extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-02-19 11:11:22 +01:00
Code Issues Packages Projects Releases Wiki Activity

Shorewall-1.4.6b

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@684 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2003-08-05 18:38:21 +00:00
parent b2729de062
commit 1f72beecc8
33 changed files with 14457 additions and 13546 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
STABLE/changelog.txt
View File

@ -56,3 +56,7 @@ Changes since 1.4.5
MANGLE_ENABLED is set before it is tested.
24. Fixed MAC address handling in the SOURCE column of tcrules.
25. Disabled 'stop' command when startup is disabled.
26. Fixed adding addresses to ppp interfaces.

1209
STABLE/documentation/Documentation.htm
View File

File diff suppressed because it is too large Load Diff

853
STABLE/documentation/FAQ.htm
View File

File diff suppressed because it is too large Load Diff

2410
STABLE/documentation/News.htm
View File

File diff suppressed because it is too large Load Diff

71
STABLE/documentation/Shorewall_Squid_Usage.html
View File

@ -48,18 +48,18 @@
height="13">
&nbsp;&nbsp;&nbsp; </b>In all cases, Squid should be configured
to run as a transparent proxy as described at <a
href="http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html">http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html</a>.<br>
href="http://tldp.org/HOWTO/mini/TransparentProxy.html">http://tldp.org/HOWTO/mini/TransparentProxy.html</a>.<br>
<b><br>
</b><b><img src="images/BD21298_3.gif" alt="" width="13"
height="13">
&nbsp;&nbsp;&nbsp; </b>The following instructions mention the
files /etc/shorewall/start and /etc/shorewall/init -- if you don't have
those files, siimply create them.<br>
&nbsp;&nbsp;&nbsp; </b>The following instructions mention
the files /etc/shorewall/start and /etc/shorewall/init -- if you don't
have those files, siimply create them.<br>
<br>
<b><img src="images/BD21298_3.gif" alt="" width="13"
height="13">
</b>&nbsp;&nbsp;&nbsp; When the Squid server is in the DMZ
zone or in the local zone, that zone must be defined ONLY by its interface
zone or in the local zone, that zone must be defined ONLY by its interface
-- no /etc/shorewall/hosts file entries. That is because the packets
being routed to the Squid server still have their original destination
IP addresses.<br>
@ -67,7 +67,7 @@ IP addresses.<br>
<b><img src="images/BD21298_3.gif" alt="" width="13"
height="13">
</b>&nbsp;&nbsp;&nbsp; You must have iptables installed on
your Squid server.<br>
your Squid server.<br>
<br>
<b><img src="images/BD21298_3.gif" alt="" width="13"
height="13">
@ -83,8 +83,8 @@ your Squid server.<br>
Three different configurations are covered:<br>
<ol>
<li><a href="Shorewall_Squid_Usage.html#Firewall">Squid running
on the Firewall.</a></li>
<li><a href="Shorewall_Squid_Usage.html#Firewall">Squid
running on the Firewall.</a></li>
<li><a href="Shorewall_Squid_Usage.html#Local">Squid running
in the local network</a></li>
<li><a href="Shorewall_Squid_Usage.html#DMZ">Squid running
@ -93,12 +93,13 @@ your Squid server.<br>
</ol>
<h2><a name="Firewall"></a>Squid Running on the Firewall</h2>
You want to redirect all local www connection requests EXCEPT
those to your
own http server (206.124.146.177)
to a Squid
transparent proxy running on the firewall and listening on
port 3128. Squid will of course require access to remote web servers.<br>
You want to redirect all local www connection requests
EXCEPT those to your
own http server
(206.124.146.177) to a Squid
transparent proxy running on the firewall
and listening on port 3128. Squid will of course require access
to remote web servers.<br>
<br>
In /etc/shorewall/rules:<br>
<br>
@ -144,24 +145,24 @@ port 3128. Squid will of course require access to remote web servers.
</table>
<br>
</blockquote>
There may be a requirement to exclude additional destination hosts
or networks from being redirected. For example, you might also want requests
destined for 130.252.100.0/24 to not be routed to Squid. In that case, you
must add a manual rule in /etc/shorewall/start:<br>
There may be a requirement to exclude additional destination
hosts or networks from being redirected. For example, you might also want
requests destined for 130.252.100.0/24 to not be routed to Squid. In that
case, you must add a manual rule in /etc/shorewall/start:<br>
<blockquote>
<pre>run_iptables -t nat -I loc_dnat -p tcp --dport www -d 130.252.100.0/24 -j RETURN<br></pre>
</blockquote>
&nbsp;To exclude additional hosts or networks, just add additional similar
rules.<br>
&nbsp;To exclude additional hosts or networks, just add additional
similar rules.<br>
<h2><a name="Local"></a>Squid Running in the local network</h2>
You want to redirect all local www connection requests
to a Squid transparent
proxy running in your local zone at 192.168.1.3 and listening on
port 3128. Your local interface is eth1. There may also be a web server
running on 192.168.1.3. It is assumed that web access is already enabled
from the local zone to the internet.<br>
to a Squid transparent
proxy running in your local zone at 192.168.1.3 and listening
on port 3128. Your local interface is eth1. There may also be a web
server running on 192.168.1.3. It is assumed that web access is already
enabled from the local zone to the internet.<br>
<p><font color="#ff0000"><b>WARNING: </b></font>This setup may conflict with
other aspects of your gateway including but not limited to traffic
@ -255,6 +256,7 @@ from the local zone to the internet.<br>
</td>
</tr>
</tbody>
</table>
</li>
@ -304,7 +306,7 @@ from the local zone to the internet.<br>
<ul>
<li>On 192.168.1.3, arrange for the following command to
be executed after networking has come up<br>
be executed after networking has come up<br>
<pre><b><font color="#009900">iptables -t nat -A PREROUTING -i eth0 -d ! 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 3128</font></b><br></pre>
</li>
@ -312,8 +314,7 @@ be executed after networking has come up<br>
</ul>
<blockquote> If you are running RedHat on the server, you can simply execute
the following commands after you have typed the iptables command
above:<br>
the following commands after you have typed the iptables command above:<br>
</blockquote>
<blockquote>
@ -402,8 +403,8 @@ above:<br>
</tbody>
</table>
</blockquote>
C) Run Shorewall 1.3.14 or later and add the following entry in
/etc/shorewall/tcrules:<br>
C) Run Shorewall 1.3.14 or later and add the following entry
in /etc/shorewall/tcrules:<br>
</blockquote>
<blockquote>
@ -511,7 +512,7 @@ above:<br>
<ul>
<li>On 192.0.2.177 (your Web/Squid server), arrange for
the following command to be executed after networking has come up<br>
the following command to be executed after networking has come up<br>
<pre><font color="#009900"><b>iptables -t nat -A PREROUTING -i eth0 -d ! 192.0.2.177 -p tcp --dport 80 -j REDIRECT --to-ports 3128</b></font><br></pre>
</li>
@ -519,8 +520,7 @@ the following command to be executed after networking has come up<br>
</ul>
<blockquote> If you are running RedHat on the server, you can simply execute
the following commands after you have typed the iptables command
above:<br>
the following commands after you have typed the iptables command above:<br>
</blockquote>
<blockquote>
@ -532,13 +532,10 @@ above:<br>
<blockquote> </blockquote>
<p><font size="-1"> Updated 7/18/2003 - <a href="support.htm">Tom Eastep</a>
<p><font size="-1"> Updated 8/4/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<a href="copyright.htm"><font size="2">Copyright</font>
&copy; <font size="2">2003 Thomas M. Eastep.</font></a><br>
<br>
<br>
<br>
</body>
</html>

86
STABLE/documentation/Shorewall_and_Aliased_Interfaces.html
View File

@ -27,20 +27,21 @@
<h2>Background</h2>
The traditional net-tools contain a program called <i>ifconfig</i>
which is used to configure network devices. ifconfig introduced the concept
of <i>aliased </i>or <i>virtial </i>interfaces. These virtual interfaces
have names of the form <i>interface</i>:<i>integer </i>(e.g., eth0:0)
and ifconfig treats them more or less like real interfaces.<br>
which is used to configure network devices. ifconfig introduced the
concept of <i>aliased </i>or <i>virtual </i>interfaces. These virtual
interfaces have names of the form <i>interface</i>:<i>integer </i>(e.g.,
eth0:0) and ifconfig treats them more or less like real interfaces.<br>
<br>
Example:<br>
<pre>[root@gateway root]# ifconfig eth0:0<br>eth0:0 Link encap:Ethernet HWaddr 02:00:08:3:FA:55<br> inet addr:206.124.146.178 Bcast:206.124.146.255 Mask:255.255.255.0<br> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br> Interrupt:11 Base address:0x2000<br>[root@gateway root]# <br></pre>
The ifconfig utility is being gradually phased out in favor of the
<i>ip</i> utility which is part of the <i>iproute </i>package. The ip utility
does not use the concept of aliases or virtual interfaces but rather treats
additional addresses on an interface as objects. The ip utility does provide
for interaction with ifconfig in that it allows addresses to be <i>labeled
</i>and labels may take the form of ipconfig virtual interfaces.<br>
<i>ip</i> utility which is part of the <i>iproute </i>package. The ip
utility does not use the concept of aliases or virtual interfaces but rather
treats additional addresses on an interface as objects in their own right.
The ip utility does provide for interaction with ifconfig in that it allows
addresses to be <i>labeled </i>where these labels take the form of ipconfig
virtual interfaces.<br>
<br>
Example:<br>
<br>
@ -51,18 +52,35 @@ for interaction with ifconfig in that it allows addresses to be <i>labeled
<pre>[root@gateway root]# ip addr show dev eth0:0<br>Device "eth0:0" does not exist.<br>[root@gateway root]#<br></pre>
The iptables program doesn't support virtual interfaces in either
it's "-i" or "-o" command options; as a consequence, Shorewall does not
allow them to be used in the /etc/shorewall/interfaces file.<br>
<br>
it's "-i" or "-o" command options; as a consequence, Shorewall does not
allow them to be used in the /etc/shorewall/interfaces file or anywhere
else except as described in the discussion below. <br>
<br>
<h2>Adding Addresses to Interfaces</h2>
Shorewall provides facilities for automatically adding addresses to interfaces
as described in the following section. It is also easy to add them yourself
using the <b>ip</b> utility. The above alias was added using:<br>
<blockquote><b><font color="#009900">ip addr add 206.124.146.178/24 brd 206.124.146.255
dev eth0 label eth0:0</font></b><br>
</blockquote>
You probably want to arrange to add these addresses when the device is started
rather than placing commands like the above in one of the Shorewall extension
scripts. For example, on RedHat systems, you can place the commands in /sbin/ifup-local:<br>
<br>
<blockquote>
<pre>#!/bin/sh<br><br>case $1 in<br> eth0)<br> /sbin/ip addr add 206.124.146.177 dev eth0 label eth0:0<br> ;;<br>esac&nbsp;<br></pre>
</blockquote>
RedHat systems also allow adding such aliases from the network administration
GUI (which works well if you have a graphical environment on your firewall).<br>
<h2>So how do I handle more than one address on an interface?</h2>
The answer depends on what you are trying to do with the interfaces.
In the sub-sections that follow, we'll take a look at common scenarios.<br>
<h3>Separate Rules</h3>
If you need to make a rule for traffic to/from the firewall itself
that only applies to a particular IP address, simply qualify the $FW zone
with the IP address.<br>
that only applies to a particular IP address, simply qualify the $FW zone
with the IP address.<br>
<br>
Example (allow SSH from net to eth0:0 above):<br>
<br>
@ -91,7 +109,7 @@ with the IP address.<br>
</td>
<td valign="top">net<br>
</td>
<td valign="top">fw:206.124.146.178<br>
<td valign="top">$FW:206.124.146.178<br>
</td>
<td valign="top">tcp<br>
</td>
@ -109,9 +127,9 @@ with the IP address.<br>
</blockquote>
<h3>DNAT</h3>
Suppose that I had set up eth0:0 as above and I wanted to port forward
from that virtual interface to a web server running in my local zone
at 192.168.1.3. That is accomplised by a single rule in the /etc/shorewall/rules
Suppose that I had set up eth0:0 as above and I wanted to port
forward from that virtual interface to a web server running in my local
zone at 192.168.1.3. That is accomplised by a single rule in the /etc/shorewall/rules
file:<br>
<br>
@ -185,8 +203,8 @@ at 192.168.1.3. That is accomplised by a single rule in the /etc/shorewall/ru
</table>
<br>
</blockquote>
Shorewall can create the alias (additional address) for you if you
set ADD_SNAT_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning
Shorewall can create the alias (additional address) for you if
you set ADD_SNAT_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning
with Shorewall 1.3.14, Shorewall can actually create the "label" (virtual
interface) so that you can see the created address using ifconfig. In
addition to setting ADD_SNAT_ALIASES=Yes, you specify the virtual interface
@ -216,10 +234,10 @@ name in the INTERFACE column as follows:<br>
</table>
</blockquote>
Shorewall can also set up SNAT to round-robin over a range of IP addresses.
Do do that, you specify a range of IP addresses in the ADDRESS column. If
you specify a label in the INTERFACE column, Shorewall will use that label
for the first address of the range and will increment the label by one for
each subsequent label.<br>
Do do that, you specify a range of IP addresses in the ADDRESS column. If
you specify a label in the INTERFACE column, Shorewall will use that label
for the first address of the range and will increment the label by one for
each subsequent label.<br>
<br>
<blockquote>
@ -253,7 +271,7 @@ each subsequent label.<br>
<h3>STATIC NAT</h3>
If you wanted to use static NAT to link eth0:0 with local address
192.168.1.3, you would have the following in /etc/shorewall/nat:<br>
192.168.1.3, you would have the following in /etc/shorewall/nat:<br>
<br>
<blockquote>
@ -288,9 +306,9 @@ each subsequent label.<br>
</table>
<br>
</blockquote>
Shorewall can create the alias (additional address) for you if you
set ADD_IP_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with
Shorewall 1.3.14, Shorewall can actually create the "label" (virtual
Shorewall can create the alias (additional address) for you if
you set ADD_IP_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning
with Shorewall 1.3.14, Shorewall can actually create the "label" (virtual
interface) so that you can see the created address using ifconfig. In
addition to setting ADD_IP_ALIASES=Yes, you specify the virtual interface
name in the INTERFACE column as follows:<br>
@ -491,8 +509,8 @@ and eth1:0 is 192.168.20.254. You want to simply route all requests between
</table>
<br>
</blockquote>
Note 1: If you are running Shorewall 1.3.10 or earlier then you must
specify the <b>multi</b> option.<br>
Note 1: If you are running Shorewall 1.3.10 or earlier then you
must specify the <b>multi</b> option.<br>
<br>
In /etc/shorewall/policy:<br>
<br>
@ -530,7 +548,7 @@ and eth1:0 is 192.168.20.254. You want to simply route all requests between
<br>
</blockquote>
Example 2: Local interface eth1 interfaces to 192.168.1.0/24 and
192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and
192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and
eth1:0 is 192.168.20.254. You want to make these subnetworks into separate
zones and control the access between them (the users of the systems do
not have administrative privileges).<br>
@ -601,8 +619,8 @@ not have administrative privileges).<br>
</table>
<br>
</blockquote>
Note 1: If you are running Shorewall 1.3.10 or earlier then you must
specify the <b>multi</b> option.<br>
Note 1: If you are running Shorewall 1.3.10 or earlier then you
must specify the <b>multi</b> option.<br>
<br>
In /etc/shorewall/hosts:<br>
@ -642,7 +660,7 @@ not have administrative privileges).<br>
that you want to permit.<br>
<br>
<p align="left"><font size="2">Last Updated 6/22/2003 A - <a
<p align="left"><font size="2">Last Updated 7/29/2003 A - <a
href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy;

61
STABLE/documentation/Shorewall_index_frame.htm
View File

@ -2,18 +2,23 @@
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Index</title>
<base
target="main">
<base target="main">
<meta name="Microsoft Theme" content="none">
</head>
<body>
@ -24,10 +29,16 @@
<tbody>
<tr>
<td
width="100%" height="90">
width="100%" height="90" align="center">
<div align="center">
</div>
<a href="http://www.shorewall.net" target="_top"><img
border="0" src="images/ProtectedBy.png" width="200" height="42"
hspace="4" alt="(Shorewall Logo)" align="middle" vspace="4">
<h3 align="center"><font color="#ffffff">Shorewall</font></h3>
</a><br>
<br>
</td>
</tr>
<tr>
@ -35,6 +46,8 @@
width="100%" bgcolor="#ffffff">
<ul>
<li> <a
href="seattlefirewall_index.htm">Home</a></li>
@ -71,36 +84,17 @@
href="upgrade_issues.htm">Upgrade Issues</a></li>
<li> <a
href="support.htm">Getting help or Answers to Questions</a></li>
<li><a href="http://lists.shorewall.net">Mailing Lists</a><a
href="http://lists.shorewall.net"> </a><br>
<li><a href="http://lists.shorewall.net">Mailing
Lists</a><a href="http://lists.shorewall.net"> </a><br>
</li>
<li><a href="shorewall_mirrors.htm">Mirrors</a>
<ul>
<li><a
target="_top" href="http://slovakia.shorewall.net">Slovak Republic</a></li>
<li><a
target="_top" href="http://shorewall.infohiiway.com">Texas, USA</a></li>
<li><a
target="_top" href="http://germany.shorewall.net">Germany</a></li>
<li><a target="_top"
href="http://france.shorewall.net">France</a></li>
<li><a href="http://shorewall.syachile.cl"
target="_top">Chile</a></li>
<li><a href="http://shorewall.greshko.com"
target="_top">Taiwan</a></li>
<li><a href="http://argentina.shorewall.net"
target="_top">Argentina</a></li>
<li><a href="http://shorewall.securityopensource.org.br"
target="_top">Brazil</a><br>
</li>
<li><a
href="http://www.shorewall.net" target="_top">Washington State, USA</a><br>
</li>
<ul>
@ -110,13 +104,7 @@
</ul>
<ul>
<li> <a
href="News.htm">News Archive</a></li>
<li> <a href="News.htm">News Archive</a></li>
<li> <a
href="Shorewall_CVS_Access.html">CVS Repository</a></li>
<li> <a
@ -137,11 +125,14 @@
</td>
</tr>
</tbody>
</table>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001-2003 Thomas M. Eastep.</font></a><br>
</p>
</p>
<br>
<br>
</body>
</html>

54
STABLE/documentation/Shorewall_sfindex_frame.htm
View File

@ -35,11 +35,17 @@
width="100%" bgcolor="#ffffff">
<ul>
<li> <a
href="seattlefirewall_index.htm">Home</a></li>
<li> <a
href="shorewall_features.htm">Features</a></li>
<li>
<a href="shorewall_features.htm">Features</a></li>
<li><a href="Shorewall_Doesnt.html">What it Cannot Do</a><br>
</li>
<li> <a
@ -73,47 +79,15 @@
href="support.htm">Getting help or Answers to Questions</a>
</li>
<li><a
href="http://lists.shorewall.net">Mailing Lists</a> <br>
</li>
href="http://lists.shorewall.net">Mailing Lists</a></li>
<li><a
href="shorewall_mirrors.htm">Mirrors</a>
href="shorewall_mirrors.htm">Mirrors</a></li>
<ul>
<li><a
target="_top" href="http://slovakia.shorewall.net">Slovak Republic</a></li>
<li><a
target="_top" href="http://shorewall.infohiiway.com">Texas, USA</a></li>
<li><a
target="_top" href="http://germany.shorewall.net">Germany</a></li>
<li><a target="_top"
href="http://france.shorewall.net">France</a></li>
<li><a href="http://shorewall.syachile.cl"
target="_top">Chile</a></li>
<li><a href="http://shorewall.greshko.com"
target="_top">Taiwan</a></li>
<li><a href="http://argentina.shorewall.net"
target="_top">Argentina</a></li>
<li><a href="http://shorewall.securityopensource.org.br"
target="_top">Brazil</a><br>
</li>
<li><a
href="http://www.shorewall.net" target="_top">Washington State, USA</a><br>
</li>
</ul>
</li>
</ul>
<ul>
<li> <a
href="News.htm">News Archive</a></li>
<li> <a
href="Shorewall_CVS_Access.html">CVS Repository</a></li>
@ -130,6 +104,7 @@
href="seattlefirewall_index.htm#Donations">Donations</a></li>
</ul>
</td>
</tr>
@ -139,6 +114,7 @@
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001-2003 Thomas M. Eastep.</font></a><br>
</p>
</p>
<br>
</body>
</html>

31
STABLE/documentation/blacklisting_support.htm
View File

@ -31,7 +31,8 @@
<h2>Static Blacklisting</h2>
<p>Shorewall static blacklisting support has the following configuration parameters:</p>
<p>Shorewall static blacklisting support has the following configuration
parameters:</p>
<ul>
<li>You specify whether you want packets from blacklisted hosts dropped
@ -42,15 +43,15 @@
href="Documentation.htm#BLLoglevel">BLACKLIST_LOGLEVEL</a> setting in
/etc/shorewall/shorewall.conf</li>
<li>You list the IP addresses/subnets that you wish to blacklist in
<a href="Documentation.htm#Blacklist">/etc/shorewall/blacklist.</a> Beginning
with Shorewall version 1.3.8, you may also specify PROTOCOL and Port numbers/Service
names in the blacklist file.<br>
<a href="Documentation.htm#Blacklist">/etc/shorewall/blacklist.</a>
Beginning with Shorewall version 1.3.8, you may also specify PROTOCOL and
Port numbers/Service names in the blacklist file.<br>
</li>
<li>You specify the interfaces whose incoming packets you want checked
against the blacklist using the "<a
href="Documentation.htm#Interfaces">blacklist</a>" option in /etc/shorewall/interfaces.</li>
<li>The black list is refreshed from /etc/shorewall/blacklist by the
"<a href="Documentation.htm#Starting">shorewall refresh</a>" command.</li>
"<a href="Documentation.htm#Starting">shorewall refresh</a>" command.</li>
</ul>
@ -61,19 +62,20 @@
/sbin/shorewall commands:</p>
<ul>
<li>drop <i>&lt;ip address list&gt; </i>- causes packets from the listed
IP addresses to be silently dropped by the firewall.</li>
<li>drop <i>&lt;ip address list&gt; </i>- causes packets from the
listed IP addresses to be silently dropped by the firewall.</li>
<li>reject <i>&lt;ip address list&gt; </i>- causes packets from the
listed IP addresses to be rejected by the firewall.</li>
listed IP addresses to be rejected by the firewall.</li>
<li>allow <i>&lt;ip address list&gt; </i>- re-enables receipt of packets
from hosts previously blacklisted by a <i>deny</i> or <i>reject</i> command.</li>
<li>save - save the dynamic blacklisting configuration so that it will
be automatically restored the next time that the firewall is restarted.</li>
from hosts previously blacklisted by a <i>drop</i> or <i>reject</i>
command.</li>
<li>save - save the dynamic blacklisting configuration so that it
will be automatically restored the next time that the firewall is restarted.</li>
<li>show dynamic - displays the dynamic blacklisting configuration.</li>
</ul>
Dynamic blacklisting is <u>not</u> dependent on the "blacklist" option in
/etc/shorewall/interfaces.<br>
Dynamic blacklisting is <u>not</u> dependent on the "blacklist" option
in /etc/shorewall/interfaces.<br>
<p>Example 1:</p>
@ -87,7 +89,7 @@ listed IP addresses to be rejected by the firewall.</li>
<p>    Reenables access from 192.0.2.125.</p>
<p><font size="2">Last updated 2/7/2003 - <a href="support.htm">Tom Eastep</a></font></p>
<p><font size="2">Last updated 7/27/2003 - <a href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2002, 2003 Thomas M. Eastep.</font></a></font></p>
@ -95,5 +97,6 @@ listed IP addresses to be rejected by the firewall.</li>
<br>
<br>
<br>
<br>
</body>
</html>

24
STABLE/documentation/download.htm
View File

@ -30,7 +30,7 @@
<p><b>I strongly urge you to read and print a copy of the <a
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
for the configuration that most closely matches your own.<br>
for the configuration that most closely matches your own.<br>
</b></p>
<p>The entire set of Shorewall documentation is available in PDF format at:</p>
@ -42,8 +42,8 @@ for the configuration that most closely matches your own.<br>
href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>
</p>
<p>The documentation in HTML format is included in the .rpm and in the
.tgz packages below.</p>
<p>The documentation in HTML format is included in the .rpm and in the .tgz
packages below.</p>
<p> Once you've printed the appropriate QuickStart Guide, download <u>
one</u> of the modules:</p>
@ -54,7 +54,7 @@ for the configuration that most closely matches your own.<br>
with a 2.4 kernel, you can use the RPM version (note: the
RPM should also work with other distributions that store
init scripts in /etc/init.d and that include chkconfig
or insserv). If you find that it works in other cases, let <a
or insserv). If you find that it works in other cases, let <a
href="mailto:teastep@shorewall.net"> me</a> know so that
I can mention them here. See the <a href="Install.htm">Installation
Instructions</a> if you have problems installing the RPM.</li>
@ -63,7 +63,7 @@ or insserv). If you find that it works in other cases, let <a
have a copy of the documentation).</li>
<li>If you run <a
href="http://www.debian.org"><b>Debian</b></a> and would
like a .deb package, Shorewall is included in both the <a
like a .deb package, Shorewall is included in both the <a
href="http://packages.debian.org/testing/net/shorewall.html">Debian
Testing Branch</a> and the <a
href="http://packages.debian.org/unstable/net/shorewall.html">Debian Unstable
@ -89,9 +89,8 @@ have a copy of the documentation).</li>
<p><font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY INSTALL
THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed
configuration of your firewall, you can enable startup by removing
the file /etc/shorewall/startup_disabled.</b></font></p>
IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed configuration
of your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.</b></font></p>
<p><b></b></p>
@ -128,7 +127,7 @@ the file /etc/shorewall/startup_disabled.</b></font></p>
<td><a
href="http://shorewall.infohiiway.com/pub/shorewall">Browse</a></td>
<td><a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/">Browse</a></td>
href="ftp://ftp.infohiiway.com/pub/shorewall/">Browse (Temporarily Unavailable)</a></td>
</tr>
<tr>
<td>Hamburg, Germany</td>
@ -199,8 +198,8 @@ the file /etc/shorewall/startup_disabled.</b></font></p>
<p align="left">The <a target="_top"
href="http://cvs.shorewall.net/Shorewall_CVS_Access.html">CVS repository
at cvs.shorewall.net</a> contains the latest snapshots of the
each Shorewall component. There's no guarantee that what you
find there will work at all.<br>
each Shorewall component. There's no guarantee that what you find
there will work at all.<br>
</p>
</blockquote>
@ -216,7 +215,7 @@ find there will work at all.<br>
</p>
</blockquote>
<p align="left"><font size="2">Last Updated 7/15/2003 - <a
<p align="left"><font size="2">Last Updated 8/4/2003 - <a
href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
@ -230,5 +229,6 @@ find there will work at all.<br>
<br>
<br>
<br>
<br>
</body>
</html>

