extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-20 17:58:07 +02:00
Code Issues Packages Projects Releases Wiki Activity

1.3.11 release changes

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@347 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2002-12-04 00:02:25 +00:00
parent a237911ebc
commit 1ad262c7cb
14 changed files with 3739 additions and 3589 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
STABLE/INSTALL
View File

@ -24,8 +24,12 @@ o Unpack the tarball
o cd to the shorewall-<version> directory o cd to the shorewall-<version> directory
o If you have an earlier version of Shoreline Firewall installed,see the o If you have an earlier version of Shoreline Firewall installed,see the
upgrade instructions below upgrade instructions below
o Edit the files policy, interfaces, rules, nat, proxyarp and masq to o Edit the configuration files to fit your environment.
fit your environment.
To do this, I strongly advise you to follow the instructions at:
http://shorewall.sf.net/shorewall_quickstart_guide.htm
o If you are using Caldera, Redhat, Mandrake, Corel, Slackware, SuSE or o If you are using Caldera, Redhat, Mandrake, Corel, Slackware, SuSE or
Debian, then type "./install.sh". Debian, then type "./install.sh".
o For other distributions, determine where your distribution installs o For other distributions, determine where your distribution installs

999
STABLE/documentation/FAQ.htm
View File

File diff suppressed because it is too large Load Diff

1320
STABLE/documentation/News.htm
View File

File diff suppressed because it is too large Load Diff

523
STABLE/documentation/download.htm
View File

@ -17,372 +17,385 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Download</font></h1> <h1 align="center"><font color="#ffffff">Shorewall Download</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p><b>I strongly urge you to read and print a copy of the <a <p><b>I strongly urge you to read and print a copy of the <a
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a> href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
for the configuration that most closely matches your own.</b></p> for the configuration that most closely matches your own.<br>
</b></p>
<p>Once you've done that, download <u> one</u> of the modules:</p> <p>The entire set of Shorewall documentation is also available in PDF format
at:</p>
<p>    <a href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
    <a href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a><br>
<br>
Once you've done that, download <u> one</u> of the modules:</p>
<ul> <ul>
<li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>, <b> <li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>, <b>
Linux PPC</b> or <b> TurboLinux</b> distribution with a Linux PPC</b> or <b> TurboLinux</b> distribution with
2.4 kernel, you can use the RPM version (note: the RPM should a 2.4 kernel, you can use the RPM version (note: the RPM
also work with other distributions that store init scripts should also work with other distributions that store init scripts
in /etc/init.d and that include chkconfig or insserv). If you in /etc/init.d and that include chkconfig or insserv). If you
find that it works in other cases, let <a find that it works in other cases, let <a
href="mailto:teastep@shorewall.net"> me</a> know so that href="mailto:teastep@shorewall.net"> me</a> know so that
I can mention them here. See the <a href="Install.htm">Installation Instructions</a> I can mention them here. See the <a href="Install.htm">Installation Instructions</a>
if you have problems installing the RPM.</li> if you have problems installing the RPM.</li>
<li>If you are running LRP, download the .lrp file (you might <li>If you are running LRP, download the .lrp file (you might
also want to download the .tgz so you will have a copy of the documentation).</li> also want to download the .tgz so you will have a copy of the documentation).</li>
<li>If you run <a href="http://www.debian.org"><b>Debian</b></a> <li>If you run <a href="http://www.debian.org"><b>Debian</b></a>
and would like a .deb package, Shorewall is in both the <a and would like a .deb package, Shorewall is in both the <a
href="http://packages.debian.org/testing/net/shorewall.html">Debian href="http://packages.debian.org/testing/net/shorewall.html">Debian Testing
Testing Branch</a> and the <a Branch</a> and the <a
href="http://packages.debian.org/unstable/net/shorewall.html">Debian href="http://packages.debian.org/unstable/net/shorewall.html">Debian
Unstable Branch</a>.</li> Unstable Branch</a>.</li>
<li>Otherwise, download the <i>shorewall</i> module <li>Otherwise, download the <i>shorewall</i> module
(.tgz)</li> (.tgz)</li>
</ul> </ul>
<p>The documentation in HTML format is included in the .tgz and .rpm files <p>The documentation in HTML format is included in the .tgz and .rpm files
and there is an documentation .deb that also contains the documentation.</p> and there is an documentation .deb that also contains the documentation.</p>
<p>Please verify the version that you have downloaded -- during the <p>Please verify the version that you have downloaded -- during the
release of a new version of Shorewall, the links below may point release of a new version of Shorewall, the links below may point
to a newer or an older version than is shown below.</p> to a newer or an older version than is shown below.</p>
<ul> <ul>
<li>RPM - "rpm -qip LATEST.rpm"</li> <li>RPM - "rpm -qip LATEST.rpm"</li>
<li>TARBALL - "tar -ztf LATEST.tgz" (the directory name will <li>TARBALL - "tar -ztf LATEST.tgz" (the directory name
contain the version)</li> will contain the version)</li>
<li>LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar -zxf <li>LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar -zxf
&lt;downloaded .lrp&gt;; cat var/lib/lrpkg/shorwall.version" </li> &lt;downloaded .lrp&gt;; cat var/lib/lrpkg/shorwall.version" </li>
</ul> </ul>
<p><font face="Arial">Once you have verified the version, check the <p><font face="Arial">Once you have verified the version, check the
</font><font color="#ff0000" face="Arial"> <a href="errata.htm"> errata</a></font><font </font><font color="#ff0000" face="Arial"> <a href="errata.htm"> errata</a></font><font
face="Arial"> to see if there are updates that apply to the version face="Arial"> to see if there are updates that apply to the version
that you have downloaded.</font></p> that you have downloaded.</font></p>
<p><font color="#ff0000" face="Arial"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY <p><font color="#ff0000" face="Arial"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY
INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed
configuration of your firewall, you can enable startup by removing the configuration of your firewall, you can enable startup by removing the
file /etc/shorewall/startup_disabled.</b></font></p> file /etc/shorewall/startup_disabled.</b></font></p>
<p><b>Download Latest Version</b> (<b>1.3.10</b>): <b>Remember that updates <p><b>Download Latest Version</b> (<b>1.3.11a</b>): <b>Remember that updates
to the mirrors occur 1-12 hours after an update to the primary site.</b></p> to the mirrors occur 1-12 hours after an update to the primary site.</b></p>
<blockquote> <blockquote>
<table border="2" cellspacing="3" cellpadding="3" <table border="2" cellspacing="3" cellpadding="3"
style="border-collapse: collapse;"> style="border-collapse: collapse;">
<tbody> <tbody>
<tr> <tr>
<td><b>SERVER LOCATION</b></td> <td><b>SERVER LOCATION</b></td>
<td><b>DOMAIN</b></td> <td><b>DOMAIN</b></td>
<td><b>HTTP</b></td> <td><b>HTTP</b></td>
<td><b>FTP</b></td> <td><b>FTP</b></td>
</tr> </tr>
<tr> <tr>
<td valign="top">SourceForge<br> <td valign="top">SourceForge<br>
</td> </td>
<td valign="top">sf.net<br> <td valign="top">sf.net<br>
</td> </td>
<td valign="top"><a <td valign="top"><a
href="http://sourceforge.net/project/showfiles.php?group_id=22587">Download</a><br> href="http://sourceforge.net/project/showfiles.php?group_id=22587">Download</a><br>
</td> </td>
<td valign="top"><br> <td valign="top"><br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td>Slovak Republic</td> <td>Slovak Republic</td>
<td>Shorewall.net</td> <td>Shorewall.net</td>
<td><a <td><a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br> href="http://slovakia.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br>
<a <a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.tgz">Download href="http://slovakia.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br> .tgz</a> <br>
<a <a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.lrp">Download href="http://slovakia.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><br> .lrp</a><br>
<a <a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.md5sums"> href="http://slovakia.shorewall.net/pub/shorewall/LATEST.md5sums">
Download.md5sums</a></td> Download.md5sums</a></td>
<td> <a target="_blank" <td> <a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.rpm">Download href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.rpm">Download
.rpm</a>  <br> .rpm</a>  <br>
<a target="_blank" <a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.tgz">Download href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.tgz">Download
.tgz</a> <br> .tgz</a> <br>
<a target="_blank" <a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.lrp">Download href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.lrp">Download
.rpm</a><br> .rpm</a><br>
<a <a
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.md5sums"> href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.md5sums">
Download.md5sums</a></td> Download.md5sums</a></td>
</tr> </tr>
<tr> <tr>
<td>Texas, USA</td> <td>Texas, USA</td>
<td>Infohiiway.com</td> <td>Infohiiway.com</td>
<td><a <td><a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.rpm">Download href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.rpm">Download
.rpm</a><br> .rpm</a><br>
<a <a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.tgz">Download href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br> .tgz</a> <br>
<a <a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.lrp">Download href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.lrp">Download
.lrp</a><br> .lrp</a><br>
<a <a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.md5sums"> href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.md5sums">
Download.md5sums</a></td> Download.md5sums</a></td>
<td> <a target="_blank" <td> <a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.rpm">Download .rpm</a>  <br> href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.rpm">Download .rpm</a>  <br>
<a target="_blank" <a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.tgz">Download href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br> .tgz</a> <br>
<a target="_blank" <a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.lrp"> Download href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.lrp"> Download
.lrp</a><br> .lrp</a><br>
<a <a
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.md5sums"> href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.md5sums">
Download.md5sums</a></td> Download.md5sums</a></td>
</tr> </tr>
<tr> <tr>
<td>Hamburg, Germany</td> <td>Hamburg, Germany</td>
<td>Shorewall.net</td> <td>Shorewall.net</td>
<td><a <td><a
href="http://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download href="http://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download
.rpm</a><br> .rpm</a><br>
<a <a
href="http://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download href="http://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a><br> .tgz</a><br>
<a <a
href="http://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download href="http://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><br> .lrp</a><br>
<a <a
href="http://germany.shorewall.net/pub/shorewall/LATEST.md5sums"> href="http://germany.shorewall.net/pub/shorewall/LATEST.md5sums">
Download.md5sums</a></td> Download.md5sums</a></td>
<td> <a target="_blank" <td> <a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download href="ftp://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download
.rpm</a>  <br> .rpm</a>  <br>
<a target="_blank" <a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download href="ftp://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.md5sums">Download
.md5sums</a></td>
</tr>
<tr>
<td>Martinez (Zona Norte - GBA), Argentina</td>
<td>Correofuego.com.ar</td>
<td> <a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
<a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
Download .lrp</a><br>
<a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums">Download
.md5sums</a></td>
<td> <a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
<a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
Download .lrp</a><br>
<a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums">Download
.md5sums</a></td>
</tr>
<tr>
<td>Paris, France</td>
<td>Shorewall.net</td>
<td><a href="http://france.shorewall.net/pub/LATEST.rpm">Download
.rpm</a><br>
<a href="http://france.shorewall.net/pub/LATEST.tgz">Download
.tgz</a> <br>
<a href="http://france.shorewall.net/pub/LATEST.lrp">Download
.lrp</a><br>
<a href="http://france.shorewall.net/pub/LATEST.md5sums">Download
.md5sums</a></td>
<td> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
<a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.md5sums">Download
.md5sums</a></td>
</tr>
<tr>
<td valign="middle">Washington State, USA<br>
</td>
<td valign="middle">Shorewall.net<br>
</td>
<td valign="top"><a
href="http://www.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br>
<a
href="http://www.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br> .tgz</a> <br>
<a <a target="_blank"
href="http://www.shorewall.net/pub/shorewall/LATEST.lrp">Download href="ftp://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><br> .lrp</a><br>
<a <a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.md5sums">Download
.md5sums</a></td>
</tr>
<tr>
<td>Martinez (Zona Norte - GBA), Argentina</td>
<td>Correofuego.com.ar</td>
<td> <a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
<a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
Download .lrp</a><br>
<a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums">Download
.md5sums</a></td>
<td> <a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
<a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
Download .lrp</a><br>
<a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums">Download
.md5sums</a></td>
</tr>
<tr>
<td>Paris, France</td>
<td>Shorewall.net</td>
<td><a
href="http://france.shorewall.net/pub/LATEST.rpm">Download .rpm</a><br>
<a href="http://france.shorewall.net/pub/LATEST.tgz">Download
.tgz</a> <br>
<a href="http://france.shorewall.net/pub/LATEST.lrp">Download
.lrp</a><br>
<a
href="http://france.shorewall.net/pub/LATEST.md5sums">Download
.md5sums</a></td>
<td> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
<a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.md5sums">Download
.md5sums</a></td>
</tr>
<tr>
<td valign="middle">Washington State, USA<br>
</td>
<td valign="middle">Shorewall.net<br>
</td>
<td valign="top"><a
href="http://www.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br>
<a
href="http://www.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a
href="http://www.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a
href="http://www.shorewall.net/pub/shorewall/LATEST.md5sums">Download href="http://www.shorewall.net/pub/shorewall/LATEST.md5sums">Download
.md5sums</a><br> .md5sums</a><br>
</td> </td>
<td valign="top"><a <td valign="top"><a
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.rpm" target="_blank"> href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.rpm" target="_blank">
Download .rpm</a> <br> Download .rpm</a> <br>
<a <a
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.tgz" target="_blank">Download href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.tgz" target="_blank">Download
.tgz</a> <br> .tgz</a> <br>
<a <a
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.lrp" target="_blank">Download href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.lrp" target="_blank">Download
.lrp</a><br> .lrp</a><br>
<a target="_blank" <a target="_blank"
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.md5sums">Download href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.md5sums">Download
.md5sums</a><br> .md5sums</a><br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
<p align="left"><b>Documentation in PDF format:</b><br> <p align="left"><b>Documentation in PDF format:</b><br>
</p> </p>
<blockquote> <blockquote>
<p>Juraj Ontkanin has produced a Portable Document Format (PDF) file containing <p>Juraj Ontkanin has produced a Portable Document Format (PDF) file containing
the Shorewall 1.3.10 documenation (the documentation in HTML format is included the Shorewall 1.3.10 documenation (the documentation in HTML format is included
in the .rpm and in the .tgz). The .pdf may be downloaded from</p> in the .rpm and in the .tgz). The .pdf may be downloaded from</p>
</blockquote> </blockquote>
<blockquote> <blockquote>
<blockquote><a <blockquote><a
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/"
target="_self">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><a target="_self">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><a
href="http://slovakia.shorewall.net/pub/shorewall/pdf/"><br> href="http://slovakia.shorewall.net/pub/shorewall/pdf/"><br>
http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br> http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
</blockquote> </blockquote>
</blockquote> </blockquote>
<p><b>Browse Download Sites:</b></p> <p><b>Browse Download Sites:</b></p>
<blockquote> <blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;"> <table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody> <tbody>
<tr> <tr>
<td><b>SERVER LOCATION</b></td> <td><b>SERVER LOCATION</b></td>
<td><b>DOMAIN</b></td> <td><b>DOMAIN</b></td>
<td><b>HTTP</b></td> <td><b>HTTP</b></td>
<td><b>FTP</b></td> <td><b>FTP</b></td>
</tr> </tr>
<tr> <tr>
<td>SourceForge<br> <td>SourceForge<br>
</td> </td>
<td>sf.net</td> <td>sf.net</td>
<td><a <td><a
href="http://sourceforge.net/project/showfiles.php?group_id=22587">Browse</a></td> href="http://sourceforge.net/project/showfiles.php?group_id=22587">Browse</a></td>
<td>N/A</td> <td>N/A</td>
</tr> </tr>
<tr> <tr>
<td>Slovak Republic</td> <td>Slovak Republic</td>
<td>Shorewall.net</td> <td>Shorewall.net</td>
<td><a <td><a
href="http://slovakia.shorewall.net/pub/shorewall/">Browse</a></td> href="http://slovakia.shorewall.net/pub/shorewall/">Browse</a></td>
<td> <a target="_blank" <td> <a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/">Browse</a></td> href="ftp://slovakia.shorewall.net/mirror/shorewall/">Browse</a></td>
</tr> </tr>
<tr> <tr>
<td>Texas, USA</td> <td>Texas, USA</td>
<td>Infohiiway.com</td> <td>Infohiiway.com</td>
<td><a <td><a
href="http://shorewall.infohiiway.com/pub/shorewall">Browse</a></td> href="http://shorewall.infohiiway.com/pub/shorewall">Browse</a></td>
<td><a target="_blank" <td><a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/">Browse</a></td> href="ftp://ftp.infohiiway.com/pub/shorewall/">Browse</a></td>
</tr> </tr>
<tr> <tr>
<td>Hamburg, Germany</td> <td>Hamburg, Germany</td>
<td>Shorewall.net</td> <td>Shorewall.net</td>
<td><a href="http://germany.shorewall.net/pub/shorewall/">Browse</a></td> <td><a
<td><a target="_blank" href="http://germany.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall">Browse</a></td> href="ftp://germany.shorewall.net/pub/shorewall">Browse</a></td>
</tr> </tr>
<tr> <tr>
<td>Martinez (Zona Norte - GBA), Argentina</td> <td>Martinez (Zona Norte - GBA), Argentina</td>
<td>Correofuego.com.ar</td> <td>Correofuego.com.ar</td>
<td><a <td><a
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall">Browse</a></td> href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall">Browse</a></td>
<td> <a target="_blank" <td> <a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall"> Browse</a></td> href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall"> Browse</a></td>
</tr> </tr>
<tr> <tr>
<td>France</td> <td>France</td>
<td>Shorewall.net</td> <td>Shorewall.net</td>
<td><a <td><a
href="http://france.shorewall.net/pub/shorewall/LATEST.lrp">Browse</a></td> href="http://france.shorewall.net/pub/shorewall/LATEST.lrp">Browse</a></td>
<td> <a target="_blank" <td> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/">Browse</a></td> href="ftp://france.shorewall.net/pub/mirrors/shorewall/">Browse</a></td>
</tr> </tr>
<tr> <tr>
<td>Washington State, USA</td> <td>Washington State, USA</td>
<td>Shorewall.net</td> <td>Shorewall.net</td>
<td><a href="http://www.shorewall.net/pub/shorewall/">Browse</a></td> <td><a href="http://www.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a href="ftp://ftp.shorewall.net/pub/shorewall/" <td><a href="ftp://ftp.shorewall.net/pub/shorewall/"
target="_blank">Browse</a></td> target="_blank">Browse</a></td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
<p align="left"><b>CVS:</b></p> <p align="left"><b>CVS:</b></p>
<blockquote> <blockquote>
<p align="left">The <a target="_top" <p align="left">The <a target="_top"
href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi">CVS repository at href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi">CVS repository at
cvs.shorewall.net</a> contains the latest snapshots of the each Shorewall cvs.shorewall.net</a> contains the latest snapshots of the each Shorewall
component. There's no guarantee that what you find there will work at component. There's no guarantee that what you find there will work at
all.<br> all.<br>
</p> </p>
</blockquote> </blockquote>
<p align="left"><b></b><font size="2">Last Updated 11/11/2002 - <a <p align="left"><font size="2">Last Updated 12/3/2002 - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br> <br>
<br>
<br> <br>
<br> <br>
<br> <br>

