extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-26 12:42:40 +02:00
Code Issues Packages Projects Releases Wiki Activity

Shorewall 1.4.4b

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@576 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2003-05-29 14:48:09 +00:00
parent df6a59cf68
commit 1905dd9d1c
17 changed files with 5017 additions and 4949 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
Lrp/usr/share/shorewall/firewall
View File

@ -926,7 +926,7 @@ log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates fo
eval iptables -A $chain $@ -j ULOG $LOGPARMS --ulog-prefix '"`printf "$LOGFORMAT" $chain $rulenum $disposition`"' eval iptables -A $chain $@ -j ULOG $LOGPARMS --ulog-prefix '"`printf "$LOGFORMAT" $chain $rulenum $disposition`"'
;; ;;
*) *)
eval iptables -A $chain $@ -j LOG $LOGPARMS --log-prefix '"`printf "$LOGFORMAT" $chain $rulenum $disposition`"' eval iptables -A $chain $@ -j LOG $LOGPARMS --log-level $level --log-prefix '"`printf "$LOGFORMAT" $chain $rulenum $disposition`"'
;; ;;
esac esac
@ -943,7 +943,7 @@ log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates fo
eval iptables -A $chain $@ -j ULOG $LOGPARMS --ulog-prefix '"`printf "$LOGFORMAT" $chain $disposition`"' eval iptables -A $chain $@ -j ULOG $LOGPARMS --ulog-prefix '"`printf "$LOGFORMAT" $chain $disposition`"'
;; ;;
*) *)
eval iptables -A $chain $@ -j LOG $LOGPARMS --log-prefix '"`printf "$LOGFORMAT" $chain $disposition`"' eval iptables -A $chain $@ -j LOG $LOGPARMS --log-level $level --log-prefix '"`printf "$LOGFORMAT" $chain $disposition`"'
;; ;;
esac esac

2
Lrp/usr/share/shorewall/version
View File

@ -1 +1 @@
1.4.4a 1.4.4b

2
STABLE/changelog.txt
View File

@ -10,4 +10,6 @@ Changes since 1.4.3a
4. Don't include log rule number when LOGFORMAT doesn't include "%d". 4. Don't include log rule number when LOGFORMAT doesn't include "%d".
5. Add --log-level to LOG rules.

1206
STABLE/documentation/FAQ.htm
View File

File diff suppressed because it is too large Load Diff

2621
STABLE/documentation/News.htm
View File

File diff suppressed because it is too large Load Diff

213
STABLE/documentation/errata.htm
View File

@ -19,13 +19,13 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1> <h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
@ -33,58 +33,58 @@
<p align="center"> <b><u>IMPORTANT</u></b></p> <p align="center"> <b><u>IMPORTANT</u></b></p>
<ol> <ol>
<li> <li>
<p align="left"> <b><u>I</u>f you use a Windows system to download <p align="left"> <b><u>I</u>f you use a Windows system to download
a corrected script, be sure to run the script through <u> a corrected script, be sure to run the script through <u>
<a href="http://www.megaloman.com/%7Ehany/software/hd2u/" <a href="http://www.megaloman.com/%7Ehany/software/hd2u/"
style="text-decoration: none;"> dos2unix</a></u> after you have moved style="text-decoration: none;"> dos2unix</a></u> after you have moved
it to your Linux system.</b></p> it to your Linux system.</b></p>
</li> </li>
<li> <li>
<p align="left"> <b>If you are installing Shorewall for the first <p align="left"> <b>If you are installing Shorewall for the
time and plan to use the .tgz and install.sh script, you can untar first time and plan to use the .tgz and install.sh script, you can
the archive, replace the 'firewall' script in the untarred directory untar the archive, replace the 'firewall' script in the untarred directory
with the one you downloaded below, and then run install.sh.</b></p> with the one you downloaded below, and then run install.sh.</b></p>
</li> </li>
<li> <li>
<p align="left"> <b>When the instructions say to install a corrected <p align="left"> <b>When the instructions say to install a corrected
firewall script in /usr/share/shorewall/firewall, you firewall script in /usr/share/shorewall/firewall, you
may rename the existing file before copying in the new file.</b></p> may rename the existing file before copying in the new file.</b></p>
</li> </li>
<li> <li>
<p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS <p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW.
For example, do NOT install the 1.3.9a firewall script if you are For example, do NOT install the 1.3.9a firewall script if you are
running 1.3.7c.</font></b><br> running 1.3.7c.</font></b><br>
</p> </p>
</li> </li>
</ol> </ol>
<ul> <ul>
<li><b><a href="upgrade_issues.htm">Upgrade <li><b><a href="upgrade_issues.htm">Upgrade
Issues</a></b></li> Issues</a></b></li>
<li><b><a href="#V1.4">Problems in Version 1.4</a></b><br> <li><b><a href="#V1.4">Problems in Version 1.4</a></b><br>
</li> </li>
<li> <b><a <li> <b><a
href="errata_3.html">Problems in Version 1.3</a></b></li> href="errata_3.html">Problems in Version 1.3</a></b></li>
<li> <b><a <li> <b><a
href="errata_2.htm">Problems in Version 1.2</a></b></li> href="errata_2.htm">Problems in Version 1.2</a></b></li>
<li> <b><font <li> <b><font
color="#660066"> <a href="errata_1.htm">Problems in Version 1.1</a></font></b></li> color="#660066"> <a href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
<li> <b><font <li> <b><font
color="#660066"><a href="#iptables"> Problem with iptables version 1.2.3 color="#660066"><a href="#iptables"> Problem with iptables version 1.2.3
on RH7.2</a></font></b></li> on RH7.2</a></font></b></li>
<li> <b><a <li> <b><a
href="#Debug">Problems with kernels &gt;= 2.4.18 and RedHat href="#Debug">Problems with kernels &gt;= 2.4.18 and
iptables</a></b></li> RedHat iptables</a></b></li>
<li><b><a href="#SuSE">Problems installing/upgrading <li><b><a href="#SuSE">Problems installing/upgrading
RPM on SuSE</a></b></li> RPM on SuSE</a></b></li>
<li><b><a href="#Multiport">Problems with <li><b><a href="#Multiport">Problems with
iptables version 1.2.7 and MULTIPORT=Yes</a></b></li> iptables version 1.2.7 and MULTIPORT=Yes</a></b></li>
<li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10 <li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10
and NAT</a></b><br> and NAT</a></b><br>
</li> </li>
</ul> </ul>
@ -93,81 +93,95 @@ iptables version 1.2.7 and MULTIPORT=Yes</a></b></li>
<h3></h3> <h3></h3>
<h3>1.4.4<br> <h3>1.4.4-1.4.4a</h3>
</h3>
<ul> <ul>
<li> If you have zone names that are 5 characters long, you may experience <li>Log messages are being displayed on the system console even though
the log level for the console is set properly according to <a
href="FAQ.htm#faq16">FAQ 16</a>. This problem may be corrected by installing
<a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4a/firewall"
target="_top">this firewall script</a> in /usr/share/shorewall/firewall
as described above.<br>
</li>
</ul>
<h3>1.4.4<br>
</h3>
<ul>
<li> If you have zone names that are 5 characters long, you may experience
problems starting Shorewall because the --log-prefix in a logging rule is problems starting Shorewall because the --log-prefix in a logging rule is
too long. Upgrade to Version 1.4.4a to fix this problem..</li> too long. Upgrade to Version 1.4.4a to fix this problem..</li>
</ul> </ul>
<h3>1.4.3</h3> <h3>1.4.3</h3>
<ul> <ul>
<li>The LOGMARKER variable introduced in version 1.4.3 was intended to <li>The LOGMARKER variable introduced in version 1.4.3 was intended to
allow integration of Shorewall with Fireparse (http://www.firewparse.com). allow integration of Shorewall with Fireparse (http://www.firewparse.com).
Unfortunately, LOGMARKER only solved part of the integration problem. I have Unfortunately, LOGMARKER only solved part of the integration problem. I
implimented a new LOGFORMAT variable which will replace LOGMARKER which has have implimented a new LOGFORMAT variable which will replace LOGMARKER which
completely solved this problem and is currently in production with fireparse has completely solved this problem and is currently in production with fireparse
here at shorewall.net. The updated files may be found at <a here at shorewall.net. The updated files may be found at <a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/" href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/"
target="_top">ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/</a>. target="_top">ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/</a>.
See the 0README.txt file for details.<br> See the 0README.txt file for details.<br>
</li> </li>
</ul> </ul>
<h3>1.4.2</h3> <h3>1.4.2</h3>
<ul> <ul>
<li>When an 'add' or 'delete' command is executed, a temporary directory <li>When an 'add' or 'delete' command is executed, a temporary directory
created in /tmp is not being removed. This problem may be corrected by installing created in /tmp is not being removed. This problem may be corrected by
<a installing <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.2/firewall" href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.2/firewall"
target="_top">this firewall script</a> in /usr/share/shorewall/firewall as target="_top">this firewall script</a> in /usr/share/shorewall/firewall
described ablve. <br> as described above. <br>
</li> </li>
</ul> </ul>
<h3>1.4.1a, 1.4.1 and 1.4.0</h3> <h3>1.4.1a, 1.4.1 and 1.4.0</h3>
<ul> <ul>
<li>Some TCP requests are rejected in the 'common' chain with an ICMP <li>Some TCP requests are rejected in the 'common' chain with an ICMP
port-unreachable response rather than the more appropriate TCP RST response. port-unreachable response rather than the more appropriate TCP RST response.
This problem is corrected in <a This problem is corrected in <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.1a/common.def" href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.1a/common.def"
target="_top">this updated common.def file</a> which may be installed in target="_top">this updated common.def file</a> which may be installed in
/etc/shorewall/common.def.<br> /etc/shorewall/common.def.<br>
</li> </li>
</ul> </ul>
<h3>1.4.1</h3> <h3>1.4.1</h3>
<ul> <ul>
<li>When a "shorewall check" command is executed, each "rule" produces <li>When a "shorewall check" command is executed, each "rule" produces
the harmless additional message:<br> the harmless additional message:<br>
<br> <br>
     /usr/share/shorewall/firewall: line 2174: [: =: unary operator      /usr/share/shorewall/firewall: line 2174: [: =: unary operator
expected<br> expected<br>
<br> <br>
You may correct the problem by installing <a You may correct the problem by installing <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.1/firewall" href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.1/firewall"
target="_top">this corrected script</a> in /usr/share/shorewall/firewall target="_top">this corrected script</a> in /usr/share/shorewall/firewall
as described above.<br> as described above.<br>
</li> </li>
</ul> </ul>
<h3>1.4.0</h3> <h3>1.4.0</h3>
<ul> <ul>
<li>When running under certain shells Shorewall will attempt to create <li>When running under certain shells Shorewall will attempt to
ECN rules even when /etc/shorewall/ecn is empty. You may either just remove create ECN rules even when /etc/shorewall/ecn is empty. You may either
/etc/shorewall/ecn or you can install <a just remove /etc/shorewall/ecn or you can install <a
href="http://www.shorewall.net/pub/shorewall/errata/1.4.0/firewall">this href="http://www.shorewall.net/pub/shorewall/errata/1.4.0/firewall">this
correct script</a> in /usr/share/shorewall/firewall as described above.<br> correct script</a> in /usr/share/shorewall/firewall as described above.<br>
</li> </li>
</ul> </ul>
@ -191,16 +205,16 @@ expected<br>
corrected 1.2.3 rpm which you can download here</a>  and I corrected 1.2.3 rpm which you can download here</a>  and I
have also built an <a have also built an <a
href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm"> href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
iptables-1.2.4 rpm which you can download here</a>. If you are currently iptables-1.2.4 rpm which you can download here</a>. If you are currently
running RedHat 7.1, you can install either of these RPMs running RedHat 7.1, you can install either of these RPMs
<b><u>before</u> </b>you upgrade to RedHat 7.2.</p> <b><u>before</u> </b>you upgrade to RedHat 7.2.</p>
<p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat <p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat
has released an iptables-1.2.4 RPM of their own which you has released an iptables-1.2.4 RPM of their own which you can
can download from<font color="#ff6633"> <a download from<font color="#ff6633"> <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>. href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
</font>I have installed this RPM on my firewall and it </font>I have installed this RPM on my firewall and it works
works fine.</p> fine.</p>
<p align="left">If you would like to patch iptables 1.2.3 yourself, <p align="left">If you would like to patch iptables 1.2.3 yourself,
the patches are available for download. This <a the patches are available for download. This <a
@ -213,14 +227,14 @@ works fine.</p>
<p align="left">To install one of the above patches:</p> <p align="left">To install one of the above patches:</p>
<ul> <ul>
<li>cd iptables-1.2.3/extensions</li> <li>cd iptables-1.2.3/extensions</li>
<li>patch -p0 &lt; <i>the-patch-file</i></li> <li>patch -p0 &lt; <i>the-patch-file</i></li>
</ul> </ul>
</blockquote> </blockquote>
<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18 and <h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18
RedHat iptables</h3> and RedHat iptables</h3>
<blockquote> <blockquote>
<p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19 <p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19
@ -228,71 +242,72 @@ RedHat iptables</h3>
<blockquote> <blockquote>
<pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre> <pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre>
</blockquote> </blockquote>
<p>The RedHat iptables RPM is compiled with debugging enabled but the <p>The RedHat iptables RPM is compiled with debugging enabled but the
user-space debugging code was not updated to reflect recent changes in user-space debugging code was not updated to reflect recent changes in
the Netfilter 'mangle' table. You can correct the problem by the Netfilter 'mangle' table. You can correct the problem by
installing <a installing <a
href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm"> href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
this iptables RPM</a>. If you are already running a 1.2.5 this iptables RPM</a>. If you are already running a 1.2.5
version of iptables, you will need to specify the --oldpackage version of iptables, you will need to specify the --oldpackage
option to rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p> option to rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
</blockquote> </blockquote>
<h3><a name="SuSE"></a>Problems installing/upgrading <h3><a name="SuSE"></a>Problems installing/upgrading
RPM on SuSE</h3> RPM on SuSE</h3>
<p>If you find that rpm complains about a conflict with kernel &lt;= <p>If you find that rpm complains about a conflict with kernel &lt;=
2.2 yet you have a 2.4 kernel installed, simply use the "--nodeps" 2.2 yet you have a 2.4 kernel installed, simply use the
option to rpm.</p> "--nodeps" option to rpm.</p>
<p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p> <p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<p>Upgrading: rpm -Uvh --nodeps <i>&lt;shorewall rpm&gt;</i></p> <p>Upgrading: rpm -Uvh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<h3><a name="Multiport"></a><b>Problems with iptables version 1.2.7 and <h3><a name="Multiport"></a><b>Problems with iptables version 1.2.7 and
MULTIPORT=Yes</b></h3> MULTIPORT=Yes</b></h3>
<p>The iptables 1.2.7 release of iptables has made an incompatible <p>The iptables 1.2.7 release of iptables has made an incompatible
change to the syntax used to specify multiport match rules; as change to the syntax used to specify multiport match rules;
a consequence, if you install iptables 1.2.7 you must as a consequence, if you install iptables 1.2.7 you must
be running Shorewall 1.3.7a or later or:</p> be running Shorewall 1.3.7a or later or:</p>
<ul> <ul>
<li>set MULTIPORT=No <li>set MULTIPORT=No
in /etc/shorewall/shorewall.conf; or in /etc/shorewall/shorewall.conf; or
</li> </li>
<li>if you are <li>if you are
running Shorewall 1.3.6 you may running Shorewall 1.3.6 you may
install <a install <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
this firewall script</a> in /var/lib/shorewall/firewall this firewall script</a> in /var/lib/shorewall/firewall
as described above.</li> as described above.</li>
</ul> </ul>
<h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br> <h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br>
</h3> </h3>
/etc/shorewall/nat entries of the following form will /etc/shorewall/nat entries of the following form
result in Shorewall being unable to start:<br> will result in Shorewall being unable to start:<br>
<br> <br>
<pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22    eth0    192.168.9.22   yes     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre> <pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22    eth0    192.168.9.22   yes     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
Error message is:<br> Error message is:<br>
<pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre> <pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
The solution is to put "no" in the LOCAL column. Kernel The solution is to put "no" in the LOCAL column.
support for LOCAL=yes has never worked properly and 2.4.18-10 Kernel support for LOCAL=yes has never worked properly and 2.4.18-10
has disabled it. The 2.4.19 kernel contains corrected support under has disabled it. The 2.4.19 kernel contains corrected support under
a new kernel configuraiton option; see <a a new kernel configuraiton option; see <a
href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br> href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
<p><font size="2"> Last updated 5/27/2003 - <a href="support.htm">Tom Eastep</a></font> <p><font size="2"> Last updated 5/29/2003 - <a href="support.htm">Tom
</p> Eastep</a></font> </p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p> </p>
<br>
</body> </body>
</html> </html>