158
STABLE/documentation/errata.htm
View File

@ -24,6 +24,7 @@
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1>
</td>
</tr>
@ -45,31 +46,31 @@
</li>
<li>
<p align="left"> <b>If you are installing Shorewall for the
first time and plan to use the .tgz and install.sh script, you can
untar the archive, replace the 'firewall' script in the untarred directory
<p align="left"> <b>If you are installing Shorewall for the first
time and plan to use the .tgz and install.sh script, you can untar
the archive, replace the 'firewall' script in the untarred directory
with the one you downloaded below, and then run install.sh.</b></p>
</li>
<li>
<p align="left"> <b>When the instructions say to install a corrected
firewall script in /usr/share/shorewall/firewall, you
may rename the existing file before copying in the new file.</b></p>
firewall script in /usr/share/shorewall/firewall,
you may rename the existing file before copying in the new file.</b></p>
</li>
<li>
<p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW.
For example, do NOT install the 1.3.9a firewall script if you are
running 1.3.7c.</font></b><br>
ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER
BELOW. For example, do NOT install the 1.3.9a firewall script
if you are running 1.3.7c.</font></b><br>
</p>
</li>
</ol>
<ul>
<li><b><a href="upgrade_issues.htm">Upgrade
Issues</a></b></li>
<li><b><a
href="upgrade_issues.htm">Upgrade Issues</a></b></li>
<li><b><a href="#V1.4">Problems in Version 1.4</a></b><br>
</li>
<li> <b><a
@ -82,16 +83,16 @@ untar the archive, replace the 'firewall' script in the untarred director
color="#660066"><a href="#iptables"> Problem with iptables version 1.2.3
on RH7.2</a></font></b></li>
<li> <b><a
href="#Debug">Problems with kernels &gt;= 2.4.18 and
RedHat iptables</a></b></li>
href="#Debug">Problems with kernels &gt;= 2.4.18 and RedHat
iptables</a></b></li>
<li><b><a href="#SuSE">Problems installing/upgrading
RPM on SuSE</a></b></li>
<li><b><a href="#Multiport">Problems
with iptables version 1.2.7 and MULTIPORT=Yes</a></b></li>
with iptables version 1.2.7 and MULTIPORT=Yes</a></b></li>
<li><b><a href="#NAT">Problems with RH Kernel
2.4.18-10 and NAT</a></b></li>
<li><b><a href="#REJECT">Problems with RH Kernels after 2.4.20-9 and
REJECT (also applies to 2.4.21-RC1) <img src="images/new10.gif"
REJECT (also applies to 2.4.21-RC1) <img src="images/new10.gif"
alt="(New)" width="28" height="12" border="0">
</a><br>
</b></li>
@ -103,17 +104,49 @@ REJECT (also applies to 2.4.21-RC1) <img src="images/new10.gif"
<h3></h3>
<h3>1.4.6</h3>
<ul>
<li>If TC_ENABLED is set to yes in shorewall.conf then Shorewall would
fail to start with the error "ERROR:  Traffic Control requires Mangle";
that problem has been corrected in <a
href="http://shorewall.net/pub/shorewall/errata/1.4.6/firewall">this firewall
script</a> which may be installed in /var/share/shorewall/firewall as described
above. This problem is also corrected in bugfix release 1.4.6a.</li>
<li>This problem occurs in all versions supporting traffic control. If
a MAC address is used in the SOURCE column, an error occurs as follows:<br>
<br>
     <font size="3"><tt>iptables v1.2.8: Bad mac adress `00:08:B5:35:52:E7-d`</tt></font><br>
<br>
For Shorewall 1.4.6 and 1.4.6a users, this problem has been corrected in
<a href="http://shorewall.net/pub/shorewall/errata/1.4.6/firewall">this
firewall script</a> which may be installed in /var/share/shorewall/firewall
as described above. For all other versions, you will have to edit your 'firewall'
script (in versions 1.4.*, it is located in /usr/share/shorewall/firewall).
Locate the function add_tcrule_() and in that function, replace this line:<br>
<br>
    r=`mac_match $source` <br>
<br>
with<br>
<br>
     r="`mac_match $source` "<br>
<br>
Note that there must be a space before the ending quote!<br>
</li>
</ul>
<h3>1.4.4b</h3>
<ul>
<li>Shorewall is ignoring records in /etc/shorewall/routestopped that
have an empty second column (HOSTS). This problem may be corrected by installing
<a
<li>Shorewall is ignoring records in /etc/shorewall/routestopped
that have an empty second column (HOSTS). This problem may be corrected
by installing <a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4b/firewall"
target="_top">this firewall script</a> in /usr/share/shorewall/firewall
as described above.</li>
target="_top">this firewall script</a> in /usr/share/shorewall/firewall as
described above.</li>
<li>The INCLUDE directive doesn't work when placed in the /etc/shorewall/zones
file. This problem may be corrected by installing <a
file. This problem may be corrected by installing <a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4b/functions"
target="_top">this functions script</a> in /usr/share/shorewall/functions.<br>
</li>
@ -123,13 +156,13 @@ file. This problem may be corrected by installing <a
<h3>1.4.4-1.4.4a</h3>
<ul>
<li>Log messages are being displayed on the system console even though
the log level for the console is set properly according to <a
<li>Log messages are being displayed on the system console even
though the log level for the console is set properly according to <a
href="FAQ.htm#faq16">FAQ 16</a>. This problem may be corrected by installing
<a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4a/firewall"
target="_top">this firewall script</a> in /usr/share/shorewall/firewall
as described above.<br>
target="_top">this firewall script</a> in /usr/share/shorewall/firewall as
described above.<br>
</li>
</ul>
@ -138,9 +171,9 @@ as described above.<br>
</h3>
<ul>
<li> If you have zone names that are 5 characters long, you may experience
problems starting Shorewall because the --log-prefix in a logging rule is
too long. Upgrade to Version 1.4.4a to fix this problem..</li>
<li> If you have zone names that are 5 characters long, you may
experience problems starting Shorewall because the --log-prefix in a logging
rule is too long. Upgrade to Version 1.4.4a to fix this problem..</li>
</ul>
@ -165,11 +198,11 @@ with fireparse here at shorewall.net. The updated files may be found at
<ul>
<li>When an 'add' or 'delete' command is executed, a temporary
directory created in /tmp is not being removed. This problem may be corrected
by installing <a
directory created in /tmp is not being removed. This problem may be corrected
by installing <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.2/firewall"
target="_top">this firewall script</a> in /usr/share/shorewall/firewall
as described above. <br>
target="_top">this firewall script</a> in /usr/share/shorewall/firewall as
described above. <br>
</li>
</ul>
@ -178,8 +211,8 @@ as described above. <br>
<ul>
<li>Some TCP requests are rejected in the 'common' chain with
an ICMP port-unreachable response rather than the more appropriate TCP
RST response. This problem is corrected in <a
an ICMP port-unreachable response rather than the more appropriate TCP
RST response. This problem is corrected in <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.1a/common.def"
target="_top">this updated common.def file</a> which may be installed in
/etc/shorewall/common.def.<br>
@ -191,7 +224,7 @@ RST response. This problem is corrected in <a
<ul>
<li>When a "shorewall check" command is executed, each "rule"
produces the harmless additional message:<br>
produces the harmless additional message:<br>
<br>
     /usr/share/shorewall/firewall: line 2174: [: =: unary operator
expected<br>
@ -208,8 +241,8 @@ produces the harmless additional message:<br>
<ul>
<li>When running under certain shells Shorewall will attempt
to create ECN rules even when /etc/shorewall/ecn is empty. You may either
just remove /etc/shorewall/ecn or you can install <a
to create ECN rules even when /etc/shorewall/ecn is empty. You may
either just remove /etc/shorewall/ecn or you can install <a
href="http://www.shorewall.net/pub/shorewall/errata/1.4.0/firewall">this
correct script</a> in /usr/share/shorewall/firewall as described above.<br>
</li>
@ -234,18 +267,18 @@ to create ECN rules even when /etc/shorewall/ecn is empty. You may either
<p align="left"> I have built a <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
corrected 1.2.3 rpm which you can download here</a>  and
I have also built an <a
I have also built an <a
href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
iptables-1.2.4 rpm which you can download here</a>. If you are currently
iptables-1.2.4 rpm which you can download here</a>. If you are currently
running RedHat 7.1, you can install either of these RPMs
<b><u>before</u> </b>you upgrade to RedHat 7.2.</p>
<p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat
has released an iptables-1.2.4 RPM of their own which you
can download from<font color="#ff6633"> <a
has released an iptables-1.2.4 RPM of their own which
you can download from<font color="#ff6633"> <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
</font>I have installed this RPM on my firewall and it
works fine.</p>
</font>I have installed this RPM on my firewall and
it works fine.</p>
<p align="left">If you would like to patch iptables 1.2.3 yourself,
the patches are available for download. This <a
@ -264,14 +297,15 @@ iptables-1.2.4 rpm which you can download here</a>. If you are currently
</ul>
</blockquote>
<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18
and RedHat iptables</h3>
<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18 and
RedHat iptables</h3>
<blockquote>
<p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19
may experience the following:</p>
<blockquote>
<pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre>
</blockquote>
@ -280,9 +314,10 @@ and RedHat iptables</h3>
the Netfilter 'mangle' table. You can correct the problem by
installing <a
href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
this iptables RPM</a>. If you are already running a 1.2.5
version of iptables, you will need to specify the --oldpackage
option to rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
this iptables RPM</a>. If you are already running a
1.2.5 version of iptables, you will need to specify the
--oldpackage option to rpm (e.g., "iptables -Uvh --oldpackage
iptables-1.2.5-1.i386.rpm").</p>
</blockquote>
<h3><a name="SuSE"></a>Problems installing/upgrading
@ -302,14 +337,14 @@ and RedHat iptables</h3>
<p>The iptables 1.2.7 release of iptables has made an incompatible
change to the syntax used to specify multiport match rules;
as a consequence, if you install iptables 1.2.7 you
must be running Shorewall 1.3.7a or later or:</p>
must be running Shorewall 1.3.7a or later or:</p>
<ul>
<li>set
MULTIPORT=No in /etc/shorewall/shorewall.conf;
or </li>
<li>if you
are running Shorewall 1.3.6 you may
MULTIPORT=No in /etc/shorewall/shorewall.conf;
or </li>
<li>if
you are running Shorewall 1.3.6 you may
install <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
this firewall script</a> in /var/lib/shorewall/firewall
@ -319,8 +354,8 @@ or </li>
<h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br>
</h3>
/etc/shorewall/nat entries of the following form
will result in Shorewall being unable to start:<br>
/etc/shorewall/nat entries of the following
form will result in Shorewall being unable to start:<br>
<br>
<pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22    eth0    192.168.9.22   yes     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
@ -329,27 +364,28 @@ or </li>
<pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
The solution is to put "no" in the LOCAL column.
Kernel support for LOCAL=yes has never worked properly and 2.4.18-10
has disabled it. The 2.4.19 kernel contains corrected support under
a new kernel configuraiton option; see <a
has disabled it. The 2.4.19 kernel contains corrected support
under a new kernel configuraiton option; see <a
href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
<br>
<h3><a name="REJECT"></a><b> Problems with RH Kernels after 2.4.20-9 and
REJECT (also applies to 2.4.21-RC1)</b></h3>
<h3><a name="REJECT"></a><b> Problems with RH Kernels after 2.4.20-9 and REJECT
(also applies to 2.4.21-RC1)</b></h3>
Beginning with errata kernel 2.4.20-13.9, "REJECT --reject-with tcp-reset"
is broken. The symptom most commonly seen is that REJECT rules act just
like DROP rules when dealing with TCP. A kernel patch and precompiled modules
to fix this problem are available at <a
to fix this problem are available at <a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel"
target="_top">ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel</a>.<br>
<hr>
<p><font size="2"> Last updated 6/13/2003 - <a href="support.htm">Tom
Eastep</a></font> </p>
<p><font size="2"> Last updated 7/23/2003 - <a href="support.htm">Tom Eastep</a></font>
</p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
<br>
</body>
</html>

BIN
STABLE/documentation/images/network.png
View File

Binary file not shown.

94
STABLE/documentation/mailing_list.htm
View File

@ -12,6 +12,7 @@
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Mailing Lists</title>
<meta name="Microsoft Theme" content="none">
</head>
<body>
@ -42,6 +43,7 @@
</td>
<td valign="middle" width="34%" align="center">
<h1 align="center"><font color="#ffffff">Shorewall Mailing Lists</font></h1>
</td>
<td valign="middle" width="33%">
@ -77,14 +79,14 @@
<h2 align="left">Not able to Post Mail to shorewall.net?</h2>
<p align="left">You can report such problems by sending mail to tmeastep at
hotmail dot com.</p>
<p align="left">You can report such problems by sending mail to tmeastep
at hotmail dot com.</p>
<h2>A Word about the SPAM Filters at Shorewall.net <a
href="http://osirusoft.com/"> </a></h2>
<p>Please note that the mail server at shorewall.net checks
incoming mail:<br>
<p>Please note that the mail server at shorewall.net
checks incoming mail:<br>
</p>
<ol>
@ -102,30 +104,31 @@ an A or MX record in DNS.</li>
</ol>
<h2>Please post in plain text</h2>
A growing number of MTAs serving list subscribers are
rejecting all HTML traffic. At least one MTA has gone so far as to
blacklist shorewall.net "for continuous abuse" because it has been
my policy to allow HTML in list posts!!<br>
A growing number of MTAs serving list subscribers
are rejecting all HTML traffic. At least one MTA has gone so far
as to blacklist shorewall.net "for continuous abuse" because it has
been my policy to allow HTML in list posts!!<br>
<br>
I think that blocking all HTML is a Draconian way to
control spam and that the ultimate losers here are not the spammers
I think that blocking all HTML is a Draconian way
to control spam and that the ultimate losers here are not the spammers
but the list subscribers whose MTAs are bouncing all shorewall.net
mail. As one list subscriber wrote to me privately "These e-mail admin's
need to get a <i>(explitive deleted)</i> life instead of trying to rid
the planet of HTML based e-mail". Nevertheless, to allow subscribers
to receive list posts as must as possible, I have now configured the
list server at shorewall.net to strip all HTML from outgoing posts.
This means that HTML-only posts will be bounced by the list server.<br>
list server at shorewall.net to strip all HTML from outgoing posts. This
means that HTML-only posts will be bounced by the list server.<br>
<p align="left"> <b>Note: </b>The list server limits posts to 120kb.<br>
</p>
<h2>Other Mail Delivery Problems</h2>
If you find that you are missing an occasional list post,
your e-mail admin may be blocking mail whose <i>Received:</i> headers
contain the names of certain ISPs. Again, I believe that such policies
hurt more than they help but I'm not prepared to go so far as to start
stripping <i>Received:</i> headers to circumvent those policies.<br>
If you find that you are missing an occasional list
post, your e-mail admin may be blocking mail whose <i>Received:</i>
headers contain the names of certain ISPs. Again, I believe that such
policies hurt more than they help but I'm not prepared to go so far
as to start stripping <i>Received:</i> headers to circumvent those
policies.<br>
<h2 align="left">Mailing Lists Archive Search</h2>
@ -138,11 +141,13 @@ This means that HTML-only posts will be bounced by the list server.<br>
<option value="boolean">Boolean </option>
</select>
Format:
<select name="format">
<option value="builtin-long">Long </option>
<option value="builtin-short">Short </option>
</select>
Sort by:
<select name="sort">
<option value="score">Score </option>
<option value="time">Time </option>
@ -159,9 +164,9 @@ This means that HTML-only posts will be bounced by the list server.<br>
name="words" value=""> <input type="submit" value="Search"> </p>
</form>
<h2 align="left"><font color="#ff0000">Please do not try to download the entire
Archive -- it is 75MB (and growing daily) and my slow DSL line simply won't
stand the traffic. If I catch you, you will be blacklisted.<br>
<h2 align="left"><font color="#ff0000">Please do not try to download the
entire Archive -- it is 75MB (and growing daily) and my slow DSL line simply
won't stand the traffic. If I catch you, you will be blacklisted.<br>
</font></h2>
<h2 align="left">Shorewall CA Certificate</h2>
@ -170,8 +175,8 @@ stand the traffic. If I catch you, you will be blacklisted.<br>
you may <a href="Shorewall_CA_html.html">download and install my CA certificate</a>
in your browser. If you don't wish to trust my certificates
then you can either use unencrypted access when subscribing to
Shorewall mailing lists or you can use secure access (SSL) and
accept the server's certificate when prompted by your browser.<br>
Shorewall mailing lists or you can use secure access (SSL) and accept
the server's certificate when prompted by your browser.<br>
<h2 align="left">Shorewall Users Mailing List</h2>
@ -180,31 +185,16 @@ accept the server's certificate when prompted by your browser.<br>
of general interest to the Shorewall user community is also
posted to this list.</p>
<p align="left"><b>Before posting a problem report to this list, please see
the <a href="http://www.shorewall.net/support.htm">problem
reporting guidelines</a>.</b></p>
<p align="left">To subscribe to the mailing list:<br>
</p>
<ul>
<li><b>Insecure: </b><a
href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a></li>
<li><b>SSL:</b> <a
href="https://lists.shorewall.net/mailman/listinfo/shorewall-users"
target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-users</a></li>
</ul>
<p align="left">To post to the list, post to <a
href="mailto:shorewall-users@lists.shorewall.net">shorewall-users@lists.shorewall.net</a>.</p>
<p align="left"><b>To post a problem report to this list or to subscribe
to the list, please see the <a
href="http://www.shorewall.net/support.htm">problem reporting guidelines</a>.</b></p>
<p align="left">The list archives are at <a
href="http://lists.shorewall.net/pipermail/shorewall-users/index.html">http://lists.shorewall.net/pipermail/shorewall-users</a>.</p>
<p align="left">Note that prior to 1/1/2002, the mailing list was hosted
at <a href="http://sourceforge.net">Sourceforge</a>. The archives from that
list may be found at <a
<p align="left">Note that prior to 1/1/2002, the mailing list was hosted at
<a href="http://sourceforge.net">Sourceforge</a>. The archives from that list
may be found at <a
href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p>
<h2 align="left">Shorewall Announce Mailing List</h2>
@ -269,10 +259,10 @@ list may be found at <a
<p align="left">Down at the bottom of that page is the following text:
" To <b>unsubscribe</b> from <i>&lt;list name&gt;</i>, get
a password reminder, or change your subscription options
enter your subscription email address:". Enter your email
address in the box and click on the "<b>Unsubscribe</b> or edit
options" button.</p>
a password reminder, or change your subscription options enter
your subscription email address:". Enter your email address
in the box and click on the "<b>Unsubscribe</b> or edit options"
button.</p>
</li>
<li>
@ -289,13 +279,11 @@ options" button.</p>
<p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p>
<p align="left"><font size="2">Last updated 7/7/2003 - <a
<p align="left"><font size="2">Last updated 8/1/2003 - <a
href="http://www.shorewall.net/support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"> <font size="2">Copyright</font> ©
<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
<br>
<p align="left"><a href="copyright.htm"> <font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
</body>
</html>

65
STABLE/documentation/myfiles.htm
View File

File diff suppressed because one or more lines are too long

91
STABLE/documentation/ports.htm
View File

@ -18,6 +18,7 @@
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Ports required for Various
Services/Applications</font></h1>
</td>
@ -28,8 +29,8 @@
<p>In addition to those applications described in <a
href="Documentation.htm">the /etc/shorewall/rules documentation</a>, here
are some other services/applications that you may need to configure your
firewall to accommodate.</p>
are some other services/applications that you may need to configure
your firewall to accommodate.</p>
<p>NTP (Network Time Protocol)</p>
@ -52,11 +53,12 @@
<p>DNS</p>
<blockquote>
<p>UDP Port 53. If you are configuring a DNS client, you will probably want
to open TCP Port 53 as well.<br>
If you are configuring a server, only open TCP Port 53 if you
will return long replies to queries or if you need to enable ZONE transfers. In
the latter case, be sure that your server is properly configured.</p>
<p>UDP Port 53. If you are configuring a DNS client, you will probably
want to open TCP Port 53 as well.<br>
If you are configuring a server, only open TCP Port 53 if
you will return long replies to queries or if you need to enable ZONE
transfers. In the latter case, be sure that your server is properly
configured.</p>
</blockquote>
<p>ICQ   </p>
@ -100,11 +102,13 @@ will return long replies to queries or if you need to enable ZONE transfers
<blockquote>
<p>TCP Port 110 (Secure = TCP Port 995)<br>
</p>
</blockquote>
</blockquote>
<p>IMAP<br>
</p>
</p>
<blockquote>TCP Port 143 (Secure = TCP Port 993)<br>
</blockquote>
</blockquote>
<p>TELNET</p>
@ -130,61 +134,13 @@ will return long replies to queries or if you need to enable ZONE transfers
<p>TCP Ports 80 and 443.</p>
</blockquote>
<p>FTP</p>
<p>FTP<br>
</p>
<blockquote>
<p>Server configuration is covered on in <a
href="Documentation.htm#Rules">the /etc/shorewall/rules documentation</a>,</p>
<p>For a client, you must open outbound TCP port 21 and be sure that your
kernel is compiled to support FTP connection tracking. If you build
this support as a module, Shorewall will automatically load the module
from /var/lib/&lt;<i>kernel version</i>&gt;/kernel/net/ipv4/netfilter. <br>
<p>TCP port 21 plus <a href="FTP.html">look here for much more information</a>.<br>
</p>
<p>If you run an FTP server on a nonstandard port or you need to access
such a server, then you must specify that port in /etc/shorewall/modules.
For example, if you run an FTP server that listens on port 49 then you
would have:<br>
</p>
<blockquote>
<p>loadmodule ip_conntrack_ftp ports=21,49<br>
loadmodule ip_nat_ftp ports=21,49<br>
</p>
</blockquote>
<p>Note that you MUST include port 21 in the <i>ports</i> list or you may
have problems accessing regular FTP servers.</p>
<p>If there is a possibility that these modules might be loaded before Shorewall
starts, then you should include the port list in /etc/modules.conf:<br>
</p>
<blockquote>
<p>options ip_conntrack_ftp ports=21,49<br>
options ip_nat_ftp ports=21,49<br>
</p>
</blockquote>
<p><b>IMPORTANT: </b>Once you have made these changes to /etc/shorewall/modules
and/or /etc/modules.conf, you must either:<br>
</p>
<ol>
<li>Unload the modules and restart shorewall: (<b><font
color="#009900">rmmod ip_nat_ftp; rmmod ip_conntrack_ftp; shorewall restart</font></b>);
or</li>
<li>Reboot<br>
</li>
</ol>
<p> </p>
</blockquote>
<blockquote> </blockquote>
</blockquote>
<p>SMB/NMB (Samba/Windows Browsing/File Sharing)</p>
<blockquote> </blockquote>
@ -200,7 +156,7 @@ starts, then you should include the port list in /etc/modules.conf:<br>
<blockquote>
<p>UDP ports 33434 through 33434+<i>&lt;max number of hops&gt;</i>-1<br>
ICMP type 8 ('ping')<br>
ICMP type 8 ('ping')<br>
</p>
</blockquote>
@ -234,9 +190,12 @@ ICMP type 8 ('ping')<br>
<p>Still looking? Try <a
href="http://www.networkice.com/advice/Exploits/Ports"> http://www.networkice.com/advice/Exploits/Ports</a></p>
<p><font size="2">Last updated 7/16/2003 - </font><font size="2"> <a
<p><font size="2">Last updated 7/30/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
<a href="copyright.htm"><font size="2">Copyright</font> ©
<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
<br>
<br>
<br>
</body>
</html>