544
STABLE/documentation/errata.htm
View File

@ -6,6 +6,7 @@
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shorewall 1.3 Errata</title> <title>Shorewall 1.3 Errata</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
@ -17,13 +18,13 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1> <h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
@ -31,83 +32,113 @@
<p align="center"> <b><u>IMPORTANT</u></b></p> <p align="center"> <b><u>IMPORTANT</u></b></p>
<ol> <ol>
<li> <li>
<p align="left"> <b><u>I</u>f you use a Windows system to download <p align="left"> <b><u>I</u>f you use a Windows system to download
a corrected script, be sure to run the script through <u> a corrected script, be sure to run the script through <u>
<a href="http://www.megaloman.com/%7Ehany/software/hd2u/" <a href="http://www.megaloman.com/%7Ehany/software/hd2u/"
style="text-decoration: none;"> dos2unix</a></u> after you have moved style="text-decoration: none;"> dos2unix</a></u> after you have moved
it to your Linux system.</b></p> it to your Linux system.</b></p>
</li> </li>
<li> <li>
<p align="left"> <b>If you are installing Shorewall for the
first time and plan to use the .tgz and install.sh script, you can <p align="left"> <b>If you are installing Shorewall for the first
untar the archive, replace the 'firewall' script in the untarred directory time and plan to use the .tgz and install.sh script, you can untar
with the one you downloaded below, and then run install.sh.</b></p> the archive, replace the 'firewall' script in the untarred directory
</li> with the one you downloaded below, and then run install.sh.</b></p>
<li> </li>
<li>
<p align="left"> <b>When the instructions say to install a corrected <p align="left"> <b>When the instructions say to install a corrected
firewall script in /etc/shorewall/firewall, /usr/lib/shorewall/firewall firewall script in /etc/shorewall/firewall, /usr/lib/shorewall/firewall
or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to overwrite or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to overwrite
the existing file. DO NOT REMOVE OR RENAME THE OLD /etc/shorewall/firewall the existing file. DO NOT REMOVE OR RENAME THE OLD /etc/shorewall/firewall
or /var/lib/shorewall/firewall before you do that. /etc/shorewall/firewall or /var/lib/shorewall/firewall before you do that. /etc/shorewall/firewall
and /var/lib/shorewall/firewall are symbolic links that point and /var/lib/shorewall/firewall are symbolic links that point
to the 'shorewall' file used by your system initialization scripts to the 'shorewall' file used by your system initialization scripts
to start Shorewall during boot. It is that file that must be overwritten to start Shorewall during boot. It is that file that must be overwritten
with the corrected script.</b></p> with the corrected script.</b></p>
</li> </li>
<li> <li>
<p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS <p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. For ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. For
example, do NOT install the 1.3.9a firewall script if you are running 1.3.7c.</font></b><br> example, do NOT install the 1.3.9a firewall script if you are running 1.3.7c.</font></b><br>
</p> </p>
</li> </li>
</ol> </ol>
<ul> <ul>
<li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li> <li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
<li> <b><a href="#V1.3">Problems in <li> <b><a href="#V1.3">Problems
Version 1.3</a></b></li> in Version 1.3</a></b></li>
<li> <b><a href="errata_2.htm">Problems <li> <b><a href="errata_2.htm">Problems
in Version 1.2</a></b></li> in Version 1.2</a></b></li>
<li> <b><font color="#660066"> <a <li> <b><font color="#660066">
href="errata_1.htm">Problems in Version 1.1</a></font></b></li> <a href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
<li> <b><font color="#660066"><a <li> <b><font color="#660066"><a
href="#iptables"> Problem with iptables version 1.2.3 on RH7.2</a></font></b></li> href="#iptables"> Problem with iptables version 1.2.3 on RH7.2</a></font></b></li>
<li> <b><a href="#Debug">Problems <li> <b><a href="#Debug">Problems
with kernels &gt;= 2.4.18 and RedHat iptables</a></b></li> with kernels &gt;= 2.4.18 and RedHat iptables</a></b></li>
<li><b><a href="#SuSE">Problems installing/upgrading RPM on SuSE</a></b></li> <li><b><a href="#SuSE">Problems installing/upgrading RPM on
<li><b><a href="#Multiport">Problems with iptables version 1.2.7 SuSE</a></b></li>
and MULTIPORT=Yes</a></b></li> <li><b><a href="#Multiport">Problems with iptables version
<li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10 and NAT</a></b><br> 1.2.7 and MULTIPORT=Yes</a></b></li>
</li> <li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10 and NAT</a></b><br>
</li>
</ul> </ul>
<hr> <hr>
<h2 align="left"><a name="V1.3"></a>Problems in Version 1.3</h2> <h2 align="left"><a name="V1.3"></a>Problems in Version 1.3</h2>
<h3>Version 1.3.11</h3>
<ul>
<li>When installing/upgrading using the .rpm, you may receive the following
warnings:<br>
<br>
     user teastep does not exist - using root<br>
     group teastep does not exist - using root<br>
<br>
These warnings are harmless and may be ignored. Users downloading the .rpm
from shorewall.net or mirrors should no longer see these warnings as the
.rpm you will get from there has been corrected.</li>
<li>DNAT rules that exclude a source subzone (SOURCE column contains !
followed by a sub-zone list) result in an error message and Shorewall fails
to start.<br>
<br>
Install <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.11/firewall">this
corrected script</a> in /usr/lib/shorewall/firewall to correct this problem.
Thanks go to Roger Aich who analyzed this problem and provided a fix.<br>
<br>
This problem is corrected in version 1.3.11a.<br>
</li>
</ul>
<h3>Version 1.3.10</h3> <h3>Version 1.3.10</h3>
<ul> <ul>
<li>If you experience problems connecting to a PPTP server running on <li>If you experience problems connecting to a PPTP server running
your firewall and you have a 'pptpserver' entry in /etc/shorewall/tunnels, on your firewall and you have a 'pptpserver' entry in /etc/shorewall/tunnels,
<a <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.10/firewall">this href="http://www.shorewall.net/pub/shorewall/errata/1.3.10/firewall">this
version of the firewall script</a> may help. Please report any cases where version of the firewall script</a> may help. Please report any cases where
installing this script in /usr/lib/shorewall/firewall solved your connection installing this script in /usr/lib/shorewall/firewall solved your connection
problems. Beginning with version 1.3.10, it is safe to save the old version problems. Beginning with version 1.3.10, it is safe to save the old version
of /usr/lib/shorewall/firewall before copying in the new one since /usr/lib/shorewall/firewall of /usr/lib/shorewall/firewall before copying in the new one since /usr/lib/shorewall/firewall
is the real script now and not just a symbolic link to the real script.<br> is the real script now and not just a symbolic link to the real script.<br>
</li> </li>
</ul> </ul>
<h3>Version 1.3.9a</h3> <h3>Version 1.3.9a</h3>
<ul> <ul>
<li> If entries are used in /etc/shorewall/hosts and MERGE_HOSTS=No then <li> If entries are used in /etc/shorewall/hosts and MERGE_HOSTS=No
the following message appears during "shorewall [re]start":</li> then the following message appears during "shorewall [re]start":</li>
</ul> </ul>
@ -116,283 +147,283 @@ is the real script now and not just a symbolic link to the real script.<br>
<blockquote> The updated firewall script at <a <blockquote> The updated firewall script at <a
href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall" href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a> target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
corrects this problem.Copy the script to /usr/lib/shorewall/firewall as described corrects this problem.Copy the script to /usr/lib/shorewall/firewall as
above.<br> described above.<br>
</blockquote> </blockquote>
<blockquote> Alternatively, edit /usr/lob/shorewall/firewall and change the <blockquote> Alternatively, edit /usr/lob/shorewall/firewall and change the
single occurence (line 483 in version 1.3.9a) of 'recalculate_interefacess' single occurence (line 483 in version 1.3.9a) of 'recalculate_interefacess'
to 'recalculate_interface'. <br> to 'recalculate_interface'. <br>
</blockquote> </blockquote>
<ul> <ul>
<li>The installer (install.sh) issues a misleading message "Common functions <li>The installer (install.sh) issues a misleading message "Common
installed in /var/lib/shorewall/functions" whereas the file is installed functions installed in /var/lib/shorewall/functions" whereas the file is
in /usr/lib/shorewall/functions. The installer also performs incorrectly installed in /usr/lib/shorewall/functions. The installer also performs incorrectly
when updating old configurations that had the file /etc/shorewall/functions. when updating old configurations that had the file /etc/shorewall/functions.
<a <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.3.9/install.sh">Here href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.3.9/install.sh">Here
is an updated version that corrects these problems.<br> is an updated version that corrects these problems.<br>
</a></li> </a></li>
</ul> </ul>
<h3>Version 1.3.9</h3> <h3>Version 1.3.9</h3>
<b>TUNNELS Broken in 1.3.9!!! </b>There is an updated firewall script <b>TUNNELS Broken in 1.3.9!!! </b>There is an updated firewall script
at <a at <a
href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall" href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a> target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
-- copy that file to /usr/lib/shorewall/firewall as described above.<br> -- copy that file to /usr/lib/shorewall/firewall as described above.<br>
<br> <br>
Version 1.3.8 Version 1.3.8
<ul> <ul>
<li> Use of shell variables in the LOG LEVEL or SYNPARMS columns <li> Use of shell variables in the LOG LEVEL or SYNPARMS columns
of the policy file doesn't work.</li> of the policy file doesn't work.</li>
<li>A DNAT rule with the same original and new IP addresses but <li>A DNAT rule with the same original and new IP addresses but
with different port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24 with different port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24
tcp 25 - 10.1.1.1")<br> tcp 25 - 10.1.1.1")<br>
</li> </li>
</ul> </ul>
Installing <a Installing <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.8/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.8/firewall">
this corrected firewall script</a> in /var/lib/shorewall/firewall this corrected firewall script</a> in /var/lib/shorewall/firewall
as described above corrects these problems. as described above corrects these problems.
<h3>Version 1.3.7b</h3> <h3>Version 1.3.7b</h3>
<p>DNAT rules where the source zone is 'fw' ($FW) <p>DNAT rules where the source zone is 'fw' ($FW)
result in an error message. Installing result in an error message. Installing
<a <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
this corrected firewall script</a> in /var/lib/shorewall/firewall this corrected firewall script</a> in /var/lib/shorewall/firewall
as described above corrects this problem.</p> as described above corrects this problem.</p>
<h3>Version 1.3.7a</h3> <h3>Version 1.3.7a</h3>
<p>"shorewall refresh" is not creating the proper <p>"shorewall refresh" is not creating the proper
rule for FORWARDPING=Yes. Consequently, after rule for FORWARDPING=Yes. Consequently, after
"shorewall refresh", the firewall will not forward "shorewall refresh", the firewall will not forward
icmp echo-request (ping) packets. Installing icmp echo-request (ping) packets. Installing
<a <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
this corrected firewall script</a> in /var/lib/shorewall/firewall this corrected firewall script</a> in /var/lib/shorewall/firewall
as described above corrects this problem.</p> as described above corrects this problem.</p>
<h3>Version &lt;= 1.3.7a</h3> <h3>Version &lt;= 1.3.7a</h3>
<p>If "norfc1918" and "dhcp" are both specified as <p>If "norfc1918" and "dhcp" are both specified as
options on a given interface then RFC 1918 options on a given interface then RFC 1918
checking is occurring before DHCP checking. This checking is occurring before DHCP checking. This
means that if a DHCP client broadcasts using an means that if a DHCP client broadcasts using an
RFC 1918 source address, then the firewall will RFC 1918 source address, then the firewall will
reject the broadcast (usually logging it). This reject the broadcast (usually logging it). This
has two problems:</p> has two problems:</p>
<ol> <ol>
<li>If the firewall is running a <li>If the firewall is running
DHCP server, the client won't be able a DHCP server, the client won't be
to obtain an IP address lease from that able to obtain an IP address lease
server.</li> from that server.</li>
<li>With this order of checking, <li>With this order of checking,
the "dhcp" option cannot be used as a the "dhcp" option cannot be used as
noise-reduction measure where there are a noise-reduction measure where there
both dynamic and static clients on a LAN are both dynamic and static clients
segment.</li> on a LAN segment.</li>
</ol> </ol>
<p> <a <p> <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
This version of the 1.3.7a firewall script </a> This version of the 1.3.7a firewall script </a>
corrects the problem. It must be installed corrects the problem. It must be installed
in /var/lib/shorewall as described above.</p> in /var/lib/shorewall as described above.</p>
<h3>Version 1.3.7</h3> <h3>Version 1.3.7</h3>
<p>Version 1.3.7 dead on arrival -- please use <p>Version 1.3.7 dead on arrival -- please use
version 1.3.7a and check your version against version 1.3.7a and check your version against
these md5sums -- if there's a difference, please these md5sums -- if there's a difference, please
download again.</p> download again.</p>
<pre> d2fffb7fb99bcc6cb047ea34db1df10 shorewall-1.3.7a.tgz<br> 6a7fd284c8685b2b471a2f47b469fb94 shorewall-1.3.7a-1.noarch.rpm<br> 3decd14296effcff16853106771f7035 shorwall-1.3.7a.lrp</pre> <pre> d2fffb7fb99bcc6cb047ea34db1df10 shorewall-1.3.7a.tgz<br> 6a7fd284c8685b2b471a2f47b469fb94 shorewall-1.3.7a-1.noarch.rpm<br> 3decd14296effcff16853106771f7035 shorwall-1.3.7a.lrp</pre>
<p>In other words, type "md5sum &lt;<i>whatever package you downloaded</i>&gt; <p>In other words, type "md5sum &lt;<i>whatever package you downloaded</i>&gt;
and compare the result with what you see above.</p> and compare the result with what you see above.</p>
<p>I'm embarrassed to report that 1.2.7 was also DOA -- maybe I'll skip the <p>I'm embarrassed to report that 1.2.7 was also DOA -- maybe I'll skip the
.7 version in each sequence from now on.</p> .7 version in each sequence from now on.</p>
<h3 align="left">Version 1.3.6</h3> <h3 align="left">Version 1.3.6</h3>
<ul> <ul>
<li> <li>
<p align="left">If ADD_SNAT_ALIASES=Yes is specified in /etc/shorewall/shorewall.conf, <p align="left">If ADD_SNAT_ALIASES=Yes is specified in /etc/shorewall/shorewall.conf,
an error occurs when the firewall script attempts to add an an error occurs when the firewall script attempts to add an
SNAT alias. </p> SNAT alias. </p>
</li> </li>
<li> <li>
<p align="left">The <b>logunclean </b>and <b>dropunclean</b> options <p align="left">The <b>logunclean </b>and <b>dropunclean</b> options
cause errors during startup when Shorewall is run with iptables cause errors during startup when Shorewall is run with iptables
1.2.7. </p> 1.2.7. </p>
</li> </li>
</ul> </ul>
<p align="left">These problems are fixed in <a <p align="left">These problems are fixed in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
this correct firewall script</a> which must be installed in this correct firewall script</a> which must be installed in
/var/lib/shorewall/ as described above. These problems are also /var/lib/shorewall/ as described above. These problems are also
corrected in version 1.3.7.</p> corrected in version 1.3.7.</p>
<h3 align="left">Two-interface Samples 1.3.6 (file two-interfaces.tgz)</h3> <h3 align="left">Two-interface Samples 1.3.6 (file two-interfaces.tgz)</h3>
<p align="left">A line was inadvertently deleted from the "interfaces <p align="left">A line was inadvertently deleted from the "interfaces
file" -- this line should be added back in if the version that you file" -- this line should be added back in if the version that you
downloaded is missing it:</p> downloaded is missing it:</p>
<p align="left">net    eth0    detect    routefilter,dhcp,norfc1918</p> <p align="left">net    eth0    detect    routefilter,dhcp,norfc1918</p>
<p align="left">If you downloaded two-interfaces-a.tgz then the above <p align="left">If you downloaded two-interfaces-a.tgz then the above
line should already be in the file.</p> line should already be in the file.</p>
<h3 align="left">Version 1.3.5-1.3.5b</h3> <h3 align="left">Version 1.3.5-1.3.5b</h3>
<p align="left">The new 'proxyarp' interface option doesn't work :-( <p align="left">The new 'proxyarp' interface option doesn't work :-(
This is fixed in <a This is fixed in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">
