From 1fc8ddbc82d1c31710a6d1e18bf1c796c1fd1fe8 Mon Sep 17 00:00:00 2001 From: teastep Date: Sat, 12 Jun 2004 16:28:30 +0000 Subject: [PATCH] 2.0.3 docs git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1395 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall-docs2/Documentation.xml | 1102 +++++++---------- .../starting_and_stopping_shorewall.xml | 96 +- 2 files changed, 536 insertions(+), 662 deletions(-) diff --git a/Shorewall-docs2/Documentation.xml b/Shorewall-docs2/Documentation.xml index e1c9823e8..d7dfc3712 100644 --- a/Shorewall-docs2/Documentation.xml +++ b/Shorewall-docs2/Documentation.xml @@ -15,7 +15,7 @@ - 2004-05-06 + 2004-06-12 2001-2004 @@ -29,8 +29,7 @@ 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled - GNU Free Documentation - License. + GNU Free Documentation License. @@ -51,10 +50,9 @@ params - a parameter file installed in /etc/shorewall that can be used to - establish the values of shell variables for use in other - files. + a parameter file installed in /etc/shorewall + that can be used to establish the values of shell variables for use + in other files. @@ -62,9 +60,8 @@ shorewall.conf - a parameter file installed in /etc/shorewall that is used to set - several firewall parameters. + a parameter file installed in /etc/shorewall + that is used to set several firewall parameters. @@ -72,9 +69,8 @@ zones - a parameter file installed in /etc/shorewall that defines a network - partitioning into zones + a parameter file installed in /etc/shorewall + that defines a network partitioning into zones @@ -82,9 +78,8 @@ policy - a parameter file installed in /etc/shorewall that establishes overall - firewall policy. + a parameter file installed in /etc/shorewall + that establishes overall firewall policy. @@ -92,10 +87,9 @@ rules - a parameter file installed in /etc/shorewall and used to express - firewall rules that are exceptions to the high-level policies - established in /etc/shorewall/policy. + a parameter file installed in /etc/shorewall + and used to express firewall rules that are exceptions to the + high-level policies established in /etc/shorewall/policy. @@ -103,9 +97,8 @@ blacklist - a parameter file installed in /etc/shorewall and used to list - blacklisted IP/subnet/MAC addresses. + a parameter file installed in /etc/shorewall + and used to list blacklisted IP/subnet/MAC addresses. @@ -113,9 +106,9 @@ ecn - a parameter file installed in /etc/shorewall and used to selectively - disable Explicit Congestion Notification (ECN - RFC 3168). + a parameter file installed in /etc/shorewall + and used to selectively disable Explicit Congestion Notification + (ECN - RFC 3168). @@ -124,8 +117,7 @@ a set of shell functions used by both the firewall and - shorewall shell programs. Installed in /usr/share/shorewall. + shorewall shell programs. Installed in /usr/share/shorewall. @@ -133,10 +125,9 @@ modules - a parameter file installed in /etc/shorewall and that specifies - kernel modules and their parameters. Shorewall will automatically - load the modules specified in this file. + a parameter file installed in /etc/shorewall + and that specifies kernel modules and their parameters. Shorewall + will automatically load the modules specified in this file. @@ -144,9 +135,9 @@ tos - a parameter file installed in /etc/shorewall that is used to specify - how the Type of Service (TOS) field in packets is to be set. + a parameter file installed in /etc/shorewall + that is used to specify how the Type of Service (TOS) field in + packets is to be set. @@ -154,10 +145,10 @@ init.sh and init.debian.sh - a shell script installed in /etc/init.d to automatically start - Shorewall during boot. The particular script installed depends on - which distribution you are running. + a shell script installed in /etc/init.d + to automatically start Shorewall during boot. The + particular script installed depends on which distribution you are + running. @@ -165,9 +156,8 @@ interfaces - a parameter file installed in /etc/shorewall and used to describe the - interfaces on the firewall system. + a parameter file installed in /etc/shorewall + and used to describe the interfaces on the firewall system. @@ -175,9 +165,8 @@ hosts - a parameter file installed in /etc/shorewall and used to describe - individual hosts or subnetworks in zones. + a parameter file installed in /etc/shorewall + and used to describe individual hosts or subnetworks in zones. @@ -185,10 +174,9 @@ maclist - a parameter file installed in /etc/shorewall and used to verify the - MAC address (and possibly also the IP address(es)) of - devices. + a parameter file installed in /etc/shorewall + and used to verify the MAC address (and possibly also the IP + address(es)) of devices. @@ -197,8 +185,7 @@ This file also describes IP masquerading under Shorewall and - is installed in /etc/shorewall. + is installed in /etc/shorewall. @@ -208,8 +195,7 @@ a shell program that reads the configuration files in /etc/shorewall and configures - your firewall. This file is installed in /usr/share/shorewall. + your firewall. This file is installed in /usr/share/shorewall. @@ -217,9 +203,8 @@ nat - a parameter file in /etc/shorewall used to define one-to-one NAT. + a parameter file in /etc/shorewall + used to define one-to-one NAT. @@ -227,9 +212,8 @@ proxyarp - a parameter file in /etc/shorewall used to define Proxy Arp. + a parameter file in /etc/shorewall + used to define Proxy Arp. @@ -237,10 +221,9 @@ rfc1918 - a parameter file in /usr/share/shorewall used to define the - treatment of packets under the norfc1918 - interface option. + a parameter file in /usr/share/shorewall + used to define the treatment of packets under the norfc1918 interface option. @@ -248,10 +231,9 @@ bogons - a parameter file in /usr/share/shorewall used to define the - treatment of packets under the nobogons - interface option. + a parameter file in /usr/share/shorewall + used to define the treatment of packets under the nobogons interface option. @@ -259,9 +241,9 @@ routestopped - a parameter file in /etc/shorewall used to define those - hosts that can access the firewall when Shorewall is stopped. + a parameter file in /etc/shorewall + used to define those hosts that can access the firewall when + Shorewall is stopped. @@ -279,9 +261,8 @@ tunnels - a parameter file in /etc/shorewall used to define IPSec - tunnels. + a parameter file in /etc/shorewall + used to define IPSec tunnels. @@ -293,8 +274,7 @@ to control and monitor the firewall. This should be placed in /sbin or in /usr/sbin (the install.sh script and - the rpm install this file in /sbin). + the rpm install this file in /sbin). @@ -302,9 +282,9 @@ accounting - a parameter file in /etc/shorewall used to define traffic - accounting rules. This file was added in version 1.4.7. + a parameter file in /etc/shorewall + used to define traffic accounting rules. This file was added in + version 1.4.7. @@ -312,9 +292,8 @@ version - a file created in /usr/share/shorewall that describes the - version of Shorewall installed on your system. + a file created in /usr/share/shorewall + that describes the version of Shorewall installed on your system. @@ -326,8 +305,7 @@ files in /etc/shorewall and /usr/share/shorewall respectively that allow you to define your own actions for rules in - /etc/shorewall/rules. + /etc/shorewall/rules. @@ -335,9 +313,8 @@ actions.std and action.* - files in /usr/share/shorewall that define the - actions included as a standard part of Shorewall. + files in /usr/share/shorewall + that define the actions included as a standard part of Shorewall. @@ -371,8 +348,7 @@ NET_OPTIONS=blacklist,norfc1918 net eth0 130.252.100.255 blacklist,norfc1918 - Variables may be used anywhere in the other configuration - files. + Variables may be used anywhere in the other configuration files.
@@ -404,8 +380,7 @@ NET_OPTIONS=blacklist,norfc1918 DISPLAY - The name of the zone as displayed during Shorewall - startup. + The name of the zone as displayed during Shorewall startup. @@ -424,28 +399,25 @@ net Net Internet loc Local Local networks dmz DMZ Demilitarized zone - You may add, delete and modify entries in the - /etc/shorewall/zones file as desired so long as you - have at least one zone defined. + You may add, delete and modify entries in the /etc/shorewall/zones + file as desired so long as you have at least one zone defined. - If you rename or delete a zone, you should perform - shorewall stop; shorewall start to - install the change rather than shorewall - restart. + If you rename or delete a zone, you should perform shorewall + stop; shorewall start to install the change rather + than shorewall restart. - The order of entries in the - /etc/shorewall/zones file is significant in some cases. + The order of entries in the /etc/shorewall/zones + file is significant in some cases.