220
STABLE/documentation/mailing_list.htm
View File

@ -19,101 +19,105 @@
<table height="90" bgcolor="#400169" id="AutoNumber1" width="100%" <table height="90" bgcolor="#400169" id="AutoNumber1" width="100%"
style="border-collapse: collapse;" cellspacing="0" cellpadding="0" style="border-collapse: collapse;" cellspacing="0" cellpadding="0"
border="0"> border="0">
<tbody> <tbody>
<tr> <tr>
<td width="33%" valign="middle" <td width="33%" valign="middle"
align="left"> align="left">
<h1 align="center"><a <h1 align="center"><a
href="http://www.centralcommand.com/linux_products.html"><img href="http://www.centralcommand.com/linux_products.html"><img
src="images/Vexira_Antivirus_Logo.gif" alt="Vexira Logo" width="78" src="images/Vexira_Antivirus_Logo.gif" alt="Vexira Logo" width="78"
height="79" align="left"> height="79" align="left">
</a></h1> </a></h1>
<a <a
href="http://www.gnu.org/software/mailman/mailman.html"> <img href="http://www.gnu.org/software/mailman/mailman.html"> <img
border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110" border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110"
height="35" alt=""> height="35" alt="">
</a> </a>
<p align="right"><font color="#ffffff"><b>  </b></font> </p> <p align="right"><font color="#ffffff"><b>  </b></font> </p>
</td> </td>
<td valign="middle" width="34%" align="center"> <td valign="middle" width="34%" align="center">
<h1 align="center"><font color="#ffffff">Shorewall Mailing Lists</font></h1> <h1 align="center"><font color="#ffffff">Shorewall Mailing Lists</font></h1>
</td> </td>
<td valign="middle" width="33%"> <a <td valign="middle" width="33%">
href="http://www.postfix.org/"> <img <a href="http://www.postfix.org/"> <img
src="images/postfix-white.gif" align="right" border="0" width="124" src="images/postfix-white.gif" align="right" border="0" width="124"
height="66" alt="(Postfix Logo)"> height="66" alt="(Postfix Logo)">
</a><br> </a><br>
<div align="left"><a href="http://www.spamassassin.org"><img <div align="left"><a href="http://www.spamassassin.org"><img
src="images/ninjalogo.png" alt="" width="110" height="42" align="right" src="images/ninjalogo.png" alt="" width="110" height="42" align="right"
border="0"> border="0">
</a> </div> </a> </div>
<br> <br>
<div align="right"><br> <div align="right"><br>
<b><font color="#ffffff"><br> <b><font color="#ffffff"><br>
   </font></b><br>    </font></b><br>
</div> </div>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<h1>REPORTING A PROBLEM OR ASKING FOR HELP? If you haven't already, please <h1>REPORTING A PROBLEM OR ASKING FOR HELP? If you haven't already, please
read the <a href="http://www.shorewall.net/support.htm">Shorewall Support read the <a href="http://www.shorewall.net/support.htm">Shorewall Support
Guide</a>.<br> Guide</a>.<br>
</h1> </h1>
<p align="left">If you experience problems with any of these lists, please <p align="left">If you experience problems with any of these lists, please
let <a href="mailto:postmaster@shorewall.net">me</a> know</p> let <a href="mailto:postmaster@shorewall.net">me</a> know</p>
<h2 align="left">Not able to Post Mail to shorewall.net?</h2> <h2 align="left">Not able to Post Mail to shorewall.net?</h2>
<p align="left">You can report such problems by sending mail to tmeastep <p align="left">You can report such problems by sending mail to tmeastep at
at hotmail dot com.</p> hotmail dot com.</p>
<h2>A Word about the SPAM Filters at Shorewall.net <a <h2>A Word about the SPAM Filters at Shorewall.net <a
href="http://osirusoft.com/"> </a></h2> href="http://osirusoft.com/"> </a></h2>
<p>Please note that the mail server at shorewall.net <p>Please note that the mail server at shorewall.net checks
checks incoming mail:<br> incoming mail:<br>
</p> </p>
<ol> <ol>
<li>against <a href="http://spamassassin.org">Spamassassin</a> <li>against <a href="http://spamassassin.org">Spamassassin</a>
(including <a href="http://razor.sourceforge.net/">Vipul's Razor</a>).<br> (including <a href="http://razor.sourceforge.net/">Vipul's Razor</a>).<br>
</li> </li>
<li>to ensure that the sender address is fully qualified.</li> <li>to ensure that the sender address is fully
<li>to verify that the sender's domain has an A qualified.</li>
<li>to verify that the sender's domain has an A
or MX record in DNS.</li> or MX record in DNS.</li>
<li>to ensure that the host name in the HELO/EHLO <li>to ensure that the host name in the HELO/EHLO
command is a valid fully-qualified DNS name that resolves.</li> command is a valid fully-qualified DNS name that resolves.</li>
<li>to ensure that the client system has a valid PTR record in DNS.<br>
</li>
</ol> </ol>
<h2>Please post in plain text</h2> <h2>Please post in plain text</h2>
A growing number of MTAs serving list subscribers are rejecting A growing number of MTAs serving list subscribers are rejecting
all HTML traffic. At least one MTA has gone so far as to blacklist all HTML traffic. At least one MTA has gone so far as to blacklist
shorewall.net "for continuous abuse" because it has been my policy to shorewall.net "for continuous abuse" because it has been my policy
allow HTML in list posts!!<br> to allow HTML in list posts!!<br>
<br> <br>
I think that blocking all HTML is a Draconian way to control I think that blocking all HTML is a Draconian way to control
spam and that the ultimate losers here are not the spammers but the spam and that the ultimate losers here are not the spammers but the
list subscribers whose MTAs are bouncing all shorewall.net mail. As list subscribers whose MTAs are bouncing all shorewall.net mail. As
one list subscriber wrote to me privately "These e-mail admin's need to one list subscriber wrote to me privately "These e-mail admin's need
get a <i>(explitive deleted)</i> life instead of trying to rid the planet to get a <i>(explitive deleted)</i> life instead of trying to rid the
of HTML based e-mail". Nevertheless, to allow subscribers to receive list planet of HTML based e-mail". Nevertheless, to allow subscribers to receive
posts as must as possible, I have now configured the list server at shorewall.net list posts as must as possible, I have now configured the list server
to strip all HTML from outgoing posts. This means that HTML-only posts at shorewall.net to strip all HTML from outgoing posts. This means that
will be bounced by the list server.<br> HTML-only posts will be bounced by the list server.<br>
<p align="left"> <b>Note: </b>The list server limits posts to 120kb.<br> <p align="left"> <b>Note: </b>The list server limits posts to 120kb.<br>
</p> </p>
<h2>Other Mail Delivery Problems</h2> <h2>Other Mail Delivery Problems</h2>
If you find that you are missing an occasional list post, If you find that you are missing an occasional list post,
your e-mail admin may be blocking mail whose <i>Received:</i> headers your e-mail admin may be blocking mail whose <i>Received:</i> headers
contain the names of certain ISPs. Again, I believe that such policies contain the names of certain ISPs. Again, I believe that such policies
hurt more than they help but I'm not prepared to go so far as to start hurt more than they help but I'm not prepared to go so far as to start
@ -129,12 +133,12 @@ stripping <i>Received:</i> headers to circumvent those policies.<br>
<option value="or">Any </option> <option value="or">Any </option>
<option value="boolean">Boolean </option> <option value="boolean">Boolean </option>
</select> </select>
Format: Format:
<select name="format"> <select name="format">
<option value="builtin-long">Long </option> <option value="builtin-long">Long </option>
<option value="builtin-short">Short </option> <option value="builtin-short">Short </option>
</select> </select>
Sort by: Sort by:
<select name="sort"> <select name="sort">
<option value="score">Score </option> <option value="score">Score </option>
<option value="time">Time </option> <option value="time">Time </option>
@ -143,46 +147,46 @@ stripping <i>Received:</i> headers to circumvent those policies.<br>
<option value="revtime">Reverse Time </option> <option value="revtime">Reverse Time </option>
<option value="revtitle">Reverse Title </option> <option value="revtitle">Reverse Title </option>
</select> </select>
</font> <input type="hidden" name="config" </font> <input type="hidden" name="config"
value="htdig"> <input type="hidden" name="restrict" value="htdig"> <input type="hidden" name="restrict"
value="[http://lists.shorewall.net/pipermail/.*]"> <input type="hidden" value="[http://lists.shorewall.net/pipermail/.*]"> <input type="hidden"
name="exclude" value=""> <br> name="exclude" value=""> <br>
Search: <input type="text" size="30" Search: <input type="text" size="30"
name="words" value=""> <input type="submit" value="Search"> </p> name="words" value=""> <input type="submit" value="Search"> </p>
</form> </form>
<h2 align="left"><font color="#ff0000">Please do not try to download the <h2 align="left"><font color="#ff0000">Please do not try to download the entire
entire Archive -- it is 75MB (and growing daily) and my slow DSL line simply Archive -- it is 75MB (and growing daily) and my slow DSL line simply won't
won't stand the traffic. If I catch you, you will be blacklisted.<br> stand the traffic. If I catch you, you will be blacklisted.<br>
</font></h2> </font></h2>
<h2 align="left">Shorewall CA Certificate</h2> <h2 align="left">Shorewall CA Certificate</h2>
If you want to trust X.509 certificates issued by If you want to trust X.509 certificates issued
Shoreline Firewall (such as the one used on my web site), you by Shoreline Firewall (such as the one used on my web site), you
may <a href="Shorewall_CA_html.html">download and install my CA certificate</a> may <a href="Shorewall_CA_html.html">download and install my CA certificate</a>
in your browser. If you don't wish to trust my certificates then in your browser. If you don't wish to trust my certificates
you can either use unencrypted access when subscribing to Shorewall then you can either use unencrypted access when subscribing to
mailing lists or you can use secure access (SSL) and accept the server's Shorewall mailing lists or you can use secure access (SSL) and
certificate when prompted by your browser.<br> accept the server's certificate when prompted by your browser.<br>
<h2 align="left">Shorewall Users Mailing List</h2> <h2 align="left">Shorewall Users Mailing List</h2>
<p align="left">The Shorewall Users Mailing list provides a way for users <p align="left">The Shorewall Users Mailing list provides a way for users
to get answers to questions and to report problems. Information to get answers to questions and to report problems. Information
of general interest to the Shorewall user community is also posted of general interest to the Shorewall user community is also posted
to this list.</p> to this list.</p>
<p align="left"><b>Before posting a problem report to this list, please see <p align="left"><b>Before posting a problem report to this list, please see
the <a href="http://www.shorewall.net/support.htm">problem reporting the <a href="http://www.shorewall.net/support.htm">problem
guidelines</a>.</b></p> reporting guidelines</a>.</b></p>
<p align="left">To subscribe to the mailing list:<br> <p align="left">To subscribe to the mailing list:<br>
</p> </p>
<ul> <ul>
<li><b>Insecure: </b><a <li><b>Insecure: </b><a
href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a></li> href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a></li>
<li><b>SSL:</b> <a <li><b>SSL:</b> <a
href="https://lists.shorewall.net/mailman/listinfo/shorewall-users" href="https://lists.shorewall.net/mailman/listinfo/shorewall-users"
target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-users</a></li> target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-users</a></li>
@ -194,45 +198,45 @@ may <a href="Shorewall_CA_html.html">download and install my CA certificate</a>
<p align="left">The list archives are at <a <p align="left">The list archives are at <a
href="http://lists.shorewall.net/pipermail/shorewall-users/index.html">http://lists.shorewall.net/pipermail/shorewall-users</a>.</p> href="http://lists.shorewall.net/pipermail/shorewall-users/index.html">http://lists.shorewall.net/pipermail/shorewall-users</a>.</p>
<p align="left">Note that prior to 1/1/2002, the mailing list was hosted at <p align="left">Note that prior to 1/1/2002, the mailing list was hosted
<a href="http://sourceforge.net">Sourceforge</a>. The archives from that list at <a href="http://sourceforge.net">Sourceforge</a>. The archives from that
may be found at <a list may be found at <a
href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p> href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p>
<h2 align="left">Shorewall Announce Mailing List</h2> <h2 align="left">Shorewall Announce Mailing List</h2>
<p align="left">This list is for announcements of general interest to the <p align="left">This list is for announcements of general interest to the
Shorewall community. To subscribe:<br> Shorewall community. To subscribe:<br>
</p> </p>
<p align="left"></p> <p align="left"></p>
<ul> <ul>
<li><b>Insecure:</b> <a <li><b>Insecure:</b> <a
href="http://lists.shorewall.net/mailman/listinfo/shorewall-announce">http://lists.shorewall.net/mailman/listinfo/shorewall-announce</a></li> href="http://lists.shorewall.net/mailman/listinfo/shorewall-announce">http://lists.shorewall.net/mailman/listinfo/shorewall-announce</a></li>
<li><b>SSL</b>: <a <li><b>SSL</b>: <a
href="https://lists.shorewall.net/mailman/listinfo/shorewall-announce" href="https://lists.shorewall.net/mailman/listinfo/shorewall-announce"
target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-announce.</a></li> target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-announce.</a></li>
</ul> </ul>
<p align="left"><br> <p align="left"><br>
The list archives are at <a The list archives are at <a
href="http://lists.shorewall.net/pipermail/shorewall-announce">http://lists.shorewall.net/pipermail/shorewall-announce</a>.</p> href="http://lists.shorewall.net/pipermail/shorewall-announce">http://lists.shorewall.net/pipermail/shorewall-announce</a>.</p>
<h2 align="left">Shorewall Development Mailing List</h2> <h2 align="left">Shorewall Development Mailing List</h2>
<p align="left">The Shorewall Development Mailing list provides a forum for <p align="left">The Shorewall Development Mailing list provides a forum for
the exchange of ideas about the future of Shorewall and for coordinating the exchange of ideas about the future of Shorewall and for
ongoing Shorewall Development.</p> coordinating ongoing Shorewall Development.</p>
<p align="left">To subscribe to the mailing list:<br> <p align="left">To subscribe to the mailing list:<br>
</p> </p>
<ul> <ul>
<li><b>Insecure: </b><a <li><b>Insecure: </b><a
href="http://lists.shorewall.net/mailman/listinfo/shorewall-devel">http://lists.shorewall.net/mailman/listinfo/shorewall-devel</a></li> href="http://lists.shorewall.net/mailman/listinfo/shorewall-devel">http://lists.shorewall.net/mailman/listinfo/shorewall-devel</a></li>
<li><b>SSL:</b> <a <li><b>SSL:</b> <a
href="https://lists.shorewall.net/mailman/listinfo/shorewall-devel" href="https://lists.shorewall.net/mailman/listinfo/shorewall-devel"
target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-devel.</a></li> target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-devel.</a></li>
@ -245,30 +249,31 @@ may be found at <a
href="http://lists.shorewall.net/pipermail/shorewall-devel">http://lists.shorewall.net/pipermail/shorewall-devel</a>.</p> href="http://lists.shorewall.net/pipermail/shorewall-devel">http://lists.shorewall.net/pipermail/shorewall-devel</a>.</p>
<h2 align="left"><a name="Unsubscribe"></a>How to Unsubscribe from one of <h2 align="left"><a name="Unsubscribe"></a>How to Unsubscribe from one of
the Mailing Lists</h2> the Mailing Lists</h2>
<p align="left">There seems to be near-universal confusion about unsubscribing <p align="left">There seems to be near-universal confusion about unsubscribing
from Mailman-managed lists although Mailman 2.1 has attempted from Mailman-managed lists although Mailman 2.1 has attempted
to make this less confusing. To unsubscribe:</p> to make this less confusing. To unsubscribe:</p>
<ul> <ul>
<li> <li>
<p align="left">Follow the same link above that you used to subscribe <p align="left">Follow the same link above that you used to subscribe
to the list.</p> to the list.</p>
</li> </li>
<li> <li>
<p align="left">Down at the bottom of that page is the following text: <p align="left">Down at the bottom of that page is the following text:
" To <b>unsubscribe</b> from <i>&lt;list name&gt;</i>, get a " To <b>unsubscribe</b> from <i>&lt;list name&gt;</i>, get
password reminder, or change your subscription options enter a password reminder, or change your subscription options enter
your subscription email address:". Enter your email address your subscription email address:". Enter your email address
in the box and click on the "<b>Unsubscribe</b> or edit options" button.</p> in the box and click on the "<b>Unsubscribe</b> or edit options"
</li> button.</p>
<li> </li>
<li>
<p align="left">There will now be a box where you can enter your password <p align="left">There will now be a box where you can enter your password
and click on "Unsubscribe"; if you have forgotten your password, and click on "Unsubscribe"; if you have forgotten your password,
there is another button that will cause your password to be emailed there is another button that will cause your password to be
to you.</p> emailed to you.</p>
</li> </li>
</ul> </ul>
@ -277,12 +282,13 @@ may be found at <a
<p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p> <p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p>
<p align="left"><font size="2">Last updated 3/24/2003 - <a <p align="left"><font size="2">Last updated 5/29/2003 - <a
href="http://www.shorewall.net/support.htm">Tom Eastep</a></font></p> href="http://www.shorewall.net/support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"> <font size="2">Copyright</font> <p align="left"><a href="copyright.htm"> <font size="2">Copyright</font> ©
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p> </p>
<br>
<br> <br>
<br> <br>
</body> </body>

