diff --git a/docs/FAQ.xml b/docs/FAQ.xml index 6fb2e858e..966094098 100644 --- a/docs/FAQ.xml +++ b/docs/FAQ.xml @@ -162,6 +162,18 @@ Answer: See above. + +
+ (faq 77c) After restart and bootup of my Debian firewall, all + traffic is blocked for hosts behind the firewall trying to connect out + onto the net or through the vpn (although i can reach the internal + firewall interface and obtain dumps etc). Once I issue 'shorewall + clear' followed by 'shorewall restart' it then works, despite the + config not changing + + Answer: Set IP_FORWARDING=On in /etc/shorewall/shorewall.conf. +
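Review bot: the new entry in the hunk at @@ -162,6 +162,18 @@ is inconsistent with the surrounding FAQ style and its question text is unfinished: the label is lower-case "(faq 77c)" where the rest of the file uses "(FAQ 30)", "i can reach" should be "I can reach", and the question stops at "config not changing" with no terminating period. The answer also gives the setting without tying it to the symptom; one sentence saying that the "works after shorewall clear" behaviour is what IP_FORWARDING controls at startup would make the entry self-explanatory rather than a bare "set IP_FORWARDING=On in /etc/shorewall/shorewall.conf".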
@@ -492,8 +504,8 @@ eth0:66.249.93.111 0.0.0.0/0 206.124.146.176 tcp 993(FAQ 30) I'm confused about when to use DNAT rules and when to use ACCEPT rules. - Answer: It would be a good idea to - review the QuickStart + Answer: It would be a good idea + to review the QuickStart Guide appropriate for your setup; the guides cover this topic in a tutorial fashion. DNAT rules should be used for connections that need to go the opposite direction from SNAT/MASQUERADE. So if you masquerade @@ -627,8 +639,7 @@ DNAT loc loc:192.168.1.5 tcp www - find_first_interface_address in /etc/shorewall/params must be preceded with - a load of the - Shorewall function library:. /usr/share/shorewall/functions + a load of the Shorewall function library:. /usr/share/shorewall/functions ETH0_IP=`find_first_interface_address eth0` @@ -731,8 +742,8 @@ dmz eth2 192.168.2.255 routeback following: In /etc/shorewall/params (or in your - <export directory>/init file if you are using - Shorewall Lite on the firewall system): + <export directory>/init file if you are + using Shorewall Lite on the firewall system): ETH0_IP=`find_first_interface_address eth0` @@ -754,9 +765,8 @@ DNAT loc dmz:192.168.2.4 tcp 80 - If you are running Shorewall 3.2.6 on a Debian-based system, the call to find_first_interface_address in - /etc/shorewall/params - must be preceded with a load of the Shorewall function - library:. /usr/share/shorewall/functions + /etc/shorewall/params must be preceded with a + load of the Shorewall function library:. /usr/share/shorewall/functions ETH0_IP=`find_first_interface_address eth0` 
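Review bot: in the hunks at @@ -627,8 +639,7 @@ and @@ -754,9 +765,8 @@ the reflowed line "a load of the Shorewall function library:. /usr/share/shorewall/functions" still runs the sentence's colon directly into the shell source command, so the rendered text reads as the typo "library:." and a reader may drop the leading dot that the command depends on. Put the command on its own line after the colon, or introduce it as "with the command `. /usr/share/shorewall/functions`", so that ". /usr/share/shorewall/functions" is visibly the thing to type before ETH0_IP=`find_first_interface_address eth0`.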
@@ -783,10 +793,10 @@ DNAT loc dmz:192.168.2.4 tcp 80 - Blacklisting an IP address blocks incoming traffic from that IP address. And if you set BLACKLISTNEWONLY=Yes in - shorewall.conf, then only new connections - from that address are disallowed; - traffic from that address that is part of an established connection - (such as ping replies) is allowed. + shorewall.conf, then only new connections from that address are disallowed; traffic from + that address that is part of an established connection (such as ping + replies) is allowed. @@ -1070,8 +1080,9 @@ to debug/develop the newnat interface. openlog) and you get to choose the log level (again, see man syslog) in your policies and - rules. - The destination for messages logged by syslog is controlled by + rules. The + destination for messages logged by syslog is controlled by /etc/syslog.conf (see man syslog.conf). When you have changed /etc/syslog.conf, be sure to restart syslogd (on a @@ -1231,8 +1242,7 @@ teastep@ursa:~$ The first number determines the maximum log If, on your system, the first number is 7 or greater, then the default Shorewall configurations will cause messages to be written to your console. The simplest solution is to add this to your - /etc/sysctl.conf - file:kernel.printk = 4 4 1 7 + /etc/sysctl.conf file:kernel.printk = 4 4 1 7 thensysctl -p /etc/sysctl.conf @@ -1324,10 +1334,10 @@ teastep@ursa:~$ The first number determines the maximum log You have a policy that - specifies a log level and this packet is being logged under that - policy. If you intend to ACCEPT this traffic then you need a rule to that + url="manpages/shorewall-policy.html">policy + that specifies a log level and this packet is being logged under + that policy. If you intend to ACCEPT this traffic then you need a + rule to that effect. Beginning with Shorewall 3.3.3, packets logged out of these 
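Review bot: the blacklisting paragraph in the hunk at @@ -783,10 +793,10 @@ leaves the BLACKLISTNEWONLY=No case to be inferred from the opening sentence "Blacklisting an IP address blocks incoming traffic from that IP address." Since the reflow already touches these lines, state both cases explicitly, for example "With BLACKLISTNEWONLY=No, all incoming traffic from the address is blocked; with BLACKLISTNEWONLY=Yes, only new connections from that address are disallowed", so an administrator choosing the setting sees the difference in one place instead of reading it out of the ping-replies example.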
@@ -1746,15 +1756,16 @@ Creating input Chains... Why can't Shorewall detect my interfaces properly? Answer: The above output is - perfectly normal. The Net zone is defined as all hosts that are connected - through eth0 and the local zone - is defined as all hosts connected through eth0 and the + local zone is defined as all hosts connected through eth1. You can set the routefilter option on an internal interface if - you wish to guard against 'Martians' (a Martian is - a packet with a source IP address that is not routed out of the interface - on which the packet was received). If you do that, it is a good idea to - also set the logmartians option. + you wish to guard against 'Martians' (a Martian + is a packet with a source IP address that is not routed out of the + interface on which the packet was received). If you do that, it is a + good idea to also set the logmartians + option.
@@ -1766,12 +1777,12 @@ Creating input Chains... url="shorewall_extension_scripts.htm">Shorewall Extension Scripts. Be sure that you look at the contents of the chain(s) that you will be modifying with your commands so that the commands will - do what is intended. Many iptables commands published in HOWTOs and other - instructional material use the -A command which adds the rules to the end - of the chain. Most chains that Shorewall constructs end with an + do what is intended. Many iptables commands published in HOWTOs and + other instructional material use the -A command which adds the rules to + the end of the chain. Most chains that Shorewall constructs end with an unconditional DROP, ACCEPT or REJECT rule and any rules that you add - after that will be ignored. Check man iptables and look at - the -I (--insert) command. + after that will be ignored. Check man iptables and look + at the -I (--insert) command.
@@ -2625,4 +2636,4 @@ loc $FW ACCEPT policies.
- + \ No newline at end of file
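Review bot: the hunk at @@ -2625,4 +2636,4 @@ removes the file's trailing newline, as the "\ No newline at end of file" marker on the new side shows; this is unrelated to the reflow the rest of the patch does and will make the closing tag of docs/FAQ.xml show up as a changed line in every subsequent diff. Restore the final newline so the last line of the file is left untouched.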