extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-13 13:16:45 +02:00
Code Issues Packages Projects Releases Wiki Activity

1.3.10 Release Changes

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@319 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2002-11-09 18:06:34 +00:00
parent c44cb44f7c
commit 3354d96ebb
44 changed files with 10071 additions and 9047 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3433
Shorewall-docs/Documentation.htm
View File

File diff suppressed because it is too large Load Diff

903
Shorewall-docs/FAQ.htm
View File

File diff suppressed because it is too large Load Diff

549
Shorewall-docs/IPSEC.htm
View File

@ -2,283 +2,366 @@
<html> <html>
<head> <head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall IPSec Tunneling</title> <title>Shorewall IPSec Tunneling</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">IPSEC Tunnels</font></h1>
</td>
</tr>
</head> </tbody>
<body> </table>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">IPSEC Tunnels</font></h1>
</td>
</tr>
</table>
<h2><font color="#660066">Configuring FreeS/Wan</font></h2>
There is an excellent guide to configuring IPSEC tunnels at<a href="http://jixen.tripod.com">
http://jixen.tripod.com</a>
. I highly recommend that you consult that site for information about confuring
FreeS/Wan. <p><font color="#FF6633"><b>Warning: </b></font>Do not use Proxy ARP
and FreeS/Wan on the same system unless you are prepared to suffer the
consequences. If you start or restart Shorewall with an IPSEC tunnel active,
the proxied IP addresses are mistakenly assigned to the IPSEC tunnel device
(ipsecX) rather than to the interface that you specify in the INTERFACE column
of /etc/shorewall/proxyarp. I haven't had the time to debug this problem so I
can't say if it is a bug in the Kernel or in FreeS/Wan.&nbsp;</p>
<p>You <b>might</b> be able to work around this problem using the following (I
haven't tried it):</p>
<p>In /etc/shorewall/init, include:</p>
<p>&nbsp;&nbsp;&nbsp;&nbsp; qt service ipsec stop</p>
<p>In /etc/shorewall/start, include:</p>
<p>&nbsp;&nbsp;&nbsp; qt service ipsec start</p>
<h2>
<font color="#660066">IPSec Gateway <h2><font color="#660066">Configuring FreeS/Wan</font></h2>
on the Firewall System There is an excellent guide to configuring IPSEC tunnels at<a
</font></h2> href="http://jixen.tripod.com"> http://jixen.tripod.com</a> . I highly recommend
that you consult that site for information about confuring FreeS/Wan. 
<p><font color="#ff6633"><b>Warning: </b></font>Do not use Proxy ARP and
FreeS/Wan on the same system unless you are prepared to suffer the consequences.
If you start or restart Shorewall with an IPSEC tunnel active, the proxied
IP addresses are mistakenly assigned to the IPSEC tunnel device (ipsecX)
rather than to the interface that you specify in the INTERFACE column of
/etc/shorewall/proxyarp. I haven't had the time to debug this problem so I
can't say if it is a bug in the Kernel or in FreeS/Wan. </p>
<p>Suppose that we have the following sutuation:</p> <p>You <b>might</b> be able to work around this problem using the following
(I haven't tried it):</p>
<font color="#660066"> <p>In /etc/shorewall/init, include:</p>
<p align="Center"><font face="Century Gothic, Arial, Helvetica"> <p>     qt service ipsec stop</p>
<img src="images/TwoNets1.png" width="745" height="427">
</font></p>
</font> <p>In /etc/shorewall/start, include:</p>
<p align="Left">We want systems <p>    qt service ipsec start</p>
in the 192.168.1.0/24 sub-network to be able to communicate with systems
in the 10.0.0.0/8 network.</p>
<p align="Left">To make this work, we need to do two things:</p> <h2> <font color="#660066">IPSec Gateway on the Firewall System </font></h2>
<p align="Left">a) Open the firewall so that the IPSEC tunnel can be established <p>Suppose that we have the following sutuation:</p>
(allow the ESP and AH protocols and UDP Port 500). </p> <font color="#660066">
<p align="center"><font face="Century Gothic, Arial, Helvetica"> <img
src="images/TwoNets1.png" width="745" height="427">
</font></p>
</font>
<p align="left">We want systems in the 192.168.1.0/24 sub-network to be able
to communicate with systems in the 10.0.0.0/8 network.</p>
<p align="Left">b) Allow traffic through the tunnel.</p> <p align="left">To make this work, we need to do two things:</p>
<p align="Left">Opening the firewall for the IPSEC tunnel is accomplished by <p align="left">a) Open the firewall so that the IPSEC tunnel can be established
adding an entry to the /etc/shorewall/tunnels file.</p> (allow the ESP and AH protocols and UDP Port 500). </p>
<p align="Left">In /etc/shorewall/tunnels <p align="left">b) Allow traffic through the tunnel.</p>
on system A, we need the following </p>
<p align="left">Opening the firewall for the IPSEC tunnel is accomplished
by adding an entry to the /etc/shorewall/tunnels file.</p>
<p align="left">In /etc/shorewall/tunnels on system A, we need the following </p>
<blockquote> <blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse"> <table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody> <tbody>
<tr> <tr>
<td><strong> <td><strong> TYPE</strong></td>
TYPE</strong></td> <td><strong> ZONE</strong></td>
<td><strong> <td><strong> GATEWAY</strong></td>
ZONE</strong></td> <td><strong> GATEWAY ZONE</strong></td>
<td><strong> </tr>
GATEWAY</strong></td> <tr>
<td><strong> <td>ipsec</td>
GATEWAY ZONE</strong></td> <td>net</td>
</tr> <td>134.28.54.2</td>
<tr> <td> </td>
<td>ipsec</td> </tr>
<td>net</td>
<td>134.28.54.2</td>
<td>&nbsp;</td>
</tr>
</tbody> </tbody>
</table></blockquote> </table>
<p align="Left">In /etc/shorewall/tunnels
on system B, we would have:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse">
<tbody>
<tr>
<td><strong>
TYPE</strong></td>
<td><strong>
ZONE</strong></td>
<td><strong>
GATEWAY</strong></td>
<td><strong>
GATEWAY ZONE</strong></td>
</tr>
<tr>
<td>ipsec</td>
<td>net</td>
<td>206.161.148.9</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table></blockquote>
<p align="Left">You need to define a zone for the remote subnet or include
it in your local zone. In this example, we'll assume that you have created a
zone called &quot;vpn&quot; to represent the remote subnet.</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse">
<tr>
<td><strong>ZONE</strong></td>
<td><strong>DISPLAY</strong></td>
<td><strong>COMMENTS</strong></td>
</tr>
<tr>
<td>vpn</td>
<td>VPN</td>
<td>Remote Subnet</td>
</tr>
</table>
</blockquote> </blockquote>
<p align="Left">At both <p align="left">In /etc/shorewall/tunnels on system B, we would have:</p>
systems, ipsec0 would be included in /etc/shorewall/interfaces as a "vpn"
interface:</p>
<blockquote> <blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse"> <table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody> <tbody>
<tr> <tr>
<td><strong> <td><strong> TYPE</strong></td>
ZONE</strong></td> <td><strong> ZONE</strong></td>
<td><strong> <td><strong> GATEWAY</strong></td>
INTERFACE</strong></td> <td><strong> GATEWAY ZONE</strong></td>
<td><strong> </tr>
BROADCAST</strong></td> <tr>
<td><strong> <td>ipsec</td>
OPTIONS</strong></td> <td>net</td>
</tr> <td>206.161.148.9</td>
<tr> <td> </td>
<td>vpn</td> </tr>
<td>ipsec0</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
</tbody> </tbody>
</table></blockquote> </table>
</blockquote>
<p align="Left"> You will need to allow traffic between the &quot;vpn&quot; zone and <p align="left"><b>Note: </b>If either of the endpoints is behind a NAT gateway
the &quot;loc&quot; zone -- if you simply want to admit all traffic in both then the tunnels file entry on the <u><b>other</b></u> endpoint should specify
a tunnel type of <i>ipsecnat</i> rather than <i>ipsec</i> and the GATEWAY
address should specify the external address of the NAT gateway.<br>
</p>
<p align="left">You need to define a zone for the remote subnet or include
it in your local zone. In this example, we'll assume that you have created
a zone called "vpn" to represent the remote subnet.</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><strong>ZONE</strong></td>
<td><strong>DISPLAY</strong></td>
<td><strong>COMMENTS</strong></td>
</tr>
<tr>
<td>vpn</td>
<td>VPN</td>
<td>Remote Subnet</td>
</tr>
</tbody>
</table>
</blockquote>
<p align="left">At both systems, ipsec0 would be included in /etc/shorewall/interfaces
as a "vpn" interface:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><strong> ZONE</strong></td>
<td><strong> INTERFACE</strong></td>
<td><strong> BROADCAST</strong></td>
<td><strong> OPTIONS</strong></td>
</tr>
<tr>
<td>vpn</td>
<td>ipsec0</td>
<td> </td>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
<p align="left"> You will need to allow traffic between the "vpn" zone and
the "loc" zone -- if you simply want to admit all traffic in both
directions, you can use the policy file:</p> directions, you can use the policy file:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><strong>SOURCE</strong></td>
<td><strong>DEST</strong></td>
<td><strong>POLICY</strong></td>
<td><strong>LOG LEVEL</strong></td>
</tr>
<tr>
<td>loc</td>
<td>vpn</td>
<td>ACCEPT</td>
<td> </td>
</tr>
<tr>
<td>vpn</td>
<td>loc</td>
<td>ACCEPT</td>
<td> </td>
</tr>
<blockquote> </tbody>
<table border="2" cellpadding="2" style="border-collapse: collapse"> </table>
<tr> </blockquote>
<td><strong>SOURCE</strong></td>
<td><strong>DEST</strong></td>
<td><strong>POLICY</strong></td>
<td><strong>LOG LEVEL</strong></td>
</tr>
<tr>
<td>loc</td>
<td>vpn</td>
<td>ACCEPT</td>
<td>&nbsp;</td>
</tr>
<tr> <p align="left"> Once you have these entries in place, restart Shorewall (type
<td>vpn</td> shorewall restart); you are now ready to configure the tunnel in <a
<td>loc</td> href="http://www.xs4all.nl/%7Efreeswan/"> FreeS/WAN</a> .</p>
<td>ACCEPT</td>
<td>&nbsp;</td>
</tr>
</table> <h2><font color="#660066"><a name="RoadWarrior"></a> Mobile System (Road
</blockquote> Warrior)</font></h2>
<p align="Left"> Once <p>Suppose that you have a laptop system (B) that you take with you when you
you have these entries in place, restart Shorewall (type shorewall restart); travel and you want to be able to establish a secure connection back to your
you are now ready to configure the tunnel in <a href="http://www.xs4all.nl/%7Efreeswan/"> local network.</p>
FreeS/WAN</a>
.</p>
<p align="center"><strong><font face="Century Gothic, Arial, Helvetica">
<h2><font color="#660066"><a name="RoadWarrior"></a>
Mobile System (Road Warrior)</font></h2>
<p>Suppose that you have
a laptop system (B) that you take with you when you travel and you want to
be able to establish a secure connection back to your local network.</p>
<p align="Center"><strong><font face="Century Gothic, Arial, Helvetica">
<img src="images/Mobile.png" width="677" height="426"> <img src="images/Mobile.png" width="677" height="426">
</font></strong></p> </font></strong></p>
<p align="Left">You need to define a zone for the laptop or include it in <p align="left">You need to define a zone for the laptop or include it in
your local zone. In this example, we'll assume that you have created a zone your local zone. In this example, we'll assume that you have created
called &quot;vpn&quot; to represent the remote host.</p> a zone called "vpn" to represent the remote host.</p>
<blockquote> <blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse"> <table border="2" cellpadding="2" style="border-collapse: collapse;">
<tr> <tbody>
<td><strong>ZONE</strong></td> <tr>
<td><strong>DISPLAY</strong></td> <td><strong>ZONE</strong></td>
<td><strong>COMMENTS</strong></td> <td><strong>DISPLAY</strong></td>
</tr> <td><strong>COMMENTS</strong></td>
<tr> </tr>
<td>vpn</td> <tr>
<td>VPN</td> <td>vpn</td>
<td>Remote Subnet</td> <td>VPN</td>
</tr> <td>Remote Subnet</td>
</tr>
</table> </tbody>
</table>
</blockquote>
<p align="left"> In this instance, the mobile system (B) has IP address 134.28.54.2
but that cannot be determined in advance. In the /etc/shorewall/tunnels file
on system A, the following entry should be made:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><strong> TYPE</strong></td>
<td><strong> ZONE</strong></td>
<td><strong> GATEWAY</strong></td>
<td><strong> GATEWAY ZONE</strong></td>
</tr>
<tr>
<td>ipsec</td>
<td>net</td>
<td>0.0.0.0/0</td>
<td>vpn</td>
</tr>
</tbody>
</table>
</blockquote> </blockquote>
<p align="Left"> In this <p>Note that the GATEWAY ZONE column contains the name of the zone corresponding
instance, the mobile system (B) has IP address 134.28.54.2 but that cannot to peer subnetworks. This indicates that the gateway system itself comprises
be determined in advance. In the /etc/shorewall/tunnels file on system A, the peer subnetwork; in other words, the remote gateway is a standalone system.</p>
the following entry should be made:</p>
<blockquote> <p>You will need to configure /etc/shorewall/interfaces and establish
<table border="2" cellpadding="2" style="border-collapse: collapse"> your "through the tunnel" policy as shown under the first example above.<br>
<tbody>
<tr>
<td><strong>
TYPE</strong></td>
<td><strong>
ZONE</strong></td>
<td><strong>
GATEWAY</strong></td>
<td><strong>
GATEWAY ZONE</strong></td>
</tr>
<tr>
<td>ipsec</td>
<td>net</td>
<td>0.0.0.0/0</td>
<td>vpn</td>
</tr>
</tbody>
</table></blockquote>
<p>Note that the GATEWAY
ZONE column contains the name of the zone corresponding to peer subnetworks. This indicates that the
gateway system itself comprises the peer subnetwork; in other words, the
remote gateway is a standalone system.</p>
<p>You will need to configure /etc/shorewall/interfaces and establish
your &quot;through the tunnel&quot; policy as shown under the first example above.</p>
<p><font size="2"> Last
updated 8/20/2002 - </font><font size="2">
<a href="support.htm">Tom Eastep</a></font>
</p> </p>
<h2><a name="Dynamic"></a>Dynamic RoadWarrior Zones</h2>
Beginning with Shorewall release 1.3.10, you can define multiple VPN zones
and add and delete remote endpoints dynamically using /sbin/shorewall. In
/etc/shorewall/zones:<br>
<br>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2"> <blockquote>
Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> <table cellpadding="2" border="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td valign="top"><b>ZONE<br>
</b></td>
<td valign="top"><b>DISPLAY<br>
</b></td>
<td valign="top"><b>COMMENTS<br>
</b></td>
</tr>
<tr>
<td valign="top">vpn1<br>
</td>
<td valign="top">VPN-1<br>
</td>
<td valign="top">First VPN Zone<br>
</td>
</tr>
<tr>
<td valign="top">vpn2<br>
</td>
<td valign="top">VPN-2<br>
</td>
<td valign="top">Second VPN Zone<br>
</td>
</tr>
<tr>
<td valign="top">vpn3<br>
</td>
<td valign="top">VPN-3<br>
</td>
<td valign="top">Third VPN Zone<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
In /etc/shorewall/tunnels:<br>
<blockquote>
<table cellpadding="2" cellspacing="" border="2"
style="border-collapse: collapse;">
<tbody>
<tr>
<td valign="top"><b>TYPE<br>
</b></td>
<td valign="top"><b>ZONE<br>
</b></td>
<td valign="top"><b>GATEWAY<br>
</b></td>
<td valign="top"><b>GATEWAY ZONE<br>
</b></td>
</tr>
<tr>
<td valign="top">ipsec<br>
</td>
<td valign="top">net<br>
</td>
<td valign="top">0.0.0.0/0<br>
</td>
<td valign="top">vpn1,vpn2,vpn3<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
When Shorewall is started, the zones vpn[1-3] will all be empty and Shorewall
will issue warnings to that effect. These warnings may be safely ignored.
FreeS/Wan may now be configured to have three different Road Warrior connections
with the choice of connection being based on X-509 certificates or some other
means. Each of these connectioins will utilize a different updown script that
adds the remote station to the appropriate zone when the connection comes
up and that deletes the remote station when the connection comes down. For
example, when 134.28.54.2 connects for the vpn2 zone the 'up' part of the
script will issue the command":<br>
<br>
<blockquote>/sbin/shorewall add ipsec0:134.28.54.2 vpn2<br>
</blockquote>
and the 'down' part will:<br>
<blockquote>/sbin/shorewall delete ipsec0:134.28.54.2 vpn</blockquote>
<p><font size="2">Last updated 10/23/2002 - </font><font size="2">
<a href="support.htm">Tom Eastep</a></font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">
Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
</body> </body>
</html> </html>

365
Shorewall-docs/Install.htm
View File

@ -1,174 +1,207 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Shorewall Installation</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body> <meta http-equiv="Content-Type"
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90"> content="text/html; charset=windows-1252">
<tr> <title>Shorewall Installation</title>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Shorewall Installation and Upgrade</font></h1> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
</td>
</tr> <meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Installation and
Upgrade</font></h1>
</td>
</tr>
</tbody>
</table> </table>
<p align="center"><b>Before upgrading, be sure to review the <p align="center"><b>Before upgrading, be sure to review the <a
<a href="upgrade_issues.htm">Upgrade Issues</a></b></p> href="upgrade_issues.htm">Upgrade Issues</a></b></p>
<p><font size="4"><b><a href="#Install_RPM">Install using RPM</a><br> <p><font size="4"><b><a href="#Install_RPM">Install using RPM</a><br>
<a href="#Install_Tarball">Install <a href="#Install_Tarball">Install using tarball</a><br>
using tarball</a><br> <a href="#Upgrade_RPM">Upgrade using RPM</a><br>
<a href="#Upgrade_RPM">Upgrade using RPM</a><br> <a href="#Upgrade_Tarball">Upgrade using tarball</a><br>
<a href="#Upgrade_Tarball">Upgrade <a href="#Config_Files">Configuring Shorewall</a><br>
using tarball</a><br> <a href="fallback.htm">Uninstall/Fallback</a></b></font></p>
<a href="#Config_Files">Configuring Shorewall</a><br>
<a href="fallback.htm">Uninstall/Fallback</a></b></font></p>
<p><a name="Install_RPM"></a>To install Shorewall using the RPM:</p>
<p><b>If you have RedHat 7.2 and are running iptables version 1.2.3 (at a shell
prompt, type &quot;/sbin/iptables --version&quot;), you must upgrade to version 1.2.4
either from the
<a href="http://www.redhat.com/support/errata/RHSA-2001-144.html">RedHat update
site</a> or from the <a href="errata.htm">Shorewall Errata page</a> before
attempting to start Shorewall.</b></p>
<ul>
<li>Install the RPM (rpm -ivh &lt;shorewall rpm&gt;).<br>
<br>
<b>Note: </b>Some SuSE users have encountered a problem whereby rpm reports a
conflict with kernel &lt;= 2.2 even though a 2.4 kernel is installed. If this
happens, simply use the --nodeps option to rpm (rpm -ivh --nodeps &lt;shorewall
rpm&gt;).</li>
<li>Edit the <a href="#Config_Files"> configuration files</a> to match your configuration. <font color="#FF0000"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY INSTALL THE RPM
AND ISSUE A &quot;shorewall start&quot; COMMAND. SOME CONFIGURATION IS REQUIRED BEFORE THE
FIREWALL WILL START. IF YOU ISSUE A &quot;start&quot; COMMAND AND THE FIREWALL FAILS TO
START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY NETWORK TRAFFIC. IF THIS HAPPENS,
ISSUE A &quot;shorewall clear&quot; COMMAND TO RESTORE NETWORK CONNECTIVITY.</b></font></li>
<li>Start the firewall by typing &quot;shorewall start&quot;</li>
</ul>
<p><a name="Install_Tarball"></a>To
install Shorewall using the tarball and install
script: </p>
<ul>
<li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
<li>cd to the shorewall directory (the version is encoded in the
directory name as in &quot;shorewall-1.1.10&quot;).</li>
<li>If you are using <a
href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a href="http://www.redhat.com">RedHat</a>,
<a href="http://www.linux-mandrake.com">Mandrake</a>, <a href="http://www.corel.com">Corel</a>,
<a href="http://www.slackware.com/">Slackware</a> or
<a href="http://www.debian.org">Debian</a>
then type &quot;./install.sh&quot;</li>
<li>If you are using <a href="http://www.suse.com">SuSe</a> then type
&quot;./install.sh /etc/init.d&quot;</li>
<li>If your distribution has directory
/etc/rc.d/init.d or /etc/init.d then type
&quot;./install.sh&quot;</li>
<li>For other distributions, determine where your
distribution installs init scripts and type
&quot;./install.sh &lt;init script directory&gt;</li>
<li>Edit the <a href="#Config_Files"> configuration files</a> to match your configuration.</li>
<li>Start the firewall by typing &quot;shorewall
start&quot;</li>
<li>If the install script was unable to configure Shorewall to be started automatically at boot,
see <a href="Documentation.htm#Starting">these
instructions</a>.</li>
</ul>
<p><a name="Upgrade_RPM"></a>If you already have the Shorewall RPM installed and are upgrading to a new
version:</p>
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.3 version and you
have entries in the /etc/shorewall/hosts file then please check your
/etc/shorewall/interfaces file to be sure that it contains an entry for each
interface mentioned in the hosts file. Also, there are certain 1.2 rule forms
that are no longer supported under 1.3 (you must use the new 1.3 syntax). See
<a href="errata.htm#Upgrade">the upgrade issues </a>for details. You can check your rules and
host file for 1.3 compatibility using the &quot;shorewall check&quot; command after
installing the latest version of 1.3.</p>
<ul>
<li>Upgrade the RPM (rpm -Uvh &lt;shorewall rpm file&gt;) <b>Note: </b>If you
are installing version 1.2.0 and have one of the 1.2.0 Beta RPMs installed,
you must use the &quot;--oldpackage&quot; option to rpm (e.g., &quot;rpm
-Uvh --oldpackage shorewall-1.2-0.noarch.rpm&quot;).
<p>
<b>Note: </b>Some SuSE users have encountered a problem whereby rpm reports a
conflict with kernel &lt;= 2.2 even though a 2.4 kernel is installed. If this
happens, simply use the --nodeps option to rpm (rpm -Uvh --nodeps &lt;shorewall
rpm&gt;).<br>
&nbsp;</li>
<li>See if there are any incompatibilities between your configuration and the
new Shorewall version (type &quot;shorewall check&quot;) and correct as necessary.</li>
<li>Restart the firewall (shorewall restart).</li>
</ul>
<p><a name="Upgrade_Tarball"></a>If you already have Shorewall installed and are upgrading to a new version
using the tarball:</p>
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.3 version and you
have entries in the /etc/shorewall/hosts file then please check your
/etc/shorewall/interfaces file to be sure that it contains an entry for each
interface mentioned in the hosts file.&nbsp; Also, there are certain 1.2 rule
forms that are no longer supported under 1.3 (you must use the new 1.3 syntax).
See <a href="errata.htm#Upgrade">the upgrade issues</a> for details. You can check your rules
and host file for 1.3 compatibility using the &quot;shorewall check&quot; command after
installing the latest version of 1.3.</p>
<ul>
<li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
<li>cd to the shorewall directory (the version is encoded in the
directory name as in &quot;shorewall-3.0.1&quot;).</li>
<li>If you are using <a
href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a href="http://www.redhat.com">RedHat</a>,
<a href="http://www.linux-mandrake.com">Mandrake</a>, <a href="http://www.corel.com">Corel</a>,
<a href="http://www.slackware.com/">Slackware</a> or
<a href="http://www.debian.org">Debian</a>
then type &quot;./install.sh&quot;</li>
<li>If you are using<a href="http://www.suse.com"> SuSe</a> then type
&quot;./install.sh /etc/init.d&quot;</li>
<li>If your distribution has directory
/etc/rc.d/init.d or /etc/init.d then type
&quot;./install.sh&quot;</li>
<li>For other distributions, determine where your
distribution installs init scripts and type
&quot;./install.sh &lt;init script directory&gt;</li>
<li>See if there are any incompatibilities between your configuration and the
new Shorewall version (type &quot;shorewall check&quot;) and correct as necessary.</li>
<li>Restart the firewall by typing &quot;shorewall restart&quot;</li>
</ul>
<h3><a name="Config_Files"></a>Configuring Shorewall</h3>
<p>You will need to edit some or all of these configuration files to match your
setup. In most cases, the <a href="shorewall_quickstart_guide.htm">Shorewall
QuickStart Guides</a> contain all of the information you need.</p>
<ul>
<li>/etc/shorewall/shorewall.conf - used to set several firewall
parameters.</li>
<li>/etc/shorewall/params - use this file to set shell variables that you will
expand in other files.</li>
<li>/etc/shorewall/zones - partition the firewall's view of the world
into <i>zones.</i></li>
<li>/etc/shorewall/policy - establishes firewall high-level policy.</li>
<li>/etc/shorewall/interfaces - describes the interfaces on the
firewall system.</li>
<li>/etc/shorewall/hosts - allows defining zones in terms of individual
hosts and subnetworks.</li>
<li>/etc/shorewall/masq - directs the firewall where to use many-to-one
(dynamic) NAT a.k.a. Masquerading.</li>
<li>/etc/shorewall/modules - directs the firewall to load kernel modules.</li>
<li>/etc/shorewall/rules - defines rules that are exceptions to the
overall policies established in /etc/shorewall/policy.</li>
<li>/etc/shorewall/nat - defines static NAT rules.</li>
<li>/etc/shorewall/proxyarp - defines use of Proxy ARP.</li>
<li>/etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines hosts
accessible when Shorewall is stopped.</li>
<li>/etc/shorewall/tcrules - defines marking of packets for later use by
traffic control/shaping.</li>
<li>/etc/shorewall/tos - defines rules for setting the TOS field in packet
headers.</li>
<li>/etc/shorewall/tunnels - defines IPSEC tunnels with end-points on
the firewall system.</li>
<li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC addresses.</li>
</ul>
<p><font size="2">Updated 9/13/2002 - <a href="support.htm">Tom
Eastep</a> </font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
</body></html> <p><a name="Install_RPM"></a>To install Shorewall using the RPM:</p>
<p><b>If you have RedHat 7.2 and are running iptables version 1.2.3 (at a
shell prompt, type "/sbin/iptables --version"), you must upgrade to version
1.2.4 either from the <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">RedHat update
site</a> or from the <a href="errata.htm">Shorewall Errata page</a> before
attempting to start Shorewall.</b></p>
<ul>
<li>Install the RPM (rpm -ivh &lt;shorewall rpm&gt;).<br>
<br>
<b>Note: </b>Some SuSE users have encountered a problem whereby rpm reports
a conflict with kernel &lt;= 2.2 even though a 2.4 kernel is installed.
If this happens, simply use the --nodeps option to rpm (rpm -ivh --nodeps
&lt;shorewall rpm&gt;).</li>
<li>Edit the <a href="#Config_Files"> configuration files</a> to match
your configuration. <font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u>
SIMPLY INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
IS REQUIRED BEFORE THE FIREWALL WILL START. IF YOU ISSUE A "start" COMMAND
AND THE FIREWALL FAILS TO START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY NETWORK
TRAFFIC. IF THIS HAPPENS, ISSUE A "shorewall clear" COMMAND TO RESTORE NETWORK
CONNECTIVITY.</b></font></li>
<li>Start the firewall by typing "shorewall start"</li>
</ul>
<p><a name="Install_Tarball"></a>To install Shorewall using the tarball
and install script: </p>
<ul>
<li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
<li>cd to the shorewall directory (the version is encoded in the
directory name as in "shorewall-1.1.10").</li>
<li>If you are using <a
href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a
href="http://www.redhat.com">RedHat</a>, <a
href="http://www.linux-mandrake.com">Mandrake</a>, <a
href="http://www.corel.com">Corel</a>, <a
href="http://www.slackware.com/">Slackware</a> or <a
href="http://www.debian.org">Debian</a> then type "./install.sh"</li>
<li>If you are using <a href="http://www.suse.com">SuSe</a> then type
"./install.sh /etc/init.d"</li>
<li>If your distribution has directory /etc/rc.d/init.d or
/etc/init.d then type "./install.sh"</li>
<li>For other distributions, determine where your distribution
installs init scripts and type "./install.sh &lt;init script directory&gt;</li>
<li>Edit the <a href="#Config_Files"> configuration files</a> to match
your configuration.</li>
<li>Start the firewall by typing "shorewall start"</li>
<li>If the install script was unable to configure Shorewall to be started
automatically at boot, see <a
href="starting_and_stopping_shorewall.htm">these instructions</a>.</li>
</ul>
<p><a name="Upgrade_RPM"></a>If you already have the Shorewall RPM installed
and are upgrading to a new version:</p>
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.3 version and
you have entries in the /etc/shorewall/hosts file then please check your
/etc/shorewall/interfaces file to be sure that it contains an entry for
each interface mentioned in the hosts file. Also, there are certain 1.2
rule forms that are no longer supported under 1.3 (you must use the new
1.3 syntax). See <a href="errata.htm#Upgrade">the upgrade issues </a>for details.
You can check your rules and host file for 1.3 compatibility using the "shorewall
check" command after installing the latest version of 1.3.</p>
<ul>
<li>Upgrade the RPM (rpm -Uvh &lt;shorewall rpm file&gt;) <b>Note: </b>If
you are installing version 1.2.0 and have one of the 1.2.0 Beta RPMs installed,
you must use the "--oldpackage" option to rpm (e.g., "rpm -Uvh --oldpackage
shorewall-1.2-0.noarch.rpm").
<p> <b>Note: </b>Some SuSE users have encountered a problem whereby
rpm reports a conflict with kernel &lt;= 2.2 even though a 2.4 kernel is
installed. If this happens, simply use the --nodeps option to rpm (rpm
-Uvh --nodeps &lt;shorewall rpm&gt;).<br>
  </p>
</li>
<li>See if there are any incompatibilities between your configuration
and the new Shorewall version (type "shorewall check") and correct as
necessary.</li>
<li>Restart the firewall (shorewall restart).</li>
</ul>
<p><a name="Upgrade_Tarball"></a>If you already have Shorewall installed and
are upgrading to a new version using the tarball:</p>
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.3 version and
you have entries in the /etc/shorewall/hosts file then please check your
/etc/shorewall/interfaces file to be sure that it contains an entry for
each interface mentioned in the hosts file.  Also, there are certain 1.2
rule forms that are no longer supported under 1.3 (you must use the new
1.3 syntax). See <a href="errata.htm#Upgrade">the upgrade issues</a> for
details. You can check your rules and host file for 1.3 compatibility using
the "shorewall check" command after installing the latest version of 1.3.</p>
<ul>
<li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
<li>cd to the shorewall directory (the version is encoded in the
directory name as in "shorewall-3.0.1").</li>
<li>If you are using <a
href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a
href="http://www.redhat.com">RedHat</a>, <a
href="http://www.linux-mandrake.com">Mandrake</a>, <a
href="http://www.corel.com">Corel</a>, <a
href="http://www.slackware.com/">Slackware</a> or <a
href="http://www.debian.org">Debian</a> then type "./install.sh"</li>
<li>If you are using<a href="http://www.suse.com"> SuSe</a> then type
"./install.sh /etc/init.d"</li>
<li>If your distribution has directory /etc/rc.d/init.d or
/etc/init.d then type "./install.sh"</li>
<li>For other distributions, determine where your distribution
installs init scripts and type "./install.sh &lt;init script directory&gt;</li>
<li>See if there are any incompatibilities between your configuration
and the new Shorewall version (type "shorewall check") and correct as necessary.</li>
<li>Restart the firewall by typing "shorewall restart"</li>
</ul>
<h3><a name="Config_Files"></a>Configuring Shorewall</h3>
<p>You will need to edit some or all of these configuration files to match
your setup. In most cases, the <a href="shorewall_quickstart_guide.htm">Shorewall
QuickStart Guides</a> contain all of the information you need.</p>
<ul>
<li>/etc/shorewall/shorewall.conf - used to set several firewall
parameters.</li>
<li>/etc/shorewall/params - use this file to set shell variables that
you will expand in other files.</li>
<li>/etc/shorewall/zones - partition the firewall's view of the world
into <i>zones.</i></li>
<li>/etc/shorewall/policy - establishes firewall high-level policy.</li>
<li>/etc/shorewall/interfaces - describes the interfaces on the
firewall system.</li>
<li>/etc/shorewall/hosts - allows defining zones in terms of individual
hosts and subnetworks.</li>
<li>/etc/shorewall/maclist - verification of the MAC addresses of devices.<br>
</li>
<li>/etc/shorewall/masq - directs the firewall where to use many-to-one
(dynamic) NAT a.k.a. Masquerading.</li>
<li>/etc/shorewall/modules - directs the firewall to load kernel modules.</li>
<li>/etc/shorewall/rules - defines rules that are exceptions to the
overall policies established in /etc/shorewall/policy.</li>
<li>/etc/shorewall/nat - defines static NAT rules.</li>
<li>/etc/shorewall/proxyarp - defines use of Proxy ARP.</li>
<li>/etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines
hosts accessible when Shorewall is stopped.</li>
<li>/etc/shorewall/tcrules - defines marking of packets for later use
by traffic control/shaping.</li>
<li>/etc/shorewall/tos - defines rules for setting the TOS field in packet
headers.</li>
<li>/etc/shorewall/tunnels - defines IPSEC tunnels with end-points on
the firewall system.</li>
<li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC addresses.</li>
</ul>
<p><font size="2">Updated 10/28/2002 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
</body>
</html>