143
STABLE/documentation/myfiles.htm
View File

File diff suppressed because one or more lines are too long

312
STABLE/documentation/seattlefirewall_index.htm
View File

@ -7,7 +7,7 @@
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.4</title> <title>Shoreline Firewall (Shorewall) 1.4</title>
<base <base
target="_self"> target="_self">
</head> </head>
<body> <body>
@ -16,11 +16,11 @@
style="border-collapse: collapse;" width="100%" id="AutoNumber3" style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td width="100%" height="90"> <td width="100%" height="90">
@ -29,11 +29,11 @@
alt="Shorwall Logo" height="70" width="85" align="left" alt="Shorwall Logo" height="70" width="85" align="left"
src="images/washington.jpg" border="0"> src="images/washington.jpg" border="0">
</a></i></font><a href="http://www.shorewall.net" </a></i></font><a href="http://www.shorewall.net"
target="_top"><img border="1" src="images/shorewall.jpg" width="119" target="_top"><img border="1" src="images/shorewall.jpg" width="119"
height="38" hspace="4" alt="(Shorewall Logo)" align="right" vspace="4"> height="38" hspace="4" alt="(Shorewall Logo)" align="right" vspace="4">
</a></h1> </a></h1>
<small><small><small><small><a <small><small><small><small><a
href="http://www.shorewall.net" target="_top"> </a></small></small></small></small> href="http://www.shorewall.net" target="_top"> </a></small></small></small></small>
@ -41,20 +41,22 @@
<div align="center"> <div align="center">
<h1><font color="#ffffff"> Shorewall 1.4</font><i><font <h1><font color="#ffffff"> Shorewall 1.4</font><i><font
color="#ffffff"> <small><small><small>"iptables made easy"</small></small></small></font></i><a color="#ffffff"> <small><small><small>"iptables made easy"</small></small></small></font></i><a
href="1.3" target="_top"><font color="#ffffff"><br> href="1.3" target="_top"><font color="#ffffff"><br>
</font></a><br> </font></a><br>
</h1> </h1>
</div> </div>
<p><a href="http://www.shorewall.net" target="_top"> </a> </p> <p><a href="http://www.shorewall.net" target="_top"> </a> </p>
</td> </td>
</tr> </tr>
</tbody> </tbody>
@ -65,11 +67,11 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"> style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody> <tbody>
<tr> <tr>
<td width="90%"> <td width="90%">
@ -78,37 +80,37 @@
<p>The Shoreline Firewall, more commonly known as "Shorewall", is a <p>The Shoreline Firewall, more commonly known as "Shorewall", is
<a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
that can be used on a dedicated firewall system, a multi-function firewall that can be used on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system.</p> gateway/router/server or on a standalone GNU/Linux system.</p>
<p>This program is free software; you can redistribute it and/or modify <p>This program is free software; you can redistribute it and/or modify
it it
under the terms of <a under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU href="http://www.gnu.org/licenses/gpl.html">Version 2 of the
General Public License</a> as published by the Free Software GNU General Public License</a> as published by the Free Software
Foundation.<br> Foundation.<br>
<br> <br>
This program is distributed in the hope This program is distributed in the hope
that it will be useful, but WITHOUT ANY that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty WARRANTY; without even the implied warranty
of MERCHANTABILITY or FITNESS FOR A PARTICULAR of MERCHANTABILITY or FITNESS FOR A PARTICULAR
PURPOSE. See the GNU General Public License PURPOSE. See the GNU General Public License
for more details.<br> for more details.<br>
<br> <br>
You should have received a copy of the You should have received a copy of the
GNU General Public License along GNU General Public License along
with this program; if not, write to the Free with this program; if not, write to the Free
Software Foundation, Inc., 675 Mass Software Foundation, Inc., 675 Mass
Ave, Cambridge, MA 02139, USA</p> Ave, Cambridge, MA 02139, USA</p>
@ -123,139 +125,154 @@ General Public License</a> as published by the Free Software
<h2>Running Shorewall on Mandrake with a two-interface setup?</h2> <h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
If so, almost <b>NOTHING </b>on this site will apply directly to If so, almost <b>NOTHING </b>on this site will apply directly to
your setup. If you want to use the documentation that you find here, it your setup. If you want to use the documentation that you find here, it
is best if you uninstall what you have and install a setup that matches is best if you uninstall what you have and install a setup that matches
the documentation on this site. See the <a href="two-interface.htm">Two-interface the documentation on this site. See the <a href="two-interface.htm">Two-interface
QuickStart Guide</a> for details.<br> QuickStart Guide</a> for details.<br>
<h2> Getting Started with Shorewall</h2> <h2> Getting Started with Shorewall</h2>
New to Shorewall? Start by selecting the <a New to Shorewall? Start by selecting the <a
href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most closely href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most closely
match your environment and follow the step by step instructions.<br> match your environment and follow the step by step instructions.<br>
<h2>News</h2> <h2>News</h2>
<p><b>5/29/2003 - Shorewall-1.4.4b</b><b> </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
<p>Groan -- This version corrects a problem whereby the --log-level
was not being set when logging via syslog. The most commonly reported symptom
was that Shorewall messages were being written to the console even though
console logging was correctly configured per <a href="FAQ.htm#faq16">FAQ
16</a>.<br>
</p>
<p><b>5/27/2003 - Shorewall-1.4.4a</b><b> </b><b><img border="0" <p><b>5/27/2003 - Shorewall-1.4.4a</b><b> </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)"> src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p> </b></p>
The Fireparse --log-prefix fiasco continues. Tuomo Soini has pointed out The Fireparse --log-prefix fiasco continues. Tuomo Soini has pointed out
that the code in 1.4.4 restricts the length of short zone names to 4 characters. that the code in 1.4.4 restricts the length of short zone names to 4 characters.
I've produced version 1.4.4a that restores the previous 5-character limit I've produced version 1.4.4a that restores the previous 5-character limit
by conditionally omitting the log rule number when the LOGFORMAT doesn't by conditionally omitting the log rule number when the LOGFORMAT doesn't
contain '%d'. contain '%d'.
<p><b>5/23/2003 - Shorewall-1.4.4</b><b> </b><b><img border="0" <p><b>5/23/2003 - Shorewall-1.4.4</b><b> </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)"> src="images/new10.gif" width="28" height="12" alt="(New)">
</b><b> </b></p> </b><b> </b></p>
I apologize for the rapid-fire releases but since there is a potential I apologize for the rapid-fire releases but since there is a potential
configuration change required to go from 1.4.3a to 1.4.4, I decided to make configuration change required to go from 1.4.3a to 1.4.4, I decided to
it a full release rather than just a bug-fix release. <br> make it a full release rather than just a bug-fix release. <br>
<br> <br>
<b>    Problems corrected:</b><br> <b>    Problems corrected:</b><br>
<blockquote>None.<br> <blockquote>None.<br>
</blockquote> </blockquote>
<b>    New Features:<br> <b>    New Features:<br>
</b> </b>
<ol> <ol>
<li>A REDIRECT- rule target has been added. This target behaves <li>A REDIRECT- rule target has been added. This target behaves
for REDIRECT in the same way as DNAT- does for DNAT in that the Netfilter for REDIRECT in the same way as DNAT- does for DNAT in that the Netfilter
nat table REDIRECT rule is added but not the companion filter table ACCEPT nat table REDIRECT rule is added but not the companion filter table ACCEPT
rule.<br> rule.<br>
<br> <br>
</li> </li>
<li>The LOGMARKER variable has been renamed LOGFORMAT and has <li>The LOGMARKER variable has been renamed LOGFORMAT and has
been changed to a 'printf' formatting template which accepts three arguments been changed to a 'printf' formatting template which accepts three arguments
(the chain name, logging rule number and the disposition). To use LOGFORMAT (the chain name, logging rule number and the disposition). To use LOGFORMAT
with fireparse (<a href="http://www.fireparse.com">http://www.fireparse.com</a>), with fireparse (<a href="http://www.fireparse.com">http://www.fireparse.com</a>),
set it as:<br> set it as:<br>
 <br>  <br>
       LOGFORMAT="fp=%s:%d a=%s "<br>        LOGFORMAT="fp=%s:%d a=%s "<br>
 <br>  <br>
<b>CAUTION: </b>/sbin/shorewall uses the leading part of the LOGFORMAT <b>CAUTION: </b>/sbin/shorewall uses the leading part of the LOGFORMAT
string (up to but not including the first '%') to find log messages in string (up to but not including the first '%') to find log messages in the
the 'show log', 'status' and 'hits' commands. This part should not be omitted 'show log', 'status' and 'hits' commands. This part should not be omitted
(the LOGFORMAT should not begin with "%") and the leading part should be (the LOGFORMAT should not begin with "%") and the leading part should be
sufficiently unique for /sbin/shorewall to identify Shorewall messages.<br> sufficiently unique for /sbin/shorewall to identify Shorewall messages.<br>
<br> <br>
</li> </li>
<li>When logging is specified on a DNAT[-] or REDIRECT[-] rule, <li>When logging is specified on a DNAT[-] or REDIRECT[-] rule,
the logging now takes place in the nat table rather than in the filter table. the logging now takes place in the nat table rather than in the filter table.
This way, only those connections that actually undergo DNAT or redirection This way, only those connections that actually undergo DNAT or redirection