this corrected firewall script</a> which must be installed in this corrected firewall script</a> which must be installed in
/var/lib/shorewall/ as described above.</p> /var/lib/shorewall/ as described above.</p>
<h3 align="left">Versions 1.3.4-1.3.5a</h3> <h3 align="left">Versions 1.3.4-1.3.5a</h3>
<p align="left">Prior to version 1.3.4, host file entries such as the <p align="left">Prior to version 1.3.4, host file entries such as the
following were allowed:</p> following were allowed:</p>
<div align="left"> <div align="left">
<pre> adm eth0:1.2.4.5,eth0:5.6.7.8</pre> <pre> adm eth0:1.2.4.5,eth0:5.6.7.8</pre>
</div> </div>
<div align="left"> <div align="left">
<p align="left">That capability was lost in version 1.3.4 so that it is only <p align="left">That capability was lost in version 1.3.4 so that it is only
possible to  include a single host specification on each line. This possible to  include a single host specification on each line. This
problem is corrected by <a problem is corrected by <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.5a/firewall">this href="http://www.shorewall.net/pub/shorewall/errata/1.3.5a/firewall">this
modified 1.3.5a firewall script</a>. Install the script in /var/lib/pub/shorewall/firewall modified 1.3.5a firewall script</a>. Install the script in /var/lib/pub/shorewall/firewall
as instructed above.</p> as instructed above.</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left">This problem is corrected in version 1.3.5b.</p> <p align="left">This problem is corrected in version 1.3.5b.</p>
</div> </div>
<h3 align="left">Version 1.3.5</h3> <h3 align="left">Version 1.3.5</h3>
<p align="left">REDIRECT rules are broken in this version. Install <p align="left">REDIRECT rules are broken in this version. Install
<a <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">
this corrected firewall script</a> in /var/lib/pub/shorewall/firewall this corrected firewall script</a> in /var/lib/pub/shorewall/firewall
as instructed above. This problem is corrected in version as instructed above. This problem is corrected in version
1.3.5a.</p> 1.3.5a.</p>
<h3 align="left">Version 1.3.n, n &lt; 4</h3> <h3 align="left">Version 1.3.n, n &lt; 4</h3>
<p align="left">The "shorewall start" and "shorewall restart" commands <p align="left">The "shorewall start" and "shorewall restart" commands
to not verify that the zones named in the /etc/shorewall/policy to not verify that the zones named in the /etc/shorewall/policy file
file have been previously defined in the /etc/shorewall/zones have been previously defined in the /etc/shorewall/zones file.
file. The "shorewall check" command does perform this verification The "shorewall check" command does perform this verification so
so it's a good idea to run that command after you have made configuration it's a good idea to run that command after you have made configuration
changes.</p> changes.</p>
<h3 align="left">Version 1.3.n, n &lt; 3</h3> <h3 align="left">Version 1.3.n, n &lt; 3</h3>
<p align="left">If you have upgraded from Shorewall 1.2 and after <p align="left">If you have upgraded from Shorewall 1.2 and after
"Activating rules..." you see the message: "iptables: No chains/target/match "Activating rules..." you see the message: "iptables: No chains/target/match
by that name" then you probably have an entry in /etc/shorewall/hosts by that name" then you probably have an entry in /etc/shorewall/hosts
that specifies an interface that you didn't include in /etc/shorewall/interfaces. that specifies an interface that you didn't include in /etc/shorewall/interfaces.
To correct this problem, you must add an entry to /etc/shorewall/interfaces. To correct this problem, you must add an entry to /etc/shorewall/interfaces.
Shorewall 1.3.3 and later versions produce a clearer error Shorewall 1.3.3 and later versions produce a clearer error
message in this case.</p> message in this case.</p>
<h3 align="left">Version 1.3.2</h3> <h3 align="left">Version 1.3.2</h3>
<p align="left">Until approximately 2130 GMT on 17 June 2002, the <p align="left">Until approximately 2130 GMT on 17 June 2002, the
download sites contained an incorrect version of the .lrp file. That download sites contained an incorrect version of the .lrp file. That
file can be identified by its size (56284 bytes). The correct file can be identified by its size (56284 bytes). The correct version
version has a size of 38126 bytes.</p> has a size of 38126 bytes.</p>
<ul> <ul>
<li>The code to detect a duplicate interface entry in <li>The code to detect a duplicate interface entry
/etc/shorewall/interfaces contained a typo that prevented it in /etc/shorewall/interfaces contained a typo that prevented
from working correctly. </li> it from working correctly. </li>
<li>"NAT_BEFORE_RULES=No" was broken; it behaved just <li>"NAT_BEFORE_RULES=No" was broken; it behaved
like "NAT_BEFORE_RULES=Yes".</li> just like "NAT_BEFORE_RULES=Yes".</li>
</ul> </ul>
<p align="left">Both problems are corrected in <a <p align="left">Both problems are corrected in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/firewall">
this script</a> which should be installed in <b><u>/var/lib/shorewall</u></b> this script</a> which should be installed in <b><u>/var/lib/shorewall</u></b>
as described above.</p> as described above.</p>
<ul> <ul>
<li> <li>
<p align="left">The IANA have just announced the allocation of subnet <p align="left">The IANA have just announced the allocation of subnet
221.0.0.0/8. This <a 221.0.0.0/8. This <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/rfc1918"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/rfc1918">
updated rfc1918</a> file reflects that allocation.</p> updated rfc1918</a> file reflects that allocation.</p>
</li> </li>
</ul> </ul>
<h3 align="left">Version 1.3.1</h3> <h3 align="left">Version 1.3.1</h3>
<ul> <ul>
<li>TCP SYN packets may be double counted when <li>TCP SYN packets may be double counted when
LIMIT:BURST is included in a CONTINUE or ACCEPT policy (i.e., each LIMIT:BURST is included in a CONTINUE or ACCEPT policy (i.e., each
packet is sent through the limit chain twice).</li> packet is sent through the limit chain twice).</li>
<li>An unnecessary jump to the policy chain is sometimes <li>An unnecessary jump to the policy chain is sometimes
generated for a CONTINUE policy.</li> generated for a CONTINUE policy.</li>
<li>When an option is given for more than one interface <li>When an option is given for more than one interface
in /etc/shorewall/interfaces then depending on the option, in /etc/shorewall/interfaces then depending on the option,
Shorewall may ignore all but the first appearence of the Shorewall may ignore all but the first appearence of the
option. For example:<br> option. For example:<br>
<br> <br>
net    eth0    dhcp<br> net    eth0    dhcp<br>
loc    eth1    dhcp<br> loc    eth1    dhcp<br>
<br> <br>
Shorewall will ignore the 'dhcp' on eth1.</li> Shorewall will ignore the 'dhcp' on eth1.</li>
<li>Update 17 June 2002 - The bug described in the prior <li>Update 17 June 2002 - The bug described in the
bullet affects the following options: dhcp, dropunclean, logunclean, prior bullet affects the following options: dhcp, dropunclean,
norfc1918, routefilter, multi, filterping and noping. An logunclean, norfc1918, routefilter, multi, filterping and
additional bug has been found that affects only the 'routestopped' noping. An additional bug has been found that affects only
option.<br> the 'routestopped' option.<br>
<br> <br>
Users who downloaded the corrected script prior to 1850 Users who downloaded the corrected script prior to
GMT today should download and install the corrected script 1850 GMT today should download and install the corrected
again to ensure that this second problem is corrected.</li> script again to ensure that this second problem is corrected.</li>
</ul> </ul>
<p align="left">These problems are corrected in <a <p align="left">These problems are corrected in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.1/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.1/firewall">
this firewall script</a> which should be installed in /etc/shorewall/firewall this firewall script</a> which should be installed in /etc/shorewall/firewall
as described above.</p> as described above.</p>
<h3 align="left">Version 1.3.0</h3> <h3 align="left">Version 1.3.0</h3>
<ul> <ul>
<li>Folks who downloaded 1.3.0 from the links on the <li>Folks who downloaded 1.3.0 from the links on
download page before 23:40 GMT, 29 May 2002 may have downloaded the download page before 23:40 GMT, 29 May 2002 may have
1.2.13 rather than 1.3.0. The "shorewall version" command downloaded 1.2.13 rather than 1.3.0. The "shorewall version"
will tell you which version that you have installed.</li> command will tell you which version that you have installed.</li>
<li>The documentation NAT.htm file uses non-existent <li>The documentation NAT.htm file uses non-existent
wallpaper and bullet graphic files. The <a wallpaper and bullet graphic files. The <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.0/NAT.htm"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.0/NAT.htm">
corrected version is here</a>.</li> corrected version is here</a>.</li>
</ul> </ul>
@ -404,127 +435,122 @@ will tell you which version that you have installed.</li>
<hr> <hr>
<h3 align="left"><a name="iptables"></a><font color="#660066"> Problem with <h3 align="left"><a name="iptables"></a><font color="#660066"> Problem with
iptables version 1.2.3</font></h3> iptables version 1.2.3</font></h3>
<blockquote> <blockquote>
<p align="left">There are a couple of serious bugs in iptables 1.2.3 that <p align="left">There are a couple of serious bugs in iptables 1.2.3 that
prevent it from working with Shorewall. Regrettably, RedHat released prevent it from working with Shorewall. Regrettably, RedHat
this buggy iptables in RedHat 7.2. </p> released this buggy iptables in RedHat 7.2. </p>
<p align="left"> I have built a <a <p align="left"> I have built a <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm"> href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
corrected 1.2.3 rpm which you can download here</a>  and I have also corrected 1.2.3 rpm which you can download here</a>  and I have also
built an <a built an <a
href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm"> href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
iptables-1.2.4 rpm which you can download here</a>. If you are currently iptables-1.2.4 rpm which you can download here</a>. If you are currently
running RedHat 7.1, you can install either of these RPMs <b><u>before</u> running RedHat 7.1, you can install either of these RPMs
</b>you upgrade to RedHat 7.2.</p> <b><u>before</u> </b>you upgrade to RedHat 7.2.</p>
<p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat <p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat
has released an iptables-1.2.4 RPM of their own which you can download has released an iptables-1.2.4 RPM of their own which you can download
from<font color="#ff6633"> <a from<font color="#ff6633"> <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>. href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
</font>I have installed this RPM on my firewall and it works fine.</p> </font>I have installed this RPM on my firewall and it works fine.</p>
<p align="left">If you would like to patch iptables 1.2.3 yourself, <p align="left">If you would like to patch iptables 1.2.3 yourself,
the patches are available for download. This <a the patches are available for download. This <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a> href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
which corrects a problem with parsing of the --log-level specification which corrects a problem with parsing of the --log-level specification
while this <a while this <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a> href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
corrects a problem in handling the  TOS target.</p> corrects a problem in handling the  TOS target.</p>
<p align="left">To install one of the above patches:</p> <p align="left">To install one of the above patches:</p>
<ul> <ul>
<li>cd iptables-1.2.3/extensions</li> <li>cd iptables-1.2.3/extensions</li>
<li>patch -p0 &lt; <i>the-patch-file</i></li> <li>patch -p0 &lt; <i>the-patch-file</i></li>
</ul> </ul>
</blockquote> </blockquote>
<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18 <h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18
and RedHat iptables</h3> and RedHat iptables</h3>
<blockquote> <blockquote>
<p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19 <p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19
may experience the following:</p> may experience the following:</p>
<blockquote> <blockquote>
<pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre> <pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre>
</blockquote> </blockquote>
<p>The RedHat iptables RPM is compiled with debugging enabled but the <p>The RedHat iptables RPM is compiled with debugging enabled but the
user-space debugging code was not updated to reflect recent changes in user-space debugging code was not updated to reflect recent changes in
the Netfilter 'mangle' table. You can correct the problem by installing the Netfilter 'mangle' table. You can correct the problem by installing
<a <a
href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm"> href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
this iptables RPM</a>. If you are already running a 1.2.5 version of this iptables RPM</a>. If you are already running a 1.2.5 version
iptables, you will need to specify the --oldpackage option to rpm (e.g., of iptables, you will need to specify the --oldpackage option to rpm
"iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p> (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
</blockquote> </blockquote>
<h3><a name="SuSE"></a>Problems installing/upgrading <h3><a name="SuSE"></a>Problems installing/upgrading
RPM on SuSE</h3> RPM on SuSE</h3>
<p>If you find that rpm complains about a conflict <p>If you find that rpm complains about a conflict
with kernel &lt;= 2.2 yet you have a 2.4 kernel with kernel &lt;= 2.2 yet you have a 2.4 kernel
installed, simply use the "--nodeps" option to installed, simply use the "--nodeps" option to
rpm.</p> rpm.</p>
<p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p> <p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<p>Upgrading: rpm -Uvh --nodeps <i>&lt;shorewall rpm&gt;</i></p> <p>Upgrading: rpm -Uvh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<h3><a name="Multiport"></a><b>Problems with <h3><a name="Multiport"></a><b>Problems with
iptables version 1.2.7 and MULTIPORT=Yes</b></h3> iptables version 1.2.7 and MULTIPORT=Yes</b></h3>
<p>The iptables 1.2.7 release of iptables has made <p>The iptables 1.2.7 release of iptables has made
an incompatible change to the syntax used to an incompatible change to the syntax used to
specify multiport match rules; as a consequence, specify multiport match rules; as a consequence,
if you install iptables 1.2.7 you must be running if you install iptables 1.2.7 you must be running
Shorewall 1.3.7a or later or:</p> Shorewall 1.3.7a or later or:</p>
<ul> <ul>
<li>set MULTIPORT=No in <li>set MULTIPORT=No in
/etc/shorewall/shorewall.conf; or </li> /etc/shorewall/shorewall.conf; or </li>
<li>if you are running Shorewall <li>if you are running Shorewall
1.3.6 you may install 1.3.6 you may install
<a <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
this firewall script</a> in /var/lib/shorewall/firewall this firewall script</a> in /var/lib/shorewall/firewall
as described above.</li> as described above.</li>
</ul> </ul>
<h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br> <h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br>
</h3> </h3>
/etc/shorewall/nat entries of the following form will result in Shorewall /etc/shorewall/nat entries of the following form will result in Shorewall
being unable to start:<br> being unable to start:<br>
<br> <br>
<pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22    eth0    192.168.9.22   yes     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre> <pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22    eth0    192.168.9.22   yes     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
Error message is:<br> Error message is:<br>
<pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre> <pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
The solution is to put "no" in the LOCAL column. Kernel support for LOCAL=yes The solution is to put "no" in the LOCAL column. Kernel support for
has never worked properly and 2.4.18-10 has disabled it. The 2.4.19 kernel LOCAL=yes has never worked properly and 2.4.18-10 has disabled it. The
contains corrected support under a new kernel configuraiton option; see 2.4.19 kernel contains corrected support under a new kernel configuraiton
<a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br> option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
<p><font size="2"> Last updated 11/24/2002 - <p><font size="2"> Last updated 12/3/2002 -
<a href="support.htm">Tom Eastep</a></font> </p> <a href="support.htm">Tom Eastep</a></font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
<br> </p>
<br>
<br>
<br>
<br>
<br>
<br>
<br> <br>
<br> <br>
</body> </body>