1303
Shorewall-docs/News.htm
View File

File diff suppressed because it is too large Load Diff

1439
Shorewall-docs/PPTP.htm
View File

File diff suppressed because it is too large Load Diff

127
Shorewall-docs/Shorewall_index_frame.htm
View File

@ -11,7 +11,8 @@
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Index</title> <title>Shorewall Index</title>
<base target="main"> <base
target="main">
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
@ -19,75 +20,93 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#4b017c" height="90"> bgcolor="#4b017c" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%" height="90"> <td width="100%" height="90">
<h3 align="center"><font color="#ffffff">Shorewall</font></h3> <h3 align="center"><font color="#ffffff">Shorewall</font></h3>
</td> </td>
</tr> </tr>
<tr> <tr>
<td width="100%" bgcolor="#ffffff"> <td width="100%" bgcolor="#ffffff">
<ul> <ul>
<li> <a href="seattlefirewall_index.htm">Home</a></li> <li> <a href="seattlefirewall_index.htm">Home</a></li>
<li> <a href="shorewall_features.htm">Features</a></li> <li> <a href="shorewall_features.htm">Features</a></li>
<li> <a href="shorewall_prerequisites.htm">Requirements</a></li> <li> <a href="shorewall_prerequisites.htm">Requirements</a></li>
<li> <a href="download.htm">Download</a></li> <li> <a href="download.htm">Download</a><br>
<li> <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a></li>
<li> <a href="Install.htm">Installation/Upgrade/</a><br>
<a href="Install.htm">Configuration</a></li>
<li> <a href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></li>
<li> <a href="Documentation.htm">Reference Manual</a></li>
<li> <a href="FAQ.htm">FAQs</a></li>
<li><a href="useful_links.html">Useful Links</a><br>
</li> </li>
<li> <a href="troubleshoot.htm">Troubleshooting</a></li> <li> <a href="Install.htm">Installation/Upgrade/</a><br>
<li> <a href="errata.htm">Errata</a></li> <a href="Install.htm">Configuration</a><br>
<li> <a href="upgrade_issues.htm">Upgrade Issues</a></li> </li>
<li> <a href="support.htm">Support</a></li> <li> <a href="shorewall_quickstart_guide.htm">QuickStart Guides
<li> <a href="mailing_list.htm">Mailing Lists</a></li> (HOWTOs)</a><br>
<li> <a href="shorewall_mirrors.htm">Mirrors</a> </li>
<li> <a
href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></li>
<li> <a href="Documentation.htm">Reference Manual</a></li>
<li> <a href="FAQ.htm">FAQs</a></li>
<li><a href="useful_links.html">Useful Links</a><br>
</li>
<li> <a href="troubleshoot.htm">Troubleshooting</a></li>
<li> <a href="errata.htm">Errata</a></li>
<li> <a href="upgrade_issues.htm">Upgrade Issues</a></li>
<li> <a href="support.htm">Support</a></li>
<li> <a href="mailing_list.htm">Mailing Lists</a></li>
<li> <a href="shorewall_mirrors.htm">Mirrors</a>
<ul> <ul>
<li><a target="_top" href="http://slovakia.shorewall.net">Slovak <li><a target="_top"
Republic</a></li> href="http://slovakia.shorewall.net">Slovak Republic</a></li>
<li><a target="_top" href="http://shorewall.infohiiway.com">Texas, <li><a target="_top"
USA</a></li> href="http://shorewall.infohiiway.com">Texas, USA</a></li>
<li><a target="_top" href="http://germany.shorewall.net">Germany</a></li> <li><a target="_top"
<li><a target="_top" href="http://germany.shorewall.net">Germany</a></li>
<li><a target="_top"
href="http://shorewall.correofuego.com.ar">Argentina</a></li> href="http://shorewall.correofuego.com.ar">Argentina</a></li>
<li><a target="_top" href="http://france.shorewall.net">France</a></li> <li><a target="_top"
href="http://france.shorewall.net">France</a></li>
</ul> </ul>
</li> </li>
</ul> </ul>
<ul> <ul>
<li> <a href="News.htm">News Archive</a></li> <li> <a href="News.htm">News Archive</a></li>
<li> <a href="Shorewall_CVS_Access.html">CVS Repository</a></li> <li> <a href="Shorewall_CVS_Access.html">CVS Repository</a></li>
<li> <a href="quotes.htm">Quotes from Users</a></li> <li> <a href="quotes.htm">Quotes from Users</a></li>
<li> <a href="shoreline.htm">About the Author</a></li> <li> <a href="shoreline.htm">About the Author</a></li>
<li> <a href="seattlefirewall_index.htm#Donations">Donations</a></li> <li> <a href="seattlefirewall_index.htm#Donations">Donations</a></li>
</ul> </ul>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<form method="post" action="http://www.shorewall.net/cgi-bin/htsearch"> <form method="post" action="http://www.shorewall.net/cgi-bin/htsearch">
<strong><br>
<p> <strong>Quick Search</strong><br> <b>Note: </b></strong>Search is unavailable Daily 0200-0330 GMT.<br>
<font face="Arial" size="-1"> <input type="text" name="words" <strong></strong>
size="15"></font><font size="-1"> </font> <font face="Arial" <p><strong>Quick Search</strong><br>
size="-1"> <input type="hidden" name="format" value="long"> <input <font face="Arial" size="-1"> <input type="text"
type="hidden" name="method" value="and"> <input type="hidden" name="words" size="15"></font><font size="-1"> </font> <font
name="config" value="htdig"> <input type="submit" value="Search"></font> face="Arial" size="-1"> <input type="hidden" name="format"
</p> value="long"> <input type="hidden" name="method" value="and"> <input
<font face="Arial"> <input type="hidden" name="exclude" type="hidden" name="config" value="htdig"> <input type="submit"
value="[http://www.shorewall.net/pipermail/*]"> </font> </form> value="Search"></font> </p>
<font face="Arial"> <input type="hidden"
name="exclude" value="[http://www.shorewall.net/pipermail/*]"> </font>
</form>
<p><b><a href="htdig/search.html">Extended Search</a></b></p> <p><b><a href="htdig/search.html">Extended Search</a></b></p>
@ -96,11 +115,7 @@
<p><a href="http://www.shorewall.net" target="_top"> <img border="1" <p><a href="http://www.shorewall.net" target="_top"> <img border="1"
src="images/shorewall.jpg" width="119" height="38" hspace="0"> src="images/shorewall.jpg" width="119" height="38" hspace="0">
</a></p> </a><br>
<br> </p>
<br>
<br>
<br>
<br>
</body> </body>
</html> </html>

48
Shorewall-docs/blacklisting_support.htm
View File

@ -17,12 +17,12 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Blacklisting Support</font></h1> <h1 align="center"><font color="#ffffff">Blacklisting Support</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
@ -31,27 +31,26 @@
<h2>Static Blacklisting</h2> <h2>Static Blacklisting</h2>
<p>Shorewall static blacklisting support has the following configuration <p>Shorewall static blacklisting support has the following configuration parameters:</p>
parameters:</p>
<ul> <ul>
<li>You specify whether you want packets from blacklisted hosts dropped <li>You specify whether you want packets from blacklisted hosts dropped
or rejected using the <a href="Documentation.htm#BLDisposition">BLACKLIST_DISPOSITION</a> or rejected using the <a href="Documentation.htm#BLDisposition">BLACKLIST_DISPOSITION</a>
setting in /etc/shorewall/shorewall.conf</li> setting in /etc/shorewall/shorewall.conf</li>
<li>You specify whether you want packets from blacklisted hosts logged <li>You specify whether you want packets from blacklisted hosts logged
and at what syslog level using the <a and at what syslog level using the <a
href="Documentation.htm#BLLoglevel">BLACKLIST_LOGLEVEL</a> setting in href="Documentation.htm#BLLoglevel">BLACKLIST_LOGLEVEL</a> setting in
/etc/shorewall/shorewall.conf</li> /etc/shorewall/shorewall.conf</li>
<li>You list the IP addresses/subnets that you wish to blacklist in <a <li>You list the IP addresses/subnets that you wish to blacklist in <a
href="Documentation.htm#Blacklist">/etc/shorewall/blacklist.</a> Beginning href="Documentation.htm#Blacklist">/etc/shorewall/blacklist.</a> Beginning
with Shorewall version 1.3.8, you may also specify PROTOCOL and Port numbers/Service with Shorewall version 1.3.8, you may also specify PROTOCOL and Port numbers/Service
names in the blacklist file.<br> names in the blacklist file.<br>
</li> </li>
<li>You specify the interfaces whose incoming packets you want checked <li>You specify the interfaces whose incoming packets you want checked
against the blacklist using the "<a against the blacklist using the "<a
href="Documentation.htm#Interfaces">blacklist</a>" option in /etc/shorewall/interfaces.</li> href="Documentation.htm#Interfaces">blacklist</a>" option in /etc/shorewall/interfaces.</li>
<li>The black list is refreshed from /etc/shorewall/blacklist by the "<a <li>The black list is refreshed from /etc/shorewall/blacklist by the
href="Documentation.htm#Starting">shorewall refresh</a>" command.</li> "<a href="Documentation.htm#Starting">shorewall refresh</a>" command.</li>
</ul> </ul>
@ -59,24 +58,24 @@ against the blacklist using the "<a
<p>Dynamic blacklisting support was added in version 1.3.2. Dynamic blacklisting <p>Dynamic blacklisting support was added in version 1.3.2. Dynamic blacklisting
doesn't use any configuration parameters but is rather controlled using doesn't use any configuration parameters but is rather controlled using
/sbin/shorewall commands:</p> /sbin/shorewall commands:</p>
<ul> <ul>
<li>deny <i>&lt;ip address list&gt; </i>- causes packets from the listed <li>drop <i>&lt;ip address list&gt; </i>- causes packets from the listed
IP addresses to be silently dropped by the firewall.</li> IP addresses to be silently dropped by the firewall.</li>
<li>reject <i>&lt;ip address list&gt; </i>- causes packets from the listed <li>reject <i>&lt;ip address list&gt; </i>- causes packets from the listed
IP addresses to be rejected by the firewall.</li> IP addresses to be rejected by the firewall.</li>
<li>allow <i>&lt;ip address list&gt; </i>- re-enables receipt of packets <li>allow <i>&lt;ip address list&gt; </i>- re-enables receipt of packets
from hosts previously blacklisted by a <i>deny</i> or <i>reject</i> command.</li> from hosts previously blacklisted by a <i>deny</i> or <i>reject</i> command.</li>
<li>save - save the dynamic blacklisting configuration so that it will <li>save - save the dynamic blacklisting configuration so that it will
be automatically restored the next time that the firewall is restarted.</li> be automatically restored the next time that the firewall is restarted.</li>
<li>show dynamic - displays the dynamic blacklisting configuration.</li> <li>show dynamic - displays the dynamic blacklisting configuration.</li>
</ul> </ul>
<p>Example 1:</p> <p>Example 1:</p>
<pre> shorewall deny 192.0.2.124 192.0.2.125</pre> <pre> shorewall drop 192.0.2.124 192.0.2.125</pre>
<p>    Drops packets from hosts 192.0.2.124 and 192.0.2.125</p> <p>    Drops packets from hosts 192.0.2.124 and 192.0.2.125</p>
@ -86,10 +85,11 @@ be automatically restored the next time that the firewall is restarted.</li>
<p>    Reenables access from 192.0.2.125.</p> <p>    Reenables access from 192.0.2.125.</p>
<p><font size="2">Last updated 9/16/2002 - <a href="support.htm">Tom Eastep</a></font></p> <p><font size="2">Last updated 10/7/2002 - <a href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2002 Thomas M. Eastep.</font></a></font></p> © <font size="2">2002 Thomas M. Eastep.</font></a></font></p>
<br> <br>
<br>
</body> </body>
</html> </html>

307
Shorewall-docs/configuration_file_basics.htm
View File

@ -17,66 +17,67 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Configuration Files</font></h1> <h1 align="center"><font color="#ffffff">Configuration Files</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p><b><font color="#ff0000">Warning: </font>If you copy or edit your <p><b><font color="#ff0000">Warning: </font>If you copy or edit your
configuration files on a system running Microsoft Windows, you <u>must</u> configuration files on a system running Microsoft Windows, you <u>must</u>
run them through <a run them through <a
href="http://www.megaloman.com/%7Ehany/software/hd2u/"> dos2unix</a> href="http://www.megaloman.com/%7Ehany/software/hd2u/"> dos2unix</a>
before you use them with Shorewall.</b></p> before you use them with Shorewall.</b></p>
<h2>Files</h2> <h2>Files</h2>
<p>Shorewall's configuration files are in the directory /etc/shorewall.</p> <p>Shorewall's configuration files are in the directory /etc/shorewall.</p>
<ul> <ul>
<li>/etc/shorewall/shorewall.conf - used to set several firewall <li>/etc/shorewall/shorewall.conf - used to set several firewall
parameters.</li> parameters.</li>
<li>/etc/shorewall/params - use this file to set shell variables <li>/etc/shorewall/params - use this file to set shell variables
that you will expand in other files.</li> that you will expand in other files.</li>
<li>/etc/shorewall/zones - partition the firewall's view of the <li>/etc/shorewall/zones - partition the firewall's view of
world into <i>zones.</i></li> the world into <i>zones.</i></li>
<li>/etc/shorewall/policy - establishes firewall high-level policy.</li> <li>/etc/shorewall/policy - establishes firewall high-level
<li>/etc/shorewall/interfaces - describes the interfaces on the policy.</li>
firewall system.</li> <li>/etc/shorewall/interfaces - describes the interfaces on
<li>/etc/shorewall/hosts - allows defining zones in terms of individual the firewall system.</li>
hosts and subnetworks.</li> <li>/etc/shorewall/hosts - allows defining zones in terms of
<li>/etc/shorewall/masq - directs the firewall where to use many-to-one individual hosts and subnetworks.</li>
(dynamic) Network Address Translation (a.k.a. Masquerading) and Source <li>/etc/shorewall/masq - directs the firewall where to use
Network Address Translation (SNAT).</li> many-to-one (dynamic) Network Address Translation (a.k.a. Masquerading)
<li>/etc/shorewall/modules - directs the firewall to load kernel and Source Network Address Translation (SNAT).</li>
modules.</li> <li>/etc/shorewall/modules - directs the firewall to load kernel
<li>/etc/shorewall/rules - defines rules that are exceptions to modules.</li>
the overall policies established in /etc/shorewall/policy.</li> <li>/etc/shorewall/rules - defines rules that are exceptions
<li>/etc/shorewall/nat - defines static NAT rules.</li> to the overall policies established in /etc/shorewall/policy.</li>
<li>/etc/shorewall/proxyarp - defines use of Proxy ARP.</li> <li>/etc/shorewall/nat - defines static NAT rules.</li>
<li>/etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines <li>/etc/shorewall/proxyarp - defines use of Proxy ARP.</li>
hosts accessible when Shorewall is stopped.</li> <li>/etc/shorewall/routestopped (Shorewall 1.3.4 and later)
<li>/etc/shorewall/tcrules - defines marking of packets for later - defines hosts accessible when Shorewall is stopped.</li>
use by traffic control/shaping or policy routing.</li> <li>/etc/shorewall/tcrules - defines marking of packets for
<li>/etc/shorewall/tos - defines rules for setting the TOS field later use by traffic control/shaping or policy routing.</li>
in packet headers.</li> <li>/etc/shorewall/tos - defines rules for setting the TOS field
<li>/etc/shorewall/tunnels - defines IPSEC, GRE and IPIP tunnels in packet headers.</li>
with end-points on the firewall system.</li> <li>/etc/shorewall/tunnels - defines IPSEC, GRE and IPIP tunnels
<li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC with end-points on the firewall system.</li>
addresses.</li> <li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC
addresses.</li>
</ul> </ul>
<h2>Comments</h2> <h2>Comments</h2>
<p>You may place comments in configuration files by making the first non-whitespace <p>You may place comments in configuration files by making the first non-whitespace
character a pound sign ("#"). You may also place comments at the end character a pound sign ("#"). You may also place comments at the end
of any line, again by delimiting the comment from the rest of the line of any line, again by delimiting the comment from the rest of the
with a pound sign.</p> line with a pound sign.</p>
<p>Examples:</p> <p>Examples:</p>
@ -87,7 +88,7 @@ with a pound sign.</p>
<h2>Line Continuation</h2> <h2>Line Continuation</h2>
<p>You may continue lines in the configuration files using the usual backslash <p>You may continue lines in the configuration files using the usual backslash
("\") followed immediately by a new line character.</p> ("\") followed immediately by a new line character.</p>
<p>Example:</p> <p>Example:</p>
@ -98,203 +99,221 @@ with a pound sign.</p>
<p align="left"> </p> <p align="left"> </p>
<p align="left"><b>WARNING: I personally recommend strongly <u>against</u> <p align="left"><b>WARNING: I personally recommend strongly <u>against</u>
using DNS names in Shorewall configuration files. If you use DNS names and using DNS names in Shorewall configuration files. If you use DNS names and
you are called out of bed at 2:00AM because Shorewall won't start as a result you are called out of bed at 2:00AM because Shorewall won't start as a
of DNS problems then don't say that you were not forewarned. <br> result of DNS problems then don't say that you were not forewarned. <br>
</b></p> </b></p>
<p align="left"><b>    -Tom<br> <p align="left"><b>    -Tom<br>
</b></p> </b></p>
<p align="left">Beginning with Shorwall 1.3.9, Host addresses in Shorewall <p align="left">Beginning with Shorwall 1.3.9, Host addresses in Shorewall
configuration files may be specified either as IP addresses or as DNS Names.<br> configuration files may be specified either as IP addresses or as DNS Names.<br>
<br> <br>
DNS names in iptables rules aren't nearly as useful as they first appear. DNS names in iptables rules aren't nearly as useful as they first appear.
When a DNS name appears in a rule, the iptables utility resolves the name When a DNS name appears in a rule, the iptables utility resolves the name
to one or more IP addresses and inserts those addresses into the rule. So to one or more IP addresses and inserts those addresses into the rule.
change in the DNS-&gt;IP address relationship that occur after the firewall So change in the DNS-&gt;IP address relationship that occur after the firewall
has started have absolutely no effect on the firewall's ruleset. </p> has started have absolutely no effect on the firewall's ruleset. </p>
<p align="left"> If your firewall rules include DNS names then:</p> <p align="left"> If your firewall rules include DNS names then:</p>
<ul> <ul>
<li>If your /etc/resolv.conf is wrong then your firewall won't start.</li> <li>If your /etc/resolv.conf is wrong then your firewall won't
<li>If your /etc/nsswitch.conf is wrong then your firewall won't start.</li> start.</li>
<li>If your Name Server(s) is(are) down then your firewall won't start.</li> <li>If your /etc/nsswitch.conf is wrong then your firewall won't
<li>If your startup scripts try to start your firewall before starting start.</li>
your DNS server then your firewall won't start.<br> <li>If your Name Server(s) is(are) down then your firewall won't
</li> start.</li>
<li>Factors totally outside your control (your ISP's router is down <li>If your startup scripts try to start your firewall before starting
for example), can prevent your firewall from starting.</li> your DNS server then your firewall won't start.<br>
<li>You must bring up your network interfaces prior to starting your firewall.<br> </li>
</li> <li>Factors totally outside your control (your ISP's router is
down for example), can prevent your firewall from starting.</li>
<li>You must bring up your network interfaces prior to starting your
firewall.<br>
</li>
</ul> </ul>
<p align="left"> Each DNS name much be fully qualified and include a minumum <p align="left"> Each DNS name much be fully qualified and include a minumum
of two periods (although one may be trailing). This restriction is imposed of two periods (although one may be trailing). This restriction is imposed
by Shorewall to insure backward compatibility with existing configuration by Shorewall to insure backward compatibility with existing configuration
files.<br> files.<br>
<br> <br>
Examples of valid DNS names:<br> Examples of valid DNS names:<br>
</p> </p>
<ul> <ul>
<li>mail.shorewall.net</li> <li>mail.shorewall.net</li>
<li>shorewall.net.</li> <li>shorewall.net.</li>
</ul> </ul>
Examples of invalid DNS names:<br> Examples of invalid DNS names:<br>
<ul> <ul>
<li>mail (not fully qualified)</li> <li>mail (not fully qualified)</li>
<li>shorewall.net (only one period)</li> <li>shorewall.net (only one period)</li>
</ul> </ul>
DNS names may not be used as:<br> DNS names may not be used as:<br>
<ul> <ul>
<li>The server address in a DNAT rule (/etc/shorewall/rules file)</li> <li>The server address in a DNAT rule (/etc/shorewall/rules file)</li>
<li>In the ADDRESS column of an entry in /etc/shorewall/masq.</li> <li>In the ADDRESS column of an entry in /etc/shorewall/masq.</li>
<li>In the /etc/shorewall/nat file.</li> <li>In the /etc/shorewall/nat file.</li>
</ul> </ul>
These are iptables restrictions and are not simply imposed for your inconvenience These are iptables restrictions and are not simply imposed for your
by Shorewall. <br> inconvenience by Shorewall. <br>
<br> <br>
<h2>Complementing an Address or Subnet</h2> <h2>Complementing an Address or Subnet</h2>
<p>Where specifying an IP address, a subnet or an interface, you can <p>Where specifying an IP address, a subnet or an interface, you can
precede the item with "!" to specify the complement of the item. For precede the item with "!" to specify the complement of the item. For
example, !192.168.1.4 means "any host but 192.168.1.4".</p> example, !192.168.1.4 means "any host but 192.168.1.4". There must
be no white space following the "!".</p>
<h2>Comma-separated Lists</h2> <h2>Comma-separated Lists</h2>
<p>Comma-separated lists are allowed in a number of contexts within the <p>Comma-separated lists are allowed in a number of contexts within the
configuration files. A comma separated list:</p> configuration files. A comma separated list:</p>
<ul> <ul>
<li>Must not have any embedded white space.<br> <li>Must not have any embedded white space.<br>
Valid: routestopped,dhcp,norfc1918<br> Valid: routestopped,dhcp,norfc1918<br>
Invalid: routestopped,     dhcp,     norfc1818</li> Invalid: routestopped,     dhcp,     norfc1818</li>
<li>If you use line continuation to break a comma-separated list, <li>If you use line continuation to break a comma-separated
the continuation line(s) must begin in column 1 (or there would be list, the continuation line(s) must begin in column 1 (or there
embedded white space)</li> would be embedded white space)</li>
<li>Entries in a comma-separated list may appear in any order.</li> <li>Entries in a comma-separated list may appear in any order.</li>
</ul> </ul>
<h2>Port Numbers/Service Names</h2> <h2>Port Numbers/Service Names</h2>
<p>Unless otherwise specified, when giving a port number you can use <p>Unless otherwise specified, when giving a port number you can use
either an integer or a service name from /etc/services. </p> either an integer or a service name from /etc/services. </p>
<h2>Port Ranges</h2> <h2>Port Ranges</h2>
<p>If you need to specify a range of ports, the proper syntax is &lt;<i>low <p>If you need to specify a range of ports, the proper syntax is &lt;<i>low
port number</i>&gt;:&lt;<i>high port number</i>&gt;.</p> port number</i>&gt;:&lt;<i>high port number</i>&gt;. For example,
if you want to forward the range of tcp ports 4000 through 4100 to local
host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
</p>
<pre> DNAT net loc:192.168.1.3 tcp 4000:4100<br></pre>
<h2>Using Shell Variables</h2> <h2>Using Shell Variables</h2>
<p>You may use the file /etc/shorewall/params file to set shell variables <p>You may use the /etc/shorewall/params file to set shell variables
that you can then use in some of the other configuration files.</p> that you can then use in some of the other configuration files.</p>
<p>It is suggested that variable names begin with an upper case letter<font <p>It is suggested that variable names begin with an upper case letter<font
size="1"> </font>to distinguish them from variables used internally size="1"> </font>to distinguish them from variables used internally
within the Shorewall programs</p> within the Shorewall programs</p>
<p>Example:</p> <p>Example:</p>
<blockquote> <blockquote>
<pre>NET_IF=eth0<br>NET_BCAST=130.252.100.255<br>NET_OPTIONS=noping,norfc1918</pre> <pre>NET_IF=eth0<br>NET_BCAST=130.252.100.255<br>NET_OPTIONS=noping,norfc1918</pre>
</blockquote> </blockquote>
<p><br> <p><br>
Example (/etc/shorewall/interfaces record):</p> Example (/etc/shorewall/interfaces record):</p>
<font <font
face="Century Gothic, Arial, Helvetica"> face="Century Gothic, Arial, Helvetica">
<blockquote> <blockquote>
<pre><font face="Courier">net $NET_IF $NET_BCAST $NET_OPTIONS</font></pre> <pre><font face="Courier">net $NET_IF $NET_BCAST $NET_OPTIONS</font></pre>
</blockquote> </blockquote>
</font> </font>
<p>The result will be the same as if the record had been written</p> <p>The result will be the same as if the record had been written</p>
<font <font
face="Century Gothic, Arial, Helvetica"> face="Century Gothic, Arial, Helvetica">
<blockquote> <blockquote>
<pre>net eth0 130.252.100.255 noping,norfc1918</pre> <pre>net eth0 130.252.100.255 noping,norfc1918</pre>
</blockquote> </blockquote>
</font> </font>
<p>Variables may be used anywhere in the other configuration <p>Variables may be used anywhere in the other configuration
files.</p> files.</p>
<h2>Using MAC Addresses</h2> <h2>Using MAC Addresses</h2>
<p>Media Access Control (MAC) addresses can be used to specify packet <p>Media Access Control (MAC) addresses can be used to specify packet
source in several of the configuration files. To use this feature, source in several of the configuration files. To use this feature,
your kernel must have MAC Address Match support (CONFIG_IP_NF_MATCH_MAC) your kernel must have MAC Address Match support (CONFIG_IP_NF_MATCH_MAC)
included.</p> included.</p>
<p>MAC addresses are 48 bits wide and each Ethernet Controller has a <p>MAC addresses are 48 bits wide and each Ethernet Controller has a
unique MAC address.<br> unique MAC address.<br>
<br> <br>
In GNU/Linux, MAC addresses are usually written as a series of 6 In GNU/Linux, MAC addresses are usually written as a series of
hex numbers separated by colons. Example:<br> 6 hex numbers separated by colons. Example:<br>
<br> <br>
     [root@gateway root]# ifconfig eth0<br>      [root@gateway root]# ifconfig eth0<br>
     eth0 Link encap:Ethernet HWaddr <b><u>02:00:08:E3:FA:55</u></b><br>      eth0 Link encap:Ethernet HWaddr <b><u>02:00:08:E3:FA:55</u></b><br>
     inet addr:206.124.146.176 Bcast:206.124.146.255 Mask:255.255.255.0<br>      inet addr:206.124.146.176 Bcast:206.124.146.255 Mask:255.255.255.0<br>
     UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br>      UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br>
     RX packets:2398102 errors:0 dropped:0 overruns:0 frame:0<br>      RX packets:2398102 errors:0 dropped:0 overruns:0 frame:0<br>
     TX packets:3044698 errors:0 dropped:0 overruns:0 carrier:0<br>      TX packets:3044698 errors:0 dropped:0 overruns:0 carrier:0<br>
     collisions:30394 txqueuelen:100<br>      collisions:30394 txqueuelen:100<br>
     RX bytes:419871805 (400.4 Mb) TX bytes:1659782221 (1582.8 Mb)<br>      RX bytes:419871805 (400.4 Mb) TX bytes:1659782221 (1582.8
     Interrupt:11 Base address:0x1800<br> Mb)<br>
<br>      Interrupt:11 Base address:0x1800<br>
Because Shorewall uses colons as a separator for address fields, <br>
Shorewall requires MAC addresses to be written in another way. In Because Shorewall uses colons as a separator for address fields,
Shorewall requires MAC addresses to be written in another way. In
Shorewall, MAC addresses begin with a tilde ("~") and consist of 6 Shorewall, MAC addresses begin with a tilde ("~") and consist of 6
hex numbers separated by hyphens. In Shorewall, the MAC address in hex numbers separated by hyphens. In Shorewall, the MAC address in
the example above would be written "~02-00-08-E3-FA-55".</p> the example above would be written "~02-00-08-E3-FA-55".<br>
</p>
<p><b>Note: </b>It is not necessary to use the special Shorewall notation
in the <a href="MAC_Validation.html">/etc/shorewall/maclist</a> file.<br>
</p>
<h2>Shorewall Configurations</h2> <h2>Shorewall Configurations</h2>
<p> Shorewall allows you to have configuration directories other than /etc/shorewall. <p> Shorewall allows you to have configuration directories other than /etc/shorewall.
The <a href="starting_and_stopping_shorewall.htm">shorewall start and restart</a> The <a href="starting_and_stopping_shorewall.htm">shorewall start and restart</a>
commands allow you to specify an alternate configuration directory and commands allow you to specify an alternate configuration directory and
Shorewall will use the files in the alternate directory rather than the corresponding Shorewall will use the files in the alternate directory rather than the
files in /etc/shorewall. The alternate directory need not contain a complete corresponding files in /etc/shorewall. The alternate directory need not
configuration; those files not in the alternate directory will be read from contain a complete configuration; those files not in the alternate directory
/etc/shorewall.</p> will be read from /etc/shorewall.</p>
<p> This facility permits you to easily create a test or temporary configuration <p> This facility permits you to easily create a test or temporary configuration
by:</p> by:</p>
<ol> <ol>
<li> copying the files that need modification from /etc/shorewall <li> copying the files that need modification from /etc/shorewall
to a separate directory;</li> to a separate directory;</li>
<li> modify those files in the separate directory; and</li> <li> modify those files in the separate directory; and</li>
<li> specifying the separate directory in a shorewall start or <li> specifying the separate directory in a shorewall start
shorewall restart command (e.g., <i><b>shorewall -c /etc/testconfig restart</b></i> or shorewall restart command (e.g., <i><b>shorewall -c /etc/testconfig
).</li> restart</b></i> ).</li>
</ol> </ol>
<p><font size="2"> Updated 9/24/2002 - <a href="support.htm">Tom Eastep</a> <p><font size="2"> Updated 10/24/2002 - <a href="support.htm">Tom Eastep</a>
</font></p> </font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br> <br>
<br>
<br>
<br>
<br> <br>
</body> </body>
</html> </html>

