extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-02-28 15:42:22 +01:00
Code Issues Packages Projects Releases Wiki Activity

Move HTML files to new project

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1023 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2003-12-29 22:21:51 +00:00
parent 83457bf40c
commit 331b2091bb
26 changed files with 47 additions and 11473 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

47
Shorewall-docs/Banner.html
View File

@ -1,47 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="content-type"
content="text/html; charset=UTF-8">
<title>Banner</title>
<meta name="author" content="Tom Eastep">
<base target="main">
</head>
<body style="color: rgb(0, 0, 0); background-color: rgb(51, 102, 255);"
link="#000099" vlink="#990099" alink="#000099">
<table cellpadding="0"
style="border-collapse: collapse; background-color: rgb(51, 102, 255); width: 1020px; height: 102px;"
id="AutoNumber3">
<tbody>
<tr>
<td style="text-align: center; width: 34%; vertical-align: top;">
<div align="center"> <img src="images/Logo1.png"
alt="(Shorewall Logo)" style="width: 430px; height: 90px;"
align="middle" title=""> </div>
</td>
<td style="vertical-align: top;">
<form method="post"
action="http://lists.shorewall.net/cgi-bin/htsearch"
style="background-color: rgb(51, 102, 255);"> <strong><font
color="#ffffff"><b>Note: </b></font></strong><font color="#ffffff">Search
is unavailable Daily 0200-0330 GMT.</font><br>
<strong></strong>
<p><font color="#ffffff"><strong>Quick Search</strong></font><br>
<font face="Arial" size="-1"> <input type="text" name="words"
size="15"></font><font size="-1"> </font> <font color="#ffffff"> <input
type="hidden" name="format" value="long"> <input type="hidden"
name="method" value="and"> <input type="hidden" name="config"
value="htdig"> <input type="submit" value="Search"><b><font
color="#ffffff">&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; <a
href="http://lists.shorewall.net/htdig/search.html"
style="color: rgb(255, 255, 255);">Extended Search including Mailing
List Archives<br>
</a></font></b></font></p>
<font face="Arial"> <input type="hidden" name="exclude"
value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
</td>
</tr>
</tbody>
</table>
</body>
</html>

6142
Shorewall-docs/News.htm
View File

File diff suppressed because it is too large Load Diff

34
Shorewall-docs/SeattleInTheSpring.html
View File

@ -1,34 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Springtime in Seattle!!!</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
-+
<h3><font color="#ff6633"></font></h3>
<h1 style="text-align: center;">Visit Seattle in the Springtime!!!<br>
</h1>
<img src="images/P1000048.jpg" alt="" width="640" height="480"> <br>
<br>
<b>March 6, 2003 - Nice day for a walk....</b><br>
<br>
<img src="images/P1000050.jpg" alt="" width="640" height="480"> <br>
<br>
<br>
<img src="images/P1000049.jpg" alt="" width="480" height="640">
<p><b>The view from my office window -- think I'll go out and enjoy the
deck (Yes -- that is snow on the deck...)</b>.<br>
</p>
<p><font size="2">Updated 3/7/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
<br>
<br>
<br>
</body>
</html>

80
Shorewall-docs/Shorewall_CA_html.html
View File

@ -1,80 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Shorewall Certificate Authority</title>
<meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep">
</head>
<body>
<h1 style="text-align: center;">Shorewall Certificate Authority (CA)
Certificate<br>
</h1>
Given that I develop and support Shorewall without asking for any
renumeration, I can hardly justify paying $200US+ a year to a
Certificate Authority such as Thawte (A Division of VeriSign) for an
X.509 certificate to prove that I am who I am. I have therefore
established my own Certificate Authority (CA) and sign my own X.509
certificates. I use these certificates on my list server (<a
href="https://lists.shorewall.net">https://lists.shorewall.net</a>)
which hosts parts of this web site.<br>
<br>
X.509 certificates are the basis for the Secure Socket Layer (SSL). As
part of establishing an SSL session (URL https://...), your browser
verifies the X.509 certificate supplied by the HTTPS server against the
set of Certificate Authority Certificates that were shipped with your
browser. It is expected that the server's certificate was issued by one
of the authorities whose identities are known to your browser. <br>
<br>
This mechanism, while supposedly guaranteeing that when you connect to
https://www.foo.bar you are REALLY connecting to www.foo.bar, means
that the CAs literally have a license to print money -- they are
selling a string of bits (an X.509 certificate) for $200US+ per
year!!!I <br>
<br>
I wish that I had decided to become a CA rather that designing and
writing Shorewall.<br>
<br>
What does this mean to you? It means that the X.509 certificate that my
server will present to your browser will not have been signed by one of
the authorities known to your browser. If you try to connect to my
server using SSL, your browser will frown and give you a dialog box
asking if you want to accept the sleezy X.509 certificate being
presented by my server. <br>
<br>
There are two things that you can do:<br>
<ol>
<li>You can accept the mail.shorewall.net certificate when your
browser asks -- your acceptence of the certificate can be temporary
(for that access only) or perminent.</li>
<li>You can download and install <a href="ca.crt">my (self-signed)
CA certificate.</a> This will make my Certificate Authority known to
your browser so that it will accept any certificate signed by me. <br>
</li>
</ol>
What are the risks?<br>
<ol>
<li>If you install my CA certificate then you assume that I am
trustworthy and that Shorewall running on your firewall won't redirect
HTTPS requests intented to go to your bank's server to one of my
systems that will present your browser with a bogus certificate
claiming that my server is that of
your bank.</li>
<li>If you only accept my server's certificate when prompted then the
most that you have to loose is that when you connect to
https://mail.shorewall.net, the server you are connecting to might not
be mine.</li>
</ol>
I have my CA certificate loaded into all of my browsers but I certainly
won't be offended if you decline to load it into yours... :-)<br>
<p align="left"><font size="2">Last Updated 1/17/2003 - Tom Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> &copy; <font size="2">2001, 2002, 2003
Thomas M.
Eastep.</font></a></font></p>
<br>
<br>
<br>
<br>
</body>
</html>

39
Shorewall-docs/Shorewall_CVS_Access.html
View File

@ -1,39 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Shorewall CVS Access</title>
<meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep">
</head>
<body>
<br>
<h1 style="text-align: center;">Shorewall CVS Access<br>
</h1>
Lots of people try to download the entire Shorewall website for
off-line browsing, including the CVS portion. In addition to being an
enormous volume of data (HTML versions of all versions of all Shorewall
files), all of the pages in Shorewall CVS access are cgi-generated
which places a tremendous load on my little server. I have therefore
resorted to making CVS access password controlled. When you are asked
to log in, enter "Shorewall" (NOTE THE CAPITALIZATION!!!!!) for both
the user name and the password.<br>
<br>
<div align="center">
<h3><a href="http://cvs.shorewall.net/cgi-bin/cvs/cvsweb.cgi"
target="_top">CVS Login</a> &nbsp;<br>
</h3>
</div>
<p><font size="2" face="Century Gothic, Arial, Helvetica">Updated
1/14/2002 - <a href="support.htm">Tom Eastep</a> </font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
&copy; <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
</body>
</html>

52
Shorewall-docs/Shorewall_index_frame.htm
View File

@ -1,52 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta content="en-us" http-equiv="Content-Language">
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
<title>Shorewall Index</title>
<base target="main">
</head>
<body>
<table bgcolor="#3366ff" border="0" cellpadding="0" cellspacing="0"
id="AutoNumber1" style="border-collapse: collapse;" width="100%">
<tbody>
<tr>
<td bgcolor="#ffffff" width="100%">
<ul>
<li> <a href="seattlefirewall_index.htm">Home</a></li>
<li> <a href="shorewall_features.htm">Features</a></li>
<li><a href="Shorewall_Doesnt.html">What it Cannot Do</a> </li>
<li> <a href="shorewall_prerequisites.htm">Requirements</a></li>
<li> <a href="download.htm">Download</a> </li>
<li> <a href="Install.htm">Installation/Upgrade/</a> <a
href="Install.htm">Configuration</a> </li>
<li> <a href="shorewall_quickstart_guide.htm">QuickStart
Guides (HOWTOs)</a> </li>
<li> <b><a href="Documentation_Index.html">Documentation</a></b></li>
<li> <a href="FAQ.htm">FAQs</a></li>
<li><a href="useful_links.html">Useful Links</a> </li>
<li> <a href="troubleshoot.htm">Things to try if it doesn't
work</a></li>
<li> <a href="errata.htm">Errata</a></li>
<li> <a href="upgrade_issues.htm">Upgrade Issues</a></li>
<li> <a href="support.htm">Getting help or Answers to Questions</a></li>
<li><a href="http://lists.shorewall.net">Mailing Lists</a><a
href="http://lists.shorewall.net"> </a> </li>
<li><a href="shorewall_mirrors.htm">Mirrors</a> </li>
<li> <a href="News.htm">News Archive</a></li>
<li> <a href="Shorewall_CVS_Access.html">CVS Repository</a></li>
<li> <a href="quotes.htm">Quotes from Users</a></li>
<li> <a href="shoreline.htm">About the Author</a></li>
<li> <a href="seattlefirewall_index.htm#Donations">Donations</a></li>
</ul>
</td>
</tr>
</tbody>
</table>
<p> <a href="http://validator.w3.org/check/referer"><img
src="http://www.w3.org/Icons/valid-xhtml10" alt="Valid XHTML 1.0!"
height="31" width="88"></a> </p>
<p><a href="copyright.htm"><font size="2">Copyright © 2001-2003 Thomas
M. Eastep.</font> </a> </p>
</body>
</html>

68
Shorewall-docs/Shorewall_sfindex_frame.htm
View File

@ -1,68 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Index</title>
<base target="main">
<meta name="Microsoft Theme" content="none">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%" bgcolor="#ffffff">
<ul>
<li> <a href="seattlefirewall_index.htm">Home</a></li>
<li> <a href="shorewall_features.htm">Features</a></li>
<li><a href="Shorewall_Doesnt.html">What it Cannot Do</a><br>
</li>
<li> <a href="shorewall_prerequisites.htm">Requirements</a></li>
<li> <a href="download.htm">Download</a><br>
</li>
<li> <a href="Install.htm">Installation/Upgrade/</a><br>
<a href="Install.htm">Configuration</a><br>
</li>
<li> <a href="shorewall_quickstart_guide.htm">QuickStart
Guides (HOWTOs)</a><br>
</li>
<li> <b><a href="Documentation_Index.html">Documentation</a></b></li>
<li> <a href="FAQ.htm">FAQs</a></li>
<li><a href="useful_links.html">Useful Links</a><br>
</li>
<li> <a href="troubleshoot.htm">Things to try if it doesn't
work</a></li>
<li> <a href="errata.htm">Errata</a></li>
<li> <a href="upgrade_issues.htm">Upgrade Issues</a></li>
<li> <a href="support.htm">Getting help or Answers to Questions</a></li>
<li><a href="http://lists.shorewall.net">Mailing Lists</a><a
href="http://lists.shorewall.net"> </a><br>
</li>
<li><a href="shorewall_mirrors.htm">Mirrors</a>
<ul>
</ul>
</li>
<li> <a href="News.htm">News Archive</a></li>
<li> <a href="Shorewall_CVS_Access.html">CVS Repository</a></li>
<li> <a href="quotes.htm">Quotes from Users</a></li>
<ul>
</ul>
<li> <a href="shoreline.htm">About the Author</a></li>
<li> <a href="seattlefirewall_index.htm#Donations">Donations</a></li>
</ul>
</td>
</tr>
</tbody>
</table>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001-2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
<br>
</body>
</html>

45
Shorewall-docs/SourceforgeBanner.html
View File

@ -1,45 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="content-type"
content="text/html; charset=UTF-8">
<title>Banner</title>
<meta name="author" content="Tom Eastep">
<base target="main">
</head>
<body style="color: rgb(0, 0, 0); background-color: rgb(51, 102, 255);"
link="#000099" vlink="#990099" alink="#000099">
<table cellpadding="0"
style="border-collapse: collapse; background-color: rgb(51, 102, 255); width: 1020px; height: 102px;"
id="AutoNumber3">
<tbody>
<tr>
<td style="text-align: center; width: 34%; vertical-align: top;">
<div align="center"> <img src="images/Logo1.png"
alt="(Shorewall Logo)" style="width: 430px; height: 90px;"
align="middle" title=""> </div>
</td>
<td style="vertical-align: top;">
<form method="post"
action="http://lists.shorewall.net/cgi-bin/htsearch"
style="background-color: rgb(51, 102, 255);"> <strong><font
color="#ffffff"><b>Note: </b></font></strong><font color="#ffffff">Search
is unavailable Daily 0200-0330 GMT.</font><br>
<strong></strong>
<p><font color="#ffffff"><strong>Quick Search</strong></font><br>
<font face="Arial" size="-1"> <input type="text" name="words"
size="15"></font><font size="-1"> </font> <font color="#ffffff"> <input
type="hidden" name="format" value="long"> <input type="hidden"
name="method" value="and"> <input type="hidden" name="config"
value="htdig"> <input type="submit" value="Search"><b><font
color="#ffffff">&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; <a
href="http://lists.shorewall.net/htdig/search.html"
style="color: rgb(255, 255, 255);">Extended Search</a></font></b></font></p>
<font face="Arial"> <input type="hidden" name="exclude"
value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
</td>
</tr>
</tbody>
</table>
</body>
</html>

30
Shorewall-docs/copyright.htm
View File

@ -1,30 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Copyright</title>
</head>
<body>
<h1 style="text-align: center;">Copyright<br>
</h1>
<p align="left">Copyright <font face="Trebuchet MS">©</font>&nbsp;
2000, 2001, 2003 Thomas M Eastep<br>
&nbsp;</p>
<blockquote>
<p align="left">Permission is granted to copy, distribute and/or
modify this document under the terms of the GNU Free Documentation
License, Version 1.1 or any later version published by the Free
Software Foundation; with no Invariant Sections, with no Front-Cover,
and with no Back-Cover Texts. A copy of the license is included in the
section entitled "<a href="GnuCopyright.htm">GNU Free Documentation
License</a>".<br>
&nbsp;</p>
</blockquote>
<br>
<br>
</body>
</html>

191
Shorewall-docs/download.htm
View File

@ -1,191 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Download</title>
</head>
<body>
<h1 style="text-align: center;">Shorewall Download<br>
</h1>
<p><b>I strongly urge you to read and print a copy of the <a
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
for the configuration that most closely matches your own.<br>
</b></p>
<p>The entire set of Shorewall documentation is available in PDF format
at:</p>
<p>&nbsp;&nbsp;&nbsp; <a
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
&nbsp;&nbsp;&nbsp; <a
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
&nbsp;&nbsp;&nbsp; <a
href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>
</p>
<p>The documentation in HTML format is included in the .rpm and in the
.tgz
packages below.</p>
<p> Once you've printed the appropriate QuickStart Guide, download <u>
one</u> of the modules:</p>
<ul>
<li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>, <b> Linux
PPC</b>, <span style="font-weight: bold;">Trustix</span> or <b>
TurboLinux</b> distribution with a 2.4 kernel, you can
use the RPM version (note: the RPM should also work with other
distributions that store init scripts in /etc/init.d and that include
chkconfig or insserv). If you find that it works in other cases, let <a
href="mailto:teastep@shorewall.net"> me</a> know so that I can mention
them here. See the <a href="Install.htm">Installation Instructions</a>
if you have problems installing the RPM.</li>
<li>If you are running LRP, download the .lrp file (you might also
want to download the .tgz so you will have a copy of the documentation).</li>
<li>If you run <a href="http://www.debian.org"><b>Debian</b></a> and
would like a .deb package, Shorewall is included in both the <a
href="http://packages.debian.org/testing/net/shorewall.html">Debian
Testing Branch</a> and the <a
href="http://packages.debian.org/unstable/net/shorewall.html">Debian
Unstable Branch</a>.</li>
<li>Otherwise, download the <i>shorewall</i> module (.tgz)</li>
</ul>
<p>The documentation in HTML format is included in the .tgz and .rpm
files and there is an documentation .deb that also contains the
documentation.&nbsp;&nbsp;The .rpm will install the documentation in
your default document directory which can be obtained using the
following command:<br>
</p>
<blockquote>
<p><font color="#009900"><b>rpm --eval '%{_defaultdocdir}'</b></font></p>
</blockquote>
<p>Please check the <font color="#ff0000"> <a href="errata.htm">
errata</a></font> to see if there are updates that apply to the version
that you have downloaded.</p>
<p><font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY
INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME
CONFIGURATION IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have
completed configuration of your firewall, you can enable startup by
removing the file /etc/shorewall/startup_disabled.</b></font></p>
<p><b></b></p>
<p><b>Download Sites:</b></p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>SERVER LOCATION</b></td>
<td><b>DOMAIN</b></td>
<td><b>HTTP</b></td>
<td><b>FTP</b></td>
</tr>
<tr>
<td>Slovak Republic</td>
<td>Shorewall.net</td>
<td><a href="http://slovakia.shorewall.net/pub/shorewall/">Browse</a></td>
<td> <a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/">Browse</a></td>
</tr>
<tr>
<td style="vertical-align: top;">Washington State, USA</td>
<td style="vertical-align: top;">Shorewall.net</td>
<td style="vertical-align: top;"><a
href="http://www.shorewall.net/pub/shorewall/">Browse</a></td>
<td style="vertical-align: top;"><a
href="ftp://ftp.shorewall.net/pub/shorewall/" target="_blank">Browse</a></td>
</tr>
<tr>
<td>Texas, USA</td>
<td>Infohiiway.com</td>
<td><a href="http://shorewall.infohiiway.com/pub/shorewall">Browse</a></td>
<td><a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/">Browse<br>
</a></td>
</tr>
<tr>
<td>Hamburg, Germany</td>
<td>Shorewall.net</td>
<td><a href="http://germany.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall">Browse</a></td>
</tr>
<tr>
<td>France</td>
<td>Shorewall.net</td>
<td><a
href="http://france.shorewall.net/pub/shorewall/LATEST.lrp">Browse</a></td>
<td> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/">Browse</a></td>
</tr>
<tr>
<td valign="top">Taiwan<br>
</td>
<td valign="top">Greshko.com<br>
</td>
<td valign="top"><a
href="http://shorewall.greshko.com/pub/shorewall/">Browse<br>
</a></td>
<td valign="top"><a
href="ftp://shorewall.greshko.com/pub/shorewall/" target="_top">Browse</a><br>
</td>
</tr>
<tr>
<td valign="top">Argentina<br>
</td>
<td valign="top">Shorewall.net<br>
</td>
<td valign="top"><a
href="http://argentina.shorewall.net/pub/shorewall/shorewall">Browse</a><br>
</td>
<td valign="top"><a href="ftp://ftp.syachile.cl/pub/shorewall"
target="_top">Browse</a><br>
</td>
</tr>
<tr>
<td valign="top">Brazil<br>
</td>
<td valign="top">securityopensource.org.br<br>
</td>
<td valign="top"><a
href="http://shorewall.securityopensource.org.br/pub/shorewall/">Browse</a><br>
</td>
<td valign="top">N/A<br>
</td>
</tr>
<tr>
<td>Sourceforge - California, USA (Incomplete)<br>
</td>
<td>Sourceforge.net<br>
</td>
<td><a href="http://sourceforge.net/projects/shorewall">Browse<br>
</a></td>
<td>N/A<br>
</td>
</tr>
</tbody>
</table>
</blockquote>
<p align="left"><b>CVS:</b></p>
<blockquote>
<p align="left">The <a target="_top"
href="http://cvs.shorewall.net/Shorewall_CVS_Access.html">CVS
repository at cvs.shorewall.net</a> contains the latest snapshots of
the each Shorewall component. There's no guarantee that what you find
there will work at all.<br>
</p>
</blockquote>
<p align="left"><b>Shapshots:<br>
</b></p>
<blockquote>
<p align="left">Periodic snapshots from CVS may be found at <a
href="http://shorewall.net/pub/shorewall/Snapshots/">http://shorewall.net/pub/shorewall/Snapshots</a>
(<a href="ftp://shorewall.net/pub/shorewall/Snapshots/" target="_top">FTP</a>).
These snapshots have undergone initial testing and will have been
installed and run at shorewall.net.<br>
</p>
</blockquote>
<p align="left"><font size="2">Last Updated 12/29/2003 - <a
href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
</body>
</html>