/etc/shorewall/interfaces - This file is used to tell the firewall which of your firewall's + This file is used to tell the firewall which of your firewall's network interfaces are connected to which zone. There will be one entry in /etc/shorewall/interfaces for each of your interfaces. Columns in an entry are: @@ -490,14 +462,12 @@ dmz DMZ Demilitarized zone - the interface must be up before you start your - firewall + the interface must be up before you start your firewall the interface must only be attached to a single - sub-network (i.e., there must have a single broadcast - address). + sub-network (i.e., there must have a single broadcast address). @@ -507,8 +477,7 @@ dmz DMZ Demilitarized zone OPTIONS - a comma-separated list of options. Possible options - include: + a comma-separated list of options. Possible options include: @@ -516,7 +485,7 @@ dmz DMZ Demilitarized zone (Added in version 1.4.7) - This option causes - /proc/sys/net/ipv4/conf/<interface>/arp_filter + /proc/sys/net/ipv4/conf/<interface>/arp_filter to be set with the result that this interface will only answer ARP who-has requests from hosts that are routed out of that interface. Setting this option facilitates testing @@ -547,8 +516,7 @@ dmz DMZ Demilitarized zone (Added in version 1.4.2) - This option causes Shorewall to set up handling for routing packets that arrive on this interface back out the same interface. If this option is - specified, the ZONE column may not contain - -. + specified, the ZONE column may not contain -. @@ -563,8 +531,7 @@ dmz DMZ Demilitarized zone typically used for silent port scans. Packets failing these checks are logged according to the TCP_FLAGS_LOG_LEVEL option in and are - disposed of according to the TCP_FLAGS_DISPOSITION - option. + disposed of according to the TCP_FLAGS_DISPOSITION option. @@ -573,8 +540,7 @@ dmz DMZ Demilitarized zone This option causes incoming packets on this interface to - be checked against the blacklist. + be checked against the blacklist. @@ -613,10 +579,10 @@ dmz DMZ Demilitarized zone within their own infrastructure. Also, many cable and DSL modems have an RFC 1918 address that can be used through a web browser for management and monitoring - functions. If you want to specify norfc1918 on your external interface - but need to allow access to certain addresses from the above - list, see FAQ 14. + functions. If you want to specify norfc1918 + on your external interface but need to allow access to certain + addresses from the above list, see FAQ + 14. @@ -635,7 +601,7 @@ dmz DMZ Demilitarized zone routefilter - Invoke the Kernel's route filtering (anti-spoofing) + Invoke the Kernel's route filtering (anti-spoofing) facility on this interface. The kernel will reject any packets incoming on this interface that have a source address that would be routed outbound through another interface on the @@ -653,8 +619,7 @@ dmz DMZ Demilitarized zone (Added in version 1.3.5) - This option causes Shorewall - to set - /proc/sys/net/ipv4/conf/<interface>/proxy_arp + to set /proc/sys/net/ipv4/conf/<interface>/proxy_arp and is used when implementing Proxy ARP Sub-netting as described at http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/. @@ -699,8 +664,7 @@ dmz DMZ Demilitarized zone they do not have a broadcast or multicast address as their source. Any such packets will be dropped after being optionally logged according to the setting of SMURF_LOG_LEVEL - in /etc/shorewall/shorewall.conf. + in /etc/shorewall/shorewall.conf. @@ -709,13 +673,11 @@ dmz DMZ Demilitarized zone - External Interface -- tcpflags,blacklist,norfc1918,routefilter,nosmurfs + External Interface -- tcpflags,blacklist,norfc1918,routefilter,nosmurfs - Wireless Interface -- maclist,routefilter,tcpflags,detectnets,nosmurfs + Wireless Interface -- maclist,routefilter,tcpflags,detectnets,nosmurfs @@ -731,9 +693,8 @@ dmz DMZ Demilitarized zone You have a conventional firewall setup in which eth0 connects to a Cable or DSL modem and eth1 connects to your local network and eth0 gets its IP address via DHCP. You want to check all packets entering - from the internet against the <link linkend="Blacklist">black - list</link>. Your /etc/shorewall/interfaces file would be as - follows: + from the internet against the black list. + Your /etc/shorewall/interfaces file would be as follows: #ZONE INTERFACE BROADCAST OPTIONS net eth0 detect dhcp,norfc1918,blacklist @@ -765,13 +726,12 @@ loc eth1 192.168.1.255,192.168.12.255 purpose of the /etc/shorewall/hosts file. - The only time that you need entries in - /etc/shorewall/hosts is where you have more than one zone connecting through a single - interface. + The only time that you need entries in /etc/shorewall/hosts + is where you have more than one zone + connecting through a single interface. - IF YOU DON'T HAVE THIS SITUATION THEN DON'T - TOUCH THIS FILE!! + IF YOU DON'T HAVE THIS SITUATION THEN + DON'T TOUCH THIS FILE!! Columns in this file are: @@ -791,8 +751,8 @@ loc eth1 192.168.1.255,192.168.12.255 The name of an interface defined in the /etc/shorewall/interfaces file followed - by a colon (":") and a comma-separated list whose elements are - either: + by a colon (":") and a comma-separated list whose elements + are either: @@ -800,9 +760,8 @@ loc eth1 192.168.1.255,192.168.12.255 - A subnetwork in the form - <subnet-address>/<mask - width> + A subnetwork in the form <subnet-address>/<mask + width> @@ -810,8 +769,8 @@ loc eth1 192.168.1.255,192.168.12.255 only allowed when the interface names a bridge created by the brctl addbr command. This port must not be defined in /etc/shorewall/interfaces and - may optionally followed by a colon (":") and a host or network - IP. See the bridging + may optionally followed by a colon (":") and a host or + network IP. See the bridging documentation for details. @@ -873,8 +832,7 @@ loc eth1 192.168.1.255,192.168.12.255 This option causes incoming packets on this port to be - checked against the blacklist. + checked against the blacklist. @@ -920,12 +878,12 @@ loc eth1 192.168.1.255,192.168.12.255 - If you don't define any hosts for a zone, the hosts in the zone + If you don't define any hosts for a zone, the hosts in the zone default to i0:0.0.0.0/0 , i1:0.0.0.0/0, ... where i0, i1, ... are the interfaces to the zone. - You probably DON'T want to specify any hosts for your internet + You probably DON'T want to specify any hosts for your internet zone since the hosts that you specify will be the only ones that you will be able to access without adding additional rules. @@ -1002,10 +960,10 @@ loc eth1:192.168.1.0/24,192.168.12.0/24 Policies defined in /etc/shorewall/policy describe which zones are allowed to establish connections with other zones. - Policies established in /etc/shorewall/policy - can be viewed as default policies. If no rule in - /etc/shorewall/rules applies to a particular connection request then the - policy from /etc/shorewall/policy is applied. + Policies established in /etc/shorewall/policy can + be viewed as default policies. If no rule in /etc/shorewall/rules applies + to a particular connection request then the policy from + /etc/shorewall/policy is applied. Five policies are defined: @@ -1031,8 +989,7 @@ loc eth1:192.168.1.0/24,192.168.12.0/24 The connection request is rejected with an RST (TCP) or an - ICMP destination-unreachable packet being returned to the - client. + ICMP destination-unreachable packet being returned to the client. @@ -1064,8 +1021,7 @@ loc eth1:192.168.1.0/24,192.168.12.0/24 that you want a message sent to your system log each time that the policy is applied. - Entries in /etc/shorewall/policy have four columns as - follows: + Entries in /etc/shorewall/policy have four columns as follows: @@ -1116,18 +1072,16 @@ loc eth1:192.168.1.0/24,192.168.12.0/24 If left empty, TCP connection requests from the SOURCE zone to the DEST zone will not be rate-limited. - Otherwise, this column specifies the maximum rate at which TCP - connection requests will be accepted followed by a colon - (:) followed by the maximum burst size that will be - tolerated. Example: 10/sec:40 + role="bold">SOURCE zone to the DEST + zone will not be rate-limited. Otherwise, this column specifies the + maximum rate at which TCP connection requests will be accepted + followed by a colon (:) followed by the maximum burst + size that will be tolerated. Example: 10/sec:40 specifies that the maximum rate of TCP connection requests allowed will be 10 per second and a burst of 40 