102
Shorewall-docs/dhcp.htm
View File

@ -1,60 +1,82 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> <meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta http-equiv="Content-Type"
<title>DHCP</title> content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>DHCP</title>
</head> </head>
<body>
<body> <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">DHCP</font></h1>
</td>
</tr>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90"> </tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">DHCP</font></h1>
</td>
</tr>
</table> </table>
<h2 align="left">DHCP Server on your firewall</h2>
<h2 align="left">If you want to Run a DHCP Server on your firewall</h2>
<ul> <ul>
<li>
<p align="left">Specify the "dhcp" option on each interface to be
served by your server in the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
file. This will generate rules that will allow DHCP to and from your
firewall system. </p>
</li>
<li> <li>
<p align="left">Specify the &quot;dhcp&quot; option on each interface to be <p align="left">When starting "dhcpd", you need to list those interfaces
served by your server in the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> on the run line. On a RedHat system, this is done by modifying /etc/sysconfig/dhcpd.
file.</li> </p>
<li> </li>
<p align="left">When starting &quot;dhcpd&quot;, you need to list those
interfaces on the run line. On a RedHat system, this is done by modifying
/etc/sysconfig/dhcpd.</li>
</ul> </ul>
<h2 align="left">A Firewall Interface gets its IP Address via DHCP</h2>
<h2 align="left">If a Firewall Interface gets its IP Address via DHCP</h2>
<ul> <ul>
<li>
<p align="left">Specify the "dhcp" option for this interface in the
<a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
file. This will generate rules that will allow DHCP to and from your firewall
system. </p>
</li>
<li> <li>
<p align="left">Specify the &quot;dhcp&quot; option for this interface in <p align="left">If you know that the dynamic address is always going
the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> to be in the same subnet, you can specify the subnet address in the interface's
file.</li>
<li>
<p align="left">If you know that the dynamic address is always going to be
in the same subnet, you can specify the subnet address in the interface's
entry in the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> entry in the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
file.</li> file. </p>
</li>
<li> <li>
<p align="left">If you don't know the subnet address in advance, you should <p align="left">If you don't know the subnet address in advance, you
specify &quot;detect&quot; for the interface's subnet address in the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> should specify "detect" for the interface's subnet address in the <a
file and start Shorewall after the interface has started.</li> href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> file
and start Shorewall after the interface has started. </p>
</li>
<li> <li>
<p align="left">In the event that the subnet address might change while <p align="left">In the event that the subnet address might change while
Shorewall is started, you need to arrange for a &quot;shorewall Shorewall is started, you need to arrange for a "shorewall refresh"
refresh&quot; command to be executed when a new dynamic IP address gets command to be executed when a new dynamic IP address gets assigned to
assigned to the interface. Check your DHCP client's documentation.</li> the interface. Check your DHCP client's documentation. </p>
</li>
</ul> </ul>
<p align="left"><font size="2">Last updated 1/26/2002 - <a href="support.htm">Tom
Eastep</a></font></p> <p align="left"><font size="2">Last updated 11/03/2002 - <a
href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
</body> </body>
</html> </html>

431
Shorewall-docs/download.htm
View File

@ -17,288 +17,295 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Download</font></h1> <h1 align="center"><font color="#ffffff">Shorewall Download</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p><b>I strongly urge you to read and print a copy of the <a <p><b>I strongly urge you to read and print a copy of the <a
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a> href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
for the configuration that most closely matches your own.</b></p> for the configuration that most closely matches your own.</b></p>
<p>Once you've done that, download <u> one</u> of the modules:</p> <p>Once you've done that, download <u> one</u> of the modules:</p>
<ul> <ul>
<li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>, <b> <li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>, <b>
Linux PPC</b> or <b> TurboLinux</b> distribution with a 2.4 kernel, Linux PPC</b> or <b> TurboLinux</b> distribution with a 2.4
you can use the RPM version (note: the RPM should also work with kernel, you can use the RPM version (note: the RPM should
other distributions that store init scripts in /etc/init.d and also work with other distributions that store init scripts in
that include chkconfig or insserv). If you find that it works /etc/init.d and that include chkconfig or insserv). If you find
in other cases, let <a href="mailto:teastep@shorewall.net"> me</a> that it works in other cases, let <a
know so that I can mention them here. See the <a href="mailto:teastep@shorewall.net"> me</a> know so that
href="Install.htm">Installation Instructions</a> if you have problems I can mention them here. See the <a href="Install.htm">Installation Instructions</a>
installing the RPM.</li> if you have problems installing the RPM.</li>
<li>If you are running LRP, download the .lrp file (you might also want <li>If you are running LRP, download the .lrp file (you might also
to download the .tgz so you will have a copy of the documentation).</li> want to download the .tgz so you will have a copy of the documentation).</li>
<li>If you run <a href="http://www.debian.org"><b>Debian</b></a> and <li>If you run <a href="http://www.debian.org"><b>Debian</b></a> and
would like a .deb package, Shorewall is in both the <a would like a .deb package, Shorewall is in both the <a
href="http://packages.debian.org/testing/net/shorewall.html">Debian Testing href="http://packages.debian.org/testing/net/shorewall.html">Debian
Branch</a> and the <a Testing Branch</a> and the <a
href="http://packages.debian.org/unstable/net/shorewall.html">Debian href="http://packages.debian.org/unstable/net/shorewall.html">Debian
Unstable Branch</a>.</li> Unstable Branch</a>.</li>
<li>Otherwise, download the <i>shorewall</i> module (.tgz)</li> <li>Otherwise, download the <i>shorewall</i> module (.tgz)</li>
</ul> </ul>
<p>The documentation in HTML format is included in the .tgz and .rpm files <p>The documentation in HTML format is included in the .tgz and .rpm files
and there is an documentation .deb that also contains the documentation.</p> and there is an documentation .deb that also contains the documentation.</p>
<p>Please verify the version that you have downloaded -- during the <p>Please verify the version that you have downloaded -- during the
release of a new version of Shorewall, the links below may point to release of a new version of Shorewall, the links below may point
a newer or an older version than is shown below.</p> to a newer or an older version than is shown below.</p>
<ul> <ul>
<li>RPM - "rpm -qip LATEST.rpm"</li> <li>RPM - "rpm -qip LATEST.rpm"</li>
<li>TARBALL - "tar -ztf LATEST.tgz" (the directory name will contain <li>TARBALL - "tar -ztf LATEST.tgz" (the directory name will contain
the version)</li> the version)</li>
<li>LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar -zxf &lt;downloaded <li>LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar -zxf &lt;downloaded
.lrp&gt;; cat var/lib/lrpkg/shorwall.version" </li> .lrp&gt;; cat var/lib/lrpkg/shorwall.version" </li>
</ul> </ul>
<p><font face="Arial">Once you have verified the version, check the <p><font face="Arial">Once you have verified the version, check the
</font><font color="#ff0000" face="Arial"> <a href="errata.htm"> errata</a></font><font </font><font color="#ff0000" face="Arial"> <a href="errata.htm"> errata</a></font><font
face="Arial"> to see if there are updates that apply to the version face="Arial"> to see if there are updates that apply to the version
that you have downloaded.</font></p> that you have downloaded.</font></p>
<p><font color="#ff0000" face="Arial"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY <p><font color="#ff0000" face="Arial"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY
INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed configuration IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed configuration
of your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.</b></font></p> of your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.</b></font></p>
<p>Download Latest Version (<b>1.3.9</b>): <b>Remember that updates to the <p>Download Latest Version (<b>1.3.10</b>): <b>Remember that updates to the
mirrors occur 1-12 hours after an update to the primary site.</b></p> mirrors occur 1-12 hours after an update to the primary site.</b></p>
<blockquote> <blockquote>
<table border="2" cellspacing="3" cellpadding="3" <table border="2" cellspacing="3" cellpadding="3"
style="border-collapse: collapse;"> style="border-collapse: collapse;">
<tbody> <tbody>
<tr> <tr>
<td><b>SERVER LOCATION</b></td> <td><b>SERVER LOCATION</b></td>
<td><b>DOMAIN</b></td> <td><b>DOMAIN</b></td>
<td><b>HTTP</b></td> <td><b>HTTP</b></td>
<td><b>FTP</b></td> <td><b>FTP</b></td>
</tr> </tr>
<tr> <tr>
<td>Washington State, USA</td> <td>Washington State, USA</td>
<td>Shorewall.net</td> <td>Shorewall.net</td>
<td><a href="http://www.shorewall.net/pub/shorewall/LATEST.rpm">Download <td><a
.rpm</a><br> href="http://www.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br>
<a href="http://www.shorewall.net/pub/shorewall/LATEST.tgz">Download <a href="http://www.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br> .tgz</a> <br>
<a href="http://www.shorewall.net/pub/shorewall/LATEST.lrp">Download <a href="http://www.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a></td> .lrp</a></td>
<td><a href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.rpm" <td><a
target="_blank"> Download .rpm</a> <br> href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.rpm" target="_blank">
<a href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.tgz" Download .rpm</a> <br>
<a href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.tgz"
target="_blank">Download .tgz</a> <br> target="_blank">Download .tgz</a> <br>
<a href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.lrp" <a href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.lrp"
target="_blank">Download .lrp</a></td> target="_blank">Download .lrp</a></td>
</tr> </tr>
<tr> <tr>
<td>Slovak Republic</td> <td>Slovak Republic</td>
<td>Shorewall.net</td> <td>Shorewall.net</td>
<td><a <td><a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br> href="http://slovakia.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br>
<a <a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.tgz">Download href="http://slovakia.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a></td>
<td> <a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
<a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.lrp">Download
.rpm</a></td>
</tr>
<tr>
<td>Texas, USA</td>
<td>Infohiiway.com</td>
<td><a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.rpm">Download
.rpm</a><br>
<a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.lrp">Download
.lrp</a></td>
<td> <a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.rpm">Download .rpm</a>  <br>
<a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.lrp"> Download
.lrp</a></td>
</tr>
<tr>
<td>Hamburg, Germany</td>
<td>Shorewall.net</td>
<td><a
href="http://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download
.rpm</a><br>
<a href="http://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a><br>
<a href="http://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a></td>
<td> <a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download
.rpm</a>  <br>
<a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a></td>
</tr>
<tr>
<td>Martinez (Zona Norte - GBA), Argentina</td>
<td>Correofuego.com.ar</td>
<td> <a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
<a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
Download .lrp</a></td>
<td> <a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
<a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
Download .lrp</a></td>
</tr>
<tr>
<td>Paris, France</td>
<td>Shorewall.net</td>
<td><a href="http://france.shorewall.net/pub/LATEST.rpm">Download
.rpm</a><br>
<a href="http://france.shorewall.net/pub/LATEST.tgz">Download
.tgz</a> <br> .tgz</a> <br>
<a href="http://france.shorewall.net/pub/LATEST.lrp">Download <a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a></td> .lrp</a></td>
<td> <a target="_blank" <td> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.rpm">Download href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.rpm">Download
.rpm</a>  <br> .rpm</a>  <br>
<a target="_blank" <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.tgz">Download href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.lrp">Download
.rpm</a></td>
</tr>
<tr>
<td>Texas, USA</td>
<td>Infohiiway.com</td>
<td><a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.rpm">Download
.rpm</a><br>
<a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.lrp">Download
.lrp</a></td>
<td> <a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.rpm">Download .rpm</a>  <br>
<a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.lrp"> Download
.lrp</a></td>
</tr>
<tr>
<td>Hamburg, Germany</td>
<td>Shorewall.net</td>
<td><a
href="http://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download
.rpm</a><br>
<a
href="http://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a><br>
<a
href="http://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a></td>
<td> <a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download
.rpm</a>  <br>
<a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a></td>
</tr>
<tr>
<td>Martinez (Zona Norte - GBA), Argentina</td>
<td>Correofuego.com.ar</td>
<td> <a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
<a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
Download .lrp</a></td>
<td> <a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
<a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
Download .lrp</a></td>
</tr>
<tr>
<td>Paris, France</td>
<td>Shorewall.net</td>
<td><a href="http://france.shorewall.net/pub/LATEST.rpm">Download
.rpm</a><br>
<a href="http://france.shorewall.net/pub/LATEST.tgz">Download
.tgz</a> <br> .tgz</a> <br>
<a target="_blank" <a href="http://france.shorewall.net/pub/LATEST.lrp">Download
.lrp</a></td>
<td> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
<a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.lrp">Download href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.lrp">Download
.lrp</a></td> .lrp</a></td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
<p>Browse Download Sites:</p> <p>Browse Download Sites:</p>
<blockquote> <blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;"> <table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody> <tbody>
<tr> <tr>
<td><b>SERVER LOCATION</b></td> <td><b>SERVER LOCATION</b></td>
<td><b>DOMAIN</b></td> <td><b>DOMAIN</b></td>
<td><b>HTTP</b></td> <td><b>HTTP</b></td>
<td><b>FTP</b></td> <td><b>FTP</b></td>
</tr> </tr>
<tr> <tr>
<td>Washington State, USA</td> <td>Washington State, USA</td>
<td>Shorewall.net</td> <td>Shorewall.net</td>
<td><a href="http://www.shorewall.net/pub/shorewall/">Browse</a></td> <td><a href="http://www.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a href="ftp://ftp.shorewall.net/pub/shorewall/" <td><a href="ftp://ftp.shorewall.net/pub/shorewall/"
target="_blank">Browse</a></td> target="_blank">Browse</a></td>
</tr> </tr>
<tr> <tr>
<td>Slovak Republic</td> <td>Slovak Republic</td>
<td>Shorewall.net</td> <td>Shorewall.net</td>
<td><a href="http://slovakia.shorewall.net/pub/shorewall/">Browse</a></td> <td><a href="http://slovakia.shorewall.net/pub/shorewall/">Browse</a></td>
<td> <a target="_blank" <td> <a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/">Browse</a></td> href="ftp://slovakia.shorewall.net/mirror/shorewall/">Browse</a></td>
</tr> </tr>
<tr> <tr>
<td>Texas, USA</td> <td>Texas, USA</td>
<td>Infohiiway.com</td> <td>Infohiiway.com</td>
<td><a href="http://shorewall.infohiiway.com/pub/shorewall">Browse</a></td> <td><a href="http://shorewall.infohiiway.com/pub/shorewall">Browse</a></td>
<td><a target="_blank" <td><a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/">Browse</a></td> href="ftp://ftp.infohiiway.com/pub/shorewall/">Browse</a></td>
</tr> </tr>
<tr> <tr>
<td>Hamburg, Germany</td> <td>Hamburg, Germany</td>
<td>Shorewall.net</td> <td>Shorewall.net</td>
<td><a href="http://germany.shorewall.net/pub/shorewall/">Browse</a></td> <td><a href="http://germany.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a target="_blank" <td><a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall">Browse</a></td> href="ftp://germany.shorewall.net/pub/shorewall">Browse</a></td>
</tr> </tr>
<tr> <tr>
<td>Martinez (Zona Norte - GBA), Argentina</td> <td>Martinez (Zona Norte - GBA), Argentina</td>
<td>Correofuego.com.ar</td> <td>Correofuego.com.ar</td>
<td><a <td><a
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall">Browse</a></td> href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall">Browse</a></td>
<td> <a target="_blank" <td> <a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall"> Browse</a></td> href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall"> Browse</a></td>
</tr> </tr>
<tr> <tr>
<td>France</td> <td>France</td>
<td>Shorewall.net</td> <td>Shorewall.net</td>
<td><a <td><a
href="http://france.shorewall.net/pub/shorewall/LATEST.lrp">Browse</a></td> href="http://france.shorewall.net/pub/shorewall/LATEST.lrp">Browse</a></td>
<td> <a target="_blank" <td> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/">Browse</a></td> href="ftp://france.shorewall.net/pub/mirrors/shorewall/">Browse</a></td>
</tr> </tr>
<tr> <tr>
<td>California, USA (Incomplete)</td> <td>California, USA (Incomplete)</td>
<td>Sourceforge.net</td> <td>Sourceforge.net</td>
<td><a href="http://sourceforge.net/projects/shorewall">Browse</a></td> <td><a href="http://sourceforge.net/projects/shorewall">Browse</a></td>
<td>N/A</td> <td>N/A</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
<p align="left">CVS:</p> <p align="left">CVS:</p>
<blockquote> <blockquote>
<p align="left">The <a target="_top" <p align="left">The <a target="_top"
href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi">CVS repository at href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi">CVS repository at
cvs.shorewall.net</a> contains the latest snapshots of the each Shorewall cvs.shorewall.net</a> contains the latest snapshots of the each Shorewall
component. There's no guarantee that what you find there will work at all.</p> component. There's no guarantee that what you find there will work at
</blockquote> all.</p>
</blockquote>
<p align="left"><font size="2">Last Updated 9/26/2002 - <a <p align="left"><font size="2">Last Updated 11/9/2002 - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br> <br>
<br>
<br> <br>
</body> </body>
</html> </html>

