diff --git a/docs/Actions.xml b/docs/Actions.xml
index b9d6460e1..00650e501 100644
--- a/docs/Actions.xml
+++ b/docs/Actions.xml
@@ -64,6 +64,9 @@
which each packet/rule match within the action causes a log message to be
generated.
+ For readers familiar with iptables, actions are the way in which you
+ can create your own filter-table chains.
+
There are three types of Shorewall actions:
@@ -158,7 +161,7 @@ ACCEPT - - tcp 135,139,445
In addition, the default specified in
/etc/shorewall/shorewall.conf may be overridden by
- specifying a different default in the POLICY column of /etc/shorewall/policy.
@@ -169,107 +172,6 @@ ACCEPT - - tcp 135,139,445
-
- Limiting Per-IP Connection Rate
-
- Shorewall supports a Limitaction. Limit is invoked with a comma-separated
- list in place of a logging tag. The list has three elements:
-
-
-
- The name of a recent list. You select the list
- name which must conform to the rules for a valid chain name. Different
- rules that specify the same list name will use the same set of
- counters.
-
-
-
- The number of connections permitted in a specified time
- period.
-
-
-
- The time period, expressed in seconds.
-
-
-
- Connections that exceed the specified rate are dropped.
-
- For example, to use a recent list name of SSHA, and to limit SSH connections to 3 per minute,
- use this entry in /etc/shorewall/rules:
-
- #ACTION SOURCE DEST PROTO DEST PORT(S)
-Limit:none:SSHA,3,60 net $FW tcp 22
-
- If you want dropped connections to be logged at the info level, use
- this rule instead:
-
- #ACTION SOURCE DEST PROTO DEST PORT(S)
-Limit:info:SSHA,3,60 net $FW tcp 22
-
- To summarize, you pass four pieces of information to the Limit
- action:
-
-
-
- The log level. If you don't want to log, specify
- none.
-
-
-
- The name of the recent list that you want to use
- (SSHA in this example).
-
-
-
- The maximum number of connections to accept (3 in this
- example).
-
-
-
- The number of seconds over which you are willing to accept that
- many connections (60 in this example).
-
-
-
-
- How Limit is Implemented
-
- For those who are curious, the Limit action is implemented as
- follows:
-
- my @tag = split /,/, $tag;
-
-fatal_error 'Limit rules must include <list name>,<max connections>,<interval> as the log tag (' . join( ':', 'Limit', $level eq '' ? 'none' : $level , $tag ) . ')'
- unless @tag == 3;
-
-my $list = $tag[0];
-
-for ( @tag[1,2] ) {
- fatal_error 'Max connections and interval in Limit rules must be numeric (' . join( ':', 'Limit', $level eq '' ? 'none' : $level, $tag ) . ')' unless /^\d+$/
-}
-
-my $count = $tag[1] + 1;
-
-add_rule $chainref, "-m recent --name $list --set";
-
-if ( $level ) {
- my $xchainref = new_chain 'filter' , "$chainref->{name}%";
- log_rule_limit $level, $xchainref, $tag[0], 'DROP', '', '', 'add', '';
- add_rule $xchainref, '-j DROP';
- add_rule $chainref, "-m recent --name $list --update --seconds $tag[2] --hitcount $count -j $xchainref->{name}";
-} else {
- add_rule $chainref, "-m recent --update --name $list --seconds $tag[2] --hitcount $count -j DROP";
-}
-
-add_rule $chainref, '-j ACCEPT';
-
-1;
-
-
-
Defining your own Actions
@@ -699,7 +601,107 @@ add_rule( $chainref, '-m pkttype --pkttype broadcast -j DROP' );
1;
- For a richer example, see this
- article.
+ For a richer example, see the next section.
+
+
+
+ Limiting Per-IP Connection Rate using the Limit Action
+
+ Shorewall supports a Limit built-in action. Limit is
+ invoked with a comma-separated list in place of a logging tag. The list
+ has three elements:
+
+
+
+ The name of a recent list. You select the list
+ name which must conform to the rules for a valid chain name. Different
+ rules that specify the same list name will use the same set of
+ counters.
+
+
+
+ The number of connections permitted in a specified time
+ period.
+
+
+
+ The time period, expressed in seconds.
+
+
+
+ Connections that exceed the specified rate are dropped.
