extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-21 10:18:58 +02:00
Code Issues Packages Projects Releases Wiki Activity

Release changes for 1.3.12

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@385 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2002-12-28 15:38:03 +00:00
parent 89efe0c6f6
commit 36aa2c8e88
100 changed files with 26957 additions and 22978 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

853
Lrp/etc/init.d/shorewall
View File

File diff suppressed because it is too large Load Diff

6
Lrp/etc/shorewall/init Normal file
View File

@ -0,0 +1,6 @@
############################################################################
# Shorewall 1.3 -- /etc/shorewall/init
#
# Add commands below that you want to be executed at the beginning of
# a "shorewall start" or "shorewall restart" command.
#

10
Lrp/etc/shorewall/interfaces
View File

@ -20,6 +20,8 @@
# an alias (e.g., eth0:0) here; see # an alias (e.g., eth0:0) here; see
# http://www.shorewall.net/FAQ.htm#faq18 # http://www.shorewall.net/FAQ.htm#faq18
# #
# DO NOT DEFINE THE LOOPBACK INTERFACE (lo) IN THIS FILE.
#
# BROADCAST The broadcast address for the subnetwork to which the # BROADCAST The broadcast address for the subnetwork to which the
# interface belongs. For P-T-P interfaces, this # interface belongs. For P-T-P interfaces, this
# column is left black.If the interface has multiple # column is left black.If the interface has multiple
@ -89,6 +91,14 @@
# is specified, the interface must be # is specified, the interface must be
# an ethernet NIC and must be up before # an ethernet NIC and must be up before
# Shorewall is started. # Shorewall is started.
# tcpflags - Packets arriving on this interface are
# checked for certain illegal combinations
# of TCP flags. Packets found to have
# such a combination of flags are handled
# according to the setting of
# TCP_FLAGS_DISPOSITION after having been
# logged according to the setting of
# TCP_FLAGS_LOG_LEVEL.
# proxyarp - # proxyarp -
# Sets # Sets
# /proc/sys/net/ipv4/conf/<interface>/proxy_arp. # /proc/sys/net/ipv4/conf/<interface>/proxy_arp.

10
Lrp/etc/shorewall/policy
View File

@ -17,6 +17,10 @@
# DEST Destination zone. Must be the name of a zone defined # DEST Destination zone. Must be the name of a zone defined
# in /etc/shorewall/zones, $FW or "all" # in /etc/shorewall/zones, $FW or "all"
# #
# WARNING: Firewall->Firewall policies are not allowed; if
# you have a policy where both SOURCE and DEST are $FW,
# Shorewall will not start!
#
# POLICY Policy if no match from the rules file is found. Must # POLICY Policy if no match from the rules file is found. Must
# be "ACCEPT", "DROP", "REJECT" or "CONTINUE" # be "ACCEPT", "DROP", "REJECT" or "CONTINUE"
# #
@ -25,6 +29,12 @@
# log message is generated. See syslog.conf(5) for a # log message is generated. See syslog.conf(5) for a
# description of log levels. # description of log levels.
# #
# Beginning with Shorewall version 1.3.12, you may
# also specify ULOG (must be in upper case). This will
# log to the ULOG target and sent to a separate log
# through use of ulogd
# (http://www.gnumonks.org/projects/ulogd).
#
# If you don't want to log but need to specify the # If you don't want to log but need to specify the
# following column, place "_" here. # following column, place "_" here.
# #

2
Lrp/etc/shorewall/rfc1918
View File

@ -47,7 +47,7 @@
60.0.0.0/8 logdrop # Reserved 60.0.0.0/8 logdrop # Reserved
70.0.0.0/7 logdrop # Reserved 70.0.0.0/7 logdrop # Reserved
72.0.0.0/5 logdrop # Reserved 72.0.0.0/5 logdrop # Reserved
82.0.0.0/7 logdrop # Reserved 83.0.0.0/8 logdrop # Reserved
84.0.0.0/6 logdrop # Reserved 84.0.0.0/6 logdrop # Reserved
88.0.0.0/5 logdrop # Reserved 88.0.0.0/5 logdrop # Reserved
96.0.0.0/3 logdrop # Reserved 96.0.0.0/3 logdrop # Reserved

41
Lrp/etc/shorewall/rules
View File

@ -31,18 +31,26 @@
# level (e.g, REJECT:info). This causes the packet to be # level (e.g, REJECT:info). This causes the packet to be
# logged at the specified level. # logged at the specified level.
# #
# SOURCE Source hosts to which the rule applies. May be a zone # Beginning with Shorewall version 1.3.12, you may
# defined in /etc/shorewall/zones or $FW to indicate the # also specify ULOG (must be in upper case) as a log level.\
# firewall itself. If the ACTION is DNAT or REDIRECT, # This will log to the ULOG target and sent to a separate log
# sub-zones of the specified zone may be excluded from # through use of ulogd
# the rule by following the zone name with "!' and a # (http://www.gnumonks.org/projects/ulogd).
# comma-separated list of sub-zone names.
# #
# Clients may be further restricted to a list of subnets #
# and/or hosts by appending ":" and a comma-separated # SOURCE Source hosts to which the rule applies. May be a zone
# list of subnets and/or hosts. Hosts may be specified # defined in /etc/shorewall/zones, $FW to indicate the
# by IP or MAC address; mac addresses must begin with # firewall itself, or "all" If the ACTION is DNAT or
# "~" and must use "-" as a separator. # REDIRECT, sub-zones of the specified zone may be
# excluded from the rule by following the zone name with
# "!' and a comma-separated list of sub-zone names.
#
# Except when "all" is specified, clients may be further
# restricted to a list of subnets and/or hosts by
# appending ":" and a comma-separated list of subnets
# and/or hosts. Hosts may be specified by IP or MAC
# address; mac addresses must begin with "~" and must use
# "-" as a separator.
# #
# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ # dmz:192.168.2.2 Host 192.168.2.2 in the DMZ
# #
@ -64,12 +72,13 @@
# as described above (e.g., loc:eth1:192.168.1.5). # as described above (e.g., loc:eth1:192.168.1.5).
# #
# DEST Location of Server. May be a zone defined in # DEST Location of Server. May be a zone defined in
# /etc/shorewall/zones or $FW to indicate the firewall # /etc/shorewall/zones, $FW to indicate the firewall
# itself. # itself or "all"
# #
# The server may be further restricted to a particular # Except when "all" is specified, the server may be
# subnet, host or interface by appending ":" and the # further restricted to a particular subnet, host or
# subnet, host or interface. See above. # interface by appending ":" and the subnet, host or
# interface. See above.
# #
# Restrictions: # Restrictions:
# #

91
Lrp/etc/shorewall/shorewall.conf
View File

@ -9,6 +9,35 @@
# (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net) # (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net)
############################################################################## ##############################################################################
# #
# General note about log levels. Log levels are a method of describing
# to syslog (8) the importance of a message and a number of parameters
# in this file have log levels as their value.
#
# Valid levels are:
#
# 7 debug
# 6 info
# 5 notice
# 4 warning
# 3 err
# 2 crit
# 1 alert
# 0 emerg
#
# For most Shorewall logging, a level of 6 (info) is appropriate. Shorewall
# log messages are generated by NetFilter and are logged using facility
# 'kern' and the level that you specifify. If you are unsure of the level
# to choose, 6 (info) is a safe bet. You may specify levels by name or by
# number.
#
# If you have build your kernel with ULOG target support, you may also
# specify a log level of ULOG (must be all caps). Rather than log its
# messages to syslogd, Shorewall will direct netfilter to log the messages
# via the ULOG target which will send them to a process called 'ulogd'.
# ulogd is available from http://www.gnumonks.org/projects/ulogd and can be
# configured to log all Shorewall message to their own log file
################################################################################
#
# PATH - Change this if you want to change the order in which Shorewall # PATH - Change this if you want to change the order in which Shorewall
# searches directories for executable files. # searches directories for executable files.
# #
@ -97,6 +126,8 @@ LOGBURST=
# packets are logged under the 'logunclean' interface option. If the variable # packets are logged under the 'logunclean' interface option. If the variable
# is empty, these packets will still be logged at the 'info' level. # is empty, these packets will still be logged at the 'info' level.
# #
# See the comment at the top of this file for a description of log levels
#
LOGUNCLEAN=info LOGUNCLEAN=info
@ -192,6 +223,8 @@ BLACKLIST_DISPOSITION=DROP
# (beward of DOS attacks resulting from such logging). If not set, no logging # (beward of DOS attacks resulting from such logging). If not set, no logging
# of blacklist packets occurs. # of blacklist packets occurs.
# #
# See the comment at the top of this file for a description of log levels
#
BLACKLIST_LOGLEVEL= BLACKLIST_LOGLEVEL=
# #
@ -354,6 +387,8 @@ MUTEX_TIMEOUT=60
# it will be rejected by the firewall. If you want these rejects logged, # it will be rejected by the firewall. If you want these rejects logged,
# then set LOGNEWNOTSYN to the syslog log level at which you want them logged. # then set LOGNEWNOTSYN to the syslog log level at which you want them logged.
# #
# See the comment at the top of this file for a description of log levels
#
# Example: LOGNEWNOTSYN=debug # Example: LOGNEWNOTSYN=debug
@ -401,8 +436,64 @@ MACLIST_DISPOSITION=REJECT
# Specifies the logging level for connection requests that fail MAC # Specifies the logging level for connection requests that fail MAC
# verification. If set to the empty value (MACLIST_LOG_LEVEL="") then # verification. If set to the empty value (MACLIST_LOG_LEVEL="") then
# such connection requests will not be logged. # such connection requests will not be logged.
#
# See the comment at the top of this file for a description of log levels
# #
MACLIST_LOG_LEVEL=info MACLIST_LOG_LEVEL=info
#
# TCP FLAGS Disposition
#
# This variable determins the disposition of packets having an invalid
# combination of TCP flags that are received on interfaces having the
# 'tcpflags' option specified in /etc/shorewall/interfaces. If not specified
# or specified as empty (TCP_FLAGS_DISPOSITION="") then DROP is assumed.
TCP_FLAGS_DISPOSITION=DROP
#
# TCP FLAGS Log Level
#
# Specifies the logging level for packets that fail TCP Flags
# verification. If set to the empty value (TCP_FLAGS_LOG_LEVEL="") then
# such packets will not be logged.
#
# See the comment at the top of this file for a description of log levels
#
TCP_FLAGS_LOG_LEVEL=info
#
# RFC1918 Log Level
#
# Specifies the logging level for packets that fail RFC 1918
# verification. If set to the empty value (RFC1918_LOG_LEVEL="") then
# RFC1918_LOG_LEVEL=info is assumed.
#
# See the comment at the top of this file for a description of log levels
#
RFC1918_LOG_LEVEL=info
#
# Mark Packets in the forward chain
#
# When processing the tcrules file, Shorewall normally marks packets in the
# PREROUTING chain. To cause Shorewall to use the FORWARD chain instead, set
# this to "Yes". If not specified or if set to the empty value (e.g.,
# MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed.
#
# Marking packets in the FORWARD chain has the advantage that inbound
# packets destined for Masqueraded/SNATed local hosts have had their destination
# address rewritten so they can be marked based on their destination. When
# packets are marked in the PREROUTING chain, packets destined for
# Masqueraded/SNATed local hosts still have a destination address corresponding
# to the firewall's external interface.
#
# Note: Older kernels do not support marking packets in the FORWARD chain and
# setting this variable to Yes may cause startup problems.
MARK_IN_FORWARD_CHAIN=No
#LAST LINE -- DO NOT REMOVE #LAST LINE -- DO NOT REMOVE

6
Lrp/etc/shorewall/start Normal file
View File

@ -0,0 +1,6 @@
############################################################################
# Shorewall 1.3 -- /etc/shorewall/start
#
# Add commands below that you want to be executed after shorewall has
# been started or restarted.
#

6
Lrp/etc/shorewall/stop Normal file
View File

@ -0,0 +1,6 @@
############################################################################
# Shorewall 1.3 -- /etc/shorewall/stop
#
# Add commands below that you want to be executed at the beginning of a
# "shorewall stop" command.
#

6
Lrp/etc/shorewall/stopped Normal file
View File

@ -0,0 +1,6 @@
############################################################################
# Shorewall 1.3 -- /etc/shorewall/stopped
#
# Add commands below that you want to be executed at the completion of a
# "shorewall stop" command.
#

5
Lrp/etc/shorewall/tcrules
View File

@ -6,6 +6,11 @@
# Entries in this file cause packets to be marked as a means of # Entries in this file cause packets to be marked as a means of
# classifying them for traffic control or policy routing. # classifying them for traffic control or policy routing.
# #
# I M P O R T A N T ! ! ! !
#
# FOR ENTRIES IN THIS FILE TO HAVE ANY EFFECT, YOU MUST SET
# TC_ENABLED=Yes in /etc/shorewall/shorewall.conf
#
# Columns are: # Columns are:
# #
# #

181
Lrp/sbin/shorewall
View File

@ -58,6 +58,7 @@
# shorewall show nat Display the rules in the nat table # shorewall show nat Display the rules in the nat table
# shorewall show {mangle|tos} Display the rules in the mangle table # shorewall show {mangle|tos} Display the rules in the mangle table
# shorewall show tc Display traffic control info # shorewall show tc Display traffic control info
# shorewall show classifiers Display classifiers
# shorewall version Display the installed version id # shorewall version Display the installed version id
# shorewall check Verify the more heavily-used # shorewall check Verify the more heavily-used
# configuration files. # configuration files.
@ -150,8 +151,10 @@ display_chains()
iptables -L -n -v > /tmp/chains-$$ iptables -L -n -v > /tmp/chains-$$
clear clear
echo -e "$banner `date`\\n" echo "$banner `date`"
echo -e "Standard Chains\\n" echo
echo "Standard Chains"
echo
firstchain="Yes" firstchain="Yes"
showchain INPUT showchain INPUT
showchain OUTPUT showchain OUTPUT
@ -160,9 +163,11 @@ display_chains()
timed_read timed_read
clear clear
echo -e "$banner `date`\\n" echo "$banner `date`"
echo
firstchain=Yes firstchain=Yes
echo -e "Input Chains\\n" echo "Input Chains"
echo
chains=`grep '^Chain.*_[in|fwd]' /tmp/chains-$$ | cut -d' ' -f 2` chains=`grep '^Chain.*_[in|fwd]' /tmp/chains-$$ | cut -d' ' -f 2`
@ -176,10 +181,12 @@ display_chains()
if [ -n "`grep "^Chain \.*${zone}" /tmp/chains-$$`" ] ; then if [ -n "`grep "^Chain \.*${zone}" /tmp/chains-$$`" ] ; then
clear clear
echo -e "$banner `date`\\n" echo "$banner `date`"
echo
firstchain=Yes firstchain=Yes
eval display=\$${zone}_display eval display=\$${zone}_display
echo -e "$display Chains\\n" echo "$display Chains"
echo
for zone1 in $FW $zones; do for zone1 in $FW $zones; do
showchain ${zone}2$zone1 showchain ${zone}2$zone1
showchain @${zone}2$zone1 showchain @${zone}2$zone1
@ -193,9 +200,11 @@ display_chains()
done done
clear clear
echo -e "$banner `date`\\n" echo "$banner `date`"
echo
firstchain=Yes firstchain=Yes
echo -e "Policy Chains\\n" echo "Policy Chains"
echo
showchain common showchain common
showchain badpkt showchain badpkt
showchain icmpdef showchain icmpdef
@ -212,9 +221,11 @@ display_chains()
timed_read timed_read
clear clear
echo -e "$banner `date`\\n" echo "$banner `date`"
echo
firstchain=Yes firstchain=Yes
echo -e "Dynamic Chain\\n" echo "Dynamic Chain"
echo
showchain dynamic showchain dynamic
timed_read timed_read
@ -248,7 +259,8 @@ packet_log() # $1 = number of messages
[ -n "$realtail" ] && options="-n$1" [ -n "$realtail" ] && options="-n$1"
grep 'Shorewall:\|ipt_unclean' $LOGFILE | \ grep 'Shorewall:\|ipt_unclean' $LOGFILE | \
sed s/" $host kernel: Shorewall:"/" "/ | \ sed s/" kernel:"// | \
sed s/" $host Shorewall:"/" "/ | \
sed s/" $host kernel: ipt_unclean: "/" "/ | \ sed s/" $host kernel: ipt_unclean: "/" "/ | \
sed 's/MAC=.*SRC=/SRC=/' | \ sed 's/MAC=.*SRC=/SRC=/' | \
tail $options tail $options
@ -284,6 +296,34 @@ show_tc() {
} }
#
# Show classifier information
#
show_classifiers() {
show_one_classifier() {
local device=${1%@*}
qdisc=`tc qdisc list dev $device`
if [ -n "$qdisc" ]; then
echo Device $device:
tc -s filter ls dev $device
echo
fi
}
ip link list | \
while read inx interface details; do
case $inx in
[0-9]*)
show_one_classifier ${interface%:}
;;
*)
;;
esac
done
}
# #
# Monitor the Firewall # Monitor the Firewall
# #
@ -309,9 +349,11 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
display_chains display_chains
clear clear
echo -e "$banner `date`\\n" echo "$banner `date`"
echo
echo -e "Dropped/Rejected Packet Log\\n" echo "Dropped/Rejected Packet Log"
echo
show_reset show_reset
@ -319,11 +361,14 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
if [ "$rejects" != "$oldrejects" ]; then if [ "$rejects" != "$oldrejects" ]; then
oldrejects="$rejects" oldrejects="$rejects"
echo -e '\a'
$RING_BELL
packet_log 20 packet_log 20
if [ "$pause" = "Yes" ]; then if [ "$pause" = "Yes" ]; then
echo -en '\nEnter any character to continue: ' echo
echo $ECHO_N 'Enter any character to continue: '
read foo read foo
else else
timed_read timed_read
@ -335,28 +380,48 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
fi fi
clear clear
echo -e "$banner `date`\\n" echo "$banner `date`"
echo -e "NAT Status\\n" echo
echo "NAT Status"
echo
iptables -t nat -L -n -v iptables -t nat -L -n -v
timed_read timed_read
clear clear
echo -e "$banner `date`\\n" echo "$banner `date`"
echo -e "\\nTOS/MARK Status\\n" echo
echo
echo "TOS/MARK Status"
echo
iptables -t mangle -L -n -v iptables -t mangle -L -n -v
timed_read timed_read
clear clear
echo -e "$banner `date`\\n" echo "$banner `date`"
echo -e "\\nTracked Connections\\n" echo
echo
echo "Tracked Connections"
echo
cat /proc/net/ip_conntrack cat /proc/net/ip_conntrack
timed_read timed_read
clear clear
echo -e "$banner `date`\\n" echo "$banner `date`"
echo -e "\\nTraffic Shaping/Control\\n" echo
echo
echo "Traffic Shaping/Control"
echo
show_tc show_tc
timed_read timed_read
clear
echo "$banner `date`"
echo
echo
echo "Packet Classifiers"
echo
show_classifiers
timed_read
done done
} }
@ -383,9 +448,11 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
while true; do while true; do
clear clear
echo -e "$banner `date`\\n" echo "$banner `date`"
echo
echo -e "Dropped/Rejected Packet Log\\n" echo "Dropped/Rejected Packet Log"
echo
show_reset show_reset
@ -393,11 +460,14 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
if [ "$rejects" != "$oldrejects" ]; then if [ "$rejects" != "$oldrejects" ]; then
oldrejects="$rejects" oldrejects="$rejects"
echo -e '\a'
$RING_BELL
packet_log 40 packet_log 40
if [ "$pause" = "Yes" ]; then if [ "$pause" = "Yes" ]; then
echo -en '\nEnter any character to continue: ' echo
echo $ECHO_N 'Enter any character to continue: '
read foo read foo
else else
timed_read timed_read
@ -419,7 +489,7 @@ usage() # $1 = exit status
echo "where <command> is one of:" echo "where <command> is one of:"
echo " add <interface>[:<host>] <zone>" echo " add <interface>[:<host>] <zone>"
echo " delete <interface>[:<host>] <zone>" echo " delete <interface>[:<host>] <zone>"
echo " show [<chain>|connections|log|nat|tc|tos]" echo " show [<chain>|classifiers|connections|log|nat|tc|tos]"
echo " start" echo " start"
echo " stop" echo " stop"
echo " reset" echo " reset"
@ -445,7 +515,8 @@ usage() # $1 = exit status
# #
show_reset() { show_reset() {
[ -f $STATEDIR/restarted ] && \ [ -f $STATEDIR/restarted ] && \
echo -e "Counters reset `cat $STATEDIR/restarted`\\n" echo "Counters reset `cat $STATEDIR/restarted`" && \
echo
} }
# #
@ -537,6 +608,24 @@ banner="Shorewall-$version Status at $HOSTNAME -"
get_statedir get_statedir
case `echo -e` in
-e*)
RING_BELL="echo \'\a\'"
;;
*)
RING_BELL="echo -e \'\a\'"
;;
esac
case `echo -n "Testing"` in
-n*)
ECHO_N=
;;
*)
ECHO_N=-n
;;
esac
case "$1" in case "$1" in
start|stop|restart|reset|clear|refresh|check) start|stop|restart|reset|clear|refresh|check)
[ $# -ne 1 ] && usage 1 [ $# -ne 1 ] && usage 1
@ -550,32 +639,43 @@ case "$1" in
[ $# -gt 2 ] && usage 1 [ $# -gt 2 ] && usage 1
case "$2" in case "$2" in
connections) connections)
echo -e "Shorewall-$version Connections at $HOSTNAME - `date`\\n" echo "Shorewall-$version Connections at $HOSTNAME - `date`"
echo
cat /proc/net/ip_conntrack cat /proc/net/ip_conntrack
;; ;;
nat) nat)
echo -e "Shorewall-$version NAT at $HOSTNAME - `date`\\n" echo "Shorewall-$version NAT at $HOSTNAME - `date`"
echo
show_reset show_reset
iptables -t nat -L -n -v iptables -t nat -L -n -v
;; ;;
tos|mangle) tos|mangle)
echo -e "Shorewall-$version TOS at $HOSTNAME - `date`\\n" echo "Shorewall-$version TOS at $HOSTNAME - `date`"
echo
show_reset show_reset
iptables -t mangle -L -n -v iptables -t mangle -L -n -v
;; ;;
log) log)
get_config get_config
echo -e "Shorewall-$version Log at $HOSTNAME - `date`\\n" echo "Shorewall-$version Log at $HOSTNAME - `date`"
echo
show_reset show_reset
host=`echo $HOSTNAME | sed 's/\..*$//'` host=`echo $HOSTNAME | sed 's/\..*$//'`
packet_log 20 packet_log 20
;; ;;
tc) tc)
echo -e "Shorewall-$version Traffic Control at $HOSTNAME - `date`\\n" echo "Shorewall-$version Traffic Control at $HOSTNAME - `date`"
echo
show_tc show_tc
;; ;;
classifiers)
echo "Shorewall-$version Clasifiers at $HOSTNAME - `date`"
echo
show_classifiers
;;
*) *)
echo -e "Shorewall-$version Chain $2 at $HOSTNAME - `date`\\n" echo "Shorewall-$version Chain $2 at $HOSTNAME - `date`"
echo
show_reset show_reset
iptables -L $2 -n -v iptables -L $2 -n -v
;; ;;
@ -594,15 +694,20 @@ case "$1" in
[ $# -eq 1 ] || usage 1 [ $# -eq 1 ] || usage 1
get_config get_config
clear clear
echo -e "Shorewall-$version Status at $HOSTNAME - `date`\\n" echo "Shorewall-$version Status at $HOSTNAME - `date`"
echo
show_reset show_reset
host=`echo $HOSTNAME | sed 's/\..*$//'` host=`echo $HOSTNAME | sed 's/\..*$//'`
iptables -L -n -v iptables -L -n -v
echo echo
packet_log 20 packet_log 20
echo echo
echo "NAT Table"
echo
iptables -t nat -L -n -v iptables -t nat -L -n -v
echo echo
echo "Mangle Table"
echo
iptables -t mangle -L -n -v iptables -t mangle -L -n -v
echo echo
cat /proc/net/ip_conntrack cat /proc/net/ip_conntrack
@ -611,7 +716,9 @@ case "$1" in
[ $# -eq 1 ] || usage 1 [ $# -eq 1 ] || usage 1
get_config get_config
clear clear
echo -e "Shorewall-$version Hits at $HOSTNAME - `date`\\n" echo "Shorewall-$version Hits at $HOSTNAME - `date`"
echo
timeout=30 timeout=30
if [ `grep -c "Shorewall:" $LOGFILE ` -gt 0 ] ; then if [ `grep -c "Shorewall:" $LOGFILE ` -gt 0 ] ; then

19
Lrp/usr/lib/shorewall/functions
View File

@ -25,9 +25,22 @@ find_file()
# #
# Replace commas with spaces and echo the result # Replace commas with spaces and echo the result
# #
separate_list() separate_list() {
{ local list
echo $1 | sed 's/,/ /g' local part
local newlist
list="$@"
part="${list%%,*}"
newlist="$part"
while [ "x$part" != "x$list" ]; do
list="${list#*,}";
part="${list%%,*}";
newlist="$newlist $part";
done
echo "$newlist"
} }
# #

4
Lrp/var/lib/lrpkg/shorwall.conf
View File

@ -16,3 +16,7 @@
/etc/shorewall/tos TOS Type of Service policy /etc/shorewall/tos TOS Type of Service policy
/etc/shorewall/blacklist Blacklist Blacklisted hosts /etc/shorewall/blacklist Blacklist Blacklisted hosts
/etc/shorewall/rfc1918 RFC1918 Defines 'norfc1918' interface option /etc/shorewall/rfc1918 RFC1918 Defines 'norfc1918' interface option
/etc/shorewall/init Init Commands executed before [re]start
/etc/shorewall/start Start Commands executed after [re]start
/etc/shorewall/stop Stop Commands executed before stop
/etc/shorewall/stopped Stopped Commands executed after stop

2
Lrp/var/lib/lrpkg/shorwall.version
View File

@ -1 +1 @@
1.3.10 1.3.12

44
STABLE/changelog.txt
View File

@ -1,17 +1,43 @@
Changes since 1.3.10 Changes since 1.3.11
1. Added TCP flags checking. 1. Fixed DNAT/REDIRECT bug with excluded sub-zones.
2. Accomodate bash clones like dash and ash 2. "shorewall refresh" now refreshes the traffic shaping rules
3. Added some comments in the policy chain creation/population logic. 3. Turned off debugging after error.
4. Check for fw->fw rules. 4. Removed drop of INVALID state output ICMP packets.
5. Allow 'all' in rules. 5. Replaced 'sed' invocation in separate_list() by shell code (speedup).
6. Add reverse GRE rules for PPTP server and clients. 6. Replaced 'wc' invocation in list_count() by shell code (speedup)
7. Add warning to tcrules file. 7. Replaced 'sed' invocation in run_iptables() by shell code and
optomized (speedup)
8. Add warning to policy file that fw->fw policies aren't allowed. 8. Only read the interfaces file once (speedup)
9. Only read the policy file once (speedup)
10. Removed redundant function input_chains() (duplicate of first_chains())
11. Generated an error if 'lo' is defined in the interfaces file.
12. Clarified error message where ORIGINAL DEST is specified on an
ACCEPT, DROP or REJECT rule.
13. Added "shorewall show classifiers" command and added packet
classification filter display to "shorewall monitor"
14. Added an error message when the destination in a rule contained a
MAC address.
15. Added ULOG target support.
16. Add MARK_IN_FORWARD option.
17. General Cleanup for Release
18. Release changes and add init, start, stop and stopped files.
19. Add headings to NAT and Mangle tables in "shorewall status" output

4831
STABLE/documentation/Documentation.htm
View File

File diff suppressed because it is too large Load Diff

1724
STABLE/documentation/FAQ.htm
View File

File diff suppressed because it is too large Load Diff

152
STABLE/documentation/MAC_Validation.html
View File

@ -2,103 +2,109 @@
<html> <html>
<head> <head>
<title>MAC Verification</title> <title>MAC Verification</title>
<meta http-equiv="content-type" <meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1"> content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep"> <meta name="author" content="Tom Eastep">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4" style="border-collapse: collapse;" width="100%" id="AutoNumber4"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">MAC Verification</font><br> <h1 align="center"><font color="#ffffff">MAC Verification</font><br>
</h1> </h1>
<br> <br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br> <br>
Beginning with Shorewall version 1.3.10, all traffic from an interface Beginning with Shorewall version 1.3.10, all traffic from an interface
or from a subnet on an interface can be verified to originate from a defined or from a subnet on an interface can be verified to originate from a defined
set of MAC addresses. Furthermore, each MAC address may be optionally associated set of MAC addresses. Furthermore, each MAC address may be optionally associated
with one or more IP addresses. There are four components to this facility.<br> with one or more IP addresses. <br>
<br>
<b>You must have the iproute package (ip utility) installed to use MAC Verification.</b><br>
<br>
There are four components to this facility.<br>
<ol> <ol>
<li>The <b>maclist</b> interface option in <a <li>The <b>maclist</b> interface option in <a
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. When this href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. When
option is specified, all traffic arriving on the interface is subjet to MAC this option is specified, all traffic arriving on the interface is subjet
verification.</li> to MAC verification.</li>
<li>The <b>maclist </b>option in <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>. <li>The <b>maclist </b>option in <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>.
When this option is specified for a subnet, all traffic from that subnet When this option is specified for a subnet, all traffic from that subnet
is subject to MAC verification.</li> is subject to MAC verification.</li>
<li>The /etc/shorewall/maclist file. This file is used to associate <li>The /etc/shorewall/maclist file. This file is used to associate
MAC addresses with interfaces and to optionally associate IP addresses with MAC addresses with interfaces and to optionally associate IP addresses with
MAC addresses.</li> MAC addresses.</li>
<li>The <b>MACLIST_DISPOSITION </b>and <b>MACLIST_LOG_LEVEL </b>variables <li>The <b>MACLIST_DISPOSITION </b>and <b>MACLIST_LOG_LEVEL </b>variables
in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a> The in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a>
MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT and determines The MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT and
the disposition of connection requests that fail MAC verification. The MACLIST_LOG_LEVEL determines the disposition of connection requests that fail MAC verification.
variable gives the syslogd level at which connection requests that fail verification The MACLIST_LOG_LEVEL variable gives the syslogd level at which connection
are to be logged. If set the the empty value (e.g., MACLIST_LOG_LEVEL="") requests that fail verification are to be logged. If set the the empty value
then failing connection requests are not logged.<br> (e.g., MACLIST_LOG_LEVEL="") then failing connection requests are not logged.<br>
</li> </li>
</ol> </ol>
The columns in /etc/shorewall/maclist are:<br> The columns in /etc/shorewall/maclist are:<br>
<ul> <ul>
<li>INTERFACE - The name of an ethernet interface on the Shorewall system.</li> <li>INTERFACE - The name of an ethernet interface on the Shorewall
<li>MAC - The MAC address of a device on the ethernet segment connected system.</li>
by INTERFACE. It is not necessary to use the Shorewall MAC format in this <li>MAC - The MAC address of a device on the ethernet segment connected
column although you may use that format if you so choose.</li> by INTERFACE. It is not necessary to use the Shorewall MAC format in this
<li>IP Address - An optional comma-separated list of IP addresses for column although you may use that format if you so choose.</li>
<li>IP Address - An optional comma-separated list of IP addresses for
the device whose MAC is listed in the MAC column.</li> the device whose MAC is listed in the MAC column.</li>
</ul> </ul>
<h3>Example 1: Here are my files:</h3> <h3>Example 1: Here are my files:</h3>
<b>/etc/shorewall/shorewall.conf:<br> <b>/etc/shorewall/shorewall.conf:<br>
</b> </b>
<pre> MACLIST_DISPOSITION=REJECT<br> MACLIST_LOG_LEVEL=info<br></pre> <pre> MACLIST_DISPOSITION=REJECT<br> MACLIST_LOG_LEVEL=info<br></pre>
<b>/etc/shorewall/interfaces:</b><br> <b>/etc/shorewall/interfaces:</b><br>
<pre> #ZONE INTERFACE BROADCAST OPTIONS<br> net eth0 206.124.146.255 norfc1918,filterping,dhcp,blacklist<br> loc eth2 192.168.1.255 dhcp,filterping,maclist<br> dmz eth1 192.168.2.255 filterping<br> net eth3 206.124.146.255 filterping,blacklist<br> - texas 192.168.9.255 filterping<br> loc ppp+ - filterping<br></pre> <pre> #ZONE INTERFACE BROADCAST OPTIONS<br> net eth0 206.124.146.255 norfc1918,filterping,dhcp,blacklist<br> loc eth2 192.168.1.255 dhcp,filterping,maclist<br> dmz eth1 192.168.2.255 filterping<br> net eth3 206.124.146.255 filterping,blacklist<br> - texas 192.168.9.255 filterping<br> loc ppp+ - filterping<br></pre>
<b>/etc/shorewall/maclist:</b><br> <b>/etc/shorewall/maclist:</b><br>
<pre> #INTERFACE MAC IP ADDRESSES (Optional)<br> eth2 00:A0:CC:63:66:89 192.168.1.3 #Wookie<br> eth2 00:10:B5:EC:FD:0B 192.168.1.4 #Tarry<br> eth2 00:A0:CC:DB:31:C4 192.168.1.5 #Ursa<br> eth2 00:06:25:aa:a8:0f 192.168.1.7 #Eastept1 (Wireless)<br> eth2 00:04:5A:0E:85:B9 192.168.1.250 #Wap<br></pre> <pre> #INTERFACE MAC IP ADDRESSES (Optional)<br> eth2 00:A0:CC:63:66:89 192.168.1.3 #Wookie<br> eth2 00:10:B5:EC:FD:0B 192.168.1.4 #Tarry<br> eth2 00:A0:CC:DB:31:C4 192.168.1.5 #Ursa<br> eth2 00:06:25:aa:a8:0f 192.168.1.7 #Eastept1 (Wireless)<br> eth2 00:04:5A:0E:85:B9 192.168.1.250 #Wap<br></pre>
As shown above, I use MAC Verification on <a href="myfiles.htm">my local As shown above, I use MAC Verification on <a href="myfiles.htm">my local
zone</a>.<br> zone</a>.<br>
<h3>Example 2: Router in Local Zone</h3> <h3>Example 2: Router in Local Zone</h3>
Suppose now that I add a second ethernet segment to my local zone and Suppose now that I add a second ethernet segment to my local zone and
gateway that segment via a router with MAC address 00:06:43:45:C6:15 and gateway that segment via a router with MAC address 00:06:43:45:C6:15 and
IP address 192.168.1.253. Hosts in the second segment have IP addresses IP address 192.168.1.253. Hosts in the second segment have IP addresses in
in the subnet 192.168.2.0/24. I would add the following entry to my /etc/shorewall/maclist the subnet 192.168.2.0/24. I would add the following entry to my /etc/shorewall/maclist
file:<br> file:<br>
<pre> eth2 00:06:43:45:C6:15 192.168.1.253,192.168.2.0/24<br></pre> <pre> eth2 00:06:43:45:C6:15 192.168.1.253,192.168.2.0/24<br></pre>
This entry accomodates traffic from the router itself (192.168.1.253) This entry accomodates traffic from the router itself (192.168.1.253)
and from the second LAN segment (192.168.2.0/24). Remember that all traffic and from the second LAN segment (192.168.2.0/24). Remember that all traffic
being sent to my firewall from the 192.168.2.0/24 segment will be forwarded being sent to my firewall from the 192.168.2.0/24 segment will be forwarded
by the router so that traffic's MAC address will be that of the router (00:06:43:45:C6:15) by the router so that traffic's MAC address will be that of the router (00:06:43:45:C6:15)
and not that of the host sending the traffic. and not that of the host sending the traffic.
<p><font size="2"> Updated 10/23/2002 - <a href="support.htm">Tom Eastep</a> <p><font size="2"> Updated 12/22/2002 - <a href="support.htm">Tom Eastep</a>
</font></p> </font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
&copy; <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> &copy; <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br> <br>
<br> <br>
<br>
<br> <br>
<br> <br>
<br> <br>

2786
STABLE/documentation/News.htm
View File

File diff suppressed because it is too large Load Diff

92
STABLE/documentation/Shorewall_CA_html.html Normal file
View File

@ -0,0 +1,92 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Shorewall Certificate Authority</title>
<meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Certificate Authority
(CA) Certificate</font></h1>
</td>
</tr>
</tbody>
</table>
<br>
Given that I develop and support Shorewall without asking for any renumeration,
I can hardly justify paying $200US+ a year to a Certificate Authority such
as Thawte (A Division of VeriSign) for an X.509 certificate to prove that
I am who I am. I have therefore established my own Certificate Authority (CA)
and sign my own X.509 certificates. I use these certificates on my web server
(<a href="http://www.shorewall.net">http://www.shorewall.net</a>) as well
as on my mail server (mail.shorewall.net).<br>
<br>
X.509 certificates are the basis for the Secure Socket Layer (SSL). As part
of establishing an SSL session (URL https://...), your browser verifies the
X.509 certificate supplied by the HTTPS server against the set of Certificate
Authority Certificates that were shipped with your browser. It is expected
that the server's certificate was issued by one of the authorities whose identities
are known to your browser. <br>
<br>
This mechanism, while supposedly guaranteeing that when you connect to https://www.foo.bar
you are REALLY connecting to www.foo.bar, means that the CAs literally have
a license to print money -- they are selling a string of bits (an X.509 certificate)
for $200US+ per year!!!I <br>
<br>
I wish that I had decided to become a CA rather that designing and writing
Shorewall.<br>
<br>
What does this mean to you? It means that the X.509 certificate that my
server will present to your browser will not have been signed by one of the
authorities known to your browser. If you try to connect to my server using
SSL, your browser will frown and give you a dialog box asking if you want
to accept the sleezy X.509 certificate being presented by my server. <br>
<br>
There are two things that you can do:<br>
<ol>
<li>You can accept the www.shorewall.net certificate when your browser
asks -- your acceptence of the certificate can be temporary (for that access
only) or perminent.</li>
<li>You can download and install <a href="ca.crt">my (self-signed) CA
certificate.</a> This will make my Certificate Authority known to your browser
so that it will accept any certificate signed by me. <br>
</li>
</ol>
What are the risks?<br>
<ol>
<li>If you install my CA certificate then you assume that I am trustworthy
and that Shorewall running on your firewall won't redirect HTTPS requests
intented to go to your bank's server to one of my systems that will present
your browser with a bogus certificate claiming that my server is that of
your bank.</li>
<li>If you only accept my server's certificate when prompted then the
most that you have to loose is that when you connect to https://www.shorewall.net,
the server you are connecting to might not be mine.</li>
</ol>
I have my CA certificate loaded into all of my browsers but I certainly
won't be offended if you decline to load it into yours... :-)<br>
<p align="left"><font size="2">Last Updated 11/14/2002 - Tom Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> &copy; <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
</body>
</html>

153
STABLE/documentation/Shorewall_index_frame.htm
View File

@ -2,140 +2,141 @@
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Index</title> <title>Shorewall Index</title>
<base target="main"> <base target="main">
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#4b017c" height="90"> bgcolor="#4b017c" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%" height="90"> <td width="100%" height="90">
<h3 align="center"><font color="#ffffff">Shorewall</font></h3> <h3 align="center"><font color="#ffffff">Shorewall</font></h3>
</td> </td>
</tr> </tr>
<tr> <tr>
<td width="100%" bgcolor="#ffffff"> <td width="100%" bgcolor="#ffffff">
<ul> <ul>
<li> <a href="seattlefirewall_index.htm">Home</a></li> <li> <a href="seattlefirewall_index.htm">Home</a></li>
<li> <a href="shorewall_features.htm">Features</a></li> <li> <a href="shorewall_features.htm">Features</a></li>
<li> <a href="shorewall_prerequisites.htm">Requirements</a></li> <li> <a href="shorewall_prerequisites.htm">Requirements</a></li>
<li> <a href="download.htm">Download</a><br> <li> <a href="download.htm">Download</a><br>
</li>
<li> <a href="Install.htm">Installation/Upgrade/</a><br>
<a href="Install.htm">Configuration</a><br>
</li>
<li> <a href="shorewall_quickstart_guide.htm">QuickStart
Guides (HOWTOs)</a><br>
</li> </li>
<li> <a <li> <a href="Install.htm">Installation/Upgrade/</a><br>
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></li> <a href="Install.htm">Configuration</a><br>
<li> <a href="Documentation.htm">Reference Manual</a></li> </li>
<li> <a href="FAQ.htm">FAQs</a></li> <li> <a href="shorewall_quickstart_guide.htm">QuickStart
<li><a href="useful_links.html">Useful Links</a><br> Guides (HOWTOs)</a><br>
</li> </li>
<li> <a href="troubleshoot.htm">Troubleshooting</a></li> <li> <b><a
<li> <a href="errata.htm">Errata</a></li> href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li>
<li> <a href="upgrade_issues.htm">Upgrade Issues</a></li> <li> <a href="Documentation.htm">Reference Manual</a></li>
<li> <a href="support.htm">Support</a></li> <li> <a href="FAQ.htm">FAQs</a></li>
<li> <a href="mailing_list.htm">Mailing Lists</a></li> <li><a href="useful_links.html">Useful Links</a><br>
<li> <a href="shorewall_mirrors.htm">Mirrors</a> </li>
<li> <a href="troubleshoot.htm">Troubleshooting</a></li>
<li> <a href="errata.htm">Errata</a></li>
<li> <a href="upgrade_issues.htm">Upgrade Issues</a></li>
<li> <a href="support.htm">Support</a></li>
<li> <a href="mailing_list.htm">Mailing Lists</a></li>
<li> <a href="shorewall_mirrors.htm">Mirrors</a>
<ul> <ul>
<li><a target="_top" <li><a target="_top"
href="http://slovakia.shorewall.net">Slovak Republic</a></li> href="http://slovakia.shorewall.net">Slovak Republic</a></li>
<li><a target="_top" <li><a target="_top"
href="http://shorewall.infohiiway.com">Texas, USA</a></li> href="http://shorewall.infohiiway.com">Texas, USA</a></li>
<li><a target="_top" <li><a target="_top"
href="http://germany.shorewall.net">Germany</a></li> href="http://germany.shorewall.net">Germany</a></li>
<li><a target="_top" <li><a target="_top"
href="http://shorewall.correofuego.com.ar">Argentina</a></li> href="http://shorewall.correofuego.com.ar">Argentina</a></li>
<li><a target="_top" <li><a target="_top"
href="http://france.shorewall.net">France</a></li> href="http://france.shorewall.net">France</a></li>
<li><a href="http://www.shorewall.net" target="_top">Washington <li><a href="http://www.shorewall.net" target="_top">Washington
State, USA</a><br> State, USA</a><br>
</li> </li>
</ul> </ul>
</li> </li>
</ul> </ul>
<ul> <ul>
<li> <a href="News.htm">News Archive</a></li> <li> <a href="News.htm">News Archive</a></li>
<li> <a href="Shorewall_CVS_Access.html">CVS Repository</a></li> <li> <a href="Shorewall_CVS_Access.html">CVS Repository</a></li>
<li> <a href="quotes.htm">Quotes from Users</a></li> <li> <a href="quotes.htm">Quotes from Users</a></li>
<li> <a href="shoreline.htm">About the Author</a></li> <li> <a href="shoreline.htm">About the Author</a></li>
<li> <a <li> <a
href="seattlefirewall_index.htm#Donations">Donations</a></li> href="seattlefirewall_index.htm#Donations">Donations</a></li>
</ul> </ul>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<form method="post" action="http://www.shorewall.net/cgi-bin/htsearch"> <form method="post" action="http://www.shorewall.net/cgi-bin/htsearch">
<strong><br> <strong><br>
<b>Note: </b></strong>Search is unavailable Daily 0200-0330 <b>Note: </b></strong>Search is unavailable Daily 0200-0330
GMT.<br> GMT.<br>
<strong></strong> <strong></strong>
<p><strong>Quick Search</strong><br> <p><strong>Quick Search</strong><br>
<font face="Arial" size="-1"> <input <font face="Arial" size="-1"> <input
type="text" name="words" size="15"></font><font size="-1"> </font> <font type="text" name="words" size="15"></font><font size="-1"> </font> <font
face="Arial" size="-1"> <input type="hidden" name="format" face="Arial" size="-1"> <input type="hidden" name="format"
value="long"> <input type="hidden" name="method" value="and"> <input value="long"> <input type="hidden" name="method" value="and"> <input
type="hidden" name="config" value="htdig"> <input type="submit" type="hidden" name="config" value="htdig"> <input type="submit"
value="Search"></font> </p> value="Search"></font> </p>
<font face="Arial"> <input type="hidden" <font face="Arial"> <input type="hidden"
name="exclude" value="[http://www.shorewall.net/pipermail/*]"> </font> name="exclude" value="[http://www.shorewall.net/pipermail/*]"> </font>
</form> </form>
<p><b><a href="http://www.shorewall.net/htdig/search.html">Extended Search</a></b></p> <p><b><a href="http://www.shorewall.net/htdig/search.html">Extended Search</a></b></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002 Thomas M. Eastep.</font></a></p> size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
<p><a href="http://www.shorewall.net" target="_top"> <img border="1" <p><a href="http://www.shorewall.net" target="_top"> <img border="1"
src="images/shorewall.jpg" width="119" height="38" hspace="0"> src="images/shorewall.jpg" width="119" height="38" hspace="0">
</a><br> </a><br>
<br> <br>
</p> </p>
<br>
<br> <br>
<br> <br>
<br> <br>

145
STABLE/documentation/Shorewall_sfindex_frame.htm Normal file
View File

@ -0,0 +1,145 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Index</title>
<base target="main">
<meta name="Microsoft Theme" content="none">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#4b017c" height="90">
<tbody>
<tr>
<td width="100%" height="90">
<h3 align="center"><font color="#ffffff">Shorewall</font></h3>
</td>
</tr>
<tr>
<td width="100%" bgcolor="#ffffff">
<ul>
<li> <a href="seattlefirewall_index.htm">Home</a></li>
<li> <a
href="shorewall_features.htm">Features</a></li>
<li> <a href="shorewall_prerequisites.htm">Requirements</a></li>
<li> <a href="download.htm">Download</a><br>
</li>
<li> <a href="Install.htm">Installation/Upgrade/</a><br>
<a href="Install.htm">Configuration</a><br>
</li>
<li> <a href="shorewall_quickstart_guide.htm">QuickStart
Guides (HOWTOs)</a><br>
</li>
<li> <b><a
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li>
<li> <a href="Documentation.htm">Reference Manual</a></li>
<li> <a href="FAQ.htm">FAQs</a></li>
<li><a href="useful_links.html">Useful Links</a><br>
</li>
<li> <a href="troubleshoot.htm">Troubleshooting</a></li>
<li> <a href="errata.htm">Errata</a></li>
<li> <a href="upgrade_issues.htm">Upgrade Issues</a></li>
<li> <a href="support.htm">Support</a></li>
<li> <a href="mailing_list.htm">Mailing Lists</a></li>
<li> <a href="shorewall_mirrors.htm">Mirrors</a>
<ul>
<li><a target="_top"
href="http://slovakia.shorewall.net">Slovak Republic</a></li>
<li><a target="_top"
href="http://shorewall.infohiiway.com">Texas, USA</a></li>
<li><a target="_top"
href="http://germany.shorewall.net">Germany</a></li>
<li><a target="_top"
href="http://shorewall.correofuego.com.ar">Argentina</a></li>
<li><a target="_top"
href="http://france.shorewall.net">France</a></li>
<li><a href="http://www.shorewall.net" target="_top">Washington
State, USA</a><br>
</li>
</ul>
</li>
</ul>
<ul>
<li> <a href="News.htm">News Archive</a></li>
<li> <a href="Shorewall_CVS_Access.html">CVS
Repository</a></li>
<li> <a href="quotes.htm">Quotes from Users</a></li>
<li> <a href="shoreline.htm">About the Author</a></li>
<li> <a
href="sourceforge_index.htm#Donations">Donations</a></li>
</ul>
</td>
</tr>
</tbody>
</table>
<form method="post" action="http://www.shorewall.net/cgi-bin/htsearch">
<strong><br>
<b>Note: </b></strong>Search is unavailable Daily 0200-0330
GMT.<br>
<strong></strong>
<p><strong>Quick Search</strong><br>
<font face="Arial" size="-1"> <input
type="text" name="words" size="15"></font><font size="-1"> </font> <font
face="Arial" size="-1"> <input type="hidden" name="format"
value="long"> <input type="hidden" name="method" value="and"> <input
type="hidden" name="config" value="htdig"> <input type="submit"
value="Search"></font> </p>
<font face="Arial"> <input type="hidden"
name="exclude" value="[http://www.shorewall.net/pipermail/*]"> </font>
</form>
<p><b><a href="http://www.shorewall.net/htdig/search.html">Extended Search</a></b></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
<p><a href="http://www.shorewall.net" target="_top"> </a><br>
</p>
<br>
<br>
<br>
<br>
<br>
</body>
</html>

171
STABLE/documentation/VPN.htm
View File

@ -1,81 +1,104 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta http-equiv="Content-Language" content="en-us">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<title>VPN</title>
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>VPN</title>
</head> </head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0"
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90"> style="border-collapse: collapse;" bordercolor="#111111" width="100%"
<tr> id="AutoNumber1" bgcolor="#400169" height="90">
<td width="100%"> <tbody>
<h1 align="center"><font color="#FFFFFF">VPN</font></h1> <tr>
</td> <td width="100%">
</tr> <h1 align="center"><font color="#ffffff">VPN</font></h1>
</td>
</tr>
</tbody>
</table> </table>
<p>It is often the case that a system behind the firewall needs to be able to
access a remote network through Virtual Private Networking (VPN). The two most <p>It is often the case that a system behind the firewall needs to be able
common means for doing this are IPSEC and PPTP. The basic setup is shown in the to access a remote network through Virtual Private Networking (VPN). The
following diagram:</p> two most common means for doing this are IPSEC and PPTP. The basic setup
<p align="center"><img border="0" src="images/VPN.png" width="568" height="796"></p> is shown in the following diagram:</p>
<p align="left">A system with an RFC 1918 address needs to access a remote
network through a remote gateway. For this example, we will assume that the <p align="center"><img border="0" src="images/VPN.png" width="568"
local system has IP address 192.168.1.12 and that the remote gateway has IP height="796">
address 192.0.2.224.</p> </p>
<p align="left">If PPTP is being used, there are no firewall requirements beyond
the default loc-&gt;net ACCEPT policy. There is one restriction however: Only one <p align="left">A system with an RFC 1918 address needs to access a remote
local system at a time can be connected to a single remote gateway unless you network through a remote gateway. For this example, we will assume that
patch your kernel from the 'Patch-o-matic' patches available at the local system has IP address 192.168.1.12 and that the remote gateway
<a href="http://www.netfilter.org">http://www.netfilter.org</a>. </p> has IP address 192.0.2.224.</p>
<p align="left">If IPSEC is being used then there are firewall configuration
requirements as follows:</p> <p align="left">If PPTP is being used, there are no firewall requirements
<blockquote> beyond the default loc-&gt;net ACCEPT policy. There is one restriction however:
<table border="1" cellpadding="2" style="border-collapse: collapse" bordercolor="#111111" id="AutoNumber2" height="98"> Only one local system at a time can be connected to a single remote gateway
<tr> unless you patch your kernel from the 'Patch-o-matic' patches available
<td height="38"><u><b>ACTION</b></u></td> at <a href="http://www.netfilter.org">http://www.netfilter.org</a>. </p>
<td height="38"><u><b>SOURCE</b></u></td>
<td height="38"><u><b>DESTINATION</b></u></td> <p align="left">If IPSEC is being used then only one system may connect to
<td height="38"><u><b>PROTOCOL</b></u></td> the remote gateway and there are firewall configuration requirements as
<td height="38"><u><b>PORT</b></u></td> follows:</p>
<td height="38"><u><b>CLIENT<br>
PORT</b></u></td> <blockquote>
<td height="38"><u><b>ORIGINAL<br> <table border="1" cellpadding="2" style="border-collapse: collapse;"
DEST</b></u></td> bordercolor="#111111" id="AutoNumber2" height="98">
</tr> <tbody>
<tr> <tr>
<td height="19">DNAT</td> <td height="38"><u><b>ACTION</b></u></td>
<td height="19">net:192.0.2.224</td> <td height="38"><u><b>SOURCE</b></u></td>
<td height="19">loc:192.168.1.12</td> <td height="38"><u><b>DESTINATION</b></u></td>
<td height="19">50</td> <td height="38"><u><b>PROTOCOL</b></u></td>
<td height="19">&nbsp;</td> <td height="38"><u><b>PORT</b></u></td>
<td height="19">&nbsp;</td> <td height="38"><u><b>CLIENT<br>
<td height="19">&nbsp;</td> PORT</b></u></td>
</tr> <td height="38"><u><b>ORIGINAL<br>
<tr> DEST</b></u></td>
<td height="19">DNAT</td> </tr>
<td height="19">net:192.0.2.224</td> <tr>
<td height="19">loc:192.168.1.12</td> <td height="19">DNAT</td>
<td height="19">udp</td> <td height="19">net:192.0.2.224</td>
<td height="19">500</td> <td height="19">loc:192.168.1.12</td>
<td height="19">&nbsp;</td> <td height="19">50</td>
<td height="19">&nbsp;</td> <td height="19"> </td>
</tr> <td height="19"> </td>
<td height="19"> </td>
</tr>
<tr>
<td height="19">DNAT</td>
<td height="19">net:192.0.2.224</td>
<td height="19">loc:192.168.1.12</td>
<td height="19">udp</td>
<td height="19">500</td>
<td height="19"> </td>
<td height="19"> </td>
</tr>
</tbody>
</table> </table>
</blockquote> </blockquote>
<p>If you want to be able to give access to all of your local systems to the
remote network, you should consider running a VPN client on your firewall. As <p>If you want to be able to give access to all of your local systems to
starting points, see the remote network, you should consider running a VPN client on your firewall.
<a href="http://www.shorewall.net/Documentation.htm#Tunnels"> As starting points, see <a
http://www.shorewall.net/Documentation.htm#Tunnels</a> or href="http://www.shorewall.net/Documentation.htm#Tunnels"> http://www.shorewall.net/Documentation.htm#Tunnels</a>
<a href="http://www.shorewall.net/PPTP.htm">http://www.shorewall.net/PPTP.htm</a>.</p> or <a href="http://www.shorewall.net/PPTP.htm">http://www.shorewall.net/PPTP.htm</a>.</p>
<p><font size="2">Last modified 8/27/2002 - <a href="support.htm">Tom
Eastep</a></font><p><font face="Trebuchet MS"><a href="copyright.htm"> <p><font size="2">Last modified 12/21/2002 - <a href="support.htm">Tom Eastep</a></font></p>
<font size="2">Copyright</font> © <font size="2">2002 Thomas M. Eastep.</font></a></font><p>&nbsp;</p> <p><font face="Trebuchet MS"><a href="copyright.htm"> <font size="2">Copyright</font>
© <font size="2">2002 Thomas M. Eastep.</font></a></font></p>
<p> </p>
<br>
</body> </body>
</html> </html>

