extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-02-02 10:59:27 +01:00
Code Issues Packages Projects Releases Wiki Activity

1.3.11 release changes

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@347 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2002-12-04 00:02:25 +00:00
parent a237911ebc
commit 1ad262c7cb
14 changed files with 3739 additions and 3589 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
STABLE/INSTALL
View File

@ -24,8 +24,12 @@ o Unpack the tarball
o cd to the shorewall-<version> directory
o If you have an earlier version of Shoreline Firewall installed,see the
upgrade instructions below
o Edit the files policy, interfaces, rules, nat, proxyarp and masq to
fit your environment.
o Edit the configuration files to fit your environment.
To do this, I strongly advise you to follow the instructions at:
http://shorewall.sf.net/shorewall_quickstart_guide.htm
o If you are using Caldera, Redhat, Mandrake, Corel, Slackware, SuSE or
Debian, then type "./install.sh".
o For other distributions, determine where your distribution installs

319
STABLE/documentation/FAQ.htm
View File

@ -24,6 +24,7 @@
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall FAQs</font></h1>
</td>
</tr>
@ -32,8 +33,8 @@
</table>
<p align="left"><b>1. </b><a href="#faq1"> I want to <b>forward</b> UDP <b>
port</b> 7777 to my my personal PC with IP address 192.168.1.5. I've
looked everywhere and can't find <b>how to do it</b>.</a></p>
port</b> 7777 to my my personal PC with IP address 192.168.1.5.
I've looked everywhere and can't find <b>how to do it</b>.</a></p>
<p align="left"><b>1a. </b><a href="#faq1a">Ok -- I followed those instructions
but it doesn't work.<br>
@ -44,21 +45,21 @@
<p align="left"><b>2.</b> <a href="#faq2">I <b>port forward</b> www requests
to www.mydomain.com (IP 130.151.100.69) to system 192.168.1.5 in my
local network. <b>External clients can browse</b> http://www.mydomain.com
but <b>internal clients can't</b>.</a></p>
local network. <b>External clients can browse</b> http://www.mydomain.com
but <b>internal clients can't</b>.</a></p>
<p align="left"><b>2a. </b><a href="#faq3">I have a zone "Z" with an RFC1918
subnet and I use <b>static NAT</b> to assign non-RFC1918 addresses
to hosts in Z. Hosts in Z cannot communicate with each other using their
external (non-RFC1918 addresses) so they <b>can't access each other using
their DNS names.</b></a></p>
to hosts in Z. Hosts in Z cannot communicate with each other using
their external (non-RFC1918 addresses) so they <b>can't access each
other using their DNS names.</b></a></p>
<p align="left"><b>3. </b><a href="#faq3">I want to use <b>Netmeeting/MSN
Messenger </b>with Shorewall. What do I do?</a></p>
<p align="left"><b>4. </b><a href="#faq4">I just used an online port scanner
to check my firewall and it shows <b>some ports as 'closed' rather
than 'blocked'.</b> Why?</a></p>
than 'blocked'.</b> Why?</a></p>
<p align="left"><b>4a. </b><a href="#faq4a">I just ran an <b>nmap UDP scan</b>
of my firewall and it showed 100s of ports as open!!!!</a></p>
@ -94,13 +95,13 @@ support?</a></p>
<p align="left"><b>14. </b><a href="#faq14">I'm connected via a cable modem
and it has an internel web server that allows me to configure/monitor
it but as expected if I enable <b> rfc1918 blocking</b> for my eth0 interface,
it also blocks the <b>cable modems web server</b></a>.</p>
it but as expected if I enable <b> rfc1918 blocking</b> for my eth0
interface, it also blocks the <b>cable modems web server</b></a>.</p>
<p align="left"><b>14a. </b><a href="#faq14a">Even though it assigns public
IP addresses, my ISP's DHCP server has an RFC 1918 address. If I enable
RFC 1918 filtering on my external interface, <b>my DHCP client cannot
renew its lease</b>.</a></p>
IP addresses, my ISP's DHCP server has an RFC 1918 address. If I
enable RFC 1918 filtering on my external interface, <b>my DHCP client
cannot renew its lease</b>.</a></p>
<p align="left"><b>15. </b><a href="#faq15"><b>My local systems can't see
out to the net</b></a></p>
@ -111,15 +112,21 @@ support?</a></p>
<b>17</b>. <a href="#faq17">How do I find out <b>why
this is</b> getting <b>logged?</b></a><br>
<br>
<b>18.</b> <a href="#faq18">Is there any way to use <b>aliased ip addresses</b>
with Shorewall, and maintain separate rulesets for different IPs?</a><br>
<b>18.</b> <a href="#faq18">Is there any way to use <b>aliased ip
addresses</b> with Shorewall, and maintain separate rulesets for different
IPs?</a><br>
<br>
<b>19. </b><a href="#faq19">I have added <b>entries to /etc/shorewall/tcrules</b>
but they <b>don't </b>seem to <b>do anything</b>. Why?</a><br>
<br>
<b>20.<a href="#faq20"> </a></b><a href="#faq20">I have just set up a server.
<b>Do I have to change Shorewall to allow access to my server from the internet?</b><br>
</a>
but they <b>don't </b>seem to <b>do anything</b>. Why?</a><br>
<br>
<b>20.<a href="#faq20"> </a></b><a href="#faq20">I have just set up a
server. <b>Do I have to change Shorewall to allow access to my server from
the internet?<br>
</b><br>
</a><a href="#faq21"><b>21. </b>I see these <b>strange log entries </b>occasionally;
what are they?<br>
</a><br>
<hr>
<h4 align="left"><a name="faq1"></a>1. I want to forward UDP port 7777 to
my my personal PC with IP address 192.168.1.5. I've looked everywhere
@ -129,7 +136,7 @@ but they <b>don't </b>seem to <b>do anything</b>. Why?</a><br>
href="Documentation.htm#PortForward"> first example</a> in the <a
href="Documentation.htm#Rules">rules file documentation</a> shows how to
do port forwarding under Shorewall. The format of a port-forwarding
rule to a local system is as follows:</p>
rule to a local system is as follows:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -148,7 +155,7 @@ rule to a local system is as follows:</p>
<td>DNAT</td>
<td>net</td>
<td>loc:<i>&lt;local IP address&gt;</i>[:<i>&lt;local
port</i>&gt;]</td>
port</i>&gt;]</td>
<td><i>&lt;protocol&gt;</i></td>
<td><i>&lt;port #&gt;</i></td>
<td> <br>
@ -219,7 +226,7 @@ address ( <i>&lt;external IP&gt;</i> ) on your firewall to an internal system:</
<td>DNAT</td>
<td>net</td>
<td>loc:<i>&lt;local IP address&gt;</i>[:<i>&lt;local
port</i>&gt;]</td>
port</i>&gt;]</td>
<td><i>&lt;protocol&gt;</i></td>
<td><i>&lt;port #&gt;</i></td>
<td>-</td>
@ -237,11 +244,11 @@ port</i>&gt;]</td>
<p align="left"><b>Answer: </b>That is usually the result of one of two things:</p>
<ul>
<li>You are trying to test from inside your firewall (no,
that won't work -- see <a href="#faq2">FAQ #2</a>).</li>
<li>You are trying to test from inside your firewall
(no, that won't work -- see <a href="#faq2">FAQ #2</a>).</li>
<li>You have a more basic problem with your local system
such as an incorrect default gateway configured (it should be set to
the IP address of your firewall's internal interface).</li>
such as an incorrect default gateway configured (it should be set
to the IP address of your firewall's internal interface).</li>
</ul>
@ -250,30 +257,30 @@ the IP address of your firewall's internal interface).</li>
<b>Answer: </b>To further diagnose this problem:<br>
<ul>
<li>As root, type "iptables -t nat -Z". This clears the NetFilter counters
in the nat table.</li>
<li>As root, type "iptables -t nat -Z". This clears the NetFilter
counters in the nat table.</li>
<li>Try to connect to the redirected port from an external host.</li>
<li>As root type "shorewall show nat"</li>
<li>Locate the appropriate DNAT rule. It will be in a chain called
<i>zone</i>_dnat where <i>zone</i> is the zone that includes the server
('loc' in the above examples).</li>
<li>Is the packet count in the first column non-zero? If so, the connection
request is reaching the firewall and is being redirected to the server.
In this case, the problem is usually a missing or incorrect default gateway
setting on the server (the server's default gateway should be the IP address
of the firewall's interface to the server).</li>
<i>zone</i>_dnat where <i>zone</i> is the zone that includes the 
('net' in the above examples).</li>
<li>Is the packet count in the first column non-zero? If so, the
connection request is reaching the firewall and is being redirected to
the server. In this case, the problem is usually a missing or incorrect
default gateway setting on the server (the server's default gateway should
be the IP address of the firewall's interface to the server).</li>
<li>If the packet count is zero:</li>
<ul>
<li>the connection request is not reaching your server (possibly
it is being blocked by your ISP); or</li>
<li>you are trying to connect to a secondary IP address on your firewall
and your rule is only redirecting the primary IP address (You need to specify
the secondary IP address in the "ORIG. DEST." column in your DNAT rule);
or</li>
<li>your DNAT rule doesn't match the connection request in some other
way. In that case, you may have to use a packet sniffer such as tcpdump
or ethereal to further diagnose the problem.<br>
it is being blocked by your ISP); or</li>
<li>you are trying to connect to a secondary IP address on your
firewall and your rule is only redirecting the primary IP address (You
need to specify the secondary IP address in the "ORIG. DEST." column in
your DNAT rule); or</li>
<li>your DNAT rule doesn't match the connection request in some