+
+ For example, to use a recent list name of SSHA, and to limit SSH connections to 3 per minute,
+ use this entry in /etc/shorewall/rules:
+
+ #ACTION SOURCE DEST PROTO DEST PORT(S)
+Limit:none:SSHA,3,60 net $FW tcp 22
+
+ If you want dropped connections to be logged at the info level, use
+ this rule instead:
+
+ #ACTION SOURCE DEST PROTO DEST PORT(S)
+Limit:info:SSHA,3,60 net $FW tcp 22
+
+ To summarize, you pass four pieces of information to the Limit
+ action:
+
+
+
+ The log level. If you don't want to log, specify
+ none.
+
+
+
+ The name of the recent list that you want to use
+ (SSHA in this example).
+
+
+
+ The maximum number of connections to accept (3 in this
+ example).
+
+
+
+ The number of seconds over which you are willing to accept that
+ many connections (60 in this example).
+
+
+
+
+ How Limit is Implemented
+
+ For those who are curious, the Limit action is implemented as
+ follows:
+
+ my @tag = split /,/, $tag;
+
+fatal_error 'Limit rules must include <list name>,<max connections>,<interval> as the log tag (' . join( ':', 'Limit', $level eq '' ? 'none' : $level , $tag ) . ')'
+ unless @tag == 3;
+
+my $list = $tag[0];
+
+for ( @tag[1,2] ) {
+ fatal_error 'Max connections and interval in Limit rules must be numeric (' . join( ':', 'Limit', $level eq '' ? 'none' : $level, $tag ) . ')' unless /^\d+$/
+}
+
+my $count = $tag[1] + 1;
+
+add_rule $chainref, "-m recent --name $list --set";
+
+if ( $level ) {
+ my $xchainref = new_chain 'filter' , "$chainref->{name}%";
+ log_rule_limit $level, $xchainref, $tag[0], 'DROP', '', '', 'add', '';
+ add_rule $xchainref, '-j DROP';
+ add_rule $chainref, "-m recent --name $list --update --seconds $tag[2] --hitcount $count -j $xchainref->{name}";
+} else {
+ add_rule $chainref, "-m recent --update --name $list --seconds $tag[2] --hitcount $count -j DROP";
+}
+
+add_rule $chainref, '-j ACCEPT';
+
+1;
+
diff --git a/docs/Build.xml b/docs/Build.xml
index 45bd92f93..86cf83557 100644
--- a/docs/Build.xml
+++ b/docs/Build.xml
@@ -139,7 +139,8 @@
setversionThe setversion script updates the version
- number is a directory.
+ number in a directory. The script is run with the current working
+ directory being trunk.
setversion
@@ -153,8 +154,7 @@
build44
- This is the script that builds Shorewall packages from Git.
-
+ This is the script that builds Shorewall packages from Git.The script copies content from Git using the git
archive command. It then uses that content to build the
@@ -344,22 +344,6 @@
Build the shorewall6-lite package.
-
-
- p
-
-
- Build the shorewall-perl package
-
-
-
-
- s
-
-
- Build the shorewall-shell package
-
-
@@ -386,14 +370,14 @@
4.3.6:
- Example 2 - Build Shorewall 4.2.7.1 Shorewall-perl and generate
- patches against 4.2.7:
+ Example 2 - Build Shorewall 4.2.7.1 Shorewall and generate patches
+ against 4.2.7:
@@ -452,24 +436,6 @@
Upload the shorewall6-lite package.
-
-
- p
-
-
- Upload the shorewall-perl package (versions 4.0 and
- 4.2 only)
-
-
-
-
- s
-
-
- Upload the shorewall-shell package (versions 4.0 and
- 4.2 only)
-
-
diff --git a/docs/CompiledPrograms.xml b/docs/CompiledPrograms.xml
index c11c5f798..34abc5975 100644
--- a/docs/CompiledPrograms.xml
+++ b/docs/CompiledPrograms.xml
@@ -58,11 +58,6 @@
attempting to use them.
-
- The detectnets interface
- option is not supported.
-
-
All extension scripts used are copied into the program (with
the exception of those
@@ -115,8 +110,8 @@
command:
where
@@ -162,7 +157,9 @@
<path name>
- specifies the name of the script to be created.