will be logged.<br> will be logged.<br>
</li> </li>
</ol> </ol>
<p><b>5/20/2003 - Shorewall-1.4.3a</b><br> <p><b>5/20/2003 - Shorewall-1.4.3a</b><br>
</p> </p>
This version primarily corrects the documentation included in the .tgz This version primarily corrects the documentation included in the .tgz
and in the .rpm. In addition: <br> and in the .rpm. In addition: <br>
<ol> <ol>
<li>(This change is in 1.4.3 but is not documented) If you are <li>(This change is in 1.4.3 but is not documented) If you
running iptables 1.2.7a and kernel 2.4.20, then Shorewall will return reject are running iptables 1.2.7a and kernel 2.4.20, then Shorewall will return
replies as follows:<br> reject replies as follows:<br>
   a) tcp - RST<br>    a) tcp - RST<br>
   b) udp - ICMP port unreachable<br>    b) udp - ICMP port unreachable<br>
   c) icmp - ICMP host unreachable<br>    c) icmp - ICMP host unreachable<br>
   d) Otherwise - ICMP host prohibited<br>    d) Otherwise - ICMP host prohibited<br>
If you are running earlier software, Shorewall will follow it's traditional If you are running earlier software, Shorewall will follow it's traditional
convention:<br> convention:<br>
   a) tcp - RST<br>    a) tcp - RST<br>
   b) Otherwise - ICMP port unreachable</li>    b) Otherwise - ICMP port unreachable</li>
<li>UDP port 135 is now silently dropped in the common.def chain. <li>UDP port 135 is now silently dropped in the common.def
Remember that this chain is traversed just before a DROP or REJECT policy chain. Remember that this chain is traversed just before a DROP or REJECT
is enforced.<br> policy is enforced.<br>
</li> </li>
</ol> </ol>
<p><b>5/18/2003 - Shorewall 1.4.3</b><br> <p><b>5/18/2003 - Shorewall 1.4.3</b><br>
</p> </p>
    <b>Problems Corrected:<br>     <b>Problems Corrected:<br>
</b> </b>
<ol> <ol>
<li>There were several cases where Shorewall would fail to <li>There were several cases where Shorewall would fail to
remove a temporary directory from /tmp. These cases have been corrected.</li> remove a temporary directory from /tmp. These cases have been corrected.</li>
<li>The rules for allowing all traffic via the loopback interface <li>The rules for allowing all traffic via the loopback interface
have been moved to before the rule that drops status=INVALID packets. have been moved to before the rule that drops status=INVALID packets.
This insures that all loopback traffic is allowed even if Netfilter connection This insures that all loopback traffic is allowed even if Netfilter connection
tracking is confused.</li> tracking is confused.</li>
</ol> </ol>
    <b>New Features:<br>     <b>New Features:<br>
</b> </b>
<ol> <ol>
<li> <a href="6to4.htm">IPV6-IPV4 (6to4) tunnels are</a> now <li> <a href="6to4.htm">IPV6-IPV4 (6to4) tunnels are</a>
supported in the /etc/shorewall/tunnels file.</li> now supported in the /etc/shorewall/tunnels file.</li>
<li>You may now change the leading portion of the --log-prefix <li>You may now change the leading portion of the --log-prefix
used by Shorewall using the LOGMARKER variable in shorewall.conf. By default, used by Shorewall using the LOGMARKER variable in shorewall.conf. By default,
"Shorewall:" is used.<br> "Shorewall:" is used.<br>
</li> </li>
</ol> </ol>
<p><b>5/10/2003 - Shorewall Mirror in Asia</b><b> </b><br> <p><b>5/10/2003 - Shorewall Mirror in Asia</b><b> </b><br>
</p> </p>
Ed Greshko has established a mirror in Taiwan -- Thanks Ed! Ed Greshko has established a mirror in Taiwan -- Thanks Ed!
<p><b>5/8/2003 - Shorewall Mirror in Chile</b><b>  </b></p> <p><b>5/8/2003 - Shorewall Mirror in Chile</b><b>  </b></p>
<p>Thanks to Darcy Ganga, there is now an HTTP mirror in Santiago Chile.<br> <p>Thanks to Darcy Ganga, there is now an HTTP mirror in Santiago Chile.<br>
</p> </p>
<p><b>4/26/2003 - lists.shorewall.net Downtime</b><b> </b></p> <p><b>4/26/2003 - lists.shorewall.net Downtime</b><b> </b></p>
<p>The list server will be down this morning for upgrade to RH9.0.<br> <p>The list server will be down this morning for upgrade to RH9.0.<br>
</p> </p>
<p><b>4/21/2003 - Samples updated for Shorewall version 1.4.2</b><b> <p><b>4/21/2003 - Samples updated for Shorewall version 1.4.2</b><b>
@ -264,7 +281,7 @@ This insures that all loopback traffic is allowed even if Netfilter connectio
<p>Thanks to Francesca Smith, the sample configurations are now upgraded <p>Thanks to Francesca Smith, the sample configurations are now upgraded
to Shorewall version 1.4.2.</p> to Shorewall version 1.4.2.</p>
@ -274,12 +291,12 @@ This insures that all loopback traffic is allowed even if Netfilter connectio
<blockquote>This morning, I gave <a href="GSLUG.htm" target="_top">a <blockquote>This morning, I gave <a href="GSLUG.htm" target="_top">a
Shorewall presentation to GSLUG</a>. The presentation is Shorewall presentation to GSLUG</a>. The presentation
in HTML format but was generated from Microsoft PowerPoint and is best is in HTML format but was generated from Microsoft PowerPoint and
viewed using Internet Explorer (although Konqueror also seems to work is best viewed using Internet Explorer (although Konqueror also seems
reasonably well as does Opera 7.1.0). Neither Opera 6 nor Netscape to work reasonably well as does Opera 7.1.0). Neither Opera 6 nor
work well to view the presentation.<br> Netscape work well to view the presentation.<br>
</blockquote> </blockquote>
@ -293,7 +310,7 @@ work well to view the presentation.<br>
</ol> </ol>
</blockquote> </blockquote>
@ -303,48 +320,50 @@ work well to view the presentation.<br>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img <p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36" border="0" src="images/leaflogo.gif" width="49" height="36"
alt="(Leaf Logo)"> alt="(Leaf Logo)">
</a>Jacques Nilo and Eric Wolzak have </a>Jacques Nilo and Eric Wolzak have
a LEAF (router/firewall/gateway on a floppy, a LEAF (router/firewall/gateway on a floppy,
CD or compact flash) distribution called CD or compact flash) distribution called
<i>Bering</i> that features Shorewall-1.3.14 <i>Bering</i> that features Shorewall-1.3.14
and Kernel-2.4.20. You can find their and Kernel-2.4.20. You can find their
work at: <a work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br> href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
</a></p> </a></p>
<b>Congratulations to Jacques and Eric on the recent release <b>Congratulations to Jacques and Eric on the recent release
of Bering 1.2!!! </b><br> of Bering 1.2!!! </b><br>
<h2><a name="Donations"></a>Donations</h2> <h2><a name="Donations"></a>Donations</h2>
</td> </td>
<td width="88" bgcolor="#4b017c" valign="top" <td width="88" bgcolor="#4b017c" valign="top"
align="center"> align="center">
<form method="post" <form method="post"
action="http://lists.shorewall.net/cgi-bin/htsearch"> action="http://lists.shorewall.net/cgi-bin/htsearch">
<strong><br> <strong><br>
<font color="#ffffff"><b>Note: <font color="#ffffff"><b>Note:
</b></font></strong><font color="#ffffff">Search is unavailable </b></font></strong><font color="#ffffff">Search is unavailable
Daily 0200-0330 GMT.</font><br> Daily 0200-0330 GMT.</font><br>
<strong></strong> <strong></strong>
<p><font color="#ffffff"><strong>Quick Search</strong></font><br> <p><font color="#ffffff"><strong>Quick Search</strong></font><br>
<font <font
face="Arial" size="-1"> <input type="text" name="words" face="Arial" size="-1"> <input type="text" name="words"
size="15"></font><font size="-1"> </font> <font face="Arial" size="15"></font><font size="-1"> </font> <font face="Arial"
size="-1"> <input type="hidden" name="format" value="long"> <input size="-1"> <input type="hidden" name="format" value="long"> <input
type="hidden" name="method" value="and"> <input type="hidden" type="hidden" name="method" value="and"> <input type="hidden"
name="config" value="htdig"> <input type="submit" value="Search"></font> name="config" value="htdig"> <input type="submit" value="Search"></font>
</p> </p>
<font <font
face="Arial"> <input type="hidden" name="exclude" face="Arial"> <input type="hidden" name="exclude"
value="[http://lists.shorewall.net/pipermail/*]"> </font> </form> value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
@ -352,26 +371,27 @@ of Bering 1.2!!! </b><br>
<p><font color="#ffffff"><b><a <p><font color="#ffffff"><b><a
href="http://lists.shorewall.net/htdig/search.html"><font href="http://lists.shorewall.net/htdig/search.html"><font
color="#ffffff">Extended Search</font></a></b></font></p> color="#ffffff">Extended Search</font></a></b></font></p>
<br> <br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</center> </center>
</div>
</div>
<table border="0" cellpadding="5" cellspacing="0" <table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2" style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td width="100%" style="margin-top: 1px;"> <td width="100%" style="margin-top: 1px;">
@ -379,29 +399,27 @@ of Bering 1.2!!! </b><br>
border="4" src="images/newlog.gif" width="57" height="100" align="left" border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10"> hspace="10">
</a></p> </a></p>
<p align="center"><font size="4" color="#ffffff">Shorewall is free but <p align="center"><font size="4" color="#ffffff">Shorewall is free
if you try it and find it useful, please consider making a donation but if you try it and find it useful, please consider making a donation
to to
<a href="http://www.starlight.org"><font color="#ffffff">Starlight <a href="http://www.starlight.org"><font color="#ffffff">Starlight
Children's Foundation.</font></a> Thanks!</font></p> Children's Foundation.</font></a> Thanks!</font></p>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p><font size="2">Updated 5/27/2003 - <a href="support.htm">Tom Eastep</a></font> <p><font size="2">Updated 5/29/2003 - <a href="support.htm">Tom Eastep</a></font>
<br> <br>
</p> </p>
<br>
<br>
</body> </body>
</html> </html>