196
Shorewall-docs/errata_1.htm
View File

@ -1,196 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Errata for Version 1</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Errata for Version
1.1</font></h1>
</td>
</tr>
</tbody>
</table>
<h3 align="left"><font color="#660066"><u>To those of you who downloaded
the 1.1.13 updated firewall script prior to Sept 20, 2001:</u></font></h3>
<blockquote>
<p align="left">Prior to 20:00 20 Sept 2001 GMT, the link under 1.1.13
pointed to a broken version of the firewall script. This has now been corrected.
I apologize for any confusion this may have caused.</p>
</blockquote>
<h3 align="left">Version 1.1.18</h3>
<blockquote>
<p align="left">In the original .lrp, /etc/init.d/shorewall was not
secured for execute access. I have replaced the incorrect .lrp
(shorwall-1.1.18.lrp) with a corrected one (shorwall-1.1.18a.lrp).</p>
</blockquote>
<h3 align="left"><font color="#660066"> Version 1.1.17</font></h3>
<blockquote>
<p align="left">In shorewall.conf, ADD_IP_ALIASES was incorrectly
spelled IP_ADD_ALIASAES. There is a corrected version of the
file <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.17/shorewall.conf">here.</a></p>
<p align="left">This problem is also corrected in version 1.1.18.</p>
</blockquote>
<h3 align="left"><font color="#660066"> Version 1.1.16</font></h3>
<blockquote>
<p align="left"> The ADD_IP_ALIASES variable added in 1.1.16 was incorrectly
spelled IP_ADD_ALIASES in the firewall script. To correct this problem,
install the <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.16/firewall"> corrected
firewall script</a> in the location pointed to by the symbolic link
/etc/shorewall/firewall.</p>
<p align="left"> This problem is also corrected in version 1.1.17.</p>
</blockquote>
<h3 align="left"><font color="#660066"> Version 1.1.14-1.1.15</font></h3>
<blockquote>
<p align="left"> There are no corrections for these versions.</p>
</blockquote>
<h3 align="left"><font color="#660066"> Version 1.1.13</font></h3>
<blockquote>
<p align="left"> The firewall fails to start if a rule with the following
format is given:</p>
<p align="left"> &lt;disposition&gt;    z1:www.xxx.yyy.zzz    z2   
proto    p1,p2,p3</p>
<p align="left"> To correct this problem, install <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.13/firewall"> this
corrected firewall script</a> in the location pointed to by the symbolic
link /etc/shorewall/firewall. </p>
</blockquote>
<h3 align="left"><font color="#660066"> Version 1.1.12</font></h3>
<blockquote>
<p align="left"> The LRP version of Shorewall 1.1.12 has the incorrect
/etc/shorewall/functions file. This incorrect file results in many error
messages of the form:</p>
<blockquote>
<p align="left"> separate_list: not found</p>
</blockquote>
<p align="left"><a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.12/functions"> The
correct file may be obtained here</a> . This problem is also corrected
in version 1.1.13.</p>
</blockquote>
<h3 align="left"><font color="#660066"> Version 1.1.11</font></h3>
<blockquote>
<p align="left"> There are no known problems with this version.</p>
</blockquote>
<h3 align="left"><font color="#660066"> Version 1.1.10</font></h3>
<blockquote>
<p align="left"> If the following conditions were met:<br>
</p>
<ol>
<li>
<p align="left"> A LAN segment attached to the firewall was served
by a DHCP server running on the firewall.</p>
</li>
<li>
<p align="left"> There were entries in /etc/shorewall/hosts that referred
to the interface to that LAN segment.</p>
</li>
</ol>
<p align="left"> then up until now it has been necessary to include entries
for 0.0.0.0 and 255.255.255.255 for that interface in /etc/shorewall/hosts.
<a href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.10/firewall">
This version of the firewall script</a> makes those additions unnecessary
provided that you simply include "dhcp" in the options for the interface
in /etc/shorewall/interfaces. Install the script into the location pointed
to by the symbolic link /etc/shorewall/firewall.</p>
<p align="left"> This problem has also been corrected in version 1.1.11.</p>
</blockquote>
<h3 align="left"><font color="#660066"> Version 1.1.9</font></h3>
<ul>
<li>The shorewall "hits" command lists extraneous service names in
the final report. <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.9/shorewall"> This
version of the shorewall script</a> corrects this problem.<br>
</li>
</ul>
<h3 align="left">Version 1.1.8</h3>
<ul>
<li>Under some circumstances, the "dhcp" option on an interface triggers
a bug in the firewall script that results in a "chain already exists"
error. <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.8/firewall"> This
version of the firewall script</a> corrects this problem. Install
it into the location pointed to by the symbolic link /etc/shorewall/firewall.<br>
<br>
This problem is also corrected in version 1.1.9.<br>
</li>
</ul>
<h3 align="left">Version 1.1.7</h3>
<ul>
<li>If the /etc/shorewall/rules template from version 1.1.7 is used,
a warning message appears during firewall startup:<br>
<br>
    Warning: Invalid Target - rule "@ icmp-unreachable packet."
ignored<br>
<br>
This warning may be eliminated by replacing the "@" in column 1 of
line 17 with "#"</li>
</ul>
<blockquote>
<p align="left"> This problem is also corrected in version 1.1.8</p>
</blockquote>
<p align="left"><font size="2"> Last updated 12/21/2001 - </font><font
size="2"> <a href="support.htm">Tom Eastep</a></font> </p>
<p align="left"><a href="copyright.htm"> <font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
<br>
</body>
</html>

425
Shorewall-docs/errata_2.htm
View File

@ -1,425 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall 1.2 Errata</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" height="90" bgcolor="#3366ff">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall 1.2 Errata</font></h1>
</td>
</tr>
</tbody>
</table>
<p align="center"> <font face="Century Gothic, Arial, Helvetica">
<b><u>IMPORTANT</u></b></font></p>
<p align="center"> <b><u>If you use a Windows system to download a
corrected script, be sure to run the script through <a
href="http://www.megaloman.com/%7Ehany/software/hd2u/"> dos2unix</a>
after you have moved it to your Linux system.</u></b></p>
<p align="center"> <u><b>When the instructions say to install a corrected
firewall script in /etc/shorewall/firewall, use the 'cp' (or 'scp')
utility to overwrite the existing file. DO NOT REMOVE OR RENAME THE
OLD /etc/shorewall/firewall before you do that. /etc/shorewall/firewall
is a symbolic link that points to the 'shorewall' file used by your
system initialization scripts to start Shorewall during boot and it
is that file that must be overwritten with the corrected script. </b></u></p>
<ul>
<li>
<h3 align="left"><font color="#660066"> <a href="errata_1.htm"> Problems
in Version 1.1</a></font></h3>
</li>
<li>
<h3 align="left"><a href="#V1.2">Problems in Version 1.2</a></h3>
</li>
<li>
<h3 align="left"><font color="#660066"><a href="#iptables"> Problem
with iptables version 1.2.3</a></font></h3>
</li>
<li>
<h3 align="left"><a href="#Debug">Problems with kernel 2.4.18 and
RedHat iptables</a></h3>
</li>
</ul>
<hr>
<h3 align="left"><a name="V1.2"></a>Problems in Version 1.2</h3>
<h3 align="left">Version 1.2.13</h3>
<ul>
<li>
<p align="left">Some users have reported problems installing the RPM
on SuSE 7.3 where rpm reports a conflict with kernel &lt;= 2.2 even
though a 2.4 kernel RPM is installed. To get around this problem,
use the --nodeps option to rpm (e.g., "rpm -ivh --nodeps
shorewall-1.2-13.noarch.rpm").<br>
<br>
The problem stems from the fact that SuSE does not include
a package named "kernel" but rather has a number of packages that
provide the virtual package "kernel". Since virtual packages have
no version associated with them, a conflict results. Since the
workaround is simple, I don't intend to change the Shorewall package.</p>
</li>
<li>
<p align="left">Shorewall accepts invalid rules of the form:<br>
<br>
<font face="Courier">ACCEPT &lt;src&gt; &lt;dest&gt;:&lt;ip addr&gt;
all &lt;port number&gt; - &lt;original ip address&gt;<br>
<br>
</font>The &lt;port number&gt; is ignored with the result that
<u>all</u> connection requests from the &lt;src&gt; zone whose
original destination IP address matches the last column are forwarded
to the &lt;dest&gt; zone, IP address &lt;ip addr&gt;. 
<a
href="http://www.shorewall.net/pub/shorewall/errata/1.2.13/firewall">
This corrected firewall script</a> correctly generates an error when
such a rule is encountered.</p>
</li>
</ul>
<h3 align="left">Version 1.2.11</h3>
<ul>
<li>
<p align="left">The 'try' command is broken. </p>
</li>
<li>
<p align="left">The usage text printed by the shorewall utility
doesn't show the optional timeout for the 'try' command. </p>
</li>
</ul>
<p align="left">Both problems are corrected by <a
href="http://www.shorewall.net/pub/shorewall/errata/1.2.11/shorewall">
this new version of /sbin/shorewall</a>.</p>
<h3 align="left">Sample Configurations:</h3>
<ul>
<li>
<p align="left">There have been several problems with SSH, DNS and
ping in the two- and three-interface examples. Before reporting
problems with these services, please verify that you have the latest
version of the appropriate sample 'rules' file. </p>
</li>
</ul>
<h3 align="left">All Versions through 1.2.10</h3>
<ul>
<li>
<p align="left">The <a href="PPTP.htm#ServerFW">documentation for
running PoPToP on the firewall system</a> contained an incorrect entry
in the /etc/shorewall/hosts file. The corrected entry (underlined)
is shown here: </p>
</li>
</ul>
<blockquote>
<blockquote>
<table border="2">
<tbody>
<tr>
<td><b>ZONE</b></td>
<td><b>HOST(S)</b></td>
<td><b>OPTIONS</b></td>
</tr>
<tr>
<td>loc</td>
<td><u>eth2</u>:192.168.1.0/24</td>
<td>routestopped</td>
</tr>
<tr>
<td>loc</td>
<td>ppp+:192.168.1.0/24</td>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
</blockquote>
<h3 align="left">All Versions through 1.2.8</h3>
<ul>
<li>
<p align="left">The shorewall.conf file and the documentation
incorrectly refer to a parameter in /etc/shorewall/shorewall.conf
called LOCKFILE; the correct name for the parameter is SUBSYSLOCK (<a
href="Documentation.htm#Conf">see the corrected online documentation</a>).
Users of the rpm should change the name (and possibly the value)
of this parameter so that Shorewall interacts properly with the
SysV init scripts. The documentation on this web site has been
corrected and <a
href="http://www.shorewall.net/pub/shorewall/errata/1.2.8/shorewall.conf">
here's a corrected version of shorewall.conf</a>.</p>
</li>
<li>
<p align="left">The documentation indicates that a comma-separated
list of IP/subnet addresses may appear in an entry in the hosts file.
This is not the case; if you want to specify multiple addresses
for a zone, you need to have a separate entry for each address.</p>
</li>
</ul>
<h3 align="left">Version 1.2.7</h3>
<p align="left">Version 1.2.7 is quite broken -- please install 1.2.8</p>
<p>If you have installed and started version 1.2.7 then before trying
to restart under 1.2.8:</p>
<ol>
<li>Look at your /etc/shorewall/shorewall.conf file and note the directory
named in the STATEDIR variable. If that variable is empty, assume /var/state/shorewall.</li>
<li>Remove the file 'lock' in the directory determined in step 1.</li>
</ol>
<p>You may now restart using 1.2.8.</p>
<h3 align="left">Version 1.2.6</h3>
<ul>
<li>
<p align="left">GRE and IPIP tunnels are broken. </p>
</li>
<li>
<p align="left">The following rule results in a start error:<br>
<br>
    ACCEPT    z1    z2    icmp </p>
</li>
</ul>
<p align="left">To correct the above problems, install <a
href="http://www.shorewall.net/pub/shorewall/errata/1.2.6/firewall">this
corrected firewall script</a> in  /etc/shorewall/firewall..</p>
<h3 align="left">Version 1.2.5</h3>
<ul>
<li>
<p align="left">The new ADDRESS column in /etc/shorewall/masq cannot
contain a $-variable name. </p>
</li>
<li>
<p align="left">Errors result if $FW appears in the /etc/shorewall/policy
file. </p>
</li>
<li>
<p align="left">Using Blacklisting without setting BLACKLIST_LOGLEVEL
results in an error at start time. </p>
</li>
</ul>
<p align="left">To correct the above problems, install <a
href="http://www.shorewall.net/pub/shorewall/errata/1.2.5/firewall">this
corrected firewall script</a> in /etc/shorewall/firewall.</p>
<p align="left"> </p>
<ul>
<li>
<p align="left">The /sbin/shorewall script produces error messages
saying that 'mygrep' cannot be found. <a
href="http://www.shorewall.net/pub/shorewall/errata/1.2.5/shorewall">
Here is the correct version of /sbin/shorewall.</a> </p>
</li>
</ul>
<h3 align="left">Version 1.2.4</h3>
<ul>
<li>
<p align="left">This version will not install "out of the box" without
modification. Before attempting to start the firewall, please change
the STATEDIR in /etc/shorewall/shorewall.conf to refer to /var/lib/shorewall.
This only applies to fresh installations -- if you are upgrading from
a previous version of Shorewall, version 1.2.4 will work without modification.
</p>
</li>
</ul>
<h3 align="left">Version 1.2.3</h3>
<ul>
<li>
<p align="left">When BLACKLIST_LOGLEVEL is set, packets from blacklisted
hosts aren't logged. Install <a
href="http://www.shorewall.net/pub/shorewall/errata/1.2.3/firewall">this
corrected firewall script</a> in /etc/shorewall/firewall. </p>
</li>
</ul>
<blockquote>
<p>Alternatively, edit /etc/shorewall/firewall and change line 1564 from:</p>
</blockquote>
<pre> run_iptables -A blacklst -d $addr -j LOG $LOGPARAMS --log-prefix \</pre>
<blockquote>
<p>to</p>
</blockquote>
<pre> run_iptables -A blacklst -s $addr -j LOG $LOGPARAMS --log-prefix \</pre>
<h3 align="left">Version 1.2.2</h3>
<ul>
<li>The "shorewall status" command hangs after it displays
the chain information. <a href="pub/shorewall/errata/1.2.2/shorewall">Here's
a corrected /sbin/shorewall.</a> if  you want to simply modify
your copy of /sbin/shorewall, then at line 445 change this:</li>
</ul>
<div align="left">
<pre align="Left"> status)<br> clear</pre>
</div>
<blockquote>
<p align="left">to this:</p>
</blockquote>
<div align="left">
<pre align="Left"> status)<br> get_config<br> clear</pre>
</div>
<ul>
<li>The "shorewall monitor" command doesn't show the icmpdef chain
- <a href="pub/shorewall/errata/1.2.2/shorewall">this corrected /sbin/shorewall</a>
fixes that problem as well as the status problem described above.</li>
</ul>
<ul>
<li>In all 1.2.x versions, the 'CLIENT PORT(S)' column in /etc/shorewall/tcrules
is ignored. This is corrected in <a
href="/pub/shorewall/errata/1.2.2/firewall">this updated firewall script</a>. 
Place the script in /etc/shorewall/firewall. Thanks to Shingo Takeda for
spotting this bug.</li>
</ul>
<h3 align="left">Version 1.2.1</h3>
<ul>
<li>The new <i>logunclean </i>interface option is not described
in the help text in /etc/shorewall/interfaces. An <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.2.1/interfaces">updated
interfaces file</a> is available.</li>
<li>When REJECT is specified in a TCP rule, Shorewall correctly
replies with a TCP RST packet. Previous versions of the firewall
script are broken in the case of a REJECT policy, however; in REJECT
policy chains, all requests are currently replied to with an ICMP
port-unreachable packet. <a
href="http://www.shorewall.net/pub/shorewall/errata/1.2.1/firewall">This
corrected firewall script</a> replies to TCP requests with TCP
RST in REJECT policy chains. Place the script in /etc/shorewall/firewall.</li>
</ul>
<h3 align="left">Version 1.2.0</h3>
<blockquote>
<p align="left"><b>Note: </b>If you are upgrading from one of the Beta
RPMs to 1.2.0, you must use the "--oldpackage" option to rpm
(e.g., rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm).</p>
<p align="left">The tunnel script released in version 1.2.0 contained
errors -- a <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.2.0/tunnel">corrected
script</a> is available.</p>
</blockquote>
<hr>
<h3 align="left"><a name="iptables"></a><font color="#660066"> Problem with
iptables version 1.2.3</font></h3>
<blockquote>
<p align="left">There are a couple of serious bugs in iptables 1.2.3 that
prevent it from working with Shorewall. Regrettably, RedHat released
this buggy iptables in RedHat 7.2. </p>
<p align="left"> I have built a <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
corrected 1.2.3 rpm which you can download here</a>  and I have also built
an <a
href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
iptables-1.2.4 rpm which you can download here</a>. If you are currently
running RedHat 7.1, you can install either of these RPMs <b><u>before</u>
</b>you upgrade to RedHat 7.2.</p>
<p align="left"><font face="Century Gothic, Arial, Helvetica"
color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat has released
an iptables-1.2.4 RPM of their own which you can download from<font
face="Century Gothic, Arial, Helvetica" color="#ff6633"> <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
</font>I have installed this RPM on my firewall and it works fine.</p>
<p align="left">If you would like to patch iptables 1.2.3 yourself,
the patches are available for download. This <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
which corrects a problem with parsing of the --log-level specification
while this <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
corrects a problem in handling the  TOS target.</p>
<p align="left">To install one of the above patches:</p>
<ul>
<li>cd iptables-1.2.3/extensions</li>
<li>patch -p0 &lt; <i>the-patch-file</i></li>
</ul>
</blockquote>
<h3><a name="Debug"></a>Problems with kernel 2.4.18
and RedHat iptables</h3>
<blockquote>
<p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18
may experience the following:</p>
<blockquote>
<pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre>
</blockquote>
<p>The RedHat iptables RPM is compiled with debugging enabled but the
user-space debugging code was not updated to reflect recent changes in
the Netfilter 'mangle' table. You can correct the problem by installing
<a
href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
this iptables RPM</a>. If you are already running a 1.2.5 version of
iptables, you will need to specify the --oldpackage option to rpm (e.g.,
"iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
</blockquote>
<p><font face="Century Gothic, Arial, Helvetica"><font size="2"> Last updated
5/24/2002 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
</body>
</html>

