extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-02-23 21:21:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

1.3.10 Release Changes

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@319 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2002-11-09 18:06:34 +00:00
parent c44cb44f7c
commit 3354d96ebb
44 changed files with 10071 additions and 9047 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4337
Shorewall-docs/Documentation.htm
View File

File diff suppressed because it is too large Load Diff

1381
Shorewall-docs/FAQ.htm
View File

File diff suppressed because it is too large Load Diff

635
Shorewall-docs/IPSEC.htm
View File

@ -1,284 +1,367 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall IPSec Tunneling</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">IPSEC Tunnels</font></h1>
</td>
</tr>
</table>
<h2><font color="#660066">Configuring FreeS/Wan</font></h2>
There is an excellent guide to configuring IPSEC tunnels at<a href="http://jixen.tripod.com">
http://jixen.tripod.com</a>
. I highly recommend that you consult that site for information about confuring
FreeS/Wan. <p><font color="#FF6633"><b>Warning: </b></font>Do not use Proxy ARP
and FreeS/Wan on the same system unless you are prepared to suffer the
consequences. If you start or restart Shorewall with an IPSEC tunnel active,
the proxied IP addresses are mistakenly assigned to the IPSEC tunnel device
(ipsecX) rather than to the interface that you specify in the INTERFACE column
of /etc/shorewall/proxyarp. I haven't had the time to debug this problem so I
can't say if it is a bug in the Kernel or in FreeS/Wan.&nbsp;</p>
<p>You <b>might</b> be able to work around this problem using the following (I
haven't tried it):</p>
<p>In /etc/shorewall/init, include:</p>
<p>&nbsp;&nbsp;&nbsp;&nbsp; qt service ipsec stop</p>
<p>In /etc/shorewall/start, include:</p>
<p>&nbsp;&nbsp;&nbsp; qt service ipsec start</p>
<h2>
<font color="#660066">IPSec Gateway
on the Firewall System
</font></h2>
<p>Suppose that we have the following sutuation:</p>
<font color="#660066">
<p align="Center"><font face="Century Gothic, Arial, Helvetica">
<img src="images/TwoNets1.png" width="745" height="427">
</font></p>
</font>
<p align="Left">We want systems
in the 192.168.1.0/24 sub-network to be able to communicate with systems
in the 10.0.0.0/8 network.</p>
<p align="Left">To make this work, we need to do two things:</p>
<p align="Left">a) Open the firewall so that the IPSEC tunnel can be established
(allow the ESP and AH protocols and UDP Port 500). </p>
<p align="Left">b) Allow traffic through the tunnel.</p>
<p align="Left">Opening the firewall for the IPSEC tunnel is accomplished by
adding an entry to the /etc/shorewall/tunnels file.</p>
<p align="Left">In /etc/shorewall/tunnels
on system A, we need the following </p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse">
<tbody>
<tr>
<td><strong>
TYPE</strong></td>
<td><strong>
ZONE</strong></td>
<td><strong>
GATEWAY</strong></td>
<td><strong>
GATEWAY ZONE</strong></td>
</tr>
<tr>
<td>ipsec</td>
<td>net</td>
<td>134.28.54.2</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table></blockquote>
<p align="Left">In /etc/shorewall/tunnels
on system B, we would have:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse">
<tbody>
<tr>
<td><strong>
TYPE</strong></td>
<td><strong>
ZONE</strong></td>
<td><strong>
GATEWAY</strong></td>
<td><strong>
GATEWAY ZONE</strong></td>
</tr>
<tr>
<td>ipsec</td>
<td>net</td>
<td>206.161.148.9</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table></blockquote>
<p align="Left">You need to define a zone for the remote subnet or include
it in your local zone. In this example, we'll assume that you have created a
zone called &quot;vpn&quot; to represent the remote subnet.</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse">
<tr>
<td><strong>ZONE</strong></td>
<td><strong>DISPLAY</strong></td>
<td><strong>COMMENTS</strong></td>
</tr>
<tr>
<td>vpn</td>
<td>VPN</td>
<td>Remote Subnet</td>
</tr>
</table>
</blockquote>
<p align="Left">At both
systems, ipsec0 would be included in /etc/shorewall/interfaces as a "vpn"
interface:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse">
<tbody>
<tr>
<td><strong>
ZONE</strong></td>
<td><strong>
INTERFACE</strong></td>
<td><strong>
BROADCAST</strong></td>
<td><strong>
OPTIONS</strong></td>
</tr>
<tr>
<td>vpn</td>
<td>ipsec0</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table></blockquote>
<p align="Left"> You will need to allow traffic between the &quot;vpn&quot; zone and
the &quot;loc&quot; zone -- if you simply want to admit all traffic in both
directions, you can use the policy file:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse">
<tr>
<td><strong>SOURCE</strong></td>
<td><strong>DEST</strong></td>
<td><strong>POLICY</strong></td>
<td><strong>LOG LEVEL</strong></td>
</tr>
<tr>
<td>loc</td>
<td>vpn</td>
<td>ACCEPT</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>vpn</td>
<td>loc</td>
<td>ACCEPT</td>
<td>&nbsp;</td>
</tr>
</table>
</blockquote>
<p align="Left"> Once
you have these entries in place, restart Shorewall (type shorewall restart);
you are now ready to configure the tunnel in <a href="http://www.xs4all.nl/%7Efreeswan/">
FreeS/WAN</a>
.</p>
<h2><font color="#660066"><a name="RoadWarrior"></a>
Mobile System (Road Warrior)</font></h2>
<p>Suppose that you have
a laptop system (B) that you take with you when you travel and you want to
be able to establish a secure connection back to your local network.</p>
<p align="Center"><strong><font face="Century Gothic, Arial, Helvetica">
<img src="images/Mobile.png" width="677" height="426">
</font></strong></p>
<p align="Left">You need to define a zone for the laptop or include it in
your local zone. In this example, we'll assume that you have created a zone
called &quot;vpn&quot; to represent the remote host.</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse">
<tr>
<td><strong>ZONE</strong></td>
<td><strong>DISPLAY</strong></td>
<td><strong>COMMENTS</strong></td>
</tr>
<tr>
<td>vpn</td>
<td>VPN</td>
<td>Remote Subnet</td>
</tr>
</table>
</blockquote>
<p align="Left"> In this
instance, the mobile system (B) has IP address 134.28.54.2 but that cannot
be determined in advance. In the /etc/shorewall/tunnels file on system A,
the following entry should be made:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse">
<tbody>
<tr>
<td><strong>
TYPE</strong></td>
<td><strong>
ZONE</strong></td>
<td><strong>
GATEWAY</strong></td>
<td><strong>
GATEWAY ZONE</strong></td>
</tr>
<tr>
<td>ipsec</td>
<td>net</td>
<td>0.0.0.0/0</td>
<td>vpn</td>
</tr>
</tbody>
</table></blockquote>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">IPSEC Tunnels</font></h1>
</td>
</tr>
</tbody>
</table>
<h2><font color="#660066">Configuring FreeS/Wan</font></h2>
There is an excellent guide to configuring IPSEC tunnels at<a
href="http://jixen.tripod.com"> http://jixen.tripod.com</a> . I highly recommend
that you consult that site for information about confuring FreeS/Wan. 
<p><font color="#ff6633"><b>Warning: </b></font>Do not use Proxy ARP and
FreeS/Wan on the same system unless you are prepared to suffer the consequences.
If you start or restart Shorewall with an IPSEC tunnel active, the proxied
IP addresses are mistakenly assigned to the IPSEC tunnel device (ipsecX)
rather than to the interface that you specify in the INTERFACE column of
/etc/shorewall/proxyarp. I haven't had the time to debug this problem so I
can't say if it is a bug in the Kernel or in FreeS/Wan. </p>
<p>You <b>might</b> be able to work around this problem using the following
(I haven't tried it):</p>
<p>In /etc/shorewall/init, include:</p>
<p>     qt service ipsec stop</p>
<p>In /etc/shorewall/start, include:</p>
<p>    qt service ipsec start</p>
<h2> <font color="#660066">IPSec Gateway on the Firewall System </font></h2>
<p>Suppose that we have the following sutuation:</p>
<font color="#660066">
<p align="center"><font face="Century Gothic, Arial, Helvetica"> <img
src="images/TwoNets1.png" width="745" height="427">
</font></p>
</font>
<p align="left">We want systems in the 192.168.1.0/24 sub-network to be able
to communicate with systems in the 10.0.0.0/8 network.</p>
<p align="left">To make this work, we need to do two things:</p>
<p align="left">a) Open the firewall so that the IPSEC tunnel can be established
(allow the ESP and AH protocols and UDP Port 500). </p>
<p align="left">b) Allow traffic through the tunnel.</p>
<p align="left">Opening the firewall for the IPSEC tunnel is accomplished
by adding an entry to the /etc/shorewall/tunnels file.</p>
<p align="left">In /etc/shorewall/tunnels on system A, we need the following </p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><strong> TYPE</strong></td>
<td><strong> ZONE</strong></td>
<td><strong> GATEWAY</strong></td>
<td><strong> GATEWAY ZONE</strong></td>
</tr>
<tr>
<td>ipsec</td>
<td>net</td>
<td>134.28.54.2</td>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
<p>Note that the GATEWAY
ZONE column contains the name of the zone corresponding to peer subnetworks. This indicates that the
gateway system itself comprises the peer subnetwork; in other words, the
remote gateway is a standalone system.</p>
<p>You will need to configure /etc/shorewall/interfaces and establish
your &quot;through the tunnel&quot; policy as shown under the first example above.</p>
<p><font size="2"> Last
updated 8/20/2002 - </font><font size="2">
<a href="support.htm">Tom Eastep</a></font>
<p align="left">In /etc/shorewall/tunnels on system B, we would have:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><strong> TYPE</strong></td>
<td><strong> ZONE</strong></td>
<td><strong> GATEWAY</strong></td>
<td><strong> GATEWAY ZONE</strong></td>
</tr>
<tr>
<td>ipsec</td>
<td>net</td>
<td>206.161.148.9</td>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
<p align="left"><b>Note: </b>If either of the endpoints is behind a NAT gateway
then the tunnels file entry on the <u><b>other</b></u> endpoint should specify
a tunnel type of <i>ipsecnat</i> rather than <i>ipsec</i> and the GATEWAY
address should specify the external address of the NAT gateway.<br>
</p>
<p align="left">You need to define a zone for the remote subnet or include
it in your local zone. In this example, we'll assume that you have created
a zone called "vpn" to represent the remote subnet.</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><strong>ZONE</strong></td>
<td><strong>DISPLAY</strong></td>
<td><strong>COMMENTS</strong></td>
</tr>
<tr>
<td>vpn</td>
<td>VPN</td>
<td>Remote Subnet</td>
</tr>
</tbody>
</table>
</blockquote>
<p align="left">At both systems, ipsec0 would be included in /etc/shorewall/interfaces
as a "vpn" interface:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><strong> ZONE</strong></td>
<td><strong> INTERFACE</strong></td>
<td><strong> BROADCAST</strong></td>
<td><strong> OPTIONS</strong></td>
</tr>
<tr>
<td>vpn</td>
<td>ipsec0</td>
<td> </td>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
<p align="left"> You will need to allow traffic between the "vpn" zone and
the "loc" zone -- if you simply want to admit all traffic in both
directions, you can use the policy file:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><strong>SOURCE</strong></td>
<td><strong>DEST</strong></td>
<td><strong>POLICY</strong></td>
<td><strong>LOG LEVEL</strong></td>
</tr>
<tr>
<td>loc</td>
<td>vpn</td>
<td>ACCEPT</td>
<td> </td>
</tr>
<tr>
<td>vpn</td>
<td>loc</td>
<td>ACCEPT</td>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
<p align="left"> Once you have these entries in place, restart Shorewall (type
shorewall restart); you are now ready to configure the tunnel in <a
href="http://www.xs4all.nl/%7Efreeswan/"> FreeS/WAN</a> .</p>
<h2><font color="#660066"><a name="RoadWarrior"></a> Mobile System (Road
Warrior)</font></h2>
<p>Suppose that you have a laptop system (B) that you take with you when you
travel and you want to be able to establish a secure connection back to your
local network.</p>
<p align="center"><strong><font face="Century Gothic, Arial, Helvetica">
<img src="images/Mobile.png" width="677" height="426">
</font></strong></p>
<p align="left">You need to define a zone for the laptop or include it in
your local zone. In this example, we'll assume that you have created
a zone called "vpn" to represent the remote host.</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><strong>ZONE</strong></td>
<td><strong>DISPLAY</strong></td>
<td><strong>COMMENTS</strong></td>
</tr>
<tr>
<td>vpn</td>
<td>VPN</td>
<td>Remote Subnet</td>
</tr>
</tbody>
</table>
</blockquote>
<p align="left"> In this instance, the mobile system (B) has IP address 134.28.54.2
but that cannot be determined in advance. In the /etc/shorewall/tunnels file
on system A, the following entry should be made:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><strong> TYPE</strong></td>
<td><strong> ZONE</strong></td>
<td><strong> GATEWAY</strong></td>
<td><strong> GATEWAY ZONE</strong></td>
</tr>
<tr>
<td>ipsec</td>
<td>net</td>
<td>0.0.0.0/0</td>
<td>vpn</td>
</tr>
</tbody>
</table>
</blockquote>
<p>Note that the GATEWAY ZONE column contains the name of the zone corresponding
to peer subnetworks. This indicates that the gateway system itself comprises
the peer subnetwork; in other words, the remote gateway is a standalone system.</p>
<p>You will need to configure /etc/shorewall/interfaces and establish
your "through the tunnel" policy as shown under the first example above.<br>
</p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">
Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<h2><a name="Dynamic"></a>Dynamic RoadWarrior Zones</h2>
Beginning with Shorewall release 1.3.10, you can define multiple VPN zones
and add and delete remote endpoints dynamically using /sbin/shorewall. In
/etc/shorewall/zones:<br>
<br>
<blockquote>
<table cellpadding="2" border="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td valign="top"><b>ZONE<br>
</b></td>
<td valign="top"><b>DISPLAY<br>
</b></td>
<td valign="top"><b>COMMENTS<br>
</b></td>
</tr>
<tr>
<td valign="top">vpn1<br>
</td>
<td valign="top">VPN-1<br>
</td>
<td valign="top">First VPN Zone<br>
</td>
</tr>
<tr>
<td valign="top">vpn2<br>
</td>
<td valign="top">VPN-2<br>
</td>
<td valign="top">Second VPN Zone<br>
</td>
</tr>
<tr>
<td valign="top">vpn3<br>
</td>
<td valign="top">VPN-3<br>
</td>
<td valign="top">Third VPN Zone<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
In /etc/shorewall/tunnels:<br>
<blockquote>
<table cellpadding="2" cellspacing="" border="2"
style="border-collapse: collapse;">
<tbody>
<tr>
<td valign="top"><b>TYPE<br>
</b></td>
<td valign="top"><b>ZONE<br>
</b></td>
<td valign="top"><b>GATEWAY<br>
</b></td>
<td valign="top"><b>GATEWAY ZONE<br>
</b></td>
</tr>
<tr>
<td valign="top">ipsec<br>
</td>
<td valign="top">net<br>
</td>
<td valign="top">0.0.0.0/0<br>
</td>
<td valign="top">vpn1,vpn2,vpn3<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
When Shorewall is started, the zones vpn[1-3] will all be empty and Shorewall
will issue warnings to that effect. These warnings may be safely ignored.
FreeS/Wan may now be configured to have three different Road Warrior connections
with the choice of connection being based on X-509 certificates or some other
means. Each of these connectioins will utilize a different updown script that
adds the remote station to the appropriate zone when the connection comes
up and that deletes the remote station when the connection comes down. For
example, when 134.28.54.2 connects for the vpn2 zone the 'up' part of the
script will issue the command":<br>
<br>
<blockquote>/sbin/shorewall add ipsec0:134.28.54.2 vpn2<br>
</blockquote>
and the 'down' part will:<br>
<blockquote>/sbin/shorewall delete ipsec0:134.28.54.2 vpn</blockquote>
<p><font size="2">Last updated 10/23/2002 - </font><font size="2">
<a href="support.htm">Tom Eastep</a></font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">
Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
</body>
</html>
</html>

343
Shorewall-docs/Install.htm
View File

@ -1,174 +1,207 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Shorewall Installation</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall Installation</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Shorewall Installation and Upgrade</font></h1>
</td>
</tr>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Installation and
Upgrade</font></h1>
</td>
</tr>
</tbody>
</table>
<p align="center"><b>Before upgrading, be sure to review the
<a href="upgrade_issues.htm">Upgrade Issues</a></b></p>
<p align="center"><b>Before upgrading, be sure to review the <a
href="upgrade_issues.htm">Upgrade Issues</a></b></p>
<p><font size="4"><b><a href="#Install_RPM">Install using RPM</a><br>
<a href="#Install_Tarball">Install
using tarball</a><br>
<a href="#Upgrade_RPM">Upgrade using RPM</a><br>
<a href="#Upgrade_Tarball">Upgrade
using tarball</a><br>
<a href="#Config_Files">Configuring Shorewall</a><br>
<a href="fallback.htm">Uninstall/Fallback</a></b></font></p>
<a href="#Install_Tarball">Install using tarball</a><br>
<a href="#Upgrade_RPM">Upgrade using RPM</a><br>
<a href="#Upgrade_Tarball">Upgrade using tarball</a><br>
<a href="#Config_Files">Configuring Shorewall</a><br>
<a href="fallback.htm">Uninstall/Fallback</a></b></font></p>
<p><a name="Install_RPM"></a>To install Shorewall using the RPM:</p>
<p><b>If you have RedHat 7.2 and are running iptables version 1.2.3 (at a shell
prompt, type &quot;/sbin/iptables --version&quot;), you must upgrade to version 1.2.4
either from the
<a href="http://www.redhat.com/support/errata/RHSA-2001-144.html">RedHat update
site</a> or from the <a href="errata.htm">Shorewall Errata page</a> before
attempting to start Shorewall.</b></p>
<p><b>If you have RedHat 7.2 and are running iptables version 1.2.3 (at a
shell prompt, type "/sbin/iptables --version"), you must upgrade to version
1.2.4 either from the <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">RedHat update
site</a> or from the <a href="errata.htm">Shorewall Errata page</a> before
attempting to start Shorewall.</b></p>
<ul>
<li>Install the RPM (rpm -ivh &lt;shorewall rpm&gt;).<br>
<br>
<b>Note: </b>Some SuSE users have encountered a problem whereby rpm reports a
conflict with kernel &lt;= 2.2 even though a 2.4 kernel is installed. If this
happens, simply use the --nodeps option to rpm (rpm -ivh --nodeps &lt;shorewall
rpm&gt;).</li>
<li>Edit the <a href="#Config_Files"> configuration files</a> to match your configuration. <font color="#FF0000"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY INSTALL THE RPM
AND ISSUE A &quot;shorewall start&quot; COMMAND. SOME CONFIGURATION IS REQUIRED BEFORE THE
FIREWALL WILL START. IF YOU ISSUE A &quot;start&quot; COMMAND AND THE FIREWALL FAILS TO
START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY NETWORK TRAFFIC. IF THIS HAPPENS,
ISSUE A &quot;shorewall clear&quot; COMMAND TO RESTORE NETWORK CONNECTIVITY.</b></font></li>
<li>Start the firewall by typing &quot;shorewall start&quot;</li>
<li>Install the RPM (rpm -ivh &lt;shorewall rpm&gt;).<br>
<br>
<b>Note: </b>Some SuSE users have encountered a problem whereby rpm reports
a conflict with kernel &lt;= 2.2 even though a 2.4 kernel is installed.
If this happens, simply use the --nodeps option to rpm (rpm -ivh --nodeps
&lt;shorewall rpm&gt;).</li>
<li>Edit the <a href="#Config_Files"> configuration files</a> to match
your configuration. <font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u>
SIMPLY INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
IS REQUIRED BEFORE THE FIREWALL WILL START. IF YOU ISSUE A "start" COMMAND
AND THE FIREWALL FAILS TO START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY NETWORK
TRAFFIC. IF THIS HAPPENS, ISSUE A "shorewall clear" COMMAND TO RESTORE NETWORK
CONNECTIVITY.</b></font></li>
<li>Start the firewall by typing "shorewall start"</li>
</ul>
<p><a name="Install_Tarball"></a>To
install Shorewall using the tarball and install
script: </p>
<p><a name="Install_Tarball"></a>To install Shorewall using the tarball
and install script: </p>
<ul>
<li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
<li>cd to the shorewall directory (the version is encoded in the
directory name as in &quot;shorewall-1.1.10&quot;).</li>
<li>If you are using <a
href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a href="http://www.redhat.com">RedHat</a>,
<a href="http://www.linux-mandrake.com">Mandrake</a>, <a href="http://www.corel.com">Corel</a>,
<a href="http://www.slackware.com/">Slackware</a> or
<a href="http://www.debian.org">Debian</a>
then type &quot;./install.sh&quot;</li>
<li>If you are using <a href="http://www.suse.com">SuSe</a> then type
&quot;./install.sh /etc/init.d&quot;</li>
<li>If your distribution has directory
/etc/rc.d/init.d or /etc/init.d then type
&quot;./install.sh&quot;</li>
<li>For other distributions, determine where your
distribution installs init scripts and type
&quot;./install.sh &lt;init script directory&gt;</li>
<li>Edit the <a href="#Config_Files"> configuration files</a> to match your configuration.</li>
<li>Start the firewall by typing &quot;shorewall
start&quot;</li>
<li>If the install script was unable to configure Shorewall to be started automatically at boot,
see <a href="Documentation.htm#Starting">these
instructions</a>.</li>
<li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
<li>cd to the shorewall directory (the version is encoded in the
directory name as in "shorewall-1.1.10").</li>
<li>If you are using <a
href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a
href="http://www.redhat.com">RedHat</a>, <a
href="http://www.linux-mandrake.com">Mandrake</a>, <a
href="http://www.corel.com">Corel</a>, <a
href="http://www.slackware.com/">Slackware</a> or <a
href="http://www.debian.org">Debian</a> then type "./install.sh"</li>
<li>If you are using <a href="http://www.suse.com">SuSe</a> then type
"./install.sh /etc/init.d"</li>
<li>If your distribution has directory /etc/rc.d/init.d or
/etc/init.d then type "./install.sh"</li>
<li>For other distributions, determine where your distribution
installs init scripts and type "./install.sh &lt;init script directory&gt;</li>
<li>Edit the <a href="#Config_Files"> configuration files</a> to match
your configuration.</li>
<li>Start the firewall by typing "shorewall start"</li>
<li>If the install script was unable to configure Shorewall to be started
automatically at boot, see <a
href="starting_and_stopping_shorewall.htm">these instructions</a>.</li>
</ul>
<p><a name="Upgrade_RPM"></a>If you already have the Shorewall RPM installed and are upgrading to a new
version:</p>
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.3 version and you
have entries in the /etc/shorewall/hosts file then please check your
/etc/shorewall/interfaces file to be sure that it contains an entry for each
interface mentioned in the hosts file. Also, there are certain 1.2 rule forms
that are no longer supported under 1.3 (you must use the new 1.3 syntax). See
<a href="errata.htm#Upgrade">the upgrade issues </a>for details. You can check your rules and
host file for 1.3 compatibility using the &quot;shorewall check&quot; command after
installing the latest version of 1.3.</p>
<p><a name="Upgrade_RPM"></a>If you already have the Shorewall RPM installed
and are upgrading to a new version:</p>
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.3 version and
you have entries in the /etc/shorewall/hosts file then please check your
/etc/shorewall/interfaces file to be sure that it contains an entry for
each interface mentioned in the hosts file. Also, there are certain 1.2
rule forms that are no longer supported under 1.3 (you must use the new
1.3 syntax). See <a href="errata.htm#Upgrade">the upgrade issues </a>for details.
You can check your rules and host file for 1.3 compatibility using the "shorewall
check" command after installing the latest version of 1.3.</p>
<ul>
<li>Upgrade the RPM (rpm -Uvh &lt;shorewall rpm file&gt;) <b>Note: </b>If you
are installing version 1.2.0 and have one of the 1.2.0 Beta RPMs installed,
you must use the &quot;--oldpackage&quot; option to rpm (e.g., &quot;rpm
-Uvh --oldpackage shorewall-1.2-0.noarch.rpm&quot;).
<p>
<b>Note: </b>Some SuSE users have encountered a problem whereby rpm reports a
conflict with kernel &lt;= 2.2 even though a 2.4 kernel is installed. If this
happens, simply use the --nodeps option to rpm (rpm -Uvh --nodeps &lt;shorewall
rpm&gt;).<br>
&nbsp;</li>
<li>See if there are any incompatibilities between your configuration and the
new Shorewall version (type &quot;shorewall check&quot;) and correct as necessary.</li>
<li>Restart the firewall (shorewall restart).</li>
<li>Upgrade the RPM (rpm -Uvh &lt;shorewall rpm file&gt;) <b>Note: </b>If
you are installing version 1.2.0 and have one of the 1.2.0 Beta RPMs installed,
you must use the "--oldpackage" option to rpm (e.g., "rpm -Uvh --oldpackage
shorewall-1.2-0.noarch.rpm").
<p> <b>Note: </b>Some SuSE users have encountered a problem whereby
rpm reports a conflict with kernel &lt;= 2.2 even though a 2.4 kernel is
installed. If this happens, simply use the --nodeps option to rpm (rpm
-Uvh --nodeps &lt;shorewall rpm&gt;).<br>
  </p>
</li>
<li>See if there are any incompatibilities between your configuration
and the new Shorewall version (type "shorewall check") and correct as
necessary.</li>
<li>Restart the firewall (shorewall restart).</li>
</ul>
<p><a name="Upgrade_Tarball"></a>If you already have Shorewall installed and are upgrading to a new version
using the tarball:</p>
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.3 version and you
have entries in the /etc/shorewall/hosts file then please check your
/etc/shorewall/interfaces file to be sure that it contains an entry for each
interface mentioned in the hosts file.&nbsp; Also, there are certain 1.2 rule
forms that are no longer supported under 1.3 (you must use the new 1.3 syntax).
See <a href="errata.htm#Upgrade">the upgrade issues</a> for details. You can check your rules
and host file for 1.3 compatibility using the &quot;shorewall check&quot; command after
installing the latest version of 1.3.</p>
<p><a name="Upgrade_Tarball"></a>If you already have Shorewall installed and
are upgrading to a new version using the tarball:</p>
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.3 version and
you have entries in the /etc/shorewall/hosts file then please check your
/etc/shorewall/interfaces file to be sure that it contains an entry for
each interface mentioned in the hosts file.  Also, there are certain 1.2
rule forms that are no longer supported under 1.3 (you must use the new
1.3 syntax). See <a href="errata.htm#Upgrade">the upgrade issues</a> for
details. You can check your rules and host file for 1.3 compatibility using
the "shorewall check" command after installing the latest version of 1.3.</p>
<ul>
<li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
<li>cd to the shorewall directory (the version is encoded in the
directory name as in &quot;shorewall-3.0.1&quot;).</li>
<li>If you are using <a
href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a href="http://www.redhat.com">RedHat</a>,
<a href="http://www.linux-mandrake.com">Mandrake</a>, <a href="http://www.corel.com">Corel</a>,
<a href="http://www.slackware.com/">Slackware</a> or
<a href="http://www.debian.org">Debian</a>
then type &quot;./install.sh&quot;</li>
<li>If you are using<a href="http://www.suse.com"> SuSe</a> then type
&quot;./install.sh /etc/init.d&quot;</li>
<li>If your distribution has directory
/etc/rc.d/init.d or /etc/init.d then type
&quot;./install.sh&quot;</li>
<li>For other distributions, determine where your
distribution installs init scripts and type
&quot;./install.sh &lt;init script directory&gt;</li>
<li>See if there are any incompatibilities between your configuration and the
new Shorewall version (type &quot;shorewall check&quot;) and correct as necessary.</li>
<li>Restart the firewall by typing &quot;shorewall restart&quot;</li>
<li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
<li>cd to the shorewall directory (the version is encoded in the
directory name as in "shorewall-3.0.1").</li>
<li>If you are using <a
href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a
href="http://www.redhat.com">RedHat</a>, <a
href="http://www.linux-mandrake.com">Mandrake</a>, <a
href="http://www.corel.com">Corel</a>, <a
href="http://www.slackware.com/">Slackware</a> or <a
href="http://www.debian.org">Debian</a> then type "./install.sh"</li>
<li>If you are using<a href="http://www.suse.com"> SuSe</a> then type
"./install.sh /etc/init.d"</li>
<li>If your distribution has directory /etc/rc.d/init.d or
/etc/init.d then type "./install.sh"</li>
<li>For other distributions, determine where your distribution
installs init scripts and type "./install.sh &lt;init script directory&gt;</li>
<li>See if there are any incompatibilities between your configuration
and the new Shorewall version (type "shorewall check") and correct as necessary.</li>
<li>Restart the firewall by typing "shorewall restart"</li>
</ul>
<h3><a name="Config_Files"></a>Configuring Shorewall</h3>
<p>You will need to edit some or all of these configuration files to match your
setup. In most cases, the <a href="shorewall_quickstart_guide.htm">Shorewall
QuickStart Guides</a> contain all of the information you need.</p>
<h3><a name="Config_Files"></a>Configuring Shorewall</h3>
<p>You will need to edit some or all of these configuration files to match
your setup. In most cases, the <a href="shorewall_quickstart_guide.htm">Shorewall
QuickStart Guides</a> contain all of the information you need.</p>
<ul>
<li>/etc/shorewall/shorewall.conf - used to set several firewall
parameters.</li>
<li>/etc/shorewall/params - use this file to set shell variables that you will
expand in other files.</li>
<li>/etc/shorewall/zones - partition the firewall's view of the world
<li>/etc/shorewall/shorewall.conf - used to set several firewall
parameters.</li>
<li>/etc/shorewall/params - use this file to set shell variables that
you will expand in other files.</li>
<li>/etc/shorewall/zones - partition the firewall's view of the world
into <i>zones.</i></li>
<li>/etc/shorewall/policy - establishes firewall high-level policy.</li>
<li>/etc/shorewall/interfaces - describes the interfaces on the
firewall system.</li>
<li>/etc/shorewall/hosts - allows defining zones in terms of individual
hosts and subnetworks.</li>
<li>/etc/shorewall/masq - directs the firewall where to use many-to-one
(dynamic) NAT a.k.a. Masquerading.</li>
<li>/etc/shorewall/modules - directs the firewall to load kernel modules.</li>
<li>/etc/shorewall/rules - defines rules that are exceptions to the
overall policies established in /etc/shorewall/policy.</li>
<li>/etc/shorewall/nat - defines static NAT rules.</li>
<li>/etc/shorewall/proxyarp - defines use of Proxy ARP.</li>
<li>/etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines hosts
accessible when Shorewall is stopped.</li>
<li>/etc/shorewall/tcrules - defines marking of packets for later use by
traffic control/shaping.</li>
<li>/etc/shorewall/tos - defines rules for setting the TOS field in packet
headers.</li>
<li>/etc/shorewall/tunnels - defines IPSEC tunnels with end-points on
<li>/etc/shorewall/policy - establishes firewall high-level policy.</li>
<li>/etc/shorewall/interfaces - describes the interfaces on the
firewall system.</li>
<li>/etc/shorewall/hosts - allows defining zones in terms of individual
hosts and subnetworks.</li>
<li>/etc/shorewall/maclist - verification of the MAC addresses of devices.<br>
</li>
<li>/etc/shorewall/masq - directs the firewall where to use many-to-one
(dynamic) NAT a.k.a. Masquerading.</li>
<li>/etc/shorewall/modules - directs the firewall to load kernel modules.</li>
<li>/etc/shorewall/rules - defines rules that are exceptions to the
overall policies established in /etc/shorewall/policy.</li>
<li>/etc/shorewall/nat - defines static NAT rules.</li>
<li>/etc/shorewall/proxyarp - defines use of Proxy ARP.</li>
<li>/etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines
hosts accessible when Shorewall is stopped.</li>
<li>/etc/shorewall/tcrules - defines marking of packets for later use
by traffic control/shaping.</li>
<li>/etc/shorewall/tos - defines rules for setting the TOS field in packet
headers.</li>
<li>/etc/shorewall/tunnels - defines IPSEC tunnels with end-points on
the firewall system.</li>
<li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC addresses.</li>
<li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC addresses.</li>
</ul>
<p><font size="2">Updated 9/13/2002 - <a href="support.htm">Tom
Eastep</a> </font></p>
<p><font size="2">Updated 10/28/2002 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
</body></html>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
</body>
</html>

