diff --git a/Shorewall-docs2/IPSEC-2.6.xml b/Shorewall-docs2/IPSEC-2.6.xml index e43b3c7e7..8aa999c20 100644 --- a/Shorewall-docs2/IPSEC-2.6.xml +++ b/Shorewall-docs2/IPSEC-2.6.xml @@ -15,7 +15,7 @@ - 2005-02-06 + 2005-02-08 2004 @@ -330,8 +330,11 @@ spdadd 134.28.54.2/32 206.162.148.9/32 any -P in ipsec esp/tunnel/134.28.54.2 If you are running kernel 2.6.10 or later, then you need - ipsec-tools (and racoon) 0.5 or later and you need to add -P fwd rules -- see -P fwd rules (duplicate each -P in rule and replace the in with fwd) -- + see http://www.ipsec-howto.org/x277.html. diff --git a/Shorewall-docs2/Install.xml b/Shorewall-docs2/Install.xml index 352f989ab..3997e6d40 100644 --- a/Shorewall-docs2/Install.xml +++ b/Shorewall-docs2/Install.xml @@ -15,7 +15,7 @@ - 2004-12-27 + 2005-02-05 2001 @@ -26,6 +26,8 @@ 2004 + 2005 + Thomas M. Eastep @@ -218,9 +220,11 @@ INIT="rc.firewall" To install my version of Shorewall on a fresh Bering disk, simply replace the shorwall.lrp file on the image with the file - that you downloaded. See the two-interface - QuickStart Guide for information about further steps - required. + that you downloaded. For example, if you download + shorewall-lrp-2.2.0.tgz then you will rename the file + to shorwall.lrp and replace the file by that name on + the Bering disk with the new file. Then proceed to configure Shorewall as + described in the Bering (or Bering uClibc) documentation.
diff --git a/Shorewall-docs2/MAC_Validation.xml b/Shorewall-docs2/MAC_Validation.xml index 1961520c2..c6c491412 100644 --- a/Shorewall-docs2/MAC_Validation.xml +++ b/Shorewall-docs2/MAC_Validation.xml @@ -15,10 +15,10 @@ - 2004-04-05 + 2005-02-08 - 2001-2004 + 2001-2005 Thomas M. Eastep @@ -29,13 +29,15 @@ 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled - GNU Free Documentation License. + GNU Free Documentation + License. All traffic from an interface or from a subnet on an interface can be verified to originate from a defined set of MAC addresses. Furthermore, each - MAC address may be optionally associated with one or more IP addresses. + MAC address may be optionally associated with one or more IP + addresses. MAC addresses are only visible within an @@ -49,6 +51,11 @@ (CONFIG_IP_NF_MATCH_MAC - module name ipt_mac.o). + + MAC verification is only applied to new + incoming connection requests. + +
Components @@ -57,16 +64,17 @@ The maclist interface option in - /etc/shorewall/interfaces. - When this option is specified, all traffic arriving on the interface - is subjet to MAC verification. + /etc/shorewall/interfaces. + When this option is specified, all new connection requests arriving on + the interface are subject to MAC verification. The maclist option in /etc/shorewall/hosts. When this - option is specified for a subnet, all traffic from that subnet is - subject to MAC verification. + option is specified for a subnet, all new connection requests from + that subnet are subject to MAC verification. @@ -83,8 +91,8 @@ and determines the disposition of connection requests that fail MAC verification. The MACLIST_LOG_LEVEL variable gives the syslogd level at which connection requests that fail verification are to be logged. - If set the the empty value (e.g., MACLIST_LOG_LEVEL="") then - failing connection requests are not logged. + If set the the empty value (e.g., MACLIST_LOG_LEVEL="") then failing + connection requests are not logged.
@@ -99,7 +107,8 @@ INTERFACE - The name of an ethernet interface on the Shorewall system. + The name of an ethernet interface on the Shorewall + system. @@ -109,7 +118,8 @@ The MAC address of a device on the ethernet segment connected by INTERFACE. It is not necessary to use the Shorewall MAC format in - this column although you may use that format if you so choose. + this column although you may use that format if you so + choose. @@ -155,11 +165,13 @@ eth3 00:0b:cd:C4:cc:97 192.168.3.8 #TIP As shown above, I use MAC Verification on my wireless zone. - While marketed as a wireless bridge, the WET11 behaves - like a wireless router with DHCP relay. When forwarding DHCP traffic, it - uses the MAC address of the host (TIPPER) but for other forwarded - traffic it uses it's own MAC address. Consequently, I list the IP - addresses of both devices in /etc/shorewall/maclist. + + While marketed as a wireless bridge, the WET11 behaves like a + wireless router with DHCP relay. When forwarding DHCP traffic, it + uses the MAC address of the host (TIPPER) but for other forwarded + traffic it uses it's own MAC address. Consequently, I list the IP + addresses of both devices in /etc/shorewall/maclist. + @@ -176,9 +188,9 @@ eth3 00:0b:cd:C4:cc:97 192.168.3.8 #TIP This entry accomodates traffic from the router itself (192.168.3.253) and from the second wireless segment (192.168.4.0/24). Remember that all traffic being sent to my firewall from the - 192.168.4.0/24 segment will be forwarded by the router so that - traffic's MAC address will be that of the router (00:06:43:45:C6:15) - and not that of the host sending the traffic. + 192.168.4.0/24 segment will be forwarded by the router so that traffic's + MAC address will be that of the router (00:06:43:45:C6:15) and not that + of the host sending the traffic.
\ No newline at end of file diff --git a/Shorewall-docs2/Shorewall_and_Aliased_Interfaces.xml b/Shorewall-docs2/Shorewall_and_Aliased_Interfaces.xml index f8805cd95..831c36b74 100644 --- a/Shorewall-docs2/Shorewall_and_Aliased_Interfaces.xml +++ b/Shorewall-docs2/Shorewall_and_Aliased_Interfaces.xml @@ -15,10 +15,10 @@ - 2004-07-10 + 2002-02-07 - 2001-2004 + 2001-2005 Thomas M. Eastep @@ -29,7 +29,8 @@ 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled - GNU Free Documentation License. + GNU Free Documentation + License. 
@@ -67,23 +68,27 @@ eth0:0 Link encap:Ethernet HWaddr 02:00:08:3:FA:55 ip [root@gateway root]# ip addr show dev eth0 -2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc htb qlen 100 +2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc htb qlen 100 link/ether 02:00:08:e3:fa:55 brd ff:ff:ff:ff:ff:ff inet 206.124.146.176/24 brd 206.124.146.255 scope global eth0 inet 206.124.146.178/24 brd 206.124.146.255 scope global secondary eth0:0 [root@gateway root]# - One cannot type - ip addr show dev eth0:0 because - eth0:0 is a label - for a particular address rather than a device name.[root@gateway root]# ip addr show dev eth0:0 -Device "eth0:0" does not exist. -[root@gateway root]# + + One cannot type + ip addr show dev eth0:0 because + eth0:0 is a + label for a particular address rather than a device name. + + [root@gateway root]# ip addr show dev eth0:0 +Device "eth0:0" does not exist. +[root@gateway root]# + - The iptables program doesn't support virtual interfaces in - either it's -i or -o command options; as - a consequence, Shorewall does not allow them to be used in the + The iptables program doesn't support virtual interfaces in either + it's -i or -o command options; as a + consequence, Shorewall does not allow them to be used in the /etc/shorewall/interfaces file or anywhere else except as described in the discussion below. @@ -92,8 +97,8 @@ Device "eth0:0" does not exist. Adding Addresses to Interfaces Most distributions have a facility for adding additional addresses - to interfaces. If you have already used your distribution's capability - to add your required addresses, you can skip this section. + to interfaces. If you have already used your distribution's capability to + add your required addresses, you can skip this section. Shorewall provides facilities for automatically adding addresses to interfaces as described in the following section. It is also easy to add 
@@ -124,7 +129,7 @@ esac So how do I handle more than one address on an interface? The answer depends on what you are trying to do with the interfaces. - In the sub-sections that follow, we'll take a look at common + In the sub-sections that follow, we'll take a look at common scenarios.
@@ -150,7 +155,7 @@ ACCEPT net $FW:206.124.146.178 tcp 22 zone at 192.168.1.3. That is accomplised by a single rule in the /etc/shorewall/rules file: - #ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL + #ACTION SOURCE DEST PROTO DEST POR------------------T(S) SOURCE ORIGINAL # PORT(S) DEST DNAT net loc:192.168.1.3 tcp 80 - 206.124.146.178
@@ -159,17 +164,19 @@ DNAT net loc:192.168.1.3 tcp 80 - 20 SNAT If you wanted to use eth0:0 as the IP address for outbound - connections from your local zone (eth1), then in /etc/shorewall/masq: + connections from your local zone (eth1), then in + /etc/shorewall/masq:
#INTERFACE SUBNET ADDRESS eth0 eth1 206.124.146.178 Shorewall can create the alias (additional address) for you if you - set ADD_SNAT_ALIASES=Yes in /etc/shorewall/shorewall.conf. - Beginning with Shorewall 1.3.14, Shorewall can actually create the - label (virtual interface) so that you can see the created - address using ifconfig. In addition to setting ADD_SNAT_ALIASES=Yes, you - specify the virtual interface name in the INTERFACE column as follows. + set ADD_SNAT_ALIASES=Yes in + /etc/shorewall/shorewall.conf. Beginning with + Shorewall 1.3.14, Shorewall can actually create the label + (virtual interface) so that you can see the created address using + ifconfig. In addition to setting ADD_SNAT_ALIASES=Yes, you specify the + virtual interface name in the INTERFACE column as follows. /etc/shorewall/masq#INTERFACE SUBNET ADDRESS eth0:0 eth1 206.124.146.178 @@ -195,7 +202,8 @@ eth0:2 = 206.124.146.180 If you wanted to use one-to-one NAT to link eth0:0 with local address 192.168.1.3, you - would have the following in /etc/shorewall/nat: + would have the following in + /etc/shorewall/nat: #EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL 206.124.146.178 eth0 192.168.1.3 no no @@ -210,9 +218,10 @@ eth0:2 = 206.124.146.180 /etc/shorewall/nat#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL 206.124.146.178 eth0:0 192.168.1.3 no no - In either case, to create rules in /etc/shorewall/rules - that pertain only to this NAT pair, you simply qualify the local zone - with the internal IP address. + In either case, to create rules in + /etc/shorewall/rules that pertain only to this NAT + pair, you simply qualify the local zone with the internal IP + address. You want to allow SSH from the net to 206.124.146.178 a.k.a. 
@@ -230,7 +239,7 @@ ACCEPT net loc:192.168.1.3 tcp 22</programlisting></para> multiple subnetworks configured on a LAN segment. This technique does not provide for any security between the subnetworks if the users of the systems have administrative privileges because in that case, the users - can simply manipulate their system's routing table to bypass your + can simply manipulate their system's routing table to bypass your firewall/router. Nevertheless, there are cases where you simply want to consider the LAN segment itself as a zone and allow your firewall/router to route between the two subnetworks.</para> diff --git a/Shorewall-docs2/images/Thumbs.db b/Shorewall-docs2/images/Thumbs.db index 4754d426f..8bef04e8c 100644 Binary files a/Shorewall-docs2/images/Thumbs.db and b/Shorewall-docs2/images/Thumbs.db differ diff --git a/Shorewall-docs2/myfiles.xml b/Shorewall-docs2/myfiles.xml index cc77a92a5..42b4012a5 100644 --- a/Shorewall-docs2/myfiles.xml +++ b/Shorewall-docs2/myfiles.xml @@ -15,7 +15,7 @@ </author> </authorgroup> - <pubdate>2005-02-06</pubdate> + <pubdate>2005-02-08</pubdate> <copyright> <year>2001-2005</year> @@ -250,7 +250,7 @@ loc $INT_IF detect dhcp dmz $DMZ_IF - - texas - vpn tun+ - -Wifi $WIFI_IF - maclist +Wifi $WIFI_IF - maclist,dhcp #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting> </blockquote> </section> @@ -496,6 +496,12 @@ DROP loc:!192.168.0.0/22 net # SQUID # REDIRECT loc 3128 tcp 80 +########################################################################################################################################################################## +##### +# Secure zone to Internet +# +# SQUID +# REDIRECT sec 3128 tcp 80 ########################################################################################################################################################################## ##### 
@@ -999,7 +1005,7 @@ ACCEPT net fw tcp 4000:4100 <blockquote> <programlisting>dev tun -remote ursa.shorewall.net +remote gateway.shorewall.net up /etc/openvpn/home.up tls-client diff --git a/Shorewall-docs2/shorewall_prerequisites.xml b/Shorewall-docs2/shorewall_prerequisites.xml index 6c10e7c33..4a81e9f68 100644 --- a/Shorewall-docs2/shorewall_prerequisites.xml +++ b/Shorewall-docs2/shorewall_prerequisites.xml @@ -13,10 +13,10 @@ <surname>Eastep</surname> </author> - <pubdate>2004-05-31</pubdate> + <pubdate>2005-02-07</pubdate> <copyright> - <year>2001-2004</year> + <year>2001-2005</year> <holder>Thomas M Eastep</holder> </copyright> @@ -27,7 +27,8 @@ 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled - <quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para> + <quote><ulink url="GnuCopyright.htm">GNU Free Documentation + License</ulink></quote>.</para> </legalnotice> </articleinfo> 
@@ -36,25 +37,15 @@ <itemizedlist> <listitem> - <para>A kernel that supports netfilter. I've tested with 2.4.2 - - 2.6.6. With current releases of Shorewall, Traffic Shaping/Control + <para>A kernel that supports netfilter. I've tested with 2.4.2 - + 2.6.10. With current releases of Shorewall, Traffic Shaping/Control requires at least 2.4.18. Check <ulink url="kernel.htm">here</ulink> - for kernel configuration information. If you are looking for a - firewall for use with 2.2 kernels, see <ulink - url="http://seawall.sourceforge.net">the Seattle Firewall site</ulink>.</para> + for kernel configuration information.</para> </listitem> <listitem> - <para>iptables 1.2 or later but beware version 1.2.3 -- see the <ulink - url="errata.htm">Errata</ulink>.</para> - - <warning> - <para>The buggy iptables version 1.2.3 is included in RedHat 7.2 and - you should upgrade to iptables 1.2.4 prior to installing Shorewall. - Version 1.2.4 is available <ulink - url="http://www.redhat.com/support/errata/RHSA-2001-144.html">from - RedHat</ulink> and in the <ulink url="errata.htm">Shorewall Errata</ulink>.</para> - </warning> + <para>iptables 1.2 or later (but I recommend at least version + 1.2.9)</para> </listitem> <listitem> 
@@ -66,17 +57,26 @@ <listitem> <para>A Bourne shell or derivative such as bash or ash. This shell - must have correct support for variable expansion formats ${<emphasis>variable%pattern</emphasis>}, - ${<emphasis>variable%%pattern</emphasis>}, ${<emphasis>variable#pattern</emphasis>} - and ${<emphasis>variable##pattern</emphasis>}.</para> + must have correct support for variable expansion formats + ${<emphasis>variable%pattern</emphasis>}, + ${<emphasis>variable%%pattern</emphasis>}, + ${<emphasis>variable#pattern</emphasis>} and + ${<emphasis>variable##pattern</emphasis>}.</para> </listitem> <listitem> <para>Your shell must produce a sensible result when a number n (128 - <= n <= 255) is left shifted by 24 bits. You can check this at - a shell prompt by:<itemizedlist><listitem><para>echo $((128 << - 24))</para></listitem><listitem><para>The result must be either - 2147483648 or -2147483648.</para></listitem></itemizedlist></para> + <= n <= 255) is left shifted by 24 bits. You can check this at a + shell prompt by:<itemizedlist> + <listitem> + <para>echo $((128 << 24))</para> + </listitem> + + <listitem> + <para>The result must be either 2147483648 or + -2147483648.</para> + </listitem> + </itemizedlist></para> </listitem> <listitem>
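Review bot: In IPSEC-2.6.xml (@@ -330,8 +330,11), the instruction "duplicate each -P in rule and replace the in with fwd" would be easier to follow with a worked example next to the spdadd line already shown in the hunk context, i.e. the same `spdadd 134.28.54.2/32 206.162.148.9/32 any -P in ipsec ...` entry repeated with `-P fwd` as its policy, so readers see that the `in` entry covers traffic addressed to the gateway itself while the `fwd` entry is what makes the 2.6.10 kernel apply the policy to forwarded traffic. Without the example, the external link to ipsec-howto.org is the only place the reader learns what the resulting rule looks like.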
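Review bot: In Install.xml (@@ -218,9 +220,11), the new step "rename the file to shorwall.lrp and replace the file by that name on the Bering disk" describes replacing the whole firewall package but says nothing about checking what was downloaded; consider adding a sentence telling the reader to compare the downloaded shorewall-lrp-2.2.0.tgz against its published checksum or signature (if one is provided for the release) before copying it onto the boot disk. The 8.3 name shorwall.lrp is consistent with the unchanged context line above, so that spelling is intentional and not a typo.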
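Review bot: In MAC_Validation.xml (@@ -49,6 +51,11), the new note "MAC verification is only applied to new incoming connection requests" is the most important security statement in the file and deserves one more sentence spelling out the consequence: packets belonging to a connection that has already been accepted are not re-checked, so maclist limits who may open connections and is not a per-packet control. Stating this here keeps it consistent with the two reworded component descriptions below (@@ -57,16 +64,17), which now also say "all new connection requests" rather than "all traffic".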
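Review bot: In MAC_Validation.xml (@@ -83,8 +91,8), the rewrapped line still carries the typo "If set the the empty value"; since this hunk only rewraps the paragraph, fix it at the same time: "If set to the empty value (e.g., MACLIST_LOG_LEVEL="") then failing connection requests are not logged."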
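Review bot: In MAC_Validation.xml (@@ -155,11 +165,13), the re-wrapped tip keeps "for other forwarded traffic it uses it's own MAC address"; the possessive is "its", so the line should read "traffic it uses its own MAC address." The same contraction-for-possessive appears in Shorewall_and_Aliased_Interfaces.xml (@@ -67,23 +68,27): "either it's -i or -o command options" should be "either its -i or -o command options".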
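Review bot: In MAC_Validation.xml (@@ -176,9 +188,9), the first context line has "This entry accomodates traffic"; since the paragraph is being rewrapped anyway, correct it to "accommodates". The explanation that follows (all traffic from the 192.168.4.0/24 segment carries the router's MAC 00:06:43:45:C6:15 rather than the originating host's) is exactly the caveat readers need, and it would be worth cross-referencing it from the new "new incoming connection requests" note earlier in the file, since it shows a second way MAC verification differs from per-host authentication.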
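Review bot: In Shorewall_and_Aliased_Interfaces.xml (@@ -15,10 +15,10), the pubdate is changed from 2004-07-10 to 2002-02-07, which moves the document two years backwards while the copyright line in the same hunk is extended to 2001-2005 and every other file in this commit is dated 2005-02-05 through 2005-02-08. This is almost certainly a typo for 2005-02-07; suggest `+ 2005-02-07`.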
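Review bot: In Shorewall_and_Aliased_Interfaces.xml (@@ -150,7 +155,7), the only changed line rewrites the rules-file column header to `#ACTION SOURCE DEST PROTO DEST POR------------------T(S) SOURCE ORIGINAL`, splitting PORT(S) with a run of dashes. This looks like an accidental paste into the heading; restore `DEST PORT(S)` so the header lines up with the `DNAT net loc:192.168.1.3 tcp 80 - 206.124.146.178` row beneath it. While here, the context line "That is accomplised by a single rule" should read "accomplished".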
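Review bot: In myfiles.xml (@@ -496,6 +496,12), the added "Secure zone to Internet" section is entirely commented out (`# REDIRECT sec 3128 tcp 80`), so it changes no rule in the running configuration; if it is a placeholder for a future transparent-proxy rule, say so in the comment, otherwise readers copying this file will carry a dead section that looks like it is doing something. The same hunk adds a separator that wraps onto a second line ("#####"), matching the already-wrapped separator above it; both would read better as single lines under the 80-column limit the rest of the listing observes.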
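Review bot: Shorewall-docs2/images/Thumbs.db is a Windows Explorer thumbnail cache and should not be tracked in the repository at all; this commit updates the binary rather than removing it. Suggest deleting it from the tree and adding `Thumbs.db` to the ignore list so it does not reappear.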
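Review bot: In shorewall_prerequisites.xml (@@ -36,25 +37,15), the warning about the broken iptables 1.2.3 is removed but the requirement is still stated as "iptables 1.2 or later", which continues to admit 1.2.3; if that release is still unusable with current Shorewall, raise the floor (for example "iptables 1.2.4 or later") rather than leaving it to a parenthetical recommendation of 1.2.9, and keep a pointer to the Errata so the reason is recorded. The new item also lacks the terminal period the other list items have: "1.2.9)</para>" should be "1.2.9).</para>". The kernel range bump to 2.6.10 is consistent with the IPSEC-2.6.xml change in this same commit.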