656
Shorewall-docs/errata_3.html
View File

@ -1,656 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall 1.3 Errata</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1>
</td>
</tr>
</tbody>
</table>
<p align="center"> <b><u>IMPORTANT</u></b></p>
<ol>
<li>
<p align="left"> <b><u>I</u>f you use a Windows system to download
a corrected script, be sure to run the script through <u>
<a href="http://www.megaloman.com/%7Ehany/software/hd2u/"
style="text-decoration: none;"> dos2unix</a></u> after you have moved
it to your Linux system.</b></p>
</li>
<li>
<p align="left"> <b>If you are installing Shorewall for the first
time and plan to use the .tgz and install.sh script, you can untar
the archive, replace the 'firewall' script in the untarred directory
with the one you downloaded below, and then run install.sh.</b></p>
</li>
<li>
<p align="left"> <b>If you are running a Shorewall version earlier
than 1.3.11, when the instructions say to install a corrected firewall
script in /etc/shorewall/firewall, /usr/lib/shorewall/firewall
or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to
overwrite the existing file. DO NOT REMOVE OR RENAME THE OLD
/etc/shorewall/firewall or /var/lib/shorewall/firewall before
you do that. /etc/shorewall/firewall and /var/lib/shorewall/firewall
are symbolic links that point to the 'shorewall' file used by your
system initialization scripts to start Shorewall during boot.
It is that file that must be overwritten with the corrected
script. Beginning with Shorewall 1.3.11, you may rename the existing file
before copying in the new file.</b></p>
</li>
<li>
<p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW.
For example, do NOT install the 1.3.9a firewall script if you are running
1.3.7c.</font></b><br>
</p>
</li>
</ol>
<ul>
<li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
<li> <b><a
href="#V1.3">Problems in Version 1.3</a></b></li>
<li> <b><a
href="errata_2.htm">Problems in Version 1.2</a></b></li>
<li> <b><font
color="#660066"> <a href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
<li> <b><font
color="#660066"><a href="#iptables"> Problem with iptables version 1.2.3
on RH7.2</a></font></b></li>
<li> <b><a
href="#Debug">Problems with kernels &gt;= 2.4.18 and RedHat iptables</a></b></li>
<li><b><a href="#SuSE">Problems installing/upgrading
RPM on SuSE</a></b></li>
<li><b><a href="#Multiport">Problems with iptables
version 1.2.7 and MULTIPORT=Yes</a></b></li>
<li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10
and NAT</a></b><br>
</li>
</ul>
<hr>
<h2 align="left"><small></small><a name="V1.3"></a>Problems in Version 1.3</h2>
<h3>Version 1.3.14</h3>
<ul>
<li>There is an <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.14/rfc1918">updated
rfc1918</a> file that reflects the resent allocation of 222.0.0.0/8 and
223.0.0.0/8.</li>
</ul>
<ul>
<li>The documentation for the routestopped file claimed that a comma-separated
list could appear in the second column while the code only supported a
single host or network address.</li>
<li>Log messages produced by 'logunclean' and 'dropunclean' were not
rate-limited.</li>
<li>802.11b devices with names of the form <i>wlan</i>&lt;n&gt; don't
support the 'maclist' interface option.</li>
<li>Log messages generated by RFC 1918 filtering are not rate limited.</li>
<li>The firewall fails to start in the case where you have "eth0 eth1"
in /etc/shorewall/masq and the default route is through eth1.<br>
</li>
</ul>
These problems have been corrected in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.14/firewall">this
firewall script</a> which may be installed in /usr/lib/shorewall as described
above.<br>
<h3>Version 1.3.13</h3>
<ul>
<li>The 'shorewall add' command produces an error message referring
to 'find_interfaces_by_maclist'.</li>
<li>The 'shorewall delete' command can leave behind undeleted rules.</li>
<li>The 'shorewall add' command can fail with "iptables: Index of
insertion too big".<br>
</li>
</ul>
All three problems are corrected by <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.13/firewall">this
firewall script</a> which may be installed in /usr/lib/shorewall as described
above.<br>
<ul>
<li>VLAN interface names of the form "eth<i>n</i>.<i>m</i>" (e.g.,
eth0.1) are not supported in this version or in 1.3.12. If you need such
support, post on the users list and I can provide you with a patched version.<br>
</li>
</ul>
<h3>Version 1.3.12</h3>
<ul>
<li>If RFC_1918_LOG_LEVEL is set to anything but ULOG, the effect
is the same as if RFC_1918_LOG_LEVEL=info had been specified. The problem
is corrected by <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.12/firewall">this
firewall script</a> which may be installed in /usr/lib/shorewall as described
above.</li>
<li>VLAN interface names of the form "eth<i>n</i>.<i>m</i>" (e.g.,
eth0.1) are not supported in this version or in 1.3.13. If you need such
support, post on the users list and I can provide you with a patched version.<br>
</li>
</ul>
<h3>Version 1.3.12 LRP</h3>
<ul>
<li>The .lrp was missing the /etc/shorewall/routestopped file
-- a new lrp (shorwall-1.3.12a.lrp) has been released which corrects this
problem.<br>
</li>
</ul>
<h3>Version 1.3.11a</h3>
<ul>
<li><a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.11/rfc1918">This
copy of /etc/shorewall/rfc1918</a> reflects the recent allocation of
82.0.0.0/8.<br>
</li>
</ul>
<h3>Version 1.3.11</h3>
<ul>
<li>When installing/upgrading using the .rpm, you may receive
the following warnings:<br>
<br>
     user teastep does not exist - using root<br>
     group teastep does not exist - using root<br>
<br>
These warnings are harmless and may be ignored. Users downloading
the .rpm from shorewall.net or mirrors should no longer see these warnings
as the .rpm you will get from there has been corrected.</li>
<li>DNAT rules that exclude a source subzone (SOURCE column
contains ! followed by a sub-zone list) result in an error message and
Shorewall fails to start.<br>
<br>
Install <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.11/firewall">this
corrected script</a> in /usr/lib/shorewall/firewall to correct this
problem. Thanks go to Roger Aich who analyzed this problem and provided
a fix.<br>
<br>
This problem is corrected in version 1.3.11a.<br>
</li>
</ul>
<h3>Version 1.3.10</h3>
<ul>
<li>If you experience problems connecting to a PPTP server
running on your firewall and you have a 'pptpserver' entry in /etc/shorewall/tunnels,
<a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.10/firewall">this
version of the firewall script</a> may help. Please report any cases
where installing this script in /usr/lib/shorewall/firewall solved your
connection problems. Beginning with version 1.3.10, it is safe to save
the old version of /usr/lib/shorewall/firewall before copying in the
new one since /usr/lib/shorewall/firewall is the real script now and
not just a symbolic link to the real script.<br>
</li>
</ul>
<h3>Version 1.3.9a</h3>
<ul>
<li> If entries are used in /etc/shorewall/hosts and MERGE_HOSTS=No
then the following message appears during "shorewall [re]start":</li>
</ul>
<pre> recalculate_interfacess: command not found<br></pre>
<blockquote> The updated firewall script at <a
href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
corrects this problem.Copy the script to /usr/lib/shorewall/firewall
as described above.<br>
</blockquote>
<blockquote> Alternatively, edit /usr/lob/shorewall/firewall and change the
single occurence (line 483 in version 1.3.9a) of 'recalculate_interefacess'
to 'recalculate_interface'. <br>
</blockquote>
<ul>
<li>The installer (install.sh) issues a misleading message
"Common functions installed in /var/lib/shorewall/functions" whereas
the file is installed in /usr/lib/shorewall/functions. The installer
also performs incorrectly when updating old configurations that had the
file /etc/shorewall/functions. <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.3.9/install.sh">Here
is an updated version that corrects these problems.<br>
</a></li>
</ul>
<h3>Version 1.3.9</h3>
<b>TUNNELS Broken in 1.3.9!!! </b>There is an updated
firewall script at <a
href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
-- copy that file to /usr/lib/shorewall/firewall as described above.<br>
<br>
Version 1.3.8
<ul>
<li> Use of shell variables in the LOG LEVEL or SYNPARMS
columns of the policy file doesn't work.</li>
<li>A DNAT rule with the same original and new IP
addresses but with different port numbers doesn't work (e.g., "DNAT
loc dmz:10.1.1.1:24 tcp 25 - 10.1.1.1")<br>
</li>
</ul>
Installing <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.8/firewall">
this corrected firewall script</a> in /var/lib/shorewall/firewall
as described above corrects these
problems.
<h3>Version 1.3.7b</h3>
<p>DNAT rules where the source zone is 'fw' ($FW) result in an error
message. Installing <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
this corrected firewall script</a> in /var/lib/shorewall/firewall
as described above corrects this
problem.</p>
<h3>Version 1.3.7a</h3>
<p>"shorewall refresh" is not creating the proper rule for FORWARDPING=Yes.
Consequently, after "shorewall refresh", the firewall will not
forward icmp echo-request (ping) packets. Installing
<a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
this corrected firewall script</a> in /var/lib/shorewall/firewall
as described above corrects this
problem.</p>
<h3>Version &lt;= 1.3.7a</h3>
<p>If "norfc1918" and "dhcp" are both specified as options on a
given interface then RFC 1918 checking is occurring before DHCP
checking. This means that if a DHCP client broadcasts using
an RFC 1918 source address, then the firewall will
reject the broadcast (usually logging it). This
has two problems:</p>
<ol>
<li>If the firewall
is running a DHCP server, the client
won't be able to obtain an IP address lease from
that server.</li>
<li>With this order
of checking, the "dhcp" option
cannot be used as a noise-reduction measure where there are both
dynamic and static clients on a LAN segment.</li>
</ol>
<p> <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
This version of the 1.3.7a firewall script </a>
corrects the problem. It must be installed
in /var/lib/shorewall as described
above.</p>
<h3>Version 1.3.7</h3>
<p>Version 1.3.7 dead on arrival -- please use version 1.3.7a and check
your version against these md5sums -- if there's a difference, please
download again.</p>
<pre> d2fffb7fb99bcc6cb047ea34db1df10 shorewall-1.3.7a.tgz<br> 6a7fd284c8685b2b471a2f47b469fb94 shorewall-1.3.7a-1.noarch.rpm<br> 3decd14296effcff16853106771f7035 shorwall-1.3.7a.lrp</pre>
<p>In other words, type "md5sum &lt;<i>whatever package you downloaded</i>&gt;
and compare the result with what you see above.</p>
<p>I'm embarrassed to report that 1.2.7 was also DOA -- maybe I'll skip the
.7 version in each sequence from now on.</p>
<h3 align="left">Version 1.3.6</h3>
<ul>
<li>
<p align="left">If ADD_SNAT_ALIASES=Yes is specified in /etc/shorewall/shorewall.conf,
an error occurs when the firewall script attempts to
add an SNAT alias. </p>
</li>
<li>
<p align="left">The <b>logunclean </b>and <b>dropunclean</b> options
cause errors during startup when Shorewall is run with iptables
1.2.7. </p>
</li>
</ul>
<p align="left">These problems are fixed in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
this correct firewall script</a> which must be installed in /var/lib/shorewall/
as described above. These problems are also corrected in version 1.3.7.</p>
<h3 align="left">Two-interface Samples 1.3.6 (file two-interfaces.tgz)</h3>
<p align="left">A line was inadvertently deleted from the "interfaces
file" -- this line should be added back in if the version that you
downloaded is missing it:</p>
<p align="left">net    eth0    detect    routefilter,dhcp,norfc1918</p>
<p align="left">If you downloaded two-interfaces-a.tgz then the above
line should already be in the file.</p>
<h3 align="left">Version 1.3.5-1.3.5b</h3>
<p align="left">The new 'proxyarp' interface option doesn't work :-(
This is fixed in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">
this corrected firewall script</a> which must be installed in
/var/lib/shorewall/ as described above.</p>
<h3 align="left">Versions 1.3.4-1.3.5a</h3>
<p align="left">Prior to version 1.3.4, host file entries such as the
following were allowed:</p>
<div align="left">
<pre> adm eth0:1.2.4.5,eth0:5.6.7.8</pre>
</div>
<div align="left">
<p align="left">That capability was lost in version 1.3.4 so that it is only
possible to  include a single host specification on each line.
This problem is corrected by <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.5a/firewall">this
modified 1.3.5a firewall script</a>. Install the script in
/var/lib/pub/shorewall/firewall as instructed above.</p>
</div>
<div align="left">
<p align="left">This problem is corrected in version 1.3.5b.</p>
</div>
<h3 align="left">Version 1.3.5</h3>
<p align="left">REDIRECT rules are broken in this version. Install <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">
this corrected firewall script</a> in /var/lib/pub/shorewall/firewall
as instructed above. This problem is corrected in version
1.3.5a.</p>
<h3 align="left">Version 1.3.n, n &lt; 4</h3>
<p align="left">The "shorewall start" and "shorewall restart" commands
to not verify that the zones named in the /etc/shorewall/policy file
have been previously defined in the /etc/shorewall/zones file.
The "shorewall check" command does perform this verification so
it's a good idea to run that command after you have made configuration
changes.</p>
<h3 align="left">Version 1.3.n, n &lt; 3</h3>
<p align="left">If you have upgraded from Shorewall 1.2 and after "Activating
rules..." you see the message: "iptables: No chains/target/match
by that name" then you probably have an entry in /etc/shorewall/hosts
that specifies an interface that you didn't include
in /etc/shorewall/interfaces. To correct this problem, you
must add an entry to /etc/shorewall/interfaces. Shorewall 1.3.3
and later versions produce a clearer error message in this
case.</p>
<h3 align="left">Version 1.3.2</h3>
<p align="left">Until approximately 2130 GMT on 17 June 2002, the download
sites contained an incorrect version of the .lrp file. That file
can be identified by its size (56284 bytes). The correct version
has a size of 38126 bytes.</p>
<ul>
<li>The code to detect a duplicate interface
entry in /etc/shorewall/interfaces contained a typo that
prevented it from working correctly. </li>
<li>"NAT_BEFORE_RULES=No" was broken;
it behaved just like "NAT_BEFORE_RULES=Yes".</li>
</ul>
<p align="left">Both problems are corrected in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/firewall">
this script</a> which should be installed in <b><u>/var/lib/shorewall</u></b>
as described above.</p>
<ul>
<li>
<p align="left">The IANA have just announced the allocation of subnet
221.0.0.0/8. This <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/rfc1918">
updated rfc1918</a> file reflects that allocation.</p>
</li>
</ul>
<h3 align="left">Version 1.3.1</h3>
<ul>
<li>TCP SYN packets may be double counted
when LIMIT:BURST is included in a CONTINUE or ACCEPT policy
(i.e., each packet is sent through the limit chain twice).</li>
<li>An unnecessary jump to the policy
chain is sometimes generated for a CONTINUE policy.</li>
<li>When an option is given for more
than one interface in /etc/shorewall/interfaces then
depending on the option, Shorewall may ignore all but
the first appearence of the option. For example:<br>
<br>
net    eth0    dhcp<br>
loc    eth1    dhcp<br>
<br>
Shorewall will ignore the 'dhcp' on eth1.</li>
<li>Update 17 June 2002 - The bug described
in the prior bullet affects the following options:
dhcp, dropunclean, logunclean, norfc1918, routefilter,
multi, filterping and noping. An additional bug has been
found that affects only the 'routestopped' option.<br>
<br>
Users who downloaded the corrected script
prior to 1850 GMT today should download and install
the corrected script again to ensure that this second
problem is corrected.</li>
</ul>
<p align="left">These problems are corrected in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.1/firewall">
this firewall script</a> which should be installed in /etc/shorewall/firewall
as described above.</p>
<h3 align="left">Version 1.3.0</h3>
<ul>
<li>Folks who downloaded 1.3.0 from the
links on the download page before 23:40 GMT, 29 May
2002 may have downloaded 1.2.13 rather than 1.3.0.
The "shorewall version" command will tell you which version
that you have installed.</li>
<li>The documentation NAT.htm file uses
non-existent wallpaper and bullet graphic files. The
<a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.0/NAT.htm">
corrected version is here</a>.</li>
</ul>
<hr>
<h2 align="left"><a name="Upgrade"></a>Upgrade Issues</h2>
<p align="left">The upgrade issues have moved to <a
href="upgrade_issues.htm">a separate page</a>.</p>
<hr>
<h3 align="left"><a name="iptables"></a><font color="#660066"> Problem with
iptables version 1.2.3</font></h3>
<blockquote>
<p align="left">There are a couple of serious bugs in iptables 1.2.3 that
prevent it from working with Shorewall. Regrettably,
RedHat released this buggy iptables in RedHat 7.2. </p>
<p align="left"> I have built a <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
corrected 1.2.3 rpm which you can download here</a>  and I have
also built an <a
href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm"> iptables-1.2.4
rpm which you can download here</a>. If you are currently running
RedHat 7.1, you can install either of these RPMs <b><u>before</u>
</b>you upgrade to RedHat 7.2.</p>
<p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat
has released an iptables-1.2.4 RPM of their own which you can
download from<font color="#ff6633"> <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
</font>I have installed this RPM on my firewall and it works
fine.</p>
<p align="left">If you would like to patch iptables 1.2.3 yourself,
the patches are available for download. This <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
which corrects a problem with parsing of the --log-level specification
while this <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
corrects a problem in handling the  TOS target.</p>
<p align="left">To install one of the above patches:</p>
<ul>
<li>cd iptables-1.2.3/extensions</li>
<li>patch -p0 &lt; <i>the-patch-file</i></li>
</ul>
</blockquote>
<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18
and RedHat iptables</h3>
<blockquote>
<p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19
may experience the following:</p>
<blockquote>
<pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre>
</blockquote>
<p>The RedHat iptables RPM is compiled with debugging enabled but the
user-space debugging code was not updated to reflect recent changes in
the Netfilter 'mangle' table. You can correct the problem by
installing <a
href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
this iptables RPM</a>. If you are already running a 1.2.5 version
of iptables, you will need to specify the --oldpackage option
to rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
</blockquote>
<h3><a name="SuSE"></a>Problems installing/upgrading
RPM on SuSE</h3>
<p>If you find that rpm complains about a conflict with kernel &lt;=
2.2 yet you have a 2.4 kernel installed, simply use the "--nodeps"
option to rpm.</p>
<p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<p>Upgrading: rpm -Uvh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<h3><a name="Multiport"></a><b>Problems with iptables version 1.2.7 and
MULTIPORT=Yes</b></h3>
<p>The iptables 1.2.7 release of iptables has made an incompatible
change to the syntax used to specify multiport match rules; as
a consequence, if you install iptables 1.2.7 you must
be running Shorewall 1.3.7a or later or:</p>
<ul>
<li>set MULTIPORT=No
in /etc/shorewall/shorewall.conf; or </li>
<li>if you are running
Shorewall 1.3.6 you may install
<a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
this firewall script</a> in /var/lib/shorewall/firewall
as described above.</li>
</ul>
<h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br>
</h3>
/etc/shorewall/nat entries of the following form will
result in Shorewall being unable to start:<br>
<br>
<pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22    eth0    192.168.9.22   yes     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
Error message is:<br>
<pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
The solution is to put "no" in the LOCAL column. Kernel
support for LOCAL=yes has never worked properly and 2.4.18-10 has
disabled it. The 2.4.19 kernel contains corrected support under a new
kernel configuraiton option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
<p><font size="2"> Last updated 3/8/2003 - <a href="support.htm">Tom Eastep</a></font>
</p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
</body>
</html>