393
STABLE/documentation/seattlefirewall_index.htm
View File

@ -11,7 +11,7 @@
<base target="_self"> <base target="_self">
</head> </head>
<body> <body>
@ -20,9 +20,9 @@
<table border="0" cellpadding="0" cellspacing="4" <table border="0" cellpadding="0" cellspacing="4"
style="border-collapse: collapse;" width="100%" id="AutoNumber3" style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td <td
width="100%" height="90"> width="100%" height="90">
@ -33,9 +33,9 @@
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4" href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4"
alt="Shorwall Logo" height="70" width="85" align="left" alt="Shorwall Logo" height="70" width="85" align="left"
src="images/washington.jpg" border="0"> src="images/washington.jpg" border="0">
</a></i></font><font </a></i></font><font
color="#ffffff">Shorewall 1.3 - <font size="4">"<i>iptables color="#ffffff">Shorewall 1.3 - <font size="4">"<i>iptables
made easy"</i></font></font></h1> made easy"</i></font></font></h1>
@ -45,10 +45,11 @@
<div align="center"><a <div align="center"><a
href="http://shorewall.sf.net/1.2/index.html" target="_top"><font href="http://shorewall.sf.net/1.2/index.html" target="_top"><font
color="#ffffff">Shorewall 1.2 Site here</font></a><br> color="#ffffff">Shorewall 1.2 Site here</font></a><br>
</div> </div>
<br> <br>
</td> </td>
</tr> </tr>
@ -62,15 +63,16 @@
<center> <center>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"> style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody> <tbody>
<tr> <tr>
<td <td
width="90%"> width="90%">
<h2 align="left">What is it?</h2> <h2 align="left">What is it?</h2>
@ -79,10 +81,10 @@
<p>The Shoreline Firewall, more commonly known as "Shorewall", is a <p>The Shoreline Firewall, more commonly known as "Shorewall", is
<a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
that can be used on a dedicated firewall system, a multi-function firewall that can be used on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system.</p> gateway/router/server or on a standalone GNU/Linux system.</p>
@ -91,21 +93,21 @@
<p>This program is free software; you can redistribute it and/or modify <p>This program is free software; you can redistribute it and/or modify
it under the terms of <a it under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU General href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
Public License</a> as published by the Free Software Foundation.<br> General Public License</a> as published by the Free Software Foundation.<br>
<br> <br>
This program This program
is distributed in the hope that it will be useful, is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty but WITHOUT ANY WARRANTY; without even the implied warranty
of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
See the GNU General Public License for more details.<br> See the GNU General Public License for more details.<br>
<br> <br>
You should You should
have received a copy of the GNU General Public License have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139,
USA</p> USA</p>
@ -121,22 +123,24 @@ Public License</a> as published by the Free Software Foundation.<br>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img <p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36"> border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques </a>Jacques
Nilo and Eric Wolzak have a LEAF (router/firewall/gateway Nilo and Eric Wolzak have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution called on a floppy, CD or compact flash) distribution called
<i>Bering</i> that features Shorewall-1.3.10 and Kernel-2.4.18. <i>Bering</i> that features Shorewall-1.3.10 and Kernel-2.4.18.
You can find their work at: <a You can find their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br> href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
</a></p> </a></p>
<p><b>Congratulations to Jacques and Eric on the recent release of Bering <p><b>Congratulations to Jacques and Eric on the recent release of
1.0 Final!!! </b><br> Bering 1.0 Final!!! </b><br>
</p> </p>
<h2>This is a mirror of the main Shorewall web site at SourceForge
(<a href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
<h2>This is a mirror of the main Shorewall web site at SourceForge (<a
href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
@ -159,147 +163,168 @@ Public License</a> as published by the Free Software Foundation.<br>
<p><b>11/24/2002 - Shorewall 1.3.11</b><b> </b><b><img border="0" <p><b>12/3/2002 - Shorewall 1.3.11a </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)"> src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p> </b></p>
<p>This is a bug-fix roll up which includes Roger Aich's fix for DNAT
with excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11 users who
don't need rules of this type need not upgrade to 1.3.11.</p>
<p><b>11/25/2002 - Shorewall 1.3.11 Documentation in PDF Format</b><b>
</b></p>
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.11
documenation. the PDF may be downloaded from</p>
<p>    <a
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
</p>
<p><b>11/24/2002 - Shorewall 1.3.11</b><b> </b><b>
</b></p>
<p>In this version:</p> <p>In this version:</p>
<ul> <ul>
<li>A 'tcpflags' option has been added to entries in <a <li>A 'tcpflags' option has been added to entries in <a
href="file:///home/teastep/Shorewall-docs/Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. This
This option causes Shorewall to make a set of sanity check on TCP packet option causes Shorewall to make a set of sanity check on TCP packet header
header flags.</li> flags.</li>
<li>It is now allowed to use 'all' in the SOURCE or DEST column in <li>It is now allowed to use 'all' in the SOURCE or DEST column
a <a href="file:///home/teastep/Shorewall-docs/Documentation.htm#Rules">rule</a>. in a <a href="Documentation.htm#Rules">rule</a>. When used, 'all' must
When used, 'all' must appear by itself (in may not be qualified) and it does appear by itself (in may not be qualified) and it does not enable intra-zone
not enable intra-zone traffic. For example, the rule <br> traffic. For example, the rule <br>
<br> <br>
    ACCEPT loc all tcp 80<br>     ACCEPT loc all tcp 80<br>
<br> <br>
does not enable http traffic from 'loc' to 'loc'.</li> does not enable http traffic from 'loc' to 'loc'.</li>
<li>Shorewall's use of the 'echo' command is now compatible with <li>Shorewall's use of the 'echo' command is now compatible with
bash clones such as ash and dash.</li> bash clones such as ash and dash.</li>
<li>fw-&gt;fw policies now generate a startup error. fw-&gt;fw rules <li>fw-&gt;fw policies now generate a startup error. fw-&gt;fw
generate a warning and are ignored</li> rules generate a warning and are ignored</li>
</ul> </ul>
<p><b>11/14/2002 - Shorewall Documentation in PDF Format</b><b> <p><b>11/14/2002 - Shorewall Documentation in PDF Format</b><b>
</b></p> </b></p>
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10 <p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10
documenation. the PDF may be downloaded from</p> documenation. the PDF may be downloaded from</p>
<p>    <a <p>    <a
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br> href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>     <a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
</p> </p>
<p><b>11/09/2002 - Shorewall is Back at SourceForge</b><b> <p><b>11/09/2002 - Shorewall is Back at SourceForge</b><b>
</b></p> </b></p>
<p>The main Shorewall web site is now back at SourceForge at <a <p>The main Shorewall web site is now back at SourceForge at <a
href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>.<br> href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>.<br>
</p> </p>
<p><b>11/09/2002 - Shorewall 1.3.10</b><b> <p><b>11/09/2002 - Shorewall 1.3.10</b><b>
</b></p> </b></p>
<p>In this version:</p> <p>In this version:</p>
<ul> <ul>
<li>You may now <a href="IPSEC.htm#Dynamic">define the <li>You may now <a href="IPSEC.htm#Dynamic">define
contents of a zone dynamically</a> with the <a the contents of a zone dynamically</a> with the <a
href="starting_and_stopping_shorewall.htm">"shorewall add" and "shorewall href="starting_and_stopping_shorewall.htm">"shorewall add" and "shorewall
delete" commands</a>. These commands are expected to be used primarily delete" commands</a>. These commands are expected to be used primarily
within <a href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a> within <a href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a>
updown scripts.</li> updown scripts.</li>
<li>Shorewall can now do<a <li>Shorewall can now do<a
href="MAC_Validation.html"> MAC verification</a> on ethernet segments. href="MAC_Validation.html"> MAC verification</a> on ethernet segments.
You can specify the set of allowed MAC addresses on the segment and You can specify the set of allowed MAC addresses on the segment and
you can optionally tie each MAC address to one or more IP addresses.</li> you can optionally tie each MAC address to one or more IP addresses.</li>
<li>PPTP Servers and Clients running on the firewall <li>PPTP Servers and Clients running on the firewall
system may now be defined in the<a href="PPTP.htm"> /etc/shorewall/tunnels</a> system may now be defined in the<a href="PPTP.htm"> /etc/shorewall/tunnels</a>
file.</li> file.</li>
<li>A new 'ipsecnat' tunnel type is supported for use <li>A new 'ipsecnat' tunnel type is supported for
when the <a href="IPSEC.htm">remote IPSEC endpoint is behind use when the <a href="IPSEC.htm">remote IPSEC endpoint is
a NAT gateway</a>.</li> behind a NAT gateway</a>.</li>
<li>The PATH used by Shorewall may now be specified in <li>The PATH used by Shorewall may now be specified
<a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li> in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
<li>The main firewall script is now /usr/lib/shorewall/firewall. <li>The main firewall script is now /usr/lib/shorewall/firewall.
The script in /etc/init.d/shorewall is very small and uses /sbin/shorewall The script in /etc/init.d/shorewall is very small and uses /sbin/shorewall
to do the real work. This change makes custom distributions such as to do the real work. This change makes custom distributions such as
for Debian and for Gentoo easier to manage since it is /etc/init.d/shorewall for Debian and for Gentoo easier to manage since it is /etc/init.d/shorewall
that tends to have distribution-dependent code.</li> that tends to have distribution-dependent code.</li>
</ul> </ul>
If you have installed the 1.3.10 Beta 1 RPM and are now upgrading If you have installed the 1.3.10 Beta 1 RPM and are now upgrading
to version 1.3.10, you will need to use the '--force' option:<br> to version 1.3.10, you will need to use the '--force' option:<br>
<blockquote> <blockquote>
<pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm</pre> <pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm</pre>
</blockquote> </blockquote>
<p><b>10/24/2002 - Shorewall is now in Gentoo Linux</b><a <p><b>10/24/2002 - Shorewall is now in Gentoo Linux</b><a
href="http://www.gentoo.org"><br> href="http://www.gentoo.org"><br>
</a></p> </a></p>
Alexandru Hartmann reports that his Shorewall package Alexandru Hartmann reports that his Shorewall package
is now a part of <a href="http://www.gentoo.org">the Gentoo is now a part of <a href="http://www.gentoo.org">the Gentoo
Linux distribution</a>. Thanks Alex!<br> Linux distribution</a>. Thanks Alex!<br>
<p><b>10/23/2002 - Shorewall 1.3.10 Beta 1</b><b> </b></p> <p><b>10/23/2002 - Shorewall 1.3.10 Beta 1</b><b> </b></p>
In this version:<br> In this version:<br>
<ul> <ul>
<li>You may now <a href="IPSEC.htm#Dynamic">define <li>You may now <a
the contents of a zone dynamically</a> with the <a href="IPSEC.htm#Dynamic">define the contents of a zone dynamically</a>
href="starting_and_stopping_shorewall.htm">"shorewall add" and "shorewall with the <a href="starting_and_stopping_shorewall.htm">"shorewall add" and
delete" commands</a>. These commands are expected to be used primarily "shorewall delete" commands</a>. These commands are expected
within <a href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a> to be used primarily within <a
updown scripts.</li> href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a> updown
<li>Shorewall can now do<a scripts.</li>
<li>Shorewall can now do<a
href="MAC_Validation.html"> MAC verification</a> on ethernet segments. href="MAC_Validation.html"> MAC verification</a> on ethernet segments.
You can specify the set of allowed MAC addresses on the segment and You can specify the set of allowed MAC addresses on the segment
you can optionally tie each MAC address to one or more IP addresses.</li> and you can optionally tie each MAC address to one or more IP addresses.</li>
<li>PPTP Servers and Clients running on the <li>PPTP Servers and Clients running on the
firewall system may now be defined in the<a href="PPTP.htm"> /etc/shorewall/tunnels</a> firewall system may now be defined in the<a href="PPTP.htm"> /etc/shorewall/tunnels</a>
file.</li> file.</li>
<li>A new 'ipsecnat' tunnel type is supported <li>A new 'ipsecnat' tunnel type is supported
for use when the <a href="IPSEC.htm">remote IPSEC endpoint for use when the <a href="IPSEC.htm">remote IPSEC endpoint
is behind a NAT gateway</a>.</li> is behind a NAT gateway</a>.</li>
<li>The PATH used by Shorewall may now be specified <li>The PATH used by Shorewall may now be
in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li> specified in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
<li>The main firewall script is now /usr/lib/shorewall/firewall. <li>The main firewall script is now /usr/lib/shorewall/firewall.
The script in /etc/init.d/shorewall is very small and uses /sbin/shorewall The script in /etc/init.d/shorewall is very small and uses /sbin/shorewall
to do the real work. This change makes custom distributions such to do the real work. This change makes custom distributions such
as for Debian and for Gentoo easier to manage since it is /etc/init.d/shorewall as for Debian and for Gentoo easier to manage since it is /etc/init.d/shorewall
that tends to have distribution-dependent code.</li> that tends to have distribution-dependent code.</li>
</ul> </ul>
You may download the Beta from:<br> You may download the Beta from:<br>
<ul> <ul>
<li><a <li><a
href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a></li> href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a></li>
<li><a <li><a
href="ftp://ftp.shorewall.net/pub/shorewall/Beta" target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br> href="ftp://ftp.shorewall.net/pub/shorewall/Beta" target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
</li> </li>
@ -308,8 +333,8 @@ firewall system may now be defined in the<a href="PPTP.htm"> /etc/shore
<p><b>10/10/2002 -  Debian 1.3.9b Packages Available </b><b> <p><b>10/10/2002 -  Debian 1.3.9b Packages Available </b><b>
</b><br> </b><br>
</p> </p>
@ -319,88 +344,94 @@ firewall system may now be defined in the<a href="PPTP.htm"> /etc/shore
<p><b>10/9/2002 - Shorewall 1.3.9b </b><b><img border="0" <p><b>10/9/2002 - Shorewall 1.3.9b </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)"> src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p> </b></p>
This release rolls up fixes to the installer This release rolls up fixes to the installer
and to the firewall script.<br> and to the firewall script.<br>
<b><br> <b><br>
10/6/2002 - Shorewall.net now running on RH8.0 10/6/2002 - Shorewall.net now running on RH8.0
</b><b><img border="0" src="images/new10.gif" width="28" </b><b><img border="0" src="images/new10.gif" width="28"
height="12" alt="(New)"> height="12" alt="(New)">
</b><br> </b><br>
<br> <br>
The firewall and server here at shorewall.net The firewall and server here at shorewall.net
are now running RedHat release 8.0.<br> are now running RedHat release 8.0.<br>
<p><b>9/30/2002 - Shorewall 1.3.9a</b><b> <p><b>9/30/2002 - Shorewall 1.3.9a</b><b>
</b></p> </b></p>
Roles up the fix for broken tunnels.<br> Roles up the fix for broken tunnels.<br>
<p><b>9/30/2002 - TUNNELS Broken in 1.3.9!!!</b><b> <p><b>9/30/2002 - TUNNELS Broken in 1.3.9!!!</b><b>
</b></p> </b></p>
<img src="images/j0233056.gif" <img
alt="Brown Paper Bag" width="50" height="86" align="left"> src="images/j0233056.gif" alt="Brown Paper Bag" width="50" height="86"
There is an updated firewall script at align="left">
<a There is an updated firewall script
at <a
href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall" href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a> target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
-- copy that file to /usr/lib/shorewall/firewall.<br> -- copy that file to /usr/lib/shorewall/firewall.<br>
<p><b><br> <p><b><br>
</b></p> </b></p>
<p><b><br> <p><b><br>
</b></p> </b></p>
<p><b><br> <p><b><br>
9/28/2002 - Shorewall 1.3.9 </b><b> 9/28/2002 - Shorewall 1.3.9 </b><b>
</b></p> </b></p>
<p>In this version:<br> <p>In this version:<br>
</p> </p>
<ul> <ul>
<li><a <li><a
href="configuration_file_basics.htm#dnsnames">DNS Names</a> are now href="configuration_file_basics.htm#dnsnames">DNS Names</a> are now
allowed in Shorewall config files (although I recommend against allowed in Shorewall config files (although I recommend
using them).</li> against using them).</li>
<li>The connection SOURCE <li>The connection SOURCE
may now be qualified by both interface and IP address in may now be qualified by both interface and IP address
a <a href="Documentation.htm#Rules">Shorewall rule</a>.</li> in a <a href="Documentation.htm#Rules">Shorewall rule</a>.</li>
<li>Shorewall startup is <li>Shorewall startup
now disabled after initial installation until the file is now disabled after initial installation until the
/etc/shorewall/startup_disabled is removed. This avoids nasty file /etc/shorewall/startup_disabled is removed. This avoids
surprises at reboot for users who install Shorewall but don't nasty surprises at reboot for users who install Shorewall
configure it.</li> but don't configure it.</li>
<li>The 'functions' and 'version' <li>The 'functions' and
files and the 'firewall' symbolic link have been moved 'version' files and the 'firewall' symbolic link have been
from /var/lib/shorewall to /usr/lib/shorewall to appease moved from /var/lib/shorewall to /usr/lib/shorewall to appease
the LFS police at Debian.<br> the LFS police at Debian.<br>
</li> </li>
@ -415,6 +446,7 @@ the LFS police at Debian.<br>
<p><a href="News.htm">More News</a></p> <p><a href="News.htm">More News</a></p>
@ -423,29 +455,31 @@ the LFS police at Debian.<br>
<h2><a name="Donations"></a>Donations</h2> <h2><a name="Donations"></a>Donations</h2>
</td> </td>
<td <td
width="88" bgcolor="#4b017c" valign="top" align="center"> <a width="88" bgcolor="#4b017c" valign="top" align="center"> <a
href="http://sourceforge.net">M</a></td> href="http://sourceforge.net">M</a></td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</center> </center>
</div> </div>
<table border="0" cellpadding="5" cellspacing="0" <table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2" style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td <td
width="100%" style="margin-top: 1px;"> width="100%" style="margin-top: 1px;">
@ -455,19 +489,21 @@ the LFS police at Debian.<br>
<p align="center"><a href="http://www.starlight.org"> <img <p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left" border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10"> hspace="10">
  </a></p>   </a></p>
<p align="center"><font size="4" color="#ffffff">Shorewall is free but
if you try it and find it useful, please consider making a donation <p align="center"><font size="4" color="#ffffff">Shorewall is free
to <a href="http://www.starlight.org"><font but if you try it and find it useful, please consider making a donation
to <a href="http://www.starlight.org"><font
color="#ffffff">Starlight Children's Foundation.</font></a> Thanks!</font></p> color="#ffffff">Starlight Children's Foundation.</font></a> Thanks!</font></p>
</td> </td>
</tr> </tr>
@ -475,12 +511,9 @@ if you try it and find it useful, please consider making a donation
</table> </table>
<p><font size="2">Updated 11/24/2002 - <a href="support.htm">Tom Eastep</a></font> <p><font size="2">Updated 12/3/2002 - <a href="support.htm">Tom Eastep</a></font>
<br> <br>
</p> </p>
<br>
<br>
<br>
</body> </body>
</html> </html>