613
STABLE/documentation/configuration_file_basics.htm
View File

@ -1,320 +1,435 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Configuration File Basics</title> <title>Configuration File Basics</title>
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Configuration Files</font></h1> <h1 align="center"><font color="#ffffff">Configuration Files</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p><b><font color="#ff0000">Warning: </font>If you copy or edit your <p><b><font color="#ff0000">Warning: </font>If you copy or edit your
configuration files on a system running Microsoft Windows, you <u>must</u> configuration files on a system running Microsoft Windows, you <u>must</u>
run them through <a run them through <a
href="http://www.megaloman.com/%7Ehany/software/hd2u/"> dos2unix</a> href="http://www.megaloman.com/%7Ehany/software/hd2u/"> dos2unix</a>
before you use them with Shorewall.</b></p> before you use them with Shorewall.</b></p>
<h2>Files</h2> <h2>Files</h2>
<p>Shorewall's configuration files are in the directory /etc/shorewall.</p> <p>Shorewall's configuration files are in the directory /etc/shorewall.</p>
<ul> <ul>
<li>/etc/shorewall/shorewall.conf - used to set several firewall <li>/etc/shorewall/shorewall.conf - used to set several
parameters.</li> firewall parameters.</li>
<li>/etc/shorewall/params - use this file to set shell variables <li>/etc/shorewall/params - use this file to set shell
that you will expand in other files.</li> variables that you will expand in other files.</li>
<li>/etc/shorewall/zones - partition the firewall's view of <li>/etc/shorewall/zones - partition the firewall's
the world into <i>zones.</i></li> view of the world into <i>zones.</i></li>
<li>/etc/shorewall/policy - establishes firewall high-level <li>/etc/shorewall/policy - establishes firewall high-level
policy.</li> policy.</li>
<li>/etc/shorewall/interfaces - describes the interfaces on <li>/etc/shorewall/interfaces - describes the interfaces
the firewall system.</li> on the firewall system.</li>
<li>/etc/shorewall/hosts - allows defining zones in terms of <li>/etc/shorewall/hosts - allows defining zones in
individual hosts and subnetworks.</li> terms of individual hosts and subnetworks.</li>
<li>/etc/shorewall/masq - directs the firewall where to use <li>/etc/shorewall/masq - directs the firewall where
many-to-one (dynamic) Network Address Translation (a.k.a. Masquerading) to use many-to-one (dynamic) Network Address Translation (a.k.a.
and Source Network Address Translation (SNAT).</li> Masquerading) and Source Network Address Translation (SNAT).</li>
<li>/etc/shorewall/modules - directs the firewall to load kernel <li>/etc/shorewall/modules - directs the firewall to
modules.</li> load kernel modules.</li>
<li>/etc/shorewall/rules - defines rules that are exceptions <li>/etc/shorewall/rules - defines rules that are exceptions
to the overall policies established in /etc/shorewall/policy.</li> to the overall policies established in /etc/shorewall/policy.</li>
<li>/etc/shorewall/nat - defines static NAT rules.</li> <li>/etc/shorewall/nat - defines static NAT rules.</li>
<li>/etc/shorewall/proxyarp - defines use of Proxy ARP.</li> <li>/etc/shorewall/proxyarp - defines use of Proxy
<li>/etc/shorewall/routestopped (Shorewall 1.3.4 and later) ARP.</li>
- defines hosts accessible when Shorewall is stopped.</li> <li>/etc/shorewall/routestopped (Shorewall 1.3.4 and
<li>/etc/shorewall/tcrules - defines marking of packets for later) - defines hosts accessible when Shorewall is stopped.</li>
later use by traffic control/shaping or policy routing.</li> <li>/etc/shorewall/tcrules - defines marking of packets
<li>/etc/shorewall/tos - defines rules for setting the TOS for later use by traffic control/shaping or policy routing.</li>
field in packet headers.</li> <li>/etc/shorewall/tos - defines rules for setting
<li>/etc/shorewall/tunnels - defines IPSEC, GRE and IPIP tunnels the TOS field in packet headers.</li>
with end-points on the firewall system.</li> <li>/etc/shorewall/tunnels - defines IPSEC, GRE and
<li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC IPIP tunnels with end-points on the firewall system.</li>
addresses.</li> <li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC
addresses.</li>
<li>/etc/shorewall/init - commands that you wish to execute at the beginning
of a "shorewall start" or "shorewall restart".</li>
<li>/etc/shorewall/start - commands that you wish to execute at the completion
of a "shorewall start" or "shorewall restart"</li>
<li>/etc/shorewall/stop - commands that you wish to execute at the beginning
of a "shorewall stop".</li>
<li>/etc/shorewall/stopped - commands that you wish to execute at the
completion of a "shorewall stop".<br>
</li>
</ul> </ul>
<h2>Comments</h2> <h2>Comments</h2>
<p>You may place comments in configuration files by making the first non-whitespace <p>You may place comments in configuration files by making the first non-whitespace
character a pound sign ("#"). You may also place comments at the character a pound sign ("#"). You may also place comments at
end of any line, again by delimiting the comment from the rest of the end of any line, again by delimiting the comment from the rest
the line with a pound sign.</p> of the line with a pound sign.</p>
<p>Examples:</p> <p>Examples:</p>
<pre># This is a comment</pre> <pre># This is a comment</pre>
<pre>ACCEPT net fw tcp www #This is an end-of-line comment</pre>
<h2>Line Continuation</h2>
<p>You may continue lines in the configuration files using the usual backslash
("\") followed immediately by a new line character.</p>
<p>Example:</p>
<pre>ACCEPT net fw tcp \<br>smtp,www,pop3,imap #Services running on the firewall</pre>
<h2><a name="dnsnames"></a>Using DNS Names</h2>
<p align="left"> </p>
<p align="left"><b>WARNING: I personally recommend strongly <u>against</u>
using DNS names in Shorewall configuration files. If you use DNS names
and you are called out of bed at 2:00AM because Shorewall won't start as
a result of DNS problems then don't say that you were not forewarned. <br>
</b></p>
<p align="left"><b>    -Tom<br>
</b></p>
<p align="left">Beginning with Shorwall 1.3.9, Host addresses in Shorewall
configuration files may be specified either as IP addresses or as DNS Names.<br>
<br>
DNS names in iptables rules aren't nearly as useful as they first appear.
When a DNS name appears in a rule, the iptables utility resolves the name
to one or more IP addresses and inserts those addresses into the rule.
So change in the DNS-&gt;IP address relationship that occur after the firewall
has started have absolutely no effect on the firewall's ruleset. </p>
<p align="left"> If your firewall rules include DNS names then:</p>
<ul>
<li>If your /etc/resolv.conf is wrong then your firewall won't
start.</li>
<li>If your /etc/nsswitch.conf is wrong then your firewall won't
start.</li>
<li>If your Name Server(s) is(are) down then your firewall won't
start.</li>
<li>If your startup scripts try to start your firewall before starting
your DNS server then your firewall won't start.<br>
</li>
<li>Factors totally outside your control (your ISP's router is
down for example), can prevent your firewall from starting.</li>
<li>You must bring up your network interfaces prior to starting your
firewall.<br>
</li>
</ul>
<p align="left"> Each DNS name much be fully qualified and include a minumum
of two periods (although one may be trailing). This restriction is imposed
by Shorewall to insure backward compatibility with existing configuration
files.<br>
<br>
Examples of valid DNS names:<br>
</p>
<ul>
<li>mail.shorewall.net</li>
<li>shorewall.net.</li>
</ul>
Examples of invalid DNS names:<br>
<ul>
<li>mail (not fully qualified)</li>
<li>shorewall.net (only one period)</li>
</ul>
DNS names may not be used as:<br>
<ul>
<li>The server address in a DNAT rule (/etc/shorewall/rules file)</li>
<li>In the ADDRESS column of an entry in /etc/shorewall/masq.</li>
<li>In the /etc/shorewall/nat file.</li>
</ul>
These are iptables restrictions and are not simply imposed for your
inconvenience by Shorewall. <br>
<br>
<h2>Complementing an Address or Subnet</h2>
<pre>ACCEPT net fw tcp www #This is an end-of-line comment</pre>
<h2>Line Continuation</h2>
<p>You may continue lines in the configuration files using the usual backslash
("\") followed immediately by a new line character.</p>
<p>Example:</p>
<pre>ACCEPT net fw tcp \<br>smtp,www,pop3,imap #Services running on the firewall</pre>
<h2><a name="dnsnames"></a>Using DNS Names</h2>
<p align="left"> </p>
<p align="left"><b>WARNING: I personally recommend strongly <u>against</u>
using DNS names in Shorewall configuration files. If you use DNS names
and you are called out of bed at 2:00AM because Shorewall won't start
as a result of DNS problems then don't say that you were not forewarned.
<br>
</b></p>
<p align="left"><b>    -Tom<br>
</b></p>
<p align="left">Beginning with Shorwall 1.3.9, Host addresses in Shorewall
configuration files may be specified as either IP addresses or DNS
Names.<br>
<br>
DNS names in iptables rules aren't nearly as useful as they
first appear. When a DNS name appears in a rule, the iptables utility
resolves the name to one or more IP addresses and inserts those addresses
into the rule. So changes in the DNS-&gt;IP address relationship that
occur after the firewall has started have absolutely no effect on the
firewall's ruleset. </p>
<p align="left"> If your firewall rules include DNS names then:</p>
<ul>
<li>If your /etc/resolv.conf is wrong then your firewall won't
start.</li>
<li>If your /etc/nsswitch.conf is wrong then your firewall
won't start.</li>
<li>If your Name Server(s) is(are) down then your firewall
won't start.</li>
<li>If your startup scripts try to start your firewall before
starting your DNS server then your firewall won't start.<br>
</li>
<li>Factors totally outside your control (your ISP's router
is down for example), can prevent your firewall from starting.</li>
<li>You must bring up your network interfaces prior to starting
your firewall.<br>
</li>
</ul>
<p align="left"> Each DNS name much be fully qualified and include a minumum
of two periods (although one may be trailing). This restriction is imposed
by Shorewall to insure backward compatibility with existing configuration
files.<br>
<br>
Examples of valid DNS names:<br>
</p>
<ul>
<li>mail.shorewall.net</li>
<li>shorewall.net. (note the trailing period).</li>
</ul>
Examples of invalid DNS names:<br>
<ul>
<li>mail (not fully qualified)</li>
<li>shorewall.net (only one period)</li>
</ul>
DNS names may not be used as:<br>
<ul>
<li>The server address in a DNAT rule (/etc/shorewall/rules
file)</li>
<li>In the ADDRESS column of an entry in /etc/shorewall/masq.</li>
<li>In the /etc/shorewall/nat file.</li>
</ul>
These restrictions are not imposed by Shorewall simply for
your inconvenience but are rather limitations of iptables.<br>
<h2>Complementing an Address or Subnet</h2>
<p>Where specifying an IP address, a subnet or an interface, you can <p>Where specifying an IP address, a subnet or an interface, you can
precede the item with "!" to specify the complement of the item. For precede the item with "!" to specify the complement of the item. For
example, !192.168.1.4 means "any host but 192.168.1.4". There must be example, !192.168.1.4 means "any host but 192.168.1.4". There must be
no white space following the "!".</p> no white space following the "!".</p>
<h2>Comma-separated Lists</h2> <h2>Comma-separated Lists</h2>
<p>Comma-separated lists are allowed in a number of contexts within the <p>Comma-separated lists are allowed in a number of contexts within the
configuration files. A comma separated list:</p> configuration files. A comma separated list:</p>
<ul> <ul>
<li>Must not have any embedded white space.<br> <li>Must not have any embedded white space.<br>
Valid: routestopped,dhcp,norfc1918<br> Valid: routestopped,dhcp,norfc1918<br>
Invalid: routestopped,     dhcp,     norfc1818</li> Invalid: routestopped,     dhcp,     norfc1818</li>
<li>If you use line continuation to break a comma-separated <li>If you use line continuation to break a comma-separated
list, the continuation line(s) must begin in column 1 (or there list, the continuation line(s) must begin in column 1 (or there
would be embedded white space)</li> would be embedded white space)</li>
<li>Entries in a comma-separated list may appear in any order.</li> <li>Entries in a comma-separated list may appear in
any order.</li>
</ul> </ul>
<h2>Port Numbers/Service Names</h2> <h2>Port Numbers/Service Names</h2>
<p>Unless otherwise specified, when giving a port number you can use <p>Unless otherwise specified, when giving a port number you can use
either an integer or a service name from /etc/services. </p> either an integer or a service name from /etc/services. </p>
<h2>Port Ranges</h2> <h2>Port Ranges</h2>
<p>If you need to specify a range of ports, the proper syntax is &lt;<i>low <p>If you need to specify a range of ports, the proper syntax is &lt;<i>low
port number</i>&gt;:&lt;<i>high port number</i>&gt;. For example, port number</i>&gt;:&lt;<i>high port number</i>&gt;. For example,
if you want to forward the range of tcp ports 4000 through 4100 to local if you want to forward the range of tcp ports 4000 through 4100 to local
host 192.168.1.3, the entry in /etc/shorewall/rules is:<br> host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
</p> </p>
<pre> DNAT net loc:192.168.1.3 tcp 4000:4100<br></pre> <pre> DNAT net loc:192.168.1.3 tcp 4000:4100<br></pre>
<h2>Using Shell Variables</h2> <h2>Using Shell Variables</h2>
<p>You may use the /etc/shorewall/params file to set shell variables <p>You may use the /etc/shorewall/params file to set shell variables
that you can then use in some of the other configuration files.</p> that you can then use in some of the other configuration files.</p>
<p>It is suggested that variable names begin with an upper case letter<font <p>It is suggested that variable names begin with an upper case letter<font
size="1"> </font>to distinguish them from variables used internally size="1"> </font>to distinguish them from variables used internally
within the Shorewall programs</p> within the Shorewall programs</p>
<p>Example:</p> <p>Example:</p>
<blockquote> <blockquote>
<pre>NET_IF=eth0<br>NET_BCAST=130.252.100.255<br>NET_OPTIONS=noping,norfc1918</pre> <pre>NET_IF=eth0<br>NET_BCAST=130.252.100.255<br>NET_OPTIONS=noping,norfc1918</pre>
</blockquote> </blockquote>
<p><br> <p><br>
Example (/etc/shorewall/interfaces record):</p> Example (/etc/shorewall/interfaces record):</p>
<font <font
face="Century Gothic, Arial, Helvetica"> face="Century Gothic, Arial, Helvetica">
<blockquote>
<blockquote>
<pre><font face="Courier">net $NET_IF $NET_BCAST $NET_OPTIONS</font></pre> <pre><font face="Courier">net $NET_IF $NET_BCAST $NET_OPTIONS</font></pre>
</blockquote> </blockquote>
</font> </font>
<p>The result will be the same as if the record had been written</p> <p>The result will be the same as if the record had been written</p>
<font <font
face="Century Gothic, Arial, Helvetica"> face="Century Gothic, Arial, Helvetica">
<blockquote>
<blockquote>
<pre>net eth0 130.252.100.255 noping,norfc1918</pre> <pre>net eth0 130.252.100.255 noping,norfc1918</pre>
</blockquote> </blockquote>
</font> </font>
<p>Variables may be used anywhere in the other configuration <p>Variables may be used anywhere in the other configuration
files.</p> files.</p>
<h2>Using MAC Addresses</h2> <h2>Using MAC Addresses</h2>
<p>Media Access Control (MAC) addresses can be used to specify packet <p>Media Access Control (MAC) addresses can be used to specify packet
source in several of the configuration files. To use this feature, source in several of the configuration files. To use this feature,
your kernel must have MAC Address Match support (CONFIG_IP_NF_MATCH_MAC) your kernel must have MAC Address Match support (CONFIG_IP_NF_MATCH_MAC)
included.</p> included.</p>
<p>MAC addresses are 48 bits wide and each Ethernet Controller has a <p>MAC addresses are 48 bits wide and each Ethernet Controller has a
unique MAC address.<br> unique MAC address.<br>
<br> <br>
In GNU/Linux, MAC addresses are usually written as a series of In GNU/Linux, MAC addresses are usually written as a
6 hex numbers separated by colons. Example:<br> series of 6 hex numbers separated by colons. Example:<br>
<br> <br>
     [root@gateway root]# ifconfig eth0<br>      [root@gateway root]# ifconfig eth0<br>
     eth0 Link encap:Ethernet HWaddr <b><u>02:00:08:E3:FA:55</u></b><br>      eth0 Link encap:Ethernet HWaddr <b><u>02:00:08:E3:FA:55</u></b><br>
     inet addr:206.124.146.176 Bcast:206.124.146.255 Mask:255.255.255.0<br>      inet addr:206.124.146.176 Bcast:206.124.146.255
     UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br> Mask:255.255.255.0<br>
     RX packets:2398102 errors:0 dropped:0 overruns:0 frame:0<br>      UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br>
     TX packets:3044698 errors:0 dropped:0 overruns:0 carrier:0<br>      RX packets:2398102 errors:0 dropped:0 overruns:0
     collisions:30394 txqueuelen:100<br> frame:0<br>
     RX bytes:419871805 (400.4 Mb) TX bytes:1659782221 (1582.8      TX packets:3044698 errors:0 dropped:0 overruns:0
Mb)<br> carrier:0<br>
     Interrupt:11 Base address:0x1800<br>      collisions:30394 txqueuelen:100<br>
<br>      RX bytes:419871805 (400.4 Mb) TX bytes:1659782221
Because Shorewall uses colons as a separator for address fields, (1582.8 Mb)<br>
Shorewall requires MAC addresses to be written in another way. In      Interrupt:11 Base address:0x1800<br>
Shorewall, MAC addresses begin with a tilde ("~") and consist of <br>
6 hex numbers separated by hyphens. In Shorewall, the MAC address Because Shorewall uses colons as a separator for address
in the example above would be written "~02-00-08-E3-FA-55".<br> fields, Shorewall requires MAC addresses to be written in another
</p> way. In Shorewall, MAC addresses begin with a tilde ("~") and
consist of 6 hex numbers separated by hyphens. In Shorewall, the
MAC address in the example above would be written "~02-00-08-E3-FA-55".<br>
</p>
<p><b>Note: </b>It is not necessary to use the special Shorewall notation <p><b>Note: </b>It is not necessary to use the special Shorewall notation
in the <a href="MAC_Validation.html">/etc/shorewall/maclist</a> file.<br> in the <a href="MAC_Validation.html">/etc/shorewall/maclist</a> file.<br>
</p> </p>
<h2><a name="Configs"></a>Shorewall Configurations</h2> <h2><a name="Levels"></a>Logging</h2>
By default, Shorewall directs NetFilter to log using syslog (8). Syslog
<p> Shorewall allows you to have configuration directories other than /etc/shorewall. classifies log messages by a <i>facility</i> and a <i>priority</i> (using
The <a href="starting_and_stopping_shorewall.htm">shorewall start and restart</a> the notation <i>facility.priority</i>). <br>
commands allow you to specify an alternate configuration directory <br>
and Shorewall will use the files in the alternate directory rather than The facilities defined by syslog are <i>auth, authpriv, cron, daemon,
the corresponding files in /etc/shorewall. The alternate directory need kern, lpr, mail, mark, news, syslog, user, uucp</i> and <i>local0</i> through
not contain a complete configuration; those files not in the alternate directory <i>local7</i>.<br>
will be read from /etc/shorewall.</p> <br>
Throughout the Shorewall documentation, I will use the term <i>level</i>
<p> This facility permits you to easily create a test or temporary configuration rather than <i>priority</i> since <i>level</i> is the term used by NetFilter.
by:</p> The syslog documentation uses the term <i>priority</i>.<br>
<h3>Syslog Levels<br>
</h3>
Syslog levels are a method of describing to syslog (8) the importance
of a message and a number of Shorewall parameters have a syslog level
as their value.<br>
<br>
Valid levels are:<br>
<br>
       7       debug<br>
       6       info<br>
       5       notice<br>
       4       warning<br>
       3       err<br>
       2       crit<br>
       1       alert<br>
       0       emerg<br>
<br>
For most Shorewall logging, a level of 6 (info) is appropriate. Shorewall
log messages are generated by NetFilter and are logged using the <i>kern</i>
facility and the level that you specify. If you are unsure of the level
to choose, 6 (info) is a safe bet. You may specify levels by name or by
number.<br>
<br>
Syslogd writes log messages to files (typically in /var/log/*) based
on their facility and level. The mapping of these facility/level pairs to
log files is done in /etc/syslog.conf (5). If you make changes to this file,
you must restart syslogd before the changes can take effect.<br>
<h3>Configuring a Separate Log for Shorewall Messages</h3>
There are a couple of limitations to syslogd-based logging:<br>
<ol> <ol>
<li> copying the files that need modification from /etc/shorewall <li>If you give, for example, kern.info it's own log destination then
to a separate directory;</li> that destination will also receive all kernel messages of levels 5 (notice)
<li> modify those files in the separate directory; and</li> through 0 (emerg).</li>
<li> specifying the separate directory in a shorewall start <li>All kernel.info messages will go to that destination and not just
or shorewall restart command (e.g., <i><b>shorewall -c /etc/testconfig those from NetFilter.<br>
restart</b></i> ).</li> </li>
</ol>
Beginning with Shorewall version 1.3.12, if your kernel has ULOG target
support (and most vendor-supplied kernels do), you may also specify a log
level of ULOG (must be all caps). When ULOG is used, Shorewall will direct
netfilter to log the related messages via the ULOG target which will send
them to a process called 'ulogd'. The ulogd program is available from http://www.gnumonks.org/projects/ulogd
and can be configured to log all Shorewall message to their own log file.<br>
<br>
Download the ulod tar file and:<br>
<ol>
<li>cd /usr/local/src (or wherever you do your builds)</li>
<li>tar -zxf <i>source-tarball-that-you-downloaded</i></li>
<li>cd ulogd-<i>version</i><br>
</li>
<li>./configure</li>
<li>make</li>
<li>make install<br>
</li>
</ol>
If you are like me and don't have a development environment on your firewall,
you can do the first five steps on another system then either NFS mount your
/usr/local/src directory or tar up the /usr/local/src/ulogd-<i>version</i>
directory and move it to your firewall system.<br>
<br>
Now on the firewall system, edit /usr/local/etc/ulogd.conf and set:<br>
<ol>
<li>syslogfile <i>&lt;file that you wish to log to&gt;</i></li>
<li>syslogsync 1</li>
</ol>
I also copied the file /usr/local/src/ulogd-<i>version</i>/ulogd.init to
/etc/init.d/ulogd. I had to edit the line that read "daemon /usr/local/sbin/ulogd"
to read daemon /usr/local/sbin/ulogd -d". On a RedHat system, a simple "chkconfig
--level 3 ulogd on" starts ulogd during boot up. Your init system may need
something else done to activate the script.<br>
<br>
Finally edit /etc/shorewall/shorewall.conf and set LOGFILE=<i>&lt;file that
you wish to log to&gt;</i>. This tells the /sbin/shorewall program where to
look for the log when processing its "show log", "logwatch" and "monitor"
commands.<br>
<h2><a name="Configs"></a>Shorewall Configurations</h2>
<p> Shorewall allows you to have configuration directories other than /etc/shorewall.
The <a href="starting_and_stopping_shorewall.htm">shorewall start and
restart</a> commands allow you to specify an alternate configuration
directory and Shorewall will use the files in the alternate directory
rather than the corresponding files in /etc/shorewall. The alternate directory
need not contain a complete configuration; those files not in the alternate
directory will be read from /etc/shorewall.</p>
<p> This facility permits you to easily create a test or temporary configuration
by:</p>
<ol>
<li> copying the files that need modification from
/etc/shorewall to a separate directory;</li>
<li> modify those files in the separate directory;
and</li>
<li> specifying the separate directory in a shorewall
start or shorewall restart command (e.g., <i><b>shorewall -c /etc/testconfig
restart</b></i> ).</li>
</ol> </ol>
<p><font size="2"> Updated 11/21/2002 - <a href="support.htm">Tom Eastep</a> <p><font size="2"> Updated 12/20/2002 - <a href="support.htm">Tom Eastep</a>
</font></p> </font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
</p>
<br>
<br>
<br>
<br>
<br> <br>
<br> <br>
</body> </body>

551
STABLE/documentation/download.htm
View File

@ -1,408 +1,387 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<title>Download</title> <title>Download</title>
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Download</font></h1> <h1 align="center"><font color="#ffffff">Shorewall Download</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p><b>I strongly urge you to read and print a copy of the <a <p><b>I strongly urge you to read and print a copy of the <a
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a> href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
for the configuration that most closely matches your own.<br> for the configuration that most closely matches your own.<br>
</b></p> </b></p>
<p>The entire set of Shorewall documentation is also available in PDF format <p>The entire set of Shorewall documentation is available in PDF format at:</p>
at:</p>
<p>    <a href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br> <p>    <a href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>     <a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
    <a href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a><br>     <a href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>
<br> </p>
Once you've done that, download <u> one</u> of the modules:</p>
<p>The documentation in HTML format is included in the .rpm and in the .tgz
packages below.</p>
<p> Once you've done that, download <u> one</u> of the modules:</p>
<ul> <ul>
<li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>, <b> <li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>, <b>
Linux PPC</b> or <b> TurboLinux</b> distribution with Linux PPC</b> or <b> TurboLinux</b> distribution with
a 2.4 kernel, you can use the RPM version (note: the RPM a 2.4 kernel, you can use the RPM version (note: the RPM
should also work with other distributions that store init scripts should also work with other distributions that store init
in /etc/init.d and that include chkconfig or insserv). If you scripts in /etc/init.d and that include chkconfig or insserv).
find that it works in other cases, let <a If you find that it works in other cases, let <a
href="mailto:teastep@shorewall.net"> me</a> know so that href="mailto:teastep@shorewall.net"> me</a> know so that
I can mention them here. See the <a href="Install.htm">Installation Instructions</a> I can mention them here. See the <a href="Install.htm">Installation Instructions</a>
if you have problems installing the RPM.</li> if you have problems installing the RPM.</li>
<li>If you are running LRP, download the .lrp file (you might <li>If you are running LRP, download the .lrp file (you might
also want to download the .tgz so you will have a copy of the documentation).</li> also want to download the .tgz so you will have a copy of the documentation).</li>
<li>If you run <a href="http://www.debian.org"><b>Debian</b></a> <li>If you run <a href="http://www.debian.org"><b>Debian</b></a>
and would like a .deb package, Shorewall is in both the <a and would like a .deb package, Shorewall is included in both the
href="http://packages.debian.org/testing/net/shorewall.html">Debian Testing <a href="http://packages.debian.org/testing/net/shorewall.html">Debian
Branch</a> and the <a Testing Branch</a> and the <a
href="http://packages.debian.org/unstable/net/shorewall.html">Debian href="http://packages.debian.org/unstable/net/shorewall.html">Debian
Unstable Branch</a>.</li> Unstable Branch</a>.</li>
<li>Otherwise, download the <i>shorewall</i> module <li>Otherwise, download the <i>shorewall</i>
(.tgz)</li> module (.tgz)</li>
</ul> </ul>
<p>The documentation in HTML format is included in the .tgz and .rpm files <p>The documentation in HTML format is included in the .tgz and .rpm files
and there is an documentation .deb that also contains the documentation.</p> and there is an documentation .deb that also contains the documentation.</p>
<p>Please verify the version that you have downloaded -- during the <p>Please verify the version that you have downloaded -- during the
release of a new version of Shorewall, the links below may point release of a new version of Shorewall, the links below may point
to a newer or an older version than is shown below.</p> to a newer or an older version than is shown below.</p>
<ul> <ul>
<li>RPM - "rpm -qip LATEST.rpm"</li> <li>RPM - "rpm -qip LATEST.rpm"</li>
<li>TARBALL - "tar -ztf LATEST.tgz" (the directory name <li>TARBALL - "tar -ztf LATEST.tgz" (the directory name
will contain the version)</li> will contain the version)</li>
<li>LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar -zxf <li>LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar
&lt;downloaded .lrp&gt;; cat var/lib/lrpkg/shorwall.version" </li> -zxf &lt;downloaded .lrp&gt;; cat var/lib/lrpkg/shorwall.version" </li>
</ul> </ul>
<p><font face="Arial">Once you have verified the version, check the <p><font face="Arial">Once you have verified the version, check the
</font><font color="#ff0000" face="Arial"> <a href="errata.htm"> errata</a></font><font </font><font color="#ff0000" face="Arial"> <a href="errata.htm"> errata</a></font><font
face="Arial"> to see if there are updates that apply to the version face="Arial"> to see if there are updates that apply to the version
that you have downloaded.</font></p> that you have downloaded.</font></p>
<p><font color="#ff0000" face="Arial"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY <p><font color="#ff0000" face="Arial"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY
INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed
configuration of your firewall, you can enable startup by removing the configuration of your firewall, you can enable startup by removing the
file /etc/shorewall/startup_disabled.</b></font></p> file /etc/shorewall/startup_disabled.</b></font></p>
<p><b>Download Latest Version</b> (<b>1.3.11a</b>): <b>Remember that updates <p><b>Download Latest Version</b> (<b>1.3.12</b>): <b>Remember that updates
to the mirrors occur 1-12 hours after an update to the primary site.</b></p> to the mirrors occur 1-12 hours after an update to the Washington
State site.</b></p>
<blockquote>
<blockquote>
<table border="2" cellspacing="3" cellpadding="3" <table border="2" cellspacing="3" cellpadding="3"
style="border-collapse: collapse;"> style="border-collapse: collapse;">
<tbody> <tbody>
<tr> <tr>
<td><b>SERVER LOCATION</b></td> <td><b>SERVER LOCATION</b></td>
<td><b>DOMAIN</b></td> <td><b>DOMAIN</b></td>
<td><b>HTTP</b></td> <td><b>HTTP</b></td>
<td><b>FTP</b></td> <td><b>FTP</b></td>
</tr> </tr>
<tr> <tr>
<td valign="top">SourceForge<br> <td valign="top">SourceForge<br>
</td> </td>
<td valign="top">sf.net<br> <td valign="top">sf.net<br>
</td> </td>
<td valign="top"><a <td valign="top"><a
href="http://sourceforge.net/project/showfiles.php?group_id=22587">Download</a><br> href="http://sourceforge.net/project/showfiles.php?group_id=22587">Download</a><br>
</td> </td>
<td valign="top"><br> <td valign="top"><br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td>Slovak Republic</td> <td>Slovak Republic</td>
<td>Shorewall.net</td> <td>Shorewall.net</td>
<td><a <td><a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br> href="http://slovakia.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br>
<a <a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.tgz">Download href="http://slovakia.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br> .tgz</a> <br>
<a <a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.lrp">Download href="http://slovakia.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><br> .lrp</a><br>
<a <a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.md5sums"> href="http://slovakia.shorewall.net/pub/shorewall/LATEST.md5sums">
Download.md5sums</a></td> Download.md5sums</a></td>
<td> <a target="_blank" <td> <a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.rpm">Download href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.rpm">Download
.rpm</a>  <br> .rpm</a>  <br>
<a target="_blank" <a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.tgz">Download href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.tgz">Download
.tgz</a> <br> .tgz</a> <br>
<a target="_blank" <a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.lrp">Download href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.lrp">Download
.rpm</a><br> .rpm</a><br>
<a <a
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.md5sums"> href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.md5sums">
Download.md5sums</a></td> Download.md5sums</a></td>
</tr> </tr>
<tr> <tr>
<td>Texas, USA</td> <td>Texas, USA</td>
<td>Infohiiway.com</td> <td>Infohiiway.com</td>
<td><a <td><a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.rpm">Download href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.rpm">Download
.rpm</a><br> .rpm</a><br>
<a <a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.tgz">Download href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br> .tgz</a> <br>
<a <a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.lrp">Download href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.lrp">Download
.lrp</a><br> .lrp</a><br>
<a <a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.md5sums"> href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.md5sums">
Download.md5sums</a></td> Download.md5sums</a></td>
<td> <a target="_blank" <td> <a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.rpm">Download .rpm</a>  <br> href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.rpm">Download .rpm</a>  <br>
<a target="_blank" <a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.tgz">Download href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br> .tgz</a> <br>
<a target="_blank" <a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.lrp"> Download href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.lrp"> Download
.lrp</a><br> .lrp</a><br>
<a <a
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.md5sums"> href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.md5sums">
Download.md5sums</a></td> Download.md5sums</a></td>
</tr> </tr>
<tr> <tr>
<td>Hamburg, Germany</td> <td>Hamburg, Germany</td>
<td>Shorewall.net</td> <td>Shorewall.net</td>
<td><a <td><a
href="http://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download href="http://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download
.rpm</a><br> .rpm</a><br>
<a <a
href="http://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download href="http://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a><br> .tgz</a><br>
<a <a
href="http://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download href="http://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><br> .lrp</a><br>
<a <a
href="http://germany.shorewall.net/pub/shorewall/LATEST.md5sums"> href="http://germany.shorewall.net/pub/shorewall/LATEST.md5sums">
Download.md5sums</a></td> Download.md5sums</a></td>
<td> <a target="_blank" <td> <a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download href="ftp://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download
.rpm</a>  <br> .rpm</a>  <br>
<a target="_blank" <a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download href="ftp://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br> .tgz</a> <br>
<a target="_blank" <a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download href="ftp://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><br> .lrp</a><br>
<a target="_blank" <a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.md5sums">Download href="ftp://germany.shorewall.net/pub/shorewall/LATEST.md5sums">Download
.md5sums</a></td> .md5sums</a></td>
</tr> </tr>
<tr> <tr>
<td>Martinez (Zona Norte - GBA), Argentina</td> <td>Martinez (Zona Norte - GBA), Argentina</td>
<td>Correofuego.com.ar</td> <td>Correofuego.com.ar</td>
<td> <a target="_blank" <td> <a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br> .rpm</a>  <br>
<a target="_blank" <a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br> .tgz</a> <br>
<a target="_blank" <a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp"> href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
Download .lrp</a><br> Download .lrp</a><br>
<a target="_blank" <a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums">Download href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums">Download
.md5sums</a></td> .md5sums</a></td>
<td> <a target="_blank" <td> <a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br> .rpm</a>  <br>
<a target="_blank" <a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br> .tgz</a> <br>
<a target="_blank" <a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp"> href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
Download .lrp</a><br> Download .lrp</a><br>
<a target="_blank" <a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums">Download href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums">Download
.md5sums</a></td> .md5sums</a></td>
</tr> </tr>
<tr> <tr>
<td>Paris, France</td> <td>Paris, France</td>
<td>Shorewall.net</td> <td>Shorewall.net</td>
<td><a <td><a
href="http://france.shorewall.net/pub/LATEST.rpm">Download .rpm</a><br> href="http://france.shorewall.net/pub/LATEST.rpm">Download .rpm</a><br>
<a href="http://france.shorewall.net/pub/LATEST.tgz">Download <a
.tgz</a> <br> href="http://france.shorewall.net/pub/LATEST.tgz">Download .tgz</a> <br>
<a href="http://france.shorewall.net/pub/LATEST.lrp">Download <a
.lrp</a><br> href="http://france.shorewall.net/pub/LATEST.lrp">Download .lrp</a><br>
<a <a
href="http://france.shorewall.net/pub/LATEST.md5sums">Download href="http://france.shorewall.net/pub/LATEST.md5sums">Download
.md5sums</a></td> .md5sums</a></td>
<td> <a target="_blank" <td> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.rpm">Download href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br> .rpm</a>  <br>
<a target="_blank" <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.tgz">Download href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br> .tgz</a> <br>
<a target="_blank" <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.lrp">Download href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.lrp">Download
.lrp</a><br> .lrp</a><br>
<a target="_blank" <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.md5sums">Download href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.md5sums">Download
.md5sums</a></td> .md5sums</a></td>
</tr> </tr>
<tr> <tr>
<td valign="middle">Washington State, USA<br> <td valign="middle">Washington State, USA<br>
</td> </td>
<td valign="middle">Shorewall.net<br> <td valign="middle">Shorewall.net<br>
</td> </td>
<td valign="top"><a <td valign="top"><a
href="http://www.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br> href="http://www.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br>
<a <a
href="http://www.shorewall.net/pub/shorewall/LATEST.tgz">Download href="http://www.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br> .tgz</a> <br>
<a <a
href="http://www.shorewall.net/pub/shorewall/LATEST.lrp">Download href="http://www.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><br> .lrp</a><br>
<a <a
href="http://www.shorewall.net/pub/shorewall/LATEST.md5sums">Download href="http://www.shorewall.net/pub/shorewall/LATEST.md5sums">Download
.md5sums</a><br> .md5sums</a><br>
</td> </td>
<td valign="top"><a <td valign="top"><a
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.rpm" target="_blank"> href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.rpm" target="_blank">
Download .rpm</a> <br> Download .rpm</a> <br>
<a <a
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.tgz" target="_blank">Download href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.tgz" target="_blank">Download
.tgz</a> <br> .tgz</a> <br>
<a <a
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.lrp" target="_blank">Download href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.lrp" target="_blank">Download
.lrp</a><br> .lrp</a><br>
<a target="_blank" <a target="_blank"
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.md5sums">Download href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.md5sums">Download
.md5sums</a><br> .md5sums</a><br>
</td> </td>
</tr> </tr>
</tbody>
</tbody>
</table> </table>
</blockquote> </blockquote>
<p align="left"><b>Documentation in PDF format:</b><br>
</p>
<blockquote>
<p>Juraj Ontkanin has produced a Portable Document Format (PDF) file containing
the Shorewall 1.3.10 documenation (the documentation in HTML format is included
in the .rpm and in the .tgz). The .pdf may be downloaded from</p>
</blockquote>
<blockquote>
<blockquote><a
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/"
target="_self">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><a
href="http://slovakia.shorewall.net/pub/shorewall/pdf/"><br>
http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
</blockquote>
</blockquote>
<p><b>Browse Download Sites:</b></p> <p><b>Browse Download Sites:</b></p>
<blockquote> <blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;"> <table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody> <tbody>
<tr> <tr>
<td><b>SERVER LOCATION</b></td> <td><b>SERVER LOCATION</b></td>
<td><b>DOMAIN</b></td> <td><b>DOMAIN</b></td>
<td><b>HTTP</b></td> <td><b>HTTP</b></td>
<td><b>FTP</b></td> <td><b>FTP</b></td>
</tr> </tr>
<tr> <tr>
<td>SourceForge<br> <td>SourceForge<br>
</td> </td>
<td>sf.net</td> <td>sf.net</td>
<td><a <td><a
href="http://sourceforge.net/project/showfiles.php?group_id=22587">Browse</a></td> href="http://sourceforge.net/project/showfiles.php?group_id=22587">Browse</a></td>
<td>N/A</td> <td>N/A</td>
</tr> </tr>
<tr> <tr>
<td>Slovak Republic</td> <td>Slovak Republic</td>
<td>Shorewall.net</td> <td>Shorewall.net</td>
<td><a <td><a
href="http://slovakia.shorewall.net/pub/shorewall/">Browse</a></td> href="http://slovakia.shorewall.net/pub/shorewall/">Browse</a></td>
<td> <a target="_blank" <td> <a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/">Browse</a></td> href="ftp://slovakia.shorewall.net/mirror/shorewall/">Browse</a></td>
</tr> </tr>
<tr> <tr>
<td>Texas, USA</td> <td>Texas, USA</td>
<td>Infohiiway.com</td> <td>Infohiiway.com</td>
<td><a <td><a
href="http://shorewall.infohiiway.com/pub/shorewall">Browse</a></td> href="http://shorewall.infohiiway.com/pub/shorewall">Browse</a></td>
<td><a target="_blank" <td><a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/">Browse</a></td> href="ftp://ftp.infohiiway.com/pub/shorewall/">Browse</a></td>
</tr> </tr>
<tr> <tr>
<td>Hamburg, Germany</td> <td>Hamburg, Germany</td>
<td>Shorewall.net</td> <td>Shorewall.net</td>
<td><a <td><a
href="http://germany.shorewall.net/pub/shorewall/">Browse</a></td> href="http://germany.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a target="_blank" <td><a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall">Browse</a></td> href="ftp://germany.shorewall.net/pub/shorewall">Browse</a></td>
</tr> </tr>
<tr> <tr>
<td>Martinez (Zona Norte - GBA), Argentina</td> <td>Martinez (Zona Norte - GBA), Argentina</td>
<td>Correofuego.com.ar</td> <td>Correofuego.com.ar</td>
<td><a <td><a
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall">Browse</a></td> href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall">Browse</a></td>
<td> <a target="_blank" <td> <a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall"> Browse</a></td> href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall"> Browse</a></td>
</tr> </tr>
<tr> <tr>
<td>France</td> <td>France</td>
<td>Shorewall.net</td> <td>Shorewall.net</td>
<td><a <td><a
href="http://france.shorewall.net/pub/shorewall/LATEST.lrp">Browse</a></td> href="http://france.shorewall.net/pub/shorewall/LATEST.lrp">Browse</a></td>
<td> <a target="_blank" <td> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/">Browse</a></td> href="ftp://france.shorewall.net/pub/mirrors/shorewall/">Browse</a></td>
</tr> </tr>
<tr> <tr>
<td>Washington State, USA</td> <td>Washington State, USA</td>
<td>Shorewall.net</td> <td>Shorewall.net</td>
<td><a href="http://www.shorewall.net/pub/shorewall/">Browse</a></td> <td><a
<td><a href="ftp://ftp.shorewall.net/pub/shorewall/" href="http://www.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a href="ftp://ftp.shorewall.net/pub/shorewall/"
target="_blank">Browse</a></td> target="_blank">Browse</a></td>
</tr> </tr>
</tbody>
</tbody>
</table> </table>
</blockquote> </blockquote>
<p align="left"><b>CVS:</b></p> <p align="left"><b>CVS:</b></p>
<blockquote> <blockquote>
<p align="left">The <a target="_top" <p align="left">The <a target="_top"
href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi">CVS repository at href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi">CVS repository at
cvs.shorewall.net</a> contains the latest snapshots of the each Shorewall cvs.shorewall.net</a> contains the latest snapshots of the each Shorewall
component. There's no guarantee that what you find there will work at component. There's no guarantee that what you find there will work at
all.<br> all.<br>
</p> </p>
</blockquote> </blockquote>
<p align="left"><font size="2">Last Updated 12/3/2002 - <a <p align="left"><font size="2">Last Updated 12/12/2002 - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
<br> </p>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br> <br>
</body> </body>
</html> </html>

959
STABLE/documentation/errata.htm
View File

File diff suppressed because it is too large Load Diff

BIN
STABLE/documentation/images/MDKlinux.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 15 KiB

BIN
STABLE/documentation/images/Vexira_Antivirus_Logo.gif Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 2.6 KiB

BIN
STABLE/documentation/images/courier-imap.png Normal file
View File

Binary file not shown.

BIN
STABLE/documentation/images/debian.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 8.2 KiB

BIN
STABLE/documentation/images/logo2.png Normal file
View File

Binary file not shown.

BIN
STABLE/documentation/images/medbutton.png Normal file
View File

Binary file not shown.

BIN
STABLE/documentation/images/obrasinf.gif Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 7.1 KiB

253
STABLE/documentation/mailing_list.htm
View File

@ -1,99 +1,124 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Mailing Lists</title> <title>Shorewall Mailing Lists</title>
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
<table height="90" bgcolor="#400169" id="AutoNumber1" width="100%" <table height="90" bgcolor="#400169" id="AutoNumber1" width="100%"
style="border-collapse: collapse;" cellspacing="0" cellpadding="0" style="border-collapse: collapse;" cellspacing="0" cellpadding="0"
border="0"> border="0">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><a <h1 align="center"><a
href="http://www.centralcommand.com/linux_products.html"><img href="http://www.centralcommand.com/linux_products.html"><img
src="images/Vexira_Antivirus_Logo.gif" alt="Vexira Logo" width="78" src="images/Vexira_Antivirus_Logo.gif" alt="Vexira Logo" width="78"
height="79" align="left"> height="79" align="left">
</a><a href="http://www.gnu.org/software/mailman/mailman.html"> </a><a href="http://www.gnu.org/software/mailman/mailman.html">
<img border="0" src="images/logo-sm.jpg" align="left" hspace="5" <img border="0" src="images/logo-sm.jpg" align="left" hspace="5"
width="110" height="35"> width="110" height="35">
</a><a href="http://www.postfix.org/"> <img </a><a href="http://www.postfix.org/"> <img
src="images/small-picture.gif" align="right" border="0" width="115" src="images/small-picture.gif" align="right" border="0" width="115"
height="45"> height="45">
</a><font color="#ffffff">Shorewall Mailing Lists</font></h1> </a><font color="#ffffff">Shorewall Mailing Lists<a
href="http://www.inter7.com/courierimap/"><img
src="images/courier-imap.png" alt="Courier-Imap" width="100"
height="38" align="right">
</a></font></h1>
<p align="right"><font color="#ffffff"><b><br> <p align="right"><font color="#ffffff"><b><br>
Powered by Postfix      </b></font> </p> </b></font></p>
</td>
</tr> <p align="right"><font color="#ffffff"><b><br>
Powered by Postfix     </b></font> </p>
</tbody> </td>
</tr>
</tbody>
</table> </table>
<p align="left"> <b>Note: </b>The list server limits posts to 120kb.</p> <p align="left"> <b>Note: </b>The list server limits posts to 120kb.</p>
<h2 align="left">Not getting List Mail? -- <a <h2 align="left">Not getting List Mail? -- <a
href="mailing_list_problems.htm">Check Here</a></h2> href="mailing_list_problems.htm">Check Here</a></h2>
<p align="left">If you experience problems with any of these lists, please <p align="left">If you experience problems with any of these lists, please
let <a href="mailto:teastep@shorewall.net">me</a> know</p> let <a href="mailto:teastep@shorewall.net">me</a> know</p>
<h2 align="left">Not able to Post Mail to shorewall.net?</h2> <h2 align="left">Not able to Post Mail to shorewall.net?</h2>
<p align="left">You can report such problems by sending mail to tom dot eastep <p align="left">You can report such problems by sending mail to tom dot eastep
at hp dot com.</p> at hp dot com.</p>
<h2>A Word about SPAM Filters <a href="http://ordb.org"> <img border="0" <h2>A Word about SPAM Filters <a href="http://ordb.org"> <img border="0"
src="images/but3.png" hspace="3" width="88" height="31"> src="images/but3.png" hspace="3" width="88" height="31">
 </a><a href="http://osirusoft.com/"> </a></h2>  </a><a href="http://osirusoft.com/"> </a></h2>
<p>Before subscribing please read my <a href="spam_filters.htm">policy <p>Before subscribing please read my <a href="spam_filters.htm">policy
about list traffic that bounces.</a> Also please note that the mail server about list traffic that bounces.</a> Also please note that the mail server
at shorewall.net checks incoming mail:<br> at shorewall.net checks incoming mail:<br>
</p> </p>
<ol> <ol>
<li>against the open relay databases at <a <li>against the open relay databases at <a
href="http://ordb.org">ordb.org.</a></li> href="http://ordb.org">ordb.org.</a></li>
<li>to ensure that the sender address is fully qualified.</li> <li>to ensure that the sender address is fully qualified.</li>
<li>to verify that the sender's domain has an A or MX record in DNS.</li> <li>to verify that the sender's domain has an A or MX record in DNS.</li>
<li>to ensure that the host name in the HELO/EHLO command is a valid <li>to ensure that the host name in the HELO/EHLO command is a valid
fully-qualified DNS name.<br> fully-qualified DNS name.</li>
</li>
</ol> </ol>
<h2>Please post in plain text</h2>
While the list server here at shorewall.net accepts and distributes HTML
posts, a growing number of MTAs serving list subscribers are rejecting this
HTML list traffic. At least one MTA has gone so far as to blacklist shorewall.net
"for continuous abuse"!!<br>
<br>
I think that blocking all HTML is a rather draconian way to control spam
and that the unltimate loser here is not the spammers but the list subscribers
whose MTAs are bouncing all shorewall.net mail. Nevertheless, all of you
can help by restricting your list posts to plain text.<br>
<br>
And as a bonus, subscribers who use email clients like pine and mutt will
be able to read your plain text posts whereas they are most likely simply
ignoring your HTML posts.<br>
<br>
A final bonus for the use of HTML is that it cuts down the size of messages
by a large percentage -- that is important when the same message must be
sent 500 times over the slow DSL line connecting the list server to the internet.<br>
<h2></h2> <h2></h2>
<h2 align="left">Mailing Lists Archive Search</h2> <h2 align="left">Mailing Lists Archive Search</h2>
<form method="post" action="http://www.shorewall.net/cgi-bin/htsearch"> <form method="post" action="http://www.shorewall.net/cgi-bin/htsearch">
<p> <font size="-1"> Match: <p> <font size="-1"> Match:
<select name="method"> <select name="method">
<option value="and">All </option> <option value="and">All </option>
<option value="or">Any </option> <option value="or">Any </option>
<option value="boolean">Boolean </option> <option value="boolean">Boolean </option>
</select> </select>
Format: Format:
<select name="format"> <select name="format">
<option value="builtin-long">Long </option> <option value="builtin-long">Long </option>
<option value="builtin-short">Short </option> <option value="builtin-short">Short </option>
</select> </select>
Sort by: Sort by:
<select name="sort"> <select name="sort">
<option value="score">Score </option> <option value="score">Score </option>
<option value="time">Time </option> <option value="time">Time </option>
@ -102,120 +127,120 @@ fully-qualified DNS name.<br>
<option value="revtime">Reverse Time </option> <option value="revtime">Reverse Time </option>
<option value="revtitle">Reverse Title </option> <option value="revtitle">Reverse Title </option>
</select> </select>
</font> <input type="hidden" name="config" value="htdig"> <input </font> <input type="hidden" name="config" value="htdig"> <input
type="hidden" name="restrict" type="hidden" name="restrict"
value="[http://www.shorewall.net/pipermail/.*]"> <input type="hidden" value="[http://www.shorewall.net/pipermail/.*]"> <input type="hidden"
name="exclude" value=""> <br> name="exclude" value=""> <br>
Search: <input type="text" size="30" name="words" value=""> <input Search: <input type="text" size="30" name="words" value=""> <input
type="submit" value="Search"> </p> type="submit" value="Search"> </p>
</form> </form>
<h2 align="left"><font color="#ff0000">Please do not try to download the entire
Archive -- its 75MB (and growing daily) and my slow DSL line simply won't
stand the traffic. If I catch you, you'll be blacklisted.<br>
</font></h2>
<h2 align="left">Shorewall CA Certificate</h2> <h2 align="left">Shorewall CA Certificate</h2>
If you want to trust X.509 certificates issued by Shoreline Firewall If you want to trust X.509 certificates issued by Shoreline Firewall
(such as the one used on my web site), you may <a (such as the one used on my web site), you may <a
href="Shorewall_CA_html.html">download and install my CA certificate</a> href="Shorewall_CA_html.html">download and install my CA certificate</a>
in your browser. If you don't wish to trust my certificates then you can in your browser. If you don't wish to trust my certificates then you
either use unencrypted access when subscribing to Shorewall mailing lists can either use unencrypted access when subscribing to Shorewall mailing
or you can use secure access (SSL) and accept the server's certificate when lists or you can use secure access (SSL) and accept the server's certificate
prompted by your browser.<br> when prompted by your browser.<br>
<h2 align="left">Shorewall Users Mailing List</h2> <h2 align="left">Shorewall Users Mailing List</h2>
<p align="left">The Shorewall Users Mailing list provides a way for users <p align="left">The Shorewall Users Mailing list provides a way for users
to get answers to questions and to report problems. Information of general to get answers to questions and to report problems. Information of general
interest to the Shorewall user community is also posted to this list.</p> interest to the Shorewall user community is also posted to this list.</p>
<p align="left"><b>Before posting a problem report to this list, please see <p align="left"><b>Before posting a problem report to this list, please see
the <a href="support.htm">problem reporting guidelines</a>.</b></p> the <a href="support.htm">problem reporting guidelines</a>.</b></p>
<p align="left">To subscribe to the mailing list, go to <a <p align="left">To subscribe to the mailing list, go to <a
href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a> href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a>
SSL: <a SSL: <a
href="https://www.shorewall.net/mailman/listinfo/shorewall-users" href="https://www.shorewall.net/mailman/listinfo/shorewall-users"
target="_top">https//www.shorewall.net/mailman/listinfo/shorewall-users</a></p> target="_top">https//www.shorewall.net/mailman/listinfo/shorewall-users</a></p>
<p align="left">To post to the list, post to <a <p align="left">To post to the list, post to <a
href="mailto:shorewall-users@shorewall.net">shorewall-users@shorewall.net</a>.</p> href="mailto:shorewall-users@shorewall.net">shorewall-users@shorewall.net</a>.</p>
<p align="left">The list archives are at <a <p align="left">The list archives are at <a
href="http://www.shorewall.net/pipermail/shorewall-users/index.html">http://www.shorewall.net/pipermail/shorewall-users</a>.</p> href="http://www.shorewall.net/pipermail/shorewall-users/index.html">http://www.shorewall.net/pipermail/shorewall-users</a>.</p>
<p align="left">Note that prior to 1/1/2002, the mailing list was hosted <p align="left">Note that prior to 1/1/2002, the mailing list was hosted
at <a href="http://sourceforge.net">Sourceforge</a>. The archives from that at <a href="http://sourceforge.net">Sourceforge</a>. The archives from that
list may be found at <a list may be found at <a
href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p> href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p>
<h2 align="left">Shorewall Announce Mailing List</h2> <h2 align="left">Shorewall Announce Mailing List</h2>
<p align="left">This list is for announcements of general interest to the <p align="left">This list is for announcements of general interest to the
Shorewall community. To subscribe, go to <a Shorewall community. To subscribe, go to <a
href="http://www.shorewall.net/mailman/listinfo/shorewall-announce">http://www.shorewall.net/mailman/listinfo/shorewall-announce</a> href="http://www.shorewall.net/mailman/listinfo/shorewall-announce">http://www.shorewall.net/mailman/listinfo/shorewall-announce</a>
SSL: <a SSL: <a
href="https://www.shorewall.net/mailman/listinfo/shorewall-announce" href="https://www.shorewall.net/mailman/listinfo/shorewall-announce"
target="_top">https//www.shorewall.net/mailman/listinfo/shorewall-announce.<br> target="_top">https//www.shorewall.net/mailman/listinfo/shorewall-announce.<br>
</a><br> </a><br>
The list archives are at <a The list archives are at <a
href="http://www.shorewall.net/pipermail/shorewall-announce">http://www.shorewall.net/pipermail/shorewall-announce</a>.</p> href="http://www.shorewall.net/pipermail/shorewall-announce">http://www.shorewall.net/pipermail/shorewall-announce</a>.</p>
<h2 align="left">Shorewall Development Mailing List</h2> <h2 align="left">Shorewall Development Mailing List</h2>
<p align="left">The Shorewall Development Mailing list provides a forum for <p align="left">The Shorewall Development Mailing list provides a forum for
the exchange of ideas about the future of Shorewall and for coordinating the exchange of ideas about the future of Shorewall and for coordinating
ongoing Shorewall Development.</p> ongoing Shorewall Development.</p>
<p align="left">To subscribe to the mailing list, go to <a <p align="left">To subscribe to the mailing list, go to <a
href="http://www.shorewall.net/mailman/listinfo/shorewall-devel">http://www.shorewall.net/mailman/listinfo/shorewall-devel</a> href="http://www.shorewall.net/mailman/listinfo/shorewall-devel">http://www.shorewall.net/mailman/listinfo/shorewall-devel</a>
SSL: <a SSL: <a
href="https://www.shorewall.net/mailman/listinfo/shorewall-devel" href="https://www.shorewall.net/mailman/listinfo/shorewall-devel"
target="_top">https//www.shorewall.net/mailman/listinfo/shorewall-devel.</a><br> target="_top">https//www.shorewall.net/mailman/listinfo/shorewall-devel.</a><br>
To post to the list, post to <a To post to the list, post to <a
href="mailto:shorewall-devel@shorewall.net">shorewall-devel@shorewall.net</a>. </p> href="mailto:shorewall-devel@shorewall.net">shorewall-devel@shorewall.net</a>. </p>
<p align="left">The list archives are at <a <p align="left">The list archives are at <a
href="http://www.shorewall.net/pipermail/shorewall-devel">http://www.shorewall.net/pipermail/shorewall-devel</a>.</p> href="http://www.shorewall.net/pipermail/shorewall-devel">http://www.shorewall.net/pipermail/shorewall-devel</a>.</p>
<h2 align="left"><a name="Unsubscribe"></a>How to Unsubscribe from one of <h2 align="left"><a name="Unsubscribe"></a>How to Unsubscribe from one of
the Mailing Lists</h2> the Mailing Lists</h2>
<p align="left">There seems to be near-universal confusion about unsubscribing <p align="left">There seems to be near-universal confusion about unsubscribing
from Mailman-managed lists. To unsubscribe:</p> from Mailman-managed lists. To unsubscribe:</p>
<ul> <ul>
<li> <li>
<p align="left">Follow the same link above that you used to subscribe <p align="left">Follow the same link above that you used to subscribe
to the list.</p> to the list.</p>
</li> </li>
<li> <li>
<p align="left">Down at the bottom of that page is the following text: <p align="left">Down at the bottom of that page is the following text:
"To change your subscription (set options like digest and delivery modes, "To change your subscription (set options like digest and delivery
get a reminder of your password, <b>or unsubscribe</b> from &lt;name modes, get a reminder of your password, <b>or unsubscribe</b> from
of list&gt;), enter your subscription email address:". Enter your email &lt;name of list&gt;), enter your subscription email address:". Enter
address in the box and click on the "Edit Options" button.</p> your email address in the box and click on the "Edit Options" button.</p>
</li> </li>
<li> <li>
<p align="left">There will now be a box where you can enter your password <p align="left">There will now be a box where you can enter your password
and click on "Unsubscribe"; if you have forgotten your password, there and click on "Unsubscribe"; if you have forgotten your password, there
is another button that will cause your password to be emailed to you.</p> is another button that will cause your password to be emailed to you.</p>
</li> </li>
</ul> </ul>
<hr> <hr>
<h2 align="left">Frustrated by having to Rebuild Mailman to use it with Postfix?</h2> <h2 align="left">Frustrated by having to Rebuild Mailman to use it with Postfix?</h2>
<p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p> <p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p>
<p align="left"><font size="2">Last updated 11/22/2002 - <a <p align="left"><font size="2">Last updated 12/27/2002 - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
<br> </p>
<br>
<br>
<br>
<br>
<br>
<br> <br>
</body> </body>
</html> </html>

55
STABLE/documentation/mailing_list_problems.htm
View File

@ -1,50 +1,53 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<title>Mailing List Problems</title> <title>Mailing List Problems</title>
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Mailing List Problems</font></h1> <h1 align="center"><font color="#ffffff">Mailing List Problems</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<h2 align="left">Shorewall.net is currently experiencing mail delivery problems <h2 align="left">Shorewall.net is currently experiencing mail delivery problems
to at least one address in each of the following domains:</h2> to at least one address in each of the following domains:</h2>
<blockquote> <blockquote>
<div align="left"> <div align="left">
<pre>2020ca - delivery to this domain has been disabled (cause unknown)<br>arosy.de - delivery to this domain has been disabled (Relay access denied)<br>arundel.homelinux.org - delivery to this domain has been disabled (connection timed out, connection refused)<br>asurfer.com - (Mailbox full)<br>bol.com.br - delivery to this domain has been disabled (Mailbox Full)<br>cuscominc.com - delivery to this domain has been disabled (bouncing mail from all sources with "Mail rejected because the server you are sending to is misconfigured").<br>excite.com - delivery to this domain has been disabled (cause unknown)<br>epacificglobal.com - delivery to this domain has been disabled (no MX record for domain)<br>freefish.dyndns.org - delivery to this domain has been disabled (Name Server Problem -- Host not found)<br>gmx.net - delivery to this domain has been disabled (cause unknown)<br>hotmail.com - delivery to this domain has been disabled (Mailbox over quota)<br>intercom.net - delivery to this domain has been disabled (cause unknown)<br>ionsphere.org - (connection timed out)<br>initialcs.com - delivery to this domain has been disabled (cause unknown)<br>intelligents.2y.net - delivery to this domain has been disabled (Name Service Problem -- Host not Found).<br>khp-inc.com - delivery to this domain has been disabled (anti-virus problems)<br>kieninger.de - delivery to this domain has been disabled (relaying to &lt;xxxxx@kieninger.de&gt; prohibited by administrator)<br>lariera.com - delivery to this domain has been disabled (Unknown User)<br>littleblue.de - (connection timed out)<br>mfocus.com.my - delivery to this domain has been disabled (MTA at mailx.mfocus.com.my not delivering and not giving a reason)<br>navair.navy.mil - delivery to this domain has been disabled (A restriction in the system prevented delivery of the message)<br>opermail.net - delivery to this domain has been disabled (cause unknown)<br>opus.homeip.net - (SpamAssassin is missing the HiRes Time module)<br>penquindevelopment.com - delivery to this domain has been disabled (connection timed out)<br>scip-online.de - delivery to this domain has been disabled (cause unknown)<br>spctnet.com - connection timed out - delivery to this domain has been disabled<br>telusplanet.net - delivery to this domain has been disabled (cause unknown)<br>yahoo.com - delivery to this domain has been disabled (Mailbox over quota)</pre> <pre>2020ca - delivery to this domain has been disabled (cause unknown)<br>arosy.de - delivery to this domain has been disabled (Relay access denied)<br>arundel.homelinux.org - delivery to this domain has been disabled (connection timed out, connection refused)<br>asurfer.com - (Mailbox full)<br>bol.com.br - delivery to this domain has been disabled (Mailbox Full)<br>cuscominc.com - delivery to this domain has been disabled (bouncing mail from all sources with "Mail rejected because the server you are sending to is misconfigured").<br>cvnet.psi.br - (DNS configuration error -- MX is cvn-srv1.cvnet.psi.br.cvnet.psi.br)<br>datakota.com - (DNS Timeouts)<br>excite.com - delivery to this domain has been disabled (cause unknown)<br>epacificglobal.com - delivery to this domain has been disabled (no MX record for domain)<br>freefish.dyndns.org - delivery to this domain has been disabled (Name Server Problem -- Host not found)<br>gmx.net - delivery to this domain has been disabled (cause unknown)<br>hotmail.com - delivery to this domain has been disabled (Mailbox over quota)<br>intercom.net - delivery to this domain has been disabled (cause unknown)<br>nitialcs.com - delivery to this domain has been disabled (cause unknown)<br>intelligents.2y.net - delivery to this domain has been disabled (Name Service Problem -- Host not Found).<br>khp-inc.com - delivery to this domain has been disabled (anti-virus problems)<br>kieninger.de - delivery to this domain has been disabled (relaying to &lt;xxxxx@kieninger.de&gt; prohibited by administrator)<br>lariera.com - delivery to this domain has been disabled (Unknown User)<br>mfocus.com.my - delivery to this domain has been disabled (MTA at mailx.mfocus.com.my not delivering and not giving a reason)<br>navair.navy.mil - delivery to this domain has been disabled (A restriction in the system prevented delivery of the message)<br>opermail.net - delivery to this domain has been disabled (cause unknown)<br>penquindevelopment.com - delivery to this domain has been disabled (connection timed out)<br>scip-online.de - delivery to this domain has been disabled (cause unknown)<br>spctnet.com - connection timed out - delivery to this domain has been disabled<br>telusplanet.net - delivery to this domain has been disabled (cause unknown)<br>the-techy.com - delivery to this domain has been disabled (clueless administrator - continuous DNS problems) <br>yahoo.com - delivery to this domain has been disabled (Mailbox over quota)</pre>
</div> </div>
</blockquote> </blockquote>
<p align="left"><font size="2">Last updated 11/24/2002 18:44 GMT - <a <p align="left"><font size="2">Last updated 12/17/2002 02:51 GMT - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"> <font face="Trebuchet MS"> <font <p align="left"><a href="copyright.htm"> <font face="Trebuchet MS"> <font
size="2">Copyright</font> © <font size="2">2002 Thomas M. Eastep.</font></font></a></p> size="2">Copyright</font> © <font size="2">2002 Thomas M. Eastep.</font></font></a></p>
<p align="left"> </p> <p align="left"> </p>
<br>
<br>
<br> <br>
<br>
<br> <br>
<br> <br>
<br> <br>

90
STABLE/documentation/ping.html Normal file
View File

@ -0,0 +1,90 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>ICMP Echo-request (Ping)</title>
<meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">ICMP Echo-request (Ping)</font></h1>
</td>
</tr>
</tbody>
</table>
<br>
Shorewall 'Ping' management has evolved over time in a less than consistant
way. This page describes how it now works.<br>
<br>
There are several aspects to Shorewall Ping management:<br>
<ol>
<li>The <b>noping</b> and <b>filterping </b>interface options in <a
href="file:///home/teastep/Shorewall-docs/Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
<li>The <b>FORWARDPING</b> option in<a
href="file:///home/teastep/Shorewall-docs/Documentation.htm#Conf"> /etc/shorewall/shorewall.conf</a>.</li>
<li>Explicit rules in <a
href="file:///home/teastep/Shorewall-docs/Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
</ol>
There are two cases to consider:<br>
<ol>
<li>Ping requests addressed to the firewall itself; and</li>
<li>Ping requests being forwarded to another system. Included here are
all cases of packet forwarding including NAT, DNAT rule, Proxy ARP and simple
routing.</li>
</ol>
These cases will be covered separately.<br>
<h2>Ping Requests Addressed to the Firewall Itself</h2>
For ping requests addressed to the firewall, the sequence is as follows:<br>
<ol>
<li>If neither <b>noping</b> nor <b>filterping </b>are specified for the
interface that receives the ping request then the request will be responded
to with an ICMP echo-reply.</li>
<li>If <b>noping</b> is specified for the interface that receives the ping
request then the request is ignored.</li>
<li>If <b>filterping </b>is specified for the interface then the request
is passed to the rules/policy evaluation.</li>
</ol>
<h2>Ping Requests Forwarded by the Firewall</h2>
These requests are <b>always</b> passed to rules/policy evaluation.<br>
<h2>Rules Evaluation</h2>
Ping requests are ICMP type 8. So the general rule format is:<br>
<br>
&nbsp;&nbsp;&nbsp; <i>Target&nbsp;&nbsp;&nbsp; Source&nbsp;&nbsp;&nbsp; Destination&nbsp;&nbsp;&nbsp;
</i>icmp&nbsp;&nbsp;&nbsp; 8<br>
<br>
Example 1. Accept pings from the net to the dmz (pings are responded to with
an ICMP echo-reply):<br>
<br>
&nbsp;&nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; dmz&nbsp;&nbsp;&nbsp;
icmp&nbsp;&nbsp;&nbsp; 8<br>
<br>
Example 2. Drop pings from the net to the firewall<br>
<br>
&nbsp;&nbsp;&nbsp; DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;
icmp&nbsp;&nbsp;&nbsp; 8<br>
<h2>Policy Evaluation</h2>
If no applicable rule is found, then the policy for the source to the destination
is applied.<br>
<ol>
<li>If the relevant policy is ACCEPT then the request is responded to with
an ICMP echo-reply.</li>
<li>If <b>FORWARDPING</b> is set to Yes in /etc/shorewall/shorewall.conf
then the request is responded to with an ICMP echo-reply.</li>
<li>Otherwise, the relevant REJECT or DROP policy is used and the request
is either rejected or simply ignored.</li>
</ol>
<p><font size="2">Updated 12/13/2002 - <a
href="file:///home/teastep/Shorewall-docs/support.htm">Tom Eastep</a> </font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
&copy; <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
</body>
</html>