147
STABLE/documentation/quotes.htm
View File

@ -26,82 +26,116 @@
</tbody>
</table>
<font size="3">"I have fought with IPtables for untold hours. First I
tried the SuSE firewall, which worked for 80% of what I needed. Then gShield,
which also worked for 80%. Then I set out to write my own IPtables parser
in shell and awk, which was a lot of fun but never got me past the "hey,
cool" stage. Then I discovered Shorewall. After about an hour, everything
just worked. I am stunned, and very grateful"</font> -- ES, Phoenix AZ, USA.<br>
<p>"The configuration is intuitive and flexible, and much easier than any
of the other iptables-based firewall programs out there. After sifting through
many other scripts, it is obvious that yours is the most well thought-out
and complete one available." -- BC, USA</p>
<p>"I just installed Shorewall after weeks of messing with ipchains/iptables
and I had it up and running in under 20 minutes!" -- JL, Ohio<br>
</p>
"My case was almost like [the one above]. Well. instead of 'weeks' it
was 'months' for me, and I think I needed two minutes more:<br>
<ul>
<li>One to see that I had no Internet access from the firewall itself.</li>
<li>Other to see that this was the default configuration, and it was
enough to uncomment a line in /etc/shorewall/policy.<br>
<li><font size="3">"I have fought with IPtables for untold hours. First
I tried the SuSE firewall, which worked for 80% of what I needed. Then gShield,
which also worked for 80%. Then I set out to write my own IPtables parser
in shell and awk, which was a lot of fun but never got me past the "hey, cool"
stage. Then I discovered Shorewall. After about an hour, everything just
worked. I am stunned, and very grateful"</font> -- ES, Phoenix AZ, USA.<br>
<br>
</li>
<li>"The configuration is intuitive and flexible, and much easier than
any of the other iptables-based firewall programs out there. After sifting
through many other scripts, it is obvious that yours is the most well thought-out
and complete one available." -- BC, USA<br>
<br>
</li>
<li>"I just installed Shorewall after weeks of messing with ipchains/iptables
and I had it up and running in under 20 minutes!" -- JL, Ohio<br>
<br>
</li>
<li>"My case was almost like [the one above]. Well. instead of 'weeks'
it was 'months' for me, and I think I needed two minutes more:<br>
</li>
</ul>
<ul>
<ul>
<li>One to see that I had no Internet access from the firewall itself.</li>
</ul>
<ul>
<li>Other to see that this was the default configuration, and it was
enough to uncomment a line in /etc/shorewall/policy.<br>
</li>
</ul>
</ul>
Minutes instead of months! Congratulations and thanks for such a simple
and well documented thing for something as huge as iptables." -- JV, Spain.
<ul>
<li> Minutes instead of months! Congratulations and thanks for such
a simple and well documented thing for something as huge as iptables." --
JV, Spain. </li>
</ul>
<ul>
<li>"I downloaded Shorewall 1.2.0 and installed it on Mandrake 8.1
without any problems. Your documentation is great and I really appreciate
your network configuration info. That really helped me out alot. THANKS!!!"
-- MM. </li>
</ul>
<p>"I downloaded Shorewall 1.2.0 and installed it on Mandrake 8.1 without
any problems. Your documentation is great and I really appreciate your
network configuration info. That really helped me out alot. THANKS!!!"
-- MM. </p>
<ul>
<li>"[Shorewall is a] great, great project. I've used/tested may
firewall scripts but this one is till now the best." -- B.R, Netherlands
</li>
</ul>
<p>"[Shorewall is a] great, great project. I've used/tested may firewall
scripts but this one is till now the best." -- B.R, Netherlands
</p>
<ul>
<li>"Never in my +12 year career as a sys admin have I witnessed
someone so relentless in developing a secure, state of the art, safe and
useful product as the Shorewall firewall package for no cost or obligation
involved." -- Mario Kerecki, Toronto </li>
</ul>
<p>"Never in my +12 year career as a sys admin have I witnessed someone
so relentless in developing a secure, state of the art, safe and
useful product as the Shorewall firewall package for no cost or obligation
involved." -- Mario Kerecki, Toronto </p>
<ul>
<li>"one time more to report, that your great shorewall in the latest
release 1.2.9 is working fine for me with SuSE Linux 7.3! I now
have 7 machines up and running with shorewall on several versions
- starting with 1.2.2 up to the new 1.2.9 and I never have encountered
any problems!" -- SM, Germany</li>
</ul>
<p>"one time more to report, that your great shorewall in the latest release
1.2.9 is working fine for me with SuSE Linux 7.3! I now have 7 machines
up and running with shorewall on several versions - starting with 1.2.2
up to the new 1.2.9 and I never have encountered any problems!" -- SM,
Germany</p>
<ul>
<li>"You have the best support of any other package I've ever used."
-- SE, US </li>
</ul>
<p>"You have the best support of any other package I've ever used."
-- SE, US </p>
<p>"Because our company has information which has been classified by the
<ul>
<li>"Because our company has information which has been classified by the
national government as secret, our security doesn't stop by putting a fence
around our company. Information security is a hot issue. We also make
use of checkpoint firewalls, but not all of the internet servers are guarded
around our company. Information security is a hot issue. We also make use
of checkpoint firewalls, but not all of the internet servers are guarded
by checkpoint, some of them are running....Shorewall." -- Name withheld
by request, Europe</p>
by request, Europe</li>
</ul>
<p>"thanx for all your efforts you put into shorewall - this product stands
out against a lot of commercial stuff i´ve been working with in terms
of flexibillity, quality &amp; support" -- RM, Austria</p>
<ul>
<li>"thanx for all your efforts you put into shorewall - this product stands
out against a lot of commercial stuff i´ve been working with in terms of
flexibillity, quality &amp; support" -- RM, Austria</li>
</ul>
<p>"I have never seen such a complete firewall package that is so easy to
configure. I searched the Debian package system for firewall scripts and
Shorewall won hands down." -- RG, Toronto</p>
<ul>
<li>"I have never seen such a complete firewall package that is so easy
to configure. I searched the Debian package system for firewall scripts
and Shorewall won hands down." -- RG, Toronto</li>
</ul>
<p>"My respects... I've just found and installed Shorewall 1.3.3-1 and it
is a wonderful piece of software. I've just sent out an email to about
<p></p>
<ul>
<li>"My respects... I've just found and installed Shorewall 1.3.3-1 and
it is a wonderful piece of software. I've just sent out an email to about
30 people recommending it. :-)<br>
While I had previously taken the time (maybe 40 hours) to really understand
<br>
While I had previously taken the time (maybe 40 hours) to really understand
ipchains, then spent at least an hour per server customizing and carefully
scrutinizing firewall rules, I've got shorewall running on my home firewall,
with rulesets and policies that I know make sense, in under 20 minutes."
-- RP, Guatamala<br>
<br>
 </p>
</li>
</ul>
<p><font size="2" face="Century Gothic, Arial, Helvetica">Updated 7/1/2003
- <a href="support.htm">Tom Eastep</a> </font>
@ -114,5 +148,6 @@ of flexibillity, quality &amp; support" -- RM, Austria</p>
<br>
<br>
<br>
<br>
</body>
</html>

498
STABLE/documentation/seattlefirewall_index.htm
View File

@ -4,6 +4,7 @@
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.4</title>
@ -24,35 +25,18 @@
<tr>
<td width="33%" height="90"
valign="middle" align="left"><a href="http://www.cityofshoreline.com"><img
src="images/washington.jpg" alt="" width="97" height="80" hspace="4"
border="0">
</a></td>
<td valign="middle" width="34%"
align="center" bgcolor="#3366ff">
valign="middle" align="center"><a href="http://www.cityofshoreline.com">
</a>
<div align="center">
<img src="images/Logo1.png"
alt="(Shorewall Logo)" width="430" height="90">
<img
src="images/Logo1.png" alt="(Shorewall Logo)" width="430" height="90"
align="middle">
</div>
</td>
<td valign="middle" width="33%">
<h1 align="center"><a href="http://www.shorewall.net"
target="_top"><img border="0" src="images/shorewall.jpg" width="119"
height="38" hspace="4" alt="(Shorewall Logo)" align="right" vspace="4">
</a></h1>
<br>
</td>
</tr>
@ -76,23 +60,28 @@
<td width="90%">
<div align="center">
<br>
<div align="left">
<h2>What is it?</h2>
</div>
</div>
<h2 align="left">What is it?</h2>
<p>The Shoreline Firewall, more commonly known as "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
firewall that can be used on a dedicated firewall system, a multi-function
<p>The Shoreline Firewall, more commonly known as "Shorewall", is a
<a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
that can be used on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system.</p>
@ -100,11 +89,12 @@ firewall that can be used on a dedicated firewall system, a multi-functio
<p>This program is free software; you can redistribute it and/or modify
it under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the
GNU General Public License</a> as published by the Free Software
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
General Public License</a> as published by the Free Software
Foundation.<br>
<br>
@ -115,14 +105,14 @@ GNU General Public License</a> as published by the Free Software
even the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE.
See the GNU General Public License for more
details.<br>
details.<br>
<br>
You should have received a
copy of the GNU General Public License
along with this program; if not,
write to the Free Software Foundation,
You should have received
a copy of the GNU General Public
License along with this program;
if not, write to the Free Software Foundation,
Inc., 675 Mass Ave, Cambridge, MA 02139,
USA</p>
@ -131,6 +121,7 @@ details.<br>
<p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p>
@ -142,70 +133,171 @@ details.<br>
<h2>This is the Shorewall 1.4 Web Site</h2>
The information on this site applies only to 1.4.x releases of Shorewall.
For older versions:<br>
The information on this site applies only to 1.4.x releases of
Shorewall. For older versions:<br>
<ul>
<li>The 1.3 site is <a
href="http://www.shorewall.net/1.3" target="_top">here.</a></li>
<li>The 1.2 site is <a href="http://shorewall.net/1.2/"
target="_top">here</a>.<br>
<li>The 1.2 site is <a
href="http://shorewall.net/1.2/" target="_top">here</a>.<br>
</li>
</ul>
<h2>Getting Started with Shorewall</h2>
New to Shorewall? Start by selecting
the <a href="shorewall_quickstart_guide.htm">QuickStart Guide</a>
that most closely match your environment and follow the
step by step instructions.<br>
New to Shorewall? Start by
selecting the <a href="shorewall_quickstart_guide.htm">QuickStart
Guide</a> that most closely match your environment
and follow the step by step instructions.<br>
<h2>Looking for Information?</h2>
The <a href="shorewall_quickstart_guide.htm#Documentation">Documentation
Index</a> is a good place to start as is the Quick Search to your right.
The <a
href="shorewall_quickstart_guide.htm#Documentation">Documentation
Index</a> is a good place to start as is the Quick Search to your right.
<h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
If so, the documentation<b> </b>on this site
will not apply directly to your setup. If you want to use the
documentation that you find here, you will want to consider uninstalling
what you have and installing a setup that matches the documentation
on this site. See the <a href="two-interface.htm">Two-interface
QuickStart Guide</a> for details.<br>
If so, the documentation<b> </b>on
this site will not apply directly to your setup. If you want
to use the documentation that you find here, you will want to consider
uninstalling what you have and installing a setup that matches
the documentation on this site. See the <a
href="two-interface.htm">Two-interface QuickStart Guide</a> for
details.<br>
<h2>News</h2>
<ol>
</ol>
<p><b>7/22/2003 - Shorewall-1.4.6a</b><b> <img border="0"
<p><b>8/5/2003 - Shorewall-1.4.6b</b><b> <img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
<br>
</b></p>
<b>Problems Corrected:</b><br>
<b>Problems Corrected since version 1.4.6:</b><br>
<ol>
<li>Previously, if TC_ENABLED is set to yes in shorewall.conf then
Shorewall would fail to start with the error "ERROR:  Traffic Control requires
Mangle"; that problem has been corrected.</li>
Shorewall would fail to start with the error "ERROR:  Traffic Control
requires Mangle"; that problem has been corrected.</li>
<li>Corrected handling of MAC addresses in the SOURCE column of the
tcrules file. Previously, these addresses resulted in an invalid iptables
command.</li>
<li>The "shorewall stop" command is now disabled when /etc/shorewall/startup_disabled
exists. This prevents people from shooting themselves in the foot prior to
having configured Shorewall.</li>
<li>A change introduced in version 1.4.6 caused error messages during
"shorewall [re]start" when ADD_IP_ALIASES=Yes and ip addresses were being
added to a PPP interface; the addresses were successfully added in spite
of the messages.<br>
   <br>
The firewall script has been modified to eliminate the error messages.<br>
</li>
</ol>
<p><b>7/20/2003 - Shorewall-1.4.6</b><b> <img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
</b><br>
<p><b>7/31/2003 - Snapshot 1.4.6_20030731</b><b> </b></p>
<blockquote>
<p><a href="http://shorewall.net/pub/shorewall/Snapshots/">http://shorewall.net/pub/shorewall/Snapshots/</a><br>
<a href="ftp://shorewall.net/pub/shorewall/Snapshots/"
target="_top">ftp://shorewall.net/pub/shorewall/Snapshots/</a></p>
</blockquote>
<b>Problems Corrected since version 1.4.6</b><br>
<ol>
<li>Corrected problem in 1.4.6 where the MANGLE_ENABLED variable
was being tested before it was set.</li>
<li>Corrected handling of MAC addresses in the SOURCE column of
the tcrules file. Previously, these addresses resulted in an invalid iptables
command.<br>
</li>
</ol>
<b>Migration Issues:</b><br>
<ol>
<li>Once you have installed this version of Shorewall, you must
restart Shorewall before you may use the 'drop', 'reject', 'allow' or 'save'
commands.</li>
<li>To maintain strict compatibility with previous versions, current
uses of "shorewall drop" and "shorewall reject" should be replaced with "shorewall
dropall" and "shorewall rejectall" </li>
</ol>
<b>New Features:</b><br>
<ol>
<li>Shorewall now creates a dynamic blacklisting chain for each
interface defined in /etc/shorewall/interfaces. The 'drop' and 'reject'
commands use the routing table to determine which of these chains is to
be used for blacklisting the specified IP address(es).<br>
<br>
Two new commands ('dropall' and 'rejectall') have been introduced that
do what 'drop' and 'reject' used to do; namely, when an address is blacklisted
using these new commands, it will be blacklisted on all of your firewall's
interfaces.</li>
<li>Thanks to Steve Herber, the 'help' command can now give command-specific
help (e.g., shorewall help &lt;command&gt;).</li>
<li>A new option "ADMINISABSENTMINDED" has been added to /etc/shorewall/shorewall.conf.
This option has a default value of "No" for existing users which causes Shorewall's
'stopped' state  to continue as it has been; namely, in the stopped state
only traffic to/from hosts listed in /etc/shorewall/routestopped is accepted.<br>
<br>
With ADMINISABSENTMINDED=Yes (the default for new installs), in addition
to traffic to/from the hosts listed in /etc/shorewall/routestopped, Shorewall
will allow:<br>
<br>
   a) All traffic originating from the firewall itself; and<br>
   b) All traffic that is part of or related to an already-existing connection.<br>
<br>
 In particular, with ADMINISABSENTMINDED=Yes, a "shorewall stop" entered
through an ssh session will not kill the session.<br>
<br>
 Note though that even with ADMINISABSENTMINDED=Yes, it is still possible
for people to shoot themselves in the foot.<br>
<br>
 Example:<br>
<br>
 /etc/shorewall/nat:<br>
<br>
     206.124.146.178    eth0:0    192.168.1.5    <br>
<br>
 /etc/shorewall/rules:<br>
<br>
   ACCEPT    net    loc:192.168.1.5    tcp    22<br>
   ACCEPT    loc    fw        tcp    22<br>
<br>
From a remote system, I ssh to 206.124.146.178 which establishes an SSH
connection with local system 192.168.1.5. I then create a second SSH connection
from that computer to the firewall and confidently type "shorewall stop".
As part of its stop processing, Shorewall removes eth0:0 which kills my SSH
connection to 192.168.1.5!!!<br>
</li>
</ol>
<p><b>7/22/2003 - Shorewall-1.4.6a</b><b><br>
</b></p>
<b>Problems Corrected:</b><br>
<ol>
<li>Previously, if TC_ENABLED is set to yes in shorewall.conf
then Shorewall would fail to start with the error "ERROR:  Traffic Control
requires Mangle"; that problem has been corrected.</li>
</ol>
<p><b>7/20/2003 - Shorewall-1.4.6</b><b> </b><br>
</p>
<blockquote> </blockquote>
@ -214,28 +306,30 @@ Mangle"; that problem has been corrected.</li>
<ol>
<li>A problem seen on RH7.3 systems where Shorewall encountered
start errors when started using the "service" mechanism has been worked
around.<br>
<li>A problem seen on RH7.3 systems where Shorewall
encountered start errors when started using the "service" mechanism
has been worked around.<br>
<br>
</li>
<li>Where a list of IP addresses appears in the DEST column
of a DNAT[-] rule, Shorewall incorrectly created multiple DNAT rules
in the nat table (one for each element in the list). Shorewall now correctly
creates a single DNAT rule with multiple "--to-destination" clauses.<br>
<li>Where a list of IP addresses appears in the
DEST column of a DNAT[-] rule, Shorewall incorrectly created multiple
DNAT rules in the nat table (one for each element in the list). Shorewall
now correctly creates a single DNAT rule with multiple "--to-destination"
clauses.<br>
<br>
</li>
<li>Corrected a problem in Beta 1 where DNS names containing
a "-" were mis-handled when they appeared in the DEST column of a rule.<br>
<li>Corrected a problem in Beta 1 where DNS names
containing a "-" were mis-handled when they appeared in the DEST
column of a rule.<br>
<br>
</li>
<li>A number of problems with rule parsing have been corrected.
Corrections involve the handling of "z1!z2" in the SOURCE column as well
as lists in the ORIGINAL DESTINATION column.<br>
<li>A number of problems with rule parsing have been
corrected. Corrections involve the handling of "z1!z2" in the SOURCE
column as well as lists in the ORIGINAL DESTINATION column.<br>
<br>
</li>
<li>The message "Adding rules for DHCP" is now suppressed if there
are no DHCP rules to add.<br>
<li>The message "Adding rules for DHCP" is now suppressed
if there are no DHCP rules to add.<br>
</li>
@ -247,20 +341,20 @@ are no DHCP rules to add.<br>
<ol>
<li>In earlier versions, an undocumented feature allowed
entries in the host file as follows:<br>
<li>In earlier versions, an undocumented feature
allowed entries in the host file as follows:<br>
<br>
    z    eth1:192.168.1.0/24,eth2:192.168.2.0/24<br>
<br>
This capability was never documented and has been removed in 1.4.6
to allow entries of the following format:<br>
This capability was never documented and has been removed
in 1.4.6 to allow entries of the following format:<br>
<br>
    z   eth1:192.168.1.0/24,192.168.2.0/24<br>
<br>
</li>
<li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options
have been removed from /etc/shorewall/shorewall.conf. These capabilities
are now automatically detected by Shorewall (see below).<br>
<li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT
options have been removed from /etc/shorewall/shorewall.conf. These
capabilities are now automatically detected by Shorewall (see below).<br>
</li>
@ -272,36 +366,37 @@ are no DHCP rules to add.<br>
<ol>
<li>A 'newnotsyn' interface option has been added. This
option may be specified in /etc/shorewall/interfaces and overrides the
setting NEWNOTSYN=No for packets arriving on the associated interface.<br>
<li>A 'newnotsyn' interface option has been added.
This option may be specified in /etc/shorewall/interfaces and overrides
the setting NEWNOTSYN=No for packets arriving on the associated interface.<br>
<br>
</li>
<li>The means for specifying a range of IP addresses in
/etc/shorewall/masq to use for SNAT is now documented. ADD_SNAT_ALIASES=Yes
is enabled for address ranges.<br>
<li>The means for specifying a range of IP addresses
in /etc/shorewall/masq to use for SNAT is now documented. ADD_SNAT_ALIASES=Yes
is enabled for address ranges.<br>
<br>
</li>
<li>Shorewall can now add IP addresses to subnets other
than the first one on an interface.<br>
<li>Shorewall can now add IP addresses to subnets
other than the first one on an interface.<br>
<br>
</li>
<li>DNAT[-] rules may now be used to load balance (round-robin)
over a set of servers. Servers may be specified in a range of addresses
given as &lt;first address&gt;-&lt;last address&gt;.<br>
<li>DNAT[-] rules may now be used to load balance
(round-robin) over a set of servers. Servers may be specified in
a range of addresses given as &lt;first address&gt;-&lt;last address&gt;.<br>
<br>
Example:<br>
<br>
    DNAT net loc:192.168.10.2-192.168.10.5 tcp 80<br>
<br>
</li>
<li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration
options have been removed and have been replaced by code that detects
whether these capabilities are present in the current kernel. The output
of the start, restart and check commands have been enhanced to report the
outcome:<br>
<li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT
configuration options have been removed and have been replaced by
code that detects whether these capabilities are present in the current
kernel. The output of the start, restart and check commands have been
enhanced to report the outcome:<br>
<br>
Shorewall has detected the following iptables/netfilter capabilities:<br>
Shorewall has detected the following iptables/netfilter
capabilities:<br>
   NAT: Available<br>
   Packet Mangling: Available<br>
   Multi-port Match: Available<br>
@ -309,39 +404,43 @@ than the first one on an interface.<br>
<br>
</li>
<li>Support for the Connection Tracking Match Extension
has been added. This extension is available in recent kernel/iptables
releases and allows for rules which match against elements in netfilter's
connection tracking table. Shorewall automatically detects the availability
of this extension and reports its availability in the output of the start,
restart and check commands.<br>
has been added. This extension is available in recent kernel/iptables
releases and allows for rules which match against elements in netfilter's
connection tracking table. Shorewall automatically detects the availability
of this extension and reports its availability in the output of the
start, restart and check commands.<br>
<br>
Shorewall has detected the following iptables/netfilter capabilities:<br>
Shorewall has detected the following iptables/netfilter
capabilities:<br>
   NAT: Available<br>
   Packet Mangling: Available<br>
   Multi-port Match: Available<br>
   Connection Tracking Match: Available<br>
Verifying Configuration...<br>
<br>
If this extension is available, the ruleset generated by Shorewall
is changed in the following ways:</li>
If this extension is available, the ruleset generated
by Shorewall is changed in the following ways:</li>
<ul>
<li>To handle 'norfc1918' filtering, Shorewall will not
create chains in the mangle table but will rather do all 'norfc1918'
filtering in the filter table (rfc1918 chain).</li>
<li>Recall that Shorewall DNAT rules generate two netfilter
rules; one in the nat table and one in the filter table. If the Connection
Tracking Match Extension is available, the rule in the filter table is
extended to check that the original destination address was the same as
specified (or defaulted to) in the DNAT rule.<br>
<li>To handle 'norfc1918' filtering, Shorewall
will not create chains in the mangle table but will rather do all
'norfc1918' filtering in the filter table (rfc1918 chain).</li>
<li>Recall that Shorewall DNAT rules generate
two netfilter rules; one in the nat table and one in the filter
table. If the Connection Tracking Match Extension is available, the
rule in the filter table is extended to check that the original destination
address was the same as specified (or defaulted to) in the DNAT rule.<br>
<br>
</li>
</ul>
<li>The shell used to interpret the firewall script (/usr/share/shorewall/firewall)
may now be specified using the SHOREWALL_SHELL parameter in shorewall.conf.<br>
<li>The shell used to interpret the firewall script
(/usr/share/shorewall/firewall) may now be specified using the SHOREWALL_SHELL
parameter in shorewall.conf.<br>
<br>
</li>
<li>An 'ipcalc' command has been added to /sbin/shorewall.<br>
@ -358,7 +457,8 @@ filtering in the filter table (rfc1918 chain).</li>
         BROADCAST=192.168.1.255<br>
      [root@wookie root]#<br>
<br>
      [root@wookie root]# shorewall ipcalc 192.168.1.0 255.255.255.0<br>
      [root@wookie root]# shorewall ipcalc 192.168.1.0
255.255.255.0<br>
         CIDR=192.168.1.0/24<br>
         NETMASK=255.255.255.0<br>
         NETWORK=192.168.1.0<br>
@ -367,10 +467,10 @@ filtering in the filter table (rfc1918 chain).</li>
<br>
Warning:<br>
<br>
If your shell only supports 32-bit signed arithmatic (ash or dash),
then the ipcalc command produces incorrect information for IP addresses
128.0.0.0-1 and for /1 networks. Bash should produce correct information
for all valid IP addresses.<br>
If your shell only supports 32-bit signed arithmatic (ash
or dash), then the ipcalc command produces incorrect information for
IP addresses 128.0.0.0-1 and for /1 networks. Bash should produce correct
information for all valid IP addresses.<br>
<br>
</li>
<li>An 'iprange' command has been added to /sbin/shorewall.
@ -378,13 +478,13 @@ filtering in the filter table (rfc1918 chain).</li>
<br>
      iprange &lt;address&gt;-&lt;address&gt;<br>
<br>
This command decomposes a range of IP addressses into a list of
network and host addresses. The command can be useful if you need to
construct an efficient set of rules that accept connections from a range
of network addresses.<br>
This command decomposes a range of IP addressses into a
list of network and host addresses. The command can be useful if you
need to construct an efficient set of rules that accept connections from
a range of network addresses.<br>
<br>
Note: If your shell only supports 32-bit signed arithmetic (ash
or dash) then the range may not span 128.0.0.0.<br>
Note: If your shell only supports 32-bit signed arithmetic
(ash or dash) then the range may not span 128.0.0.0.<br>
<br>
Example:<br>
<br>
@ -403,24 +503,24 @@ of network addresses.<br>
      [root@gateway root]#<br>
<br>
</li>
<li>A list of host/net addresses is now allowed in an entry
in /etc/shorewall/hosts.<br>
<li>A list of host/net addresses is now allowed
in an entry in /etc/shorewall/hosts.<br>
<br>
Example:<br>
<br>
    foo    eth1:192.168.1.0/24,192.168.2.0/24<br>
<br>
</li>
<li>The "shorewall check" command now includes the chain name when
printing the applicable policy for each pair of zones.<br>
<li>The "shorewall check" command now includes the chain
name when printing the applicable policy for each pair of zones.<br>
 <br>
    Example:<br>
 <br>
        Policy for dmz to net is REJECT using chain all2all<br>
 <br>
This means that the policy for connections from the dmz to the internet
is REJECT and the applicable entry in the /etc/shorewall/policy was the all-&gt;all
policy.<br>
is REJECT and the applicable entry in the /etc/shorewall/policy was the
all-&gt;all policy.<br>
<br>
</li>
<li>Support for the 2.6 Kernel series has been added.<br>
@ -430,70 +530,13 @@ policy.<br>
</ol>
<p><b>7/15/2003 - New Mirror in Brazil</b><b> <img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
<br>
</b></p>
Thanks to the folks at securityopensource.org.br, there is now a
<a href="http://shorewall.securityopensource.org.br" target="_top">Shorewall
mirror in Brazil</a>.
<p><b>6/17/2003 - Shorewall-1.4.5</b><b> </b></p>
<p>Problems Corrected:<br>
</p>
<ol>
<li>The command "shorewall debug try &lt;directory&gt;"
now correctly traces the attempt.</li>
<li>The INCLUDE directive now works properly in
the zones file; previously, INCLUDE in that file was ignored.</li>
<li>/etc/shorewall/routestopped records with an
empty second column are no longer ignored.<br>
</li>
</ol>
<p>New Features:<br>
</p>
<ol>
<li>The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-]
rule may now contain a list of addresses. If the list begins with "!'
then the rule will take effect only if the original destination address
in the connection request does not match any of the addresses listed.</li>
</ol>
<p><b>6/15/2003 - Shorewall, Kernel 2.4.21 and iptables 1.2.8</b><b>
</b></p>
<p>The firewall at shorewall.net has been upgraded to the 2.4.21 kernel
and iptables 1.2.8 (using the "official" RPM from netfilter.org).
No problems have been encountered with this set of software. The Shorewall
version is 1.4.4b plus the accumulated changes for 1.4.5.<br>
</p>
<p><b>6/8/2003 - Updated Samples</b><b> </b></p>
<p>Thanks to Francesca Smith, the samples have been updated to Shorewall
version 1.4.4.</p>
<p><b></b></p>
<ol>
@ -511,23 +554,26 @@ empty second column are no longer ignored.<br>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36"
alt="(Leaf Logo)">
</a>Jacques Nilo and Eric
Wolzak have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution
called <i>Bering</i> that
features Shorewall-1.4.2 and Kernel-2.4.20.
You can find their work at:
<a href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
</a>Jacques Nilo and
Eric Wolzak have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash)
distribution called <i>Bering</i>
that features Shorewall-1.4.2 and
Kernel-2.4.20. You can find their
work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
</a></p>
<b>Congratulations to Jacques and Eric
on the recent release of Bering 1.2!!! </b><br>
<b>Congratulations to Jacques
and Eric on the recent release of Bering 1.2!!! </b><br>
@ -536,8 +582,9 @@ empty second column are no longer ignored.<br>
</td>
<td width="88" bgcolor="#3366ff"
valign="top" align="center">
<td width="88"
bgcolor="#3366ff" valign="top" align="center">
@ -545,23 +592,25 @@ empty second column are no longer ignored.<br>
<form method="post"
action="http://lists.shorewall.net/cgi-bin/htsearch">
<strong><br>
<font
color="#ffffff"><b>Note: </b></font></strong><font
<font color="#ffffff"><b>Note: </b></font></strong><font
color="#ffffff">Search is unavailable Daily 0200-0330 GMT.</font><br>
<strong></strong>
<p><font color="#ffffff"><strong>Quick Search</strong></font><br>
<font face="Arial" size="-1"> <input type="text"
name="words" size="15"></font><font size="-1"> </font> <font
face="Arial" size="-1"> <input type="hidden" name="format"
value="long"> <input type="hidden" name="method" value="and"> <input
type="hidden" name="config" value="htdig"> <input type="submit"
value="Search"></font> </p>
<font face="Arial" size="-1"> <input
type="text" name="words" size="15"></font><font size="-1"> </font>
<font face="Arial" size="-1"> <input type="hidden"
name="format" value="long"> <input type="hidden" name="method"
value="and"> <input type="hidden" name="config" value="htdig"> <input
type="submit" value="Search"></font> </p>
<font face="Arial"> <input type="hidden"
name="exclude" value="[http://lists.shorewall.net/pipermail/*]"> </font>
@ -581,6 +630,7 @@ empty second column are no longer ignored.<br>
</tbody>
</table>
@ -604,6 +654,7 @@ empty second column are no longer ignored.<br>
<p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10" alt="(Starlight Logo)">
@ -615,12 +666,14 @@ empty second column are no longer ignored.<br>
<p align="center"><font size="4" color="#ffffff"><br>
<font size="+2"> Shorewall is free but if
you try it and find it useful, please consider making a donation
to
<a href="http://www.starlight.org"><font color="#ffffff">Starlight
Children's Foundation.</font></a> Thanks!</font></font></p>
to <a href="http://www.starlight.org"><font
color="#ffffff">Starlight Children's Foundation.</font></a>
Thanks!</font></font></p>
</td>
@ -628,13 +681,14 @@ empty second column are no longer ignored.<br>
</tbody>
</table>
<p><font size="2">Updated 7/22/2003 - <a href="support.htm">Tom Eastep</a></font>
<p><font size="2">Updated 8/5/2003 - <a href="support.htm">Tom Eastep</a></font>
<br>
<br>
</p>
<br>
</body>