370
Shorewall-docs/errata.htm
View File

@ -17,12 +17,13 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1> <h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
@ -30,68 +31,110 @@
<p align="center"> <b><u>IMPORTANT</u></b></p> <p align="center"> <b><u>IMPORTANT</u></b></p>
<ol> <ol>
<li> <li>
<p align="left"> <b><u>I</u>f you use a Windows system to download <p align="left"> <b><u>I</u>f you use a Windows system to download
a corrected script, be sure to run the script through <u> <a a corrected script, be sure to run the script through <u> <a
href="http://www.megaloman.com/%7Ehany/software/hd2u/" href="http://www.megaloman.com/%7Ehany/software/hd2u/"
style="text-decoration: none;"> dos2unix</a></u> after you have moved style="text-decoration: none;"> dos2unix</a></u> after you have moved
it to your Linux system.</b></p> it to your Linux system.</b></p>
</li> </li>
<li> <li>
<p align="left"> <b>If you are installing Shorewall for the <p align="left"> <b>If you are installing Shorewall for the
first time and plan to use the .tgz and install.sh script, you can first time and plan to use the .tgz and install.sh script, you can
untar the archive, replace the 'firewall' script in the untarred directory untar the archive, replace the 'firewall' script in the untarred directory
with the one you downloaded below, and then run install.sh.</b></p> with the one you downloaded below, and then run install.sh.</b></p>
</li> </li>
<li> <li>
<p align="left"> <b>When the instructions say to install a corrected <p align="left"> <b>When the instructions say to install a corrected
firewall script in /etc/shorewall/firewall, /usr/lib/shorewall/firewall firewall script in /etc/shorewall/firewall, /usr/lib/shorewall/firewall
or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to overwrite or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to overwrite
the existing file. DO NOT REMOVE OR RENAME THE OLD /etc/shorewall/firewall the existing file. DO NOT REMOVE OR RENAME THE OLD /etc/shorewall/firewall
or /var/lib/shorewall/firewall before you do that. /etc/shorewall/firewall or /var/lib/shorewall/firewall before you do that. /etc/shorewall/firewall
and /var/lib/shorewall/firewall are symbolic links that point and /var/lib/shorewall/firewall are symbolic links that point
to the 'shorewall' file used by your system initialization scripts to to the 'shorewall' file used by your system initialization scripts
start Shorewall during boot. It is that file that must be overwritten to start Shorewall during boot. It is that file that must be overwritten
with the corrected script. </b></p> with the corrected script.</b></p>
</li> </li>
<li>
<p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. For example,
do NOT install the 1.3.9a firewall script if you are running 1.3.7c.</font></b><br>
</p>
</li>
</ol> </ol>
<ul> <ul>
<li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li> <li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
<li> <b><a href="#V1.3">Problems in Version <li> <b><a href="#V1.3">Problems in
1.3</a></b></li> Version 1.3</a></b></li>
<li> <b><a href="errata_2.htm">Problems <li> <b><a href="errata_2.htm">Problems
in Version 1.2</a></b></li> in Version 1.2</a></b></li>
<li> <b><font color="#660066"> <a <li> <b><font color="#660066"> <a
href="errata_1.htm">Problems in Version 1.1</a></font></b></li> href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
<li> <b><font color="#660066"><a <li> <b><font color="#660066"><a
href="#iptables"> Problem with iptables version 1.2.3 on RH7.2</a></font></b></li> href="#iptables"> Problem with iptables version 1.2.3 on RH7.2</a></font></b></li>
<li> <b><a href="#Debug">Problems with kernels <li> <b><a href="#Debug">Problems with
&gt;= 2.4.18 and RedHat iptables</a></b></li> kernels &gt;= 2.4.18 and RedHat iptables</a></b></li>
<li><b><a href="#SuSE">Problems installing/upgrading RPM on SuSE</a></b></li> <li><b><a href="#SuSE">Problems installing/upgrading RPM on SuSE</a></b></li>
<li><b><a href="#Multiport">Problems with iptables version 1.2.7 and <li><b><a href="#Multiport">Problems with iptables version 1.2.7
MULTIPORT=Yes</a></b></li> and MULTIPORT=Yes</a></b></li>
<li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10 and NAT</a></b><br>
</li>
</ul> </ul>
<hr> <hr>
<h2 align="left"><a name="V1.3"></a>Problems in Version 1.3</h2> <h2 align="left"><a name="V1.3"></a>Problems in Version 1.3</h2>
<h3>Version 1.3.8</h3> <h3>Version 1.3.9a</h3>
<ul> <ul>
<li> Use of shell variables in the LOG LEVEL or SYNPARMS columns of the <li> If entries are used in /etc/shorewall/hosts and MERGE_HOSTS=No then
policy file doesn't work.</li> the following message appears during "shorewall [re]start":</li>
<li>A DNAT rule with the same original and new IP addresses but with different </ul>
port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24 tcp 25 - 10.1.1.1")<br>
</li> <pre> recalculate_interfacess: command not found<br></pre>
<blockquote> The updated firewall script at <a
href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
corrects this problem.Copy the script to /usr/lib/shorewall/firewall as described
above.<br>
</blockquote>
<blockquote> Alternatively, edit /usr/lob/shorewall/firewall and change the
single occurence (line 483 in version 1.3.9a) of 'recalculate_interefacess'
to 'recalculate_interface'. <br>
</blockquote>
<ul>
<li>The installer (install.sh) issues a misleading message "Common functions
installed in /var/lib/shorewall/functions" whereas the file is installed
in /usr/lib/shorewall/functions. The installer also performs incorrectly
when updating old configurations that had the file /etc/shorewall/functions.
<a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.3.9/install.sh">Here
is an updated version that corrects these problems.<br>
</a></li>
</ul>
<h3>Version 1.3.9</h3>
<b>TUNNELS Broken in 1.3.9!!! </b>There is an updated firewall script
at <a
href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
-- copy that file to /usr/lib/shorewall/firewall as described above.<br>
<br>
Version 1.3.8
<ul>
<li> Use of shell variables in the LOG LEVEL or SYNPARMS columns of
the policy file doesn't work.</li>
<li>A DNAT rule with the same original and new IP addresses but with
different port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24 tcp
25 - 10.1.1.1")<br>
</li>
</ul> </ul>
Installing <a Installing <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.8/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.8/firewall">
this corrected firewall script</a> in /var/lib/shorewall/firewall this corrected firewall script</a> in /var/lib/shorewall/firewall
as described above corrects these problems. as described above corrects these problems.
<h3>Version 1.3.7b</h3> <h3>Version 1.3.7b</h3>
@ -100,7 +143,7 @@ port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24 tcp 25 - 10.1.1.1")<b
<a <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
this corrected firewall script</a> in /var/lib/shorewall/firewall this corrected firewall script</a> in /var/lib/shorewall/firewall
as described above corrects this problem.</p> as described above corrects this problem.</p>
<h3>Version 1.3.7a</h3> <h3>Version 1.3.7a</h3>
@ -111,7 +154,7 @@ port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24 tcp 25 - 10.1.1.1")<b
<a <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
this corrected firewall script</a> in /var/lib/shorewall/firewall this corrected firewall script</a> in /var/lib/shorewall/firewall
as described above corrects this problem.</p> as described above corrects this problem.</p>
<h3>Version &lt;= 1.3.7a</h3> <h3>Version &lt;= 1.3.7a</h3>
@ -121,24 +164,24 @@ port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24 tcp 25 - 10.1.1.1")<b
means that if a DHCP client broadcasts using an means that if a DHCP client broadcasts using an
RFC 1918 source address, then the firewall will RFC 1918 source address, then the firewall will
reject the broadcast (usually logging it). This reject the broadcast (usually logging it). This
has two problems:</p> has two problems:</p>
<ol> <ol>
<li>If the firewall is running a DHCP <li>If the firewall is running a DHCP
server, the client won't be able to obtain server, the client won't be able to obtain
an IP address lease from that server.</li> an IP address lease from that server.</li>
<li>With this order of checking, the "dhcp" <li>With this order of checking, the
option cannot be used as a noise-reduction "dhcp" option cannot be used as a noise-reduction
measure where there are both dynamic and measure where there are both dynamic
static clients on a LAN segment.</li> and static clients on a LAN segment.</li>
</ol> </ol>
<p> <a <p> <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
This version of the 1.3.7a firewall script </a> This version of the 1.3.7a firewall script </a>
corrects the problem. It must be installed corrects the problem. It must be installed
in /var/lib/shorewall as described above.</p> in /var/lib/shorewall as described above.</p>
<h3>Version 1.3.7</h3> <h3>Version 1.3.7</h3>
@ -150,24 +193,25 @@ an IP address lease from that server.</li>
<pre> d2fffb7fb99bcc6cb047ea34db1df10 shorewall-1.3.7a.tgz<br> 6a7fd284c8685b2b471a2f47b469fb94 shorewall-1.3.7a-1.noarch.rpm<br> 3decd14296effcff16853106771f7035 shorwall-1.3.7a.lrp</pre> <pre> d2fffb7fb99bcc6cb047ea34db1df10 shorewall-1.3.7a.tgz<br> 6a7fd284c8685b2b471a2f47b469fb94 shorewall-1.3.7a-1.noarch.rpm<br> 3decd14296effcff16853106771f7035 shorwall-1.3.7a.lrp</pre>
<p>In other words, type "md5sum &lt;<i>whatever package you downloaded</i>&gt; <p>In other words, type "md5sum &lt;<i>whatever package you downloaded</i>&gt;
and compare the result with what you see above.</p> and compare the result with what you see above.</p>
<p>I'm embarrassed to report that 1.2.7 was also DOA -- maybe I'll skip the <p>I'm embarrassed to report that 1.2.7 was also DOA -- maybe I'll skip the
.7 version in each sequence from now on.</p> .7 version in each sequence from now on.</p>
<h3 align="left">Version 1.3.6</h3> <h3 align="left">Version 1.3.6</h3>
<ul> <ul>
<li> <li>
<p align="left">If ADD_SNAT_ALIASES=Yes is specified in /etc/shorewall/shorewall.conf, <p align="left">If ADD_SNAT_ALIASES=Yes is specified in /etc/shorewall/shorewall.conf,
an error occurs when the firewall script attempts to add an SNAT an error occurs when the firewall script attempts to add an
alias. </p> SNAT alias. </p>
</li> </li>
<li> <li>
<p align="left">The <b>logunclean </b>and <b>dropunclean</b> options <p align="left">The <b>logunclean </b>and <b>dropunclean</b> options
cause errors during startup when Shorewall is run with iptables cause errors during startup when Shorewall is run with iptables
1.2.7. </p> 1.2.7. </p>
</li> </li>
</ul> </ul>
@ -181,7 +225,7 @@ an IP address lease from that server.</li>
<p align="left">A line was inadvertently deleted from the "interfaces <p align="left">A line was inadvertently deleted from the "interfaces
file" -- this line should be added back in if the version that you file" -- this line should be added back in if the version that you
downloaded is missing it:</p> downloaded is missing it:</p>
<p align="left">net    eth0    detect    routefilter,dhcp,norfc1918</p> <p align="left">net    eth0    detect    routefilter,dhcp,norfc1918</p>
@ -203,20 +247,20 @@ an IP address lease from that server.</li>
<div align="left"> <div align="left">
<pre> adm eth0:1.2.4.5,eth0:5.6.7.8</pre> <pre> adm eth0:1.2.4.5,eth0:5.6.7.8</pre>
</div> </div>
<div align="left"> <div align="left">
<p align="left">That capability was lost in version 1.3.4 so that it is only <p align="left">That capability was lost in version 1.3.4 so that it is only
possible to  include a single host specification on each line. This possible to  include a single host specification on each line. This
problem is corrected by <a problem is corrected by <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.5a/firewall">this href="http://www.shorewall.net/pub/shorewall/errata/1.3.5a/firewall">this
modified 1.3.5a firewall script</a>. Install the script in /var/lib/pub/shorewall/firewall modified 1.3.5a firewall script</a>. Install the script in /var/lib/pub/shorewall/firewall
as instructed above.</p> as instructed above.</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left">This problem is corrected in version 1.3.5b.</p> <p align="left">This problem is corrected in version 1.3.5b.</p>
</div> </div>
<h3 align="left">Version 1.3.5</h3> <h3 align="left">Version 1.3.5</h3>
@ -224,7 +268,7 @@ an IP address lease from that server.</li>
<a <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">
this corrected firewall script</a> in /var/lib/pub/shorewall/firewall this corrected firewall script</a> in /var/lib/pub/shorewall/firewall
as instructed above. This problem is corrected in version 1.3.5a.</p> as instructed above. This problem is corrected in version 1.3.5a.</p>
<h3 align="left">Version 1.3.n, n &lt; 4</h3> <h3 align="left">Version 1.3.n, n &lt; 4</h3>
@ -233,17 +277,17 @@ an IP address lease from that server.</li>
file have been previously defined in the /etc/shorewall/zones file have been previously defined in the /etc/shorewall/zones
file. The "shorewall check" command does perform this verification file. The "shorewall check" command does perform this verification
so it's a good idea to run that command after you have made configuration so it's a good idea to run that command after you have made configuration
changes.</p> changes.</p>
<h3 align="left">Version 1.3.n, n &lt; 3</h3> <h3 align="left">Version 1.3.n, n &lt; 3</h3>
<p align="left">If you have upgraded from Shorewall 1.2 and after <p align="left">If you have upgraded from Shorewall 1.2 and after
"Activating rules..." you see the message: "iptables: No chains/target/match "Activating rules..." you see the message: "iptables: No chains/target/match
by that name" then you probably have an entry in /etc/shorewall/hosts by that name" then you probably have an entry in /etc/shorewall/hosts
that specifies an interface that you didn't include in /etc/shorewall/interfaces. that specifies an interface that you didn't include in /etc/shorewall/interfaces.
To correct this problem, you must add an entry to /etc/shorewall/interfaces. To correct this problem, you must add an entry to /etc/shorewall/interfaces.
Shorewall 1.3.3 and later versions produce a clearer error message Shorewall 1.3.3 and later versions produce a clearer error
in this case.</p> message in this case.</p>
<h3 align="left">Version 1.3.2</h3> <h3 align="left">Version 1.3.2</h3>
@ -253,71 +297,73 @@ so it's a good idea to run that command after you have made configura
version has a size of 38126 bytes.</p> version has a size of 38126 bytes.</p>
<ul> <ul>
<li>The code to detect a duplicate interface entry in <li>The code to detect a duplicate interface entry in
/etc/shorewall/interfaces contained a typo that prevented it from /etc/shorewall/interfaces contained a typo that prevented it from
working correctly. </li> working correctly. </li>
<li>"NAT_BEFORE_RULES=No" was broken; it behaved just like <li>"NAT_BEFORE_RULES=No" was broken; it behaved just
"NAT_BEFORE_RULES=Yes".</li> like "NAT_BEFORE_RULES=Yes".</li>
</ul> </ul>
<p align="left">Both problems are corrected in <a <p align="left">Both problems are corrected in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/firewall">
this script</a> which should be installed in <b><u>/var/lib/shorewall</u></b> this script</a> which should be installed in <b><u>/var/lib/shorewall</u></b>
as described above.</p> as described above.</p>
<ul> <ul>
<li> <li>
<p align="left">The IANA have just announced the allocation of subnet <p align="left">The IANA have just announced the allocation of subnet
221.0.0.0/8. This <a 221.0.0.0/8. This <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/rfc1918"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/rfc1918">
updated rfc1918</a> file reflects that allocation.</p> updated rfc1918</a> file reflects that allocation.</p>
</li> </li>
</ul> </ul>
<h3 align="left">Version 1.3.1</h3> <h3 align="left">Version 1.3.1</h3>
<ul> <ul>
<li>TCP SYN packets may be double counted when <li>TCP SYN packets may be double counted when
LIMIT:BURST is included in a CONTINUE or ACCEPT policy (i.e., each LIMIT:BURST is included in a CONTINUE or ACCEPT policy (i.e., each
packet is sent through the limit chain twice).</li> packet is sent through the limit chain twice).</li>
<li>An unnecessary jump to the policy chain is sometimes <li>An unnecessary jump to the policy chain is sometimes
generated for a CONTINUE policy.</li> generated for a CONTINUE policy.</li>
<li>When an option is given for more than one interface in <li>When an option is given for more than one interface
/etc/shorewall/interfaces then depending on the option, Shorewall in /etc/shorewall/interfaces then depending on the option,
may ignore all but the first appearence of the option. For Shorewall may ignore all but the first appearence of the option.
example:<br> For example:<br>
<br> <br>
net    eth0    dhcp<br> net    eth0    dhcp<br>
loc    eth1    dhcp<br> loc    eth1    dhcp<br>
<br> <br>
Shorewall will ignore the 'dhcp' on eth1.</li> Shorewall will ignore the 'dhcp' on eth1.</li>
<li>Update 17 June 2002 - The bug described in the prior bullet <li>Update 17 June 2002 - The bug described in the prior
affects the following options: dhcp, dropunclean, logunclean, bullet affects the following options: dhcp, dropunclean, logunclean,
norfc1918, routefilter, multi, filterping and noping. An additional norfc1918, routefilter, multi, filterping and noping. An
bug has been found that affects only the 'routestopped' option.<br> additional bug has been found that affects only the 'routestopped'
<br> option.<br>
Users who downloaded the corrected script prior to 1850 GMT <br>
today should download and install the corrected script again Users who downloaded the corrected script prior to 1850
to ensure that this second problem is corrected.</li> GMT today should download and install the corrected script
again to ensure that this second problem is corrected.</li>
</ul> </ul>
<p align="left">These problems are corrected in <a <p align="left">These problems are corrected in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.1/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.1/firewall">
this firewall script</a> which should be installed in /etc/shorewall/firewall this firewall script</a> which should be installed in /etc/shorewall/firewall
as described above.</p> as described above.</p>
<h3 align="left">Version 1.3.0</h3> <h3 align="left">Version 1.3.0</h3>
<ul> <ul>
<li>Folks who downloaded 1.3.0 from the links on the download <li>Folks who downloaded 1.3.0 from the links on the download
page before 23:40 GMT, 29 May 2002 may have downloaded 1.2.13 page before 23:40 GMT, 29 May 2002 may have downloaded 1.2.13
rather than 1.3.0. The "shorewall version" command will tell rather than 1.3.0. The "shorewall version" command will tell
you which version that you have installed.</li> you which version that you have installed.</li>
<li>The documentation NAT.htm file uses non-existent <li>The documentation NAT.htm file uses non-existent
wallpaper and bullet graphic files. The <a wallpaper and bullet graphic files. The <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.0/NAT.htm"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.0/NAT.htm">
corrected version is here</a>.</li> corrected version is here</a>.</li>
@ -331,68 +377,69 @@ example:<br>
<hr> <hr>
<h3 align="left"><a name="iptables"></a><font color="#660066"> Problem with <h3 align="left"><a name="iptables"></a><font color="#660066"> Problem with
iptables version 1.2.3</font></h3> iptables version 1.2.3</font></h3>
<blockquote> <blockquote>
<p align="left">There are a couple of serious bugs in iptables 1.2.3 that <p align="left">There are a couple of serious bugs in iptables 1.2.3 that
prevent it from working with Shorewall. Regrettably, RedHat released prevent it from working with Shorewall. Regrettably, RedHat released
this buggy iptables in RedHat 7.2. </p> this buggy iptables in RedHat 7.2. </p>
<p align="left"> I have built a <a <p align="left"> I have built a <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm"> href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
corrected 1.2.3 rpm which you can download here</a>  and I have also built corrected 1.2.3 rpm which you can download here</a>  and I have also built
an <a an <a
href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm"> href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
iptables-1.2.4 rpm which you can download here</a>. If you are currently iptables-1.2.4 rpm which you can download here</a>. If you are currently
running RedHat 7.1, you can install either of these RPMs <b><u>before</u> running RedHat 7.1, you can install either of these RPMs <b><u>before</u>
</b>you upgrade to RedHat 7.2.</p> </b>you upgrade to RedHat 7.2.</p>
<p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat <p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat
has released an iptables-1.2.4 RPM of their own which you can download has released an iptables-1.2.4 RPM of their own which you can download
from<font color="#ff6633"> <a from<font color="#ff6633"> <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>. href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
</font>I have installed this RPM on my firewall and it works fine.</p> </font>I have installed this RPM on my firewall and it works fine.</p>
<p align="left">If you would like to patch iptables 1.2.3 yourself, <p align="left">If you would like to patch iptables 1.2.3 yourself,
the patches are available for download. This <a the patches are available for download. This <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a> href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
which corrects a problem with parsing of the --log-level specification which corrects a problem with parsing of the --log-level specification
while this <a while this <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a> href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
corrects a problem in handling the  TOS target.</p> corrects a problem in handling the  TOS target.</p>
<p align="left">To install one of the above patches:</p> <p align="left">To install one of the above patches:</p>
<ul> <ul>
<li>cd iptables-1.2.3/extensions</li> <li>cd iptables-1.2.3/extensions</li>
<li>patch -p0 &lt; <i>the-patch-file</i></li> <li>patch -p0 &lt; <i>the-patch-file</i></li>
</ul> </ul>
</blockquote> </blockquote>
<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18 <h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18
and RedHat iptables</h3> and RedHat iptables</h3>
<blockquote> <blockquote>
<p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19 <p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19
may experience the following:</p> may experience the following:</p>
<blockquote> <blockquote>
<pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre> <pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre>
</blockquote> </blockquote>
<p>The RedHat iptables RPM is compiled with debugging enabled but the <p>The RedHat iptables RPM is compiled with debugging enabled but the
user-space debugging code was not updated to reflect recent changes in user-space debugging code was not updated to reflect recent changes in
the Netfilter 'mangle' table. You can correct the problem by installing the Netfilter 'mangle' table. You can correct the problem by installing
<a <a
href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm"> href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
this iptables RPM</a>. If you are already running a 1.2.5 version of this iptables RPM</a>. If you are already running a 1.2.5 version of
iptables, you will need to specify the --oldpackage option to rpm (e.g., iptables, you will need to specify the --oldpackage option to rpm (e.g.,
"iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p> "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
</blockquote> </blockquote>
<h3><a name="SuSE"></a>Problems installing/upgrading <h3><a name="SuSE"></a>Problems installing/upgrading
RPM on SuSE</h3> RPM on SuSE</h3>
<p>If you find that rpm complains about a conflict <p>If you find that rpm complains about a conflict
with kernel &lt;= 2.2 yet you have a 2.4 kernel with kernel &lt;= 2.2 yet you have a 2.4 kernel
@ -413,23 +460,42 @@ from<font color="#ff6633"> <a
Shorewall 1.3.7a or later or:</p> Shorewall 1.3.7a or later or:</p>
<ul> <ul>
<li>set MULTIPORT=No in <li>set MULTIPORT=No in
/etc/shorewall/shorewall.conf; or </li> /etc/shorewall/shorewall.conf; or </li>
<li>if you are running Shorewall 1.3.6 <li>if you are running Shorewall 1.3.6
you may install you may install
<a <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
this firewall script</a> in /var/lib/shorewall/firewall this firewall script</a> in /var/lib/shorewall/firewall
as described above.</li> as described above.</li>
</ul> </ul>
<p><font size="2"> Last updated 9/28/2002 - <h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br>
</h3>
/etc/shorewall/nat entries of the following form will result in Shorewall
being unable to start:<br>
<br>
<pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22    eth0    192.168.9.22   yes     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
Error message is:<br>
<pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
The solution is to put "no" in the LOCAL column. Kernel support for LOCAL=yes
has never worked properly and 2.4.18-10 has disabled it. The 2.4.19 kernel
contains corrected support under a new kernel configuraiton option; see
<a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
<p><font size="2"> Last updated 10/9/2002 -
<a href="support.htm">Tom Eastep</a></font> </p> <a href="support.htm">Tom Eastep</a></font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br>
<br> <br>
<br>
<br> <br>
<br> <br>
</body> </body>

BIN
Shorewall-docs/images/DMZ.jpg
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 44 KiB

BIN
Shorewall-docs/images/DMZ2.jpg
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 50 KiB

BIN
Shorewall-docs/images/DMZ3.jpg
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 45 KiB

BIN
Shorewall-docs/images/Thumbs.db
View File

Binary file not shown.

BIN
Shorewall-docs/images/basics.jpg
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 31 KiB

BIN
Shorewall-docs/images/basics1.jpg
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 33 KiB

BIN
Shorewall-docs/images/network.jpg
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 72 KiB

BIN
Shorewall-docs/images/proxyarp.jpg
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 16 KiB

BIN
Shorewall-docs/images/proxyarp.png
View File

Binary file not shown.

BIN
Shorewall-docs/images/proxyarp.vsd
View File

Binary file not shown.

BIN
Shorewall-docs/images/staticnat.jpg
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 14 KiB

80
Shorewall-docs/mailing_list_problems.htm
View File

@ -1,59 +1,53 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> <meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta http-equiv="Content-Type"
<title>Mailing List Problems</title> content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Mailing List Problems</title>
</head> </head>
<body>
<body> <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Mailing List Problems</font></h1>
</td>
</tr>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90"> </tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Mailing List Problems</font></h1>
</td>
</tr>
</table> </table>
<h2 align="left">Shorewall.net is currently experiencing mail delivery problems <h2 align="left">Shorewall.net is currently experiencing mail delivery problems
to at least one address in each of the following domains:</h2> to at least one address in each of the following domains:</h2>
<blockquote> <blockquote>
<div align="left"> <div align="left">
<pre>2020ca - delivery to this domain has been disabled (cause unknown) <pre>2020ca - delivery to this domain has been disabled (cause unknown)<br>arundel.homelinux.org - delivery to this domain has been disabled (connection timed out, connection refused)<br>asurfer.com - (Mailbox full)<br>cuscominc.com - delivery to this domain has been disable (bouncing mail from all sources with "Mail rejected because the server you are sending to is misconfigured").<br>excite.com - delivery to this domain has been disabled (cause unknown)<br>epacificglobal.com - delivery to this domain has been disabled (no MX record for domain)<br>freefish.dyndns.org - delivery to this domain has been disabled (Name Server Problem -- Host not found)<br>gmx.net - delivery to this domain has been disabled (cause unknown)<br>hotmail.com - delivery to this domain has been disabled (Mailbox over quota)<br>intercom.net - delivery to this domain has been disabled (cause unknown)<br>ionsphere.org - (connection timed out)<br>initialcs.com - delivery to this domain has been disabled (cause unknown)<br>intelligents.2y.net - delivery to this domain has been disabled (Name Service Problem -- Host not Found).<br>khp-inc.com - delivery to this domain has been disabled (anti-virus problems)<br>kieninger.de - delivery to this domain has been disabled (relaying to &lt;xxxxx@kieninger.de&gt; prohibited by administrator)<br>littleblue.de - (connection timed out)<br>navair.navy.mil - delivery to this domain has been disabled (A restriction in the system prevented delivery of the message)<br>opermail.net - delivery to this domain has been disabled (cause unknown)<br>opus.homeip.net - (SpamAssassin is missing the HiRes Time module)<br>penquindevelopment.com - delivery to this domain has been disabled (connection timed out)<br>scip-online.de - delivery to this domain has been disabled (cause unknown)<br>spctnet.com - connection timed out - delivery to this domain has been disabled<br>telusplanet.net - delivery to this domain has been disabled (cause unknown)<br>yahoo.com - delivery to this domain has been disabled (Mailbox over quota)</pre>
excite.com - delivery to this domain has been disabled (cause unknown) </div>
epacificglobal.com - delivery to this domain has been disabled (no MX record for domain) </blockquote>
familie-fleischhacker.de - (connection timed out)
gmx.net - delivery to this domain has been disabled (cause unknown)
hotmail.com - delivery to this domain has been disabled (Mailbox over quota)
intercom.net - delivery to this domain has been disabled (cause unknown)
initialcs.com - delivery to this domain has been disabled (cause unknown)
intelligents.2y.net - delivery to this domain has been disabled (Name Service Problem -- Host not Found).
khp-inc.com - delivery to this domain has been disabled (anti-virus problems)
kieninger.de - delivery to this domain has been disabled (relaying to &lt;xxxxx@kieninger.de&gt; prohibited by administrator)
littleblue.de - (connection timed out)
opermail.net - delivery to this domain has been disabled (cause unknown)
penquindevelopment.com - delivery to this domain has been disabled (connection timed out)
scip-online.de - delivery to this domain has been disabled (cause unknown)
spctnet.com - connection timed out - delivery to this domain has been disabled
telusplanet.net - delivery to this domain has been disabled (cause unknown)
yahoo.com - delivery to this domain has been disabled (Mailbox over quota)</pre>
</div>
</blockquote>
<p align="left"><font size="2">Last updated 8/23/2002 17:16 GMT - <p align="left"><font size="2">Last updated 11/3/2002 16:00 GMT - <a
<a href="support.htm">Tom href="support.htm">Tom Eastep</a></font></p>
Eastep</a></font></p>
<p align="left"><a href="copyright.htm"> <p align="left"><a href="copyright.htm"> <font face="Trebuchet MS"> <font
<font face="Trebuchet MS"> size="2">Copyright</font> © <font size="2">2002 Thomas M. Eastep.</font></font></a></p>
<font size="2">Copyright</font> © <font size="2">2002 Thomas M. Eastep.</font></font></a></p>
<p align="left">&nbsp;</p>
<p align="left"> </p>
<br>
<br>
<br>
<br>
<br>
<br>
</body> </body>
</html> </html>

105
Shorewall-docs/myfiles.htm
View File

@ -17,12 +17,12 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">About My Network</font></h1> <h1 align="center"><font color="#ffffff">About My Network</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
@ -33,69 +33,70 @@
<blockquote> <blockquote>
<p> I have DSL service and have 5 static IP addresses (206.124.146.176-180). <p> I have DSL service and have 5 static IP addresses (206.124.146.176-180).
My DSL "modem" (<a href="http://www.fujitsu.com">Fujitsu</a> Speedport) My DSL "modem" (<a href="http://www.fujitsu.com">Fujitsu</a> Speedport)
is connected to eth0. I have a local network connected to eth2 (subnet 192.168.1.0/24) is connected to eth0. I have a local network connected to eth2 (subnet
and a DMZ connected to eth1 (192.168.2.0/24). </p> 192.168.1.0/24) and a DMZ connected to eth1 (192.168.2.0/24). </p>
<p> I use:<br> <p> I use:<br>
</p> </p>
<ul> <ul>
<li>Static NAT for ursa (my XP System) - Internal address 192.168.1.5 <li>Static NAT for ursa (my XP System) - Internal address 192.168.1.5
and external address 206.124.146.178.</li> and external address 206.124.146.178.</li>
<li>Proxy ARP for wookie (my Linux System). This system has two IP addresses: <li>Proxy ARP for wookie (my Linux System). This system has two IP
192.168.1.3/24 and 206.124.146.179/24.</li> addresses: 192.168.1.3/24 and 206.124.146.179/24.</li>
<li>SNAT through the primary gateway address (206.124.146.176) for  <li>SNAT through the primary gateway address (206.124.146.176) for 
my Wife's system (tarry) and the Wireless Access Point (wap)</li> my Wife's system (tarry) and the Wireless Access Point (wap)</li>
</ul> </ul>
<p> The firewall runs on a 128MB PII/233 with RH7.2 and Kernel 2.4.20-pre6.</p> <p> The firewall runs on a 128MB PII/233 with RH7.2 and Kernel 2.4.20-pre6.</p>
<p> Wookie runs Samba and acts as the a WINS server.  Wookie is in its <p> Wookie runs Samba and acts as the a WINS server.  Wookie is in its
own 'whitelist' zone called 'me'.</p> own 'whitelist' zone called 'me'.</p>
<p> My laptop (eastept1) is connected to eth3 using a cross-over cable. <p> My laptop (eastept1) is connected to eth3 using a cross-over cable.
It runs its own <a href="http://www.sygate.com"> Sygate</a> firewall software It runs its own <a href="http://www.sygate.com"> Sygate</a> firewall software
and is managed by Proxy ARP. It connects to the local network through the and is managed by Proxy ARP. It connects to the local network through
PopTop server running on my firewall. </p> the PopTop server running on my firewall. </p>
<p> The single system in the DMZ (address 206.124.146.177) runs postfix, <p> The single system in the DMZ (address 206.124.146.177) runs postfix,
Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP server Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP server
(Pure-ftpd). The system also runs fetchmail to fetch our email from our (Pure-ftpd). The system also runs fetchmail to fetch our email from our
old and current ISPs. That server is managed through Proxy ARP.</p> old and current ISPs. That server is managed through Proxy ARP.</p>
<p> The firewall system itself runs a DHCP server that serves the local <p> The firewall system itself runs a DHCP server that serves the local
network.</p> network.</p>
<p> All administration and publishing is done using ssh/scp.</p> <p> All administration and publishing is done using ssh/scp.</p>
<p> I run an SNMP server on my firewall to serve <a <p> I run an SNMP server on my firewall to serve <a
href="http://www.ee.ethz.ch/%7Eoetiker/webtools/mrtg/"> MRTG</a> running href="http://www.ee.ethz.ch/%7Eoetiker/webtools/mrtg/"> MRTG</a> running
in the DMZ.</p> in the DMZ.</p>
<p align="center"> <img border="0" <p align="center"> <img border="0"
src="images/network.png" width="764" height="846"> src="images/network.png" width="764" height="846">
</p> </p>
<p> </p> <p> </p>
<p>The ethernet interface in the Server is configured <p>The ethernet interface in the Server is configured
with IP address 206.124.146.177, netmask with IP address 206.124.146.177, netmask
255.255.255.0. The server's default gateway is 255.255.255.0. The server's default gateway is
206.124.146.254 (Router at my ISP. This is the same 206.124.146.254 (Router at my ISP. This is the same
default gateway used by the firewall itself). On the firewall, default gateway used by the firewall itself). On the firewall,
Shorewall automatically adds a host route to Shorewall automatically adds a host route to
206.124.146.177 through eth1 (192.168.2.1) because 206.124.146.177 through eth1 (192.168.2.1) because
of the entry in /etc/shorewall/proxyarp (see below).</p> of the entry in /etc/shorewall/proxyarp (see
below).</p>
<p>A similar setup is used on eth3 (192.168.3.1) which <p>A similar setup is used on eth3 (192.168.3.1) which
interfaces to my laptop (206.124.146.180).</p> interfaces to my laptop (206.124.146.180).</p>
<p><font color="#ff0000" size="5"> Note: My files <p><font color="#ff0000" size="5"> Note: My files
use features not available before Shorewall version use features not available before Shorewall
1.3.4.</font></p> version 1.3.4.</font></p>
</blockquote> </blockquote>
<h3>Shorewall.conf</h3> <h3>Shorewall.conf</h3>
@ -108,11 +109,11 @@ of the entry in /etc/shorewall/proxyarp (see below).</
<h3>Interfaces File: </h3> <h3>Interfaces File: </h3>
<blockquote> <blockquote>
<p> This is set up so that I can start the firewall before bringing up my <p> This is set up so that I can start the firewall before bringing up
Ethernet interfaces. </p> my Ethernet interfaces. </p>
</blockquote> </blockquote>
<pre><font face="Courier" size="2"> #ZONE INTERFACE BROADCAST OPTIONS<br> net eth0 206.124.146.255 routefilter,norfc1918,blacklist,filterping<br> loc eth2 192.168.1.255 dhcp<br> dmz eth1 206.124.146.255 -<br> net eth3 206.124.146.255 norfc1918<br> - texas -<br> loc ppp+<br> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre> <pre><font face="Courier" size="2"> #ZONE INTERFACE BROADCAST OPTIONS<br> net eth0 206.124.146.255 routefilter,norfc1918,blacklist,filterping<br> loc eth2 192.168.1.255 dhcp,filterping,maclist<br> dmz eth1 206.124.146.255 filterping<br> net eth3 206.124.146.255 filterping,blacklist<br> - texas - filterping<br> loc ppp+ - filterping<br> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
<h3>Hosts File: </h3> <h3>Hosts File: </h3>
@ -140,10 +141,11 @@ Ethernet interfaces. </p>
<blockquote> <blockquote>
<p> Although most of our internal systems use static NAT, my wife's system <p> Although most of our internal systems use static NAT, my wife's system
(192.168.1.4) uses IP Masquerading (actually SNAT) as do visitors with laptops.</p> (192.168.1.4) uses IP Masquerading (actually SNAT) as do visitors with
</blockquote> laptops. Also, I masquerade wookie to the peer subnet in Texas.</p>
</blockquote>
<pre><font size="2" face="Courier"> #INTERFACE SUBNET ADDRESS<br> eth0 192.168.1.0/24 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</font></pre> <pre><font size="2" face="Courier"> #INTERFACE SUBNET ADDRESS<br> eth0 192.168.1.0/24 206.124.146.176<br> texas 206.124.146.179 192.168.1.254<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</font></pre>
<h3>NAT File: </h3> <h3>NAT File: </h3>
@ -151,18 +153,23 @@ Ethernet interfaces. </p>
<h3>Proxy ARP File:</h3> <h3>Proxy ARP File:</h3>
<pre><font face="Courier" size="2"> #ADDRESS INTERFACE EXTERNAL HAVEROUTE<br> 206.124.146.177 eth1 eth0 No<br> 206.124.146.180 eth3 eth0 No<br> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre> <pre><font face="Courier" size="2"> #ADDRESS INTERFACE EXTERNAL HAVEROU</font><font
face="Courier" size="2">TE<br> 206.124.146.177 eth1 eth0 No<br> 206.124.146.180 eth3 eth0 No<br></font><font
face="Courier" size="2"> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
<h3>Rules File (The shell variables <h3>Rules File (The shell variables
are set in /etc/shorewall/params):</h3> are set in /etc/shorewall/params):</h3>
<pre><font face="Courier" size="2"> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL<br> # PORT(S) PORT(S) PORT(S) DEST<br> #<br> # Local Network to Internet - Reject attempts by Trojans to call home<br> #<br> REJECT:info loc net tcp 6667<br> #<br> # Local Network to Firewall <br> #<br> ACCEPT loc fw tcp ssh<br> ACCEPT loc fw tcp time<br> #<br> # Local Network to DMZ <br> #<br> ACCEPT loc dmz udp domain<br> ACCEPT loc dmz tcp smtp<br> ACCEPT loc dmz tcp domain<br> ACCEPT loc dmz tcp ssh<br> ACCEPT loc dmz tcp auth<br> ACCEPT loc dmz tcp imap<br> ACCEPT loc dmz tcp https<br> ACCEPT loc dmz tcp imaps<br> ACCEPT loc dmz tcp cvspserver<br> ACCEPT loc dmz tcp www<br> ACCEPT loc dmz tcp ftp<br> ACCEPT loc dmz tcp pop3<br> ACCEPT loc dmz icmp echo-request<br> #<br> # Internet to DMZ <br> #<br> ACCEPT net dmz tcp www<br> ACCEPT net dmz tcp smtp<br> ACCEPT net dmz tcp ftp<br> ACCEPT net dmz tcp auth<br> ACCEPT net dmz tcp https<br> ACCEPT net dmz tcp imaps<br> ACCEPT net dmz tcp domain<br> ACCEPT net dmz tcp cvspserver<br> ACCEPT net dmz udp domain<br> ACCEPT net dmz icmp echo-request<br> ACCEPT net:$MIRRORS dmz tcp rsync<br> #<br> # Net to Me (ICQ chat and file transfers) <br> #<br> ACCEPT net me tcp 4000:4100<br> #<br> # Net to Local <br> #<br> ACCEPT net loc tcp auth<br> REJECT net loc tcp www<br> #<br> # DMZ to Internet<br> #<br> ACCEPT dmz net icmp echo-request<br> ACCEPT dmz net tcp smtp<br> ACCEPT dmz net tcp auth<br> ACCEPT dmz net tcp domain<br> ACCEPT dmz net tcp www<br> ACCEPT dmz net tcp https<br> ACCEPT dmz net tcp whois<br> ACCEPT dmz net tcp echo<br> ACCEPT dmz net udp domain<br> ACCEPT dmz net:$NTPSERVERS udp ntp<br> ACCEPT dmz net:$POPSERVERS tcp pop3<br> #<br> # The following compensates for a bug, either in some FTP clients or in the<br> # Netfilter connection tracking code that occasionally denies active mode<br> # FTP clients<br> #<br> ACCEPT:info dmz net tcp 1024: 20<br> #<br> # DMZ to Firewall -- snmp<br> #<br> ACCEPT dmz fw tcp snmp<br> ACCEPT dmz fw udp snmp<br> #<br> # DMZ to Local Network <br> #<br> ACCEPT dmz loc tcp smtp<br> ACCEPT dmz loc tcp auth<br> ACCEPT dmz loc icmp echo-request<br> # Internet to Firewall<br> #<br> ACCEPT net fw tcp 1723<br> ACCEPT net fw gre<br> REJECT net fw tcp www<br> #<br> # Firewall to Internet<br> #<br> ACCEPT fw net:$NTPSERVERS udp ntp<br> ACCEPT fw net udp domain<br> ACCEPT fw net tcp domain<br> ACCEPT fw net tcp www<br> ACCEPT fw net tcp https<br> ACCEPT fw net tcp ssh<br> ACCEPT fw net tcp whois<br> ACCEPT fw net icmp echo-request<br> #<br> # Firewall to DMZ<br> #<br> ACCEPT fw dmz tcp www<br> ACCEPT fw dmz tcp ftp<br> ACCEPT fw dmz tcp ssh<br> ACCEPT fw dmz tcp smtp<br> ACCEPT fw dmz udp domain<br> #<br> # Let Texas Ping<br> #<br> ACCEPT tx fw icmp echo-request<br> ACCEPT tx loc icmp echo-request<br><br> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre> <pre><font face="Courier" size="2"> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL<br> # PORT(S) PORT(S) PORT(S) DEST<br> #<br> # Local Network to Internet - Reject attempts by Trojans to call home<br> #<br> REJECT:info loc net tcp 6667<br> #<br> # Local Network to Firewall <br> #<br> ACCEPT loc fw tcp ssh<br> ACCEPT loc fw tcp time<br> #<br> # Local Network to DMZ <br> #<br> ACCEPT loc dmz udp domain<br> ACCEPT loc dmz tcp smtp<br> ACCEPT loc dmz tcp domain<br> ACCEPT loc dmz tcp ssh<br> ACCEPT loc dmz tcp auth<br> ACCEPT loc dmz tcp imap<br> ACCEPT loc dmz tcp https<br> ACCEPT loc dmz tcp imaps<br> ACCEPT loc dmz tcp cvspserver<br> ACCEPT loc dmz tcp www<br> ACCEPT loc dmz tcp ftp<br> ACCEPT loc dmz tcp pop3<br> ACCEPT loc dmz icmp echo-request<br> #<br> # Internet to DMZ <br> #<br> ACCEPT net dmz tcp www<br> ACCEPT net dmz tcp smtp<br> ACCEPT net dmz tcp ftp<br> ACCEPT net dmz tcp auth<br> ACCEPT net dmz tcp https<br> ACCEPT net dmz tcp imaps<br> ACCEPT net dmz tcp domain<br> ACCEPT net dmz tcp cvspserver<br> ACCEPT net dmz udp domain<br> ACCEPT net dmz icmp echo-request<br> ACCEPT net:$MIRRORS dmz tcp rsync<br> #<br> # Net to Me (ICQ chat and file transfers) <br> #<br> ACCEPT net me tcp 4000:4100<br> #<br> # Net to Local <br> #<br> ACCEPT net loc tcp auth<br> REJECT net loc tcp www<br> #<br> # DMZ to Internet<br> #<br> ACCEPT dmz net icmp echo-request<br> ACCEPT dmz net tcp smtp<br> ACCEPT dmz net tcp auth<br> ACCEPT dmz net tcp domain<br> ACCEPT dmz net tcp www<br> ACCEPT dmz net tcp https<br> ACCEPT dmz net tcp whois<br> ACCEPT dmz net tcp echo<br> ACCEPT dmz net udp domain<br> ACCEPT dmz net:$NTPSERVERS udp ntp<br> ACCEPT dmz net:$POPSERVERS tcp pop3<br> #<br> # The following compensates for a bug, either in some FTP clients or in the<br> # Netfilter connection tracking code that occasionally denies active mode<br> # FTP clients<br> #<br> ACCEPT:info dmz net tcp 1024: 20<br> #<br> # DMZ to Firewall -- snmp<br> #<br> ACCEPT dmz fw tcp snmp<br> ACCEPT dmz fw udp snmp<br> #<br> # DMZ to Local Network <br> #<br> ACCEPT dmz loc tcp smtp<br> ACCEPT dmz loc tcp auth<br> ACCEPT dmz loc icmp echo-request<br> # Internet to Firewall<br> #<br> ACCEPT net fw tcp 1723<br> ACCEPT net fw gre<br> REJECT net fw tcp www<br> #<br> # Firewall to Internet<br> #<br> ACCEPT fw net:$NTPSERVERS udp ntp<br> ACCEPT fw net udp domain<br> ACCEPT fw net tcp domain<br> ACCEPT fw net tcp www<br> ACCEPT fw net tcp https<br> ACCEPT fw net tcp ssh<br> ACCEPT fw net tcp whois<br> ACCEPT fw net icmp echo-request<br> #<br> # Firewall to DMZ<br> #<br> ACCEPT fw dmz tcp www<br> ACCEPT fw dmz tcp ftp<br> ACCEPT fw dmz tcp ssh<br> ACCEPT fw dmz tcp smtp<br> ACCEPT fw dmz udp domain<br> #<br> # Let Texas Ping<br> #<br> ACCEPT tx fw icmp echo-request<br> ACCEPT tx loc icmp echo-request<br><br> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
<p><font size="2"> Last updated 9/19/2002 - </font><font size="2"> <p><font size="2"> Last updated 10/14/2002 - </font><font size="2">
<a href="support.htm">Tom Eastep</a></font> <a href="support.htm">Tom Eastep</a></font>
</p> </p>
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
<br>
<br>
<br>
<br> <br>
</body> </body>
</html> </html>