663
STABLE/documentation/seattlefirewall_index.htm
View File

@ -4,75 +4,86 @@
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.3</title> <title>Shoreline Firewall (Shorewall) 1.3</title>
<base target="_self">
<base target="_self">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="4" <table border="0" cellpadding="0" cellspacing="4"
style="border-collapse: collapse;" width="100%" id="AutoNumber3" style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody>
<tr> <tbody>
<td <tr>
width="100%" height="90">
<td width="100%" height="90">
<h1 align="center"> <font size="4"><i> <a <h1 align="center"> <font size="4"><i> <a
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4" href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4"
alt="Shorwall Logo" height="70" width="85" align="left" alt="Shorwall Logo" height="70" width="85" align="left"
src="images/washington.jpg" border="0"> src="images/washington.jpg" border="0">
</a></i></font><font
color="#ffffff">Shorewall 1.3 - <font size="4">"<i>iptables </a></i></font><font color="#ffffff">Shorewall 1.3 -
made easy"</i></font></font></h1> <font size="4">"<i>iptables made easy"</i></font></font></h1>
<div align="center"><a <div align="center"><a
href="http://shorewall.sf.net/1.2/index.html" target="_top"><font href="http://shorewall.sf.net/1.2/index.html" target="_top"><font
color="#ffffff">Shorewall 1.2 Site here</font></a><br> color="#ffffff">Shorewall 1.2 Site here</font></a><br>
</div> </div>
<br> <br>
</td>
</tr> </td>
</tr>
</tbody> </tbody>
</table> </table>
<div align="center"> <div align="center">
<center> <center>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"> style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody>
<tr> <tbody>
<td <tr>
width="90%">
<td width="90%">
<h2 align="left">What is it?</h2> <h2 align="left">What is it?</h2>
@ -80,7 +91,9 @@
<p>The Shoreline Firewall, more commonly known as "Shorewall", is <p>The Shoreline Firewall, more commonly known as "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
firewall that can be used on a dedicated firewall system, a multi-function firewall that can be used on a dedicated firewall system, a multi-function
@ -91,30 +104,37 @@ firewall that can be used on a dedicated firewall system, a multi-functio
<p>This program is free software; you can redistribute it and/or modify <p>This program is free software; you can redistribute it and/or modify
it under the terms of <a it under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
General Public License</a> as published by the Free Software Foundation.<br> General Public License</a> as published by the Free Software Foundation.<br>
<br>
This program <br>
is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty This program is distributed in the hope that it
of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. will be useful, but WITHOUT ANY WARRANTY; without
See the GNU General Public License for more details.<br> even the implied warranty of MERCHANTABILITY or FITNESS
<br> FOR A PARTICULAR PURPOSE. See the GNU General Public
You should License for more details.<br>
have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software <br>
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139,
USA</p> You should have received a copy of the GNU General
Public License along with this program; if not,
write to the Free Software Foundation, Inc., 675
Mass Ave, Cambridge, MA 02139, USA</p>
<p><a href="copyright.htm">Copyright 2001, 2002 Thomas M. Eastep</a></p> <p><a href="copyright.htm">Copyright 2001, 2002 Thomas M. Eastep</a></p>
@ -123,21 +143,24 @@ General Public License</a> as published by the Free Software Foundation.<
<p> <a href="http://leaf.sourceforge.net" target="_top"><img <p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36"> border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques
Nilo and Eric Wolzak have a LEAF (router/firewall/gateway </a>Jacques Nilo and Eric Wolzak have a LEAF
on a floppy, CD or compact flash) distribution called (router/firewall/gateway on a floppy, CD or compact flash) distribution
<i>Bering</i> that features Shorewall-1.3.10 and Kernel-2.4.18. called <i>Bering</i> that features Shorewall-1.3.10
You can find their work at: <a and Kernel-2.4.18. You can find their work at:
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br> <a href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
</a></p> </a></p>
<p><b>Congratulations to Jacques and Eric on the recent release of <p><b>Congratulations to Jacques and Eric on the recent release of
Bering 1.0 Final!!! </b><br> Bering 1.0 Final!!! </b><br>
</p> </p>
<h2>This is a mirror of the main Shorewall web site at SourceForge <h2>This is a mirror of the main Shorewall web site at SourceForge
(<a href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2> (<a href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
@ -149,7 +172,8 @@ Bering 1.0 Final!!! </b><br>
<h2>News</h2> <h2>News</h2>
@ -157,363 +181,276 @@ Bering 1.0 Final!!! </b><br>
<h2></h2> <h2></h2>
<p><b>12/3/2002 - Shorewall 1.3.11a </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p> <p><b>12/27/2002 - Shorewall 1.3.12 Released</b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
<p> Features include:<br>
</p>
<ol>
<li>"shorewall refresh" now reloads the traffic shaping rules (tcrules
and tcstart).</li>
<li>"shorewall debug [re]start" now turns off debugging after an
error occurs. This places the point of the failure near the end of the
trace rather than up in the middle of it.</li>
<li>"shorewall [re]start" has been speeded up by more than 40% with
my configuration. Your milage may vary.</li>
<li>A "shorewall show classifiers" command has been added which shows
the current packet classification filters. The output from this command
is also added as a separate page in "shorewall monitor"</li>
<li>ULOG (must be all caps) is now accepted as a valid syslog level
and causes the subject packets to be logged using the ULOG target rather
than the LOG target. This allows you to run ulogd (available from <a
href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
and log all Shorewall messages <a
href="configuration_file_basics.htm#Levels">to a separate log file</a>.</li>
<li>If you are running a kernel that has a FORWARD chain in the mangle
table ("shorewall show mangle" will show you the chains in the mangle table),
you can set MARK_IN_FORWARD_CHAIN=Yes in <a
href="Documentation.htm#Conf">shorewall.conf</a>. This allows for marking
input packets based on their destination even when you are using Masquerading
or SNAT.</li>
<li>I have cluttered up the /etc/shorewall directory with empty 'init',
'start', 'stop' and 'stopped' files. If you already have a file with one
of these names, don't worry -- the upgrade process won't overwrite your file.</li>
<li>I have added a new RFC1918_LOG_LEVEL variable to <a
href="Documentation.htm#Conf">shorewall.conf</a>. This variable specifies
the syslog level at which packets are logged as a result of entries in the
/etc/shorewall/rfc1918 file. Previously, these packets were always logged
at the 'info' level.<br>
</li>
</ol>
<p><b>12/20/2002 - Shorewall 1.3.12 Beta 3</b><br>
</p>
This version corrects a problem with Blacklist logging. In Beta 2, if BLACKLIST_LOG_LEVEL
was set to anything but ULOG, the firewall would fail to start and "shorewall
refresh" would also fail.<br>
<p> You may download the Beta from:<br>
</p>
<blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
</blockquote>
<p><b>12/20/2002 - Shorewall 1.3.12 Beta 2</b><b>
</b></p>
The first public Beta version of Shorewall 1.3.12 is now available (Beta
1 was made available to a limited audience). <br>
<br>
Features include:<br>
<br>
<ol>
<li>"shorewall refresh" now reloads the traffic shaping rules
(tcrules and tcstart).</li>
<li>"shorewall debug [re]start" now turns off debugging after
an error occurs. This places the point of the failure near the end of the
trace rather than up in the middle of it.</li>
<li>"shorewall [re]start" has been speeded up by more than 40%
with my configuration. Your milage may vary.</li>
<li>A "shorewall show classifiers" command has been added which
shows the current packet classification filters. The output from this command
is also added as a separate page in "shorewall monitor"</li>
<li>ULOG (must be all caps) is now accepted as a valid syslog
level and causes the subject packets to be logged using the ULOG target
rather than the LOG target. This allows you to run ulogd (available from
<a href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
and log all Shorewall messages <a
href="configuration_file_basics.htm#Levels">to a separate log file</a>.</li>
<li>If you are running a kernel that has a FORWARD chain in
the mangle table ("shorewall show mangle" will show you the chains in the
mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf.
This allows for marking input packets based on their destination even when
you are using Masquerading or SNAT.</li>
<li>I have cluttered up the /etc/shorewall directory with empty
'init', 'start', 'stop' and 'stopped' files. If you already have a file
with one of these names, don't worry -- the upgrade process won't overwrite
your file.</li>
</ol>
You may download the Beta from:<br>
<blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
</blockquote>
<p><b>12/12/2002 - Mandrake Multi Network Firewall <a
href="http://www.mandrakesoft.com"><img src="images/logo2.png"
alt="Powered by Mandrake Linux" width="150" height="21" border="0">
</a></b></p>
Shorewall is at the center of MandrakeSoft's recently-announced <a
href="http://www.mandrakestore.com/mdkinc/index.php?PAGE=tab_0/menu_0.php&amp;id_art=250&amp;LANG_=en#GOTO_250">Multi
Network Firewall (MNF)</a> product. Here is the <a
href="http://www.mandrakesoft.com/company/press/pr?n=/pr/products/2403">press
release</a>.<br>
<p><b>12/7/2002 - Shorewall Support for Mandrake 9.0</b><b>
</b></p>
<p>Two months and 3 days after I pre-ordered Mandrake 9.0, it was finally
delivered. I have installed 9.0 on one of my systems and I am now in
a position to support Shorewall users who run Mandrake 9.0.</p>
<p><b>12/6/2002 -  Debian 1.3.11a Packages Available</b><br>
</p>
<p>Apt-get sources listed at <a
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html.</a></p>
<p><b>12/3/2002 - Shorewall 1.3.11a</b><b>
</b></p>
<p>This is a bug-fix roll up which includes Roger Aich's fix for DNAT <p>This is a bug-fix roll up which includes Roger Aich's fix for DNAT
with excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11 users who with excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11 users
don't need rules of this type need not upgrade to 1.3.11.</p> who don't need rules of this type need not upgrade to 1.3.11.</p>
<p><b>11/25/2002 - Shorewall 1.3.11 Documentation in PDF Format</b><b> <p><b>11/25/2002 - Shorewall 1.3.11 Documentation in PDF Format</b><b>
</b></p> </b></p>
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.11 <p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.11
documenation. the PDF may be downloaded from</p> documenation. the PDF may be downloaded from</p>
<p>    <a <p>    <a
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br> href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>     <a
</p> href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
</p>
<p><b>11/24/2002 - Shorewall 1.3.11</b><b> </b><b> <p><b>11/24/2002 - Shorewall 1.3.11</b><b> </b><b>
</b></p> </b></p>
<p>In this version:</p>
<ul>
<li>A 'tcpflags' option has been added to entries in <a
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. This
option causes Shorewall to make a set of sanity check on TCP packet header
flags.</li>
<li>It is now allowed to use 'all' in the SOURCE or DEST column
in a <a href="Documentation.htm#Rules">rule</a>. When used, 'all' must
appear by itself (in may not be qualified) and it does not enable intra-zone
traffic. For example, the rule <br>
<br>
    ACCEPT loc all tcp 80<br>
<br>
does not enable http traffic from 'loc' to 'loc'.</li>
<li>Shorewall's use of the 'echo' command is now compatible with
bash clones such as ash and dash.</li>
<li>fw-&gt;fw policies now generate a startup error. fw-&gt;fw
rules generate a warning and are ignored</li>
</ul>
<p><b>11/14/2002 - Shorewall Documentation in PDF Format</b><b>
</b></p>
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10
documenation. the PDF may be downloaded from</p>
<p>    <a
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
</p>
<p><b>11/09/2002 - Shorewall is Back at SourceForge</b><b>
</b></p>
<p>The main Shorewall web site is now back at SourceForge at <a
href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>.<br>
</p>
<p><b>11/09/2002 - Shorewall 1.3.10</b><b>
</b></p>
<p>In this version:</p> <p>In this version:</p>
<ul> <ul>
<li>You may now <a href="IPSEC.htm#Dynamic">define <li>A 'tcpflags' option has been added to entries
the contents of a zone dynamically</a> with the <a in <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
href="starting_and_stopping_shorewall.htm">"shorewall add" and "shorewall This option causes Shorewall to make a set of sanity check on TCP packet
delete" commands</a>. These commands are expected to be used primarily header flags.</li>
within <a href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a> <li>It is now allowed to use 'all' in the SOURCE or
updown scripts.</li> DEST column in a <a href="Documentation.htm#Rules">rule</a>. When
<li>Shorewall can now do<a used, 'all' must appear by itself (in may not be qualified) and it does
href="MAC_Validation.html"> MAC verification</a> on ethernet segments. not enable intra-zone traffic. For example, the rule <br>
You can specify the set of allowed MAC addresses on the segment and <br>
you can optionally tie each MAC address to one or more IP addresses.</li>     ACCEPT loc all tcp 80<br>
<li>PPTP Servers and Clients running on the firewall <br>
system may now be defined in the<a href="PPTP.htm"> /etc/shorewall/tunnels</a> does not enable http traffic from 'loc' to 'loc'.</li>
file.</li> <li>Shorewall's use of the 'echo' command is now compatible
<li>A new 'ipsecnat' tunnel type is supported for with bash clones such as ash and dash.</li>
use when the <a href="IPSEC.htm">remote IPSEC endpoint is <li>fw-&gt;fw policies now generate a startup error.
behind a NAT gateway</a>.</li> fw-&gt;fw rules generate a warning and are ignored</li>
<li>The PATH used by Shorewall may now be specified
in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
<li>The main firewall script is now /usr/lib/shorewall/firewall.
The script in /etc/init.d/shorewall is very small and uses /sbin/shorewall
to do the real work. This change makes custom distributions such as
for Debian and for Gentoo easier to manage since it is /etc/init.d/shorewall
that tends to have distribution-dependent code.</li>
</ul> </ul>
If you have installed the 1.3.10 Beta 1 RPM and are now upgrading
to version 1.3.10, you will need to use the '--force' option:<br>
<blockquote>
<pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm</pre>
</blockquote>
<p><b>10/24/2002 - Shorewall is now in Gentoo Linux</b><a
href="http://www.gentoo.org"><br>
</a></p>
Alexandru Hartmann reports that his Shorewall package
is now a part of <a href="http://www.gentoo.org">the Gentoo
Linux distribution</a>. Thanks Alex!<br>
<p><b>10/23/2002 - Shorewall 1.3.10 Beta 1</b><b> </b></p>
In this version:<br>
<ul>
<li>You may now <a
href="IPSEC.htm#Dynamic">define the contents of a zone dynamically</a>
with the <a href="starting_and_stopping_shorewall.htm">"shorewall add" and
"shorewall delete" commands</a>. These commands are expected
to be used primarily within <a
href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a> updown
scripts.</li>
<li>Shorewall can now do<a
href="MAC_Validation.html"> MAC verification</a> on ethernet segments.
You can specify the set of allowed MAC addresses on the segment
and you can optionally tie each MAC address to one or more IP addresses.</li>
<li>PPTP Servers and Clients running on the
firewall system may now be defined in the<a href="PPTP.htm"> /etc/shorewall/tunnels</a>
file.</li>
<li>A new 'ipsecnat' tunnel type is supported
for use when the <a href="IPSEC.htm">remote IPSEC endpoint
is behind a NAT gateway</a>.</li>
<li>The PATH used by Shorewall may now be
specified in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
<li>The main firewall script is now /usr/lib/shorewall/firewall.
The script in /etc/init.d/shorewall is very small and uses /sbin/shorewall
to do the real work. This change makes custom distributions such
as for Debian and for Gentoo easier to manage since it is /etc/init.d/shorewall
that tends to have distribution-dependent code.</li>
</ul>
You may download the Beta from:<br>
<ul> <p><b></b><a href="News.htm">More News</a></p>
<li><a
href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a></li>
<li><a
href="ftp://ftp.shorewall.net/pub/shorewall/Beta" target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
</li>
</ul>
<h2><a name="Donations"></a>Donations</h2>
</td>
<p><b>10/10/2002 -  Debian 1.3.9b Packages Available </b><b>
</b><br> <td width="88" bgcolor="#4b017c" valign="top"
</p> align="center"> <a href="http://sourceforge.net">M</a></td>
</tr>
</tbody>
</table>
</center>
</div>
<table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c">
<tbody>
<tr>
<td width="100%" style="margin-top: 1px;">
<p>Apt-get sources listed at <a
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html.</a></p>
<p><b>10/9/2002 - Shorewall 1.3.9b </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
This release rolls up fixes to the installer
and to the firewall script.<br>
<b><br>
10/6/2002 - Shorewall.net now running on RH8.0
</b><b><img border="0" src="images/new10.gif" width="28"
height="12" alt="(New)">
</b><br>
<br>
The firewall and server here at shorewall.net
are now running RedHat release 8.0.<br>
<p><b>9/30/2002 - Shorewall 1.3.9a</b><b>
</b></p>
Roles up the fix for broken tunnels.<br>
<p><b>9/30/2002 - TUNNELS Broken in 1.3.9!!!</b><b>
</b></p>
<img
src="images/j0233056.gif" alt="Brown Paper Bag" width="50" height="86"
align="left">
There is an updated firewall script
at <a
href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
-- copy that file to /usr/lib/shorewall/firewall.<br>
<p><b><br>
</b></p>
<p><b><br>
</b></p>
<p><b><br>
9/28/2002 - Shorewall 1.3.9 </b><b>
</b></p>
<p>In this version:<br>
</p>
<ul>
<li><a
href="configuration_file_basics.htm#dnsnames">DNS Names</a> are now
allowed in Shorewall config files (although I recommend
against using them).</li>
<li>The connection SOURCE
may now be qualified by both interface and IP address
in a <a href="Documentation.htm#Rules">Shorewall rule</a>.</li>
<li>Shorewall startup
is now disabled after initial installation until the
file /etc/shorewall/startup_disabled is removed. This avoids
nasty surprises at reboot for users who install Shorewall
but don't configure it.</li>
<li>The 'functions' and
'version' files and the 'firewall' symbolic link have been
moved from /var/lib/shorewall to /usr/lib/shorewall to appease
the LFS police at Debian.<br>
</li>
</ul>
<p><a href="News.htm">More News</a></p>
<h2><a name="Donations"></a>Donations</h2>
</td>
<td
width="88" bgcolor="#4b017c" valign="top" align="center"> <a
href="http://sourceforge.net">M</a></td>
</tr>
</tbody>
</table>
</center>
</div>
<table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c">
<tbody>
<tr>
<td
width="100%" style="margin-top: 1px;">
<p align="center"><a href="http://www.starlight.org"> <img <p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left" border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10"> hspace="10">
  </a></p>  
</a></p>
<p align="center"><font size="4" color="#ffffff">Shorewall is free <p align="center"><font size="4" color="#ffffff">Shorewall is free
but if you try it and find it useful, please consider making a donation but if you try it and find it useful, please consider making a donation
to <a href="http://www.starlight.org"><font to <a
color="#ffffff">Starlight Children's Foundation.</font></a> Thanks!</font></p> href="http://www.starlight.org"><font color="#ffffff">Starlight
</td> Children's Foundation.</font></a> Thanks!</font></p>
</tr>
</td>
</tr>
</tbody> </tbody>
</table> </table>
<p><font size="2">Updated 12/3/2002 - <a href="support.htm">Tom Eastep</a></font>
<p><font size="2">Updated 12/27/2002 - <a href="support.htm">Tom Eastep</a></font>
<br> <br>
</p> </p>
<br>
</body> </body>
</html> </html>

22
STABLE/documentation/sfindex.htm Normal file
View File

@ -0,0 +1,22 @@
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Shoreline Firewall</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<frameset cols="242,*">
<frame name="contents" target="main" src="Shorewall_sfindex_frame.htm">
<frame name="main" src="sourceforge_index.htm" target="_self" scrolling="auto">
<noframes>
<body>
<p>This page uses frames, but your browser doesn't support them.</p>
</body>
</noframes>
</frameset>
</html>

168
STABLE/documentation/shoreline.htm
View File

@ -1,120 +1,124 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>About the Shorewall Author</title> <title>About the Shorewall Author</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Tom Eastep</font></h1> <h1 align="center"><font color="#ffffff">Tom Eastep</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p align="center"> <img border="3" src="images/TomNTarry.png" <p align="center"> <img border="3" src="images/TomNTarry.png"
alt="Tom on the PCT - 1991" width="316" height="392"> alt="Tom on the PCT - 1991" width="316" height="392">
</p> </p>
<p align="center">Tarry &amp; Tom -- August 2002<br> <p align="center">Tarry &amp; Tom -- August 2002<br>
<br> <br>
</p> </p>
<ul> <ul>
<li>Born 1945 in <a <li>Born 1945 in <a
href="http://www.experiencewashington.com">Washington State</a> .</li> href="http://www.experiencewashington.com">Washington State</a> .</li>
<li>BA Mathematics from <a href="http://www.wsu.edu">Washington <li>BA Mathematics from <a href="http://www.wsu.edu">Washington
State University</a> 1967</li> State University</a> 1967</li>
<li>MA Mathematics from <a href="http://www.washington.edu">University <li>MA Mathematics from <a
of Washington</a> 1969</li> href="http://www.washington.edu">University of Washington</a> 1969</li>
<li>Burroughs Corporation (now <a <li>Burroughs Corporation (now <a
href="http://www.unisys.com">Unisys</a> ) 1969 - 1980</li> href="http://www.unisys.com">Unisys</a> ) 1969 - 1980</li>
<li><a href="http://www.tandem.com">Tandem Computers, Incorporated</a> <li><a href="http://www.tandem.com">Tandem Computers, Incorporated</a>
(now part of the <a href="http://www.hp.com">The New HP</a>) 1980 - present</li> (now part of the <a href="http://www.hp.com">The New HP</a>) 1980 -
<li>Married 1969 - no children.</li> present</li>
<li>Married 1969 - no children.</li>
</ul> </ul>
<p>I am currently a member of the design team for the next-generation <p>I am currently a member of the design team for the next-generation
operating system from the NonStop Enterprise Division of HP. </p> operating system from the NonStop Enterprise Division of HP. </p>
<p>I became interested in Internet Security when I established a home office <p>I became interested in Internet Security when I established a home office
in 1999 and had DSL service installed in our home. I investigated in 1999 and had DSL service installed in our home. I investigated
ipchains and developed the scripts which are now collectively known as ipchains and developed the scripts which are now collectively known as
<a href="http://seawall.sourceforge.net"> Seattle Firewall</a>. Expanding <a href="http://seawall.sourceforge.net"> Seattle Firewall</a>. Expanding
on what I learned from Seattle Firewall, I then designed and wrote on what I learned from Seattle Firewall, I then designed and wrote
Shorewall. </p> Shorewall. </p>
<p>I telework from our home in <a href="http://www.cityofshoreline.com">Shoreline, <p>I telework from our home in <a href="http://www.cityofshoreline.com">Shoreline,
Washington</a> where I live with my wife Tarry. </p> Washington</a> where I live with my wife Tarry. </p>
<p>Our current home network consists of: </p> <p>Our current home network consists of: </p>
<ul> <ul>
<li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &amp; 8GB IDE <li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &amp; 20GB
HDs and LNE100TX (Tulip) NIC - My personal Windows system. Also has IDE HDs and LNE100TX (Tulip) NIC - My personal Windows system. Also
RedHat 8.0 installed.</li> has <a href="http://www.mandrakelinux.com">Mandrake</a> 9.0 installed.</li>
<li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip) <li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip)
NIC - My personal Linux System which runs Samba configured as a WINS NIC - My personal Linux System which runs Samba configured as a WINS
server. This system also has <a href="http://www.vmware.com/">VMware</a> server. This system also has <a href="http://www.vmware.com/">VMware</a>
installed and can run both <a href="http://www.debian.org">Debian installed and can run both <a href="http://www.debian.org">Debian
Woody</a> and <a href="http://www.suse.com">SuSE 8.1</a> in virtual Woody</a> and <a href="http://www.suse.com">SuSE 8.1</a> in virtual
machines.</li> machines.</li>
<li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC  - Mail <li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC  -
(Postfix &amp; Courier-IMAP), HTTP (Apache), FTP (Pure_ftpd), DNS server Email (Postfix &amp; Courier-IMAP), HTTP (Apache), FTP (Pure_ftpd), DNS
(Bind).</li> server (Bind).</li>
<li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI HD - 3 LNE100TX  <li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI HD - 3 LNE100TX 
(Tulip) and 1 TLAN NICs  - Firewall running Shorewall 1.3.11  and a DHCP (Tulip) and 1 TLAN NICs  - Firewall running Shorewall 1.3.11  and a DHCP
server.  Also runs PoPToP for road warrior access.</li> server.  Also runs PoPToP for road warrior access.</li>
<li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - My wife's <li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - My
personal system.</li> wife's personal system.</li>
<li>PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB HD, onboard EEPRO100 <li>PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB HD, onboard
and EEPRO100 in expansion base and LinkSys WAC11 - My main work system.</li> EEPRO100 and EEPRO100 in expansion base and LinkSys WAC11 - My main
work system.</li>
</ul>
<p>For more about our network see <a href="myfiles.htm">my Shorewall Configuration</a>.</p>
</ul>
<p>For more about our network see <a href="myfiles.htm">my Shorewall Configuration</a>.</p>
<p>All of our other systems are made by <a <p>All of our other systems are made by <a
href="http://www.compaq.com">Compaq</a> (part of the new <a href="http://www.compaq.com">Compaq</a> (part of the new <a
href="http://www.hp.com/">HP</a>).. All of our Tulip NICs are <a href="http://www.hp.com/">HP</a>).. All of our Tulip NICs are <a
href="http://www.netgear.com">Netgear</a> FA310TXs.</p> href="http://www.netgear.com">Netgear</a> FA310TXs.</p>
<p><a href="http://www.redhat.com"><img border="0" <p><a href="http://www.redhat.com"><img border="0"
src="images/poweredby.png" width="88" height="31"> src="images/poweredby.png" width="88" height="31">
</a><a href="http://www.compaq.com"><img border="0" </a><a href="http://www.compaq.com"><img border="0"
src="images/poweredbycompaqlog0.gif" hspace="3" width="83" height="25"> src="images/poweredbycompaqlog0.gif" hspace="3" width="83" height="25">
</a><a href="http://www.pureftpd.org"><img border="0" </a><a href="http://www.pureftpd.org"><img border="0"
src="images/pure.jpg" width="88" height="31"> src="images/pure.jpg" width="88" height="31">
</a><font size="4"><a href="http://www.apache.org"><img border="0" </a><font size="4"><a href="http://www.apache.org"><img
src="images/apache_pb1.gif" hspace="2" width="170" height="20"> border="0" src="images/apache_pb1.gif" hspace="2" width="170"
</a> </font></p> height="20">
</a><a href="http://www.mandrakelinux.com"><img
<p><font size="2">Last updated 11/24/2002 - </font><font size="2"> src="images/medbutton.png" alt="Powered by Mandrake" width="90"
<a href="support.htm">Tom Eastep</a></font> </p> height="32">
<font face="Trebuchet MS"><a href="copyright.htm"><font </a><img src="images/shorewall.jpg" alt="Protected by Shorewall"
width="125" height="40" hspace="4">
</font></p>
<p><font size="2">Last updated 12/7/2002 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<font face="Trebuchet MS"><a href="copyright.htm"><font
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br> size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
<br> <br>
<br>
<br>
<br>
<br>
<br> <br>
</body> </body>
</html> </html>

202
STABLE/documentation/shorewall_extension_scripts.htm
View File

@ -1,113 +1,133 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta http-equiv="Content-Language" content="en-us">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<title>Shorewall Extension Scripts</title>
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall Extension Scripts</title>
</head> </head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90"> <table border="0" cellpadding="0" cellspacing="0"
<tr> style="border-collapse: collapse;" bordercolor="#111111" width="100%"
<td width="100%"> id="AutoNumber1" bgcolor="#400169" height="90">
<h1 align="center"><font color="#FFFFFF">Extension Scripts</font></h1>
</td> <tbody>
</tr> <tr>
</table>
<td width="100%">
<p>
Extension scripts are user-provided <h1 align="center"><font color="#ffffff">Extension Scripts</font></h1>
scripts that are invoked at various points during firewall start, restart,
stop and clear. The scripts are placed in /etc/shorewall and are processed </td>
using the Bourne shell "source" mechanism. The following scripts can be
supplied:</p> </tr>
<ul>
<li>init -- invoked early in "shorewall start" and "shorewall restart"</li>
<li>start -- invoked after the firewall has been started or restarted.</li> </tbody>
<li>stop -- invoked as a first step when the firewall is being stopped.</li> </table>
<li>stopped -- invoked after the firewall has been stopped.</li>
<li>clear -- invoked after the firewall has been cleared.</li>
<li>refresh -- invoked while the firewall is being refreshed but before the <p> Extension scripts are user-provided scripts that are invoked at various
common and/or blacklst chains have been rebuilt.</li> points during firewall start, restart, stop and clear. The scripts are
<li>newnotsyn (added in version 1.3.6) -- invoked after the 'newnotsyn' chain placed in /etc/shorewall and are processed using the Bourne shell "source"
has been created but before any rules have been added to it.</li> mechanism. The following scripts can be supplied:</p>
<ul>
<li>init -- invoked early in "shorewall start" and "shorewall restart"</li>
<li>start -- invoked after the firewall has been started or restarted.</li>
<li>stop -- invoked as a first step when the firewall is being stopped.</li>
<li>stopped -- invoked after the firewall has been stopped.</li>
<li>clear -- invoked after the firewall has been cleared.</li>
<li>refresh -- invoked while the firewall is being refreshed but before
the common and/or blacklst chains have been rebuilt.</li>
<li>newnotsyn (added in version 1.3.6) -- invoked after the 'newnotsyn'
chain has been created but before any rules have been added to it.</li>
</ul> </ul>
<p>
You can also supply a script with the same name as any of the filter <p><u><b>If your version of Shorewall doesn't have the file that you want
chains in the firewall and the script will be invoked after the /etc/shorewall/rules to use from the above list, you can simply create the file yourself.</b></u></p>
file has been processed but before the /etc/shorewall/policy file has <p> You can also supply a script with the same name as any of the filter
been processed.</p> chains in the firewall and the script will be invoked after the /etc/shorewall/rules
file has been processed but before the /etc/shorewall/policy file has been
processed.</p>
<p>The /etc/shorewall/common file receives special treatment. If this file is present, the rules that it
defines will totally replace the default rules in the common chain. These <p>The /etc/shorewall/common file receives special treatment. If this file
default rules are contained in the file /etc/shorewall/common.def which is present, the rules that it defines will totally replace the default
may be used as a starting point for making your own customized file.</p> rules in the common chain. These default rules are contained in the
file /etc/shorewall/common.def which may be used as a starting point
for making your own customized file.</p>
<p>
Rather than running iptables directly, you should run it using the function <p> Rather than running iptables directly, you should run it using the
run_iptables. Similarly, rather than running "ip" directly, you should function run_iptables. Similarly, rather than running "ip" directly,
use run_ip. These functions accept the same arguments as the underlying you should use run_ip. These functions accept the same arguments as the
command but cause the firewall to be stopped if an error occurs during underlying command but cause the firewall to be stopped if an error occurs
processing of the command.</p> during processing of the command.</p>
<p> If you decide to create /etc/shorewall/common it is a good idea to
use the following technique</p>
<p> /etc/shorewall/common:</p>
<blockquote>
<p> <pre>. /etc/shorewall/common.def<br>&lt;add your rules here&gt;</pre>
If you decide to create /etc/shorewall/common it is a good idea to use the </blockquote>
following technique</p>
<p>If you need to supercede a rule in the released common.def file, you can
add the superceding rule before the '.' command. Using this technique allows
you to add new rules while still getting the benefit of the latest common.def
file.</p>
<p> <p>Remember that /etc/shorewall/common defines rules that are only applied
/etc/shorewall/common:</p> if the applicable policy is DROP or REJECT. These rules are NOT applied
if the policy is ACCEPT or CONTINUE.</p>
<blockquote> <p>If you set ALLOWRELATED=No in shorewall.conf, then most ICMP packets will
<pre>. /etc/shorewall/common.def be rejected by the firewall. It is recommended with this setting that you
&lt;add your rules here&gt;</pre> create the file /etc/shorewall/icmpdef and in it place the following commands:</p>
</blockquote>
<p>If you need to supercede a rule in the released common.def file, you can add
the superceding rule before the '.' command. Using this technique allows
you to add new rules while still getting the benefit of the latest common.def
file.</p>
<p>Remember that /etc/shorewall/common defines rules
that are only applied if the applicable policy is DROP or REJECT. These rules
are NOT applied if the policy is ACCEPT or CONTINUE.</p>
<pre> run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT<br></pre>
<p>If you set ALLOWRELATED=No in shorewall.conf, then most ICMP packets will be <p align="left"><font size="2">Last updated 12/22/2002 - <a
rejected by the firewall. It is recommended with this setting that you create href="support.htm">Tom Eastep</a></font></p>
the file /etc/shorewall/icmpdef and in it place the following commands:</p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas
M. Eastep</font></a></p>
<br>
<pre> run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT
</pre>
<p align="left"><font size="2">Last updated
8/22/2002 - <a href="support.htm">Tom
Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas M. Eastep</font></a></p>
</body> </body>
</html>
</html>

374
STABLE/documentation/shorewall_quickstart_guide.htm
View File

@ -1,231 +1,269 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shorewall QuickStart Guide</title> <title>Shorewall QuickStart Guide</title>
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall QuickStart Guides<br> <h1 align="center"><font color="#ffffff">Shorewall QuickStart Guides<br>
Version 3.1</font></h1> Version 3.1</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p align="center">With thanks to Richard who reminded me once again that <p align="center">With thanks to Richard who reminded me once again that
we must all first walk before we can run.</p> we must all first walk before we can run.</p>
<h2>The Guides</h2> <h2>The Guides</h2>
<p>These guides provide step-by-step instructions for configuring Shorewall <p>These guides provide step-by-step instructions for configuring Shorewall
in common firewall setups.</p> in common firewall setups.</p>
<p>The following guides are for <b>users who have a single public IP address</b>:</p> <p>The following guides are for <b>users who have a single public IP address</b>:</p>
<ul> <ul>
<li><a href="standalone.htm">Standalone</a> Linux System</li> <li><a href="standalone.htm">Standalone</a> Linux System</li>
<li><a href="two-interface.htm">Two-interface</a> Linux System <li><a href="two-interface.htm">Two-interface</a> Linux System
acting as a firewall/router for a small local network</li> acting as a firewall/router for a small local network</li>
<li><a href="three-interface.htm">Three-interface</a> Linux System <li><a href="three-interface.htm">Three-interface</a> Linux
acting as a firewall/router for a small local network and a DMZ.</li> System acting as a firewall/router for a small local network and
a DMZ.</li>
</ul> </ul>
<p>The above guides are designed to get your first firewall up and running <p>The above guides are designed to get your first firewall up and running
quickly in the three most common Shorewall configurations.</p> quickly in the three most common Shorewall configurations.</p>
<p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> outlines <p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> outlines
the steps necessary to set up a firewall where <b>there are multiple the steps necessary to set up a firewall where <b>there are multiple
public IP addresses involved or if you want to learn more about Shorewall public IP addresses involved or if you want to learn more about Shorewall
than is explained in the single-address guides above.</b></p> than is explained in the single-address guides above.</b></p>
<ul> <ul>
<li><a href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a></li> <li><a href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a></li>
<li><a href="shorewall_setup_guide.htm#Concepts">2.0 Shorewall <li><a href="shorewall_setup_guide.htm#Concepts">2.0 Shorewall
Concepts</a></li> Concepts</a></li>
<li><a href="shorewall_setup_guide.htm#Interfaces">3.0 Network <li><a href="shorewall_setup_guide.htm#Interfaces">3.0 Network
Interfaces</a></li> Interfaces</a></li>
<li><a href="shorewall_setup_guide.htm#Addressing">4.0 Addressing, <li><a href="shorewall_setup_guide.htm#Addressing">4.0 Addressing,
Subnets and Routing</a> Subnets and Routing</a>
<ul> <ul>
<li><a href="shorewall_setup_guide.htm#Addresses">4.1 IP Addresses</a></li> <li><a href="shorewall_setup_guide.htm#Addresses">4.1 IP
<li><br> Addresses</a></li>
</li> <li><a
<li><a href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li> href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
<li><a href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li> <li><a href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li>
<li><a href="shorewall_setup_guide.htm#ARP">4.4 Address Resolution <li><a href="shorewall_setup_guide.htm#ARP">4.4 Address
Protocol</a></li> Resolution Protocol</a></li>
</ul>
<ul>
<li><a href="shorewall_setup_guide.htm#RFC1918">4.5 RFC 1918</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#Options">5.0 Setting up
your Network</a>
<ul>
<li><a href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li>
</ul>
<ul>
<li><a href="shorewall_setup_guide.htm#NonRouted">5.2 Non-routed</a>
<ul> </ul>
<li><a href="shorewall_setup_guide.htm#SNAT">5.2.1 SNAT</a></li>
<li><a href="shorewall_setup_guide.htm#DNAT">5.2.2 DNAT</a></li>
<li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3 Proxy
ARP</a></li>
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4 Static NAT</a></li>
<ul>
<li><a href="shorewall_setup_guide.htm#RFC1918">4.5 RFC
1918</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#Options">5.0 Setting
up your Network</a>
<ul>
<li><a href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li>
</ul>
<ul>
<li><a href="shorewall_setup_guide.htm#NonRouted">5.2 Non-routed</a>
<ul>
<li><a href="shorewall_setup_guide.htm#SNAT">5.2.1 SNAT</a></li>
<li><a href="shorewall_setup_guide.htm#DNAT">5.2.2 DNAT</a></li>
<li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3
Proxy ARP</a></li>
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4 Static
NAT</a></li>
</ul> </ul>
</li> </li>
<li><a href="shorewall_setup_guide.htm#Rules">5.3 Rules</a></li> <li><a href="shorewall_setup_guide.htm#Rules">5.3 Rules</a></li>
<li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4 Odds <li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4
and Ends</a></li> Odds and Ends</a></li>
</ul> </ul>
</li> </li>
<li><a href="shorewall_setup_guide.htm#DNS">6.0 DNS</a></li> <li><a href="shorewall_setup_guide.htm#DNS">6.0 DNS</a></li>
<li><a href="shorewall_setup_guide.htm#StartingAndStopping">7.0 <li><a
Starting and Stopping the Firewall</a></li> href="shorewall_setup_guide.htm#StartingAndStopping">7.0 Starting and
Stopping the Firewall</a></li>
</ul> </ul>
<h2><a name="Documentation"></a>Documentation Index</h2> <h2><a name="Documentation"></a>Documentation Index</h2>
<p>The following documentation covers a variety of topics and <b>supplements <p>The following documentation covers a variety of topics and <b>supplements
the <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a> described the <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a>
above</b>. Please review the appropriate guide before trying to use this described above</b>. Please review the appropriate guide before trying
documentation directly.</p> to use this documentation directly.</p>
<ul> <ul>
<li><a href="blacklisting_support.htm">Blacklisting</a> <li><a href="blacklisting_support.htm">Blacklisting</a>
<ul> <ul>
<li>Static Blacklisting using /etc/shorewall/blacklist</li> <li>Static Blacklisting using /etc/shorewall/blacklist</li>
<li>Dynamic Blacklisting using /sbin/shorewall</li> <li>Dynamic Blacklisting using /sbin/shorewall</li>
</ul> </ul>
</li> </li>
<li><a href="configuration_file_basics.htm">Common configuration <li><a href="configuration_file_basics.htm">Common configuration
file features</a> file features</a>
<ul> <ul>
<li>Comments in configuration files</li> <li>Comments in configuration files</li>
<li>Line Continuation</li> <li>Line Continuation</li>
<li>Port Numbers/Service Names</li> <li>Port Numbers/Service Names</li>
<li>Port Ranges</li> <li>Port Ranges</li>
<li>Using Shell Variables</li> <li>Using Shell Variables</li>
<li>Using DNS Names<br> <li>Using DNS Names<br>
</li> </li>
<li>Complementing an IP address or Subnet</li> <li>Complementing an IP address or Subnet</li>
<li>Shorewall Configurations (making a test configuration)</li> <li>Shorewall Configurations (making a test configuration)</li>
<li>Using MAC Addresses in Shorewall</li> <li>Using MAC Addresses in Shorewall</li>
<li>Logging<br>
</li>
</ul> </ul>
</li> </li>
<li><a href="Documentation.htm">Configuration File Reference Manual</a> <li><a href="Documentation.htm">Configuration File Reference
Manual</a>
<ul> <ul>
<li> <a href="Documentation.htm#Variables">params</a></li> <li> <a href="Documentation.htm#Variables">params</a></li>
<li><font color="#000099"><a href="Documentation.htm#Zones">zones</a></font></li> <li><font color="#000099"><a
<li><font color="#000099"><a href="Documentation.htm#Zones">zones</a></font></li>
<li><font color="#000099"><a
href="Documentation.htm#Interfaces">interfaces</a></font></li> href="Documentation.htm#Interfaces">interfaces</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#Hosts">hosts</a></font></li> <li><font color="#000099"><a
<li><font color="#000099"><a href="Documentation.htm#Hosts">hosts</a></font></li>
<li><font color="#000099"><a
href="Documentation.htm#Policy">policy</a></font></li> href="Documentation.htm#Policy">policy</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#Rules">rules</a></font></li> <li><font color="#000099"><a
<li><a href="Documentation.htm#Common">common</a></li> href="Documentation.htm#Rules">rules</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#Masq">masq</a></font></li> <li><a href="Documentation.htm#Common">common</a></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="Documentation.htm#Masq">masq</a></font></li>
<li><font color="#000099"><a
href="Documentation.htm#ProxyArp">proxyarp</a></font></li> href="Documentation.htm#ProxyArp">proxyarp</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#NAT">nat</a></font></li> <li><font color="#000099"><a
<li><font color="#000099"><a href="Documentation.htm#NAT">nat</a></font></li>
<li><font color="#000099"><a
href="Documentation.htm#Tunnels">tunnels</a></font></li> href="Documentation.htm#Tunnels">tunnels</a></font></li>
<li><a href="traffic_shaping.htm#tcrules">tcrules</a></li> <li><a href="traffic_shaping.htm#tcrules">tcrules</a></li>
<li><font color="#000099"><a href="Documentation.htm#Conf">shorewall.conf</a></font></li> <li><font color="#000099"><a
<li><a href="Documentation.htm#modules">modules</a></li> href="Documentation.htm#Conf">shorewall.conf</a></font></li>
<li><a href="Documentation.htm#TOS">tos</a> </li> <li><a href="Documentation.htm#modules">modules</a></li>
<li><a href="Documentation.htm#Blacklist">blacklist</a></li> <li><a href="Documentation.htm#TOS">tos</a> </li>
<li><a href="Documentation.htm#rfc1918">rfc1918</a></li> <li><a href="Documentation.htm#Blacklist">blacklist</a></li>
<li><a href="Documentation.htm#Routestopped">routestopped</a></li> <li><a href="Documentation.htm#rfc1918">rfc1918</a></li>
<li><a href="Documentation.htm#Routestopped">routestopped</a></li>
</ul> </ul>
</li> </li>
<li><a href="dhcp.htm">DHCP</a></li> <li><a href="dhcp.htm">DHCP</a></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="shorewall_extension_scripts.htm">Extension Scripts</a></font> (How href="shorewall_extension_scripts.htm">Extension Scripts</a></font> (How
to extend Shorewall without modifying Shorewall code)</li> to extend Shorewall without modifying Shorewall code)</li>
<li><a href="fallback.htm">Fallback/Uninstall</a></li> <li><a href="fallback.htm">Fallback/Uninstall</a></li>
<li><a href="shorewall_firewall_structure.htm">Firewall Structure</a></li> <li><a href="shorewall_firewall_structure.htm">Firewall Structure</a></li>
<li><font color="#000099"><a href="kernel.htm">Kernel Configuration</a></font></li> <li><font color="#000099"><a href="kernel.htm">Kernel Configuration</a></font></li>
<li><a href="myfiles.htm">My Configuration Files</a> (How I personally <li><a href="configuration_file_basics.htm#Levels">Logging</a><br>
use Shorewall)</li> </li>
<li><a href="ports.htm">Port Information</a> <li><a href="myfiles.htm">My Configuration Files</a> (How
I personally use Shorewall)</li>
<li><a href="ping.html">'Ping' Management</a><br>
</li>
<li><a href="ports.htm">Port Information</a>
<ul> <ul>
<li>Which applications use which ports</li> <li>Which applications use which ports</li>
<li>Ports used by Trojans</li> <li>Ports used by Trojans</li>
</ul> </ul>
</li> </li>
<li><a href="ProxyARP.htm">Proxy ARP</a></li> <li><a href="ProxyARP.htm">Proxy ARP</a></li>
<li><a href="samba.htm">Samba</a></li> <li><a href="samba.htm">Samba</a></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="starting_and_stopping_shorewall.htm">Starting/stopping the Firewall</a></font></li> href="starting_and_stopping_shorewall.htm">Starting/stopping the Firewall</a></font></li>
<ul> <ul>
<li>Description of all /sbin/shorewall commands</li> <li>Description of all /sbin/shorewall commands</li>
<li>How to safely test a Shorewall configuration change<br> <li>How to safely test a Shorewall configuration change<br>
</li> </li>
</ul> </ul>
<li><font color="#000099"><a href="NAT.htm">Static NAT</a></font></li> <li><font color="#000099"><a href="NAT.htm">Static NAT</a></font></li>
<li><a href="traffic_shaping.htm">Traffic Shaping/Control</a></li> <li><a href="traffic_shaping.htm">Traffic Shaping/Control</a></li>
<li>VPN <li>VPN
<ul> <ul>
<li><a href="IPSEC.htm">IPSEC</a></li> <li><a href="IPSEC.htm">IPSEC</a></li>
<li><a href="IPIP.htm">GRE and IPIP</a></li> <li><a href="IPIP.htm">GRE and IPIP</a></li>
<li><a href="PPTP.htm">PPTP</a></li> <li><a href="PPTP.htm">PPTP</a></li>
<li><a href="VPN.htm">IPSEC/PPTP</a> from a system behind your <li><a href="VPN.htm">IPSEC/PPTP</a> from a system behind
firewall to a remote network.</li> your firewall to a remote network.</li>
</ul> </ul>
</li> </li>
<li><a href="whitelisting_under_shorewall.htm">White List Creation</a></li> <li><a href="whitelisting_under_shorewall.htm">White List
Creation</a></li>
</ul> </ul>
<p>If you use one of these guides and have a suggestion for improvement <a <p>If you use one of these guides and have a suggestion for improvement <a
href="mailto:webmaster@shorewall.net">please let me know</a>.</p> href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
<p><font size="2">Last modified 11/19/2002 - <a href="support.htm">Tom Eastep</a></font></p> <p><font size="2">Last modified 12/13/2002 - <a href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright 2002 Thomas M. Eastep</font></a><br> <p><a href="copyright.htm"><font size="2">Copyright 2002 Thomas M. Eastep</font></a><br>
</p> </p>
<br>
<br>
<br>
<br>
<br> <br>
</body> </body>
</html> </html>

4028
STABLE/documentation/shorewall_setup_guide.htm
View File

File diff suppressed because it is too large Load Diff

454
STABLE/documentation/sourceforge_index.htm Normal file
View File

@ -0,0 +1,454 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.3</title>
<base target="_self">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="4"
style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c">
<tbody>
<tr>
<td width="100%" height="90">
<h1 align="center"> <font size="4"><i> <a
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4"
alt="Shorwall Logo" height="70" width="85" align="left"
src="images/washington.jpg" border="0">
</a></i></font><font color="#ffffff">Shorewall 1.3 -
<font size="4">"<i>iptables made easy"</i></font></font><a
href="http://www.sf.net"> </a></h1>
<div align="center"><a href="/1.2/index.html" target="_top"><font
color="#ffffff">Shorewall 1.2 Site here</font></a></div>
</td>
</tr>
</tbody>
</table>
<div align="center">
<center>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody>
<tr>
<td width="90%">
<h2 align="left">What is it?</h2>
<p>The Shoreline Firewall, more commonly known as "Shorewall", is a
<a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
that can be used on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system.</p>
<p>This program is free software; you can redistribute it and/or modify
it under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU General
Public License</a> as published by the Free Software Foundation.<br>
<br>
This program is distributed in the hope that
it will be useful, but WITHOUT ANY WARRANTY; without
even the implied warranty of MERCHANTABILITY or
FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
Public License for more details.<br>
<br>
You should have received a copy of the GNU
General Public License along with this program;
if not, write to the Free Software Foundation,
Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
<p><a href="copyright.htm">Copyright 2001, 2002 Thomas M. Eastep</a></p>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques Nilo and Eric Wolzak have
a LEAF (router/firewall/gateway on a floppy, CD or compact
flash) distribution called <i>Bering</i> that
features Shorewall-1.3.10 and Kernel-2.4.18. You
can find their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
<b>Congratulations to Jacques and Eric on the recent
release of Bering 1.0 Final!!! <br>
</b>
<h2>News</h2>
<p><b>12/20/2002 - Shorewall 1.3.12 Beta 3</b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b><br>
</p>
This version corrects a problem with Blacklist logging. In Beta 2, if BLACKLIST_LOG_LEVEL
was set to anything but ULOG, the firewall would fail to start and "shorewall
refresh" would also fail.<br>
<p> You may download the Beta from:<br>
</p>
<blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
</blockquote>
<p><b>12/20/2002 - Shorewall 1.3.12 Beta 2</b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
The first public Beta version of Shorewall 1.3.12 is now available (Beta
1 was made available only to a limited audience). <br>
<br>
Features include:<br>
<br>
<ol>
<li>"shorewall refresh" now reloads the traffic shaping rules
(tcrules and tcstart).</li>
<li>"shorewall debug [re]start" now turns off debugging after
an error occurs. This places the point of the failure near the end of the
trace rather than up in the middle of it.</li>
<li>"shorewall [re]start" has been speeded up by more than 40%
with my configuration. Your milage may vary.</li>
<li>A "shorewall show classifiers" command has been added which
shows the current packet classification filters. The output from this command
is also added as a separate page in "shorewall monitor"</li>
<li>ULOG (must be all caps) is now accepted as a valid syslog
level and causes the subject packets to be logged using the ULOG target rather
than the LOG target. This allows you to run ulogd (available from
<a href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
and log all Shorewall messages <a
href="configuration_file_basics.htm#Levels">to a separate log file</a>.</li>
<li>If you are running a kernel that has a FORWARD chain in the
mangle table ("shorewall show mangle" will show you the chains in the mangle
table), you can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf. This allows
for marking input packets based on their destination even when you are using
Masquerading or SNAT.</li>
<li>I have cluttered up the /etc/shorewall directory with empty
'init', 'start', 'stop' and 'stopped' files. If you already have a file with
one of these names, don't worry -- the upgrade process won't overwrite your
file.</li>
</ol>
You may download the Beta from:<br>
<blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
</blockquote>
<p><b>12/12/2002 - Mandrake Multi Network Firewall <a
href="http://www.mandrakesoft.com"><img src="images/logo2.png"
alt="Powered by Mandrake Linux" width="150" height="23" border="0">
</a></b></p>
Shorewall is at the center of MandrakeSofts's recently-announced <a
href="http://www.mandrakestore.com/mdkinc/index.php?PAGE=tab_0/menu_0.php&amp;id_art=250&amp;LANG_=en#GOTO_250">Multi
Network Firewall (MNF)</a> product. Here is the <a
href="http://www.mandrakesoft.com/company/press/pr?n=/pr/products/2403">press
release</a>.<br>
<p><b>12/7/2002 - Shorewall Support for Mandrake 9.0</b><b>
</b></p>
<p>Two months and 3 days after I pre-ordered Mandrake 9.0, it was finally
delivered. I have installed 9.0 on one of my systems and I am now in a
position to support Shorewall users who run Mandrake 9.0.</p>
<p><b>12/6/2002 -  Debian 1.3.11a Packages Available</b><b></b><br>
</p>
<p>Apt-get sources listed at <a
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html.</a></p>
<p><b>12/3/2002 - Shorewall 1.3.11a</b><b>
</b></p>
<p>This is a bug-fix roll up which includes Roger Aich's fix for DNAT
with excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11 users
who don't need rules of this type need not upgrade to 1.3.11.</p>
<p><b>11/25/2002 - Shorewall 1.3.11 Documentation in PDF Format</b><b>
</b></p>
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.11
documenation. the PDF may be downloaded from</p>
<p>    <a
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
</p>
<p><b>11/24/2002 - Shorewall 1.3.11</b><b>
</b></p>
<p>In this version:</p>
<ul>
<li>A 'tcpflags' option has been added to entries
in <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
This option causes Shorewall to make a set of sanity check on TCP packet
header flags.</li>
<li>It is now allowed to use 'all' in the SOURCE or
DEST column in a <a href="Documentation.htm#Rules">rule</a>. When
used, 'all' must appear by itself (in may not be qualified) and it does
not enable intra-zone traffic. For example, the rule <br>
<br>
    ACCEPT loc all tcp 80<br>
<br>
does not enable http traffic from 'loc' to 'loc'.</li>
<li>Shorewall's use of the 'echo' command is now compatible
with bash clones such as ash and dash.</li>
<li>fw-&gt;fw policies now generate a startup error.
fw-&gt;fw rules generate a warning and are ignored</li>
</ul>
<p><b>11/14/2002 - Shorewall Documentation in PDF Format</b><b>
</b></p>
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10
documenation. the PDF may be downloaded from</p>
<p>    <a
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
</p>
<p><b></b></p>
<ul>
</ul>
<p><b></b><a href="News.htm">More News</a></p>
<h2> </h2>
<h1 align="center"><a href="http://www.sf.net"><img align="left"
alt="SourceForge Logo"
src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3">
</a></h1>
<h4> </h4>
<h2>This site is hosted by the generous folks at <a
href="http://www.sf.net">SourceForge.net</a> </h2>
<h2><a name="Donations"></a>Donations</h2>
</td>
<td width="88" bgcolor="#4b017c" valign="top"
align="center"> <br>
</td>
</tr>
</tbody>
</table>
</center>
</div>
<table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c">
<tbody>
<tr>
<td width="100%" style="margin-top: 1px;">
<p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10">
</a></p>
<p align="center"><font size="4" color="#ffffff">Shorewall is free but
if you try it and find it useful, please consider making a donation
to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight Children's
Foundation.</font></a> Thanks!</font></p>
</td>
</tr>
</tbody>
</table>
<p><font size="2">Updated 12/22/2002 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
</body>
</html>

701
STABLE/documentation/standalone.htm
View File

@ -1,427 +1,430 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Standalone Firewall</title> <title>Standalone Firewall</title>
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber6" bgcolor="#400169" height="90"> id="AutoNumber6" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Standalone Firewall</font></h1> <h1 align="center"><font color="#ffffff">Standalone Firewall</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<h2 align="center">Version 2.0.1</h2> <h2 align="center">Version 2.0.1</h2>
<p align="left">Setting up Shorewall on a standalone Linux system is very <p align="left">Setting up Shorewall on a standalone Linux system is very
easy if you understand the basics and follow the documentation.</p> easy if you understand the basics and follow the documentation.</p>
<p>This guide doesn't attempt to acquaint you with all of the features of <p>This guide doesn't attempt to acquaint you with all of the features of
Shorewall. It rather focuses on what is required to configure Shorewall Shorewall. It rather focuses on what is required to configure Shorewall
in one of its most common configurations:</p> in one of its most common configurations:</p>
<ul> <ul>
<li>Linux system</li> <li>Linux system</li>
<li>Single external IP address</li> <li>Single external IP address</li>
<li>Connection through Cable Modem, DSL, ISDN, Frame Relay, dial-up...</li> <li>Connection through Cable Modem, DSL, ISDN, Frame Relay, dial-up...</li>
</ul> </ul>
<p>This guide assumes that you have the iproute/iproute2 package installed <p>This guide assumes that you have the iproute/iproute2 package installed
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell if (on RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell
this package is installed by the presence of an <b>ip</b> program on your if this package is installed by the presence of an <b>ip</b> program on
firewall system. As root, you can use the 'which' command to check for your firewall system. As root, you can use the 'which' command to check
this program:</p> for this program:</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre> <pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
<p>I recommend that you read through the guide first to familiarize yourself
with what's involved then go back through it again making your configuration
changes.  Points at which configuration changes are recommended are flagged
with <img border="0" src="images/BD21298_.gif" width="13" height="13">
.</p>
<p>I recommend that you read through the guide first to familiarize yourself
with what's involved then go back through it again making your configuration
changes.  Points at which configuration changes are recommended are flagged
with <img border="0" src="images/BD21298_.gif" width="13" height="13">
.</p>
<p><img border="0" src="images/j0213519.gif" width="60" height="60"> <p><img border="0" src="images/j0213519.gif" width="60" height="60">
    If you edit your configuration files on a Windows system, you must     If you edit your configuration files on a Windows system, you must
save them as Unix files if your editor supports that option or you must save them as Unix files if your editor supports that option or you must
run them through dos2unix before trying to use them. Similarly, if you copy run them through dos2unix before trying to use them. Similarly, if you copy
a configuration file from your Windows hard drive to a floppy disk, you a configuration file from your Windows hard drive to a floppy disk, you must
must run dos2unix against the copy before using it with Shorewall.</p> run dos2unix against the copy before using it with Shorewall.</p>
<ul> <ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
of dos2unix</a></li> of dos2unix</a></li>
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux <li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
Version of dos2unix</a></li> Version of dos2unix</a></li>
</ul> </ul>
<h2 align="left">Shorewall Concepts</h2> <h2 align="left">Shorewall Concepts</h2>
<p>The configuration files for Shorewall are contained in the directory <p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
/etc/shorewall -- for simple setups, you only need to deal with a few of alt="">
these as described in this guide. After you have <a href="Install.htm">installed     The configuration files for Shorewall are contained in the directory
Shorewall</a>, download the <a /etc/shorewall -- for simple setups, you only need to deal with a few of
href="/pub/shorewall/LATEST.samples/one-interface.tgz">one-interface sample</a>, these as described in this guide. After you have <a href="Install.htm">installed
un-tar it (tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewall Shorewall</a>, <b>download the <a
(they will replace files with the same names that were placed in /etc/shorewall href="/pub/shorewall/LATEST.samples/one-interface.tgz">one-interface sample</a>,
during Shorewall installation).</p> un-tar it (tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewall
(they will replace files with the same names that were placed in /etc/shorewall
<p>As each file is introduced, I suggest that you look through the actual during Shorewall installation)</b>.</p>
file on your system -- each file contains detailed configuration instructions
and default entries.</p> <p>As each file is introduced, I suggest that you look through the actual
file on your system -- each file contains detailed configuration instructions
<p>Shorewall views the network where it is running as being composed of a and default entries.</p>
set of <i>zones.</i> In the one-interface sample configuration, only one
zone is defined:</p> <p>Shorewall views the network where it is running as being composed of a
set of <i>zones.</i> In the one-interface sample configuration, only one
zone is defined:</p>
<table border="0" style="border-collapse: collapse;" cellpadding="3" <table border="0" style="border-collapse: collapse;" cellpadding="3"
cellspacing="0" id="AutoNumber2"> cellspacing="0" id="AutoNumber2">
<tbody> <tbody>
<tr>
<td><u><b>Name</b></u></td>
<td><u><b>Description</b></u></td>
</tr>
<tr> <tr>
<td><u><b>Name</b></u></td> <td><b>net</b></td>
<td><u><b>Description</b></u></td> <td><b>The Internet</b></td>
</tr> </tr>
<tr>
<td><b>net</b></td> </tbody>
<td><b>The Internet</b></td>
</tr>
</tbody>
</table> </table>
<p>Shorewall zones are defined in <a href="Documentation.htm#Zones"> /etc/shorewall/zones</a>.</p> <p>Shorewall zones are defined in <a href="Documentation.htm#Zones"> /etc/shorewall/zones</a>.</p>
<p>Shorewall also recognizes the firewall system as its own zone - by default, <p>Shorewall also recognizes the firewall system as its own zone - by default,
the firewall itself is known as <b>fw</b>.</p> the firewall itself is known as <b>fw</b>.</p>
<p>Rules about what traffic to allow and what traffic to deny are expressed <p>Rules about what traffic to allow and what traffic to deny are expressed
in terms of zones.</p> in terms of zones.</p>
<ul> <ul>
<li>You express your default policy for connections from one zone to <li>You express your default policy for connections from one zone
another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy to another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
</a>file.</li> </a>file.</li>
<li>You define exceptions to those default policies in the <a <li>You define exceptions to those default policies in the <a
href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li> href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
</ul> </ul>
<p>For each connection request entering the firewall, the request is first <p>For each connection request entering the firewall, the request is first
checked against the /etc/shorewall/rules file. If no rule in that file matches checked against the /etc/shorewall/rules file. If no rule in that file
the connection request then the first policy in /etc/shorewall/policy that matches the connection request then the first policy in /etc/shorewall/policy
matches the request is applied. If that policy is REJECT or DROP  the that matches the request is applied. If that policy is REJECT or DROP 
request is first checked against the rules in /etc/shorewall/common (the the request is first checked against the rules in /etc/shorewall/common
samples provide that file for you).</p> (the samples provide that file for you).</p>
<p>The /etc/shorewall/policy file included with the one-interface sample has <p>The /etc/shorewall/policy file included with the one-interface sample
the following policies:</p> has the following policies:</p>
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber3"> id="AutoNumber3">
<tbody> <tbody>
<tr>
<td><u><b>SOURCE ZONE</b></u></td>
<td><u><b>DESTINATION ZONE</b></u></td>
<td><u><b>POLICY</b></u></td>
<td><u><b>LOG LEVEL</b></u></td>
<td><u><b>LIMIT:BURST</b></u></td>
</tr>
<tr> <tr>
<td><u><b>SOURCE ZONE</b></u></td> <td>fw</td>
<td><u><b>DESTINATION ZONE</b></u></td> <td>net</td>
<td><u><b>POLICY</b></u></td> <td>ACCEPT</td>
<td><u><b>LOG LEVEL</b></u></td> <td> </td>
<td><u><b>LIMIT:BURST</b></u></td> <td> </td>
</tr> </tr>
<tr> <tr>
<td>fw</td> <td>net</td>
<td>net</td> <td>net</td>
<td>ACCEPT</td> <td>DROP</td>
<td> </td> <td>info</td>
<td> </td> <td> </td>
</tr> </tr>
<tr> <tr>
<td>net</td> <td>all</td>
<td>net</td> <td>all</td>
<td>DROP</td> <td>REJECT</td>
<td>info</td> <td>info</td>
<td> </td> <td> </td>
</tr> </tr>
<tr>
<td>all</td> </tbody>
<td>all</td>
<td>REJECT</td>
<td>info</td>
<td> </td>
</tr>
</tbody>
</table> </table>
</blockquote> </blockquote>
<pre> fw net ACCEPT<br> net all DROP info<br> all all REJECT info</pre> <pre> fw net ACCEPT<br> net all DROP info<br> all all REJECT info</pre>
<p>The above policy will:</p> <p>The above policy will:</p>
<ol> <ol>
<li>allow all connection requests from the firewall to the internet</li> <li>allow all connection requests from the firewall to the internet</li>
<li>drop (ignore) all connection requests from the internet to your <li>drop (ignore) all connection requests from the internet to your
firewall</li> firewall</li>
<li>reject all other connection requests (Shorewall requires this catchall <li>reject all other connection requests (Shorewall requires this
policy).</li> catchall policy).</li>
</ol> </ol>
<p>At this point, edit your /etc/shorewall/policy and make any changes that <p>At this point, edit your /etc/shorewall/policy and make any changes that
you wish.</p> you wish.</p>
<h2 align="left">External Interface</h2> <h2 align="left">External Interface</h2>
<p align="left">The firewall has a single network interface. Where Internet <p align="left">The firewall has a single network interface. Where Internet
connectivity is through a cable or DSL "Modem", the <i>External Interface</i> connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
will be the ethernet adapter (<b>eth0</b>) that is connected to that "Modem"  will be the ethernet adapter (<b>eth0</b>) that is connected to that "Modem" 
<u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol
over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling
<u>P</u>rotocol </i>(PPTP) in which case the External Interface will be <u>P</u>rotocol </i>(PPTP) in which case the External Interface will be
a <b>ppp0</b>. If you connect via a regular modem, your External Interface a <b>ppp0</b>. If you connect via a regular modem, your External Interface
will also be <b>ppp0</b>. If you connect using ISDN, your external interface will also be <b>ppp0</b>. If you connect using ISDN, your external interface
will be<b> ippp0.</b></p> will be<b> ippp0.</b></p>
<p align="left"><img border="0" src="images/BD21298_3.gif" width="13" <p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
height="13"> height="13">
    The Shorewall one-interface sample configuration assumes that the     The Shorewall one-interface sample configuration assumes that the
external interface is <b>eth0</b>. If your configuration is different, you external interface is <b>eth0</b>. If your configuration is different,
will have to modify the sample /etc/shorewall/interfaces file accordingly. you will have to modify the sample /etc/shorewall/interfaces file accordingly.
While you are there, you may wish to review the list of options that are While you are there, you may wish to review the list of options that are
specified for the interface. Some hints:</p> specified for the interface. Some hints:</p>
<ul> <ul>
<li> <li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>, <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>,
you can replace the "detect" in the second column with "-". </p> you can replace the "detect" in the second column with "-". </p>
</li> </li>
<li> <li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b> <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>
or if you have a static IP address, you can remove "dhcp" from the option or if you have a static IP address, you can remove "dhcp" from the option
list. </p> list. </p>
</li> </li>
</ul> </ul>
<div align="left"> <div align="left">
<h2 align="left">IP Addresses</h2> <h2 align="left">IP Addresses</h2>
</div> </div>
<div align="left"> <div align="left">
<p align="left">RFC 1918 reserves several <i>Private </i>IP address ranges <p align="left">RFC 1918 reserves several <i>Private </i>IP address ranges
for use in private networks:</p> for use in private networks:</p>
<div align="left"> <div align="left">
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre> <pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
</div> </div>
<p align="left">These addresses are sometimes referred to as <i>non-routable</i> <p align="left">These addresses are sometimes referred to as <i>non-routable</i>
because the Internet backbone routers will not forward a packet whose because the Internet backbone routers will not forward a packet whose
destination address is reserved by RFC 1918. In some cases though, ISPs destination address is reserved by RFC 1918. In some cases though, ISPs
are assigning these addresses then using <i>Network Address Translation are assigning these addresses then using <i>Network Address Translation
</i>to rewrite packet headers when forwarding to/from the internet.</p> </i>to rewrite packet headers when forwarding to/from the internet.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" align="left" <p align="left"><img border="0" src="images/BD21298_.gif" align="left"
width="13" height="13"> width="13" height="13">
     Before starting Shorewall, you should look at the IP address of      Before starting Shorewall, you should look at the IP address
your external interface and if it is one of the above ranges, you should of your external interface and if it is one of the above ranges, you
remove the 'norfc1918' option from the entry in /etc/shorewall/interfaces.</p> should remove the 'norfc1918' option from the entry in /etc/shorewall/interfaces.</p>
</div>
<div align="left">
<h2 align="left">Enabling other Connections</h2>
</div> </div>
<div align="left"> <div align="left">
<p align="left">If you wish to enable connections from the internet to your <h2 align="left">Enabling other Connections</h2>
firewall, the general format is:</p> </div>
</div>
<div align="left">
<div align="left"> <p align="left">If you wish to enable connections from the internet to your
<blockquote> firewall, the general format is:</p>
</div>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber4"> id="AutoNumber4">
<tbody> <tbody>
<tr>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr>
<tr> <tr>
<td>ACCEPT</td> <td><u><b>ACTION</b></u></td>
<td>net</td> <td><u><b>SOURCE</b></u></td>
<td>fw</td> <td><u><b>DESTINATION</b></u></td>
<td><i>&lt;protocol&gt;</i></td> <td><u><b>PROTOCOL</b></u></td>
<td><i>&lt;port&gt;</i></td> <td><u><b>PORT</b></u></td>
<td> </td> <td><u><b>SOURCE PORT</b></u></td>
<td> </td> <td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr> </tr>
<tr>
</tbody> <td>ACCEPT</td>
<td>net</td>
<td>fw</td>
<td><i>&lt;protocol&gt;</i></td>
<td><i>&lt;port&gt;</i></td>
<td> </td>
<td> </td>
</tr>
</tbody>
</table> </table>
</blockquote> </blockquote>
</div>
<div align="left">
<p align="left">Example - You want to run a Web Server and a POP3 Server
on your firewall system:</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left">Example - You want to run a Web Server and a POP3 Server on <blockquote>
your firewall system:</p>
</div>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber5"> id="AutoNumber5">
<tbody> <tbody>
<tr>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr>
<tr> <tr>
<td>ACCEPT</td> <td><u><b>ACTION</b></u></td>
<td>net</td> <td><u><b>SOURCE</b></u></td>
<td>fw</td> <td><u><b>DESTINATION</b></u></td>
<td>tcp</td> <td><u><b>PROTOCOL</b></u></td>
<td>80</td> <td><u><b>PORT</b></u></td>
<td> </td> <td><u><b>SOURCE PORT</b></u></td>
<td> </td> <td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr> </tr>
<tr> <tr>
<td>ACCEPT</td> <td>ACCEPT</td>
<td>net</td> <td>net</td>
<td>fw</td> <td>fw</td>
<td>tcp</td> <td>tcp</td>
<td>110</td> <td>80</td>
<td> </td> <td> </td>
<td> </td> <td> </td>
</tr> </tr>
<tr>
</tbody> <td>ACCEPT</td>
<td>net</td>
<td>fw</td>
<td>tcp</td>
<td>110</td>
<td> </td>
<td> </td>
</tr>
</tbody>
</table> </table>
</blockquote> </blockquote>
</div>
<div align="left">
<p align="left">If you don't know what port and protocol a particular
application uses, see <a href="ports.htm">here</a>.</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left">If you don't know what port and protocol a particular application <p align="left"><b>Important: </b>I don't recommend enabling telnet to/from
uses, see <a href="ports.htm">here</a>.</p> the internet because it uses clear text (even for login!). If you want
</div> shell access to your firewall from the internet, use SSH:</p>
</div>
<div align="left">
<p align="left"><b>Important: </b>I don't recommend enabling telnet to/from <div align="left">
the internet because it uses clear text (even for login!). If you want <blockquote>
shell access to your firewall from the internet, use SSH:</p>
</div>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber4"> id="AutoNumber4">
<tbody> <tbody>
<tr>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr>
<tr> <tr>
<td>ACCEPT</td> <td><u><b>ACTION</b></u></td>
<td>net</td> <td><u><b>SOURCE</b></u></td>
<td>fw</td> <td><u><b>DESTINATION</b></u></td>
<td>tcp</td> <td><u><b>PROTOCOL</b></u></td>
<td>22</td> <td><u><b>PORT</b></u></td>
<td> </td> <td><u><b>SOURCE PORT</b></u></td>
<td> </td> <td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr> </tr>
<tr>
</tbody> <td>ACCEPT</td>
<td>net</td>
<td>fw</td>
<td>tcp</td>
<td>22</td>
<td> </td>
<td> </td>
</tr>
</tbody>
</table> </table>
</blockquote> </blockquote>
</div> </div>
<div align="left"> <div align="left">
<pre> ACCEPT net fw tcp 22</pre> <pre> ACCEPT net fw tcp 22</pre>
</div> </div>
<div align="left"> <div align="left">
<p align="left"><img border="0" src="images/BD21298_3.gif" width="13" <p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
height="13"> height="13">
    At this point, edit /etc/shorewall/rules to add other connections     At this point, edit /etc/shorewall/rules to add other connections
as desired.</p> as desired.</p>
</div>
<div align="left">
<h2 align="left">Starting and Stopping Your Firewall</h2>
</div> </div>
<div align="left"> <div align="left">
<h2 align="left">Starting and Stopping Your Firewall</h2>
</div>
<div align="left">
<p align="left"> <img border="0" src="images/BD21298_2.gif" <p align="left"> <img border="0" src="images/BD21298_2.gif"
width="13" height="13" alt="Arrow"> width="13" height="13" alt="Arrow">
    The <a href="Install.htm">installation procedure </a> configures     The <a href="Install.htm">installation procedure </a> configures
your system to start Shorewall at system boot but beginning with Shorewall your system to start Shorewall at system boot but beginning with Shorewall
version 1.3.9 startup is disabled so that your system won't try to start version 1.3.9 startup is disabled so that your system won't try to start
Shorewall before configuration is complete. Once you have completed configuration Shorewall before configuration is complete. Once you have completed configuration
of your firewall, you can enable Shorewall startup by removing the file /etc/shorewall/startup_disabled.<br> of your firewall, you can enable Shorewall startup by removing the file /etc/shorewall/startup_disabled.<br>
</p> </p>
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Users of the .deb
package must edit /etc/default/shorewall and set 'startup=1'.</font><br>
</p>
</div>
<div align="left"> <p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Users of the .deb
<p align="left">The firewall is started using the "shorewall start" command package must edit /etc/default/shorewall and set 'startup=1'.</font><br>
and stopped using "shorewall stop". When the firewall is stopped, routing </p>
is enabled on those hosts that have an entry in <a </div>
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A
running firewall may be restarted using the "shorewall restart" command. <div align="left">
If you want to totally remove any trace of Shorewall from your Netfilter <p align="left">The firewall is started using the "shorewall start" command
configuration, use "shorewall clear".</p> and stopped using "shorewall stop". When the firewall is stopped, routing
</div> is enabled on those hosts that have an entry in <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A
<div align="left"> running firewall may be restarted using the "shorewall restart" command.
<p align="left"><b>WARNING: </b>If you are connected to your firewall from If you want to totally remove any trace of Shorewall from your Netfilter
the internet, do not issue a "shorewall stop" command unless you have configuration, use "shorewall clear".</p>
added an entry for the IP address that you are connected from to <a </div>
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better to create <div align="left">
an <i><a href="configuration_file_basics.htm#Configs">alternate configuration</a></i> <p align="left"><b>WARNING: </b>If you are connected to your firewall from
and test it using the <a href="starting_and_stopping_shorewall.htm">"shorewall the internet, do not issue a "shorewall stop" command unless you have
try" command</a>.</p> added an entry for the IP address that you are connected from to <a
</div> href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better to create
<p align="left"><font size="2">Last updated 11/21/2002 - <a an <i><a href="configuration_file_basics.htm#Configs">alternate configuration</a></i>
and test it using the <a href="starting_and_stopping_shorewall.htm">"shorewall
try" command</a>.</p>
</div>
<p align="left"><font size="2">Last updated 12/9/2002 - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas <p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas
M. Eastep</font></a></p> M. Eastep</font></a></p>
<br> <br>
<br>
<br> <br>
<br> <br>
<br> <br>