55
STABLE/documentation/shoreline.htm
View File

@ -22,6 +22,7 @@
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Tom Eastep</font></h1>
</td>
</tr>
@ -47,7 +48,7 @@
<li>Burroughs Corporation (now <a
href="http://www.unisys.com">Unisys</a> ) 1969 - 1980</li>
<li><a href="http://www.tandem.com">Tandem
Computers, Incorporated</a> (now part of the <a
Computers, Incorporated</a> (now part of the <a
href="http://www.hp.com">The New HP</a>) 1980 - present</li>
<li>Married 1969 - no children.</li>
@ -57,52 +58,28 @@ Computers, Incorporated</a> (now part of the <a
system from the NonStop Enterprise Division of HP. </p>
<p>I became interested in Internet Security when I established a home office
in 1999 and had DSL service installed in our home. I investigated
ipchains and developed the scripts which are now collectively
known as <a href="http://seawall.sourceforge.net"> Seattle Firewall</a>.
Expanding on what I learned from Seattle Firewall, I then
designed and wrote Shorewall. </p>
in 1999 and had DSL service installed in our home. I
investigated ipchains and developed the scripts which are now
collectively known as <a href="http://seawall.sourceforge.net"> Seattle
Firewall</a>. Expanding on what I learned from Seattle
Firewall, I then designed and wrote Shorewall. </p>
<p>I telework from our <a
href="http://lists.shorewall.net/SeattleInTheSpring.html">home</a> in <a
href="http://www.cityofshoreline.com">Shoreline, Washington</a> where
I live with my wife Tarry.  </p>
<p>Our current home network consists of: </p>
<p></p>
<ul>
<li>1.2Gz Athlon, Windows XP Pro, 320MB RAM,
40GB &amp; 20GB IDE HDs and LNE100TX (Tulip) NIC - My personal
Windows system. Serves as a PPTP server for Road Warrior access. Dual
boots <a href="http://www.mandrakelinux.com">Mandrake</a> 9.0.</li>
<li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD,
LNE100TX(Tulip) NIC - My personal Linux System which runs
Samba. This system also has <a href="http://www.vmware.com/">VMware</a>
installed and can run both <a href="http://www.debian.org">Debian
Woody</a> and <a href="http://www.suse.com">SuSE 8.1</a> in virtual
machines.</li>
<li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD,
EEPRO100 NIC  - Email (Postfix, Courier-IMAP and Mailman), HTTP (Apache),
FTP (Pure_ftpd), DNS server (Bind 9).</li>
<li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI
HD - 3 LNE100TX  (Tulip) and 1 TLAN NICs  - Firewall running Shorewall
1.4.6Beta1, a DHCP server and Samba configured as a WINS server..</li>
<li>Duron 750, Win ME, 192MB RAM, 20GB HD,
RTL8139 NIC - My wife's personal system.</li>
<li>PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB
HD, built-in EEPRO100, EEPRO100 in expansion base - My work system.</li>
<li>XP 2200 Laptop, WinXP SP1, 512MB RAM, 40GB HD, built-in NIC
and LinkSys WET11 - Our Laptop.<br>
</li>
</ul>
<p>For more about our network see <a href="myfiles.htm">my Shorewall Configuration</a>.</p>
<p>For information about our home network see <a href="myfiles.htm">my Shorewall
Configuration files.</a></p>
<p>All of our other systems are made by <a
href="http://www.compaq.com">Compaq</a> (part of the new <a
href="http://www.hp.com/">HP</a>).. All of our Tulip NICs are <a
href="http://www.netgear.com">Netgear</a> FA310TXs.</p>
href="http://www.hp.com/">HP</a>).</p>
<p><a href="http://www.redhat.com"><img border="0"
src="images/poweredby.png" width="88" height="31">
@ -117,8 +94,8 @@ and LinkSys WET11 - Our Laptop.<br>
</a><a href="http://www.mandrakelinux.com"><img
src="images/medbutton.png" alt="Powered by Mandrake" width="90"
height="32">
</a><img src="images/shorewall.jpg"
alt="Protected by Shorewall" width="125" height="40" hspace="4">
</a><img src="images/ProtectedBy.png"
alt="Protected by Shorewall" width="200" height="42" hspace="4">
<a href="http://www.opera.com"><img src="images/opera.png"
alt="(Opera Logo)" width="102" height="39" border="0">
</a>  <a href="http://www.hp.com"><img
@ -126,7 +103,7 @@ and LinkSys WET11 - Our Laptop.<br>
height="75" border="0">
</a><a href="http://www.opera.com"> </a> </font></p>
<p><font size="2">Last updated 7/14/2003 - </font><font size="2"> <a
<p><font size="2">Last updated 7/20/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<font face="Trebuchet MS"><a
href="copyright.htm"><font size="2">Copyright</font> © <font
@ -134,5 +111,9 @@ and LinkSys WET11 - Our Laptop.<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
</body>
</html>

64
STABLE/documentation/shorewall_logging.html
View File

@ -28,8 +28,8 @@
the notation <i>facility.priority</i>). <br>
<br>
The facilities defined by syslog are <i>auth, authpriv, cron, daemon,
kern, lpr, mail, mark, news, syslog, user, uucp</i> and <i>local0</i> through
<i>local7</i>.<br>
kern, lpr, mail, mark, news, syslog, user, uucp</i> and <i>local0</i>
through <i>local7</i>.<br>
<br>
Throughout the Shorewall documentation, I will use the term <i>level</i>
rather than <i>priority</i> since <i>level</i> is the term used by NetFilter.
@ -39,7 +39,7 @@
</h3>
Syslog levels are a method of describing to syslog (8) the importance
of a message and a number of Shorewall parameters have a syslog level
as their value.<br>
as their value.<br>
<br>
Valid levels are:<br>
<br>
@ -61,15 +61,15 @@ as their value.<br>
emerg<br>
<br>
For most Shorewall logging, a level of 6 (info) is appropriate.
Shorewall log messages are generated by NetFilter and are logged using
the <i>kern</i> facility and the level that you specify. If you are unsure
of the level to choose, 6 (info) is a safe bet. You may specify levels
by name or by number.<br>
Shorewall log messages are generated by NetFilter and are logged using
the <i>kern</i> facility and the level that you specify. If you are
unsure of the level to choose, 6 (info) is a safe bet. You may specify
levels by name or by number.<br>
<br>
Syslogd writes log messages to files (typically in /var/log/*) based
on their facility and level. The mapping of these facility/level pairs
to log files is done in /etc/syslog.conf (5). If you make changes to this
file, you must restart syslogd before the changes can take effect.<br>
Syslogd writes log messages to files (typically in /var/log/*)
based on their facility and level. The mapping of these facility/level
pairs to log files is done in /etc/syslog.conf (5). If you make changes
to this file, you must restart syslogd before the changes can take effect.<br>
<h3>Configuring a Separate Log for Shorewall Messages</h3>
There are a couple of limitations to syslogd-based logging:<br>
@ -84,17 +84,17 @@ file, you must restart syslogd before the changes can take effect.<br>
</ol>
Beginning with Shorewall version 1.3.12, if your kernel has ULOG
target support (and most vendor-supplied kernels do), you may also specify
a log level of ULOG (must be all caps). When ULOG is used, Shorewall will
direct netfilter to log the related messages via the ULOG target which
target support (and most vendor-supplied kernels do), you may also specify
a log level of ULOG (must be all caps). When ULOG is used, Shorewall will
direct netfilter to log the related messages via the ULOG target which
will send them to a process called 'ulogd'. The ulogd program is available
from http://www.gnumonks.org/projects/ulogd and can be configured to log
all Shorewall message to their own log file.<br>
<br>
<b>Note: </b>The ULOG logging mechanism is <u>completely separate</u> from
syslog. Once you switch to ULOG, the settings in /etc/syslog.conf have absolutely
no effect on your Shorewall logging (except for Shorewall status messages
which still go to syslog).<br>
<b>Note: </b>The ULOG logging mechanism is <u>completely separate</u>
from syslog. Once you switch to ULOG, the settings in /etc/syslog.conf have
absolutely no effect on your Shorewall logging (except for Shorewall status
messages which still go to syslog).<br>
<br>
You will need to have the kernel source available to compile ulogd.<br>
<br>
@ -114,8 +114,8 @@ which still go to syslog).<br>
</ol>
If you are like me and don't have a development environment on your
firewall, you can do the first six steps on another system then either
NFS mount your /usr/local/src directory or tar up the /usr/local/src/ulogd-<i>version</i>
firewall, you can do the first six steps on another system then either NFS
mount your /usr/local/src directory or tar up the /usr/local/src/ulogd-<i>version</i>
directory and move it to your firewall system.<br>
<br>
Now on the firewall system, edit /usr/local/etc/ulogd.conf and set:<br>
@ -125,28 +125,32 @@ NFS mount your /usr/local/src directory or tar up the /usr/local/src/ulogd-<i>v
<li>syslogsync 1</li>
</ol>
Also on the firewall system:<br>
<blockquote>touch &lt;<i>file that you wish to log to</i>&gt;<br>
</blockquote>
I also copied the file /usr/local/src/ulogd-<i>version</i>/ulogd.init
to /etc/init.d/ulogd. I had to edit the line that read "daemon /usr/local/sbin/ulogd"
to read daemon /usr/local/sbin/ulogd -d". On a RedHat system, a simple "chkconfig
--level 3 ulogd on" starts ulogd during boot up. Your init system may need
something else done to activate the script.<br>
to /etc/init.d/ulogd. I had to edit the line that read "daemon /usr/local/sbin/ulogd"
to read daemon /usr/local/sbin/ulogd -d". On a RedHat system, a simple
"chkconfig --level 3 ulogd on" starts ulogd during boot up. Your init system
may need something else done to activate the script.<br>
<br>
You will need to change all instances of log levels (usually 'info') in
your configuration files to 'ULOG' - this includes entries in the policy,
rules and shorewall.conf files. Here's what I have:<br>
your configuration files to 'ULOG' - this includes entries in the policy,
rules and shorewall.conf files. Here's what I have:<br>
<pre> [root@gateway shorewall]# grep ULOG *<br> policy:loc&nbsp; fw&nbsp;&nbsp; REJECT&nbsp; ULOG<br> policy:net&nbsp; all&nbsp; DROP&nbsp;&nbsp;&nbsp; ULOG&nbsp;&nbsp;&nbsp;10/sec:40<br> policy:all&nbsp; all&nbsp; REJECT&nbsp; ULOG<br> rules:REJECT:ULOG loc net tcp 6667<br> shorewall.conf:TCP_FLAGS_LOG_LEVEL=ULOG<br> shorewall.conf:RFC1918_LOG_LEVEL=ULOG<br> [root@gateway shorewall]#<br></pre>
Finally edit /etc/shorewall/shorewall.conf and set LOGFILE=<i>&lt;file
that you wish to log to&gt;</i>. This tells the /sbin/shorewall program
where to look for the log when processing its "show log", "logwatch" and "monitor"
commands.<br>
where to look for the log when processing its "show log", "logwatch" and
"monitor" commands.<br>
<p><font size="2"> Updated 1/11/2003 - <a href="support.htm">Tom Eastep</a>
<p><font size="2"> Updated 7/25/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy;
<font size="2">2001, 2002, 2003 Thomas M. Eastep</font></a><br>
<font size="2">2001, 2002, 2003 Thomas M. Eastep</font></a><br>
</p>
<br>
<br>
</body>
</html>

23
STABLE/documentation/shorewall_mirrors.htm
View File

@ -43,7 +43,7 @@
<li> <a href="http://www.infohiiway.com/shorewall"
target="_top"> http://shorewall.infohiiway.com</a> (Texas, USA).</li>
<li><a target="_top" href="http://germany.shorewall.net">
http://germany.shorewall.net</a> (Hamburg, Germany)</li>
http://germany.shorewall.net</a> (Hamburg, Germany)</li>
<li><a target="_top"
href="http://france.shorewall.net">http://france.shorewall.net</a>
(Paris, France)</li>
@ -70,7 +70,7 @@ http://germany.shorewall.net</a> (Hamburg, Germany)</li>
(Slovak Republic).</li>
<li> <a
href="ftp://ftp.infohiiway.com/pub/mirrors/shorewall/" target="_blank">ftp://ftp.infohiiway.com/pub/shorewall</a>
(Texas, USA).</li>
(Texas, USA -- temporarily unavailable).</li>
<li><a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall"> ftp://germany.shorewall.net/pub/shorewall</a>
(Hamburg, Germany)</li>
@ -84,24 +84,15 @@ http://germany.shorewall.net</a> (Hamburg, Germany)</li>
</li>
</ul>
Search results and the mailing list archives are always fetched from
the site in Washington State.<br>
Search results and the mailing list archives are always fetched
from the site in Washington State.<br>
<p align="left"><font size="2">Last Updated 7/15/2003 - <a
<p align="left"><font size="2">Last Updated 8/4/2003 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep</font></a></font><br>
</p>
<br>
</body>
</html>

158
STABLE/documentation/shorewall_quickstart_guide.htm
View File

@ -24,6 +24,7 @@
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall QuickStart Guides
(HOWTO's)<br>
</font></h1>
@ -33,8 +34,8 @@
</tbody>
</table>
<p align="center">With thanks to Richard who reminded me once again that
we must all first walk before we can run.<br>
<p align="center">With thanks to Richard who reminded me once again that we
must all first walk before we can run.<br>
The French Translations are courtesy of Patrice Vetsel<br>
</p>
@ -52,25 +53,28 @@ we must all first walk before we can run.<br>
<li><a href="two-interface.htm">Two-interface</a>
Linux System acting as a firewall/router for a small local
network (<a href="two-interface_fr.html">Version Française</a>)</li>
<li><a href="three-interface.htm">Three-interface</a>
Linux System acting as a firewall/router for a small local
network and a DMZ. (<a href="three-interface_fr.html">Version Française</a>)</li>
<li><a
href="three-interface.htm">Three-interface</a> Linux System
acting as a firewall/router for a small local network and
a DMZ. (<a href="three-interface_fr.html">Version Française</a>)</li>
</ul>
<p>The above guides are designed to get your first firewall up and running
quickly in the three most common Shorewall configurations.
If you want to learn more about Shorewall than is explained in the above
If you want to learn more about Shorewall than is explained in the above
simple guides,  the <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a>
(See Index Below) is for you.</p>
</blockquote>
(See Index Below) is for you.</p>
</blockquote>
<p>If you have <font color="#ff0000"><big><big><b>more than one public IP
address</b></big></big></font>:<br>
</p>
address</b></big></big></font>:<br>
</p>
<blockquote>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a>
(See Index Below) outlines the steps necessary to set up
a firewall where there are <small><small><big><big>multiple
public IP addresses</big></big></small></small> involved or if you
(See Index Below) outlines the steps necessary to set up
a firewall where there are <small><small><big><big>multiple
public IP addresses</big></big></small></small> involved or if you
want to learn more about Shorewall than is explained in the
single-address guides above.</blockquote>
@ -82,8 +86,8 @@ single-address guides above.</blockquote>
<p>The following documentation covers a variety of topics and <b>supplements
the <a href="shorewall_quickstart_guide.htm">QuickStart
Guides</a> described above</b>. Please review the appropriate
guide before trying to use this documentation directly.</p>
Guides</a> described above</b>. Please review the appropriate
guide before trying to use this documentation directly.</p>
<ul>
<li><a
@ -92,46 +96,41 @@ guide before trying to use this documentation directly.</p>
</li>
<li><a href="blacklisting_support.htm">Blacklisting</a>
<ul>
<li>Static Blacklisting using /etc/shorewall/blacklist</li>
<li>Dynamic Blacklisting using /sbin/shorewall</li>
<li>Dynamic Blacklisting using
/sbin/shorewall</li>
</ul>
</li>
<li><a
href="configuration_file_basics.htm">Common configuration file
features</a>
href="starting_and_stopping_shorewall.htm">Commands</a> (Description of
all /sbin/shorewall commands)</li>
<li><a href="configuration_file_basics.htm">Common configuration
file features</a> </li>
<ul>
<li><a
href="configuration_file_basics.htm#Comments">Comments in configuration
<li><a href="configuration_file_basics.htm#Comments">Comments in configuration
files</a></li>
<li><a
href="configuration_file_basics.htm#Continuation">Line Continuation</a></li>
<li><a href="configuration_file_basics.htm#INCLUDE">INCLUDE
Directive</a><br>
<li><a href="configuration_file_basics.htm#Continuation">Line Continuation</a></li>
<li><a href="configuration_file_basics.htm#INCLUDE">INCLUDE Directive</a></li>
<li><a href="configuration_file_basics.htm#Ports">Port Numbers/Service
Names</a></li>
<li><a href="configuration_file_basics.htm#Ranges">Port Ranges</a></li>
<li><a href="configuration_file_basics.htm#Variables">Using Shell
Variables</a></li>
<li><a href="configuration_file_basics.htm#dnsnames">Using DNS Names</a></li>
<li><a href="configuration_file_basics.htm#Compliment">Complementing
an IP address or Subnet</a></li>
<li><a href="configuration_file_basics.htm#Configs">Shorewall Configurations
(making a test configuration)</a></li>
<li><a href="configuration_file_basics.htm#MAC">Using MAC Addresses
in Shorewall</a>
</li>
<li><a
href="configuration_file_basics.htm#Ports">Port Numbers/Service Names</a></li>
<li><a
href="configuration_file_basics.htm#Ranges">Port Ranges</a></li>
<li><a
href="configuration_file_basics.htm#Variables">Using Shell Variables</a></li>
<li><a
href="configuration_file_basics.htm#dnsnames">Using DNS Names</a><br>
</li>
<li><a
href="configuration_file_basics.htm#Compliment">Complementing an IP address
or Subnet</a></li>
<li><a
href="configuration_file_basics.htm#Configs">Shorewall Configurations (making
a test configuration)</a></li>
<li><a
href="configuration_file_basics.htm#MAC">Using MAC Addresses in Shorewall</a></li>
</ul>
</li>
<li><a href="Documentation.htm">Configuration
File Reference Manual</a>
@ -173,6 +172,7 @@ a test configuration)</a></li>
<li><a
href="Documentation.htm#Routestopped">routestopped</a></li>
</ul>
</li>
<li><a href="CorpNetwork.htm">Corporate
@ -180,7 +180,7 @@ a test configuration)</a></li>
</li>
<li><a href="dhcp.htm">DHCP</a></li>
<li><a href="ECN.html">ECN Disabling
by host or subnet</a></li>
by host or subnet</a></li>
<li><a href="errata.htm">Errata</a><br>
</li>
<li><font color="#000099"><a
@ -195,6 +195,8 @@ by host or subnet</a></li>
</li>
<li><a
href="shorewall_firewall_structure.htm">Firewall Structure</a></li>
<li><a href="FTP.html">FTP and Shorewall</a><br>
</li>
<li><a href="support.htm">Getting help or answers to questions</a></li>
<li>Greater Seattle Linux Users Group Presentation</li>
@ -209,24 +211,29 @@ by host or subnet</a></li>
href="kernel.htm">Kernel Configuration</a></font></li>
<li><a href="shorewall_logging.html">Logging</a><br>
</li>
<li><a href="MAC_Validation.html">MAC
Verification</a></li>
<li><a
href="MAC_Validation.html">MAC Verification</a></li>
<li><a href="http://lists.shorewall.net">Mailing Lists</a><br>
</li>
<li><a href="myfiles.htm">My
Shorewall Configuration (How I personally use Shorewall)</a><br>
Shorewall Configuration (How I personally use Shorewall)</a></li>
<li><a href="starting_and_stopping_shorewall.htm">Operating Shorewall</a><br>
</li>
<li><a href="ping.html">'Ping' Management</a><br>
</li>
<li><a href="ports.htm">Port Information</a>
<ul>
<li>Which applications use which ports</li>
<li>Which applications use which
ports</li>
<li>Ports used by Trojans</li>
</ul>
</li>
<li><a href="ProxyARP.htm">Proxy ARP</a></li>
<li><a href="ProxyARP.htm">Proxy
ARP</a></li>
<li><a href="shorewall_prerequisites.htm">Requirements</a><br>
</li>
<li><a href="samba.htm">Samba</a></li>
@ -235,19 +242,22 @@ Shorewall Configuration (How I personally use Shorewall)</a><br>
<ul>
<li><a href="shorewall_setup_guide.htm#Introduction">1.0
Introduction</a></li>
Introduction</a></li>
<li><a href="shorewall_setup_guide.htm#Concepts">2.0 Shorewall
Concepts</a></li>
<li><a href="shorewall_setup_guide.htm#Interfaces">3.0 Network
Interfaces</a></li>
<li><a href="shorewall_setup_guide.htm#Addressing">4.0 Addressing,
Subnets and Routing</a>
<li><a href="shorewall_setup_guide.htm#Interfaces">3.0
Network Interfaces</a></li>
<li><a href="shorewall_setup_guide.htm#Addressing">4.0
Addressing, Subnets and Routing</a>
<ul>
<li><a href="shorewall_setup_guide.htm#Addresses">4.1
IP Addresses</a></li>
<li><a href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
<li><a href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li>
<li><a href="shorewall_setup_guide.htm#Subnets">4.2
Subnets</a></li>
<li><a href="shorewall_setup_guide.htm#Routing">4.3
Routing</a></li>
<li><a href="shorewall_setup_guide.htm#ARP">4.4 Address
Resolution Protocol (ARP)</a></li>
@ -256,8 +266,8 @@ Introduction</a></li>
<ul>
<li><a href="shorewall_setup_guide.htm#RFC1918">4.5 RFC
1918</a></li>
<li><a href="shorewall_setup_guide.htm#RFC1918">4.5
RFC 1918</a></li>
</ul>
@ -266,7 +276,8 @@ Introduction</a></li>
up your Network</a>
<ul>
<li><a href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li>
<li><a href="shorewall_setup_guide.htm#Routed">5.1
Routed</a></li>
</ul>
@ -282,15 +293,17 @@ Introduction</a></li>
SNAT</a></li>
<li><a href="shorewall_setup_guide.htm#DNAT">5.2.2
DNAT</a></li>
<li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3
Proxy ARP</a></li>
<li><a
href="shorewall_setup_guide.htm#ProxyARP">5.2.3 Proxy ARP</a></li>
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4
Static NAT</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#Rules">5.3 Rules</a></li>
<li><a href="shorewall_setup_guide.htm#Rules">5.3
Rules</a></li>
<li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4
Odds and Ends</a></li>
@ -307,7 +320,8 @@ Introduction</a></li>
href="starting_and_stopping_shorewall.htm">Starting/stopping the Firewall</a></font></li>
<ul>
<li>Description of all /sbin/shorewall commands</li>
<li>Description of all /sbin/shorewall
commands</li>
<li>How to safely test a Shorewall configuration
change<br>
</li>
@ -315,12 +329,12 @@ Introduction</a></li>
</ul>
<li><font color="#000099"><a
href="NAT.htm">Static NAT</a></font></li>
<li><a href="Shorewall_Squid_Usage.html">Squid as a
Transparent Proxy with Shorewall</a></li>
<li><a href="traffic_shaping.htm">Traffic
Shaping/QOS</a></li>
<li><a href="troubleshoot.htm">Troubleshooting (Things to try if it
doesn't work)</a><br>
<li><a href="Shorewall_Squid_Usage.html">Squid as
a Transparent Proxy with Shorewall</a></li>
<li><a
href="traffic_shaping.htm">Traffic Shaping/QOS</a></li>
<li><a href="troubleshoot.htm">Troubleshooting (Things to try if
it doesn't work)</a><br>
</li>
<li><a href="upgrade_issues.htm">Upgrade Issues</a><br>
</li>
@ -328,7 +342,8 @@ doesn't work)</a><br>
<ul>
<li><a href="IPSEC.htm">IPSEC</a></li>
<li><a href="IPIP.htm">GRE and IPIP</a></li>
<li><a href="IPIP.htm">GRE and
IPIP</a></li>
<li><a href="OPENVPN.html">OpenVPN</a><br>
</li>
<li><a href="PPTP.htm">PPTP</a></li>
@ -337,6 +352,7 @@ doesn't work)</a><br>
<li><a href="VPN.htm">IPSEC/PPTP</a>
from a system behind your firewall to a remote network.</li>
</ul>
</li>
<li><a
@ -347,7 +363,7 @@ doesn't work)</a><br>
<p>If you use one of these guides and have a suggestion for improvement <a
href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
<p><font size="2">Last modified 7/18/2003 - <a href="support.htm">Tom Eastep</a></font></p>
<p><font size="2">Last modified 7/30/2003 - <a href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright 2002, 2003 Thomas M.
Eastep</font></a><br>