222
Shorewall-docs/ports.htm
View File

@ -1,122 +1,192 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Shorewall Port Information</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body> <meta http-equiv="Content-Type"
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90"> content="text/html; charset=windows-1252">
<tr> <title>Shorewall Port Information</title>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Ports required for Various Services/Applications</font></h1> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
</td>
</tr> <meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Ports required for Various
Services/Applications</font></h1>
</td>
</tr>
</tbody>
</table> </table>
<p>In addition to those applications described in <a href="Documentation.htm">the <p>In addition to those applications described in <a
/etc/shorewall/rules documentation</a>, here are some other href="Documentation.htm">the /etc/shorewall/rules documentation</a>, here
services/applications that you may need to configure your firewall to accommodate.</p> are some other services/applications that you may need to configure your firewall
to accommodate.</p>
<p>NTP (Network Time Protocol)</p> <p>NTP (Network Time Protocol)</p>
<blockquote> <blockquote>
<p>UDP Port 123</p> <p>UDP Port 123</p>
</blockquote> </blockquote>
<p>rdate</p>
<p>rdate</p>
<blockquote> <blockquote>
<p>TCP Port 37</p> <p>TCP Port 37</p>
</blockquote> </blockquote>
<p>UseNet (NNTP)</p>
<p>UseNet (NNTP)</p>
<blockquote> <blockquote>
<p>TCP Port 119</p> <p>TCP Port 119</p>
</blockquote> </blockquote>
<p>DNS</p> <p>DNS</p>
<blockquote> <blockquote>
<p>UDP Port 53. If you are configuring a DNS client, you will probably want to <p>UDP Port 53. If you are configuring a DNS client, you will probably want
open TCP Port 53 as well.<br> to open TCP Port 53 as well.<br>
If you are configuring a server, only open TCP Port 53 if you will return long If you are configuring a server, only open TCP Port 53 if you will return
replies to queries or if you need to enable ZONE transfers.&nbsp;In the latter long replies to queries or if you need to enable ZONE transfers. In the
case, be sure that your server is properly configured.</p> latter case, be sure that your server is properly configured.</p>
</blockquote> </blockquote>
<p>ICQ&nbsp;&nbsp;&nbsp;</p>
<p>ICQ   </p>
<blockquote> <blockquote>
<p>UDP Port 4000. You will also need to open a range of TCP ports which you <p>UDP Port 4000. You will also need to open a range of TCP ports which
can specify to your ICQ client. By default, clients use 4000-4100.</p> you can specify to your ICQ client. By default, clients use 4000-4100.</p>
</blockquote> </blockquote>
<p>PPTP</p> <p>PPTP</p>
<blockquote> <blockquote>
<p><u>Protocol</u> 47 (NOT <u>port</u> 47) and TCP Port 1723 (<a href="PPTP.htm">Lots more <p><u>Protocol</u> 47 (NOT <u>port</u> 47) and TCP Port 1723 (<a
information here</a>).</p> href="PPTP.htm">Lots more information here</a>).</p>
</blockquote> </blockquote>
<p>IPSEC</p> <p>IPSEC</p>
<blockquote> <blockquote>
<p><u>Protocols</u> 50 and 51 (NOT <u>ports</u> 50 and 51) and UDP Port 500. <p><u>Protocols</u> 50 and 51 (NOT <u>ports</u> 50 and 51) and UDP Port
These should be opened in both directions.</p> 500. These should be opened in both directions.</p>
</blockquote> </blockquote>
<p>SMTP</p> <p>SMTP</p>
<blockquote> <blockquote>
<p>&nbsp;TCP Port 25.</p> <p> TCP Port 25.</p>
</blockquote> </blockquote>
<p>POP3</p> <p>POP3</p>
<blockquote> <blockquote>
<p>TCP Port 110.</p> <p>TCP Port 110.</p>
</blockquote> </blockquote>
<p>TELNET</p> <p>TELNET</p>
<blockquote> <blockquote>
<p>TCP Port 23.</p> <p>TCP Port 23.</p>
</blockquote> </blockquote>
<p>SSH</p> <p>SSH</p>
<blockquote> <blockquote>
<p>TCP Port 22.</p> <p>TCP Port 22.</p>
</blockquote> </blockquote>
<p>Auth (identd)</p> <p>Auth (identd)</p>
<blockquote> <blockquote>
<p>TCP Port 113</p> <p>TCP Port 113</p>
</blockquote> </blockquote>
<p>Web Access</p>
<p>Web Access</p>
<blockquote> <blockquote>
<p>TCP Ports 80 and 443.</p> <p>TCP Ports 80 and 443.</p>
</blockquote> </blockquote>
<p>FTP</p>
<blockquote> <p>FTP</p>
<p>Server configuration is covered on in <a href="Documentation.htm#Rules">the
/etc/shorewall/rules documentation</a>,</p> <blockquote>
<p>For a client, you must open outbound TCP port 21 and be sure that your <p>Server configuration is covered on in <a
kernel is compiled to support FTP connection tracking. If you build this href="Documentation.htm#Rules">the /etc/shorewall/rules documentation</a>,</p>
support as a module, Shorewall will automatically load the module from
/var/lib/&lt;<i>kernel version</i>&gt;/kernel/net/ipv4/netfilter.&nbsp;</p> <p>For a client, you must open outbound TCP port 21 and be sure that your
</blockquote> kernel is compiled to support FTP connection tracking. If you build this
support as a module, Shorewall will automatically load the module from
/var/lib/&lt;<i>kernel version</i>&gt;/kernel/net/ipv4/netfilter. <br>
</p>
<p>If you run an FTP server on a nonstandard port or you need to access
such a server, then you must specify that port in /etc/shorewall/modules.
For example, if you run an FTP server that listens on port 49 then you would
have:<br>
</p>
<blockquote>
<p>loadmodule ip_conntrack_ftp ports=21,49<br>
loadmodule ip_nat_ftp ports=21,49<br>
</p>
</blockquote>
<p>Note that you MUST include port 21 in the <i>ports</i> list or you may
have problems accessing regular FTP servers.</p>
<p>If there is a possibility that these modules might be loaded before Shorewall
starts, then you should include the port list in /etc/modules.conf:<br>
</p>
<blockquote>
<p>options ip_conntrack_ftp ports=21,49<br>
options ip_nat_ftp ports=21,49<br>
</p>
</blockquote>
</blockquote>
<p>SMB/NMB (Samba/Windows Browsing/File Sharing)</p>
<blockquote> </blockquote>
<p>SMB/NMB (Samba/Windows Browsing/File Sharing)</p>
<blockquote> <blockquote>
<p>TCP Ports 137, 139 and 445.<br> <p>TCP Ports 137, 139 and 445.<br>
UDP Ports 137-139.<br> UDP Ports 137-139.<br>
<br> <br>
Also, <a href="samba.htm">see this page</a>.</p> Also, <a href="samba.htm">see this page</a>.</p>
</blockquote> </blockquote>
<p>Traceroute</p>
<p>Traceroute</p>
<blockquote> <blockquote>
<p>UDP ports 33434 through 33434+<i>&lt;max number of hops&gt;</i>-1</p> <p>UDP ports 33434 through 33434+<i>&lt;max number of hops&gt;</i>-1</p>
</blockquote> </blockquote>
<p>NFS</p>
<p>NFS</p>
<blockquote> <blockquote>
<p>There's some good information at&nbsp; <p>There's some good information at  <a
<a href="http://nfs.sourceforge.net/nfs-howto/security.html"> href="http://nfs.sourceforge.net/nfs-howto/security.html"> http://nfs.sourceforge.net/nfs-howto/security.html</a></p>
http://nfs.sourceforge.net/nfs-howto/security.html</a></p> </blockquote>
</blockquote>
<p>Didn't find what you are looking for -- have you looked in your own
/etc/services file? </p>
<p>Still looking? Try <p>Didn't find what you are looking for -- have you looked in your own /etc/services
<a href="http://www.networkice.com/advice/Exploits/Ports"> file? </p>
http://www.networkice.com/advice/Exploits/Ports</a></p>
<p><font size="2">Last updated 8/21/2002 - </font><font size="2"> <p>Still looking? Try <a
<a href="support.htm">Tom href="http://www.networkice.com/advice/Exploits/Ports"> http://www.networkice.com/advice/Exploits/Ports</a></p>
Eastep</a></font> </p>
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font size="2">Last updated 10/22/2002 - </font><font size="2"> <a
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></body></html> href="support.htm">Tom Eastep</a></font> </p>
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
<br>
</body>
</html>

59
Shorewall-docs/quotes.htm
View File

@ -17,29 +17,31 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Quotes from Shorewall Users</font></h1> <h1 align="center"><font color="#ffffff">Quotes from Shorewall Users</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p>"I just installed Shorewall after weeks of messing with ipchains/iptables <p>"I just installed Shorewall after weeks of messing with ipchains/iptables
and I had it up and running in under 20 minutes!" -- JL, Ohio<br> and I had it up and running in under 20 minutes!" -- JL, Ohio<br>
</p> </p>
"My case was almost like [the one above]. Well. instead of 'weeks' it was "My case was almost like [the one above]. Well. instead of 'weeks' it was
'months' for me, and I think I needed two minutes more:<br> 'months' for me, and I think I needed two minutes more:<br>
<ul> <ul>
<li>One to see that I had no Internet access from the firewall itself.</li> <li>One to see that I had no Internet access from the firewall itself.</li>
<li>Other to see that this was the default configuration, and it was enough <li>Other to see that this was the default configuration, and it was enough
to uncomment a line in /etc/shorewall/policy.<br> to uncomment a line in /etc/shorewall/policy.<br>
</li> </li>
</ul> </ul>
Minutes instead of months! Congratulations and thanks for such a simple and Minutes instead of months! Congratulations and thanks for such a simple
well documented thing for something as huge as iptables." -- JV, Spain. and well documented thing for something as huge as iptables." -- JV, Spain.
<p>"I downloaded Shorewall 1.2.0 and installed it on Mandrake 8.1 without <p>"I downloaded Shorewall 1.2.0 and installed it on Mandrake 8.1 without
any problems. Your documentation is great and I really appreciate your any problems. Your documentation is great and I really appreciate your
@ -48,28 +50,28 @@ network configuration info. That really helped me out alot. THANKS!!!"
<p>"[Shorewall is a] great, great project. I've used/tested may firewall <p>"[Shorewall is a] great, great project. I've used/tested may firewall
scripts but this one is till now the best." -- B.R, Netherlands scripts but this one is till now the best." -- B.R, Netherlands
</p> </p>
<p>"Never in my +12 year career as a sys admin have I witnessed someone <p>"Never in my +12 year career as a sys admin have I witnessed someone
so relentless in developing a secure, state of the art, save and useful so relentless in developing a secure, state of the art, safe and useful
product as the Shorewall firewall package for no cost or obligation product as the Shorewall firewall package for no cost or obligation
involved." -- Mario Kericki, Toronto </p> involved." -- Mario Kerecki, Toronto </p>
<p>"one time more to report, that your great shorewall in the latest <p>"one time more to report, that your great shorewall in the latest
release 1.2.9 is working fine for me with SuSE Linux 7.3! I now release 1.2.9 is working fine for me with SuSE Linux 7.3! I now have
have 7 machines up and running with shorewall on several versions - 7 machines up and running with shorewall on several versions - starting
starting with 1.2.2 up to the new 1.2.9 and I never have encountered with 1.2.2 up to the new 1.2.9 and I never have encountered any problems!"
any problems!" -- SM, Germany</p> -- SM, Germany</p>
<p>"You have the best support of any other package I've ever used." <p>"You have the best support of any other package I've ever used."
-- SE, US </p> -- SE, US </p>
<p>"Because our company has information which has been classified by the <p>"Because our company has information which has been classified by the
national government as secret, our security doesn't stop by putting a fence national government as secret, our security doesn't stop by putting a fence
around our company. Information security is a hot issue. We also make use around our company. Information security is a hot issue. We also make use
of checkpoint firewalls, but not all of the internet servers are guarded of checkpoint firewalls, but not all of the internet servers are guarded
by checkpoint, some of them are running....Shorewall." -- Name withheld by checkpoint, some of them are running....Shorewall." -- Name withheld by
by request, Europe</p> request, Europe</p>
<p>"thanx for all your efforts you put into shorewall - this product stands <p>"thanx for all your efforts you put into shorewall - this product stands
out against a lot of commercial stuff i´ve been working with in terms of out against a lot of commercial stuff i´ve been working with in terms of
@ -82,20 +84,21 @@ out against a lot of commercial stuff i
<p>"My respects... I've just found and installed Shorewall 1.3.3-1 and it <p>"My respects... I've just found and installed Shorewall 1.3.3-1 and it
is a wonderful piece of software. I've just sent out an email to about 30 is a wonderful piece of software. I've just sent out an email to about 30
people recommending it. :-)<br> people recommending it. :-)<br>
While I had previously taken the time (maybe 40 hours) to really understand While I had previously taken the time (maybe 40 hours) to really understand
ipchains, then spent at least an hour per server customizing and carefully ipchains, then spent at least an hour per server customizing and carefully
scrutinizing firewall rules, I've got shorewall running on my home firewall, scrutinizing firewall rules, I've got shorewall running on my home firewall,
with rulesets and policies that I know make sense, in under 20 minutes." with rulesets and policies that I know make sense, in under 20 minutes."
-- RP, Guatamala<br> -- RP, Guatamala<br>
<br> <br>
 </p>  </p>
<p><font size="2" face="Century Gothic, Arial, Helvetica">Updated 9/24/2002 <p><font size="2" face="Century Gothic, Arial, Helvetica">Updated 10/9/2002
- <a href="support.htm">Tom Eastep</a> </font> - <a href="support.htm">Tom Eastep</a> </font>
</p> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br> <br>
<br>
</body> </body>
</html> </html>

444
Shorewall-docs/seattlefirewall_index.htm
View File

@ -3,11 +3,13 @@
<head> <head>
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.3</title> <title>Shoreline Firewall (Shorewall) 1.3</title>
<base target="_self">
<base target="_self">
</head> </head>
<body> <body>
@ -15,25 +17,32 @@
<table border="0" cellpadding="0" cellspacing="4" <table border="0" cellpadding="0" cellspacing="4"
style="border-collapse: collapse;" width="100%" id="AutoNumber3" style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td width="100%" height="90"> <td width="100%"
height="90">
<h1 align="center"> <font size="4"><i> <a <h1 align="center"> <font size="4"><i> <a
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4" href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4"
alt="Shorwall Logo" height="70" width="85" align="left" alt="Shorwall Logo" height="70" width="85" align="left"
src="images/washington.jpg" border="0"> src="images/washington.jpg" border="0">
</a></i></font><font color="#ffffff">Shorewall 1.3 </a></i></font><font
- <font size="4">"<i>iptables made easy"</i></font></font></h1> color="#ffffff">Shorewall 1.3 - <font size="4">"<i>iptables
made easy"</i></font></font></h1>
<div align="center"><a href="1.2" target="_top"><font <div align="center"><a href="1.2" target="_top"><font
color="#ffffff">Shorewall 1.2 Site here</font></a><br> color="#ffffff">Shorewall 1.2 Site here</font></a><br>
</div> </div>
<br> <br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
@ -44,36 +53,49 @@
<center> <center>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"> style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody> <tbody>
<tr> <tr>
<td width="90%"> <td width="90%">
<h2 align="left">What is it?</h2> <h2 align="left">What is it?</h2>
<p>The Shoreline Firewall, more commonly known as "Shorewall", is a
<a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
that can be used on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system.</p> <p>The Shoreline Firewall, more commonly known as "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
firewall that can be used on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system.</p>
<p>This program is free software; you can redistribute it and/or modify <p>This program is free software; you can redistribute it and/or modify
it under the terms of <a it under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU General href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
Public License</a> as published by the Free Software Foundation.<br> General Public License</a> as published by the Free Software Foundation.<br>
<br> <br>
This program is distributed in the hope that This program is distributed
it will be useful, but WITHOUT ANY WARRANTY; without even the in the hope that it will be useful, but WITHOUT
implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
PURPOSE. See the GNU General Public License for more details.<br> or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
<br> Public License for more details.<br>
You should have received a copy of the GNU General <br>
Public License along with this program; if not, write to the You should have received
Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA a copy of the GNU General Public License along with
02139, USA</p> this program; if not, write to the Free Software Foundation,
Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
@ -81,160 +103,233 @@ PURPOSE. See the GNU General Public License for more details.<br>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img <p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36"> border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques Nilo and Eric Wolzak have a LEAF </a>Jacques Nilo and
distribution called <i>Bering</i> that features Shorewall-1.3.3 Eric Wolzak have a LEAF (router/firewall/gateway on a floppy, CD
and Kernel-2.4.18. You can find their work at: <a or compact flash) distribution called <i>Bering</i> that
features Shorewall-1.3.9b and Kernel-2.4.18. You can find
their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p> href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
<h2>Thinking of Downloading this Site for Offline Browsing?</h2>
You might want to reconsider -- this site is <u><b>213 MB!!!</b></u>
and you will almost certainly be blacklisted before you download the whole
thing (my SDSL is only 384kbs so I'll have lots of time to catch you). Besides,
if you simply download the product and install it, you get the essential
parts of the site in a fraction of the time. And do you really want to download:<br>
<ul>
<li>Both text and HTML versions of every post ever made on three
different mailing lists (65 MB)?</li>
<li>Every .rpm, .tgz and .lrp ever released for both Shorewall
and Seawall (92MB and 10MB respectively)?</li>
<li>A 2.2.17-14 i586 RedHat Kernel RPM (6.9MB)?<br>
</li>
<li>Several ancient RPMs for courier-imap and maildrop (1.5MB).<br>
</li>
</ul>
You get all that and more if you do a blind recurive copy of this site.
Happy downloading!<br>
<h2>News</h2> <h2>News</h2>
<p><b>9/28/2002 - Shorewall 1.3.9</b></p>
<p>In this version:<br>
</p>
<h2></h2>
<p><b>11/09/2002 - Shorewall 1.3.10</b><b> </b><b><img border="0"
src="file:///home/teastep/Shorewall-docs/images/new10.gif" width="28"
height="12" alt="(New)">
</b></p>
<p>In this version:</p>
<ul> <ul>
<li><a href="configuration_file_basics.htm#dnsnames">DNS Names</a> <li>You may now <a href="IPSEC.htm#Dynamic">define the contents
are now allowed in Shorewall config files (although I recommend against of a zone dynamically</a> with the <a
using them).</li> href="starting_and_stopping_shorewall.htm">"shorewall add" and "shorewall
<li>The connection SOURCE may now be qualified by both interface delete" commands</a>. These commands are expected to be used primarily within
and IP address in a <a href="Documentation.htm#Rules">Shorewall rule</a>.</li> <a href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a> updown
<li>Shorewall startup is now disabled after initial installation scripts.</li>
until the file /etc/shorewall/startup_disabled is removed. This avoids <li>Shorewall can now do<a href="MAC_Validation.html"> MAC verification</a>
nasty surprises at reboot for users who install Shorewall but don't configure on ethernet segments. You can specify the set of allowed MAC addresses on
it.</li> the segment and you can optionally tie each MAC address to one or more IP
<li>The 'functions' and 'version' files and the 'firewall' symbolic addresses.</li>
link have been moved from /var/lib/shorewall to /usr/lib/shorewall to appease <li>PPTP Servers and Clients running on the firewall system may
the LFS police at Debian.<br> now be defined in the<a href="PPTP.htm"> /etc/shorewall/tunnels</a> file.</li>
</li> <li>A new 'ipsecnat' tunnel type is supported for use when the
<a href="IPSEC.htm">remote IPSEC endpoint is behind a NAT gateway</a>.</li>
<li>The PATH used by Shorewall may now be specified in <a
href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
<li>The main firewall script is now /usr/lib/shorewall/firewall.
The script in /etc/init.d/shorewall is very small and uses /sbin/shorewall
to do the real work. This change makes custom distributions such as for Debian
and for Gentoo easier to manage since it is /etc/init.d/shorewall that tends
to have distribution-dependent code.</li>
</ul>
If you have installed the 1.3.10 Beta 1 RPM and are now upgrading to version
1.3.10, you will need to use the '--force' option:<br>
<blockquote>
<pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm</pre>
</blockquote>
<p><b>10/24/2002 - Shorewall is now in Gentoo Linux</b><a
href="http://www.gentoo.org"><br>
</a></p>
Alexandru Hartmann reports that his Shorewall package is now a part
of <a href="http://www.gentoo.org">the Gentoo Linux distribution</a>.
Thanks Alex!<br>
<p><b>10/23/2002 - Shorewall 1.3.10 Beta 1</b><b> </b></p>
In this version:<br>
<ul>
<li>You may now <a href="IPSEC.htm#Dynamic">define the
contents of a zone dynamically</a> with the <a
href="starting_and_stopping_shorewall.htm">"shorewall add" and "shorewall
delete" commands</a>. These commands are expected to be used primarily
within <a href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a>
updown scripts.</li>
<li>Shorewall can now do<a href="MAC_Validation.html">
MAC verification</a> on ethernet segments. You can specify the set of
allowed MAC addresses on the segment and you can optionally tie each
MAC address to one or more IP addresses.</li>
<li>PPTP Servers and Clients running on the firewall system
may now be defined in the<a href="PPTP.htm"> /etc/shorewall/tunnels</a>
file.</li>
<li>A new 'ipsecnat' tunnel type is supported for use when
the <a href="IPSEC.htm">remote IPSEC endpoint is behind a NAT
gateway</a>.</li>
<li>The PATH used by Shorewall may now be specified in
<a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
<li>The main firewall script is now /usr/lib/shorewall/firewall.
The script in /etc/init.d/shorewall is very small and uses /sbin/shorewall
to do the real work. This change makes custom distributions such as
for Debian and for Gentoo easier to manage since it is /etc/init.d/shorewall
that tends to have distribution-dependent code.</li>
</ul>
You may download the Beta from:<br>
<ul>
<li><a
href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a></li>
<li><a
href="ftp://ftp.shorewall.net/pub/shorewall/Beta" target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
</li>
</ul> </ul>
<p><b>9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability
Restored</b><b> </b><b><img border="0" src="images/new10.gif"
width="28" height="12" alt="(New)">
</b><br>
</p>
<img src="images/j0233056.gif" alt="Brown Paper Bag"
width="50" height="86" align="left">
A couple of recent configuration changes at www.shorewall.net broke
the Search facility:<br>
<blockquote> <p><b>10/10/2002 -  Debian 1.3.9b Packages Available </b><b>
<ol> </b><br>
<li>Mailing List Archive Search was not available.</li> </p>
<li>The Site Search index was incomplete</li>
<li>Only one page of matches was presented.</li>
</ol>
</blockquote>
Hopefully these problems are now corrected.
<p><b>9/18/2002 - Debian 1.3.8 Packages Available </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b><br>
</p>
<p>Apt-get sources listed at <a <p>Apt-get sources listed at <a
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a></p> href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html.</a></p>
<b> </b>
<p><b>9/16/2002 - Shorewall 1.3.8 </b><b><img border="0"
<p><b>10/9/2002 - Shorewall 1.3.9b </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)"> src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p> </b></p>
This release rolls up fixes to the installer and to the
firewall script.<br>
<b><br>
10/6/2002 - Shorewall.net now running on RH8.0 </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b><br>
<br>
The firewall and server here at shorewall.net are now
running RedHat release 8.0.<br>
<p><b>9/30/2002 - Shorewall 1.3.9a</b><b>
</b></p>
Roles up the fix for broken tunnels.<br>
<p><b>9/30/2002 - TUNNELS Broken in 1.3.9!!!</b><b>
</b></p>
<img src="images/j0233056.gif"
alt="Brown Paper Bag" width="50" height="86" align="left">
There is an updated firewall script at <a
href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
-- copy that file to /usr/lib/shorewall/firewall.<br>
<p><b><br>
</b></p>
<p><b><br>
</b></p>
<p><b><br>
9/28/2002 - Shorewall 1.3.9 </b><b>
</b></p>
<p>In this version:<br> <p>In this version:<br>
</p> </p>
<ul> <ul>
<li>A NEWNOTSYN option has been added to shorewall.conf. <li><a
This option determines whether Shorewall accepts TCP packets which href="configuration_file_basics.htm#dnsnames">DNS Names</a> are now
are not part of an established connection and that are not 'SYN' packets allowed in Shorewall config files (although I recommend against
(SYN flag on and ACK flag off).</li> using them).</li>
<li>The need for the 'multi' option to communicate <li>The connection SOURCE may now be
between zones za and zb on the same interface is removed in the case qualified by both interface and IP address in a <a
where the chain 'za2zb' and/or 'zb2za' exists. 'za2zb' will exist if: href="Documentation.htm#Rules">Shorewall rule</a>.</li>
<li>Shorewall startup is now disabled
after initial installation until the file /etc/shorewall/startup_disabled
is removed. This avoids nasty surprises at reboot for users
<ul> who install Shorewall but don't configure it.</li>
<li>There is a policy for za to zb; or</li> <li>The 'functions' and 'version' files
<li>There is at least one rule for za to zb. and the 'firewall' symbolic link have been moved from /var/lib/shorewall
to /usr/lib/shorewall to appease the LFS police at Debian.<br>
</li> </li>
</ul>
</li>
</ul> </ul>
<ul>
<li>The /etc/shorewall/blacklist file now contains
three columns. In addition to the SUBNET/ADDRESS column, there are
optional PROTOCOL and PORT columns to block only certain applications
from the blacklisted addresses.<br>
</li>
</ul>
<p><b>9/11/2002 - Debian 1.3.7c Packages Available </b></p>
<p>Apt-get sources listed at <a
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a>.</p>
<p><b>9/2/2002 - Shorewall 1.3.7c</b></p>
<p>This is a role up of a fix for "DNAT" rules where the source zone
is $FW (fw).</p>
<p><b>8/26/2002 - Shorewall 1.3.7b</b></p>
<p>This is a role up of the "shorewall refresh" bug fix and the change
which reverses the order of "dhcp" and "norfc1918" checking.</p>
<p><b>8/26/2002 - French FTP Mirror is Operational</b></p>
<p><a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall">ftp://france.shorewall.net/pub/mirrors/shorewall</a>
is now available.</p>
<p><b>8/25/2002 - Shorewall Mirror in France </b></p>
<p>Thanks to a Shorewall user in Paris, the Shorewall web site is now
mirrored at <a target="_top"
href="http://france.shorewall.net">http://france.shorewall.net</a>.</p>
@ -242,54 +337,61 @@ are not part of an established connection and that are not 'SYN' packets
<h2><a name="Donations"></a>Donations</h2> <h2><a name="Donations"></a>Donations</h2>
</td>
<td width="88" bgcolor="#4b017c" </td>
valign="top" align="center"> <a <td width="88"
bgcolor="#4b017c" valign="top" align="center"> <a
href="http://sourceforge.net">M</a></td> href="http://sourceforge.net">M</a></td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</center> </center>
</div> </div>
<table border="0" cellpadding="5" cellspacing="0" <table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2" style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td width="100%" style="margin-top: 1px;"> <td width="100%"
style="margin-top: 1px;">
<p align="center"><a href="http://www.starlight.org"> <img <p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left" border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10"> hspace="10">
  </a></p>   </a></p>
<p align="center"><font size="4" color="#ffffff">Shorewall is free but
if you try it and find it useful, please consider making a donation
to <a href="http://www.starlight.org"><font
<p align="center"><font size="4" color="#ffffff">Shorewall is free
but if you try it and find it useful, please consider making a donation
to <a href="http://www.starlight.org"><font
color="#ffffff">Starlight Children's Foundation.</font></a> Thanks!</font></p> color="#ffffff">Starlight Children's Foundation.</font></a> Thanks!</font></p>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p><font size="2">Updated 9/27/2002 - <a href="support.htm">Tom Eastep</a></font>
<br> <p><font size="2">Updated 11/9/2002 - <a href="support.htm">Tom Eastep</a></font>
</p>
<br> <br>
<br> </p>
<br>
<br>
<br>
<br>
<br>
<br>
</body> </body>
</html> </html>