92
STABLE/documentation/shoreline.htm
View File

@ -17,74 +17,75 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Tom Eastep</font></h1> <h1 align="center"><font color="#ffffff">Tom Eastep</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p align="center"> <img border="3" src="images/TomNTarry.png" <p align="center"> <img border="3" src="images/TomNTarry.png"
alt="Tom on the PCT - 1991" width="316" height="392"> alt="Tom on the PCT - 1991" width="316" height="392">
</p> </p>
<p align="center">Tarry &amp; Tom -- August 2002<br> <p align="center">Tarry &amp; Tom -- August 2002<br>
<br> <br>
</p> </p>
<ul> <ul>
<li>Born 1945 in <a href="http://www.experiencewashington.com">Washington <li>Born 1945 in <a
State</a> .</li> href="http://www.experiencewashington.com">Washington State</a> .</li>
<li>BA Mathematics from <a href="http://www.wsu.edu">Washington <li>BA Mathematics from <a href="http://www.wsu.edu">Washington
State University</a> 1967</li> State University</a> 1967</li>
<li>MA Mathematics from <a href="http://www.washington.edu">University <li>MA Mathematics from <a href="http://www.washington.edu">University
of Washington</a> 1969</li> of Washington</a> 1969</li>
<li>Burroughs Corporation (now <a href="http://www.unisys.com">Unisys</a> <li>Burroughs Corporation (now <a
) 1969 - 1980</li> href="http://www.unisys.com">Unisys</a> ) 1969 - 1980</li>
<li><a href="http://www.tandem.com">Tandem Computers, Incorporated</a> <li><a href="http://www.tandem.com">Tandem Computers, Incorporated</a>
(now part of the <a href="http://www.hp.com">The New HP</a>) 1980 - present</li> (now part of the <a href="http://www.hp.com">The New HP</a>) 1980 - present</li>
<li>Married 1969 - no children.</li> <li>Married 1969 - no children.</li>
</ul> </ul>
<p>I am currently a member of the design team for the next-generation <p>I am currently a member of the design team for the next-generation
operating system from the NonStop Enterprise Division of HP. </p> operating system from the NonStop Enterprise Division of HP. </p>
<p>I became interested in Internet Security when I established a home office <p>I became interested in Internet Security when I established a home office
in 1999 and had DSL service installed in our home. I investigated in 1999 and had DSL service installed in our home. I investigated
ipchains and developed the scripts which are now collectively known as <a ipchains and developed the scripts which are now collectively known as
href="http://seawall.sourceforge.net"> Seattle Firewall</a>. Expanding <a href="http://seawall.sourceforge.net"> Seattle Firewall</a>. Expanding
on what I learned from Seattle Firewall, I then designed and wrote on what I learned from Seattle Firewall, I then designed and wrote
Shorewall. </p> Shorewall. </p>
<p>I telework from our home in <a href="http://www.cityofshoreline.com">Shoreline, <p>I telework from our home in <a href="http://www.cityofshoreline.com">Shoreline,
Washington</a> where I live with my wife Tarry. </p> Washington</a> where I live with my wife Tarry. </p>
<p>Our current home network consists of: </p> <p>Our current home network consists of: </p>
<ul> <ul>
<li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &amp; 8GB IDE <li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &amp; 8GB IDE
HDs and LNE100TX (Tulip) NIC - My personal Windows system. Also has HDs and LNE100TX (Tulip) NIC - My personal Windows system. Also has
RedHat 8.0 installed.</li> RedHat 8.0 installed.</li>
<li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip) NIC <li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip)
- My personal Linux System which runs Samba configured as a WINS server. NIC - My personal Linux System which runs Samba configured as a WINS
This system also has <a href="http://www.vmware.com/">VMware</a> installed server. This system also has <a href="http://www.vmware.com/">VMware</a>
and can run both <a href="http://www.debian.org">Debian Woody</a> installed and can run both <a href="http://www.debian.org">Debian
and <a href="http://www.suse.com">SuSE 8.1</a> in virtual machines.</li> Woody</a> and <a href="http://www.suse.com">SuSE 8.1</a> in virtual
<li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC  - Mail machines.</li>
<li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC  - Mail
(Postfix &amp; Courier-IMAP), HTTP (Apache), FTP (Pure_ftpd), DNS server (Postfix &amp; Courier-IMAP), HTTP (Apache), FTP (Pure_ftpd), DNS server
(Bind).</li> (Bind).</li>
<li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI HD - 3 LNE100TX  <li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI HD - 3 LNE100TX 
(Tulip) and 1 TLAN NICs  - Firewall running Shorewall 1.3.9a  and a DHCP (Tulip) and 1 TLAN NICs  - Firewall running Shorewall 1.3.11  and a DHCP
server.  Also runs PoPToP for road warrior access.</li> server.  Also runs PoPToP for road warrior access.</li>
<li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - My wife's <li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - My wife's
personal system.</li> personal system.</li>
<li>PII/400 Laptop, Win2k SP2, 224MB RAM, 12GB HD, onboard EEPRO100 <li>PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB HD, onboard EEPRO100
and EEPRO100 in expansion base and LinkSys WAC11 - My main work system.</li> and EEPRO100 in expansion base and LinkSys WAC11 - My main work system.</li>
</ul> </ul>
@ -97,18 +98,19 @@ and <a href="http://www.suse.com">SuSE 8.1</a> in virtual machines.</li>
<p><a href="http://www.redhat.com"><img border="0" <p><a href="http://www.redhat.com"><img border="0"
src="images/poweredby.png" width="88" height="31"> src="images/poweredby.png" width="88" height="31">
</a><a href="http://www.compaq.com"><img border="0" </a><a href="http://www.compaq.com"><img border="0"
src="images/poweredbycompaqlog0.gif" hspace="3" width="83" height="25"> src="images/poweredbycompaqlog0.gif" hspace="3" width="83" height="25">
</a><a href="http://www.pureftpd.org"><img border="0" </a><a href="http://www.pureftpd.org"><img border="0"
src="images/pure.jpg" width="88" height="31"> src="images/pure.jpg" width="88" height="31">
</a><font size="4"><a href="http://www.apache.org"><img border="0" </a><font size="4"><a href="http://www.apache.org"><img border="0"
src="images/apache_pb1.gif" hspace="2" width="170" height="20"> src="images/apache_pb1.gif" hspace="2" width="170" height="20">
</a> </font></p> </a> </font></p>
<p><font size="2">Last updated 10/28/2002 - </font><font size="2"> <a <p><font size="2">Last updated 11/24/2002 - </font><font size="2">
href="support.htm">Tom Eastep</a></font> </p> <a href="support.htm">Tom Eastep</a></font> </p>
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <font face="Trebuchet MS"><a href="copyright.htm"><font
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br> size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
<br>
<br> <br>
<br> <br>
<br> <br>

226
STABLE/documentation/shorewall_quickstart_guide.htm
View File

@ -19,209 +19,213 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall QuickStart Guides<br> <h1 align="center"><font color="#ffffff">Shorewall QuickStart Guides<br>
Version 3.1</font></h1> Version 3.1</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p align="center">With thanks to Richard who reminded me once again that we <p align="center">With thanks to Richard who reminded me once again that
must all first walk before we can run.</p> we must all first walk before we can run.</p>
<h2>The Guides</h2> <h2>The Guides</h2>
<p>These guides provide step-by-step instructions for configuring Shorewall <p>These guides provide step-by-step instructions for configuring Shorewall
in common firewall setups.</p> in common firewall setups.</p>
<p>The following guides are for <b>users who have a single public IP address</b>:</p> <p>The following guides are for <b>users who have a single public IP address</b>:</p>
<ul> <ul>
<li><a href="standalone.htm">Standalone</a> Linux System</li> <li><a href="standalone.htm">Standalone</a> Linux System</li>
<li><a href="two-interface.htm">Two-interface</a> Linux System <li><a href="two-interface.htm">Two-interface</a> Linux System
acting as a firewall/router for a small local network</li> acting as a firewall/router for a small local network</li>
<li><a href="three-interface.htm">Three-interface</a> Linux System <li><a href="three-interface.htm">Three-interface</a> Linux System
acting as a firewall/router for a small local network and a DMZ.</li> acting as a firewall/router for a small local network and a DMZ.</li>
</ul> </ul>
<p>The above guides are designed to get your first firewall up and running <p>The above guides are designed to get your first firewall up and running
quickly in the three most common Shorewall configurations.</p> quickly in the three most common Shorewall configurations.</p>
<p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> outlines <p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> outlines
the steps necessary to set up a firewall where <b>there are multiple public the steps necessary to set up a firewall where <b>there are multiple
IP addresses involved or if you want to learn more about Shorewall than public IP addresses involved or if you want to learn more about Shorewall
is explained in the single-address guides above.</b></p> than is explained in the single-address guides above.</b></p>
<ul> <ul>
<li><a href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a></li> <li><a href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a></li>
<li><a href="shorewall_setup_guide.htm#Concepts">2.0 Shorewall <li><a href="shorewall_setup_guide.htm#Concepts">2.0 Shorewall
Concepts</a></li> Concepts</a></li>
<li><a href="shorewall_setup_guide.htm#Interfaces">3.0 Network <li><a href="shorewall_setup_guide.htm#Interfaces">3.0 Network
Interfaces</a></li> Interfaces</a></li>
<li><a href="shorewall_setup_guide.htm#Addressing">4.0 Addressing, <li><a href="shorewall_setup_guide.htm#Addressing">4.0 Addressing,
Subnets and Routing</a> Subnets and Routing</a>
<ul> <ul>
<li><a href="shorewall_setup_guide.htm#Addresses">4.1 IP Addresses</a></li> <li><a href="shorewall_setup_guide.htm#Addresses">4.1 IP Addresses</a></li>
<li><br> <li><br>
</li> </li>
<li><a href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li> <li><a href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
