From 1ad262c7cbe700159a2c7973e08d83711c9b0786 Mon Sep 17 00:00:00 2001 From: teastep Date: Wed, 4 Dec 2002 00:02:25 +0000 Subject: [PATCH] 1.3.11 release changes git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@347 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- STABLE/INSTALL | 8 +- STABLE/documentation/FAQ.htm | 1395 +++++---- STABLE/documentation/News.htm | 2724 +++++++++-------- STABLE/documentation/download.htm | 669 ++-- STABLE/documentation/errata.htm | 948 +++--- .../documentation/seattlefirewall_index.htm | 587 ++-- STABLE/documentation/shoreline.htm | 156 +- .../shorewall_quickstart_guide.htm | 326 +- STABLE/documentation/support.htm | 206 +- STABLE/documentation/troubleshoot.htm | 299 +- STABLE/fallback.sh | 2 +- STABLE/install.sh | 2 +- STABLE/shorewall.spec | 4 +- STABLE/uninstall.sh | 2 +- 14 files changed, 3739 insertions(+), 3589 deletions(-) diff --git a/STABLE/INSTALL b/STABLE/INSTALL index 9233faf91..58e4501ff 100644 --- a/STABLE/INSTALL +++ b/STABLE/INSTALL @@ -24,8 +24,12 @@ o Unpack the tarball o cd to the shorewall- directory o If you have an earlier version of Shoreline Firewall installed,see the upgrade instructions below -o Edit the files policy, interfaces, rules, nat, proxyarp and masq to - fit your environment. +o Edit the configuration files to fit your environment. + + To do this, I strongly advise you to follow the instructions at: + + http://shorewall.sf.net/shorewall_quickstart_guide.htm + o If you are using Caldera, Redhat, Mandrake, Corel, Slackware, SuSE or Debian, then type "./install.sh". o For other distributions, determine where your distribution installs diff --git a/STABLE/documentation/FAQ.htm b/STABLE/documentation/FAQ.htm index 6efbda7b5..b5ba4057b 100644 --- a/STABLE/documentation/FAQ.htm +++ b/STABLE/documentation/FAQ.htm @@ -1,896 +1,943 @@ - + - + - + - + Shorewall FAQ - + - + - - - + + - - - + + + +
- +
+ +

Shorewall FAQs

-
- +

1. I want to forward UDP - port 7777 to my my personal PC with IP address 192.168.1.5. I've - looked everywhere and can't find how to do it.

- + port 7777 to my my personal PC with IP address 192.168.1.5. +I've looked everywhere and can't find how to do it.

+

1a. Ok -- I followed those instructions - but it doesn't work.
-

- + but it doesn't work.
+

+

1b. I'm still having problems with - port forwarding

- + port forwarding

+

2. I port forward www requests - to www.mydomain.com (IP 130.151.100.69) to system 192.168.1.5 in my -local network. External clients can browse http://www.mydomain.com -but internal clients can't.

- + to www.mydomain.com (IP 130.151.100.69) to system 192.168.1.5 in my + local network. External clients can browse http://www.mydomain.com + but internal clients can't.

+

2a. I have a zone "Z" with an RFC1918 - subnet and I use static NAT to assign non-RFC1918 addresses -to hosts in Z. Hosts in Z cannot communicate with each other using their - external (non-RFC1918 addresses) so they can't access each other using - their DNS names.

- + subnet and I use static NAT to assign non-RFC1918 addresses + to hosts in Z. Hosts in Z cannot communicate with each other using +their external (non-RFC1918 addresses) so they can't access each +other using their DNS names.

+

3. I want to use Netmeeting/MSN - Messenger with Shorewall. What do I do?

- + Messenger with Shorewall. What do I do?

+

4. I just used an online port scanner - to check my firewall and it shows some ports as 'closed' rather -than 'blocked'. Why?

- + to check my firewall and it shows some ports as 'closed' rather + than 'blocked'. Why?

+

4a. I just ran an nmap UDP scan - of my firewall and it showed 100s of ports as open!!!!

- + of my firewall and it showed 100s of ports as open!!!!

+

5. I've installed Shorewall and now - I can't ping through the firewall

- + I can't ping through the firewall

+

6. Where are the log messages - written and how do I change the destination?

- + written and how do I change the destination?

+

6a. Are there any log parsers - that work with Shorewall?

- + that work with Shorewall?

+

7. When I stop Shorewall using 'shorewall stop', I can't connect to anything. Why doesn't that command - work?

- + work?

+

8. When I try to start Shorewall - on RedHat 7.x, I get messages about insmod failing -- what's wrong?

- + on RedHat 7.x, I get messages about insmod failing -- what's wrong?

+

9. Why can't Shorewall detect - my interfaces properly?

- + my interfaces properly?

+

10. What distributions does - it work with?

- + it work with?

+

11. What features does it support?

- +

12. Why isn't there a GUI

- +

13. Why do you call it "Shorewall"?

- +

14. I'm connected via a cable modem - and it has an internel web server that allows me to configure/monitor - it but as expected if I enable rfc1918 blocking for my eth0 interface, - it also blocks the cable modems web server.

- + and it has an internel web server that allows me to configure/monitor + it but as expected if I enable rfc1918 blocking for my eth0 + interface, it also blocks the cable modems web server.

+

14a. Even though it assigns public - IP addresses, my ISP's DHCP server has an RFC 1918 address. If I enable - RFC 1918 filtering on my external interface, my DHCP client cannot - renew its lease.

- + IP addresses, my ISP's DHCP server has an RFC 1918 address. If I +enable RFC 1918 filtering on my external interface, my DHCP client +cannot renew its lease.

+

15. My local systems can't see - out to the net

- + out to the net

+

16. Shorewall is writing log messages - all over my console making it unusable!
-

- 17. How do I find out why - this is getting logged?
+ all over my console making it unusable!
+

+ 17. How do I find out why + this is getting logged?
+
+ 18. Is there any way to use aliased ip + addresses with Shorewall, and maintain separate rulesets for different + IPs?

- 18. Is there any way to use aliased ip addresses - with Shorewall, and maintain separate rulesets for different IPs?
-
- 19. I have added entries to /etc/shorewall/tcrules -but they don't seem to do anything. Why?
-
-20. I have just set up a server. -Do I have to change Shorewall to allow access to my server from the internet?
-
-
+ 19. I have added entries to /etc/shorewall/tcrules + but they don't seem to do anything. Why?
+
+ 20. I have just set up a +server. Do I have to change Shorewall to allow access to my server from +the internet?
+

+
21. I see these strange log entries occasionally; + what are they?
+

+ +

1. I want to forward UDP port 7777 to - my my personal PC with IP address 192.168.1.5. I've looked everywhere - and can't find how to do it.

- + my my personal PC with IP address 192.168.1.5. I've looked everywhere + and can't find how to do it. +

Answer: The first example in the rules file documentation shows how to - do port forwarding under Shorewall. The format of a port-forwarding -rule to a local system is as follows:

- -
+ do port forwarding under Shorewall. The format of a port-forwarding + rule to a local system is as follows:

+ +
- - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + - - + +
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIG. DEST.
DNATnetloc:<local IP address>[:<local -port>]<protocol><port #>
-

-
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIG. DEST.
DNATnetloc:<local IP address>[:<local + port>]<protocol><port #>
+

+
-
- +
+

So to forward UDP port 7777 to internal system 192.168.1.5, - the rule is:

- -
+ the rule is:

+ +
- - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + - - + +
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIG. DEST.
DNATnetloc:192.168.1.5udp7777
-

-
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIG. DEST.
DNATnetloc:192.168.1.5udp7777
+

+
-
- -
+
+ +
     DNAT net loc:192.168.1.5 udp 7777
-
- + +

If you want to forward requests directed to a particular address ( <external IP> ) on your firewall to an internal system:

- -
+ +
- - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + - - + +
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIG. DEST.
DNATnetloc:<local IP address>[:<local -port>]<protocol><port #>-<external IP>
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIG. DEST.
DNATnetloc:<local IP address>[:<local + port>]<protocol><port #>-<external IP>
-
- +
+

1a. Ok -- I followed those instructions - but it doesn't work

- + but it doesn't work +

Answer: That is usually the result of one of two things:

- + - +

1b. I'm still having problems with port - forwarding

- Answer: To further diagnose this problem:
- - + + + +
    +
  • The /etc/shorewall/blacklist file now contains three + columns. In addition to the SUBNET/ADDRESS column, there are optional + PROTOCOL and PORT columns to block only certain applications from +the blacklisted addresses.
    +
  • + +
+ +

9/11/2002 - Debian 1.3.7c Packages Available

+

Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.

- +

9/2/2002 - Shorewall 1.3.7c

- -

This is a role up of a fix for "DNAT" rules where the source zone is $FW - (fw).

- + +

This is a role up of a fix for "DNAT" rules where the source zone is $FW + (fw).

+

8/31/2002 - I'm not available

- -

I'm currently on vacation  -- please respect my need for a couple of - weeks free of Shorewall problem reports.

- + +

I'm currently on vacation  -- please respect my need for a couple of +weeks free of Shorewall problem reports.

+

-Tom

- +

8/26/2002 - Shorewall 1.3.7b

- -

This is a role up of the "shorewall refresh" bug fix and the change which - reverses the order of "dhcp" and "norfc1918" checking.

- + +

This is a role up of the "shorewall refresh" bug fix and the change which + reverses the order of "dhcp" and "norfc1918" checking.

+

8/26/2002 - French FTP Mirror is Operational

- +

ftp://france.shorewall.net/pub/mirrors/shorewall - is now available.

- + href="ftp://france.shorewall.net/pub/mirrors/shorewall">ftp://france.shorewall.net/pub/mirrors/shorewall + is now available.

+

8/25/2002 - Shorewall Mirror in France

- -

Thanks to a Shorewall user in Paris, the Shorewall web site is now mirrored - at http://france.shorewall.net.

- + +

Thanks to a Shorewall user in Paris, the Shorewall web site is now mirrored + at http://france.shorewall.net.

+

8/25/2002 - Shorewall 1.3.7a Debian Packages Available

- -

Lorenzo Martignoni reports that the packages for version 1.3.7a are available - at http://security.dsi.unimi.it/~lorenzo/debian.html.

- -

8/22/2002 - Shorewall 1.3.7 Wins a Brown Paper Bag Award for its Author - -- Shorewall 1.3.7a releasedLorenzo Martignoni reports that the packages for version 1.3.7a are available + at http://security.dsi.unimi.it/~lorenzo/debian.html.

+ +

8/22/2002 - Shorewall 1.3.7 Wins a Brown Paper Bag Award for its Author + -- Shorewall 1.3.7a released -

- -

1.3.7a corrects problems occurring in rules file processing when starting - Shorewall 1.3.7.

- +

+ +

1.3.7a corrects problems occurring in rules file processing when starting + Shorewall 1.3.7.

+

8/22/2002 - Shorewall 1.3.7 Released 8/13/2002

- +

Features in this release include:

- +
    -
  • The 'icmp.def' file is now empty! The rules in that - file were required in ipchains firewalls but are not required +
  • The 'icmp.def' file is now empty! The rules in +that file were required in ipchains firewalls but are not required in Shorewall. Users who have ALLOWRELATED=No in shorewall.conf should see the Upgrade Issues.
  • -
  • A 'FORWARDPING' option has been added to shorewall.conf. The effect of setting - this variable to Yes is the same as the effect of adding an ACCEPT - rule for ICMP echo-request in /etc/shorewall/icmpdef. Users - who have such a rule in icmpdef are encouraged to switch to FORWARDPING=Yes.
  • -
  • The loopback CLASS A Network (127.0.0.0/8) has been - added to the rfc1918 file.
  • -
  • Shorewall now works with iptables 1.2.7
  • -
  • The documentation and web site no longer uses FrontPage +
  • A 'FORWARDPING' option has been added to shorewall.conf. The effect of setting + this variable to Yes is the same as the effect of adding an +ACCEPT rule for ICMP echo-request in /etc/shorewall/icmpdef. Users + who have such a rule in icmpdef are encouraged to switch to FORWARDPING=Yes.
  • +
  • The loopback CLASS A Network (127.0.0.0/8) has +been added to the rfc1918 file.
  • +
  • Shorewall now works with iptables 1.2.7
  • +
  • The documentation and web site no longer uses FrontPage themes.
  • - -
- -

I would like to thank John Distler for his valuable input regarding TCP - SYN and ICMP treatment in Shorewall. That input has led to marked - improvement in Shorewall in the last two releases.

- -

8/13/2002 - Documentation in the CVS Repository

- -

The Shorewall-docs project now contains just the HTML and image files - -the Frontpage files have been removed.

- -

8/7/2002 - STABLE branch added to CVS Repository

- -

This branch will only be updated after I release a new version of Shorewall - so you can always update from this branch to get the latest stable - tree.

- -

8/7/2002 - Upgrade Issues section added - to the Errata Page

- -

Now there is one place to go to look for issues involved with upgrading - to recent versions of Shorewall.

- -

8/7/2002 - Shorewall 1.3.6

- -

This is primarily a bug-fix rollup with a couple of new features:

- - -

7/30/2002 - Shorewall 1.3.5b Released

- -

This interim release:

- -
    -
  • Causes the firewall script to remove the lock file - if it is killed.
  • -
  • Once again allows lists in the second column of -the /etc/shorewall/hosts file.
  • -
  • Includes the latest QuickStart Guides.
  • - -
- -

7/29/2002 - New Shorewall Setup Guide Available

- -

The first draft of this guide is available at http://www.shorewall.net/shorewall_setup_guide.htm. - The guide is intended for use by people who are setting up Shorewall - to manage multiple public IP addresses and by people who want to -learn more about Shorewall than is described in the single-address -guides. Feedback on the new guide is welcome.

- -

7/28/2002 - Shorewall 1.3.5 Debian Package Available

- -

Lorenzo Martignoni reports that the packages are version 1.3.5a and are - available at http://security.dsi.unimi.it/~lorenzo/debian.html.

- -

7/27/2002 - Shorewall 1.3.5a Released

- -

This interim release restores correct handling of REDIRECT rules.

- -

7/26/2002 - Shorewall 1.3.5 Released

- -

This will be the last Shorewall release for a while. I'm going to be - focusing on rewriting a lot of the documentation.

- -

 In this version:

- -
    -
  • Empty and invalid source and destination qualifiers - are now detected in the rules file. It is a good idea to use -the 'shorewall check' command before you issue a 'shorewall restart' - command be be sure that you don't have any configuration problems - that will prevent a successful restart.
  • -
  • Added MERGE_HOSTS variable in shorewall.conf to provide saner behavior - of the /etc/shorewall/hosts file.
  • -
  • The time that the counters were last reset is now - displayed in the heading of the 'status' and 'show' commands.
  • -
  • A proxyarp option has been added for entries - in /etc/shorewall/interfaces. - This option facilitates Proxy ARP sub-netting as described in the - Proxy ARP subnetting mini-HOWTO (http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/). - Specifying the proxyarp option for an interface causes Shorewall - to set /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
  • -
  • The Samples have been updated to reflect the new -capabilities in this release.
  • - -
- -

7/16/2002 - New Mirror in Argentina

- -

Thanks to Arturo "Buanzo" Busleiman, there is now a Shorewall mirror in - Argentina. Thanks Buanzo!!!

- -

7/16/2002 - Shorewall 1.3.4 Released

- -

In this version:

- -
    -
  • A new - /etc/shorewall/routestopped file has been added. This file -is intended to eventually replace the routestopped option - in the /etc/shorewall/interface and /etc/shorewall/hosts files. -This new file makes remote firewall administration easier by allowing - any IP or subnet to be enabled while Shorewall is stopped.
  • -
  • An /etc/shorewall/stopped extension script has been added. - This script is invoked after Shorewall has stopped.
  • -
  • A DETECT_DNAT_ADDRS option has been added -to /etc/shoreall/shorewall.conf. - When this option is selected, DNAT rules only apply when the destination - address is the external interface's primary IP address.
  • -
  • The QuickStart - Guide has been broken into three guides and has been almost - entirely rewritten.
  • -
  • The Samples have been updated to reflect the new -capabilities in this release.
  • - -
- -

7/8/2002 - Shorewall 1.3.3 Debian Package Available

- -

Lorenzo Marignoni reports that the packages are available at http://security.dsi.unimi.it/~lorenzo/debian.html.

- -

7/6/2002 - Shorewall 1.3.3 Released

- -

In this version:

- -
    -
  • Entries in /etc/shorewall/interface that use the -wildcard character ("+") now have the "multi" option assumed.
  • -
  • The 'rfc1918' chain in the mangle table has been -renamed 'man1918' to make log messages generated from that chain -distinguishable from those generated by the 'rfc1918' chain in -the filter table.
  • -
  • Interface names appearing in the hosts file are -now validated against the interfaces file.
  • -
  • The TARGET column in the rfc1918 file is now checked - for correctness.
  • -
  • The chain structure in the nat table has been changed - to reduce the number of rules that a packet must traverse and -to correct problems with NAT_BEFORE_RULES=No
  • -
  • The "hits" command has been enhanced.
  • - -
- -

6/25/2002 - Samples Updated for 1.3.2

- -

The comments in the sample configuration files have been updated to reflect - new features introduced in Shorewall 1.3.2.

- -

6/25/2002 - Shorewall 1.3.1 Debian Package Available

- -

Lorenzo Marignoni reports that the package is available at http://security.dsi.unimi.it/~lorenzo/debian.html.

- -

6/19/2002 - Documentation Available in PDF Format

- -

Thanks to Mike Martinez, the Shorewall Documentation is now available for - download in Adobe - PDF format.

- -

6/16/2002 - Shorewall 1.3.2 Released

- -

In this version:

- - - -

6/6/2002 - Why CVS Web access is Password Protected

- -

Last weekend, I installed the CVS Web package to provide brower-based access - to the Shorewall CVS repository. Since then, I have had several instances -where my server was almost unusable due to the high load generated by website -copying tools like HTTrack and WebStripper. These mindless tools:

- -
    -
  • Ignore robot.txt files.
  • -
  • Recursively copy everything that they find.
  • -
  • Should be classified as weapons rather than tools.
  • - -
- -

These tools/weapons are particularly damaging when combined with CVS Web - because they doggedly follow every link in the cgi-generated HTML - resulting in 1000s of executions of the cvsweb.cgi script. Yesterday, - I spend several hours implementing measures to block these tools but - unfortunately, these measures resulted in my server OOM-ing under -even moderate load.

- -

Until I have the time to understand the cause of the OOM (or until I buy - more RAM if that is what is required), CVS Web access will remain - Password Protected.

- -

6/5/2002 - Shorewall 1.3.1 Debian Package Available

- -

Lorenzo Marignoni reports that the package is available at http://security.dsi.unimi.it/~lorenzo/debian.html.

- -

6/2/2002 - Samples Corrected

- -

The 1.3.0 samples configurations had several serious problems that prevented - DNS and SSH from working properly. These problems have been corrected - in the 1.3.1 samples.

- -

6/1/2002 - Shorewall 1.3.1 Released

- -

Hot on the heels of 1.3.0, this release:

- -
    -
  • Corrects a serious problem with "all <zone> - CONTINUE" policies. This problem is present in all versions of - Shorewall that support the CONTINUE policy. These previous versions - optimized away the "all2<zone>" chain and replaced it - with the "all2all" chain with the usual result that a policy of REJECT - was enforced rather than the intended CONTINUE policy.
  • -
  • Adds an /etc/shorewall/rfc1918 - file for defining the exact behavior of the 'norfc1918' interface option.
  • - -
- -

5/29/2002 - Shorewall 1.3.0 Released

- -

In addition to the changes in Beta 1, Beta 2 and RC1, Shorewall 1.3.0 - includes:

- -
    -
  • A 'filterping' interface option that allows ICMP -echo-request (ping) requests addressed to the firewall to be handled -by entries in /etc/shorewall/rules and /etc/shorewall/policy.
  • - -
- -

5/23/2002 - Shorewall 1.3 RC1 Available

- -

In addition to the changes in Beta 1 and Beta 2, RC1 (Version 1.2.92) - incorporates the following:

- -
    -
  • Support for the /etc/shorewall/whitelist file has - been withdrawn. If you need whitelisting, see these instructions.
  • - -
- -

5/19/2002 - Shorewall 1.3 Beta 2 Available

- -

In addition to the changes in Beta 1, this release which carries the - designation 1.2.91 adds:

- -
    -
  • The structure of the firewall is changed markedly. - There is now an INPUT and a FORWARD chain for each interface; this - reduces the number of rules that a packet must traverse, especially - in complicated setups.
  • -
  • Sub-zones may - now be excluded from DNAT and REDIRECT rules.
  • -
  • The names of the columns in a number of the configuration - files have been changed to be more consistent and self-explanatory - and the documentation has been updated accordingly.
  • -
  • The sample configurations have been updated for -1.3.
  • - -
- -

5/17/2002 - Shorewall 1.3 Beta 1 Available

- -

Beta 1 carries the version designation 1.2.90 and implements the following - features:

- -
    -
  • Simplified rule syntax which makes the intent of -each rule clearer and hopefully makes Shorewall easier to learn.
  • -
  • Upward compatibility with 1.2 configuration files - has been maintained so that current users can migrate to the -new syntax at their convenience.
  • -
  • WARNING:  Compatibility -with the old parameterized sample configurations has NOT been maintained. - Users still running those configurations should migrate to the - new sample configurations before upgrading to 1.3 Beta 1.
  • - -
- -

5/4/2002 - Shorewall 1.2.13 is Available

- -

In this version:

- - - -

4/30/2002 - Shorewall Debian News

- -

Lorenzo Marignoni reports that Shorewall 1.2.12 is now in both the Debian -Testing Branch and the Debian -Unstable Branch.

- -

4/20/2002 - Shorewall 1.2.12 is Available

- -
    -
  • The 'try' command works again
  • -
  • There is now a single RPM that also works with SuSE.
  • - -
- -

4/17/2002 - Shorewall Debian News

- -

Lorenzo Marignoni reports that:

- - - -

Thanks, Lorenzo!

- -

4/16/2002 - Shorewall 1.2.11 RPM Available for SuSE

- -

Thanks to Stefan Mohr, there - is now a Shorewall 1.2.11 - SuSE RPM available.

- -

4/13/2002 - Shorewall 1.2.11 Available

- -

In this version:

- -
    -
  • The 'try' command now accepts an optional timeout. - If the timeout is given in the command, the standard configuration - will automatically be restarted after the new configuration has -been running for that length of time. This prevents a remote admin -from being locked out of the firewall in the case where the new configuration - starts but prevents access.
  • -
  • Kernel route filtering may now be enabled globally - using the new ROUTE_FILTER parameter in /etc/shorewall/shorewall.conf.
  • -
  • Individual IP source addresses and/or subnets may - now be excluded from masquerading/SNAT.
  • -
  • Simple "Yes/No" and "On/Off" values are now case-insensitive - in /etc/shorewall/shorewall.conf.
  • - -
- -

4/13/2002 - Hamburg Mirror now has FTP

- -

Stefan now has an FTP mirror at ftp://germany.shorewall.net/pub/shorewall.  - Thanks Stefan!

- -

4/12/2002 - New Mirror in Hamburg

- -

Thanks to Stefan Mohr, there - is now a mirror of the Shorewall website at http://germany.shorewall.net.

- -

4/10/2002 - Shorewall QuickStart Guide Version 1.1 Available

- -

Version 1.1 of the QuickStart - Guide is now available. Thanks to those who have read version - 1.0 and offered their suggestions. Corrections have also been made - to the sample scripts.

- -

4/9/2002 - Shorewall QuickStart Guide Version 1.0 Available

- -

Version 1.0 of the QuickStart - Guide is now available. This Guide and its accompanying sample - configurations are expected to provide a replacement for the recently - withdrawn parameterized samples.

- -

4/8/2002 - Parameterized Samples Withdrawn

- -

Although the parameterized - samples have allowed people to get a firewall up and running - quickly, they have unfortunately set the wrong level of expectation - among those who have used them. I am therefore withdrawing support - for the samples and I am recommending that they not be used in new -Shorewall installations.

- -

4/2/2002 - Updated Log Parser

- -

John Lodge has provided an updated - version of his CGI-based log parser - with corrected date handling.

- -

3/30/2002 - Shorewall Website Search Improvements

- -

The quick search on the home page now excludes the mailing list archives. - The Extended Search allows excluding - the archives or restricting the search to just the archives. An archive - search form is also available on the mailing - list information page.

- -

3/28/2002 - Debian Shorewall News (From Lorenzo Martignoni)

- - - -

3/25/2002 - Log Parser Available

- -

John Lodge has provided a CGI-based log parser for Shorewall. Thanks - John.

- -

3/20/2002 - Shorewall 1.2.10 Released

- -

In this version:

- -
    -
  • A "shorewall try" command has been added (syntax: - shorewall try <configuration directory>). This - command attempts "shorewall -c <configuration directory> - start" and if that results in the firewall being stopped due to an - error, a "shorewall start" command is executed. The 'try' command - allows you to create a new configuration - and attempt to start it; if there is an error that leaves your -firewall in the stopped state, it will automatically be restarted using - the default configuration (in /etc/shorewall).
  • -
  • A new variable ADD_SNAT_ALIASES has been added to - /etc/shorewall/shorewall.conf. - If this variable is set to "Yes", Shorewall will automatically - add IP addresses listed in the third column of the /etc/shorewall/masq file.
  • -
  • Copyright notices have been added to the documenation.
  • - -
- -

3/11/2002 - Shorewall 1.2.9 Released

- -

In this version:

- - - -

3/1/2002 - 1.2.8 Debian Package is Available

- -

See http://security.dsi.unimi.it/~lorenzo/debian.html

- -

2/25/2002 - New Two-interface Sample

- -

I've enhanced the two interface sample to allow access from the firewall - to servers in the local zone - - http://www.shorewall.net/pub/shorewall/LATEST.samples/two-interfaces.tgz

- -

2/23/2002 - Shorewall 1.2.8 Released

- -

Do to a serious problem with 1.2.7, I am releasing 1.2.8. It corrects - problems associated with the lock file used to prevent multiple state-changing - operations from occuring simultaneously. My apologies for any inconvenience - my carelessness may have caused.

- -

2/22/2002 - Shorewall 1.2.7 Released

- -

In this version:

- -
    -
  • UPnP probes (UDP destination port 1900) are now -silently dropped in the common chain
  • -
  • RFC 1918 checking in the mangle table has been streamlined - to no longer require packet marking. RFC 1918 checking in the filter - table has been changed to require half as many rules as previously.
  • -
  • A 'shorewall check' command has been added that -does a cursory validation of the zones, interfaces, hosts, rules -and policy files.
  • - -
- -

2/18/2002 - 1.2.6 Debian Package is Available

- -

See http://security.dsi.unimi.it/~lorenzo/debian.html

- -

2/8/2002 - Shorewall 1.2.6 Released

- -

In this version:

- -
    -
  • $-variables may now be used anywhere in the configuration - files except /etc/shorewall/zones.
  • -
  • The interfaces and hosts files now have their contents - validated before any changes are made to the existing Netfilter - configuration. The appearance of a zone name that isn't defined -in /etc/shorewall/zones causes "shorewall start" and "shorewall restart" - to abort without changing the Shorewall state. Unknown options in -either file cause a warning to be issued.
  • -
  • A problem occurring when BLACKLIST_LOGLEVEL was -not set has been corrected.
  • - -
- -

2/4/2002 - Shorewall 1.2.5 Debian Package Available

- -

see http://security.dsi.unimi.it/~lorenzo/debian.html

- -

2/1/2002 - Shorewall 1.2.5 Released

- -

Due to installation problems with Shorewall 1.2.4, I have released Shorewall - 1.2.5. Sorry for the rapid-fire development.

- -

In version 1.2.5:

- -
    -
  • The installation problems have been corrected.
  • -
  • SNAT is now -supported.
  • -
  • A "shorewall version" command has been added
  • -
  • The default value of the STATEDIR variable in - /etc/shorewall/shorewall.conf has been changed to /var/lib/shorewall -in order to conform to the GNU/Linux File Hierarchy Standard, Version -2.2.
  • - -
- -

1/28/2002 - Shorewall 1.2.4 Released

- -
    -
  • The "fw" zone may -now be given a different name.
  • -
  • You may now place end-of-line comments (preceded -by '#') in any of the configuration files
  • -
  • There is now protection against against two state -changing operations occuring concurrently. This is implemented -using the 'lockfile' utility if it is available (lockfile is part -of procmail); otherwise, a less robust technique is used. The lockfile -is created in the STATEDIR defined in /etc/shorewall/shorewall.conf -and has the name "lock".
  • -
  • "shorewall start" no longer fails if "detect" is - specified in /etc/shorewall/interfaces - for an interface with subnet mask 255.255.255.255.
  • - -
- -

1/27/2002 - Shorewall 1.2.3 Debian Package Available -- see http://security.dsi.unimi.it/~lorenzo/debian.html

- -

1/20/2002 - Corrected firewall script available 

- -

Corrects a problem with BLACKLIST_LOGLEVEL. See the - errata for details.

- -

1/19/2002 - Shorewall 1.2.3 Released

- -

This is a minor feature and bugfix release. The single new feature is:

- -
    -
  • Support for TCP MSS Clamp to PMTU -- This support -is usually required when the internet connection is via PPPoE or -PPTP and may be enabled using the CLAMPMSS option in /etc/shorewall/shorewall.conf.
  • - -
- -

The following problems were corrected:

- -
    -
  • The "shorewall status" command no longer hangs.
  • -
  • The "shorewall monitor" command now displays the -icmpdef chain
  • -
  • The CLIENT PORT(S) column in tcrules is no longer -ignored
  • - -
- -

1/18/2002 - Shorewall 1.2.2 packaged with new LEAF release

- -

Jacques Nilo and Eric Wolzak have released a kernel 2.4.16 LEAF distribution - that includes Shorewall 1.2.2. See http://leaf.sourceforge.net/devel/jnilo - for details.

- -

1/11/2002 - Debian Package (.deb) Now Available - Thanks to Lorenzo Martignoni, a 1.2.2 - Shorewall Debian package is now available. There is a link to Lorenzo's - site from the Shorewall download page.

- -

1/9/2002 - Updated 1.2.2 /sbin/shorewall available - This corrected version restores - the "shorewall status" command to health.

- -

1/8/2002 - Shorewall 1.2.2 Released

- -

In version 1.2.2

- -
    -
  • Support for IP blacklisting has been added - - -
      -
    • You specify whether you want packets from blacklisted - hosts dropped or rejected using the BLACKLIST_DISPOSITION setting - in /etc/shorewall/shorewall.conf
    • -
    • You specify whether you want packets from blacklisted - hosts logged and at what syslog level using the BLACKLIST_LOGLEVEL setting - in /etc/shorewall/shorewall.conf
    • -
    • You list the IP addresses/subnets that you wish -to blacklist in /etc/shorewall/blacklist
    • -
    • You specify the interfaces you want checked against - the blacklist using the new "blacklist" option in - /etc/shorewall/interfaces.
    • -
    • The black list is refreshed from /etc/shorewall/blacklist - by the "shorewall refresh" command.
    • - - -
    -
  • -
  • Use of TCP RST replies has been expanded  - - -
      -
    • TCP connection requests rejected because of a REJECT - policy are now replied with a TCP RST packet.
    • -
    • TCP connection requests rejected because of a protocol=all - rule in /etc/shorewall/rules are now replied with a TCP RST - packet.
    • - - -
    -
  • -
  • A LOGFILE -specification has been added to /etc/shorewall/shorewall.conf. -LOGFILE is used to tell the /sbin/shorewall program where to look -for Shorewall messages.
  • - -
- -

1/5/2002 - New Parameterized Samples (version 1.2.0) released. These are minor updates - to the previously-released samples. There are two new rules added:

- -
    -
  • Unless you have explicitly enabled Auth connections - (tcp port 113) to your firewall, these connections will be REJECTED - rather than DROPPED. This speeds up connection establishment -to some servers.
  • -
  • Orphan DNS replies are now silently dropped.
  • - -
- -

See the README file for upgrade instructions.

- -

1/1/2002 - Shorewall Mailing List Moving

- -

The Shorewall mailing list hosted at - Sourceforge is moving to Shorewall.net. If you are a current -subscriber to the list at Sourceforge, please see these instructions. - If you would like to subscribe to the new list, visit http://www.shorewall.net/mailman/listinfo/shorewall-users.

- -

12/31/2001 - Shorewall 1.2.1 Released

- -

In version 1.2.1:

- - - -

12/21/2001 - Shorewall 1.2.0 Released! - I couldn't resist releasing -1.2 on 12/21/2001

- -

Version 1.2 contains the following new features:

- - - -

For the next month or so, I will continue to provide corrections to version - 1.1.18 as necessary so that current version 1.1.x users will not - be forced into a quick upgrade to 1.2.0 just to have access to bug -fixes.

- -

For those of you who have installed one of the Beta RPMS, you will need - to use the "--oldpackage" option when upgrading to 1.2.0:

- -
-

rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm

-
- -

12/19/2001 - Thanks to Steve - Cowles, there is now a Shorewall mirror in Texas. This web - site is mirrored at http://www.infohiiway.com/shorewall and the ftp site -is at ftp://ftp.infohiiway.com/pub/mirrors/shorewall. 

- -

11/30/2001 - A new set of the parameterized Sample -Configurations has been released. In this version:

- -
    -
  • Ping is now allowed between the zones.
  • -
  • In the three-interface configuration, it is now possible - to configure the internet services that are to be available to - servers in the DMZ. 
  • - -
- -

11/20/2001 - The current version of Shorewall is 1.1.18. 

- -

In this version:

- -
    -
  • The spelling of ADD_IP_ALIASES has been corrected -in the shorewall.conf file
  • -
  • The logic for deleting user-defined chains has been - simplified so that it avoids a bug in the LRP version of the 'cut' - utility.
  • -
  • The /var/lib/lrpkg/shorwall.conf file has been corrected - to properly display the NAT entry in that file.
  • - -
- -

11/19/2001 - Thanks to Juraj - Ontkanin, there is now a Shorewall mirror in the Slovak - Republic. The website is now mirrored at http://www.nrg.sk/mirror/shorewall - and the FTP site is mirrored at ftp://ftp.nrg.sk/mirror/shorewall.

- -

11/2/2001 - Announcing Shorewall Parameter-driven Sample Configurations. - There are three sample configurations:

- -
    -
  • One Interface -- for a standalone system.
  • -
  • Two Interfaces -- A masquerading firewall.
  • -
  • Three Interfaces -- A masquerading firewall with -DMZ.
  • -
+

I would like to thank John Distler for his valuable input regarding TCP + SYN and ICMP treatment in Shorewall. That input has led to marked + improvement in Shorewall in the last two releases.

+ +

8/13/2002 - Documentation in the CVS Repository

+ +

The Shorewall-docs project now contains just the HTML and image files +- the Frontpage files have been removed.

+ +

8/7/2002 - STABLE branch added to CVS Repository

+ +

This branch will only be updated after I release a new version of Shorewall + so you can always update from this branch to get the latest stable + tree.

+ +

8/7/2002 - Upgrade Issues section +added to the Errata Page

+ +

Now there is one place to go to look for issues involved with upgrading + to recent versions of Shorewall.

+ +

8/7/2002 - Shorewall 1.3.6

+ +

This is primarily a bug-fix rollup with a couple of new features:

+ + + +

7/30/2002 - Shorewall 1.3.5b Released

+ +

This interim release:

+ +
    +
  • Causes the firewall script to remove the lock file + if it is killed.
  • +
  • Once again allows lists in the second column of +the /etc/shorewall/hosts file.
  • +
  • Includes the latest QuickStart Guides.
  • + +
+ +

7/29/2002 - New Shorewall Setup Guide Available

+ +

The first draft of this guide is available at http://www.shorewall.net/shorewall_setup_guide.htm. + The guide is intended for use by people who are setting up Shorewall + to manage multiple public IP addresses and by people who want to + learn more about Shorewall than is described in the single-address + guides. Feedback on the new guide is welcome.

+ +

7/28/2002 - Shorewall 1.3.5 Debian Package Available

+ +

Lorenzo Martignoni reports that the packages are version 1.3.5a and are + available at http://security.dsi.unimi.it/~lorenzo/debian.html.

+ +

7/27/2002 - Shorewall 1.3.5a Released

+ +

This interim release restores correct handling of REDIRECT rules.

+ +

7/26/2002 - Shorewall 1.3.5 Released

+ +

This will be the last Shorewall release for a while. I'm going to be +focusing on rewriting a lot of the documentation.

+ +

 In this version:

+ +
    +
  • Empty and invalid source and destination qualifiers + are now detected in the rules file. It is a good idea to use the + 'shorewall check' command before you issue a 'shorewall restart' + command be be sure that you don't have any configuration problems + that will prevent a successful restart.
  • +
  • Added MERGE_HOSTS variable in shorewall.conf to provide saner behavior + of the /etc/shorewall/hosts file.
  • +
  • The time that the counters were last reset is now + displayed in the heading of the 'status' and 'show' commands.
  • +
  • A proxyarp option has been added for entries + in /etc/shorewall/interfaces. + This option facilitates Proxy ARP sub-netting as described in the + Proxy ARP subnetting mini-HOWTO (http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/). + Specifying the proxyarp option for an interface causes Shorewall + to set /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
  • +
  • The Samples have been updated to reflect the new + capabilities in this release.
  • + +
+ +

7/16/2002 - New Mirror in Argentina

+ +

Thanks to Arturo "Buanzo" Busleiman, there is now a Shorewall mirror in + Argentina. Thanks Buanzo!!!

+ +

7/16/2002 - Shorewall 1.3.4 Released

+ +

In this version:

+ +
    +
  • A new + /etc/shorewall/routestopped file has been added. This file is + intended to eventually replace the routestopped option + in the /etc/shorewall/interface and /etc/shorewall/hosts files. + This new file makes remote firewall administration easier by allowing + any IP or subnet to be enabled while Shorewall is stopped.
  • +
  • An /etc/shorewall/stopped extension script has been added. + This script is invoked after Shorewall has stopped.
  • +
  • A DETECT_DNAT_ADDRS option has been added + to /etc/shoreall/shorewall.conf. + When this option is selected, DNAT rules only apply when the +destination address is the external interface's primary IP address.
  • +
  • The QuickStart + Guide has been broken into three guides and has been almost + entirely rewritten.
  • +
  • The Samples have been updated to reflect the new + capabilities in this release.
  • + +
+ +

7/8/2002 - Shorewall 1.3.3 Debian Package Available

+ +

Lorenzo Marignoni reports that the packages are available at http://security.dsi.unimi.it/~lorenzo/debian.html.

+ +

7/6/2002 - Shorewall 1.3.3 Released

+ +

In this version:

+ +
    +
  • Entries in /etc/shorewall/interface that use the + wildcard character ("+") now have the "multi" option assumed.
  • +
  • The 'rfc1918' chain in the mangle table has been + renamed 'man1918' to make log messages generated from that chain + distinguishable from those generated by the 'rfc1918' chain in + the filter table.
  • +
  • Interface names appearing in the hosts file are +now validated against the interfaces file.
  • +
  • The TARGET column in the rfc1918 file is now checked + for correctness.
  • +
  • The chain structure in the nat table has been changed + to reduce the number of rules that a packet must traverse and to + correct problems with NAT_BEFORE_RULES=No
  • +
  • The "hits" command has been enhanced.
  • + +
+ +

6/25/2002 - Samples Updated for 1.3.2

+ +

The comments in the sample configuration files have been updated to reflect + new features introduced in Shorewall 1.3.2.

+ +

6/25/2002 - Shorewall 1.3.1 Debian Package Available

+ +

Lorenzo Marignoni reports that the package is available at http://security.dsi.unimi.it/~lorenzo/debian.html.

+ +

6/19/2002 - Documentation Available in PDF Format

+ +

Thanks to Mike Martinez, the Shorewall Documentation is now available +for download in Adobe PDF format.

+ +

6/16/2002 - Shorewall 1.3.2 Released

+ +

In this version:

+ + + +

6/6/2002 - Why CVS Web access is Password Protected

+ +

Last weekend, I installed the CVS Web package to provide brower-based +access to the Shorewall CVS repository. Since then, I have had several +instances where my server was almost unusable due to the high load generated +by website copying tools like HTTrack and WebStripper. These mindless tools:

+ +
    +
  • Ignore robot.txt files.
  • +
  • Recursively copy everything that they find.
  • +
  • Should be classified as weapons rather than tools.
  • + +
+ +

These tools/weapons are particularly damaging when combined with CVS Web + because they doggedly follow every link in the cgi-generated HTML + resulting in 1000s of executions of the cvsweb.cgi script. Yesterday, + I spend several hours implementing measures to block these tools +but unfortunately, these measures resulted in my server OOM-ing under + even moderate load.

+ +

Until I have the time to understand the cause of the OOM (or until I buy + more RAM if that is what is required), CVS Web access will remain + Password Protected.

+ +

6/5/2002 - Shorewall 1.3.1 Debian Package Available

+ +

Lorenzo Marignoni reports that the package is available at http://security.dsi.unimi.it/~lorenzo/debian.html.

+ +

6/2/2002 - Samples Corrected

+ +

The 1.3.0 samples configurations had several serious problems that prevented + DNS and SSH from working properly. These problems have been corrected + in the 1.3.1 samples.

+ +

6/1/2002 - Shorewall 1.3.1 Released

+ +

Hot on the heels of 1.3.0, this release:

+ +
    +
  • Corrects a serious problem with "all <zone> + CONTINUE" policies. This problem is present in all versions +of Shorewall that support the CONTINUE policy. These previous +versions optimized away the "all2<zone>" chain and +replaced it with the "all2all" chain with the usual result that a +policy of REJECT was enforced rather than the intended CONTINUE policy.
  • +
  • Adds an /etc/shorewall/rfc1918 + file for defining the exact behavior of the 'norfc1918' interface option.
  • + +
+ +

5/29/2002 - Shorewall 1.3.0 Released

+ +

In addition to the changes in Beta 1, Beta 2 and RC1, Shorewall 1.3.0 + includes:

+ +
    +
  • A 'filterping' interface option that allows ICMP + echo-request (ping) requests addressed to the firewall to be +handled by entries in /etc/shorewall/rules and /etc/shorewall/policy.
  • + +
+ +

5/23/2002 - Shorewall 1.3 RC1 Available

+ +

In addition to the changes in Beta 1 and Beta 2, RC1 (Version 1.2.92) + incorporates the following:

+ +
    +
  • Support for the /etc/shorewall/whitelist file has + been withdrawn. If you need whitelisting, see these instructions.
  • + +
+ +

5/19/2002 - Shorewall 1.3 Beta 2 Available

+ +

In addition to the changes in Beta 1, this release which carries the +designation 1.2.91 adds:

+ +
    +
  • The structure of the firewall is changed markedly. + There is now an INPUT and a FORWARD chain for each interface; +this reduces the number of rules that a packet must traverse, +especially in complicated setups.
  • +
  • Sub-zones may + now be excluded from DNAT and REDIRECT rules.
  • +
  • The names of the columns in a number of the configuration + files have been changed to be more consistent and self-explanatory + and the documentation has been updated accordingly.
  • +
  • The sample configurations have been updated for +1.3.
  • + +
+ +

5/17/2002 - Shorewall 1.3 Beta 1 Available

+ +

Beta 1 carries the version designation 1.2.90 and implements the following + features:

+ +
    +
  • Simplified rule syntax which makes the intent of + each rule clearer and hopefully makes Shorewall easier to learn.
  • +
  • Upward compatibility with 1.2 configuration files + has been maintained so that current users can migrate to the new + syntax at their convenience.
  • +
  • WARNING:  Compatibility + with the old parameterized sample configurations has NOT been +maintained. Users still running those configurations should migrate +to the new sample configurations before upgrading to 1.3 Beta +1.
  • + +
+ +

5/4/2002 - Shorewall 1.2.13 is Available

+ +

In this version:

+ + + +

4/30/2002 - Shorewall Debian News

+ +

Lorenzo Marignoni reports that Shorewall 1.2.12 is now in both the +Debian + Testing Branch and the Debian + Unstable Branch.

+ +

4/20/2002 - Shorewall 1.2.12 is Available

+ +
    +
  • The 'try' command works again
  • +
  • There is now a single RPM that also works with +SuSE.
  • + +
+ +

4/17/2002 - Shorewall Debian News

+ +

Lorenzo Marignoni reports that:

+ + + +

Thanks, Lorenzo!

+ +

4/16/2002 - Shorewall 1.2.11 RPM Available for SuSE

+ +

Thanks to Stefan Mohr, there + is now a Shorewall 1.2.11 + SuSE RPM available.

+ +

4/13/2002 - Shorewall 1.2.11 Available

+ +

In this version:

+ +
    +
  • The 'try' command now accepts an optional timeout. + If the timeout is given in the command, the standard configuration + will automatically be restarted after the new configuration has +been running for that length of time. This prevents a remote admin +from being locked out of the firewall in the case where the new configuration + starts but prevents access.
  • +
  • Kernel route filtering may now be enabled globally + using the new ROUTE_FILTER parameter in /etc/shorewall/shorewall.conf.
  • +
  • Individual IP source addresses and/or subnets may + now be excluded from masquerading/SNAT.
  • +
  • Simple "Yes/No" and "On/Off" values are now case-insensitive + in /etc/shorewall/shorewall.conf.
  • + +
+ +

4/13/2002 - Hamburg Mirror now has FTP

+ +

Stefan now has an FTP mirror at ftp://germany.shorewall.net/pub/shorewall.  + Thanks Stefan!

+ +

4/12/2002 - New Mirror in Hamburg

+ +

Thanks to Stefan Mohr, there + is now a mirror of the Shorewall website at http://germany.shorewall.net. +

+ +

4/10/2002 - Shorewall QuickStart Guide Version 1.1 Available

+ +

Version 1.1 of the QuickStart + Guide is now available. Thanks to those who have read version + 1.0 and offered their suggestions. Corrections have also been made + to the sample scripts.

+ +

4/9/2002 - Shorewall QuickStart Guide Version 1.0 Available

+ +

Version 1.0 of the QuickStart + Guide is now available. This Guide and its accompanying sample + configurations are expected to provide a replacement for the recently + withdrawn parameterized samples.

+ +

4/8/2002 - Parameterized Samples Withdrawn

+ +

Although the parameterized + samples have allowed people to get a firewall up and running + quickly, they have unfortunately set the wrong level of expectation + among those who have used them. I am therefore withdrawing support + for the samples and I am recommending that they not be used in new + Shorewall installations.

+ +

4/2/2002 - Updated Log Parser

+ +

John Lodge has provided an updated + version of his CGI-based log +parser with corrected date handling.

+ +

3/30/2002 - Shorewall Website Search Improvements

+ +

The quick search on the home page now excludes the mailing list archives. + The Extended Search allows excluding + the archives or restricting the search to just the archives. An +archive search form is also available on the mailing list information page.

+ +

3/28/2002 - Debian Shorewall News (From Lorenzo Martignoni)

+ + + +

3/25/2002 - Log Parser Available

+ +

John Lodge has provided a CGI-based log parser for Shorewall. Thanks + John.

+ +

3/20/2002 - Shorewall 1.2.10 Released

+ +

In this version:

+ +
    +
  • A "shorewall try" command has been added (syntax: + shorewall try <configuration directory>). This + command attempts "shorewall -c <configuration directory> + start" and if that results in the firewall being stopped due to an + error, a "shorewall start" command is executed. The 'try' command + allows you to create a new configuration + and attempt to start it; if there is an error that leaves your firewall + in the stopped state, it will automatically be restarted using +the default configuration (in /etc/shorewall).
  • +
  • A new variable ADD_SNAT_ALIASES has been added +to /etc/shorewall/shorewall.conf. + If this variable is set to "Yes", Shorewall will automatically + add IP addresses listed in the third column of the /etc/shorewall/masq file.
  • +
  • Copyright notices have been added to the documenation.
  • + +
+ +

3/11/2002 - Shorewall 1.2.9 Released

+ +

In this version:

+ + + +

3/1/2002 - 1.2.8 Debian Package is Available

+ +

See http://security.dsi.unimi.it/~lorenzo/debian.html

+ +

2/25/2002 - New Two-interface Sample

+ +

I've enhanced the two interface sample to allow access from the firewall + to servers in the local zone - + http://www.shorewall.net/pub/shorewall/LATEST.samples/two-interfaces.tgz

+ +

2/23/2002 - Shorewall 1.2.8 Released

+ +

Do to a serious problem with 1.2.7, I am releasing 1.2.8. It corrects + problems associated with the lock file used to prevent multiple state-changing + operations from occuring simultaneously. My apologies for any +inconvenience my carelessness may have caused.

+ +

2/22/2002 - Shorewall 1.2.7 Released

+ +

In this version:

+ +
    +
  • UPnP probes (UDP destination port 1900) are now +silently dropped in the common chain
  • +
  • RFC 1918 checking in the mangle table has been +streamlined to no longer require packet marking. RFC 1918 checking +in the filter table has been changed to require half as many rules +as previously.
  • +
  • A 'shorewall check' command has been added that +does a cursory validation of the zones, interfaces, hosts, rules +and policy files.
  • + +
+ +

2/18/2002 - 1.2.6 Debian Package is Available

+ +

See http://security.dsi.unimi.it/~lorenzo/debian.html

+ +

2/8/2002 - Shorewall 1.2.6 Released

+ +

In this version:

+ +
    +
  • $-variables may now be used anywhere in the configuration + files except /etc/shorewall/zones.
  • +
  • The interfaces and hosts files now have their contents + validated before any changes are made to the existing Netfilter + configuration. The appearance of a zone name that isn't defined + in /etc/shorewall/zones causes "shorewall start" and "shorewall +restart" to abort without changing the Shorewall state. Unknown options +in either file cause a warning to be issued.
  • +
  • A problem occurring when BLACKLIST_LOGLEVEL was +not set has been corrected.
  • + +
+ +

2/4/2002 - Shorewall 1.2.5 Debian Package Available

+ +

see http://security.dsi.unimi.it/~lorenzo/debian.html

+ +

2/1/2002 - Shorewall 1.2.5 Released

+ +

Due to installation problems with Shorewall 1.2.4, I have released Shorewall + 1.2.5. Sorry for the rapid-fire development.

+ +

In version 1.2.5:

+ +
    +
  • The installation problems have been corrected.
  • +
  • SNAT is now +supported.
  • +
  • A "shorewall version" command has been added
  • +
  • The default value of the STATEDIR variable in + /etc/shorewall/shorewall.conf has been changed to /var/lib/shorewall + in order to conform to the GNU/Linux File Hierarchy Standard, +Version 2.2.
  • + +
+ +

1/28/2002 - Shorewall 1.2.4 Released

+ +
    +
  • The "fw" zone may +now be given a different name.
  • +
  • You may now place end-of-line comments (preceded +by '#') in any of the configuration files
  • +
  • There is now protection against against two state + changing operations occuring concurrently. This is implemented + using the 'lockfile' utility if it is available (lockfile is part + of procmail); otherwise, a less robust technique is used. The lockfile + is created in the STATEDIR defined in /etc/shorewall/shorewall.conf + and has the name "lock".
  • +
  • "shorewall start" no longer fails if "detect" is + specified in /etc/shorewall/interfaces + for an interface with subnet mask 255.255.255.255.
  • + +
+ +

1/27/2002 - Shorewall 1.2.3 Debian Package Available -- see http://security.dsi.unimi.it/~lorenzo/debian.html

+ +

1/20/2002 - Corrected firewall script available 

+ +

Corrects a problem with BLACKLIST_LOGLEVEL. See the + errata for details.

+ +

1/19/2002 - Shorewall 1.2.3 Released

+ +

This is a minor feature and bugfix release. The single new feature is:

+ +
    +
  • Support for TCP MSS Clamp to PMTU -- This support + is usually required when the internet connection is via PPPoE +or PPTP and may be enabled using the CLAMPMSS option in /etc/shorewall/shorewall.conf.
  • + +
+ +

The following problems were corrected:

+ +
    +
  • The "shorewall status" command no longer hangs.
  • +
  • The "shorewall monitor" command now displays the +icmpdef chain
  • +
  • The CLIENT PORT(S) column in tcrules is no longer + ignored
  • + +
+ +

1/18/2002 - Shorewall 1.2.2 packaged with new LEAF release

+ +

Jacques Nilo and Eric Wolzak have released a kernel 2.4.16 LEAF distribution + that includes Shorewall 1.2.2. See http://leaf.sourceforge.net/devel/jnilo + for details.

+ +

1/11/2002 - Debian Package (.deb) Now Available - Thanks to Lorenzo Martignoni, a 1.2.2 + Shorewall Debian package is now available. There is a link to Lorenzo's + site from the Shorewall download page.

+ +

1/9/2002 - Updated 1.2.2 /sbin/shorewall available - This corrected version restores + the "shorewall status" command to health.

+ +

1/8/2002 - Shorewall 1.2.2 Released

+ +

In version 1.2.2

+ +
    +
  • Support for IP blacklisting has been added + + +
      +
    • You specify whether you want packets from blacklisted + hosts dropped or rejected using the BLACKLIST_DISPOSITION setting + in /etc/shorewall/shorewall.conf
    • +
    • You specify whether you want packets from blacklisted + hosts logged and at what syslog level using the BLACKLIST_LOGLEVEL setting + in /etc/shorewall/shorewall.conf
    • +
    • You list the IP addresses/subnets that you wish + to blacklist in /etc/shorewall/blacklist
    • +
    • You specify the interfaces you want checked against + the blacklist using the new "blacklist" option in + /etc/shorewall/interfaces.
    • +
    • The black list is refreshed from /etc/shorewall/blacklist + by the "shorewall refresh" command.
    • + + +
    +
  • +
  • Use of TCP RST replies has been expanded  + + +
      +
    • TCP connection requests rejected because of a +REJECT policy are now replied with a TCP RST packet.
    • +
    • TCP connection requests rejected because of a +protocol=all rule in /etc/shorewall/rules are now replied +with a TCP RST packet.
    • + + +
    +
  • +
  • A LOGFILE + specification has been added to /etc/shorewall/shorewall.conf. + LOGFILE is used to tell the /sbin/shorewall program where to look + for Shorewall messages.
  • + +
+ +

1/5/2002 - New Parameterized Samples (version 1.2.0) released. These are minor updates + to the previously-released samples. There are two new rules added:

+ +
    +
  • Unless you have explicitly enabled Auth connections + (tcp port 113) to your firewall, these connections will be REJECTED + rather than DROPPED. This speeds up connection establishment to + some servers.
  • +
  • Orphan DNS replies are now silently dropped.
  • + +
+ +

See the README file for upgrade instructions.

+ +

1/1/2002 - Shorewall Mailing List Moving

+ +

The Shorewall mailing list hosted at + Sourceforge is moving to Shorewall.net. If you are a current + subscriber to the list at Sourceforge, please see these instructions. + If you would like to subscribe to the new list, visit http://www.shorewall.net/mailman/listinfo/shorewall-users.

+ +

12/31/2001 - Shorewall 1.2.1 Released

+ +

In version 1.2.1:

+ + + +

12/21/2001 - Shorewall 1.2.0 Released! - I couldn't resist +releasing 1.2 on 12/21/2001

+ +

Version 1.2 contains the following new features:

+ + + +

For the next month or so, I will continue to provide corrections to version + 1.1.18 as necessary so that current version 1.1.x users will not + be forced into a quick upgrade to 1.2.0 just to have access to bug +fixes.

+ +

For those of you who have installed one of the Beta RPMS, you will need + to use the "--oldpackage" option when upgrading to 1.2.0:

+ +
+

rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm

+
+ +

12/19/2001 - Thanks to Steve + Cowles, there is now a Shorewall mirror in Texas. This web + site is mirrored at http://www.infohiiway.com/shorewall and the ftp site is +at ftp://ftp.infohiiway.com/pub/mirrors/shorewall. 

+ + +

11/30/2001 - A new set of the parameterized Sample + Configurations has been released. In this version:

+ +
    +
  • Ping is now allowed between the zones.
  • +
  • In the three-interface configuration, it is now +possible to configure the internet services that are to be available +to servers in the DMZ. 
  • + +
+ +

11/20/2001 - The current version of Shorewall is 1.1.18. 

+ +

In this version:

+ +
    +
  • The spelling of ADD_IP_ALIASES has been corrected + in the shorewall.conf file
  • +
  • The logic for deleting user-defined chains has been + simplified so that it avoids a bug in the LRP version of the +'cut' utility.
  • +
  • The /var/lib/lrpkg/shorwall.conf file has been corrected + to properly display the NAT entry in that file.
  • + +
+ + +

11/19/2001 - Thanks to Juraj + Ontkanin, there is now a Shorewall mirror in the Slovak + Republic. The website is now mirrored at http://www.nrg.sk/mirror/shorewall + and the FTP site is mirrored at ftp://ftp.nrg.sk/mirror/shorewall.

+ +

11/2/2001 - Announcing Shorewall Parameter-driven Sample Configurations. + There are three sample configurations:

+ +
    +
  • One Interface -- for a standalone system.
  • +
  • Two Interfaces -- A masquerading firewall.
  • +
  • Three Interfaces -- A masquerading firewall with +DMZ.
  • + +
+

Samples may be downloaded from ftp://ftp.shorewall.net/pub/shorewall/samples-1.1.17 + href="ftp://ftp.shorewall.net/pub/shorewall/samples-1.1.17"> ftp://ftp.shorewall.net/pub/shorewall/samples-1.1.17 . See the README file for instructions.

- -

11/1/2001 - The current version of Shorewall is 1.1.17.  I intend + +

11/1/2001 - The current version of Shorewall is 1.1.17.  I intend this to be the last of the 1.1 Shorewall releases.

- +

In this version:

- + - -

10/22/2001 - The current version of Shorewall is 1.1.16. In this + +

10/22/2001 - The current version of Shorewall is 1.1.16. In this version:

- +
    -
  • A new "shorewall show connections" command has been - added.
  • -
  • In the "shorewall monitor" output, the currently +
  • A new "shorewall show connections" command has been + added.
  • +
  • In the "shorewall monitor" output, the currently tracked connections are now shown on a separate page.
  • -
  • Prior to this release, Shorewall unconditionally -added the external IP adddress(es) specified in /etc/shorewall/nat. +
  • Prior to this release, Shorewall unconditionally +added the external IP adddress(es) specified in /etc/shorewall/nat. Beginning with version 1.1.16, a new parameter (ADD_IP_ALIASES) may be set - to "no" (or "No") to inhibit this behavior. This allows IP aliases - created using your distribution's network configuration tools + href="Documentation.htm#Aliases">ADD_IP_ALIASES) may be set + to "no" (or "No") to inhibit this behavior. This allows IP aliases + created using your distribution's network configuration tools to be used in static NAT. 
  • - +
- -

10/15/2001 - The current version of Shorewall is 1.1.15. In this + +

10/15/2001 - The current version of Shorewall is 1.1.15. In this version:

+ +
    +
  • Support for nested zones has been improved. See + the documentation for details
  • +
  • Shorewall now correctly checks the alternate configuration + directory for the 'zones' file.
  • + +
+ +

10/4/2001 - The current version of Shorewall is 1.1.14. In this + version

    -
  • Support for nested zones has been improved. See the documentation for details
  • -
  • Shorewall now correctly checks the alternate configuration - directory for the 'zones' file.
  • - -
- -

10/4/2001 - The current version of Shorewall is 1.1.14. In this - version

- -
    -
  • Shorewall now supports alternate configuration directories. - When an alternate directory is specified when starting or restarting - Shorewall (e.g., "shorewall -c /etc/testconf restart"), Shorewall - will first look for configuration files in the alternate directory - then in /etc/shorewall. To create an alternate configuration simply:
    - 1. Create a New Directory
    - 2. Copy to that directory any of your configuration -files that you want to change.
    - 3. Modify the copied files as needed.
    - 4. Restart Shorewall specifying the new directory.
  • -
  • The rules for allowing/disallowing icmp echo-requests - (pings) are now moved after rules created when processing the -rules file. This allows you to add rules that selectively allow/deny -ping based on source or destination address.
  • -
  • Rules that specify multiple client ip addresses or - subnets no longer cause startup failures.
  • -
  • Zone names in the policy file are now validated against - the zones file.
  • -
  • If you have packet mangling support - enabled, the "norfc1918" - interface option now logs and drops any incoming packets on the interface +
  • Shorewall now supports alternate configuration directories. + When an alternate directory is specified when starting or restarting + Shorewall (e.g., "shorewall -c /etc/testconf restart"), Shorewall + will first look for configuration files in the alternate directory + then in /etc/shorewall. To create an alternate configuration simply:
    + 1. Create a New Directory
    + 2. Copy to that directory any of your configuration + files that you want to change.
    + 3. Modify the copied files as needed.
    + 4. Restart Shorewall specifying the new directory.
  • +
  • The rules for allowing/disallowing icmp echo-requests + (pings) are now moved after rules created when processing the + rules file. This allows you to add rules that selectively allow/deny + ping based on source or destination address.
  • +
  • Rules that specify multiple client ip addresses +or subnets no longer cause startup failures.
  • +
  • Zone names in the policy file are now validated +against the zones file.
  • +
  • If you have packet mangling support + enabled, the "norfc1918" + interface option now logs and drops any incoming packets on the interface that have an RFC 1918 destination address.
  • - +
- -

9/12/2001 - The current version of Shorewall is 1.1.13. In this - version

- + +

9/12/2001 - The current version of Shorewall is 1.1.13. In this + version

+
    -
  • Shell variables can now be used to parameterize Shorewall - rules.
  • -
  • The second column in the hosts file may now contain - a comma-separated list.
    -
    - Example:
    -     sea    eth0:130.252.100.0/24,206.191.149.0/24
  • -
  • Handling of multi-zone interfaces has been improved. - See the documentation - for the /etc/shorewall/interfaces file.
  • - +
  • Shell variables can now be used to parameterize +Shorewall rules.
  • +
  • The second column in the hosts file may now contain + a comma-separated list.
    +
    + Example:
    +     sea    eth0:130.252.100.0/24,206.191.149.0/24
  • +
  • Handling of multi-zone interfaces has been improved. + See the documentation + for the /etc/shorewall/interfaces file.
  • +
- -

8/28/2001 - The current version of Shorewall is 1.1.12. In this - version

- + +

8/28/2001 - The current version of Shorewall is 1.1.12. In this + version

+
    -
  • Several columns in the rules file may now contain -comma-separated lists.
  • -
  • Shorewall is now more rigorous in parsing the options - in /etc/shorewall/interfaces.
  • -
  • Complementation using "!" is now supported in rules.
  • - +
  • Several columns in the rules file may now contain + comma-separated lists.
  • +
  • Shorewall is now more rigorous in parsing the options + in /etc/shorewall/interfaces.
  • +
  • Complementation using "!" is now supported in rules.
  • +
- -

7/28/2001 - The current version of Shorewall is 1.1.11. In this - version

- + +

7/28/2001 - The current version of Shorewall is 1.1.11. In this + version

+
    -
  • A "shorewall refresh" command has been added to allow - for refreshing the rules associated with the broadcast address on - a dynamic interface. This command should be used in place of -"shorewall restart" when the internet interface's IP address changes.
  • -
  • The /etc/shorewall/start file (if any) is now processed - after all temporary rules have been deleted. This change prevents - the accidental removal of rules added during the processing of - that file.
  • -
  • The "dhcp" interface option is now applicable to +
  • A "shorewall refresh" command has been added to +allow for refreshing the rules associated with the broadcast address +on a dynamic interface. This command should be used in place +of "shorewall restart" when the internet interface's IP address changes.
  • +
  • The /etc/shorewall/start file (if any) is now processed + after all temporary rules have been deleted. This change prevents + the accidental removal of rules added during the processing +of that file.
  • +
  • The "dhcp" interface option is now applicable to firewall interfaces used by a DHCP server running on the firewall.
  • -
  • The RPM can now be built from the .tgz file using -"rpm -tb" 
  • - +
  • The RPM can now be built from the .tgz file using + "rpm -tb" 
  • +
- -

7/6/2001 - The current version of Shorewall is 1.1.10. In this version

- + +

7/6/2001 - The current version of Shorewall is 1.1.10. In this +version

+
    -
  • Shorewall now enables Ipv4 Packet Forwarding by default. - Packet forwarding may be disabled by specifying IP_FORWARD=Off - in /etc/shorewall/shorewall.conf. If you don't want Shorewall -to enable or disable packet forwarding, add IP_FORWARDING=Keep -to your /etc/shorewall/shorewall.conf file.
  • -
  • The "shorewall hits" command no longer lists extraneous - service names in its last report.
  • -
  • Erroneous instructions in the comments at the head +
  • Shorewall now enables Ipv4 Packet Forwarding by +default. Packet forwarding may be disabled by specifying IP_FORWARD=Off + in /etc/shorewall/shorewall.conf. If you don't want Shorewall to + enable or disable packet forwarding, add IP_FORWARDING=Keep to +your /etc/shorewall/shorewall.conf file.
  • +
  • The "shorewall hits" command no longer lists extraneous + service names in its last report.
  • +
  • Erroneous instructions in the comments at the head of the firewall script have been corrected.
  • - +
- -

6/23/2001 - The current version of Shorewall is 1.1.9. In this version

- + +

6/23/2001 - The current version of Shorewall is 1.1.9. In this +version

+
    -
  • The "tunnels" file really is in the RPM now.
  • -
  • SNAT can now be applied to port-forwarded connections.
  • -
  • A bug which would cause firewall start failures in - some dhcp configurations has been fixed.
  • -
  • The firewall script now issues a message if you have - the name of an interface in the second column in an entry in -/etc/shorewall/masq and that interface is not up.
  • -
  • You can now configure Shorewall so that it doesn't require the NAT and/or mangle -netfilter modules.
  • -
  • Thanks to Alex  Polishchuk, the "hits" command - from seawall is now in shorewall.
  • -
  • Support for IPIP tunnels has - been added.
  • - +
  • The "tunnels" file really is in the RPM now.
  • +
  • SNAT can now be applied to port-forwarded connections.
  • +
  • A bug which would cause firewall start failures +in some dhcp configurations has been fixed.
  • +
  • The firewall script now issues a message if you +have the name of an interface in the second column in an entry +in /etc/shorewall/masq and that interface is not up.
  • +
  • You can now configure Shorewall so that it doesn't require the NAT and/or +mangle netfilter modules.
  • +
  • Thanks to Alex  Polishchuk, the "hits" command + from seawall is now in shorewall.
  • +
  • Support for IPIP tunnels +has been added.
  • +
- -

6/18/2001 - The current version of Shorewall is 1.1.8. In this version

- + +

6/18/2001 - The current version of Shorewall is 1.1.8. In this +version

+ - +

6/2/2001 - The current version of Shorewall is 1.1.7. In this version

- +
    -
  • The TOS rules are now deleted when the firewall is - stopped.
  • -
  • The .rpm will now install regardless of which version - of iptables is installed.
  • -
  • The .rpm will now install without iproute2 being +
  • The TOS rules are now deleted when the firewall +is stopped.
  • +
  • The .rpm will now install regardless of which version + of iptables is installed.
  • +
  • The .rpm will now install without iproute2 being installed.
  • -
  • The documentation has been cleaned up.
  • -
  • The sample configuration files included in Shorewall - have been formatted to 80 columns for ease of editing on a -VGA console.
  • - +
  • The documentation has been cleaned up.
  • +
  • The sample configuration files included in Shorewall + have been formatted to 80 columns for ease of editing on a VGA + console.
  • +
- -

5/25/2001 - The current version of Shorewall is 1.1.6. In this version

- + +

5/25/2001 - The current version of Shorewall is 1.1.6. In this +version

+
    -
  • You may now rate-limit - the packet log.
  • -
  •  Previous - versions of Shorewall have an implementation of Static NAT which - violates the principle of least surprise.  NAT only occurs for -packets arriving at (DNAT) or send from (SNAT) the interface named -in the INTERFACE column of /etc/shorewall/nat. Beginning with version -1.1.6, NAT effective regardless of which interface packets come from -or are destined to. To get compatibility with prior versions, I have -added a new "ALL "ALL INTERFACES"  column -to /etc/shorewall/nat. By placing "no" or "No" in the new column, - the NAT behavior of prior versions may be retained. 
  • -
  • The treatment of IPSEC - Tunnels where the remote gateway is a standalone system has been - improved. Previously, it was necessary to include an additional - rule allowing UDP port 500 traffic to pass through the tunnel. -Shorewall will now create this rule automatically when you place -the name of the remote peer's zone in a new GATEWAY ZONE column in -/etc/shorewall/tunnels. 
  • - +
  • You may now +rate-limit the packet log.
  • +
  •  Previous + versions of Shorewall have an implementation of Static NAT which + violates the principle of least surprise.  NAT only occurs for + packets arriving at (DNAT) or send from (SNAT) the interface named + in the INTERFACE column of /etc/shorewall/nat. Beginning with version + 1.1.6, NAT effective regardless of which interface packets come +from or are destined to. To get compatibility with prior versions, +I have added a new "ALL "ALL INTERFACES"  +column to /etc/shorewall/nat. By placing "no" or "No" in the +new column, the NAT behavior of prior versions may be retained. 
  • +
  • The treatment of IPSEC Tunnels where the remote +gateway is a standalone system has been improved. Previously, + it was necessary to include an additional rule allowing UDP port +500 traffic to pass through the tunnel. Shorewall will now create + this rule automatically when you place the name of the remote peer's + zone in a new GATEWAY ZONE column in /etc/shorewall/tunnels. 
  • +
- -

5/20/2001 - The current version of Shorewall is 1.1.5. In this version

- + +

5/20/2001 - The current version of Shorewall is 1.1.5. In this +version

+ - -

5/10/2001 - The current version of Shorewall is 1.1.4. In this version

- + +

5/10/2001 - The current version of Shorewall is 1.1.4. In this +version

+
    -
  • Accepting RELATED - connections is now optional.
  • -
  • Corrected problem where if "shorewall start" aborted - early (due to kernel configuration errors for example), superfluous +
  • Accepting RELATED + connections is now optional.
  • +
  • Corrected problem where if "shorewall start" aborted + early (due to kernel configuration errors for example), superfluous 'sed' error messages were reported.
  • -
  • Corrected rules generated for port redirection.
  • -
  • The order in which iptables kernel modules are loaded - has been corrected (Thanks to Mark Pavlidis). 
  • - +
  • Corrected rules generated for port redirection.
  • +
  • The order in which iptables kernel modules are loaded + has been corrected (Thanks to Mark Pavlidis). 
  • +
- -

4/28/2001 - The current version of Shorewall is 1.1.3. In this version

- + +

4/28/2001 - The current version of Shorewall is 1.1.3. In this +version

+
    -
  • Correct message issued when Proxy ARP address added - (Thanks to Jason Kirtland).
  • -
  • /tmp/shorewallpolicy-$$ is now removed if there is - an error while starting the firewall.
  • -
  • /etc/shorewall/icmp.def and /etc/shorewall/common.def - are now used to define the icmpdef and common chains unless overridden - by the presence of /etc/shorewall/icmpdef or /etc/shorewall/common.
  • -
  • In the .lrp, the file /var/lib/lrpkg/shorwall.conf - has been corrected. An extra space after "/etc/shorwall/policy" -has been removed and "/etc/shorwall/rules" has been added.
  • -
  • When a sub-shell encounters a fatal error and has -stopped the firewall, it now kills the main shell so that the main -shell will not continue.
  • -
  • A problem has been corrected where a sub-shell stopped - the firewall and main shell continued resulting in a perplexing +
  • Correct message issued when Proxy ARP address added + (Thanks to Jason Kirtland).
  • +
  • /tmp/shorewallpolicy-$$ is now removed if there +is an error while starting the firewall.
  • +
  • /etc/shorewall/icmp.def and /etc/shorewall/common.def + are now used to define the icmpdef and common chains unless overridden + by the presence of /etc/shorewall/icmpdef or /etc/shorewall/common.
  • +
  • In the .lrp, the file /var/lib/lrpkg/shorwall.conf + has been corrected. An extra space after "/etc/shorwall/policy" has + been removed and "/etc/shorwall/rules" has been added.
  • +
  • When a sub-shell encounters a fatal error and has + stopped the firewall, it now kills the main shell so that the main + shell will not continue.
  • +
  • A problem has been corrected where a sub-shell stopped + the firewall and main shell continued resulting in a perplexing error message referring to "common.so" resulted.
  • -
  • Previously, placing "-" in the PORT(S) column in - /etc/shorewall/rules resulted in an error message during start. -This has been corrected.
  • -
  • The first line of "install.sh" has been corrected --- I had inadvertently deleted the initial "#".
  • - -
+
  • Previously, placing "-" in the PORT(S) column in + /etc/shorewall/rules resulted in an error message during start. This + has been corrected.
  • +
  • The first line of "install.sh" has been corrected + -- I had inadvertently deleted the initial "#".
  • + + + +

    4/12/2001 - The current version of Shorewall is 1.1.2. In this +version

    -

    4/12/2001 - The current version of Shorewall is 1.1.2. In this version

    -
      -
    • Port redirection now works again.
    • -
    • The icmpdef and common chains Port redirection now works again.
    • +
    • The icmpdef and common chains may now be user-defined.
    • -
    • The firewall no longer fails to start if "routefilter" - is specified for an interface that isn't started. A warning message - is now issued in this case.
    • -
    • The LRP Version is renamed "shorwall" for 8,3 MSDOS - file system compatibility.
    • -
    • A couple of LRP-specific problems were corrected.
    • - -
    +
  • The firewall no longer fails to start if "routefilter" + is specified for an interface that isn't started. A warning message + is now issued in this case.
  • +
  • The LRP Version is renamed "shorwall" for 8,3 MSDOS + file system compatibility.
  • +
  • A couple of LRP-specific problems were corrected.
  • + +

    4/8/2001 - Shorewall is now affiliated with the Leaf Project -

    - +

    +

    4/5/2001 - The current version of Shorewall is 1.1.1. In this version:

    - +
      -
    • The common chain is traversed from INPUT, OUTPUT +
    • The common chain is traversed from INPUT, OUTPUT and FORWARD before logging occurs
    • -
    • The source has been cleaned up dramatically
    • -
    • DHCP DISCOVER packets with RFC1918 source addresses - no longer generate log messages. Linux DHCP clients generate such - packets and it's annoying to see them logged. 
    • - -
    +
  • The source has been cleaned up dramatically
  • +
  • DHCP DISCOVER packets with RFC1918 source addresses + no longer generate log messages. Linux DHCP clients generate +such packets and it's annoying to see them logged. 
  • + +

    3/25/2001 - The current version of Shorewall is 1.1.0. In this version:

    - +
      -
    • Log messages now indicate the packet disposition.
    • -
    • Error messages have been improved.
    • -
    • The ability to define zones consisting of an enumerated - set of hosts and/or subnetworks has been added.
    • -
    • The zone-to-zone chain matrix is now sparse so that - only those chains that contain meaningful rules are defined.
    • -
    • 240.0.0.0/4 and 169.254.0.0/16 have been added to -the source subnetworks whose packets are dropped under the norfc1918 +
    • Log messages now indicate the packet disposition.
    • +
    • Error messages have been improved.
    • +
    • The ability to define zones consisting of an enumerated + set of hosts and/or subnetworks has been added.
    • +
    • The zone-to-zone chain matrix is now sparse so that + only those chains that contain meaningful rules are defined.
    • +
    • 240.0.0.0/4 and 169.254.0.0/16 have been added to + the source subnetworks whose packets are dropped under the norfc1918 interface option.
    • -
    • Exits are now provided for executing an user-defined - script when a chain is defined, when the firewall is initialized, - when the firewall is started, when the firewall is stopped and +
    • Exits are now provided for executing an user-defined + script when a chain is defined, when the firewall is initialized, + when the firewall is started, when the firewall is stopped and when the firewall is cleared.
    • -
    • The Linux kernel's route filtering facility can now - be specified selectively on network interfaces.
    • - -
    +
  • The Linux kernel's route filtering facility can +now be specified selectively on network interfaces.
  • + +

    3/19/2001 - The current version of Shorewall is 1.0.4. This version:

    - +
      -
    • Allows user-defined zones. Shorewall now has only -one pre-defined zone (fw) with the remaining zones being defined -in the new configuration file /etc/shorewall/zones. The /etc/shorewall/zones - file released in this version provides behavior that is compatible - with Shorewall 1.0.3. 
    • -
    • Adds the ability to specify logging in entries in -the /etc/shorewall/rules file.
    • -
    • Correct handling of the icmp-def chain so that only - ICMP packets are sent through the chain.
    • -
    • Compresses the output of "shorewall monitor" if awk - is installed. Allows the command to work if awk isn't installed -(although it's not pretty).
    • - -
    +
  • Allows user-defined zones. Shorewall now has only + one pre-defined zone (fw) with the remaining zones being defined + in the new configuration file /etc/shorewall/zones. The /etc/shorewall/zones + file released in this version provides behavior that is compatible + with Shorewall 1.0.3. 
  • +
  • Adds the ability to specify logging in entries in + the /etc/shorewall/rules file.
  • +
  • Correct handling of the icmp-def chain so that only + ICMP packets are sent through the chain.
  • +
  • Compresses the output of "shorewall monitor" if +awk is installed. Allows the command to work if awk isn't installed + (although it's not pretty).
  • -

    3/13/2001 - The current version of Shorewall is 1.0.3. This is a bug-fix + + +

    3/13/2001 - The current version of Shorewall is 1.0.3. This is a bug-fix release with no new features.

    - +
      -
    • The PATH variable in the firewall script now includes - /usr/local/bin and /usr/local/sbin.
    • -
    • DMZ-related chains are now correctly deleted if the - DMZ is deleted.
    • -
    • The interface OPTIONS for "gw" interfaces are no +
    • The PATH variable in the firewall script now includes + /usr/local/bin and /usr/local/sbin.
    • +
    • DMZ-related chains are now correctly deleted if +the DMZ is deleted.
    • +
    • The interface OPTIONS for "gw" interfaces are no longer ignored.
    • - -
    -

    3/8/2001 - The current version of Shorewall is 1.0.2. It supports an - additional "gw" (gateway) zone for tunnels and it supports IPSEC - tunnels with end-points on the firewall. There is also a .lrp available + + +

    3/8/2001 - The current version of Shorewall is 1.0.2. It supports an + additional "gw" (gateway) zone for tunnels and it supports IPSEC + tunnels with end-points on the firewall. There is also a .lrp available now.

    - -

    Updated 11/24/2002 - Tom Eastep -

    - -

    Copyright2001, 2002 Thomas M. Eastep.

    -
    -
    -
    -
    -
    -
    -
    -
    -
    -
    -
    -
    -
    -
    -
    -
    -
    -
    + +

    Updated 12/3/2002 - Tom Eastep +

    + +

    +Copyright © 2001, 2002 Thomas M. Eastep.
    +

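Review bot: the 1.1.10 entry names the forwarding setting two different ways in one sentence, `IP_FORWARD=Off` and then `IP_FORWARDING=Keep`, and this reflow carries the inconsistency through unchanged; whichever name the script does not actually read will have no effect, leaving forwarding at its new default of enabled, so settle on the one variable name shorewall.conf honours and use it for both values. While the 1.1.6 entry is being rewrapped, also fix the text it preserves: `"ALL "ALL INTERFACES"` has a duplicated opening, `NAT effective regardless` is missing "is", and `send from (SNAT)` should read "sent from". Smaller carry-overs in the same hunk: "Ipv4" (1.1.10) for IPv4, and "an user-defined script" (1.1.0) for "a user-defined script".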
    diff --git a/STABLE/documentation/download.htm b/STABLE/documentation/download.htm index 479917401..65eb8ae58 100644 --- a/STABLE/documentation/download.htm +++ b/STABLE/documentation/download.htm @@ -1,388 +1,401 @@ - + - + - + - + Download - + - - - + + - - - + + + +
    - +
    +

    Shorewall Download

    -
    - +

    I strongly urge you to read and print a copy of the Shorewall QuickStart Guide - for the configuration that most closely matches your own.

    + href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide + for the configuration that most closely matches your own.
    +

    + +

    The entire set of Shorewall documentation is also available in PDF format + at:

    + +

        ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
    +     http://slovakia.shorewall.net/pub/shorewall/pdf/
    +     rsync://slovakia.shorewall.net/shorewall/pdf/
    +
    + Once you've done that, download one of the modules:

    -

    Once you've done that, download one of the modules:

    -
      -
    • If you run a RedHat, SuSE, Mandrake, - Linux PPC or TurboLinux distribution with a -2.4 kernel, you can use the RPM version (note: the RPM should - also work with other distributions that store init scripts +
    • If you run a RedHat, SuSE, Mandrake, + Linux PPC or TurboLinux distribution with +a 2.4 kernel, you can use the RPM version (note: the RPM +should also work with other distributions that store init scripts in /etc/init.d and that include chkconfig or insserv). If you find that it works in other cases, let me know so that - I can mention them here. See the Installation Instructions - if you have problems installing the RPM.
    • -
    • If you are running LRP, download the .lrp file (you might -also want to download the .tgz so you will have a copy of the documentation).
    • -
    • If you run Debian - and would like a .deb package, Shorewall is in both the Debian -Testing Branch and the Debian - Unstable Branch.
    • -
    • Otherwise, download the shorewall module - (.tgz)
    • - -
    - -

    The documentation in HTML format is included in the .tgz and .rpm files - and there is an documentation .deb that also contains the documentation.

    + href="mailto:teastep@shorewall.net"> me know so that + I can mention them here. See the Installation Instructions + if you have problems installing the RPM. +
  • If you are running LRP, download the .lrp file (you might + also want to download the .tgz so you will have a copy of the documentation).
  • +
  • If you run Debian + and would like a .deb package, Shorewall is in both the Debian Testing +Branch and the Debian +Unstable Branch.
  • +
  • Otherwise, download the shorewall module + (.tgz)
  • + + + +

    The documentation in HTML format is included in the .tgz and .rpm files + and there is an documentation .deb that also contains the documentation.

    + +

    Please verify the version that you have downloaded -- during the + release of a new version of Shorewall, the links below may point + to a newer or an older version than is shown below.

    -

    Please verify the version that you have downloaded -- during the - release of a new version of Shorewall, the links below may point - to a newer or an older version than is shown below.

    -
      -
    • RPM - "rpm -qip LATEST.rpm"
    • -
    • TARBALL - "tar -ztf LATEST.tgz" (the directory name will - contain the version)
    • -
    • LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar -zxf -<downloaded .lrp>; cat var/lib/lrpkg/shorwall.version"
    • - -
    +
  • RPM - "rpm -qip LATEST.rpm"
  • +
  • TARBALL - "tar -ztf LATEST.tgz" (the directory name +will contain the version)
  • +
  • LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar -zxf + <downloaded .lrp>; cat var/lib/lrpkg/shorwall.version"
  • -

    Once you have verified the version, check the - errata to see if there are updates that apply to the version - that you have downloaded.

    - -

    WARNING - YOU CAN NOT SIMPLY - INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION - IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed -configuration of your firewall, you can enable startup by removing the + + +

    Once you have verified the version, check the + errata to see if there are updates that apply to the version + that you have downloaded.

    + +

    WARNING - YOU CAN NOT SIMPLY + INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION + IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed +configuration of your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.

    - -

    Download Latest Version (1.3.10): Remember that updates -to the mirrors occur 1-12 hours after an update to the primary site.

    - -
    + +

    Download Latest Version (1.3.11a): Remember that updates + to the mirrors occur 1-12 hours after an update to the primary site.

    + +
    - - - - - - - - - - - + + + + + + + + + - - - - - - + + + + + - - - - - - - + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - + + + + + + - - - - + Download + .md5sums + + + + + + + + + + + + + + + + + + + + +
    SERVER LOCATIONDOMAINHTTPFTP
    SourceForge
    -
    sf.net
    -
    +
    SERVER LOCATIONDOMAINHTTPFTP
    SourceForge
    +
    sf.net
    +
    Download
    -

    -
    Slovak RepublicShorewall.net +
    +
    Slovak RepublicShorewall.netDownload .rpm
    - Download - .tgz 
    - Download - .lrp
    - - Download.md5sums
    Download - .rpm  
    - Download - .tgz 
    - Download - .rpm
    - - Download.md5sums
    Texas, USAInfohiiway.comDownload - .rpm
    - Download - .tgz 
    - Download - .lrp
    - - Download.md5sums
    Download + .tgz 
    + Download + .lrp
    + + Download.md5sums
    Download + .rpm  
    + Download + .tgz 
    + Download + .rpm
    + + Download.md5sums
    Texas, USAInfohiiway.comDownload + .rpm
    + Download + .tgz 
    + Download + .lrp
    + + Download.md5sums
    Download .rpm  
    - Download - .tgz 
    - Download - .lrp
    - - Download.md5sums
    Hamburg, GermanyShorewall.net Download - .rpm
    - Download - .tgz
    - Download + Download + .tgz 
    + Download .lrp
    - - Download.md5sums
    Download - .rpm  
    - Download - .tgz 
    - Download - .lrp
    - Download - .md5sums
    Martinez (Zona Norte - GBA), ArgentinaCorreofuego.com.ar Download - .rpm  
    - Download - .tgz 
    - - Download .lrp
    - Download -.md5sums
    Download - .rpm  
    - Download - .tgz 
    - - Download .lrp
    - Download -.md5sums
    Paris, FranceShorewall.netDownload - .rpm
    - Download - .tgz 
    - Download - .lrp
    - Download - .md5sums
    Download - .rpm  
    - Download - .tgz 
    - Download - .lrp
    - Download - .md5sums
    Washington State, USA
    -
    Shorewall.net
    -
    Download .rpm
    - Download + + Download.md5sums
    Hamburg, GermanyShorewall.net Download + .rpm
    + Download + .tgz
    + Download + .lrp
    + + Download.md5sums
    Download + .rpm  
    + Download .tgz 
    - Download + Download .lrp
    - Download - .md5sums
    -
    - Download .rpm 
    - Download - .tgz 
    - Download - .lrp
    - Download - .md5sums
    -
    Martinez (Zona Norte - GBA), ArgentinaCorreofuego.com.ar Download + .rpm  
    + Download + .tgz 
    + + Download .lrp
    + Download + .md5sums
    Download + .rpm  
    + Download + .tgz 
    + + Download .lrp
    + Download + .md5sums
    Paris, FranceShorewall.netDownload .rpm
    + Download + .tgz 
    + Download + .lrp
    + Download + .md5sums
    Download + .rpm  
    + Download + .tgz 
    + Download + .lrp
    + Download + .md5sums
    Washington State, USA
    +
    Shorewall.net
    +
    Download .rpm
    + Download + .tgz 
    + Download + .lrp
    + Download + .md5sums
    +
    + Download .rpm 
    + Download + .tgz 
    + Download + .lrp
    + Download + .md5sums
    +
    -
    - +
    +

    Documentation in PDF format:
    -

    - -
    -

    Juraj Ontkanin has produced a Portable Document Format (PDF) file containing -the Shorewall 1.3.10 documenation (the documentation in HTML format is included -in the .rpm and in the .tgz). The .pdf may be downloaded from

    -
    - -
    +

    + +
    +

    Juraj Ontkanin has produced a Portable Document Format (PDF) file containing + the Shorewall 1.3.10 documenation (the documentation in HTML format is included + in the .rpm and in the .tgz). The .pdf may be downloaded from

    +
    + +
    ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
    - http://slovakia.shorewall.net/pub/shorewall/pdf/

    -
    -
    - + http://slovakia.shorewall.net/pub/shorewall/pdf/
    +
    + +

    Browse Download Sites:

    - -
    + +
    - - - - - - - - - - - + + + + + + + + + - - - - - - + + + + + - - - - - - + + + - - - - - - - + + + + - - - - - + + + - - - - - - + + + - - - - - - - + + + + - - - + + +
    SERVER LOCATIONDOMAINHTTPFTP
    SourceForge
    -
    sf.net +
    SERVER LOCATIONDOMAINHTTPFTP
    SourceForge
    +
    sf.netBrowseN/A
    Slovak RepublicShorewall.netN/A
    Slovak RepublicShorewall.netBrowse Browse
    Texas, USAInfohiiway.com +
    Texas, USAInfohiiway.comBrowseBrowse
    Hamburg, GermanyShorewall.netBrowse +
    Hamburg, GermanyShorewall.netBrowseBrowse
    Martinez (Zona Norte - GBA), ArgentinaCorreofuego.com.ar +
    Martinez (Zona Norte - GBA), ArgentinaCorreofuego.com.arBrowse Browse
    FranceShorewall.net +
    FranceShorewall.netBrowse Browse
    Washington State, USAShorewall.netBrowse +
    Washington State, USAShorewall.netBrowseBrowse
    -
    - +
    +

    CVS:

    - -
    + +

    The CVS repository at - cvs.shorewall.net contains the latest snapshots of the each Shorewall - component. There's no guarantee that what you find there will work at - all.
    -

    -
    - -

    Last Updated 11/11/2002 - CVS repository at + cvs.shorewall.net contains the latest snapshots of the each Shorewall + component. There's no guarantee that what you find there will work at + all.
    +

    +
    + +

    Last Updated 12/3/2002 - Tom Eastep

    - -

    Copyright - © 2001, 2002 Thomas M. Eastep.

    + +

    Copyright + © 2001, 2002 Thomas M. Eastep.

    +
    +

    +



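Review bot: the version-verification steps at `RPM - "rpm -qip LATEST.rpm"` only tell the reader how to find out which version they downloaded, while the `.md5sums` files linked from every mirror row are never mentioned as something to check; add a step in the same style as the LRP one, e.g. `md5sum -c <downloaded .md5sums>`, and say to fetch the .md5sums from the primary site rather than from the mirror that served the package, since this page itself describes the mirrors as third-party hosts (Infohiiway.com, Correofuego.com.ar) that lag the primary by 1-12 hours, so a mirror-supplied checksum only proves the mirror is self-consistent. Also stale after bumping the heading to `Download Latest Version (1.3.11a)`: the PDF paragraph still reads "the Shorewall 1.3.10 documenation" (also a typo for "documentation"), and the new "The entire set of Shorewall documentation is also available in PDF format" paragraph lists the same slovakia.shorewall.net URLs as the existing "Documentation in PDF format" section further down, so one of the two should go. Minor: "an documentation .deb" and "snapshots of the each Shorewall component".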
    diff --git a/STABLE/documentation/errata.htm b/STABLE/documentation/errata.htm index bfba7872f..fb757421b 100644 --- a/STABLE/documentation/errata.htm +++ b/STABLE/documentation/errata.htm @@ -1,530 +1,556 @@ - + Shorewall 1.3 Errata + - + - + - + - - - + + - - - + + + +
    - +
    +

    Shorewall Errata/Upgrade Issues

    -
    - +

    IMPORTANT

    - +
      -
    1. -

      If you use a Windows system to download - a corrected script, be sure to run the script through +

    2. + +

      If you use a Windows system to download + a corrected script, be sure to run the script through dos2unix after you have moved - it to your Linux system.

      -
    3. -
    4. -

      If you are installing Shorewall for the -first time and plan to use the .tgz and install.sh script, you can -untar the archive, replace the 'firewall' script in the untarred directory - with the one you downloaded below, and then run install.sh.

      -
    5. -
    6. -

      When the instructions say to install a corrected - firewall script in /etc/shorewall/firewall, /usr/lib/shorewall/firewall - or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to overwrite - the existing file. DO NOT REMOVE OR RENAME THE OLD /etc/shorewall/firewall - or /var/lib/shorewall/firewall before you do that. /etc/shorewall/firewall - and /var/lib/shorewall/firewall are symbolic links that point - to the 'shorewall' file used by your system initialization scripts -to start Shorewall during boot. It is that file that must be overwritten - with the corrected script.

      -
    7. -
    8. -

      DO NOT INSTALL CORRECTED COMPONENTS - ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. For + style="text-decoration: none;"> dos2unix after you have moved + it to your Linux system.

      +
    9. +
    10. + +

      If you are installing Shorewall for the first +time and plan to use the .tgz and install.sh script, you can untar +the archive, replace the 'firewall' script in the untarred directory + with the one you downloaded below, and then run install.sh.

      +
    11. +
    12. + +

      When the instructions say to install a corrected + firewall script in /etc/shorewall/firewall, /usr/lib/shorewall/firewall + or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to overwrite + the existing file. DO NOT REMOVE OR RENAME THE OLD /etc/shorewall/firewall + or /var/lib/shorewall/firewall before you do that. /etc/shorewall/firewall + and /var/lib/shorewall/firewall are symbolic links that point + to the 'shorewall' file used by your system initialization scripts + to start Shorewall during boot. It is that file that must be overwritten + with the corrected script.

      +
    13. +
    14. +

      DO NOT INSTALL CORRECTED COMPONENTS + ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. For example, do NOT install the 1.3.9a firewall script if you are running 1.3.7c.
      -

      -
    15. - +

      + +
    - + - -
    + +

    Problems in Version 1.3

    - -

    Version 1.3.10

    - + +

    Version 1.3.11

    +
      -
    • If you experience problems connecting to a PPTP server running on -your firewall and you have a 'pptpserver' entry in /etc/shorewall/tunnels, - this -version of the firewall script may help. Please report any cases where -installing this script in /usr/lib/shorewall/firewall solved your connection -problems. Beginning with version 1.3.10, it is safe to save the old version -of /usr/lib/shorewall/firewall before copying in the new one since /usr/lib/shorewall/firewall -is the real script now and not just a symbolic link to the real script.
      +
    • When installing/upgrading using the .rpm, you may receive the following + warnings:
      +
      +      user teastep does not exist - using root
      +      group teastep does not exist - using root
      +
      + These warnings are harmless and may be ignored. Users downloading the .rpm + from shorewall.net or mirrors should no longer see these warnings as the +.rpm you will get from there has been corrected.
    • +
    • DNAT rules that exclude a source subzone (SOURCE column contains ! +followed by a sub-zone list) result in an error message and Shorewall fails +to start.
      +
      + Install this +corrected script in /usr/lib/shorewall/firewall to correct this problem. +Thanks go to Roger Aich who analyzed this problem and provided a fix.
      +
      +This problem is corrected in version 1.3.11a.
    • - -
    - -

    Version 1.3.9a

    + + +

    Version 1.3.10

    +
      -
    • If entries are used in /etc/shorewall/hosts and MERGE_HOSTS=No then - the following message appears during "shorewall [re]start":
    • - +
    • If you experience problems connecting to a PPTP server running +on your firewall and you have a 'pptpserver' entry in /etc/shorewall/tunnels, + this + version of the firewall script may help. Please report any cases where + installing this script in /usr/lib/shorewall/firewall solved your connection + problems. Beginning with version 1.3.10, it is safe to save the old version + of /usr/lib/shorewall/firewall before copying in the new one since /usr/lib/shorewall/firewall + is the real script now and not just a symbolic link to the real script.
      +
    • +
    - + +

    Version 1.3.9a

    + +
      +
    • If entries are used in /etc/shorewall/hosts and MERGE_HOSTS=No + then the following message appears during "shorewall [re]start":
    • + +
    +
              recalculate_interfacess: command not found
    - +
    The updated firewall script at ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall - corrects this problem.Copy the script to /usr/lib/shorewall/firewall as described - above.
    -
    - -
    Alternatively, edit /usr/lob/shorewall/firewall and change the - single occurence (line 483 in version 1.3.9a) of 'recalculate_interefacess' - to 'recalculate_interface'.
    -
    - -
      -
    • The installer (install.sh) issues a misleading message "Common functions - installed in /var/lib/shorewall/functions" whereas the file is installed -in /usr/lib/shorewall/functions. The installer also performs incorrectly -when updating old configurations that had the file /etc/shorewall/functions. - Here - is an updated version that corrects these problems.
      -
    • - -
    - -

    Version 1.3.9

    - TUNNELS Broken in 1.3.9!!! There is an updated firewall script - at ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall - -- copy that file to /usr/lib/shorewall/firewall as described above.
    -
    - Version 1.3.8 -
      -
    • Use of shell variables in the LOG LEVEL or SYNPARMS columns -of the policy file doesn't work.
    • -
    • A DNAT rule with the same original and new IP addresses but -with different port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24 -tcp 25 - 10.1.1.1")
      -
    • - -
    - Installing - this corrected firewall script in /var/lib/shorewall/firewall - as described above corrects these problems. - -

    Version 1.3.7b

    - -

    DNAT rules where the source zone is 'fw' ($FW) - result in an error message. Installing - - this corrected firewall script in /var/lib/shorewall/firewall - as described above corrects this problem.

    - -

    Version 1.3.7a

    - -

    "shorewall refresh" is not creating the proper - rule for FORWARDPING=Yes. Consequently, after - "shorewall refresh", the firewall will not forward - icmp echo-request (ping) packets. Installing - - this corrected firewall script in /var/lib/shorewall/firewall - as described above corrects this problem.

    - -

    Version <= 1.3.7a

    - -

    If "norfc1918" and "dhcp" are both specified as - options on a given interface then RFC 1918 - checking is occurring before DHCP checking. This - means that if a DHCP client broadcasts using an - RFC 1918 source address, then the firewall will - reject the broadcast (usually logging it). This - has two problems:

    - -
      -
    1. If the firewall is running a -DHCP server, the client won't be able -to obtain an IP address lease from that -server.
    2. -
    3. With this order of checking, -the "dhcp" option cannot be used as a -noise-reduction measure where there are -both dynamic and static clients on a LAN -segment.
    4. - -
    - -

    - This version of the 1.3.7a firewall script - corrects the problem. It must be installed - in /var/lib/shorewall as described above.

    - -

    Version 1.3.7

    - -

    Version 1.3.7 dead on arrival -- please use - version 1.3.7a and check your version against - these md5sums -- if there's a difference, please - download again.

    - -
    	d2fffb7fb99bcc6cb047ea34db1df10 shorewall-1.3.7a.tgz
    6a7fd284c8685b2b471a2f47b469fb94 shorewall-1.3.7a-1.noarch.rpm
    3decd14296effcff16853106771f7035 shorwall-1.3.7a.lrp
    - -

    In other words, type "md5sum <whatever package you downloaded> - and compare the result with what you see above.

    - -

    I'm embarrassed to report that 1.2.7 was also DOA -- maybe I'll skip the - .7 version in each sequence from now on.

    - -

    Version 1.3.6

    - -
      -
    • - -

      If ADD_SNAT_ALIASES=Yes is specified in /etc/shorewall/shorewall.conf, - an error occurs when the firewall script attempts to add an - SNAT alias.

      -
    • -
    • + target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall + corrects this problem.Copy the script to /usr/lib/shorewall/firewall as + described above.
      + -

      The logunclean and dropunclean options - cause errors during startup when Shorewall is run with iptables - 1.2.7.

      -
    • - -
    - -

    These problems are fixed in - this correct firewall script which must be installed in - /var/lib/shorewall/ as described above. These problems are also - corrected in version 1.3.7.

    - -

    Two-interface Samples 1.3.6 (file two-interfaces.tgz)

    - -

    A line was inadvertently deleted from the "interfaces - file" -- this line should be added back in if the version that you - downloaded is missing it:

    - -

    net    eth0    detect    routefilter,dhcp,norfc1918

    - -

    If you downloaded two-interfaces-a.tgz then the above - line should already be in the file.

    - -

    Version 1.3.5-1.3.5b

    - -

    The new 'proxyarp' interface option doesn't work :-( - This is fixed in - this corrected firewall script which must be installed in - /var/lib/shorewall/ as described above.

    - -

    Versions 1.3.4-1.3.5a

    - -

    Prior to version 1.3.4, host file entries such as the - following were allowed:

    - -
    -
    	adm	eth0:1.2.4.5,eth0:5.6.7.8
    -
    - -
    -

    That capability was lost in version 1.3.4 so that it is only - possible to  include a single host specification on each line. This - problem is corrected by this - modified 1.3.5a firewall script. Install the script in /var/lib/pub/shorewall/firewall - as instructed above.

    -
    - -
    -

    This problem is corrected in version 1.3.5b.

    -
    - -

    Version 1.3.5

    - -

    REDIRECT rules are broken in this version. Install +

    Alternatively, edit /usr/lob/shorewall/firewall and change the + single occurence (line 483 in version 1.3.9a) of 'recalculate_interefacess' + to 'recalculate_interface'.
    +
    + +
      +
    • The installer (install.sh) issues a misleading message "Common +functions installed in /var/lib/shorewall/functions" whereas the file is +installed in /usr/lib/shorewall/functions. The installer also performs incorrectly +when updating old configurations that had the file /etc/shorewall/functions. - this corrected firewall script in /var/lib/pub/shorewall/firewall - as instructed above. This problem is corrected in version + href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.3.9/install.sh">Here + is an updated version that corrects these problems.
      +
    • + +
    + +

    Version 1.3.9

    + TUNNELS Broken in 1.3.9!!! There is an updated firewall script + at ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall + -- copy that file to /usr/lib/shorewall/firewall as described above.
    +
    + Version 1.3.8 +
      +
    • Use of shell variables in the LOG LEVEL or SYNPARMS columns + of the policy file doesn't work.
    • +
    • A DNAT rule with the same original and new IP addresses but + with different port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24 + tcp 25 - 10.1.1.1")
      +
    • + +
    + Installing + this corrected firewall script in /var/lib/shorewall/firewall + as described above corrects these problems. + +

    Version 1.3.7b

    + +

    DNAT rules where the source zone is 'fw' ($FW) + result in an error message. Installing + + this corrected firewall script in /var/lib/shorewall/firewall + as described above corrects this problem.

    + +

    Version 1.3.7a

    + +

    "shorewall refresh" is not creating the proper + rule for FORWARDPING=Yes. Consequently, after + "shorewall refresh", the firewall will not forward + icmp echo-request (ping) packets. Installing + + this corrected firewall script in /var/lib/shorewall/firewall + as described above corrects this problem.

    + +

    Version <= 1.3.7a

    + +

    If "norfc1918" and "dhcp" are both specified as + options on a given interface then RFC 1918 + checking is occurring before DHCP checking. This + means that if a DHCP client broadcasts using an + RFC 1918 source address, then the firewall will + reject the broadcast (usually logging it). This + has two problems:

    + +
      +
    1. If the firewall is running + a DHCP server, the client won't be +able to obtain an IP address lease +from that server.
    2. +
    3. With this order of checking, + the "dhcp" option cannot be used as +a noise-reduction measure where there +are both dynamic and static clients +on a LAN segment.
    4. + +
    + +

    + This version of the 1.3.7a firewall script + corrects the problem. It must be installed + in /var/lib/shorewall as described above.

    + +

    Version 1.3.7

    + +

    Version 1.3.7 dead on arrival -- please use + version 1.3.7a and check your version against + these md5sums -- if there's a difference, please + download again.

    + +
    	d2fffb7fb99bcc6cb047ea34db1df10 shorewall-1.3.7a.tgz
    6a7fd284c8685b2b471a2f47b469fb94 shorewall-1.3.7a-1.noarch.rpm
    3decd14296effcff16853106771f7035 shorwall-1.3.7a.lrp
    + +

    In other words, type "md5sum <whatever package you downloaded> + and compare the result with what you see above.

    + +

    I'm embarrassed to report that 1.2.7 was also DOA -- maybe I'll skip the + .7 version in each sequence from now on.

    + +

    Version 1.3.6

    + +
      +
    • + +

      If ADD_SNAT_ALIASES=Yes is specified in /etc/shorewall/shorewall.conf, + an error occurs when the firewall script attempts to add an + SNAT alias.

      +
    • +
    • + +

      The logunclean and dropunclean options + cause errors during startup when Shorewall is run with iptables + 1.2.7.

      +
    • + +
    + +

    These problems are fixed in + this correct firewall script which must be installed in + /var/lib/shorewall/ as described above. These problems are also + corrected in version 1.3.7.

    + +

    Two-interface Samples 1.3.6 (file two-interfaces.tgz)

    + +

    A line was inadvertently deleted from the "interfaces + file" -- this line should be added back in if the version that you + downloaded is missing it:

    + +

    net    eth0    detect    routefilter,dhcp,norfc1918

    + +

    If you downloaded two-interfaces-a.tgz then the above + line should already be in the file.

    + +

    Version 1.3.5-1.3.5b

    + +

    The new 'proxyarp' interface option doesn't work :-( + This is fixed in + this corrected firewall script which must be installed in + /var/lib/shorewall/ as described above.

    + +

    Versions 1.3.4-1.3.5a

    + +

    Prior to version 1.3.4, host file entries such as the + following were allowed:

    + +
    +
    	adm	eth0:1.2.4.5,eth0:5.6.7.8
    +
    + +
    +

    That capability was lost in version 1.3.4 so that it is only + possible to  include a single host specification on each line. This + problem is corrected by this + modified 1.3.5a firewall script. Install the script in /var/lib/pub/shorewall/firewall + as instructed above.

    +
    + +
    +

    This problem is corrected in version 1.3.5b.

    +
    + +

    Version 1.3.5

    + +

    REDIRECT rules are broken in this version. Install + + this corrected firewall script in /var/lib/pub/shorewall/firewall + as instructed above. This problem is corrected in version 1.3.5a.

    - +

    Version 1.3.n, n < 4

    - -

    The "shorewall start" and "shorewall restart" commands - to not verify that the zones named in the /etc/shorewall/policy -file have been previously defined in the /etc/shorewall/zones -file. The "shorewall check" command does perform this verification -so it's a good idea to run that command after you have made configuration - changes.

    - + +

    The "shorewall start" and "shorewall restart" commands + to not verify that the zones named in the /etc/shorewall/policy file + have been previously defined in the /etc/shorewall/zones file. +The "shorewall check" command does perform this verification so +it's a good idea to run that command after you have made configuration + changes.

    +

    Version 1.3.n, n < 3

    - -

    If you have upgraded from Shorewall 1.2 and after - "Activating rules..." you see the message: "iptables: No chains/target/match - by that name" then you probably have an entry in /etc/shorewall/hosts - that specifies an interface that you didn't include in /etc/shorewall/interfaces. - To correct this problem, you must add an entry to /etc/shorewall/interfaces. - Shorewall 1.3.3 and later versions produce a clearer error -message in this case.

    - + +

    If you have upgraded from Shorewall 1.2 and after + "Activating rules..." you see the message: "iptables: No chains/target/match + by that name" then you probably have an entry in /etc/shorewall/hosts + that specifies an interface that you didn't include in /etc/shorewall/interfaces. + To correct this problem, you must add an entry to /etc/shorewall/interfaces. + Shorewall 1.3.3 and later versions produce a clearer error + message in this case.

    +

    Version 1.3.2

    - -

    Until approximately 2130 GMT on 17 June 2002, the - download sites contained an incorrect version of the .lrp file. That - file can be identified by its size (56284 bytes). The correct -version has a size of 38126 bytes.

    - + +

    Until approximately 2130 GMT on 17 June 2002, the + download sites contained an incorrect version of the .lrp file. That + file can be identified by its size (56284 bytes). The correct version + has a size of 38126 bytes.

    +
      -
    • The code to detect a duplicate interface entry in - /etc/shorewall/interfaces contained a typo that prevented it -from working correctly.
    • -
    • "NAT_BEFORE_RULES=No" was broken; it behaved just - like "NAT_BEFORE_RULES=Yes".
    • - +
    • The code to detect a duplicate interface entry + in /etc/shorewall/interfaces contained a typo that prevented +it from working correctly.
    • +
    • "NAT_BEFORE_RULES=No" was broken; it behaved +just like "NAT_BEFORE_RULES=Yes".
    • +
    - +

    Both problems are corrected in - this script which should be installed in /var/lib/shorewall - as described above.

    - + href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/firewall"> + this script which should be installed in /var/lib/shorewall + as described above.

    +
      -
    • - -

      The IANA have just announced the allocation of subnet - 221.0.0.0/8. This - updated rfc1918 file reflects that allocation.

      -
    • - +
    • + +

      The IANA have just announced the allocation of subnet + 221.0.0.0/8. This + updated rfc1918 file reflects that allocation.

      +
    • +
    - +

    Version 1.3.1

    - +
      -
    • TCP SYN packets may be double counted when - LIMIT:BURST is included in a CONTINUE or ACCEPT policy (i.e., each - packet is sent through the limit chain twice).
    • -
    • An unnecessary jump to the policy chain is sometimes - generated for a CONTINUE policy.
    • -
    • When an option is given for more than one interface - in /etc/shorewall/interfaces then depending on the option, - Shorewall may ignore all but the first appearence of the +
    • TCP SYN packets may be double counted when + LIMIT:BURST is included in a CONTINUE or ACCEPT policy (i.e., each + packet is sent through the limit chain twice).
    • +
    • An unnecessary jump to the policy chain is sometimes + generated for a CONTINUE policy.
    • +
    • When an option is given for more than one interface + in /etc/shorewall/interfaces then depending on the option, + Shorewall may ignore all but the first appearence of the option. For example:
      -
      - net    eth0    dhcp
      - loc    eth1    dhcp
      -
      - Shorewall will ignore the 'dhcp' on eth1.
    • -
    • Update 17 June 2002 - The bug described in the prior - bullet affects the following options: dhcp, dropunclean, logunclean, - norfc1918, routefilter, multi, filterping and noping. An -additional bug has been found that affects only the 'routestopped' -option.
      -
      - Users who downloaded the corrected script prior to 1850 - GMT today should download and install the corrected script - again to ensure that this second problem is corrected.
    • - +
      + net    eth0    dhcp
      + loc    eth1    dhcp
      +
      + Shorewall will ignore the 'dhcp' on eth1. +
    • Update 17 June 2002 - The bug described in the + prior bullet affects the following options: dhcp, dropunclean, + logunclean, norfc1918, routefilter, multi, filterping and + noping. An additional bug has been found that affects only + the 'routestopped' option.
      +
      + Users who downloaded the corrected script prior to + 1850 GMT today should download and install the corrected + script again to ensure that this second problem is corrected.
    • +
    - +

    These problems are corrected in - this firewall script which should be installed in /etc/shorewall/firewall - as described above.

    - + href="http://www.shorewall.net/pub/shorewall/errata/1.3.1/firewall"> + this firewall script which should be installed in /etc/shorewall/firewall + as described above.

    +

    Version 1.3.0

    - +
      -
    • Folks who downloaded 1.3.0 from the links on the -download page before 23:40 GMT, 29 May 2002 may have downloaded -1.2.13 rather than 1.3.0. The "shorewall version" command -will tell you which version that you have installed.
    • -
    • The documentation NAT.htm file uses non-existent - wallpaper and bullet graphic files. The - corrected version is here.
    • - +
    • Folks who downloaded 1.3.0 from the links on +the download page before 23:40 GMT, 29 May 2002 may have +downloaded 1.2.13 rather than 1.3.0. The "shorewall version" +command will tell you which version that you have installed.
    • +
    • The documentation NAT.htm file uses non-existent + wallpaper and bullet graphic files. The + corrected version is here.
    • +
    - -
    + +

    Upgrade Issues

    - +

    The upgrade issues have moved to a separate page.

    - -
    -

    Problem with - iptables version 1.2.3

    - -
    -

    There are a couple of serious bugs in iptables 1.2.3 that - prevent it from working with Shorewall. Regrettably, RedHat released - this buggy iptables in RedHat 7.2. 

    - + +
    +

    Problem with + iptables version 1.2.3

    + +
    +

    There are a couple of serious bugs in iptables 1.2.3 that + prevent it from working with Shorewall. Regrettably, RedHat + released this buggy iptables in RedHat 7.2. 

    +

    I have built a - corrected 1.2.3 rpm which you can download here  and I have also -built an -iptables-1.2.4 rpm which you can download here. If you are currently - running RedHat 7.1, you can install either of these RPMs before - you upgrade to RedHat 7.2.

    - -

    Update 11/9/2001: RedHat - has released an iptables-1.2.4 RPM of their own which you can download - from http://www.redhat.com/support/errata/RHSA-2001-144.html. - I have installed this RPM on my firewall and it works fine.

    - -

    If you would like to patch iptables 1.2.3 yourself, - the patches are available for download. This patch - which corrects a problem with parsing of the --log-level specification - while this patch - corrects a problem in handling the  TOS target.

    - -

    To install one of the above patches:

    - -
      -
    • cd iptables-1.2.3/extensions
    • -
    • patch -p0 < the-patch-file
    • - -
    -
    + href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm"> + corrected 1.2.3 rpm which you can download here  and I have also + built an + iptables-1.2.4 rpm which you can download here. If you are currently + running RedHat 7.1, you can install either of these RPMs + before you upgrade to RedHat 7.2.

    -

    Problems with kernels >= 2.4.18 - and RedHat iptables

    - -
    -

    Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19 - may experience the following:

    - -
    +

    Update 11/9/2001: RedHat + has released an iptables-1.2.4 RPM of their own which you can download + from http://www.redhat.com/support/errata/RHSA-2001-144.html. + I have installed this RPM on my firewall and it works fine.

    + +

    If you would like to patch iptables 1.2.3 yourself, + the patches are available for download. This patch + which corrects a problem with parsing of the --log-level specification + while this patch + corrects a problem in handling the  TOS target.

    + +

    To install one of the above patches:

    + +
      +
    • cd iptables-1.2.3/extensions
    • +
    • patch -p0 < the-patch-file
    • + +
    +
    + +

    Problems with kernels >= 2.4.18 + and RedHat iptables

    + +
    +

    Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19 + may experience the following:

    + +
    +
    # shorewall start
    Processing /etc/shorewall/shorewall.conf ...
    Processing /etc/shorewall/params ...
    Starting Shorewall...
    Loading Modules...
    Initializing...
    Determining Zones...
    Zones: net
    Validating interfaces file...
    Validating hosts file...
    Determining Hosts in Zones...
    Net Zone: eth0:0.0.0.0/0
    iptables: libiptc/libip4tc.c:380: do_check: Assertion
    `h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
    Aborted (core dumped)
    iptables: libiptc/libip4tc.c:380: do_check: Assertion
    `h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
    Aborted (core dumped)
    -
    - -

    The RedHat iptables RPM is compiled with debugging enabled but the - user-space debugging code was not updated to reflect recent changes in - the Netfilter 'mangle' table. You can correct the problem by installing - - this iptables RPM. If you are already running a 1.2.5 version of - iptables, you will need to specify the --oldpackage option to rpm (e.g., - "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").

    -
    +
    + +

    The RedHat iptables RPM is compiled with debugging enabled but the + user-space debugging code was not updated to reflect recent changes in + the Netfilter 'mangle' table. You can correct the problem by installing + + this iptables RPM. If you are already running a 1.2.5 version + of iptables, you will need to specify the --oldpackage option to rpm + (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").

    +
    - -

    Problems installing/upgrading - RPM on SuSE

    - -

    If you find that rpm complains about a conflict - with kernel <= 2.2 yet you have a 2.4 kernel - installed, simply use the "--nodeps" option to - rpm.

    - + +

    Problems installing/upgrading + RPM on SuSE

    + +

    If you find that rpm complains about a conflict + with kernel <= 2.2 yet you have a 2.4 kernel + installed, simply use the "--nodeps" option to + rpm.

    +

    Installing: rpm -ivh --nodeps <shorewall rpm>

    - +

    Upgrading: rpm -Uvh --nodeps <shorewall rpm>

    - -

    Problems with - iptables version 1.2.7 and MULTIPORT=Yes

    - -

    The iptables 1.2.7 release of iptables has made - an incompatible change to the syntax used to - specify multiport match rules; as a consequence, - if you install iptables 1.2.7 you must be running - Shorewall 1.3.7a or later or:

    - + +

    Problems with + iptables version 1.2.7 and MULTIPORT=Yes

    + +

    The iptables 1.2.7 release of iptables has made + an incompatible change to the syntax used to + specify multiport match rules; as a consequence, + if you install iptables 1.2.7 you must be running + Shorewall 1.3.7a or later or:

    +
      -
    • set MULTIPORT=No in - /etc/shorewall/shorewall.conf; or
    • -
    • if you are running Shorewall -1.3.6 you may install - - this firewall script in /var/lib/shorewall/firewall - as described above.
    • - +
    • set MULTIPORT=No in + /etc/shorewall/shorewall.conf; or
    • +
    • if you are running Shorewall + 1.3.6 you may install + + this firewall script in /var/lib/shorewall/firewall + as described above.
    • +
    - +

    Problems with RH Kernel 2.4.18-10 and NAT
    -

    - /etc/shorewall/nat entries of the following form will result in Shorewall - being unable to start:
    -
    - -
    #EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL
    192.0.2.22    eth0    192.168.9.22   yes     yes
    #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
    - Error message is:
    - -
    Setting up NAT...
    iptables: Invalid argument
    Terminated

    - The solution is to put "no" in the LOCAL column. Kernel support for LOCAL=yes - has never worked properly and 2.4.18-10 has disabled it. The 2.4.19 kernel - contains corrected support under a new kernel configuraiton option; see -http://www.shorewall.net/Documentation.htm#NAT
    - -

    Last updated 11/24/2002 - - Tom Eastep

    - -

    Copyright - © 2001, 2002 Thomas M. Eastep.

    -
    -
    + + /etc/shorewall/nat entries of the following form will result in Shorewall + being unable to start:

    -
    -
    -
    -
    + +
    #EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL
    192.0.2.22    eth0    192.168.9.22   yes     yes
    #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
    + Error message is:
    + +
    Setting up NAT...
    iptables: Invalid argument
    Terminated

    + The solution is to put "no" in the LOCAL column. Kernel support for + LOCAL=yes has never worked properly and 2.4.18-10 has disabled it. The +2.4.19 kernel contains corrected support under a new kernel configuraiton +option; see http://www.shorewall.net/Documentation.htm#NAT
    + +

    Last updated 12/3/2002 - + Tom Eastep

    + +

    Copyright + © 2001, 2002 Thomas M. Eastep.
    +



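Review bot: the new 1.3.11a entry under Version 1.3.11 ("Install this corrected script in /usr/lib/shorewall/firewall to correct this problem") links a replacement firewall script, the file the system initialization scripts run at boot, without any checksum, while the Version 1.3.7 section does publish md5sums for its packages; publish an md5sum beside each corrected-script link so users can verify what they copy over /usr/lib/shorewall/firewall before it is executed. In that 1.3.7 listing the first sum, "d2fffb7fb99bcc6cb047ea34db1df10 shorewall-1.3.7a.tgz", is only 31 hex digits and so cannot be a valid MD5, and the third file name is spelled "shorwall-1.3.7a.lrp"; both need correcting before anyone can compare against them. The reflowed paragraphs also carry install paths that disagree with the rest of the page: "/usr/lob/shorewall/firewall" in the 1.3.9a item and "/var/lib/pub/shorewall/firewall" in the Versions 1.3.4-1.3.5a and Version 1.3.5 items, where the page elsewhere says /usr/lib/shorewall/firewall and /var/lib/shorewall/firewall. Minor: "to not verify" should be "do not verify" under Version 1.3.n, n < 4, and "configuraiton" under Problems with RH Kernel 2.4.18-10 should be "configuration".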
    diff --git a/STABLE/documentation/seattlefirewall_index.htm b/STABLE/documentation/seattlefirewall_index.htm index a5014f5cd..df5a3430b 100644 --- a/STABLE/documentation/seattlefirewall_index.htm +++ b/STABLE/documentation/seattlefirewall_index.htm @@ -4,73 +4,75 @@ - + Shoreline Firewall (Shorewall) 1.3 - + - + - - - + + - + +
    + + - + +
    +
    - +

    Shorwall Logo - Shorewall 1.3 - "iptables - made easy"

    + Shorewall 1.3 - "iptables + made easy" - + -
    -
    - -
    - -
    + +
    + +
    - - - + + - - - - - -
    +
    - + +

    What is it?

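Review bot: the logo image's alt text still reads "Shorwall Logo" (missing an "e") in the context line just above the rewrapped 'Shorewall 1.3 - "iptables made easy"' heading; since this hunk reflows that line anyway, correct it to "Shorewall Logo".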
    @@ -78,41 +80,41 @@ - -

    The Shoreline Firewall, more commonly known as "Shorewall", is a - Netfilter (iptables) based firewall - that can be used on a dedicated firewall system, a multi-function - gateway/router/server or on a standalone GNU/Linux system.

    + +

    The Shoreline Firewall, more commonly known as "Shorewall", is +a Netfilter (iptables) based +firewall that can be used on a dedicated firewall system, a multi-function + gateway/router/server or on a standalone GNU/Linux system.

    - -

    This program is free software; you can redistribute it and/or modify - it under the terms of Version 2 of the GNU General -Public License as published by the Free Software Foundation.
    -
    - This program - is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty - of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. - See the GNU General Public License for more details.
    -
    - You should - have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, - USA

    + +

    This program is free software; you can redistribute it and/or modify + it under the terms of Version 2 of the GNU +General Public License as published by the Free Software Foundation.
    +
    + This program + is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty + of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. + See the GNU General Public License for more details.
    +
    + You should + have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, + USA

    - +

    Copyright 2001, 2002 Thomas M. Eastep

    @@ -120,23 +122,24 @@ Public License as published by the Free Software Foundation.
    - + +

    - Jacques - Nilo and Eric Wolzak have a LEAF (router/firewall/gateway - on a floppy, CD or compact flash) distribution called + Jacques + Nilo and Eric Wolzak have a LEAF (router/firewall/gateway + on a floppy, CD or compact flash) distribution called Bering that features Shorewall-1.3.10 and Kernel-2.4.18. - You can find their work at: http://leaf.sourceforge.net/devel/jnilo
    -

    - -

    Congratulations to Jacques and Eric on the recent release of Bering -1.0 Final!!!
    -

    - -

    This is a mirror of the main Shorewall web site at SourceForge (http://shorewall.sf.net)

    +

    + +

    Congratulations to Jacques and Eric on the recent release of +Bering 1.0 Final!!!
    +

    + +

    This is a mirror of the main Shorewall web site at SourceForge +(http://shorewall.sf.net)

    @@ -145,7 +148,8 @@ Public License as published by the Free Software Foundation.
    - + +

    News

    @@ -153,259 +157,286 @@ Public License as published by the Free Software Foundation.
    - +

    - -

    11/24/2002 - Shorewall 1.3.11 12/3/2002 - Shorewall 1.3.11a (New) -

    +

    -

    In this version:

    +

    This is a bug-fix roll up which includes Roger Aich's fix for DNAT +with excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11 users who +don't need rules of this type need not upgrade to 1.3.11.

    -
      -
    • A 'tcpflags' option has been added to entries in /etc/shorewall/interfaces. -This option causes Shorewall to make a set of sanity check on TCP packet -header flags.
    • -
    • It is now allowed to use 'all' in the SOURCE or DEST column in -a rule. -When used, 'all' must appear by itself (in may not be qualified) and it does -not enable intra-zone traffic. For example, the rule
      -
      -     ACCEPT loc all tcp 80
      -
      - does not enable http traffic from 'loc' to 'loc'.
    • -
    • Shorewall's use of the 'echo' command is now compatible with -bash clones such as ash and dash.
    • -
    • fw->fw policies now generate a startup error. fw->fw rules -generate a warning and are ignored
    • -
    - -

    11/14/2002 - Shorewall Documentation in PDF Format -

    - -

    Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10 - documenation. the PDF may be downloaded from

    - +

    11/25/2002 - Shorewall 1.3.11 Documentation in PDF Format +

    + +

    Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.11 + documenation. the PDF may be downloaded from

    +

        ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
    -     http://slovakia.shorewall.net/pub/shorewall/pdf/
    -

    - -

    11/09/2002 - Shorewall is Back at SourceForge -

    +     http://slovakia.shorewall.net/pub/shorewall/pdf/
    +

    + +

    11/24/2002 - Shorewall 1.3.11  +

    + +

    In this version:

    + +
      +
    • A 'tcpflags' option has been added to entries in /etc/shorewall/interfaces. This +option causes Shorewall to make a set of sanity check on TCP packet header +flags.
    • +
    • It is now allowed to use 'all' in the SOURCE or DEST column + in a rule. When used, 'all' must +appear by itself (in may not be qualified) and it does not enable intra-zone +traffic. For example, the rule
      +
      +     ACCEPT loc all tcp 80
      +
      + does not enable http traffic from 'loc' to 'loc'.
    • +
    • Shorewall's use of the 'echo' command is now compatible with + bash clones such as ash and dash.
    • +
    • fw->fw policies now generate a startup error. fw->fw +rules generate a warning and are ignored
    • + +
    + +

    11/14/2002 - Shorewall Documentation in PDF Format +

    + +

    Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10 + documenation. the PDF may be downloaded from

    + +

        ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
    +     http://slovakia.shorewall.net/pub/shorewall/pdf/
    +

    + +

    11/09/2002 - Shorewall is Back at SourceForge +

    - +

    The main Shorewall web site is now back at SourceForge at http://shorewall.sf.net.
    -

    - - -

    11/09/2002 - Shorewall 1.3.10 -

    +

    - + +

    11/09/2002 - Shorewall 1.3.10 +

    + +

    In this version:

    - + - If you have installed the 1.3.10 Beta 1 RPM and are now upgrading - to version 1.3.10, you will need to use the '--force' option:
    - - -
    -
    rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm
    -
    + + If you have installed the 1.3.10 Beta 1 RPM and are now upgrading + to version 1.3.10, you will need to use the '--force' option:
    - + +
    + + +
    rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm
    +
    + +

    10/24/2002 - Shorewall is now in Gentoo Linux
    -

    - Alexandru Hartmann reports that his Shorewall package -is now a part of the Gentoo +

    + Alexandru Hartmann reports that his Shorewall package + is now a part of the Gentoo Linux distribution. Thanks Alex!
    - +

    10/23/2002 - Shorewall 1.3.10 Beta 1

    - In this version:
    + In this version:
    - + - You may download the Beta from:
    + You may download the Beta from:
    - + - -

    10/10/2002 -  Debian 1.3.9b Packages Available  -
    -

    + +

    10/10/2002 -  Debian 1.3.9b Packages Available  +
    +

    - +

    Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.

    - + +

    10/9/2002 - Shorewall 1.3.9b (New) -

    - This release rolls up fixes to the installer -and to the firewall script.
    -
    - 10/6/2002 - Shorewall.net now running on RH8.0 -

    + This release rolls up fixes to the installer + and to the firewall script.
    +
    + 10/6/2002 - Shorewall.net now running on RH8.0 +
    (New) -
    -
    - The firewall and server here at shorewall.net - are now running RedHat release 8.0.
    +

    +
    + The firewall and server here at shorewall.net + are now running RedHat release 8.0.
    - -

    9/30/2002 - Shorewall 1.3.9a -

    - Roles up the fix for broken tunnels.
    + +

    9/30/2002 - Shorewall 1.3.9a +

    + Roles up the fix for broken tunnels.
    - -

    9/30/2002 - TUNNELS Broken in 1.3.9!!! -

    - Brown Paper Bag - There is an updated firewall script at - 9/30/2002 - TUNNELS Broken in 1.3.9!!! +

    + Brown Paper Bag + There is an updated firewall script +at
    ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall - -- copy that file to /usr/lib/shorewall/firewall.
    + target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall + -- copy that file to /usr/lib/shorewall/firewall.
    - + +


    -

    +

    + + + + + +


    +

    + + + + + +


    + 9/28/2002 - Shorewall 1.3.9 
    +

    + -


    -

    - - - - -


    - 9/28/2002 - Shorewall 1.3.9 
    -

    - - - - -

    In this version:
    -

    +

    - +
      -
    • DNS Names are now - allowed in Shorewall config files (although I recommend against - using them).
    • -
    • The connection SOURCE -may now be qualified by both interface and IP address in -a Shorewall rule.
    • -
    • Shorewall startup is -now disabled after initial installation until the file -/etc/shorewall/startup_disabled is removed. This avoids nasty - surprises at reboot for users who install Shorewall but don't -configure it.
    • -
    • The 'functions' and 'version' - files and the 'firewall' symbolic link have been moved -from /var/lib/shorewall to /usr/lib/shorewall to appease -the LFS police at Debian.
      -
    • +
    • DNS Names are now + allowed in Shorewall config files (although I recommend +against using them).
    • +
    • The connection SOURCE + may now be qualified by both interface and IP address +in a Shorewall rule.
    • +
    • Shorewall startup +is now disabled after initial installation until the +file /etc/shorewall/startup_disabled is removed. This avoids + nasty surprises at reboot for users who install Shorewall + but don't configure it.
    • +
    • The 'functions' and +'version' files and the 'firewall' symbolic link have been + moved from /var/lib/shorewall to /usr/lib/shorewall to appease + the LFS police at Debian.
      +
    • - +
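Review bot: the 1.3.11a announcement in this hunk ends with "Current 1.3.11 users who don't need rules of this type need not upgrade to 1.3.11", which should read "need not upgrade to 1.3.11a"; as written it tells 1.3.11 users not to upgrade to the version they already run. The same hunk reflows several lines without correcting them: "make a set of sanity check on TCP packet header flags" (checks), "(in may not be qualified)" (it may not be qualified), "documenation. the PDF" in both PDF entries (documentation. The PDF), and "Roles up the fix" in the 1.3.9a entry (Rolls up). Since 'tcpflags' is a new /etc/shorewall/interfaces option, a pointer to where its sanity checks are documented would help readers decide whether to enable it.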
    @@ -414,7 +445,8 @@ the LFS police at Debian.
    - + +

    More News

    @@ -422,65 +454,66 @@ the LFS police at Debian.
    - -

    Donations

    - -
    M
    -
    -
    +

    Donations

    - + + M + + + + + + + +
    +
    + + + - - - + + - + + - - + + +
    +
    + -

    -  

    +  

    - -

    Shorewall is free but -if you try it and find it useful, please consider making a donation - to Shorewall is free +but if you try it and find it useful, please consider making a donation + to Starlight Children's Foundation. Thanks!

    -
    - -

    Updated 11/24/2002 - Tom Eastep - + +

    Updated 12/3/2002 - Tom Eastep +
    -

    -
    -
    -
    +

    diff --git a/STABLE/documentation/shoreline.htm b/STABLE/documentation/shoreline.htm index ddb722719..6a9cb3f2d 100644 --- a/STABLE/documentation/shoreline.htm +++ b/STABLE/documentation/shoreline.htm @@ -1,114 +1,116 @@ - + About the Shorewall Author - + - - + + - + - - - + + - - - + + + +
    - +
    +

    Tom Eastep

    -
    - +

    Tom on the PCT - 1991 -

    - +

    +

    Tarry & Tom -- August 2002
    -
    -

    - +
    +

    + - -

    I am currently a member of the design team for the next-generation - operating system from the NonStop Enterprise Division of HP.

    - -

    I became interested in Internet Security when I established a home office - in 1999 and had DSL service installed in our home. I investigated -ipchains and developed the scripts which are now collectively known as Seattle Firewall. Expanding - on what I learned from Seattle Firewall, I then designed and wrote - Shorewall.

    - -

    I telework from our home in Shoreline, - Washington where I live with my wife Tarry.

    - -

    Our current home network consists of:

    +
  • Married 1969 - no children.
  • -
      -
    • 1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB & 8GB IDE -HDs and LNE100TX (Tulip) NIC - My personal Windows system. Also has -RedHat 8.0 installed.
    • -
    • Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip) NIC - - My personal Linux System which runs Samba configured as a WINS server. - This system also has VMware installed - and can run both Debian Woody -and SuSE 8.1 in virtual machines.
    • -
    • K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC  - Mail - (Postfix & Courier-IMAP), HTTP (Apache), FTP (Pure_ftpd), DNS server - (Bind).
    • -
    • PII/233, RH8.0, 256MB MB RAM, 2GB SCSI HD - 3 LNE100TX  - (Tulip) and 1 TLAN NICs  - Firewall running Shorewall 1.3.9a  and a DHCP - server.  Also runs PoPToP for road warrior access.
    • -
    • Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - My wife's - personal system.
    • -
    • PII/400 Laptop, Win2k SP2, 224MB RAM, 12GB HD, onboard EEPRO100 - and EEPRO100 in expansion base and LinkSys WAC11 - My main work system.
    • -
    - + +

    I am currently a member of the design team for the next-generation + operating system from the NonStop Enterprise Division of HP.

    + +

    I became interested in Internet Security when I established a home office + in 1999 and had DSL service installed in our home. I investigated + ipchains and developed the scripts which are now collectively known as + Seattle Firewall. Expanding + on what I learned from Seattle Firewall, I then designed and wrote + Shorewall.

    + +

    I telework from our home in Shoreline, + Washington where I live with my wife Tarry.

    + +

    Our current home network consists of:

    + +
      +
    • 1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB & 8GB IDE + HDs and LNE100TX (Tulip) NIC - My personal Windows system. Also has +RedHat 8.0 installed.
    • +
    • Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip) +NIC - My personal Linux System which runs Samba configured as a WINS +server. This system also has VMware +installed and can run both Debian +Woody and SuSE 8.1 in virtual +machines.
    • +
    • K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC  - Mail + (Postfix & Courier-IMAP), HTTP (Apache), FTP (Pure_ftpd), DNS server + (Bind).
    • +
    • PII/233, RH8.0, 256MB MB RAM, 2GB SCSI HD - 3 LNE100TX  + (Tulip) and 1 TLAN NICs  - Firewall running Shorewall 1.3.11  and a DHCP + server.  Also runs PoPToP for road warrior access.
    • +
    • Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - My wife's + personal system.
    • +
    • PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB HD, onboard EEPRO100 + and EEPRO100 in expansion base and LinkSys WAC11 - My main work system.
    • + +
    +

    For more about our network see my Shorewall Configuration.

    - +

    All of our other systems are made by Compaq (part of the new HP).. All of our Tulip NICs are Netgear FA310TXs.

    - +

    - - - -

    - -

    Last updated 10/28/2002 - Tom Eastep

    - Copyright - © 2001, 2002 Thomas M. Eastep.
    +

    + +

    Last updated 11/24/2002 - +Tom Eastep

    + Copyright © 2001, 2002 Thomas M. Eastep.
    +



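Review bot: the hardware list in this hunk updates the firewall entry to "Shorewall 1.3.11" and the laptop to "WinXP SP1" but carries over "256MB MB RAM" (double "MB"), "1.2Gz" and "1.4Gz" (GHz) and the double period in "part of the new HP).."; worth fixing while these lines are being rewritten anyway.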
    diff --git a/STABLE/documentation/shorewall_quickstart_guide.htm b/STABLE/documentation/shorewall_quickstart_guide.htm index 88372508b..1b5b7144b 100644 --- a/STABLE/documentation/shorewall_quickstart_guide.htm +++ b/STABLE/documentation/shorewall_quickstart_guide.htm @@ -1,227 +1,231 @@ - + - + - + - + Shorewall QuickStart Guide - + - + - - - + + - - - + Version 3.1 + + + +
    - +
    +

    Shorewall QuickStart Guides
    - Version 3.1

    -
    - -

    With thanks to Richard who reminded me once again that we -must all first walk before we can run.

    - + +

    With thanks to Richard who reminded me once again that +we must all first walk before we can run.

    +

    The Guides

    - -

    These guides provide step-by-step instructions for configuring Shorewall - in common firewall setups.

    - + +

    These guides provide step-by-step instructions for configuring Shorewall + in common firewall setups.

    +

    The following guides are for users who have a single public IP address:

    - + - -

    The above guides are designed to get your first firewall up and running - quickly in the three most common Shorewall configurations.

    - -

    The Shorewall Setup Guide outlines - the steps necessary to set up a firewall where there are multiple public - IP addresses involved or if you want to learn more about Shorewall than - is explained in the single-address guides above.

    - + +

    The above guides are designed to get your first firewall up and running + quickly in the three most common Shorewall configurations.

    + +

    The Shorewall Setup Guide outlines + the steps necessary to set up a firewall where there are multiple +public IP addresses involved or if you want to learn more about Shorewall +than is explained in the single-address guides above.

    +
      -
    • 1.0 Introduction
    • -
    • 2.0 Shorewall +
    • 1.0 Introduction
    • +
    • 2.0 Shorewall Concepts
    • -
    • 3.0 Network +
    • 3.0 Network Interfaces
    • -
    • 4.0 Addressing, - Subnets and Routing +
    • 4.0 Addressing, + Subnets and Routing - + -
    • -
    • 5.0 Setting up -your Network +
    • +
    • 5.0 Setting up +your Network - + - +

      Documentation Index

      - -

      The following documentation covers a variety of topics and supplements - the QuickStart Guides described - above. Please review the appropriate guide before trying to use this + +

      The following documentation covers a variety of topics and supplements + the QuickStart Guides described + above. Please review the appropriate guide before trying to use this documentation directly.

      - + - +

      If you use one of these guides and have a suggestion for improvement please let me know.

      - -

      Last modified 11/19/2002 - Tom Eastep

      - + +

      Last modified 11/19/2002 - Tom Eastep

      +

      Copyright 2002 Thomas M. Eastep
      -

      +

      +
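Review bot: apart from relocating the "Version 3.1" line into the header block, this hunk is almost entirely re-wrapping of unchanged prose, which makes the real change hard to find in review; if the HTML editor reflows on save, consider committing content changes separately from whitespace changes. Leaving "Last modified 11/19/2002" untouched is consistent with there being no content change here.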
      diff --git a/STABLE/documentation/support.htm b/STABLE/documentation/support.htm index a278e2be4..9eb6dc0c2 100644 --- a/STABLE/documentation/support.htm +++ b/STABLE/documentation/support.htm @@ -1,85 +1,85 @@ - + - + - + - + Support - + - + - - - + + - - - + + + +
      - +
      +

      Shorewall Support

      -
      - -

      "It is -easier to post a problem than to use your own brain" -- "It +is easier to post a problem than to use your own brain" -- Wietse Venema (creator of Postfix)

      - -

      "Any sane computer will tell you how it works -- you just - have to ask it the right questions" -- Tom Eastep

      - + +

      "Any sane computer will tell you how it works -- you +just have to ask it the right questions" -- Tom Eastep

      +
      - -

      "It irks me when people believe that - free software comes at no cost. The cost is incredibly high." - - Wietse Venem
      -

      +

      "It irks me when people believe that + free software comes at no cost. The cost is incredibly high." + - Wietse Venem
      +

      +

      Before Reporting a Problem

      - "Reading the documentation fully is a prerequisite to getting help -for your particular situation. I know it's harsh but you will have to get -so far on your own before you can get reasonable help from a list full of -busy people. A mailing list is not a tool to speed up your day by being spoon -fed". -- Simon White
      - + "Reading the documentation fully is a prerequisite to getting help + for your particular situation. I know it's harsh but you will have to get + so far on your own before you can get reasonable help from a list full of + busy people. A mailing list is not a tool to speed up your day by being +spoon fed". -- Simon White
      +

      There are also a number of sources for problem solution information.

      - +
        -
      • The FAQ has solutions to common problems.
      • -
      • The Troubleshooting Information +
      • The FAQ has solutions to common problems.
      • +
      • The Troubleshooting Information contains a number of tips to help you solve common problems.
      • -
      • The Errata has links to download +
      • The Errata has links to download updated components.
      • -
      • The Mailing List Archives search facility can locate posts +
      • The Mailing List Archives search facility can locate posts about similar problems:
      • - +
      - -

      Mailing List Archive Search

      - -
      -

      Match: +

      Mailing List Archive Search

      + + + +

      Match: - Format: + Format: - Sort by: + Sort by: -
      - Search:

      - - + +

      Problem Reporting Guideline

      - +
        -
      • When reporting a problem, give as much information as you can. - Reports that say "I tried XYZ and it didn't work" are not at all helpful.
      • -
      • Please don't describe your environment and then ask us to send - you custom configuration files. We're here to answer your questions - but we can't do your job for you.
      • -
      • Do you see any "Shorewall" messages in /var/log/messages +
      • When reporting a problem, give as much information as you +can. Reports that say "I tried XYZ and it didn't work" are not at all +helpful.
      • +
      • Please don't describe your environment and then ask us to +send you custom configuration files. We're here to answer your +questions but we can't do your job for you.
      • +
      • Do you see any "Shorewall" messages in /var/log/messages when you exercise the function that is giving you problems?
      • -
      • Have you looked at the packet flow with a tool like tcpdump - to try to understand what is going on?
      • -
      • Have you tried using the diagnostic capabilities of the - application that isn't working? For example, if "ssh" isn't able -to connect, using the "-v" option gives you a lot of valuable diagnostic -information.
      • -
      • Please include any of the Shorewall configuration files (especially - the /etc/shorewall/hosts file if you have modified that file) that you - think are relevant. If an error occurs when you try to "shorewall start", - include a trace (See the Troubleshooting - section for instructions).
      • -
      • The list server limits posts to 120kb so don't post GIFs of -your network layout, etc to the Mailing List -- your post will -be rejected.
      • - +
      • Have you looked at the packet flow with a tool like tcpdump + to try to understand what is going on?
      • +
      • Have you tried using the diagnostic capabilities of the + application that isn't working? For example, if "ssh" isn't able + to connect, using the "-v" option gives you a lot of valuable diagnostic + information.
      • +
      • Please include any of the Shorewall configuration files (especially + the /etc/shorewall/hosts file if you have modified that file) that +you think are relevant. If an error occurs when you try to "shorewall +start", include a trace (See the Troubleshooting + section for instructions).
      • +
      • The list server limits posts to 120kb so don't post GIFs of + your network layout, etc to the Mailing List -- your post will + be rejected.
      • +
      - +

      Where to Send your Problem Report or to Ask for Help

      - If you run Shorewall on Mandrake 9.0 -- send your problem - reports and questions to MandrakeSoft. I ordered a Mandrake 9.0 boxed set - on October 3, 2002; MandrakeSoft issued a charge against my credit card -on October 4, 2002 (they are really effecient at that part of the order -process) and I haven't heard a word from them since (although their news -letters boast that 9.0 boxed sets have been shipping for the last two weeks). -If they can't fill my 9.0 order within 6 weeks after they have billed -my credit card then I refuse to spend my free time supporting of their -product for them.
      - -

      If you run Shorewall under Bering -- please - post your question or problem to the If you run Shorewall on Mandrake 9.0 -- send your problem + reports and questions to MandrakeSoft. I ordered a Mandrake 9.0 boxed set + on October 3, 2002; MandrakeSoft issued a charge against my credit card on + October 4, 2002 (they are very effecient at that part of the order process) + and I haven't heard a word from them since (although their news letters +boast that 9.0 boxed sets have been shipping for the last two weeks). If +they can't fill my 9.0 order within 6 weeks after they have billed my +credit card then I refuse to spend my free time supporting their product +for them.
      +
      +Mandrake Update - 11/26/2002 - Mandrake have informed me that "Your +order is part of a batch of which was not correctly sent to our shipping +handler, and so unfortunately was not processed". They further assure me +that these mishandled orders will begin shipping on 12/2/2002.
      + +

      If you run Shorewall under Bering -- please + post your question or problem to the LEAF Users mailing list.

      - +

      Otherwise, please post your question or problem to the Shorewall users mailing list; - there are lots of folks there who are willing to help you. Your question/problem - description and their responses will be placed in the mailing list archives - to help people who have a similar question or problem in the future.

      - -

      I don't look at problems sent to me directly but I try to spend some amount - of time each day responding to problems posted on the mailing list.

      - + href="mailto:shorewall-users@shorewall.net">Shorewall users mailing list; + there are lots of folks there who are willing to help you. Your question/problem + description and their responses will be placed in the mailing list archives + to help people who have a similar question or problem in the future.

      + +

      I don't look at problems sent to me directly but I try to spend some amount + of time each day responding to problems posted on the mailing list.

      +

      -Tom

      - +

      To Subscribe to the mailing list go to http://www.shorewall.net/mailman/listinfo/shorewall-users + href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users .

      - -

      Last Updated 11/19//2002 - Tom Eastep

      - + +

      Last Updated 12/2/2002 - Tom Eastep

      +

      Copyright © 2001, 2002 Thomas M. Eastep.
      -

      - +

      +
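Review bot: the third quotation in this hunk still attributes to "Wietse Venem" while the first spells "Wietse Venema" correctly; the truncated surname should be fixed in the added line. The Mandrake paragraph keeps "effecient" (efficient) through the rewrite. The date fix from "11/19//2002" to "12/2/2002" at the bottom of the hunk is good.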
      diff --git a/STABLE/documentation/troubleshoot.htm b/STABLE/documentation/troubleshoot.htm index 23bb7faf8..431461699 100644 --- a/STABLE/documentation/troubleshoot.htm +++ b/STABLE/documentation/troubleshoot.htm @@ -1,205 +1,212 @@ - + Shorewall Troubleshooting - + - + - + - - - - - - + + + + + +
      -

      Shorewall Troubleshooting

      -
      +

      Shorewall TroubleshootingBeating head on table +

      +
      - +

      Check the Errata

      - +

      Check the Shorewall Errata to be - sure that there isn't an update that you are missing for your version + sure that there isn't an update that you are missing for your version of the firewall.

      - +

      Check the FAQs

      - +

      Check the FAQs for solutions to common - problems.

      - + problems.

      +

      If the firewall fails to start

      - If you receive an error message when starting or restarting the firewall - and you can't determine the cause, then do the following: + If you receive an error message when starting or restarting the +firewall and you can't determine the cause, then do the following: + - +

      Your network environment

      - +

      Many times when people have problems with Shorewall, the problem is actually an ill-conceived network setup. Here are several popular snafus: -

      - +

      +
        -
      • Port Forwarding where client and server are in the same - subnet. See FAQ 2.
      • -
      • Changing the IP address of a local system to be in the external - subnet, thinking that Shorewall will suddenly believe that the system - is in the 'net' zone.
      • -
      • Multiple interfaces connected to the same HUB or Switch. Given -the way that the Linux kernel respond to ARP "who-has" requests, this -type of setup does NOT work the way that you expect it to.
      • - +
      • Port Forwarding where client and server are in the +same subnet. See FAQ 2.
      • +
      • Changing the IP address of a local system to be in the external + subnet, thinking that Shorewall will suddenly believe that the system + is in the 'net' zone.
      • +
      • Multiple interfaces connected to the same HUB or Switch. Given + the way that the Linux kernel respond to ARP "who-has" requests, this + type of setup does NOT work the way that you expect it to.
      • +
      - +

      If you are having connection problems:

      - +

      If the appropriate policy for the connection that you are - trying to make is ACCEPT, please DO NOT ADD ADDITIONAL ACCEPT RULES TRYING - TO MAKE IT WORK. Such additional rules will NEVER make it work, they add -clutter to your rule set and they represent a big security hole in the event -that you forget to remove them later.

      - + trying to make is ACCEPT, please DO NOT ADD ADDITIONAL ACCEPT RULES TRYING + TO MAKE IT WORK. Such additional rules will NEVER make it work, they add + clutter to your rule set and they represent a big security hole in the event + that you forget to remove them later.

      +

      I also recommend against setting all of your policies to ACCEPT in an effort to make something work. That robs you of one of - your best diagnostic tools - the "Shorewall" messages that Netfilter - will generate when you try to connect in a way that isn't permitted - by your rule set.

      - -

      Check your log. If you don't see Shorewall messages, then - your problem is probably NOT a Shorewall problem. If you DO see packet messages, - it may be an indication that you are missing one or more rules -- see FAQ 17.

      - + your best diagnostic tools - the "Shorewall" messages that Netfilter + will generate when you try to connect in a way that isn't permitted + by your rule set.

      + +

      Check your log ("/sbin/shorewall show log"). If you don't +see Shorewall messages, then your problem is probably NOT a Shorewall problem. +If you DO see packet messages, it may be an indication that you are missing +one or more rules -- see FAQ 17.

      +

      While you are troubleshooting, it is a good idea to clear - two variables in /etc/shorewall/shorewall.conf:

      - + two variables in /etc/shorewall/shorewall.conf:

      +

      LOGRATE=""
      - LOGBURST=""

      - + LOGBURST=""

      +

      This way, you will see all of the log messages being generated (be sure to restart shorewall after clearing these variables).

      - +

      Example:

      - +

      Jun 27 15:37:56 gateway kernel: Shorewall:all2all:REJECT:IN=eth2 OUT=eth1 SRC=192.168.2.2 DST=192.168.1.3 - LEN=67 TOS=0x00 PREC=0x00 TTL=63 ID=5805 DF PROTO=UDP SPT=1803 DPT=53 LEN=47

      -
      + LEN=67 TOS=0x00 PREC=0x00 TTL=63 ID=5805 DF PROTO=UDP SPT=1803 DPT=53 +LEN=47

      +

      Let's look at the important parts of this message:

      - +
        -
      • all2all:REJECT - This packet was REJECTed out of the all2all chain - -- the packet was rejected under the "all"->"all" REJECT policy (see - FAQ 17).
      • -
      • IN=eth2 - the packet entered the firewall via eth2
      • -
      • OUT=eth1 - if accepted, the packet would be sent on eth1
      • -
      • SRC=192.168.2.2 - the packet was sent by 192.168.2.2
      • -
      • DST=192.168.1.3 - the packet is destined for 192.168.1.3
      • -
      • PROTO=UDP - UDP Protocol
      • -
      • DPT=53 - DNS
      • - +
      • all2all:REJECT - This packet was REJECTed out of the all2all +chain -- the packet was rejected under the "all"->"all" REJECT policy +(see FAQ 17).
      • +
      • IN=eth2 - the packet entered the firewall via eth2
      • +
      • OUT=eth1 - if accepted, the packet would be sent on eth1
      • +
      • SRC=192.168.2.2 - the packet was sent by 192.168.2.2
      • +
      • DST=192.168.1.3 - the packet is destined for 192.168.1.3
      • +
      • PROTO=UDP - UDP Protocol
      • +
      • DPT=53 - DNS
      • +
      - +

      In this case, 192.168.2.2 was in the "dmz" zone and 192.168.1.3 - is in the "loc" zone. I was missing the rule:

      - -

      ACCEPT    dmz    loc    udp    53
      -

      - -

      See FAQ 17 for additional information -about how to interpret the chain name appearing in a Shorewall log message.
      -

      - -

      Other Gotchas

      - -