Documentation changes for 1.3.8

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@240 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2002-09-16 17:02:45 +00:00
parent da993d8c10
commit 342db2dd44
15 changed files with 6956 additions and 6220 deletions

File diff suppressed because it is too large

View File

@ -11,11 +11,14 @@
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90"> <table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#FFFFFF">Shorewall Installation</font></h1> <h1 align="center"><font color="#FFFFFF">Shorewall Installation and Upgrade</font></h1>
</td> </td>
</tr> </tr>
</table> </table>
<p align="center"><b>Before upgrading, be sure to review the
<a href="upgrade_issues.htm">Upgrade Issues</a></b></p>
<p><font size="4"><b><a href="#Install_RPM">Install using RPM</a><br> <p><font size="4"><b><a href="#Install_RPM">Install using RPM</a><br>
<a href="#Install_Tarball">Install <a href="#Install_Tarball">Install
using tarball</a><br> using tarball</a><br>
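Review bot: The new "Before upgrading, be sure to review the Upgrade Issues" paragraph links to upgrade_issues.htm, and the navigation and errata hunks in this same commit also point there, but the file itself is not visible in this diff (two file diffs are suppressed as too large); confirm that upgrade_issues.htm is actually added in this commit so none of the three new links ship dangling. Placing the notice directly under the banner table is the right spot now that the page title reads "Installation and Upgrade".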
@ -163,7 +166,7 @@ QuickStart Guides</a> contain all of the information you need.</p>
the firewall system.</li> the firewall system.</li>
<li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC addresses.</li> <li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC addresses.</li>
</ul> </ul>
<p><font size="2">Updated 8/7/2002 - <a href="support.htm">Tom <p><font size="2">Updated 9/13/2002 - <a href="support.htm">Tom
Eastep</a> </font></p> Eastep</a> </font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
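Review bot: The "Updated" date here is set to 9/13/2002 while blacklisting.htm in this commit says 9/16/2002 and download.htm says 9/2/2002, although all three carry 1.3.8 changes and the commit itself is dated 2002-09-16; use one date across the pages touched for the release so a reader can tell which copy of the docs they are looking at. The unchanged context line above still describes /etc/shorewall/blacklist as "lists blacklisted IP/subnet/MAC addresses", which no longer matches blacklisting.htm's statement that 1.3.8 entries may also carry a PROTOCOL and port/service names; update the description here as well.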

File diff suppressed because it is too large

View File

@ -44,7 +44,9 @@
<li> <li>
<a href="troubleshoot.htm">Troubleshooting</a></li> <a href="troubleshoot.htm">Troubleshooting</a></li>
<li> <li>
<a href="errata.htm">Errata/Upgrade Issues</a></li> <a href="errata.htm">Errata</a></li>
<li>
<a href="upgrade_issues.htm">Upgrade Issues</a></li>
<li> <li>
<a href="support.htm">Support</a></li> <a href="support.htm">Support</a></li>
<li> <li>

View File

@ -1,67 +1,95 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> <meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta http-equiv="Content-Type"
<title>Blacklisting Support</title> content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Blacklisting Support</title>
</head> </head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0"
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90"> style="border-collapse: collapse;" bordercolor="#111111" width="100%"
<tr> id="AutoNumber1" bgcolor="#400169" height="90">
<td width="100%"> <tbody>
<h1 align="center"><font color="#FFFFFF">Blacklisting Support</font></h1> <tr>
</td> <td width="100%">
</tr> <h1 align="center"><font color="#ffffff">Blacklisting Support</font></h1>
</td>
</tr>
</tbody>
</table> </table>
<p>Shorewall supports two different forms of blacklisting; static and dynamic.</p> <p>Shorewall supports two different forms of blacklisting; static and dynamic.</p>
<h2>Static Blacklisting</h2> <h2>Static Blacklisting</h2>
<p>Shorewall
static blacklisting support has the following configuration parameters:</p> <p>Shorewall static blacklisting support has the following configuration
parameters:</p>
<ul> <ul>
<li>You specify whether you want packets from blacklisted hosts dropped or <li>You specify whether you want packets from blacklisted hosts dropped
rejected using the <a href="Documentation.htm#BLDisposition">BLACKLIST_DISPOSITION</a> or rejected using the <a href="Documentation.htm#BLDisposition">BLACKLIST_DISPOSITION</a>
setting in /etc/shorewall/shorewall.conf</li> setting in /etc/shorewall/shorewall.conf</li>
<li>You specify whether you want packets from blacklisted hosts logged and at <li>You specify whether you want packets from blacklisted hosts logged
what syslog level using the <a href="Documentation.htm#BLLoglevel">BLACKLIST_LOGLEVEL</a> and at what syslog level using the <a
setting in /etc/shorewall/shorewall.conf</li> href="Documentation.htm#BLLoglevel">BLACKLIST_LOGLEVEL</a> setting in
<li>You list the IP addresses/subnets that you wish to blacklist in <a href="Documentation.htm#Blacklist">/etc/shorewall/blacklist</a></li> /etc/shorewall/shorewall.conf</li>
<li>You specify the interfaces whose incoming packets you want checked against <li>You list the IP addresses/subnets that you wish to blacklist in <a
the blacklist using the &quot;<a href="Documentation.htm#BLInterface">blacklist</a>&quot; href="Documentation.htm#Blacklist">/etc/shorewall/blacklist.</a> Beginning
option in /etc/shorewall/interfaces.</li> with Shorewall version 1.3.8, you may also specify PROTOCOL and Port numbers/Service
<li>The black list is refreshed from /etc/shorewall/blacklist by the &quot;<a href="Documentation.htm#Starting">shorewall names in the blacklist file.<br>
refresh</a>&quot; command.</li> </li>
<li>You specify the interfaces whose incoming packets you want checked
against the blacklist using the "<a
href="Documentation.htm#Interfaces">blacklist</a>" option in /etc/shorewall/interfaces.</li>
<li>The black list is refreshed from /etc/shorewall/blacklist by the "<a
href="Documentation.htm#Starting">shorewall refresh</a>" command.</li>
</ul> </ul>
<h2>Dynamic Blacklisting</h2> <h2>Dynamic Blacklisting</h2>
<p>Dynamic blacklisting support was added in version 1.3.2. Dynamic blacklisting
doesn't use any configuration parameters but is rather controlled using <p>Dynamic blacklisting support was added in version 1.3.2. Dynamic blacklisting
/sbin/shorewall commands:</p> doesn't use any configuration parameters but is rather controlled using
/sbin/shorewall commands:</p>
<ul> <ul>
<li>deny <i>&lt;ip address list&gt; </i>- causes packets from the listed IP <li>deny <i>&lt;ip address list&gt; </i>- causes packets from the listed
addresses to be silently dropped by the firewall.</li> IP addresses to be silently dropped by the firewall.</li>
<li>reject <i>&lt;ip address list&gt; </i>- causes packets from the listed IP <li>reject <i>&lt;ip address list&gt; </i>- causes packets from the listed
addresses to be rejected by the firewall.</li> IP addresses to be rejected by the firewall.</li>
<li>allow <i>&lt;ip address list&gt; </i>- re-enables receipt of packets from hosts <li>allow <i>&lt;ip address list&gt; </i>- re-enables receipt of packets
previously blacklisted by a <i>deny</i> or <i>reject</i> command.</li> from hosts previously blacklisted by a <i>deny</i> or <i>reject</i> command.</li>
<li>save - save the dynamic blacklisting configuration so that it will be <li>save - save the dynamic blacklisting configuration so that it will
automatically restored the next time that the firewall is restarted.</li> be automatically restored the next time that the firewall is restarted.</li>
<li>show dynamic - displays the dynamic blacklisting configuration.</li> <li>show dynamic - displays the dynamic blacklisting configuration.</li>
</ul> </ul>
<p>Example 1:</p> <p>Example 1:</p>
<pre> shorewall deny 192.0.2.124 192.0.2.125</pre> <pre> shorewall deny 192.0.2.124 192.0.2.125</pre>
<p>&nbsp;&nbsp;&nbsp; Drops packets from hosts 192.0.2.124 and 192.0.2.125</p>
<p>    Drops packets from hosts 192.0.2.124 and 192.0.2.125</p>
<p>Example 2:</p> <p>Example 2:</p>
<pre> shorewall allow 192.0.2.125</pre> <pre> shorewall allow 192.0.2.125</pre>
<p>&nbsp;&nbsp;&nbsp; Reenables access from 192.0.2.125.</p>
<p><font size="2">Last updated 6/16/2002 - <a href="support.htm">Tom <p>    Reenables access from 192.0.2.125.</p>
Eastep</a></font></p>
<p><font size="2">Last updated 9/16/2002 - <a href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2002 Thomas M. Eastep.</font></a></font></p> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2002 Thomas M. Eastep.</font></a></font></p>
<br>
</body> </body>
</html>
</html>
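Review bot: The new sentence "Beginning with Shorewall version 1.3.8, you may also specify PROTOCOL and Port numbers/Service names in the blacklist file" introduces a format change without an example and without saying what an entry that omits the protocol matches; the two examples on the page still only cover the dynamic `shorewall deny`/`shorewall allow` commands. Add a short static-blacklist example (or link the description of the new columns in Documentation.htm) so an administrator does not read a port-limited entry as a host-wide block, or the reverse. Two smaller points in the same hunk: the link for the "blacklist" interface option changed from Documentation.htm#BLInterface to Documentation.htm#Interfaces, which now lands on the whole interfaces section rather than on the option, so check the old anchor was not meant to survive; and the rewrite replaces the `&nbsp;` entities before "Drops packets from hosts" and "Reenables access from" with raw non-breaking-space characters in a file declared as windows-1252, which renders here but is fragile under any re-encoding, so keep the entities.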

View File

@ -1,248 +1,305 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> <meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta http-equiv="Content-Type"
<title>Download</title> content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Download</title>
</head> </head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0"
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90"> style="border-collapse: collapse;" bordercolor="#111111" width="100%"
<tr> id="AutoNumber1" bgcolor="#400169" height="90">
<td width="100%"> <tbody>
<h1 align="center"><font color="#FFFFFF">Shorewall Download</font></h1> <tr>
</td> <td width="100%">
</tr> <h1 align="center"><font color="#ffffff">Shorewall Download</font></h1>
</td>
</tr>
</tbody>
</table> </table>
<p><b>I strongly urge you to read and print a copy of the <p><b>I strongly urge you to read and print a copy of the <a
<a href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a> href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
for the configuration that most closely matches your own.</b></p> for the configuration that most closely matches your own.</b></p>
<p>Once you've done that, download <u> one</u> of the modules:</p> <p>Once you've done that, download <u> one</u> of the modules:</p>
<ul> <ul>
<li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>, <b> Linux PPC</b> or <li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>, <b>
<b> TurboLinux</b> distribution Linux PPC</b> or <b> TurboLinux</b> distribution with a 2.4 kernel,
with a 2.4 kernel, you can use the RPM version (note: the you can use the RPM version (note: the RPM should also work
RPM should also work with other distributions that store with other distributions that store init scripts in /etc/init.d
init scripts in /etc/init.d and that include chkconfig or insserv). and that include chkconfig or insserv). If you find that it works
If you find that it works in other cases, let <a href="mailto:teastep@shorewall.net"> in other cases, let <a href="mailto:teastep@shorewall.net"> me</a>
me</a> know so that I can mention them here. See the <a
know so that I can mention them here. See the href="Install.htm">Installation Instructions</a> if you have problems
<a href="Install.htm">Installation Instructions</a> if you have problems installing the RPM.</li>
installing the RPM.</li> <li>If you are running LRP, download the .lrp file (you might also want
<li>If you are running LRP, download the .lrp file (you might also want to to download the .tgz so you will have a copy of the documentation).</li>
download the .tgz so you will have a copy of the documentation).</li> <li>If you run <a href="http://www.debian.org"><b>Debian</b></a> and would
<li>If you run <a href="http://www.debian.org"><b>Debian</b></a> and would like a .deb package, Shorewall is in both the <a
like a .deb package, Shorewall is in both the href="http://packages.debian.org/testing/net/shorewall.html">Debian
<a href="http://packages.debian.org/testing/net/shorewall.html">Debian Testing Branch</a> and the <a
Testing Branch</a> and the href="http://packages.debian.org/unstable/net/shorewall.html">Debian
<a href="http://packages.debian.org/unstable/net/shorewall.html">Debian Unstable Branch</a>.</li>
Unstable Branch</a>.</li> <li>Otherwise, download the <i>shorewall</i> module (.tgz)</li>
<li>Otherwise, download the <i>shorewall</i> module (.tgz)</li>
</ul> </ul>
<p>The documentation in HTML format is included in the .tgz and .rpm files and
there is an documentation .deb that also contains the documentation.</p> <p>The documentation in HTML format is included in the .tgz and .rpm files
<p>Please verify the version that you have and there is an documentation .deb that also contains the documentation.</p>
downloaded -- during the release of a new version of Shorewall, the links
below may point to a newer or an older version than is shown below.</p> <p>Please verify the version that you have downloaded -- during the
release of a new version of Shorewall, the links below may point
to a newer or an older version than is shown below.</p>
<ul> <ul>
<li>RPM - &quot;rpm -qip LATEST.rpm&quot;</li> <li>RPM - "rpm -qip LATEST.rpm"</li>
<li>TARBALL - &quot;tar -ztf LATEST.tgz&quot; (the directory <li>TARBALL - "tar -ztf LATEST.tgz" (the directory name will contain
name will contain the version)</li> the version)</li>
<li>LRP - &quot;mkdir Shorewall.lrp; cd Shorewall.lrp; tar <li>LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar -zxf &lt;downloaded
-zxf &lt;downloaded .lrp&gt;; cat var/lib/lrpkg/shorwall.version&quot; </li> .lrp&gt;; cat var/lib/lrpkg/shorwall.version" </li>
</ul> </ul>
<p><font face="Arial">Once you have verified the
version, check the </font><font color="#ff0000" face="Arial"> <a href="errata.htm"> errata</a></font><font face="Arial"> <p><font face="Arial">Once you have verified the version, check the
to see if there are updates that apply to the version that you have </font><font color="#ff0000" face="Arial"> <a href="errata.htm"> errata</a></font><font
downloaded.</font></p> face="Arial"> to see if there are updates that apply to the version
<p><font color="#FF0000" face="Arial"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY INSTALL THE RPM that you have downloaded.</font></p>
AND ISSUE A &quot;shorewall start&quot; COMMAND. SOME CONFIGURATION IS REQUIRED BEFORE THE
FIREWALL WILL START. IF YOU ISSUE A &quot;start&quot; COMMAND AND THE FIREWALL FAILS TO <p><font color="#ff0000" face="Arial"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY
START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY NETWORK TRAFFIC. IF THIS HAPPENS, INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
ISSUE A &quot;shorewall clear&quot; COMMAND TO RESTORE NETWORK CONNECTIVITY.</b></font></p> IS REQUIRED BEFORE THE FIREWALL WILL START. IF YOU ISSUE A "start" COMMAND
<p>Download Latest Version (<b>1.3.7c</b>): <b>Remember that updates to the mirrors AND THE FIREWALL FAILS TO START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY NETWORK
occur 1-12 hours after an update to the primary site.</b></p> TRAFFIC. IF THIS HAPPENS, ISSUE A "shorewall clear" COMMAND TO RESTORE NETWORK
<blockquote> CONNECTIVITY.</b></font></p>
<table border="2" cellspacing="3" cellpadding="3" style="border-collapse: collapse">
<tr> <p>Download Latest Version (<b>1.3.8</b>): <b>Remember that updates to the
<td><b>SERVER LOCATION</b></td> mirrors occur 1-12 hours after an update to the primary site.</b></p>
<td><b>DOMAIN</b></td>
<td><b>HTTP</b></td> <blockquote>
<td><b>FTP</b></td> <table border="2" cellspacing="3" cellpadding="3"
</tr> style="border-collapse: collapse;">
<tr> <tbody>
<td>Washington State, USA</td> <tr>
<td>Shorewall.net</td> <td><b>SERVER LOCATION</b></td>
<td><a href="http://www.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br> <td><b>DOMAIN</b></td>
<a href="http://www.shorewall.net/pub/shorewall/LATEST.tgz">Download <td><b>HTTP</b></td>
.tgz</a>&nbsp;<br> <td><b>FTP</b></td>
<a href="http://www.shorewall.net/pub/shorewall/LATEST.lrp">Download </tr>
<tr>
<td>Washington State, USA</td>
<td>Shorewall.net</td>
<td><a href="http://www.shorewall.net/pub/shorewall/LATEST.rpm">Download
.rpm</a><br>
<a href="http://www.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a href="http://www.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a></td> .lrp</a></td>
<td><a href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.rpm" target="_blank"> <td><a href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.rpm"
Download .rpm</a>&nbsp;<br> target="_blank"> Download .rpm</a> <br>
<a href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.tgz" target="_blank">Download <a href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.tgz"
.tgz</a>&nbsp;<br> target="_blank">Download .tgz</a> <br>
<a href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.lrp" target="_blank">Download <a href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.lrp"
.lrp</a></td> target="_blank">Download .lrp</a></td>
</tr> </tr>
<tr> <tr>
<td>Slovak Republic</td> <td>Slovak Republic</td>
<td>Shorewall.net</td> <td>Shorewall.net</td>
<td><a href="http://slovakia.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br> <td><a
<a href="http://slovakia.shorewall.net/pub/shorewall/LATEST.tgz">Download href="http://slovakia.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br>
.tgz</a>&nbsp;<br> <a
<a href="http://slovakia.shorewall.net/pub/shorewall/LATEST.lrp">Download href="http://slovakia.shorewall.net/pub/shorewall/LATEST.tgz">Download
.lrp</a></td> .tgz</a> <br>
<td> <a
<a target="_blank" href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.rpm">Download .rpm</a>&nbsp;&nbsp;<br> href="http://slovakia.shorewall.net/pub/shorewall/LATEST.lrp">Download
<a target="_blank" href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.tgz">Download .lrp</a></td>
.tgz</a>&nbsp;<br> <td> <a target="_blank"
<a target="_blank" href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.lrp">Download href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
<a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.lrp">Download
.rpm</a></td> .rpm</a></td>
</tr> </tr>
<tr> <tr>
<td>Texas, USA</td> <td>Texas, USA</td>
<td>Infohiiway.com</td> <td>Infohiiway.com</td>
<td><a href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.rpm">Download .rpm</a><br> <td><a
<a href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.tgz">Download href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.rpm">Download
.tgz</a>&nbsp;<br> .rpm</a><br>
<a href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.lrp">Download <a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.lrp">Download
.lrp</a></td> .lrp</a></td>
<td> <td> <a target="_blank"
<a target="_blank" href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.rpm">Download .rpm</a>&nbsp;&nbsp;<br> href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.rpm">Download .rpm</a>  <br>
<a target="_blank" href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.tgz">Download <a target="_blank"
.tgz</a>&nbsp;<br> href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.tgz">Download
<a target="_blank" href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.lrp"> .tgz</a> <br>
<a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.lrp"> Download
.lrp</a></td>
</tr>
<tr>
<td>Hamburg, Germany</td>
<td>Shorewall.net</td>
<td><a
href="http://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download
.rpm</a><br>
<a href="http://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a><br>
<a href="http://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a></td>
<td> <a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download
.rpm</a>  <br>
<a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a></td>
</tr>
<tr>
<td>Martinez (Zona Norte - GBA), Argentina</td>
<td>Correofuego.com.ar</td>
<td> <a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
<a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
Download .lrp</a></td> Download .lrp</a></td>
</tr> <td> <a target="_blank"
<tr> href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download
<td>Hamburg, Germany</td> .rpm</a>  <br>
<td>Shorewall.net</td> <a target="_blank"
<td><a href="http://germany.shorewall.net/pub/shorewall/LATEST.rpm"> href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
Download .rpm</a><br> .tgz</a> <br>
<a href="http://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download <a target="_blank"
.tgz</a><br> href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
<a href="http://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download Download .lrp</a></td>
</tr>
<tr>
<td>Paris, France</td>
<td>Shorewall.net</td>
<td><a href="http://france.shorewall.net/pub/LATEST.rpm">Download
.rpm</a><br>
<a href="http://france.shorewall.net/pub/LATEST.tgz">Download
.tgz</a> <br>
<a href="http://france.shorewall.net/pub/LATEST.lrp">Download
.lrp</a></td> .lrp</a></td>
<td> <td> <a target="_blank"
<a target="_blank" href="ftp://germany.shorewall.net/pub/shorewall/LATEST.rpm"> href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.rpm">Download
Download .rpm</a>&nbsp;&nbsp;<br> .rpm</a>  <br>
<a target="_blank" href="ftp://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download <a target="_blank"
.tgz</a>&nbsp;<br> href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.tgz">Download
<a target="_blank" href="ftp://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download .tgz</a> <br>
.lrp</a></td> <a target="_blank"
</tr> href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.lrp">Download
<tr> .lrp</a></td>
<td>Martinez (Zona Norte - GBA), Argentina</td> </tr>
<td>Correofuego.com.ar</td>
<td> </tbody>
<a target="_blank" href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download .rpm</a>&nbsp;&nbsp;<br>
<a target="_blank" href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a>&nbsp;<br>
<a target="_blank" href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
Download .lrp</a></td>
<td>
<a target="_blank" href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download .rpm</a>&nbsp;&nbsp;<br>
<a target="_blank" href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a>&nbsp;<br>
<a target="_blank" href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
Download .lrp</a></td>
</tr>
<tr>
<td>Paris, France</td>
<td>Shorewall.net</td>
<td><a href="http://france.shorewall.net/pub/LATEST.rpm">Download .rpm</a><br>
<a href="http://france.shorewall.net/pub/LATEST.tgz">Download
.tgz</a>&nbsp;<br>
<a href="http://france.shorewall.net/pub/LATEST.lrp">Download
.lrp</a></td>
<td>
<a target="_blank" href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.rpm">Download .rpm</a>&nbsp;&nbsp;<br>
<a target="_blank" href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a>&nbsp;<br>
<a target="_blank" href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.lrp">Download .lrp</a></td>
</tr>
</table> </table>
</blockquote> </blockquote>
<p>Browse Download Sites:</p> <p>Browse Download Sites:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse"> <blockquote>
<tr> <table border="2" cellpadding="2" style="border-collapse: collapse;">
<td><b>SERVER LOCATION</b></td> <tbody>
<td><b>DOMAIN</b></td> <tr>
<td><b>HTTP</b></td> <td><b>SERVER LOCATION</b></td>
<td><b>FTP</b></td> <td><b>DOMAIN</b></td>
</tr> <td><b>HTTP</b></td>
<tr> <td><b>FTP</b></td>
<td>Washington State, USA</td> </tr>
<td>Shorewall.net</td> <tr>
<td><a href="http://www.shorewall.net/pub/shorewall/">Browse</a></td> <td>Washington State, USA</td>
<td><a href="ftp://ftp.shorewall.net/pub/shorewall/" target="_blank">Browse</a></td> <td>Shorewall.net</td>
</tr> <td><a href="http://www.shorewall.net/pub/shorewall/">Browse</a></td>
<tr> <td><a href="ftp://ftp.shorewall.net/pub/shorewall/"
<td>Slovak Republic</td> target="_blank">Browse</a></td>
<td>Shorewall.net</td> </tr>
<td><a href="http://slovakia.shorewall.net/pub/shorewall/">Browse</a></td> <tr>
<td> <td>Slovak Republic</td>
<a target="_blank" href="ftp://slovakia.shorewall.net/mirror/shorewall/">Browse</a></td> <td>Shorewall.net</td>
</tr> <td><a href="http://slovakia.shorewall.net/pub/shorewall/">Browse</a></td>
<tr> <td> <a target="_blank"
<td>Texas, USA</td> href="ftp://slovakia.shorewall.net/mirror/shorewall/">Browse</a></td>
<td>Infohiiway.com</td> </tr>
<td><a href="http://shorewall.infohiiway.com/pub/shorewall">Browse</a></td> <tr>
<td><a target="_blank" href="ftp://ftp.infohiiway.com/pub/shorewall/">Browse</a></td> <td>Texas, USA</td>
</tr> <td>Infohiiway.com</td>
<tr> <td><a href="http://shorewall.infohiiway.com/pub/shorewall">Browse</a></td>
<td>Hamburg, Germany</td> <td><a target="_blank"
<td>Shorewall.net</td> href="ftp://ftp.infohiiway.com/pub/shorewall/">Browse</a></td>
<td><a href="http://germany.shorewall.net/pub/shorewall/">Browse</a></td> </tr>
<td><a target="_blank" href="ftp://germany.shorewall.net/pub/shorewall">Browse</a></td> <tr>
</tr> <td>Hamburg, Germany</td>
<tr> <td>Shorewall.net</td>
<td>Martinez (Zona Norte - GBA), Argentina</td> <td><a href="http://germany.shorewall.net/pub/shorewall/">Browse</a></td>
<td>Correofuego.com.ar</td> <td><a target="_blank"
<td><a href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall">Browse</a></td> href="ftp://germany.shorewall.net/pub/shorewall">Browse</a></td>
<td> </tr>
<a target="_blank" href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall"> <tr>
Browse</a></td> <td>Martinez (Zona Norte - GBA), Argentina</td>
</tr> <td>Correofuego.com.ar</td>
<tr> <td><a
<td>France</td> href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall">Browse</a></td>
<td>Shorewall.net</td> <td> <a target="_blank"
<td><a href="http://france.shorewall.net/pub/shorewall/LATEST.lrp">Browse</a></td> href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall"> Browse</a></td>
<td> </tr>
<a target="_blank" href="ftp://france.shorewall.net/pub/mirrors/shorewall/">Browse</a></td> <tr>
</tr> <td>France</td>
<tr> <td>Shorewall.net</td>
<td>California, USA (Incomplete)</td> <td><a
<td>Sourceforge.net</td> href="http://france.shorewall.net/pub/shorewall/LATEST.lrp">Browse</a></td>
<td><a href="http://sourceforge.net/projects/shorewall">Browse</a></td> <td> <a target="_blank"
<td>N/A</td> href="ftp://france.shorewall.net/pub/mirrors/shorewall/">Browse</a></td>
</tr> </tr>
<tr>
<td>California, USA (Incomplete)</td>
<td>Sourceforge.net</td>
<td><a href="http://sourceforge.net/projects/shorewall">Browse</a></td>
<td>N/A</td>
</tr>
</tbody>
</table> </table>
</blockquote> </blockquote>
<p align="left">CVS:</p> <p align="left">CVS:</p>
<blockquote> <blockquote>
<p align="left">The <p align="left">The <a target="_top"
<a target="_top" href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi">CVS href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi">CVS repository at
repository at cvs.shorewall.net</a> contains the latest snapshots of the each cvs.shorewall.net</a> contains the latest snapshots of the each Shorewall
Shorewall component. There's no guarantee that what you find there will work at component. There's no guarantee that what you find there will work at all.</p>
all.</p> </blockquote>
</blockquote> <p align="left"><font size="2">Last Updated 9/2/2002 - <a
<p align="left"><font size="2">Last Updated 8/26/2002 - <a href="support.htm">Tom href="support.htm">Tom Eastep</a></font></p>
Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> <br>
</body> </body>
</html>
</html>
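Review bot: Two link/label errors are carried over unchanged: in the Slovak Republic FTP cell the anchor whose href ends in LATEST.lrp is labelled "Download .rpm", and in the "Browse Download Sites" table the France HTTP "Browse" link points at http://france.shorewall.net/pub/shorewall/LATEST.lrp, a file rather than a directory; the France mirror is also referenced under three different paths across the two tables (/pub/, /pub/shorewall/ and /pub/mirrors/shorewall/), so at least one of them is probably wrong. Since the bump to 1.3.8 sends users to five mirrors besides the primary site, the "Please verify the version that you have downloaded" paragraph would be the place to also tell them how to verify the file itself (a checksum or signature published on the primary site), because "rpm -qip" and "tar -ztf" only report what the archive claims to be, not that it is unmodified. Minor: "Last Updated 9/2/2002" predates this commit, and "there is an documentation .deb" should read "a documentation .deb".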

View File

@ -63,7 +63,7 @@ dos2unix</a></u>
</ol> </ol>
<ul> <ul>
<li><b><a href="#Upgrade">Upgrade Issues</a></b></li> <li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
<li> <li>
<b><a href="#V1.3">Problems in Version 1.3</a></b></li> <b><a href="#V1.3">Problems in Version 1.3</a></b></li>
@ -310,115 +310,8 @@ dos2unix</a></u>
<h2 align="Left"><a name="Upgrade"></a>Upgrade Issues</h2> <h2 align="Left"><a name="Upgrade"></a>Upgrade Issues</h2>
<h3>Version &gt;= 1.3.7</h3> <p align="Left">The upgrade issues have moved to
<a href="upgrade_issues.htm">a separate page</a>.</p>
<p>Users specifying ALLOWRELATED=No in
/etc/shorewall.conf will need to include the
following rules in their /etc/shorewall/icmpdef
file (creating this file if necessary):</p>
<pre> run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT</pre>
<p>Users having an /etc/shorewall/icmpdef file may remove the &quot;.
/etc/shorewall/icmp.def&quot; command from that file since the icmp.def file is now
empty.</p>
<h3><b><a name="Bering">Upgrading </a>Bering to
Shorewall &gt;= 1.3.3</b></h3>
<p>To properly upgrade with Shorewall version
1.3.3 and later:</p>
<ol>
<li>Be sure you have a backup -- you will need
to transcribe any Shorewall configuration
changes that you have made to the new
configuration.</li>
<li>Replace the shorwall.lrp package provided on
the Bering floppy with the later one. If you did
not obtain the later version from Jacques's
site, see additional instructions below.</li>
<li>Edit the /var/lib/lrpkg/root.exclude.list
file and remove the /var/lib/shorewall entry if
present. Then do not forget to backup root.lrp !</li>
</ol>
<p>The .lrp that I release isn't set up for a two-interface firewall like
Jacques's. You need to follow the <a href="two-interface.htm">instructions for
setting up a two-interface firewall</a> plus you also need to add the following
two Bering-specific rules to /etc/shorewall/rules:</p>
<blockquote>
<pre># Bering specific rules:
# allow loc to fw udp/53 for dnscache to work
# allow loc to fw tcp/80 for weblet to work
#
ACCEPT loc fw udp 53
ACCEPT loc fw tcp 80</pre>
</blockquote>
<h3 align="Left">Version &gt;= 1.3.6</h3>
<p align="Left">If you have a pair of firewall systems configured for
failover, you will need to modify your firewall setup slightly under
Shorewall versions &gt;= 1.3.6. </p>
<ol>
<li>
<p align="Left">Create the file /etc/shorewall/newnotsyn and in it add
the following rule<br>
<br>
<font face="Courier">run_iptables -A newnotsyn -j RETURN # So that the
connection tracking table can be rebuilt<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
# from non-SYN packets after takeover.<br>
&nbsp;</font></li>
<li>
<p align="Left">Create /etc/shorewall/common (if you don't already
have that file) and include the following:<br>
<br>
<font face="Courier">run_iptables -A common -p tcp --tcp-flags
ACK,FIN,RST ACK -j ACCEPT #Accept Acks to rebuild connection<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
#tracking table. <br>
. /etc/shorewall/common.def</font></li>
</ol>
<h3 align="Left">Versions &gt;= 1.3.5</h3>
<p align="Left">Some forms of pre-1.3.0 rules file syntax are no
longer supported. </p>
<p align="Left">Example 1:</p>
<div align="left">
<pre> ACCEPT net loc:192.168.1.12:22 tcp 11111 - all</pre>
</div>
<p align="Left">Must be replaced with:</p>
<div align="left">
<pre> DNAT net loc:192.168.1.12:22 tcp 11111</pre>
</div>
<div align="left">
<p align="left">Example 2:</div>
<div align="left">
<pre> ACCEPT loc fw::3128 tcp 80 - all</pre>
</div>
<div align="left">
<p align="left">Must be replaced with:</div>
<div align="left">
<pre> REDIRECT loc 3128 tcp 80</pre>
</div>
<h3 align="Left">Version &gt;= 1.3.2</h3>
<p align="Left">The functions and versions files together with the
'firewall' symbolic link have moved from /etc/shorewall to /var/lib/shorewall.
If you have applications that access these files, those applications
should be modified accordingly.</p>
<hr> <hr>
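Review bot: the failover rule added to /etc/shorewall/common, "run_iptables -A common -p tcp --tcp-flags ACK,FIN,RST ACK -j ACCEPT", matches every TCP packet with ACK set and FIN/RST clear from any source on any interface, so it is not limited to traffic from the failover peer; the section should say plainly that this relaxes filtering of non-SYN packets for all zones and is only appropriate on a failover pair. Two markup problems in the same region: the "<p align="left">Example 2:" and the following "<p align="left">Must be replaced with:" paragraphs are closed by "</div>" with no "</p>", and the comment continuation lines in the newnotsyn and common snippets are aligned with long runs of "&nbsp;" inside "<font face="Courier">", which will not line up in a browser; use a "<pre>" block as the Bering rules and the rules-file examples in this file already do. Also "shorwall.lrp" in Bering step 2 should read "shorewall.lrp".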

@ -1,62 +1,76 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta http-equiv="Content-Language" content="en-us">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<title>GNU Mailman</title>
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>GNU Mailman</title>
</head> </head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0"
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90"> style="border-collapse: collapse;" bordercolor="#111111" width="100%"
<tr> id="AutoNumber1" bgcolor="#400169" height="90">
<td width="100%"> <tbody>
<h1 align="center"><font color="#FFFFFF">GNU Mailman/Postfix <tr>
the Easy Way</font></h1> <td width="100%">
</td> <h1 align="center"><font color="#ffffff">GNU Mailman/Postfix the Easy
</tr> Way</font></h1>
</td>
</tr>
</tbody>
</table> </table>
<h1 align="center">&nbsp;</h1> <h1 align="center"> </h1>
<h4>The following was posted on the Postfix mailing list on 5/4/2002 by Michael
Tokarev as a suggested addition to the Postfix FAQ.</h4> <h4>The following was posted on the Postfix mailing list on 5/4/2002 by Michael
Tokarev as a suggested addition to the Postfix FAQ.</h4>
<p>Q: Mailman does not work with Postfix, complaining about GID mismatch<br> <p>Q: Mailman does not work with Postfix, complaining about GID mismatch<br>
<br> <br>
A: Mailman uses a setgid wrapper that is designed to be used in system-wide A: Mailman uses a setgid wrapper that is designed to be used in system-wide
aliases file so that rest of mailman's mail handling processes will run with aliases file so that rest of mailman's mail handling processes will run
proper uid/gid. Postfix has an ability to run a command specified in an alias as with proper uid/gid. Postfix has an ability to run a command specified in
owner of that alias, thus mailman's wrapper is not needed here. The best method an alias as owner of that alias, thus mailman's wrapper is not needed here.
to invoke mailman's mail handling via aliases is to use separate alias file The best method to invoke mailman's mail handling via aliases is to use
especially for mailman, and made it owned by mailman and group mailman. Like:<br> separate alias file especially for mailman, and made it owned by mailman
<br> and group mailman. Like:<br>
alias_maps = hash:/etc/postfix/aliases, hash:/var/mailman/aliases<br> <br>
<br> alias_maps = hash:/etc/postfix/aliases, hash:/var/mailman/aliases<br>
Make sure that /var/mailman/aliases.db is owned by mailman user (this may be <br>
done by executing postalias as mailman userid).<br> Make sure that /var/mailman/aliases.db is owned by mailman user (this may
<br> be done by executing postalias as mailman userid).<br>
Next, instead of using mailman-suggested aliases entries with wrapper, use the <br>
following:<br> Next, instead of using mailman-suggested aliases entries with wrapper, use
<br> the following:<br>
instead of<br> <br>
mailinglist: /var/mailman/mail/wrapper post mailinglist<br> instead of<br>
mailinglist-admin: /var/mailman/mail/wrapper mailowner mailinglist<br> mailinglist: /var/mailman/mail/wrapper post mailinglist<br>
mailinglist-request: /var/mailman/mail/wrapper mailcmd mailinglist<br> mailinglist-admin: /var/mailman/mail/wrapper mailowner mailinglist<br>
...<br> mailinglist-request: /var/mailman/mail/wrapper mailcmd mailinglist<br>
<br> ...<br>
use<br> <br>
mailinglist: /var/mailman/scripts/post mailinglist<br> use<br>
mailinglist-admin: /var/mailman/scripts/mailowner mailinglist<br> mailinglist: /var/mailman/scripts/post mailinglist<br>
mailinglist-request: /var/mailman/scripts/mailcmd mailinglist<br> mailinglist-admin: /var/mailman/scripts/mailowner mailinglist<br>
...</p> mailinglist-request: /var/mailman/scripts/mailcmd mailinglist<br>
<h4>The Shorewall mailing lists are currently running Postfix 1.1.7 together ...</p>
with the stock RedHat Mailman-2.0.8 RPM configured as shown above.</h4>
<p align="left"><font size="2">Last updated 5/4/2002 - <a href="support.htm">Tom <h4>The Shorewall mailing lists are currently running Postfix 1.1.11 together
Eastep</a></font></p> with the stock RedHat Mailman-2.0.13 RPM configured as shown above.</h4>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm">
<font size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> <p align="left"><font size="2">Last updated 9/14/2002 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
</body> </body>
</html>
</html>
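Review bot: the instruction to make /var/mailman/aliases.db owned by the mailman user should also state that neither /var/mailman/aliases nor the .db file may be writable by anyone other than mailman (and root). The answer's own premise is that Postfix runs the alias command as the owner of the alias file, so whoever can edit that file can run arbitrary commands as mailman; ownership alone is not the whole requirement, restrictive permissions on the file and its directory are.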

@ -1,297 +1,165 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>My Shorewall Configuration</title> <title>My Shorewall Configuration</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr> <table border="0" cellpadding="0" cellspacing="0"
<td width="100%"> style="border-collapse: collapse;" width="100%" id="AutoNumber1"
<h1 align="center"><font color="#FFFFFF">About My Network</font></h1> bgcolor="#400169" height="90">
</td> <tbody>
</tr> <tr>
</table> <td width="100%">
<h1 align="center"><font color="#ffffff">About My Network</font></h1>
<blockquote> </blockquote> </td>
</tr>
<h1>My Current Network </h1>
</tbody>
<blockquote> </table>
<p>
I have DSL service and have 5 static IP addresses (206.124.146.176-180). <blockquote> </blockquote>
My DSL "modem" (<a href="http://www.fujitsu.com">Fujitsu</a> Speedport) is connected to eth0. I have
a local network connected to eth2 (subnet 192.168.1.0/24) and a DMZ connected <h1>My Current Network </h1>
to eth1 (192.168.2.0/24). </p>
<p> <blockquote>
I use Static NAT for all internal systems (those connected to the switch) except my Wife's system (tarry) <p> I have DSL service and have 5 static IP addresses (206.124.146.176-180).
and the Wireless Access Point (wap) which are My DSL "modem" (<a href="http://www.fujitsu.com">Fujitsu</a> Speedport)
masqueraded through the primary gateway address (206.124.146.176).</p> is connected to eth0. I have a local network connected to eth2 (subnet 192.168.1.0/24)
<p> and a DMZ connected to eth1 (192.168.2.0/24). </p>
The firewall runs on a 128MB PII/233 with RH7.2 and Kernel 2.4.19.</p>
<p> <p> I use:<br>
My personal GNU/Linux System (wookie) is 192.168.1.3 and my personal Windows XP system (ursa) </p>
is 192.168.1.5. Wookie <ul>
runs Samba and acts as the a WINS server.&nbsp; Wookie is in its own 'whitelist' zone <li>Static NAT for ursa (my XP System) - Internal address 192.168.1.5
called 'me'.</p> and external address 206.124.146.178.</li>
<p> <li>Proxy ARP for wookie (my Linux System). This system has two IP addresses:
My laptop (eastept1) is connected to eth3 using a cross-over cable. It runs its own <a href="http://www.sygate.com"> 192.168.1.3/24 and 206.124.146.179/24.</li>
Sygate</a> firewall software and is managed by Proxy ARP. It connects to the <li>SNAT through the primary gateway address (206.124.146.176) for  my
local network through the PopTop server running on my firewall. </p> Wife's system (tarry) and the Wireless Access Point (wap)</li>
<p> </ul>
The single system in the DMZ (address 206.124.146.177) runs postfix, Courier
IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP server <p> The firewall runs on a 128MB PII/233 with RH7.2 and Kernel 2.4.19.</p>
(Pure-ftpd). The system also runs fetchmail to fetch our email from our
<p> Wookie runs Samba and acts as the a WINS server.  Wookie is in its
own 'whitelist' zone called 'me'.</p>
<p> My laptop (eastept1) is connected to eth3 using a cross-over cable.
It runs its own <a href="http://www.sygate.com"> Sygate</a> firewall software
and is managed by Proxy ARP. It connects to the local network through the
PopTop server running on my firewall. </p>
<p> The single system in the DMZ (address 206.124.146.177) runs postfix,
Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP server
(Pure-ftpd). The system also runs fetchmail to fetch our email from our
old and current ISPs. That server is managed through Proxy ARP.</p> old and current ISPs. That server is managed through Proxy ARP.</p>
<p>
The firewall system itself runs a DHCP server that serves the local network.</p> <p> The firewall system itself runs a DHCP server that serves the local
<p> network.</p>
All administration and publishing is done using ssh/scp.</p>
<p> <p> All administration and publishing is done using ssh/scp.</p>
I run an SNMP server on my firewall to serve <a href="http://www.ee.ethz.ch/%7Eoetiker/webtools/mrtg/">
MRTG</a> running in the DMZ.</p> <p> I run an SNMP server on my firewall to serve <a
<p align="center"> href="http://www.ee.ethz.ch/%7Eoetiker/webtools/mrtg/"> MRTG</a> running
<img border="0" src="images/network.png" width="764" height="846"></p> in the DMZ.</p>
<p>&nbsp;</p>
<p>The ethernet interface in the Server is configured <p align="center"> <img border="0"
with IP address 206.124.146.177, netmask src="images/network.png" width="764" height="846">
255.255.255.0. The server's default gateway is </p>
206.124.146.254 (Router at my ISP. This is the same
default gateway used by the firewall itself). On the firewall, <p> </p>
Shorewall automatically adds a host route to
206.124.146.177 through eth1 (192.168.2.1) because of <p>The ethernet interface in the Server is configured
the entry in /etc/shorewall/proxyarp (see below).</p> with IP address 206.124.146.177, netmask
<p>A similar setup is used on eth3 (192.168.3.1) which 255.255.255.0. The server's default gateway is
interfaces to my laptop (206.124.146.180).</p> 206.124.146.254 (Router at my ISP. This is the same
<p><font color="#ff0000" size="5"> default gateway used by the firewall itself). On the firewall,
Note: My files use features not available before Shorewall automatically adds a host route to
Shorewall version 1.3.4.</font></p> 206.124.146.177 through eth1 (192.168.2.1) because
</blockquote> of the entry in /etc/shorewall/proxyarp (see below).</p>
<h3>Shorewall.conf</h3>
<p>A similar setup is used on eth3 (192.168.3.1) which
<pre> SUBSYSLOCK=/var/lock/subsys/shorewall interfaces to my laptop (206.124.146.180).</p>
STATEDIR=/var/state/shorewall
<p><font color="#ff0000" size="5"> Note: My files
LOGRATE= use features not available before Shorewall version
LOGBURST= 1.3.4.</font></p>
</blockquote>
ADD_IP_ALIASES=&quot;Yes&quot;
<h3>Shorewall.conf</h3>
CLAMPMSS=Yes
<pre> SUBSYSLOCK=/var/lock/subsys/shorewall<br> STATEDIR=/var/state/shorewall<br><br> LOGRATE=<br> LOGBURST=<br><br> ADD_IP_ALIASES="Yes"<br><br> CLAMPMSS=Yes<br><br> MULTIPORT=Yes</pre>
MULTIPORT=Yes</pre>
<h3>Zones File:</h3> <h3>Zones File:</h3>
<pre><font face="Courier" size="2"> #ZONE DISPLAY COMMENTS
net Internet Internet <pre><font face="Courier" size="2"> #ZONE DISPLAY COMMENTS<br> net Internet Internet<br> me Eastep My Workstation<br> loc Local Local networks<br> dmz DMZ Demilitarized zone<br> tx Texas Peer Network in Dallas Texas<br> #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</font></pre>
me Eastep My Workstation
loc Local Local networks <h3>Interfaces File: </h3>
dmz DMZ Demilitarized zone
tx Texas Peer Network in Dallas Texas <blockquote>
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</font></pre> <p> This is set up so that I can start the firewall before bringing up
<h3>Interfaces File: </h3> my Ethernet interfaces. </p>
</blockquote>
<blockquote>
<p> <pre><font face="Courier" size="2"> #ZONE INTERFACE BROADCAST OPTIONS<br> net eth0 206.124.146.255 routefilter,norfc1918,blacklist,filterping<br> loc eth2 192.168.1.255 dhcp<br> dmz eth1 206.124.146.255 -<br> net eth3 206.124.146.255 norfc1918<br> - texas -<br> loc ppp+<br> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
This is set up so that I can start the firewall before bringing up my Ethernet
interfaces. </p> <h3>Hosts File: </h3>
</blockquote> <pre><font face="Courier" size="2"> #ZONE HOST(S) OPTIONS<br> me eth2:192.168.1.3,eth2:206.124.146.179<br> tx texas:192.168.9.0/24<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE -- DO NOT REMOVE</font></pre>
<pre><font face="Courier" size="2"> #ZONE INTERFACE BROADCAST OPTIONS <h3>Routestopped File:</h3>
net eth0 206.124.146.255 routefilter,norfc1918,blacklist,filterping
loc eth2 192.168.1.255 dhcp <pre><font face="Courier" size="2"> #INTERFACE HOST(S)<br> eth1 206.124.146.177<br> eth2 -<br> eth3 206.124.146.180</font></pre>
dmz eth1 206.124.146.255 -
net eth3 206.124.146.255 norfc1918 <h3>Common File: </h3>
- texas -
loc ppp+ <pre><font size="2" face="Courier"> . /etc/shorewall/common.def<br> run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP<br> run_iptables -A common -p tcp --dport 113 -j REJECT</font></pre>
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
<h3>Hosts File: </h3> <h3>Policy File:</h3>
<pre><font face="Courier" size="2"> #ZONE HOST(S) OPTIONS <pre><font size="2" face="Courier">
me eth2:192.168.1.3
tx texas:192.168.9.0/24
#LAST LINE -- ADD YOUR ENTRIES ABOVE -- DO NOT REMOVE</font></pre>
<h3>Routestopped File:</h3>
<pre><font face="Courier" size="2"> #INTERFACE HOST(S)
eth1 206.124.146.177
eth2 -
eth3 206.124.146.180</font></pre>
<h3>Common File: </h3>
<pre><font size="2" face="Courier"> . /etc/shorewall/common.def
run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP
run_iptables -A common -p tcp --dport 113 -j REJECT</font></pre>
<h3>Policy File:</h3>
<pre><font size="2" face="Courier">
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
me all ACCEPT me all ACCEPT
tx me ACCEPT #Give Texas access to my personal system tx me ACCEPT #Give Texas access to my personal system
all me CONTINUE #<font color="#FF0000">WARNING: You must be running Shorewall 1.3.1 or later for all me CONTINUE #<font
</font>#<font color="#FF0000"> this policy to work as expected!!!</font> color="#ff0000">WARNING: You must be running Shorewall 1.3.1 or later for<br> </font>#<font
loc loc ACCEPT color="#ff0000"> this policy to work as expected!!!</font> <br> loc loc ACCEPT<br> loc net ACCEPT<br> $FW loc ACCEPT<br> $FW tx ACCEPT<br> loc tx ACCEPT<br> loc fw REJECT<br> net net ACCEPT<br> net all DROP info 10/sec:40<br> all all REJECT info<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOTE</font></pre>
loc net ACCEPT
$FW loc ACCEPT <h3>Masq File: </h3>
$FW tx ACCEPT
loc tx ACCEPT <blockquote>
loc fw REJECT <p> Although most of our internal systems use static NAT, my wife's system
net net ACCEPT (192.168.1.4) uses IP Masquerading (actually SNAT) as do visitors with laptops.</p>
net all DROP info 10/sec:40 </blockquote>
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOTE</font></pre> <pre><font size="2" face="Courier"> #INTERFACE SUBNET ADDRESS<br> eth0 192.168.1.0/24 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</font></pre>
<h3>Masq File: </h3>
<h3>NAT File: </h3>
<blockquote>
<p> <pre><font size="2" face="Courier"> #EXTERNAL INTERFACE INTERNAL ALL LOCAL<br> 206.124.146.178 eth0 192.168.1.5 No No<br> 206.124.146.179 eth0 192.168.1.3 No No<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</font></pre>
Although most of our internal systems use static NAT, my wife's system
(192.168.1.4) uses IP Masquerading (actually SNAT) as do visitors with laptops.</p> <h3>Proxy ARP File:</h3>
</blockquote>
<pre><font face="Courier" size="2"> #ADDRESS INTERFACE EXTERNAL HAVEROUTE<br> 206.124.146.177 eth1 eth0 No<br> 206.124.146.180 eth3 eth0 No<br> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
<pre><font size="2" face="Courier"> #INTERFACE SUBNET ADDRESS
eth0 192.168.1.0/24 206.124.146.176 <h3>Rules File (The shell variables
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</font></pre> are set in /etc/shorewall/params):</h3>
<h3>NAT File: </h3>
<pre><font size="2" face="Courier"> #EXTERNAL INTERFACE INTERNAL ALL LOCAL <pre><font face="Courier" size="2"> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL<br> # PORT(S) PORT(S) PORT(S) DEST<br> #<br> # Local Network to Internet - Reject attempts by Trojans to call home<br> #<br> REJECT:info loc net tcp 6667<br> #<br> # Local Network to Firewall <br> #<br> ACCEPT loc fw tcp ssh<br> ACCEPT loc fw tcp time<br> #<br> # Local Network to DMZ <br> #<br> ACCEPT loc dmz udp domain<br> ACCEPT loc dmz tcp smtp<br> ACCEPT loc dmz tcp domain<br> ACCEPT loc dmz tcp ssh<br> ACCEPT loc dmz tcp auth<br> ACCEPT loc dmz tcp imap<br> ACCEPT loc dmz tcp https<br> ACCEPT loc dmz tcp imaps<br> ACCEPT loc dmz tcp cvspserver<br> ACCEPT loc dmz tcp www<br> ACCEPT loc dmz tcp ftp<br> ACCEPT loc dmz tcp pop3<br> ACCEPT loc dmz icmp echo-request<br> #<br> # Internet to DMZ <br> #<br> ACCEPT net dmz tcp www<br> ACCEPT net dmz tcp smtp<br> ACCEPT net dmz tcp ftp<br> ACCEPT net dmz tcp auth<br> ACCEPT net dmz tcp https<br> ACCEPT net dmz tcp imaps<br> ACCEPT net dmz tcp domain<br> ACCEPT net dmz tcp cvspserver<br> ACCEPT net dmz udp domain<br> ACCEPT net dmz icmp echo-request<br> ACCEPT net:$MIRRORS dmz tcp rsync<br> #<br> # Net to Me (ICQ chat and file transfers) <br> #<br> ACCEPT net me tcp 4000:4100<br> #<br> # Net to Local <br> #<br> ACCEPT net loc tcp auth<br> REJECT net loc tcp www<br> #<br> # DMZ to Internet<br> #<br> ACCEPT dmz net icmp echo-request<br> ACCEPT dmz net tcp smtp<br> ACCEPT dmz net tcp auth<br> ACCEPT dmz net tcp domain<br> ACCEPT dmz net tcp www<br> ACCEPT dmz net tcp https<br> ACCEPT dmz net tcp whois<br> ACCEPT dmz net tcp echo<br> ACCEPT dmz net udp domain<br> ACCEPT dmz net:$NTPSERVERS udp ntp<br> ACCEPT dmz net:$POPSERVERS tcp pop3<br> #<br> # The following compensates for a bug, either in some FTP clients or in the<br> # Netfilter connection tracking code that occasionally denies active mode<br> # FTP clients<br> #<br> ACCEPT:info dmz net tcp 1024: 20<br> #<br> # 
DMZ to Firewall -- snmp<br> #<br> ACCEPT dmz fw tcp snmp<br> ACCEPT dmz fw udp snmp<br> #<br> # DMZ to Local Network <br> #<br> ACCEPT dmz loc tcp smtp<br> ACCEPT dmz loc tcp auth<br> ACCEPT dmz loc icmp echo-request<br> # Internet to Firewall<br> #<br> ACCEPT net fw tcp 1723<br> ACCEPT net fw gre<br> REJECT net fw tcp www<br> #<br> # Firewall to Internet<br> #<br> ACCEPT fw net:$NTPSERVERS udp ntp<br> ACCEPT fw net udp domain<br> ACCEPT fw net tcp domain<br> ACCEPT fw net tcp www<br> ACCEPT fw net tcp https<br> ACCEPT fw net tcp ssh<br> ACCEPT fw net tcp whois<br> ACCEPT fw net icmp echo-request<br> #<br> # Firewall to DMZ<br> #<br> ACCEPT fw dmz tcp www<br> ACCEPT fw dmz tcp ftp<br> ACCEPT fw dmz tcp ssh<br> ACCEPT fw dmz tcp smtp<br> ACCEPT fw dmz udp domain<br> #<br> # Let Texas Ping<br> #<br> ACCEPT tx fw icmp echo-request<br> ACCEPT tx loc icmp echo-request<br><br> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
206.124.146.178 eth0 192.168.1.5 No No
206.124.146.179 eth0 192.168.1.3 No No <p><font size="2"> Last updated 9/14/2002 - </font><font size="2">
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</font></pre> <a href="support.htm">Tom Eastep</a></font>
<h3>Proxy ARP File:</h3>
<pre><font face="Courier" size="2"> #ADDRESS INTERFACE EXTERNAL HAVEROUTE
206.124.146.177 eth1 eth0 No
206.124.146.180 eth3 eth0 No
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
<h3>Rules File (The shell variables
are set in /etc/shorewall/params):</h3>
<pre><font face="Courier" size="2"> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT(S) PORT(S) PORT(S) DEST
#
# Local Network to Internet - Reject attempts by Trojans to call home
#
REJECT:info loc net tcp 6667
#
# Local Network to Firewall
#
ACCEPT loc fw tcp ssh
ACCEPT loc fw tcp time
#
# Local Network to DMZ
#
ACCEPT loc dmz udp domain
ACCEPT loc dmz tcp smtp
ACCEPT loc dmz tcp domain
ACCEPT loc dmz tcp ssh
ACCEPT loc dmz tcp auth
ACCEPT loc dmz tcp imap
ACCEPT loc dmz tcp https
ACCEPT loc dmz tcp imaps
ACCEPT loc dmz tcp cvspserver
ACCEPT loc dmz tcp www
ACCEPT loc dmz tcp ftp
ACCEPT loc dmz tcp pop3
ACCEPT loc dmz icmp echo-request
#
# Internet to DMZ
#
ACCEPT net dmz tcp www
ACCEPT net dmz tcp smtp
ACCEPT net dmz tcp ftp
ACCEPT net dmz tcp auth
ACCEPT net dmz tcp https
ACCEPT net dmz tcp imaps
ACCEPT net dmz tcp domain
ACCEPT net dmz tcp cvspserver
ACCEPT net dmz udp domain
ACCEPT net dmz icmp echo-request
ACCEPT net:$MIRRORS dmz tcp rsync
#
# Net to Me (ICQ chat and file transfers)
#
ACCEPT net me tcp 4000:4100
#
# Net to Local
#
ACCEPT net loc tcp auth
REJECT net loc tcp www
#
# DMZ to Internet
#
ACCEPT dmz net icmp echo-request
ACCEPT dmz net tcp smtp
ACCEPT dmz net tcp auth
ACCEPT dmz net tcp domain
ACCEPT dmz net tcp www
ACCEPT dmz net tcp https
ACCEPT dmz net tcp whois
ACCEPT dmz net tcp echo
ACCEPT dmz net udp domain
ACCEPT dmz net:$NTPSERVERS udp ntp
ACCEPT dmz net:$POPSERVERS tcp pop3
#
# The following compensates for a bug, either in some FTP clients or in the
# Netfilter connection tracking code that occasionally denies active mode
# FTP clients
#
ACCEPT:info dmz net tcp 1024: 20
#
# DMZ to Firewall -- snmp
#
ACCEPT dmz fw tcp snmp
ACCEPT dmz fw udp snmp
#
# DMZ to Local Network
#
ACCEPT dmz loc tcp smtp
ACCEPT dmz loc tcp auth
ACCEPT dmz loc icmp echo-request
# Internet to Firewall
#
ACCEPT net fw tcp 1723
ACCEPT net fw gre
REJECT net fw tcp www
#
# Firewall to Internet
#
ACCEPT fw net:$NTPSERVERS udp ntp
ACCEPT fw net udp domain
ACCEPT fw net tcp domain
ACCEPT fw net tcp www
ACCEPT fw net tcp https
ACCEPT fw net tcp ssh
ACCEPT fw net tcp whois
ACCEPT fw net icmp echo-request
#
# Firewall to DMZ
#
ACCEPT fw dmz tcp www
ACCEPT fw dmz tcp ftp
ACCEPT fw dmz tcp ssh
ACCEPT fw dmz tcp smtp
ACCEPT fw dmz udp domain
#
# Let Texas Ping
#
ACCEPT tx fw icmp echo-request
ACCEPT tx loc icmp echo-request
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
<p><font size="2">
Last updated 8/9/2002
- </font><font size="2">
<a href="support.htm">Tom Eastep</a></font>
</p> </p>
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></body></html> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
</body>
</html>
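Review bot: the new "I use:" list says wookie (192.168.1.3) is handled by Proxy ARP, but the configuration below contradicts it: the Proxy ARP file lists only 206.124.146.177 and 206.124.146.180, while the NAT file maps 206.124.146.179 to 192.168.1.3 and the hosts file places both eth2:192.168.1.3 and eth2:206.124.146.179 in the 'me' zone. Either the bullet should say static NAT (matching the NAT entry) or the Proxy ARP file is missing the .179 entry; as written a reader copying this setup gets two different answers. Smaller points: the policy file's last line still says "DO NOT REMOTE" (should be "DO NOT REMOVE"), the policy mixes "$FW" and "fw" for the firewall zone, "acts as the a WINS server" has a stray article, and every "<pre>" listing has been collapsed onto a single source line joined by "<br>", which makes future diffs of these configuration files unreadable; keep one configuration line per source line as the old side of the hunk did.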

@ -1,199 +1,256 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.3</title> <title>Shoreline Firewall (Shorewall) 1.3</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<base target="_self">
<base target="_self">
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="4" style="border-collapse: collapse" width="100%" id="AutoNumber3" bgcolor="#4B017C">
<tr> <table border="0" cellpadding="0" cellspacing="4"
<td width="100%"> style="border-collapse: collapse;" width="100%" id="AutoNumber3"
<h1 align="center"> <font size="4"><i> bgcolor="#4b017c">
<a href="http://www.cityofshoreline.com"> <tbody>
<img border="0" src="images/washington.jpg" align="right" width="100" height="82"><img border="0" src="images/washington.jpg" align="left" width="100" height="82"></a></i></font><font color="#FFFFFF">Shorewall 1.3 - <font size="4">&quot;<i>iptables made easy&quot;</i></font></font></h1> <tr>
</td> <td width="100%">
</tr> <h1 align="center"> <font size="4"><i> <a
</table> href="http://www.cityofshoreline.com"> <img border="0"
src="images/washington.jpg" align="right" width="100" height="82">
<div align="center"> <img border="0" src="images/washington.jpg" align="left"
<center> width="100" height="82">
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber4"> </a></i></font><font color="#ffffff">Shorewall 1.3 - <font
<tr> size="4">"<i>iptables made easy"</i></font></font></h1>
<td width="90%"> </td>
</tr>
<h2 align="Left">What is it?</h2>
</tbody>
<p>The Shoreline Firewall, more commonly known as &quot;Shorewall&quot;,&nbsp; is a </table>
<a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
that can be used on a dedicated firewall system, a multi-function <div align="center">
gateway/router/server or on a standalone GNU/Linux system.</p> <center>
<table border="0" cellpadding="0" cellspacing="0"
<p>This program is free software; you can redistribute it and/or modify it style="border-collapse: collapse;" width="100%" id="AutoNumber4">
under the terms of <a href="http://www.gnu.org/licenses/gpl.html">Version <tbody>
2 of the GNU General Public License</a> as published by the Free Software <tr>
Foundation.<br> <td width="90%">
<br>
This program is distributed in the hope that it will be useful, but <h2 align="left">What is it?</h2>
WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License <p>The Shoreline Firewall, more commonly known as "Shorewall",  is
for more details.<br> a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
<br> firewall that can be used on a dedicated firewall system, a multi-function
You should have received a copy of the GNU General Public License gateway/router/server or on a standalone GNU/Linux system.</p>
along with this program; if not, write to the Free Software Foundation,
Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p> <p>This program is free software; you can redistribute it and/or modify
it under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
General Public License</a> as published by the Free Software Foundation.<br>
<br>
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
for more details.<br>
<br>
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software Foundation,
Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
<p><a href="copyright.htm">Copyright 2001, 2002 Thomas M. Eastep</a></p> <p><a href="copyright.htm">Copyright 2001, 2002 Thomas M. Eastep</a></p>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
<p>&nbsp;<a href="http://leaf.sourceforge.net" target="_top"><img border="0" src="images/leaflogo.gif" width="49" height="36"></a>Jacques border="0" src="images/leaflogo.gif" width="49" height="36">
Nilo and Eric Wolzak have a LEAF distribution called <i>Bering</i> that </a>Jacques Nilo and Eric Wolzak have a LEAF distribution called
features Shorewall-1.3.3 and Kernel-2.4.18. You can find their work at: <i>Bering</i> that features Shorewall-1.3.3 and Kernel-2.4.18.
<a href="http://leaf.sourceforge.net/devel/jnilo"> You can find their work at: <a
http://leaf.sourceforge.net/devel/jnilo</a></p> href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
<h2>News</h2> <h2>News</h2>
<p><b>9/2/2002 - Shorewall 1.3.7c <p><b>9/16/2002 - Shorewall 1.3.8 </b><b><img border="0"
<img border="0" src="images/new10.gif" width="28" height="12"> </b></p> src="file:///vfat/Shorewall/Shorewall-docs/images/new10.gif" width="28"
height="12">
<p>This is a role up of a fix for &quot;DNAT&quot; rules where the source zone is $FW </b></p>
(fw).</p>
<p>In this version:<br>
<p><b>8/31/2002 - I'm not available </p>
<img border="0" src="images/new10.gif" width="28" height="12"> </b></p>
<p>I'm currently on vacation&nbsp; -- please respect my need for a couple of
weeks free of Shorewall problem reports.</p>
<p>-Tom</p>
<p><b>8/26/2002 - Shorewall 1.3.7b</b></p>
<p>This is a role up of the &quot;shorewall refresh&quot; bug fix and the change which
reverses the order of &quot;dhcp&quot; and &quot;norfc1918&quot; checking.</p>
<p><b>8/26/2002 - French FTP Mirror is Operational</b></p>
<p><a target="_blank" href="ftp://france.shorewall.net/pub/mirrors/shorewall">ftp://france.shorewall.net/pub/mirrors/shorewall</a> is now available.</p>
<p><b>8/25/2002 - Shorewall Mirror in France </b></p>
<p>Thanks to a Shorewall user in Paris, the Shorewall web site is now mirrored
at <a target="_top" href="http://france.shorewall.net">http://france.shorewall.net</a>.</p>
<p><b>8/25/2002 - Shorewall 1.3.7a Debian Packages Available</b></p>
<p>Lorenzo Martignoni reports that the packages for version 1.3.7a are available at <a href="http://security.dsi.unimi.it/~lorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a>.</p>
<p><b>8/22/2002 - Shorewall 1.3.7 Wins a Brown Paper Bag Award for its Author
-- Shorewall 1.3.7a released
<img border="0" src="images/j0233056.gif" width="50" height="80" align="middle"></b></p>
<p>1.3.7a corrects problems occurring in rules file processing when starting Shorewall
1.3.7.</p>
<p><b>8/22/2002 - Shorewall 1.3.7 Released</b></p>
<p>Features in this release include:</p>
<ul> <ul>
<li>The 'icmp.def' file is now empty! The rules in that file were <li>A NEWNOTSYN option has been added to shorewall.conf. This option
required in ipchains firewalls but are not required in Shorewall. Users determines whether Shorewall accepts TCP packets which are not part of an
who have ALLOWRELATED=No in <a href="Documentation.htm#Conf"> established connection and that are not 'SYN' packets (SYN flag on and ACK
shorewall.conf</a> should see the <a href="errata.htm#Upgrade">Upgrade flag off).</li>
Issues</a>.</li> <li>The need for the 'multi' option to communicate between zones
<li>A 'FORWARDPING' option has been added to za and zb on the same interface is removed in the case where the chain 'za2zb'
<a href="Documentation.htm#Conf">shorewall.conf</a>. The effect of and/or 'zb2za' exists. 'za2zb' will exist if:</li>
setting this variable to Yes is the same as the effect of adding an <ul>
ACCEPT rule for ICMP echo-request in <li>
<a href="shorewall_extension_scripts.htm">/etc/shorewall/icmpdef</a>. <blockquote>There is a policy for za to zb; or</blockquote>
Users who have such a rule in icmpdef are encouraged to switch to </li>
FORWARDPING=Yes.</li> <li>
<li>The loopback CLASS A Network (127.0.0.0/8) has been added to the <blockquote>There is at least one rule for za to zb.</blockquote>
rfc1918 file.</li> </li>
<li>Shorewall now works with iptables 1.2.7.</li> </ul>
<li>The documentation and Web site no longer use FrontPage themes.</li>
</ul> </ul>
<p>I would like to thank John Distler for his valuable input regarding TCP SYN <ul>
and ICMP treatment in Shorewall. That input has led to marked improvement in <li>The /etc/shorewall/blacklist file now contains three columns.
Shorewall in the last two releases.</p> In addition to the SUBNET/ADDRESS column, there are optional PROTOCOL and
PORT columns to block only certain applications from the blacklisted addresses.<br>
<p><b>8/13/2002 - Documentation in the <a target="_top" href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi"> </li>
CVS Repository</a></b></p> </ul>
<p>The Shorewall-docs project now contains just the HTML and image files - the <p><b>9/11/2002 - Debian 1.3.7c Packages Available </b></p>
Frontpage files have been removed.</p>
<p>Apt-get sources listed at <a
<p><b>8/7/2002 - <i>STABLE</i></b> <b>branch added to <a target="_top" href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi"> href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a>.</p>
CVS Repository</a></b></p>
<p><b>9/2/2002 - Shorewall 1.3.7c</b></p>
<p>This branch will only be updated after I release a new version of Shorewall
so you can always update from this branch to get the latest stable tree.</p> <p>This is a role up of a fix for "DNAT" rules where the source zone
is $FW (fw).</p>
<p><b>8/7/2002 - <a href="errata.htm#Upgrade">Upgrade Issues</a> section added
to the <a href="errata.htm">Errata Page</a></b></p> <p><b>8/26/2002 - Shorewall 1.3.7b</b></p>
<p>Now there is one place to go to look for issues involved with upgrading to <p>This is a role up of the "shorewall refresh" bug fix and the change
recent versions of Shorewall.</p> which reverses the order of "dhcp" and "norfc1918" checking.</p>
<p><b>8/7/2002 - Shorewall 1.3.6</b></p> <p><b>8/26/2002 - French FTP Mirror is Operational</b></p>
<p>This is primarily a bug-fix rollup with a couple of new features:</p> <p><a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall">ftp://france.shorewall.net/pub/mirrors/shorewall</a>
<ul> is now available.</p>
<li>The latest <a href="shorewall_quickstart_guide.htm">QuickStart Guides </a>
including the <a href="shorewall_setup_guide.htm">Shorewall Setup Guide.</a></li> <p><b>8/25/2002 - Shorewall Mirror in France </b></p>
<li>Shorewall will now DROP TCP packets that are not part of or related to an
existing connection and that are not SYN packets. These &quot;New not SYN&quot; packets <p>Thanks to a Shorewall user in Paris, the Shorewall web site is now
may be optionally logged by setting the LOGNEWNOTSYN option in <a href="Documentation.htm#Conf"> mirrored at <a target="_top" href="http://france.shorewall.net">http://france.shorewall.net</a>.</p>
/etc/shorewall/shorewall.conf</a>.</li>
<li>The processing of &quot;New not SYN&quot; packets may be extended by commands in <p><b>8/25/2002 - Shorewall 1.3.7a Debian Packages Available</b></p>
the new <a href="shorewall_extension_scripts.htm">newnotsyn extension script</a>.</li>
</ul> <p>Lorenzo Martignoni reports that the packages for version 1.3.7a
are available at <a
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a>.</p>
<p><b>8/22/2002 - Shorewall 1.3.7 Wins a Brown Paper Bag Award for
its Author -- Shorewall 1.3.7a released <img border="0"
src="images/j0233056.gif" width="50" height="80" align="middle">
</b></p>
<p>1.3.7a corrects problems occurring in rules file processing when
starting Shorewall 1.3.7.</p>
<p><b>8/22/2002 - Shorewall 1.3.7 Released</b></p>
<p>Features in this release include:</p>
<ul>
<li>The 'icmp.def' file is now empty! The rules in that file were
required in ipchains firewalls but are not required in Shorewall.
Users who have ALLOWRELATED=No in <a
href="Documentation.htm#Conf"> shorewall.conf</a> should see the
<a href="errata.htm#Upgrade">Upgrade Issues</a>.</li>
<li>A 'FORWARDPING' option has been added to <a
href="Documentation.htm#Conf">shorewall.conf</a>. The effect of
setting this variable to Yes is the same as the effect of adding an
ACCEPT rule for ICMP echo-request in <a
href="shorewall_extension_scripts.htm">/etc/shorewall/icmpdef</a>.
Users who have such a rule in icmpdef are encouraged to switch to
FORWARDPING=Yes.</li>
<li>The loopback CLASS A Network (127.0.0.0/8) has been added to
the rfc1918 file.</li>
<li>Shorewall now works with iptables 1.2.7.</li>
<li>The documentation and Web site no longer use FrontPage themes.</li>
</ul>
<p>I would like to thank John Distler for his valuable input regarding
TCP SYN and ICMP treatment in Shorewall. That input has led to marked improvement
in Shorewall in the last two releases.</p>
<p><b>8/13/2002 - Documentation in the <a target="_top"
href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi"> CVS Repository</a></b></p>
<p>The Shorewall-docs project now contains just the HTML and image
files - the Frontpage files have been removed.</p>
<p><b>8/7/2002 - <i>STABLE</i></b> <b>branch added to <a
target="_top" href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi"> CVS
Repository</a></b></p>
<p>This branch will only be updated after I release a new version of
Shorewall so you can always update from this branch to get the latest stable
tree.</p>
<p><b>8/7/2002 - <a href="errata.htm#Upgrade">Upgrade Issues</a> section
added to the <a href="errata.htm">Errata Page</a></b></p>
<p>Now there is one place to go to look for issues involved with upgrading
to recent versions of Shorewall.</p>
<p><b>8/7/2002 - Shorewall 1.3.6</b></p>
<p>This is primarily a bug-fix rollup with a couple of new features:</p>
<ul>
<li>The latest <a href="shorewall_quickstart_guide.htm">QuickStart Guides
</a> including the <a href="shorewall_setup_guide.htm">Shorewall
Setup Guide.</a></li>
<li>Shorewall will now DROP TCP packets that are not part of or related
to an existing connection and that are not SYN packets. These "New not
SYN" packets may be optionally logged by setting the LOGNEWNOTSYN option
in <a href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf</a>.</li>
<li>The processing of "New not SYN" packets may be extended by commands
in the new <a href="shorewall_extension_scripts.htm">newnotsyn extension
script</a>.</li>
</ul>
<p><a href="News.htm">More News</a></p> <p><a href="News.htm">More News</a></p>
<h2><a name="Donations"></a>Donations</h2> <h2><a name="Donations"></a>Donations</h2>
</td>
</td> <td width="88" bgcolor="#4b017c" valign="top"
<td width="88" bgcolor="#4B017C" valign="top" align="center"> align="center"> <a href="http://sourceforge.net">M</a></td>
<a href="http://sourceforge.net">M</a></td> </tr>
</tr>
</table> </tbody>
</center> </table>
</div> </center>
</div>
<table border="0" cellpadding="5" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber2" bgcolor="#4B017C">
<tr> <table border="0" cellpadding="5" cellspacing="0"
<td width="100%" style="margin-top: 1"> style="border-collapse: collapse;" width="100%" id="AutoNumber2"
<p align="center"><a href="http://www.starlight.org"> bgcolor="#4b017c">
<img border="4" src="images/newlog.gif" width="57" height="100" align="left" hspace="10"><img border="4" src="images/newlog.gif" width="57" height="100" align="right" hspace="10"></a></p> <tbody>
<p align="center"><font size="4" color="#FFFFFF">Shorewall is free but if <tr>
you try it and find it useful, please consider making a donation to <td width="100%" style="margin-top: 1px;">
<a href="http://www.starlight.org"><font color="#FFFFFF">Starlight Children's Foundation.</font></a> Thanks!</font></td> <p align="center"><a href="http://www.starlight.org"> <img
</tr> border="4" src="images/newlog.gif" width="57" height="100" align="left"
</table> hspace="10">
<img border="4" src="images/newlog.gif" width="57" height="100"
<p><font size="2">Updated align="right" hspace="10">
8/31/2002 - <a href="support.htm">Tom Eastep</a> </a></p>
</font>
<p align="center"><font size="4" color="#ffffff">Shorewall is free
but if you try it and find it useful, please consider making a donation
</p> to <a href="http://www.starlight.org"><font color="#ffffff">Starlight
Children's Foundation.</font></a> Thanks!</font></p>
</td>
</body> </tr>
</html>
</tbody>
</table>
<p><font size="2">Updated 9/16/2002 - <a href="support.htm">Tom Eastep</a>
</font>
</p>
<br>
</body>
</html>
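Review bot: the new 1.3.8 news entry points its "new" badge at src="file:///vfat/Shorewall/Shorewall-docs/images/new10.gif" (the line directly under the 9/16/2002 heading) instead of the relative images/new10.gif that the 1.3.7c entry it replaces used; a file:// URL only resolves on the author's own machine, so every site visitor gets a broken image, and it also publishes a local filesystem path in the served HTML. Use src="images/new10.gif" as the rest of the page does. Two smaller points in the same hunk: the NEWNOTSYN item says the option decides whether TCP packets that are neither part of an established connection nor SYN packets are accepted, but not what the default is, while the 1.3.6 entry further down says such packets are dropped; stating the default and the effect of setting it to Yes would save upgraders a trip to shorewall.conf. And the 'za2zb' condition list is emitted after the closing </li> rather than inside it, with each condition wrapped in its own <blockquote> inside an <li>; nesting the <ul> inside the <li> and dropping the blockquotes gives the same rendering with a valid list structure.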

View File

@ -1,155 +1,202 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta http-equiv="Content-Language" content="en-us">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<title>Shorewall QuickStart Guide</title>
<meta name="Microsoft Theme" content="none"> <meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall QuickStart Guide</title>
<meta name="Microsoft Theme" content="none">
</head> </head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0"
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber1" bgcolor="#400169" height="90"> style="border-collapse: collapse;" width="100%" id="AutoNumber1"
<tr> bgcolor="#400169" height="90">
<td width="100%"> <tbody>
<h1 align="center"><font color="#FFFFFF">Shorewall QuickStart Guides<br> <tr>
Version 3.0</font></h1> <td width="100%">
</td> <h1 align="center"><font color="#ffffff">Shorewall QuickStart Guides<br>
</tr> Version 3.1</font></h1>
</td>
</tr>
</tbody>
</table> </table>
<p align="center">With thanks to Richard who reminded me once again that we must <p align="center">With thanks to Richard who reminded me once again that
all first walk before we can run.</p> we must all first walk before we can run.</p>
<h2>The Guides</h2> <h2>The Guides</h2>
<p>These guides provide step-by-step instructions for configuring Shorewall in
common firewall setups.</p> <p>These guides provide step-by-step instructions for configuring Shorewall
<p>The following guides are for firewalls with a single external IP address:</p> in common firewall setups.</p>
<p>The following guides are for users who have a single public IP address:</p>
<ul> <ul>
<li><a href="standalone.htm">Standalone</a> Linux System</li> <li><a href="standalone.htm">Standalone</a> Linux System</li>
<li><a href="two-interface.htm">Two-interface</a> Linux System acting as a <li><a href="two-interface.htm">Two-interface</a> Linux System acting
firewall/router for a small local network</li> as a firewall/router for a small local network</li>
<li><a href="three-interface.htm">Three-interface</a> Linux System acting as a <li><a href="three-interface.htm">Three-interface</a> Linux System acting
firewall/router for a small local network and a DMZ.</li> as a firewall/router for a small local network and a DMZ.</li>
</ul> </ul>
<p>The above guides are designed to get your first firewall up and running
quickly in the three most common Shorewall configurations.</p> <p>The above guides are designed to get your first firewall up and running
<p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> outlines quickly in the three most common Shorewall configurations.</p>
the steps necessary to set up a firewall where there are multiple public IP
addresses involved or if you want to learn more about Shorewall than is <p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> outlines
explained in the single-address guides above.</p> the steps necessary to set up a firewall where there are multiple public
IP addresses involved or if you want to learn more about Shorewall than
is explained in the single-address guides above.</p>
<ul> <ul>
<li><a href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a></li> <li><a href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a></li>
<li><a href="shorewall_setup_guide.htm#Concepts">2.0 Shorewall Concepts</a></li> <li><a href="shorewall_setup_guide.htm#Concepts">2.0 Shorewall Concepts</a></li>
<li><a href="shorewall_setup_guide.htm#Interfaces">3.0 Network Interfaces</a></li> <li><a href="shorewall_setup_guide.htm#Interfaces">3.0 Network Interfaces</a></li>
<li><a href="shorewall_setup_guide.htm#Addressing">4.0 Addressing, Subnets and Routing</a><ul> <li><a href="shorewall_setup_guide.htm#Addressing">4.0 Addressing, Subnets
<li><a href="shorewall_setup_guide.htm#Addresses">4.1 IP Addresses</a></li> and Routing</a>
<li><a href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li> <ul>
<li><a href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li> <li><a href="shorewall_setup_guide.htm#Addresses">4.1 IP Addresses</a></li>
<li><a href="shorewall_setup_guide.htm#ARP">4.4 Address Resolution Protocol</a></li> <li><a href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
</ul> <li><a href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li>
<ul> <li><a href="shorewall_setup_guide.htm#ARP">4.4 Address Resolution Protocol</a></li>
<li><a href="shorewall_setup_guide.htm#RFC1918">4.5 RFC 1918</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#Options">5.0 Setting up your Network</a><ul>
<li><a href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li>
</ul>
<ul>
<li><a href="shorewall_setup_guide.htm#NonRouted">5.2 Non-routed</a><ul>
<li><a href="shorewall_setup_guide.htm#SNAT">5.2.1 SNAT</a></li>
<li><a href="shorewall_setup_guide.htm#DNAT">5.2.2 DNAT</a></li>
<li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3 Proxy ARP</a></li>
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4 Static NAT</a></li>
</ul> </ul>
</li>
<li><a href="shorewall_setup_guide.htm#Rules">5.3 Rules</a></li> <ul>
<li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4 Odds and Ends</a></li> <li><a href="shorewall_setup_guide.htm#RFC1918">4.5 RFC 1918</a></li>
</ul>
</li> </ul>
<li><a href="shorewall_setup_guide.htm#DNS">6.0 DNS</a></li> </li>
<li><a href="shorewall_setup_guide.htm#StartingAndStopping">7.0 Starting and <li><a href="shorewall_setup_guide.htm#Options">5.0 Setting up your Network</a>
Stopping the Firewall</a></li> <ul>
<li><a href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li>
</ul>
<ul>
<li><a href="shorewall_setup_guide.htm#NonRouted">5.2 Non-routed</a>
<ul>
<li><a href="shorewall_setup_guide.htm#SNAT">5.2.1 SNAT</a></li>
<li><a href="shorewall_setup_guide.htm#DNAT">5.2.2 DNAT</a></li>
<li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3 Proxy ARP</a></li>
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4 Static NAT</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#Rules">5.3 Rules</a></li>
<li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4 Odds and Ends</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#DNS">6.0 DNS</a></li>
<li><a href="shorewall_setup_guide.htm#StartingAndStopping">7.0 Starting
and Stopping the Firewall</a></li>
</ul> </ul>
<h2><a name="Documentation"></a>Additional Documentation</h2> <h2><a name="Documentation"></a>Additional Documentation</h2>
<p>The following documentation covers a variety of topics and supplements the
<a href="shorewall_quickstart_guide.htm">QuickStart Guides</a> described above.</p> <p>The following documentation covers a variety of topics and supplements
the <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a> described
above.</p>
<ul> <ul>
<li><a href="blacklisting_support.htm">Blacklisting</a><ul> <li><a href="blacklisting_support.htm">Blacklisting</a>
<li>Static Blacklisting using /etc/shorewall/blacklist</li> <ul>
<li>Dynamic Blacklisting using /sbin/shorewall</li> <li>Static Blacklisting using /etc/shorewall/blacklist</li>
</ul> <li>Dynamic Blacklisting using /sbin/shorewall</li>
</li>
<li><a href="configuration_file_basics.htm">Common configuration file features</a><ul> </ul>
<li>Comments in configuration files</li> </li>
<li>Line Continuation</li> <li><a href="configuration_file_basics.htm">Common configuration file
<li>Port Numbers/Service Names</li> features</a>
<li>Port Ranges</li> <ul>
<li>Using Shell Variables</li> <li>Comments in configuration files</li>
<li>Complementing an IP address or Subnet</li> <li>Line Continuation</li>
<li>Shorewall Configurations (making a test configuration)</li> <li>Port Numbers/Service Names</li>
<li>Using MAC Addresses in Shorewall</li> <li>Port Ranges</li>
</ul> <li>Using Shell Variables</li>
</li> <li>Complementing an IP address or Subnet</li>
<li><a href="Documentation.htm">Configuration File Reference Manual</a><ul> <li>Shorewall Configurations (making a test configuration)</li>
<li> <li>Using MAC Addresses in Shorewall</li>
<a href="Documentation.htm#Variables">params</a></li>
<li><font color="#000099"><a href="Documentation.htm#Zones">zones</a></font></li> </ul>
<li><font color="#000099"><a href="Documentation.htm#Interfaces">interfaces</a></font></li> </li>
<li><font color="#000099"><a href="Documentation.htm#Hosts">hosts</a></font></li> <li><a href="Documentation.htm">Configuration File Reference Manual</a>
<li><font color="#000099"><a href="Documentation.htm#Policy">policy</a></font></li> <ul>
<li><font color="#000099"><a href="Documentation.htm#Rules">rules</a></font></li> <li> <a href="Documentation.htm#Variables">params</a></li>
<li><a href="Documentation.htm#Common">common</a></li> <li><font color="#000099"><a href="Documentation.htm#Zones">zones</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#Masq">masq</a></font></li> <li><font color="#000099"><a href="Documentation.htm#Interfaces">interfaces</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#ProxyArp">proxyarp</a></font></li> <li><font color="#000099"><a href="Documentation.htm#Hosts">hosts</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#NAT">nat</a></font></li> <li><font color="#000099"><a href="Documentation.htm#Policy">policy</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#Tunnels">tunnels</a></font></li> <li><font color="#000099"><a href="Documentation.htm#Rules">rules</a></font></li>
<li><a href="traffic_shaping.htm#tcrules">tcrules</a></li> <li><a href="Documentation.htm#Common">common</a></li>
<li><font color="#000099"><a href="Documentation.htm#Conf">shorewall.conf</a></font></li> <li><font color="#000099"><a href="Documentation.htm#Masq">masq</a></font></li>
<li><a href="Documentation.htm#modules">modules</a></li> <li><font color="#000099"><a href="Documentation.htm#ProxyArp">proxyarp</a></font></li>
<li><a href="Documentation.htm#TOS">tos</a> </li> <li><font color="#000099"><a href="Documentation.htm#NAT">nat</a></font></li>
<li><a href="Documentation.htm#Blacklist">blacklist</a></li> <li><font color="#000099"><a href="Documentation.htm#Tunnels">tunnels</a></font></li>
<li><a href="Documentation.htm#rfc1918">rfc1918</a></li> <li><a href="traffic_shaping.htm#tcrules">tcrules</a></li>
<li><a href="Documentation.htm#Routestopped">routestopped</a></li> <li><font color="#000099"><a href="Documentation.htm#Conf">shorewall.conf</a></font></li>
</ul> <li><a href="Documentation.htm#modules">modules</a></li>
</li> <li><a href="Documentation.htm#TOS">tos</a> </li>
<li><a href="dhcp.htm">DHCP</a></li> <li><a href="Documentation.htm#Blacklist">blacklist</a></li>
<li><font color="#000099"><a href="shorewall_extension_scripts.htm">Extension Scripts</a></font> <li><a href="Documentation.htm#rfc1918">rfc1918</a></li>
(How to extend Shorewall without modifying Shorewall code)</li> <li><a href="Documentation.htm#Routestopped">routestopped</a></li>
<li><a href="fallback.htm">Fallback/Uninstall</a></li>
<li><a href="shorewall_firewall_structure.htm">Firewall Structure</a></li> </ul>
<li><font color="#000099"><a href="kernel.htm">Kernel Configuration</a></font></li> </li>
<li><a href="myfiles.htm">My <li><a href="dhcp.htm">DHCP</a></li>
Configuration Files</a> (How I personally use Shorewall)</li> <li><font color="#000099"><a href="shorewall_extension_scripts.htm">Extension
<li><a href="ports.htm">Port Information</a><ul> Scripts</a></font> (How to extend Shorewall without modifying Shorewall
<li>Which applications use which ports</li> code)</li>
<li>Ports used by Trojans</li> <li><a href="fallback.htm">Fallback/Uninstall</a></li>
</ul> <li><a href="shorewall_firewall_structure.htm">Firewall Structure</a></li>
</li> <li><font color="#000099"><a href="kernel.htm">Kernel Configuration</a></font></li>
<li><a href="ProxyARP.htm">Proxy ARP</a></li> <li><a href="myfiles.htm">My Configuration Files</a> (How I personally
<li><a href="samba.htm">Samba</a></li> use Shorewall)</li>
<li><font color="#000099"><a href="starting_and_stopping_shorewall.htm">Starting/stopping the Firewall</a></font></li> <li><a href="ports.htm">Port Information</a>
<li><font color="#000099"><a href="NAT.htm">Static NAT</a></font></li> <ul>
<li><a href="traffic_shaping.htm">Traffic Shaping/Control</a></li> <li>Which applications use which ports</li>
<li>VPN<ul> <li>Ports used by Trojans</li>
<li><a href="IPSEC.htm">IPSEC</a></li>
<li><a href="IPIP.htm">GRE and IPIP</a></li> </ul>
<li><a href="PPTP.htm">PPTP</a></li> </li>
<li><a href="VPN.htm">IPSEC/PPTP</a> from a system behind your firewall to a <li><a href="ProxyARP.htm">Proxy ARP</a></li>
remote network.</li> <li><a href="samba.htm">Samba</a></li>
</ul> <li><font color="#000099"><a
</li> href="starting_and_stopping_shorewall.htm">Starting/stopping the Firewall</a></font></li>
<li><a href="whitelisting_under_shorewall.htm">White List Creation</a></li> <li><font color="#000099"><a href="NAT.htm">Static NAT</a></font></li>
<li><a href="traffic_shaping.htm">Traffic Shaping/Control</a></li>
<li>VPN
<ul>
<li><a href="IPSEC.htm">IPSEC</a></li>
<li><a href="IPIP.htm">GRE and IPIP</a></li>
<li><a href="PPTP.htm">PPTP</a></li>
<li><a href="VPN.htm">IPSEC/PPTP</a> from a system behind your firewall
to a remote network.</li>
</ul>
</li>
<li><a href="whitelisting_under_shorewall.htm">White List Creation</a></li>
</ul> </ul>
<p>If you use one of these guides and have a suggestion for improvement
<a href="mailto:webmaster@shorewall.net">please let me know</a>.</p> <p>If you use one of these guides and have a suggestion for improvement <a
<p><font size="2">Last modified 8/29/2002 - href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
<a href="file:///J:/Shorewall/Shorewall-docs/support.htm">Tom Eastep</a></font></p>
<p><font size="2">Last modified 9/16/2002 - <a
href="file:///J:/Shorewall/Shorewall-docs/support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright 2002 Thomas M. Eastep</font></a></p> <p><a href="copyright.htm"><font size="2">Copyright 2002 Thomas M. Eastep</font></a></p>
<br>
</body> </body>
</html>
</html>
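Review bot: the footer link for "Tom Eastep" still reads href="file:///J:/Shorewall/Shorewall-docs/support.htm" on the new side of the "Last modified 9/16/2002" line; that is a path on the author's J: drive, so the link is dead for every reader of the published page. The hunk already edits that line for the date bump, so this is the place to change it to href="support.htm", matching the relative links used for every other page in the list above it.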

View File

@ -1,135 +1,147 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> <meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta http-equiv="Content-Type"
<title>Support</title> content="text/html; charset=windows-1252">
<meta name="Microsoft Theme" content="none">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Support</title>
<meta name="Microsoft Theme" content="none">
</head> </head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0"
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber1" bgcolor="#400169" height="90"> style="border-collapse: collapse;" width="100%" id="AutoNumber1"
<tr> bgcolor="#400169" height="90">
<td width="100%"> <tbody>
<h1 align="center"><font color="#FFFFFF">Shorewall Support</font></h1> <tr>
</td> <td width="100%">
</tr> <h1 align="center"><font color="#ffffff">Shorewall Support</font></h1>
</td>
</tr>
</tbody>
</table> </table>
<h3 align="left"> <span style="font-weight: 400"><i> <h3 align="left"> <span style="font-weight: 400;"><i> "<font size="3">It
&quot;<font size="3">It is easier to post a problem than to use your own brain&quot; is easier to post a problem than to use your own brain" </font>-- </i> <font
</font>-- </i> size="2">Weitse Venema (creator of <a href="http://www.postfix.org">Postfix</a>)</font></span></h3>
<font size="2">Weitse Venema (creator of Postfix)</font></span></h3>
<p align="left"> <i>"Any sane computer with tell you how it works -- you
<p align="left"> <i>&quot;Any sane computer with tell you how it works -- you just just have to ask it the right questions" </i>-- <font size="2">Tom Eastep</font></p>
have to ask it the right questions&quot; </i>-- <font size="2">Tom Eastep</font></p>
<blockquote> </blockquote>
<p><span style="font-weight: 400;"><i>"It irks me when people believe that
free software comes at no cost. The cost is incredibly high."</i>
- <font size="2"> Weitse Venema</font></span></p>
<h3 align="left">Before Reporting a Problem</h3> <h3 align="left">Before Reporting a Problem</h3>
<p>There are a number of sources for problem solution information.</p> <p>There are a number of sources for problem solution information.</p>
<ul> <ul>
<li>The <a href="FAQ.htm">FAQ</a> has solutions to common problems.</li> <li>The <a href="FAQ.htm">FAQ</a> has solutions to common problems.</li>
<li>The <a href="troubleshoot.htm">Troubleshooting</a> Information contains a <li>The <a href="troubleshoot.htm">Troubleshooting</a> Information contains
number of tips to help you solve common problems.</li> a number of tips to help you solve common problems.</li>
<li>The <a href="errata.htm"> Errata</a> has links to download updated <li>The <a href="errata.htm"> Errata</a> has links to download updated
components.</li> components.</li>
<li>The Mailing List Archives are a useful source of problem solving <li>The Mailing List Archives are a useful source of problem solving
information.</li> information.</li>
</ul> </ul>
<blockquote>
<p>The archives from the mailing List are at <a href="http://www.shorewall.net/pipermail/shorewall-users">http://www.shorewall.net/pipermail/shorewall-users</a>.</p> <blockquote>
<p>The archives from the mailing List are at <a
<h3>Search the Mailing List Archives at Shorewall.net</h3> href="http://www.shorewall.net/pipermail/shorewall-users">http://www.shorewall.net/pipermail/shorewall-users</a>.</p>
<form method="POST" action="http://www.shorewall.net/cgi-bin/htsearch"> <h3>Search the Mailing List Archives at Shorewall.net</h3>
<p>
<font size="-1"> <form method="post" action="http://www.shorewall.net/cgi-bin/htsearch">
Match: <select name="method"> <p> <font size="-1"> Match:
<option value="and">All <select name="method">
<option value="or">Any <option value="and">All </option>
<option value="boolean">Boolean <option value="or">Any </option>
</select> <option value="boolean">Boolean </option>
Format: <select name="format"> </select>
<option value="builtin-long">Long Format:
<option value="builtin-short">Short <select name="format">
</select> <option value="builtin-long">Long </option>
Sort by: <select name="sort"> <option value="builtin-short">Short </option>
<option value="score">Score </select>
<option value="time">Time Sort by:
<option value="title">Title <select name="sort">
<option value="revscore">Reverse Score <option value="score">Score </option>
<option value="revtime">Reverse Time <option value="time">Time </option>
<option value="revtitle">Reverse Title <option value="title">Title </option>
</select> <option value="revscore">Reverse Score </option>
</font> <option value="revtime">Reverse Time </option>
<input type="hidden" name="config" value="htdig"> <option value="revtitle">Reverse Title </option>
<input type="hidden" name="restrict" value="[http://www.shorewall.net/pipermail/.*]"> </select>
<input type="hidden" name="exclude" value=""> </font> <input type="hidden" name="config" value="htdig"> <input
<br> type="hidden" name="restrict"
Search: value="[http://www.shorewall.net/pipermail/.*]"> <input type="hidden"
<input type="text" size="30" name="words" value=""> name="exclude" value=""> <br>
<input type="submit" value="Search"> </p> Search: <input type="text" size="30" name="words" value=""> <input
</form> type="submit" value="Search"> </p>
</form>
</blockquote> </blockquote>
<h3 align="Left">Problem Reporting Guidelines</h3> <h3 align="left">Problem Reporting Guidelines</h3>
<ul> <ul>
<li>When reporting a problem, give as much information as you can. Reports <li>When reporting a problem, give as much information as you can. Reports
that say "I tried XYZ and it didn't work&quot; are not at all helpful.</li> that say "I tried XYZ and it didn't work" are not at all helpful.</li>
<li>Please don't describe your environment and then ask us to send you <li>Please don't describe your environment and then ask us to send you
custom configuration files. We're here to answer your questions but we custom configuration files. We're here to answer your questions
can't do your job for you.</li> but we can't do your job for you.</li>
<li>Do you see any "Shorewall" messages in /var/log/messages when you exercise <li>Do you see any "Shorewall" messages in /var/log/messages when
the function that is giving you problems?</li> you exercise the function that is giving you problems?</li>
<li>Have you looked at the packet flow with a tool like tcpdump to try to <li>Have you looked at the packet flow with a tool like tcpdump to
understand what is going on?</li> try to understand what is going on?</li>
<li>Have you tried using the diagnostic capabilities of the application that <li>Have you tried using the diagnostic capabilities of the application
isn't working? For example, if "ssh" isn't able to connect, using the that isn't working? For example, if "ssh" isn't able to connect, using
"-v" option gives you a lot of valuable diagnostic information.</li> the "-v" option gives you a lot of valuable diagnostic information.</li>
<li>Please include any of the Shorewall configuration files (especially the <li>Please include any of the Shorewall configuration files (especially
/etc/shorewall/hosts file if you have modified that file) that you think are the /etc/shorewall/hosts file if you have modified that file) that you
relevant. If an error occurs when you try to &quot;shorewall start&quot;, include a think are relevant. If an error occurs when you try to "shorewall start",
trace (See the <a href="troubleshoot.htm">Troubleshooting</a> section for include a trace (See the <a href="troubleshoot.htm">Troubleshooting</a>
instructions).</li> section for instructions).</li>
<li>The list server limits posts to 120kb so don't post GIFs of your <li>The list server limits posts to 120kb so don't post GIFs of your
network layout, etc to the Mailing List -- your post will be rejected.</li> network layout, etc to the Mailing List -- your post will be rejected.</li>
</ul> </ul>
<h3>Where to Send your Problem
Report or to Ask for Help</h3> <h3>Where to Send your Problem Report or to Ask for Help</h3>
<h4>If you run Shorewall under Bering -- <span style="font-weight: 400">please
post your question or problem to the <h4>If you run Shorewall under Bering -- <span style="font-weight: 400;">please
<a href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing list</a>.</span></h4> post your question or problem to the <a
<p>Otherwise, please post your question or problem to the href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing list</a>.</span></h4>
<a href="mailto:shorewall-users@shorewall.net">Shorewall users mailing list</a>;
there are lots of folks there who are willing to help you. Your question/problem <p>Otherwise, please post your question or problem to the <a
description and their responses will be placed in the mailing list archives to href="mailto:shorewall-users@shorewall.net">Shorewall users mailing list</a>;
help people who have a similar question or problem in the future.</p> there are lots of folks there who are willing to help you. Your question/problem
<blockquote> description and their responses will be placed in the mailing list archives
<h3><span style="font-weight: 400"><i>&quot;It irks me when people believe that free software to help people who have a similar question or problem in the future.</p>
comes at no cost. The cost is incredibly high.&quot;</i> - <font size="2">
Weitse Venema</font></span></h3> <p>I don't look at problems sent to me directly but I try to spend some amount
</blockquote> of time each day responding to problems posted on the mailing list.</p>
<p><b>I'm not available</b></p> <p align="center"><a href="mailto:teastep@shorewall.net">-Tom</a></p>
<p>I'm currently on vacation&nbsp; -- please respect my need for a couple of <p>To Subscribe to the mailing list go to <a
weeks free of Shorewall problem reports.</p> href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a>
<p>-Tom</p>
<p>To Subscribe to the mailing list go to <a href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a>
.</p> .</p>
<p align="left"><font size="2">Last Updated 9/1/2002 - Tom <p align="left"><font size="2">Last Updated 9/14/2002 - Tom Eastep</font></p>
Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<font size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> <br>
</body> </body>
</html>
</html>
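Review bot: the Problem Reporting Guidelines bullet that asks users to post their Shorewall configuration files (especially /etc/shorewall/hosts), taken together with the new sentence that every question and its responses "will be placed in the mailing list archives", means posters will be publishing their zone layout and addresses to a public archive; the guidelines should ask people to remove anything sensitive (public addresses, credentials, internal host names) from files and traces before posting. A smaller point in the same hunk: the period after the subscribe link still sits on its own line ("</a>" followed by "." on the next line), so it renders as "…listinfo/shorewall-users ." with a stray space; move the "." directly after "</a>". The replacement of "&quot;" with literal quotation marks and "align=Left" with "align=left" is fine.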
@ -127,9 +127,16 @@ policy</li>
<ul> <ul>
<li>Seeing rejected/dropped packets logged out of the INPUT or FORWARD <li>Seeing rejected/dropped packets logged out of the INPUT or FORWARD
chains? This means that your zone definitions are screwed up and the host chains? This means that:<ol>
that is sending the packets isn't in any zone (using a /etc/shorewall/hosts <li>your zone definitions are screwed up and the host that is sending the
file are you?).</li> packets or the destination host isn't in any zone (using an
<a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a> file are you?);
or</li>
<li>the source and destination hosts are both connected to the same
interface and that interface doesn't have the 'multi' option specified in
<a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
</ol>
</li>
<li>Remember that Shorewall doesn't automatically allow ICMP type 8 ("ping") <li>Remember that Shorewall doesn't automatically allow ICMP type 8 ("ping")
requests to be sent between zones. If you want pings to be allowed between requests to be sent between zones. If you want pings to be allowed between
zones, you need a rule of the form:<br> zones, you need a rule of the form:<br>
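Review bot: now that the FAQ entry gives two different causes for packets logged out of the INPUT or FORWARD chains (host not in any zone versus two hosts on the same interface without the 'multi' option), it should also tell the reader how to decide which case applies to the logged packet, for instance by checking whether the inbound and outbound interfaces recorded in the log entry are the same; as written, both causes present the same symptom and the reader has no way to pick between them. Style points: the nested list opens inline after "This means that:" and the first item ends with ";" followed by "or" on the next line, which is awkward inside an ordered list; either drop the "or" or end the item with "; or" on one line.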
@ -187,7 +194,7 @@ ADD_IP_ALIASES</a>
</font> </font>
<p><font size="2">Last updated 8/29/2002 - <p><font size="2">Last updated 9/13/2002 -
Tom Eastep</font> Tom Eastep</font>
</p> </p>