other way. In that case, you may have to use a packet sniffer such as tcpdump
or ethereal to further diagnose the problem.<br>
</li>
</ul>
@ -287,25 +294,25 @@ or ethereal to further diagnose the problem.<br>
<p align="left"><b>Answer: </b>I have two objections to this setup.</p>
<ul>
<li>Having an internet-accessible server in your local network
is like raising foxes in the corner of your hen house. If the server
is compromised, there's nothing between that server and your other
internal systems. For the cost of another NIC and a cross-over cable,
you can put your server in a DMZ such that it is isolated from your
local systems - assuming that the Server can be located near the Firewall,
of course :-)</li>
<li>The accessibility problem is best solved using <a
href="shorewall_setup_guide.htm#DNS">Bind Version 9 "views"</a> (or using
a separate DNS server for local clients) such that www.mydomain.com resolves
to 130.141.100.69 externally and 192.168.1.5 internally. That's what
I do here at shorewall.net for my local systems that use static NAT.</li>
<li>Having an internet-accessible server in your local
network is like raising foxes in the corner of your hen house.
If the server is compromised, there's nothing between that server
and your other internal systems. For the cost of another NIC and
a cross-over cable, you can put your server in a DMZ such that
it is isolated from your local systems - assuming that the Server
can be located near the Firewall, of course :-)</li>
<li>The accessibility problem is best solved using
<a href="shorewall_setup_guide.htm#DNS">Bind Version 9 "views"</a>
(or using a separate DNS server for local clients) such that www.mydomain.com
resolves to 130.141.100.69 externally and 192.168.1.5 internally. That's
what I do here at shorewall.net for my local systems that use static NAT.</li>
</ul>
<p align="left">If you insist on an IP solution to the accessibility problem
rather than a DNS solution, then assuming that your external interface
is eth0 and your internal interface is eth1 and that eth1 has IP address
192.168.1.254 with subnet 192.168.1.0/24, do the following:</p>
is eth0 and your internal interface is eth1 and that eth1 has IP
address 192.168.1.254 with subnet 192.168.1.0/24, do the following:</p>
<p align="left">a) In /etc/shorewall/interfaces, specify "multi" as an option
for eth1 (No longer required as of Shorewall version 1.3.9).</p>
@ -394,24 +401,24 @@ I do here at shorewall.net for my local systems that use static NAT.</li>
<div align="left">
<p align="left">Using this technique, you will want to configure your DHCP/PPPoE
client to automatically restart Shorewall each time that you get a
new IP address.</p>
client to automatically restart Shorewall each time that you get
a new IP address.</p>
</div>
<h4 align="left"><a name="faq2a"></a>2a. I have a zone "Z" with an RFC1918
subnet and I use static NAT to assign non-RFC1918 addresses to hosts
in Z. Hosts in Z cannot communicate with each other using their external
(non-RFC1918 addresses) so they can't access each other using their DNS
names.</h4>
(non-RFC1918 addresses) so they can't access each other using their
DNS names.</h4>
<p align="left"><b>Answer: </b>This is another problem that is best solved
using Bind Version 9 "views". It allows both external and internal clients
to access a NATed host using the host's DNS name.</p>
using Bind Version 9 "views". It allows both external and internal
clients to access a NATed host using the host's DNS name.</p>
<p align="left">Another good way to approach this problem is to switch from
static NAT to Proxy ARP. That way, the hosts in Z have non-RFC1918
addresses and can be accessed externally and internally using the same
address. </p>
addresses and can be accessed externally and internally using the
same address. </p>
<p align="left">If you don't like those solutions and prefer routing all Z-&gt;Z
traffic through your firewall then:</p>
@ -513,32 +520,32 @@ traffic through your firewall then:</p>
</p>
<h4 align="left"><a name="faq4"></a>4. I just used an online port scanner
to check my firewall and it shows some ports as 'closed' rather than
'blocked'. Why?</h4>
to check my firewall and it shows some ports as 'closed' rather
than 'blocked'. Why?</h4>
<p align="left"><b>Answer: </b>The common.def included with version 1.3.x
always rejects connection requests on TCP port 113 rather than dropping
them. This is necessary to prevent outgoing connection problems to
services that use the 'Auth' mechanism for identifying requesting
users. Shorewall also rejects TCP ports 135, 137 and 139 as well as
UDP ports 137-139. These are ports that are used by Windows (Windows
<u>can</u> be configured to use the DCE cell locator on port 135). Rejecting
these connection requests rather than dropping them cuts down slightly
on the amount of Windows chatter on LAN segments connected to the Firewall.
</p>
always rejects connection requests on TCP port 113 rather than
dropping them. This is necessary to prevent outgoing connection
problems to services that use the 'Auth' mechanism for identifying
requesting users. Shorewall also rejects TCP ports 135, 137 and 139
as well as UDP ports 137-139. These are ports that are used by Windows
(Windows <u>can</u> be configured to use the DCE cell locator on port
135). Rejecting these connection requests rather than dropping them
cuts down slightly on the amount of Windows chatter on LAN segments connected
to the Firewall. </p>
<p align="left">If you are seeing port 80 being 'closed', that's probably
your ISP preventing you from running a web server in violation of
your Service Agreement.</p>
your ISP preventing you from running a web server in violation
of your Service Agreement.</p>
<h4 align="left"><a name="faq4a"></a>4a. I just ran an nmap UDP scan of my
firewall and it showed 100s of ports as open!!!!</h4>
<p align="left"><b>Answer: </b>Take a deep breath and read the nmap man page
section about UDP scans. If nmap gets <b>nothing</b> back from your
firewall then it reports the port as open. If you want to see which
UDP ports are really open, temporarily change your net-&gt;all policy
to REJECT, restart Shorewall and do the nmap UDP scan again.</p>
section about UDP scans. If nmap gets <b>nothing</b> back from
your firewall then it reports the port as open. If you want to see
which UDP ports are really open, temporarily change your net-&gt;all
policy to REJECT, restart Shorewall and do the nmap UDP scan again.</p>
<h4 align="left"><a name="faq5"></a>5. I've installed Shorewall and now I
can't ping through the firewall</h4>
@ -564,8 +571,8 @@ on the amount of Windows chatter on LAN segments connected to the Firewall.
syslog") in your <a href="Documentation.htm#Policy">policies</a> and <a
href="Documentation.htm#Rules">rules</a>. The destination for messaged
logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
When you have changed /etc/syslog.conf, be sure to restart syslogd (on
a RedHat system, "service syslog restart"). </p>
When you have changed /etc/syslog.conf, be sure to restart syslogd
(on a RedHat system, "service syslog restart"). </p>
<p align="left">By default, older versions of Shorewall ratelimited log messages
through <a href="Documentation.htm#Conf">settings</a> in /etc/shorewall/shorewall.conf
@ -585,7 +592,8 @@ logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
<p align="left"><a
href="http://www.shorewall.net/pub/shorewall/parsefw/"> http://www.shorewall.net/pub/shorewall/parsefw/</a><br>
<a href="http://www.fireparse.com">http://www.fireparse.com</a><br>
<a href="http://cert.uni-stuttgart.de/projects/fwlogwatch">http://cert.uni-stuttgart.de/projects/fwlogwatch</a><a
<a
href="http://cert.uni-stuttgart.de/projects/fwlogwatch">http://cert.uni-stuttgart.de/projects/fwlogwatch</a><a
href="http://www.logwatch.org"><br>
http://www.logwatch.org</a><br>
</p>
@ -617,8 +625,8 @@ logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
<div align="left">
<p align="left">Also, be sure to check the <a href="errata.htm">errata</a>
for problems concerning the version of iptables (v1.2.3) shipped with
RH7.2.</p>
for problems concerning the version of iptables (v1.2.3) shipped
with RH7.2.</p>
</div>
<h4 align="left"> </h4>
@ -675,7 +683,7 @@ them when the authors feel that they are ready. </p>
<p align="left">Is there any way it can add a rule before the rfc1918 blocking
that will let all traffic to and from the 192.168.100.1 address of
the modem in/out but still block all other rfc1918 addresses.</p>
the modem in/out but still block all other rfc1918 addresses.</p>
<p align="left"><b>Answer: </b>If you are running a version of Shorewall earlier
than 1.3.1, create /etc/shorewall/start and in it, place the following:</p>
@ -714,10 +722,10 @@ than 1.3.1, create /etc/shorewall/start and in it, place the following:</p>
</p>
<p align="left">Note: If you add a second IP address to your external firewall
interface to correspond to the modem address, you must also make an entry
in /etc/shorewall/rfc1918 for that address. For example, if you configure
the address 192.168.100.2 on your firewall, then you would add two entries
to /etc/shorewall/rfc1918: <br>
interface to correspond to the modem address, you must also make an
entry in /etc/shorewall/rfc1918 for that address. For example, if you