99
STABLE/documentation/shoreline.htm
View File

@ -17,83 +17,83 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Tom Eastep</font></h1> <h1 align="center"><font color="#ffffff">Tom Eastep</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p align="center"> <img border="3" src="images/TomNTarry.png" <p align="center"> <img border="3" src="images/TomNTarry.png"
alt="Tom on the PCT - 1991" width="316" height="392"> alt="Tom on the PCT - 1991" width="316" height="392">
</p> </p>
<p align="center">Tarry &amp; Tom -- August 2002<br> <p align="center">Tarry &amp; Tom -- August 2002<br>
<br> <br>
</p> </p>
<ul> <ul>
<li>Born 1945 in <a <li>Born 1945 in <a
href="http://www.experiencewashington.com">Washington State</a> .</li> href="http://www.experiencewashington.com">Washington State</a> .</li>
<li>BA Mathematics from <a <li>BA Mathematics from <a
href="http://www.wsu.edu">Washington State University</a> 1967</li> href="http://www.wsu.edu">Washington State University</a> 1967</li>
<li>MA Mathematics from <a <li>MA Mathematics from <a
href="http://www.washington.edu">University of Washington</a> 1969</li> href="http://www.washington.edu">University of Washington</a> 1969</li>
<li>Burroughs Corporation (now <a <li>Burroughs Corporation (now <a
href="http://www.unisys.com">Unisys</a> ) 1969 - 1980</li> href="http://www.unisys.com">Unisys</a> ) 1969 - 1980</li>
<li><a href="http://www.tandem.com">Tandem Computers, <li><a href="http://www.tandem.com">Tandem Computers,
Incorporated</a> (now part of the <a href="http://www.hp.com">The Incorporated</a> (now part of the <a href="http://www.hp.com">The
New HP</a>) 1980 - present</li> New HP</a>) 1980 - present</li>
<li>Married 1969 - no children.</li> <li>Married 1969 - no children.</li>
</ul> </ul>
<p>I am currently a member of the design team for the next-generation operating <p>I am currently a member of the design team for the next-generation operating
system from the NonStop Enterprise Division of HP. </p> system from the NonStop Enterprise Division of HP. </p>
<p>I became interested in Internet Security when I established a home office <p>I became interested in Internet Security when I established a home office
in 1999 and had DSL service installed in our home. I investigated in 1999 and had DSL service installed in our home. I investigated
ipchains and developed the scripts which are now collectively known ipchains and developed the scripts which are now collectively known
as <a href="http://seawall.sourceforge.net"> Seattle Firewall</a>. as <a href="http://seawall.sourceforge.net"> Seattle Firewall</a>.
Expanding on what I learned from Seattle Firewall, I then designed Expanding on what I learned from Seattle Firewall, I then
and wrote Shorewall. </p> designed and wrote Shorewall. </p>
<p>I telework from our <a <p>I telework from our <a
href="http://lists.shorewall.net/SeattleInTheSpring.html">home</a> in <a href="http://lists.shorewall.net/SeattleInTheSpring.html">home</a> in <a
href="http://www.cityofshoreline.com">Shoreline, Washington</a> where href="http://www.cityofshoreline.com">Shoreline, Washington</a>
I live with my wife Tarry.  </p> where I live with my wife Tarry.  </p>
<p>Our current home network consists of: </p> <p>Our current home network consists of: </p>
<ul> <ul>
<li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB <li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB
&amp; 20GB IDE HDs and LNE100TX (Tulip) NIC - My personal Windows &amp; 20GB IDE HDs and LNE100TX (Tulip) NIC - My personal Windows
system. Serves as a PPTP server for Road Warrior access. Dual boots <a system. Serves as a PPTP server for Road Warrior access. Dual boots <a
href="http://www.mandrakelinux.com">Mandrake</a> 9.0.</li> href="http://www.mandrakelinux.com">Mandrake</a> 9.0.</li>
<li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip) <li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip)
NIC - My personal Linux System which runs Samba configured NIC - My personal Linux System which runs Samba configured as
as a WINS server. This system also has <a a WINS server. This system also has <a
href="http://www.vmware.com/">VMware</a> installed and can run both href="http://www.vmware.com/">VMware</a> installed and can run
<a href="http://www.debian.org">Debian Woody</a> and <a both <a href="http://www.debian.org">Debian Woody</a> and <a
href="http://www.suse.com">SuSE 8.1</a> in virtual machines.</li> href="http://www.suse.com">SuSE 8.1</a> in virtual machines.</li>
<li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 <li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100
NIC  - Email (Postfix, Courier-IMAP and Mailman), HTTP (Apache), FTP NIC  - Email (Postfix, Courier-IMAP and Mailman), HTTP (Apache), FTP
(Pure_ftpd), DNS server (Bind 9).</li> (Pure_ftpd), DNS server (Bind 9).</li>
<li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI HD - <li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI HD -
3 LNE100TX  (Tulip) and 1 TLAN NICs  - Firewall running Shorewall 3 LNE100TX  (Tulip) and 1 TLAN NICs  - Firewall running Shorewall
1.4.2  and a DHCP server.</li> 1.4.4a  and a DHCP server.</li>
<li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 <li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139
NIC - My wife's personal system.</li> NIC - My wife's personal system.</li>
<li>PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB HD, <li>PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB HD,
built-in EEPRO100, EEPRO100 in expansion base and LinkSys WAC11 - My built-in EEPRO100, EEPRO100 in expansion base and LinkSys WAC11 - My
work system.</li> work system.</li>
<li>XP 2200 Laptop, WinXP SP1, 512MB RAM, 40GB HD, built-in NIC and LinkSys <li>XP 2200 Laptop, WinXP SP1, 512MB RAM, 40GB HD, built-in NIC and LinkSys
WAC11 - Our Laptop.<br> WET11 - Our Laptop.<br>
</li> </li>
</ul> </ul>
@ -106,30 +106,31 @@ WAC11 - Our Laptop.<br>
<p><a href="http://www.redhat.com"><img border="0" <p><a href="http://www.redhat.com"><img border="0"
src="images/poweredby.png" width="88" height="31"> src="images/poweredby.png" width="88" height="31">
</a><a href="http://www.compaq.com"><img border="0" </a><a href="http://www.compaq.com"><img border="0"
src="images/poweredbycompaqlog0.gif" hspace="3" width="83" height="25"> src="images/poweredbycompaqlog0.gif" hspace="3" width="83" height="25">
</a><a href="http://www.pureftpd.org"><img border="0" </a><a href="http://www.pureftpd.org"><img
src="images/pure.jpg" width="88" height="31"> border="0" src="images/pure.jpg" width="88" height="31">
</a><font size="4"><a href="http://www.apache.org"><img </a><font size="4"><a href="http://www.apache.org"><img
border="0" src="images/apache_pb1.gif" hspace="2" width="170" border="0" src="images/apache_pb1.gif" hspace="2" width="170"
height="20"> height="20">
</a><a href="http://www.mandrakelinux.com"><img </a><a href="http://www.mandrakelinux.com"><img
src="images/medbutton.png" alt="Powered by Mandrake" width="90" src="images/medbutton.png" alt="Powered by Mandrake" width="90"
height="32"> height="32">
</a><img src="images/shorewall.jpg" </a><img src="images/shorewall.jpg"
alt="Protected by Shorewall" width="125" height="40" hspace="4"> alt="Protected by Shorewall" width="125" height="40" hspace="4">
<a href="http://www.opera.com"><img src="images/opera.png" <a href="http://www.opera.com"><img src="images/opera.png"
alt="(Opera Logo)" width="102" height="39" border="0"> alt="(Opera Logo)" width="102" height="39" border="0">
</a>  <a href="http://www.hp.com"><img </a>  <a href="http://www.hp.com"><img
src="images/penquin_in_blue_racer_sm2.gif" alt="" width="120" src="images/penquin_in_blue_racer_sm2.gif" alt="" width="120"
height="75" border="0"> height="75" border="0">
</a><a href="http://www.opera.com"> </a> </font></p> </a><a href="http://www.opera.com"> </a> </font></p>
<p><font size="2">Last updated 5/8/2003 - </font><font size="2"> <a <p><font size="2">Last updated 5/8/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p> href="support.htm">Tom Eastep</a></font> </p>
<font face="Trebuchet MS"><a href="copyright.htm"><font <font face="Trebuchet MS"><a href="copyright.htm"><font
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas
M. Eastep.</font></a></font><br> M. Eastep.</font></a></font><br>
<br>
<br> <br>
<br> <br>
<br> <br>