1961
Shorewall-docs/News.htm
View File

File diff suppressed because it is too large Load Diff

1483
Shorewall-docs/PPTP.htm
View File

File diff suppressed because it is too large Load Diff

171
Shorewall-docs/Shorewall_index_frame.htm
View File

@ -1,106 +1,121 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Index</title>
<base target="main">
<base
target="main">
<meta name="Microsoft Theme" content="none">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#4b017c" height="90">
<tbody>
<tr>
<td width="100%" height="90">
<tbody>
<tr>
<td width="100%" height="90">
<h3 align="center"><font color="#ffffff">Shorewall</font></h3>
</td>
</tr>
<tr>
<td width="100%" bgcolor="#ffffff">
</td>
</tr>
<tr>
<td width="100%" bgcolor="#ffffff">
<ul>
<li> <a href="seattlefirewall_index.htm">Home</a></li>
<li> <a href="shorewall_features.htm">Features</a></li>
<li> <a href="shorewall_prerequisites.htm">Requirements</a></li>
<li> <a href="download.htm">Download</a></li>
<li> <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a></li>
<li> <a href="Install.htm">Installation/Upgrade/</a><br>
<a href="Install.htm">Configuration</a></li>
<li> <a href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></li>
<li> <a href="Documentation.htm">Reference Manual</a></li>
<li> <a href="FAQ.htm">FAQs</a></li>
<li><a href="useful_links.html">Useful Links</a><br>
<li> <a href="seattlefirewall_index.htm">Home</a></li>
<li> <a href="shorewall_features.htm">Features</a></li>
<li> <a href="shorewall_prerequisites.htm">Requirements</a></li>
<li> <a href="download.htm">Download</a><br>
</li>
<li> <a href="troubleshoot.htm">Troubleshooting</a></li>
<li> <a href="errata.htm">Errata</a></li>
<li> <a href="upgrade_issues.htm">Upgrade Issues</a></li>
<li> <a href="support.htm">Support</a></li>
<li> <a href="mailing_list.htm">Mailing Lists</a></li>
<li> <a href="shorewall_mirrors.htm">Mirrors</a>
<li> <a href="Install.htm">Installation/Upgrade/</a><br>
<a href="Install.htm">Configuration</a><br>
</li>
<li> <a href="shorewall_quickstart_guide.htm">QuickStart Guides
(HOWTOs)</a><br>
</li>
<li> <a
href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></li>
<li> <a href="Documentation.htm">Reference Manual</a></li>
<li> <a href="FAQ.htm">FAQs</a></li>
<li><a href="useful_links.html">Useful Links</a><br>
</li>
<li> <a href="troubleshoot.htm">Troubleshooting</a></li>
<li> <a href="errata.htm">Errata</a></li>
<li> <a href="upgrade_issues.htm">Upgrade Issues</a></li>
<li> <a href="support.htm">Support</a></li>
<li> <a href="mailing_list.htm">Mailing Lists</a></li>
<li> <a href="shorewall_mirrors.htm">Mirrors</a>
<ul>
<li><a target="_top" href="http://slovakia.shorewall.net">Slovak
Republic</a></li>
<li><a target="_top" href="http://shorewall.infohiiway.com">Texas,
USA</a></li>
<li><a target="_top" href="http://germany.shorewall.net">Germany</a></li>
<li><a target="_top"
<li><a target="_top"
href="http://slovakia.shorewall.net">Slovak Republic</a></li>
<li><a target="_top"
href="http://shorewall.infohiiway.com">Texas, USA</a></li>
<li><a target="_top"
href="http://germany.shorewall.net">Germany</a></li>
<li><a target="_top"
href="http://shorewall.correofuego.com.ar">Argentina</a></li>
<li><a target="_top" href="http://france.shorewall.net">France</a></li>
</ul>
</li>
</ul>
<ul>
<li> <a href="News.htm">News Archive</a></li>
<li> <a href="Shorewall_CVS_Access.html">CVS Repository</a></li>
<li> <a href="quotes.htm">Quotes from Users</a></li>
<li> <a href="shoreline.htm">About the Author</a></li>
<li> <a href="seattlefirewall_index.htm#Donations">Donations</a></li>
</ul>
</td>
</tr>
<li><a target="_top"
href="http://france.shorewall.net">France</a></li>
</tbody>
</ul>
</li>
</ul>
<ul>
<li> <a href="News.htm">News Archive</a></li>
<li> <a href="Shorewall_CVS_Access.html">CVS Repository</a></li>
<li> <a href="quotes.htm">Quotes from Users</a></li>
<li> <a href="shoreline.htm">About the Author</a></li>
<li> <a href="seattlefirewall_index.htm#Donations">Donations</a></li>
</ul>
</td>
</tr>
</tbody>
</table>
<form method="post" action="http://www.shorewall.net/cgi-bin/htsearch">
<p> <strong>Quick Search</strong><br>
<font face="Arial" size="-1"> <input type="text" name="words"
size="15"></font><font size="-1"> </font> <font face="Arial"
size="-1"> <input type="hidden" name="format" value="long"> <input
type="hidden" name="method" value="and"> <input type="hidden"
name="config" value="htdig"> <input type="submit" value="Search"></font>
</p>
<font face="Arial"> <input type="hidden" name="exclude"
value="[http://www.shorewall.net/pipermail/*]"> </font> </form>
<form method="post" action="http://www.shorewall.net/cgi-bin/htsearch">
<strong><br>
<b>Note: </b></strong>Search is unavailable Daily 0200-0330 GMT.<br>
<strong></strong>
<p><strong>Quick Search</strong><br>
<font face="Arial" size="-1"> <input type="text"
name="words" size="15"></font><font size="-1"> </font> <font
face="Arial" size="-1"> <input type="hidden" name="format"
value="long"> <input type="hidden" name="method" value="and"> <input
type="hidden" name="config" value="htdig"> <input type="submit"
value="Search"></font> </p>
<font face="Arial"> <input type="hidden"
name="exclude" value="[http://www.shorewall.net/pipermail/*]"> </font>
</form>
<p><b><a href="htdig/search.html">Extended Search</a></b></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
<p><a href="http://www.shorewall.net" target="_top"> <img border="1"
src="images/shorewall.jpg" width="119" height="38" hspace="0">
</a></p>
<br>
<br>
<br>
<br>
<br>
</a><br>
</p>
</body>
</html>
</html>

110
Shorewall-docs/blacklisting_support.htm
View File

@ -1,95 +1,95 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Blacklisting Support</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Blacklisting Support</font></h1>
</td>
</tr>
</tbody>
</td>
</tr>
</tbody>
</table>
<p>Shorewall supports two different forms of blacklisting; static and dynamic.</p>
<h2>Static Blacklisting</h2>
<p>Shorewall static blacklisting support has the following configuration
parameters:</p>
<p>Shorewall static blacklisting support has the following configuration parameters:</p>
<ul>
<li>You specify whether you want packets from blacklisted hosts dropped
or rejected using the <a href="Documentation.htm#BLDisposition">BLACKLIST_DISPOSITION</a>
setting in /etc/shorewall/shorewall.conf</li>
<li>You specify whether you want packets from blacklisted hosts logged
<li>You specify whether you want packets from blacklisted hosts dropped
or rejected using the <a href="Documentation.htm#BLDisposition">BLACKLIST_DISPOSITION</a>
setting in /etc/shorewall/shorewall.conf</li>
<li>You specify whether you want packets from blacklisted hosts logged
and at what syslog level using the <a
href="Documentation.htm#BLLoglevel">BLACKLIST_LOGLEVEL</a> setting in
href="Documentation.htm#BLLoglevel">BLACKLIST_LOGLEVEL</a> setting in
/etc/shorewall/shorewall.conf</li>
<li>You list the IP addresses/subnets that you wish to blacklist in <a
href="Documentation.htm#Blacklist">/etc/shorewall/blacklist.</a> Beginning
with Shorewall version 1.3.8, you may also specify PROTOCOL and Port numbers/Service
<li>You list the IP addresses/subnets that you wish to blacklist in <a
href="Documentation.htm#Blacklist">/etc/shorewall/blacklist.</a> Beginning
with Shorewall version 1.3.8, you may also specify PROTOCOL and Port numbers/Service
names in the blacklist file.<br>
</li>
<li>You specify the interfaces whose incoming packets you want checked
</li>
<li>You specify the interfaces whose incoming packets you want checked
against the blacklist using the "<a
href="Documentation.htm#Interfaces">blacklist</a>" option in /etc/shorewall/interfaces.</li>
<li>The black list is refreshed from /etc/shorewall/blacklist by the "<a
href="Documentation.htm#Starting">shorewall refresh</a>" command.</li>
<li>The black list is refreshed from /etc/shorewall/blacklist by the
"<a href="Documentation.htm#Starting">shorewall refresh</a>" command.</li>
</ul>
<h2>Dynamic Blacklisting</h2>
<p>Dynamic blacklisting support was added in version 1.3.2. Dynamic blacklisting
doesn't use any configuration parameters but is rather controlled using
/sbin/shorewall commands:</p>
<p>Dynamic blacklisting support was added in version 1.3.2. Dynamic blacklisting
doesn't use any configuration parameters but is rather controlled using
/sbin/shorewall commands:</p>
<ul>
<li>deny <i>&lt;ip address list&gt; </i>- causes packets from the listed
<li>drop <i>&lt;ip address list&gt; </i>- causes packets from the listed
IP addresses to be silently dropped by the firewall.</li>
<li>reject <i>&lt;ip address list&gt; </i>- causes packets from the listed
<li>reject <i>&lt;ip address list&gt; </i>- causes packets from the listed
IP addresses to be rejected by the firewall.</li>
<li>allow <i>&lt;ip address list&gt; </i>- re-enables receipt of packets
<li>allow <i>&lt;ip address list&gt; </i>- re-enables receipt of packets
from hosts previously blacklisted by a <i>deny</i> or <i>reject</i> command.</li>
<li>save - save the dynamic blacklisting configuration so that it will
<li>save - save the dynamic blacklisting configuration so that it will
be automatically restored the next time that the firewall is restarted.</li>
<li>show dynamic - displays the dynamic blacklisting configuration.</li>
<li>show dynamic - displays the dynamic blacklisting configuration.</li>
</ul>
<p>Example 1:</p>
<pre> shorewall deny 192.0.2.124 192.0.2.125</pre>
<pre> shorewall drop 192.0.2.124 192.0.2.125</pre>
<p>    Drops packets from hosts 192.0.2.124 and 192.0.2.125</p>
<p>Example 2:</p>
<pre> shorewall allow 192.0.2.125</pre>
<p>    Reenables access from 192.0.2.125.</p>
<p><font size="2">Last updated 9/16/2002 - <a href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
<p><font size="2">Last updated 10/7/2002 - <a href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br>
</body>
</html>

555
Shorewall-docs/configuration_file_basics.htm
View File

@ -1,300 +1,319 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Configuration File Basics</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Configuration Files</font></h1>
</td>
</tr>
</tbody>
</td>
</tr>
</tbody>
</table>
<p><b><font color="#ff0000">Warning: </font>If you copy or edit your
configuration files on a system running Microsoft Windows, you <u>must</u>
run them through <a
href="http://www.megaloman.com/%7Ehany/software/hd2u/"> dos2unix</a>
before you use them with Shorewall.</b></p>
<h2>Files</h2>
<p>Shorewall's configuration files are in the directory /etc/shorewall.</p>
<ul>
<li>/etc/shorewall/shorewall.conf - used to set several firewall
parameters.</li>
<li>/etc/shorewall/params - use this file to set shell variables
that you will expand in other files.</li>
<li>/etc/shorewall/zones - partition the firewall's view of the
world into <i>zones.</i></li>
<li>/etc/shorewall/policy - establishes firewall high-level policy.</li>
<li>/etc/shorewall/interfaces - describes the interfaces on the
firewall system.</li>
<li>/etc/shorewall/hosts - allows defining zones in terms of individual
hosts and subnetworks.</li>
<li>/etc/shorewall/masq - directs the firewall where to use many-to-one
(dynamic) Network Address Translation (a.k.a. Masquerading) and Source
Network Address Translation (SNAT).</li>
<li>/etc/shorewall/modules - directs the firewall to load kernel
modules.</li>
<li>/etc/shorewall/rules - defines rules that are exceptions to
the overall policies established in /etc/shorewall/policy.</li>
<li>/etc/shorewall/nat - defines static NAT rules.</li>
<li>/etc/shorewall/proxyarp - defines use of Proxy ARP.</li>
<li>/etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines
hosts accessible when Shorewall is stopped.</li>
<li>/etc/shorewall/tcrules - defines marking of packets for later
use by traffic control/shaping or policy routing.</li>
<li>/etc/shorewall/tos - defines rules for setting the TOS field
in packet headers.</li>
<li>/etc/shorewall/tunnels - defines IPSEC, GRE and IPIP tunnels
with end-points on the firewall system.</li>
<li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC
addresses.</li>
</ul>
<h2>Comments</h2>
<p>You may place comments in configuration files by making the first non-whitespace
character a pound sign ("#"). You may also place comments at the end
of any line, again by delimiting the comment from the rest of the line
with a pound sign.</p>
<p>Examples:</p>
<pre># This is a comment</pre>
<pre>ACCEPT net fw tcp www #This is an end-of-line comment</pre>
<h2>Line Continuation</h2>
<p>You may continue lines in the configuration files using the usual backslash
("\") followed immediately by a new line character.</p>
<p>Example:</p>
<pre>ACCEPT net fw tcp \<br>smtp,www,pop3,imap #Services running on the firewall</pre>
<h2><a name="dnsnames"></a>Using DNS Names</h2>
<p align="left"> </p>
<p align="left"><b>WARNING: I personally recommend strongly <u>against</u>
using DNS names in Shorewall configuration files. If you use DNS names and
you are called out of bed at 2:00AM because Shorewall won't start as a result
of DNS problems then don't say that you were not forewarned. <br>
</b></p>
<p align="left"><b>    -Tom<br>
</b></p>
<p align="left">Beginning with Shorwall 1.3.9, Host addresses in Shorewall
configuration files may be specified either as IP addresses or as DNS Names.<br>
<br>
DNS names in iptables rules aren't nearly as useful as they first appear.
When a DNS name appears in a rule, the iptables utility resolves the name
to one or more IP addresses and inserts those addresses into the rule. So
change in the DNS-&gt;IP address relationship that occur after the firewall
has started have absolutely no effect on the firewall's ruleset. </p>
<p align="left"> If your firewall rules include DNS names then:</p>
<ul>
<li>If your /etc/resolv.conf is wrong then your firewall won't start.</li>
<li>If your /etc/nsswitch.conf is wrong then your firewall won't start.</li>
<li>If your Name Server(s) is(are) down then your firewall won't start.</li>
<li>If your startup scripts try to start your firewall before starting
your DNS server then your firewall won't start.<br>
</li>
<li>Factors totally outside your control (your ISP's router is down
for example), can prevent your firewall from starting.</li>
<li>You must bring up your network interfaces prior to starting your firewall.<br>
</li>
</ul>
<p align="left"> Each DNS name much be fully qualified and include a minumum
of two periods (although one may be trailing). This restriction is imposed
by Shorewall to insure backward compatibility with existing configuration
files.<br>
<br>
Examples of valid DNS names:<br>
</p>
<ul>
<li>mail.shorewall.net</li>
<li>shorewall.net.</li>
</ul>
Examples of invalid DNS names:<br>
<ul>
<li>mail (not fully qualified)</li>
<li>shorewall.net (only one period)</li>
</ul>
DNS names may not be used as:<br>
<ul>
<li>The server address in a DNAT rule (/etc/shorewall/rules file)</li>
<li>In the ADDRESS column of an entry in /etc/shorewall/masq.</li>
<li>In the /etc/shorewall/nat file.</li>
</ul>
These are iptables restrictions and are not simply imposed for your inconvenience
by Shorewall. <br>
<br>
<h2>Complementing an Address or Subnet</h2>
<p>Where specifying an IP address, a subnet or an interface, you can
precede the item with "!" to specify the complement of the item. For
example, !192.168.1.4 means "any host but 192.168.1.4".</p>
<h2>Comma-separated Lists</h2>
<p>Comma-separated lists are allowed in a number of contexts within the
configuration files. A comma separated list:</p>
<ul>
<li>Must not have any embedded white space.<br>
Valid: routestopped,dhcp,norfc1918<br>
Invalid: routestopped,     dhcp,     norfc1818</li>
<li>If you use line continuation to break a comma-separated list,
the continuation line(s) must begin in column 1 (or there would be
embedded white space)</li>
<li>Entries in a comma-separated list may appear in any order.</li>
</ul>
<h2>Port Numbers/Service Names</h2>
<p>Unless otherwise specified, when giving a port number you can use
either an integer or a service name from /etc/services. </p>
<h2>Port Ranges</h2>
<p>If you need to specify a range of ports, the proper syntax is &lt;<i>low
port number</i>&gt;:&lt;<i>high port number</i>&gt;.</p>
<h2>Using Shell Variables</h2>
<p>You may use the file /etc/shorewall/params file to set shell variables
that you can then use in some of the other configuration files.</p>
<p>It is suggested that variable names begin with an upper case letter<font
size="1"> </font>to distinguish them from variables used internally
within the Shorewall programs</p>
<p>Example:</p>
<blockquote>
<pre>NET_IF=eth0<br>NET_BCAST=130.252.100.255<br>NET_OPTIONS=noping,norfc1918</pre>
</blockquote>
<p><br>
Example (/etc/shorewall/interfaces record):</p>
<font
face="Century Gothic, Arial, Helvetica">
<blockquote>
<pre><font face="Courier">net $NET_IF $NET_BCAST $NET_OPTIONS</font></pre>
</blockquote>
</font>
<p><b><font color="#ff0000">Warning: </font>If you copy or edit your
configuration files on a system running Microsoft Windows, you <u>must</u>
run them through <a
href="http://www.megaloman.com/%7Ehany/software/hd2u/"> dos2unix</a>
before you use them with Shorewall.</b></p>
<p>The result will be the same as if the record had been written</p>
<font
face="Century Gothic, Arial, Helvetica">
<blockquote>
<pre>net eth0 130.252.100.255 noping,norfc1918</pre>
</blockquote>
</font>
<p>Variables may be used anywhere in the other configuration
files.</p>
<h2>Files</h2>
<p>Shorewall's configuration files are in the directory /etc/shorewall.</p>
<ul>
<li>/etc/shorewall/shorewall.conf - used to set several firewall
parameters.</li>
<li>/etc/shorewall/params - use this file to set shell variables
that you will expand in other files.</li>
<li>/etc/shorewall/zones - partition the firewall's view of
the world into <i>zones.</i></li>
<li>/etc/shorewall/policy - establishes firewall high-level
policy.</li>
<li>/etc/shorewall/interfaces - describes the interfaces on
the firewall system.</li>
<li>/etc/shorewall/hosts - allows defining zones in terms of
individual hosts and subnetworks.</li>
<li>/etc/shorewall/masq - directs the firewall where to use
many-to-one (dynamic) Network Address Translation (a.k.a. Masquerading)
and Source Network Address Translation (SNAT).</li>
<li>/etc/shorewall/modules - directs the firewall to load kernel
modules.</li>
<li>/etc/shorewall/rules - defines rules that are exceptions
to the overall policies established in /etc/shorewall/policy.</li>
<li>/etc/shorewall/nat - defines static NAT rules.</li>
<li>/etc/shorewall/proxyarp - defines use of Proxy ARP.</li>
<li>/etc/shorewall/routestopped (Shorewall 1.3.4 and later)
- defines hosts accessible when Shorewall is stopped.</li>
<li>/etc/shorewall/tcrules - defines marking of packets for
later use by traffic control/shaping or policy routing.</li>
<li>/etc/shorewall/tos - defines rules for setting the TOS field
in packet headers.</li>
<li>/etc/shorewall/tunnels - defines IPSEC, GRE and IPIP tunnels
with end-points on the firewall system.</li>
<li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC
addresses.</li>
</ul>
<h2>Comments</h2>
<p>You may place comments in configuration files by making the first non-whitespace
character a pound sign ("#"). You may also place comments at the end
of any line, again by delimiting the comment from the rest of the
line with a pound sign.</p>
<p>Examples:</p>
<pre># This is a comment</pre>
<pre>ACCEPT net fw tcp www #This is an end-of-line comment</pre>
<h2>Line Continuation</h2>
<p>You may continue lines in the configuration files using the usual backslash
("\") followed immediately by a new line character.</p>
<p>Example:</p>
<pre>ACCEPT net fw tcp \<br>smtp,www,pop3,imap #Services running on the firewall</pre>
<h2><a name="dnsnames"></a>Using DNS Names</h2>
<p align="left"> </p>
<p align="left"><b>WARNING: I personally recommend strongly <u>against</u>
using DNS names in Shorewall configuration files. If you use DNS names and
you are called out of bed at 2:00AM because Shorewall won't start as a
result of DNS problems then don't say that you were not forewarned. <br>
</b></p>
<p align="left"><b>    -Tom<br>
</b></p>
<p align="left">Beginning with Shorwall 1.3.9, Host addresses in Shorewall
configuration files may be specified either as IP addresses or as DNS Names.<br>
<br>
DNS names in iptables rules aren't nearly as useful as they first appear.
When a DNS name appears in a rule, the iptables utility resolves the name
to one or more IP addresses and inserts those addresses into the rule.
So change in the DNS-&gt;IP address relationship that occur after the firewall
has started have absolutely no effect on the firewall's ruleset. </p>
<p align="left"> If your firewall rules include DNS names then:</p>
<ul>
<li>If your /etc/resolv.conf is wrong then your firewall won't
start.</li>
<li>If your /etc/nsswitch.conf is wrong then your firewall won't
start.</li>
<li>If your Name Server(s) is(are) down then your firewall won't
start.</li>
<li>If your startup scripts try to start your firewall before starting
your DNS server then your firewall won't start.<br>
</li>
<li>Factors totally outside your control (your ISP's router is
down for example), can prevent your firewall from starting.</li>
<li>You must bring up your network interfaces prior to starting your
firewall.<br>
</li>
</ul>
<p align="left"> Each DNS name much be fully qualified and include a minumum
of two periods (although one may be trailing). This restriction is imposed
by Shorewall to insure backward compatibility with existing configuration
files.<br>
<br>
Examples of valid DNS names:<br>
</p>
<ul>
<li>mail.shorewall.net</li>
<li>shorewall.net.</li>
</ul>
Examples of invalid DNS names:<br>
<ul>
<li>mail (not fully qualified)</li>
<li>shorewall.net (only one period)</li>
</ul>
DNS names may not be used as:<br>
<ul>
<li>The server address in a DNAT rule (/etc/shorewall/rules file)</li>
<li>In the ADDRESS column of an entry in /etc/shorewall/masq.</li>
<li>In the /etc/shorewall/nat file.</li>
</ul>
These are iptables restrictions and are not simply imposed for your
inconvenience by Shorewall. <br>
<br>
<h2>Complementing an Address or Subnet</h2>
<p>Where specifying an IP address, a subnet or an interface, you can
precede the item with "!" to specify the complement of the item. For
example, !192.168.1.4 means "any host but 192.168.1.4". There must
be no white space following the "!".</p>
<h2>Comma-separated Lists</h2>
<p>Comma-separated lists are allowed in a number of contexts within the
configuration files. A comma separated list:</p>
<ul>
<li>Must not have any embedded white space.<br>
Valid: routestopped,dhcp,norfc1918<br>
Invalid: routestopped,     dhcp,     norfc1818</li>
<li>If you use line continuation to break a comma-separated
list, the continuation line(s) must begin in column 1 (or there
would be embedded white space)</li>
<li>Entries in a comma-separated list may appear in any order.</li>
</ul>
<h2>Port Numbers/Service Names</h2>
<p>Unless otherwise specified, when giving a port number you can use
either an integer or a service name from /etc/services. </p>
<h2>Port Ranges</h2>
<p>If you need to specify a range of ports, the proper syntax is &lt;<i>low
port number</i>&gt;:&lt;<i>high port number</i>&gt;. For example,
if you want to forward the range of tcp ports 4000 through 4100 to local
host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
</p>
<pre> DNAT net loc:192.168.1.3 tcp 4000:4100<br></pre>
<h2>Using Shell Variables</h2>
<p>You may use the /etc/shorewall/params file to set shell variables
that you can then use in some of the other configuration files.</p>
<p>It is suggested that variable names begin with an upper case letter<font
size="1"> </font>to distinguish them from variables used internally
within the Shorewall programs</p>
<p>Example:</p>
<blockquote>
<pre>NET_IF=eth0<br>NET_BCAST=130.252.100.255<br>NET_OPTIONS=noping,norfc1918</pre>
</blockquote>
<p><br>
Example (/etc/shorewall/interfaces record):</p>
<font
face="Century Gothic, Arial, Helvetica">
<blockquote>
<pre><font face="Courier">net $NET_IF $NET_BCAST $NET_OPTIONS</font></pre>
</blockquote>
</font>
<p>The result will be the same as if the record had been written</p>
<font
face="Century Gothic, Arial, Helvetica">
<blockquote>
<pre>net eth0 130.252.100.255 noping,norfc1918</pre>
</blockquote>
</font>
<p>Variables may be used anywhere in the other configuration
files.</p>
<h2>Using MAC Addresses</h2>
<p>Media Access Control (MAC) addresses can be used to specify packet
source in several of the configuration files. To use this feature,
your kernel must have MAC Address Match support (CONFIG_IP_NF_MATCH_MAC)
included.</p>
<p>MAC addresses are 48 bits wide and each Ethernet Controller has a
unique MAC address.<br>
<br>
In GNU/Linux, MAC addresses are usually written as a series of 6
hex numbers separated by colons. Example:<br>
<br>
     [root@gateway root]# ifconfig eth0<br>
     eth0 Link encap:Ethernet HWaddr <b><u>02:00:08:E3:FA:55</u></b><br>
     inet addr:206.124.146.176 Bcast:206.124.146.255 Mask:255.255.255.0<br>
     UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br>
     RX packets:2398102 errors:0 dropped:0 overruns:0 frame:0<br>
     TX packets:3044698 errors:0 dropped:0 overruns:0 carrier:0<br>
     collisions:30394 txqueuelen:100<br>
     RX bytes:419871805 (400.4 Mb) TX bytes:1659782221 (1582.8 Mb)<br>
     Interrupt:11 Base address:0x1800<br>
<br>
Because Shorewall uses colons as a separator for address fields,
Shorewall requires MAC addresses to be written in another way. In
Shorewall, MAC addresses begin with a tilde ("~") and consist of 6
hex numbers separated by hyphens. In Shorewall, the MAC address in
the example above would be written "~02-00-08-E3-FA-55".</p>
<p>Media Access Control (MAC) addresses can be used to specify packet
source in several of the configuration files. To use this feature,
your kernel must have MAC Address Match support (CONFIG_IP_NF_MATCH_MAC)
included.</p>
<p>MAC addresses are 48 bits wide and each Ethernet Controller has a
unique MAC address.<br>
<br>
In GNU/Linux, MAC addresses are usually written as a series of
6 hex numbers separated by colons. Example:<br>
<br>
     [root@gateway root]# ifconfig eth0<br>
     eth0 Link encap:Ethernet HWaddr <b><u>02:00:08:E3:FA:55</u></b><br>
     inet addr:206.124.146.176 Bcast:206.124.146.255 Mask:255.255.255.0<br>
     UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br>
     RX packets:2398102 errors:0 dropped:0 overruns:0 frame:0<br>
     TX packets:3044698 errors:0 dropped:0 overruns:0 carrier:0<br>
     collisions:30394 txqueuelen:100<br>
     RX bytes:419871805 (400.4 Mb) TX bytes:1659782221 (1582.8
Mb)<br>
     Interrupt:11 Base address:0x1800<br>
<br>
Because Shorewall uses colons as a separator for address fields,
Shorewall requires MAC addresses to be written in another way. In
Shorewall, MAC addresses begin with a tilde ("~") and consist of 6
hex numbers separated by hyphens. In Shorewall, the MAC address in
the example above would be written "~02-00-08-E3-FA-55".<br>
</p>
<p><b>Note: </b>It is not necessary to use the special Shorewall notation
in the <a href="MAC_Validation.html">/etc/shorewall/maclist</a> file.<br>
</p>
<h2>Shorewall Configurations</h2>
<p> Shorewall allows you to have configuration directories other than /etc/shorewall.
The <a href="starting_and_stopping_shorewall.htm">shorewall start and restart</a>
commands allow you to specify an alternate configuration directory and
Shorewall will use the files in the alternate directory rather than the corresponding
files in /etc/shorewall. The alternate directory need not contain a complete
configuration; those files not in the alternate directory will be read from
/etc/shorewall.</p>
<p> This facility permits you to easily create a test or temporary configuration
by:</p>
<p> Shorewall allows you to have configuration directories other than /etc/shorewall.
The <a href="starting_and_stopping_shorewall.htm">shorewall start and restart</a>
commands allow you to specify an alternate configuration directory and
Shorewall will use the files in the alternate directory rather than the
corresponding files in /etc/shorewall. The alternate directory need not
contain a complete configuration; those files not in the alternate directory
will be read from /etc/shorewall.</p>
<p> This facility permits you to easily create a test or temporary configuration
by:</p>
<ol>
<li> copying the files that need modification from /etc/shorewall
to a separate directory;</li>
<li> modify those files in the separate directory; and</li>
<li> specifying the separate directory in a shorewall start or
shorewall restart command (e.g., <i><b>shorewall -c /etc/testconfig restart</b></i>
).</li>
<li> copying the files that need modification from /etc/shorewall
to a separate directory;</li>
<li> modify those files in the separate directory; and</li>
<li> specifying the separate directory in a shorewall start
or shorewall restart command (e.g., <i><b>shorewall -c /etc/testconfig
restart</b></i> ).</li>
</ol>
<p><font size="2"> Updated 9/24/2002 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><font size="2"> Updated 10/24/2002 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br>
<br>
<br>
<br>
</body>
</html>