364
STABLE/documentation/support.htm
View File

@ -1,85 +1,122 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<title>Support</title> <title>Support</title>
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Support</font></h1>
</td> <h1 align="center"><font color="#ffffff">Shorewall Support<img
</tr> src="images/obrasinf.gif" alt="" width="90" height="90" align="middle">
</font></h1>
</tbody> </td>
</tr>
</tbody>
</table> </table>
<h3 align="left"> <span style="font-weight: 400;"><i> "<font size="3">It <p> <br>
is easier to post a problem than to use your own brain" </font>-- </i> <font <span style="font-weight: 400;"></span></p>
size="2">Wietse Venema (creator of <a href="http://www.postfix.org">Postfix</a>)</font></span></h3>
<h2><big><font color="#ff0000"><b>I don't look at problems sent to me directly
<p align="left"> <i>"Any sane computer will tell you how it works -- you but I try to spend some amount of time each day responding to problems
just have to ask it the right questions" </i>-- <font size="2">Tom Eastep</font></p> posted on the Shorewall mailing list.</b></font></big></h2>
<blockquote> </blockquote> <h2 align="center"><big><font color="#ff0000"><b>-Tom</b></font></big></h2>
<p><span style="font-weight: 400;"><i>"It irks me when people believe that <h2>Before Reporting a Problem</h2>
free software comes at no cost. The cost is incredibly high."</i>
- <font size="2"> Wietse Venem<br> <h3>T<b>here are a number of sources for problem solution information. Please
</font></span></p> try these before you post.</b></h3>
<h3 align="left">Before Reporting a Problem</h3> <h3> </h3>
<b><i>"Reading the documentation fully is a prerequisite to getting help
for your particular situation. I know it's harsh but you will have to get <h3> </h3>
so far on your own before you can get reasonable help from a list full of
busy people. A mailing list is not a tool to speed up your day by being
spoon fed</i></b><i><b>".</b> </i>-- Simon White<br>
<p>There are also a number of sources for problem solution information.</p>
<ul> <ul>
<li>The <a href="FAQ.htm">FAQ</a> has solutions to common problems.</li> <li>
<li>The <a href="troubleshoot.htm">Troubleshooting</a> Information <h3><b>The <a href="FAQ.htm">FAQ</a> has solutions to more than 20 common
contains a number of tips to help you solve common problems.</li> problems.</b></h3>
<li>The <a href="errata.htm"> Errata</a> has links to download </li>
updated components.</li>
<li>The Mailing List Archives search facility can locate posts
about similar problems:</li>
</ul> </ul>
<h3> </h3>
<ul>
<li>
<h3><b>The <a href="troubleshoot.htm">Troubleshooting</a> Information
contains a number of tips to help you solve common problems.</b></h3>
</li>
</ul>
<h3> </h3>
<ul>
<li>
<h3><b>The <a href="errata.htm"> Errata</a> has links to download
updated components.</b></h3>
</li>
</ul>
<h3> </h3>
<ul>
<li>
<h3><b>The Mailing List Archives search facility can locate posts
about similar problems:</b></h3>
</li>
</ul>
<h2> </h2>
<h2>Mailing List Archive Search</h2>
<form method="post" action="http://www.shorewall.net/cgi-bin/htsearch">
<p> <font size="-1"> Match:
<h4>Mailing List Archive Search</h4>
<form method="post" action="http://www.shorewall.net/cgi-bin/htsearch">
<p> <font size="-1"> Match:
<select name="method"> <select name="method">
<option value="and">All </option> <option value="and">All </option>
<option value="or">Any </option> <option value="or">Any </option>
<option value="boolean">Boolean </option> <option value="boolean">Boolean </option>
</select> </select>
Format: Format:
<select name="format"> <select name="format">
<option value="builtin-long">Long </option> <option value="builtin-long">Long </option>
<option value="builtin-short">Short </option> <option value="builtin-short">Short </option>
</select> </select>
Sort by: Sort by:
<select name="sort"> <select name="sort">
<option value="score">Score </option> <option value="score">Score </option>
<option value="time">Time </option> <option value="time">Time </option>
@ -88,82 +125,163 @@ about similar problems:</li>
<option value="revtime">Reverse Time </option> <option value="revtime">Reverse Time </option>
<option value="revtitle">Reverse Title </option> <option value="revtitle">Reverse Title </option>
</select> </select>
</font> <input type="hidden" name="config" value="htdig"> <input </font> <input type="hidden" name="config"
type="hidden" name="restrict" value="htdig"> <input type="hidden" name="restrict"
value="[http://www.shorewall.net/pipermail/.*]"> <input type="hidden" value="[http://www.shorewall.net/pipermail/.*]"> <input type="hidden"
name="exclude" value=""> <br> name="exclude" value=""> <br>
Search: <input type="text" size="30" name="words" value=""> <input Search: <input type="text" size="30" name="words"
type="submit" value="Search"> </p> value=""> <input type="submit" value="Search"> </p>
</form> </form>
<h3 align="left">Problem Reporting Guideline</h3> <h2>Problem Reporting Guidelines</h2>
<i>"Let me see if I can translate your message into a real-world example. 
<ul> It would be like saying that you have three rooms at home, and when you
<li>When reporting a problem, give as much information as you walk into one of the rooms, you detect this strange smell.  Can anyone tell
can. Reports that say "I tried XYZ and it didn't work" are not at all you what that strange smell is?<br>
helpful.</li> <br>
<li>Please don't describe your environment and then ask us to Now, all of us could do some wonderful guessing as to the smell and even
send you custom configuration files. We're here to answer your what's causing it.  You would be absolutely amazed at the range and variety
questions but we can't do your job for you.</li> of smells we could come up with.  Even more amazing is that all of the explanations
<li>Do you see any "Shorewall" messages in /var/log/messages for the smells would be completely plausible."<br>
when you exercise the function that is giving you problems?</li> </i><br>
<li>Have you looked at the packet flow with a tool like tcpdump
to try to understand what is going on?</li> <div align="center">   - Russell Mosemann<br>
<li>Have you tried using the diagnostic capabilities of the </div>
application that isn't working? For example, if "ssh" isn't able <br>
to connect, using the "-v" option gives you a lot of valuable diagnostic
information.</li> <h3> </h3>
<li>Please include any of the Shorewall configuration files (especially
the /etc/shorewall/hosts file if you have modified that file) that
you think are relevant. If an error occurs when you try to "shorewall
start", include a trace (See the <a href="troubleshoot.htm">Troubleshooting</a>
section for instructions).</li>
<li>The list server limits posts to 120kb so don't post GIFs of
your network layout, etc to the Mailing List -- your post will
be rejected.</li>
</ul>
<h3>Where to Send your Problem Report or to Ask for Help</h3>
<b>If you run Shorewall on Mandrake 9.0 </b>-- send your problem
reports and questions to MandrakeSoft. I ordered a Mandrake 9.0 boxed set
on October 3, 2002; MandrakeSoft issued a charge against my credit card on
October 4, 2002 (they are very effecient at that part of the order process)
and I haven't heard a word from them since (although their news letters
boast that 9.0 boxed sets have been shipping for the last two weeks). If
they can't fill my 9.0 order within <u>6 weeks after they have billed my
credit card</u> then I refuse to spend my free time supporting their product
for them.<br>
<br>
<b>Mandrake Update - 11/26/2002 - </b>Mandrake have informed me that "Your
order is part of a batch of which was not correctly sent to our shipping
handler, and so unfortunately was not processed". They further assure me
that these mishandled orders will begin shipping on 12/2/2002.<br>
<h4>If you run Shorewall under Bering -- <span style="font-weight: 400;">please <ul>
post your question or problem to the <a <li>
href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing list</a>.</span></h4> <h3><b>When reporting a problem, give as much information as you can.
Reports that say "I tried XYZ and it didn't work" are not at all helpful.</b></h3>
</li>
</ul>
<h3> </h3>
<ul>
<li>
<h3><b>Please don't describe your environment and then ask us to send
you custom configuration files. We're here to answer your
questions but we can't do your job for you.</b></h3>
</li>
</ul>
<h3> </h3>
<ul>
<li>
<h3><b>Do you see any "Shorewall" messages in /var/log/messages
when you exercise the function that is giving you problems?</b></h3>
</li>
</ul>
<h3> </h3>
<ul>
<li>
<h3><b>Have you looked at the packet flow with a tool like tcpdump
to try to understand what is going on?</b></h3>
</li>
</ul>
<h3> </h3>
<ul>
<li>
<h3><b>Have you tried using the diagnostic capabilities of the
application that isn't working? For example, if "ssh" isn't able
to connect, using the "-v" option gives you a lot of valuable diagnostic
information.</b></h3>
</li>
</ul>
<h3> </h3>
<ul>
<li>
<h3><b>Please include any of the Shorewall configuration files (especially
the /etc/shorewall/hosts file if you have modified that file)
that you think are relevant.</b></h3>
</li>
<li>
<h3><b>If an error occurs when you try to "shorewall start", include
a trace (See the <a href="troubleshoot.htm">Troubleshooting</a> section
for instructions).</b></h3>
</li>
</ul>
<h3> </h3>
<ul>
<li>
<h3><b>The list server limits posts to 120kb so don't post GIFs of
your network layout, etc to the Mailing List -- your post
will be rejected.</b></h3>
</li>
</ul>
<h3> </h3>
<h2>Please post in plain text</h2>
<blockquote>
<h3><b> While the list server here at shorewall.net accepts and distributes
HTML posts, a growing number of MTAs serving list subscribers are rejecting
this HTML list traffic. At least one MTA has gone so far as to blacklist
shorewall.net "for continuous abuse"!!</b></h3>
<h3><b> I think that blocking all HTML is a rather draconian way to control
spam and that the unltimate loser here is not the spammers but the list subscribers
whose MTAs are bouncing all shorewall.net mail. Nevertheless, all of you can
help by restricting your list posts to plain text.</b></h3>
<h3><b> And as a bonus, subscribers who use email clients like pine and
mutt will be able to read your plain text posts whereas they are most likely
simply ignoring your HTML posts.</b></h3>
<h3><b> A final bonus for the use of HTML is that it cuts down the size
of messages by a large percentage -- that is important when the same message
must be sent 500 times over the slow DSL line connecting the list server
to the internet.</b> </h3>
</blockquote>
<h2>Where to Send your Problem Report or to Ask for Help</h2>
<p>Otherwise, please post your question or problem to the <a <h3></h3>
href="mailto:shorewall-users@shorewall.net">Shorewall users mailing list</a>;
there are lots of folks there who are willing to help you. Your question/problem <blockquote>
description and their responses will be placed in the mailing list archives <h4>If you run Shorewall under Bering -- <span
to help people who have a similar question or problem in the future.</p> style="font-weight: 400;">please post your question or problem
to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing
<p>I don't look at problems sent to me directly but I try to spend some amount list</a>.</span></h4>
of time each day responding to problems posted on the mailing list.</p>
<p>Otherwise, please post your question or problem to the <a
<p align="center"><a href="mailto:teastep@shorewall.net">-Tom</a></p> href="mailto:shorewall-users@shorewall.net">Shorewall users mailing list.</a></p>
</blockquote>
<p align="center"><big><font color="#ff0000"><b></b></font></big></p>
<p>To Subscribe to the mailing list go to <a <p>To Subscribe to the mailing list go to <a
href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a> href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a>
.</p> .</p>
<p align="left"><font size="2">Last Updated 12/2/2002 - Tom Eastep</font></p>
<p align="left"><font size="2">Last Updated 12/27/2002 - Tom Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br> size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
</p> </p>
<br>
<br>
<br> <br>
<br>
<br>
</body> </body>
</html> </html>

2011
STABLE/documentation/three-interface.htm
View File

File diff suppressed because it is too large Load Diff

448
STABLE/documentation/traffic_shaping.htm
View File

@ -1,257 +1,293 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<title>Traffic Shaping</title> <title>Traffic Shaping</title>
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Traffic Shaping/Control</font></h1> <h1 align="center"><font color="#ffffff">Traffic Shaping/Control</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p align="left">Beginning with version 1.2.0, Shorewall has limited support <p align="left">Beginning with version 1.2.0, Shorewall has limited support
for traffic shaping/control. In order to use traffic shaping under Shorewall, for traffic shaping/control. In order to use traffic shaping under Shorewall,
it is essential that you get a copy of the <a it is essential that you get a copy of the <a
href="http://ds9a.nl/lartc">Linux Advanced Routing and Shaping HOWTO</a>, href="http://ds9a.nl/lartc">Linux Advanced Routing and Shaping HOWTO</a>,
version 0.3.0 or later. You must also install the iproute (iproute2) package version 0.3.0 or later. You must also install the iproute (iproute2) package
to provide the "ip" and "tc" utilities.</p> to provide the "ip" and "tc" utilities.</p>
<p align="left">Shorewall traffic shaping support consists of the following:</p> <p align="left">Shorewall traffic shaping support consists of the following:</p>
<ul> <ul>
<li>A new TC_ENABLED parameter in /etc/shorewall.conf. Traffic Shaping <li>A new TC_ENABLED parameter in /etc/shorewall.conf. Traffic
also requires that you enable packet mangling.<br> Shaping also requires that you enable packet mangling.<br>
</li> </li>
<li>/etc/shorewall/tcrules - A file where you can specify firewall <li>/etc/shorewall/tcrules - A file where you can specify firewall
marking of packets. The firewall mark value may be used to classify packets marking of packets. The firewall mark value may be used to classify
for traffic shaping/control.<br> packets for traffic shaping/control.<br>
</li> </li>
<li>/etc/shorewall/tcstart - A user-supplied file that is sourced <li>/etc/shorewall/tcstart - A user-supplied file that is sourced
by Shorewall during "shorewall start" and which you can use to define by Shorewall during "shorewall start" and which you can use to define
your traffic shaping disciplines and classes. I have provided a <a your traffic shaping disciplines and classes. I have provided a <a
href="ftp://ftp.shorewall.net/pub/shorewall/cbq">sample</a> that does href="ftp://ftp.shorewall.net/pub/shorewall/cbq">sample</a> that does
table-driven CBQ shaping but if you read the traffic shaping sections of table-driven CBQ shaping but if you read the traffic shaping sections of
the HOWTO mentioned above, you can probably code your own faster than the HOWTO mentioned above, you can probably code your own faster than
you can learn how to use my sample. I personally use <a you can learn how to use my sample. I personally use <a
href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB</a> (see below). HTB href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB</a> (see below). HTB
support may eventually become an integral part of Shorewall since HTB support may eventually become an integral part of Shorewall since
is a lot simpler and better-documented than CBQ. HTB is currently not HTB is a lot simpler and better-documented than CBQ. As of 2.4.20,
a standard part of either the kernel or iproute2 so both must be patched HTB is a standard part of the kernel but iproute2 must be patched in
in order to use it.<br> order to use it.<br>
<br>
In tcstart, when you want to run the 'tc' utility, use the run_tc
function supplied by shorewall if you want tc errors to stop the firewall.<br>
<br> <br>
In tcstart, when you want to run the 'tc' utility, use the run_tc function You can generally use off-the-shelf traffic shaping scripts by simply copying
supplied by shorewall. <br> them to /etc/shorewall/tcstart. I use <a
href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (HTB version)
that way (i.e., I just copied wshaper.htb to /etc/shorewall/tcstart and
modified it according to the Wonder Shaper README). <b>WARNING: </b>If you
use use Masquerading or SNAT (i.e., you only have one external IP address)
then listing internal hosts in the NOPRIOHOSTSRC variable in the wshaper[.htb]
script won't work. Traffic shaping occurs after SNAT has already been applied
so when traffic shaping happens, all outbound traffic will have as a source
address the IP addresss of your firewall's external interface.<br>
</li> </li>
<li>/etc/shorewall/tcclear - A user-supplied file that is sourced <li>/etc/shorewall/tcclear - A user-supplied file that is sourced
by Shorewall when it is clearing traffic shaping. This file is normally by Shorewall when it is clearing traffic shaping. This file is normally
not required as Shorewall's method of clearing qdisc and filter definitions not required as Shorewall's method of clearing qdisc and filter definitions
is pretty general.</li> is pretty general.</li>
</ul> </ul>
<h3 align="left">Kernel Configuration</h3> <h3 align="left">Kernel Configuration</h3>
<p align="left">This screen shot show how I've configured QoS in my Kernel:</p> <p align="left">This screen shot show how I've configured QoS in my Kernel:</p>
<p align="center"><img border="0" src="images/QoS.png" width="590" <p align="center"><img border="0" src="images/QoS.png" width="590"
height="764"> height="764">
</p> </p>
<h3 align="left"><a name="tcrules"></a>/etc/shorewall/tcrules</h3> <h3 align="left"><a name="tcrules"></a>/etc/shorewall/tcrules</h3>
<p align="left">The fwmark classifier provides a convenient way to classify <p align="left">The fwmark classifier provides a convenient way to classify
packets for traffic shaping. The /etc/shorewall/tcrules file provides a packets for traffic shaping. The /etc/shorewall/tcrules file provides
means for specifying these marks in a tabular fashion.</p> a means for specifying these marks in a tabular fashion.<br>
</p>
<p align="left">Normally, packet marking occurs in the PREROUTING chain before
any address rewriting takes place. This makes it impossible to mark inbound
packets based on their destination address when SNAT or Masquerading are
being used. Beginning with Shorewall 1.3.12, you can cause packet marking
to occur in the FORWARD chain by using the MARK_IN_FORWARD_CHAIN option in
<a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
</p>
<p align="left">Columns in the file are as follows:</p> <p align="left">Columns in the file are as follows:</p>
<ul> <ul>
<li>MARK - Specifies the mark value is to be assigned in case of <li>MARK - Specifies the mark value is to be assigned in case of
a match. This is an integer in the range 1-255.<br> a match. This is an integer in the range 1-255.<br>
<br> <br>
Example - 5<br> Example - 5<br>
</li> </li>
<li>SOURCE - The source of the packet. If the packet originates on <li>SOURCE - The source of the packet. If the packet originates
the firewall, place "fw" in this column. Otherwise, this is a comma-separated on the firewall, place "fw" in this column. Otherwise, this is a
list of interface names, IP addresses, MAC addresses in <a comma-separated list of interface names, IP addresses, MAC addresses in
href="Documentation.htm#MAC">Shorewall Format</a> and/or Subnets.<br> <a href="Documentation.htm#MAC">Shorewall Format</a> and/or Subnets.<br>
<br> <br>
Examples<br> Examples<br>
    eth0<br>     eth0<br>
    192.168.2.4,192.168.1.0/24<br>     192.168.2.4,192.168.1.0/24<br>
</li> </li>
<li>DEST -- Destination of the packet. Comma-separated list of IP <li>DEST -- Destination of the packet. Comma-separated list of
addresses and/or subnets.<br> IP addresses and/or subnets.<br>
</li> </li>
<li>PROTO - Protocol - Must be the name of a protocol from /etc/protocol, <li>PROTO - Protocol - Must be the name of a protocol from
a number or "all"<br> /etc/protocol, a number or "all"<br>
</li> </li>
<li>PORT(S) - Destination Ports. A comma-separated list of Port names <li>PORT(S) - Destination Ports. A comma-separated list of Port
(from /etc/services), port numbers or port ranges (e.g., 21:22); if the names (from /etc/services), port numbers or port ranges (e.g., 21:22);
protocol is "icmp", this column is interpreted as the destination icmp if the protocol is "icmp", this column is interpreted as the destination
type(s).<br> icmp type(s).<br>
</li> </li>
<li>CLIENT PORT(S) - (Optional) Port(s) used by the client. If omitted, <li>CLIENT PORT(S) - (Optional) Port(s) used by the client. If
any source port is acceptable. Specified as a comma-separate list of port omitted, any source port is acceptable. Specified as a comma-separate
names, port numbers or port ranges.</li> list of port names, port numbers or port ranges.</li>
</ul> </ul>
<p align="left">Example 1 - All packets arriving on eth1 should be marked <p align="left">Example 1 - All packets arriving on eth1 should be marked
with 1. All packets arriving on eth2 should be marked with 2. All packets with 1. All packets arriving on eth2 and eth3 should be marked with 2.
originating on the firewall itself should be marked with 3.</p> All packets originating on the firewall itself should be marked with 3.</p>
<table border="2" cellpadding="2" style="border-collapse: collapse;"> <table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody> <tbody>
<tr> <tr>
<td><b>MARK</b></td> <td><b>MARK</b></td>
<td><b>SOURCE</b></td> <td><b>SOURCE</b></td>
<td><b>DEST</b></td> <td><b>DEST</b></td>
<td><b>PROTO</b></td> <td><b>PROTO</b></td>
<td><b>PORT(S)</b></td> <td><b>PORT(S)</b></td>
<td><b>CLIENT PORT(S)</b></td> <td><b>CLIENT PORT(S)</b></td>
</tr> </tr>
<tr> <tr>
<td>1</td> <td>1</td>
<td>eth1</td> <td>eth1</td>
<td>0.0.0.0/0</td> <td>0.0.0.0/0</td>
<td>all</td> <td>all</td>
<td> </td> <td> </td>
<td> </td> <td> </td>
</tr> </tr>
<tr> <tr>
<td>2</td> <td>2</td>
<td>eth2</td> <td>eth2</td>
<td>0.0.0.0/0</td> <td>0.0.0.0/0</td>
<td>all</td> <td>all</td>
<td> </td> <td> </td>
<td> </td> <td> </td>
</tr> </tr>
<tr> <tr>
<td>3</td> <td valign="top">2<br>
<td>fw</td> </td>
<td>0.0.0.0/0</td> <td valign="top">eth3<br>
<td>all</td> </td>
<td> </td> <td valign="top">0.0.0.0/0<br>
<td> </td> </td>
</tr> <td valign="top">all<br>
</td>
</tbody> <td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
<tr>
<td>3</td>
<td>fw</td>
<td>0.0.0.0/0</td>
<td>all</td>
<td> </td>
<td> </td>
</tr>
</tbody>
</table> </table>
<p align="left">Example 2 - All GRE (protocol 47) packets not originating <p align="left">Example 2 - All GRE (protocol 47) packets not originating
on the firewall and destined for 155.186.235.151 should be marked with 12.</p> on the firewall and destined for 155.186.235.151 should be marked with
12.</p>
<table border="2" cellpadding="2" style="border-collapse: collapse;"> <table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody> <tbody>
<tr> <tr>
<td><b>MARK</b></td> <td><b>MARK</b></td>
<td><b>SOURCE</b></td> <td><b>SOURCE</b></td>
<td><b>DEST</b></td> <td><b>DEST</b></td>
<td><b>PROTO</b></td> <td><b>PROTO</b></td>
<td><b>PORT(S)</b></td> <td><b>PORT(S)</b></td>
<td><b>CLIENT PORT(S)</b></td> <td><b>CLIENT PORT(S)</b></td>
</tr> </tr>
<tr> <tr>
<td>12</td> <td>12</td>
<td>0.0.0.0/0</td> <td>0.0.0.0/0</td>
<td>155.186.235.151</td> <td>155.186.235.151</td>
<td>47</td> <td>47</td>
<td> </td> <td> </td>
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p align="left">Example 3 - All SSH packets originating in 192.168.1.0/24 <p align="left">Example 3 - All SSH packets originating in 192.168.1.0/24
and destined for 155.186.235.151 should be marked with 22.</p> and destined for 155.186.235.151 should be marked with 22.</p>
<table border="2" cellpadding="2" style="border-collapse: collapse;"> <table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody> <tbody>
<tr> <tr>
<td><b>MARK</b></td> <td><b>MARK</b></td>
<td><b>SOURCE</b></td> <td><b>SOURCE</b></td>
<td><b>DEST</b></td> <td><b>DEST</b></td>
<td><b>PROTO</b></td> <td><b>PROTO</b></td>
<td><b>PORT(S)</b></td> <td><b>PORT(S)</b></td>
<td><b>CLIENT PORT(S)</b></td> <td><b>CLIENT PORT(S)</b></td>
</tr> </tr>
<tr> <tr>
<td>22</td> <td>22</td>
<td>192.168.1.0/24</td> <td>192.168.1.0/24</td>
<td>155.186.235.151</td> <td>155.186.235.151</td>
<td>tcp</td> <td>tcp</td>
<td>22</td> <td>22</td>
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<h3>Hierarchical Token Bucket</h3> <h3>My Setup<br>
</h3>
<p>I personally use HTB. I have found a couple of things that may be of use
to others.</p> <p>While I am currently using the HTB version of <a
href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (I just copied
<ul> wshaper.htb to /etc/shorewall/tcstart and modified it as shown in the Wondershaper
<li>The gzipped tc binary at the <a README), I have also run with the following set of hand-crafted rules in
href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB website</a> didn't work my tcstart file:<br>
for me -- I had to download the lastest version of the <a </p>
href="ftp://ftp.inr.ac.ru/ip-routing">iproute2 sources</a> and patch
them for HTB.</li>
<li>I'm currently running with this set of shaping rules in my tcstart
file. I recently changed from using a ceiling of 10Mbit (interface speed)
to 384kbit (DSP Uplink speed).<br>
<br>
</li>
</ul>
<blockquote> <blockquote>
<pre>run_tc qdisc add dev eth0 root handle 1: htb default 30<br>run_tc class add dev eth0 parent 1: classid 1:1 htb rate 384kbit burst 15k<br><br>echo "   Added Top Level Class -- rate 384kbit"</pre> <pre>run_tc qdisc add dev eth0 root handle 1: htb default 30<br><br>run_tc class add dev eth0 parent 1: classid 1:1 htb rate 384kbit burst 15k<br><br>echo "   Added Top Level Class -- rate 384kbit"</pre>
<pre>run_tc class add dev eth0 parent 1:1 classid 1:10 htb rate 140kbit ceil 384kbit burst 15k<br>run_tc class add dev eth0 parent 1:1 classid 1:20 htb rate 224kbit ceil 384kbit burst 15k<br>run_tc class add dev eth0 parent 1:1 classid 1:30 htb rate 20kbit  ceil 384kbit burst 15k quantum 1500</pre> <pre>run_tc class add dev eth0 parent 1:1 classid 1:10 htb rate 140kbit ceil 384kbit burst 15k prio 1<br>run_tc class add dev eth0 parent 1:1 classid 1:20 htb rate 224kbit ceil 384kbit burst 15k prio 0<br>run_tc class add dev eth0 parent 1:1 classid 1:30 htb rate 20kbit  ceil 384kbit burst 15k quantum 1500 prio 1</pre>
<pre>echo "   Added Second Level Classes -- rates 140kbit, 224kbit, 20kbit"</pre> <pre>echo "   Added Second Level Classes -- rates 140kbit, 224kbit, 20kbit"</pre>
<pre>run_tc qdisc add dev eth0 parent 1:10 sfq perturb 10<br>run_tc qdisc add dev eth0 parent 1:20 sfq perturb 10<br>run_tc qdisc add dev eth0 parent 1:30 sfq perturb 10</pre> <pre>run_tc qdisc add dev eth0 parent 1:10 pfifo limit 5<br>run_tc qdisc add dev eth0 parent 1:20 pfifo limit 10<br>run_tc qdisc add dev eth0 parent 1:30 pfifo limit 5</pre>
<pre>echo "   Enabled SFQ on Second Level Classes"</pre> <pre>echo "   Enabled PFIFO on Second Level Classes"</pre>
<pre>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:10<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 2 fw classid 1:20<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw classid 1:30</pre> <pre>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:10<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 0 handle 2 fw classid 1:20<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw classid 1:30</pre>
<pre>echo "   Defined fwmark filters"<br></pre> <pre>echo "   Defined fwmark filters"<br></pre>
</blockquote>
<p>My tcrules file is shown in Example 1 above. You can look at my <a
href="myfiles.htm">network configuration</a> to get an idea of why I want <p>My tcrules file that went with this tcstart file is shown in Example 1
these particular rules.<font face="Courier" size="2"><br> above. You can look at my <a href="myfiles.htm">network configuration</a>
</font></p> to get an idea of why I wanted these particular rules.<br>
</blockquote> </p>
<p><font size="2">Last Updated 10/25/2002 - <a href="support.htm">Tom Eastep</a></font></p> <ol>
<li>I wanted to allow up to 140kbits/second for traffic outbound from
my DMZ (note that the ceiling is set to 384kbit so outbound DMZ traffic
can use all available bandwidth if there is no traffic from the local systems
or from my laptop or firewall).</li>
<li>My laptop and local systems could use up to 224kbits/second.</li>
<li>My firewall could use up to 20kbits/second.<br>
</li>
</ol>
<p><font size="2">Last Updated 12/20/2002 - <a href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
<br> </p>
<br>
</body> </body>
</html> </html>

310
STABLE/documentation/troubleshoot.htm
View File

@ -1,211 +1,233 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shorewall Troubleshooting</title> <title>Shorewall Troubleshooting</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Troubleshooting<img <h1 align="center"><font color="#ffffff">Shorewall Troubleshooting<img
src="images/obrasinf.gif" alt="Beating head on table" width="90" src="images/obrasinf.gif" alt="Beating head on table" width="90"
height="90" align="middle"> height="90" align="middle">
</font></h1> </font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<h3 align="left">Check the Errata</h3> <h3 align="left">Check the Errata</h3>
<p align="left">Check the <a href="errata.htm">Shorewall Errata</a> to be <p align="left">Check the <a href="errata.htm">Shorewall Errata</a> to be
sure that there isn't an update that you are missing for your version sure that there isn't an update that you are missing for your version
of the firewall.</p> of the firewall.</p>
<h3 align="left">Check the FAQs</h3> <h3 align="left">Check the FAQs</h3>
<p align="left">Check the <a href="FAQ.htm">FAQs</a> for solutions to common <p align="left">Check the <a href="FAQ.htm">FAQs</a> for solutions to common
problems.</p> problems.</p>
<h3 align="left">If the firewall fails to start</h3> <h3 align="left">If the firewall fails to start</h3>
If you receive an error message when starting or restarting the If you receive an error message when starting or restarting the
firewall and you can't determine the cause, then do the following: firewall and you can't determine the cause, then do the following:
<ul> <ul>
<li>shorewall debug start 2&gt; /tmp/trace</li> <li>Make a note of the error message that you see.<br>
<li>Look at the /tmp/trace file and see if that helps you determine </li>
what the problem is.</li> <li>shorewall debug start 2&gt; /tmp/trace</li>
<li>If you still can't determine what's wrong then see the <a <li>Look at the /tmp/trace file and see if that helps you
href="support.htm">support page</a>.</li> determine what the problem is. Be sure you find the place in the log where
the error message you saw is generated -- in 99.9% of the cases, it will
not be near the end of the log because after startup errors, Shorewall goes
through a "shorewall stop" phase which will also be traced.</li>
<li>If you still can't determine what's wrong then see the
<a href="support.htm">support page</a>.</li>
</ul> </ul>
Here's an example. During startup, a user sees the following:<br>
<blockquote>
<pre>Adding Common Rules<br>iptables: No chain/target/match by that name<br>Terminated<br></pre>
</blockquote>
A search through the trace for "No chain/target/match by that name" turned
up the following: 
<blockquote>
<pre>+ echo 'Adding Common Rules'<br>+ add_common_rules<br>+ run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset<br>++ echo -A reject -p tcp -j REJECT --reject-with tcp-reset<br>++ sed 's/!/! /g'<br>+ iptables -A reject -p tcp -j REJECT --reject-with tcp-reset<br>iptables: No chain/target/match by that name<br></pre>
</blockquote>
The command that failed was: "iptables -A reject -p tcp -j REJECT --reject-with
tcp-reset". In this case, the user had compiled his own kernel and had forgotten
to include REJECT target support (see <a href="kernel.htm">kernel.htm</a>)
<h3>Your network environment</h3> <h3>Your network environment</h3>
<p>Many times when people have problems with Shorewall, the problem is <p>Many times when people have problems with Shorewall, the problem is
actually an ill-conceived network setup. Here are several popular snafus: actually an ill-conceived network setup. Here are several popular snafus:
</p> </p>
<ul> <ul>
<li>Port Forwarding where client and server are in the <li>Port Forwarding where client and server are in the
same subnet. See <a href="FAQ.htm">FAQ 2.</a></li> same subnet. See <a href="FAQ.htm">FAQ 2.</a></li>
<li>Changing the IP address of a local system to be in the external <li>Changing the IP address of a local system to be in the external
subnet, thinking that Shorewall will suddenly believe that the system subnet, thinking that Shorewall will suddenly believe that the system
is in the 'net' zone.</li> is in the 'net' zone.</li>
<li>Multiple interfaces connected to the same HUB or Switch. Given <li>Multiple interfaces connected to the same HUB or Switch. Given
the way that the Linux kernel respond to ARP "who-has" requests, this the way that the Linux kernel respond to ARP "who-has" requests, this
type of setup does NOT work the way that you expect it to.</li> type of setup does NOT work the way that you expect it to.</li>
</ul> </ul>
<h3 align="left">If you are having connection problems:</h3> <h3 align="left">If you are having connection problems:</h3>
<p align="left">If the appropriate policy for the connection that you are <p align="left">If the appropriate policy for the connection that you are
trying to make is ACCEPT, please DO NOT ADD ADDITIONAL ACCEPT RULES TRYING trying to make is ACCEPT, please DO NOT ADD ADDITIONAL ACCEPT RULES TRYING
TO MAKE IT WORK. Such additional rules will NEVER make it work, they add TO MAKE IT WORK. Such additional rules will NEVER make it work, they add
clutter to your rule set and they represent a big security hole in the event clutter to your rule set and they represent a big security hole in the event
that you forget to remove them later.</p> that you forget to remove them later.</p>
<p align="left">I also recommend against setting all of your policies to <p align="left">I also recommend against setting all of your policies to
ACCEPT in an effort to make something work. That robs you of one of ACCEPT in an effort to make something work. That robs you of one of
your best diagnostic tools - the "Shorewall" messages that Netfilter your best diagnostic tools - the "Shorewall" messages that Netfilter
will generate when you try to connect in a way that isn't permitted will generate when you try to connect in a way that isn't permitted
by your rule set.</p> by your rule set.</p>
<p align="left">Check your log ("/sbin/shorewall show log"). If you don't <p align="left">Check your log ("/sbin/shorewall show log"). If you don't
see Shorewall messages, then your problem is probably NOT a Shorewall problem. see Shorewall messages, then your problem is probably NOT a Shorewall problem.
If you DO see packet messages, it may be an indication that you are missing If you DO see packet messages, it may be an indication that you are missing
one or more rules -- see <a href="FAQ.htm#faq17">FAQ 17</a>.</p> one or more rules -- see <a href="FAQ.htm#faq17">FAQ 17</a>.</p>
<p align="left">While you are troubleshooting, it is a good idea to clear <p align="left">While you are troubleshooting, it is a good idea to clear
two variables in /etc/shorewall/shorewall.conf:</p> two variables in /etc/shorewall/shorewall.conf:</p>
<p align="left">LOGRATE=""<br> <p align="left">LOGRATE=""<br>
LOGBURST=""</p> LOGBURST=""</p>
<p align="left">This way, you will see all of the log messages being <p align="left">This way, you will see all of the log messages being
generated (be sure to restart shorewall after clearing these variables).</p> generated (be sure to restart shorewall after clearing these variables).</p>
<p align="left">Example:</p> <p align="left">Example:</p>
<font face="Century Gothic, Arial, Helvetica"> <font face="Century Gothic, Arial, Helvetica">
<p align="left"><font face="Courier">Jun 27 15:37:56 gateway kernel: <p align="left"><font face="Courier">Jun 27 15:37:56 gateway kernel:
Shorewall:all2all:REJECT:IN=eth2 OUT=eth1 SRC=192.168.2.2 DST=192.168.1.3 Shorewall:all2all:REJECT:IN=eth2 OUT=eth1 SRC=192.168.2.2 DST=192.168.1.3
LEN=67 TOS=0x00 PREC=0x00 TTL=63 ID=5805 DF PROTO=UDP SPT=1803 DPT=53 LEN=67 TOS=0x00 PREC=0x00 TTL=63 ID=5805 DF PROTO=UDP SPT=1803 DPT=53
LEN=47</font></p> LEN=47</font></p>
</font> </font>
<p align="left">Let's look at the important parts of this message:</p> <p align="left">Let's look at the important parts of this message:</p>
<ul> <ul>
<li>all2all:REJECT - This packet was REJECTed out of the all2all <li>all2all:REJECT - This packet was REJECTed out of the all2all
chain -- the packet was rejected under the "all"-&gt;"all" REJECT policy chain -- the packet was rejected under the "all"-&gt;"all" REJECT policy
(see <a href="FAQ.htm#faq17">FAQ 17).</a></li> (see <a href="FAQ.htm#faq17">FAQ 17).</a></li>
<li>IN=eth2 - the packet entered the firewall via eth2</li> <li>IN=eth2 - the packet entered the firewall via eth2</li>
<li>OUT=eth1 - if accepted, the packet would be sent on eth1</li> <li>OUT=eth1 - if accepted, the packet would be sent on eth1</li>
<li>SRC=192.168.2.2 - the packet was sent by 192.168.2.2</li> <li>SRC=192.168.2.2 - the packet was sent by 192.168.2.2</li>
<li>DST=192.168.1.3 - the packet is destined for 192.168.1.3</li> <li>DST=192.168.1.3 - the packet is destined for 192.168.1.3</li>
<li>PROTO=UDP - UDP Protocol</li> <li>PROTO=UDP - UDP Protocol</li>
<li>DPT=53 - DNS</li> <li>DPT=53 - DNS</li>
</ul> </ul>
<p align="left">In this case, 192.168.2.2 was in the "dmz" zone and 192.168.1.3 <p align="left">In this case, 192.168.2.2 was in the "dmz" zone and 192.168.1.3
is in the "loc" zone. I was missing the rule:</p> is in the "loc" zone. I was missing the rule:</p>
<p align="left">ACCEPT    dmz    loc    udp    53<br> <p align="left">ACCEPT    dmz    loc    udp    53<br>
</p> </p>
<p align="left">See <a href="FAQ.htm#faq17">FAQ 17</a> for additional information <p align="left">See <a href="FAQ.htm#faq17">FAQ 17</a> for additional information
about how to interpret the chain name appearing in a Shorewall log message.<br> about how to interpret the chain name appearing in a Shorewall log message.<br>
</p> </p>
<h3 align="left">Other Gotchas</h3> <h3 align="left">Other Gotchas</h3>
<ul> <ul>
<li>Seeing rejected/dropped packets logged out of the INPUT or FORWARD <li>Seeing rejected/dropped packets logged out of the INPUT or
chains? This means that: FORWARD chains? This means that:
<ol> <ol>
<li>your zone definitions are screwed up and the host that is <li>your zone definitions are screwed up and the host that is
sending the packets or the destination host isn't in any zone (using sending the packets or the destination host isn't in any zone (using
an <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a> file an <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a> file
are you?); or</li> are you?); or</li>
<li>the source and destination hosts are both connected to the <li>the source and destination hosts are both connected to the
same interface and that interface doesn't have the 'multi' option same interface and that interface doesn't have the 'multi' option
specified in <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li> specified in <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
</ol> </ol>
</li> </li>
<li>Remember that Shorewall doesn't automatically allow ICMP <li>Remember that Shorewall doesn't automatically allow ICMP
type 8 ("ping") requests to be sent between zones. If you want pings type 8 ("ping") requests to be sent between zones. If you want pings
to be allowed between zones, you need a rule of the form:<br> to be allowed between zones, you need a rule of the form:<br>
<br> <br>
    ACCEPT    &lt;source zone&gt;    &lt;destination zone&gt;        ACCEPT    &lt;source zone&gt;    &lt;destination zone&gt;   
icmp    echo-request<br> icmp    echo-request<br>
<br> <br>
The ramifications of this can be subtle. For example, if you have The ramifications of this can be subtle. For example, if you
the following in /etc/shorewall/nat:<br> have the following in /etc/shorewall/nat:<br>
<br> <br>
    10.1.1.2    eth0    130.252.100.18<br>     10.1.1.2    eth0    130.252.100.18<br>
<br> <br>
and you ping 130.252.100.18, unless you have allowed icmp type and you ping 130.252.100.18, unless you have allowed icmp type
8 between the zone containing the system you are pinging from and the 8 between the zone containing the system you are pinging from and
zone containing 10.1.1.2, the ping requests will be dropped. This is the zone containing 10.1.1.2, the ping requests will be dropped. This
true even if you have NOT specified 'noping' for eth0 in /etc/shorewall/interfaces.</li> is true even if you have NOT specified 'noping' for eth0 in /etc/shorewall/interfaces.</li>
<li>If you specify "routefilter" for an interface, that interface <li>If you specify "routefilter" for an interface, that interface
must be up prior to starting the firewall.</li> must be up prior to starting the firewall.</li>
<li>Is your routing correct? For example, internal systems usually <li>Is your routing correct? For example, internal systems usually
need to be configured with their default gateway set to the IP address need to be configured with their default gateway set to the IP address
of their nearest firewall interface. One often overlooked aspect of of their nearest firewall interface. One often overlooked aspect of
routing is that in order for two hosts to communicate, the routing between routing is that in order for two hosts to communicate, the routing between
them must be set up <u>in both directions.</u> So when setting up routing them must be set up <u>in both directions.</u> So when setting up routing
between <b>A</b> and<b> B</b>, be sure to verify that the route from between <b>A</b> and<b> B</b>, be sure to verify that the route from
<b>B</b> back to <b>A</b> is defined.</li> <b>B</b> back to <b>A</b> is defined.</li>
<li>Some versions of LRP (EigerStein2Beta for example) have a <li>Some versions of LRP (EigerStein2Beta for example) have a
shell with broken variable expansion. <a shell with broken variable expansion. <a
href="ftp://ftp.shorewall.net/pub/shorewall/ash.gz"> You can get a corrected href="ftp://ftp.shorewall.net/pub/shorewall/ash.gz"> You can get a corrected
shell from the Shorewall Errata download site.</a> </li> shell from the Shorewall Errata download site.</a> </li>
<li>Do you have your kernel properly configured? <a <li>Do you have your kernel properly configured? <a
href="kernel.htm">Click here to see my kernel configuration.</a> </li> href="kernel.htm">Click here to see my kernel configuration.</a> </li>
<li>Some features require the "ip" program. That program is <li>Some features require the "ip" program. That program is
generally included in the "iproute" package which should be included generally included in the "iproute" package which should be included
with your distribution (though many distributions don't install iproute with your distribution (though many distributions don't install iproute
by default). You may also download the latest source tarball from <a by default). You may also download the latest source tarball from <a
href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank"> ftp://ftp.inr.ac.ru/ip-routing</a> href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank"> ftp://ftp.inr.ac.ru/ip-routing</a>
.</li> .</li>
<li>If you have <u>any</u> entry for a zone in /etc/shorewall/hosts <li>If you have <u>any</u> entry for a zone in /etc/shorewall/hosts
then the zone must be entirely defined in /etc/shorewall/hosts unless then the zone must be entirely defined in /etc/shorewall/hosts unless
you have specified MERGE_HOSTS=Yes (Shorewall version 1.3.5 and later). you have specified MERGE_HOSTS=Yes (Shorewall version 1.3.5 and later).
For example, if a zone has two interfaces but only one interface has an For example, if a zone has two interfaces but only one interface has
entry in /etc/shorewall/hosts then hosts attached to the other interface an entry in /etc/shorewall/hosts then hosts attached to the other interface
will <u>not</u> be considered part of the zone.</li> will <u>not</u> be considered part of the zone.</li>
<li>Problems with NAT? Be sure that you let Shorewall add all <li>Problems with NAT? Be sure that you let Shorewall add all
external addresses to be use with NAT unless you have set <a external addresses to be use with NAT unless you have set <a
href="Documentation.htm#Aliases"> ADD_IP_ALIASES</a> =No in /etc/shorewall/shorewall.conf.</li> href="Documentation.htm#Aliases"> ADD_IP_ALIASES</a> =No in /etc/shorewall/shorewall.conf.</li>
</ul> </ul>
<h3>Still Having Problems?</h3> <h3>Still Having Problems?</h3>
<p>See the<a href="support.htm"> support page.</a></p> <p>See the<a href="support.htm"> support page.</a></p>
<font face="Century Gothic, Arial, Helvetica"> <font face="Century Gothic, Arial, Helvetica">
<blockquote> </blockquote> <blockquote> </blockquote>
</font> </font>
<p><font size="2">Last updated 11/24/2002 - Tom Eastep</font> </p> <p><font size="2">Last updated 12/4/2002 - Tom Eastep</font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
</p> </p>
<br>
<br>
<br> <br>
<br> <br>
</body> </body>

1535
STABLE/documentation/two-interface.htm
View File

File diff suppressed because it is too large Load Diff

10
STABLE/fallback.sh
View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of # shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall. # Shoreline Firewall.
VERSION=1.3.11a VERSION=1.3.12
usage() # $1 = exit status usage() # $1 = exit status
{ {
@ -119,6 +119,14 @@ restore_file /etc/shorewall/whitelist
restore_file /etc/shorewall/rfc1918 restore_file /etc/shorewall/rfc1918
restore_file /etc/shorewall/init
restore_file /etc/shorewall/start
restore_file /etc/shorewall/stop
restore_file /etc/shorewall/stopped
if [ -f /usr/lib/shorewall/version-${VERSION}.bkout ]; then if [ -f /usr/lib/shorewall/version-${VERSION}.bkout ]; then
restore_file /usr/lib/shorewall/version restore_file /usr/lib/shorewall/version
oldversion="`cat /usr/lib/shorewall/version`" oldversion="`cat /usr/lib/shorewall/version`"

642
STABLE/firewall
View File

File diff suppressed because it is too large Load Diff

19
STABLE/functions
View File

@ -25,9 +25,22 @@ find_file()
# #
# Replace commas with spaces and echo the result # Replace commas with spaces and echo the result
# #
separate_list() separate_list() {
{ local list
echo $1 | sed 's/,/ /g' local part
local newlist
list="$@"
part="${list%%,*}"
newlist="$part"
while [ "x$part" != "x$list" ]; do
list="${list#*,}";
part="${list%%,*}";
newlist="$newlist $part";
done
echo "$newlist"
} }
# #

6
STABLE/init Normal file
View File

@ -0,0 +1,6 @@
############################################################################
# Shorewall 1.3 -- /etc/shorewall/init
#
# Add commands below that you want to be executed at the beginning of
# a "shorewall start" or "shorewall restart" command.
#

42
STABLE/install.sh
View File

@ -54,7 +54,7 @@
# /etc/rc.d/rc.local file is modified to start the firewall. # /etc/rc.d/rc.local file is modified to start the firewall.
# #
VERSION=1.3.11a VERSION=1.3.12
usage() # $1 = exit status usage() # $1 = exit status
{ {
@ -488,6 +488,46 @@ else
echo "RFC 1918 file installed as ${PREFIX}/etc/shorewall/rfc1918" echo "RFC 1918 file installed as ${PREFIX}/etc/shorewall/rfc1918"
fi fi
# #
# Install the init file
#
if [ -f ${PREFIX}/etc/shorewall/init ]; then
backup_file /etc/shorewall/init
else
run_install -o $OWNER -g $GROUP -m 0600 init ${PREFIX}/etc/shorewall/init
echo
echo "Init file installed as ${PREFIX}/etc/shorewall/init"
fi
#
# Install the start file
#
if [ -f ${PREFIX}/etc/shorewall/start ]; then
backup_file /etc/shorewall/start
else
run_install -o $OWNER -g $GROUP -m 0600 start ${PREFIX}/etc/shorewall/start
echo
echo "Start file installed as ${PREFIX}/etc/shorewall/start"
fi
#
# Install the stop file
#
if [ -f ${PREFIX}/etc/shorewall/stop ]; then
backup_file /etc/shorewall/stop
else
run_install -o $OWNER -g $GROUP -m 0600 stop ${PREFIX}/etc/shorewall/stop
echo
echo "Stop file installed as ${PREFIX}/etc/shorewall/stop"
fi
#
# Install the stopped file
#
if [ -f ${PREFIX}/etc/shorewall/stopped ]; then
backup_file /etc/shorewall/stopped
else
run_install -o $OWNER -g $GROUP -m 0600 stopped ${PREFIX}/etc/shorewall/stopped
echo
echo "Stopped file installed as ${PREFIX}/etc/shorewall/stopped"
fi
#
# Backup the version file # Backup the version file
# #
if [ -z "$PREFIX" ]; then if [ -z "$PREFIX" ]; then

6
STABLE/policy
View File

@ -29,6 +29,12 @@
# log message is generated. See syslog.conf(5) for a # log message is generated. See syslog.conf(5) for a
# description of log levels. # description of log levels.
# #
# Beginning with Shorewall version 1.3.12, you may
# also specify ULOG (must be in upper case). This will
# log to the ULOG target and sent to a separate log
# through use of ulogd
# (http://www.gnumonks.org/projects/ulogd).
#
# If you don't want to log but need to specify the # If you don't want to log but need to specify the
# following column, place "_" here. # following column, place "_" here.
# #

41
STABLE/releasenotes.txt
View File

@ -2,22 +2,39 @@ This is a minor release of Shorewall that has a couple of new features.
New features include: New features include:
1) A 'tcpflags' option has been added to entries in 1) "shorewall refresh" now reloads the traffic shaping rules (tcrules
/etc/shorewall/interfaces. This option causes Shorewall to make a and tcstart).
set of sanity check on TCP packet header flags.
2) It is now allowed to use 'all' in the SOURCE or DEST column in a 2) "shorewall debug [re]start" now turns off debugging after an error
rule. When used, 'all' must appear by itself (in may not be occurs. This places the point of the failure near the end of the
qualified) and it does not enable intra-zone traffic (e.g., the rule trace rather than up in the middle of it.
"ACCEPT loc all tcp 80" does not enable http traffic from
'loc' to 'loc').
3) Shorewall's use of the 'echo' command is now compatible with bash 3) "shorewall [re]start" has been speeded up by more than 40% with
clones such as ash and dash. my configuration. Your milage may vary.
4) fw->fw policies now generate a startup error. fw->fw rules generate 4) A "shorewall show classifiers" command has been added which shows
a warning and are ignored. the current packet classification filters. The output from this
command is also added as a separate page in "shorewall monitor"
5) ULOG (must be all caps) is now accepted as a valid syslog level and
causes the subject packets to be logged using the ULOG target rather
than the LOG target. This allows you to run ulogd (available from
www.gnumonks.org/projects/ulogd) and log all Shorewall messages to
a separate log file.
6) If you are running a kernel that has a FORWARD chain in the mangle
table ("shorewall show mangle" will show you the chains in the
mangle table), you can set MARK_IN_FORWARD=Yes in
shorewall.conf. This allows for marking inbound packets based on
their destination even when you are using Masquerading or SNAT.
7) I have cluttered up the /etc/shorewall directory with empty 'init',
'start', 'stop' and 'stopped' files. If you already have a file with
one of these names, don't worry -- the upgrade process won't
overwrite your file.
8) I have added a new RFC1918_LOG_LEVEL variable to
shorewall.conf. This variable specifies the syslog level at which
packets are logged as a result of entries in the
/etc/shorewall/rfc1918 file. Previously, these packets were always
logged at the 'info' level.

7
STABLE/rules
View File

@ -31,6 +31,13 @@
# level (e.g, REJECT:info). This causes the packet to be # level (e.g, REJECT:info). This causes the packet to be
# logged at the specified level. # logged at the specified level.
# #
# Beginning with Shorewall version 1.3.12, you may
# also specify ULOG (must be in upper case) as a log level.\
# This will log to the ULOG target and sent to a separate log
# through use of ulogd
# (http://www.gnumonks.org/projects/ulogd).
#
#
# SOURCE Source hosts to which the rule applies. May be a zone # SOURCE Source hosts to which the rule applies. May be a zone
# defined in /etc/shorewall/zones, $FW to indicate the # defined in /etc/shorewall/zones, $FW to indicate the
# firewall itself, or "all" If the ACTION is DNAT or # firewall itself, or "all" If the ACTION is DNAT or

52
STABLE/shorewall
View File

@ -58,6 +58,7 @@
# shorewall show nat Display the rules in the nat table # shorewall show nat Display the rules in the nat table
# shorewall show {mangle|tos} Display the rules in the mangle table # shorewall show {mangle|tos} Display the rules in the mangle table
# shorewall show tc Display traffic control info # shorewall show tc Display traffic control info
# shorewall show classifiers Display classifiers
# shorewall version Display the installed version id # shorewall version Display the installed version id
# shorewall check Verify the more heavily-used # shorewall check Verify the more heavily-used
# configuration files. # configuration files.
@ -258,7 +259,8 @@ packet_log() # $1 = number of messages
[ -n "$realtail" ] && options="-n$1" [ -n "$realtail" ] && options="-n$1"
grep 'Shorewall:\|ipt_unclean' $LOGFILE | \ grep 'Shorewall:\|ipt_unclean' $LOGFILE | \
sed s/" $host kernel: Shorewall:"/" "/ | \ sed s/" kernel:"// | \
sed s/" $host Shorewall:"/" "/ | \
sed s/" $host kernel: ipt_unclean: "/" "/ | \ sed s/" $host kernel: ipt_unclean: "/" "/ | \
sed 's/MAC=.*SRC=/SRC=/' | \ sed 's/MAC=.*SRC=/SRC=/' | \
tail $options tail $options
@ -294,6 +296,34 @@ show_tc() {
} }
#
# Show classifier information
#
show_classifiers() {
show_one_classifier() {
local device=${1%@*}
qdisc=`tc qdisc list dev $device`
if [ -n "$qdisc" ]; then
echo Device $device:
tc -s filter ls dev $device
echo
fi
}
ip link list | \
while read inx interface details; do
case $inx in
[0-9]*)
show_one_classifier ${interface%:}
;;
*)
;;
esac
done
}
# #
# Monitor the Firewall # Monitor the Firewall
# #
@ -383,6 +413,15 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
echo echo
show_tc show_tc
timed_read timed_read
clear
echo "$banner `date`"
echo
echo
echo "Packet Classifiers"
echo
show_classifiers
timed_read
done done
} }
@ -450,7 +489,7 @@ usage() # $1 = exit status
echo "where <command> is one of:" echo "where <command> is one of:"
echo " add <interface>[:<host>] <zone>" echo " add <interface>[:<host>] <zone>"
echo " delete <interface>[:<host>] <zone>" echo " delete <interface>[:<host>] <zone>"
echo " show [<chain>|connections|log|nat|tc|tos]" echo " show [<chain>|classifiers|connections|log|nat|tc|tos]"
echo " start" echo " start"
echo " stop" echo " stop"
echo " reset" echo " reset"
@ -629,6 +668,11 @@ case "$1" in
echo echo
show_tc show_tc
;; ;;
classifiers)
echo "Shorewall-$version Clasifiers at $HOSTNAME - `date`"
echo
show_classifiers
;;
*) *)
echo "Shorewall-$version Chain $2 at $HOSTNAME - `date`" echo "Shorewall-$version Chain $2 at $HOSTNAME - `date`"
echo echo
@ -658,8 +702,12 @@ case "$1" in
echo echo
packet_log 20 packet_log 20
echo echo
echo "NAT Table"
echo
iptables -t nat -L -n -v iptables -t nat -L -n -v
echo echo
echo "Mangle Table"
echo
iptables -t mangle -L -n -v iptables -t mangle -L -n -v
echo echo
cat /proc/net/ip_conntrack cat /proc/net/ip_conntrack

71
STABLE/shorewall.conf
View File

@ -9,6 +9,35 @@
# (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net) # (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net)
############################################################################## ##############################################################################
# #
# General note about log levels. Log levels are a method of describing
# to syslog (8) the importance of a message and a number of parameters
# in this file have log levels as their value.
#
# Valid levels are:
#
# 7 debug
# 6 info
# 5 notice
# 4 warning
# 3 err
# 2 crit
# 1 alert
# 0 emerg
#
# For most Shorewall logging, a level of 6 (info) is appropriate. Shorewall
# log messages are generated by NetFilter and are logged using facility
# 'kern' and the level that you specifify. If you are unsure of the level
# to choose, 6 (info) is a safe bet. You may specify levels by name or by
# number.
#
# If you have build your kernel with ULOG target support, you may also
# specify a log level of ULOG (must be all caps). Rather than log its
# messages to syslogd, Shorewall will direct netfilter to log the messages
# via the ULOG target which will send them to a process called 'ulogd'.
# ulogd is available from http://www.gnumonks.org/projects/ulogd and can be
# configured to log all Shorewall message to their own log file
################################################################################
#
# PATH - Change this if you want to change the order in which Shorewall # PATH - Change this if you want to change the order in which Shorewall
# searches directories for executable files. # searches directories for executable files.
# #
@ -96,6 +125,8 @@ LOGBURST=
# packets are logged under the 'logunclean' interface option. If the variable # packets are logged under the 'logunclean' interface option. If the variable
# is empty, these packets will still be logged at the 'info' level. # is empty, these packets will still be logged at the 'info' level.
# #
# See the comment at the top of this file for a description of log levels
#
LOGUNCLEAN=info LOGUNCLEAN=info
@ -191,6 +222,8 @@ BLACKLIST_DISPOSITION=DROP
# (beward of DOS attacks resulting from such logging). If not set, no logging # (beward of DOS attacks resulting from such logging). If not set, no logging
# of blacklist packets occurs. # of blacklist packets occurs.
# #
# See the comment at the top of this file for a description of log levels
#
BLACKLIST_LOGLEVEL= BLACKLIST_LOGLEVEL=
# #
@ -353,6 +386,8 @@ MUTEX_TIMEOUT=60
# it will be rejected by the firewall. If you want these rejects logged, # it will be rejected by the firewall. If you want these rejects logged,
# then set LOGNEWNOTSYN to the syslog log level at which you want them logged. # then set LOGNEWNOTSYN to the syslog log level at which you want them logged.
# #
# See the comment at the top of this file for a description of log levels
#
# Example: LOGNEWNOTSYN=debug # Example: LOGNEWNOTSYN=debug
@ -400,6 +435,8 @@ MACLIST_DISPOSITION=REJECT
# Specifies the logging level for connection requests that fail MAC # Specifies the logging level for connection requests that fail MAC
# verification. If set to the empty value (MACLIST_LOG_LEVEL="") then # verification. If set to the empty value (MACLIST_LOG_LEVEL="") then
# such connection requests will not be logged. # such connection requests will not be logged.
#
# See the comment at the top of this file for a description of log levels
# #
MACLIST_LOG_LEVEL=info MACLIST_LOG_LEVEL=info
@ -420,8 +457,42 @@ TCP_FLAGS_DISPOSITION=DROP
# Specifies the logging level for packets that fail TCP Flags # Specifies the logging level for packets that fail TCP Flags
# verification. If set to the empty value (TCP_FLAGS_LOG_LEVEL="") then # verification. If set to the empty value (TCP_FLAGS_LOG_LEVEL="") then
# such packets will not be logged. # such packets will not be logged.
#
# See the comment at the top of this file for a description of log levels
# #
TCP_FLAGS_LOG_LEVEL=info TCP_FLAGS_LOG_LEVEL=info
#
# RFC1918 Log Level
#
# Specifies the logging level for packets that fail RFC 1918
# verification. If set to the empty value (RFC1918_LOG_LEVEL="") then
# RFC1918_LOG_LEVEL=info is assumed.
#
# See the comment at the top of this file for a description of log levels
#
RFC1918_LOG_LEVEL=info
#
# Mark Packets in the forward chain
#
# When processing the tcrules file, Shorewall normally marks packets in the
# PREROUTING chain. To cause Shorewall to use the FORWARD chain instead, set
# this to "Yes". If not specified or if set to the empty value (e.g.,
# MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed.
#
# Marking packets in the FORWARD chain has the advantage that inbound
# packets destined for Masqueraded/SNATed local hosts have had their destination
# address rewritten so they can be marked based on their destination. When
# packets are marked in the PREROUTING chain, packets destined for
# Masqueraded/SNATed local hosts still have a destination address corresponding
# to the firewall's external interface.
#
# Note: Older kernels do not support marking packets in the FORWARD chain and
# setting this variable to Yes may cause startup problems.
MARK_IN_FORWARD_CHAIN=No
#LAST LINE -- DO NOT REMOVE #LAST LINE -- DO NOT REMOVE

15
STABLE/shorewall.spec
View File

@ -1,5 +1,5 @@
%define name shorewall %define name shorewall
%define version 1.3.11a %define version 1.3.12
%define release 1 %define release 1
%define prefix /usr %define prefix /usr
@ -94,6 +94,10 @@ fi
%attr(0600,root,root) %config(noreplace) /etc/shorewall/hosts %attr(0600,root,root) %config(noreplace) /etc/shorewall/hosts
%attr(0600,root,root) %config(noreplace) /etc/shorewall/blacklist %attr(0600,root,root) %config(noreplace) /etc/shorewall/blacklist
%attr(0600,root,root) %config(noreplace) /etc/shorewall/rfc1918 %attr(0600,root,root) %config(noreplace) /etc/shorewall/rfc1918
%attr(0600,root,root) %config(noreplace) /etc/shorewall/init
%attr(0600,root,root) %config(noreplace) /etc/shorewall/start
%attr(0600,root,root) %config(noreplace) /etc/shorewall/stop
%attr(0600,root,root) %config(noreplace) /etc/shorewall/stopped
%attr(0544,root,root) /sbin/shorewall %attr(0544,root,root) /sbin/shorewall
%attr(0444,root,root) /usr/lib/shorewall/functions %attr(0444,root,root) /usr/lib/shorewall/functions
%attr(0544,root,root) /usr/lib/shorewall/firewall %attr(0544,root,root) /usr/lib/shorewall/firewall
@ -101,6 +105,15 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog %changelog
* Fri Dec 27 2002 Tom Eastep <tom@shorewall.net>
- Changes version to 1.3.12
* Sun Dec 22 2002 Tom Eastep <tom@shorewall.net>
- Changes version to 1.3.12-0Beta3
* Fri Dec 20 2002 Tom Eastep <tom@shorewall.net>
- Changes version to 1.3.12-0Beta2
* Wed Dec 18 2002 Tom Eastep <tom@shorewall.net>
- Changes version to 1.3.12-0Beta1
- Add init, start, stop and stopped files.
* Tue Dec 03 2002 Tom Eastep <tom@shorewall.net> * Tue Dec 03 2002 Tom Eastep <tom@shorewall.net>
- Changes version to 1.3.11a - Changes version to 1.3.11a
* Sun Nov 24 2002 Tom Eastep <tom@shorewall.net> * Sun Nov 24 2002 Tom Eastep <tom@shorewall.net>

6
STABLE/start Normal file
View File

@ -0,0 +1,6 @@
############################################################################
# Shorewall 1.3 -- /etc/shorewall/start
#
# Add commands below that you want to be executed after shorewall has
# been started or restarted.
#

6
STABLE/stop Normal file
View File

@ -0,0 +1,6 @@
############################################################################
# Shorewall 1.3 -- /etc/shorewall/stop
#
# Add commands below that you want to be executed at the beginning of a
# "shorewall stop" command.
#

6
STABLE/stopped Normal file
View File

@ -0,0 +1,6 @@
############################################################################
# Shorewall 1.3 -- /etc/shorewall/stopped
#
# Add commands below that you want to be executed at the completion of a
# "shorewall stop" command.
#

2
STABLE/uninstall.sh
View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall # shown below. Simply run this script to remove Seattle Firewall
VERSION=1.3.11a VERSION=1.3.12
usage() # $1 = exit status usage() # $1 = exit status
{ {