57
Shorewall-docs/gnu_mailman.htm
View File

@ -1,57 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>GNU Mailman</title>
</head>
<body>
<h1 align="center">GNU Mailman/Postfix the Easy Way&nbsp;</h1>
<h4>The following was posted on the Postfix mailing list on 5/4/2002 by
Michael Tokarev as a suggested addition to the Postfix FAQ.</h4>
<p>Q: Mailman does not work with Postfix, complaining about GID mismatch<br>
<br>
A: Mailman uses a setgid wrapper that is designed to be used in
system-wide aliases file so that rest of mailman's mail handling
processes will run with proper uid/gid. Postfix has an ability to run a
command specified in an alias as owner of that alias, thus mailman's
wrapper is not needed here. The best method to invoke mailman's mail
handling via aliases is to use separate alias file especially for
mailman, and made it owned by mailman and group mailman. Like:<br>
<br>
alias_maps = hash:/etc/postfix/aliases, hash:/var/mailman/aliases<br>
<br>
Make sure that /var/mailman/aliases.db is owned by mailman user (this
may be done by executing postalias as mailman userid).<br>
<br>
Next, instead of using mailman-suggested aliases entries with wrapper,
use the following:<br>
<br>
instead of<br>
mailinglist: /var/mailman/mail/wrapper post mailinglist<br>
mailinglist-admin: /var/mailman/mail/wrapper mailowner mailinglist<br>
mailinglist-request: /var/mailman/mail/wrapper mailcmd mailinglist<br>
...<br>
<br>
use<br>
mailinglist: /var/mailman/scripts/post mailinglist<br>
mailinglist-admin: /var/mailman/scripts/mailowner mailinglist<br>
mailinglist-request: /var/mailman/scripts/mailcmd mailinglist<br>
...</p>
<h4>The above tip works with Mailman 2.0; Mailman 2.1 has adopted
something very similar so that no workaround is necessary. See the
README.POSTFIX file included with Mailman-2.1.&nbsp;</h4>
<p align="left"><font size="2">Last updated 12/29/2002 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M.
Eastep.</font></a></font></p>
<br>
<br>
<br>
<br>
</body>
</html>

19
Shorewall-docs/index.htm
View File

@ -1,19 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01
Frameset//EN""http://www.w3.org/TR/html4/frameset.dtd">
<html>
<head>
<title>Shoreline Firewall</title>
<meta http-equiv="Content-Type" content="text/html;
charset=UTF-8"></head>
<frameset rows="110,*" cols="*" frameborder="yes"
border="1"framespacing="0"> <frame
src="Banner.html" name="topFrame"scrolling="NO"
noresize >
<frameset cols="242,*" frameborder="yes" border="1" framespacing="0">
<frame src="Shorewall_index_frame.htm" name="contents"> <frame src="seattlefirewall_index.htm"
name="main">
</frameset>
</frameset>
<noframes><body><p>This page uses frames, but your browser doesn't
support them.</p></body></noframes>
</html>

264
Shorewall-docs/mailing_list.htm
View File

@ -1,264 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Mailing Lists</title>
<meta name="Microsoft Theme" content="none">
</head>
<body>
<table height="90" bgcolor="#3366ff" id="AutoNumber1" width="100%"
style="border-collapse: collapse;" cellspacing="0" cellpadding="0"
border="0">
<tbody>
<tr>
<td width="33%" valign="middle" align="left"
style="background-color: rgb(255, 255, 255);">
<h1 align="center"><a
href="http://www.centralcommand.com/linux_products.html"><img
src="images/Vexira_Antivirus_Logo.gif" alt="Vexira Logo" width="78"
height="79" align="left"> </a></h1>
<a href="http://www.gnu.org/software/mailman/mailman.html"> <img
border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110"
height="35" alt=""> </a>
<p align="right" style="background-color: rgb(255, 255, 255);"><font
color="#ffffff"><b>&nbsp; </b></font><a
href="http://razor.sourceforge.net/"><img src="images/razor.gif"
alt="(Razor Logo)" width="100" height="22" align="left" border="0"> </a>
</p>
</td>
<td valign="middle" width="34%" align="center"
style="color: rgb(51, 0, 51); background-color: rgb(255, 255, 255);">
<h1 align="center">Shorewall Mailing Lists</h1>
</td>
<td valign="middle" width="33%"
style="background-color: rgb(255, 255, 255);"> <a
href="http://www.postfix.org/"> <img src="images/postfix-white.gif"
align="right" border="0" width="158" height="84" alt="(Postfix Logo)">
</a><br>
<div align="left"><a href="http://www.spamassassin.org"><img
src="images/ninjalogo.png" alt="" width="110" height="42" align="right"
border="0"> </a> </div>
<br>
<div align="right"><b><font color="#ffffff"><br>
</font></b><br>
</div>
</td>
</tr>
</tbody>
</table>
<br>
<big><span style="color: rgb(255, 0, 0);"><span
style="font-weight: bold;">If you are reporting a problem or asking a
question, you are at the wrong place -- please see the <a
href="http://shorewall.net/support.htm">Shorewall Support Guide</a>.</span></span></big><br>
<br>
If you experience problems with any of these lists,
please let <a href="mailto:postmaster@shorewall.net">me</a>
know
<h2 align="left">Not able to Post Mail to shorewall.net?</h2>
<p align="left">You can report such problems by sending mail to
tmeastep at
hotmail dot com.</p>
<h2>A Word about the SPAM Filters at Shorewall.net&nbsp;<a
href="http://osirusoft.com/"> </a></h2>
<p>Please note that the mail server at shorewall.net checks
incoming mail:<br>
</p>
<ol>
<li>against <a href="http://spamassassin.org">Spamassassin</a>
(including <a href="http://razor.sourceforge.net/">Vipul's Razor</a>).<br>
</li>
<li>to ensure that the sender address is
fully qualified.</li>
<li>to verify that the sender's domain has an A or MX record in DNS.</li>
<li>to ensure that the host name in the HELO/EHLO command is a valid
fully-qualified DNS name.</li>
</ol>
<h2>Please post in plain text</h2>
A growing number of MTAs serving list subscribers are rejecting all
HTML traffic. At least one MTA has gone so far as to blacklist
shorewall.net "for continuous abuse" because it has been my policy to
allow HTML in list posts!!<br>
<br>
I think that blocking all HTML is a Draconian way to control spam and
that the ultimate losers here are not the spammers but the list
subscribers whose MTAs are bouncing all shorewall.net mail. As one list
subscriber wrote to me privately "These e-mail admin's need to get a <i>(explitive
deleted)</i> life instead of trying to
rid the planet of HTML based e-mail". Nevertheless, to allow
subscribers to receive list posts as must as possible, I have now
configured the list server at shorewall.net to strip all HTML from
outgoing posts.
This means that HTML-only posts will be bounced by the list server.<br>
<p align="left"> <b>Note: </b>The list server limits posts to 120kb.<br>
</p>
<h2>Other Mail Delivery Problems</h2>
If you find that you are missing an occasional list post, your e-mail
admin may be blocking mail whose <i>Received:</i> headers contain the
names of certain ISPs. Again, I believe that such policies hurt more
than they help but I'm not prepared to go so far as to start stripping <i>Received:</i>
headers to circumvent those policies.<br>
<h2 align="left">Mailing Lists Archive Search</h2>
<form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch">
<p> <font size="-1"> Match:
<select name="method">
<option value="and">All </option>
<option value="or">Any </option>
<option value="boolean">Boolean </option>
</select>
Format:
<select name="format">
<option value="builtin-long">Long </option>
<option value="builtin-short">Short </option>
</select>
Sort by:
<select name="sort">
<option value="score">Score </option>
<option value="time">Time </option>
<option value="title">Title </option>
<option value="revscore">Reverse Score </option>
<option value="revtime">Reverse Time </option>
<option value="revtitle">Reverse Title </option>
</select>
</font> <input type="hidden" name="config" value="htdig"> <input
type="hidden" name="restrict"
value="[http://lists.shorewall.net/pipermail/.*]"> <input
type="hidden" name="exclude" value=""> <br>
Search: <input type="text" size="30" name="words" value=""> <input
type="submit" value="Search"> </p>
</form>
<h2 align="left"><font color="#ff0000">Please do not try to download
the entire
Archive -- it is 164MB (and growing daily) and my slow DSL line simply
won't
stand the traffic. If I catch you, you will be blacklisted.<br>
</font></h2>
<h2 align="left">Shorewall CA Certificate</h2>
If you want to trust X.509 certificates issued by Shoreline Firewall
(such as the one used on my web site), you may <a
href="Shorewall_CA_html.html">download and install my CA certificate</a>
in your browser. If you don't wish to trust my certificates then you
can either use unencrypted access when subscribing to Shorewall mailing
lists or you can use secure access (SSL) and
accept the server's certificate when prompted by your browser.<br>
<h2 align="left">Shorewall Newbies Mailing List</h2>
This list provides a place where people who are new to Shorewall can
get questions answered and can receive help with problems.<br>
<p align="left" style="color: rgb(255, 0, 0);"><big><b>Before posting
to this list, please see the <a href="http://shorewall.net/support.htm">problem
reporting guidelines</a>.<br>
</b></big></p>
<p align="left">To subscribe: <a
href="https://lists.shorewall.net/mailman/listinfo/shorewall-newbies"
target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-newbies</a></p>
<p align="left"> To post to the list, post to <a
href="mailto:shorewall-newbies@lists.shorewall.net">shorewall-newbies@lists.shorewall.net</a>.<br>
</p>
<p align="left">The list archives are at <a
href="http://lists.shorewall.net/pipermail/shorewall-newbies/index.html">http://lists.shorewall.net/pipermail/shorewall-newbies</a>.</p>
<h2 align="left">Shorewall Users Mailing List</h2>
<p align="left">The Shorewall Users Mailing list provides a way for
users to get answers to questions and to report problems. Information
of general interest to the Shorewall user community is also posted to
this list.<br>
</p>
<p align="left">The Shorewall author does not monitor this list.<br>
</p>
<p align="left" style="color: rgb(255, 0, 0);"><big><b>Before posting
to this list, please see the <a href="http://shorewall.net/support.htm">problem
reporting guidelines</a>.<br>
</b></big></p>
<p align="left">To subscribe: <a
href="https://lists.shorewall.net/mailman/listinfo/shorewall-users"
target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-users</a></p>
<ul>
</ul>
<p align="left"> To post to the list, post to <a
href="mailto:shorewall-users@lists.shorewall.net">shorewall-users@lists.shorewall.net</a>.
<span style="font-weight: bold;">IMPORTANT: </span>If you are not
subscribed to the list, please say so -- otherwise, you will not be
included in any replies.<br>
</p>
<p align="left">The list archives are at <a
href="http://lists.shorewall.net/pipermail/shorewall-users/index.html">http://lists.shorewall.net/pipermail/shorewall-users</a>.</p>
<p align="left">Note that prior to 1/1/2002, the mailing list was
hosted
at <a href="http://sourceforge.net">Sourceforge</a>. The archives from
that
list may be found at <a
href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p>
<h2 align="left">Shorewall Announce Mailing List</h2>
<p align="left">This list is for announcements of general interest to
the Shorewall community. <big><span style="color: rgb(255, 0, 0);"><span
style="font-weight: bold;">DO NOT USE THIS LIST FOR REPORTING PROBLEMS
OR ASKING FOR HELP.</span></span></big><br>
</p>
<p align="left">To subscribe: <a
href="https://lists.shorewall.net/mailman/listinfo/shorewall-announce"
target="_top">https://lists.shorewall.net/mailman/listinfo/shorewall-announce</a>.
<br>
</p>
<a
href="https://lists.shorewall.net/mailman/listinfo/shorewall-announce"
target="_top"></a>
<ul>
</ul>
The list archives are at <a
href="http://lists.shorewall.net/pipermail/shorewall-announce">http://lists.shorewall.net/pipermail/shorewall-announce</a>.
<h2 align="left">Shorewall Development Mailing List</h2>
<p align="left">The Shorewall Development Mailing list provides a forum
for the exchange of ideas about the future of Shorewall and
for coordinating ongoing Shorewall Development. <big><span
style="color: rgb(255, 0, 0);"><span style="font-weight: bold;">DO NOT
USE THIS LIST FOR REPORTING PROBLEMS OR ASKING FOR HELP.</span></span></big></p>
<p align="left">To subscribe to the mailing list: <a
href="https://lists.shorewall.net/mailman/listinfo/shorewall-devel"
target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-devel.</a></p>
<ul>
</ul>
<p align="left"> To post to the list, post to <a
href="mailto:shorewall-devel@lists.shorewall.net">shorewall-devel@lists.shorewall.net</a>.&nbsp;</p>
<p align="left">The list archives are at <a
href="http://lists.shorewall.net/pipermail/shorewall-devel">http://lists.shorewall.net/pipermail/shorewall-devel</a>.</p>
<h2 align="left"><a name="Unsubscribe"></a>How to Unsubscribe from one
of the Mailing Lists</h2>
<p align="left">There seems to be near-universal confusion about
unsubscribing from Mailman-managed lists although Mailman 2.1 has
attempted to make this less confusing. To unsubscribe:</p>
<ul>
<li>
<p align="left">Follow the same link above that you used to
subscribe to the list.</p>
</li>
<li>
<p align="left">Down at the bottom of that page is the following
text: " To <b>unsubscribe</b> from <i>&lt;list name&gt;</i>,
get a password reminder, or change your subscription options
enter your subscription email address:". Enter your email address in
the box and click on the "<b>Unsubscribe</b> or edit
options" button.</p>
</li>
<li>
<p align="left">There will now be a box where you can enter your
password and click on "Unsubscribe"; if you have forgotten your
password, there is another button that will cause your password
to be emailed to you.</p>
</li>
</ul>
<hr>
<h2 align="left">Frustrated by having to Rebuild Mailman to use it with
Postfix?</h2>
<p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p>
<p align="left"><font size="2">Last updated 12/03/2003 - <a
href="http://shorewall.net/support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"> <font size="2">Copyright</font>
©
<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
</body>
</html>

29
Shorewall-docs/myfiles.xml
View File

@ -157,7 +157,7 @@ ROUTE_FILTER=No
NAT_BEFORE_RULES=No
DETECT_DNAT_IPADDRS=Yes
MUTEX_TIMEOUT=60
NEWNOTSYN=No
NEWNOTSYN=Yes
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
TCP_FLAGS_DISPOSITION=DROP
@ -199,9 +199,9 @@ tx Texas Peer Network in Dallas
<programlisting>#ZONE INERFACE BROADCAST OPTIONS
net eth0 206.124.146.255 dhcp,norfc1918,routefilter,blacklist,tcpflags
loc eth2 192.168.1.255 dhcp,newnotsyn
dmz eth1 192.168.2.255 newnotsyn
WiFi eth3 192.168.3.255 dhcp,maclist,newnotsyn
loc eth2 192.168.1.255 dhcp
dmz eth1 192.168.2.255
WiFi eth3 192.168.3.255 dhcp,maclist
- texas 192.168.9.255
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
</blockquote>
@ -592,27 +592,6 @@ gre net $TEXAS
<para>My tcstart file is just the HTB version of WonderShaper.</para>
</section>
<section>
<title>Newnotsyn file (/etc/shorewall/newnotsyn):</title>
<blockquote>
<para>I prefer to allow FIN and RST packets unconditionally rather
than just on <quote>newnotsyn</quote> interfaces as is the case with
the standard Shorewall ruleset. This file deletes the
Shorewall-generated rules for these packets and creates my own.</para>
<programlisting>#!/bin/sh
for interface in `find_interfaces_by_option newnotsyn`; do
run_iptables -D newnotsyn -i $interface -p tcp --tcp-flags RST RST -j ACCEPT
run_iptables -D newnotsyn -i $interface -p tcp --tcp-flags FIN FIN -j ACCEPT
done
run_iptables -A newnotsyn -p tcp --tcp-flags RST RST -j ACCEPT
run_iptables -A newnotsyn -p tcp --tcp-flags FIN FIN -j ACCEPT</programlisting>
</blockquote>
</section>
<section>
<title>/sbin/ifup-local</title>