124
Shorewall-docs/dhcp.htm
View File

@ -1,60 +1,82 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>DHCP</title>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>DHCP</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">DHCP</font></h1>
</td>
</tr>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">DHCP</font></h1>
</td>
</tr>
</tbody>
</table>
<h2 align="left">DHCP Server on your firewall</h2>
<h2 align="left">If you want to Run a DHCP Server on your firewall</h2>
<ul>
<li>
<p align="left">Specify the &quot;dhcp&quot; option on each interface to be
served by your server in the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
file.</li>
<li>
<p align="left">When starting &quot;dhcpd&quot;, you need to list those
interfaces on the run line. On a RedHat system, this is done by modifying
/etc/sysconfig/dhcpd.</li>
<li>
<p align="left">Specify the "dhcp" option on each interface to be
served by your server in the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
file. This will generate rules that will allow DHCP to and from your
firewall system. </p>
</li>
<li>
<p align="left">When starting "dhcpd", you need to list those interfaces
on the run line. On a RedHat system, this is done by modifying /etc/sysconfig/dhcpd.
</p>
</li>
</ul>
<h2 align="left">A Firewall Interface gets its IP Address via DHCP</h2>
<h2 align="left">If a Firewall Interface gets its IP Address via DHCP</h2>
<ul>
<li>
<p align="left">Specify the &quot;dhcp&quot; option for this interface in
the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
file.</li>
<li>
<p align="left">If you know that the dynamic address is always going to be
in the same subnet, you can specify the subnet address in the interface's
entry in the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
file.</li>
<li>
<p align="left">If you don't know the subnet address in advance, you should
specify &quot;detect&quot; for the interface's subnet address in the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
file and start Shorewall after the interface has started.</li>
<li>
<p align="left">In the event that the subnet address might change while
Shorewall is started, you need to arrange for a &quot;shorewall
refresh&quot; command to be executed when a new dynamic IP address gets
assigned to the interface. Check your DHCP client's documentation.</li>
<li>
<p align="left">Specify the "dhcp" option for this interface in the
<a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
file. This will generate rules that will allow DHCP to and from your firewall
system. </p>
</li>
<li>
<p align="left">If you know that the dynamic address is always going
to be in the same subnet, you can specify the subnet address in the interface's
entry in the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
file. </p>
</li>
<li>
<p align="left">If you don't know the subnet address in advance, you
should specify "detect" for the interface's subnet address in the <a
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> file
and start Shorewall after the interface has started. </p>
</li>
<li>
<p align="left">In the event that the subnet address might change while
Shorewall is started, you need to arrange for a "shorewall refresh"
command to be executed when a new dynamic IP address gets assigned to
the interface. Check your DHCP client's documentation. </p>
</li>
</ul>
<p align="left"><font size="2">Last updated 1/26/2002 - <a href="support.htm">Tom
Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<p align="left"><font size="2">Last updated 11/03/2002 - <a
href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
</body>
</html>
</html>

533
Shorewall-docs/download.htm
View File

@ -1,304 +1,311 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Download</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Download</font></h1>
</td>
</tr>
</tbody>
</td>
</tr>
</tbody>
</table>
<p><b>I strongly urge you to read and print a copy of the <a
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
for the configuration that most closely matches your own.</b></p>
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
for the configuration that most closely matches your own.</b></p>
<p>Once you've done that, download <u> one</u> of the modules:</p>
<ul>
<li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>, <b>
Linux PPC</b> or <b> TurboLinux</b> distribution with a 2.4 kernel,
you can use the RPM version (note: the RPM should also work with
other distributions that store init scripts in /etc/init.d and
that include chkconfig or insserv). If you find that it works
in other cases, let <a href="mailto:teastep@shorewall.net"> me</a>
know so that I can mention them here. See the <a
href="Install.htm">Installation Instructions</a> if you have problems
installing the RPM.</li>
<li>If you are running LRP, download the .lrp file (you might also want
to download the .tgz so you will have a copy of the documentation).</li>
<li>If you run <a href="http://www.debian.org"><b>Debian</b></a> and
would like a .deb package, Shorewall is in both the <a
href="http://packages.debian.org/testing/net/shorewall.html">Debian Testing
Branch</a> and the <a
href="http://packages.debian.org/unstable/net/shorewall.html">Debian
Unstable Branch</a>.</li>
<li>Otherwise, download the <i>shorewall</i> module (.tgz)</li>
</ul>
<p>The documentation in HTML format is included in the .tgz and .rpm files
and there is an documentation .deb that also contains the documentation.</p>
<li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>, <b>
Linux PPC</b> or <b> TurboLinux</b> distribution with a 2.4
kernel, you can use the RPM version (note: the RPM should
also work with other distributions that store init scripts in
/etc/init.d and that include chkconfig or insserv). If you find
that it works in other cases, let <a
href="mailto:teastep@shorewall.net"> me</a> know so that
I can mention them here. See the <a href="Install.htm">Installation Instructions</a>
if you have problems installing the RPM.</li>
<li>If you are running LRP, download the .lrp file (you might also
want to download the .tgz so you will have a copy of the documentation).</li>
<li>If you run <a href="http://www.debian.org"><b>Debian</b></a> and
would like a .deb package, Shorewall is in both the <a
href="http://packages.debian.org/testing/net/shorewall.html">Debian
Testing Branch</a> and the <a
href="http://packages.debian.org/unstable/net/shorewall.html">Debian
Unstable Branch</a>.</li>
<li>Otherwise, download the <i>shorewall</i> module (.tgz)</li>
<p>Please verify the version that you have downloaded -- during the
release of a new version of Shorewall, the links below may point to
a newer or an older version than is shown below.</p>
<ul>
<li>RPM - "rpm -qip LATEST.rpm"</li>
<li>TARBALL - "tar -ztf LATEST.tgz" (the directory name will contain
the version)</li>
<li>LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar -zxf &lt;downloaded
.lrp&gt;; cat var/lib/lrpkg/shorwall.version" </li>
</ul>
<p><font face="Arial">Once you have verified the version, check the
</font><font color="#ff0000" face="Arial"> <a href="errata.htm"> errata</a></font><font
face="Arial"> to see if there are updates that apply to the version
that you have downloaded.</font></p>
<p><font color="#ff0000" face="Arial"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY
INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed configuration
of your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.</b></font></p>
<p>Download Latest Version (<b>1.3.9</b>): <b>Remember that updates to the
mirrors occur 1-12 hours after an update to the primary site.</b></p>
<blockquote>
<p>The documentation in HTML format is included in the .tgz and .rpm files
and there is an documentation .deb that also contains the documentation.</p>
<p>Please verify the version that you have downloaded -- during the
release of a new version of Shorewall, the links below may point
to a newer or an older version than is shown below.</p>
<ul>
<li>RPM - "rpm -qip LATEST.rpm"</li>
<li>TARBALL - "tar -ztf LATEST.tgz" (the directory name will contain
the version)</li>
<li>LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar -zxf &lt;downloaded
.lrp&gt;; cat var/lib/lrpkg/shorwall.version" </li>
</ul>
<p><font face="Arial">Once you have verified the version, check the
</font><font color="#ff0000" face="Arial"> <a href="errata.htm"> errata</a></font><font
face="Arial"> to see if there are updates that apply to the version
that you have downloaded.</font></p>
<p><font color="#ff0000" face="Arial"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY
INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed configuration
of your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.</b></font></p>
<p>Download Latest Version (<b>1.3.10</b>): <b>Remember that updates to the
mirrors occur 1-12 hours after an update to the primary site.</b></p>
<blockquote>
<table border="2" cellspacing="3" cellpadding="3"
style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>SERVER LOCATION</b></td>
<td><b>DOMAIN</b></td>
<td><b>HTTP</b></td>
<td><b>FTP</b></td>
</tr>
<tr>
<td>Washington State, USA</td>
<td>Shorewall.net</td>
<td><a href="http://www.shorewall.net/pub/shorewall/LATEST.rpm">Download
.rpm</a><br>
<a href="http://www.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a href="http://www.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a></td>
<td><a href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.rpm"
target="_blank"> Download .rpm</a> <br>
<a href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.tgz"
<tbody>
<tr>
<td><b>SERVER LOCATION</b></td>
<td><b>DOMAIN</b></td>
<td><b>HTTP</b></td>
<td><b>FTP</b></td>
</tr>
<tr>
<td>Washington State, USA</td>
<td>Shorewall.net</td>
<td><a
href="http://www.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br>
<a href="http://www.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a href="http://www.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a></td>
<td><a
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.rpm" target="_blank">
Download .rpm</a> <br>
<a href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.tgz"
target="_blank">Download .tgz</a> <br>
<a href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.lrp"
<a href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.lrp"
target="_blank">Download .lrp</a></td>
</tr>
<tr>
<td>Slovak Republic</td>
<td>Shorewall.net</td>
<td><a
</tr>
<tr>
<td>Slovak Republic</td>
<td>Shorewall.net</td>
<td><a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br>
<a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a></td>
<td> <a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
<a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.lrp">Download
.rpm</a></td>
</tr>
<tr>
<td>Texas, USA</td>
<td>Infohiiway.com</td>
<td><a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.rpm">Download
.rpm</a><br>
<a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.lrp">Download
.lrp</a></td>
<td> <a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.rpm">Download .rpm</a>  <br>
<a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.lrp"> Download
.lrp</a></td>
</tr>
<tr>
<td>Hamburg, Germany</td>
<td>Shorewall.net</td>
<td><a
href="http://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download
.rpm</a><br>
<a href="http://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a><br>
<a href="http://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a></td>
<td> <a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download
.rpm</a>  <br>
<a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a></td>
</tr>
<tr>
<td>Martinez (Zona Norte - GBA), Argentina</td>
<td>Correofuego.com.ar</td>
<td> <a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
<a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
Download .lrp</a></td>
<td> <a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
<a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
Download .lrp</a></td>
</tr>
<tr>
<td>Paris, France</td>
<td>Shorewall.net</td>
<td><a href="http://france.shorewall.net/pub/LATEST.rpm">Download
.rpm</a><br>
<a href="http://france.shorewall.net/pub/LATEST.tgz">Download
<a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a href="http://france.shorewall.net/pub/LATEST.lrp">Download
<a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a></td>
<td> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
<a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.tgz">Download
<td> <a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
<a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.lrp">Download
.rpm</a></td>
</tr>
<tr>
<td>Texas, USA</td>
<td>Infohiiway.com</td>
<td><a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.rpm">Download
.rpm</a><br>
<a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.lrp">Download
.lrp</a></td>
<td> <a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.rpm">Download .rpm</a>  <br>
<a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.lrp"> Download
.lrp</a></td>
</tr>
<tr>
<td>Hamburg, Germany</td>
<td>Shorewall.net</td>
<td><a
href="http://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download
.rpm</a><br>
<a
href="http://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a><br>
<a
href="http://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a></td>
<td> <a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download
.rpm</a>  <br>
<a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a></td>
</tr>
<tr>
<td>Martinez (Zona Norte - GBA), Argentina</td>
<td>Correofuego.com.ar</td>
<td> <a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
<a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
Download .lrp</a></td>
<td> <a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
<a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
Download .lrp</a></td>
</tr>
<tr>
<td>Paris, France</td>
<td>Shorewall.net</td>
<td><a href="http://france.shorewall.net/pub/LATEST.rpm">Download
.rpm</a><br>
<a href="http://france.shorewall.net/pub/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.lrp">Download
.lrp</a></td>
</tr>
</tbody>
<a href="http://france.shorewall.net/pub/LATEST.lrp">Download
.lrp</a></td>
<td> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
<a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.lrp">Download
.lrp</a></td>
</tr>
</tbody>
</table>
</blockquote>
</blockquote>
<p>Browse Download Sites:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>SERVER LOCATION</b></td>
<td><b>DOMAIN</b></td>
<td><b>HTTP</b></td>
<td><b>FTP</b></td>
</tr>
<tr>
<td>Washington State, USA</td>
<td>Shorewall.net</td>
<td><a href="http://www.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a href="ftp://ftp.shorewall.net/pub/shorewall/"
target="_blank">Browse</a></td>
</tr>
<tr>
<td>Slovak Republic</td>
<td>Shorewall.net</td>
<td><a href="http://slovakia.shorewall.net/pub/shorewall/">Browse</a></td>
<td> <a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/">Browse</a></td>
</tr>
<tr>
<td>Texas, USA</td>
<td>Infohiiway.com</td>
<td><a href="http://shorewall.infohiiway.com/pub/shorewall">Browse</a></td>
<td><a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/">Browse</a></td>
</tr>
<tr>
<td>Hamburg, Germany</td>
<td>Shorewall.net</td>
<td><a href="http://germany.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall">Browse</a></td>
</tr>
<tr>
<td>Martinez (Zona Norte - GBA), Argentina</td>
<td>Correofuego.com.ar</td>
<td><a
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall">Browse</a></td>
<td> <a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall"> Browse</a></td>
</tr>
<tr>
<td>France</td>
<td>Shorewall.net</td>
<td><a
href="http://france.shorewall.net/pub/shorewall/LATEST.lrp">Browse</a></td>
<td> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/">Browse</a></td>
</tr>
<tr>
<td>California, USA (Incomplete)</td>
<td>Sourceforge.net</td>
<td><a href="http://sourceforge.net/projects/shorewall">Browse</a></td>
<td>N/A</td>
</tr>
</tbody>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>SERVER LOCATION</b></td>
<td><b>DOMAIN</b></td>
<td><b>HTTP</b></td>
<td><b>FTP</b></td>
</tr>
<tr>
<td>Washington State, USA</td>
<td>Shorewall.net</td>
<td><a href="http://www.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a href="ftp://ftp.shorewall.net/pub/shorewall/"
target="_blank">Browse</a></td>
</tr>
<tr>
<td>Slovak Republic</td>
<td>Shorewall.net</td>
<td><a href="http://slovakia.shorewall.net/pub/shorewall/">Browse</a></td>
<td> <a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/">Browse</a></td>
</tr>
<tr>
<td>Texas, USA</td>
<td>Infohiiway.com</td>
<td><a href="http://shorewall.infohiiway.com/pub/shorewall">Browse</a></td>
<td><a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/">Browse</a></td>
</tr>
<tr>
<td>Hamburg, Germany</td>
<td>Shorewall.net</td>
<td><a href="http://germany.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall">Browse</a></td>
</tr>
<tr>
<td>Martinez (Zona Norte - GBA), Argentina</td>
<td>Correofuego.com.ar</td>
<td><a
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall">Browse</a></td>
<td> <a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall"> Browse</a></td>
</tr>
<tr>
<td>France</td>
<td>Shorewall.net</td>
<td><a
href="http://france.shorewall.net/pub/shorewall/LATEST.lrp">Browse</a></td>
<td> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/">Browse</a></td>
</tr>
<tr>
<td>California, USA (Incomplete)</td>
<td>Sourceforge.net</td>
<td><a href="http://sourceforge.net/projects/shorewall">Browse</a></td>
<td>N/A</td>
</tr>
</tbody>
</table>
</blockquote>
</blockquote>
<p align="left">CVS:</p>
<blockquote>
<blockquote>
<p align="left">The <a target="_top"
href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi">CVS repository at
cvs.shorewall.net</a> contains the latest snapshots of the each Shorewall
component. There's no guarantee that what you find there will work at all.</p>
</blockquote>
<p align="left"><font size="2">Last Updated 9/26/2002 - <a
href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi">CVS repository at
cvs.shorewall.net</a> contains the latest snapshots of the each Shorewall
component. There's no guarantee that what you find there will work at
all.</p>
</blockquote>
<p align="left"><font size="2">Last Updated 11/9/2002 - <a
href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br>
<br>
<br>
</body>
</html>