connections will be tolerated. Connection requests in excess of these limits will be - dropped. See the rules file - documentation for an explaination of how rate limiting - works. + dropped. See the rules file documentation + for an explaination of how rate limiting works. @@ -1162,12 +1116,12 @@ all all REJECT info - The firewall script processes the - /etc/shorewall/policy file from top to bottom and - uses the first applicable policy that it - finds. For example, in the following policy file, the policy - for (loc, loc) connections would be ACCEPT as specified in the first - entry even though the third entry in the file specifies REJECT. + The firewall script processes the /etc/shorewall/policy + file from top to bottom and uses the first + applicable policy that it finds. For example, in the + following policy file, the policy for (loc, loc) connections would be + ACCEPT as specified in the first entry even though the third entry in + the file specifies REJECT. #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST loc all ACCEPT @@ -1186,8 +1140,7 @@ loc loc REJECT info specify all in either the SOURCE or DEST column) and that there are no rules concerning connections from that zone to itself. If there is an explicit policy or if there are one or more rules, then - traffic within the zone is handled just like traffic between zones - is. + traffic within the zone is handled just like traffic between zones is. Any time that you have multiple interfaces associated with a single zone, you should ask yourself if you really want traffic routed @@ -1197,22 +1150,22 @@ loc loc REJECT info Multiple net interfaces to different ISPs. You - don't want to route traffic from one ISP to the other through your - firewall. + don't want to route traffic from one ISP to the other through + your firewall. - Multiple VPN clients. You don't necessarily want them to all - be able to communicate between themselves using your + Multiple VPN clients. You don't necessarily want them to + all be able to communicate between themselves using your gateway/router. Beginning with Shorewall 2.0.0, you can control the traffic from - the firewall to itself. As with any zone, fw->fw traffic is enabled + the firewall to itself. As with any zone, fw->fw traffic is enabled by default. It is not necessary to define the loopback interface (lo) in /etc/shorewall/interfaces in order to - define fw->fw rules or a fw->fw policy. + define fw->fw rules or a fw->fw policy. So long as there are no intra-zone rules for a zone, all @@ -1227,15 +1180,15 @@ loc loc REJECT info
The CONTINUE policy - Where zones are nested or - overlapping, the CONTINUE policy allows hosts that are within - multiple zones to be managed under the rules of all of these zones. - Let's look at an example: + Where zones are nested or overlapping, + the CONTINUE policy allows hosts that are within multiple zones to be + managed under the rules of all of these zones. Let's look at an + example: /etc/shorewall/zones: #ZONE DISPLAY COMMENTS -sam Sam Sam's system at home +sam Sam Sam's system at home net Internet The Internet loc Local Local Network @@ -1252,13 +1205,11 @@ net eth0:0.0.0.0/0 sam eth0:206.191.149.197 - Sam's home system is a member of both the sam zone and the net zone and as - described above , that means that sam must be listed before net in - /etc/shorewall/zones. + Sam's home system is a member of both the sam zone and the net + zone and as described above , that means + that sam must be listed before + net in /etc/shorewall/zones. /etc/shorewall/policy: @@ -1274,9 +1225,8 @@ all all REJECT info zone is sam and if there is no match then the connection request should be treated under rules where the source zone is net. It is important - that this policy be listed BEFORE the next policy (net to all). + that this policy be listed BEFORE the next policy (net + to all). Partial /etc/shorewall/rules: @@ -1286,19 +1236,19 @@ DNAT sam loc:192.168.1.3 tcp ssh DNAT net loc:192.168.1.5 tcp www ... - Given these two rules, Sam can connect to the firewall's internet - interface with ssh and the connection request will be forwarded to - 192.168.1.3. Like all hosts in the net - zone, Sam can connect to the firewall's internet interface on TCP port - 80 and the connection request will be forwarded to 192.168.1.5. The + Given these two rules, Sam can connect to the firewall's + internet interface with ssh and the connection request will be forwarded + to 192.168.1.3. Like all hosts in the net + zone, Sam can connect to the firewall's internet interface on TCP + port 80 and the connection request will be forwarded to 192.168.1.5. The order of the rules is not significant. Sometimes it is necessary to suppress port forwarding for a sub-zone. For example, suppose that all hosts can SSH to the firewall and be forwarded to 192.168.1.5 EXCEPT Sam. When Sam connects - to the firewall's external IP, he should be connected to the firewall - itself. Because of the way that Netfilter is constructed, this requires - two rules as follows: + to the firewall's external IP, he should be connected to the + firewall itself. Because of the way that Netfilter is constructed, this + requires two rules as follows: #ACTION SOURCE DEST PROTO DEST PORT(S) ... @@ -1320,12 +1270,12 @@ DNAT net loc:192.168.1.3 tcp ssh /etc/shorewall/rules The /etc/shorewall/rules file defines - exceptions to the policies established in the - /etc/shorewall/policy file. There is one entry in - /etc/shorewall/rules for each of these rules. Entries in this file only - govern the establishment of new connections — packets that are part of an - existing connection or that establish a connection that is related to an - existing connection are automatically accepted. + exceptions to the policies established in the /etc/shorewall/policy + file. There is one entry in /etc/shorewall/rules for each of these rules. + Entries in this file only govern the establishment of new connections — + packets that are part of an existing connection or that establish a + connection that is related to an existing connection are automatically + accepted. Rules for each pair of zones (source zone, destination zone) are evaluated in the order that they appear in the file — the first match @@ -1346,8 +1296,7 @@ DNAT net loc:192.168.1.3 tcp ssh CONTINUE rules may cause the connection request to be - reprocessed using a different (source zone, destination zone) - pair. + reprocessed using a different (source zone, destination zone) pair. @@ -1383,8 +1332,7 @@ DNAT net loc:192.168.1.3 tcp ssh Added in Shorewall 2.0.2 Beta 2. Exempts matching - connections from DNAT and REDIRECT rules later in the - file. + connections from DNAT and REDIRECT rules later in the file. @@ -1394,11 +1342,9 @@ DNAT net loc:192.168.1.3 tcp ssh Causes the connection request to be forwarded to the system specified in the DEST column (port forwarding). - DNAT stands for Destination Network Address Translation + DNAT stands for Destination + Network Address + Translation @@ -1406,8 +1352,7 @@ DNAT net loc:192.168.1.3 tcp ssh DNAT- - The above ACTION (DNAT) generates two iptables - rules: + The above ACTION (DNAT) generates two iptables rules: @@ -1416,8 +1361,8 @@ DNAT net loc:192.168.1.3 tcp ssh - an ACCEPT rule in the Netfilter - filter table. + an ACCEPT rule in the Netfilter filter + table. @@ -1449,8 +1394,8 @@ DNAT net loc:192.168.1.3 tcp ssh - an ACCEPT rule in the Netfilter - filter table. + an ACCEPT rule in the Netfilter filter + table. @@ -1463,8 +1408,7 @@ DNAT net loc:192.168.1.3 tcp ssh LOG - Log the packet -- requires a syslog level (see - below). + Log the packet -- requires a syslog level (see below). @@ -1479,22 +1423,20 @@ DNAT net loc:192.168.1.3 tcp ssh When the protocol specified in the PROTO column is TCP - (tcp, TCP or - 6), Shorewall will only pass connection - requests (SYN packets) to user space. This is for - compatibility with ftwall. + (tcp, TCP or 6), + Shorewall will only pass connection requests (SYN packets) + to user space. This is for compatibility with ftwall. - <defined - action> + <defined + action> (Shorewall 1.4.9 and later) - An action defined in the - /etc/shorewall/actions + /etc/shorewall/actions file. @@ -1508,16 +1450,16 @@ DNAT net loc:192.168.1.3 tcp ssh syslog level. Beginning with Shorewall version 2.0.2 Beta 1, a log tag may be specified. A log tag is a string of alphanumeric characters and is specified by following the - log level with ":" and the log tag. Example:ACCEPT:info:ftp