396
Shorewall-docs/seattlefirewall_index.htm
View File

@ -1,396 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta content="HTML Tidy, see www.w3.org" name="generator">
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
<title>Shoreline Firewall (Shorewall) 1.4</title>
<base target="_self">
</head>
<body>
<div>
<table border="0" cellpadding="0" cellspacing="0" id="AutoNumber4"
style="border-collapse: collapse; width: 100%; height: 100%;">
<tbody>
<tr>
<td width="90%">
<h2>Introduction to Shorewall</h2>
<h3>This is the Shorewall 1.4 Web Site</h3>
The information on this site applies only to 1.4.x releases of
Shorewall. For older versions:<br>
<ul>
<li>The 1.3 site is <a href="http://www.shorewall.net/1.3"
target="_top">here.</a></li>
<li>The 1.2 site is <a href="http://shorewall.net/1.2/"
target="_top">here</a>.</li>
</ul>
<h3>Glossary</h3>
<ul>
<li><a href="http://www.netfilter.org">Netfilter</a> - the
packet filter facility built into the 2.4 and later Linux kernels.</li>
<li>ipchains - the packet filter facility built into the 2.2
Linux kernels. Also the name of the utility program used to configure
and control that facility. Netfilter can be used in ipchains
compatibility mode.</li>
<li>iptables - the utility program used to configure and
control Netfilter. The term 'iptables' is often used to refer to the
combination of iptables+Netfilter (with Netfilter not in ipchains
compatibility mode).</li>
</ul>
<h3>What is Shorewall?</h3>
The Shoreline Firewall, more commonly known as "Shorewall", is
high-level tool for configuring Netfilter. You describe your
firewall/gateway requirements using entries in a set of configuration
files. Shorewall reads those configuration files and with the help of
the iptables utility, Shorewall configures Netfilter to match your
requirements. Shorewall can be used on a dedicated firewall system, a
multi-function gateway/router/server or on a standalone GNU/Linux
system. Shorewall does not use Netfilter's ipchains compatibility mode
and can thus take advantage of Netfilter's connection state tracking
capabilities.<br>
<br>
Shorewall is <span style="text-decoration: underline;">not</span> a
daemon. Once Shorewall has configured Netfilter, it's job is complete
although the <a href="starting_and_stopping_shorewall.htm">/sbin/shorewall
program can be used at any time to monitor the Netfilter firewall</a>.<br>
<h3>Getting Started with Shorewall</h3>
New to Shorewall? Start by selecting the <a
href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most
closely match your environment and follow the step by step instructions.<br>
<h3>Looking for Information?</h3>
The <a href="Documentation_Index.html">Documentation
Index</a> is a good place to start as is the Quick Search in the frame
above.
<h3>License</h3>
This program is free software; you can redistribute it and/or modify it
under the terms of <a href="http://www.gnu.org/licenses/gpl.html">Version
2 of the GNU General Public License</a> as published by the Free
Software Foundation.<br>
<p>This program is distributed in the hope that it will be
useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more detail.</p>
<p>You should have received a copy of the GNU General Public
License along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.2 or
any later version published by the Free Software Foundation; with no
Invariant Sections, with no Front-Cover, and with no Back-Cover Texts.
A copy of the license is included in the section entitled <a>"GNU Free
Documentation License"</a>.
<p>Copyright © 2001-2003 Thomas M. Eastep </p>
<h3>Running Shorewall on Mandrake with a two-interface setup?</h3>
If so, the documentation <b></b>on this site will not apply directly
to your setup. If you want to use the documentation that you find here,
you will want to consider uninstalling what you have and installing a
setup that matches the documentation on this site. See the <a
href="two-interface.htm">Two-interface QuickStart Guide</a> for
details.<br>
<h2>News</h2>
<p><b>12/28/2003 - www.shorewall.net/ftp.shorewall.net Back
On-line</b> <b><img alt="(New)" src="images/new10.gif"
style="border: 0px solid ; width: 28px; height: 12px;" title=""> <br>
</b></p>
<p>Our high-capacity server has been restored to service --
please let <a href="mailto:webmaster@shorewall.net">us</a> know if you
find any problems.<br>
</p>
<p><b>12/07/2003 - Shorewall 1.4.9 Beta 1</b><b> </b></p>
<div style="margin-left: 40px;"><a
href="http://shorewall.net/pub/shorewall/Beta">http://shorewall.net/pub/shorewall/Beta</a><br>
<a href="ftp://shorewall.net/pub/shorewall/Beta" target="_top">ftp://shorewall.net/pub/shorewall/Beta</a>
</div>
<p>Problems Corrected since version 1.4.8:</p>
<ol>
<li>There has been a low continuing level of confusion over the
terms "Source NAT" (SNAT) and "Static NAT". To avoid future confusion,
all instances of "Static NAT" have been replaced with "One-to-one NAT"
in the documentation and configuration files.</li>
<li>The description of NEWNOTSYN in shorewall.conf has been
reworded for clarity.</li>
<li>Wild-card rules (those involving "all" as SOURCE or DEST)
will no longer produce an error if they attempt to add a rule that
would override a NONE policy. The logic for expanding these wild-card
rules now simply skips those (SOURCE,DEST) pairs that have a NONE
policy.</li>
</ol>
<p>Migration Issues:<br>
&nbsp;&nbsp;&nbsp; None.<br>
<br>
New Features: </p>
<ol>
<li>To cut down on the number of "Why are these ports closed
rather than stealthed?" questions, the SMB-related rules in
/etc/shorewall/common.def have been changed from 'reject' to 'DROP'.</li>
<li>For easier identification, packets logged under the
'norfc1918' interface option are now logged out of chains named
'rfc1918'. Previously, such packets were logged under chains named
'logdrop'.</li>
<li>Distributors and developers seem to be regularly inventing
new naming conventions for kernel modules. To avoid the need to change
Shorewall code for each new convention, the MODULE_SUFFIX option has
been added to shorewall.conf. MODULE_SUFFIX may be set to the suffix
for module names in your particular distribution. If MODULE_SUFFIX is
not set in shorewall.conf, Shorewall will use the list "o gz ko o.gz".<br>
<br>
To see what suffix is used by your distribution:<br>
<br>
ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter<br>
<br>
All of the files listed should have the same suffix (extension). Set
MODULE_SUFFIX to that suffix.<br>
<br>
Examples:<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp; If all files end in ".kzo" then set
MODULE_SUFFIX="kzo"<br>
&nbsp;&nbsp;&nbsp;&nbsp; If all files end in ".kz.o" then set
MODULE_SUFFIX="kz.o"</li>
<li>Support for user defined rule ACTIONS has been implemented
through two new files:<br>
<br>
/etc/shorewall/actions - used to list the user-defined ACTIONS.<br>
/etc/shorewall/action.template - For each user defined &lt;action&gt;,
copy this file to /etc/shorewall/action.&lt;action&gt; and add the
appropriate rules for that &lt;action&gt;. Once an &lt;action&gt; has
been defined, it may be used like any of the builtin ACTIONS (ACCEPT,
DROP, etc.) in /etc/shorewall/rules.<br>
<br>
Example: You want an action that logs a packet at the 'info' level and
accepts the connection.<br>
<br>
In /etc/shorewall/actions, you would add:<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp; LogAndAccept<br>
<br>
You would then copy /etc/shorewall/action.template to
/etc/shorewall/LogAndAccept and in that file, you would add the two
rules:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; LOG:info<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ACCEPT<br>
<br>
</li>
</ol>
<p><b>12/03/2003 - Support Torch Passed</b> <b><img alt="(New)"
src="images/new10.gif"
style="border: 0px solid ; width: 28px; height: 12px;" title=""></b></p>
Effective today, I am reducing my participation in the day-to-day
support of Shorewall. As part of this shift to community-based
Shorewall support a new <a
href="https://lists.shorewall.net/mailman/listinfo/shorewall-newbies">Shorewall
Newbies mailing list</a> has been established to field questions and
problems from new users. I will not monitor that list personally. I
will continue my active development of Shorewall and will be available
via the development list to handle development issues -- Tom.
<p><b>11/07/2003 - Shorewall 1.4.8</b><b><br>
<br>
</b> Problems Corrected since version 1.4.7:<br>
</p>
<ol>
<li>Tuomo Soini has supplied a correction to a problem that
occurs using some versions of 'ash'. The symptom is that "shorewall
start" fails with:<br>
&nbsp;<br>
&nbsp;&nbsp; local: --limit: bad variable name<br>
&nbsp;&nbsp; iptables v1.2.8: Couldn't load match
`-j':/lib/iptables/libipt_-j.so:<br>
&nbsp;&nbsp; cannot open shared object file: No such file or directory<br>
&nbsp;&nbsp; Try `iptables -h' or 'iptables --help' for more
information.</li>
<li>Andres Zhoglo has supplied a correction that avoids trying
to use the multiport match iptables facility on ICMP rules.<br>
&nbsp;<br>
&nbsp;&nbsp; Example of rule that previously caused "shorewall start"
to fail:<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
ACCEPT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; loc&nbsp; $FW&nbsp;
icmp&nbsp;&nbsp;&nbsp; 0,8,11,12<br>
<br>
</li>
<li>Previously, if the following error message was issued,
Shorewall was left in an inconsistent state.<br>
&nbsp;<br>
&nbsp;&nbsp; Error: Unable to determine the routes through interface xxx<br>
<br>
</li>
<li>Handling of the LOGUNCLEAN option in shorewall.conf has
been corrected.</li>
<li>In Shorewall 1.4.2, an optimization was added. This
optimization involved creating a chain named "&lt;zone&gt;_frwd" for
most zones defined using the /etc/shorewall/hosts file. It has since
been discovered that in many cases these new chains contain redundant
rules and that the "optimization" turns out to be less than optimal.
The implementation has now been corrected.</li>
<li>When the MARK value in a tcrules entry is followed by ":F"
or ":P", the ":F" or ":P" was previously only applied to the first
Netfilter rule generated by the entry. It is now applied to all entries.</li>
<li>An incorrect comment concerning Debian's use of the
SUBSYSLOCK option has been removed from shorewall.conf.</li>
<li>Previously, neither the 'routefilter' interface option nor
the ROUTE_FILTER parameter were working properly. This has been
corrected (thanks to Eric Bowles for his analysis and patch). The
definition of the ROUTE_FILTER option has changed however. Previously,
ROUTE_FILTER=Yes was documented as enabling route filtering on all
interfaces (which didn't work). Beginning with this release, setting
ROUTE_FILTER=Yes will enable route filtering of all interfaces brought
up while Shorewall is started. As a consequence, ROUTE_FILTER=Yes can
coexist with the use of the 'routefilter' option in the interfaces file.</li>
<li>If MAC verification was enabled on an interface with a /32
address and a broadcast address then an error would occur during
startup.</li>
<li>he NONE policy's intended use is to suppress the generating
of rules that can't possibly be traversed. This means that a policy of
NONE is inappropriate where the source or destination zone is $FW or
"all". Shorewall now generates an error message if such a policy is
given in /etc/shorewall/policy. Previously such a policy caused
"shorewall start" to fail.</li>
<li>The 'routeback' option was broken for wildcard interfaces
(e.g., "tun+"). This has been corrected so that 'routeback' now works
as expected in this case.<br>
</li>
</ol>
Migration Issues:<br>
<ol>
<li>The definition of the ROUTE_FILTER option in shorewall.conf
has changed as described in item 8) above.<br>
</li>
</ol>
New Features:<br>
<ol>
<li>A new QUEUE action has been introduced for rules. QUEUE
allows you to pass connection requests to a user-space filter such as
ftwall (http://p2pwall.sourceforge.net). The ftwall program allows for
effective filtering of p2p applications such as Kazaa. For example, to
use ftwall to filter P2P clients in the 'loc' zone, you would add the
following rules:<br>
<br>
&nbsp;&nbsp; QUEUE&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; tcp<br>
&nbsp;&nbsp; QUEUE&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; udp<br>
&nbsp;&nbsp; QUEUE&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;&nbsp; udp<br>
<br>
You would normally want to place those three rules BEFORE any ACCEPT
rules for loc-&gt;net udp or tcp.<br>
<br>
Note: When the protocol specified is TCP ("tcp", "TCP" or "6"),
Shorewall will only pass connection requests (SYN packets) to user
space. This is for compatibility with ftwall.</li>
<li>A BLACKLISTNEWNONLY option has been added to
shorewall.conf. When this option is set to "Yes", the blacklists
(dynamic and static) are only consulted for new connection requests.
When set to "No" (the default if the variable is not set), the
blacklists are consulted on every packet.<br>
<br>
Setting this option to "No" allows blacklisting to stop existing
connections from a newly blacklisted host but is more expensive in
terms of packet processing time. This is especially true if the
blacklists contain a large number of entries.</li>
<li>Chain names used in the /etc/shorewall/accounting file may
now begin with a digit ([0-9]) and may contain embedded dashes ("-").</li>
</ol>
<p><b>10/26/2003 - Shorewall 1.4.7a and 1.4.7b win brown paper
bag awards</b> <b><img align="middle" alt="" src="images/j0233056.gif"
style="border: 0px solid ; width: 50px; height: 80px;" title="">Shorewall
1.4.7c released.</b></p>
<ol>
<li>The saga with "&lt;zone&gt;_frwd" chains continues. The
1.4.7c script produces a ruleset that should work for everyone even if
it is not quite optimal. My apologies for this ongoing mess.<br>
</li>
</ol>
<p><b>10/24/2003 - Shorewall 1.4.7b</b></p>
<p>This is a bugfx rollup of the 1.4.7a fixes plus:<br>
</p>
<ol>
<li>The fix for problem 5 in 1.4.7a was wrong with the result
that "&lt;zone&gt;_frwd" chains might contain too few rules. That wrong
code is corrected in this release.<br>
</li>
</ol>
<p><b>10/21/2003 - Shorewall 1.4.7a</b></p>
<p>This is a bugfix rollup of the following problem corrections:<br>
</p>
<ol>
<li>Tuomo Soini has supplied a correction to a problem that
occurs using some versions of 'ash'. The symptom is that "shorewall
start" fails with:<br>
&nbsp;<br>
&nbsp;&nbsp; local: --limit: bad variable name<br>
&nbsp;&nbsp; iptables v1.2.8: Couldn't load match
`-j':/lib/iptables/libipt_-j.so:<br>
&nbsp;&nbsp; cannot open shared object file: No such file or directory<br>
&nbsp;&nbsp; Try `iptables -h' or 'iptables --help' for more
information.<br>
<br>
</li>
<li>Andres Zhoglo has supplied a correction that avoids trying
to use the multiport match iptables facility on ICMP rules.<br>
&nbsp;<br>
&nbsp;&nbsp; Example of rule that previously caused "shorewall start"
to fail:<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
ACCEPT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; loc&nbsp; $FW&nbsp;
icmp&nbsp;&nbsp;&nbsp; 0,8,11,12<br>
<br>
</li>
<li>Previously, if the following error message was issued,
Shorewall was left in an inconsistent state.<br>
&nbsp;<br>
&nbsp;&nbsp; Error: Unable to determine the routes through interface xxx<br>
<br>
</li>
<li>Handling of the LOGUNCLEAN option in shorewall.conf has
been corrected.</li>
<li>In Shorewall 1.4.2, an optimization was added. This
optimization involved creating a chain named "&lt;zone&gt;_frwd" for
most zones defined using the /etc/shorewall/hosts file. It has since
been discovered that in many cases these new chains contain redundant
rules and that the "optimization" turns out to be less than optimal.
The implementation has now been corrected.</li>
<li>When the MARK value in a tcrules entry is followed by ":F"
or ":P", the ":F" or ":P" was previously only applied to the first
Netfilter rule generated by the entry. It is now applied to all entries.<br>
</li>
</ol>
<p><a href="News.htm">More News</a></p>
<p><a href="http://leaf.sourceforge.net" target="_top"><img
alt="(Leaf Logo)" border="0" height="36" src="images/leaflogo.gif"
width="49"></a> Jacques Nilo and Eric Wolzak have a LEAF
(router/firewall/gateway on a floppy, CD or compact flash) distribution
called <i>Bering</i> that features Shorewall-1.4.2 and Kernel-2.4.20.
You can find their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo">http://leaf.sourceforge.net/devel/jnilo<br>
</a></p>
<b>Congratulations to Jacques and Eric on the recent release of
Bering 1.2!!!<br>
<br>
</b>
<div style="text-align: center;"><a
href="http://www.shorewall.net" target="_top"><img
alt="(Protected by Shorewall)" src="images/ProtectedBy.png"
style="border: 0px solid ; width: 216px; height: 45px;" title=""></a></div>
<b> </b>
<div>
<div style="text-align: center;"> </div>
</div>
<h2><a name="Donations"></a>Donations</h2>
<p style="text-align: left;"><a href="http://www.starlight.org"><img
align="left" alt="(Starlight Logo)" hspace="10" src="images/newlog.gif"
style="border: 4px solid ; width: 57px; height: 100px;" title=""></a><br>
<big>Shorewall is free but if you try it and find it useful,
please consider making a donation to <a href="http://www.starlight.org">Starlight
Children's Foundation</a>. Thanks!</big><br>
<a href="http://www.starlight.org"></a></p>
</td>
</tr>
</tbody>
</table>
</div>
<p><font size="2">Updated 12/28/2003 - <a href="support.htm">Tom Eastep</a></font><br>
</p>
</body>
</html>

22
Shorewall-docs/sfindex.htm
View File

@ -1,22 +0,0 @@
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Shoreline Firewall</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<frameset cols="242,*">
<frame name="contents" target="main" src="Shorewall_sfindex_frame.htm">
<frame name="main" src="sourceforge_index.htm" target="_self" scrolling="auto">
<noframes>
<body>
<p>This page uses frames, but your browser doesn't support them.</p>
</body>
</noframes>
</frameset>
</html>