111
Shorewall-docs/shoreline.htm
View File

@ -17,72 +17,74 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Tom Eastep</font></h1> <h1 align="center"><font color="#ffffff">Tom Eastep</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p align="center"> <img border="3" src="images/Hiking1.jpg" <p align="center"> <img border="3" src="images/TomNTarry.png"
alt="Tom on the PCT - 1991" width="374" height="365"> alt="Tom on the PCT - 1991" width="316" height="392">
</p> </p>
<p align="center">Tom on the Pacific Crest Trail north of Stevens Pass, <p align="center">Tarry &amp; Tom -- August 2002<br>
Washington  -- Sept 1991.<br> <br>
<font size="2">Photo by Ken Mazawa</font></p> </p>
<ul> <ul>
<li>Born 1945 in <a href="http://www.experiencewashington.com">Washington <li>Born 1945 in <a href="http://www.experiencewashington.com">Washington
State</a> .</li> State</a> .</li>
<li>BA Mathematics from <a href="http://www.wsu.edu">Washington State <li>BA Mathematics from <a href="http://www.wsu.edu">Washington
University</a> 1967</li> State University</a> 1967</li>
<li>MA Mathematics from <a href="http://www.washington.edu">University <li>MA Mathematics from <a href="http://www.washington.edu">University
of Washington</a> 1969</li> of Washington</a> 1969</li>
<li>Burroughs Corporation (now <a href="http://www.unisys.com">Unisys</a> <li>Burroughs Corporation (now <a href="http://www.unisys.com">Unisys</a>
) 1969 - 1980</li> ) 1969 - 1980</li>
<li><a href="http://www.tandem.com">Tandem Computers, Incorporated</a> <li><a href="http://www.tandem.com">Tandem Computers, Incorporated</a>
(now part of the <a href="http://www.hp.com">The New HP</a>) 1980 - present</li> (now part of the <a href="http://www.hp.com">The New HP</a>) 1980 - present</li>
<li>Married 1969 - no children.</li> <li>Married 1969 - no children.</li>
</ul> </ul>
<p>I am currently a member of the design team for the next-generation <p>I am currently a member of the design team for the next-generation
operating system from the NonStop Enterprise Division of HP. </p> operating system from the NonStop Enterprise Division of HP. </p>
<p>I became interested in Internet Security when I established a home office <p>I became interested in Internet Security when I established a home office
in 1999 and had DSL service installed in our home. I investigated ipchains in 1999 and had DSL service installed in our home. I investigated
and developed the scripts which are now collectively known as <a ipchains and developed the scripts which are now collectively known as <a
href="http://seawall.sourceforge.net"> Seattle Firewall</a>. Expanding href="http://seawall.sourceforge.net"> Seattle Firewall</a>. Expanding
on what I learned from Seattle Firewall, I then designed and wrote on what I learned from Seattle Firewall, I then designed and wrote
Shorewall. </p> Shorewall. </p>
<p>I telework from our home in <a href="http://www.cityofshoreline.com">Shoreline, <p>I telework from our home in <a href="http://www.cityofshoreline.com">Shoreline,
Washington</a> where I live with my wife Tarry. </p> Washington</a> where I live with my wife Tarry. </p>
<p>Our current home network consists of: </p> <p>Our current home network consists of: </p>
<ul> <ul>
<li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &amp; 8GB IDE HDs <li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &amp; 8GB IDE
and LNE100TX (Tulip) NIC - My personal Windows system.</li> HDs and LNE100TX (Tulip) NIC - My personal Windows system. Also has
<li>Celeron 1.4Gz, RH7.3, 384MB RAM, 60GB HD, LNE100TX(Tulip) NIC - RedHat 8.0 installed.</li>
My personal Linux System which runs Samba configured as a WINS server. <li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip) NIC
This system also has <a href="http://www.vmware.com/">VMware</a> installed - My personal Linux System which runs Samba configured as a WINS server.
and can run both <a href="http://www.debian.org">Debian</a> and This system also has <a href="http://www.vmware.com/">VMware</a> installed
<a href="http://www.suse.com">SuSE</a> in virtual machines.</li> and can run both <a href="http://www.debian.org">Debian Woody</a>
<li>K6-2/350, RH7.3, 384MB RAM, 8GB IDE HD, EEPRO100 NIC  - Mail (Postfix and <a href="http://www.suse.com">SuSE 8.1</a> in virtual machines.</li>
&amp; Courier-IMAP), HTTP (Apache), FTP (Pure_ftpd), DNS server (Bind).</li> <li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC  - Mail
<li>PII/233, RH7.3 with 2.4.20-pre6 kernel, 256MB MB RAM, 2GB SCSI HD (Postfix &amp; Courier-IMAP), HTTP (Apache), FTP (Pure_ftpd), DNS server
- 3 LNE100TX  (Tulip) and 1 TLAN NICs  - Firewall running Shorewall (Bind).</li>
1.3.9 (Yep -- I run them before I release them) and a DHCP server.  Also <li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI HD - 3 LNE100TX 
runs PoPToP for road warrior access.</li> (Tulip) and 1 TLAN NICs  - Firewall running Shorewall 1.3.9a  and a DHCP
<li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - My wife's server.  Also runs PoPToP for road warrior access.</li>
personal system.</li> <li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - My wife's
<li>PII/400 Laptop, Win2k SP2, 224MB RAM, 12GB HD, onboard EEPRO100 personal system.</li>
and EEPRO100 in expansion base and LinkSys WAC11 - My main work system.</li> <li>PII/400 Laptop, Win2k SP2, 224MB RAM, 12GB HD, onboard EEPRO100
and EEPRO100 in expansion base and LinkSys WAC11 - My main work system.</li>
</ul> </ul>
@ -95,17 +97,22 @@ and EEPRO100 in expansion base and LinkSys WAC11 - My main work system.</li>
<p><a href="http://www.redhat.com"><img border="0" <p><a href="http://www.redhat.com"><img border="0"
src="images/poweredby.png" width="88" height="31"> src="images/poweredby.png" width="88" height="31">
</a><a href="http://www.compaq.com"><img border="0" </a><a href="http://www.compaq.com"><img border="0"
src="images/poweredbycompaqlog0.gif" hspace="3" width="83" height="25"> src="images/poweredbycompaqlog0.gif" hspace="3" width="83" height="25">
</a><a href="http://www.pureftpd.org"><img border="0" </a><a href="http://www.pureftpd.org"><img border="0"
src="images/pure.jpg" width="88" height="31"> src="images/pure.jpg" width="88" height="31">
</a><font size="4"><a href="http://www.apache.org"><img border="0" </a><font size="4"><a href="http://www.apache.org"><img border="0"
src="images/apache_pb1.gif" hspace="2" width="170" height="20"> src="images/apache_pb1.gif" hspace="2" width="170" height="20">
</a> </font></p> </a> </font></p>
<p><font size="2">Last updated 9/19/2002 - </font><font size="2"> <a <p><font size="2">Last updated 10/28/2002 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p> href="support.htm">Tom Eastep</a></font> </p>
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
<br>
<br>
<br>
<br>
<br>
</body> </body>
</html> </html>

26
Shorewall-docs/shorewall_ca_certificate.htm
View File

@ -1,26 +0,0 @@
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Shorewall CA Certificate</title>
</head>
<body>
<h1 align="center">Shorewall CA Certificate</h1>
<p align="center">Load <a href="ca.crt">this certificate</a> into your browser
to use SSL to the Shorewall Site</p>
<p align="left"><font size="2">Last updated
8/10/2002 - <a href="support.htm">Tom
Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
</body>
</html>

180
Shorewall-docs/shorewall_features.htm
View File

@ -1,91 +1,111 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> <meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta http-equiv="Content-Type"
<title>Shorewall Features</title> content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Features</title>
</head> </head>
<body>
<body> <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Features</font></h1>
</td>
</tr>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90"> </tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Shorewall Features</font></h1>
</td>
</tr>
</table> </table>
<ul> <ul>
<li>Uses Netfilter's connection tracking facilities for stateful packet <li>Uses Netfilter's connection tracking facilities for stateful packet
filtering.</li> filtering.</li>
<li>Can be used in a <b> wide range of router/firewall/gateway applications</b>. <li>Can be used in a <b> wide range of router/firewall/gateway applications</b>.
<ul>
<li>Completely customizable using configuration files.</li> <ul>
<li>No limit on the number of network interfaces.</li> <li>Completely customizable using configuration files.</li>
<li>Allows you to partitions the network into <i><a href="Documentation.htm#Zones">zones</a></i> <li>No limit on the number of network interfaces.</li>
and gives you complete control over the connections permitted between <li>Allows you to partitions the network into <i><a
each pair of zones.</li> href="Documentation.htm#Zones">zones</a></i> and gives you complete
<li>Multiple interfaces per zone and multiple zones per interface control over the connections permitted between each pair of zones.</li>
permitted.</li> <li>Multiple interfaces per zone and multiple zones per interface
<li>Supports nested and overlapping zones.</li> permitted.</li>
</ul> <li>Supports nested and overlapping zones.</li>
</li>
<li> <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a> to help </ul>
get your first firewall up and running quickly</li> </li>
<li>Extensive <b> <a href="Documentation_Index.htm" target="_top">documentation</a> </b> <li> <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a> to
included in the .tgz and .rpm downloads.</li> help get your first firewall up and running quickly</li>
<li><b>Flexible address management/routing support</b> (and you can use all <li>Extensive <b> <a href="Documentation_Index.htm" target="_top">documentation</a>
types in the same firewall): </b> included in the .tgz and .rpm downloads.</li>
<ul> <li><b>Flexible address management/routing support</b> (and you can use
<li><a href="Documentation.htm#Masq">Masquerading/SNAT</a></li> all types in the same firewall):
<li><a href="Documentation.htm#PortForward">Port Forwarding (DNAT)</a>.</li> <ul>
<li><a href="Documentation.htm#NAT"> <li><a href="Documentation.htm#Masq">Masquerading/SNAT</a></li>
Static NAT</a>.</li> <li><a href="Documentation.htm#PortForward">Port Forwarding (DNAT)</a>.</li>
<li><a href="Documentation.htm#ProxyArp"> <li><a href="Documentation.htm#NAT"> Static NAT</a>.</li>
Proxy ARP</a>.</li> <li><a href="Documentation.htm#ProxyArp"> Proxy ARP</a>.</li>
<li>Simple host/subnet Routing</li> <li>Simple host/subnet Routing</li>
</ul>
</li> </ul>
<li><a href="blacklisting_support.htm"><b>Blacklisting</b></a> of individual </li>
IP addresses and subnetworks is supported.</li> <li><a href="blacklisting_support.htm"><b>Blacklisting</b></a> of individual
<li><b><a href="starting_and_stopping_shorewall.htm">Operational support</a></b>: IP addresses and subnetworks is supported.</li>
<ul> <li><b><a href="starting_and_stopping_shorewall.htm">Operational support</a></b>:
<li>Commands to start, stop and clear the firewall</li>
<li>Supports status monitoring <ul>
with an audible alarm when an "interesting" packet is detected.</li> <li>Commands to start, stop and clear the firewall</li>
<li>Wide variety of informational commands.</li> <li>Supports status monitoring with an audible alarm
</ul> when an "interesting" packet is detected.</li>
</li> <li>Wide variety of informational commands.</li>
<li><b>VPN Support</b>
<ul> </ul>
<li><a href="Documentation.htm#Tunnels">IPSEC, GRE and IPIP </li>
Tunnels</a>.</li> <li><b>VPN Support</b>
<li><a href="PPTP.htm">PPTP </a> clients and Servers.</li> <ul>
</ul> <li><a href="Documentation.htm#Tunnels">IPSEC, GRE and IPIP Tunnels</a>.</li>
</li> <li><a href="PPTP.htm">PPTP </a> clients and Servers.</li>
<li>Support for <a href="traffic_shaping.htm"><b>Traffic Control/Shaping</b></a>
integration.</li> </ul>
<li>Wide support for different <b>GNU/Linux Distributions</b>. </li>
<ul> <li>Support for <a href="traffic_shaping.htm"><b>Traffic Control/Shaping</b></a>
<li><a href="Install.htm#Install_RPM"><b>RPM</b></a> and <a href="http://security.dsi.unimi.it/~lorenzo/debian.html"><b>Debian</b></a> integration.</li>
packages available.</li> <li>Wide support for different <b>GNU/Linux Distributions</b>.
<li>Includes <a href="Install.htm"><b>automated install, upgrade, fallback
and uninstall facilities</b></a> for users who can't use or choose not <ul>
to use the RPM or Debian packages.</li> <li><a href="Install.htm#Install_RPM"><b>RPM</b></a> and <a
<li>Compatible with 2.4-kernel based versions of <b> <a href="http://leaf.sourceforge.net"> href="http://security.dsi.unimi.it/%7Elorenzo/debian.html"><b>Debian</b></a>
LEAF</a> packages available.</li>
</b> <li>Includes <a href="Install.htm"><b>automated install, upgrade, fallback
.</li> and uninstall facilities</b></a> for users who can't use or choose
</ul> not to use the RPM or Debian packages.</li>
</li> <li>Included as a standard part of<b> <a
href="http://leaf.sourceforge.net/devel/jnilo"> LEAF/Bering</a> </b>(router/firewall
on a floppy, CD or compact flash).</li>
</ul>
</li>
<li><a href="MAC_Validation.html">Media Access Control (<b>MAC</b>) Address
<b>Verification</b><br>
</a><br>
</li>
</ul> </ul>
<p><font size="2">Last updated 7/14/2002 - <a href="support.htm">Tom
Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm">
<font size="2">Copyright</font> © <font size="2">2001,2002 Thomas M. Eastep.</font></a></font></p>
<p><font size="2">Last updated 11/09/2002 - <a href="support.htm">Tom Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001,2002 Thomas M. Eastep.</font></a></font><br>
</p>
</body> </body>
</html> </html>

246
Shorewall-docs/shorewall_quickstart_guide.htm
View File

@ -19,13 +19,13 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall QuickStart Guides<br> <h1 align="center"><font color="#ffffff">Shorewall QuickStart Guides<br>
Version 3.1</font></h1> Version 3.1</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
@ -36,174 +36,186 @@ must all first walk before we can run.</p>
<h2>The Guides</h2> <h2>The Guides</h2>
<p>These guides provide step-by-step instructions for configuring Shorewall <p>These guides provide step-by-step instructions for configuring Shorewall
in common firewall setups.</p> in common firewall setups.</p>
<p>The following guides are for users who have a single public IP address:</p> <p>The following guides are for <b>users who have a single public IP address</b>:</p>
<ul> <ul>
<li><a href="standalone.htm">Standalone</a> Linux System</li> <li><a href="standalone.htm">Standalone</a> Linux System</li>
<li><a href="two-interface.htm">Two-interface</a> Linux System acting <li><a href="two-interface.htm">Two-interface</a> Linux System acting
as a firewall/router for a small local network</li> as a firewall/router for a small local network</li>
<li><a href="three-interface.htm">Three-interface</a> Linux System acting <li><a href="three-interface.htm">Three-interface</a> Linux System
as a firewall/router for a small local network and a DMZ.</li> acting as a firewall/router for a small local network and a DMZ.</li>
</ul> </ul>
<p>The above guides are designed to get your first firewall up and running <p>The above guides are designed to get your first firewall up and running
quickly in the three most common Shorewall configurations.</p> quickly in the three most common Shorewall configurations.</p>
<p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> outlines <p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> outlines
the steps necessary to set up a firewall where there are multiple public the steps necessary to set up a firewall where <b>there are multiple public
IP addresses involved or if you want to learn more about Shorewall than is IP addresses involved or if you want to learn more about Shorewall than
explained in the single-address guides above.</p> is explained in the single-address guides above.</b></p>
<ul> <ul>
<li><a href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a></li> <li><a href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a></li>
<li><a href="shorewall_setup_guide.htm#Concepts">2.0 Shorewall Concepts</a></li> <li><a href="shorewall_setup_guide.htm#Concepts">2.0 Shorewall Concepts</a></li>
<li><a href="shorewall_setup_guide.htm#Interfaces">3.0 Network Interfaces</a></li> <li><a href="shorewall_setup_guide.htm#Interfaces">3.0 Network Interfaces</a></li>
<li><a href="shorewall_setup_guide.htm#Addressing">4.0 Addressing, Subnets <li><a href="shorewall_setup_guide.htm#Addressing">4.0 Addressing,
and Routing</a> Subnets and Routing</a>
<ul> <ul>
<li><a href="shorewall_setup_guide.htm#Addresses">4.1 IP Addresses</a></li> <li><a href="shorewall_setup_guide.htm#Addresses">4.1 IP Addresses</a></li>
<li><a href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li> <li><br>
<li><a href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li> </li>
<li><a href="shorewall_setup_guide.htm#ARP">4.4 Address Resolution <li><a href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
Protocol</a></li> <li><a href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li>
<li><a href="shorewall_setup_guide.htm#ARP">4.4 Address Resolution
Protocol</a></li>
</ul> </ul>
<ul> <ul>
<li><a href="shorewall_setup_guide.htm#RFC1918">4.5 RFC 1918</a></li> <li><a href="shorewall_setup_guide.htm#RFC1918">4.5 RFC 1918</a></li>
</ul> </ul>
</li> </li>
<li><a href="shorewall_setup_guide.htm#Options">5.0 Setting up your Network</a> <li><a href="shorewall_setup_guide.htm#Options">5.0 Setting up your
Network</a>
<ul> <ul>
<li><a href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li> <li><a href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li>
</ul> </ul>
<ul> <ul>
<li><a href="shorewall_setup_guide.htm#NonRouted">5.2 Non-routed</a> <li><a href="shorewall_setup_guide.htm#NonRouted">5.2 Non-routed</a>
<ul> <ul>
<li><a href="shorewall_setup_guide.htm#SNAT">5.2.1 SNAT</a></li> <li><a href="shorewall_setup_guide.htm#SNAT">5.2.1 SNAT</a></li>
<li><a href="shorewall_setup_guide.htm#DNAT">5.2.2 DNAT</a></li> <li><a href="shorewall_setup_guide.htm#DNAT">5.2.2 DNAT</a></li>
<li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3 Proxy ARP</a></li> <li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3 Proxy
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4 Static NAT</a></li> ARP</a></li>
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4 Static NAT</a></li>
</ul> </ul>
</li> </li>
<li><a href="shorewall_setup_guide.htm#Rules">5.3 Rules</a></li> <li><a href="shorewall_setup_guide.htm#Rules">5.3 Rules</a></li>
<li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4 Odds and Ends</a></li> <li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4 Odds and
Ends</a></li>
</ul> </ul>
</li> </li>
<li><a href="shorewall_setup_guide.htm#DNS">6.0 DNS</a></li> <li><a href="shorewall_setup_guide.htm#DNS">6.0 DNS</a></li>
<li><a href="shorewall_setup_guide.htm#StartingAndStopping">7.0 Starting <li><a href="shorewall_setup_guide.htm#StartingAndStopping">7.0 Starting
and Stopping the Firewall</a></li> and Stopping the Firewall</a></li>
</ul> </ul>
<h2><a name="Documentation"></a>Additional Documentation</h2> <h2><a name="Documentation"></a>Additional Documentation</h2>
<p>The following documentation covers a variety of topics and supplements <p>The following documentation covers a variety of topics and <b>supplements
the <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a> described the <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a> described
above.</p> above</b>. Please review the appropriate guide before trying to use this
documentation directly.</p>
<ul> <ul>
<li><a href="blacklisting_support.htm">Blacklisting</a> <li><a href="blacklisting_support.htm">Blacklisting</a>
<ul>
<li>Static Blacklisting using /etc/shorewall/blacklist</li>
<li>Dynamic Blacklisting using /sbin/shorewall</li>
</ul>
</li>
<li><a href="configuration_file_basics.htm">Common configuration file
features</a>
<ul>
<li>Comments in configuration files</li>
<li>Line Continuation</li>
<li>Port Numbers/Service Names</li>
<li>Port Ranges</li>
<li>Using Shell Variables</li>
<li>Using DNS Names<br>
</li>
<li>Complementing an IP address or Subnet</li>
<li>Shorewall Configurations (making a test configuration)</li>
<li>Using MAC Addresses in Shorewall</li>
</ul>
</li>
<li><a href="Documentation.htm">Configuration File Reference Manual</a>
<ul> <ul>
<li> <a href="Documentation.htm#Variables">params</a></li> <li>Static Blacklisting using /etc/shorewall/blacklist</li>
<li><font color="#000099"><a href="Documentation.htm#Zones">zones</a></font></li> <li>Dynamic Blacklisting using /sbin/shorewall</li>
<li><font color="#000099"><a href="Documentation.htm#Interfaces">interfaces</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#Hosts">hosts</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#Policy">policy</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#Rules">rules</a></font></li>
<li><a href="Documentation.htm#Common">common</a></li>
<li><font color="#000099"><a href="Documentation.htm#Masq">masq</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#ProxyArp">proxyarp</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#NAT">nat</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#Tunnels">tunnels</a></font></li>
<li><a href="traffic_shaping.htm#tcrules">tcrules</a></li>
<li><font color="#000099"><a href="Documentation.htm#Conf">shorewall.conf</a></font></li>
<li><a href="Documentation.htm#modules">modules</a></li>
<li><a href="Documentation.htm#TOS">tos</a> </li>
<li><a href="Documentation.htm#Blacklist">blacklist</a></li>
<li><a href="Documentation.htm#rfc1918">rfc1918</a></li>
<li><a href="Documentation.htm#Routestopped">routestopped</a></li>
</ul> </ul>
</li> </li>
<li><a href="dhcp.htm">DHCP</a></li> <li><a href="configuration_file_basics.htm">Common configuration
<li><font color="#000099"><a href="shorewall_extension_scripts.htm">Extension file features</a>
Scripts</a></font> (How to extend Shorewall without modifying Shorewall
code)</li>
<li><a href="fallback.htm">Fallback/Uninstall</a></li>
<li><a href="shorewall_firewall_structure.htm">Firewall Structure</a></li>
<li><font color="#000099"><a href="kernel.htm">Kernel Configuration</a></font></li>
<li><a href="myfiles.htm">My Configuration Files</a> (How I personally
use Shorewall)</li>
<li><a href="ports.htm">Port Information</a>
<ul> <ul>
<li>Which applications use which ports</li> <li>Comments in configuration files</li>
<li>Ports used by Trojans</li> <li>Line Continuation</li>
<li>Port Numbers/Service Names</li>
<li>Port Ranges</li>
<li>Using Shell Variables</li>
<li>Using DNS Names<br>
</li>
<li>Complementing an IP address or Subnet</li>
<li>Shorewall Configurations (making a test configuration)</li>
<li>Using MAC Addresses in Shorewall</li>
</ul> </ul>
</li> </li>
<li><a href="ProxyARP.htm">Proxy ARP</a></li> <li><a href="Documentation.htm">Configuration File Reference Manual</a>
<li><a href="samba.htm">Samba</a></li>
<li><font color="#000099"><a <ul>
<li> <a href="Documentation.htm#Variables">params</a></li>
<li><font color="#000099"><a href="Documentation.htm#Zones">zones</a></font></li>
<li><font color="#000099"><a
href="Documentation.htm#Interfaces">interfaces</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#Hosts">hosts</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#Policy">policy</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#Rules">rules</a></font></li>
<li><a href="Documentation.htm#Common">common</a></li>
<li><font color="#000099"><a href="Documentation.htm#Masq">masq</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#ProxyArp">proxyarp</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#NAT">nat</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#Tunnels">tunnels</a></font></li>
<li><a href="traffic_shaping.htm#tcrules">tcrules</a></li>
<li><font color="#000099"><a href="Documentation.htm#Conf">shorewall.conf</a></font></li>
<li><a href="Documentation.htm#modules">modules</a></li>
<li><a href="Documentation.htm#TOS">tos</a> </li>
<li><a href="Documentation.htm#Blacklist">blacklist</a></li>
<li><a href="Documentation.htm#rfc1918">rfc1918</a></li>
<li><a href="Documentation.htm#Routestopped">routestopped</a></li>
</ul>
</li>
<li><a href="dhcp.htm">DHCP</a></li>
<li><font color="#000099"><a
href="shorewall_extension_scripts.htm">Extension Scripts</a></font>
(How to extend Shorewall without modifying Shorewall code)</li>
<li><a href="fallback.htm">Fallback/Uninstall</a></li>
<li><a href="shorewall_firewall_structure.htm">Firewall Structure</a></li>
<li><font color="#000099"><a href="kernel.htm">Kernel Configuration</a></font></li>
<li><a href="myfiles.htm">My Configuration Files</a> (How I personally
use Shorewall)</li>
<li><a href="ports.htm">Port Information</a>
<ul>
<li>Which applications use which ports</li>
<li>Ports used by Trojans</li>
</ul>
</li>
<li><a href="ProxyARP.htm">Proxy ARP</a></li>
<li><a href="samba.htm">Samba</a></li>
<li><font color="#000099"><a
href="starting_and_stopping_shorewall.htm">Starting/stopping the Firewall</a></font></li> href="starting_and_stopping_shorewall.htm">Starting/stopping the Firewall</a></font></li>
<li><font color="#000099"><a href="NAT.htm">Static NAT</a></font></li> <li><font color="#000099"><a href="NAT.htm">Static NAT</a></font></li>
<li><a href="traffic_shaping.htm">Traffic Shaping/Control</a></li> <li><a href="traffic_shaping.htm">Traffic Shaping/Control</a></li>
<li>VPN <li>VPN
<ul> <ul>
<li><a href="IPSEC.htm">IPSEC</a></li> <li><a href="IPSEC.htm">IPSEC</a></li>
<li><a href="IPIP.htm">GRE and IPIP</a></li> <li><a href="IPIP.htm">GRE and IPIP</a></li>
<li><a href="PPTP.htm">PPTP</a></li> <li><a href="PPTP.htm">PPTP</a></li>
<li><a href="VPN.htm">IPSEC/PPTP</a> from a system behind your firewall <li><a href="VPN.htm">IPSEC/PPTP</a> from a system behind your
to a remote network.</li> firewall to a remote network.</li>
</ul> </ul>
</li> </li>
<li><a href="whitelisting_under_shorewall.htm">White List Creation</a></li> <li><a href="whitelisting_under_shorewall.htm">White List Creation</a></li>
</ul> </ul>
<p>If you use one of these guides and have a suggestion for improvement <a <p>If you use one of these guides and have a suggestion for improvement <a
href="mailto:webmaster@shorewall.net">please let me know</a>.</p> href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
<p><font size="2">Last modified 9/16/2002 - <a <p><font size="2">Last modified 11/3/2002 - <a
href="file:///J:/Shorewall/Shorewall-docs/support.htm">Tom Eastep</a></font></p> href="file:///J:/Shorewall/Shorewall-docs/support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright 2002 Thomas M. Eastep</font></a></p> <p><a href="copyright.htm"><font size="2">Copyright 2002 Thomas M. Eastep</font></a></p>
<br>
<br>
<br>
<br> <br>
<br>
<br> <br>
</body> </body>
</html> </html>