configure the address 192.168.100.2 on your firewall, then you would
add two entries to /etc/shorewall/rfc1918: <br>
</p>
<blockquote>
@ -742,6 +750,7 @@ than 1.3.1, create /etc/shorewall/start and in it, place the following:</p>
</td>
</tr>
</tbody>
</table>
</blockquote>
@ -764,8 +773,8 @@ lease.</h4>
<p align="left"><b>Answer: </b>Every time I read "systems can't see out to
the net", I wonder where the poster bought computers with eyes and
what those computers will "see" when things are working properly. That
aside, the most common causes of this problem are:</p>
what those computers will "see" when things are working properly. That
aside, the most common causes of this problem are:</p>
<ol>
<li>
@ -781,8 +790,8 @@ aside, the most common causes of this problem are:</p>
<li>
<p align="left">The DNS settings on the local systems are wrong or the
user is running a DNS server on the firewall and hasn't enabled UDP
and TCP port 53 from the firewall to the internet.</p>
user is running a DNS server on the firewall and hasn't enabled
UDP and TCP port 53 from the firewall to the internet.</p>
</li>
</ol>
@ -797,12 +806,12 @@ aside, the most common causes of this problem are:</p>
</p>
<h4><a name="faq17"></a>17. How do I find out why this is getting logged?</h4>
<b>Answer: </b>Logging occurs out of a number of chains (as indicated
in the log message) in Shorewall:<br>
<b>Answer: </b>Logging occurs out of a number of chains (as
indicated in the log message) in Shorewall:<br>
<ol>
<li><b>man1918 - </b>The destination address is listed in /etc/shorewall/rfc1918
with a <b>logdrop </b>target -- see <a
<li><b>man1918 - </b>The destination address is listed in
/etc/shorewall/rfc1918 with a <b>logdrop </b>target -- see <a
href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li>
<li><b>rfc1918</b> - The source address is listed in /etc/shorewall/rfc1918
with a <b>logdrop </b>target -- see <a
@ -818,36 +827,42 @@ aside, the most common causes of this problem are:</p>
<b>&lt;zone2&gt;</b> that specifies a log level and this packet is being
logged under that policy or this packet matches a <a
href="Documentation.htm#Rules">rule</a> that includes a log level.</li>
<li><b>&lt;interface&gt;_mac</b> - The packet is being logged under the
<b>maclist</b> <a href="Documentation.htm#Interfaces">interface option</a>.<br>
<li><b>&lt;interface&gt;_mac</b> - The packet is being logged under
the <b>maclist</b> <a href="Documentation.htm#Interfaces">interface
option</a>.<br>
</li>
<li><b>logpkt</b> - The packet is being logged under the <b>logunclean</b>
<a href="Documentation.htm#Interfaces">interface option</a>.</li>
<li><b>badpkt </b>- The packet is being logged under the <b>dropunclean</b>
<a href="Documentation.htm#Interfaces">interface option</a> as specified
in the <b>LOGUNCLEAN </b>setting in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.</li>
<li><b>blacklst</b> - The packet is being logged because the source
IP is blacklisted in the<a href="Documentation.htm#Blacklist"> /etc/shorewall/blacklist
</a>file.</li>
<li><b>newnotsyn </b>- The packet is being logged because it is
a TCP packet that is not part of any current connection yet it is not
a syn packet. Options affecting the logging of such packets include <b>NEWNOTSYN
</b>and <b>LOGNEWNOTSYN </b>in <a
in the <b>LOGUNCLEAN </b>setting in <a
href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.</li>
<li><b>blacklst</b> - The packet is being logged because the
source IP is blacklisted in the<a
href="Documentation.htm#Blacklist"> /etc/shorewall/blacklist </a>file.</li>
<li><b>newnotsyn </b>- The packet is being logged because
it is a TCP packet that is not part of any current connection yet it
is not a syn packet. Options affecting the logging of such packets include
<b>NEWNOTSYN </b>and <b>LOGNEWNOTSYN </b>in <a
href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
<li><b>INPUT</b> or <b>FORWARD</b> - The packet has a source IP
address that isn't in any of your defined zones ("shorewall check" and
look at the printed zone definitions) or the chain is FORWARD and the destination
IP isn't in any of your defined zones.</li>
<li><b>INPUT</b> or <b>FORWARD</b> - The packet has a source
IP address that isn't in any of your defined zones ("shorewall check"
and look at the printed zone definitions) or the chain is FORWARD and
the destination IP isn't in any of your defined zones.</li>
<li><b>logflags </b>- The packet is being logged because it failed the
checks implemented by the <b>tcpflags </b><a
href="Documentation.htm#Interfaces">interface option</a>.<br>
</li>
</ol>
<h4><a name="faq18"></a>18. Is there any way to use <b>aliased ip addresses</b>
with Shorewall, and maintain separate rulesets for different IPs?</h4>
<b>Answer: </b>Yes. You simply use the IP address in your rules (or
if you use NAT, use the local IP address in your rules). <b>Note:</b> The
":n" notation (e.g., eth0:0) is deprecated and will disappear eventually.
Neither iproute (ip and tc) nor iptables supports that notation so neither
does Shorewall. <br>
<b>Answer: </b>Yes. You simply use the IP address in your rules
(or if you use NAT, use the local IP address in your rules). <b>Note:</b>
The ":n" notation (e.g., eth0:0) is deprecated and will disappear eventually.
Neither iproute (ip and tc) nor iptables supports that notation so neither
does Shorewall. <br>
<br>
<b>Example 1:</b><br>
<br>
@ -870,27 +885,59 @@ does Shorewall. <br>
<pre> # Forward SMTP on external address 192.0.2.127 to local system 10.1.1.127<br><br> DNAT net loc:10.1.1.127 tcp smtp - 192.0.2.127<br></pre>
<h4><b><a name="faq19"></a>19. </b>I have added entries to /etc/shorewall/tcrules
but they don't seem to do anything. Why?</h4>
but they don't seem to do anything. Why?</h4>
You probably haven't set TC_ENABLED=Yes in /etc/shorewall/shorewall.conf
so the contents of the tcrules file are simply being ignored.<br>
so the contents of the tcrules file are simply being ignored.<br>
<h4><a name="faq20"></a><b>20. </b>I have just set up a server. <b>Do I have
to change Shorewall to allow access to my server from the internet?</b><br>
</h4>
Yes. Consult the <a href="shorewall_quickstart_guide.htm">QuickStart guide</a>
that you used during your initial setup for information about how to set
up rules for your server.<br>
<br>
to change Shorewall to allow access to my server from the internet?</b><br>
</h4>
Yes. Consult the <a href="shorewall_quickstart_guide.htm">QuickStart
guide</a> that you used during your initial setup for information about
how to set up rules for your server.<br>
<h4><a name="faq21"></a><b>21. </b>I see these <b>strange log entries </b>occasionally;
what are they?<br>
</h4>
<blockquote>
<pre>Nov 25 18:58:52 linux kernel: Shorewall:net2all:DROP:IN=eth1 OUT= MAC=00:60:1d:f0:a6:f9:00:60:1d:f6:35:50:08:00<br> SRC=206.124.146.179 DST=192.0.2.3 LEN=56 TOS=0x00 PREC=0x00 TTL=110 ID=18558 PROTO=ICMP TYPE=3 CODE=3 <br> [SRC=192.0.2.3 DST=172.16.1.10 LEN=128 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP SPT=53 DPT=2857 LEN=108 ]<br></pre>
</blockquote>
192.0.2.3 is external on my firewall... 172.16.0.0/24 is my internal LAN<br>
<br>
<b>Answer: </b>While most people associate the Internet Control Message
Protocol (ICMP) with 'ping', ICMP is a key piece of  the internet. ICMP is
used to report problems back to the sender of a packet; this is what is happening
here. Unfortunately, where NAT is involved (including SNAT, DNAT and Masquerade),
there are a lot of broken implementations. That is what you are seeing with
these messages.<br>
<br>
Here is my interpretation of what is happening -- to confirm this analysis,
one out have to have packet sniffers placed a both ends of the connection.<br>
<br>
Host 172.16.1.10 behind NAT gateway 206.124.146.179 sent a UDP DNS query
to 192.0.2.3 and your DNS server tried to send a response (the response information
is in the brackets -- note source port 53 which marks this as a DNS reply).
When the response was returned to to 206.124.146.179, it rewrote the destination
IP TO 172.16.1.10 and forwarded the packet to 172.16.1.10 who no longer had
a connection on UDP port 2857. This causes a port unreachable (type 3, code
3) to be generated back to 192.0.2.3. As this packet is sent back through
206.124.146.179, that box correctly changes the source address in the packet
to 206.124.146.179 but doesn't reset the DST IP in the original DNS response
similarly. When the ICMP reaches your firewall (192.0.2.3), your firewall
has no record of having sent a DNS reply to 172.16.1.10 so this ICMP doesn't
appear to be related to anything that was sent. The final result is that the
packet gets logged and dropped in the all2all chain. I have also seen cases
where the source IP in the ICMP itself isn't set back to the external IP
of the remote NAT gateway; that causes your firewall to log and drop the packet
out of the rfc1918 chain because the source IP is reserved by RFC 1918.<br>
<br>
<div align="left"> </div>
<font size="2">Last updated 11/24/2002 - <a href="support.htm">Tom Eastep</a></font>
<font size="2">Last updated 11/25/2002 - <a href="support.htm">Tom
Eastep</a></font>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
<br>
</p>
<br>
<br>
<br>
<br>
</p>
</body>
</html>