472
STABLE/documentation/sourceforge_index.htm
View File

@ -4,6 +4,7 @@
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.4</title>
@ -24,17 +25,12 @@
<tr>
<td width="33%" height="90"
valign="middle" align="left"><a href="http://www.cityofshoreline.com"><img
src="images/washington.jpg" alt="" width="97" height="80" hspace="4"
border="0">
</a></td>
<td valign="middle"
bgcolor="#3366ff" width="34%" align="center">
<img
src="images/Logo1.png" alt="(Shorewall Logo)" width="430" height="90">
</td>
<td valign="top" width="33"><br>
valign="middle" align="center"><a href="http://www.cityofshoreline.com">
</a><img src="images/Logo1.png"
alt="(Shorewall Logo)" width="430" height="90">
<br>
</td>
</tr>
@ -44,6 +40,7 @@
<div align="center">
<center>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4">
@ -58,6 +55,7 @@
<h2 align="left">What is it?</h2>
@ -65,6 +63,7 @@
<p>The Shoreline Firewall, more commonly known as "Shorewall", is
a <a
href="http://www.netfilter.org">Netfilter</a> (iptables)
@ -77,11 +76,12 @@
<p>This program is free software; you can redistribute it and/or modify
it under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
General Public License</a> as published by the Free Software
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the
GNU General Public License</a> as published by the Free Software
Foundation.<br>
<br>
@ -92,14 +92,14 @@ General Public License</a> as published by the Free Software
even the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE.
See the GNU General Public License for more
details.<br>
details.<br>
<br>
You should have received a
copy of the GNU General Public License
along with this program; if not,
write to the Free Software Foundation,
You should have received
a copy of the GNU General Public
License along with this program;
if not, write to the Free Software Foundation,
Inc., 675 Mass Ave, Cambridge, MA 02139,
USA</p>
@ -108,6 +108,7 @@ details.<br>
<p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p>
@ -115,89 +116,214 @@ details.<br>
<h2>This is the Shorewall 1.4 Web Site</h2>
The information on this site applies only to 1.4.x releases of Shorewall.
For older versions:<br>
The information on this site applies only to 1.4.x releases of
Shorewall. For older versions:<br>
<ul>
<li>The 1.3 site is <a
href="http://www.shorewall.net/1.3" target="_top">here.</a></li>
<li>The 1.2 site is <a href="http://shorewall.net/1.2/"
target="_top">here</a>.<br>
<li>The 1.2 site is <a
href="http://shorewall.net/1.2/" target="_top">here</a>.<br>
</li>
</ul>
<h2>Getting Started with Shorewall</h2>
New to Shorewall? Start by selecting
the <a
href="file:///vfat/Shorewall-docs/shorewall_quickstart_guide.htm">QuickStart
Guide</a> that most closely match your environment and follow
the step by step instructions.<br>
New to Shorewall? Start by
selecting the <a href="shorewall_quickstart_guide.htm">QuickStart
Guide</a> that most closely match your environment and
follow the step by step instructions.<br>
<h2>Looking for Information?</h2>
The <a href="shorewall_quickstart_guide.htm#Documentation">Documentation
The <a
href="shorewall_quickstart_guide.htm#Documentation">Documentation
Index</a> is a good place to start as is the Quick Search to your right.
<h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
If so, the documentation<b> </b>on this site
will not apply directly to your setup. If you want to use the
documentation that you find here, you will want to consider uninstalling
what you have and installing a setup that matches the documentation
on this site. See the <a href="two-interface.htm">Two-interface
QuickStart Guide</a> for details.
If so, the documentation<b> </b>on this
site will not apply directly to your setup. If you want to
use the documentation that you find here, you will want to consider
uninstalling what you have and installing a setup that matches
the documentation on this site. See the <a
href="two-interface.htm">Two-interface QuickStart Guide</a> for
details.
<h2></h2>
<h2><b>News</b></h2>
<p><b>7/22/2003 - Shorewall-1.4.6a</b><b> <img border="0"
<p><b>8/5/2003 - Shorewall-1.4.6b</b><b> <img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
<br>
</b></p>
<b>Problems Corrected since version 1.4.6:</b><br>
<ol>
<li>Previously, if TC_ENABLED is set to yes in shorewall.conf then
Shorewall would fail to start with the error "ERROR:  Traffic Control
requires Mangle"; that problem has been corrected.</li>
<li>Corrected handling of MAC addresses in the SOURCE column of the
tcrules file. Previously, these addresses resulted in an invalid iptables
command.</li>
<li>The "shorewall stop" command is now disabled when /etc/shorewall/startup_disabled
exists. This prevents people from shooting themselves in the foot prior to
having configured Shorewall.</li>
<li>A change introduced in version 1.4.6 caused error messages during
"shorewall [re]start" when ADD_IP_ALIASES=Yes and ip addresses were being
added to a PPP interface; the addresses were successfully added in spite
of the messages.<br>
   <br>
The firewall script has been modified to eliminate the error messages.<br>
</li>
</ol>
<p><b>7/31/2003 - Snapshot 1.4.6_20030731 </b><b> </b></p>
<blockquote>
<p><a href="http://shorewall.net/pub/shorewall/Snapshots/">http://shorewall.net/pub/shorewall/Snapshots/</a><br>
<a href="ftp://shorewall.net/pub/shorewall/Snapshots/"
target="_top">ftp://shorewall.net/pub/shorewall/Snapshots/</a></p>
</blockquote>
<p><b>Problems Corrected since version 1.4.6:</b><br>
</p>
<ol>
<li>Corrected problem in 1.4.6 where the MANGLE_ENABLED variable
was being tested before it was set.</li>
<li>Corrected handling of MAC addresses in the SOURCE column
of the tcrules file. Previously, these addresses resulted in an invalid
iptables command.<br>
</li>
</ol>
<p><b>Migration Issues:</b><br>
</p>
<ol>
<li>Once you have installed this version of Shorewall, you must
restart Shorewall before you may use the 'drop', 'reject', 'allow' or 'save'
commands.</li>
<li>To maintain strict compatibility with previous versions,
current uses of "shorewall drop" and "shorewall reject" should be replaced
with "shorewall dropall" and "shorewall rejectall" </li>
</ol>
<p><b>New Features:</b> <br>
</p>
<ol>
<li>Shorewall now creates a dynamic blacklisting chain for each
interface defined in /etc/shorewall/interfaces. The 'drop' and 'reject' commands
use the routing table to determine which of these chains is to be used for
blacklisting the specified IP address(es).<br>
<br>
Two new commands ('dropall' and 'rejectall') have been introduced that
do what 'drop' and 'reject' used to do; namely, when an address is blacklisted
using these new commands, it will be blacklisted on all of your firewall's
interfaces.</li>
<li>Thanks to Steve Herber, the 'help' command can now give command-specific
help (e.g., shorewall help &lt;command&gt;).</li>
<li>A new option "ADMINISABSENTMINDED" has been added to /etc/shorewall/shorewall.conf.
This option has a default value of "No" for existing users which causes
Shorewall's 'stopped' state  to continue as it has been; namely, in the
stopped state only traffic to/from hosts listed in /etc/shorewall/routestopped
is accepted.<br>
<br>
With ADMINISABSENTMINDED=Yes (the default for new installs), in addition
to traffic to/from the hosts listed in /etc/shorewall/routestopped, Shorewall
will allow:<br>
<br>
   a) All traffic originating from the firewall itself; and<br>
   b) All traffic that is part of or related to an already-existing connection.<br>
<br>
 In particular, with ADMINISABSENTMINDED=Yes, a "shorewall stop" entered
through an ssh session will not kill the session.<br>
<br>
 Note though that even with ADMINISABSENTMINDED=Yes, it is still possible
for people to shoot themselves in the foot.<br>
<br>
 Example:<br>
<br>
 /etc/shorewall/nat:<br>
<br>
     206.124.146.178    eth0:0    192.168.1.5    <br>
<br>
 /etc/shorewall/rules:<br>
<br>
   ACCEPT    net    loc:192.168.1.5    tcp    22<br>
   ACCEPT    loc    fw        tcp    22<br>
<br>
From a remote system, I ssh to 206.124.146.178 which establishes an SSH
connection with local system 192.168.1.5. I then create a second SSH connection
from that computer to the firewall and confidently type "shorewall stop".
As part of its stop processing, Shorewall removes eth0:0 which kills my SSH
connection to 192.168.1.5!!!<br>
</li>
</ol>
<ol>
</ol>
<p><b>7/22/2003 - Shorewall-1.4.6a</b><b>  <br>
</b></p>
<b>Problems Corrected:</b><br>
<ol>
<li>Previously, if TC_ENABLED is set to yes in shorewall.conf then
Shorewall would fail to start with the error "ERROR:  Traffic Control requires
Mangle"; that problem has been corrected.</li>
<li>Previously, if TC_ENABLED is set to yes in shorewall.conf
then Shorewall would fail to start with the error "ERROR:  Traffic Control
requires Mangle"; that problem has been corrected.</li>
</ol>
<p><b>7/20/2003 - Shorewall-1.4.6</b><b> <img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
<br>
<p><b>7/20/2003 - Shorewall-1.4.6</b><b>  <br>
</b> </p>
<p><b>Problems Corrected:</b><br>
</p>
<ol>
<li>A problem seen on RH7.3 systems where Shorewall encountered
start errors when started using the "service" mechanism has been worked
around.<br>
<br>
</li>
<li>Where a list of IP addresses appears in the DEST column of
a DNAT[-] rule, Shorewall incorrectly created multiple DNAT rules in
the nat table (one for each element in the list). Shorewall now correctly
<li>Where a list of IP addresses appears in the DEST column
of a DNAT[-] rule, Shorewall incorrectly created multiple DNAT rules
in the nat table (one for each element in the list). Shorewall now correctly
creates a single DNAT rule with multiple "--to-destination" clauses.<br>
<br>
</li>
<li>Corrected a problem in Beta 1 where DNS names containing a
"-" were mis-handled when they appeared in the DEST column of a rule.<br>
<li>Corrected a problem in Beta 1 where DNS names containing
a "-" were mis-handled when they appeared in the DEST column of a rule.<br>
<br>
</li>
<li>A number of problems with rule parsing have been corrected.
Corrections involve the handling of "z1!z2" in the SOURCE column as well
as lists in the ORIGINAL DESTINATION column.<br>
Corrections involve the handling of "z1!z2" in the SOURCE column as
well as lists in the ORIGINAL DESTINATION column.<br>
<br>
</li>
<li>The message "Adding rules for DHCP" is now suppressed if there
are no DHCP rules to add.</li>
<li>The message "Adding rules for DHCP" is now suppressed
if there are no DHCP rules to add.</li>
</ol>
@ -205,99 +331,108 @@ are no DHCP rules to add.</li>
<p><b>Migration Issues:</b><br>
</p>
<ol>
<li>In earlier versions, an undocumented feature allowed
entries in the host file as follows:<br>
entries in the host file as follows:<br>
<br>
    z    eth1:192.168.1.0/24,eth2:192.168.2.0/24<br>
<br>
This capability was never documented and has been removed in 1.4.6
to allow entries of the following format:<br>
This capability was never documented and has been removed
in 1.4.6 to allow entries of the following format:<br>
<br>
    z   eth1:192.168.1.0/24,192.168.2.0/24<br>
<br>
</li>
<li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options
have been removed from /etc/shorewall/shorewall.conf. These capabilities
are now automatically detected by Shorewall (see below).<br>
<li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT
options have been removed from /etc/shorewall/shorewall.conf. These
capabilities are now automatically detected by Shorewall (see below).<br>
</li>
</ol>
<p><b>New Features:</b><br>
</p>
<ol>
<li>A 'newnotsyn' interface option has been added. This option
may be specified in /etc/shorewall/interfaces and overrides the setting
NEWNOTSYN=No for packets arriving on the associated interface.<br>
<li>A 'newnotsyn' interface option has been added.
This option may be specified in /etc/shorewall/interfaces and overrides
the setting NEWNOTSYN=No for packets arriving on the associated interface.<br>
<br>
</li>
<li>The means for specifying a range of IP addresses in /etc/shorewall/masq
to use for SNAT is now documented. ADD_SNAT_ALIASES=Yes is enabled for
address ranges.<br>
<li>The means for specifying a range of IP addresses
in /etc/shorewall/masq to use for SNAT is now documented. ADD_SNAT_ALIASES=Yes
is enabled for address ranges.<br>
<br>
</li>
<li>Shorewall can now add IP addresses to subnets other than
the first one on an interface.<br>
<li>Shorewall can now add IP addresses to subnets
other than the first one on an interface.<br>
<br>
</li>
<li>DNAT[-] rules may now be used to load balance (round-robin)
over a set of servers. Servers may be specified in a range of addresses
given as &lt;first address&gt;-&lt;last address&gt;.<br>
<li>DNAT[-] rules may now be used to load balance
(round-robin) over a set of servers. Servers may be specified in
a range of addresses given as &lt;first address&gt;-&lt;last address&gt;.<br>
<br>
Example:<br>
<br>
    DNAT net loc:192.168.10.2-192.168.10.5 tcp 80<br>
<br>
</li>
<li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration
options have been removed and have been replaced by code that detects
whether these capabilities are present in the current kernel. The output
of the start, restart and check commands have been enhanced to report the
outcome:<br>
<li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT
configuration options have been removed and have been replaced by
code that detects whether these capabilities are present in the current
kernel. The output of the start, restart and check commands have been
enhanced to report the outcome:<br>
<br>
Shorewall has detected the following iptables/netfilter capabilities:<br>
Shorewall has detected the following iptables/netfilter
capabilities:<br>
   NAT: Available<br>
   Packet Mangling: Available<br>
   Multi-port Match: Available<br>
Verifying Configuration...<br>
<br>
</li>
<li>Support for the Connection Tracking Match Extension has
been added. This extension is available in recent kernel/iptables releases
and allows for rules which match against elements in netfilter's connection
tracking table. Shorewall automatically detects the availability of this
extension and reports its availability in the output of the start, restart
and check commands.<br>
<li>Support for the Connection Tracking Match Extension
has been added. This extension is available in recent kernel/iptables
releases and allows for rules which match against elements in netfilter's
connection tracking table. Shorewall automatically detects the availability
of this extension and reports its availability in the output of the
start, restart and check commands.<br>
<br>
Shorewall has detected the following iptables/netfilter capabilities:<br>
Shorewall has detected the following iptables/netfilter
capabilities:<br>
   NAT: Available<br>
   Packet Mangling: Available<br>
   Multi-port Match: Available<br>
   Connection Tracking Match: Available<br>
Verifying Configuration...<br>
<br>
If this extension is available, the ruleset generated by Shorewall
is changed in the following ways:</li>
If this extension is available, the ruleset generated by
Shorewall is changed in the following ways:</li>
<ul>
<li>To handle 'norfc1918' filtering, Shorewall will not
create chains in the mangle table but will rather do all 'norfc1918' filtering
in the filter table (rfc1918 chain).</li>
<li>Recall that Shorewall DNAT rules generate two netfilter
rules; one in the nat table and one in the filter table. If the Connection
Tracking Match Extension is available, the rule in the filter table is
extended to check that the original destination address was the same as
specified (or defaulted to) in the DNAT rule.<br>
<li>To handle 'norfc1918' filtering, Shorewall will
not create chains in the mangle table but will rather do all 'norfc1918'
filtering in the filter table (rfc1918 chain).</li>
<li>Recall that Shorewall DNAT rules generate two
netfilter rules; one in the nat table and one in the filter table.
If the Connection Tracking Match Extension is available, the rule
in the filter table is extended to check that the original destination
address was the same as specified (or defaulted to) in the DNAT rule.<br>
<br>
</li>
</ul>
<li>The shell used to interpret the firewall script (/usr/share/shorewall/firewall)
may now be specified using the SHOREWALL_SHELL parameter in shorewall.conf.<br>
<li>The shell used to interpret the firewall script
(/usr/share/shorewall/firewall) may now be specified using the SHOREWALL_SHELL
parameter in shorewall.conf.<br>
<br>
</li>
<li>An 'ipcalc' command has been added to /sbin/shorewall.<br>
@ -323,10 +458,10 @@ specified (or defaulted to) in the DNAT rule.<br>
<br>
Warning:<br>
<br>
If your shell only supports 32-bit signed arithmatic (ash or dash),
then the ipcalc command produces incorrect information for IP addresses
128.0.0.0-1 and for /1 networks. Bash should produce correct information
for all valid IP addresses.<br>
If your shell only supports 32-bit signed arithmatic (ash
or dash), then the ipcalc command produces incorrect information for
IP addresses 128.0.0.0-1 and for /1 networks. Bash should produce correct
information for all valid IP addresses.<br>
<br>
</li>
<li>An 'iprange' command has been added to /sbin/shorewall.
@ -334,13 +469,13 @@ specified (or defaulted to) in the DNAT rule.<br>
<br>
      iprange &lt;address&gt;-&lt;address&gt;<br>
<br>
This command decomposes a range of IP addressses into a list of
network and host addresses. The command can be useful if you need to
construct an efficient set of rules that accept connections from a range
of network addresses.<br>
This command decomposes a range of IP addressses into a list
of network and host addresses. The command can be useful if you need
to construct an efficient set of rules that accept connections from
a range of network addresses.<br>
<br>
Note: If your shell only supports 32-bit signed arithmetic (ash
or dash) then the range may not span 128.0.0.0.<br>
Note: If your shell only supports 32-bit signed arithmetic
(ash or dash) then the range may not span 128.0.0.0.<br>
<br>
Example:<br>
<br>
@ -359,119 +494,138 @@ or dash) then the range may not span 128.0.0.0.<br>
      [root@gateway root]#<br>
<br>
</li>
<li>A list of host/net addresses is now allowed in an entry
in /etc/shorewall/hosts.<br>
<li>A list of host/net addresses is now allowed in
an entry in /etc/shorewall/hosts.<br>
<br>
Example:<br>
<br>
    foo    eth1:192.168.1.0/24,192.168.2.0/24<br>
<br>
</li>
<li value="11">The "shorewall check" command now includes the chain
name when printing the applicable policy for each pair of zones.<br>
<li value="11">The "shorewall check" command now includes
the chain name when printing the applicable policy for each pair of zones.<br>
 <br>
    Example:<br>
 <br>
        Policy for dmz to net is REJECT using chain all2all<br>
 <br>
This means that the policy for connections from the dmz to the internet
is REJECT and the applicable entry in the /etc/shorewall/policy was the all-&gt;all
policy.<br>
is REJECT and the applicable entry in the /etc/shorewall/policy was the
all-&gt;all policy.<br>
<br>
</li>
<li>Support for the 2.6 Kernel series has been added.<br>
</li>
</ol>
<b> </b>
<ol>
</ol>
<p><b>7/15/2003 - New Mirror in Brazil</b><b> <img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
<br>
<p><b>7/15/2003 - New Mirror in Brazil</b><b>  <br>
</b></p>
Thanks to the folks at securityopensource.org.br, there is now a <a
href="http://shorewall.securityopensource.org.br" target="_top">Shorewall
mirror in Brazil</a>
Thanks to the folks at securityopensource.org.br, there is now
a <a href="http://shorewall.securityopensource.org.br"
target="_top">Shorewall mirror in Brazil</a>
<p><b>6/17/2003 - Shorewall-1.4.5</b><b> </b></p>
<p>Problems Corrected:<br>
</p>
<ol>
<li>The command "shorewall debug try &lt;directory&gt;"
now correctly traces the attempt.</li>
<li>The INCLUDE directive now works properly in the
zones file; previously, INCLUDE in that file was ignored.</li>
<li>/etc/shorewall/routestopped records with an empty
second column are no longer ignored.<br>
<li>The INCLUDE directive now works properly
in the zones file; previously, INCLUDE in that file was ignored.</li>
<li>/etc/shorewall/routestopped records with
an empty second column are no longer ignored.<br>
</li>
</ol>
<p>New Features:<br>
</p>
<ol>
<li>The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-]
rule may now contain a list of addresses. If the list begins with "!'
then the rule will take effect only if the original destination address
in the connection request does not match any of the addresses listed.</li>
<li>The ORIGINAL DEST column in a DNAT[-] or
REDIRECT[-] rule may now contain a list of addresses. If the list
begins with "!' then the rule will take effect only if the original
destination address in the connection request does not match any
of the addresses listed.</li>
</ol>
<p><b>6/15/2003 - Shorewall, Kernel 2.4.21 and iptables 1.2.8</b><b>
</b></p>
The firewall at shorewall.net has been upgraded to the
2.4.21 kernel and iptables 1.2.8 (using the "official" RPM from netfilter.org).
No problems have been encountered with this set of software. The Shorewall
version is 1.4.4b plus the accumulated changes for 1.4.5.
The firewall at shorewall.net has been upgraded
to the 2.4.21 kernel and iptables 1.2.8 (using the "official" RPM
from netfilter.org). No problems have been encountered with this
set of software. The Shorewall version is 1.4.4b plus the accumulated
changes for 1.4.5.
<p><b>6/8/2003 - Updated Samples</b><b> </b></p>
<p>Thanks to Francesca Smith, the samples have been updated to Shorewall
version 1.4.4.</p>
<p><b></b></p>
<ol>
</ol>
<p><b></b></p>
<p><b></b></p>
<blockquote>
<ol>
@ -479,6 +633,7 @@ is REJECT and the applicable entry in the /etc/shorewall/policy was the all-&gt;
</ol>
</blockquote>
@ -487,15 +642,17 @@ is REJECT and the applicable entry in the /etc/shorewall/policy was the all-&gt;
<p><a href="file:///Z:/Shorewall-docs/News.htm"></a></p>
<p><a href="News.htm"></a></p>
<b> </b>
<p><b><a href="News.htm">More News</a></b></p>
<b> </b>
<b>
</b>
@ -508,21 +665,23 @@ is REJECT and the applicable entry in the /etc/shorewall/policy was the all-&gt;
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36"
alt="(Leaf Logo)">
</a>Jacques Nilo and Eric
Wolzak have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution
called <i>Bering</i> that
features Shorewall-1.4.2 and Kernel-2.4.20.
You can find their work at:
<a href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
</a>Jacques Nilo and
Eric Wolzak have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash)
distribution called <i>Bering</i>
that features Shorewall-1.4.2 and
Kernel-2.4.20. You can find their
work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
<b>Congratulations to Jacques
and Eric on the recent release of Bering
1.2!!! </b><br>
<b>Congratulations
to Jacques and Eric on the recent release
of Bering 1.2!!! </b><br>
@ -538,6 +697,7 @@ is REJECT and the applicable entry in the /etc/shorewall/policy was the all-&gt;
<h4><b> </b></h4>
<b> </b>
@ -545,6 +705,7 @@ is REJECT and the applicable entry in the /etc/shorewall/policy was the all-&gt;
<h2><b>This site is hosted by the generous folks at <a
href="http://www.sf.net">SourceForge.net</a> </b></h2>
<b> </b>
@ -553,12 +714,14 @@ is REJECT and the applicable entry in the /etc/shorewall/policy was the all-&gt;
<h2><b><a name="Donations"></a>Donations</b></h2>
<b>
</b></td>
<td width="88" bgcolor="#3366ff"
valign="top" align="center">
<td width="88"
bgcolor="#3366ff" valign="top" align="center">
@ -568,6 +731,7 @@ is REJECT and the applicable entry in the /etc/shorewall/policy was the all-&gt;
<p><strong><br>
<font color="#ffffff"><b>Note:
</b></font></strong> <font
@ -578,9 +742,10 @@ is REJECT and the applicable entry in the /etc/shorewall/policy was the all-&gt;
<p><font color="#ffffff"><strong>Quick Search</strong></font><br>
<font face="Arial" size="-1">
<input type="text" name="words" size="15"></font><font
<font face="Arial"
size="-1"> <input type="text" name="words" size="15"></font><font
size="-1"> </font><font face="Arial" size="-1"> <input
type="hidden" name="format" value="long"> <input
type="hidden" name="method" value="and"> <input type="hidden"
@ -594,19 +759,21 @@ is REJECT and the applicable entry in the /etc/shorewall/policy was the all-&gt;
<p><font color="#ffffff"><b> <a
href="http://lists.shorewall.net/htdig/search.html"> <font
color="#ffffff">Extended Search</font></a></b></font></p>
<a target="_top"
href="file:///vfat/Shorewall-docs/1.3/index.html"><font color="#ffffff">
</font></a><a target="_top"
href="http://www1.shorewall.net/1.2/index.htm"><font color="#ffffff"><small><small><small></small></small></small></font></a><br>
href="1.3/index.html"><font color="#ffffff"> </font></a><a
target="_top" href="http://www1.shorewall.net/1.2/index.htm"><font
color="#ffffff"><small><small><small></small></small></small></font></a><br>
</td>
</tr>
</tbody>
</table>
@ -641,12 +808,14 @@ is REJECT and the applicable entry in the /etc/shorewall/policy was the all-&gt;
<p align="center"><font size="4" color="#ffffff"><br>
<font size="+2">Shorewall is free but if you
try it and find it useful, please consider making a donation
<font size="+2">Shorewall is free but if
you try it and find it useful, please consider making a donation
to
<a href="http://www.starlight.org"><font color="#ffffff">Starlight
Children's Foundation.</font></a> Thanks!</font></font></p>
<a href="http://www.starlight.org"><font
color="#ffffff">Starlight Children's Foundation.</font></a>
Thanks!</font></font></p>
</td>
@ -654,12 +823,15 @@ is REJECT and the applicable entry in the /etc/shorewall/policy was the all-&gt;
</tbody>
</table>
<p><font size="2">Updated 7/22/2003 - <a href="support.htm">Tom Eastep</a></font>
<p><font size="2">Updated 8/5/2003 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
<br>
</p>
</body>
</html>

