1.3.10 Release Changes

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@319 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2002-11-09 18:06:34 +00:00
parent c44cb44f7c
commit 3354d96ebb
44 changed files with 10071 additions and 9047 deletions

@ -22,6 +22,7 @@
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall FAQs</font></h1>
</td>
</tr>
@ -29,89 +30,98 @@
</tbody>
</table>
<p align="left"><b>1. </b><a href="#faq1"> I want to <b>forward</b> UDP <b>
port</b> 7777 to my my personal PC with IP address 192.168.1.5. I've looked
everywhere and can't find <b>how to do it</b>.</a></p>
<p align="left"><b>1. </b><a href="#faq1"> I want to <b>forward</b> UDP <b>
port</b> 7777 to my my personal PC with IP address 192.168.1.5. I've
looked everywhere and can't find <b>how to do it</b>.</a></p>
<p align="left"><b>1a. </b><a href="#faq1a">Ok -- I followed those instructions
but it doesn't work.</a></p>
but it doesn't work.<br>
</a></p>
<p align="left"><b>1b. </b><a href="#faq1b">I'm still having problems with
port forwarding</a></p>
<p align="left"><b>2.</b> <a href="#faq2">I <b>port forward</b> www requests
to www.mydomain.com (IP 130.151.100.69) to system 192.168.1.5 in my local
network. <b>External clients can browse</b> http://www.mydomain.com but <b>internal
clients can't</b>.</a></p>
to www.mydomain.com (IP 130.151.100.69) to system 192.168.1.5 in my
local network. <b>External clients can browse</b> http://www.mydomain.com
but <b>internal clients can't</b>.</a></p>
<p align="left"><b>2a. </b><a href="#faq3">I have a zone "Z" with an RFC1918
subnet and I use <b>static NAT</b> to assign non-RFC1918 addresses to hosts
in Z. Hosts in Z cannot communicate with each other using their external
(non-RFC1918 addresses) so they <b>can't access each other using their DNS
names.</b></a></p>
subnet and I use <b>static NAT</b> to assign non-RFC1918 addresses
to hosts in Z. Hosts in Z cannot communicate with each other using their
external (non-RFC1918 addresses) so they <b>can't access each other using
their DNS names.</b></a></p>
<p align="left"><b>3. </b><a href="#faq3">I want to use <b>Netmeeting/MSN
Messenger </b>with Shorewall. What do I do?</a></p>
Messenger </b>with Shorewall. What do I do?</a></p>
<p align="left"><b>4. </b><a href="#faq4">I just used an online port scanner
to check my firewall and it shows <b>some ports as 'closed' rather than 'blocked'.</b>
Why?</a></p>
to check my firewall and it shows <b>some ports as 'closed' rather
than 'blocked'.</b> Why?</a></p>
<p align="left"><b>4a. </b><a href="#faq4a">I just ran an <b>nmap UDP scan</b>
of my firewall and it showed 100s of ports as open!!!!</a></p>
<p align="left"><b>5. </b><a href="#faq5">I've installed Shorewall and now
I <b> can't ping</b> through the firewall</a></p>
I <b> can't ping</b> through the firewall</a></p>
<p align="left"><b>6. </b><a href="#faq6">Where are the <b>log messages</b>
written and  how do I <b>change the destination</b>?</a></p>
written and how do I <b>change the destination</b>?</a></p>
<p align="left"><b>6a. </b><a href="#faq6a">Are there any <b>log parsers</b>
that work with Shorewall?</a></p>
<p align="left"><b>7. </b><a href="#faq7">When I stop Shorewall <b>using
'shorewall stop', I can't connect to anything</b>. Why doesn't that command
'shorewall stop', I can't connect to anything</b>. Why doesn't that command
work?</a></p>
<p align="left"><b>8. </b><a href="#faq8">When I try to <b>start Shorewall
on RedHat 7.x</b>, I get messages about insmod failing -- what's wrong?</a></p>
on RedHat 7.x</b>, I get messages about insmod failing -- what's wrong?</a></p>
<p align="left"><b>9. </b><a href="FAQ.htm#faq9">Why can't Shorewall <b>detect
my interfaces </b>properly?</a></p>
my interfaces </b>properly?</a></p>
<p align="left"><b>10. </b><a href="#faq10">What <b>distributions</b> does
it work with?</a></p>
it work with?</a></p>
<p align="left"><b>11. </b><a href="#faq18">What <b>features</b> does it
support?</a></p>
support?</a></p>
<p align="left"><b>12. </b><a href="#faq12">Why isn't there a <b>GUI</b></a></p>
<p align="left"><b>13. </b><a href="#faq13">Why do you call it <b>"Shorewall"?</b></a></p>
<p align="left"><b>14. </b><a href="#faq14">I'm connected via a cable modem
and it has an internel web server that allows me to configure/monitor it
but as expected if I enable <b> rfc1918 blocking</b> for my eth0 interface,
it also blocks the <b>cable modems web server</b></a>.</p>
and it has an internel web server that allows me to configure/monitor
it but as expected if I enable <b> rfc1918 blocking</b> for my eth0 interface,
it also blocks the <b>cable modems web server</b></a>.</p>
<p align="left"><b>14a. </b><a href="#faq14a">Even though it assigns public
IP addresses, my ISP's DHCP server has an RFC 1918 address. If I enable RFC
1918 filtering on my external interface, <b>my DHCP client cannot renew its
lease</b>.</a></p>
IP addresses, my ISP's DHCP server has an RFC 1918 address. If I enable
RFC 1918 filtering on my external interface, <b>my DHCP client cannot
renew its lease</b>.</a></p>
<p align="left"><b>15. </b><a href="#faq15"><b>My local systems can't see
out to the net</b></a></p>
out to the net</b></a></p>
<p align="left"><b>16. </b><a href="#faq16">Shorewall is writing <b>log messages
all over my console</b> making it unusable!</a></p>
all over my console</b> making it unusable!<br>
</a></p>
<b>17</b>. <a href="#faq17">How do I find out <b>why this
is</b> getting <b>logged?</b></a><br>
<br>
<b>18.</b> <a href="#faq18">Is there any way to use <b>aliased ip addresses</b>
with Shorewall, and maintain separate rulesets for different IPs?</a>
<hr>
<h4 align="left"><a name="faq1"></a>1. I want to forward UDP port 7777 to
my my personal PC with IP address 192.168.1.5. I've looked everywhere and
can't find how to do it.</h4>
my my personal PC with IP address 192.168.1.5. I've looked everywhere
and can't find how to do it.</h4>
<p align="left"><b>Answer: </b>The <a
href="Documentation.htm#PortForward"> first example</a> in the <a
href="Documentation.htm#Rules">rules file documentation</a> shows how to
do port forwarding under Shorewall. Assuming that you have a dynamic external
IP address, the format of a port-forwarding rule to a local system is as follows:</p>
do port forwarding under Shorewall. The format of a port-forwarding
rule to a local system is as follows:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
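Review bot: Two of the index links in this hunk point at the wrong anchors. Entry "2a." links to `#faq3` while its answer heading is `<a name="faq2a">`, and entry "11." links to `#faq18`, which is the anchor of the aliased-IP question, so both need to be `#faq2a` and `#faq11` respectively (the latter also needs an `<a name="faq11">` on its heading, which this commit does not add). The reflowed text also carries over the typos "my my" (question 1 in the index and in the `faq1` heading) and "internel" (question 14); since these lines are being rewritten anyway, fixing them here costs nothing.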
@ -132,8 +142,10 @@ IP address, the format of a port-forwarding rule to a local system is as follows
<td>loc:<i>&lt;local IP address&gt;</i>[:<i>&lt;local port</i>&gt;]</td>
<td><i>&lt;protocol&gt;</i></td>
<td><i>&lt;port #&gt;</i></td>
<td> </td>
<td> </td>
<td> <br>
</td>
<td> <br>
</td>
</tr>
</tbody>
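Review bot: The only change in this hunk is replacing empty `<td> </td>` cells with `<td> <br></td>`, which is HTML-editor churn rather than content. Mixing this kind of markup rewrite into a commit that also renumbers FAQs and adds new answers makes the substantive changes hard to pick out; consider committing editor reformatting separately or keeping the original empty cells.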
@ -141,7 +153,7 @@ IP address, the format of a port-forwarding rule to a local system is as follows
</blockquote>
<p align="left">So to forward UDP port 7777 to internal system 192.168.1.5,
the rule is:</p>
the rule is:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -162,8 +174,10 @@ the rule is:</p>
<td>loc:192.168.1.5</td>
<td>udp</td>
<td>7777</td>
<td> </td>
<td> </td>
<td> <br>
</td>
<td> <br>
</td>
</tr>
</tbody>
@ -174,8 +188,8 @@ the rule is:</p>
<pre align="left"><font face="Courier"> DNAT net loc:192.168.1.5 udp 7777</font></pre>
</div>
<p align="left">If you want to forward requests directed to a particular
address ( <i>&lt;external IP&gt;</i> ) on your firewall to an internal system:</p>
<p align="left">If you want to forward requests directed to a particular address
( <i>&lt;external IP&gt;</i> ) on your firewall to an internal system:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -205,47 +219,83 @@ address ( <i>&lt;external IP&gt;</i> ) on your firewall to an internal system:</
</blockquote>
<h4 align="left"><a name="faq1a"></a>1a. Ok -- I followed those instructions
but it doesn't work</h4>
but it doesn't work</h4>
<p align="left"><b>Answer: </b>That is usually the result of one of two things:</p>
<ul>
<li>You are trying to test from inside your firewall (no, that won't
work -- see <a href="#faq2">FAQ #2</a>).</li>
<li>You have a more basic problem with your local system such as an
incorrect default gateway configured (it should be set to the IP address
of your firewall's internal interface).</li>
<li>You are trying to test from inside your firewall (no, that
won't work -- see <a href="#faq2">FAQ #2</a>).</li>
<li>You have a more basic problem with your local system such
as an incorrect default gateway configured (it should be set to the IP
address of your firewall's internal interface).</li>
</ul>
<h4 align="left"><a name="faq1b"></a>1b. I'm still having problems with port
forwarding</h4>
<b>Answer: </b>To further diagnose this problem:<br>
<ul>
<li>As root, type "iptables -t nat -Z". This clears the NetFilter counters
in the nat table.</li>
<li>Try to connect to the redirected port from an external host.</li>
<li>As root type "shorewall show nat"</li>
<li>Locate the appropriate DNAT rule. It will be in a chain called <i>zone</i>_dnat
where <i>zone</i> is the zone that includes the server ('loc' in the above
examples).</li>
<li>Is the packet count in the first column non-zero? If so, the connection
request is reaching the firewall and is being redirected to the server. In
this case, the problem is usually a missing or incorrect default gateway setting
on the server (the server's default gateway should be the IP address of the
firewall's interface to the server).</li>
<li>If the packet count is zero:</li>
<ul>
<li>the connection request is not reaching your server (possibly it
is being blocked by your ISP); or</li>
<li>you are trying to connect to a secondary IP address on your firewall
and your rule is only redirecting the primary IP address (You need to specify
the secondary IP address in the "ORIG. DEST." column in your DNAT rule); or</li>
<li>your DNAT rule doesn't match the connection request in some other
way. In that case, you may have to use a packet sniffer such as tcpdump or
ethereal to further diagnose the problem.<br>
</li>
</ul>
</ul>
<h4 align="left"><a name="faq2"></a>2. I port forward www requests to www.mydomain.com
(IP 130.151.100.69) to system 192.168.1.5 in my local network. External clients
can browse http://www.mydomain.com but internal clients can't.</h4>
(IP 130.151.100.69) to system 192.168.1.5 in my local network. External
clients can browse http://www.mydomain.com but internal clients can't.</h4>
<p align="left"><b>Answer: </b>I have two objections to this setup.</p>
<ul>
<li>Having an internet-accessible server in your local network is
like raising foxes in the corner of your hen house. If the server is compromised,
there's nothing between that server and your other internal systems.
For the cost of another NIC and a cross-over cable, you can put your
server in a DMZ such that it is isolated from your local systems - assuming
that the Server can be located near the Firewall, of course :-)</li>
<li>Having an internet-accessible server in your local network
is like raising foxes in the corner of your hen house. If the server
is compromised, there's nothing between that server and your other
internal systems. For the cost of another NIC and a cross-over cable,
you can put your server in a DMZ such that it is isolated from your
local systems - assuming that the Server can be located near the Firewall,
of course :-)</li>
<li>The accessibility problem is best solved using <a
href="shorewall_setup_guide.htm#DNS">Bind Version 9 "views"</a> (or using
a separate DNS server for local clients) such that www.mydomain.com resolves
to 130.141.100.69 externally and 192.168.1.5 internally. That's what
I do here at shorewall.net for my local systems that use static NAT.</li>
href="shorewall_setup_guide.htm#DNS">Bind Version 9 "views"</a> (or
using a separate DNS server for local clients) such that www.mydomain.com
resolves to 130.141.100.69 externally and 192.168.1.5 internally. That's
what I do here at shorewall.net for my local systems that use static
NAT.</li>
</ul>
<p align="left">If you insist on an IP solution to the accessibility problem
rather than a DNS solution, then assuming that your external interface is
eth0 and your internal interface is eth1 and that eth1 has IP address 192.168.1.254
with subnet 192.168.1.0/24, do the following:</p>
rather than a DNS solution, then assuming that your external interface
is eth0 and your internal interface is eth1 and that eth1 has IP address
192.168.1.254 with subnet 192.168.1.0/24, do the following:</p>
<p align="left">a) In /etc/shorewall/interfaces, specify "multi" as an option
for eth1.</p>
for eth1 (No longer required as of Shorewall version 1.3.9).</p>
<div align="left">
<p align="left">b) In /etc/shorewall/rules, add:</p>
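Review bot: In the new FAQ 1b list, the nested `<ul>` for "If the packet count is zero" is opened after the `</li>` instead of inside it, so the sub-list is a direct child of a `<ul>`, which is invalid and renders with inconsistent indentation in some browsers; move the `</li>` to after the inner `</ul>`. Two content points in the same hunk: the FAQ 2 answer gives the server's public address as 130.141.100.69 in the "views" bullet while the question and the DNAT rule use 130.151.100.69, and step "a)" of FAQ 2 now says "multi" is no longer required as of 1.3.9 yet is still presented as a required step; rewording it as "a) (Shorewall earlier than 1.3.9 only) ..." would match how the same change is phrased in FAQ 2a.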
@ -281,13 +331,13 @@ with subnet 192.168.1.0/24, do the following:</p>
</div>
<div align="left">
<pre align="left"> <font face="Courier">DNAT    loc:192.168.1.0/24    loc:192.168.1.5    tcp    www    -    130.151.100.69:192.168.1.254</font></pre>
<pre align="left"> <font face="Courier">DNAT loc:192.168.1.0/24 loc:192.168.1.5 tcp www - 130.151.100.69:192.168.1.254</font></pre>
</div>
<div align="left">
<p align="left">That rule only works of course if you have a static external
IP address. If you have a dynamic IP address and are running Shorewall 1.3.4
or later then include this in /etc/shorewall/params:</p>
IP address. If you have a dynamic IP address and are running Shorewall
1.3.4 or later then include this in /etc/shorewall/params:</p>
</div>
<div align="left">
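Review bot: Collapsing the runs of spaces in the `DNAT loc:192.168.1.0/24 ...` line changes what the reader sees, because the content is inside `<pre>` where whitespace is significant; the columns no longer line up with the table headers shown above it. The rule is still valid to paste into /etc/shorewall/rules since fields are whitespace-separated, but if the alignment was intentional it should be kept.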
@ -329,27 +379,30 @@ or later then include this in /etc/shorewall/params:</p>
<div align="left">
<p align="left">Using this technique, you will want to configure your DHCP/PPPoE
client to automatically restart Shorewall each time that you get a new IP
address.</p>
client to automatically restart Shorewall each time that you get a
new IP address.</p>
</div>
<h4 align="left"><a name="faq2a"></a>2a. I have a zone "Z" with an RFC1918
subnet and I use static NAT to assign non-RFC1918 addresses to hosts in Z.
Hosts in Z cannot communicate with each other using their external (non-RFC1918
addresses) so they can't access each other using their DNS names.</h4>
subnet and I use static NAT to assign non-RFC1918 addresses to hosts
in Z. Hosts in Z cannot communicate with each other using their external
(non-RFC1918 addresses) so they can't access each other using their DNS
names.</h4>
<p align="left"><b>Answer: </b>This is another problem that is best solved
using Bind Version 9 "views". It allows both external and internal clients
to access a NATed host using the host's DNS name.</p>
using Bind Version 9 "views". It allows both external and internal clients
to access a NATed host using the host's DNS name.</p>
<p align="left">Another good way to approach this problem is to switch from
static NAT to Proxy ARP. That way, the hosts in Z have non-RFC1918 addresses
and can be accessed externally and internally using the same address. </p>
and can be accessed externally and internally using the same address.
</p>
<p align="left">If you don't like those solutions and prefer routing all Z-&gt;Z
traffic through your firewall then:</p>
<p align="left">If you don't like those solutions and prefer routing all
Z-&gt;Z traffic through your firewall then:</p>
<p align="left">a) Specify "multi" on the entry for Z's interface in /etc/shorewall/interfaces.<br>
<p align="left">a) Specify "multi" on the entry for Z's interface in /etc/shorewall/interfaces
(If you are running a Shorewall version earlier than 1.3.9).<br>
b) Set the Z-&gt;Z policy to ACCEPT.<br>
c) Masquerade Z to itself.<br>
<br>
@ -398,7 +451,8 @@ traffic through your firewall then:</p>
<td>dmz</td>
<td>dmz</td>
<td>ACCEPT</td>
<td> </td>
<td> <br>
</td>
</tr>
</tbody>
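Review bot: The policy example in this hunk uses the zone name `dmz` in all three columns while the question and steps a) to c) talk about a zone "Z"; a short sentence before the table saying that `dmz` is being used as the example name for Z would stop readers from thinking a DMZ zone is required for this technique.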
@ -406,7 +460,7 @@ traffic through your firewall then:</p>
</blockquote>
<div align="left">
<pre align="left"> dmz    dmz    ACCEPT</pre>
<pre align="left"> dmz dmz ACCEPT</pre>
</div>
<p align="left">In /etc/shorewall/masq:</p>
@ -423,7 +477,8 @@ traffic through your firewall then:</p>
<tr>
<td width="93">eth2</td>
<td width="31">192.168.2.0/24</td>
<td width="120"> </td>
<td width="120"> <br>
</td>
</tr>
</tbody>
@ -431,46 +486,47 @@ traffic through your firewall then:</p>
</blockquote>
<h4 align="left"><a name="faq3"></a>3. I want to use Netmeeting/MSN Messenger
with Shorewall. What do I do?</h4>
with Shorewall. What do I do?</h4>
<p align="left"><b>Answer: </b>There is an <a
href="http://www.kfki.hu/%7Ekadlec/sw/netfilter/newnat-suite/"> H.323 connection
tracking/NAT module</a> that may help. Also check the Netfilter mailing list
archives at <a href="http://netfilter.samba.org">http://netfilter.samba.org</a>.
</p>
tracking/NAT module</a> that may help. Also check the Netfilter mailing
list archives at <a href="http://netfilter.samba.org">http://netfilter.samba.org</a>.
</p>
<h4 align="left"><a name="faq4"></a>4. I just used an online port scanner
to check my firewall and it shows some ports as 'closed' rather than 'blocked'.
Why?</h4>
to check my firewall and it shows some ports as 'closed' rather than
'blocked'. Why?</h4>
<p align="left"><b>Answer: </b>The common.def included with version 1.3.x
always rejects connection requests on TCP port 113 rather than dropping
them. This is necessary to prevent outgoing connection problems to services
that use the 'Auth' mechanism for identifying requesting users. Shorewall
also rejects TCP ports 135, 137 and 139 as well as UDP ports 137-139. These
are ports that are used by Windows (Windows <u>can</u> be configured to
use the DCE cell locator on port 135). Rejecting these connection requests
rather than dropping them cuts down slightly on the amount of Windows chatter
on LAN segments connected to the Firewall. </p>
always rejects connection requests on TCP port 113 rather than dropping
them. This is necessary to prevent outgoing connection problems to
services that use the 'Auth' mechanism for identifying requesting
users. Shorewall also rejects TCP ports 135, 137 and 139 as well as
UDP ports 137-139. These are ports that are used by Windows (Windows
<u>can</u> be configured to use the DCE cell locator on port 135).
Rejecting these connection requests rather than dropping them cuts
down slightly on the amount of Windows chatter on LAN segments connected
to the Firewall. </p>
<p align="left">If you are seeing port 80 being 'closed', that's probably
your ISP preventing you from running a web server in violation of your
Service Agreement.</p>
your ISP preventing you from running a web server in violation of
your Service Agreement.</p>
<h4 align="left"><a name="faq4a"></a>4a. I just ran an nmap UDP scan of my
firewall and it showed 100s of ports as open!!!!</h4>
<p align="left"><b>Answer: </b>Take a deep breath and read the nmap man page
section about UDP scans. If nmap gets <b>nothing</b> back from your firewall
then it reports the port as open. If you want to see which UDP ports are
really open, temporarily change your net-&gt;all policy to REJECT, restart
Shorewall and do the nmap UDP scan again.</p>
section about UDP scans. If nmap gets <b>nothing</b> back from your
firewall then it reports the port as open. If you want to see which
UDP ports are really open, temporarily change your net-&gt;all policy
to REJECT, restart Shorewall and do the nmap UDP scan again.</p>
<h4 align="left"><a name="faq5"></a>5. I've installed Shorewall and now I
can't ping through the firewall</h4>
can't ping through the firewall</h4>
<p align="left"><b>Answer: </b>If you want your firewall to be totally open
for "ping": </p>
for "ping": </p>
<p align="left">a) Do NOT specify 'noping' on any interface in /etc/shorewall/interfaces.<br>
b) Copy /etc/shorewall/icmp.def to /etc/shorewall/icmpdef<br>
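Review bot: FAQ 4a's advice to "temporarily change your net->all policy to REJECT" should say explicitly to restore the original policy after the scan and restart Shorewall again; "temporarily" is the only hint, and a REJECT policy left in place answers every unsolicited probe with an ICMP or RST, which is the opposite of the behaviour most people want on the Internet interface.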
@ -478,24 +534,24 @@ for "ping": </p>
<blockquote>
<p align="left">run_iptables -A icmpdef -p ICMP --icmp-type echo-request
-j ACCEPT </p>
-j ACCEPT </p>
</blockquote>
<h4 align="left"><a name="faq6"></a>6. Where are the log messages written
and  how do I change the destination?</h4>
and how do I change the destination?</h4>
<p align="left"><b>Answer: </b>NetFilter uses the kernel's equivalent of syslog
(see "man syslog") to log messages. It always uses the LOG_KERN (kern) facility
(see "man openlog") and you get to choose the log level (again, see "man
syslog") in your <a href="Documentation.htm#Policy">policies</a> and <a
href="Documentation.htm#Rules">rules</a>. The destination for messaged logged
by syslog is controlled by /etc/syslog.conf (see "man syslog.conf"). When
you have changed /etc/syslog.conf, be sure to restart syslogd (on a RedHat
system, "service syslog restart"). </p>
<p align="left"><b>Answer: </b>NetFilter uses the kernel's equivalent of
syslog (see "man syslog") to log messages. It always uses the LOG_KERN (kern)
facility (see "man openlog") and you get to choose the log level (again,
see "man syslog") in your <a href="Documentation.htm#Policy">policies</a>
and <a href="Documentation.htm#Rules">rules</a>. The destination for messaged
logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
When you have changed /etc/syslog.conf, be sure to restart syslogd (on
a RedHat system, "service syslog restart"). </p>
<p align="left">By default, older versions of Shorewall ratelimited log messages
through <a href="Documentation.htm#Conf">settings</a> in /etc/shorewall/shorewall.conf
-- If you want to log all messages, set: </p>
through <a href="Documentation.htm#Conf">settings</a> in /etc/shorewall/shorewall.conf
-- If you want to log all messages, set: </p>
<div align="left">
<pre align="left"> LOGLIMIT=""<br> LOGBURST=""</pre>
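Review bot: The FAQ 6 answer is reflowed but the typo survives in the new text: "The destination for messaged logged by syslog" should read "messages logged". While touching the paragraph, "ratelimited" in the following sentence is more commonly written "rate-limited".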
@ -505,34 +561,37 @@ through <a href="Documentation.htm#Conf">settings</a> in /etc/shorewall/shorewal
with Shorewall?</h4>
<p align="left"><b>Answer: </b>Here are several links that may be helpful:
</p>
</p>
<blockquote>
<p align="left"><a
href="http://www.shorewall.net/pub/shorewall/parsefw/"> http://www.shorewall.net/pub/shorewall/parsefw/</a><br>
<a href="http://www.fireparse.com">http://www.fireparse.com</a><br>
<a href="http://cert.uni-stuttgart.de/projects/fwlogwatch">http://cert.uni-stuttgart.de/projects/fwlogwatch</a></p>
<a href="http://cert.uni-stuttgart.de/projects/fwlogwatch">http://cert.uni-stuttgart.de/projects/fwlogwatch</a><a
href="http://www.logwatch.org"><br>
http://www.logwatch.org</a><br>
</p>
</blockquote>
<h4 align="left"><a name="faq7"></a>7. When I stop Shorewall using 'shorewall
stop', I can't connect to anything. Why doesn't that command work?</h4>
<p align="left">The 'stop' command is intended to place your firewall into
a safe state whereby only those interfaces/hosts having the 'routestopped'
option in /etc/shorewall/interfaces and /etc/shorewall/hosts are activated.
If you want to totally open up your firewall, you must use the 'shorewall
clear' command. </p>
a safe state whereby only those interfaces/hosts having the 'routestopped'
option in /etc/shorewall/interfaces and /etc/shorewall/hosts are activated.
If you want to totally open up your firewall, you must use the 'shorewall
clear' command. </p>
<h4 align="left"><a name="faq8"></a>8. When I try to start Shorewall on RedHat
7.x, I get messages about insmod failing -- what's wrong?</h4>
<p align="left"><b>Answer: </b>The output you will see looks something like
this:</p>
this:</p>
<pre> /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: init_module: Device or resource busy<br> Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters<br> /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod<br> /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o failed<br> /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed<br> iptables v1.2.3: can't initialize iptables table `nat': iptables who? (do you need to insmod?)<br> Perhaps iptables or your kernel needs to be upgraded.</pre>
<p align="left">This is usually cured by the following sequence of commands:
</p>
</p>
<div align="left">
<pre align="left"> service ipchains stop<br> chkconfig --delete ipchains<br> rmmod ipchains</pre>
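Review bot: The new logwatch link in FAQ 6a is malformed: the `<a href="http://www.logwatch.org">` starts immediately after the fwlogwatch `</a>` with the `<br>` placed inside the new anchor, so the line break becomes part of the link text and the two links run together on one line in some renderers. Put the `<br>` between the two anchors and keep only the URL inside the `<a>`. Separately, FAQ 7 is the only entry whose answer paragraph lacks the `<b>Answer: </b>` lead-in used everywhere else.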
@ -540,13 +599,15 @@ this:</p>
<div align="left">
<p align="left">Also, be sure to check the <a href="errata.htm">errata</a>
for problems concerning the version of iptables (v1.2.3) shipped with RH7.2.</p>
for problems concerning the version of iptables (v1.2.3) shipped with
RH7.2.</p>
</div>
<h4 align="left">
<h4 align="left"> </h4>
<h4 align="left"><a name="faq9"></a>9. Why can't Shorewall detect my interfaces
properly?</h4>
</h4>
properly?</h4>
<p align="left">I just installed Shorewall and when I issue the start command,
I see the following:</p>
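Review bot: This hunk introduces an empty `<h4 align="left"> </h4>` before the FAQ 9 heading, which renders as a blank heading-sized gap; drop it (the old `<h4 align="left">` that was split across the heading should simply be removed, not replaced with an empty element).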
@ -559,9 +620,9 @@ properly?</h4>
</div>
<div align="left">
<p align="left"><b>Answer: </b>The above output is perfectly normal. The Net
zone is defined as all hosts that are connected through eth0 and the local
zone is defined as all hosts connected through eth1</p>
<p align="left"><b>Answer: </b>The above output is perfectly normal. The
Net zone is defined as all hosts that are connected through eth0 and the
local zone is defined as all hosts connected through eth1</p>
</div>
<h4 align="left"><a name="faq10"></a>10. What Distributions does it work
@ -573,33 +634,34 @@ properly?</h4>
<h4 align="left">11. What Features does it have?</h4>
<p align="left"><b>Answer: </b>See the <a href="shorewall_features.htm">Shorewall
Feature List</a>.</p>
Feature List</a>.</p>
<h4 align="left"><a name="faq12"></a>12. Why isn't there a GUI?</h4>
<p align="left"><b>Answer: </b>Every time I've started to work on one, I find
myself doing other things. I guess I just don't care enough if Shorewall
has a GUI to invest the effort to create one myself. There are several
Shorewall GUI projects underway however and I will publish links to
them when the authors feel that they are ready. </p>
<p align="left"><b>Answer: </b>Every time I've started to work on one, I
find myself doing other things. I guess I just don't care enough if
Shorewall has a GUI to invest the effort to create one myself. There
are several Shorewall GUI projects underway however and I will publish
links to them when the authors feel that they are ready. </p>
<h4 align="left"> <a name="faq13"></a>13. Why do you call it "Shorewall"?</h4>
<p align="left"><b>Answer: </b>Shorewall is a concatenation of "<u>Shore</u>line"
(<a href="http://www.cityofshoreline.com">the city where I live</a>)
and "Fire<u>wall</u>".</p>
(<a href="http://www.cityofshoreline.com">the city where I live</a>)
and "Fire<u>wall</u>".</p>
<h4 align="left"> <a name="faq14"></a>14.  I'm connected via a cable modem
and it has an internal web server that allows me to configure/monitor it
but as expected if I enable rfc1918 blocking for my eth0 interface (the internet
one), it also blocks the cable modems web server.</h4>
<h4 align="left"> <a name="faq14"></a>14. I'm connected via a cable modem
and it has an internal web server that allows me to configure/monitor
it but as expected if I enable rfc1918 blocking for my eth0 interface
(the internet one), it also blocks the cable modems web server.</h4>
<p align="left">Is there any way it can add a rule before the rfc1918 blocking
that will let all traffic to and from the 192.168.100.1 address of the modem
in/out but still block all other rfc1918 addresses.</p>
that will let all traffic to and from the 192.168.100.1 address of
the modem in/out but still block all other rfc1918 addresses.</p>
<p align="left"><b>Answer: </b>If you are running a version of Shorewall earlier
than 1.3.1, create /etc/shorewall/start and in it, place the following:</p>
<p align="left"><b>Answer: </b>If you are running a version of Shorewall
earlier than 1.3.1, create /etc/shorewall/start and in it, place the
following:</p>
<div align="left">
<pre> run_iptables -I rfc1918 -s 192.168.100.1 -j ACCEPT</pre>
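Review bot: The FAQ 11 heading `<h4 align="left">11. What Features does it have?</h4>` has no `<a name="faq11">` anchor, so nothing can link to it from the index, and the index wording ("What features does it support?") does not match the heading ("What Features does it have?"); add the anchor and pick one phrasing. Also in this hunk, the FAQ 14 answer says `run_iptables -I rfc1918 -s 192.168.100.1 -j ACCEPT` applies only to versions earlier than 1.3.1 but the hunk cuts off before the instructions for current versions; check that the later text still states the /etc/shorewall/rfc1918 approach for 1.3.1 and later.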
@ -630,14 +692,48 @@ than 1.3.1, create /etc/shorewall/start and in it, place the following:</p>
</div>
<div align="left">
<p align="left">Be sure that you add the entry ABOVE the entry for 192.168.0.0/16.</p>
<p align="left">Be sure that you add the entry ABOVE the entry for 192.168.0.0/16.<br>
</p>
<p align="left">Note: If you add a second IP address to your external firewall
interface to correspond to the modem address, you must also make an entry
in /etc/shorewall/rfc1918 for that address. For example, if you configure
the address 192.168.100.2 on your firewall, then you would add two entries
to /etc/shorewall/rfc1918: <br>
</p>
<blockquote>
<table cellpadding="2" border="1" style="border-collapse: collapse;">
<tbody>
<tr>
<td valign="top"><u><b>SUBNET</b></u><br>
</td>
<td valign="top"><u><b>TARGET</b></u><br>
</td>
</tr>
<tr>
<td valign="top">192.168.100.1<br>
</td>
<td valign="top">RETURN<br>
</td>
</tr>
<tr>
<td valign="top">192.168.100.2<br>
</td>
<td valign="top">RETURN<br>
</td>
</tr>
</tbody>
</table>
</blockquote>
</div>
<div align="left">
<h4 align="left"><a name="faq14a"></a>14a. Even though it assigns public IP
addresses, my ISP's DHCP server has an RFC 1918 address. If I enable RFC
1918 filtering on my external interface, my DHCP client cannot renew its
lease.</h4>
<h4 align="left"><a name="faq14a"></a>14a. Even though it assigns public
IP addresses, my ISP's DHCP server has an RFC 1918 address. If I enable
RFC 1918 filtering on my external interface, my DHCP client cannot renew
its lease.</h4>
</div>
<div align="left">
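Review bot: The new note about adding 192.168.100.2 is useful, but the sentence "Be sure that you add the entry ABOVE the entry for 192.168.0.0/16" now refers to a single entry while the table right after it adds two; reword it to say that both RETURN entries must precede the 192.168.0.0/16 line, since the file is processed in order and a later RETURN is never reached. Markup nit: the two paragraphs end in `<br></p>`, which is editor residue and adds an extra blank line.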
@ -646,17 +742,17 @@ lease.</h4>
</div>
<h4 align="left"><a name="faq15"></a>15. My local systems can't see out to
the net</h4>
the net</h4>
<p align="left"><b>Answer: </b>Every time I read "systems can't see out to
the net", I wonder where the poster bought computers with eyes and what those
computers will "see" when things are working properly. That aside, the most
common causes of this problem are:</p>
the net", I wonder where the poster bought computers with eyes and
what those computers will "see" when things are working properly. That
aside, the most common causes of this problem are:</p>
<ol>
<li>
<p align="left">The default gateway on each local system isn't set to
the IP address of the local firewall interface.</p>
the IP address of the local firewall interface.</p>
</li>
<li>
<p align="left">The entry for the local network in the /etc/shorewall/masq
@ -664,30 +760,97 @@ the IP address of the local firewall interface.</p>
</li>
<li>
<p align="left">The DNS settings on the local systems are wrong or the
user is running a DNS server on the firewall and hasn't enabled UDP and
TCP port 53 from the firewall to the internet.</p>
user is running a DNS server on the firewall and hasn't enabled UDP
and TCP port 53 from the firewall to the internet.</p>
</li>
</ol>
<h4 align="left"><a name="faq16"></a>16. Shorewall is writing log messages
all over my console making it unusable!</h4>
all over my console making it unusable!</h4>
<p align="left"><b>Answer: </b>"man dmesg" -- add a suitable 'dmesg' command
to your startup scripts or place it in /etc/shorewall/start. Under RedHat,
the max log level that is sent to the console is specified in /etc/sysconfig/init
in the LOGLEVEL variable.</p>
to your startup scripts or place it in /etc/shorewall/start. Under
RedHat, the max log level that is sent to the console is specified
in /etc/sysconfig/init in the LOGLEVEL variable.<br>
</p>
<div align="left">
<p align="left"></p>
</div>
<h4><a name="faq17"></a>17. How do I find out why this is getting logged?</h4>
<b>Answer: </b>Logging occurs out of a number of chains (as indicated
in the log message) in Shorewall:<br>
<p align="left"><font size="2">Last updated 9/23/2002 - <a
<ol>
<li><b>man1918 - </b>The destination address is listed in /etc/shorewall/rfc1918
with a <b>logdrop </b>target -- see <a
href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li>
<li><b>rfc1918</b> - The source address is listed in /etc/shorewall/rfc1918
with a <b>logdrop </b>target -- see <a
href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li>
<li><b>all2&lt;zone&gt;</b>, <b>&lt;zone&gt;2all</b> or <b>all2all
</b>- You have a<a href="Documentation.htm#Policy"> policy</a> that specifies
a log level and this packet is being logged under that policy. If you intend
to ACCEPT this traffic then you need a <a
href="Documentation.htm#Rules">rule</a> to that effect.<br>
</li>
<li><b>&lt;zone1&gt;2&lt;zone2&gt; </b>- Either you have a<a
href="Documentation.htm#Policy"> policy</a> for <b>&lt;zone1&gt; </b>to
<b>&lt;zone2&gt;</b> that specifies a log level and this packet is being
logged under that policy or this packet matches a <a
href="Documentation.htm#Rules">rule</a> that include a log level.</li>
<li><b>logpkt</b> - The packet is being logged under the <b>logunclean</b>
<a href="Documentation.htm#Interfaces">interface option</a>.</li>
<li><b>badpkt </b>- The packet is being logged under the <b>dropunclean</b>
<a href="Documentation.htm#Interfaces">interface option</a> as specified
in the <b>LOGUNCLEAN </b>setting in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.</li>
<li><b>blacklst</b> - The packet is being logged because the source
IP is blacklisted in the<a href="Documentation.htm#Blacklist"> /etc/shorewall/blacklist
</a>file.</li>
<li><b>newnotsyn </b>- The packet is being logged because it is a
TCP packet that is not part of any current connection yet it is not a syn
packet. Options affecting the logging of such packets include <b>NEWNOTSYN
</b>and <b>LOGNEWNOTSYN </b>in <a
href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
<li><b>INPUT</b> or <b>FORWARD</b> - The packet has a source IP address
that isn't in any of your defined zones ("shorewall check" and look at the
printed zone definitions) or the chain is FORWARD and the destination IP
isn't in any of your defined zones.</li>
</ol>
<h4><a name="faq18"></a>18. Is there any way to use <b>aliased ip addresses</b>
with Shorewall, and maintain separate rulesets for different IPs?</h4>
<b>Answer: </b>Yes. You simply use the IP address in your rules (or if
you use NAT, use the local IP address in your rules). <b>Note:</b> The ":n"
notation (e.g., eth0:0) is deprecated and will disappear eventually. Neither
iproute (ip and tc) nor iptables supports that notation so neither does
Shorewall. <br>
<br>
<b>Example 1:</b><br>
<br>
/etc/shorewall/rules
<pre wrap=""><span class="moz-txt-citetags"></span> # Accept AUTH but only on address 192.0.2.125<br><span
class="moz-txt-citetags"></span><br><span class="moz-txt-citetags"></span> ACCEPT net fw:192.0.2.125 tcp auth<br><span
class="moz-txt-citetags"></span></pre>
<span class="moz-txt-citetags"></span><b>Example 2 (NAT):</b><br>
<br>
<span class="moz-txt-citetags"></span>/etc/shorewall/nat<br>
<pre wrap=""><span class="moz-txt-citetags"></span><span
class="moz-txt-citetags"></span> 192.0.2.126 eth0 10.1.1.126</pre>
/etc/shorewall/rules
<pre wrap=""><span class="moz-txt-citetags"></span> # Accept HTTP on 192.0.2.126 (a.k.a. 10.1.1.126)<br><span
class="moz-txt-citetags"></span><br> <span class="moz-txt-citetags"></span>ACCEPT net loc:10.1.1.126 tcp www<span
class="moz-txt-citetags"></span><span class="moz-txt-citetags"></span></pre>
<div align="left"> </div>
<p align="left"><font size="2">Last updated 11/09/2002 - <a
href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
<br>
</p>
<br>
</body>
</html>
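Review bot: The two `<pre>` blocks in the FAQ 18 examples are padded with empty `<span class="moz-txt-citetags"></span>` elements and `<br>` tags, which is pasted-from-mail residue; inside `<pre>` the literal newlines already break lines, so the `<br>`s double-space the rules and the spans should be dropped, leaving just `# Accept AUTH but only on address 192.0.2.125` and `ACCEPT net fw:192.0.2.125 tcp auth` (likewise for the NAT example). Two smaller points in the same hunk: the `<div align="left"><p align="left"></p></div>` between FAQ 16 and FAQ 17 and the `<div align="left"> </div>` before the "Last updated" footer are empty editor leftovers, and in the FAQ 17 list "rule that include a log level" should read "rule that includes a log level".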


@ -2,128 +2,129 @@
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall IPSec Tunneling</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">IPSEC Tunnels</font></h1>
</td>
</tr>
</table>
<h2><font color="#660066">Configuring FreeS/Wan</font></h2>
There is an excellent guide to configuring IPSEC tunnels at<a href="http://jixen.tripod.com">
http://jixen.tripod.com</a>
. I highly recommend that you consult that site for information about confuring
FreeS/Wan. <p><font color="#FF6633"><b>Warning: </b></font>Do not use Proxy ARP
and FreeS/Wan on the same system unless you are prepared to suffer the
consequences. If you start or restart Shorewall with an IPSEC tunnel active,
the proxied IP addresses are mistakenly assigned to the IPSEC tunnel device
(ipsecX) rather than to the interface that you specify in the INTERFACE column
of /etc/shorewall/proxyarp. I haven't had the time to debug this problem so I
can't say if it is a bug in the Kernel or in FreeS/Wan.&nbsp;</p>
<p>You <b>might</b> be able to work around this problem using the following (I
haven't tried it):</p>
<p>In /etc/shorewall/init, include:</p>
<p>&nbsp;&nbsp;&nbsp;&nbsp; qt service ipsec stop</p>
<p>In /etc/shorewall/start, include:</p>
<p>&nbsp;&nbsp;&nbsp; qt service ipsec start</p>
<h2>
<font color="#660066">IPSec Gateway
on the Firewall System
</font></h2>
<p>Suppose that we have the following sutuation:</p>
<font color="#660066">
<p align="Center"><font face="Century Gothic, Arial, Helvetica">
<img src="images/TwoNets1.png" width="745" height="427">
</font></p>
</font>
<p align="Left">We want systems
in the 192.168.1.0/24 sub-network to be able to communicate with systems
in the 10.0.0.0/8 network.</p>
<p align="Left">To make this work, we need to do two things:</p>
<p align="Left">a) Open the firewall so that the IPSEC tunnel can be established
(allow the ESP and AH protocols and UDP Port 500). </p>
<p align="Left">b) Allow traffic through the tunnel.</p>
<p align="Left">Opening the firewall for the IPSEC tunnel is accomplished by
adding an entry to the /etc/shorewall/tunnels file.</p>
<p align="Left">In /etc/shorewall/tunnels
on system A, we need the following </p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse">
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td><strong>
TYPE</strong></td>
<td><strong>
ZONE</strong></td>
<td><strong>
GATEWAY</strong></td>
<td><strong>
GATEWAY ZONE</strong></td>
<td width="100%">
<h1 align="center"><font color="#ffffff">IPSEC Tunnels</font></h1>
</td>
</tr>
</tbody>
</table>
<h2><font color="#660066">Configuring FreeS/Wan</font></h2>
There is an excellent guide to configuring IPSEC tunnels at<a
href="http://jixen.tripod.com"> http://jixen.tripod.com</a> . I highly recommend
that you consult that site for information about confuring FreeS/Wan. 
<p><font color="#ff6633"><b>Warning: </b></font>Do not use Proxy ARP and
FreeS/Wan on the same system unless you are prepared to suffer the consequences.
If you start or restart Shorewall with an IPSEC tunnel active, the proxied
IP addresses are mistakenly assigned to the IPSEC tunnel device (ipsecX)
rather than to the interface that you specify in the INTERFACE column of
/etc/shorewall/proxyarp. I haven't had the time to debug this problem so I
can't say if it is a bug in the Kernel or in FreeS/Wan. </p>
<p>You <b>might</b> be able to work around this problem using the following
(I haven't tried it):</p>
<p>In /etc/shorewall/init, include:</p>
<p>     qt service ipsec stop</p>
<p>In /etc/shorewall/start, include:</p>
<p>    qt service ipsec start</p>
<h2> <font color="#660066">IPSec Gateway on the Firewall System </font></h2>
<p>Suppose that we have the following sutuation:</p>
<font color="#660066">
<p align="center"><font face="Century Gothic, Arial, Helvetica"> <img
src="images/TwoNets1.png" width="745" height="427">
</font></p>
</font>
<p align="left">We want systems in the 192.168.1.0/24 sub-network to be able
to communicate with systems in the 10.0.0.0/8 network.</p>
<p align="left">To make this work, we need to do two things:</p>
<p align="left">a) Open the firewall so that the IPSEC tunnel can be established
(allow the ESP and AH protocols and UDP Port 500). </p>
<p align="left">b) Allow traffic through the tunnel.</p>
<p align="left">Opening the firewall for the IPSEC tunnel is accomplished
by adding an entry to the /etc/shorewall/tunnels file.</p>
<p align="left">In /etc/shorewall/tunnels on system A, we need the following </p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><strong> TYPE</strong></td>
<td><strong> ZONE</strong></td>
<td><strong> GATEWAY</strong></td>
<td><strong> GATEWAY ZONE</strong></td>
</tr>
<tr>
<td>ipsec</td>
<td>net</td>
<td>134.28.54.2</td>
<td>&nbsp;</td>
<td> </td>
</tr>
</tbody>
</table></blockquote>
</table>
</blockquote>
<p align="Left">In /etc/shorewall/tunnels
on system B, we would have:</p>
<p align="left">In /etc/shorewall/tunnels on system B, we would have:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse">
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><strong>
TYPE</strong></td>
<td><strong>
ZONE</strong></td>
<td><strong>
GATEWAY</strong></td>
<td><strong>
GATEWAY ZONE</strong></td>
<td><strong> TYPE</strong></td>
<td><strong> ZONE</strong></td>
<td><strong> GATEWAY</strong></td>
<td><strong> GATEWAY ZONE</strong></td>
</tr>
<tr>
<td>ipsec</td>
<td>net</td>
<td>206.161.148.9</td>
<td>&nbsp;</td>
<td> </td>
</tr>
</tbody>
</table></blockquote>
</table>
</blockquote>
<p align="Left">You need to define a zone for the remote subnet or include
it in your local zone. In this example, we'll assume that you have created a
zone called &quot;vpn&quot; to represent the remote subnet.</p>
<p align="left"><b>Note: </b>If either of the endpoints is behind a NAT gateway
then the tunnels file entry on the <u><b>other</b></u> endpoint should specify
a tunnel type of <i>ipsecnat</i> rather than <i>ipsec</i> and the GATEWAY
address should specify the external address of the NAT gateway.<br>
</p>
<p align="left">You need to define a zone for the remote subnet or include
it in your local zone. In this example, we'll assume that you have created
a zone called "vpn" to represent the remote subnet.</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse">
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><strong>ZONE</strong></td>
<td><strong>DISPLAY</strong></td>
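Review bot: The rewrapped FreeS/Wan paragraph carries over two typos from the old text, "confuring" (for "configuring") and "sutuation" (for "situation"), and the link spacing is on the wrong side: `at<a href="http://jixen.tripod.com"> http://jixen.tripod.com</a> .` should put the space before `<a` and drop the one before the period. The new ipsecnat note is the substantive change in this hunk and is correct as stated; since the two tunnels tables above it only show the plain ipsec case, a third table with `ipsecnat` in the TYPE column and the NAT gateway's external address in the GATEWAY column would make the note concrete.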
@ -135,43 +136,40 @@ on system B, we would have:</p>
<td>Remote Subnet</td>
</tr>
</tbody>
</table>
</blockquote>
<p align="Left">At both
systems, ipsec0 would be included in /etc/shorewall/interfaces as a "vpn"
interface:</p>
<p align="left">At both systems, ipsec0 would be included in /etc/shorewall/interfaces
as a "vpn" interface:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse">
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><strong>
ZONE</strong></td>
<td><strong>
INTERFACE</strong></td>
<td><strong>
BROADCAST</strong></td>
<td><strong>
OPTIONS</strong></td>
<td><strong> ZONE</strong></td>
<td><strong> INTERFACE</strong></td>
<td><strong> BROADCAST</strong></td>
<td><strong> OPTIONS</strong></td>
</tr>
<tr>
<td>vpn</td>
<td>ipsec0</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
<td> </td>
<td> </td>
</tr>
</tbody>
</table></blockquote>
</table>
</blockquote>
<p align="Left"> You will need to allow traffic between the &quot;vpn&quot; zone and
the &quot;loc&quot; zone -- if you simply want to admit all traffic in both
<p align="left"> You will need to allow traffic between the "vpn" zone and
the "loc" zone -- if you simply want to admit all traffic in both
directions, you can use the policy file:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse">
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><strong>SOURCE</strong></td>
<td><strong>DEST</strong></td>
@ -182,43 +180,41 @@ interface:</p>
<td>loc</td>
<td>vpn</td>
<td>ACCEPT</td>
<td>&nbsp;</td>
<td> </td>
</tr>
<tr>
<td>vpn</td>
<td>loc</td>
<td>ACCEPT</td>
<td>&nbsp;</td>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
<p align="Left"> Once
you have these entries in place, restart Shorewall (type shorewall restart);
you are now ready to configure the tunnel in <a href="http://www.xs4all.nl/%7Efreeswan/">
FreeS/WAN</a>
.</p>
<p align="left"> Once you have these entries in place, restart Shorewall (type
shorewall restart); you are now ready to configure the tunnel in <a
href="http://www.xs4all.nl/%7Efreeswan/"> FreeS/WAN</a> .</p>
<h2><font color="#660066"><a name="RoadWarrior"></a> Mobile System (Road
Warrior)</font></h2>
<h2><font color="#660066"><a name="RoadWarrior"></a>
Mobile System (Road Warrior)</font></h2>
<p>Suppose that you have a laptop system (B) that you take with you when you
travel and you want to be able to establish a secure connection back to your
local network.</p>
<p>Suppose that you have
a laptop system (B) that you take with you when you travel and you want to
be able to establish a secure connection back to your local network.</p>
<p align="Center"><strong><font face="Century Gothic, Arial, Helvetica">
<p align="center"><strong><font face="Century Gothic, Arial, Helvetica">
<img src="images/Mobile.png" width="677" height="426">
</font></strong></p>
<p align="Left">You need to define a zone for the laptop or include it in
your local zone. In this example, we'll assume that you have created a zone
called &quot;vpn&quot; to represent the remote host.</p>
<p align="left">You need to define a zone for the laptop or include it in
your local zone. In this example, we'll assume that you have created
a zone called "vpn" to represent the remote host.</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse">
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><strong>ZONE</strong></td>
<td><strong>DISPLAY</strong></td>
@ -230,26 +226,22 @@ be able to establish a secure connection back to your local network.</p>
<td>Remote Subnet</td>
</tr>
</tbody>
</table>
</blockquote>
<p align="Left"> In this
instance, the mobile system (B) has IP address 134.28.54.2 but that cannot
be determined in advance. In the /etc/shorewall/tunnels file on system A,
the following entry should be made:</p>
<p align="left"> In this instance, the mobile system (B) has IP address 134.28.54.2
but that cannot be determined in advance. In the /etc/shorewall/tunnels file
on system A, the following entry should be made:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse">
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><strong>
TYPE</strong></td>
<td><strong>
ZONE</strong></td>
<td><strong>
GATEWAY</strong></td>
<td><strong>
GATEWAY ZONE</strong></td>
<td><strong> TYPE</strong></td>
<td><strong> ZONE</strong></td>
<td><strong> GATEWAY</strong></td>
<td><strong> GATEWAY ZONE</strong></td>
</tr>
<tr>
<td>ipsec</td>
@ -259,26 +251,117 @@ the following entry should be made:</p>
</tr>
</tbody>
</table></blockquote>
</table>
</blockquote>
<p>Note that the GATEWAY
ZONE column contains the name of the zone corresponding to peer subnetworks. This indicates that the
gateway system itself comprises the peer subnetwork; in other words, the
remote gateway is a standalone system.</p>
<p>Note that the GATEWAY ZONE column contains the name of the zone corresponding
to peer subnetworks. This indicates that the gateway system itself comprises
the peer subnetwork; in other words, the remote gateway is a standalone system.</p>
<p>You will need to configure /etc/shorewall/interfaces and establish
your &quot;through the tunnel&quot; policy as shown under the first example above.</p>
<p><font size="2"> Last
updated 8/20/2002 - </font><font size="2">
<a href="support.htm">Tom Eastep</a></font>
<p>You will need to configure /etc/shorewall/interfaces and establish
your "through the tunnel" policy as shown under the first example above.<br>
</p>
<h2><a name="Dynamic"></a>Dynamic RoadWarrior Zones</h2>
Beginning with Shorewall release 1.3.10, you can define multiple VPN zones
and add and delete remote endpoints dynamically using /sbin/shorewall. In
/etc/shorewall/zones:<br>
<br>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">
<blockquote>
<table cellpadding="2" border="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td valign="top"><b>ZONE<br>
</b></td>
<td valign="top"><b>DISPLAY<br>
</b></td>
<td valign="top"><b>COMMENTS<br>
</b></td>
</tr>
<tr>
<td valign="top">vpn1<br>
</td>
<td valign="top">VPN-1<br>
</td>
<td valign="top">First VPN Zone<br>
</td>
</tr>
<tr>
<td valign="top">vpn2<br>
</td>
<td valign="top">VPN-2<br>
</td>
<td valign="top">Second VPN Zone<br>
</td>
</tr>
<tr>
<td valign="top">vpn3<br>
</td>
<td valign="top">VPN-3<br>
</td>
<td valign="top">Third VPN Zone<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
In /etc/shorewall/tunnels:<br>
<blockquote>
<table cellpadding="2" cellspacing="" border="2"
style="border-collapse: collapse;">
<tbody>
<tr>
<td valign="top"><b>TYPE<br>
</b></td>
<td valign="top"><b>ZONE<br>
</b></td>
<td valign="top"><b>GATEWAY<br>
</b></td>
<td valign="top"><b>GATEWAY ZONE<br>
</b></td>
</tr>
<tr>
<td valign="top">ipsec<br>
</td>
<td valign="top">net<br>
</td>
<td valign="top">0.0.0.0/0<br>
</td>
<td valign="top">vpn1,vpn2,vpn3<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
When Shorewall is started, the zones vpn[1-3] will all be empty and Shorewall
will issue warnings to that effect. These warnings may be safely ignored.
FreeS/Wan may now be configured to have three different Road Warrior connections
with the choice of connection being based on X-509 certificates or some other
means. Each of these connectioins will utilize a different updown script that
adds the remote station to the appropriate zone when the connection comes
up and that deletes the remote station when the connection comes down. For
example, when 134.28.54.2 connects for the vpn2 zone the 'up' part of the
script will issue the command":<br>
<br>
<blockquote>/sbin/shorewall add ipsec0:134.28.54.2 vpn2<br>
</blockquote>
and the 'down' part will:<br>
<blockquote>/sbin/shorewall delete ipsec0:134.28.54.2 vpn</blockquote>
<p><font size="2">Last updated 10/23/2002 - </font><font size="2">
<a href="support.htm">Tom Eastep</a></font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">
Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
</body>
</html>
</html>
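Review bot: The 'down' command in the Dynamic RoadWarrior Zones example deletes from the wrong zone: the 'up' script adds `ipsec0:134.28.54.2` to `vpn2`, but the 'down' line reads `/sbin/shorewall delete ipsec0:134.28.54.2 vpn`, naming a zone that does not exist in this example, and should be `/sbin/shorewall delete ipsec0:134.28.54.2 vpn2`; otherwise the address stays in vpn2 after the tunnel drops and vpn2's policies keep applying to it. Smaller points in the same section: "connectioins" should be "connections", and `issue the command":` has a stray double quote. Because the tunnels entry uses a GATEWAY of `0.0.0.0/0`, the tunnel protocols and UDP 500 are opened to the whole net zone, so it is worth saying explicitly that peer identity now rests entirely on the FreeS/Wan certificate configuration the text mentions with "X-509 certificates".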


@ -1,147 +1,173 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Shorewall Installation</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall Installation</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Shorewall Installation and Upgrade</font></h1>
<h1 align="center"><font color="#ffffff">Shorewall Installation and
Upgrade</font></h1>
</td>
</tr>
</tbody>
</table>
<p align="center"><b>Before upgrading, be sure to review the
<a href="upgrade_issues.htm">Upgrade Issues</a></b></p>
<p align="center"><b>Before upgrading, be sure to review the <a
href="upgrade_issues.htm">Upgrade Issues</a></b></p>
<p><font size="4"><b><a href="#Install_RPM">Install using RPM</a><br>
<a href="#Install_Tarball">Install
using tarball</a><br>
<a href="#Upgrade_RPM">Upgrade using RPM</a><br>
<a href="#Upgrade_Tarball">Upgrade
using tarball</a><br>
<a href="#Config_Files">Configuring Shorewall</a><br>
<a href="fallback.htm">Uninstall/Fallback</a></b></font></p>
<a href="#Install_Tarball">Install using tarball</a><br>
<a href="#Upgrade_RPM">Upgrade using RPM</a><br>
<a href="#Upgrade_Tarball">Upgrade using tarball</a><br>
<a href="#Config_Files">Configuring Shorewall</a><br>
<a href="fallback.htm">Uninstall/Fallback</a></b></font></p>
<p><a name="Install_RPM"></a>To install Shorewall using the RPM:</p>
<p><b>If you have RedHat 7.2 and are running iptables version 1.2.3 (at a shell
prompt, type &quot;/sbin/iptables --version&quot;), you must upgrade to version 1.2.4
either from the
<a href="http://www.redhat.com/support/errata/RHSA-2001-144.html">RedHat update
site</a> or from the <a href="errata.htm">Shorewall Errata page</a> before
attempting to start Shorewall.</b></p>
<p><b>If you have RedHat 7.2 and are running iptables version 1.2.3 (at a
shell prompt, type "/sbin/iptables --version"), you must upgrade to version
1.2.4 either from the <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">RedHat update
site</a> or from the <a href="errata.htm">Shorewall Errata page</a> before
attempting to start Shorewall.</b></p>
<ul>
<li>Install the RPM (rpm -ivh &lt;shorewall rpm&gt;).<br>
<br>
<b>Note: </b>Some SuSE users have encountered a problem whereby rpm reports a
conflict with kernel &lt;= 2.2 even though a 2.4 kernel is installed. If this
happens, simply use the --nodeps option to rpm (rpm -ivh --nodeps &lt;shorewall
rpm&gt;).</li>
<li>Edit the <a href="#Config_Files"> configuration files</a> to match your configuration. <font color="#FF0000"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY INSTALL THE RPM
AND ISSUE A &quot;shorewall start&quot; COMMAND. SOME CONFIGURATION IS REQUIRED BEFORE THE
FIREWALL WILL START. IF YOU ISSUE A &quot;start&quot; COMMAND AND THE FIREWALL FAILS TO
START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY NETWORK TRAFFIC. IF THIS HAPPENS,
ISSUE A &quot;shorewall clear&quot; COMMAND TO RESTORE NETWORK CONNECTIVITY.</b></font></li>
<li>Start the firewall by typing &quot;shorewall start&quot;</li>
<b>Note: </b>Some SuSE users have encountered a problem whereby rpm reports
a conflict with kernel &lt;= 2.2 even though a 2.4 kernel is installed.
If this happens, simply use the --nodeps option to rpm (rpm -ivh --nodeps
&lt;shorewall rpm&gt;).</li>
<li>Edit the <a href="#Config_Files"> configuration files</a> to match
your configuration. <font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u>
SIMPLY INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
IS REQUIRED BEFORE THE FIREWALL WILL START. IF YOU ISSUE A "start" COMMAND
AND THE FIREWALL FAILS TO START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY NETWORK
TRAFFIC. IF THIS HAPPENS, ISSUE A "shorewall clear" COMMAND TO RESTORE NETWORK
CONNECTIVITY.</b></font></li>
<li>Start the firewall by typing "shorewall start"</li>
</ul>
<p><a name="Install_Tarball"></a>To
install Shorewall using the tarball and install
script: </p>
<p><a name="Install_Tarball"></a>To install Shorewall using the tarball
and install script: </p>
<ul>
<li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
<li>cd to the shorewall directory (the version is encoded in the
directory name as in &quot;shorewall-1.1.10&quot;).</li>
directory name as in "shorewall-1.1.10").</li>
<li>If you are using <a
href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a href="http://www.redhat.com">RedHat</a>,
<a href="http://www.linux-mandrake.com">Mandrake</a>, <a href="http://www.corel.com">Corel</a>,
<a href="http://www.slackware.com/">Slackware</a> or
<a href="http://www.debian.org">Debian</a>
then type &quot;./install.sh&quot;</li>
href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a
href="http://www.redhat.com">RedHat</a>, <a
href="http://www.linux-mandrake.com">Mandrake</a>, <a
href="http://www.corel.com">Corel</a>, <a
href="http://www.slackware.com/">Slackware</a> or <a
href="http://www.debian.org">Debian</a> then type "./install.sh"</li>
<li>If you are using <a href="http://www.suse.com">SuSe</a> then type
&quot;./install.sh /etc/init.d&quot;</li>
<li>If your distribution has directory
/etc/rc.d/init.d or /etc/init.d then type
&quot;./install.sh&quot;</li>
<li>For other distributions, determine where your
distribution installs init scripts and type
&quot;./install.sh &lt;init script directory&gt;</li>
<li>Edit the <a href="#Config_Files"> configuration files</a> to match your configuration.</li>
<li>Start the firewall by typing &quot;shorewall
start&quot;</li>
<li>If the install script was unable to configure Shorewall to be started automatically at boot,
see <a href="Documentation.htm#Starting">these
instructions</a>.</li>
"./install.sh /etc/init.d"</li>
<li>If your distribution has directory /etc/rc.d/init.d or
/etc/init.d then type "./install.sh"</li>
<li>For other distributions, determine where your distribution
installs init scripts and type "./install.sh &lt;init script directory&gt;</li>
<li>Edit the <a href="#Config_Files"> configuration files</a> to match
your configuration.</li>
<li>Start the firewall by typing "shorewall start"</li>
<li>If the install script was unable to configure Shorewall to be started
automatically at boot, see <a
href="starting_and_stopping_shorewall.htm">these instructions</a>.</li>
</ul>
<p><a name="Upgrade_RPM"></a>If you already have the Shorewall RPM installed and are upgrading to a new
version:</p>
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.3 version and you
have entries in the /etc/shorewall/hosts file then please check your
/etc/shorewall/interfaces file to be sure that it contains an entry for each
interface mentioned in the hosts file. Also, there are certain 1.2 rule forms
that are no longer supported under 1.3 (you must use the new 1.3 syntax). See
<a href="errata.htm#Upgrade">the upgrade issues </a>for details. You can check your rules and
host file for 1.3 compatibility using the &quot;shorewall check&quot; command after
installing the latest version of 1.3.</p>
<p><a name="Upgrade_RPM"></a>If you already have the Shorewall RPM installed
and are upgrading to a new version:</p>
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.3 version and
you have entries in the /etc/shorewall/hosts file then please check your
/etc/shorewall/interfaces file to be sure that it contains an entry for
each interface mentioned in the hosts file. Also, there are certain 1.2
rule forms that are no longer supported under 1.3 (you must use the new
1.3 syntax). See <a href="errata.htm#Upgrade">the upgrade issues </a>for details.
You can check your rules and host file for 1.3 compatibility using the "shorewall
check" command after installing the latest version of 1.3.</p>
<ul>
<li>Upgrade the RPM (rpm -Uvh &lt;shorewall rpm file&gt;) <b>Note: </b>If you
are installing version 1.2.0 and have one of the 1.2.0 Beta RPMs installed,
you must use the &quot;--oldpackage&quot; option to rpm (e.g., &quot;rpm
-Uvh --oldpackage shorewall-1.2-0.noarch.rpm&quot;).
<p>
<b>Note: </b>Some SuSE users have encountered a problem whereby rpm reports a
conflict with kernel &lt;= 2.2 even though a 2.4 kernel is installed. If this
happens, simply use the --nodeps option to rpm (rpm -Uvh --nodeps &lt;shorewall
rpm&gt;).<br>
&nbsp;</li>
<li>See if there are any incompatibilities between your configuration and the
new Shorewall version (type &quot;shorewall check&quot;) and correct as necessary.</li>
<li>Upgrade the RPM (rpm -Uvh &lt;shorewall rpm file&gt;) <b>Note: </b>If
you are installing version 1.2.0 and have one of the 1.2.0 Beta RPMs installed,
you must use the "--oldpackage" option to rpm (e.g., "rpm -Uvh --oldpackage
shorewall-1.2-0.noarch.rpm").
<p> <b>Note: </b>Some SuSE users have encountered a problem whereby
rpm reports a conflict with kernel &lt;= 2.2 even though a 2.4 kernel is
installed. If this happens, simply use the --nodeps option to rpm (rpm
-Uvh --nodeps &lt;shorewall rpm&gt;).<br>
  </p>
</li>
<li>See if there are any incompatibilities between your configuration
and the new Shorewall version (type "shorewall check") and correct as
necessary.</li>
<li>Restart the firewall (shorewall restart).</li>
</ul>
<p><a name="Upgrade_Tarball"></a>If you already have Shorewall installed and are upgrading to a new version
using the tarball:</p>
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.3 version and you
have entries in the /etc/shorewall/hosts file then please check your
/etc/shorewall/interfaces file to be sure that it contains an entry for each
interface mentioned in the hosts file.&nbsp; Also, there are certain 1.2 rule
forms that are no longer supported under 1.3 (you must use the new 1.3 syntax).
See <a href="errata.htm#Upgrade">the upgrade issues</a> for details. You can check your rules
and host file for 1.3 compatibility using the &quot;shorewall check&quot; command after
installing the latest version of 1.3.</p>
<p><a name="Upgrade_Tarball"></a>If you already have Shorewall installed and
are upgrading to a new version using the tarball:</p>
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.3 version and
you have entries in the /etc/shorewall/hosts file then please check your
/etc/shorewall/interfaces file to be sure that it contains an entry for
each interface mentioned in the hosts file.  Also, there are certain 1.2
rule forms that are no longer supported under 1.3 (you must use the new
1.3 syntax). See <a href="errata.htm#Upgrade">the upgrade issues</a> for
details. You can check your rules and host file for 1.3 compatibility using
the "shorewall check" command after installing the latest version of 1.3.</p>
<ul>
<li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
<li>cd to the shorewall directory (the version is encoded in the
directory name as in &quot;shorewall-3.0.1&quot;).</li>
directory name as in "shorewall-3.0.1").</li>
<li>If you are using <a
href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a href="http://www.redhat.com">RedHat</a>,
<a href="http://www.linux-mandrake.com">Mandrake</a>, <a href="http://www.corel.com">Corel</a>,
<a href="http://www.slackware.com/">Slackware</a> or
<a href="http://www.debian.org">Debian</a>
then type &quot;./install.sh&quot;</li>
href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a
href="http://www.redhat.com">RedHat</a>, <a
href="http://www.linux-mandrake.com">Mandrake</a>, <a
href="http://www.corel.com">Corel</a>, <a
href="http://www.slackware.com/">Slackware</a> or <a
href="http://www.debian.org">Debian</a> then type "./install.sh"</li>
<li>If you are using<a href="http://www.suse.com"> SuSe</a> then type
&quot;./install.sh /etc/init.d&quot;</li>
<li>If your distribution has directory
/etc/rc.d/init.d or /etc/init.d then type
&quot;./install.sh&quot;</li>
<li>For other distributions, determine where your
distribution installs init scripts and type
&quot;./install.sh &lt;init script directory&gt;</li>
<li>See if there are any incompatibilities between your configuration and the
new Shorewall version (type &quot;shorewall check&quot;) and correct as necessary.</li>
<li>Restart the firewall by typing &quot;shorewall restart&quot;</li>
"./install.sh /etc/init.d"</li>
<li>If your distribution has directory /etc/rc.d/init.d or
/etc/init.d then type "./install.sh"</li>
<li>For other distributions, determine where your distribution
installs init scripts and type "./install.sh &lt;init script directory&gt;</li>
<li>See if there are any incompatibilities between your configuration
and the new Shorewall version (type "shorewall check") and correct as necessary.</li>
<li>Restart the firewall by typing "shorewall restart"</li>
</ul>
<h3><a name="Config_Files"></a>Configuring Shorewall</h3>
<p>You will need to edit some or all of these configuration files to match your
setup. In most cases, the <a href="shorewall_quickstart_guide.htm">Shorewall
QuickStart Guides</a> contain all of the information you need.</p>
<h3><a name="Config_Files"></a>Configuring Shorewall</h3>
<p>You will need to edit some or all of these configuration files to match
your setup. In most cases, the <a href="shorewall_quickstart_guide.htm">Shorewall
QuickStart Guides</a> contain all of the information you need.</p>
<ul>
<li>/etc/shorewall/shorewall.conf - used to set several firewall
parameters.</li>
<li>/etc/shorewall/params - use this file to set shell variables that you will
expand in other files.</li>
<li>/etc/shorewall/params - use this file to set shell variables that
you will expand in other files.</li>
<li>/etc/shorewall/zones - partition the firewall's view of the world
into <i>zones.</i></li>
<li>/etc/shorewall/policy - establishes firewall high-level policy.</li>
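Review bot: the cd step gives "shorewall-3.0.1" as the example directory name, which does not match the 1.3.x numbering this commit documents (the download page in this same commit says 1.3.10); use "shorewall-1.3.10" so a reader upgrading from 1.2 to 1.3 is not confused. Two smaller points in the same list: the generic line `"./install.sh <init script directory>` is missing its closing quote, and the Caldera/RedHat/Mandrake/Corel/Slackware/Debian bullet and the "/etc/rc.d/init.d or /etc/init.d" bullet both end in plain "./install.sh", so the distribution list could be folded into the directory rule. Also "SuSe" should be "SuSE".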
@ -149,6 +175,8 @@ QuickStart Guides</a> contain all of the information you need.</p>
firewall system.</li>
<li>/etc/shorewall/hosts - allows defining zones in terms of individual
hosts and subnetworks.</li>
<li>/etc/shorewall/maclist - verification of the MAC addresses of devices.<br>
</li>
<li>/etc/shorewall/masq - directs the firewall where to use many-to-one
(dynamic) NAT a.k.a. Masquerading.</li>
<li>/etc/shorewall/modules - directs the firewall to load kernel modules.</li>
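Review bot: the new maclist bullet only says "verification of the MAC addresses of devices"; say which interfaces it applies to and link it to MAC_Validation.html the way the Configuration File Basics page in this commit does, and make clear that a MAC check identifies the device adjacent on that interface rather than the original sender of a routed packet, so it complements rather than replaces the address-based rules.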
@ -156,19 +184,24 @@ QuickStart Guides</a> contain all of the information you need.</p>
overall policies established in /etc/shorewall/policy.</li>
<li>/etc/shorewall/nat - defines static NAT rules.</li>
<li>/etc/shorewall/proxyarp - defines use of Proxy ARP.</li>
<li>/etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines hosts
accessible when Shorewall is stopped.</li>
<li>/etc/shorewall/tcrules - defines marking of packets for later use by
traffic control/shaping.</li>
<li>/etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines
hosts accessible when Shorewall is stopped.</li>
<li>/etc/shorewall/tcrules - defines marking of packets for later use
by traffic control/shaping.</li>
<li>/etc/shorewall/tos - defines rules for setting the TOS field in packet
headers.</li>
<li>/etc/shorewall/tunnels - defines IPSEC tunnels with end-points on
the firewall system.</li>
<li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC addresses.</li>
</ul>
<p><font size="2">Updated 9/13/2002 - <a href="support.htm">Tom
Eastep</a> </font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
</body></html>
</ul>
<p><font size="2">Updated 10/28/2002 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
</body>
</html>
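Review bot: this file list has drifted from the one in Configuration_File_Basics updated in the same commit: masq is described here as Masquerading only, there as Masquerading and SNAT; tunnels here says IPSEC only, there IPSEC, GRE and IPIP; tcrules there also mentions policy routing. Keep one description per file in both places, or have this page point at the other list instead of duplicating it.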


@ -11,7 +11,8 @@
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Index</title>
<base target="main">
<base
target="main">
<meta name="Microsoft Theme" content="none">
</head>
<body>
@ -22,21 +23,28 @@
<tbody>
<tr>
<td width="100%" height="90">
<h3 align="center"><font color="#ffffff">Shorewall</font></h3>
</td>
</tr>
<tr>
<td width="100%" bgcolor="#ffffff">
<ul>
<li> <a href="seattlefirewall_index.htm">Home</a></li>
<li> <a href="shorewall_features.htm">Features</a></li>
<li> <a href="shorewall_prerequisites.htm">Requirements</a></li>
<li> <a href="download.htm">Download</a></li>
<li> <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a></li>
<li> <a href="download.htm">Download</a><br>
</li>
<li> <a href="Install.htm">Installation/Upgrade/</a><br>
<a href="Install.htm">Configuration</a></li>
<li> <a href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></li>
<a href="Install.htm">Configuration</a><br>
</li>
<li> <a href="shorewall_quickstart_guide.htm">QuickStart Guides
(HOWTOs)</a><br>
</li>
<li> <a
href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></li>
<li> <a href="Documentation.htm">Reference Manual</a></li>
<li> <a href="FAQ.htm">FAQs</a></li>
<li><a href="useful_links.html">Useful Links</a><br>
@ -48,21 +56,28 @@
<li> <a href="mailing_list.htm">Mailing Lists</a></li>
<li> <a href="shorewall_mirrors.htm">Mirrors</a>
<ul>
<li><a target="_top" href="http://slovakia.shorewall.net">Slovak
Republic</a></li>
<li><a target="_top" href="http://shorewall.infohiiway.com">Texas,
USA</a></li>
<li><a target="_top" href="http://germany.shorewall.net">Germany</a></li>
<li><a target="_top"
href="http://slovakia.shorewall.net">Slovak Republic</a></li>
<li><a target="_top"
href="http://shorewall.infohiiway.com">Texas, USA</a></li>
<li><a target="_top"
href="http://germany.shorewall.net">Germany</a></li>
<li><a target="_top"
href="http://shorewall.correofuego.com.ar">Argentina</a></li>
<li><a target="_top" href="http://france.shorewall.net">France</a></li>
<li><a target="_top"
href="http://france.shorewall.net">France</a></li>
</ul>
</li>
</ul>
<ul>
<li> <a href="News.htm">News Archive</a></li>
<li> <a href="Shorewall_CVS_Access.html">CVS Repository</a></li>
@ -70,6 +85,7 @@
<li> <a href="shoreline.htm">About the Author</a></li>
<li> <a href="seattlefirewall_index.htm#Donations">Donations</a></li>
</ul>
</td>
</tr>
@ -78,16 +94,19 @@
</table>
<form method="post" action="http://www.shorewall.net/cgi-bin/htsearch">
<p> <strong>Quick Search</strong><br>
<font face="Arial" size="-1"> <input type="text" name="words"
size="15"></font><font size="-1"> </font> <font face="Arial"
size="-1"> <input type="hidden" name="format" value="long"> <input
type="hidden" name="method" value="and"> <input type="hidden"
name="config" value="htdig"> <input type="submit" value="Search"></font>
</p>
<font face="Arial"> <input type="hidden" name="exclude"
value="[http://www.shorewall.net/pipermail/*]"> </font> </form>
<strong><br>
<b>Note: </b></strong>Search is unavailable Daily 0200-0330 GMT.<br>
<strong></strong>
<p><strong>Quick Search</strong><br>
<font face="Arial" size="-1"> <input type="text"
name="words" size="15"></font><font size="-1"> </font> <font
face="Arial" size="-1"> <input type="hidden" name="format"
value="long"> <input type="hidden" name="method" value="and"> <input
type="hidden" name="config" value="htdig"> <input type="submit"
value="Search"></font> </p>
<font face="Arial"> <input type="hidden"
name="exclude" value="[http://www.shorewall.net/pipermail/*]"> </font>
</form>
<p><b><a href="htdig/search.html">Extended Search</a></b></p>
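Review bot: the rewritten Quick Search block drops the "Search is unavailable Daily 0200-0330 GMT" note that the old block carried; if the maintenance window still applies, keep the note next to the form rather than losing it in a whitespace reflow.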
@ -96,11 +115,7 @@
<p><a href="http://www.shorewall.net" target="_top"> <img border="1"
src="images/shorewall.jpg" width="119" height="38" hspace="0">
</a></p>
<br>
<br>
<br>
<br>
<br>
</a><br>
</p>
</body>
</html>


@ -31,8 +31,7 @@
<h2>Static Blacklisting</h2>
<p>Shorewall static blacklisting support has the following configuration
parameters:</p>
<p>Shorewall static blacklisting support has the following configuration parameters:</p>
<ul>
<li>You specify whether you want packets from blacklisted hosts dropped
@ -50,8 +49,8 @@ names in the blacklist file.<br>
<li>You specify the interfaces whose incoming packets you want checked
against the blacklist using the "<a
href="Documentation.htm#Interfaces">blacklist</a>" option in /etc/shorewall/interfaces.</li>
<li>The black list is refreshed from /etc/shorewall/blacklist by the "<a
href="Documentation.htm#Starting">shorewall refresh</a>" command.</li>
<li>The black list is refreshed from /etc/shorewall/blacklist by the
"<a href="Documentation.htm#Starting">shorewall refresh</a>" command.</li>
</ul>
@ -59,10 +58,10 @@ against the blacklist using the "<a
<p>Dynamic blacklisting support was added in version 1.3.2. Dynamic blacklisting
doesn't use any configuration parameters but is rather controlled using
/sbin/shorewall commands:</p>
/sbin/shorewall commands:</p>
<ul>
<li>deny <i>&lt;ip address list&gt; </i>- causes packets from the listed
<li>drop <i>&lt;ip address list&gt; </i>- causes packets from the listed
IP addresses to be silently dropped by the firewall.</li>
<li>reject <i>&lt;ip address list&gt; </i>- causes packets from the listed
IP addresses to be rejected by the firewall.</li>
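Review bot: the dynamic blacklisting command is renamed from "deny" to "drop" in this list and in Example 1 below, but nothing in the hunk says whether "deny" is still accepted; if it is not, call the rename out as an incompatible change in the release notes, since any script or cron job that runs "shorewall deny" will now fail, and if it is kept as an alias, list it here.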
@ -76,7 +75,7 @@ be automatically restored the next time that the firewall is restarted.</li>
<p>Example 1:</p>
<pre> shorewall deny 192.0.2.124 192.0.2.125</pre>
<pre> shorewall drop 192.0.2.124 192.0.2.125</pre>
<p>    Drops packets from hosts 192.0.2.124 and 192.0.2.125</p>
@ -86,10 +85,11 @@ be automatically restored the next time that the firewall is restarted.</li>
<p>    Reenables access from 192.0.2.125.</p>
<p><font size="2">Last updated 9/16/2002 - <a href="support.htm">Tom Eastep</a></font></p>
<p><font size="2">Last updated 10/7/2002 - <a href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
</body>
</html>


@ -31,7 +31,7 @@
configuration files on a system running Microsoft Windows, you <u>must</u>
run them through <a
href="http://www.megaloman.com/%7Ehany/software/hd2u/"> dos2unix</a>
before you use them with Shorewall.</b></p>
before you use them with Shorewall.</b></p>
<h2>Files</h2>
@ -41,33 +41,34 @@ before you use them with Shorewall.</b></p>
<li>/etc/shorewall/shorewall.conf - used to set several firewall
parameters.</li>
<li>/etc/shorewall/params - use this file to set shell variables
that you will expand in other files.</li>
<li>/etc/shorewall/zones - partition the firewall's view of the
world into <i>zones.</i></li>
<li>/etc/shorewall/policy - establishes firewall high-level policy.</li>
<li>/etc/shorewall/interfaces - describes the interfaces on the
firewall system.</li>
<li>/etc/shorewall/hosts - allows defining zones in terms of individual
hosts and subnetworks.</li>
<li>/etc/shorewall/masq - directs the firewall where to use many-to-one
(dynamic) Network Address Translation (a.k.a. Masquerading) and Source
Network Address Translation (SNAT).</li>
that you will expand in other files.</li>
<li>/etc/shorewall/zones - partition the firewall's view of
the world into <i>zones.</i></li>
<li>/etc/shorewall/policy - establishes firewall high-level
policy.</li>
<li>/etc/shorewall/interfaces - describes the interfaces on
the firewall system.</li>
<li>/etc/shorewall/hosts - allows defining zones in terms of
individual hosts and subnetworks.</li>
<li>/etc/shorewall/masq - directs the firewall where to use
many-to-one (dynamic) Network Address Translation (a.k.a. Masquerading)
and Source Network Address Translation (SNAT).</li>
<li>/etc/shorewall/modules - directs the firewall to load kernel
modules.</li>
<li>/etc/shorewall/rules - defines rules that are exceptions to
the overall policies established in /etc/shorewall/policy.</li>
modules.</li>
<li>/etc/shorewall/rules - defines rules that are exceptions
to the overall policies established in /etc/shorewall/policy.</li>
<li>/etc/shorewall/nat - defines static NAT rules.</li>
<li>/etc/shorewall/proxyarp - defines use of Proxy ARP.</li>
<li>/etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines
hosts accessible when Shorewall is stopped.</li>
<li>/etc/shorewall/tcrules - defines marking of packets for later
use by traffic control/shaping or policy routing.</li>
<li>/etc/shorewall/routestopped (Shorewall 1.3.4 and later)
- defines hosts accessible when Shorewall is stopped.</li>
<li>/etc/shorewall/tcrules - defines marking of packets for
later use by traffic control/shaping or policy routing.</li>
<li>/etc/shorewall/tos - defines rules for setting the TOS field
in packet headers.</li>
in packet headers.</li>
<li>/etc/shorewall/tunnels - defines IPSEC, GRE and IPIP tunnels
with end-points on the firewall system.</li>
with end-points on the firewall system.</li>
<li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC
addresses.</li>
addresses.</li>
</ul>
@ -75,8 +76,8 @@ addresses.</li>
<p>You may place comments in configuration files by making the first non-whitespace
character a pound sign ("#"). You may also place comments at the end
of any line, again by delimiting the comment from the rest of the line
with a pound sign.</p>
of any line, again by delimiting the comment from the rest of the
line with a pound sign.</p>
<p>Examples:</p>
@ -87,7 +88,7 @@ with a pound sign.</p>
<h2>Line Continuation</h2>
<p>You may continue lines in the configuration files using the usual backslash
("\") followed immediately by a new line character.</p>
("\") followed immediately by a new line character.</p>
<p>Example:</p>
@ -99,42 +100,46 @@ with a pound sign.</p>
<p align="left"><b>WARNING: I personally recommend strongly <u>against</u>
using DNS names in Shorewall configuration files. If you use DNS names and
you are called out of bed at 2:00AM because Shorewall won't start as a result
of DNS problems then don't say that you were not forewarned. <br>
you are called out of bed at 2:00AM because Shorewall won't start as a
result of DNS problems then don't say that you were not forewarned. <br>
</b></p>
<p align="left"><b>    -Tom<br>
</b></p>
<p align="left">Beginning with Shorwall 1.3.9, Host addresses in Shorewall
configuration files may be specified either as IP addresses or as DNS Names.<br>
configuration files may be specified either as IP addresses or as DNS Names.<br>
<br>
DNS names in iptables rules aren't nearly as useful as they first appear.
When a DNS name appears in a rule, the iptables utility resolves the name
to one or more IP addresses and inserts those addresses into the rule. So
change in the DNS-&gt;IP address relationship that occur after the firewall
has started have absolutely no effect on the firewall's ruleset. </p>
When a DNS name appears in a rule, the iptables utility resolves the name
to one or more IP addresses and inserts those addresses into the rule.
So change in the DNS-&gt;IP address relationship that occur after the firewall
has started have absolutely no effect on the firewall's ruleset. </p>
<p align="left"> If your firewall rules include DNS names then:</p>
<ul>
<li>If your /etc/resolv.conf is wrong then your firewall won't start.</li>
<li>If your /etc/nsswitch.conf is wrong then your firewall won't start.</li>
<li>If your Name Server(s) is(are) down then your firewall won't start.</li>
<li>If your /etc/resolv.conf is wrong then your firewall won't
start.</li>
<li>If your /etc/nsswitch.conf is wrong then your firewall won't
start.</li>
<li>If your Name Server(s) is(are) down then your firewall won't
start.</li>
<li>If your startup scripts try to start your firewall before starting
your DNS server then your firewall won't start.<br>
your DNS server then your firewall won't start.<br>
</li>
<li>Factors totally outside your control (your ISP's router is down
for example), can prevent your firewall from starting.</li>
<li>You must bring up your network interfaces prior to starting your firewall.<br>
<li>Factors totally outside your control (your ISP's router is
down for example), can prevent your firewall from starting.</li>
<li>You must bring up your network interfaces prior to starting your
firewall.<br>
</li>
</ul>
<p align="left"> Each DNS name much be fully qualified and include a minumum
of two periods (although one may be trailing). This restriction is imposed
by Shorewall to insure backward compatibility with existing configuration
files.<br>
of two periods (although one may be trailing). This restriction is imposed
by Shorewall to insure backward compatibility with existing configuration
files.<br>
<br>
Examples of valid DNS names:<br>
</p>
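Review bot: the argument for avoiding DNS names lists only availability failures; the stronger reason follows from the sentence that iptables resolves the name at start time and inserts the resulting addresses into the rule: whoever answers that lookup (a spoofed or compromised resolver, a hijacked zone) chooses which addresses the rule permits, and the ruleset will not notice later changes, so a DNS-named ACCEPT rule is only as trustworthy as the resolver path at the moment the firewall starts. Typos in the same hunk: "Shorwall" should be "Shorewall", "much be fully qualified" should be "must be fully qualified", "minumum" should be "minimum", and "So change in the DNS->IP address relationship that occur" should be "So changes in the DNS->IP address relationship that occur".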
@ -159,15 +164,16 @@ files.<br>
<li>In the /etc/shorewall/nat file.</li>
</ul>
These are iptables restrictions and are not simply imposed for your inconvenience
by Shorewall. <br>
These are iptables restrictions and are not simply imposed for your
inconvenience by Shorewall. <br>
<br>
<h2>Complementing an Address or Subnet</h2>
<p>Where specifying an IP address, a subnet or an interface, you can
precede the item with "!" to specify the complement of the item. For
example, !192.168.1.4 means "any host but 192.168.1.4".</p>
example, !192.168.1.4 means "any host but 192.168.1.4". There must
be no white space following the "!".</p>
<h2>Comma-separated Lists</h2>
@ -178,9 +184,9 @@ by Shorewall. <br>
<li>Must not have any embedded white space.<br>
Valid: routestopped,dhcp,norfc1918<br>
Invalid: routestopped,     dhcp,     norfc1818</li>
<li>If you use line continuation to break a comma-separated list,
the continuation line(s) must begin in column 1 (or there would be
embedded white space)</li>
<li>If you use line continuation to break a comma-separated
list, the continuation line(s) must begin in column 1 (or there
would be embedded white space)</li>
<li>Entries in a comma-separated list may appear in any order.</li>
</ul>
@ -193,16 +199,21 @@ embedded white space)</li>
<h2>Port Ranges</h2>
<p>If you need to specify a range of ports, the proper syntax is &lt;<i>low
port number</i>&gt;:&lt;<i>high port number</i>&gt;.</p>
port number</i>&gt;:&lt;<i>high port number</i>&gt;. For example,
if you want to forward the range of tcp ports 4000 through 4100 to local
host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
</p>
<pre> DNAT net loc:192.168.1.3 tcp 4000:4100<br></pre>
<h2>Using Shell Variables</h2>
<p>You may use the file /etc/shorewall/params file to set shell variables
that you can then use in some of the other configuration files.</p>
<p>You may use the /etc/shorewall/params file to set shell variables
that you can then use in some of the other configuration files.</p>
<p>It is suggested that variable names begin with an upper case letter<font
size="1"> </font>to distinguish them from variables used internally
within the Shorewall programs</p>
within the Shorewall programs</p>
<p>Example:</p>
@ -228,20 +239,20 @@ within the Shorewall programs</p>
</font>
<p>Variables may be used anywhere in the other configuration
files.</p>
files.</p>
<h2>Using MAC Addresses</h2>
<p>Media Access Control (MAC) addresses can be used to specify packet
source in several of the configuration files. To use this feature,
your kernel must have MAC Address Match support (CONFIG_IP_NF_MATCH_MAC)
included.</p>
source in several of the configuration files. To use this feature,
your kernel must have MAC Address Match support (CONFIG_IP_NF_MATCH_MAC)
included.</p>
<p>MAC addresses are 48 bits wide and each Ethernet Controller has a
unique MAC address.<br>
<br>
In GNU/Linux, MAC addresses are usually written as a series of 6
hex numbers separated by colons. Example:<br>
In GNU/Linux, MAC addresses are usually written as a series of
6 hex numbers separated by colons. Example:<br>
<br>
     [root@gateway root]# ifconfig eth0<br>
     eth0 Link encap:Ethernet HWaddr <b><u>02:00:08:E3:FA:55</u></b><br>
@ -250,42 +261,47 @@ hex numbers separated by colons. Example:<br>
     RX packets:2398102 errors:0 dropped:0 overruns:0 frame:0<br>
     TX packets:3044698 errors:0 dropped:0 overruns:0 carrier:0<br>
     collisions:30394 txqueuelen:100<br>
     RX bytes:419871805 (400.4 Mb) TX bytes:1659782221 (1582.8 Mb)<br>
     RX bytes:419871805 (400.4 Mb) TX bytes:1659782221 (1582.8
Mb)<br>
     Interrupt:11 Base address:0x1800<br>
<br>
Because Shorewall uses colons as a separator for address fields,
Shorewall requires MAC addresses to be written in another way. In
Shorewall requires MAC addresses to be written in another way. In
Shorewall, MAC addresses begin with a tilde ("~") and consist of 6
hex numbers separated by hyphens. In Shorewall, the MAC address in
the example above would be written "~02-00-08-E3-FA-55".</p>
the example above would be written "~02-00-08-E3-FA-55".<br>
</p>
<p><b>Note: </b>It is not necessary to use the special Shorewall notation
in the <a href="MAC_Validation.html">/etc/shorewall/maclist</a> file.<br>
</p>
<h2>Shorewall Configurations</h2>
<p> Shorewall allows you to have configuration directories other than /etc/shorewall.
The <a href="starting_and_stopping_shorewall.htm">shorewall start and restart</a>
The <a href="starting_and_stopping_shorewall.htm">shorewall start and restart</a>
commands allow you to specify an alternate configuration directory and
Shorewall will use the files in the alternate directory rather than the corresponding
files in /etc/shorewall. The alternate directory need not contain a complete
configuration; those files not in the alternate directory will be read from
/etc/shorewall.</p>
Shorewall will use the files in the alternate directory rather than the
corresponding files in /etc/shorewall. The alternate directory need not
contain a complete configuration; those files not in the alternate directory
will be read from /etc/shorewall.</p>
<p> This facility permits you to easily create a test or temporary configuration
by:</p>
<ol>
<li> copying the files that need modification from /etc/shorewall
to a separate directory;</li>
to a separate directory;</li>
<li> modify those files in the separate directory; and</li>
<li> specifying the separate directory in a shorewall start or
shorewall restart command (e.g., <i><b>shorewall -c /etc/testconfig restart</b></i>
).</li>
<li> specifying the separate directory in a shorewall start
or shorewall restart command (e.g., <i><b>shorewall -c /etc/testconfig
restart</b></i> ).</li>
</ol>
<p><font size="2"> Updated 9/24/2002 - <a href="support.htm">Tom Eastep</a>
<p><font size="2"> Updated 10/24/2002 - <a href="support.htm">Tom Eastep</a>
</font></p>
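Review bot: in the Using MAC Addresses part of this hunk, "each Ethernet Controller has a unique MAC address" overstates what the match gives you. The source MAC is settable in software on most drivers (the example address 02:00:08:E3:FA:55 itself has the locally administered bit set in its first octet), and the kernel only sees the MAC of the last hop on the receiving interface, so a MAC-based rule distinguishes devices on a directly attached segment but is not an authentication mechanism; a sentence saying so would keep readers from relying on "~" MAC entries as their only control. In the Shorewall Configurations part, since files in the alternate directory are read in place of those in /etc/shorewall, it is worth adding that a test directory must be protected as carefully as /etc/shorewall.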
@ -294,6 +310,9 @@ shorewall restart command (e.g., <i><b>shorewall -c /etc/testconfig restart<
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br>
<br>
<br>
</body>


@ -1,60 +1,82 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>DHCP</title>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>DHCP</title>
</head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">DHCP</font></h1>
<h1 align="center"><font color="#ffffff">DHCP</font></h1>
</td>
</tr>
</tbody>
</table>
<h2 align="left">DHCP Server on your firewall</h2>
<h2 align="left">If you want to Run a DHCP Server on your firewall</h2>
<ul>
<li>
<p align="left">Specify the &quot;dhcp&quot; option on each interface to be
<p align="left">Specify the "dhcp" option on each interface to be
served by your server in the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
file.</li>
file. This will generate rules that will allow DHCP to and from your
firewall system. </p>
</li>
<li>
<p align="left">When starting &quot;dhcpd&quot;, you need to list those
interfaces on the run line. On a RedHat system, this is done by modifying
/etc/sysconfig/dhcpd.</li>
<p align="left">When starting "dhcpd", you need to list those interfaces
on the run line. On a RedHat system, this is done by modifying /etc/sysconfig/dhcpd.
</p>
</li>
</ul>
<h2 align="left">A Firewall Interface gets its IP Address via DHCP</h2>
<h2 align="left">If a Firewall Interface gets its IP Address via DHCP</h2>
<ul>
<li>
<p align="left">Specify the &quot;dhcp&quot; option for this interface in
the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
file.</li>
<p align="left">Specify the "dhcp" option for this interface in the
<a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
file. This will generate rules that will allow DHCP to and from your firewall
system. </p>
</li>
<li>
<p align="left">If you know that the dynamic address is always going to be
in the same subnet, you can specify the subnet address in the interface's
<p align="left">If you know that the dynamic address is always going
to be in the same subnet, you can specify the subnet address in the interface's
entry in the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
file.</li>
file. </p>
</li>
<li>
<p align="left">If you don't know the subnet address in advance, you should
specify &quot;detect&quot; for the interface's subnet address in the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
file and start Shorewall after the interface has started.</li>
<p align="left">If you don't know the subnet address in advance, you
should specify "detect" for the interface's subnet address in the <a
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> file
and start Shorewall after the interface has started. </p>
</li>
<li>
<p align="left">In the event that the subnet address might change while
Shorewall is started, you need to arrange for a &quot;shorewall
refresh&quot; command to be executed when a new dynamic IP address gets
assigned to the interface. Check your DHCP client's documentation.</li>
Shorewall is started, you need to arrange for a "shorewall refresh"
command to be executed when a new dynamic IP address gets assigned to
the interface. Check your DHCP client's documentation. </p>
</li>
</ul>
<p align="left"><font size="2">Last updated 1/26/2002 - <a href="support.htm">Tom
Eastep</a></font></p>
<p align="left"><font size="2">Last updated 11/03/2002 - <a
href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
</body>
</html>
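Review bot: the last bullet tells the reader to run "shorewall refresh" when the dynamic address changes, but the blacklisting page in this commit describes refresh only as reloading /etc/shorewall/blacklist; state explicitly that refresh re-detects the interface's subnet for a "detect" entry, or tell the reader to use "shorewall restart" instead. It would also help to say that the "dhcp" option should be set only on the interfaces that actually run or receive DHCP, since the text says it generates rules allowing DHCP to and from the firewall on that interface.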


@ -35,54 +35,54 @@
<ul>
<li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>, <b>
Linux PPC</b> or <b> TurboLinux</b> distribution with a 2.4 kernel,
you can use the RPM version (note: the RPM should also work with
other distributions that store init scripts in /etc/init.d and
that include chkconfig or insserv). If you find that it works
in other cases, let <a href="mailto:teastep@shorewall.net"> me</a>
know so that I can mention them here. See the <a
href="Install.htm">Installation Instructions</a> if you have problems
installing the RPM.</li>
<li>If you are running LRP, download the .lrp file (you might also want
to download the .tgz so you will have a copy of the documentation).</li>
Linux PPC</b> or <b> TurboLinux</b> distribution with a 2.4
kernel, you can use the RPM version (note: the RPM should
also work with other distributions that store init scripts in
/etc/init.d and that include chkconfig or insserv). If you find
that it works in other cases, let <a
href="mailto:teastep@shorewall.net"> me</a> know so that
I can mention them here. See the <a href="Install.htm">Installation Instructions</a>
if you have problems installing the RPM.</li>
<li>If you are running LRP, download the .lrp file (you might also
want to download the .tgz so you will have a copy of the documentation).</li>
<li>If you run <a href="http://www.debian.org"><b>Debian</b></a> and
would like a .deb package, Shorewall is in both the <a
href="http://packages.debian.org/testing/net/shorewall.html">Debian Testing
Branch</a> and the <a
would like a .deb package, Shorewall is in both the <a
href="http://packages.debian.org/testing/net/shorewall.html">Debian
Testing Branch</a> and the <a
href="http://packages.debian.org/unstable/net/shorewall.html">Debian
Unstable Branch</a>.</li>
Unstable Branch</a>.</li>
<li>Otherwise, download the <i>shorewall</i> module (.tgz)</li>
</ul>
<p>The documentation in HTML format is included in the .tgz and .rpm files
and there is an documentation .deb that also contains the documentation.</p>
and there is an documentation .deb that also contains the documentation.</p>
<p>Please verify the version that you have downloaded -- during the
release of a new version of Shorewall, the links below may point to
a newer or an older version than is shown below.</p>
release of a new version of Shorewall, the links below may point
to a newer or an older version than is shown below.</p>
<ul>
<li>RPM - "rpm -qip LATEST.rpm"</li>
<li>TARBALL - "tar -ztf LATEST.tgz" (the directory name will contain
the version)</li>
the version)</li>
<li>LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar -zxf &lt;downloaded
.lrp&gt;; cat var/lib/lrpkg/shorwall.version" </li>
.lrp&gt;; cat var/lib/lrpkg/shorwall.version" </li>
</ul>
<p><font face="Arial">Once you have verified the version, check the
</font><font color="#ff0000" face="Arial"> <a href="errata.htm"> errata</a></font><font
</font><font color="#ff0000" face="Arial"> <a href="errata.htm"> errata</a></font><font
face="Arial"> to see if there are updates that apply to the version
that you have downloaded.</font></p>
that you have downloaded.</font></p>
<p><font color="#ff0000" face="Arial"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY
INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed configuration
of your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.</b></font></p>
INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed configuration
of your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.</b></font></p>
<p>Download Latest Version (<b>1.3.9</b>): <b>Remember that updates to the
mirrors occur 1-12 hours after an update to the primary site.</b></p>
<p>Download Latest Version (<b>1.3.10</b>): <b>Remember that updates to the
mirrors occur 1-12 hours after an update to the primary site.</b></p>
<blockquote>
<table border="2" cellspacing="3" cellpadding="3"
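Review bot: the "Please verify the version" steps (rpm -qip, tar -ztf, cat shorwall.version) only confirm which version a mirror served, not that the file is intact; since the links are plain http and ftp on third-party mirrors that lag the primary site by 1-12 hours, publish a checksum or a detached GPG signature on the primary site and tell readers to check it before installing, especially as the RPM installs an init script that runs as root. Also confirm whether "var/lib/lrpkg/shorwall.version" is the real file name inside the .lrp or a typo for shorewall.version.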
@ -97,14 +97,15 @@ mirrors occur 1-12 hours after an update to the primary site.</b></p>
<tr>
<td>Washington State, USA</td>
<td>Shorewall.net</td>
<td><a href="http://www.shorewall.net/pub/shorewall/LATEST.rpm">Download
.rpm</a><br>
<td><a
href="http://www.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br>
<a href="http://www.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a href="http://www.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a></td>
<td><a href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.rpm"
target="_blank"> Download .rpm</a> <br>
<td><a
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.rpm" target="_blank">
Download .rpm</a> <br>
<a href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.tgz"
target="_blank">Download .tgz</a> <br>
<a href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.lrp"
@ -123,7 +124,7 @@ mirrors occur 1-12 hours after an update to the primary site.</b></p>
.lrp</a></td>
<td> <a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
.rpm</a>  <br>
<a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.tgz">Download
.tgz</a> <br>
@ -136,7 +137,7 @@ mirrors occur 1-12 hours after an update to the primary site.</b></p>
<td>Infohiiway.com</td>
<td><a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.rpm">Download
.rpm</a><br>
.rpm</a><br>
<a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
@ -150,21 +151,23 @@ mirrors occur 1-12 hours after an update to the primary site.</b></p>
.tgz</a> <br>
<a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.lrp"> Download
.lrp</a></td>
.lrp</a></td>
</tr>
<tr>
<td>Hamburg, Germany</td>
<td>Shorewall.net</td>
<td><a
href="http://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download
.rpm</a><br>
<a href="http://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download
.rpm</a><br>
<a
href="http://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a><br>
<a href="http://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download
<a
href="http://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a></td>
<td> <a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download
.rpm</a>  <br>
.rpm</a>  <br>
<a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
@ -177,7 +180,7 @@ mirrors occur 1-12 hours after an update to the primary site.</b></p>
<td>Correofuego.com.ar</td>
<td> <a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
.rpm</a>  <br>
<a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br>
@ -186,7 +189,7 @@ mirrors occur 1-12 hours after an update to the primary site.</b></p>
Download .lrp</a></td>
<td> <a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
.rpm</a>  <br>
<a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br>
@ -198,20 +201,20 @@ mirrors occur 1-12 hours after an update to the primary site.</b></p>
<td>Paris, France</td>
<td>Shorewall.net</td>
<td><a href="http://france.shorewall.net/pub/LATEST.rpm">Download
.rpm</a><br>
.rpm</a><br>
<a href="http://france.shorewall.net/pub/LATEST.tgz">Download
.tgz</a> <br>
<a href="http://france.shorewall.net/pub/LATEST.lrp">Download
.lrp</a></td>
<td> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
.rpm</a>  <br>
<a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.lrp">Download
.lrp</a></td>
.lrp</a></td>
</tr>
</tbody>
@ -289,16 +292,20 @@ mirrors occur 1-12 hours after an update to the primary site.</b></p>
<blockquote>
<p align="left">The <a target="_top"
href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi">CVS repository at
cvs.shorewall.net</a> contains the latest snapshots of the each Shorewall
component. There's no guarantee that what you find there will work at all.</p>
cvs.shorewall.net</a> contains the latest snapshots of the each Shorewall
component. There's no guarantee that what you find there will work at
all.</p>
</blockquote>
<p align="left"><font size="2">Last Updated 9/26/2002 - <a
<p align="left"><font size="2">Last Updated 11/9/2002 - <a
href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br>
<br>
<br>
</body>
</html>
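Review bot: the rewrapped sentence "contains the latest snapshots of the each Shorewall component" keeps the stray "the" from the removed lines; since these lines are being reflowed anyway, drop it ("snapshots of each Shorewall component"). The run of trailing <br> elements before </body> is layout padding and would be better expressed with a margin style, but that is cosmetic.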

View File

@ -20,6 +20,7 @@
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1>
</td>
</tr>
@ -46,45 +47,87 @@ untar the archive, replace the 'firewall' script in the untarred director
<li>
<p align="left"> <b>When the instructions say to install a corrected
firewall script in /etc/shorewall/firewall, /usr/lib/shorewall/firewall
or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to overwrite
the existing file. DO NOT REMOVE OR RENAME THE OLD /etc/shorewall/firewall
or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to overwrite
the existing file. DO NOT REMOVE OR RENAME THE OLD /etc/shorewall/firewall
or /var/lib/shorewall/firewall before you do that. /etc/shorewall/firewall
and /var/lib/shorewall/firewall are symbolic links that point
to the 'shorewall' file used by your system initialization scripts to
start Shorewall during boot. It is that file that must be overwritten
with the corrected script. </b></p>
to the 'shorewall' file used by your system initialization scripts
to start Shorewall during boot. It is that file that must be overwritten
with the corrected script.</b></p>
</li>
<li>
<p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. For example,
do NOT install the 1.3.9a firewall script if you are running 1.3.7c.</font></b><br>
</p>
</li>
</ol>
<ul>
<li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
<li> <b><a href="#V1.3">Problems in Version
1.3</a></b></li>
<li> <b><a href="#V1.3">Problems in
Version 1.3</a></b></li>
<li> <b><a href="errata_2.htm">Problems
in Version 1.2</a></b></li>
in Version 1.2</a></b></li>
<li> <b><font color="#660066"> <a
href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
<li> <b><font color="#660066"><a
href="#iptables"> Problem with iptables version 1.2.3 on RH7.2</a></font></b></li>
<li> <b><a href="#Debug">Problems with kernels
&gt;= 2.4.18 and RedHat iptables</a></b></li>
<li> <b><a href="#Debug">Problems with
kernels &gt;= 2.4.18 and RedHat iptables</a></b></li>
<li><b><a href="#SuSE">Problems installing/upgrading RPM on SuSE</a></b></li>
<li><b><a href="#Multiport">Problems with iptables version 1.2.7 and
MULTIPORT=Yes</a></b></li>
<li><b><a href="#Multiport">Problems with iptables version 1.2.7
and MULTIPORT=Yes</a></b></li>
<li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10 and NAT</a></b><br>
</li>
</ul>
<hr>
<h2 align="left"><a name="V1.3"></a>Problems in Version 1.3</h2>
<h3>Version 1.3.8</h3>
<h3>Version 1.3.9a</h3>
<ul>
<li> Use of shell variables in the LOG LEVEL or SYNPARMS columns of the
policy file doesn't work.</li>
<li>A DNAT rule with the same original and new IP addresses but with different
port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24 tcp 25 - 10.1.1.1")<br>
<li> If entries are used in /etc/shorewall/hosts and MERGE_HOSTS=No then
the following message appears during "shorewall [re]start":</li>
</ul>
<pre> recalculate_interfacess: command not found<br></pre>
<blockquote> The updated firewall script at <a
href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
corrects this problem.Copy the script to /usr/lib/shorewall/firewall as described
above.<br>
</blockquote>
<blockquote> Alternatively, edit /usr/lob/shorewall/firewall and change the
single occurence (line 483 in version 1.3.9a) of 'recalculate_interefacess'
to 'recalculate_interface'. <br>
</blockquote>
<ul>
<li>The installer (install.sh) issues a misleading message "Common functions
installed in /var/lib/shorewall/functions" whereas the file is installed
in /usr/lib/shorewall/functions. The installer also performs incorrectly
when updating old configurations that had the file /etc/shorewall/functions.
<a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.3.9/install.sh">Here
is an updated version that corrects these problems.<br>
</a></li>
</ul>
<h3>Version 1.3.9</h3>
<b>TUNNELS Broken in 1.3.9!!! </b>There is an updated firewall script
at <a
href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
-- copy that file to /usr/lib/shorewall/firewall as described above.<br>
<br>
Version 1.3.8
<ul>
<li> Use of shell variables in the LOG LEVEL or SYNPARMS columns of
the policy file doesn't work.</li>
<li>A DNAT rule with the same original and new IP addresses but with
different port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24 tcp
25 - 10.1.1.1")<br>
</li>
</ul>
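Review bot: "Version 1.3.8" near the end of this hunk is emitted as bare text where the removed line had <h3>Version 1.3.8</h3>, so the 1.3.8 bullets now render as a continuation of the 1.3.9 paragraph; restore the <h3>. In the same region: "/usr/lob/shorewall/firewall" should read "/usr/lib/shorewall/firewall" (a user following the edit instruction literally will not find the file); the misspelled function is quoted two ways ("recalculate_interfacess" in the error output, "recalculate_interefacess" in the edit instruction), so one of them cannot match what users see on their screen, and they should be made identical; "problem.Copy" needs a space and "occurence" should be "occurrence".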
@ -125,12 +168,12 @@ port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24 tcp 25 - 10.1.1.1")<b
<ol>
<li>If the firewall is running a DHCP
server, the client won't be able to obtain
an IP address lease from that server.</li>
<li>With this order of checking, the "dhcp"
option cannot be used as a noise-reduction
measure where there are both dynamic and
static clients on a LAN segment.</li>
server, the client won't be able to obtain
an IP address lease from that server.</li>
<li>With this order of checking, the
"dhcp" option cannot be used as a noise-reduction
measure where there are both dynamic
and static clients on a LAN segment.</li>
</ol>
@ -159,9 +202,10 @@ an IP address lease from that server.</li>
<ul>
<li>
<p align="left">If ADD_SNAT_ALIASES=Yes is specified in /etc/shorewall/shorewall.conf,
an error occurs when the firewall script attempts to add an SNAT
alias. </p>
an error occurs when the firewall script attempts to add an
SNAT alias. </p>
</li>
<li>
<p align="left">The <b>logunclean </b>and <b>dropunclean</b> options
@ -242,8 +286,8 @@ so it's a good idea to run that command after you have made configura
by that name" then you probably have an entry in /etc/shorewall/hosts
that specifies an interface that you didn't include in /etc/shorewall/interfaces.
To correct this problem, you must add an entry to /etc/shorewall/interfaces.
Shorewall 1.3.3 and later versions produce a clearer error message
in this case.</p>
Shorewall 1.3.3 and later versions produce a clearer error
message in this case.</p>
<h3 align="left">Version 1.3.2</h3>
@ -256,8 +300,8 @@ version has a size of 38126 bytes.</p>
<li>The code to detect a duplicate interface entry in
/etc/shorewall/interfaces contained a typo that prevented it from
working correctly. </li>
<li>"NAT_BEFORE_RULES=No" was broken; it behaved just like
"NAT_BEFORE_RULES=Yes".</li>
<li>"NAT_BEFORE_RULES=No" was broken; it behaved just
like "NAT_BEFORE_RULES=Yes".</li>
</ul>
@ -268,6 +312,7 @@ version has a size of 38126 bytes.</p>
<ul>
<li>
<p align="left">The IANA have just announced the allocation of subnet
221.0.0.0/8. This <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/rfc1918">
@ -280,27 +325,28 @@ version has a size of 38126 bytes.</p>
<ul>
<li>TCP SYN packets may be double counted when
LIMIT:BURST is included in a CONTINUE or ACCEPT policy (i.e., each
LIMIT:BURST is included in a CONTINUE or ACCEPT policy (i.e., each
packet is sent through the limit chain twice).</li>
<li>An unnecessary jump to the policy chain is sometimes
generated for a CONTINUE policy.</li>
<li>When an option is given for more than one interface in
/etc/shorewall/interfaces then depending on the option, Shorewall
may ignore all but the first appearence of the option. For
example:<br>
<li>When an option is given for more than one interface
in /etc/shorewall/interfaces then depending on the option,
Shorewall may ignore all but the first appearence of the option.
For example:<br>
<br>
net    eth0    dhcp<br>
loc    eth1    dhcp<br>
<br>
Shorewall will ignore the 'dhcp' on eth1.</li>
<li>Update 17 June 2002 - The bug described in the prior bullet
affects the following options: dhcp, dropunclean, logunclean,
norfc1918, routefilter, multi, filterping and noping. An additional
bug has been found that affects only the 'routestopped' option.<br>
<li>Update 17 June 2002 - The bug described in the prior
bullet affects the following options: dhcp, dropunclean, logunclean,
norfc1918, routefilter, multi, filterping and noping. An
additional bug has been found that affects only the 'routestopped'
option.<br>
<br>
Users who downloaded the corrected script prior to 1850 GMT
today should download and install the corrected script again
to ensure that this second problem is corrected.</li>
Users who downloaded the corrected script prior to 1850
GMT today should download and install the corrected script
again to ensure that this second problem is corrected.</li>
</ul>
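Review bot: "appearence" in the rewrapped line "may ignore all but the first appearence of the option" should be "appearance"; the reflow is a good moment to fix it since the line is changing anyway.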
@ -349,7 +395,7 @@ iptables-1.2.4 rpm which you can download here</a>. If you are currently
<p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat
has released an iptables-1.2.4 RPM of their own which you can download
from<font color="#ff6633"> <a
from<font color="#ff6633"> <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
</font>I have installed this RPM on my firewall and it works fine.</p>
@ -391,6 +437,7 @@ from<font color="#ff6633"> <a
"iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
</blockquote>
<h3><a name="SuSE"></a>Problems installing/upgrading
RPM on SuSE</h3>
@ -416,7 +463,7 @@ from<font color="#ff6633"> <a
<li>set MULTIPORT=No in
/etc/shorewall/shorewall.conf; or </li>
<li>if you are running Shorewall 1.3.6
you may install
you may install
<a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
this firewall script</a> in /var/lib/shorewall/firewall
@ -424,7 +471,22 @@ you may install
</ul>
<p><font size="2"> Last updated 9/28/2002 -
<h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br>
</h3>
/etc/shorewall/nat entries of the following form will result in Shorewall
being unable to start:<br>
<br>
<pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22    eth0    192.168.9.22   yes     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
Error message is:<br>
<pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
The solution is to put "no" in the LOCAL column. Kernel support for LOCAL=yes
has never worked properly and 2.4.18-10 has disabled it. The 2.4.19 kernel
contains corrected support under a new kernel configuraiton option; see
<a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
<p><font size="2"> Last updated 10/9/2002 -
<a href="support.htm">Tom Eastep</a></font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
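Review bot: "configuraiton" in the sentence about the 2.4.19 kernel should be "configuration". The two new <pre> blocks carry <br> tags inside them; <pre> already preserves line breaks, so the tags double the spacing in browsers that honour both, and the trailing <br><br> in the error-message block is pure padding. Drop the <br> tags and keep one line per entry. The advice itself (put "no" in the LOCAL column) is the right one given that the text says LOCAL=yes has never worked properly.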
@ -432,5 +494,9 @@ you may install
<br>
<br>
<br>
<br>
<br>
<br>
<br>
</body>
</html>


View File

@ -1,59 +1,53 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Mailing List Problems</title>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Mailing List Problems</title>
</head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Mailing List Problems</font></h1>
<h1 align="center"><font color="#ffffff">Mailing List Problems</font></h1>
</td>
</tr>
</tbody>
</table>
<h2 align="left">Shorewall.net is currently experiencing mail delivery problems
to at least one address in each of the following domains:</h2>
to at least one address in each of the following domains:</h2>
<blockquote>
<div align="left">
<pre>2020ca - delivery to this domain has been disabled (cause unknown)
excite.com - delivery to this domain has been disabled (cause unknown)
epacificglobal.com - delivery to this domain has been disabled (no MX record for domain)
familie-fleischhacker.de - (connection timed out)
gmx.net - delivery to this domain has been disabled (cause unknown)
hotmail.com - delivery to this domain has been disabled (Mailbox over quota)
intercom.net - delivery to this domain has been disabled (cause unknown)
initialcs.com - delivery to this domain has been disabled (cause unknown)
intelligents.2y.net - delivery to this domain has been disabled (Name Service Problem -- Host not Found).
khp-inc.com - delivery to this domain has been disabled (anti-virus problems)
kieninger.de - delivery to this domain has been disabled (relaying to &lt;xxxxx@kieninger.de&gt; prohibited by administrator)
littleblue.de - (connection timed out)
opermail.net - delivery to this domain has been disabled (cause unknown)
penquindevelopment.com - delivery to this domain has been disabled (connection timed out)
scip-online.de - delivery to this domain has been disabled (cause unknown)
spctnet.com - connection timed out - delivery to this domain has been disabled
telusplanet.net - delivery to this domain has been disabled (cause unknown)
yahoo.com - delivery to this domain has been disabled (Mailbox over quota)</pre>
<pre>2020ca - delivery to this domain has been disabled (cause unknown)<br>arundel.homelinux.org - delivery to this domain has been disabled (connection timed out, connection refused)<br>asurfer.com - (Mailbox full)<br>cuscominc.com - delivery to this domain has been disable (bouncing mail from all sources with "Mail rejected because the server you are sending to is misconfigured").<br>excite.com - delivery to this domain has been disabled (cause unknown)<br>epacificglobal.com - delivery to this domain has been disabled (no MX record for domain)<br>freefish.dyndns.org - delivery to this domain has been disabled (Name Server Problem -- Host not found)<br>gmx.net - delivery to this domain has been disabled (cause unknown)<br>hotmail.com - delivery to this domain has been disabled (Mailbox over quota)<br>intercom.net - delivery to this domain has been disabled (cause unknown)<br>ionsphere.org - (connection timed out)<br>initialcs.com - delivery to this domain has been disabled (cause unknown)<br>intelligents.2y.net - delivery to this domain has been disabled (Name Service Problem -- Host not Found).<br>khp-inc.com - delivery to this domain has been disabled (anti-virus problems)<br>kieninger.de - delivery to this domain has been disabled (relaying to &lt;xxxxx@kieninger.de&gt; prohibited by administrator)<br>littleblue.de - (connection timed out)<br>navair.navy.mil - delivery to this domain has been disabled (A restriction in the system prevented delivery of the message)<br>opermail.net - delivery to this domain has been disabled (cause unknown)<br>opus.homeip.net - (SpamAssassin is missing the HiRes Time module)<br>penquindevelopment.com - delivery to this domain has been disabled (connection timed out)<br>scip-online.de - delivery to this domain has been disabled (cause unknown)<br>spctnet.com - connection timed out - delivery to this domain has been disabled<br>telusplanet.net - delivery to this domain has been disabled (cause unknown)<br>yahoo.com - delivery to 
this domain has been disabled (Mailbox over quota)</pre>
</div>
</blockquote>
</blockquote>
<p align="left"><font size="2">Last updated 8/23/2002 17:16 GMT -
<a href="support.htm">Tom
Eastep</a></font></p>
<p align="left"><font size="2">Last updated 11/3/2002 16:00 GMT - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm">
<font face="Trebuchet MS">
<font size="2">Copyright</font> © <font size="2">2002 Thomas M. Eastep.</font></font></a></p>
<p align="left">&nbsp;</p>
<p align="left"><a href="copyright.htm"> <font face="Trebuchet MS"> <font
size="2">Copyright</font> © <font size="2">2002 Thomas M. Eastep.</font></font></a></p>
<p align="left"> </p>
<br>
<br>
<br>
<br>
<br>
<br>
</body>
</html>
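Review bot: the replacement <pre> collapses the whole delivery-problem list onto a single line joined with <br>, whereas the removed version had one domain per line; that makes every future change to this list show up as a one-line rewrite in the diff and is unnecessary because <pre> keeps newlines. Keep one entry per line. Also, "delivery to this domain has been disable" (cuscominc.com entry) should be "disabled".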

View File

@ -34,34 +34,34 @@
<blockquote>
<p> I have DSL service and have 5 static IP addresses (206.124.146.176-180).
My DSL "modem" (<a href="http://www.fujitsu.com">Fujitsu</a> Speedport)
is connected to eth0. I have a local network connected to eth2 (subnet 192.168.1.0/24)
and a DMZ connected to eth1 (192.168.2.0/24). </p>
is connected to eth0. I have a local network connected to eth2 (subnet
192.168.1.0/24) and a DMZ connected to eth1 (192.168.2.0/24). </p>
<p> I use:<br>
</p>
<ul>
<li>Static NAT for ursa (my XP System) - Internal address 192.168.1.5
and external address 206.124.146.178.</li>
<li>Proxy ARP for wookie (my Linux System). This system has two IP addresses:
192.168.1.3/24 and 206.124.146.179/24.</li>
and external address 206.124.146.178.</li>
<li>Proxy ARP for wookie (my Linux System). This system has two IP
addresses: 192.168.1.3/24 and 206.124.146.179/24.</li>
<li>SNAT through the primary gateway address (206.124.146.176) for 
my Wife's system (tarry) and the Wireless Access Point (wap)</li>
my Wife's system (tarry) and the Wireless Access Point (wap)</li>
</ul>
<p> The firewall runs on a 128MB PII/233 with RH7.2 and Kernel 2.4.20-pre6.</p>
<p> Wookie runs Samba and acts as the a WINS server.  Wookie is in its
own 'whitelist' zone called 'me'.</p>
own 'whitelist' zone called 'me'.</p>
<p> My laptop (eastept1) is connected to eth3 using a cross-over cable.
It runs its own <a href="http://www.sygate.com"> Sygate</a> firewall software
and is managed by Proxy ARP. It connects to the local network through the
PopTop server running on my firewall. </p>
It runs its own <a href="http://www.sygate.com"> Sygate</a> firewall software
and is managed by Proxy ARP. It connects to the local network through
the PopTop server running on my firewall. </p>
<p> The single system in the DMZ (address 206.124.146.177) runs postfix,
Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP server
Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP server
(Pure-ftpd). The system also runs fetchmail to fetch our email from our
old and current ISPs. That server is managed through Proxy ARP.</p>
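Review bot: "acts as the a WINS server" carries a doubled article through the reflow; make it "acts as the WINS server" while the line is being changed.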
@ -72,7 +72,7 @@ Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP server
<p> I run an SNMP server on my firewall to serve <a
href="http://www.ee.ethz.ch/%7Eoetiker/webtools/mrtg/"> MRTG</a> running
in the DMZ.</p>
in the DMZ.</p>
<p align="center"> <img border="0"
src="images/network.png" width="764" height="846">
@ -87,14 +87,15 @@ in the DMZ.</p>
default gateway used by the firewall itself). On the firewall,
Shorewall automatically adds a host route to
206.124.146.177 through eth1 (192.168.2.1) because
of the entry in /etc/shorewall/proxyarp (see below).</p>
of the entry in /etc/shorewall/proxyarp (see
below).</p>
<p>A similar setup is used on eth3 (192.168.3.1) which
interfaces to my laptop (206.124.146.180).</p>
<p><font color="#ff0000" size="5"> Note: My files
use features not available before Shorewall version
1.3.4.</font></p>
use features not available before Shorewall
version 1.3.4.</font></p>
</blockquote>
<h3>Shorewall.conf</h3>
@ -108,11 +109,11 @@ of the entry in /etc/shorewall/proxyarp (see below).</
<h3>Interfaces File: </h3>
<blockquote>
<p> This is set up so that I can start the firewall before bringing up my
Ethernet interfaces. </p>
<p> This is set up so that I can start the firewall before bringing up
my Ethernet interfaces. </p>
</blockquote>
<pre><font face="Courier" size="2"> #ZONE INTERFACE BROADCAST OPTIONS<br> net eth0 206.124.146.255 routefilter,norfc1918,blacklist,filterping<br> loc eth2 192.168.1.255 dhcp<br> dmz eth1 206.124.146.255 -<br> net eth3 206.124.146.255 norfc1918<br> - texas -<br> loc ppp+<br> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
<pre><font face="Courier" size="2"> #ZONE INTERFACE BROADCAST OPTIONS<br> net eth0 206.124.146.255 routefilter,norfc1918,blacklist,filterping<br> loc eth2 192.168.1.255 dhcp,filterping,maclist<br> dmz eth1 206.124.146.255 filterping<br> net eth3 206.124.146.255 filterping,blacklist<br> - texas - filterping<br> loc ppp+ - filterping<br> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
<h3>Hosts File: </h3>
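Review bot: eth2 (loc) gains the maclist option in the new interfaces line, but nothing in this diff shows the /etc/shorewall/maclist entries that the option checks hosts against, so a reader copying these lines has only half of the configuration; add that file (or a pointer to where it is shown) to the page. Also check the red note earlier in the file, which still says these files need nothing newer than Shorewall 1.3.4: confirm that the options added here (maclist, and filterping on every interface including the texas and ppp+ entries) exist in that release, or bump the note, since this commit is the 1.3.10 release.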
@ -140,10 +141,11 @@ Ethernet interfaces. </p>
<blockquote>
<p> Although most of our internal systems use static NAT, my wife's system
(192.168.1.4) uses IP Masquerading (actually SNAT) as do visitors with laptops.</p>
(192.168.1.4) uses IP Masquerading (actually SNAT) as do visitors with
laptops. Also, I masquerade wookie to the peer subnet in Texas.</p>
</blockquote>
<pre><font size="2" face="Courier"> #INTERFACE SUBNET ADDRESS<br> eth0 192.168.1.0/24 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</font></pre>
<pre><font size="2" face="Courier"> #INTERFACE SUBNET ADDRESS<br> eth0 192.168.1.0/24 206.124.146.176<br> texas 206.124.146.179 192.168.1.254<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</font></pre>
<h3>NAT File: </h3>
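Review bot: the new masq entry "texas 206.124.146.179 192.168.1.254" rewrites wookie's public address to 192.168.1.254, but 192.168.1.254 is not introduced anywhere on the page (wookie is listed earlier with 192.168.1.3/24 and 206.124.146.179/24); add a sentence saying what 192.168.1.254 is (an address on the texas tunnel interface, presumably) so the entry can be understood without guessing.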
@ -151,18 +153,23 @@ Ethernet interfaces. </p>
<h3>Proxy ARP File:</h3>
<pre><font face="Courier" size="2"> #ADDRESS INTERFACE EXTERNAL HAVEROUTE<br> 206.124.146.177 eth1 eth0 No<br> 206.124.146.180 eth3 eth0 No<br> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
<pre><font face="Courier" size="2"> #ADDRESS INTERFACE EXTERNAL HAVEROU</font><font
face="Courier" size="2">TE<br> 206.124.146.177 eth1 eth0 No<br> 206.124.146.180 eth3 eth0 No<br></font><font
face="Courier" size="2"> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
<h3>Rules File (The shell variables
are set in /etc/shorewall/params):</h3>
<pre><font face="Courier" size="2"> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL<br> # PORT(S) PORT(S) PORT(S) DEST<br> #<br> # Local Network to Internet - Reject attempts by Trojans to call home<br> #<br> REJECT:info loc net tcp 6667<br> #<br> # Local Network to Firewall <br> #<br> ACCEPT loc fw tcp ssh<br> ACCEPT loc fw tcp time<br> #<br> # Local Network to DMZ <br> #<br> ACCEPT loc dmz udp domain<br> ACCEPT loc dmz tcp smtp<br> ACCEPT loc dmz tcp domain<br> ACCEPT loc dmz tcp ssh<br> ACCEPT loc dmz tcp auth<br> ACCEPT loc dmz tcp imap<br> ACCEPT loc dmz tcp https<br> ACCEPT loc dmz tcp imaps<br> ACCEPT loc dmz tcp cvspserver<br> ACCEPT loc dmz tcp www<br> ACCEPT loc dmz tcp ftp<br> ACCEPT loc dmz tcp pop3<br> ACCEPT loc dmz icmp echo-request<br> #<br> # Internet to DMZ <br> #<br> ACCEPT net dmz tcp www<br> ACCEPT net dmz tcp smtp<br> ACCEPT net dmz tcp ftp<br> ACCEPT net dmz tcp auth<br> ACCEPT net dmz tcp https<br> ACCEPT net dmz tcp imaps<br> ACCEPT net dmz tcp domain<br> ACCEPT net dmz tcp cvspserver<br> ACCEPT net dmz udp domain<br> ACCEPT net dmz icmp echo-request<br> ACCEPT net:$MIRRORS dmz tcp rsync<br> #<br> # Net to Me (ICQ chat and file transfers) <br> #<br> ACCEPT net me tcp 4000:4100<br> #<br> # Net to Local <br> #<br> ACCEPT net loc tcp auth<br> REJECT net loc tcp www<br> #<br> # DMZ to Internet<br> #<br> ACCEPT dmz net icmp echo-request<br> ACCEPT dmz net tcp smtp<br> ACCEPT dmz net tcp auth<br> ACCEPT dmz net tcp domain<br> ACCEPT dmz net tcp www<br> ACCEPT dmz net tcp https<br> ACCEPT dmz net tcp whois<br> ACCEPT dmz net tcp echo<br> ACCEPT dmz net udp domain<br> ACCEPT dmz net:$NTPSERVERS udp ntp<br> ACCEPT dmz net:$POPSERVERS tcp pop3<br> #<br> # The following compensates for a bug, either in some FTP clients or in the<br> # Netfilter connection tracking code that occasionally denies active mode<br> # FTP clients<br> #<br> ACCEPT:info dmz net tcp 1024: 20<br> #<br> # DMZ to Firewall -- snmp<br> #<br> ACCEPT dmz fw tcp snmp<br> ACCEPT dmz fw 
udp snmp<br> #<br> # DMZ to Local Network <br> #<br> ACCEPT dmz loc tcp smtp<br> ACCEPT dmz loc tcp auth<br> ACCEPT dmz loc icmp echo-request<br> # Internet to Firewall<br> #<br> ACCEPT net fw tcp 1723<br> ACCEPT net fw gre<br> REJECT net fw tcp www<br> #<br> # Firewall to Internet<br> #<br> ACCEPT fw net:$NTPSERVERS udp ntp<br> ACCEPT fw net udp domain<br> ACCEPT fw net tcp domain<br> ACCEPT fw net tcp www<br> ACCEPT fw net tcp https<br> ACCEPT fw net tcp ssh<br> ACCEPT fw net tcp whois<br> ACCEPT fw net icmp echo-request<br> #<br> # Firewall to DMZ<br> #<br> ACCEPT fw dmz tcp www<br> ACCEPT fw dmz tcp ftp<br> ACCEPT fw dmz tcp ssh<br> ACCEPT fw dmz tcp smtp<br> ACCEPT fw dmz udp domain<br> #<br> # Let Texas Ping<br> #<br> ACCEPT tx fw icmp echo-request<br> ACCEPT tx loc icmp echo-request<br><br> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
<p><font size="2"> Last updated 9/19/2002 - </font><font size="2">
<p><font size="2"> Last updated 10/14/2002 - </font><font size="2">
<a href="support.htm">Tom Eastep</a></font>
</p>
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
<br>
<br>
<br>
<br>
</body>
</html>
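Review bot: the proxyarp <pre> header is split across two <font> elements in the middle of a word ("HAVEROU</font><font ...>TE"), an editor artifact that should be merged into one run before the page is published. In the rules block, "ACCEPT dmz fw tcp snmp" and "ACCEPT dmz fw udp snmp" open SNMP on the firewall to the entire dmz zone; since the page says the only SNMP consumer is MRTG on the single DMZ host (206.124.146.177), and that host also runs the public-facing web, mail and FTP services, narrow the SOURCE to dmz:206.124.146.177 so a compromise of another future DMZ host does not get SNMP access to the firewall.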

View File

@ -1,122 +1,192 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Shorewall Port Information</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall Port Information</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Ports required for Various Services/Applications</font></h1>
<h1 align="center"><font color="#ffffff">Ports required for Various
Services/Applications</font></h1>
</td>
</tr>
</tbody>
</table>
<p>In addition to those applications described in <a href="Documentation.htm">the
/etc/shorewall/rules documentation</a>, here are some other
services/applications that you may need to configure your firewall to accommodate.</p>
<p>In addition to those applications described in <a
href="Documentation.htm">the /etc/shorewall/rules documentation</a>, here
are some other services/applications that you may need to configure your firewall
to accommodate.</p>
<p>NTP (Network Time Protocol)</p>
<blockquote>
<p>UDP Port 123</p>
</blockquote>
<p>rdate</p>
</blockquote>
<p>rdate</p>
<blockquote>
<p>TCP Port 37</p>
</blockquote>
<p>UseNet (NNTP)</p>
</blockquote>
<p>UseNet (NNTP)</p>
<blockquote>
<p>TCP Port 119</p>
</blockquote>
</blockquote>
<p>DNS</p>
<blockquote>
<p>UDP Port 53. If you are configuring a DNS client, you will probably want to
open TCP Port 53 as well.<br>
If you are configuring a server, only open TCP Port 53 if you will return long
replies to queries or if you need to enable ZONE transfers.&nbsp;In the latter
case, be sure that your server is properly configured.</p>
</blockquote>
<p>ICQ&nbsp;&nbsp;&nbsp;</p>
<p>UDP Port 53. If you are configuring a DNS client, you will probably want
to open TCP Port 53 as well.<br>
If you are configuring a server, only open TCP Port 53 if you will return
long replies to queries or if you need to enable ZONE transfers. In the
latter case, be sure that your server is properly configured.</p>
</blockquote>
<p>ICQ   </p>
<blockquote>
<p>UDP Port 4000. You will also need to open a range of TCP ports which you
can specify to your ICQ client. By default, clients use 4000-4100.</p>
</blockquote>
<p>UDP Port 4000. You will also need to open a range of TCP ports which
you can specify to your ICQ client. By default, clients use 4000-4100.</p>
</blockquote>
<p>PPTP</p>
<blockquote>
<p><u>Protocol</u> 47 (NOT <u>port</u> 47) and TCP Port 1723 (<a href="PPTP.htm">Lots more
information here</a>).</p>
</blockquote>
<p><u>Protocol</u> 47 (NOT <u>port</u> 47) and TCP Port 1723 (<a
href="PPTP.htm">Lots more information here</a>).</p>
</blockquote>
<p>IPSEC</p>
<blockquote>
<p><u>Protocols</u> 50 and 51 (NOT <u>ports</u> 50 and 51) and UDP Port 500.
These should be opened in both directions.</p>
</blockquote>
<p><u>Protocols</u> 50 and 51 (NOT <u>ports</u> 50 and 51) and UDP Port
500. These should be opened in both directions.</p>
</blockquote>
<p>SMTP</p>
<blockquote>
<p>&nbsp;TCP Port 25.</p>
</blockquote>
<p> TCP Port 25.</p>
</blockquote>
<p>POP3</p>
<blockquote>
<p>TCP Port 110.</p>
</blockquote>
</blockquote>
<p>TELNET</p>
<blockquote>
<p>TCP Port 23.</p>
</blockquote>
</blockquote>
<p>SSH</p>
<blockquote>
<p>TCP Port 22.</p>
</blockquote>
</blockquote>
<p>Auth (identd)</p>
<blockquote>
<p>TCP Port 113</p>
</blockquote>
</blockquote>
<p>Web Access</p>
<p>Web Access</p>
<blockquote>
<p>TCP Ports 80 and 443.</p>
</blockquote>
<p>FTP</p>
</blockquote>
<p>FTP</p>
<blockquote>
<p>Server configuration is covered on in <a href="Documentation.htm#Rules">the
/etc/shorewall/rules documentation</a>,</p>
<p>Server configuration is covered on in <a
href="Documentation.htm#Rules">the /etc/shorewall/rules documentation</a>,</p>
<p>For a client, you must open outbound TCP port 21 and be sure that your
kernel is compiled to support FTP connection tracking. If you build this
support as a module, Shorewall will automatically load the module from
/var/lib/&lt;<i>kernel version</i>&gt;/kernel/net/ipv4/netfilter.&nbsp;</p>
</blockquote>
/var/lib/&lt;<i>kernel version</i>&gt;/kernel/net/ipv4/netfilter. <br>
</p>
<p>If you run an FTP server on a nonstandard port or you need to access
such a server, then you must specify that port in /etc/shorewall/modules.
For example, if you run an FTP server that listens on port 49 then you would
have:<br>
</p>
<blockquote>
<p>loadmodule ip_conntrack_ftp ports=21,49<br>
loadmodule ip_nat_ftp ports=21,49<br>
</p>
</blockquote>
<p>Note that you MUST include port 21 in the <i>ports</i> list or you may
have problems accessing regular FTP servers.</p>
<p>If there is a possibility that these modules might be loaded before Shorewall
starts, then you should include the port list in /etc/modules.conf:<br>
</p>
<blockquote>
<p>options ip_conntrack_ftp ports=21,49<br>
options ip_nat_ftp ports=21,49<br>
</p>
</blockquote>
</blockquote>
<p>SMB/NMB (Samba/Windows Browsing/File Sharing)</p>
<blockquote> </blockquote>
<p>SMB/NMB (Samba/Windows Browsing/File Sharing)</p>
<blockquote>
<p>TCP Ports 137, 139 and 445.<br>
UDP Ports 137-139.<br>
<br>
Also, <a href="samba.htm">see this page</a>.</p>
</blockquote>
</blockquote>
<p>Traceroute</p>
<p>Traceroute</p>
<blockquote>
<p>UDP ports 33434 through 33434+<i>&lt;max number of hops&gt;</i>-1</p>
</blockquote>
<p>NFS</p>
</blockquote>
<p>NFS</p>
<blockquote>
<p>There's some good information at&nbsp;
<a href="http://nfs.sourceforge.net/nfs-howto/security.html">
http://nfs.sourceforge.net/nfs-howto/security.html</a></p>
</blockquote>
<p>Didn't find what you are looking for -- have you looked in your own
/etc/services file? </p>
<p>There's some good information at  <a
href="http://nfs.sourceforge.net/nfs-howto/security.html"> http://nfs.sourceforge.net/nfs-howto/security.html</a></p>
</blockquote>
<p>Still looking? Try
<a href="http://www.networkice.com/advice/Exploits/Ports">
http://www.networkice.com/advice/Exploits/Ports</a></p>
<p>Didn't find what you are looking for -- have you looked in your own /etc/services
file? </p>
<p><font size="2">Last updated 8/21/2002 - </font><font size="2">
<a href="support.htm">Tom
Eastep</a></font> </p>
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></body></html>
<p>Still looking? Try <a
href="http://www.networkice.com/advice/Exploits/Ports"> http://www.networkice.com/advice/Exploits/Ports</a></p>
<p><font size="2">Last updated 10/22/2002 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
<br>
</body>
</html>
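Review bot: the FTP client paragraph (in both the old and the rewritten wording) sends the reader to /var/lib/&lt;kernel version&gt;/kernel/net/ipv4/netfilter for the connection-tracking modules, but kernel modules are installed under /lib/modules/&lt;kernel version&gt;/kernel/net/ipv4/netfilter, which is where modprobe and a loadmodule entry will actually find ip_conntrack_ftp and ip_nat_ftp; that path should be corrected while the paragraph is being touched. Two smaller points in the same hunk: "Server configuration is covered on in" still carries the stray "on", and that sentence ends in a comma instead of a full stop. The added /etc/shorewall/modules and /etc/modules.conf examples for a non-standard FTP port are a useful addition; the sentence insisting that port 21 stay in the ports list is the part readers most need, since a list like "ports=49" would silently stop tracking ordinary FTP sessions and break data connections through the firewall.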

View File

@ -29,17 +29,19 @@
<p>"I just installed Shorewall after weeks of messing with ipchains/iptables
and I had it up and running in under 20 minutes!" -- JL, Ohio<br>
</p>
"My case was almost like [the one above]. Well. instead of 'weeks' it was
</p>
"My case was almost like [the one above]. Well. instead of 'weeks' it was
'months' for me, and I think I needed two minutes more:<br>
<ul>
<li>One to see that I had no Internet access from the firewall itself.</li>
<li>Other to see that this was the default configuration, and it was enough
to uncomment a line in /etc/shorewall/policy.<br>
</li>
</ul>
Minutes instead of months! Congratulations and thanks for such a simple and
well documented thing for something as huge as iptables." -- JV, Spain.
Minutes instead of months! Congratulations and thanks for such a simple
and well documented thing for something as huge as iptables." -- JV, Spain.
<p>"I downloaded Shorewall 1.2.0 and installed it on Mandrake 8.1 without
any problems. Your documentation is great and I really appreciate your
@ -51,25 +53,25 @@ scripts but this one is till now the best." -- B.R, Netherlands
</p>
<p>"Never in my +12 year career as a sys admin have I witnessed someone
so relentless in developing a secure, state of the art, save and useful
so relentless in developing a secure, state of the art, safe and useful
product as the Shorewall firewall package for no cost or obligation
involved." -- Mario Kericki, Toronto </p>
involved." -- Mario Kerecki, Toronto </p>
<p>"one time more to report, that your great shorewall in the latest
release 1.2.9 is working fine for me with SuSE Linux 7.3! I now
have 7 machines up and running with shorewall on several versions -
starting with 1.2.2 up to the new 1.2.9 and I never have encountered
any problems!" -- SM, Germany</p>
release 1.2.9 is working fine for me with SuSE Linux 7.3! I now have
7 machines up and running with shorewall on several versions - starting
with 1.2.2 up to the new 1.2.9 and I never have encountered any problems!"
-- SM, Germany</p>
<p>"You have the best support of any other package I've ever used."
-- SE, US </p>
<p>"Because our company has information which has been classified by the
national government as secret, our security doesn't stop by putting a fence
national government as secret, our security doesn't stop by putting a fence
around our company. Information security is a hot issue. We also make use
of checkpoint firewalls, but not all of the internet servers are guarded
by checkpoint, some of them are running....Shorewall." -- Name withheld
by request, Europe</p>
by checkpoint, some of them are running....Shorewall." -- Name withheld by
request, Europe</p>
<p>"thanx for all your efforts you put into shorewall - this product stands
out against a lot of commercial stuff i´ve been working with in terms of
@ -90,12 +92,13 @@ people recommending it. :-)<br>
<br>
 </p>
<p><font size="2" face="Century Gothic, Arial, Helvetica">Updated 9/24/2002
<p><font size="2" face="Century Gothic, Arial, Helvetica">Updated 10/9/2002
- <a href="support.htm">Tom Eastep</a> </font>
</p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
</body>
</html>

View File

@ -3,10 +3,12 @@
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.3</title>
<base target="_self">
</head>
<body>
@ -17,15 +19,21 @@
bgcolor="#4b017c">
<tbody>
<tr>
<td width="100%" height="90">
<td width="100%"
height="90">
<h1 align="center"> <font size="4"><i> <a
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4"
alt="Shorwall Logo" height="70" width="85" align="left"
src="images/washington.jpg" border="0">
</a></i></font><font color="#ffffff">Shorewall 1.3
- <font size="4">"<i>iptables made easy"</i></font></font></h1>
</a></i></font><font
color="#ffffff">Shorewall 1.3 - <font size="4">"<i>iptables
made easy"</i></font></font></h1>
<div align="center"><a href="1.2" target="_top"><font
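Review bot: the alt text of the logo image, alt="Shorwall Logo", still misspells the product name in the reformatted lines; it should read "Shorewall Logo".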
@ -36,6 +44,7 @@
</tr>
</tbody>
</table>
@ -49,31 +58,44 @@
<td width="90%">
<h2 align="left">What is it?</h2>
<p>The Shoreline Firewall, more commonly known as "Shorewall", is a
<a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
that can be used on a dedicated firewall system, a multi-function
<p>The Shoreline Firewall, more commonly known as "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
firewall that can be used on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system.</p>
<p>This program is free software; you can redistribute it and/or modify
it under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU General
Public License</a> as published by the Free Software Foundation.<br>
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
General Public License</a> as published by the Free Software Foundation.<br>
<br>
This program is distributed in the hope that
it will be useful, but WITHOUT ANY WARRANTY; without even the
implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
PURPOSE. See the GNU General Public License for more details.<br>
This program is distributed
in the hope that it will be useful, but WITHOUT
ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
Public License for more details.<br>
<br>
You should have received a copy of the GNU General
Public License along with this program; if not, write to the
Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA
02139, USA</p>
You should have received
a copy of the GNU General Public License along with
this program; if not, write to the Free Software Foundation,
Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
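Review bot: the reflowed GPL notice still gives the Free Software Foundation's old address (675 Mass Ave, Cambridge, MA 02139); the address the FSF asked licensees to use at the time of this page was 59 Temple Place, Suite 330, Boston, MA 02111-1307, so this is a good moment to update the notice rather than just reflow it.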
@ -81,160 +103,233 @@ PURPOSE. See the GNU General Public License for more details.<br>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques Nilo and Eric Wolzak have a LEAF
distribution called <i>Bering</i> that features Shorewall-1.3.3
and Kernel-2.4.18. You can find their work at: <a
</a>Jacques Nilo and
Eric Wolzak have a LEAF (router/firewall/gateway on a floppy, CD
or compact flash) distribution called <i>Bering</i> that
features Shorewall-1.3.9b and Kernel-2.4.18. You can find
their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
<h2>Thinking of Downloading this Site for Offline Browsing?</h2>
You might want to reconsider -- this site is <u><b>213 MB!!!</b></u>
and you will almost certainly be blacklisted before you download the whole
thing (my SDSL is only 384kbs so I'll have lots of time to catch you). Besides,
if you simply download the product and install it, you get the essential
parts of the site in a fraction of the time. And do you really want to download:<br>
<ul>
<li>Both text and HTML versions of every post ever made on three
different mailing lists (65 MB)?</li>
<li>Every .rpm, .tgz and .lrp ever released for both Shorewall
and Seawall (92MB and 10MB respectively)?</li>
<li>A 2.2.17-14 i586 RedHat Kernel RPM (6.9MB)?<br>
</li>
<li>Several ancient RPMs for courier-imap and maildrop (1.5MB).<br>
</li>
</ul>
You get all that and more if you do a blind recurive copy of this site.
Happy downloading!<br>
<h2>News</h2>
<p><b>9/28/2002 - Shorewall 1.3.9</b></p>
<p>In this version:<br>
</p>
<h2></h2>
<p><b>11/09/2002 - Shorewall 1.3.10</b><b> </b><b><img border="0"
src="file:///home/teastep/Shorewall-docs/images/new10.gif" width="28"
height="12" alt="(New)">
</b></p>
<p>In this version:</p>
<ul>
<li><a href="configuration_file_basics.htm#dnsnames">DNS Names</a>
are now allowed in Shorewall config files (although I recommend against
using them).</li>
<li>The connection SOURCE may now be qualified by both interface
and IP address in a <a href="Documentation.htm#Rules">Shorewall rule</a>.</li>
<li>Shorewall startup is now disabled after initial installation
until the file /etc/shorewall/startup_disabled is removed. This avoids
nasty surprises at reboot for users who install Shorewall but don't configure
it.</li>
<li>The 'functions' and 'version' files and the 'firewall' symbolic
link have been moved from /var/lib/shorewall to /usr/lib/shorewall to appease
the LFS police at Debian.<br>
<li>You may now <a href="IPSEC.htm#Dynamic">define the contents
of a zone dynamically</a> with the <a
href="starting_and_stopping_shorewall.htm">"shorewall add" and "shorewall
delete" commands</a>. These commands are expected to be used primarily within
<a href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a> updown
scripts.</li>
<li>Shorewall can now do<a href="MAC_Validation.html"> MAC verification</a>
on ethernet segments. You can specify the set of allowed MAC addresses on
the segment and you can optionally tie each MAC address to one or more IP
addresses.</li>
<li>PPTP Servers and Clients running on the firewall system may
now be defined in the<a href="PPTP.htm"> /etc/shorewall/tunnels</a> file.</li>
<li>A new 'ipsecnat' tunnel type is supported for use when the
<a href="IPSEC.htm">remote IPSEC endpoint is behind a NAT gateway</a>.</li>
<li>The PATH used by Shorewall may now be specified in <a
href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
<li>The main firewall script is now /usr/lib/shorewall/firewall.
The script in /etc/init.d/shorewall is very small and uses /sbin/shorewall
to do the real work. This change makes custom distributions such as for Debian
and for Gentoo easier to manage since it is /etc/init.d/shorewall that tends
to have distribution-dependent code.</li>
</ul>
If you have installed the 1.3.10 Beta 1 RPM and are now upgrading to version
1.3.10, you will need to use the '--force' option:<br>
<blockquote>
<pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm</pre>
</blockquote>
<p><b>10/24/2002 - Shorewall is now in Gentoo Linux</b><a
href="http://www.gentoo.org"><br>
</a></p>
Alexandru Hartmann reports that his Shorewall package is now a part
of <a href="http://www.gentoo.org">the Gentoo Linux distribution</a>.
Thanks Alex!<br>
<p><b>10/23/2002 - Shorewall 1.3.10 Beta 1</b><b> </b></p>
In this version:<br>
<ul>
<li>You may now <a href="IPSEC.htm#Dynamic">define the
contents of a zone dynamically</a> with the <a
href="starting_and_stopping_shorewall.htm">"shorewall add" and "shorewall
delete" commands</a>. These commands are expected to be used primarily
within <a href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a>
updown scripts.</li>
<li>Shorewall can now do<a href="MAC_Validation.html">
MAC verification</a> on ethernet segments. You can specify the set of
allowed MAC addresses on the segment and you can optionally tie each
MAC address to one or more IP addresses.</li>
<li>PPTP Servers and Clients running on the firewall system
may now be defined in the<a href="PPTP.htm"> /etc/shorewall/tunnels</a>
file.</li>
<li>A new 'ipsecnat' tunnel type is supported for use when
the <a href="IPSEC.htm">remote IPSEC endpoint is behind a NAT
gateway</a>.</li>
<li>The PATH used by Shorewall may now be specified in
<a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
<li>The main firewall script is now /usr/lib/shorewall/firewall.
The script in /etc/init.d/shorewall is very small and uses /sbin/shorewall
to do the real work. This change makes custom distributions such as
for Debian and for Gentoo easier to manage since it is /etc/init.d/shorewall
that tends to have distribution-dependent code.</li>
</ul>
You may download the Beta from:<br>
<ul>
<li><a
href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a></li>
<li><a
href="ftp://ftp.shorewall.net/pub/shorewall/Beta" target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
</li>
</ul>
<p><b>9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability
Restored</b><b> </b><b><img border="0" src="images/new10.gif"
width="28" height="12" alt="(New)">
<p><b>10/10/2002 -  Debian 1.3.9b Packages Available </b><b>
</b><br>
</p>
<img src="images/j0233056.gif" alt="Brown Paper Bag"
width="50" height="86" align="left">
A couple of recent configuration changes at www.shorewall.net broke
the Search facility:<br>
<blockquote>
<ol>
<li>Mailing List Archive Search was not available.</li>
<li>The Site Search index was incomplete</li>
<li>Only one page of matches was presented.</li>
</ol>
</blockquote>
Hopefully these problems are now corrected.
<p><b>9/18/2002 - Debian 1.3.8 Packages Available </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b><br>
</p>
<p>Apt-get sources listed at <a
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a></p>
<b> </b>
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html.</a></p>
<p><b>9/16/2002 - Shorewall 1.3.8 </b><b><img border="0"
<p><b>10/9/2002 - Shorewall 1.3.9b </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
This release rolls up fixes to the installer and to the
firewall script.<br>
<b><br>
10/6/2002 - Shorewall.net now running on RH8.0 </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b><br>
<br>
The firewall and server here at shorewall.net are now
running RedHat release 8.0.<br>
<p><b>9/30/2002 - Shorewall 1.3.9a</b><b>
</b></p>
Roles up the fix for broken tunnels.<br>
<p><b>9/30/2002 - TUNNELS Broken in 1.3.9!!!</b><b>
</b></p>
<img src="images/j0233056.gif"
alt="Brown Paper Bag" width="50" height="86" align="left">
There is an updated firewall script at <a
href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
-- copy that file to /usr/lib/shorewall/firewall.<br>
<p><b><br>
</b></p>
<p><b><br>
</b></p>
<p><b><br>
9/28/2002 - Shorewall 1.3.9 </b><b>
</b></p>
<p>In this version:<br>
</p>
<ul>
<li>A NEWNOTSYN option has been added to shorewall.conf.
This option determines whether Shorewall accepts TCP packets which
are not part of an established connection and that are not 'SYN' packets
(SYN flag on and ACK flag off).</li>
<li>The need for the 'multi' option to communicate
between zones za and zb on the same interface is removed in the case
where the chain 'za2zb' and/or 'zb2za' exists. 'za2zb' will exist if:
<ul>
<li>There is a policy for za to zb; or</li>
<li>There is at least one rule for za to zb.
<li><a
href="configuration_file_basics.htm#dnsnames">DNS Names</a> are now
allowed in Shorewall config files (although I recommend against
using them).</li>
<li>The connection SOURCE may now be
qualified by both interface and IP address in a <a
href="Documentation.htm#Rules">Shorewall rule</a>.</li>
<li>Shorewall startup is now disabled
after initial installation until the file /etc/shorewall/startup_disabled
is removed. This avoids nasty surprises at reboot for users
who install Shorewall but don't configure it.</li>
<li>The 'functions' and 'version' files
and the 'firewall' symbolic link have been moved from /var/lib/shorewall
to /usr/lib/shorewall to appease the LFS police at Debian.<br>
</li>
</ul>
</li>
</ul>
<ul>
<li>The /etc/shorewall/blacklist file now contains
three columns. In addition to the SUBNET/ADDRESS column, there are
optional PROTOCOL and PORT columns to block only certain applications
from the blacklisted addresses.<br>
</li>
</ul>
<p><b>9/11/2002 - Debian 1.3.7c Packages Available </b></p>
<p>Apt-get sources listed at <a
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a>.</p>
<p><b>9/2/2002 - Shorewall 1.3.7c</b></p>
<p>This is a role up of a fix for "DNAT" rules where the source zone
is $FW (fw).</p>
<p><b>8/26/2002 - Shorewall 1.3.7b</b></p>
<p>This is a role up of the "shorewall refresh" bug fix and the change
which reverses the order of "dhcp" and "norfc1918" checking.</p>
<p><b>8/26/2002 - French FTP Mirror is Operational</b></p>
<p><a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall">ftp://france.shorewall.net/pub/mirrors/shorewall</a>
is now available.</p>
<p><b>8/25/2002 - Shorewall Mirror in France </b></p>
<p>Thanks to a Shorewall user in Paris, the Shorewall web site is now
mirrored at <a target="_top"
href="http://france.shorewall.net">http://france.shorewall.net</a>.</p>
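Review bot: the "(New)" image added to the 11/09/2002 - Shorewall 1.3.10 heading has src="file:///home/teastep/Shorewall-docs/images/new10.gif", a path on the author's workstation that will be a broken image for every visitor; the other entries use the relative src="images/new10.gif" and this one should too. Second, the four 1.3.10 items (DNS names in config files, SOURCE qualified by interface and address, startup disabled until /etc/shorewall/startup_disabled is removed, and the move of 'functions'/'version'/'firewall' to /usr/lib/shorewall) appear a second time inside the 9/28/2002 - Shorewall 1.3.9 entry, nested in the "'za2zb' will exist if:" sublist between "There is at least one rule for za to zb." and the closing </ul>; that looks like a paste accident and the duplicated items should be removed from the 1.3.9 entry, restoring the </li> after the "at least one rule" bullet. Third, the 9/30/2002 "TUNNELS Broken in 1.3.9" entry tells readers to copy the errata script to /usr/lib/shorewall/firewall, while the 1.3.10 entry above states that the 'firewall' link only moved from /var/lib/shorewall to /usr/lib/shorewall in 1.3.10; for a 1.3.9 installation the errata instruction should name the 1.3.9 location, or say which version it applies to. Minor wording: "Roles up the fix for broken tunnels" should be "Rolls up", "blind recurive copy" should be "recursive", and in the 10/10/2002 entry the trailing period has moved inside the anchor ("debian.html.</a>"), which makes the link text wrong.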
@ -242,25 +337,34 @@ are not part of an established connection and that are not 'SYN' packets
<h2><a name="Donations"></a>Donations</h2>
</td>
<td width="88" bgcolor="#4b017c"
valign="top" align="center"> <a
<td width="88"
bgcolor="#4b017c" valign="top" align="center"> <a
href="http://sourceforge.net">M</a></td>
</tr>
</tbody>
</table>
</center>
</div>
<table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c">
<tbody>
<tr>
<td width="100%" style="margin-top: 1px;">
<td width="100%"
style="margin-top: 1px;">
<p align="center"><a href="http://www.starlight.org"> <img
@ -269,27 +373,25 @@ are not part of an established connection and that are not 'SYN' packets
  </a></p>
<p align="center"><font size="4" color="#ffffff">Shorewall is free but
if you try it and find it useful, please consider making a donation
<p align="center"><font size="4" color="#ffffff">Shorewall is free
but if you try it and find it useful, please consider making a donation
to <a href="http://www.starlight.org"><font
color="#ffffff">Starlight Children's Foundation.</font></a> Thanks!</font></p>
</td>
</tr>
</tbody>
</table>
<p><font size="2">Updated 9/27/2002 - <a href="support.htm">Tom Eastep</a></font>
<p><font size="2">Updated 11/9/2002 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
</p>
</body>
</html>

View File

@ -20,6 +20,7 @@
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Tom Eastep</font></h1>
</td>
</tr>
@ -27,23 +28,23 @@
</tbody>
</table>
<p align="center"> <img border="3" src="images/Hiking1.jpg"
alt="Tom on the PCT - 1991" width="374" height="365">
</p>
<p align="center"> <img border="3" src="images/TomNTarry.png"
alt="Tom on the PCT - 1991" width="316" height="392">
</p>
<p align="center">Tom on the Pacific Crest Trail north of Stevens Pass,
Washington  -- Sept 1991.<br>
<font size="2">Photo by Ken Mazawa</font></p>
<p align="center">Tarry &amp; Tom -- August 2002<br>
<br>
</p>
<ul>
<li>Born 1945 in <a href="http://www.experiencewashington.com">Washington
State</a> .</li>
<li>BA Mathematics from <a href="http://www.wsu.edu">Washington State
University</a> 1967</li>
<li>BA Mathematics from <a href="http://www.wsu.edu">Washington
State University</a> 1967</li>
<li>MA Mathematics from <a href="http://www.washington.edu">University
of Washington</a> 1969</li>
of Washington</a> 1969</li>
<li>Burroughs Corporation (now <a href="http://www.unisys.com">Unisys</a>
) 1969 - 1980</li>
) 1969 - 1980</li>
<li><a href="http://www.tandem.com">Tandem Computers, Incorporated</a>
(now part of the <a href="http://www.hp.com">The New HP</a>) 1980 - present</li>
<li>Married 1969 - no children.</li>
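Review bot: the new photo images/TomNTarry.png keeps the old image's alt="Tom on the PCT - 1991" although its caption now reads "Tarry &amp; Tom -- August 2002"; the alt text should describe the new picture.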
@ -54,11 +55,11 @@ of Washington</a> 1969</li>
operating system from the NonStop Enterprise Division of HP. </p>
<p>I became interested in Internet Security when I established a home office
in 1999 and had DSL service installed in our home. I investigated ipchains
and developed the scripts which are now collectively known as <a
in 1999 and had DSL service installed in our home. I investigated
ipchains and developed the scripts which are now collectively known as <a
href="http://seawall.sourceforge.net"> Seattle Firewall</a>. Expanding
on what I learned from Seattle Firewall, I then designed and wrote
Shorewall. </p>
on what I learned from Seattle Firewall, I then designed and wrote
Shorewall. </p>
<p>I telework from our home in <a href="http://www.cityofshoreline.com">Shoreline,
Washington</a> where I live with my wife Tarry. </p>
@ -66,23 +67,24 @@ Shorewall. </p>
<p>Our current home network consists of: </p>
<ul>
<li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &amp; 8GB IDE HDs
and LNE100TX (Tulip) NIC - My personal Windows system.</li>
<li>Celeron 1.4Gz, RH7.3, 384MB RAM, 60GB HD, LNE100TX(Tulip) NIC -
My personal Linux System which runs Samba configured as a WINS server.
This system also has <a href="http://www.vmware.com/">VMware</a> installed
and can run both <a href="http://www.debian.org">Debian</a> and
<a href="http://www.suse.com">SuSE</a> in virtual machines.</li>
<li>K6-2/350, RH7.3, 384MB RAM, 8GB IDE HD, EEPRO100 NIC  - Mail (Postfix
&amp; Courier-IMAP), HTTP (Apache), FTP (Pure_ftpd), DNS server (Bind).</li>
<li>PII/233, RH7.3 with 2.4.20-pre6 kernel, 256MB MB RAM, 2GB SCSI HD
- 3 LNE100TX  (Tulip) and 1 TLAN NICs  - Firewall running Shorewall
1.3.9 (Yep -- I run them before I release them) and a DHCP server.  Also
runs PoPToP for road warrior access.</li>
<li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &amp; 8GB IDE
HDs and LNE100TX (Tulip) NIC - My personal Windows system. Also has
RedHat 8.0 installed.</li>
<li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip) NIC
- My personal Linux System which runs Samba configured as a WINS server.
This system also has <a href="http://www.vmware.com/">VMware</a> installed
and can run both <a href="http://www.debian.org">Debian Woody</a>
and <a href="http://www.suse.com">SuSE 8.1</a> in virtual machines.</li>
<li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC  - Mail
(Postfix &amp; Courier-IMAP), HTTP (Apache), FTP (Pure_ftpd), DNS server
(Bind).</li>
<li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI HD - 3 LNE100TX 
(Tulip) and 1 TLAN NICs  - Firewall running Shorewall 1.3.9a  and a DHCP
server.  Also runs PoPToP for road warrior access.</li>
<li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - My wife's
personal system.</li>
<li>PII/400 Laptop, Win2k SP2, 224MB RAM, 12GB HD, onboard EEPRO100
and EEPRO100 in expansion base and LinkSys WAC11 - My main work system.</li>
and EEPRO100 in expansion base and LinkSys WAC11 - My main work system.</li>
</ul>
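Review bot: the firewall entry still reads "256MB MB RAM" in the rewritten line (the unit is duplicated, as it was in the line being replaced); "256MB RAM" is intended. The same list writes clock speeds as "1.2Gz" and "1.4Gz", which should be "GHz".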
@ -95,17 +97,22 @@ and EEPRO100 in expansion base and LinkSys WAC11 - My main work system.</li>
<p><a href="http://www.redhat.com"><img border="0"
src="images/poweredby.png" width="88" height="31">
</a><a href="http://www.compaq.com"><img border="0"
</a><a href="http://www.compaq.com"><img border="0"
src="images/poweredbycompaqlog0.gif" hspace="3" width="83" height="25">
</a><a href="http://www.pureftpd.org"><img border="0"
</a><a href="http://www.pureftpd.org"><img border="0"
src="images/pure.jpg" width="88" height="31">
</a><font size="4"><a href="http://www.apache.org"><img border="0"
</a><font size="4"><a href="http://www.apache.org"><img border="0"
src="images/apache_pb1.gif" hspace="2" width="170" height="20">
</a> </font></p>
</a> </font></p>
<p><font size="2">Last updated 9/19/2002 - </font><font size="2"> <a
<p><font size="2">Last updated 10/28/2002 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
<br>
<br>
<br>
<br>
<br>
</body>
</html>

View File

@ -1,26 +0,0 @@
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Shorewall CA Certificate</title>
</head>
<body>
<h1 align="center">Shorewall CA Certificate</h1>
<p align="center">Load <a href="ca.crt">this certificate</a> into your browser
to use SSL to the Shorewall Site</p>
<p align="left"><font size="2">Last updated
8/10/2002 - <a href="support.htm">Tom
Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
</body>
</html>
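Review bot: this hunk deletes the whole "Shorewall CA Certificate" page, which was the only place telling visitors to load ca.crt into their browser for SSL access to the site; before landing the deletion, check that no other page in the tree still links to this page or to ca.crt, and that the ca.crt file is removed or replaced as well, otherwise readers are left with a dangling link and a certificate with no explanation of what it is for.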

View File

@ -1,91 +1,111 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Features</title>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Features</title>
</head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Shorewall Features</font></h1>
<h1 align="center"><font color="#ffffff">Shorewall Features</font></h1>
</td>
</tr>
</tbody>
</table>
<ul>
<li>Uses Netfilter's connection tracking facilities for stateful packet
filtering.</li>
<li>Can be used in a <b> wide range of router/firewall/gateway applications</b>.
<ul>
<li>Completely customizable using configuration files.</li>
<li>No limit on the number of network interfaces.</li>
<li>Allows you to partitions the network into <i><a href="Documentation.htm#Zones">zones</a></i>
and gives you complete control over the connections permitted between
each pair of zones.</li>
<li>Allows you to partitions the network into <i><a
href="Documentation.htm#Zones">zones</a></i> and gives you complete
control over the connections permitted between each pair of zones.</li>
<li>Multiple interfaces per zone and multiple zones per interface
permitted.</li>
<li>Supports nested and overlapping zones.</li>
</ul>
</li>
<li> <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a> to help
get your first firewall up and running quickly</li>
<li>Extensive <b> <a href="Documentation_Index.htm" target="_top">documentation</a> </b>
included in the .tgz and .rpm downloads.</li>
<li><b>Flexible address management/routing support</b> (and you can use all
types in the same firewall):
<li> <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a> to
help get your first firewall up and running quickly</li>
<li>Extensive <b> <a href="Documentation_Index.htm" target="_top">documentation</a>
</b> included in the .tgz and .rpm downloads.</li>
<li><b>Flexible address management/routing support</b> (and you can use
all types in the same firewall):
<ul>
<li><a href="Documentation.htm#Masq">Masquerading/SNAT</a></li>
<li><a href="Documentation.htm#PortForward">Port Forwarding (DNAT)</a>.</li>
<li><a href="Documentation.htm#NAT">
Static NAT</a>.</li>
<li><a href="Documentation.htm#ProxyArp">
Proxy ARP</a>.</li>
<li><a href="Documentation.htm#NAT"> Static NAT</a>.</li>
<li><a href="Documentation.htm#ProxyArp"> Proxy ARP</a>.</li>
<li>Simple host/subnet Routing</li>
</ul>
</li>
<li><a href="blacklisting_support.htm"><b>Blacklisting</b></a> of individual
IP addresses and subnetworks is supported.</li>
<li><b><a href="starting_and_stopping_shorewall.htm">Operational support</a></b>:
<ul>
<li>Commands to start, stop and clear the firewall</li>
<li>Supports status monitoring
with an audible alarm when an "interesting" packet is detected.</li>
<li>Supports status monitoring with an audible alarm
when an "interesting" packet is detected.</li>
<li>Wide variety of informational commands.</li>
</ul>
</li>
<li><b>VPN Support</b>
<ul>
<li><a href="Documentation.htm#Tunnels">IPSEC, GRE and IPIP
Tunnels</a>.</li>
<li><a href="Documentation.htm#Tunnels">IPSEC, GRE and IPIP Tunnels</a>.</li>
<li><a href="PPTP.htm">PPTP </a> clients and Servers.</li>
</ul>
</li>
<li>Support for <a href="traffic_shaping.htm"><b>Traffic Control/Shaping</b></a>
integration.</li>
<li>Wide support for different <b>GNU/Linux Distributions</b>.
<ul>
<li><a href="Install.htm#Install_RPM"><b>RPM</b></a> and <a href="http://security.dsi.unimi.it/~lorenzo/debian.html"><b>Debian</b></a>
<li><a href="Install.htm#Install_RPM"><b>RPM</b></a> and <a
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html"><b>Debian</b></a>
packages available.</li>
<li>Includes <a href="Install.htm"><b>automated install, upgrade, fallback
and uninstall facilities</b></a> for users who can't use or choose not
to use the RPM or Debian packages.</li>
<li>Compatible with 2.4-kernel based versions of <b> <a href="http://leaf.sourceforge.net">
LEAF</a>
</b>
.</li>
and uninstall facilities</b></a> for users who can't use or choose
not to use the RPM or Debian packages.</li>
<li>Included as a standard part of<b> <a
href="http://leaf.sourceforge.net/devel/jnilo"> LEAF/Bering</a> </b>(router/firewall
on a floppy, CD or compact flash).</li>
</ul>
</li>
<li><a href="MAC_Validation.html">Media Access Control (<b>MAC</b>) Address
<b>Verification</b><br>
</a><br>
</li>
</ul>
<p><font size="2">Last updated 7/14/2002 - <a href="support.htm">Tom
Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm">
<font size="2">Copyright</font> © <font size="2">2001,2002 Thomas M. Eastep.</font></a></font></p>
<p><font size="2">Last updated 11/09/2002 - <a href="support.htm">Tom Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001,2002 Thomas M. Eastep.</font></a></font><br>
</p>
</body>
</html>
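Review bot: "Allows you to partitions the network" is carried over verbatim into the rewrapped copy and should read "partition the network". The new MAC Address Verification item also carries a `<br>` inside the `<a>` and a second one after it, which none of its sibling items have; drop both so the item closes as `...Address <b>Verification</b></a></li>`. Finally, the LEAF item now links to `http://leaf.sourceforge.net/devel/jnilo` with a leading space inside the anchor text (`> LEAF/Bering</a>`); trim it so the underline does not start with a blank.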

View File

@ -36,16 +36,16 @@ must all first walk before we can run.</p>
<h2>The Guides</h2>
<p>These guides provide step-by-step instructions for configuring Shorewall
in common firewall setups.</p>
in common firewall setups.</p>
<p>The following guides are for users who have a single public IP address:</p>
<p>The following guides are for <b>users who have a single public IP address</b>:</p>
<ul>
<li><a href="standalone.htm">Standalone</a> Linux System</li>
<li><a href="two-interface.htm">Two-interface</a> Linux System acting
as a firewall/router for a small local network</li>
<li><a href="three-interface.htm">Three-interface</a> Linux System acting
as a firewall/router for a small local network and a DMZ.</li>
as a firewall/router for a small local network</li>
<li><a href="three-interface.htm">Three-interface</a> Linux System
acting as a firewall/router for a small local network and a DMZ.</li>
</ul>
@ -53,22 +53,24 @@ as a firewall/router for a small local network and a DMZ.</li>
quickly in the three most common Shorewall configurations.</p>
<p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> outlines
the steps necessary to set up a firewall where there are multiple public
IP addresses involved or if you want to learn more about Shorewall than is
explained in the single-address guides above.</p>
the steps necessary to set up a firewall where <b>there are multiple public
IP addresses involved or if you want to learn more about Shorewall than
is explained in the single-address guides above.</b></p>
<ul>
<li><a href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a></li>
<li><a href="shorewall_setup_guide.htm#Concepts">2.0 Shorewall Concepts</a></li>
<li><a href="shorewall_setup_guide.htm#Interfaces">3.0 Network Interfaces</a></li>
<li><a href="shorewall_setup_guide.htm#Addressing">4.0 Addressing, Subnets
and Routing</a>
<li><a href="shorewall_setup_guide.htm#Addressing">4.0 Addressing,
Subnets and Routing</a>
<ul>
<li><a href="shorewall_setup_guide.htm#Addresses">4.1 IP Addresses</a></li>
<li><br>
</li>
<li><a href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
<li><a href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li>
<li><a href="shorewall_setup_guide.htm#ARP">4.4 Address Resolution
Protocol</a></li>
Protocol</a></li>
</ul>
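Review bot: the empty `<li><br>\n</li>` inserted between "4.1 IP Addresses" and "4.2 Subnets" renders as a blank bullet in the table of contents; remove it so the sub-list runs 4.1, 4.2, 4.3, 4.4 without a gap.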
@ -77,8 +79,8 @@ Protocol</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#Options">5.0 Setting up your Network</a>
<li><a href="shorewall_setup_guide.htm#Options">5.0 Setting up your
Network</a>
<ul>
<li><a href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li>
@ -90,38 +92,42 @@ Protocol</a></li>
<ul>
<li><a href="shorewall_setup_guide.htm#SNAT">5.2.1 SNAT</a></li>
<li><a href="shorewall_setup_guide.htm#DNAT">5.2.2 DNAT</a></li>
<li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3 Proxy ARP</a></li>
<li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3 Proxy
ARP</a></li>
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4 Static NAT</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#Rules">5.3 Rules</a></li>
<li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4 Odds and Ends</a></li>
<li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4 Odds and
Ends</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#DNS">6.0 DNS</a></li>
<li><a href="shorewall_setup_guide.htm#StartingAndStopping">7.0 Starting
and Stopping the Firewall</a></li>
and Stopping the Firewall</a></li>
</ul>
<h2><a name="Documentation"></a>Additional Documentation</h2>
<p>The following documentation covers a variety of topics and supplements
the <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a> described
above.</p>
<p>The following documentation covers a variety of topics and <b>supplements
the <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a> described
above</b>. Please review the appropriate guide before trying to use this
documentation directly.</p>
<ul>
<li><a href="blacklisting_support.htm">Blacklisting</a>
<ul>
<li>Static Blacklisting using /etc/shorewall/blacklist</li>
<li>Dynamic Blacklisting using /sbin/shorewall</li>
</ul>
</li>
<li><a href="configuration_file_basics.htm">Common configuration file
features</a>
<li><a href="configuration_file_basics.htm">Common configuration
file features</a>
<ul>
<li>Comments in configuration files</li>
<li>Line Continuation</li>
@ -141,7 +147,8 @@ features</a>
<ul>
<li> <a href="Documentation.htm#Variables">params</a></li>
<li><font color="#000099"><a href="Documentation.htm#Zones">zones</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#Interfaces">interfaces</a></font></li>
<li><font color="#000099"><a
href="Documentation.htm#Interfaces">interfaces</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#Hosts">hosts</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#Policy">policy</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#Rules">rules</a></font></li>
@ -161,15 +168,16 @@ features</a>
</ul>
</li>
<li><a href="dhcp.htm">DHCP</a></li>
<li><font color="#000099"><a href="shorewall_extension_scripts.htm">Extension
Scripts</a></font> (How to extend Shorewall without modifying Shorewall
code)</li>
<li><font color="#000099"><a
href="shorewall_extension_scripts.htm">Extension Scripts</a></font>
(How to extend Shorewall without modifying Shorewall code)</li>
<li><a href="fallback.htm">Fallback/Uninstall</a></li>
<li><a href="shorewall_firewall_structure.htm">Firewall Structure</a></li>
<li><font color="#000099"><a href="kernel.htm">Kernel Configuration</a></font></li>
<li><a href="myfiles.htm">My Configuration Files</a> (How I personally
use Shorewall)</li>
use Shorewall)</li>
<li><a href="ports.htm">Port Information</a>
<ul>
<li>Which applications use which ports</li>
<li>Ports used by Trojans</li>
@ -187,8 +195,8 @@ use Shorewall)</li>
<li><a href="IPSEC.htm">IPSEC</a></li>
<li><a href="IPIP.htm">GRE and IPIP</a></li>
<li><a href="PPTP.htm">PPTP</a></li>
<li><a href="VPN.htm">IPSEC/PPTP</a> from a system behind your firewall
to a remote network.</li>
<li><a href="VPN.htm">IPSEC/PPTP</a> from a system behind your
firewall to a remote network.</li>
</ul>
</li>
@ -199,11 +207,15 @@ to a remote network.</li>
<p>If you use one of these guides and have a suggestion for improvement <a
href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
<p><font size="2">Last modified 9/16/2002 - <a
<p><font size="2">Last modified 11/3/2002 - <a
href="file:///J:/Shorewall/Shorewall-docs/support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright 2002 Thomas M. Eastep</font></a></p>
<br>
<br>
<br>
<br>
<br>
<br>
</body>
</html>
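Review bot: the author link on the line right after the updated date still points at `file:///J:/Shorewall/Shorewall-docs/support.htm`, a path on the author's own drive that is dead for every reader and needlessly publishes the local directory layout; change it to `support.htm` as the other pages in this commit do. The four extra `<br>` tags added before `</body>` only pad the bottom of the page and can be dropped.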

View File

@ -26,7 +26,7 @@
<td width="100%">
<h1 align="center"><font color="#ffffff">Starting/Stopping and Monitoring
the Firewall</font></h1>
the Firewall</font></h1>
</td>
@ -40,13 +40,13 @@ the Firewall</font></h1>
<p> If you have a permanent internet connection such as DSL or Cable,
I recommend that you start the firewall automatically at boot. Once you
have installed "firewall" in your init.d directory, simply type
I recommend that you start the firewall automatically at boot. Once
you have installed "firewall" in your init.d directory, simply type
"chkconfig --add firewall". This will start the firewall in run levels
2-5 and stop it in run levels 1 and 6. If you want to configure your firewall
differently from this default, you can use the "--level" option in
chkconfig (see "man chkconfig") or using your favorite graphical run-level
editor.</p>
2-5 and stop it in run levels 1 and 6. If you want to configure your
firewall differently from this default, you can use the "--level" option
in chkconfig (see "man chkconfig") or using your favorite graphical
run-level editor.</p>
@ -59,8 +59,8 @@ editor.</p>
<ol>
<li>Shorewall startup is disabled by default. Once you have configured
your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.
Note: Users of the .deb package must edit /etc/default/shorewall and set
your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.
Note: Users of the .deb package must edit /etc/default/shorewall and set
'startup=1'.<br>
</li>
<li>If you use dialup, you may want to start the firewall in your
@ -83,11 +83,11 @@ in that script.</li>
<li>shorewall start - starts the firewall</li>
<li>shorewall stop - stops the firewall</li>
<li>shorewall restart - stops the firewall (if it's running)
and then starts it again</li>
and then starts it again</li>
<li>shorewall reset - reset the packet and byte counters
in the firewall</li>
<li>shorewall clear - remove all rules and chains installed
by Shoreline Firewall</li>
by Shoreline Firewall</li>
<li>shorewall refresh - refresh the rules involving the broadcast
addresses of firewall interfaces and the black and white lists.</li>
@ -106,39 +106,54 @@ by Shoreline Firewall</li>
</i>(iptables -L <i>chain</i> -n -v)</li>
<li>shorewall show nat - produce a verbose report about the nat table
(iptables -t nat -L -n -v)</li>
<li>shorewall show tos - produce a verbose report about the mangle table
(iptables -t mangle -L -n -v)</li>
<li>shorewall show tos - produce a verbose report about the mangle
table (iptables -t mangle -L -n -v)</li>
<li>shorewall show log - display the last 20 packet log entries.</li>
<li>shorewall show connections - displays the IP connections currently
being tracked by the firewall.</li>
being tracked by the firewall.</li>
<li>shorewall
show
tc - displays information
about the traffic control/shaping configuration.</li>
about the traffic control/shaping configuration.</li>
<li>shorewall monitor [ delay ] - Continuously display the firewall
status, last 20 log entries and nat. When the log entry display
changes, an audible alarm is sounded.</li>
<li>shorewall hits - Produces several reports about the Shorewall packet
log messages in the current /var/log/messages file.</li>
log messages in the current /var/log/messages file.</li>
<li>shorewall version - Displays the installed version number.</li>
<li>shorewall check - Performs a <u>cursory</u> validation of the
zones, interfaces, hosts, rules and policy files. <font size="4"
<li>shorewall check - Performs a <u>cursory</u> validation of
the zones, interfaces, hosts, rules and policy files. <font size="4"
color="#ff6666"><b>The "check" command does not parse and validate the
generated iptables commands so even though the "check" command completes
successfully, the configuration may fail to start. See the recommended
way to make configuration changes described below. </b></font> </li>
generated iptables commands so even though the "check" command completes
successfully, the configuration may fail to start. See the recommended
way to make configuration changes described below. </b></font> </li>
<li>shorewall try<i> configuration-directory</i> [<i> timeout</i> ]
- Restart shorewall using the specified configuration and if an error
occurs or if the<i> timeout </i> option is given and the new configuration
has been up for that many seconds then shorewall is restarted using the
standard configuration.</li>
occurs or if the<i> timeout </i> option is given and the new configuration
has been up for that many seconds then shorewall is restarted using
the standard configuration.</li>
<li>shorewall deny, shorewall reject, shorewall accept and shorewall
save implement <a href="blacklisting_support.htm">dynamic blacklisting</a>.</li>
save implement <a href="blacklisting_support.htm">dynamic blacklisting</a>.</li>
<li>shorewall logwatch (added in version 1.3.2) - Monitors the <a
href="#Conf">LOGFILE </a>and produces an audible alarm when new Shorewall
messages are logged.</li>
</ul>
Finally, the "shorewall" program may be used to dynamically alter the contents
of a zone.<br>
<ul>
<li>shorewall add <i>interface</i>[:<i>host]</i> <i>zone </i>- Adds the
specified interface (and host if included) to the specified zone.</li>
<li>shorewall delete <i>interface</i>[:<i>host]</i> <i>zone </i>- Deletes
the specified interface (and host if included) from the specified zone.</li>
</ul>
<blockquote>Examples:<br>
<blockquote>shorewall add ipsec0:192.0.2.24 vpn1 -- adds the address 192.0.2.24
from interface ipsec0 to the zone vpn1<br>
shorewall delete ipsec0:192.0.2.24 vpn1 -- deletes the address 192.0.2.24
from interface ipsec0 from zone vpn1<br>
</blockquote>
</blockquote>
<p> The <b>shorewall start</b>, <b>shorewall restart, shorewall check </b> and
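Review bot: the new "Finally, the "shorewall" program may be used to dynamically alter the contents of a zone." sentence is bare text between `</ul>` and `<ul>` rather than a `<p>` like every other paragraph on the page; wrap it. In the two new items the markup `<i>interface</i>[:<i>host]</i>` italicizes the closing bracket but not the opening one; move `]` outside the `<i>`. Since adding a host to a zone changes which policies and rules apply to it, the section should also say whether an `add` survives `shorewall restart` or is lost with the rest of the dynamic state; the examples give no hint either way.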
@ -162,7 +177,7 @@ save implement <a href="blacklisting_support.htm">dynamic blacklisting</a>.<
<p> When changing the configuration of a production firewall, I recommend
the following:</p>
the following:</p>
@ -174,7 +189,7 @@ the following:</p>
<li>cd /etc/test</li>
<li>&lt;copy any files that you need to change from /etc/shorewall
to . and change them here&gt;</li>
to . and change them here&gt;</li>
<li>shorewall -c . check</li>
@ -186,8 +201,8 @@ to . and change them here&gt;</li>
<p> If the configuration starts but doesn't work, just "shorewall restart"
to restore the old configuration. If the new configuration fails to start,
the "try" command will automatically start the old one for you.</p>
to restore the old configuration. If the new configuration fails to start,
the "try" command will automatically start the old one for you.</p>
@ -210,7 +225,7 @@ the "try" command will automatically start the old one for you.</p>
<p><font size="2"> Updated 9/26/2002 - <a href="support.htm">Tom Eastep</a>
<p><font size="2"> Updated 10/23/2002 - <a href="support.htm">Tom Eastep</a>
</font></p>
@ -219,6 +234,7 @@ the "try" command will automatically start the old one for you.</p>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br>
</body>

View File

@ -29,18 +29,18 @@
</tbody>
</table>
<h3 align="left"> <span style="font-weight: 400;"><i> "<font size="3">It is
easier to post a problem than to use your own brain" </font>-- </i> <font
<h3 align="left"> <span style="font-weight: 400;"><i> "<font size="3">It
is easier to post a problem than to use your own brain" </font>-- </i> <font
size="2">Wietse Venema (creator of <a href="http://www.postfix.org">Postfix</a>)</font></span></h3>
<p align="left"> <i>"Any sane computer will tell you how it works -- you just
have to ask it the right questions" </i>-- <font size="2">Tom Eastep</font></p>
<p align="left"> <i>"Any sane computer will tell you how it works -- you
just have to ask it the right questions" </i>-- <font size="2">Tom Eastep</font></p>
<blockquote> </blockquote>
<p><span style="font-weight: 400;"><i>"It irks me when people believe that
free software comes at no cost. The cost is incredibly high."</i>
- <font size="2"> Wietse Venema</font></span></p>
- <font size="2"> Wietse Venema</font></span></p>
<h3 align="left">Before Reporting a Problem</h3>
@ -60,6 +60,7 @@ contains a number of tips to help you solve common problems.</li>
<h4>Mailing List Archive Search</h4>
<form method="post" action="http://www.shorewall.net/cgi-bin/htsearch">
<p> <font size="-1"> Match:
<select name="method">
<option value="and">All </option>
@ -114,7 +115,7 @@ you custom configuration files. We're here to answer your questions
</ul>
<h3>Where to Send your Problem Report or to Ask for Help</h3>
<b></b>
<h4>If you run Shorewall under Bering -- <span style="font-weight: 400;">please
post your question or problem to the <a
href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing list</a>.</span></h4>
@ -134,7 +135,7 @@ you custom configuration files. We're here to answer your questions
href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a>
.</p>
<p align="left"><font size="2">Last Updated 9/27/2002 - Tom Eastep</font></p>
<p align="left"><font size="2">Last Updated 10/13/2002 - Tom Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
@ -142,5 +143,6 @@ you custom configuration files. We're here to answer your questions
<br>
<br>
<br>
<br>
</body>
</html>

View File

@ -35,7 +35,7 @@
<p>This guide doesn't attempt to acquaint you with all of the features of
Shorewall. It rather focuses on what is required to configure Shorewall
in one of its more popular configurations:</p>
in one of its more popular configurations:</p>
<ul>
<li>Linux system used as a firewall/router for a small local network.</li>
@ -53,10 +53,10 @@ in one of its more popular configurations:</p>
</p>
<p>This guide assumes that you have the iproute/iproute2 package installed
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell if
this package is installed by the presence of an <b>ip</b> program on your
firewall system. As root, you can use the 'which' command to check for
this program:</p>
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell
if this package is installed by the presence of an <b>ip</b> program on
your firewall system. As root, you can use the 'which' command to check
for this program:</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
@ -69,15 +69,15 @@ this program:</p>
<p><img border="0" src="images/j0213519.gif" width="60" height="60">
    If you edit your configuration files on a Windows system, you must
save them as Unix files if your editor supports that option or you must
run them through dos2unix before trying to use them. Similarly, if you copy
a configuration file from your Windows hard drive to a floppy disk, you
must run dos2unix against the copy before using it with Shorewall.</p>
run them through dos2unix before trying to use them. Similarly, if you
copy a configuration file from your Windows hard drive to a floppy disk,
you must run dos2unix against the copy before using it with Shorewall.</p>
<ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
of dos2unix</a></li>
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
Version of dos2unix</a></li>
Version of dos2unix</a></li>
</ul>
@ -89,8 +89,8 @@ of these as described in this guide. After you have <a
href="Install.htm">installed Shorewall</a>, download the <a
href="/pub/shorewall/LATEST.samples/three-interfaces.tgz">three-interface
sample</a>, un-tar it (tar -zxvf three-interfaces.tgz) and and copy the
files to /etc/shorewall (the files will replace files with the same names
that were placed in /etc/shorewall when Shorewall was installed).</p>
files to /etc/shorewall (the files will replace files with the same names
that were placed in /etc/shorewall when Shorewall was installed).</p>
<p>As each file is introduced, I suggest that you look through the actual
file on your system -- each file contains detailed configuration instructions
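Review bot: the context line "un-tar it (tar -zxvf three-interfaces.tgz) and and copy the" keeps the doubled "and"; since this hunk already rewraps the end of that paragraph, fix it here rather than leaving it for a later commit.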
@ -132,8 +132,8 @@ that were placed in /etc/shorewall when Shorewall was installed).</p>
in terms of zones.</p>
<ul>
<li>You express your default policy for connections from one zone to
another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
<li>You express your default policy for connections from one zone
to another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
</a>file.</li>
<li>You define exceptions to those default policies in the <a
href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
@ -141,10 +141,10 @@ that were placed in /etc/shorewall when Shorewall was installed).</p>
</ul>
<p>For each connection request entering the firewall, the request is first
checked against the /etc/shorewall/rules file. If no rule in that file matches
the connection request then the first policy in /etc/shorewall/policy that
matches the request is applied. If that policy is REJECT or DROP  the
request is first checked against the rules in /etc/shorewall/common (the
checked against the /etc/shorewall/rules file. If no rule in that file
matches the connection request then the first policy in /etc/shorewall/policy
that matches the request is applied. If that policy is REJECT or DROP 
the request is first checked against the rules in /etc/shorewall/common (the
samples provide that file for you).</p>
<p>The /etc/shorewall/policy file included with the three-interface sample
@ -190,7 +190,7 @@ samples provide that file for you).</p>
<blockquote>
<p>In the three-interface sample, the line below is included but commented
out. If you want your firewall system to have full access to servers on
the internet, uncomment that line.</p>
the internet, uncomment that line.</p>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber3">
@ -217,18 +217,19 @@ the internet, uncomment that line.</p>
<p>The above policy will:</p>
<ol>
<li>allow all connection requests from your local network to the internet</li>
<li>allow all connection requests from your local network to the
internet</li>
<li>drop (ignore) all connection requests from the internet to your
firewall or local network</li>
firewall or local network</li>
<li>optionally accept all connection requests from the firewall to
the internet (if you uncomment the additional policy)</li>
the internet (if you uncomment the additional policy)</li>
<li>reject all other connection requests.</li>
</ol>
<p><img border="0" src="images/BD21298_1.gif" width="13" height="13">
    At this point, edit your /etc/shorewall/policy file and make any
changes that you wish.</p>
changes that you wish.</p>
<h2 align="left">Network Interfaces</h2>
@ -248,33 +249,34 @@ your External Interface will also be <b>ppp0</b>. If you connect using ISDN,
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13">
    If your external interface is <b>ppp0</b> or <b>ippp0 </b>then you
will want to set CLAMPMSS=yes in <a href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf.</a></p>
    If your external interface is <b>ppp0</b> or <b>ippp0 </b>then
you will want to set CLAMPMSS=yes in <a href="Documentation.htm#Conf">
/etc/shorewall/shorewall.conf.</a></p>
<p align="left">Your <i>Local Interface</i> will be an ethernet adapter (eth0,
eth1 or eth2) and will be connected to a hub or switch. Your local computers
will be connected to the same switch (note: If you have only a single local
system, you can connect the firewall directly to the computer using a <i>cross-over
</i> cable).</p>
system, you can connect the firewall directly to the computer using a
<i>cross-over </i> cable).</p>
<p align="left">Your <i>DMZ Interface</i> will also be an ethernet adapter
(eth0, eth1 or eth2) and will be connected to a hub or switch. Your DMZ
computers will be connected to the same switch (note: If you have only a
single DMZ system, you can connect the firewall directly to the computer
using a <i>cross-over </i> cable).</p>
computers will be connected to the same switch (note: If you have only a
single DMZ system, you can connect the firewall directly to the computer
using a <i>cross-over </i> cable).</p>
<p align="left"><u><b> <img border="0" src="images/j0213519.gif"
width="60" height="60">
</b></u>Do not connect more than one interface to the same hub or switch
(even for testing). It won't work the way that you expect it to and you
will end up confused and believing that Shorewall doesn't work at all.</p>
will end up confused and believing that Shorewall doesn't work at all.</p>
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13">
    The Shorewall three-interface sample configuration assumes that the
external interface is <b>eth0, </b>the local interface is <b>eth1 </b>and
the DMZ interface is <b> eth2</b>. If your configuration is different,
you will have to modify the sample /etc/shorewall/interfaces file accordingly.
    The Shorewall three-interface sample configuration assumes that
the external interface is <b>eth0, </b>the local interface is <b>eth1
</b>and the DMZ interface is <b> eth2</b>. If your configuration is different,
you will have to modify the sample /etc/shorewall/interfaces file accordingly.
While you are there, you may wish to review the list of options that are
specified for the interfaces. Some hints:</p>
@ -296,14 +298,14 @@ you will have to modify the sample /etc/shorewall/interfaces file accordingly.
<p align="left">Before going further, we should say a few words about Internet
Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you a single
<i> Public</i> IP address. This address may be assigned via the<i> Dynamic
Host Configuration Protocol</i> (DHCP) or as part of establishing your connection
when you dial in (standard modem) or establish your PPP connection. In
rare cases, your ISP may assign you a<i> static</i> IP address; that means
that you configure your firewall's external interface to use that address
permanently.<i> </i>Regardless of how the address is assigned, it will be
shared by all of your systems when you access the Internet. You will have
to assign your own addresses for your internal network (the local and DMZ
Interfaces on your firewall plus your other computers). RFC 1918 reserves
Host Configuration Protocol</i> (DHCP) or as part of establishing your
connection when you dial in (standard modem) or establish your PPP connection.
In rare cases, your ISP may assign you a<i> static</i> IP address; that
means that you configure your firewall's external interface to use that
address permanently.<i> </i>Regardless of how the address is assigned, it
will be shared by all of your systems when you access the Internet. You will
have to assign your own addresses for your internal network (the local and
DMZ Interfaces on your firewall plus your other computers). RFC 1918 reserves
several <i>Private </i>IP address ranges for this purpose:</p>
<div align="left">
@ -313,10 +315,10 @@ several <i>Private </i>IP address ranges for this purpose:</p>
<div align="left">
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13">
    Before starting Shorewall, you should look at the IP address of
your external interface and if it is one of the above ranges, you should
remove the 'norfc1918' option from the external interface's entry in
/etc/shorewall/interfaces.</p>
    Before starting Shorewall, you should look at the IP address
of your external interface and if it is one of the above ranges, you
should remove the 'norfc1918' option from the external interface's entry
in /etc/shorewall/interfaces.</p>
</div>
<div align="left">
@ -325,11 +327,11 @@ remove the 'norfc1918' option from the external interface's entry in
subnet. For our purposes, we can consider a subnet to consists of a range
of addresses x.y.z.0 - x.y.z.255. Such a subnet will have a <i>Subnet
Mask </i>of 255.255.255.0. The address x.y.z.0 is reserved as the <i>Subnet
Address</i> and x.y.z.255 is reserved as the <i>Subnet Broadcast</i> <i>Address</i>.
In Shorewall, a subnet is described using <a href="subnet_masks.htm"><i>Classless
InterDomain Routing </i>(CIDR)</a> notation with consists of the subnet address
followed by "/24". The "24" refers to the number of consecutive "1"
bits from the left of the subnet mask. </p>
Address</i> and x.y.z.255 is reserved as the <i>Subnet Broadcast</i> <i>Address</i>.
In Shorewall, a subnet is described using <a href="subnet_masks.htm"><i>Classless
InterDomain Routing </i>(CIDR)</a> notation with consists of the subnet
address followed by "/24". The "24" refers to the number of consecutive
"1" bits from the left of the subnet mask. </p>
</div>
<div align="left">
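Review bot: "notation with consists of the subnet address" in the rewrapped CIDR sentence should read "which consists of", and the context line above it, "consider a subnet to consists of a range", should read "to consist of"; both pass through this hunk unchanged.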
@ -372,8 +374,8 @@ bits from the left of the subnet mask. </p>
<div align="left">
<p align="left">One of the purposes of subnetting is to allow all computers
in the subnet to understand which other computers can be communicated
with directly. To communicate with systems outside of the subnetwork, systems
send packets through a<i>  gateway</i>  (router).</p>
with directly. To communicate with systems outside of the subnetwork,
systems send packets through a<i>  gateway</i>  (router).</p>
</div>
<div align="left">
@ -381,16 +383,16 @@ send packets through a<i>
height="13">
    Your local computers (Local Computers 1 &amp; 2) should be configured
with their<i> default gateway</i> set to the IP address of the firewall's
internal interface and your DMZ computers ( DMZ Computers 1 &amp; 2) should
be configured with their default gateway set to the IP address of the
firewall's DMZ interface.   </p>
internal interface and your DMZ computers ( DMZ Computers 1 &amp; 2)
should be configured with their default gateway set to the IP address
of the firewall's DMZ interface.   </p>
</div>
<p align="left">The foregoing short discussion barely scratches the surface
regarding subnetting and routing. If you are interested in learning more
about IP addressing and routing, I highly recommend <i>"IP Fundamentals:
What Everyone Needs to Know about Addressing &amp; Routing",</i> Thomas
A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
<p align="left">The remainder of this quide will assume that you have configured
your network as shown here:</p>
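Review bot: "The remainder of this quide will assume" in the unchanged context line has a typo; "quide" should be "guide". The two lines ending "ISBN 0-13-975483-0.</p>" differ only in trailing whitespace, which makes this hunk noisier than the change warrants.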
@ -399,7 +401,7 @@ A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
height="635">
</p>
<p align="left">The default gateway for the DMZ computers would be 10.10.10.254
<p align="left">The default gateway for the DMZ computers would be 10.10.11.254
and the default gateway for the Local computers would be 10.10.10.254.</p>
<h2 align="left">IP Masquerading (SNAT)</h2>
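Review bot: changing the DMZ default gateway from 10.10.10.254 to 10.10.11.254 is a genuine correction, since the old text gave the DMZ and local computers the same gateway while the DMZ server is addressed as 10.10.11.2 later in this file; the network diagram referenced just above is an image that is not part of this diff, so confirm it also shows 10.10.11.254 on the firewall's DMZ interface.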
@ -409,14 +411,14 @@ A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
packets which have an RFC-1918 destination address. When one of your local
systems (let's assume local computer 1) sends a connection request to an
internet host, the firewall must perform <i>Network Address Translation
</i>(NAT). The firewall rewrites the source address in the packet to be the
address of the firewall's external interface; in other words, the firewall
makes it look as if the firewall itself is initiating the connection.  This
is necessary so that the destination host will be able to route return packets
back to the firewall (remember that packets whose destination address is
reserved by RFC 1918 can't be routed accross the internet). When the firewall
receives a return packet, it rewrites the destination address back to 10.10.10.1
and forwards the packet on to local computer 1. </p>
</i>(NAT). The firewall rewrites the source address in the packet to be
the address of the firewall's external interface; in other words, the firewall
makes it look as if the firewall itself is initiating the connection.  This
is necessary so that the destination host will be able to route return packets
back to the firewall (remember that packets whose destination address
is reserved by RFC 1918 can't be routed accross the internet). When the
firewall receives a return packet, it rewrites the destination address
back to 10.10.10.1 and forwards the packet on to local computer 1. </p>
<p align="left">On Linux systems, the above process is often referred to as<i>
IP Masquerading</i> and you will also see the term <i>Source Network Address
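Review bot: "can't be routed accross the internet" keeps its spelling error in the reflowed text; "accross" should be "across". The NAT description itself (source rewritten to the external interface address on the way out, destination rewritten back to 10.10.10.1 on the way back) is consistent with the SNAT paragraph that follows.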
@ -442,10 +444,10 @@ is necessary so that the destination host will be able to route return packets
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13">
    If your external firewall interface is <b>eth0</b>, your local interface
<b>eth1 </b>and your DMZ interface is <b>eth2</b> then you do not need to
modify the file provided with the sample. Otherwise, edit /etc/shorewall/masq
and change it to match your configuration.</p>
    If your external firewall interface is <b>eth0</b>, your local
interface <b>eth1 </b>and your DMZ interface is <b>eth2</b> then you do
not need to modify the file provided with the sample. Otherwise, edit
/etc/shorewall/masq and change it to match your configuration.</p>
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13">
@ -459,11 +461,11 @@ is necessary so that the destination host will be able to route return packets
<p align="left">One of your goals will be to run one or more servers on your
DMZ computers. Because these computers have RFC-1918 addresses, it is not
possible for clients on the internet to connect directly to them. It is
rather necessary for those clients to address their connection requests to
your firewall who rewrites the destination address to the address of your
rather necessary for those clients to address their connection requests
to your firewall who rewrites the destination address to the address of your
server and forwards the packet to that server. When your server responds,
the firewall automatically performs SNAT to rewrite the source address in
the response.</p>
the firewall automatically performs SNAT to rewrite the source address in
the response.</p>
<p align="left">The above process is called<i> Port Forwarding</i> or <i>
Destination Network Address Translation</i> (DNAT). You configure port
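Review bot: "to your firewall who rewrites the destination address" is carried over unchanged in the reflowed text; "which rewrites" is the right relative pronoun for a firewall.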
@ -489,7 +491,7 @@ the response.</p>
<td>DNAT</td>
<td>net</td>
<td>dmz:<i>&lt;server local ip address&gt; </i>[:<i>&lt;server
port&gt;</i>]</td>
port&gt;</i>]</td>
<td><i>&lt;protocol&gt;</i></td>
<td><i>&lt;port&gt;</i></td>
<td> </td>
@ -546,10 +548,10 @@ the same as <i>&lt;port&gt;</i>.</p>
<ul>
<li>When you are connecting to your server from your local systems,
you must use the server's internal IP address (10.10.11.2).</li>
you must use the server's internal IP address (10.10.11.2).</li>
<li>Many ISPs block incoming connection requests to port 80. If you
have problems connecting to your web server, try the following rule and
try connecting to port 5000 (e.g., connect to <a
have problems connecting to your web server, try the following rule and
try connecting to port 5000 (e.g., connect to <a
href="http://w.x.y.z:5000"> http://w.x.y.z:5000</a> where w.x.y.z is your
external IP).</li>
@ -641,7 +643,8 @@ try connecting to port 5000 (e.g., connect to <a
</tr>
<tr>
<td>DNAT</td>
<td>net</td>
<td>loc<br>
</td>
<td>dmz:10.10.11.2:80</td>
<td>tcp</td>
<td>80</td>
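Review bot: changing the SOURCE column of this DNAT rule from net to loc is the right fix, since this second rule exists to let local clients reach the DMZ server through the external address (the FAQ 2a reference follows it) and a second net rule would only duplicate the first; the new cell is split as "<td>loc<br>" and "</td>" across two lines, and the stray <br> should be dropped so the cell matches the other single-line <td> entries.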
@ -657,17 +660,19 @@ try connecting to port 5000 (e.g., connect to <a
address, see <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p>
<p><img border="0" src="images/BD21298_2.gif" width="13" height="13">
    At this point, add the DNAT and ACCEPT rules for your servers. </p>
    At this point, add the DNAT and ACCEPT rules for your servers.
</p>
<h2 align="left">Domain Name Server (DNS)</h2>
<p align="left">Normally, when you connect to your ISP, as part of getting
an IP address your firewall's <i>Domain Name Service </i>(DNS) resolver
will be automatically configured (e.g., the /etc/resolv.conf file will be
written). Alternatively, your ISP may have given you the IP address of a
pair of DNS <i> name servers</i> for you to manually configure as your primary
and secondary name servers. It is <u>your</u> responsibility to configure
the resolver in your internal systems. You can take one of two approaches:</p>
will be automatically configured (e.g., the /etc/resolv.conf file will be
written). Alternatively, your ISP may have given you the IP address of
a pair of DNS <i> name servers</i> for you to manually configure as your
primary and secondary name servers. It is <u>your</u> responsibility to
configure the resolver in your internal systems. You can take one of two
approaches:</p>
<ul>
<li>
@ -675,18 +680,18 @@ the resolver in your internal systems. You can take one of two approaches:</p>
name servers. If you ISP gave you the addresses of their servers or if
those addresses are available on their web site, you can configure your
internal systems to use those addresses. If that information isn't available,
look in /etc/resolv.conf on your firewall system -- the name servers are
given in "nameserver" records in that file. </p>
look in /etc/resolv.conf on your firewall system -- the name servers
are given in "nameserver" records in that file. </p>
</li>
<li>
<p align="left"><img border="0" src="images/BD21298_2.gif"
width="13" height="13">
    You can configure a<i> Caching Name Server </i>on your firewall
or in your DMZ.<i> </i>Red Hat has an RPM for a caching name server (which
also requires the 'bind' RPM) and for Bering users, there is dnscache.lrp.
If you take this approach, you configure your internal systems to use the
caching name server as their primary (and only) name server. You use the
internal IP address of the firewall (10.10.10.254 in the example above)
or in your DMZ.<i> </i>Red Hat has an RPM for a caching name server (which
also requires the 'bind' RPM) and for Bering users, there is dnscache.lrp.
If you take this approach, you configure your internal systems to use
the caching name server as their primary (and only) name server. You use
the internal IP address of the firewall (10.10.10.254 in the example above)
for the name server address if you choose to run the name server on your
firewall. To allow your local systems to talk to your caching name server,
you must open port 53 (both UDP and TCP) from the local network to the
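Review bot: "If you ISP gave you the addresses of their servers" in the unchanged context line should read "If your ISP"; since the hunk already rewraps this list item, fix it here.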
@ -697,6 +702,7 @@ internal IP address of the firewall (10.10.10.254 in the example above)
<blockquote>
<p align="left">If you run the name server on the firewall:
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber4">
<tbody>
@ -1046,15 +1052,15 @@ uses, look <a href="ports.htm">here</a>.</p>
<p align="left"> <img border="0" src="images/BD21298_2.gif"
width="13" height="13" alt="Arrow">
    The <a href="Install.htm">installation procedure </a> configures
your system to start Shorewall at system boot  but beginning with Shorewall
version 1.3.9 startup is disabled so that your system won't try to start
your system to start Shorewall at system boot  but beginning with Shorewall
version 1.3.9 startup is disabled so that your system won't try to start
Shorewall before configuration is complete. Once you have completed configuration
of your firewall, you can enable Shorewall startup by removing the file /etc/shorewall/startup_disabled.<br>
</p>
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: </font><font
color="#ff0000">Users of the .deb package must edit /etc/default/shorewall
and set 'startup=1'.</font><br>
and set 'startup=1'.</font><br>
</p>
</div>
@ -1081,15 +1087,15 @@ and set 'startup=1'.</font><br>
<div align="left">
<p align="left"><b>WARNING: </b>If you are connected to your firewall from
the internet, do not issue a "shorewall stop" command unless you have
added an entry for the IP address that you are connected from to <a
added an entry for the IP address that you are connected from to <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better to create
an <i><a href="Documentation.htm#Configs">alternate configuration</a></i>
and test it using the <a href="Documentation.htm#Starting">"shorewall
try" command</a>.</p>
try" command</a>.</p>
</div>
<p align="left"><font size="2">Last updated 9/26/2002 - <a
<p align="left"><font size="2">Last updated 10/22/2002 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas
@ -1098,5 +1104,7 @@ try" command</a>.</p>
<br>
<br>
<br>
<br>
<br>
</body>
</html>

View File

@ -1,102 +1,126 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Traffic Shaping</title>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Traffic Shaping</title>
</head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Traffic Shaping/Control</font></h1>
<h1 align="center"><font color="#ffffff">Traffic Shaping/Control</font></h1>
</td>
</tr>
</tbody>
</table>
<p align="left">Beginning with version 1.2.0, Shorewall has limited support for traffic
shaping/control. In order to use traffic shaping under Shorewall, it is
essential that you get a copy of the <a href="http://ds9a.nl/lartc">Linux Advanced Routing
and Shaping HOWTO</a>, version 0.3.0 or later. You must also install
the iproute (iproute2) package to provide the &quot;ip&quot; and &quot;tc&quot;
utilities.</p>
<p align="left">Beginning with version 1.2.0, Shorewall has limited support
for traffic shaping/control. In order to use traffic shaping under Shorewall,
it is essential that you get a copy of the <a
href="http://ds9a.nl/lartc">Linux Advanced Routing and Shaping HOWTO</a>,
version 0.3.0 or later. You must also install the iproute (iproute2) package
to provide the "ip" and "tc" utilities.</p>
<p align="left">Shorewall traffic shaping support consists of the following:</p>
<ul>
<li>A new TC_ENABLED parameter in /etc/shorewall.conf. Traffic
Shaping also requires that you enable packet mangling.<br>
<li>A new TC_ENABLED parameter in /etc/shorewall.conf. Traffic Shaping
also requires that you enable packet mangling.<br>
</li>
<li>/etc/shorewall/tcrules - A file where you can specify
firewall marking of packets. The firewall mark value may be used to classify
packets for traffic shaping/control.<br>
<li>/etc/shorewall/tcrules - A file where you can specify firewall
marking of packets. The firewall mark value may be used to classify packets
for traffic shaping/control.<br>
</li>
<li>/etc/shorewall/tcstart - A user-supplied file that is
sourced by Shorewall during &quot;shorewall start&quot; and which you can
use to define your traffic shaping disciplines and classes. I have provided
a <a href="ftp://ftp.shorewall.net/pub/shorewall/cbq">sample</a> that does
table-driven CBQ shaping but if you read the traffic shaping sections of the
HOWTO mentioned above, you can probably code your own faster than you can
learn how to use my sample. I personally use <a href="http://luxik.cdi.cz/~devik/qos/htb/">HTB</a>
(see below). HTB
support may eventually become an integral part of Shorewall since HTB is a
lot simpler and better-documented than CBQ. HTB is currently not a standard
part of either the kernel or iproute2 so both must be patched in order to
use it.<br>
<li>/etc/shorewall/tcstart - A user-supplied file that is sourced
by Shorewall during "shorewall start" and which you can use to define
your traffic shaping disciplines and classes. I have provided a <a
href="ftp://ftp.shorewall.net/pub/shorewall/cbq">sample</a> that does
table-driven CBQ shaping but if you read the traffic shaping sections of
the HOWTO mentioned above, you can probably code your own faster than
you can learn how to use my sample. I personally use <a
href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB</a> (see below). HTB
support may eventually become an integral part of Shorewall since HTB
is a lot simpler and better-documented than CBQ. HTB is currently not
a standard part of either the kernel or iproute2 so both must be patched
in order to use it.<br>
<br>
In tcstart, when you want to run the 'tc' utility, use the run_tc function
supplied by shorewall. <br>
</li>
<li>/etc/shorewall/tcclear - A user-supplied file that is
sourced by Shorewall when it is clearing traffic shaping. This file is
normally not required as Shorewall's method of clearing qdisc and filter
definitions is pretty general.</li>
<li>/etc/shorewall/tcclear - A user-supplied file that is sourced
by Shorewall when it is clearing traffic shaping. This file is normally
not required as Shorewall's method of clearing qdisc and filter definitions
is pretty general.</li>
</ul>
<h3 align="left">Kernel Configuration</h3>
<p align="left">This screen shot show how I've configured QoS in my Kernel:</p>
<p align="center"><img border="0" src="images/QoS.png" width="590" height="764"></p>
<p align="center"><img border="0" src="images/QoS.png" width="590"
height="764">
</p>
<h3 align="left"><a name="tcrules"></a>/etc/shorewall/tcrules</h3>
<p align="left">The fwmark classifier provides a convenient way to classify
packets for traffic shaping. The /etc/shorewall/tcrules file provides a means
for specifying these marks in a tabular fashion.</p>
packets for traffic shaping. The /etc/shorewall/tcrules file provides a
means for specifying these marks in a tabular fashion.</p>
<p align="left">Columns in the file are as follows:</p>
<ul>
<li>MARK - Specifies the mark value is to be assigned in case of
a match. This is an integer in the range 1-255.<br>
a match. This is an integer in the range 1-255.<br>
<br>
Example - 5<br>
</li>
<li>SOURCE - The source of the packet. If the packet originates
on the firewall, place &quot;fw&quot; in this column. Otherwise, this is a
comma-separated list of interface names, IP addresses, MAC addresses in
<a href="Documentation.htm#MAC">Shorewall Format</a> and/or Subnets.<br>
<li>SOURCE - The source of the packet. If the packet originates on
the firewall, place "fw" in this column. Otherwise, this is a comma-separated
list of interface names, IP addresses, MAC addresses in <a
href="Documentation.htm#MAC">Shorewall Format</a> and/or Subnets.<br>
<br>
Examples<br>
&nbsp;&nbsp;&nbsp; eth0<br>
&nbsp;&nbsp;&nbsp; 192.168.2.4,192.168.1.0/24<br>
    eth0<br>
    192.168.2.4,192.168.1.0/24<br>
</li>
<li>DEST -- Destination of the packet. Comma-separated list of
IP addresses and/or subnets.<br>
<li>DEST -- Destination of the packet. Comma-separated list of IP
addresses and/or subnets.<br>
</li>
<li>PROTO - Protocol - Must be the name of a protocol from
/etc/protocol, a number or &quot;all&quot;<br>
<li>PROTO - Protocol - Must be the name of a protocol from /etc/protocol,
a number or "all"<br>
</li>
<li>PORT(S) - Destination Ports. A comma-separated list of Port
names (from /etc/services), port numbers or port ranges (e.g., 21:22); if
the protocol is &quot;icmp&quot;, this column is interpreted as the
destination icmp type(s).<br>
<li>PORT(S) - Destination Ports. A comma-separated list of Port names
(from /etc/services), port numbers or port ranges (e.g., 21:22); if the
protocol is "icmp", this column is interpreted as the destination icmp
type(s).<br>
</li>
<li>CLIENT PORT(S) - (Optional) Port(s) used by the client. If
omitted, any source port is acceptable. Specified as a comma-separate list
of port names, port numbers or port ranges.</li>
<li>CLIENT PORT(S) - (Optional) Port(s) used by the client. If omitted,
any source port is acceptable. Specified as a comma-separate list of port
names, port numbers or port ranges.</li>
</ul>
<p align="left">Example 1 - All packets arriving on eth1 should be marked with
1. All packets arriving on eth2 should be marked with 2. All packets originating
on the firewall itself should be marked with 3.</p>
<table border="2" cellpadding="2" style="border-collapse: collapse">
<p align="left">Example 1 - All packets arriving on eth1 should be marked
with 1. All packets arriving on eth2 should be marked with 2. All packets
originating on the firewall itself should be marked with 3.</p>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>MARK</b></td>
<td><b>SOURCE</b></td>
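Review bot: the TC_ENABLED list item says the parameter lives in "/etc/shorewall.conf" in both the old and the new text, while the troubleshooting page in this same commit refers to "/etc/shorewall/shorewall.conf"; correct the path while the item is being rewrapped. Two smaller typos also survive the reflow: "This screen shot show how I've configured QoS" should be "shows", and "Specified as a comma-separate list of port names" should be "comma-separated".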
@ -110,29 +134,34 @@ on the firewall itself should be marked with 3.</p>
<td>eth1</td>
<td>0.0.0.0/0</td>
<td>all</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
<td> </td>
<td> </td>
</tr>
<tr>
<td>2</td>
<td>eth2</td>
<td>0.0.0.0/0</td>
<td>all</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
<td> </td>
<td> </td>
</tr>
<tr>
<td>3</td>
<td>fw</td>
<td>0.0.0.0/0</td>
<td>all</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
<td> </td>
<td> </td>
</tr>
</tbody>
</table>
<p align="left">Example 2 - All GRE (protocol 47) packets not originating on the
firewall and destined for 155.186.235.151 should be marked with 12.</p>
<table border="2" cellpadding="2" style="border-collapse: collapse">
<p align="left">Example 2 - All GRE (protocol 47) packets not originating
on the firewall and destined for 155.186.235.151 should be marked with 12.</p>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>MARK</b></td>
<td><b>SOURCE</b></td>
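Review bot: the empty table cells change from "&nbsp;" to a bare character between <td> and </td>; if that is a literal non-breaking space (the file is declared windows-1252) it renders the same, but if it is a plain space the cells count as empty and lose their borders in older browsers under border-collapse, and either way an editor that normalizes whitespace can silently strip it, so keeping the "&nbsp;" entity is the safer choice.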
@ -146,13 +175,18 @@ firewall and destined for 155.186.235.151 should be marked with 12.</p>
<td>0.0.0.0/0</td>
<td>155.186.235.151</td>
<td>47</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
<td> </td>
<td> </td>
</tr>
</tbody>
</table>
<p align="left">Example 3 - All SSH packets originating in 192.168.1.0/24 and
destined for 155.186.235.151 should be marked with 22.</p>
<table border="2" cellpadding="2" style="border-collapse: collapse">
<p align="left">Example 3 - All SSH packets originating in 192.168.1.0/24
and destined for 155.186.235.151 should be marked with 22.</p>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>MARK</b></td>
<td><b>SOURCE</b></td>
@ -167,48 +201,57 @@ destined for 155.186.235.151 should be marked with 22.</p>
<td>155.186.235.151</td>
<td>tcp</td>
<td>22</td>
<td>&nbsp;</td>
<td> </td>
</tr>
</tbody>
</table>
<h3>Hierarchical Token Bucket</h3>
<p>I personally use HTB. I have found a couple of things that may be of
use to others.</p>
<p>I personally use HTB. I have found a couple of things that may be of use
to others.</p>
<ul>
<li>The gzipped tc binary at the <a href="http://luxik.cdi.cz/~devik/qos/htb/">HTB
website</a> didn't work for me -- I had to download the lastest version of
the <a href="ftp://ftp.inr.ac.ru/ip-routing">iproute2 sources</a> and patch
them for HTB.</li>
<li>The HTB example in the HOWTO seems to be full of errors. I'm currently
running with this set of shaping rules in my tcstart file so I know that it works.</li>
<li>The gzipped tc binary at the <a
href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB website</a> didn't work
for me -- I had to download the lastest version of the <a
href="ftp://ftp.inr.ac.ru/ip-routing">iproute2 sources</a> and patch
them for HTB.</li>
<li>I'm currently running with this set of shaping rules in my tcstart
file. I recently changed from using a ceiling of 10Mbit (interface speed)
to 384kbit (DSP Uplink speed).<br>
<br>
</li>
</ul>
<blockquote>
<p><font face="Courier" size="2">run_tc qdisc add dev eth0 root handle 1: htb default 30<br>
<br>
run_tc class add dev eth0 parent 1: classid 1:1 htb rate 10mbit burst 15k<br>
<br>
run_tc class add dev eth0 parent 1:1 classid 1:10 htb rate 150kbit ceil 10mbit burst 15k<br>
run_tc class add dev eth0 parent 1:1 classid 1:20 htb rate 234kbit ceil 10mbit burst 15k<br>
run_tc class add dev eth0 parent 1:1 classid 1:30 htb rate 1kbit ceil&nbsp;&nbsp;
10mbit burst 15k<br>
<br>
run_tc qdisc add dev eth0 parent 1:10 sfq perturb 10<br>
run_tc qdisc add dev eth0 parent 1:20 sfq perturb 10<br>
run_tc qdisc add dev eth0 parent 1:30 sfq perturb 10<br>
<br>
run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:10<br>
run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 2 fw classid 1:20<br>
run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw classid 1:30
<pre>run_tc qdisc add dev eth0 root handle 1: htb default 30<br>run_tc class add dev eth0 parent 1: classid 1:1 htb rate 384kbit burst 15k<br><br>echo "   Added Top Level Class -- rate 384kbit"</pre>
<pre>run_tc class add dev eth0 parent 1:1 classid 1:10 htb rate 140kbit ceil 384kbit burst 15k<br>run_tc class add dev eth0 parent 1:1 classid 1:20 htb rate 224kbit ceil 384kbit burst 15k<br>run_tc class add dev eth0 parent 1:1 classid 1:30 htb rate 20kbit  ceil 384kbit burst 15k quantum 1500</pre>
<pre>echo "   Added Second Level Classes -- rates 140kbit, 224kbit, 20kbit"</pre>
<pre>run_tc qdisc add dev eth0 parent 1:10 sfq perturb 10<br>run_tc qdisc add dev eth0 parent 1:20 sfq perturb 10<br>run_tc qdisc add dev eth0 parent 1:30 sfq perturb 10</pre>
<pre>echo "   Enabled SFQ on Second Level Classes"</pre>
<pre>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:10<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 2 fw classid 1:20<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw classid 1:30</pre>
<pre>echo "   Defined fwmark filters"<br></pre>
<p>My tcrules file is shown in Example 1 above. You can look at my <a
href="myfiles.htm">network configuration</a> to get an idea of why I want
these particular rules.<font face="Courier" size="2"><br>
</font></p>
<p>My tcrules file is shown in Example 1 above. You can look at my <a href="myfiles.htm">network
configuration</a> to get an idea of why I want these particular rules.<font face="Courier" size="2"><br>
</font></p>
</blockquote>
<p><font size="2">Last Updated 8/24/2002 - <a href="support.htm">Tom
Eastep</a></font></p>
</blockquote>
<p><font size="2">Last Updated 10/25/2002 - <a href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
</body>
</html>
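Review bot: "384kbit (DSP Uplink speed)" in the new list item looks like a typo for "DSL Uplink speed". The sample is internally consistent: the child rates 140kbit + 224kbit + 20kbit sum exactly to the 384kbit parent, and the added "quantum 1500" on the 20kbit class is justified because with HTB's default r2q of 10 that class would otherwise get a quantum of only 250 bytes, well under the MTU, and tc warns about it. "the lastest version of the" keeps its typo ("latest"). It would also help readers to say in the prose that the echo lines in the sample are only progress messages printed during "shorewall start", not part of the shaping configuration.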

View File

@ -2,144 +2,142 @@
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall Troubleshooting</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Shorewall Troubleshooting</font></h1>
<h1 align="center"><font color="#ffffff">Shorewall Troubleshooting</font></h1>
</td>
</tr>
</table>
</tbody>
</table>
<h3 align="left">Check the Errata</h3>
<h3 align="Left">Check the Errata</h3>
<p align="left">Check the <a href="errata.htm">Shorewall Errata</a> to be
sure that there isn't an update that you are missing for your version of
the firewall.</p>
<p align="Left">Check the <a href="errata.htm">Shorewall Errata</a>
to be sure that there isn't an update that you are missing for your version
of the firewall.</p>
<h3 align="left">Check the FAQs</h3>
<h3 align="Left">Check the FAQs</h3>
<p align="left">Check the <a href="FAQ.htm">FAQs</a> for solutions to common
problems.</p>
<p align="Left">Check the <a href="FAQ.htm">FAQs</a> for solutions to common problems.</p>
<h3 align="Left">If the firewall fails to start</h3>
If you
receive an error message when starting or restarting the firewall and you
can't determine the cause, then do the following:
<ul>
<h3 align="left">If the firewall fails to start</h3>
If you receive an error message when starting or restarting the firewall
and you can't determine the cause, then do the following:
<ul>
<li>shorewall debug start 2&gt; /tmp/trace</li>
<li>Look at the /tmp/trace file and see if that helps you determine what
the problem is.</li>
<li>If you still can't determine what's wrong then see the
<a href="support.htm">support page</a>.</li>
</ul>
<h3>Your test environment</h3>
<p>Many times when people have problems with Shorewall, the problem is
<li>Look at the /tmp/trace file and see if that helps you determine
what the problem is.</li>
<li>If you still can't determine what's wrong then see the <a
href="support.htm">support page</a>.</li>
</ul>
<h3>Your test environment</h3>
<p>Many times when people have problems with Shorewall, the problem is
actually an ill-conceived test setup. Here are several popular snafus: </p>
<ul>
<li>Port
Forwarding where client and server are in the same subnet. See <a href="FAQ.htm">FAQ
2.</a></li>
<li>Changing the IP address of a local system to be in the external subnet,
thinking that Shorewall will suddenly believe that the system is in the
'net' zone.</li>
<li>Multiple interfaces connected to the same HUB or Switch. Given the way
that the Linux kernel respond to ARP &quot;who-has&quot; requests, this type of setup
does NOT work the way that you expect it to.</li>
</ul>
<h3 align="Left">If you are having
connection problems:</h3>
<ul>
<li>Port Forwarding where client and server are in the same
subnet. See <a href="FAQ.htm">FAQ 2.</a></li>
<li>Changing the IP address of a local system to be in the external
subnet, thinking that Shorewall will suddenly believe that the system
is in the 'net' zone.</li>
<li>Multiple interfaces connected to the same HUB or Switch. Given the
way that the Linux kernel respond to ARP "who-has" requests, this type
of setup does NOT work the way that you expect it to.</li>
<p align="Left">If the appropriate policy for the connection that you
are trying to make is ACCEPT, please DO NOT ADD ADDITIONAL ACCEPT RULES TRYING
TO MAKE IT WORK. Such additional rules will NEVER make it work, they add
clutter to your rule set and they represent a big security hole in the event
that you forget to remove them later.</p>
</ul>
<p align="Left">I also recommend against setting all of your policies to
ACCEPT in an effort to make something work. That robs you of one of your
best diagnostic tools - the &quot;Shorewall&quot; messages that Netfilter will
generate when you try to connect in a way that isn't permitted by your
rule set.</p>
<h3 align="left">If you are having connection problems:</h3>
<p align="Left">Check your log. If you don't see Shorewall messages,
then your problem is probably NOT a Shorewall problem. If you DO see packet
messages, it is an indication that you are missing one or more rules.</p>
<p align="left">If the appropriate policy for the connection that you are
trying to make is ACCEPT, please DO NOT ADD ADDITIONAL ACCEPT RULES TRYING
TO MAKE IT WORK. Such additional rules will NEVER make it work, they add clutter
to your rule set and they represent a big security hole in the event that
you forget to remove them later.</p>
<p align="Left">While you are troubleshooting, it is a good idea to clear
<p align="left">I also recommend against setting all of your policies to
ACCEPT in an effort to make something work. That robs you of one of
your best diagnostic tools - the "Shorewall" messages that Netfilter
will generate when you try to connect in a way that isn't permitted
by your rule set.</p>
<p align="left">Check your log. If you don't see Shorewall messages, then
your problem is probably NOT a Shorewall problem. If you DO see packet messages,
it may be an indication that you are missing one or more rules -- see <a
href="FAQ.htm#faq17">FAQ 17</a>.</p>
<p align="left">While you are troubleshooting, it is a good idea to clear
two variables in /etc/shorewall/shorewall.conf:</p>
<p align="Left">LOGRATE=&quot;&quot;<br>
LOGBURST=&quot;&quot;</p>
<p align="left">LOGRATE=""<br>
LOGBURST=""</p>
<p align="Left">This way, you will see all of the log messages being
<p align="left">This way, you will see all of the log messages being
generated (be sure to restart shorewall after clearing these variables).</p>
<p align="Left">Example:</p>
<p align="left">Example:</p>
<font face="Century Gothic, Arial, Helvetica">
<p align="Left"><font face="Courier">Jun 27 15:37:56 gateway kernel:
Shorewall:all2all:REJECT:IN=eth2
OUT=eth1 SRC=192.168.2.2 DST=192.168.1.3 LEN=67 TOS=0x00 PREC=0x00 TTL=63
ID=5805 DF PROTO=UDP SPT=1803 DPT=53 LEN=47</font></p>
<p align="left"><font face="Courier">Jun 27 15:37:56 gateway kernel:
Shorewall:all2all:REJECT:IN=eth2 OUT=eth1 SRC=192.168.2.2 DST=192.168.1.3
LEN=67 TOS=0x00 PREC=0x00 TTL=63 ID=5805 DF PROTO=UDP SPT=1803 DPT=53 LEN=47</font></p>
</font>
<p align="left">Let's look at the important parts of this message:</p>
<p align="Left">Let's look at the important parts of this message:</p>
<ul>
<li>all2all:REJECT - the packet was rejected under the "all"-&gt;"all" REJECT
policy</li>
<ul>
<li>all2all:REJECT - This packet was REJECTed out of the all2all chain
-- the packet was rejected under the "all"-&gt;"all" REJECT policy (see
<a href="FAQ.htm#faq17">FAQ 17).</a></li>
<li>IN=eth2 - the packet entered the firewall via eth2</li>
<li>OUT=eth1 - if accepted, the packet would be sent on eth1</li>
<li>SRC=192.168.2.2 - the packet was sent by 192.168.2.2</li>
<li>DST=192.168.1.3 - the packet is destined for 192.168.1.3</li>
<li>PROTO=UDP - UDP Protocol</li>
<li>DPT=53 - DNS</li>
</ul>
<p align="Left">In this case, 192.168.2.2 was in the "dmz" zone and
192.168.1.3 is in the "loc" zone. I was missing the rule:</p>
</ul>
<p align="Left">ACCEPT    dmz    loc    udp    53</p>
<p align="left">In this case, 192.168.2.2 was in the "dmz" zone and 192.168.1.3
is in the "loc" zone. I was missing the rule:</p>
<p align="left">ACCEPT    dmz    loc    udp    53</p>
<h3 align="left">Other Gotchas</h3>
<h3 align="Left">Other Gotchas</h3>
<ul>
<ul>
<li>Seeing rejected/dropped packets logged out of the INPUT or FORWARD
chains? This means that:<ol>
<li>your zone definitions are screwed up and the host that is sending the
packets or the destination host isn't in any zone (using an
chains? This means that:
<ol>
<li>your zone definitions are screwed up and the host that is sending
the packets or the destination host isn't in any zone (using an
<a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a> file are you?);
or</li>
<li>the source and destination hosts are both connected to the same
interface and that interface doesn't have the 'multi' option specified in
<a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
interface and that interface doesn't have the 'multi' option specified
in <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
</ol>
</li>
<li>Remember that Shorewall doesn't automatically allow ICMP type 8 ("ping")
requests to be sent between zones. If you want pings to be allowed between
zones, you need a rule of the form:<br>
<li>Remember that Shorewall doesn't automatically allow ICMP type
8 ("ping") requests to be sent between zones. If you want pings to be
allowed between zones, you need a rule of the form:<br>
<br>
    ACCEPT    &lt;source zone&gt;    &lt;destination zone&gt;   
icmp    echo-request<br>
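Review bot: the example rule `ACCEPT    dmz    loc    udp    53` covers only UDP, while the two-interface guide rewrapped later in this same commit tells readers to open port 53 for "both UDP and TCP"; the troubleshooting example should say that a matching `tcp 53` rule is normally needed as well, otherwise the reader fixes the logged UDP reject and is puzzled by a later TCP 53 reject on the same path. Also, clearing `LOGRATE=""` and `LOGBURST=""` removes the throttle on these kernel messages, so the paragraph should tell the reader to put the previous values back once troubleshooting is finished; an unthrottled REJECT log on a busy interface can fill the system log.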
@ -153,53 +151,49 @@ icmp
the zone containing the system you are pinging from and the zone containing
10.1.1.2, the ping requests will be dropped. This is true even if you
have NOT specified 'noping' for eth0 in /etc/shorewall/interfaces.</li>
<li>If you specify "routefilter" for an interface, that interface must be
up prior to starting the firewall.</li>
<li>Is your routing correct? For example, internal systems usually need to
be configured with their default gateway set to the IP address of their
nearest firewall interface. One often overlooked aspect of routing is that
in order for two hosts to communicate, the routing between them must be set
up <u>in both directions.</u> So when setting up routing between <b>A</b>
and<b> B</b>, be sure to verify that the route from <b>B</b> back to <b>A</b>
is defined.</li>
<li>Some versions of LRP (EigerStein2Beta for example) have a shell with
broken variable expansion. <a href="ftp://ftp.shorewall.net/pub/shorewall/ash.gz">
You can get a corrected shell from the Shorewall Errata download site.</a>
</li>
<li>Do you have your kernel properly configured? <a href="kernel.htm">Click
here to see my kernel configuration.</a> </li>
<li>Some features require the "ip" program. That program is generally included
in the "iproute" package which should be included with your distribution
(though many distributions don't install iproute by default). You
may also download the latest source tarball from <a href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank">
ftp://ftp.inr.ac.ru/ip-routing</a>
<li>If you specify "routefilter" for an interface, that interface
must be up prior to starting the firewall.</li>
<li>Is your routing correct? For example, internal systems usually need
to be configured with their default gateway set to the IP address of
their nearest firewall interface. One often overlooked aspect of routing
is that in order for two hosts to communicate, the routing between them
must be set up <u>in both directions.</u> So when setting up routing
between <b>A</b> and<b> B</b>, be sure to verify that the route from
<b>B</b> back to <b>A</b> is defined.</li>
<li>Some versions of LRP (EigerStein2Beta for example) have a shell
with broken variable expansion. <a
href="ftp://ftp.shorewall.net/pub/shorewall/ash.gz"> You can get a corrected
shell from the Shorewall Errata download site.</a> </li>
<li>Do you have your kernel properly configured? <a
href="kernel.htm">Click here to see my kernel configuration.</a> </li>
<li>Some features require the "ip" program. That program is generally
included in the "iproute" package which should be included with your
distribution (though many distributions don't install iproute by
default). You may also download the latest source tarball from <a
href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank"> ftp://ftp.inr.ac.ru/ip-routing</a>
.</li>
<li>If you have <u>any</u> entry for a zone in /etc/shorewall/hosts then the
zone must be entirely defined in /etc/shorewall/hosts unless you have
specified MERGE_HOSTS=Yes (Shorewall version 1.3.5 and later). For example, if
a zone has two interfaces but only one interface has an entry in /etc/shorewall/hosts
then hosts attached to the other interface will <u>not</u> be considered
part of the zone.</li>
<li>Problems with NAT? Be sure that you let Shorewall add all external addresses
to be use with NAT unless you have set <a href="Documentation.htm#Aliases">
ADD_IP_ALIASES</a>
=No in /etc/shorewall/shorewall.conf.</li>
</ul>
<h3>Still Having Problems?</h3>
<p>See the<a href="support.htm"> support page.</a></p>
<li>If you have <u>any</u> entry for a zone in /etc/shorewall/hosts
then the zone must be entirely defined in /etc/shorewall/hosts unless you
have specified MERGE_HOSTS=Yes (Shorewall version 1.3.5 and later).
For example, if a zone has two interfaces but only one interface has an
entry in /etc/shorewall/hosts then hosts attached to the other interface
will <u>not</u> be considered part of the zone.</li>
<li>Problems with NAT? Be sure that you let Shorewall add all external
addresses to be use with NAT unless you have set <a
href="Documentation.htm#Aliases"> ADD_IP_ALIASES</a> =No in /etc/shorewall/shorewall.conf.</li>
</ul>
<h3>Still Having Problems?</h3>
<p>See the<a href="support.htm"> support page.</a></p>
<font face="Century Gothic, Arial, Helvetica">
<blockquote> </blockquote>
<blockquote> </blockquote>
</font>
<p><font size="2">Last updated 10/17/2002 - Tom Eastep</font> </p>
<p><font size="2">Last updated 9/13/2002 -
Tom Eastep</font>
</p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
</body>
</html>
</html>
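Review bot: `to be use with NAT` in the ADD_IP_ALIASES bullet should read `to be used with NAT`; the bullet is rewrapped in this hunk, so the typo can be fixed at the same time. The two empty `<blockquote> </blockquote>` elements before the footer add nothing and can be dropped, and the file view ends with two `</html>` lines; make sure only one remains in the committed file.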

@ -35,7 +35,7 @@
<p>This guide doesn't attempt to acquaint you with all of the features of
Shorewall. It rather focuses on what is required to configure Shorewall
in its most common configuration:</p>
in its most common configuration:</p>
<ul>
<li>Linux system used as a firewall/router for a small local network.</li>
@ -52,10 +52,10 @@ in its most common configuration:</p>
</p>
<p>This guide assumes that you have the iproute/iproute2 package installed
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell if
this package is installed by the presence of an <b>ip</b> program on your
firewall system. As root, you can use the 'which' command to check for
this program:</p>
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell
if this package is installed by the presence of an <b>ip</b> program on
your firewall system. As root, you can use the 'which' command to check
for this program:</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
@ -69,23 +69,23 @@ this program:</p>
    If you edit your configuration files on a Windows system, you must
save them as Unix files if your editor supports that option or you must
run them through dos2unix before trying to use them. Similarly, if you copy
a configuration file from your Windows hard drive to a floppy disk, you
must run dos2unix against the copy before using it with Shorewall.</p>
a configuration file from your Windows hard drive to a floppy disk, you must
run dos2unix against the copy before using it with Shorewall.</p>
<ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
of dos2unix</a></li>
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
Version of dos2unix</a></li>
Version of dos2unix</a></li>
</ul>
<h2 align="left">Shorewall Concepts</h2>
<p>The configuration files for Shorewall are contained in the directory
/etc/shorewall -- for simple setups, you will only need to deal with a few
of these as described in this guide. After you have <a
href="Install.htm">installed Shorewall</a>, download the <a
<p>The configuration files for Shorewall are contained in the directory /etc/shorewall
-- for simple setups, you will only need to deal with a few of these as
described in this guide. After you have <a href="Install.htm">installed
Shorewall</a>, download the <a
href="/pub/shorewall/LATEST.samples/two-interfaces.tgz">two-interface sample</a>,
un-tar it (tar -zxvf two-interfaces.tgz) and and copy the files to /etc/shorewall
(these files will replace files with the same name).</p>
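Review bot: `un-tar it (tar -zxvf two-interfaces.tgz) and and copy the files` has a doubled `and`; since the paragraph is being rewrapped here, drop the duplicate. Because the same sentence states that the sample files `will replace files with the same name`, it would also help to tell the reader to back up /etc/shorewall first, as the Bering upgrade notes later in this commit already advise.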
@ -127,8 +127,8 @@ of these as described in this guide. After you have <a
in terms of zones.</p>
<ul>
<li>You express your default policy for connections from one zone to
another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
<li>You express your default policy for connections from one zone
to another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
</a>file.</li>
<li>You define exceptions to those default policies in the <a
href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
@ -136,14 +136,14 @@ of these as described in this guide. After you have <a
</ul>
<p>For each connection request entering the firewall, the request is first
checked against the /etc/shorewall/rules file. If no rule in that file matches
the connection request then the first policy in /etc/shorewall/policy that
matches the request is applied. If that policy is REJECT or DROP  the
request is first checked against the rules in /etc/shorewall/common (the
samples provide that file for you).</p>
checked against the /etc/shorewall/rules file. If no rule in that file
matches the connection request then the first policy in /etc/shorewall/policy
that matches the request is applied. If that policy is REJECT or DROP 
the request is first checked against the rules in /etc/shorewall/common
(the samples provide that file for you).</p>
<p>The /etc/shorewall/policy file included with the two-interface sample has
the following policies:</p>
<p>The /etc/shorewall/policy file included with the two-interface sample
has the following policies:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -185,7 +185,7 @@ the following policies:</p>
<blockquote>
<p>In the two-interface sample, the line below is included but commented
out. If you want your firewall system to have full access to servers on
the internet, uncomment that line.</p>
the internet, uncomment that line.</p>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber3">
@ -214,7 +214,7 @@ the internet, uncomment that line.</p>
<ol>
<li>allow all connection requests from your local network to the internet</li>
<li>drop (ignore) all connection requests from the internet to your
firewall or local network</li>
firewall or local network</li>
<li>optionally accept all connection requests from the firewall to
the internet (if you uncomment the additional policy)</li>
<li>reject all other connection requests.</li>
@ -231,9 +231,9 @@ the internet (if you uncomment the additional policy)</li>
height="635">
</p>
<p align="left">The firewall has two network interfaces. Where Internet
connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
will be the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>) 
<p align="left">The firewall has two network interfaces. Where Internet connectivity
is through a cable or DSL "Modem", the <i>External Interface</i> will be
the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>) 
<u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol
over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling
<u>P</u>rotocol </i>(PPTP) in which case the External Interface will be
@ -243,14 +243,15 @@ your external interface will be <b>ippp0.</b></p>
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13">
    If your external interface is <b>ppp0</b> or<b> ippp0</b>  then you
will want to set CLAMPMSS=yes in <a href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf.</a></p>
    If your external interface is <b>ppp0</b> or<b> ippp0</b>  then
you will want to set CLAMPMSS=yes in <a href="Documentation.htm#Conf">
/etc/shorewall/shorewall.conf.</a></p>
<p align="left">Your <i>Internal Interface</i> will be an ethernet adapter
(eth1 or eth0) and will be connected to a hub or switch. Your other computers
will be connected to the same hub/switch (note: If you have only a single
internal system, you can connect the firewall directly to the computer using
a <i>cross-over </i> cable).</p>
internal system, you can connect the firewall directly to the computer
using a <i>cross-over </i> cable).</p>
<p align="left"><u><b> <img border="0" src="images/j0213519.gif"
width="60" height="60">
@ -262,11 +263,11 @@ your external interface will be <b>ippp0.</b></p>
<p align="left"><img border="0" src="images/BD21298_.gif" align="left"
width="13" height="13">
    The Shorewall two-interface sample configuration assumes that the
external interface is <b>eth0</b> and the internal interface is <b>eth1</b>.
external interface is <b>eth0</b> and the internal interface is <b>eth1</b>.
If your configuration is different, you will have to modify the sample
<a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> file
accordingly. While you are there, you may wish to review the list of options
that are specified for the interfaces. Some hints:</p>
<a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> file
accordingly. While you are there, you may wish to review the list of options
that are specified for the interfaces. Some hints:</p>
<ul>
<li>
@ -286,15 +287,15 @@ that are specified for the interfaces. Some hints:</p>
<p align="left">Before going further, we should say a few words about Internet
Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you a single
<i> Public</i> IP address. This address may be assigned via the<i> Dynamic
Host Configuration Protocol</i> (DHCP) or as part of establishing your connection
when you dial in (standard modem) or establish your PPP connection. In
rare cases, your ISP may assign you a<i> static</i> IP address; that means
that you configure your firewall's external interface to use that address
permanently.<i> </i>However your external address is assigned, it will be
shared by all of your systems when you access the Internet. You will have
to assign your own addresses in your internal network (the Internal Interface
on your firewall plus your other computers). RFC 1918 reserves several
<i>Private </i>IP address ranges for this purpose:</p>
Host Configuration Protocol</i> (DHCP) or as part of establishing your
connection when you dial in (standard modem) or establish your PPP connection.
In rare cases, your ISP may assign you a<i> static</i> IP address; that
means that you configure your firewall's external interface to use that
address permanently.<i> </i>However your external address is assigned, it
will be shared by all of your systems when you access the Internet. You
will have to assign your own addresses in your internal network (the Internal
Interface on your firewall plus your other computers). RFC 1918 reserves
several <i>Private </i>IP address ranges for this purpose:</p>
<div align="left">
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
@ -304,8 +305,8 @@ on your firewall plus your other computers). RFC 1918 reserves several
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13">
    Before starting Shorewall, you should look at the IP address of
your external interface and if it is one of the above ranges, you should
remove the 'norfc1918' option from the external interface's entry in
your external interface and if it is one of the above ranges, you should
remove the 'norfc1918' option from the external interface's entry in
/etc/shorewall/interfaces.</p>
</div>
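Review bot: the paragraph tells the reader to remove the `norfc1918` option when the external address is in one of the RFC 1918 ranges but never says what the option does, so the reader cannot judge what is given up; a short clause such as "the option filters packets arriving on that interface with RFC 1918 source addresses, which would also match your own upstream traffic" would make the trade-off clear.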
@ -313,13 +314,13 @@ remove the 'norfc1918' option from the external interface's entry in
<p align="left">You will want to assign your addresses from the same <i>
sub-network </i>(<i>subnet)</i>.  For our purposes, we can consider a subnet
to consists of a range of addresses x.y.z.0 - x.y.z.255. Such a subnet
will have a <i>Subnet Mask </i>of 255.255.255.0. The address x.y.z.0 is
reserved as the <i>Subnet Address</i> and x.y.z.255 is reserved as the
<i>Subnet Broadcast</i> <i>Address</i>. In Shorewall, a subnet is described
using <a href="subnet_masks.htm"><i>Classless InterDomain Routing </i>(CIDR)
notation</a> with consists of the subnet address followed by "/24". The
"24" refers to the number of consecutive leading "1" bits from the left
of the subnet mask. </p>
will have a <i>Subnet Mask </i>of 255.255.255.0. The address x.y.z.0
is reserved as the <i>Subnet Address</i> and x.y.z.255 is reserved as
the <i>Subnet Broadcast</i> <i>Address</i>. In Shorewall, a subnet is
described using <a href="subnet_masks.htm"><i>Classless InterDomain Routing
</i>(CIDR) notation</a> with consists of the subnet address followed
by "/24". The "24" refers to the number of consecutive leading "1" bits
from the left of the subnet mask. </p>
</div>
<div align="left">
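Review bot: `we can consider a subnet to consists of a range of addresses` should read `to consist of`, and `notation</a> with consists of the subnet address` should read `which consists of`; both sentences are rewrapped in this hunk, so correct them here.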
@ -362,23 +363,23 @@ remove the 'norfc1918' option from the external interface's entry in
<div align="left">
<p align="left">One of the purposes of subnetting is to allow all computers
in the subnet to understand which other computers can be communicated
with directly. To communicate with systems outside of the subnetwork, systems
send packets through a<i>  gateway</i>  (router).</p>
with directly. To communicate with systems outside of the subnetwork,
systems send packets through a<i>  gateway</i>  (router).</p>
</div>
<div align="left">
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13">
    Your local computers (computer 1 and computer 2 in the above diagram)
should be configured with their<i> default gateway</i> to be the IP address
of the firewall's internal interface.<i>      </i> </p>
should be configured with their<i> default gateway</i> to be the IP
address of the firewall's internal interface.<i>      </i> </p>
</div>
<p align="left">The foregoing short discussion barely scratches the surface
regarding subnetting and routing. If you are interested in learning more
about IP addressing and routing, I highly recommend <i>"IP Fundamentals:
What Everyone Needs to Know about Addressing &amp; Routing",</i> Thomas
A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
<p align="left">The remainder of this quide will assume that you have configured
your network as shown here:</p>
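Review bot: `The remainder of this quide` in the trailing context line should read `guide`.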
@ -398,18 +399,18 @@ A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
host, the firewall must perform <i>Network Address Translation </i>(NAT).
The firewall rewrites the source address in the packet to be the address
of the firewall's external interface; in other words, the firewall makes
it look as if the firewall itself is initiating the connection.  This is
necessary so that the destination host will be able to route return packets
back to the firewall (remember that packets whose destination address is
reserved by RFC 1918 can't be routed across the internet so the remote host
can't address its response to computer 1). When the firewall receives a
return packet, it rewrites the destination address back to 10.10.10.1 and
forwards the packet on to computer 1. </p>
it look as if the firewall itself is initiating the connection.  This
is necessary so that the destination host will be able to route return
packets back to the firewall (remember that packets whose destination
address is reserved by RFC 1918 can't be routed across the internet so
the remote host can't address its response to computer 1). When the firewall
receives a return packet, it rewrites the destination address back to 10.10.10.1
and forwards the packet on to computer 1. </p>
<p align="left">On Linux systems, the above process is often referred to as<i>
IP Masquerading</i> but you will also see the term <i>Source Network Address
Translation </i>(SNAT) used. Shorewall follows the convention used with
Netfilter:</p>
<p align="left">On Linux systems, the above process is often referred to
as<i> IP Masquerading</i> but you will also see the term <i>Source Network
Address Translation </i>(SNAT) used. Shorewall follows the convention used
with Netfilter:</p>
<ul>
<li>
@ -433,8 +434,8 @@ return packet, it rewrites the destination address back to 10.10.10.1 and
height="13">
    If your external firewall interface is <b>eth0</b>, you do not need
to modify the file provided with the sample. Otherwise, edit /etc/shorewall/masq
and change the first column to the name of your external interface and the
second column to the name of your internal interface.</p>
and change the first column to the name of your external interface and
the second column to the name of your internal interface.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13">
@ -447,16 +448,16 @@ return packet, it rewrites the destination address back to 10.10.10.1 and
<p align="left">One of your goals may be to run one or more servers on your
local computers. Because these computers have RFC-1918 addresses, it is
not possible for clients on the internet to connect directly to them. It
is rather necessary for those clients to address their connection requests
to the firewall who rewrites the destination address to the address of your
server and forwards the packet to that server. When your server responds,
the firewall automatically performs SNAT to rewrite the source address in
the response.</p>
not possible for clients on the internet to connect directly to them. It
is rather necessary for those clients to address their connection requests
to the firewall who rewrites the destination address to the address of
your server and forwards the packet to that server. When your server responds,
the firewall automatically performs SNAT to rewrite the source address
in the response.</p>
<p align="left">The above process is called<i> Port Forwarding</i> or <i>
Destination Network Address Translation</i> (DNAT). You configure port
forwarding using DNAT rules in the /etc/shorewall/rules file.</p>
forwarding using DNAT rules in the /etc/shorewall/rules file.</p>
<p>The general form of a simple port forwarding rule in /etc/shorewall/rules
is:</p>
@ -523,13 +524,13 @@ port&gt;</i>]</td>
<ul>
<li>You must test the above rule from a client outside of your local
network (i.e., don't test from a browser running on computers 1 or 2
or on the firewall). If you want to be able to access your web server
using the IP address of your external interface, see <a
network (i.e., don't test from a browser running on computers 1 or 2 or
on the firewall). If you want to be able to access your web server using
the IP address of your external interface, see <a
href="FAQ.htm#faq2">Shorewall FAQ #2</a>.</li>
<li>Many ISPs block incoming connection requests to port 80. If you
have problems connecting to your web server, try the following rule and
try connecting to port 5000.</li>
have problems connecting to your web server, try the following rule
and try connecting to port 5000.</li>
</ul>
@ -568,35 +569,35 @@ that you require.</p>
<p align="left">Normally, when you connect to your ISP, as part of getting
an IP address your firewall's <i>Domain Name Service </i>(DNS) resolver
will be automatically configured (e.g., the /etc/resolv.conf file will be
written). Alternatively, your ISP may have given you the IP address of a
pair of DNS <i> name servers</i> for you to manually configure as your primary
and secondary name servers. Regardless of how DNS gets configured on your
firewall, it is <u>your</u> responsibility to configure the resolver in your
internal systems. You can take one of two approaches:</p>
will be automatically configured (e.g., the /etc/resolv.conf file will
be written). Alternatively, your ISP may have given you the IP address
of a pair of DNS <i> name servers</i> for you to manually configure as your
primary and secondary name servers. Regardless of how DNS gets configured
on your firewall, it is <u>your</u> responsibility to configure the resolver
in your internal systems. You can take one of two approaches:</p>
<ul>
<li>
<p align="left">You can configure your internal systems to use your ISP's
name servers. If you ISP gave you the addresses of their servers or if
those addresses are available on their web site, you can configure your
internal systems to use those addresses. If that information isn't available,
look in /etc/resolv.conf on your firewall system -- the name servers are
given in "nameserver" records in that file. </p>
name servers. If you ISP gave you the addresses of their servers or
if those addresses are available on their web site, you can configure
your internal systems to use those addresses. If that information isn't
available, look in /etc/resolv.conf on your firewall system -- the name
servers are given in "nameserver" records in that file. </p>
</li>
<li>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13">
    You can configure a<i> Caching Name Server </i>on your firewall.<i>
</i>Red Hat has an RPM for a caching name server (the RPM also requires
the 'bind' RPM) and for Bering users, there is dnscache.lrp. If you take
this approach, you configure your internal systems to use the firewall
the 'bind' RPM) and for Bering users, there is dnscache.lrp. If you
take this approach, you configure your internal systems to use the firewall
itself as their primary (and only) name server. You use the internal IP
address of the firewall (10.10.10.254 in the example above) for the name
server address. To allow your local systems to talk to your caching name
server, you must open port 53 (both UDP and TCP) from the local network
to the firewall; you do that by adding the following rules in /etc/shorewall/rules.
</p>
server address. To allow your local systems to talk to your caching
name server, you must open port 53 (both UDP and TCP) from the local
network to the firewall; you do that by adding the following rules in
/etc/shorewall/rules. </p>
</li>
</ul>
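Review bot: `If you ISP gave you the addresses of their servers` should read `If your ISP gave you`; the line is rewrapped in this hunk (`name servers. If you ISP gave you the addresses of their servers or`), so fix the typo at the same time.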
@ -685,7 +686,7 @@ firewall, it is <u>your</u> responsibility to configure the resolver in your
<div align="left">
<p align="left">Those rules allow DNS access from your firewall and may be
removed if you commented out the line in /etc/shorewall/policy allowing
removed if you uncommented the line in /etc/shorewall/policy allowing
all connections from the firewall to the internet.</p>
</div>
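Review bot: the change from `commented out` to `uncommented` corrects an inverted condition: the two DNS rules from the firewall are only redundant once the policy allowing all connections from the firewall to the internet is active. Since the sample ships that policy line commented out (`the line below is included but commented out`), consider stating explicitly that with the unmodified sample the two rules must stay.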
@ -806,12 +807,13 @@ firewall, it is <u>your</u> responsibility to configure the resolver in your
<div align="left">
<p align="left">Those two rules would of course be in addition to the rules
listed above under "You can configure a Caching Name Server on your firewall"</p>
listed above under "You can configure a Caching Name Server on your
firewall"</p>
</div>
<div align="left">
<p align="left">If you don't know what port and protocol a particular application
uses, look <a href="ports.htm">here</a>.</p>
<p align="left">If you don't know what port and protocol a particular
application uses, look <a href="ports.htm">here</a>.</p>
</div>
<div align="left">
@ -865,9 +867,9 @@ connections as required.</p>
width="13" height="13" alt="Arrow">
    The <a href="Install.htm">installation procedure </a> configures
your system to start Shorewall at system boot  but beginning with Shorewall
version 1.3.9 startup is disabled so that your system won't try to start
Shorewall before configuration is complete. Once you have completed configuration
of your firewall, you can enable Shorewall startup by removing the file /etc/shorewall/startup_disabled.<br>
version 1.3.9 startup is disabled so that your system won't try to start Shorewall
before configuration is complete. Once you have completed configuration of
your firewall, you can enable Shorewall startup by removing the file /etc/shorewall/startup_disabled.<br>
</p>
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: </font><font
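Review bot: the paragraph says startup is disabled from 1.3.9 on and is enabled by removing /etc/shorewall/startup_disabled, but the trailing context line (`and set 'startup=1'`) points at a second, different switch; the text should say which applies to which install type so a reader does not remove the file and still find the firewall not starting at boot.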
@ -891,22 +893,22 @@ and set 'startup=1'.</font><br>
height="13">
    The two-interface sample assumes that you want to enable routing
to/from <b>eth1 </b>(the local network) when Shorewall is stopped. If
your local network isn't connected to <b>eth1</b> or if you wish to enable
your local network isn't connected to <b>eth1</b> or if you wish to enable
access to/from other hosts, change /etc/shorewall/routestopped accordingly.</p>
</div>
<div align="left">
<p align="left"><b>WARNING: </b>If you are connected to your firewall from
the internet, do not issue a "shorewall stop" command unless you have
added an entry for the IP address that you are connected from to <a
added an entry for the IP address that you are connected from to <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better to create
an <i><a href="Documentation.htm#Configs">alternate configuration</a></i>
and test it using the <a href="Documentation.htm#Starting">"shorewall
try" command</a>.</p>
try" command</a>.</p>
</div>
<p align="left"><font size="2">Last updated 9/26/2002 - <a
<p align="left"><font size="2">Last updated 10/9/2002 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas
@ -915,5 +917,6 @@ try" command</a>.</p>
<br>
<br>
<br>
<br>
</body>
</html>

@ -30,26 +30,38 @@
<p>For upgrade instructions see the <a
href="Install.htm">Install/Upgrade page</a>.</p>
<h3>Version 1.3.10</h3>
If you have installed the 1.3.10 Beta 1 RPM and are now upgrading to version
1.3.10, you will need to use the '--force' option:<br>
<br>
<blockquote>
<pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm </pre>
</blockquote>
<h3>Version &gt;= 1.3.9</h3>
The 'functions' file has moved to /usr/lib/shorewall/functions. If you
have an application that uses functions from that file, your application
will need to be changed to reflect this change of location.<br>
<h3>Version &gt;= 1.3.8</h3>
<p>If you have a pair of firewall systems configured for failover
or if you have asymmetric routing, you will need to modify
or if you have asymmetric routing, you will need to modify
your firewall setup slightly under Shorewall
versions &gt;= 1.3.8. Beginning with version 1.3.7,
versions &gt;= 1.3.8. Beginning with version 1.3.8,
you must set NEWNOTSYN=Yes in your
/etc/shorewall/shorewall.conf file.</p>
<h3>Version &gt;= 1.3.7</h3>
<p>Users specifying ALLOWRELATED=No in /etc/shorewall.conf
will need to include the following rules in
their /etc/shorewall/icmpdef file (creating
this file if necessary):</p>
will need to include the following rules
in their /etc/shorewall/icmpdef file (creating
this file if necessary):</p>
<pre> run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT</pre>
<p>Users having an /etc/shorewall/icmpdef file may remove the ". /etc/shorewall/icmp.def"
command from that file since the icmp.def file is now empty.</p>
command from that file since the icmp.def file is now empty.</p>
<h3><b><a name="Bering">Upgrading </a>Bering to
Shorewall &gt;= 1.3.3</b></h3>
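Review bot: the new "Version 1.3.10" paragraph tells users to run `rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm` without saying why the flag is needed; the reason is that rpm treats 1.3.10b1 (the version the spec file changes from in this commit) as newer than 1.3.10, so a plain `rpm -Uvh` is refused as a downgrade. The narrower `--oldpackage` flag is enough for that case, while `--force` additionally implies `--replacepkgs` and `--replacefiles`; stating the reason and recommending the narrower flag would make the instruction both clearer and less risky to copy into other situations. The correction from `1.3.7` to `1.3.8` in the NEWNOTSYN paragraph is right, since the newnotsyn-file procedure later in the page is scoped to versions 1.3.6 and 1.3.7.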
@ -58,26 +70,26 @@ command from that file since the icmp.def file is now empty.</p>
1.3.3 and later:</p>
<ol>
<li>Be sure you have a backup -- you will
need to transcribe any Shorewall configuration
<li>Be sure you have a backup -- you
will need to transcribe any Shorewall configuration
changes that you have made to the new
configuration.</li>
<li>Replace the shorwall.lrp package provided
on the Bering floppy with the later one.
If you did not obtain the later version from
Jacques's site, see additional instructions
below.</li>
<li>Replace the shorwall.lrp package
provided on the Bering floppy with the later
one. If you did not obtain the later version
from Jacques's site, see additional instructions
below.</li>
<li>Edit the /var/lib/lrpkg/root.exclude.list
file and remove the /var/lib/shorewall entry
if present. Then do not forget to backup
root.lrp !</li>
file and remove the /var/lib/shorewall
entry if present. Then do not forget to
backup root.lrp !</li>
</ol>
<p>The .lrp that I release isn't set up for a two-interface firewall like
Jacques's. You need to follow the <a href="two-interface.htm">instructions
for setting up a two-interface firewall</a> plus you also need to add the
following two Bering-specific rules to /etc/shorewall/rules:</p>
for setting up a two-interface firewall</a> plus you also need to add
the following two Bering-specific rules to /etc/shorewall/rules:</p>
<blockquote>
<pre># Bering specific rules:<br># allow loc to fw udp/53 for dnscache to work<br># allow loc to fw tcp/80 for weblet to work<br>#<br>ACCEPT loc fw udp 53<br>ACCEPT loc fw tcp 80</pre>
@ -87,18 +99,18 @@ following two Bering-specific rules to /etc/shorewall/rules:</p>
<p align="left">If you have a pair of firewall systems configured for
failover or if you have asymmetric routing, you will need to modify
your firewall setup slightly under Shorewall versions 1.3.6 and
1.3.7</p>
your firewall setup slightly under Shorewall versions 1.3.6
and 1.3.7</p>
<ol>
<li>
<p align="left">Create the file /etc/shorewall/newnotsyn and in it add
the following rule<br>
<br>
<font face="Courier">run_iptables -A newnotsyn -j RETURN # So
that the connection tracking table can be rebuilt<br>
                                    # from non-SYN packets after
takeover.<br>
<font face="Courier">run_iptables -A newnotsyn -j RETURN #
So that the connection tracking table can be rebuilt<br>
                                    # from non-SYN packets
after takeover.<br>
 </font> </p>
</li>
<li>
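Review bot: the newnotsyn rule in step 1 is set in `<font face="Courier">` with its trailing comment wrapped onto a second line by `<br>` and indented with non-breaking spaces; a copy-and-paste from the rendered page therefore yields a line that begins with non-breaking-space characters, which the shell that sources /etc/shorewall/newnotsyn does not treat as whitespace. Put the rule in a `<pre>` block, as the icmpdef rules earlier in this page already are, with the comment on its own `#` line. The text should also say plainly that `run_iptables -A newnotsyn -j RETURN` passes every non-SYN packet that has no connection-tracking entry on to the normal rules, which is the intended trade-off for failover and asymmetric routing but not something a single-firewall site should copy.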
@ -154,12 +166,11 @@ takeover.<br>
If you have applications that access these files, those applications
should be modified accordingly.</p>
<p><font size="2"> Last updated 9/28/2002 -
<p><font size="2"> Last updated 11/09/2002 -
<a href="support.htm">Tom Eastep</a></font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
</p>
</body>
</html>

View File

@ -35,3 +35,10 @@ Changes since 1.3.9
17. Add MAC verificaiton
18. Conserve space by removing comment decorations.
19. Improve comments in interfaces file re: use of aliases
20. Clear nat and mangle counters during 'shorewall reset'
21. Verify interface names in the SOURCE column of /etc/shorewall/tcrules
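Review bot: item 17, `Add MAC verificaiton`, is misspelled (verification); it is a context line here but worth fixing in the same pass. For the new item 21, `Verify interface names in the SOURCE column of /etc/shorewall/tcrules`, the release notes should state whether an unknown interface name is rejected when the firewall starts, so that a mistyped name is reported rather than silently producing a rule that never matches.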

View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=1.3.10b1
VERSION=1.3.10
usage() # $1 = exit status
{
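Review bot: `VERSION=1.3.10` is maintained as a separate literal in four places in this commit (this fallback script, the install script, the uninstall script and the spec file's `%define version`), so a future bump that misses one file would leave the fallback or uninstall script refusing to act on the installed version, given the comment "You may only use this script to uninstall the version shown below"; derive the string from a single source, or at least add a release-procedure check that all four agree.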

View File

@ -54,7 +54,7 @@
# /etc/rc.d/rc.local file is modified to start the firewall.
#
VERSION=1.3.10b1
VERSION=1.3.10
usage() # $1 = exit status
{

View File

@ -1,5 +1,5 @@
%define name shorewall
%define version 1.3.10b1
%define version 1.3.10
%define release 1
%define prefix /usr
@ -101,6 +101,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog
* Sat Nov 09 2002 Tom Eastep <tom@shorewall.net>
- Changes version to 1.3.10
* Wed Oct 23 2002 Tom Eastep <tom@shorewall.net>
- Changes version to 1.3.10b1
* Tue Oct 22 2002 Tom Eastep <tom@shorewall.net>

View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall
VERSION=1.3.10b1
VERSION=1.3.10
usage() # $1 = exit status
{