326
STABLE/documentation/sourceforge_index.htm
View File

@ -7,8 +7,8 @@
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.3</title> <title>Shoreline Firewall (Shorewall) 1.3</title>
<base
target="_self"> <base target="_self">
</head> </head>
<body> <body>
@ -16,11 +16,11 @@
style="border-collapse: collapse;" width="100%" id="AutoNumber3" style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td width="100%" height="90"> <td width="100%" height="90">
@ -29,17 +29,16 @@
alt="Shorwall Logo" height="70" width="85" align="left" alt="Shorwall Logo" height="70" width="85" align="left"
src="images/washington.jpg" border="0"> src="images/washington.jpg" border="0">
</a></i></font><font color="#ffffff">Shorewall 1.4 </a></i></font><font color="#ffffff">Shorewall 1.4
- <font size="4">"<i>iptables made - <font size="4">"<i>iptables made easy"</i></font></font><br>
easy"</i></font></font><br> <a target="_top" href="1.3/index.html"><font
<a target="_top" href="1.3/index.html"><font
color="#ffffff"> </font></a><a target="_top" color="#ffffff"> </font></a><a target="_top"
href="http://www1.shorewall.net/1.2/index.htm"><font color="#ffffff"><small><small><small><br> href="http://www1.shorewall.net/1.2/index.htm"><font color="#ffffff"><small><small><small><br>
</small></small></small></font></a> </small></small></small></font></a>
</h1> </h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
@ -50,11 +49,11 @@ easy"</i></font></font><br>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"> style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody> <tbody>
<tr> <tr>
<td width="90%"> <td width="90%">
@ -64,37 +63,37 @@ easy"</i></font></font><br>
<p>The Shoreline Firewall, more commonly known as "Shorewall", is <p>The Shoreline Firewall, more commonly known as "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a> a <a href="http://www.netfilter.org">Netfilter</a>
(iptables) based firewall that can be used (iptables) based firewall that can be used
on a dedicated firewall system, a multi-function on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system.</p> gateway/router/server or on a standalone GNU/Linux system.</p>
<p>This program is free software; you can redistribute it and/or modify <p>This program is free software; you can redistribute it and/or modify
it it
under the terms of <a under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU href="http://www.gnu.org/licenses/gpl.html">Version 2 of the
General Public License</a> as published by the Free Software GNU General Public License</a> as published by the Free Software
Foundation.<br> Foundation.<br>
<br> <br>
This program is distributed in the hope This program is distributed in the hope
that it will be useful, but WITHOUT ANY that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty WARRANTY; without even the implied warranty
of MERCHANTABILITY or FITNESS FOR A PARTICULAR of MERCHANTABILITY or FITNESS FOR A PARTICULAR
PURPOSE. See the GNU General Public License PURPOSE. See the GNU General Public License
for more details.<br> for more details.<br>
<br> <br>
You should have received a copy of the You should have received a copy of the
GNU General Public License along GNU General Public License along
with this program; if not, write to the Free with this program; if not, write to the
Software Foundation, Inc., 675 Mass Free Software Foundation, Inc., 675
Ave, Cambridge, MA 02139, USA</p> Mass Ave, Cambridge, MA 02139, USA</p>
@ -105,140 +104,153 @@ General Public License</a> as published by the Free Software
<h2>Running Shorewall on Mandrake with a two-interface setup?</h2> <h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
If so, almost <b>NOTHING </b>on this site will apply directly to If so, almost <b>NOTHING </b>on this site will apply directly to
your setup. If you want to use the documentation that you find here, it your setup. If you want to use the documentation that you find here, it
is best if you uninstall what you have and install a setup that matches is best if you uninstall what you have and install a setup that matches
the documentation on this site. See the <a href="two-interface.htm">Two-interface the documentation on this site. See the <a href="two-interface.htm">Two-interface
QuickStart Guide</a> for details.<br> QuickStart Guide</a> for details.<br>
<h2>Getting Started with Shorewall</h2> <h2>Getting Started with Shorewall</h2>
New to Shorewall? Start by selecting the <a New to Shorewall? Start by selecting the <a
href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most closely href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most closely
match your environment and follow the step by step instructions.<br> match your environment and follow the step by step instructions.<br>
<h2><b>News</b></h2> <h2><b>News</b></h2>
<b> </b> <b> </b>
<p><b>5/29/2003 - Shorewall-1.4.4b</b><b> </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
<p>Groan -- This version corrects a problem whereby the --log-level
was not being set when logging via syslog. The most commonly reported symptom
was that Shorewall messages were being written to the console even though
console logging was correctly configured per <a href="FAQ.htm#faq16">FAQ
16</a>.<br>
</p>
<p><b>5/27/2003 - Shorewall-1.4.4a</b><b> </b><b><img border="0" <p><b>5/27/2003 - Shorewall-1.4.4a</b><b> </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)"> src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p> </b></p>
The Fireparse --log-prefix fiasco continues. Tuomo Soini has pointed out The Fireparse --log-prefix fiasco continues. Tuomo Soini has pointed
that the code in 1.4.4 restricts the length of short zone names to 4 characters. out that the code in 1.4.4 restricts the length of short zone names to 4
I've produced version 1.4.4a that restores the previous 5-character limit characters. I've produced version 1.4.4a that restores the previous 5-character
by conditionally omitting the log rule number when the LOGFORMAT doesn't limit by conditionally omitting the log rule number when the LOGFORMAT doesn't
contain '%d'. contain '%d'.
<p><b>5/23/2003 - Shorewall-1.4.4</b><b> </b><b><img border="0" <p><b>5/23/2003 - Shorewall-1.4.4</b><b> </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)"> src="images/new10.gif" width="28" height="12" alt="(New)">
</b><b> </b></p> </b><b> </b></p>
I apologize for the rapid-fire releases but since there is a potential I apologize for the rapid-fire releases but since there is a potential
configuration change required to go from 1.4.3a to 1.4.4, I decided to make configuration change required to go from 1.4.3a to 1.4.4, I decided to make
it a full release rather than just a bug-fix release. <br> it a full release rather than just a bug-fix release. <br>
<br> <br>
<b>    Problems corrected:</b><br> <b>    Problems corrected:</b><br>
<blockquote>None.<br> <blockquote>None.<br>
</blockquote> </blockquote>
<b>    New Features:<br> <b>    New Features:<br>
</b> </b>
<ol> <ol>
<li>A REDIRECT- rule target has been added. This target behaves <li>A REDIRECT- rule target has been added. This target behaves
for REDIRECT in the same way as DNAT- does for DNAT in that the Netfilter for REDIRECT in the same way as DNAT- does for DNAT in that the Netfilter
nat table REDIRECT rule is added but not the companion filter table ACCEPT nat table REDIRECT rule is added but not the companion filter table ACCEPT
rule.<br> rule.<br>
<br> <br>
</li> </li>
<li>The LOGMARKER variable has been renamed LOGFORMAT and has <li>The LOGMARKER variable has been renamed LOGFORMAT and has
been changed to a 'printf' formatting template which accepts three arguments been changed to a 'printf' formatting template which accepts three arguments
(the chain name, logging rule number and the disposition). To use LOGFORMAT (the chain name, logging rule number and the disposition). To use LOGFORMAT
with fireparse (<a href="http://www.fireparse.com">http://www.fireparse.com</a>), with fireparse (<a href="http://www.fireparse.com">http://www.fireparse.com</a>),
set it as:<br> set it as:<br>
 <br>  <br>
       LOGFORMAT="fp=%s:%d a=%s "<br>        LOGFORMAT="fp=%s:%d a=%s "<br>
 <br>  <br>
<b>CAUTION: </b>/sbin/shorewall uses the leading part of the LOGFORMAT <b>CAUTION: </b>/sbin/shorewall uses the leading part of the LOGFORMAT
string (up to but not including the first '%') to find log messages in string (up to but not including the first '%') to find log messages in the
the 'show log', 'status' and 'hits' commands. This part should not be omitted 'show log', 'status' and 'hits' commands. This part should not be omitted
(the LOGFORMAT should not begin with "%") and the leading part should be (the LOGFORMAT should not begin with "%") and the leading part should be
sufficiently unique for /sbin/shorewall to identify Shorewall messages.<br> sufficiently unique for /sbin/shorewall to identify Shorewall messages.<br>
<br> <br>
</li> </li>
<li>When logging is specified on a DNAT[-] or REDIRECT[-] rule, <li>When logging is specified on a DNAT[-] or REDIRECT[-] rule,
the logging now takes place in the nat table rather than in the filter table. the logging now takes place in the nat table rather than in the filter table.
This way, only those connections that actually undergo DNAT or redirection This way, only those connections that actually undergo DNAT or redirection
will be logged.</li> will be logged.</li>
</ol> </ol>
<p><b>5/20/2003 - Shorewall-1.4.3a</b><b> </b><b> <p><b>5/20/2003 - Shorewall-1.4.3a</b><b> </b><b>
</b><br> </b><br>
</p> </p>
This version primarily corrects the documentation included in the .tgz This version primarily corrects the documentation included in the .tgz
and in the .rpm. In addition: <br> and in the .rpm. In addition: <br>
<ol> <ol>
<li>(This change is in 1.4.3 but is not documented) If you are <li>(This change is in 1.4.3 but is not documented) If you
running iptables 1.2.7a and kernel 2.4.20, then Shorewall will return reject are running iptables 1.2.7a and kernel 2.4.20, then Shorewall will return
replies as follows:<br> reject replies as follows:<br>
   a) tcp - RST<br>    a) tcp - RST<br>
   b) udp - ICMP port unreachable<br>    b) udp - ICMP port unreachable<br>
   c) icmp - ICMP host unreachable<br>    c) icmp - ICMP host unreachable<br>
   d) Otherwise - ICMP host prohibited<br>    d) Otherwise - ICMP host prohibited<br>