178
Shorewall-docs/starting_and_stopping_shorewall.htm
View File

@ -20,17 +20,17 @@
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Starting/Stopping and Monitoring <h1 align="center"><font color="#ffffff">Starting/Stopping and Monitoring
the Firewall</font></h1> the Firewall</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
@ -40,13 +40,13 @@ the Firewall</font></h1>
<p> If you have a permanent internet connection such as DSL or Cable, <p> If you have a permanent internet connection such as DSL or Cable,
I recommend that you start the firewall automatically at boot. Once you I recommend that you start the firewall automatically at boot. Once
have installed "firewall" in your init.d directory, simply type you have installed "firewall" in your init.d directory, simply type
"chkconfig --add firewall". This will start the firewall in run levels "chkconfig --add firewall". This will start the firewall in run levels
2-5 and stop it in run levels 1 and 6. If you want to configure your firewall 2-5 and stop it in run levels 1 and 6. If you want to configure your
differently from this default, you can use the "--level" option in firewall differently from this default, you can use the "--level" option
chkconfig (see "man chkconfig") or using your favorite graphical run-level in chkconfig (see "man chkconfig") or using your favorite graphical
editor.</p> run-level editor.</p>
@ -55,22 +55,22 @@ editor.</p>
<p><strong><u> <font color="#000099"> Important Notes:</font></u></strong><br> <p><strong><u> <font color="#000099"> Important Notes:</font></u></strong><br>
</p> </p>
<ol> <ol>
<li>Shorewall startup is disabled by default. Once you have configured <li>Shorewall startup is disabled by default. Once you have configured
your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled. your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.
Note: Users of the .deb package must edit /etc/default/shorewall and set Note: Users of the .deb package must edit /etc/default/shorewall and set
'startup=1'.<br> 'startup=1'.<br>
</li> </li>
<li>If you use dialup, you may want to start the firewall in your <li>If you use dialup, you may want to start the firewall in your
/etc/ppp/ip-up.local script. I recommend just placing "shorewall restart" /etc/ppp/ip-up.local script. I recommend just placing "shorewall restart"
in that script.</li> in that script.</li>
</ol> </ol>
<p> <p>
</p> </p>
@ -80,16 +80,16 @@ in that script.</li>
<ul> <ul>
<li>shorewall start - starts the firewall</li> <li>shorewall start - starts the firewall</li>
<li>shorewall stop - stops the firewall</li> <li>shorewall stop - stops the firewall</li>
<li>shorewall restart - stops the firewall (if it's running) <li>shorewall restart - stops the firewall (if it's running)
and then starts it again</li> and then starts it again</li>
<li>shorewall reset - reset the packet and byte counters <li>shorewall reset - reset the packet and byte counters
in the firewall</li> in the firewall</li>
<li>shorewall clear - remove all rules and chains installed <li>shorewall clear - remove all rules and chains installed
by Shoreline Firewall</li> by Shoreline Firewall</li>
<li>shorewall refresh - refresh the rules involving the broadcast <li>shorewall refresh - refresh the rules involving the broadcast
addresses of firewall interfaces and the black and white lists.</li> addresses of firewall interfaces and the black and white lists.</li>
</ul> </ul>
@ -100,45 +100,60 @@ by Shoreline Firewall</li>
<ul> <ul>
<li>shorewall status - produce a verbose report about the firewall <li>shorewall status - produce a verbose report about the firewall
(iptables -L -n -v)</li> (iptables -L -n -v)</li>
<li>shorewall show <i>chain</i> - produce a verbose report about <i>chain <li>shorewall show <i>chain</i> - produce a verbose report about <i>chain
</i>(iptables -L <i>chain</i> -n -v)</li> </i>(iptables -L <i>chain</i> -n -v)</li>
<li>shorewall show nat - produce a verbose report about the nat table <li>shorewall show nat - produce a verbose report about the nat table
(iptables -t nat -L -n -v)</li> (iptables -t nat -L -n -v)</li>
<li>shorewall show tos - produce a verbose report about the mangle table <li>shorewall show tos - produce a verbose report about the mangle
(iptables -t mangle -L -n -v)</li> table (iptables -t mangle -L -n -v)</li>
<li>shorewall show log - display the last 20 packet log entries.</li> <li>shorewall show log - display the last 20 packet log entries.</li>
<li>shorewall show connections - displays the IP connections currently <li>shorewall show connections - displays the IP connections currently
being tracked by the firewall.</li> being tracked by the firewall.</li>
<li>shorewall <li>shorewall
show show
tc - displays information tc - displays information
about the traffic control/shaping configuration.</li> about the traffic control/shaping configuration.</li>
<li>shorewall monitor [ delay ] - Continuously display the firewall <li>shorewall monitor [ delay ] - Continuously display the firewall
status, last 20 log entries and nat. When the log entry display status, last 20 log entries and nat. When the log entry display
changes, an audible alarm is sounded.</li> changes, an audible alarm is sounded.</li>
<li>shorewall hits - Produces several reports about the Shorewall packet <li>shorewall hits - Produces several reports about the Shorewall packet
log messages in the current /var/log/messages file.</li> log messages in the current /var/log/messages file.</li>
<li>shorewall version - Displays the installed version number.</li> <li>shorewall version - Displays the installed version number.</li>
<li>shorewall check - Performs a <u>cursory</u> validation of the <li>shorewall check - Performs a <u>cursory</u> validation of
zones, interfaces, hosts, rules and policy files. <font size="4" the zones, interfaces, hosts, rules and policy files. <font size="4"
color="#ff6666"><b>The "check" command does not parse and validate the color="#ff6666"><b>The "check" command does not parse and validate the
generated iptables commands so even though the "check" command completes generated iptables commands so even though the "check" command completes
successfully, the configuration may fail to start. See the recommended successfully, the configuration may fail to start. See the recommended
way to make configuration changes described below. </b></font> </li> way to make configuration changes described below. </b></font> </li>
<li>shorewall try<i> configuration-directory</i> [<i> timeout</i> ] <li>shorewall try<i> configuration-directory</i> [<i> timeout</i> ]
- Restart shorewall using the specified configuration and if an error - Restart shorewall using the specified configuration and if an error
occurs or if the<i> timeout </i> option is given and the new configuration occurs or if the<i> timeout </i> option is given and the new configuration
has been up for that many seconds then shorewall is restarted using the has been up for that many seconds then shorewall is restarted using
standard configuration.</li> the standard configuration.</li>
<li>shorewall deny, shorewall reject, shorewall accept and shorewall <li>shorewall deny, shorewall reject, shorewall accept and shorewall
save implement <a href="blacklisting_support.htm">dynamic blacklisting</a>.</li> save implement <a href="blacklisting_support.htm">dynamic blacklisting</a>.</li>
<li>shorewall logwatch (added in version 1.3.2) - Monitors the <a <li>shorewall logwatch (added in version 1.3.2) - Monitors the <a
href="#Conf">LOGFILE </a>and produces an audible alarm when new Shorewall href="#Conf">LOGFILE </a>and produces an audible alarm when new Shorewall
messages are logged.</li> messages are logged.</li>
</ul> </ul>
Finally, the "shorewall" program may be used to dynamically alter the contents
of a zone.<br>
<ul>
<li>shorewall add <i>interface</i>[:<i>host]</i> <i>zone </i>- Adds the
specified interface (and host if included) to the specified zone.</li>
<li>shorewall delete <i>interface</i>[:<i>host]</i> <i>zone </i>- Deletes
the specified interface (and host if included) from the specified zone.</li>
</ul>
<blockquote>Examples:<br>
<blockquote>shorewall add ipsec0:192.0.2.24 vpn1 -- adds the address 192.0.2.24
from interface ipsec0 to the zone vpn1<br>
shorewall delete ipsec0:192.0.2.24 vpn1 -- deletes the address 192.0.2.24
from interface ipsec0 from zone vpn1<br>
</blockquote>
</blockquote>
<p> The <b>shorewall start</b>, <b>shorewall restart, shorewall check </b> and <p> The <b>shorewall start</b>, <b>shorewall restart, shorewall check </b> and
@ -149,8 +164,8 @@ save implement <a href="blacklisting_support.htm">dynamic blacklisting</a>.<
<blockquote> <blockquote>
<p> shorewall [ -c <i>configuration-directory</i> ] {start|restart|check}<br> <p> shorewall [ -c <i>configuration-directory</i> ] {start|restart|check}<br>
shorewall try <i>configuration-directory</i></p> shorewall try <i>configuration-directory</i></p>
</blockquote> </blockquote>
<p> If a <i>configuration-directory</i> is specified, each time that Shorewall <p> If a <i>configuration-directory</i> is specified, each time that Shorewall
@ -162,32 +177,32 @@ save implement <a href="blacklisting_support.htm">dynamic blacklisting</a>.<
<p> When changing the configuration of a production firewall, I recommend <p> When changing the configuration of a production firewall, I recommend
the following:</p> the following:</p>
<ul> <ul>
<li>mkdir /etc/test</li> <li>mkdir /etc/test</li>
<li>cd /etc/test</li> <li>cd /etc/test</li>
<li>&lt;copy any files that you need to change from /etc/shorewall <li>&lt;copy any files that you need to change from /etc/shorewall
to . and change them here&gt;</li> to . and change them here&gt;</li>
<li>shorewall -c . check</li> <li>shorewall -c . check</li>
<li>&lt;correct any errors found by check and check again&gt;</li> <li>&lt;correct any errors found by check and check again&gt;</li>
<li>/sbin/shorewall try .</li> <li>/sbin/shorewall try .</li>
</ul> </ul>
<p> If the configuration starts but doesn't work, just "shorewall restart" <p> If the configuration starts but doesn't work, just "shorewall restart"
to restore the old configuration. If the new configuration fails to start, to restore the old configuration. If the new configuration fails to start,
the "try" command will automatically start the old one for you.</p> the "try" command will automatically start the old one for you.</p>
@ -199,27 +214,28 @@ the "try" command will automatically start the old one for you.</p>
<ul> <ul>
<li>cp * /etc/shorewall</li> <li>cp * /etc/shorewall</li>
<li>cd</li> <li>cd</li>
<li>rm -rf /etc/test</li> <li>rm -rf /etc/test</li>
</ul> </ul>
<p><font size="2"> Updated 9/26/2002 - <a href="support.htm">Tom Eastep</a> <p><font size="2"> Updated 10/23/2002 - <a href="support.htm">Tom Eastep</a>
</font></p> </font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br> <br>
<br>
<br> <br>
</body> </body>
</html> </html>

92
Shorewall-docs/support.htm
View File

@ -19,40 +19,40 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Support</font></h1> <h1 align="center"><font color="#ffffff">Shorewall Support</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<h3 align="left"> <span style="font-weight: 400;"><i> "<font size="3">It is <h3 align="left"> <span style="font-weight: 400;"><i> "<font size="3">It
easier to post a problem than to use your own brain" </font>-- </i> <font is easier to post a problem than to use your own brain" </font>-- </i> <font
size="2">Wietse Venema (creator of <a href="http://www.postfix.org">Postfix</a>)</font></span></h3> size="2">Wietse Venema (creator of <a href="http://www.postfix.org">Postfix</a>)</font></span></h3>
<p align="left"> <i>"Any sane computer will tell you how it works -- you just <p align="left"> <i>"Any sane computer will tell you how it works -- you
have to ask it the right questions" </i>-- <font size="2">Tom Eastep</font></p> just have to ask it the right questions" </i>-- <font size="2">Tom Eastep</font></p>
<blockquote> </blockquote> <blockquote> </blockquote>
<p><span style="font-weight: 400;"><i>"It irks me when people believe that <p><span style="font-weight: 400;"><i>"It irks me when people believe that
free software comes at no cost. The cost is incredibly high."</i> free software comes at no cost. The cost is incredibly high."</i>
- <font size="2"> Wietse Venema</font></span></p> - <font size="2"> Wietse Venema</font></span></p>
<h3 align="left">Before Reporting a Problem</h3> <h3 align="left">Before Reporting a Problem</h3>
<p>There are a number of sources for problem solution information.</p> <p>There are a number of sources for problem solution information.</p>
<ul> <ul>
<li>The <a href="FAQ.htm">FAQ</a> has solutions to common problems.</li> <li>The <a href="FAQ.htm">FAQ</a> has solutions to common problems.</li>
<li>The <a href="troubleshoot.htm">Troubleshooting</a> Information <li>The <a href="troubleshoot.htm">Troubleshooting</a> Information
contains a number of tips to help you solve common problems.</li> contains a number of tips to help you solve common problems.</li>
<li>The <a href="errata.htm"> Errata</a> has links to download updated <li>The <a href="errata.htm"> Errata</a> has links to download updated
components.</li> components.</li>
<li>The Mailing List Archives search facility can locate posts about <li>The Mailing List Archives search facility can locate posts about
similar problems:</li> similar problems:</li>
</ul> </ul>
@ -60,18 +60,19 @@ contains a number of tips to help you solve common problems.</li>
<h4>Mailing List Archive Search</h4> <h4>Mailing List Archive Search</h4>
<form method="post" action="http://www.shorewall.net/cgi-bin/htsearch"> <form method="post" action="http://www.shorewall.net/cgi-bin/htsearch">
<p> <font size="-1"> Match: <p> <font size="-1"> Match:
<select name="method"> <select name="method">
<option value="and">All </option> <option value="and">All </option>
<option value="or">Any </option> <option value="or">Any </option>
<option value="boolean">Boolean </option> <option value="boolean">Boolean </option>
</select> </select>
Format: Format:
<select name="format"> <select name="format">
<option value="builtin-long">Long </option> <option value="builtin-long">Long </option>
<option value="builtin-short">Short </option> <option value="builtin-short">Short </option>
</select> </select>
Sort by: Sort by:
<select name="sort"> <select name="sort">
<option value="score">Score </option> <option value="score">Score </option>
<option value="time">Time </option> <option value="time">Time </option>
@ -80,53 +81,53 @@ contains a number of tips to help you solve common problems.</li>
<option value="revtime">Reverse Time </option> <option value="revtime">Reverse Time </option>
<option value="revtitle">Reverse Title </option> <option value="revtitle">Reverse Title </option>
</select> </select>
</font> <input type="hidden" name="config" value="htdig"> <input </font> <input type="hidden" name="config" value="htdig"> <input
type="hidden" name="restrict" type="hidden" name="restrict"
value="[http://www.shorewall.net/pipermail/.*]"> <input type="hidden" value="[http://www.shorewall.net/pipermail/.*]"> <input type="hidden"
name="exclude" value=""> <br> name="exclude" value=""> <br>
Search: <input type="text" size="30" name="words" value=""> <input Search: <input type="text" size="30" name="words" value=""> <input
type="submit" value="Search"> </p> type="submit" value="Search"> </p>
</form> </form>
<h3 align="left">Problem Reporting Guidelines</h3> <h3 align="left">Problem Reporting Guidelines</h3>
<ul> <ul>
<li>When reporting a problem, give as much information as you can. <li>When reporting a problem, give as much information as you can.
Reports that say "I tried XYZ and it didn't work" are not at all helpful.</li> Reports that say "I tried XYZ and it didn't work" are not at all helpful.</li>
<li>Please don't describe your environment and then ask us to send <li>Please don't describe your environment and then ask us to send
you custom configuration files. We're here to answer your questions you custom configuration files. We're here to answer your questions
but we can't do your job for you.</li> but we can't do your job for you.</li>
<li>Do you see any "Shorewall" messages in /var/log/messages when <li>Do you see any "Shorewall" messages in /var/log/messages when
you exercise the function that is giving you problems?</li> you exercise the function that is giving you problems?</li>
<li>Have you looked at the packet flow with a tool like tcpdump <li>Have you looked at the packet flow with a tool like tcpdump
to try to understand what is going on?</li> to try to understand what is going on?</li>
<li>Have you tried using the diagnostic capabilities of the application <li>Have you tried using the diagnostic capabilities of the application
that isn't working? For example, if "ssh" isn't able to connect, using that isn't working? For example, if "ssh" isn't able to connect, using
the "-v" option gives you a lot of valuable diagnostic information.</li> the "-v" option gives you a lot of valuable diagnostic information.</li>
<li>Please include any of the Shorewall configuration files (especially <li>Please include any of the Shorewall configuration files (especially
the /etc/shorewall/hosts file if you have modified that file) that you the /etc/shorewall/hosts file if you have modified that file) that you
think are relevant. If an error occurs when you try to "shorewall start", think are relevant. If an error occurs when you try to "shorewall start",
include a trace (See the <a href="troubleshoot.htm">Troubleshooting</a> include a trace (See the <a href="troubleshoot.htm">Troubleshooting</a>
section for instructions).</li> section for instructions).</li>
<li>The list server limits posts to 120kb so don't post GIFs of your <li>The list server limits posts to 120kb so don't post GIFs of your
network layout, etc to the Mailing List -- your post will be rejected.</li> network layout, etc to the Mailing List -- your post will be rejected.</li>
</ul> </ul>
<h3>Where to Send your Problem Report or to Ask for Help</h3> <h3>Where to Send your Problem Report or to Ask for Help</h3>
<b></b>
<h4>If you run Shorewall under Bering -- <span style="font-weight: 400;">please <h4>If you run Shorewall under Bering -- <span style="font-weight: 400;">please
post your question or problem to the <a post your question or problem to the <a
href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing list</a>.</span></h4> href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing list</a>.</span></h4>
<p>Otherwise, please post your question or problem to the <a <p>Otherwise, please post your question or problem to the <a
href="mailto:shorewall-users@shorewall.net">Shorewall users mailing list</a>; href="mailto:shorewall-users@shorewall.net">Shorewall users mailing list</a>;
there are lots of folks there who are willing to help you. Your question/problem there are lots of folks there who are willing to help you. Your question/problem
description and their responses will be placed in the mailing list archives description and their responses will be placed in the mailing list archives
to help people who have a similar question or problem in the future.</p> to help people who have a similar question or problem in the future.</p>
<p>I don't look at problems sent to me directly but I try to spend some amount <p>I don't look at problems sent to me directly but I try to spend some amount
of time each day responding to problems posted on the mailing list.</p> of time each day responding to problems posted on the mailing list.</p>
<p align="center"><a href="mailto:teastep@shorewall.net">-Tom</a></p> <p align="center"><a href="mailto:teastep@shorewall.net">-Tom</a></p>
@ -134,11 +135,12 @@ you custom configuration files. We're here to answer your questions
href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a> href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a>
.</p> .</p>
<p align="left"><font size="2">Last Updated 9/27/2002 - Tom Eastep</font></p> <p align="left"><font size="2">Last Updated 10/13/2002 - Tom Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br> <br>
<br>
<br> <br>
<br> <br>
<br> <br>

1556
Shorewall-docs/three-interface.htm
View File

File diff suppressed because it is too large Load Diff

413
Shorewall-docs/traffic_shaping.htm
View File

@ -1,214 +1,257 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> <meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta http-equiv="Content-Type"
<title>Traffic Shaping</title> content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Traffic Shaping</title>
</head> </head>
<body>
<body> <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Traffic Shaping/Control</font></h1>
</td>
</tr>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90"> </tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Traffic Shaping/Control</font></h1>
</td>
</tr>
</table> </table>
<p align="left">Beginning with version 1.2.0, Shorewall has limited support for traffic
shaping/control. In order to use traffic shaping under Shorewall, it is <p align="left">Beginning with version 1.2.0, Shorewall has limited support
essential that you get a copy of the <a href="http://ds9a.nl/lartc">Linux Advanced Routing for traffic shaping/control. In order to use traffic shaping under Shorewall,
and Shaping HOWTO</a>, version 0.3.0 or later. You must also install it is essential that you get a copy of the <a
the iproute (iproute2) package to provide the &quot;ip&quot; and &quot;tc&quot; href="http://ds9a.nl/lartc">Linux Advanced Routing and Shaping HOWTO</a>,
utilities.</p> version 0.3.0 or later. You must also install the iproute (iproute2) package
to provide the "ip" and "tc" utilities.</p>
<p align="left">Shorewall traffic shaping support consists of the following:</p> <p align="left">Shorewall traffic shaping support consists of the following:</p>
<ul> <ul>
<li>A new TC_ENABLED parameter in /etc/shorewall.conf. Traffic <li>A new TC_ENABLED parameter in /etc/shorewall.conf. Traffic Shaping
Shaping also requires that you enable packet mangling.<br> also requires that you enable packet mangling.<br>
</li> </li>
<li>/etc/shorewall/tcrules - A file where you can specify <li>/etc/shorewall/tcrules - A file where you can specify firewall
firewall marking of packets. The firewall mark value may be used to classify marking of packets. The firewall mark value may be used to classify packets
packets for traffic shaping/control.<br> for traffic shaping/control.<br>
</li> </li>
<li>/etc/shorewall/tcstart - A user-supplied file that is <li>/etc/shorewall/tcstart - A user-supplied file that is sourced
sourced by Shorewall during &quot;shorewall start&quot; and which you can by Shorewall during "shorewall start" and which you can use to define
use to define your traffic shaping disciplines and classes. I have provided your traffic shaping disciplines and classes. I have provided a <a
a <a href="ftp://ftp.shorewall.net/pub/shorewall/cbq">sample</a> that does href="ftp://ftp.shorewall.net/pub/shorewall/cbq">sample</a> that does
table-driven CBQ shaping but if you read the traffic shaping sections of the table-driven CBQ shaping but if you read the traffic shaping sections of
HOWTO mentioned above, you can probably code your own faster than you can the HOWTO mentioned above, you can probably code your own faster than
learn how to use my sample. I personally use <a href="http://luxik.cdi.cz/~devik/qos/htb/">HTB</a> you can learn how to use my sample. I personally use <a
(see below). HTB href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB</a> (see below). HTB
support may eventually become an integral part of Shorewall since HTB is a support may eventually become an integral part of Shorewall since HTB
lot simpler and better-documented than CBQ. HTB is currently not a standard is a lot simpler and better-documented than CBQ. HTB is currently not
part of either the kernel or iproute2 so both must be patched in order to a standard part of either the kernel or iproute2 so both must be patched
use it.<br> in order to use it.<br>
<br> <br>
In tcstart, when you want to run the 'tc' utility, use the run_tc function In tcstart, when you want to run the 'tc' utility, use the run_tc function
supplied by shorewall. <br> supplied by shorewall. <br>
</li> </li>
<li>/etc/shorewall/tcclear - A user-supplied file that is <li>/etc/shorewall/tcclear - A user-supplied file that is sourced
sourced by Shorewall when it is clearing traffic shaping. This file is by Shorewall when it is clearing traffic shaping. This file is normally
normally not required as Shorewall's method of clearing qdisc and filter not required as Shorewall's method of clearing qdisc and filter definitions
definitions is pretty general.</li> is pretty general.</li>
</ul> </ul>
<h3 align="left">Kernel Configuration</h3> <h3 align="left">Kernel Configuration</h3>
<p align="left">This screen shot show how I've configured QoS in my Kernel:</p> <p align="left">This screen shot show how I've configured QoS in my Kernel:</p>
<p align="center"><img border="0" src="images/QoS.png" width="590" height="764"></p>
<p align="center"><img border="0" src="images/QoS.png" width="590"
height="764">
</p>
<h3 align="left"><a name="tcrules"></a>/etc/shorewall/tcrules</h3> <h3 align="left"><a name="tcrules"></a>/etc/shorewall/tcrules</h3>
<p align="left">The fwmark classifier provides a convenient way to classify <p align="left">The fwmark classifier provides a convenient way to classify
packets for traffic shaping. The /etc/shorewall/tcrules file provides a means packets for traffic shaping. The /etc/shorewall/tcrules file provides a
for specifying these marks in a tabular fashion.</p> means for specifying these marks in a tabular fashion.</p>
<p align="left">Columns in the file are as follows:</p> <p align="left">Columns in the file are as follows:</p>
<ul> <ul>
<li>MARK - Specifies the mark value is to be assigned in case of <li>MARK - Specifies the mark value is to be assigned in case of
a match. This is an integer in the range 1-255.<br> a match. This is an integer in the range 1-255.<br>
<br> <br>
Example - 5<br> Example - 5<br>
</li> </li>
<li>SOURCE - The source of the packet. If the packet originates <li>SOURCE - The source of the packet. If the packet originates on
on the firewall, place &quot;fw&quot; in this column. Otherwise, this is a the firewall, place "fw" in this column. Otherwise, this is a comma-separated
comma-separated list of interface names, IP addresses, MAC addresses in list of interface names, IP addresses, MAC addresses in <a
<a href="Documentation.htm#MAC">Shorewall Format</a> and/or Subnets.<br> href="Documentation.htm#MAC">Shorewall Format</a> and/or Subnets.<br>
<br> <br>
Examples<br> Examples<br>
&nbsp;&nbsp;&nbsp; eth0<br>     eth0<br>
&nbsp;&nbsp;&nbsp; 192.168.2.4,192.168.1.0/24<br>     192.168.2.4,192.168.1.0/24<br>
</li> </li>
<li>DEST -- Destination of the packet. Comma-separated list of <li>DEST -- Destination of the packet. Comma-separated list of IP
IP addresses and/or subnets.<br> addresses and/or subnets.<br>
</li> </li>
<li>PROTO - Protocol - Must be the name of a protocol from <li>PROTO - Protocol - Must be the name of a protocol from /etc/protocol,
/etc/protocol, a number or &quot;all&quot;<br> a number or "all"<br>
</li> </li>
<li>PORT(S) - Destination Ports. A comma-separated list of Port <li>PORT(S) - Destination Ports. A comma-separated list of Port names
names (from /etc/services), port numbers or port ranges (e.g., 21:22); if (from /etc/services), port numbers or port ranges (e.g., 21:22); if the
the protocol is &quot;icmp&quot;, this column is interpreted as the protocol is "icmp", this column is interpreted as the destination icmp
destination icmp type(s).<br> type(s).<br>
</li> </li>
<li>CLIENT PORT(S) - (Optional) Port(s) used by the client. If <li>CLIENT PORT(S) - (Optional) Port(s) used by the client. If omitted,
omitted, any source port is acceptable. Specified as a comma-separate list any source port is acceptable. Specified as a comma-separate list of port
of port names, port numbers or port ranges.</li> names, port numbers or port ranges.</li>
</ul> </ul>
<p align="left">Example 1 - All packets arriving on eth1 should be marked with
1. All packets arriving on eth2 should be marked with 2. All packets originating <p align="left">Example 1 - All packets arriving on eth1 should be marked
on the firewall itself should be marked with 3.</p> with 1. All packets arriving on eth2 should be marked with 2. All packets
<table border="2" cellpadding="2" style="border-collapse: collapse"> originating on the firewall itself should be marked with 3.</p>
<tr>
<td><b>MARK</b></td> <table border="2" cellpadding="2" style="border-collapse: collapse;">
<td><b>SOURCE</b></td> <tbody>
<td><b>DEST</b></td> <tr>
<td><b>PROTO</b></td> <td><b>MARK</b></td>
<td><b>PORT(S)</b></td> <td><b>SOURCE</b></td>
<td><b>CLIENT PORT(S)</b></td> <td><b>DEST</b></td>
</tr> <td><b>PROTO</b></td>
<tr> <td><b>PORT(S)</b></td>
<td>1</td> <td><b>CLIENT PORT(S)</b></td>
<td>eth1</td> </tr>
<td>0.0.0.0/0</td> <tr>
<td>all</td> <td>1</td>
<td>&nbsp;</td> <td>eth1</td>
<td>&nbsp;</td> <td>0.0.0.0/0</td>
</tr> <td>all</td>
<tr> <td> </td>
<td>2</td> <td> </td>
<td>eth2</td> </tr>
<td>0.0.0.0/0</td> <tr>
<td>all</td> <td>2</td>
<td>&nbsp;</td> <td>eth2</td>
<td>&nbsp;</td> <td>0.0.0.0/0</td>
</tr> <td>all</td>
<tr> <td> </td>
<td>3</td> <td> </td>
<td>fw</td> </tr>
<td>0.0.0.0/0</td> <tr>
<td>all</td> <td>3</td>
<td>&nbsp;</td> <td>fw</td>
<td>&nbsp;</td> <td>0.0.0.0/0</td>
</tr> <td>all</td>
<td> </td>
<td> </td>
</tr>
</tbody>
</table> </table>
<p align="left">Example 2 - All GRE (protocol 47) packets not originating on the
firewall and destined for 155.186.235.151 should be marked with 12.</p> <p align="left">Example 2 - All GRE (protocol 47) packets not originating
<table border="2" cellpadding="2" style="border-collapse: collapse"> on the firewall and destined for 155.186.235.151 should be marked with 12.</p>
<tr>
<td><b>MARK</b></td> <table border="2" cellpadding="2" style="border-collapse: collapse;">
<td><b>SOURCE</b></td> <tbody>
<td><b>DEST</b></td> <tr>
<td><b>PROTO</b></td> <td><b>MARK</b></td>
<td><b>PORT(S)</b></td> <td><b>SOURCE</b></td>
<td><b>CLIENT PORT(S)</b></td> <td><b>DEST</b></td>
</tr> <td><b>PROTO</b></td>
<tr> <td><b>PORT(S)</b></td>
<td>12</td> <td><b>CLIENT PORT(S)</b></td>
<td>0.0.0.0/0</td> </tr>
<td>155.186.235.151</td> <tr>
<td>47</td> <td>12</td>
<td>&nbsp;</td> <td>0.0.0.0/0</td>
<td>&nbsp;</td> <td>155.186.235.151</td>
</tr> <td>47</td>
<td> </td>
<td> </td>
</tr>
</tbody>
</table> </table>
<p align="left">Example 3 - All SSH packets originating in 192.168.1.0/24 and
destined for 155.186.235.151 should be marked with 22.</p> <p align="left">Example 3 - All SSH packets originating in 192.168.1.0/24
<table border="2" cellpadding="2" style="border-collapse: collapse"> and destined for 155.186.235.151 should be marked with 22.</p>
<tr>
<td><b>MARK</b></td> <table border="2" cellpadding="2" style="border-collapse: collapse;">
<td><b>SOURCE</b></td> <tbody>
<td><b>DEST</b></td> <tr>
<td><b>PROTO</b></td> <td><b>MARK</b></td>
<td><b>PORT(S)</b></td> <td><b>SOURCE</b></td>
<td><b>CLIENT PORT(S)</b></td> <td><b>DEST</b></td>
</tr> <td><b>PROTO</b></td>
<tr> <td><b>PORT(S)</b></td>
<td>22</td> <td><b>CLIENT PORT(S)</b></td>
<td>192.168.1.0/24</td> </tr>
<td>155.186.235.151</td> <tr>
<td>tcp</td> <td>22</td>
<td>22</td> <td>192.168.1.0/24</td>
<td>&nbsp;</td> <td>155.186.235.151</td>
</tr> <td>tcp</td>
<td>22</td>
<td> </td>
</tr>
</tbody>
</table> </table>
<h3>Hierarchical Token Bucket</h3> <h3>Hierarchical Token Bucket</h3>
<p>I personally use HTB. I have found a couple of things that may be of
use to others.</p> <p>I personally use HTB. I have found a couple of things that may be of use
to others.</p>
<ul> <ul>
<li>The gzipped tc binary at the <a href="http://luxik.cdi.cz/~devik/qos/htb/">HTB <li>The gzipped tc binary at the <a
website</a> didn't work for me -- I had to download the lastest version of href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB website</a> didn't work
the <a href="ftp://ftp.inr.ac.ru/ip-routing">iproute2 sources</a> and patch for me -- I had to download the lastest version of the <a
them for HTB.</li> href="ftp://ftp.inr.ac.ru/ip-routing">iproute2 sources</a> and patch
<li>The HTB example in the HOWTO seems to be full of errors. I'm currently them for HTB.</li>
running with this set of shaping rules in my tcstart file so I know that it works.</li> <li>I'm currently running with this set of shaping rules in my tcstart
file. I recently changed from using a ceiling of 10Mbit (interface speed)
to 384kbit (DSP Uplink speed).<br>
<br>
</li>
</ul> </ul>
<blockquote> <blockquote>
<p><font face="Courier" size="2">run_tc qdisc add dev eth0 root handle 1: htb default 30<br> <pre>run_tc qdisc add dev eth0 root handle 1: htb default 30<br>run_tc class add dev eth0 parent 1: classid 1:1 htb rate 384kbit burst 15k<br><br>echo "   Added Top Level Class -- rate 384kbit"</pre>
<br>
run_tc class add dev eth0 parent 1: classid 1:1 htb rate 10mbit burst 15k<br> <pre>run_tc class add dev eth0 parent 1:1 classid 1:10 htb rate 140kbit ceil 384kbit burst 15k<br>run_tc class add dev eth0 parent 1:1 classid 1:20 htb rate 224kbit ceil 384kbit burst 15k<br>run_tc class add dev eth0 parent 1:1 classid 1:30 htb rate 20kbit  ceil 384kbit burst 15k quantum 1500</pre>
<br>
run_tc class add dev eth0 parent 1:1 classid 1:10 htb rate 150kbit ceil 10mbit burst 15k<br> <pre>echo "   Added Second Level Classes -- rates 140kbit, 224kbit, 20kbit"</pre>
run_tc class add dev eth0 parent 1:1 classid 1:20 htb rate 234kbit ceil 10mbit burst 15k<br>
run_tc class add dev eth0 parent 1:1 classid 1:30 htb rate 1kbit ceil&nbsp;&nbsp; <pre>run_tc qdisc add dev eth0 parent 1:10 sfq perturb 10<br>run_tc qdisc add dev eth0 parent 1:20 sfq perturb 10<br>run_tc qdisc add dev eth0 parent 1:30 sfq perturb 10</pre>
10mbit burst 15k<br>
<br> <pre>echo "   Enabled SFQ on Second Level Classes"</pre>
run_tc qdisc add dev eth0 parent 1:10 sfq perturb 10<br>
run_tc qdisc add dev eth0 parent 1:20 sfq perturb 10<br> <pre>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:10<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 2 fw classid 1:20<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw classid 1:30</pre>
run_tc qdisc add dev eth0 parent 1:30 sfq perturb 10<br>
<br> <pre>echo "   Defined fwmark filters"<br></pre>
run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:10<br>
run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 2 fw classid 1:20<br> <p>My tcrules file is shown in Example 1 above. You can look at my <a
run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw classid 1:30 href="myfiles.htm">network configuration</a> to get an idea of why I want
</font></p> these particular rules.<font face="Courier" size="2"><br>
<p>My tcrules file is shown in Example 1 above. You can look at my <a href="myfiles.htm">network </font></p>
configuration</a> to get an idea of why I want these particular rules.<font face="Courier" size="2"><br> </blockquote>
</font></p>
</blockquote> <p><font size="2">Last Updated 10/25/2002 - <a href="support.htm">Tom Eastep</a></font></p>
<p><font size="2">Last Updated 8/24/2002 - <a href="support.htm">Tom
Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
</body> </body>
</html> </html>