<li><a href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li> <li><a href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li>
<li><a href="shorewall_setup_guide.htm#ARP">4.4 Address Resolution <li><a href="shorewall_setup_guide.htm#ARP">4.4 Address Resolution
Protocol</a></li> Protocol</a></li>
</ul> </ul>
<ul> <ul>
<li><a href="shorewall_setup_guide.htm#RFC1918">4.5 RFC 1918</a></li> <li><a href="shorewall_setup_guide.htm#RFC1918">4.5 RFC 1918</a></li>
</ul> </ul>
</li> </li>
<li><a href="shorewall_setup_guide.htm#Options">5.0 Setting up <li><a href="shorewall_setup_guide.htm#Options">5.0 Setting up
your Network</a> your Network</a>
<ul> <ul>
<li><a href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li> <li><a href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li>
</ul> </ul>
<ul> <ul>
<li><a href="shorewall_setup_guide.htm#NonRouted">5.2 Non-routed</a> <li><a href="shorewall_setup_guide.htm#NonRouted">5.2 Non-routed</a>
<ul> <ul>
<li><a href="shorewall_setup_guide.htm#SNAT">5.2.1 SNAT</a></li> <li><a href="shorewall_setup_guide.htm#SNAT">5.2.1 SNAT</a></li>
<li><a href="shorewall_setup_guide.htm#DNAT">5.2.2 DNAT</a></li> <li><a href="shorewall_setup_guide.htm#DNAT">5.2.2 DNAT</a></li>
<li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3 Proxy <li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3 Proxy
ARP</a></li> ARP</a></li>
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4 Static NAT</a></li> <li><a href="shorewall_setup_guide.htm#NAT">5.2.4 Static NAT</a></li>
</ul> </ul>
</li> </li>
<li><a href="shorewall_setup_guide.htm#Rules">5.3 Rules</a></li> <li><a href="shorewall_setup_guide.htm#Rules">5.3 Rules</a></li>
<li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4 Odds <li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4 Odds
and Ends</a></li> and Ends</a></li>
</ul> </ul>
</li> </li>
<li><a href="shorewall_setup_guide.htm#DNS">6.0 DNS</a></li> <li><a href="shorewall_setup_guide.htm#DNS">6.0 DNS</a></li>
<li><a href="shorewall_setup_guide.htm#StartingAndStopping">7.0 <li><a href="shorewall_setup_guide.htm#StartingAndStopping">7.0
Starting and Stopping the Firewall</a></li> Starting and Stopping the Firewall</a></li>
</ul> </ul>
<h2><a name="Documentation"></a>Documentation Index</h2> <h2><a name="Documentation"></a>Documentation Index</h2>
<p>The following documentation covers a variety of topics and <b>supplements <p>The following documentation covers a variety of topics and <b>supplements
the <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a> described the <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a> described
above</b>. Please review the appropriate guide before trying to use this above</b>. Please review the appropriate guide before trying to use this
documentation directly.</p> documentation directly.</p>
<ul> <ul>
<li><a href="blacklisting_support.htm">Blacklisting</a> <li><a href="blacklisting_support.htm">Blacklisting</a>
<ul> <ul>
<li>Static Blacklisting using /etc/shorewall/blacklist</li> <li>Static Blacklisting using /etc/shorewall/blacklist</li>
<li>Dynamic Blacklisting using /sbin/shorewall</li> <li>Dynamic Blacklisting using /sbin/shorewall</li>
</ul> </ul>
</li> </li>
<li><a href="configuration_file_basics.htm">Common configuration <li><a href="configuration_file_basics.htm">Common configuration
file features</a> file features</a>
<ul> <ul>
<li>Comments in configuration files</li> <li>Comments in configuration files</li>
<li>Line Continuation</li> <li>Line Continuation</li>
<li>Port Numbers/Service Names</li> <li>Port Numbers/Service Names</li>
<li>Port Ranges</li> <li>Port Ranges</li>
<li>Using Shell Variables</li> <li>Using Shell Variables</li>
<li>Using DNS Names<br> <li>Using DNS Names<br>
</li> </li>
<li>Complementing an IP address or Subnet</li> <li>Complementing an IP address or Subnet</li>
<li>Shorewall Configurations (making a test configuration)</li> <li>Shorewall Configurations (making a test configuration)</li>
<li>Using MAC Addresses in Shorewall</li> <li>Using MAC Addresses in Shorewall</li>
</ul> </ul>
</li> </li>
<li><a href="Documentation.htm">Configuration File Reference Manual</a> <li><a href="Documentation.htm">Configuration File Reference Manual</a>
<ul> <ul>
<li> <a href="Documentation.htm#Variables">params</a></li> <li> <a href="Documentation.htm#Variables">params</a></li>
<li><font color="#000099"><a href="Documentation.htm#Zones">zones</a></font></li> <li><font color="#000099"><a href="Documentation.htm#Zones">zones</a></font></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="Documentation.htm#Interfaces">interfaces</a></font></li> href="Documentation.htm#Interfaces">interfaces</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#Hosts">hosts</a></font></li> <li><font color="#000099"><a href="Documentation.htm#Hosts">hosts</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#Policy">policy</a></font></li> <li><font color="#000099"><a
<li><font color="#000099"><a href="Documentation.htm#Rules">rules</a></font></li> href="Documentation.htm#Policy">policy</a></font></li>
<li><a href="Documentation.htm#Common">common</a></li> <li><font color="#000099"><a href="Documentation.htm#Rules">rules</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#Masq">masq</a></font></li> <li><a href="Documentation.htm#Common">common</a></li>
<li><font color="#000099"><a <li><font color="#000099"><a href="Documentation.htm#Masq">masq</a></font></li>
<li><font color="#000099"><a
href="Documentation.htm#ProxyArp">proxyarp</a></font></li> href="Documentation.htm#ProxyArp">proxyarp</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#NAT">nat</a></font></li> <li><font color="#000099"><a href="Documentation.htm#NAT">nat</a></font></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="Documentation.htm#Tunnels">tunnels</a></font></li> href="Documentation.htm#Tunnels">tunnels</a></font></li>
<li><a href="traffic_shaping.htm#tcrules">tcrules</a></li> <li><a href="traffic_shaping.htm#tcrules">tcrules</a></li>
<li><font color="#000099"><a href="Documentation.htm#Conf">shorewall.conf</a></font></li> <li><font color="#000099"><a href="Documentation.htm#Conf">shorewall.conf</a></font></li>
<li><a href="Documentation.htm#modules">modules</a></li> <li><a href="Documentation.htm#modules">modules</a></li>
<li><a href="Documentation.htm#TOS">tos</a> </li> <li><a href="Documentation.htm#TOS">tos</a> </li>
<li><a href="Documentation.htm#Blacklist">blacklist</a></li> <li><a href="Documentation.htm#Blacklist">blacklist</a></li>
<li><a href="Documentation.htm#rfc1918">rfc1918</a></li> <li><a href="Documentation.htm#rfc1918">rfc1918</a></li>
<li><a href="Documentation.htm#Routestopped">routestopped</a></li> <li><a href="Documentation.htm#Routestopped">routestopped</a></li>
</ul> </ul>
</li> </li>
<li><a href="dhcp.htm">DHCP</a></li> <li><a href="dhcp.htm">DHCP</a></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="shorewall_extension_scripts.htm">Extension Scripts</a></font> href="shorewall_extension_scripts.htm">Extension Scripts</a></font> (How
(How to extend Shorewall without modifying Shorewall code)</li> to extend Shorewall without modifying Shorewall code)</li>
<li><a href="fallback.htm">Fallback/Uninstall</a></li> <li><a href="fallback.htm">Fallback/Uninstall</a></li>
<li><a href="shorewall_firewall_structure.htm">Firewall Structure</a></li> <li><a href="shorewall_firewall_structure.htm">Firewall Structure</a></li>
<li><font color="#000099"><a href="kernel.htm">Kernel Configuration</a></font></li> <li><font color="#000099"><a href="kernel.htm">Kernel Configuration</a></font></li>
<li><a href="myfiles.htm">My Configuration Files</a> (How I personally <li><a href="myfiles.htm">My Configuration Files</a> (How I personally
use Shorewall)</li> use Shorewall)</li>
<li><a href="ports.htm">Port Information</a> <li><a href="ports.htm">Port Information</a>
<ul> <ul>
<li>Which applications use which ports</li> <li>Which applications use which ports</li>
<li>Ports used by Trojans</li> <li>Ports used by Trojans</li>
</ul> </ul>
</li> </li>
<li><a href="ProxyARP.htm">Proxy ARP</a></li> <li><a href="ProxyARP.htm">Proxy ARP</a></li>
<li><a href="samba.htm">Samba</a></li> <li><a href="samba.htm">Samba</a></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="starting_and_stopping_shorewall.htm">Starting/stopping the Firewall</a></font></li> href="starting_and_stopping_shorewall.htm">Starting/stopping the Firewall</a></font></li>
<ul> <ul>
<li>Description of all /sbin/shorewall commands</li> <li>Description of all /sbin/shorewall commands</li>
<li>How to safely test a Shorewall configuration change<br> <li>How to safely test a Shorewall configuration change<br>
</li> </li>
</ul> </ul>
<li><font color="#000099"><a href="NAT.htm">Static NAT</a></font></li> <li><font color="#000099"><a href="NAT.htm">Static NAT</a></font></li>
<li><a href="traffic_shaping.htm">Traffic Shaping/Control</a></li> <li><a href="traffic_shaping.htm">Traffic Shaping/Control</a></li>
<li>VPN <li>VPN
<ul> <ul>
<li><a href="IPSEC.htm">IPSEC</a></li> <li><a href="IPSEC.htm">IPSEC</a></li>
<li><a href="IPIP.htm">GRE and IPIP</a></li> <li><a href="IPIP.htm">GRE and IPIP</a></li>
<li><a href="PPTP.htm">PPTP</a></li> <li><a href="PPTP.htm">PPTP</a></li>
<li><a href="VPN.htm">IPSEC/PPTP</a> from a system behind your <li><a href="VPN.htm">IPSEC/PPTP</a> from a system behind your
firewall to a remote network.</li> firewall to a remote network.</li>
</ul> </ul>
</li> </li>
<li><a href="whitelisting_under_shorewall.htm">White List Creation</a></li> <li><a href="whitelisting_under_shorewall.htm">White List Creation</a></li>
</ul> </ul>
<p>If you use one of these guides and have a suggestion for improvement <a <p>If you use one of these guides and have a suggestion for improvement <a
href="mailto:webmaster@shorewall.net">please let me know</a>.</p> href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
<p><font size="2">Last modified 11/19/2002 - <a <p><font size="2">Last modified 11/19/2002 - <a href="support.htm">Tom Eastep</a></font></p>
href="file:///J:/Shorewall/Shorewall-docs/support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright 2002 Thomas M. Eastep</font></a><br> <p><a href="copyright.htm"><font size="2">Copyright 2002 Thomas M. Eastep</font></a><br>
</p> </p>
<br>
</body> </body>
</html> </html>