84
STABLE/documentation/standalone.htm
View File

@ -27,8 +27,6 @@
</tbody>
</table>
<h2 align="center">Version 2.0.1</h2>
<p align="left">Setting up Shorewall on a standalone Linux system is very
easy if you understand the basics and follow the documentation.</p>
@ -39,38 +37,39 @@
<ul>
<li>Linux system</li>
<li>Single external IP address</li>
<li>Connection through Cable Modem, DSL, ISDN, Frame Relay, dial-up...</li>
<li>Connection through Cable Modem, DSL, ISDN, Frame Relay,
dial-up...</li>
</ul>
<p>Shorewall requires that you have the iproute/iproute2 package installed
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell
if this package is installed by the presence of an <b>ip</b> program on
your firewall system. As root, you can use the 'which' command to check
for this program:</p>
if this package is installed by the presence of an <b>ip</b> program
on your firewall system. As root, you can use the 'which' command to
check for this program:</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
<p>I recommend that you read through the guide first to familiarize yourself
with what's involved then go back through it again making your configuration
changes.  Points at which configuration changes are recommended are flagged
with <img border="0" src="images/BD21298_.gif" width="13"
changes.  Points at which configuration changes are recommended are
flagged with <img border="0" src="images/BD21298_.gif" width="13"
height="13">
.</p>
<p><img border="0" src="images/j0213519.gif" width="60" height="60">
    If you edit your configuration files on a Windows system, you
must save them as Unix files if your editor supports that option or you
must run them through dos2unix before trying to use them. Similarly, if
you copy a configuration file from your Windows hard drive to a floppy
disk, you must run dos2unix against the copy before using it with Shorewall.</p>
    If you edit your configuration files on a Windows system,
you must save them as Unix files if your editor supports that option
or you must run them through dos2unix before trying to use them. Similarly,
if you copy a configuration file from your Windows hard drive to a floppy
disk, you must run dos2unix against the copy before using it with Shorewall.</p>
<ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows
Version of dos2unix</a></li>
Version of dos2unix</a></li>
<li><a
href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version
of dos2unix</a></li>
of dos2unix</a></li>
</ul>
@ -80,7 +79,7 @@ Version of dos2unix</a></li>
alt="">
    The configuration files for Shorewall are contained in the directory
/etc/shorewall -- for simple setups, you only need to deal with a few
of these as described in this guide. After you have <a
of these as described in this guide. After you have <a
href="Install.htm">installed Shorewall</a>, <b>download the <a
href="http://www1.shorewall.net/pub/shorewall/Samples/">one-interface sample</a>,
un-tar it (tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewall
@ -93,7 +92,7 @@ of these as described in this guide. After you have <a
<p>Shorewall views the network where it is running as being composed of a
set of <i>zones.</i> In the one-interface sample configuration, only
one zone is defined:</p>
one zone is defined:</p>
<table border="0" style="border-collapse: collapse;" cellpadding="3"
cellspacing="0" id="AutoNumber2">
@ -134,8 +133,8 @@ zone to another zone in the<a href="Documentation.htm#Policy"> /etc/shorew
the request is first checked against the rules in /etc/shorewall/common
(the samples provide that file for you).</p>
<p>The /etc/shorewall/policy file included with the one-interface sample has
the following policies:</p>
<p>The /etc/shorewall/policy file included with the one-interface sample
has the following policies:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -179,8 +178,8 @@ the following policies:</p>
<ol>
<li>allow all connection requests from the firewall to the internet</li>
<li>drop (ignore) all connection requests from the internet to
your firewall</li>
<li>drop (ignore) all connection requests from the internet
to your firewall</li>
<li>reject all other connection requests (Shorewall requires
this catchall policy).</li>
@ -194,20 +193,20 @@ this catchall policy).</li>
<p align="left">The firewall has a single network interface. Where Internet
connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
will be the ethernet adapter (<b>eth0</b>) that is connected to that
"Modem"  <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint
<u>P</u>rotocol over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint
<u>T</u>unneling <u>P</u>rotocol </i>(PPTP) in which case the External
Interface will be a <b>ppp0</b>. If you connect via a regular modem, your
External Interface will also be <b>ppp0</b>. If you connect using ISDN,
your external interface will be<b> ippp0.</b></p>
"Modem"  <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint
<u>P</u>rotocol over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint
<u>T</u>unneling <u>P</u>rotocol </i>(PPTP) in which case the External
Interface will be a <b>ppp0</b>. If you connect via a regular modem, your
External Interface will also be <b>ppp0</b>. If you connect using ISDN,
your external interface will be<b> ippp0.</b></p>
<p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
height="13">
    The Shorewall one-interface sample configuration assumes that
the external interface is <b>eth0</b>. If your configuration is different,
the external interface is <b>eth0</b>. If your configuration is different,
you will have to modify the sample /etc/shorewall/interfaces file accordingly.
While you are there, you may wish to review the list of options that
are specified for the interface. Some hints:</p>
are specified for the interface. Some hints:</p>
<ul>
<li>
@ -217,7 +216,7 @@ are specified for the interface. Some hints:</p>
<li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>
or if you have a static IP address, you can remove "dhcp" from the
option list. </p>
option list. </p>
</li>
</ul>
@ -236,8 +235,8 @@ option list. </p>
<p align="left">These addresses are sometimes referred to as <i>non-routable</i>
because the Internet backbone routers will not forward a packet whose
destination address is reserved by RFC 1918. In some cases though, ISPs
are assigning these addresses then using <i>Network Address Translation
destination address is reserved by RFC 1918. In some cases though,
ISPs are assigning these addresses then using <i>Network Address Translation
</i>to rewrite packet headers when forwarding to/from the internet.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" align="left"
@ -286,8 +285,8 @@ option list. </p>
</div>
<div align="left">
<p align="left">Example - You want to run a Web Server and a POP3 Server on
your firewall system:</p>
<p align="left">Example - You want to run a Web Server and a POP3 Server
on your firewall system:</p>
</div>
<div align="left">
@ -335,8 +334,8 @@ your firewall system:</p>
<div align="left">
<p align="left"><b>Important: </b>I don't recommend enabling telnet to/from
the internet because it uses clear text (even for login!). If you want
shell access to your firewall from the internet, use SSH:</p>
the internet because it uses clear text (even for login!). If you
want shell access to your firewall from the internet, use SSH:</p>
</div>
<div align="left">
@ -397,8 +396,8 @@ your firewall system:</p>
<div align="left">
<p align="left">The firewall is started using the "shorewall start" command
and stopped using "shorewall stop". When the firewall is stopped, routing
is enabled on those hosts that have an entry in <a
and stopped using "shorewall stop". When the firewall is stopped,
routing is enabled on those hosts that have an entry in <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A
running firewall may be restarted using the "shorewall restart" command.
If you want to totally remove any trace of Shorewall from your Netfilter
@ -407,10 +406,10 @@ your firewall system:</p>
<div align="left">
<p align="left"><b>WARNING: </b>If you are connected to your firewall from
the internet, do not issue a "shorewall stop" command unless you have
added an entry for the IP address that you are connected from to <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better to create
the internet, do not issue a "shorewall stop" command unless you
have added an entry for the IP address that you are connected from
to <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better to create
an <i><a href="configuration_file_basics.htm#Configs">alternate configuration</a></i>
and test it using the <a
href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p>
@ -431,5 +430,6 @@ Also, I don't recommend using "shorewall restart"; it is better to create
<br>
<br>
<br>
<br>
</body>
</html>

198
STABLE/documentation/starting_and_stopping_shorewall.htm
View File

@ -20,6 +20,7 @@
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Starting/Stopping and Monitoring
the Firewall</font></h1>
</td>
@ -33,7 +34,7 @@
Once you have installed "firewall" in your init.d directory, simply
type "chkconfig --add firewall". This will start the firewall
in run levels 2-5 and stop it in run levels 1 and 6. If you want
to configure your firewall differently from this default, you can
to configure your firewall differently from this default, you can
use the "--level" option in chkconfig (see "man chkconfig") or using
your favorite graphical run-level editor.</p>
@ -41,10 +42,10 @@ your favorite graphical run-level editor.</p>
</p>
<ol>
<li>Shorewall startup is disabled by default. Once you have
configured your firewall, you can enable startup by removing the file
/etc/shorewall/startup_disabled. Note: Users of the .deb package must
edit /etc/default/shorewall and set 'startup=1'.<br>
<li>Shorewall startup is disabled by default. Once you
have configured your firewall, you can enable startup by removing the
file /etc/shorewall/startup_disabled. Note: Users of the .deb package
must edit /etc/default/shorewall and set 'startup=1'.<br>
</li>
<li>If you use dialup, you may want to start the firewall
in your /etc/ppp/ip-up.local script. I recommend just placing "shorewall
@ -55,112 +56,143 @@ your favorite graphical run-level editor.</p>
<p> </p>
<p> You can manually start and stop Shoreline Firewall using the "shorewall"
shell program: </p>
shell program. Please refer to the <a
href="file:///vfat/Shorewall-docs/starting_and_stopping_shorewall.htm#StateDiagram">Shorewall
State Diagram</a> is shown at the bottom of this page. </p>
<ul>
<li>shorewall start - starts the firewall</li>
<li>shorewall stop - stops the firewall</li>
<li>shorewall stop - stops the firewall; the only traffic
permitted through the firewall is from systems listed in /etc/shorewall/routestopped
(Beginning with version 1.4.7, if ADMINISABSENTMINDED=Yes in /etc/shorewall/shorewall.conf
then in addition, all existing connections are permitted and any new connections
originating from the firewall itself are allowed).</li>
<li>shorewall restart - stops the firewall (if it's
running) and then starts it again</li>
<li>shorewall reset - reset the packet and byte counters
in the firewall</li>
<li>shorewall clear - remove all rules and chains
installed by Shoreline Firewall</li>
<li>shorewall refresh - refresh the rules involving the
broadcast addresses of firewall interfaces, <a
installed by Shoreline Firewall. The firewall is "wide open"</li>
<li>shorewall refresh - refresh the rules involving
the broadcast addresses of firewall interfaces, <a
href="blacklisting_support.htm">the black list</a>, <a
href="traffic_shaping.htm">traffic control rules</a> and <a
href="ECN.html">ECN control rules</a>.</li>
</ul>
If you include the keyword <i>debug</i> as the first argument,
then a shell trace of the command is produced as in:<br>
then a shell trace of the command is produced as in:<br>
<pre> <font color="#009900"><b>shorewall debug start 2&gt; /tmp/trace</b></font><br></pre>
<p>The above command would trace the 'start' command and place the trace
information in the file /tmp/trace<br>
<p>The above command would trace the 'start' command and place the trace information
in the file /tmp/trace<br>
</p>
<p>The <a href="#StateDiagram">Shorewall State Diagram</a> is shown at the
bottom of this page.<br>
<p>Beginning with version 1.4.7, shorewall can give detailed help about each
of its commands:<br>
</p>
<ul>
<li>shorewall help [ <i>command</i> | host | address ]<br>
</li>
</ul>
<p>The "shorewall" program may also be used to monitor the firewall.</p>
<ul>
<li>shorewall status - produce a verbose report about the
firewall (iptables -L -n -v)</li>
<li>shorewall show <i>chain</i> - produce a verbose report
about <i>chain </i>(iptables -L <i>chain</i> -n -v)</li>
<li>shorewall status - produce a verbose report about
the firewall (iptables -L -n -v)</li>
<li>shorewall show <i>chain</i> - produce a verbose
report about <i>chain </i>(iptables -L <i>chain</i>
-n -v)</li>
<li>shorewall show nat - produce a verbose report about
the nat table (iptables -t nat -L -n -v)</li>
the nat table (iptables -t nat -L -n -v)</li>
<li>shorewall show tos - produce a verbose report about
the mangle table (iptables -t mangle -L -n -v)</li>
<li>shorewall show log - display the last 20 packet log
entries.</li>
the mangle table (iptables -t mangle -L -n -v)</li>
<li>shorewall show log - display the last 20 packet
log entries.</li>
<li>shorewall show connections - displays the IP connections
currently being tracked by the firewall.</li>
<li>shorewall
show tc - displays
information about the traffic control/shaping configuration.</li>
show tc
- displays information about the traffic control/shaping configuration.</li>
<li>shorewall monitor [ delay ] - Continuously display
the firewall status, last 20 log entries and nat. When the
log entry display changes, an audible alarm is sounded.</li>
<li>shorewall hits - Produces several reports about the
Shorewall packet log messages in the current /var/log/messages
file.</li>
<li>shorewall version - Displays the installed version
number.</li>
the firewall status, last 20 log entries and nat. When the
log entry display changes, an audible alarm is sounded.</li>
<li>shorewall hits - Produces several reports about
the Shorewall packet log messages in the current /var/log/messages
file.</li>
<li>shorewall version - Displays the installed
version number.</li>
<li>shorewall check - Performs a <u>cursory</u> validation of
the zones, interfaces, hosts, rules and policy files.<br>
the zones, interfaces, hosts, rules and policy files.<br>
<br>
<font size="4" color="#ff6666"><b>The "check" command is totally unsuppored
and does not parse and validate the generated iptables commands.
Even though the "check" command completes successfully, the configuration
may fail to start. Problem reports that complain about errors that the 'check'
command does not detect will not be accepted.<br>
<font size="4" color="#ff6666"><b>The "check" command is totally
unsuppored and does not parse and validate the generated iptables
commands. Even though the "check" command completes successfully,
the configuration may fail to start. Problem reports that complain about
errors that the 'check' command does not detect will not be accepted.<br>
<br>
See the recommended way to make configuration changes described
below.</b></font><br>
below.</b></font><br>
<br>
</li>
<li>shorewall try<i> configuration-directory</i> [<i> timeout</i>
] - Restart shorewall using the specified configuration and if
an error occurs or if the<i> timeout </i> option is given and the new
configuration has been up for that many seconds then shorewall is
restarted using the standard configuration.</li>
<li>shorewall try<i> configuration-directory</i> [<i>
timeout</i> ] - Restart shorewall using the specified configuration
and if an error occurs or if the<i> timeout </i> option is given
and the new configuration has been up for that many seconds then
shorewall is restarted using the standard configuration.</li>
<li>shorewall deny, shorewall reject, shorewall accept
and shorewall save implement <a
and shorewall save implement <a
href="blacklisting_support.htm">dynamic blacklisting</a>.</li>
<li>shorewall logwatch (added in version 1.3.2) - Monitors
the <a href="#Conf">LOGFILE </a>and produces an audible alarm
when new Shorewall messages are logged.</li>
</ul>
Beginning with Shorewall 1.4.6, /sbin/shorewall supports a couple of commands
for dealing with IP addresses and IP address ranges:<br>
Beginning with Shorewall 1.4.6, /sbin/shorewall supports a couple of
commands for dealing with IP addresses and IP address ranges:<br>
<ul>
<li>shorewall ipcalc [ <i>address mask </i>| <i>address/vlsm</i> ] - displays
the network address, broadcast address, network in CIDR notation and netmask
corresponding to the input[s].</li>
<li>shorewall ipcalc [ <i>address mask </i>| <i>address/vlsm</i> ]
- displays the network address, broadcast address, network in CIDR notation
and netmask corresponding to the input[s].</li>
<li>shorewall iprange <i>address1-address2</i> - Decomposes the specified
range of IP addresses into the equivalent list of network/host addresses.
range of IP addresses into the equivalent list of network/host addresses.
<br>
</li>
</ul>
There is a set of commands dealing with <a
href="blacklisting_support.htm">dynamic blacklisting</a>:<br>
<ul>
<li>shorewall drop <i>&lt;ip address list&gt; </i>- causes packets from
the listed IP addresses to be silently dropped by the firewall.</li>
<li>shorewall reject <i>&lt;ip address list&gt; </i>- causes packets from
the listed IP addresses to be rejected by the firewall.</li>
<li>shorewall allow <i>&lt;ip address list&gt; </i>- re-enables receipt
of packets from hosts previously blacklisted by a <i>drop</i> or <i>reject</i>
command.</li>
<li>shorewall save - save the dynamic blacklisting configuration so that
it will be automatically restored the next time that the firewall is
restarted.</li>
<li>show dynamic - displays the dynamic blacklisting chain.<br>
</li>
</ul>
Finally, the "shorewall" program may be used to dynamically alter the
contents of a zone.<br>
<ul>
<li>shorewall add <i>interface</i>[:<i>host]</i> <i>zone </i>-
Adds the specified interface (and host if included) to the specified
zone.</li>
<li>shorewall add <i>interface</i>[:<i>host]</i> <i>zone
</i>- Adds the specified interface (and host if included) to the
specified zone.</li>
<li>shorewall delete <i>interface</i>[:<i>host]</i> <i>zone
</i>- Deletes the specified interface (and host if included) from
the specified zone.</li>
the specified zone.</li>
</ul>
@ -197,7 +229,7 @@ be used.</p>
<li><font color="#009900"><b>mkdir /etc/test</b></font></li>
<li><font color="#009900"><b>cd /etc/test</b></font></li>
<li>&lt;copy any files that you need to change
from /etc/shorewall to . and change them here&gt;</li>
from /etc/shorewall to . and change them here&gt;</li>
<li><font color="#009900"><b>shorewall -c . check</b></font></li>
<li>&lt;correct any errors found by check and check again&gt;</li>
<li><font
@ -207,8 +239,8 @@ from /etc/shorewall to . and change them here&gt;</li>
<p> If the configuration starts but doesn't work, just "shorewall restart"
to restore the old configuration. If the new configuration fails
to start, the "try" command will automatically start the old one for
you.</p>
to start, the "try" command will automatically start the old one for
you.</p>
<p> When the new configuration works then just </p>
@ -231,70 +263,106 @@ you.</p>
</p>
You will note that the commands that result in state transitions
use the word "firewall" rather than "shorewall". That is because the
actual transitions are done by /usr/lib/shorewall/firewall (/usr/share/shorewall/firewall
on Debian); /sbin/shorewall runs 'firewall" according to the following
table:<br>
actual transitions are done by /usr/share/shorewall/firewall; /sbin/shorewall
runs 'firewall" according to the following table:<br>
<br>
<table cellpadding="2" cellspacing="2" border="1">
<tbody>
<tr>
<td valign="top"><u><b>/sbin/shorewall Command</b><br>
</u></td>
<td valign="top"><u><b>Resulting /usr/share/shorewall/firewall Command</b><br>
</u></td>
<td valign="top"><u><b>Effect if the Command Succeeds</b><br>
</u></td>
</tr>
<tr>
<td valign="top">shorewall start<br>
</td>
<td valign="top">firewall start<br>
</td>
<td valign="top">The system filters packets based on your current
Shorewall Configuration<br>
</td>
</tr>
<tr>
<td valign="top">shorewall stop<br>
</td>
<td valign="top">firewall stop<br>
</td>
<td valign="top">Only traffic to/from hosts listed in /etc/shorewall/hosts
is passed to/from/through the firewall. For Shorewall versions beginning
with 1.4.7, if ADMINISABSENTMINDED=Yes in /etc/shorewall/shorewall.conf then
in addition, all existing connections are retained and all connection requests
from the firewall are accepted.<br>
</td>
</tr>
<tr>
<td valign="top">shorewall restart<br>
</td>
<td valign="top">firewall restart<br>
</td>
<td valign="top">Logically equivalent to "firewall stop;firewall
start"<br>
</td>
</tr>
<tr>
<td valign="top">shorewall add<br>
</td>
<td valign="top">firewall add<br>
</td>
<td valign="top">Adds a host or subnet to a dynamic zone<br>
</td>
</tr>
<tr>
<td valign="top">shorewall delete<br>
</td>
<td valign="top">firewall delete<br>
</td>
<td valign="top">Deletes a host or subnet from a dynamic zone<br>
</td>
</tr>
<tr>
<td valign="top">shorewall refresh<br>
</td>
<td valign="top">firewall refresh<br>
</td>
<td valign="top">Reloads rules dealing with static blacklisting,
traffic control and ECN.<br>
</td>
</tr>
<tr>
<td valign="top">shorewall clear<br>
</td>
<td valign="top">firewall clear<br>
</td>
<td valign="top">Removes all Shorewall rules, chains, addresses,
routes and ARP entries.<br>
</td>
</tr>
<tr>
<td valign="top">shorewall try<br>
</td>
<td valign="top">firewall -c &lt;new configuration&gt; restart<br>
<td valign="top">firewall -c &lt;new configuration&gt;
restart<br>
If unsuccessful then firewall start (standard configuration)<br>
If timeout then firewall restart (standard configuration)<br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
<p><font size="2"> Updated 7/6/2003 - <a href="support.htm">Tom Eastep</a>
<p><font size="2"> Updated 7/31/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p>
<br>
<br>
<br>
</body>
</html>

118
STABLE/documentation/support.htm
View File

@ -2,8 +2,10 @@
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall Support Guide</title>
@ -13,7 +15,9 @@
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
@ -24,8 +28,10 @@
</font></h1>
</td>
</tr>
</tbody>
</table>
@ -49,14 +55,14 @@
</li>
<li>
The <a href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a>
Information contains a number of tips to
help you solve common problems. </li>
Information contains a number of tips
to help you solve common problems. </li>
<li>
The <a href="http://www.shorewall.net/errata.htm"> Errata</a>
has links to download updated components. </li>
has links to download updated components. </li>
<li>
The Site and Mailing List Archives search facility can
locate documents and posts about similar problems:
The Site and Mailing List Archives search facility
can locate documents and posts about similar problems:
</li>
</ul>
@ -108,17 +114,17 @@ has links to download updated components. </li>
<ul>
<li>Please remember we only
know what is posted in your message. Do not leave out any
information that appears to be correct, or was mentioned
know what is posted in your message. Do not leave out
any information that appears to be correct, or was mentioned
in a previous post. There have been countless posts by people
who were sure that some part of their configuration was correct
when it actually contained a small error. We tend to be skeptics
where detail is lacking.<br>
where detail is lacking.<br>
<br>
</li>
<li>Please keep in mind that
you're asking for <strong>free</strong> technical
support. Any help we offer is an act of generosity, not an obligation.
you're asking for <strong>free</strong> technical
support. Any help we offer is an act of generosity, not an obligation.
Try to make it easy for us to help you. Follow good, courteous
practices in writing and formatting your e-mail. Provide details
that we need if you expect good answers. <em>Exact quoting </em>
@ -140,57 +146,67 @@ better than a paraphrase or summary.<br>
<ul>
<ul>
<li>the exact version of Shorewall
you are running.<br>
<li>the exact version of
Shorewall you are running.<br>
<br>
<b><font
color="#009900">shorewall version</font><br>
</b> <br>
</li>
</ul>
<ul>
</ul>
<ul>
<li>the complete, exact output
of<br>
<li>the complete, exact
output of<br>
<br>
<font color="#009900"><b>ip
addr show<br>
<br>
</b></font></li>
</ul>
<ul>
<li>the complete, exact output
of<br>
<li>the complete, exact
output of<br>
<br>
<font color="#009900"><b>ip
route show<br>
</b></font></li>
</ul>
<ul>
</ul>
</ul>
<ul>
<ul>
<li><big><font color="#ff0000"><u><i><big><b>THIS IS
IMPORTANT!</b></big></i></u></font><big><big><big> </big>If your problem is
that some type of connection to/from or through your firewall isn't working
then please perform the following four steps:</big></big></big><br>
<li><small><small><font color="#ff0000"><u><i><big><b>THIS
IS IMPORTANT!</b></big></i></u></font></small></small><big> </big>If your
problem is that some type of connection to/from or through your firewall
isn't working then please perform the following four steps:<br>
<br>
1. <b><font color="#009900">/sbin/shorewall reset</font></b><br>
<br>
@ -199,8 +215,8 @@ then please perform the following four steps:</big></big></big><br>
3.<b><font color="#009900"> /sbin/shorewall
status &gt; /tmp/status.txt</font></b><br>
<br>
4. Post the /tmp/status.txt file as an attachment
(you may compress it if you like).<br>
4. Post the /tmp/status.txt file as an
attachment (you may compress it if you like).<br>
<br>
</li>
<li>the exact wording of any <code
@ -211,26 +227,27 @@ then please perform the following four steps:</big></big></big><br>
Guides, please indicate which one. <br>
<br>
</li>
<li><b>If you are running Shorewall under Mandrake using
the Mandrake installation of Shorewall, please say so.<br>
<li><b>If you are running Shorewall under Mandrake
using the Mandrake installation of Shorewall, please say so.<br>
<br>
</b></li>
</ul>
<li>As a general matter, please <strong>do not edit the
diagnostic information</strong> in an attempt to conceal
your IP address, netmask, nameserver addresses, domain name,
etc. These aren't secrets, and concealing them often misleads us
(and 80% of the time, a hacker could derive them anyway from
information contained in the SMTP headers of your post).<br>
diagnostic information</strong> in an attempt to conceal
your IP address, netmask, nameserver addresses, domain name,
etc. These aren't secrets, and concealing them often misleads
us (and 80% of the time, a hacker could derive them anyway
from information contained in the SMTP headers of your post).<br>
<br>
<strong></strong></li>
<li>Do you see any "Shorewall" messages
("<b><font color="#009900">/sbin/shorewall show log</font></b>")
when you exercise the function that is giving you problems?
If so, include the message(s) in your post along with a copy of
your /etc/shorewall/interfaces file.<br>
your /etc/shorewall/interfaces file.<br>
<br>
</li>
<li>Please include any of the Shorewall configuration
@ -242,14 +259,14 @@ your /etc/shorewall/interfaces file.<br>
<br>
</li>
<li>If an error occurs when you try
to "<font color="#009900"><b>shorewall start</b></font>", include
to "<font color="#009900"><b>shorewall start</b></font>", include
a trace (See the <a
href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a>
section for instructions).<br>
<br>
</li>
<li><b>The list server limits posts to 120kb
so don't post GIFs of your network
so don't post GIFs of your network
layout, etc. to the Mailing List -- your post will be
rejected.</b></li>
@ -269,22 +286,15 @@ blacklist shorewall.net "for continuous abuse" because it has been
my policy to allow HTML in list posts!!<br>
<br>
I think that blocking all
HTML is a Draconian way to control spam and that the ultimate
losers here are not the spammers but the list subscribers
HTML is a Draconian way to control spam and that the
ultimate losers here are not the spammers but the list subscribers
whose MTAs are bouncing all shorewall.net mail. As one list
subscriber wrote to me privately "These e-mail admin's need
to get a <i>(expletive deleted)</i> life instead of trying to
rid the planet of HTML based e-mail". Nevertheless, to allow
rid the planet of HTML based e-mail". Nevertheless, to allow
subscribers to receive list posts as must as possible, I have now
configured the list server at shorewall.net to strip all HTML from
outgoing posts.<br>
<br>
<big><font color="#cc0000"><b>If you run your own outgoing mail server
and it doesn't have a valid DNS PTR record, your email won't reach the
lists unless/until the postmaster notices that your posts are being rejected.
To avoid this problem, you should configure your MTA to forward posts to
shorewall.net through an MTA that <u>does</u> have a valid PTR record (such
as the one at your ISP). </b></font></big><br>
</blockquote>
<h2>Where to Send your Problem Report or to Ask for Help</h2>
@ -295,20 +305,26 @@ as the one at your ISP). </b></font></big><br>
to the <a
href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing
list</a>.</span></h4>
<b>If you run Shorewall under
MandrakeSoft Multi Network Firewall (MNF) and you have
not purchased an MNF license from MandrakeSoft then you can
post non MNF-specific Shorewall questions to the </b><a
<b>If you run Shorewall
under MandrakeSoft Multi Network Firewall (MNF) and
you have not purchased an MNF license from MandrakeSoft then
you can post non MNF-specific Shorewall questions to the </b><a
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
list</a>. <b>Do not expect to get free MNF support on the list</b>
<p>Otherwise, please post your question or problem to the <a
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
list</a> .</p>
list.</a> </p>
</blockquote>
<h2>Subscribing to the Users Mailing List<br>
</h2>
<blockquote>
<p> To Subscribe to the mailing list go to <a
href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a>
.<br>
<br>
Secure: <a
href="https://lists.shorewall.net/mailman/listinfo/shorewall-users"
target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-users</a>.<br>
</p>
</blockquote>
@ -316,11 +332,13 @@ as the one at your ISP). </b></font></big><br>
href="http://lists.shorewall.net">http://lists.shorewall.net</a><br>
</p>
<p align="left"><font size="2">Last Updated 7/9/2003 - Tom Eastep</font></p>
<p align="left"><font size="2">Last Updated 8/1/2003 - Tom Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p>
<br>
<br>
<br>
</body>
</html>

