Shorewall 1.4.4b

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@576 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2003-05-29 14:48:09 +00:00
parent df6a59cf68
commit 1905dd9d1c
17 changed files with 5017 additions and 4949 deletions

View File

@ -926,7 +926,7 @@ log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates fo
eval iptables -A $chain $@ -j ULOG $LOGPARMS --ulog-prefix '"`printf "$LOGFORMAT" $chain $rulenum $disposition`"'
;;
*)
eval iptables -A $chain $@ -j LOG $LOGPARMS --log-prefix '"`printf "$LOGFORMAT" $chain $rulenum $disposition`"'
eval iptables -A $chain $@ -j LOG $LOGPARMS --log-level $level --log-prefix '"`printf "$LOGFORMAT" $chain $rulenum $disposition`"'
;;
esac
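Review bot: the new `--log-level $level` argument in the LOG branch is passed unquoted through `eval`; the function header documents $1 as the log level, so a caller that passes an empty level would produce `-j LOG $LOGPARMS --log-level --log-prefix ...`, which iptables rejects at load time and which would abort a `shorewall start`. Consider emitting the option conditionally, e.g. `${level:+--log-level $level}`, or validating `$level` at the top of log_rule. Leaving the ULOG branch without a level is correct, since the ULOG target has no log-level option.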
@ -943,7 +943,7 @@ log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates fo
eval iptables -A $chain $@ -j ULOG $LOGPARMS --ulog-prefix '"`printf "$LOGFORMAT" $chain $disposition`"'
;;
*)
eval iptables -A $chain $@ -j LOG $LOGPARMS --log-prefix '"`printf "$LOGFORMAT" $chain $disposition`"'
eval iptables -A $chain $@ -j LOG $LOGPARMS --log-level $level --log-prefix '"`printf "$LOGFORMAT" $chain $disposition`"'
;;
esac
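Review bot: this case block is a copy of the one above that differs only in calling printf without `$rulenum`, and the `--log-level $level` fix has had to be applied to both copies in this commit. Building the `--log-prefix` string once (with or without the rule number) and then issuing a single LOG/ULOG invocation would remove the duplication and keep the two paths from drifting apart the next time the logging options change.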

View File

@ -1 +1 @@
1.4.4a
1.4.4b

View File

@ -10,4 +10,6 @@ Changes since 1.4.3a
4. Don't include log rule number when LOGFORMAT doesn't include "%d".
5. Add --log-level to LOG rules.

View File

@ -49,9 +49,9 @@
<p align="left"><b>1b. </b><a href="#faq1b">I'm still having problems with
port forwarding</a></p>
<p align="left"><b>1c. </b><a href="#faq1c">From the internet, I want to <b>connect
to port 1022</b> on my firewall and have the <b>firewall forward the connection
to port 22 on local system 192.168.1.3</b>. How do I do that?</a><br>
<p align="left"><b>1c. </b><a href="#faq1c">From the internet, I want to
<b>connect to port 1022</b> on my firewall and have the <b>firewall forward
the connection to port 22 on local system 192.168.1.3</b>. How do I do that?</a><br>
</p>
<h1><b>DNS and PORT FORWARDING/NAT<br>
@ -65,10 +65,10 @@ to port 22 on local system 192.168.1.3</b>. How do I do that?</a><br>
<p align="left"><b>2a. </b><a href="#faq3">I have a zone "Z" with an RFC1918
subnet and I use <b>static NAT</b> to assign
non-RFC1918 addresses to hosts in Z. Hosts in Z
cannot communicate with each other using their external
(non-RFC1918 addresses) so they <b>can't access each other
using their DNS names.</b></a></p>
non-RFC1918 addresses to hosts in Z. Hosts in Z cannot
communicate with each other using their external (non-RFC1918
addresses) so they <b>can't access each other using their
DNS names.</b></a></p>
<h1><b>NETMEETING/MSN<br>
</b></h1>
@ -136,8 +136,8 @@ out to the net</b></a></p>
<h1>STARTING AND STOPPING<br>
</h1>
<p align="left"><b>7. </b><a href="#faq7">When I stop Shorewall <b>using
'shorewall stop', I can't connect to anything</b>. Why doesn't that command
<p align="left"><b>7. </b><a href="#faq7">When I stop Shorewall <b>using 'shorewall
stop', I can't connect to anything</b>. Why doesn't that command
work?</a></p>
<p align="left"><b>8. </b><a href="#faq8">When I try to <b>start Shorewall
@ -151,9 +151,9 @@ out to the net</b></a></p>
<p align="left"><b>9. </b><a href="FAQ.htm#faq9">Why can't Shorewall <b>detect
my interfaces </b>properly at startup?</a></p>
<b>22. </b><a href="#faq22">I have
some <b>iptables commands </b>that I want to <b>run when Shorewall
starts.</b> Which file do I put them in?</a><br>
<b>22. </b><a href="#faq22">I
have some <b>iptables commands </b>that I want to <b>run when
Shorewall starts.</b> Which file do I put them in?</a><br>
<h1>ABOUT SHOREWALL<br>
</h1>
@ -161,8 +161,7 @@ out to the net</b></a></p>
<p align="left"><b>10. </b><a href="#faq10">What <b>distributions</b> does
it work with?</a></p>
<p align="left"><b>11. </b><a href="#faq18">What <b>features</b> does it
support?</a></p>
<p align="left"><b>11. </b><a href="#faq18">What <b>features</b> does it support?</a></p>
<p align="left"><b>12. </b><a href="#faq12">Is there a <b>GUI?</b></a></p>
@ -195,8 +194,9 @@ external interface, <b>my DHCP client cannot renew its lease</b>
<h1>MISCELLANEOUS<br>
</h1>
<b>19. </b><a href="#faq19">I have added <b>entries to /etc/shorewall/tcrules</b>
but they <b>don't </b>seem to <b>do anything</b>. Why?</a><br>
<b>19. </b><a href="#faq19">I have added <b>entries to
/etc/shorewall/tcrules</b> but they <b>don't </b>seem to <b>do
anything</b>. Why?</a><br>
<br>
<b>20. </b><a href="#faq20">I
have just set up a server. <b>Do I have to change Shorewall
@ -323,8 +323,8 @@ to allow access to my server from the internet?</b></a><br>
</tbody>
</table>
</blockquote>
Finally, if you need to forward a range of ports, in
the PORT column specify the range as <i>low-port</i>:<i>high-port</i>.<br>
Finally, if you need to forward a range of ports,
in the PORT column specify the range as <i>low-port</i>:<i>high-port</i>.<br>
<h4 align="left"><a name="faq1a"></a>1a. Ok -- I followed those instructions
but it doesn't work</h4>
@ -333,13 +333,13 @@ to allow access to my server from the internet?</b></a><br>
things:</p>
<ul>
<li>You are trying
to test from inside your firewall (no, that won't
work -- see <a href="#faq2">FAQ #2</a>).</li>
<li>You are
trying to test from inside your firewall (no, that
won't work -- see <a href="#faq2">FAQ #2</a>).</li>
<li>You have
a more basic problem with your local system such as
an incorrect default gateway configured (it should be
set to the IP address of your firewall's internal interface).</li>
an incorrect default gateway configured (it should be set
to the IP address of your firewall's internal interface).</li>
<li>Your ISP is blocking that particular port inbound.<br>
</li>
@ -354,8 +354,8 @@ diagnose this problem:<br>
<li>As root, type "iptables
-t nat -Z". This clears the NetFilter counters in the
nat table.</li>
<li>Try to connect to the
redirected port from an external host.</li>
<li>Try to connect to
the redirected port from an external host.</li>
<li>As root type "shorewall
show nat"</li>
<li>Locate the appropriate
@ -363,8 +363,8 @@ diagnose this problem:<br>
zone&gt;</i>_dnat ('net_dnat' in the above examples).</li>
<li>Is the packet count
in the first column non-zero? If so, the connection
request is reaching the firewall and is being redirected to
the server. In this case, the problem is usually a missing
request is reaching the firewall and is being redirected
to the server. In this case, the problem is usually a missing
or incorrect default gateway setting on the server (the server's
default gateway should be the IP address of the firewall's
interface to the server).</li>
@ -377,12 +377,12 @@ is zero:</li>
by your ISP); or</li>
<li>you are trying to
connect to a secondary IP address on your firewall and
your rule is only redirecting the primary IP address (You need
to specify the secondary IP address in the "ORIG. DEST." column
in your DNAT rule); or</li>
your rule is only redirecting the primary IP address (You
need to specify the secondary IP address in the "ORIG. DEST."
column in your DNAT rule); or</li>
<li>your DNAT rule doesn't
match the connection request in some other way. In
that case, you may have to use a packet sniffer such as tcpdump
match the connection request in some other way. In that
case, you may have to use a packet sniffer such as tcpdump
or ethereal to further diagnose the problem.<br>
</li>
@ -391,8 +391,8 @@ that case, you may have to use a packet sniffer such as tcpdump
</ul>
<h4 align="left"><a name="faq1c"></a><b>1c. </b>From the internet, I want
to connect to port 1022 on my firewall and have the firewall forward
the connection to port 22 on local system 192.168.1.3. How do I do that?</h4>
to connect to port 1022 on my firewall and have the firewall forward the
connection to port 22 on local system 192.168.1.3. How do I do that?</h4>
<div align="left">
<blockquote>
@ -430,8 +430,8 @@ the connection to port 22 on local system 192.168.1.3. How do I do that?</h4>
</div>
<h4 align="left"><a name="faq2"></a>2. I port forward www requests to www.mydomain.com
(IP 130.151.100.69) to system 192.168.1.5 in
my local network. External clients can browse http://www.mydomain.com
(IP 130.151.100.69) to system 192.168.1.5 in my
local network. External clients can browse http://www.mydomain.com
but internal clients can't.</h4>
<p align="left"><b>Answer: </b>I have two objections to this setup.</p>
@ -440,12 +440,12 @@ my local network. External clients can browse http://www
<li>Having an
internet-accessible server in your local network
is like raising foxes in the corner of your hen house. If
the server is compromised, there's nothing between that
server and your other internal systems. For the cost of
another NIC and a cross-over cable, you can put your server
in a DMZ such that it is isolated from your local systems -
assuming that the Server can be located near the Firewall, of course
:-)</li>
the server is compromised, there's nothing between
that server and your other internal systems. For the cost
of another NIC and a cross-over cable, you can put your
server in a DMZ such that it is isolated from your local systems
- assuming that the Server can be located near the Firewall,
of course :-)</li>
<li>The accessibility
problem is best solved using <a
href="shorewall_setup_guide.htm#DNS">Bind Version 9 "views"</a>
@ -464,8 +464,8 @@ local systems that use static NAT.</li>
</p>
<p align="left">If you are running Shorewall 1.4.0 or earlier see <a
href="1.3/FAQ.htm#faq2">the 1.3 FAQ</a> for instructions suitable for
those releases.<br>
href="1.3/FAQ.htm#faq2">the 1.3 FAQ</a> for instructions suitable for those
releases.<br>
</p>
<p align="left">If you are running Shorewall 1.4.1 or Shorewall 1.4.1a, please
@ -617,21 +617,21 @@ those releases.<br>
so they can't access each other using their DNS names.</h4>
<p align="left"><b>Answer: </b>This is another problem that is best solved
using Bind Version 9 "views". It allows both
external and internal clients to access a NATed
host using the host's DNS name.</p>
using Bind Version 9 "views". It allows both external
and internal clients to access a NATed host using
the host's DNS name.</p>
<p align="left">Another good way to approach this problem is to switch from
static NAT to Proxy ARP. That way, the hosts
in Z have non-RFC1918 addresses and can be accessed
externally and internally using the same address. </p>
<p align="left">If you don't like those solutions and prefer routing all Z-&gt;Z
traffic through your firewall then:</p>
<p align="left">If you don't like those solutions and prefer routing all
Z-&gt;Z traffic through your firewall then:</p>
<p align="left">a) Set the Z-&gt;Z policy to ACCEPT.<br>
b) Masquerade Z
to itself.<br>
b) Masquerade
Z to itself.<br>
<br>
Example:</p>
@ -722,11 +722,10 @@ to itself.<br>
<p align="left"><b>Answer: </b>There is an <a
href="http://www.kfki.hu/%7Ekadlec/sw/netfilter/newnat-suite/"> H.323 connection
tracking/NAT module</a> that may help with Netmeeting.
Look <a href="http://linux-igd.sourceforge.net">here</a> for
a solution for MSN IM but be aware that there are significant security
risks involved with this solution. Also check the Netfilter
mailing list archives at <a
href="http://www.netfilter.org">http://www.netfilter.org</a>.
Look <a href="http://linux-igd.sourceforge.net">here</a> for a
solution for MSN IM but be aware that there are significant security
risks involved with this solution. Also check the Netfilter mailing
list archives at <a href="http://www.netfilter.org">http://www.netfilter.org</a>.
</p>
<h4 align="left"><a name="faq4"></a>4. I just used an online port scanner
@ -734,15 +733,15 @@ mailing list archives at <a
as 'closed' rather than 'blocked'. Why?</h4>
<p align="left"><b>Answer: </b>The common.def included with version 1.3.x
always rejects connection requests on TCP
port 113 rather than dropping them. This is necessary
to prevent outgoing connection problems to services that
use the 'Auth' mechanism for identifying requesting users.
Shorewall also rejects TCP ports 135, 137 and 139 as well
as UDP ports 137-139. These are ports that are used by Windows
(Windows <u>can</u> be configured to use the DCE cell locator
on port 135). Rejecting these connection requests rather than
dropping them cuts down slightly on the amount of Windows chatter
always rejects connection requests on TCP port
113 rather than dropping them. This is necessary
to prevent outgoing connection problems to services
that use the 'Auth' mechanism for identifying requesting
users. Shorewall also rejects TCP ports 135, 137 and 139
as well as UDP ports 137-139. These are ports that are used
by Windows (Windows <u>can</u> be configured to use the DCE cell
locator on port 135). Rejecting these connection requests rather
than dropping them cuts down slightly on the amount of Windows chatter
on LAN segments connected to the Firewall. </p>
<p align="left">If you are seeing port 80 being 'closed', that's probably
@ -755,22 +754,21 @@ server in violation of your Service Agreement.</p>
<p align="left"><b>Answer: </b>Take a deep breath and read the nmap man page
section about UDP scans. If nmap gets <b>nothing</b>
back from your firewall then it reports the port
as open. If you want to see which UDP ports are really open,
temporarily change your net-&gt;all policy to REJECT,
as open. If you want to see which UDP ports are really
open, temporarily change your net-&gt;all policy to REJECT,
restart Shorewall and do the nmap UDP scan again.<br>
</p>
<h4><a name="faq4b"></a>4b. I have a port that I can't close no matter how
I change my rules. </h4>
I had a rule that allowed telnet from my local network to my firewall;
I removed that rule and restarted Shorewall but my telnet session still
works!!!<br>
I removed that rule and restarted Shorewall but my telnet session still works!!!<br>
<br>
<b>Answer: </b> Rules only govern the establishment of new connections.
Once a connection is established through the firewall it will be usable until
disconnected (tcp) or until it times out (other protocols).  If you stop
telnet and try to establish a new session your firerwall will block that
attempt.<br>
Once a connection is established through the firewall it will be usable
until disconnected (tcp) or until it times out (other protocols).  If you
stop telnet and try to establish a new session your firerwall will block
that attempt.<br>
<h4 align="left"><a name="faq5"></a>5. I've installed Shorewall and now I
can't ping through the firewall</h4>
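Review bot: the reflowed FAQ 4b answer still carries the misspelling "firerwall" in the rewritten line ("your firerwall will block that attempt"); since the line is being rewritten anyway, correct it to "firewall" in the same pass.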
@ -796,11 +794,11 @@ the first command in the file is ". /etc/shorewall/common.def"<br>
<h4 align="left"><a name="faq6"></a>6. Where are the log messages written
and how do I change the destination?</h4>
<p align="left"><b>Answer: </b>NetFilter uses the kernel's equivalent of syslog
(see "man syslog") to log messages. It always uses the LOG_KERN (kern) facility
(see "man openlog") and you get to choose the log level (again, see "man
syslog") in your <a href="Documentation.htm#Policy">policies</a> and <a
href="Documentation.htm#Rules">rules</a>. The destination for messaged
<p align="left"><b>Answer: </b>NetFilter uses the kernel's equivalent of
syslog (see "man syslog") to log messages. It always uses the LOG_KERN (kern)
facility (see "man openlog") and you get to choose the log level (again,
see "man syslog") in your <a href="Documentation.htm#Policy">policies</a>
and <a href="Documentation.htm#Rules">rules</a>. The destination for messaged
logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
When you have changed /etc/syslog.conf, be sure
to restart syslogd (on a RedHat system, "service syslog
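Review bot: the rewritten FAQ 6 paragraph keeps "The destination for messaged logged by syslog" (the last new line plus the unchanged line after it); "messaged" should be "messages". Worth fixing while this paragraph is being reflowed.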
@ -860,12 +858,12 @@ to log all messages, set: </p>
<li>They are corrupted reply packets.</li>
</ol>
You can distinguish the difference by setting the
<b>logunclean</b> option (<a
You can distinguish the difference by setting
the <b>logunclean</b> option (<a
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>)
on your external interface (eth0 in the above example). If they get
logged twice, they are corrupted. I solve this problem by using an
/etc/shorewall/common file like this:<br>
logged twice, they are corrupted. I solve this problem by using
an /etc/shorewall/common file like this:<br>
<blockquote>
<pre>#<br># Include the standard common.def file<br>#<br>. /etc/shorewall/common.def<br>#<br># The following rule is non-standard and compensates for tardy<br># DNS replies<br>#<br>run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP</pre>
@ -903,10 +901,10 @@ to log all messages, set: </p>
that command work?</h4>
<p align="left">The 'stop' command is intended to place your firewall into
a safe state whereby only those hosts listed
in /etc/shorewall/routestopped' are activated.
If you want to totally open up your firewall, you must use
the 'shorewall clear' command. </p>
a safe state whereby only those hosts listed in
/etc/shorewall/routestopped' are activated. If
you want to totally open up your firewall, you must use the
'shorewall clear' command. </p>
<h4 align="left"><a name="faq8"></a>8. When I try to start Shorewall on RedHat,
I get messages about insmod failing -- what's wrong?</h4>
@ -950,9 +948,9 @@ the 'shorewall clear' command. </p>
</div>
<div align="left">
<p align="left"><b>Answer: </b>The above output is perfectly normal. The Net
zone is defined as all hosts that are connected through eth0 and the local
zone is defined as all hosts connected through eth1</p>
<p align="left"><b>Answer: </b>The above output is perfectly normal. The
Net zone is defined as all hosts that are connected through eth0 and the
local zone is defined as all hosts connected through eth1</p>
</div>
<h4 align="left"><a name="faq10"></a>10. What Distributions does it work
@ -983,8 +981,8 @@ the 'shorewall clear' command. </p>
<h4 align="left"> <a name="faq14"></a>14. I'm connected via a cable modem
and it has an internal web server that allows
me to configure/monitor it but as expected if I
enable rfc1918 blocking for my eth0 interface (the internet
me to configure/monitor it but as expected if I enable
rfc1918 blocking for my eth0 interface (the internet
one), it also blocks the cable modems web server.</h4>
<p align="left">Is there any way it can add a rule before the rfc1918 blocking
@ -992,8 +990,9 @@ one), it also blocks the cable modems web server.</h4>
address of the modem in/out but still block all other
rfc1918 addresses?</p>
<p align="left"><b>Answer: </b>If you are running a version of Shorewall earlier
than 1.3.1, create /etc/shorewall/start and in it, place the following:</p>
<p align="left"><b>Answer: </b>If you are running a version of Shorewall
earlier than 1.3.1, create /etc/shorewall/start and in it, place the
following:</p>
<div align="left">
<pre> run_iptables -I rfc1918 -s 192.168.100.1 -j ACCEPT</pre>
@ -1030,9 +1029,9 @@ than 1.3.1, create /etc/shorewall/start and in it, place the following:</p>
</p>
<p align="left">Note: If you add a second IP address to your external firewall
interface to correspond to the modem address,
you must also make an entry in /etc/shorewall/rfc1918
for that address. For example, if you configure the address
interface to correspond to the modem address, you
must also make an entry in /etc/shorewall/rfc1918 for
that address. For example, if you configure the address
192.168.100.2 on your firewall, then you would add two entries
to /etc/shorewall/rfc1918: <br>
</p>
@ -1071,10 +1070,10 @@ for that address. For example, if you configure the address
</div>
<div align="left">
<h4 align="left"><a name="faq14a"></a>14a. Even though it assigns public IP
addresses, my ISP's DHCP server has an RFC 1918 address. If I enable RFC
1918 filtering on my external interface, my DHCP client cannot renew its
lease.</h4>
<h4 align="left"><a name="faq14a"></a>14a. Even though it assigns public
IP addresses, my ISP's DHCP server has an RFC 1918 address. If I enable
RFC 1918 filtering on my external interface, my DHCP client cannot renew
its lease.</h4>
</div>
<div align="left">
@ -1115,7 +1114,9 @@ firewall to the internet.</p>
<h4 align="left"><a name="faq16"></a>16. Shorewall is writing log messages
all over my console making it unusable!</h4>
<p align="left"><b>Answer: </b>"man dmesg" -- add a suitable 'dmesg' command
<p align="left"><b>Answer: </b>If you are running Shorewall version 1.4.4
or 1.4.4a then check the <a href="errata.htm">errata.</a> Otherwise, see
the 'dmesg' man page ("man dmesg"). You must add a suitable 'dmesg' command
to your startup scripts or place it in /etc/shorewall/start.
Under RedHat, the max log level that is sent
to the console is specified in /etc/sysconfig/init in
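Review bot: in the new FAQ 16 answer the trailing full stop is inside the anchor (`<a href="errata.htm">errata.</a>`), so the punctuation renders as link text; move it outside the tag. Pointing 1.4.4/1.4.4a users at the errata before the generic dmesg advice is the right order, since for those releases the console noise is a script bug rather than a console log-level setting.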
@ -1125,12 +1126,12 @@ the LOGLEVEL variable.<br>
<h4><a name="faq17"></a>17. How do I find out why this traffic is getting
logged?</h4>
<b>Answer: </b>Logging
occurs out of a number of chains (as indicated in the
log message) in Shorewall:<br>
occurs out of a number of chains (as indicated in
the log message) in Shorewall:<br>
<ol>
<li><b>man1918 - </b>The
destination address is listed in /etc/shorewall/rfc1918
<li><b>man1918 -
</b>The destination address is listed in /etc/shorewall/rfc1918
with a <b>logdrop </b>target -- see <a
href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li>
<li><b>rfc1918</b>
@ -1139,19 +1140,18 @@ the LOGLEVEL variable.<br>
href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li>
<li><b>all2&lt;zone&gt;</b>,
<b>&lt;zone&gt;2all</b> or <b>all2all
</b>- You have a<a href="Documentation.htm#Policy"> policy</a>
that specifies a log level and this packet is being
logged under that policy. If you intend to ACCEPT this
traffic then you need a <a href="Documentation.htm#Rules">rule</a> to
that effect.<br>
</b>- You have a<a href="Documentation.htm#Policy"> policy</a> that
specifies a log level and this packet is being logged
under that policy. If you intend to ACCEPT this traffic
then you need a <a href="Documentation.htm#Rules">rule</a> to that effect.<br>
</li>
<li><b>&lt;zone1&gt;2&lt;zone2&gt;
</b>- Either you have a<a
href="Documentation.htm#Policy"> policy</a> for <b>&lt;zone1&gt;
</b>to <b>&lt;zone2&gt;</b> that specifies a log level and
this packet is being logged under that policy or this packet
matches a <a href="Documentation.htm#Rules">rule</a> that
includes a log level.</li>
matches a <a href="Documentation.htm#Rules">rule</a> that includes
a log level.</li>
<li><b>&lt;interface&gt;_mac</b>
- The packet is being logged under the <b>maclist</b>
<a href="Documentation.htm#Interfaces">interface option</a>.<br>
@ -1168,17 +1168,18 @@ includes a log level.</li>
- The packet is being logged because the source IP
is blacklisted in the<a href="Documentation.htm#Blacklist"> /etc/shorewall/blacklist
</a>file.</li>
<li><b>newnotsyn </b>-
The packet is being logged because it is a TCP packet
that is not part of any current connection yet it is not a
syn packet. Options affecting the logging of such packets include
<b>NEWNOTSYN </b>and <b>LOGNEWNOTSYN </b>in
<a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
<li><b>newnotsyn
</b>- The packet is being logged because it is a
TCP packet that is not part of any current connection yet
it is not a syn packet. Options affecting the logging of such
packets include <b>NEWNOTSYN </b>and <b>LOGNEWNOTSYN
</b>in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
<li><b>INPUT</b> or
<b>FORWARD</b> - The packet has a source IP address
that isn't in any of your defined zones ("shorewall check"
and look at the printed zone definitions) or the chain is FORWARD
and the destination IP isn't in any of your defined zones.</li>
and look at the printed zone definitions) or the chain is
FORWARD and the destination IP isn't in any of your defined
zones.</li>
<li><b>logflags </b>- The packet
is being logged because it failed the checks implemented
by the <b>tcpflags </b><a
@ -1204,9 +1205,9 @@ the tcrules file are simply being ignored.<br>
the internet?</b><br>
</h4>
Yes. Consult the <a
href="shorewall_quickstart_guide.htm">QuickStart guide</a> that
you used during your initial setup for information about how to set
up rules for your server.<br>
href="shorewall_quickstart_guide.htm">QuickStart guide</a> that you
used during your initial setup for information about how to set up
rules for your server.<br>
<h4><a name="faq21"></a><b>21. </b>I see these <b>strange log entries </b>occasionally;
what are they?<br>
@ -1221,10 +1222,10 @@ you used during your initial setup for information about how to set
<b>Answer: </b>While most people
associate the Internet Control Message Protocol (ICMP)
with 'ping', ICMP is a key piece of the internet. ICMP is
used to report problems back to the sender of a packet; this
is what is happening here. Unfortunately, where NAT is involved
(including SNAT, DNAT and Masquerade), there are a lot of broken
implementations. That is what you are seeing with these messages.<br>
used to report problems back to the sender of a packet; this is
what is happening here. Unfortunately, where NAT is involved (including
SNAT, DNAT and Masquerade), there are a lot of broken implementations.
That is what you are seeing with these messages.<br>
<br>
Here is my interpretation of what
is happening -- to confirm this analysis, one would have
@ -1233,22 +1234,22 @@ to have packet sniffers placed a both ends of the connection.<br>
Host 172.16.1.10 behind NAT gateway
206.124.146.179 sent a UDP DNS query to 192.0.2.3 and
your DNS server tried to send a response (the response information
is in the brackets -- note source port 53 which marks this as
a DNS reply). When the response was returned to to 206.124.146.179,
it rewrote the destination IP TO 172.16.1.10 and forwarded the
packet to 172.16.1.10 who no longer had a connection on UDP port
2857. This causes a port unreachable (type 3, code 3) to be generated
back to 192.0.2.3. As this packet is sent back through 206.124.146.179,
is in the brackets -- note source port 53 which marks this as a
DNS reply). When the response was returned to to 206.124.146.179,
it rewrote the destination IP TO 172.16.1.10 and forwarded the packet
to 172.16.1.10 who no longer had a connection on UDP port 2857.
This causes a port unreachable (type 3, code 3) to be generated back
to 192.0.2.3. As this packet is sent back through 206.124.146.179,
that box correctly changes the source address in the packet to 206.124.146.179
but doesn't reset the DST IP in the original DNS response similarly.
When the ICMP reaches your firewall (192.0.2.3), your firewall has
no record of having sent a DNS reply to 172.16.1.10 so this ICMP doesn't
appear to be related to anything that was sent. The final result
is that the packet gets logged and dropped in the all2all chain. I
have also seen cases where the source IP in the ICMP itself isn't set
back to the external IP of the remote NAT gateway; that causes your
firewall to log and drop the packet out of the rfc1918 chain because
the source IP is reserved by RFC 1918.<br>
is that the packet gets logged and dropped in the all2all chain. I have
also seen cases where the source IP in the ICMP itself isn't set back
to the external IP of the remote NAT gateway; that causes your firewall
to log and drop the packet out of the rfc1918 chain because the source
IP is reserved by RFC 1918.<br>
<h4><a name="faq22"></a><b>22. </b>I have some <b>iptables commands </b>that
I want to <b>run when Shorewall starts.</b> Which file do
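Review bot: the reflowed FAQ 21 text keeps the doubled word in "returned to to 206.124.146.179" and the stray upper-case "TO" in "rewrote the destination IP TO 172.16.1.10"; both sit on lines this hunk rewrites, so fix them here rather than in a later pass.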
@ -1258,22 +1259,21 @@ one of the <a href="shorewall_extension_scripts.htm">Shorewall Extension
Scripts</a>. Be sure that you look at the contents of the chain(s) that
you will be modifying with your commands to be sure that the
commands will do what they are intended. Many iptables commands
published in HOWTOs and other instructional material use the -A command
which adds the rules to the end of the chain. Most chains that Shorewall
constructs end with an unconditional DROP, ACCEPT or REJECT rule and
any rules that you add after that will be ignored. Check "man iptables"
and look at the -I (--insert) command.<br>
published in HOWTOs and other instructional material use the -A
command which adds the rules to the end of the chain. Most chains
that Shorewall constructs end with an unconditional DROP, ACCEPT or
REJECT rule and any rules that you add after that will be ignored.
Check "man iptables" and look at the -I (--insert) command.<br>
<h4><a name="faq23"></a><b>23. </b>Why do you use such ugly fonts on your
web site?</h4>
The Shorewall web site is almost font neutral
(it doesn't explicitly specify fonts except on a few pages) so
the fonts you see are largely the default fonts configured in your
browser. If you don't like them then reconfigure your browser.<br>
(it doesn't explicitly specify fonts except on a few pages)
so the fonts you see are largely the default fonts configured in
your browser. If you don't like them then reconfigure your browser.<br>
<h4><a name="faq24"></a>24. How can I <b>allow conections</b> to let's say
the ssh port only<b> from specific IP Addresses</b> on the
internet?</h4>
the ssh port only<b> from specific IP Addresses</b> on the internet?</h4>
In the SOURCE column of the rule, follow "net"
by a colon and a list of the host/subnet addresses as a comma-separated
list.<br>
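Review bot: the FAQ 24 heading in this hunk ("allow conections") misspells "connections"; the word is on an unchanged context line, but the heading's second line is being reflowed anyway, so it is a cheap fix in the same edit. In the FAQ 22 answer, "look at the -I (--insert) command" could state explicitly that -I without a rule number inserts at the head of the chain, which is exactly why it avoids the problem the answer describes (rules appended after Shorewall's unconditional DROP/ACCEPT/REJECT are never reached).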
@ -1292,14 +1292,10 @@ internet?</h4>
<br>
<font color="#009900"><b> /sbin/shorewall version</b></font><br>
<br>
<font size="2">Last updated 4/14/2003 - <a
<font size="2">Last updated 5/29/2003 - <a
href="support.htm">Tom Eastep</a></font>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
<br>
<br>
<br>
</body>
</html>

File diff suppressed because it is too large

View File

@ -41,9 +41,9 @@
it to your Linux system.</b></p>
</li>
<li>
<p align="left"> <b>If you are installing Shorewall for the first
time and plan to use the .tgz and install.sh script, you can untar
the archive, replace the 'firewall' script in the untarred directory
<p align="left"> <b>If you are installing Shorewall for the
first time and plan to use the .tgz and install.sh script, you can
untar the archive, replace the 'firewall' script in the untarred directory
with the one you downloaded below, and then run install.sh.</b></p>
</li>
<li>
@ -76,8 +76,8 @@ running 1.3.7c.</font></b><br>
color="#660066"><a href="#iptables"> Problem with iptables version 1.2.3
on RH7.2</a></font></b></li>
<li> <b><a
href="#Debug">Problems with kernels &gt;= 2.4.18 and RedHat
iptables</a></b></li>
href="#Debug">Problems with kernels &gt;= 2.4.18 and
RedHat iptables</a></b></li>
<li><b><a href="#SuSE">Problems installing/upgrading
RPM on SuSE</a></b></li>
<li><b><a href="#Multiport">Problems with
@ -93,21 +93,35 @@ iptables version 1.2.7 and MULTIPORT=Yes</a></b></li>
<h3></h3>
<h3>1.4.4-1.4.4a</h3>
<ul>
<li>Log messages are being displayed on the system console even though
the log level for the console is set properly according to <a
href="FAQ.htm#faq16">FAQ 16</a>. This problem may be corrected by installing
<a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4a/firewall"
target="_top">this firewall script</a> in /usr/share/shorewall/firewall
as described above.<br>
</li>
</ul>
<h3>1.4.4<br>
</h3>
<ul>
<li> If you have zone names that are 5 characters long, you may experience
problems starting Shorewall because the --log-prefix in a logging rule is
too long. Upgrade to Version 1.4.4a to fix this problem..</li>
</ul>
<h3>1.4.3</h3>
<ul>
<li>The LOGMARKER variable introduced in version 1.4.3 was intended to
allow integration of Shorewall with Fireparse (http://www.firewparse.com).
Unfortunately, LOGMARKER only solved part of the integration problem. I have
implimented a new LOGFORMAT variable which will replace LOGMARKER which has
completely solved this problem and is currently in production with fireparse
Unfortunately, LOGMARKER only solved part of the integration problem. I
have implimented a new LOGFORMAT variable which will replace LOGMARKER which
has completely solved this problem and is currently in production with fireparse
here at shorewall.net. The updated files may be found at <a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/"
target="_top">ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/</a>.
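Review bot: the new 1.4.4-1.4.4a errata entry (from "Log messages are being displayed" through "as described above.") tells users to install the errata firewall script but never says that upgrading to 1.4.4b fixes the same problem, whereas the 1.4.4 entry right below it does say "Upgrade to Version 1.4.4a"; add a sentence such as "This problem is corrected in Shorewall 1.4.4b." so readers have both options. While these lines are being rewrapped, also fix the carried-over typos: "this problem.." has a doubled period, "implimented" should be "implemented", and the URL "http://www.firewparse.com" looks like it should be "http://www.fireparse.com", which is the spelling used elsewhere in this commit.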
@ -120,11 +134,11 @@ See the 0README.txt file for details.<br>
<ul>
<li>When an 'add' or 'delete' command is executed, a temporary directory
created in /tmp is not being removed. This problem may be corrected by installing
<a
created in /tmp is not being removed. This problem may be corrected by
installing <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.2/firewall"
target="_top">this firewall script</a> in /usr/share/shorewall/firewall as
described ablve. <br>
target="_top">this firewall script</a> in /usr/share/shorewall/firewall
as described above. <br>
</li>
</ul>
@ -162,9 +176,9 @@ expected<br>
<h3>1.4.0</h3>
<ul>
<li>When running under certain shells Shorewall will attempt to create
ECN rules even when /etc/shorewall/ecn is empty. You may either just remove
/etc/shorewall/ecn or you can install <a
<li>When running under certain shells Shorewall will attempt to
create ECN rules even when /etc/shorewall/ecn is empty. You may either
just remove /etc/shorewall/ecn or you can install <a
href="http://www.shorewall.net/pub/shorewall/errata/1.4.0/firewall">this
correct script</a> in /usr/share/shorewall/firewall as described above.<br>
</li>
@ -196,11 +210,11 @@ have also built an <a
<b><u>before</u> </b>you upgrade to RedHat 7.2.</p>
<p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat
has released an iptables-1.2.4 RPM of their own which you
can download from<font color="#ff6633"> <a
has released an iptables-1.2.4 RPM of their own which you can
download from<font color="#ff6633"> <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
</font>I have installed this RPM on my firewall and it
works fine.</p>
</font>I have installed this RPM on my firewall and it works
fine.</p>
<p align="left">If you would like to patch iptables 1.2.3 yourself,
the patches are available for download. This <a
@ -219,8 +233,8 @@ works fine.</p>
</ul>
</blockquote>
<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18 and
RedHat iptables</h3>
<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18
and RedHat iptables</h3>
<blockquote>
<p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19
@ -244,8 +258,8 @@ RedHat iptables</h3>
RPM on SuSE</h3>
<p>If you find that rpm complains about a conflict with kernel &lt;=
2.2 yet you have a 2.4 kernel installed, simply use the "--nodeps"
option to rpm.</p>
2.2 yet you have a 2.4 kernel installed, simply use the
"--nodeps" option to rpm.</p>
<p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
@ -255,8 +269,8 @@ RedHat iptables</h3>
MULTIPORT=Yes</b></h3>
<p>The iptables 1.2.7 release of iptables has made an incompatible
change to the syntax used to specify multiport match rules; as
a consequence, if you install iptables 1.2.7 you must
change to the syntax used to specify multiport match rules;
as a consequence, if you install iptables 1.2.7 you must
be running Shorewall 1.3.7a or later or:</p>
<ul>
@ -274,25 +288,26 @@ be running Shorewall 1.3.7a or later or:</p>
<h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br>
</h3>
/etc/shorewall/nat entries of the following form will
result in Shorewall being unable to start:<br>
/etc/shorewall/nat entries of the following form
will result in Shorewall being unable to start:<br>
<br>
<pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22    eth0    192.168.9.22   yes     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
Error message is:<br>
<pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
The solution is to put "no" in the LOCAL column. Kernel
support for LOCAL=yes has never worked properly and 2.4.18-10
The solution is to put "no" in the LOCAL column.
Kernel support for LOCAL=yes has never worked properly and 2.4.18-10
has disabled it. The 2.4.19 kernel contains corrected support under
a new kernel configuraiton option; see <a
href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
<p><font size="2"> Last updated 5/27/2003 - <a href="support.htm">Tom Eastep</a></font>
</p>
<p><font size="2"> Last updated 5/29/2003 - <a href="support.htm">Tom
Eastep</a></font> </p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
</body>
</html>
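Review bot: the context line "a new kernel configuraiton option" still carries the typo "configuraiton"; since this paragraph is already being reflowed in this hunk, change it to "configuration" here rather than in a follow-up commit.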

View File

@ -33,14 +33,15 @@
border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110"
height="35" alt="">
</a>
<p align="right"><font color="#ffffff"><b>  </b></font> </p>
</td>
<td valign="middle" width="34%" align="center">
<h1 align="center"><font color="#ffffff">Shorewall Mailing Lists</font></h1>
</td>
<td valign="middle" width="33%"> <a
href="http://www.postfix.org/"> <img
<td valign="middle" width="33%">
<a href="http://www.postfix.org/"> <img
src="images/postfix-white.gif" align="right" border="0" width="124"
height="66" alt="(Postfix Logo)">
</a><br>
@ -71,43 +72,46 @@
<h2 align="left">Not able to Post Mail to shorewall.net?</h2>
<p align="left">You can report such problems by sending mail to tmeastep
at hotmail dot com.</p>
<p align="left">You can report such problems by sending mail to tmeastep at
hotmail dot com.</p>
<h2>A Word about the SPAM Filters at Shorewall.net <a
href="http://osirusoft.com/"> </a></h2>
<p>Please note that the mail server at shorewall.net
checks incoming mail:<br>
<p>Please note that the mail server at shorewall.net checks
incoming mail:<br>
</p>
<ol>
<li>against <a href="http://spamassassin.org">Spamassassin</a>
(including <a href="http://razor.sourceforge.net/">Vipul's Razor</a>).<br>
</li>
<li>to ensure that the sender address is fully qualified.</li>
<li>to ensure that the sender address is fully
qualified.</li>
<li>to verify that the sender's domain has an A
or MX record in DNS.</li>
<li>to ensure that the host name in the HELO/EHLO
command is a valid fully-qualified DNS name that resolves.</li>
<li>to ensure that the client system has a valid PTR record in DNS.<br>
</li>
</ol>
<h2>Please post in plain text</h2>
A growing number of MTAs serving list subscribers are rejecting
all HTML traffic. At least one MTA has gone so far as to blacklist
shorewall.net "for continuous abuse" because it has been my policy to
allow HTML in list posts!!<br>
shorewall.net "for continuous abuse" because it has been my policy
to allow HTML in list posts!!<br>
<br>
I think that blocking all HTML is a Draconian way to control
spam and that the ultimate losers here are not the spammers but the
list subscribers whose MTAs are bouncing all shorewall.net mail. As
one list subscriber wrote to me privately "These e-mail admin's need to
get a <i>(explitive deleted)</i> life instead of trying to rid the planet
of HTML based e-mail". Nevertheless, to allow subscribers to receive list
posts as must as possible, I have now configured the list server at shorewall.net
to strip all HTML from outgoing posts. This means that HTML-only posts
will be bounced by the list server.<br>
one list subscriber wrote to me privately "These e-mail admin's need
to get a <i>(explitive deleted)</i> life instead of trying to rid the
planet of HTML based e-mail". Nevertheless, to allow subscribers to receive
list posts as must as possible, I have now configured the list server
at shorewall.net to strip all HTML from outgoing posts. This means that
HTML-only posts will be bounced by the list server.<br>
<p align="left"> <b>Note: </b>The list server limits posts to 120kb.<br>
</p>
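Review bot: the rewrapped paragraph on HTML posts carries over two typos, "(explitive deleted)" for "(expletive deleted)" and "as must as possible" for "as much as possible", and "These e-mail admin's" should read "admins"; fix them in the rewrapped lines since those lines are being rewritten anyway.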
@ -151,19 +155,19 @@ stripping <i>Received:</i> headers to circumvent those policies.<br>
name="words" value=""> <input type="submit" value="Search"> </p>
</form>
<h2 align="left"><font color="#ff0000">Please do not try to download the
entire Archive -- it is 75MB (and growing daily) and my slow DSL line simply
won't stand the traffic. If I catch you, you will be blacklisted.<br>
<h2 align="left"><font color="#ff0000">Please do not try to download the entire
Archive -- it is 75MB (and growing daily) and my slow DSL line simply won't
stand the traffic. If I catch you, you will be blacklisted.<br>
</font></h2>
<h2 align="left">Shorewall CA Certificate</h2>
If you want to trust X.509 certificates issued by
Shoreline Firewall (such as the one used on my web site), you
If you want to trust X.509 certificates issued
by Shoreline Firewall (such as the one used on my web site), you
may <a href="Shorewall_CA_html.html">download and install my CA certificate</a>
in your browser. If you don't wish to trust my certificates then
you can either use unencrypted access when subscribing to Shorewall
mailing lists or you can use secure access (SSL) and accept the server's
certificate when prompted by your browser.<br>
in your browser. If you don't wish to trust my certificates
then you can either use unencrypted access when subscribing to
Shorewall mailing lists or you can use secure access (SSL) and
accept the server's certificate when prompted by your browser.<br>
<h2 align="left">Shorewall Users Mailing List</h2>
@ -173,8 +177,8 @@ may <a href="Shorewall_CA_html.html">download and install my CA certificate</a>
to this list.</p>
<p align="left"><b>Before posting a problem report to this list, please see
the <a href="http://www.shorewall.net/support.htm">problem reporting
guidelines</a>.</b></p>
the <a href="http://www.shorewall.net/support.htm">problem
reporting guidelines</a>.</b></p>
<p align="left">To subscribe to the mailing list:<br>
</p>
@ -194,9 +198,9 @@ may <a href="Shorewall_CA_html.html">download and install my CA certificate</a>
<p align="left">The list archives are at <a
href="http://lists.shorewall.net/pipermail/shorewall-users/index.html">http://lists.shorewall.net/pipermail/shorewall-users</a>.</p>
<p align="left">Note that prior to 1/1/2002, the mailing list was hosted at
<a href="http://sourceforge.net">Sourceforge</a>. The archives from that list
may be found at <a
<p align="left">Note that prior to 1/1/2002, the mailing list was hosted
at <a href="http://sourceforge.net">Sourceforge</a>. The archives from that
list may be found at <a
href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p>
<h2 align="left">Shorewall Announce Mailing List</h2>
@ -223,8 +227,8 @@ may be found at <a
<h2 align="left">Shorewall Development Mailing List</h2>
<p align="left">The Shorewall Development Mailing list provides a forum for
the exchange of ideas about the future of Shorewall and for coordinating
ongoing Shorewall Development.</p>
the exchange of ideas about the future of Shorewall and for
coordinating ongoing Shorewall Development.</p>
<p align="left">To subscribe to the mailing list:<br>
</p>
@ -258,16 +262,17 @@ may be found at <a
</li>
<li>
<p align="left">Down at the bottom of that page is the following text:
" To <b>unsubscribe</b> from <i>&lt;list name&gt;</i>, get a
password reminder, or change your subscription options enter
" To <b>unsubscribe</b> from <i>&lt;list name&gt;</i>, get
a password reminder, or change your subscription options enter
your subscription email address:". Enter your email address
in the box and click on the "<b>Unsubscribe</b> or edit options" button.</p>
in the box and click on the "<b>Unsubscribe</b> or edit options"
button.</p>
</li>
<li>
<p align="left">There will now be a box where you can enter your password
and click on "Unsubscribe"; if you have forgotten your password,
there is another button that will cause your password to be emailed
to you.</p>
there is another button that will cause your password to be
emailed to you.</p>
</li>
</ul>
@ -277,13 +282,14 @@ may be found at <a
<p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p>
<p align="left"><font size="2">Last updated 3/24/2003 - <a
<p align="left"><font size="2">Last updated 5/29/2003 - <a
href="http://www.shorewall.net/support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"> <font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
<p align="left"><a href="copyright.htm"> <font size="2">Copyright</font> ©
<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
<br>
<br>
</body>
</html>

View File

@ -35,10 +35,10 @@
<p><big><font color="#ff0000"><b>Warning 1: </b></font><b><small>I</small></b></big><big><b><small>
use a combination of Static NAT and Proxy ARP, neither of which are relevant
to a simple configuration with a single public IP address.</small></b></big><big><b><small>
If you have just a single public IP address, most of what you see here won't
apply to your setup so beware of copying parts of this configuration and
expecting them to work for you. What you copy may or may not work in your
configuration.<br>
If you have just a single public IP address, most of what you see here
won't apply to your setup so beware of copying parts of this configuration
and expecting them to work for you. What you copy may or may not work in
your configuration.<br>
</small></b></big></p>
<p><big><b><small><big><font color="#ff0000">Warning 2:</font></big> </small></b></big><b>My
@ -60,7 +60,14 @@ configuration uses features introduced in Shorewall version 1.4.1.</b><br>
192.168.1.3 and external address 206.124.146.179.</li>
<li>SNAT through the primary gateway address (206.124.146.176)
for  my Wife's system (Tarry) and our  laptop (Tipper) which connects
through the Wireless Access Point (wap)</li>
through the Wireless Access Point (wap) via a Wireless Bridge (bridge). <b><br>
<br>
Note:</b> While the distance between the WAP and where I usually use the
laptop isn't very far (25 feet or so), using a WAC11 (CardBus wireless card)
has proved very unsatisfactory (lots of lost connections). By replacing the
WAC11 with the WET11 wireless bridge, I have virtually eliminated these problems
(I was also able to eliminate them by hanging a piece of aluminum foil on
the family room wall but Tarry rejected that as a permanent solution :-).</li>
</ul>
@ -69,15 +76,16 @@ through the Wireless Access Point (wap)</li>
<p> Wookie runs Samba and acts as the a WINS server.  Wookie is in its
own 'whitelist' zone called 'me'.</p>
<p> My laptop (eastept1) is connected to eth3 using a cross-over cable.
It runs its own <a href="http://www.sygate.com"> Sygate</a> firewall
software and is managed by Proxy ARP. It connects to the local network
through a PPTP server running on Ursa. </p>
<p> My work laptop (easteplaptop) is connected to eth3 using a cross-over
cable. It runs its own <a href="http://www.sygate.com"> Sygate</a>
firewall software and is managed by Proxy ARP. It connects to the local
network through a PPTP server. running on Ursa. </p>
<p> The single system in the DMZ (address 206.124.146.177) runs postfix,
Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP
server (Pure-ftpd). The system also runs fetchmail to fetch our email
from our old and current ISPs. That server is managed through Proxy ARP.</p>
from our old and current ISPs. That server is managed through Proxy
ARP.</p>
<p> The firewall system itself runs a DHCP server that serves the local
network.</p>
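Review bot: the rewrapped line "network through a PPTP server. running on Ursa." introduces a stray period that the original "through a PPTP server running on Ursa." did not have; drop the period after "server". The unchanged context line "acts as the a WINS server" also has a doubled article ("the a") that could be fixed in the same hunk.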
@ -140,8 +148,8 @@ TEXAS=<i>&lt;ip address of gateway in Dallas&gt;<br></i>LOG=ULOG<br></pre>
<h3>Interfaces File: </h3>
<blockquote>
<p> This is set up so that I can start the firewall before bringing up
my Ethernet interfaces. </p>
<p> This is set up so that I can start the firewall before bringing up my
Ethernet interfaces. </p>
</blockquote>
<blockquote>
@ -172,8 +180,8 @@ my Ethernet interfaces. </p>
<blockquote>
<p> Although most of our internal systems use static NAT, my wife's system
(192.168.1.4) uses IP Masquerading (actually SNAT) as do visitors with
laptops. Also, I masquerade wookie to the peer subnet in Texas.</p>
(192.168.1.4) uses IP Masquerading (actually SNAT) as do visitors
with laptops. Also, I masquerade wookie to the peer subnet in Texas.</p>
</blockquote>
<blockquote>
@ -216,5 +224,6 @@ my Ethernet interfaces. </p>
<p><font size="2"><a href="support.htm">Tom Eastep</a></font> </p>
<a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
<br>
</body>
</html>

View File

@ -41,6 +41,7 @@
<div align="center">
<h1><font color="#ffffff"> Shorewall 1.4</font><i><font
color="#ffffff"> <small><small><small>"iptables made easy"</small></small></small></font></i><a
href="1.3" target="_top"><font color="#ffffff"><br>
@ -52,6 +53,7 @@
<p><a href="http://www.shorewall.net" target="_top"> </a> </p>
</td>
</tr>
@ -78,9 +80,9 @@
<p>The Shoreline Firewall, more commonly known as "Shorewall", is a
<a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
that can be used on a dedicated firewall system, a multi-function
<p>The Shoreline Firewall, more commonly known as "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
firewall that can be used on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system.</p>
@ -89,8 +91,8 @@
<p>This program is free software; you can redistribute it and/or modify
it
under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
General Public License</a> as published by the Free Software
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the
GNU General Public License</a> as published by the Free Software
Foundation.<br>
<br>
@ -139,6 +141,18 @@ QuickStart Guide</a> for details.<br>
<p><b>5/29/2003 - Shorewall-1.4.4b</b><b> </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
<p>Groan -- This version corrects a problem whereby the --log-level
was not being set when logging via syslog. The most commonly reported symptom
was that Shorewall messages were being written to the console even though
console logging was correctly configured per <a href="FAQ.htm#faq16">FAQ
16</a>.<br>
</p>
<p><b>5/27/2003 - Shorewall-1.4.4a</b><b> </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
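Review bot: the 1.4.4b announcement paragraph describes the symptom (messages written to the console despite console logging being configured per FAQ 16) but gives no remedy; the errata page in this same commit points users at an errata firewall script, so add one line here saying either to upgrade to 1.4.4b or to install that script. Note also that this paragraph is duplicated verbatim in the other index page in this commit, so any wording change has to be made in both places.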
@ -151,8 +165,8 @@ contain '%d'.
src="images/new10.gif" width="28" height="12" alt="(New)">
</b><b> </b></p>
I apologize for the rapid-fire releases but since there is a potential
configuration change required to go from 1.4.3a to 1.4.4, I decided to make
it a full release rather than just a bug-fix release. <br>
configuration change required to go from 1.4.3a to 1.4.4, I decided to
make it a full release rather than just a bug-fix release. <br>
<br>
<b>    Problems corrected:</b><br>
@ -176,8 +190,8 @@ with fireparse (<a href="http://www.fireparse.com">http://www.fireparse.com</a>
       LOGFORMAT="fp=%s:%d a=%s "<br>
 <br>
<b>CAUTION: </b>/sbin/shorewall uses the leading part of the LOGFORMAT
string (up to but not including the first '%') to find log messages in
the 'show log', 'status' and 'hits' commands. This part should not be omitted
string (up to but not including the first '%') to find log messages in the
'show log', 'status' and 'hits' commands. This part should not be omitted
(the LOGFORMAT should not begin with "%") and the leading part should be
sufficiently unique for /sbin/shorewall to identify Shorewall messages.<br>
<br>
@ -196,9 +210,9 @@ the 'show log', 'status' and 'hits' commands. This part should not be omitted
and in the .rpm. In addition: <br>
<ol>
<li>(This change is in 1.4.3 but is not documented) If you are
running iptables 1.2.7a and kernel 2.4.20, then Shorewall will return reject
replies as follows:<br>
<li>(This change is in 1.4.3 but is not documented) If you
are running iptables 1.2.7a and kernel 2.4.20, then Shorewall will return
reject replies as follows:<br>
   a) tcp - RST<br>
   b) udp - ICMP port unreachable<br>
   c) icmp - ICMP host unreachable<br>
@ -207,9 +221,9 @@ the 'show log', 'status' and 'hits' commands. This part should not be omitted
convention:<br>
   a) tcp - RST<br>
   b) Otherwise - ICMP port unreachable</li>
<li>UDP port 135 is now silently dropped in the common.def chain.
Remember that this chain is traversed just before a DROP or REJECT policy
is enforced.<br>
<li>UDP port 135 is now silently dropped in the common.def
chain. Remember that this chain is traversed just before a DROP or REJECT
policy is enforced.<br>
</li>
</ol>
@ -218,6 +232,7 @@ the 'show log', 'status' and 'hits' commands. This part should not be omitted
</p>
    <b>Problems Corrected:<br>
</b>
<ol>
<li>There were several cases where Shorewall would fail to
remove a temporary directory from /tmp. These cases have been corrected.</li>
@ -229,14 +244,16 @@ This insures that all loopback traffic is allowed even if Netfilter connectio
</ol>
    <b>New Features:<br>
</b>
<ol>
<li> <a href="6to4.htm">IPV6-IPV4 (6to4) tunnels are</a> now
supported in the /etc/shorewall/tunnels file.</li>
<li> <a href="6to4.htm">IPV6-IPV4 (6to4) tunnels are</a>
now supported in the /etc/shorewall/tunnels file.</li>
<li>You may now change the leading portion of the --log-prefix
used by Shorewall using the LOGMARKER variable in shorewall.conf. By default,
"Shorewall:" is used.<br>
</li>
</ol>
<p><b>5/10/2003 - Shorewall Mirror in Asia</b><b> </b><br>
@ -274,11 +291,11 @@ This insures that all loopback traffic is allowed even if Netfilter connectio
<blockquote>This morning, I gave <a href="GSLUG.htm" target="_top">a
Shorewall presentation to GSLUG</a>. The presentation is
in HTML format but was generated from Microsoft PowerPoint and is best
viewed using Internet Explorer (although Konqueror also seems to work
reasonably well as does Opera 7.1.0). Neither Opera 6 nor Netscape
work well to view the presentation.<br>
Shorewall presentation to GSLUG</a>. The presentation
is in HTML format but was generated from Microsoft PowerPoint and
is best viewed using Internet Explorer (although Konqueror also seems
to work reasonably well as does Opera 7.1.0). Neither Opera 6 nor
Netscape work well to view the presentation.<br>
</blockquote>
@ -303,6 +320,7 @@ work well to view the presentation.<br>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36"
alt="(Leaf Logo)">
@ -321,6 +339,7 @@ work well to view the presentation.<br>
<b>Congratulations to Jacques and Eric on the recent release
of Bering 1.2!!! </b><br>
<h2><a name="Donations"></a>Donations</h2>
</td>
@ -362,6 +381,7 @@ of Bering 1.2!!! </b><br>
</table>
</center>
</div>
<table border="0" cellpadding="5" cellspacing="0"
@ -384,8 +404,8 @@ of Bering 1.2!!! </b><br>
<p align="center"><font size="4" color="#ffffff">Shorewall is free but
if you try it and find it useful, please consider making a donation
<p align="center"><font size="4" color="#ffffff">Shorewall is free
but if you try it and find it useful, please consider making a donation
to
<a href="http://www.starlight.org"><font color="#ffffff">Starlight
Children's Foundation.</font></a> Thanks!</font></p>
@ -398,10 +418,8 @@ if you try it and find it useful, please consider making a donation
</tbody>
</table>
<p><font size="2">Updated 5/27/2003 - <a href="support.htm">Tom Eastep</a></font>
<p><font size="2">Updated 5/29/2003 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
<br>
<br>
</body>
</html>

View File

@ -59,13 +59,13 @@
in 1999 and had DSL service installed in our home. I investigated
ipchains and developed the scripts which are now collectively known
as <a href="http://seawall.sourceforge.net"> Seattle Firewall</a>.
Expanding on what I learned from Seattle Firewall, I then designed
and wrote Shorewall. </p>
Expanding on what I learned from Seattle Firewall, I then
designed and wrote Shorewall. </p>
<p>I telework from our <a
href="http://lists.shorewall.net/SeattleInTheSpring.html">home</a> in <a
href="http://www.cityofshoreline.com">Shoreline, Washington</a> where
I live with my wife Tarry.  </p>
href="http://www.cityofshoreline.com">Shoreline, Washington</a>
where I live with my wife Tarry.  </p>
<p>Our current home network consists of: </p>
@ -75,24 +75,24 @@ I live with my wife Tarry.
system. Serves as a PPTP server for Road Warrior access. Dual boots <a
href="http://www.mandrakelinux.com">Mandrake</a> 9.0.</li>
<li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip)
NIC - My personal Linux System which runs Samba configured
as a WINS server. This system also has <a
href="http://www.vmware.com/">VMware</a> installed and can run both
<a href="http://www.debian.org">Debian Woody</a> and <a
NIC - My personal Linux System which runs Samba configured as
a WINS server. This system also has <a
href="http://www.vmware.com/">VMware</a> installed and can run
both <a href="http://www.debian.org">Debian Woody</a> and <a
href="http://www.suse.com">SuSE 8.1</a> in virtual machines.</li>
<li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100
NIC  - Email (Postfix, Courier-IMAP and Mailman), HTTP (Apache), FTP
(Pure_ftpd), DNS server (Bind 9).</li>
<li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI HD -
3 LNE100TX  (Tulip) and 1 TLAN NICs  - Firewall running Shorewall
1.4.2  and a DHCP server.</li>
1.4.4a  and a DHCP server.</li>
<li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139
NIC - My wife's personal system.</li>
<li>PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB HD,
built-in EEPRO100, EEPRO100 in expansion base and LinkSys WAC11 - My
work system.</li>
<li>XP 2200 Laptop, WinXP SP1, 512MB RAM, 40GB HD, built-in NIC and LinkSys
WAC11 - Our Laptop.<br>
WET11 - Our Laptop.<br>
</li>
</ul>
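Review bot: the firewall entry is bumped to "Shorewall 1.4.4a and a DHCP server" while this commit releases 1.4.4b (per the 5/29/2003 announcements in the index pages); if the firewall actually runs 1.4.4b, use that version here so the page does not go stale on the same day it is updated. The unchanged context line "PII/233, RH8.0, 256MB MB RAM" also repeats "MB".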
@ -108,8 +108,8 @@ WAC11 - Our Laptop.<br>
src="images/poweredby.png" width="88" height="31">
</a><a href="http://www.compaq.com"><img border="0"
src="images/poweredbycompaqlog0.gif" hspace="3" width="83" height="25">
</a><a href="http://www.pureftpd.org"><img border="0"
src="images/pure.jpg" width="88" height="31">
</a><a href="http://www.pureftpd.org"><img
border="0" src="images/pure.jpg" width="88" height="31">
</a><font size="4"><a href="http://www.apache.org"><img
border="0" src="images/apache_pb1.gif" hspace="2" width="170"
height="20">
@ -139,5 +139,6 @@ WAC11 - Our Laptop.<br>
<br>
<br>
<br>
<br>
</body>
</html>

View File

@ -7,8 +7,8 @@
content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.3</title>
<base
target="_self">
<base target="_self">
</head>
<body>
@ -30,8 +30,7 @@
src="images/washington.jpg" border="0">
</a></i></font><font color="#ffffff">Shorewall 1.4
- <font size="4">"<i>iptables made
easy"</i></font></font><br>
- <font size="4">"<i>iptables made easy"</i></font></font><br>
<a target="_top" href="1.3/index.html"><font
color="#ffffff"> </font></a><a target="_top"
href="http://www1.shorewall.net/1.2/index.htm"><font color="#ffffff"><small><small><small><br>
@ -75,8 +74,8 @@ on a dedicated firewall system, a multi-function
<p>This program is free software; you can redistribute it and/or modify
it
under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
General Public License</a> as published by the Free Software
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the
GNU General Public License</a> as published by the Free Software
Foundation.<br>
<br>
@ -92,9 +91,9 @@ General Public License</a> as published by the Free Software
You should have received a copy of the
GNU General Public License along
with this program; if not, write to the Free
Software Foundation, Inc., 675 Mass
Ave, Cambridge, MA 02139, USA</p>
with this program; if not, write to the
Free Software Foundation, Inc., 675
Mass Ave, Cambridge, MA 02139, USA</p>
@ -122,13 +121,24 @@ QuickStart Guide</a> for details.<br>
<p><b>5/29/2003 - Shorewall-1.4.4b</b><b> </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
<p>Groan -- This version corrects a problem whereby the --log-level
was not being set when logging via syslog. The most commonly reported symptom
was that Shorewall messages were being written to the console even though
console logging was correctly configured per <a href="FAQ.htm#faq16">FAQ
16</a>.<br>
</p>
<p><b>5/27/2003 - Shorewall-1.4.4a</b><b> </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
The Fireparse --log-prefix fiasco continues. Tuomo Soini has pointed out
that the code in 1.4.4 restricts the length of short zone names to 4 characters.
I've produced version 1.4.4a that restores the previous 5-character limit
by conditionally omitting the log rule number when the LOGFORMAT doesn't
The Fireparse --log-prefix fiasco continues. Tuomo Soini has pointed
out that the code in 1.4.4 restricts the length of short zone names to 4
characters. I've produced version 1.4.4a that restores the previous 5-character
limit by conditionally omitting the log rule number when the LOGFORMAT doesn't
contain '%d'.
<p><b>5/23/2003 - Shorewall-1.4.4</b><b> </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
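Review bot: the 1.4.4a text ("The Fireparse --log-prefix fiasco continues ... contain '%d'.") sits as bare body text between two <p> blocks while the 1.4.4b paragraph just above it is wrapped in <p>; since these lines are being rewrapped anyway, wrap the 1.4.4a text in <p> too so the two release notes render with the same spacing. The 1.4.4b paragraph here is identical to the one added to the other index page in this commit, so the same point about stating a remedy (upgrade to 1.4.4b or install the errata firewall script) applies here.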
@ -159,8 +169,8 @@ with fireparse (<a href="http://www.fireparse.com">http://www.fireparse.com</a>
       LOGFORMAT="fp=%s:%d a=%s "<br>
 <br>
<b>CAUTION: </b>/sbin/shorewall uses the leading part of the LOGFORMAT
string (up to but not including the first '%') to find log messages in
the 'show log', 'status' and 'hits' commands. This part should not be omitted
string (up to but not including the first '%') to find log messages in the
'show log', 'status' and 'hits' commands. This part should not be omitted
(the LOGFORMAT should not begin with "%") and the leading part should be
sufficiently unique for /sbin/shorewall to identify Shorewall messages.<br>
<br>
@ -179,9 +189,9 @@ the 'show log', 'status' and 'hits' commands. This part should not be omitted
and in the .rpm. In addition: <br>
<ol>
<li>(This change is in 1.4.3 but is not documented) If you are
running iptables 1.2.7a and kernel 2.4.20, then Shorewall will return reject
replies as follows:<br>
<li>(This change is in 1.4.3 but is not documented) If you
are running iptables 1.2.7a and kernel 2.4.20, then Shorewall will return
reject replies as follows:<br>
   a) tcp - RST<br>
   b) udp - ICMP port unreachable<br>
   c) icmp - ICMP host unreachable<br>
@ -190,9 +200,9 @@ the 'show log', 'status' and 'hits' commands. This part should not be omitted
convention:<br>
   a) tcp - RST<br>
   b) Otherwise - ICMP port unreachable</li>
<li>UDP port 135 is now silently dropped in the common.def chain.
Remember that this chain is traversed just before a DROP or REJECT policy
is enforced.<br>
<li>UDP port 135 is now silently dropped in the common.def
chain. Remember that this chain is traversed just before a DROP or REJECT
policy is enforced.<br>
</li>
</ol>
@ -201,6 +211,7 @@ the 'show log', 'status' and 'hits' commands. This part should not be omitted
</p>
    <b>Problems Corrected:<br>
</b>
<ol>
<li>There were several cases where Shorewall would fail to
remove a temporary directory from /tmp. These cases have been corrected.</li>
@ -212,9 +223,10 @@ This insures that all loopback traffic is allowed even if Netfilter connectio
</ol>
    <b>New Features:<br>
</b>
<ol>
<li><a href="6to4.htm"> </a><a href="6to4.htm">IPV6-IPV4 (6to4)
tunnels </a>are now supported in the /etc/shorewall/tunnels file.</li>
<li><a href="6to4.htm"> </a><a href="6to4.htm">IPV6-IPV4
(6to4) tunnels </a>are now supported in the /etc/shorewall/tunnels file.</li>
<li value="2">You may now change the leading portion of the
--log-prefix used by Shorewall using the LOGMARKER variable in shorewall.conf.
By default, "Shorewall:" is used.<br>
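Review bot: the rewrapped 6to4 list item keeps the empty anchor '<a href="6to4.htm"> </a>' in front of the real link; the corresponding item in the other index page in this commit has only the single link, so drop the empty anchor here while the line is being rewritten. The '<li value="2">' on the next item is also redundant, since it is already the second item of the list.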
@ -258,8 +270,8 @@ This insures that all loopback traffic is allowed even if Netfilter connectio
target="_top">a Shorewall presentation to GSLUG</a>. The presentation
is in HTML format but was generated from Microsoft PowerPoint and
is best viewed using Internet Explorer (although Konqueror also seems
to work reasonably well as does Opera 7.1.0). Neither Opera 6 nor Netscape
work well to view the presentation.</blockquote>
to work reasonably well as does Opera 7.1.0). Neither Opera 6 nor
Netscape work well to view the presentation.</blockquote>
@ -296,17 +308,18 @@ This insures that all loopback traffic is allowed even if Netfilter connectio
border="0" src="images/leaflogo.gif" width="49" height="36"
alt="(Leaf Logo)">
</a>Jacques Nilo and Eric Wolzak have
a LEAF (router/firewall/gateway on a floppy,
CD or compact flash) distribution called
<i>Bering</i> that features
Shorewall-1.3.14 and Kernel-2.4.20. You can find
their work at: <a
</a>Jacques Nilo and Eric Wolzak
have a LEAF (router/firewall/gateway on
a floppy, CD or compact flash) distribution
called <i>Bering</i> that features
Shorewall-1.3.14 and Kernel-2.4.20. You
can find their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
<b>Congratulations to Jacques and Eric
on the recent release of Bering 1.2!!! </b><br>
<h1 align="center"><b><a href="http://www.sf.net"><img
align="left" alt="SourceForge Logo"
src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3">
@ -397,8 +410,8 @@ Shorewall-1.3.14 and Kernel-2.4.20. You can find
<p align="center"><font size="4" color="#ffffff">Shorewall is free but
if you try it and find it useful, please consider making a donation
<p align="center"><font size="4" color="#ffffff">Shorewall is free
but if you try it and find it useful, please consider making a donation
to
<a href="http://www.starlight.org"><font color="#ffffff">Starlight
Children's Foundation.</font></a> Thanks!</font></p>
@ -411,11 +424,8 @@ if you try it and find it useful, please consider making a donation
</tbody>
</table>
<p><font size="2">Updated 5/27/2003 - <a href="support.htm">Tom Eastep</a></font>
<p><font size="2">Updated 5/29/2003 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
<br>
<br>
<br>
</body>
</html>

View File

@ -51,9 +51,9 @@ solutions to more than 20 common problems. </li>
<li> The
<a href="http://www.shorewall.net/errata.htm"> Errata</a> has links
to download updated components. </li>
<li> The Site
and Mailing List Archives search facility can locate documents
and posts about similar problems: </li>
<li> The
Site and Mailing List Archives search facility can locate
documents and posts about similar problems: </li>
</ul>
@ -104,28 +104,28 @@ solutions to more than 20 common problems. </li>
<ul>
<li>Please remember we only know what
is posted in your message. Do not leave out any information
that appears to be correct, or was mentioned in a previous post.
There have been countless posts by people who were sure that
some part of their configuration was correct when it actually
contained a small error. We tend to be skeptics where detail is
lacking.<br>
that appears to be correct, or was mentioned in a previous
post. There have been countless posts by people who were sure
that some part of their configuration was correct when it actually
contained a small error. We tend to be skeptics where detail
is lacking.<br>
<br>
</li>
<li>Please keep in mind that you're
asking for <strong>free</strong> technical support. Any
help we offer is an act of generosity, not an obligation. Try
to make it easy for us to help you. Follow good, courteous practices
in writing and formatting your e-mail. Provide details that we need
if you expect good answers. <em>Exact quoting </em> of error messages,
log entries, command output, and other output is better than a paraphrase
or summary.<br>
asking for <strong>free</strong> technical support.
Any help we offer is an act of generosity, not an obligation.
Try to make it easy for us to help you. Follow good, courteous
practices in writing and formatting your e-mail. Provide details that
we need if you expect good answers. <em>Exact quoting </em> of
error messages, log entries, command output, and other output is better
than a paraphrase or summary.<br>
<br>
</li>
<li>
Please don't describe your environment and then ask us
to send you custom configuration files. We're here
to answer your questions but we can't do your
job for you.<br>
Please don't describe your environment and then ask
us to send you custom configuration files. We're
here to answer your questions but we can't do
your job for you.<br>
<br>
</li>
<li>When reporting a problem, <strong>ALWAYS</strong>
@ -184,6 +184,7 @@ are running<br>
<font color="#009900"><b>lsmod</b></font><br>
</li>
</ul>
</ul>
@ -191,10 +192,10 @@ are running<br>
<ul>
<ul>
<li><font color="#ff0000"><u><i><big><b>If you are having connection
problems of any kind then:</b></big></i></u></font><br>
<li><font color="#ff0000"><u><i><big><b>If you are having
connection problems of any kind then:</b></big></i></u></font><br>
<br>
1. <b><font color="#009900">/sbin/shorewall/reset</font></b><br>
1. <b><font color="#009900">/sbin/shorewall reset</font></b><br>
<br>
2. Try the connection that is failing.<br>
<br>
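Review bot: Good catch on `/sbin/shorewall/reset` to `/sbin/shorewall reset`; the old form would be looked up as a file under a directory named /sbin/shorewall and fail, and the corrected form matches `/sbin/shorewall show log` used later on this page. Since step 1 exists to zero the packet and byte counters before the failing connection is retried in step 2, it may help readers to say so, so they understand why the order of the two steps matters when they later report the counters.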
@ -229,17 +230,17 @@ the SMTP headers of your post).<br>
<strong></strong></li>
<li>Do you see any "Shorewall" messages ("<b><font
color="#009900">/sbin/shorewall show log</font></b>") when
you exercise the function that is giving you problems? If
so, include the message(s) in your post along with a copy of your
/etc/shorewall/interfaces file.<br>
you exercise the function that is giving you problems? If so,
include the message(s) in your post along with a copy of your /etc/shorewall/interfaces
file.<br>
<br>
</li>
<li>Please include any of the Shorewall configuration
files (especially the /etc/shorewall/hosts file
if you have modified that file) that you think are
relevant. If you include /etc/shorewall/rules, please include
/etc/shorewall/policy as well (rules are meaningless unless
one also knows the policies).<br>
/etc/shorewall/policy as well (rules are meaningless unless one
also knows the policies).<br>
<br>
</li>
<li>If an error occurs when you try to "<font
@ -262,20 +263,20 @@ to the Mailing List -- your post will be rejected.</b></li>
<h2>When using the mailing list, please post in plain text</h2>
<blockquote> A growing number of MTAs serving list subscribers are rejecting
all HTML traffic. At least one MTA has gone so far as to blacklist
shorewall.net "for continuous abuse" because it has been my policy
to allow HTML in list posts!!<br>
<blockquote> A growing number of MTAs serving list subscribers are
rejecting all HTML traffic. At least one MTA has gone so far as to
blacklist shorewall.net "for continuous abuse" because it has been
my policy to allow HTML in list posts!!<br>
<br>
I think that blocking all HTML is
a Draconian way to control spam and that the ultimate losers
here are not the spammers but the list subscribers whose
MTAs are bouncing all shorewall.net mail. As one list subscriber
I think that blocking all HTML
is a Draconian way to control spam and that the ultimate
losers here are not the spammers but the list subscribers
whose MTAs are bouncing all shorewall.net mail. As one list subscriber
wrote to me privately "These e-mail admin's need to get a <i>(expletive
deleted)</i> life instead of trying to rid the planet of HTML
based e-mail". Nevertheless, to allow subscribers to receive
list posts as must as possible, I have now configured the list
server at shorewall.net to strip all HTML from outgoing posts.<br>
deleted)</i> life instead of trying to rid the planet of HTML based
e-mail". Nevertheless, to allow subscribers to receive list posts
as must as possible, I have now configured the list server at
shorewall.net to strip all HTML from outgoing posts.<br>
</blockquote>
<h2>Where to Send your Problem Report or to Ask for Help</h2>
@ -307,10 +308,11 @@ an MNF license from MandrakeSoft then you can post non MNF-specifi
href="http://lists.shorewall.net">http://lists.shorewall.net</a><br>
</p>
<p align="left"><font size="2">Last Updated 5/19/2003 - Tom Eastep</font></p>
<p align="left"><font size="2">Last Updated 5/28/2003 - Tom Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p>
<br>
</body>
</html>

View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=1.4.4a
VERSION=1.4.4b
usage() # $1 = exit status
{

View File

@ -926,7 +926,7 @@ log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates fo
eval iptables -A $chain $@ -j ULOG $LOGPARMS --ulog-prefix '"`printf "$LOGFORMAT" $chain $rulenum $disposition`"'
;;
*)
eval iptables -A $chain $@ -j LOG $LOGPARMS --log-prefix '"`printf "$LOGFORMAT" $chain $rulenum $disposition`"'
eval iptables -A $chain $@ -j LOG $LOGPARMS --log-level $level --log-prefix '"`printf "$LOGFORMAT" $chain $rulenum $disposition`"'
;;
esac
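Review bot: `--log-level $level` is added only on the LOG arm, which is correct because the ULOG target above takes no syslog level, but `$level` is expanded unquoted inside `eval`; if any caller can reach the `*)` arm with an empty level, iptables will be invoked with a bare `--log-level` followed by `--log-prefix` and fail with a usage error rather than a Shorewall configuration message. Suggest validating the level where it is parsed, or guarding this arm with something like `[ -n "$level" ]`. Also note this is a behaviour change worth documenting: the function header says `$1 = log level`, yet before this hunk that value was never passed to iptables, so LOG rules went out at the LOG target's default level (warning); after it, configurations that specify a level such as `info` will actually log at that syslog priority, which can change where syslog routes the firewall messages.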
@ -943,7 +943,7 @@ log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates fo
eval iptables -A $chain $@ -j ULOG $LOGPARMS --ulog-prefix '"`printf "$LOGFORMAT" $chain $disposition`"'
;;
*)
eval iptables -A $chain $@ -j LOG $LOGPARMS --log-prefix '"`printf "$LOGFORMAT" $chain $disposition`"'
eval iptables -A $chain $@ -j LOG $LOGPARMS --log-level $level --log-prefix '"`printf "$LOGFORMAT" $chain $disposition`"'
;;
esac
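Review bot: This is the same edit as the previous hunk with only `$rulenum` missing from the prefix; because each arm builds the complete `-j LOG $LOGPARMS ...` target on its own, every new option (as `--log-level` here) has to be added in two places and the arms can drift apart. Suggest composing the common `-j LOG $LOGPARMS --log-level $level` part once and varying only the `--log-prefix` argument between the rule-number and no-rule-number cases.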

View File

@ -54,7 +54,7 @@
# /etc/rc.d/rc.local file is modified to start the firewall.
#
VERSION=1.4.4a
VERSION=1.4.4b
usage() # $1 = exit status
{

View File

@ -1,5 +1,5 @@
%define name shorewall
%define version 1.4.4a
%define version 1.4.4b
%define release 1
%define prefix /usr
@ -105,6 +105,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog
* Thu May 29 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.4b-1
* Tue May 27 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.4a-1
* Thu May 22 2003 Tom Eastep <tom@shorewall.net>

View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall
VERSION=1.4.4a
VERSION=1.4.4b
usage() # $1 = exit status
{
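Review bot: This is the third script in the patch (after the revert and install scripts) carrying its own hardcoded `VERSION=1.4.4b`, in addition to the `%define version` in the spec file; the version must be bumped in lock step in four places, and a missed one would let an install or uninstall script refuse to operate on the shipped release. Suggest having the scripts read the version from a single source at build or install time. Minor: the header comment here still says "remove Seattle Firewall" while the revert script's comment in this patch says "Shoreline Firewall"; the wording should be made consistent.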