+ specifies the name of the script to be created. If not
+ given, ${VARDIR}/firewall is assumed (by default, ${VARDIR} is
+ /var/lib/shorewall/)
@@ -239,8 +236,9 @@
modify the files in the corresponding export directory
appropriately. It's a good idea to include the IP address of the
- administrative system in the routestopped
- file.
+ administrative system in the routestopped
+ file.
It is important to understand that with Shorewall Lite, the
firewall's export directory on the administrative system acts as
@@ -288,8 +286,9 @@
-e), copies that file to the remote system via scp and
starts Shorewall Lite on the remote system via ssh. The -c option
causes the capabilities of the remote system to be generated and
- copied to a file named capabilities in the export directory. See
- below.
+ copied to a file named capabilities in the
+ export directory. See below.
Example (firewall's DNS name is 'gateway'):
@@ -538,8 +537,9 @@ clean:
On the administrative system:It's a good idea to include the IP address of the
- administrative system in the firewall system's
- routestopped file.
+ administrative system in the firewall system's routestopped
+ file.
Also, edit the shorewall.conf file in the
firewall's export directory and change the CONFIG_PATH setting to
@@ -727,8 +727,8 @@ CAPVERSION=40190
Running compiled programs directly
- Compiled firewall programs are complete programs that support the
- following command line forms:
+ Compiled firewall programs are complete shell programs that support
+ the following command line forms:
diff --git a/docs/Dynamic.xml b/docs/Dynamic.xml
index 0839a71be..c9324a755 100644
--- a/docs/Dynamic.xml
+++ b/docs/Dynamic.xml
@@ -45,11 +45,144 @@
Shorewall provides basic support for defining such zones. This
support is based on ipset, so to use dynamic zones,
- you must have installed the ipset. As of this writing, ipset
+ is not included in the standard kernel distribution; so to use dynamic
+ zones, you must be running kernel 2.6.20 or later and have installed the
+ xtables-addons.
+
+ Installing xtables-addons
+
+ The xtables-addons are fairly easy to install. You do not need to
+ recompile your kernel. Basic steps are as follows:
+
+
+
+ Install gcc and make
+
+
+
+ Install the headers for the kernel you are running. In some
+ distributions, such as Debian and
+ Ubuntu, the packet is called kernel-headers.
+ For other distrubutions, such as OpenSuSE, you must install the
+ kernel-source package.
+
+
+
+ At a shell prompt, type 'locate libxtables'. If no output is
+ produced, then you must download and install the latest iptables.
+
+
+
+
+ download the iptables source tarball
+
+
+
+ untar the source
+
+
+
+ cd to the iptables source directory
+
+
+
+ run './configure'
+
+
+
+ run 'make'
+
+
+
+ As root, cd to the iptables source directory and run 'make
+ install'.
+
+
+
+ Your new iptables binary will now be installed in
+ /usr/local/sbin. Modify shorewall.conf to specify
+ IPTABLES=/usr/local/sbin/iptables
+
+
+
+
+
+ Download the latest xtables-addons source tarball
+
+
+
+ Untar the xtables-addons source
+
+
+
+ cd to the xtables-addons source directory
+
+
+
+ run './configure'
+
+
+
+ run 'make'
+
+
+
+ As root, cd to the xtables-addons directory and run 'make
+ install'.
+
+
+
+ Restart shorewall
+
+
+
+ 'shorewall show capabilities' should now indicate Ipset Match: Available
+
+
+
+ You will have to repeat steps 6-9 each time that you receive a
+ kernel upgrade from your distribution venrundor. You can install
+ xtables-addons before booting to the new kernel as follows
+ (new-kernel-version is the version of the
+ newly-installed kernel - example 2.6.28.11-generic. Look in the /lib/modules
+ directory to get the full version name)
+
+
+
+ cd to the xtables-addons source directory
+
+
+
+ run 'make clean'
+
+
+
+ run './configure --with-kbuild
+ /lib/modules/new-kernel-version/build'
+
+
+
+ run 'make'
+
+
+
+ As root, cd to the xtables-addons source directory and run 'make
+ install'.
+
+
+
+ As root, run 'depmod -a
+ new-kernel-version'
+
+
+
+
Defining a Dynamic Zone
@@ -93,6 +226,10 @@ webok eth0 - hosts=dynamic
shorewall add eth0:192.168.3.4 webok
+
+ The command can only be used when the ipset involved is of type
+ iphash. For other ipset types, the ipset command must
+ be used directly.