301
STABLE/documentation/three-interface.htm
View File

@ -28,15 +28,13 @@
</tbody>
</table>
<h2 align="center">Version 2.0.1</h2>
<p align="left">Setting up a Linux system as a firewall for a small network
with DMZ is a fairly straight-forward task if you understand the
basics and follow the documentation.</p>
with DMZ is a fairly straight-forward task if you understand
the basics and follow the documentation.</p>
<p>This guide doesn't attempt to acquaint you with all of the features of
Shorewall. It rather focuses on what is required to configure Shorewall
in one of its more popular configurations:</p>
Shorewall. It rather focuses on what is required to configure
Shorewall in one of its more popular configurations:</p>
<ul>
<li>Linux system used as a firewall/router for a small
@ -55,37 +53,37 @@
</p>
<p>Shorewall requires that you have the iproute/iproute2 package installed
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can
tell if this package is installed by the presence of an <b>ip</b>
program on your firewall system. As root, you can use the 'which' command
to check for this program:</p>
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You
can tell if this package is installed by the presence of an <b>ip</b>
program on your firewall system. As root, you can use the 'which'
command to check for this program:</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
<p>I recommend that you first read through the guide to familiarize yourself
with what's involved then go back through it again making your configuration
changes. Points at which configuration changes are recommended
are flagged with <img border="0" src="images/BD21298_.gif"
width="13" height="13">
with what's involved then go back through it again making your
configuration changes. Points at which configuration changes are
recommended are flagged with <img border="0"
src="images/BD21298_.gif" width="13" height="13">
. Configuration notes that are unique to LEAF/Bering are marked with <img
src="images/leaflogo.gif" alt="(LEAF Logo)" width="49" height="36">
</p>
<p><img border="0" src="images/j0213519.gif" width="60" height="60">
    If you edit your configuration files on a Windows
system, you must save them as Unix files if your editor supports
that option or you must run them through dos2unix before trying to
use them. Similarly, if you copy a configuration file from your Windows
hard drive to a floppy disk, you must run dos2unix against the copy before
using it with Shorewall.</p>
system, you must save them as Unix files if your editor supports
that option or you must run them through dos2unix before trying
to use them. Similarly, if you copy a configuration file from your
Windows hard drive to a floppy disk, you must run dos2unix against the
copy before using it with Shorewall.</p>
<ul>
<li><a
href="http://www.simtel.net/pub/pd/51438.html">Windows Version of
dos2unix</a></li>
<li><a
href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version of
dos2unix</a></li>
href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version
of dos2unix</a></li>
</ul>
@ -94,13 +92,14 @@ using it with Shorewall.</p>
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
alt="">
    The configuration files for Shorewall are contained in the
directory /etc/shorewall -- for simple setups, you will only need to
deal with a few of these as described in this guide. After you have <a
href="Install.htm">installed Shorewall</a>, <b>download the <a
directory /etc/shorewall -- for simple setups, you will only need
to deal with a few of these as described in this guide. After you have
<a href="Install.htm">installed Shorewall</a>, <b>download the <a
href="http://www.shorewall.net/pub/shorewall/Samples/">three-interface
sample</a>, un-tar it (tar -zxvf three-interfaces.tgz) and and copy
the files to /etc/shorewall (the files will replace files with the
same names that were placed in /etc/shorewall when Shorewall was installed)</b>.</p>
same names that were placed in /etc/shorewall when Shorewall was
installed)</b>.</p>
<p>As each file is introduced, I suggest that you look through the actual
file on your system -- each file contains detailed configuration
@ -143,18 +142,18 @@ deal with a few of these as described in this guide. After you have <a
<ul>
<li>You express your default policy for connections
from one zone to another zone in the<a
from one zone to another zone in the<a
href="Documentation.htm#Policy"> /etc/shorewall/policy </a>file.</li>
<li>You define exceptions to those default policies
in the <a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
in the <a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
</ul>
<p>For each connection request entering the firewall, the request is first
checked against the /etc/shorewall/rules file. If no rule in that
file matches the connection request then the first policy in /etc/shorewall/policy
that matches the request is applied. If that policy is REJECT or
DROP  the request is first checked against the rules in /etc/shorewall/common
that matches the request is applied. If that policy is REJECT
or DROP  the request is first checked against the rules in /etc/shorewall/common
(the samples provide that file for you).</p>
<p>The /etc/shorewall/policy file included with the three-interface sample
@ -227,13 +226,12 @@ in the <a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.<
<p>The above policy will:</p>
<ol>
<li>allow all connection requests from your local network
to the internet</li>
<li>allow all connection requests from your local
network to the internet</li>
<li>drop (ignore) all connection requests from the
internet to your firewall or local network</li>
<li>optionally accept all connection requests from
the firewall to the internet (if you uncomment the additional
policy)</li>
the firewall to the internet (if you uncomment the additional policy)</li>
<li>reject all other connection requests.</li>
</ol>
@ -250,8 +248,8 @@ policy)</li>
<p align="left">The firewall has three network interfaces. Where Internet
connectivity is through a cable or DSL "Modem", the <i>External
Interface</i> will be the ethernet adapter that is connected to that
"Modem" (e.g., <b>eth0</b>)  <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint
Interface</i> will be the ethernet adapter that is connected to
that "Modem" (e.g., <b>eth0</b>)  <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint
<u>P</u>rotocol over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint
<u>T</u>unneling <u>P</u>rotocol </i>(PPTP) in which case the External
Interface will be a ppp interface (e.g., <b>ppp0</b>). If you connect
@ -267,30 +265,30 @@ Interface</i> will be the ethernet adapter that is connected to that
<p align="left">Your <i>Local Interface</i> will be an ethernet adapter (eth0,
eth1 or eth2) and will be connected to a hub or switch. Your local
computers will be connected to the same switch (note: If you have
only a single local system, you can connect the firewall directly to
the computer using a <i>cross-over </i> cable).</p>
only a single local system, you can connect the firewall directly
to the computer using a <i>cross-over </i> cable).</p>
<p align="left">Your <i>DMZ Interface</i> will also be an ethernet adapter
(eth0, eth1 or eth2) and will be connected to a hub or switch. Your
DMZ computers will be connected to the same switch (note: If you
have only a single DMZ system, you can connect the firewall directly
to the computer using a <i>cross-over </i> cable).</p>
(eth0, eth1 or eth2) and will be connected to a hub or switch.
Your DMZ computers will be connected to the same switch (note: If
you have only a single DMZ system, you can connect the firewall directly
to the computer using a <i>cross-over </i> cable).</p>
<p align="left"><u><b> <img border="0" src="images/j0213519.gif"
width="60" height="60">
</b></u>Do not connect more than one interface to the
same hub or switch (even for testing). It won't work the way that
you expect it to and you will end up confused and believing that Shorewall
doesn't work at all.</p>
same hub or switch (even for testing). It won't work the way that
you expect it to and you will end up confused and believing that
Shorewall doesn't work at all.</p>
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13">
    The Shorewall three-interface sample configuration
assumes that the external interface is <b>eth0, </b>the local interface
is <b>eth1 </b>and the DMZ interface is <b> eth2</b>. If your configuration
assumes that the external interface is <b>eth0, </b>the local interface
is <b>eth1 </b>and the DMZ interface is <b> eth2</b>. If your configuration
is different, you will have to modify the sample /etc/shorewall/interfaces
file accordingly. While you are there, you may wish to review the
list of options that are specified for the interfaces. Some hints:</p>
list of options that are specified for the interfaces. Some hints:</p>
<ul>
<li>
@ -309,18 +307,18 @@ list of options that are specified for the interfaces. Some hints:</p>
<h2 align="left">IP Addresses</h2>
<p align="left">Before going further, we should say a few words about Internet
Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you
a single <i> Public</i> IP address. This address may be assigned via
the<i> Dynamic Host Configuration Protocol</i> (DHCP) or as part of
establishing your connection when you dial in (standard modem) or establish
your PPP connection. In rare cases, your ISP may assign you a<i> static</i>
IP address; that means that you configure your firewall's external interface
to use that address permanently.<i> </i>Regardless of how the address
is assigned, it will be shared by all of your systems when you access
the Internet. You will have to assign your own addresses for your internal
network (the local and DMZ Interfaces on your firewall plus your other
computers). RFC 1918 reserves several <i>Private </i>IP address ranges
for this purpose:</p>
Protocol (IP) <i>addresses</i>. Normally, your ISP will assign
you a single <i> Public</i> IP address. This address may be assigned
via the<i> Dynamic Host Configuration Protocol</i> (DHCP) or as part
of establishing your connection when you dial in (standard modem) or
establish your PPP connection. In rare cases, your ISP may assign you
a<i> static</i> IP address; that means that you configure your firewall's
external interface to use that address permanently.<i> </i>Regardless
of how the address is assigned, it will be shared by all of your systems
when you access the Internet. You will have to assign your own addresses
for your internal network (the local and DMZ Interfaces on your firewall
plus your other computers). RFC 1918 reserves several <i>Private </i>IP
address ranges for this purpose:</p>
<div align="left">
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
@ -329,24 +327,24 @@ for this purpose:</p>
<div align="left">
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13">
    Before starting Shorewall, you should look at the
IP address of your external interface and if it is one of the above
ranges, you should remove the 'norfc1918' option from the external
interface's entry in /etc/shorewall/interfaces.</p>
    Before starting Shorewall, you should look at
the IP address of your external interface and if it is one of
the above ranges, you should remove the 'norfc1918' option from
the external interface's entry in /etc/shorewall/interfaces.</p>
</div>
<div align="left">
<p align="left">You will want to assign your local addresses from one <i>
sub-network </i>or <i>subnet</i> and your DMZ addresses from another
subnet. For our purposes, we can consider a subnet to consists of
a range of addresses x.y.z.0 - x.y.z.255. Such a subnet will have
a <i>Subnet Mask </i>of 255.255.255.0. The address x.y.z.0 is reserved
as the <i>Subnet Address</i> and x.y.z.255 is reserved as the <i>Subnet
Broadcast</i> <i>Address</i>. In Shorewall, a subnet is described using <a
href="shorewall_setup_guide.htm#Subnets"><i>Classless InterDomain Routing
</i>(CIDR)</a> notation with consists of the subnet address followed
by "/24". The "24" refers to the number of consecutive "1" bits
from the left of the subnet mask. </p>
sub-network </i>or <i>subnet</i> and your DMZ addresses from
another subnet. For our purposes, we can consider a subnet to
consists of a range of addresses x.y.z.0 - x.y.z.255. Such a subnet
will have a <i>Subnet Mask </i>of 255.255.255.0. The address x.y.z.0
is reserved as the <i>Subnet Address</i> and x.y.z.255 is reserved
as the <i>Subnet Broadcast</i> <i>Address</i>. In Shorewall, a subnet
is described using <a href="shorewall_setup_guide.htm#Subnets"><i>Classless
InterDomain Routing </i>(CIDR)</a> notation with consists of the
subnet address followed by "/24". The "24" refers to the number of
consecutive "1" bits from the left of the subnet mask. </p>
</div>
<div align="left">
@ -397,18 +395,18 @@ from the left of the subnet mask. </p>
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13">
    Your local computers (Local Computers 1 &amp;
2) should be configured with their<i> default gateway</i> set
to the IP address of the firewall's internal interface and your
DMZ computers ( DMZ Computers 1 &amp; 2) should be configured with
their default gateway set to the IP address of the firewall's DMZ
interface.   </p>
2) should be configured with their<i> default gateway</i> set to
the IP address of the firewall's internal interface and your DMZ
computers ( DMZ Computers 1 &amp; 2) should be configured with their
default gateway set to the IP address of the firewall's DMZ interface.  
</p>
</div>
<p align="left">The foregoing short discussion barely scratches the surface
regarding subnetting and routing. If you are interested in learning
more about IP addressing and routing, I highly recommend <i>"IP Fundamentals:
What Everyone Needs to Know about Addressing &amp; Routing",</i>
Thomas A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
more about IP addressing and routing, I highly recommend <i>"IP
Fundamentals: What Everyone Needs to Know about Addressing &amp;
Routing",</i> Thomas A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
<p align="left">The remainder of this quide will assume that you have configured
your network as shown here:</p>
@ -433,35 +431,35 @@ interface.
<p align="left">IP Masquerading (SNAT)</p>
<p align="left">The addresses reserved by RFC 1918 are sometimes referred
to as <i>non-routable</i> because the Internet backbone routers don't
forward packets which have an RFC-1918 destination address. When
one of your local systems (let's assume local computer 1) sends a
connection request to an internet host, the firewall must perform <i>Network
Address Translation </i>(NAT). The firewall rewrites the source address
in the packet to be the address of the firewall's external interface;
in other words, the firewall makes it look as if the firewall itself
is initiating the connection.  This is necessary so that the destination
host will be able to route return packets back to the firewall (remember
that packets whose destination address is reserved by RFC 1918 can't
be routed accross the internet). When the firewall receives a return
packet, it rewrites the destination address back to 10.10.10.1 and forwards
the packet on to local computer 1. </p>
to as <i>non-routable</i> because the Internet backbone routers
don't forward packets which have an RFC-1918 destination address.
When one of your local systems (let's assume local computer 1) sends
a connection request to an internet host, the firewall must perform
<i>Network Address Translation </i>(NAT). The firewall rewrites the
source address in the packet to be the address of the firewall's external
interface; in other words, the firewall makes it look as if the firewall
itself is initiating the connection.  This is necessary so that the
destination host will be able to route return packets back to the firewall
(remember that packets whose destination address is reserved by RFC
1918 can't be routed accross the internet). When the firewall receives
a return packet, it rewrites the destination address back to 10.10.10.1
and forwards the packet on to local computer 1. </p>
<p align="left">On Linux systems, the above process is often referred to as<i>
IP Masquerading</i> and you will also see the term <i>Source Network Address
Translation </i>(SNAT) used. Shorewall follows the convention used with
Netfilter:</p>
<p align="left">On Linux systems, the above process is often referred to
as<i> IP Masquerading</i> and you will also see the term <i>Source Network
Address Translation </i>(SNAT) used. Shorewall follows the convention used
with Netfilter:</p>
<ul>
<li>
<p align="left"><i>Masquerade</i> describes the case where you let your
firewall system automatically detect the external interface address.
</p>
firewall system automatically detect the external interface
address. </p>
</li>
<li>
<p align="left"><i>SNAT</i> refers to the case when you explicitly specify
the source address that you want outbound packets from your local
network to use. </p>
the source address that you want outbound packets from your
local network to use. </p>
</li>
</ul>
@ -473,15 +471,16 @@ the packet on to local computer 1. </p>
height="13">
    If your external firewall interface is <b>eth0</b>,
your local interface <b>eth1 </b>and your DMZ interface is <b>eth2</b>
then you do not need to modify the file provided with the sample. Otherwise,
edit /etc/shorewall/masq and change it to match your configuration.</p>
then you do not need to modify the file provided with the sample.
Otherwise, edit /etc/shorewall/masq and change it to match your
configuration.</p>
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13">
    If your external IP is static, you can enter it in
the third column in the /etc/shorewall/masq entry if you like although
your firewall will work fine if you leave that column empty. Entering
your static IP in column 3 makes <br>
    If your external IP is static, you can enter it
in the third column in the /etc/shorewall/masq entry if you like
although your firewall will work fine if you leave that column
empty. Entering your static IP in column 3 makes <br>
processing outgoing packets a little more efficient.<br>
</p>
@ -502,13 +501,13 @@ the packet on to local computer 1. </p>
<h2 align="left">Port Forwarding (DNAT)</h2>
<p align="left">One of your goals will be to run one or more servers on your
DMZ computers. Because these computers have RFC-1918 addresses, it
is not possible for clients on the internet to connect directly to
them. It is rather necessary for those clients to address their connection
requests to your firewall who rewrites the destination address to
the address of your server and forwards the packet to that server.
When your server responds, the firewall automatically performs SNAT
to rewrite the source address in the response.</p>
DMZ computers. Because these computers have RFC-1918 addresses,
it is not possible for clients on the internet to connect directly
to them. It is rather necessary for those clients to address their
connection requests to your firewall who rewrites the destination
address to the address of your server and forwards the packet to that
server. When your server responds, the firewall automatically performs
SNAT to rewrite the source address in the response.</p>
<p align="left">The above process is called<i> Port Forwarding</i> or <i>
Destination Network Address Translation</i> (DNAT). You configure
@ -545,8 +544,8 @@ to rewrite the source address in the response.</p>
</table>
</blockquote>
<p>If you don't specify the <i>&lt;server port&gt;</i>, it is assumed to be
the same as <i>&lt;port&gt;</i>.</p>
<p>If you don't specify the <i>&lt;server port&gt;</i>, it is assumed to
be the same as <i>&lt;port&gt;</i>.</p>
<p>Example - you run a Web Server on DMZ 2 and you want to forward incoming
TCP port 80 to that system:</p>
@ -593,9 +592,9 @@ the same as <i>&lt;port&gt;</i>.</p>
<li>When you are connecting to your server from your
local systems, you must use the server's internal IP address (10.10.11.2).</li>
<li>Many ISPs block incoming connection requests to
port 80. If you have problems connecting to your web server, try
the following rule and try connecting to port 5000 (e.g., connect
to <a href="http://w.x.y.z:5000"> http://w.x.y.z:5000</a> where w.x.y.z
port 80. If you have problems connecting to your web server,
try the following rule and try connecting to port 5000 (e.g., connect
to <a href="http://w.x.y.z:5000"> http://w.x.y.z:5000</a> where w.x.y.z
is your external IP).</li>
</ul>
@ -700,7 +699,7 @@ to <a href="http://w.x.y.z:5000"> http://w.x.y.z:5000</a> where w.x.y.z
</blockquote>
<p>If you want to access your server from the DMZ using your external IP
address, see <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p>
address, see <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p>
<p><img border="0" src="images/BD21298_2.gif" width="13" height="13">
    At this point, add the DNAT and ACCEPT rules for
@ -709,23 +708,23 @@ your servers. </p>
<h2 align="left">Domain Name Server (DNS)</h2>
<p align="left">Normally, when you connect to your ISP, as part of getting
an IP address your firewall's <i>Domain Name Service </i>(DNS) resolver
will be automatically configured (e.g., the /etc/resolv.conf file
will be written). Alternatively, your ISP may have given you the IP
address of a pair of DNS <i> name servers</i> for you to manually configure
as your primary and secondary name servers. It is <u>your</u> responsibility
to configure the resolver in your internal systems. You can take
one of two approaches:</p>
an IP address your firewall's <i>Domain Name Service </i>(DNS)
resolver will be automatically configured (e.g., the /etc/resolv.conf
file will be written). Alternatively, your ISP may have given you
the IP address of a pair of DNS <i> name servers</i> for you to manually
configure as your primary and secondary name servers. It is <u>your</u>
responsibility to configure the resolver in your internal systems.
You can take one of two approaches:</p>
<ul>
<li>
<p align="left">You can configure your internal systems to use your ISP's
name servers. If you ISP gave you the addresses of their servers
or if those addresses are available on their web site, you can configure
your internal systems to use those addresses. If that information
isn't available, look in /etc/resolv.conf on your firewall system
-- the name servers are given in "nameserver" records in that file.
</p>
or if those addresses are available on their web site, you can
configure your internal systems to use those addresses. If that
information isn't available, look in /etc/resolv.conf on your firewall
system -- the name servers are given in "nameserver" records in that
file. </p>
</li>
<li>
<p align="left"><img border="0" src="images/BD21298_2.gif"
@ -733,14 +732,14 @@ one of two approaches:</p>
    You can configure a<i> Caching Name Server </i>on
your firewall or in your DMZ.<i> </i>Red Hat has an RPM for a caching
name server (which also requires the 'bind' RPM) and for Bering
users, there is dnscache.lrp. If you take this approach, you configure
your internal systems to use the caching name server as their primary
(and only) name server. You use the internal IP address of the firewall
(10.10.10.254 in the example above) for the name server address if
you choose to run the name server on your firewall. To allow your local
systems to talk to your caching name server, you must open port 53
(both UDP and TCP) from the local network to the server; you do that
by adding the rules in /etc/shorewall/rules. </p>
users, there is dnscache.lrp. If you take this approach, you configure
your internal systems to use the caching name server as their primary
(and only) name server. You use the internal IP address of the firewall
(10.10.10.254 in the example above) for the name server address
if you choose to run the name server on your firewall. To allow your
local systems to talk to your caching name server, you must open
port 53 (both UDP and TCP) from the local network to the server; you
do that by adding the rules in /etc/shorewall/rules. </p>
</li>
</ul>
@ -1051,7 +1050,8 @@ by adding the rules in /etc/shorewall/rules. </p>
<div align="left">
<p align="left"><b>Important: </b>I don't recommend enabling telnet to/from
the internet because it uses clear text (even for login!). If
you want shell access to your firewall from the internet, use SSH:</p>
you want shell access to your firewall from the internet, use
SSH:</p>
</div>
<div align="left">
@ -1168,15 +1168,15 @@ you have completed configuration of your firewall, you can enable Shorewall
routing is enabled on those hosts that have an entry in <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A
running firewall may be restarted using the "shorewall restart"
command. If you want to totally remove any trace of Shorewall from
your Netfilter configuration, use "shorewall clear".</p>
command. If you want to totally remove any trace of Shorewall
from your Netfilter configuration, use "shorewall clear".</p>
</div>
<div align="left">
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13">
    The three-interface sample assumes that you want to
enable routing to/from <b>eth1 (</b>your local network) and<b>
    The three-interface sample assumes that you want
to enable routing to/from <b>eth1 (</b>your local network) and<b>
eth2 </b>(DMZ) when Shorewall is stopped. If these two interfaces
don't connect to your local network and DMZ or if you want to enable
a different set of hosts, modify /etc/shorewall/routestopped accordingly.</p>
@ -1184,11 +1184,11 @@ a different set of hosts, modify /etc/shorewall/routestopped according
<div align="left">
<p align="left"><b>WARNING: </b>If you are connected to your firewall from
the internet, do not issue a "shorewall stop" command unless you
have added an entry for the IP address that you are connected from
to <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
the internet, do not issue a "shorewall stop" command unless
you have added an entry for the IP address that you are connected
from to <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better to
create an <i><a href="configuration_file_basics.htm#Configs">alternate
create an <i><a href="configuration_file_basics.htm#Configs">alternate
configuration</a></i> and test it using the <a
href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p>
</div>
@ -1200,5 +1200,6 @@ create an <i><a href="configuration_file_basics.htm#Configs">alternate
Thomas M. Eastep</font></a><br>
</p>
<br>
<br>
</body>
</html>