net dmz tcp 21 + log level with ":" and the log tag. Example:ACCEPT:info:ftp net dmz tcp 21 The log tag is appended to the log prefix generated by the - LOGPREFIX variable in /etc/shorewall/conf. If - "ACCEPT:info" generates the log prefix "Shorewall:net2dmz:ACCEPT:" - then "ACCEPT:info:ftp" will generate "Shorewall:net2dmz:ACCEPT:ftp " - (note the trailing blank). The maximum length of a log prefix - supported by iptables is 29 characters; if a larger prefix is - generated, Shorewall will issue a warning message and will truncate - the prefix to 29 characters. + LOGPREFIX variable in /etc/shorewall/conf. + If "ACCEPT:info" generates the log prefix + "Shorewall:net2dmz:ACCEPT:" then "ACCEPT:info:ftp" + will generate "Shorewall:net2dmz:ACCEPT:ftp " (note the + trailing blank). The maximum length of a log prefix supported by + iptables is 29 characters; if a larger prefix is generated, + Shorewall will issue a warning message and will truncate the prefix + to 29 characters. The use of DNAT or REDIRECT requires that you have NAT enabled in your kernel configuration. @@ -1538,8 +1480,7 @@ DNAT net loc:192.168.1.3 tcp ssh If the source is not all then the source may be further restricted by adding a colon (:) followed by - a comma-separated list of qualifiers. Qualifiers are may - include: + a comma-separated list of qualifiers. Qualifiers are may include: @@ -1550,8 +1491,7 @@ DNAT net loc:192.168.1.3 tcp ssh specified interface (example loc:eth4). Beginning with Shorwall 1.3.9, the interface name may optionally be followed by a colon (:) and an IP address or subnet - (examples: loc:eth4:192.168.4.22, - net:eth0:192.0.2.0/24). + (examples: loc:eth4:192.168.4.22, net:eth0:192.0.2.0/24). @@ -1569,8 +1509,7 @@ DNAT net loc:192.168.1.3 tcp ssh MAC Address - in Shorewall + in Shorewall format. @@ -1630,14 +1569,13 @@ DNAT net loc:192.168.1.3 tcp ssh Unlike in the SOURCE column, a range of IP addresses may be - specified in the DEST column as <first - address>-<last address>. - When the ACTION is DNAT or DNAT-, connections will be assigned to - the addresses in the range in a round-robin fashion - (load-balancing). This feature is available - with DNAT rules only with Shorewall 1.4.6 and later versions; it is - available with DNAT- rules in all versions that support - DNAT-. + specified in the DEST column as <first address>-<last + address>. When the ACTION is DNAT or DNAT-, + connections will be assigned to the addresses in the range in a + round-robin fashion (load-balancing). This + feature is available with DNAT rules only with Shorewall 1.4.6 and + later versions; it is available with DNAT- rules in all versions + that support DNAT-. @@ -1655,11 +1593,11 @@ DNAT net loc:192.168.1.3 tcp ssh DEST PORT(S) - Port or port range (<low port>:<high port>) being - connected to. May only be specified if the protocol is tcp, udp or - icmp. For icmp, this column's contents are interpreted as an icmp - type. If you don't want to specify DEST PORT(S) but need to include - information in one of the columns to the right, enter + Port or port range (<low port>:<high port>) + being connected to. May only be specified if the protocol is tcp, + udp or icmp. For icmp, this column's contents are interpreted as + an icmp type. If you don't want to specify DEST PORT(S) but need + to include information in one of the columns to the right, enter - in this column. You may give a list of ports and/or port ranges separated by commas. Port numbers may be either integers or service names from /etc/services. @@ -1671,13 +1609,13 @@ DNAT net loc:192.168.1.3 tcp ssh May be used to restrict the rule to a particular client port - or port range (a port range is specified as <low port - number>:<high port number>). If you don't want to restrict - client ports but want to specify something in the next column, enter - - in this column. If you wish to specify a list of - port number or ranges, separate the list elements with commas (with - no embedded white space). Port numbers may be either integers or - service names from /etc/services. + or port range (a port range is specified as <low port + number>:<high port number>). If you don't want to + restrict client ports but want to specify something in the next + column, enter - in this column. If you wish to + specify a list of port number or ranges, separate the list elements + with commas (with no embedded white space). Port numbers may be + either integers or service names from /etc/services. @@ -1741,20 +1679,19 @@ DNAT loc:192.168.1.0/24 loc:192.168.1.3 tcp ACCEPT, DNAT[-], REDIRECT[-] or LOG rules with an entry in this column. Entries have the form - <rate>/<interval>[:<burst>] + <rate>/<interval>[:<burst>] - where <rate> is the number of connections per - <interval> (sec or min) and - <burst> is the largest burst permitted. If no burst value is + where <rate> is the number of connections per + <interval> (sec or min) and + <burst> is the largest burst permitted. If no burst value is given, a value of 5 is assumed. - There may be no whitespace embedded in the - specification. + There may be no whitespace embedded in the specification. - Let's take + Let's take - ACCEPT<2/sec:4> net dmz tcp 80 + ACCEPT<2/sec:4> net dmz tcp 80 The first time this rule is reached, the packet will be accepted; in fact, since the burst is 4, the first four packets @@ -1796,7 +1733,7 @@ DNAT loc:192.168.1.0/24 loc:192.168.1.3 tcp to 4/minute with a burst of 8 (Shorewall 1.4.7 and later only): #ACTION SOURCE DEST PROTO DEST PORT(S) -DNAT<4/min:8> net loc:192.168.1.3 tcp ssh +DNAT<4/min:8> net loc:192.168.1.3 tcp ssh @@ -1830,19 +1767,15 @@ ACCEPT loc dmz:155.186.235.222 tcp www server to be accessible from the internet in addition to the local 192.168.1.0/24 and dmz 192.168.2.0/24 subnetworks. - - since the server is in the 192.168.2.0/24 subnetwork, we can - assume that access to the server from that subnet will not involve - the firewall (but see FAQ - 2) - - unless you have more than one external IP address, you can - leave the ORIGINAL DEST column blank in the first rule. You cannot - leave it blank in the second rule though because then all ftp - connections originating in the local subnet 192.168.1.0/24 would be - sent to 192.168.2.2 regardless of the site that the user was trying - to connect to. That is clearly not what you want. - + since the server is in the 192.168.2.0/24 subnetwork, + we can assume that access to the server from that subnet will not + involve the firewall (but see FAQ 2)unless + you have more than one external IP address, you can leave the ORIGINAL + DEST column blank in the first rule. You cannot leave it blank in the + second rule though because then all ftp connections originating in the + local subnet 192.168.1.0/24 would be sent to 192.168.2.2 regardless of + the site that the user was trying to connect to. That is clearly not + what you want. #ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL # PORT(S) DEST @@ -1879,18 +1812,15 @@ ACCEPT loc:~02-00-08-E3-FA-55 dmz all #ACTION SOURCE DEST PROTO DEST PORT(S) ACCEPT all dmz tcp 25 - - When all is used as a source or destination, - intra-zone traffic is not affected. In this example, if there were - two DMZ interfaces then the above rule would NOT enable SMTP traffic - between hosts on these interfaces. - + When all is used as a source or + destination, intra-zone traffic is not affected. In this example, if + there were two DMZ interfaces then the above rule would NOT enable SMTP + traffic between hosts on these interfaces. - Your firewall's external interface has several IP addresses but - you only want to accept SSH connections on address - 206.124.146.176. + Your firewall's external interface has several IP addresses + but you only want to accept SSH connections on address 206.124.146.176. #ACTION SOURCE DEST PROTO DEST PORT(S) ACCEPT net fw:206.124.146.176 tcp 22 @@ -1937,15 +1867,14 @@ REDIRECT loc 3128 tcp www - ACCEPT fw net tcp www The reason that NONAT is used in the above example rather than - ACCEPT+ is that the example is assuming the usual ACCEPT loc->net + ACCEPT+ is that the example is assuming the usual ACCEPT loc->net policy. Since traffic from the local zone to the internet zone is accepted anyway, adding an additional ACCEPT rule is unnecessary and all that is required is to avoid the REDIRECT rule for HTTP connection requests from the two listed IP addresses. - Look here for information on other - services. + Look here for information on other services.