If you are running earlier software, Shorewall will follow it's traditional If you are running earlier software, Shorewall will follow it's traditional
convention:<br> convention:<br>
   a) tcp - RST<br>    a) tcp - RST<br>
   b) Otherwise - ICMP port unreachable</li>    b) Otherwise - ICMP port unreachable</li>
<li>UDP port 135 is now silently dropped in the common.def chain. <li>UDP port 135 is now silently dropped in the common.def
Remember that this chain is traversed just before a DROP or REJECT policy chain. Remember that this chain is traversed just before a DROP or REJECT
is enforced.<br> policy is enforced.<br>
</li> </li>
</ol> </ol>
<p><b>5/18/2003 - Shorewall 1.4.3</b><br> <p><b>5/18/2003 - Shorewall 1.4.3</b><br>
</p> </p>
    <b>Problems Corrected:<br>     <b>Problems Corrected:<br>
</b> </b>
<ol> <ol>
<li>There were several cases where Shorewall would fail to <li>There were several cases where Shorewall would fail to
remove a temporary directory from /tmp. These cases have been corrected.</li> remove a temporary directory from /tmp. These cases have been corrected.</li>
<li>The rules for allowing all traffic via the loopback interface <li>The rules for allowing all traffic via the loopback interface
have been moved to before the rule that drops status=INVALID packets. have been moved to before the rule that drops status=INVALID packets.
This insures that all loopback traffic is allowed even if Netfilter connection This insures that all loopback traffic is allowed even if Netfilter connection
tracking is confused.</li> tracking is confused.</li>
</ol> </ol>
    <b>New Features:<br>     <b>New Features:<br>
</b> </b>
<ol> <ol>
<li><a href="6to4.htm"> </a><a href="6to4.htm">IPV6-IPV4 (6to4) <li><a href="6to4.htm"> </a><a href="6to4.htm">IPV6-IPV4
tunnels </a>are now supported in the /etc/shorewall/tunnels file.</li> (6to4) tunnels </a>are now supported in the /etc/shorewall/tunnels file.</li>
<li value="2">You may now change the leading portion of the <li value="2">You may now change the leading portion of the
--log-prefix used by Shorewall using the LOGMARKER variable in shorewall.conf. --log-prefix used by Shorewall using the LOGMARKER variable in shorewall.conf.
By default, "Shorewall:" is used.<br> By default, "Shorewall:" is used.<br>
</li> </li>
</ol> </ol>
<p><b>5/10/2003 - Shorewall Mirror in Asia</b><b> </b><br> <p><b>5/10/2003 - Shorewall Mirror in Asia</b><b> </b><br>
</p> </p>
Ed Greshko has established a mirror in Taiwan -- Thanks Ed! Ed Greshko has established a mirror in Taiwan -- Thanks Ed!
<p><b>5/8/2003 - Shorewall Mirror in Chile</b><b>  </b></p> <p><b>5/8/2003 - Shorewall Mirror in Chile</b><b>  </b></p>
<p>Thanks to Darcy Ganga, there is now an HTTP mirror in Santiago Chile.<br> <p>Thanks to Darcy Ganga, there is now an HTTP mirror in Santiago Chile.<br>
</p> </p>
<p><b>4/26/2003 - lists.shorewall.net Downtime</b><b>  </b></p> <p><b>4/26/2003 - lists.shorewall.net Downtime</b><b>  </b></p>
<p>The list server will be down this morning for upgrade to RH9.0.<br> <p>The list server will be down this morning for upgrade to RH9.0.<br>
</p> </p>
<p><b>4/21/2003 - Samples updated for Shorewall version 1.4.2</b><b> <p><b>4/21/2003 - Samples updated for Shorewall version 1.4.2</b><b>
@ -246,7 +258,7 @@ This insures that all loopback traffic is allowed even if Netfilter connectio
<p>Thanks to Francesca Smith, the sample configurations are now upgraded <p>Thanks to Francesca Smith, the sample configurations are now upgraded
to Shorewall version 1.4.2.</p> to Shorewall version 1.4.2.</p>
<p><b>4/12/2002 - Greater Seattle Linux Users Group Presentation</b><b> <p><b>4/12/2002 - Greater Seattle Linux Users Group Presentation</b><b>
@ -256,10 +268,10 @@ This insures that all loopback traffic is allowed even if Netfilter connectio
<blockquote> This morning, I gave <a href="GSLUG.htm" <blockquote> This morning, I gave <a href="GSLUG.htm"
target="_top">a Shorewall presentation to GSLUG</a>. The presentation target="_top">a Shorewall presentation to GSLUG</a>. The presentation
is in HTML format but was generated from Microsoft PowerPoint and is in HTML format but was generated from Microsoft PowerPoint and
is best viewed using Internet Explorer (although Konqueror also seems is best viewed using Internet Explorer (although Konqueror also seems
to work reasonably well as does Opera 7.1.0). Neither Opera 6 nor Netscape to work reasonably well as does Opera 7.1.0). Neither Opera 6 nor
work well to view the presentation.</blockquote> Netscape work well to view the presentation.</blockquote>
@ -273,22 +285,22 @@ This insures that all loopback traffic is allowed even if Netfilter connectio
</ol> </ol>
</blockquote> </blockquote>
<p><a href="file:///Z:/Shorewall-docs/News.htm"></a></p> <p><a href="file:///Z:/Shorewall-docs/News.htm"></a></p>
<b> </b> <b> </b>
<p><b><a href="News.htm">More News</a></b></p> <p><b><a href="News.htm">More News</a></b></p>
<b> </b> <b> </b>
<h2><b> </b></h2> <h2><b> </b></h2>
<b> </b> <b> </b>
@ -296,41 +308,42 @@ This insures that all loopback traffic is allowed even if Netfilter connectio
border="0" src="images/leaflogo.gif" width="49" height="36" border="0" src="images/leaflogo.gif" width="49" height="36"
alt="(Leaf Logo)"> alt="(Leaf Logo)">
</a>Jacques Nilo and Eric Wolzak have </a>Jacques Nilo and Eric Wolzak
a LEAF (router/firewall/gateway on a floppy, have a LEAF (router/firewall/gateway on
CD or compact flash) distribution called a floppy, CD or compact flash) distribution
<i>Bering</i> that features called <i>Bering</i> that features
Shorewall-1.3.14 and Kernel-2.4.20. You can find Shorewall-1.3.14 and Kernel-2.4.20. You
their work at: <a can find their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p> href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
<b>Congratulations to Jacques and Eric <b>Congratulations to Jacques and Eric
on the recent release of Bering 1.2!!! </b><br> on the recent release of Bering 1.2!!! </b><br>
<h1 align="center"><b><a href="http://www.sf.net"><img <h1 align="center"><b><a href="http://www.sf.net"><img
align="left" alt="SourceForge Logo" align="left" alt="SourceForge Logo"
src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3"> src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3">
</a></b></h1> </a></b></h1>
<b> </b> <b> </b>
<h4><b> </b></h4> <h4><b> </b></h4>
<b> </b> <b> </b>
<h2><b>This site is hosted by the generous folks at <a <h2><b>This site is hosted by the generous folks at <a
href="http://www.sf.net">SourceForge.net</a> </b></h2> href="http://www.sf.net">SourceForge.net</a> </b></h2>
<b> </b> <b> </b>
<h2><b><a name="Donations"></a>Donations</b></h2> <h2><b><a name="Donations"></a>Donations</b></h2>
<b> </b></td> <b> </b></td>
<td width="88" bgcolor="#4b017c" valign="top" <td width="88" bgcolor="#4b017c" valign="top"
align="center"> align="center">
<form method="post" <form method="post"
@ -338,53 +351,53 @@ Shorewall-1.3.14 and Kernel-2.4.20. You can find
<p><strong><br> <p><strong><br>
<font color="#ffffff"><b>Note: </b></font></strong> <font color="#ffffff"><b>Note: </b></font></strong>
<font color="#ffffff">Search is unavailable Daily 0200-0330 <font color="#ffffff">Search is unavailable Daily 0200-0330
GMT.</font><br> GMT.</font><br>
 </p>  </p>
<p><font color="#ffffff"><strong>Quick Search</strong></font><br> <p><font color="#ffffff"><strong>Quick Search</strong></font><br>
<font face="Arial" size="-1"> <input <font face="Arial" size="-1"> <input
type="text" name="words" size="15"></font><font size="-1"> </font><font type="text" name="words" size="15"></font><font size="-1"> </font><font
face="Arial" size="-1"> <input type="hidden" name="format" face="Arial" size="-1"> <input type="hidden" name="format"
value="long"> <input type="hidden" name="method" value="and"> value="long"> <input type="hidden" name="method" value="and">
<input type="hidden" name="config" value="htdig"> <input <input type="hidden" name="config" value="htdig"> <input
type="submit" value="Search"></font> </p> type="submit" value="Search"></font> </p>
<font face="Arial"> <input <font face="Arial"> <input
type="hidden" name="exclude" type="hidden" name="exclude"
value="[http://lists.shorewall.net/pipermail/*]"> </font> value="[http://lists.shorewall.net/pipermail/*]"> </font>
</form> </form>
<p><font color="#ffffff"><b> <a <p><font color="#ffffff"><b> <a
href="http://lists.shorewall.net/htdig/search.html"> <font href="http://lists.shorewall.net/htdig/search.html"> <font
color="#ffffff">Extended Search</font></a></b></font></p> color="#ffffff">Extended Search</font></a></b></font></p>
<a target="_top" <a target="_top"
href="file:///vfat/Shorewall-docs/1.3/index.html"><font color="#ffffff"> href="file:///vfat/Shorewall-docs/1.3/index.html"><font color="#ffffff">
</font></a><a target="_top" </font></a><a target="_top"
href="http://www1.shorewall.net/1.2/index.htm"><font color="#ffffff"><small><small><small></small></small></small></font></a><br> href="http://www1.shorewall.net/1.2/index.htm"><font color="#ffffff"><small><small><small></small></small></small></font></a><br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</center> </center>
</div> </div>
<table border="0" cellpadding="5" cellspacing="0" <table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2" style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td width="100%" style="margin-top: 1px;"> <td width="100%" style="margin-top: 1px;">
@ -392,30 +405,27 @@ Shorewall-1.3.14 and Kernel-2.4.20. You can find
border="4" src="images/newlog.gif" width="57" height="100" align="left" border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10"> hspace="10">
</a></p> </a></p>
<p align="center"><font size="4" color="#ffffff">Shorewall is free but <p align="center"><font size="4" color="#ffffff">Shorewall is free
if you try it and find it useful, please consider making a donation but if you try it and find it useful, please consider making a donation
to to
<a href="http://www.starlight.org"><font color="#ffffff">Starlight <a href="http://www.starlight.org"><font color="#ffffff">Starlight
Children's Foundation.</font></a> Thanks!</font></p> Children's Foundation.</font></a> Thanks!</font></p>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p><font size="2">Updated 5/27/2003 - <a href="support.htm">Tom Eastep</a></font> <p><font size="2">Updated 5/29/2003 - <a href="support.htm">Tom Eastep</a></font>
<br> <br>
</p> </p>
<br>
<br>
<br>
</body> </body>
</html> </html>

