diff --git a/Shorewall-docs2/Actions.xml b/Shorewall-docs2/Actions.xml
index 45df30d87..bf0bad2c8 100644
--- a/Shorewall-docs2/Actions.xml
+++ b/Shorewall-docs2/Actions.xml
@@ -15,7 +15,7 @@
- 2005-08-28
+ 2005-09-122005
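Review bot: the changed date line renders as `2005-09-122005`, i.e. the new pubdate 2005-09-12 run together with a copyright year, and the same pattern appears in the first hunk of every file in this patch. If the year is a separate element in the XML this is only a display artifact, but please confirm that the pubdate element itself is `2005-09-12` and that no year was pasted into it.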
@@ -221,6 +221,12 @@ Reject:REJECT #Common Action for REJECT policy
a log level. This will log to the ULOG target for routing to a
separate log through use of ulogd (http://www.gnumonks.org/projects/ulogd).
+
+ You may also use a macro in
+ your action provided that the macro's expansion only results in the
+ ACTIONs ACCEPT, DROP, REJECT, LOG, CONTINUE, or QUEUE. See
+ /usr/share/shorewall/Drop for an example of an
+ action that users macros extensively.
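Review bot: "an action that users macros extensively" should read "uses macros". The example file is also given as /usr/share/shorewall/Drop, but action files follow the action.ActionName convention used elsewhere in this page (action.template, action.Foo), so the path should presumably be /usr/share/shorewall/action.Drop; please check against the installed tree before merging.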
@@ -369,7 +375,7 @@ Reject:REJECT #Common Action for REJECT policy
might do something like:
#ACTION SOURCE DEST PROTO DEST PORT(S)
-LogAndAccept loc fw tcp 22
+LogAndAccept loc $FW tcp 22
@@ -399,7 +405,7 @@ bar:info
/etc/shorewall/rules:#ACTION SOURCE DEST PROTO DEST PORT(S)
-foo:debug fw net
+foo:debug $FW net
Logging in the invoke 'foo' action will be as if foo had been
defined as:
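Review bot: the unchanged context line "Logging in the invoke 'foo' action will be as if foo had been defined as:" has "invoke" for "invoked"; the same sentence recurs in the next hunk and in the matching hunks of User_defined_Actions.xml. Since this patch already touches every one of these example blocks, fix the wording in the same change rather than leaving it for a follow-up.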
@@ -424,7 +430,7 @@ bar:info
/etc/shorewall/rules:#ACTION SOURCE DEST PROTO DEST PORT(S)
-foo:debug! fw net
+foo:debug! $FW net
Logging in the invoke 'foo' action will be as if foo had been
defined as:
@@ -463,7 +469,7 @@ bar:debug
/etc/shorewall/rules:#ACTION SOURCE DEST
-acton:info:test fw net
+acton:info:test $FW net
Your /etc/shorewall/acton file will be run with:
diff --git a/Shorewall-docs2/Documentation.xml b/Shorewall-docs2/Documentation.xml
index 8f996a3f1..607ae897c 100644
--- a/Shorewall-docs2/Documentation.xml
+++ b/Shorewall-docs2/Documentation.xml
@@ -15,7 +15,7 @@
- 2005-09-08
+ 2005-09-122001-2005
@@ -1366,7 +1366,7 @@ loc loc REJECT info
/etc/shorewall/zones:#ZONE TYPE OPTION
-fw firewall
+$FW firewall
sam plain
net plain
loc plain
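Review bot: the zones-file change `-fw firewall` / `+$FW firewall` looks wrong and should be reverted. /etc/shorewall/zones is where the firewall zone's name is declared, and $FW is derived from that entry (the shorewall_setup_guide.xml hunk in this same patch says the name "is stored in the shell variable $FW when the /etc/shorewall/zones file is processed"), so writing `$FW` in the zones file names the zone with a variable that is itself set from this very line. Keep `fw firewall` here and use `$FW` only in policy, rules and the other files that refer to the zone, which is what every other hunk in the patch does.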
@@ -1434,7 +1434,7 @@ DNAT net loc:192.168.1.5 tcp www
#ACTION SOURCE DEST PROTO DEST PORT(S)
...
-DNAT sam fw tcp ssh
+DNAT sam $FW tcp ssh
DNAT net loc:192.168.1.3 tcp ssh
...
@@ -2046,7 +2046,7 @@ DNAT<4/min:8> net loc:192.168.1.3 tcp ssh#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
# PORT(S) DEST
REDIRECT loc 3128 tcp www - !206.124.146.177
-ACCEPT fw net tcp www
+ACCEPT $FW net tcp www
@@ -2166,7 +2166,7 @@ DNAT net loc:192.168.1.101-192.168.1.109 tcp 80
NONAT loc:192.168.1.4,192.168.1.199 \
net tcp www
REDIRECT loc 3128 tcp www -
-ACCEPT fw net tcp www
+ACCEPT $FW net tcp www
The reason that NONAT is used in the above example rather than
ACCEPT+ is that the example is assuming the usual ACCEPT loc->net
@@ -3244,16 +3244,6 @@ eth0 eth1 206.124.146.176
-
- FW
-
-
- This parameter specifies the name of the firewall zone. If not
- set or if set to an empty string, the value fw is
- assumed.
-
-
-
SUBSYSLOCK
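Review bot: deleting the FW parameter from the shorewall.conf reference leaves nothing in this file saying where the firewall zone's name now comes from, while the file's own examples switch to `$FW`. Add a sentence, or a cross-reference to the zones-file section, stating that the name is taken from the `firewall` entry in /etc/shorewall/zones and exposed as $FW, as the setup-guide hunk in this patch already does; a reader who looks for the FW option after upgrading should find that pointer here.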
@@ -4093,4 +4083,4 @@ eth1 -
-
\ No newline at end of file
+
diff --git a/Shorewall-docs2/IPSEC-2.6.xml b/Shorewall-docs2/IPSEC-2.6.xml
index d3fad836a..ccb4429d8 100644
--- a/Shorewall-docs2/IPSEC-2.6.xml
+++ b/Shorewall-docs2/IPSEC-2.6.xml
@@ -15,7 +15,7 @@
- 2005-09-03
+ 2005-09-122004
@@ -388,17 +388,6 @@ spdadd 134.28.54.2/32 206.162.148.9/32 any -P in ipsec esp/tunnel/134.28.54.2
The setkey.conf file on gateway B would be
similar.
-
- If you are running kernel 2.6.10 or later, then you need
- ipsec-tools (and racoon) 0.5 or later OR you need to add -P fwd rules (duplicate each -P in rule and replace the in with fwd) --
- as of this writing (2005-02028, the IPSEC HOWTO (http://www.ipsec-howto.org/x277.html)
- is inaccurate on this point.
-
-
A sample /etc/racoon/racoon.conf file using
X.509 certificates might look like:
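Review bot: the deleted paragraph about kernel 2.6.10 and later needing ipsec-tools/racoon 0.5 or additional `-P fwd` SPD rules is an operational caveat, not just history. If it is being dropped because the page now assumes a current ipsec-tools, say so in one sentence next to the setkey.conf example; otherwise readers still on older ipsec-tools lose the hint about duplicating the `-P in` rules as `fwd`. If the text is kept instead, fix its garbled date "2005-02028" to 2005-02-28.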
@@ -779,8 +768,8 @@ loc eth0:192.168.20.0/24
/etc/shorewall/policy:#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
-fw all ACCEPT
-loc fw ACCEPT
+$FW all ACCEPT
+loc $FW ACCEPT
net loc NONE
loc net NONE
net all DROP info
diff --git a/Shorewall-docs2/Introduction.xml b/Shorewall-docs2/Introduction.xml
index 01c467f11..86416faa1 100644
--- a/Shorewall-docs2/Introduction.xml
+++ b/Shorewall-docs2/Introduction.xml
@@ -13,7 +13,7 @@
Eastep
- 2005-08-30
+ 2005-09-122003-2005
@@ -132,11 +132,10 @@ dmz Demilitarized Zone
class="directory">/etc/shorewall/zones
file.
- Shorewall also recognizes the firewall system as its own zone - by
- default, the firewall itself is known as fw but that may be changed by
- setting the FW option in /etc/shorewall/shorewall.conf.
+ Note that Shorewall recognizes the firewall system as its own zone.
+ The name of the zone designating the firewall itself is stored in the
+ shell variable $FW which may be used throughout the
+ Shorewall configuration to refer to the firewall zone.Rules about what traffic to allow and what traffic to deny are
expressed in terms of zones.
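Review bot: the rewritten paragraph says the firewall zone's name is "stored in the shell variable $FW" but no longer says where that name is set; the old text pointed at the FW option in shorewall.conf, which this patch removes. State that the name comes from the `firewall` entry in /etc/shorewall/zones (as the setup-guide hunk in this patch does), since the introduction is where a new user will look for how to find or change it.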
@@ -207,7 +206,7 @@ all all REJECT infoIn the three-interface
sample, the line below is included but commented out. If you want your
firewall system to have full access to servers on the internet, uncomment
that line. #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
-fw net ACCEPT The above policy will:
+$FW net ACCEPT The above policy will:
Allow all connection requests from your local network to the
@@ -255,7 +254,7 @@ dmz eth2 detect
#ACTION SOURCE DEST PROTO DEST
# PORT(S)
-ACCEPT net fw tcp 22
+ACCEPT net $FW tcp 22
So although you have a policy of ignoring all connection attempts
from the net zone (from the internet), the above exception to that policy
diff --git a/Shorewall-docs2/Macros.xml b/Shorewall-docs2/Macros.xml
index 71d45d28a..c155cda1b 100644
--- a/Shorewall-docs2/Macros.xml
+++ b/Shorewall-docs2/Macros.xml
@@ -21,7 +21,7 @@
- 2005-08-22
+ 2005-09-122005
@@ -40,6 +40,13 @@
+
+ This article applies to Shorewall 3.0 and
+ later. If you are running a version of Shorewall earlier than Shorewall
+ 3.0.0 then please see the documentation for that
+ release.
+
+
What are Shorewall Macros?
@@ -47,8 +54,9 @@
series of one or more iptables rules. The symbolic name may appear in the
ACTION column of an /etc/shorewall/rules file
- entry in which case, the traffic matching that rules file entry will be
- passed to the series of iptables rules named by the action.
+ entry and in the TARGET column of an action in which case, the traffic
+ matching that rules file entry will be passed to the series of iptables
+ rules named by the macro.Macros can be thought of as templates. When a macro is invoked in an
/etc/shorewall/rules entry, it may be qualified by a
@@ -57,30 +65,22 @@
which each packet/rule match within the macro causes a log message to be
generated.
- There are three types of Shorewall macros:
+ There are two types of Shorewall macros:
- Built-in Macros. These macros are known by the Shorewall code
- itself. They are listed in the comments at the top of the file
- /usr/share/shorewall/actions.std.
-
-
-
- Standard Macros. These actions are released as part of
- Shorewall. They are listed in the file
- /usr/share/shorewall/actions.std and are defined
- in the corresponding macros.* files in Standard Macros. These macros are released as part of Shorewall.
+ They are defined in macros.* files in /usr/share/shorewall. Each
macros.* file has a comment at the beginning of
- the file that describes what the action does. As an example, here is
- the definition of the AllowSMB standard
+ the file that describes what the macro does. As an example, here is
+ the definition of the SMB standard
macro.#
# Shorewall 2.2 /usr/share/shorewall/macro.AllowSMB
#
-# Allow Microsoft SMB traffic. You need to invoke this action in
+# Allow Microsoft SMB traffic. You need to invoke this macro in
# both directions.
#
######################################################################################
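Review bot: the prose now says "here is the definition of the SMB standard macro", but the quoted file header two lines later still reads "# Shorewall 2.2 /usr/share/shorewall/macro.AllowSMB", and the admonition added above says this page applies to Shorewall 3.0 and later. Quote the actual macro.SMB header from the 3.0 tree (or at least update the name and version in the quoted text), and use one spelling of the version, "3.0" or "3.0.0", within the new admonition.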
@@ -100,126 +100,97 @@ PARAM - - tcp 135,139,445
User-defined Macros. These macros are created by end-users. They
- are listed in the file /etc/shorewall/actions and are defined in
- macros.* files in /etc/shorewall/actions or in another directory
- listed in your CONFIG_PATH (defined in /etc/shorewall/shorewall.conf).
-
- Common Actions
-
- Shorewall allows the association of a common
- action with policies. A separate common action may be
- associated with ACCEPT, DROP and REJECT policies. Common actions provide a
- way to invoke a set of common rules just before the policy is enforced.
- Common actions accomplish two goals:
-
-
-
- Relieve log congestion. Common actions typically include rules
- to silently drop or reject traffic that would otherwise be logged when
- the policy is enforced.
-
-
-
- Ensure correct operation. Common actions can also avoid common
- pitfalls like dropping connection requests on port TCP port 113. If
- these connections are dropped (rather than rejected) then you may
- encounter problems connecting to internet services that utilize the
- AUTH protocol of client authentication
- AUTH is actually pretty silly on today's internet but it's
- amazing how many servers still employ it.
- .
-
-
-
- Shorewall provides common actions for the REJECT and DROP policies.
- The common action for REJECT is named Reject and
- the common action for DROP is named Drop. These
- associations are made through two entries in
- /usr/share/shorewall/actions.std:
-
- Drop:DROP #Common Action for DROP policy
-Reject:REJECT #Common Action for REJECT policy
-
- These may be overridden by entries in your /etc/shorewall/actions
- file.
-
-
- Entries in the DROP and REJECT common actions ARE NOT THE CAUSE OF CONNECTION PROBLEMS.
- Remember — common actions are only invoked immediately before the packet
- is going to be dropped or rejected anyway!!!
-
-
-
Defining your own Macros
- To define a new action:
+ To define a new macro:
- Add a line to
- /etc/shorewall/actions that
- names your new action. Action names must be valid shell variable names
- ((must begin with a letter and be composed of letters, digits and
- underscore characters) as well as valid Netfilter chain names. If you
- intend to log from the action, the name must have a maximum of 11
- characters. It is recommended that the name you select for a new
- action begins with a capital letter; that way, the name won't conflict
- with a Shorewall-defined chain name.
-
- Beginning with Shorewall-2.0.0-Beta1, the name of the action may
- be optionally followed by a colon (:) and ACCEPT, DROP
- or REJECT. When this is done, the named action will become the
- common action for policies of type ACCEPT, DROP
- or REJECT respectively. The common action is applied immediately
- before the policy is enforced (before any logging is done under that
- policy) and is used mainly to suppress logging of uninteresting
- traffic which would otherwise clog your logs. The same policy name can
- appear in multiple actions; the last such action for each policy name
- is the one which Shorewall will use.
-
- Shorewall includes pre-defined actions for DROP and REJECT --
- see above.
+ Macro names must be valid shell variable names ((must begin with
+ a letter and be composed of letters, digits and underscore characters)
+ as well as valid Netfilter chain names.
- Once you have defined your new action name (ActionName), then
- copy /usr/share/shorewall/action.template to
- /etc/shorewall/action.ActionName (for example, if
- your new action name is Foo then copy
- /usr/share/shorewall/action.template to
- /etc/shorewall/action.Foo).
+ Copy /usr/share/shorewall/macro.template to
+ /etc/shorewall/macro.ActionName (for example, if
+ your new macro name is Foo then copy
+ /usr/share/shorewall/macro.template to
+ /etc/shorewall/macro.Foo).
- Now modify the new file to define the new action.
+ Now modify the new file to define the new macro.
- Columns in the action.template file are as follows:
+ Columns in the macro.template file are as follows:
- TARGET - Must be ACCEPT, DROP, REJECT, LOG, CONTINUE, QUEUE or
- <action> where
- <action> is a previously-defined action
- (that is, it must precede the action being defined in this file in
- your /etc/shorewall/actions file). These actions
- have the same meaning as they do in the
- /etc/shorewall/rules file (CONTINUE terminates
- processing of the current action and returns to the point where that
- action was invoked). The TARGET may optionally be followed by a colon
- (:) and a syslog log level (e.g, REJECT:info or
- ACCEPT:debugging). This causes the packet to be logged at the
- specified level. You may also specify ULOG (must be in upper case) as
- a log level. This will log to the ULOG target for routing to a
- separate log through use of ulogd (ACTION - ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,
+ LOG, QUEUE, PARAM or an action name.
+
+
+ ACCEPT - allow the connection request
+
+ ACCEPT+ - like ACCEPT but also excludes the connection from
+ any subsequent DNAT[-] or REDIRECT[-] rules.
+
+ NONAT - Excludes the connection from any subsequent DNAT[-]
+ or REDIRECT[-] rules but doesn't generate a rule to accept the
+ traffic.
+
+ DROP - ignore the request
+
+ REJECT - disallow the request and return an icmp unreachable
+ or an RST packet.
+
+ DNAT - Forward the request to another address (and
+ optionally another port).
+
+ DNAT- - Advanced users only. Like DNAT but only generates
+ the DNAT iptables rule and not the companion ACCEPT rule.
+
+ SAME - Similar to DNAT except that the port may not be
+ remapped and when multiple server addresses are listed, all requests
+ from a given remote system go to the same server.
+
+ SAME- - Advanced users only. Like SAME but only generates
+ the SAME iptables rule and not the companion ACCEPT rule.
+
+ REDIRECT - Redirect the request to a local port on the
+ firewall.
+
+ REDIRECT- - Advanced users only. Like REDIRET but only
+ generates the REDIRECT iptables rule and not the companion ACCEPT
+ rule.
+
+ CONTINUE - (For experts only). Do not process any of the
+ following rules for this (source zone,destination zone). If The
+ source and/or destination If the address falls into a zone defined
+ later in /etc/shorewall/zones, this connection request will be
+ passed to the rules defined for that (those) zone(s).
+
+ LOG - Simply log the packet and continue.
+
+ QUEUE - Queue the packet to a user-space application such as
+ ftwall (http://p2pwall.sf.net).
+
+
+ The ACTION may optionally be followed by ":" and a syslog log
+ level (e.g, REJECT:info or DNAT:debug). This causes the packet to be
+ logged at the specified level.
+
+ (http://www.gnumonks.org/projects/ulogd).
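Review bot: the new ACTION column description is internally inconsistent. The summary line lists "ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE, LOG, QUEUE, PARAM or an action name", but the item list that follows adds ACCEPT+, NONAT, SAME, SAME- and REDIRECT- and never describes PARAM, even though the SMB example earlier on the page depends on `PARAM - - tcp 135,139,445` and samba.xml in this same patch invokes it as `SMB/ACCEPT`; align the two lists and give PARAM its own item. The trailing context line `(http://www.gnumonks.org/projects/ulogd).` is left over from the deleted ULOG sentence and now dangles after "logged at the specified level."; either restore the ULOG/ulogd sentence or delete the URL. The context line "User-defined Macros. These macros are created by end-users. They" is left as a fragment because the lines after it were removed without replacement; finish it (for example "They are defined in macro.* files in /etc/shorewall", matching the macro.Foo path given below). Smaller points in the same hunk: `macro.ActionName` should read `macro.MacroName`; "REDIRET" should be "REDIRECT"; the CONTINUE item has a duplicated clause "If The source and/or destination If the address"; and "((must begin" has a doubled parenthesis.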
@@ -360,156 +331,77 @@ Reject:REJECT #Common Action for REJECT policy
Example:
- /etc/shorewall/actions:
-
- LogAndAccept/etc/shorewall/action.LogAndAccept LOG:info
+ /etc/shorewall/macro.LogAndAccept LOG:info
ACCEPT
- To use your action, in /etc/shorewall/rules you
+ To use your macro, in /etc/shorewall/rules you
might do something like:#ACTION SOURCE DEST PROTO DEST PORT(S)
-LogAndAccept loc fw tcp 22
+LogAndAccept loc $FW tcp 22
- Actions and Logging
+ Macros and Logging
- Prior to Shorewall 2.1.2, specifying a log level (and optionally a
- log tag) on a rule that specified a user-defined (or Shorewall-defined)
- action would log all traffic passed to the action. Beginning with
- Shorewall 2.1.2, specifying a log level in a rule that specifies a user-
- or Shorewall-defined action will cause each rule in the action to be
- logged with the specified level (and tag).
+ Specifying a log level in a rule that invokes a user- or
+ Shorewall-defined action will cause each rule in the macro to be logged
+ with the specified level (and tag).
- The extent to which logging of action rules occur is governed by the
+ The extent to which logging of macro rules occur is governed by the
following:
- When you invoke an action and specify a log level, only those
- rules in the action that have no log level will be changed to log at
+ When you invoke a macro and specify a log level, only those
+ rules in the macro that have no log level will be changed to log at
the level specified at the action invocation.Example:
- /etc/shorewall/action.foo
+ /etc/shorewall/macro.foo
- #TARGET SOURCE DEST PROTO DEST PORT(S)
+ #ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT - - tcp 22
bar:info/etc/shorewall/rules:#ACTION SOURCE DEST PROTO DEST PORT(S)
-foo:debug fw net
+foo:debug $FW net
- Logging in the invoke 'foo' action will be as if foo had been
+ Logging in the invokeD 'foo' macro will be as if foo had been
defined as:
- #TARGET SOURCE DEST PROTO DEST PORT(S)
+ #ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT:debug - - tcp 22
bar:infoIf you follow the log level with "!" then logging will be at
- that level for all rules recursively invoked by the action.
+ that level for all rules recursively invoked by the macro.Example:
- /etc/shorewall/action.foo
+ /etc/shorewall/macro.foo
- #TARGET SOURCE DEST PROTO DEST PORT(S)
+ #ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT - - tcp 22
bar:info/etc/shorewall/rules:#ACTION SOURCE DEST PROTO DEST PORT(S)
-foo:debug! fw net
+foo:debug! $FW net
- Logging in the invoke 'foo' action will be as if foo had been
+ Logging in the invoked 'foo' macro will be as if foo had been
defined as:
- #TARGET SOURCE DEST PROTO DEST PORT(S)
+ #ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT:debug - - tcp 22
bar:debug
-
- The change in Shorewall 2.1.2 has an effect on extension scripts
- used with user-defined actions. If you define an action 'acton' and you
- have an /etc/shorewall/acton script then when that
- script is invoked, the following three variables will be set for use by
- the script:
-
-
-
- $CHAIN = the name of the chain where your rules are to be
- placed. When logging is used on an action invocation, Shorewall
- creates a chain with a slightly different name from the action
- itself.
-
-
-
- $LEVEL = Log level. If empty, no logging was specified.
-
-
-
- $TAG = Log Tag.
-
-
-
- Example:
-
- /etc/shorewall/rules:
-
- #ACTION SOURCE DEST
-acton:info:test fw net
-
- Your /etc/shorewall/acton file will be run with:
-
-
-
- $CHAIN="%acton1"
-
-
-
- $LEVEL="info"
-
-
-
- $TAG="test"
-
-
-
- For an example of how to use these variables, see this article.
-
-
-
- Creating an Action using an Extension Script
-
- There may be cases where you wish to create a chain with rules that
- can't be constructed using the tools defined in the action.template. In
- that case, you can use an extension script.
- If you actually need an action to drop broadcast packets, use
- the dropBcast standard action rather than create
- one like this.
-
-
-
- An action to drop all broadcast packets
-
- /etc/shorewall/actionsDropBcasts
-
- /etc/shorewall/action.DropBcasts# This file is empty
-
- /etc/shorewall/DropBcastsrun_iptables -A DropBcasts -m pkttype --pkttype broadcast -j DROP
-
-
- For a richer example, see this
- article.
\ No newline at end of file
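Review bot: "Macros and Logging" still mixes terms. The new sentence says "a rule that invokes a user- or Shorewall-defined action will cause each rule in the macro to be logged", and the unchanged context below says "the level specified at the action invocation"; both should say macro now that the section is about macros. "invokeD" in the first example has a stray capital (the second example already reads "invoked"). Removing the $CHAIN/$LEVEL/$TAG extension-script material from this page is right, since it only applies to actions, but the page then has no pointer to where it lives; add a cross-reference to User_defined_Actions.xml, whose hunks in this patch still carry the `acton:info:test` example.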
diff --git a/Shorewall-docs2/PortKnocking.xml b/Shorewall-docs2/PortKnocking.xml
index 55b468b17..ae5ccf9ae 100644
--- a/Shorewall-docs2/PortKnocking.xml
+++ b/Shorewall-docs2/PortKnocking.xml
@@ -15,7 +15,7 @@
- 2005-06-26
+ 2005-09-122005
@@ -97,13 +97,13 @@ run_iptables -A $CHAIN -p tcp --dport 1601 -m recent --nam
/etc/shorewall/rules:#ACTION SOURCE DEST PROTO DEST PORT(S)
-SSHKnock net fw tcp 22,1599,1600,1601
+SSHKnock net $FW tcp 22,1599,1600,1601
If you want to log the DROPs and ACCEPTs done by SSHKnock, you
can just add a log level as in:#ACTION SOURCE DEST PROTO DEST PORT(S)
-SSHKnock:info net fw tcp 22,1599,1600,1601
+SSHKnock:info net $FW tcp 22,1599,1600,1601
@@ -115,7 +115,7 @@ SSHKnock:info net fw tcp 22,1599,1600,1601<
#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
# PORT(S) DEST
DNAT- net loc:192.168.1.5 tcp 22 - 206.124.146.178
-SSHKnock net fw tcp 1599,1600,1601
+SSHKnock net $FW tcp 1599,1600,1601
SSHKnock net loc:192.168.1.5 tcp 22 - 206.124.146.178
diff --git a/Shorewall-docs2/Shorewall_Squid_Usage.xml b/Shorewall-docs2/Shorewall_Squid_Usage.xml
index acbf1ecbf..dddd66a7c 100644
--- a/Shorewall-docs2/Shorewall_Squid_Usage.xml
+++ b/Shorewall-docs2/Shorewall_Squid_Usage.xml
@@ -15,7 +15,7 @@
- 2005-06-01
+ 2005-09-122003-2005
@@ -150,7 +150,7 @@
#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
# PORT(S) DEST
REDIRECT loc 3128 tcp www - !206.124.146.177
-ACCEPT fw net tcp www
+ACCEPT $FW net tcp www
There may be a requirement to exclude additional destination hosts
or networks from being redirected. For example, you might also want
@@ -218,7 +218,7 @@ fi
Add this entry to your /etc/shorewall/providers file.#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS
-Squid 1 202 - eth1 192.168.1.3 -
+Squid 1 202 - eth1 192.168.1.3 loose
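Review bot: the providers entry changes OPTIONS from `-` to `loose`, but the surrounding text ("Add this entry to your /etc/shorewall/providers file.") is unchanged, so the reader is not told why `loose` is needed for the Squid routing setup or what it changes. Add a sentence explaining the option, and if this alters behaviour for existing configurations that copied the old entry, note it in the changelog.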
@@ -308,8 +308,8 @@ ACCEPT SZ net tcp 80,443
loc zone:
/etc/shorewall/rules:#ACTION SOURCE DEST PROTO DEST PORT(S)
-ACCEPT loc fw tcp 8080
-ACCEPT fw net tcp 80,443
+ACCEPT loc $FW tcp 8080
+ACCEPT $FW net tcp 80,443
-
\ No newline at end of file
+
diff --git a/Shorewall-docs2/Shorewall_and_Kazaa.xml b/Shorewall-docs2/Shorewall_and_Kazaa.xml
index c4d1e509a..a2a1657ae 100644
--- a/Shorewall-docs2/Shorewall_and_Kazaa.xml
+++ b/Shorewall-docs2/Shorewall_and_Kazaa.xml
@@ -15,7 +15,7 @@
- 2005-09-03
+ 2005-09-122003-2005
@@ -56,7 +56,7 @@
#ACTION SOURCE DEST PROTO
QUEUE loc net tcp
QUEUE loc net udp
- QUEUE loc fw udp
+ QUEUE loc $FW udp
Now simply configure ftwall as described in the ftwall documentation
and restart Shorewall.
diff --git a/Shorewall-docs2/UPnP.xml b/Shorewall-docs2/UPnP.xml
index 07238ca4e..e33434fc0 100644
--- a/Shorewall-docs2/UPnP.xml
+++ b/Shorewall-docs2/UPnP.xml
@@ -15,7 +15,7 @@
- 2005-05-16
+ 2005-09-122005
@@ -109,7 +109,7 @@ net eth1 detect dhcp,routefilter,norfc1918,tcpflags,#ACTION SOURCE DEST
-allowoutUPnP fw loc
+allowoutUPnP $FW loc
To use 'allowoutUPnP', your iptables and kernel must support the
@@ -121,7 +121,7 @@ allowoutUPnP fw loc
rule:#ACTION SOURCE DEST
-allowinUPnP loc fw
+allowinUPnP loc $FW
You MUST have this rule:
diff --git a/Shorewall-docs2/User_defined_Actions.xml b/Shorewall-docs2/User_defined_Actions.xml
index 9b1c8c059..26d414571 100755
--- a/Shorewall-docs2/User_defined_Actions.xml
+++ b/Shorewall-docs2/User_defined_Actions.xml
@@ -15,7 +15,7 @@
- 2005-01-14
+ 2005-09-122003
@@ -257,7 +257,7 @@
might do something like:
#ACTION SOURCE DEST PROTO DEST PORT(S)
-LogAndAccept loc fw tcp 22
+LogAndAccept loc $FW tcp 22
Prior to Shorewall 2.1.2, specifying a log level (and optionally a
log tag) on a rule that specified a user-defined (or Shorewall-defined)
@@ -286,7 +286,7 @@ bar:info
/etc/shorewall/rules:#ACTION SOURCE DEST PROTO DEST PORT(S)
-foo:debug fw net
+foo:debug $FW net
Logging in the invoke 'foo' action will be as if foo had been
defined as:
@@ -311,7 +311,7 @@ bar:info
/etc/shorewall/rules:#ACTION SOURCE DEST PROTO DEST PORT(S)
-foo:debug! fw net
+foo:debug! $FW net
Logging in the invoke 'foo' action will be as if foo had been
defined as:
@@ -350,7 +350,7 @@ bar:debug
/etc/shorewall/rules:#ACTION SOURCE DEST
-acton:info:test fw net
+acton:info:test $FW net
Your /etc/shorewall/acton file will be run with:
@@ -383,7 +383,7 @@ acton:info:test fw net
your firewall. In /etc/shorewall/rules:#ACTION SOURCE DEST PROTO ...
-AllowFTP loc fw
+AllowFTP loc $FW
/usr/share/shorewall/actions.std is processed
diff --git a/Shorewall-docs2/configuration_file_basics.xml b/Shorewall-docs2/configuration_file_basics.xml
index b9246e399..b41e5016b 100644
--- a/Shorewall-docs2/configuration_file_basics.xml
+++ b/Shorewall-docs2/configuration_file_basics.xml
@@ -15,7 +15,7 @@
- 2005-08-28
+ 2005-09-122001-2005
@@ -230,7 +230,7 @@
Comments in a Configuration File# This is a comment
-ACCEPT net fw tcp www #This is an end-of-line comment
+ACCEPT net $FW tcp www #This is an end-of-line comment
@@ -244,7 +244,7 @@ ACCEPT net fw tcp www #This is an end-of-line comment
Line Continuation
- ACCEPT net fw tcp \
+ ACCEPT net $FW tcp \
smtp,www,pop3,imap #Services running on the firewall
diff --git a/Shorewall-docs2/ipsets.xml b/Shorewall-docs2/ipsets.xml
index 903e9c57c..d5cb39f3f 100644
--- a/Shorewall-docs2/ipsets.xml
+++ b/Shorewall-docs2/ipsets.xml
@@ -15,7 +15,7 @@
- 2005-07-27
+ 2005-09-122005
@@ -112,7 +112,7 @@
Example 2: Allow SSH from all hosts in an ipset named "sshok:/etc/shorewall/rules#ACTION SOURCE DEST PROTO DEST PORT(S)
-ACCEPT +sshok fw tcp 22
+ACCEPT +sshok $FW tcp 22Shorewall can automatically manage the contents of your ipsets for
you. If you specify SAVE_IPSETS=Yes in /etc/shorewall/shorewall.conf then
diff --git a/Shorewall-docs2/myfiles.xml b/Shorewall-docs2/myfiles.xml
index b10645f62..0f633953f 100644
--- a/Shorewall-docs2/myfiles.xml
+++ b/Shorewall-docs2/myfiles.xml
@@ -15,7 +15,7 @@
- 2005-04-15
+ 2005-09-122001-2005
@@ -333,7 +333,7 @@ $WIFI_IF 192.168.3.0/24
#SOURCE DESTINATION POLICY LOG LEVEL BURST:LIMIT
-fw fw ACCEPT
+$FW $FW ACCEPT
loc net ACCEPT
$FW vpn ACCEPT
vpn net ACCEPT
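Review bot: the policy header in this hunk reads "LOG LEVEL BURST:LIMIT", while the other policy examples in this same file (and the IPSEC and Introduction hunks) use "LIMIT:BURST". Since the hunk is editing this block anyway, fix the header so the column name matches the documented syntax; this file also previously mixed `fw` and `$FW` on adjacent lines, so the switch to `$FW` throughout is a welcome cleanup.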
@@ -342,14 +342,14 @@ sec vpn ACCEPT
vpn sec ACCEPT
sec loc ACCEPT
loc sec ACCEPT
-fw sec ACCEPT
+$FW sec ACCEPT
sec net ACCEPT
Wifi sec NONE
sec Wifi NONE
-fw Wifi ACCEPT
+$FW Wifi ACCEPT
loc vpn ACCEPT
$FW loc ACCEPT
-loc fw REJECT $LOG
+loc $FW REJECT $LOG
net all DROP $LOG 10/sec:40
all all REJECT $LOG
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
@@ -514,23 +514,23 @@ REDIRECT sec 3128 tcp
#####
# Local Network to Firewall
#
-DROP loc:!192.168.0.0/22 fw # Silently drop traffic with an HP source IP from my XP box
-ACCEPT loc fw tcp ssh,time,631,8080
-ACCEPT loc fw udp 161,ntp,631
-DROP loc fw tcp 3185 #SuSE Meta pppd
+DROP loc:!192.168.0.0/22 $FW # Silently drop traffic with an HP source IP from my XP box
+ACCEPT loc $FW tcp ssh,time,631,8080
+ACCEPT loc $FW udp 161,ntp,631
+DROP loc $FW tcp 3185 #SuSE Meta pppd
##########################################################################################################################################################################
#####
# Secure wireless to Firewall
#
-ACCEPT sec fw tcp ssh,time,631,8080
-ACCEPT sec fw udp 161,ntp,631
-DROP sec fw tcp 3185 #SuSE Meta pppd
+ACCEPT sec $FW tcp ssh,time,631,8080
+ACCEPT sec $FW udp 161,ntp,631
+DROP sec $FW tcp 3185 #SuSE Meta pppd
##########################################################################################################################################################################
#####
# Roadwarriors to Firewall
#
-ACCEPT vpn fw tcp ssh,time,631,8080
-ACCEPT vpn fw udp 161,ntp,631
+ACCEPT vpn $FW tcp ssh,time,631,8080
+ACCEPT vpn $FW udp 161,ntp,631
##########################################################################################################################################################################
#####
# Local Network to DMZ
@@ -561,7 +561,7 @@ ACCEPT vpn dmz tcp
#####
# Internet to ALL -- drop NewNotSyn packets
#
-dropNotSyn net fw tcp
+dropNotSyn net $FW tcp
dropNotSyn net loc tcp
dropNotSyn net dmz tcp
@@ -632,10 +632,10 @@ ACCEPT:$LOG dmz net tcp
#####
# DMZ to Firewall -- ntp & snmp, Silently reject Auth
#
-ACCEPT dmz fw udp ntp ntp
-ACCEPT dmz fw tcp 161,ssh
-ACCEPT dmz fw udp 161
-REJECT dmz fw tcp auth
+ACCEPT dmz $FW udp ntp ntp
+ACCEPT dmz $FW tcp 161,ssh
+ACCEPT dmz $FW udp 161
+REJECT dmz $FW tcp auth
##########################################################################################################################################################################
#####
# DMZ to Local Network
@@ -647,29 +647,29 @@ ACCEPT dmz:206.124.146.177 loc:192.168.1.5 udp
#####
# Internet to Firewall
#
-REJECT net fw tcp www,ftp,https
+REJECT net $FW tcp www,ftp,https
ACCEPT net dmz udp 33434:33454
-ACCEPT net:$OMAK fw udp ntp
-ACCEPT net:$OMAK fw tcp 22 #SSH from Omak
+ACCEPT net:$OMAK $FW udp ntp
+ACCEPT net:$OMAK $FW tcp 22 #SSH from Omak
##########################################################################################################################################################################
#####
# Firewall to Internet
#
-ACCEPT fw net:$NTPSERVERS udp ntp ntp
-#ACCEPT fw net:$POPSERVERS tcp pop3
-ACCEPT fw net udp domain
-ACCEPT fw net tcp domain,www,https,ssh,1723,whois,1863,ftp,2702,2703,7
-ACCEPT fw net udp 33435:33535
-ACCEPT fw net icmp
-REJECT:$LOG fw net udp 1025:1031
-DROP fw net udp ntp
+ACCEPT $FW net:$NTPSERVERS udp ntp ntp
+#ACCEPT $FW net:$POPSERVERS tcp pop3
+ACCEPT $FW net udp domain
+ACCEPT $FW net tcp domain,www,https,ssh,1723,whois,1863,ftp,2702,2703,7
+ACCEPT $FW net udp 33435:33535
+ACCEPT $FW net icmp
+REJECT:$LOG $FW net udp 1025:1031
+DROP $FW net udp ntp
##########################################################################################################################################################################
#####
# Firewall to DMZ
#
-ACCEPT fw dmz tcp www,ftp,ssh,smtp,993,465
-ACCEPT fw dmz udp domain
-REJECT fw dmz udp 137:139
+ACCEPT $FW dmz tcp www,ftp,ssh,smtp,993,465
+ACCEPT $FW dmz udp domain
+REJECT $FW dmz udp 137:139
##########################################################################################################################################################################
#####
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
@@ -883,9 +883,9 @@ net Net Internet
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
-fw net ACCEPT
-fw home ACCEPT
-home fw ACCEPT
+$FW net ACCEPT
+$FW home ACCEPT
+home $FW ACCEPT
net home NONE
home net NONE
net all DROP info
@@ -932,9 +932,9 @@ home eth0:0.0.0.0/0
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
-ACCEPT net fw icmp 8
-ACCEPT net fw tcp 22
-ACCEPT net fw tcp 4000:4100
+ACCEPT net $FW icmp 8
+ACCEPT net $FW tcp 22
+ACCEPT net $FW tcp 4000:4100
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
@@ -1021,9 +1021,9 @@ net Net Internet
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
-fw net ACCEPT
-fw home ACCEPT
-home fw ACCEPT
+$FW net ACCEPT
+$FW home ACCEPT
+home $FW ACCEPT
net home NONE
home net NONE
net all DROP info
@@ -1050,9 +1050,9 @@ home tun0 -
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
-ACCEPT net fw icmp 8
-ACCEPT net fw tcp 22
-ACCEPT net fw tcp 4000:4100
+ACCEPT net $FW icmp 8
+ACCEPT net $FW tcp 22
+ACCEPT net $FW tcp 4000:4100
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-docs2/ping.xml b/Shorewall-docs2/ping.xml
index efd02ea10..d03067f35 100644
--- a/Shorewall-docs2/ping.xml
+++ b/Shorewall-docs2/ping.xml
@@ -13,7 +13,7 @@
- 2005-08-31
+ 2005-09-122001-2005
@@ -64,7 +64,7 @@ Ping/ACCEPT z1 z2To permit ping from the local zone to the firewall:#ACTION SOURCE DEST PROTO DEST PORT(S)
-Ping/ACCEPT loc fw
+Ping/ACCEPT loc $FW
If you would like to accept ping by default even when
@@ -89,7 +89,7 @@ Ping/DROP z1 z2
/etc/shorewall/rules:#ACTION SOURCE DEST PROTO DEST PORT(S)
-Ping/DROP net fw
+Ping/DROP net $FW
Note that the above rule may be used without changing the action
diff --git a/Shorewall-docs2/samba.xml b/Shorewall-docs2/samba.xml
index abe4b265d..bbc15f8ce 100644
--- a/Shorewall-docs2/samba.xml
+++ b/Shorewall-docs2/samba.xml
@@ -15,7 +15,7 @@
- 2005-08-31
+ 2005-09-122002
@@ -43,8 +43,8 @@
#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE
# PORT(S)
-SMB/ACCEPT fw loc
-SMB/ACCEPT loc fw
+SMB/ACCEPT $FW loc
+SMB/ACCEPT loc $FW
To pass traffic SMB/Samba traffic between zones Z1 and Z2:
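Review bot: the context line "To pass traffic SMB/Samba traffic between zones Z1 and Z2:" has a duplicated "traffic"; worth fixing while this example is being touched.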
diff --git a/Shorewall-docs2/shorewall_logging.xml b/Shorewall-docs2/shorewall_logging.xml
index beb253010..001699dab 100644
--- a/Shorewall-docs2/shorewall_logging.xml
+++ b/Shorewall-docs2/shorewall_logging.xml
@@ -15,7 +15,7 @@
- 2005-03-04
+ 2005-09-122001 - 2005
@@ -68,7 +68,7 @@
The packet matches a rule in /etc/shorewall/rules. By
including a syslog level (see below) in the ACTION column of a rule
- (e.g., ACCEPT:info net fw tcp
+ (e.g., ACCEPT:info net $FW tcp
22), the connection attempt will be logged at that
level.
@@ -231,7 +231,7 @@ rules:REJECT:$LOG loc net
rules:REJECT:$LOG loc net udp 1025:1031
rules:REJECT:$LOG dmz net udp 1025:1031
rules:ACCEPT:$LOG dmz net tcp 1024: 20
-rules:REJECT:$LOG fw net udp 1025:1031
+rules:REJECT:$LOG $FW net udp 1025:1031
shorewall.conf:LOGFILE=/var/log/shorewall
shorewall.conf:LOGUNCLEAN=$LOG
shorewall.conf:LOGNEWNOTSYN=$LOG
diff --git a/Shorewall-docs2/shorewall_setup_guide.xml b/Shorewall-docs2/shorewall_setup_guide.xml
index e50a0e781..52077c906 100644
--- a/Shorewall-docs2/shorewall_setup_guide.xml
+++ b/Shorewall-docs2/shorewall_setup_guide.xml
@@ -15,7 +15,7 @@
- 2005-09-04
+ 2005-09-122001-2005
@@ -145,7 +145,7 @@
net
- The public Internet.
+ The public Internet.
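Review bot: the removed and added lines ("The public Internet.") are identical in the visible text, so this hunk is whitespace-only; leaving it out of a change whose purpose is replacing fw with $FW keeps the diff focused on what reviewers need to check.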
@@ -184,8 +184,10 @@ dmz plain
Note that Shorewall recognizes the firewall system as its own zone -
The above example follows the usual convention of naming the Firewall zone
- fw. In this guide, the name fw will be used. With the exception of the name
+ fw. The name specified for the firewall
+ zone (fw in the above example) is stored
+ in the shell variable $FW when the
+ /etc/shorewall/zones file is processed. With the exception of the name
assigned to the firewall zone, Shorewall attaches absolutely no meaning to
zone names. Zones are entirely what YOU make of them. That means that you
should not expect Shorewall to do something special because this is
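Review bot: the retained sentence "With the exception of the name assigned to the firewall zone, Shorewall attaches absolutely no meaning to zone names" no longer fits the new text, which says the firewall zone's name is whatever the user specifies and is merely stored in $FW. The standalone.xml and three-interface.xml hunks in this same change declare the firewall zone through the TYPE column ("fw firewall"), so the special treatment attaches to the zone of type firewall, not to its name; suggest "Apart from the zone declared with type firewall, Shorewall attaches absolutely no meaning to zone names."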
@@ -418,7 +420,7 @@ net eth0 detect rfc1918
loc eth1 detect
dmz eth2 detect
- Note that the fw zone has no entry
+ Note that the $FW zone has no entry
in the /etc/shorewall/interfaces file.
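Review bot: "the $FW zone" reads as though $FW were the zone's name, whereas the @@ -184 hunk above defines $FW as the shell variable holding that name. Suggest "Note that the firewall zone ($FW) has no entry in the /etc/shorewall/interfaces file."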
@@ -1698,7 +1700,7 @@ ACCEPT net loc:192.168.201.4 tcp www
Shorewall has a macro facility
that includes macros for many standard applications. This section does
- not use those macros but rather defines the rules directly.
+ not use those macros but rather defines the rules directly.
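Review bot: the removed and added lines ("not use those macros but rather defines the rules directly.") are identical in the visible text, so this hunk is whitespace-only and could be dropped from the change.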
@@ -1738,7 +1740,7 @@ ACCEPT loc dmz:192.0.2.178 tcp smtp #Mail from local
#Network
ACCEPT loc dmz:192.0.2.178 tcp pop3 #Pop3 from local
#Network
-ACCEPT fw dmz:192.0.2.178 tcp smtp #Mail from the
+ACCEPT $FW dmz:192.0.2.178 tcp smtp #Mail from the
#Firewall
ACCEPT dmz:192.0.2.178 net tcp smtp #Mail to the
#Internet
@@ -1763,9 +1765,9 @@ ACCEPT loc dmz:192.0.2.177 udp domain #UDP DNS from
#Local Network
ACCEPT loc dmz:192.0.2.177 tcp domain #TCP DNS from
#Local Network
-ACCEPT fw dmz:192.0.2.177 udp domain #UDP DNS from
+ACCEPT $FW dmz:192.0.2.177 udp domain #UDP DNS from
#the Firewall
-ACCEPT fw dmz:192.0.2.177 tcp domain #TCP DNS from
+ACCEPT $FW dmz:192.0.2.177 tcp domain #TCP DNS from
#the Firewall
ACCEPT dmz:192.0.2.177 net udp domain #UDP DNS to
#the Internet
@@ -1780,7 +1782,7 @@ ACCEPT dmz:192.0.2.177 net tcp domain #TCPP DNS to
#ACTION SOURCE DEST PROTO DEST COMMENTS
# PORT(S)
ACCEPT loc dmz tcp ssh #SSH to the DMZ
-ACCEPT net fw tcp ssh #SSH to the
+ACCEPT net $FW tcp ssh #SSH to the
#Firewall
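Review bot: the hunk header context "ACCEPT dmz:192.0.2.177 net tcp domain #TCPP DNS to" carries a typo ("TCPP" for "TCP"); it is just outside the changed lines but in the same listing, and it recurs as context in the @@ -1879 hunk below, so fix both occurrences while the listing is being edited.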
@@ -1860,7 +1862,7 @@ ACCEPT loc dmz:192.0.2.178 tcp smtp #Mail from local
#Network
ACCEPT loc dmz:192.0.2.178 tcp pop3 #Pop3 from local
#Network
-ACCEPT fw dmz:192.0.2.178 tcp smtp #Mail from the
+ACCEPT $FW dmz:192.0.2.178 tcp smtp #Mail from the
#Firewall
ACCEPT dmz:192.0.2.178 net tcp smtp #Mail to the
#Internet
@@ -1879,16 +1881,16 @@ ACCEPT loc dmz:192.0.2.177 udp domain #UDP DNS from
#Local Network
ACCEPT loc dmz:192.0.2.177 tcp domain #TCP DNS from
#Local Network
-ACCEPT fw dmz:192.0.2.177 udp domain #UDP DNS from
+ACCEPT $FW dmz:192.0.2.177 udp domain #UDP DNS from
#the Firewall
-ACCEPT fw dmz:192.0.2.177 tcp domain #TCP DNS from
+ACCEPT $FW dmz:192.0.2.177 tcp domain #TCP DNS from
#the Firewall
ACCEPT dmz:192.0.2.177 net udp domain #UDP DNS to
#the Internet
ACCEPT dmz:192.0.2.177 net tcp domain #TCPP DNS to
#the Internet
ACCEPT loc dmz tcp ssh #SSH to the DMZ
-ACCEPT net fw tcp ssh #SSH to the
+ACCEPT net $FW tcp ssh #SSH to the
#Firewall
@@ -2339,7 +2341,7 @@ foobar.net. 86400 IN A 192.0.2.177
external IP address does not mean that the request will be associated
with the external interface or the net zone. Any
traffic that you generate from the local network will be associated
- with your local interface and will be treated as loc->fw
+ with your local interface and will be treated as loc->$FW
traffic.
diff --git a/Shorewall-docs2/standalone.xml b/Shorewall-docs2/standalone.xml
index 0765057be..f8ba4ca0c 100644
--- a/Shorewall-docs2/standalone.xml
+++ b/Shorewall-docs2/standalone.xml
@@ -15,7 +15,7 @@
- 2005-07-12
+ 2005-09-122002-2005
@@ -164,18 +164,21 @@
Shorewall views the network where it is running as being composed of
a set of zones. In the one-interface sample
- configuration, only one zone is defined:
+ configuration, only two zones are defined:
- #ZONE IPSEC OPTIONS IN OUT
-# ONLY OPTIONS OPTIONS
-net
+ #ZONE TYPE OPTIONS IN OUT
+# OPTIONS OPTIONS
+fw firewall
+net plainShorewall zones are defined in /etc/shorewall/zones.
- Shorewall also recognizes the firewall system as its own zone - by
- default, the firewall itself is known as fw.
+ Note that Shorewall recognizes the firewall system as its own zone.
+ The name of the firewall zone (fw in the
+ above example) is stored in the shell variable $FW
+ which may be used throughout the rest of the Shorewall configuration to
+ refer to the firewall itself.Rules about what traffic to allow and what traffic to deny are
expressed in terms of zones.
@@ -210,7 +213,7 @@ net
the one-interface sample has the following policies:
#SOURCE ZONE DESTINATION ZONE POLICY LOG LEVEL LIMIT:BURST
-fw net ACCEPT
+$FW net ACCEPT
net all DROP info
all all REJECT info
@@ -319,15 +322,15 @@ all all REJECT info
rule in /etc/shorewall/rules is:
#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
-<action> net fw
+<action> net $FW
You want to run a Web Server and a IMAP Server on your firewall
system:
- #ACTION SOURCE DESTINATION PROTO DEST PORT(S)
-Web/ACCEPT net fw
-IMAP/ACCEPT net fw
+ #ACTION SOURCE DESTINATION PROTO DEST PORT(S)
+Web/ACCEPT net $FW
+IMAP/ACCEPT net $FWYou may also choose to code your rules directly without using the
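Review bot: the context line "You want to run a Web Server and a IMAP Server on your firewall system:" needs "an IMAP Server"; the same sentence appears again as context in the @@ -337 hunk that follows, so both copies should be corrected in this pass since both hunks edit that example.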
@@ -337,15 +340,15 @@ IMAP/ACCEPT net fw
is:#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
-ACCEPT net fw <protocol><port>
+ACCEPT net $FW <protocol><port>You want to run a Web Server and a IMAP Server on your firewall
system:#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
-ACCEPT net fw tcp 80
-ACCEPT net fw tcp 143
+ACCEPT net $FW tcp 80
+ACCEPT net $FW tcp 143
If you don't know what port and protocol a particular application
@@ -356,8 +359,8 @@ ACCEPT net fw tcp 143
uses clear text (even for login!). If you want shell access to your
firewall from the internet, use SSH:
- #ACTION SOURCE DESTINATION PROTO DEST PORT(S)
-SSH/ACCEPT net fw
+ #ACTION SOURCE DESTINATION PROTO DEST PORT(S)
+SSH/ACCEPT net $FW
diff --git a/Shorewall-docs2/three-interface.xml b/Shorewall-docs2/three-interface.xml
index 71f1ea3e2..2aa4e1729 100755
--- a/Shorewall-docs2/three-interface.xml
+++ b/Shorewall-docs2/three-interface.xml
@@ -15,7 +15,7 @@
- 2005-09-07
+ 2005-09-122002-2005
@@ -202,15 +202,19 @@
a set of zones. In the three-interface sample configuration, the following
zone names are used:
- #ZONE IPSEC OPTIONS IN OUT
-# ONLY OPTIONS OPTIONS
-net
-loc
-dmzZone names are defined in
+ #ZONE TYPE OPTIONS IN OUT
+# OPTIONS OPTIONS
+fw firewall
+net plain
+loc plain
+dmz plainZone names are defined in
/etc/shorewall/zones.
- Shorewall also recognizes the firewall system as its own zone - by
- default, the firewall itself is known as fw.
+ Note that Shorewall recognizes the firewall system as its own zone.
+ When the /etc/shorewall/zones file is processed, he name of the firewall
+ zone is stored in the shell variable $FW which may
+ be used throughout the Shorewall configuration to refer to the firewall
+ zone.Rules about what traffic to allow and what traffic to deny are
expressed in terms of zones.
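Review bot: the added line "When the /etc/shorewall/zones file is processed, he name of the firewall" has a typo: "he name" should be "the name". The same paragraph is added to standalone.xml ("to refer to the firewall itself") and two-interface.xml ("to refer to the firewall zone") in this change with slightly different wording; settling on one phrasing for all three guides would avoid the texts drifting apart again.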
@@ -252,7 +256,7 @@ all all REJECT info
servers on the internet, uncomment that line.#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
-fw net ACCEPT
+$FW net ACCEPT
The above policy will:
@@ -721,12 +725,12 @@ DNAT loc dmz:10.10.11.2 tcp 80 - $ETH0_IP/etc/shorewall/rules.
If you run the name server on the firewall:
- #ACTION SOURCE DEST PROTO DEST PORT(S)
-DNS/ACCEPT loc fw
-DNS/ACCEPT dmz fw Run name server on DMZ
- computer 1: #ACTION SOURCE DEST PROTO DEST PORT(S)
+ #ACTION SOURCE DEST PROTO DEST PORT(S)
+DNS/ACCEPT loc $FW
+DNS/ACCEPT dmz $FW Run name server on DMZ
+ computer 1: #ACTION SOURCE DEST PROTO DEST PORT(S)
DNS/ACCEPT loc dmz:10.10.11.1
-DNS/ACCEPT fw dmz:10.10.11.1
+DNS/ACCEPT $FW dmz:10.10.11.1 In the rules shown above, AllowDNS is an example of a
defined action. Shorewall includes a number of
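Review bot: the context line "In the rules shown above, AllowDNS is an example of a defined action" is stale: the rules directly above use the DNS/ACCEPT macro, and no AllowDNS rule appears in them. The two-interface.xml hunk in this same change rewrites the equivalent sentence to "DNS/ACCEPT is an example of a macro invocation. Shorewall includes a number of macros (see /usr/share/shorewall/macro.*) and you can add your own."; apply the same rewrite here so the two guides agree.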
@@ -744,10 +748,10 @@ DNS/ACCEPT fw dmz:10.10.11.1
firewall) could also have been coded as follows:
#ACTION SOURCE DEST PROTO DEST PORT(S)
-ACCEPT loc fw tcp 53
-ACCEPT loc fw udp 53
-ACCEPT dmz fw tcp 53
-ACCEPT dmz fw udp 53
+ACCEPT loc $FW tcp 53
+ACCEPT loc $FW udp 53
+ACCEPT dmz $FW tcp 53
+ACCEPT dmz $FW udp 53
In cases where Shorewall doesn't include a defined action to meet
your needs, you can either define the action yourself or you can simply
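Review bot: the context "In cases where Shorewall doesn't include a defined action to meet your needs, you can either define the action yourself or you can simply" still describes the DNS/ACCEPT rules above as defined actions even though they are macro invocations; say "macro" here (the same leftover sentence also survives unchanged in the two-interface.xml @@ -695 hunk), so the guide uses one term for one construct.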
@@ -758,14 +762,14 @@ ACCEPT dmz fw udp 53 Other Connections
The three-interface sample includes the following rule:
- #ACTION SOURCE DEST PROTO DEST PORT(S)
-DNS/ACCEPT fw net That rule allow DNS access
+ #ACTION SOURCE DEST PROTO DEST PORT(S)
+DNS/ACCEPT $FW net That rule allow DNS access
from your firewall and may be removed if you commented out the line in
/etc/shorewall/policy allowing all connections from
the firewall to the Internet.
- The sample also includes: #ACTION SOURCE DEST PROTO DEST PORT(S)
-SSH/ACCEPT loc fw
+ The sample also includes: #ACTION SOURCE DEST PROTO DEST PORT(S)
+SSH/ACCEPT loc $FW
SSH/ACCEPT loc dmz Those rules allow you to run
an SSH server on your firewall and in each of your DMZ systems and to
connect to those servers from your local systems.
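Review bot: the added line "+DNS/ACCEPT $FW net That rule allow DNS access" carries a subject-verb error in the text that follows the rule: it should read "That rule allows DNS access".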
@@ -784,14 +788,14 @@ ACCEPT <source zone> <destination zone> <protocol&g
Using defined macros:
- #ACTION SOURCE DEST PROTO DEST PORT(S)
-DNS/ACCEPT net fw
+ #ACTION SOURCE DEST PROTO DEST PORT(S)
+DNS/ACCEPT net $FWNot using defined actions:#ACTION SOURCE DEST PROTO DEST PORT(S)
-ACCEPT net fw tcp 53
-ACCEPT net fw udp 53
+ACCEPT net $FW tcp 53
+ACCEPT net $FW udp 53 Those rules would of course be in addition to the rules listed
above under "If you run the name server on your firewall".
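Review bot: the two labels in this hunk, "Using defined macros:" and "Not using defined actions:", name the same contrast with different terms; the first listing is a macro invocation (DNS/ACCEPT) and the second is plain ACCEPT rules with explicit protocol and port, so the second label should be "Not using macros:".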
@@ -803,15 +807,15 @@ ACCEPT net fw udp 53
I don't recommend enabling telnet to/from the Internet because it
uses clear text (even for login!). If you want shell access to your
- firewall from the Internet, use SSH: #ACTION SOURCE DEST PROTO DEST PORT(S)
-SSH/ACCEPT net fw
+ firewall from the Internet, use SSH: #ACTION SOURCE DEST PROTO DEST PORT(S)
+SSH/ACCEPT net $FW Bering
users will want to add the following two rules to be compatible with
Jacques's Shorewall configuration: #ACTION SOURCE DEST PROTO DEST PORT(S)
-ACCEPT loc fw udp 53
-ACCEPT net fw tcp 80
+ACCEPT loc $FW udp 53
+ACCEPT net $FW tcp 80 Entry 1 allows the DNS Cache to be used.
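Review bot: the added rules "ACCEPT loc $FW udp 53" and "ACCEPT net $FW tcp 80" carry no inline comments, while the identical pair in the two-interface.xml @@ -748 hunk below is annotated "#Allow DNS Cache to work" and "#Allow Weblet to work"; add the same comments here, because the second rule opens a service on the firewall itself to the net zone and the surrounding text only explains entry 1, so a reader should be able to see from the listing which service that rule exposes.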
diff --git a/Shorewall-docs2/traffic_shaping.xml b/Shorewall-docs2/traffic_shaping.xml
index e80f194fc..d4f8048bd 100644
--- a/Shorewall-docs2/traffic_shaping.xml
+++ b/Shorewall-docs2/traffic_shaping.xml
@@ -15,7 +15,7 @@
- 2005-05-20
+ 2005-09-122001-2005
@@ -294,7 +294,7 @@
Examples eth0
192.168.2.4,192.168.1.0/24
- Beginning with Shorewall version 2.2.2, "$fw" may be optionally
+ Beginning with Shorewall version 2.2.2, "$FW" may be optionally
followed by a colon (":") and a host/net address or an address
range.
@@ -379,7 +379,7 @@
1 eth1 0.0.0.0/0 all
2 eth2 0.0.0.0/0 all
2 eth3 0.0.0.0/0 all
-3 fw 0.0.0.0/0 all
+3 $FW 0.0.0.0/0 all
diff --git a/Shorewall-docs2/two-interface.xml b/Shorewall-docs2/two-interface.xml
index 3983ce23f..b89053740 100644
--- a/Shorewall-docs2/two-interface.xml
+++ b/Shorewall-docs2/two-interface.xml
@@ -12,7 +12,7 @@
Eastep
- 2005-08-31
+ 2005-09-122002-
@@ -223,9 +223,10 @@ loc Zones are defined in the /etc/shorewall/zones
file.
- Shorewall also recognizes the firewall system as its own zone - by
- default, the firewall itself is known as fw.
+ Note that Shorewall recognizes the firewall system as its own zone -
+ when the /etc/shorewall/zones file is processed, the name of the firewall
+ zone is stored in the shell variable $FW which may be used to refer to the
+ firewall zone throughout the Shorewall configuration.Rules about what traffic to allow and what traffic to deny are
expressed in terms of zones.
@@ -265,7 +266,7 @@ all all REJECT info In the two-interface
sample, the line below is included but commented out. If you want your
firewall system to have full access to servers on the internet, uncomment
that line. #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
-fw net ACCEPT The above policy will:
+$FW net ACCEPT The above policy will:
Allow all connection requests from your local network to the
@@ -586,10 +587,10 @@ fw net ACCEPT The above policy will:
class="directory">/etc/shorewall/rules is:
#ACTION SOURCE DEST PROTO DEST PORT(S)
DNAT net loc:<server local ip address>[:<server port>] <protocol><port>Shorewall
- has macros for many popular applications. Look at
- /usr/share/shorewall/macro.* to see what is available in your release.
- Macros simplify creating DNAT rules by supplying the protocol and port(s)
- as shown in the following examples.
+ has macros for many popular applications.
+ Look at /usr/share/shorewall/macro.* to see what is available in your
+ release. Macros simplify creating DNAT rules by supplying the protocol and
+ port(s) as shown in the following examples.Web Server
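Review bot: the removed and added lines in this hunk contain the same sentences ("has macros for many popular applications. Look at /usr/share/shorewall/macro.* to see what is available in your release. Macros simplify creating DNAT rules by supplying the protocol and port(s) as shown in the following examples.") with only the line breaks moved; a reflow-only hunk adds review noise to a fw-to-$FW change and could be dropped.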
@@ -685,7 +686,7 @@ DNAT net loc:10.10.10.2:80 tcp 5000
in /etc/shorewall/rules.
#ACTION SOURCE DEST PROTO DEST PORT(S)
-DNS/ACCEPT loc fw
+DNS/ACCEPT loc $FW
@@ -695,48 +696,44 @@ DNS/ACCEPT loc fw
The two-interface sample includes the following rules:
#ACTION SOURCE DEST PROTO DEST PORT(S)
-DNS/ACCEPT fw netThis rule allows
+DNS/ACCEPT $FW netThis rule allows
DNS access from your firewall and may be removed if you
uncommented the line in /etc/shorewall/policy
allowing all connections from the firewall to the internet.In the rule shown above, DNS/ACCEPT is an example of
- a defined action. Shorewall includes a number of
- defined actions and you can add your
- own. To see the list of actions included with your version of
- Shorewall, look in the file
- /usr/share/shorewall/actions.std. Those actions that
- accept connection requests have names that begin with
- Allow.
+ a macro invocation. Shorewall includes a number of
+ macros (see /usr/share/shorewall/macro.*) and you can add your own.
You don't have to use defined macros when coding a rule in
/etc/shorewall/rules; Shorewall will start slightly
faster if you code your rules directly rather than using macros. The the
rule shown above could also have been coded as follows:#ACTION SOURCE DEST PROTO DEST PORT(S)
-ACCEPT fw net udp 53
-ACCEPT fw net tcp 53
+ACCEPT $FW net udp 53
+ACCEPT $FW net tcp 53
In cases where Shorewall doesn't include a defined action to meet
your needs, you can either define the action yourself or you can simply
code the appropriate rules directly.The sample also includes: #ACTION SOURCE DEST PROTO DEST PORT(S)
-SSH/ACCEPT loc fw That rule allows you to run an
+SSH/ACCEPT loc $FWThat rule allows you to run an
SSH server on your firewall and connect to that server
from your local systems.If you wish to enable other connections from your firewall to other
systems, the general format using a macro is: #ACTION SOURCE DEST PROTO DEST PORT(S)
-<macro>/ACCEPT fw <destination zone>The
+<macro>/ACCEPT $FW <destination zone>The
general format when not using defined actions is:#ACTION SOURCE DEST PROTO DEST PORT(S)
-ACCEPT fw <destination zone> <protocol> <port>
+ACCEPT $FW <destination zone> <protocol> <port>Web Server on FirewallYou want to run a Web Server on your firewall system:
#ACTION SOURCE DEST PROTO DEST PORT(S)
-Web/ACCEPT net fw
-Web/ACCEPT loc fw Those two rules would of course be
+Web/ACCEPT net $FW
+Web/ACCEPT loc $FWThose two rules would of course be
in addition to the rules listed above under You can configure a Caching Name Server on your
firewall.
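Review bot: two rules in this hunk lose the separation that the removed lines had before the sentence that follows them: "-SSH/ACCEPT loc fw That rule allows" becomes "+SSH/ACCEPT loc $FWThat rule allows", and "-Web/ACCEPT loc fw Those two rules" becomes "+Web/ACCEPT loc $FWThose two rules"; check that in the source the listing still closes before the paragraph text, otherwise "That" and "Those" will render as part of the rule. In the unchanged context of the same hunk, "The the rule shown above" doubles "the", and "In cases where Shorewall doesn't include a defined action" and "The general format when not using defined actions" still say "defined action" after the paragraph above was rewritten to call DNS/ACCEPT a macro invocation; "macro" should be used in both places.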
@@ -748,12 +745,12 @@ Web/ACCEPT loc fw Those two rules would of course be
SSH:#ACTION SOURCE DEST PROTO DEST PORT(S)
-SSH/ACCEPT net fw
+SSH/ACCEPT net $FW
Bering users will want to add the following two rules to be
compatible with Jacques's Shorewall configuration.#ACTION SOURCE DEST PROTO DEST PORT(S)
-ACCEPT loc fw udp 53 #Allow DNS Cache to work
-ACCEPT loc fw tcp 80 #Allow Weblet to work
+ACCEPT loc $FW udp 53 #Allow DNS Cache to work
+ACCEPT loc $FW tcp 80 #Allow Weblet to work
Now edit your