59
Shorewall-docs/shoreline.htm
View File

@ -1,59 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>About the Shorewall Author</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none">
</head>
<body>
<p align="center"> </p>
<h1 style="text-align: center;">Tom Eastep<br>
</h1>
<p align="center"><img border="3" src="images/Tom.jpg"
alt="Aging Geek - June 2003" width="320" height="240"> </p>
<p align="center">"The Aging Geek" -- June 2003<br>
<br>
</p>
<ul>
<li>Born 1945 in <a href="http://www.experiencewashington.com">Washington
State</a> .</li>
<li>BA Mathematics from <a href="http://www.wsu.edu">Washington
State University</a> 1967</li>
<li>MA Mathematics from <a href="http://www.washington.edu">University
of Washington</a> 1969</li>
<li>Burroughs Corporation (now <a href="http://www.unisys.com">Unisys</a>
) 1969 - 1980</li>
<li><a href="http://www.tandem.com">Tandem Computers, Incorporated</a>
(now part of the <a href="http://www.hp.com">The New HP</a>) 1980 -
present</li>
<li>Married 1969 - no children.</li>
</ul>
<p>I am currently a member of the design team for the next-generation
operating system from the NonStop Enterprise Division of HP. </p>
<p>I became interested in Internet Security when I established a home
office in 1999 and had DSL service installed in our home. I
investigated ipchains and developed the scripts which are now
collectively known as <a href="http://seawall.sourceforge.net">
Seattle Firewall</a>. Expanding on what I learned from Seattle
Firewall, I then designed and wrote Shorewall. </p>
<p>I telework from our <a
href="http://lists.shorewall.net/SeattleInTheSpring.html">home</a>
in&nbsp;<a href="http://www.cityofshoreline.com">Shoreline, Washington</a>
where
I live with my wife Tarry.&nbsp; </p>
<p></p>
<ul>
</ul>
<p>For information about our home network see <a href="myfiles.htm">my
Shorewall Configuration files.</a></p>
<p>All of our other systems are made by <a href="http://www.compaq.com">Compaq</a>
(part of the new <a href="http://www.hp.com/">HP</a>).</p>
<p><font size="2">Last updated 7/20/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</body>
</html>

24
Shorewall-docs/shorewall_index.htm
View File

@ -1,24 +0,0 @@
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Shoreline Firewall</title>
<meta name="GENERATOR" content="Microsoft FrontPage 4.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Border" content="none, default">
</head>
<frameset rows="90,*">
<frame name="banner" scrolling="no" noresize target="contents" src="Shorewall_Banner.htm">
<frameset cols="262,*">
<frame name="contents" target="main" src="Shorewall_index_frame.htm">
<frame name="main" src="seattlefirewall_index.htm" target="_self">
</frameset>
<noframes>
<body>
<p>This page uses frames, but your browser doesn't support them.</body>
</noframes>
</frameset>
</html>

84
Shorewall-docs/shorewall_mirrors.htm
View File

@ -1,84 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Mirrors</title>
</head>
<body>
<h1 style="text-align: center;">Shorewall Mirrors<br>
</h1>
<p align="left"><b>Remember that updates to the mirrors are often
delayed for 6-12 hours after an update to the primary rsync site. For
HTML content, the main web site (<a href="http://shorewall.sf.net"
target="_top">http://shorewall.sf.net</a>)
is updated at the same time as the rsync site.</b></p>
<p align="left">The main Shorewall Web Site is <a
href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>
and is located in California, USA. It is mirrored at:</p>
<ul>
<li><a target="_top" href="http://slovakia.shorewall.net">http://slovakia.shorewall.net</a>
(Slovak Republic).</li>
<li> <a href="http://www.infohiiway.com/shorewall" target="_top">http://shorewall.infohiiway.com</a>
(Texas, USA).</li>
<li><a target="_top" href="http://germany.shorewall.net">http://germany.shorewall.net</a>
- Also accessible as <a href="http://www.shorewall.de" target="_top">http://www.shorewall.de</a>
(Hamburg, Germany)</li>
<li><a target="_top" href="http://france.shorewall.net">http://france.shorewall.net</a>
(Paris, France)</li>
<li><a href="http://shorewall.syachile.cl" target="_top">http://shorewall.syachile.cl
</a>(Santiago Chile)</li>
<li><a href="http://shorewall.greshko.com" target="_top">http://shorewall.greshko.com</a>
(Taipei, Taiwan)</li>
<li><a href="http://argentina.shorewall.net" target="_top">http://argentina.shorewall.net</a>
(Argentina)</li>
<li><a href="http://shorewall.securityopensource.org.br" target="_top">http://shorewall.securityopensource.org.br</a>
(Brazil)</li>
<li><a href="http://www.shorewall.com.au" target="_top">http://www.shorewall.com.au</a>
(Australia)<br>
</li>
<li><a href="http://www.shorewall.net" target="_top">http://www.shorewall.net</a>
(Washington State, USA)<br>
</li>
</ul>
<p align="left">The rsync site is mirrored via FTP at:</p>
<ul>
<li><a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/">ftp://slovakia.shorewall.net/mirror/shorewall</a>
(Slovak Republic).</li>
<li> <a href="ftp://ftp.infohiiway.com/pub/mirrors/shorewall/"
target="_blank">ftp://ftp.infohiiway.com/pub/shorewall</a> (Texas, USA
-- temporarily unavailable).</li>
<li><a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall">ftp://germany.shorewall.net/pub/shorewall</a>
AKA <a href="ftp://www.shorewall.de/pub/shorewall" target="_top">ftp://www.shorewall.de/pub/shorewall</a>
(Hamburg, Germany)</li>
<li> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall">ftp://france.shorewall.net/pub/mirrors/shorewall</a>
(Paris, France)</li>
<li><a href="ftp://ftp.syachile.cl/pub/shorewall" target="_top">ftp://ftp.syachile.cl/pub/shorewall
</a>(Santiago Chile)<br>
</li>
<li><a href="ftp://shorewall.greshko.com/pub/shorewall" target="_top">ftp://shorewall.greshko.com</a>
(Taipei, Taiwan)</li>
<li><a href="ftp://ftp.shorewall.com.au" target="_top">ftp://ftp.shorewall.com.au</a>
(Australia)<br>
</li>
<li><a href="ftp://ftp.shorewall.net/pub/shorewall" target="_blank">ftp://ftp.shorewall.net
</a>(Washington State, USA)<br>
</li>
</ul>
Search results and the mailing list archives are always fetched from
the site in Washington State.<br>
<p align="left"><font size="2">Last Updated 11/14/2003 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M.
Eastep</font></a></font><br>
</p>
<br>
</body>
</html>

452
Shorewall-docs/sourceforge_index.htm
View File

@ -1,452 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta name="generator" content="HTML Tidy, see www.w3.org">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Shoreline Firewall (Shorewall) 1.4</title>
<base target="_self">
</head>
<body>
<div align="center">
<center>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody>
<tr>
<td width="90%">
<h2>Introduction<br>
</h2>
<ul>
<li><a href="http://www.netfilter.org">Netfilter</a> - the
packet
filter facility built into the 2.4 and later Linux kernels.</li>
<li>ipchains - the packet filter facility built into the 2.2
Linux
kernels. Also the name of the utility program used to configure and
control that facility. Netfilter can be used in ipchains
compatibility mode.<br>
</li>
<li>iptables - the utility program used to configure and
control
Netfilter. The term 'iptables' is often used to refer to the
combination of iptables+Netfilter (with Netfilter not in ipchains
compatibility mode).<br>
</li>
</ul>
The Shoreline Firewall, more commonly known as "Shorewall", is
high-level tool for configuring Netfilter. You describe your
firewall/gateway requirements using entries in a set of
configuration files. Shorewall reads those configuration files and
with the help of the iptables utility, Shorewall configures
Netfilter to match your requirements. Shorewall can be used on a
dedicated firewall system, a multi-function gateway/router/server
or on a standalone GNU/Linux system. Shorewall does not use
Netfilter's ipchains compatibility mode and can thus take advantage
of Netfilter's connection state tracking capabilities.
<p>This program is free software; you can redistribute it and/or
modify it under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
General
Public License</a> as published by the Free Software
Foundation.<br>
<br>
This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.<br>
<br>
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
<p> Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation;
with no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled <a>"GNU
Free Documentation License"</a>.</p>
<p>Copyright © 2001-2003 Thomas M. Eastep </p>
<h2>This is the Shorewall 1.4 Web Site</h2>
The information on this site applies only to 1.4.x releases of
Shorewall. For older versions:<br>
<ul>
<li>The 1.3 site is <a href="http://www.shorewall.net/1.3"
target="_top">here.</a></li>
<li>The 1.2 site is <a href="http://shorewall.net/1.2/"
target="_top">here</a>.<br>
</li>
</ul>
<h2>Getting Started with Shorewall</h2>
New to Shorewall? Start by selecting the <a
href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most
closely match your environment and follow the step by step
instructions.<br>
<h2>Looking for Information?</h2>
The <a href="Documentation_Index.html">Documentation
Index</a> is a good place to start as is the Quick Search in the
frame above.
<h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
If so, the documentation <b></b>on this site will not apply
directly to your setup. If you want to use the documentation that
you find here, you will want to consider uninstalling what you have
and installing a setup that matches the documentation on this site.
See the <a href="two-interface.htm">Two-interface QuickStart
Guide</a> for details.
<h2><b>News</b></h2>
<p><b>12/28/2003 - www.shorewall.net/ftp.shorewall.net Back
On-line</b> <b><img alt="(New)" src="images/new10.gif"
style="border: 0px solid ; width: 28px; height: 12px;" title=""> <br>
</b></p>
<p>Our high-capacity server has been restored to service --
please let <a href="mailto:webmaster@shorewall.net">us</a> know if you
find any problems.<br>
</p>
<p><b>12/07/2003 - Shorewall 1.4.9 Beta 1</b> <b><img
style="border: 0px solid ; width: 28px; height: 12px;"
src="images/new10.gif" alt="(New)" title=""><br>
</b></p>
<div style="margin-left: 40px;"><a
href="http://shorewall.net/pub/shorewall/Beta">http://shorewall.net/pub/shorewall/Beta</a><br>
<a href="ftp://shorewall.net/pub/shorewall/Beta" target="_top">ftp://shorewall.net/pub/shorewall/Beta</a><br>
</div>
<p>Problems Corrected since version 1.4.8:<br>
</p>
<ol>
<li>There has been a low continuing level of confusion over the
terms "Source NAT" (SNAT) and "Static NAT". To avoid future
confusion, all instances of "Static NAT" have been replaced with
"One-to-one NAT" in the documentation and configuration files.</li>
<li>The description of NEWNOTSYN in shorewall.conf has been
reworded for clarity.</li>
<li>Wild-card rules (those involving "all" as SOURCE or DEST)
will
no longer produce an error if they attempt to add a rule that would
override a NONE policy. The logic for expanding these wild-card
rules now simply skips those (SOURCE,DEST) pairs that have a NONE
policy.<br>
</li>
</ol>
<p>Migration Issues:<br>
<br>
&nbsp;&nbsp;&nbsp; None.<br>
<br>
New Features:<br>
</p>
<ol>
<li>To cut down on the number of "Why are these ports closed
rather
than stealthed?" questions, the SMB-related rules in
/etc/shorewall/common.def have been changed from 'reject' to
'DROP'.</li>
<li>For easier identification, packets logged under the
'norfc1918'
interface option are now logged out of chains named 'rfc1918'.
Previously, such packets were logged under chains named
'logdrop'.</li>
<li>Distributors and developers seem to be regularly inventing
new
naming conventions for kernel modules. To avoid the need to change
Shorewall code for each new convention, the MODULE_SUFFIX option
has been added to shorewall.conf. MODULE_SUFFIX may be set to the
suffix for module names in your particular distribution. If
MODULE_SUFFIX is not set in shorewall.conf, Shorewall will use the
list "o gz ko o.gz".<br>
<br>
To see what suffix is used by your distribution:<br>
<br>
ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter<br>
<br>
All of the files listed should have the same suffix (extension).
Set MODULE_SUFFIX to that suffix.<br>
<br>
Examples:<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp; If all files end in ".kzo" then set
MODULE_SUFFIX="kzo"<br>
&nbsp;&nbsp;&nbsp;&nbsp; If all files end in ".kz.o" then set
MODULE_SUFFIX="kz.o"</li>
<li>Support for user defined rule ACTIONS has been implemented
through two new files:<br>
<br>
/etc/shorewall/actions - used to list the user-defined ACTIONS.<br>
/etc/shorewall/action.template - For each user defined
&lt;action&gt;, copy this file to
/etc/shorewall/action.&lt;action&gt; and add the appropriate rules
for that &lt;action&gt;. Once an &lt;action&gt; has been defined,
it may be used like any of the builtin ACTIONS (ACCEPT, DROP, etc.)
in /etc/shorewall/rules.<br>
<br>
Example: You want an action that logs a packet at the 'info' level
and accepts the connection.<br>
<br>
In /etc/shorewall/actions, you would add:<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp; LogAndAccept<br>
<br>
You would then copy /etc/shorewall/action.template to
/etc/shorewall/LogAndAccept and in that file, you would add the two
rules:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; LOG:info<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ACCEPT</li>
</ol>
<p><b>12/03/2003 - Support Torch Passed</b> <b><img
style="border: 0px solid ; width: 28px; height: 12px;"
src="images/new10.gif" alt="(New)" title=""></b></p>
Effective today, I am reducing my participation in the day-to-day
support of Shorewall. As part of this shift to community-based
Shorewall support a new <a
href="https://lists.shorewall.net/mailman/listinfo/shorewall-newbies">Shorewall
Newbies mailing list</a> has been established to field questions
and problems from new users. I will not monitor that list
personally. I will continue my active development of Shorewall and
will be available via the development list to handle development
issues -- Tom.
<p><b>11/01/2003 - Shorewall 1.4.8 RC2</b> <b><img
style="border: 0px solid ; width: 28px; height: 12px;"
src="images/new10.gif" alt="(New)" title=""></b> <b></b></p>
Given the small number of new features and the relatively few lines
of code that were changed, there will be no Beta for 1.4.8.<br>
<p><b><a href="http://shorewall.net/pub/shorewall/Beta">http://shorewall.net/pub/shorewall/Beta</a><br>
<a href="ftp://shorewall.net/pub/shorewall/Beta" target="_top">ftp://shorewall.net/pub/shorewall/Beta</a><br>
<br>
</b> Problems Corrected since version 1.4.7:<br>
</p>
<ol>
<li>Tuomo Soini has supplied a correction to a problem that
occurs
using some versions of 'ash'. The symptom is that "shorewall start"
fails with:<br>
&nbsp;<br>
&nbsp;&nbsp; local: --limit: bad variable name<br>
&nbsp;&nbsp; iptables v1.2.8: Couldn't load match
`-j':/lib/iptables/libipt_-j.so:<br>
&nbsp;&nbsp; cannot open shared object file: No such file or
directory<br>
&nbsp;&nbsp; Try `iptables -h' or 'iptables --help' for more
information.</li>
<li>Andres Zhoglo has supplied a correction that avoids trying
to
use the multiport match iptables facility on ICMP rules.<br>
&nbsp;<br>
&nbsp;&nbsp; Example of rule that previously caused "shorewall
start" to fail:<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
ACCEPT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; loc&nbsp; $FW&nbsp;
icmp&nbsp;&nbsp;&nbsp; 0,8,11,12<br>
<br>
</li>
<li>Previously, if the following error message was issued,
Shorewall was left in an inconsistent state.<br>
&nbsp;<br>
&nbsp;&nbsp; Error: Unable to determine the routes through
interface xxx<br>
<br>
</li>
<li>Handling of the LOGUNCLEAN option in shorewall.conf has
been
corrected.</li>
<li>In Shorewall 1.4.2, an optimization was added. This
optimization involved creating a chain named "&lt;zone&gt;_frwd"
for most zones defined using the /etc/shorewall/hosts file. It has
since been discovered that in many cases these new chains contain
redundant rules and that the "optimization" turns out to be less
than optimal. The implementation has now been corrected.</li>
<li>When the MARK value in a tcrules entry is followed by ":F"
or
":P", the ":F" or ":P" was previously only applied to the first
Netfilter rule generated by the entry. It is now applied to all
entries.</li>
<li>An incorrect comment concerning Debian's use of the
SUBSYSLOCK
option has been removed from shorewall.conf.</li>
<li>Previously, neither the 'routefilter' interface option nor
the
ROUTE_FILTER parameter were working properly. This has been
corrected (thanks to Eric Bowles for his analysis and patch). The
definition of the ROUTE_FILTER option has changed however.
Previously, ROUTE_FILTER=Yes was documented as enabling route
filtering on all interfaces (which didn't work). Beginning with
this release, setting ROUTE_FILTER=Yes will enable route filtering
of all interfaces brought up while Shorewall is started. As a
consequence, ROUTE_FILTER=Yes can coexist with the use of the
'routefilter' option in the interfaces file.</li>
<li>If MAC verification was enabled on an interface with a /32
address and a broadcast address then an error would occur during
startup.</li>
</ol>
Migration Issues:<br>
<ol>
<li>The definition of the ROUTE_FILTER option in shorewall.conf
has
changed as described in item 8) above.<br>
</li>
</ol>
New Features:<br>
<ol>
<li>A new QUEUE action has been introduced for rules. QUEUE
allows
you to pass connection requests to a user-space filter such as
ftwall (http://p2pwall.sourceforge.net). The ftwall program allows
for effective filtering of p2p applications such as Kazaa. For
example, to use ftwall to filter P2P clients in the 'loc' zone, you
would add the following rules:<br>
<br>
&nbsp;&nbsp; QUEUE&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; tcp<br>
&nbsp;&nbsp; QUEUE&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; udp<br>
&nbsp;&nbsp; QUEUE&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;&nbsp; udp<br>
<br>
You would normally want to place those three rules BEFORE any
ACCEPT rules for loc-&gt;net udp or tcp.<br>
<br>
Note: When the protocol specified is TCP ("tcp", "TCP" or "6"),
Shorewall will only pass connection requests (SYN packets) to user
space. This is for compatibility with ftwall.</li>
<li>A BLACKLISTNEWNONLY option has been added to
shorewall.conf.
When this option is set to "Yes", the blacklists (dynamic and
static) are only consulted for new connection requests. When set to
"No" (the default if the variable is not set), the blacklists are
consulted on every packet.<br>
<br>
Setting this option to "No" allows blacklisting to stop existing
connections from a newly blacklisted host but is more expensive in
terms of packet processing time. This is especially true if the
blacklists contain a large number of entries.</li>
<li>Chain names used in the /etc/shorewall/accounting file may
now
begin with a digit ([0-9]) and may contain embedded dashes
("-").</li>
</ol>
<p><b>10/26/2003 - Shorewall 1.4.7a and 1.4.7b win brown paper
bag
awards</b> <b><img
style="border: 0px solid ; width: 50px; height: 80px;"
src="images/j0233056.gif" align="middle" title="" alt="">Shorewall
1.4.7c released.</b></p>
<ol>
<li>The saga with "&lt;zone&gt;_frwd" chains continues. The
1.4.7c
script produces a ruleset that should work for everyone even if it
is not quite optimal. My apologies for this ongoing mess.</li>
</ol>
<p><b>10/24/2003 - Shorewall 1.4.7b</b> <b><img
style="border: 0px solid ; width: 28px; height: 12px;"
src="images/new10.gif" alt="(New)" title=""></b></p>
<p>This is a bugfx rollup of the 1.4.7a fixes plus:<br>
</p>
<ol>
<li>The fix for problem 5 in 1.4.7a was wrong with the result
that
"&lt;zone&gt;_frwd" chains might contain too few rules. That wrong
code is corrected in this release.<br>
</li>
</ol>
<p><b>10/21/2003 - Shorewall 1.4.7a</b></p>
<p>This is a bugfix rollup of the following problem
corrections:<br>
</p>
<ol>
<li>Tuomo Soini has supplied a correction to a problem that
occurs
using some versions of 'ash'. The symptom is that "shorewall start"
fails with:<br>
&nbsp;<br>
&nbsp;&nbsp; local: --limit: bad variable name<br>
&nbsp;&nbsp; iptables v1.2.8: Couldn't load match
`-j':/lib/iptables/libipt_-j.so:<br>
&nbsp;&nbsp; cannot open shared object file: No such file or
directory<br>
&nbsp;&nbsp; Try `iptables -h' or 'iptables --help' for more
information.<br>
<br>
</li>
<li>Andres Zhoglo has supplied a correction that avoids trying
to
use the multiport match iptables facility on ICMP rules.<br>
&nbsp;<br>
&nbsp;&nbsp; Example of rule that previously caused "shorewall
start" to fail:<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
ACCEPT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; loc&nbsp; $FW&nbsp;
icmp&nbsp;&nbsp;&nbsp; 0,8,11,12<br>
<br>
</li>
<li>Previously, if the following error message was issued,
Shorewall was left in an inconsistent state.<br>
&nbsp;<br>
&nbsp;&nbsp; Error: Unable to determine the routes through
interface xxx<br>
<br>
</li>
<li>Handling of the LOGUNCLEAN option in shorewall.conf has
been
corrected.</li>
<li>In Shorewall 1.4.2, an optimization was added. This
optimization involved creating a chain named "&lt;zone&gt;_frwd"
for most zones defined using the /etc/shorewall/hosts file. It has
since been discovered that in many cases these new chains contain
redundant rules and that the "optimization" turns out to be less
than optimal. The implementation has now been corrected.</li>
<li>When the MARK value in a tcrules entry is followed by ":F"
or
":P", the ":F" or ":P" was previously only applied to the first
Netfilter rule generated by the entry. It is now applied to all
entries.</li>
</ol>
<p><b><a href="News.htm">More News</a></b></p>
<b></b>
<h2><b></b></h2>
<b></b>
<p><a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36"
alt="(Leaf Logo)"></a> Jacques Nilo and Eric Wolzak have a LEAF
(router/firewall/gateway on a floppy, CD or compact flash)
distribution called <i>Bering</i> that features Shorewall-1.4.2 and
Kernel-2.4.20. You can find their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo">http://leaf.sourceforge.net/devel/jnilo</a></p>
<b>Congratulations to Jacques and Eric on the recent release of
Bering 1.2!!!</b> <br>
<h1 align="center"><b><a href="http://www.sf.net"><img
align="left" alt="SourceForge Logo"
src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3"></a></b></h1>
<b></b>
<h4><b></b></h4>
<b></b>
<h2><b>This site is hosted by the generous folks at <a
href="http://www.sf.net">SourceForge.net</a></b></h2>
<br>
<br>
<h2><b><a name="Donations"></a>Donations</b></h2>
<b></b></td>
</tr>
</tbody>
</table>
</center>
</div>
<table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse; width: 100%; background-color: rgb(51, 102, 255);"
id="AutoNumber2">
<tbody>
<tr>
<td style="width: 100%; margin-top: 1px;">
<p align="center"><a href="http://www.starlight.org"><img
border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10" alt="Starlight Foundation Logo"></a></p>
<p align="center"><font size="4" color="#ffffff"><br>
<font size="+2">Shorewall is free but if you try it and find it
useful, please consider making a donation to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight
Children's Foundation.</font></a> Thanks!</font></font></p>
</td>
</tr>
</tbody>
</table>
<p><font size="2">Updated 12/28/2003 - <a href="support.htm">Tom
Eastep</a></font><br>
</p>
</body>
</html>