564
STABLE/documentation/News.htm
View File

File diff suppressed because it is too large Load Diff

59
STABLE/documentation/download.htm
View File

@ -30,28 +30,36 @@
<p><b>I strongly urge you to read and print a copy of the <a
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
for the configuration that most closely matches your own.</b></p>
for the configuration that most closely matches your own.<br>
</b></p>
<p>Once you've done that, download <u> one</u> of the modules:</p>
<p>The entire set of Shorewall documentation is also available in PDF format
at:</p>
<p>    <a href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
    <a href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a><br>
<br>
Once you've done that, download <u> one</u> of the modules:</p>
<ul>
<li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>, <b>
Linux PPC</b> or <b> TurboLinux</b> distribution with a
2.4 kernel, you can use the RPM version (note: the RPM should
also work with other distributions that store init scripts
Linux PPC</b> or <b> TurboLinux</b> distribution with
a 2.4 kernel, you can use the RPM version (note: the RPM
should also work with other distributions that store init scripts
in /etc/init.d and that include chkconfig or insserv). If you
find that it works in other cases, let <a
href="mailto:teastep@shorewall.net"> me</a> know so that
I can mention them here. See the <a href="Install.htm">Installation Instructions</a>
if you have problems installing the RPM.</li>
<li>If you are running LRP, download the .lrp file (you might
also want to download the .tgz so you will have a copy of the documentation).</li>
also want to download the .tgz so you will have a copy of the documentation).</li>
<li>If you run <a href="http://www.debian.org"><b>Debian</b></a>
and would like a .deb package, Shorewall is in both the <a
href="http://packages.debian.org/testing/net/shorewall.html">Debian
Testing Branch</a> and the <a
href="http://packages.debian.org/testing/net/shorewall.html">Debian Testing
Branch</a> and the <a
href="http://packages.debian.org/unstable/net/shorewall.html">Debian
Unstable Branch</a>.</li>
Unstable Branch</a>.</li>
<li>Otherwise, download the <i>shorewall</i> module
(.tgz)</li>
@ -66,10 +74,10 @@ Testing Branch</a> and the <a
<ul>
<li>RPM - "rpm -qip LATEST.rpm"</li>
<li>TARBALL - "tar -ztf LATEST.tgz" (the directory name will
contain the version)</li>
<li>TARBALL - "tar -ztf LATEST.tgz" (the directory name
will contain the version)</li>
<li>LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar -zxf
&lt;downloaded .lrp&gt;; cat var/lib/lrpkg/shorwall.version" </li>
&lt;downloaded .lrp&gt;; cat var/lib/lrpkg/shorwall.version" </li>
</ul>
@ -84,8 +92,8 @@ Testing Branch</a> and the <a
configuration of your firewall, you can enable startup by removing the
file /etc/shorewall/startup_disabled.</b></font></p>
<p><b>Download Latest Version</b> (<b>1.3.10</b>): <b>Remember that updates
to the mirrors occur 1-12 hours after an update to the primary site.</b></p>
<p><b>Download Latest Version</b> (<b>1.3.11a</b>): <b>Remember that updates
to the mirrors occur 1-12 hours after an update to the primary site.</b></p>
<blockquote>
<table border="2" cellspacing="3" cellpadding="3"
@ -204,7 +212,7 @@ to the mirrors occur 1-12 hours after an update to the primary site.</b></p>
Download .lrp</a><br>
<a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums">Download
.md5sums</a></td>
.md5sums</a></td>
<td> <a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
@ -216,18 +224,19 @@ to the mirrors occur 1-12 hours after an update to the primary site.</b></p>
Download .lrp</a><br>
<a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums">Download
.md5sums</a></td>
.md5sums</a></td>
</tr>
<tr>
<td>Paris, France</td>
<td>Shorewall.net</td>
<td><a href="http://france.shorewall.net/pub/LATEST.rpm">Download
.rpm</a><br>
<td><a
href="http://france.shorewall.net/pub/LATEST.rpm">Download .rpm</a><br>
<a href="http://france.shorewall.net/pub/LATEST.tgz">Download
.tgz</a> <br>
<a href="http://france.shorewall.net/pub/LATEST.lrp">Download
.lrp</a><br>
<a href="http://france.shorewall.net/pub/LATEST.md5sums">Download
<a
href="http://france.shorewall.net/pub/LATEST.md5sums">Download
.md5sums</a></td>
<td> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.rpm">Download
@ -283,8 +292,8 @@ to the mirrors occur 1-12 hours after an update to the primary site.</b></p>
<blockquote>
<p>Juraj Ontkanin has produced a Portable Document Format (PDF) file containing
the Shorewall 1.3.10 documenation (the documentation in HTML format is included
in the .rpm and in the .tgz). The .pdf may be downloaded from</p>
the Shorewall 1.3.10 documenation (the documentation in HTML format is included
in the .rpm and in the .tgz). The .pdf may be downloaded from</p>
</blockquote>
<blockquote>
@ -334,7 +343,8 @@ in the .rpm and in the .tgz). The .pdf may be downloaded from</p>
<tr>
<td>Hamburg, Germany</td>
<td>Shorewall.net</td>
<td><a href="http://germany.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a
href="http://germany.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall">Browse</a></td>
</tr>
@ -377,7 +387,7 @@ in the .rpm and in the .tgz). The .pdf may be downloaded from</p>
</p>
</blockquote>
<p align="left"><b></b><font size="2">Last Updated 11/11/2002 - <a
<p align="left"><font size="2">Last Updated 12/3/2002 - <a
href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
@ -391,5 +401,8 @@ in the .rpm and in the .tgz). The .pdf may be downloaded from</p>
<br>
<br>
<br>
<br>
<br>
<br>
</body>
</html>

194
STABLE/documentation/errata.htm
View File

@ -6,6 +6,7 @@
content="text/html; charset=windows-1252">
<title>Shorewall 1.3 Errata</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
@ -32,6 +33,7 @@
<ol>
<li>
<p align="left"> <b><u>I</u>f you use a Windows system to download
a corrected script, be sure to run the script through <u>
<a href="http://www.megaloman.com/%7Ehany/software/hd2u/"
@ -39,12 +41,14 @@
it to your Linux system.</b></p>
</li>
<li>
<p align="left"> <b>If you are installing Shorewall for the
first time and plan to use the .tgz and install.sh script, you can
untar the archive, replace the 'firewall' script in the untarred directory
<p align="left"> <b>If you are installing Shorewall for the first
time and plan to use the .tgz and install.sh script, you can untar
the archive, replace the 'firewall' script in the untarred directory
with the one you downloaded below, and then run install.sh.</b></p>
</li>
<li>
<p align="left"> <b>When the instructions say to install a corrected
firewall script in /etc/shorewall/firewall, /usr/lib/shorewall/firewall
or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to overwrite
@ -52,7 +56,7 @@ untar the archive, replace the 'firewall' script in the untarred director
or /var/lib/shorewall/firewall before you do that. /etc/shorewall/firewall
and /var/lib/shorewall/firewall are symbolic links that point
to the 'shorewall' file used by your system initialization scripts
to start Shorewall during boot. It is that file that must be overwritten
to start Shorewall during boot. It is that file that must be overwritten
with the corrected script.</b></p>
</li>
<li>
@ -66,19 +70,20 @@ example, do NOT install the 1.3.9a firewall script if you are running 1.3.7c.</
<ul>
<li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
<li> <b><a href="#V1.3">Problems in
Version 1.3</a></b></li>
<li> <b><a href="#V1.3">Problems
in Version 1.3</a></b></li>
<li> <b><a href="errata_2.htm">Problems
in Version 1.2</a></b></li>
<li> <b><font color="#660066"> <a
href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
<li> <b><font color="#660066">
<a href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
<li> <b><font color="#660066"><a
href="#iptables"> Problem with iptables version 1.2.3 on RH7.2</a></font></b></li>
<li> <b><a href="#Debug">Problems
with kernels &gt;= 2.4.18 and RedHat iptables</a></b></li>
<li><b><a href="#SuSE">Problems installing/upgrading RPM on SuSE</a></b></li>
<li><b><a href="#Multiport">Problems with iptables version 1.2.7
and MULTIPORT=Yes</a></b></li>
with kernels &gt;= 2.4.18 and RedHat iptables</a></b></li>
<li><b><a href="#SuSE">Problems installing/upgrading RPM on
SuSE</a></b></li>
<li><b><a href="#Multiport">Problems with iptables version
1.2.7 and MULTIPORT=Yes</a></b></li>
<li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10 and NAT</a></b><br>
</li>
@ -87,18 +92,44 @@ with kernels &gt;= 2.4.18 and RedHat iptables</a></b></li>
<hr>
<h2 align="left"><a name="V1.3"></a>Problems in Version 1.3</h2>
<h3>Version 1.3.11</h3>
<ul>
<li>When installing/upgrading using the .rpm, you may receive the following
warnings:<br>
<br>
     user teastep does not exist - using root<br>
     group teastep does not exist - using root<br>
<br>
These warnings are harmless and may be ignored. Users downloading the .rpm
from shorewall.net or mirrors should no longer see these warnings as the
.rpm you will get from there has been corrected.</li>
<li>DNAT rules that exclude a source subzone (SOURCE column contains !
followed by a sub-zone list) result in an error message and Shorewall fails
to start.<br>
<br>
Install <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.11/firewall">this
corrected script</a> in /usr/lib/shorewall/firewall to correct this problem.
Thanks go to Roger Aich who analyzed this problem and provided a fix.<br>
<br>
This problem is corrected in version 1.3.11a.<br>
</li>
</ul>
<h3>Version 1.3.10</h3>
<ul>
<li>If you experience problems connecting to a PPTP server running on
your firewall and you have a 'pptpserver' entry in /etc/shorewall/tunnels,
<li>If you experience problems connecting to a PPTP server running
on your firewall and you have a 'pptpserver' entry in /etc/shorewall/tunnels,
<a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.10/firewall">this
version of the firewall script</a> may help. Please report any cases where
installing this script in /usr/lib/shorewall/firewall solved your connection
problems. Beginning with version 1.3.10, it is safe to save the old version
of /usr/lib/shorewall/firewall before copying in the new one since /usr/lib/shorewall/firewall