566
Shorewall-docs/errata.htm
View File

@ -1,109 +1,152 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall 1.3 Errata</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1>
</td>
</tr>
</tbody>
</td>
</tr>
</tbody>
</table>
<p align="center"> <b><u>IMPORTANT</u></b></p>
<ol>
<li>
<li>
<p align="left"> <b><u>I</u>f you use a Windows system to download
a corrected script, be sure to run the script through <u> <a
a corrected script, be sure to run the script through <u> <a
href="http://www.megaloman.com/%7Ehany/software/hd2u/"
style="text-decoration: none;"> dos2unix</a></u> after you have moved
it to your Linux system.</b></p>
</li>
<li>
it to your Linux system.</b></p>
</li>
<li>
<p align="left"> <b>If you are installing Shorewall for the
first time and plan to use the .tgz and install.sh script, you can
untar the archive, replace the 'firewall' script in the untarred directory
with the one you downloaded below, and then run install.sh.</b></p>
</li>
<li>
with the one you downloaded below, and then run install.sh.</b></p>
</li>
<li>
<p align="left"> <b>When the instructions say to install a corrected
firewall script in /etc/shorewall/firewall, /usr/lib/shorewall/firewall
or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to overwrite
the existing file. DO NOT REMOVE OR RENAME THE OLD /etc/shorewall/firewall
or /var/lib/shorewall/firewall before you do that. /etc/shorewall/firewall
and /var/lib/shorewall/firewall are symbolic links that point
to the 'shorewall' file used by your system initialization scripts to
start Shorewall during boot. It is that file that must be overwritten
with the corrected script. </b></p>
</li>
firewall script in /etc/shorewall/firewall, /usr/lib/shorewall/firewall
or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to overwrite
the existing file. DO NOT REMOVE OR RENAME THE OLD /etc/shorewall/firewall
or /var/lib/shorewall/firewall before you do that. /etc/shorewall/firewall
and /var/lib/shorewall/firewall are symbolic links that point
to the 'shorewall' file used by your system initialization scripts
to start Shorewall during boot. It is that file that must be overwritten
with the corrected script.</b></p>
</li>
<li>
<p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. For example,
do NOT install the 1.3.9a firewall script if you are running 1.3.7c.</font></b><br>
</p>
</li>
</ol>
<ul>
<li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
<li> <b><a href="#V1.3">Problems in Version
1.3</a></b></li>
<li> <b><a href="errata_2.htm">Problems
in Version 1.2</a></b></li>
<li> <b><font color="#660066"> <a
<li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
<li> <b><a href="#V1.3">Problems in
Version 1.3</a></b></li>
<li> <b><a href="errata_2.htm">Problems
in Version 1.2</a></b></li>
<li> <b><font color="#660066"> <a
href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
<li> <b><font color="#660066"><a
<li> <b><font color="#660066"><a
href="#iptables"> Problem with iptables version 1.2.3 on RH7.2</a></font></b></li>
<li> <b><a href="#Debug">Problems with kernels
&gt;= 2.4.18 and RedHat iptables</a></b></li>
<li><b><a href="#SuSE">Problems installing/upgrading RPM on SuSE</a></b></li>
<li><b><a href="#Multiport">Problems with iptables version 1.2.7 and
MULTIPORT=Yes</a></b></li>
<li> <b><a href="#Debug">Problems with
kernels &gt;= 2.4.18 and RedHat iptables</a></b></li>
<li><b><a href="#SuSE">Problems installing/upgrading RPM on SuSE</a></b></li>
<li><b><a href="#Multiport">Problems with iptables version 1.2.7
and MULTIPORT=Yes</a></b></li>
<li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10 and NAT</a></b><br>
</li>
</ul>
<hr>
<hr>
<h2 align="left"><a name="V1.3"></a>Problems in Version 1.3</h2>
<h3>Version 1.3.8</h3>
<h3>Version 1.3.9a</h3>
<ul>
<li> Use of shell variables in the LOG LEVEL or SYNPARMS columns of the
policy file doesn't work.</li>
<li>A DNAT rule with the same original and new IP addresses but with different
port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24 tcp 25 - 10.1.1.1")<br>
</li>
<li> If entries are used in /etc/shorewall/hosts and MERGE_HOSTS=No then
the following message appears during "shorewall [re]start":</li>
</ul>
Installing <a
<pre> recalculate_interfacess: command not found<br></pre>
<blockquote> The updated firewall script at <a
href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
corrects this problem.Copy the script to /usr/lib/shorewall/firewall as described
above.<br>
</blockquote>
<blockquote> Alternatively, edit /usr/lob/shorewall/firewall and change the
single occurence (line 483 in version 1.3.9a) of 'recalculate_interefacess'
to 'recalculate_interface'. <br>
</blockquote>
<ul>
<li>The installer (install.sh) issues a misleading message "Common functions
installed in /var/lib/shorewall/functions" whereas the file is installed
in /usr/lib/shorewall/functions. The installer also performs incorrectly
when updating old configurations that had the file /etc/shorewall/functions.
<a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.3.9/install.sh">Here
is an updated version that corrects these problems.<br>
</a></li>
</ul>
<h3>Version 1.3.9</h3>
<b>TUNNELS Broken in 1.3.9!!! </b>There is an updated firewall script
at <a
href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
-- copy that file to /usr/lib/shorewall/firewall as described above.<br>
<br>
Version 1.3.8
<ul>
<li> Use of shell variables in the LOG LEVEL or SYNPARMS columns of
the policy file doesn't work.</li>
<li>A DNAT rule with the same original and new IP addresses but with
different port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24 tcp
25 - 10.1.1.1")<br>
</li>
</ul>
Installing <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.8/firewall">
this corrected firewall script</a> in /var/lib/shorewall/firewall
as described above corrects these problems.
as described above corrects these problems.
<h3>Version 1.3.7b</h3>
<p>DNAT rules where the source zone is 'fw' ($FW)
result in an error message. Installing
<a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
this corrected firewall script</a> in /var/lib/shorewall/firewall
as described above corrects this problem.</p>
as described above corrects this problem.</p>
<h3>Version 1.3.7a</h3>
<p>"shorewall refresh" is not creating the proper
rule for FORWARDPING=Yes. Consequently, after
"shorewall refresh", the firewall will not forward
@ -111,325 +154,348 @@ port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24 tcp 25 - 10.1.1.1")<b
<a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
this corrected firewall script</a> in /var/lib/shorewall/firewall
as described above corrects this problem.</p>
as described above corrects this problem.</p>
<h3>Version &lt;= 1.3.7a</h3>
<p>If "norfc1918" and "dhcp" are both specified as
options on a given interface then RFC 1918
checking is occurring before DHCP checking. This
means that if a DHCP client broadcasts using an
RFC 1918 source address, then the firewall will
reject the broadcast (usually logging it). This
has two problems:</p>
has two problems:</p>
<ol>
<li>If the firewall is running a DHCP
server, the client won't be able to obtain
an IP address lease from that server.</li>
<li>With this order of checking, the "dhcp"
option cannot be used as a noise-reduction
measure where there are both dynamic and
static clients on a LAN segment.</li>
<li>If the firewall is running a DHCP
server, the client won't be able to obtain
an IP address lease from that server.</li>
<li>With this order of checking, the
"dhcp" option cannot be used as a noise-reduction
measure where there are both dynamic
and static clients on a LAN segment.</li>
</ol>
<p> <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
This version of the 1.3.7a firewall script </a>
corrects the problem. It must be installed
in /var/lib/shorewall as described above.</p>
corrects the problem. It must be installed
in /var/lib/shorewall as described above.</p>
<h3>Version 1.3.7</h3>
<p>Version 1.3.7 dead on arrival -- please use
version 1.3.7a and check your version against
these md5sums -- if there's a difference, please
download again.</p>
<pre> d2fffb7fb99bcc6cb047ea34db1df10 shorewall-1.3.7a.tgz<br> 6a7fd284c8685b2b471a2f47b469fb94 shorewall-1.3.7a-1.noarch.rpm<br> 3decd14296effcff16853106771f7035 shorwall-1.3.7a.lrp</pre>
<p>In other words, type "md5sum &lt;<i>whatever package you downloaded</i>&gt;
and compare the result with what you see above.</p>
and compare the result with what you see above.</p>
<p>I'm embarrassed to report that 1.2.7 was also DOA -- maybe I'll skip the
.7 version in each sequence from now on.</p>
.7 version in each sequence from now on.</p>
<h3 align="left">Version 1.3.6</h3>
<ul>
<li>
<li>
<p align="left">If ADD_SNAT_ALIASES=Yes is specified in /etc/shorewall/shorewall.conf,
an error occurs when the firewall script attempts to add an SNAT
alias. </p>
</li>
<li>
an error occurs when the firewall script attempts to add an
SNAT alias. </p>
</li>
<li>
<p align="left">The <b>logunclean </b>and <b>dropunclean</b> options
cause errors during startup when Shorewall is run with iptables
1.2.7. </p>
</li>
1.2.7. </p>
</li>
</ul>
<p align="left">These problems are fixed in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
this correct firewall script</a> which must be installed in
/var/lib/shorewall/ as described above. These problems are also
corrected in version 1.3.7.</p>
<h3 align="left">Two-interface Samples 1.3.6 (file two-interfaces.tgz)</h3>
<p align="left">A line was inadvertently deleted from the "interfaces
file" -- this line should be added back in if the version that you
downloaded is missing it:</p>
downloaded is missing it:</p>
<p align="left">net    eth0    detect    routefilter,dhcp,norfc1918</p>
<p align="left">If you downloaded two-interfaces-a.tgz then the above
line should already be in the file.</p>
<h3 align="left">Version 1.3.5-1.3.5b</h3>
<p align="left">The new 'proxyarp' interface option doesn't work :-(
This is fixed in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">
this corrected firewall script</a> which must be installed in
/var/lib/shorewall/ as described above.</p>
<h3 align="left">Versions 1.3.4-1.3.5a</h3>
<p align="left">Prior to version 1.3.4, host file entries such as the
following were allowed:</p>
<div align="left">
<div align="left">
<pre> adm eth0:1.2.4.5,eth0:5.6.7.8</pre>
</div>
<div align="left">
</div>
<div align="left">
<p align="left">That capability was lost in version 1.3.4 so that it is only
possible to  include a single host specification on each line. This
problem is corrected by <a
possible to  include a single host specification on each line. This
problem is corrected by <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.5a/firewall">this
modified 1.3.5a firewall script</a>. Install the script in /var/lib/pub/shorewall/firewall
as instructed above.</p>
</div>
<div align="left">
modified 1.3.5a firewall script</a>. Install the script in /var/lib/pub/shorewall/firewall
as instructed above.</p>
</div>
<div align="left">
<p align="left">This problem is corrected in version 1.3.5b.</p>
</div>
</div>
<h3 align="left">Version 1.3.5</h3>
<p align="left">REDIRECT rules are broken in this version. Install
<a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">
this corrected firewall script</a> in /var/lib/pub/shorewall/firewall
as instructed above. This problem is corrected in version 1.3.5a.</p>
as instructed above. This problem is corrected in version 1.3.5a.</p>
<h3 align="left">Version 1.3.n, n &lt; 4</h3>
<p align="left">The "shorewall start" and "shorewall restart" commands
to not verify that the zones named in the /etc/shorewall/policy
file have been previously defined in the /etc/shorewall/zones
file. The "shorewall check" command does perform this verification
so it's a good idea to run that command after you have made configuration
changes.</p>
changes.</p>
<h3 align="left">Version 1.3.n, n &lt; 3</h3>
<p align="left">If you have upgraded from Shorewall 1.2 and after
"Activating rules..." you see the message: "iptables: No chains/target/match
by that name" then you probably have an entry in /etc/shorewall/hosts
that specifies an interface that you didn't include in /etc/shorewall/interfaces.
To correct this problem, you must add an entry to /etc/shorewall/interfaces.
Shorewall 1.3.3 and later versions produce a clearer error message
in this case.</p>
by that name" then you probably have an entry in /etc/shorewall/hosts
that specifies an interface that you didn't include in /etc/shorewall/interfaces.
To correct this problem, you must add an entry to /etc/shorewall/interfaces.
Shorewall 1.3.3 and later versions produce a clearer error
message in this case.</p>
<h3 align="left">Version 1.3.2</h3>
<p align="left">Until approximately 2130 GMT on 17 June 2002, the
download sites contained an incorrect version of the .lrp file. That
file can be identified by its size (56284 bytes). The correct
version has a size of 38126 bytes.</p>
<ul>
<li>The code to detect a duplicate interface entry in
/etc/shorewall/interfaces contained a typo that prevented it from
working correctly. </li>
<li>"NAT_BEFORE_RULES=No" was broken; it behaved just like
"NAT_BEFORE_RULES=Yes".</li>
<li>The code to detect a duplicate interface entry in
/etc/shorewall/interfaces contained a typo that prevented it from
working correctly. </li>
<li>"NAT_BEFORE_RULES=No" was broken; it behaved just
like "NAT_BEFORE_RULES=Yes".</li>
</ul>
<p align="left">Both problems are corrected in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/firewall">
this script</a> which should be installed in <b><u>/var/lib/shorewall</u></b>
as described above.</p>
as described above.</p>
<ul>
<li>
<li>
<p align="left">The IANA have just announced the allocation of subnet
221.0.0.0/8. This <a
221.0.0.0/8. This <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/rfc1918">
updated rfc1918</a> file reflects that allocation.</p>
</li>
</li>
</ul>
<h3 align="left">Version 1.3.1</h3>
<ul>
<li>TCP SYN packets may be double counted when
LIMIT:BURST is included in a CONTINUE or ACCEPT policy (i.e., each
packet is sent through the limit chain twice).</li>
<li>An unnecessary jump to the policy chain is sometimes
generated for a CONTINUE policy.</li>
<li>When an option is given for more than one interface in
/etc/shorewall/interfaces then depending on the option, Shorewall
may ignore all but the first appearence of the option. For
example:<br>
<br>
net    eth0    dhcp<br>
loc    eth1    dhcp<br>
<br>
Shorewall will ignore the 'dhcp' on eth1.</li>
<li>Update 17 June 2002 - The bug described in the prior bullet
affects the following options: dhcp, dropunclean, logunclean,
norfc1918, routefilter, multi, filterping and noping. An additional
bug has been found that affects only the 'routestopped' option.<br>
<br>
Users who downloaded the corrected script prior to 1850 GMT
today should download and install the corrected script again
to ensure that this second problem is corrected.</li>
<li>TCP SYN packets may be double counted when
LIMIT:BURST is included in a CONTINUE or ACCEPT policy (i.e., each
packet is sent through the limit chain twice).</li>
<li>An unnecessary jump to the policy chain is sometimes
generated for a CONTINUE policy.</li>
<li>When an option is given for more than one interface
in /etc/shorewall/interfaces then depending on the option,
Shorewall may ignore all but the first appearence of the option.
For example:<br>
<br>
net    eth0    dhcp<br>
loc    eth1    dhcp<br>
<br>
Shorewall will ignore the 'dhcp' on eth1.</li>
<li>Update 17 June 2002 - The bug described in the prior
bullet affects the following options: dhcp, dropunclean, logunclean,
norfc1918, routefilter, multi, filterping and noping. An
additional bug has been found that affects only the 'routestopped'
option.<br>
<br>
Users who downloaded the corrected script prior to 1850
GMT today should download and install the corrected script
again to ensure that this second problem is corrected.</li>
</ul>
<p align="left">These problems are corrected in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.1/firewall">
this firewall script</a> which should be installed in /etc/shorewall/firewall
as described above.</p>
as described above.</p>
<h3 align="left">Version 1.3.0</h3>
<ul>
<li>Folks who downloaded 1.3.0 from the links on the download
page before 23:40 GMT, 29 May 2002 may have downloaded 1.2.13
rather than 1.3.0. The "shorewall version" command will tell
you which version that you have installed.</li>
<li>The documentation NAT.htm file uses non-existent
wallpaper and bullet graphic files. The <a
<li>Folks who downloaded 1.3.0 from the links on the download
page before 23:40 GMT, 29 May 2002 may have downloaded 1.2.13
rather than 1.3.0. The "shorewall version" command will tell
you which version that you have installed.</li>
<li>The documentation NAT.htm file uses non-existent
wallpaper and bullet graphic files. The <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.0/NAT.htm">
corrected version is here</a>.</li>
</ul>
<hr>
<hr>
<h2 align="left"><a name="Upgrade"></a>Upgrade Issues</h2>
<p align="left">The upgrade issues have moved to <a
href="upgrade_issues.htm">a separate page</a>.</p>
<hr>
<hr>
<h3 align="left"><a name="iptables"></a><font color="#660066"> Problem with
iptables version 1.2.3</font></h3>
<blockquote>
iptables version 1.2.3</font></h3>
<blockquote>
<p align="left">There are a couple of serious bugs in iptables 1.2.3 that
prevent it from working with Shorewall. Regrettably, RedHat released
this buggy iptables in RedHat 7.2. </p>
prevent it from working with Shorewall. Regrettably, RedHat released
this buggy iptables in RedHat 7.2. </p>
<p align="left"> I have built a <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
corrected 1.2.3 rpm which you can download here</a>  and I have also built
an <a
corrected 1.2.3 rpm which you can download here</a>  and I have also built
an <a
href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
iptables-1.2.4 rpm which you can download here</a>. If you are currently
running RedHat 7.1, you can install either of these RPMs <b><u>before</u>
</b>you upgrade to RedHat 7.2.</p>
running RedHat 7.1, you can install either of these RPMs <b><u>before</u>
</b>you upgrade to RedHat 7.2.</p>
<p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat
has released an iptables-1.2.4 RPM of their own which you can download
from<font color="#ff6633"> <a
has released an iptables-1.2.4 RPM of their own which you can download
from<font color="#ff6633"> <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
</font>I have installed this RPM on my firewall and it works fine.</p>
</font>I have installed this RPM on my firewall and it works fine.</p>
<p align="left">If you would like to patch iptables 1.2.3 yourself,
the patches are available for download. This <a
the patches are available for download. This <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
which corrects a problem with parsing of the --log-level specification
while this <a
which corrects a problem with parsing of the --log-level specification
while this <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
corrects a problem in handling the  TOS target.</p>
<p align="left">To install one of the above patches:</p>
<ul>
<li>cd iptables-1.2.3/extensions</li>
<li>patch -p0 &lt; <i>the-patch-file</i></li>
</ul>
</blockquote>
corrects a problem in handling the  TOS target.</p>
<p align="left">To install one of the above patches:</p>
<ul>
<li>cd iptables-1.2.3/extensions</li>
<li>patch -p0 &lt; <i>the-patch-file</i></li>
</ul>
</blockquote>
<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18
and RedHat iptables</h3>
<blockquote>
<blockquote>
<p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19
may experience the following:</p>
<blockquote>
may experience the following:</p>
<blockquote>
<pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre>
</blockquote>
</blockquote>
<p>The RedHat iptables RPM is compiled with debugging enabled but the
user-space debugging code was not updated to reflect recent changes in
the Netfilter 'mangle' table. You can correct the problem by installing
<a
the Netfilter 'mangle' table. You can correct the problem by installing
<a
href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
this iptables RPM</a>. If you are already running a 1.2.5 version of
iptables, you will need to specify the --oldpackage option to rpm (e.g.,
"iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
</blockquote>
this iptables RPM</a>. If you are already running a 1.2.5 version of
iptables, you will need to specify the --oldpackage option to rpm (e.g.,
"iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
</blockquote>
<h3><a name="SuSE"></a>Problems installing/upgrading
RPM on SuSE</h3>
RPM on SuSE</h3>
<p>If you find that rpm complains about a conflict
with kernel &lt;= 2.2 yet you have a 2.4 kernel
installed, simply use the "--nodeps" option to
rpm.</p>
<p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<p>Upgrading: rpm -Uvh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<h3><a name="Multiport"></a><b>Problems with
iptables version 1.2.7 and MULTIPORT=Yes</b></h3>
<p>The iptables 1.2.7 release of iptables has made
an incompatible change to the syntax used to
specify multiport match rules; as a consequence,
if you install iptables 1.2.7 you must be running
Shorewall 1.3.7a or later or:</p>
<ul>
<li>set MULTIPORT=No in
/etc/shorewall/shorewall.conf; or </li>
<li>if you are running Shorewall 1.3.6
you may install
<a
<li>set MULTIPORT=No in
/etc/shorewall/shorewall.conf; or </li>
<li>if you are running Shorewall 1.3.6
you may install
<a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
this firewall script</a> in /var/lib/shorewall/firewall
as described above.</li>
as described above.</li>
</ul>
<p><font size="2"> Last updated 9/28/2002 -
<h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br>
</h3>
/etc/shorewall/nat entries of the following form will result in Shorewall
being unable to start:<br>
<br>
<pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22    eth0    192.168.9.22   yes     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
Error message is:<br>
<pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
The solution is to put "no" in the LOCAL column. Kernel support for LOCAL=yes
has never worked properly and 2.4.18-10 has disabled it. The 2.4.19 kernel
contains corrected support under a new kernel configuraiton option; see
<a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
<p><font size="2"> Last updated 10/9/2002 -
<a href="support.htm">Tom Eastep</a></font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
</body>

BIN
Shorewall-docs/images/DMZ.jpg
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 44 KiB

BIN
Shorewall-docs/images/DMZ2.jpg
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 50 KiB

BIN
Shorewall-docs/images/DMZ3.jpg
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 45 KiB

BIN
Shorewall-docs/images/Thumbs.db
View File

Binary file not shown.

BIN
Shorewall-docs/images/basics.jpg
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 31 KiB

BIN
Shorewall-docs/images/basics1.jpg
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 33 KiB

BIN
Shorewall-docs/images/network.jpg
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 72 KiB

BIN
Shorewall-docs/images/proxyarp.jpg
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 16 KiB

BIN
Shorewall-docs/images/proxyarp.png
View File

Binary file not shown.

BIN
Shorewall-docs/images/proxyarp.vsd
View File

Binary file not shown.

BIN
Shorewall-docs/images/staticnat.jpg
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 14 KiB

100
Shorewall-docs/mailing_list_problems.htm
View File

@ -1,59 +1,53 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Mailing List Problems</title>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Mailing List Problems</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Mailing List Problems</font></h1>
</td>
</tr>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Mailing List Problems</font></h1>
</td>
</tr>
</tbody>
</table>
<h2 align="left">Shorewall.net is currently experiencing mail delivery problems
to at least one address in each of the following domains:</h2>
<blockquote>
<div align="left">
<pre>2020ca - delivery to this domain has been disabled (cause unknown)
excite.com - delivery to this domain has been disabled (cause unknown)
epacificglobal.com - delivery to this domain has been disabled (no MX record for domain)
familie-fleischhacker.de - (connection timed out)
gmx.net - delivery to this domain has been disabled (cause unknown)
hotmail.com - delivery to this domain has been disabled (Mailbox over quota)
intercom.net - delivery to this domain has been disabled (cause unknown)
initialcs.com - delivery to this domain has been disabled (cause unknown)
intelligents.2y.net - delivery to this domain has been disabled (Name Service Problem -- Host not Found).
khp-inc.com - delivery to this domain has been disabled (anti-virus problems)
kieninger.de - delivery to this domain has been disabled (relaying to &lt;xxxxx@kieninger.de&gt; prohibited by administrator)
littleblue.de - (connection timed out)
opermail.net - delivery to this domain has been disabled (cause unknown)
penquindevelopment.com - delivery to this domain has been disabled (connection timed out)
scip-online.de - delivery to this domain has been disabled (cause unknown)
spctnet.com - connection timed out - delivery to this domain has been disabled
telusplanet.net - delivery to this domain has been disabled (cause unknown)
yahoo.com - delivery to this domain has been disabled (Mailbox over quota)</pre>
</div>
</blockquote>
<p align="left"><font size="2">Last updated 8/23/2002 17:16 GMT -
<a href="support.htm">Tom
Eastep</a></font></p>
<p align="left"><a href="copyright.htm">
<font face="Trebuchet MS">
<font size="2">Copyright</font> © <font size="2">2002 Thomas M. Eastep.</font></font></a></p>
<p align="left">&nbsp;</p>
to at least one address in each of the following domains:</h2>
<blockquote>
<div align="left">
<pre>2020ca - delivery to this domain has been disabled (cause unknown)<br>arundel.homelinux.org - delivery to this domain has been disabled (connection timed out, connection refused)<br>asurfer.com - (Mailbox full)<br>cuscominc.com - delivery to this domain has been disable (bouncing mail from all sources with "Mail rejected because the server you are sending to is misconfigured").<br>excite.com - delivery to this domain has been disabled (cause unknown)<br>epacificglobal.com - delivery to this domain has been disabled (no MX record for domain)<br>freefish.dyndns.org - delivery to this domain has been disabled (Name Server Problem -- Host not found)<br>gmx.net - delivery to this domain has been disabled (cause unknown)<br>hotmail.com - delivery to this domain has been disabled (Mailbox over quota)<br>intercom.net - delivery to this domain has been disabled (cause unknown)<br>ionsphere.org - (connection timed out)<br>initialcs.com - delivery to this domain has been disabled (cause unknown)<br>intelligents.2y.net - delivery to this domain has been disabled (Name Service Problem -- Host not Found).<br>khp-inc.com - delivery to this domain has been disabled (anti-virus problems)<br>kieninger.de - delivery to this domain has been disabled (relaying to &lt;xxxxx@kieninger.de&gt; prohibited by administrator)<br>littleblue.de - (connection timed out)<br>navair.navy.mil - delivery to this domain has been disabled (A restriction in the system prevented delivery of the message)<br>opermail.net - delivery to this domain has been disabled (cause unknown)<br>opus.homeip.net - (SpamAssassin is missing the HiRes Time module)<br>penquindevelopment.com - delivery to this domain has been disabled (connection timed out)<br>scip-online.de - delivery to this domain has been disabled (cause unknown)<br>spctnet.com - connection timed out - delivery to this domain has been disabled<br>telusplanet.net - delivery to this domain has been disabled (cause unknown)<br>yahoo.com - delivery to this domain has been disabled (Mailbox over quota)</pre>
</div>
</blockquote>
<p align="left"><font size="2">Last updated 11/3/2002 16:00 GMT - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"> <font face="Trebuchet MS"> <font
size="2">Copyright</font> © <font size="2">2002 Thomas M. Eastep.</font></font></a></p>
<p align="left"> </p>
<br>
<br>
<br>
<br>
<br>
<br>
</body>
</html>
</html>

243
Shorewall-docs/myfiles.htm
View File

@ -1,133 +1,134 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>My Shorewall Configuration</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">About My Network</font></h1>
</td>
</tr>
</tbody>
</td>
</tr>
</tbody>
</table>
<blockquote> </blockquote>
<h1>My Current Network </h1>
<blockquote>
<p> I have DSL service and have 5 static IP addresses (206.124.146.176-180).
My DSL "modem" (<a href="http://www.fujitsu.com">Fujitsu</a> Speedport)
is connected to eth0. I have a local network connected to eth2 (subnet 192.168.1.0/24)
and a DMZ connected to eth1 (192.168.2.0/24). </p>
<blockquote>
<p> I have DSL service and have 5 static IP addresses (206.124.146.176-180).
My DSL "modem" (<a href="http://www.fujitsu.com">Fujitsu</a> Speedport)
is connected to eth0. I have a local network connected to eth2 (subnet
192.168.1.0/24) and a DMZ connected to eth1 (192.168.2.0/24). </p>
<p> I use:<br>
</p>
</p>
<ul>
<li>Static NAT for ursa (my XP System) - Internal address 192.168.1.5
and external address 206.124.146.178.</li>
<li>Proxy ARP for wookie (my Linux System). This system has two IP addresses:
192.168.1.3/24 and 206.124.146.179/24.</li>
<li>SNAT through the primary gateway address (206.124.146.176) for 
my Wife's system (tarry) and the Wireless Access Point (wap)</li>
<li>Static NAT for ursa (my XP System) - Internal address 192.168.1.5
and external address 206.124.146.178.</li>
<li>Proxy ARP for wookie (my Linux System). This system has two IP
addresses: 192.168.1.3/24 and 206.124.146.179/24.</li>
<li>SNAT through the primary gateway address (206.124.146.176) for 
my Wife's system (tarry) and the Wireless Access Point (wap)</li>
</ul>
<p> The firewall runs on a 128MB PII/233 with RH7.2 and Kernel 2.4.20-pre6.</p>
<p> Wookie runs Samba and acts as the a WINS server.  Wookie is in its
own 'whitelist' zone called 'me'.</p>
<p> My laptop (eastept1) is connected to eth3 using a cross-over cable.
It runs its own <a href="http://www.sygate.com"> Sygate</a> firewall software
and is managed by Proxy ARP. It connects to the local network through the
PopTop server running on my firewall. </p>
<p> The single system in the DMZ (address 206.124.146.177) runs postfix,
Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP server
(Pure-ftpd). The system also runs fetchmail to fetch our email from our
old and current ISPs. That server is managed through Proxy ARP.</p>
<p> The firewall system itself runs a DHCP server that serves the local
network.</p>
<p> Wookie runs Samba and acts as the a WINS server.  Wookie is in its
own 'whitelist' zone called 'me'.</p>
<p> My laptop (eastept1) is connected to eth3 using a cross-over cable.
It runs its own <a href="http://www.sygate.com"> Sygate</a> firewall software
and is managed by Proxy ARP. It connects to the local network through
the PopTop server running on my firewall. </p>
<p> The single system in the DMZ (address 206.124.146.177) runs postfix,
Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP server
(Pure-ftpd). The system also runs fetchmail to fetch our email from our
old and current ISPs. That server is managed through Proxy ARP.</p>
<p> The firewall system itself runs a DHCP server that serves the local
network.</p>
<p> All administration and publishing is done using ssh/scp.</p>
<p> I run an SNMP server on my firewall to serve <a
href="http://www.ee.ethz.ch/%7Eoetiker/webtools/mrtg/"> MRTG</a> running
in the DMZ.</p>
href="http://www.ee.ethz.ch/%7Eoetiker/webtools/mrtg/"> MRTG</a> running
in the DMZ.</p>
<p align="center"> <img border="0"
src="images/network.png" width="764" height="846">
</p>
</p>
<p> </p>
<p>The ethernet interface in the Server is configured
with IP address 206.124.146.177, netmask
255.255.255.0. The server's default gateway is
206.124.146.254 (Router at my ISP. This is the same
default gateway used by the firewall itself). On the firewall,
Shorewall automatically adds a host route to
206.124.146.177 through eth1 (192.168.2.1) because
of the entry in /etc/shorewall/proxyarp (see below).</p>
<p>A similar setup is used on eth3 (192.168.3.1) which
interfaces to my laptop (206.124.146.180).</p>
<p><font color="#ff0000" size="5"> Note: My files
use features not available before Shorewall version
1.3.4.</font></p>
</blockquote>
<h3>Shorewall.conf</h3>
<pre> SUBSYSLOCK=/var/lock/subsys/shorewall<br> STATEDIR=/var/state/shorewall<br><br> LOGRATE=<br> LOGBURST=<br><br> ADD_IP_ALIASES="Yes"<br><br> CLAMPMSS=Yes<br><br> MULTIPORT=Yes</pre>
<h3>Zones File:</h3>
<pre><font face="Courier" size="2"> #ZONE DISPLAY COMMENTS<br> net Internet Internet<br> me Eastep My Workstation<br> loc Local Local networks<br> dmz DMZ Demilitarized zone<br> tx Texas Peer Network in Dallas Texas<br> #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</font></pre>
<h3>Interfaces File: </h3>
<blockquote>
<p> This is set up so that I can start the firewall before bringing up my
Ethernet interfaces. </p>
<p>The ethernet interface in the Server is configured
with IP address 206.124.146.177, netmask
255.255.255.0. The server's default gateway is
206.124.146.254 (Router at my ISP. This is the same
default gateway used by the firewall itself). On the firewall,
Shorewall automatically adds a host route to
206.124.146.177 through eth1 (192.168.2.1) because
of the entry in /etc/shorewall/proxyarp (see
below).</p>
<p>A similar setup is used on eth3 (192.168.3.1) which
interfaces to my laptop (206.124.146.180).</p>
<p><font color="#ff0000" size="5"> Note: My files
use features not available before Shorewall
version 1.3.4.</font></p>
</blockquote>
<pre><font face="Courier" size="2"> #ZONE INTERFACE BROADCAST OPTIONS<br> net eth0 206.124.146.255 routefilter,norfc1918,blacklist,filterping<br> loc eth2 192.168.1.255 dhcp<br> dmz eth1 206.124.146.255 -<br> net eth3 206.124.146.255 norfc1918<br> - texas -<br> loc ppp+<br> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
<h3>Shorewall.conf</h3>
<pre> SUBSYSLOCK=/var/lock/subsys/shorewall<br> STATEDIR=/var/state/shorewall<br><br> LOGRATE=<br> LOGBURST=<br><br> ADD_IP_ALIASES="Yes"<br><br> CLAMPMSS=Yes<br><br> MULTIPORT=Yes</pre>
<h3>Zones File:</h3>
<pre><font face="Courier" size="2"> #ZONE DISPLAY COMMENTS<br> net Internet Internet<br> me Eastep My Workstation<br> loc Local Local networks<br> dmz DMZ Demilitarized zone<br> tx Texas Peer Network in Dallas Texas<br> #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</font></pre>
<h3>Interfaces File: </h3>
<blockquote>
<p> This is set up so that I can start the firewall before bringing up
my Ethernet interfaces. </p>
</blockquote>
<pre><font face="Courier" size="2"> #ZONE INTERFACE BROADCAST OPTIONS<br> net eth0 206.124.146.255 routefilter,norfc1918,blacklist,filterping<br> loc eth2 192.168.1.255 dhcp,filterping,maclist<br> dmz eth1 206.124.146.255 filterping<br> net eth3 206.124.146.255 filterping,blacklist<br> - texas - filterping<br> loc ppp+ - filterping<br> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
<h3>Hosts File: </h3>
<pre><font face="Courier" size="2"> #ZONE HOST(S) OPTIONS<br> me eth2:192.168.1.3,eth2:206.124.146.179<br> tx texas:192.168.9.0/24<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE -- DO NOT REMOVE</font></pre>
<h3>Routestopped File:</h3>
<pre><font face="Courier" size="2"> #INTERFACE HOST(S)<br> eth1 206.124.146.177<br> eth2 -<br> eth3 206.124.146.180</font></pre>
<h3>Common File: </h3>
<pre><font size="2" face="Courier"> . /etc/shorewall/common.def<br> run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP<br> run_iptables -A common -p tcp --dport 113 -j REJECT</font></pre>
<h3>Policy File:</h3>
<pre><font size="2" face="Courier">
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
me all ACCEPT
@ -135,34 +136,40 @@ Ethernet interfaces. </p>
all me CONTINUE #<font
color="#ff0000">WARNING: You must be running Shorewall 1.3.1 or later for<br> </font>#<font
color="#ff0000"> this policy to work as expected!!!</font> <br> loc loc ACCEPT<br> loc net ACCEPT<br> $FW loc ACCEPT<br> $FW tx ACCEPT<br> loc tx ACCEPT<br> loc fw REJECT<br> net net ACCEPT<br> net all DROP info 10/sec:40<br> all all REJECT info<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOTE</font></pre>
<h3>Masq File: </h3>
<blockquote>
<p> Although most of our internal systems use static NAT, my wife's system
(192.168.1.4) uses IP Masquerading (actually SNAT) as do visitors with laptops.</p>
</blockquote>
<pre><font size="2" face="Courier"> #INTERFACE SUBNET ADDRESS<br> eth0 192.168.1.0/24 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</font></pre>
<blockquote>
<p> Although most of our internal systems use static NAT, my wife's system
(192.168.1.4) uses IP Masquerading (actually SNAT) as do visitors with
laptops. Also, I masquerade wookie to the peer subnet in Texas.</p>
</blockquote>
<pre><font size="2" face="Courier"> #INTERFACE SUBNET ADDRESS<br> eth0 192.168.1.0/24 206.124.146.176<br> texas 206.124.146.179 192.168.1.254<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</font></pre>
<h3>NAT File: </h3>
<pre><font size="2" face="Courier"> #EXTERNAL INTERFACE INTERNAL ALL LOCAL<br> 206.124.146.178 eth0 192.168.1.5 No No<br> 206.124.146.179 eth0 192.168.1.3 No No<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</font></pre>
<h3>Proxy ARP File:</h3>
<pre><font face="Courier" size="2"> #ADDRESS INTERFACE EXTERNAL HAVEROUTE<br> 206.124.146.177 eth1 eth0 No<br> 206.124.146.180 eth3 eth0 No<br> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
<h3>Rules File (The shell variables
are set in /etc/shorewall/params):</h3>
<pre><font face="Courier" size="2"> #ADDRESS INTERFACE EXTERNAL HAVEROU</font><font
face="Courier" size="2">TE<br> 206.124.146.177 eth1 eth0 No<br> 206.124.146.180 eth3 eth0 No<br></font><font
face="Courier" size="2"> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
<h3>Rules File (The shell variables
are set in /etc/shorewall/params):</h3>
<pre><font face="Courier" size="2"> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL<br> # PORT(S) PORT(S) PORT(S) DEST<br> #<br> # Local Network to Internet - Reject attempts by Trojans to call home<br> #<br> REJECT:info loc net tcp 6667<br> #<br> # Local Network to Firewall <br> #<br> ACCEPT loc fw tcp ssh<br> ACCEPT loc fw tcp time<br> #<br> # Local Network to DMZ <br> #<br> ACCEPT loc dmz udp domain<br> ACCEPT loc dmz tcp smtp<br> ACCEPT loc dmz tcp domain<br> ACCEPT loc dmz tcp ssh<br> ACCEPT loc dmz tcp auth<br> ACCEPT loc dmz tcp imap<br> ACCEPT loc dmz tcp https<br> ACCEPT loc dmz tcp imaps<br> ACCEPT loc dmz tcp cvspserver<br> ACCEPT loc dmz tcp www<br> ACCEPT loc dmz tcp ftp<br> ACCEPT loc dmz tcp pop3<br> ACCEPT loc dmz icmp echo-request<br> #<br> # Internet to DMZ <br> #<br> ACCEPT net dmz tcp www<br> ACCEPT net dmz tcp smtp<br> ACCEPT net dmz tcp ftp<br> ACCEPT net dmz tcp auth<br> ACCEPT net dmz tcp https<br> ACCEPT net dmz tcp imaps<br> ACCEPT net dmz tcp domain<br> ACCEPT net dmz tcp cvspserver<br> ACCEPT net dmz udp domain<br> ACCEPT net dmz icmp echo-request<br> ACCEPT net:$MIRRORS dmz tcp rsync<br> #<br> # Net to Me (ICQ chat and file transfers) <br> #<br> ACCEPT net me tcp 4000:4100<br> #<br> # Net to Local <br> #<br> ACCEPT net loc tcp auth<br> REJECT net loc tcp www<br> #<br> # DMZ to Internet<br> #<br> ACCEPT dmz net icmp echo-request<br> ACCEPT dmz net tcp smtp<br> ACCEPT dmz net tcp auth<br> ACCEPT dmz net tcp domain<br> ACCEPT dmz net tcp www<br> ACCEPT dmz net tcp https<br> ACCEPT dmz net tcp whois<br> ACCEPT dmz net tcp echo<br> ACCEPT dmz net udp domain<br> ACCEPT dmz net:$NTPSERVERS udp ntp<br> ACCEPT dmz net:$POPSERVERS tcp pop3<br> #<br> # The following compensates for a bug, either in some FTP clients or in the<br> # Netfilter connection tracking code that occasionally denies active mode<br> # FTP clients<br> #<br> ACCEPT:info dmz net tcp 1024: 20<br> #<br> # DMZ to Firewall -- snmp<br> #<br> ACCEPT dmz fw tcp snmp<br> ACCEPT dmz fw udp snmp<br> #<br> # DMZ to Local Network <br> #<br> ACCEPT dmz loc tcp smtp<br> ACCEPT dmz loc tcp auth<br> ACCEPT dmz loc icmp echo-request<br> # Internet to Firewall<br> #<br> ACCEPT net fw tcp 1723<br> ACCEPT net fw gre<br> REJECT net fw tcp www<br> #<br> # Firewall to Internet<br> #<br> ACCEPT fw net:$NTPSERVERS udp ntp<br> ACCEPT fw net udp domain<br> ACCEPT fw net tcp domain<br> ACCEPT fw net tcp www<br> ACCEPT fw net tcp https<br> ACCEPT fw net tcp ssh<br> ACCEPT fw net tcp whois<br> ACCEPT fw net icmp echo-request<br> #<br> # Firewall to DMZ<br> #<br> ACCEPT fw dmz tcp www<br> ACCEPT fw dmz tcp ftp<br> ACCEPT fw dmz tcp ssh<br> ACCEPT fw dmz tcp smtp<br> ACCEPT fw dmz udp domain<br> #<br> # Let Texas Ping<br> #<br> ACCEPT tx fw icmp echo-request<br> ACCEPT tx loc icmp echo-request<br><br> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
<p><font size="2"> Last updated 9/19/2002 - </font><font size="2">
<a href="support.htm">Tom Eastep</a></font>
</p>
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
<p><font size="2"> Last updated 10/14/2002 - </font><font size="2">
<a href="support.htm">Tom Eastep</a></font>
</p>
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
<br>
<br>
<br>
<br>
</body>
</html>

