you want to use the documentation
that you find here, you will want to consider uninstalling what you have
and installing a setup that matches the documentation on this site.
See the <a href="two-interface.htm">Two-interface QuickStart Guide</a>
for details.<br>
<h2>News</h2> <h2>News</h2>
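Review bot: The new "Looking for Information?" section says "the Quick Search to your right", which ties the text to the current table layout and breaks silently if the search cell moves; "the Quick Search box on this page" would survive a layout change. In the same hunk, "selecting the QuickStart Guide that most closely match your environment" should read "matches", and the stray empty "<b> </b>" inside "the documentation<b> </b>on this site" in the moved Mandrake paragraph can be dropped now that the paragraph is being rewritten anyway.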
@ -138,152 +141,230 @@ General Public License</a> as published by the Free Software
<p><b>7/4/2003 - Shorewall-1.4.6 Beta 1</b><b> </b><b><img <p><b></b></p>
border="0" src="images/new10.gif" width="28" height="12" alt="(New)"> <ol>
<br>
</b></p>
<blockquote><a href="http://shorewall.net/pub/shorewall/testing">http://shorewall.net/pub/shorewall/testing</a><br> </ol>
<a href="ftp://shorewall.net/pub/shorewall/testing"
target="_top">ftp://shorewall.net/pub/shorewall/testing</a><br>
</blockquote>
<p><b>7/7/2003 - Shorewall-1.4.6 Beta 2</b><b> <img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
<br>
</b></p>
<p><b>Problems Corrected:</b><br> <p><b>Problems Corrected:</b><br>
</p> </p>
<ol> <ol>
<li>A problem seen on RH7.3 systems where Shorewall encountered <li>A problem seen on RH7.3 systems where Shorewall encountered start
start errors when started using the "service" mechanism has been worked around.<br> errors when started using the "service" mechanism has been worked around.<br>
<br> <br>
</li> </li>
<li>Previously, where a list of IP addresses appears in the DEST <li>Where a list of IP addresses appears in the DEST column of a
column of a DNAT[-] rule, Shorewall incorrectly created multiple DNAT rules DNAT[-] rule, Shorewall incorrectly created multiple DNAT rules in the nat
in the nat table (one for each element in the list). Shorewall now correctly table (one for each element in the list). Shorewall now correctly creates
creates a single DNAT rule with multiple "--to-destination" clauses.<br> a single DNAT rule with multiple "--to-destination" clauses.<br>
</li> <br>
</li>
<li>Corrected a problem in Beta 1 where DNS names containing a "-"
were mis-handled when they appeared in the DEST column of a rule.<br>
</li>
</ol>
<p><b>Migration Issues:</b><br>
</p>
<ol>
<li>In earlier versions, an undocumented feature allowed entries
in the host file as follows:<br>
<br>
    z    eth1:192.168.1.0/24,eth2:192.168.2.0/24<br>
<br>
This capability was never documented and has been removed in 1.4.6 to allow
entries of the following format:<br>
<br>
    z   eth1:192.168.1.0/24,192.168.2.0/24<br>
<br>
</li>
<li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options have been
removed from /etc/shorewall/shorewall.conf. These capabilities are now automatically
detected by Shorewall (see below).<br>
</li>
</ol> </ol>
<p><b>New Features:</b><br> <p><b>New Features:</b><br>
</p> </p>
<ol> <ol>
<li>A 'newnotsyn' interface option has been added. This option <li>A 'newnotsyn' interface option has been added. This option may
may be specified in /etc/shorewall/interfaces and overrides the setting be specified in /etc/shorewall/interfaces and overrides the setting NEWNOTSYN=No
NEWNOTSYN=No for packets arriving on the associated interface.<br> for packets arriving on the associated interface.<br>
<br> <br>
</li> </li>
<li>The means for specifying a range of IP addresses in /etc/shorewall/masq <li>The means for specifying a range of IP addresses in /etc/shorewall/masq
to use for SNAT is now documented. ADD_SNAT_ALIASES=Yes is enabled for address to use for SNAT is now documented. ADD_SNAT_ALIASES=Yes is enabled for address
ranges.<br> ranges.<br>
<br> <br>
</li> </li>
<li>Shorewall can now add IP addresses to subnets other than the <li>Shorewall can now add IP addresses to subnets other than the
first one on an interface.<br> first one on an interface.<br>
<br> <br>
</li> </li>
<li>DNAT[-] rules may now be used to load balance (round-robin) <li>DNAT[-] rules may now be used to load balance (round-robin) over
over a set of servers. Up to 256 servers may be specified in a range of addresses a set of servers. Servers may be specified in a range of addresses given
given as &lt;first address&gt;-&lt;last address&gt;.<br> as &lt;first address&gt;-&lt;last address&gt;.<br>
<br> <br>
Example:<br> Example:<br>
<br> <br>
    DNAT net loc:192.168.10.2-192.168.10.5 tcp 80<br>     DNAT net loc:192.168.10.2-192.168.10.5 tcp 80<br>
<br> <br>
Note that this capability has previously been available using a combination </li>
of a DNAT- rule and one or more ACCEPT rules. That technique is still preferable <li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration options
for load-balancing over a large number of servers (&gt; 16) since specifying have been removed and have been replaced by code that detects whether these
a range in the DNAT rule causes one filter table ACCEPT rule to be generated capabilities are present in the current kernel. The output of the start,
for each IP address in the range.<br> restart and check commands have been enhanced to report the outcome:<br>
<br> <br>
</li> Shorewall has detected the following iptables/netfilter capabilities:<br>
<li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration    NAT: Available<br>
options have been removed and have been replaced by code that detects whether    Packet Mangling: Available<br>
these capabilities are present in the current kernel. The output of the start,    Multi-port Match: Available<br>
restart and check commands have been enhanced to report the outcome:<br> Verifying Configuration...<br>
<br> <br>
Shorewall has detected the following iptables/netfilter capabilities:<br> </li>
   NAT: Available<br> <li>Support for the Connection Tracking Match Extension has been
   Packet Mangling: Available<br> added. This extension is available in recent kernel/iptables releases and
   Multi-port Match: Available<br> allows for rules which match against elements in netfilter's connection
Verifying Configuration...<br>
<br>
</li>
<li>Support for the Connection Tracking Match Extension has been
added. This extension is available in recent kernel/iptables releases and
allows for rules which match against elements in netfilter's connection
tracking table. Shorewall automatically detects the availability of this tracking table. Shorewall automatically detects the availability of this
extension and reports its availability in the output of the start, restart extension and reports its availability in the output of the start, restart
and check commands.<br> and check commands.<br>
<br> <br>
Shorewall has detected the following iptables/netfilter capabilities:<br> Shorewall has detected the following iptables/netfilter capabilities:<br>
   NAT: Available<br>    NAT: Available<br>
   Packet Mangling: Available<br>    Packet Mangling: Available<br>
   Multi-port Match: Available<br>    Multi-port Match: Available<br>
   Connection Tracking Match: Available<br>    Connection Tracking Match: Available<br>
   Verifying Configuration...<br> Verifying Configuration...<br>
<br> <br>
If this extension is available, the ruleset generated by Shorewall is If this extension is available, the ruleset generated by Shorewall is changed
changed in the following ways:</li> in the following ways:</li>
<ul> <ul>
<li>To handle 'norfc1918' filtering, Shorewall will not create <li>To handle 'norfc1918' filtering, Shorewall will not create
chains in the mangle table but will rather do all 'norfc1918' filtering chains in the mangle table but will rather do all 'norfc1918' filtering
in the filter table (rfc1918 chain).</li> in the filter table (rfc1918 chain).</li>
<li>Recall that Shorewall DNAT rules generate two netfilter rules; <li>Recall that Shorewall DNAT rules generate two netfilter rules;
one in the nat table and one in the filter table. If the Connection Tracking one in the nat table and one in the filter table. If the Connection Tracking
Match Extension is available, the rule in the filter table is extended to Match Extension is available, the rule in the filter table is extended to
check that the original destination address was the same as specified (or check that the original destination address was the same as specified (or
defaulted to) in the DNAT rule.<br> defaulted to) in the DNAT rule.<br>
<br> <br>
</li> </li>
</ul> </ul>
<li>The shell used to interpret the firewall script (/usr/share/shorewall/firewall) <li>The shell used to interpret the firewall script (/usr/share/shorewall/firewall)
may now be specified using the SHOREWALL_SHELL parameter in shorewall.conf.</li> may now be specified using the SHOREWALL_SHELL parameter in shorewall.conf.<br>
<br>
</li>
<li>An 'ipcalc' command has been added to /sbin/shorewall.<br>
<br>
      ipcalc [ &lt;address&gt; &lt;netmask&gt; | &lt;address&gt;/&lt;vlsm&gt;
]<br>
<br>
Examples:<br>
<br>
      [root@wookie root]# shorewall ipcalc 192.168.1.0/24<br>
         CIDR=192.168.1.0/24<br>
         NETMASK=255.255.255.0<br>
         NETWORK=192.168.1.0<br>
         BROADCAST=192.168.1.255<br>
      [root@wookie root]#<br>
<br>
      [root@wookie root]# shorewall ipcalc 192.168.1.0 255.255.255.0<br>
         CIDR=192.168.1.0/24<br>
         NETMASK=255.255.255.0<br>
         NETWORK=192.168.1.0<br>
         BROADCAST=192.168.1.255<br>
      [root@wookie root]#<br>
<br>
Warning:<br>
<br>
If your shell only supports 32-bit signed arithmatic (ash or dash), then
the ipcalc command produces incorrect information for IP addresses 128.0.0.0-1
and for /1 networks. Bash should produce correct information for all valid
IP addresses.<br>
<br>
</li>
<li>An 'iprange' command has been added to /sbin/shorewall. <br>
<br>
      iprange &lt;address&gt;-&lt;address&gt;<br>
<br>
This command decomposes a range of IP addressses into a list of network
and host addresses. The command can be useful if you need to construct an
efficient set of rules that accept connections from a range of network addresses.<br>
<br>
Note: If your shell only supports 32-bit signed arithmetic (ash or dash)
then the range may not span 128.0.0.0.<br>
<br>
Example:<br>
<br>
      [root@gateway root]# shorewall iprange 192.168.1.4-192.168.12.9<br>
      192.168.1.4/30<br>
      192.168.1.8/29<br>
      192.168.1.16/28<br>
      192.168.1.32/27<br>
      192.168.1.64/26<br>
      192.168.1.128/25<br>
      192.168.2.0/23<br>
      192.168.4.0/22<br>
      192.168.8.0/22<br>
      192.168.12.0/29<br>
      192.168.12.8/31<br>
      [root@gateway root]#<br>
<br>
</li>
<li>A list of host/net addresses is now allowed in an entry in /etc/shorewall/hosts.<br>
<br>
Example:<br>
<br>
    foo    eth1:192.168.1.0/24,192.168.2.0/24<br>
</li>
</ol> </ol>
<p><b>6/17/2003 - Shorewall-1.4.5</b><b> </b></p> <p><b>6/17/2003 - Shorewall-1.4.5</b><b> </b></p>
<p>Problems Corrected:<br> <p>Problems Corrected:<br>
</p> </p>
<ol> <ol>
<li>The command "shorewall debug try &lt;directory&gt;" now correctly <li>The command "shorewall debug try &lt;directory&gt;" now
traces the attempt.</li> correctly traces the attempt.</li>
<li>The INCLUDE directive now works properly in the zones file; <li>The INCLUDE directive now works properly in the zones
previously, INCLUDE in that file was ignored.</li> file; previously, INCLUDE in that file was ignored.</li>
<li>/etc/shorewall/routestopped records with an empty second <li>/etc/shorewall/routestopped records with an empty second
column are no longer ignored.<br> column are no longer ignored.<br>
</li> </li>
</ol> </ol>
<p>New Features:<br> <p>New Features:<br>
</p> </p>
<ol> <ol>
<li>The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-] rule <li>The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-] rule
may now contain a list of addresses. If the list begins with "!' then the may now contain a list of addresses. If the list begins with "!' then
rule will take effect only if the original destination address in the connection the rule will take effect only if the original destination address in
request does not match any of the addresses listed.</li> the connection request does not match any of the addresses listed.</li>
</ol> </ol>
<p><b>6/15/2003 - Shorewall, Kernel 2.4.21 and iptables 1.2.8</b><b> <p><b>6/15/2003 - Shorewall, Kernel 2.4.21 and iptables 1.2.8</b><b>
</b></p> </b></p>
<p>The firewall at shorewall.net has been upgraded to the 2.4.21 kernel <p>The firewall at shorewall.net has been upgraded to the 2.4.21 kernel
and iptables 1.2.8 (using the "official" RPM from netfilter.org). No problems and iptables 1.2.8 (using the "official" RPM from netfilter.org). No
have been encountered with this set of software. The Shorewall version problems have been encountered with this set of software. The Shorewall
is 1.4.4b plus the accumulated changes for 1.4.5.<br> version is 1.4.4b plus the accumulated changes for 1.4.5.<br>
</p> </p>
<p><b>6/8/2003 - Updated Samples</b><b> </b></p> <p><b>6/8/2003 - Updated Samples</b><b> </b></p>
<p>Thanks to Francesca Smith, the samples have been updated to Shorewall <p>Thanks to Francesca Smith, the samples have been updated to Shorewall
version 1.4.4.</p> version 1.4.4.</p>
<p><b></b></p> <p><b></b></p>
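Review bot: The Beta 2 announcement at the top of this hunk replaces the Beta 1 entry but drops the links to http://shorewall.net/pub/shorewall/testing and ftp://shorewall.net/pub/shorewall/testing that the Beta 1 entry carried, and it leaves an empty "<p><b></b></p>" and an empty "<ol></ol>" in front of the 7/7/2003 heading; restore the download links for the Beta 2 entry and delete the empty elements. Further down in the same hunk: the load-balancing item no longer states the "Up to 256 servers" limit, and the removed paragraph explaining that a range in a DNAT rule generates one filter-table ACCEPT rule per address (and that a DNAT- rule plus ACCEPT rules is preferable above about 16 servers) was useful operational guidance; if the limit and the per-address rule expansion still hold, keep both sentences, and if they no longer hold, say so under Migration Issues. The Connection Tracking Match item says the filter-table rule is extended to check the original destination when the extension is present, but not what happens without it; a sentence stating that without the extension the filter rule cannot perform that check would tell readers what the extension adds to the ruleset. Migration Issues item 2 and the New Features item on NAT_ENABLED, MANGLE_ENABLED and MULTIPORT describe the same removal; one could simply cross-reference the other. Typos in the new ipcalc/iprange text: "arithmatic" should be "arithmetic" (the iprange note spells it correctly) and "addressses" should be "addresses"; also "IP addresses 128.0.0.0-1" in the ipcalc warning reads as a truncated range and should spell out which addresses are affected.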
@ -303,105 +384,108 @@ is 1.4.4b plus the accumulated changes for 1.4.5.<br>
border="0" src="images/leaflogo.gif" width="49" height="36" border="0" src="images/leaflogo.gif" width="49" height="36"
alt="(Leaf Logo)"> alt="(Leaf Logo)">
</a>Jacques Nilo and Eric Wolzak </a>Jacques Nilo and Eric Wolzak
have a LEAF (router/firewall/gateway have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution on a floppy, CD or compact flash) distribution
called <i>Bering</i> that features called <i>Bering</i> that features
Shorewall-1.4.2 and Kernel-2.4.20. You Shorewall-1.4.2 and Kernel-2.4.20. You
can find their work at: <a can find their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br> href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
</a></p> </a></p>
<b>Congratulations to Jacques and Eric on the recent <b>Congratulations to Jacques and Eric on the recent
release of Bering 1.2!!! </b><br> release of Bering 1.2!!! </b><br>
<h2><a name="Donations"></a>Donations</h2> <h2><a name="Donations"></a>Donations</h2>
</td> </td>
<td width="88" bgcolor="#4b017c"
valign="top" align="center">
<td width="88" bgcolor="#4b017c" valign="top"
align="center">
<form method="post" <form method="post"
action="http://lists.shorewall.net/cgi-bin/htsearch"> action="http://lists.shorewall.net/cgi-bin/htsearch">
<strong><br> <strong><br>
<font <font
color="#ffffff"><b>Note: </b></font></strong><font color="#ffffff"><b>Note: </b></font></strong><font
color="#ffffff">Search is unavailable Daily 0200-0330 GMT.</font><br> color="#ffffff">Search is unavailable Daily 0200-0330 GMT.</font><br>
<strong></strong> <strong></strong>
<p><font color="#ffffff"><strong>Quick Search</strong></font><br> <p><font color="#ffffff"><strong>Quick Search</strong></font><br>
<font <font
face="Arial" size="-1"> <input type="text" name="words" face="Arial" size="-1"> <input type="text" name="words"
size="15"></font><font size="-1"> </font> <font face="Arial" size="15"></font><font size="-1"> </font> <font face="Arial"
size="-1"> <input type="hidden" name="format" value="long"> <input size="-1"> <input type="hidden" name="format" value="long"> <input
type="hidden" name="method" value="and"> <input type="hidden" type="hidden" name="method" value="and"> <input type="hidden"
name="config" value="htdig"> <input type="submit" value="Search"></font> name="config" value="htdig"> <input type="submit" value="Search"></font>
</p> </p>
<font <font
face="Arial"> <input type="hidden" name="exclude" face="Arial"> <input type="hidden" name="exclude"
value="[http://lists.shorewall.net/pipermail/*]"> </font> </form> value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
<p><font color="#ffffff"><b><a <p><font color="#ffffff"><b><a
href="http://lists.shorewall.net/htdig/search.html"><font href="http://lists.shorewall.net/htdig/search.html"><font
color="#ffffff">Extended Search</font></a></b></font></p> color="#ffffff">Extended Search</font></a></b></font></p>
<br> <br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</center> </center>
</div> </div>
<table border="0" cellpadding="5" cellspacing="0" <table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2" style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td width="100%" style="margin-top: 1px;" <td width="100%" style="margin-top: 1px;"
valign="middle"> valign="middle">
<p align="center"><a href="http://www.starlight.org"> <img <p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left" border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10" alt="(Starlight Logo)"> hspace="10" alt="(Starlight Logo)">
</a></p> </a></p>
<p align="center"><font size="4" color="#ffffff"><br> <p align="center"><font size="4" color="#ffffff"><br>
<font size="+2"> Shorewall is free but if you try it and <font size="+2"> Shorewall is free but if you try it
find it useful, please consider making a donation and find it useful, please consider making a donation
to <a to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight Children's href="http://www.starlight.org"><font color="#ffffff">Starlight Children's
Foundation.</font></a> Thanks!</font></font></p> Foundation.</font></a> Thanks!</font></font></p>
</td> </td>
</tr> </tr>
@ -409,11 +493,8 @@ is 1.4.4b plus the accumulated changes for 1.4.5.<br>
</table> </table>
<p><font size="2">Updated 7/4/2003 - <a href="support.htm">Tom Eastep</a></font> <p><font size="2">Updated 7/7/2003 - <a href="support.htm">Tom Eastep</a></font>
<br> <br>
</p> </p>
<br>
<br>
<br>
</body> </body>
</html> </html>


@ -17,142 +17,142 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Firewall Structure</font></h1> <h1 align="center"><font color="#ffffff">Firewall Structure</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p> Shorewall views the network in which it is running as a set of <p> Shorewall views the network in which it is running as a set of
<i> zones. </i>Shorewall itself defines exactly one zone called "fw" which <i> zones. </i>Shorewall itself defines exactly one zone called "fw" which
refers to the firewall system itself . The /etc/shorewall/zones file is refers to the firewall system itself . The /etc/shorewall/zones file is
used to define additional zones and the example file provided with Shorewall used to define additional zones and the example file provided with Shorewall
defines the zones:</p> defines the zones:</p>
<ol> <ol>
<li> net -- the (untrusted) internet.</li> <li> net -- the (untrusted) internet.</li>
<li> dmz - systems that must be accessible from the internet <li> dmz - systems that must be accessible from the internet
and from the local network.  These systems cannot be trusted completely and from the local network.  These systems cannot be trusted completely since
since their servers may have been compromised through a security exploit.</li> their servers may have been compromised through a security exploit.</li>
<li> loc - systems in your local network(s). These systems <li> loc - systems in your local network(s). These systems
must be protected from the internet and from the DMZ and in some cases, must be protected from the internet and from the DMZ and in some cases,
from each other.</li> from each other.</li>
</ol> </ol>
<p><b>Note: </b><a href="#Conf">You can specify the name of the firewall <p><b>Note: </b><a href="#Conf">You can specify the name of the firewall zone</a>.
zone</a>. For ease of description in this documentation, it is assumed For ease of description in this documentation, it is assumed that the firewall
that the firewall zone is named "fw".</p> zone is named "fw".</p>
<p>It can't be stressed enough that with the exception of the firewall zone, <p>It can't be stressed enough that with the exception of the firewall zone,
Shorewall itself attaches no meaning to zone names. Zone names are simply Shorewall itself attaches no meaning to zone names. Zone names are simply
labels used to refer to a collection of network hosts.</p> labels used to refer to a collection of network hosts.</p>
<p>While zones are normally disjoint (no two zones have a host in common), <p>While zones are normally disjoint (no two zones have a host in common),
there are cases where nested or overlapping zone definitions are appropriate.</p> there are cases where nested or overlapping zone definitions are appropriate.</p>
<p>Netfilter has the concept of <i>tables</i> and <i>chains. </i>For the purpose <p>Netfilter has the concept of <i>tables</i> and <i>chains. </i>For the
of this document, we will consider Netfilter to have three tables:</p> purpose of this document, we will consider Netfilter to have three tables:</p>
<ol> <ol>
<li>Filter table -- this is the main table for packet filtering and can <li>Filter table -- this is the main table for packet filtering and can
be displayed with the command "shorewall show".</li> be displayed with the command "shorewall show".</li>
<li>Nat table -- used for all forms of Network Address Translation (NAT); <li>Nat table -- used for all forms of Network Address Translation (NAT);
SNAT, DNAT and MASQUERADE.</li> SNAT, DNAT and MASQUERADE.</li>
<li>Mangle table -- used to modify fields in the packet header.<br> <li>Mangle table -- used to modify fields in the packet header.<br>
</li> </li>
</ol> </ol>
<p>Netfilter defines a number of inbuilt chains: PREROUTING, INPUT, OUTPUT, <p>Netfilter defines a number of inbuilt chains: PREROUTING, INPUT, OUTPUT,
FORWARD and POSTROUTING. Not all inbuilt chains are present in all tables FORWARD and POSTROUTING. Not all inbuilt chains are present in all tables
as shown in this table.<br> as shown in this table.<br>
</p> </p>
<div align="center"> <div align="center">
<table cellpadding="2" cellspacing="2" border="1"> <table cellpadding="2" cellspacing="2" border="1">
<tbody> <tbody>
<tr> <tr>
<td valign="top">CHAIN<br> <td valign="top">CHAIN<br>
</td> </td>
<td valign="top">Filter<br> <td valign="top">Filter<br>
</td> </td>
<td valign="top">Nat<br> <td valign="top">Nat<br>
</td> </td>
<td valign="top">Mangle<br> <td valign="top">Mangle<br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top">PREROUTING<br> <td valign="top">PREROUTING<br>
</td> </td>
<td valign="top"><br> <td valign="top"><br>
</td> </td>
<td valign="top">X<br> <td valign="top">X<br>
</td> </td>
<td valign="top">X<br> <td valign="top">X<br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top">INPUT<br> <td valign="top">INPUT<br>
</td> </td>
<td valign="top">X<br> <td valign="top">X<br>
</td> </td>
<td valign="top"><br> <td valign="top"><br>
</td> </td>
<td valign="top">X<br> <td valign="top">X<br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top">OUTPUT<br> <td valign="top">OUTPUT<br>
</td> </td>
<td valign="top">X<br> <td valign="top">X<br>
</td> </td>
<td valign="top">X<br> <td valign="top">X<br>
</td> </td>
<td valign="top">X<br> <td valign="top">X<br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top">FORWARD<br> <td valign="top">FORWARD<br>
</td> </td>
<td valign="top">X<br> <td valign="top">X<br>
</td> </td>
<td valign="top"><br> <td valign="top"><br>
</td> </td>
<td valign="top">X<br> <td valign="top">X<br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top">POSTROUTING<br> <td valign="top">POSTROUTING<br>
</td> </td>
<td valign="top"><br> <td valign="top"><br>
</td> </td>
<td valign="top">X<br> <td valign="top">X<br>
</td> </td>
<td valign="top">X<br> <td valign="top">X<br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</div> </div>
<p>Shorewall doesn't create rules in all of the builtin chains. In the large <p>Shorewall doesn't create rules in all of the builtin chains. In the large
diagram below are boxes such as  shown below.  This box represents in INPUT diagram below are boxes such as  shown below.  This box represents in INPUT
chain and shows that packets first flow through the INPUT chain in the Mangle chain and shows that packets first flow through the INPUT chain in the Mangle
table followed by the INPUT chain in the Filter table. The parentheses around table followed by the INPUT chain in the Filter table. The parentheses around
"Mangle" indicate that while the packets will flow through the INPUT chain "Mangle" indicate that while the packets will flow through the INPUT chain
in the Mangle table, Shorewall does not create any rules in that chain.<br> in the Mangle table, Shorewall does not create any rules in that chain.<br>
</p> </p>
<div align="center"><img src="images/Legend.png" alt="(Box Legend)" <div align="center"><img src="images/Legend.png" alt="(Box Legend)"
width="145" height="97" align="middle"> width="145" height="97" align="middle">
<br> <br>
</div> </div>
<p></p> <p></p>
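Review bot: nothing in this hunk changes the text; every line is the same sentence re-wrapped at a different column (for example `and from the local network.  These systems cannot be trusted completely since` / `their servers may have been compromised through a security exploit.`), which hides the real edits elsewhere in the commit and inflates the diff. Consider committing editor re-flows separately, and while the file is open fix two slips it carries through unchanged: the stray space in `the firewall system itself .` and `This box represents in INPUT chain`, which should read `an INPUT chain`.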
@ -162,116 +162,108 @@ in the Mangle table, Shorewall does not create any rules in that chain.<br>
<div align="center"><img src="images/Netfilter.png" <div align="center"><img src="images/Netfilter.png"
alt="Netfilter Flow Diagram" width="541" height="767"> alt="Netfilter Flow Diagram" width="541" height="767">
</div> </div>
<p><br> <p><br>
<br> <br>
In the text that follows, the paragraph numbers correspond to the box number In the text that follows, the paragraph numbers correspond to the box number
in the diagram above.<br> in the diagram above.<br>
</p> </p>
<ol> <ol>
<li>Packets entering the firewall first pass through the <i>mangle </i>table's <li>Packets entering the firewall first pass through the <i>mangle </i>table's
PREROUTING chain (you can see the mangle table by typing "shorewall show PREROUTING chain (you can see the mangle table by typing "shorewall show
mangle"). If the packet entered through an interface that has the <b>norfc1918</b> mangle"). If the packet entered through an interface that has the <b>norfc1918</b>
option, then the packet is sent down the <b>man1918</b> chain which will option and if iptables/netfilter doesn't support the connection tracking
drop the packet if its destination IP address is reserved (as specified match extension, then the packet is sent down the <b>man1918</b> chain which
will drop the packet if its destination IP address is reserved (as specified
in the /etc/shorewall/rfc1918 file). Next the packet passes through the<b> in the /etc/shorewall/rfc1918 file). Next the packet passes through the<b>
pretos</b> chain to set its TOS field as specified in the /etc/shorewall/tos pretos</b> chain to set its TOS field as specified in the /etc/shorewall/tos
file. Finally, if traffic control/shaping is being used, the packet is sent file. Finally, if traffic control/shaping is being used, the packet is sent
through the<b> tcpre</b> chain to be marked for later use in policy routing through the<b> tcpre</b> chain to be marked for later use in policy routing
or traffic control.<br> or traffic control.<br>
<br> <br>
Next, if the packet isn't part of an established connection, it passes Next, if the packet isn't part of an established connection, it passes
through the<i> nat</i> table's PREROUTING chain (you can see the nat table through the<i> nat</i> table's PREROUTING chain (you can see the nat table
by typing "shorewall show nat"). If you are doing both static nat and by typing "shorewall show nat"). If you are doing both static nat and port
port forwarding, the order in which chains are traversed is dependent on forwarding, the order in which chains are traversed is dependent on the
the setting of NAT_BEFORE_RULES in shorewall.conf. If NAT_BEFORE_RULES is setting of NAT_BEFORE_RULES in shorewall.conf. If NAT_BEFORE_RULES is on
on then packets will ender a chain called<b> <i>interface_</i>in</b> where then packets will ender a chain called<b> <i>interface_</i>in</b> where
<i>interface</i> is the name of the interface on which the packet entered. <i>interface</i> is the name of the interface on which the packet entered.
Here it's destination IP is compared to each of the <i>EXTERNAL</i> IP Here it's destination IP is compared to each of the <i>EXTERNAL</i> IP addresses
addresses from /etc/shorewall/nat that correspond to this interface; if from /etc/shorewall/nat that correspond to this interface; if there is
there is a match, DNAT is applied and the packet header is modified to a match, DNAT is applied and the packet header is modified to the IP in
the IP in the <i>INTERNAL</i> column of the nat file record. If the destination the <i>INTERNAL</i> column of the nat file record. If the destination address
address doesn't match any of the rules in the <b><i>interface_</i>in</b> doesn't match any of the rules in the <b><i>interface_</i>in</b> chain then
chain then the packet enters a chain called <b><i>sourcezone</i>_dnat</b> the packet enters a chain called <b><i>sourcezone</i>_dnat</b> where <i>sourcezone</i>
where <i>sourcezone</i> is the source zone of the packet. There it is compared is the source zone of the packet. There it is compared for a match against
for a match against each of the DNAT records in the rules file that specify each of the DNAT records in the rules file that specify <i> sourcezone
<i> sourcezone </i>as the source zone. If a match is found, the destination </i>as the source zone. If a match is found, the destination IP address
IP address (and possibly the destination port) is modified based on the (and possibly the destination port) is modified based on the rule matched.
rule matched. If NAT_BEFORE_RULES is off, then the order of traversal of If NAT_BEFORE_RULES is off, then the order of traversal of the <b><i> interface_</i>in</b>
the <b><i> interface_</i>in</b> and <b><i>sourcezone</i>_dnat</b> is reversed.<br> and <b><i>sourcezone</i>_dnat</b> is reversed.<br>
<br> <br>
</li> </li>
<li>Depending on whether the packet is destined for the firewall itself <li>Depending on whether the packet is destined for the firewall itself
or for another system, it follows either the left or the right path. Traffic or for another system, it follows either the left or the right path. Traffic
going to the firewall goes through chains called INPUT in the mangle table. going to the firewall goes through chain called INPUT in the mangle table.
Shorewall doesn't add any rules to that chain. Traffic next passes the the Shorewall doesn't add any rules to that chain.<br>
INPUT chain in the filter table where it is broken out based on the interface <br>
on which the packet arrived; packets from interface <i>interface</i> are routed </li>
to chain <b><i>interface</i>_in</b>. For example, packets arriving through <li>Traffic that is to be forwarded to another host goes through the chains
eth0 are passed to the chain <b>eth0_in.</b></li> called FORWARD in the mangle table. If MARK_IN_FORWARD=Yes in shorewall.conf,
all rules in /etc/shorewall/tcrules that do not specify Prerouting (:P) are
processed in a chain called <br>
<br>
</li>
<ol> <ol>
<li>The first rule in <b><i>interface</i>_in</b> jumps to the chain
named <b>dynamic</b> which matches the source IP in the packet against all
of the addresses that have been blacklisted using <a
href="blacklisting_support.htm#Dynamic">dynamic blacklisting</a>.</li>
<li>If the the interface has the <b>norfc1918</b> option then the packet
is sent down the <b>rfc1918 </b>which checks the source address against those
listed in /etc/shorewall/rfc1918 and treats the packet according to the first
match in that file (if any).</li>
<li>If the interface has the  <b>dhcp </b>option, UDP packets to ports
67 and 68 are accepted.</li>
<li><br>
</li>
</ol> </ol>
<li>Traffic is next sent to an<i> input </i>chain in the mail Netfilter <li>Traffic is next sent to an<i> interface </i>chain in the main Netfilter
table (called 'filter'). If the traffic is destined for the firewall itself, table (called 'filter'). If the traffic is destined for the firewall itself,
the name of the input chain is formed by appending "_in" to the interface the name of the interface chain is formed by appending "_in" to the interface
name. So traffic on eth0 destined for the firewall will enter a chain called name. So traffic on eth0 destined for the firewall will enter a chain called
<i>eth0_in</i>. The input chain for traffic that will be routed to <i>eth0_in</i>. The interface chain for traffic that will be routed
another system is formed by appending "_fwd" to the interface name. So traffic to another system is formed by appending "_fwd" to the interface name.
from eth1 that is going to be forwarded enters a chain called<i> eth1_fwd</i>. So traffic from eth1 that is going to be forwarded enters a chain called<i>
Interfaces described with the wild-card character ("+") in /etc/shorewall/interfaces, eth1_fwd</i>. Interfaces described with the wild-card character ("+")
share input chains. if <i>ppp+ </i>appears in /etc/shorewall/interfaces in /etc/shorewall/interfaces, share input chains. if <i>ppp+ </i>appears
then all PPP interfaces (ppp0, ppp1, ...) will share the input chains <i>ppp_in</i> in /etc/shorewall/interfaces then all PPP interfaces (ppp0, ppp1, ...) will
and <i>ppp_fwd</i>. In other words, "+" is deleted from the name before share the interface chains <i>ppp_in</i> and <i>ppp_fwd</i>. In other words,
forming the input chain names.</li> "+" is deleted from the name before forming the input chain names.<br>
<br>
While the use of interfacechains may seem wasteful in simple environments,
in complex setups it substantially reduces the number of rules that each
packet must traverse.  </li>
</ol> </ol>
<p> While the use of input chains may seem wasteful in simple environments, <p> Traffic directed from a zone to the firewall itself is sent through a
in complex setups it substantially reduces the number of rules that each chain named &lt;<i>zone name&gt;</i>2fw. For example, traffic inbound from
packet must traverse.  </p> the internet and addressed to the firewall is sent through a chain named
net2fw. Similarly, traffic originating in the firewall and being sent
to a host in a given zone is sent through a chain named fw2<i>&lt;zone
name&gt;. </i>For example, traffic originating in the firewall and
destined for a host in the local network is sent through a chain named
<i>fw2loc.</i> <font face="Century Gothic, Arial, Helvetica">  </font></p>
<p> Traffic directed from a zone to the firewall itself is sent through <p> Traffic being forwarded between two zones (or from one interface to a
a chain named &lt;<i>zone name&gt;</i>2fw. For example, traffic inbound from zone to another interface to that zone) is sent through a chain named <i>
the internet and addressed to the firewall is sent through a chain named &lt;source zone&gt;</i>2<i> &lt;destination zone&gt;</i>. So for example,
net2fw. Similarly, traffic originating in the firewall and being sent to traffic originating in a local system and destined for a remote web server
a host in a given zone is sent through a chain named fw2<i>&lt;zone name&gt;. is sent through chain <i>loc2net. </i>This chain is referred to
</i>For example, traffic originating in the firewall and destined as the <i>canonical</i> chain from &lt;source zone&gt; to &lt;destination
for a host in the local network is sent through a chain named <i>fw2loc.</i> zone&gt;. Any destination NAT will have occurred <u>before</u> the packet
<font face="Century Gothic, Arial, Helvetica">  </font></p> traverses one of these chains so rules in /etc/shorewall/rules should
be expressed in terms of the destination system's real IP address as opposed
<p> Traffic being forwarded between two zones (or from one interface to to its apparent external address. Similarly, source NAT will occur <u>after</u>
a zone to another interface to that zone) is sent through a chain named <i> the packet has traversed the appropriate forwarding chain so the rules
&lt;source zone&gt;</i>2<i> &lt;destination zone&gt;</i>. So for example, again will be expressed using the source system's real IP address.</p>
traffic originating in a local system and destined for a remote web server
is sent through chain <i>loc2net. </i>This chain is referred to as
the <i>canonical</i> chain from &lt;source zone&gt; to &lt;destination
zone&gt;. Any destination NAT will have occurred <u>before</u> the packet
traverses one of these chains so rules in /etc/shorewall/rules should be
expressed in terms of the destination system's real IP address as opposed
to its apparent external address. Similarly, source NAT will occur <u>after</u>
the packet has traversed the appropriate forwarding chain so the rules
again will be expressed using the source system's real IP address.</p>
<p> For each record in the /etc/shorewall/policy file, a chain is created. <p> For each record in the /etc/shorewall/policy file, a chain is created.
Policies in that file are expressed in terms of a source zone and destination Policies in that file are expressed in terms of a source zone and destination
zone where these zones may be a zone defined in /etc/shorewall/zones, zone where these zones may be a zone defined in /etc/shorewall/zones, "fw"
"fw" or "all". Policies specifying the pseudo-zone "all" matches all defined or "all". Policies specifying the pseudo-zone "all" matches all defined
zones and "fw". These chains are referred to as <i>Policy Chains.</i> Notice zones and "fw". These chains are referred to as <i>Policy Chains.</i> Notice
that for an ordered pair of zones (za,zb), the canonical chain (za2zb) that for an ordered pair of zones (za,zb), the canonical chain (za2zb)
may also be the policy chain for the pair or the policy chain may be a may also be the policy chain for the pair or the policy chain may be a
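Review bot: the new list item on forwarded traffic ends mid-sentence: `processed in a chain called` is followed only by `<br><br></li>`, so the chain name never reaches the published page; finish the sentence or hold back the MARK_IN_FORWARD sentence until the name is known. Two further problems in the same hunk: deleting the three-step sub-list (the `dynamic` blacklist chain, the `rfc1918` chain, the dhcp ports) leaves an empty nested `<ol></ol>` behind that should go with it, and the hunk adds no replacement for that description of what happens inside `interface_in`; if the material now lives elsewhere, link to it. The rename from "input chain" to "interface chain" is also only half done: the same item still says `share input chains` and `forming the input chain names`, and `interfacechains` lost its space. Smaller carry-overs worth fixing in the same touch: `goes through chain called INPUT` (dropped its article; both it and `the chains called FORWARD` should be singular), `packets will ender a chain`, `Here it's destination IP`, and `if ppp+ appears` starting a sentence in lower case.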
@ -279,42 +271,42 @@ different chain (za2all, for example). Packets from one zone to another
will traverse chains as follows:</p> will traverse chains as follows:</p>
<ol> <ol>
<li> If the canonical chain exists, packets first traverse that <li> If the canonical chain exists, packets first traverse that
chain.</li> chain.</li>
<li> If the canonical chain and policy chain are different and <li> If the canonical chain and policy chain are different and
the packet does not match a rule in the canonical chain, it then is sent the packet does not match a rule in the canonical chain, it then is sent
to the policy chain.</li> to the policy chain.</li>
<li> If the canonical chain does not exist, packets are sent <li> If the canonical chain does not exist, packets are sent
immediately to the policy chain.</li> immediately to the policy chain.</li>
</ol> </ol>
<p> The canonical chain from zone za to zone zb will be created only if <p> The canonical chain from zone za to zone zb will be created only if there
there are exception rules defined in /etc/shorewall/rules for packets going are exception rules defined in /etc/shorewall/rules for packets going from
from za to zb.</p> za to zb.</p>
<p> Shorewall is built on top of the Netfilter kernel facility. Netfilter <p> Shorewall is built on top of the Netfilter kernel facility. Netfilter
implements connection tracking function that allow what is often referred implements connection tracking function that allow what is often referred
to as "statefull inspection" of packets. This statefull property allows to as "statefull inspection" of packets. This statefull property allows
firewall rules to be defined in terms of "connections" rather than in firewall rules to be defined in terms of "connections" rather than
terms of "packets". With Shorewall, you:</p> in terms of "packets". With Shorewall, you:</p>
<ol> <ol>
<li> Identify the client's zone.</li> <li> Identify the client's zone.</li>
<li> Identify the server's zone.</li> <li> Identify the server's zone.</li>
<li> If the POLICY from the client's zone to the server's zone <li> If the POLICY from the client's zone to the server's zone
is what you want for this client/server pair, you need do nothing further.</li> is what you want for this client/server pair, you need do nothing further.</li>
<li> If the POLICY is not what you want, then you must add a <li> If the POLICY is not what you want, then you must add a
rule. That rule is expressed in terms of the client's zone and the rule. That rule is expressed in terms of the client's zone and the
server's zone.</li> server's zone.</li>
</ol> </ol>
<p> Just because connections of a particular type are allowed between zone <p> Just because connections of a particular type are allowed between zone
A and the firewall and are also allowed between the firewall and zone A and the firewall and are also allowed between the firewall and zone B
B <font color="#ff6633"><b><u> DOES NOT mean that these connections <font color="#ff6633"><b><u> DOES NOT mean that these connections are
are allowed between zone A and zone B</u></b></font>. It rather means allowed between zone A and zone B</u></b></font>. It rather means that
that you can have a proxy running on the firewall that accepts a connection you can have a proxy running on the firewall that accepts a connection
from zone A and then establishes its own separate connection from the firewall from zone A and then establishes its own separate connection from the firewall
to zone B.</p> to zone B.</p>
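Review bot: this hunk is again re-wrap only, and it carries through several spelling and agreement errors that could be fixed at the same time: `statefull inspection` and `statefull property` should read `stateful`, `implements connection tracking function that allow` needs `functions`, and `Policies specifying the pseudo-zone "all" matches` needs `match`.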
@ -327,7 +319,8 @@ from zone A and then establishes its own separate connection from the firewall
<p><font face="Trebuchet MS"><a href="copyright.htm"> <font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"> <font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
<br> <br>
<br>
<br> <br>
<br> <br>
</body> </body>

View File

@ -19,51 +19,51 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall QuickStart Guides <h1 align="center"><font color="#ffffff">Shorewall QuickStart Guides
(HOWTO's)<br> (HOWTO's)<br>
Version 4.0</font></h1> </font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p align="center">With thanks to Richard who reminded me once again that we <p align="center">With thanks to Richard who reminded me once again that
must all first walk before we can run.<br> we must all first walk before we can run.<br>
The French Translations are courtesy of Patrice Vetsel<br> The French Translations are courtesy of Patrice Vetsel<br>
</p> </p>
<h2>The Guides</h2> <h2>The Guides</h2>
<p>These guides provide step-by-step instructions for configuring Shorewall <p>These guides provide step-by-step instructions for configuring Shorewall
in common firewall setups.</p> in common firewall setups.</p>
<p>The following guides are for <b>users who have a single public IP address</b>:</p> <p>The following guides are for <b>users who have a single public IP address</b>:</p>
<ul> <ul>
<li><a href="standalone.htm">Standalone</a> <li><a href="standalone.htm">Standalone</a>
Linux System (<a href="standalone_fr.html">Version Française</a>)</li> Linux System (<a href="standalone_fr.html">Version Française</a>)</li>
<li><a href="two-interface.htm">Two-interface</a> <li><a href="two-interface.htm">Two-interface</a>
Linux System acting as a firewall/router for a small local Linux System acting as a firewall/router for a small local
network (<a href="two-interface_fr.html">Version Française</a>)</li> network (<a href="two-interface_fr.html">Version Française</a>)</li>
<li><a href="three-interface.htm">Three-interface</a> <li><a href="three-interface.htm">Three-interface</a>
Linux System acting as a firewall/router for a small local Linux System acting as a firewall/router for a small local
network and a DMZ. (<a href="three-interface_fr.html">Version Française</a>)</li> network and a DMZ. (<a href="three-interface_fr.html">Version Française</a>)</li>
</ul> </ul>
<p>The above guides are designed to get your first firewall up and running <p>The above guides are designed to get your first firewall up and running
quickly in the three most common Shorewall configurations.</p> quickly in the three most common Shorewall configurations.</p>
<p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> (See <p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> (See
Index Below) outlines the steps necessary to set up a firewall Index Below) outlines the steps necessary to set up a firewall
where <b>there are multiple public IP addresses involved or where <b>there are multiple public IP addresses involved or
if you want to learn more about Shorewall than is explained in if you want to learn more about Shorewall than is explained in
the single-address guides above.</b></p> the single-address guides above.</b></p>
<ul> <ul>
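Review bot: the heading loses `Version 4.0` with nothing replacing it, so readers can no longer tell which revision of the QuickStart Guides they are reading; if the guides are no longer versioned that is fine, but any page that refers to them by version number will need the same change, and the `<br>` now left just before `</font></h1>` renders as an empty trailing line inside the heading. Minor: `HOWTO's` is a plural and should be `HOWTOs`.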
@ -72,221 +72,239 @@ the single-address guides above.</b></p>
<h2><a name="Documentation"></a>Documentation Index</h2> <h2><a name="Documentation"></a>Documentation Index</h2>
<p>The following documentation covers a variety of topics and <b>supplements <p>The following documentation covers a variety of topics and <b>supplements
the <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a> the <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a>
described above</b>. Please review the appropriate guide before described above</b>. Please review the appropriate guide before
trying to use this documentation directly.</p> trying to use this documentation directly.</p>
<ul> <ul>
<li><a <li><a
href="Shorewall_and_Aliased_Interfaces.html">Aliased (virtual) Interfaces href="Shorewall_and_Aliased_Interfaces.html">Aliased (virtual) Interfaces
(e.g., eth0:0)</a><br> (e.g., eth0:0)</a><br>
</li> </li>
<li><a href="blacklisting_support.htm">Blacklisting</a> <li><a href="blacklisting_support.htm">Blacklisting</a>
<ul> <ul>
<li>Static Blacklisting using /etc/shorewall/blacklist</li> <li>Static Blacklisting using /etc/shorewall/blacklist</li>
<li>Dynamic Blacklisting using /sbin/shorewall</li> <li>Dynamic Blacklisting using /sbin/shorewall</li>
</ul> </ul>
</li> </li>
<li><a <li><a
href="configuration_file_basics.htm">Common configuration file href="configuration_file_basics.htm">Common configuration file
features</a> features</a>
<ul> <ul>
<li><a <li><a
href="configuration_file_basics.htm#Comments">Comments in configuration href="configuration_file_basics.htm#Comments">Comments in configuration
files</a></li> files</a></li>
<li><a <li><a
href="configuration_file_basics.htm#Continuation">Line Continuation</a></li> href="configuration_file_basics.htm#Continuation">Line Continuation</a></li>
<li><a href="configuration_file_basics.htm#INCLUDE">INCLUDE Directive</a><br> <li><a href="configuration_file_basics.htm#INCLUDE">INCLUDE Directive</a><br>
</li> </li>
<li><a <li><a
href="configuration_file_basics.htm#Ports">Port Numbers/Service Names</a></li> href="configuration_file_basics.htm#Ports">Port Numbers/Service Names</a></li>
<li><a <li><a
href="configuration_file_basics.htm#Ranges">Port Ranges</a></li> href="configuration_file_basics.htm#Ranges">Port Ranges</a></li>
<li><a <li><a
href="configuration_file_basics.htm#Variables">Using Shell Variables</a></li> href="configuration_file_basics.htm#Variables">Using Shell Variables</a></li>
<li><a <li><a
href="configuration_file_basics.htm#dnsnames">Using DNS Names</a><br> href="configuration_file_basics.htm#dnsnames">Using DNS Names</a><br>
</li> </li>
<li><a <li><a
href="configuration_file_basics.htm#Compliment">Complementing an IP address href="configuration_file_basics.htm#Compliment">Complementing an IP address
or Subnet</a></li> or Subnet</a></li>
<li><a <li><a
href="configuration_file_basics.htm#Configs">Shorewall Configurations href="configuration_file_basics.htm#Configs">Shorewall Configurations (making
(making a test configuration)</a></li> a test configuration)</a></li>
<li><a <li><a
href="configuration_file_basics.htm#MAC">Using MAC Addresses in Shorewall</a></li> href="configuration_file_basics.htm#MAC">Using MAC Addresses in Shorewall</a></li>
</ul> </ul>
</li> </li>
<li><a href="Documentation.htm">Configuration <li><a href="Documentation.htm">Configuration
File Reference Manual</a> File Reference Manual</a>
<ul> <ul>
<li> <a <li> <a
href="Documentation.htm#Variables">params</a></li> href="Documentation.htm#Variables">params</a></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="Documentation.htm#Zones">zones</a></font></li> href="Documentation.htm#Zones">zones</a></font></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="Documentation.htm#Interfaces">interfaces</a></font></li> href="Documentation.htm#Interfaces">interfaces</a></font></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="Documentation.htm#Hosts">hosts</a></font></li> href="Documentation.htm#Hosts">hosts</a></font></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="Documentation.htm#Policy">policy</a></font></li> href="Documentation.htm#Policy">policy</a></font></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="Documentation.htm#Rules">rules</a></font></li> href="Documentation.htm#Rules">rules</a></font></li>
<li><a href="Documentation.htm#Common">common</a></li> <li><a
<li><font color="#000099"><a href="Documentation.htm#Common">common</a></li>
<li><font color="#000099"><a
href="Documentation.htm#Masq">masq</a></font></li> href="Documentation.htm#Masq">masq</a></font></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="Documentation.htm#ProxyArp">proxyarp</a></font></li> href="Documentation.htm#ProxyArp">proxyarp</a></font></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="Documentation.htm#NAT">nat</a></font></li> href="Documentation.htm#NAT">nat</a></font></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="Documentation.htm#Tunnels">tunnels</a></font></li> href="Documentation.htm#Tunnels">tunnels</a></font></li>
<li><a <li><a
href="traffic_shaping.htm#tcrules">tcrules</a></li> href="traffic_shaping.htm#tcrules">tcrules</a></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="Documentation.htm#Conf">shorewall.conf</a></font></li> href="Documentation.htm#Conf">shorewall.conf</a></font></li>
<li><a <li><a
href="Documentation.htm#modules">modules</a></li> href="Documentation.htm#modules">modules</a></li>
<li><a href="Documentation.htm#TOS">tos</a> <li><a href="Documentation.htm#TOS">tos</a>
</li> </li>
<li><a <li><a
href="Documentation.htm#Blacklist">blacklist</a></li> href="Documentation.htm#Blacklist">blacklist</a></li>
<li><a <li><a
href="Documentation.htm#rfc1918">rfc1918</a></li> href="Documentation.htm#rfc1918">rfc1918</a></li>
<li><a <li><a
href="Documentation.htm#Routestopped">routestopped</a></li> href="Documentation.htm#Routestopped">routestopped</a></li>
</ul> </ul>
</li> </li>
<li><a href="dhcp.htm">DHCP</a></li> <li><a href="dhcp.htm">DHCP</a></li>
<li><a href="ECN.html">ECN Disabling by host <li><a href="ECN.html">ECN Disabling by
or subnet</a><br> host or subnet</a></li>
</li> <li><a href="errata.htm">Errata</a><br>
<li><font color="#000099"><a </li>
<li><font color="#000099"><a
href="shorewall_extension_scripts.htm">Extension Scripts</a></font> href="shorewall_extension_scripts.htm">Extension Scripts</a></font>
(How to extend Shorewall without modifying Shorewall code through the (How to extend Shorewall without modifying Shorewall code through the
use of files in /etc/shorewall -- /etc/shorewall/start, /etc/shorewall/stopped, use of files in /etc/shorewall -- /etc/shorewall/start, /etc/shorewall/stopped,
etc.)</li> etc.)</li>
<li><a href="fallback.htm">Fallback/Uninstall</a></li> <li><a href="fallback.htm">Fallback/Uninstall</a></li>
<li><a <li><a href="FAQ.htm">FAQs</a><br>
</li>
<li><a href="shorewall_features.htm">Features</a><br>
</li>
<li><a
href="shorewall_firewall_structure.htm">Firewall Structure</a></li> href="shorewall_firewall_structure.htm">Firewall Structure</a></li>
<li><font color="#000099"><a <li><a href="support.htm">Getting help or answers to questions</a></li>
<li><a href="Install.htm">Installation/Upgrade</a><br>
</li>
<li><font color="#000099"><a
href="kernel.htm">Kernel Configuration</a></font></li> href="kernel.htm">Kernel Configuration</a></font></li>
<li><a href="shorewall_logging.html">Logging</a><br> <li><a href="shorewall_logging.html">Logging</a><br>
</li>
<li><a href="MAC_Validation.html">MAC Verification</a><br>
</li>
<li><a href="myfiles.htm">My Shorewall
Configuration (How I personally use Shorewall)</a><br>
</li>
<li><a href="ping.html">'Ping' Management</a><br>
</li> </li>
<li><a href="ports.htm">Port Information</a> <li><a href="MAC_Validation.html">MAC Verification</a></li>
<li><a href="http://lists.shorewall.net">Mailing Lists</a><br>
</li>
<li><a href="myfiles.htm">My Shorewall
Configuration (How I personally use Shorewall)</a><br>
</li>
<li><a href="ping.html">'Ping' Management</a><br>
</li>
<li><a href="ports.htm">Port Information</a>
<ul> <ul>
<li>Which applications use which ports</li> <li>Which applications use which ports</li>
<li>Ports used by Trojans</li> <li>Ports used by Trojans</li>
</ul> </ul>
</li> </li>
<li><a href="ProxyARP.htm">Proxy ARP</a></li> <li><a href="ProxyARP.htm">Proxy ARP</a></li>
<li><a href="samba.htm">Samba</a></li> <li><a href="shorewall_prerequisites.htm">Requirements</a><br>
<li><a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a><br> </li>
</li> <li><a href="samba.htm">Samba</a></li>
<li><a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a><br>
</li>
<ul> <ul>
<li><a href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a></li> <li><a href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a></li>
<li><a href="shorewall_setup_guide.htm#Concepts">2.0 Shorewall <li><a href="shorewall_setup_guide.htm#Concepts">2.0 Shorewall
Concepts</a></li> Concepts</a></li>
<li><a href="shorewall_setup_guide.htm#Interfaces">3.0 Network <li><a href="shorewall_setup_guide.htm#Interfaces">3.0 Network
Interfaces</a></li> Interfaces</a></li>
<li><a href="shorewall_setup_guide.htm#Addressing">4.0 Addressing, <li><a href="shorewall_setup_guide.htm#Addressing">4.0 Addressing,
Subnets and Routing</a> Subnets and Routing</a>
<ul> <ul>
<li><a href="shorewall_setup_guide.htm#Addresses">4.1 IP <li><a href="shorewall_setup_guide.htm#Addresses">4.1 IP
Addresses</a></li> Addresses</a></li>
<li><a href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li> <li><a href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
<li><a href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li> <li><a href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li>
<li><a href="shorewall_setup_guide.htm#ARP">4.4 Address <li><a href="shorewall_setup_guide.htm#ARP">4.4 Address
Resolution Protocol (ARP)</a></li> Resolution Protocol (ARP)</a></li>
</ul> </ul>
<ul> <ul>
<li><a href="shorewall_setup_guide.htm#RFC1918">4.5 RFC <li><a href="shorewall_setup_guide.htm#RFC1918">4.5 RFC
1918</a></li> 1918</a></li>
</ul> </ul>
</li> </li>
<li><a href="shorewall_setup_guide.htm#Options">5.0 Setting <li><a href="shorewall_setup_guide.htm#Options">5.0 Setting
up your Network</a> up your Network</a>
<ul> <ul>
<li><a href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li> <li><a href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li>
</ul> </ul>
<ul> <ul>
<li><a href="shorewall_setup_guide.htm#NonRouted">5.2 Non-routed</a> <li><a href="shorewall_setup_guide.htm#NonRouted">5.2 Non-routed</a>
<ul> <ul>
<li><a href="shorewall_setup_guide.htm#SNAT">5.2.1 SNAT</a></li> <li><a href="shorewall_setup_guide.htm#SNAT">5.2.1 SNAT</a></li>
<li><a href="shorewall_setup_guide.htm#DNAT">5.2.2 DNAT</a></li> <li><a href="shorewall_setup_guide.htm#DNAT">5.2.2 DNAT</a></li>
<li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3 <li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3
Proxy ARP</a></li> Proxy ARP</a></li>
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4 Static <li><a href="shorewall_setup_guide.htm#NAT">5.2.4 Static
NAT</a></li> NAT</a></li>
</ul> </ul>
</li> </li>
<li><a href="shorewall_setup_guide.htm#Rules">5.3 Rules</a></li> <li><a href="shorewall_setup_guide.htm#Rules">5.3 Rules</a></li>
<li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4 Odds <li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4 Odds
and Ends</a></li> and Ends</a></li>
</ul> </ul>
</li> </li>
<li><a href="shorewall_setup_guide.htm#DNS">6.0 DNS</a></li> <li><a href="shorewall_setup_guide.htm#DNS">6.0 DNS</a></li>
<li><a href="shorewall_setup_guide.htm#StartingAndStopping">7.0 <li><a href="shorewall_setup_guide.htm#StartingAndStopping">7.0
Starting and Stopping the Firewall</a></li> Starting and Stopping the Firewall</a></li>
</ul> </ul>
<li><font color="#000099"><a <li><font color="#000099"><a
href="starting_and_stopping_shorewall.htm">Starting/stopping the Firewall</a></font></li> href="starting_and_stopping_shorewall.htm">Starting/stopping the Firewall</a></font></li>
<ul> <ul>
<li>Description of all /sbin/shorewall commands</li> <li>Description of all /sbin/shorewall commands</li>
<li>How to safely test a Shorewall configuration <li>How to safely test a Shorewall configuration
change<br> change<br>
</li> </li>
</ul> </ul>
<li><font color="#000099"><a <li><font color="#000099"><a
href="NAT.htm">Static NAT</a></font></li> href="NAT.htm">Static NAT</a></font></li>
<li><a href="Shorewall_Squid_Usage.html">Squid as a Transparent <li><a href="Shorewall_Squid_Usage.html">Squid as a Transparent
Proxy with Shorewall</a><br> Proxy with Shorewall</a></li>
</li> <li><a href="traffic_shaping.htm">Traffic
<li><a href="traffic_shaping.htm">Traffic Shaping/QOS</a></li>
Shaping/QOS</a></li> <li><a href="troubleshoot.htm">Troubleshooting (Things to try if it doesn't
<li>VPN work)</a><br>
</li>
<li><a href="upgrade_issues.htm">Upgrade Issues</a><br>
</li>
<li>VPN
<ul> <ul>
<li><a href="IPSEC.htm">IPSEC</a></li> <li><a href="IPSEC.htm">IPSEC</a></li>
<li><a href="IPIP.htm">GRE and IPIP</a></li> <li><a href="IPIP.htm">GRE and IPIP</a></li>
<li><a href="OPENVPN.html">OpenVPN</a><br> <li><a href="OPENVPN.html">OpenVPN</a><br>
</li> </li>
<li><a href="PPTP.htm">PPTP</a></li> <li><a href="PPTP.htm">PPTP</a></li>
<li><a href="6to4.htm">6t04</a><br> <li><a href="6to4.htm">6t04</a><br>
</li> </li>
<li><a href="VPN.htm">IPSEC/PPTP</a> from <li><a href="VPN.htm">IPSEC/PPTP</a> from
a system behind your firewall to a remote network.</li> a system behind your firewall to a remote network.</li>
</ul> </ul>
</li> </li>
<li><a <li><a
href="whitelisting_under_shorewall.htm">White List Creation</a></li> href="whitelisting_under_shorewall.htm">White List Creation</a></li>
</ul> </ul>
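Review bot: the nested `<ul>` listing the Setup Guide sections (opened right after the `Shorewall Setup Guide` item's closing `</li>`) and the `<ul>` under `Starting/stopping the Firewall` are direct children of the outer `<ul>` instead of sitting inside their parent `<li>`, which is not valid HTML and renders with uneven indentation across browsers; move each nested `<ul>` before the parent item's `</li>`, as the `Port Information`, `4.0 Addressing` and `VPN` items already do. The link text `6t04` (href `6to4.htm`) also looks like a typo for `6to4`, carried over unchanged from the old side.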
@ -294,15 +312,10 @@ Shaping/QOS</a></li>
<p>If you use one of these guides and have a suggestion for improvement <a <p>If you use one of these guides and have a suggestion for improvement <a
href="mailto:webmaster@shorewall.net">please let me know</a>.</p> href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
<p><font size="2">Last modified 5/18/2003 - <a href="support.htm">Tom Eastep</a></font></p> <p><font size="2">Last modified 7/6/2003 - <a href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright 2002, 2003 Thomas M. <p><a href="copyright.htm"><font size="2">Copyright 2002, 2003 Thomas M.
Eastep</font></a><br> Eastep</font></a><br>
</p> </p>
<br>
<br>
<br>
<br>
<br>
</body> </body>
</html> </html>

File diff suppressed because it is too large

@ -9,7 +9,7 @@
<title>Shoreline Firewall (Shorewall) 1.4</title> <title>Shoreline Firewall (Shorewall) 1.4</title>
<base target="_self"> <base target="_self">
</head> </head>
<body> <body>
@ -18,31 +18,32 @@
style="border-collapse: collapse;" width="100%" id="AutoNumber3" style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td width="33%" height="90" valign="middle" <td width="33%" height="90" valign="middle"
align="left"><a href="http://www.cityofshoreline.com"><img align="left"><a href="http://www.cityofshoreline.com"><img
src="images/washington.jpg" alt="" width="97" height="80" hspace="4" src="images/washington.jpg" alt="" width="97" height="80" hspace="4"
border="0"> border="0">
</a></td> </a></td>
<td valign="middle" width="34%" align="center"> <td valign="middle" width="34%" align="center">
<h1><font color="#ffffff">Shorewall 1.4</font><i><font <h1><font color="#ffffff">Shorewall 1.4</font><i><font
color="#ffffff"> <small><small><small>"iptables made easy"</small></small></small></font></i></h1> color="#ffffff"> <small><small><small>"iptables made easy"</small></small></small></font></i></h1>
</td> </td>
<td valign="middle"> <td valign="middle">
<h1 align="center"><a href="http://www.shorewall.net" <h1 align="center"><a href="http://www.shorewall.net"
target="_top"><br> target="_top"><br>
</a></h1> </a></h1>
<br> <br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
@ -54,11 +55,11 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"> style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody> <tbody>
<tr> <tr>
<td width="90%"> <td width="90%">
@ -70,11 +71,11 @@
<p>The Shoreline Firewall, more commonly known as "Shorewall", is <p>The Shoreline Firewall, more commonly known as "Shorewall", is
a <a a <a
href="http://www.netfilter.org">Netfilter</a> (iptables) href="http://www.netfilter.org">Netfilter</a> (iptables)
based firewall that can be used on a dedicated based firewall that can be used on a dedicated
firewall system, a multi-function gateway/router/server firewall system, a multi-function gateway/router/server
or on a standalone GNU/Linux system.</p> or on a standalone GNU/Linux system.</p>
@ -83,25 +84,25 @@
<p>This program is free software; you can redistribute it and/or modify <p>This program is free software; you can redistribute it and/or modify
it under the terms of <a it under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
GNU General Public License</a> as published by the Free Software General Public License</a> as published by the Free Software
Foundation.<br> Foundation.<br>
<br> <br>
This program is distributed in the This program is distributed in
hope that it will be useful, but WITHOUT the hope that it will be useful, but
ANY WARRANTY; without even the implied WITHOUT ANY WARRANTY; without even
warranty of MERCHANTABILITY or FITNESS the implied warranty of MERCHANTABILITY
FOR A PARTICULAR PURPOSE. See the GNU General or FITNESS FOR A PARTICULAR PURPOSE. See the
Public License for more details.<br> GNU General Public License for more details.<br>
<br> <br>
You should have received a copy You should have received a copy
of the GNU General Public License of the GNU General Public License
along with this program; if not, write along with this program; if not, write
to the Free Software Foundation, to the Free Software Foundation,
Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p> Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
@ -114,171 +115,252 @@ Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
<h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
If so, the documentation<b> </b>on this site will not apply
directly to your setup. If you want to use the documentation that
you find here, you will want to consider uninstalling what you have and
installing a setup that matches the documentation on this site. See
the <a href="two-interface.htm">Two-interface QuickStart Guide</a>
for details.<br>
<h2>Getting Started with Shorewall</h2> <h2>Getting Started with Shorewall</h2>
New to Shorewall? Start by selecting the <a New to Shorewall? Start by selecting the <a
href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most closely href="file:///vfat/Shorewall-docs/shorewall_quickstart_guide.htm">QuickStart
match your environment and follow the step by step instructions.<br> Guide</a> that most closely match your environment and follow
the step by step instructions.<br>
<h2>Looking for Information?</h2>
The <a href="shorewall_quickstart_guide.htm#Documentation">Documentation
Index</a> is a good place to start as is the Quick Search to your right.
<h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
If so, the documentation<b> </b>on this site will not
apply directly to your setup. If you want to use the documentation
that you find here, you will want to consider uninstalling what you have
and installing a setup that matches the documentation on this site.
See the <a href="two-interface.htm">Two-interface QuickStart Guide</a>
for details.
<h2></h2>
<h2><b>News</b></h2> <h2><b>News</b></h2>
<b> </b> <p><b>7/7/2003 - Shorewall-1.4.6 Beta 2</b><b> <img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
<br>
</b></p>
<p><b>7/4/2003 - Shorewall-1.4.6 Beta 1</b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
<br>
</b></p>
<blockquote><a href="http://shorewall.net/pub/shorewall/testing">http://shorewall.net/pub/shorewall/testing</a><br>
<a href="ftp://shorewall.net/pub/shorewall/testing" target="_top">ftp://shorewall.net/pub/shorewall/testing</a><br>
</blockquote>
<p><b>Problems Corrected:</b><br> <p><b>Problems Corrected:</b><br>
</p> </p>
<ol> <ol>
<li>A problem seen on RH7.3 systems where Shorewall encountered <li>A problem seen on RH7.3 systems where Shorewall encountered start
start errors when started using the "service" mechanism has been worked around.<br> errors when started using the "service" mechanism has been worked around.<br>
<br> <br>
</li> </li>
<li>Previously, where a list of IP addresses appears in the DEST <li>Where a list of IP addresses appears in the DEST column of a
column of a DNAT[-] rule, Shorewall incorrectly created multiple DNAT rules DNAT[-] rule, Shorewall incorrectly created multiple DNAT rules in the nat
in the nat table (one for each element in the list). Shorewall now correctly table (one for each element in the list). Shorewall now correctly creates
creates a single DNAT rule with multiple "--to-destination" clauses.<br> a single DNAT rule with multiple "--to-destination" clauses.<br>
</li> <br>
</li>
<li>Corrected a problem in Beta 1 where DNS names containing a "-"
were mis-handled when they appeared in the DEST column of a rule.<br>
</li>
</ol>
<p><b>Migration Issues:</b><br>
</p>
<ol>
<li>In earlier versions, an undocumented feature allowed entries
in the host file as follows:<br>
<br>
    z    eth1:192.168.1.0/24,eth2:192.168.2.0/24<br>
<br>
This capability was never documented and has been removed in 1.4.6 to allow
entries of the following format:<br>
<br>
    z   eth1:192.168.1.0/24,192.168.2.0/24<br>
<br>
</li>
<li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options have been
removed from /etc/shorewall/shorewall.conf. These capabilities are now automatically
detected by Shorewall (see below).<br>
</li>
</ol> </ol>
<p><b>New Features:</b><br> <p><b>New Features:</b><br>
</p> </p>
<ol> <ol>
<li>A 'newnotsyn' interface option has been added. This option <li>A 'newnotsyn' interface option has been added. This option may
may be specified in /etc/shorewall/interfaces and overrides the setting be specified in /etc/shorewall/interfaces and overrides the setting NEWNOTSYN=No
NEWNOTSYN=No for packets arriving on the associated interface.<br> for packets arriving on the associated interface.<br>
<br> <br>
</li> </li>
<li>The means for specifying a range of IP addresses in /etc/shorewall/masq <li>The means for specifying a range of IP addresses in /etc/shorewall/masq
to use for SNAT is now documented. ADD_SNAT_ALIASES=Yes is enabled for address to use for SNAT is now documented. ADD_SNAT_ALIASES=Yes is enabled for address
ranges.<br> ranges.<br>
<br> <br>
</li> </li>
<li>Shorewall can now add IP addresses to subnets other than the <li>Shorewall can now add IP addresses to subnets other than the
first one on an interface.<br> first one on an interface.<br>
<br> <br>
</li> </li>
<li>DNAT[-] rules may now be used to load balance (round-robin) <li>DNAT[-] rules may now be used to load balance (round-robin) over
over a set of servers. Up to 256 servers may be specified in a range of addresses a set of servers. Servers may be specified in a range of addresses given
given as &lt;first address&gt;-&lt;last address&gt;.<br> as &lt;first address&gt;-&lt;last address&gt;.<br>
<br> <br>
Example:<br> Example:<br>
<br> <br>
    DNAT net loc:192.168.10.2-192.168.10.5 tcp 80<br>     DNAT net loc:192.168.10.2-192.168.10.5 tcp 80<br>
<br> <br>
Note that this capability has previously been available using a combination </li>
of a DNAT- rule and one or more ACCEPT rules. That technique is still preferable <li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration options
for load-balancing over a large number of servers (&gt; 16) since specifying have been removed and have been replaced by code that detects whether these
a range in the DNAT rule causes one filter table ACCEPT rule to be generated capabilities are present in the current kernel. The output of the start,
for each IP address in the range.<br> restart and check commands have been enhanced to report the outcome:<br>
<br> <br>
</li> Shorewall has detected the following iptables/netfilter capabilities:<br>
<li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration    NAT: Available<br>
options have been removed and have been replaced by code that detects whether    Packet Mangling: Available<br>
these capabilities are present in the current kernel. The output of the start,    Multi-port Match: Available<br>
restart and check commands have been enhanced to report the outcome:<br> Verifying Configuration...<br>
<br> <br>
Shorewall has detected the following iptables/netfilter capabilities:<br> </li>
   NAT: Available<br> <li>Support for the Connection Tracking Match Extension has been
   Packet Mangling: Available<br> added. This extension is available in recent kernel/iptables releases and
   Multi-port Match: Available<br> allows for rules which match against elements in netfilter's connection
Verifying Configuration...<br>
<br>
</li>
<li>Support for the Connection Tracking Match Extension has been
added. This extension is available in recent kernel/iptables releases and
allows for rules which match against elements in netfilter's connection
tracking table. Shorewall automatically detects the availability of this tracking table. Shorewall automatically detects the availability of this
extension and reports its availability in the output of the start, restart extension and reports its availability in the output of the start, restart
and check commands.<br> and check commands.<br>
<br> <br>
Shorewall has detected the following iptables/netfilter capabilities:<br> Shorewall has detected the following iptables/netfilter capabilities:<br>
   NAT: Available<br>    NAT: Available<br>
   Packet Mangling: Available<br>    Packet Mangling: Available<br>
   Multi-port Match: Available<br>    Multi-port Match: Available<br>
   Connection Tracking Match: Available<br>    Connection Tracking Match: Available<br>
   Verifying Configuration...<br> Verifying Configuration...<br>
<br> <br>
If this extension is available, the ruleset generated by Shorewall is If this extension is available, the ruleset generated by Shorewall is changed
changed in the following ways:</li> in the following ways:</li>
<ul> <ul>
<li>To handle 'norfc1918' filtering, Shorewall will not create <li>To handle 'norfc1918' filtering, Shorewall will not create
chains in the mangle table but will rather do all 'norfc1918' filtering chains in the mangle table but will rather do all 'norfc1918' filtering
in the filter table (rfc1918 chain).</li> in the filter table (rfc1918 chain).</li>
<li>Recall that Shorewall DNAT rules generate two netfilter rules; <li>Recall that Shorewall DNAT rules generate two netfilter rules;
one in the nat table and one in the filter table. If the Connection Tracking one in the nat table and one in the filter table. If the Connection Tracking
Match Extension is available, the rule in the filter table is extended to Match Extension is available, the rule in the filter table is extended to
check that the original destination address was the same as specified (or check that the original destination address was the same as specified (or
defaulted to) in the DNAT rule.<br> defaulted to) in the DNAT rule.<br>
<br> <br>
</li> </li>
</ul> </ul>
<li>The shell used to interpret the firewall script (/usr/share/shorewall/firewall) <li>The shell used to interpret the firewall script (/usr/share/shorewall/firewall)
may now be specified using the SHOREWALL_SHELL parameter in shorewall.conf.</li> may now be specified using the SHOREWALL_SHELL parameter in shorewall.conf.<br>
<br>
</li>
<li>An 'ipcalc' command has been added to /sbin/shorewall.<br>
<br>
      ipcalc [ &lt;address&gt; &lt;netmask&gt; | &lt;address&gt;/&lt;vlsm&gt;
]<br>
<br>
Examples:<br>
<br>
      [root@wookie root]# shorewall ipcalc 192.168.1.0/24<br>
         CIDR=192.168.1.0/24<br>
         NETMASK=255.255.255.0<br>
         NETWORK=192.168.1.0<br>
         BROADCAST=192.168.1.255<br>
      [root@wookie root]#<br>
<br>
      [root@wookie root]# shorewall ipcalc 192.168.1.0 255.255.255.0<br>
         CIDR=192.168.1.0/24<br>
         NETMASK=255.255.255.0<br>
         NETWORK=192.168.1.0<br>
         BROADCAST=192.168.1.255<br>
      [root@wookie root]#<br>
<br>
Warning:<br>
<br>
If your shell only supports 32-bit signed arithmatic (ash or dash), then
the ipcalc command produces incorrect information for IP addresses 128.0.0.0-1
and for /1 networks. Bash should produce correct information for all valid
IP addresses.<br>
<br>
</li>
<li>An 'iprange' command has been added to /sbin/shorewall. <br>
<br>
      iprange &lt;address&gt;-&lt;address&gt;<br>
<br>
This command decomposes a range of IP addressses into a list of network
and host addresses. The command can be useful if you need to construct an
efficient set of rules that accept connections from a range of network addresses.<br>
<br>
Note: If your shell only supports 32-bit signed arithmetic (ash or dash)
then the range may not span 128.0.0.0.<br>
<br>
Example:<br>
<br>
      [root@gateway root]# shorewall iprange 192.168.1.4-192.168.12.9<br>
      192.168.1.4/30<br>
      192.168.1.8/29<br>
      192.168.1.16/28<br>
      192.168.1.32/27<br>
      192.168.1.64/26<br>
      192.168.1.128/25<br>
      192.168.2.0/23<br>
      192.168.4.0/22<br>
      192.168.8.0/22<br>
      192.168.12.0/29<br>
      192.168.12.8/31<br>
      [root@gateway root]#<br>
<br>
</li>
<li>A list of host/net addresses is now allowed in an entry in /etc/shorewall/hosts.<br>
<br>
Example:<br>
<br>
    foo    eth1:192.168.1.0/24,192.168.2.0/24</li>
</ol>
<b> </b>
<ol>
</ol> </ol>
<p><b>6/17/2003 - Shorewall-1.4.5</b><b> </b></p> <p><b>6/17/2003 - Shorewall-1.4.5</b><b> </b></p>
<p>Problems Corrected:<br> <p>Problems Corrected:<br>
</p> </p>
<ol> <ol>
<li>The command "shorewall debug try &lt;directory&gt;" now correctly <li>The command "shorewall debug try &lt;directory&gt;" now
traces the attempt.</li> correctly traces the attempt.</li>
<li>The INCLUDE directive now works properly in the zones file; <li>The INCLUDE directive now works properly in the zones
previously, INCLUDE in that file was ignored.</li> file; previously, INCLUDE in that file was ignored.</li>
<li>/etc/shorewall/routestopped records with an empty second <li>/etc/shorewall/routestopped records with an empty second
column are no longer ignored.<br> column are no longer ignored.<br>
</li> </li>
</ol> </ol>
<p>New Features:<br> <p>New Features:<br>
</p> </p>
<ol> <ol>
<li>The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-] rule <li>The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-] rule
may now contain a list of addresses. If the list begins with "!' then the may now contain a list of addresses. If the list begins with "!' then
rule will take effect only if the original destination address in the connection the rule will take effect only if the original destination address in
request does not match any of the addresses listed.</li> the connection request does not match any of the addresses listed.</li>
</ol> </ol>
<p><b>6/15/2003 - Shorewall, Kernel 2.4.21 and iptables 1.2.8</b><b> <p><b>6/15/2003 - Shorewall, Kernel 2.4.21 and iptables 1.2.8</b><b>
</b></p> </b></p>
The firewall at shorewall.net has been upgraded to the 2.4.21 kernel The firewall at shorewall.net has been upgraded to the 2.4.21 kernel
and iptables 1.2.8 (using the "official" RPM from netfilter.org). No problems and iptables 1.2.8 (using the "official" RPM from netfilter.org). No
have been encountered with this set of software. The Shorewall version problems have been encountered with this set of software. The Shorewall
is 1.4.4b plus the accumulated changes for 1.4.5. version is 1.4.4b plus the accumulated changes for 1.4.5.
<p><b>6/8/2003 - Updated Samples</b><b> </b></p> <p><b>6/8/2003 - Updated Samples</b><b> </b></p>
<p>Thanks to Francesca Smith, the samples have been updated to Shorewall <p>Thanks to Francesca Smith, the samples have been updated to Shorewall
version 1.4.4.</p> version 1.4.4.</p>
<p><b></b></p> <p><b></b></p>
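Review bot: the new-side QuickStart Guide link in the `Getting Started with Shorewall` paragraph now points at `file:///vfat/Shorewall-docs/shorewall_quickstart_guide.htm`, a path on the author's own machine, where the old side used the relative `shorewall_quickstart_guide.htm`; restore the relative URL, otherwise the link is dead for every reader of the published site. Smaller points in the same hunk: the empty `<h2></h2>` before the News heading and the stray `<b> </b>` plus empty `<ol></ol>` after the 1.4.6 feature list are leftover markup and should be dropped; `arithmatic` (ipcalc warning) and `addressses` (iprange description) are misspellings; and `that most closely match your environment` should read `matches`.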
@ -296,6 +378,7 @@ is 1.4.4b plus the accumulated changes for 1.4.5.
<p><b></b></p> <p><b></b></p>
<blockquote> <blockquote>
@ -306,25 +389,26 @@ is 1.4.4b plus the accumulated changes for 1.4.5.
</ol> </ol>
</blockquote> </blockquote>
<p><a href="file:///Z:/Shorewall-docs/News.htm"></a></p> <p><a href="file:///Z:/Shorewall-docs/News.htm"></a></p>
<b> </b> <b> </b>
<p><b><a href="News.htm">More News</a></b></p> <p><b><a href="News.htm">More News</a></b></p>
<b> </b> <b> </b>
<h2><b> </b></h2> <h2><b> </b></h2>
<b> </b> <b> </b>
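Review bot: the empty anchor `<a href="file:///Z:/Shorewall-docs/News.htm"></a>` just above the `More News` link is carried forward unchanged; it has no link text and points at a local Z: drive path, so it should be deleted rather than kept, along with the surrounding `<b> </b>` and `<h2><b> </b></h2>` placeholders that render nothing.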
@ -333,46 +417,47 @@ is 1.4.4b plus the accumulated changes for 1.4.5.
border="0" src="images/leaflogo.gif" width="49" height="36" border="0" src="images/leaflogo.gif" width="49" height="36"
alt="(Leaf Logo)"> alt="(Leaf Logo)">
</a>Jacques Nilo and Eric Wolzak </a>Jacques Nilo and Eric Wolzak
have a LEAF (router/firewall/gateway have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution on a floppy, CD or compact flash) distribution
called <i>Bering</i> that features called <i>Bering</i> that features
Shorewall-1.4.2 and Kernel-2.4.20. You Shorewall-1.4.2 and Kernel-2.4.20. You
can find their work at: <a can find their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p> href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
<b>Congratulations to Jacques and <b>Congratulations to Jacques
Eric on the recent release of Bering 1.2!!! and Eric on the recent release of Bering 1.2!!!
</b><br> </b><br>
<h1 align="center"><b><a href="http://www.sf.net"><img <h1 align="center"><b><a href="http://www.sf.net"><img
align="left" alt="SourceForge Logo" align="left" alt="SourceForge Logo"
src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3"> src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3">
</a></b></h1> </a></b></h1>
<b> </b> <b> </b>
<h4><b> </b></h4> <h4><b> </b></h4>
<b> </b> <b> </b>
<h2><b>This site is hosted by the generous folks at <a <h2><b>This site is hosted by the generous folks at <a
href="http://www.sf.net">SourceForge.net</a> </b></h2> href="http://www.sf.net">SourceForge.net</a> </b></h2>
<b> </b> <b> </b>
<h2><b><a name="Donations"></a>Donations</b></h2> <h2><b><a name="Donations"></a>Donations</b></h2>
<b> </b></td> <b> </b></td>
<td width="88" bgcolor="#4b017c" <td width="88" bgcolor="#4b017c"
valign="top" align="center"> valign="top" align="center">
@ -382,58 +467,59 @@ is 1.4.4b plus the accumulated changes for 1.4.5.
<p><strong><br> <p><strong><br>
<font color="#ffffff"><b>Note: </b></font></strong> <font color="#ffffff"><b>Note: </b></font></strong>
<font color="#ffffff">Search is unavailable Daily 0200-0330 <font color="#ffffff">Search is unavailable Daily
GMT.</font><br> 0200-0330 GMT.</font><br>
 </p>  </p>
<p><font color="#ffffff"><strong>Quick Search</strong></font><br> <p><font color="#ffffff"><strong>Quick Search</strong></font><br>
<font face="Arial" size="-1"> <input <font face="Arial" size="-1">
type="text" name="words" size="15"></font><font size="-1"> </font><font <input type="text" name="words" size="15"></font><font
face="Arial" size="-1"> <input type="hidden" name="format" size="-1"> </font><font face="Arial" size="-1"> <input
value="long"> <input type="hidden" name="method" value="and"> type="hidden" name="format" value="long"> <input
<input type="hidden" name="config" value="htdig"> <input type="hidden" name="method" value="and"> <input type="hidden"
type="submit" value="Search"></font> </p> name="config" value="htdig"> <input type="submit"
<font face="Arial"> <input value="Search"></font> </p>
<font face="Arial"> <input
type="hidden" name="exclude" type="hidden" name="exclude"
value="[http://lists.shorewall.net/pipermail/*]"> </font> value="[http://lists.shorewall.net/pipermail/*]"> </font>
</form> </form>
<p><font color="#ffffff"><b> <a <p><font color="#ffffff"><b> <a
href="http://lists.shorewall.net/htdig/search.html"> <font href="http://lists.shorewall.net/htdig/search.html"> <font
color="#ffffff">Extended Search</font></a></b></font></p> color="#ffffff">Extended Search</font></a></b></font></p>
<a target="_top" <a target="_top"
href="file:///vfat/Shorewall-docs/1.3/index.html"><font color="#ffffff"> href="file:///vfat/Shorewall-docs/1.3/index.html"><font color="#ffffff">
</font></a><a target="_top" </font></a><a target="_top"
href="http://www1.shorewall.net/1.2/index.htm"><font color="#ffffff"><small><small><small></small></small></small></font></a><br> href="http://www1.shorewall.net/1.2/index.htm"><font color="#ffffff"><small><small><small></small></small></small></font></a><br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</center> </center>
</div> </div>
<table border="0" cellpadding="5" cellspacing="0" <table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2" style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td width="100%" style="margin-top: 1px;"> <td width="100%" style="margin-top: 1px;">
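Review bot: the two anchors at the end of the search cell are dead markup and one of them leaks a local path: `<a target="_top" href="file:///vfat/Shorewall-docs/1.3/index.html">` points at a file:// URL on the author's own disk and has only a blank `<font>` as link text, and the following `<a href="http://www1.shorewall.net/1.2/index.htm">` contains nothing but empty nested `<small>` tags. Neither renders as a visible link, so either drop both elements or give them real link text with public URLs. This hunk re-wraps the surrounding form markup but carries those lines through unchanged.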
@ -442,22 +528,22 @@ is 1.4.4b plus the accumulated changes for 1.4.5.
border="4" src="images/newlog.gif" width="57" height="100" align="left" border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10"> hspace="10">
</a></p> </a></p>
<p align="center"><font size="4" color="#ffffff"><br> <p align="center"><font size="4" color="#ffffff"><br>
<font size="+2">Shorewall is free but if you try it and <font size="+2">Shorewall is free but if you try it
find it useful, please consider making a donation and find it useful, please consider making a donation
to <a to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight Children's href="http://www.starlight.org"><font color="#ffffff">Starlight Children's
Foundation.</font></a> Thanks!</font></font></p> Foundation.</font></a> Thanks!</font></font></p>
</td> </td>
</tr> </tr>
@ -465,11 +551,8 @@ is 1.4.4b plus the accumulated changes for 1.4.5.
</table> </table>
<p><font size="2">Updated 7/4/2003 - <a href="support.htm">Tom Eastep</a></font> <p><font size="2">Updated 7/7/2003 - <a href="support.htm">Tom Eastep</a></font>
<br> <br>
</p> </p>
<br>
<br>
<br>
</body> </body>
</html> </html>

View File

@ -14,166 +14,149 @@
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tbody> <tr>
<tr> <td width="100%">
<td width="100%">
<h1 align="center"><font color="#ffffff">Starting/Stopping and Monitoring <h1 align="center"><font color="#ffffff">Starting/Stopping and Monitoring
the Firewall</font></h1> the Firewall</font></h1>
</td>
</td> </tr>
</tr>
</tbody> </tbody>
</table> </table>
<p> If you have a permanent internet connection such as DSL or Cable, <p> If you have a permanent internet connection such as DSL or Cable,
I recommend that you start the firewall automatically at boot. I recommend that you start the firewall automatically at boot.
Once you have installed "firewall" in your init.d directory, simply Once you have installed "firewall" in your init.d directory, simply
type "chkconfig --add firewall". This will start the firewall type "chkconfig --add firewall". This will start the firewall
in run levels 2-5 and stop it in run levels 1 and 6. If you want in run levels 2-5 and stop it in run levels 1 and 6. If you want to
to configure your firewall differently from this default, you can configure your firewall differently from this default, you can use
use the "--level" option in chkconfig (see "man chkconfig") or using the "--level" option in chkconfig (see "man chkconfig") or using your
your favorite graphical run-level editor.</p> favorite graphical run-level editor.</p>
<p><strong><u> <font color="#000099"> Important Notes:</font></u></strong><br> <p><strong><u> <font color="#000099"> Important Notes:</font></u></strong><br>
</p> </p>
<ol> <ol>
<li>Shorewall startup is disabled by default. Once you have <li>Shorewall startup is disabled by default. Once you have
configured your firewall, you can enable startup by removing the file configured your firewall, you can enable startup by removing the file
/etc/shorewall/startup_disabled. Note: Users of the .deb package must /etc/shorewall/startup_disabled. Note: Users of the .deb package must
edit /etc/default/shorewall and set 'startup=1'.<br> edit /etc/default/shorewall and set 'startup=1'.<br>
</li> </li>
<li>If you use dialup, you may want to start the firewall <li>If you use dialup, you may want to start the firewall
in your /etc/ppp/ip-up.local script. I recommend just placing in your /etc/ppp/ip-up.local script. I recommend just placing "shorewall
"shorewall restart" in that script.</li> restart" in that script.</li>
</ol> </ol>
<p> <p> </p>
</p>
<p> You can manually start and stop Shoreline Firewall using the "shorewall" <p> You can manually start and stop Shoreline Firewall using the "shorewall"
shell program: </p> shell program: </p>
<ul> <ul>
<li>shorewall start - starts the firewall</li> <li>shorewall start - starts the firewall</li>
<li>shorewall stop - stops the firewall</li> <li>shorewall stop - stops the firewall</li>
<li>shorewall restart - stops the firewall (if it's <li>shorewall restart - stops the firewall (if it's
running) and then starts it again</li> running) and then starts it again</li>
<li>shorewall reset - reset the packet and byte counters <li>shorewall reset - reset the packet and byte counters
in the firewall</li> in the firewall</li>
<li>shorewall clear - remove all rules and chains <li>shorewall clear - remove all rules and chains installed
installed by Shoreline Firewall</li> by Shoreline Firewall</li>
<li>shorewall refresh - refresh the rules involving the broadcast <li>shorewall refresh - refresh the rules involving the
addresses of firewall interfaces, <a broadcast addresses of firewall interfaces, <a
href="blacklisting_support.htm">the black list</a>, <a href="blacklisting_support.htm">the black list</a>, <a
href="traffic_shaping.htm">traffic control rules</a> and <a href="traffic_shaping.htm">traffic control rules</a> and <a
href="ECN.html">ECN control rules</a>.</li> href="ECN.html">ECN control rules</a>.</li>
</ul> </ul>
If you include the keyword <i>debug</i> as the first argument, then If you include the keyword <i>debug</i> as the first argument, then
a shell trace of the command is produced as in:<br> a shell trace of the command is produced as in:<br>
<pre> <font color="#009900"><b>shorewall debug start 2&gt; /tmp/trace</b></font><br></pre> <pre> <font color="#009900"><b>shorewall debug start 2&gt; /tmp/trace</b></font><br></pre>
<p>The above command would trace the 'start' command and place the trace information
in the file /tmp/trace<br>
</p>
<p>The above command would trace the 'start' command and place the trace
information in the file /tmp/trace<br>
</p>
<p>The <a href="#StateDiagram">Shorewall State Diagram</a> is shown at the <p>The <a href="#StateDiagram">Shorewall State Diagram</a> is shown at the
bottom of this page.<br> bottom of this page.<br>
</p> </p>
<p>The "shorewall" program may also be used to monitor the firewall.</p> <p>The "shorewall" program may also be used to monitor the firewall.</p>
<ul> <ul>
<li>shorewall status - produce a verbose report about the <li>shorewall status - produce a verbose report about the
firewall (iptables -L -n -v)</li> firewall (iptables -L -n -v)</li>
<li>shorewall show <i>chain</i> - produce a verbose report <li>shorewall show <i>chain</i> - produce a verbose report
about <i>chain </i>(iptables -L <i>chain</i> -n -v)</li> about <i>chain </i>(iptables -L <i>chain</i> -n -v)</li>
<li>shorewall show nat - produce a verbose report about the <li>shorewall show nat - produce a verbose report about
nat table (iptables -t nat -L -n -v)</li> the nat table (iptables -t nat -L -n -v)</li>
<li>shorewall show tos - produce a verbose report about the <li>shorewall show tos - produce a verbose report about
mangle table (iptables -t mangle -L -n -v)</li> the mangle table (iptables -t mangle -L -n -v)</li>
<li>shorewall show log - display the last 20 packet log entries.</li> <li>shorewall show log - display the last 20 packet log
<li>shorewall show connections - displays the IP connections entries.</li>
<li>shorewall show connections - displays the IP connections
currently being tracked by the firewall.</li> currently being tracked by the firewall.</li>
<li>shorewall <li>shorewall show
show
tc - displays tc - displays
information about the traffic control/shaping configuration.</li> information about the traffic control/shaping configuration.</li>
<li>shorewall monitor [ delay ] - Continuously display the <li>shorewall monitor [ delay ] - Continuously display the
firewall status, last 20 log entries and nat. When the log firewall status, last 20 log entries and nat. When the log
entry display changes, an audible alarm is sounded.</li> entry display changes, an audible alarm is sounded.</li>
<li>shorewall hits - Produces several reports about the Shorewall <li>shorewall hits - Produces several reports about the
packet log messages in the current /var/log/messages file.</li> Shorewall packet log messages in the current /var/log/messages
<li>shorewall version - Displays the installed version file.</li>
<li>shorewall version - Displays the installed version
number.</li> number.</li>
<li>shorewall check - Performs a <u>cursory</u> validation of the <li>shorewall check - Performs a <u>cursory</u> validation of the
zones, interfaces, hosts, rules and policy files.<br> zones, interfaces, hosts, rules and policy files.<br>
<br> <br>
<font size="4" color="#ff6666"><b>The "check" command is totally unsuppored <font size="4" color="#ff6666"><b>The "check" command is totally unsuppored
and does not parse and validate the generated iptables commands. Even and does not parse and validate the generated iptables commands.
though the "check" command completes successfully, the configuration Even though the "check" command completes successfully, the configuration
may fail to start. Problem reports that complain about errors that the 'check' may fail to start. Problem reports that complain about errors that the 'check'
command does not detect will not be accepted.<br> command does not detect will not be accepted.<br>
<br>
See the recommended way to make configuration changes described below.</b></font><br>
<br> <br>
See the recommended way to make configuration changes described below.</b></font><br> </li>
<br> <li>shorewall try<i> configuration-directory</i> [<i> timeout</i>
</li> ] - Restart shorewall using the specified configuration and if
<li>shorewall try<i> configuration-directory</i> [<i> timeout</i> an error occurs or if the<i> timeout </i> option is given and the
] - Restart shorewall using the specified configuration and if an new configuration has been up for that many seconds then shorewall
error occurs or if the<i> timeout </i> option is given and the new is restarted using the standard configuration.</li>
configuration has been up for that many seconds then shorewall is <li>shorewall deny, shorewall reject, shorewall accept and
restarted using the standard configuration.</li>
<li>shorewall deny, shorewall reject, shorewall accept and
shorewall save implement <a href="blacklisting_support.htm">dynamic shorewall save implement <a href="blacklisting_support.htm">dynamic
blacklisting</a>.</li> blacklisting</a>.</li>
<li>shorewall logwatch (added in version 1.3.2) - Monitors <li>shorewall logwatch (added in version 1.3.2) - Monitors
the <a href="#Conf">LOGFILE </a>and produces an audible alarm when the <a href="#Conf">LOGFILE </a>and produces an audible alarm when
new Shorewall messages are logged.</li> new Shorewall messages are logged.</li>
</ul> </ul>
Finally, the "shorewall" program may be used to dynamically alter Beginning with Shorewall 1.4.6, /sbin/shorewall supports a couple of commands
the contents of a zone.<br> for dealing with IP addresses and IP address ranges:<br>
<ul>
<li>shorewall ipcalc [ <i>address mask </i>| <i>address/vlsm</i> ] - displays
the network address, broadcast address, network in CIDR notation and netmask
corresponding to the input[s].</li>
<li>shorewall iprange <i>address1-address2</i> - Decomposes the specified
range of IP addresses into the equivalent list of network/host addresses.
<br>
</li>
</ul>
Finally, the "shorewall" program may be used to dynamically alter the
contents of a zone.<br>
<ul> <ul>
<li>shorewall add <i>interface</i>[:<i>host]</i> <i>zone </i>- <li>shorewall add <i>interface</i>[:<i>host]</i> <i>zone </i>-
Adds the specified interface (and host if included) to the specified Adds the specified interface (and host if included) to the specified zone.</li>
zone.</li> <li>shorewall delete <i>interface</i>[:<i>host]</i> <i>zone
<li>shorewall delete <i>interface</i>[:<i>host]</i> <i>zone </i>- </i>- Deletes the specified interface (and host if included) from
Deletes the specified interface (and host if included) from the specified the specified zone.</li>
zone.</li>
</ul> </ul>
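Review bot: the re-wrapped "check" warning still reads "totally unsuppored"; since this hunk re-flows that sentence anyway, change it to "unsupported" here. Two smaller points in the same hunk: the new entry `shorewall ipcalc [ address mask | address/vlsm ]` uses square brackets, which elsewhere in this list mark an optional argument (`monitor [ delay ]`, `try configuration-directory [ timeout ]`), but ipcalc requires one of the two forms, so braces or plain alternation would read correctly; and the trace example `shorewall debug start 2> /tmp/trace` sends root's shell trace to a fixed name in the world-writable /tmp, so a sentence suggesting a root-owned directory (or a mktemp-created file) would keep the example safe on multi-user hosts.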
@ -181,26 +164,21 @@ zone.</li>
<blockquote><font color="#009900"><b>shorewall add ipsec0:192.0.2.24 vpn1</b></font> <blockquote><font color="#009900"><b>shorewall add ipsec0:192.0.2.24 vpn1</b></font>
-- adds the address 192.0.2.24 from interface ipsec0 to the zone vpn1<br> -- adds the address 192.0.2.24 from interface ipsec0 to the zone vpn1<br>
<font color="#009900"><b> shorewall delete ipsec0:192.0.2.24 <font color="#009900"><b> shorewall delete ipsec0:192.0.2.24
vpn1</b></font> -- deletes the address 192.0.2.24 from interface ipsec0 vpn1</b></font> -- deletes the address 192.0.2.24 from interface ipsec0
from zone vpn1<br> from zone vpn1<br>
</blockquote> </blockquote>
</blockquote> </blockquote>
<p> The <b>shorewall start</b>, <b>shorewall restart, shorewall check, </b>and <p> The <b>shorewall start</b>, <b>shorewall restart, shorewall check, </b>and
<b>shorewall try </b>commands allow you to specify which <a <b>shorewall try </b>commands allow you to specify which <a
href="configuration_file_basics.htm#Configs"> Shorewall configuration</a> href="configuration_file_basics.htm#Configs"> Shorewall configuration</a>
to use:</p> to use:</p>
<blockquote> <blockquote>
<p> shorewall [ -c <i>configuration-directory</i> ] {start|restart|check}<br> <p> shorewall [ -c <i>configuration-directory</i> ] {start|restart|check}<br>
shorewall try <i>configuration-directory</i></p> shorewall try <i>configuration-directory</i></p>
</blockquote> </blockquote>
<p> If a <i>configuration-directory</i> is specified, each time that Shorewall <p> If a <i>configuration-directory</i> is specified, each time that Shorewall
is going to use a file in /etc/shorewall it will first look in the is going to use a file in /etc/shorewall it will first look in the
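Review bot: the synopsis `shorewall try configuration-directory` in the blockquote drops the optional `[ timeout ]` argument that the command list above documents for `try`; add it so the two descriptions agree, since the state-transition table further down also distinguishes the "unsuccessful" and "timeout" cases for that command.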
@ -208,134 +186,109 @@ from zone vpn1<br>
that file will be used; otherwise, the file in /etc/shorewall will be that file will be used; otherwise, the file in /etc/shorewall will be
used.</p> used.</p>
<p> When changing the configuration of a production firewall, I recommend <p> When changing the configuration of a production firewall, I recommend
the following:</p> the following:</p>
<ul> <ul>
<li><font color="#009900"><b>mkdir /etc/test</b></font></li>
<li><font color="#009900"><b>mkdir /etc/test</b></font></li> <li><font color="#009900"><b>cd /etc/test</b></font></li>
<li>&lt;copy any files that you need to change
<li><font color="#009900"><b>cd /etc/test</b></font></li> from /etc/shorewall to . and change them here&gt;</li>
<li><font color="#009900"><b>shorewall -c . check</b></font></li>
<li>&lt;copy any files that you need to change from <li>&lt;correct any errors found by check and check again&gt;</li>
/etc/shorewall to . and change them here&gt;</li> <li><font
<li><font color="#009900"><b>shorewall -c . check</b></font></li> color="#009900"><b>/sbin/shorewall try .</b></font></li>
<li>&lt;correct any errors found by check and check again&gt;</li>
<li><font color="#009900"><b>/sbin/shorewall
try .</b></font></li>
</ul> </ul>
<p> If the configuration starts but doesn't work, just "shorewall restart" <p> If the configuration starts but doesn't work, just "shorewall restart"
to restore the old configuration. If the new configuration fails to restore the old configuration. If the new configuration fails to
to start, the "try" command will automatically start the old one for start, the "try" command will automatically start the old one for you.</p>
you.</p>
<p> When the new configuration works then just </p> <p> When the new configuration works then just </p>
<ul> <ul>
<li><font color="#009900"><b>cp * /etc/shorewall</b></font></li>
<li><font color="#009900"><b>cp * /etc/shorewall</b></font></li> <li><font color="#009900"><b>cd</b></font></li>
<li><font color="#009900"><b>rm -rf /etc/test</b></font></li>
<li><font color="#009900"><b>cd</b></font></li>
<li><font color="#009900"><b>rm -rf /etc/test</b></font></li>
</ul> </ul>
<p><a name="StateDiagram"></a>The Shorewall State Diargram is depicted below.<br> <p><a name="StateDiagram"></a>The Shorewall State Diargram is depicted below.<br>
</p> </p>
<div align="center"><img src="images/State_Diagram.png" <div align="center"><img src="images/State_Diagram.png"
alt="(State Diagram)" width="747" height="714" align="middle"> alt="(State Diagram)" width="747" height="714" align="middle">
<br> <br>
</div> </div>
<p>  <br> <p>  <br>
</p> </p>
You will note that the commands that result in state transitions You will note that the commands that result in state transitions
use the word "firewall" rather than "shorewall". That is because the actual use the word "firewall" rather than "shorewall". That is because the actual
transitions are done by /usr/lib/shorewall/firewall (/usr/share/shorewall/firewall transitions are done by /usr/lib/shorewall/firewall (/usr/share/shorewall/firewall
on Debian); /sbin/shorewall runs 'firewall" according to the following table:<br> on Debian); /sbin/shorewall runs 'firewall" according to the following
<br> table:<br>
<br>
<table cellpadding="2" cellspacing="2" border="1"> <table cellpadding="2" cellspacing="2" border="1">
<tbody> <tbody>
<tr> <tr>
<td valign="top">shorewall start<br> <td valign="top">shorewall start<br>
</td> </td>
<td valign="top">firewall start<br> <td valign="top">firewall start<br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top">shorewall stop<br> <td valign="top">shorewall stop<br>
</td> </td>
<td valign="top">firewall stop<br> <td valign="top">firewall stop<br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top">shorewall restart<br> <td valign="top">shorewall restart<br>
</td> </td>
<td valign="top">firewall restart<br> <td valign="top">firewall restart<br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top">shorewall add<br> <td valign="top">shorewall add<br>
</td> </td>
<td valign="top">firewall add<br> <td valign="top">firewall add<br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top">shorewall delete<br> <td valign="top">shorewall delete<br>
</td> </td>
<td valign="top">firewall delete<br> <td valign="top">firewall delete<br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top">shorewall refresh<br> <td valign="top">shorewall refresh<br>
</td> </td>
<td valign="top">firewall refresh<br> <td valign="top">firewall refresh<br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top">shorewall try<br> <td valign="top">shorewall try<br>
</td> </td>
<td valign="top">firewall -c &lt;new configuration&gt; restart<br> <td valign="top">firewall -c &lt;new configuration&gt; restart<br>
If unsuccessful then firewall start (standard configuration)<br> If unsuccessful then firewall start (standard configuration)<br>
If timeout then firewall restart (standard configuration)<br> If timeout then firewall restart (standard configuration)<br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br> <br>
<p><font size="2"> Updated 2/27/2003 - <a href="support.htm">Tom Eastep</a> <p><font size="2"> Updated 7/6/2003 - <a href="support.htm">Tom Eastep</a>
</font></p> </font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p> </p>
<br>
<br> <br>
</body> </body>
</html> </html>
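Review bot: two typos survive the reflow in this hunk: "State Diargram" should be "State Diagram", and `runs 'firewall" according to` mixes a single and a double quote. Separately, the recommended change procedure copies the test directory back with `cp * /etc/shorewall`, which will also copy any scratch or backup files left in /etc/test into the live configuration directory; a sentence telling the reader to copy only the files they edited (or to check the directory contents first) would avoid that.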

View File

@ -13,47 +13,49 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td <td
width="100%"> width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Support Guide<img <h1 align="center"><font color="#ffffff">Shorewall Support Guide<img
src="images/obrasinf.gif" alt="" width="90" height="90" align="middle"> src="images/obrasinf.gif" alt="" width="90" height="90" align="middle">
</font></h1> </font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<h2>Before Reporting a Problem or Asking a Question<br> <h2>Before Reporting a Problem or Asking a Question<br>
</h2> </h2>
There There
are a number of sources of Shorewall information. Please try are a number of sources of Shorewall information. Please try
these before you post. these before you post.
<ul> <ul>
<li>Shorewall versions earlier <li>Shorewall versions
that 1.3.0 are no longer supported.<br> earlier that 1.3.0 are no longer supported.<br>
</li> </li>
<li>More than half of the questions posted on the support <li>More than half of the questions posted on the support
list have answers directly accessible from the <a list have answers directly accessible from the <a
href="http://www.shorewall.net/shorewall_quickstart_guide.htm#Documentation">Documentation href="http://www.shorewall.net/shorewall_quickstart_guide.htm#Documentation">Documentation
Index</a><br> Index</a><br>
</li> </li>
<li> <li>
The <a href="http://www.shorewall.net/FAQ.htm">FAQ</a> has The <a href="http://www.shorewall.net/FAQ.htm">FAQ</a>
solutions to more than 20 common problems. </li> has solutions to more than 20 common problems.
</li>
<li>
The <a href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a>
Information contains a number of tips to
help you solve common problems. </li>
<li> The <li> The
<a href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a> <a href="http://www.shorewall.net/errata.htm"> Errata</a> has links
Information contains a number of tips to help to download updated components. </li>
you solve common problems. </li> <li>
<li> The The Site and Mailing List Archives search facility can
<a href="http://www.shorewall.net/errata.htm"> Errata</a> has locate documents and posts about similar problems:
links to download updated components. </li> </li>
<li> The
Site and Mailing List Archives search facility can locate
documents and posts about similar problems: </li>
</ul> </ul>
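Review bot: "Shorewall versions earlier that 1.3.0" should read "earlier than 1.3.0"; this hunk re-wraps that bullet, so fix it in the same pass.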
@ -69,13 +71,13 @@ links to download updated components. </li>
<option value="or">Any </option> <option value="or">Any </option>
<option value="boolean">Boolean </option> <option value="boolean">Boolean </option>
</select> </select>
Format: Format:
<select name="format"> <select name="format">
<option value="builtin-long">Long </option> <option value="builtin-long">Long </option>
<option value="builtin-short">Short </option> <option value="builtin-short">Short </option>
</select> </select>
Sort by: Sort by:
<select name="sort"> <select name="sort">
<option value="score">Score </option> <option value="score">Score </option>
@ -85,7 +87,7 @@ links to download updated components. </li>
<option value="revtime">Reverse Time </option> <option value="revtime">Reverse Time </option>
<option value="revtitle">Reverse Title </option> <option value="revtitle">Reverse Title </option>
</select> </select>
</font><input type="hidden" name="config" </font><input type="hidden" name="config"
value="htdig"><input type="hidden" name="restrict" value=""><font value="htdig"><input type="hidden" name="restrict" value=""><font
size="-1"> Include Mailing List Archives: size="-1"> Include Mailing List Archives:
@ -93,99 +95,87 @@ links to download updated components. </li>
<option value="">Yes</option> <option value="">Yes</option>
<option value="[http://lists.shorewall.net/pipermail/.*]">No</option> <option value="[http://lists.shorewall.net/pipermail/.*]">No</option>
</select> </select>
</font><br> </font><br>
Search: <input type="text" size="30" name="words" Search: <input type="text" size="30" name="words"
value=""> <input type="submit" value="Search"><br> value=""> <input type="submit" value="Search"><br>
</form> </form>
</blockquote> </blockquote>
<h2>Problem Reporting Guidelines<br> <h2>Problem Reporting Guidelines<br>
</h2> </h2>
<ul> <ul>
<li>Please remember we only know <li>Please remember we only know
what is posted in your message. Do not leave out any information what is posted in your message. Do not leave out any information
that appears to be correct, or was mentioned in a previous that appears to be correct, or was mentioned in a previous
post. There have been countless posts by people who were sure post. There have been countless posts by people who were sure
that some part of their configuration was correct when it actually that some part of their configuration was correct when it actually
contained a small error. We tend to be skeptics where detail contained a small error. We tend to be skeptics where detail
is lacking.<br> is lacking.<br>
<br> <br>
</li> </li>
<li>Please keep in mind that you're <li>Please keep in mind that you're
asking for <strong>free</strong> technical support. asking for <strong>free</strong> technical support.
Any help we offer is an act of generosity, not an obligation. Any help we offer is an act of generosity, not an obligation.
Try to make it easy for us to help you. Follow good, courteous Try to make it easy for us to help you. Follow good, courteous
practices in writing and formatting your e-mail. Provide details that practices in writing and formatting your e-mail. Provide details
we need if you expect good answers. <em>Exact quoting </em> of error that we need if you expect good answers. <em>Exact quoting </em>
messages, log entries, command output, and other output is better than of error messages, log entries, command output, and other output is
a paraphrase or summary.<br> better than a paraphrase or summary.<br>
<br> <br>
</li> </li>
<li> <li>
Please don't describe your environment and then ask Please don't describe your environment and then ask
us to send you custom configuration files. We're us to send you custom configuration files. We're
here to answer your questions but we can't do here to answer your questions but we can't do
your job for you.<br> your job for you.<br>
<br> <br>
</li> </li>
<li>When reporting a problem, <strong>ALWAYS</strong> <li>When reporting a problem,
include this information:</li> <strong>ALWAYS</strong> include this information:</li>
</ul> </ul>
<ul> <ul>
<ul> <ul>
<li>the exact version of Shorewall <li>the exact version of Shorewall
you are running.<br> you are running.<br>
<br> <br>
<b><font color="#009900">shorewall <b><font color="#009900">shorewall
version</font><br> version</font><br>
</b> <br> </b> <br>
</li> </li>
</ul> </ul>
<ul> <ul>
<li>the exact kernel version
you are running<br>
<br>
<font color="#009900"><b>uname
-a<br>
<br>
</b></font></li>
</ul> </ul>
<ul> <ul>
<li>the complete, exact output <li>the complete, exact output
of<br> of<br>
<br> <br>
<font color="#009900"><b>ip <font color="#009900"><b>ip
addr show<br> addr show<br>
<br> <br>
</b></font></li> </b></font></li>
</ul> </ul>
<ul> <ul>
<li>the complete, exact output <li>the complete, exact output
of<br> of<br>
<br> <br>
<font color="#009900"><b>ip <font color="#009900"><b>ip
route show<br> route show<br>
<br> </b></font></li>
</b></font></li>
</ul> </ul>
<ul> <ul>
<li>If your kernel is modularized,
the exact output from<br>
<br>
<font color="#009900"><b>lsmod</b></font><br>
</li>
</ul> </ul>
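Review bot: this hunk silently drops two items from the list of information a problem report must always include, the kernel version (`uname -a`) and the module list (`lsmod`), while the remaining items are only re-wrapped. If the removal is deliberate, say why in the document (for example, that those outputs are no longer needed or are collected elsewhere), otherwise reporters will stop sending data that is often needed to diagnose a kernel-version or module-loading problem.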
@ -195,101 +185,103 @@ route show<br>
<ul> <ul>
<ul> <ul>
<li><font color="#ff0000"><u><i><big><b>If you are having <li><font color="#ff0000"><u><i><big><b>THIS IS IMPORTANT!<br>
connection problems of any kind then:</b></big></i></u></font><br> <br>
<br> </b></big></i></u></font>If your problem is that some type of connection
1. <b><font color="#009900">/sbin/shorewall to/from or through your firewall isn't working then please:<br>
reset</font></b><br> <br>
<br> 1. <b><font color="#009900">/sbin/shorewall reset</font></b><br>
2. Try the connection that is failing.<br> <br>
<br> 2. Try making the connection that is failing.<br>
3.<b><font color="#009900"> /sbin/shorewall <br>
3.<b><font color="#009900"> /sbin/shorewall
status &gt; /tmp/status.txt</font></b><br> status &gt; /tmp/status.txt</font></b><br>
<br> <br>
4. Post the /tmp/status.txt file as an attachment.<br> 4. Post the /tmp/status.txt file as an attachment.<br>
<br> <br>
</li> </li>
<li>the exact wording of any <code <li>the exact wording of any <code
style="color: green; font-weight: bold;">ping</code> failure responses<br> style="color: green; font-weight: bold;">ping</code> failure responses<br>
<br> <br>
</li> </li>
<li>If you installed Shorewall using one of the QuickStart <li>If you installed Shorewall using one of the QuickStart
Guides, please indicate which one. <br> Guides, please indicate which one. <br>
<br> <br>
</li> </li>
<li><b>If you are running Shorewall under Mandrake using <li><b>If you are running Shorewall under Mandrake using
the Mandrake installation of Shorewall, please say so.<br> the Mandrake installation of Shorewall, please say so.<br>
<br> <br>
</b></li> </b></li>
</ul> </ul>
<li>As a general matter, please <strong>do not edit the diagnostic <li>As a general matter, please <strong>do not edit the diagnostic
information</strong> in an attempt to conceal your IP address, information</strong> in an attempt to conceal your IP address,
netmask, nameserver addresses, domain name, etc. These aren't netmask, nameserver addresses, domain name, etc. These aren't
secrets, and concealing them often misleads us (and 80% of the time, secrets, and concealing them often misleads us (and 80% of the time,
a hacker could derive them anyway from information contained in a hacker could derive them anyway from information contained
the SMTP headers of your post).<br> in the SMTP headers of your post).<br>
<br> <br>
<strong></strong></li> <strong></strong></li>
<li>Do you see any "Shorewall" messages <li>Do you see any "Shorewall" messages
("<b><font color="#009900">/sbin/shorewall show log</font></b>") ("<b><font color="#009900">/sbin/shorewall show log</font></b>")
when you exercise the function that is giving you problems? when you exercise the function that is giving you problems?
If so, include the message(s) in your post along with a copy of If so, include the message(s) in your post along with a copy of your
your /etc/shorewall/interfaces file.<br> /etc/shorewall/interfaces file.<br>
<br> <br>
</li> </li>
<li>Please include any of the Shorewall configuration <li>Please include any of the Shorewall configuration
files (especially the /etc/shorewall/hosts file files (especially the /etc/shorewall/hosts file
if you have modified that file) that you think are if you have modified that file) that you think are
relevant. If you include /etc/shorewall/rules, please include relevant. If you include /etc/shorewall/rules, please include
/etc/shorewall/policy as well (rules are meaningless unless /etc/shorewall/policy as well (rules are meaningless unless
one also knows the policies).<br> one also knows the policies).<br>
<br> <br>
</li> </li>
<li>If an error occurs when you try to <li>If an error occurs when you try to
"<font color="#009900"><b>shorewall start</b></font>", include "<font color="#009900"><b>shorewall start</b></font>", include
a trace (See the <a a trace (See the <a
href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a> href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a>
section for instructions).<br> section for instructions).<br>
<br> <br>
</li> </li>
<li><b>The list server limits posts to 120kb so <li><b>The list server limits posts to 120kb so
don't post GIFs of your network layout, don't post GIFs of your network layout,
etc. to the Mailing List -- your post will be rejected.</b></li> etc. to the Mailing List -- your post will be rejected.</b></li>
</ul> </ul>
<blockquote> The author gratefully acknowleges that the above list was <blockquote> The author gratefully acknowleges that the above list was
heavily plagiarized from the excellent LEAF document by <i>Ray</i> heavily plagiarized from the excellent LEAF document by <i>Ray</i>
<em>Olszewski</em> found at <a <em>Olszewski</em> found at <a
href="http://leaf-project.org/pub/doc/docmanager/docid_1891.html">http://leaf-project.org/pub/doc/docmanager/docid_1891.html</a>.<br> href="http://leaf-project.org/pub/doc/docmanager/docid_1891.html">http://leaf-project.org/pub/doc/docmanager/docid_1891.html</a>.<br>
</blockquote> </blockquote>
<h2>When using the mailing list, please post in plain text</h2> <h2>When using the mailing list, please post in plain text</h2>
<blockquote> A growing number of MTAs serving list subscribers are rejecting <blockquote> A growing number of MTAs serving list subscribers are
all HTML traffic. At least one MTA has gone so far as to blacklist rejecting all HTML traffic. At least one MTA has gone so far as to
shorewall.net "for continuous abuse" because it has been my policy blacklist shorewall.net "for continuous abuse" because it has been
to allow HTML in list posts!!<br> my policy to allow HTML in list posts!!<br>
<br> <br>
I think that blocking all HTML I think that blocking all HTML
is a Draconian way to control spam and that the ultimate is a Draconian way to control spam and that the ultimate
losers here are not the spammers but the list subscribers losers here are not the spammers but the list subscribers
whose MTAs are bouncing all shorewall.net mail. As one list subscriber whose MTAs are bouncing all shorewall.net mail. As one list
wrote to me privately "These e-mail admin's need to get a <i>(expletive subscriber wrote to me privately "These e-mail admin's need
deleted)</i> life instead of trying to rid the planet of HTML to get a <i>(expletive deleted)</i> life instead of trying to
based e-mail". Nevertheless, to allow subscribers to receive rid the planet of HTML based e-mail". Nevertheless, to allow
list posts as must as possible, I have now configured the list subscribers to receive list posts as must as possible, I have now
server at shorewall.net to strip all HTML from outgoing posts.<br> configured the list server at shorewall.net to strip all HTML from
<br> outgoing posts.<br>
<big><font color="#cc0000"><b>If you run your own outgoing mail server <br>
and it doesn't have a valid DNS PTR record, your email won't reach the lists <big><font color="#cc0000"><b>If you run your own outgoing mail server
unless/until the postmaster notices that your posts are being rejected. and it doesn't have a valid DNS PTR record, your email won't reach the lists
To avoid this problem, you should configure your MTA to forward posts to unless/until the postmaster notices that your posts are being rejected. To
shorewall.net through an MTA that <u>does</u> have a valid PTR record (such avoid this problem, you should configure your MTA to forward posts to shorewall.net
as the one at your ISP). </b></font></big><br> through an MTA that <u>does</u> have a valid PTR record (such as the one
</blockquote> at your ISP). </b></font></big><br>
</blockquote>
<h2>Where to Send your Problem Report or to Ask for Help</h2> <h2>Where to Send your Problem Report or to Ask for Help</h2>
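Review bot: the reflow in this hunk carries two typos across unchanged: "as must as possible" in the HTML-stripping paragraph should read "as much as possible", and "acknowleges" in the attribution blockquote should read "acknowledges". Since both lines are already being rewrapped, fixing them here costs nothing.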
@ -299,7 +291,7 @@ as the one at your ISP). </b></font></big><br>
to the <a to the <a
href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing
list</a>.</span></h4> list</a>.</span></h4>
<b>If you run Shorewall under <b>If you run Shorewall under
MandrakeSoft Multi Network Firewall (MNF) and you have MandrakeSoft Multi Network Firewall (MNF) and you have
not purchased an MNF license from MandrakeSoft then you can not purchased an MNF license from MandrakeSoft then you can
post non MNF-specific Shorewall questions to the </b><a post non MNF-specific Shorewall questions to the </b><a
@ -313,18 +305,19 @@ as the one at your ISP). </b></font></big><br>
<p> To Subscribe to the mailing list go to <a <p> To Subscribe to the mailing list go to <a
href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a> href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a>
.<br> .<br>
</p> </p>
</blockquote> </blockquote>
<p>For information on other Shorewall mailing lists, go to <a <p>For information on other Shorewall mailing lists, go to <a
href="http://lists.shorewall.net">http://lists.shorewall.net</a><br> href="http://lists.shorewall.net">http://lists.shorewall.net</a><br>
</p> </p>
<p align="left"><font size="2">Last Updated 6/24/2003 - Tom Eastep</font></p> <p align="left"><font size="2">Last Updated 7/6/2003 - Tom Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br> size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p> </p>
<br>
<br> <br>
</body> </body>
</html> </html>

View File


@ -17,109 +17,123 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Upgrade Issues</font></h1> <h1 align="center"><font color="#ffffff">Upgrade Issues</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p>For upgrade instructions see the <a <p>For upgrade instructions see the <a
href="Install.htm">Install/Upgrade page</a>.<br> href="Install.htm">Install/Upgrade page</a>.<br>
</p> </p>
<p>It is important that you read all of the sections on this page where the <p>It is important that you read all of the sections on this page where the
version number mentioned in the section title is later than what you version number mentioned in the section title is later than what you
are currently running.<br> are currently running.<br>
</p> </p>
<p> In the descriptions that follows, the term <b><i>group </i></b>refers <p> In the descriptions that follows, the term <b><i>group </i></b>refers
to a particular network or subnetwork (which may be 0.0.0.0/0 or it may to a particular network or subnetwork (which may be 0.0.0.0/0 or it may
be a host address) accessed through a particular interface.<br> be a host address) accessed through a particular interface.<br>
</p> </p>
<p>Examples:<br> <p>Examples:<br>
    <br>     <br>
    eth0:0.0.0.0/0<br>     eth0:0.0.0.0/0<br>
    eth2:192.168.1.0/24<br>     eth2:192.168.1.0/24<br>
    eth3:192.0.2.123<br>     eth3:192.0.2.123<br>
</p> </p>
<p> You can use the "shorewall check" command to see the groups associated <p> You can use the "shorewall check" command to see the groups associated
with each of your zones.<br> with each of your zones.<br>
</p> </p>
<h3> </h3> <h3> </h3>
<h3>Version &gt;= 1.4.6</h3> <h3>Version &gt;= 1.4.6</h3>
The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options have been removed from <ul>
shorewall.conf. These capabilities are now automatically detected by Shorewall.<br> <li> The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options have been removed
from shorewall.conf. These capabilities are now automatically detected by
Shorewall.</li>
<li>An undocumented <i>feature</i> previously allowed entries in the host
file as follows:<br>
<br>
<i>zone</i>    eth1:192.168.1.0/24,eth2:192.168.2.0/24<br>
<br>
This capability was never documented and has been removed in 1.4.6 to allow
entries of the following format:<br>
<br>
<i>zone</i>   eth1:192.168.1.0/24,192.168.2.0/24<br>
</li>
</ul>
<h3>Version &gt;= 1.4.4</h3> <h3>Version &gt;= 1.4.4</h3>
If you are upgrading from 1.4.3 and have set the LOGMARKER variable in If you are upgrading from 1.4.3 and have set the LOGMARKER variable in
<a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>, then you <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>, then
must set the new LOGFORMAT variable appropriately and remove your setting you must set the new LOGFORMAT variable appropriately and remove your setting
of LOGMARKER<br> of LOGMARKER<br>
<br> <br>
<h3>Version 1.4.4<br> <h3>Version 1.4.4<br>
</h3> </h3>
If you have zone names that are 5 characters long, you may experience problems If you have zone names that are 5 characters long, you may experience problems
starting Shorewall because the --log-prefix in a logging rule is too long. starting Shorewall because the --log-prefix in a logging rule is too long.
Upgrade to Version 1.4.4a to fix this problem..<br> Upgrade to Version 1.4.4a to fix this problem..<br>
<h3>Version &gt;= 1.4.2</h3> <h3>Version &gt;= 1.4.2</h3>
There are some cases where you may want to handle traffic from a particular There are some cases where you may want to handle traffic from a particular
group to itself. While I personally think that such a setups are ridiculous, group to itself. While I personally think that such a setups are ridiculous,
there are two cases covered in this documentation where it can occur:<br> there are two cases covered in this documentation where it can occur:<br>
<ol> <ol>
<li><a href="FAQ.htm#faq2">In FAQ #2</a>.</li> <li><a href="FAQ.htm#faq2">In FAQ #2</a>.</li>
<li><a href="Shorewall_Squid_Usage.html">When running Squid as a transparent <li><a href="Shorewall_Squid_Usage.html">When running Squid as a
proxy in your local zone.</a></li> transparent proxy in your local zone.</a></li>
</ol> </ol>
If you have either of these cases, you will want to review the current If you have either of these cases, you will want to review the current
documentation and change your configuration accordingly.<br> documentation and change your configuration accordingly.<br>
<h3>Version &gt;= 1.4.1</h3> <h3>Version &gt;= 1.4.1</h3>
<ul> <ul>
<li>Beginning with Version 1.4.1, traffic between groups in the <li>Beginning with Version 1.4.1, traffic between groups in the
same zone is accepted by default. Previously, traffic from a zone to same zone is accepted by default. Previously, traffic from a zone to itself
itself was treated just like any other traffic; any matching rules were was treated just like any other traffic; any matching rules were applied
applied followed by enforcement of the appropriate policy. With 1.4.1 followed by enforcement of the appropriate policy. With 1.4.1 and later
and later versions, unless you have explicit rules for traffic from Z versions, unless you have explicit rules for traffic from Z to Z or you
to Z or you have an explicit Z to Z policy (where "Z" is some zone) then have an explicit Z to Z policy (where "Z" is some zone) then traffic between
traffic between the groups in zone Z will be accepted. If you do have one the groups in zone Z will be accepted. If you do have one or more explicit
or more explicit rules for Z to Z or if you have an explicit Z to Z policy rules for Z to Z or if you have an explicit Z to Z policy then the behavior
then the behavior is as it was in prior versions.</li> is as it was in prior versions.</li>
</ul> </ul>
<blockquote> <blockquote>
<ol> <ol>
<li>If you have a Z Z ACCEPT policy for a zone to allow traffic <li>If you have a Z Z ACCEPT policy for a zone to allow traffic
between two interfaces to the same zone, that policy can be removed and between two interfaces to the same zone, that policy can be removed and
traffic between the interfaces will traverse fewer rules than previously.</li> traffic between the interfaces will traverse fewer rules than previously.</li>
<li>If you have a Z Z DROP or Z Z REJECT policy or you have <li>If you have a Z Z DROP or Z Z REJECT policy or you have
Z-&gt;Z rules then your configuration should not require any change.</li> Z-&gt;Z rules then your configuration should not require any change.</li>
<li>If you are currently relying on a implicit policy (one that <li>If you are currently relying on a implicit policy (one that
has "all" in either the SOURCE or DESTINATION column) to prevent traffic has "all" in either the SOURCE or DESTINATION column) to prevent traffic
between two interfaces to a zone Z and you have no rules for Z-&gt;Z then between two interfaces to a zone Z and you have no rules for Z-&gt;Z
you should add an explicit DROP or REJECT policy for Z to Z.<br> then you should add an explicit DROP or REJECT policy for Z to Z.<br>
</li> </li>
</ol> </ol>
</blockquote> </blockquote>
<ul> <ul>
<li> Sometimes, you want two separate zones on one interface but <li> Sometimes, you want two separate zones on one interface but
you don't want Shorewall to set up any infrastructure to handle traffic you don't want Shorewall to set up any infrastructure to handle traffic
between them. </li> between them. </li>
</ul> </ul>
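Review bot: the new 1.4.6 list item should say what Shorewall 1.4.6 does with a hosts entry that is still in the old `zone eth1:192.168.1.0/24,eth2:192.168.2.0/24` form, i.e. whether `shorewall start` rejects it or parses it under the new comma-separated rule, because an entry that is silently reinterpreted changes which addresses belong to the zone, and an upgrade note is where a reader looks for that. Suggested addition after the new-format example: "Existing entries in the old form are rejected/reinterpreted (state which); run `shorewall check` after upgrading to confirm the groups in each zone." Two smaller points: the item says "host file" where the rest of the page uses "hosts file" (/etc/shorewall/hosts), and the empty `<h3> </h3>` immediately above the "Version >= 1.4.6" heading survives the change and could be dropped while this region is being edited.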
@ -127,81 +141,81 @@ between them. </li>
<blockquote> <blockquote>
<pre>/etc/shorewall/zones<br><br>z1 Zone1 The first Zone<br>z2 Zone2 The secont Zone<br><br>/etc/shorewall/interfaces<br><br>z2 eth1 192.168.1.255<br><br>/etc/shorewall/hosts<br><br>z1 eth1:192.168.1.3<br></pre> <pre>/etc/shorewall/zones<br><br>z1 Zone1 The first Zone<br>z2 Zone2 The secont Zone<br><br>/etc/shorewall/interfaces<br><br>z2 eth1 192.168.1.255<br><br>/etc/shorewall/hosts<br><br>z1 eth1:192.168.1.3<br></pre>
</blockquote> </blockquote>
Here, zone z1 is nested in zone z2 and the firewall is not going Here, zone z1 is nested in zone z2 and the firewall is not going
to be involved in any traffic between these two zones. Beginning with Shorewall to be involved in any traffic between these two zones. Beginning with Shorewall
1.4.1, you can prevent Shorewall from setting up any infrastructure to 1.4.1, you can prevent Shorewall from setting up any infrastructure to
handle traffic between z1 and z2 by using the new NONE policy:<br> handle traffic between z1 and z2 by using the new NONE policy:<br>
<blockquote> <blockquote>
<pre>/etc/shorewall/policy<br><pre>z1 z2 NONE<br>z2 z1 NONE</pre></pre> <pre>/etc/shorewall/policy<br><pre>z1 z2 NONE<br>z2 z1 NONE</pre></pre>
</blockquote> </blockquote>
Note that NONE policies are generally used in pairs unless there Note that NONE policies are generally used in pairs unless there
is asymetric routing where only the traffic on one direction flows through is asymetric routing where only the traffic on one direction flows through
the firewall and you are using a NONE polciy in the other direction. </blockquote> the firewall and you are using a NONE polciy in the other direction. </blockquote>
<h3>Version 1.4.1<br> <h3>Version 1.4.1<br>
</h3> </h3>
<ul> <ul>
<li>In Version 1.4.1, Shorewall will never create rules to deal <li>In Version 1.4.1, Shorewall will never create rules to
with traffic from a given group back to itself. The <i>multi</i> interface deal with traffic from a given group back to itself. The <i>multi</i>
option is no longer available so if you want to route traffic between interface option is no longer available so if you want to route traffic
two subnetworks on the same interface then I recommend that you upgrade between two subnetworks on the same interface then I recommend that you
to Version 1.4.2 and use the 'routeback' interface or host option. </li> upgrade to Version 1.4.2 and use the 'routeback' interface or host option. </li>
</ul> </ul>
<h3>Version &gt;= 1.4.0</h3> <h3>Version &gt;= 1.4.0</h3>
<b>IMPORTANT: Shorewall &gt;=1.4.0 </b><b>requires</b> <b>the <b>IMPORTANT: Shorewall &gt;=1.4.0 </b><b>requires</b> <b>the
iproute package ('ip' utility).</b><br> iproute package ('ip' utility).</b><br>
<br> <br>
<b>Note: </b>Unfortunately, some distributions call this package <b>Note: </b>Unfortunately, some distributions call this package
iproute2 which will cause the upgrade of Shorewall to fail with the diagnostic:<br> iproute2 which will cause the upgrade of Shorewall to fail with the diagnostic:<br>
<br> <br>
     error: failed dependencies:iproute is needed by shorewall-1.4.0-1      error: failed dependencies:iproute is needed by shorewall-1.4.0-1
<br> <br>
<br> <br>
This may be worked around by using the --nodeps option of rpm This may be worked around by using the --nodeps option of rpm
(rpm -Uvh --nodeps &lt;shorewall rpm&gt;).<br> (rpm -Uvh --nodeps &lt;shorewall rpm&gt;).<br>
<br> <br>
If you are upgrading from a version &lt; 1.4.0, then:<br> If you are upgrading from a version &lt; 1.4.0, then:<br>
<ul> <ul>
<li>The <b>noping </b>and <b>forwardping</b> interface <li>The <b>noping </b>and <b>forwardping</b> interface
options are no longer supported nor is the <b>FORWARDPING </b>option options are no longer supported nor is the <b>FORWARDPING </b>option
in shorewall.conf. ICMP echo-request (ping) packets are treated just in shorewall.conf. ICMP echo-request (ping) packets are treated just
like any other connection request and are subject to rules and policies.</li> like any other connection request and are subject to rules and policies.</li>
<li>Interface names of the form &lt;device&gt;:&lt;integer&gt; <li>Interface names of the form &lt;device&gt;:&lt;integer&gt;
in /etc/shorewall/interfaces now generate a Shorewall error at startup in /etc/shorewall/interfaces now generate a Shorewall error at startup
(they always have produced warnings in iptables).</li> (they always have produced warnings in iptables).</li>
<li>The MERGE_HOSTS variable has been removed from shorewall.conf. <li>The MERGE_HOSTS variable has been removed from shorewall.conf.
Shorewall 1.4 behaves like 1.3 did when MERGE_HOSTS=Yes; that is zone Shorewall 1.4 behaves like 1.3 did when MERGE_HOSTS=Yes; that is zone
contents are determined by BOTH the interfaces and hosts files when contents are determined by BOTH the interfaces and hosts files when
there are entries for the zone in both files.</li> there are entries for the zone in both files.</li>
<li>The <b>routestopped</b> option in the interfaces and <li>The <b>routestopped</b> option in the interfaces and
hosts file has been eliminated; use entries in the routestopped file hosts file has been eliminated; use entries in the routestopped file
instead.</li> instead.</li>
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules <li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules
is no longer accepted; you must convert to using the new syntax.</li> is no longer accepted; you must convert to using the new syntax.</li>
<li value="6">The ALLOWRELATED variable in shorewall.conf <li value="6">The ALLOWRELATED variable in shorewall.conf
is no longer supported. Shorewall 1.4 behavior is the same as 1.3 with is no longer supported. Shorewall 1.4 behavior is the same as 1.3
ALLOWRELATED=Yes.</li> with ALLOWRELATED=Yes.</li>
<li value="6">Late-arriving DNS replies are now dropped <li value="6">Late-arriving DNS replies are now dropped
by default; there is no need for your own /etc/shorewall/common file by default; there is no need for your own /etc/shorewall/common file
simply to avoid logging these packets.</li> simply to avoid logging these packets.</li>
<li value="6">The 'firewall', 'functions' and 'version' <li value="6">The 'firewall', 'functions' and 'version'
file have been moved to /usr/share/shorewall.</li> file have been moved to /usr/share/shorewall.</li>
<li value="6">The icmp.def file has been removed. If you <li value="6">The icmp.def file has been removed. If you
include it from /etc/shorewall/icmpdef, you will need to modify that include it from /etc/shorewall/icmpdef, you will need to modify that
file.</li> file.</li>
<ul> <ul>
</ul> </ul>
<li>If you followed the advice in FAQ #2 and call find_interface_address <li>If you followed the advice in FAQ #2 and call find_interface_address
in /etc/shorewall/params, that code should be moved to /etc/shorewall/init.<br> in /etc/shorewall/params, that code should be moved to /etc/shorewall/init.<br>
</li> </li>
</ul> </ul>
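Review bot: the policy example in this hunk nests one `<pre>` inside another (`<pre>/etc/shorewall/policy<br><pre>z1 z2 NONE<br>z2 z1 NONE</pre></pre>`), which is invalid HTML and renders inconsistently; the zones/interfaces/hosts example two paragraphs above shows the intended form, a single `<pre>` with `<br>` separators. Also carried across unchanged: "secont Zone" in that zones example, "asymetric" and "polciy" in the NONE-policy paragraph, the empty `<ul> </ul>` inside the 1.4.0 list after the icmp.def item, and the repeated `<li value="6">` attributes, which have no effect in an unordered list.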
@ -212,187 +226,189 @@ file.</li>
<h3>Version 1.4.0</h3> <h3>Version 1.4.0</h3>
<ul> <ul>
<li value="8">The 'multi' interface option is no longer supported. <li value="8">The 'multi' interface option is no longer supported.
 Shorewall will generate rules for sending packets back out the same  Shorewall will generate rules for sending packets back out the same
interface that they arrived on in two cases:</li> interface that they arrived on in two cases:</li>
</ul> </ul>
<blockquote> <blockquote>
<ul> <ul>
<li>There is an <u>explicit</u> policy for the source zone to <li>There is an <u>explicit</u> policy for the source zone
or from the destination zone. An explicit policy names both zones and to or from the destination zone. An explicit policy names both zones
does not use the 'all' reserved word.</li> and does not use the 'all' reserved word.</li>
</ul> </ul>
<ul> <ul>
<li>There are one or more rules for traffic for the source zone <li>There are one or more rules for traffic for the source
to or from the destination zone including rules that use the 'all' reserved zone to or from the destination zone including rules that use the 'all'
word. Exception: if the source zone and destination zone are the same reserved word. Exception: if the source zone and destination zone are
then the rule must be explicit - it must name the zone in both the SOURCE the same then the rule must be explicit - it must name the zone in both
and DESTINATION columns.</li> the SOURCE and DESTINATION columns.</li>
</ul> </ul>
</blockquote> </blockquote>
<h3>Version &gt;= 1.3.14</h3> <h3>Version &gt;= 1.3.14</h3>
<img src="images/BD21298_3.gif" alt="" width="13" <img src="images/BD21298_3.gif" alt="" width="13"
height="13"> height="13">
     Beginning in version 1.3.14, Shorewall treats entries      Beginning in version 1.3.14, Shorewall treats entries
in <a href="Documentation.htm#Masq">/etc/shorewall/masq </a>differently. in <a href="Documentation.htm#Masq">/etc/shorewall/masq </a>differently.
The change involves entries with an <b>interface name</b> in the <b>SUBNET</b> The change involves entries with an <b>interface name</b> in the
(second) <b>column</b>:<br> <b>SUBNET</b> (second) <b>column</b>:<br>
<ul> <ul>
<li>Prior to 1.3.14, Shorewall would detect the FIRST <li>Prior to 1.3.14, Shorewall would detect the FIRST
subnet on the interface (as shown by "ip addr show <i>interface</i>") subnet on the interface (as shown by "ip addr show <i>interface</i>")
and would masquerade traffic from that subnet. Any other subnets that and would masquerade traffic from that subnet. Any other subnets that
routed through eth1 needed their own entry in /etc/shorewall/masq to routed through eth1 needed their own entry in /etc/shorewall/masq
be masqueraded or to have SNAT applied.</li> to be masqueraded or to have SNAT applied.</li>
<li>Beginning with Shorewall 1.3.14, Shorewall uses the <li>Beginning with Shorewall 1.3.14, Shorewall uses
firewall's routing table to determine ALL subnets routed through the the firewall's routing table to determine ALL subnets routed through
named interface. Traffic originating in ANY of those subnets is masqueraded the named interface. Traffic originating in ANY of those subnets
or has SNAT applied.</li> is masqueraded or has SNAT applied.</li>
</ul> </ul>
You will need to make a change to your configuration if:<br> You will need to make a change to your configuration if:<br>
<ol> <ol>
<li>You have one or more entries in /etc/shorewall/masq <li>You have one or more entries in /etc/shorewall/masq
with an interface name in the SUBNET (second) column; and</li> with an interface name in the SUBNET (second) column; and</li>
<li>That interface connects to more than one subnetwork.</li> <li>That interface connects to more than one subnetwork.</li>
</ol> </ol>
Two examples:<br> Two examples:<br>
<br> <br>
 <b>Example 1</b> -- Suppose that your current config is  <b>Example 1</b> -- Suppose that your current config
as follows:<br> is as follows:<br>
   <br>    <br>
<pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> eth0                    192.168.10.0/24         206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br> [root@gateway test]#</pre> <pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> eth0                    192.168.10.0/24         206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br> [root@gateway test]#</pre>
<blockquote>In this case, the second entry in /etc/shorewall/masq is no longer <blockquote>In this case, the second entry in /etc/shorewall/masq is no longer
required.<br> required.<br>
</blockquote> </blockquote>
<b>Example 2</b>-- What if your current configuration is <b>Example 2</b>-- What if your current configuration
like this?<br> is like this?<br>
<pre> [root@gateway test]# cat /etc/shorewall/masq <br> #INTERFACE              SUBNET                  ADDRESS <br> eth0                    eth2                    206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE <br> [root@gateway test]# ip route show dev eth2 <br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254 <br> [root@gateway test]#</pre> <pre> [root@gateway test]# cat /etc/shorewall/masq <br> #INTERFACE              SUBNET                  ADDRESS <br> eth0                    eth2                    206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE <br> [root@gateway test]# ip route show dev eth2 <br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254 <br> [root@gateway test]#</pre>
<blockquote>In this case, you would want to change the entry in /etc/shorewall/masq <blockquote>In this case, you would want to change the entry in /etc/shorewall/masq
to:<br> to:<br>
</blockquote> </blockquote>
<pre> #INTERFACE              SUBNET                  ADDRESS <br> eth0                    192.168.1.0/24          206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre> <pre> #INTERFACE              SUBNET                  ADDRESS <br> eth0                    192.168.1.0/24          206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<img src="images/BD21298_3.gif" alt="" width="13" <img src="images/BD21298_3.gif" alt="" width="13"
height="13"> height="13">
    Version 1.3.14 also introduced simplified ICMP echo-request     Version 1.3.14 also introduced simplified ICMP echo-request
(ping) handling. The option OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf (ping) handling. The option OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf
is used to specify that the old (pre-1.3.14) ping handling is to be is used to specify that the old (pre-1.3.14) ping handling is to
used (If the option is not set in your /etc/shorewall/shorewall.conf be used (If the option is not set in your /etc/shorewall/shorewall.conf
then OLD_PING_HANDLING=Yes is assumed). I don't plan on supporting the then OLD_PING_HANDLING=Yes is assumed). I don't plan on supporting
old handling indefinitely so I urge current users to migrate to using the old handling indefinitely so I urge current users to migrate to using
the new handling as soon as possible. See the <a href="ping.html">'Ping' the new handling as soon as possible. See the <a href="ping.html">'Ping'
handling documentation</a> for details.<br> handling documentation</a> for details.<br>
<h3>Version 1.3.10</h3> <h3>Version 1.3.10</h3>
If you have installed the 1.3.10 Beta 1 RPM and are now If you have installed the 1.3.10 Beta 1 RPM and are now
upgrading to version 1.3.10, you will need to use the '--force' option:<br> upgrading to version 1.3.10, you will need to use the '--force' option:<br>
<br> <br>
<blockquote> <blockquote>
<pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm </pre> <pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm </pre>
</blockquote> </blockquote>
<h3>Version &gt;= 1.3.9</h3> <h3>Version &gt;= 1.3.9</h3>
The 'functions' file has moved to /usr/lib/shorewall/functions. The 'functions' file has moved to /usr/lib/shorewall/functions.
If you have an application that uses functions from that file, your If you have an application that uses functions from that file,
application will need to be changed to reflect this change of location.<br> your application will need to be changed to reflect this change of
location.<br>
<h3>Version &gt;= 1.3.8</h3> <h3>Version &gt;= 1.3.8</h3>
<p>If you have a pair of firewall systems configured for failover <p>If you have a pair of firewall systems configured for failover
or if you have asymmetric routing, you will need to modify or if you have asymmetric routing, you will need to modify
your firewall setup slightly under Shorewall your firewall setup slightly under Shorewall
versions &gt;= 1.3.8. Beginning with version 1.3.8, versions &gt;= 1.3.8. Beginning with version 1.3.8,
you must set NEWNOTSYN=Yes in your you must set NEWNOTSYN=Yes in your
/etc/shorewall/shorewall.conf file.</p> /etc/shorewall/shorewall.conf file.</p>
<h3>Version &gt;= 1.3.7</h3> <h3>Version &gt;= 1.3.7</h3>
<p>Users specifying ALLOWRELATED=No in /etc/shorewall.conf <p>Users specifying ALLOWRELATED=No in /etc/shorewall.conf
will need to include the following will need to include the following
rules in their /etc/shorewall/icmpdef file (creating this rules in their /etc/shorewall/icmpdef file (creating this
file if necessary):</p> file if necessary):</p>
<pre> run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT</pre> <pre> run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT</pre>
<p>Users having an /etc/shorewall/icmpdef file may remove the ". /etc/shorewall/icmp.def" <p>Users having an /etc/shorewall/icmpdef file may remove the ". /etc/shorewall/icmp.def"
command from that file since the icmp.def file is now empty.</p> command from that file since the icmp.def file is now empty.</p>
<h3><b><a name="Bering">Upgrading </a>Bering to Shorewall &gt;= 1.3.3</b></h3> <h3><b><a name="Bering">Upgrading </a>Bering to Shorewall &gt;= 1.3.3</b></h3>
<p>To properly upgrade with Shorewall version 1.3.3 and later:</p> <p>To properly upgrade with Shorewall version 1.3.3 and later:</p>
<ol> <ol>
<li>Be sure you have <li>Be sure you
a backup -- you will need to transcribe have a backup -- you will need
any Shorewall configuration changes to transcribe any Shorewall configuration
that you have made to the new configuration.</li> changes that you have made to the new
<li>Replace the shorwall.lrp configuration.</li>
package provided on the Bering <li>Replace the
floppy with the later one. If you did shorwall.lrp package provided on
not obtain the later version from Jacques's site, see additional the Bering floppy with the later one. If you did
instructions below.</li> not obtain the later version from Jacques's
<li>Edit the /var/lib/lrpkg/root.exclude.list site, see additional instructions below.</li>
file and remove the /var/lib/shorewall <li>Edit the /var/lib/lrpkg/root.exclude.list
entry if present. Then do not forget file and remove the /var/lib/shorewall
to backup root.lrp !</li> entry if present. Then do not
forget to backup root.lrp !</li>
</ol> </ol>
<p>The .lrp that I release isn't set up for a two-interface firewall like <p>The .lrp that I release isn't set up for a two-interface firewall like
Jacques's. You need to follow the <a Jacques's. You need to follow the <a
href="two-interface.htm">instructions for setting up a two-interface href="two-interface.htm">instructions for setting up a two-interface
firewall</a> plus you also need to add the following two Bering-specific firewall</a> plus you also need to add the following two Bering-specific
rules to /etc/shorewall/rules:</p> rules to /etc/shorewall/rules:</p>
<blockquote> <blockquote>
<pre># Bering specific rules:<br># allow loc to fw udp/53 for dnscache to work<br># allow loc to fw tcp/80 for weblet to work<br>#<br>ACCEPT loc fw udp 53<br>ACCEPT loc fw tcp 80</pre> <pre># Bering specific rules:<br># allow loc to fw udp/53 for dnscache to work<br># allow loc to fw tcp/80 for weblet to work<br>#<br>ACCEPT loc fw udp 53<br>ACCEPT loc fw tcp 80</pre>
</blockquote> </blockquote>
<h3 align="left">Version 1.3.6 and 1.3.7</h3> <h3 align="left">Version 1.3.6 and 1.3.7</h3>
<p align="left">If you have a pair of firewall systems configured for <p align="left">If you have a pair of firewall systems configured for
failover or if you have asymmetric routing, you will need to modify failover or if you have asymmetric routing, you will need to modify
your firewall setup slightly under Shorewall versions your firewall setup slightly under Shorewall versions 1.3.6
1.3.6 and 1.3.7</p> and 1.3.7</p>
<ol> <ol>
<li> <li>
<p align="left">Create the file /etc/shorewall/newnotsyn and in it add <p align="left">Create the file /etc/shorewall/newnotsyn and in it add
the following rule<br> the following rule<br>
<br> <br>
<font face="Courier">run_iptables -A newnotsyn <font face="Courier">run_iptables -A newnotsyn
-j RETURN # So that the connection tracking table can -j RETURN # So that the connection tracking table can
be rebuilt<br> be rebuilt<br>
                                    #                                     #
from non-SYN packets after takeover.<br> from non-SYN packets after takeover.<br>
 </font> </p>  </font> </p>
</li> </li>
<li> <li>
<p align="left">Create /etc/shorewall/common (if you don't already <p align="left">Create /etc/shorewall/common (if you don't already
have that file) and include the following:<br> have that file) and include the following:<br>
<br> <br>
<font face="Courier">run_iptables -A common <font face="Courier">run_iptables -A common
-p tcp --tcp-flags ACK,FIN,RST ACK -j ACCEPT #Accept -p tcp --tcp-flags ACK,FIN,RST ACK -j ACCEPT #Accept
Acks to rebuild connection<br> Acks to rebuild connection<br>
                                                                                                                                       
#tracking table. <br> #tracking table. <br>
. /etc/shorewall/common.def</font> </p> . /etc/shorewall/common.def</font> </p>
</li> </li>
</ol> </ol>
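Review bot: the second list item of the 1.3.6/1.3.7 section, `run_iptables -A common -p tcp --tcp-flags ACK,FIN,RST ACK -j ACCEPT`, accepts any TCP segment with only ACK set regardless of connection state (its own comment says so: "Accept Acks to rebuild connection tracking table"), and the `run_iptables -A newnotsyn -j RETURN` rule above it lets non-SYN packets through the newnotsyn chain for the same reason; the text should state plainly that both rules deliberately relax stateful filtering for the failover/asymmetric-routing case only and should be removed once a single firewall is in use again. Separately, the reflowed Bering list still reads "shorwall.lrp" (should be shorewall.lrp) and "backup root.lrp !" has a stray space before the exclamation mark.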
@ -405,43 +421,44 @@ Acks to rebuild connection<br>
<div align="left"> <div align="left">
<pre> ACCEPT net loc:192.168.1.12:22 tcp 11111 - all</pre> <pre> ACCEPT net loc:192.168.1.12:22 tcp 11111 - all</pre>
</div> </div>
<p align="left">Must be replaced with:</p> <p align="left">Must be replaced with:</p>
<div align="left"> <div align="left">
<pre> DNAT net loc:192.168.1.12:22 tcp 11111</pre> <pre> DNAT net loc:192.168.1.12:22 tcp 11111</pre>
</div> </div>
<div align="left"> <div align="left">
<p align="left">Example 2:</p> <p align="left">Example 2:</p>
</div> </div>
<div align="left"> <div align="left">
<pre> ACCEPT loc fw::3128 tcp 80 - all</pre> <pre> ACCEPT loc fw::3128 tcp 80 - all</pre>
</div> </div>
<div align="left"> <div align="left">
<p align="left">Must be replaced with:</p> <p align="left">Must be replaced with:</p>
</div> </div>
<div align="left"> <div align="left">
<pre> REDIRECT loc 3128 tcp 80</pre> <pre> REDIRECT loc 3128 tcp 80</pre>
</div> </div>
<h3 align="left">Version &gt;= 1.3.2</h3> <h3 align="left">Version &gt;= 1.3.2</h3>
<p align="left">The functions and versions files together with the 'firewall' <p align="left">The functions and versions files together with the 'firewall'
symbolic link have moved from /etc/shorewall to /var/lib/shorewall. symbolic link have moved from /etc/shorewall to /var/lib/shorewall.
If you have applications that access these files, those If you have applications that access these files, those
applications should be modified accordingly.</p> applications should be modified accordingly.</p>
<p><font size="2"> Last updated 6/29/2003 - <a href="support.htm">Tom <p><font size="2"> Last updated 6/29/2003 - <a href="support.htm">Tom Eastep</a></font>
Eastep</a></font> </p> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p> </p>
<br>
<br> <br>
</body> </body>
</html> </html>
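Review bot: the "Last updated 6/29/2003" footer near the end of the hunk is carried over unchanged although this commit edits the page; bump it to the commit date. The rest of the hunk is a whitespace-only reflow (the DNAT and REDIRECT replacement examples and the /var/lib/shorewall note are identical on both sides), so it needs no content review.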

View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of # shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall. # Shoreline Firewall.
VERSION=1.4.6Beta1 VERSION=1.4.6Beta2
usage() # $1 = exit status usage() # $1 = exit status
{ {
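Review bot: VERSION=1.4.6Beta2 is a hand-edited literal that must be kept in step with the install and uninstall scripts and the spec file bumped in the same commit; since the comment above says the script may only be used to revert the version shown, a mismatch between the copies would leave one script claiming the wrong release, so consider generating this line from a single version file at release time.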

View File

@ -54,7 +54,7 @@
# /etc/rc.d/rc.local file is modified to start the firewall. # /etc/rc.d/rc.local file is modified to start the firewall.
# #
VERSION=1.4.6Beta1 VERSION=1.4.6Beta2
usage() # $1 = exit status usage() # $1 = exit status
{ {

View File

@ -1,6 +1,6 @@
%define name shorewall %define name shorewall
%define version 1.4.6 %define version 1.4.6
%define release 0Beta1 %define release 0Beta2
%define prefix /usr %define prefix /usr
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
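Review bot: the release tag and the script VERSION literals spell the pre-release differently (0Beta2 here, 1.4.6Beta2 in the shell scripts); that is expected for RPM, but a short comment in the spec that the leading 0 in the release is what keeps a later non-beta release (1 or higher) newer than every beta under rpmvercmp would save the next maintainer from "fixing" it.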
@ -105,6 +105,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog %changelog
* Mon Jul 07 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.6-0Beta2
* Fri Jul 04 2003 Tom Eastep <tom@shorewall.net> * Fri Jul 04 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.6-0Beta1 - Changed version to 1.4.6-0Beta1
* Tue Jun 17 2003 Tom Eastep <tom@shorewall.net> * Tue Jun 17 2003 Tom Eastep <tom@shorewall.net>
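Review bot: the new %changelog entry only records "Changed version to 1.4.6-0Beta2"; since changelog.txt and releasenotes.txt are shipped under %doc, either summarize what Beta2 changes here or point at those files so package users can see why the beta was respun. The date and author line match the commit.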

View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall # shown below. Simply run this script to remove Seattle Firewall
VERSION=1.4.6Beta1 VERSION=1.4.6Beta2
usage() # $1 = exit status usage() # $1 = exit status
{ {
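Review bot: the comment above the bumped VERSION still says this script removes "Seattle Firewall", while the spec Summary and the fallback script in this same commit call the product "Shoreline Firewall"; update the comment while touching this line.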