@@ -1968,15 +1897,13 @@ ACCEPT fw net tcp www optionally qualified by adding : and a subnet or host IP. When this qualification is added, only packets addressed to that host or subnet will be masqueraded. Beginning with Shorewall version - 1.4.10, the interface name can be qualified with ":" followed by a - comma separated list of hosts and/or subnets. If this list begins - with ! (e.g., - eth0:!192.0.2.8/29,192.0.2.32/29) then only packets - addressed to destinations not - listed will be masqueraded; otherwise (e.g., - eth0:192.0.2.8/29,192.0.2.32/29), traffic will be - masqueraded if it does match one of - the listed addresses. + 1.4.10, the interface name can be qualified with ":" + followed by a comma separated list of hosts and/or subnets. If this + list begins with ! (e.g., eth0:!192.0.2.8/29,192.0.2.32/29) + then only packets addressed to destinations not + listed will be masqueraded; otherwise (e.g., eth0:192.0.2.8/29,192.0.2.32/29), + traffic will be masqueraded if it does + match one of the listed addresses. Beginning with Shorewall version 1.3.14, if you have set ADD_SNAT_ALIASES=Yes in , you can cause @@ -2072,9 +1999,8 @@ ACCEPT fw net tcp www - A range of port numbers of the form <low - port>:<high - port> + A range of port numbers of the form <low + port>:<high port> @@ -2101,7 +2027,7 @@ ipsec0:10.1.0.0/16 192.168.9.0/24 You have a DSL line connected on eth0 and a local network - (192.168.10.0/24) connected to eth1. You want all local->net + (192.168.10.0/24) connected to eth1. You want all local->net connections to use source address 206.124.146.176. #INTERFACE SUBNET ADDRESS @@ -2117,18 +2043,18 @@ eth0 192.168.10.0/24!192.168.10.44,192.168.10.45 206.124.146.176 - <emphasis role="bold">(Shorewall version >= - 1.3.14):</emphasis> You have a second IP address (206.124.146.177) - assigned to you and wish to use it for SNAT of the subnet - 192.168.12.0/24. You want to give that address the name eth0:0. You must - have ADD_SNAT_ALIASES=Yes in <xref linkend="Conf" />. + <emphasis role="bold">(Shorewall version >= 1.3.14):</emphasis> + You have a second IP address (206.124.146.177) assigned to you and wish + to use it for SNAT of the subnet 192.168.12.0/24. You want to give that + address the name eth0:0. You must have ADD_SNAT_ALIASES=Yes in <xref + linkend="Conf" />. #INTERFACE SUBNET ADDRESS eth0:0 192.168.12.0/24 206.124.146.177 - <emphasis role="bold">(Shorewall version >= 1.4.7):</emphasis> + <title><emphasis role="bold">(Shorewall version >= 1.4.7):</emphasis> You want to use both 206.124.146.177 and 206.124.146.179 for SNAT of the subnet 192.168.12.0/24. Each address will be used on alternate outbound connections. @@ -2138,11 +2064,11 @@ eth0 192.168.12.0/24 206.124.146.177,206.124.146.179 - <emphasis role="bold">(Shorewall version >= 2.0.2 Beta - 1):</emphasis> You want all outgoing SMTP traffic entering the firewall - on eth1 to be sent from eth0 with source IP address 206.124.146.177. You - want all other outgoing traffic from eth1 to be sent from eth0 with - source IP address 206.124.146.176. + <emphasis role="bold">(Shorewall version >= 2.0.2 Beta 1):</emphasis> + You want all outgoing SMTP traffic entering the firewall on eth1 to be + sent from eth0 with source IP address 206.124.146.177. You want all + other outgoing traffic from eth1 to be sent from eth0 with source IP + address 206.124.146.176. #INTERFACE SUBNET ADDRESS PROTO PORT(S) eth0 eth1 206.124.146.177 tcp 25 @@ -2160,11 +2086,10 @@ eth0 eth1 206.124.146.176 that you look at the Proxy ARP Subnet Mini HOWTO. If you decide to use the technique described in that - HOWTO, you can set the proxy_arp flag for an interface - (/proc/sys/net/ipv4/conf/<interface>/proxy_arp) + HOWTO, you can set the proxy_arp flag for an interface (/proc/sys/net/ipv4/conf/<interface>/proxy_arp) by including the proxyarp option in the - interface's record in . When using Proxy ARP - sub-netting, you do NOT include any + interface's record in . When using Proxy + ARP sub-netting, you do NOT include any entries in /etc/shorewall/proxyarp. The /etc/shorewall/proxyarp file is used to @@ -2215,33 +2140,33 @@ eth0 eth1 206.124.146.176 PERSISTENT - If you specify "No" or "no" in the HAVEROUTE column, Shorewall - will automatically add a route to the host in the ADDRESS column - through the interface in the INTERFACE column. If you enter - No or no in the PERSISTENT column or - if you leave the column empty, that route will be deleted if you - issue a shorewall stop or shorewall - clear command. If you place Yes or - yes in the PERSISTENT column, then those commands - will not cause the route to be deleted. + If you specify "No" or "no" in the HAVEROUTE + column, Shorewall will automatically add a route to the host in the + ADDRESS column through the interface in the INTERFACE column. If you + enter No or no in the PERSISTENT + column or if you leave the column empty, that route will be deleted + if you issue a shorewall stop or + shorewall clear command. If you place + Yes or yes in the PERSISTENT column, + then those commands will not cause the route to be deleted. - After you have made a change to the - /etc/shorewall/proxyarp file, you may need to flush - the ARP cache of all routers on the LAN segment connected to the - interface specified in the EXTERNAL column of the change/added entry(s). - If you are having problems communicating between an individual host (A) - on that segment and a system whose entry has changed, you may need to - flush the ARP cache on host A as well. + After you have made a change to the /etc/shorewall/proxyarp + file, you may need to flush the ARP cache of all routers on + the LAN segment connected to the interface specified in the EXTERNAL + column of the change/added entry(s). If you are having problems + communicating between an individual host (A) on that segment and a + system whose entry has changed, you may need to flush the ARP cache on + host A as well. ISPs typically have ARP configured with long TTL (hours!) so if your ISPs router has a stale cache entry (as seen using tcpdump - -nei <external interface> host <IP addr>), it may - take a long while to time out. I personally have had to contact my ISP - and ask them to delete a stale entry in order to restore a system to + -nei <external interface> host <IP addr>), it + may take a long while to time out. I personally have had to contact my + ISP and ask them to delete a stale entry in order to restore a system to working order after changing my proxy ARP settings. @@ -2255,21 +2180,18 @@ eth0 eth1 206.124.146.176 In your DMZ, you want to install a Web/FTP server with public address 155.186.235.4. On the Web server, you subnet just like the - firewall's eth0 and you configure 155.186.235.1 as the default gateway. - In your /etc/shorewall/proxyarp file, you will - have: + firewall's eth0 and you configure 155.186.235.1 as the default + gateway. In your /etc/shorewall/proxyarp file, you + will have: #ADDRESS INTERFACE EXTERNAL HAVEROUTE 155.186.235.4 eth2 eth0 NO - - You may want to configure the servers in your DMZ with a - subnet that is smaller than the subnet of your internet interface. - See the Proxy ARP - Subnet Mini HOWTO for details. In this case you will want to - place Yes in the HAVEROUTE column. - + You may want to configure the servers in your DMZ with + a subnet that is smaller than the subnet of your internet interface. See + the Proxy + ARP Subnet Mini HOWTO for details. In this case you will want to + place Yes in the HAVEROUTE column. @@ -2278,12 +2200,12 @@ eth0 eth1 206.124.146.176 Shorewall with an IPSEC tunnel active, the proxied IP addresses are mistakenly assigned to the IPSEC tunnel device (ipsecX) rather than to the interface that you specify in the INTERFACE column of - /etc/shorewall/proxyarp. I haven't had the time to - debug this problem so I can't say if it is a bug in the Kernel or in - FreeS/Wan. + /etc/shorewall/proxyarp. I haven't had the time + to debug this problem so I can't say if it is a bug in the Kernel or + in FreeS/Wan. You might be able to work around - this problem using the following (I haven't tried it): + this problem using the following (I haven't tried it): In /etc/shorewall/init, include: @@ -2306,11 +2228,10 @@ eth0 eth1 206.124.146.176 If all you want to do is forward ports to servers behind your firewall, you do NOT want to use one-to-one NAT. Port forwarding can be - accomplished with simple entries in the rules - file. Also, in most cases Proxy - ARP provides a superior solution to one-to-one NAT because the - internal systems are accessed using the same IP address internally and - externally. + accomplished with simple entries in the rules file. + Also, in most cases Proxy ARP provides a + superior solution to one-to-one NAT because the internal systems are + accessed using the same IP address internally and externally. Columns in an entry are: @@ -2370,15 +2291,15 @@ eth0 eth1 206.124.146.176 If Yes or yes, NAT will be effective from the firewall system. Note that with Shorewall 2.0.1 and earlier versions, this column was - ignored if the ALL INTERFACES column did not contain "Yes" or "yes". - Beginning with Shorewall 2.0.2 Beta 1, this column's contents are - independent of the value in ALL INTERFACES. + ignored if the ALL INTERFACES column did not contain "Yes" + or "yes". Beginning with Shorewall 2.0.2 Beta 1, this + column's contents are independent of the value in ALL + INTERFACES. For this to work, you must be running kernel 2.4.19 or later and iptables 1.2.6a or later and you must have enabled CONFIG_IP_NF_NAT_LOCAL in your - kernel. + role="bold">CONFIG_IP_NF_NAT_LOCAL in your kernel. @@ -2404,13 +2325,13 @@ eth0 eth1 206.124.146.176 compilation errors. - Instructions for setting up IPSEC - tunnels may be found here, instructions for IPIP and GRE tunnels are here, instructions for - OpenVPN tunnels are here, instructions - for PPTP tunnels are here, instructions for - 6to4 tunnels are here, and instructions for - integrating Shorewall with other types of + Instructions for setting up IPSEC tunnels + may be found here, instructions for IPIP and GRE + tunnels are here, instructions for OpenVPN + tunnels are here, instructions for PPTP + tunnels are here, instructions for 6to4 + tunnels are here, and instructions for integrating Shorewall with other types of tunnels are here.