266
Shorewall-docs/ports.htm
View File

@ -1,122 +1,192 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Shorewall Port Information</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall Port Information</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Ports required for Various Services/Applications</font></h1>
</td>
</tr>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Ports required for Various
Services/Applications</font></h1>
</td>
</tr>
</tbody>
</table>
<p>In addition to those applications described in <a href="Documentation.htm">the
/etc/shorewall/rules documentation</a>, here are some other
services/applications that you may need to configure your firewall to accommodate.</p>
<p>In addition to those applications described in <a
href="Documentation.htm">the /etc/shorewall/rules documentation</a>, here
are some other services/applications that you may need to configure your firewall
to accommodate.</p>
<p>NTP (Network Time Protocol)</p>
<blockquote>
<blockquote>
<p>UDP Port 123</p>
</blockquote>
<p>rdate</p>
<blockquote>
</blockquote>
<p>rdate</p>
<blockquote>
<p>TCP Port 37</p>
</blockquote>
<p>UseNet (NNTP)</p>
<blockquote>
</blockquote>
<p>UseNet (NNTP)</p>
<blockquote>
<p>TCP Port 119</p>
</blockquote>
</blockquote>
<p>DNS</p>
<blockquote>
<p>UDP Port 53. If you are configuring a DNS client, you will probably want to
open TCP Port 53 as well.<br>
If you are configuring a server, only open TCP Port 53 if you will return long
replies to queries or if you need to enable ZONE transfers.&nbsp;In the latter
case, be sure that your server is properly configured.</p>
</blockquote>
<p>ICQ&nbsp;&nbsp;&nbsp;</p>
<blockquote>
<p>UDP Port 4000. You will also need to open a range of TCP ports which you
can specify to your ICQ client. By default, clients use 4000-4100.</p>
</blockquote>
<blockquote>
<p>UDP Port 53. If you are configuring a DNS client, you will probably want
to open TCP Port 53 as well.<br>
If you are configuring a server, only open TCP Port 53 if you will return
long replies to queries or if you need to enable ZONE transfers. In the
latter case, be sure that your server is properly configured.</p>
</blockquote>
<p>ICQ   </p>
<blockquote>
<p>UDP Port 4000. You will also need to open a range of TCP ports which
you can specify to your ICQ client. By default, clients use 4000-4100.</p>
</blockquote>
<p>PPTP</p>
<blockquote>
<p><u>Protocol</u> 47 (NOT <u>port</u> 47) and TCP Port 1723 (<a href="PPTP.htm">Lots more
information here</a>).</p>
</blockquote>
<blockquote>
<p><u>Protocol</u> 47 (NOT <u>port</u> 47) and TCP Port 1723 (<a
href="PPTP.htm">Lots more information here</a>).</p>
</blockquote>
<p>IPSEC</p>
<blockquote>
<p><u>Protocols</u> 50 and 51 (NOT <u>ports</u> 50 and 51) and UDP Port 500.
These should be opened in both directions.</p>
</blockquote>
<blockquote>
<p><u>Protocols</u> 50 and 51 (NOT <u>ports</u> 50 and 51) and UDP Port
500. These should be opened in both directions.</p>
</blockquote>
<p>SMTP</p>
<blockquote>
<p>&nbsp;TCP Port 25.</p>
</blockquote>
<blockquote>
<p> TCP Port 25.</p>
</blockquote>
<p>POP3</p>
<blockquote>
<blockquote>
<p>TCP Port 110.</p>
</blockquote>
</blockquote>
<p>TELNET</p>
<blockquote>
<blockquote>
<p>TCP Port 23.</p>
</blockquote>
</blockquote>
<p>SSH</p>
<blockquote>
<blockquote>
<p>TCP Port 22.</p>
</blockquote>
</blockquote>
<p>Auth (identd)</p>
<blockquote>
<blockquote>
<p>TCP Port 113</p>
</blockquote>
<p>Web Access</p>
<blockquote>
</blockquote>
<p>Web Access</p>
<blockquote>
<p>TCP Ports 80 and 443.</p>
</blockquote>
<p>FTP</p>
<blockquote>
<p>Server configuration is covered on in <a href="Documentation.htm#Rules">the
/etc/shorewall/rules documentation</a>,</p>
</blockquote>
<p>FTP</p>
<blockquote>
<p>Server configuration is covered on in <a
href="Documentation.htm#Rules">the /etc/shorewall/rules documentation</a>,</p>
<p>For a client, you must open outbound TCP port 21 and be sure that your
kernel is compiled to support FTP connection tracking. If you build this
support as a module, Shorewall will automatically load the module from
/var/lib/&lt;<i>kernel version</i>&gt;/kernel/net/ipv4/netfilter.&nbsp;</p>
</blockquote>
<p>SMB/NMB (Samba/Windows Browsing/File Sharing)</p>
<blockquote>
kernel is compiled to support FTP connection tracking. If you build this
support as a module, Shorewall will automatically load the module from
/var/lib/&lt;<i>kernel version</i>&gt;/kernel/net/ipv4/netfilter. <br>
</p>
<p>If you run an FTP server on a nonstandard port or you need to access
such a server, then you must specify that port in /etc/shorewall/modules.
For example, if you run an FTP server that listens on port 49 then you would
have:<br>
</p>
<blockquote>
<p>loadmodule ip_conntrack_ftp ports=21,49<br>
loadmodule ip_nat_ftp ports=21,49<br>
</p>
</blockquote>
<p>Note that you MUST include port 21 in the <i>ports</i> list or you may
have problems accessing regular FTP servers.</p>
<p>If there is a possibility that these modules might be loaded before Shorewall
starts, then you should include the port list in /etc/modules.conf:<br>
</p>
<blockquote>
<p>options ip_conntrack_ftp ports=21,49<br>
options ip_nat_ftp ports=21,49<br>
</p>
</blockquote>
</blockquote>
<p>SMB/NMB (Samba/Windows Browsing/File Sharing)</p>
<blockquote> </blockquote>
<blockquote>
<p>TCP Ports 137, 139 and 445.<br>
UDP Ports 137-139.<br>
<br>
Also, <a href="samba.htm">see this page</a>.</p>
</blockquote>
<p>Traceroute</p>
<blockquote>
UDP Ports 137-139.<br>
<br>
Also, <a href="samba.htm">see this page</a>.</p>
</blockquote>
<p>Traceroute</p>
<blockquote>
<p>UDP ports 33434 through 33434+<i>&lt;max number of hops&gt;</i>-1</p>
</blockquote>
<p>NFS</p>
<blockquote>
<p>There's some good information at&nbsp;
<a href="http://nfs.sourceforge.net/nfs-howto/security.html">
http://nfs.sourceforge.net/nfs-howto/security.html</a></p>
</blockquote>
<p>Didn't find what you are looking for -- have you looked in your own
/etc/services file? </p>
<p>Still looking? Try
<a href="http://www.networkice.com/advice/Exploits/Ports">
http://www.networkice.com/advice/Exploits/Ports</a></p>
<p><font size="2">Last updated 8/21/2002 - </font><font size="2">
<a href="support.htm">Tom
Eastep</a></font> </p>
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></body></html>
</blockquote>
<p>NFS</p>
<blockquote>
<p>There's some good information at  <a
href="http://nfs.sourceforge.net/nfs-howto/security.html"> http://nfs.sourceforge.net/nfs-howto/security.html</a></p>
</blockquote>
<p>Didn't find what you are looking for -- have you looked in your own /etc/services
file? </p>
<p>Still looking? Try <a
href="http://www.networkice.com/advice/Exploits/Ports"> http://www.networkice.com/advice/Exploits/Ports</a></p>
<p><font size="2">Last updated 10/22/2002 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
<br>
</body>
</html>

145
Shorewall-docs/quotes.htm
View File

@ -1,101 +1,104 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Quotes from Shorewall Users</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Quotes from Shorewall Users</font></h1>
</td>
</tr>
</tbody>
</td>
</tr>
</tbody>
</table>
<p>"I just installed Shorewall after weeks of messing with ipchains/iptables
<p>"I just installed Shorewall after weeks of messing with ipchains/iptables
and I had it up and running in under 20 minutes!" -- JL, Ohio<br>
</p>
"My case was almost like [the one above]. Well. instead of 'weeks' it was
</p>
"My case was almost like [the one above]. Well. instead of 'weeks' it was
'months' for me, and I think I needed two minutes more:<br>
<ul>
<li>One to see that I had no Internet access from the firewall itself.</li>
<li>Other to see that this was the default configuration, and it was enough
<li>One to see that I had no Internet access from the firewall itself.</li>
<li>Other to see that this was the default configuration, and it was enough
to uncomment a line in /etc/shorewall/policy.<br>
</li>
</li>
</ul>
Minutes instead of months! Congratulations and thanks for such a simple and
well documented thing for something as huge as iptables." -- JV, Spain.
<p>"I downloaded Shorewall 1.2.0 and installed it on Mandrake 8.1 without
any problems. Your documentation is great and I really appreciate your
network configuration info. That really helped me out alot. THANKS!!!"
Minutes instead of months! Congratulations and thanks for such a simple
and well documented thing for something as huge as iptables." -- JV, Spain.
<p>"I downloaded Shorewall 1.2.0 and installed it on Mandrake 8.1 without
any problems. Your documentation is great and I really appreciate your
network configuration info. That really helped me out alot. THANKS!!!"
-- MM. </p>
<p>"[Shorewall is a] great, great project. I've used/tested may firewall
scripts but this one is till now the best." -- B.R, Netherlands
</p>
<p>"Never in my +12 year career as a sys admin have I witnessed someone
so relentless in developing a secure, state of the art, save and useful
product as the Shorewall firewall package for no cost or obligation
involved." -- Mario Kericki, Toronto </p>
<p>"one time more to report, that your great shorewall in the latest
release 1.2.9 is working fine for me with SuSE Linux 7.3! I now
have 7 machines up and running with shorewall on several versions -
starting with 1.2.2 up to the new 1.2.9 and I never have encountered
any problems!" -- SM, Germany</p>
<p>"You have the best support of any other package I've ever used."
<p>"[Shorewall is a] great, great project. I've used/tested may firewall
scripts but this one is till now the best." -- B.R, Netherlands
</p>
<p>"Never in my +12 year career as a sys admin have I witnessed someone
so relentless in developing a secure, state of the art, safe and useful
product as the Shorewall firewall package for no cost or obligation
involved." -- Mario Kerecki, Toronto </p>
<p>"one time more to report, that your great shorewall in the latest
release 1.2.9 is working fine for me with SuSE Linux 7.3! I now have
7 machines up and running with shorewall on several versions - starting
with 1.2.2 up to the new 1.2.9 and I never have encountered any problems!"
-- SM, Germany</p>
<p>"You have the best support of any other package I've ever used."
-- SE, US </p>
<p>"Because our company has information which has been classified by the
national government as secret, our security doesn't stop by putting a fence
around our company. Information security is a hot issue. We also make use
of checkpoint firewalls, but not all of the internet servers are guarded
by checkpoint, some of them are running....Shorewall." -- Name withheld
by request, Europe</p>
<p>"thanx for all your efforts you put into shorewall - this product stands
out against a lot of commercial stuff i´ve been working with in terms of
<p>"Because our company has information which has been classified by the
national government as secret, our security doesn't stop by putting a fence
around our company. Information security is a hot issue. We also make use
of checkpoint firewalls, but not all of the internet servers are guarded
by checkpoint, some of them are running....Shorewall." -- Name withheld by
request, Europe</p>
<p>"thanx for all your efforts you put into shorewall - this product stands
out against a lot of commercial stuff i´ve been working with in terms of
flexibillity, quality &amp; support" -- RM, Austria</p>
<p>"I have never seen such a complete firewall package that is so easy to
configure. I searched the Debian package system for firewall scripts and
<p>"I have never seen such a complete firewall package that is so easy to
configure. I searched the Debian package system for firewall scripts and
Shorewall won hands down." -- RG, Toronto</p>
<p>"My respects... I've just found and installed Shorewall 1.3.3-1 and it
is a wonderful piece of software. I've just sent out an email to about 30
<p>"My respects... I've just found and installed Shorewall 1.3.3-1 and it
is a wonderful piece of software. I've just sent out an email to about 30
people recommending it. :-)<br>
While I had previously taken the time (maybe 40 hours) to really understand
ipchains, then spent at least an hour per server customizing and carefully
scrutinizing firewall rules, I've got shorewall running on my home firewall,
with rulesets and policies that I know make sense, in under 20 minutes."
While I had previously taken the time (maybe 40 hours) to really understand
ipchains, then spent at least an hour per server customizing and carefully
scrutinizing firewall rules, I've got shorewall running on my home firewall,
with rulesets and policies that I know make sense, in under 20 minutes."
-- RP, Guatamala<br>
<br>
 </p>
<p><font size="2" face="Century Gothic, Arial, Helvetica">Updated 9/24/2002
- <a href="support.htm">Tom Eastep</a> </font>
</p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
 </p>
<p><font size="2" face="Century Gothic, Arial, Helvetica">Updated 10/9/2002
- <a href="support.htm">Tom Eastep</a> </font>
</p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
</body>
</html>

584
Shorewall-docs/seattlefirewall_index.htm
View File

@ -2,294 +2,396 @@
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.3</title>
<base target="_self">
<base target="_self">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="4"
style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c">
<tbody>
<tr>
<td width="100%" height="90">
<tbody>
<tr>
<td width="100%"
height="90">
<h1 align="center"> <font size="4"><i> <a
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4"
alt="Shorwall Logo" height="70" width="85" align="left"
src="images/washington.jpg" border="0">
</a></i></font><font color="#ffffff">Shorewall 1.3
- <font size="4">"<i>iptables made easy"</i></font></font></h1>
<div align="center"><a href="1.2" target="_top"><font
color="#ffffff">Shorewall 1.2 Site here</font></a><br>
</div>
<br>
</td>
</tr>
</tbody>
</table>
<div align="center">
<center>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody>
<tr>
<td width="90%">
<h2 align="left">What is it?</h2>
</a></i></font><font
color="#ffffff">Shorewall 1.3 - <font size="4">"<i>iptables
made easy"</i></font></font></h1>
<p>The Shoreline Firewall, more commonly known as "Shorewall", is a
<a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
that can be used on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system.</p>
<p>This program is free software; you can redistribute it and/or modify
it under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU General
Public License</a> as published by the Free Software Foundation.<br>
<br>
This program is distributed in the hope that
it will be useful, but WITHOUT ANY WARRANTY; without even the
implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
PURPOSE. See the GNU General Public License for more details.<br>
<br>
You should have received a copy of the GNU General
Public License along with this program; if not, write to the
Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA
02139, USA</p>
<p><a href="copyright.htm">Copyright 2001, 2002 Thomas M. Eastep</a></p>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques Nilo and Eric Wolzak have a LEAF
distribution called <i>Bering</i> that features Shorewall-1.3.3
and Kernel-2.4.18. You can find their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
<h2>News</h2>
<p><b>9/28/2002 - Shorewall 1.3.9</b></p>
<p>In this version:<br>
</p>
<ul>
<li><a href="configuration_file_basics.htm#dnsnames">DNS Names</a>
are now allowed in Shorewall config files (although I recommend against
using them).</li>
<li>The connection SOURCE may now be qualified by both interface
and IP address in a <a href="Documentation.htm#Rules">Shorewall rule</a>.</li>
<li>Shorewall startup is now disabled after initial installation
until the file /etc/shorewall/startup_disabled is removed. This avoids
nasty surprises at reboot for users who install Shorewall but don't configure
it.</li>
<li>The 'functions' and 'version' files and the 'firewall' symbolic
link have been moved from /var/lib/shorewall to /usr/lib/shorewall to appease
the LFS police at Debian.<br>
</li>
</ul>
<p><b>9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability
Restored</b><b> </b><b><img border="0" src="images/new10.gif"
width="28" height="12" alt="(New)">
</b><br>
</p>
<img src="images/j0233056.gif" alt="Brown Paper Bag"
width="50" height="86" align="left">
A couple of recent configuration changes at www.shorewall.net broke
the Search facility:<br>
<blockquote>
<ol>
<li>Mailing List Archive Search was not available.</li>
<li>The Site Search index was incomplete</li>
<li>Only one page of matches was presented.</li>
</ol>
</blockquote>
Hopefully these problems are now corrected.
<p><b>9/18/2002 - Debian 1.3.8 Packages Available </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b><br>
</p>
<p>Apt-get sources listed at <a
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a></p>
<b> </b>
<p><b>9/16/2002 - Shorewall 1.3.8 </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
<p>In this version:<br>
</p>
<ul>
<li>A NEWNOTSYN option has been added to shorewall.conf.
This option determines whether Shorewall accepts TCP packets which
are not part of an established connection and that are not 'SYN' packets
(SYN flag on and ACK flag off).</li>
<li>The need for the 'multi' option to communicate
between zones za and zb on the same interface is removed in the case
where the chain 'za2zb' and/or 'zb2za' exists. 'za2zb' will exist if:
<ul>
<li>There is a policy for za to zb; or</li>
<li>There is at least one rule for za to zb.
</li>
<div align="center"><a href="1.2" target="_top"><font
color="#ffffff">Shorewall 1.2 Site here</font></a><br>
</div>
<br>
</td>
</tr>
</tbody>
</table>
<div align="center">
<center>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody>
<tr>
<td width="90%">
</ul>
</li>
<h2 align="left">What is it?</h2>
</ul>
<p>The Shoreline Firewall, more commonly known as "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
firewall that can be used on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system.</p>
<p>This program is free software; you can redistribute it and/or modify
it under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
General Public License</a> as published by the Free Software Foundation.<br>
<br>
This program is distributed
in the hope that it will be useful, but WITHOUT
ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
Public License for more details.<br>
<br>
You should have received
a copy of the GNU General Public License along with
this program; if not, write to the Free Software Foundation,
Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
<p><a href="copyright.htm">Copyright 2001, 2002 Thomas M. Eastep</a></p>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques Nilo and
Eric Wolzak have a LEAF (router/firewall/gateway on a floppy, CD
or compact flash) distribution called <i>Bering</i> that
features Shorewall-1.3.9b and Kernel-2.4.18. You can find
their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
<h2>Thinking of Downloading this Site for Offline Browsing?</h2>
You might want to reconsider -- this site is <u><b>213 MB!!!</b></u>
and you will almost certainly be blacklisted before you download the whole
thing (my SDSL is only 384kbs so I'll have lots of time to catch you). Besides,
if you simply download the product and install it, you get the essential
parts of the site in a fraction of the time. And do you really want to download:<br>
<ul>
<li>The /etc/shorewall/blacklist file now contains
three columns. In addition to the SUBNET/ADDRESS column, there are
optional PROTOCOL and PORT columns to block only certain applications
from the blacklisted addresses.<br>
</li>
<li>Both text and HTML versions of every post ever made on three
different mailing lists (65 MB)?</li>
<li>Every .rpm, .tgz and .lrp ever released for both Shorewall
and Seawall (92MB and 10MB respectively)?</li>
<li>A 2.2.17-14 i586 RedHat Kernel RPM (6.9MB)?<br>
</li>
<li>Several ancient RPMs for courier-imap and maildrop (1.5MB).<br>
</li>
</ul>
You get all that and more if you do a blind recurive copy of this site.
Happy downloading!<br>
<h2>News</h2>
<h2></h2>
<p><b>11/09/2002 - Shorewall 1.3.10</b><b> </b><b><img border="0"
src="file:///home/teastep/Shorewall-docs/images/new10.gif" width="28"
height="12" alt="(New)">
</b></p>
<p>In this version:</p>
<ul>
<li>You may now <a href="IPSEC.htm#Dynamic">define the contents
of a zone dynamically</a> with the <a
href="starting_and_stopping_shorewall.htm">"shorewall add" and "shorewall
delete" commands</a>. These commands are expected to be used primarily within
<a href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a> updown
scripts.</li>
<li>Shorewall can now do<a href="MAC_Validation.html"> MAC verification</a>
on ethernet segments. You can specify the set of allowed MAC addresses on
the segment and you can optionally tie each MAC address to one or more IP
addresses.</li>
<li>PPTP Servers and Clients running on the firewall system may
now be defined in the<a href="PPTP.htm"> /etc/shorewall/tunnels</a> file.</li>
<li>A new 'ipsecnat' tunnel type is supported for use when the
<a href="IPSEC.htm">remote IPSEC endpoint is behind a NAT gateway</a>.</li>
<li>The PATH used by Shorewall may now be specified in <a
href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
<li>The main firewall script is now /usr/lib/shorewall/firewall.
The script in /etc/init.d/shorewall is very small and uses /sbin/shorewall
to do the real work. This change makes custom distributions such as for Debian
and for Gentoo easier to manage since it is /etc/init.d/shorewall that tends
to have distribution-dependent code.</li>
</ul>
If you have installed the 1.3.10 Beta 1 RPM and are now upgrading to version
1.3.10, you will need to use the '--force' option:<br>
<blockquote>
<pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm</pre>
</blockquote>
<p><b>10/24/2002 - Shorewall is now in Gentoo Linux</b><a
href="http://www.gentoo.org"><br>
</a></p>
Alexandru Hartmann reports that his Shorewall package is now a part
of <a href="http://www.gentoo.org">the Gentoo Linux distribution</a>.
Thanks Alex!<br>
<p><b>10/23/2002 - Shorewall 1.3.10 Beta 1</b><b> </b></p>
In this version:<br>
<ul>
<li>You may now <a href="IPSEC.htm#Dynamic">define the
contents of a zone dynamically</a> with the <a
href="starting_and_stopping_shorewall.htm">"shorewall add" and "shorewall
delete" commands</a>. These commands are expected to be used primarily
within <a href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a>
updown scripts.</li>
<li>Shorewall can now do<a href="MAC_Validation.html">
MAC verification</a> on ethernet segments. You can specify the set of
allowed MAC addresses on the segment and you can optionally tie each
MAC address to one or more IP addresses.</li>
<li>PPTP Servers and Clients running on the firewall system
may now be defined in the<a href="PPTP.htm"> /etc/shorewall/tunnels</a>
file.</li>
<li>A new 'ipsecnat' tunnel type is supported for use when
the <a href="IPSEC.htm">remote IPSEC endpoint is behind a NAT
gateway</a>.</li>
<li>The PATH used by Shorewall may now be specified in
<a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
<li>The main firewall script is now /usr/lib/shorewall/firewall.
The script in /etc/init.d/shorewall is very small and uses /sbin/shorewall
to do the real work. This change makes custom distributions such as
for Debian and for Gentoo easier to manage since it is /etc/init.d/shorewall
that tends to have distribution-dependent code.</li>
</ul>
You may download the Beta from:<br>
<ul>
<li><a
href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a></li>
<li><a
href="ftp://ftp.shorewall.net/pub/shorewall/Beta" target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
</li>
</ul>
<p><b>10/10/2002 -  Debian 1.3.9b Packages Available </b><b>
</b><br>
</p>
<p>Apt-get sources listed at <a
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html.</a></p>
<p><b>10/9/2002 - Shorewall 1.3.9b </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
This release rolls up fixes to the installer and to the
firewall script.<br>
<b><br>
10/6/2002 - Shorewall.net now running on RH8.0 </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b><br>
<br>
The firewall and server here at shorewall.net are now
running RedHat release 8.0.<br>
<p><b>9/30/2002 - Shorewall 1.3.9a</b><b>
</b></p>
Roles up the fix for broken tunnels.<br>
<p><b>9/30/2002 - TUNNELS Broken in 1.3.9!!!</b><b>
</b></p>
<img src="images/j0233056.gif"
alt="Brown Paper Bag" width="50" height="86" align="left">
There is an updated firewall script at <a
href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
-- copy that file to /usr/lib/shorewall/firewall.<br>
<p><b><br>
</b></p>
<p><b><br>
</b></p>
<p><b><br>
9/28/2002 - Shorewall 1.3.9 </b><b>
</b></p>
<p>In this version:<br>
</p>
<ul>
<li><a
href="configuration_file_basics.htm#dnsnames">DNS Names</a> are now
allowed in Shorewall config files (although I recommend against
using them).</li>
<li>The connection SOURCE may now be
qualified by both interface and IP address in a <a
href="Documentation.htm#Rules">Shorewall rule</a>.</li>
<li>Shorewall startup is now disabled
after initial installation until the file /etc/shorewall/startup_disabled
is removed. This avoids nasty surprises at reboot for users
who install Shorewall but don't configure it.</li>
<li>The 'functions' and 'version' files
and the 'firewall' symbolic link have been moved from /var/lib/shorewall
to /usr/lib/shorewall to appease the LFS police at Debian.<br>
</li>
</ul>
<p><b>9/11/2002 - Debian 1.3.7c Packages Available </b></p>
<p>Apt-get sources listed at <a
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a>.</p>
<p><b>9/2/2002 - Shorewall 1.3.7c</b></p>
<p>This is a role up of a fix for "DNAT" rules where the source zone
is $FW (fw).</p>
<p><b>8/26/2002 - Shorewall 1.3.7b</b></p>
<p>This is a role up of the "shorewall refresh" bug fix and the change
which reverses the order of "dhcp" and "norfc1918" checking.</p>
<p><b>8/26/2002 - French FTP Mirror is Operational</b></p>
<p><a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall">ftp://france.shorewall.net/pub/mirrors/shorewall</a>
is now available.</p>
<p><b>8/25/2002 - Shorewall Mirror in France </b></p>
<p>Thanks to a Shorewall user in Paris, the Shorewall web site is now
mirrored at <a target="_top"
href="http://france.shorewall.net">http://france.shorewall.net</a>.</p>
<p><a href="News.htm">More News</a></p>
<h2><a name="Donations"></a>Donations</h2>
</td>
<td width="88" bgcolor="#4b017c"
valign="top" align="center"> <a
href="http://sourceforge.net">M</a></td>
</tr>
</tbody>
<h2><a name="Donations"></a>Donations</h2>
</td>
<td width="88"
bgcolor="#4b017c" valign="top" align="center"> <a
href="http://sourceforge.net">M</a></td>
</tr>
</tbody>
</table>
</center>
</div>
</center>
</div>
<table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c">
<tbody>
<tr>
<td width="100%" style="margin-top: 1px;">
<tbody>
<tr>
<td width="100%"
style="margin-top: 1px;">
<p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10">
  </a></p>
  </a></p>
<p align="center"><font size="4" color="#ffffff">Shorewall is free but
if you try it and find it useful, please consider making a donation
to <a href="http://www.starlight.org"><font
<p align="center"><font size="4" color="#ffffff">Shorewall is free
but if you try it and find it useful, please consider making a donation
to <a href="http://www.starlight.org"><font
color="#ffffff">Starlight Children's Foundation.</font></a> Thanks!</font></p>
</td>
</tr>
</tbody>
</table>
<p><font size="2">Updated 9/27/2002 - <a href="support.htm">Tom Eastep</a></font>
</td>
</tr>
<br>
</p>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
</tbody>
</table>
<p><font size="2">Updated 11/9/2002 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
</body>
</html>