is the real script now and not just a symbolic link to the real script.<br>
version of the firewall script</a> may help. Please report any cases where
installing this script in /usr/lib/shorewall/firewall solved your connection
problems. Beginning with version 1.3.10, it is safe to save the old version
of /usr/lib/shorewall/firewall before copying in the new one since /usr/lib/shorewall/firewall
is the real script now and not just a symbolic link to the real script.<br>
</li>
</ul>
@ -106,8 +137,8 @@ is the real script now and not just a symbolic link to the real script.<br>
<h3>Version 1.3.9a</h3>
<ul>
<li> If entries are used in /etc/shorewall/hosts and MERGE_HOSTS=No then
the following message appears during "shorewall [re]start":</li>
<li> If entries are used in /etc/shorewall/hosts and MERGE_HOSTS=No
then the following message appears during "shorewall [re]start":</li>
</ul>
@ -116,8 +147,8 @@ is the real script now and not just a symbolic link to the real script.<br>
<blockquote> The updated firewall script at <a
href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
corrects this problem.Copy the script to /usr/lib/shorewall/firewall as described
above.<br>
corrects this problem.Copy the script to /usr/lib/shorewall/firewall as
described above.<br>
</blockquote>
<blockquote> Alternatively, edit /usr/lob/shorewall/firewall and change the
@ -126,9 +157,9 @@ is the real script now and not just a symbolic link to the real script.<br>
</blockquote>
<ul>
<li>The installer (install.sh) issues a misleading message "Common functions
installed in /var/lib/shorewall/functions" whereas the file is installed
in /usr/lib/shorewall/functions. The installer also performs incorrectly
<li>The installer (install.sh) issues a misleading message "Common
functions installed in /var/lib/shorewall/functions" whereas the file is
installed in /usr/lib/shorewall/functions. The installer also performs incorrectly
when updating old configurations that had the file /etc/shorewall/functions.
<a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.3.9/install.sh">Here
@ -147,10 +178,10 @@ when updating old configurations that had the file /etc/shorewall/functions.
Version 1.3.8
<ul>
<li> Use of shell variables in the LOG LEVEL or SYNPARMS columns
of the policy file doesn't work.</li>
of the policy file doesn't work.</li>
<li>A DNAT rule with the same original and new IP addresses but
with different port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24
tcp 25 - 10.1.1.1")<br>
with different port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24
tcp 25 - 10.1.1.1")<br>
</li>
</ul>
@ -190,15 +221,15 @@ tcp 25 - 10.1.1.1")<br>
has two problems:</p>
<ol>
<li>If the firewall is running a
DHCP server, the client won't be able
to obtain an IP address lease from that
server.</li>
<li>If the firewall is running
a DHCP server, the client won't be
able to obtain an IP address lease
from that server.</li>
<li>With this order of checking,
the "dhcp" option cannot be used as a
noise-reduction measure where there are
both dynamic and static clients on a LAN
segment.</li>
the "dhcp" option cannot be used as
a noise-reduction measure where there
are both dynamic and static clients
on a LAN segment.</li>
</ol>
@ -300,10 +331,10 @@ segment.</li>
<h3 align="left">Version 1.3.n, n &lt; 4</h3>
<p align="left">The "shorewall start" and "shorewall restart" commands
to not verify that the zones named in the /etc/shorewall/policy
file have been previously defined in the /etc/shorewall/zones
file. The "shorewall check" command does perform this verification
so it's a good idea to run that command after you have made configuration
to not verify that the zones named in the /etc/shorewall/policy file
have been previously defined in the /etc/shorewall/zones file.
The "shorewall check" command does perform this verification so
it's a good idea to run that command after you have made configuration
changes.</p>
<h3 align="left">Version 1.3.n, n &lt; 3</h3>
@ -314,21 +345,21 @@ so it's a good idea to run that command after you have made configura
that specifies an interface that you didn't include in /etc/shorewall/interfaces.
To correct this problem, you must add an entry to /etc/shorewall/interfaces.
Shorewall 1.3.3 and later versions produce a clearer error
message in this case.</p>
message in this case.</p>
<h3 align="left">Version 1.3.2</h3>
<p align="left">Until approximately 2130 GMT on 17 June 2002, the
download sites contained an incorrect version of the .lrp file. That
file can be identified by its size (56284 bytes). The correct
version has a size of 38126 bytes.</p>
file can be identified by its size (56284 bytes). The correct version
has a size of 38126 bytes.</p>
<ul>
<li>The code to detect a duplicate interface entry in
/etc/shorewall/interfaces contained a typo that prevented it
from working correctly. </li>
<li>"NAT_BEFORE_RULES=No" was broken; it behaved just
like "NAT_BEFORE_RULES=Yes".</li>
<li>The code to detect a duplicate interface entry
in /etc/shorewall/interfaces contained a typo that prevented
it from working correctly. </li>
<li>"NAT_BEFORE_RULES=No" was broken; it behaved
just like "NAT_BEFORE_RULES=Yes".</li>
</ul>
@ -365,15 +396,15 @@ option. For example:<br>
loc    eth1    dhcp<br>
<br>
Shorewall will ignore the 'dhcp' on eth1.</li>
<li>Update 17 June 2002 - The bug described in the prior
bullet affects the following options: dhcp, dropunclean, logunclean,
norfc1918, routefilter, multi, filterping and noping. An
additional bug has been found that affects only the 'routestopped'
option.<br>
<li>Update 17 June 2002 - The bug described in the
prior bullet affects the following options: dhcp, dropunclean,
logunclean, norfc1918, routefilter, multi, filterping and
noping. An additional bug has been found that affects only
the 'routestopped' option.<br>
<br>
Users who downloaded the corrected script prior to 1850
GMT today should download and install the corrected script
again to ensure that this second problem is corrected.</li>
Users who downloaded the corrected script prior to
1850 GMT today should download and install the corrected
script again to ensure that this second problem is corrected.</li>
</ul>
@ -385,10 +416,10 @@ option.<br>
<h3 align="left">Version 1.3.0</h3>
<ul>
<li>Folks who downloaded 1.3.0 from the links on the
download page before 23:40 GMT, 29 May 2002 may have downloaded
1.2.13 rather than 1.3.0. The "shorewall version" command
will tell you which version that you have installed.</li>
<li>Folks who downloaded 1.3.0 from the links on
the download page before 23:40 GMT, 29 May 2002 may have
downloaded 1.2.13 rather than 1.3.0. The "shorewall version"
command will tell you which version that you have installed.</li>
<li>The documentation NAT.htm file uses non-existent
wallpaper and bullet graphic files. The <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.0/NAT.htm">
@ -408,17 +439,17 @@ will tell you which version that you have installed.</li>
<blockquote>
<p align="left">There are a couple of serious bugs in iptables 1.2.3 that
prevent it from working with Shorewall. Regrettably, RedHat released
this buggy iptables in RedHat 7.2. </p>
prevent it from working with Shorewall. Regrettably, RedHat
released this buggy iptables in RedHat 7.2. </p>
<p align="left"> I have built a <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
corrected 1.2.3 rpm which you can download here</a>  and I have also
built an <a
built an <a
href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
iptables-1.2.4 rpm which you can download here</a>. If you are currently
running RedHat 7.1, you can install either of these RPMs <b><u>before</u>
</b>you upgrade to RedHat 7.2.</p>
iptables-1.2.4 rpm which you can download here</a>. If you are currently
running RedHat 7.1, you can install either of these RPMs
<b><u>before</u> </b>you upgrade to RedHat 7.2.</p>
<p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat
has released an iptables-1.2.4 RPM of their own which you can download
@ -451,6 +482,7 @@ iptables-1.2.4 rpm which you can download here</a>. If you are currently
may experience the following:</p>
<blockquote>
<pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre>
</blockquote>
@ -459,9 +491,9 @@ iptables-1.2.4 rpm which you can download here</a>. If you are currently
the Netfilter 'mangle' table. You can correct the problem by installing
<a
href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
this iptables RPM</a>. If you are already running a 1.2.5 version of
iptables, you will need to specify the --oldpackage option to rpm (e.g.,
"iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
this iptables RPM</a>. If you are already running a 1.2.5 version
of iptables, you will need to specify the --oldpackage option to rpm
(e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
</blockquote>
@ -490,7 +522,7 @@ iptables-1.2.4 rpm which you can download here</a>. If you are currently
<li>set MULTIPORT=No in
/etc/shorewall/shorewall.conf; or </li>
<li>if you are running Shorewall
1.3.6 you may install
1.3.6 you may install
<a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
this firewall script</a> in /var/lib/shorewall/firewall
@ -508,23 +540,17 @@ iptables-1.2.4 rpm which you can download here</a>. If you are currently
Error message is:<br>
<pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
The solution is to put "no" in the LOCAL column. Kernel support for LOCAL=yes
has never worked properly and 2.4.18-10 has disabled it. The 2.4.19 kernel
contains corrected support under a new kernel configuraiton option; see
<a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
The solution is to put "no" in the LOCAL column. Kernel support for
LOCAL=yes has never worked properly and 2.4.18-10 has disabled it. The
2.4.19 kernel contains corrected support under a new kernel configuraiton
option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
<p><font size="2"> Last updated 11/24/2002 -
<p><font size="2"> Last updated 12/3/2002 -
<a href="support.htm">Tom Eastep</a></font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
</p>
<br>
<br>
</body>