@@ -2436,14 +2357,15 @@ eth0 eth1 206.124.146.176 (Added at version 2.0.2) - Specifies where configuration files other than shorewall.conf may be found. CONFIG_PATH is specifies as a list of directory names separated by - colons (":"). When looking for a configuration file other than - shorewall.conf: + colons (":"). When looking for a configuration file other + than shorewall.conf:
- If the command is "try" or if "-c <configuration - directory>" was specified in the command then the directory - given in the command is searched first. + If the command is "try" or if "-c + <configuration directory>" was specified in the + command then the directory given in the command is searched + first. @@ -2453,16 +2375,26 @@ eth0 eth1 206.124.146.176 If CONFIG_PATH is not given or if it is set to the empty value - then the contents of - /usr/share/shorewall/configpath are used. As - released from shorewall.net, that file sets the CONFIG_PATH to - /etc/shorewall:/usr/share/shorewall - but your particular distribution may set it - differently. + then the contents of /usr/share/shorewall/configpath + are used. As released from shorewall.net, that file sets the + CONFIG_PATH to /etc/shorewall:/usr/share/shorewall + but your particular distribution may set it differently. - Note that the setting in - /usr/share/shorewall/configpath is always used - to locate shorewall.conf. + Note that the setting in /usr/share/shorewall/configpath + is always used to locate shorewall.conf. + + + + + RESTOREFILE + + + (Added at version 2.0.3 Beta 1) - The simple name of a file in + /var/lib/shorewall to be used as the default restore + script in the shorewall save, shorewall restore, shorewall forget + and shorewall -f start commands. See the Saved Configuration + documentation for details. @@ -2481,10 +2413,9 @@ eth0 eth1 206.124.146.176 (Added at version 2.0.0) - Specifies the logging level for smurf packets (see the nosmurfs - option in /etc/shorewall/interfaces). If set to - the empty value ( SMURF_LOG_LEVEL="" ) then smurfs are not - logged. + option in /etc/shorewall/interfaces). + If set to the empty value ( SMURF_LOG_LEVEL="" ) then smurfs + are not logged. @@ -2494,8 +2425,8 @@ eth0 eth1 206.124.146.176 (Added at version 1.4.9) - The value of this variable determines the possible file extensions of kernel modules. The - default value is "o gz ko and o.gz". See - for more details. + default value is "o gz ko and o.gz". See for more details. @@ -2504,7 +2435,7 @@ eth0 eth1 206.124.146.176 (Added at version 1.4.7) - The value of this variable affects - Shorewall's stopped + Shorewall's stopped state. When ADMINISABSENTMINDES=No, only traffic to/from those addresses listed in /etc/shorewall/routestopped is accepted when Shorewall is stopped.When ADMINISABSENTMINDED=Yes, in addition @@ -2538,24 +2469,24 @@ eth0 eth1 206.124.146.176 disposition). To use LOGFORMAT with fireparse, set it as: - LOGFORMAT="fp=%s:%d a=%s " + LOGFORMAT="fp=%s:%d a=%s " - If the LOGFORMAT value contains the substring - %d then the logging rule number is calculated and - formatted in that position; if that substring is not included then - the rule number is not included. If not supplied or supplied as - empty (LOGFORMAT="") then Shorewall:%s:%s: is + If the LOGFORMAT value contains the substring %d + then the logging rule number is calculated and formatted in that + position; if that substring is not included then the rule number is + not included. If not supplied or supplied as empty + (LOGFORMAT="") then Shorewall:%s:%s: is assumed. /sbin/shorewall uses the leading part of the LOGFORMAT string (up to but not including the first - %) to find log messages in the show - log, status and hits - commands. This part should not be omitted (the LOGFORMAT should - not begin with %) and the leading part should be - sufficiently unique for /sbin/shorewall to - identify Shorewall messages. + %) to find log messages in the show log, + status and hits commands. This part + should not be omitted (the LOGFORMAT should not begin with + %) and the leading part should be sufficiently + unique for /sbin/shorewall to identify + Shorewall messages.
@@ -2565,16 +2496,15 @@ eth0 eth1 206.124.146.176 (Added at version 1.3.13) - If this option is set to - No then Shorewall won't clear the current traffic + No then Shorewall won't clear the current traffic control rules during [re]start. This setting is intended for use by people that prefer to configure traffic shaping when the network interfaces come up rather than when the firewall is started. If that is what you want to do, set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That - way, your traffic shaping rules can still use the - fwmark classifier based on packet marking defined in - /etc/shorewall/tcrules. If not specified, CLEAR_TC=Yes is - assumed. + way, your traffic shaping rules can still use the fwmark + classifier based on packet marking defined in + /etc/shorewall/tcrules. If not specified, CLEAR_TC=Yes is assumed. @@ -2593,7 +2523,7 @@ eth0 eth1 206.124.146.176 show mangle command; if a FORWARD chain is displayed then your kernel will support this option. If this option is not specified or if it is given the empty value (e.g., - MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is + MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed. @@ -2603,9 +2533,8 @@ eth0 eth1 206.124.146.176 (Added at version 1.3.12) - This parameter determines the - level at which packets logged under the norfc1918 mechanism are - logged. The value must be a valid norfc1918 + mechanism are logged. The value must be a valid syslog level and if no level is given, then info is assumed. Prior to Shorewall version 1.3.12, these packets are always logged at the info level. @@ -2617,9 +2546,8 @@ eth0 eth1 206.124.146.176 (Added at version 2.0.1) - This parameter determines the level - at which packets logged under the nobogons mechanism are - logged. The value must be a valid nobogons + mechanism are logged. The value must be a valid syslog level and if no level is given, then info is assumed. @@ -2634,8 +2562,8 @@ eth0 eth1 206.124.146.176 linkend="Interfaces">tcpflags interface option and must have a value of ACCEPT (accept the packet), REJECT (send an RST response) or DROP (ignore the packet). If not set or if set to the empty value - (e.g., TCP_FLAGS_DISPOSITION="") then TCP_FLAGS_DISPOSITION=DROP is - assumed. + (e.g., TCP_FLAGS_DISPOSITION="") then + TCP_FLAGS_DISPOSITION=DROP is assumed. @@ -2647,9 +2575,9 @@ eth0 eth1 206.124.146.176 url="shorewall_logging.html">syslog level for logging packets that fail the checks enabled by the tcpflags interface option.The value must - be a valid syslogd log level. If you don't want to log these + be a valid syslogd log level. If you don't want to log these packets, set to the empty value (e.g., - TCP_FLAGS_LOG_LEVEL=""). + TCP_FLAGS_LOG_LEVEL=""). @@ -2662,7 +2590,7 @@ eth0 eth1 206.124.146.176 Verification and must have the value ACCEPT (accept the connection request anyway), REJECT (reject the connection request) or DROP (ignore the connection request). If not set or if set to the - empty value (e.g., MACLIST_DISPOSITION="") then + empty value (e.g., MACLIST_DISPOSITION="") then MACLIST_DISPOSITION=REJECT is assumed. @@ -2675,8 +2603,8 @@ eth0 eth1 206.124.146.176 url="shorewall_logging.html">syslog level for logging connection requests that fail MAC Verification. The value must be a valid syslogd log level. - If you don't want to log these connection requests, set to the empty - value (e.g., MACLIST_LOG_LEVEL=""). + If you don't want to log these connection requests, set to the + empty value (e.g., MACLIST_LOG_LEVEL=""). @@ -2705,8 +2633,7 @@ eth0 eth1 206.124.146.176 Shorewall drops non-SYN TCP packets that are not part of an existing connection. If you would like to log these packets, set LOGNEWNOTSYN to the syslog level at - which you want the packets logged. Example: - LOGNEWNOTSYN=ULOG| + which you want the packets logged. Example: LOGNEWNOTSYN=ULOG| Packets logged under this option are usually the result of @@ -2726,8 +2653,8 @@ eth0 eth1 206.124.146.176 DNAT rules as the original destination IP address. If set to No or no, Shorewall will not detect this address and any destination IP address will match the DNAT - rule. If not specified or empty, - DETECT_DNAT_ADDRS=Yes is assumed. + rule. If not specified or empty, DETECT_DNAT_ADDRS=Yes + is assumed. @@ -2761,8 +2688,8 @@ eth0 eth1 206.124.146.176 This parameter should be set to the name of a file that the firewall should create if it starts successfully and remove when it stops. Creating and removing this file allows Shorewall to work with - your distribution's initscripts. For RedHat, this should be set to - /var/lock/subsys/shorewall. For Debian, the value is + your distribution's initscripts. For RedHat, this should be set + to /var/lock/subsys/shorewall. For Debian, the value is /var/state/shorewall and in LEAF it is /var/run/shorwall. Example: SUBSYSLOCK=/var/lock/subsys/shorewall. @@ -2773,8 +2700,8 @@ eth0 eth1 206.124.146.176 This parameter specifies the name of a directory where - Shorewall stores state information. If the directory doesn't exist - when Shorewall starts, it will create the directory. Example: + Shorewall stores state information. If the directory doesn't + exist when Shorewall starts, it will create the directory. Example: STATEDIR=/tmp/shorewall. @@ -2791,7 +2718,7 @@ eth0 eth1 206.124.146.176 This parameter specifies the directory where your kernel netfilter modules may be found. If you leave the variable empty, - Shorewall will supply the value "/lib/modules/`uname + Shorewall will supply the value "/lib/modules/`uname -r`/kernel/net/ipv4/netfilter. @@ -2819,8 +2746,7 @@ LOGBURST=5 be logged from the rule, regardless of how many packets reach it. Also, every 6 seconds which passes without matching a packet, one of the bursts will be regained; if no packets hit the rule for 30 - seconds, the burst will be fully recharged; back where we - started. + seconds, the burst will be fully recharged; back where we started. @@ -2831,9 +2757,9 @@ LOGBURST=5 This parameter tells the /sbin/shorewall program where to look for Shorewall messages when processing the show log, - monitor, status and - hits commands. If not assigned or if assigned an - empty value, /var/log/messages is assumed. + monitor, status and hits + commands. If not assigned or if assigned an empty value, + /var/log/messages is assumed. @@ -2873,7 +2799,7 @@ LOGBURST=5 If this variable is not set or is given an empty value - (IP_FORWARD="") then IP_FORWARD=On is assumed. + (IP_FORWARD="") then IP_FORWARD=On is assumed. @@ -2882,15 +2808,14 @@ LOGBURST=5 This parameter determines whether Shorewall automatically adds - the external address(es) in . If the variable is set to Yes or - yes then Shorewall automatically adds these aliases. - If it is set to No or no, you must add - these aliases yourself using your distribution's network - configuration tools. + the external address(es) in . + If the variable is set to Yes or yes + then Shorewall automatically adds these aliases. If it is set to + No or no, you must add these aliases + yourself using your distribution's network configuration tools. If this variable is not set or is given an empty value - (ADD_IP_ALIASES="") then ADD_IP_ALIASES=Yes is assumed. + (ADD_IP_ALIASES="") then ADD_IP_ALIASES=Yes is assumed. @@ -2903,11 +2828,10 @@ LOGBURST=5 the variable is set to Yes or yes then Shorewall automatically adds these addresses. If it is set to No or no, you must add these addresses - yourself using your distribution's network configuration - tools. + yourself using your distribution's network configuration tools. If this variable is not set or is given an empty value - (ADD_SNAT_ALIASES="") then ADD_SNAT_ALIASES=No is assumed. + (ADD_SNAT_ALIASES="") then ADD_SNAT_ALIASES=No is assumed. @@ -2918,10 +2842,10 @@ LOGBURST=5 This parameter determines the logging level of mangled/invalid packets controlled by the dropunclean and logunclean interface options. If LOGUNCLEAN is empty (LOGUNCLEAN=) then packets - selected by dropclean are dropped silently - (logunclean packets are logged under the - info log level). Otherwise, these packets are logged - at the specified level (Example: LOGUNCLEAN=debug). + selected by dropclean are dropped silently (logunclean + packets are logged under the info log level). + Otherwise, these packets are logged at the specified level (Example: + LOGUNCLEAN=debug). @@ -2943,10 +2867,10 @@ LOGBURST=5 This paremter determines if packets from blacklisted hosts are logged and it determines the syslog level that they are to be logged - at. Its value is a syslog - level (Example: BLACKLIST_LOGLEVEL=debug). If you do not - assign a value or if you assign an empty value then packets from - blacklisted hosts are not logged. + at. Its value is a syslog level + (Example: BLACKLIST_LOGLEVEL=debug). If you do not assign a value or + if you assign an empty value then packets from blacklisted hosts are + not logged. @@ -2958,8 +2882,7 @@ LOGBURST=5 Netfilter and is usually required when your internet connection is through PPPoE or PPTP. If set to Yes or yes, the feature is enabled. If left blank or set to - No or no, the feature is not - enabled. + No or no, the feature is not enabled. This option requires CONFIG_IP_NF_TARGET_TCPMSS parameter exists (see above). The file that is released with Shorewall calls the Shorewall - function loadmodule for the set of modules that I - load. + function loadmodule for the set of modules that I load. - The loadmodule function is called as - follows: + The loadmodule function is called as follows: - loadmodule <modulename> [ <module parameters> ] + loadmodule <modulename> [ <module parameters> ] where - <modulename> + <modulename> is the name of the modules without the trailing @@ -3012,7 +2933,7 @@ LOGBURST=5 - <module parameters> + <module parameters> Optional parameters to the insmod utility. @@ -3020,31 +2941,31 @@ LOGBURST=5 - The function determines if the module named by - <modulename> is already loaded and if not then - the function determines if the .o file corresponding to the - module exists in the <moduledirectory>; if so, - then the following command is executed: + The function determines if the module named by <modulename> + is already loaded and if not then the function determines if the + .o file corresponding to the module exists in the + <moduledirectory>; if so, then the following + command is executed: - insmod <moduledirectory>/<modulename>.o <module parameters> + insmod <moduledirectory>/<modulename>.o <module parameters> - If the file doesn't exist, the function determines of the + If the file doesn't exist, the function determines of the .o.gz file corresponding to the module exists in the moduledirectory. If it does, the function assumes that the running configuration supports compressed modules and execute the following command: - insmod <moduledirectory>/<modulename>.o.gz <module parameters> + insmod <moduledirectory>/<modulename>.o.gz <module parameters> Beginning with the 1.4.9 Shorewall release, the value of the MODULE_SUFFIX option in determines which files the loadmodule function - looks for if the named module doesn't exist. For each file - <extension> listed in MODULE_SUFFIX (default "o - gz ko o.gz"), the function will append a period (".") and the extension - and if the resulting file exists then the following command will be - executed: + looks for if the named module doesn't exist. For each file + <extension> listed in MODULE_SUFFIX (default + "o gz ko o.gz"), the function will append a period (".") + and the extension and if the resulting file exists then the following + command will be executed: - insmod moduledirectory/<modulename>.<extension> <module parameters> + insmod moduledirectory/<modulename>.<extension> <module parameters>
@@ -3053,8 +2974,7 @@ LOGBURST=5 The /etc/shorewall/tos file allows you to set the Type of Service field in packet headers based on packet source, packet destination, protocol, source port and destination port. In order for this - file to be processed by Shorewall, you must have mangle support - enabled. + file to be processed by Shorewall, you must have mangle support enabled. Entries in the file have the following columns: @@ -3065,11 +2985,11 @@ LOGBURST=5 The source zone. May be qualified by following the zone name with a colon (:) and either an IP address, an IP - subnet, a MAC address in Shorewall Format - or the name of an interface. This column may also contain the name - of the firewall zone to indicate packets originating on the firewall - itself or all to indicate any source. + subnet, a MAC address in + Shorewall Format or the name of an interface. This column + may also contain the name of the firewall zone to indicate packets + originating on the firewall itself or all to indicate + any source. @@ -3089,8 +3009,8 @@ LOGBURST=5 PROTOCOL - The name of a protocol in /etc/protocols - or the protocol's number. + The name of a protocol in /etc/protocols or + the protocol's number. @@ -3166,13 +3086,12 @@ all all tcp ftp-data - 8Packets from hosts listed in the blacklist file will be disposed of according to the value assigned to the - BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL variables in - /etc/shorewall/shorewall.conf. Only packets arriving on interfaces that - have the blacklist option - in /etc/shorewall/interfaces are checked against the - blacklist. The black list is designed to prevent listed hosts/subnets from - accessing services on your + BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL + variables in /etc/shorewall/shorewall.conf. Only packets arriving on + interfaces that have the blacklist + option in /etc/shorewall/interfaces are checked + against the blacklist. The black list is designed to prevent listed + hosts/subnets from accessing services on your network. Beginning with Shorewall 1.3.8, the blacklist file has three @@ -3205,8 +3124,7 @@ all all tcp ftp-data - 8iptables -h - icmp). + of ICMP type numbers or names (see iptables -h icmp). @@ -3215,11 +3133,10 @@ all all tcp ftp-data - 8. - The Shorewall blacklist file is NOT designed to police your users' web browsing - -- to do that, I suggest that you install and configure Squid with SquidGuard. + The Shorewall blacklist file is NOT + designed to police your users' web browsing -- to do that, I suggest + that you install and configure Squid + with SquidGuard.