169
Shorewall-docs/shoreline.htm
View File

@ -1,111 +1,118 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>About the Shorewall Author</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Tom Eastep</font></h1>
</td>
</tr>
</tbody>
</table>
<p align="center"> <img border="3" src="images/Hiking1.jpg"
alt="Tom on the PCT - 1991" width="374" height="365">
</p>
<p align="center">Tom on the Pacific Crest Trail north of Stevens Pass,
Washington  -- Sept 1991.<br>
<font size="2">Photo by Ken Mazawa</font></p>
<ul>
<li>Born 1945 in <a href="http://www.experiencewashington.com">Washington
State</a> .</li>
<li>BA Mathematics from <a href="http://www.wsu.edu">Washington State
University</a> 1967</li>
<li>MA Mathematics from <a href="http://www.washington.edu">University
of Washington</a> 1969</li>
<li>Burroughs Corporation (now <a href="http://www.unisys.com">Unisys</a>
) 1969 - 1980</li>
<li><a href="http://www.tandem.com">Tandem Computers, Incorporated</a>
(now part of the <a href="http://www.hp.com">The New HP</a>) 1980 - present</li>
<li>Married 1969 - no children.</li>
</ul>
<p>I am currently a member of the design team for the next-generation
operating system from the NonStop Enterprise Division of HP. </p>
<p>I became interested in Internet Security when I established a home office
in 1999 and had DSL service installed in our home. I investigated ipchains
and developed the scripts which are now collectively known as <a
href="http://seawall.sourceforge.net"> Seattle Firewall</a>. Expanding
on what I learned from Seattle Firewall, I then designed and wrote
Shorewall. </p>
<p>I telework from our home in <a href="http://www.cityofshoreline.com">Shoreline,
Washington</a> where I live with my wife Tarry. </p>
<p>Our current home network consists of: </p>
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Tom Eastep</font></h1>
</td>
</tr>
</tbody>
</table>
<p align="center"> <img border="3" src="images/TomNTarry.png"
alt="Tom on the PCT - 1991" width="316" height="392">
</p>
<p align="center">Tarry &amp; Tom -- August 2002<br>
<br>
</p>
<ul>
<li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &amp; 8GB IDE HDs
and LNE100TX (Tulip) NIC - My personal Windows system.</li>
<li>Celeron 1.4Gz, RH7.3, 384MB RAM, 60GB HD, LNE100TX(Tulip) NIC -
My personal Linux System which runs Samba configured as a WINS server.
This system also has <a href="http://www.vmware.com/">VMware</a> installed
and can run both <a href="http://www.debian.org">Debian</a> and
<a href="http://www.suse.com">SuSE</a> in virtual machines.</li>
<li>K6-2/350, RH7.3, 384MB RAM, 8GB IDE HD, EEPRO100 NIC  - Mail (Postfix
&amp; Courier-IMAP), HTTP (Apache), FTP (Pure_ftpd), DNS server (Bind).</li>
<li>PII/233, RH7.3 with 2.4.20-pre6 kernel, 256MB MB RAM, 2GB SCSI HD
- 3 LNE100TX  (Tulip) and 1 TLAN NICs  - Firewall running Shorewall
1.3.9 (Yep -- I run them before I release them) and a DHCP server.  Also
runs PoPToP for road warrior access.</li>
<li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - My wife's
personal system.</li>
<li>PII/400 Laptop, Win2k SP2, 224MB RAM, 12GB HD, onboard EEPRO100
and EEPRO100 in expansion base and LinkSys WAC11 - My main work system.</li>
<li>Born 1945 in <a href="http://www.experiencewashington.com">Washington
State</a> .</li>
<li>BA Mathematics from <a href="http://www.wsu.edu">Washington
State University</a> 1967</li>
<li>MA Mathematics from <a href="http://www.washington.edu">University
of Washington</a> 1969</li>
<li>Burroughs Corporation (now <a href="http://www.unisys.com">Unisys</a>
) 1969 - 1980</li>
<li><a href="http://www.tandem.com">Tandem Computers, Incorporated</a>
(now part of the <a href="http://www.hp.com">The New HP</a>) 1980 - present</li>
<li>Married 1969 - no children.</li>
</ul>
<p>I am currently a member of the design team for the next-generation
operating system from the NonStop Enterprise Division of HP. </p>
<p>I became interested in Internet Security when I established a home office
in 1999 and had DSL service installed in our home. I investigated
ipchains and developed the scripts which are now collectively known as <a
href="http://seawall.sourceforge.net"> Seattle Firewall</a>. Expanding
on what I learned from Seattle Firewall, I then designed and wrote
Shorewall. </p>
<p>I telework from our home in <a href="http://www.cityofshoreline.com">Shoreline,
Washington</a> where I live with my wife Tarry. </p>
<p>Our current home network consists of: </p>
<ul>
<li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &amp; 8GB IDE
HDs and LNE100TX (Tulip) NIC - My personal Windows system. Also has
RedHat 8.0 installed.</li>
<li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip) NIC
- My personal Linux System which runs Samba configured as a WINS server.
This system also has <a href="http://www.vmware.com/">VMware</a> installed
and can run both <a href="http://www.debian.org">Debian Woody</a>
and <a href="http://www.suse.com">SuSE 8.1</a> in virtual machines.</li>
<li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC  - Mail
(Postfix &amp; Courier-IMAP), HTTP (Apache), FTP (Pure_ftpd), DNS server
(Bind).</li>
<li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI HD - 3 LNE100TX 
(Tulip) and 1 TLAN NICs  - Firewall running Shorewall 1.3.9a  and a DHCP
server.  Also runs PoPToP for road warrior access.</li>
<li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - My wife's
personal system.</li>
<li>PII/400 Laptop, Win2k SP2, 224MB RAM, 12GB HD, onboard EEPRO100
and EEPRO100 in expansion base and LinkSys WAC11 - My main work system.</li>
</ul>
<p>For more about our network see <a href="myfiles.htm">my Shorewall Configuration</a>.</p>
<p>All of our other systems are made by <a
href="http://www.compaq.com">Compaq</a> (part of the new <a
href="http://www.hp.com/">HP</a>).. All of our Tulip NICs are <a
href="http://www.netgear.com">Netgear</a> FA310TXs.</p>
<p><a href="http://www.redhat.com"><img border="0"
src="images/poweredby.png" width="88" height="31">
</a><a href="http://www.compaq.com"><img border="0"
</a><a href="http://www.compaq.com"><img border="0"
src="images/poweredbycompaqlog0.gif" hspace="3" width="83" height="25">
</a><a href="http://www.pureftpd.org"><img border="0"
</a><a href="http://www.pureftpd.org"><img border="0"
src="images/pure.jpg" width="88" height="31">
</a><font size="4"><a href="http://www.apache.org"><img border="0"
</a><font size="4"><a href="http://www.apache.org"><img border="0"
src="images/apache_pb1.gif" hspace="2" width="170" height="20">
</a> </font></p>
<p><font size="2">Last updated 9/19/2002 - </font><font size="2"> <a
</a> </font></p>
<p><font size="2">Last updated 10/28/2002 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
<br>
<br>
<br>
<br>
<br>
</body>
</html>

26
Shorewall-docs/shorewall_ca_certificate.htm
View File

@ -1,26 +0,0 @@
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Shorewall CA Certificate</title>
</head>
<body>
<h1 align="center">Shorewall CA Certificate</h1>
<p align="center">Load <a href="ca.crt">this certificate</a> into your browser
to use SSL to the Shorewall Site</p>
<p align="left"><font size="2">Last updated
8/10/2002 - <a href="support.htm">Tom
Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
</body>
</html>

188
Shorewall-docs/shorewall_features.htm
View File

@ -1,91 +1,111 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Features</title>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Features</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Shorewall Features</font></h1>
</td>
</tr>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Features</font></h1>
</td>
</tr>
</tbody>
</table>
<ul>
<li>Uses Netfilter's connection tracking facilities for stateful packet
filtering.</li>
<li>Can be used in a <b> wide range of router/firewall/gateway applications</b>.
<ul>
<li>Completely customizable using configuration files.</li>
<li>No limit on the number of network interfaces.</li>
<li>Allows you to partitions the network into <i><a href="Documentation.htm#Zones">zones</a></i>
and gives you complete control over the connections permitted between
each pair of zones.</li>
<li>Multiple interfaces per zone and multiple zones per interface
permitted.</li>
<li>Supports nested and overlapping zones.</li>
</ul>
</li>
<li> <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a> to help
get your first firewall up and running quickly</li>
<li>Extensive <b> <a href="Documentation_Index.htm" target="_top">documentation</a> </b>
included in the .tgz and .rpm downloads.</li>
<li><b>Flexible address management/routing support</b> (and you can use all
types in the same firewall):
<ul>
<li><a href="Documentation.htm#Masq">Masquerading/SNAT</a></li>
<li><a href="Documentation.htm#PortForward">Port Forwarding (DNAT)</a>.</li>
<li><a href="Documentation.htm#NAT">
Static NAT</a>.</li>
<li><a href="Documentation.htm#ProxyArp">
Proxy ARP</a>.</li>
<li>Simple host/subnet Routing</li>
</ul>
</li>
<li><a href="blacklisting_support.htm"><b>Blacklisting</b></a> of individual
IP addresses and subnetworks is supported.</li>
<li><b><a href="starting_and_stopping_shorewall.htm">Operational support</a></b>:
<ul>
<li>Commands to start, stop and clear the firewall</li>
<li>Supports status monitoring
with an audible alarm when an "interesting" packet is detected.</li>
<li>Wide variety of informational commands.</li>
</ul>
</li>
<li><b>VPN Support</b>
<ul>
<li><a href="Documentation.htm#Tunnels">IPSEC, GRE and IPIP
Tunnels</a>.</li>
<li><a href="PPTP.htm">PPTP </a> clients and Servers.</li>
</ul>
</li>
<li>Support for <a href="traffic_shaping.htm"><b>Traffic Control/Shaping</b></a>
integration.</li>
<li>Wide support for different <b>GNU/Linux Distributions</b>.
<ul>
<li><a href="Install.htm#Install_RPM"><b>RPM</b></a> and <a href="http://security.dsi.unimi.it/~lorenzo/debian.html"><b>Debian</b></a>
packages available.</li>
<li>Includes <a href="Install.htm"><b>automated install, upgrade, fallback
and uninstall facilities</b></a> for users who can't use or choose not
to use the RPM or Debian packages.</li>
<li>Compatible with 2.4-kernel based versions of <b> <a href="http://leaf.sourceforge.net">
LEAF</a>
</b>
.</li>
</ul>
</li>
<li>Uses Netfilter's connection tracking facilities for stateful packet
filtering.</li>
<li>Can be used in a <b> wide range of router/firewall/gateway applications</b>.
<ul>
<li>Completely customizable using configuration files.</li>
<li>No limit on the number of network interfaces.</li>
<li>Allows you to partitions the network into <i><a
href="Documentation.htm#Zones">zones</a></i> and gives you complete
control over the connections permitted between each pair of zones.</li>
<li>Multiple interfaces per zone and multiple zones per interface
permitted.</li>
<li>Supports nested and overlapping zones.</li>
</ul>
</li>
<li> <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a> to
help get your first firewall up and running quickly</li>
<li>Extensive <b> <a href="Documentation_Index.htm" target="_top">documentation</a>
</b> included in the .tgz and .rpm downloads.</li>
<li><b>Flexible address management/routing support</b> (and you can use
all types in the same firewall):
<ul>
<li><a href="Documentation.htm#Masq">Masquerading/SNAT</a></li>
<li><a href="Documentation.htm#PortForward">Port Forwarding (DNAT)</a>.</li>
<li><a href="Documentation.htm#NAT"> Static NAT</a>.</li>
<li><a href="Documentation.htm#ProxyArp"> Proxy ARP</a>.</li>
<li>Simple host/subnet Routing</li>
</ul>
</li>
<li><a href="blacklisting_support.htm"><b>Blacklisting</b></a> of individual
IP addresses and subnetworks is supported.</li>
<li><b><a href="starting_and_stopping_shorewall.htm">Operational support</a></b>:
<ul>
<li>Commands to start, stop and clear the firewall</li>
<li>Supports status monitoring with an audible alarm
when an "interesting" packet is detected.</li>
<li>Wide variety of informational commands.</li>
</ul>
</li>
<li><b>VPN Support</b>
<ul>
<li><a href="Documentation.htm#Tunnels">IPSEC, GRE and IPIP Tunnels</a>.</li>
<li><a href="PPTP.htm">PPTP </a> clients and Servers.</li>
</ul>
</li>
<li>Support for <a href="traffic_shaping.htm"><b>Traffic Control/Shaping</b></a>
integration.</li>
<li>Wide support for different <b>GNU/Linux Distributions</b>.
<ul>
<li><a href="Install.htm#Install_RPM"><b>RPM</b></a> and <a
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html"><b>Debian</b></a>
packages available.</li>
<li>Includes <a href="Install.htm"><b>automated install, upgrade, fallback
and uninstall facilities</b></a> for users who can't use or choose
not to use the RPM or Debian packages.</li>
<li>Included as a standard part of<b> <a
href="http://leaf.sourceforge.net/devel/jnilo"> LEAF/Bering</a> </b>(router/firewall
on a floppy, CD or compact flash).</li>
</ul>
</li>
<li><a href="MAC_Validation.html">Media Access Control (<b>MAC</b>) Address
<b>Verification</b><br>
</a><br>
</li>
</ul>
<p><font size="2">Last updated 7/14/2002 - <a href="support.htm">Tom
Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm">
<font size="2">Copyright</font> © <font size="2">2001,2002 Thomas M. Eastep.</font></a></font></p>
<p><font size="2">Last updated 11/09/2002 - <a href="support.htm">Tom Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001,2002 Thomas M. Eastep.</font></a></font><br>
</p>
</body>
</html>
</html>

312
Shorewall-docs/shorewall_quickstart_guide.htm
View File

@ -1,209 +1,221 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall QuickStart Guide</title>
<meta name="Microsoft Theme" content="none">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall QuickStart Guides<br>
Version 3.1</font></h1>
</td>
</tr>
</tbody>
Version 3.1</font></h1>
</td>
</tr>
</tbody>
</table>
<p align="center">With thanks to Richard who reminded me once again that we
must all first walk before we can run.</p>
<h2>The Guides</h2>
<p>These guides provide step-by-step instructions for configuring Shorewall
in common firewall setups.</p>
<p>The following guides are for users who have a single public IP address:</p>
in common firewall setups.</p>
<p>The following guides are for <b>users who have a single public IP address</b>:</p>
<ul>
<li><a href="standalone.htm">Standalone</a> Linux System</li>
<li><a href="two-interface.htm">Two-interface</a> Linux System acting
as a firewall/router for a small local network</li>
<li><a href="three-interface.htm">Three-interface</a> Linux System acting
as a firewall/router for a small local network and a DMZ.</li>
<li><a href="standalone.htm">Standalone</a> Linux System</li>
<li><a href="two-interface.htm">Two-interface</a> Linux System acting
as a firewall/router for a small local network</li>
<li><a href="three-interface.htm">Three-interface</a> Linux System
acting as a firewall/router for a small local network and a DMZ.</li>
</ul>
<p>The above guides are designed to get your first firewall up and running
quickly in the three most common Shorewall configurations.</p>
quickly in the three most common Shorewall configurations.</p>
<p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> outlines
the steps necessary to set up a firewall where there are multiple public
IP addresses involved or if you want to learn more about Shorewall than is
explained in the single-address guides above.</p>
the steps necessary to set up a firewall where <b>there are multiple public
IP addresses involved or if you want to learn more about Shorewall than
is explained in the single-address guides above.</b></p>
<ul>
<li><a href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a></li>
<li><a href="shorewall_setup_guide.htm#Concepts">2.0 Shorewall Concepts</a></li>
<li><a href="shorewall_setup_guide.htm#Interfaces">3.0 Network Interfaces</a></li>
<li><a href="shorewall_setup_guide.htm#Addressing">4.0 Addressing, Subnets
and Routing</a>
<li><a href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a></li>
<li><a href="shorewall_setup_guide.htm#Concepts">2.0 Shorewall Concepts</a></li>
<li><a href="shorewall_setup_guide.htm#Interfaces">3.0 Network Interfaces</a></li>
<li><a href="shorewall_setup_guide.htm#Addressing">4.0 Addressing,
Subnets and Routing</a>
<ul>
<li><a href="shorewall_setup_guide.htm#Addresses">4.1 IP Addresses</a></li>
<li><a href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
<li><a href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li>
<li><a href="shorewall_setup_guide.htm#ARP">4.4 Address Resolution
Protocol</a></li>
<li><a href="shorewall_setup_guide.htm#Addresses">4.1 IP Addresses</a></li>
<li><br>
</li>
<li><a href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
<li><a href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li>
<li><a href="shorewall_setup_guide.htm#ARP">4.4 Address Resolution
Protocol</a></li>
</ul>
<ul>
<li><a href="shorewall_setup_guide.htm#RFC1918">4.5 RFC 1918</a></li>
<li><a href="shorewall_setup_guide.htm#RFC1918">4.5 RFC 1918</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#Options">5.0 Setting up your Network</a>
</li>
<li><a href="shorewall_setup_guide.htm#Options">5.0 Setting up your
Network</a>
<ul>
<li><a href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li>
<li><a href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li>
</ul>
<ul>
<li><a href="shorewall_setup_guide.htm#NonRouted">5.2 Non-routed</a>
<li><a href="shorewall_setup_guide.htm#NonRouted">5.2 Non-routed</a>
<ul>
<li><a href="shorewall_setup_guide.htm#SNAT">5.2.1 SNAT</a></li>
<li><a href="shorewall_setup_guide.htm#DNAT">5.2.2 DNAT</a></li>
<li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3 Proxy ARP</a></li>
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4 Static NAT</a></li>
<li><a href="shorewall_setup_guide.htm#SNAT">5.2.1 SNAT</a></li>
<li><a href="shorewall_setup_guide.htm#DNAT">5.2.2 DNAT</a></li>
<li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3 Proxy
ARP</a></li>
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4 Static NAT</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#Rules">5.3 Rules</a></li>
<li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4 Odds and Ends</a></li>
</li>
<li><a href="shorewall_setup_guide.htm#Rules">5.3 Rules</a></li>
<li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4 Odds and
Ends</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#DNS">6.0 DNS</a></li>
<li><a href="shorewall_setup_guide.htm#StartingAndStopping">7.0 Starting
and Stopping the Firewall</a></li>
</li>
<li><a href="shorewall_setup_guide.htm#DNS">6.0 DNS</a></li>
<li><a href="shorewall_setup_guide.htm#StartingAndStopping">7.0 Starting
and Stopping the Firewall</a></li>
</ul>
<h2><a name="Documentation"></a>Additional Documentation</h2>
<p>The following documentation covers a variety of topics and supplements
the <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a> described
above.</p>
<p>The following documentation covers a variety of topics and <b>supplements
the <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a> described
above</b>. Please review the appropriate guide before trying to use this
documentation directly.</p>
<ul>
<li><a href="blacklisting_support.htm">Blacklisting</a>
<li><a href="blacklisting_support.htm">Blacklisting</a>
<ul>
<li>Static Blacklisting using /etc/shorewall/blacklist</li>
<li>Dynamic Blacklisting using /sbin/shorewall</li>
<li>Static Blacklisting using /etc/shorewall/blacklist</li>
<li>Dynamic Blacklisting using /sbin/shorewall</li>
</ul>
</li>
<li><a href="configuration_file_basics.htm">Common configuration file
features</a>
</li>
<li><a href="configuration_file_basics.htm">Common configuration
file features</a>
<ul>
<li>Comments in configuration files</li>
<li>Line Continuation</li>
<li>Port Numbers/Service Names</li>
<li>Port Ranges</li>
<li>Using Shell Variables</li>
<li>Using DNS Names<br>
</li>
<li>Complementing an IP address or Subnet</li>
<li>Shorewall Configurations (making a test configuration)</li>
<li>Using MAC Addresses in Shorewall</li>
<li>Comments in configuration files</li>
<li>Line Continuation</li>
<li>Port Numbers/Service Names</li>
<li>Port Ranges</li>
<li>Using Shell Variables</li>
<li>Using DNS Names<br>
</li>
<li>Complementing an IP address or Subnet</li>
<li>Shorewall Configurations (making a test configuration)</li>
<li>Using MAC Addresses in Shorewall</li>
</ul>
</li>
<li><a href="Documentation.htm">Configuration File Reference Manual</a>
</li>
<li><a href="Documentation.htm">Configuration File Reference Manual</a>
<ul>
<li> <a href="Documentation.htm#Variables">params</a></li>
<li><font color="#000099"><a href="Documentation.htm#Zones">zones</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#Interfaces">interfaces</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#Hosts">hosts</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#Policy">policy</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#Rules">rules</a></font></li>
<li><a href="Documentation.htm#Common">common</a></li>
<li><font color="#000099"><a href="Documentation.htm#Masq">masq</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#ProxyArp">proxyarp</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#NAT">nat</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#Tunnels">tunnels</a></font></li>
<li><a href="traffic_shaping.htm#tcrules">tcrules</a></li>
<li><font color="#000099"><a href="Documentation.htm#Conf">shorewall.conf</a></font></li>
<li><a href="Documentation.htm#modules">modules</a></li>
<li><a href="Documentation.htm#TOS">tos</a> </li>
<li><a href="Documentation.htm#Blacklist">blacklist</a></li>
<li><a href="Documentation.htm#rfc1918">rfc1918</a></li>
<li><a href="Documentation.htm#Routestopped">routestopped</a></li>
<li> <a href="Documentation.htm#Variables">params</a></li>
<li><font color="#000099"><a href="Documentation.htm#Zones">zones</a></font></li>
<li><font color="#000099"><a
href="Documentation.htm#Interfaces">interfaces</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#Hosts">hosts</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#Policy">policy</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#Rules">rules</a></font></li>
<li><a href="Documentation.htm#Common">common</a></li>
<li><font color="#000099"><a href="Documentation.htm#Masq">masq</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#ProxyArp">proxyarp</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#NAT">nat</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#Tunnels">tunnels</a></font></li>
<li><a href="traffic_shaping.htm#tcrules">tcrules</a></li>
<li><font color="#000099"><a href="Documentation.htm#Conf">shorewall.conf</a></font></li>
<li><a href="Documentation.htm#modules">modules</a></li>
<li><a href="Documentation.htm#TOS">tos</a> </li>
<li><a href="Documentation.htm#Blacklist">blacklist</a></li>
<li><a href="Documentation.htm#rfc1918">rfc1918</a></li>
<li><a href="Documentation.htm#Routestopped">routestopped</a></li>
</ul>
</li>
<li><a href="dhcp.htm">DHCP</a></li>
<li><font color="#000099"><a href="shorewall_extension_scripts.htm">Extension
Scripts</a></font> (How to extend Shorewall without modifying Shorewall
code)</li>
<li><a href="fallback.htm">Fallback/Uninstall</a></li>
<li><a href="shorewall_firewall_structure.htm">Firewall Structure</a></li>
<li><font color="#000099"><a href="kernel.htm">Kernel Configuration</a></font></li>
<li><a href="myfiles.htm">My Configuration Files</a> (How I personally
use Shorewall)</li>
<li><a href="ports.htm">Port Information</a>
</li>
<li><a href="dhcp.htm">DHCP</a></li>
<li><font color="#000099"><a
href="shorewall_extension_scripts.htm">Extension Scripts</a></font>
(How to extend Shorewall without modifying Shorewall code)</li>
<li><a href="fallback.htm">Fallback/Uninstall</a></li>
<li><a href="shorewall_firewall_structure.htm">Firewall Structure</a></li>
<li><font color="#000099"><a href="kernel.htm">Kernel Configuration</a></font></li>
<li><a href="myfiles.htm">My Configuration Files</a> (How I personally
use Shorewall)</li>
<li><a href="ports.htm">Port Information</a>
<ul>
<li>Which applications use which ports</li>
<li>Ports used by Trojans</li>
<li>Which applications use which ports</li>
<li>Ports used by Trojans</li>
</ul>
</li>
<li><a href="ProxyARP.htm">Proxy ARP</a></li>
<li><a href="samba.htm">Samba</a></li>
<li><font color="#000099"><a
</li>
<li><a href="ProxyARP.htm">Proxy ARP</a></li>
<li><a href="samba.htm">Samba</a></li>
<li><font color="#000099"><a
href="starting_and_stopping_shorewall.htm">Starting/stopping the Firewall</a></font></li>
<li><font color="#000099"><a href="NAT.htm">Static NAT</a></font></li>
<li><a href="traffic_shaping.htm">Traffic Shaping/Control</a></li>
<li>VPN
<li><font color="#000099"><a href="NAT.htm">Static NAT</a></font></li>
<li><a href="traffic_shaping.htm">Traffic Shaping/Control</a></li>
<li>VPN
<ul>
<li><a href="IPSEC.htm">IPSEC</a></li>
<li><a href="IPIP.htm">GRE and IPIP</a></li>
<li><a href="PPTP.htm">PPTP</a></li>
<li><a href="VPN.htm">IPSEC/PPTP</a> from a system behind your firewall
to a remote network.</li>
<li><a href="IPSEC.htm">IPSEC</a></li>
<li><a href="IPIP.htm">GRE and IPIP</a></li>
<li><a href="PPTP.htm">PPTP</a></li>
<li><a href="VPN.htm">IPSEC/PPTP</a> from a system behind your
firewall to a remote network.</li>
</ul>
</li>
<li><a href="whitelisting_under_shorewall.htm">White List Creation</a></li>
</li>
<li><a href="whitelisting_under_shorewall.htm">White List Creation</a></li>
</ul>
<p>If you use one of these guides and have a suggestion for improvement <a
href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
<p><font size="2">Last modified 9/16/2002 - <a
<p><font size="2">Last modified 11/3/2002 - <a
href="file:///J:/Shorewall/Shorewall-docs/support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright 2002 Thomas M. Eastep</font></a></p>
<br>
<br>
<br>
<br>
<br>
<br>
</body>
</html>