318
STABLE/documentation/support.htm
View File

@ -13,47 +13,47 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td <td
width="100%"> width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Support Guide<img <h1 align="center"><font color="#ffffff">Shorewall Support Guide<img
src="images/obrasinf.gif" alt="" width="90" height="90" align="middle"> src="images/obrasinf.gif" alt="" width="90" height="90" align="middle">
</font></h1> </font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<h2>Before Reporting a Problem or Asking a Question<br> <h2>Before Reporting a Problem or Asking a Question<br>
</h2> </h2>
There There
are a number of sources of Shorewall information. Please try these are a number of sources of Shorewall information. Please try these
before you post. before you post.
<ul> <ul>
<li>Shorewall versions earlier <li>Shorewall versions earlier
that 1.3.0 are no longer supported.<br> that 1.3.0 are no longer supported.<br>
</li> </li>
<li>More than half of the questions posted on the support <li>More than half of the questions posted on the support
list have answers directly accessible from the <a list have answers directly accessible from the <a
href="http://www.shorewall.net/shorewall_quickstart_guide.htm#Documentation">Documentation href="http://www.shorewall.net/shorewall_quickstart_guide.htm#Documentation">Documentation
Index</a><br> Index</a><br>
</li> </li>
<li> <li>
The <a href="http://www.shorewall.net/FAQ.htm">FAQ</a> has The <a href="http://www.shorewall.net/FAQ.htm">FAQ</a> has
solutions to more than 20 common problems. </li> solutions to more than 20 common problems. </li>
<li> The
<a href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a>
Information contains a number of tips to help
you solve common problems. </li>
<li> The <li> The
<a href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a> <a href="http://www.shorewall.net/errata.htm"> Errata</a> has links
Information contains a number of tips to help
you solve common problems. </li>
<li> The
<a href="http://www.shorewall.net/errata.htm"> Errata</a> has links
to download updated components. </li> to download updated components. </li>
<li> The Site <li> The
and Mailing List Archives search facility can locate documents Site and Mailing List Archives search facility can locate
and posts about similar problems: </li> documents and posts about similar problems: </li>
</ul> </ul>
@ -68,13 +68,13 @@ solutions to more than 20 common problems. </li>
<option value="or">Any </option> <option value="or">Any </option>
<option value="boolean">Boolean </option> <option value="boolean">Boolean </option>
</select> </select>
Format: Format:
<select name="format"> <select name="format">
<option value="builtin-long">Long </option> <option value="builtin-long">Long </option>
<option value="builtin-short">Short </option> <option value="builtin-short">Short </option>
</select> </select>
Sort by: Sort by:
<select name="sort"> <select name="sort">
<option value="score">Score </option> <option value="score">Score </option>
@ -84,7 +84,7 @@ solutions to more than 20 common problems. </li>
<option value="revtime">Reverse Time </option> <option value="revtime">Reverse Time </option>
<option value="revtitle">Reverse Title </option> <option value="revtitle">Reverse Title </option>
</select> </select>
</font><input type="hidden" name="config" </font><input type="hidden" name="config"
value="htdig"><input type="hidden" name="restrict" value=""><font value="htdig"><input type="hidden" name="restrict" value=""><font
size="-1"> Include Mailing List Archives: size="-1"> Include Mailing List Archives:
@ -92,43 +92,43 @@ solutions to more than 20 common problems. </li>
<option value="">Yes</option> <option value="">Yes</option>
<option value="[http://lists.shorewall.net/pipermail/.*]">No</option> <option value="[http://lists.shorewall.net/pipermail/.*]">No</option>
</select> </select>
</font><br> </font><br>
Search: <input type="text" size="30" name="words" Search: <input type="text" size="30" name="words"
value=""> <input type="submit" value="Search"><br> value=""> <input type="submit" value="Search"><br>
</form> </form>
</blockquote> </blockquote>
<h2>Problem Reporting Guidelines<br> <h2>Problem Reporting Guidelines<br>
</h2> </h2>
<ul> <ul>
<li>Please remember we only know what <li>Please remember we only know what
is posted in your message. Do not leave out any information is posted in your message. Do not leave out any information
that appears to be correct, or was mentioned in a previous post. that appears to be correct, or was mentioned in a previous
There have been countless posts by people who were sure that post. There have been countless posts by people who were sure
some part of their configuration was correct when it actually that some part of their configuration was correct when it actually
contained a small error. We tend to be skeptics where detail is contained a small error. We tend to be skeptics where detail
lacking.<br> is lacking.<br>
<br> <br>
</li> </li>
<li>Please keep in mind that you're <li>Please keep in mind that you're
asking for <strong>free</strong> technical support. Any asking for <strong>free</strong> technical support.
help we offer is an act of generosity, not an obligation. Try Any help we offer is an act of generosity, not an obligation.
to make it easy for us to help you. Follow good, courteous practices Try to make it easy for us to help you. Follow good, courteous
in writing and formatting your e-mail. Provide details that we need practices in writing and formatting your e-mail. Provide details that
if you expect good answers. <em>Exact quoting </em> of error messages, we need if you expect good answers. <em>Exact quoting </em> of
log entries, command output, and other output is better than a paraphrase error messages, log entries, command output, and other output is better
or summary.<br> than a paraphrase or summary.<br>
<br> <br>
</li> </li>
<li> <li>
Please don't describe your environment and then ask us Please don't describe your environment and then ask
to send you custom configuration files. We're here us to send you custom configuration files. We're
to answer your questions but we can't do your here to answer your questions but we can't do
job for you.<br> your job for you.<br>
<br> <br>
</li> </li>
<li>When reporting a problem, <strong>ALWAYS</strong> <li>When reporting a problem, <strong>ALWAYS</strong>
include this information:</li> include this information:</li>
</ul> </ul>
@ -136,53 +136,54 @@ job for you.<br>
<ul> <ul>
<ul> <ul>
<li>the exact version of Shorewall <li>the exact version of Shorewall
you are running.<br> you are running.<br>
<br> <br>
<b><font color="#009900">shorewall <b><font color="#009900">shorewall
version</font><br> version</font><br>
</b> <br> </b> <br>
</li> </li>
</ul> </ul>
<ul> <ul>
<li>the exact kernel version you <li>the exact kernel version you
are running<br> are running<br>
<br> <br>
<font color="#009900"><b>uname <font color="#009900"><b>uname
-a<br> -a<br>
<br> <br>
</b></font></li> </b></font></li>
</ul> </ul>
<ul> <ul>
<li>the complete, exact output of<br> <li>the complete, exact output of<br>
<br> <br>
<font color="#009900"><b>ip addr <font color="#009900"><b>ip addr
show<br> show<br>
<br> <br>
</b></font></li> </b></font></li>
</ul> </ul>
<ul> <ul>
<li>the complete, exact output of<br> <li>the complete, exact output of<br>
<br> <br>
<font color="#009900"><b>ip route <font color="#009900"><b>ip route
show<br> show<br>
<br> <br>
</b></font></li> </b></font></li>
</ul> </ul>
<ul> <ul>
<li>If your kernel is modularized, <li>If your kernel is modularized,
the exact output from<br> the exact output from<br>
<br> <br>
<font color="#009900"><b>lsmod</b></font><br> <font color="#009900"><b>lsmod</b></font><br>
</li> </li>
</ul> </ul>
@ -191,92 +192,92 @@ are running<br>
<ul> <ul>
<ul> <ul>
<li><font color="#ff0000"><u><i><big><b>If you are having connection <li><font color="#ff0000"><u><i><big><b>If you are having
problems of any kind then:</b></big></i></u></font><br> connection problems of any kind then:</b></big></i></u></font><br>
<br> <br>
1. <b><font color="#009900">/sbin/shorewall/reset</font></b><br> 1. <b><font color="#009900">/sbin/shorewall reset</font></b><br>
<br> <br>
2. Try the connection that is failing.<br> 2. Try the connection that is failing.<br>
<br> <br>
3.<b><font color="#009900"> /sbin/shorewall status 3.<b><font color="#009900"> /sbin/shorewall status
&gt; /tmp/status.txt</font></b><br> &gt; /tmp/status.txt</font></b><br>
<br> <br>
4. Post the /tmp/status.txt file as an attachment.<br> 4. Post the /tmp/status.txt file as an attachment.<br>
<br> <br>
</li> </li>
<li>the exact wording of any <code <li>the exact wording of any <code
style="color: green; font-weight: bold;">ping</code> failure responses<br> style="color: green; font-weight: bold;">ping</code> failure responses<br>
<br> <br>
</li> </li>
<li>If you installed Shorewall using one of the QuickStart <li>If you installed Shorewall using one of the QuickStart
Guides, please indicate which one. <br> Guides, please indicate which one. <br>
<br> <br>
</li> </li>
<li><b>If you are running Shorewall under Mandrake using <li><b>If you are running Shorewall under Mandrake using
the Mandrake installation of Shorewall, please say so.<br> the Mandrake installation of Shorewall, please say so.<br>
<br> <br>
</b></li> </b></li>
</ul> </ul>
<li>As <li>As
a general matter, please <strong>do not edit the diagnostic a general matter, please <strong>do not edit the diagnostic
information</strong> in an attempt to conceal your IP address, information</strong> in an attempt to conceal your IP address,
netmask, nameserver addresses, domain name, etc. These aren't netmask, nameserver addresses, domain name, etc. These aren't
secrets, and concealing them often misleads us (and 80% of the time, secrets, and concealing them often misleads us (and 80% of the time,
a hacker could derive them anyway from information contained in a hacker could derive them anyway from information contained in
the SMTP headers of your post).<br> the SMTP headers of your post).<br>
<br> <br>
<strong></strong></li> <strong></strong></li>
<li>Do you see any "Shorewall" messages ("<b><font <li>Do you see any "Shorewall" messages ("<b><font
color="#009900">/sbin/shorewall show log</font></b>") when color="#009900">/sbin/shorewall show log</font></b>") when
you exercise the function that is giving you problems? If you exercise the function that is giving you problems? If so,
so, include the message(s) in your post along with a copy of your include the message(s) in your post along with a copy of your /etc/shorewall/interfaces
/etc/shorewall/interfaces file.<br> file.<br>
<br> <br>
</li> </li>
<li>Please include any of the Shorewall configuration <li>Please include any of the Shorewall configuration
files (especially the /etc/shorewall/hosts file files (especially the /etc/shorewall/hosts file
if you have modified that file) that you think are if you have modified that file) that you think are
relevant. If you include /etc/shorewall/rules, please include relevant. If you include /etc/shorewall/rules, please include
/etc/shorewall/policy as well (rules are meaningless unless /etc/shorewall/policy as well (rules are meaningless unless one
one also knows the policies).<br> also knows the policies).<br>
<br> <br>
</li> </li>
<li>If an error occurs when you try to "<font <li>If an error occurs when you try to "<font
color="#009900"><b>shorewall start</b></font>", include a trace color="#009900"><b>shorewall start</b></font>", include a trace
(See the <a href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a> (See the <a href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a>
section for instructions).<br> section for instructions).<br>
<br> <br>
</li> </li>
<li><b>The list server limits posts to 120kb so don't <li><b>The list server limits posts to 120kb so don't
post GIFs of your network layout, etc. post GIFs of your network layout, etc.
to the Mailing List -- your post will be rejected.</b></li> to the Mailing List -- your post will be rejected.</b></li>
</ul> </ul>
<blockquote> The author gratefully acknowleges that the above list was <blockquote> The author gratefully acknowleges that the above list was
heavily plagiarized from the excellent LEAF document by <i>Ray</i> heavily plagiarized from the excellent LEAF document by <i>Ray</i>
<em>Olszewski</em> found at <a <em>Olszewski</em> found at <a
href="http://leaf-project.org/pub/doc/docmanager/docid_1891.html">http://leaf-project.org/pub/doc/docmanager/docid_1891.html</a>.<br> href="http://leaf-project.org/pub/doc/docmanager/docid_1891.html">http://leaf-project.org/pub/doc/docmanager/docid_1891.html</a>.<br>
</blockquote> </blockquote>
<h2>When using the mailing list, please post in plain text</h2> <h2>When using the mailing list, please post in plain text</h2>
<blockquote> A growing number of MTAs serving list subscribers are rejecting <blockquote> A growing number of MTAs serving list subscribers are
all HTML traffic. At least one MTA has gone so far as to blacklist rejecting all HTML traffic. At least one MTA has gone so far as to
shorewall.net "for continuous abuse" because it has been my policy blacklist shorewall.net "for continuous abuse" because it has been
to allow HTML in list posts!!<br> my policy to allow HTML in list posts!!<br>
<br> <br>
I think that blocking all HTML is I think that blocking all HTML
a Draconian way to control spam and that the ultimate losers is a Draconian way to control spam and that the ultimate
here are not the spammers but the list subscribers whose losers here are not the spammers but the list subscribers
MTAs are bouncing all shorewall.net mail. As one list subscriber whose MTAs are bouncing all shorewall.net mail. As one list subscriber
wrote to me privately "These e-mail admin's need to get a <i>(expletive wrote to me privately "These e-mail admin's need to get a <i>(expletive
deleted)</i> life instead of trying to rid the planet of HTML deleted)</i> life instead of trying to rid the planet of HTML based
based e-mail". Nevertheless, to allow subscribers to receive e-mail". Nevertheless, to allow subscribers to receive list posts
list posts as must as possible, I have now configured the list as must as possible, I have now configured the list server at
server at shorewall.net to strip all HTML from outgoing posts.<br> shorewall.net to strip all HTML from outgoing posts.<br>
</blockquote> </blockquote>
<h2>Where to Send your Problem Report or to Ask for Help</h2> <h2>Where to Send your Problem Report or to Ask for Help</h2>
@ -286,7 +287,7 @@ list posts as must as possible, I have now configured the list
to the <a to the <a
href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing
list</a>.</span></h4> list</a>.</span></h4>
<b>If you run Shorewall under MandrakeSoft <b>If you run Shorewall under MandrakeSoft
Multi Network Firewall (MNF) and you have not purchased Multi Network Firewall (MNF) and you have not purchased
an MNF license from MandrakeSoft then you can post non MNF-specific an MNF license from MandrakeSoft then you can post non MNF-specific
Shorewall questions to the </b><a Shorewall questions to the </b><a
@ -300,17 +301,18 @@ an MNF license from MandrakeSoft then you can post non MNF-specifi
<p> To Subscribe to the mailing list go to <a <p> To Subscribe to the mailing list go to <a
href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a> href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a>
.<br> .<br>
</p> </p>
</blockquote> </blockquote>
<p>For information on other Shorewall mailing lists, go to <a <p>For information on other Shorewall mailing lists, go to <a
href="http://lists.shorewall.net">http://lists.shorewall.net</a><br> href="http://lists.shorewall.net">http://lists.shorewall.net</a><br>
</p> </p>
<p align="left"><font size="2">Last Updated 5/19/2003 - Tom Eastep</font></p> <p align="left"><font size="2">Last Updated 5/28/2003 - Tom Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br> size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p> </p>
<br>
</body> </body>
</html> </html>

2
STABLE/fallback.sh
View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of # shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall. # Shoreline Firewall.
VERSION=1.4.4a VERSION=1.4.4b
usage() # $1 = exit status usage() # $1 = exit status
{ {

4
STABLE/firewall
View File

@ -926,7 +926,7 @@ log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates fo
eval iptables -A $chain $@ -j ULOG $LOGPARMS --ulog-prefix '"`printf "$LOGFORMAT" $chain $rulenum $disposition`"' eval iptables -A $chain $@ -j ULOG $LOGPARMS --ulog-prefix '"`printf "$LOGFORMAT" $chain $rulenum $disposition`"'
;; ;;
*) *)
eval iptables -A $chain $@ -j LOG $LOGPARMS --log-prefix '"`printf "$LOGFORMAT" $chain $rulenum $disposition`"' eval iptables -A $chain $@ -j LOG $LOGPARMS --log-level $level --log-prefix '"`printf "$LOGFORMAT" $chain $rulenum $disposition`"'
;; ;;
esac esac
@ -943,7 +943,7 @@ log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates fo
eval iptables -A $chain $@ -j ULOG $LOGPARMS --ulog-prefix '"`printf "$LOGFORMAT" $chain $disposition`"' eval iptables -A $chain $@ -j ULOG $LOGPARMS --ulog-prefix '"`printf "$LOGFORMAT" $chain $disposition`"'
;; ;;
*) *)
eval iptables -A $chain $@ -j LOG $LOGPARMS --log-prefix '"`printf "$LOGFORMAT" $chain $disposition`"' eval iptables -A $chain $@ -j LOG $LOGPARMS --log-level $level --log-prefix '"`printf "$LOGFORMAT" $chain $disposition`"'
;; ;;
esac esac

2
STABLE/install.sh
View File

@ -54,7 +54,7 @@
# /etc/rc.d/rc.local file is modified to start the firewall. # /etc/rc.d/rc.local file is modified to start the firewall.
# #
VERSION=1.4.4a VERSION=1.4.4b
usage() # $1 = exit status usage() # $1 = exit status
{ {

4
STABLE/shorewall.spec
View File

@ -1,5 +1,5 @@
%define name shorewall %define name shorewall
%define version 1.4.4a %define version 1.4.4b
%define release 1 %define release 1
%define prefix /usr %define prefix /usr
@ -105,6 +105,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog %changelog
* Thu May 29 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.4b-1
* Tue May 27 2003 Tom Eastep <tom@shorewall.net> * Tue May 27 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.4a-1 - Changed version to 1.4.4a-1
* Thu May 22 2003 Tom Eastep <tom@shorewall.net> * Thu May 22 2003 Tom Eastep <tom@shorewall.net>

2
STABLE/uninstall.sh
View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall # shown below. Simply run this script to remove Seattle Firewall
VERSION=1.4.4a VERSION=1.4.4b
usage() # $1 = exit status usage() # $1 = exit status
{ {