4831
Shorewall-docs/Documentation.htm
View File

File diff suppressed because it is too large Load Diff

1679
Shorewall-docs/FAQ.htm
View File

File diff suppressed because it is too large Load Diff

152
Shorewall-docs/MAC_Validation.html
View File

@ -2,103 +2,109 @@
<html> <html>
<head> <head>
<title>MAC Verification</title> <title>MAC Verification</title>
<meta http-equiv="content-type" <meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1"> content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep"> <meta name="author" content="Tom Eastep">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4" style="border-collapse: collapse;" width="100%" id="AutoNumber4"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">MAC Verification</font><br> <h1 align="center"><font color="#ffffff">MAC Verification</font><br>
</h1> </h1>
<br> <br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br> <br>
Beginning with Shorewall version 1.3.10, all traffic from an interface Beginning with Shorewall version 1.3.10, all traffic from an interface
or from a subnet on an interface can be verified to originate from a defined or from a subnet on an interface can be verified to originate from a defined
set of MAC addresses. Furthermore, each MAC address may be optionally associated set of MAC addresses. Furthermore, each MAC address may be optionally associated
with one or more IP addresses. There are four components to this facility.<br> with one or more IP addresses. <br>
<br>
<b>You must have the iproute package (ip utility) installed to use MAC Verification.</b><br>
<br>
There are four components to this facility.<br>
<ol> <ol>
<li>The <b>maclist</b> interface option in <a <li>The <b>maclist</b> interface option in <a
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. When this href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. When
option is specified, all traffic arriving on the interface is subjet to MAC this option is specified, all traffic arriving on the interface is subjet
verification.</li> to MAC verification.</li>
<li>The <b>maclist </b>option in <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>. <li>The <b>maclist </b>option in <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>.
When this option is specified for a subnet, all traffic from that subnet When this option is specified for a subnet, all traffic from that subnet
is subject to MAC verification.</li> is subject to MAC verification.</li>
<li>The /etc/shorewall/maclist file. This file is used to associate <li>The /etc/shorewall/maclist file. This file is used to associate
MAC addresses with interfaces and to optionally associate IP addresses with MAC addresses with interfaces and to optionally associate IP addresses with
MAC addresses.</li> MAC addresses.</li>
<li>The <b>MACLIST_DISPOSITION </b>and <b>MACLIST_LOG_LEVEL </b>variables <li>The <b>MACLIST_DISPOSITION </b>and <b>MACLIST_LOG_LEVEL </b>variables
in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a> The in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a>
MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT and determines The MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT and
the disposition of connection requests that fail MAC verification. The MACLIST_LOG_LEVEL determines the disposition of connection requests that fail MAC verification.
variable gives the syslogd level at which connection requests that fail verification The MACLIST_LOG_LEVEL variable gives the syslogd level at which connection
are to be logged. If set the the empty value (e.g., MACLIST_LOG_LEVEL="") requests that fail verification are to be logged. If set the the empty value
then failing connection requests are not logged.<br> (e.g., MACLIST_LOG_LEVEL="") then failing connection requests are not logged.<br>
</li> </li>
</ol> </ol>
The columns in /etc/shorewall/maclist are:<br> The columns in /etc/shorewall/maclist are:<br>
<ul> <ul>
<li>INTERFACE - The name of an ethernet interface on the Shorewall system.</li> <li>INTERFACE - The name of an ethernet interface on the Shorewall
<li>MAC - The MAC address of a device on the ethernet segment connected system.</li>
by INTERFACE. It is not necessary to use the Shorewall MAC format in this <li>MAC - The MAC address of a device on the ethernet segment connected
column although you may use that format if you so choose.</li> by INTERFACE. It is not necessary to use the Shorewall MAC format in this
<li>IP Address - An optional comma-separated list of IP addresses for column although you may use that format if you so choose.</li>
<li>IP Address - An optional comma-separated list of IP addresses for
the device whose MAC is listed in the MAC column.</li> the device whose MAC is listed in the MAC column.</li>
</ul> </ul>
<h3>Example 1: Here are my files:</h3> <h3>Example 1: Here are my files:</h3>
<b>/etc/shorewall/shorewall.conf:<br> <b>/etc/shorewall/shorewall.conf:<br>
</b> </b>
<pre> MACLIST_DISPOSITION=REJECT<br> MACLIST_LOG_LEVEL=info<br></pre> <pre> MACLIST_DISPOSITION=REJECT<br> MACLIST_LOG_LEVEL=info<br></pre>
<b>/etc/shorewall/interfaces:</b><br> <b>/etc/shorewall/interfaces:</b><br>
<pre> #ZONE INTERFACE BROADCAST OPTIONS<br> net eth0 206.124.146.255 norfc1918,filterping,dhcp,blacklist<br> loc eth2 192.168.1.255 dhcp,filterping,maclist<br> dmz eth1 192.168.2.255 filterping<br> net eth3 206.124.146.255 filterping,blacklist<br> - texas 192.168.9.255 filterping<br> loc ppp+ - filterping<br></pre> <pre> #ZONE INTERFACE BROADCAST OPTIONS<br> net eth0 206.124.146.255 norfc1918,filterping,dhcp,blacklist<br> loc eth2 192.168.1.255 dhcp,filterping,maclist<br> dmz eth1 192.168.2.255 filterping<br> net eth3 206.124.146.255 filterping,blacklist<br> - texas 192.168.9.255 filterping<br> loc ppp+ - filterping<br></pre>
<b>/etc/shorewall/maclist:</b><br> <b>/etc/shorewall/maclist:</b><br>
<pre> #INTERFACE MAC IP ADDRESSES (Optional)<br> eth2 00:A0:CC:63:66:89 192.168.1.3 #Wookie<br> eth2 00:10:B5:EC:FD:0B 192.168.1.4 #Tarry<br> eth2 00:A0:CC:DB:31:C4 192.168.1.5 #Ursa<br> eth2 00:06:25:aa:a8:0f 192.168.1.7 #Eastept1 (Wireless)<br> eth2 00:04:5A:0E:85:B9 192.168.1.250 #Wap<br></pre> <pre> #INTERFACE MAC IP ADDRESSES (Optional)<br> eth2 00:A0:CC:63:66:89 192.168.1.3 #Wookie<br> eth2 00:10:B5:EC:FD:0B 192.168.1.4 #Tarry<br> eth2 00:A0:CC:DB:31:C4 192.168.1.5 #Ursa<br> eth2 00:06:25:aa:a8:0f 192.168.1.7 #Eastept1 (Wireless)<br> eth2 00:04:5A:0E:85:B9 192.168.1.250 #Wap<br></pre>
As shown above, I use MAC Verification on <a href="myfiles.htm">my local As shown above, I use MAC Verification on <a href="myfiles.htm">my local
zone</a>.<br> zone</a>.<br>
<h3>Example 2: Router in Local Zone</h3> <h3>Example 2: Router in Local Zone</h3>
Suppose now that I add a second ethernet segment to my local zone and Suppose now that I add a second ethernet segment to my local zone and
gateway that segment via a router with MAC address 00:06:43:45:C6:15 and gateway that segment via a router with MAC address 00:06:43:45:C6:15 and
IP address 192.168.1.253. Hosts in the second segment have IP addresses IP address 192.168.1.253. Hosts in the second segment have IP addresses in
in the subnet 192.168.2.0/24. I would add the following entry to my /etc/shorewall/maclist the subnet 192.168.2.0/24. I would add the following entry to my /etc/shorewall/maclist
file:<br> file:<br>
<pre> eth2 00:06:43:45:C6:15 192.168.1.253,192.168.2.0/24<br></pre> <pre> eth2 00:06:43:45:C6:15 192.168.1.253,192.168.2.0/24<br></pre>
This entry accomodates traffic from the router itself (192.168.1.253) This entry accomodates traffic from the router itself (192.168.1.253)
and from the second LAN segment (192.168.2.0/24). Remember that all traffic and from the second LAN segment (192.168.2.0/24). Remember that all traffic
being sent to my firewall from the 192.168.2.0/24 segment will be forwarded being sent to my firewall from the 192.168.2.0/24 segment will be forwarded
by the router so that traffic's MAC address will be that of the router (00:06:43:45:C6:15) by the router so that traffic's MAC address will be that of the router (00:06:43:45:C6:15)
and not that of the host sending the traffic. and not that of the host sending the traffic.
<p><font size="2"> Updated 10/23/2002 - <a href="support.htm">Tom Eastep</a> <p><font size="2"> Updated 12/22/2002 - <a href="support.htm">Tom Eastep</a>
</font></p> </font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
&copy; <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> &copy; <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br> <br>
<br> <br>
<br>
<br> <br>
<br> <br>
<br> <br>

2562
Shorewall-docs/News.htm
View File

File diff suppressed because it is too large Load Diff

153
Shorewall-docs/Shorewall_index_frame.htm
View File

@ -2,140 +2,141 @@
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Index</title> <title>Shorewall Index</title>
<base target="main"> <base target="main">
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#4b017c" height="90"> bgcolor="#4b017c" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%" height="90"> <td width="100%" height="90">
<h3 align="center"><font color="#ffffff">Shorewall</font></h3> <h3 align="center"><font color="#ffffff">Shorewall</font></h3>
</td> </td>
</tr> </tr>
<tr> <tr>
<td width="100%" bgcolor="#ffffff"> <td width="100%" bgcolor="#ffffff">
<ul> <ul>
<li> <a href="seattlefirewall_index.htm">Home</a></li> <li> <a href="seattlefirewall_index.htm">Home</a></li>
<li> <a href="shorewall_features.htm">Features</a></li> <li> <a href="shorewall_features.htm">Features</a></li>
<li> <a href="shorewall_prerequisites.htm">Requirements</a></li> <li> <a href="shorewall_prerequisites.htm">Requirements</a></li>
<li> <a href="download.htm">Download</a><br> <li> <a href="download.htm">Download</a><br>
</li>
<li> <a href="Install.htm">Installation/Upgrade/</a><br>
<a href="Install.htm">Configuration</a><br>
</li>
<li> <a href="shorewall_quickstart_guide.htm">QuickStart
Guides (HOWTOs)</a><br>
</li> </li>
<li> <a <li> <a href="Install.htm">Installation/Upgrade/</a><br>
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></li> <a href="Install.htm">Configuration</a><br>
<li> <a href="Documentation.htm">Reference Manual</a></li> </li>
<li> <a href="FAQ.htm">FAQs</a></li> <li> <a href="shorewall_quickstart_guide.htm">QuickStart
<li><a href="useful_links.html">Useful Links</a><br> Guides (HOWTOs)</a><br>
</li> </li>
<li> <a href="troubleshoot.htm">Troubleshooting</a></li> <li> <b><a
<li> <a href="errata.htm">Errata</a></li> href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li>
<li> <a href="upgrade_issues.htm">Upgrade Issues</a></li> <li> <a href="Documentation.htm">Reference Manual</a></li>
<li> <a href="support.htm">Support</a></li> <li> <a href="FAQ.htm">FAQs</a></li>
<li> <a href="mailing_list.htm">Mailing Lists</a></li> <li><a href="useful_links.html">Useful Links</a><br>
<li> <a href="shorewall_mirrors.htm">Mirrors</a> </li>
<li> <a href="troubleshoot.htm">Troubleshooting</a></li>
<li> <a href="errata.htm">Errata</a></li>
<li> <a href="upgrade_issues.htm">Upgrade Issues</a></li>
<li> <a href="support.htm">Support</a></li>
<li> <a href="mailing_list.htm">Mailing Lists</a></li>
<li> <a href="shorewall_mirrors.htm">Mirrors</a>
<ul> <ul>
<li><a target="_top" <li><a target="_top"
href="http://slovakia.shorewall.net">Slovak Republic</a></li> href="http://slovakia.shorewall.net">Slovak Republic</a></li>
<li><a target="_top" <li><a target="_top"
href="http://shorewall.infohiiway.com">Texas, USA</a></li> href="http://shorewall.infohiiway.com">Texas, USA</a></li>
<li><a target="_top" <li><a target="_top"
href="http://germany.shorewall.net">Germany</a></li> href="http://germany.shorewall.net">Germany</a></li>
<li><a target="_top" <li><a target="_top"
href="http://shorewall.correofuego.com.ar">Argentina</a></li> href="http://shorewall.correofuego.com.ar">Argentina</a></li>
<li><a target="_top" <li><a target="_top"
href="http://france.shorewall.net">France</a></li> href="http://france.shorewall.net">France</a></li>
<li><a href="http://www.shorewall.net" target="_top">Washington <li><a href="http://www.shorewall.net" target="_top">Washington
State, USA</a><br> State, USA</a><br>
</li> </li>
</ul> </ul>
</li> </li>
</ul> </ul>
<ul> <ul>
<li> <a href="News.htm">News Archive</a></li> <li> <a href="News.htm">News Archive</a></li>
<li> <a href="Shorewall_CVS_Access.html">CVS Repository</a></li> <li> <a href="Shorewall_CVS_Access.html">CVS Repository</a></li>
<li> <a href="quotes.htm">Quotes from Users</a></li> <li> <a href="quotes.htm">Quotes from Users</a></li>
<li> <a href="shoreline.htm">About the Author</a></li> <li> <a href="shoreline.htm">About the Author</a></li>
<li> <a <li> <a
href="seattlefirewall_index.htm#Donations">Donations</a></li> href="seattlefirewall_index.htm#Donations">Donations</a></li>
</ul> </ul>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<form method="post" action="http://www.shorewall.net/cgi-bin/htsearch"> <form method="post" action="http://www.shorewall.net/cgi-bin/htsearch">
<strong><br> <strong><br>
<b>Note: </b></strong>Search is unavailable Daily 0200-0330 <b>Note: </b></strong>Search is unavailable Daily 0200-0330
GMT.<br> GMT.<br>
<strong></strong> <strong></strong>
<p><strong>Quick Search</strong><br> <p><strong>Quick Search</strong><br>
<font face="Arial" size="-1"> <input <font face="Arial" size="-1"> <input
type="text" name="words" size="15"></font><font size="-1"> </font> <font type="text" name="words" size="15"></font><font size="-1"> </font> <font
face="Arial" size="-1"> <input type="hidden" name="format" face="Arial" size="-1"> <input type="hidden" name="format"
value="long"> <input type="hidden" name="method" value="and"> <input value="long"> <input type="hidden" name="method" value="and"> <input
type="hidden" name="config" value="htdig"> <input type="submit" type="hidden" name="config" value="htdig"> <input type="submit"
value="Search"></font> </p> value="Search"></font> </p>
<font face="Arial"> <input type="hidden" <font face="Arial"> <input type="hidden"
name="exclude" value="[http://www.shorewall.net/pipermail/*]"> </font> name="exclude" value="[http://www.shorewall.net/pipermail/*]"> </font>
</form> </form>
<p><b><a href="http://www.shorewall.net/htdig/search.html">Extended Search</a></b></p> <p><b><a href="http://www.shorewall.net/htdig/search.html">Extended Search</a></b></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002 Thomas M. Eastep.</font></a></p> size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
<p><a href="http://www.shorewall.net" target="_top"> <img border="1" <p><a href="http://www.shorewall.net" target="_top"> <img border="1"
src="images/shorewall.jpg" width="119" height="38" hspace="0"> src="images/shorewall.jpg" width="119" height="38" hspace="0">
</a><br> </a><br>
<br> <br>
</p> </p>
<br>
<br> <br>
<br> <br>
<br> <br>

163
Shorewall-docs/Shorewall_sfindex_frame.htm
View File

@ -2,134 +2,143 @@
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Index</title> <title>Shorewall Index</title>
<base target="main"> <base target="main">
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#4b017c" height="90"> bgcolor="#4b017c" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%" height="90"> <td width="100%" height="90">
<h3 align="center"><font color="#ffffff">Shorewall</font></h3> <h3 align="center"><font color="#ffffff">Shorewall</font></h3>
</td> </td>
</tr> </tr>
<tr> <tr>
<td width="100%" bgcolor="#ffffff"> <td width="100%" bgcolor="#ffffff">
<ul> <ul>
<li> <a href="seattlefirewall_index.htm">Home</a></li> <li> <a href="seattlefirewall_index.htm">Home</a></li>
<li> <a href="shorewall_features.htm">Features</a></li> <li> <a
<li> <a href="shorewall_prerequisites.htm">Requirements</a></li> href="shorewall_features.htm">Features</a></li>
<li> <a href="download.htm">Download</a><br> <li> <a href="shorewall_prerequisites.htm">Requirements</a></li>
</li> <li> <a href="download.htm">Download</a><br>
<li> <a href="Install.htm">Installation/Upgrade/</a><br> </li>
<a href="Install.htm">Configuration</a><br> <li> <a href="Install.htm">Installation/Upgrade/</a><br>
</li> <a href="Install.htm">Configuration</a><br>
<li> <a href="shorewall_quickstart_guide.htm">QuickStart </li>
Guides (HOWTOs)</a><br> <li> <a href="shorewall_quickstart_guide.htm">QuickStart
</li> Guides (HOWTOs)</a><br>
<li> <a </li>
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></li> <li> <b><a
<li> <a href="Documentation.htm">Reference Manual</a></li> href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li>
<li> <a href="FAQ.htm">FAQs</a></li> <li> <a href="Documentation.htm">Reference Manual</a></li>
<li><a href="useful_links.html">Useful Links</a><br> <li> <a href="FAQ.htm">FAQs</a></li>
</li> <li><a href="useful_links.html">Useful Links</a><br>
<li> <a href="troubleshoot.htm">Troubleshooting</a></li> </li>
<li> <a href="errata.htm">Errata</a></li> <li> <a href="troubleshoot.htm">Troubleshooting</a></li>
<li> <a href="upgrade_issues.htm">Upgrade Issues</a></li> <li> <a href="errata.htm">Errata</a></li>
<li> <a href="support.htm">Support</a></li> <li> <a href="upgrade_issues.htm">Upgrade Issues</a></li>
<li> <a href="mailing_list.htm">Mailing Lists</a></li> <li> <a href="support.htm">Support</a></li>
<li> <a href="shorewall_mirrors.htm">Mirrors</a> <li> <a href="mailing_list.htm">Mailing Lists</a></li>
<li> <a href="shorewall_mirrors.htm">Mirrors</a>
<ul> <ul>
<li><a target="_top" <li><a target="_top"
href="http://slovakia.shorewall.net">Slovak Republic</a></li> href="http://slovakia.shorewall.net">Slovak Republic</a></li>
<li><a target="_top" <li><a target="_top"
href="http://shorewall.infohiiway.com">Texas, USA</a></li> href="http://shorewall.infohiiway.com">Texas, USA</a></li>
<li><a target="_top" <li><a target="_top"
href="http://germany.shorewall.net">Germany</a></li> href="http://germany.shorewall.net">Germany</a></li>
<li><a target="_top" <li><a target="_top"
href="http://shorewall.correofuego.com.ar">Argentina</a></li> href="http://shorewall.correofuego.com.ar">Argentina</a></li>
<li><a target="_top" <li><a target="_top"
href="http://france.shorewall.net">France</a></li> href="http://france.shorewall.net">France</a></li>
<li><a href="http://www.shorewall.net" target="_top">Washington <li><a href="http://www.shorewall.net" target="_top">Washington
State, USA</a><br> State, USA</a><br>
</li> </li>
</ul> </ul>
</li> </li>
</ul> </ul>
<ul> <ul>
<li> <a href="News.htm">News Archive</a></li> <li> <a href="News.htm">News Archive</a></li>
<li> <a href="Shorewall_CVS_Access.html">CVS Repository</a></li> <li> <a href="Shorewall_CVS_Access.html">CVS
<li> <a href="quotes.htm">Quotes from Users</a></li> Repository</a></li>
<li> <a href="shoreline.htm">About the Author</a></li> <li> <a href="quotes.htm">Quotes from Users</a></li>
<li> <a <li> <a href="shoreline.htm">About the Author</a></li>
href="seattlefirewall_index.htm#Donations">Donations</a></li> <li> <a
href="sourceforge_index.htm#Donations">Donations</a></li>
</ul> </ul>
</td> </td>
</tr> </tr>
</tbody>
</tbody>
</table> </table>
<form method="post" action="http://www.shorewall.net/cgi-bin/htsearch"> <form method="post" action="http://www.shorewall.net/cgi-bin/htsearch">
<strong><br> <strong><br>
<b>Note: </b></strong>Search is unavailable Daily 0200-0330 <b>Note: </b></strong>Search is unavailable Daily 0200-0330
GMT.<br> GMT.<br>
<strong></strong> <strong></strong>
<p><strong>Quick Search</strong><br> <p><strong>Quick Search</strong><br>
<font face="Arial" size="-1"> <input <font face="Arial" size="-1"> <input
type="text" name="words" size="15"></font><font size="-1"> </font> <font type="text" name="words" size="15"></font><font size="-1"> </font> <font
face="Arial" size="-1"> <input type="hidden" name="format" face="Arial" size="-1"> <input type="hidden" name="format"
value="long"> <input type="hidden" name="method" value="and"> <input value="long"> <input type="hidden" name="method" value="and"> <input
type="hidden" name="config" value="htdig"> <input type="submit" type="hidden" name="config" value="htdig"> <input type="submit"
value="Search"></font> </p> value="Search"></font> </p>
<font face="Arial"> <input type="hidden" <font face="Arial"> <input type="hidden"
name="exclude" value="[http://www.shorewall.net/pipermail/*]"> </font> name="exclude" value="[http://www.shorewall.net/pipermail/*]"> </font>
</form> </form>
<p><b><a href="http://www.shorewall.net/htdig/search.html">Extended Search</a></b></p> <p><b><a href="http://www.shorewall.net/htdig/search.html">Extended Search</a></b></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002 Thomas M. Eastep.</font></a></p> size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
<p><a href="http://www.shorewall.net" target="_top"> <img border="1" <p><a href="http://www.shorewall.net" target="_top"> </a><br>
src="images/shorewall.jpg" width="119" height="38" hspace="0"> </p>
</a><br> <br>
<br> <br>
</p> <br>
<br> <br>
<br> <br>
</body> </body>

171
Shorewall-docs/VPN.htm
View File

@ -1,81 +1,104 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta http-equiv="Content-Language" content="en-us">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<title>VPN</title>
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>VPN</title>
</head> </head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0"
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90"> style="border-collapse: collapse;" bordercolor="#111111" width="100%"
<tr> id="AutoNumber1" bgcolor="#400169" height="90">
<td width="100%"> <tbody>
<h1 align="center"><font color="#FFFFFF">VPN</font></h1> <tr>
</td> <td width="100%">
</tr> <h1 align="center"><font color="#ffffff">VPN</font></h1>
</td>
</tr>
</tbody>
</table> </table>
<p>It is often the case that a system behind the firewall needs to be able to
access a remote network through Virtual Private Networking (VPN). The two most <p>It is often the case that a system behind the firewall needs to be able
common means for doing this are IPSEC and PPTP. The basic setup is shown in the to access a remote network through Virtual Private Networking (VPN). The
following diagram:</p> two most common means for doing this are IPSEC and PPTP. The basic setup
<p align="center"><img border="0" src="images/VPN.png" width="568" height="796"></p> is shown in the following diagram:</p>
<p align="left">A system with an RFC 1918 address needs to access a remote
network through a remote gateway. For this example, we will assume that the <p align="center"><img border="0" src="images/VPN.png" width="568"
local system has IP address 192.168.1.12 and that the remote gateway has IP height="796">
address 192.0.2.224.</p> </p>
<p align="left">If PPTP is being used, there are no firewall requirements beyond
the default loc-&gt;net ACCEPT policy. There is one restriction however: Only one <p align="left">A system with an RFC 1918 address needs to access a remote
local system at a time can be connected to a single remote gateway unless you network through a remote gateway. For this example, we will assume that
patch your kernel from the 'Patch-o-matic' patches available at the local system has IP address 192.168.1.12 and that the remote gateway
<a href="http://www.netfilter.org">http://www.netfilter.org</a>. </p> has IP address 192.0.2.224.</p>
<p align="left">If IPSEC is being used then there are firewall configuration
requirements as follows:</p> <p align="left">If PPTP is being used, there are no firewall requirements
<blockquote> beyond the default loc-&gt;net ACCEPT policy. There is one restriction however:
<table border="1" cellpadding="2" style="border-collapse: collapse" bordercolor="#111111" id="AutoNumber2" height="98"> Only one local system at a time can be connected to a single remote gateway
<tr> unless you patch your kernel from the 'Patch-o-matic' patches available
<td height="38"><u><b>ACTION</b></u></td> at <a href="http://www.netfilter.org">http://www.netfilter.org</a>. </p>
<td height="38"><u><b>SOURCE</b></u></td>
<td height="38"><u><b>DESTINATION</b></u></td> <p align="left">If IPSEC is being used then only one system may connect to
<td height="38"><u><b>PROTOCOL</b></u></td> the remote gateway and there are firewall configuration requirements as
<td height="38"><u><b>PORT</b></u></td> follows:</p>
<td height="38"><u><b>CLIENT<br>
PORT</b></u></td> <blockquote>
<td height="38"><u><b>ORIGINAL<br> <table border="1" cellpadding="2" style="border-collapse: collapse;"
DEST</b></u></td> bordercolor="#111111" id="AutoNumber2" height="98">
</tr> <tbody>
<tr> <tr>
<td height="19">DNAT</td> <td height="38"><u><b>ACTION</b></u></td>
<td height="19">net:192.0.2.224</td> <td height="38"><u><b>SOURCE</b></u></td>
<td height="19">loc:192.168.1.12</td> <td height="38"><u><b>DESTINATION</b></u></td>
<td height="19">50</td> <td height="38"><u><b>PROTOCOL</b></u></td>
<td height="19">&nbsp;</td> <td height="38"><u><b>PORT</b></u></td>
<td height="19">&nbsp;</td> <td height="38"><u><b>CLIENT<br>
<td height="19">&nbsp;</td> PORT</b></u></td>
</tr> <td height="38"><u><b>ORIGINAL<br>
<tr> DEST</b></u></td>
<td height="19">DNAT</td> </tr>
<td height="19">net:192.0.2.224</td> <tr>
<td height="19">loc:192.168.1.12</td> <td height="19">DNAT</td>
<td height="19">udp</td> <td height="19">net:192.0.2.224</td>
<td height="19">500</td> <td height="19">loc:192.168.1.12</td>
<td height="19">&nbsp;</td> <td height="19">50</td>
<td height="19">&nbsp;</td> <td height="19"> </td>
</tr> <td height="19"> </td>
<td height="19"> </td>
</tr>
<tr>
<td height="19">DNAT</td>
<td height="19">net:192.0.2.224</td>
<td height="19">loc:192.168.1.12</td>
<td height="19">udp</td>
<td height="19">500</td>
<td height="19"> </td>
<td height="19"> </td>
</tr>
</tbody>
</table> </table>
</blockquote> </blockquote>
<p>If you want to be able to give access to all of your local systems to the
remote network, you should consider running a VPN client on your firewall. As <p>If you want to be able to give access to all of your local systems to
starting points, see the remote network, you should consider running a VPN client on your firewall.
<a href="http://www.shorewall.net/Documentation.htm#Tunnels"> As starting points, see <a
http://www.shorewall.net/Documentation.htm#Tunnels</a> or href="http://www.shorewall.net/Documentation.htm#Tunnels"> http://www.shorewall.net/Documentation.htm#Tunnels</a>
<a href="http://www.shorewall.net/PPTP.htm">http://www.shorewall.net/PPTP.htm</a>.</p> or <a href="http://www.shorewall.net/PPTP.htm">http://www.shorewall.net/PPTP.htm</a>.</p>
<p><font size="2">Last modified 8/27/2002 - <a href="support.htm">Tom
Eastep</a></font><p><font face="Trebuchet MS"><a href="copyright.htm"> <p><font size="2">Last modified 12/21/2002 - <a href="support.htm">Tom Eastep</a></font></p>
<font size="2">Copyright</font> © <font size="2">2002 Thomas M. Eastep.</font></a></font><p>&nbsp;</p> <p><font face="Trebuchet MS"><a href="copyright.htm"> <font size="2">Copyright</font>
© <font size="2">2002 Thomas M. Eastep.</font></a></font></p>
<p> </p>
<br>
</body> </body>
</html> </html>

613
Shorewall-docs/configuration_file_basics.htm
View File

@ -1,320 +1,435 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Configuration File Basics</title> <title>Configuration File Basics</title>
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Configuration Files</font></h1> <h1 align="center"><font color="#ffffff">Configuration Files</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p><b><font color="#ff0000">Warning: </font>If you copy or edit your <p><b><font color="#ff0000">Warning: </font>If you copy or edit your
configuration files on a system running Microsoft Windows, you <u>must</u> configuration files on a system running Microsoft Windows, you <u>must</u>
run them through <a run them through <a
href="http://www.megaloman.com/%7Ehany/software/hd2u/"> dos2unix</a> href="http://www.megaloman.com/%7Ehany/software/hd2u/"> dos2unix</a>
before you use them with Shorewall.</b></p> before you use them with Shorewall.</b></p>
<h2>Files</h2> <h2>Files</h2>
<p>Shorewall's configuration files are in the directory /etc/shorewall.</p> <p>Shorewall's configuration files are in the directory /etc/shorewall.</p>
<ul> <ul>
<li>/etc/shorewall/shorewall.conf - used to set several firewall <li>/etc/shorewall/shorewall.conf - used to set several
parameters.</li> firewall parameters.</li>
<li>/etc/shorewall/params - use this file to set shell variables <li>/etc/shorewall/params - use this file to set shell
that you will expand in other files.</li> variables that you will expand in other files.</li>
<li>/etc/shorewall/zones - partition the firewall's view of <li>/etc/shorewall/zones - partition the firewall's
the world into <i>zones.</i></li> view of the world into <i>zones.</i></li>
<li>/etc/shorewall/policy - establishes firewall high-level <li>/etc/shorewall/policy - establishes firewall high-level
policy.</li> policy.</li>
<li>/etc/shorewall/interfaces - describes the interfaces on <li>/etc/shorewall/interfaces - describes the interfaces
the firewall system.</li> on the firewall system.</li>
<li>/etc/shorewall/hosts - allows defining zones in terms of <li>/etc/shorewall/hosts - allows defining zones in
individual hosts and subnetworks.</li> terms of individual hosts and subnetworks.</li>
<li>/etc/shorewall/masq - directs the firewall where to use <li>/etc/shorewall/masq - directs the firewall where
many-to-one (dynamic) Network Address Translation (a.k.a. Masquerading) to use many-to-one (dynamic) Network Address Translation (a.k.a.
and Source Network Address Translation (SNAT).</li> Masquerading) and Source Network Address Translation (SNAT).</li>
<li>/etc/shorewall/modules - directs the firewall to load kernel <li>/etc/shorewall/modules - directs the firewall to
modules.</li> load kernel modules.</li>
<li>/etc/shorewall/rules - defines rules that are exceptions <li>/etc/shorewall/rules - defines rules that are exceptions
to the overall policies established in /etc/shorewall/policy.</li> to the overall policies established in /etc/shorewall/policy.</li>
<li>/etc/shorewall/nat - defines static NAT rules.</li> <li>/etc/shorewall/nat - defines static NAT rules.</li>
<li>/etc/shorewall/proxyarp - defines use of Proxy ARP.</li> <li>/etc/shorewall/proxyarp - defines use of Proxy
<li>/etc/shorewall/routestopped (Shorewall 1.3.4 and later) ARP.</li>
- defines hosts accessible when Shorewall is stopped.</li> <li>/etc/shorewall/routestopped (Shorewall 1.3.4 and
<li>/etc/shorewall/tcrules - defines marking of packets for later) - defines hosts accessible when Shorewall is stopped.</li>
later use by traffic control/shaping or policy routing.</li> <li>/etc/shorewall/tcrules - defines marking of packets
<li>/etc/shorewall/tos - defines rules for setting the TOS for later use by traffic control/shaping or policy routing.</li>
field in packet headers.</li> <li>/etc/shorewall/tos - defines rules for setting
<li>/etc/shorewall/tunnels - defines IPSEC, GRE and IPIP tunnels the TOS field in packet headers.</li>
with end-points on the firewall system.</li> <li>/etc/shorewall/tunnels - defines IPSEC, GRE and
<li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC IPIP tunnels with end-points on the firewall system.</li>
addresses.</li> <li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC
addresses.</li>
<li>/etc/shorewall/init - commands that you wish to execute at the beginning
of a "shorewall start" or "shorewall restart".</li>
<li>/etc/shorewall/start - commands that you wish to execute at the completion
of a "shorewall start" or "shorewall restart"</li>
<li>/etc/shorewall/stop - commands that you wish to execute at the beginning
of a "shorewall stop".</li>
<li>/etc/shorewall/stopped - commands that you wish to execute at the
completion of a "shorewall stop".<br>
</li>
</ul> </ul>
<h2>Comments</h2> <h2>Comments</h2>
<p>You may place comments in configuration files by making the first non-whitespace <p>You may place comments in configuration files by making the first non-whitespace
character a pound sign ("#"). You may also place comments at the character a pound sign ("#"). You may also place comments at
end of any line, again by delimiting the comment from the rest of the end of any line, again by delimiting the comment from the rest
the line with a pound sign.</p> of the line with a pound sign.</p>
<p>Examples:</p> <p>Examples:</p>
<pre># This is a comment</pre> <pre># This is a comment</pre>
<pre>ACCEPT net fw tcp www #This is an end-of-line comment</pre>
<h2>Line Continuation</h2>
<p>You may continue lines in the configuration files using the usual backslash
("\") followed immediately by a new line character.</p>
<p>Example:</p>
<pre>ACCEPT net fw tcp \<br>smtp,www,pop3,imap #Services running on the firewall</pre>
<h2><a name="dnsnames"></a>Using DNS Names</h2>
<p align="left"> </p>
<p align="left"><b>WARNING: I personally recommend strongly <u>against</u>
using DNS names in Shorewall configuration files. If you use DNS names
and you are called out of bed at 2:00AM because Shorewall won't start as
a result of DNS problems then don't say that you were not forewarned. <br>
</b></p>
<p align="left"><b>    -Tom<br>
</b></p>
<p align="left">Beginning with Shorwall 1.3.9, Host addresses in Shorewall
configuration files may be specified either as IP addresses or as DNS Names.<br>
<br>
DNS names in iptables rules aren't nearly as useful as they first appear.
When a DNS name appears in a rule, the iptables utility resolves the name
to one or more IP addresses and inserts those addresses into the rule.
So change in the DNS-&gt;IP address relationship that occur after the firewall
has started have absolutely no effect on the firewall's ruleset. </p>
<p align="left"> If your firewall rules include DNS names then:</p>
<ul>
<li>If your /etc/resolv.conf is wrong then your firewall won't
start.</li>
<li>If your /etc/nsswitch.conf is wrong then your firewall won't
start.</li>
<li>If your Name Server(s) is(are) down then your firewall won't
start.</li>
<li>If your startup scripts try to start your firewall before starting
your DNS server then your firewall won't start.<br>
</li>
<li>Factors totally outside your control (your ISP's router is
down for example), can prevent your firewall from starting.</li>
<li>You must bring up your network interfaces prior to starting your
firewall.<br>
</li>
</ul>
<p align="left"> Each DNS name much be fully qualified and include a minumum
of two periods (although one may be trailing). This restriction is imposed
by Shorewall to insure backward compatibility with existing configuration
files.<br>
<br>
Examples of valid DNS names:<br>
</p>
<ul>
<li>mail.shorewall.net</li>
<li>shorewall.net.</li>
</ul>
Examples of invalid DNS names:<br>
<ul>
<li>mail (not fully qualified)</li>
<li>shorewall.net (only one period)</li>
</ul>
DNS names may not be used as:<br>
<ul>
<li>The server address in a DNAT rule (/etc/shorewall/rules file)</li>
<li>In the ADDRESS column of an entry in /etc/shorewall/masq.</li>
<li>In the /etc/shorewall/nat file.</li>
</ul>
These are iptables restrictions and are not simply imposed for your
inconvenience by Shorewall. <br>
<br>
<h2>Complementing an Address or Subnet</h2>
<pre>ACCEPT net fw tcp www #This is an end-of-line comment</pre>
<h2>Line Continuation</h2>
<p>You may continue lines in the configuration files using the usual backslash
("\") followed immediately by a new line character.</p>
<p>Example:</p>
<pre>ACCEPT net fw tcp \<br>smtp,www,pop3,imap #Services running on the firewall</pre>
<h2><a name="dnsnames"></a>Using DNS Names</h2>
<p align="left"> </p>
<p align="left"><b>WARNING: I personally recommend strongly <u>against</u>
using DNS names in Shorewall configuration files. If you use DNS names
and you are called out of bed at 2:00AM because Shorewall won't start
as a result of DNS problems then don't say that you were not forewarned.
<br>
</b></p>
<p align="left"><b>    -Tom<br>
</b></p>
<p align="left">Beginning with Shorwall 1.3.9, Host addresses in Shorewall
configuration files may be specified as either IP addresses or DNS
Names.<br>
<br>
DNS names in iptables rules aren't nearly as useful as they
first appear. When a DNS name appears in a rule, the iptables utility
resolves the name to one or more IP addresses and inserts those addresses
into the rule. So changes in the DNS-&gt;IP address relationship that
occur after the firewall has started have absolutely no effect on the
firewall's ruleset. </p>
<p align="left"> If your firewall rules include DNS names then:</p>
<ul>
<li>If your /etc/resolv.conf is wrong then your firewall won't
start.</li>
<li>If your /etc/nsswitch.conf is wrong then your firewall
won't start.</li>
<li>If your Name Server(s) is(are) down then your firewall
won't start.</li>
<li>If your startup scripts try to start your firewall before
starting your DNS server then your firewall won't start.<br>
</li>
<li>Factors totally outside your control (your ISP's router
is down for example), can prevent your firewall from starting.</li>
<li>You must bring up your network interfaces prior to starting
your firewall.<br>
</li>
</ul>
<p align="left"> Each DNS name much be fully qualified and include a minumum
of two periods (although one may be trailing). This restriction is imposed
by Shorewall to insure backward compatibility with existing configuration
files.<br>
<br>
Examples of valid DNS names:<br>
</p>
<ul>
<li>mail.shorewall.net</li>
<li>shorewall.net. (note the trailing period).</li>
</ul>
Examples of invalid DNS names:<br>
<ul>
<li>mail (not fully qualified)</li>
<li>shorewall.net (only one period)</li>
</ul>
DNS names may not be used as:<br>
<ul>
<li>The server address in a DNAT rule (/etc/shorewall/rules
file)</li>
<li>In the ADDRESS column of an entry in /etc/shorewall/masq.</li>
<li>In the /etc/shorewall/nat file.</li>
</ul>
These restrictions are not imposed by Shorewall simply for
your inconvenience but are rather limitations of iptables.<br>
<h2>Complementing an Address or Subnet</h2>
<p>Where specifying an IP address, a subnet or an interface, you can <p>Where specifying an IP address, a subnet or an interface, you can
precede the item with "!" to specify the complement of the item. For precede the item with "!" to specify the complement of the item. For
example, !192.168.1.4 means "any host but 192.168.1.4". There must be example, !192.168.1.4 means "any host but 192.168.1.4". There must be
no white space following the "!".</p> no white space following the "!".</p>
<h2>Comma-separated Lists</h2> <h2>Comma-separated Lists</h2>
<p>Comma-separated lists are allowed in a number of contexts within the <p>Comma-separated lists are allowed in a number of contexts within the
configuration files. A comma separated list:</p> configuration files. A comma separated list:</p>
<ul> <ul>
<li>Must not have any embedded white space.<br> <li>Must not have any embedded white space.<br>
Valid: routestopped,dhcp,norfc1918<br> Valid: routestopped,dhcp,norfc1918<br>
Invalid: routestopped,     dhcp,     norfc1818</li> Invalid: routestopped,     dhcp,     norfc1818</li>
<li>If you use line continuation to break a comma-separated <li>If you use line continuation to break a comma-separated
list, the continuation line(s) must begin in column 1 (or there list, the continuation line(s) must begin in column 1 (or there
would be embedded white space)</li> would be embedded white space)</li>
<li>Entries in a comma-separated list may appear in any order.</li> <li>Entries in a comma-separated list may appear in
any order.</li>
</ul> </ul>
<h2>Port Numbers/Service Names</h2> <h2>Port Numbers/Service Names</h2>
<p>Unless otherwise specified, when giving a port number you can use <p>Unless otherwise specified, when giving a port number you can use
either an integer or a service name from /etc/services. </p> either an integer or a service name from /etc/services. </p>
<h2>Port Ranges</h2> <h2>Port Ranges</h2>
<p>If you need to specify a range of ports, the proper syntax is &lt;<i>low <p>If you need to specify a range of ports, the proper syntax is &lt;<i>low
port number</i>&gt;:&lt;<i>high port number</i>&gt;. For example, port number</i>&gt;:&lt;<i>high port number</i>&gt;. For example,
if you want to forward the range of tcp ports 4000 through 4100 to local if you want to forward the range of tcp ports 4000 through 4100 to local
host 192.168.1.3, the entry in /etc/shorewall/rules is:<br> host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
</p> </p>
<pre> DNAT net loc:192.168.1.3 tcp 4000:4100<br></pre> <pre> DNAT net loc:192.168.1.3 tcp 4000:4100<br></pre>
<h2>Using Shell Variables</h2> <h2>Using Shell Variables</h2>
<p>You may use the /etc/shorewall/params file to set shell variables <p>You may use the /etc/shorewall/params file to set shell variables
that you can then use in some of the other configuration files.</p> that you can then use in some of the other configuration files.</p>
<p>It is suggested that variable names begin with an upper case letter<font <p>It is suggested that variable names begin with an upper case letter<font
size="1"> </font>to distinguish them from variables used internally size="1"> </font>to distinguish them from variables used internally
within the Shorewall programs</p> within the Shorewall programs</p>
<p>Example:</p> <p>Example:</p>
<blockquote> <blockquote>
<pre>NET_IF=eth0<br>NET_BCAST=130.252.100.255<br>NET_OPTIONS=noping,norfc1918</pre> <pre>NET_IF=eth0<br>NET_BCAST=130.252.100.255<br>NET_OPTIONS=noping,norfc1918</pre>
</blockquote> </blockquote>
<p><br> <p><br>
Example (/etc/shorewall/interfaces record):</p> Example (/etc/shorewall/interfaces record):</p>
<font <font
face="Century Gothic, Arial, Helvetica"> face="Century Gothic, Arial, Helvetica">
<blockquote>
<blockquote>
<pre><font face="Courier">net $NET_IF $NET_BCAST $NET_OPTIONS</font></pre> <pre><font face="Courier">net $NET_IF $NET_BCAST $NET_OPTIONS</font></pre>
</blockquote> </blockquote>
</font> </font>
<p>The result will be the same as if the record had been written</p> <p>The result will be the same as if the record had been written</p>
<font <font
face="Century Gothic, Arial, Helvetica"> face="Century Gothic, Arial, Helvetica">
<blockquote>
<blockquote>
<pre>net eth0 130.252.100.255 noping,norfc1918</pre> <pre>net eth0 130.252.100.255 noping,norfc1918</pre>
</blockquote> </blockquote>
</font> </font>
<p>Variables may be used anywhere in the other configuration <p>Variables may be used anywhere in the other configuration
files.</p> files.</p>
<h2>Using MAC Addresses</h2> <h2>Using MAC Addresses</h2>
<p>Media Access Control (MAC) addresses can be used to specify packet <p>Media Access Control (MAC) addresses can be used to specify packet
source in several of the configuration files. To use this feature, source in several of the configuration files. To use this feature,
your kernel must have MAC Address Match support (CONFIG_IP_NF_MATCH_MAC) your kernel must have MAC Address Match support (CONFIG_IP_NF_MATCH_MAC)
included.</p> included.</p>
<p>MAC addresses are 48 bits wide and each Ethernet Controller has a <p>MAC addresses are 48 bits wide and each Ethernet Controller has a
unique MAC address.<br> unique MAC address.<br>
<br> <br>
In GNU/Linux, MAC addresses are usually written as a series of In GNU/Linux, MAC addresses are usually written as a
6 hex numbers separated by colons. Example:<br> series of 6 hex numbers separated by colons. Example:<br>
<br> <br>
     [root@gateway root]# ifconfig eth0<br>      [root@gateway root]# ifconfig eth0<br>
     eth0 Link encap:Ethernet HWaddr <b><u>02:00:08:E3:FA:55</u></b><br>      eth0 Link encap:Ethernet HWaddr <b><u>02:00:08:E3:FA:55</u></b><br>
     inet addr:206.124.146.176 Bcast:206.124.146.255 Mask:255.255.255.0<br>      inet addr:206.124.146.176 Bcast:206.124.146.255
     UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br> Mask:255.255.255.0<br>
     RX packets:2398102 errors:0 dropped:0 overruns:0 frame:0<br>      UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br>
     TX packets:3044698 errors:0 dropped:0 overruns:0 carrier:0<br>      RX packets:2398102 errors:0 dropped:0 overruns:0
     collisions:30394 txqueuelen:100<br> frame:0<br>
     RX bytes:419871805 (400.4 Mb) TX bytes:1659782221 (1582.8      TX packets:3044698 errors:0 dropped:0 overruns:0
Mb)<br> carrier:0<br>
     Interrupt:11 Base address:0x1800<br>      collisions:30394 txqueuelen:100<br>
<br>      RX bytes:419871805 (400.4 Mb) TX bytes:1659782221
Because Shorewall uses colons as a separator for address fields, (1582.8 Mb)<br>
Shorewall requires MAC addresses to be written in another way. In      Interrupt:11 Base address:0x1800<br>
Shorewall, MAC addresses begin with a tilde ("~") and consist of <br>
6 hex numbers separated by hyphens. In Shorewall, the MAC address Because Shorewall uses colons as a separator for address
in the example above would be written "~02-00-08-E3-FA-55".<br> fields, Shorewall requires MAC addresses to be written in another
</p> way. In Shorewall, MAC addresses begin with a tilde ("~") and
consist of 6 hex numbers separated by hyphens. In Shorewall, the
MAC address in the example above would be written "~02-00-08-E3-FA-55".<br>
</p>
<p><b>Note: </b>It is not necessary to use the special Shorewall notation <p><b>Note: </b>It is not necessary to use the special Shorewall notation
in the <a href="MAC_Validation.html">/etc/shorewall/maclist</a> file.<br> in the <a href="MAC_Validation.html">/etc/shorewall/maclist</a> file.<br>
</p> </p>
<h2><a name="Configs"></a>Shorewall Configurations</h2> <h2><a name="Levels"></a>Logging</h2>
By default, Shorewall directs NetFilter to log using syslog (8). Syslog
<p> Shorewall allows you to have configuration directories other than /etc/shorewall. classifies log messages by a <i>facility</i> and a <i>priority</i> (using
The <a href="starting_and_stopping_shorewall.htm">shorewall start and restart</a> the notation <i>facility.priority</i>). <br>
commands allow you to specify an alternate configuration directory <br>
and Shorewall will use the files in the alternate directory rather than The facilities defined by syslog are <i>auth, authpriv, cron, daemon,
the corresponding files in /etc/shorewall. The alternate directory need kern, lpr, mail, mark, news, syslog, user, uucp</i> and <i>local0</i> through
not contain a complete configuration; those files not in the alternate directory <i>local7</i>.<br>
will be read from /etc/shorewall.</p> <br>
Throughout the Shorewall documentation, I will use the term <i>level</i>
<p> This facility permits you to easily create a test or temporary configuration rather than <i>priority</i> since <i>level</i> is the term used by NetFilter.
by:</p> The syslog documentation uses the term <i>priority</i>.<br>
<h3>Syslog Levels<br>
</h3>
Syslog levels are a method of describing to syslog (8) the importance
of a message and a number of Shorewall parameters have a syslog level
as their value.<br>
<br>
Valid levels are:<br>
<br>
       7       debug<br>
       6       info<br>
       5       notice<br>
       4       warning<br>
       3       err<br>
       2       crit<br>
       1       alert<br>
       0       emerg<br>
<br>
For most Shorewall logging, a level of 6 (info) is appropriate. Shorewall
log messages are generated by NetFilter and are logged using the <i>kern</i>
facility and the level that you specify. If you are unsure of the level
to choose, 6 (info) is a safe bet. You may specify levels by name or by
number.<br>
<br>
Syslogd writes log messages to files (typically in /var/log/*) based
on their facility and level. The mapping of these facility/level pairs to
log files is done in /etc/syslog.conf (5). If you make changes to this file,
you must restart syslogd before the changes can take effect.<br>
<h3>Configuring a Separate Log for Shorewall Messages</h3>
There are a couple of limitations to syslogd-based logging:<br>
<ol> <ol>
<li> copying the files that need modification from /etc/shorewall <li>If you give, for example, kern.info it's own log destination then
to a separate directory;</li> that destination will also receive all kernel messages of levels 5 (notice)
<li> modify those files in the separate directory; and</li> through 0 (emerg).</li>
<li> specifying the separate directory in a shorewall start <li>All kernel.info messages will go to that destination and not just
or shorewall restart command (e.g., <i><b>shorewall -c /etc/testconfig those from NetFilter.<br>
restart</b></i> ).</li> </li>
</ol>
Beginning with Shorewall version 1.3.12, if your kernel has ULOG target
support (and most vendor-supplied kernels do), you may also specify a log
level of ULOG (must be all caps). When ULOG is used, Shorewall will direct
netfilter to log the related messages via the ULOG target which will send
them to a process called 'ulogd'. The ulogd program is available from http://www.gnumonks.org/projects/ulogd
and can be configured to log all Shorewall message to their own log file.<br>
<br>
Download the ulod tar file and:<br>
<ol>
<li>cd /usr/local/src (or wherever you do your builds)</li>
<li>tar -zxf <i>source-tarball-that-you-downloaded</i></li>
<li>cd ulogd-<i>version</i><br>
</li>
<li>./configure</li>
<li>make</li>
<li>make install<br>
</li>
</ol>
If you are like me and don't have a development environment on your firewall,
you can do the first five steps on another system then either NFS mount your
/usr/local/src directory or tar up the /usr/local/src/ulogd-<i>version</i>
directory and move it to your firewall system.<br>
<br>
Now on the firewall system, edit /usr/local/etc/ulogd.conf and set:<br>
<ol>
<li>syslogfile <i>&lt;file that you wish to log to&gt;</i></li>
<li>syslogsync 1</li>
</ol>
I also copied the file /usr/local/src/ulogd-<i>version</i>/ulogd.init to
/etc/init.d/ulogd. I had to edit the line that read "daemon /usr/local/sbin/ulogd"
to read daemon /usr/local/sbin/ulogd -d". On a RedHat system, a simple "chkconfig
--level 3 ulogd on" starts ulogd during boot up. Your init system may need
something else done to activate the script.<br>
<br>
Finally edit /etc/shorewall/shorewall.conf and set LOGFILE=<i>&lt;file that
you wish to log to&gt;</i>. This tells the /sbin/shorewall program where to
look for the log when processing its "show log", "logwatch" and "monitor"
commands.<br>
<h2><a name="Configs"></a>Shorewall Configurations</h2>
<p> Shorewall allows you to have configuration directories other than /etc/shorewall.
The <a href="starting_and_stopping_shorewall.htm">shorewall start and
restart</a> commands allow you to specify an alternate configuration
directory and Shorewall will use the files in the alternate directory
rather than the corresponding files in /etc/shorewall. The alternate directory
need not contain a complete configuration; those files not in the alternate
directory will be read from /etc/shorewall.</p>
<p> This facility permits you to easily create a test or temporary configuration
by:</p>
<ol>
<li> copying the files that need modification from
/etc/shorewall to a separate directory;</li>
<li> modify those files in the separate directory;
and</li>
<li> specifying the separate directory in a shorewall
start or shorewall restart command (e.g., <i><b>shorewall -c /etc/testconfig
restart</b></i> ).</li>
</ol> </ol>
<p><font size="2"> Updated 11/21/2002 - <a href="support.htm">Tom Eastep</a> <p><font size="2"> Updated 12/20/2002 - <a href="support.htm">Tom Eastep</a>
</font></p> </font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
</p>
<br>
<br>
<br>
<br>
<br> <br>
<br> <br>
</body> </body>

684
Shorewall-docs/download.htm
View File

@ -1,395 +1,387 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<title>Download</title> <title>Download</title>
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Download</font></h1> <h1 align="center"><font color="#ffffff">Shorewall Download</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p><b>I strongly urge you to read and print a copy of the <a <p><b>I strongly urge you to read and print a copy of the <a
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a> href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
for the configuration that most closely matches your own.</b></p> for the configuration that most closely matches your own.<br>
</b></p>
<p>Once you've done that, download <u> one</u> of the modules:</p>
<p>The entire set of Shorewall documentation is available in PDF format at:</p>
<p>    <a href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
    <a href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>
</p>
<p>The documentation in HTML format is included in the .rpm and in the .tgz
packages below.</p>
<p> Once you've done that, download <u> one</u> of the modules:</p>
<ul> <ul>
<li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>, <b> <li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>, <b>
Linux PPC</b> or <b> TurboLinux</b> distribution with a Linux PPC</b> or <b> TurboLinux</b> distribution with
2.4 kernel, you can use the RPM version (note: the RPM should a 2.4 kernel, you can use the RPM version (note: the RPM
also work with other distributions that store init scripts should also work with other distributions that store init
in /etc/init.d and that include chkconfig or insserv). If you scripts in /etc/init.d and that include chkconfig or insserv).
find that it works in other cases, let <a If you find that it works in other cases, let <a
href="mailto:teastep@shorewall.net"> me</a> know so that href="mailto:teastep@shorewall.net"> me</a> know so that
I can mention them here. See the <a href="Install.htm">Installation Instructions</a> I can mention them here. See the <a href="Install.htm">Installation Instructions</a>
if you have problems installing the RPM.</li> if you have problems installing the RPM.</li>
<li>If you are running LRP, download the .lrp file (you might <li>If you are running LRP, download the .lrp file (you might
also want to download the .tgz so you will have a copy of the documentation).</li> also want to download the .tgz so you will have a copy of the documentation).</li>
<li>If you run <a href="http://www.debian.org"><b>Debian</b></a> <li>If you run <a href="http://www.debian.org"><b>Debian</b></a>
and would like a .deb package, Shorewall is in both the <a and would like a .deb package, Shorewall is included in both the
href="http://packages.debian.org/testing/net/shorewall.html">Debian <a href="http://packages.debian.org/testing/net/shorewall.html">Debian
Testing Branch</a> and the <a Testing Branch</a> and the <a
href="http://packages.debian.org/unstable/net/shorewall.html">Debian href="http://packages.debian.org/unstable/net/shorewall.html">Debian
Unstable Branch</a>.</li> Unstable Branch</a>.</li>
<li>Otherwise, download the <i>shorewall</i> module <li>Otherwise, download the <i>shorewall</i>
(.tgz)</li> module (.tgz)</li>
</ul> </ul>
<p>The documentation in HTML format is included in the .tgz and .rpm files <p>The documentation in HTML format is included in the .tgz and .rpm files
and there is an documentation .deb that also contains the documentation.</p> and there is an documentation .deb that also contains the documentation.</p>
<p>Please verify the version that you have downloaded -- during the <p>Please verify the version that you have downloaded -- during the
release of a new version of Shorewall, the links below may point release of a new version of Shorewall, the links below may point
to a newer or an older version than is shown below.</p> to a newer or an older version than is shown below.</p>
<ul> <ul>
<li>RPM - "rpm -qip LATEST.rpm"</li> <li>RPM - "rpm -qip LATEST.rpm"</li>
<li>TARBALL - "tar -ztf LATEST.tgz" (the directory name will <li>TARBALL - "tar -ztf LATEST.tgz" (the directory name
contain the version)</li> will contain the version)</li>
<li>LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar -zxf <li>LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar
&lt;downloaded .lrp&gt;; cat var/lib/lrpkg/shorwall.version" </li> -zxf &lt;downloaded .lrp&gt;; cat var/lib/lrpkg/shorwall.version" </li>
</ul> </ul>
<p><font face="Arial">Once you have verified the version, check the <p><font face="Arial">Once you have verified the version, check the
</font><font color="#ff0000" face="Arial"> <a href="errata.htm"> errata</a></font><font </font><font color="#ff0000" face="Arial"> <a href="errata.htm"> errata</a></font><font
face="Arial"> to see if there are updates that apply to the version face="Arial"> to see if there are updates that apply to the version
that you have downloaded.</font></p> that you have downloaded.</font></p>
<p><font color="#ff0000" face="Arial"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY <p><font color="#ff0000" face="Arial"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY
INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed
configuration of your firewall, you can enable startup by removing the configuration of your firewall, you can enable startup by removing the
file /etc/shorewall/startup_disabled.</b></font></p> file /etc/shorewall/startup_disabled.</b></font></p>
<p><b>Download Latest Version</b> (<b>1.3.10</b>): <b>Remember that updates <p><b>Download Latest Version</b> (<b>1.3.12</b>): <b>Remember that updates
to the mirrors occur 1-12 hours after an update to the primary site.</b></p> to the mirrors occur 1-12 hours after an update to the Washington
State site.</b></p>
<blockquote>
<blockquote>
<table border="2" cellspacing="3" cellpadding="3" <table border="2" cellspacing="3" cellpadding="3"
style="border-collapse: collapse;"> style="border-collapse: collapse;">
<tbody> <tbody>
<tr> <tr>
<td><b>SERVER LOCATION</b></td> <td><b>SERVER LOCATION</b></td>
<td><b>DOMAIN</b></td> <td><b>DOMAIN</b></td>
<td><b>HTTP</b></td> <td><b>HTTP</b></td>
<td><b>FTP</b></td> <td><b>FTP</b></td>
</tr> </tr>
<tr> <tr>
<td valign="top">SourceForge<br> <td valign="top">SourceForge<br>
</td> </td>
<td valign="top">sf.net<br> <td valign="top">sf.net<br>
</td> </td>
<td valign="top"><a <td valign="top"><a
href="http://sourceforge.net/project/showfiles.php?group_id=22587">Download</a><br> href="http://sourceforge.net/project/showfiles.php?group_id=22587">Download</a><br>
</td> </td>
<td valign="top"><br> <td valign="top"><br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td>Slovak Republic</td> <td>Slovak Republic</td>
<td>Shorewall.net</td> <td>Shorewall.net</td>
<td><a <td><a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br> href="http://slovakia.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br>
<a <a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.tgz">Download href="http://slovakia.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br> .tgz</a> <br>
<a <a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.lrp">Download href="http://slovakia.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><br> .lrp</a><br>
<a <a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.md5sums"> href="http://slovakia.shorewall.net/pub/shorewall/LATEST.md5sums">
Download.md5sums</a></td> Download.md5sums</a></td>
<td> <a target="_blank" <td> <a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.rpm">Download href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.rpm">Download
.rpm</a>  <br> .rpm</a>  <br>
<a target="_blank" <a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.tgz">Download href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.tgz">Download
.tgz</a> <br> .tgz</a> <br>
<a target="_blank" <a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.lrp">Download href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.lrp">Download
.rpm</a><br> .rpm</a><br>
<a <a
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.md5sums"> href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.md5sums">
Download.md5sums</a></td> Download.md5sums</a></td>
</tr> </tr>
<tr> <tr>
<td>Texas, USA</td> <td>Texas, USA</td>
<td>Infohiiway.com</td> <td>Infohiiway.com</td>
<td><a <td><a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.rpm">Download href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.rpm">Download
.rpm</a><br> .rpm</a><br>
<a <a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.tgz">Download href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br> .tgz</a> <br>
<a <a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.lrp">Download href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.lrp">Download
.lrp</a><br> .lrp</a><br>
<a <a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.md5sums"> href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.md5sums">
Download.md5sums</a></td> Download.md5sums</a></td>
<td> <a target="_blank" <td> <a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.rpm">Download .rpm</a>  <br> href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.rpm">Download .rpm</a>  <br>
<a target="_blank" <a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.tgz">Download href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br> .tgz</a> <br>
<a target="_blank" <a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.lrp"> Download href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.lrp"> Download
.lrp</a><br> .lrp</a><br>
<a <a
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.md5sums"> href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.md5sums">
Download.md5sums</a></td> Download.md5sums</a></td>
</tr> </tr>
<tr> <tr>
<td>Hamburg, Germany</td> <td>Hamburg, Germany</td>
<td>Shorewall.net</td> <td>Shorewall.net</td>
<td><a <td><a
href="http://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download href="http://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download
.rpm</a><br> .rpm</a><br>
<a <a
href="http://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download href="http://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a><br> .tgz</a><br>
<a <a
href="http://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download href="http://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><br> .lrp</a><br>
<a <a
href="http://germany.shorewall.net/pub/shorewall/LATEST.md5sums"> href="http://germany.shorewall.net/pub/shorewall/LATEST.md5sums">
Download.md5sums</a></td> Download.md5sums</a></td>
<td> <a target="_blank" <td> <a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download href="ftp://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download
.rpm</a>  <br> .rpm</a>  <br>
<a target="_blank" <a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download href="ftp://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.md5sums">Download
.md5sums</a></td>
</tr>
<tr>
<td>Martinez (Zona Norte - GBA), Argentina</td>
<td>Correofuego.com.ar</td>
<td> <a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
<a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
Download .lrp</a><br>
<a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums">Download
.md5sums</a></td>
<td> <a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
<a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
Download .lrp</a><br>
<a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums">Download
.md5sums</a></td>
</tr>
<tr>
<td>Paris, France</td>
<td>Shorewall.net</td>
<td><a href="http://france.shorewall.net/pub/LATEST.rpm">Download
.rpm</a><br>
<a href="http://france.shorewall.net/pub/LATEST.tgz">Download
.tgz</a> <br>
<a href="http://france.shorewall.net/pub/LATEST.lrp">Download
.lrp</a><br>
<a href="http://france.shorewall.net/pub/LATEST.md5sums">Download
.md5sums</a></td>
<td> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
<a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.md5sums">Download
.md5sums</a></td>
</tr>
<tr>
<td valign="middle">Washington State, USA<br>
</td>
<td valign="middle">Shorewall.net<br>
</td>
<td valign="top"><a
href="http://www.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br>
<a
href="http://www.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br> .tgz</a> <br>
<a <a target="_blank"
href="http://www.shorewall.net/pub/shorewall/LATEST.lrp">Download href="ftp://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><br> .lrp</a><br>
<a <a target="_blank"
href="http://www.shorewall.net/pub/shorewall/LATEST.md5sums">Download href="ftp://germany.shorewall.net/pub/shorewall/LATEST.md5sums">Download
.md5sums</a><br> .md5sums</a></td>
</td> </tr>
<td valign="top"><a <tr>
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.rpm" target="_blank"> <td>Martinez (Zona Norte - GBA), Argentina</td>
Download .rpm</a> <br> <td>Correofuego.com.ar</td>
<a <td> <a target="_blank"
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.tgz" target="_blank">Download href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download
.tgz</a> <br> .rpm</a>  <br>
<a <a target="_blank"
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.lrp" target="_blank">Download href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
.lrp</a><br> .tgz</a> <br>
<a target="_blank" <a target="_blank"
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.md5sums">Download href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
.md5sums</a><br> Download .lrp</a><br>
</td> <a target="_blank"
</tr> href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums">Download
.md5sums</a></td>
</tbody> <td> <a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
<a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
Download .lrp</a><br>
<a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums">Download
.md5sums</a></td>
</tr>
<tr>
<td>Paris, France</td>
<td>Shorewall.net</td>
<td><a
href="http://france.shorewall.net/pub/LATEST.rpm">Download .rpm</a><br>
<a
href="http://france.shorewall.net/pub/LATEST.tgz">Download .tgz</a> <br>
<a
href="http://france.shorewall.net/pub/LATEST.lrp">Download .lrp</a><br>
<a
href="http://france.shorewall.net/pub/LATEST.md5sums">Download
.md5sums</a></td>
<td> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
<a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.md5sums">Download
.md5sums</a></td>
</tr>
<tr>
<td valign="middle">Washington State, USA<br>
</td>
<td valign="middle">Shorewall.net<br>
</td>
<td valign="top"><a
href="http://www.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br>
<a
href="http://www.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a
href="http://www.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a
href="http://www.shorewall.net/pub/shorewall/LATEST.md5sums">Download
.md5sums</a><br>
</td>
<td valign="top"><a
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.rpm" target="_blank">
Download .rpm</a> <br>
<a
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.tgz" target="_blank">Download
.tgz</a> <br>
<a
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.lrp" target="_blank">Download
.lrp</a><br>
<a target="_blank"
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.md5sums">Download
.md5sums</a><br>
</td>
</tr>
</tbody>
</table> </table>
</blockquote> </blockquote>
<p align="left"><b>Documentation in PDF format:</b><br>
</p>
<blockquote>
<p>Juraj Ontkanin has produced a Portable Document Format (PDF) file containing
the Shorewall 1.3.10 documenation (the documentation in HTML format is included
in the .rpm and in the .tgz). The .pdf may be downloaded from</p>
</blockquote>
<blockquote>
<blockquote><a
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/"
target="_self">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><a
href="http://slovakia.shorewall.net/pub/shorewall/pdf/"><br>
http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
</blockquote>
</blockquote>
<p><b>Browse Download Sites:</b></p> <p><b>Browse Download Sites:</b></p>
<blockquote> <blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;"> <table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody> <tbody>
<tr> <tr>
<td><b>SERVER LOCATION</b></td> <td><b>SERVER LOCATION</b></td>
<td><b>DOMAIN</b></td> <td><b>DOMAIN</b></td>
<td><b>HTTP</b></td> <td><b>HTTP</b></td>
<td><b>FTP</b></td> <td><b>FTP</b></td>
</tr> </tr>
<tr> <tr>
<td>SourceForge<br> <td>SourceForge<br>
</td> </td>
<td>sf.net</td> <td>sf.net</td>
<td><a <td><a
href="http://sourceforge.net/project/showfiles.php?group_id=22587">Browse</a></td> href="http://sourceforge.net/project/showfiles.php?group_id=22587">Browse</a></td>
<td>N/A</td> <td>N/A</td>
</tr> </tr>
<tr> <tr>
<td>Slovak Republic</td> <td>Slovak Republic</td>
<td>Shorewall.net</td> <td>Shorewall.net</td>
<td><a <td><a
href="http://slovakia.shorewall.net/pub/shorewall/">Browse</a></td> href="http://slovakia.shorewall.net/pub/shorewall/">Browse</a></td>
<td> <a target="_blank" <td> <a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/">Browse</a></td> href="ftp://slovakia.shorewall.net/mirror/shorewall/">Browse</a></td>
</tr> </tr>
<tr> <tr>
<td>Texas, USA</td> <td>Texas, USA</td>
<td>Infohiiway.com</td> <td>Infohiiway.com</td>
<td><a <td><a
href="http://shorewall.infohiiway.com/pub/shorewall">Browse</a></td> href="http://shorewall.infohiiway.com/pub/shorewall">Browse</a></td>
<td><a target="_blank" <td><a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/">Browse</a></td> href="ftp://ftp.infohiiway.com/pub/shorewall/">Browse</a></td>
</tr> </tr>
<tr> <tr>
<td>Hamburg, Germany</td> <td>Hamburg, Germany</td>
<td>Shorewall.net</td> <td>Shorewall.net</td>
<td><a href="http://germany.shorewall.net/pub/shorewall/">Browse</a></td> <td><a
<td><a target="_blank" href="http://germany.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall">Browse</a></td> href="ftp://germany.shorewall.net/pub/shorewall">Browse</a></td>
</tr> </tr>
<tr> <tr>
<td>Martinez (Zona Norte - GBA), Argentina</td> <td>Martinez (Zona Norte - GBA), Argentina</td>
<td>Correofuego.com.ar</td> <td>Correofuego.com.ar</td>
<td><a <td><a
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall">Browse</a></td> href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall">Browse</a></td>
<td> <a target="_blank" <td> <a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall"> Browse</a></td> href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall"> Browse</a></td>
</tr> </tr>
<tr> <tr>
<td>France</td> <td>France</td>
<td>Shorewall.net</td> <td>Shorewall.net</td>
<td><a <td><a
href="http://france.shorewall.net/pub/shorewall/LATEST.lrp">Browse</a></td> href="http://france.shorewall.net/pub/shorewall/LATEST.lrp">Browse</a></td>
<td> <a target="_blank" <td> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/">Browse</a></td> href="ftp://france.shorewall.net/pub/mirrors/shorewall/">Browse</a></td>
</tr> </tr>
<tr> <tr>
<td>Washington State, USA</td> <td>Washington State, USA</td>
<td>Shorewall.net</td> <td>Shorewall.net</td>
<td><a href="http://www.shorewall.net/pub/shorewall/">Browse</a></td> <td><a
<td><a href="ftp://ftp.shorewall.net/pub/shorewall/" href="http://www.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a href="ftp://ftp.shorewall.net/pub/shorewall/"
target="_blank">Browse</a></td> target="_blank">Browse</a></td>
</tr> </tr>
</tbody>
</tbody>
</table> </table>
</blockquote> </blockquote>
<p align="left"><b>CVS:</b></p> <p align="left"><b>CVS:</b></p>
<blockquote> <blockquote>
<p align="left">The <a target="_top" <p align="left">The <a target="_top"
href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi">CVS repository at href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi">CVS repository at
cvs.shorewall.net</a> contains the latest snapshots of the each Shorewall cvs.shorewall.net</a> contains the latest snapshots of the each Shorewall
component. There's no guarantee that what you find there will work at component. There's no guarantee that what you find there will work at
all.<br> all.<br>
</p> </p>
</blockquote> </blockquote>
<p align="left"><b></b><font size="2">Last Updated 11/11/2002 - <a <p align="left"><font size="2">Last Updated 12/12/2002 - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
<br> </p>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br> <br>
</body> </body>
</html> </html>