302
Shorewall-docs/starting_and_stopping_shorewall.htm
View File

@ -1,13 +1,13 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Starting and Stopping Shorewall</title>
@ -15,211 +15,227 @@
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Starting/Stopping and Monitoring
the Firewall</font></h1>
<td width="100%">
<h1 align="center"><font color="#ffffff">Starting/Stopping and Monitoring
the Firewall</font></h1>
</td>
</td>
</tr>
</tr>
</tbody>
</tbody>
</table>
<p> If you have a permanent internet connection such as DSL or Cable,
I recommend that you start the firewall automatically at boot. Once you
have installed "firewall" in your init.d directory, simply type
"chkconfig --add firewall". This will start the firewall in run levels
2-5 and stop it in run levels 1 and 6. If you want to configure your firewall
differently from this default, you can use the "--level" option in
chkconfig (see "man chkconfig") or using your favorite graphical run-level
editor.</p>
<p><strong><u> <font color="#000099"> Important Notes:</font></u></strong><br>
</p>
<ol>
<li>Shorewall startup is disabled by default. Once you have configured
your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.
Note: Users of the .deb package must edit /etc/default/shorewall and set
'startup=1'.<br>
</li>
<li>If you use dialup, you may want to start the firewall in your
/etc/ppp/ip-up.local script. I recommend just placing "shorewall restart"
in that script.</li>
</ol>
<p>
</p>
<p> You can manually start and stop Shoreline Firewall using the "shorewall"
<p> If you have a permanent internet connection such as DSL or Cable,
I recommend that you start the firewall automatically at boot. Once
you have installed "firewall" in your init.d directory, simply type
"chkconfig --add firewall". This will start the firewall in run levels
2-5 and stop it in run levels 1 and 6. If you want to configure your
firewall differently from this default, you can use the "--level" option
in chkconfig (see "man chkconfig") or using your favorite graphical
run-level editor.</p>
<p><strong><u> <font color="#000099"> Important Notes:</font></u></strong><br>
</p>
<ol>
<li>Shorewall startup is disabled by default. Once you have configured
your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.
Note: Users of the .deb package must edit /etc/default/shorewall and set
'startup=1'.<br>
</li>
<li>If you use dialup, you may want to start the firewall in your
/etc/ppp/ip-up.local script. I recommend just placing "shorewall restart"
in that script.</li>
</ol>
<p>
</p>
<p> You can manually start and stop Shoreline Firewall using the "shorewall"
shell program: </p>
<ul>
<li>shorewall start - starts the firewall</li>
<li>shorewall stop - stops the firewall</li>
<li>shorewall restart - stops the firewall (if it's running)
and then starts it again</li>
<li>shorewall reset - reset the packet and byte counters
in the firewall</li>
<li>shorewall clear - remove all rules and chains installed
by Shoreline Firewall</li>
<li>shorewall refresh - refresh the rules involving the broadcast
addresses of firewall interfaces and the black and white lists.</li>
<li>shorewall start - starts the firewall</li>
<li>shorewall stop - stops the firewall</li>
<li>shorewall restart - stops the firewall (if it's running)
and then starts it again</li>
<li>shorewall reset - reset the packet and byte counters
in the firewall</li>
<li>shorewall clear - remove all rules and chains installed
by Shoreline Firewall</li>
<li>shorewall refresh - refresh the rules involving the broadcast
addresses of firewall interfaces and the black and white lists.</li>
</ul>
<p> The "shorewall" program may also be used to monitor the firewall.</p>
<ul>
<li>shorewall status - produce a verbose report about the firewall
(iptables -L -n -v)</li>
<li>shorewall show <i>chain</i> - produce a verbose report about <i>chain
</i>(iptables -L <i>chain</i> -n -v)</li>
<li>shorewall show nat - produce a verbose report about the nat table
(iptables -t nat -L -n -v)</li>
<li>shorewall show tos - produce a verbose report about the mangle table
(iptables -t mangle -L -n -v)</li>
<li>shorewall show log - display the last 20 packet log entries.</li>
<li>shorewall show connections - displays the IP connections currently
being tracked by the firewall.</li>
<li>shorewall
show
tc - displays information
about the traffic control/shaping configuration.</li>
<li>shorewall monitor [ delay ] - Continuously display the firewall
status, last 20 log entries and nat. When the log entry display
changes, an audible alarm is sounded.</li>
<li>shorewall hits - Produces several reports about the Shorewall packet
log messages in the current /var/log/messages file.</li>
<li>shorewall version - Displays the installed version number.</li>
<li>shorewall check - Performs a <u>cursory</u> validation of the
zones, interfaces, hosts, rules and policy files. <font size="4"
color="#ff6666"><b>The "check" command does not parse and validate the
generated iptables commands so even though the "check" command completes
successfully, the configuration may fail to start. See the recommended
way to make configuration changes described below. </b></font> </li>
<li>shorewall try<i> configuration-directory</i> [<i> timeout</i> ]
- Restart shorewall using the specified configuration and if an error
occurs or if the<i> timeout </i> option is given and the new configuration
has been up for that many seconds then shorewall is restarted using the
standard configuration.</li>
<li>shorewall deny, shorewall reject, shorewall accept and shorewall
save implement <a href="blacklisting_support.htm">dynamic blacklisting</a>.</li>
<li>shorewall logwatch (added in version 1.3.2) - Monitors the <a
href="#Conf">LOGFILE </a>and produces an audible alarm when new Shorewall
messages are logged.</li>
<li>shorewall status - produce a verbose report about the firewall
(iptables -L -n -v)</li>
<li>shorewall show <i>chain</i> - produce a verbose report about <i>chain
</i>(iptables -L <i>chain</i> -n -v)</li>
<li>shorewall show nat - produce a verbose report about the nat table
(iptables -t nat -L -n -v)</li>
<li>shorewall show tos - produce a verbose report about the mangle
table (iptables -t mangle -L -n -v)</li>
<li>shorewall show log - display the last 20 packet log entries.</li>
<li>shorewall show connections - displays the IP connections currently
being tracked by the firewall.</li>
<li>shorewall
show
tc - displays information
about the traffic control/shaping configuration.</li>
<li>shorewall monitor [ delay ] - Continuously display the firewall
status, last 20 log entries and nat. When the log entry display
changes, an audible alarm is sounded.</li>
<li>shorewall hits - Produces several reports about the Shorewall packet
log messages in the current /var/log/messages file.</li>
<li>shorewall version - Displays the installed version number.</li>
<li>shorewall check - Performs a <u>cursory</u> validation of
the zones, interfaces, hosts, rules and policy files. <font size="4"
color="#ff6666"><b>The "check" command does not parse and validate the
generated iptables commands so even though the "check" command completes
successfully, the configuration may fail to start. See the recommended
way to make configuration changes described below. </b></font> </li>
<li>shorewall try<i> configuration-directory</i> [<i> timeout</i> ]
- Restart shorewall using the specified configuration and if an error
occurs or if the<i> timeout </i> option is given and the new configuration
has been up for that many seconds then shorewall is restarted using
the standard configuration.</li>
<li>shorewall deny, shorewall reject, shorewall accept and shorewall
save implement <a href="blacklisting_support.htm">dynamic blacklisting</a>.</li>
<li>shorewall logwatch (added in version 1.3.2) - Monitors the <a
href="#Conf">LOGFILE </a>and produces an audible alarm when new Shorewall
messages are logged.</li>
</ul>
Finally, the "shorewall" program may be used to dynamically alter the contents
of a zone.<br>
<ul>
<li>shorewall add <i>interface</i>[:<i>host]</i> <i>zone </i>- Adds the
specified interface (and host if included) to the specified zone.</li>
<li>shorewall delete <i>interface</i>[:<i>host]</i> <i>zone </i>- Deletes
the specified interface (and host if included) from the specified zone.</li>
</ul>
<blockquote>Examples:<br>
<blockquote>shorewall add ipsec0:192.0.2.24 vpn1 -- adds the address 192.0.2.24
from interface ipsec0 to the zone vpn1<br>
shorewall delete ipsec0:192.0.2.24 vpn1 -- deletes the address 192.0.2.24
from interface ipsec0 from zone vpn1<br>
</blockquote>
</blockquote>
<p> The <b>shorewall start</b>, <b>shorewall restart, shorewall check </b> and
<p> The <b>shorewall start</b>, <b>shorewall restart, shorewall check </b> and
<b>shorewall try </b>commands allow you to specify which <a
href="#Configs"> Shorewall configuration</a> to use:</p>
<blockquote>
<blockquote>
<p> shorewall [ -c <i>configuration-directory</i> ] {start|restart|check}<br>
shorewall try <i>configuration-directory</i></p>
</blockquote>
shorewall try <i>configuration-directory</i></p>
</blockquote>
<p> If a <i>configuration-directory</i> is specified, each time that Shorewall
is going to use a file in /etc/shorewall it will first look in the <i>configuration-directory</i>
. If the file is present in the <i>configuration-directory</i>, that file
<p> If a <i>configuration-directory</i> is specified, each time that Shorewall
is going to use a file in /etc/shorewall it will first look in the <i>configuration-directory</i>
. If the file is present in the <i>configuration-directory</i>, that file
will be used; otherwise, the file in /etc/shorewall will be used.</p>
<p> When changing the configuration of a production firewall, I recommend
the following:</p>
<p> When changing the configuration of a production firewall, I recommend
the following:</p>
<ul>
<li>mkdir /etc/test</li>
<li>mkdir /etc/test</li>
<li>cd /etc/test</li>
<li>cd /etc/test</li>
<li>&lt;copy any files that you need to change from /etc/shorewall
to . and change them here&gt;</li>
<li>&lt;copy any files that you need to change from /etc/shorewall
to . and change them here&gt;</li>
<li>shorewall -c . check</li>
<li>shorewall -c . check</li>
<li>&lt;correct any errors found by check and check again&gt;</li>
<li>&lt;correct any errors found by check and check again&gt;</li>
<li>/sbin/shorewall try .</li>
<li>/sbin/shorewall try .</li>
</ul>
<p> If the configuration starts but doesn't work, just "shorewall restart"
to restore the old configuration. If the new configuration fails to start,
the "try" command will automatically start the old one for you.</p>
<p> If the configuration starts but doesn't work, just "shorewall restart"
to restore the old configuration. If the new configuration fails to start,
the "try" command will automatically start the old one for you.</p>
<p> When the new configuration works then just </p>
<ul>
<li>cp * /etc/shorewall</li>
<li>cp * /etc/shorewall</li>
<li>cd</li>
<li>cd</li>
<li>rm -rf /etc/test</li>
<li>rm -rf /etc/test</li>
</ul>
<p><font size="2"> Updated 9/26/2002 - <a href="support.htm">Tom Eastep</a>
<p><font size="2"> Updated 10/23/2002 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br>
<br>
</body>
</html>

160
Shorewall-docs/support.htm
View File

@ -1,77 +1,78 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Support</title>
<meta name="Microsoft Theme" content="none">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Support</font></h1>
</td>
</tr>
</tbody>
</td>
</tr>
</tbody>
</table>
<h3 align="left"> <span style="font-weight: 400;"><i> "<font size="3">It is
easier to post a problem than to use your own brain" </font>-- </i> <font
<h3 align="left"> <span style="font-weight: 400;"><i> "<font size="3">It
is easier to post a problem than to use your own brain" </font>-- </i> <font
size="2">Wietse Venema (creator of <a href="http://www.postfix.org">Postfix</a>)</font></span></h3>
<p align="left"> <i>"Any sane computer will tell you how it works -- you just
have to ask it the right questions" </i>-- <font size="2">Tom Eastep</font></p>
<p align="left"> <i>"Any sane computer will tell you how it works -- you
just have to ask it the right questions" </i>-- <font size="2">Tom Eastep</font></p>
<blockquote> </blockquote>
<p><span style="font-weight: 400;"><i>"It irks me when people believe that
free software comes at no cost. The cost is incredibly high."</i>
- <font size="2"> Wietse Venema</font></span></p>
<p><span style="font-weight: 400;"><i>"It irks me when people believe that
free software comes at no cost. The cost is incredibly high."</i>
- <font size="2"> Wietse Venema</font></span></p>
<h3 align="left">Before Reporting a Problem</h3>
<p>There are a number of sources for problem solution information.</p>
<ul>
<li>The <a href="FAQ.htm">FAQ</a> has solutions to common problems.</li>
<li>The <a href="troubleshoot.htm">Troubleshooting</a> Information
<li>The <a href="FAQ.htm">FAQ</a> has solutions to common problems.</li>
<li>The <a href="troubleshoot.htm">Troubleshooting</a> Information
contains a number of tips to help you solve common problems.</li>
<li>The <a href="errata.htm"> Errata</a> has links to download updated
components.</li>
<li>The Mailing List Archives search facility can locate posts about
<li>The <a href="errata.htm"> Errata</a> has links to download updated
components.</li>
<li>The Mailing List Archives search facility can locate posts about
similar problems:</li>
</ul>
<h4>Mailing List Archive Search</h4>
<form method="post" action="http://www.shorewall.net/cgi-bin/htsearch">
<form method="post" action="http://www.shorewall.net/cgi-bin/htsearch">
<p> <font size="-1"> Match:
<p> <font size="-1"> Match:
<select name="method">
<option value="and">All </option>
<option value="or">Any </option>
<option value="boolean">Boolean </option>
</select>
Format:
Format:
<select name="format">
<option value="builtin-long">Long </option>
<option value="builtin-short">Short </option>
</select>
Sort by:
Sort by:
<select name="sort">
<option value="score">Score </option>
<option value="time">Time </option>
@ -80,65 +81,66 @@ contains a number of tips to help you solve common problems.</li>
<option value="revtime">Reverse Time </option>
<option value="revtitle">Reverse Title </option>
</select>
</font> <input type="hidden" name="config" value="htdig"> <input
</font> <input type="hidden" name="config" value="htdig"> <input
type="hidden" name="restrict"
value="[http://www.shorewall.net/pipermail/.*]"> <input type="hidden"
name="exclude" value=""> <br>
Search: <input type="text" size="30" name="words" value=""> <input
Search: <input type="text" size="30" name="words" value=""> <input
type="submit" value="Search"> </p>
</form>
</form>
<h3 align="left">Problem Reporting Guidelines</h3>
<ul>
<li>When reporting a problem, give as much information as you can.
<li>When reporting a problem, give as much information as you can.
Reports that say "I tried XYZ and it didn't work" are not at all helpful.</li>
<li>Please don't describe your environment and then ask us to send
you custom configuration files. We're here to answer your questions
but we can't do your job for you.</li>
<li>Do you see any "Shorewall" messages in /var/log/messages when
you exercise the function that is giving you problems?</li>
<li>Have you looked at the packet flow with a tool like tcpdump
to try to understand what is going on?</li>
<li>Have you tried using the diagnostic capabilities of the application
that isn't working? For example, if "ssh" isn't able to connect, using
the "-v" option gives you a lot of valuable diagnostic information.</li>
<li>Please include any of the Shorewall configuration files (especially
the /etc/shorewall/hosts file if you have modified that file) that you
think are relevant. If an error occurs when you try to "shorewall start",
include a trace (See the <a href="troubleshoot.htm">Troubleshooting</a>
section for instructions).</li>
<li>The list server limits posts to 120kb so don't post GIFs of your
<li>Please don't describe your environment and then ask us to send
you custom configuration files. We're here to answer your questions
but we can't do your job for you.</li>
<li>Do you see any "Shorewall" messages in /var/log/messages when
you exercise the function that is giving you problems?</li>
<li>Have you looked at the packet flow with a tool like tcpdump
to try to understand what is going on?</li>
<li>Have you tried using the diagnostic capabilities of the application
that isn't working? For example, if "ssh" isn't able to connect, using
the "-v" option gives you a lot of valuable diagnostic information.</li>
<li>Please include any of the Shorewall configuration files (especially
the /etc/shorewall/hosts file if you have modified that file) that you
think are relevant. If an error occurs when you try to "shorewall start",
include a trace (See the <a href="troubleshoot.htm">Troubleshooting</a>
section for instructions).</li>
<li>The list server limits posts to 120kb so don't post GIFs of your
network layout, etc to the Mailing List -- your post will be rejected.</li>
</ul>
<h3>Where to Send your Problem Report or to Ask for Help</h3>
<h4>If you run Shorewall under Bering -- <span style="font-weight: 400;">please
post your question or problem to the <a
<b></b>
<h4>If you run Shorewall under Bering -- <span style="font-weight: 400;">please
post your question or problem to the <a
href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing list</a>.</span></h4>
<p>Otherwise, please post your question or problem to the <a
href="mailto:shorewall-users@shorewall.net">Shorewall users mailing list</a>;
there are lots of folks there who are willing to help you. Your question/problem
description and their responses will be placed in the mailing list archives
to help people who have a similar question or problem in the future.</p>
<p>I don't look at problems sent to me directly but I try to spend some amount
of time each day responding to problems posted on the mailing list.</p>
href="mailto:shorewall-users@shorewall.net">Shorewall users mailing list</a>;
there are lots of folks there who are willing to help you. Your question/problem
description and their responses will be placed in the mailing list archives
to help people who have a similar question or problem in the future.</p>
<p>I don't look at problems sent to me directly but I try to spend some amount
of time each day responding to problems posted on the mailing list.</p>
<p align="center"><a href="mailto:teastep@shorewall.net">-Tom</a></p>
<p>To Subscribe to the mailing list go to <a
href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a>
href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a>
.</p>
<p align="left"><font size="2">Last Updated 9/27/2002 - Tom Eastep</font></p>
<p align="left"><font size="2">Last Updated 10/13/2002 - Tom Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br>
<br>
<br>
<br>

1818
Shorewall-docs/three-interface.htm
View File

File diff suppressed because it is too large Load Diff

427
Shorewall-docs/traffic_shaping.htm
View File

@ -1,214 +1,257 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Traffic Shaping</title>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Traffic Shaping</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Traffic Shaping/Control</font></h1>
</td>
</tr>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Traffic Shaping/Control</font></h1>
</td>
</tr>
</tbody>
</table>
<p align="left">Beginning with version 1.2.0, Shorewall has limited support for traffic
shaping/control. In order to use traffic shaping under Shorewall, it is
essential that you get a copy of the <a href="http://ds9a.nl/lartc">Linux Advanced Routing
and Shaping HOWTO</a>, version 0.3.0 or later. You must also install
the iproute (iproute2) package to provide the &quot;ip&quot; and &quot;tc&quot;
utilities.</p>
<p align="left">Beginning with version 1.2.0, Shorewall has limited support
for traffic shaping/control. In order to use traffic shaping under Shorewall,
it is essential that you get a copy of the <a
href="http://ds9a.nl/lartc">Linux Advanced Routing and Shaping HOWTO</a>,
version 0.3.0 or later. You must also install the iproute (iproute2) package
to provide the "ip" and "tc" utilities.</p>
<p align="left">Shorewall traffic shaping support consists of the following:</p>
<ul>
<li>A new TC_ENABLED parameter in /etc/shorewall.conf. Traffic
Shaping also requires that you enable packet mangling.<br>
</li>
<li>/etc/shorewall/tcrules - A file where you can specify
firewall marking of packets. The firewall mark value may be used to classify
packets for traffic shaping/control.<br>
</li>
<li>/etc/shorewall/tcstart - A user-supplied file that is
sourced by Shorewall during &quot;shorewall start&quot; and which you can
use to define your traffic shaping disciplines and classes. I have provided
a <a href="ftp://ftp.shorewall.net/pub/shorewall/cbq">sample</a> that does
table-driven CBQ shaping but if you read the traffic shaping sections of the
HOWTO mentioned above, you can probably code your own faster than you can
learn how to use my sample. I personally use <a href="http://luxik.cdi.cz/~devik/qos/htb/">HTB</a>
(see below). HTB
support may eventually become an integral part of Shorewall since HTB is a
lot simpler and better-documented than CBQ. HTB is currently not a standard
part of either the kernel or iproute2 so both must be patched in order to
use it.<br>
<br>
In tcstart, when you want to run the 'tc' utility, use the run_tc function
supplied by shorewall. <br>
</li>
<li>/etc/shorewall/tcclear - A user-supplied file that is
sourced by Shorewall when it is clearing traffic shaping. This file is
normally not required as Shorewall's method of clearing qdisc and filter
definitions is pretty general.</li>
<li>A new TC_ENABLED parameter in /etc/shorewall.conf. Traffic Shaping
also requires that you enable packet mangling.<br>
</li>
<li>/etc/shorewall/tcrules - A file where you can specify firewall
marking of packets. The firewall mark value may be used to classify packets
for traffic shaping/control.<br>
</li>
<li>/etc/shorewall/tcstart - A user-supplied file that is sourced
by Shorewall during "shorewall start" and which you can use to define
your traffic shaping disciplines and classes. I have provided a <a
href="ftp://ftp.shorewall.net/pub/shorewall/cbq">sample</a> that does
table-driven CBQ shaping but if you read the traffic shaping sections of
the HOWTO mentioned above, you can probably code your own faster than
you can learn how to use my sample. I personally use <a
href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB</a> (see below). HTB
support may eventually become an integral part of Shorewall since HTB
is a lot simpler and better-documented than CBQ. HTB is currently not
a standard part of either the kernel or iproute2 so both must be patched
in order to use it.<br>
<br>
In tcstart, when you want to run the 'tc' utility, use the run_tc function
supplied by shorewall. <br>
</li>
<li>/etc/shorewall/tcclear - A user-supplied file that is sourced
by Shorewall when it is clearing traffic shaping. This file is normally
not required as Shorewall's method of clearing qdisc and filter definitions
is pretty general.</li>
</ul>
<h3 align="left">Kernel Configuration</h3>
<p align="left">This screen shot show how I've configured QoS in my Kernel:</p>
<p align="center"><img border="0" src="images/QoS.png" width="590" height="764"></p>
<p align="center"><img border="0" src="images/QoS.png" width="590"
height="764">
</p>
<h3 align="left"><a name="tcrules"></a>/etc/shorewall/tcrules</h3>
<p align="left">The fwmark classifier provides a convenient way to classify
packets for traffic shaping. The /etc/shorewall/tcrules file provides a means
for specifying these marks in a tabular fashion.</p>
packets for traffic shaping. The /etc/shorewall/tcrules file provides a
means for specifying these marks in a tabular fashion.</p>
<p align="left">Columns in the file are as follows:</p>
<ul>
<li>MARK - Specifies the mark value is to be assigned in case of
a match. This is an integer in the range 1-255.<br>
<br>
Example - 5<br>
</li>
<li>SOURCE - The source of the packet. If the packet originates
on the firewall, place &quot;fw&quot; in this column. Otherwise, this is a
comma-separated list of interface names, IP addresses, MAC addresses in
<a href="Documentation.htm#MAC">Shorewall Format</a> and/or Subnets.<br>
<br>
Examples<br>
&nbsp;&nbsp;&nbsp; eth0<br>
&nbsp;&nbsp;&nbsp; 192.168.2.4,192.168.1.0/24<br>
</li>
<li>DEST -- Destination of the packet. Comma-separated list of
IP addresses and/or subnets.<br>
</li>
<li>PROTO - Protocol - Must be the name of a protocol from
/etc/protocol, a number or &quot;all&quot;<br>
</li>
<li>PORT(S) - Destination Ports. A comma-separated list of Port
names (from /etc/services), port numbers or port ranges (e.g., 21:22); if
the protocol is &quot;icmp&quot;, this column is interpreted as the
destination icmp type(s).<br>
</li>
<li>CLIENT PORT(S) - (Optional) Port(s) used by the client. If
omitted, any source port is acceptable. Specified as a comma-separate list
of port names, port numbers or port ranges.</li>
<li>MARK - Specifies the mark value is to be assigned in case of
a match. This is an integer in the range 1-255.<br>
<br>
Example - 5<br>
</li>
<li>SOURCE - The source of the packet. If the packet originates on
the firewall, place "fw" in this column. Otherwise, this is a comma-separated
list of interface names, IP addresses, MAC addresses in <a
href="Documentation.htm#MAC">Shorewall Format</a> and/or Subnets.<br>
<br>
Examples<br>
    eth0<br>
    192.168.2.4,192.168.1.0/24<br>
</li>
<li>DEST -- Destination of the packet. Comma-separated list of IP
addresses and/or subnets.<br>
</li>
<li>PROTO - Protocol - Must be the name of a protocol from /etc/protocol,
a number or "all"<br>
</li>
<li>PORT(S) - Destination Ports. A comma-separated list of Port names
(from /etc/services), port numbers or port ranges (e.g., 21:22); if the
protocol is "icmp", this column is interpreted as the destination icmp
type(s).<br>
</li>
<li>CLIENT PORT(S) - (Optional) Port(s) used by the client. If omitted,
any source port is acceptable. Specified as a comma-separate list of port
names, port numbers or port ranges.</li>
</ul>
<p align="left">Example 1 - All packets arriving on eth1 should be marked with
1. All packets arriving on eth2 should be marked with 2. All packets originating
on the firewall itself should be marked with 3.</p>
<table border="2" cellpadding="2" style="border-collapse: collapse">
<tr>
<td><b>MARK</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b>PROTO</b></td>
<td><b>PORT(S)</b></td>
<td><b>CLIENT PORT(S)</b></td>
</tr>
<tr>
<td>1</td>
<td>eth1</td>
<td>0.0.0.0/0</td>
<td>all</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>2</td>
<td>eth2</td>
<td>0.0.0.0/0</td>
<td>all</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>3</td>
<td>fw</td>
<td>0.0.0.0/0</td>
<td>all</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<p align="left">Example 1 - All packets arriving on eth1 should be marked
with 1. All packets arriving on eth2 should be marked with 2. All packets
originating on the firewall itself should be marked with 3.</p>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>MARK</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b>PROTO</b></td>
<td><b>PORT(S)</b></td>
<td><b>CLIENT PORT(S)</b></td>
</tr>
<tr>
<td>1</td>
<td>eth1</td>
<td>0.0.0.0/0</td>
<td>all</td>
<td> </td>
<td> </td>
</tr>
<tr>
<td>2</td>
<td>eth2</td>
<td>0.0.0.0/0</td>
<td>all</td>
<td> </td>
<td> </td>
</tr>
<tr>
<td>3</td>
<td>fw</td>
<td>0.0.0.0/0</td>
<td>all</td>
<td> </td>
<td> </td>
</tr>
</tbody>
</table>
<p align="left">Example 2 - All GRE (protocol 47) packets not originating on the
firewall and destined for 155.186.235.151 should be marked with 12.</p>
<table border="2" cellpadding="2" style="border-collapse: collapse">
<tr>
<td><b>MARK</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b>PROTO</b></td>
<td><b>PORT(S)</b></td>
<td><b>CLIENT PORT(S)</b></td>
</tr>
<tr>
<td>12</td>
<td>0.0.0.0/0</td>
<td>155.186.235.151</td>
<td>47</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<p align="left">Example 2 - All GRE (protocol 47) packets not originating
on the firewall and destined for 155.186.235.151 should be marked with 12.</p>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>MARK</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b>PROTO</b></td>
<td><b>PORT(S)</b></td>
<td><b>CLIENT PORT(S)</b></td>
</tr>
<tr>
<td>12</td>
<td>0.0.0.0/0</td>
<td>155.186.235.151</td>
<td>47</td>
<td> </td>
<td> </td>
</tr>
</tbody>
</table>
<p align="left">Example 3 - All SSH packets originating in 192.168.1.0/24 and
destined for 155.186.235.151 should be marked with 22.</p>
<table border="2" cellpadding="2" style="border-collapse: collapse">
<tr>
<td><b>MARK</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b>PROTO</b></td>
<td><b>PORT(S)</b></td>
<td><b>CLIENT PORT(S)</b></td>
</tr>
<tr>
<td>22</td>
<td>192.168.1.0/24</td>
<td>155.186.235.151</td>
<td>tcp</td>
<td>22</td>
<td>&nbsp;</td>
</tr>
<p align="left">Example 3 - All SSH packets originating in 192.168.1.0/24
and destined for 155.186.235.151 should be marked with 22.</p>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>MARK</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b>PROTO</b></td>
<td><b>PORT(S)</b></td>
<td><b>CLIENT PORT(S)</b></td>
</tr>
<tr>
<td>22</td>
<td>192.168.1.0/24</td>
<td>155.186.235.151</td>
<td>tcp</td>
<td>22</td>
<td> </td>
</tr>
</tbody>
</table>
<h3>Hierarchical Token Bucket</h3>
<p>I personally use HTB. I have found a couple of things that may be of
use to others.</p>
<p>I personally use HTB. I have found a couple of things that may be of use
to others.</p>
<ul>
<li>The gzipped tc binary at the <a href="http://luxik.cdi.cz/~devik/qos/htb/">HTB
website</a> didn't work for me -- I had to download the lastest version of
the <a href="ftp://ftp.inr.ac.ru/ip-routing">iproute2 sources</a> and patch
them for HTB.</li>
<li>The HTB example in the HOWTO seems to be full of errors. I'm currently
running with this set of shaping rules in my tcstart file so I know that it works.</li>
<li>The gzipped tc binary at the <a
href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB website</a> didn't work
for me -- I had to download the lastest version of the <a
href="ftp://ftp.inr.ac.ru/ip-routing">iproute2 sources</a> and patch
them for HTB.</li>
<li>I'm currently running with this set of shaping rules in my tcstart
file. I recently changed from using a ceiling of 10Mbit (interface speed)
to 384kbit (DSP Uplink speed).<br>
<br>
</li>
</ul>
<blockquote>
<p><font face="Courier" size="2">run_tc qdisc add dev eth0 root handle 1: htb default 30<br>
<br>
run_tc class add dev eth0 parent 1: classid 1:1 htb rate 10mbit burst 15k<br>
<br>
run_tc class add dev eth0 parent 1:1 classid 1:10 htb rate 150kbit ceil 10mbit burst 15k<br>
run_tc class add dev eth0 parent 1:1 classid 1:20 htb rate 234kbit ceil 10mbit burst 15k<br>
run_tc class add dev eth0 parent 1:1 classid 1:30 htb rate 1kbit ceil&nbsp;&nbsp;
10mbit burst 15k<br>
<br>
run_tc qdisc add dev eth0 parent 1:10 sfq perturb 10<br>
run_tc qdisc add dev eth0 parent 1:20 sfq perturb 10<br>
run_tc qdisc add dev eth0 parent 1:30 sfq perturb 10<br>
<br>
run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:10<br>
run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 2 fw classid 1:20<br>
run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw classid 1:30
</font></p>
<p>My tcrules file is shown in Example 1 above. You can look at my <a href="myfiles.htm">network
configuration</a> to get an idea of why I want these particular rules.<font face="Courier" size="2"><br>
</font></p>
</blockquote>
<p><font size="2">Last Updated 8/24/2002 - <a href="support.htm">Tom
Eastep</a></font></p>
<blockquote>
<pre>run_tc qdisc add dev eth0 root handle 1: htb default 30<br>run_tc class add dev eth0 parent 1: classid 1:1 htb rate 384kbit burst 15k<br><br>echo "   Added Top Level Class -- rate 384kbit"</pre>
<pre>run_tc class add dev eth0 parent 1:1 classid 1:10 htb rate 140kbit ceil 384kbit burst 15k<br>run_tc class add dev eth0 parent 1:1 classid 1:20 htb rate 224kbit ceil 384kbit burst 15k<br>run_tc class add dev eth0 parent 1:1 classid 1:30 htb rate 20kbit  ceil 384kbit burst 15k quantum 1500</pre>
<pre>echo "   Added Second Level Classes -- rates 140kbit, 224kbit, 20kbit"</pre>
<pre>run_tc qdisc add dev eth0 parent 1:10 sfq perturb 10<br>run_tc qdisc add dev eth0 parent 1:20 sfq perturb 10<br>run_tc qdisc add dev eth0 parent 1:30 sfq perturb 10</pre>
<pre>echo "   Enabled SFQ on Second Level Classes"</pre>
<pre>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:10<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 2 fw classid 1:20<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw classid 1:30</pre>
<pre>echo "   Defined fwmark filters"<br></pre>
<p>My tcrules file is shown in Example 1 above. You can look at my <a
href="myfiles.htm">network configuration</a> to get an idea of why I want
these particular rules.<font face="Courier" size="2"><br>
</font></p>
</blockquote>
<p><font size="2">Last Updated 10/25/2002 - <a href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
</body>
</html>
</html>