73
Shorewall-docs/starting_and_stopping_shorewall.xml
View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2003-12-28</pubdate>
<pubdate>2003-12-29</pubdate>
<copyright>
<year>2001-2003</year>
@ -39,11 +39,13 @@
<para>If you have a permanent internet connection such as DSL or Cable, I
recommend that you start the firewall automatically at boot. Once you have
installed <quote>firewall</quote> in your init.d directory, simply type
<quote><command>chkconfig --add firewall</command></quote>. This will
start the firewall in run levels 2-5 and stop it in run levels 1 and 6. If
you want to configure your firewall differently from this default, you can
use the <quote>--level</quote> option in chkconfig (see <quote>man
chkconfig</quote>) or using your favorite graphical run-level editor.</para>
<quote><command>chkconfig --add shorewall</command></quote> (<quote><command>insserv
-d shorewall</command></quote> if your distribution uses insserv to
install startup scripts). This will start the firewall in run levels 2-5
and stop it in run levels 1 and 6. If you want to configure your firewall
differently from this default, you can use the <quote>--level</quote>
option in chkconfig (see <quote>man chkconfig</quote>) or using your
favorite graphical run-level editor.</para>
<caution>
<itemizedlist>
@ -120,11 +122,11 @@
</listitem>
<listitem>
<para><command>shorewall show chain1 [ chain2 ... ]</command> -
produce a verbose report about the listed chains (iptables -L chain -n
-v) Note: You may only list one chain in the show command when running
Shorewall version 1.4.6 and earlier. Version 1.4.7 and later allow you
to list multiple chains in one command.</para>
<para><command>shorewall show &#60;chain1&#62; [ &#60;chain2&#62; ...
]</command> - produce a verbose report about the listed chains
(iptables -L chain -n -v) Note: You may only list one chain in the
show command when running Shorewall version 1.4.6 and earlier. Version
1.4.7 and later allow you to list multiple chains in one command.</para>
</listitem>
<listitem>
@ -153,9 +155,11 @@
</listitem>
<listitem>
<para><command>shorewall monitor [ delay ]</command> - Continuously
display the firewall status, last 20 log entries and nat. When the log
entry display changes, an audible alarm is sounded.</para>
<para><command>shorewall monitor [ &#60;delay&#62; ]</command> -
Continuously display the firewall status, last 20 log entries and nat.
When the log entry display changes, an audible alarm is sounded. The
<emphasis>&#60;delay&#62;</emphasis> indicates the number of seconds
between updates with the default being 10 seconds.</para>
</listitem>
<listitem>
@ -183,10 +187,11 @@
<listitem>
<para><command>shorewall try &#60;<errortype>configuration-directory</errortype>&#62;
[ timeout ]</command> - Restart shorewall using the specified
configuration and if an error occurs or if the timeout option is given
and the new configuration has been up for that many seconds then
shorewall is restarted using the standard configuration.</para>
[ &#60;timeout&#62; ]</command> - Restart shorewall using the
specified configuration and if an error occurs or if the
<emphasis>&#60;timeout&#62;</emphasis> option is given and the new
configuration has been up for that many seconds then shorewall is
restarted using the standard configuration.</para>
</listitem>
<listitem>
@ -210,7 +215,7 @@
<listitem>
<para><command>shorewall iprange &#60;address1&#62;-&#60;address2&#62;</command>
- Decomposes the specified range of IP addresses into the equivalent
list of network/host addresses.</para>
list of network/host addresses</para>
</listitem>
</itemizedlist>
@ -267,21 +272,25 @@
<command>shorewall delete ipsec0:192.0.2.24 vpn1</command> -- deletes the address 192.0.2.24 from interface ipsec0 from zone vpn1</programlisting></para>
</listitem>
</itemizedlist>
</section>
<para>The shorewall start, shorewall restart, shorewall check, and
shorewall try commands allow you to specify which Shorewall configuration
to use:</para>
<section>
<title>Alternate Configurations</title>
<para>The <command>shorewall start</command>, <command>shorewall restart</command>,
<command>shorewall check</command>, and <command>shorewall try </command>commands
allow you to specify which Shorewall configuration to use:</para>
<programlisting> <command>shorewall [ -c &#60;configuration-directory&#62; ] {start|restart|check}</command>
<command>shorewall try &#60;configuration-directory&#62;</command></programlisting>
<para>If a <emphasis>configuration-directory</emphasis> is specified, each
time that Shorewall is going to use a file in /etc/shorewall it will first
look in the<emphasis> configuration-directory</emphasis> . If the file is
present in the <emphasis>configuration-directory,</emphasis> that file
will be used; otherwise, the file in /etc/shorewall will be used. When
changing the configuration of a production firewall, I recommend the
following:</para>
<para>If a <emphasis>&#60;configuration-directory</emphasis>&#62; is
specified, each time that Shorewall is going to use a file in
/etc/shorewall it will first look in the<emphasis>
&#60;configuration-directory&#62;</emphasis> . If the file is present in
the <emphasis>&#60;configuration-directory&#62;,</emphasis> that file will
be used; otherwise, the file in /etc/shorewall will be used. When changing
the configuration of a production firewall, I recommend the following:</para>
<itemizedlist>
<listitem>
@ -298,7 +307,7 @@
</listitem>
<listitem>
<para><command>shorewall -c . check</command></para>
<para><command>shorewall -c ./ check</command></para>
</listitem>
<listitem>
@ -330,6 +339,10 @@
<para><command>rm -rf /etc/test</command></para>
</listitem>
</itemizedlist>
</section>
<section>
<title>Shorewall State Diagram</title>
<para>The Shorewall State Diargram is depicted below.<graphic
align="center" fileref="images/State_Diagram.png" /></para>