687
Shorewall-docs/errata.htm
View File

@ -1,175 +1,214 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shorewall 1.3 Errata</title> <title>Shorewall 1.3 Errata</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1> <h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p align="center"> <b><u>IMPORTANT</u></b></p> <p align="center"> <b><u>IMPORTANT</u></b></p>
<ol> <ol>
<li> <li>
<p align="left"> <b><u>I</u>f you use a Windows system to download <p align="left"> <b><u>I</u>f you use a Windows system to download
a corrected script, be sure to run the script through <u> a corrected script, be sure to run the script through <u>
<a href="http://www.megaloman.com/%7Ehany/software/hd2u/" <a href="http://www.megaloman.com/%7Ehany/software/hd2u/"
style="text-decoration: none;"> dos2unix</a></u> after you have moved style="text-decoration: none;"> dos2unix</a></u> after you have moved
it to your Linux system.</b></p> it to your Linux system.</b></p>
</li> </li>
<li> <li>
<p align="left"> <b>If you are installing Shorewall for the <p align="left"> <b>If you are installing Shorewall for the
first time and plan to use the .tgz and install.sh script, you can first time and plan to use the .tgz and install.sh script, you can
untar the archive, replace the 'firewall' script in the untarred directory untar the archive, replace the 'firewall' script in the untarred directory
with the one you downloaded below, and then run install.sh.</b></p> with the one you downloaded below, and then run install.sh.</b></p>
</li> </li>
<li> <li>
<p align="left"> <b>When the instructions say to install a corrected <p align="left"> <b>When the instructions say to install a corrected
firewall script in /etc/shorewall/firewall, /usr/lib/shorewall/firewall firewall script in /etc/shorewall/firewall, /usr/lib/shorewall/firewall
or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to overwrite or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to
the existing file. DO NOT REMOVE OR RENAME THE OLD /etc/shorewall/firewall overwrite the existing file. DO NOT REMOVE OR RENAME THE OLD
or /var/lib/shorewall/firewall before you do that. /etc/shorewall/firewall /etc/shorewall/firewall or /var/lib/shorewall/firewall before
and /var/lib/shorewall/firewall are symbolic links that point you do that. /etc/shorewall/firewall and /var/lib/shorewall/firewall
to the 'shorewall' file used by your system initialization scripts are symbolic links that point to the 'shorewall' file used by your
to start Shorewall during boot. It is that file that must be overwritten system initialization scripts to start Shorewall during boot.
with the corrected script.</b></p> It is that file that must be overwritten with the corrected
</li> script.</b></p>
<li> </li>
<li>
<p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS <p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. For ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. For
example, do NOT install the 1.3.9a firewall script if you are running 1.3.7c.</font></b><br> example, do NOT install the 1.3.9a firewall script if you are running 1.3.7c.</font></b><br>
</p> </p>
</li> </li>
</ol> </ol>
<ul> <ul>
<li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li> <li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
<li> <b><a href="#V1.3">Problems in <li> <b><a href="#V1.3">Problems
Version 1.3</a></b></li> in Version 1.3</a></b></li>
<li> <b><a href="errata_2.htm">Problems <li> <b><a
in Version 1.2</a></b></li> href="errata_2.htm">Problems in Version 1.2</a></b></li>
<li> <b><font color="#660066"> <a <li> <b><font color="#660066">
href="errata_1.htm">Problems in Version 1.1</a></font></b></li> <a href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
<li> <b><font color="#660066"><a <li> <b><font color="#660066"><a
href="#iptables"> Problem with iptables version 1.2.3 on RH7.2</a></font></b></li> href="#iptables"> Problem with iptables version 1.2.3 on RH7.2</a></font></b></li>
<li> <b><a href="#Debug">Problems <li> <b><a href="#Debug">Problems
with kernels &gt;= 2.4.18 and RedHat iptables</a></b></li> with kernels &gt;= 2.4.18 and RedHat iptables</a></b></li>
<li><b><a href="#SuSE">Problems installing/upgrading RPM on SuSE</a></b></li> <li><b><a href="#SuSE">Problems installing/upgrading RPM
<li><b><a href="#Multiport">Problems with iptables version 1.2.7 on SuSE</a></b></li>
and MULTIPORT=Yes</a></b></li> <li><b><a href="#Multiport">Problems with iptables version
<li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10 and NAT</a></b><br> 1.2.7 and MULTIPORT=Yes</a></b></li>
</li> <li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10 and NAT</a></b><br>
</li>
</ul> </ul>
<hr> <hr>
<h2 align="left"><a name="V1.3"></a>Problems in Version 1.3</h2> <h2 align="left"><a name="V1.3"></a>Problems in Version 1.3</h2>
<h3>Version 1.3.10</h3> <h3>Version 1.3.11a</h3>
<ul> <ul>
<li>If you experience problems connecting to a PPTP server running on <li><a
your firewall and you have a 'pptpserver' entry in /etc/shorewall/tunnels, href="http://www.shorewall.net/pub/shorewall/errata/1.3.11/rfc1918">This
<a copy of /etc/shorewall/rfc1918</a> reflects the recent allocation of 82.0.0.0/8.<br>
href="http://www.shorewall.net/pub/shorewall/errata/1.3.10/firewall">this </li>
version of the firewall script</a> may help. Please report any cases where
installing this script in /usr/lib/shorewall/firewall solved your connection
problems. Beginning with version 1.3.10, it is safe to save the old version
of /usr/lib/shorewall/firewall before copying in the new one since /usr/lib/shorewall/firewall
is the real script now and not just a symbolic link to the real script.<br>
</li>
</ul> </ul>
<h3>Version 1.3.11</h3>
<h3>Version 1.3.9a</h3>
<ul> <ul>
<li> If entries are used in /etc/shorewall/hosts and MERGE_HOSTS=No then <li>When installing/upgrading using the .rpm, you may receive the following
the following message appears during "shorewall [re]start":</li> warnings:<br>
<br>
     user teastep does not exist - using root<br>
     group teastep does not exist - using root<br>
<br>
These warnings are harmless and may be ignored. Users downloading the
.rpm from shorewall.net or mirrors should no longer see these warnings as
the .rpm you will get from there has been corrected.</li>
<li>DNAT rules that exclude a source subzone (SOURCE column contains
! followed by a sub-zone list) result in an error message and Shorewall
fails to start.<br>
<br>
Install <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.11/firewall">this
corrected script</a> in /usr/lib/shorewall/firewall to correct this problem.
Thanks go to Roger Aich who analyzed this problem and provided a fix.<br>
<br>
This problem is corrected in version 1.3.11a.<br>
</li>
</ul> </ul>
<h3>Version 1.3.10</h3>
<ul>
<li>If you experience problems connecting to a PPTP server running
on your firewall and you have a 'pptpserver' entry in /etc/shorewall/tunnels,
<a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.10/firewall">this
version of the firewall script</a> may help. Please report any cases where
installing this script in /usr/lib/shorewall/firewall solved your connection
problems. Beginning with version 1.3.10, it is safe to save the old version
of /usr/lib/shorewall/firewall before copying in the new one since /usr/lib/shorewall/firewall
is the real script now and not just a symbolic link to the real script.<br>
</li>
</ul>
<h3>Version 1.3.9a</h3>
<ul>
<li> If entries are used in /etc/shorewall/hosts and MERGE_HOSTS=No
then the following message appears during "shorewall [re]start":</li>
</ul>
<pre> recalculate_interfacess: command not found<br></pre> <pre> recalculate_interfacess: command not found<br></pre>
<blockquote> The updated firewall script at <a <blockquote> The updated firewall script at <a
href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall" href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a> target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
corrects this problem.Copy the script to /usr/lib/shorewall/firewall as described corrects this problem.Copy the script to /usr/lib/shorewall/firewall as
above.<br> described above.<br>
</blockquote> </blockquote>
<blockquote> Alternatively, edit /usr/lob/shorewall/firewall and change the <blockquote> Alternatively, edit /usr/lob/shorewall/firewall and change the
single occurence (line 483 in version 1.3.9a) of 'recalculate_interefacess' single occurence (line 483 in version 1.3.9a) of 'recalculate_interefacess'
to 'recalculate_interface'. <br> to 'recalculate_interface'. <br>
</blockquote> </blockquote>
<ul> <ul>
<li>The installer (install.sh) issues a misleading message "Common functions <li>The installer (install.sh) issues a misleading message "Common
installed in /var/lib/shorewall/functions" whereas the file is installed functions installed in /var/lib/shorewall/functions" whereas the file
in /usr/lib/shorewall/functions. The installer also performs incorrectly is installed in /usr/lib/shorewall/functions. The installer also performs
when updating old configurations that had the file /etc/shorewall/functions. incorrectly when updating old configurations that had the file /etc/shorewall/functions.
<a <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.3.9/install.sh">Here href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.3.9/install.sh">Here
is an updated version that corrects these problems.<br> is an updated version that corrects these problems.<br>
</a></li> </a></li>
</ul> </ul>
<h3>Version 1.3.9</h3> <h3>Version 1.3.9</h3>
<b>TUNNELS Broken in 1.3.9!!! </b>There is an updated firewall script <b>TUNNELS Broken in 1.3.9!!! </b>There is an updated firewall script
at <a at <a
href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall" href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a> target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
-- copy that file to /usr/lib/shorewall/firewall as described above.<br> -- copy that file to /usr/lib/shorewall/firewall as described above.<br>
<br> <br>
Version 1.3.8 Version 1.3.8
<ul> <ul>
<li> Use of shell variables in the LOG LEVEL or SYNPARMS columns <li> Use of shell variables in the LOG LEVEL or SYNPARMS columns
of the policy file doesn't work.</li> of the policy file doesn't work.</li>
<li>A DNAT rule with the same original and new IP addresses but <li>A DNAT rule with the same original and new IP addresses
with different port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24 but with different port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24
tcp 25 - 10.1.1.1")<br> tcp 25 - 10.1.1.1")<br>
</li> </li>
</ul> </ul>
Installing <a Installing <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.8/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.8/firewall">
this corrected firewall script</a> in /var/lib/shorewall/firewall this corrected firewall script</a> in /var/lib/shorewall/firewall
as described above corrects these problems. as described above corrects these problems.
<h3>Version 1.3.7b</h3> <h3>Version 1.3.7b</h3>
<p>DNAT rules where the source zone is 'fw' ($FW) <p>DNAT rules where the source zone is 'fw' ($FW)
result in an error message. Installing result in an error message. Installing
<a <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
this corrected firewall script</a> in /var/lib/shorewall/firewall this corrected firewall script</a> in /var/lib/shorewall/firewall
as described above corrects this problem.</p> as described above corrects this problem.</p>
<h3>Version 1.3.7a</h3> <h3>Version 1.3.7a</h3>
<p>"shorewall refresh" is not creating the proper <p>"shorewall refresh" is not creating the proper
rule for FORWARDPING=Yes. Consequently, after rule for FORWARDPING=Yes. Consequently, after
"shorewall refresh", the firewall will not forward "shorewall refresh", the firewall will not forward
@ -177,353 +216,349 @@ tcp 25 - 10.1.1.1")<br>
<a <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
this corrected firewall script</a> in /var/lib/shorewall/firewall this corrected firewall script</a> in /var/lib/shorewall/firewall
as described above corrects this problem.</p> as described above corrects this problem.</p>
<h3>Version &lt;= 1.3.7a</h3> <h3>Version &lt;= 1.3.7a</h3>
<p>If "norfc1918" and "dhcp" are both specified as <p>If "norfc1918" and "dhcp" are both specified as
options on a given interface then RFC 1918 options on a given interface then RFC 1918
checking is occurring before DHCP checking. This checking is occurring before DHCP checking. This
means that if a DHCP client broadcasts using an means that if a DHCP client broadcasts using an
RFC 1918 source address, then the firewall will RFC 1918 source address, then the firewall will
reject the broadcast (usually logging it). This reject the broadcast (usually logging it). This
has two problems:</p> has two problems:</p>
<ol> <ol>
<li>If the firewall is running a <li>If the firewall is running
DHCP server, the client won't be able a DHCP server, the client won't be able
to obtain an IP address lease from that to obtain an IP address lease from
server.</li> that server.</li>
<li>With this order of checking, <li>With this order of checking,
the "dhcp" option cannot be used as a the "dhcp" option cannot be used as
noise-reduction measure where there are a noise-reduction measure where there
both dynamic and static clients on a LAN are both dynamic and static clients on
segment.</li> a LAN segment.</li>
</ol> </ol>
<p> <a <p> <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
This version of the 1.3.7a firewall script </a> This version of the 1.3.7a firewall script </a>
corrects the problem. It must be installed corrects the problem. It must be installed
in /var/lib/shorewall as described above.</p> in /var/lib/shorewall as described above.</p>
<h3>Version 1.3.7</h3> <h3>Version 1.3.7</h3>
<p>Version 1.3.7 dead on arrival -- please use <p>Version 1.3.7 dead on arrival -- please use
version 1.3.7a and check your version against version 1.3.7a and check your version against
these md5sums -- if there's a difference, please these md5sums -- if there's a difference, please
download again.</p> download again.</p>
<pre> d2fffb7fb99bcc6cb047ea34db1df10 shorewall-1.3.7a.tgz<br> 6a7fd284c8685b2b471a2f47b469fb94 shorewall-1.3.7a-1.noarch.rpm<br> 3decd14296effcff16853106771f7035 shorwall-1.3.7a.lrp</pre> <pre> d2fffb7fb99bcc6cb047ea34db1df10 shorewall-1.3.7a.tgz<br> 6a7fd284c8685b2b471a2f47b469fb94 shorewall-1.3.7a-1.noarch.rpm<br> 3decd14296effcff16853106771f7035 shorwall-1.3.7a.lrp</pre>
<p>In other words, type "md5sum &lt;<i>whatever package you downloaded</i>&gt; <p>In other words, type "md5sum &lt;<i>whatever package you downloaded</i>&gt;
and compare the result with what you see above.</p> and compare the result with what you see above.</p>
<p>I'm embarrassed to report that 1.2.7 was also DOA -- maybe I'll skip the <p>I'm embarrassed to report that 1.2.7 was also DOA -- maybe I'll skip the
.7 version in each sequence from now on.</p> .7 version in each sequence from now on.</p>
<h3 align="left">Version 1.3.6</h3> <h3 align="left">Version 1.3.6</h3>
<ul> <ul>
<li> <li>
<p align="left">If ADD_SNAT_ALIASES=Yes is specified in /etc/shorewall/shorewall.conf, <p align="left">If ADD_SNAT_ALIASES=Yes is specified in /etc/shorewall/shorewall.conf,
an error occurs when the firewall script attempts to add an an error occurs when the firewall script attempts to add
SNAT alias. </p> an SNAT alias. </p>
</li> </li>
<li> <li>
<p align="left">The <b>logunclean </b>and <b>dropunclean</b> options <p align="left">The <b>logunclean </b>and <b>dropunclean</b> options
cause errors during startup when Shorewall is run with iptables cause errors during startup when Shorewall is run with iptables
1.2.7. </p> 1.2.7. </p>
</li> </li>
</ul> </ul>
<p align="left">These problems are fixed in <a <p align="left">These problems are fixed in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
this correct firewall script</a> which must be installed in this correct firewall script</a> which must be installed in
/var/lib/shorewall/ as described above. These problems are also /var/lib/shorewall/ as described above. These problems are also
corrected in version 1.3.7.</p> corrected in version 1.3.7.</p>
<h3 align="left">Two-interface Samples 1.3.6 (file two-interfaces.tgz)</h3> <h3 align="left">Two-interface Samples 1.3.6 (file two-interfaces.tgz)</h3>
<p align="left">A line was inadvertently deleted from the "interfaces <p align="left">A line was inadvertently deleted from the "interfaces
file" -- this line should be added back in if the version that you file" -- this line should be added back in if the version that you
downloaded is missing it:</p> downloaded is missing it:</p>
<p align="left">net    eth0    detect    routefilter,dhcp,norfc1918</p> <p align="left">net    eth0    detect    routefilter,dhcp,norfc1918</p>
<p align="left">If you downloaded two-interfaces-a.tgz then the above <p align="left">If you downloaded two-interfaces-a.tgz then the above
line should already be in the file.</p> line should already be in the file.</p>
<h3 align="left">Version 1.3.5-1.3.5b</h3> <h3 align="left">Version 1.3.5-1.3.5b</h3>
<p align="left">The new 'proxyarp' interface option doesn't work :-( <p align="left">The new 'proxyarp' interface option doesn't work :-(
This is fixed in <a This is fixed in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">
this corrected firewall script</a> which must be installed in this corrected firewall script</a> which must be installed in
/var/lib/shorewall/ as described above.</p> /var/lib/shorewall/ as described above.</p>
<h3 align="left">Versions 1.3.4-1.3.5a</h3> <h3 align="left">Versions 1.3.4-1.3.5a</h3>
<p align="left">Prior to version 1.3.4, host file entries such as the <p align="left">Prior to version 1.3.4, host file entries such as the
following were allowed:</p> following were allowed:</p>
<div align="left"> <div align="left">
<pre> adm eth0:1.2.4.5,eth0:5.6.7.8</pre> <pre> adm eth0:1.2.4.5,eth0:5.6.7.8</pre>
</div> </div>
<div align="left"> <div align="left">
<p align="left">That capability was lost in version 1.3.4 so that it is only <p align="left">That capability was lost in version 1.3.4 so that it is only
possible to  include a single host specification on each line. This possible to  include a single host specification on each line.
problem is corrected by <a This problem is corrected by <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.5a/firewall">this href="http://www.shorewall.net/pub/shorewall/errata/1.3.5a/firewall">this
modified 1.3.5a firewall script</a>. Install the script in /var/lib/pub/shorewall/firewall modified 1.3.5a firewall script</a>. Install the script in /var/lib/pub/shorewall/firewall
as instructed above.</p> as instructed above.</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left">This problem is corrected in version 1.3.5b.</p> <p align="left">This problem is corrected in version 1.3.5b.</p>
</div> </div>
<h3 align="left">Version 1.3.5</h3> <h3 align="left">Version 1.3.5</h3>
<p align="left">REDIRECT rules are broken in this version. Install <p align="left">REDIRECT rules are broken in this version. Install
<a <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">
this corrected firewall script</a> in /var/lib/pub/shorewall/firewall this corrected firewall script</a> in /var/lib/pub/shorewall/firewall
as instructed above. This problem is corrected in version as instructed above. This problem is corrected in version
1.3.5a.</p> 1.3.5a.</p>
<h3 align="left">Version 1.3.n, n &lt; 4</h3> <h3 align="left">Version 1.3.n, n &lt; 4</h3>
<p align="left">The "shorewall start" and "shorewall restart" commands <p align="left">The "shorewall start" and "shorewall restart" commands
to not verify that the zones named in the /etc/shorewall/policy to not verify that the zones named in the /etc/shorewall/policy
file have been previously defined in the /etc/shorewall/zones file have been previously defined in the /etc/shorewall/zones
file. The "shorewall check" command does perform this verification file. The "shorewall check" command does perform this verification
so it's a good idea to run that command after you have made configuration so it's a good idea to run that command after you have made configuration
changes.</p> changes.</p>
<h3 align="left">Version 1.3.n, n &lt; 3</h3> <h3 align="left">Version 1.3.n, n &lt; 3</h3>
<p align="left">If you have upgraded from Shorewall 1.2 and after <p align="left">If you have upgraded from Shorewall 1.2 and after
"Activating rules..." you see the message: "iptables: No chains/target/match "Activating rules..." you see the message: "iptables: No chains/target/match
by that name" then you probably have an entry in /etc/shorewall/hosts by that name" then you probably have an entry in /etc/shorewall/hosts
that specifies an interface that you didn't include in /etc/shorewall/interfaces. that specifies an interface that you didn't include in /etc/shorewall/interfaces.
To correct this problem, you must add an entry to /etc/shorewall/interfaces. To correct this problem, you must add an entry to /etc/shorewall/interfaces.
Shorewall 1.3.3 and later versions produce a clearer error Shorewall 1.3.3 and later versions produce a clearer error
message in this case.</p> message in this case.</p>
<h3 align="left">Version 1.3.2</h3> <h3 align="left">Version 1.3.2</h3>
<p align="left">Until approximately 2130 GMT on 17 June 2002, the <p align="left">Until approximately 2130 GMT on 17 June 2002, the
download sites contained an incorrect version of the .lrp file. That download sites contained an incorrect version of the .lrp file. That
file can be identified by its size (56284 bytes). The correct file can be identified by its size (56284 bytes). The correct
version has a size of 38126 bytes.</p> version has a size of 38126 bytes.</p>
<ul> <ul>
<li>The code to detect a duplicate interface entry in <li>The code to detect a duplicate interface entry
/etc/shorewall/interfaces contained a typo that prevented it in /etc/shorewall/interfaces contained a typo that prevented
from working correctly. </li> it from working correctly. </li>
<li>"NAT_BEFORE_RULES=No" was broken; it behaved just <li>"NAT_BEFORE_RULES=No" was broken; it behaved
like "NAT_BEFORE_RULES=Yes".</li> just like "NAT_BEFORE_RULES=Yes".</li>
</ul> </ul>
<p align="left">Both problems are corrected in <a <p align="left">Both problems are corrected in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/firewall">
this script</a> which should be installed in <b><u>/var/lib/shorewall</u></b> this script</a> which should be installed in <b><u>/var/lib/shorewall</u></b>
as described above.</p> as described above.</p>
<ul> <ul>
<li> <li>
<p align="left">The IANA have just announced the allocation of subnet <p align="left">The IANA have just announced the allocation of subnet
221.0.0.0/8. This <a 221.0.0.0/8. This <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/rfc1918"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/rfc1918">
updated rfc1918</a> file reflects that allocation.</p> updated rfc1918</a> file reflects that allocation.</p>
</li> </li>
</ul> </ul>
<h3 align="left">Version 1.3.1</h3> <h3 align="left">Version 1.3.1</h3>
<ul> <ul>
<li>TCP SYN packets may be double counted when <li>TCP SYN packets may be double counted when
LIMIT:BURST is included in a CONTINUE or ACCEPT policy (i.e., each LIMIT:BURST is included in a CONTINUE or ACCEPT policy (i.e.,
packet is sent through the limit chain twice).</li> each packet is sent through the limit chain twice).</li>
<li>An unnecessary jump to the policy chain is sometimes <li>An unnecessary jump to the policy chain is sometimes
generated for a CONTINUE policy.</li> generated for a CONTINUE policy.</li>
<li>When an option is given for more than one interface <li>When an option is given for more than one interface
in /etc/shorewall/interfaces then depending on the option, in /etc/shorewall/interfaces then depending on the option,
Shorewall may ignore all but the first appearence of the Shorewall may ignore all but the first appearence of the
option. For example:<br> option. For example:<br>
<br> <br>
net    eth0    dhcp<br> net    eth0    dhcp<br>
loc    eth1    dhcp<br> loc    eth1    dhcp<br>
<br> <br>
Shorewall will ignore the 'dhcp' on eth1.</li> Shorewall will ignore the 'dhcp' on eth1.</li>
<li>Update 17 June 2002 - The bug described in the prior <li>Update 17 June 2002 - The bug described in the
bullet affects the following options: dhcp, dropunclean, logunclean, prior bullet affects the following options: dhcp, dropunclean,
norfc1918, routefilter, multi, filterping and noping. An logunclean, norfc1918, routefilter, multi, filterping and
additional bug has been found that affects only the 'routestopped' noping. An additional bug has been found that affects only
option.<br> the 'routestopped' option.<br>
<br> <br>
Users who downloaded the corrected script prior to 1850 Users who downloaded the corrected script prior
GMT today should download and install the corrected script to 1850 GMT today should download and install the corrected
again to ensure that this second problem is corrected.</li> script again to ensure that this second problem is corrected.</li>
</ul> </ul>
<p align="left">These problems are corrected in <a <p align="left">These problems are corrected in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.1/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.1/firewall">
this firewall script</a> which should be installed in /etc/shorewall/firewall this firewall script</a> which should be installed in /etc/shorewall/firewall
as described above.</p> as described above.</p>
<h3 align="left">Version 1.3.0</h3> <h3 align="left">Version 1.3.0</h3>
<ul> <ul>
<li>Folks who downloaded 1.3.0 from the links on the <li>Folks who downloaded 1.3.0 from the links on
download page before 23:40 GMT, 29 May 2002 may have downloaded the download page before 23:40 GMT, 29 May 2002 may have
1.2.13 rather than 1.3.0. The "shorewall version" command downloaded 1.2.13 rather than 1.3.0. The "shorewall version"
will tell you which version that you have installed.</li> command will tell you which version that you have installed.</li>
<li>The documentation NAT.htm file uses non-existent <li>The documentation NAT.htm file uses non-existent
wallpaper and bullet graphic files. The <a wallpaper and bullet graphic files. The <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.0/NAT.htm"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.0/NAT.htm">
corrected version is here</a>.</li> corrected version is here</a>.</li>
</ul> </ul>
<hr> <hr>
<h2 align="left"><a name="Upgrade"></a>Upgrade Issues</h2> <h2 align="left"><a name="Upgrade"></a>Upgrade Issues</h2>
<p align="left">The upgrade issues have moved to <a <p align="left">The upgrade issues have moved to <a
href="upgrade_issues.htm">a separate page</a>.</p> href="upgrade_issues.htm">a separate page</a>.</p>
<hr> <hr>
<h3 align="left"><a name="iptables"></a><font color="#660066"> Problem with <h3 align="left"><a name="iptables"></a><font color="#660066"> Problem with
iptables version 1.2.3</font></h3> iptables version 1.2.3</font></h3>
<blockquote> <blockquote>
<p align="left">There are a couple of serious bugs in iptables 1.2.3 that <p align="left">There are a couple of serious bugs in iptables 1.2.3 that
prevent it from working with Shorewall. Regrettably, RedHat released prevent it from working with Shorewall. Regrettably, RedHat
this buggy iptables in RedHat 7.2. </p> released this buggy iptables in RedHat 7.2. </p>
<p align="left"> I have built a <a <p align="left"> I have built a <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm"> href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
corrected 1.2.3 rpm which you can download here</a>  and I have also corrected 1.2.3 rpm which you can download here</a>  and I have also
built an <a built an <a
href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm"> href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
iptables-1.2.4 rpm which you can download here</a>. If you are currently iptables-1.2.4 rpm which you can download here</a>. If you are currently
running RedHat 7.1, you can install either of these RPMs <b><u>before</u> running RedHat 7.1, you can install either of these RPMs
</b>you upgrade to RedHat 7.2.</p> <b><u>before</u> </b>you upgrade to RedHat 7.2.</p>
<p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat <p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat
has released an iptables-1.2.4 RPM of their own which you can download has released an iptables-1.2.4 RPM of their own which you can download
from<font color="#ff6633"> <a from<font color="#ff6633"> <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>. href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
</font>I have installed this RPM on my firewall and it works fine.</p> </font>I have installed this RPM on my firewall and it works fine.</p>
<p align="left">If you would like to patch iptables 1.2.3 yourself, <p align="left">If you would like to patch iptables 1.2.3 yourself,
the patches are available for download. This <a the patches are available for download. This <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a> href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
which corrects a problem with parsing of the --log-level specification which corrects a problem with parsing of the --log-level specification
while this <a while this <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a> href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
corrects a problem in handling the  TOS target.</p> corrects a problem in handling the  TOS target.</p>
<p align="left">To install one of the above patches:</p> <p align="left">To install one of the above patches:</p>
<ul> <ul>
<li>cd iptables-1.2.3/extensions</li> <li>cd iptables-1.2.3/extensions</li>
<li>patch -p0 &lt; <i>the-patch-file</i></li> <li>patch -p0 &lt; <i>the-patch-file</i></li>
</ul> </ul>
</blockquote> </blockquote>
<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18 <h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18
and RedHat iptables</h3> and RedHat iptables</h3>
<blockquote> <blockquote>
<p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19 <p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19
may experience the following:</p> may experience the following:</p>
<blockquote> <blockquote>
<pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre> <pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre>
</blockquote> </blockquote>
<p>The RedHat iptables RPM is compiled with debugging enabled but the <p>The RedHat iptables RPM is compiled with debugging enabled but the
user-space debugging code was not updated to reflect recent changes in user-space debugging code was not updated to reflect recent changes in
the Netfilter 'mangle' table. You can correct the problem by installing the Netfilter 'mangle' table. You can correct the problem by installing
<a <a
href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm"> href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
this iptables RPM</a>. If you are already running a 1.2.5 version of this iptables RPM</a>. If you are already running a 1.2.5 version
iptables, you will need to specify the --oldpackage option to rpm (e.g., of iptables, you will need to specify the --oldpackage option to rpm
"iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p> (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
</blockquote> </blockquote>
<h3><a name="SuSE"></a>Problems installing/upgrading <h3><a name="SuSE"></a>Problems installing/upgrading
RPM on SuSE</h3> RPM on SuSE</h3>
<p>If you find that rpm complains about a conflict <p>If you find that rpm complains about a conflict
with kernel &lt;= 2.2 yet you have a 2.4 kernel with kernel &lt;= 2.2 yet you have a 2.4 kernel
installed, simply use the "--nodeps" option to installed, simply use the "--nodeps" option to
rpm.</p> rpm.</p>
<p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p> <p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<p>Upgrading: rpm -Uvh --nodeps <i>&lt;shorewall rpm&gt;</i></p> <p>Upgrading: rpm -Uvh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<h3><a name="Multiport"></a><b>Problems with <h3><a name="Multiport"></a><b>Problems with
iptables version 1.2.7 and MULTIPORT=Yes</b></h3> iptables version 1.2.7 and MULTIPORT=Yes</b></h3>
<p>The iptables 1.2.7 release of iptables has made <p>The iptables 1.2.7 release of iptables has made
an incompatible change to the syntax used to an incompatible change to the syntax used to
specify multiport match rules; as a consequence, specify multiport match rules; as a consequence,
if you install iptables 1.2.7 you must be running if you install iptables 1.2.7 you must be running
Shorewall 1.3.7a or later or:</p> Shorewall 1.3.7a or later or:</p>
<ul> <ul>
<li>set MULTIPORT=No in <li>set MULTIPORT=No in
/etc/shorewall/shorewall.conf; or </li> /etc/shorewall/shorewall.conf; or </li>
<li>if you are running Shorewall <li>if you are running Shorewall
1.3.6 you may install 1.3.6 you may install
<a <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
this firewall script</a> in /var/lib/shorewall/firewall this firewall script</a> in /var/lib/shorewall/firewall
as described above.</li> as described above.</li>
</ul> </ul>
<h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br> <h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br>
</h3> </h3>
/etc/shorewall/nat entries of the following form will result in Shorewall /etc/shorewall/nat entries of the following form will result in Shorewall
being unable to start:<br> being unable to start:<br>
<br>
<pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22    eth0    192.168.9.22   yes     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
Error message is:<br>
<pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
The solution is to put "no" in the LOCAL column. Kernel support for LOCAL=yes
has never worked properly and 2.4.18-10 has disabled it. The 2.4.19 kernel
contains corrected support under a new kernel configuraiton option; see
<a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
<p><font size="2"> Last updated 11/24/2002 -
<a href="support.htm">Tom Eastep</a></font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br> <br>
<br>
<br> <pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22    eth0    192.168.9.22   yes     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<br> Error message is:<br>
<br>
<pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
The solution is to put "no" in the LOCAL column. Kernel support for
LOCAL=yes has never worked properly and 2.4.18-10 has disabled it. The
2.4.19 kernel contains corrected support under a new kernel configuraiton
option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
<p><font size="2"> Last updated 12/3/2002 -
<a href="support.htm">Tom Eastep</a></font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
</p>
<br> <br>
<br> <br>
<br> <br>

BIN
Shorewall-docs/images/MDKlinux.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 15 KiB

BIN
Shorewall-docs/images/courier-imap.png Normal file
View File

Binary file not shown.

BIN
Shorewall-docs/images/logo2.png Normal file
View File

Binary file not shown.

BIN
Shorewall-docs/images/medbutton.png Normal file
View File

Binary file not shown.

BIN
Shorewall-docs/images/obrasinf.gif Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 7.1 KiB

253
Shorewall-docs/mailing_list.htm
View File

@ -1,99 +1,124 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Mailing Lists</title> <title>Shorewall Mailing Lists</title>
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
<table height="90" bgcolor="#400169" id="AutoNumber1" width="100%" <table height="90" bgcolor="#400169" id="AutoNumber1" width="100%"
style="border-collapse: collapse;" cellspacing="0" cellpadding="0" style="border-collapse: collapse;" cellspacing="0" cellpadding="0"
border="0"> border="0">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><a <h1 align="center"><a
href="http://www.centralcommand.com/linux_products.html"><img href="http://www.centralcommand.com/linux_products.html"><img
src="images/Vexira_Antivirus_Logo.gif" alt="Vexira Logo" width="78" src="images/Vexira_Antivirus_Logo.gif" alt="Vexira Logo" width="78"
height="79" align="left"> height="79" align="left">
</a><a href="http://www.gnu.org/software/mailman/mailman.html"> </a><a href="http://www.gnu.org/software/mailman/mailman.html">
<img border="0" src="images/logo-sm.jpg" align="left" hspace="5" <img border="0" src="images/logo-sm.jpg" align="left" hspace="5"
width="110" height="35"> width="110" height="35">
</a><a href="http://www.postfix.org/"> <img </a><a href="http://www.postfix.org/"> <img
src="images/small-picture.gif" align="right" border="0" width="115" src="images/small-picture.gif" align="right" border="0" width="115"
height="45"> height="45">
</a><font color="#ffffff">Shorewall Mailing Lists</font></h1> </a><font color="#ffffff">Shorewall Mailing Lists<a
href="http://www.inter7.com/courierimap/"><img
src="images/courier-imap.png" alt="Courier-Imap" width="100"
height="38" align="right">
</a></font></h1>
<p align="right"><font color="#ffffff"><b><br> <p align="right"><font color="#ffffff"><b><br>
Powered by Postfix      </b></font> </p> </b></font></p>
</td>
</tr> <p align="right"><font color="#ffffff"><b><br>
Powered by Postfix     </b></font> </p>
</tbody> </td>
</tr>
</tbody>
</table> </table>
<p align="left"> <b>Note: </b>The list server limits posts to 120kb.</p> <p align="left"> <b>Note: </b>The list server limits posts to 120kb.</p>
<h2 align="left">Not getting List Mail? -- <a <h2 align="left">Not getting List Mail? -- <a
href="mailing_list_problems.htm">Check Here</a></h2> href="mailing_list_problems.htm">Check Here</a></h2>
<p align="left">If you experience problems with any of these lists, please <p align="left">If you experience problems with any of these lists, please
let <a href="mailto:teastep@shorewall.net">me</a> know</p> let <a href="mailto:teastep@shorewall.net">me</a> know</p>
<h2 align="left">Not able to Post Mail to shorewall.net?</h2> <h2 align="left">Not able to Post Mail to shorewall.net?</h2>
<p align="left">You can report such problems by sending mail to tom dot eastep <p align="left">You can report such problems by sending mail to tom dot eastep
at hp dot com.</p> at hp dot com.</p>
<h2>A Word about SPAM Filters <a href="http://ordb.org"> <img border="0" <h2>A Word about SPAM Filters <a href="http://ordb.org"> <img border="0"
src="images/but3.png" hspace="3" width="88" height="31"> src="images/but3.png" hspace="3" width="88" height="31">
 </a><a href="http://osirusoft.com/"> </a></h2>  </a><a href="http://osirusoft.com/"> </a></h2>
<p>Before subscribing please read my <a href="spam_filters.htm">policy <p>Before subscribing please read my <a href="spam_filters.htm">policy
about list traffic that bounces.</a> Also please note that the mail server about list traffic that bounces.</a> Also please note that the mail server
at shorewall.net checks incoming mail:<br> at shorewall.net checks incoming mail:<br>
</p> </p>
<ol> <ol>
<li>against the open relay databases at <a <li>against the open relay databases at <a
href="http://ordb.org">ordb.org.</a></li> href="http://ordb.org">ordb.org.</a></li>
<li>to ensure that the sender address is fully qualified.</li> <li>to ensure that the sender address is fully qualified.</li>
<li>to verify that the sender's domain has an A or MX record in DNS.</li> <li>to verify that the sender's domain has an A or MX record in DNS.</li>
<li>to ensure that the host name in the HELO/EHLO command is a valid <li>to ensure that the host name in the HELO/EHLO command is a valid
fully-qualified DNS name.<br> fully-qualified DNS name.</li>
</li>
</ol> </ol>
<h2>Please post in plain text</h2>
While the list server here at shorewall.net accepts and distributes HTML
posts, a growing number of MTAs serving list subscribers are rejecting this
HTML list traffic. At least one MTA has gone so far as to blacklist shorewall.net
"for continuous abuse"!!<br>
<br>
I think that blocking all HTML is a rather draconian way to control spam
and that the unltimate loser here is not the spammers but the list subscribers
whose MTAs are bouncing all shorewall.net mail. Nevertheless, all of you
can help by restricting your list posts to plain text.<br>
<br>
And as a bonus, subscribers who use email clients like pine and mutt will
be able to read your plain text posts whereas they are most likely simply
ignoring your HTML posts.<br>
<br>
A final bonus for the use of HTML is that it cuts down the size of messages
by a large percentage -- that is important when the same message must be
sent 500 times over the slow DSL line connecting the list server to the internet.<br>
<h2></h2> <h2></h2>
<h2 align="left">Mailing Lists Archive Search</h2> <h2 align="left">Mailing Lists Archive Search</h2>
<form method="post" action="http://www.shorewall.net/cgi-bin/htsearch"> <form method="post" action="http://www.shorewall.net/cgi-bin/htsearch">
<p> <font size="-1"> Match: <p> <font size="-1"> Match:
<select name="method"> <select name="method">
<option value="and">All </option> <option value="and">All </option>
<option value="or">Any </option> <option value="or">Any </option>
<option value="boolean">Boolean </option> <option value="boolean">Boolean </option>
</select> </select>
Format: Format:
<select name="format"> <select name="format">
<option value="builtin-long">Long </option> <option value="builtin-long">Long </option>
<option value="builtin-short">Short </option> <option value="builtin-short">Short </option>
</select> </select>
Sort by: Sort by:
<select name="sort"> <select name="sort">
<option value="score">Score </option> <option value="score">Score </option>
<option value="time">Time </option> <option value="time">Time </option>
@ -102,120 +127,120 @@ fully-qualified DNS name.<br>
<option value="revtime">Reverse Time </option> <option value="revtime">Reverse Time </option>
<option value="revtitle">Reverse Title </option> <option value="revtitle">Reverse Title </option>
</select> </select>
</font> <input type="hidden" name="config" value="htdig"> <input </font> <input type="hidden" name="config" value="htdig"> <input
type="hidden" name="restrict" type="hidden" name="restrict"
value="[http://www.shorewall.net/pipermail/.*]"> <input type="hidden" value="[http://www.shorewall.net/pipermail/.*]"> <input type="hidden"
name="exclude" value=""> <br> name="exclude" value=""> <br>
Search: <input type="text" size="30" name="words" value=""> <input Search: <input type="text" size="30" name="words" value=""> <input
type="submit" value="Search"> </p> type="submit" value="Search"> </p>
</form> </form>
<h2 align="left"><font color="#ff0000">Please do not try to download the entire
Archive -- its 75MB (and growing daily) and my slow DSL line simply won't
stand the traffic. If I catch you, you'll be blacklisted.<br>
</font></h2>
<h2 align="left">Shorewall CA Certificate</h2> <h2 align="left">Shorewall CA Certificate</h2>
If you want to trust X.509 certificates issued by Shoreline Firewall If you want to trust X.509 certificates issued by Shoreline Firewall
(such as the one used on my web site), you may <a (such as the one used on my web site), you may <a
href="Shorewall_CA_html.html">download and install my CA certificate</a> href="Shorewall_CA_html.html">download and install my CA certificate</a>
in your browser. If you don't wish to trust my certificates then you can in your browser. If you don't wish to trust my certificates then you
either use unencrypted access when subscribing to Shorewall mailing lists can either use unencrypted access when subscribing to Shorewall mailing
or you can use secure access (SSL) and accept the server's certificate when lists or you can use secure access (SSL) and accept the server's certificate
prompted by your browser.<br> when prompted by your browser.<br>
<h2 align="left">Shorewall Users Mailing List</h2> <h2 align="left">Shorewall Users Mailing List</h2>
<p align="left">The Shorewall Users Mailing list provides a way for users <p align="left">The Shorewall Users Mailing list provides a way for users
to get answers to questions and to report problems. Information of general to get answers to questions and to report problems. Information of general
interest to the Shorewall user community is also posted to this list.</p> interest to the Shorewall user community is also posted to this list.</p>
<p align="left"><b>Before posting a problem report to this list, please see <p align="left"><b>Before posting a problem report to this list, please see
the <a href="support.htm">problem reporting guidelines</a>.</b></p> the <a href="support.htm">problem reporting guidelines</a>.</b></p>
<p align="left">To subscribe to the mailing list, go to <a <p align="left">To subscribe to the mailing list, go to <a
href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a> href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a>
SSL: <a SSL: <a
href="https://www.shorewall.net/mailman/listinfo/shorewall-users" href="https://www.shorewall.net/mailman/listinfo/shorewall-users"
target="_top">https//www.shorewall.net/mailman/listinfo/shorewall-users</a></p> target="_top">https//www.shorewall.net/mailman/listinfo/shorewall-users</a></p>
<p align="left">To post to the list, post to <a <p align="left">To post to the list, post to <a
href="mailto:shorewall-users@shorewall.net">shorewall-users@shorewall.net</a>.</p> href="mailto:shorewall-users@shorewall.net">shorewall-users@shorewall.net</a>.</p>
<p align="left">The list archives are at <a <p align="left">The list archives are at <a
href="http://www.shorewall.net/pipermail/shorewall-users/index.html">http://www.shorewall.net/pipermail/shorewall-users</a>.</p> href="http://www.shorewall.net/pipermail/shorewall-users/index.html">http://www.shorewall.net/pipermail/shorewall-users</a>.</p>
<p align="left">Note that prior to 1/1/2002, the mailing list was hosted <p align="left">Note that prior to 1/1/2002, the mailing list was hosted
at <a href="http://sourceforge.net">Sourceforge</a>. The archives from that at <a href="http://sourceforge.net">Sourceforge</a>. The archives from that
list may be found at <a list may be found at <a
href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p> href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p>
<h2 align="left">Shorewall Announce Mailing List</h2> <h2 align="left">Shorewall Announce Mailing List</h2>
<p align="left">This list is for announcements of general interest to the <p align="left">This list is for announcements of general interest to the
Shorewall community. To subscribe, go to <a Shorewall community. To subscribe, go to <a
href="http://www.shorewall.net/mailman/listinfo/shorewall-announce">http://www.shorewall.net/mailman/listinfo/shorewall-announce</a> href="http://www.shorewall.net/mailman/listinfo/shorewall-announce">http://www.shorewall.net/mailman/listinfo/shorewall-announce</a>
SSL: <a SSL: <a
href="https://www.shorewall.net/mailman/listinfo/shorewall-announce" href="https://www.shorewall.net/mailman/listinfo/shorewall-announce"
target="_top">https//www.shorewall.net/mailman/listinfo/shorewall-announce.<br> target="_top">https//www.shorewall.net/mailman/listinfo/shorewall-announce.<br>
</a><br> </a><br>
The list archives are at <a The list archives are at <a
href="http://www.shorewall.net/pipermail/shorewall-announce">http://www.shorewall.net/pipermail/shorewall-announce</a>.</p> href="http://www.shorewall.net/pipermail/shorewall-announce">http://www.shorewall.net/pipermail/shorewall-announce</a>.</p>
<h2 align="left">Shorewall Development Mailing List</h2> <h2 align="left">Shorewall Development Mailing List</h2>
<p align="left">The Shorewall Development Mailing list provides a forum for <p align="left">The Shorewall Development Mailing list provides a forum for
the exchange of ideas about the future of Shorewall and for coordinating the exchange of ideas about the future of Shorewall and for coordinating
ongoing Shorewall Development.</p> ongoing Shorewall Development.</p>
<p align="left">To subscribe to the mailing list, go to <a <p align="left">To subscribe to the mailing list, go to <a
href="http://www.shorewall.net/mailman/listinfo/shorewall-devel">http://www.shorewall.net/mailman/listinfo/shorewall-devel</a> href="http://www.shorewall.net/mailman/listinfo/shorewall-devel">http://www.shorewall.net/mailman/listinfo/shorewall-devel</a>
SSL: <a SSL: <a
href="https://www.shorewall.net/mailman/listinfo/shorewall-devel" href="https://www.shorewall.net/mailman/listinfo/shorewall-devel"
target="_top">https//www.shorewall.net/mailman/listinfo/shorewall-devel.</a><br> target="_top">https//www.shorewall.net/mailman/listinfo/shorewall-devel.</a><br>
To post to the list, post to <a To post to the list, post to <a
href="mailto:shorewall-devel@shorewall.net">shorewall-devel@shorewall.net</a>. </p> href="mailto:shorewall-devel@shorewall.net">shorewall-devel@shorewall.net</a>. </p>
<p align="left">The list archives are at <a <p align="left">The list archives are at <a
href="http://www.shorewall.net/pipermail/shorewall-devel">http://www.shorewall.net/pipermail/shorewall-devel</a>.</p> href="http://www.shorewall.net/pipermail/shorewall-devel">http://www.shorewall.net/pipermail/shorewall-devel</a>.</p>
<h2 align="left"><a name="Unsubscribe"></a>How to Unsubscribe from one of <h2 align="left"><a name="Unsubscribe"></a>How to Unsubscribe from one of
the Mailing Lists</h2> the Mailing Lists</h2>
<p align="left">There seems to be near-universal confusion about unsubscribing <p align="left">There seems to be near-universal confusion about unsubscribing
from Mailman-managed lists. To unsubscribe:</p> from Mailman-managed lists. To unsubscribe:</p>
<ul> <ul>
<li> <li>
<p align="left">Follow the same link above that you used to subscribe <p align="left">Follow the same link above that you used to subscribe
to the list.</p> to the list.</p>
</li> </li>
<li> <li>
<p align="left">Down at the bottom of that page is the following text: <p align="left">Down at the bottom of that page is the following text:
"To change your subscription (set options like digest and delivery modes, "To change your subscription (set options like digest and delivery
get a reminder of your password, <b>or unsubscribe</b> from &lt;name modes, get a reminder of your password, <b>or unsubscribe</b> from
of list&gt;), enter your subscription email address:". Enter your email &lt;name of list&gt;), enter your subscription email address:". Enter
address in the box and click on the "Edit Options" button.</p> your email address in the box and click on the "Edit Options" button.</p>
</li> </li>
<li> <li>
<p align="left">There will now be a box where you can enter your password <p align="left">There will now be a box where you can enter your password
and click on "Unsubscribe"; if you have forgotten your password, there and click on "Unsubscribe"; if you have forgotten your password, there
is another button that will cause your password to be emailed to you.</p> is another button that will cause your password to be emailed to you.</p>
</li> </li>
</ul> </ul>
<hr> <hr>
<h2 align="left">Frustrated by having to Rebuild Mailman to use it with Postfix?</h2> <h2 align="left">Frustrated by having to Rebuild Mailman to use it with Postfix?</h2>
<p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p> <p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p>
<p align="left"><font size="2">Last updated 11/22/2002 - <a <p align="left"><font size="2">Last updated 12/27/2002 - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
<br> </p>
<br>
<br>
<br>
<br>
<br>
<br> <br>
</body> </body>
</html> </html>

55
Shorewall-docs/mailing_list_problems.htm
View File

@ -1,50 +1,53 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<title>Mailing List Problems</title> <title>Mailing List Problems</title>
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Mailing List Problems</font></h1> <h1 align="center"><font color="#ffffff">Mailing List Problems</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<h2 align="left">Shorewall.net is currently experiencing mail delivery problems <h2 align="left">Shorewall.net is currently experiencing mail delivery problems
to at least one address in each of the following domains:</h2> to at least one address in each of the following domains:</h2>
<blockquote> <blockquote>
<div align="left"> <div align="left">
<pre>2020ca - delivery to this domain has been disabled (cause unknown)<br>arosy.de - delivery to this domain has been disabled (Relay access denied)<br>arundel.homelinux.org - delivery to this domain has been disabled (connection timed out, connection refused)<br>asurfer.com - (Mailbox full)<br>bol.com.br - delivery to this domain has been disabled (Mailbox Full)<br>cuscominc.com - delivery to this domain has been disabled (bouncing mail from all sources with "Mail rejected because the server you are sending to is misconfigured").<br>excite.com - delivery to this domain has been disabled (cause unknown)<br>epacificglobal.com - delivery to this domain has been disabled (no MX record for domain)<br>freefish.dyndns.org - delivery to this domain has been disabled (Name Server Problem -- Host not found)<br>gmx.net - delivery to this domain has been disabled (cause unknown)<br>hotmail.com - delivery to this domain has been disabled (Mailbox over quota)<br>intercom.net - delivery to this domain has been disabled (cause unknown)<br>ionsphere.org - (connection timed out)<br>initialcs.com - delivery to this domain has been disabled (cause unknown)<br>intelligents.2y.net - delivery to this domain has been disabled (Name Service Problem -- Host not Found).<br>khp-inc.com - delivery to this domain has been disabled (anti-virus problems)<br>kieninger.de - delivery to this domain has been disabled (relaying to &lt;xxxxx@kieninger.de&gt; prohibited by administrator)<br>lariera.com - delivery to this domain has been disabled (Unknown User)<br>littleblue.de - (connection timed out)<br>mfocus.com.my - delivery to this domain has been disabled (MTA at mailx.mfocus.com.my not delivering and not giving a reason)<br>navair.navy.mil - delivery to this domain has been disabled (A restriction in the system prevented delivery of the message)<br>opermail.net - delivery to this domain has been disabled (cause unknown)<br>opus.homeip.net - (SpamAssassin is missing the HiRes Time module)<br>penquindevelopment.com - delivery to this domain has been disabled (connection timed out)<br>scip-online.de - delivery to this domain has been disabled (cause unknown)<br>spctnet.com - connection timed out - delivery to this domain has been disabled<br>telusplanet.net - delivery to this domain has been disabled (cause unknown)<br>yahoo.com - delivery to this domain has been disabled (Mailbox over quota)</pre> <pre>2020ca - delivery to this domain has been disabled (cause unknown)<br>arosy.de - delivery to this domain has been disabled (Relay access denied)<br>arundel.homelinux.org - delivery to this domain has been disabled (connection timed out, connection refused)<br>asurfer.com - (Mailbox full)<br>bol.com.br - delivery to this domain has been disabled (Mailbox Full)<br>cuscominc.com - delivery to this domain has been disabled (bouncing mail from all sources with "Mail rejected because the server you are sending to is misconfigured").<br>cvnet.psi.br - (DNS configuration error -- MX is cvn-srv1.cvnet.psi.br.cvnet.psi.br)<br>datakota.com - (DNS Timeouts)<br>excite.com - delivery to this domain has been disabled (cause unknown)<br>epacificglobal.com - delivery to this domain has been disabled (no MX record for domain)<br>freefish.dyndns.org - delivery to this domain has been disabled (Name Server Problem -- Host not found)<br>gmx.net - delivery to this domain has been disabled (cause unknown)<br>hotmail.com - delivery to this domain has been disabled (Mailbox over quota)<br>intercom.net - delivery to this domain has been disabled (cause unknown)<br>nitialcs.com - delivery to this domain has been disabled (cause unknown)<br>intelligents.2y.net - delivery to this domain has been disabled (Name Service Problem -- Host not Found).<br>khp-inc.com - delivery to this domain has been disabled (anti-virus problems)<br>kieninger.de - delivery to this domain has been disabled (relaying to &lt;xxxxx@kieninger.de&gt; prohibited by administrator)<br>lariera.com - delivery to this domain has been disabled (Unknown User)<br>mfocus.com.my - delivery to this domain has been disabled (MTA at mailx.mfocus.com.my not delivering and not giving a reason)<br>navair.navy.mil - delivery to this domain has been disabled (A restriction in the system prevented delivery of the message)<br>opermail.net - delivery to this domain has been disabled (cause unknown)<br>penquindevelopment.com - delivery to this domain has been disabled (connection timed out)<br>scip-online.de - delivery to this domain has been disabled (cause unknown)<br>spctnet.com - connection timed out - delivery to this domain has been disabled<br>telusplanet.net - delivery to this domain has been disabled (cause unknown)<br>the-techy.com - delivery to this domain has been disabled (clueless administrator - continuous DNS problems) <br>yahoo.com - delivery to this domain has been disabled (Mailbox over quota)</pre>
</div> </div>
</blockquote> </blockquote>
<p align="left"><font size="2">Last updated 11/24/2002 18:44 GMT - <a <p align="left"><font size="2">Last updated 12/17/2002 02:51 GMT - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"> <font face="Trebuchet MS"> <font <p align="left"><a href="copyright.htm"> <font face="Trebuchet MS"> <font
size="2">Copyright</font> © <font size="2">2002 Thomas M. Eastep.</font></font></a></p> size="2">Copyright</font> © <font size="2">2002 Thomas M. Eastep.</font></font></a></p>
<p align="left"> </p> <p align="left"> </p>
<br>
<br>
<br> <br>
<br>
<br> <br>
<br> <br>
<br> <br>

90
Shorewall-docs/ping.html Normal file
View File

@ -0,0 +1,90 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>ICMP Echo-request (Ping)</title>
<meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">ICMP Echo-request (Ping)</font></h1>
</td>
</tr>
</tbody>
</table>
<br>
Shorewall 'Ping' management has evolved over time in a less than consistant
way. This page describes how it now works.<br>
<br>
There are several aspects to Shorewall Ping management:<br>
<ol>
<li>The <b>noping</b> and <b>filterping </b>interface options in <a
href="file:///home/teastep/Shorewall-docs/Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
<li>The <b>FORWARDPING</b> option in<a
href="file:///home/teastep/Shorewall-docs/Documentation.htm#Conf"> /etc/shorewall/shorewall.conf</a>.</li>
<li>Explicit rules in <a
href="file:///home/teastep/Shorewall-docs/Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
</ol>
There are two cases to consider:<br>
<ol>
<li>Ping requests addressed to the firewall itself; and</li>
<li>Ping requests being forwarded to another system. Included here are
all cases of packet forwarding including NAT, DNAT rule, Proxy ARP and simple
routing.</li>
</ol>
These cases will be covered separately.<br>
<h2>Ping Requests Addressed to the Firewall Itself</h2>
For ping requests addressed to the firewall, the sequence is as follows:<br>
<ol>
<li>If neither <b>noping</b> nor <b>filterping </b>are specified for the
interface that receives the ping request then the request will be responded
to with an ICMP echo-reply.</li>
<li>If <b>noping</b> is specified for the interface that receives the ping
request then the request is ignored.</li>
<li>If <b>filterping </b>is specified for the interface then the request
is passed to the rules/policy evaluation.</li>
</ol>
<h2>Ping Requests Forwarded by the Firewall</h2>
These requests are <b>always</b> passed to rules/policy evaluation.<br>
<h2>Rules Evaluation</h2>
Ping requests are ICMP type 8. So the general rule format is:<br>
<br>
&nbsp;&nbsp;&nbsp; <i>Target&nbsp;&nbsp;&nbsp; Source&nbsp;&nbsp;&nbsp; Destination&nbsp;&nbsp;&nbsp;
</i>icmp&nbsp;&nbsp;&nbsp; 8<br>
<br>
Example 1. Accept pings from the net to the dmz (pings are responded to with
an ICMP echo-reply):<br>
<br>
&nbsp;&nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; dmz&nbsp;&nbsp;&nbsp;
icmp&nbsp;&nbsp;&nbsp; 8<br>
<br>
Example 2. Drop pings from the net to the firewall<br>
<br>
&nbsp;&nbsp;&nbsp; DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;
icmp&nbsp;&nbsp;&nbsp; 8<br>
<h2>Policy Evaluation</h2>
If no applicable rule is found, then the policy for the source to the destination
is applied.<br>
<ol>
<li>If the relevant policy is ACCEPT then the request is responded to with
an ICMP echo-reply.</li>
<li>If <b>FORWARDPING</b> is set to Yes in /etc/shorewall/shorewall.conf
then the request is responded to with an ICMP echo-reply.</li>
<li>Otherwise, the relevant REJECT or DROP policy is used and the request
is either rejected or simply ignored.</li>
</ol>
<p><font size="2">Updated 12/13/2002 - <a
href="file:///home/teastep/Shorewall-docs/support.htm">Tom Eastep</a> </font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
&copy; <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
</body>
</html>