130
STABLE/documentation/support.htm
View File

@ -19,47 +19,47 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Support</font></h1> <h1 align="center"><font color="#ffffff">Shorewall Support</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<h3 align="left"> <span style="font-weight: 400;"><i> "<font size="3">It is <h3 align="left"> <span style="font-weight: 400;"><i> "<font size="3">It
easier to post a problem than to use your own brain" </font>-- </i> <font is easier to post a problem than to use your own brain" </font>-- </i> <font
size="2">Wietse Venema (creator of <a href="http://www.postfix.org">Postfix</a>)</font></span></h3> size="2">Wietse Venema (creator of <a href="http://www.postfix.org">Postfix</a>)</font></span></h3>
<p align="left"> <i>"Any sane computer will tell you how it works -- you just <p align="left"> <i>"Any sane computer will tell you how it works -- you
have to ask it the right questions" </i>-- <font size="2">Tom Eastep</font></p> just have to ask it the right questions" </i>-- <font size="2">Tom Eastep</font></p>
<blockquote> </blockquote> <blockquote> </blockquote>
<p><span style="font-weight: 400;"><i>"It irks me when people believe that <p><span style="font-weight: 400;"><i>"It irks me when people believe that
free software comes at no cost. The cost is incredibly high."</i> free software comes at no cost. The cost is incredibly high."</i>
- <font size="2"> Wietse Venem<br> - <font size="2"> Wietse Venem<br>
</font></span></p> </font></span></p>
<h3 align="left">Before Reporting a Problem</h3> <h3 align="left">Before Reporting a Problem</h3>
<b><i>"Reading the documentation fully is a prerequisite to getting help <b><i>"Reading the documentation fully is a prerequisite to getting help
for your particular situation. I know it's harsh but you will have to get for your particular situation. I know it's harsh but you will have to get
so far on your own before you can get reasonable help from a list full of so far on your own before you can get reasonable help from a list full of
busy people. A mailing list is not a tool to speed up your day by being spoon busy people. A mailing list is not a tool to speed up your day by being
fed</i></b><i><b>".</b> </i>-- Simon White<br> spoon fed</i></b><i><b>".</b> </i>-- Simon White<br>
<p>There are also a number of sources for problem solution information.</p> <p>There are also a number of sources for problem solution information.</p>
<ul> <ul>
<li>The <a href="FAQ.htm">FAQ</a> has solutions to common problems.</li> <li>The <a href="FAQ.htm">FAQ</a> has solutions to common problems.</li>
<li>The <a href="troubleshoot.htm">Troubleshooting</a> Information <li>The <a href="troubleshoot.htm">Troubleshooting</a> Information
contains a number of tips to help you solve common problems.</li> contains a number of tips to help you solve common problems.</li>
<li>The <a href="errata.htm"> Errata</a> has links to download <li>The <a href="errata.htm"> Errata</a> has links to download
updated components.</li> updated components.</li>
<li>The Mailing List Archives search facility can locate posts <li>The Mailing List Archives search facility can locate posts
about similar problems:</li> about similar problems:</li>
</ul> </ul>
@ -74,12 +74,12 @@ about similar problems:</li>
<option value="or">Any </option> <option value="or">Any </option>
<option value="boolean">Boolean </option> <option value="boolean">Boolean </option>
</select> </select>
Format: Format:
<select name="format"> <select name="format">
<option value="builtin-long">Long </option> <option value="builtin-long">Long </option>
<option value="builtin-short">Short </option> <option value="builtin-short">Short </option>
</select> </select>
Sort by: Sort by:
<select name="sort"> <select name="sort">
<option value="score">Score </option> <option value="score">Score </option>
<option value="time">Time </option> <option value="time">Time </option>
@ -88,64 +88,70 @@ about similar problems:</li>
<option value="revtime">Reverse Time </option> <option value="revtime">Reverse Time </option>
<option value="revtitle">Reverse Title </option> <option value="revtitle">Reverse Title </option>
</select> </select>
</font> <input type="hidden" name="config" value="htdig"> <input </font> <input type="hidden" name="config" value="htdig"> <input
type="hidden" name="restrict" type="hidden" name="restrict"
value="[http://www.shorewall.net/pipermail/.*]"> <input type="hidden" value="[http://www.shorewall.net/pipermail/.*]"> <input type="hidden"
name="exclude" value=""> <br> name="exclude" value=""> <br>
Search: <input type="text" size="30" name="words" value=""> <input Search: <input type="text" size="30" name="words" value=""> <input
type="submit" value="Search"> </p> type="submit" value="Search"> </p>
</form> </form>
<h3 align="left">Problem Reporting Guideline</h3> <h3 align="left">Problem Reporting Guideline</h3>
<ul> <ul>
<li>When reporting a problem, give as much information as you can. <li>When reporting a problem, give as much information as you
Reports that say "I tried XYZ and it didn't work" are not at all helpful.</li> can. Reports that say "I tried XYZ and it didn't work" are not at all
<li>Please don't describe your environment and then ask us to send helpful.</li>
you custom configuration files. We're here to answer your questions <li>Please don't describe your environment and then ask us to
but we can't do your job for you.</li> send you custom configuration files. We're here to answer your
<li>Do you see any "Shorewall" messages in /var/log/messages questions but we can't do your job for you.</li>
<li>Do you see any "Shorewall" messages in /var/log/messages
when you exercise the function that is giving you problems?</li> when you exercise the function that is giving you problems?</li>
<li>Have you looked at the packet flow with a tool like tcpdump <li>Have you looked at the packet flow with a tool like tcpdump
to try to understand what is going on?</li> to try to understand what is going on?</li>
<li>Have you tried using the diagnostic capabilities of the <li>Have you tried using the diagnostic capabilities of the
application that isn't working? For example, if "ssh" isn't able application that isn't working? For example, if "ssh" isn't able
to connect, using the "-v" option gives you a lot of valuable diagnostic to connect, using the "-v" option gives you a lot of valuable diagnostic
information.</li> information.</li>
<li>Please include any of the Shorewall configuration files (especially <li>Please include any of the Shorewall configuration files (especially
the /etc/shorewall/hosts file if you have modified that file) that you the /etc/shorewall/hosts file if you have modified that file) that
think are relevant. If an error occurs when you try to "shorewall start", you think are relevant. If an error occurs when you try to "shorewall
include a trace (See the <a href="troubleshoot.htm">Troubleshooting</a> start", include a trace (See the <a href="troubleshoot.htm">Troubleshooting</a>
section for instructions).</li> section for instructions).</li>
<li>The list server limits posts to 120kb so don't post GIFs of <li>The list server limits posts to 120kb so don't post GIFs of
your network layout, etc to the Mailing List -- your post will your network layout, etc to the Mailing List -- your post will
be rejected.</li> be rejected.</li>
</ul> </ul>
<h3>Where to Send your Problem Report or to Ask for Help</h3> <h3>Where to Send your Problem Report or to Ask for Help</h3>
<b>If you run Shorewall on Mandrake 9.0 </b>-- send your problem <b>If you run Shorewall on Mandrake 9.0 </b>-- send your problem
reports and questions to MandrakeSoft. I ordered a Mandrake 9.0 boxed set reports and questions to MandrakeSoft. I ordered a Mandrake 9.0 boxed set
on October 3, 2002; MandrakeSoft issued a charge against my credit card on October 3, 2002; MandrakeSoft issued a charge against my credit card on
on October 4, 2002 (they are really effecient at that part of the order October 4, 2002 (they are very effecient at that part of the order process)
process) and I haven't heard a word from them since (although their news and I haven't heard a word from them since (although their news letters
letters boast that 9.0 boxed sets have been shipping for the last two weeks). boast that 9.0 boxed sets have been shipping for the last two weeks). If
If they can't fill my 9.0 order within <u>6 weeks after they have billed they can't fill my 9.0 order within <u>6 weeks after they have billed my
my credit card</u> then I refuse to spend my free time supporting of their credit card</u> then I refuse to spend my free time supporting their product
product for them.<br> for them.<br>
<br>
<b>Mandrake Update - 11/26/2002 - </b>Mandrake have informed me that "Your
order is part of a batch of which was not correctly sent to our shipping
handler, and so unfortunately was not processed". They further assure me
that these mishandled orders will begin shipping on 12/2/2002.<br>
<h4>If you run Shorewall under Bering -- <span style="font-weight: 400;">please <h4>If you run Shorewall under Bering -- <span style="font-weight: 400;">please
post your question or problem to the <a post your question or problem to the <a
href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing list</a>.</span></h4> href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing list</a>.</span></h4>
<p>Otherwise, please post your question or problem to the <a <p>Otherwise, please post your question or problem to the <a
href="mailto:shorewall-users@shorewall.net">Shorewall users mailing list</a>; href="mailto:shorewall-users@shorewall.net">Shorewall users mailing list</a>;
there are lots of folks there who are willing to help you. Your question/problem there are lots of folks there who are willing to help you. Your question/problem
description and their responses will be placed in the mailing list archives description and their responses will be placed in the mailing list archives
to help people who have a similar question or problem in the future.</p> to help people who have a similar question or problem in the future.</p>
<p>I don't look at problems sent to me directly but I try to spend some amount <p>I don't look at problems sent to me directly but I try to spend some amount
of time each day responding to problems posted on the mailing list.</p> of time each day responding to problems posted on the mailing list.</p>
<p align="center"><a href="mailto:teastep@shorewall.net">-Tom</a></p> <p align="center"><a href="mailto:teastep@shorewall.net">-Tom</a></p>
@ -153,11 +159,11 @@ product for them.<br>
href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a> href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a>
.</p> .</p>
<p align="left"><font size="2">Last Updated 11/19//2002 - Tom Eastep</font></p> <p align="left"><font size="2">Last Updated 12/2/2002 - Tom Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br> size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
</p> </p>
<br>
</body> </body>
</html> </html>