308
Shorewall-docs/troubleshoot.htm
View File

@ -2,204 +2,198 @@
<html> <html>
<head> <head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall Troubleshooting</title> <title>Shorewall Troubleshooting</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
</head>
</head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Troubleshooting</font></h1>
</td>
</tr>
</tbody>
</table>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90"> <h3 align="left">Check the Errata</h3>
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Shorewall Troubleshooting</font></h1>
</td>
</tr>
</table>
<p align="left">Check the <a href="errata.htm">Shorewall Errata</a> to be
sure that there isn't an update that you are missing for your version of
the firewall.</p>
<h3 align="left">Check the FAQs</h3>
<h3 align="Left">Check the Errata</h3> <p align="left">Check the <a href="FAQ.htm">FAQs</a> for solutions to common
problems.</p>
<p align="Left">Check the <a href="errata.htm">Shorewall Errata</a> <h3 align="left">If the firewall fails to start</h3>
to be sure that there isn't an update that you are missing for your version If you receive an error message when starting or restarting the firewall
of the firewall.</p> and you can't determine the cause, then do the following:
<ul>
<li>shorewall debug start 2&gt; /tmp/trace</li>
<li>Look at the /tmp/trace file and see if that helps you determine
what the problem is.</li>
<li>If you still can't determine what's wrong then see the <a
href="support.htm">support page</a>.</li>
<h3 align="Left">Check the FAQs</h3> </ul>
<p align="Left">Check the <a href="FAQ.htm">FAQs</a> for solutions to common problems.</p> <h3>Your test environment</h3>
<p>Many times when people have problems with Shorewall, the problem is
actually an ill-conceived test setup. Here are several popular snafus: </p>
<ul>
<li>Port Forwarding where client and server are in the same
subnet. See <a href="FAQ.htm">FAQ 2.</a></li>
<li>Changing the IP address of a local system to be in the external
subnet, thinking that Shorewall will suddenly believe that the system
is in the 'net' zone.</li>
<li>Multiple interfaces connected to the same HUB or Switch. Given the
way that the Linux kernel respond to ARP "who-has" requests, this type
of setup does NOT work the way that you expect it to.</li>
<h3 align="Left">If the firewall fails to start</h3> </ul>
If you <h3 align="left">If you are having connection problems:</h3>
receive an error message when starting or restarting the firewall and you
can't determine the cause, then do the following:
<ul>
<li>shorewall debug start 2&gt; /tmp/trace</li>
<li>Look at the /tmp/trace file and see if that helps you determine what
the problem is.</li>
<li>If you still can't determine what's wrong then see the
<a href="support.htm">support page</a>.</li>
</ul>
<h3>Your test environment</h3>
<p>Many times when people have problems with Shorewall, the problem is
actually an ill-conceived test setup. Here are several popular snafus: </p>
<ul>
<li>Port
Forwarding where client and server are in the same subnet. See <a href="FAQ.htm">FAQ
2.</a></li>
<li>Changing the IP address of a local system to be in the external subnet,
thinking that Shorewall will suddenly believe that the system is in the
'net' zone.</li>
<li>Multiple interfaces connected to the same HUB or Switch. Given the way
that the Linux kernel respond to ARP &quot;who-has&quot; requests, this type of setup
does NOT work the way that you expect it to.</li>
</ul>
<h3 align="Left">If you are having <p align="left">If the appropriate policy for the connection that you are
connection problems:</h3> trying to make is ACCEPT, please DO NOT ADD ADDITIONAL ACCEPT RULES TRYING
TO MAKE IT WORK. Such additional rules will NEVER make it work, they add clutter
to your rule set and they represent a big security hole in the event that
you forget to remove them later.</p>
<p align="Left">If the appropriate policy for the connection that you <p align="left">I also recommend against setting all of your policies to
are trying to make is ACCEPT, please DO NOT ADD ADDITIONAL ACCEPT RULES TRYING ACCEPT in an effort to make something work. That robs you of one of
TO MAKE IT WORK. Such additional rules will NEVER make it work, they add your best diagnostic tools - the "Shorewall" messages that Netfilter
clutter to your rule set and they represent a big security hole in the event will generate when you try to connect in a way that isn't permitted
that you forget to remove them later.</p> by your rule set.</p>
<p align="Left">I also recommend against setting all of your policies to <p align="left">Check your log. If you don't see Shorewall messages, then
ACCEPT in an effort to make something work. That robs you of one of your your problem is probably NOT a Shorewall problem. If you DO see packet messages,
best diagnostic tools - the &quot;Shorewall&quot; messages that Netfilter will it may be an indication that you are missing one or more rules -- see <a
generate when you try to connect in a way that isn't permitted by your href="FAQ.htm#faq17">FAQ 17</a>.</p>
rule set.</p>
<p align="Left">Check your log. If you don't see Shorewall messages, <p align="left">While you are troubleshooting, it is a good idea to clear
then your problem is probably NOT a Shorewall problem. If you DO see packet
messages, it is an indication that you are missing one or more rules.</p>
<p align="Left">While you are troubleshooting, it is a good idea to clear
two variables in /etc/shorewall/shorewall.conf:</p> two variables in /etc/shorewall/shorewall.conf:</p>
<p align="Left">LOGRATE=&quot;&quot;<br> <p align="left">LOGRATE=""<br>
LOGBURST=&quot;&quot;</p> LOGBURST=""</p>
<p align="Left">This way, you will see all of the log messages being <p align="left">This way, you will see all of the log messages being
generated (be sure to restart shorewall after clearing these variables).</p> generated (be sure to restart shorewall after clearing these variables).</p>
<p align="Left">Example:</p> <p align="left">Example:</p>
<font face="Century Gothic, Arial, Helvetica">
<p align="left"><font face="Courier">Jun 27 15:37:56 gateway kernel:
Shorewall:all2all:REJECT:IN=eth2 OUT=eth1 SRC=192.168.2.2 DST=192.168.1.3
LEN=67 TOS=0x00 PREC=0x00 TTL=63 ID=5805 DF PROTO=UDP SPT=1803 DPT=53 LEN=47</font></p>
</font>
<p align="left">Let's look at the important parts of this message:</p>
<font face="Century Gothic, Arial, Helvetica"> <ul>
<li>all2all:REJECT - This packet was REJECTed out of the all2all chain
-- the packet was rejected under the "all"-&gt;"all" REJECT policy (see
<a href="FAQ.htm#faq17">FAQ 17).</a></li>
<li>IN=eth2 - the packet entered the firewall via eth2</li>
<li>OUT=eth1 - if accepted, the packet would be sent on eth1</li>
<li>SRC=192.168.2.2 - the packet was sent by 192.168.2.2</li>
<li>DST=192.168.1.3 - the packet is destined for 192.168.1.3</li>
<li>PROTO=UDP - UDP Protocol</li>
<li>DPT=53 - DNS</li>
<p align="Left"><font face="Courier">Jun 27 15:37:56 gateway kernel: </ul>
Shorewall:all2all:REJECT:IN=eth2
OUT=eth1 SRC=192.168.2.2 DST=192.168.1.3 LEN=67 TOS=0x00 PREC=0x00 TTL=63
ID=5805 DF PROTO=UDP SPT=1803 DPT=53 LEN=47</font></p>
</font> <p align="left">In this case, 192.168.2.2 was in the "dmz" zone and 192.168.1.3
is in the "loc" zone. I was missing the rule:</p>
<p align="Left">Let's look at the important parts of this message:</p> <p align="left">ACCEPT    dmz    loc    udp    53</p>
<ul> <h3 align="left">Other Gotchas</h3>
<li>all2all:REJECT - the packet was rejected under the "all"-&gt;"all" REJECT
policy</li>
<li>IN=eth2 - the packet entered the firewall via eth2</li>
<li>OUT=eth1 - if accepted, the packet would be sent on eth1</li>
<li>SRC=192.168.2.2 - the packet was sent by 192.168.2.2</li>
<li>DST=192.168.1.3 - the packet is destined for 192.168.1.3</li>
<li>PROTO=UDP - UDP Protocol</li>
<li>DPT=53 - DNS</li>
</ul>
<p align="Left">In this case, 192.168.2.2 was in the "dmz" zone and <ul>
192.168.1.3 is in the "loc" zone. I was missing the rule:</p> <li>Seeing rejected/dropped packets logged out of the INPUT or FORWARD
chains? This means that:
<ol>
<li>your zone definitions are screwed up and the host that is sending
the packets or the destination host isn't in any zone (using an
<a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a> file are you?);
or</li>
<li>the source and destination hosts are both connected to the same
interface and that interface doesn't have the 'multi' option specified
in <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
<p align="Left">ACCEPT    dmz    loc    udp    53</p>
<h3 align="Left">Other Gotchas</h3>
<ul>
<li>Seeing rejected/dropped packets logged out of the INPUT or FORWARD
chains? This means that:<ol>
<li>your zone definitions are screwed up and the host that is sending the
packets or the destination host isn't in any zone (using an
<a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a> file are you?);
or</li>
<li>the source and destination hosts are both connected to the same
interface and that interface doesn't have the 'multi' option specified in
<a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
</ol> </ol>
</li> </li>
<li>Remember that Shorewall doesn't automatically allow ICMP type 8 ("ping") <li>Remember that Shorewall doesn't automatically allow ICMP type
requests to be sent between zones. If you want pings to be allowed between 8 ("ping") requests to be sent between zones. If you want pings to be
zones, you need a rule of the form:<br> allowed between zones, you need a rule of the form:<br>
<br> <br>
    ACCEPT    &lt;source zone&gt;    &lt;destination zone&gt;        ACCEPT    &lt;source zone&gt;    &lt;destination zone&gt;   
icmp    echo-request<br> icmp    echo-request<br>
<br> <br>
The ramifications of this can be subtle. For example, if you have the The ramifications of this can be subtle. For example, if you have the
following in /etc/shorewall/nat:<br> following in /etc/shorewall/nat:<br>
<br> <br>
    10.1.1.2    eth0    130.252.100.18<br>     10.1.1.2    eth0    130.252.100.18<br>
<br> <br>
and you ping 130.252.100.18, unless you have allowed icmp type 8 between and you ping 130.252.100.18, unless you have allowed icmp type 8 between
the zone containing the system you are pinging from and the zone containing the zone containing the system you are pinging from and the zone containing
10.1.1.2, the ping requests will be dropped. This is true even if you 10.1.1.2, the ping requests will be dropped. This is true even if you
have NOT specified 'noping' for eth0 in /etc/shorewall/interfaces.</li> have NOT specified 'noping' for eth0 in /etc/shorewall/interfaces.</li>
<li>If you specify "routefilter" for an interface, that interface must be <li>If you specify "routefilter" for an interface, that interface
up prior to starting the firewall.</li> must be up prior to starting the firewall.</li>
<li>Is your routing correct? For example, internal systems usually need to <li>Is your routing correct? For example, internal systems usually need
be configured with their default gateway set to the IP address of their to be configured with their default gateway set to the IP address of
nearest firewall interface. One often overlooked aspect of routing is that their nearest firewall interface. One often overlooked aspect of routing
in order for two hosts to communicate, the routing between them must be set is that in order for two hosts to communicate, the routing between them
up <u>in both directions.</u> So when setting up routing between <b>A</b> must be set up <u>in both directions.</u> So when setting up routing
and<b> B</b>, be sure to verify that the route from <b>B</b> back to <b>A</b> between <b>A</b> and<b> B</b>, be sure to verify that the route from
is defined.</li> <b>B</b> back to <b>A</b> is defined.</li>
<li>Some versions of LRP (EigerStein2Beta for example) have a shell with <li>Some versions of LRP (EigerStein2Beta for example) have a shell
broken variable expansion. <a href="ftp://ftp.shorewall.net/pub/shorewall/ash.gz"> with broken variable expansion. <a
You can get a corrected shell from the Shorewall Errata download site.</a> href="ftp://ftp.shorewall.net/pub/shorewall/ash.gz"> You can get a corrected
</li> shell from the Shorewall Errata download site.</a> </li>
<li>Do you have your kernel properly configured? <a href="kernel.htm">Click <li>Do you have your kernel properly configured? <a
here to see my kernel configuration.</a> </li> href="kernel.htm">Click here to see my kernel configuration.</a> </li>
<li>Some features require the "ip" program. That program is generally included <li>Some features require the "ip" program. That program is generally
in the "iproute" package which should be included with your distribution included in the "iproute" package which should be included with your
(though many distributions don't install iproute by default). You distribution (though many distributions don't install iproute by
may also download the latest source tarball from <a href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank"> default). You may also download the latest source tarball from <a
ftp://ftp.inr.ac.ru/ip-routing</a> href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank"> ftp://ftp.inr.ac.ru/ip-routing</a>
.</li> .</li>
<li>If you have <u>any</u> entry for a zone in /etc/shorewall/hosts then the <li>If you have <u>any</u> entry for a zone in /etc/shorewall/hosts
zone must be entirely defined in /etc/shorewall/hosts unless you have then the zone must be entirely defined in /etc/shorewall/hosts unless you
specified MERGE_HOSTS=Yes (Shorewall version 1.3.5 and later). For example, if have specified MERGE_HOSTS=Yes (Shorewall version 1.3.5 and later).
a zone has two interfaces but only one interface has an entry in /etc/shorewall/hosts For example, if a zone has two interfaces but only one interface has an
then hosts attached to the other interface will <u>not</u> be considered entry in /etc/shorewall/hosts then hosts attached to the other interface
part of the zone.</li> will <u>not</u> be considered part of the zone.</li>
<li>Problems with NAT? Be sure that you let Shorewall add all external addresses <li>Problems with NAT? Be sure that you let Shorewall add all external
to be use with NAT unless you have set <a href="Documentation.htm#Aliases"> addresses to be use with NAT unless you have set <a
ADD_IP_ALIASES</a> href="Documentation.htm#Aliases"> ADD_IP_ALIASES</a> =No in /etc/shorewall/shorewall.conf.</li>
=No in /etc/shorewall/shorewall.conf.</li>
</ul>
<h3>Still Having Problems?</h3>
<p>See the<a href="support.htm"> support page.</a></p>
<font face="Century Gothic, Arial, Helvetica"> </ul>
<blockquote> </blockquote> <h3>Still Having Problems?</h3>
</font> <p>See the<a href="support.htm"> support page.</a></p>
<font face="Century Gothic, Arial, Helvetica">
<p><font size="2">Last updated 9/13/2002 - <blockquote> </blockquote>
Tom Eastep</font> </font>
</p> <p><font size="2">Last updated 10/17/2002 - Tom Eastep</font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
</body> </body>
</html> </html>

1071
Shorewall-docs/two-interface.htm
View File

File diff suppressed because it is too large Load Diff

149
Shorewall-docs/upgrade_issues.htm
View File

@ -17,12 +17,12 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Upgrade Issues</font></h1> <h1 align="center"><font color="#ffffff">Upgrade Issues</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
@ -30,136 +30,147 @@
<p>For upgrade instructions see the <a <p>For upgrade instructions see the <a
href="Install.htm">Install/Upgrade page</a>.</p> href="Install.htm">Install/Upgrade page</a>.</p>
<h3>Version 1.3.10</h3>
If you have installed the 1.3.10 Beta 1 RPM and are now upgrading to version
1.3.10, you will need to use the '--force' option:<br>
<br>
<blockquote>
<pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm </pre>
</blockquote>
<h3>Version &gt;= 1.3.9</h3>
The 'functions' file has moved to /usr/lib/shorewall/functions. If you
have an application that uses functions from that file, your application
will need to be changed to reflect this change of location.<br>
<h3>Version &gt;= 1.3.8</h3> <h3>Version &gt;= 1.3.8</h3>
<p>If you have a pair of firewall systems configured for failover <p>If you have a pair of firewall systems configured for failover
or if you have asymmetric routing, you will need to modify or if you have asymmetric routing, you will need to modify
your firewall setup slightly under Shorewall your firewall setup slightly under Shorewall
versions &gt;= 1.3.8. Beginning with version 1.3.7, versions &gt;= 1.3.8. Beginning with version 1.3.8,
you must set NEWNOTSYN=Yes in your you must set NEWNOTSYN=Yes in your
/etc/shorewall/shorewall.conf file.</p> /etc/shorewall/shorewall.conf file.</p>
<h3>Version &gt;= 1.3.7</h3> <h3>Version &gt;= 1.3.7</h3>
<p>Users specifying ALLOWRELATED=No in /etc/shorewall.conf <p>Users specifying ALLOWRELATED=No in /etc/shorewall.conf
will need to include the following rules in will need to include the following rules
their /etc/shorewall/icmpdef file (creating in their /etc/shorewall/icmpdef file (creating
this file if necessary):</p> this file if necessary):</p>
<pre> run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT</pre> <pre> run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT</pre>
<p>Users having an /etc/shorewall/icmpdef file may remove the ". /etc/shorewall/icmp.def" <p>Users having an /etc/shorewall/icmpdef file may remove the ". /etc/shorewall/icmp.def"
command from that file since the icmp.def file is now empty.</p> command from that file since the icmp.def file is now empty.</p>
<h3><b><a name="Bering">Upgrading </a>Bering to <h3><b><a name="Bering">Upgrading </a>Bering to
Shorewall &gt;= 1.3.3</b></h3> Shorewall &gt;= 1.3.3</b></h3>
<p>To properly upgrade with Shorewall version <p>To properly upgrade with Shorewall version
1.3.3 and later:</p> 1.3.3 and later:</p>
<ol> <ol>
<li>Be sure you have a backup -- you will <li>Be sure you have a backup -- you
need to transcribe any Shorewall configuration will need to transcribe any Shorewall configuration
changes that you have made to the new changes that you have made to the new
configuration.</li> configuration.</li>
<li>Replace the shorwall.lrp package provided <li>Replace the shorwall.lrp package
on the Bering floppy with the later one. provided on the Bering floppy with the later
If you did not obtain the later version from one. If you did not obtain the later version
Jacques's site, see additional instructions from Jacques's site, see additional instructions
below.</li> below.</li>
<li>Edit the /var/lib/lrpkg/root.exclude.list <li>Edit the /var/lib/lrpkg/root.exclude.list
file and remove the /var/lib/shorewall entry file and remove the /var/lib/shorewall
if present. Then do not forget to backup entry if present. Then do not forget to
root.lrp !</li> backup root.lrp !</li>
</ol> </ol>
<p>The .lrp that I release isn't set up for a two-interface firewall like <p>The .lrp that I release isn't set up for a two-interface firewall like
Jacques's. You need to follow the <a href="two-interface.htm">instructions Jacques's. You need to follow the <a href="two-interface.htm">instructions
for setting up a two-interface firewall</a> plus you also need to add the for setting up a two-interface firewall</a> plus you also need to add
following two Bering-specific rules to /etc/shorewall/rules:</p> the following two Bering-specific rules to /etc/shorewall/rules:</p>
<blockquote> <blockquote>
<pre># Bering specific rules:<br># allow loc to fw udp/53 for dnscache to work<br># allow loc to fw tcp/80 for weblet to work<br>#<br>ACCEPT loc fw udp 53<br>ACCEPT loc fw tcp 80</pre> <pre># Bering specific rules:<br># allow loc to fw udp/53 for dnscache to work<br># allow loc to fw tcp/80 for weblet to work<br>#<br>ACCEPT loc fw udp 53<br>ACCEPT loc fw tcp 80</pre>
</blockquote> </blockquote>
<h3 align="left">Version 1.3.6 and 1.3.7</h3> <h3 align="left">Version 1.3.6 and 1.3.7</h3>
<p align="left">If you have a pair of firewall systems configured for <p align="left">If you have a pair of firewall systems configured for
failover or if you have asymmetric routing, you will need to modify failover or if you have asymmetric routing, you will need to modify
your firewall setup slightly under Shorewall versions 1.3.6 and your firewall setup slightly under Shorewall versions 1.3.6
1.3.7</p> and 1.3.7</p>
<ol> <ol>
<li> <li>
<p align="left">Create the file /etc/shorewall/newnotsyn and in it add <p align="left">Create the file /etc/shorewall/newnotsyn and in it add
the following rule<br> the following rule<br>
<br> <br>
<font face="Courier">run_iptables -A newnotsyn -j RETURN # So <font face="Courier">run_iptables -A newnotsyn -j RETURN #
that the connection tracking table can be rebuilt<br> So that the connection tracking table can be rebuilt<br>
                                    # from non-SYN packets after                                     # from non-SYN packets
takeover.<br> after takeover.<br>
 </font> </p>  </font> </p>
</li> </li>
<li> <li>
<p align="left">Create /etc/shorewall/common (if you don't already <p align="left">Create /etc/shorewall/common (if you don't already
have that file) and include the following:<br> have that file) and include the following:<br>
<br> <br>
<font face="Courier">run_iptables -A common -p tcp --tcp-flags <font face="Courier">run_iptables -A common -p tcp --tcp-flags
ACK,FIN,RST ACK -j ACCEPT #Accept Acks to rebuild connection<br> ACK,FIN,RST ACK -j ACCEPT #Accept Acks to rebuild connection<br>
                                                                                                                                       
#tracking table. <br> #tracking table. <br>
. /etc/shorewall/common.def</font> </p> . /etc/shorewall/common.def</font> </p>
</li> </li>
</ol> </ol>
<h3 align="left">Versions &gt;= 1.3.5</h3> <h3 align="left">Versions &gt;= 1.3.5</h3>
<p align="left">Some forms of pre-1.3.0 rules file syntax are no <p align="left">Some forms of pre-1.3.0 rules file syntax are no
longer supported. </p> longer supported. </p>
<p align="left">Example 1:</p> <p align="left">Example 1:</p>
<div align="left"> <div align="left">
<pre> ACCEPT net loc:192.168.1.12:22 tcp 11111 - all</pre> <pre> ACCEPT net loc:192.168.1.12:22 tcp 11111 - all</pre>
</div> </div>
<p align="left">Must be replaced with:</p> <p align="left">Must be replaced with:</p>
<div align="left"> <div align="left">
<pre> DNAT net loc:192.168.1.12:22 tcp 11111</pre> <pre> DNAT net loc:192.168.1.12:22 tcp 11111</pre>
</div> </div>
<div align="left"> <div align="left">
<p align="left">Example 2:</p> <p align="left">Example 2:</p>
</div> </div>
<div align="left"> <div align="left">
<pre> ACCEPT loc fw::3128 tcp 80 - all</pre> <pre> ACCEPT loc fw::3128 tcp 80 - all</pre>
</div> </div>
<div align="left"> <div align="left">
<p align="left">Must be replaced with:</p> <p align="left">Must be replaced with:</p>
</div> </div>
<div align="left"> <div align="left">
<pre> REDIRECT loc 3128 tcp 80</pre> <pre> REDIRECT loc 3128 tcp 80</pre>
</div> </div>
<h3 align="left">Version &gt;= 1.3.2</h3> <h3 align="left">Version &gt;= 1.3.2</h3>
<p align="left">The functions and versions files together with the <p align="left">The functions and versions files together with the
'firewall' symbolic link have moved from /etc/shorewall to /var/lib/shorewall. 'firewall' symbolic link have moved from /etc/shorewall to /var/lib/shorewall.
If you have applications that access these files, those applications If you have applications that access these files, those applications
should be modified accordingly.</p> should be modified accordingly.</p>
<p><font size="2"> Last updated 9/28/2002 - <p><font size="2"> Last updated 11/09/2002 -
<a href="support.htm">Tom Eastep</a></font> </p> <a href="support.htm">Tom Eastep</a></font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
<br> </p>
<br>
</body> </body>
</html> </html>

7
Shorewall/changelog.txt
View File

@ -35,3 +35,10 @@ Changes since 1.3.9
17. Add MAC verificaiton 17. Add MAC verificaiton
18. Conserve space by removing comment decorations. 18. Conserve space by removing comment decorations.
19. Improve comments in interfaces file re: use of aliases
20. Clear nat and mangle counters during 'shorewall reset'
21. Verify interface names in the SOURCE column of /etc/shorewall/tcrules

2
Shorewall/fallback.sh
View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of # shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall. # Shoreline Firewall.
VERSION=1.3.10b1 VERSION=1.3.10
usage() # $1 = exit status usage() # $1 = exit status
{ {

2
Shorewall/install.sh
View File

@ -54,7 +54,7 @@
# /etc/rc.d/rc.local file is modified to start the firewall. # /etc/rc.d/rc.local file is modified to start the firewall.
# #
VERSION=1.3.10b1 VERSION=1.3.10
usage() # $1 = exit status usage() # $1 = exit status
{ {

4
Shorewall/shorewall.spec
View File

@ -1,5 +1,5 @@
%define name shorewall %define name shorewall
%define version 1.3.10b1 %define version 1.3.10
%define release 1 %define release 1
%define prefix /usr %define prefix /usr
@ -101,6 +101,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog %changelog
* Sat Nov 09 2002 Tom Eastep <tom@shorewall.net>
- Changes version to 1.3.10
* Wed Oct 23 2002 Tom Eastep <tom@shorewall.net> * Wed Oct 23 2002 Tom Eastep <tom@shorewall.net>
- Changes version to 1.3.10b1 - Changes version to 1.3.10b1
* Tue Oct 22 2002 Tom Eastep <tom@shorewall.net> * Tue Oct 22 2002 Tom Eastep <tom@shorewall.net>

2
Shorewall/uninstall.sh
View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall # shown below. Simply run this script to remove Seattle Firewall
VERSION=1.3.10b1 VERSION=1.3.10
usage() # $1 = exit status usage() # $1 = exit status
{ {