167
STABLE/documentation/seattlefirewall_index.htm
View File

@ -52,6 +52,7 @@
</tbody>
</table>
@ -71,6 +72,7 @@
<h2 align="left">What is it?</h2>
@ -79,9 +81,9 @@
<p>The Shoreline Firewall, more commonly known as "Shorewall", is a
<a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
that can be used on a dedicated firewall system, a multi-function
<p>The Shoreline Firewall, more commonly known as "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
firewall that can be used on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system.</p>
@ -92,8 +94,8 @@
<p>This program is free software; you can redistribute it and/or modify
it under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU General
Public License</a> as published by the Free Software Foundation.<br>
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
General Public License</a> as published by the Free Software Foundation.<br>
<br>
This program
is distributed in the hope that it will be useful,
@ -121,6 +123,7 @@ Public License</a> as published by the Free Software Foundation.<br>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques
@ -131,12 +134,13 @@ Public License</a> as published by the Free Software Foundation.<br>
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
</a></p>
<p><b>Congratulations to Jacques and Eric on the recent release of Bering
1.0 Final!!! </b><br>
<p><b>Congratulations to Jacques and Eric on the recent release of
Bering 1.0 Final!!! </b><br>
</p>
<h2>This is a mirror of the main Shorewall web site at SourceForge (<a
href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
<h2>This is a mirror of the main Shorewall web site at SourceForge
(<a href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
@ -159,29 +163,48 @@ Public License</a> as published by the Free Software Foundation.<br>
<p><b>11/24/2002 - Shorewall 1.3.11</b><b> </b><b><img border="0"
<p><b>12/3/2002 - Shorewall 1.3.11a </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
<p>This is a bug-fix roll up which includes Roger Aich's fix for DNAT
with excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11 users who
don't need rules of this type need not upgrade to 1.3.11.</p>
<p><b>11/25/2002 - Shorewall 1.3.11 Documentation in PDF Format</b><b>
</b></p>
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.11
documenation. the PDF may be downloaded from</p>
<p>    <a
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
</p>
<p><b>11/24/2002 - Shorewall 1.3.11</b><b> </b><b>
</b></p>
<p>In this version:</p>
<ul>
<li>A 'tcpflags' option has been added to entries in <a
href="file:///home/teastep/Shorewall-docs/Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
This option causes Shorewall to make a set of sanity check on TCP packet
header flags.</li>
<li>It is now allowed to use 'all' in the SOURCE or DEST column in
a <a href="file:///home/teastep/Shorewall-docs/Documentation.htm#Rules">rule</a>.
When used, 'all' must appear by itself (in may not be qualified) and it does
not enable intra-zone traffic. For example, the rule <br>
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. This
option causes Shorewall to make a set of sanity check on TCP packet header
flags.</li>
<li>It is now allowed to use 'all' in the SOURCE or DEST column
in a <a href="Documentation.htm#Rules">rule</a>. When used, 'all' must
appear by itself (in may not be qualified) and it does not enable intra-zone
traffic. For example, the rule <br>
<br>
    ACCEPT loc all tcp 80<br>
<br>
does not enable http traffic from 'loc' to 'loc'.</li>
<li>Shorewall's use of the 'echo' command is now compatible with
bash clones such as ash and dash.</li>
<li>fw-&gt;fw policies now generate a startup error. fw-&gt;fw rules
generate a warning and are ignored</li>
bash clones such as ash and dash.</li>
<li>fw-&gt;fw policies now generate a startup error. fw-&gt;fw
rules generate a warning and are ignored</li>
</ul>
<p><b>11/14/2002 - Shorewall Documentation in PDF Format</b><b>
@ -212,24 +235,24 @@ generate a warning and are ignored</li>
<ul>
<li>You may now <a href="IPSEC.htm#Dynamic">define the
contents of a zone dynamically</a> with the <a
<li>You may now <a href="IPSEC.htm#Dynamic">define
the contents of a zone dynamically</a> with the <a
href="starting_and_stopping_shorewall.htm">"shorewall add" and "shorewall
delete" commands</a>. These commands are expected to be used primarily
within <a href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a>
updown scripts.</li>
<li>Shorewall can now do<a
href="MAC_Validation.html"> MAC verification</a> on ethernet segments.
You can specify the set of allowed MAC addresses on the segment and
you can optionally tie each MAC address to one or more IP addresses.</li>
You can specify the set of allowed MAC addresses on the segment and
you can optionally tie each MAC address to one or more IP addresses.</li>
<li>PPTP Servers and Clients running on the firewall
system may now be defined in the<a href="PPTP.htm"> /etc/shorewall/tunnels</a>
system may now be defined in the<a href="PPTP.htm"> /etc/shorewall/tunnels</a>
file.</li>
<li>A new 'ipsecnat' tunnel type is supported for use
when the <a href="IPSEC.htm">remote IPSEC endpoint is behind
a NAT gateway</a>.</li>
<li>The PATH used by Shorewall may now be specified in
<a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
<li>A new 'ipsecnat' tunnel type is supported for
use when the <a href="IPSEC.htm">remote IPSEC endpoint is
behind a NAT gateway</a>.</li>
<li>The PATH used by Shorewall may now be specified
in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
<li>The main firewall script is now /usr/lib/shorewall/firewall.
The script in /etc/init.d/shorewall is very small and uses /sbin/shorewall
to do the real work. This change makes custom distributions such as
@ -244,6 +267,7 @@ a NAT gateway</a>.</li>
<blockquote>
<pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm</pre>
</blockquote>
@ -252,7 +276,7 @@ a NAT gateway</a>.</li>
href="http://www.gentoo.org"><br>
</a></p>
Alexandru Hartmann reports that his Shorewall package
is now a part of <a href="http://www.gentoo.org">the Gentoo
is now a part of <a href="http://www.gentoo.org">the Gentoo
Linux distribution</a>. Thanks Alex!<br>
@ -263,24 +287,25 @@ Linux distribution</a>. Thanks Alex!<br>
<ul>
<li>You may now <a href="IPSEC.htm#Dynamic">define
the contents of a zone dynamically</a> with the <a
href="starting_and_stopping_shorewall.htm">"shorewall add" and "shorewall
delete" commands</a>. These commands are expected to be used primarily
within <a href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a>
updown scripts.</li>
<li>You may now <a
href="IPSEC.htm#Dynamic">define the contents of a zone dynamically</a>
with the <a href="starting_and_stopping_shorewall.htm">"shorewall add" and
"shorewall delete" commands</a>. These commands are expected
to be used primarily within <a
href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a> updown
scripts.</li>
<li>Shorewall can now do<a
href="MAC_Validation.html"> MAC verification</a> on ethernet segments.
You can specify the set of allowed MAC addresses on the segment and
you can optionally tie each MAC address to one or more IP addresses.</li>
You can specify the set of allowed MAC addresses on the segment
and you can optionally tie each MAC address to one or more IP addresses.</li>
<li>PPTP Servers and Clients running on the
firewall system may now be defined in the<a href="PPTP.htm"> /etc/shorewall/tunnels</a>
firewall system may now be defined in the<a href="PPTP.htm"> /etc/shorewall/tunnels</a>
file.</li>
<li>A new 'ipsecnat' tunnel type is supported
for use when the <a href="IPSEC.htm">remote IPSEC endpoint
is behind a NAT gateway</a>.</li>
<li>The PATH used by Shorewall may now be specified
in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
<li>The PATH used by Shorewall may now be
specified in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
<li>The main firewall script is now /usr/lib/shorewall/firewall.
The script in /etc/init.d/shorewall is very small and uses /sbin/shorewall
to do the real work. This change makes custom distributions such
@ -319,11 +344,12 @@ firewall system may now be defined in the<a href="PPTP.htm"> /etc/shore
<p><b>10/9/2002 - Shorewall 1.3.9b </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
This release rolls up fixes to the installer
and to the firewall script.<br>
and to the firewall script.<br>
<b><br>
10/6/2002 - Shorewall.net now running on RH8.0
</b><b><img border="0" src="images/new10.gif" width="28"
@ -343,12 +369,14 @@ and to the firewall script.<br>
<p><b>9/30/2002 - TUNNELS Broken in 1.3.9!!!</b><b>
</b></p>
<img src="images/j0233056.gif"
alt="Brown Paper Bag" width="50" height="86" align="left">
There is an updated firewall script at
<a
<img
src="images/j0233056.gif" alt="Brown Paper Bag" width="50" height="86"
align="left">
There is an updated firewall script
at <a
href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
-- copy that file to /usr/lib/shorewall/firewall.<br>
@ -356,18 +384,21 @@ and to the firewall script.<br>
<p><b><br>
</b></p>
<p><b><br>
</b></p>
<p><b><br>
9/28/2002 - Shorewall 1.3.9 </b><b>
</b></p>
@ -386,20 +417,20 @@ and to the firewall script.<br>
<ul>
<li><a
href="configuration_file_basics.htm#dnsnames">DNS Names</a> are now
allowed in Shorewall config files (although I recommend against
using them).</li>
allowed in Shorewall config files (although I recommend
against using them).</li>
<li>The connection SOURCE
may now be qualified by both interface and IP address in
a <a href="Documentation.htm#Rules">Shorewall rule</a>.</li>
<li>Shorewall startup is
now disabled after initial installation until the file
/etc/shorewall/startup_disabled is removed. This avoids nasty
surprises at reboot for users who install Shorewall but don't
configure it.</li>
<li>The 'functions' and 'version'
files and the 'firewall' symbolic link have been moved
from /var/lib/shorewall to /usr/lib/shorewall to appease
the LFS police at Debian.<br>
may now be qualified by both interface and IP address
in a <a href="Documentation.htm#Rules">Shorewall rule</a>.</li>
<li>Shorewall startup
is now disabled after initial installation until the
file /etc/shorewall/startup_disabled is removed. This avoids
nasty surprises at reboot for users who install Shorewall
but don't configure it.</li>
<li>The 'functions' and
'version' files and the 'firewall' symbolic link have been
moved from /var/lib/shorewall to /usr/lib/shorewall to appease
the LFS police at Debian.<br>
</li>
@ -415,6 +446,7 @@ the LFS police at Debian.<br>
<p><a href="News.htm">More News</a></p>
@ -423,6 +455,7 @@ the LFS police at Debian.<br>
<h2><a name="Donations"></a>Donations</h2>
</td>
@ -440,6 +473,7 @@ the LFS police at Debian.<br>
</div>
<table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c">
@ -462,8 +496,9 @@ the LFS police at Debian.<br>
<p align="center"><font size="4" color="#ffffff">Shorewall is free but
if you try it and find it useful, please consider making a donation
<p align="center"><font size="4" color="#ffffff">Shorewall is free
but if you try it and find it useful, please consider making a donation
to <a href="http://www.starlight.org"><font
color="#ffffff">Starlight Children's Foundation.</font></a> Thanks!</font></p>
</td>
@ -471,16 +506,14 @@ if you try it and find it useful, please consider making a donation
</tbody>
</table>
<p><font size="2">Updated 11/24/2002 - <a href="support.htm">Tom Eastep</a></font>
<p><font size="2">Updated 12/3/2002 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
<br>
<br>
<br>
</p>
</body>
</html>

40
STABLE/documentation/shoreline.htm
View File

@ -37,14 +37,14 @@
</p>
<ul>
<li>Born 1945 in <a href="http://www.experiencewashington.com">Washington
State</a> .</li>
<li>Born 1945 in <a
href="http://www.experiencewashington.com">Washington State</a> .</li>
<li>BA Mathematics from <a href="http://www.wsu.edu">Washington
State University</a> 1967</li>
State University</a> 1967</li>
<li>MA Mathematics from <a href="http://www.washington.edu">University
of Washington</a> 1969</li>
<li>Burroughs Corporation (now <a href="http://www.unisys.com">Unisys</a>
) 1969 - 1980</li>
<li>Burroughs Corporation (now <a
href="http://www.unisys.com">Unisys</a> ) 1969 - 1980</li>
<li><a href="http://www.tandem.com">Tandem Computers, Incorporated</a>
(now part of the <a href="http://www.hp.com">The New HP</a>) 1980 - present</li>
<li>Married 1969 - no children.</li>
@ -56,8 +56,8 @@ State University</a> 1967</li>
<p>I became interested in Internet Security when I established a home office
in 1999 and had DSL service installed in our home. I investigated
ipchains and developed the scripts which are now collectively known as <a
href="http://seawall.sourceforge.net"> Seattle Firewall</a>. Expanding
ipchains and developed the scripts which are now collectively known as
<a href="http://seawall.sourceforge.net"> Seattle Firewall</a>. Expanding
on what I learned from Seattle Firewall, I then designed and wrote
Shorewall. </p>
@ -68,22 +68,23 @@ ipchains and developed the scripts which are now collectively known as <a
<ul>
<li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &amp; 8GB IDE
HDs and LNE100TX (Tulip) NIC - My personal Windows system. Also has
HDs and LNE100TX (Tulip) NIC - My personal Windows system. Also has
RedHat 8.0 installed.</li>
<li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip) NIC
- My personal Linux System which runs Samba configured as a WINS server.
This system also has <a href="http://www.vmware.com/">VMware</a> installed
and can run both <a href="http://www.debian.org">Debian Woody</a>
and <a href="http://www.suse.com">SuSE 8.1</a> in virtual machines.</li>
<li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip)
NIC - My personal Linux System which runs Samba configured as a WINS
server. This system also has <a href="http://www.vmware.com/">VMware</a>
installed and can run both <a href="http://www.debian.org">Debian
Woody</a> and <a href="http://www.suse.com">SuSE 8.1</a> in virtual
machines.</li>
<li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC  - Mail
(Postfix &amp; Courier-IMAP), HTTP (Apache), FTP (Pure_ftpd), DNS server
(Bind).</li>
<li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI HD - 3 LNE100TX 
(Tulip) and 1 TLAN NICs  - Firewall running Shorewall 1.3.9a  and a DHCP
(Tulip) and 1 TLAN NICs  - Firewall running Shorewall 1.3.11  and a DHCP
server.  Also runs PoPToP for road warrior access.</li>
<li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - My wife's
personal system.</li>
<li>PII/400 Laptop, Win2k SP2, 224MB RAM, 12GB HD, onboard EEPRO100
<li>PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB HD, onboard EEPRO100
and EEPRO100 in expansion base and LinkSys WAC11 - My main work system.</li>
</ul>
@ -105,10 +106,11 @@ and <a href="http://www.suse.com">SuSE 8.1</a> in virtual machines.</li>
src="images/apache_pb1.gif" hspace="2" width="170" height="20">
</a> </font></p>
<p><font size="2">Last updated 10/28/2002 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
<p><font size="2">Last updated 11/24/2002 - </font><font size="2">
<a href="support.htm">Tom Eastep</a></font> </p>
<font face="Trebuchet MS"><a href="copyright.htm"><font
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
<br>
<br>
<br>
<br>