219
STABLE/documentation/troubleshoot.htm
View File

@ -15,12 +15,15 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Troubleshooting</font></h1> <h1 align="center"><font color="#ffffff">Shorewall Troubleshooting<img
</td> src="images/obrasinf.gif" alt="Beating head on table" width="90"
</tr> height="90" align="middle">
</font></h1>
</td>
</tr>
</tbody> </tbody>
</table> </table>
@ -28,22 +31,23 @@
<h3 align="left">Check the Errata</h3> <h3 align="left">Check the Errata</h3>
<p align="left">Check the <a href="errata.htm">Shorewall Errata</a> to be <p align="left">Check the <a href="errata.htm">Shorewall Errata</a> to be
sure that there isn't an update that you are missing for your version sure that there isn't an update that you are missing for your version
of the firewall.</p> of the firewall.</p>
<h3 align="left">Check the FAQs</h3> <h3 align="left">Check the FAQs</h3>
<p align="left">Check the <a href="FAQ.htm">FAQs</a> for solutions to common <p align="left">Check the <a href="FAQ.htm">FAQs</a> for solutions to common
problems.</p> problems.</p>
<h3 align="left">If the firewall fails to start</h3> <h3 align="left">If the firewall fails to start</h3>
If you receive an error message when starting or restarting the firewall If you receive an error message when starting or restarting the
and you can't determine the cause, then do the following: firewall and you can't determine the cause, then do the following:
<ul> <ul>
<li>shorewall debug start 2&gt; /tmp/trace</li> <li>shorewall debug start 2&gt; /tmp/trace</li>
<li>Look at the /tmp/trace file and see if that helps you determine <li>Look at the /tmp/trace file and see if that helps you determine
what the problem is.</li> what the problem is.</li>
<li>If you still can't determine what's wrong then see the <a <li>If you still can't determine what's wrong then see the <a
href="support.htm">support page</a>.</li> href="support.htm">support page</a>.</li>
</ul> </ul>
@ -52,140 +56,141 @@ of the firewall.</p>
<p>Many times when people have problems with Shorewall, the problem is <p>Many times when people have problems with Shorewall, the problem is
actually an ill-conceived network setup. Here are several popular snafus: actually an ill-conceived network setup. Here are several popular snafus:
</p> </p>
<ul> <ul>
<li>Port Forwarding where client and server are in the same <li>Port Forwarding where client and server are in the
subnet. See <a href="FAQ.htm">FAQ 2.</a></li> same subnet. See <a href="FAQ.htm">FAQ 2.</a></li>
<li>Changing the IP address of a local system to be in the external <li>Changing the IP address of a local system to be in the external
subnet, thinking that Shorewall will suddenly believe that the system subnet, thinking that Shorewall will suddenly believe that the system
is in the 'net' zone.</li> is in the 'net' zone.</li>
<li>Multiple interfaces connected to the same HUB or Switch. Given <li>Multiple interfaces connected to the same HUB or Switch. Given
the way that the Linux kernel respond to ARP "who-has" requests, this the way that the Linux kernel respond to ARP "who-has" requests, this
type of setup does NOT work the way that you expect it to.</li> type of setup does NOT work the way that you expect it to.</li>
</ul> </ul>
<h3 align="left">If you are having connection problems:</h3> <h3 align="left">If you are having connection problems:</h3>
<p align="left">If the appropriate policy for the connection that you are <p align="left">If the appropriate policy for the connection that you are
trying to make is ACCEPT, please DO NOT ADD ADDITIONAL ACCEPT RULES TRYING trying to make is ACCEPT, please DO NOT ADD ADDITIONAL ACCEPT RULES TRYING
TO MAKE IT WORK. Such additional rules will NEVER make it work, they add TO MAKE IT WORK. Such additional rules will NEVER make it work, they add
clutter to your rule set and they represent a big security hole in the event clutter to your rule set and they represent a big security hole in the event
that you forget to remove them later.</p> that you forget to remove them later.</p>
<p align="left">I also recommend against setting all of your policies to <p align="left">I also recommend against setting all of your policies to
ACCEPT in an effort to make something work. That robs you of one of ACCEPT in an effort to make something work. That robs you of one of
your best diagnostic tools - the "Shorewall" messages that Netfilter your best diagnostic tools - the "Shorewall" messages that Netfilter
will generate when you try to connect in a way that isn't permitted will generate when you try to connect in a way that isn't permitted
by your rule set.</p> by your rule set.</p>
<p align="left">Check your log. If you don't see Shorewall messages, then <p align="left">Check your log ("/sbin/shorewall show log"). If you don't
your problem is probably NOT a Shorewall problem. If you DO see packet messages, see Shorewall messages, then your problem is probably NOT a Shorewall problem.
it may be an indication that you are missing one or more rules -- see <a If you DO see packet messages, it may be an indication that you are missing
href="FAQ.htm#faq17">FAQ 17</a>.</p> one or more rules -- see <a href="FAQ.htm#faq17">FAQ 17</a>.</p>
<p align="left">While you are troubleshooting, it is a good idea to clear <p align="left">While you are troubleshooting, it is a good idea to clear
two variables in /etc/shorewall/shorewall.conf:</p> two variables in /etc/shorewall/shorewall.conf:</p>
<p align="left">LOGRATE=""<br> <p align="left">LOGRATE=""<br>
LOGBURST=""</p> LOGBURST=""</p>
<p align="left">This way, you will see all of the log messages being <p align="left">This way, you will see all of the log messages being
generated (be sure to restart shorewall after clearing these variables).</p> generated (be sure to restart shorewall after clearing these variables).</p>
<p align="left">Example:</p> <p align="left">Example:</p>
<font face="Century Gothic, Arial, Helvetica"> <font face="Century Gothic, Arial, Helvetica">
<p align="left"><font face="Courier">Jun 27 15:37:56 gateway kernel: <p align="left"><font face="Courier">Jun 27 15:37:56 gateway kernel:
Shorewall:all2all:REJECT:IN=eth2 OUT=eth1 SRC=192.168.2.2 DST=192.168.1.3 Shorewall:all2all:REJECT:IN=eth2 OUT=eth1 SRC=192.168.2.2 DST=192.168.1.3
LEN=67 TOS=0x00 PREC=0x00 TTL=63 ID=5805 DF PROTO=UDP SPT=1803 DPT=53 LEN=47</font></p> LEN=67 TOS=0x00 PREC=0x00 TTL=63 ID=5805 DF PROTO=UDP SPT=1803 DPT=53
</font> LEN=47</font></p>
</font>
<p align="left">Let's look at the important parts of this message:</p> <p align="left">Let's look at the important parts of this message:</p>
<ul> <ul>
<li>all2all:REJECT - This packet was REJECTed out of the all2all chain <li>all2all:REJECT - This packet was REJECTed out of the all2all
-- the packet was rejected under the "all"-&gt;"all" REJECT policy (see chain -- the packet was rejected under the "all"-&gt;"all" REJECT policy
<a href="FAQ.htm#faq17">FAQ 17).</a></li> (see <a href="FAQ.htm#faq17">FAQ 17).</a></li>
<li>IN=eth2 - the packet entered the firewall via eth2</li> <li>IN=eth2 - the packet entered the firewall via eth2</li>
<li>OUT=eth1 - if accepted, the packet would be sent on eth1</li> <li>OUT=eth1 - if accepted, the packet would be sent on eth1</li>
<li>SRC=192.168.2.2 - the packet was sent by 192.168.2.2</li> <li>SRC=192.168.2.2 - the packet was sent by 192.168.2.2</li>
<li>DST=192.168.1.3 - the packet is destined for 192.168.1.3</li> <li>DST=192.168.1.3 - the packet is destined for 192.168.1.3</li>
<li>PROTO=UDP - UDP Protocol</li> <li>PROTO=UDP - UDP Protocol</li>
<li>DPT=53 - DNS</li> <li>DPT=53 - DNS</li>
</ul> </ul>
<p align="left">In this case, 192.168.2.2 was in the "dmz" zone and 192.168.1.3 <p align="left">In this case, 192.168.2.2 was in the "dmz" zone and 192.168.1.3
is in the "loc" zone. I was missing the rule:</p> is in the "loc" zone. I was missing the rule:</p>
<p align="left">ACCEPT    dmz    loc    udp    53<br> <p align="left">ACCEPT    dmz    loc    udp    53<br>
</p> </p>
<p align="left">See <a href="FAQ.htm#faq17">FAQ 17</a> for additional information <p align="left">See <a href="FAQ.htm#faq17">FAQ 17</a> for additional information
about how to interpret the chain name appearing in a Shorewall log message.<br> about how to interpret the chain name appearing in a Shorewall log message.<br>
</p> </p>
<h3 align="left">Other Gotchas</h3> <h3 align="left">Other Gotchas</h3>
<ul> <ul>
<li>Seeing rejected/dropped packets logged out of the INPUT or FORWARD <li>Seeing rejected/dropped packets logged out of the INPUT or FORWARD
chains? This means that: chains? This means that:
<ol> <ol>
<li>your zone definitions are screwed up and the host that is sending <li>your zone definitions are screwed up and the host that is
the packets or the destination host isn't in any zone (using an sending the packets or the destination host isn't in any zone (using
<a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a> file are an <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a> file
you?); or</li> are you?); or</li>
<li>the source and destination hosts are both connected to the same <li>the source and destination hosts are both connected to the
interface and that interface doesn't have the 'multi' option specified same interface and that interface doesn't have the 'multi' option
in <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li> specified in <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
</ol> </ol>
</li> </li>
<li>Remember that Shorewall doesn't automatically allow ICMP type <li>Remember that Shorewall doesn't automatically allow ICMP
8 ("ping") requests to be sent between zones. If you want pings to be type 8 ("ping") requests to be sent between zones. If you want pings
allowed between zones, you need a rule of the form:<br> to be allowed between zones, you need a rule of the form:<br>
<br> <br>
    ACCEPT    &lt;source zone&gt;    &lt;destination zone&gt;        ACCEPT    &lt;source zone&gt;    &lt;destination zone&gt;   
icmp    echo-request<br> icmp    echo-request<br>
<br> <br>
The ramifications of this can be subtle. For example, if you have The ramifications of this can be subtle. For example, if you have
the following in /etc/shorewall/nat:<br> the following in /etc/shorewall/nat:<br>
<br> <br>
    10.1.1.2    eth0    130.252.100.18<br>     10.1.1.2    eth0    130.252.100.18<br>
<br> <br>
and you ping 130.252.100.18, unless you have allowed icmp type 8 and you ping 130.252.100.18, unless you have allowed icmp type
between the zone containing the system you are pinging from and the 8 between the zone containing the system you are pinging from and the
zone containing 10.1.1.2, the ping requests will be dropped. This is zone containing 10.1.1.2, the ping requests will be dropped. This is
true even if you have NOT specified 'noping' for eth0 in /etc/shorewall/interfaces.</li> true even if you have NOT specified 'noping' for eth0 in /etc/shorewall/interfaces.</li>
<li>If you specify "routefilter" for an interface, that interface <li>If you specify "routefilter" for an interface, that interface
must be up prior to starting the firewall.</li> must be up prior to starting the firewall.</li>
<li>Is your routing correct? For example, internal systems usually <li>Is your routing correct? For example, internal systems usually
need to be configured with their default gateway set to the IP address need to be configured with their default gateway set to the IP address
of their nearest firewall interface. One often overlooked aspect of routing of their nearest firewall interface. One often overlooked aspect of
is that in order for two hosts to communicate, the routing between them routing is that in order for two hosts to communicate, the routing between
must be set up <u>in both directions.</u> So when setting up routing them must be set up <u>in both directions.</u> So when setting up routing
between <b>A</b> and<b> B</b>, be sure to verify that the route from between <b>A</b> and<b> B</b>, be sure to verify that the route from
<b>B</b> back to <b>A</b> is defined.</li> <b>B</b> back to <b>A</b> is defined.</li>
<li>Some versions of LRP (EigerStein2Beta for example) have a <li>Some versions of LRP (EigerStein2Beta for example) have a
shell with broken variable expansion. <a shell with broken variable expansion. <a
href="ftp://ftp.shorewall.net/pub/shorewall/ash.gz"> You can get a corrected href="ftp://ftp.shorewall.net/pub/shorewall/ash.gz"> You can get a corrected
shell from the Shorewall Errata download site.</a> </li> shell from the Shorewall Errata download site.</a> </li>
<li>Do you have your kernel properly configured? <a <li>Do you have your kernel properly configured? <a
href="kernel.htm">Click here to see my kernel configuration.</a> </li> href="kernel.htm">Click here to see my kernel configuration.</a> </li>
<li>Some features require the "ip" program. That program is generally <li>Some features require the "ip" program. That program is
included in the "iproute" package which should be included with your generally included in the "iproute" package which should be included
distribution (though many distributions don't install iproute by with your distribution (though many distributions don't install iproute
default). You may also download the latest source tarball from <a by default). You may also download the latest source tarball from <a
href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank"> ftp://ftp.inr.ac.ru/ip-routing</a> href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank"> ftp://ftp.inr.ac.ru/ip-routing</a>
.</li> .</li>
<li>If you have <u>any</u> entry for a zone in /etc/shorewall/hosts <li>If you have <u>any</u> entry for a zone in /etc/shorewall/hosts
then the zone must be entirely defined in /etc/shorewall/hosts unless then the zone must be entirely defined in /etc/shorewall/hosts unless
you have specified MERGE_HOSTS=Yes (Shorewall version 1.3.5 and later). you have specified MERGE_HOSTS=Yes (Shorewall version 1.3.5 and later).
For example, if a zone has two interfaces but only one interface has an For example, if a zone has two interfaces but only one interface has an
entry in /etc/shorewall/hosts then hosts attached to the other interface entry in /etc/shorewall/hosts then hosts attached to the other interface
will <u>not</u> be considered part of the zone.</li> will <u>not</u> be considered part of the zone.</li>
<li>Problems with NAT? Be sure that you let Shorewall add all <li>Problems with NAT? Be sure that you let Shorewall add all
external addresses to be use with NAT unless you have set <a external addresses to be use with NAT unless you have set <a
href="Documentation.htm#Aliases"> ADD_IP_ALIASES</a> =No in /etc/shorewall/shorewall.conf.</li> href="Documentation.htm#Aliases"> ADD_IP_ALIASES</a> =No in /etc/shorewall/shorewall.conf.</li>
</ul> </ul>
@ -193,13 +198,15 @@ external addresses to be use with NAT unless you have set <a
<h3>Still Having Problems?</h3> <h3>Still Having Problems?</h3>
<p>See the<a href="support.htm"> support page.</a></p> <p>See the<a href="support.htm"> support page.</a></p>
<font face="Century Gothic, Arial, Helvetica"> <font face="Century Gothic, Arial, Helvetica">
<blockquote> </blockquote> <blockquote> </blockquote>
</font> </font>
<p><font size="2">Last updated 11/21/2002 - Tom Eastep</font> </p> <p><font size="2">Last updated 11/24/2002 - Tom Eastep</font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
</p> </p>
<br>
<br>
</body> </body>
</html> </html>

2
STABLE/fallback.sh
View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of # shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall. # Shoreline Firewall.
VERSION=1.3.11 VERSION=1.3.11a
usage() # $1 = exit status usage() # $1 = exit status
{ {

2
STABLE/install.sh
View File

@ -54,7 +54,7 @@
# /etc/rc.d/rc.local file is modified to start the firewall. # /etc/rc.d/rc.local file is modified to start the firewall.
# #
VERSION=1.3.11 VERSION=1.3.11a
usage() # $1 = exit status usage() # $1 = exit status
{ {

4
STABLE/shorewall.spec
View File

@ -1,5 +1,5 @@
%define name shorewall %define name shorewall
%define version 1.3.11 %define version 1.3.11a
%define release 1 %define release 1
%define prefix /usr %define prefix /usr
@ -101,6 +101,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog %changelog
* Tue Dec 03 2002 Tom Eastep <tom@shorewall.net>
- Changes version to 1.3.11a
* Sun Nov 24 2002 Tom Eastep <tom@shorewall.net> * Sun Nov 24 2002 Tom Eastep <tom@shorewall.net>
- Changes version to 1.3.11 - Changes version to 1.3.11
* Sat Nov 09 2002 Tom Eastep <tom@shorewall.net> * Sat Nov 09 2002 Tom Eastep <tom@shorewall.net>

2
STABLE/uninstall.sh
View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall # shown below. Simply run this script to remove Seattle Firewall
VERSION=1.3.11 VERSION=1.3.11a
usage() # $1 = exit status usage() # $1 = exit status
{ {