@@ -3251,8 +3168,7 @@ all all tcp ftp-data - 8RETURN - Process the packet normally thru the rules and - policies. + Process the packet normally thru the rules and policies. @@ -3268,9 +3184,8 @@ all all tcp ftp-data - 8logdrop - Log then drop the packet -- see the RFC1918_LOG_LEVEL parameter - above. + Log then drop the packet -- see the RFC1918_LOG_LEVEL + parameter above. @@ -3278,9 +3193,9 @@ all all tcp ftp-data - 8 - If you want to modify this file, DO NOT MODIFY - /usr/share/shorewall/rfc1918. Rather copy that file - to /etc/shorewall/rfc1918 and modify the copy. + If you want to modify this file, DO NOT MODIFY /usr/share/shorewall/rfc1918. + Rather copy that file to /etc/shorewall/rfc1918 and + modify the copy.
@@ -3288,8 +3203,7 @@ all all tcp ftp-data - 8This file lists the subnets affected by the nobogons interface option and nobogons hosts option. Columns in the file - are: + linkend="Hosts">nobogons hosts option. Columns in the file are: @@ -3311,8 +3225,7 @@ all all tcp ftp-data - 8RETURN - Process the packet normally thru the rules and - policies. + Process the packet normally thru the rules and policies. @@ -3328,8 +3241,8 @@ all all tcp ftp-data - 8logdrop - Log then drop the packet -- see the BOGONS_LOG_LEVEL parameter above. + Log then drop the packet -- see the BOGONS_LOG_LEVEL + parameter above. @@ -3337,17 +3250,16 @@ all all tcp ftp-data - 8 - If you want to modify this file, DO NOT MODIFY - /usr/share/shorewall/bogons. Rather copy that file to - /etc/shorewall/bogons and modify the copy. + If you want to modify this file, DO NOT MODIFY /usr/share/shorewall/bogons. + Rather copy that file to /etc/shorewall/bogons and + modify the copy.
/etc/shorewall/netmap (Added in Version 2.0.1) - Network mapping is defined using the - /etc/shorewall/netmap file. Columns in this file - are: + Network mapping is defined using the /etc/shorewall/netmap + file. Columns in this file are: @@ -3357,12 +3269,12 @@ all all tcp ftp-data - 8Must be DNAT or SNAT. If DNAT, traffic entering INTERFACE and addressed to NET1 has - it's destination address rewritten to the corresponding address in - NET2. + it's destination address rewritten to the corresponding address + in NET2. If SNAT, traffic leaving INTERFACE with a source address in - NET1 has it's source address rewritten to the corresponding address - in NET2. + NET1 has it's source address rewritten to the corresponding + address in NET2. @@ -3370,8 +3282,7 @@ all all tcp ftp-data - 8NET1 - Must be expressed in CIDR format (e.g., - 192.168.1.0/24). + Must be expressed in CIDR format (e.g., 192.168.1.0/24). @@ -3380,8 +3291,7 @@ all all tcp ftp-data - 8 A firewall interface. This interface must have been defined in - /etc/shorewall/interfaces. + /etc/shorewall/interfaces. @@ -3459,108 +3369,16 @@ eth1 - Revision History - - - 1.17 - - 2004-04-05 - - TE - - Update for Shorewall 2.0.2 - - - - 1.16 - - 2004-03-17 - - TE - - Clarified LOGBURST and LOGLIMIT. - - - - 1.15 - - 2004-02-16 - - TE - - Move the rfc1918 file to - /usr/share/shorewall. - - - - 1.14 - - 2004-02-13 - - TE - - Add a note about the order of rules. - - - - 1.13 - - 2004-02-03 - - TE - - Update for Shorewall 2.0. - - - - 1.12 - - 2004-01-21 - - TE - - Add masquerade destination list. - - - - 1.12 - - 2004-01-18 - - TE - - Correct typo. - - - - 1.11 - - 2004-01-05 - - TE - - Standards Compliance - - - - 1.10 - - 2004-01-05 - - TE - - Improved formatting of DNAT- and REDIRECT- for - clarity - - - - 1.9 - - 2003-12-25 - - MN - - Initial Docbook Conversion Complete - - + 1.172004-04-05TEUpdate + for Shorewall 2.0.21.162004-03-17TEClarified + LOGBURST and LOGLIMIT.1.152004-02-16TEMove + the rfc1918 file to /usr/share/shorewall.1.142004-02-13TEAdd + a note about the order of rules.1.132004-02-03TEUpdate + for Shorewall 2.0.1.122004-01-21TEAdd + masquerade destination list.1.122004-01-18TECorrect + typo.1.112004-01-05TEStandards + Compliance1.102004-01-05TEImproved + formatting of DNAT- and REDIRECT- for clarity1.92003-12-25MNInitial + Docbook Conversion Complete \ No newline at end of file diff --git a/Shorewall-docs2/starting_and_stopping_shorewall.xml b/Shorewall-docs2/starting_and_stopping_shorewall.xml index 07f6d7a78..48251ddd2 100644 --- a/Shorewall-docs2/starting_and_stopping_shorewall.xml +++ b/Shorewall-docs2/starting_and_stopping_shorewall.xml @@ -15,7 +15,7 @@ - 2004-05-14 + 2004-06-12 2001-2004 @@ -78,13 +78,8 @@ the bottom of this page for more information. The -q option was added in Shorewall 2.0.2 Beta 1 and reduces the amout of output produced. Also beginning with Shorewall version 2.0.2 Beta 1, the -f option may - be specified; if this option is given and the file - /var/lib/shorewall/restore is present (see - shorewall save below), then that script is run to - restore the state of the firewall to the state when - /var/lib/shorewall/restore was created. This is - generally must faster than starting the firewall without the -f - option. + be specified. See the Saved Configurations + section below for details. @@ -121,15 +116,16 @@ shorewall save - Beginning with Shorewall - 2.0.2 Beta1, this command creates a script /var/lib/shorewall/restore - which when run will restore the state of the firewall to its current - state. + 2.0.2 Beta1, this command creates a script which when run will restore + the state of the firewall to its current state. See the Saved Configurations section below for details. - shorewall restore - Runs the - /var/lib/shorewall/restore created by the - shorewall save command. + shorewall restore [ <file name> ] - + Runs a script created by the shorewall save + command. See the Saved Configurations + section below for details. @@ -277,12 +273,13 @@ - shorewall save - save the dynamic - blacklisting configuration so that it will be automatically restored - the next time that the firewall is restarted. Beginning with Shorewall - version 2.0.2 Beta1, this command also creates the - /var/lib/shorewall/restore script as described - above. + shorewall save [ <file name> ] - save + the dynamic blacklisting configuration so that it will be + automatically restored the next time that the firewall is restarted. + Beginning with Shorewall version 2.0.2 Beta1, this command also + creates a script that can be used to restore the state of the + firewall. See the Saved Configurations + section below for details. @@ -405,6 +402,65 @@
+
+ Saved Configurations + + Beginning with Shorewall 2.0.2 Beta 1, Shorewall is integrated with + the iptables-save/iptables-restore programs through + saved configurations. A saved configuration is a + shell script that when executed will restore the firewall state to match + what it was when the script was created. Because of the way in which saved + configurations are used, they are also referred to using the term + restore script. + + + + The shorewall save command creates a restore + script. + + + + The shorewall restore command executes a + restore script. + + + + The shorewall forget command deleted a + restore script. + + + + The -f option of the shorewall + start command causes a restore script to be executed if it + exists. + + + + In Shorewall 2.0.2, the name of the restore script is fixed: + /var/lib/shorewall/restore. Beginning with Shorewall + 2.0.3 Beta 1, multiple restore scripts are permitted in /var/lib/shorewall. + + + + The shorewall save, shorewall + restore and shorewall forget commands are + extended to allow you to specify a simple file name (one not + containing embedded slashes). The fiile name specifies the name of a + restore script in /var/lib/shorewall. + + + + A RESTOREFILE option has been added to shorewall.conf. + This variable may contain a simple file name that designates the + default restore script when the command doesn't specify one. To + maintain backward compatibility with Shorewall 2.0.2, if RESTOREFILE + is not set or is set to the empty value (RESTOREFILE=""), the + the default value is restore. + + +
+
Shorewall State Diagram