28
STABLE/documentation/shorewall_quickstart_guide.htm
View File

@ -31,8 +31,8 @@
</tbody>
</table>
<p align="center">With thanks to Richard who reminded me once again that we
must all first walk before we can run.</p>
<p align="center">With thanks to Richard who reminded me once again that
we must all first walk before we can run.</p>
<h2>The Guides</h2>
@ -54,9 +54,9 @@ acting as a firewall/router for a small local network</li>
quickly in the three most common Shorewall configurations.</p>
<p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> outlines
the steps necessary to set up a firewall where <b>there are multiple public
IP addresses involved or if you want to learn more about Shorewall than
is explained in the single-address guides above.</b></p>
the steps necessary to set up a firewall where <b>there are multiple
public IP addresses involved or if you want to learn more about Shorewall
than is explained in the single-address guides above.</b></p>
<ul>
<li><a href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a></li>
@ -92,6 +92,7 @@ your Network</a>
<ul>
<li><a href="shorewall_setup_guide.htm#NonRouted">5.2 Non-routed</a>
<ul>
<li><a href="shorewall_setup_guide.htm#SNAT">5.2.1 SNAT</a></li>
<li><a href="shorewall_setup_guide.htm#DNAT">5.2.2 DNAT</a></li>
@ -110,7 +111,7 @@ and Ends</a></li>
</li>
<li><a href="shorewall_setup_guide.htm#DNS">6.0 DNS</a></li>
<li><a href="shorewall_setup_guide.htm#StartingAndStopping">7.0
Starting and Stopping the Firewall</a></li>
Starting and Stopping the Firewall</a></li>
</ul>
@ -154,7 +155,8 @@ Starting and Stopping the Firewall</a></li>
<li><font color="#000099"><a
href="Documentation.htm#Interfaces">interfaces</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#Hosts">hosts</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#Policy">policy</a></font></li>
<li><font color="#000099"><a
href="Documentation.htm#Policy">policy</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#Rules">rules</a></font></li>
<li><a href="Documentation.htm#Common">common</a></li>
<li><font color="#000099"><a href="Documentation.htm#Masq">masq</a></font></li>
@ -175,8 +177,8 @@ Starting and Stopping the Firewall</a></li>
</li>
<li><a href="dhcp.htm">DHCP</a></li>
<li><font color="#000099"><a
href="shorewall_extension_scripts.htm">Extension Scripts</a></font>
(How to extend Shorewall without modifying Shorewall code)</li>
href="shorewall_extension_scripts.htm">Extension Scripts</a></font> (How
to extend Shorewall without modifying Shorewall code)</li>
<li><a href="fallback.htm">Fallback/Uninstall</a></li>
<li><a href="shorewall_firewall_structure.htm">Firewall Structure</a></li>
<li><font color="#000099"><a href="kernel.htm">Kernel Configuration</a></font></li>
@ -194,10 +196,12 @@ Starting and Stopping the Firewall</a></li>
<li><a href="samba.htm">Samba</a></li>
<li><font color="#000099"><a
href="starting_and_stopping_shorewall.htm">Starting/stopping the Firewall</a></font></li>
<ul>
<li>Description of all /sbin/shorewall commands</li>
<li>How to safely test a Shorewall configuration change<br>
</li>
</ul>
<li><font color="#000099"><a href="NAT.htm">Static NAT</a></font></li>
<li><a href="traffic_shaping.htm">Traffic Shaping/Control</a></li>
@ -218,10 +222,10 @@ Starting and Stopping the Firewall</a></li>
<p>If you use one of these guides and have a suggestion for improvement <a
href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
<p><font size="2">Last modified 11/19/2002 - <a
href="file:///J:/Shorewall/Shorewall-docs/support.htm">Tom Eastep</a></font></p>
<p><font size="2">Last modified 11/19/2002 - <a href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright 2002 Thomas M. Eastep</font></a><br>
</p>
</p>
<br>
</body>
</html>

66
STABLE/documentation/support.htm
View File

@ -30,12 +30,12 @@
</tbody>
</table>
<h3 align="left"> <span style="font-weight: 400;"><i> "<font size="3">It is
easier to post a problem than to use your own brain" </font>-- </i> <font
<h3 align="left"> <span style="font-weight: 400;"><i> "<font size="3">It
is easier to post a problem than to use your own brain" </font>-- </i> <font
size="2">Wietse Venema (creator of <a href="http://www.postfix.org">Postfix</a>)</font></span></h3>
<p align="left"> <i>"Any sane computer will tell you how it works -- you just
have to ask it the right questions" </i>-- <font size="2">Tom Eastep</font></p>
<p align="left"> <i>"Any sane computer will tell you how it works -- you
just have to ask it the right questions" </i>-- <font size="2">Tom Eastep</font></p>
<blockquote> </blockquote>
@ -46,10 +46,10 @@ easier to post a problem than to use your own brain" </font>-- </i> <font
<h3 align="left">Before Reporting a Problem</h3>
<b><i>"Reading the documentation fully is a prerequisite to getting help
for your particular situation. I know it's harsh but you will have to get
so far on your own before you can get reasonable help from a list full of
busy people. A mailing list is not a tool to speed up your day by being spoon
fed</i></b><i><b>".</b> </i>-- Simon White<br>
for your particular situation. I know it's harsh but you will have to get
so far on your own before you can get reasonable help from a list full of
busy people. A mailing list is not a tool to speed up your day by being
spoon fed</i></b><i><b>".</b> </i>-- Simon White<br>
<p>There are also a number of sources for problem solution information.</p>
@ -99,40 +99,46 @@ about similar problems:</li>
<h3 align="left">Problem Reporting Guideline</h3>
<ul>
<li>When reporting a problem, give as much information as you can.
Reports that say "I tried XYZ and it didn't work" are not at all helpful.</li>
<li>Please don't describe your environment and then ask us to send
you custom configuration files. We're here to answer your questions
but we can't do your job for you.</li>
<li>When reporting a problem, give as much information as you
can. Reports that say "I tried XYZ and it didn't work" are not at all
helpful.</li>
<li>Please don't describe your environment and then ask us to
send you custom configuration files. We're here to answer your
questions but we can't do your job for you.</li>
<li>Do you see any "Shorewall" messages in /var/log/messages
when you exercise the function that is giving you problems?</li>
<li>Have you looked at the packet flow with a tool like tcpdump
to try to understand what is going on?</li>
<li>Have you tried using the diagnostic capabilities of the
application that isn't working? For example, if "ssh" isn't able
to connect, using the "-v" option gives you a lot of valuable diagnostic
information.</li>
to connect, using the "-v" option gives you a lot of valuable diagnostic
information.</li>
<li>Please include any of the Shorewall configuration files (especially
the /etc/shorewall/hosts file if you have modified that file) that you
think are relevant. If an error occurs when you try to "shorewall start",
include a trace (See the <a href="troubleshoot.htm">Troubleshooting</a>
the /etc/shorewall/hosts file if you have modified that file) that
you think are relevant. If an error occurs when you try to "shorewall
start", include a trace (See the <a href="troubleshoot.htm">Troubleshooting</a>
section for instructions).</li>
<li>The list server limits posts to 120kb so don't post GIFs of
your network layout, etc to the Mailing List -- your post will
be rejected.</li>
your network layout, etc to the Mailing List -- your post will
be rejected.</li>
</ul>
<h3>Where to Send your Problem Report or to Ask for Help</h3>
<b>If you run Shorewall on Mandrake 9.0 </b>-- send your problem
reports and questions to MandrakeSoft. I ordered a Mandrake 9.0 boxed set
on October 3, 2002; MandrakeSoft issued a charge against my credit card
on October 4, 2002 (they are really effecient at that part of the order
process) and I haven't heard a word from them since (although their news
letters boast that 9.0 boxed sets have been shipping for the last two weeks).
If they can't fill my 9.0 order within <u>6 weeks after they have billed
my credit card</u> then I refuse to spend my free time supporting of their
product for them.<br>
on October 3, 2002; MandrakeSoft issued a charge against my credit card on
October 4, 2002 (they are very effecient at that part of the order process)
and I haven't heard a word from them since (although their news letters
boast that 9.0 boxed sets have been shipping for the last two weeks). If
they can't fill my 9.0 order within <u>6 weeks after they have billed my
credit card</u> then I refuse to spend my free time supporting their product
for them.<br>
<br>
<b>Mandrake Update - 11/26/2002 - </b>Mandrake have informed me that "Your
order is part of a batch of which was not correctly sent to our shipping
handler, and so unfortunately was not processed". They further assure me
that these mishandled orders will begin shipping on 12/2/2002.<br>
<h4>If you run Shorewall under Bering -- <span style="font-weight: 400;">please
post your question or problem to the <a
@ -153,11 +159,11 @@ product for them.<br>
href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a>
.</p>
<p align="left"><font size="2">Last Updated 11/19//2002 - Tom Eastep</font></p>
<p align="left"><font size="2">Last Updated 12/2/2002 - Tom Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
</p>
</p>
<br>
</body>
</html>