@@ -112,6 +249,10 @@ webok eth0 - hosts=dynamic
shorewall delete eth0:192.168.3.4 webok
+
+ The command can only be used when the ipset involved is of type
+ iphash. For other ipset types, the ipset command must
+ be used directly.
@@ -152,7 +293,8 @@ eth0:
Restrictions
- When using dynamic zones, you may not use ipsets in your
- /etc/shorewall/routestopped file.
+ When using dynamic zones, you may not use ipsets in your /etc/shorewall/routestopped
+ file.
diff --git a/docs/configuration_file_basics.xml b/docs/configuration_file_basics.xml
index 907529140..d649a5280 100644
--- a/docs/configuration_file_basics.xml
+++ b/docs/configuration_file_basics.xml
@@ -227,6 +227,14 @@
/etc/shorewall and modify the
copy.
+
+
+ /usr/share/modules — Specifies the kernel
+ modules to be loaded during shorewall start/restart . If you need to change this file, copy it to
+ /etc/shorewall and modify the
+ copy.
+
@@ -424,7 +432,7 @@ ACCEPT net:\
206.124.146.180\
dmz tcp 873
- The leading white space on the first through third continuation
+ The leading white space on the first through third continuation
lines is ignored so the SOURCE column effectively contains
"net:206.124.146.177,206.124.147.178,206.124.146.180". Because the third
continuation line does not end with a comma or colon, the leading white
@@ -600,8 +608,8 @@ SHELL cat /etc/shorewall/rules.d/*.rulesThe /etc/shorewall/params file is processed
by the compiler at compile-time and by the compiled script at
- run-time. Beginning with Shorewall 3.2.9 and 3.4.0 RC2, if you have
- set EXPORTPARAMS=No in shorewall.conf, then the
+ run-time. If you have set EXPORTPARAMS=No in
+ shorewall.conf, then the
params file is only
processed by the compiler; it is not run by the compiled
script.
@@ -865,8 +873,8 @@ POP(ACCEPT) loc net:pop.gmail.com
If you use line continuation to break a comma-separated list,
- the continuation line(s) must begin in column 1 (or there would be
- embedded white space)
+ the comma must be the last thing on the continued line before '\'
+ unless the continuation line has no leading white space.
diff --git a/docs/traffic_shaping.xml b/docs/traffic_shaping.xml
index 6d8edd06b..6caa730b6 100644
--- a/docs/traffic_shaping.xml
+++ b/docs/traffic_shaping.xml
@@ -1344,7 +1344,7 @@ ppp0 4 90kbit 200kbit 3 default
-
+ An HFSC ExampleAs mentioned at the top of this article, there is an excellent
@@ -1371,7 +1371,7 @@ eth0 - 1000kbit hfsc
The following sub-section offers some notes about the
article.
-
+ Where Did all of those Magic Numbers come from?As you read the article, numbers seem to be introduced out of thin
diff --git a/manpages/shorewall-routestopped.xml b/manpages/shorewall-routestopped.xml
index e3ffd688a..c01acbbce 100644
--- a/manpages/shorewall-routestopped.xml
+++ b/manpages/shorewall-routestopped.xml
@@ -12,7 +12,7 @@
routestoppedThe Shorewall file that governs what traffic flows through the
- firewall while it is in 'stopped' state.
+ firewall while it is in the 'stopped' state.
@@ -29,6 +29,12 @@
used, the file also determines those hosts that are accessible when the
firewall is in the process of being [re]started.
+
+ Changes to this file do not take effect until after the next
+ shorewall start or shorewall
+ restart command.
+
+
The columns in the file are as follows.
@@ -102,34 +108,6 @@
-
- critical
-
-
- Allow traffic between the firewall and these hosts
- throughout '[re]start', 'stop' and 'clear'. Specifying
- critical on one or more
- entries will cause your firewall to be "totally open" for a
- brief window during each of those operations. Examples of
- where you might want to use this are:
-
-
-
- 'Ping' nodes with heartbeat.
-
-
-
- LDAP server(s) if you use LDAP Authentication
-
-
-
- NFS Server if you have an NFS-mounted root
- filesystem.
-
-
-
-
-
notrack