More Shorewall 2.2 updates

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1713 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2004-10-24 21:10:47 +00:00
parent 706242aa2c
commit 30bf899901
7 changed files with 471 additions and 120 deletions

View File

@ -29,7 +29,8 @@
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
@ -41,11 +42,11 @@
chain called <quote>accounting</quote> and can thus be displayed using
<quote>shorewall show accounting</quote>. All traffic passing into, out of
or through the firewall traverses the accounting chain including traffic
that will later be rejected by interface options such as <quote>tcpflags</quote>
and <quote>maclist</quote>. If your kernel doesn&#39;t support the
connection tracking match extension (Kernel 2.4.21) then some traffic
rejected under <quote>norfc1918</quote> will not traverse the accounting
chain.</para>
that will later be rejected by interface options such as
<quote>tcpflags</quote> and <quote>maclist</quote>. If your kernel doesn't
support the connection tracking match extension (Kernel 2.4.21) then some
traffic rejected under <quote>norfc1918</quote> will not traverse the
accounting chain.</para>
<para>The columns in the accounting file are as follows:</para>
@ -61,15 +62,15 @@
</listitem>
<listitem>
<para>DONE- Count the match and don&#39;t attempt to match any
following accounting rules.</para>
<para>DONE- Count the match and don't attempt to match any following
accounting rules.</para>
</listitem>
<listitem>
<para><emphasis>&#60;chain&#62;</emphasis> - The name of a chain to
<para><emphasis>&lt;chain&gt;</emphasis> - The name of a chain to
jump to. Shorewall will create the chain automatically. If the name
of the chain is followed by <quote>:COUNT</quote> then a COUNT rule
matching this rule will automatically be added to &#60;chain&#62;.
matching this rule will automatically be added to &lt;chain&gt;.
Chain names must start with a letter, must be composed of letters
and digits, and may contain underscores (<quote>_</quote>) and
periods (<quote>.</quote>). Beginning with Shorewall version 1.4.8,
@ -98,13 +99,20 @@
<listitem>
<para><emphasis role="bold">PROTOCOL</emphasis> - A protocol name (from
<filename>/etc/protocols</filename>) or a protocol number.</para>
<filename>/etc/protocols</filename>), a protocol number or "ipp2p". For
"ipp2p", your kernel and iptables must have ipp2p match support from
<ulink url="http://www.netfilter.org">Netfilter
Patch_o_matic_ng</ulink>.</para>
</listitem>
<listitem>
<para><emphasis role="bold">DEST PORT</emphasis> - Destination Port
number. Service name from <filename>/etc/services</filename> or port
number. May only be specified if the protocol is TCP or UDP (6 or 17).</para>
number. May only be specified if the protocol is TCP or UDP (6 or 17).
If the PROTOCOL is "ipp2p", then this column is interpreted as an ipp2p
option without the leading "--" (default "ipp2p"). For a list of value
ipp2p options, as root type <command>iptables -m ipp2p
--help</command>.</para>
</listitem>
<listitem>
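Review bot: typo in the new DEST PORT text: "For a list of value ipp2p options" should read "valid ipp2p options". Two related points: the link text "Patch_o_matic_ng" here uses underscores while the same link added to the rules-file PROTO description in Documentation.xml in this commit reads "Patch-o-matic-ng", so the two should agree; and since DEST PORT is repurposed as the ipp2p option, the SOURCE PORT column text that follows (still "May only be specified if the protocol is TCP or UDP") should say whether that column must be left empty when PROTOCOL is "ipp2p".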
@ -112,15 +120,42 @@
Service name from /etc/services or port number. May only be specified if
the protocol is TCP or UDP (6 or 17).</para>
</listitem>
<listitem>
<para><emphasis role="bold">USER/GROUP</emphasis> (Added in Shorewall
2.2.0) - This column may only be non-empty if the CHAIN is OUTPUT. The
column may contain:</para>
<programlisting> [!][&lt;user name or number&gt;][:&lt;group name or number&gt;]</programlisting>
<para>When this column is non-empty, the rule applies only if the
program generating the output is running under the effective
&lt;user&gt; and/or &lt;group&gt; specified (or is NOT running under
that id if "!" is given).</para>
<para>Examples:</para>
<simplelist>
<member>joe #program must be run by joe</member>
<member>:kids #program must be run by a member of the 'kids'
group.</member>
<member>!:kids #program must not be run by a member of the 'kids'
group</member>
</simplelist>
</listitem>
</itemizedlist>
<para>In all columns except ACTION and CHAIN, the values <quote>-</quote>,<quote>any</quote>
and <quote>all</quote> are treated as wild-cards.</para>
<para>In all columns except ACTION and CHAIN, the values
<quote>-</quote>,<quote>any</quote> and <quote>all</quote> are treated as
wild-cards.</para>
<para>The accounting rules are evaluated in the Netfilter <quote>filter</quote>
table. This is the same environment where the <quote>rules</quote> file
rules are evaluated and in this environment, DNAT has already occurred in
inbound packets and SNAT has not yet occurred on outbound ones.</para>
<para>The accounting rules are evaluated in the Netfilter
<quote>filter</quote> table. This is the same environment where the
<quote>rules</quote> file rules are evaluated and in this environment, DNAT
has already occurred in inbound packets and SNAT has not yet occurred on
outbound ones.</para>
<para>Accounting rules are not stateful -- each rule only handles traffic in
one direction. For example, if eth0 is your internet interface and you have
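Review bot: the new USER/GROUP paragraph says the column "may only be non-empty if the CHAIN is OUTPUT", but the wild-card sentence directly below states that "-" is treated as a wild-card in every column except ACTION and CHAIN, so it is unclear whether "-" is an acceptable placeholder in USER/GROUP for non-OUTPUT rules. Stating that explicitly would settle it. Minor style point: the three member examples end inconsistently ("group." versus "group").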
@ -192,13 +227,13 @@
11506 13M all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0
[root@gateway shorewall]#</programlisting>
<para>Here&#39;s how the same example would be constructed on an HTTP server
<para>Here's how the same example would be constructed on an HTTP server
with only one interface (eth0).</para>
<caution>
<para>READ THE ABOVE CAREFULLY -- IT SAYS <emphasis role="bold">SERVER</emphasis>.
If you want to account for web browsing, you have to reverse the rules
below.</para>
<para>READ THE ABOVE CAREFULLY -- IT SAYS <emphasis
role="bold">SERVER</emphasis>. If you want to account for web browsing,
you have to reverse the rules below.</para>
</caution>
<programlisting> #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE
@ -213,7 +248,7 @@
<para>Note that with only one interface, only the SOURCE (for input rules)
or the DESTINATION (for output rules) is specified in each rule.</para>
<para>Here&#39;s the output:</para>
<para>Here's the output:</para>
<programlisting> [root@mail shorewall]# shorewall show accounting web Shorewall-1.4.7
Chains accounting web at mail.shorewall.net - Sun Oct 12 10:27:21 PDT 2003
@ -234,5 +269,6 @@
[root@mail shorewall]#</programlisting>
<para>For an example of integrating Shorewall Accounting with MRTG, see
<ulink url="http://www.nightbrawler.com/code/shorewall-stats/">http://www.nightbrawler.com/code/shorewall-stats/</ulink>.</para>
<ulink
url="http://www.nightbrawler.com/code/shorewall-stats/">http://www.nightbrawler.com/code/shorewall-stats/</ulink>.</para>
</article>

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-09-10</pubdate>
<pubdate>2004-10-25</pubdate>
<copyright>
<year>2001-2004</year>
@ -703,6 +703,31 @@ dmz DMZ Demilitarized zone</programlisting>
linkend="Conf">/etc/shorewall/shorewall.conf</link>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>logmartians</term>
<listitem>
<para>(Added in version 2.2.0) - If this option is specified,
the kernel's martian logging facility will be enabled on this
interface
(/proc/sys/net/ipv4/conf/&lt;<emphasis>interface</emphasis>&gt;/log_martians
will be set to 1). See also the LOG_MARTIANS option in <link
linkend="Conf">shorewall.conf</link>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>sourceroute</term>
<listitem>
<para>(Added in version 2.2.0) - If this option is not
specified for an interface, then source-routed packets will
not be accepted from that interface (sets
<filename>/proc/sys/net/ipv4/conf/&lt;interface&gt;</filename>
to 1).</para>
</listitem>
</varlistentry>
</variablelist>
<para>My recommendations concerning options:</para>
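Review bot: the sourceroute entry contradicts itself. It says that when the option is not specified, source-routed packets "will not be accepted", and then that this "sets /proc/sys/net/ipv4/conf/<interface> to 1". The path is missing the sysctl file name (the logmartians entry just above gives the full path ending in /log_martians; the corresponding file for source routing is accept_source_route), and writing 1 would enable acceptance, not disable it. Please give the full path and state which value is written when the option is absent and which when it is present, since opting in to source routing is what the option does.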
@ -710,7 +735,7 @@ dmz DMZ Demilitarized zone</programlisting>
<itemizedlist>
<listitem>
<para>External Interface -- <emphasis
role="bold">tcpflags,blacklist,norfc1918,routefilter,nosmurfs</emphasis></para>
role="bold">tcpflags,blacklist,norfc1918,routefilter,nosmurfs,logmartians</emphasis></para>
</listitem>
<listitem>
@ -1666,8 +1691,11 @@ ACCEPT<emphasis role="bold">:info</emphasis> - - tc
<listitem>
<para>Protocol. Must be a protocol name from /etc/protocols, a
number or <quote>all</quote>. Specifies the protocol of the
connection request.</para>
number, "ipp2p" or <quote>all</quote>. Specifies the protocol of the
connection request. If "ipp2p" then your kernel and iptables must
have ipp2p match support from <ulink
url="http://www.netfilter.org">Netfilter
Patch-o-matic-ng</ulink>.</para>
</listitem>
</varlistentry>
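Review bot: markup inconsistency in the PROTO text: "ipp2p" is given in plain double quotes while the adjacent "all" uses the <quote> element; the same mix of plain quotes and <quote> appears in the DEST PORT(S) hunk below ("--" and "ipp2p"). Using <quote> (or <option>) consistently keeps the rendering uniform.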
@ -1678,11 +1706,14 @@ ACCEPT<emphasis role="bold">:info</emphasis> - - tc
<para>Port or port range (&lt;low port&gt;:&lt;high port&gt;) being
connected to. May only be specified if the protocol is tcp, udp or
icmp. For icmp, this column's contents are interpreted as an icmp
type. If you don't want to specify DEST PORT(S) but need to include
information in one of the columns to the right, enter
<quote>-</quote> in this column. You may give a list of ports and/or
port ranges separated by commas. Port numbers may be either integers
or service names from /etc/services.</para>
type. For ipp2p, this column must contain an ipp2p option without
the leading "--" (default "ipp2p" -- for a list of valid options, as
root type <command>iptables -m ipp2p --help</command>). If you don't
want to specify DEST PORT(S) but need to include information in one
of the columns to the right, enter <quote>-</quote> in this column.
You may give a list of ports and/or port ranges separated by commas.
Port numbers may be either integers or service names from
/etc/services.</para>
</listitem>
</varlistentry>
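Review bot: the first sentence of this paragraph still says the column "May only be specified if the protocol is tcp, udp or icmp", yet the new text makes the column meaningful (with a default) for ipp2p as well; extend the restriction to include ipp2p or call the ipp2p case out as an exception. It would also help to say whether, for ipp2p, the column takes a single option or may be the comma-separated list described for ports.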
@ -2097,6 +2128,20 @@ eth1::192.0.2.32/27
fashion. Beginning with Shorewall version 1.4.7, you may include a
list of ranges and/or addresses in this column; again, Netfilter
will use all listed ranges/addresses in rounde-robin fashion.</para>
<para>Beginning with Shorewall 2.2.0, you may also specify the
source port range to be used (the PROTO column must specify tcp or
udp) by following the address or address range if any with ":" and
the port range (in the format &lt;<emphasis>low
port</emphasis>&gt;-&lt;<emphasis>high port</emphasis>&gt;).</para>
<para>Examples:</para>
<programlisting>#INTERFACE SUBNET ADDRESS PROTO
eth0 10.0.0.0/8 192.0.2.44:7000-8000 udp</programlisting>
<programlisting>#INTERFACE SUBNET ADDRESS PROTO
eth0 192.168.1.0/24 :4000-5000 tcp</programlisting>
</listitem>
</varlistentry>
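Review bot: the port-range format introduced here is <low port>-<high port> (hyphen), while the rules-file DEST PORT(S) description in this same file uses <low port>:<high port> (colon) for the same concept; if the hyphen is what the masq file requires, say so explicitly so readers do not carry the colon form across. The second example, with no address and a bare ":4000-5000", deserves one sentence of explanation since the text only says the range follows the address "if any". Unrelated to this change, the context line above still reads "rounde-robin".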
@ -2501,10 +2546,42 @@ eth0 eth1 206.124.146.176</programlisting>
</varlistentry>
<varlistentry>
<term></term>
<term>LOGALLNEW</term>
<listitem>
<para></para>
<para>(Aded at version 2.2.0)- When set to a log level, this option
causes Shorewall to generaate a logging rule as the first rule in
each builtin chain.</para>
<itemizedlist>
<listitem>
<para>The table name is used as the chain name in the log
prefix.</para>
</listitem>
<listitem>
<para>The chain name is used as the target in the log
pref</para>
</listitem>
</itemizedlist>
<para>Example: Using the default LOGFORMAT, the log prefix for
logging from the nat table's PREROUTING chain is: </para>
<programlisting>Shorewall:nat:PREROUTING</programlisting>
<important>
<para>There is no rate limiting on these logging rules so use
LOGALLNEW at your own risk; it may cause high CPU and disk
utilization and you may not be able to control your firewall after
you enable this option.</para>
</important>
<caution>
<para><emphasis role="bold">DO NOT USE THIS OPTION IF THE
RESULTING LOG MESSAGES WILL BE SENT TO ANOTHER
SYSTEM.</emphasis></para>
</caution>
</listitem>
</varlistentry>
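Review bot: typos in the new LOGALLNEW entry: "Aded" (Added), "generaate" (generate), and the second list item is cut off at "log pref" (log prefix). The two list items would read more clearly as one sentence tied to the example, e.g. "the table name occupies the chain slot and the chain name occupies the target slot of the log prefix, so the nat table's PREROUTING chain logs as Shorewall:nat:PREROUTING". The important and caution admonitions are warranted given that this option logs every new-connection packet with no rate limiting.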
@ -2846,6 +2923,21 @@ eth0 eth1 206.124.146.176</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>LOG_MARTIANS</term>
<listitem>
<para>(Added in Version 2.2.0) - If set to Yes or yes, sets
<filename>/proc/sys/net/ipv4/conf/all/log_martians</filename> and
<filename>/proc/sys/net/ipv4/conf/default/log_martians</filename> to
1. Default is which sets both of the above to zero. If you do not
enable martian logging for all interfaces, you may still enable it
for individual interfaces using the <emphasis
role="bold">logmartians</emphasis> interface option in <link
linkend="Interfaces">/etc/shorewall/interfaces</link>. </para>
</listitem>
</varlistentry>
<varlistentry>
<term>DETECT_DNAT_ADDRS</term>
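Review bot: the LOG_MARTIANS entry has a gap: "Default is which sets both of the above to zero" is missing the default value. Please supply it so the reader knows what an absent setting means.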
@ -3099,6 +3191,21 @@ LOGBURST=5</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>DELAYBLACKLISTLOAD</term>
<listitem>
<para>(Added in Shorewall 2.2.0) - Users with a large static black
list (<filename>/etc/shorewall/blacklist</filename>) may want to set
the DELAYBLACKLISTLOAD option to Yes. When DELAYBLACKLISTLOAD=Yes,
Shorewall will enable new connections before loading the blacklist
rules. While this may allow connections from blacklisted hosts to
slip by during construction of the blacklist, it can substantially
reduce the time that all new connections are disabled during
<command>shorewall [re]start</command>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>CLAMPMSS</term>
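Review bot: this DELAYBLACKLISTLOAD paragraph is reproduced word for word in blacklisting_support.xml in the same commit; one place should hold the text and the other link to it, so the two cannot drift. The security trade-off (connections from blacklisted hosts may get through while the blacklist is being built) is the right thing to document; the entry should also state the default value so it is clear that the safer behaviour applies unless the user opts in.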
@ -3114,6 +3221,11 @@ LOGBURST=5</programlisting>
<para>This option requires CONFIG_IP_NF_TARGET_TCPMSS <ulink
url="kernel.htm">in your kernel</ulink>.</para>
</note>
<para>Beginning with Shorewall version 2.2.0, you may also set
CLAMPMSS to a numeric value (e.g., CLAMPMSS=1400). This will set the
MSS field in TCP SYN packets going through the firewall to the value
that you specify.</para>
</listitem>
</varlistentry>
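Review bot: the new numeric CLAMPMSS form does not say how it differs from CLAMPMSS=Yes or what range of values is sensible; a sentence on when a fixed value is preferable to the Yes behaviour, and a note that the value must fit within the smallest MTU on the path, would help readers choose.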
@ -3713,7 +3825,7 @@ eth1 -</programlisting>
<revision>
<revnumber>1.20</revnumber>
<date>2004-10-22</date>
<date>2004-10-25</date>
<authorinitials>TE</authorinitials>

View File

@ -31,7 +31,8 @@
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
@ -55,7 +56,8 @@
</listitem>
<listitem>
<para>Install the Mandrake <quote>cooker</quote> version of Shorewall.</para>
<para>Install the Mandrake <quote>cooker</quote> version of
Shorewall.</para>
</listitem>
<listitem>
@ -67,16 +69,17 @@
<important>
<para><trademark>Mandrake</trademark> have done it again with their 10.0
release. This time, they have decided that kernel modules should have
&#34;ko.gz&#34; for their suffix. If you are having problems with Mandrake
10.0 and FTP, change your <filename>/etc/shorewall/conf</filename> file
"ko.gz" for their suffix. If you are having problems with Mandrake 10.0
and FTP, change your <filename>/etc/shorewall/conf</filename> file
definition of MODULE_SUFFIX as follows:</para>
<programlisting>MODULE_SUFFIX=&#34;o gz ko o.gz ko.gz&#34;</programlisting>
<programlisting>MODULE_SUFFIX="o gz ko o.gz ko.gz"</programlisting>
<para>The version of <command>insmod</command> shipped with 10.0 also does
not comprehend these module files so you will also need Shorewall 2.0.2 or
later OR you need to change <filename>/usr/share/shorewall/firewall</filename>
-- replace the line that reads:</para>
later OR you need to change
<filename>/usr/share/shorewall/firewall</filename> -- replace the line
that reads:</para>
<programlisting> insmod $modulefile $*</programlisting>
@ -133,14 +136,14 @@
<programlisting>[teastep@wookie Shorewall]$ <emphasis role="bold">ftp ftp1.shorewall.net</emphasis>
Connected to lists.shorewall.net.
220-=(&#60;*&#62;)=-.:. (( Welcome to PureFTPd 1.0.12 )) .:.-=(&#60;*&#62;)=-
220-=(&lt;*&gt;)=-.:. (( Welcome to PureFTPd 1.0.12 )) .:.-=(&lt;*&gt;)=-
220-You are user number 1 of 50 allowed.
220-Local time is now 10:21 and the load is 0.14. Server port: 21.
220 You will be disconnected after 15 minutes of inactivity.
500 Security extensions not implemented
500 Security extensions not implemented
KERBEROS_V4 rejected as an authentication type
Name (ftp1.shorewall.net:teastep): ftp
Name (ftp1.shorewall.net:teastep): <command>ftp</command>
331-Welcome to ftp.shorewall.net
331-
331 Any password will work
@ -148,31 +151,31 @@ Password:
230 Any password will work
Remote system type is UNIX.
Using binary mode to transfer files.
ftp&#62; <emphasis role="bold">debug</emphasis>
ftp&gt; <emphasis role="bold">debug</emphasis>
Debugging on (debug=1).
ftp&#62; <emphasis role="bold">ls</emphasis>
---&#62; <emphasis>PASV</emphasis>
ftp&gt; <emphasis role="bold">ls</emphasis>
---&gt; <emphasis>PASV</emphasis>
<emphasis>227 Entering Passive Mode (192,168,1,193,195,210)</emphasis>
---&#62; LIST
---&gt; LIST
150 Accepted data connection
drwxr-xr-x 5 0 0 4096 Nov 9 2002 archives
drwxr-xr-x 2 0 0 4096 Feb 12 2002 etc
drwxr-sr-x 6 0 50 4096 Feb 19 15:24 pub
226-Options: -l
226 3 matches total
ftp&#62; <emphasis role="bold">passive</emphasis>
ftp&gt; <emphasis role="bold">passive</emphasis>
Passive mode off.
ftp&#62; <emphasis role="bold">ls</emphasis>
<emphasis>---&#62; PORT 192,168,1,3,142,58</emphasis>
ftp&gt; <emphasis role="bold">ls</emphasis>
<emphasis>---&gt; PORT 192,168,1,3,142,58</emphasis>
200 PORT command successful
---&#62; LIST
---&gt; LIST
150 Connecting to port 36410
drwxr-xr-x 5 0 0 4096 Nov 9 2002 archives
drwxr-xr-x 2 0 0 4096 Feb 12 2002 etc
drwxr-sr-x 6 0 50 4096 Feb 19 15:24 pub
226-Options: -l
226 3 matches total
ftp&#62;</programlisting>
ftp&gt;</programlisting>
<para>Things to notice:</para>
@ -184,7 +187,7 @@ ftp&#62;</programlisting>
<listitem>
<para>Commands sent by the client to the server are preceded by
---&#62;</para>
---&gt;</para>
</listitem>
<listitem>
@ -208,14 +211,14 @@ ftp&#62;</programlisting>
<section>
<title>Linux FTP connection-tracking</title>
<para>Given the normal loc-&#62;net policy of ACCEPT, passive mode access
<para>Given the normal loc-&gt;net policy of ACCEPT, passive mode access
from local clients to remote servers will always work but active mode
requires the firewall to dynamically open a <quote>hole</quote> for the
server&#39;s connection back to the client. Similarly, if you are running
an FTP server in your local zone then active mode should always work but
passive mode requires the firewall to dynamically open a <quote>hole</quote>
for the client&#39;s second connection to the server. This is the role of
FTP connection-tracking support in the Linux kernel.</para>
server's connection back to the client. Similarly, if you are running an
FTP server in your local zone then active mode should always work but
passive mode requires the firewall to dynamically open a
<quote>hole</quote> for the client's second connection to the server. This
is the role of FTP connection-tracking support in the Linux kernel.</para>
<para>Where any form of NAT (SNAT, DNAT, Masquerading) on your firewall is
involved, the PORT commands and PASV responses may also need to be
@ -223,11 +226,12 @@ ftp&#62;</programlisting>
function.</para>
<para>Including FTP connection-tracking and NAT support normally means
that the modules <quote>ip_conntrack_ftp</quote> and <quote>ip_nat_ftp</quote>
need to be loaded. Shorewall automatically loads these <quote>helper</quote>
modules from /lib/modules/&#60;<emphasis>kernel-version</emphasis>&#62;/kernel/net/ipv4/netfilter/
that the modules <quote>ip_conntrack_ftp</quote> and
<quote>ip_nat_ftp</quote> need to be loaded. Shorewall automatically loads
these <quote>helper</quote> modules from
/lib/modules/&lt;<emphasis>kernel-version</emphasis>&gt;/kernel/net/ipv4/netfilter/
and you can determine if they are loaded using the <quote>lsmod</quote>
command. The &#60;<emphasis>kernel-version</emphasis>&#62; may be obtained
command. The &lt;<emphasis>kernel-version</emphasis>&gt; may be obtained
by typing</para>
<programlisting><command>uname -r</command></programlisting>
@ -292,8 +296,10 @@ jbd 47860 2 [ext3]
responses. If you run an FTP server on a nonstandard port or you need to
access such a server, you must therefore let the helpers know by
specifying the port in /etc/shorewall/modules entries for the helpers.
<caution><para>You must have modularized FTP connection tracking support
in order to use FTP on a non-standard port.</para></caution></para>
<caution>
<para>You must have modularized FTP connection tracking support in
order to use FTP on a non-standard port.</para>
</caution></para>
<example>
<title>if you run an FTP server that listens on port 49 or you need to
@ -303,8 +309,10 @@ jbd 47860 2 [ext3]
<programlisting>loadmodule ip_conntrack_ftp ports=21,49
loadmodule ip_nat_ftp ports=21,49</programlisting>
<para><note><para>you MUST include port 21 in the ports list or you may
have problems accessing regular FTP servers.</para></note></para>
<para><note>
<para>you MUST include port 21 in the ports list or you may have
problems accessing regular FTP servers.</para>
</note></para>
<para>If there is a possibility that these modules might be loaded
before Shorewall starts, then you should include the port list in
@ -313,9 +321,22 @@ loadmodule ip_nat_ftp ports=21,49</programlisting>
<programlisting>options ip_conntrack_ftp ports=21,49
options ip_nat_ftp ports=21,49</programlisting>
<para><important><para>Once you have made these changes to
/etc/shorewall/modules and/or /etc/modules.conf, you must either:</para><orderedlist><listitem><para>Unload
the modules and restart shorewall:</para><programlisting><command>rmmod ip_nat_ftp; rmmod ip_conntrack_ftp; shorewall restart</command></programlisting></listitem><listitem><para>Reboot</para></listitem></orderedlist></important></para>
<para><important>
<para>Once you have made these changes to /etc/shorewall/modules
and/or /etc/modules.conf, you must either:</para>
<orderedlist>
<listitem>
<para>Unload the modules and restart shorewall:</para>
<programlisting><command>rmmod ip_nat_ftp; rmmod ip_conntrack_ftp; shorewall restart</command></programlisting>
</listitem>
<listitem>
<para>Reboot</para>
</listitem>
</orderedlist>
</important></para>
</example>
</section>
@ -323,15 +344,15 @@ options ip_nat_ftp ports=21,49</programlisting>
<title>Rules</title>
<para>If the policy from the source zone to the destination zone is ACCEPT
and you don&#39;t need DNAT (see <ulink url="FAQ.htm#faq30">FAQ 30</ulink>)
and you don't need DNAT (see <ulink url="FAQ.htm#faq30">FAQ 30</ulink>)
then <emphasis role="bold">you need no rule</emphasis>.</para>
<para>Otherwise, for FTP you need exactly <emphasis role="bold">one</emphasis>
rule:</para>
<para>Otherwise, for FTP you need exactly <emphasis
role="bold">one</emphasis> rule:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO PORT(S) SOURCE ORIGINAL
# PORT(S) DESTINATION
ACCEPT or &#60;<emphasis>source</emphasis>&#62; &#60;<emphasis>destination</emphasis>&#62; tcp 21 &#60;external IP addr&#62; if
ACCEPT or &lt;<emphasis>source</emphasis>&gt; &lt;<emphasis>destination</emphasis>&gt; tcp 21 &lt;external IP addr&gt; if
DNAT ACTION = DNAT</programlisting>
<para>You need an entry in the ORIGINAL DESTINATION column only if the
@ -341,23 +362,32 @@ DNAT ACTION =
<para>Note that you do <emphasis role="bold">NOT </emphasis>need a rule
with 20 (ftp-data) in the PORT(S) column. If you post your rules on the
mailing list and they show 20 in the PORT(S) column, I will know that you
haven&#39;t read this article and I will either ignore your post or tell
you to RTFM.<example><title>Server running behind a Masquerading Gateway</title><para>Suppose
that you run an FTP server on 192.168.1.5 in your local zone using the
standard port (21). You need this rule: </para><programlisting>#ACTION SOURCE DESTINATION PROTO PORT(S) SOURCE ORIGINAL
haven't read this article and I will either ignore your post or tell you
to RTFM.<example>
<title>Server running behind a Masquerading Gateway</title>
<para>Suppose that you run an FTP server on 192.168.1.5 in your local
zone using the standard port (21). You need this rule:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO PORT(S) SOURCE ORIGINAL
# PORT(S) DESTINATION
DNAT net loc:192.168.1.5 tcp 21</programlisting></example><example><title>Allow
your DMZ FTP access to the Internet</title><programlisting>#ACTION SOURCE DESTINATION PROTO PORT(S) SOURCE ORIGINAL
DNAT net loc:192.168.1.5 tcp 21</programlisting>
</example><example>
<title>Allow your DMZ FTP access to the Internet</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO PORT(S) SOURCE ORIGINAL
# PORT(S) DESTINATION
ACCEPT dmz net tcp 21</programlisting></example></para>
ACCEPT dmz net tcp 21</programlisting>
</example></para>
<para>Note that the FTP connection tracking in the kernel cannot handle
cases where a PORT command (or PASV reply) is broken across two packets.
When such cases occur, you will see a console message similar to this one:</para>
When such cases occur, you will see a console message similar to this
one:</para>
<programlisting>Apr 28 23:55:09 gateway kernel: conntrack_ftp: partial PORT 715014972+1</programlisting>
<para> I see this problem occasionally with the FTP server in my DMZ. My
<para>I see this problem occasionally with the FTP server in my DMZ. My
solution is to add the following rule:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO PORT(S) SOURCE ORIGINAL

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-02-17</pubdate>
<pubdate>2004-10-25</pubdate>
<copyright>
<year>2002-2004</year>
@ -29,7 +29,8 @@
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
@ -43,7 +44,7 @@
<orderedlist>
<listitem>
<para>BLACKLISTNEWONLY=No --&#x00A0; All incoming packets are checked
<para>BLACKLISTNEWONLY=No --&nbsp; All incoming packets are checked
against the blacklist. New blacklist entries can be used to terminate
existing connections. Versions of Shorewall prior to 1.4.8 behave in
this manner.</para>
@ -88,12 +89,14 @@
<listitem>
<para>You specify whether you want packets from blacklisted hosts
logged and at what syslog level using the BLACKLIST_LOGLEVEL setting
in <ulink url="Documentation.htm#Config"><filename>/etc/shorewall/shorewall.conf</filename></ulink>.</para>
in <ulink
url="Documentation.htm#Config"><filename>/etc/shorewall/shorewall.conf</filename></ulink>.</para>
</listitem>
<listitem>
<para>You list the IP addresses/subnets that you wish to blacklist in
<ulink url="Documentation.htm#Blacklist"><filename>/etc/shorewall/blacklist</filename></ulink>.
<ulink
url="Documentation.htm#Blacklist"><filename>/etc/shorewall/blacklist</filename></ulink>.
Beginning with Shorewall version 1.3.8, you may also specify PROTOCOL
and Port numbers/Service names in the blacklist file.</para>
</listitem>
@ -101,40 +104,52 @@
<listitem>
<para>You specify the interfaces whose incoming packets you want
checked against the blacklist using the <quote>blacklist</quote>
option in <ulink url="Documentation.htm#Interfaces"><filename>/etc/shorewall/interfaces</filename></ulink>.</para>
option in <ulink
url="Documentation.htm#Interfaces"><filename>/etc/shorewall/interfaces</filename></ulink>.</para>
</listitem>
<listitem>
<para>The black list is refreshed from <filename>/etc/shorewall/blacklist</filename>
by the <quote><ulink url="starting_and_stopping_shorewall.htm"><command>shorewall
<para>The black list is refreshed from
<filename>/etc/shorewall/blacklist</filename> by the <quote><ulink
url="starting_and_stopping_shorewall.htm"><command>shorewall
refresh</command></ulink></quote> command.</para>
</listitem>
</itemizedlist>
<para>Users with a large static black list may want to set the
DELAYBLACKLISTLOAD option in shorewall.conf (added in Shorewall version
2.2.0). When DELAYBLACKLISTLOAD=Yes, Shorewall will enable new connections
before loading the blacklist rules. While this may allow connections from
blacklisted hosts to slip by during construction of the blacklist, it can
substantially reduce the time that all new connections are disabled during
"shorewall [re]start".</para>
</section>
<section>
<title>Dynamic Blacklisting</title>
<para>Dynamic blacklisting support was added in version 1.3.2. Dynamic
blacklisting doesn&#39;t use any configuration parameters but is rather
blacklisting doesn't use any configuration parameters but is rather
controlled using /sbin/shorewall commands:</para>
<itemizedlist>
<listitem>
<para>drop <emphasis>&#60;ip address list&#62;</emphasis> - causes
<para>drop <emphasis>&lt;ip address list&gt;</emphasis> - causes
packets from the listed IP addresses to be silently dropped by the
firewall.</para>
</listitem>
<listitem>
<para>reject <emphasis>&#60;ip address list&#62;</emphasis> - causes
packets from the listed IP addresses to be rejected by the firewall.</para>
<para>reject <emphasis>&lt;ip address list&gt;</emphasis> - causes
packets from the listed IP addresses to be rejected by the
firewall.</para>
</listitem>
<listitem>
<para>allow <emphasis>&#60;ip address list&#62;</emphasis> -
re-enables receipt of packets from hosts previously blacklisted by a
<emphasis>drop</emphasis> or <emphasis>reject</emphasis> command.</para>
<para>allow <emphasis>&lt;ip address list&gt;</emphasis> - re-enables
receipt of packets from hosts previously blacklisted by a
<emphasis>drop</emphasis> or <emphasis>reject</emphasis>
command.</para>
</listitem>
<listitem>
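Review bot: the DELAYBLACKLISTLOAD paragraph added here duplicates the shorewall.conf entry added in Documentation.xml in this same commit; link to that entry instead (the surrounding items already link to Documentation.htm#Config) so the two copies cannot diverge. Also the command is given in plain quotes as "shorewall [re]start", whereas the neighbouring paragraph marks up "shorewall refresh" with <command>.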
@ -144,12 +159,14 @@
</listitem>
<listitem>
<para>show dynamic - displays the dynamic blacklisting configuration.</para>
<para>show dynamic - displays the dynamic blacklisting
configuration.</para>
</listitem>
</itemizedlist>
<para>Dynamic blacklisting is not dependent on the <quote>blacklist</quote>
option in <filename>/etc/shorewall/interfaces</filename>.</para>
<para>Dynamic blacklisting is not dependent on the
<quote>blacklist</quote> option in
<filename>/etc/shorewall/interfaces</filename>.</para>
<example>
<title>Ignore packets from a pair of systems</title>

View File

@ -58,8 +58,8 @@
</section>
<section>
<title>If you have a <emphasis role="bold">single public IP
address</emphasis></title>
<title>If you want the firewall system to handle a <emphasis
role="bold">single public IP address</emphasis></title>
<para>These guides are designed to get your first firewall up and
running quickly in the three most common Shorewall configurations. If
@ -88,7 +88,8 @@
</section>
<section>
<title>If you have more than one public IP address</title>
<title>If you want the firewall system to handle more than one public IP
address</title>
<para>The <ulink url="shorewall_setup_guide.htm">Shorewall Setup
Guide</ulink> outlines the steps necessary to set up a firewall where
@ -99,7 +100,7 @@
</section>
<section>
<title>Guide that Others have Written</title>
<title>Guides that Others have Written</title>
<para>Andrew Allen has provided <ulink
url="http://unofficial-support.com/node/view/46">this guide</ulink> for

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-09-12</pubdate>
<pubdate>2004-10-25</pubdate>
<copyright>
<year>2004</year>
@ -278,11 +278,19 @@
restart</command>, <command>shorewall check</command>, and
<command>shorewall try </command>commands allow you to specify a different
directory for Shorewall to check before looking in <filename
class="directory">/etc/shorewall</filename>:</para>
class="directory">/etc/shorewall</filename>.</para>
<para>Shorewall versions before Shorewall 2.2.0:</para>
<programlisting> <command>shorewall [ -c &lt;configuration-directory&gt; ] {start|restart|check}</command>
<command>shorewall try &lt;configuration-directory&gt; [ &lt;timeout&gt; ]</command></programlisting>
<para>Shorewall versions 2.2.0 and later the -c option is
deprecated:</para>
<programlisting> <command>shorewall {start|restart|check} &lt;configuration-directory&gt;</command>
<command>shorewall try &lt;configuration-directory&gt; [ &lt;timeout&gt; ]</command></programlisting>
<para>If a <emphasis>&lt;configuration-directory</emphasis>&gt; is
specified, each time that Shorewall is going to use a file in <filename
class="directory">/etc/shorewall</filename> it will first look in
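Review bot: the lead-in added for the new syntax, "Shorewall versions 2.2.0 and later the -c option is deprecated:", is missing its preposition and comma; suggest "In Shorewall versions 2.2.0 and later, the -c option is deprecated:". The 2.2.0 synopsis on the same lines also shows the directory as mandatory, `shorewall {start|restart|check} <configuration-directory>`, while the check and start entries added later in this patch bracket it as optional, `[ <configuration-directory> ]`; the two should agree. Minor, in the unchanged context: `<emphasis>&lt;configuration-directory</emphasis>&gt;` leaves the closing angle bracket outside the emphasis element.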
@ -313,7 +321,7 @@
</listitem>
<listitem>
<para><command>shorewall -c ./ check</command></para>
<para><command>shorewall check ./</command></para>
</listitem>
<listitem>
@ -388,7 +396,7 @@
</varlistentry>
<varlistentry>
<term>check</term>
<term>check (Shorewall versions prior to 2.2.0)</term>
<listitem>
<para><command>shorewall [ -c &lt;configuration-directory&gt; ]
@ -402,6 +410,21 @@
</listitem>
</varlistentry>
<varlistentry>
<term>check (Shorewall 2.2.0 and later)</term>
<listitem>
<para><command>shorewall [-q] check [
&lt;configuration-directory&gt; ]</command></para>
<para>Performs a cursory validation of the zones, interfaces, hosts,
rules and policy files. Use this if you are unsure of any edits you
have made to the shorewall configuration. See <link
linkend="AltConfig">above</link> for a recommended way to make
changes.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>clear</term>
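Review bot: the new check synopsis accepts `-q`, but unlike the restart and start entries added in this patch the description never says what -q does; suggest adding "If -q is specified, less detail is displayed making it easier to spot warnings." so the three 2.2.0 entries are consistent.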
@ -584,7 +607,7 @@
</varlistentry>
<varlistentry>
<term>restart</term>
<term>restart (Prior to Shorewall version 2.2.0)</term>
<listitem>
<para><command>shorewall [ -q ] [ -c &lt;configuration-directory&gt;
@ -597,6 +620,20 @@
</listitem>
</varlistentry>
<varlistentry>
<term>restart (Shorewall version 2.2.0 and later)</term>
<listitem>
<para><command>shorewall [ -q ] restart
&lt;configuration-directory&gt;</command></para>
<para>Restart is similar to <command>shorewall stop</command>
followed by <command>shorewall start</command>. Existing connections
are maintained. If -q is specified, less detail is displayed making
it easier to spot warnings</para>
</listitem>
</varlistentry>
<varlistentry>
<term>restore</term>
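Review bot: the restart synopsis shows `<configuration-directory>` as mandatory, whereas the check and start entries in this patch bracket it as optional, `[ <configuration-directory> ]`, and the earlier section says the directory is only consulted "if a <configuration-directory> is specified"; bracket it here as well. The last sentence of the description also lacks a full stop after "warnings".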
@ -671,7 +708,7 @@
</varlistentry>
<varlistentry>
<term>start</term>
<term>start (Shorewall versions prior to 2.2.0)</term>
<listitem>
<para><command>shorewall [ -q ] [ -f ] [ -c
@ -688,6 +725,24 @@
</listitem>
</varlistentry>
<varlistentry>
<term>start (Shorewall 2.2.0 and later)</term>
<listitem>
<para><command>shorewall [ -q ] [ -f ] start [
&lt;configuration-directory&gt; ]</command></para>
<para>Start shorewall. Existing connections through shorewall
managed interfaces are untouched. New connections will be allowed
only if they are allowed by the firewall rules or policies. If -q is
specified, less detail is displayed making it easier to spot
warnings If -f is specified, the saved configuration specified by
the RESTOREFILE option in <ulink
url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>
will be restored if that saved configuration exists</para>
</listitem>
</varlistentry>
<varlistentry>
<term>stop</term>
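Review bot: two sentences in the added start description run together: "easier to spot warnings If -f is specified" needs a full stop after "warnings", and the paragraph ends without one after "exists".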

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-09-30</pubdate>
<pubdate>2004-10-25</pubdate>
<copyright>
<year>2001-2004</year>
@ -203,6 +203,77 @@
chains respectively. If this additional specification is omitted, the
chain used to mark packets will be determined by the setting of the
MARK_IN_FORWARD_CHAIN option in shorewall.conf.</para>
<para>This possible values in this field were expanded in Shorewall
version 2.2.0:</para>
<itemizedlist>
<listitem>
<para>If your kernel and iptables include CONNMARK support then
you can also mark the connection rather than the packet</para>
<itemizedlist>
<listitem>
<para>The mark value may be optionally followed by "/" and a
mask value (used to determine those bits of the connection
mark to actually be set).</para>
</listitem>
<listitem>
<para>The mark and optional mask are then followed by one
of:<simplelist>
<member>C: Mark the connection in the chain determined by
the setting of MARK_IN_FORWARD_CHAIN</member>
<member>CF: Mark the conneciton in the FORWARD
chain</member>
<member>CP: Mark the connection in the PREROUTING
chain.</member>
</simplelist></para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>A classification of the form &lt;major&gt;:&lt;minor&gt;
where &lt;major&gt; and &lt;minor&gt; are integers. Corresponds to
the 'class' specification in these traffic shaping
modules:<simplelist>
<member>- atm</member>
<member>- cbq</member>
<member>- dsmark</member>
<member>- pfifo_fast</member>
<member>- htb</member>
<member>- prio</member>
</simplelist>Classification always occurs in the POSTROUTING
chain.</para>
</listitem>
<listitem>
<para>RESTORE[/mask] -- restore the packet's mark from the
connection's mark using the supplied mask if any. Your kernel and
iptables must include CONNMARK support. As iabove, may be followed
by ":P" or ":F</para>
</listitem>
<listitem>
<para>SAVE[/mask] -- save the packet's mark to the connection's
mark using the supplied mask if any. Your kernel and iptables must
include CONNMARK support. As above, may be followed by ":P" or
":F</para>
</listitem>
<listitem>
<para>CONTINUE -- don't process any more marking rules in the
table. As above, may be followed by ":P" or ":F".</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
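Review bot: several slips in the added MARK column text: "This possible values in this field" should be "The possible values in this field"; "conneciton" in the CF member should be "connection"; "As iabove" in the RESTORE item should be "As above"; and the RESTORE and SAVE items end with `":F` without the closing quotation mark (compare the CONTINUE item, which correctly has `":F"`). It would also help the reader if the connection-mark item said what the C/CF/CP suffix defaults to when omitted, since the packet-mark form above it is described as defaulting to MARK_IN_FORWARD_CHAIN.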
@ -222,14 +293,20 @@
<listitem>
<para>PROTO - Protocol - Must be the name of a protocol from
/etc/protocol, a number or <quote>all</quote></para>
/etc/protocol, "ipp2p", a number or "all". For "ipp2p", your kernel
and iptables must have ipp2p match support from <ulink
url="http://www.netfilter.org">Netfilter
Patch_o_matic_ng</ulink>.</para>
</listitem>
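Review bot: the rewritten PROTO line keeps "/etc/protocol"; the protocol names file is /etc/protocols, so correct the path while this line is being edited.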
<listitem>
<para>PORT(S) - Destination Ports. A comma-separated list of Port
names (from /etc/services), port numbers or port ranges (e.g., 21:22);
if the protocol is <quote>icmp</quote>, this column is interpreted as
the destination icmp type(s).</para>
the destination icmp type(s). If the protocol is "ipp2p", then this
column is interpreted as an ipp2p option (default "ipp2p"). For a list
of value ipp2p options, as root type <command>iptables -m ipp2p
--help</command>.</para>
</listitem>
<listitem>
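Review bot: "For a list of value ipp2p options" should read "For a list of valid ipp2p options".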
@ -252,6 +329,29 @@
<para>Examples : john: / john / :users / john:users</para>
</listitem>
<listitem>
<para>TEST (added in Shorewall version 2.2.0). Defines a test on the
existing packet or connection mark. The rule will match only if the
test returns true. Tests have the format </para>
<programlisting>[!]&lt;value&gt;[/&lt;mask&gt;][:C]</programlisting>
<para>where</para>
<simplelist>
<member>! Inverts the test (not equal)</member>
<member>&lt;<emphasis>value</emphasis>&gt; Value of the packet or
connection mark.</member>
<member>&lt;<emphasis>mask</emphasis>&gt; A mask to be applied to
the mark before testing</member>
<member>:C Designates a connection mark. If omitted, the packet
mark's value is tested.</member>
</simplelist>
</listitem>
</itemizedlist>
<example>
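Review bot: the new TEST column description does not say the column is optional or how an omitted test is written; the examples updated later in this patch add a TEST heading but leave the column empty, so readers must infer this. Suggest stating explicitly that the column may be left empty (or given as Shorewall's usual "-" placeholder) when no mark test is wanted.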
@ -261,7 +361,7 @@
arriving on eth2 and eth3 should be marked with 2. All packets
originating on the firewall itself should be marked with 3.</para>
<programlisting>#MARK SOURCE DESTINATION PROTOCOL USER/GROUP
<programlisting>#MARK SOURCE DESTINATION PROTOCOL USER/GROUP TEST
1 eth1 0.0.0.0/0 all
2 eth2 0.0.0.0/0 all
2 eth3 0.0.0.0/0 all
@ -274,7 +374,7 @@
<para>All GRE (protocol 47) packets not originating on the firewall and
destined for 155.186.235.151 should be marked with 12.</para>
<programlisting>#MARK SOURCE DESTINATION PROTOCOL USER/GROUP
<programlisting>#MARK SOURCE DESTINATION PROTOCOL USER/GROUP TEST
12 0.0.0.0/0 155.182.235.151 47</programlisting>
</example>
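Review bot: in the unchanged context the prose says the packets are "destined for 155.186.235.151", but the rule line uses 155.182.235.151; the SSH example in the following hunk has the same prose/rule mismatch. Since the header line of each listing is being touched anyway, align the two addresses.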
@ -284,7 +384,7 @@
<para>All SSH packets originating in 192.168.1.0/24 and destined for
155.186.235.151 should be marked with 22.</para>
<programlisting>#MARK SOURCE DESTINATION PROTOCOL USER/GROUP
<programlisting>#MARK SOURCE DESTINATION PROTOCOL USER/GROUP TEST
22 192.168.1.0/24 155.182.235.151 tcp 22</programlisting>
</example>
</section>