diff --git a/Shorewall-docs2/Accounting.xml b/Shorewall-docs2/Accounting.xml index fa3695ce4..6db62577f 100644 --- a/Shorewall-docs2/Accounting.xml +++ b/Shorewall-docs2/Accounting.xml @@ -29,7 +29,8 @@ 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled - GNU Free Documentation License. + GNU Free Documentation + License. @@ -41,11 +42,11 @@ chain called accounting and can thus be displayed using shorewall show accounting. All traffic passing into, out of or through the firewall traverses the accounting chain including traffic - that will later be rejected by interface options such as tcpflags - and maclist. If your kernel doesn't support the - connection tracking match extension (Kernel 2.4.21) then some traffic - rejected under norfc1918 will not traverse the accounting - chain. + that will later be rejected by interface options such as + tcpflags and maclist. If your kernel doesn't + support the connection tracking match extension (Kernel 2.4.21) then some + traffic rejected under norfc1918 will not traverse the + accounting chain. The columns in the accounting file are as follows: @@ -61,15 +62,15 @@ - DONE- Count the match and don't attempt to match any - following accounting rules. + DONE- Count the match and don't attempt to match any following + accounting rules. - <chain> - The name of a chain to + <chain> - The name of a chain to jump to. Shorewall will create the chain automatically. If the name of the chain is followed by :COUNT then a COUNT rule - matching this rule will automatically be added to <chain>. + matching this rule will automatically be added to <chain>. Chain names must start with a letter, must be composed of letters and digits, and may contain underscores (_) and periods (.). Beginning with Shorewall version 1.4.8, 
@@ -98,13 +99,20 @@ PROTOCOL - A protocol name (from - /etc/protocols) or a protocol number. + /etc/protocols), a protocol number or "ipp2p". For + "ipp2p", your kernel and iptables must have ipp2p match support from + Netfilter + Patch_o_matic_ng. DEST PORT - Destination Port number. Service name from /etc/services or port - number. May only be specified if the protocol is TCP or UDP (6 or 17). + number. May only be specified if the protocol is TCP or UDP (6 or 17). + If the PROTOCOL is "ipp2p", then this column is interpreted as an ipp2p + option without the leading "--" (default "ipp2p"). For a list of value + ipp2p options, as root type iptables -m ipp2p + --help. 
@@ -112,15 +120,42 @@ Service name from /etc/services or port number. May only be specified if the protocol is TCP or UDP (6 or 17). + + + USER/GROUP (Added in Shorewall + 2.2.0) - This column may only be non-empty if the CHAIN is OUTPUT. The + column may contain: + + [!][<user name or number>][:<group name or number>] + + When this column is non-empty, the rule applies only if the + program generating the output is running under the effective + <user> and/or <group> specified (or is NOT running under + that id if "!" is given). + + Examples: + + + joe #program must be run by joe + + :kids #program must be run by a member of the 'kids' + group. + + !:kids #program must not be run by a member of the 'kids' + group + + - In all columns except ACTION and CHAIN, the values -,any - and all are treated as wild-cards. + In all columns except ACTION and CHAIN, the values + -,any and all are treated as + wild-cards. - The accounting rules are evaluated in the Netfilter filter - table. This is the same environment where the rules file - rules are evaluated and in this environment, DNAT has already occurred in - inbound packets and SNAT has not yet occurred on outbound ones. + The accounting rules are evaluated in the Netfilter + filter table. This is the same environment where the + rules file rules are evaluated and in this environment, DNAT + has already occurred in inbound packets and SNAT has not yet occurred on + outbound ones. Accounting rules are not stateful -- each rule only handles traffic in one direction. For example, if eth0 is your internet interface and you have 
@@ -192,13 +227,13 @@ 11506 13M all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 [root@gateway shorewall]# - Here's how the same example would be constructed on an HTTP server + Here's how the same example would be constructed on an HTTP server with only one interface (eth0). - READ THE ABOVE CAREFULLY -- IT SAYS SERVER. - If you want to account for web browsing, you have to reverse the rules - below. + READ THE ABOVE CAREFULLY -- IT SAYS SERVER. If you want to account for web browsing, + you have to reverse the rules below. #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE @@ -213,7 +248,7 @@ Note that with only one interface, only the SOURCE (for input rules) or the DESTINATION (for output rules) is specified in each rule. - Here's the output: + Here's the output: [root@mail shorewall]# shorewall show accounting web Shorewall-1.4.7 Chains accounting web at mail.shorewall.net - Sun Oct 12 10:27:21 PDT 2003 @@ -234,5 +269,6 @@ [root@mail shorewall]# For an example of integrating Shorewall Accounting with MRTG, see - http://www.nightbrawler.com/code/shorewall-stats/. + http://www.nightbrawler.com/code/shorewall-stats/. \ No newline at end of file diff --git a/Shorewall-docs2/Documentation.xml b/Shorewall-docs2/Documentation.xml index ae1a86aea..b66d03351 100644 --- a/Shorewall-docs2/Documentation.xml +++ b/Shorewall-docs2/Documentation.xml @@ -15,7 +15,7 @@ - 2004-09-10 + 2004-10-25 2001-2004 
@@ -703,6 +703,31 @@ dmz DMZ Demilitarized zone linkend="Conf">/etc/shorewall/shorewall.conf. + + + logmartians + + + (Added in version 2.2.0) - If this option is specified, + the kernel's martian logging facility will be enabled on this + interface + (/proc/sys/net/ipv4/conf/<interface>/log_martians + will be set to 1). See also the LOG_MARTIANS option in shorewall.conf. + + + + + sourceroute + + + (Added in version 2.2.0) - If this option is not + specified for an interface, then source-routed packets will + not be accepted from that interface (sets + /proc/sys/net/ipv4/conf/<interface> + to 1). + + My recommendations concerning options: @@ -710,7 +735,7 @@ dmz DMZ Demilitarized zone External Interface -- tcpflags,blacklist,norfc1918,routefilter,nosmurfs + role="bold">tcpflags,blacklist,norfc1918,routefilter,nosmurfs,logmartians @@ -1666,8 +1691,11 @@ ACCEPT:info - - tc Protocol. Must be a protocol name from /etc/protocols, a - number or all. Specifies the protocol of the - connection request. + number, "ipp2p" or all. Specifies the protocol of the + connection request. If "ipp2p" then your kernel and iptables must + have ipp2p match support from Netfilter + Patch-o-matic-ng. 
@@ -1678,11 +1706,14 @@ ACCEPT:info - - tc Port or port range (<low port>:<high port>) being connected to. May only be specified if the protocol is tcp, udp or icmp. For icmp, this column's contents are interpreted as an icmp - type. If you don't want to specify DEST PORT(S) but need to include - information in one of the columns to the right, enter - - in this column. You may give a list of ports and/or - port ranges separated by commas. Port numbers may be either integers - or service names from /etc/services. + type. For ipp2p, this column must contain an ipp2p option without + the leading "--" (default "ipp2p" -- for a list of valid options, as + root type iptables -m ipp2p --help). If you don't + want to specify DEST PORT(S) but need to include information in one + of the columns to the right, enter - in this column. + You may give a list of ports and/or port ranges separated by commas. + Port numbers may be either integers or service names from + /etc/services. @@ -2097,6 +2128,20 @@ eth1::192.0.2.32/27 fashion. Beginning with Shorewall version 1.4.7, you may include a list of ranges and/or addresses in this column; again, Netfilter will use all listed ranges/addresses in rounde-robin fashion. + + Beginning with Shorewall 2.2.0, you may also specify the + source port range to be used (the PROTO column must specify tcp or + udp) by following the address or address range if any with ":" and + the port range (in the format <low + port>-<high port>). + + Examples: + + #INTERFACE SUBNET ADDRESS PROTO +eth0 10.0.0.0/8 192.0.2.44:7000-8000 udp + + #INTERFACE SUBNET ADDRESS PROTO +eth0 192.168.1.0/24 :4000-5000 tcp 
@@ -2501,10 +2546,42 @@ eth0 eth1 206.124.146.176 - + LOGALLNEW - + (Aded at version 2.2.0)- When set to a log level, this option + causes Shorewall to generaate a logging rule as the first rule in + each builtin chain. + + + + The table name is used as the chain name in the log + prefix. + + + + The chain name is used as the target in the log + pref + + + + Example: Using the default LOGFORMAT, the log prefix for + logging from the nat table's PREROUTING chain is: + + Shorewall:nat:PREROUTING + + + There is no rate limiting on these logging rules so use + LOGALLNEW at your own risk; it may cause high CPU and disk + utilization and you may not be able to control your firewall after + you enable this option. + + + + DO NOT USE THIS OPTION IF THE + RESULTING LOG MESSAGES WILL BE SENT TO ANOTHER + SYSTEM. + @@ -2846,6 +2923,21 @@ eth0 eth1 206.124.146.176 + + LOG_MARTIANS + + + (Added in Version 2.2.0) - If set to Yes or yes, sets + /proc/sys/net/ipv4/conf/all/log_martians and + /proc/sys/net/ipv4/conf/default/log_martians to + 1. Default is which sets both of the above to zero. If you do not + enable martian logging for all interfaces, you may still enable it + for individual interfaces using the logmartians interface option in /etc/shorewall/interfaces. + + + DETECT_DNAT_ADDRS @@ -3099,6 +3191,21 @@ LOGBURST=5 + + DELAYBLACKLISTLOAD + + + (Added in Shorewall 2.2.0) - Users with a large static black + list (/etc/shorewall/blacklist) may want to set + the DELAYBLACKLISTLOAD option to Yes. When DELAYBLACKLISTLOAD=Yes, + Shorewall will enable new connections before loading the blacklist + rules. While this may allow connections from blacklisted hosts to + slip by during construction of the blacklist, it can substantially + reduce the time that all new connections are disabled during + shorewall [re]start. + + + CLAMPMSS 
@@ -3114,6 +3221,11 @@ LOGBURST=5 This option requires CONFIG_IP_NF_TARGET_TCPMSS in your kernel. + + Beginning with Shorewall version 2.2.0, you may also set + CLAMPMSS to a numeric value (e.g., CLAMPMSS=1400). This will set the + MSS field in TCP SYN packets going through the firewall to the value + that you specify. @@ -3713,7 +3825,7 @@ eth1 - 1.20 - 2004-10-22 + 2004-10-25 TE diff --git a/Shorewall-docs2/FTP.xml b/Shorewall-docs2/FTP.xml index 0d11ccf5c..bbd9daab4 100644 --- a/Shorewall-docs2/FTP.xml +++ b/Shorewall-docs2/FTP.xml @@ -31,7 +31,8 @@ 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled - GNU Free Documentation License. + GNU Free Documentation + License. @@ -55,7 +56,8 @@ - Install the Mandrake cooker version of Shorewall. + Install the Mandrake cooker version of + Shorewall. @@ -67,16 +69,17 @@ Mandrake have done it again with their 10.0 release. This time, they have decided that kernel modules should have - "ko.gz" for their suffix. If you are having problems with Mandrake - 10.0 and FTP, change your /etc/shorewall/conf file + "ko.gz" for their suffix. If you are having problems with Mandrake 10.0 + and FTP, change your /etc/shorewall/conf file definition of MODULE_SUFFIX as follows: - MODULE_SUFFIX="o gz ko o.gz ko.gz" + MODULE_SUFFIX="o gz ko o.gz ko.gz" The version of insmod shipped with 10.0 also does not comprehend these module files so you will also need Shorewall 2.0.2 or - later OR you need to change /usr/share/shorewall/firewall - -- replace the line that reads: + later OR you need to change + /usr/share/shorewall/firewall -- replace the line + that reads: insmod $modulefile $* 
@@ -133,14 +136,14 @@ [teastep@wookie Shorewall]$ ftp ftp1.shorewall.net Connected to lists.shorewall.net. -220-=(<*>)=-.:. (( Welcome to PureFTPd 1.0.12 )) .:.-=(<*>)=- +220-=(<*>)=-.:. (( Welcome to PureFTPd 1.0.12 )) .:.-=(<*>)=- 220-You are user number 1 of 50 allowed. 220-Local time is now 10:21 and the load is 0.14. Server port: 21. 220 You will be disconnected after 15 minutes of inactivity. 500 Security extensions not implemented 500 Security extensions not implemented KERBEROS_V4 rejected as an authentication type -Name (ftp1.shorewall.net:teastep): ftp +Name (ftp1.shorewall.net:teastep): ftp 331-Welcome to ftp.shorewall.net 331- 331 Any password will work @@ -148,31 +151,31 @@ Password: 230 Any password will work Remote system type is UNIX. Using binary mode to transfer files. -ftp> debug +ftp> debug Debugging on (debug=1). -ftp> ls ----> PASV +ftp> ls +---> PASV 227 Entering Passive Mode (192,168,1,193,195,210) ----> LIST +---> LIST 150 Accepted data connection drwxr-xr-x 5 0 0 4096 Nov 9 2002 archives drwxr-xr-x 2 0 0 4096 Feb 12 2002 etc drwxr-sr-x 6 0 50 4096 Feb 19 15:24 pub 226-Options: -l 226 3 matches total -ftp> passive +ftp> passive Passive mode off. -ftp> ls ----> PORT 192,168,1,3,142,58 +ftp> ls +---> PORT 192,168,1,3,142,58 200 PORT command successful ----> LIST +---> LIST 150 Connecting to port 36410 drwxr-xr-x 5 0 0 4096 Nov 9 2002 archives drwxr-xr-x 2 0 0 4096 Feb 12 2002 etc drwxr-sr-x 6 0 50 4096 Feb 19 15:24 pub 226-Options: -l 226 3 matches total -ftp> +ftp> Things to notice: @@ -184,7 +187,7 @@ ftp> Commands sent by the client to the server are preceded by - ---> + ---> @@ -208,14 +211,14 @@ ftp>
Linux FTP connection-tracking - Given the normal loc->net policy of ACCEPT, passive mode access + Given the normal loc->net policy of ACCEPT, passive mode access from local clients to remote servers will always work but active mode requires the firewall to dynamically open a hole for the - server's connection back to the client. Similarly, if you are running - an FTP server in your local zone then active mode should always work but - passive mode requires the firewall to dynamically open a hole - for the client's second connection to the server. This is the role of - FTP connection-tracking support in the Linux kernel. + server's connection back to the client. Similarly, if you are running an + FTP server in your local zone then active mode should always work but + passive mode requires the firewall to dynamically open a + hole for the client's second connection to the server. This + is the role of FTP connection-tracking support in the Linux kernel. Where any form of NAT (SNAT, DNAT, Masquerading) on your firewall is involved, the PORT commands and PASV responses may also need to be @@ -223,11 +226,12 @@ ftp> function. Including FTP connection-tracking and NAT support normally means - that the modules ip_conntrack_ftp and ip_nat_ftp - need to be loaded. Shorewall automatically loads these helper - modules from /lib/modules/<kernel-version>/kernel/net/ipv4/netfilter/ + that the modules ip_conntrack_ftp and + ip_nat_ftp need to be loaded. Shorewall automatically loads + these helper modules from + /lib/modules/<kernel-version>/kernel/net/ipv4/netfilter/ and you can determine if they are loaded using the lsmod - command. The <kernel-version> may be obtained + command. The <kernel-version> may be obtained by typing uname -r 
@@ -292,8 +296,10 @@ jbd 47860 2 [ext3] responses. If you run an FTP server on a nonstandard port or you need to access such a server, you must therefore let the helpers know by specifying the port in /etc/shorewall/modules entries for the helpers. - You must have modularized FTP connection tracking support - in order to use FTP on a non-standard port. + + You must have modularized FTP connection tracking support in + order to use FTP on a non-standard port. + if you run an FTP server that listens on port 49 or you need to @@ -303,8 +309,10 @@ jbd 47860 2 [ext3] <programlisting>loadmodule ip_conntrack_ftp ports=21,49 loadmodule ip_nat_ftp ports=21,49</programlisting> - <para><note><para>you MUST include port 21 in the ports list or you may - have problems accessing regular FTP servers.</para></note></para> + <para><note> + <para>you MUST include port 21 in the ports list or you may have + problems accessing regular FTP servers.</para> + </note></para> <para>If there is a possibility that these modules might be loaded before Shorewall starts, then you should include the port list in 
@@ -313,9 +321,22 @@ loadmodule ip_nat_ftp ports=21,49</programlisting> <programlisting>options ip_conntrack_ftp ports=21,49 options ip_nat_ftp ports=21,49</programlisting> - <para><important><para>Once you have made these changes to - /etc/shorewall/modules and/or /etc/modules.conf, you must either:</para><orderedlist><listitem><para>Unload - the modules and restart shorewall:</para><programlisting><command>rmmod ip_nat_ftp; rmmod ip_conntrack_ftp; shorewall restart</command></programlisting></listitem><listitem><para>Reboot</para></listitem></orderedlist></important></para> + <para><important> + <para>Once you have made these changes to /etc/shorewall/modules + and/or /etc/modules.conf, you must either:</para> + + <orderedlist> + <listitem> + <para>Unload the modules and restart shorewall:</para> + + <programlisting><command>rmmod ip_nat_ftp; rmmod ip_conntrack_ftp; shorewall restart</command></programlisting> + </listitem> + + <listitem> + <para>Reboot</para> + </listitem> + </orderedlist> + </important></para> </example> </section> @@ -323,15 +344,15 @@ options ip_nat_ftp ports=21,49</programlisting> <title>Rules If the policy from the source zone to the destination zone is ACCEPT - and you don't need DNAT (see FAQ 30) + and you don't need DNAT (see FAQ 30) then you need no rule. - Otherwise, for FTP you need exactly one - rule: + Otherwise, for FTP you need exactly one rule: #ACTION SOURCE DESTINATION PROTO PORT(S) SOURCE ORIGINAL # PORT(S) DESTINATION -ACCEPT or <source> <destination> tcp 21 <external IP addr> if +ACCEPT or <source> <destination> tcp 21 <external IP addr> if DNAT ACTION = DNAT You need an entry in the ORIGINAL DESTINATION column only if the 
@@ -341,23 +362,32 @@ DNAT ACTION = Note that you do NOT need a rule with 20 (ftp-data) in the PORT(S) column. If you post your rules on the mailing list and they show 20 in the PORT(S) column, I will know that you - haven't read this article and I will either ignore your post or tell - you to RTFM.Server running behind a Masquerading GatewaySuppose - that you run an FTP server on 192.168.1.5 in your local zone using the - standard port (21). You need this rule: #ACTION SOURCE DESTINATION PROTO PORT(S) SOURCE ORIGINAL + haven't read this article and I will either ignore your post or tell you + to RTFM. + Server running behind a Masquerading Gateway + + Suppose that you run an FTP server on 192.168.1.5 in your local + zone using the standard port (21). You need this rule: + + #ACTION SOURCE DESTINATION PROTO PORT(S) SOURCE ORIGINAL # PORT(S) DESTINATION -DNAT net loc:192.168.1.5 tcp 21Allow - your DMZ FTP access to the Internet#ACTION SOURCE DESTINATION PROTO PORT(S) SOURCE ORIGINAL +DNAT net loc:192.168.1.5 tcp 21 + + Allow your DMZ FTP access to the Internet + + #ACTION SOURCE DESTINATION PROTO PORT(S) SOURCE ORIGINAL # PORT(S) DESTINATION -ACCEPT dmz net tcp 21 +ACCEPT dmz net tcp 21 + Note that the FTP connection tracking in the kernel cannot handle cases where a PORT command (or PASV reply) is broken across two packets. - When such cases occur, you will see a console message similar to this one: + When such cases occur, you will see a console message similar to this + one: Apr 28 23:55:09 gateway kernel: conntrack_ftp: partial PORT 715014972+1 - I see this problem occasionally with the FTP server in my DMZ. My + I see this problem occasionally with the FTP server in my DMZ. My solution is to add the following rule: #ACTION SOURCE DESTINATION PROTO PORT(S) SOURCE ORIGINAL diff --git a/Shorewall-docs2/blacklisting_support.xml b/Shorewall-docs2/blacklisting_support.xml index adade65a4..e4f1ea0dd 100644 --- a/Shorewall-docs2/blacklisting_support.xml 
+++ b/Shorewall-docs2/blacklisting_support.xml @@ -15,7 +15,7 @@ - 2004-02-17 + 2004-10-25 2002-2004 @@ -29,7 +29,8 @@ 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled - GNU Free Documentation License. + GNU Free Documentation + License. @@ -43,7 +44,7 @@ - BLACKLISTNEWONLY=No --  All incoming packets are checked + BLACKLISTNEWONLY=No --  All incoming packets are checked against the blacklist. New blacklist entries can be used to terminate existing connections. Versions of Shorewall prior to 1.4.8 behave in this manner. @@ -88,12 +89,14 @@ You specify whether you want packets from blacklisted hosts logged and at what syslog level using the BLACKLIST_LOGLEVEL setting - in /etc/shorewall/shorewall.conf. + in /etc/shorewall/shorewall.conf. You list the IP addresses/subnets that you wish to blacklist in - /etc/shorewall/blacklist. + /etc/shorewall/blacklist. Beginning with Shorewall version 1.3.8, you may also specify PROTOCOL and Port numbers/Service names in the blacklist file. @@ -101,40 +104,52 @@ You specify the interfaces whose incoming packets you want checked against the blacklist using the blacklist - option in /etc/shorewall/interfaces. + option in /etc/shorewall/interfaces. - The black list is refreshed from /etc/shorewall/blacklist - by the shorewall + The black list is refreshed from + /etc/shorewall/blacklist by the shorewall refresh command. + + Users with a large static black list may want to set the + DELAYBLACKLISTLOAD option in shorewall.conf (added in Shorewall version + 2.2.0). When DELAYBLACKLISTLOAD=Yes, Shorewall will enable new connections + before loading the blacklist rules. While this may allow connections from + blacklisted hosts to slip by during construction of the blacklist, it can + substantially reduce the time that all new connections are disabled during + "shorewall [re]start".
Dynamic Blacklisting Dynamic blacklisting support was added in version 1.3.2. Dynamic - blacklisting doesn't use any configuration parameters but is rather + blacklisting doesn't use any configuration parameters but is rather controlled using /sbin/shorewall commands: - drop <ip address list> - causes + drop <ip address list> - causes packets from the listed IP addresses to be silently dropped by the firewall. - reject <ip address list> - causes - packets from the listed IP addresses to be rejected by the firewall. + reject <ip address list> - causes + packets from the listed IP addresses to be rejected by the + firewall. - allow <ip address list> - - re-enables receipt of packets from hosts previously blacklisted by a - drop or reject command. + allow <ip address list> - re-enables + receipt of packets from hosts previously blacklisted by a + drop or reject + command. @@ -144,12 +159,14 @@ - show dynamic - displays the dynamic blacklisting configuration. + show dynamic - displays the dynamic blacklisting + configuration. - Dynamic blacklisting is not dependent on the blacklist - option in /etc/shorewall/interfaces. + Dynamic blacklisting is not dependent on the + blacklist option in + /etc/shorewall/interfaces. Ignore packets from a pair of systems diff --git a/Shorewall-docs2/shorewall_quickstart_guide.xml b/Shorewall-docs2/shorewall_quickstart_guide.xml index fefbd8f9a..61307812c 100644 --- a/Shorewall-docs2/shorewall_quickstart_guide.xml +++ b/Shorewall-docs2/shorewall_quickstart_guide.xml @@ -58,8 +58,8 @@
- If you have a <emphasis role="bold">single public IP - address</emphasis> + If you want the firewall system to handle a <emphasis + role="bold">single public IP address</emphasis> These guides are designed to get your first firewall up and running quickly in the three most common Shorewall configurations. If @@ -88,7 +88,8 @@
- If you have more than one public IP address + If you want the firewall system to handle more than one public IP + address The Shorewall Setup Guide outlines the steps necessary to set up a firewall where @@ -99,11 +100,11 @@
- Guide that Others have Written + Guides that Others have Written Andrew Allen has provided this guide for installing Shorewall on standalone webhosting servers.
- \ No newline at end of file + diff --git a/Shorewall-docs2/starting_and_stopping_shorewall.xml b/Shorewall-docs2/starting_and_stopping_shorewall.xml index 410a5e5a9..3142f7f38 100644 --- a/Shorewall-docs2/starting_and_stopping_shorewall.xml +++ b/Shorewall-docs2/starting_and_stopping_shorewall.xml @@ -15,7 +15,7 @@ - 2004-09-12 + 2004-10-25 2004 @@ -278,11 +278,19 @@ restart, shorewall check, and shorewall try commands allow you to specify a different directory for Shorewall to check before looking in /etc/shorewall: + class="directory">/etc/shorewall. + + Shorewall versions before Shorewall 2.2.0: shorewall [ -c <configuration-directory> ] {start|restart|check} shorewall try <configuration-directory> [ <timeout> ] + Shorewall versions 2.2.0 and later the -c option is + deprecated: + + shorewall {start|restart|check} <configuration-directory> + shorewall try <configuration-directory> [ <timeout> ] + If a <configuration-directory> is specified, each time that Shorewall is going to use a file in /etc/shorewall it will first look in @@ -313,7 +321,7 @@
- shorewall -c ./ check + shorewall check ./ @@ -388,7 +396,7 @@ - check + check (Shorewall versions prior to 2.2.0) shorewall [ -c <configuration-directory> ] @@ -402,6 +410,21 @@ + + check (Shorewall 2.2.0 and later) + + + shorewall [-q] check [ + <configuration-directory> ] + + Performs a cursory validation of the zones, interfaces, hosts, + rules and policy files. Use this if you are unsure of any edits you + have made to the shorewall configuration. See above for a recommended way to make + changes. + + + clear @@ -584,7 +607,7 @@ - restart + restart (Prior to Shorewall version 2.2.0) shorewall [ -q ] [ -c <configuration-directory> @@ -597,6 +620,20 @@ + + restart (Shorewall version 2.2.0 and later) + + + shorewall [ -q ] restart + <configuration-directory> + + Restart is similar to shorewall stop + followed by shorewall start. Existing connections + are maintained. If -q is specified, less detail is displayed making + it easier to spot warnings + + + restore @@ -671,7 +708,7 @@ - start + start (Shorewall versions prior to 2.2.0) shorewall [ -q ] [ -f ] [ -c @@ -688,6 +725,24 @@ + + start (Shorewall 2.2.0 and later) + + + shorewall [ -q ] [ -f ] start [ + <configuration-directory> ] + + Start shorewall. Existing connections through shorewall + managed interfaces are untouched. New connections will be allowed + only if they are allowed by the firewall rules or policies. If -q is + specified, less detail is displayed making it easier to spot + warnings If -f is specified, the saved configuration specified by + the RESTOREFILE option in /etc/shorewall/shorewall.conf + will be restored if that saved configuration exists + + + stop diff --git a/Shorewall-docs2/traffic_shaping.xml b/Shorewall-docs2/traffic_shaping.xml index 320a4e6c8..56ee29d4f 100644 --- a/Shorewall-docs2/traffic_shaping.xml +++ b/Shorewall-docs2/traffic_shaping.xml @@ -15,7 +15,7 @@ - 2004-09-30 + 2004-10-25 2001-2004 
@@ -203,6 +203,77 @@ chains respectively. If this additional specification is omitted, the chain used to mark packets will be determined by the setting of the MARK_IN_FORWARD_CHAIN option in shorewall.conf. + + This possible values in this field were expanded in Shorewall + version 2.2.0: + + + + If your kernel and iptables include CONNMARK support then + you can also mark the connection rather than the packet + + + + The mark value may be optionally followed by "/" and a + mask value (used to determine those bits of the connection + mark to actually be set). + + + + The mark and optional mask are then followed by one + of: + C: Mark the connection in the chain determined by + the setting of MARK_IN_FORWARD_CHAIN + + CF: Mark the conneciton in the FORWARD + chain + + CP: Mark the connection in the PREROUTING + chain. + + + + + + + A classification of the form <major>:<minor> + where <major> and <minor> are integers. Corresponds to + the 'class' specification in these traffic shaping + modules: + - atm + + - cbq + + - dsmark + + - pfifo_fast + + - htb + + - prio + Classification always occurs in the POSTROUTING + chain. + + + + RESTORE[/mask] -- restore the packet's mark from the + connection's mark using the supplied mask if any. Your kernel and + iptables must include CONNMARK support. As iabove, may be followed + by ":P" or ":F + + + + SAVE[/mask] -- save the packet's mark to the connection's + mark using the supplied mask if any. Your kernel and iptables must + include CONNMARK support. As above, may be followed by ":P" or + ":F + + + + CONTINUE -- don't process any more marking rules in the + table. As above, may be followed by ":P" or ":F". + + 
@@ -222,14 +293,20 @@ PROTO - Protocol - Must be the name of a protocol from - /etc/protocol, a number or all + /etc/protocol, "ipp2p", a number or "all". For "ipp2p", your kernel + and iptables must have ipp2p match support from Netfilter + Patch_o_matic_ng. PORT(S) - Destination Ports. A comma-separated list of Port names (from /etc/services), port numbers or port ranges (e.g., 21:22); if the protocol is icmp, this column is interpreted as - the destination icmp type(s). + the destination icmp type(s). If the protocol is "ipp2p", then this + column is interpreted as an ipp2p option (default "ipp2p"). For a list + of value ipp2p options, as root type iptables -m ipp2p + --help. @@ -252,6 +329,29 @@ Examples : john: / john / :users / john:users + + + TEST (added in Shorewall version 2.2.0). Defines a test on the + existing packet or connection mark. The rule will match only if the + test returns true. Tests have the format + + [!]<value>[/<mask>][:C] + + where + + + ! Inverts the test (not equal) + + <value> Value of the packet or + connection mark. + + <mask> A mask to be applied to + the mark before testing + + :C Designates a connection mark. If omitted, the packet + mark's value is tested. + +
@@ -261,7 +361,7 @@ arriving on eth2 and eth3 should be marked with 2. All packets originating on the firewall itself should be marked with 3. - #MARK SOURCE DESTINATION PROTOCOL USER/GROUP + #MARK SOURCE DESTINATION PROTOCOL USER/GROUP TEST 1 eth1 0.0.0.0/0 all 2 eth2 0.0.0.0/0 all 2 eth3 0.0.0.0/0 all @@ -274,7 +374,7 @@ All GRE (protocol 47) packets not originating on the firewall and destined for 155.186.235.151 should be marked with 12. - #MARK SOURCE DESTINATION PROTOCOL USER/GROUP + #MARK SOURCE DESTINATION PROTOCOL USER/GROUP TEST 12 0.0.0.0/0 155.182.235.151 47 @@ -284,7 +384,7 @@ All SSH packets originating in 192.168.1.0/24 and destined for 155.186.235.151 should be marked with 22. - #MARK SOURCE DESTINATION PROTOCOL USER/GROUP + #MARK SOURCE DESTINATION PROTOCOL USER/GROUP TEST 22 192.168.1.0/24 155.182.235.151 tcp 22
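Review bot: Typo in the Accounting.xml DEST PORT hunk (the ipp2p addition): "For a list of value ipp2p options" should read "valid ipp2p options". The same hunk spells the patch collection "Patch_o_matic_ng" while the Documentation.xml hunk for the rules file PROTO column uses "Patch-o-matic-ng"; pick one spelling and use it in both places (and in traffic_shaping.xml, which also uses the underscore form).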
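Review bot: The Documentation.xml sourceroute hunk documents a sysctl path with no file name and a value that contradicts the sentence around it: "source-routed packets will not be accepted from that interface (sets /proc/sys/net/ipv4/conf/<interface> to 1)". The path should name the control being written (the logmartians entry just above it shows the intended form, ".../conf/<interface>/log_martians"), and "to 1" cannot be right for "not accepted" unless the control is an inverted one; please state the actual file and the value written, and say what happens when the option IS specified (the hunk only covers the absent case). Since this changes the interface default, a line in the "External Interface" recommendation list or a note in the upgrade text would help users notice it.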
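Review bot: The LOGALLNEW hunk in Documentation.xml has typos and a truncated sentence: "(Aded at version 2.2.0)-" and "generaate", and the second bullet ends in "is used as the target in the log pref" without the word "prefix" or closing punctuation. The two bullets are also easy to misread next to the example ("Shorewall:nat:PREROUTING"): say explicitly that the table name occupies the chain position of the prefix and the chain name occupies the target position. The warning "DO NOT USE THIS OPTION IF THE RESULTING LOG MESSAGES WILL BE SENT TO ANOTHER SYSTEM" gives no reason; one clause saying why (presumably the packets carrying the log messages would themselves be logged, feeding the loop) would make the risk concrete alongside the "no rate limiting" note.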
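Review bot: The LOG_MARTIANS hunk drops the default value: "Default is which sets both of the above to zero" is missing the word between "is" and "which". Please fill in the default so readers know whether martian logging is on without setting the option, and mention that the interface-level logmartians option still applies when the global default leaves it off (the hunk does say this, but only after the broken sentence).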
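Review bot: The DELAYBLACKLISTLOAD hunk in Documentation.xml (and the near-identical paragraph added to blacklisting_support.xml) never states the option's default. Since the hunk itself notes that "this may allow connections from blacklisted hosts to slip by during construction of the blacklist", readers need to know whether they are opted in by default; add "Default is ..." in the shorewall.conf entry, and consider making the blacklisting_support.xml text point at that entry rather than repeating it, so the two copies cannot drift apart.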
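Review bot: In the masq hunk (source port range for SNAT), the range is written "<low port>-<high port>" with a hyphen, while the rules file DEST PORT(S) hunk a few sections earlier writes ranges as "<low port>:<high port>". If the hyphen is intentional (because ":" separates the address from the range, as the example "192.0.2.44:7000-8000" shows), say so explicitly in the text; otherwise readers will carry the colon form over from the rules file and get a parse error. Also, "rounde-robin" in the unchanged context above the hunk is a typo worth fixing while here.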
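Review bot: Grammar in the starting_and_stopping_shorewall.xml hunk that introduces the new command syntax: "Shorewall versions 2.2.0 and later the -c option is deprecated:" needs an "In" in front, and "Shorewall versions before Shorewall 2.2.0:" repeats "Shorewall". The hunk also says -c is "deprecated" but the later check/start/restart entries for 2.2.0 omit it entirely; state whether -c still works with a warning or is rejected.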
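Review bot: The "restart (Shorewall version 2.2.0 and later)" hunk gives the synopsis as "shorewall [ -q ] restart <configuration-directory>", without the square brackets that the neighbouring check and start entries use ("[ <configuration-directory> ]"). As written it says the directory is mandatory for restart, which contradicts the introduction in the same file; bracket it unless restart really requires it. The sentence "making it easier to spot warnings" is missing its full stop.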
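Review bot: The "start (Shorewall 2.2.0 and later)" hunk runs two sentences together: "making it easier to spot warnings If -f is specified" needs a full stop after "warnings", and the final sentence "will be restored if that saved configuration exists" has no terminating punctuation. Same text appears in the pre-2.2.0 entry, so fix both.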
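Review bot: Several wording problems in the traffic_shaping.xml MARK column hunk: "This possible values in this field were expanded" should be "The possible values for this field were expanded"; "conneciton" and "iabove" are typos; and the RESTORE and SAVE bullets end with an unclosed quote (":F) in the RESTORE one and a missing closing quote in the SAVE one. More substantively, the connection-mark bullets define the suffixes as C, CF and CP, but the RESTORE, SAVE and CONTINUE bullets say they "may be followed by ':P' or ':F'" without ever defining :P and :F; add one sentence stating that these select the PREROUTING and FORWARD chains (or whatever they do mean). The traffic-shaping module list ("- atm - cbq - dsmark ...") is run into the paragraph and should be a proper itemized list in the same style as the surrounding entries.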
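Review bot: In the traffic_shaping.xml PROTO/PORT(S) hunk, "/etc/protocol" should be "/etc/protocols" (the Accounting.xml and Documentation.xml hunks in this same patch use the correct name), and "For a list of value ipp2p options" should read "valid ipp2p options". The PORT(S) text also says the ipp2p option is given "(default 'ipp2p')" but, unlike the other two files, does not say the leading "--" is omitted; copy that phrase over so the three descriptions match.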
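Review bot: The three example hunks in traffic_shaping.xml only add "TEST" to the column header; none of the examples uses the new column, so a reader has no worked case for the "[!]<value>[/<mask>][:C]" syntax introduced a few lines earlier. Adding one example row exercising TEST (and one using "C"/"SAVE"/"RESTORE") would make the 2.2.0 additions usable. While touching these examples: the prose in two of them says "destined for 155.186.235.151" but the rules read "155.182.235.151"; make the address consistent.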