From 291dc4df9de366ffb9009e0fb7c9ec23170eb1e2 Mon Sep 17 00:00:00 2001 From: teastep Date: Wed, 11 Aug 2004 00:18:47 +0000 Subject: [PATCH] Updates to Documentation git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1533 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall-docs2/Documentation.xml | 21 +++++++++++----- Shorewall-docs2/FAQ.xml | 24 ++++++++++++------- Shorewall-docs2/NAT.xml | 20 +++++++++------- Shorewall-docs2/ProxyARP.xml | 16 +++++++++---- .../starting_and_stopping_shorewall.xml | 14 +++++------ 5 files changed, 61 insertions(+), 34 deletions(-) diff --git a/Shorewall-docs2/Documentation.xml b/Shorewall-docs2/Documentation.xml index f2f40624e..0d7f3fd54 100644 --- a/Shorewall-docs2/Documentation.xml +++ b/Shorewall-docs2/Documentation.xml @@ -15,7 +15,7 @@ - 2004-06-12 + 2004-08-10 2001-2004 @@ -1657,14 +1657,23 @@ ACCEPT:info - - tc addresses are specified in the ORIGINAL DEST column as a comma-separated list. + If this list begins with ! then the rule will + only apply if the original destination address matches none of the + addresses listed. + The IP address(es) may be optionally followed by : and a second IP address. This latter address, if present, is used as the source address for packets forwarded to the server (This is called Source NAT or SNAT. - If this list begins with ! then the rule will - only apply if the original destination address matches none of the - addresses listed. + + Specifying SNAT in a DNAT rule is deprecated and this + feature will be removed from Shorewall in version 2.1.0. An entry + in /etc/shorewall/masq can serve the + same purpose and is the preferred method of performing SNAT with + Shorewall. See FAQ 2 for an + example. + When using SNAT, it is a good idea to qualify the source 
@@ -2410,7 +2419,7 @@ eth0 eth1 206.124.146.176 (Added at Version 2.0.6) - Normally Shorewall attempts to use the iptables packet type match extension to determine broadcast and - multicast packets. + multicast packets. @@ -2429,7 +2438,7 @@ eth0 eth1 206.124.146.176 If you are experiencing either of these problems, setting PKTTYPE=No will prevent Shorewall from trying to use the packet type match extension and to use IP address matching to determine which - packets are broadcasts or multicasts. + packets are broadcasts or multicasts. diff --git a/Shorewall-docs2/FAQ.xml b/Shorewall-docs2/FAQ.xml index 8c5898903..1e7581c56 100644 --- a/Shorewall-docs2/FAQ.xml +++ b/Shorewall-docs2/FAQ.xml @@ -17,7 +17,7 @@ - 2004-08-01 + 2004-08-10 2001-2004 @@ -291,12 +291,18 @@ loc eth1 detect routeback

- In /etc/shorewall/rules (Assuming that - your local network is 192.168.1.0/24): + In /etc/shorewall/masq: - #ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL -# PORT DEST. -DNAT loc:192.168.1.0/24 loc:192.168.1.5 tcp www - 130.151.100.69:192.168.1.254 + #INTERFACE SUBNET ADDRESS PROTO PORT(S) +eth1 eth1 192.168.1.254 tcp www + + + + In /etc/shorewall/rules: + + #ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL +# PORT DEST. +DNAT loc loc:192.168.1.5 tcp www - 130.151.100.69 That rule only works of course if you have a static external IP address. If you have a dynamic IP address and are running @@ -306,9 +312,9 @@ DNAT loc:192.168.1.0/24 loc:192.168.1.5 tcp www - and make your DNAT rule: - #ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL -# PORT DEST. -DNAT loc:192.168.1.0/24 loc:192.168.1.5 tcp www - $ETH0_IP:192.168.1.254 + #ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL +# PORT DEST. +DNAT loc loc:192.168.1.5 tcp www - $ETH0_IP Using this technique, you will want to configure your DHCP/PPPoE client to automatically restart Shorewall each time that diff --git a/Shorewall-docs2/NAT.xml b/Shorewall-docs2/NAT.xml index 2a35de305..cba3c5fc0 100644 --- a/Shorewall-docs2/NAT.xml +++ b/Shorewall-docs2/NAT.xml @@ -15,7 +15,7 @@ - 2004-02-04 + 2004-08-10 2001-2004 
@@ -56,9 +56,13 @@ One-to-one NAT can be used to make the systems with the 10.1.1.* addresses appear to be on the upper (130.252.100.*) subnet. If we assume that the interface to the upper subnet is eth0, then the following - /etc/shorewall/NAT file would make the lower left-hand system appear to - have IP address 130.252.100.18 and the right-hand one to have IP address - 130.252.100.19. + /etc/shorewall/nat file would make the lower + left-hand system appear to have IP address 130.252.100.18 and the + right-hand one to have IP address 130.252.100.19. It should be stressed + that these entries in the /etc/shorewall/nat file do + not automatically enable traffic between the external network and the + internal host(s) — such traffic is still subject to your policies and + rules. /etc/shorewall/nat#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL 130.252.100.18 eth0 10.1.1.2 no no @@ -66,7 +70,7 @@ Be sure that the internal system(s) (10.1.1.2 and 10.1.1.3 in the above example) is (are) not included in any specification in - /etc/shorewall/masq or /etc/shorewall/proxyarp. + /etc/shorewall/masq or /etc/shorewall/proxyarp. The ALL INTERFACES column is used to specify @@ -86,9 +90,9 @@ Shorewall will automatically add the external address to the specified interface unless you specify ADD_IP_ALIASES=no - (or No) in /etc/shorewall/shorewall.conf; If you do not - set ADD_IP_ALIASES or if you set it to Yes or - yes then you must NOT configure your own alias(es). + (or No) in /etc/shorewall/shorewall.conf; + If you do not set ADD_IP_ALIASES or if you set it to Yes + or yes then you must NOT configure your own alias(es). Shorewall versions earlier than 1.4.6 can only add external addresses to an interface that is configured with a single diff --git a/Shorewall-docs2/ProxyARP.xml b/Shorewall-docs2/ProxyARP.xml index f703d7493..6180d69e9 100644 --- a/Shorewall-docs2/ProxyARP.xml +++ b/Shorewall-docs2/ProxyARP.xml @@ -15,7 +15,7 @@ - 2004-07-22 + 2004-08-10 2001-2004 
@@ -68,7 +68,7 @@ pass ARP requests and other network packets in both directions between the server machine and the PUBNET network, making the server machine appear to be connected to the PUBNET network even though it is on the PRIVNET network - hidden behind the router. + hidden behind the router. Before you try to use this technique, I strongly recommend that you read the Shorewall Setup Guide. @@ -92,7 +92,8 @@ Be sure that the internal systems (130.242.100.18 and 130.252.100.19 in the above example) are not included in any specification in - /etc/shorewall/masq or /etc/shorewall/nat. + /etc/shorewall/masq or /etc/shorewall/nat. + I've used an RFC1918 IP address for eth1 - that IP address is @@ -103,7 +104,7 @@ their subnet mask and default gateway configured exactly the same way that the Firewall system's eth0 is configured. In other words, they should be configured just like they would be if they were parallel to the - firewall rather than behind it. + firewall rather than behind it. Do not add the Proxy ARP'ed address(es) (130.252.100.18 and @@ -111,6 +112,13 @@ this example) of the firewall. + + It should be stressed that entries in the proxyarp file do not + automatically enable traffic between the external network and the + internal host(s) — such traffic is still subject to your policies and + rules. + + While the address given to the firewall interface is largely irrelevant, one approach you can take is to make that address the same as the address of your external interface! diff --git a/Shorewall-docs2/starting_and_stopping_shorewall.xml b/Shorewall-docs2/starting_and_stopping_shorewall.xml index f97369947..399adb7d0 100644 --- a/Shorewall-docs2/starting_and_stopping_shorewall.xml +++ b/Shorewall-docs2/starting_and_stopping_shorewall.xml @@ -15,7 +15,7 @@ - 2004-08-01 + 2004-08-10 2004 
@@ -57,7 +57,7 @@ - /etc/shorewall ̶ The default directory + /etc/shorewall — The default directory where Shorewall looks for configuration files. See the section entitled Alternate Configuration Directories for information about how you can direct Shorewall to look in other @@ -66,19 +66,19 @@ /etc/init.d/shorewall (/etc/rc.d/firewall.rc - on Slackware) ̶ The script run by init (the program + on Slackware) — The script run by init (the program responsible for startup and shutdown of your system) to start Shorewall at boot time and to stop Shorewall at shutdown. - /usr/share/shorewall/firewall ̶ The program + /usr/share/shorewall/firewall — The program responsible for configuring Netfilter based on your configuration files. - /usr/share/shorewall/functions ̶ A library + /usr/share/shorewall/functions — A library of Bourne Shell functions used by both /sbin/shorewall and /usr/share/shorewall/firewall. @@ -188,8 +188,8 @@ /var/lib/shorewall/restore. The default may be changed using the RESTOREFILE option in /etc/shorewall/shorewall.conf. A - different file name may also be specified in the specified in the - save command: + different file name may also be specified in the save + command: shorewall save <filename>
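Review bot: In the Documentation.xml hunk for the DNAT ORIGINAL DEST column, the sentence "This latter address, if present, is used as the source address for packets forwarded to the server (This is called Source NAT or SNAT." still has no closing parenthesis, and the new deprecation paragraph is being inserted directly after it; close it as "(this is called Source NAT or SNAT)." in this same change. The added text "See FAQ 2 for an example" should be a cross-reference into FAQ.xml (touched in this same commit) rather than plain text, since the deprecation note will be the only place many readers learn that the masq entry replaces the trailing ":address" syntax before it is removed in 2.1.0.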
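Review bot: In the FAQ.xml hunk, the new masq entry "eth1 eth1 192.168.1.254 tcp www" is not limited to the server at 192.168.1.5: it applies SNAT to every tcp/www packet that enters eth1 and is routed back out eth1, which is broader than the old per-rule SNAT it replaces, and the prose should say so. The deleted sentence "Assuming that your local network is 192.168.1.0/24" was the only statement of what 192.168.1.254 and 192.168.1.5 are; keep an assumptions sentence (192.168.1.0/24 is the local network, 192.168.1.254 is the firewall's eth1 address, 192.168.1.5 is the server). One more sentence is worth adding for operators: with this entry the server sees 192.168.1.254 as the source of all such connections, so its own logs and host-based access controls can no longer distinguish individual internal clients.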
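Review bot: In the NAT.xml hunk, the added sentence that /etc/shorewall/nat entries "do not automatically enable traffic between the external network and the internal host(s)" is the right point to stress; it would be more useful if it also said where that access is granted, namely an ACCEPT rule in /etc/shorewall/rules for the specific ports the internal host must expose, so readers do not respond to a non-working one-to-one NAT by loosening a policy. The lower-casing of /etc/shorewall/NAT to /etc/shorewall/nat in the same paragraph is correct and should be called out in the commit message, since the file name is case-sensitive.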
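Review bot: In the ProxyARP.xml hunk at @@ -92,7 +92,8 @@, the paragraph being reformatted reads "130.242.100.18 and 130.252.100.19" while the rest of the file, including the "Do not add the Proxy ARP'ed address(es) (130.252.100.18 ..." paragraph in the next hunk, uses 130.252.100.18; change 242 to 252 while this line is already being touched, otherwise the example subnet is internally inconsistent. The new "It should be stressed ..." paragraph duplicates the NAT.xml wording verbatim, which is fine for two standalone documents, but like the NAT.xml version it should point the reader at /etc/shorewall/rules as the place where the traffic is actually permitted.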
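Review bot: In the starting_and_stopping_shorewall.xml hunks, replacing "̶" with "—" fixes what looks like a mis-encoded dash, but together with the NAT.xml and ProxyARP.xml additions this commit now embeds a literal em dash in three files; confirm each file's XML declaration is UTF-8, or use the numeric reference &#8212;, so the same corruption cannot be reintroduced by an editor saving in another encoding. The "specified in the specified in the" fix in the last hunk is good as written.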