374
STABLE/documentation/two-interface.htm
View File

@ -32,18 +32,18 @@
<p align="left">Setting up a Linux system as a firewall for a small network
is a fairly straight-forward task if you understand the basics
and follow the documentation.</p>
and follow the documentation.</p>
<p>This guide doesn't attempt to acquaint you with all of the features of
Shorewall. It rather focuses on what is required to configure Shorewall
in its most common configuration:</p>
Shorewall. It rather focuses on what is required to configure
Shorewall in its most common configuration:</p>
<ul>
<li>Linux system used as a firewall/router for a
small local network.</li>
<li>Single public IP address.</li>
<li>Internet connection through cable modem, DSL,
ISDN, Frame Relay, dial-up ...</li>
ISDN, Frame Relay, dial-up ...</li>
</ul>
@ -54,14 +54,14 @@ ISDN, Frame Relay, dial-up ...</li>
</p>
<p><b>If you are running Shorewall under Mandrake 9.0 or later, you can easily
configure the above setup using the Mandrake "Internet Connection Sharing"
applet. From the Mandrake Control Center, select "Network &amp; Internet"
then "Connection Sharing".<br>
configure the above setup using the Mandrake "Internet Connection
Sharing" applet. From the Mandrake Control Center, select "Network
&amp; Internet" then "Connection Sharing".<br>
</b></p>
<p><b>Note however, that the Shorewall configuration produced by Mandrake
Internet Connection Sharing is strange and is apt to confuse you if you
use the rest of this documentation (it has two local zones; "loc" and "masq"
use the rest of this documentation (it has two local zones; "loc" and "masq"
where "loc" is empty; this conflicts with this documentation which assumes
a single local zone "loc"). We therefore recommend that once you have set
up this sharing that you uninstall the Mandrake Shorewall RPM and install
@ -70,38 +70,38 @@ use the rest of this documentation (it has two local zones; "loc" and "masq"
</p>
<p>Shorewall requires that you have the iproute/iproute2 package installed
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can
tell if this package is installed by the presence of an <b>ip</b>
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You
can tell if this package is installed by the presence of an <b>ip</b>
program on your firewall system. As root, you can use the 'which'
command to check for this program:</p>
command to check for this program:</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
<p>I recommend that you first read through the guide to familiarize yourself
with what's involved then go back through it again making your
configuration changes. Points at which configuration changes are
configuration changes. Points at which configuration changes are
recommended are flagged with <img border="0"
src="images/BD21298_.gif" width="13" height="13">
. Configuration notes that are unique to LEAF/Bering
are marked with <img src="images/leaflogo.gif" alt="(LEAF Logo)"
are marked with <img src="images/leaflogo.gif" alt="(LEAF Logo)"
width="49" height="36">
</p>
<p><img border="0" src="images/j0213519.gif" width="60" height="60">
    If you edit your configuration files on a Windows
system, you must save them as Unix files if your editor supports
that option or you must run them through dos2unix before trying to
use them. Similarly, if you copy a configuration file from your Windows
hard drive to a floppy disk, you must run dos2unix against the copy
before using it with Shorewall.</p>
that option or you must run them through dos2unix before trying
to use them. Similarly, if you copy a configuration file from your
Windows hard drive to a floppy disk, you must run dos2unix against the
copy before using it with Shorewall.</p>
<ul>
<li><a
href="http://www.simtel.net/pub/pd/51438.html">Windows Version of
dos2unix</a></li>
<li><a
href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version of
dos2unix</a></li>
href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version
of dos2unix</a></li>
</ul>
@ -114,8 +114,9 @@ the directory /etc/shorewall -- for simple setups, you will only need
to deal with a few of these as described in this guide. After you have
<a href="Install.htm">installed Shorewall</a>, <b>download the <a
href="http://www1.shorewall.net/pub/shorewall/Samples/">two-interface sample</a>,
un-tar it (tar -zxvf two-interfaces.tgz) and and copy the files to
/etc/shorewall (these files will replace files with the same name).</b></p>
un-tar it (tar -zxvf two-interfaces.tgz) and and copy the files
to /etc/shorewall (these files will replace files with the same
name).</b></p>
<p>As each file is introduced, I suggest that you look through the actual
file on your system -- each file contains detailed configuration
@ -158,19 +159,21 @@ to deal with a few of these as described in this guide. After you have
from one zone to another zone in the<a
href="Documentation.htm#Policy"> /etc/shorewall/policy </a>file.</li>
<li>You define exceptions to those default policies
in the <a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
in the <a href="Documentation.htm#Rules">/etc/shorewall/rules
</a>file.</li>
</ul>
<p>For each connection request entering the firewall, the request is first
checked against the /etc/shorewall/rules file. If no rule in that
file matches the connection request then the first policy in /etc/shorewall/policy
that matches the request is applied. If that policy is REJECT
or DROP  the request is first checked against the rules in /etc/shorewall/common
(the samples provide that file for you).</p>
checked against the /etc/shorewall/rules file. If no rule in
that file matches the connection request then the first policy
in /etc/shorewall/policy that matches the request is applied.
If that policy is REJECT or DROP  the request is first checked against
the rules in /etc/shorewall/common (the samples provide that file
for you).</p>
<p>The /etc/shorewall/policy file included with the two-interface sample has
the following policies:</p>
<p>The /etc/shorewall/policy file included with the two-interface sample
has the following policies:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -211,8 +214,8 @@ the following policies:</p>
<blockquote>
<p>In the two-interface sample, the line below is included but commented
out. If you want your firewall system to have full access to servers
on the internet, uncomment that line.</p>
out. If you want your firewall system to have full access to
servers on the internet, uncomment that line.</p>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber3">
@ -240,19 +243,18 @@ the following policies:</p>
<ol>
<li>allow all connection requests from your local
network to the internet</li>
network to the internet</li>
<li>drop (ignore) all connection requests from the
internet to your firewall or local network</li>
<li>optionally accept all connection requests from
the firewall to the internet (if you uncomment the additional
policy)</li>
the firewall to the internet (if you uncomment the additional policy)</li>
<li>reject all other connection requests.</li>
</ol>
<p><img border="0" src="images/BD21298_.gif" width="13" height="13">
    At this point, edit your /etc/shorewall/policy and
make any changes that you wish.</p>
    At this point, edit your /etc/shorewall/policy
and make any changes that you wish.</p>
<h2 align="left">Network Interfaces</h2>
@ -260,11 +262,11 @@ policy)</li>
height="635">
</p>
<p align="left">The firewall has two network interfaces. Where Internet
connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
will be the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>) 
<u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol
over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint
<p align="left">The firewall has two network interfaces. Where Internet connectivity
is through a cable or DSL "Modem", the <i>External Interface</i> will be
the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>) 
<u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint
<u>P</u>rotocol over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint
<u>T</u>unneling <u>P</u>rotocol </i>(PPTP) in which case the External
Interface will be a ppp interface (e.g., <b>ppp0</b>). If you connect
via a regular modem, your External Interface will also be <b>ppp0</b>.
@ -273,31 +275,31 @@ connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13">
    If your external interface is <b>ppp0</b> or<b>
ippp0</b>  then you will want to set CLAMPMSS=yes in <a
ippp0</b>  then you will want to set CLAMPMSS=yes in <a
href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf.</a></p>
<p align="left">Your <i>Internal Interface</i> will be an ethernet adapter
(eth1 or eth0) and will be connected to a hub or switch. Your other
computers will be connected to the same hub/switch (note: If you
have only a single internal system, you can connect the firewall
directly to the computer using a <i>cross-over </i> cable).</p>
(eth1 or eth0) and will be connected to a hub or switch. Your
other computers will be connected to the same hub/switch (note:
If you have only a single internal system, you can connect the firewall
directly to the computer using a <i>cross-over </i> cable).</p>
<p align="left"><u><b> <img border="0" src="images/j0213519.gif"
width="60" height="60">
</b></u>Do not connect the internal and external interface
to the same hub or switch (even for testing). It won't work the way
that you think that it will and you will end up confused and believing
that Shorewall doesn't work at all.</p>
to the same hub or switch (even for testing). It won't work the
way that you think that it will and you will end up confused and
believing that Shorewall doesn't work at all.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" align="left"
width="13" height="13">
    The Shorewall two-interface sample configuration
assumes that the external interface is <b>eth0</b> and the internal
interface is <b>eth1</b>. If your configuration is different, you
will have to modify the sample <a
assumes that the external interface is <b>eth0</b> and the internal
interface is <b>eth1</b>. If your configuration is different, you
will have to modify the sample <a
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> file
accordingly. While you are there, you may wish to review the list
of options that are specified for the interfaces. Some hints:</p>
of options that are specified for the interfaces. Some hints:</p>
<ul>
<li>
@ -317,17 +319,17 @@ of options that are specified for the interfaces. Some hints:</p>
<p align="left">Before going further, we should say a few words about Internet
Protocol (IP) <i>addresses</i>. Normally, your ISP will assign
you a single <i> Public</i> IP address. This address may be assigned
via the<i> Dynamic Host Configuration Protocol</i> (DHCP) or as part
of establishing your connection when you dial in (standard modem) or
establish your PPP connection. In rare cases, your ISP may assign you
a<i> static</i> IP address; that means that you configure your firewall's
external interface to use that address permanently.<i> </i>However your
external address is assigned, it will be shared by all of your systems
when you access the Internet. You will have to assign your own addresses
in your internal network (the Internal Interface on your firewall plus
your other computers). RFC 1918 reserves several <i>Private </i>IP address
ranges for this purpose:</p>
you a single <i> Public</i> IP address. This address may be assigned
via the<i> Dynamic Host Configuration Protocol</i> (DHCP) or as part
of establishing your connection when you dial in (standard modem) or
establish your PPP connection. In rare cases, your ISP may assign you
a<i> static</i> IP address; that means that you configure your firewall's
external interface to use that address permanently.<i> </i>However
your external address is assigned, it will be shared by all of your systems
when you access the Internet. You will have to assign your own addresses
in your internal network (the Internal Interface on your firewall plus
your other computers). RFC 1918 reserves several <i>Private </i>IP address
ranges for this purpose:</p>
<div align="left">
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
@ -337,23 +339,23 @@ ranges for this purpose:</p>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13">
    Before starting Shorewall, you should look at
the IP address of your external interface and if it is one of
the above ranges, you should remove the 'norfc1918' option from
the external interface's entry in /etc/shorewall/interfaces.</p>
the IP address of your external interface and if it is one of
the above ranges, you should remove the 'norfc1918' option from
the external interface's entry in /etc/shorewall/interfaces.</p>
</div>
<div align="left">
<p align="left">You will want to assign your addresses from the same <i>
sub-network </i>(<i>subnet)</i>.  For our purposes, we can consider a subnet
sub-network </i>(<i>subnet)</i>.  For our purposes, we can consider a subnet
to consists of a range of addresses x.y.z.0 - x.y.z.255. Such
a subnet will have a <i>Subnet Mask </i>of 255.255.255.0. The address
x.y.z.0 is reserved as the <i>Subnet Address</i> and x.y.z.255
is reserved as the <i>Subnet Broadcast</i> <i>Address</i>. In Shorewall,
a subnet will have a <i>Subnet Mask </i>of 255.255.255.0. The
address x.y.z.0 is reserved as the <i>Subnet Address</i> and x.y.z.255
is reserved as the <i>Subnet Broadcast</i> <i>Address</i>. In Shorewall,
a subnet is described using <a
href="shorewall_setup_guide.htm#Subnets"><i>Classless InterDomain Routing
</i>(CIDR) notation</a> with consists of the subnet address followed
by "/24". The "24" refers to the number of consecutive leading "1"
bits from the left of the subnet mask. </p>
by "/24". The "24" refers to the number of consecutive leading
"1" bits from the left of the subnet mask. </p>
</div>
<div align="left">
@ -404,7 +406,7 @@ is reserved as the <i>Subnet Broadcast</i> <i>Address</i>. In Shorewall,
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13">
    Your local computers (computer 1 and computer
2 in the above diagram) should be configured with their<i> default
2 in the above diagram) should be configured with their<i> default
gateway</i> to be the IP address of the firewall's internal interface.<i>     
</i> </p>
</div>
@ -412,8 +414,8 @@ is reserved as the <i>Subnet Broadcast</i> <i>Address</i>. In Shorewall,
<p align="left">The foregoing short discussion barely scratches the surface
regarding subnetting and routing. If you are interested in learning
more about IP addressing and routing, I highly recommend <i>"IP
Fundamentals: What Everyone Needs to Know about Addressing &amp;
Routing",</i> Thomas A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
Fundamentals: What Everyone Needs to Know about Addressing &amp;
Routing",</i> Thomas A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
<p align="left">The remainder of this quide will assume that you have configured
your network as shown here:</p>
@ -428,74 +430,74 @@ Routing",</i> Thomas A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13" alt="">
    <font color="#ff0000"><b>WARNING: </b></font><b>Your ISP might
assign your external interface an RFC 1918 address. If that address is
in the 10.10.10.0/24 subnet then you will need to select a DIFFERENT RFC
1918 subnet for your local network.</b><br>
assign your external interface an RFC 1918 address. If that address
is in the 10.10.10.0/24 subnet then you will need to select a DIFFERENT
RFC 1918 subnet for your local network.</b><br>
</p>
<h2 align="left">IP Masquerading (SNAT)</h2>
<p align="left">The addresses reserved by RFC 1918 are sometimes referred
to as <i>non-routable</i> because the Internet backbone routers
don't forward packets which have an RFC-1918 destination address.
When one of your local systems (let's assume computer 1) sends a connection
request to an internet host, the firewall must perform <i>Network
Address Translation </i>(NAT). The firewall rewrites the source address
in the packet to be the address of the firewall's external interface;
in other words, the firewall makes it look as if the firewall itself
is initiating the connection.  This is necessary so that the destination
host will be able to route return packets back to the firewall (remember
that packets whose destination address is reserved by RFC 1918 can't
be routed across the internet so the remote host can't address its
response to computer 1). When the firewall receives a return packet,
it rewrites the destination address back to 10.10.10.1 and forwards
the packet on to computer 1. </p>
don't forward packets which have an RFC-1918 destination address.
When one of your local systems (let's assume computer 1) sends a
connection request to an internet host, the firewall must perform
<i>Network Address Translation </i>(NAT). The firewall rewrites
the source address in the packet to be the address of the firewall's
external interface; in other words, the firewall makes it look as
if the firewall itself is initiating the connection.  This is necessary
so that the destination host will be able to route return packets
back to the firewall (remember that packets whose destination address
is reserved by RFC 1918 can't be routed across the internet so the
remote host can't address its response to computer 1). When the firewall
receives a return packet, it rewrites the destination address back to
10.10.10.1 and forwards the packet on to computer 1. </p>
<p align="left">On Linux systems, the above process is often referred to as<i>
IP Masquerading</i> but you will also see the term <i>Source Network Address
Translation </i>(SNAT) used. Shorewall follows the convention used with
Netfilter:</p>
<p align="left">On Linux systems, the above process is often referred to
as<i> IP Masquerading</i> but you will also see the term <i>Source Network
Address Translation </i>(SNAT) used. Shorewall follows the convention used
with Netfilter:</p>
<ul>
<li>
<p align="left"><i>Masquerade</i> describes the case where you let your
firewall system automatically detect the external interface address.
</p>
firewall system automatically detect the external interface
address. </p>
</li>
<li>
<p align="left"><i>SNAT</i> refers to the case when you explicitly specify
the source address that you want outbound packets from your local
network to use. </p>
the source address that you want outbound packets from your
local network to use. </p>
</li>
</ul>
<p align="left">In Shorewall, both Masquerading and SNAT are configured with
entries in the /etc/shorewall/masq file. You will normally use
Masquerading if your external IP is dynamic and SNAT if the IP is
static.</p>
Masquerading if your external IP is dynamic and SNAT if the IP
is static.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13">
    If your external firewall interface is <b>eth0</b>,
you do not need to modify the file provided with the sample. Otherwise,
edit /etc/shorewall/masq and change the first column to the name
of your external interface and the second column to the name of
your internal interface.</p>
of your external interface and the second column to the name of your
internal interface.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13">
    If your external IP is static, you can enter it
in the third column in the /etc/shorewall/masq entry if you like
although your firewall will work fine if you leave that column empty.
Entering your static IP in column 3 makes processing outgoing packets
a little more efficient.<br>
in the third column in the /etc/shorewall/masq entry if you like
although your firewall will work fine if you leave that column
empty. Entering your static IP in column 3 makes processing outgoing
packets a little more efficient.<br>
<br>
<img border="0" src="images/BD21298_.gif" width="13"
height="13" alt="">
    If you are using the Debian package, please check your shorewall.conf
file to ensure that the following are set correctly; if they are not,
change them appropriately:<br>
    If you are using the Debian package, please check your
shorewall.conf file to ensure that the following are set correctly;
if they are not, change them appropriately:<br>
</p>
<ul>
@ -511,10 +513,10 @@ a little more efficient.<br>
local computers. Because these computers have RFC-1918 addresses,
it is not possible for clients on the internet to connect directly
to them. It is rather necessary for those clients to address their
connection requests to the firewall who rewrites the destination address
to the address of your server and forwards the packet to that server.
When your server responds, the firewall automatically performs SNAT
to rewrite the source address in the response.</p>
connection requests to the firewall who rewrites the destination
address to the address of your server and forwards the packet to
that server. When your server responds, the firewall automatically
performs SNAT to rewrite the source address in the response.</p>
<p align="left">The above process is called<i> Port Forwarding</i> or <i>
Destination Network Address Translation</i> (DNAT). You configure
@ -551,8 +553,8 @@ to rewrite the source address in the response.</p>
</table>
</blockquote>
<p>Example - you run a Web Server on computer 2 and you want to forward incoming
TCP port 80 to that system:</p>
<p>Example 1 - you run a Web Server on computer 2 and you want to forward
incoming TCP port 80 to that system:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -581,17 +583,53 @@ to rewrite the source address in the response.</p>
</table>
</blockquote>
<p>Example 2 - you run an FTP Server on computer 1 so you want to forward
incoming TCP port 21 to that system:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber4">
<tbody>
<tr>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr>
<tr>
<td>DNAT</td>
<td>net</td>
<td>loc:10.10.10.1</td>
<td>tcp</td>
<td>21<br>
</td>
<td> </td>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
<p>For FTP, you will also need to have FTP connection tracking and NAT support
in your kernel. For vendor-supplied kernels, this means that the ip_conntrack_ftp
and ip_nat_ftp modules must be loaded. Shorewall will automatically load
these modules if they are available and located in the standard place under
/lib/modules/&lt;<i>kernel version</i>&gt;/kernel/net/ipv4/netfilter.<br>
</p>
<p>A couple of important points to keep in mind:</p>
<ul>
<li>You must test the above rule from a client outside
of your local network (i.e., don't test from a browser running
on computers 1 or 2 or on the firewall). If you want to be able
to access your web server using the IP address of your external interface,
see <a href="FAQ.htm#faq2">Shorewall FAQ #2</a>.</li>
on computers 1 or 2 or on the firewall). If you want to be able
to access your web server and/or FTP server from inside your firewall
using the IP address of your external interface, see <a
href="FAQ.htm#faq2">Shorewall FAQ #2</a>.</li>
<li>Many ISPs block incoming connection requests
to port 80. If you have problems connecting to your web server,
try the following rule and try connecting to port 5000.</li>
try the following rule and try connecting to port 5000.</li>
</ul>
@ -623,30 +661,30 @@ try the following rule and try connecting to port 5000.</li>
</blockquote>
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13">
    At this point, modify /etc/shorewall/rules to add
any DNAT rules that you require.</p>
    At this point, modify /etc/shorewall/rules to
add any DNAT rules that you require.</p>
<h2 align="left">Domain Name Server (DNS)</h2>
<p align="left">Normally, when you connect to your ISP, as part of getting
an IP address your firewall's <i>Domain Name Service </i>(DNS)
resolver will be automatically configured (e.g., the /etc/resolv.conf
file will be written). Alternatively, your ISP may have given you the
IP address of a pair of DNS <i> name servers</i> for you to manually
configure as your primary and secondary name servers. Regardless of
how DNS gets configured on your firewall, it is <u>your</u> responsibility
to configure the resolver in your internal systems. You can take one
of two approaches:</p>
resolver will be automatically configured (e.g., the /etc/resolv.conf
file will be written). Alternatively, your ISP may have given you
the IP address of a pair of DNS <i> name servers</i> for you to manually
configure as your primary and secondary name servers. Regardless
of how DNS gets configured on your firewall, it is <u>your</u> responsibility
to configure the resolver in your internal systems. You can take
one of two approaches:</p>
<ul>
<li>
<p align="left">You can configure your internal systems to use your ISP's
name servers. If you ISP gave you the addresses of their servers
or if those addresses are available on their web site, you can
configure your internal systems to use those addresses. If that
information isn't available, look in /etc/resolv.conf on your firewall
system -- the name servers are given in "nameserver" records in that
file. </p>
configure your internal systems to use those addresses. If that
information isn't available, look in /etc/resolv.conf on your
firewall system -- the name servers are given in "nameserver" records
in that file. </p>
</li>
<li>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
@ -654,12 +692,12 @@ file. </p>
    You can configure a<i> Caching Name Server </i>on
your firewall.<i> </i>Red Hat has an RPM for a caching name
server (the RPM also requires the 'bind' RPM) and for Bering users,
there is dnscache.lrp. If you take this approach, you configure
your internal systems to use the firewall itself as their primary
(and only) name server. You use the internal IP address of the firewall
there is dnscache.lrp. If you take this approach, you configure your
internal systems to use the firewall itself as their primary (and
only) name server. You use the internal IP address of the firewall
(10.10.10.254 in the example above) for the name server address.
To allow your local systems to talk to your caching name server,
you must open port 53 (both UDP and TCP) from the local network to the
To allow your local systems to talk to your caching name server, you
must open port 53 (both UDP and TCP) from the local network to the
firewall; you do that by adding the following rules in /etc/shorewall/rules.
</p>
</li>
@ -751,7 +789,7 @@ you must open port 53 (both UDP and TCP) from the local network to the
<div align="left">
<p align="left">Those rules allow DNS access from your firewall and may be
removed if you uncommented the line in /etc/shorewall/policy
allowing all connections from the firewall to the internet.</p>
allowing all connections from the firewall to the internet.</p>
</div>
<div align="left">
@ -827,8 +865,7 @@ allowing all connections from the firewall to the internet.</p>
</div>
<div align="left">
<p align="left">Example - You want to run a Web Server on your firewall
system:</p>
<p align="left">Example - You want to run a Web Server on your firewall system:</p>
</div>
<div align="left">
@ -871,8 +908,8 @@ system:</p>
<div align="left">
<p align="left">Those two rules would of course be in addition to the rules
listed above under "You can configure a Caching Name Server on
your firewall"</p>
listed above under "You can configure a Caching Name Server
on your firewall"</p>
</div>
<div align="left">
@ -882,8 +919,9 @@ system:</p>
<div align="left">
<p align="left"><b>Important: </b>I don't recommend enabling telnet to/from
the internet because it uses clear text (even for login!). If
you want shell access to your firewall from the internet, use SSH:</p>
the internet because it uses clear text (even for login!).
If you want shell access to your firewall from the internet,
use SSH:</p>
</div>
<div align="left">
@ -918,8 +956,8 @@ system:</p>
<div align="left">
<p align="left"><img src="images/leaflogo.gif" alt="(LEAF Logo)"
width="49" height="36">
    Bering users will want to add the following two rules to be compatible
with Jacques's Shorewall configuration.</p>
    Bering users will want to add the following two rules to be
compatible with Jacques's Shorewall configuration.</p>
<div align="left">
<blockquote>
@ -965,7 +1003,8 @@ system:</p>
</div>
<p align="left"><br>
<img border="0" src="images/BD21298_.gif" width="13" height="13">
<img border="0" src="images/BD21298_.gif" width="13"
height="13">
    Now edit your /etc/shorewall/rules file to add
or delete other connections as required.</p>
</div>
@ -978,11 +1017,11 @@ system:</p>
<p align="left"> <img border="0" src="images/BD21298_2.gif"
width="13" height="13" alt="Arrow">
    The <a href="Install.htm">installation procedure
</a> configures your system to start Shorewall at system boot 
but beginning with Shorewall version 1.3.9 startup is disabled so
that your system won't try to start Shorewall before configuration
is complete. Once you have completed configuration of your firewall,
you can enable Shorewall startup by removing the file /etc/shorewall/startup_disabled.<br>
</a> configures your system to start Shorewall at system boot  but
beginning with Shorewall version 1.3.9 startup is disabled so that
your system won't try to start Shorewall before configuration is complete.
Once you have completed configuration of your firewall, you can enable
Shorewall startup by removing the file /etc/shorewall/startup_disabled.<br>
</p>
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: </font><font
@ -998,37 +1037,36 @@ you can enable Shorewall startup by removing the file /etc/shorewall/startu
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A
running firewall may be restarted using the "shorewall restart"
command. If you want to totally remove any trace of Shorewall
from your Netfilter configuration, use "shorewall clear".</p>
from your Netfilter configuration, use "shorewall clear".</p>
</div>
<div align="left">
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13">
    The two-interface sample assumes that you want to
enable routing to/from <b>eth1 </b>(the local network) when Shorewall
is stopped. If your local network isn't connected to <b>eth1</b> or
if you wish to enable access to/from other hosts, change /etc/shorewall/routestopped
    The two-interface sample assumes that you want
to enable routing to/from <b>eth1 </b>(the local network) when
Shorewall is stopped. If your local network isn't connected to <b>eth1</b>
or if you wish to enable access to/from other hosts, change /etc/shorewall/routestopped
accordingly.</p>
</div>
<div align="left">
<p align="left"><b>WARNING: </b>If you are connected to your firewall from
the internet, do not issue a "shorewall stop" command unless
you have added an entry for the IP address that you are connected
from to <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better to
create an <i><a href="configuration_file_basics.htm#Configs">alternate
configuration</a></i> and test it using the <a
you have added an entry for the IP address that you are connected
from to <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better
to create an <i><a
href="configuration_file_basics.htm#Configs">alternate configuration</a></i>
and test it using the <a
href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p>
</div>
<p align="left"><font size="2">Last updated 6/27/2003 - <a
<p align="left"><font size="2">Last updated 7/28/2003 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002, 2003
Thomas M. Eastep</font></a><br>
</p>
<br>
<br>
</p>
</body>
</html>

2
STABLE/fallback.sh
View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=1.4.6a
VERSION=1.4.6b
usage() # $1 = exit status
{

21
STABLE/firewall
View File

@ -3258,10 +3258,14 @@ add_ip_aliases()
# Get all of the lines that contain inet addresses
#
ip addr show $interface 2> /dev/null | grep 'inet' | while read inet cidr rest ; do
case $cidr in
*/*)
if in_subnet $external $cidr; then
echo "/${cidr#*/} brd `broadcastaddress $cidr`"
break
fi
;;
esac
done
}
@ -4007,10 +4011,9 @@ activate_rules()
}
#
# Start/Restart the Firewall
# Check for disabled startup
#
define_firewall() # $1 = Command (Start or Restart)
{
check_disabled_startup() {
if [ -f /etc/shorewall/startup_disabled ]; then
echo " Shorewall Startup is disabled -- to enable startup"
echo " after you have completed Shorewall configuration,"
@ -4020,6 +4023,14 @@ define_firewall() # $1 = Command (Start or Restart)
my_mutex_off
exit 2
fi
}
#
# Start/Restart the Firewall
#
define_firewall() # $1 = Command (Start or Restart)
{
check_disabled_startup
echo "${1}ing Shorewall..."
@ -4771,6 +4782,10 @@ case "$command" in
[ $# -ne 1 ] && usage
do_initialize
my_mutex_on
#
# Don't want to do a 'stop' when startup is disabled
#
check_disabled_startup
echo -n "Stopping Shorewall..."
stop_firewall
[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK

2
STABLE/install.sh
View File

@ -54,7 +54,7 @@
# /etc/rc.d/rc.local file is modified to start the firewall.
#
VERSION=1.4.6a
VERSION=1.4.6b
usage() # $1 = exit status
{

13
STABLE/releasenotes.txt
View File

@ -27,6 +27,19 @@ Problems Corrected:
tcrules file. Previously, these addresses resulted in an invalid
iptables command.
8) The "shorewall stop" command is now disabled when
/etc/shorewall/startup_disabled exists. This prevents people from
shooting themselves in the foot prior to having configured
Shorewall.
9) A change introduced in version 1.4.6 caused error messages during
"shorewall [re]start" when ADD_IP_ALIASES=Yes and ip addresses were
being added to a PPP interface; the addresses were successfully
added in spite of the messages.
The firewall script has been modified to eliminate the error
messages.
Migration Issues:
1) In earlier versions, an undocumented feature allowed entries in

4
STABLE/shorewall.spec
View File

@ -1,5 +1,5 @@
%define name shorewall
%define version 1.4.6a
%define version 1.4.6b
%define release 1
%define prefix /usr
@ -105,6 +105,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog
* Fri Aug 01 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.6b-1
* Tue Jul 22 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.6a-1
* Sat Jul 19 2003 Tom Eastep <tom@shorewall.net>

2
STABLE/uninstall.sh
View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall
VERSION=1.4.6a
VERSION=1.4.6b
usage() # $1 = exit status
{