372
Shorewall-docs/troubleshoot.htm
View File

@ -1,205 +1,199 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall Troubleshooting</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Shorewall Troubleshooting</font></h1>
</td>
</tr>
</table>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Troubleshooting</font></h1>
</td>
</tr>
</tbody>
</table>
<h3 align="left">Check the Errata</h3>
<p align="left">Check the <a href="errata.htm">Shorewall Errata</a> to be
sure that there isn't an update that you are missing for your version of
the firewall.</p>
<h3 align="left">Check the FAQs</h3>
<p align="left">Check the <a href="FAQ.htm">FAQs</a> for solutions to common
problems.</p>
<h3 align="left">If the firewall fails to start</h3>
If you receive an error message when starting or restarting the firewall
and you can't determine the cause, then do the following:
<ul>
<li>shorewall debug start 2&gt; /tmp/trace</li>
<li>Look at the /tmp/trace file and see if that helps you determine
what the problem is.</li>
<li>If you still can't determine what's wrong then see the <a
href="support.htm">support page</a>.</li>
<h3 align="Left">Check the Errata</h3>
<p align="Left">Check the <a href="errata.htm">Shorewall Errata</a>
to be sure that there isn't an update that you are missing for your version
of the firewall.</p>
<h3 align="Left">Check the FAQs</h3>
<p align="Left">Check the <a href="FAQ.htm">FAQs</a> for solutions to common problems.</p>
<h3 align="Left">If the firewall fails to start</h3>
If you
receive an error message when starting or restarting the firewall and you
can't determine the cause, then do the following:
<ul>
<li>shorewall debug start 2&gt; /tmp/trace</li>
<li>Look at the /tmp/trace file and see if that helps you determine what
the problem is.</li>
<li>If you still can't determine what's wrong then see the
<a href="support.htm">support page</a>.</li>
</ul>
<h3>Your test environment</h3>
<p>Many times when people have problems with Shorewall, the problem is
actually an ill-conceived test setup. Here are several popular snafus: </p>
<ul>
<li>Port
Forwarding where client and server are in the same subnet. See <a href="FAQ.htm">FAQ
2.</a></li>
<li>Changing the IP address of a local system to be in the external subnet,
thinking that Shorewall will suddenly believe that the system is in the
'net' zone.</li>
<li>Multiple interfaces connected to the same HUB or Switch. Given the way
that the Linux kernel respond to ARP &quot;who-has&quot; requests, this type of setup
does NOT work the way that you expect it to.</li>
</ul>
<h3 align="Left">If you are having
connection problems:</h3>
<p align="Left">If the appropriate policy for the connection that you
are trying to make is ACCEPT, please DO NOT ADD ADDITIONAL ACCEPT RULES TRYING
TO MAKE IT WORK. Such additional rules will NEVER make it work, they add
clutter to your rule set and they represent a big security hole in the event
that you forget to remove them later.</p>
<p align="Left">I also recommend against setting all of your policies to
ACCEPT in an effort to make something work. That robs you of one of your
best diagnostic tools - the &quot;Shorewall&quot; messages that Netfilter will
generate when you try to connect in a way that isn't permitted by your
rule set.</p>
<p align="Left">Check your log. If you don't see Shorewall messages,
then your problem is probably NOT a Shorewall problem. If you DO see packet
messages, it is an indication that you are missing one or more rules.</p>
<p align="Left">While you are troubleshooting, it is a good idea to clear
</ul>
<h3>Your test environment</h3>
<p>Many times when people have problems with Shorewall, the problem is
actually an ill-conceived test setup. Here are several popular snafus: </p>
<ul>
<li>Port Forwarding where client and server are in the same
subnet. See <a href="FAQ.htm">FAQ 2.</a></li>
<li>Changing the IP address of a local system to be in the external
subnet, thinking that Shorewall will suddenly believe that the system
is in the 'net' zone.</li>
<li>Multiple interfaces connected to the same HUB or Switch. Given the
way that the Linux kernel respond to ARP "who-has" requests, this type
of setup does NOT work the way that you expect it to.</li>
</ul>
<h3 align="left">If you are having connection problems:</h3>
<p align="left">If the appropriate policy for the connection that you are
trying to make is ACCEPT, please DO NOT ADD ADDITIONAL ACCEPT RULES TRYING
TO MAKE IT WORK. Such additional rules will NEVER make it work, they add clutter
to your rule set and they represent a big security hole in the event that
you forget to remove them later.</p>
<p align="left">I also recommend against setting all of your policies to
ACCEPT in an effort to make something work. That robs you of one of
your best diagnostic tools - the "Shorewall" messages that Netfilter
will generate when you try to connect in a way that isn't permitted
by your rule set.</p>
<p align="left">Check your log. If you don't see Shorewall messages, then
your problem is probably NOT a Shorewall problem. If you DO see packet messages,
it may be an indication that you are missing one or more rules -- see <a
href="FAQ.htm#faq17">FAQ 17</a>.</p>
<p align="left">While you are troubleshooting, it is a good idea to clear
two variables in /etc/shorewall/shorewall.conf:</p>
<p align="Left">LOGRATE=&quot;&quot;<br>
LOGBURST=&quot;&quot;</p>
<p align="Left">This way, you will see all of the log messages being
generated (be sure to restart shorewall after clearing these variables).</p>
<p align="Left">Example:</p>
<font face="Century Gothic, Arial, Helvetica">
<p align="Left"><font face="Courier">Jun 27 15:37:56 gateway kernel:
Shorewall:all2all:REJECT:IN=eth2
OUT=eth1 SRC=192.168.2.2 DST=192.168.1.3 LEN=67 TOS=0x00 PREC=0x00 TTL=63
ID=5805 DF PROTO=UDP SPT=1803 DPT=53 LEN=47</font></p>
</font>
<p align="Left">Let's look at the important parts of this message:</p>
<p align="left">LOGRATE=""<br>
LOGBURST=""</p>
<p align="left">This way, you will see all of the log messages being
generated (be sure to restart shorewall after clearing these variables).</p>
<p align="left">Example:</p>
<font face="Century Gothic, Arial, Helvetica">
<p align="left"><font face="Courier">Jun 27 15:37:56 gateway kernel:
Shorewall:all2all:REJECT:IN=eth2 OUT=eth1 SRC=192.168.2.2 DST=192.168.1.3
LEN=67 TOS=0x00 PREC=0x00 TTL=63 ID=5805 DF PROTO=UDP SPT=1803 DPT=53 LEN=47</font></p>
</font>
<p align="left">Let's look at the important parts of this message:</p>
<ul>
<li>all2all:REJECT - This packet was REJECTed out of the all2all chain
-- the packet was rejected under the "all"-&gt;"all" REJECT policy (see
<a href="FAQ.htm#faq17">FAQ 17).</a></li>
<li>IN=eth2 - the packet entered the firewall via eth2</li>
<li>OUT=eth1 - if accepted, the packet would be sent on eth1</li>
<li>SRC=192.168.2.2 - the packet was sent by 192.168.2.2</li>
<li>DST=192.168.1.3 - the packet is destined for 192.168.1.3</li>
<li>PROTO=UDP - UDP Protocol</li>
<li>DPT=53 - DNS</li>
<ul>
<li>all2all:REJECT - the packet was rejected under the "all"-&gt;"all" REJECT
policy</li>
<li>IN=eth2 - the packet entered the firewall via eth2</li>
<li>OUT=eth1 - if accepted, the packet would be sent on eth1</li>
<li>SRC=192.168.2.2 - the packet was sent by 192.168.2.2</li>
<li>DST=192.168.1.3 - the packet is destined for 192.168.1.3</li>
<li>PROTO=UDP - UDP Protocol</li>
<li>DPT=53 - DNS</li>
</ul>
<p align="Left">In this case, 192.168.2.2 was in the "dmz" zone and
192.168.1.3 is in the "loc" zone. I was missing the rule:</p>
<p align="Left">ACCEPT    dmz    loc    udp    53</p>
<h3 align="Left">Other Gotchas</h3>
<ul>
<li>Seeing rejected/dropped packets logged out of the INPUT or FORWARD
chains? This means that:<ol>
<li>your zone definitions are screwed up and the host that is sending the
packets or the destination host isn't in any zone (using an
<a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a> file are you?);
or</li>
<li>the source and destination hosts are both connected to the same
interface and that interface doesn't have the 'multi' option specified in
<a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
</ul>
<p align="left">In this case, 192.168.2.2 was in the "dmz" zone and 192.168.1.3
is in the "loc" zone. I was missing the rule:</p>
<p align="left">ACCEPT    dmz    loc    udp    53</p>
<h3 align="left">Other Gotchas</h3>
<ul>
<li>Seeing rejected/dropped packets logged out of the INPUT or FORWARD
chains? This means that:
<ol>
<li>your zone definitions are screwed up and the host that is sending
the packets or the destination host isn't in any zone (using an
<a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a> file are you?);
or</li>
<li>the source and destination hosts are both connected to the same
interface and that interface doesn't have the 'multi' option specified
in <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
</ol>
</li>
<li>Remember that Shorewall doesn't automatically allow ICMP type 8 ("ping")
requests to be sent between zones. If you want pings to be allowed between
zones, you need a rule of the form:<br>
<br>
    ACCEPT    &lt;source zone&gt;    &lt;destination zone&gt;   
</li>
<li>Remember that Shorewall doesn't automatically allow ICMP type
8 ("ping") requests to be sent between zones. If you want pings to be
allowed between zones, you need a rule of the form:<br>
<br>
    ACCEPT    &lt;source zone&gt;    &lt;destination zone&gt;   
icmp    echo-request<br>
<br>
The ramifications of this can be subtle. For example, if you have the
following in /etc/shorewall/nat:<br>
<br>
    10.1.1.2    eth0    130.252.100.18<br>
<br>
and you ping 130.252.100.18, unless you have allowed icmp type 8 between
the zone containing the system you are pinging from and the zone containing
10.1.1.2, the ping requests will be dropped. This is true even if you
<br>
The ramifications of this can be subtle. For example, if you have the
following in /etc/shorewall/nat:<br>
<br>
    10.1.1.2    eth0    130.252.100.18<br>
<br>
and you ping 130.252.100.18, unless you have allowed icmp type 8 between
the zone containing the system you are pinging from and the zone containing
10.1.1.2, the ping requests will be dropped. This is true even if you
have NOT specified 'noping' for eth0 in /etc/shorewall/interfaces.</li>
<li>If you specify "routefilter" for an interface, that interface must be
up prior to starting the firewall.</li>
<li>Is your routing correct? For example, internal systems usually need to
be configured with their default gateway set to the IP address of their
nearest firewall interface. One often overlooked aspect of routing is that
in order for two hosts to communicate, the routing between them must be set
up <u>in both directions.</u> So when setting up routing between <b>A</b>
and<b> B</b>, be sure to verify that the route from <b>B</b> back to <b>A</b>
is defined.</li>
<li>Some versions of LRP (EigerStein2Beta for example) have a shell with
broken variable expansion. <a href="ftp://ftp.shorewall.net/pub/shorewall/ash.gz">
You can get a corrected shell from the Shorewall Errata download site.</a>
</li>
<li>Do you have your kernel properly configured? <a href="kernel.htm">Click
here to see my kernel configuration.</a> </li>
<li>Some features require the "ip" program. That program is generally included
in the "iproute" package which should be included with your distribution
(though many distributions don't install iproute by default). You
may also download the latest source tarball from <a href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank">
ftp://ftp.inr.ac.ru/ip-routing</a>
<li>If you specify "routefilter" for an interface, that interface
must be up prior to starting the firewall.</li>
<li>Is your routing correct? For example, internal systems usually need
to be configured with their default gateway set to the IP address of
their nearest firewall interface. One often overlooked aspect of routing
is that in order for two hosts to communicate, the routing between them
must be set up <u>in both directions.</u> So when setting up routing
between <b>A</b> and<b> B</b>, be sure to verify that the route from
<b>B</b> back to <b>A</b> is defined.</li>
<li>Some versions of LRP (EigerStein2Beta for example) have a shell
with broken variable expansion. <a
href="ftp://ftp.shorewall.net/pub/shorewall/ash.gz"> You can get a corrected
shell from the Shorewall Errata download site.</a> </li>
<li>Do you have your kernel properly configured? <a
href="kernel.htm">Click here to see my kernel configuration.</a> </li>
<li>Some features require the "ip" program. That program is generally
included in the "iproute" package which should be included with your
distribution (though many distributions don't install iproute by
default). You may also download the latest source tarball from <a
href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank"> ftp://ftp.inr.ac.ru/ip-routing</a>
.</li>
<li>If you have <u>any</u> entry for a zone in /etc/shorewall/hosts then the
zone must be entirely defined in /etc/shorewall/hosts unless you have
specified MERGE_HOSTS=Yes (Shorewall version 1.3.5 and later). For example, if
a zone has two interfaces but only one interface has an entry in /etc/shorewall/hosts
then hosts attached to the other interface will <u>not</u> be considered
part of the zone.</li>
<li>Problems with NAT? Be sure that you let Shorewall add all external addresses
to be use with NAT unless you have set <a href="Documentation.htm#Aliases">
ADD_IP_ALIASES</a>
=No in /etc/shorewall/shorewall.conf.</li>
</ul>
<h3>Still Having Problems?</h3>
<p>See the<a href="support.htm"> support page.</a></p>
<li>If you have <u>any</u> entry for a zone in /etc/shorewall/hosts
then the zone must be entirely defined in /etc/shorewall/hosts unless you
have specified MERGE_HOSTS=Yes (Shorewall version 1.3.5 and later).
For example, if a zone has two interfaces but only one interface has an
entry in /etc/shorewall/hosts then hosts attached to the other interface
will <u>not</u> be considered part of the zone.</li>
<li>Problems with NAT? Be sure that you let Shorewall add all external
addresses to be use with NAT unless you have set <a
href="Documentation.htm#Aliases"> ADD_IP_ALIASES</a> =No in /etc/shorewall/shorewall.conf.</li>
</ul>
<h3>Still Having Problems?</h3>
<p>See the<a href="support.htm"> support page.</a></p>
<font face="Century Gothic, Arial, Helvetica">
<blockquote> </blockquote>
</font>
<p><font size="2">Last updated 10/17/2002 - Tom Eastep</font> </p>
<font face="Century Gothic, Arial, Helvetica">
<blockquote> </blockquote>
</font>
<p><font size="2">Last updated 9/13/2002 -
Tom Eastep</font>
</p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
</body>
</html>
</html>

1521
Shorewall-docs/two-interface.htm
View File

File diff suppressed because it is too large Load Diff

269
Shorewall-docs/upgrade_issues.htm
View File

@ -1,165 +1,176 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Upgrade Issues</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Upgrade Issues</font></h1>
</td>
</tr>
</tbody>
</td>
</tr>
</tbody>
</table>
<p>For upgrade instructions see the <a
href="Install.htm">Install/Upgrade page</a>.</p>
<h3>Version 1.3.10</h3>
If you have installed the 1.3.10 Beta 1 RPM and are now upgrading to version
1.3.10, you will need to use the '--force' option:<br>
<br>
<blockquote>
<pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm </pre>
</blockquote>
<h3>Version &gt;= 1.3.9</h3>
The 'functions' file has moved to /usr/lib/shorewall/functions. If you
have an application that uses functions from that file, your application
will need to be changed to reflect this change of location.<br>
<h3>Version &gt;= 1.3.8</h3>
<p>If you have a pair of firewall systems configured for failover
or if you have asymmetric routing, you will need to modify
your firewall setup slightly under Shorewall
versions &gt;= 1.3.8. Beginning with version 1.3.7,
you must set NEWNOTSYN=Yes in your
/etc/shorewall/shorewall.conf file.</p>
<p>If you have a pair of firewall systems configured for failover
or if you have asymmetric routing, you will need to modify
your firewall setup slightly under Shorewall
versions &gt;= 1.3.8. Beginning with version 1.3.8,
you must set NEWNOTSYN=Yes in your
/etc/shorewall/shorewall.conf file.</p>
<h3>Version &gt;= 1.3.7</h3>
<p>Users specifying ALLOWRELATED=No in /etc/shorewall.conf
will need to include the following rules in
their /etc/shorewall/icmpdef file (creating
this file if necessary):</p>
<p>Users specifying ALLOWRELATED=No in /etc/shorewall.conf
will need to include the following rules
in their /etc/shorewall/icmpdef file (creating
this file if necessary):</p>
<pre> run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT</pre>
<p>Users having an /etc/shorewall/icmpdef file may remove the ". /etc/shorewall/icmp.def"
command from that file since the icmp.def file is now empty.</p>
<h3><b><a name="Bering">Upgrading </a>Bering to
Shorewall &gt;= 1.3.3</b></h3>
<p>To properly upgrade with Shorewall version
1.3.3 and later:</p>
<p>Users having an /etc/shorewall/icmpdef file may remove the ". /etc/shorewall/icmp.def"
command from that file since the icmp.def file is now empty.</p>
<h3><b><a name="Bering">Upgrading </a>Bering to
Shorewall &gt;= 1.3.3</b></h3>
<p>To properly upgrade with Shorewall version
1.3.3 and later:</p>
<ol>
<li>Be sure you have a backup -- you will
need to transcribe any Shorewall configuration
changes that you have made to the new
configuration.</li>
<li>Replace the shorwall.lrp package provided
on the Bering floppy with the later one.
If you did not obtain the later version from
Jacques's site, see additional instructions
below.</li>
<li>Edit the /var/lib/lrpkg/root.exclude.list
file and remove the /var/lib/shorewall entry
if present. Then do not forget to backup
root.lrp !</li>
<li>Be sure you have a backup -- you
will need to transcribe any Shorewall configuration
changes that you have made to the new
configuration.</li>
<li>Replace the shorwall.lrp package
provided on the Bering floppy with the later
one. If you did not obtain the later version
from Jacques's site, see additional instructions
below.</li>
<li>Edit the /var/lib/lrpkg/root.exclude.list
file and remove the /var/lib/shorewall
entry if present. Then do not forget to
backup root.lrp !</li>
</ol>
<p>The .lrp that I release isn't set up for a two-interface firewall like
Jacques's. You need to follow the <a href="two-interface.htm">instructions
for setting up a two-interface firewall</a> plus you also need to add
the following two Bering-specific rules to /etc/shorewall/rules:</p>
<blockquote>
<pre># Bering specific rules:<br># allow loc to fw udp/53 for dnscache to work<br># allow loc to fw tcp/80 for weblet to work<br>#<br>ACCEPT loc fw udp 53<br>ACCEPT loc fw tcp 80</pre>
</blockquote>
<h3 align="left">Version 1.3.6 and 1.3.7</h3>
<p align="left">If you have a pair of firewall systems configured for
failover or if you have asymmetric routing, you will need to modify
your firewall setup slightly under Shorewall versions 1.3.6
and 1.3.7</p>
<ol>
<li>
<p align="left">Create the file /etc/shorewall/newnotsyn and in it add
the following rule<br>
<br>
<font face="Courier">run_iptables -A newnotsyn -j RETURN #
So that the connection tracking table can be rebuilt<br>
                                    # from non-SYN packets
after takeover.<br>
 </font> </p>
</li>
<li>
<p align="left">Create /etc/shorewall/common (if you don't already
have that file) and include the following:<br>
<br>
<font face="Courier">run_iptables -A common -p tcp --tcp-flags
ACK,FIN,RST ACK -j ACCEPT #Accept Acks to rebuild connection<br>
                                                                   
#tracking table. <br>
. /etc/shorewall/common.def</font> </p>
</li>
</ol>
<p>The .lrp that I release isn't set up for a two-interface firewall like
Jacques's. You need to follow the <a href="two-interface.htm">instructions
for setting up a two-interface firewall</a> plus you also need to add the
following two Bering-specific rules to /etc/shorewall/rules:</p>
<blockquote>
<pre># Bering specific rules:<br># allow loc to fw udp/53 for dnscache to work<br># allow loc to fw tcp/80 for weblet to work<br>#<br>ACCEPT loc fw udp 53<br>ACCEPT loc fw tcp 80</pre>
</blockquote>
<h3 align="left">Version 1.3.6 and 1.3.7</h3>
<p align="left">If you have a pair of firewall systems configured for
failover or if you have asymmetric routing, you will need to modify
your firewall setup slightly under Shorewall versions 1.3.6 and
1.3.7</p>
<ol>
<li>
<p align="left">Create the file /etc/shorewall/newnotsyn and in it add
the following rule<br>
<br>
<font face="Courier">run_iptables -A newnotsyn -j RETURN # So
that the connection tracking table can be rebuilt<br>
                                    # from non-SYN packets after
takeover.<br>
 </font> </p>
</li>
<li>
<p align="left">Create /etc/shorewall/common (if you don't already
have that file) and include the following:<br>
<br>
<font face="Courier">run_iptables -A common -p tcp --tcp-flags
ACK,FIN,RST ACK -j ACCEPT #Accept Acks to rebuild connection<br>
                                                                   
#tracking table. <br>
. /etc/shorewall/common.def</font> </p>
</li>
</ol>
<h3 align="left">Versions &gt;= 1.3.5</h3>
<p align="left">Some forms of pre-1.3.0 rules file syntax are no
longer supported. </p>
<p align="left">Some forms of pre-1.3.0 rules file syntax are no
longer supported. </p>
<p align="left">Example 1:</p>
<div align="left">
<div align="left">
<pre> ACCEPT net loc:192.168.1.12:22 tcp 11111 - all</pre>
</div>
</div>
<p align="left">Must be replaced with:</p>
<div align="left">
<div align="left">
<pre> DNAT net loc:192.168.1.12:22 tcp 11111</pre>
</div>
<div align="left">
</div>
<div align="left">
<p align="left">Example 2:</p>
</div>
<div align="left">
</div>
<div align="left">
<pre> ACCEPT loc fw::3128 tcp 80 - all</pre>
</div>
<div align="left">
</div>
<div align="left">
<p align="left">Must be replaced with:</p>
</div>
<div align="left">
</div>
<div align="left">
<pre> REDIRECT loc 3128 tcp 80</pre>
</div>
</div>
<h3 align="left">Version &gt;= 1.3.2</h3>
<p align="left">The functions and versions files together with the
'firewall' symbolic link have moved from /etc/shorewall to /var/lib/shorewall.
If you have applications that access these files, those applications
should be modified accordingly.</p>
<p><font size="2"> Last updated 9/28/2002 -
<a href="support.htm">Tom Eastep</a></font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<p align="left">The functions and versions files together with the
'firewall' symbolic link have moved from /etc/shorewall to /var/lib/shorewall.
If you have applications that access these files, those applications
should be modified accordingly.</p>
<p><font size="2"> Last updated 11/09/2002 -
<a href="support.htm">Tom Eastep</a></font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
</p>
</body>
</html>

7
Shorewall/changelog.txt
View File

@ -35,3 +35,10 @@ Changes since 1.3.9
17. Add MAC verificaiton
18. Conserve space by removing comment decorations.
19. Improve comments in interfaces file re: use of aliases
20. Clear nat and mangle counters during 'shorewall reset'
21. Verify interface names in the SOURCE column of /etc/shorewall/tcrules

2
Shorewall/fallback.sh
View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=1.3.10b1
VERSION=1.3.10
usage() # $1 = exit status
{

2
Shorewall/install.sh
View File

@ -54,7 +54,7 @@
# /etc/rc.d/rc.local file is modified to start the firewall.
#
VERSION=1.3.10b1
VERSION=1.3.10
usage() # $1 = exit status
{

4
Shorewall/shorewall.spec
View File

@ -1,5 +1,5 @@
%define name shorewall
%define version 1.3.10b1
%define version 1.3.10
%define release 1
%define prefix /usr
@ -101,6 +101,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog
* Sat Nov 09 2002 Tom Eastep <tom@shorewall.net>
- Changes version to 1.3.10
* Wed Oct 23 2002 Tom Eastep <tom@shorewall.net>
- Changes version to 1.3.10b1
* Tue Oct 22 2002 Tom Eastep <tom@shorewall.net>

2
Shorewall/uninstall.sh
View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall
VERSION=1.3.10b1
VERSION=1.3.10
usage() # $1 = exit status
{