708
Shorewall-docs/seattlefirewall_index.htm
View File

@ -4,73 +4,86 @@
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.3</title> <title>Shoreline Firewall (Shorewall) 1.3</title>
<base target="_self">
<base target="_self">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="4" <table border="0" cellpadding="0" cellspacing="4"
style="border-collapse: collapse;" width="100%" id="AutoNumber3" style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody>
<tr> <tbody>
<td <tr>
width="100%" height="90">
<td width="100%" height="90">
<h1 align="center"> <font size="4"><i> <a
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4"
alt="Shorwall Logo" height="70" width="85" align="left"
src="images/washington.jpg" border="0">
</a></i></font><font color="#ffffff">Shorewall 1.3 -
<font size="4">"<i>iptables made easy"</i></font></font></h1>
<div align="center"><a
href="http://shorewall.sf.net/1.2/index.html" target="_top"><font
color="#ffffff">Shorewall 1.2 Site here</font></a><br>
</div>
<br>
</td>
</tr>
</tbody>
</table>
<div align="center">
<center>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody>
<tr>
<td width="90%">
<h1 align="center"> <font size="4"><i> <a
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4"
alt="Shorwall Logo" height="70" width="85" align="left"
src="images/washington.jpg" border="0">
</a></i></font><font
color="#ffffff">Shorewall 1.3 - <font size="4">"<i>iptables
made easy"</i></font></font></h1>
<div align="center"><a
href="http://shorewall.sf.net/1.2/index.html" target="_top"><font
color="#ffffff">Shorewall 1.2 Site here</font></a><br>
</div>
<br>
</td>
</tr>
</tbody>
</table>
<div align="center">
<center>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody>
<tr>
<td
width="90%">
<h2 align="left">What is it?</h2> <h2 align="left">What is it?</h2>
@ -78,41 +91,50 @@
<p>The Shoreline Firewall, more commonly known as "Shorewall", is a
<a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
that can be used on a dedicated firewall system, a multi-function <p>The Shoreline Firewall, more commonly known as "Shorewall", is
gateway/router/server or on a standalone GNU/Linux system.</p> a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
firewall that can be used on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system.</p>
<p>This program is free software; you can redistribute it and/or modify
it under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU General <p>This program is free software; you can redistribute it and/or modify
Public License</a> as published by the Free Software Foundation.<br> it under the terms of <a
<br> href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
This program General Public License</a> as published by the Free Software Foundation.<br>
is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty <br>
of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
See the GNU General Public License for more details.<br> This program is distributed in the hope that it
<br> will be useful, but WITHOUT ANY WARRANTY; without
You should even the implied warranty of MERCHANTABILITY or FITNESS
have received a copy of the GNU General Public License FOR A PARTICULAR PURPOSE. See the GNU General Public
along with this program; if not, write to the Free Software License for more details.<br>
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139,
USA</p> <br>
You should have received a copy of the GNU General
Public License along with this program; if not,
write to the Free Software Foundation, Inc., 675
Mass Ave, Cambridge, MA 02139, USA</p>
<p><a href="copyright.htm">Copyright 2001, 2002 Thomas M. Eastep</a></p> <p><a href="copyright.htm">Copyright 2001, 2002 Thomas M. Eastep</a></p>
@ -120,23 +142,27 @@ Public License</a> as published by the Free Software Foundation.<br>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img <p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36"> border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques
Nilo and Eric Wolzak have a LEAF (router/firewall/gateway </a>Jacques Nilo and Eric Wolzak have a LEAF
on a floppy, CD or compact flash) distribution called (router/firewall/gateway on a floppy, CD or compact flash) distribution
<i>Bering</i> that features Shorewall-1.3.10 and Kernel-2.4.18. called <i>Bering</i> that features Shorewall-1.3.10
You can find their work at: <a and Kernel-2.4.18. You can find their work at:
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br> <a href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
</a></p> </a></p>
<p><b>Congratulations to Jacques and Eric on the recent release of Bering
1.0 Final!!! </b><br> <p><b>Congratulations to Jacques and Eric on the recent release of
</p> Bering 1.0 Final!!! </b><br>
</p>
<h2>This is a mirror of the main Shorewall web site at SourceForge (<a
href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
<h2>This is a mirror of the main Shorewall web site at SourceForge
(<a href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
@ -145,7 +171,9 @@ Public License</a> as published by the Free Software Foundation.<br>
<h2>News</h2> <h2>News</h2>
@ -153,334 +181,276 @@ Public License</a> as published by the Free Software Foundation.<br>
<h2></h2> <h2></h2>
<p><b>11/24/2002 - Shorewall 1.3.11</b><b> </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p> <p><b>12/27/2002 - Shorewall 1.3.12 Released</b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
<p>In this version:</p> <p> Features include:<br>
</p>
<ul> <ol>
<li>A 'tcpflags' option has been added to entries in <a <li>"shorewall refresh" now reloads the traffic shaping rules (tcrules
href="file:///home/teastep/Shorewall-docs/Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. and tcstart).</li>
This option causes Shorewall to make a set of sanity check on TCP packet <li>"shorewall debug [re]start" now turns off debugging after an
header flags.</li> error occurs. This places the point of the failure near the end of the
<li>It is now allowed to use 'all' in the SOURCE or DEST column in trace rather than up in the middle of it.</li>
a <a href="file:///home/teastep/Shorewall-docs/Documentation.htm#Rules">rule</a>. <li>"shorewall [re]start" has been speeded up by more than 40% with
When used, 'all' must appear by itself (in may not be qualified) and it does my configuration. Your milage may vary.</li>
not enable intra-zone traffic. For example, the rule <br> <li>A "shorewall show classifiers" command has been added which shows
<br> the current packet classification filters. The output from this command
    ACCEPT loc all tcp 80<br> is also added as a separate page in "shorewall monitor"</li>
<br> <li>ULOG (must be all caps) is now accepted as a valid syslog level
does not enable http traffic from 'loc' to 'loc'.</li> and causes the subject packets to be logged using the ULOG target rather
<li>Shorewall's use of the 'echo' command is now compatible with than the LOG target. This allows you to run ulogd (available from <a
bash clones such as ash and dash.</li> href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
<li>fw-&gt;fw policies now generate a startup error. fw-&gt;fw rules and log all Shorewall messages <a
generate a warning and are ignored</li> href="configuration_file_basics.htm#Levels">to a separate log file</a>.</li>
</ul> <li>If you are running a kernel that has a FORWARD chain in the mangle
table ("shorewall show mangle" will show you the chains in the mangle table),
you can set MARK_IN_FORWARD_CHAIN=Yes in <a
href="Documentation.htm#Conf">shorewall.conf</a>. This allows for marking
input packets based on their destination even when you are using Masquerading
or SNAT.</li>
<li>I have cluttered up the /etc/shorewall directory with empty 'init',
'start', 'stop' and 'stopped' files. If you already have a file with one
of these names, don't worry -- the upgrade process won't overwrite your file.</li>
<li>I have added a new RFC1918_LOG_LEVEL variable to <a
href="Documentation.htm#Conf">shorewall.conf</a>. This variable specifies
the syslog level at which packets are logged as a result of entries in the
/etc/shorewall/rfc1918 file. Previously, these packets were always logged
at the 'info' level.<br>
</li>
</ol>
<p><b>11/14/2002 - Shorewall Documentation in PDF Format</b><b> <p><b>12/20/2002 - Shorewall 1.3.12 Beta 3</b><br>
</b></p> </p>
This version corrects a problem with Blacklist logging. In Beta 2, if BLACKLIST_LOG_LEVEL
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10 was set to anything but ULOG, the firewall would fail to start and "shorewall
documenation. the PDF may be downloaded from</p> refresh" would also fail.<br>
<p>    <a <p> You may download the Beta from:<br>
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br> </p>
    <a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
</p> <blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
<p><b>11/09/2002 - Shorewall is Back at SourceForge</b><b> target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
</b></p> </blockquote>
<p><b>12/20/2002 - Shorewall 1.3.12 Beta 2</b><b>
</b></p>
The first public Beta version of Shorewall 1.3.12 is now available (Beta
1 was made available to a limited audience). <br>
<br>
Features include:<br>
<br>
<ol>
<li>"shorewall refresh" now reloads the traffic shaping rules
(tcrules and tcstart).</li>
<li>"shorewall debug [re]start" now turns off debugging after
an error occurs. This places the point of the failure near the end of the
trace rather than up in the middle of it.</li>
<li>"shorewall [re]start" has been speeded up by more than 40%
with my configuration. Your milage may vary.</li>
<li>A "shorewall show classifiers" command has been added which
shows the current packet classification filters. The output from this command
is also added as a separate page in "shorewall monitor"</li>
<li>ULOG (must be all caps) is now accepted as a valid syslog
level and causes the subject packets to be logged using the ULOG target
rather than the LOG target. This allows you to run ulogd (available from
<a href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
and log all Shorewall messages <a
href="configuration_file_basics.htm#Levels">to a separate log file</a>.</li>
<li>If you are running a kernel that has a FORWARD chain in
the mangle table ("shorewall show mangle" will show you the chains in the
mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf.
This allows for marking input packets based on their destination even when
you are using Masquerading or SNAT.</li>
<li>I have cluttered up the /etc/shorewall directory with empty
'init', 'start', 'stop' and 'stopped' files. If you already have a file
with one of these names, don't worry -- the upgrade process won't overwrite
your file.</li>
</ol>
You may download the Beta from:<br>
<blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
</blockquote>
<p><b>12/12/2002 - Mandrake Multi Network Firewall <a
href="http://www.mandrakesoft.com"><img src="images/logo2.png"
alt="Powered by Mandrake Linux" width="150" height="21" border="0">
</a></b></p>
Shorewall is at the center of MandrakeSoft's recently-announced <a
href="http://www.mandrakestore.com/mdkinc/index.php?PAGE=tab_0/menu_0.php&amp;id_art=250&amp;LANG_=en#GOTO_250">Multi
Network Firewall (MNF)</a> product. Here is the <a
href="http://www.mandrakesoft.com/company/press/pr?n=/pr/products/2403">press
release</a>.<br>
<p><b>12/7/2002 - Shorewall Support for Mandrake 9.0</b><b>
</b></p>
<p>The main Shorewall web site is now back at SourceForge at <a <p>Two months and 3 days after I pre-ordered Mandrake 9.0, it was finally
href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>.<br> delivered. I have installed 9.0 on one of my systems and I am now in
</p> a position to support Shorewall users who run Mandrake 9.0.</p>
<p><b>11/09/2002 - Shorewall 1.3.10</b><b>
</b></p>
<p>In this version:</p> <p><b>12/6/2002 -  Debian 1.3.11a Packages Available</b><br>
</p>
<ul>
<li>You may now <a href="IPSEC.htm#Dynamic">define the
contents of a zone dynamically</a> with the <a
href="starting_and_stopping_shorewall.htm">"shorewall add" and "shorewall
delete" commands</a>. These commands are expected to be used primarily
within <a href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a>
updown scripts.</li>
<li>Shorewall can now do<a
href="MAC_Validation.html"> MAC verification</a> on ethernet segments.
You can specify the set of allowed MAC addresses on the segment and
you can optionally tie each MAC address to one or more IP addresses.</li>
<li>PPTP Servers and Clients running on the firewall
system may now be defined in the<a href="PPTP.htm"> /etc/shorewall/tunnels</a>
file.</li>
<li>A new 'ipsecnat' tunnel type is supported for use
when the <a href="IPSEC.htm">remote IPSEC endpoint is behind
a NAT gateway</a>.</li>
<li>The PATH used by Shorewall may now be specified in
<a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
<li>The main firewall script is now /usr/lib/shorewall/firewall.
The script in /etc/init.d/shorewall is very small and uses /sbin/shorewall
to do the real work. This change makes custom distributions such as
for Debian and for Gentoo easier to manage since it is /etc/init.d/shorewall
that tends to have distribution-dependent code.</li>
</ul>
If you have installed the 1.3.10 Beta 1 RPM and are now upgrading
to version 1.3.10, you will need to use the '--force' option:<br>
<blockquote>
<pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm</pre>
</blockquote>
<p><b>10/24/2002 - Shorewall is now in Gentoo Linux</b><a
href="http://www.gentoo.org"><br>
</a></p>
Alexandru Hartmann reports that his Shorewall package
is now a part of <a href="http://www.gentoo.org">the Gentoo
Linux distribution</a>. Thanks Alex!<br>
<p><b>10/23/2002 - Shorewall 1.3.10 Beta 1</b><b> </b></p>
In this version:<br>
<ul>
<li>You may now <a href="IPSEC.htm#Dynamic">define
the contents of a zone dynamically</a> with the <a
href="starting_and_stopping_shorewall.htm">"shorewall add" and "shorewall
delete" commands</a>. These commands are expected to be used primarily
within <a href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a>
updown scripts.</li>
<li>Shorewall can now do<a
href="MAC_Validation.html"> MAC verification</a> on ethernet segments.
You can specify the set of allowed MAC addresses on the segment and
you can optionally tie each MAC address to one or more IP addresses.</li>
<li>PPTP Servers and Clients running on the
firewall system may now be defined in the<a href="PPTP.htm"> /etc/shorewall/tunnels</a>
file.</li>
<li>A new 'ipsecnat' tunnel type is supported
for use when the <a href="IPSEC.htm">remote IPSEC endpoint
is behind a NAT gateway</a>.</li>
<li>The PATH used by Shorewall may now be specified
in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
<li>The main firewall script is now /usr/lib/shorewall/firewall.
The script in /etc/init.d/shorewall is very small and uses /sbin/shorewall
to do the real work. This change makes custom distributions such
as for Debian and for Gentoo easier to manage since it is /etc/init.d/shorewall
that tends to have distribution-dependent code.</li>
</ul>
You may download the Beta from:<br>
<ul>
<li><a
href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a></li>
<li><a
href="ftp://ftp.shorewall.net/pub/shorewall/Beta" target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
</li>
</ul>
<p><b>10/10/2002 -  Debian 1.3.9b Packages Available </b><b>
</b><br>
</p>
<p>Apt-get sources listed at <a <p>Apt-get sources listed at <a
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html.</a></p> href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html.</a></p>
<p><b>12/3/2002 - Shorewall 1.3.11a</b><b>
</b></p>
<p><b>10/9/2002 - Shorewall 1.3.9b </b><b><img border="0" <p>This is a bug-fix roll up which includes Roger Aich's fix for DNAT
src="images/new10.gif" width="28" height="12" alt="(New)"> with excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11 users
</b></p> who don't need rules of this type need not upgrade to 1.3.11.</p>
This release rolls up fixes to the installer
and to the firewall script.<br>
<b><br> <p><b>11/25/2002 - Shorewall 1.3.11 Documentation in PDF Format</b><b>
10/6/2002 - Shorewall.net now running on RH8.0 </b></p>
</b><b><img border="0" src="images/new10.gif" width="28"
height="12" alt="(New)">
</b><br> <p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.11
<br> documenation. the PDF may be downloaded from</p>
The firewall and server here at shorewall.net
are now running RedHat release 8.0.<br>
<p>    <a
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
</p>
<p><b>11/24/2002 - Shorewall 1.3.11</b><b> </b><b>
</b></p>
<p>In this version:</p>
<ul>
<li>A 'tcpflags' option has been added to entries
in <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
This option causes Shorewall to make a set of sanity check on TCP packet
header flags.</li>
<li>It is now allowed to use 'all' in the SOURCE or
DEST column in a <a href="Documentation.htm#Rules">rule</a>. When
used, 'all' must appear by itself (in may not be qualified) and it does
not enable intra-zone traffic. For example, the rule <br>
<br>
    ACCEPT loc all tcp 80<br>
<br>
does not enable http traffic from 'loc' to 'loc'.</li>
<li>Shorewall's use of the 'echo' command is now compatible
with bash clones such as ash and dash.</li>
<li>fw-&gt;fw policies now generate a startup error.
fw-&gt;fw rules generate a warning and are ignored</li>
</ul>
<p><b>9/30/2002 - Shorewall 1.3.9a</b><b> <p><b></b><a href="News.htm">More News</a></p>
</b></p>
Roles up the fix for broken tunnels.<br>
<h2><a name="Donations"></a>Donations</h2>
</td>
<td width="88" bgcolor="#4b017c" valign="top"
align="center"> <a href="http://sourceforge.net">M</a></td>
</tr>
<p><b>9/30/2002 - TUNNELS Broken in 1.3.9!!!</b><b> </tbody>
</b></p>
<img src="images/j0233056.gif" </table>
alt="Brown Paper Bag" width="50" height="86" align="left">
There is an updated firewall script at
<a
href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
-- copy that file to /usr/lib/shorewall/firewall.<br>
<p><b><br>
</b></p>
<p><b><br>
</b></p>
<p><b><br>
9/28/2002 - Shorewall 1.3.9 </b><b>
</b></p>
<p>In this version:<br>
</p>
<ul>
<li><a
href="configuration_file_basics.htm#dnsnames">DNS Names</a> are now
allowed in Shorewall config files (although I recommend against
using them).</li>
<li>The connection SOURCE
may now be qualified by both interface and IP address in
a <a href="Documentation.htm#Rules">Shorewall rule</a>.</li>
<li>Shorewall startup is
now disabled after initial installation until the file
/etc/shorewall/startup_disabled is removed. This avoids nasty
surprises at reboot for users who install Shorewall but don't
configure it.</li>
<li>The 'functions' and 'version'
files and the 'firewall' symbolic link have been moved
from /var/lib/shorewall to /usr/lib/shorewall to appease
the LFS police at Debian.<br>
</li>
</center>
</div>
</ul>
<p><a href="News.htm">More News</a></p>
<h2><a name="Donations"></a>Donations</h2>
</td>
<td
width="88" bgcolor="#4b017c" valign="top" align="center"> <a
href="http://sourceforge.net">M</a></td>
</tr>
</tbody>
</table>
</center>
</div>
<table border="0" cellpadding="5" cellspacing="0" <table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2" style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td
width="100%" style="margin-top: 1px;"> <td width="100%" style="margin-top: 1px;">
<p align="center"><a href="http://www.starlight.org"> <img <p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left" border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10"> hspace="10">
  </a></p>  
</a></p>
<p align="center"><font size="4" color="#ffffff">Shorewall is free but
if you try it and find it useful, please consider making a donation
to <a href="http://www.starlight.org"><font
color="#ffffff">Starlight Children's Foundation.</font></a> Thanks!</font></p>
</td>
</tr>
</tbody> <p align="center"><font size="4" color="#ffffff">Shorewall is free
but if you try it and find it useful, please consider making a donation
to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight
Children's Foundation.</font></a> Thanks!</font></p>
</td>
</tr>
</tbody>
</table> </table>
<p><font size="2">Updated 11/24/2002 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p> <p><font size="2">Updated 12/27/2002 - <a href="support.htm">Tom Eastep</a></font>
<br>
<br> <br>
</p>
<br> <br>
</body> </body>
</html> </html>

160
Shorewall-docs/shoreline.htm
View File

@ -1,118 +1,124 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>About the Shorewall Author</title> <title>About the Shorewall Author</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Tom Eastep</font></h1> <h1 align="center"><font color="#ffffff">Tom Eastep</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p align="center"> <img border="3" src="images/TomNTarry.png" <p align="center"> <img border="3" src="images/TomNTarry.png"
alt="Tom on the PCT - 1991" width="316" height="392"> alt="Tom on the PCT - 1991" width="316" height="392">
</p> </p>
<p align="center">Tarry &amp; Tom -- August 2002<br> <p align="center">Tarry &amp; Tom -- August 2002<br>
<br> <br>
</p> </p>
<ul> <ul>
<li>Born 1945 in <a href="http://www.experiencewashington.com">Washington <li>Born 1945 in <a
State</a> .</li> href="http://www.experiencewashington.com">Washington State</a> .</li>
<li>BA Mathematics from <a href="http://www.wsu.edu">Washington <li>BA Mathematics from <a href="http://www.wsu.edu">Washington
State University</a> 1967</li> State University</a> 1967</li>
<li>MA Mathematics from <a href="http://www.washington.edu">University <li>MA Mathematics from <a
of Washington</a> 1969</li> href="http://www.washington.edu">University of Washington</a> 1969</li>
<li>Burroughs Corporation (now <a href="http://www.unisys.com">Unisys</a> <li>Burroughs Corporation (now <a
) 1969 - 1980</li> href="http://www.unisys.com">Unisys</a> ) 1969 - 1980</li>
<li><a href="http://www.tandem.com">Tandem Computers, Incorporated</a> <li><a href="http://www.tandem.com">Tandem Computers, Incorporated</a>
(now part of the <a href="http://www.hp.com">The New HP</a>) 1980 - present</li> (now part of the <a href="http://www.hp.com">The New HP</a>) 1980 -
<li>Married 1969 - no children.</li> present</li>
<li>Married 1969 - no children.</li>
</ul> </ul>
<p>I am currently a member of the design team for the next-generation <p>I am currently a member of the design team for the next-generation
operating system from the NonStop Enterprise Division of HP. </p> operating system from the NonStop Enterprise Division of HP. </p>
<p>I became interested in Internet Security when I established a home office <p>I became interested in Internet Security when I established a home office
in 1999 and had DSL service installed in our home. I investigated in 1999 and had DSL service installed in our home. I investigated
ipchains and developed the scripts which are now collectively known as <a ipchains and developed the scripts which are now collectively known as
href="http://seawall.sourceforge.net"> Seattle Firewall</a>. Expanding <a href="http://seawall.sourceforge.net"> Seattle Firewall</a>. Expanding
on what I learned from Seattle Firewall, I then designed and wrote on what I learned from Seattle Firewall, I then designed and wrote
Shorewall. </p> Shorewall. </p>
<p>I telework from our home in <a href="http://www.cityofshoreline.com">Shoreline, <p>I telework from our home in <a href="http://www.cityofshoreline.com">Shoreline,
Washington</a> where I live with my wife Tarry. </p> Washington</a> where I live with my wife Tarry. </p>
<p>Our current home network consists of: </p> <p>Our current home network consists of: </p>
<ul> <ul>
<li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &amp; 8GB IDE <li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &amp; 20GB
HDs and LNE100TX (Tulip) NIC - My personal Windows system. Also has IDE HDs and LNE100TX (Tulip) NIC - My personal Windows system. Also
RedHat 8.0 installed.</li> has <a href="http://www.mandrakelinux.com">Mandrake</a> 9.0 installed.</li>
<li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip) NIC <li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip)
- My personal Linux System which runs Samba configured as a WINS server. NIC - My personal Linux System which runs Samba configured as a WINS
This system also has <a href="http://www.vmware.com/">VMware</a> installed server. This system also has <a href="http://www.vmware.com/">VMware</a>
and can run both <a href="http://www.debian.org">Debian Woody</a> installed and can run both <a href="http://www.debian.org">Debian
and <a href="http://www.suse.com">SuSE 8.1</a> in virtual machines.</li> Woody</a> and <a href="http://www.suse.com">SuSE 8.1</a> in virtual
<li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC  - Mail machines.</li>
(Postfix &amp; Courier-IMAP), HTTP (Apache), FTP (Pure_ftpd), DNS server <li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC  -
(Bind).</li> Email (Postfix &amp; Courier-IMAP), HTTP (Apache), FTP (Pure_ftpd), DNS
<li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI HD - 3 LNE100TX  server (Bind).</li>
(Tulip) and 1 TLAN NICs  - Firewall running Shorewall 1.3.9a  and a DHCP <li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI HD - 3 LNE100TX 
server.  Also runs PoPToP for road warrior access.</li> (Tulip) and 1 TLAN NICs  - Firewall running Shorewall 1.3.11  and a DHCP
<li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - My wife's server.  Also runs PoPToP for road warrior access.</li>
personal system.</li> <li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - My
<li>PII/400 Laptop, Win2k SP2, 224MB RAM, 12GB HD, onboard EEPRO100 wife's personal system.</li>
and EEPRO100 in expansion base and LinkSys WAC11 - My main work system.</li> <li>PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB HD, onboard
EEPRO100 and EEPRO100 in expansion base and LinkSys WAC11 - My main
work system.</li>
</ul> </ul>
<p>For more about our network see <a href="myfiles.htm">my Shorewall Configuration</a>.</p> <p>For more about our network see <a href="myfiles.htm">my Shorewall Configuration</a>.</p>
<p>All of our other systems are made by <a <p>All of our other systems are made by <a
href="http://www.compaq.com">Compaq</a> (part of the new <a href="http://www.compaq.com">Compaq</a> (part of the new <a
href="http://www.hp.com/">HP</a>).. All of our Tulip NICs are <a href="http://www.hp.com/">HP</a>).. All of our Tulip NICs are <a
href="http://www.netgear.com">Netgear</a> FA310TXs.</p> href="http://www.netgear.com">Netgear</a> FA310TXs.</p>
<p><a href="http://www.redhat.com"><img border="0" <p><a href="http://www.redhat.com"><img border="0"
src="images/poweredby.png" width="88" height="31"> src="images/poweredby.png" width="88" height="31">
</a><a href="http://www.compaq.com"><img border="0" </a><a href="http://www.compaq.com"><img border="0"
src="images/poweredbycompaqlog0.gif" hspace="3" width="83" height="25"> src="images/poweredbycompaqlog0.gif" hspace="3" width="83" height="25">
</a><a href="http://www.pureftpd.org"><img border="0" </a><a href="http://www.pureftpd.org"><img border="0"
src="images/pure.jpg" width="88" height="31"> src="images/pure.jpg" width="88" height="31">
</a><font size="4"><a href="http://www.apache.org"><img border="0" </a><font size="4"><a href="http://www.apache.org"><img
src="images/apache_pb1.gif" hspace="2" width="170" height="20"> border="0" src="images/apache_pb1.gif" hspace="2" width="170"
</a> </font></p> height="20">
</a><a href="http://www.mandrakelinux.com"><img
<p><font size="2">Last updated 10/28/2002 - </font><font size="2"> <a src="images/medbutton.png" alt="Powered by Mandrake" width="90"
height="32">
</a><img src="images/shorewall.jpg" alt="Protected by Shorewall"
width="125" height="40" hspace="4">
</font></p>
<p><font size="2">Last updated 12/7/2002 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p> href="support.htm">Tom Eastep</a></font> </p>
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <font face="Trebuchet MS"><a href="copyright.htm"><font
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br> size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
<br> <br>
<br>
<br>
<br>
<br> <br>
</body> </body>
</html> </html>

202
Shorewall-docs/shorewall_extension_scripts.htm
View File

@ -1,113 +1,133 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta http-equiv="Content-Language" content="en-us">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<title>Shorewall Extension Scripts</title>
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall Extension Scripts</title>
</head> </head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90"> <table border="0" cellpadding="0" cellspacing="0"
<tr> style="border-collapse: collapse;" bordercolor="#111111" width="100%"
<td width="100%"> id="AutoNumber1" bgcolor="#400169" height="90">
<h1 align="center"><font color="#FFFFFF">Extension Scripts</font></h1>
</td> <tbody>
</tr> <tr>
</table>
<td width="100%">
<p>
Extension scripts are user-provided <h1 align="center"><font color="#ffffff">Extension Scripts</font></h1>
scripts that are invoked at various points during firewall start, restart,
stop and clear. The scripts are placed in /etc/shorewall and are processed </td>
using the Bourne shell "source" mechanism. The following scripts can be
supplied:</p> </tr>
<ul>
<li>init -- invoked early in "shorewall start" and "shorewall restart"</li>
<li>start -- invoked after the firewall has been started or restarted.</li> </tbody>
<li>stop -- invoked as a first step when the firewall is being stopped.</li> </table>
<li>stopped -- invoked after the firewall has been stopped.</li>
<li>clear -- invoked after the firewall has been cleared.</li>
<li>refresh -- invoked while the firewall is being refreshed but before the <p> Extension scripts are user-provided scripts that are invoked at various
common and/or blacklst chains have been rebuilt.</li> points during firewall start, restart, stop and clear. The scripts are
<li>newnotsyn (added in version 1.3.6) -- invoked after the 'newnotsyn' chain placed in /etc/shorewall and are processed using the Bourne shell "source"
has been created but before any rules have been added to it.</li> mechanism. The following scripts can be supplied:</p>
<ul>
<li>init -- invoked early in "shorewall start" and "shorewall restart"</li>
<li>start -- invoked after the firewall has been started or restarted.</li>
<li>stop -- invoked as a first step when the firewall is being stopped.</li>
<li>stopped -- invoked after the firewall has been stopped.</li>
<li>clear -- invoked after the firewall has been cleared.</li>
<li>refresh -- invoked while the firewall is being refreshed but before
the common and/or blacklst chains have been rebuilt.</li>
<li>newnotsyn (added in version 1.3.6) -- invoked after the 'newnotsyn'
chain has been created but before any rules have been added to it.</li>
</ul> </ul>
<p>
You can also supply a script with the same name as any of the filter <p><u><b>If your version of Shorewall doesn't have the file that you want
chains in the firewall and the script will be invoked after the /etc/shorewall/rules to use from the above list, you can simply create the file yourself.</b></u></p>
file has been processed but before the /etc/shorewall/policy file has <p> You can also supply a script with the same name as any of the filter
been processed.</p> chains in the firewall and the script will be invoked after the /etc/shorewall/rules
file has been processed but before the /etc/shorewall/policy file has been
processed.</p>
<p>The /etc/shorewall/common file receives special treatment. If this file is present, the rules that it
defines will totally replace the default rules in the common chain. These <p>The /etc/shorewall/common file receives special treatment. If this file
default rules are contained in the file /etc/shorewall/common.def which is present, the rules that it defines will totally replace the default
may be used as a starting point for making your own customized file.</p> rules in the common chain. These default rules are contained in the
file /etc/shorewall/common.def which may be used as a starting point
for making your own customized file.</p>
<p>
Rather than running iptables directly, you should run it using the function <p> Rather than running iptables directly, you should run it using the
run_iptables. Similarly, rather than running "ip" directly, you should function run_iptables. Similarly, rather than running "ip" directly,
use run_ip. These functions accept the same arguments as the underlying you should use run_ip. These functions accept the same arguments as the
command but cause the firewall to be stopped if an error occurs during underlying command but cause the firewall to be stopped if an error occurs
processing of the command.</p> during processing of the command.</p>
<p> If you decide to create /etc/shorewall/common it is a good idea to
use the following technique</p>
<p> /etc/shorewall/common:</p>
<blockquote>
<p> <pre>. /etc/shorewall/common.def<br>&lt;add your rules here&gt;</pre>
If you decide to create /etc/shorewall/common it is a good idea to use the </blockquote>
following technique</p>
<p>If you need to supercede a rule in the released common.def file, you can
add the superceding rule before the '.' command. Using this technique allows
you to add new rules while still getting the benefit of the latest common.def
file.</p>
<p> <p>Remember that /etc/shorewall/common defines rules that are only applied
/etc/shorewall/common:</p> if the applicable policy is DROP or REJECT. These rules are NOT applied
if the policy is ACCEPT or CONTINUE.</p>
<blockquote> <p>If you set ALLOWRELATED=No in shorewall.conf, then most ICMP packets will
<pre>. /etc/shorewall/common.def be rejected by the firewall. It is recommended with this setting that you
&lt;add your rules here&gt;</pre> create the file /etc/shorewall/icmpdef and in it place the following commands:</p>
</blockquote>
<p>If you need to supercede a rule in the released common.def file, you can add
the superceding rule before the '.' command. Using this technique allows
you to add new rules while still getting the benefit of the latest common.def
file.</p>
<p>Remember that /etc/shorewall/common defines rules
that are only applied if the applicable policy is DROP or REJECT. These rules
are NOT applied if the policy is ACCEPT or CONTINUE.</p>
<pre> run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT<br></pre>
<p>If you set ALLOWRELATED=No in shorewall.conf, then most ICMP packets will be <p align="left"><font size="2">Last updated 12/22/2002 - <a
rejected by the firewall. It is recommended with this setting that you create href="support.htm">Tom Eastep</a></font></p>
the file /etc/shorewall/icmpdef and in it place the following commands:</p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas
M. Eastep</font></a></p>
<br>
<pre> run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT
</pre>
<p align="left"><font size="2">Last updated
8/22/2002 - <a href="support.htm">Tom
Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas M. Eastep</font></a></p>
</body> </body>
</html>
</html>

392
Shorewall-docs/shorewall_quickstart_guide.htm
View File

@ -1,227 +1,269 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shorewall QuickStart Guide</title> <title>Shorewall QuickStart Guide</title>
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall QuickStart Guides<br> <h1 align="center"><font color="#ffffff">Shorewall QuickStart Guides<br>
Version 3.1</font></h1> Version 3.1</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p align="center">With thanks to Richard who reminded me once again that we <p align="center">With thanks to Richard who reminded me once again that
must all first walk before we can run.</p> we must all first walk before we can run.</p>
<h2>The Guides</h2> <h2>The Guides</h2>
<p>These guides provide step-by-step instructions for configuring Shorewall <p>These guides provide step-by-step instructions for configuring Shorewall
in common firewall setups.</p> in common firewall setups.</p>
<p>The following guides are for <b>users who have a single public IP address</b>:</p> <p>The following guides are for <b>users who have a single public IP address</b>:</p>
<ul> <ul>
<li><a href="standalone.htm">Standalone</a> Linux System</li> <li><a href="standalone.htm">Standalone</a> Linux System</li>
<li><a href="two-interface.htm">Two-interface</a> Linux System <li><a href="two-interface.htm">Two-interface</a> Linux System
acting as a firewall/router for a small local network</li> acting as a firewall/router for a small local network</li>
<li><a href="three-interface.htm">Three-interface</a> Linux System <li><a href="three-interface.htm">Three-interface</a> Linux
acting as a firewall/router for a small local network and a DMZ.</li> System acting as a firewall/router for a small local network and
a DMZ.</li>
</ul> </ul>
<p>The above guides are designed to get your first firewall up and running <p>The above guides are designed to get your first firewall up and running
quickly in the three most common Shorewall configurations.</p> quickly in the three most common Shorewall configurations.</p>
<p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> outlines <p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> outlines
the steps necessary to set up a firewall where <b>there are multiple public the steps necessary to set up a firewall where <b>there are multiple
IP addresses involved or if you want to learn more about Shorewall than public IP addresses involved or if you want to learn more about Shorewall
is explained in the single-address guides above.</b></p> than is explained in the single-address guides above.</b></p>
<ul> <ul>
<li><a href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a></li> <li><a href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a></li>
<li><a href="shorewall_setup_guide.htm#Concepts">2.0 Shorewall <li><a href="shorewall_setup_guide.htm#Concepts">2.0 Shorewall
Concepts</a></li> Concepts</a></li>
<li><a href="shorewall_setup_guide.htm#Interfaces">3.0 Network <li><a href="shorewall_setup_guide.htm#Interfaces">3.0 Network
Interfaces</a></li> Interfaces</a></li>
<li><a href="shorewall_setup_guide.htm#Addressing">4.0 Addressing, <li><a href="shorewall_setup_guide.htm#Addressing">4.0 Addressing,
Subnets and Routing</a> Subnets and Routing</a>
<ul> <ul>
<li><a href="shorewall_setup_guide.htm#Addresses">4.1 IP Addresses</a></li> <li><a href="shorewall_setup_guide.htm#Addresses">4.1 IP
<li><br> Addresses</a></li>
</li> <li><a
<li><a href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li> href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
<li><a href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li> <li><a href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li>
<li><a href="shorewall_setup_guide.htm#ARP">4.4 Address Resolution <li><a href="shorewall_setup_guide.htm#ARP">4.4 Address
Protocol</a></li> Resolution Protocol</a></li>
</ul>
<ul>
<li><a href="shorewall_setup_guide.htm#RFC1918">4.5 RFC 1918</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#Options">5.0 Setting up
your Network</a>
<ul>
<li><a href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li>
</ul>
<ul>
<li><a href="shorewall_setup_guide.htm#NonRouted">5.2 Non-routed</a>
<ul>
<li><a href="shorewall_setup_guide.htm#SNAT">5.2.1 SNAT</a></li>
<li><a href="shorewall_setup_guide.htm#DNAT">5.2.2 DNAT</a></li>
<li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3 Proxy
ARP</a></li>
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4 Static NAT</a></li>
</ul>
<ul>
<li><a href="shorewall_setup_guide.htm#RFC1918">4.5 RFC
1918</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#Options">5.0 Setting
up your Network</a>
<ul>
<li><a href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li>
</ul>
<ul>
<li><a href="shorewall_setup_guide.htm#NonRouted">5.2 Non-routed</a>
<ul>
<li><a href="shorewall_setup_guide.htm#SNAT">5.2.1 SNAT</a></li>
<li><a href="shorewall_setup_guide.htm#DNAT">5.2.2 DNAT</a></li>
<li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3
Proxy ARP</a></li>
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4 Static
NAT</a></li>
</ul> </ul>
</li> </li>
<li><a href="shorewall_setup_guide.htm#Rules">5.3 Rules</a></li> <li><a href="shorewall_setup_guide.htm#Rules">5.3 Rules</a></li>
<li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4 Odds <li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4
and Ends</a></li> Odds and Ends</a></li>
</ul> </ul>
</li> </li>
<li><a href="shorewall_setup_guide.htm#DNS">6.0 DNS</a></li> <li><a href="shorewall_setup_guide.htm#DNS">6.0 DNS</a></li>
<li><a href="shorewall_setup_guide.htm#StartingAndStopping">7.0 <li><a
Starting and Stopping the Firewall</a></li> href="shorewall_setup_guide.htm#StartingAndStopping">7.0 Starting and
Stopping the Firewall</a></li>
</ul> </ul>
<h2><a name="Documentation"></a>Documentation Index</h2> <h2><a name="Documentation"></a>Documentation Index</h2>
<p>The following documentation covers a variety of topics and <b>supplements <p>The following documentation covers a variety of topics and <b>supplements
the <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a> described the <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a>
above</b>. Please review the appropriate guide before trying to use this described above</b>. Please review the appropriate guide before trying
documentation directly.</p> to use this documentation directly.</p>
<ul> <ul>
<li><a href="blacklisting_support.htm">Blacklisting</a> <li><a href="blacklisting_support.htm">Blacklisting</a>
<ul> <ul>
<li>Static Blacklisting using /etc/shorewall/blacklist</li> <li>Static Blacklisting using /etc/shorewall/blacklist</li>
<li>Dynamic Blacklisting using /sbin/shorewall</li> <li>Dynamic Blacklisting using /sbin/shorewall</li>
</ul> </ul>
</li> </li>
<li><a href="configuration_file_basics.htm">Common configuration <li><a href="configuration_file_basics.htm">Common configuration
file features</a> file features</a>
<ul> <ul>
<li>Comments in configuration files</li> <li>Comments in configuration files</li>
<li>Line Continuation</li> <li>Line Continuation</li>
<li>Port Numbers/Service Names</li> <li>Port Numbers/Service Names</li>
<li>Port Ranges</li> <li>Port Ranges</li>
<li>Using Shell Variables</li> <li>Using Shell Variables</li>
<li>Using DNS Names<br> <li>Using DNS Names<br>
</li> </li>
<li>Complementing an IP address or Subnet</li> <li>Complementing an IP address or Subnet</li>
<li>Shorewall Configurations (making a test configuration)</li> <li>Shorewall Configurations (making a test configuration)</li>
<li>Using MAC Addresses in Shorewall</li> <li>Using MAC Addresses in Shorewall</li>
<li>Logging<br>
</li>
</ul> </ul>
</li> </li>
<li><a href="Documentation.htm">Configuration File Reference Manual</a> <li><a href="Documentation.htm">Configuration File Reference
Manual</a>
<ul> <ul>
<li> <a href="Documentation.htm#Variables">params</a></li> <li> <a href="Documentation.htm#Variables">params</a></li>
<li><font color="#000099"><a href="Documentation.htm#Zones">zones</a></font></li> <li><font color="#000099"><a
<li><font color="#000099"><a href="Documentation.htm#Zones">zones</a></font></li>
<li><font color="#000099"><a
href="Documentation.htm#Interfaces">interfaces</a></font></li> href="Documentation.htm#Interfaces">interfaces</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#Hosts">hosts</a></font></li> <li><font color="#000099"><a
<li><font color="#000099"><a href="Documentation.htm#Policy">policy</a></font></li> href="Documentation.htm#Hosts">hosts</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#Rules">rules</a></font></li> <li><font color="#000099"><a
<li><a href="Documentation.htm#Common">common</a></li> href="Documentation.htm#Policy">policy</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#Masq">masq</a></font></li> <li><font color="#000099"><a
<li><font color="#000099"><a href="Documentation.htm#Rules">rules</a></font></li>
<li><a href="Documentation.htm#Common">common</a></li>
<li><font color="#000099"><a
href="Documentation.htm#Masq">masq</a></font></li>
<li><font color="#000099"><a
href="Documentation.htm#ProxyArp">proxyarp</a></font></li> href="Documentation.htm#ProxyArp">proxyarp</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#NAT">nat</a></font></li> <li><font color="#000099"><a
<li><font color="#000099"><a href="Documentation.htm#NAT">nat</a></font></li>
<li><font color="#000099"><a
href="Documentation.htm#Tunnels">tunnels</a></font></li> href="Documentation.htm#Tunnels">tunnels</a></font></li>
<li><a href="traffic_shaping.htm#tcrules">tcrules</a></li> <li><a href="traffic_shaping.htm#tcrules">tcrules</a></li>
<li><font color="#000099"><a href="Documentation.htm#Conf">shorewall.conf</a></font></li> <li><font color="#000099"><a
<li><a href="Documentation.htm#modules">modules</a></li> href="Documentation.htm#Conf">shorewall.conf</a></font></li>
<li><a href="Documentation.htm#TOS">tos</a> </li> <li><a href="Documentation.htm#modules">modules</a></li>
<li><a href="Documentation.htm#Blacklist">blacklist</a></li> <li><a href="Documentation.htm#TOS">tos</a> </li>
<li><a href="Documentation.htm#rfc1918">rfc1918</a></li> <li><a href="Documentation.htm#Blacklist">blacklist</a></li>
<li><a href="Documentation.htm#Routestopped">routestopped</a></li> <li><a href="Documentation.htm#rfc1918">rfc1918</a></li>
<li><a href="Documentation.htm#Routestopped">routestopped</a></li>
</ul> </ul>
</li> </li>
<li><a href="dhcp.htm">DHCP</a></li> <li><a href="dhcp.htm">DHCP</a></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="shorewall_extension_scripts.htm">Extension Scripts</a></font> href="shorewall_extension_scripts.htm">Extension Scripts</a></font> (How
(How to extend Shorewall without modifying Shorewall code)</li> to extend Shorewall without modifying Shorewall code)</li>
<li><a href="fallback.htm">Fallback/Uninstall</a></li> <li><a href="fallback.htm">Fallback/Uninstall</a></li>
<li><a href="shorewall_firewall_structure.htm">Firewall Structure</a></li> <li><a href="shorewall_firewall_structure.htm">Firewall Structure</a></li>
<li><font color="#000099"><a href="kernel.htm">Kernel Configuration</a></font></li> <li><font color="#000099"><a href="kernel.htm">Kernel Configuration</a></font></li>
<li><a href="myfiles.htm">My Configuration Files</a> (How I personally <li><a href="configuration_file_basics.htm#Levels">Logging</a><br>
use Shorewall)</li> </li>
<li><a href="ports.htm">Port Information</a> <li><a href="myfiles.htm">My Configuration Files</a> (How
I personally use Shorewall)</li>
<li><a href="ping.html">'Ping' Management</a><br>
</li>
<li><a href="ports.htm">Port Information</a>
<ul> <ul>
<li>Which applications use which ports</li> <li>Which applications use which ports</li>
<li>Ports used by Trojans</li> <li>Ports used by Trojans</li>
</ul> </ul>
</li> </li>
<li><a href="ProxyARP.htm">Proxy ARP</a></li> <li><a href="ProxyARP.htm">Proxy ARP</a></li>
<li><a href="samba.htm">Samba</a></li> <li><a href="samba.htm">Samba</a></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="starting_and_stopping_shorewall.htm">Starting/stopping the Firewall</a></font></li> href="starting_and_stopping_shorewall.htm">Starting/stopping the Firewall</a></font></li>
<ul> <ul>
<li>Description of all /sbin/shorewall commands</li> <li>Description of all /sbin/shorewall commands</li>
<li>How to safely test a Shorewall configuration change<br> <li>How to safely test a Shorewall configuration change<br>
</li> </li>
</ul> </ul>
<li><font color="#000099"><a href="NAT.htm">Static NAT</a></font></li> <li><font color="#000099"><a href="NAT.htm">Static NAT</a></font></li>
<li><a href="traffic_shaping.htm">Traffic Shaping/Control</a></li> <li><a href="traffic_shaping.htm">Traffic Shaping/Control</a></li>
<li>VPN <li>VPN
<ul> <ul>
<li><a href="IPSEC.htm">IPSEC</a></li> <li><a href="IPSEC.htm">IPSEC</a></li>
<li><a href="IPIP.htm">GRE and IPIP</a></li> <li><a href="IPIP.htm">GRE and IPIP</a></li>
<li><a href="PPTP.htm">PPTP</a></li> <li><a href="PPTP.htm">PPTP</a></li>
<li><a href="VPN.htm">IPSEC/PPTP</a> from a system behind your <li><a href="VPN.htm">IPSEC/PPTP</a> from a system behind
firewall to a remote network.</li> your firewall to a remote network.</li>
</ul> </ul>
</li> </li>
<li><a href="whitelisting_under_shorewall.htm">White List Creation</a></li> <li><a href="whitelisting_under_shorewall.htm">White List
Creation</a></li>
</ul> </ul>
<p>If you use one of these guides and have a suggestion for improvement <a <p>If you use one of these guides and have a suggestion for improvement <a
href="mailto:webmaster@shorewall.net">please let me know</a>.</p> href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
<p><font size="2">Last modified 11/19/2002 - <a <p><font size="2">Last modified 12/13/2002 - <a href="support.htm">Tom Eastep</a></font></p>
href="file:///J:/Shorewall/Shorewall-docs/support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright 2002 Thomas M. Eastep</font></a><br> <p><a href="copyright.htm"><font size="2">Copyright 2002 Thomas M. Eastep</font></a><br>
</p> </p>
<br>
<br>
<br>
<br>
<br>
</body> </body>
</html> </html>

4028
Shorewall-docs/shorewall_setup_guide.htm
View File

File diff suppressed because it is too large Load Diff

810
Shorewall-docs/sourceforge_index.htm
View File

@ -4,74 +4,30 @@
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.3</title> <title>Shoreline Firewall (Shorewall) 1.3</title>
<base target="_self">
<base target="_self">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="4" <table border="0" cellpadding="0" cellspacing="4"
style="border-collapse: collapse;" width="100%" id="AutoNumber3" style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody>
<tr>
<td
width="100%" height="90">
<tbody>
<tr>
<td width="100%" height="90">
<h1 align="center"> <font size="4"><i> <a
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4"
alt="Shorwall Logo" height="70" width="85" align="left"
src="images/washington.jpg" border="0">
</a></i></font><font
color="#ffffff">Shorewall 1.3 - <font size="4">"<i>iptables
made easy"</i></font></font><a href="http://www.sf.net">
</a></h1>
<div align="center"><a href="/1.2/index.html" target="_top"><font
color="#ffffff">Shorewall 1.2 Site here</font></a></div>
</td>
</tr>
</tbody>
</table>
<div align="center">
<center>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody>
<tr>
<td width="90%">
<h2 align="left">What is it?</h2>
@ -80,10 +36,14 @@
<p>The Shoreline Firewall, more commonly known as "Shorewall", is <h1 align="center"> <font size="4"><i> <a
a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4"
firewall that can be used on a dedicated firewall system, a multi-function alt="Shorwall Logo" height="70" width="85" align="left"
gateway/router/server or on a standalone GNU/Linux system.</p> src="images/washington.jpg" border="0">
</a></i></font><font color="#ffffff">Shorewall 1.3
- <font size="4">"<i>iptables made easy"</i></font></font><a
href="http://www.sf.net"> </a></h1>
@ -91,24 +51,32 @@ firewall that can be used on a dedicated firewall system, a multi-functio
<div align="center"><a href="/1.2/index.html" target="_top"><font
color="#ffffff">Shorewall 1.2 Site here</font></a></div>
</td>
</tr>
</tbody>
<p>This program is free software; you can redistribute it and/or modify </table>
it under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
General Public License</a> as published by the Free Software Foundation.<br>
<br> <div align="center">
This
program is distributed in the hope that it will be <center>
useful, but WITHOUT ANY WARRANTY; without even the implied
warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR <table border="0" cellpadding="0" cellspacing="0"
PURPOSE. See the GNU General Public License for style="border-collapse: collapse;" width="100%" id="AutoNumber4">
more details.<br>
<br> <tbody>
You
should have received a copy of the GNU General Public <tr>
License along with this program; if not, write to
the Free Software Foundation, Inc., 675 Mass Ave, <td width="90%">
Cambridge, MA 02139, USA</p>
@ -116,7 +84,61 @@ Cambridge, MA 02139, USA</p>
<h2 align="left">What is it?</h2>
<p>The Shoreline Firewall, more commonly known as "Shorewall", is a
<a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
that can be used on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system.</p>
<p>This program is free software; you can redistribute it and/or modify
it under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU General
Public License</a> as published by the Free Software Foundation.<br>
<br>
This program is distributed in the hope
that it will be useful, but WITHOUT ANY WARRANTY;
without even the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.<br>
<br>
You should have received a copy of the GNU
General Public License along with this program;
if not, write to the Free Software Foundation,
Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
<p><a href="copyright.htm">Copyright 2001, 2002 Thomas M. Eastep</a></p> <p><a href="copyright.htm">Copyright 2001, 2002 Thomas M. Eastep</a></p>
@ -125,18 +147,23 @@ Cambridge, MA 02139, USA</p>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img <p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36"> border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques
Nilo and Eric Wolzak have a LEAF (router/firewall/gateway </a>Jacques Nilo and Eric Wolzak have
on a floppy, CD or compact flash) distribution called a LEAF (router/firewall/gateway on a floppy, CD or compact
<i>Bering</i> that features Shorewall-1.3.10 and flash) distribution called <i>Bering</i> that
Kernel-2.4.18. You can find their work at: <a features Shorewall-1.3.10 and Kernel-2.4.18. You
can find their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p> href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
<b>Congratulations to Jacques and Eric on the recent release of Bering <b>Congratulations to Jacques and Eric on the recent
1.0 Final!!! <br> release of Bering 1.0 Final!!! <br>
</b> </b>
<h2>News</h2> <h2>News</h2>
@ -147,287 +174,225 @@ Kernel-2.4.18. You can find their work at: <a
<p><b>11/24/2002 - Shorewall 1.3.11</b><b> </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p> <p><b>12/27/2002 - Shorewall 1.3.12 Released</b><b> </b><b><img
<p>In this version:</p>
<ul>
<li>A 'tcpflags' option has been added to entries in <a
href="file:///home/teastep/Shorewall-docs/Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
This option causes Shorewall to make a set of sanity check on TCP packet
header flags.</li>
<li>It is now allowed to use 'all' in the SOURCE or DEST column in
a <a href="file:///home/teastep/Shorewall-docs/Documentation.htm#Rules">rule</a>.
When used, 'all' must appear by itself (in may not be qualified) and it does
not enable intra-zone traffic. For example, the rule <br>
<br>
    ACCEPT loc all tcp 80<br>
<br>
does not enable http traffic from 'loc' to 'loc'.</li>
<li>Shorewall's use of the 'echo' command is now compatible with
bash clones such as ash and dash.</li>
<li>fw-&gt;fw policies now generate a startup error. fw-&gt;fw rules
generate a warning and are ignored</li>
</ul>
<p><b>11/14/2002 - Shorewall Documentation in PDF Format</b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)"> border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p> </b></p>
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10 <p> Features include:<br>
documenation. the PDF may be downloaded from</p> </p>
<p>    <a <ol>
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br> <li>"shorewall refresh" now reloads the traffic shaping rules (tcrules
    <a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br> and tcstart).</li>
<li>"shorewall debug [re]start" now turns off debugging after an
error occurs. This places the point of the failure near the end of the trace
rather than up in the middle of it.</li>
<li>"shorewall [re]start" has been speeded up by more than 40% with
my configuration. Your milage may vary.</li>
<li>A "shorewall show classifiers" command has been added which
shows the current packet classification filters. The output from this command
is also added as a separate page in "shorewall monitor"</li>
<li>ULOG (must be all caps) is now accepted as a valid syslog level
and causes the subject packets to be logged using the ULOG target rather
than the LOG target. This allows you to run ulogd (available from <a
href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
and log all Shorewall messages <a
href="configuration_file_basics.htm#Levels">to a separate log file</a>.</li>
<li>If you are running a kernel that has a FORWARD chain in the
mangle table ("shorewall show mangle" will show you the chains in the
mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes in <a
href="Documentation.htm#Conf">shorewall.conf</a>. This allows for marking
input packets based on their destination even when you are using Masquerading
or SNAT.</li>
<li>I have cluttered up the /etc/shorewall directory with empty
'init', 'start', 'stop' and 'stopped' files. If you already have a file
with one of these names, don't worry -- the upgrade process won't overwrite
your file.</li>
<li>I have added a new RFC1918_LOG_LEVEL variable to <a
href="Documentation.htm#Conf">shorewall.conf</a>. This variable specifies
the syslog level at which packets are logged as a result of entries in the
/etc/shorewall/rfc1918 file. Previously, these packets were always logged
at the 'info' level.</li>
</ol>
<p><b>12/20/2002 - Shorewall 1.3.12 Beta 3</b><br>
</p> </p>
This version corrects a problem with Blacklist logging. In Beta 2, if
<p><b>11/09/2002 - Shorewall is Back at SourceForge</b><b> </b><b><img BLACKLIST_LOG_LEVEL was set to anything but ULOG, the firewall would fail
border="0" src="images/new10.gif" width="28" height="12" alt="(New)"> to start and "shorewall refresh" would also fail.<br>
</b></p>
<p> You may download the Beta from:<br>
</p>
<p>The main Shorewall web site is now at SourceForge at <a
href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>.<br> <blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
</p> <a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
</blockquote>
<p><b>11/09/2002 - Shorewall 1.3.10</b><b> </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)"> <p><b>12/20/2002 - Shorewall 1.3.12 Beta 2</b><b>
</b></p> </b></p>
The first public Beta version of Shorewall 1.3.12 is now available
(Beta 1 was made available only to a limited audience). <br>
<br>
<p>In this version:</p> Features include:<br>
<br>
<ol>
<ul> <li>"shorewall refresh" now reloads the traffic shaping rules
<li>You may now <a href="IPSEC.htm#Dynamic">define (tcrules and tcstart).</li>
the contents of a zone dynamically</a> with the <a <li>"shorewall debug [re]start" now turns off debugging after
href="starting_and_stopping_shorewall.htm">"shorewall add" and "shorewall an error occurs. This places the point of the failure near the end of the
delete" commands</a>. These commands are expected to be used primarily trace rather than up in the middle of it.</li>
within <a href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a> <li>"shorewall [re]start" has been speeded up by more than
updown scripts.</li> 40% with my configuration. Your milage may vary.</li>
<li>Shorewall can now do<a <li>A "shorewall show classifiers" command has been added which
href="MAC_Validation.html"> MAC verification</a> on ethernet segments. shows the current packet classification filters. The output from this command
You can specify the set of allowed MAC addresses on the segment is also added as a separate page in "shorewall monitor"</li>
and you can optionally tie each MAC address to one or more IP addresses.</li> <li>ULOG (must be all caps) is now accepted as a valid syslog
<li>PPTP Servers and Clients running on the firewall level and causes the subject packets to be logged using the ULOG target
system may now be defined in the<a href="PPTP.htm"> /etc/shorewall/tunnels</a> rather than the LOG target. This allows you to run ulogd (available from
file.</li> <a href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
<li>A new 'ipsecnat' tunnel type is supported and log all Shorewall messages <a
for use when the <a href="IPSEC.htm">remote IPSEC endpoint href="configuration_file_basics.htm#Levels">to a separate log file</a>.</li>
is behind a NAT gateway</a>.</li> <li>If you are running a kernel that has a FORWARD chain in
<li>The PATH used by Shorewall may now be specified the mangle table ("shorewall show mangle" will show you the chains in the
in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li> mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf.
<li>The main firewall script is now /usr/lib/shorewall/firewall. This allows for marking input packets based on their destination even when
The script in /etc/init.d/shorewall is very small and uses /sbin/shorewall you are using Masquerading or SNAT.</li>
to do the real work. This change makes custom distributions such <li>I have cluttered up the /etc/shorewall directory with empty
as for Debian and for Gentoo easier to manage since it is /etc/init.d/shorewall 'init', 'start', 'stop' and 'stopped' files. If you already have a file
that tends to have distribution-dependent code.</li> with one of these names, don't worry -- the upgrade process won't overwrite
your file.</li>
</ol>
</ul> You may download the Beta from:<br>
If you have installed the 1.3.10 Beta 1 RPM and are now
upgrading to version 1.3.10, you will need to use the '--force' option:<br> <blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
<blockquote> </blockquote>
<p><b>12/12/2002 - Mandrake Multi Network Firewall <a
<pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm</pre> href="http://www.mandrakesoft.com"><img src="images/logo2.png"
</blockquote> alt="Powered by Mandrake Linux" width="150" height="23" border="0">
</a></b></p>
Shorewall is at the center of MandrakeSofts's recently-announced
<a
<p><b>10/24/2002 - Shorewall is now in Gentoo Linux</b><a href="http://www.mandrakestore.com/mdkinc/index.php?PAGE=tab_0/menu_0.php&amp;id_art=250&amp;LANG_=en#GOTO_250">Multi
href="http://www.gentoo.org"><br> Network Firewall (MNF)</a> product. Here is the <a
</a></p> href="http://www.mandrakesoft.com/company/press/pr?n=/pr/products/2403">press
Alexandru Hartmann reports that his Shorewall package release</a>.<br>
is now a part of <a href="http://www.gentoo.org">the Gentoo
Linux distribution</a>. Thanks Alex!<br> <p><b>12/7/2002 - Shorewall Support for Mandrake 9.0</b><b>
</b></p>
<p><b>10/23/2002 - Shorewall 1.3.10 Beta 1</b><b> </b></p>
In this version:<br>
<ul>
<li>You may now <a
href="IPSEC.htm#Dynamic">define the contents of a zone dynamically</a>
with the <a href="starting_and_stopping_shorewall.htm">"shorewall add"
and "shorewall delete" commands</a>. These commands are expected
to be used primarily within <a
href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a> updown
scripts.</li>
<li>Shorewall can now do<a
href="MAC_Validation.html"> MAC verification</a> on ethernet segments.
You can specify the set of allowed MAC addresses on the segment
and you can optionally tie each MAC address to one or more IP addresses.</li>
<li>PPTP Servers and Clients running
on the firewall system may now be defined in the<a
href="PPTP.htm"> /etc/shorewall/tunnels</a> file.</li>
<li>A new 'ipsecnat' tunnel type is supported
for use when the <a href="IPSEC.htm">remote IPSEC endpoint
is behind a NAT gateway</a>.</li>
<li>The PATH used by Shorewall may now
be specified in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
<li>The main firewall script is now /usr/lib/shorewall/firewall.
The script in /etc/init.d/shorewall is very small and uses
/sbin/shorewall to do the real work. This change makes custom
distributions such as for Debian and for Gentoo easier to manage
since it is /etc/init.d/shorewall that tends to have distribution-dependent
code.</li>
</ul>
You may download the Beta from:<br>
<ul>
<li><a
href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a></li>
<li><a
href="ftp://ftp.shorewall.net/pub/shorewall/Beta" target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
</li>
</ul>
<p><b>10/10/2002 - Debian 1.3.9b Packages Available </b><b>
</b><br>
</p>
<p>Two months and 3 days after I pre-ordered Mandrake 9.0, it was finally
delivered. I have installed 9.0 on one of my systems and I am now in
a position to support Shorewall users who run Mandrake 9.0.</p>
<p><b>12/6/2002 -  Debian 1.3.11a Packages Available</b><b></b><br>
</p>
<p>Apt-get sources listed at <a <p>Apt-get sources listed at <a
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html.</a></p> href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html.</a></p>
<p><b>12/3/2002 - Shorewall 1.3.11a</b><b>
</b></p>
<p>This is a bug-fix roll up which includes Roger Aich's fix for DNAT
with excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11 users
who don't need rules of this type need not upgrade to 1.3.11.</p>
<p><b>11/25/2002 - Shorewall 1.3.11 Documentation in PDF Format</b><b>
</b></p>
<p><b>10/9/2002 - Shorewall 1.3.9b </b><b><img border="0" <p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.11
src="images/new10.gif" width="28" height="12" alt="(New)"> documenation. the PDF may be downloaded from</p>
</b></p>
This release rolls up fixes to the installer
and to the firewall script.<br>
<b><br>
10/6/2002 - Shorewall.net now running
on RH8.0 </b><b><img border="0" src="images/new10.gif"
width="28" height="12" alt="(New)">
</b><br>
<br>
The firewall and server here at shorewall.net
are now running RedHat release 8.0.<br>
<p>    <a
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
</p>
<p><b>9/30/2002 - Shorewall 1.3.9a</b><b> <p><b>11/24/2002 - Shorewall 1.3.11</b><b>
</b></p>
Roles up the fix for broken tunnels.<br>
<p><b>9/30/2002 - TUNNELS Broken in 1.3.9!!!</b><b>
</b></p> </b></p>
<img
src="images/j0233056.gif" alt="Brown Paper Bag" width="50" height="86"
align="left">
There is an updated firewall script
at <a
href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
-- copy that file to /usr/lib/shorewall/firewall.<br>
<p>In this version:</p>
<ul>
<li>A 'tcpflags' option has been added to entries
<p><b><br> in <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
</b></p> This option causes Shorewall to make a set of sanity check on TCP packet
header flags.</li>
<li>It is now allowed to use 'all' in the SOURCE
or DEST column in a <a href="Documentation.htm#Rules">rule</a>. When
used, 'all' must appear by itself (in may not be qualified) and it
does not enable intra-zone traffic. For example, the rule <br>
<p><b><br> <br>
</b></p>     ACCEPT loc all tcp 80<br>
<br>
does not enable http traffic from 'loc' to 'loc'.</li>
<li>Shorewall's use of the 'echo' command is now
compatible with bash clones such as ash and dash.</li>
<li>fw-&gt;fw policies now generate a startup error.
<p><b><br> fw-&gt;fw rules generate a warning and are ignored</li>
9/28/2002 - Shorewall 1.3.9 </b><b>
</b></p>
</ul>
<p><b>11/14/2002 - Shorewall Documentation in PDF Format</b><b>
</b></p>
<p>In this version:<br>
</p>
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10
documenation. the PDF may be downloaded from</p>
<p>    <a
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
</p>
<p><b></b></p>
<ul> <ul>
<li><a
href="configuration_file_basics.htm#dnsnames">DNS Names</a> are now
allowed in Shorewall config files (although I recommend
against using them).</li>
<li>The connection
SOURCE may now be qualified by both interface and IP
address in a <a href="Documentation.htm#Rules">Shorewall rule</a>.</li>
<li>Shorewall startup
is now disabled after initial installation until the
file /etc/shorewall/startup_disabled is removed. This avoids
nasty surprises at reboot for users who install Shorewall
but don't configure it.</li>
<li>The 'functions'
and 'version' files and the 'firewall' symbolic link
have been moved from /var/lib/shorewall to /usr/lib/shorewall
to appease the LFS police at Debian.<br>
</li>
</ul> </ul>
<p><b></b><a href="News.htm">More News</a></p>
<p><a href="News.htm">More News</a></p>
@ -435,86 +400,109 @@ have been moved from /var/lib/shorewall to /usr/lib/shorewall
<h2> </h2>
<h1 align="center"><a href="http://www.sf.net"><img align="left"
alt="SourceForge Logo"
src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3">
</a></h1>
<h4> </h4>
<h2>This site is hosted by the generous folks at <a
href="http://www.sf.net">SourceForge.net</a> </h2>
<h2><a name="Donations"></a>Donations</h2>
</td>
<td width="88" bgcolor="#4b017c" valign="top" align="center">
<br>
</td>
</tr>
</tbody>
</table>
</center>
</div>
<table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c">
<tbody>
<tr>
<td
width="100%" style="margin-top: 1px;">
<p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10">
</a></p>
<p align="center"><font size="4" color="#ffffff">Shorewall is free
but if you try it and find it useful, please consider making a donation
to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight
Children's Foundation.</font></a> Thanks!</font></p>
</td>
</tr>
</tbody> <h2> </h2>
<h1 align="center"><a href="http://www.sf.net"><img align="left"
alt="SourceForge Logo"
src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3">
</a></h1>
<h4> </h4>
<h2>This site is hosted by the generous folks at <a
href="http://www.sf.net">SourceForge.net</a> </h2>
<h2><a name="Donations"></a>Donations</h2>
</td>
<td width="88" bgcolor="#4b017c" valign="top"
align="center"> <br>
</td>
</tr>
</tbody>
</table>
</center>
</div>
<table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c">
<tbody>
<tr>
<td width="100%" style="margin-top: 1px;">
<p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10">
</a></p>
<p align="center"><font size="4" color="#ffffff">Shorewall is free but
if you try it and find it useful, please consider making a donation
to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight Children's
Foundation.</font></a> Thanks!</font></p>
</td>
</tr>
</tbody>
</table> </table>
<p><font size="2">Updated 11/24/2002 - <a href="support.htm">Tom Eastep</a></font> <p><font size="2">Updated 12/22/2002 - <a href="support.htm">Tom Eastep</a></font>
<br> <br>
</p> </p>
<br>
<br> <br>
<br> <br>
</body> </body>