101
STABLE/documentation/troubleshoot.htm
View File

@ -18,7 +18,10 @@
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Troubleshooting</font></h1>
<h1 align="center"><font color="#ffffff">Shorewall Troubleshooting<img
src="images/obrasinf.gif" alt="Beating head on table" width="90"
height="90" align="middle">
</font></h1>
</td>
</tr>
@ -37,8 +40,9 @@ of the firewall.</p>
problems.</p>
<h3 align="left">If the firewall fails to start</h3>
If you receive an error message when starting or restarting the firewall
and you can't determine the cause, then do the following:
If you receive an error message when starting or restarting the
firewall and you can't determine the cause, then do the following:
<ul>
<li>shorewall debug start 2&gt; /tmp/trace</li>
<li>Look at the /tmp/trace file and see if that helps you determine
@ -52,17 +56,17 @@ of the firewall.</p>
<p>Many times when people have problems with Shorewall, the problem is
actually an ill-conceived network setup. Here are several popular snafus:
</p>
</p>
<ul>
<li>Port Forwarding where client and server are in the same
subnet. See <a href="FAQ.htm">FAQ 2.</a></li>
<li>Port Forwarding where client and server are in the
same subnet. See <a href="FAQ.htm">FAQ 2.</a></li>
<li>Changing the IP address of a local system to be in the external
subnet, thinking that Shorewall will suddenly believe that the system
is in the 'net' zone.</li>
<li>Multiple interfaces connected to the same HUB or Switch. Given
the way that the Linux kernel respond to ARP "who-has" requests, this
type of setup does NOT work the way that you expect it to.</li>
the way that the Linux kernel respond to ARP "who-has" requests, this
type of setup does NOT work the way that you expect it to.</li>
</ul>
@ -71,8 +75,8 @@ type of setup does NOT work the way that you expect it to.</li>
<p align="left">If the appropriate policy for the connection that you are
trying to make is ACCEPT, please DO NOT ADD ADDITIONAL ACCEPT RULES TRYING
TO MAKE IT WORK. Such additional rules will NEVER make it work, they add
clutter to your rule set and they represent a big security hole in the event
that you forget to remove them later.</p>
clutter to your rule set and they represent a big security hole in the event
that you forget to remove them later.</p>
<p align="left">I also recommend against setting all of your policies to
ACCEPT in an effort to make something work. That robs you of one of
@ -80,10 +84,10 @@ that you forget to remove them later.</p>
will generate when you try to connect in a way that isn't permitted
by your rule set.</p>
<p align="left">Check your log. If you don't see Shorewall messages, then
your problem is probably NOT a Shorewall problem. If you DO see packet messages,
it may be an indication that you are missing one or more rules -- see <a
href="FAQ.htm#faq17">FAQ 17</a>.</p>
<p align="left">Check your log ("/sbin/shorewall show log"). If you don't
see Shorewall messages, then your problem is probably NOT a Shorewall problem.
If you DO see packet messages, it may be an indication that you are missing
one or more rules -- see <a href="FAQ.htm#faq17">FAQ 17</a>.</p>
<p align="left">While you are troubleshooting, it is a good idea to clear
two variables in /etc/shorewall/shorewall.conf:</p>
@ -98,14 +102,15 @@ that you forget to remove them later.</p>
<font face="Century Gothic, Arial, Helvetica">
<p align="left"><font face="Courier">Jun 27 15:37:56 gateway kernel:
Shorewall:all2all:REJECT:IN=eth2 OUT=eth1 SRC=192.168.2.2 DST=192.168.1.3
LEN=67 TOS=0x00 PREC=0x00 TTL=63 ID=5805 DF PROTO=UDP SPT=1803 DPT=53 LEN=47</font></p>
LEN=67 TOS=0x00 PREC=0x00 TTL=63 ID=5805 DF PROTO=UDP SPT=1803 DPT=53
LEN=47</font></p>
</font>
<p align="left">Let's look at the important parts of this message:</p>
<ul>
<li>all2all:REJECT - This packet was REJECTed out of the all2all chain
-- the packet was rejected under the "all"-&gt;"all" REJECT policy (see
<a href="FAQ.htm#faq17">FAQ 17).</a></li>
<li>all2all:REJECT - This packet was REJECTed out of the all2all
chain -- the packet was rejected under the "all"-&gt;"all" REJECT policy
(see <a href="FAQ.htm#faq17">FAQ 17).</a></li>
<li>IN=eth2 - the packet entered the firewall via eth2</li>
<li>OUT=eth1 - if accepted, the packet would be sent on eth1</li>
<li>SRC=192.168.2.2 - the packet was sent by 192.168.2.2</li>
@ -122,7 +127,7 @@ that you forget to remove them later.</p>
</p>
<p align="left">See <a href="FAQ.htm#faq17">FAQ 17</a> for additional information
about how to interpret the chain name appearing in a Shorewall log message.<br>
about how to interpret the chain name appearing in a Shorewall log message.<br>
</p>
<h3 align="left">Other Gotchas</h3>
@ -131,61 +136,61 @@ about how to interpret the chain name appearing in a Shorewall log message.<br>
<li>Seeing rejected/dropped packets logged out of the INPUT or FORWARD
chains? This means that:
<ol>
<li>your zone definitions are screwed up and the host that is sending
the packets or the destination host isn't in any zone (using an
<a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a> file are
you?); or</li>
<li>the source and destination hosts are both connected to the same
interface and that interface doesn't have the 'multi' option specified
in <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
<li>your zone definitions are screwed up and the host that is
sending the packets or the destination host isn't in any zone (using
an <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a> file
are you?); or</li>
<li>the source and destination hosts are both connected to the
same interface and that interface doesn't have the 'multi' option
specified in <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
</ol>
</li>
<li>Remember that Shorewall doesn't automatically allow ICMP type
8 ("ping") requests to be sent between zones. If you want pings to be
allowed between zones, you need a rule of the form:<br>
<li>Remember that Shorewall doesn't automatically allow ICMP
type 8 ("ping") requests to be sent between zones. If you want pings
to be allowed between zones, you need a rule of the form:<br>
<br>
    ACCEPT    &lt;source zone&gt;    &lt;destination zone&gt;   
icmp    echo-request<br>
<br>
The ramifications of this can be subtle. For example, if you have
the following in /etc/shorewall/nat:<br>
the following in /etc/shorewall/nat:<br>
<br>
    10.1.1.2    eth0    130.252.100.18<br>
<br>
and you ping 130.252.100.18, unless you have allowed icmp type 8
between the zone containing the system you are pinging from and the
and you ping 130.252.100.18, unless you have allowed icmp type
8 between the zone containing the system you are pinging from and the
zone containing 10.1.1.2, the ping requests will be dropped. This is
true even if you have NOT specified 'noping' for eth0 in /etc/shorewall/interfaces.</li>
<li>If you specify "routefilter" for an interface, that interface
must be up prior to starting the firewall.</li>
<li>Is your routing correct? For example, internal systems usually
need to be configured with their default gateway set to the IP address
of their nearest firewall interface. One often overlooked aspect of routing
is that in order for two hosts to communicate, the routing between them
must be set up <u>in both directions.</u> So when setting up routing
need to be configured with their default gateway set to the IP address
of their nearest firewall interface. One often overlooked aspect of
routing is that in order for two hosts to communicate, the routing between
them must be set up <u>in both directions.</u> So when setting up routing
between <b>A</b> and<b> B</b>, be sure to verify that the route from
<b>B</b> back to <b>A</b> is defined.</li>
<li>Some versions of LRP (EigerStein2Beta for example) have a
shell with broken variable expansion. <a
shell with broken variable expansion. <a
href="ftp://ftp.shorewall.net/pub/shorewall/ash.gz"> You can get a corrected
shell from the Shorewall Errata download site.</a> </li>
<li>Do you have your kernel properly configured? <a
href="kernel.htm">Click here to see my kernel configuration.</a> </li>
<li>Some features require the "ip" program. That program is generally
included in the "iproute" package which should be included with your
distribution (though many distributions don't install iproute by
default). You may also download the latest source tarball from <a
<li>Some features require the "ip" program. That program is
generally included in the "iproute" package which should be included
with your distribution (though many distributions don't install iproute
by default). You may also download the latest source tarball from <a
href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank"> ftp://ftp.inr.ac.ru/ip-routing</a>
.</li>
<li>If you have <u>any</u> entry for a zone in /etc/shorewall/hosts
then the zone must be entirely defined in /etc/shorewall/hosts unless
you have specified MERGE_HOSTS=Yes (Shorewall version 1.3.5 and later).
For example, if a zone has two interfaces but only one interface has an
entry in /etc/shorewall/hosts then hosts attached to the other interface
will <u>not</u> be considered part of the zone.</li>
For example, if a zone has two interfaces but only one interface has an
entry in /etc/shorewall/hosts then hosts attached to the other interface
will <u>not</u> be considered part of the zone.</li>
<li>Problems with NAT? Be sure that you let Shorewall add all
external addresses to be use with NAT unless you have set <a
external addresses to be use with NAT unless you have set <a
href="Documentation.htm#Aliases"> ADD_IP_ALIASES</a> =No in /etc/shorewall/shorewall.conf.</li>
</ul>
@ -196,10 +201,12 @@ external addresses to be use with NAT unless you have set <a
<font face="Century Gothic, Arial, Helvetica">
<blockquote> </blockquote>
</font>
<p><font size="2">Last updated 11/21/2002 - Tom Eastep</font> </p>
<p><font size="2">Last updated 11/24/2002 - Tom Eastep</font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
</p>
</p>
<br>
<br>
</body>
</html>

2
STABLE/fallback.sh
View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=1.3.11
VERSION=1.3.11a
usage() # $1 = exit status
{

2
STABLE/install.sh
View File

@ -54,7 +54,7 @@
# /etc/rc.d/rc.local file is modified to start the firewall.
#
VERSION=1.3.11
VERSION=1.3.11a
usage() # $1 = exit status
{

4
STABLE/shorewall.spec
View File

@ -1,5 +1,5 @@
%define name shorewall
%define version 1.3.11
%define version 1.3.11a
%define release 1
%define prefix /usr
@ -101,6 +101,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog
* Tue Dec 03 2002 Tom Eastep <tom@shorewall.net>
- Changes version to 1.3.11a
* Sun Nov 24 2002 Tom Eastep <tom@shorewall.net>
- Changes version to 1.3.11
* Sat Nov 09 2002 Tom Eastep <tom@shorewall.net>

2
STABLE/uninstall.sh
View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall
VERSION=1.3.11
VERSION=1.3.11a
usage() # $1 = exit status
{