1080
Shorewall-docs/three-interface.htm
View File

File diff suppressed because it is too large Load Diff

956
Shorewall-docs/two-interface.htm
View File

@ -1,956 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Two-Interface Firewall</title>
<meta name="Microsoft Theme" content="none">
</head>
<body>
<h1 style="text-align: center;">Basic Two-Interface Firewall<br>
</h1>
<p align="left">Setting up a Linux system as a firewall for a small
network is a fairly straight-forward task if you understand the basics
and follow the documentation.</p>
<p>This guide doesn't attempt to acquaint you with all of the features
of Shorewall. It rather focuses on what is required to configure
Shorewall in its most common configuration:</p>
<ul>
<li>Linux system used as a firewall/router for a small local network.</li>
<li style="font-weight: bold;">Single public IP address. If you have
more than one public IP address, this is not the guide you want -- see
the <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a>
instead.</li>
<li>Internet connection through cable modem, DSL, ISDN, Frame Relay,
dial-up ...</li>
</ul>
<p align="left">Here is a schematic of a typical installation.</p>
<p align="center"> <img border="0" src="images/basics.png" width="444"
height="635"> </p>
<p><b>If you are running Shorewall under Mandrake 9.0 or later, you can
easily configure the above setup using the Mandrake "Internet
Connection
Sharing" applet. From the Mandrake Control Center, select "Network
&amp; Internet" then "Connection Sharing".<br>
</b></p>
<p><b>Note however, that the Shorewall configuration produced by
Mandrake Internet Connection Sharing is strange and is apt to confuse
you if you use the rest of this documentation (it has two local zones;
"loc" and "masq" where "loc" is empty; this conflicts with this
documentation which assumes a single local zone "loc"). We therefore
recommend that once you have set up this sharing that you uninstall the
Mandrake Shorewall RPM and install the one from the <a
href="download.htm">download page</a> then follow the instructions in
this Guide.</b><br>
</p>
<p>Shorewall requires that you have the iproute/iproute2 package
installed (on RedHat, the package is called <i>iproute</i>)<i>. </i>You
can tell if this package is installed by the presence of an <b>ip</b>
program on your firewall system. As root, you can use the 'which'
command to check for this program:</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
<p>I recommend that you first read through the guide to familiarize
yourself with what's involved then go back through it again making your
configuration changes. Points at which configuration changes are
recommended are flagged with <img border="0" src="images/BD21298_.gif"
width="13" height="13"> . Configuration notes that are unique to
LEAF/Bering are marked with&nbsp;<img src="images/leaflogo.gif"
alt="(LEAF Logo)" width="49" height="36"> </p>
<p><img border="0" src="images/j0213519.gif" width="60" height="60">
&nbsp;&nbsp;&nbsp; If you edit your configuration files on a Windows
system, you must save them as Unix files if your editor supports that
option or you must run them through dos2unix before trying
to use them. Similarly, if you copy a configuration file from your
Windows hard drive to a floppy disk, you must run dos2unix against the
copy before using it with Shorewall.</p>
<ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
of dos2unix</a></li>
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
Version
of dos2unix</a></li>
</ul>
<h2 align="left">PPTP/ADSL</h2>
<img style="border: 0px solid ; width: 13px; height: 13px;"
src="images/BD21298_3.gif" title="" alt="">&nbsp;&nbsp;&nbsp; If you
have an ADSL Modem and you use PPTP to communicate with a server in
that modem, you must make the <a href="PPTP.htm#PPTP_ADSL">changes
recommended here</a> in addition to those detailed below. ADSL with
PPTP is most commonly found in Europe, notably in Austria.<br>
<h2 align="left">Shorewall Concepts</h2>
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
alt=""> &nbsp;&nbsp;&nbsp; The configuration files for Shorewall are
contained in the directory /etc/shorewall -- for simple setups, you
will only need to deal with a few of these as described in this guide.
After you have <a href="Install.htm">installed Shorewall</a>, <b>download
the <a href="http://www1.shorewall.net/pub/shorewall/Samples/">two-interface
sample</a>, un-tar it (tar -zxvf two-interfaces.tgz) and and copy the
files
to /etc/shorewall (these files will replace files with the same
name).</b></p>
<p>As each file is introduced, I suggest that you look through the
actual file on your system -- each file contains detailed configuration
instructions and default entries.</p>
<p>Shorewall views the network where it is running as being composed of
a set of <i>zones.</i> In the two-interface sample configuration, the
following zone names are used:</p>
<table border="0" style="border-collapse: collapse;" cellpadding="3"
cellspacing="0" id="AutoNumber2">
<tbody>
<tr>
<td><u><b>Name</b></u></td>
<td><u><b>Description</b></u></td>
</tr>
<tr>
<td><b>net</b></td>
<td><b>The Internet</b></td>
</tr>
<tr>
<td><b>loc</b></td>
<td><b>Your Local Network</b></td>
</tr>
</tbody>
</table>
<p>Zones are defined in the <a href="Documentation.htm#Zones">
/etc/shorewall/zones</a> file.</p>
<p>Shorewall also recognizes the firewall system as its own zone - by
default, the firewall itself is known as <b>fw.</b></p>
<p>Rules about what traffic to allow and what traffic to deny are
expressed in terms of zones.</p>
<ul>
<li>You express your default policy for connections from one zone to
another zone in the<a href="Documentation.htm#Policy">
/etc/shorewall/policy </a>file.</li>
<li>You define exceptions to those default policies in the <a
href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
</ul>
<p>For each connection request entering the firewall, the request is
first checked against the /etc/shorewall/rules file. If no rule in
that file matches the connection request then the first policy
in /etc/shorewall/policy that matches the request is applied.
If that policy is REJECT or DROP&nbsp; the request is first checked
against
the rules in /etc/shorewall/common if that file exists; otherwise the
rules in /etc/shorewall/common.def are checked.</p>
<p>The /etc/shorewall/policy file included with the two-interface
sample
has the following policies:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber3">
<tbody>
<tr>
<td><u><b>Source Zone</b></u></td>
<td><u><b>Destination Zone</b></u></td>
<td><u><b>Policy</b></u></td>
<td><u><b>Log Level</b></u></td>
<td><u><b>Limit:Burst</b></u></td>
</tr>
<tr>
<td>loc</td>
<td>net</td>
<td>ACCEPT</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>net</td>
<td>all</td>
<td>DROP</td>
<td>info</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>all</td>
<td>all</td>
<td>REJECT</td>
<td>info</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
<blockquote>
<p>In the two-interface sample, the line below is included but
commented out. If you want your firewall system to have full access to
servers on the internet, uncomment that line.</p>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber3">
<tbody>
<tr>
<td><u><b>Source Zone</b></u></td>
<td><u><b>Destination Zone</b></u></td>
<td><u><b>Policy</b></u></td>
<td><u><b>Log Level</b></u></td>
<td><u><b>Limit:Burst</b></u></td>
</tr>
<tr>
<td>fw</td>
<td>net</td>
<td>ACCEPT</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
<p>The above policy will:</p>
<ol>
<li>allow all connection requests from your local network to the
internet</li>
<li>drop (ignore) all connection requests from the internet to your
firewall or local network</li>
<li>optionally accept all connection requests from the firewall to
the internet (if you uncomment the additional policy)</li>
<li>reject all other connection requests.</li>
</ol>
<p><img border="0" src="images/BD21298_.gif" width="13" height="13">
&nbsp;&nbsp;&nbsp; At this point, edit your /etc/shorewall/policy
and make any changes that you wish.</p>
<h2 align="left">Network Interfaces</h2>
<p align="center"> <img border="0" src="images/basics.png" width="444"
height="635"> </p>
<p align="left">The firewall has two network interfaces. Where Internet
connectivity
is through a cable or DSL "Modem", the <i>External Interface</i> will
be
the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>)&nbsp;
<u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint
<u>P</u>rotocol over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint
<u>T</u>unneling <u>P</u>rotocol </i>(PPTP) in which case the
External Interface will be a ppp interface (e.g., <b>ppp0</b>). If you
connect via a regular modem, your External Interface will also be <b>ppp0</b>.
If you connect via ISDN, your external interface will be <b>ippp0.</b></p>
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13"> &nbsp;&nbsp;&nbsp; If your external interface is <b>ppp0</b>
or<b> ippp0</b>&nbsp; then you will want to set CLAMPMSS=yes in <a
href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf.</a></p>
<p align="left">Your <i>Internal Interface</i> will be an ethernet
adapter (eth1 or eth0) and will be connected to a hub or switch. Your
other computers will be connected to the same hub/switch (note:
If you have only a single internal system, you can connect the firewall
directly to the computer using a <i>cross-over </i> cable).</p>
<p align="left"><u><b> <img border="0" src="images/j0213519.gif"
width="60" height="60"> </b></u>Do not connect the internal and
external interface to the same hub or switch except for testing AND you
are running Shorewall version 1.4.7 or later.&nbsp; When using these
recent versions, you can test using this kind of configuration if you
specify the <span style="font-weight: bold;">arp_filter</span> option
in /etc/shorewall/interfaces for all interfaces connected to the common
hub/switch. Using such a setup with a production firewall is strongly
recommended against.<br>
</p>
<p align="left"><img border="0" src="images/BD21298_.gif" align="left"
width="13" height="13"> &nbsp;&nbsp;&nbsp; The Shorewall two-interface
sample configuration assumes that the external interface is <b>eth0</b>
and the internal interface is <b>eth1</b>. If your configuration is
different, you will have to modify the sample <a
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> file
accordingly. While you are there, you may wish to review the list of
options that are specified for the interfaces. Some hints:</p>
<ul>
<li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>,
you can replace the "detect" in the second column with "-". </p>
</li>
<li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>
or if you have a static IP address, you can remove "dhcp" from the
option list. </p>
</li>
</ul>
<h2 align="left">IP Addresses</h2>
<p align="left">Before going further, we should say a few words about
Internet Protocol (IP) <i>addresses</i>. Normally, your ISP will
assign you a single <i> Public</i> IP address. This address may be
assigned via the<i> Dynamic Host Configuration Protocol</i> (DHCP) or
as part of establishing your connection when you dial in (standard
modem) or establish your PPP connection. In rare cases, your ISP may
assign you a<i> static</i> IP address; that means that you configure
your firewall's external interface to use that address permanently.<i> </i>However
your external address is assigned, it will be shared by all of your
systems when you access the Internet. You will have to assign your own
addresses in your internal network (the Internal Interface on your
firewall plus your other computers). RFC 1918 reserves several <i>Private
</i>IP address ranges for this purpose:</p>
<div align="left">
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
</div>
<div align="left">
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13"> &nbsp;&nbsp;&nbsp; Before starting Shorewall, you should
look at the IP address of your external interface and if it is one of
the above ranges, you should remove the 'norfc1918' option from the
external interface's entry in /etc/shorewall/interfaces.</p>
</div>
<div align="left">
<p align="left">You will want to assign your addresses from the same <i>
sub-network </i>(<i>subnet)</i>.&nbsp; For our purposes, we can
consider a subnet to consists of a range of addresses x.y.z.0 -
x.y.z.255. Such a subnet will have a <i>Subnet Mask </i>of
255.255.255.0. The
address x.y.z.0 is reserved as the <i>Subnet Address</i> and x.y.z.255
is reserved as the <i>Subnet Broadcast</i> <i>Address</i>. In
Shorewall, a subnet is described using&nbsp;<a
href="shorewall_setup_guide.htm#Subnets"><i>Classless InterDomain
Routing </i>(CIDR) notation</a> with consists of the subnet address
followed by "/24". The "24" refers to the number of consecutive leading
"1" bits from the left of the subnet mask. </p>
</div>
<div align="left">
<p align="left">Example sub-network:</p>
</div>
<div align="left">
<blockquote>
<table border="1" style="border-collapse: collapse;" id="AutoNumber1"
cellpadding="2">
<tbody>
<tr>
<td><b>Range:</b></td>
<td>10.10.10.0 - 10.10.10.255</td>
</tr>
<tr>
<td><b>Subnet Address:</b></td>
<td>10.10.10.0</td>
</tr>
<tr>
<td><b>Broadcast Address:</b></td>
<td>10.10.10.255</td>
</tr>
<tr>
<td><b>CIDR&nbsp;Notation:</b></td>
<td>10.10.10.0/24</td>
</tr>
</tbody>
</table>
</blockquote>
</div>
<div align="left">
<p align="left">It is conventional to assign the internal interface
either the first usable address in the subnet (10.10.10.1 in the above
example) or the last usable address (10.10.10.254).</p>
</div>
<div align="left">
<p align="left">One of the purposes of subnetting is to allow all
computers in the subnet to understand which other computers can be
communicated with directly. To communicate with systems outside of the
subnetwork, systems send packets through a<i>&nbsp; gateway</i>&nbsp;
(router).</p>
</div>
<div align="left">
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13"> &nbsp;&nbsp;&nbsp; Your local computers (computer 1 and
computer 2 in the above diagram) should be configured with their<i>
default gateway</i> to be the IP address of the firewall's internal
interface.<i>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </i> </p>
</div>
<p align="left">The foregoing short discussion barely scratches the
surface regarding subnetting and routing. If you are interested in
learning more about IP addressing and routing, I highly recommend <i>"IP
Fundamentals: What Everyone Needs to Know about Addressing &amp;
Routing",</i> Thomas A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
<p align="left">The remainder of this quide will assume that you have
configured your network as shown here:</p>
<p align="center"> <img border="0" src="images/basics1.png" width="444"
height="635"> </p>
<p align="left">The default gateway for computer's 1 &amp; 2 would be
10.10.10.254.<br>
</p>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13" alt=""> &nbsp;&nbsp;&nbsp; <font color="#ff0000"><b>WARNING:
</b></font><b>Your ISP might assign your external interface an RFC 1918
address. If that address
is in the 10.10.10.0/24 subnet then you will need to select a DIFFERENT
RFC 1918 subnet for your local network.</b><br>
</p>
<h2 align="left">IP Masquerading (SNAT)</h2>
<p align="left">The addresses reserved by RFC 1918 are sometimes
referred to as <i>non-routable</i> because the Internet backbone
routers don't forward packets which have an RFC-1918 destination
address. When one of your local systems (let's assume computer 1) sends
a
connection request to an internet host, the firewall must perform
<i>Network Address Translation </i>(NAT). The firewall rewrites
the source address in the packet to be the address of the firewall's
external interface; in other words, the firewall makes it look as
if the firewall itself is initiating the connection.&nbsp; This is
necessary
so that the destination host will be able to route return packets back
to the firewall (remember that packets whose destination address
is reserved by RFC 1918 can't be routed across the internet so the
remote host can't address its response to computer 1). When the
firewall
receives a return packet, it rewrites the destination address back to
10.10.10.1 and forwards the packet on to computer 1. </p>
<p align="left">On Linux systems, the above process is often referred
to
as<i> IP Masquerading</i> but you will also see the term <i>Source
Network
Address Translation </i>(SNAT) used. Shorewall follows the convention
used
with Netfilter:</p>
<ul>
<li>
<p align="left"><i>Masquerade</i> describes the case where you let
your firewall system automatically detect the external interface
address. </p>
</li>
<li>
<p align="left"><i>SNAT</i> refers to the case when you explicitly
specify the source address that you want outbound packets from your
local network to use. </p>
</li>
</ul>
<p align="left">In Shorewall, both Masquerading and SNAT are configured
with entries in the /etc/shorewall/masq file. You will normally use
Masquerading if your external IP is dynamic and SNAT if the IP
is static.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13"> &nbsp;&nbsp;&nbsp; If your external firewall interface is
<b>eth0</b>, you do not need to modify the file provided with the
sample. Otherwise, edit /etc/shorewall/masq and change the first column
to the name of your external interface and the second column to the
name of your internal interface.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13"> &nbsp;&nbsp;&nbsp; If your external IP is static, you can
enter it in the third column in the /etc/shorewall/masq entry if you
like although your firewall will work fine if you leave that column
empty. Entering your static IP in column 3 makes processing outgoing
packets a little more efficient.<br>
<br>
<img border="0" src="images/BD21298_.gif" width="13" height="13" alt="">
&nbsp;&nbsp;&nbsp; If you are using the Debian package, please check
your
shorewall.conf file to ensure that the following are set correctly;
if they are not, change them appropriately:<br>
</p>
<ul>
<li>NAT_ENABLED=Yes (Shorewall versions earlier than 1.4.6)</li>
<li>IP_FORWARDING=On<br>
</li>
</ul>
<h2 align="left">Port Forwarding (DNAT)</h2>
<p align="left">One of your goals may be to run one or more servers on
your local computers. Because these computers have RFC-1918 addresses,
it is not possible for clients on the internet to connect directly to
them. It is rather necessary for those clients to address their
connection requests to the firewall who rewrites the destination
address to the address of your server and forwards the packet to
that server. When your server responds, the firewall automatically
performs SNAT to rewrite the source address in the response.</p>
<p align="left">The above process is called<i> Port Forwarding</i> or <i>
Destination Network Address Translation</i> (DNAT). You configure port
forwarding using DNAT rules in the /etc/shorewall/rules file.</p>
<p>The general form of a simple port forwarding rule in
/etc/shorewall/rules is:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber4">
<tbody>
<tr>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr>
<tr>
<td>DNAT</td>
<td>net</td>
<td>loc:<i>&lt;server local ip address&gt; </i>[:<i>&lt;server
port&gt;</i>]</td>
<td><i>&lt;protocol&gt;</i></td>
<td><i>&lt;port&gt;</i></td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
<p>Example 1 - you run a Web Server on computer 2 and you want to
forward
incoming TCP port 80 to that system:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber4">
<tbody>
<tr>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr>
<tr>
<td>DNAT</td>
<td>net</td>
<td>loc:10.10.10.2</td>
<td>tcp</td>
<td>80</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
<p>Example 2 - you run an FTP Server on computer 1 so you want to
forward
incoming TCP port 21 to that system:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber4">
<tbody>
<tr>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr>
<tr>
<td>DNAT</td>
<td>net</td>
<td>loc:10.10.10.1</td>
<td>tcp</td>
<td>21<br>
</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
<p>For FTP, you will also need to have FTP connection tracking and NAT
support
in your kernel. For vendor-supplied kernels, this means that the
ip_conntrack_ftp
and ip_nat_ftp modules must be loaded. Shorewall will automatically
load
these modules if they are available and located in the standard place
under
/lib/modules/&lt;<i>kernel version</i>&gt;/kernel/net/ipv4/netfilter.<br>
</p>
<p>A couple of important points to keep in mind:</p>
<ul>
<li>You must test the above rule from a client outside of your local
network (i.e., don't test from a browser running on computers 1 or 2 or
on the firewall). If you want to be able to access your web server
and/or FTP server from inside your firewall using the IP address of
your external interface, see <a href="FAQ.htm#faq2">Shorewall FAQ #2</a>.</li>
<li>Many ISPs block incoming connection requests to port 80. If you
have problems connecting to your web server, try the following rule and
try connecting to port 5000.</li>
</ul>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber4">
<tbody>
<tr>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr>
<tr>
<td>DNAT</td>
<td>net</td>
<td>loc:10.10.10.2:80</td>
<td>tcp</td>
<td>5000</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13">
&nbsp;&nbsp;&nbsp; At this point, modify /etc/shorewall/rules to
add any DNAT rules that you require.</p>
<h2 align="left">Domain Name Server (DNS)</h2>
<p align="left">Normally, when you connect to your ISP, as part of
getting an IP address your firewall's <i>Domain Name Service </i>(DNS)
resolver will be automatically configured (e.g., the /etc/resolv.conf
file will be written). Alternatively, your ISP may have given you
the IP address of a pair of DNS <i> name servers</i> for you to
manually configure as your primary and secondary name servers.
Regardless
of how DNS gets configured on your firewall, it is <u>your</u>
responsibility to configure the resolver in your internal systems. You
can take
one of two approaches:</p>
<ul>
<li>
<p align="left">You can configure your internal systems to use your
ISP's name servers. If you ISP gave you the addresses of their servers
or if those addresses are available on their web site, you can
configure your internal systems to use those addresses. If that
information isn't available, look in /etc/resolv.conf on your
firewall system -- the name servers are given in "nameserver" records
in that file. </p>
</li>
<li>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13"> &nbsp;&nbsp;&nbsp; You can configure a<i> Caching Name
Server </i>on your firewall.<i> </i>Red Hat has an RPM for a caching
name server (the RPM also requires the 'bind' RPM) and for Bering
users, there is dnscache.lrp. If you take this approach, you configure
your internal systems to use the firewall itself as their primary (and
only) name server. You use the internal IP address of the firewall
(10.10.10.254 in the example above) for the name server address. To
allow your local systems to talk to your caching name server, you
must open port 53 (both UDP and TCP) from the local network to the
firewall; you do that by adding the following rules in
/etc/shorewall/rules. </p>
</li>
</ul>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber4">
<tbody>
<tr>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr>
<tr>
<td>ACCEPT</td>
<td>loc</td>
<td>fw</td>
<td>tcp</td>
<td>53</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>loc</td>
<td>fw</td>
<td>udp</td>
<td>53</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
<div align="left">
<h2 align="left">Other Connections</h2>
</div>
<div align="left">
<p align="left">The two-interface sample includes the following rules:</p>
</div>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber4">
<tbody>
<tr>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr>
<tr>
<td>ACCEPT</td>
<td>fw</td>
<td>net</td>
<td>tcp</td>
<td>53</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>fw</td>
<td>net</td>
<td>udp</td>
<td>53</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
</div>
<div align="left">
<p align="left">Those rules allow DNS access from your firewall and may
be removed if you uncommented the line in /etc/shorewall/policy
allowing all connections from the firewall to the internet.</p>
</div>
<div align="left">
<p align="left">The sample also includes:</p>
</div>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber4">
<tbody>
<tr>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr>
<tr>
<td>ACCEPT</td>
<td>loc</td>
<td>fw</td>
<td>tcp</td>
<td>22</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
</div>
<div align="left">
<p align="left">That rule allows you to run an SSH server on your
firewall and connect to that server from your local systems.</p>
</div>
<div align="left">
<p align="left">If you wish to enable other connections between your
firewall and other systems, the general format is:</p>
</div>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber4">
<tbody>
<tr>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr>
<tr>
<td>ACCEPT</td>
<td><i>&lt;source zone&gt;</i></td>
<td><i>&lt;destination zone&gt;</i></td>
<td><i>&lt;protocol&gt;</i></td>
<td><i>&lt;port&gt;</i></td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
</div>
<div align="left">
<p align="left">Example - You want to run a Web Server on your firewall
system:</p>
</div>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber4">
<tbody>
<tr>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr>
<tr>
<td>ACCEPT</td>
<td>net</td>
<td>fw</td>
<td>tcp</td>
<td>80</td>
<td>#Allow web access</td>
<td>from the internet</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>loc</td>
<td>fw</td>
<td>tcp</td>
<td>80</td>
<td>#Allow web access</td>
<td>from the local network</td>
</tr>
</tbody>
</table>
</blockquote>
</div>
<div align="left">
<p align="left">Those two rules would of course be in addition to the
rules listed above under "You can configure a Caching Name Server
on your firewall"</p>
</div>
<div align="left">
<p align="left">If you don't know what port and protocol a particular
application uses, look <a href="ports.htm">here</a>.</p>
</div>
<div align="left">
<p align="left"><b>Important: </b>I don't recommend enabling telnet
to/from the internet because it uses clear text (even for login!).
If you want shell access to your firewall from the internet,
use SSH:</p>
</div>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber4">
<tbody>
<tr>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr>
<tr>
<td>ACCEPT</td>
<td>net</td>
<td>fw</td>
<td>tcp</td>
<td>22</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
</div>
<div align="left">
<p align="left"><img src="images/leaflogo.gif" alt="(LEAF Logo)"
width="49" height="36"> &nbsp;&nbsp;&nbsp; Bering users will want to
add the following two rules to be
compatible with Jacques's Shorewall configuration.</p>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber4">
<tbody>
<tr>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr>
<tr>
<td>ACCEPT</td>
<td>loc<br>
</td>
<td>fw</td>
<td>udp<br>
</td>
<td>53<br>
</td>
<td>#Allow DNS Cache to</td>
<td>work<br>
</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>loc</td>
<td>fw</td>
<td>tcp</td>
<td>80</td>
<td>#Allow weblet to work</td>
<td><br>
</td>
</tr>
</tbody>
</table>
</blockquote>
</div>
<p align="left"><br>
<img border="0" src="images/BD21298_.gif" width="13" height="13">
&nbsp;&nbsp;&nbsp; Now edit your /etc/shorewall/rules file to add or
delete other connections as required.</p>
</div>
<div align="left">
<h2 align="left">Starting and Stopping Your Firewall</h2>
</div>
<div align="left">
<p align="left"> <img border="0" src="images/BD21298_2.gif" width="13"
height="13" alt="Arrow"> &nbsp;&nbsp;&nbsp; The <a href="Install.htm">installation
procedure </a> configures your system to start Shorewall at system
boot&nbsp; but
beginning with Shorewall version 1.3.9 startup is disabled so that
your system won't try to start Shorewall before configuration is
complete.
Once you have completed configuration of your firewall, you can enable
Shorewall startup by removing the file /etc/shorewall/startup_disabled.<br>
</p>
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: </font><font
color="#ff0000">Users of the .deb package must edit
/etc/default/shorewall and set 'startup=1'.</font><br>
</p>
</div>
<div align="left">
<p align="left">The firewall is started using the "shorewall start"
command and stopped using "shorewall stop". When the firewall is
stopped, routing is enabled on those hosts that have an entry in <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
A running firewall may be restarted using the "shorewall restart"
command. If you want to totally remove any trace of Shorewall from your
Netfilter configuration, use "shorewall clear".</p>
</div>
<div align="left">
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13"> &nbsp;&nbsp;&nbsp; The two-interface sample assumes that
you want
to enable routing to/from <b>eth1 </b>(the local network) when
Shorewall is stopped. If your local network isn't connected to <b>eth1</b>
or if you wish to enable access to/from other hosts, change
/etc/shorewall/routestopped accordingly.</p>
</div>
<div align="left">
<p align="left"><b>WARNING: </b>If you are connected to your firewall
from the internet, do not issue a "shorewall stop" command unless you
have added an entry for the IP address that you are connected from to <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better
to create an <i><a href="configuration_file_basics.htm#Configs">alternate
configuration</a></i> and test it using the <a
href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.<br>
</p>
<h2>Additional Recommended Reading</h2>
I highly recommend that you review the <a
href="configuration_file_basics.htm">Common Configuration File
Features page</a> -- it contains helpful tips about Shorewall features
than make administering your firewall easier.
</div>
<p align="left"><font size="2">Last updated 11/15/2003 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002,
2003 Thomas M. Eastep</font></a><br>
</p>
</body>
</html>