701
Shorewall-docs/standalone.htm
View File

@ -1,427 +1,430 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Standalone Firewall</title> <title>Standalone Firewall</title>
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber6" bgcolor="#400169" height="90"> id="AutoNumber6" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Standalone Firewall</font></h1> <h1 align="center"><font color="#ffffff">Standalone Firewall</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<h2 align="center">Version 2.0.1</h2> <h2 align="center">Version 2.0.1</h2>
<p align="left">Setting up Shorewall on a standalone Linux system is very <p align="left">Setting up Shorewall on a standalone Linux system is very
easy if you understand the basics and follow the documentation.</p> easy if you understand the basics and follow the documentation.</p>
<p>This guide doesn't attempt to acquaint you with all of the features of <p>This guide doesn't attempt to acquaint you with all of the features of
Shorewall. It rather focuses on what is required to configure Shorewall Shorewall. It rather focuses on what is required to configure Shorewall
in one of its most common configurations:</p> in one of its most common configurations:</p>
<ul> <ul>
<li>Linux system</li> <li>Linux system</li>
<li>Single external IP address</li> <li>Single external IP address</li>
<li>Connection through Cable Modem, DSL, ISDN, Frame Relay, dial-up...</li> <li>Connection through Cable Modem, DSL, ISDN, Frame Relay, dial-up...</li>
</ul> </ul>
<p>This guide assumes that you have the iproute/iproute2 package installed <p>This guide assumes that you have the iproute/iproute2 package installed
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell if (on RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell
this package is installed by the presence of an <b>ip</b> program on your if this package is installed by the presence of an <b>ip</b> program on
firewall system. As root, you can use the 'which' command to check for your firewall system. As root, you can use the 'which' command to check
this program:</p> for this program:</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre> <pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
<p>I recommend that you read through the guide first to familiarize yourself
with what's involved then go back through it again making your configuration
changes.  Points at which configuration changes are recommended are flagged
with <img border="0" src="images/BD21298_.gif" width="13" height="13">
.</p>
<p>I recommend that you read through the guide first to familiarize yourself
with what's involved then go back through it again making your configuration
changes.  Points at which configuration changes are recommended are flagged
with <img border="0" src="images/BD21298_.gif" width="13" height="13">
.</p>
<p><img border="0" src="images/j0213519.gif" width="60" height="60"> <p><img border="0" src="images/j0213519.gif" width="60" height="60">
    If you edit your configuration files on a Windows system, you must     If you edit your configuration files on a Windows system, you must
save them as Unix files if your editor supports that option or you must save them as Unix files if your editor supports that option or you must
run them through dos2unix before trying to use them. Similarly, if you copy run them through dos2unix before trying to use them. Similarly, if you copy
a configuration file from your Windows hard drive to a floppy disk, you a configuration file from your Windows hard drive to a floppy disk, you must
must run dos2unix against the copy before using it with Shorewall.</p> run dos2unix against the copy before using it with Shorewall.</p>
<ul> <ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
of dos2unix</a></li> of dos2unix</a></li>
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux <li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
Version of dos2unix</a></li> Version of dos2unix</a></li>
</ul> </ul>
<h2 align="left">Shorewall Concepts</h2> <h2 align="left">Shorewall Concepts</h2>
<p>The configuration files for Shorewall are contained in the directory <p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
/etc/shorewall -- for simple setups, you only need to deal with a few of alt="">
these as described in this guide. After you have <a href="Install.htm">installed     The configuration files for Shorewall are contained in the directory
Shorewall</a>, download the <a /etc/shorewall -- for simple setups, you only need to deal with a few of
href="/pub/shorewall/LATEST.samples/one-interface.tgz">one-interface sample</a>, these as described in this guide. After you have <a href="Install.htm">installed
un-tar it (tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewall Shorewall</a>, <b>download the <a
(they will replace files with the same names that were placed in /etc/shorewall href="/pub/shorewall/LATEST.samples/one-interface.tgz">one-interface sample</a>,
during Shorewall installation).</p> un-tar it (tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewall
(they will replace files with the same names that were placed in /etc/shorewall
<p>As each file is introduced, I suggest that you look through the actual during Shorewall installation)</b>.</p>
file on your system -- each file contains detailed configuration instructions
and default entries.</p> <p>As each file is introduced, I suggest that you look through the actual
file on your system -- each file contains detailed configuration instructions
<p>Shorewall views the network where it is running as being composed of a and default entries.</p>
set of <i>zones.</i> In the one-interface sample configuration, only one
zone is defined:</p> <p>Shorewall views the network where it is running as being composed of a
set of <i>zones.</i> In the one-interface sample configuration, only one
zone is defined:</p>
<table border="0" style="border-collapse: collapse;" cellpadding="3" <table border="0" style="border-collapse: collapse;" cellpadding="3"
cellspacing="0" id="AutoNumber2"> cellspacing="0" id="AutoNumber2">
<tbody> <tbody>
<tr>
<td><u><b>Name</b></u></td>
<td><u><b>Description</b></u></td>
</tr>
<tr> <tr>
<td><u><b>Name</b></u></td> <td><b>net</b></td>
<td><u><b>Description</b></u></td> <td><b>The Internet</b></td>
</tr> </tr>
<tr>
<td><b>net</b></td> </tbody>
<td><b>The Internet</b></td>
</tr>
</tbody>
</table> </table>
<p>Shorewall zones are defined in <a href="Documentation.htm#Zones"> /etc/shorewall/zones</a>.</p> <p>Shorewall zones are defined in <a href="Documentation.htm#Zones"> /etc/shorewall/zones</a>.</p>
<p>Shorewall also recognizes the firewall system as its own zone - by default, <p>Shorewall also recognizes the firewall system as its own zone - by default,
the firewall itself is known as <b>fw</b>.</p> the firewall itself is known as <b>fw</b>.</p>
<p>Rules about what traffic to allow and what traffic to deny are expressed <p>Rules about what traffic to allow and what traffic to deny are expressed
in terms of zones.</p> in terms of zones.</p>
<ul> <ul>
<li>You express your default policy for connections from one zone to <li>You express your default policy for connections from one zone
another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy to another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
</a>file.</li> </a>file.</li>
<li>You define exceptions to those default policies in the <a <li>You define exceptions to those default policies in the <a
href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li> href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
</ul> </ul>
<p>For each connection request entering the firewall, the request is first <p>For each connection request entering the firewall, the request is first
checked against the /etc/shorewall/rules file. If no rule in that file matches checked against the /etc/shorewall/rules file. If no rule in that file
the connection request then the first policy in /etc/shorewall/policy that matches the connection request then the first policy in /etc/shorewall/policy
matches the request is applied. If that policy is REJECT or DROP  the that matches the request is applied. If that policy is REJECT or DROP 
request is first checked against the rules in /etc/shorewall/common (the the request is first checked against the rules in /etc/shorewall/common
samples provide that file for you).</p> (the samples provide that file for you).</p>
<p>The /etc/shorewall/policy file included with the one-interface sample has <p>The /etc/shorewall/policy file included with the one-interface sample
the following policies:</p> has the following policies:</p>
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber3"> id="AutoNumber3">
<tbody> <tbody>
<tr>
<td><u><b>SOURCE ZONE</b></u></td>
<td><u><b>DESTINATION ZONE</b></u></td>
<td><u><b>POLICY</b></u></td>
<td><u><b>LOG LEVEL</b></u></td>
<td><u><b>LIMIT:BURST</b></u></td>
</tr>
<tr> <tr>
<td><u><b>SOURCE ZONE</b></u></td> <td>fw</td>
<td><u><b>DESTINATION ZONE</b></u></td> <td>net</td>
<td><u><b>POLICY</b></u></td> <td>ACCEPT</td>
<td><u><b>LOG LEVEL</b></u></td> <td> </td>
<td><u><b>LIMIT:BURST</b></u></td> <td> </td>
</tr> </tr>
<tr> <tr>
<td>fw</td> <td>net</td>
<td>net</td> <td>net</td>
<td>ACCEPT</td> <td>DROP</td>
<td> </td> <td>info</td>
<td> </td> <td> </td>
</tr> </tr>
<tr> <tr>
<td>net</td> <td>all</td>
<td>net</td> <td>all</td>
<td>DROP</td> <td>REJECT</td>
<td>info</td> <td>info</td>
<td> </td> <td> </td>
</tr> </tr>
<tr>
<td>all</td> </tbody>
<td>all</td>
<td>REJECT</td>
<td>info</td>
<td> </td>
</tr>
</tbody>
</table> </table>
</blockquote> </blockquote>
<pre> fw net ACCEPT<br> net all DROP info<br> all all REJECT info</pre> <pre> fw net ACCEPT<br> net all DROP info<br> all all REJECT info</pre>
<p>The above policy will:</p> <p>The above policy will:</p>
<ol> <ol>
<li>allow all connection requests from the firewall to the internet</li> <li>allow all connection requests from the firewall to the internet</li>
<li>drop (ignore) all connection requests from the internet to your <li>drop (ignore) all connection requests from the internet to your
firewall</li> firewall</li>
<li>reject all other connection requests (Shorewall requires this catchall <li>reject all other connection requests (Shorewall requires this
policy).</li> catchall policy).</li>
</ol> </ol>
<p>At this point, edit your /etc/shorewall/policy and make any changes that <p>At this point, edit your /etc/shorewall/policy and make any changes that
you wish.</p> you wish.</p>
<h2 align="left">External Interface</h2> <h2 align="left">External Interface</h2>
<p align="left">The firewall has a single network interface. Where Internet <p align="left">The firewall has a single network interface. Where Internet
connectivity is through a cable or DSL "Modem", the <i>External Interface</i> connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
will be the ethernet adapter (<b>eth0</b>) that is connected to that "Modem"  will be the ethernet adapter (<b>eth0</b>) that is connected to that "Modem" 
<u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol
over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling
<u>P</u>rotocol </i>(PPTP) in which case the External Interface will be <u>P</u>rotocol </i>(PPTP) in which case the External Interface will be
a <b>ppp0</b>. If you connect via a regular modem, your External Interface a <b>ppp0</b>. If you connect via a regular modem, your External Interface
will also be <b>ppp0</b>. If you connect using ISDN, your external interface will also be <b>ppp0</b>. If you connect using ISDN, your external interface
will be<b> ippp0.</b></p> will be<b> ippp0.</b></p>
<p align="left"><img border="0" src="images/BD21298_3.gif" width="13" <p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
height="13"> height="13">
    The Shorewall one-interface sample configuration assumes that the     The Shorewall one-interface sample configuration assumes that the
external interface is <b>eth0</b>. If your configuration is different, you external interface is <b>eth0</b>. If your configuration is different,
will have to modify the sample /etc/shorewall/interfaces file accordingly. you will have to modify the sample /etc/shorewall/interfaces file accordingly.
While you are there, you may wish to review the list of options that are While you are there, you may wish to review the list of options that are
specified for the interface. Some hints:</p> specified for the interface. Some hints:</p>
<ul> <ul>
<li> <li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>, <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>,
you can replace the "detect" in the second column with "-". </p> you can replace the "detect" in the second column with "-". </p>
</li> </li>
<li> <li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b> <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>
or if you have a static IP address, you can remove "dhcp" from the option or if you have a static IP address, you can remove "dhcp" from the option
list. </p> list. </p>
</li> </li>
</ul> </ul>
<div align="left"> <div align="left">
<h2 align="left">IP Addresses</h2> <h2 align="left">IP Addresses</h2>
</div> </div>
<div align="left"> <div align="left">
<p align="left">RFC 1918 reserves several <i>Private </i>IP address ranges <p align="left">RFC 1918 reserves several <i>Private </i>IP address ranges
for use in private networks:</p> for use in private networks:</p>
<div align="left"> <div align="left">
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre> <pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
</div> </div>
<p align="left">These addresses are sometimes referred to as <i>non-routable</i> <p align="left">These addresses are sometimes referred to as <i>non-routable</i>
because the Internet backbone routers will not forward a packet whose because the Internet backbone routers will not forward a packet whose
destination address is reserved by RFC 1918. In some cases though, ISPs destination address is reserved by RFC 1918. In some cases though, ISPs
are assigning these addresses then using <i>Network Address Translation are assigning these addresses then using <i>Network Address Translation
</i>to rewrite packet headers when forwarding to/from the internet.</p> </i>to rewrite packet headers when forwarding to/from the internet.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" align="left" <p align="left"><img border="0" src="images/BD21298_.gif" align="left"
width="13" height="13"> width="13" height="13">
     Before starting Shorewall, you should look at the IP address of      Before starting Shorewall, you should look at the IP address
your external interface and if it is one of the above ranges, you should of your external interface and if it is one of the above ranges, you
remove the 'norfc1918' option from the entry in /etc/shorewall/interfaces.</p> should remove the 'norfc1918' option from the entry in /etc/shorewall/interfaces.</p>
</div>
<div align="left">
<h2 align="left">Enabling other Connections</h2>
</div> </div>
<div align="left"> <div align="left">
<p align="left">If you wish to enable connections from the internet to your <h2 align="left">Enabling other Connections</h2>
firewall, the general format is:</p> </div>
</div>
<div align="left">
<div align="left"> <p align="left">If you wish to enable connections from the internet to your
<blockquote> firewall, the general format is:</p>
</div>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber4"> id="AutoNumber4">
<tbody> <tbody>
<tr>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr>
<tr> <tr>
<td>ACCEPT</td> <td><u><b>ACTION</b></u></td>
<td>net</td> <td><u><b>SOURCE</b></u></td>
<td>fw</td> <td><u><b>DESTINATION</b></u></td>
<td><i>&lt;protocol&gt;</i></td> <td><u><b>PROTOCOL</b></u></td>
<td><i>&lt;port&gt;</i></td> <td><u><b>PORT</b></u></td>
<td> </td> <td><u><b>SOURCE PORT</b></u></td>
<td> </td> <td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr> </tr>
<tr>
</tbody> <td>ACCEPT</td>
<td>net</td>
<td>fw</td>
<td><i>&lt;protocol&gt;</i></td>
<td><i>&lt;port&gt;</i></td>
<td> </td>
<td> </td>
</tr>
</tbody>
</table> </table>
</blockquote> </blockquote>
</div>
<div align="left">
<p align="left">Example - You want to run a Web Server and a POP3 Server
on your firewall system:</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left">Example - You want to run a Web Server and a POP3 Server on <blockquote>
your firewall system:</p>
</div>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber5"> id="AutoNumber5">
<tbody> <tbody>
<tr>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr>
<tr> <tr>
<td>ACCEPT</td> <td><u><b>ACTION</b></u></td>
<td>net</td> <td><u><b>SOURCE</b></u></td>
<td>fw</td> <td><u><b>DESTINATION</b></u></td>
<td>tcp</td> <td><u><b>PROTOCOL</b></u></td>
<td>80</td> <td><u><b>PORT</b></u></td>
<td> </td> <td><u><b>SOURCE PORT</b></u></td>
<td> </td> <td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr> </tr>
<tr> <tr>
<td>ACCEPT</td> <td>ACCEPT</td>
<td>net</td> <td>net</td>
<td>fw</td> <td>fw</td>
<td>tcp</td> <td>tcp</td>
<td>110</td> <td>80</td>
<td> </td> <td> </td>
<td> </td> <td> </td>
</tr> </tr>
<tr>
</tbody> <td>ACCEPT</td>
<td>net</td>
<td>fw</td>
<td>tcp</td>
<td>110</td>
<td> </td>
<td> </td>
</tr>
</tbody>
</table> </table>
</blockquote> </blockquote>
</div>
<div align="left">
<p align="left">If you don't know what port and protocol a particular
application uses, see <a href="ports.htm">here</a>.</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left">If you don't know what port and protocol a particular application <p align="left"><b>Important: </b>I don't recommend enabling telnet to/from
uses, see <a href="ports.htm">here</a>.</p> the internet because it uses clear text (even for login!). If you want
</div> shell access to your firewall from the internet, use SSH:</p>
</div>
<div align="left">
<p align="left"><b>Important: </b>I don't recommend enabling telnet to/from <div align="left">
the internet because it uses clear text (even for login!). If you want <blockquote>
shell access to your firewall from the internet, use SSH:</p>
</div>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber4"> id="AutoNumber4">
<tbody> <tbody>
<tr>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr>
<tr> <tr>
<td>ACCEPT</td> <td><u><b>ACTION</b></u></td>
<td>net</td> <td><u><b>SOURCE</b></u></td>
<td>fw</td> <td><u><b>DESTINATION</b></u></td>
<td>tcp</td> <td><u><b>PROTOCOL</b></u></td>
<td>22</td> <td><u><b>PORT</b></u></td>
<td> </td> <td><u><b>SOURCE PORT</b></u></td>
<td> </td> <td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr> </tr>
<tr>
</tbody> <td>ACCEPT</td>
<td>net</td>
<td>fw</td>
<td>tcp</td>
<td>22</td>
<td> </td>
<td> </td>
</tr>
</tbody>
</table> </table>
</blockquote> </blockquote>
</div> </div>
<div align="left"> <div align="left">
<pre> ACCEPT net fw tcp 22</pre> <pre> ACCEPT net fw tcp 22</pre>
</div> </div>
<div align="left"> <div align="left">
<p align="left"><img border="0" src="images/BD21298_3.gif" width="13" <p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
height="13"> height="13">
    At this point, edit /etc/shorewall/rules to add other connections     At this point, edit /etc/shorewall/rules to add other connections
as desired.</p> as desired.</p>
</div>
<div align="left">
<h2 align="left">Starting and Stopping Your Firewall</h2>
</div> </div>
<div align="left"> <div align="left">
<h2 align="left">Starting and Stopping Your Firewall</h2>
</div>
<div align="left">
<p align="left"> <img border="0" src="images/BD21298_2.gif" <p align="left"> <img border="0" src="images/BD21298_2.gif"
width="13" height="13" alt="Arrow"> width="13" height="13" alt="Arrow">
    The <a href="Install.htm">installation procedure </a> configures     The <a href="Install.htm">installation procedure </a> configures
your system to start Shorewall at system boot but beginning with Shorewall your system to start Shorewall at system boot but beginning with Shorewall
version 1.3.9 startup is disabled so that your system won't try to start version 1.3.9 startup is disabled so that your system won't try to start
Shorewall before configuration is complete. Once you have completed configuration Shorewall before configuration is complete. Once you have completed configuration
of your firewall, you can enable Shorewall startup by removing the file /etc/shorewall/startup_disabled.<br> of your firewall, you can enable Shorewall startup by removing the file /etc/shorewall/startup_disabled.<br>
</p> </p>
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Users of the .deb
package must edit /etc/default/shorewall and set 'startup=1'.</font><br>
</p>
</div>
<div align="left"> <p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Users of the .deb
<p align="left">The firewall is started using the "shorewall start" command package must edit /etc/default/shorewall and set 'startup=1'.</font><br>
and stopped using "shorewall stop". When the firewall is stopped, routing </p>
is enabled on those hosts that have an entry in <a </div>
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A
running firewall may be restarted using the "shorewall restart" command. <div align="left">
If you want to totally remove any trace of Shorewall from your Netfilter <p align="left">The firewall is started using the "shorewall start" command
configuration, use "shorewall clear".</p> and stopped using "shorewall stop". When the firewall is stopped, routing
</div> is enabled on those hosts that have an entry in <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A
<div align="left"> running firewall may be restarted using the "shorewall restart" command.
<p align="left"><b>WARNING: </b>If you are connected to your firewall from If you want to totally remove any trace of Shorewall from your Netfilter
the internet, do not issue a "shorewall stop" command unless you have configuration, use "shorewall clear".</p>
added an entry for the IP address that you are connected from to <a </div>
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better to create <div align="left">
an <i><a href="configuration_file_basics.htm#Configs">alternate configuration</a></i> <p align="left"><b>WARNING: </b>If you are connected to your firewall from
and test it using the <a href="starting_and_stopping_shorewall.htm">"shorewall the internet, do not issue a "shorewall stop" command unless you have
try" command</a>.</p> added an entry for the IP address that you are connected from to <a
</div> href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better to create
<p align="left"><font size="2">Last updated 11/21/2002 - <a an <i><a href="configuration_file_basics.htm#Configs">alternate configuration</a></i>
and test it using the <a href="starting_and_stopping_shorewall.htm">"shorewall
try" command</a>.</p>
</div>
<p align="left"><font size="2">Last updated 12/9/2002 - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas <p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas
M. Eastep</font></a></p> M. Eastep</font></a></p>
<br> <br>
<br>
<br> <br>
<br> <br>
<br> <br>

78
Shorewall-docs/subnet_masks.htm
View File

@ -1,78 +0,0 @@
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Subnet Masks</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Subnet Masks/VLSM Notation</font></h1>
</td>
</tr>
</table>
<p align="left">IP addresses and subnet masks are 32-bit numbers. The notation
w.x.y.z refers to an address where the high-order byte has value &quot;w&quot;, the next
byte has value &quot;x&quot;, etc. If we take 255.255.255.0 and express it in
hexadecimal,
we get:</p>
<blockquote>
<p align="left">FF.FF.FF.00</p>
</blockquote>
<p align="left">or looking at it as a 32-bit integer</p>
<blockquote>
<p align="left">FFFFFF00</p>
</blockquote>
<p align="left">Each &quot;F&quot; represents the bit pattern &quot;1111&quot; so if we look at the
number in binary, we have:</p>
<blockquote>
<p align="left">11111111111111111111111100000000</p>
</blockquote>
<p align="left">Counting the leading &quot;1&quot; bits, we see that there are 24 -- /24
in VLSM notation.</p>
<p align="left">It is handy to remember that the size of the subnet can be
obtained by subtracting the number of consecutive leading &quot;1&quot; bits from 32 and
raising 2 to that power. In the above case, 32 - 24 = 8 and 2 ** 8 = 256
addresses. Remember that the number of usable addresses is two less than that
(254) because the first and last address in the subnet are reserved as the
sub-network and broadcast addresses respectively.</p>
<p align="left">The size of a subnet can be any power of two so long as the
address of the subnet is a multiple of it's size. For example, if you want a
subnet of size 8, you could choose 192.168.12.8/29 (8 = 2 ** 3 and 32 - 3 = 29).
The subnet mask would be:</p>
<blockquote>
<p align="left">11111111111111111111111111111000 = FFFFFFF8 = 255.255.255.248.</p>
</blockquote>
<p align="left">This subnet would have 6 usable addresses: 192.168.12.9 -
192.168.12.14.</p>
<p align="left">You will still hear the terms &quot;Class A network&quot;, &quot;Class B
network&quot; and &quot;Class C network&quot;. In the early days of IP, sub-networks only came
in three sizes:</p>
<blockquote>
<p align="left">Class A - Subnet mask 255.0.0.0, size = 2 ** 24</p>
<p align="left">Class B - Subnet mask 255.255.0.0, size = 2 ** 16</p>
<p align="left">Class C - Subnet mask 255.255.255.0, size = 256</p>
</blockquote>
<p align="left">The class of a network was determined by the value of the high
order byte of its address so you could look at an IP address and immediately
determine the associated subnet mask. </p>
<p align="left">As the internet grew, it became clear that such a gross
partitioning of the 32-bit address space was going to be very limiting (early
on, large corporations and universities were assigned their own class A
network!). It was then that VLSM was devised -- today, any system that you are
likely to work with understands VLSM and Class-based subnetworking is largely a
thing of the past.</p>
<p align="left"><font size="2">Last updated
7/15/2002 - <a href="support.htm">Tom
Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright 2002 Thomas M. Eastep</font></a></p>
</body>
</html>

364
Shorewall-docs/support.htm
View File

@ -1,85 +1,122 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<title>Support</title> <title>Support</title>
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Support</font></h1>
</td> <h1 align="center"><font color="#ffffff">Shorewall Support<img
</tr> src="images/obrasinf.gif" alt="" width="90" height="90" align="middle">
</font></h1>
</tbody> </td>
</table> </tr>
<h3 align="left"> <span style="font-weight: 400;"><i> "<font size="3">It is
easier to post a problem than to use your own brain" </font>-- </i> <font </tbody>
size="2">Wietse Venema (creator of <a href="http://www.postfix.org">Postfix</a>)</font></span></h3> </table>
<p align="left"> <i>"Any sane computer will tell you how it works -- you just <p> <br>
have to ask it the right questions" </i>-- <font size="2">Tom Eastep</font></p> <span style="font-weight: 400;"></span></p>
<blockquote> </blockquote> <h2><big><font color="#ff0000"><b>I don't look at problems sent to me directly
but I try to spend some amount of time each day responding to problems
<p><span style="font-weight: 400;"><i>"It irks me when people believe that posted on the Shorewall mailing list.</b></font></big></h2>
free software comes at no cost. The cost is incredibly high."</i>
- <font size="2"> Wietse Venem<br> <h2 align="center"><big><font color="#ff0000"><b>-Tom</b></font></big></h2>
</font></span></p>
<h2>Before Reporting a Problem</h2>
<h3 align="left">Before Reporting a Problem</h3>
<b><i>"Reading the documentation fully is a prerequisite to getting help <h3>T<b>here are a number of sources for problem solution information. Please
for your particular situation. I know it's harsh but you will have to get try these before you post.</b></h3>
so far on your own before you can get reasonable help from a list full of
busy people. A mailing list is not a tool to speed up your day by being spoon <h3> </h3>
fed</i></b><i><b>".</b> </i>-- Simon White<br>
<h3> </h3>
<p>There are also a number of sources for problem solution information.</p>
<ul>
<ul> <li>
<li>The <a href="FAQ.htm">FAQ</a> has solutions to common problems.</li> <h3><b>The <a href="FAQ.htm">FAQ</a> has solutions to more than 20 common
<li>The <a href="troubleshoot.htm">Troubleshooting</a> Information problems.</b></h3>
contains a number of tips to help you solve common problems.</li> </li>
<li>The <a href="errata.htm"> Errata</a> has links to download
updated components.</li> </ul>
<li>The Mailing List Archives search facility can locate posts
about similar problems:</li> <h3> </h3>
</ul> <ul>
<li>
<h4>Mailing List Archive Search</h4> <h3><b>The <a href="troubleshoot.htm">Troubleshooting</a> Information
contains a number of tips to help you solve common problems.</b></h3>
<form method="post" action="http://www.shorewall.net/cgi-bin/htsearch"> </li>
</ul>
<h3> </h3>
<ul>
<li>
<h3><b>The <a href="errata.htm"> Errata</a> has links to download
updated components.</b></h3>
</li>
</ul>
<h3> </h3>
<ul>
<li>
<h3><b>The Mailing List Archives search facility can locate posts
about similar problems:</b></h3>
</li>
</ul>
<h2> </h2>
<h2>Mailing List Archive Search</h2>
<form method="post" action="http://www.shorewall.net/cgi-bin/htsearch">
<p> <font size="-1"> Match:
<p> <font size="-1"> Match:
<select name="method"> <select name="method">
<option value="and">All </option> <option value="and">All </option>
<option value="or">Any </option> <option value="or">Any </option>
<option value="boolean">Boolean </option> <option value="boolean">Boolean </option>
</select> </select>
Format: Format:
<select name="format"> <select name="format">
<option value="builtin-long">Long </option> <option value="builtin-long">Long </option>
<option value="builtin-short">Short </option> <option value="builtin-short">Short </option>
</select> </select>
Sort by: Sort by:
<select name="sort"> <select name="sort">
<option value="score">Score </option> <option value="score">Score </option>
<option value="time">Time </option> <option value="time">Time </option>
@ -88,76 +125,163 @@ about similar problems:</li>
<option value="revtime">Reverse Time </option> <option value="revtime">Reverse Time </option>
<option value="revtitle">Reverse Title </option> <option value="revtitle">Reverse Title </option>
</select> </select>
</font> <input type="hidden" name="config" value="htdig"> <input </font> <input type="hidden" name="config"
type="hidden" name="restrict" value="htdig"> <input type="hidden" name="restrict"
value="[http://www.shorewall.net/pipermail/.*]"> <input type="hidden" value="[http://www.shorewall.net/pipermail/.*]"> <input type="hidden"
name="exclude" value=""> <br> name="exclude" value=""> <br>
Search: <input type="text" size="30" name="words" value=""> <input Search: <input type="text" size="30" name="words"
type="submit" value="Search"> </p> value=""> <input type="submit" value="Search"> </p>
</form> </form>
<h3 align="left">Problem Reporting Guideline</h3> <h2>Problem Reporting Guidelines</h2>
<i>"Let me see if I can translate your message into a real-world example. 
<ul> It would be like saying that you have three rooms at home, and when you
<li>When reporting a problem, give as much information as you can. walk into one of the rooms, you detect this strange smell.  Can anyone tell
Reports that say "I tried XYZ and it didn't work" are not at all helpful.</li> you what that strange smell is?<br>
<li>Please don't describe your environment and then ask us to send <br>
you custom configuration files. We're here to answer your questions Now, all of us could do some wonderful guessing as to the smell and even
but we can't do your job for you.</li> what's causing it.  You would be absolutely amazed at the range and variety
<li>Do you see any "Shorewall" messages in /var/log/messages of smells we could come up with.  Even more amazing is that all of the explanations
when you exercise the function that is giving you problems?</li> for the smells would be completely plausible."<br>
<li>Have you looked at the packet flow with a tool like tcpdump </i><br>
to try to understand what is going on?</li>
<li>Have you tried using the diagnostic capabilities of the
application that isn't working? For example, if "ssh" isn't able
to connect, using the "-v" option gives you a lot of valuable diagnostic
information.</li>
<li>Please include any of the Shorewall configuration files (especially
the /etc/shorewall/hosts file if you have modified that file) that you
think are relevant. If an error occurs when you try to "shorewall start",
include a trace (See the <a href="troubleshoot.htm">Troubleshooting</a>
section for instructions).</li>
<li>The list server limits posts to 120kb so don't post GIFs of
your network layout, etc to the Mailing List -- your post will
be rejected.</li>
</ul>
<h3>Where to Send your Problem Report or to Ask for Help</h3>
<b>If you run Shorewall on Mandrake 9.0 </b>-- send your problem
reports and questions to MandrakeSoft. I ordered a Mandrake 9.0 boxed set
on October 3, 2002; MandrakeSoft issued a charge against my credit card
on October 4, 2002 (they are really effecient at that part of the order
process) and I haven't heard a word from them since (although their news
letters boast that 9.0 boxed sets have been shipping for the last two weeks).
If they can't fill my 9.0 order within <u>6 weeks after they have billed
my credit card</u> then I refuse to spend my free time supporting of their
product for them.<br>
<h4>If you run Shorewall under Bering -- <span style="font-weight: 400;">please <div align="center">   - Russell Mosemann<br>
post your question or problem to the <a </div>
href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing list</a>.</span></h4> <br>
<p>Otherwise, please post your question or problem to the <a
href="mailto:shorewall-users@shorewall.net">Shorewall users mailing list</a>;
there are lots of folks there who are willing to help you. Your question/problem
description and their responses will be placed in the mailing list archives
to help people who have a similar question or problem in the future.</p>
<p>I don't look at problems sent to me directly but I try to spend some amount
of time each day responding to problems posted on the mailing list.</p>
<p align="center"><a href="mailto:teastep@shorewall.net">-Tom</a></p>
<h3> </h3>
<ul>
<li>
<h3><b>When reporting a problem, give as much information as you can.
Reports that say "I tried XYZ and it didn't work" are not at all helpful.</b></h3>
</li>
</ul>
<h3> </h3>
<ul>
<li>
<h3><b>Please don't describe your environment and then ask us to send
you custom configuration files. We're here to answer your
questions but we can't do your job for you.</b></h3>
</li>
</ul>
<h3> </h3>
<ul>
<li>
<h3><b>Do you see any "Shorewall" messages in /var/log/messages
when you exercise the function that is giving you problems?</b></h3>
</li>
</ul>
<h3> </h3>
<ul>
<li>
<h3><b>Have you looked at the packet flow with a tool like tcpdump
to try to understand what is going on?</b></h3>
</li>
</ul>
<h3> </h3>
<ul>
<li>
<h3><b>Have you tried using the diagnostic capabilities of the
application that isn't working? For example, if "ssh" isn't able
to connect, using the "-v" option gives you a lot of valuable diagnostic
information.</b></h3>
</li>
</ul>
<h3> </h3>
<ul>
<li>
<h3><b>Please include any of the Shorewall configuration files (especially
the /etc/shorewall/hosts file if you have modified that file)
that you think are relevant.</b></h3>
</li>
<li>
<h3><b>If an error occurs when you try to "shorewall start", include
a trace (See the <a href="troubleshoot.htm">Troubleshooting</a> section
for instructions).</b></h3>
</li>
</ul>
<h3> </h3>
<ul>
<li>
<h3><b>The list server limits posts to 120kb so don't post GIFs of
your network layout, etc to the Mailing List -- your post
will be rejected.</b></h3>
</li>
</ul>
<h3> </h3>
<h2>Please post in plain text</h2>
<blockquote>
<h3><b> While the list server here at shorewall.net accepts and distributes
HTML posts, a growing number of MTAs serving list subscribers are rejecting
this HTML list traffic. At least one MTA has gone so far as to blacklist
shorewall.net "for continuous abuse"!!</b></h3>
<h3><b> I think that blocking all HTML is a rather draconian way to control
spam and that the unltimate loser here is not the spammers but the list subscribers
whose MTAs are bouncing all shorewall.net mail. Nevertheless, all of you can
help by restricting your list posts to plain text.</b></h3>
<h3><b> And as a bonus, subscribers who use email clients like pine and
mutt will be able to read your plain text posts whereas they are most likely
simply ignoring your HTML posts.</b></h3>
<h3><b> A final bonus for the use of HTML is that it cuts down the size
of messages by a large percentage -- that is important when the same message
must be sent 500 times over the slow DSL line connecting the list server
to the internet.</b> </h3>
</blockquote>
<h2>Where to Send your Problem Report or to Ask for Help</h2>
<h3></h3>
<blockquote>
<h4>If you run Shorewall under Bering -- <span
style="font-weight: 400;">please post your question or problem
to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing
list</a>.</span></h4>
<p>Otherwise, please post your question or problem to the <a
href="mailto:shorewall-users@shorewall.net">Shorewall users mailing list.</a></p>
</blockquote>
<p align="center"><big><font color="#ff0000"><b></b></font></big></p>
<p>To Subscribe to the mailing list go to <a <p>To Subscribe to the mailing list go to <a
href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a> href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a>
.</p> .</p>
<p align="left"><font size="2">Last Updated 11/19//2002 - Tom Eastep</font></p>
<p align="left"><font size="2">Last Updated 12/27/2002 - Tom Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br> size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
</p> </p>
<br>
<br>
<br>
<br>
<br>
</body> </body>
</html> </html>

2011
Shorewall-docs/three-interface.htm
View File

File diff suppressed because it is too large Load Diff

448
Shorewall-docs/traffic_shaping.htm
View File

@ -1,257 +1,293 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<title>Traffic Shaping</title> <title>Traffic Shaping</title>
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Traffic Shaping/Control</font></h1> <h1 align="center"><font color="#ffffff">Traffic Shaping/Control</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p align="left">Beginning with version 1.2.0, Shorewall has limited support <p align="left">Beginning with version 1.2.0, Shorewall has limited support
for traffic shaping/control. In order to use traffic shaping under Shorewall, for traffic shaping/control. In order to use traffic shaping under Shorewall,
it is essential that you get a copy of the <a it is essential that you get a copy of the <a
href="http://ds9a.nl/lartc">Linux Advanced Routing and Shaping HOWTO</a>, href="http://ds9a.nl/lartc">Linux Advanced Routing and Shaping HOWTO</a>,
version 0.3.0 or later. You must also install the iproute (iproute2) package version 0.3.0 or later. You must also install the iproute (iproute2) package
to provide the "ip" and "tc" utilities.</p> to provide the "ip" and "tc" utilities.</p>
<p align="left">Shorewall traffic shaping support consists of the following:</p> <p align="left">Shorewall traffic shaping support consists of the following:</p>
<ul> <ul>
<li>A new TC_ENABLED parameter in /etc/shorewall.conf. Traffic Shaping <li>A new TC_ENABLED parameter in /etc/shorewall.conf. Traffic
also requires that you enable packet mangling.<br> Shaping also requires that you enable packet mangling.<br>
</li> </li>
<li>/etc/shorewall/tcrules - A file where you can specify firewall <li>/etc/shorewall/tcrules - A file where you can specify firewall
marking of packets. The firewall mark value may be used to classify packets marking of packets. The firewall mark value may be used to classify
for traffic shaping/control.<br> packets for traffic shaping/control.<br>
</li> </li>
<li>/etc/shorewall/tcstart - A user-supplied file that is sourced <li>/etc/shorewall/tcstart - A user-supplied file that is sourced
by Shorewall during "shorewall start" and which you can use to define by Shorewall during "shorewall start" and which you can use to define
your traffic shaping disciplines and classes. I have provided a <a your traffic shaping disciplines and classes. I have provided a <a
href="ftp://ftp.shorewall.net/pub/shorewall/cbq">sample</a> that does href="ftp://ftp.shorewall.net/pub/shorewall/cbq">sample</a> that does
table-driven CBQ shaping but if you read the traffic shaping sections of table-driven CBQ shaping but if you read the traffic shaping sections of
the HOWTO mentioned above, you can probably code your own faster than the HOWTO mentioned above, you can probably code your own faster than
you can learn how to use my sample. I personally use <a you can learn how to use my sample. I personally use <a
href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB</a> (see below). HTB href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB</a> (see below). HTB
support may eventually become an integral part of Shorewall since HTB support may eventually become an integral part of Shorewall since
is a lot simpler and better-documented than CBQ. HTB is currently not HTB is a lot simpler and better-documented than CBQ. As of 2.4.20,
a standard part of either the kernel or iproute2 so both must be patched HTB is a standard part of the kernel but iproute2 must be patched in
in order to use it.<br> order to use it.<br>
<br>
In tcstart, when you want to run the 'tc' utility, use the run_tc
function supplied by shorewall if you want tc errors to stop the firewall.<br>
<br> <br>
In tcstart, when you want to run the 'tc' utility, use the run_tc function You can generally use off-the-shelf traffic shaping scripts by simply copying
supplied by shorewall. <br> them to /etc/shorewall/tcstart. I use <a
href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (HTB version)
that way (i.e., I just copied wshaper.htb to /etc/shorewall/tcstart and
modified it according to the Wonder Shaper README). <b>WARNING: </b>If you
use use Masquerading or SNAT (i.e., you only have one external IP address)
then listing internal hosts in the NOPRIOHOSTSRC variable in the wshaper[.htb]
script won't work. Traffic shaping occurs after SNAT has already been applied
so when traffic shaping happens, all outbound traffic will have as a source
address the IP addresss of your firewall's external interface.<br>
</li> </li>
<li>/etc/shorewall/tcclear - A user-supplied file that is sourced <li>/etc/shorewall/tcclear - A user-supplied file that is sourced
by Shorewall when it is clearing traffic shaping. This file is normally by Shorewall when it is clearing traffic shaping. This file is normally
not required as Shorewall's method of clearing qdisc and filter definitions not required as Shorewall's method of clearing qdisc and filter definitions
is pretty general.</li> is pretty general.</li>
</ul> </ul>
<h3 align="left">Kernel Configuration</h3> <h3 align="left">Kernel Configuration</h3>
<p align="left">This screen shot show how I've configured QoS in my Kernel:</p> <p align="left">This screen shot show how I've configured QoS in my Kernel:</p>
<p align="center"><img border="0" src="images/QoS.png" width="590" <p align="center"><img border="0" src="images/QoS.png" width="590"
height="764"> height="764">
</p> </p>
<h3 align="left"><a name="tcrules"></a>/etc/shorewall/tcrules</h3> <h3 align="left"><a name="tcrules"></a>/etc/shorewall/tcrules</h3>
<p align="left">The fwmark classifier provides a convenient way to classify <p align="left">The fwmark classifier provides a convenient way to classify
packets for traffic shaping. The /etc/shorewall/tcrules file provides a packets for traffic shaping. The /etc/shorewall/tcrules file provides
means for specifying these marks in a tabular fashion.</p> a means for specifying these marks in a tabular fashion.<br>
</p>
<p align="left">Normally, packet marking occurs in the PREROUTING chain before
any address rewriting takes place. This makes it impossible to mark inbound
packets based on their destination address when SNAT or Masquerading are
being used. Beginning with Shorewall 1.3.12, you can cause packet marking
to occur in the FORWARD chain by using the MARK_IN_FORWARD_CHAIN option in
<a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
</p>
<p align="left">Columns in the file are as follows:</p> <p align="left">Columns in the file are as follows:</p>
<ul> <ul>
<li>MARK - Specifies the mark value is to be assigned in case of <li>MARK - Specifies the mark value is to be assigned in case of
a match. This is an integer in the range 1-255.<br> a match. This is an integer in the range 1-255.<br>
<br> <br>
Example - 5<br> Example - 5<br>
</li> </li>
<li>SOURCE - The source of the packet. If the packet originates on <li>SOURCE - The source of the packet. If the packet originates
the firewall, place "fw" in this column. Otherwise, this is a comma-separated on the firewall, place "fw" in this column. Otherwise, this is a
list of interface names, IP addresses, MAC addresses in <a comma-separated list of interface names, IP addresses, MAC addresses in
href="Documentation.htm#MAC">Shorewall Format</a> and/or Subnets.<br> <a href="Documentation.htm#MAC">Shorewall Format</a> and/or Subnets.<br>
<br> <br>
Examples<br> Examples<br>
    eth0<br>     eth0<br>
    192.168.2.4,192.168.1.0/24<br>     192.168.2.4,192.168.1.0/24<br>
</li> </li>
<li>DEST -- Destination of the packet. Comma-separated list of IP <li>DEST -- Destination of the packet. Comma-separated list of
addresses and/or subnets.<br> IP addresses and/or subnets.<br>
</li> </li>
<li>PROTO - Protocol - Must be the name of a protocol from /etc/protocol, <li>PROTO - Protocol - Must be the name of a protocol from
a number or "all"<br> /etc/protocol, a number or "all"<br>
</li> </li>
<li>PORT(S) - Destination Ports. A comma-separated list of Port names <li>PORT(S) - Destination Ports. A comma-separated list of Port
(from /etc/services), port numbers or port ranges (e.g., 21:22); if the names (from /etc/services), port numbers or port ranges (e.g., 21:22);
protocol is "icmp", this column is interpreted as the destination icmp if the protocol is "icmp", this column is interpreted as the destination
type(s).<br> icmp type(s).<br>
</li> </li>
<li>CLIENT PORT(S) - (Optional) Port(s) used by the client. If omitted, <li>CLIENT PORT(S) - (Optional) Port(s) used by the client. If
any source port is acceptable. Specified as a comma-separate list of port omitted, any source port is acceptable. Specified as a comma-separate
names, port numbers or port ranges.</li> list of port names, port numbers or port ranges.</li>
</ul> </ul>
<p align="left">Example 1 - All packets arriving on eth1 should be marked <p align="left">Example 1 - All packets arriving on eth1 should be marked
with 1. All packets arriving on eth2 should be marked with 2. All packets with 1. All packets arriving on eth2 and eth3 should be marked with 2.
originating on the firewall itself should be marked with 3.</p> All packets originating on the firewall itself should be marked with 3.</p>
<table border="2" cellpadding="2" style="border-collapse: collapse;"> <table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody> <tbody>
<tr> <tr>
<td><b>MARK</b></td> <td><b>MARK</b></td>
<td><b>SOURCE</b></td> <td><b>SOURCE</b></td>
<td><b>DEST</b></td> <td><b>DEST</b></td>
<td><b>PROTO</b></td> <td><b>PROTO</b></td>
<td><b>PORT(S)</b></td> <td><b>PORT(S)</b></td>
<td><b>CLIENT PORT(S)</b></td> <td><b>CLIENT PORT(S)</b></td>
</tr> </tr>
<tr> <tr>
<td>1</td> <td>1</td>
<td>eth1</td> <td>eth1</td>
<td>0.0.0.0/0</td> <td>0.0.0.0/0</td>
<td>all</td> <td>all</td>
<td> </td> <td> </td>
<td> </td> <td> </td>
</tr> </tr>
<tr> <tr>
<td>2</td> <td>2</td>
<td>eth2</td> <td>eth2</td>
<td>0.0.0.0/0</td> <td>0.0.0.0/0</td>
<td>all</td> <td>all</td>
<td> </td> <td> </td>
<td> </td> <td> </td>
</tr> </tr>
<tr> <tr>
<td>3</td> <td valign="top">2<br>
<td>fw</td> </td>
<td>0.0.0.0/0</td> <td valign="top">eth3<br>
<td>all</td> </td>
<td> </td> <td valign="top">0.0.0.0/0<br>
<td> </td> </td>
</tr> <td valign="top">all<br>
</td>
</tbody> <td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
<tr>
<td>3</td>
<td>fw</td>
<td>0.0.0.0/0</td>
<td>all</td>
<td> </td>
<td> </td>
</tr>
</tbody>
</table> </table>
<p align="left">Example 2 - All GRE (protocol 47) packets not originating <p align="left">Example 2 - All GRE (protocol 47) packets not originating
on the firewall and destined for 155.186.235.151 should be marked with 12.</p> on the firewall and destined for 155.186.235.151 should be marked with
12.</p>
<table border="2" cellpadding="2" style="border-collapse: collapse;"> <table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody> <tbody>
<tr> <tr>
<td><b>MARK</b></td> <td><b>MARK</b></td>
<td><b>SOURCE</b></td> <td><b>SOURCE</b></td>
<td><b>DEST</b></td> <td><b>DEST</b></td>
<td><b>PROTO</b></td> <td><b>PROTO</b></td>
<td><b>PORT(S)</b></td> <td><b>PORT(S)</b></td>
<td><b>CLIENT PORT(S)</b></td> <td><b>CLIENT PORT(S)</b></td>
</tr> </tr>
<tr> <tr>
<td>12</td> <td>12</td>
<td>0.0.0.0/0</td> <td>0.0.0.0/0</td>
<td>155.186.235.151</td> <td>155.186.235.151</td>
<td>47</td> <td>47</td>
<td> </td> <td> </td>
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p align="left">Example 3 - All SSH packets originating in 192.168.1.0/24 <p align="left">Example 3 - All SSH packets originating in 192.168.1.0/24
and destined for 155.186.235.151 should be marked with 22.</p> and destined for 155.186.235.151 should be marked with 22.</p>
<table border="2" cellpadding="2" style="border-collapse: collapse;"> <table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody> <tbody>
<tr> <tr>
<td><b>MARK</b></td> <td><b>MARK</b></td>
<td><b>SOURCE</b></td> <td><b>SOURCE</b></td>
<td><b>DEST</b></td> <td><b>DEST</b></td>
<td><b>PROTO</b></td> <td><b>PROTO</b></td>
<td><b>PORT(S)</b></td> <td><b>PORT(S)</b></td>
<td><b>CLIENT PORT(S)</b></td> <td><b>CLIENT PORT(S)</b></td>
</tr> </tr>
<tr> <tr>
<td>22</td> <td>22</td>
<td>192.168.1.0/24</td> <td>192.168.1.0/24</td>
<td>155.186.235.151</td> <td>155.186.235.151</td>
<td>tcp</td> <td>tcp</td>
<td>22</td> <td>22</td>
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<h3>Hierarchical Token Bucket</h3> <h3>My Setup<br>
</h3>
<p>I personally use HTB. I have found a couple of things that may be of use
to others.</p> <p>While I am currently using the HTB version of <a
href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (I just copied
<ul> wshaper.htb to /etc/shorewall/tcstart and modified it as shown in the Wondershaper
<li>The gzipped tc binary at the <a README), I have also run with the following set of hand-crafted rules in
href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB website</a> didn't work my tcstart file:<br>
for me -- I had to download the lastest version of the <a </p>
href="ftp://ftp.inr.ac.ru/ip-routing">iproute2 sources</a> and patch
them for HTB.</li>
<li>I'm currently running with this set of shaping rules in my tcstart
file. I recently changed from using a ceiling of 10Mbit (interface speed)
to 384kbit (DSP Uplink speed).<br>
<br>
</li>
</ul>
<blockquote> <blockquote>
<pre>run_tc qdisc add dev eth0 root handle 1: htb default 30<br>run_tc class add dev eth0 parent 1: classid 1:1 htb rate 384kbit burst 15k<br><br>echo "   Added Top Level Class -- rate 384kbit"</pre> <pre>run_tc qdisc add dev eth0 root handle 1: htb default 30<br><br>run_tc class add dev eth0 parent 1: classid 1:1 htb rate 384kbit burst 15k<br><br>echo "   Added Top Level Class -- rate 384kbit"</pre>
<pre>run_tc class add dev eth0 parent 1:1 classid 1:10 htb rate 140kbit ceil 384kbit burst 15k<br>run_tc class add dev eth0 parent 1:1 classid 1:20 htb rate 224kbit ceil 384kbit burst 15k<br>run_tc class add dev eth0 parent 1:1 classid 1:30 htb rate 20kbit  ceil 384kbit burst 15k quantum 1500</pre> <pre>run_tc class add dev eth0 parent 1:1 classid 1:10 htb rate 140kbit ceil 384kbit burst 15k prio 1<br>run_tc class add dev eth0 parent 1:1 classid 1:20 htb rate 224kbit ceil 384kbit burst 15k prio 0<br>run_tc class add dev eth0 parent 1:1 classid 1:30 htb rate 20kbit  ceil 384kbit burst 15k quantum 1500 prio 1</pre>
<pre>echo "   Added Second Level Classes -- rates 140kbit, 224kbit, 20kbit"</pre> <pre>echo "   Added Second Level Classes -- rates 140kbit, 224kbit, 20kbit"</pre>
<pre>run_tc qdisc add dev eth0 parent 1:10 sfq perturb 10<br>run_tc qdisc add dev eth0 parent 1:20 sfq perturb 10<br>run_tc qdisc add dev eth0 parent 1:30 sfq perturb 10</pre> <pre>run_tc qdisc add dev eth0 parent 1:10 pfifo limit 5<br>run_tc qdisc add dev eth0 parent 1:20 pfifo limit 10<br>run_tc qdisc add dev eth0 parent 1:30 pfifo limit 5</pre>
<pre>echo "   Enabled SFQ on Second Level Classes"</pre> <pre>echo "   Enabled PFIFO on Second Level Classes"</pre>
<pre>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:10<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 2 fw classid 1:20<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw classid 1:30</pre> <pre>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:10<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 0 handle 2 fw classid 1:20<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw classid 1:30</pre>
<pre>echo "   Defined fwmark filters"<br></pre> <pre>echo "   Defined fwmark filters"<br></pre>
</blockquote>
<p>My tcrules file is shown in Example 1 above. You can look at my <a
href="myfiles.htm">network configuration</a> to get an idea of why I want <p>My tcrules file that went with this tcstart file is shown in Example 1
these particular rules.<font face="Courier" size="2"><br> above. You can look at my <a href="myfiles.htm">network configuration</a>
</font></p> to get an idea of why I wanted these particular rules.<br>
</blockquote> </p>
<p><font size="2">Last Updated 10/25/2002 - <a href="support.htm">Tom Eastep</a></font></p> <ol>
<li>I wanted to allow up to 140kbits/second for traffic outbound from
my DMZ (note that the ceiling is set to 384kbit so outbound DMZ traffic
can use all available bandwidth if there is no traffic from the local systems
or from my laptop or firewall).</li>
<li>My laptop and local systems could use up to 224kbits/second.</li>
<li>My firewall could use up to 20kbits/second.<br>
</li>
</ol>
<p><font size="2">Last Updated 12/20/2002 - <a href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
<br> </p>
<br>
</body> </body>
</html> </html>

323
Shorewall-docs/troubleshoot.htm
View File

@ -1,205 +1,234 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shorewall Troubleshooting</title> <title>Shorewall Troubleshooting</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Troubleshooting</font></h1>
</td> <h1 align="center"><font color="#ffffff">Shorewall Troubleshooting<img
</tr> src="images/obrasinf.gif" alt="Beating head on table" width="90"
height="90" align="middle">
</tbody> </font></h1>
</td>
</tr>
</tbody>
</table> </table>
<h3 align="left">Check the Errata</h3> <h3 align="left">Check the Errata</h3>
<p align="left">Check the <a href="errata.htm">Shorewall Errata</a> to be <p align="left">Check the <a href="errata.htm">Shorewall Errata</a> to be
sure that there isn't an update that you are missing for your version sure that there isn't an update that you are missing for your version
of the firewall.</p> of the firewall.</p>
<h3 align="left">Check the FAQs</h3> <h3 align="left">Check the FAQs</h3>
<p align="left">Check the <a href="FAQ.htm">FAQs</a> for solutions to common <p align="left">Check the <a href="FAQ.htm">FAQs</a> for solutions to common
problems.</p> problems.</p>
<h3 align="left">If the firewall fails to start</h3> <h3 align="left">If the firewall fails to start</h3>
If you receive an error message when starting or restarting the firewall If you receive an error message when starting or restarting the
and you can't determine the cause, then do the following: firewall and you can't determine the cause, then do the following:
<ul> <ul>
<li>shorewall debug start 2&gt; /tmp/trace</li> <li>Make a note of the error message that you see.<br>
<li>Look at the /tmp/trace file and see if that helps you determine </li>
what the problem is.</li> <li>shorewall debug start 2&gt; /tmp/trace</li>
<li>If you still can't determine what's wrong then see the <a <li>Look at the /tmp/trace file and see if that helps you
href="support.htm">support page</a>.</li> determine what the problem is. Be sure you find the place in the log where
the error message you saw is generated -- in 99.9% of the cases, it will
not be near the end of the log because after startup errors, Shorewall goes
through a "shorewall stop" phase which will also be traced.</li>
<li>If you still can't determine what's wrong then see the
<a href="support.htm">support page</a>.</li>
</ul> </ul>
Here's an example. During startup, a user sees the following:<br>
<blockquote>
<pre>Adding Common Rules<br>iptables: No chain/target/match by that name<br>Terminated<br></pre>
</blockquote>
A search through the trace for "No chain/target/match by that name" turned
up the following: 
<blockquote>
<pre>+ echo 'Adding Common Rules'<br>+ add_common_rules<br>+ run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset<br>++ echo -A reject -p tcp -j REJECT --reject-with tcp-reset<br>++ sed 's/!/! /g'<br>+ iptables -A reject -p tcp -j REJECT --reject-with tcp-reset<br>iptables: No chain/target/match by that name<br></pre>
</blockquote>
The command that failed was: "iptables -A reject -p tcp -j REJECT --reject-with
tcp-reset". In this case, the user had compiled his own kernel and had forgotten
to include REJECT target support (see <a href="kernel.htm">kernel.htm</a>)
<h3>Your network environment</h3> <h3>Your network environment</h3>
<p>Many times when people have problems with Shorewall, the problem is <p>Many times when people have problems with Shorewall, the problem is
actually an ill-conceived network setup. Here are several popular snafus: actually an ill-conceived network setup. Here are several popular snafus:
</p> </p>
<ul> <ul>
<li>Port Forwarding where client and server are in the same <li>Port Forwarding where client and server are in the
subnet. See <a href="FAQ.htm">FAQ 2.</a></li> same subnet. See <a href="FAQ.htm">FAQ 2.</a></li>
<li>Changing the IP address of a local system to be in the external <li>Changing the IP address of a local system to be in the external
subnet, thinking that Shorewall will suddenly believe that the system subnet, thinking that Shorewall will suddenly believe that the system
is in the 'net' zone.</li> is in the 'net' zone.</li>
<li>Multiple interfaces connected to the same HUB or Switch. Given <li>Multiple interfaces connected to the same HUB or Switch. Given
the way that the Linux kernel respond to ARP "who-has" requests, this the way that the Linux kernel respond to ARP "who-has" requests, this
type of setup does NOT work the way that you expect it to.</li> type of setup does NOT work the way that you expect it to.</li>
</ul> </ul>
<h3 align="left">If you are having connection problems:</h3> <h3 align="left">If you are having connection problems:</h3>
<p align="left">If the appropriate policy for the connection that you are <p align="left">If the appropriate policy for the connection that you are
trying to make is ACCEPT, please DO NOT ADD ADDITIONAL ACCEPT RULES TRYING trying to make is ACCEPT, please DO NOT ADD ADDITIONAL ACCEPT RULES TRYING
TO MAKE IT WORK. Such additional rules will NEVER make it work, they add TO MAKE IT WORK. Such additional rules will NEVER make it work, they add
clutter to your rule set and they represent a big security hole in the event clutter to your rule set and they represent a big security hole in the event
that you forget to remove them later.</p> that you forget to remove them later.</p>
<p align="left">I also recommend against setting all of your policies to <p align="left">I also recommend against setting all of your policies to
ACCEPT in an effort to make something work. That robs you of one of ACCEPT in an effort to make something work. That robs you of one of
your best diagnostic tools - the "Shorewall" messages that Netfilter your best diagnostic tools - the "Shorewall" messages that Netfilter
will generate when you try to connect in a way that isn't permitted will generate when you try to connect in a way that isn't permitted
by your rule set.</p> by your rule set.</p>
<p align="left">Check your log. If you don't see Shorewall messages, then <p align="left">Check your log ("/sbin/shorewall show log"). If you don't
your problem is probably NOT a Shorewall problem. If you DO see packet messages, see Shorewall messages, then your problem is probably NOT a Shorewall problem.
it may be an indication that you are missing one or more rules -- see <a If you DO see packet messages, it may be an indication that you are missing
href="FAQ.htm#faq17">FAQ 17</a>.</p> one or more rules -- see <a href="FAQ.htm#faq17">FAQ 17</a>.</p>
<p align="left">While you are troubleshooting, it is a good idea to clear <p align="left">While you are troubleshooting, it is a good idea to clear
two variables in /etc/shorewall/shorewall.conf:</p> two variables in /etc/shorewall/shorewall.conf:</p>
<p align="left">LOGRATE=""<br> <p align="left">LOGRATE=""<br>
LOGBURST=""</p> LOGBURST=""</p>
<p align="left">This way, you will see all of the log messages being <p align="left">This way, you will see all of the log messages being
generated (be sure to restart shorewall after clearing these variables).</p> generated (be sure to restart shorewall after clearing these variables).</p>
<p align="left">Example:</p> <p align="left">Example:</p>
<font face="Century Gothic, Arial, Helvetica"> <font face="Century Gothic, Arial, Helvetica">
<p align="left"><font face="Courier">Jun 27 15:37:56 gateway kernel: <p align="left"><font face="Courier">Jun 27 15:37:56 gateway kernel:
Shorewall:all2all:REJECT:IN=eth2 OUT=eth1 SRC=192.168.2.2 DST=192.168.1.3 Shorewall:all2all:REJECT:IN=eth2 OUT=eth1 SRC=192.168.2.2 DST=192.168.1.3
LEN=67 TOS=0x00 PREC=0x00 TTL=63 ID=5805 DF PROTO=UDP SPT=1803 DPT=53 LEN=47</font></p> LEN=67 TOS=0x00 PREC=0x00 TTL=63 ID=5805 DF PROTO=UDP SPT=1803 DPT=53
</font> LEN=47</font></p>
</font>
<p align="left">Let's look at the important parts of this message:</p> <p align="left">Let's look at the important parts of this message:</p>
<ul> <ul>
<li>all2all:REJECT - This packet was REJECTed out of the all2all chain <li>all2all:REJECT - This packet was REJECTed out of the all2all
-- the packet was rejected under the "all"-&gt;"all" REJECT policy (see chain -- the packet was rejected under the "all"-&gt;"all" REJECT policy
<a href="FAQ.htm#faq17">FAQ 17).</a></li> (see <a href="FAQ.htm#faq17">FAQ 17).</a></li>
<li>IN=eth2 - the packet entered the firewall via eth2</li> <li>IN=eth2 - the packet entered the firewall via eth2</li>
<li>OUT=eth1 - if accepted, the packet would be sent on eth1</li> <li>OUT=eth1 - if accepted, the packet would be sent on eth1</li>
<li>SRC=192.168.2.2 - the packet was sent by 192.168.2.2</li> <li>SRC=192.168.2.2 - the packet was sent by 192.168.2.2</li>
<li>DST=192.168.1.3 - the packet is destined for 192.168.1.3</li> <li>DST=192.168.1.3 - the packet is destined for 192.168.1.3</li>
<li>PROTO=UDP - UDP Protocol</li> <li>PROTO=UDP - UDP Protocol</li>
<li>DPT=53 - DNS</li> <li>DPT=53 - DNS</li>
</ul> </ul>
<p align="left">In this case, 192.168.2.2 was in the "dmz" zone and 192.168.1.3 <p align="left">In this case, 192.168.2.2 was in the "dmz" zone and 192.168.1.3
is in the "loc" zone. I was missing the rule:</p> is in the "loc" zone. I was missing the rule:</p>
<p align="left">ACCEPT    dmz    loc    udp    53<br> <p align="left">ACCEPT    dmz    loc    udp    53<br>
</p> </p>
<p align="left">See <a href="FAQ.htm#faq17">FAQ 17</a> for additional information <p align="left">See <a href="FAQ.htm#faq17">FAQ 17</a> for additional information
about how to interpret the chain name appearing in a Shorewall log message.<br> about how to interpret the chain name appearing in a Shorewall log message.<br>
</p> </p>
<h3 align="left">Other Gotchas</h3> <h3 align="left">Other Gotchas</h3>
<ul> <ul>
<li>Seeing rejected/dropped packets logged out of the INPUT or FORWARD <li>Seeing rejected/dropped packets logged out of the INPUT or
chains? This means that: FORWARD chains? This means that:
<ol> <ol>
<li>your zone definitions are screwed up and the host that is sending <li>your zone definitions are screwed up and the host that is
the packets or the destination host isn't in any zone (using an sending the packets or the destination host isn't in any zone (using
<a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a> file are an <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a> file
you?); or</li> are you?); or</li>
<li>the source and destination hosts are both connected to the same <li>the source and destination hosts are both connected to the
interface and that interface doesn't have the 'multi' option specified same interface and that interface doesn't have the 'multi' option
in <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li> specified in <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
</ol> </ol>
</li> </li>
<li>Remember that Shorewall doesn't automatically allow ICMP type <li>Remember that Shorewall doesn't automatically allow ICMP
8 ("ping") requests to be sent between zones. If you want pings to be type 8 ("ping") requests to be sent between zones. If you want pings
allowed between zones, you need a rule of the form:<br> to be allowed between zones, you need a rule of the form:<br>
<br> <br>
    ACCEPT    &lt;source zone&gt;    &lt;destination zone&gt;        ACCEPT    &lt;source zone&gt;    &lt;destination zone&gt;   
icmp    echo-request<br> icmp    echo-request<br>
<br> <br>
The ramifications of this can be subtle. For example, if you have The ramifications of this can be subtle. For example, if you
the following in /etc/shorewall/nat:<br> have the following in /etc/shorewall/nat:<br>
<br> <br>
    10.1.1.2    eth0    130.252.100.18<br>     10.1.1.2    eth0    130.252.100.18<br>
<br> <br>
and you ping 130.252.100.18, unless you have allowed icmp type 8 and you ping 130.252.100.18, unless you have allowed icmp type
between the zone containing the system you are pinging from and the 8 between the zone containing the system you are pinging from and
zone containing 10.1.1.2, the ping requests will be dropped. This is the zone containing 10.1.1.2, the ping requests will be dropped. This
true even if you have NOT specified 'noping' for eth0 in /etc/shorewall/interfaces.</li> is true even if you have NOT specified 'noping' for eth0 in /etc/shorewall/interfaces.</li>
<li>If you specify "routefilter" for an interface, that interface <li>If you specify "routefilter" for an interface, that interface
must be up prior to starting the firewall.</li> must be up prior to starting the firewall.</li>
<li>Is your routing correct? For example, internal systems usually <li>Is your routing correct? For example, internal systems usually
need to be configured with their default gateway set to the IP address need to be configured with their default gateway set to the IP address
of their nearest firewall interface. One often overlooked aspect of routing of their nearest firewall interface. One often overlooked aspect of
is that in order for two hosts to communicate, the routing between them routing is that in order for two hosts to communicate, the routing between
must be set up <u>in both directions.</u> So when setting up routing them must be set up <u>in both directions.</u> So when setting up routing
between <b>A</b> and<b> B</b>, be sure to verify that the route from between <b>A</b> and<b> B</b>, be sure to verify that the route from
<b>B</b> back to <b>A</b> is defined.</li> <b>B</b> back to <b>A</b> is defined.</li>
<li>Some versions of LRP (EigerStein2Beta for example) have a <li>Some versions of LRP (EigerStein2Beta for example) have a
shell with broken variable expansion. <a shell with broken variable expansion. <a
href="ftp://ftp.shorewall.net/pub/shorewall/ash.gz"> You can get a corrected href="ftp://ftp.shorewall.net/pub/shorewall/ash.gz"> You can get a corrected
shell from the Shorewall Errata download site.</a> </li> shell from the Shorewall Errata download site.</a> </li>
<li>Do you have your kernel properly configured? <a <li>Do you have your kernel properly configured? <a
href="kernel.htm">Click here to see my kernel configuration.</a> </li> href="kernel.htm">Click here to see my kernel configuration.</a> </li>
<li>Some features require the "ip" program. That program is generally <li>Some features require the "ip" program. That program is
included in the "iproute" package which should be included with your generally included in the "iproute" package which should be included
distribution (though many distributions don't install iproute by with your distribution (though many distributions don't install iproute
default). You may also download the latest source tarball from <a by default). You may also download the latest source tarball from <a
href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank"> ftp://ftp.inr.ac.ru/ip-routing</a> href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank"> ftp://ftp.inr.ac.ru/ip-routing</a>
.</li> .</li>
<li>If you have <u>any</u> entry for a zone in /etc/shorewall/hosts <li>If you have <u>any</u> entry for a zone in /etc/shorewall/hosts
then the zone must be entirely defined in /etc/shorewall/hosts unless then the zone must be entirely defined in /etc/shorewall/hosts unless
you have specified MERGE_HOSTS=Yes (Shorewall version 1.3.5 and later). you have specified MERGE_HOSTS=Yes (Shorewall version 1.3.5 and later).
For example, if a zone has two interfaces but only one interface has an For example, if a zone has two interfaces but only one interface has
entry in /etc/shorewall/hosts then hosts attached to the other interface an entry in /etc/shorewall/hosts then hosts attached to the other interface
will <u>not</u> be considered part of the zone.</li> will <u>not</u> be considered part of the zone.</li>
<li>Problems with NAT? Be sure that you let Shorewall add all <li>Problems with NAT? Be sure that you let Shorewall add all
external addresses to be use with NAT unless you have set <a external addresses to be use with NAT unless you have set <a
href="Documentation.htm#Aliases"> ADD_IP_ALIASES</a> =No in /etc/shorewall/shorewall.conf.</li> href="Documentation.htm#Aliases"> ADD_IP_ALIASES</a> =No in /etc/shorewall/shorewall.conf.</li>
</ul> </ul>
<h3>Still Having Problems?</h3> <h3>Still Having Problems?</h3>
<p>See the<a href="support.htm"> support page.</a></p> <p>See the<a href="support.htm"> support page.</a></p>
<font face="Century Gothic, Arial, Helvetica"> <font face="Century Gothic, Arial, Helvetica">
<blockquote> </blockquote> <blockquote> </blockquote>
</font> </font>
<p><font size="2">Last updated 11/21/2002 - Tom Eastep</font> </p> <p><font size="2">Last updated 12/4/2002 - Tom Eastep</font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
</p> </p>
<br>
<br>
<br>
<br>
</body> </body>
</html> </html>

1535
Shorewall-docs/two-interface.htm
View File

File diff suppressed because it is too large Load Diff

2
Shorewall/fallback.sh
View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of # shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall. # Shoreline Firewall.
VERSION=1.3.12-Beta3 VERSION=1.3.12
usage() # $1 = exit status usage() # $1 = exit status
{ {

2
Shorewall/install.sh
View File

@ -54,7 +54,7 @@
# /etc/rc.d/rc.local file is modified to start the firewall. # /etc/rc.d/rc.local file is modified to start the firewall.
# #
VERSION=1.3.12-Beta3 VERSION=1.3.12
usage() # $1 = exit status usage() # $1 = exit status
{ {

4
Shorewall/shorewall.spec
View File

@ -1,6 +1,6 @@
%define name shorewall %define name shorewall
%define version 1.3.12 %define version 1.3.12
%define release 0Beta3 %define release 1
%define prefix /usr %define prefix /usr
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@ -105,6 +105,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog %changelog
* Fri Dec 27 2002 Tom Eastep <tom@shorewall.net>
- Changes version to 1.3.12
* Sun Dec 22 2002 Tom Eastep <tom@shorewall.net> * Sun Dec 22 2002 Tom Eastep <tom@shorewall.net>
- Changes version to 1.3.12-0Beta3 - Changes version to 1.3.12-0Beta3
* Fri Dec 20 2002 Tom Eastep <tom@shorewall.net> * Fri Dec 20 2002 Tom Eastep <tom@shorewall.net>

2
Shorewall/uninstall.sh
View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall # shown below. Simply run this script to remove Seattle Firewall
VERSION=1.3.12-Beta3 VERSION=1.3.12
usage() # $1 = exit status usage() # $1 = exit status
{ {