Changes for 1.3.8

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@242 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2002-09-16 17:13:10 +00:00
parent 4eecdd21fe
commit 329bddd120
25 changed files with 7106 additions and 6131 deletions

File diff suppressed because it is too large

View File

@ -533,7 +533,9 @@ problem are:</p>
over my console making it unusable!</h4> over my console making it unusable!</h4>
<p align="left"><b>Answer: </b>&quot;man dmesg&quot; -- add a suitable 'dmesg' command to your startup <p align="left"><b>Answer: </b>&quot;man dmesg&quot; -- add a suitable 'dmesg' command to your startup
scripts or place it in /etc/shorewall/start.</p> scripts or place it in /etc/shorewall/start. Under RedHat, the max log level
that is sent to the console is specified in /etc/sysconfig/init in the
LOGLEVEL variable.</p>
<h4 align="left"><a name="faq17"></a>17. Why can't Shorewall detect my <h4 align="left"><a name="faq17"></a>17. Why can't Shorewall detect my
interfaces properly?</h4> interfaces properly?</h4>
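Review bot: the added RedHat sentence names /etc/sysconfig/init and its LOGLEVEL variable but does not relate it to the dmesg advice in the sentence just before it; say that on RedHat this variable is the boot-time setting for the same console log level, so a 'dmesg' command placed in /etc/shorewall/start would be duplicating or overriding it, and the reader should choose one place to set it.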
@ -566,7 +568,7 @@ over my console making it unusable!</h4>
zone is defined as all hosts connected through eth1.</div> zone is defined as all hosts connected through eth1.</div>
<p align="left"><font size="2">Last updated <p align="left"><font size="2">Last updated
8/15/2002 - <a href="support.htm">Tom 8/24/2002 - <a href="support.htm">Tom
Eastep</a></font></p> Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>

View File

@ -42,7 +42,25 @@ parameter to the type of tunnel that you want to create.</p>
<blockquote> <blockquote>
<p align="left">tunnel_type=gre</p> <p align="left">tunnel_type=gre</p>
</blockquote> </blockquote>
<p align="left">On system A, the 10.0.0.0/8 will comprise the <b>gw</b> zone. In <p align="left">On each firewall, you will need to declare a zone to represent
the remote subnet. We'll assume that this zone is called 'vpn' and declare it in
/etc/shorewall/zones on both systems as follows.</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse">
<tr>
<td><strong>ZONE</strong></td>
<td><strong>DISPLAY</strong></td>
<td><strong>COMMENTS</strong></td>
</tr>
<tr>
<td>vpn</td>
<td>VPN</td>
<td>Remote Subnet</td>
</tr>
</table>
</blockquote>
<p align="left">On system A, the 10.0.0.0/8 will comprise the <b>vpn</b> zone. In
/etc/shorewall/interfaces:</p> /etc/shorewall/interfaces:</p>
<blockquote> <blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse"> <table border="2" cellpadding="2" style="border-collapse: collapse">
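Review bot: declaring the zone in /etc/shorewall/zones before it is referenced fixes the old text, which used 'gw' in the interfaces and policy tables without ever defining it; one gap remains in the new paragraph: it should say explicitly that the ZONE value in this table ('vpn') is the name that must match the ZONE column of /etc/shorewall/interfaces and the SOURCE/DEST columns of /etc/shorewall/policy on both gateways, since a reader who picks a different spelling in one file will have entries that no longer refer to the same zone. A short note that DISPLAY is only a label used in messages, not a second name, would also avoid confusion between 'vpn' and 'VPN'.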
@ -53,7 +71,7 @@ parameter to the type of tunnel that you want to create.</p>
<td><b>OPTIONS</b></td> <td><b>OPTIONS</b></td>
</tr> </tr>
<tr> <tr>
<td>gw</td> <td>vpn</td>
<td>tosysb</td> <td>tosysb</td>
<td>10.255.255.255</td> <td>10.255.255.255</td>
<td>&nbsp;</td> <td>&nbsp;</td>
@ -88,7 +106,7 @@ encapsulation protocol (4) will be accepted to/from the remote gateway.</p>
gateway=134.28.54.2<br> gateway=134.28.54.2<br>
subnet=10.0.0.0/8</p> subnet=10.0.0.0/8</p>
</blockquote> </blockquote>
<p>Similarly, On system B the 192.168.1.0/24 subnet will comprise the <b>gw</b> <p>Similarly, On system B the 192.168.1.0/24 subnet will comprise the <b>vpn</b>
zone. In /etc/shorewall/interfaces:</p> zone. In /etc/shorewall/interfaces:</p>
<blockquote> <blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse"> <table border="2" cellpadding="2" style="border-collapse: collapse">
@ -99,7 +117,7 @@ zone. In /etc/shorewall/interfaces:</p>
<td><b>OPTIONS</b></td> <td><b>OPTIONS</b></td>
</tr> </tr>
<tr> <tr>
<td>gw</td> <td>vpn</td>
<td>tosysa</td> <td>tosysa</td>
<td>192.168.1.255</td> <td>192.168.1.255</td>
<td>&nbsp;</td> <td>&nbsp;</td>
@ -135,7 +153,7 @@ zone. In /etc/shorewall/interfaces:</p>
<p>You can rename the modified tunnel scripts if you like; be sure that they are <p>You can rename the modified tunnel scripts if you like; be sure that they are
secured so that root can execute them. </p> secured so that root can execute them. </p>
<p align="Left"> You will need to allow traffic between the &quot;gw&quot; zone and <p align="Left"> You will need to allow traffic between the &quot;vpn&quot; zone and
the &quot;loc&quot; zone on both systems -- if you simply want to admit all traffic the &quot;loc&quot; zone on both systems -- if you simply want to admit all traffic
in both directions, you can use the policy file:</p> in both directions, you can use the policy file:</p>
@ -150,13 +168,13 @@ secured so that root can execute them. </p>
</tr> </tr>
<tr> <tr>
<td>loc</td> <td>loc</td>
<td>gw</td> <td>vpn</td>
<td>ACCEPT</td> <td>ACCEPT</td>
<td>&nbsp;</td> <td>&nbsp;</td>
</tr> </tr>
<tr> <tr>
<td>gw</td> <td>vpn</td>
<td>loc</td> <td>loc</td>
<td>ACCEPT</td> <td>ACCEPT</td>
<td>&nbsp;</td> <td>&nbsp;</td>
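Review bot: the two policy rows now read loc to vpn ACCEPT and vpn to loc ACCEPT with an empty fourth (log level) column; since together they admit all traffic in both directions between the local network and whatever sits at the far end of the tunnel, it is worth stating next to the table that this trusts the remote subnet exactly as much as the local one, and that readers who want less than full trust should express the allowed services as rules instead of a blanket policy, or at least set a log level in the fourth column so the flows are recorded.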
@ -168,7 +186,7 @@ secured so that root can execute them. </p>
run the modified tunnel script with the &quot;start&quot; argument on each run the modified tunnel script with the &quot;start&quot; argument on each
system. The systems in the two masqueraded subnetworks can now talk to each system. The systems in the two masqueraded subnetworks can now talk to each
other</p> other</p>
<p><font size="2">Updated 5/18/2002 - <a href="support.htm">Tom <p><font size="2">Updated 8/22/2002 - <a href="support.htm">Tom
Eastep</a> </font></p> Eastep</a> </font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>

View File

@ -11,11 +11,14 @@
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90"> <table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#FFFFFF">Shorewall Installation</font></h1> <h1 align="center"><font color="#FFFFFF">Shorewall Installation and Upgrade</font></h1>
</td> </td>
</tr> </tr>
</table> </table>
<p align="center"><b>Before upgrading, be sure to review the
<a href="upgrade_issues.htm">Upgrade Issues</a></b></p>
<p><font size="4"><b><a href="#Install_RPM">Install using RPM</a><br> <p><font size="4"><b><a href="#Install_RPM">Install using RPM</a><br>
<a href="#Install_Tarball">Install <a href="#Install_Tarball">Install
using tarball</a><br> using tarball</a><br>
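Review bot: the heading now promises 'Installation and Upgrade' and a centred notice points to upgrade_issues.htm, but the anchor list that follows (Install using RPM, Install using tarball, ...) gains no upgrade entry in this hunk; if the page has an upgrade section further down, add an anchor link to it here, and if it does not, either drop 'Upgrade' from the heading or expand the notice into the actual upgrade steps.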
@ -163,7 +166,7 @@ QuickStart Guides</a> contain all of the information you need.</p>
the firewall system.</li> the firewall system.</li>
<li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC addresses.</li> <li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC addresses.</li>
</ul> </ul>
<p><font size="2">Updated 8/7/2002 - <a href="support.htm">Tom <p><font size="2">Updated 9/13/2002 - <a href="support.htm">Tom
Eastep</a> </font></p> Eastep</a> </font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>

File diff suppressed because it is too large

View File

@ -44,7 +44,9 @@
<li> <li>
<a href="troubleshoot.htm">Troubleshooting</a></li> <a href="troubleshoot.htm">Troubleshooting</a></li>
<li> <li>
<a href="errata.htm">Errata/Upgrade Issues</a></li> <a href="errata.htm">Errata</a></li>
<li>
<a href="upgrade_issues.htm">Upgrade Issues</a></li>
<li> <li>
<a href="support.htm">Support</a></li> <a href="support.htm">Support</a></li>
<li> <li>
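Review bot: splitting 'Errata/Upgrade Issues' into separate Errata and Upgrade Issues entries changes where readers land for upgrade information; make sure errata.htm now cross-links to upgrade_issues.htm (and vice versa), because other pages touched by this commit, the download page for one, still send readers only to the errata after they have verified which version they hold.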
@ -55,6 +57,7 @@
<li><a target="_top" href="http://shorewall.infohiiway.com">Texas, USA</a></li> <li><a target="_top" href="http://shorewall.infohiiway.com">Texas, USA</a></li>
<li><a target="_top" href="http://germany.shorewall.net">Germany</a></li> <li><a target="_top" href="http://germany.shorewall.net">Germany</a></li>
<li><a target="_top" href="http://shorewall.correofuego.com.ar">Argentina</a></li> <li><a target="_top" href="http://shorewall.correofuego.com.ar">Argentina</a></li>
<li><a target="_top" href="http://france.shorewall.net">France</a></li>
</ul> </ul>
</li> </li>
</ul> </ul>

View File

@ -1,67 +1,95 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> <meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta http-equiv="Content-Type"
<title>Blacklisting Support</title> content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Blacklisting Support</title>
</head> </head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0"
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90"> style="border-collapse: collapse;" bordercolor="#111111" width="100%"
<tr> id="AutoNumber1" bgcolor="#400169" height="90">
<td width="100%"> <tbody>
<h1 align="center"><font color="#FFFFFF">Blacklisting Support</font></h1> <tr>
</td> <td width="100%">
</tr> <h1 align="center"><font color="#ffffff">Blacklisting Support</font></h1>
</td>
</tr>
</tbody>
</table> </table>
<p>Shorewall supports two different forms of blacklisting; static and dynamic.</p> <p>Shorewall supports two different forms of blacklisting; static and dynamic.</p>
<h2>Static Blacklisting</h2> <h2>Static Blacklisting</h2>
<p>Shorewall
static blacklisting support has the following configuration parameters:</p> <p>Shorewall static blacklisting support has the following configuration
parameters:</p>
<ul> <ul>
<li>You specify whether you want packets from blacklisted hosts dropped or <li>You specify whether you want packets from blacklisted hosts dropped
rejected using the <a href="Documentation.htm#BLDisposition">BLACKLIST_DISPOSITION</a> or rejected using the <a href="Documentation.htm#BLDisposition">BLACKLIST_DISPOSITION</a>
setting in /etc/shorewall/shorewall.conf</li> setting in /etc/shorewall/shorewall.conf</li>
<li>You specify whether you want packets from blacklisted hosts logged and at <li>You specify whether you want packets from blacklisted hosts logged
what syslog level using the <a href="Documentation.htm#BLLoglevel">BLACKLIST_LOGLEVEL</a> and at what syslog level using the <a
setting in /etc/shorewall/shorewall.conf</li> href="Documentation.htm#BLLoglevel">BLACKLIST_LOGLEVEL</a> setting in
<li>You list the IP addresses/subnets that you wish to blacklist in <a href="Documentation.htm#Blacklist">/etc/shorewall/blacklist</a></li> /etc/shorewall/shorewall.conf</li>
<li>You specify the interfaces whose incoming packets you want checked against <li>You list the IP addresses/subnets that you wish to blacklist in <a
the blacklist using the &quot;<a href="Documentation.htm#BLInterface">blacklist</a>&quot; href="Documentation.htm#Blacklist">/etc/shorewall/blacklist.</a> Beginning
option in /etc/shorewall/interfaces.</li> with Shorewall version 1.3.8, you may also specify PROTOCOL and Port numbers/Service
<li>The black list is refreshed from /etc/shorewall/blacklist by the &quot;<a href="Documentation.htm#Starting">shorewall names in the blacklist file.<br>
refresh</a>&quot; command.</li> </li>
<li>You specify the interfaces whose incoming packets you want checked
against the blacklist using the "<a
href="Documentation.htm#Interfaces">blacklist</a>" option in /etc/shorewall/interfaces.</li>
<li>The black list is refreshed from /etc/shorewall/blacklist by the "<a
href="Documentation.htm#Starting">shorewall refresh</a>" command.</li>
</ul> </ul>
<h2>Dynamic Blacklisting</h2> <h2>Dynamic Blacklisting</h2>
<p>Dynamic blacklisting support was added in version 1.3.2. Dynamic blacklisting
doesn't use any configuration parameters but is rather controlled using <p>Dynamic blacklisting support was added in version 1.3.2. Dynamic blacklisting
/sbin/shorewall commands:</p> doesn't use any configuration parameters but is rather controlled using
/sbin/shorewall commands:</p>
<ul> <ul>
<li>deny <i>&lt;ip address list&gt; </i>- causes packets from the listed IP <li>deny <i>&lt;ip address list&gt; </i>- causes packets from the listed
addresses to be silently dropped by the firewall.</li> IP addresses to be silently dropped by the firewall.</li>
<li>reject <i>&lt;ip address list&gt; </i>- causes packets from the listed IP <li>reject <i>&lt;ip address list&gt; </i>- causes packets from the listed
addresses to be rejected by the firewall.</li> IP addresses to be rejected by the firewall.</li>
<li>allow <i>&lt;ip address list&gt; </i>- re-enables receipt of packets from hosts <li>allow <i>&lt;ip address list&gt; </i>- re-enables receipt of packets
previously blacklisted by a <i>deny</i> or <i>reject</i> command.</li> from hosts previously blacklisted by a <i>deny</i> or <i>reject</i> command.</li>
<li>save - save the dynamic blacklisting configuration so that it will be <li>save - save the dynamic blacklisting configuration so that it will
automatically restored the next time that the firewall is restarted.</li> be automatically restored the next time that the firewall is restarted.</li>
<li>show dynamic - displays the dynamic blacklisting configuration.</li> <li>show dynamic - displays the dynamic blacklisting configuration.</li>
</ul> </ul>
<p>Example 1:</p> <p>Example 1:</p>
<pre> shorewall deny 192.0.2.124 192.0.2.125</pre> <pre> shorewall deny 192.0.2.124 192.0.2.125</pre>
<p>&nbsp;&nbsp;&nbsp; Drops packets from hosts 192.0.2.124 and 192.0.2.125</p>
<p>    Drops packets from hosts 192.0.2.124 and 192.0.2.125</p>
<p>Example 2:</p> <p>Example 2:</p>
<pre> shorewall allow 192.0.2.125</pre> <pre> shorewall allow 192.0.2.125</pre>
<p>&nbsp;&nbsp;&nbsp; Reenables access from 192.0.2.125.</p>
<p><font size="2">Last updated 6/16/2002 - <a href="support.htm">Tom <p>    Reenables access from 192.0.2.125.</p>
Eastep</a></font></p>
<p><font size="2">Last updated 9/16/2002 - <a href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2002 Thomas M. Eastep.</font></a></font></p> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2002 Thomas M. Eastep.</font></a></font></p>
<br>
</body> </body>
</html>
</html>
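Review bot: the one substantive change in this hunk, the sentence that from Shorewall 1.3.8 PROTOCOL and port numbers/service names may be given in /etc/shorewall/blacklist, does not say what the new columns are called, in what order they appear, or what happens to an entry that names a port without a protocol; a single example entry and a pointer to the updated Documentation.htm#Blacklist section would make the feature usable from this page. The 'blacklist' option link also changed from Documentation.htm#BLInterface to Documentation.htm#Interfaces: confirm the new anchor exists. Everything else here (the inserted tbody, lower-cased colour values, &nbsp; entities replaced by literal non-breaking spaces, re-wrapped lines) is editor reformatting; committing it separately from the content change would make the real edit reviewable.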

View File

@ -1,227 +1,305 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> <meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta http-equiv="Content-Type"
<title>Download</title> content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Download</title>
</head> </head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0"
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90"> style="border-collapse: collapse;" bordercolor="#111111" width="100%"
<tr> id="AutoNumber1" bgcolor="#400169" height="90">
<td width="100%"> <tbody>
<h1 align="center"><font color="#FFFFFF">Shorewall Download</font></h1> <tr>
</td> <td width="100%">
</tr> <h1 align="center"><font color="#ffffff">Shorewall Download</font></h1>
</td>
</tr>
</tbody>
</table> </table>
<p><b>I strongly urge you to read and print a copy of the <p><b>I strongly urge you to read and print a copy of the <a
<a href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a> href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
for the configuration that most closely matches your own.</b></p> for the configuration that most closely matches your own.</b></p>
<p>Once you've done that, download <u> one</u> of the modules:</p> <p>Once you've done that, download <u> one</u> of the modules:</p>
<ul> <ul>
<li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>, <b> Linux PPC</b> or <li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>, <b>
<b> TurboLinux</b> distribution Linux PPC</b> or <b> TurboLinux</b> distribution with a 2.4 kernel,
with a 2.4 kernel, you can use the RPM version (note: the you can use the RPM version (note: the RPM should also work
RPM should also work with other distributions that store with other distributions that store init scripts in /etc/init.d
init scripts in /etc/init.d and that include chkconfig or insserv). and that include chkconfig or insserv). If you find that it works
If you find that it works in other cases, let <a href="mailto:teastep@shorewall.net"> in other cases, let <a href="mailto:teastep@shorewall.net"> me</a>
me</a> know so that I can mention them here. See the <a
know so that I can mention them here. See the href="Install.htm">Installation Instructions</a> if you have problems
<a href="Install.htm">Installation Instructions</a> if you have problems installing the RPM.</li>
installing the RPM.</li> <li>If you are running LRP, download the .lrp file (you might also want
<li>If you are running LRP, download the .lrp file (you might also want to to download the .tgz so you will have a copy of the documentation).</li>
download the .tgz so you will have a copy of the documentation).</li> <li>If you run <a href="http://www.debian.org"><b>Debian</b></a> and would
<li>If you run <a href="http://www.debian.org"><b>Debian</b></a> and would like a .deb package, Shorewall is in both the <a
like a .deb package, Shorewall is in both the href="http://packages.debian.org/testing/net/shorewall.html">Debian
<a href="http://packages.debian.org/testing/net/shorewall.html">Debian Testing Branch</a> and the <a
Testing Branch</a> and the href="http://packages.debian.org/unstable/net/shorewall.html">Debian
<a href="http://packages.debian.org/unstable/net/shorewall.html">Debian Unstable Branch</a>.</li>
Unstable Branch</a>.</li> <li>Otherwise, download the <i>shorewall</i> module (.tgz)</li>
<li>Otherwise, download the <i>shorewall</i> module (.tgz)</li>
</ul> </ul>
<p>The documentation in HTML format is included in the .tgz and .rpm files and
there is an documentation .deb that also contains the documentation.</p> <p>The documentation in HTML format is included in the .tgz and .rpm files
<p>Please verify the version that you have and there is an documentation .deb that also contains the documentation.</p>
downloaded -- during the release of a new version of Shorewall, the links
below may point to a newer or an older version than is shown below.</p> <p>Please verify the version that you have downloaded -- during the
release of a new version of Shorewall, the links below may point
to a newer or an older version than is shown below.</p>
<ul> <ul>
<li>RPM - &quot;rpm -qip LATEST.rpm&quot;</li> <li>RPM - "rpm -qip LATEST.rpm"</li>
<li>TARBALL - &quot;tar -ztf LATEST.tgz&quot; (the directory <li>TARBALL - "tar -ztf LATEST.tgz" (the directory name will contain
name will contain the version)</li> the version)</li>
<li>LRP - &quot;mkdir Shorewall.lrp; cd Shorewall.lrp; tar <li>LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar -zxf &lt;downloaded
-zxf &lt;downloaded .lrp&gt;; cat var/lib/lrpkg/shorwall.version&quot; </li> .lrp&gt;; cat var/lib/lrpkg/shorwall.version" </li>
</ul> </ul>
<p><font face="Arial">Once you have verified the
version, check the </font><font color="#ff0000" face="Arial"> <a href="errata.htm"> errata</a></font><font face="Arial"> <p><font face="Arial">Once you have verified the version, check the
to see if there are updates that apply to the version that you have </font><font color="#ff0000" face="Arial"> <a href="errata.htm"> errata</a></font><font
downloaded.</font></p> face="Arial"> to see if there are updates that apply to the version
<p><font color="#FF0000" face="Arial"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY INSTALL THE RPM that you have downloaded.</font></p>
AND ISSUE A &quot;shorewall start&quot; COMMAND. SOME CONFIGURATION IS REQUIRED BEFORE THE
FIREWALL WILL START. IF YOU ISSUE A &quot;start&quot; COMMAND AND THE FIREWALL FAILS TO <p><font color="#ff0000" face="Arial"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY
START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY NETWORK TRAFFIC. IF THIS HAPPENS, INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
ISSUE A &quot;shorewall clear&quot; COMMAND TO RESTORE NETWORK CONNECTIVITY.</b></font></p> IS REQUIRED BEFORE THE FIREWALL WILL START. IF YOU ISSUE A "start" COMMAND
<p>Download Latest Version (<b>1.3.7</b>): <b>Remember that updates to the mirrors AND THE FIREWALL FAILS TO START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY NETWORK
occur 1-12 hours after an update to the primary site.</b></p> TRAFFIC. IF THIS HAPPENS, ISSUE A "shorewall clear" COMMAND TO RESTORE NETWORK
<blockquote> CONNECTIVITY.</b></font></p>
<table border="2" cellspacing="3" cellpadding="3" style="border-collapse: collapse">
<tr> <p>Download Latest Version (<b>1.3.8</b>): <b>Remember that updates to the
<td><b>SERVER LOCATION</b></td> mirrors occur 1-12 hours after an update to the primary site.</b></p>
<td><b>DOMAIN</b></td>
<td><b>HTTP</b></td> <blockquote>
<td><b>FTP</b></td> <table border="2" cellspacing="3" cellpadding="3"
</tr> style="border-collapse: collapse;">
<tr> <tbody>
<td>Washington State, USA</td> <tr>
<td>Shorewall.net</td> <td><b>SERVER LOCATION</b></td>
<td><a href="http://www.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br> <td><b>DOMAIN</b></td>
<a href="http://www.shorewall.net/pub/shorewall/LATEST.tgz">Download <td><b>HTTP</b></td>
.tgz</a>&nbsp;<br> <td><b>FTP</b></td>
<a href="http://www.shorewall.net/pub/shorewall/LATEST.lrp">Download </tr>
<tr>
<td>Washington State, USA</td>
<td>Shorewall.net</td>
<td><a href="http://www.shorewall.net/pub/shorewall/LATEST.rpm">Download
.rpm</a><br>
<a href="http://www.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a href="http://www.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a></td> .lrp</a></td>
<td><a href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.rpm" target="_blank"> <td><a href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.rpm"
Download .rpm</a>&nbsp;<br> target="_blank"> Download .rpm</a> <br>
<a href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.tgz" target="_blank">Download <a href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.tgz"
.tgz</a>&nbsp;<br> target="_blank">Download .tgz</a> <br>
<a href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.lrp" target="_blank">Download <a href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.lrp"
.lrp</a></td> target="_blank">Download .lrp</a></td>
</tr> </tr>
<tr> <tr>
<td>Slovak Republic</td> <td>Slovak Republic</td>
<td>Shorewall.net</td> <td>Shorewall.net</td>
<td><a href="http://slovakia.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br> <td><a
<a href="http://slovakia.shorewall.net/pub/shorewall/LATEST.tgz">Download href="http://slovakia.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br>
.tgz</a>&nbsp;<br> <a
<a href="http://slovakia.shorewall.net/pub/shorewall/LATEST.lrp">Download href="http://slovakia.shorewall.net/pub/shorewall/LATEST.tgz">Download
.lrp</a></td> .tgz</a> <br>
<td> <a
<a target="_blank" href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.rpm">Download .rpm</a>&nbsp;&nbsp;<br> href="http://slovakia.shorewall.net/pub/shorewall/LATEST.lrp">Download
<a target="_blank" href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.tgz">Download .lrp</a></td>
.tgz</a>&nbsp;<br> <td> <a target="_blank"
<a target="_blank" href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.lrp">Download href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
<a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.lrp">Download
.rpm</a></td> .rpm</a></td>
</tr> </tr>
<tr> <tr>
<td>Texas, USA</td> <td>Texas, USA</td>
<td>Infohiiway.com</td> <td>Infohiiway.com</td>
<td><a href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.rpm">Download .rpm</a><br> <td><a
<a href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.tgz">Download href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.rpm">Download
.tgz</a>&nbsp;<br> .rpm</a><br>
<a href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.lrp">Download <a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.lrp">Download
.lrp</a></td> .lrp</a></td>
<td> <td> <a target="_blank"
<a target="_blank" href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.rpm">Download .rpm</a>&nbsp;&nbsp;<br> href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.rpm">Download .rpm</a>  <br>
<a target="_blank" href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.tgz">Download <a target="_blank"
.tgz</a>&nbsp;<br> href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.tgz">Download
<a target="_blank" href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.lrp">Download .tgz</a> <br>
.rpm</a></td> <a target="_blank"
</tr> href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.lrp"> Download
<tr> .lrp</a></td>
<td>Hamburg, Germany</td> </tr>
<td>Shorewall.net</td> <tr>
<td><a href="http://germany.shorewall.net/pub/shorewall/LATEST.rpm"> <td>Hamburg, Germany</td>
Download .rpm</a><br> <td>Shorewall.net</td>
<a href="http://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download <td><a
.tgz</a><br> href="http://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download
<a href="http://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download .rpm</a><br>
<a href="http://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a><br>
<a href="http://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a></td>
<td> <a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download
.rpm</a>  <br>
<a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a></td>
</tr>
<tr>
<td>Martinez (Zona Norte - GBA), Argentina</td>
<td>Correofuego.com.ar</td>
<td> <a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
<a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
Download .lrp</a></td>
<td> <a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
<a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
Download .lrp</a></td>
</tr>
<tr>
<td>Paris, France</td>
<td>Shorewall.net</td>
<td><a href="http://france.shorewall.net/pub/LATEST.rpm">Download
.rpm</a><br>
<a href="http://france.shorewall.net/pub/LATEST.tgz">Download
.tgz</a> <br>
<a href="http://france.shorewall.net/pub/LATEST.lrp">Download
.lrp</a></td> .lrp</a></td>
<td> <td> <a target="_blank"
<a target="_blank" href="ftp://germany.shorewall.net/pub/shorewall/LATEST.rpm"> href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.rpm">Download
Download .rpm</a>&nbsp;&nbsp;<br> .rpm</a>  <br>
<a target="_blank" href="ftp://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download <a target="_blank"
.tgz</a>&nbsp;<br> href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.tgz">Download
<a target="_blank" href="ftp://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download .tgz</a> <br>
.lrp</a></td> <a target="_blank"
</tr> href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.lrp">Download
<tr> .lrp</a></td>
<td>Martinez (Zona Norte - GBA), Argentina</td> </tr>
<td>Correofuego.com.ar</td>
<td> </tbody>
<a target="_blank" href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download .rpm</a>&nbsp;&nbsp;<br>
<a target="_blank" href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a>&nbsp;<br>
<a target="_blank" href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
Download .lrp</a></td>
<td>
<a target="_blank" href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download .rpm</a>&nbsp;&nbsp;<br>
<a target="_blank" href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a>&nbsp;<br>
<a target="_blank" href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
Download .lrp</a></td>
</tr>
</table> </table>
</blockquote> </blockquote>
<p>Browse Download Sites:</p> <p>Browse Download Sites:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse"> <blockquote>
<tr> <table border="2" cellpadding="2" style="border-collapse: collapse;">
<td><b>SERVER LOCATION</b></td> <tbody>
<td><b>DOMAIN</b></td> <tr>
<td><b>HTTP</b></td> <td><b>SERVER LOCATION</b></td>
<td><b>FTP</b></td> <td><b>DOMAIN</b></td>
</tr> <td><b>HTTP</b></td>
<tr> <td><b>FTP</b></td>
<td>Washington State, USA</td> </tr>
<td>Shorewall.net</td> <tr>
<td><a href="http://www.shorewall.net/pub/shorewall/">Browse</a></td> <td>Washington State, USA</td>
<td><a href="ftp://ftp.shorewall.net/pub/shorewall/" target="_blank">Browse</a></td> <td>Shorewall.net</td>
</tr> <td><a href="http://www.shorewall.net/pub/shorewall/">Browse</a></td>
<tr> <td><a href="ftp://ftp.shorewall.net/pub/shorewall/"
<td>Slovak Republic</td> target="_blank">Browse</a></td>
<td>Shorewall.net</td> </tr>
<td><a href="http://slovakia.shorewall.net/pub/shorewall/">Browse</a></td> <tr>
<td> <td>Slovak Republic</td>
<a target="_blank" href="ftp://slovakia.shorewall.net/mirror/shorewall/">Browse</a></td> <td>Shorewall.net</td>
</tr> <td><a href="http://slovakia.shorewall.net/pub/shorewall/">Browse</a></td>
<tr> <td> <a target="_blank"
<td>Texas, USA</td> href="ftp://slovakia.shorewall.net/mirror/shorewall/">Browse</a></td>
<td>Infohiiway.com</td> </tr>
<td><a href="http://shorewall.infohiiway.com/pub/shorewall">Browse</a></td> <tr>
<td><a target="_blank" href="ftp://ftp.infohiiway.com/pub/shorewall/">Browse</a></td> <td>Texas, USA</td>
</tr> <td>Infohiiway.com</td>
<tr> <td><a href="http://shorewall.infohiiway.com/pub/shorewall">Browse</a></td>
<td>Hamburg, Germany</td> <td><a target="_blank"
<td>Shorewall.net</td> href="ftp://ftp.infohiiway.com/pub/shorewall/">Browse</a></td>
<td><a href="http://germany.shorewall.net/pub/shorewall/">Browse</a></td> </tr>
<td><a target="_blank" href="ftp://germany.shorewall.net/pub/shorewall">Browse</a></td> <tr>
</tr> <td>Hamburg, Germany</td>
<tr> <td>Shorewall.net</td>
<td>Martinez (Zona Norte - GBA), Argentina</td> <td><a href="http://germany.shorewall.net/pub/shorewall/">Browse</a></td>
<td>Correofuego.com.ar</td> <td><a target="_blank"
<td><a href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall">Browse</a></td> href="ftp://germany.shorewall.net/pub/shorewall">Browse</a></td>
<td> </tr>
<a target="_blank" href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall"> <tr>
Browse</a></td> <td>Martinez (Zona Norte - GBA), Argentina</td>
</tr> <td>Correofuego.com.ar</td>
<tr> <td><a
<td>California, USA (Incomplete)</td> href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall">Browse</a></td>
<td>Sourceforge.net</td> <td> <a target="_blank"
<td><a href="http://sourceforge.net/projects/shorewall">Browse</a></td> href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall"> Browse</a></td>
<td>N/A</td> </tr>
</tr> <tr>
<td>France</td>
<td>Shorewall.net</td>
<td><a
href="http://france.shorewall.net/pub/shorewall/LATEST.lrp">Browse</a></td>
<td> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/">Browse</a></td>
</tr>
<tr>
<td>California, USA (Incomplete)</td>
<td>Sourceforge.net</td>
<td><a href="http://sourceforge.net/projects/shorewall">Browse</a></td>
<td>N/A</td>
</tr>
</tbody>
</table> </table>
</blockquote> </blockquote>
<p align="left">CVS:</p> <p align="left">CVS:</p>
<blockquote> <blockquote>
<p align="left">The <p align="left">The <a target="_top"
<a target="_top" href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi">CVS href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi">CVS repository at
repository at cvs.shorewall.net</a> contains the latest snapshots of the each cvs.shorewall.net</a> contains the latest snapshots of the each Shorewall
Shorewall component. There's no guarantee that what you find there will work at component. There's no guarantee that what you find there will work at all.</p>
all.</p> </blockquote>
</blockquote> <p align="left"><font size="2">Last Updated 9/2/2002 - <a
<p align="left"><font size="2">Last Updated 8/22/2002 - <a href="support.htm">Tom href="support.htm">Tom Eastep</a></font></p>
Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> <br>
</body> </body>
</html>
</html>
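Review bot: the new France row's HTTP cell links to "http://france.shorewall.net/pub/shorewall/LATEST.lrp", a single file, while it is labelled "Browse" like every other HTTP entry in the table, all of which point at the "/pub/shorewall/" directory. Either link the directory or change the label, and confirm the FTP path ("/pub/mirrors/shorewall/"), which differs from the HTTP path, actually resolves on that mirror.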

View File

@ -63,17 +63,17 @@ dos2unix</a></u>
</ol> </ol>
<ul> <ul>
<li><b><a href="#Upgrade">Upgrade Issues</a></b></li> <li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
<li> <li>
<b><font color="#660066"> <b><a href="#V1.3">Problems in Version 1.3</a></b></li>
<a href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
<li> <li>
<b><a href="errata_2.htm">Problems in Version 1.2</a></b></li> <b><a href="errata_2.htm">Problems in Version 1.2</a></b></li>
<li> <li>
<b><a href="#V1.3">Problems in Version 1.3</a></b></li> <b><font color="#660066">
<a href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
<li> <li>
<b><font color="#660066"><a href="#iptables"> <b><font color="#660066"><a href="#iptables">
@ -88,112 +88,66 @@ dos2unix</a></u>
</ul> </ul>
<hr> <hr>
<h2 align="Left"><a name="Upgrade"></a>Upgrade Issues</h2> <h2 align="Left"><a name="V1.3"></a>Problems in Version 1.3</h2>
<h3>Version &gt;= 1.3.7</h3> <h3>Version 1.3.7b</h3>
<p>Users specifying ALLOWRELATED=No in <p>DNAT rules where the source zone is 'fw' ($FW)
/etc/shorewall.conf will need to include the result in an error message. Installing
following rules in their /etc/shorewall/icmpdef <a href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
file (creating this file if necessary):</p> this corrected firewall script</a> in /var/lib/shorewall/firewall
as described above corrects this problem.</p>
<pre> run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT <h3>Version 1.3.7a</h3>
run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT</pre>
<p>Users having an /etc/shorewall/icmpdef file may remove the &quot;.
/etc/shorewall/icmp.def&quot; command from that file since the icmp.def file is now
empty.</p>
<h3><b><a name="Bering">Upgrading </a>Bering to
Shorewall &gt;= 1.3.3</b></h3>
<p>To properly upgrade with Shorewall version <p>&quot;shorewall refresh&quot; is not creating the proper
1.3.3 and later:</p> rule for FORWARDPING=Yes. Consequently, after
&quot;shorewall refresh&quot;, the firewall will not forward
icmp echo-request (ping) packets. Installing
<a href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
this corrected firewall script</a> in /var/lib/shorewall/firewall
as described above corrects this problem.</p>
<h3>Version &lt;= 1.3.7a</h3>
<p>If &quot;norfc1918&quot; and &quot;dhcp&quot; are both specified as
options on a given interface then RFC 1918
checking is occurring before DHCP checking. This
means that if a DHCP client broadcasts using an
RFC 1918 source address, then the firewall will
reject the broadcast (usually logging it). This
has two problems:</p>
<ol> <ol>
<li>Be sure you have a backup -- you will need <li>If the firewall is running a DHCP server,
to transcribe any Shorewall configuration the client won't be able to obtain an IP address
changes that you have made to the new lease from that server.</li>
configuration.</li> <li>With this order of checking, the &quot;dhcp&quot;
<li>Replace the shorwall.lrp package provided on option cannot be used as a noise-reduction
the Bering floppy with the later one. If you did measure where there are both dynamic and static
not obtain the later version from Jacques's clients on a LAN segment.</li>
site, see additional instructions below.</li>
<li>Edit the /var/lib/lrpkg/root.exclude.list
file and remove the /var/lib/shorewall entry if
present. Then do not forget to backup root.lrp !</li>
</ol> </ol>
<p>The .lrp that I release isn't set up for a two-interface firewall like
Jacques's. You need to follow the <a href="two-interface.htm">instructions for
setting up a two-interface firewall</a> plus you also need to add the following
two Bering-specific rules to /etc/shorewall/rules:</p>
<blockquote>
<pre># Bering specific rules:
# allow loc to fw udp/53 for dnscache to work
# allow loc to fw tcp/80 for weblet to work
#
ACCEPT loc fw udp 53
ACCEPT loc fw tcp 80</pre>
</blockquote>
<h3 align="Left">Version &gt;= 1.3.6</h3> <p>
<a href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
<p align="Left">If you have a pair of firewall systems configured for This version of the 1.3.7a firewall script </a>
failover, you will need to modify your firewall setup slightly under corrects the problem. It must be installed in /var/lib/shorewall
Shorewall versions &gt;= 1.3.6. </p> as described above.</p>
<ol> <h3>Version 1.3.7</h3>
<li>
<p>Version 1.3.7 dead on arrival -- please use
<p align="Left">Create the file /etc/shorewall/newnotsyn and in it add version 1.3.7a and check your version against
the following rule<br> these md5sums -- if there's a difference, please
<br> download again.</p>
<font face="Courier">run_iptables -A newnotsyn -j RETURN # So that the
connection tracking table can be rebuilt<br> <pre> d2fffb7fb99bcc6cb047ea34db1df10 shorewall-1.3.7a.tgz
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 6a7fd284c8685b2b471a2f47b469fb94 shorewall-1.3.7a-1.noarch.rpm
# from non-SYN packets after takeover.<br> 3decd14296effcff16853106771f7035 shorwall-1.3.7a.lrp</pre>
&nbsp;</font></li> <p>In other words, type &quot;md5sum &lt;<i>whatever package you downloaded</i>&gt; and
<li> compare the result with what you see above.</p>
<p>I'm embarrassed to report that 1.2.7 was also DOA -- maybe I'll skip the .7
<p align="Left">Create /etc/shorewall/common (if you don't already version in each sequence from now on.</p>
have that file) and include the following:<br>
<br>
<font face="Courier">run_iptables -A common -p tcp --tcp-flags
ACK,FIN,RST ACK -j ACCEPT #Accept Acks to rebuild connection<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
#tracking table. <br>
. /etc/shorewall/common.def</font></li>
</ol>
<h3 align="Left">Versions &gt;= 1.3.5</h3>
<p align="Left">Some forms of pre-1.3.0 rules file syntax are no
longer supported. </p>
<p align="Left">Example 1:</p>
<div align="left">
<pre> ACCEPT net loc:192.168.1.12:22 tcp 11111 - all</pre>
</div>
<p align="Left">Must be replaced with:</p>
<div align="left">
<pre> DNAT net loc:192.168.1.12:22 tcp 11111</pre>
</div>
<div align="left">
<p align="left">Example 2:</div>
<div align="left">
<pre> ACCEPT loc fw::3128 tcp 80 - all</pre>
</div>
<div align="left">
<p align="left">Must be replaced with:</div>
<div align="left">
<pre> REDIRECT loc 3128 tcp 80</pre>
</div>
<h2 align="Left"><a name="V1.3"></a>Problems in Version 1.3</h2>
<h3 align="Left">Version 1.3.6</h3> <h3 align="Left">Version 1.3.6</h3>
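Review bot: the first checksum in the new "Version 1.3.7" section, "d2fffb7fb99bcc6cb047ea34db1df10" for shorewall-1.3.7a.tgz, is 31 hex digits; an MD5 digest is 32, so anyone comparing as instructed will never get a match for the tarball. Re-run md5sum and paste the full value. The instruction sentence that follows is also missing its closing quote after "&lt;whatever package you downloaded&gt;".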
@ -352,6 +306,13 @@ ACCEPT loc fw tcp 80</pre>
<a href="http://www.shorewall.net/pub/shorewall/errata/1.3.0/NAT.htm"> <a href="http://www.shorewall.net/pub/shorewall/errata/1.3.0/NAT.htm">
corrected version is here</a>.</li> corrected version is here</a>.</li>
</ul> </ul>
<hr>
<h2 align="Left"><a name="Upgrade"></a>Upgrade Issues</h2>
<p align="Left">The upgrade issues have moved to
<a href="upgrade_issues.htm">a separate page</a>.</p>
<hr> <hr>
<h3 align="Left"><a name="iptables"></a><font color="#660066"> <h3 align="Left"><a name="iptables"></a><font color="#660066">
@ -435,9 +396,9 @@ Aborted (core dumped)
installed, simply use the &quot;--nodeps&quot; option to installed, simply use the &quot;--nodeps&quot; option to
rpm.</p> rpm.</p>
<p>Installing: rpm -ivh <i>&lt;shorewall rpm&gt;</i></p> <p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<p>Upgrading: rpm -Uvh <i>&lt;shorewall rpm&gt;</i></p> <p>Upgrading: rpm -Uvh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<h3><a name="Multiport"></a><b>Problems with <h3><a name="Multiport"></a><b>Problems with
iptables version 1.2.7 and MULTIPORT=Yes</b></h3> iptables version 1.2.7 and MULTIPORT=Yes</b></h3>
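Review bot: putting "--nodeps" into both the Installing and Upgrading examples makes rpm skip every dependency check, not only the iptables requirement the preceding paragraph is about, and readers tend to copy the example as the default command. State explicitly that the flag is only for the case described in the sentence above (the required iptables is already present but not as an RPM), or keep the plain commands and mention "--nodeps" once in the prose.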
@ -445,7 +406,8 @@ Aborted (core dumped)
<p>The iptables 1.2.7 release of iptables has made <p>The iptables 1.2.7 release of iptables has made
an incompatible change to the syntax used to an incompatible change to the syntax used to
specify multiport match rules; as a consequence, specify multiport match rules; as a consequence,
if you install iptables 1.2.7 you must</p> if you install iptables 1.2.7 you must be running
Shorewall 1.3.7a or later or:</p>
<ul> <ul>
<li>set MULTIPORT=No in <li>set MULTIPORT=No in
@ -457,7 +419,7 @@ Aborted (core dumped)
as described above.</li> as described above.</li>
</ul> </ul>
<p><font size="2"> <p><font size="2">
Last updated 8/22/2002 - Last updated 9/1/2002 -
<a href="support.htm">Tom Eastep</a></font> </p> <a href="support.htm">Tom Eastep</a></font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>

View File

@ -1,62 +1,76 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta http-equiv="Content-Language" content="en-us">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<title>GNU Mailman</title>
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>GNU Mailman</title>
</head> </head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0"
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90"> style="border-collapse: collapse;" bordercolor="#111111" width="100%"
<tr> id="AutoNumber1" bgcolor="#400169" height="90">
<td width="100%"> <tbody>
<h1 align="center"><font color="#FFFFFF">GNU Mailman/Postfix <tr>
the Easy Way</font></h1> <td width="100%">
</td> <h1 align="center"><font color="#ffffff">GNU Mailman/Postfix the Easy
</tr> Way</font></h1>
</td>
</tr>
</tbody>
</table> </table>
<h1 align="center">&nbsp;</h1> <h1 align="center"> </h1>
<h4>The following was posted on the Postfix mailing list on 5/4/2002 by Michael
Tokarev as a suggested addition to the Postfix FAQ.</h4> <h4>The following was posted on the Postfix mailing list on 5/4/2002 by Michael
Tokarev as a suggested addition to the Postfix FAQ.</h4>
<p>Q: Mailman does not work with Postfix, complaining about GID mismatch<br> <p>Q: Mailman does not work with Postfix, complaining about GID mismatch<br>
<br> <br>
A: Mailman uses a setgid wrapper that is designed to be used in system-wide A: Mailman uses a setgid wrapper that is designed to be used in system-wide
aliases file so that rest of mailman's mail handling processes will run with aliases file so that rest of mailman's mail handling processes will run
proper uid/gid. Postfix has an ability to run a command specified in an alias as with proper uid/gid. Postfix has an ability to run a command specified in
owner of that alias, thus mailman's wrapper is not needed here. The best method an alias as owner of that alias, thus mailman's wrapper is not needed here.
to invoke mailman's mail handling via aliases is to use separate alias file The best method to invoke mailman's mail handling via aliases is to use
especially for mailman, and made it owned by mailman and group mailman. Like:<br> separate alias file especially for mailman, and made it owned by mailman
<br> and group mailman. Like:<br>
alias_maps = hash:/etc/postfix/aliases, hash:/var/mailman/aliases<br> <br>
<br> alias_maps = hash:/etc/postfix/aliases, hash:/var/mailman/aliases<br>
Make sure that /var/mailman/aliases.db is owned by mailman user (this may be <br>
done by executing postalias as mailman userid).<br> Make sure that /var/mailman/aliases.db is owned by mailman user (this may
<br> be done by executing postalias as mailman userid).<br>
Next, instead of using mailman-suggested aliases entries with wrapper, use the <br>
following:<br> Next, instead of using mailman-suggested aliases entries with wrapper, use
<br> the following:<br>
instead of<br> <br>
mailinglist: /var/mailman/mail/wrapper post mailinglist<br> instead of<br>
mailinglist-admin: /var/mailman/mail/wrapper mailowner mailinglist<br> mailinglist: /var/mailman/mail/wrapper post mailinglist<br>
mailinglist-request: /var/mailman/mail/wrapper mailcmd mailinglist<br> mailinglist-admin: /var/mailman/mail/wrapper mailowner mailinglist<br>
...<br> mailinglist-request: /var/mailman/mail/wrapper mailcmd mailinglist<br>
<br> ...<br>
use<br> <br>
mailinglist: /var/mailman/scripts/post mailinglist<br> use<br>
mailinglist-admin: /var/mailman/scripts/mailowner mailinglist<br> mailinglist: /var/mailman/scripts/post mailinglist<br>
mailinglist-request: /var/mailman/scripts/mailcmd mailinglist<br> mailinglist-admin: /var/mailman/scripts/mailowner mailinglist<br>
...</p> mailinglist-request: /var/mailman/scripts/mailcmd mailinglist<br>
<h4>The Shorewall mailing lists are currently running Postfix 1.1.7 together ...</p>
with the stock RedHat Mailman-2.0.8 RPM configured as shown above.</h4>
<p align="left"><font size="2">Last updated 5/4/2002 - <a href="support.htm">Tom <h4>The Shorewall mailing lists are currently running Postfix 1.1.11 together
Eastep</a></font></p> with the stock RedHat Mailman-2.0.13 RPM configured as shown above.</h4>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm">
<font size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> <p align="left"><font size="2">Last updated 9/14/2002 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
</body> </body>
</html>
</html>
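Review bot: nearly all of this file's diff is a re-wrap by a different HTML editor (added "<tbody>", attributes broken across lines, re-flowed paragraphs); the only substantive edits are Postfix 1.1.7 to 1.1.11, Mailman 2.0.8 to 2.0.13 and the date, and they are hard to spot. Splitting the reformat from the content change would make it reviewable. Also "<h1 align="center">&nbsp;</h1>" became "<h1 align="center"> </h1>" with a literal non-breaking space, which is easy to lose on the next edit; keep the "&nbsp;" entity.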

View File

@ -6,16 +6,18 @@
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Mailing Lists</title> <title>Shorewall Mailing Lists</title>
<meta name="Microsoft Theme" content="boldstri 011"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90"> <table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><a href="http://www.gnu.org/software/mailman/mailman.html"> <h1 align="center"><a href="http://www.gnu.org/software/mailman/mailman.html">
<img border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110" height="35"></a><a href="http://www.postfix.org/"><img src="images/small-picture.gif" align="right" border="0" width="115" height="45"></a><font color="#FFFFFF">Shorewall Mailing Lists</font></h1> <img border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110" height="35"></a><a href="http://www.postfix.org/"><img src="images/small-picture.gif" align="right" border="0" width="115" height="45"></a><font color="#FFFFFF">Shorewall Mailing Lists</font></h1>
<p align="right"><font color="#FFFFFF"><b>Powered by Postfix&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</b></font>
</td> </td>
</tr> </tr>
</table> </table>

View File

@ -26,6 +26,7 @@ to at least one address in each of the following domains:</h2>
<pre>2020ca - delivery to this domain has been disabled (cause unknown) <pre>2020ca - delivery to this domain has been disabled (cause unknown)
excite.com - delivery to this domain has been disabled (cause unknown) excite.com - delivery to this domain has been disabled (cause unknown)
epacificglobal.com - delivery to this domain has been disabled (no MX record for domain) epacificglobal.com - delivery to this domain has been disabled (no MX record for domain)
familie-fleischhacker.de - (connection timed out)
gmx.net - delivery to this domain has been disabled (cause unknown) gmx.net - delivery to this domain has been disabled (cause unknown)
hotmail.com - delivery to this domain has been disabled (Mailbox over quota) hotmail.com - delivery to this domain has been disabled (Mailbox over quota)
intercom.net - delivery to this domain has been disabled (cause unknown) intercom.net - delivery to this domain has been disabled (cause unknown)
@ -33,6 +34,7 @@ initialcs.com - delivery to this domain has been disabled (cause unknown)
intelligents.2y.net - delivery to this domain has been disabled (Name Service Problem -- Host not Found). intelligents.2y.net - delivery to this domain has been disabled (Name Service Problem -- Host not Found).
khp-inc.com - delivery to this domain has been disabled (anti-virus problems) khp-inc.com - delivery to this domain has been disabled (anti-virus problems)
kieninger.de - delivery to this domain has been disabled (relaying to &lt;xxxxx@kieninger.de&gt; prohibited by administrator) kieninger.de - delivery to this domain has been disabled (relaying to &lt;xxxxx@kieninger.de&gt; prohibited by administrator)
littleblue.de - (connection timed out)
opermail.net - delivery to this domain has been disabled (cause unknown) opermail.net - delivery to this domain has been disabled (cause unknown)
penquindevelopment.com - delivery to this domain has been disabled (connection timed out) penquindevelopment.com - delivery to this domain has been disabled (connection timed out)
scip-online.de - delivery to this domain has been disabled (cause unknown) scip-online.de - delivery to this domain has been disabled (cause unknown)
@ -42,7 +44,7 @@ yahoo.com - delivery to this domain has been disabled (Mailbox over quota)</pre>
</div> </div>
</blockquote> </blockquote>
<p align="left"><font size="2">Last updated 7/26/2002 19:39 GMT - <p align="left"><font size="2">Last updated 8/23/2002 17:16 GMT -
<a href="support.htm">Tom <a href="support.htm">Tom
Eastep</a></font></p> Eastep</a></font></p>
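Review bot: the two added entries, "familie-fleischhacker.de - (connection timed out)" and "littleblue.de - (connection timed out)", omit the "delivery to this domain has been disabled" wording every other line uses; "penquindevelopment.com" shows the expected form for the same reason. Use the same wording so readers know whether delivery to those domains has actually been disabled.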

View File

@ -1,297 +1,165 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>My Shorewall Configuration</title> <title>My Shorewall Configuration</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr> <table border="0" cellpadding="0" cellspacing="0"
<td width="100%"> style="border-collapse: collapse;" width="100%" id="AutoNumber1"
<h1 align="center"><font color="#FFFFFF">About My Network</font></h1> bgcolor="#400169" height="90">
</td> <tbody>
</tr> <tr>
</table> <td width="100%">
<h1 align="center"><font color="#ffffff">About My Network</font></h1>
<blockquote> </blockquote> </td>
</tr>
<h1>My Current Network </h1>
</tbody>
<blockquote> </table>
<p>
I have DSL service and have 5 static IP addresses (206.124.146.176-180). <blockquote> </blockquote>
My DSL "modem" (<a href="http://www.fujitsu.com">Fujitsu</a> Speedport) is connected to eth0. I have
a local network connected to eth2 (subnet 192.168.1.0/24) and a DMZ connected <h1>My Current Network </h1>
to eth1 (192.168.2.0/24). </p>
<p> <blockquote>
I use Static NAT for all internal systems (those connected to the switch) except my Wife's system (tarry) <p> I have DSL service and have 5 static IP addresses (206.124.146.176-180).
and the Wireless Access Point (wap) which are My DSL "modem" (<a href="http://www.fujitsu.com">Fujitsu</a> Speedport)
masqueraded through the primary gateway address (206.124.146.176).</p> is connected to eth0. I have a local network connected to eth2 (subnet 192.168.1.0/24)
<p> and a DMZ connected to eth1 (192.168.2.0/24). </p>
The firewall runs on a 128MB PII/233 with RH7.2 and Kernel 2.4.19.</p>
<p> <p> I use:<br>
My personal GNU/Linux System (wookie) is 192.168.1.3 and my personal Windows XP system (ursa) </p>
is 192.168.1.5. Wookie <ul>
runs Samba and acts as the a WINS server.&nbsp; Wookie is in its own 'whitelist' zone <li>Static NAT for ursa (my XP System) - Internal address 192.168.1.5
called 'me'.</p> and external address 206.124.146.178.</li>
<p> <li>Proxy ARP for wookie (my Linux System). This system has two IP addresses:
My laptop (eastept1) is connected to eth3 using a cross-over cable. It runs its own <a href="http://www.sygate.com"> 192.168.1.3/24 and 206.124.146.179/24.</li>
Sygate</a> firewall software and is managed by Proxy ARP. It connects to the <li>SNAT through the primary gateway address (206.124.146.176) for  my
local network through the PopTop server running on my firewall. </p> Wife's system (tarry) and the Wireless Access Point (wap)</li>
<p> </ul>
The single system in the DMZ (address 206.124.146.177) runs postfix, Courier
IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP server <p> The firewall runs on a 128MB PII/233 with RH7.2 and Kernel 2.4.19.</p>
(Pure-ftpd). The system also runs fetchmail to fetch our email from our
<p> Wookie runs Samba and acts as the a WINS server.  Wookie is in its
own 'whitelist' zone called 'me'.</p>
<p> My laptop (eastept1) is connected to eth3 using a cross-over cable.
It runs its own <a href="http://www.sygate.com"> Sygate</a> firewall software
and is managed by Proxy ARP. It connects to the local network through the
PopTop server running on my firewall. </p>
<p> The single system in the DMZ (address 206.124.146.177) runs postfix,
Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP server
(Pure-ftpd). The system also runs fetchmail to fetch our email from our
old and current ISPs. That server is managed through Proxy ARP.</p> old and current ISPs. That server is managed through Proxy ARP.</p>
<p>
The firewall system itself runs a DHCP server that serves the local network.</p> <p> The firewall system itself runs a DHCP server that serves the local
<p> network.</p>
All administration and publishing is done using ssh/scp.</p>
<p> <p> All administration and publishing is done using ssh/scp.</p>
I run an SNMP server on my firewall to serve <a href="http://www.ee.ethz.ch/%7Eoetiker/webtools/mrtg/">
MRTG</a> running in the DMZ.</p> <p> I run an SNMP server on my firewall to serve <a
<p align="center"> href="http://www.ee.ethz.ch/%7Eoetiker/webtools/mrtg/"> MRTG</a> running
<img border="0" src="images/network.png" width="764" height="846"></p> in the DMZ.</p>
<p>&nbsp;</p>
<p>The ethernet interface in the Server is configured <p align="center"> <img border="0"
with IP address 206.124.146.177, netmask src="images/network.png" width="764" height="846">
255.255.255.0. The server's default gateway is </p>
206.124.146.254 (Router at my ISP. This is the same
default gateway used by the firewall itself). On the firewall, <p> </p>
Shorewall automatically adds a host route to
206.124.146.177 through eth1 (192.168.2.1) because of <p>The ethernet interface in the Server is configured
the entry in /etc/shorewall/proxyarp (see below).</p> with IP address 206.124.146.177, netmask
<p>A similar setup is used on eth3 (192.168.3.1) which 255.255.255.0. The server's default gateway is
interfaces to my laptop (206.124.146.180).</p> 206.124.146.254 (Router at my ISP. This is the same
<p><font color="#ff0000" size="5"> default gateway used by the firewall itself). On the firewall,
Note: My files use features not available before Shorewall automatically adds a host route to
Shorewall version 1.3.4.</font></p> 206.124.146.177 through eth1 (192.168.2.1) because
</blockquote> of the entry in /etc/shorewall/proxyarp (see below).</p>
<h3>Shorewall.conf</h3>
<p>A similar setup is used on eth3 (192.168.3.1) which
<pre> SUBSYSLOCK=/var/lock/subsys/shorewall interfaces to my laptop (206.124.146.180).</p>
STATEDIR=/var/state/shorewall
<p><font color="#ff0000" size="5"> Note: My files
LOGRATE= use features not available before Shorewall version
LOGBURST= 1.3.4.</font></p>
</blockquote>
ADD_IP_ALIASES=&quot;Yes&quot;
<h3>Shorewall.conf</h3>
CLAMPMSS=Yes
<pre> SUBSYSLOCK=/var/lock/subsys/shorewall<br> STATEDIR=/var/state/shorewall<br><br> LOGRATE=<br> LOGBURST=<br><br> ADD_IP_ALIASES="Yes"<br><br> CLAMPMSS=Yes<br><br> MULTIPORT=Yes</pre>
MULTIPORT=Yes</pre>
<h3>Zones File:</h3> <h3>Zones File:</h3>
<pre><font face="Courier" size="2"> #ZONE DISPLAY COMMENTS
net Internet Internet <pre><font face="Courier" size="2"> #ZONE DISPLAY COMMENTS<br> net Internet Internet<br> me Eastep My Workstation<br> loc Local Local networks<br> dmz DMZ Demilitarized zone<br> tx Texas Peer Network in Dallas Texas<br> #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</font></pre>
me Eastep My Workstation
loc Local Local networks <h3>Interfaces File: </h3>
dmz DMZ Demilitarized zone
tx Texas Peer Network in Dallas Texas <blockquote>
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</font></pre> <p> This is set up so that I can start the firewall before bringing up
<h3>Interfaces File: </h3> my Ethernet interfaces. </p>
</blockquote>
<blockquote>
<p> <pre><font face="Courier" size="2"> #ZONE INTERFACE BROADCAST OPTIONS<br> net eth0 206.124.146.255 routefilter,norfc1918,blacklist,filterping<br> loc eth2 192.168.1.255 dhcp<br> dmz eth1 206.124.146.255 -<br> net eth3 206.124.146.255 norfc1918<br> - texas -<br> loc ppp+<br> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
This is set up so that I can start the firewall before bringing up my Ethernet
interfaces. </p> <h3>Hosts File: </h3>
</blockquote> <pre><font face="Courier" size="2"> #ZONE HOST(S) OPTIONS<br> me eth2:192.168.1.3,eth2:206.124.146.179<br> tx texas:192.168.9.0/24<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE -- DO NOT REMOVE</font></pre>
<pre><font face="Courier" size="2"> #ZONE INTERFACE BROADCAST OPTIONS <h3>Routestopped File:</h3>
net eth0 206.124.146.255 routefilter,norfc1918,blacklist,filterping
loc eth2 192.168.1.255 dhcp <pre><font face="Courier" size="2"> #INTERFACE HOST(S)<br> eth1 206.124.146.177<br> eth2 -<br> eth3 206.124.146.180</font></pre>
dmz eth1 206.124.146.255 -
net eth3 206.124.146.255 norfc1918 <h3>Common File: </h3>
- texas -
loc ppp+ <pre><font size="2" face="Courier"> . /etc/shorewall/common.def<br> run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP<br> run_iptables -A common -p tcp --dport 113 -j REJECT</font></pre>
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
<h3>Hosts File: </h3> <h3>Policy File:</h3>
<pre><font face="Courier" size="2"> #ZONE HOST(S) OPTIONS <pre><font size="2" face="Courier">
me eth2:192.168.1.3
tx texas:192.168.9.0/24
#LAST LINE -- ADD YOUR ENTRIES ABOVE -- DO NOT REMOVE</font></pre>
<h3>Routestopped File:</h3>
<pre><font face="Courier" size="2"> #INTERFACE HOST(S)
eth1 206.124.146.177
eth2 -
eth3 206.124.146.180</font></pre>
<h3>Common File: </h3>
<pre><font size="2" face="Courier"> . /etc/shorewall/common.def
run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP
run_iptables -A common -p tcp --dport 113 -j REJECT</font></pre>
<h3>Policy File:</h3>
<pre><font size="2" face="Courier">
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
me all ACCEPT me all ACCEPT
tx me ACCEPT #Give Texas access to my personal system tx me ACCEPT #Give Texas access to my personal system
all me CONTINUE #<font color="#FF0000">WARNING: You must be running Shorewall 1.3.1 or later for all me CONTINUE #<font
</font>#<font color="#FF0000"> this policy to work as expected!!!</font> color="#ff0000">WARNING: You must be running Shorewall 1.3.1 or later for<br> </font>#<font
loc loc ACCEPT color="#ff0000"> this policy to work as expected!!!</font> <br> loc loc ACCEPT<br> loc net ACCEPT<br> $FW loc ACCEPT<br> $FW tx ACCEPT<br> loc tx ACCEPT<br> loc fw REJECT<br> net net ACCEPT<br> net all DROP info 10/sec:40<br> all all REJECT info<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOTE</font></pre>
loc net ACCEPT
$FW loc ACCEPT <h3>Masq File: </h3>
$FW tx ACCEPT
loc tx ACCEPT <blockquote>
loc fw REJECT <p> Although most of our internal systems use static NAT, my wife's system
net net ACCEPT (192.168.1.4) uses IP Masquerading (actually SNAT) as do visitors with laptops.</p>
net all DROP info 10/sec:40 </blockquote>
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOTE</font></pre> <pre><font size="2" face="Courier"> #INTERFACE SUBNET ADDRESS<br> eth0 192.168.1.0/24 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</font></pre>
<h3>Masq File: </h3>
<h3>NAT File: </h3>
<blockquote>
<p> <pre><font size="2" face="Courier"> #EXTERNAL INTERFACE INTERNAL ALL LOCAL<br> 206.124.146.178 eth0 192.168.1.5 No No<br> 206.124.146.179 eth0 192.168.1.3 No No<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</font></pre>
Although most of our internal systems use static NAT, my wife's system
(192.168.1.4) uses IP Masquerading (actually SNAT) as do visitors with laptops.</p> <h3>Proxy ARP File:</h3>
</blockquote>
<pre><font face="Courier" size="2"> #ADDRESS INTERFACE EXTERNAL HAVEROUTE<br> 206.124.146.177 eth1 eth0 No<br> 206.124.146.180 eth3 eth0 No<br> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
<pre><font size="2" face="Courier"> #INTERFACE SUBNET ADDRESS
eth0 192.168.1.0/24 206.124.146.176 <h3>Rules File (The shell variables
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</font></pre> are set in /etc/shorewall/params):</h3>
<h3>NAT File: </h3>
<pre><font size="2" face="Courier"> #EXTERNAL INTERFACE INTERNAL ALL LOCAL <pre><font face="Courier" size="2"> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL<br> # PORT(S) PORT(S) PORT(S) DEST<br> #<br> # Local Network to Internet - Reject attempts by Trojans to call home<br> #<br> REJECT:info loc net tcp 6667<br> #<br> # Local Network to Firewall <br> #<br> ACCEPT loc fw tcp ssh<br> ACCEPT loc fw tcp time<br> #<br> # Local Network to DMZ <br> #<br> ACCEPT loc dmz udp domain<br> ACCEPT loc dmz tcp smtp<br> ACCEPT loc dmz tcp domain<br> ACCEPT loc dmz tcp ssh<br> ACCEPT loc dmz tcp auth<br> ACCEPT loc dmz tcp imap<br> ACCEPT loc dmz tcp https<br> ACCEPT loc dmz tcp imaps<br> ACCEPT loc dmz tcp cvspserver<br> ACCEPT loc dmz tcp www<br> ACCEPT loc dmz tcp ftp<br> ACCEPT loc dmz tcp pop3<br> ACCEPT loc dmz icmp echo-request<br> #<br> # Internet to DMZ <br> #<br> ACCEPT net dmz tcp www<br> ACCEPT net dmz tcp smtp<br> ACCEPT net dmz tcp ftp<br> ACCEPT net dmz tcp auth<br> ACCEPT net dmz tcp https<br> ACCEPT net dmz tcp imaps<br> ACCEPT net dmz tcp domain<br> ACCEPT net dmz tcp cvspserver<br> ACCEPT net dmz udp domain<br> ACCEPT net dmz icmp echo-request<br> ACCEPT net:$MIRRORS dmz tcp rsync<br> #<br> # Net to Me (ICQ chat and file transfers) <br> #<br> ACCEPT net me tcp 4000:4100<br> #<br> # Net to Local <br> #<br> ACCEPT net loc tcp auth<br> REJECT net loc tcp www<br> #<br> # DMZ to Internet<br> #<br> ACCEPT dmz net icmp echo-request<br> ACCEPT dmz net tcp smtp<br> ACCEPT dmz net tcp auth<br> ACCEPT dmz net tcp domain<br> ACCEPT dmz net tcp www<br> ACCEPT dmz net tcp https<br> ACCEPT dmz net tcp whois<br> ACCEPT dmz net tcp echo<br> ACCEPT dmz net udp domain<br> ACCEPT dmz net:$NTPSERVERS udp ntp<br> ACCEPT dmz net:$POPSERVERS tcp pop3<br> #<br> # The following compensates for a bug, either in some FTP clients or in the<br> # Netfilter connection tracking code that occasionally denies active mode<br> # FTP clients<br> #<br> ACCEPT:info dmz net tcp 1024: 20<br> #<br> # 
DMZ to Firewall -- snmp<br> #<br> ACCEPT dmz fw tcp snmp<br> ACCEPT dmz fw udp snmp<br> #<br> # DMZ to Local Network <br> #<br> ACCEPT dmz loc tcp smtp<br> ACCEPT dmz loc tcp auth<br> ACCEPT dmz loc icmp echo-request<br> # Internet to Firewall<br> #<br> ACCEPT net fw tcp 1723<br> ACCEPT net fw gre<br> REJECT net fw tcp www<br> #<br> # Firewall to Internet<br> #<br> ACCEPT fw net:$NTPSERVERS udp ntp<br> ACCEPT fw net udp domain<br> ACCEPT fw net tcp domain<br> ACCEPT fw net tcp www<br> ACCEPT fw net tcp https<br> ACCEPT fw net tcp ssh<br> ACCEPT fw net tcp whois<br> ACCEPT fw net icmp echo-request<br> #<br> # Firewall to DMZ<br> #<br> ACCEPT fw dmz tcp www<br> ACCEPT fw dmz tcp ftp<br> ACCEPT fw dmz tcp ssh<br> ACCEPT fw dmz tcp smtp<br> ACCEPT fw dmz udp domain<br> #<br> # Let Texas Ping<br> #<br> ACCEPT tx fw icmp echo-request<br> ACCEPT tx loc icmp echo-request<br><br> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
206.124.146.178 eth0 192.168.1.5 No No
206.124.146.179 eth0 192.168.1.3 No No <p><font size="2"> Last updated 9/14/2002 - </font><font size="2">
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</font></pre> <a href="support.htm">Tom Eastep</a></font>
<h3>Proxy ARP File:</h3>
<pre><font face="Courier" size="2"> #ADDRESS INTERFACE EXTERNAL HAVEROUTE
206.124.146.177 eth1 eth0 No
206.124.146.180 eth3 eth0 No
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
<h3>Rules File (The shell variables
are set in /etc/shorewall/params):</h3>
<pre><font face="Courier" size="2"> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT(S) PORT(S) PORT(S) DEST
#
# Local Network to Internet - Reject attempts by Trojans to call home
#
REJECT:info loc net tcp 6667
#
# Local Network to Firewall
#
ACCEPT loc fw tcp ssh
ACCEPT loc fw tcp time
#
# Local Network to DMZ
#
ACCEPT loc dmz udp domain
ACCEPT loc dmz tcp smtp
ACCEPT loc dmz tcp domain
ACCEPT loc dmz tcp ssh
ACCEPT loc dmz tcp auth
ACCEPT loc dmz tcp imap
ACCEPT loc dmz tcp https
ACCEPT loc dmz tcp imaps
ACCEPT loc dmz tcp cvspserver
ACCEPT loc dmz tcp www
ACCEPT loc dmz tcp ftp
ACCEPT loc dmz tcp pop3
ACCEPT loc dmz icmp echo-request
#
# Internet to DMZ
#
ACCEPT net dmz tcp www
ACCEPT net dmz tcp smtp
ACCEPT net dmz tcp ftp
ACCEPT net dmz tcp auth
ACCEPT net dmz tcp https
ACCEPT net dmz tcp imaps
ACCEPT net dmz tcp domain
ACCEPT net dmz tcp cvspserver
ACCEPT net dmz udp domain
ACCEPT net dmz icmp echo-request
ACCEPT net:$MIRRORS dmz tcp rsync
#
# Net to Me (ICQ chat and file transfers)
#
ACCEPT net me tcp 4000:4100
#
# Net to Local
#
ACCEPT net loc tcp auth
REJECT net loc tcp www
#
# DMZ to Internet
#
ACCEPT dmz net icmp echo-request
ACCEPT dmz net tcp smtp
ACCEPT dmz net tcp auth
ACCEPT dmz net tcp domain
ACCEPT dmz net tcp www
ACCEPT dmz net tcp https
ACCEPT dmz net tcp whois
ACCEPT dmz net tcp echo
ACCEPT dmz net udp domain
ACCEPT dmz net:$NTPSERVERS udp ntp
ACCEPT dmz net:$POPSERVERS tcp pop3
#
# The following compensates for a bug, either in some FTP clients or in the
# Netfilter connection tracking code that occasionally denies active mode
# FTP clients
#
ACCEPT:info dmz net tcp 1024: 20
#
# DMZ to Firewall -- snmp
#
ACCEPT dmz fw tcp snmp
ACCEPT dmz fw udp snmp
#
# DMZ to Local Network
#
ACCEPT dmz loc tcp smtp
ACCEPT dmz loc tcp auth
ACCEPT dmz loc icmp echo-request
# Internet to Firewall
#
ACCEPT net fw tcp 1723
ACCEPT net fw gre
REJECT net fw tcp www
#
# Firewall to Internet
#
ACCEPT fw net:$NTPSERVERS udp ntp
ACCEPT fw net udp domain
ACCEPT fw net tcp domain
ACCEPT fw net tcp www
ACCEPT fw net tcp https
ACCEPT fw net tcp ssh
ACCEPT fw net tcp whois
ACCEPT fw net icmp echo-request
#
# Firewall to DMZ
#
ACCEPT fw dmz tcp www
ACCEPT fw dmz tcp ftp
ACCEPT fw dmz tcp ssh
ACCEPT fw dmz tcp smtp
ACCEPT fw dmz udp domain
#
# Let Texas Ping
#
ACCEPT tx fw icmp echo-request
ACCEPT tx loc icmp echo-request
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
<p><font size="2">
Last updated 8/9/2002
- </font><font size="2">
<a href="support.htm">Tom Eastep</a></font>
</p> </p>
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></body></html> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
</body>
</html>
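Review bot: the closing marker of the policy file still reads "DO NOT REMOTE" on both sides of this hunk, while every other file in the same hunk says "DO NOT REMOVE"; fix the typo while the file is being reformatted. A second point on the new side: the policy, masq, nat, proxy ARP and rules files now have a `<br>` after every line inside `<pre>`, which is redundant because `<pre>` already preserves line breaks and will render the listings double-spaced in browsers that honour both; the plain newline form of the old side is the safer markup. The trailing non-breaking space after the lone `#` immediately before the "DMZ to Firewall -- snmp" comment in the rules file should also be dropped, as it will show up as a stray character in the listing.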

View File

@ -1,161 +1,256 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.3</title> <title>Shoreline Firewall (Shorewall) 1.3</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<base target="_self">
<base target="_self">
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="4" style="border-collapse: collapse" width="100%" id="AutoNumber3" bgcolor="#4B017C">
<tr> <table border="0" cellpadding="0" cellspacing="4"
<td width="100%"> style="border-collapse: collapse;" width="100%" id="AutoNumber3"
<h1 align="center"> <font size="4"><i> bgcolor="#4b017c">
<a href="http://www.cityofshoreline.com"> <tbody>
<img border="0" src="images/washington.jpg" align="right" width="100" height="82"><img border="0" src="images/washington.jpg" align="left" width="100" height="82"></a></i></font><font color="#FFFFFF">Shorewall 1.3 - <font size="4">&quot;<i>iptables made easy&quot;</i></font></font></h1> <tr>
</td> <td width="100%">
</tr> <h1 align="center"> <font size="4"><i> <a
</table> href="http://www.cityofshoreline.com"> <img border="0"
src="images/washington.jpg" align="right" width="100" height="82">
<div align="center"> <img border="0" src="images/washington.jpg" align="left"
<center> width="100" height="82">
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber4"> </a></i></font><font color="#ffffff">Shorewall 1.3 - <font
<tr> size="4">"<i>iptables made easy"</i></font></font></h1>
<td width="90%"> </td>
</tr>
<h2 align="Left">What is it?</h2>
</tbody>
<p>The Shoreline Firewall, more commonly known as &quot;Shorewall&quot;,&nbsp; is a </table>
<a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
that can be used on a dedicated firewall system, a multi-function <div align="center">
gateway/router/server or on a standalone GNU/Linux system.</p> <center>
<table border="0" cellpadding="0" cellspacing="0"
<p>This program is free software; you can redistribute it and/or modify it style="border-collapse: collapse;" width="100%" id="AutoNumber4">
under the terms of <a href="http://www.gnu.org/licenses/gpl.html">Version <tbody>
2 of the GNU General Public License</a> as published by the Free Software <tr>
Foundation.<br> <td width="90%">
<br>
This program is distributed in the hope that it will be useful, but <h2 align="left">What is it?</h2>
WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License <p>The Shoreline Firewall, more commonly known as "Shorewall",  is
for more details.<br> a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
<br> firewall that can be used on a dedicated firewall system, a multi-function
You should have received a copy of the GNU General Public License gateway/router/server or on a standalone GNU/Linux system.</p>
along with this program; if not, write to the Free Software Foundation,
Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p> <p>This program is free software; you can redistribute it and/or modify
it under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
General Public License</a> as published by the Free Software Foundation.<br>
<br>
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
for more details.<br>
<br>
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software Foundation,
Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
<p><a href="copyright.htm">Copyright 2001, 2002 Thomas M. Eastep</a></p> <p><a href="copyright.htm">Copyright 2001, 2002 Thomas M. Eastep</a></p>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
<p>&nbsp;<a href="http://leaf.sourceforge.net" target="_top"><img border="0" src="images/leaflogo.gif" width="49" height="36"></a>Jacques border="0" src="images/leaflogo.gif" width="49" height="36">
Nilo and Eric Wolzak have a LEAF distribution called <i>Bering</i> that </a>Jacques Nilo and Eric Wolzak have a LEAF distribution called
features Shorewall-1.3.3 and Kernel-2.4.18. You can find their work at: <i>Bering</i> that features Shorewall-1.3.3 and Kernel-2.4.18.
<a href="http://leaf.sourceforge.net/devel/jnilo"> You can find their work at: <a
http://leaf.sourceforge.net/devel/jnilo</a></p> href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
<h2>News</h2> <h2>News</h2>
<p><b>8/22/2002 - Shorewall 1.3.7 Released 8/13/2002 <p><b>9/16/2002 - Shorewall 1.3.8 </b><b><img border="0"
<img border="0" src="images/new10.gif" width="28" height="12"> </b></p> src="file:///vfat/Shorewall/Shorewall-docs/images/new10.gif" width="28"
height="12">
<p>Features in this release include:</p> </b></p>
<p>In this version:<br>
</p>
<ul> <ul>
<li>The 'icmp.def' file is now empty! The rules in that file were <li>A NEWNOTSYN option has been added to shorewall.conf. This option
required in ipchains firewalls but are not required in Shorewall. Users determines whether Shorewall accepts TCP packets which are not part of an
who have ALLOWRELATED=No in <a href="Documentation.htm#Conf"> established connection and that are not 'SYN' packets (SYN flag on and ACK
shorewall.conf</a> should see the <a href="errata.htm#Upgrade">Upgrade flag off).</li>
Issues</a>.</li> <li>The need for the 'multi' option to communicate between zones
<li>A 'FORWARDPING' option has been added to za and zb on the same interface is removed in the case where the chain 'za2zb'
<a href="Documentation.htm#Conf">shorewall.conf</a>. The effect of and/or 'zb2za' exists. 'za2zb' will exist if:</li>
setting this variable to Yes is the same as the effect of adding an <ul>
ACCEPT rule for ICMP echo-request in <li>
<a href="shorewall_extension_scripts.htm">/etc/shorewall/icmpdef</a>. <blockquote>There is a policy for za to zb; or</blockquote>
Users who have such a rule in icmpdef are encouraged to switch to </li>
FORWARDPING=Yes.</li> <li>
<li>The loopback CLASS A Network (127.0.0.0/8) has been added to the <blockquote>There is at least one rule for za to zb.</blockquote>
rfc1918 file.</li> </li>
<li>Shorewall now works with iptables 1.2.7.</li> </ul>
<li>The documentation and Web site no longer use FrontPage themes.</li>
</ul> </ul>
<p>I would like to thank John Distler for his valuable input regarding TCP SYN <ul>
and ICMP treatment in Shorewall. That input has led to marked improvement in <li>The /etc/shorewall/blacklist file now contains three columns.
Shorewall in the last two releases.</p> In addition to the SUBNET/ADDRESS column, there are optional PROTOCOL and
PORT columns to block only certain applications from the blacklisted addresses.<br>
<p><b>8/13/2002 - Documentation in the <a target="_top" href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi"> </li>
CVS Repository</a></b></p> </ul>
<p>The Shorewall-docs project now contains just the HTML and image files - the <p><b>9/11/2002 - Debian 1.3.7c Packages Available </b></p>
Frontpage files have been removed.</p>
<p>Apt-get sources listed at <a
<p><b>8/7/2002 - <i>STABLE</i></b> <b>branch added to <a target="_top" href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi"> href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a>.</p>
CVS Repository</a></b></p>
<p><b>9/2/2002 - Shorewall 1.3.7c</b></p>
<p>This branch will only be updated after I release a new version of Shorewall
so you can always update from this branch to get the latest stable tree.</p> <p>This is a role up of a fix for "DNAT" rules where the source zone
is $FW (fw).</p>
<p><b>8/7/2002 - <a href="errata.htm#Upgrade">Upgrade Issues</a> section added
to the <a href="errata.htm">Errata Page</a></b></p> <p><b>8/26/2002 - Shorewall 1.3.7b</b></p>
<p>Now there is one place to go to look for issues involved with upgrading to <p>This is a role up of the "shorewall refresh" bug fix and the change
recent versions of Shorewall.</p> which reverses the order of "dhcp" and "norfc1918" checking.</p>
<p><b>8/7/2002 - Shorewall 1.3.6</b></p> <p><b>8/26/2002 - French FTP Mirror is Operational</b></p>
<p>This is primarily a bug-fix rollup with a couple of new features:</p> <p><a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall">ftp://france.shorewall.net/pub/mirrors/shorewall</a>
<ul> is now available.</p>
<li>The latest <a href="shorewall_quickstart_guide.htm">QuickStart Guides </a>
including the <a href="shorewall_setup_guide.htm">Shorewall Setup Guide.</a></li> <p><b>8/25/2002 - Shorewall Mirror in France </b></p>
<li>Shorewall will now DROP TCP packets that are not part of or related to an
existing connection and that are not SYN packets. These &quot;New not SYN&quot; packets <p>Thanks to a Shorewall user in Paris, the Shorewall web site is now
may be optionally logged by setting the LOGNEWNOTSYN option in <a href="Documentation.htm#Conf"> mirrored at <a target="_top" href="http://france.shorewall.net">http://france.shorewall.net</a>.</p>
/etc/shorewall/shorewall.conf</a>.</li>
<li>The processing of &quot;New not SYN&quot; packets may be extended by commands in <p><b>8/25/2002 - Shorewall 1.3.7a Debian Packages Available</b></p>
the new <a href="shorewall_extension_scripts.htm">newnotsyn extension script</a>.</li>
</ul> <p>Lorenzo Martignoni reports that the packages for version 1.3.7a
are available at <a
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a>.</p>
<p><b>8/22/2002 - Shorewall 1.3.7 Wins a Brown Paper Bag Award for
its Author -- Shorewall 1.3.7a released <img border="0"
src="images/j0233056.gif" width="50" height="80" align="middle">
</b></p>
<p>1.3.7a corrects problems occurring in rules file processing when
starting Shorewall 1.3.7.</p>
<p><b>8/22/2002 - Shorewall 1.3.7 Released</b></p>
<p>Features in this release include:</p>
<ul>
<li>The 'icmp.def' file is now empty! The rules in that file were
required in ipchains firewalls but are not required in Shorewall.
Users who have ALLOWRELATED=No in <a
href="Documentation.htm#Conf"> shorewall.conf</a> should see the
<a href="errata.htm#Upgrade">Upgrade Issues</a>.</li>
<li>A 'FORWARDPING' option has been added to <a
href="Documentation.htm#Conf">shorewall.conf</a>. The effect of
setting this variable to Yes is the same as the effect of adding an
ACCEPT rule for ICMP echo-request in <a
href="shorewall_extension_scripts.htm">/etc/shorewall/icmpdef</a>.
Users who have such a rule in icmpdef are encouraged to switch to
FORWARDPING=Yes.</li>
<li>The loopback CLASS A Network (127.0.0.0/8) has been added to
the rfc1918 file.</li>
<li>Shorewall now works with iptables 1.2.7.</li>
<li>The documentation and Web site no longer use FrontPage themes.</li>
</ul>
<p>I would like to thank John Distler for his valuable input regarding
TCP SYN and ICMP treatment in Shorewall. That input has led to marked improvement
in Shorewall in the last two releases.</p>
<p><b>8/13/2002 - Documentation in the <a target="_top"
href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi"> CVS Repository</a></b></p>
<p>The Shorewall-docs project now contains just the HTML and image
files - the Frontpage files have been removed.</p>
<p><b>8/7/2002 - <i>STABLE</i></b> <b>branch added to <a
target="_top" href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi"> CVS
Repository</a></b></p>
<p>This branch will only be updated after I release a new version of
Shorewall so you can always update from this branch to get the latest stable
tree.</p>
<p><b>8/7/2002 - <a href="errata.htm#Upgrade">Upgrade Issues</a> section
added to the <a href="errata.htm">Errata Page</a></b></p>
<p>Now there is one place to go to look for issues involved with upgrading
to recent versions of Shorewall.</p>
<p><b>8/7/2002 - Shorewall 1.3.6</b></p>
<p>This is primarily a bug-fix rollup with a couple of new features:</p>
<ul>
<li>The latest <a href="shorewall_quickstart_guide.htm">QuickStart Guides
</a> including the <a href="shorewall_setup_guide.htm">Shorewall
Setup Guide.</a></li>
<li>Shorewall will now DROP TCP packets that are not part of or related
to an existing connection and that are not SYN packets. These "New not
SYN" packets may be optionally logged by setting the LOGNEWNOTSYN option
in <a href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf</a>.</li>
<li>The processing of "New not SYN" packets may be extended by commands
in the new <a href="shorewall_extension_scripts.htm">newnotsyn extension
script</a>.</li>
</ul>
<p><a href="News.htm">More News</a></p> <p><a href="News.htm">More News</a></p>
<h2><a name="Donations"></a>Donations</h2> <h2><a name="Donations"></a>Donations</h2>
</td>
</td> <td width="88" bgcolor="#4b017c" valign="top"
<td width="88" bgcolor="#4B017C" valign="top" align="center"><a href="http://sourceforge.net" target="_top"> align="center"> <a href="http://sourceforge.net">M</a></td>
<img src="http://sourceforge.net/sflogo.php?group_id=22587" alt="SourceForge Logo" border="0" hspace="14" vspace="5" align="center"></a></td> </tr>
</tr>
</table> </tbody>
</center> </table>
</div> </center>
</div>
<table border="0" cellpadding="5" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber2" bgcolor="#4B017C">
<tr> <table border="0" cellpadding="5" cellspacing="0"
<td width="100%" style="margin-top: 1"> style="border-collapse: collapse;" width="100%" id="AutoNumber2"
<p align="center"><a href="http://www.starlight.org"> bgcolor="#4b017c">
<img border="4" src="images/newlog.gif" width="57" height="100" align="left" hspace="10"><img border="4" src="images/newlog.gif" width="57" height="100" align="right" hspace="10"></a></p> <tbody>
<p align="center"><font size="4" color="#FFFFFF">Shorewall is free but if <tr>
you try it and find it useful, please consider making a donation to <td width="100%" style="margin-top: 1px;">
<a href="http://www.starlight.org"><font color="#FFFFFF">Starlight Children's Foundation.</font></a> Thanks!</font></td> <p align="center"><a href="http://www.starlight.org"> <img
</tr> border="4" src="images/newlog.gif" width="57" height="100" align="left"
</table> hspace="10">
<img border="4" src="images/newlog.gif" width="57" height="100"
<p><font size="2">Updated align="right" hspace="10">
8/22/2002 - <a href="support.htm">Tom Eastep</a> </a></p>
</font>
<p align="center"><font size="4" color="#ffffff">Shorewall is free
but if you try it and find it useful, please consider making a donation
</p> to <a href="http://www.starlight.org"><font color="#ffffff">Starlight
Children's Foundation.</font></a> Thanks!</font></p>
</td>
</body> </tr>
</html>
</tbody>
</table>
<p><font size="2">Updated 9/16/2002 - <a href="support.htm">Tom Eastep</a>
</font>
</p>
<br>
</body>
</html>
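Review bot: the "new" badge next to the 9/16/2002 Shorewall 1.3.8 entry is referenced as `src="file:///vfat/Shorewall/Shorewall-docs/images/new10.gif"`, an absolute path on the author's machine that will be a broken image for every visitor; it should be the relative `src="images/new10.gif"` used elsewhere on the page. In the same hunk the SourceForge cell now contains `<a href="http://sourceforge.net">M</a>` where the `sflogo.php` image and `target="_top"` link used to be, which looks like an accidental edit rather than an intended change, and `<base target="_self">` appears twice in the new `<head>`. Minor wording: "role up" in the 1.3.7b and 1.3.7c entries should be "roll up", and the NEWNOTSYN entry would be more useful if it stated the option's default value and how it relates to the LOGNEWNOTSYN option already described under the 1.3.6 entry further down, since both concern the same class of TCP packets.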

View File

@ -73,17 +73,20 @@ Washington</a>
<ul> <ul>
<li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &amp; 8GB IDE HDs and LNE100TX <li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &amp; 8GB IDE HDs and LNE100TX
(Tulip) NIC - My personal Windows system.</li> (Tulip) NIC - My personal Windows system.</li>
<li>Celeron 1.4Gz, RH7.3, 256MB RAM, 60GB HD, LNE100TX(Tulip) NIC - My <li>Celeron 1.4Gz, RH7.3, 384MB RAM, 60GB HD, LNE100TX(Tulip) NIC - My
personal Linux System which runs Samba configured as a WINS server.</li> personal Linux System which runs Samba configured as a WINS server. This
system also has <a href="http://www.vmware.com/">VMware</a> installed and
can run both <a href="http://www.debian.org">Debian</a> and
<a href="http://www.suse.com">SuSE</a> in virtual machines.</li>
<li>K6-2/350, RH7.3, 384MB RAM, 8GB IDE HD, EEPRO100 NIC  <li>K6-2/350, RH7.3, 384MB RAM, 8GB IDE HD, EEPRO100 NIC 
- Mail (Postfix &amp; Courier-IMAP), HTTP (Apache), FTP (Pure_ftpd), DNS server - Mail (Postfix &amp; Courier-IMAP), HTTP (Apache), FTP (Pure_ftpd), DNS server
(Bind).</li> (Bind).</li>
<li>PII/233, RH7.3 with 2.4.19 kernel, 256MB MB RAM, 2GB SCSI HD - 3 <li>PII/233, RH7.3 with 2.4.20-pre2 kernel, 256MB MB RAM, 2GB SCSI HD - 3
LNE100TX&nbsp; (Tulip) and 1 TLAN NICs&nbsp; - Firewall running Shorewall 1.3.6 and a DHCP LNE100TX&nbsp; (Tulip) and 1 TLAN NICs&nbsp; - Firewall running Shorewall 1.3.6 and a DHCP
server.  Also runs PoPToP for road warrior access.</li> server.  Also runs PoPToP for road warrior access.</li>
<li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - My wife's personal system.</li> <li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - My wife's personal system.</li>
<li>PII/400 Laptop, Win2k SP2, 224MB RAM, 12GB HD, onboard EEPRO100 and EEPRO100 <li>PII/400 Laptop, Win2k SP2, 224MB RAM, 12GB HD, onboard EEPRO100 and EEPRO100
in expansion base - My main work system.</li> in expansion base and LinkSys WAC11 - My main work system.</li>
</ul> </ul>
<p>For more about our network see <a href="myfiles.htm">my Shorewall <p>For more about our network see <a href="myfiles.htm">my Shorewall
Configuration</a>.</p> Configuration</a>.</p>
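Review bot: the firewall entry still says "running Shorewall 1.3.6" even though this commit announces 1.3.8 and the same list item was edited to bump the kernel to 2.4.20-pre2; the Shorewall version should be updated in the same change. Also, "256MB MB RAM" on that line duplicates "MB" on both sides of the hunk.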

View File

@ -50,7 +50,7 @@
</li> </li>
<li><a href="blacklisting_support.htm"><b>Blacklisting</b></a> of individual <li><a href="blacklisting_support.htm"><b>Blacklisting</b></a> of individual
IP addresses and subnetworks is supported.</li> IP addresses and subnetworks is supported.</li>
<li><a href="Documentation.htm#Starting"><b>Operational support</b></a>: <li><b><a href="starting_and_stopping_shorewall.htm">Operational support</a></b>:
<ul> <ul>
<li>Commands to start, stop and clear the firewall</li> <li>Commands to start, stop and clear the firewall</li>
<li>Supports status monitoring <li>Supports status monitoring

View File

@ -43,7 +43,11 @@ from the internet and from the DMZ and in some cases, from each other.</li
network hosts.</p> network hosts.</p>
<p>While zones are normally disjoint (no two zones have a host in common), <p>While zones are normally disjoint (no two zones have a host in common),
there are cases where nested or overlapping zone definitions are appropriate.</p> there are cases where nested or overlapping zone definitions are appropriate.</p>
<p>Packets entering the firewall first pass through the <i>mangle </i>table's <p>For a general picture of how packets traverse a Netfilter firewall, see
<a href="http://www.netfilter.org/documentation/tutorials/blueflux/iptables-tutorial.html#TRAVERSINGOFTABLES">
http://www.netfilter.org/documentation/tutorials/blueflux/iptables-tutorial.html#TRAVERSINGOFTABLES.</a><br>
<br>
Packets entering the firewall first pass through the <i>mangle </i>table's
PREROUTING chain (you can see the mangle table by typing &quot;shorewall show PREROUTING chain (you can see the mangle table by typing &quot;shorewall show
mangle&quot;). If the packet entered through an interface that has the <b>norfc1918</b> mangle&quot;). If the packet entered through an interface that has the <b>norfc1918</b>
option, then the packet is sent down the <b>man1918</b>&nbsp; which will drop option, then the packet is sent down the <b>man1918</b>&nbsp; which will drop
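Review bot: in the unchanged context at the end of this hunk, "the packet is sent down the man1918 which will drop" is missing the word "chain" after man1918 (and carries a stray non-breaking space); since the paragraph is being rewritten anyway, fix it here rather than leaving a half-sentence next to the newly added tutorial link.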
@ -55,10 +59,25 @@ from the internet and from the DMZ and in some cases, from each other.</li
control.</p> control.</p>
<p>Next, if the packet isn't part of an established connection, it passes <p>Next, if the packet isn't part of an established connection, it passes
through the<i> nat</i> table's PREROUTING chain (you can see the nat table by through the<i> nat</i> table's PREROUTING chain (you can see the nat table by
typing &quot;shorewall show nat&quot;). </p> typing &quot;shorewall show nat&quot;). If you are doing both static nat and
port forwarding, the order in which chains are traversed is dependent on the
setting of NAT_BEFORE_RULES in shorewall.conf. If NAT_BEFORE_RULES is on then
packets will ender a chain called <i>interface_</i>in where <i>interface</i> is
the name of the interface on which the packet entered. Here it's destination IP
is compared to each of the <i>EXTERNAL</i> IP addresses from /etc/shorewall/nat
that correspond to this interface; if there is a match, DNAT is applied and the
packet header is modified to the IP in the <i>INTERNAL</i> column of the nat
file record. If the destination address doesn't match any of the rules in the
<i>interface_</i>in chain then the packet enters a chain called <i>sourcezone</i>_dnat
where <i>sourcezone</i> is the source zone of the packet. There it is compared
for a match against each of the DNAT records in the rules file that specify <i>
sourcezone </i>as the source zone. If a match is found, the destination IP
address (and possibly the destination port) is modified based on the rule
matched. If NAT_BEFORE_RULES is off, then the order of traversal of the <i>
interface_</i>in and <i>sourcezone</i>_dnat is reversed.</p>
<p> <p>
Traffic entering the Traffic is next sent to an<i> input </i>chain in the mail Netfilter table
firewall is sent to an<i> input </i>chain. If the traffic is destined for the (called 'filter'). If the traffic is destined for the
firewall itself, the name of the input chain is formed by appending &quot;_in&quot; to firewall itself, the name of the input chain is formed by appending &quot;_in&quot; to
the interface name. So traffic on eth0 destined for the firewall will enter a the interface name. So traffic on eth0 destined for the firewall will enter a
chain called <i>eth0_in</i>. The input chain for traffic that will be routed to chain called <i>eth0_in</i>. The input chain for traffic that will be routed to
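Review bot: the new NAT_BEFORE_RULES paragraph names the nat-table chain <i>interface_</i>in, and the very next paragraph says the filter-table input chain is formed "by appending "_in" to the interface name", so a reader following "shorewall show nat" will see two chains called eth0_in in different tables with no statement that they are distinct; say explicitly that the chain described here lives in the nat table and is not the filter-table input chain. The paragraph should also state which entry wins when a static NAT record and a DNAT rule both match the same external address under each setting, and what the default value of NAT_BEFORE_RULES is, since that ordering decides where traffic to a published address actually ends up. Typos in the added text: "packets will ender a chain" should be "enter", "Here it's destination IP" should be "its", and "the mail Netfilter table" in the rewritten following sentence should be "the main Netfilter table".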
@ -151,6 +170,6 @@ its own separate connection from the firewall to zone B.</p>
zone and you are having problems connecting from a local client to an internet zone and you are having problems connecting from a local client to an internet
server, <font color="#ff6633"><b><u> adding a rule won't help</u></b></font> server, <font color="#ff6633"><b><u> adding a rule won't help</u></b></font>
(see point 3 above).</p> (see point 3 above).</p>
<p><font size="2">Last modified 7/26/2002 - <a href="support.htm">Tom <p><font size="2">Last modified 8/22/2002 - <a href="support.htm">Tom
Eastep</a></font><p><font face="Trebuchet MS"><a href="copyright.htm"> Eastep</a></font><p><font face="Trebuchet MS"><a href="copyright.htm">
<font size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></body></html> <font size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></body></html>

View File

@ -36,6 +36,8 @@ It is mirrored at:</p>
<li><a target="_top" href="http://germany.shorewall.net"> <li><a target="_top" href="http://germany.shorewall.net">
http://germany.shorewall.net</a> (Hamburg, Germany)</li> http://germany.shorewall.net</a> (Hamburg, Germany)</li>
<li><a target="_top" href="http://shorewall.correofuego.com.ar">http://shorewall.correofuego.com.ar</a> (Martinez (Zona Norte - GBA), Argentina)</li> <li><a target="_top" href="http://shorewall.correofuego.com.ar">http://shorewall.correofuego.com.ar</a> (Martinez (Zona Norte - GBA), Argentina)</li>
<li><a target="_top" href="http://france.shorewall.net">http://france.shorewall.net</a>
(Paris, France)</li>
</ul> </ul>
<p align="left">The main Shorewall FTP Site is <a href="ftp://ftp.shorewall.net/pub/shorewall/" target="_blank">ftp://ftp.shorewall.net/pub/shorewall/</a> <p align="left">The main Shorewall FTP Site is <a href="ftp://ftp.shorewall.net/pub/shorewall/" target="_blank">ftp://ftp.shorewall.net/pub/shorewall/</a>
and is located in Washington State, USA.&nbsp; and is located in Washington State, USA.&nbsp;
@ -50,8 +52,11 @@ It is mirrored at:</p>
ftp://germany.shorewall.net/pub/shorewall</a> (Hamburg, Germany)</li> ftp://germany.shorewall.net/pub/shorewall</a> (Hamburg, Germany)</li>
<li> <li>
<a target="_blank" href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall">ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall</a> (Martinez (Zona Norte - GBA), Argentina)</li> <a target="_blank" href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall">ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall</a> (Martinez (Zona Norte - GBA), Argentina)</li>
<li>
<a target="_blank" href="ftp://france.shorewall.net/pub/mirrors/shorewall">ftp://france.shorewall.net/pub/mirrors/shorewall</a>
(Paris, France)</li>
</ul> </ul>
<p align="left"><font size="2">Last Updated 7/16/2002 - <a href="support.htm">Tom <p align="left"><font size="2">Last Updated 8/26/2002 - <a href="support.htm">Tom
Eastep</a></font></p> Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <p align="left"><font face="Trebuchet MS"><a href="copyright.htm">
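Review bot: the new Paris FTP mirror entry is consistent with the existing list items, but both mirror hunks now point users at third-party hosts that serve the package over plain FTP/HTTP, and neither hunk says how a reader can confirm that a mirror's copy matches the primary site in Washington State; consider a sentence beside the mirror list that points at whatever checksum or signature file the primary site publishes (or adding one there if none exists yet).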

View File

@ -18,7 +18,7 @@
</tr> </tr>
</table> </table>
<ul> <ul>
<li>A kernel that supports netfilter. I've tested with 2.4.2 - 2.4.19. <a href="kernel.htm"> <li>A kernel that supports netfilter. I've tested with 2.4.2 - 2.4.20-pre2. <a href="kernel.htm">
Check here for kernel configuration information.</a> Check here for kernel configuration information.</a>
If you are looking for a firewall for use with 2.2 kernels, <a href="http://www.shorewall.net/seawall"> If you are looking for a firewall for use with 2.2 kernels, <a href="http://www.shorewall.net/seawall">
see the Seattle Firewall site</a> see the Seattle Firewall site</a>
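Review bot: "2.4.20-pre2" is a pre-release kernel, and listing it as the top of the tested range without qualification reads as an endorsement; if it stays, mark it explicitly (e.g. "2.4.2 - 2.4.19, plus 2.4.20-pre2 (pre-release)") so readers do not take a -pre kernel as the recommended production version.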
@ -43,7 +43,7 @@
<li>The firewall monitoring display is greatly improved if you have awk <li>The firewall monitoring display is greatly improved if you have awk
(gawk) installed.</li> (gawk) installed.</li>
</ul> </ul>
<p align="left"><font size="2">Last updated 8/4/2002 - <a href="support.htm">Tom <p align="left"><font size="2">Last updated 8/24/2002 - <a href="support.htm">Tom
Eastep</a></font></p> Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <p align="left"><font face="Trebuchet MS"><a href="copyright.htm">

View File

@ -1,150 +1,202 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta http-equiv="Content-Language" content="en-us">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<title>Shorewall QuickStart Guide</title>
<meta name="Microsoft Theme" content="none"> <meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall QuickStart Guide</title>
<meta name="Microsoft Theme" content="none">
</head> </head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0"
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber1" bgcolor="#400169" height="90"> style="border-collapse: collapse;" width="100%" id="AutoNumber1"
<tr> bgcolor="#400169" height="90">
<td width="100%"> <tbody>
<h1 align="center"><font color="#FFFFFF">Shorewall QuickStart Guides<br> <tr>
Version 3.0</font></h1> <td width="100%">
</td> <h1 align="center"><font color="#ffffff">Shorewall QuickStart Guides<br>
</tr> Version 3.1</font></h1>
</td>
</tr>
</tbody>
</table> </table>
<p align="center">With thanks to Richard who reminded me once again that we must <p align="center">With thanks to Richard who reminded me once again that
all first walk before we can run.</p> we must all first walk before we can run.</p>
<h2>The Guides</h2> <h2>The Guides</h2>
<p>These guides provide step-by-step instructions for configuring Shorewall in
common firewall setups.</p> <p>These guides provide step-by-step instructions for configuring Shorewall
<p>The following guides are for firewalls with a single external IP address:</p> in common firewall setups.</p>
<p>The following guides are for users who have a single public IP address:</p>
<ul> <ul>
<li><a href="standalone.htm">Standalone</a> Linux System</li> <li><a href="standalone.htm">Standalone</a> Linux System</li>
<li><a href="two-interface.htm">Two-interface</a> Linux System acting as a <li><a href="two-interface.htm">Two-interface</a> Linux System acting
firewall/router for a small local network</li> as a firewall/router for a small local network</li>
<li><a href="three-interface.htm">Three-interface</a> Linux System acting as a <li><a href="three-interface.htm">Three-interface</a> Linux System acting
firewall/router for a small local network and a DMZ.</li> as a firewall/router for a small local network and a DMZ.</li>
</ul> </ul>
<p>The above guides are designed to get your first firewall up and running
quickly in the three most common Shorewall configurations.</p> <p>The above guides are designed to get your first firewall up and running
<p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> outlines quickly in the three most common Shorewall configurations.</p>
the steps necessary to set up a firewall where there are multiple public IP
addresses involved or if you want to learn more about Shorewall than is <p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> outlines
explained in the single-address guides above.</p> the steps necessary to set up a firewall where there are multiple public
IP addresses involved or if you want to learn more about Shorewall than
is explained in the single-address guides above.</p>
<ul> <ul>
<li><a href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a></li> <li><a href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a></li>
<li><a href="shorewall_setup_guide.htm#Concepts">2.0 Shorewall Concepts</a></li> <li><a href="shorewall_setup_guide.htm#Concepts">2.0 Shorewall Concepts</a></li>
<li><a href="shorewall_setup_guide.htm#Interfaces">3.0 Network Interfaces</a></li> <li><a href="shorewall_setup_guide.htm#Interfaces">3.0 Network Interfaces</a></li>
<li><a href="shorewall_setup_guide.htm#Addressing">4.0 Addressing, Subnets and Routing</a><ul> <li><a href="shorewall_setup_guide.htm#Addressing">4.0 Addressing, Subnets
<li><a href="shorewall_setup_guide.htm#Addresses">4.1 IP Addresses</a></li> and Routing</a>
<li><a href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li> <ul>
<li><a href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li> <li><a href="shorewall_setup_guide.htm#Addresses">4.1 IP Addresses</a></li>
<li><a href="shorewall_setup_guide.htm#ARP">4.4 Address Resolution Protocol</a></li> <li><a href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
</ul> <li><a href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li>
<ul> <li><a href="shorewall_setup_guide.htm#ARP">4.4 Address Resolution Protocol</a></li>
<li><a href="shorewall_setup_guide.htm#RFC1918">4.5 RFC 1918</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#Options">5.0 Setting up your Network</a><ul>
<li><a href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li>
</ul>
<ul>
<li><a href="shorewall_setup_guide.htm#NonRouted">5.2 Non-routed</a><ul>
<li><a href="shorewall_setup_guide.htm#SNAT">5.2.1 SNAT</a></li>
<li><a href="shorewall_setup_guide.htm#DNAT">5.2.2 DNAT</a></li>
<li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3 Proxy ARP</a></li>
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4 Static NAT</a></li>
</ul> </ul>
</li>
<li><a href="shorewall_setup_guide.htm#Rules">5.3 Rules</a></li> <ul>
<li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4 Odds and Ends</a></li> <li><a href="shorewall_setup_guide.htm#RFC1918">4.5 RFC 1918</a></li>
</ul>
</li> </ul>
<li><a href="shorewall_setup_guide.htm#DNS">6.0 DNS</a></li> </li>
<li><a href="shorewall_setup_guide.htm#StartingAndStopping">7.0 Starting and <li><a href="shorewall_setup_guide.htm#Options">5.0 Setting up your Network</a>
Stopping the Firewall</a></li> <ul>
<li><a href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li>
</ul>
<ul>
<li><a href="shorewall_setup_guide.htm#NonRouted">5.2 Non-routed</a>
<ul>
<li><a href="shorewall_setup_guide.htm#SNAT">5.2.1 SNAT</a></li>
<li><a href="shorewall_setup_guide.htm#DNAT">5.2.2 DNAT</a></li>
<li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3 Proxy ARP</a></li>
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4 Static NAT</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#Rules">5.3 Rules</a></li>
<li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4 Odds and Ends</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#DNS">6.0 DNS</a></li>
<li><a href="shorewall_setup_guide.htm#StartingAndStopping">7.0 Starting
and Stopping the Firewall</a></li>
</ul> </ul>
<h2><a name="Documentation"></a>Additional Documentation</h2> <h2><a name="Documentation"></a>Additional Documentation</h2>
<p>The following documentation covers a variety of topics and supplements the
<a href="shorewall_quickstart_guide.htm">QuickStart Guides</a> described above.</p> <p>The following documentation covers a variety of topics and supplements
the <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a> described
above.</p>
<ul> <ul>
<li><a href="blacklisting_support.htm">Blacklisting</a><ul> <li><a href="blacklisting_support.htm">Blacklisting</a>
<li>Static Blacklisting using /etc/shorewall/blacklist</li> <ul>
<li>Dynamic Blacklisting using /sbin/shorewall</li> <li>Static Blacklisting using /etc/shorewall/blacklist</li>
</ul> <li>Dynamic Blacklisting using /sbin/shorewall</li>
</li>
<li><a href="configuration_file_basics.htm">Common configuration file features</a><ul> </ul>
<li>Comments in configuration files</li> </li>
<li>Line Continuation</li> <li><a href="configuration_file_basics.htm">Common configuration file
<li>Port Numbers/Service Names</li> features</a>
<li>Port Ranges</li> <ul>
<li>Using Shell Variables</li> <li>Comments in configuration files</li>
<li>Complementing an IP address or Subnet</li> <li>Line Continuation</li>
<li>Shorewall Configurations (making a test configuration)</li> <li>Port Numbers/Service Names</li>
<li>Using MAC Addresses in Shorewall</li> <li>Port Ranges</li>
</ul> <li>Using Shell Variables</li>
</li> <li>Complementing an IP address or Subnet</li>
<li><a href="Documentation.htm">Configuration File Reference Manual</a><ul> <li>Shorewall Configurations (making a test configuration)</li>
<li> <li>Using MAC Addresses in Shorewall</li>
<a href="Documentation.htm#Variables">params</a></li>
<li><font color="#000099"><a href="Documentation.htm#Zones">zones</a></font></li> </ul>
<li><font color="#000099"><a href="Documentation.htm#Interfaces">interfaces</a></font></li> </li>
<li><font color="#000099"><a href="Documentation.htm#Hosts">hosts</a></font></li> <li><a href="Documentation.htm">Configuration File Reference Manual</a>
<li><font color="#000099"><a href="Documentation.htm#Policy">policy</a></font></li> <ul>
<li><font color="#000099"><a href="Documentation.htm#Rules">rules</a></font></li> <li> <a href="Documentation.htm#Variables">params</a></li>
<li><a href="Documentation.htm#Common">common</a></li> <li><font color="#000099"><a href="Documentation.htm#Zones">zones</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#Masq">masq</a></font></li> <li><font color="#000099"><a href="Documentation.htm#Interfaces">interfaces</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#ProxyArp">proxyarp</a></font></li> <li><font color="#000099"><a href="Documentation.htm#Hosts">hosts</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#NAT">nat</a></font></li> <li><font color="#000099"><a href="Documentation.htm#Policy">policy</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#Tunnels">tunnels</a></font></li> <li><font color="#000099"><a href="Documentation.htm#Rules">rules</a></font></li>
<li><a href="traffic_shaping.htm#tcrules">tcrules</a></li> <li><a href="Documentation.htm#Common">common</a></li>
<li><font color="#000099"><a href="Documentation.htm#Conf">shorewall.conf</a></font></li> <li><font color="#000099"><a href="Documentation.htm#Masq">masq</a></font></li>
<li><a href="Documentation.htm#modules">modules</a></li> <li><font color="#000099"><a href="Documentation.htm#ProxyArp">proxyarp</a></font></li>
<li><a href="Documentation.htm#TOS">tos</a> </li> <li><font color="#000099"><a href="Documentation.htm#NAT">nat</a></font></li>
<li><a href="Documentation.htm#Blacklist">blacklist</a></li> <li><font color="#000099"><a href="Documentation.htm#Tunnels">tunnels</a></font></li>
<li><a href="Documentation.htm#rfc1918">rfc1918</a></li> <li><a href="traffic_shaping.htm#tcrules">tcrules</a></li>
<li><a href="Documentation.htm#Routestopped">routestopped</a></li> <li><font color="#000099"><a href="Documentation.htm#Conf">shorewall.conf</a></font></li>
</ul> <li><a href="Documentation.htm#modules">modules</a></li>
</li> <li><a href="Documentation.htm#TOS">tos</a> </li>
<li><a href="dhcp.htm">DHCP</a></li> <li><a href="Documentation.htm#Blacklist">blacklist</a></li>
<li><font color="#000099"><a href="shorewall_extension_scripts.htm">Extension Scripts</a></font> <li><a href="Documentation.htm#rfc1918">rfc1918</a></li>
(How to extend Shorewall without modifying Shorewall code)</li> <li><a href="Documentation.htm#Routestopped">routestopped</a></li>
<li><a href="fallback.htm">Fallback/Uninstall</a></li>
<li><a href="shorewall_firewall_structure.htm">Firewall Structure</a></li> </ul>
<li><font color="#000099"><a href="kernel.htm">Kernel Configuration</a></font></li> </li>
<li><a href="myfiles.htm">My <li><a href="dhcp.htm">DHCP</a></li>
Configuration Files</a> (How I personally use Shorewall)</li> <li><font color="#000099"><a href="shorewall_extension_scripts.htm">Extension
<li><a href="ports.htm">Port Information</a><ul> Scripts</a></font> (How to extend Shorewall without modifying Shorewall
<li>Which applications use which ports</li> code)</li>
<li>Ports used by Trojans</li> <li><a href="fallback.htm">Fallback/Uninstall</a></li>
</ul> <li><a href="shorewall_firewall_structure.htm">Firewall Structure</a></li>
</li> <li><font color="#000099"><a href="kernel.htm">Kernel Configuration</a></font></li>
<li><a href="ProxyARP.htm">Proxy ARP</a></li> <li><a href="myfiles.htm">My Configuration Files</a> (How I personally
<li><a href="samba.htm">Samba</a></li> use Shorewall)</li>
<li><font color="#000099"><a href="starting_and_stopping_shorewall.htm">Starting/stopping the Firewall</a></font></li> <li><a href="ports.htm">Port Information</a>
<li><font color="#000099"><a href="NAT.htm">Static NAT</a></font></li> <ul>
<li><a href="traffic_shaping.htm">Traffic Shaping/Control</a></li> <li>Which applications use which ports</li>
<li>Tunnels<ul> <li>Ports used by Trojans</li>
<li><a href="IPSEC.htm">IPSEC</a></li>
<li><a href="IPIP.htm">GRE and IPIP</a></li> </ul>
<li><a href="PPTP.htm">PPTP</a></li> </li>
</ul> <li><a href="ProxyARP.htm">Proxy ARP</a></li>
</li> <li><a href="samba.htm">Samba</a></li>
<li><a href="whitelisting_under_shorewall.htm">White List Creation</a></li> <li><font color="#000099"><a
href="starting_and_stopping_shorewall.htm">Starting/stopping the Firewall</a></font></li>
<li><font color="#000099"><a href="NAT.htm">Static NAT</a></font></li>
<li><a href="traffic_shaping.htm">Traffic Shaping/Control</a></li>
<li>VPN
<ul>
<li><a href="IPSEC.htm">IPSEC</a></li>
<li><a href="IPIP.htm">GRE and IPIP</a></li>
<li><a href="PPTP.htm">PPTP</a></li>
<li><a href="VPN.htm">IPSEC/PPTP</a> from a system behind your firewall
to a remote network.</li>
</ul>
</li>
<li><a href="whitelisting_under_shorewall.htm">White List Creation</a></li>
</ul> </ul>
<p>If you use one of these guides and have a suggestion for improvement
<a href="mailto:webmaster@shorewall.net">please let me know</a>.</p> <p>If you use one of these guides and have a suggestion for improvement <a
href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
<p><font size="2">Last modified 9/16/2002 - <a
href="file:///J:/Shorewall/Shorewall-docs/support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright 2002 Thomas M. Eastep</font></a></p> <p><a href="copyright.htm"><font size="2">Copyright 2002 Thomas M. Eastep</font></a></p>
<br>
</body> </body>
</html>
</html>
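Review bot: the new "Last modified 9/16/2002" line links the author's name to `file:///J:/Shorewall/Shorewall-docs/support.htm`, a path on the author's local disk; that link will be dead for every reader and also exposes the local directory layout, so it should be the relative `href="support.htm"` that every other page in this commit uses. Minor: the "Tunnels" heading was renamed "VPN" and gained a VPN.htm entry; make sure VPN.htm is part of this commit so the new link does not 404.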

View File

@ -1,127 +1,147 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> <meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta http-equiv="Content-Type"
<title>Support</title> content="text/html; charset=windows-1252">
<meta name="Microsoft Theme" content="none">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Support</title>
<meta name="Microsoft Theme" content="none">
</head> </head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0"
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber1" bgcolor="#400169" height="90"> style="border-collapse: collapse;" width="100%" id="AutoNumber1"
<tr> bgcolor="#400169" height="90">
<td width="100%"> <tbody>
<h1 align="center"><font color="#FFFFFF">Shorewall Support</font></h1> <tr>
</td> <td width="100%">
</tr> <h1 align="center"><font color="#ffffff">Shorewall Support</font></h1>
</td>
</tr>
</tbody>
</table> </table>
<h3 align="left"> <span style="font-weight: 400;"><i> "<font size="3">It
is easier to post a problem than to use your own brain" </font>-- </i> <font
size="2">Weitse Venema (creator of <a href="http://www.postfix.org">Postfix</a>)</font></span></h3>
<p align="left"> <i>"Any sane computer with tell you how it works -- you
just have to ask it the right questions" </i>-- <font size="2">Tom Eastep</font></p>
<blockquote> </blockquote>
<p><span style="font-weight: 400;"><i>"It irks me when people believe that
free software comes at no cost. The cost is incredibly high."</i>
- <font size="2"> Weitse Venema</font></span></p>
<h3 align="left">Before Reporting a Problem</h3> <h3 align="left">Before Reporting a Problem</h3>
<blockquote>
<h3 align="left"> <span style="font-weight: 400"><i>
&quot;It is easier to post a problem than to use your own brain&quot; -- </i>
<font size="2">Weitse Venema (creator of Postfix)</font></span></h3>
</blockquote>
<p>There are a number of sources for problem solution information.</p> <p>There are a number of sources for problem solution information.</p>
<ul> <ul>
<li>The <a href="troubleshoot.htm">Troubleshooting</a> Information contains a <li>The <a href="FAQ.htm">FAQ</a> has solutions to common problems.</li>
number of tips to help you solve common problems.</li> <li>The <a href="troubleshoot.htm">Troubleshooting</a> Information contains
<li>The <a href="errata.htm"> Errata</a> has links to download updated a number of tips to help you solve common problems.</li>
components.</li> <li>The <a href="errata.htm"> Errata</a> has links to download updated
<li>The <a href="FAQ.htm">FAQ</a> has solutions to common problems.</li> components.</li>
<li>The Mailing List Archives are a useful source of problem solving <li>The Mailing List Archives are a useful source of problem solving
information.</li> information.</li>
</ul> </ul>
<blockquote>
<p>The archives from the mailing List are at <a href="http://www.shorewall.net/pipermail/shorewall-users">http://www.shorewall.net/pipermail/shorewall-users</a>.</p> <blockquote>
<p>The archives from the mailing List are at <a
<h3>Search the Mailing List Archives at Shorewall.net</h3> href="http://www.shorewall.net/pipermail/shorewall-users">http://www.shorewall.net/pipermail/shorewall-users</a>.</p>
<form method="POST" action="http://www.shorewall.net/cgi-bin/htsearch"> <h3>Search the Mailing List Archives at Shorewall.net</h3>
<p>
<font size="-1"> <form method="post" action="http://www.shorewall.net/cgi-bin/htsearch">
Match: <select name="method"> <p> <font size="-1"> Match:
<option value="and">All <select name="method">
<option value="or">Any <option value="and">All </option>
<option value="boolean">Boolean <option value="or">Any </option>
</select> <option value="boolean">Boolean </option>
Format: <select name="format"> </select>
<option value="builtin-long">Long Format:
<option value="builtin-short">Short <select name="format">
</select> <option value="builtin-long">Long </option>
Sort by: <select name="sort"> <option value="builtin-short">Short </option>
<option value="score">Score </select>
<option value="time">Time Sort by:
<option value="title">Title <select name="sort">
<option value="revscore">Reverse Score <option value="score">Score </option>
<option value="revtime">Reverse Time <option value="time">Time </option>
<option value="revtitle">Reverse Title <option value="title">Title </option>
</select> <option value="revscore">Reverse Score </option>
</font> <option value="revtime">Reverse Time </option>
<input type="hidden" name="config" value="htdig"> <option value="revtitle">Reverse Title </option>
<input type="hidden" name="restrict" value="[http://www.shorewall.net/pipermail/.*]"> </select>
<input type="hidden" name="exclude" value=""> </font> <input type="hidden" name="config" value="htdig"> <input
<br> type="hidden" name="restrict"
Search: value="[http://www.shorewall.net/pipermail/.*]"> <input type="hidden"
<input type="text" size="30" name="words" value=""> name="exclude" value=""> <br>
<input type="submit" value="Search"> </p> Search: <input type="text" size="30" name="words" value=""> <input
</form> type="submit" value="Search"> </p>
</form>
</blockquote> </blockquote>
<h3 align="Left">Problem Reporting Guidelines</h3> <h3 align="left">Problem Reporting Guidelines</h3>
<ul> <ul>
<li>When reporting a problem, give as much information as you can. Reports <li>When reporting a problem, give as much information as you can. Reports
that say "I tried XYZ and it didn't work&quot; are not at all helpful.</li> that say "I tried XYZ and it didn't work" are not at all helpful.</li>
<li>Please don't describe your environment and then ask us to send you <li>Please don't describe your environment and then ask us to send you
custom configuration files. We're here to answer your questions but we custom configuration files. We're here to answer your questions
can't do your job for you.</li> but we can't do your job for you.</li>
<li>Do you see any "Shorewall" messages in /var/log/messages when you exercise <li>Do you see any "Shorewall" messages in /var/log/messages when
the function that is giving you problems?</li> you exercise the function that is giving you problems?</li>
<li>Have you looked at the packet flow with a tool like tcpdump to try to <li>Have you looked at the packet flow with a tool like tcpdump to
understand what is going on?</li> try to understand what is going on?</li>
<li>Have you tried using the diagnostic capabilities of the application that <li>Have you tried using the diagnostic capabilities of the application
isn't working? For example, if "ssh" isn't able to connect, using the that isn't working? For example, if "ssh" isn't able to connect, using
"-v" option gives you a lot of valuable diagnostic information.</li> the "-v" option gives you a lot of valuable diagnostic information.</li>
<li>Please include any of the Shorewall configuration files (especially the <li>Please include any of the Shorewall configuration files (especially
/etc/shorewall/hosts file if you have modified that file) that you think are the /etc/shorewall/hosts file if you have modified that file) that you
relevant. If an error occurs when you try to &quot;shorewall start&quot;, include a think are relevant. If an error occurs when you try to "shorewall start",
trace (See the <a href="troubleshoot.htm">Troubleshooting</a> section for include a trace (See the <a href="troubleshoot.htm">Troubleshooting</a>
instructions).</li> section for instructions).</li>
<li>The list server limits posts to 120kb so don't post GIFs of your <li>The list server limits posts to 120kb so don't post GIFs of your
network layout, etc to the Mailing List -- your post will be rejected.</li> network layout, etc to the Mailing List -- your post will be rejected.</li>
</ul> </ul>
<h3>Where to Send your Problem
Report or to Ask for Help</h3> <h3>Where to Send your Problem Report or to Ask for Help</h3>
<h4>If you run Shorewall under Bering -- <span style="font-weight: 400">please
post your question or problem to the <h4>If you run Shorewall under Bering -- <span style="font-weight: 400;">please
<a href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing list</a>.</span></h4> post your question or problem to the <a
<p>Otherwise, please post your question or problem to the href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing list</a>.</span></h4>
<a href="mailto:shorewall-users@shorewall.net">Shorewall users mailing list</a>;
there are lots of folks there who are willing to help you. Your question/problem <p>Otherwise, please post your question or problem to the <a
description and their responses will be placed in the mailing list archives to href="mailto:shorewall-users@shorewall.net">Shorewall users mailing list</a>;
help people who have a similar question or problem in the future.</p> there are lots of folks there who are willing to help you. Your question/problem
<blockquote> description and their responses will be placed in the mailing list archives
<h3><span style="font-weight: 400"><i>&quot;It irks me when people believe that free software to help people who have a similar question or problem in the future.</p>
comes at no cost. The cost is incredibly high.&quot;</i> - <font size="2">
Weitse Venema</font></span></h3> <p>I don't look at problems sent to me directly but I try to spend some amount
</blockquote> of time each day responding to problems posted on the mailing list.</p>
<p>I do not answer questions or work on problems sent to me personally but I try
to respond promptly to mailing list posts.&nbsp;&nbsp; <a href="mailto:teastep@shorewall.net">-Tom</a></p> <p align="center"><a href="mailto:teastep@shorewall.net">-Tom</a></p>
<p>To Subscribe to the mailing list go to <a href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a>
<p>To Subscribe to the mailing list go to <a
href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a>
.</p> .</p>
<p align="left"><font size="2">Last Updated 8/17/2002 - Tom <p align="left"><font size="2">Last Updated 9/14/2002 - Tom Eastep</font></p>
Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<font size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> <br>
</body> </body>
</html>
</html>
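Review bot: two typos in the relocated quote block at the top of the page: "Any sane computer with tell you how it works" should read "will tell you", and Postfix's author is Wietse Venema, not "Weitse" (the misspelling appears in both quotations). Also, the `<blockquote> </blockquote>` left between the second quotation and the "Before Reporting a Problem" heading is now empty and can be dropped.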

File diff suppressed because it is too large

View File

@ -55,6 +55,9 @@ utilities.</p>
normally not required as Shorewall's method of clearing qdisc and filter normally not required as Shorewall's method of clearing qdisc and filter
definitions is pretty general.</li> definitions is pretty general.</li>
</ul> </ul>
<h3 align="left">Kernel Configuration</h3>
<p align="left">This screen shot show how I've configured QoS in my Kernel:</p>
<p align="center"><img border="0" src="images/QoS.png" width="590" height="764"></p>
<h3 align="left"><a name="tcrules"></a>/etc/shorewall/tcrules</h3> <h3 align="left"><a name="tcrules"></a>/etc/shorewall/tcrules</h3>
<p align="left">The fwmark classifier provides a convenient way to classify <p align="left">The fwmark classifier provides a convenient way to classify
packets for traffic shaping. The /etc/shorewall/tcrules file provides a means packets for traffic shaping. The /etc/shorewall/tcrules file provides a means
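Review bot: "This screen shot show how I've configured QoS in my Kernel" should be "shows", and a PNG of the kernel configuration menu is the only record of which QoS options are required; a reader cannot search it, copy from it, or read it in a text browser, so consider listing the relevant option names in text next to the image (the existing kernel.htm page is the natural place to link for the full set).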
@ -200,7 +203,7 @@ use to others.</p>
configuration</a> to get an idea of why I want these particular rules.<font face="Courier" size="2"><br> configuration</a> to get an idea of why I want these particular rules.<font face="Courier" size="2"><br>
</font></p> </font></p>
</blockquote> </blockquote>
<p><font size="2">Last Updated 6/18/2002 - <a href="support.htm">Tom <p><font size="2">Last Updated 8/24/2002 - <a href="support.htm">Tom
Eastep</a></font></p> Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>

View File

@ -126,6 +126,17 @@ policy</li>
<h3 align="Left">Other Gotchas</h3> <h3 align="Left">Other Gotchas</h3>
<ul> <ul>
<li>Seeing rejected/dropped packets logged out of the INPUT or FORWARD
chains? This means that:<ol>
<li>your zone definitions are screwed up and the host that is sending the
packets or the destination host isn't in any zone (using an
<a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a> file are you?);
or</li>
<li>the source and destination hosts are both connected to the same
interface and that interface doesn't have the 'multi' option specified in
<a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
</ol>
</li>
<li>Remember that Shorewall doesn't automatically allow ICMP type 8 ("ping") <li>Remember that Shorewall doesn't automatically allow ICMP type 8 ("ping")
requests to be sent between zones. If you want pings to be allowed between requests to be sent between zones. If you want pings to be allowed between
zones, you need a rule of the form:<br> zones, you need a rule of the form:<br>
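Review bot: the new "Other Gotchas" item is a useful addition, but "your zone definitions are screwed up" is out of register for a troubleshooting page; "your zone definitions are incorrect" says the same thing. It would also help to show what such a log entry looks like, since the reader has to recognise the chain name (INPUT or FORWARD) in the log prefix to know this item applies rather than the zone-to-zone cases covered elsewhere on the page.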
@ -183,7 +194,7 @@ ADD_IP_ALIASES</a>
</font> </font>
<p><font size="2">Last updated 7/27/2002 - <p><font size="2">Last updated 9/13/2002 -
Tom Eastep</font> Tom Eastep</font>
</p> </p>

File diff suppressed because it is too large