Release changes for 1.3.12

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@385 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2002-12-28 15:38:03 +00:00
parent 89efe0c6f6
commit 36aa2c8e88
100 changed files with 26957 additions and 22978 deletions


Lrp/etc/shorewall/init (new file, 6 lines)

@ -0,0 +1,6 @@
############################################################################
# Shorewall 1.3 -- /etc/shorewall/init
#
# Add commands below that you want to be executed at the beginning of
# a "shorewall start" or "shorewall restart" command.
#
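Review bot: the header comment should state that whatever is placed in this file runs with the privileges of the shorewall script itself, i.e. as root (it has to, since the script drives iptables), so /etc/shorewall/init must stay root-owned and must not be writable by other users; anyone who can edit it gets arbitrary command execution at the next "shorewall start". The same sentence belongs in the new start, stop and stopped files, which share the exposure.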


@ -20,6 +20,8 @@
# an alias (e.g., eth0:0) here; see
# http://www.shorewall.net/FAQ.htm#faq18
#
# DO NOT DEFINE THE LOOPBACK INTERFACE (lo) IN THIS FILE.
#
# BROADCAST The broadcast address for the subnetwork to which the
# interface belongs. For P-T-P interfaces, this
# column is left black.If the interface has multiple
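Review bot: the context line "column is left black.If the interface" has a typo and a missing space; it should read "column is left blank. If the interface". The new DO NOT DEFINE THE LOOPBACK INTERFACE line should also say what happens if you do (the changes file in this commit says an error is now generated), the way the policy-file warning spells out that Shorewall will not start.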
@ -89,6 +91,14 @@
# is specified, the interface must be
# an ethernet NIC and must be up before
# Shorewall is started.
# tcpflags - Packets arriving on this interface are
# checked for certain illegal combinations
# of TCP flags. Packets found to have
# such a combination of flags are handled
# according to the setting of
# TCP_FLAGS_DISPOSITION after having been
# logged according to the setting of
# TCP_FLAGS_LOG_LEVEL.
# proxyarp -
# Sets
# /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
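Review bot: the tcpflags description says "certain illegal combinations of TCP flags" without naming them, so an administrator cannot tell which probes this option catches or whether any legitimate traffic could be affected; list the combinations or point at the documentation that does. It should also state the defaults that the shorewall.conf hunk below establishes: an empty TCP_FLAGS_DISPOSITION means DROP, while an empty TCP_FLAGS_LOG_LEVEL disables logging of these packets altogether.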


@ -17,6 +17,10 @@
# DEST Destination zone. Must be the name of a zone defined
# in /etc/shorewall/zones, $FW or "all"
#
# WARNING: Firewall->Firewall policies are not allowed; if
# you have a policy where both SOURCE and DEST are $FW,
# Shorewall will not start!
#
# POLICY Policy if no match from the rules file is found. Must
# be "ACCEPT", "DROP", "REJECT" or "CONTINUE"
#
@ -25,6 +29,12 @@
# log message is generated. See syslog.conf(5) for a
# description of log levels.
#
# Beginning with Shorewall version 1.3.12, you may
# also specify ULOG (must be in upper case). This will
# log to the ULOG target and sent to a separate log
# through use of ulogd
# (http://www.gnumonks.org/projects/ulogd).
#
# If you don't want to log but need to specify the
# following column, place "_" here.
#
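Review bot: grammar in the new ULOG paragraph: "This will log to the ULOG target and sent to a separate log" should read "This logs via the ULOG target and is sent to a separate log". The paragraph should also carry the caveat that the shorewall.conf header in this commit gives, namely that ULOG is only usable if the kernel was built with ULOG target support; a policy file that names ULOG on a kernel without it will fail when the rules are loaded, and the reader of this file has no hint why.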


@ -47,7 +47,7 @@
60.0.0.0/8 logdrop # Reserved
70.0.0.0/7 logdrop # Reserved
72.0.0.0/5 logdrop # Reserved
82.0.0.0/7 logdrop # Reserved
83.0.0.0/8 logdrop # Reserved
84.0.0.0/6 logdrop # Reserved
88.0.0.0/5 logdrop # Reserved
96.0.0.0/3 logdrop # Reserved
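Review bot: judging by the line order, 82.0.0.0/7 is replaced by 83.0.0.0/8, i.e. 82/8 is no longer treated as reserved. That is exactly the maintenance hazard of a static "Reserved" list: once a block is allocated, a stale entry silently logdrops legitimate traffic from it. The file should name the registry the list is derived from and the date it was last checked, so administrators can compare it against current allocations before relying on the norfc1918 option.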


@ -31,18 +31,26 @@
# level (e.g, REJECT:info). This causes the packet to be
# logged at the specified level.
#
# SOURCE Source hosts to which the rule applies. May be a zone
# defined in /etc/shorewall/zones or $FW to indicate the
# firewall itself. If the ACTION is DNAT or REDIRECT,
# sub-zones of the specified zone may be excluded from
# the rule by following the zone name with "!' and a
# comma-separated list of sub-zone names.
# Beginning with Shorewall version 1.3.12, you may
# also specify ULOG (must be in upper case) as a log level.\
# This will log to the ULOG target and sent to a separate log
# through use of ulogd
# (http://www.gnumonks.org/projects/ulogd).
#
# Clients may be further restricted to a list of subnets
# and/or hosts by appending ":" and a comma-separated
# list of subnets and/or hosts. Hosts may be specified
# by IP or MAC address; mac addresses must begin with
# "~" and must use "-" as a separator.
#
# SOURCE Source hosts to which the rule applies. May be a zone
# defined in /etc/shorewall/zones, $FW to indicate the
# firewall itself, or "all" If the ACTION is DNAT or
# REDIRECT, sub-zones of the specified zone may be
# excluded from the rule by following the zone name with
# "!' and a comma-separated list of sub-zone names.
#
# Except when "all" is specified, clients may be further
# restricted to a list of subnets and/or hosts by
# appending ":" and a comma-separated list of subnets
# and/or hosts. Hosts may be specified by IP or MAC
# address; mac addresses must begin with "~" and must use
# "-" as a separator.
#
# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ
#
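Review bot: the added ULOG text ends one line with a stray backslash ("as a log level.\") and repeats the "and sent to" grammar slip from the policy file ("is sent to"). In the sub-zone exclusion sentence, both the removed and the added version quote the exclusion character as `"!'`, mixing a double and a single quote; it should be `"!"`.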
@ -64,12 +72,13 @@
# as described above (e.g., loc:eth1:192.168.1.5).
#
# DEST Location of Server. May be a zone defined in
# /etc/shorewall/zones or $FW to indicate the firewall
# itself.
# /etc/shorewall/zones, $FW to indicate the firewall
# itself or "all"
#
# The server may be further restricted to a particular
# subnet, host or interface by appending ":" and the
# subnet, host or interface. See above.
# Except when "all" is specified, the server may be
# further restricted to a particular subnet, host or
# interface by appending ":" and the subnet, host or
# interface. See above.
#
# Restrictions:
#
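Review bot: the new DEST text says "See above" for the ":subnet, host or interface" syntax, but the SOURCE text above also allows MAC addresses, which are not valid in DEST (the changes file in this commit adds an error message for exactly that case). State here that MAC addresses are accepted only in the SOURCE column, so readers do not learn it from the error.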


@ -9,6 +9,35 @@
# (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net)
##############################################################################
#
# General note about log levels. Log levels are a method of describing
# to syslog (8) the importance of a message and a number of parameters
# in this file have log levels as their value.
#
# Valid levels are:
#
# 7 debug
# 6 info
# 5 notice
# 4 warning
# 3 err
# 2 crit
# 1 alert
# 0 emerg
#
# For most Shorewall logging, a level of 6 (info) is appropriate. Shorewall
# log messages are generated by NetFilter and are logged using facility
# 'kern' and the level that you specifify. If you are unsure of the level
# to choose, 6 (info) is a safe bet. You may specify levels by name or by
# number.
#
# If you have build your kernel with ULOG target support, you may also
# specify a log level of ULOG (must be all caps). Rather than log its
# messages to syslogd, Shorewall will direct netfilter to log the messages
# via the ULOG target which will send them to a process called 'ulogd'.
# ulogd is available from http://www.gnumonks.org/projects/ulogd and can be
# configured to log all Shorewall message to their own log file
################################################################################
#
# PATH - Change this if you want to change the order in which Shorewall
# searches directories for executable files.
#
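Review bot: typos in the new header comment: "specifify" should be "specify", "If you have build your kernel" should be "If you have built your kernel", and "log all Shorewall message to their own log file" should be "log all Shorewall messages to their own log file" with a terminating period. Since the paragraph is the one place that explains ULOG, it would also help to say that with ULOG the messages bypass syslogd entirely, so any syslog-based log monitoring (including the script's own "shorewall show log", which greps $LOGFILE) will no longer see them unless ulogd is configured to write there.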
@ -97,6 +126,8 @@ LOGBURST=
# packets are logged under the 'logunclean' interface option. If the variable
# is empty, these packets will still be logged at the 'info' level.
#
# See the comment at the top of this file for a description of log levels
#
LOGUNCLEAN=info
@ -192,6 +223,8 @@ BLACKLIST_DISPOSITION=DROP
# (beward of DOS attacks resulting from such logging). If not set, no logging
# of blacklist packets occurs.
#
# See the comment at the top of this file for a description of log levels
#
BLACKLIST_LOGLEVEL=
#
@ -354,6 +387,8 @@ MUTEX_TIMEOUT=60
# it will be rejected by the firewall. If you want these rejects logged,
# then set LOGNEWNOTSYN to the syslog log level at which you want them logged.
#
# See the comment at the top of this file for a description of log levels
#
# Example: LOGNEWNOTSYN=debug
@ -402,7 +437,63 @@ MACLIST_DISPOSITION=REJECT
# verification. If set to the empty value (MACLIST_LOG_LEVEL="") then
# such connection requests will not be logged.
#
# See the comment at the top of this file for a description of log levels
#
MACLIST_LOG_LEVEL=info
#
# TCP FLAGS Disposition
#
# This variable determins the disposition of packets having an invalid
# combination of TCP flags that are received on interfaces having the
# 'tcpflags' option specified in /etc/shorewall/interfaces. If not specified
# or specified as empty (TCP_FLAGS_DISPOSITION="") then DROP is assumed.
TCP_FLAGS_DISPOSITION=DROP
#
# TCP FLAGS Log Level
#
# Specifies the logging level for packets that fail TCP Flags
# verification. If set to the empty value (TCP_FLAGS_LOG_LEVEL="") then
# such packets will not be logged.
#
# See the comment at the top of this file for a description of log levels
#
TCP_FLAGS_LOG_LEVEL=info
#
# RFC1918 Log Level
#
# Specifies the logging level for packets that fail RFC 1918
# verification. If set to the empty value (RFC1918_LOG_LEVEL="") then
# RFC1918_LOG_LEVEL=info is assumed.
#
# See the comment at the top of this file for a description of log levels
#
RFC1918_LOG_LEVEL=info
#
# Mark Packets in the forward chain
#
# When processing the tcrules file, Shorewall normally marks packets in the
# PREROUTING chain. To cause Shorewall to use the FORWARD chain instead, set
# this to "Yes". If not specified or if set to the empty value (e.g.,
# MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed.
#
# Marking packets in the FORWARD chain has the advantage that inbound
# packets destined for Masqueraded/SNATed local hosts have had their destination
# address rewritten so they can be marked based on their destination. When
# packets are marked in the PREROUTING chain, packets destined for
# Masqueraded/SNATed local hosts still have a destination address corresponding
# to the firewall's external interface.
#
# Note: Older kernels do not support marking packets in the FORWARD chain and
# setting this variable to Yes may cause startup problems.
MARK_IN_FORWARD_CHAIN=No
#LAST LINE -- DO NOT REMOVE
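Review bot: the empty-value semantics of the new log-level variables are inconsistent and should be unified or called out: an empty TCP_FLAGS_LOG_LEVEL means "do not log", while an empty RFC1918_LOG_LEVEL means "log at info". An administrator who blanks one of them expecting the other behaviour silently loses (or gains) a log stream. Also, TCP_FLAGS_DISPOSITION does not list its permitted values; the MACLIST_DISPOSITION comment above it does, so follow that. For MARK_IN_FORWARD_CHAIN, add that the FORWARD chain only sees routed traffic, so with "Yes" tcrules entries for traffic to or from the firewall itself ($FW, which traverses INPUT and OUTPUT) will not be marked at all. Finally, "determins" should be "determines".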

Lrp/etc/shorewall/start (new file, 6 lines)

@ -0,0 +1,6 @@
############################################################################
# Shorewall 1.3 -- /etc/shorewall/start
#
# Add commands below that you want to be executed after shorewall has
# been started or restarted.
#

Lrp/etc/shorewall/stop (new file, 6 lines)

@ -0,0 +1,6 @@
############################################################################
# Shorewall 1.3 -- /etc/shorewall/stop
#
# Add commands below that you want to be executed at the beginning of a
# "shorewall stop" command.
#


@ -0,0 +1,6 @@
############################################################################
# Shorewall 1.3 -- /etc/shorewall/stopped
#
# Add commands below that you want to be executed at the completion of a
# "shorewall stop" command.
#


@ -6,6 +6,11 @@
# Entries in this file cause packets to be marked as a means of
# classifying them for traffic control or policy routing.
#
# I M P O R T A N T ! ! ! !
#
# FOR ENTRIES IN THIS FILE TO HAVE ANY EFFECT, YOU MUST SET
# TC_ENABLED=Yes in /etc/shorewall/shorewall.conf
#
# Columns are:
#
#


@ -58,6 +58,7 @@
# shorewall show nat Display the rules in the nat table
# shorewall show {mangle|tos} Display the rules in the mangle table
# shorewall show tc Display traffic control info
# shorewall show classifiers Display classifiers
# shorewall version Display the installed version id
# shorewall check Verify the more heavily-used
# configuration files.
@ -150,8 +151,10 @@ display_chains()
iptables -L -n -v > /tmp/chains-$$
clear
echo -e "$banner `date`\\n"
echo -e "Standard Chains\\n"
echo "$banner `date`"
echo
echo "Standard Chains"
echo
firstchain="Yes"
showchain INPUT
showchain OUTPUT
@ -160,9 +163,11 @@ display_chains()
timed_read
clear
echo -e "$banner `date`\\n"
echo "$banner `date`"
echo
firstchain=Yes
echo -e "Input Chains\\n"
echo "Input Chains"
echo
chains=`grep '^Chain.*_[in|fwd]' /tmp/chains-$$ | cut -d' ' -f 2`
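Review bot: the context line `grep '^Chain.*_[in|fwd]'` does not match the alternatives `_in` or `_fwd`; `[in|fwd]` is a bracket expression matching any single one of the characters i, n, |, f, w, d, so it also picks up chains such as net_dnat (the "d") and would miss nothing it should but include chains that do not belong under "Input Chains". Use two patterns, e.g. `grep -e '^Chain .*_in ' -e '^Chain .*_fwd '`, which is POSIX and fits the portability goal of this commit.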
@ -176,10 +181,12 @@ display_chains()
if [ -n "`grep "^Chain \.*${zone}" /tmp/chains-$$`" ] ; then
clear
echo -e "$banner `date`\\n"
echo "$banner `date`"
echo
firstchain=Yes
eval display=\$${zone}_display
echo -e "$display Chains\\n"
echo "$display Chains"
echo
for zone1 in $FW $zones; do
showchain ${zone}2$zone1
showchain @${zone}2$zone1
@ -193,9 +200,11 @@ display_chains()
done
clear
echo -e "$banner `date`\\n"
echo "$banner `date`"
echo
firstchain=Yes
echo -e "Policy Chains\\n"
echo "Policy Chains"
echo
showchain common
showchain badpkt
showchain icmpdef
@ -212,9 +221,11 @@ display_chains()
timed_read
clear
echo -e "$banner `date`\\n"
echo "$banner `date`"
echo
firstchain=Yes
echo -e "Dynamic Chain\\n"
echo "Dynamic Chain"
echo
showchain dynamic
timed_read
@ -248,7 +259,8 @@ packet_log() # $1 = number of messages
[ -n "$realtail" ] && options="-n$1"
grep 'Shorewall:\|ipt_unclean' $LOGFILE | \
sed s/" $host kernel: Shorewall:"/" "/ | \
sed s/" kernel:"// | \
sed s/" $host Shorewall:"/" "/ | \
sed s/" $host kernel: ipt_unclean: "/" "/ | \
sed 's/MAC=.*SRC=/SRC=/' | \
tail $options
@ -284,6 +296,34 @@ show_tc() {
}
#
# Show classifier information
#
show_classifiers() {
show_one_classifier() {
local device=${1%@*}
qdisc=`tc qdisc list dev $device`
if [ -n "$qdisc" ]; then
echo Device $device:
tc -s filter ls dev $device
echo
fi
}
ip link list | \
while read inx interface details; do
case $inx in
[0-9]*)
show_one_classifier ${interface%:}
;;
*)
;;
esac
done
}
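Review bot: `qdisc` in show_one_classifier is assigned without `local`, so it leaks into the caller's scope; the other variables in the function are declared local, so declare this one too. Quoting `dev "$device"` would also keep the tc invocation robust for the `name@if` form the `${1%@*}` strip is meant to handle, should the strip ever leave something unexpected.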
#
# Monitor the Firewall
#
@ -309,9 +349,11 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
display_chains
clear
echo -e "$banner `date`\\n"
echo "$banner `date`"
echo
echo -e "Dropped/Rejected Packet Log\\n"
echo "Dropped/Rejected Packet Log"
echo
show_reset
@ -319,11 +361,14 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
if [ "$rejects" != "$oldrejects" ]; then
oldrejects="$rejects"
echo -e '\a'
$RING_BELL
packet_log 20
if [ "$pause" = "Yes" ]; then
echo -en '\nEnter any character to continue: '
echo
echo $ECHO_N 'Enter any character to continue: '
read foo
else
timed_read
@ -335,28 +380,48 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
fi
clear
echo -e "$banner `date`\\n"
echo -e "NAT Status\\n"
echo "$banner `date`"
echo
echo "NAT Status"
echo
iptables -t nat -L -n -v
timed_read
clear
echo -e "$banner `date`\\n"
echo -e "\\nTOS/MARK Status\\n"
echo "$banner `date`"
echo
echo
echo "TOS/MARK Status"
echo
iptables -t mangle -L -n -v
timed_read
clear
echo -e "$banner `date`\\n"
echo -e "\\nTracked Connections\\n"
echo "$banner `date`"
echo
echo
echo "Tracked Connections"
echo
cat /proc/net/ip_conntrack
timed_read
clear
echo -e "$banner `date`\\n"
echo -e "\\nTraffic Shaping/Control\\n"
echo "$banner `date`"
echo
echo
echo "Traffic Shaping/Control"
echo
show_tc
timed_read
clear
echo "$banner `date`"
echo
echo
echo "Packet Classifiers"
echo
show_classifiers
timed_read
done
}
@ -383,9 +448,11 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
while true; do
clear
echo -e "$banner `date`\\n"
echo "$banner `date`"
echo
echo -e "Dropped/Rejected Packet Log\\n"
echo "Dropped/Rejected Packet Log"
echo
show_reset
@ -393,11 +460,14 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
if [ "$rejects" != "$oldrejects" ]; then
oldrejects="$rejects"
echo -e '\a'
$RING_BELL
packet_log 40
if [ "$pause" = "Yes" ]; then
echo -en '\nEnter any character to continue: '
echo
echo $ECHO_N 'Enter any character to continue: '
read foo
else
timed_read
@ -419,7 +489,7 @@ usage() # $1 = exit status
echo "where <command> is one of:"
echo " add <interface>[:<host>] <zone>"
echo " delete <interface>[:<host>] <zone>"
echo " show [<chain>|connections|log|nat|tc|tos]"
echo " show [<chain>|classifiers|connections|log|nat|tc|tos]"
echo " start"
echo " stop"
echo " reset"
@ -445,7 +515,8 @@ usage() # $1 = exit status
#
show_reset() {
[ -f $STATEDIR/restarted ] && \
echo -e "Counters reset `cat $STATEDIR/restarted`\\n"
echo "Counters reset `cat $STATEDIR/restarted`" && \
echo
}
#
@ -537,6 +608,24 @@ banner="Shorewall-$version Status at $HOSTNAME -"
get_statedir
case `echo -e` in
-e*)
RING_BELL="echo \'\a\'"
;;
*)
RING_BELL="echo -e \'\a\'"
;;
esac
case `echo -n "Testing"` in
-n*)
ECHO_N=
;;
*)
ECHO_N=-n
;;
esac
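Review bot: the RING_BELL probe does not produce a bare bell. Inside double quotes a backslash does not escape a single quote, so RING_BELL holds the literal text `echo \'\a\'`; when it is later expanded unquoted (`$RING_BELL`), no quote removal is applied to the expansion result, and echo receives the argument `\'\a\'` verbatim, printing the stray `\'` characters around the BEL. Either drop the quotes (`RING_BELL="echo -e \a"`, since the value is never re-parsed) or, simpler and fully POSIX, define `ring_bell() { printf '\a'; }` and print the prompt with `printf '%s' ...`, which removes the need for both the echo -e and echo -n probes.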
case "$1" in
start|stop|restart|reset|clear|refresh|check)
[ $# -ne 1 ] && usage 1
@ -550,32 +639,43 @@ case "$1" in
[ $# -gt 2 ] && usage 1
case "$2" in
connections)
echo -e "Shorewall-$version Connections at $HOSTNAME - `date`\\n"
echo "Shorewall-$version Connections at $HOSTNAME - `date`"
echo
cat /proc/net/ip_conntrack
;;
nat)
echo -e "Shorewall-$version NAT at $HOSTNAME - `date`\\n"
echo "Shorewall-$version NAT at $HOSTNAME - `date`"
echo
show_reset
iptables -t nat -L -n -v
;;
tos|mangle)
echo -e "Shorewall-$version TOS at $HOSTNAME - `date`\\n"
echo "Shorewall-$version TOS at $HOSTNAME - `date`"
echo
show_reset
iptables -t mangle -L -n -v
;;
log)
get_config
echo -e "Shorewall-$version Log at $HOSTNAME - `date`\\n"
echo "Shorewall-$version Log at $HOSTNAME - `date`"
echo
show_reset
host=`echo $HOSTNAME | sed 's/\..*$//'`
packet_log 20
;;
tc)
echo -e "Shorewall-$version Traffic Control at $HOSTNAME - `date`\\n"
echo "Shorewall-$version Traffic Control at $HOSTNAME - `date`"
echo
show_tc
;;
classifiers)
echo "Shorewall-$version Clasifiers at $HOSTNAME - `date`"
echo
show_classifiers
;;
*)
echo -e "Shorewall-$version Chain $2 at $HOSTNAME - `date`\\n"
echo "Shorewall-$version Chain $2 at $HOSTNAME - `date`"
echo
show_reset
iptables -L $2 -n -v
;;
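Review bot: typo in the new classifiers heading: "Clasifiers" should be "Classifiers", matching the usage text and the new show_classifiers function name.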
@ -594,15 +694,20 @@ case "$1" in
[ $# -eq 1 ] || usage 1
get_config
clear
echo -e "Shorewall-$version Status at $HOSTNAME - `date`\\n"
echo "Shorewall-$version Status at $HOSTNAME - `date`"
echo
show_reset
host=`echo $HOSTNAME | sed 's/\..*$//'`
iptables -L -n -v
echo
packet_log 20
echo
echo "NAT Table"
echo
iptables -t nat -L -n -v
echo
echo "Mangle Table"
echo
iptables -t mangle -L -n -v
echo
cat /proc/net/ip_conntrack
@ -611,7 +716,9 @@ case "$1" in
[ $# -eq 1 ] || usage 1
get_config
clear
echo -e "Shorewall-$version Hits at $HOSTNAME - `date`\\n"
echo "Shorewall-$version Hits at $HOSTNAME - `date`"
echo
timeout=30
if [ `grep -c "Shorewall:" $LOGFILE ` -gt 0 ] ; then


@ -25,9 +25,22 @@ find_file()
#
# Replace commas with spaces and echo the result
#
separate_list()
{
echo $1 | sed 's/,/ /g'
separate_list() {
local list
local part
local newlist
list="$@"
part="${list%%,*}"
newlist="$part"
while [ "x$part" != "x$list" ]; do
list="${list#*,}";
part="${list%%,*}";
newlist="$newlist $part";
done
echo "$newlist"
}
#
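Review bot: `list="$@"` changes the function's contract: the old body looked only at `$1`, whereas this joins every argument into one string (with spaces in bash; POSIX leaves the separator for `"$@"` in an assignment unspecified, another portability concern for the dash/ash goal). If callers only ever pass one argument, write `list="$1"`. Also note that a leading or trailing comma now yields an empty field (the loop emits "a b " for "a,b,"), which the old `sed` form collapsed through echo's word splitting; callers that iterate over the result with `for` are unaffected, but the stray semicolons after the assignments can go.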


@ -16,3 +16,7 @@
/etc/shorewall/tos TOS Type of Service policy
/etc/shorewall/blacklist Blacklist Blacklisted hosts
/etc/shorewall/rfc1918 RFC1918 Defines 'norfc1918' interface option
/etc/shorewall/init Init Commands executed before [re]start
/etc/shorewall/start Start Commands executed after [re]start
/etc/shorewall/stop Stop Commands executed before stop
/etc/shorewall/stopped Stopped Commands executed after stop


@ -1 +1 @@
1.3.10
1.3.12


@ -1,17 +1,43 @@
Changes since 1.3.10
Changes since 1.3.11
1. Added TCP flags checking.
1. Fixed DNAT/REDIRECT bug with excluded sub-zones.
2. Accomodate bash clones like dash and ash
2. "shorewall refresh" now refreshes the traffic shaping rules
3. Added some comments in the policy chain creation/population logic.
3. Turned off debugging after error.
4. Check for fw->fw rules.
4. Removed drop of INVALID state output ICMP packets.
5. Allow 'all' in rules.
5. Replaced 'sed' invocation in separate_list() by shell code (speedup).
6. Add reverse GRE rules for PPTP server and clients.
6. Replaced 'wc' invocation in list_count() by shell code (speedup)
7. Add warning to tcrules file.
7. Replaced 'sed' invocation in run_iptables() by shell code and
optomized (speedup)
8. Add warning to policy file that fw->fw policies aren't allowed.
8. Only read the interfaces file once (speedup)
9. Only read the policy file once (speedup)
10. Removed redundant function input_chains() (duplicate of first_chains())
11. Generated an error if 'lo' is defined in the interfaces file.
12. Clarified error message where ORIGINAL DEST is specified on an
ACCEPT, DROP or REJECT rule.
13. Added "shorewall show classifiers" command and added packet
classification filter display to "shorewall monitor"
14. Added an error message when the destination in a rule contained a
MAC address.
15. Added ULOG target support.
16. Add MARK_IN_FORWARD option.
17. General Cleanup for Release
18. Release changes and add init, start, stop and stopped files.
19. Add headings to NAT and Mangle tables in "shorewall status" output
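Review bot: spelling in the changes file: "Accomodate" should be "Accommodate", "optomized" should be "optimized", and item 11 "Generated an error if 'lo' is defined" should be "Generate an error" to match the imperative form of the other items. Item 1 ("Fixed DNAT/REDIRECT bug with excluded sub-zones") would be more useful with one clause saying what the wrong behaviour was, since users need that to decide whether the bug affected them.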



@ -2,17 +2,22 @@
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall FAQ</title>
<meta name="Microsoft Theme" content="none">
</head>
<body>
@ -29,6 +34,7 @@
</td>
</tr>
</tbody>
</table>
@ -44,22 +50,22 @@ I've looked everywhere and can't find <b>how to do it</b>.</a></p>
port forwarding</a></p>
<p align="left"><b>2.</b> <a href="#faq2">I <b>port forward</b> www requests
to www.mydomain.com (IP 130.151.100.69) to system 192.168.1.5 in my
local network. <b>External clients can browse</b> http://www.mydomain.com
to www.mydomain.com (IP 130.151.100.69) to system 192.168.1.5
in my local network. <b>External clients can browse</b> http://www.mydomain.com
but <b>internal clients can't</b>.</a></p>
<p align="left"><b>2a. </b><a href="#faq3">I have a zone "Z" with an RFC1918
subnet and I use <b>static NAT</b> to assign non-RFC1918 addresses
to hosts in Z. Hosts in Z cannot communicate with each other using
their external (non-RFC1918 addresses) so they <b>can't access each
other using their DNS names.</b></a></p>
their external (non-RFC1918 addresses) so they <b>can't access
each other using their DNS names.</b></a></p>
<p align="left"><b>3. </b><a href="#faq3">I want to use <b>Netmeeting/MSN
Messenger </b>with Shorewall. What do I do?</a></p>
<p align="left"><b>4. </b><a href="#faq4">I just used an online port scanner
to check my firewall and it shows <b>some ports as 'closed' rather
than 'blocked'.</b> Why?</a></p>
to check my firewall and it shows <b>some ports as 'closed'
rather than 'blocked'.</b> Why?</a></p>
<p align="left"><b>4a. </b><a href="#faq4a">I just ran an <b>nmap UDP scan</b>
of my firewall and it showed 100s of ports as open!!!!</a></p>
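Review bot: the 2a entry in the index links to `#faq3`, but its answer is anchored as `<a name="faq2a">` further down the page, so the link lands on the Netmeeting question; change the href to `#faq2a`. This is a context line, so the bug predates this commit, but the index is being reflowed here anyway.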
@ -78,7 +84,8 @@ other using their DNS names.</b></a></p>
work?</a></p>
<p align="left"><b>8. </b><a href="#faq8">When I try to <b>start Shorewall
on RedHat 7.x</b>, I get messages about insmod failing -- what's wrong?</a></p>
on RedHat</b> I get messages about insmod failing -- what's
wrong?</a></p>
<p align="left"><b>9. </b><a href="FAQ.htm#faq9">Why can't Shorewall <b>detect
my interfaces </b>properly?</a></p>
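Review bot: the FAQ 9 link uses `href="FAQ.htm#faq9"` while every other index entry uses a bare `#faqN` fragment; harmless when the page is served as FAQ.htm, but it breaks if the file is renamed or viewed locally under another name. Make it `#faq9` for consistency.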
@ -95,13 +102,13 @@ support?</a></p>
<p align="left"><b>14. </b><a href="#faq14">I'm connected via a cable modem
and it has an internel web server that allows me to configure/monitor
it but as expected if I enable <b> rfc1918 blocking</b> for my eth0
interface, it also blocks the <b>cable modems web server</b></a>.</p>
it but as expected if I enable <b> rfc1918 blocking</b> for my
eth0 interface, it also blocks the <b>cable modems web server</b></a>.</p>
<p align="left"><b>14a. </b><a href="#faq14a">Even though it assigns public
IP addresses, my ISP's DHCP server has an RFC 1918 address. If I
enable RFC 1918 filtering on my external interface, <b>my DHCP client
cannot renew its lease</b>.</a></p>
IP addresses, my ISP's DHCP server has an RFC 1918 address.
If I enable RFC 1918 filtering on my external interface, <b>my
DHCP client cannot renew its lease</b>.</a></p>
<p align="left"><b>15. </b><a href="#faq15"><b>My local systems can't see
out to the net</b></a></p>
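Review bot: in the reflowed FAQ 14 text, "internel" should be "internal" and "cable modems web server" should be "cable modem's web server"; both survive from the old version into the new one.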
@ -109,23 +116,24 @@ cannot renew its lease</b>.</a></p>
<p align="left"><b>16. </b><a href="#faq16">Shorewall is writing <b>log messages
all over my console</b> making it unusable!<br>
</a></p>
<b>17</b>. <a href="#faq17">How do I find out <b>why
this is</b> getting <b>logged?</b></a><br>
<b>17</b>. <a href="#faq17">How do I find
out <b>why this traffic is</b> getting <b>logged?</b></a><br>
<br>
<b>18.</b> <a href="#faq18">Is there any way to use <b>aliased ip
addresses</b> with Shorewall, and maintain separate rulesets for different
IPs?</a><br>
<b>18.</b> <a href="#faq18">Is there any way to use <b>aliased
ip addresses</b> with Shorewall, and maintain separate rulesets for
different IPs?</a><br>
<br>
<b>19. </b><a href="#faq19">I have added <b>entries to /etc/shorewall/tcrules</b>
but they <b>don't </b>seem to <b>do anything</b>. Why?</a><br>
<br>
<b>20.<a href="#faq20"> </a></b><a href="#faq20">I have just set up a
server. <b>Do I have to change Shorewall to allow access to my server from
the internet?<br>
</b><br>
</a><a href="#faq21"><b>21. </b>I see these <b>strange log entries </b>occasionally;
what are they?<br>
<b>20. </b><a href="#faq20">I have just set up a server. <b>Do
I have to change Shorewall to allow access to my server from the internet?<br>
<br>
</b></a><b>21. </b><a href="#faq21">I see these <b>strange log entries
</b>occasionally; what are they?<br>
</a><br>
<b>22. </b><a href="#faq22">I have some <b>iptables commands </b>that I
want to <b>run when Shorewall starts.</b> Which file do I put them in?</a><br>
<hr>
<h4 align="left"><a name="faq1"></a>1. I want to forward UDP port 7777 to
@ -139,6 +147,7 @@ the internet?<br>
rule to a local system is as follows:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber1">
<tbody>
@ -165,7 +174,9 @@ the internet?<br>
</tr>
</tbody>
</table>
</blockquote>
@ -173,6 +184,7 @@ the internet?<br>
the rule is:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber1">
<tbody>
@ -198,18 +210,18 @@ the internet?<br>
</tr>
</tbody>
</table>
</blockquote>
<div align="left">
<pre align="left"><font face="Courier"> DNAT net loc:192.168.1.5 udp 7777</font></pre>
</div>
<p align="left">If you want to forward requests directed to a particular
address ( <i>&lt;external IP&gt;</i> ) on your firewall to an internal system:</p>
<div align="left"> <font face="Courier"> </font>If
you want to forward requests directed to a particular address ( <i>&lt;external
IP&gt;</i> ) on your firewall to an internal system:</div>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber1">
<tbody>
@ -234,7 +246,9 @@ address ( <i>&lt;external IP&gt;</i> ) on your firewall to an internal system:</
</tr>
</tbody>
</table>
</blockquote>
@ -246,9 +260,9 @@ address ( <i>&lt;external IP&gt;</i> ) on your firewall to an internal system:</
<ul>
<li>You are trying to test from inside your firewall
(no, that won't work -- see <a href="#faq2">FAQ #2</a>).</li>
<li>You have a more basic problem with your local system
such as an incorrect default gateway configured (it should be set
to the IP address of your firewall's internal interface).</li>
<li>You have a more basic problem with your local
system such as an incorrect default gateway configured (it should
be set to the IP address of your firewall's internal interface).</li>
</ul>
@ -257,30 +271,31 @@ to the IP address of your firewall's internal interface).</li>
<b>Answer: </b>To further diagnose this problem:<br>
<ul>
<li>As root, type "iptables -t nat -Z". This clears the NetFilter
counters in the nat table.</li>
<li>Try to connect to the redirected port from an external host.</li>
<li>As root, type "iptables -t nat -Z". This clears the
NetFilter counters in the nat table.</li>
<li>Try to connect to the redirected port from an external
host.</li>
<li>As root type "shorewall show nat"</li>
<li>Locate the appropriate DNAT rule. It will be in a chain called
<i>zone</i>_dnat where <i>zone</i> is the zone that includes the 
('net' in the above examples).</li>
<li>Is the packet count in the first column non-zero? If so, the
connection request is reaching the firewall and is being redirected to
the server. In this case, the problem is usually a missing or incorrect
default gateway setting on the server (the server's default gateway should
be the IP address of the firewall's interface to the server).</li>
<li>Locate the appropriate DNAT rule. It will be in a chain
called <i>zone</i>_dnat where <i>zone</i> is the zone that includes
the  ('net' in the above examples).</li>
<li>Is the packet count in the first column non-zero? If
so, the connection request is reaching the firewall and is being redirected
to the server. In this case, the problem is usually a missing or incorrect
default gateway setting on the server (the server's default gateway
should be the IP address of the firewall's interface to the server).</li>
<li>If the packet count is zero:</li>
<ul>
<li>the connection request is not reaching your server (possibly
it is being blocked by your ISP); or</li>
<li>you are trying to connect to a secondary IP address on your
firewall and your rule is only redirecting the primary IP address (You
need to specify the secondary IP address in the "ORIG. DEST." column in
your DNAT rule); or</li>
<li>your DNAT rule doesn't match the connection request in some
other way. In that case, you may have to use a packet sniffer such as tcpdump
or ethereal to further diagnose the problem.<br>
<li>the connection request is not reaching your server
(possibly it is being blocked by your ISP); or</li>
<li>you are trying to connect to a secondary IP address
on your firewall and your rule is only redirecting the primary IP address
(You need to specify the secondary IP address in the "ORIG. DEST." column
in your DNAT rule); or</li>
<li>your DNAT rule doesn't match the connection request
in some other way. In that case, you may have to use a packet sniffer
such as tcpdump or ethereal to further diagnose the problem.<br>
</li>
</ul>
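Review bot: the sentence "where zone is the zone that includes the  ('net' in the above examples)" is missing its noun in both the removed and the added version; presumably "the client" or "the source", which should be restored while the paragraph is being reflowed.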
@ -288,31 +303,34 @@ your DNAT rule); or</li>
</ul>
<h4 align="left"><a name="faq2"></a>2. I port forward www requests to www.mydomain.com
(IP 130.151.100.69) to system 192.168.1.5 in my local network. External
clients can browse http://www.mydomain.com but internal clients can't.</h4>
(IP 130.151.100.69) to system 192.168.1.5 in my local network.
External clients can browse http://www.mydomain.com but internal
clients can't.</h4>
<p align="left"><b>Answer: </b>I have two objections to this setup.</p>
<ul>
<li>Having an internet-accessible server in your local
network is like raising foxes in the corner of your hen house.
If the server is compromised, there's nothing between that server
and your other internal systems. For the cost of another NIC and
a cross-over cable, you can put your server in a DMZ such that
it is isolated from your local systems - assuming that the Server
can be located near the Firewall, of course :-)</li>
<li>Having an internet-accessible server in your
local network is like raising foxes in the corner of your hen
house. If the server is compromised, there's nothing between that
server and your other internal systems. For the cost of another
NIC and a cross-over cable, you can put your server in a DMZ
such that it is isolated from your local systems - assuming that
the Server can be located near the Firewall, of course :-)</li>
<li>The accessibility problem is best solved using
<a href="shorewall_setup_guide.htm#DNS">Bind Version 9 "views"</a>
(or using a separate DNS server for local clients) such that www.mydomain.com
resolves to 130.141.100.69 externally and 192.168.1.5 internally. That's
what I do here at shorewall.net for my local systems that use static NAT.</li>
resolves to 130.141.100.69 externally and 192.168.1.5 internally.
That's what I do here at shorewall.net for my local systems that use
static NAT.</li>
</ul>
<p align="left">If you insist on an IP solution to the accessibility problem
rather than a DNS solution, then assuming that your external interface
is eth0 and your internal interface is eth1 and that eth1 has IP
address 192.168.1.254 with subnet 192.168.1.0/24, do the following:</p>
rather than a DNS solution, then assuming that your external
interface is eth0 and your internal interface is eth1 and that
eth1 has IP address 192.168.1.254 with subnet 192.168.1.0/24, do
the following:</p>
<p align="left">a) In /etc/shorewall/interfaces, specify "multi" as an option
for eth1 (No longer required as of Shorewall version 1.3.9).</p>
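Review bot: the FAQ 2 answer says www.mydomain.com "resolves to 130.141.100.69 externally", but the question and the DNAT example use 130.151.100.69; one of the two is a typo and a reader copying the address into a DNS view or rule will get it wrong. Both versions of the line carry it, so fix it here.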
@ -323,6 +341,7 @@ address 192.168.1.254 with subnet 192.168.1.0/24, do the following:</p>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber1">
<tbody>
@ -346,19 +365,18 @@ address 192.168.1.254 with subnet 192.168.1.0/24, do the following:</p>
</tr>
</tbody>
</table>
</blockquote>
</div>
<div align="left">
<pre align="left"> <font face="Courier">DNAT loc:192.168.1.0/24 loc:192.168.1.5 tcp www - 130.151.100.69:192.168.1.254</font></pre>
</div>
<div align="left">
<p align="left">That rule only works of course if you have a static external
IP address. If you have a dynamic IP address and are running Shorewall
1.3.4 or later then include this in /etc/shorewall/params:</p>
IP address. If you have a dynamic IP address and are running
Shorewall 1.3.4 or later then include this in /etc/shorewall/params:</p>
</div>
<div align="left">
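Review bot: The external address in the DNAT rule (130.151.100.69:192.168.1.254) does not match the 130.141.100.69 that the DNS "views" paragraph earlier in this answer uses for www.mydomain.com; one of the two is a typo and anyone copying the rule will pair it with the wrong address. Use the same address in both places.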
@ -371,6 +389,7 @@ address 192.168.1.254 with subnet 192.168.1.0/24, do the following:</p>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber1">
<tbody>
@ -394,22 +413,24 @@ address 192.168.1.254 with subnet 192.168.1.0/24, do the following:</p>
</tr>
</tbody>
</table>
</blockquote>
</div>
<div align="left">
<p align="left">Using this technique, you will want to configure your DHCP/PPPoE
client to automatically restart Shorewall each time that you get
a new IP address.</p>
client to automatically restart Shorewall each time that you
get a new IP address.</p>
</div>
<h4 align="left"><a name="faq2a"></a>2a. I have a zone "Z" with an RFC1918
subnet and I use static NAT to assign non-RFC1918 addresses to hosts
in Z. Hosts in Z cannot communicate with each other using their external
(non-RFC1918 addresses) so they can't access each other using their
DNS names.</h4>
subnet and I use static NAT to assign non-RFC1918 addresses to
hosts in Z. Hosts in Z cannot communicate with each other using
their external (non-RFC1918 addresses) so they can't access each
other using their DNS names.</h4>
<p align="left"><b>Answer: </b>This is another problem that is best solved
using Bind Version 9 "views". It allows both external and internal
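Review bot: In the 2a heading the parenthesis is misplaced in both the old and the rewrapped wording: "their external (non-RFC1918 addresses)" should read "their external (non-RFC1918) addresses".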
@ -420,8 +441,8 @@ a new IP address.</p>
addresses and can be accessed externally and internally using the
same address. </p>
<p align="left">If you don't like those solutions and prefer routing all Z-&gt;Z
traffic through your firewall then:</p>
<p align="left">If you don't like those solutions and prefer routing all
Z-&gt;Z traffic through your firewall then:</p>
<p align="left">a) Specify "multi" on the entry for Z's interface in /etc/shorewall/interfaces
(If you are running a Shorewall version earlier than 1.3.9).<br>
@ -437,6 +458,7 @@ traffic through your firewall then:</p>
<p align="left">In /etc/shorewall/interfaces:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber2">
<tbody>
@ -454,13 +476,16 @@ traffic through your firewall then:</p>
</tr>
</tbody>
</table>
</blockquote>
<p align="left">In /etc/shorewall/policy:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber3">
<tbody>
@ -479,7 +504,9 @@ traffic through your firewall then:</p>
</tr>
</tbody>
</table>
</blockquote>
@ -490,6 +517,7 @@ traffic through your firewall then:</p>
<p align="left">In /etc/shorewall/masq:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber3" width="369">
<tbody>
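Review bot: This masq table reuses id="AutoNumber3", which the policy table just above already carries (and two earlier tables both use id="AutoNumber1"); duplicate ids are invalid HTML. These are editor artifacts that nothing references, so either drop the id attributes or give each table a unique value.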
@ -506,7 +534,9 @@ traffic through your firewall then:</p>
</tr>
</tbody>
</table>
</blockquote>
@ -515,8 +545,8 @@ traffic through your firewall then:</p>
<p align="left"><b>Answer: </b>There is an <a
href="http://www.kfki.hu/%7Ekadlec/sw/netfilter/newnat-suite/"> H.323 connection
tracking/NAT module</a> that may help. Also check the Netfilter mailing
list archives at <a href="http://netfilter.samba.org">http://netfilter.samba.org</a>.
tracking/NAT module</a> that may help. Also check the Netfilter
mailing list archives at <a href="http://netfilter.samba.org">http://netfilter.samba.org</a>.
</p>
<h4 align="left"><a name="faq4"></a>4. I just used an online port scanner
@ -524,15 +554,15 @@ traffic through your firewall then:</p>
than 'blocked'. Why?</h4>
<p align="left"><b>Answer: </b>The common.def included with version 1.3.x
always rejects connection requests on TCP port 113 rather than
dropping them. This is necessary to prevent outgoing connection
always rejects connection requests on TCP port 113 rather
than dropping them. This is necessary to prevent outgoing connection
problems to services that use the 'Auth' mechanism for identifying
requesting users. Shorewall also rejects TCP ports 135, 137 and 139
as well as UDP ports 137-139. These are ports that are used by Windows
(Windows <u>can</u> be configured to use the DCE cell locator on port
135). Rejecting these connection requests rather than dropping them
cuts down slightly on the amount of Windows chatter on LAN segments connected
to the Firewall. </p>
requesting users. Shorewall also rejects TCP ports 135, 137 and
139 as well as UDP ports 137-139. These are ports that are used
by Windows (Windows <u>can</u> be configured to use the DCE cell locator
on port 135). Rejecting these connection requests rather than dropping
them cuts down slightly on the amount of Windows chatter on LAN segments
connected to the Firewall. </p>
<p align="left">If you are seeing port 80 being 'closed', that's probably
your ISP preventing you from running a web server in violation
@ -542,10 +572,11 @@ of your Service Agreement.</p>
firewall and it showed 100s of ports as open!!!!</h4>
<p align="left"><b>Answer: </b>Take a deep breath and read the nmap man page
section about UDP scans. If nmap gets <b>nothing</b> back from
your firewall then it reports the port as open. If you want to see
which UDP ports are really open, temporarily change your net-&gt;all
policy to REJECT, restart Shorewall and do the nmap UDP scan again.</p>
section about UDP scans. If nmap gets <b>nothing</b> back
from your firewall then it reports the port as open. If you
want to see which UDP ports are really open, temporarily change
your net-&gt;all policy to REJECT, restart Shorewall and do the
nmap UDP scan again.</p>
<h4 align="left"><a name="faq5"></a>5. I've installed Shorewall and now I
can't ping through the firewall</h4>
@ -555,21 +586,26 @@ policy to REJECT, restart Shorewall and do the nmap UDP scan again.</p>
<p align="left">a) Do NOT specify 'noping' on any interface in /etc/shorewall/interfaces.<br>
b) Copy /etc/shorewall/icmp.def to /etc/shorewall/icmpdef<br>
c) Add the following to /etc/shorewall/icmpdef: </p>
c) Add the following to /etc/shorewall/icmpdef:
</p>
<blockquote>
<p align="left">run_iptables -A icmpdef -p ICMP --icmp-type echo-request
-j ACCEPT </p>
-j ACCEPT<br>
</p>
</blockquote>
For a complete description of Shorewall 'ping' management, see <a
href="ping.html">this page</a>.
<h4 align="left"><a name="faq6"></a>6. Where are the log messages written
and how do I change the destination?</h4>
<p align="left"><b>Answer: </b>NetFilter uses the kernel's equivalent of syslog
(see "man syslog") to log messages. It always uses the LOG_KERN (kern) facility
(see "man openlog") and you get to choose the log level (again, see "man
syslog") in your <a href="Documentation.htm#Policy">policies</a> and <a
href="Documentation.htm#Rules">rules</a>. The destination for messaged
<p align="left"><b>Answer: </b>NetFilter uses the kernel's equivalent of
syslog (see "man syslog") to log messages. It always uses the LOG_KERN (kern)
facility (see "man openlog") and you get to choose the log level (again,
see "man syslog") in your <a href="Documentation.htm#Policy">policies</a>
and <a href="Documentation.htm#Rules">rules</a>. The destination for messaged
logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
When you have changed /etc/syslog.conf, be sure to restart syslogd
(on a RedHat system, "service syslog restart"). </p>
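Review bot: Typo carried over into the rewrapped text: "The destination for messaged logged by syslog" should be "The destination for messages logged by syslog".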
@ -579,7 +615,8 @@ logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
-- If you want to log all messages, set: </p>
<div align="left">
<pre align="left"> LOGLIMIT=""<br> LOGBURST=""</pre>
<pre align="left"> LOGLIMIT=""<br> LOGBURST=""<br><br>Beginning with Shorewall version 1.3.12, you can <a
href="configuration_file_basics.htm#Levels">set up Shorewall to log all of its messages to a separate file</a>.<br></pre>
</div>
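Review bot: The new sentence about Shorewall 1.3.12 logging to a separate file is placed inside the <pre> block that holds the LOGLIMIT/LOGBURST settings, so it will render in monospace as if it were configuration text. Close the <pre> after the two settings and put the sentence in its own <p> after the </div>.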
<h4 align="left"><a name="faq6a"></a>6a. Are there any log parsers that work
@ -589,6 +626,7 @@ logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
</p>
<blockquote>
<p align="left"><a
href="http://www.shorewall.net/pub/shorewall/parsefw/"> http://www.shorewall.net/pub/shorewall/parsefw/</a><br>
<a href="http://www.fireparse.com">http://www.fireparse.com</a><br>
@ -598,18 +636,19 @@ logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
http://www.logwatch.org</a><br>
</p>
</blockquote>
I personnaly use Logwatch. It emails me a report each day from my various
systems with each report summarizing the logged activity on the corresponding
system. 
<h4 align="left"><a name="faq7"></a>7. When I stop Shorewall using 'shorewall
stop', I can't connect to anything. Why doesn't that command work?</h4>
<p align="left">The 'stop' command is intended to place your firewall into
a safe state whereby only those interfaces/hosts having the 'routestopped'
option in /etc/shorewall/interfaces and /etc/shorewall/hosts are activated.
If you want to totally open up your firewall, you must use the 'shorewall
clear' command. </p>
a safe state whereby only those hosts listed in /etc/shorewall/routestopped'
are activated. If you want to totally open up your firewall, you
must use the 'shorewall clear' command. </p>
<h4 align="left"><a name="faq8"></a>8. When I try to start Shorewall on RedHat
7.x, I get messages about insmod failing -- what's wrong?</h4>
<h4 align="left"><a name="faq8"></a>8. When I try to start Shorewall on RedHat,
I get messages about insmod failing -- what's wrong?</h4>
<p align="left"><b>Answer: </b>The output you will see looks something like
this:</p>
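Review bot: Two slips in this hunk: the new answer to FAQ 7 has a stray apostrophe after the file name ("/etc/shorewall/routestopped'"), and "I personnaly use Logwatch" should be "personally". The restated FAQ 7 answer is otherwise the right correction, since the 'routestopped' interface/hosts option no longer describes how the stop command decides which hosts stay reachable.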
@ -646,9 +685,9 @@ with RH7.2.</p>
</div>
<div align="left">
<p align="left"><b>Answer: </b>The above output is perfectly normal. The Net
zone is defined as all hosts that are connected through eth0 and the local
zone is defined as all hosts connected through eth1</p>
<p align="left"><b>Answer: </b>The above output is perfectly normal. The
Net zone is defined as all hosts that are connected through eth0 and the
local zone is defined as all hosts connected through eth1</p>
</div>
<h4 align="left"><a name="faq10"></a>10. What Distributions does it work
@ -664,17 +703,18 @@ with RH7.2.</p>
<h4 align="left"><a name="faq12"></a>12. Why isn't there a GUI?</h4>
<p align="left"><b>Answer: </b>Every time I've started to work on one, I find
myself doing other things. I guess I just don't care enough if Shorewall
has a GUI to invest the effort to create one myself. There are several
Shorewall GUI projects underway however and I will publish links to
them when the authors feel that they are ready. </p>
<p align="left"><b>Answer: </b>Every time I've started to work on one, I
find myself doing other things. I guess I just don't care enough if
Shorewall has a GUI to invest the effort to create one myself. There
are several Shorewall GUI projects underway however and I will publish
links to them when the authors feel that they are ready. </p>
<h4 align="left"> <a name="faq13"></a>13. Why do you call it "Shorewall"?</h4>
<p align="left"><b>Answer: </b>Shorewall is a concatenation of "<u>Shore</u>line"
(<a href="http://www.cityofshoreline.com">the city where I live</a>)
and "Fire<u>wall</u>".</p>
(<a href="http://www.cityofshoreline.com">the city where
I live</a>) and "Fire<u>wall</u>". The full name of the product
is actually "Shoreline Firewall" but "Shorewall" is must more commonly used.</p>
<h4 align="left"> <a name="faq14"></a>14. I'm connected via a cable modem
and it has an internal web server that allows me to configure/monitor
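Review bot: In the new last sentence of FAQ 13, "Shorewall" is must more commonly used" should read "is much more commonly used".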
@ -682,11 +722,12 @@ them when the authors feel that they are ready. </p>
(the internet one), it also blocks the cable modems web server.</h4>
<p align="left">Is there any way it can add a rule before the rfc1918 blocking
that will let all traffic to and from the 192.168.100.1 address of
the modem in/out but still block all other rfc1918 addresses.</p>
that will let all traffic to and from the 192.168.100.1 address
of the modem in/out but still block all other rfc1918 addresses?</p>
<p align="left"><b>Answer: </b>If you are running a version of Shorewall earlier
than 1.3.1, create /etc/shorewall/start and in it, place the following:</p>
<p align="left"><b>Answer: </b>If you are running a version of Shorewall
earlier than 1.3.1, create /etc/shorewall/start and in it, place the
following:</p>
<div align="left">
<pre> run_iptables -I rfc1918 -s 192.168.100.1 -j ACCEPT</pre>
@ -699,6 +740,7 @@ than 1.3.1, create /etc/shorewall/start and in it, place the following:</p>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber3">
<tbody>
@ -712,7 +754,9 @@ than 1.3.1, create /etc/shorewall/start and in it, place the following:</p>
</tr>
</tbody>
</table>
</blockquote>
</div>
@ -722,13 +766,14 @@ than 1.3.1, create /etc/shorewall/start and in it, place the following:</p>
</p>
<p align="left">Note: If you add a second IP address to your external firewall
interface to correspond to the modem address, you must also make an
entry in /etc/shorewall/rfc1918 for that address. For example, if you
configure the address 192.168.100.2 on your firewall, then you would
add two entries to /etc/shorewall/rfc1918: <br>
interface to correspond to the modem address, you must also make
an entry in /etc/shorewall/rfc1918 for that address. For example,
if you configure the address 192.168.100.2 on your firewall, then
you would add two entries to /etc/shorewall/rfc1918: <br>
</p>
<blockquote>
<table cellpadding="2" border="1" style="border-collapse: collapse;">
<tbody>
<tr>
@ -752,15 +797,16 @@ than 1.3.1, create /etc/shorewall/start and in it, place the following:</p>
</tbody>
</table>
</blockquote>
</div>
<div align="left">
<h4 align="left"><a name="faq14a"></a>14a. Even though it assigns public IP
addresses, my ISP's DHCP server has an RFC 1918 address. If I enable RFC
1918 filtering on my external interface, my DHCP client cannot renew its
lease.</h4>
<h4 align="left"><a name="faq14a"></a>14a. Even though it assigns public
IP addresses, my ISP's DHCP server has an RFC 1918 address. If I enable
RFC 1918 filtering on my external interface, my DHCP client cannot renew
its lease.</h4>
</div>
<div align="left">
@ -772,23 +818,26 @@ lease.</h4>
the net</h4>
<p align="left"><b>Answer: </b>Every time I read "systems can't see out to
the net", I wonder where the poster bought computers with eyes and
what those computers will "see" when things are working properly. That
aside, the most common causes of this problem are:</p>
the net", I wonder where the poster bought computers with eyes
and what those computers will "see" when things are working properly.
That aside, the most common causes of this problem are:</p>
<ol>
<li>
<p align="left">The default gateway on each local system isn't set to
the IP address of the local firewall interface.</p>
</li>
<li>
<p align="left">The entry for the local network in the /etc/shorewall/masq
file is wrong or missing.</p>
</li>
<li>
<p align="left">The DNS settings on the local systems are wrong or the
user is running a DNS server on the firewall and hasn't enabled
UDP and TCP port 53 from the firewall to the internet.</p>
@ -800,57 +849,61 @@ lease.</h4>
all over my console making it unusable!</h4>
<p align="left"><b>Answer: </b>"man dmesg" -- add a suitable 'dmesg' command
to your startup scripts or place it in /etc/shorewall/start. Under
RedHat, the max log level that is sent to the console is specified
in /etc/sysconfig/init in the LOGLEVEL variable.<br>
to your startup scripts or place it in /etc/shorewall/start.
Under RedHat, the max log level that is sent to the console
is specified in /etc/sysconfig/init in the LOGLEVEL variable.<br>
</p>
<h4><a name="faq17"></a>17. How do I find out why this is getting logged?</h4>
<b>Answer: </b>Logging occurs out of a number of chains (as
indicated in the log message) in Shorewall:<br>
<h4><a name="faq17"></a>17. How do I find out why this traffic is getting
logged?</h4>
<b>Answer: </b>Logging occurs out of a number of chains
(as indicated in the log message) in Shorewall:<br>
<ol>
<li><b>man1918 - </b>The destination address is listed in
/etc/shorewall/rfc1918 with a <b>logdrop </b>target -- see <a
<li><b>man1918 - </b>The destination address is listed
in /etc/shorewall/rfc1918 with a <b>logdrop </b>target -- see <a
href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li>
<li><b>rfc1918</b> - The source address is listed in /etc/shorewall/rfc1918
with a <b>logdrop </b>target -- see <a
<li><b>rfc1918</b> - The source address is listed in
/etc/shorewall/rfc1918 with a <b>logdrop </b>target -- see <a
href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li>
<li><b>all2&lt;zone&gt;</b>, <b>&lt;zone&gt;2all</b> or <b>all2all
</b>- You have a<a href="Documentation.htm#Policy"> policy</a> that
specifies a log level and this packet is being logged under that policy.
If you intend to ACCEPT this traffic then you need a <a
href="Documentation.htm#Rules">rule</a> to that effect.<br>
<li><b>all2&lt;zone&gt;</b>, <b>&lt;zone&gt;2all</b>
or <b>all2all </b>- You have a<a
href="Documentation.htm#Policy"> policy</a> that specifies a log level
and this packet is being logged under that policy. If you intend to
ACCEPT this traffic then you need a <a href="Documentation.htm#Rules">rule</a>
to that effect.<br>
</li>
<li><b>&lt;zone1&gt;2&lt;zone2&gt; </b>- Either you have a<a
href="Documentation.htm#Policy"> policy</a> for <b>&lt;zone1&gt; </b>to
<b>&lt;zone2&gt;</b> that specifies a log level and this packet is being
logged under that policy or this packet matches a <a
href="Documentation.htm#Rules">rule</a> that includes a log level.</li>
<li><b>&lt;interface&gt;_mac</b> - The packet is being logged under
the <b>maclist</b> <a href="Documentation.htm#Interfaces">interface
option</a>.<br>
<li><b>&lt;zone1&gt;2&lt;zone2&gt; </b>- Either you
have a<a href="Documentation.htm#Policy"> policy</a> for <b>&lt;zone1&gt;
</b>to <b>&lt;zone2&gt;</b> that specifies a log level and this
packet is being logged under that policy or this packet matches a
<a href="Documentation.htm#Rules">rule</a> that includes a log level.</li>
<li><b>&lt;interface&gt;_mac</b> - The packet is being logged
under the <b>maclist</b> <a
href="Documentation.htm#Interfaces">interface option</a>.<br>
</li>
<li><b>logpkt</b> - The packet is being logged under the <b>logunclean</b>
<a href="Documentation.htm#Interfaces">interface option</a>.</li>
<li><b>badpkt </b>- The packet is being logged under the <b>dropunclean</b>
<a href="Documentation.htm#Interfaces">interface option</a> as specified
<li><b>logpkt</b> - The packet is being logged under
the <b>logunclean</b> <a
href="Documentation.htm#Interfaces">interface option</a>.</li>
<li><b>badpkt </b>- The packet is being logged under
the <b>dropunclean</b> <a
href="Documentation.htm#Interfaces">interface option</a> as specified
in the <b>LOGUNCLEAN </b>setting in <a
href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.</li>
<li><b>blacklst</b> - The packet is being logged because the
source IP is blacklisted in the<a
<li><b>blacklst</b> - The packet is being logged because
the source IP is blacklisted in the<a
href="Documentation.htm#Blacklist"> /etc/shorewall/blacklist </a>file.</li>
<li><b>newnotsyn </b>- The packet is being logged because
it is a TCP packet that is not part of any current connection yet it
is not a syn packet. Options affecting the logging of such packets include
<b>NEWNOTSYN </b>and <b>LOGNEWNOTSYN </b>in <a
href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
<li><b>INPUT</b> or <b>FORWARD</b> - The packet has a source
IP address that isn't in any of your defined zones ("shorewall check"
and look at the printed zone definitions) or the chain is FORWARD and
the destination IP isn't in any of your defined zones.</li>
<li><b>logflags </b>- The packet is being logged because it failed the
checks implemented by the <b>tcpflags </b><a
it is a TCP packet that is not part of any current connection yet
it is not a syn packet. Options affecting the logging of such packets
include <b>NEWNOTSYN </b>and <b>LOGNEWNOTSYN </b>in
<a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
<li><b>INPUT</b> or <b>FORWARD</b> - The packet has
a source IP address that isn't in any of your defined zones ("shorewall
check" and look at the printed zone definitions) or the chain is FORWARD
and the destination IP isn't in any of your defined zones.</li>
<li><b>logflags </b>- The packet is being logged because it failed
the checks implemented by the <b>tcpflags </b><a
href="Documentation.htm#Interfaces">interface option</a>.<br>
</li>
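Review bot: Several list items put the separating space inside the anchor text rather than before it ("You have a<a href=...> policy</a>", "blacklisted in the<a href=...> /etc/shorewall/blacklist </a>file"), which renders as an underlined leading space and is easy to break when rewrapping; move the space outside the <a>. The chain list itself is the most useful part of this FAQ, so it is worth keeping its wording tidy.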
@ -858,11 +911,11 @@ the destination IP isn't in any of your defined zones.</li>
<h4><a name="faq18"></a>18. Is there any way to use <b>aliased ip addresses</b>
with Shorewall, and maintain separate rulesets for different IPs?</h4>
<b>Answer: </b>Yes. You simply use the IP address in your rules
(or if you use NAT, use the local IP address in your rules). <b>Note:</b>
The ":n" notation (e.g., eth0:0) is deprecated and will disappear eventually.
Neither iproute (ip and tc) nor iptables supports that notation so neither
does Shorewall. <br>
<b>Answer: </b>Yes. You simply use the IP address in your
rules (or if you use NAT, use the local IP address in your rules).
<b>Note:</b> The ":n" notation (e.g., eth0:0) is deprecated and will
disappear eventually. Neither iproute (ip and tc) nor iptables supports
that notation so neither does Shorewall. <br>
<br>
<b>Example 1:</b><br>
<br>
@ -903,41 +956,64 @@ how to set up rules for your server.<br>
<blockquote>
<pre>Nov 25 18:58:52 linux kernel: Shorewall:net2all:DROP:IN=eth1 OUT= MAC=00:60:1d:f0:a6:f9:00:60:1d:f6:35:50:08:00<br> SRC=206.124.146.179 DST=192.0.2.3 LEN=56 TOS=0x00 PREC=0x00 TTL=110 ID=18558 PROTO=ICMP TYPE=3 CODE=3 <br> [SRC=192.0.2.3 DST=172.16.1.10 LEN=128 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP SPT=53 DPT=2857 LEN=108 ]<br></pre>
</blockquote>
192.0.2.3 is external on my firewall... 172.16.0.0/24 is my internal LAN<br>
192.0.2.3 is external on my firewall... 172.16.0.0/24 is my internal
LAN<br>
<br>
<b>Answer: </b>While most people associate the Internet Control Message
Protocol (ICMP) with 'ping', ICMP is a key piece of  the internet. ICMP is
used to report problems back to the sender of a packet; this is what is happening
here. Unfortunately, where NAT is involved (including SNAT, DNAT and Masquerade),
there are a lot of broken implementations. That is what you are seeing with
these messages.<br>
<b>Answer: </b>While most people associate the Internet Control
Message Protocol (ICMP) with 'ping', ICMP is a key piece of  the internet.
ICMP is used to report problems back to the sender of a packet; this is
what is happening here. Unfortunately, where NAT is involved (including
SNAT, DNAT and Masquerade), there are a lot of broken implementations.
That is what you are seeing with these messages.<br>
<br>
Here is my interpretation of what is happening -- to confirm this analysis,
one out have to have packet sniffers placed a both ends of the connection.<br>
Here is my interpretation of what is happening -- to confirm this
analysis, one would have to have packet sniffers placed a both ends of
the connection.<br>
<br>
Host 172.16.1.10 behind NAT gateway 206.124.146.179 sent a UDP DNS query
to 192.0.2.3 and your DNS server tried to send a response (the response information
is in the brackets -- note source port 53 which marks this as a DNS reply).
When the response was returned to to 206.124.146.179, it rewrote the destination
IP TO 172.16.1.10 and forwarded the packet to 172.16.1.10 who no longer had
a connection on UDP port 2857. This causes a port unreachable (type 3, code
3) to be generated back to 192.0.2.3. As this packet is sent back through
206.124.146.179, that box correctly changes the source address in the packet
to 206.124.146.179 but doesn't reset the DST IP in the original DNS response
similarly. When the ICMP reaches your firewall (192.0.2.3), your firewall
has no record of having sent a DNS reply to 172.16.1.10 so this ICMP doesn't
appear to be related to anything that was sent. The final result is that the
packet gets logged and dropped in the all2all chain. I have also seen cases
where the source IP in the ICMP itself isn't set back to the external IP
of the remote NAT gateway; that causes your firewall to log and drop the packet
out of the rfc1918 chain because the source IP is reserved by RFC 1918.<br>
Host 172.16.1.10 behind NAT gateway 206.124.146.179 sent a UDP DNS
query to 192.0.2.3 and your DNS server tried to send a response (the
response information is in the brackets -- note source port 53 which marks
this as a DNS reply). When the response was returned to to 206.124.146.179,
it rewrote the destination IP TO 172.16.1.10 and forwarded the packet to
172.16.1.10 who no longer had a connection on UDP port 2857. This causes
a port unreachable (type 3, code 3) to be generated back to 192.0.2.3.
As this packet is sent back through 206.124.146.179, that box correctly
changes the source address in the packet to 206.124.146.179 but doesn't
reset the DST IP in the original DNS response similarly. When the ICMP
reaches your firewall (192.0.2.3), your firewall has no record of having
sent a DNS reply to 172.16.1.10 so this ICMP doesn't appear to be related
to anything that was sent. The final result is that the packet gets logged
and dropped in the all2all chain. I have also seen cases where the source
IP in the ICMP itself isn't set back to the external IP of the remote NAT
gateway; that causes your firewall to log and drop the packet out of the
rfc1918 chain because the source IP is reserved by RFC 1918.<br>
<h4><a name="faq22"></a><b>22. </b>I have some <b>iptables commands </b>that
I want to <b>run when Shorewall starts.</b> Which file do I put them in?</h4>
You can place these commands in one of the <a
href="shorewall_extension_scripts.htm">Shorewall Extension Scripts</a>. Be
sure that you look at the contents of the chain(s) that you will be modifying
with your commands to be sure that the commands will do what they are intended.
Many iptables commands published in HOWTOs and other instructional material
use the -A command which adds the rules to the end of the chain. Most chains
that Shorewall constructs end with an unconditional DROP, ACCEPT or REJECT
rule and any rules that you add after that will be ignored. Check "man iptables"
and look at the -I (--insert) command.<br>
<br>
<div align="left"> </div>
<font size="2">Last updated 11/25/2002 - <a href="support.htm">Tom
Eastep</a></font>
<font size="2">Last updated 12/13/2002 - <a
href="support.htm">Tom Eastep</a></font>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
</p>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
</body>
</html>
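Review bot: The analysis in FAQ 21 says the ICMP packet "gets logged and dropped in the all2all chain", but the quoted log line shows "Shorewall:net2all:DROP"; the explanation should name the chain that actually appears in the message, since readers use this FAQ to map chain names to causes. Smaller fixes in the same hunk: "placed a both ends" should be "placed at both ends", "returned to to 206.124.146.179" doubles "to", "rewrote the destination IP TO" has stray capitals, and "a key piece of  the internet" carries a double (non-breaking) space.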

View File

@ -29,13 +29,17 @@
Beginning with Shorewall version 1.3.10, all traffic from an interface
or from a subnet on an interface can be verified to originate from a defined
set of MAC addresses. Furthermore, each MAC address may be optionally associated
with one or more IP addresses. There are four components to this facility.<br>
with one or more IP addresses. <br>
<br>
<b>You must have the iproute package (ip utility) installed to use MAC Verification.</b><br>
<br>
There are four components to this facility.<br>
<ol>
<li>The <b>maclist</b> interface option in <a
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. When this
option is specified, all traffic arriving on the interface is subjet to MAC
verification.</li>
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. When
this option is specified, all traffic arriving on the interface is subjet
to MAC verification.</li>
<li>The <b>maclist </b>option in <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>.
When this option is specified for a subnet, all traffic from that subnet
is subject to MAC verification.</li>
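Review bot: "subjet to MAC verification" in the rewrapped first list item should be "subject to MAC verification"; the second item already spells it correctly.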
@ -43,19 +47,20 @@ is subject to MAC verification.</li>
MAC addresses with interfaces and to optionally associate IP addresses with
MAC addresses.</li>
<li>The <b>MACLIST_DISPOSITION </b>and <b>MACLIST_LOG_LEVEL </b>variables
in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a> The
MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT and determines
the disposition of connection requests that fail MAC verification. The MACLIST_LOG_LEVEL
variable gives the syslogd level at which connection requests that fail verification
are to be logged. If set the the empty value (e.g., MACLIST_LOG_LEVEL="")
then failing connection requests are not logged.<br>
in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a>
The MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT and
determines the disposition of connection requests that fail MAC verification.
The MACLIST_LOG_LEVEL variable gives the syslogd level at which connection
requests that fail verification are to be logged. If set the the empty value
(e.g., MACLIST_LOG_LEVEL="") then failing connection requests are not logged.<br>
</li>
</ol>
The columns in /etc/shorewall/maclist are:<br>
<ul>
<li>INTERFACE - The name of an ethernet interface on the Shorewall system.</li>
<li>INTERFACE - The name of an ethernet interface on the Shorewall
system.</li>
<li>MAC - The MAC address of a device on the ethernet segment connected
by INTERFACE. It is not necessary to use the Shorewall MAC format in this
column although you may use that format if you so choose.</li>
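Review bot: "If set the the empty value (e.g., MACLIST_LOG_LEVEL="")" should read "If set to the empty value"; the doubled "the" survives in both the old and the rewrapped text.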
@ -80,8 +85,8 @@ MAC addresses.</li>
<h3>Example 2: Router in Local Zone</h3>
Suppose now that I add a second ethernet segment to my local zone and
gateway that segment via a router with MAC address 00:06:43:45:C6:15 and
IP address 192.168.1.253. Hosts in the second segment have IP addresses
in the subnet 192.168.2.0/24. I would add the following entry to my /etc/shorewall/maclist
IP address 192.168.1.253. Hosts in the second segment have IP addresses in
the subnet 192.168.2.0/24. I would add the following entry to my /etc/shorewall/maclist
file:<br>
<pre> eth2 00:06:43:45:C6:15 192.168.1.253,192.168.2.0/24<br></pre>
@ -90,7 +95,7 @@ and from the second LAN segment (192.168.2.0/24). Remember that all traffic
being sent to my firewall from the 192.168.2.0/24 segment will be forwarded
by the router so that traffic's MAC address will be that of the router (00:06:43:45:C6:15)
and not that of the host sending the traffic.
<p><font size="2"> Updated 10/23/2002 - <a href="support.htm">Tom Eastep</a>
<p><font size="2"> Updated 12/22/2002 - <a href="support.htm">Tom Eastep</a>
</font></p>
@ -102,5 +107,6 @@ by the router so that traffic's MAC address will be that of the router (00:06:43
<br>
<br>
<br>
<br>
</body>
</html>

File diff suppressed because it is too large


View File

@ -0,0 +1,92 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Shorewall Certificate Authority</title>
<meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Certificate Authority
(CA) Certificate</font></h1>
</td>
</tr>
</tbody>
</table>
<br>
Given that I develop and support Shorewall without asking for any renumeration,
I can hardly justify paying $200US+ a year to a Certificate Authority such
as Thawte (A Division of VeriSign) for an X.509 certificate to prove that
I am who I am. I have therefore established my own Certificate Authority (CA)
and sign my own X.509 certificates. I use these certificates on my web server
(<a href="http://www.shorewall.net">http://www.shorewall.net</a>) as well
as on my mail server (mail.shorewall.net).<br>
<br>
X.509 certificates are the basis for the Secure Socket Layer (SSL). As part
of establishing an SSL session (URL https://...), your browser verifies the
X.509 certificate supplied by the HTTPS server against the set of Certificate
Authority Certificates that were shipped with your browser. It is expected
that the server's certificate was issued by one of the authorities whose identities
are known to your browser. <br>
<br>
This mechanism, while supposedly guaranteeing that when you connect to https://www.foo.bar
you are REALLY connecting to www.foo.bar, means that the CAs literally have
a license to print money -- they are selling a string of bits (an X.509 certificate)
for $200US+ per year!!!I <br>
<br>
I wish that I had decided to become a CA rather that designing and writing
Shorewall.<br>
<br>
What does this mean to you? It means that the X.509 certificate that my
server will present to your browser will not have been signed by one of the
authorities known to your browser. If you try to connect to my server using
SSL, your browser will frown and give you a dialog box asking if you want
to accept the sleezy X.509 certificate being presented by my server. <br>
<br>
There are two things that you can do:<br>
<ol>
<li>You can accept the www.shorewall.net certificate when your browser
asks -- your acceptence of the certificate can be temporary (for that access
only) or perminent.</li>
<li>You can download and install <a href="ca.crt">my (self-signed) CA
certificate.</a> This will make my Certificate Authority known to your browser
so that it will accept any certificate signed by me. <br>
</li>
</ol>
What are the risks?<br>
<ol>
<li>If you install my CA certificate then you assume that I am trustworthy
and that Shorewall running on your firewall won't redirect HTTPS requests
intented to go to your bank's server to one of my systems that will present
your browser with a bogus certificate claiming that my server is that of
your bank.</li>
<li>If you only accept my server's certificate when prompted then the
most that you have to loose is that when you connect to https://www.shorewall.net,
the server you are connecting to might not be mine.</li>
</ol>
I have my CA certificate loaded into all of my browsers but I certainly
won't be offended if you decline to load it into yours... :-)<br>
<p align="left"><font size="2">Last Updated 11/14/2002 - Tom Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> &copy; <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
</body>
</html>
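Review bot: the first "risk" item ("If you install my CA certificate then you assume that I am trustworthy and that Shorewall running on your firewall won't redirect HTTPS requests intented to go to your bank's server...") understates what installing a root certificate means. Once ca.crt is trusted, the browser accepts a certificate for any hostname that is signed with the CA's private key, with no Shorewall involvement at all; the exposure is to whoever holds that key, including anyone who steals it from the signing machine, and it covers every HTTPS site the reader visits, not only www.shorewall.net. Suggest saying that plainly, and publishing the CA certificate's fingerprint on this page so a reader can verify the downloaded ca.crt out of band before installing it instead of just clicking through. The same page should also note that option 1 (accepting the server certificate when prompted) is only as good as the reader's check of that certificate, since an attacker on the path can present a different self-signed certificate and the browser dialog looks identical. Spelling in this new file: "renumeration" (remuneration), "per year!!!I" (stray "I"), "rather that" (rather than), "sleezy" (sleazy), "acceptence" (acceptance), "perminent" (permanent), "intented" (intended), "to loose" (to lose).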

View File

@ -49,8 +49,8 @@
<li> <a href="shorewall_quickstart_guide.htm">QuickStart
Guides (HOWTOs)</a><br>
</li>
<li> <a
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></li>
<li> <b><a
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li>
<li> <a href="Documentation.htm">Reference Manual</a></li>
<li> <a href="FAQ.htm">FAQs</a></li>
<li><a href="useful_links.html">Useful Links</a><br>
@ -139,5 +139,6 @@
<br>
<br>
<br>
<br>
</body>
</html>

View File

@ -0,0 +1,145 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Index</title>
<base target="main">
<meta name="Microsoft Theme" content="none">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#4b017c" height="90">
<tbody>
<tr>
<td width="100%" height="90">
<h3 align="center"><font color="#ffffff">Shorewall</font></h3>
</td>
</tr>
<tr>
<td width="100%" bgcolor="#ffffff">
<ul>
<li> <a href="seattlefirewall_index.htm">Home</a></li>
<li> <a
href="shorewall_features.htm">Features</a></li>
<li> <a href="shorewall_prerequisites.htm">Requirements</a></li>
<li> <a href="download.htm">Download</a><br>
</li>
<li> <a href="Install.htm">Installation/Upgrade/</a><br>
<a href="Install.htm">Configuration</a><br>
</li>
<li> <a href="shorewall_quickstart_guide.htm">QuickStart
Guides (HOWTOs)</a><br>
</li>
<li> <b><a
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li>
<li> <a href="Documentation.htm">Reference Manual</a></li>
<li> <a href="FAQ.htm">FAQs</a></li>
<li><a href="useful_links.html">Useful Links</a><br>
</li>
<li> <a href="troubleshoot.htm">Troubleshooting</a></li>
<li> <a href="errata.htm">Errata</a></li>
<li> <a href="upgrade_issues.htm">Upgrade Issues</a></li>
<li> <a href="support.htm">Support</a></li>
<li> <a href="mailing_list.htm">Mailing Lists</a></li>
<li> <a href="shorewall_mirrors.htm">Mirrors</a>
<ul>
<li><a target="_top"
href="http://slovakia.shorewall.net">Slovak Republic</a></li>
<li><a target="_top"
href="http://shorewall.infohiiway.com">Texas, USA</a></li>
<li><a target="_top"
href="http://germany.shorewall.net">Germany</a></li>
<li><a target="_top"
href="http://shorewall.correofuego.com.ar">Argentina</a></li>
<li><a target="_top"
href="http://france.shorewall.net">France</a></li>
<li><a href="http://www.shorewall.net" target="_top">Washington
State, USA</a><br>
</li>
</ul>
</li>
</ul>
<ul>
<li> <a href="News.htm">News Archive</a></li>
<li> <a href="Shorewall_CVS_Access.html">CVS
Repository</a></li>
<li> <a href="quotes.htm">Quotes from Users</a></li>
<li> <a href="shoreline.htm">About the Author</a></li>
<li> <a
href="sourceforge_index.htm#Donations">Donations</a></li>
</ul>
</td>
</tr>
</tbody>
</table>
<form method="post" action="http://www.shorewall.net/cgi-bin/htsearch">
<strong><br>
<b>Note: </b></strong>Search is unavailable Daily 0200-0330
GMT.<br>
<strong></strong>
<p><strong>Quick Search</strong><br>
<font face="Arial" size="-1"> <input
type="text" name="words" size="15"></font><font size="-1"> </font> <font
face="Arial" size="-1"> <input type="hidden" name="format"
value="long"> <input type="hidden" name="method" value="and"> <input
type="hidden" name="config" value="htdig"> <input type="submit"
value="Search"></font> </p>
<font face="Arial"> <input type="hidden"
name="exclude" value="[http://www.shorewall.net/pipermail/*]"> </font>
</form>
<p><b><a href="http://www.shorewall.net/htdig/search.html">Extended Search</a></b></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
<p><a href="http://www.shorewall.net" target="_top"> </a><br>
</p>
<br>
<br>
<br>
<br>
<br>
</body>
</html>
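Review bot: the anchor `<a href="http://www.shorewall.net" target="_top"> </a>` near the end of this new file has no link text and renders as an invisible link; either give it text or drop it. Two consistency points against the sibling pages in this commit: the copyright sign is written as a raw "©" character under a declared windows-1252 charset, while the CA page uses the `&copy;` entity, which survives re-encoding and should be used here too; and the search form's action is the absolute URL http://www.shorewall.net/cgi-bin/htsearch, so every mirror listed in this same file (Slovak Republic, Texas, Germany, Argentina, France) will send its visitors' searches back to the Washington State site, which is worth a sentence next to the "Search is unavailable Daily 0200-0330 GMT" note.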

View File

@ -1,40 +1,60 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>VPN</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">VPN</font></h1>
<h1 align="center"><font color="#ffffff">VPN</font></h1>
</td>
</tr>
</tbody>
</table>
<p>It is often the case that a system behind the firewall needs to be able to
access a remote network through Virtual Private Networking (VPN). The two most
common means for doing this are IPSEC and PPTP. The basic setup is shown in the
following diagram:</p>
<p align="center"><img border="0" src="images/VPN.png" width="568" height="796"></p>
<p>It is often the case that a system behind the firewall needs to be able
to access a remote network through Virtual Private Networking (VPN). The
two most common means for doing this are IPSEC and PPTP. The basic setup
is shown in the following diagram:</p>
<p align="center"><img border="0" src="images/VPN.png" width="568"
height="796">
</p>
<p align="left">A system with an RFC 1918 address needs to access a remote
network through a remote gateway. For this example, we will assume that the
local system has IP address 192.168.1.12 and that the remote gateway has IP
address 192.0.2.224.</p>
<p align="left">If PPTP is being used, there are no firewall requirements beyond
the default loc-&gt;net ACCEPT policy. There is one restriction however: Only one
local system at a time can be connected to a single remote gateway unless you
patch your kernel from the 'Patch-o-matic' patches available at
<a href="http://www.netfilter.org">http://www.netfilter.org</a>. </p>
<p align="left">If IPSEC is being used then there are firewall configuration
requirements as follows:</p>
network through a remote gateway. For this example, we will assume that
the local system has IP address 192.168.1.12 and that the remote gateway
has IP address 192.0.2.224.</p>
<p align="left">If PPTP is being used, there are no firewall requirements
beyond the default loc-&gt;net ACCEPT policy. There is one restriction however:
Only one local system at a time can be connected to a single remote gateway
unless you patch your kernel from the 'Patch-o-matic' patches available
at <a href="http://www.netfilter.org">http://www.netfilter.org</a>. </p>
<p align="left">If IPSEC is being used then only one system may connect to
the remote gateway and there are firewall configuration requirements as
follows:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse" bordercolor="#111111" id="AutoNumber2" height="98">
<table border="1" cellpadding="2" style="border-collapse: collapse;"
bordercolor="#111111" id="AutoNumber2" height="98">
<tbody>
<tr>
<td height="38"><u><b>ACTION</b></u></td>
<td height="38"><u><b>SOURCE</b></u></td>
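Review bot: the new sentence "If IPSEC is being used then only one system may connect to the remote gateway" states the restriction without its reason, whereas the PPTP paragraph just above explains its one-client limit (Patch-o-matic). The reason is visible in the table that follows: the two DNAT rules send all protocol 50 (ESP) and all udp 500 (IKE) traffic from net:192.0.2.224 to the single host loc:192.168.1.12, so a second local host can never receive its own return traffic from that gateway. Suggest saying so, and making clear that unlike the PPTP case this is a consequence of the DNAT mapping rather than something a kernel patch removes; the closing paragraph's advice to run the VPN client on the firewall is the actual fix for multiple local systems.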
@ -51,9 +71,9 @@ requirements as follows:</p>
<td height="19">net:192.0.2.224</td>
<td height="19">loc:192.168.1.12</td>
<td height="19">50</td>
<td height="19">&nbsp;</td>
<td height="19">&nbsp;</td>
<td height="19">&nbsp;</td>
<td height="19"> </td>
<td height="19"> </td>
<td height="19"> </td>
</tr>
<tr>
<td height="19">DNAT</td>
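Review bot: the three empty cells in this hunk (and the two cells plus `<p> </p>` in the next one) had their `&nbsp;` entities replaced by literal non-breaking-space characters. That ties the file to the declared windows-1252 charset: re-saving it as UTF-8 or serving it with a different charset header turns the padding into garbage, and it is invisible in a text editor so nobody will notice until then. Keep the `&nbsp;` entity; the rendering is identical.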
@ -61,21 +81,24 @@ requirements as follows:</p>
<td height="19">loc:192.168.1.12</td>
<td height="19">udp</td>
<td height="19">500</td>
<td height="19">&nbsp;</td>
<td height="19">&nbsp;</td>
<td height="19"> </td>
<td height="19"> </td>
</tr>
</tbody>
</table>
</blockquote>
<p>If you want to be able to give access to all of your local systems to the
remote network, you should consider running a VPN client on your firewall. As
starting points, see
<a href="http://www.shorewall.net/Documentation.htm#Tunnels">
http://www.shorewall.net/Documentation.htm#Tunnels</a> or
<a href="http://www.shorewall.net/PPTP.htm">http://www.shorewall.net/PPTP.htm</a>.</p>
<p><font size="2">Last modified 8/27/2002 - <a href="support.htm">Tom
Eastep</a></font><p><font face="Trebuchet MS"><a href="copyright.htm">
<font size="2">Copyright</font> © <font size="2">2002 Thomas M. Eastep.</font></a></font><p>&nbsp;</p>
<p>If you want to be able to give access to all of your local systems to
the remote network, you should consider running a VPN client on your firewall.
As starting points, see <a
href="http://www.shorewall.net/Documentation.htm#Tunnels"> http://www.shorewall.net/Documentation.htm#Tunnels</a>
or <a href="http://www.shorewall.net/PPTP.htm">http://www.shorewall.net/PPTP.htm</a>.</p>
<p><font size="2">Last modified 12/21/2002 - <a href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"> <font size="2">Copyright</font>
© <font size="2">2002 Thomas M. Eastep.</font></a></font></p>
<p> </p>
<br>
</body>
</html>

View File

@ -20,6 +20,7 @@
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Configuration Files</font></h1>
</td>
</tr>
@ -38,46 +39,56 @@
<p>Shorewall's configuration files are in the directory /etc/shorewall.</p>
<ul>
<li>/etc/shorewall/shorewall.conf - used to set several firewall
parameters.</li>
<li>/etc/shorewall/params - use this file to set shell variables
that you will expand in other files.</li>
<li>/etc/shorewall/zones - partition the firewall's view of
the world into <i>zones.</i></li>
<li>/etc/shorewall/shorewall.conf - used to set several
firewall parameters.</li>
<li>/etc/shorewall/params - use this file to set shell
variables that you will expand in other files.</li>
<li>/etc/shorewall/zones - partition the firewall's
view of the world into <i>zones.</i></li>
<li>/etc/shorewall/policy - establishes firewall high-level
policy.</li>
<li>/etc/shorewall/interfaces - describes the interfaces on
the firewall system.</li>
<li>/etc/shorewall/hosts - allows defining zones in terms of
individual hosts and subnetworks.</li>
<li>/etc/shorewall/masq - directs the firewall where to use
many-to-one (dynamic) Network Address Translation (a.k.a. Masquerading)
and Source Network Address Translation (SNAT).</li>
<li>/etc/shorewall/modules - directs the firewall to load kernel
modules.</li>
<li>/etc/shorewall/interfaces - describes the interfaces
on the firewall system.</li>
<li>/etc/shorewall/hosts - allows defining zones in
terms of individual hosts and subnetworks.</li>
<li>/etc/shorewall/masq - directs the firewall where
to use many-to-one (dynamic) Network Address Translation (a.k.a.
Masquerading) and Source Network Address Translation (SNAT).</li>
<li>/etc/shorewall/modules - directs the firewall to
load kernel modules.</li>
<li>/etc/shorewall/rules - defines rules that are exceptions
to the overall policies established in /etc/shorewall/policy.</li>
<li>/etc/shorewall/nat - defines static NAT rules.</li>
<li>/etc/shorewall/proxyarp - defines use of Proxy ARP.</li>
<li>/etc/shorewall/routestopped (Shorewall 1.3.4 and later)
- defines hosts accessible when Shorewall is stopped.</li>
<li>/etc/shorewall/tcrules - defines marking of packets for
later use by traffic control/shaping or policy routing.</li>
<li>/etc/shorewall/tos - defines rules for setting the TOS
field in packet headers.</li>
<li>/etc/shorewall/tunnels - defines IPSEC, GRE and IPIP tunnels
with end-points on the firewall system.</li>
<li>/etc/shorewall/proxyarp - defines use of Proxy
ARP.</li>
<li>/etc/shorewall/routestopped (Shorewall 1.3.4 and
later) - defines hosts accessible when Shorewall is stopped.</li>
<li>/etc/shorewall/tcrules - defines marking of packets
for later use by traffic control/shaping or policy routing.</li>
<li>/etc/shorewall/tos - defines rules for setting
the TOS field in packet headers.</li>
<li>/etc/shorewall/tunnels - defines IPSEC, GRE and
IPIP tunnels with end-points on the firewall system.</li>
<li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC
addresses.</li>
<li>/etc/shorewall/init - commands that you wish to execute at the beginning
of a "shorewall start" or "shorewall restart".</li>
<li>/etc/shorewall/start - commands that you wish to execute at the completion
of a "shorewall start" or "shorewall restart"</li>
<li>/etc/shorewall/stop - commands that you wish to execute at the beginning
of a "shorewall stop".</li>
<li>/etc/shorewall/stopped - commands that you wish to execute at the
completion of a "shorewall stop".<br>
</li>
</ul>
<h2>Comments</h2>
<p>You may place comments in configuration files by making the first non-whitespace
character a pound sign ("#"). You may also place comments at the
end of any line, again by delimiting the comment from the rest of
the line with a pound sign.</p>
character a pound sign ("#"). You may also place comments at
the end of any line, again by delimiting the comment from the rest
of the line with a pound sign.</p>
<p>Examples:</p>
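Review bot: the four new entries (/etc/shorewall/init, start, stop, stopped) describe the files as "commands that you wish to execute" but not how they are run. Since the shorewall script has to run as root to load iptables rules, the commands in these files run as root at every start, restart and stop, so the list should state that they are shell commands sourced by the firewall script and that the files must be owned by root and not writable by group or others; a writable hook file is a root command-execution path for whoever can write it. Minor: the "/etc/shorewall/start" entry is missing its terminating period, and the init entry in the companion Lrp/etc/shorewall/init file in this commit would be the natural place to repeat the permissions warning.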
@ -100,38 +111,41 @@ the line with a pound sign.</p>
<p align="left"><b>WARNING: I personally recommend strongly <u>against</u>
using DNS names in Shorewall configuration files. If you use DNS names
and you are called out of bed at 2:00AM because Shorewall won't start as
a result of DNS problems then don't say that you were not forewarned. <br>
and you are called out of bed at 2:00AM because Shorewall won't start
as a result of DNS problems then don't say that you were not forewarned.
<br>
</b></p>
<p align="left"><b>    -Tom<br>
</b></p>
<p align="left">Beginning with Shorwall 1.3.9, Host addresses in Shorewall
configuration files may be specified either as IP addresses or as DNS Names.<br>
configuration files may be specified as either IP addresses or DNS
Names.<br>
<br>
DNS names in iptables rules aren't nearly as useful as they first appear.
When a DNS name appears in a rule, the iptables utility resolves the name
to one or more IP addresses and inserts those addresses into the rule.
So change in the DNS-&gt;IP address relationship that occur after the firewall
has started have absolutely no effect on the firewall's ruleset. </p>
DNS names in iptables rules aren't nearly as useful as they
first appear. When a DNS name appears in a rule, the iptables utility
resolves the name to one or more IP addresses and inserts those addresses
into the rule. So changes in the DNS-&gt;IP address relationship that
occur after the firewall has started have absolutely no effect on the
firewall's ruleset. </p>
<p align="left"> If your firewall rules include DNS names then:</p>
<ul>
<li>If your /etc/resolv.conf is wrong then your firewall won't
start.</li>
<li>If your /etc/nsswitch.conf is wrong then your firewall won't
start.</li>
<li>If your Name Server(s) is(are) down then your firewall won't
start.</li>
<li>If your startup scripts try to start your firewall before starting
your DNS server then your firewall won't start.<br>
<li>If your /etc/nsswitch.conf is wrong then your firewall
won't start.</li>
<li>If your Name Server(s) is(are) down then your firewall
won't start.</li>
<li>If your startup scripts try to start your firewall before
starting your DNS server then your firewall won't start.<br>
</li>
<li>Factors totally outside your control (your ISP's router is
down for example), can prevent your firewall from starting.</li>
<li>You must bring up your network interfaces prior to starting your
firewall.<br>
<li>Factors totally outside your control (your ISP's router
is down for example), can prevent your firewall from starting.</li>
<li>You must bring up your network interfaces prior to starting
your firewall.<br>
</li>
</ul>
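Review bot: the list of ways DNS names can stop the firewall from starting is missing the one consequence that matters most for security, which follows directly from "the iptables utility resolves the name to one or more IP addresses and inserts those addresses into the rule": the ruleset is only as trustworthy as the DNS answer received at start time. A spoofed or poisoned answer for a name used in an ACCEPT or DNAT rule puts the attacker's address into the firewall, and because later DNS changes "have absolutely no effect on the firewall's ruleset" it stays there until the next restart. Suggest adding that as a bullet under "If your firewall rules include DNS names then:". Also "Beginning with Shorwall 1.3.9" (unchanged context line) should read "Shorewall".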
@ -146,7 +160,7 @@ So change in the DNS-&gt;IP address relationship that occur after the firewall
<ul>
<li>mail.shorewall.net</li>
<li>shorewall.net.</li>
<li>shorewall.net. (note the trailing period).</li>
</ul>
Examples of invalid DNS names:<br>
@ -159,14 +173,14 @@ So change in the DNS-&gt;IP address relationship that occur after the firewall
DNS names may not be used as:<br>
<ul>
<li>The server address in a DNAT rule (/etc/shorewall/rules file)</li>
<li>The server address in a DNAT rule (/etc/shorewall/rules
file)</li>
<li>In the ADDRESS column of an entry in /etc/shorewall/masq.</li>
<li>In the /etc/shorewall/nat file.</li>
</ul>
These are iptables restrictions and are not simply imposed for your
inconvenience by Shorewall. <br>
<br>
These restrictions are not imposed by Shorewall simply for
your inconvenience but are rather limitations of iptables.<br>
<h2>Complementing an Address or Subnet</h2>
@ -187,7 +201,8 @@ no white space following the "!".</p>
<li>If you use line continuation to break a comma-separated
list, the continuation line(s) must begin in column 1 (or there
would be embedded white space)</li>
<li>Entries in a comma-separated list may appear in any order.</li>
<li>Entries in a comma-separated list may appear in
any order.</li>
</ul>
@ -218,6 +233,7 @@ would be embedded white space)</li>
<p>Example:</p>
<blockquote>
<pre>NET_IF=eth0<br>NET_BCAST=130.252.100.255<br>NET_OPTIONS=noping,norfc1918</pre>
</blockquote>
@ -225,7 +241,9 @@ would be embedded white space)</li>
Example (/etc/shorewall/interfaces record):</p>
<font
face="Century Gothic, Arial, Helvetica">
<blockquote>
<pre><font face="Courier">net $NET_IF $NET_BCAST $NET_OPTIONS</font></pre>
</blockquote>
</font>
@ -233,7 +251,9 @@ would be embedded white space)</li>
<p>The result will be the same as if the record had been written</p>
<font
face="Century Gothic, Arial, Helvetica">
<blockquote>
<pre>net eth0 130.252.100.255 noping,norfc1918</pre>
</blockquote>
</font>
@ -251,50 +271,150 @@ would be embedded white space)</li>
<p>MAC addresses are 48 bits wide and each Ethernet Controller has a
unique MAC address.<br>
<br>
In GNU/Linux, MAC addresses are usually written as a series of
6 hex numbers separated by colons. Example:<br>
In GNU/Linux, MAC addresses are usually written as a
series of 6 hex numbers separated by colons. Example:<br>
<br>
     [root@gateway root]# ifconfig eth0<br>
     eth0 Link encap:Ethernet HWaddr <b><u>02:00:08:E3:FA:55</u></b><br>
     inet addr:206.124.146.176 Bcast:206.124.146.255 Mask:255.255.255.0<br>
     inet addr:206.124.146.176 Bcast:206.124.146.255
Mask:255.255.255.0<br>
     UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br>
     RX packets:2398102 errors:0 dropped:0 overruns:0 frame:0<br>
     TX packets:3044698 errors:0 dropped:0 overruns:0 carrier:0<br>
     RX packets:2398102 errors:0 dropped:0 overruns:0
frame:0<br>
     TX packets:3044698 errors:0 dropped:0 overruns:0
carrier:0<br>
     collisions:30394 txqueuelen:100<br>
     RX bytes:419871805 (400.4 Mb) TX bytes:1659782221 (1582.8
Mb)<br>
     RX bytes:419871805 (400.4 Mb) TX bytes:1659782221
(1582.8 Mb)<br>
     Interrupt:11 Base address:0x1800<br>
<br>
Because Shorewall uses colons as a separator for address fields,
Shorewall requires MAC addresses to be written in another way. In
Shorewall, MAC addresses begin with a tilde ("~") and consist of
6 hex numbers separated by hyphens. In Shorewall, the MAC address
in the example above would be written "~02-00-08-E3-FA-55".<br>
Because Shorewall uses colons as a separator for address
fields, Shorewall requires MAC addresses to be written in another
way. In Shorewall, MAC addresses begin with a tilde ("~") and
consist of 6 hex numbers separated by hyphens. In Shorewall, the
MAC address in the example above would be written "~02-00-08-E3-FA-55".<br>
</p>
<p><b>Note: </b>It is not necessary to use the special Shorewall notation
in the <a href="MAC_Validation.html">/etc/shorewall/maclist</a> file.<br>
</p>
<h2><a name="Levels"></a>Logging</h2>
By default, Shorewall directs NetFilter to log using syslog (8). Syslog
classifies log messages by a <i>facility</i> and a <i>priority</i> (using
the notation <i>facility.priority</i>). <br>
<br>
The facilities defined by syslog are <i>auth, authpriv, cron, daemon,
kern, lpr, mail, mark, news, syslog, user, uucp</i> and <i>local0</i> through
<i>local7</i>.<br>
<br>
Throughout the Shorewall documentation, I will use the term <i>level</i>
rather than <i>priority</i> since <i>level</i> is the term used by NetFilter.
The syslog documentation uses the term <i>priority</i>.<br>
<h3>Syslog Levels<br>
</h3>
Syslog levels are a method of describing to syslog (8) the importance
of a message and a number of Shorewall parameters have a syslog level
as their value.<br>
<br>
Valid levels are:<br>
<br>
       7       debug<br>
       6       info<br>
       5       notice<br>
       4       warning<br>
       3       err<br>
       2       crit<br>
       1       alert<br>
       0       emerg<br>
<br>
For most Shorewall logging, a level of 6 (info) is appropriate. Shorewall
log messages are generated by NetFilter and are logged using the <i>kern</i>
facility and the level that you specify. If you are unsure of the level
to choose, 6 (info) is a safe bet. You may specify levels by name or by
number.<br>
<br>
Syslogd writes log messages to files (typically in /var/log/*) based
on their facility and level. The mapping of these facility/level pairs to
log files is done in /etc/syslog.conf (5). If you make changes to this file,
you must restart syslogd before the changes can take effect.<br>
<h3>Configuring a Separate Log for Shorewall Messages</h3>
There are a couple of limitations to syslogd-based logging:<br>
<ol>
<li>If you give, for example, kern.info it's own log destination then
that destination will also receive all kernel messages of levels 5 (notice)
through 0 (emerg).</li>
<li>All kernel.info messages will go to that destination and not just
those from NetFilter.<br>
</li>
</ol>
Beginning with Shorewall version 1.3.12, if your kernel has ULOG target
support (and most vendor-supplied kernels do), you may also specify a log
level of ULOG (must be all caps). When ULOG is used, Shorewall will direct
netfilter to log the related messages via the ULOG target which will send
them to a process called 'ulogd'. The ulogd program is available from http://www.gnumonks.org/projects/ulogd
and can be configured to log all Shorewall message to their own log file.<br>
<br>
Download the ulod tar file and:<br>
<ol>
<li>cd /usr/local/src (or wherever you do your builds)</li>
<li>tar -zxf <i>source-tarball-that-you-downloaded</i></li>
<li>cd ulogd-<i>version</i><br>
</li>
<li>./configure</li>
<li>make</li>
<li>make install<br>
</li>
</ol>
If you are like me and don't have a development environment on your firewall,
you can do the first five steps on another system then either NFS mount your
/usr/local/src directory or tar up the /usr/local/src/ulogd-<i>version</i>
directory and move it to your firewall system.<br>
<br>
Now on the firewall system, edit /usr/local/etc/ulogd.conf and set:<br>
<ol>
<li>syslogfile <i>&lt;file that you wish to log to&gt;</i></li>
<li>syslogsync 1</li>
</ol>
I also copied the file /usr/local/src/ulogd-<i>version</i>/ulogd.init to
/etc/init.d/ulogd. I had to edit the line that read "daemon /usr/local/sbin/ulogd"
to read daemon /usr/local/sbin/ulogd -d". On a RedHat system, a simple "chkconfig
--level 3 ulogd on" starts ulogd during boot up. Your init system may need
something else done to activate the script.<br>
<br>
Finally edit /etc/shorewall/shorewall.conf and set LOGFILE=<i>&lt;file that
you wish to log to&gt;</i>. This tells the /sbin/shorewall program where to
look for the log when processing its "show log", "logwatch" and "monitor"
commands.<br>
<h2><a name="Configs"></a>Shorewall Configurations</h2>
<p> Shorewall allows you to have configuration directories other than /etc/shorewall.
The <a href="starting_and_stopping_shorewall.htm">shorewall start and restart</a>
commands allow you to specify an alternate configuration directory
and Shorewall will use the files in the alternate directory rather than
the corresponding files in /etc/shorewall. The alternate directory need
not contain a complete configuration; those files not in the alternate directory
will be read from /etc/shorewall.</p>
The <a href="starting_and_stopping_shorewall.htm">shorewall start and
restart</a> commands allow you to specify an alternate configuration
directory and Shorewall will use the files in the alternate directory
rather than the corresponding files in /etc/shorewall. The alternate directory
need not contain a complete configuration; those files not in the alternate
directory will be read from /etc/shorewall.</p>
<p> This facility permits you to easily create a test or temporary configuration
by:</p>
<ol>
<li> copying the files that need modification from /etc/shorewall
to a separate directory;</li>
<li> modify those files in the separate directory; and</li>
<li> specifying the separate directory in a shorewall start
or shorewall restart command (e.g., <i><b>shorewall -c /etc/testconfig
<li> copying the files that need modification from
/etc/shorewall to a separate directory;</li>
<li> modify those files in the separate directory;
and</li>
<li> specifying the separate directory in a shorewall
start or shorewall restart command (e.g., <i><b>shorewall -c /etc/testconfig
restart</b></i> ).</li>
</ol>
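Review bot: "MAC addresses are 48 bits wide and each Ethernet Controller has a unique MAC address" overstates the guarantee on a page that feeds the MAC_Validation (maclist) feature: a MAC address is set by the driver and can be changed in software, and the page's own example, 02:00:08:E3:FA:55, is a locally administered address (bit 1 of the first octet set), i.e. exactly the kind of value an administrator or attacker assigns by hand. Suggest adding one sentence that MAC-based rules only identify a host on the directly attached segment and only against non-malicious peers. In the new ULOG section: the instruction 'to read daemon /usr/local/sbin/ulogd -d"' is missing its opening quote; "Download the ulod tar file" should be ulogd; "log all Shorewall message to their own log file" should be messages; "kern.info it's own log destination" should be its; and "All kernel.info messages" should be kern.info to match the facility name used two lines earlier. The ulogd log file named in syslogfile and the LOGFILE setting in shorewall.conf must be the same path, which the text implies but does not say in one place.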
@ -302,19 +422,14 @@ will be read from /etc/shorewall.</p>
<p><font size="2"> Updated 11/21/2002 - <a href="support.htm">Tom Eastep</a>
<p><font size="2"> Updated 12/20/2002 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br>
<br>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
</p>
<br>
<br>
</body>

View File

@ -33,35 +33,38 @@
for the configuration that most closely matches your own.<br>
</b></p>
<p>The entire set of Shorewall documentation is also available in PDF format
at:</p>
<p>The entire set of Shorewall documentation is available in PDF format at:</p>
<p>    <a href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
    <a href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a><br>
<br>
Once you've done that, download <u> one</u> of the modules:</p>
    <a href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>
</p>
<p>The documentation in HTML format is included in the .rpm and in the .tgz
packages below.</p>
<p> Once you've done that, download <u> one</u> of the modules:</p>
<ul>
<li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>, <b>
Linux PPC</b> or <b> TurboLinux</b> distribution with
a 2.4 kernel, you can use the RPM version (note: the RPM
should also work with other distributions that store init scripts
in /etc/init.d and that include chkconfig or insserv). If you
find that it works in other cases, let <a
should also work with other distributions that store init
scripts in /etc/init.d and that include chkconfig or insserv).
If you find that it works in other cases, let <a
href="mailto:teastep@shorewall.net"> me</a> know so that
I can mention them here. See the <a href="Install.htm">Installation Instructions</a>
if you have problems installing the RPM.</li>
<li>If you are running LRP, download the .lrp file (you might
also want to download the .tgz so you will have a copy of the documentation).</li>
<li>If you run <a href="http://www.debian.org"><b>Debian</b></a>
and would like a .deb package, Shorewall is in both the <a
href="http://packages.debian.org/testing/net/shorewall.html">Debian Testing
Branch</a> and the <a
and would like a .deb package, Shorewall is included in both the
<a href="http://packages.debian.org/testing/net/shorewall.html">Debian
Testing Branch</a> and the <a
href="http://packages.debian.org/unstable/net/shorewall.html">Debian
Unstable Branch</a>.</li>
<li>Otherwise, download the <i>shorewall</i> module
(.tgz)</li>
<li>Otherwise, download the <i>shorewall</i>
module (.tgz)</li>
</ul>
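Review bot: after moving the PDF links above the note about the HTML documentation, "Once you've done that, download one of the modules:" no longer has an antecedent: it previously followed the PDF download links, and now follows a sentence that asks the reader to do nothing ("The documentation in HTML format is included in the .rpm and in the .tgz packages below."). Either restore the original order or drop "Once you've done that," so the sentence simply reads "Download one of the modules:".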
@ -76,8 +79,8 @@ Unstable Branch</a>.</li>
<li>RPM - "rpm -qip LATEST.rpm"</li>
<li>TARBALL - "tar -ztf LATEST.tgz" (the directory name
will contain the version)</li>
<li>LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar -zxf
&lt;downloaded .lrp&gt;; cat var/lib/lrpkg/shorwall.version" </li>
<li>LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar
-zxf &lt;downloaded .lrp&gt;; cat var/lib/lrpkg/shorwall.version" </li>
</ul>
@ -92,8 +95,9 @@ will contain the version)</li>
configuration of your firewall, you can enable startup by removing the
file /etc/shorewall/startup_disabled.</b></font></p>
<p><b>Download Latest Version</b> (<b>1.3.11a</b>): <b>Remember that updates
to the mirrors occur 1-12 hours after an update to the primary site.</b></p>
<p><b>Download Latest Version</b> (<b>1.3.12</b>): <b>Remember that updates
to the mirrors occur 1-12 hours after an update to the Washington
State site.</b></p>
<blockquote>
<table border="2" cellspacing="3" cellpadding="3"
@ -231,10 +235,10 @@ file /etc/shorewall/startup_disabled.</b></font></p>
<td>Shorewall.net</td>
<td><a
href="http://france.shorewall.net/pub/LATEST.rpm">Download .rpm</a><br>
<a href="http://france.shorewall.net/pub/LATEST.tgz">Download
.tgz</a> <br>
<a href="http://france.shorewall.net/pub/LATEST.lrp">Download
.lrp</a><br>
<a
href="http://france.shorewall.net/pub/LATEST.tgz">Download .tgz</a> <br>
<a
href="http://france.shorewall.net/pub/LATEST.lrp">Download .lrp</a><br>
<a
href="http://france.shorewall.net/pub/LATEST.md5sums">Download
.md5sums</a></td>
@ -283,28 +287,11 @@ file /etc/shorewall/startup_disabled.</b></font></p>
</td>
</tr>
</tbody>
</table>
</blockquote>
<p align="left"><b>Documentation in PDF format:</b><br>
</p>
<blockquote>
<p>Juraj Ontkanin has produced a Portable Document Format (PDF) file containing
the Shorewall 1.3.10 documenation (the documentation in HTML format is included
in the .rpm and in the .tgz). The .pdf may be downloaded from</p>
</blockquote>
<blockquote>
<blockquote><a
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/"
target="_self">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><a
href="http://slovakia.shorewall.net/pub/shorewall/pdf/"><br>
http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
</blockquote>
</blockquote>
<p><b>Browse Download Sites:</b></p>
<blockquote>
@ -367,11 +354,13 @@ file /etc/shorewall/startup_disabled.</b></font></p>
<tr>
<td>Washington State, USA</td>
<td>Shorewall.net</td>
<td><a href="http://www.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a
href="http://www.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a href="ftp://ftp.shorewall.net/pub/shorewall/"
target="_blank">Browse</a></td>
</tr>
</tbody>
</table>
</blockquote>
@ -387,22 +376,12 @@ file /etc/shorewall/startup_disabled.</b></font></p>
</p>
</blockquote>
<p align="left"><font size="2">Last Updated 12/3/2002 - <a
<p align="left"><font size="2">Last Updated 12/12/2002 - <a
href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
</p>
<br>
</body>
</html>
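Review bot: The "Last Updated" stamp in this hunk moves only to 12/12/2002, yet the same page now advertises 1.3.12 as the latest version and the index page in this commit announces the 1.3.12 release on 12/27/2002; the date on the download page should match the date the 1.3.12 links went live, otherwise mirror operators comparing "Last Updated" against the mirror-lag note cannot tell whether their copy is current.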


@ -42,22 +42,23 @@
</li>
<li>
<p align="left"> <b>If you are installing Shorewall for the first
time and plan to use the .tgz and install.sh script, you can untar
the archive, replace the 'firewall' script in the untarred directory
<p align="left"> <b>If you are installing Shorewall for the
first time and plan to use the .tgz and install.sh script, you can
untar the archive, replace the 'firewall' script in the untarred directory
with the one you downloaded below, and then run install.sh.</b></p>
</li>
<li>
<p align="left"> <b>When the instructions say to install a corrected
firewall script in /etc/shorewall/firewall, /usr/lib/shorewall/firewall
or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to overwrite
the existing file. DO NOT REMOVE OR RENAME THE OLD /etc/shorewall/firewall
or /var/lib/shorewall/firewall before you do that. /etc/shorewall/firewall
and /var/lib/shorewall/firewall are symbolic links that point
to the 'shorewall' file used by your system initialization scripts
to start Shorewall during boot. It is that file that must be overwritten
with the corrected script.</b></p>
or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to
overwrite the existing file. DO NOT REMOVE OR RENAME THE OLD
/etc/shorewall/firewall or /var/lib/shorewall/firewall before
you do that. /etc/shorewall/firewall and /var/lib/shorewall/firewall
are symbolic links that point to the 'shorewall' file used by your
system initialization scripts to start Shorewall during boot.
It is that file that must be overwritten with the corrected
script.</b></p>
</li>
<li>
<p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
@ -72,16 +73,16 @@ example, do NOT install the 1.3.9a firewall script if you are running 1.3.7c.</
<li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
<li> <b><a href="#V1.3">Problems
in Version 1.3</a></b></li>
<li> <b><a href="errata_2.htm">Problems
in Version 1.2</a></b></li>
<li> <b><a
href="errata_2.htm">Problems in Version 1.2</a></b></li>
<li> <b><font color="#660066">
<a href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
<li> <b><font color="#660066"><a
href="#iptables"> Problem with iptables version 1.2.3 on RH7.2</a></font></b></li>
<li> <b><a href="#Debug">Problems
with kernels &gt;= 2.4.18 and RedHat iptables</a></b></li>
<li><b><a href="#SuSE">Problems installing/upgrading RPM on
SuSE</a></b></li>
<li><b><a href="#SuSE">Problems installing/upgrading RPM
on SuSE</a></b></li>
<li><b><a href="#Multiport">Problems with iptables version
1.2.7 and MULTIPORT=Yes</a></b></li>
<li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10 and NAT</a></b><br>
@ -92,6 +93,13 @@ example, do NOT install the 1.3.9a firewall script if you are running 1.3.7c.</
<hr>
<h2 align="left"><a name="V1.3"></a>Problems in Version 1.3</h2>
<h3>Version 1.3.11a</h3>
<ul>
<li><a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.11/rfc1918">This
copy of /etc/shorewall/rfc1918</a> reflects the recent allocation of 82.0.0.0/8.<br>
</li>
</ul>
<h3>Version 1.3.11</h3>
<ul>
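Review bot: The new 1.3.11a errata entry says the linked rfc1918 file "reflects the recent allocation of 82.0.0.0/8" but does not say what the change is or why it matters; since entries in /etc/shorewall/rfc1918 cause matching packets to be logged and dropped, state plainly that 82.0.0.0/8 has been removed from the file because it is now allocated, and that users who keep the old file will block legitimate traffic from hosts in that range. Consider a sentence such as "Without this update, packets from the newly allocated 82.0.0.0/8 are treated as bogus and dropped."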
@ -101,12 +109,12 @@ example, do NOT install the 1.3.9a firewall script if you are running 1.3.7c.</
     user teastep does not exist - using root<br>
     group teastep does not exist - using root<br>
<br>
These warnings are harmless and may be ignored. Users downloading the .rpm
from shorewall.net or mirrors should no longer see these warnings as the
.rpm you will get from there has been corrected.</li>
<li>DNAT rules that exclude a source subzone (SOURCE column contains !
followed by a sub-zone list) result in an error message and Shorewall fails
to start.<br>
These warnings are harmless and may be ignored. Users downloading the
.rpm from shorewall.net or mirrors should no longer see these warnings as
the .rpm you will get from there has been corrected.</li>
<li>DNAT rules that exclude a source subzone (SOURCE column contains
! followed by a sub-zone list) result in an error message and Shorewall
fails to start.<br>
<br>
Install <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.11/firewall">this
@ -158,9 +166,9 @@ on your firewall and you have a 'pptpserver' entry in /etc/shorewall/tunnels,
<ul>
<li>The installer (install.sh) issues a misleading message "Common
functions installed in /var/lib/shorewall/functions" whereas the file is
installed in /usr/lib/shorewall/functions. The installer also performs incorrectly
when updating old configurations that had the file /etc/shorewall/functions.
functions installed in /var/lib/shorewall/functions" whereas the file
is installed in /usr/lib/shorewall/functions. The installer also performs
incorrectly when updating old configurations that had the file /etc/shorewall/functions.
<a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.3.9/install.sh">Here
is an updated version that corrects these problems.<br>
@ -179,8 +187,8 @@ when updating old configurations that had the file /etc/shorewall/functions.
<ul>
<li> Use of shell variables in the LOG LEVEL or SYNPARMS columns
of the policy file doesn't work.</li>
<li>A DNAT rule with the same original and new IP addresses but
with different port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24
<li>A DNAT rule with the same original and new IP addresses
but with different port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24
tcp 25 - 10.1.1.1")<br>
</li>
@ -222,14 +230,14 @@ when updating old configurations that had the file /etc/shorewall/functions.
<ol>
<li>If the firewall is running
a DHCP server, the client won't be
able to obtain an IP address lease
from that server.</li>
a DHCP server, the client won't be able
to obtain an IP address lease from
that server.</li>
<li>With this order of checking,
the "dhcp" option cannot be used as
a noise-reduction measure where there
are both dynamic and static clients
on a LAN segment.</li>
are both dynamic and static clients on
a LAN segment.</li>
</ol>
@ -260,8 +268,8 @@ on a LAN segment.</li>
<li>
<p align="left">If ADD_SNAT_ALIASES=Yes is specified in /etc/shorewall/shorewall.conf,
an error occurs when the firewall script attempts to add an
SNAT alias. </p>
an error occurs when the firewall script attempts to add
an SNAT alias. </p>
</li>
<li>
@ -308,8 +316,8 @@ on a LAN segment.</li>
<div align="left">
<p align="left">That capability was lost in version 1.3.4 so that it is only
possible to  include a single host specification on each line. This
problem is corrected by <a
possible to  include a single host specification on each line.
This problem is corrected by <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.5a/firewall">this
modified 1.3.5a firewall script</a>. Install the script in /var/lib/pub/shorewall/firewall
as instructed above.</p>
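Review bot: The re-wrapped paragraph keeps the path "/var/lib/pub/shorewall/firewall" in its last sentence, which does not match any of the three locations the instructions at the top of this page give (/etc/shorewall/firewall, /usr/lib/shorewall/firewall or /var/lib/shorewall/firewall); since the line is being touched anyway, correct it to "/var/lib/shorewall/firewall" so readers do not create a stray copy that the init scripts never run.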
@ -331,10 +339,10 @@ on a LAN segment.</li>
<h3 align="left">Version 1.3.n, n &lt; 4</h3>
<p align="left">The "shorewall start" and "shorewall restart" commands
to not verify that the zones named in the /etc/shorewall/policy file
have been previously defined in the /etc/shorewall/zones file.
The "shorewall check" command does perform this verification so
it's a good idea to run that command after you have made configuration
to not verify that the zones named in the /etc/shorewall/policy
file have been previously defined in the /etc/shorewall/zones
file. The "shorewall check" command does perform this verification
so it's a good idea to run that command after you have made configuration
changes.</p>
<h3 align="left">Version 1.3.n, n &lt; 3</h3>
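Review bot: Both the removed and the re-wrapped text read "The "shorewall start" and "shorewall restart" commands to not verify that the zones named in the /etc/shorewall/policy file have been previously defined"; "to not verify" should be "do not verify". Worth fixing while the paragraph is being re-flowed.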
@ -351,8 +359,8 @@ it's a good idea to run that command after you have made configuratio
<p align="left">Until approximately 2130 GMT on 17 June 2002, the
download sites contained an incorrect version of the .lrp file. That
file can be identified by its size (56284 bytes). The correct version
has a size of 38126 bytes.</p>
file can be identified by its size (56284 bytes). The correct
version has a size of 38126 bytes.</p>
<ul>
<li>The code to detect a duplicate interface entry
@ -383,8 +391,8 @@ just like "NAT_BEFORE_RULES=Yes".</li>
<ul>
<li>TCP SYN packets may be double counted when
LIMIT:BURST is included in a CONTINUE or ACCEPT policy (i.e., each
packet is sent through the limit chain twice).</li>
LIMIT:BURST is included in a CONTINUE or ACCEPT policy (i.e.,
each packet is sent through the limit chain twice).</li>
<li>An unnecessary jump to the policy chain is sometimes
generated for a CONTINUE policy.</li>
<li>When an option is given for more than one interface
@ -402,8 +410,8 @@ option. For example:<br>
noping. An additional bug has been found that affects only
the 'routestopped' option.<br>
<br>
Users who downloaded the corrected script prior to
1850 GMT today should download and install the corrected
Users who downloaded the corrected script prior
to 1850 GMT today should download and install the corrected
script again to ensure that this second problem is corrected.</li>
</ul>
@ -553,5 +561,6 @@ option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentati
</p>
<br>
<br>
<br>
</body>
</html>


@ -33,10 +33,18 @@
</a><a href="http://www.postfix.org/"> <img
src="images/small-picture.gif" align="right" border="0" width="115"
height="45">
</a><font color="#ffffff">Shorewall Mailing Lists</font></h1>
</a><font color="#ffffff">Shorewall Mailing Lists<a
href="http://www.inter7.com/courierimap/"><img
src="images/courier-imap.png" alt="Courier-Imap" width="100"
height="38" align="right">
</a></font></h1>
<p align="right"><font color="#ffffff"><b><br>
Powered by Postfix      </b></font> </p>
</b></font></p>
<p align="right"><font color="#ffffff"><b><br>
Powered by Postfix     </b></font> </p>
</td>
</tr>
@ -71,10 +79,27 @@ Powered by Postfix
<li>to ensure that the sender address is fully qualified.</li>
<li>to verify that the sender's domain has an A or MX record in DNS.</li>
<li>to ensure that the host name in the HELO/EHLO command is a valid
fully-qualified DNS name.<br>
</li>
fully-qualified DNS name.</li>
</ol>
<h2>Please post in plain text</h2>
While the list server here at shorewall.net accepts and distributes HTML
posts, a growing number of MTAs serving list subscribers are rejecting this
HTML list traffic. At least one MTA has gone so far as to blacklist shorewall.net
"for continuous abuse"!!<br>
<br>
I think that blocking all HTML is a rather draconian way to control spam
and that the unltimate loser here is not the spammers but the list subscribers
whose MTAs are bouncing all shorewall.net mail. Nevertheless, all of you
can help by restricting your list posts to plain text.<br>
<br>
And as a bonus, subscribers who use email clients like pine and mutt will
be able to read your plain text posts whereas they are most likely simply
ignoring your HTML posts.<br>
<br>
A final bonus for the use of HTML is that it cuts down the size of messages
by a large percentage -- that is important when the same message must be
sent 500 times over the slow DSL line connecting the list server to the internet.<br>
<h2></h2>
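Review bot: The closing paragraph of the new "Please post in plain text" section contradicts the section's argument: "A final bonus for the use of HTML is that it cuts down the size of messages by a large percentage" should read "A final bonus of plain text is that it cuts down the size of messages", since the point being made is that plain text is smaller than HTML. In the same section, "unltimate" should be "ultimate", and two consecutive paragraphs both open with "bonus" ("And as a bonus", "A final bonus"), which reads awkwardly.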
@ -110,14 +135,19 @@ fully-qualified DNS name.<br>
type="submit" value="Search"> </p>
</form>
<h2 align="left"><font color="#ff0000">Please do not try to download the entire
Archive -- its 75MB (and growing daily) and my slow DSL line simply won't
stand the traffic. If I catch you, you'll be blacklisted.<br>
</font></h2>
<h2 align="left">Shorewall CA Certificate</h2>
If you want to trust X.509 certificates issued by Shoreline Firewall
(such as the one used on my web site), you may <a
href="Shorewall_CA_html.html">download and install my CA certificate</a>
in your browser. If you don't wish to trust my certificates then you can
either use unencrypted access when subscribing to Shorewall mailing lists
or you can use secure access (SSL) and accept the server's certificate when
prompted by your browser.<br>
in your browser. If you don't wish to trust my certificates then you
can either use unencrypted access when subscribing to Shorewall mailing
lists or you can use secure access (SSL) and accept the server's certificate
when prompted by your browser.<br>
<h2 align="left">Shorewall Users Mailing List</h2>
@ -187,10 +217,10 @@ list may be found at <a
</li>
<li>
<p align="left">Down at the bottom of that page is the following text:
"To change your subscription (set options like digest and delivery modes,
get a reminder of your password, <b>or unsubscribe</b> from &lt;name
of list&gt;), enter your subscription email address:". Enter your email
address in the box and click on the "Edit Options" button.</p>
"To change your subscription (set options like digest and delivery
modes, get a reminder of your password, <b>or unsubscribe</b> from
&lt;name of list&gt;), enter your subscription email address:". Enter
your email address in the box and click on the "Edit Options" button.</p>
</li>
<li>
<p align="left">There will now be a box where you can enter your password
@ -205,17 +235,12 @@ address in the box and click on the "Edit Options" button.</p>
<p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p>
<p align="left"><font size="2">Last updated 11/22/2002 - <a
<p align="left"><font size="2">Last updated 12/27/2002 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br>
<br>
<br>
<br>
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
</p>
<br>
</body>
</html>


@ -33,11 +33,11 @@
<blockquote>
<div align="left">
<pre>2020ca - delivery to this domain has been disabled (cause unknown)<br>arosy.de - delivery to this domain has been disabled (Relay access denied)<br>arundel.homelinux.org - delivery to this domain has been disabled (connection timed out, connection refused)<br>asurfer.com - (Mailbox full)<br>bol.com.br - delivery to this domain has been disabled (Mailbox Full)<br>cuscominc.com - delivery to this domain has been disabled (bouncing mail from all sources with "Mail rejected because the server you are sending to is misconfigured").<br>excite.com - delivery to this domain has been disabled (cause unknown)<br>epacificglobal.com - delivery to this domain has been disabled (no MX record for domain)<br>freefish.dyndns.org - delivery to this domain has been disabled (Name Server Problem -- Host not found)<br>gmx.net - delivery to this domain has been disabled (cause unknown)<br>hotmail.com - delivery to this domain has been disabled (Mailbox over quota)<br>intercom.net - delivery to this domain has been disabled (cause unknown)<br>ionsphere.org - (connection timed out)<br>initialcs.com - delivery to this domain has been disabled (cause unknown)<br>intelligents.2y.net - delivery to this domain has been disabled (Name Service Problem -- Host not Found).<br>khp-inc.com - delivery to this domain has been disabled (anti-virus problems)<br>kieninger.de - delivery to this domain has been disabled (relaying to &lt;xxxxx@kieninger.de&gt; prohibited by administrator)<br>lariera.com - delivery to this domain has been disabled (Unknown User)<br>littleblue.de - (connection timed out)<br>mfocus.com.my - delivery to this domain has been disabled (MTA at mailx.mfocus.com.my not delivering and not giving a reason)<br>navair.navy.mil - delivery to this domain has been disabled (A restriction in the system prevented delivery of the message)<br>opermail.net - delivery to this domain has been disabled (cause unknown)<br>opus.homeip.net - (SpamAssassin is missing the HiRes Time 
module)<br>penquindevelopment.com - delivery to this domain has been disabled (connection timed out)<br>scip-online.de - delivery to this domain has been disabled (cause unknown)<br>spctnet.com - connection timed out - delivery to this domain has been disabled<br>telusplanet.net - delivery to this domain has been disabled (cause unknown)<br>yahoo.com - delivery to this domain has been disabled (Mailbox over quota)</pre>
<pre>2020ca - delivery to this domain has been disabled (cause unknown)<br>arosy.de - delivery to this domain has been disabled (Relay access denied)<br>arundel.homelinux.org - delivery to this domain has been disabled (connection timed out, connection refused)<br>asurfer.com - (Mailbox full)<br>bol.com.br - delivery to this domain has been disabled (Mailbox Full)<br>cuscominc.com - delivery to this domain has been disabled (bouncing mail from all sources with "Mail rejected because the server you are sending to is misconfigured").<br>cvnet.psi.br - (DNS configuration error -- MX is cvn-srv1.cvnet.psi.br.cvnet.psi.br)<br>datakota.com - (DNS Timeouts)<br>excite.com - delivery to this domain has been disabled (cause unknown)<br>epacificglobal.com - delivery to this domain has been disabled (no MX record for domain)<br>freefish.dyndns.org - delivery to this domain has been disabled (Name Server Problem -- Host not found)<br>gmx.net - delivery to this domain has been disabled (cause unknown)<br>hotmail.com - delivery to this domain has been disabled (Mailbox over quota)<br>intercom.net - delivery to this domain has been disabled (cause unknown)<br>nitialcs.com - delivery to this domain has been disabled (cause unknown)<br>intelligents.2y.net - delivery to this domain has been disabled (Name Service Problem -- Host not Found).<br>khp-inc.com - delivery to this domain has been disabled (anti-virus problems)<br>kieninger.de - delivery to this domain has been disabled (relaying to &lt;xxxxx@kieninger.de&gt; prohibited by administrator)<br>lariera.com - delivery to this domain has been disabled (Unknown User)<br>mfocus.com.my - delivery to this domain has been disabled (MTA at mailx.mfocus.com.my not delivering and not giving a reason)<br>navair.navy.mil - delivery to this domain has been disabled (A restriction in the system prevented delivery of the message)<br>opermail.net - delivery to this domain has been disabled (cause unknown)<br>penquindevelopment.com - delivery to 
this domain has been disabled (connection timed out)<br>scip-online.de - delivery to this domain has been disabled (cause unknown)<br>spctnet.com - connection timed out - delivery to this domain has been disabled<br>telusplanet.net - delivery to this domain has been disabled (cause unknown)<br>the-techy.com - delivery to this domain has been disabled (clueless administrator - continuous DNS problems) <br>yahoo.com - delivery to this domain has been disabled (Mailbox over quota)</pre>
</div>
</blockquote>
<p align="left"><font size="2">Last updated 11/24/2002 18:44 GMT - <a
<p align="left"><font size="2">Last updated 12/17/2002 02:51 GMT - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"> <font face="Trebuchet MS"> <font
@ -53,5 +53,8 @@
<br>
<br>
<br>
<br>
<br>
<br>
</body>
</html>


@ -0,0 +1,90 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>ICMP Echo-request (Ping)</title>
<meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">ICMP Echo-request (Ping)</font></h1>
</td>
</tr>
</tbody>
</table>
<br>
Shorewall 'Ping' management has evolved over time in a less than consistant
way. This page describes how it now works.<br>
<br>
There are several aspects to Shorewall Ping management:<br>
<ol>
<li>The <b>noping</b> and <b>filterping </b>interface options in <a
href="file:///home/teastep/Shorewall-docs/Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
<li>The <b>FORWARDPING</b> option in<a
href="file:///home/teastep/Shorewall-docs/Documentation.htm#Conf"> /etc/shorewall/shorewall.conf</a>.</li>
<li>Explicit rules in <a
href="file:///home/teastep/Shorewall-docs/Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
</ol>
There are two cases to consider:<br>
<ol>
<li>Ping requests addressed to the firewall itself; and</li>
<li>Ping requests being forwarded to another system. Included here are
all cases of packet forwarding including NAT, DNAT rule, Proxy ARP and simple
routing.</li>
</ol>
These cases will be covered separately.<br>
<h2>Ping Requests Addressed to the Firewall Itself</h2>
For ping requests addressed to the firewall, the sequence is as follows:<br>
<ol>
<li>If neither <b>noping</b> nor <b>filterping </b>are specified for the
interface that receives the ping request then the request will be responded
to with an ICMP echo-reply.</li>
<li>If <b>noping</b> is specified for the interface that receives the ping
request then the request is ignored.</li>
<li>If <b>filterping </b>is specified for the interface then the request
is passed to the rules/policy evaluation.</li>
</ol>
<h2>Ping Requests Forwarded by the Firewall</h2>
These requests are <b>always</b> passed to rules/policy evaluation.<br>
<h2>Rules Evaluation</h2>
Ping requests are ICMP type 8. So the general rule format is:<br>
<br>
&nbsp;&nbsp;&nbsp; <i>Target&nbsp;&nbsp;&nbsp; Source&nbsp;&nbsp;&nbsp; Destination&nbsp;&nbsp;&nbsp;
</i>icmp&nbsp;&nbsp;&nbsp; 8<br>
<br>
Example 1. Accept pings from the net to the dmz (pings are responded to with
an ICMP echo-reply):<br>
<br>
&nbsp;&nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; dmz&nbsp;&nbsp;&nbsp;
icmp&nbsp;&nbsp;&nbsp; 8<br>
<br>
Example 2. Drop pings from the net to the firewall<br>
<br>
&nbsp;&nbsp;&nbsp; DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;
icmp&nbsp;&nbsp;&nbsp; 8<br>
<h2>Policy Evaluation</h2>
If no applicable rule is found, then the policy for the source to the destination
is applied.<br>
<ol>
<li>If the relevant policy is ACCEPT then the request is responded to with
an ICMP echo-reply.</li>
<li>If <b>FORWARDPING</b> is set to Yes in /etc/shorewall/shorewall.conf
then the request is responded to with an ICMP echo-reply.</li>
<li>Otherwise, the relevant REJECT or DROP policy is used and the request
is either rejected or simply ignored.</li>
</ol>
<p><font size="2">Updated 12/13/2002 - <a
href="file:///home/teastep/Shorewall-docs/support.htm">Tom Eastep</a> </font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
&copy; <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
</body>
</html>
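Review bot: Four links in this new page point at the author's local filesystem ("file:///home/teastep/Shorewall-docs/Documentation.htm#Interfaces", "...Documentation.htm#Conf", "...Documentation.htm#Rules" and "...support.htm") and will be dead for every reader of the published site; use the relative form already used on the same page for copyright.htm, e.g. href="Documentation.htm#Interfaces" and href="support.htm". Also, "consistant" in the opening sentence should be "consistent".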


@ -11,6 +11,7 @@
<base target="_self">
</head>
<body>
@ -20,10 +21,13 @@
<table border="0" cellpadding="0" cellspacing="4"
style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c">
<tbody>
<tr>
<td
width="100%" height="90">
<td width="100%" height="90">
@ -33,9 +37,10 @@
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4"
alt="Shorwall Logo" height="70" width="85" align="left"
src="images/washington.jpg" border="0">
</a></i></font><font
color="#ffffff">Shorewall 1.3 - <font size="4">"<i>iptables
made easy"</i></font></font></h1>
</a></i></font><font color="#ffffff">Shorewall 1.3 -
<font size="4">"<i>iptables made easy"</i></font></font></h1>
@ -47,13 +52,16 @@
color="#ffffff">Shorewall 1.2 Site here</font></a><br>
</div>
<br>
</td>
</tr>
</tbody>
</table>
@ -61,12 +69,15 @@
<div align="center">
<center>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody>
<tr>
<td
width="90%">
<td width="90%">
@ -81,6 +92,8 @@
<p>The Shoreline Firewall, more commonly known as "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
firewall that can be used on a dedicated firewall system, a multi-function
@ -92,22 +105,29 @@ firewall that can be used on a dedicated firewall system, a multi-functio
<p>This program is free software; you can redistribute it and/or modify
it under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
General Public License</a> as published by the Free Software Foundation.<br>
<br>
This program
is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty
of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
See the GNU General Public License for more details.<br>
This program is distributed in the hope that it
will be useful, but WITHOUT ANY WARRANTY; without
even the implied warranty of MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE. See the GNU General Public
License for more details.<br>
<br>
You should
have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139,
USA</p>
You should have received a copy of the GNU General
Public License along with this program; if not,
write to the Free Software Foundation, Inc., 675
Mass Ave, Cambridge, MA 02139, USA</p>
@ -124,20 +144,23 @@ General Public License</a> as published by the Free Software Foundation.<
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques
Nilo and Eric Wolzak have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution called
<i>Bering</i> that features Shorewall-1.3.10 and Kernel-2.4.18.
You can find their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
</a>Jacques Nilo and Eric Wolzak have a LEAF
(router/firewall/gateway on a floppy, CD or compact flash) distribution
called <i>Bering</i> that features Shorewall-1.3.10
and Kernel-2.4.18. You can find their work at:
<a href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
</a></p>
<p><b>Congratulations to Jacques and Eric on the recent release of
Bering 1.0 Final!!! </b><br>
</p>
<h2>This is a mirror of the main Shorewall web site at SourceForge
(<a href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
@ -150,6 +173,7 @@ Bering 1.0 Final!!! </b><br>
<h2>News</h2>
@ -158,283 +182,187 @@ Bering 1.0 Final!!! </b><br>
<h2></h2>
<p><b>12/3/2002 - Shorewall 1.3.11a </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
<p><b>12/27/2002 - Shorewall 1.3.12 Released</b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
<p>This is a bug-fix roll up which includes Roger Aich's fix for DNAT
with excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11 users who
don't need rules of this type need not upgrade to 1.3.11.</p>
<p><b>11/25/2002 - Shorewall 1.3.11 Documentation in PDF Format</b><b>
</b></p>
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.11
documenation. the PDF may be downloaded from</p>
<p>    <a
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
<p> Features include:<br>
</p>
<p><b>11/24/2002 - Shorewall 1.3.11</b><b> </b><b>
</b></p>
<ol>
<li>"shorewall refresh" now reloads the traffic shaping rules (tcrules
and tcstart).</li>
<li>"shorewall debug [re]start" now turns off debugging after an
error occurs. This places the point of the failure near the end of the
trace rather than up in the middle of it.</li>
<li>"shorewall [re]start" has been speeded up by more than 40% with
my configuration. Your milage may vary.</li>
<li>A "shorewall show classifiers" command has been added which shows
the current packet classification filters. The output from this command
is also added as a separate page in "shorewall monitor"</li>
<li>ULOG (must be all caps) is now accepted as a valid syslog level
and causes the subject packets to be logged using the ULOG target rather
than the LOG target. This allows you to run ulogd (available from <a
href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
and log all Shorewall messages <a
href="configuration_file_basics.htm#Levels">to a separate log file</a>.</li>
<li>If you are running a kernel that has a FORWARD chain in the mangle
table ("shorewall show mangle" will show you the chains in the mangle table),
you can set MARK_IN_FORWARD_CHAIN=Yes in <a
href="Documentation.htm#Conf">shorewall.conf</a>. This allows for marking
input packets based on their destination even when you are using Masquerading
or SNAT.</li>
<li>I have cluttered up the /etc/shorewall directory with empty 'init',
'start', 'stop' and 'stopped' files. If you already have a file with one
of these names, don't worry -- the upgrade process won't overwrite your file.</li>
<li>I have added a new RFC1918_LOG_LEVEL variable to <a
href="Documentation.htm#Conf">shorewall.conf</a>. This variable specifies
the syslog level at which packets are logged as a result of entries in the
/etc/shorewall/rfc1918 file. Previously, these packets were always logged
at the 'info' level.<br>
</li>
</ol>
<p>In this version:</p>
<p><b>12/20/2002 - Shorewall 1.3.12 Beta 3</b><br>
</p>
This version corrects a problem with Blacklist logging. In Beta 2, if BLACKLIST_LOG_LEVEL
was set to anything but ULOG, the firewall would fail to start and "shorewall
refresh" would also fail.<br>
<ul>
<li>A 'tcpflags' option has been added to entries in <a
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. This
option causes Shorewall to make a set of sanity check on TCP packet header
flags.</li>
<li>It is now allowed to use 'all' in the SOURCE or DEST column
in a <a href="Documentation.htm#Rules">rule</a>. When used, 'all' must
appear by itself (in may not be qualified) and it does not enable intra-zone
traffic. For example, the rule <br>
<br>
    ACCEPT loc all tcp 80<br>
<br>
does not enable http traffic from 'loc' to 'loc'.</li>
<li>Shorewall's use of the 'echo' command is now compatible with
bash clones such as ash and dash.</li>
<li>fw-&gt;fw policies now generate a startup error. fw-&gt;fw
rules generate a warning and are ignored</li>
</ul>
<p><b>11/14/2002 - Shorewall Documentation in PDF Format</b><b>
</b></p>
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10
documenation. the PDF may be downloaded from</p>
<p>    <a
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
<p> You may download the Beta from:<br>
</p>
<p><b>11/09/2002 - Shorewall is Back at SourceForge</b><b>
</b></p>
<p>The main Shorewall web site is now back at SourceForge at <a
href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>.<br>
</p>
<p><b>11/09/2002 - Shorewall 1.3.10</b><b>
</b></p>
<p>In this version:</p>
<ul>
<li>You may now <a href="IPSEC.htm#Dynamic">define
the contents of a zone dynamically</a> with the <a
href="starting_and_stopping_shorewall.htm">"shorewall add" and "shorewall
delete" commands</a>. These commands are expected to be used primarily
within <a href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a>
updown scripts.</li>
<li>Shorewall can now do<a
href="MAC_Validation.html"> MAC verification</a> on ethernet segments.
You can specify the set of allowed MAC addresses on the segment and
you can optionally tie each MAC address to one or more IP addresses.</li>
<li>PPTP Servers and Clients running on the firewall
system may now be defined in the<a href="PPTP.htm"> /etc/shorewall/tunnels</a>
file.</li>
<li>A new 'ipsecnat' tunnel type is supported for
use when the <a href="IPSEC.htm">remote IPSEC endpoint is
behind a NAT gateway</a>.</li>
<li>The PATH used by Shorewall may now be specified
in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
<li>The main firewall script is now /usr/lib/shorewall/firewall.
The script in /etc/init.d/shorewall is very small and uses /sbin/shorewall
to do the real work. This change makes custom distributions such as
for Debian and for Gentoo easier to manage since it is /etc/init.d/shorewall
that tends to have distribution-dependent code.</li>
</ul>
If you have installed the 1.3.10 Beta 1 RPM and are now upgrading
to version 1.3.10, you will need to use the '--force' option:<br>
<blockquote>
<pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm</pre>
<blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
</blockquote>
<p><b>12/20/2002 - Shorewall 1.3.12 Beta 2</b><b>
</b></p>
The first public Beta version of Shorewall 1.3.12 is now available (Beta
1 was made available to a limited audience). <br>
<br>
Features include:<br>
<br>
<p><b>10/24/2002 - Shorewall is now in Gentoo Linux</b><a
href="http://www.gentoo.org"><br>
</a></p>
Alexandru Hartmann reports that his Shorewall package
is now a part of <a href="http://www.gentoo.org">the Gentoo
Linux distribution</a>. Thanks Alex!<br>
<ol>
<li>"shorewall refresh" now reloads the traffic shaping rules
(tcrules and tcstart).</li>
<li>"shorewall debug [re]start" now turns off debugging after
an error occurs. This places the point of the failure near the end of the
trace rather than up in the middle of it.</li>
<li>"shorewall [re]start" has been speeded up by more than 40%
with my configuration. Your milage may vary.</li>
<li>A "shorewall show classifiers" command has been added which
shows the current packet classification filters. The output from this command
is also added as a separate page in "shorewall monitor"</li>
<li>ULOG (must be all caps) is now accepted as a valid syslog
level and causes the subject packets to be logged using the ULOG target
rather than the LOG target. This allows you to run ulogd (available from
<a href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
and log all Shorewall messages <a
href="configuration_file_basics.htm#Levels">to a separate log file</a>.</li>
<li>If you are running a kernel that has a FORWARD chain in
the mangle table ("shorewall show mangle" will show you the chains in the
mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf.
This allows for marking input packets based on their destination even when
you are using Masquerading or SNAT.</li>
<li>I have cluttered up the /etc/shorewall directory with empty
'init', 'start', 'stop' and 'stopped' files. If you already have a file
with one of these names, don't worry -- the upgrade process won't overwrite
your file.</li>
<p><b>10/23/2002 - Shorewall 1.3.10 Beta 1</b><b> </b></p>
In this version:<br>
<ul>
<li>You may now <a
href="IPSEC.htm#Dynamic">define the contents of a zone dynamically</a>
with the <a href="starting_and_stopping_shorewall.htm">"shorewall add" and
"shorewall delete" commands</a>. These commands are expected
to be used primarily within <a
href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a> updown
scripts.</li>
<li>Shorewall can now do<a
href="MAC_Validation.html"> MAC verification</a> on ethernet segments.
You can specify the set of allowed MAC addresses on the segment
and you can optionally tie each MAC address to one or more IP addresses.</li>
<li>PPTP Servers and Clients running on the
firewall system may now be defined in the<a href="PPTP.htm"> /etc/shorewall/tunnels</a>
file.</li>
<li>A new 'ipsecnat' tunnel type is supported
for use when the <a href="IPSEC.htm">remote IPSEC endpoint
is behind a NAT gateway</a>.</li>
<li>The PATH used by Shorewall may now be
specified in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
<li>The main firewall script is now /usr/lib/shorewall/firewall.
The script in /etc/init.d/shorewall is very small and uses /sbin/shorewall
to do the real work. This change makes custom distributions such
as for Debian and for Gentoo easier to manage since it is /etc/init.d/shorewall
that tends to have distribution-dependent code.</li>
</ul>
</ol>
You may download the Beta from:<br>
<blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
</blockquote>
<p><b>12/12/2002 - Mandrake Multi Network Firewall <a
href="http://www.mandrakesoft.com"><img src="images/logo2.png"
alt="Powered by Mandrake Linux" width="150" height="21" border="0">
</a></b></p>
Shorewall is at the center of MandrakeSoft's recently-announced <a
href="http://www.mandrakestore.com/mdkinc/index.php?PAGE=tab_0/menu_0.php&amp;id_art=250&amp;LANG_=en#GOTO_250">Multi
Network Firewall (MNF)</a> product. Here is the <a
href="http://www.mandrakesoft.com/company/press/pr?n=/pr/products/2403">press
release</a>.<br>
<p><b>12/7/2002 - Shorewall Support for Mandrake 9.0</b><b>
</b></p>
<ul>
<li><a
href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a></li>
<li><a
href="ftp://ftp.shorewall.net/pub/shorewall/Beta" target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
</li>
<p>Two months and 3 days after I pre-ordered Mandrake 9.0, it was finally
delivered. I have installed 9.0 on one of my systems and I am now in
a position to support Shorewall users who run Mandrake 9.0.</p>
</ul>
<p><b>10/10/2002 -  Debian 1.3.9b Packages Available </b><b>
</b><br>
<p><b>12/6/2002 -  Debian 1.3.11a Packages Available</b><br>
</p>
<p>Apt-get sources listed at <a
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html.</a></p>
<p><b>10/9/2002 - Shorewall 1.3.9b </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
This release rolls up fixes to the installer
and to the firewall script.<br>
<b><br>
10/6/2002 - Shorewall.net now running on RH8.0
</b><b><img border="0" src="images/new10.gif" width="28"
height="12" alt="(New)">
</b><br>
<br>
The firewall and server here at shorewall.net
are now running RedHat release 8.0.<br>
<p><b>9/30/2002 - Shorewall 1.3.9a</b><b>
</b></p>
Roles up the fix for broken tunnels.<br>
<p><b>9/30/2002 - TUNNELS Broken in 1.3.9!!!</b><b>
</b></p>
<img
src="images/j0233056.gif" alt="Brown Paper Bag" width="50" height="86"
align="left">
There is an updated firewall script
at <a
href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
-- copy that file to /usr/lib/shorewall/firewall.<br>
<p><b><br>
<p><b>12/3/2002 - Shorewall 1.3.11a</b><b>
</b></p>
<p>This is a bug-fix roll up which includes Roger Aich's fix for DNAT
with excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11 users
who don't need rules of this type need not upgrade to 1.3.11.</p>
<p><b><br>
<p><b>11/25/2002 - Shorewall 1.3.11 Documentation in PDF Format</b><b>
</b></p>
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.11
documenation. the PDF may be downloaded from</p>
<p><b><br>
9/28/2002 - Shorewall 1.3.9 </b><b>
</b></p>
<p>In this version:<br>
<p>    <a
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
</p>
<p><b>11/24/2002 - Shorewall 1.3.11</b><b> </b><b>
</b></p>
<p>In this version:</p>
<ul>
<li><a
href="configuration_file_basics.htm#dnsnames">DNS Names</a> are now
allowed in Shorewall config files (although I recommend
against using them).</li>
<li>The connection SOURCE
may now be qualified by both interface and IP address
in a <a href="Documentation.htm#Rules">Shorewall rule</a>.</li>
<li>Shorewall startup
is now disabled after initial installation until the
file /etc/shorewall/startup_disabled is removed. This avoids
nasty surprises at reboot for users who install Shorewall
but don't configure it.</li>
<li>The 'functions' and
'version' files and the 'firewall' symbolic link have been
moved from /var/lib/shorewall to /usr/lib/shorewall to appease
the LFS police at Debian.<br>
</li>
<li>A 'tcpflags' option has been added to entries
in <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
This option causes Shorewall to make a set of sanity check on TCP packet
header flags.</li>
<li>It is now allowed to use 'all' in the SOURCE or
DEST column in a <a href="Documentation.htm#Rules">rule</a>. When
used, 'all' must appear by itself (in may not be qualified) and it does
not enable intra-zone traffic. For example, the rule <br>
<br>
    ACCEPT loc all tcp 80<br>
<br>
does not enable http traffic from 'loc' to 'loc'.</li>
<li>Shorewall's use of the 'echo' command is now compatible
with bash clones such as ash and dash.</li>
<li>fw-&gt;fw policies now generate a startup error.
fw-&gt;fw rules generate a warning and are ignored</li>
</ul>
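Review bot: the 12/3/2002 1.3.11a entry says current 1.3.11 users "need not upgrade to 1.3.11"; that should read 1.3.11a, since the sentence is about whether to take the bug-fix release. Several typos in the news entries also carry through this hunk: "make a set of sanity check" should be "checks" (the tcpflags item appears in both the Beta 2 and Beta 3 lists), "in may not be qualified" should be "it may not be qualified", "documenation" and "milage" are misspelled, and "Roles up the fix" under 9/30/2002 should be "Rolls up". The 1.3.12 Beta 3 text says the Beta 2 firewall failed to start whenever BLACKLIST_LOG_LEVEL was anything but ULOG; it would help readers to state plainly that any syslog level is now accepted there rather than only that the problem was corrected.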
@ -442,16 +370,12 @@ file /etc/shorewall/startup_disabled is removed. This avoids
<p><b></b><a href="News.htm">More News</a></p>
<p><a href="News.htm">More News</a></p>
@ -459,17 +383,21 @@ file /etc/shorewall/startup_disabled is removed. This avoids
<h2><a name="Donations"></a>Donations</h2>
</td>
<td
width="88" bgcolor="#4b017c" valign="top" align="center"> <a
href="http://sourceforge.net">M</a></td>
<td width="88" bgcolor="#4b017c" valign="top"
align="center"> <a href="http://sourceforge.net">M</a></td>
</tr>
</tbody>
</table>
</center>
</div>
@ -479,8 +407,10 @@ file /etc/shorewall/startup_disabled is removed. This avoids
bgcolor="#4b017c">
<tbody>
<tr>
<td
width="100%" style="margin-top: 1px;">
<td width="100%" style="margin-top: 1px;">
@ -489,7 +419,9 @@ file /etc/shorewall/startup_disabled is removed. This avoids
<p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10">
  </a></p>
 
</a></p>
@ -499,8 +431,10 @@ file /etc/shorewall/startup_disabled is removed. This avoids
<p align="center"><font size="4" color="#ffffff">Shorewall is free
but if you try it and find it useful, please consider making a donation
to <a href="http://www.starlight.org"><font
color="#ffffff">Starlight Children's Foundation.</font></a> Thanks!</font></p>
to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight
Children's Foundation.</font></a> Thanks!</font></p>
</td>
</tr>
@ -508,12 +442,15 @@ but if you try it and find it useful, please consider making a donation
</tbody>
</table>
<p><font size="2">Updated 12/3/2002 - <a href="support.htm">Tom Eastep</a></font>
<p><font size="2">Updated 12/27/2002 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
<br>
</body>
</html>


@ -0,0 +1,22 @@
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Shoreline Firewall</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<frameset cols="242,*">
<frame name="contents" target="main" src="Shorewall_sfindex_frame.htm">
<frame name="main" src="sourceforge_index.htm" target="_self" scrolling="auto">
<noframes>
<body>
<p>This page uses frames, but your browser doesn't support them.</p>
</body>
</noframes>
</frameset>
</html>
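Review bot: the new frameset page declares no DOCTYPE, while the other pages touched by this change declare HTML 4.01 Transitional; a document whose top-level element is `<frameset>` should declare the HTML 4.01 Frameset DTD so browsers do not render it in quirks mode. The `<noframes>` fallback only says that frames are unsupported; linking to sourceforge_index.htm and Shorewall_sfindex_frame.htm there would let frameless browsers and indexers still reach the content.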


@ -41,12 +41,13 @@
href="http://www.experiencewashington.com">Washington State</a> .</li>
<li>BA Mathematics from <a href="http://www.wsu.edu">Washington
State University</a> 1967</li>
<li>MA Mathematics from <a href="http://www.washington.edu">University
of Washington</a> 1969</li>
<li>MA Mathematics from <a
href="http://www.washington.edu">University of Washington</a> 1969</li>
<li>Burroughs Corporation (now <a
href="http://www.unisys.com">Unisys</a> ) 1969 - 1980</li>
<li><a href="http://www.tandem.com">Tandem Computers, Incorporated</a>
(now part of the <a href="http://www.hp.com">The New HP</a>) 1980 - present</li>
(now part of the <a href="http://www.hp.com">The New HP</a>) 1980 -
present</li>
<li>Married 1969 - no children.</li>
</ul>
@ -67,25 +68,26 @@
<p>Our current home network consists of: </p>
<ul>
<li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &amp; 8GB IDE
HDs and LNE100TX (Tulip) NIC - My personal Windows system. Also has
RedHat 8.0 installed.</li>
<li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &amp; 20GB
IDE HDs and LNE100TX (Tulip) NIC - My personal Windows system. Also
has <a href="http://www.mandrakelinux.com">Mandrake</a> 9.0 installed.</li>
<li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip)
NIC - My personal Linux System which runs Samba configured as a WINS
server. This system also has <a href="http://www.vmware.com/">VMware</a>
installed and can run both <a href="http://www.debian.org">Debian
Woody</a> and <a href="http://www.suse.com">SuSE 8.1</a> in virtual
machines.</li>
<li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC  - Mail
(Postfix &amp; Courier-IMAP), HTTP (Apache), FTP (Pure_ftpd), DNS server
(Bind).</li>
<li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC  -
Email (Postfix &amp; Courier-IMAP), HTTP (Apache), FTP (Pure_ftpd), DNS
server (Bind).</li>
<li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI HD - 3 LNE100TX 
(Tulip) and 1 TLAN NICs  - Firewall running Shorewall 1.3.11  and a DHCP
server.  Also runs PoPToP for road warrior access.</li>
<li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - My wife's
personal system.</li>
<li>PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB HD, onboard EEPRO100
and EEPRO100 in expansion base and LinkSys WAC11 - My main work system.</li>
<li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - My
wife's personal system.</li>
<li>PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB HD, onboard
EEPRO100 and EEPRO100 in expansion base and LinkSys WAC11 - My main
work system.</li>
</ul>
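Review bot: "256MB MB RAM" in the PII/233 firewall entry duplicates the unit, and "1.2Gz" / "1.4Gz" should be "1.2GHz" / "1.4GHz"; the rest of this hunk changes only line breaks and the Mandrake/disk details, so those typos are the only thing worth fixing before merge.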
@ -102,19 +104,21 @@ machines.</li>
src="images/poweredbycompaqlog0.gif" hspace="3" width="83" height="25">
</a><a href="http://www.pureftpd.org"><img border="0"
src="images/pure.jpg" width="88" height="31">
</a><font size="4"><a href="http://www.apache.org"><img border="0"
src="images/apache_pb1.gif" hspace="2" width="170" height="20">
</a> </font></p>
</a><font size="4"><a href="http://www.apache.org"><img
border="0" src="images/apache_pb1.gif" hspace="2" width="170"
height="20">
</a><a href="http://www.mandrakelinux.com"><img
src="images/medbutton.png" alt="Powered by Mandrake" width="90"
height="32">
</a><img src="images/shorewall.jpg" alt="Protected by Shorewall"
width="125" height="40" hspace="4">
</font></p>
<p><font size="2">Last updated 11/24/2002 - </font><font size="2">
<a href="support.htm">Tom Eastep</a></font> </p>
<p><font size="2">Last updated 12/7/2002 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<font face="Trebuchet MS"><a href="copyright.htm"><font
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
<br>
<br>
<br>
<br>
<br>
<br>
</body>
</html>


@ -1,113 +1,133 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall Extension Scripts</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Extension Scripts</font></h1>
<h1 align="center"><font color="#ffffff">Extension Scripts</font></h1>
</td>
</tr>
</tbody>
</table>
<p>
Extension scripts are user-provided
scripts that are invoked at various points during firewall start, restart,
stop and clear. The scripts are placed in /etc/shorewall and are processed
using the Bourne shell "source" mechanism. The following scripts can be
supplied:</p>
<p> Extension scripts are user-provided scripts that are invoked at various
points during firewall start, restart, stop and clear. The scripts are
placed in /etc/shorewall and are processed using the Bourne shell "source"
mechanism. The following scripts can be supplied:</p>
<ul>
<li>init -- invoked early in "shorewall start" and "shorewall restart"</li>
<li>start -- invoked after the firewall has been started or restarted.</li>
<li>stop -- invoked as a first step when the firewall is being stopped.</li>
<li>stopped -- invoked after the firewall has been stopped.</li>
<li>clear -- invoked after the firewall has been cleared.</li>
<li>refresh -- invoked while the firewall is being refreshed but before the
common and/or blacklst chains have been rebuilt.</li>
<li>newnotsyn (added in version 1.3.6) -- invoked after the 'newnotsyn' chain
has been created but before any rules have been added to it.</li>
<li>refresh -- invoked while the firewall is being refreshed but before
the common and/or blacklst chains have been rebuilt.</li>
<li>newnotsyn (added in version 1.3.6) -- invoked after the 'newnotsyn'
chain has been created but before any rules have been added to it.</li>
</ul>
<p>
You can also supply a script with the same name as any of the filter
<p><u><b>If your version of Shorewall doesn't have the file that you want
to use from the above list, you can simply create the file yourself.</b></u></p>
<p> You can also supply a script with the same name as any of the filter
chains in the firewall and the script will be invoked after the /etc/shorewall/rules
file has been processed but before the /etc/shorewall/policy file has
been processed.</p>
file has been processed but before the /etc/shorewall/policy file has been
processed.</p>
<p>The /etc/shorewall/common file receives special treatment. If this file is present, the rules that it
defines will totally replace the default rules in the common chain. These
default rules are contained in the file /etc/shorewall/common.def which
may be used as a starting point for making your own customized file.</p>
<p>The /etc/shorewall/common file receives special treatment. If this file
is present, the rules that it defines will totally replace the default
rules in the common chain. These default rules are contained in the
file /etc/shorewall/common.def which may be used as a starting point
for making your own customized file.</p>
<p>
Rather than running iptables directly, you should run it using the function
run_iptables. Similarly, rather than running "ip" directly, you should
use run_ip. These functions accept the same arguments as the underlying
command but cause the firewall to be stopped if an error occurs during
processing of the command.</p>
<p> Rather than running iptables directly, you should run it using the
function run_iptables. Similarly, rather than running "ip" directly,
you should use run_ip. These functions accept the same arguments as the
underlying command but cause the firewall to be stopped if an error occurs
during processing of the command.</p>
<p>
If you decide to create /etc/shorewall/common it is a good idea to use the
following technique</p>
<p> If you decide to create /etc/shorewall/common it is a good idea to
use the following technique</p>
<p>
/etc/shorewall/common:</p>
<p> /etc/shorewall/common:</p>
<blockquote>
<pre>. /etc/shorewall/common.def
&lt;add your rules here&gt;</pre>
<pre>. /etc/shorewall/common.def<br>&lt;add your rules here&gt;</pre>
</blockquote>
<p>If you need to supercede a rule in the released common.def file, you can add
the superceding rule before the '.' command. Using this technique allows
<p>If you need to supercede a rule in the released common.def file, you can
add the superceding rule before the '.' command. Using this technique allows
you to add new rules while still getting the benefit of the latest common.def
file.</p>
<p>Remember that /etc/shorewall/common defines rules
that are only applied if the applicable policy is DROP or REJECT. These rules
are NOT applied if the policy is ACCEPT or CONTINUE.</p>
<p>Remember that /etc/shorewall/common defines rules that are only applied
if the applicable policy is DROP or REJECT. These rules are NOT applied
if the policy is ACCEPT or CONTINUE.</p>
<p>If you set ALLOWRELATED=No in shorewall.conf, then most ICMP packets will be
rejected by the firewall. It is recommended with this setting that you create
the file /etc/shorewall/icmpdef and in it place the following commands:</p>
<p>If you set ALLOWRELATED=No in shorewall.conf, then most ICMP packets will
be rejected by the firewall. It is recommended with this setting that you
create the file /etc/shorewall/icmpdef and in it place the following commands:</p>
<pre> run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT
</pre>
<p align="left"><font size="2">Last updated
8/22/2002 - <a href="support.htm">Tom
Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas M. Eastep</font></a></p>
<pre> run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT<br></pre>
<p align="left"><font size="2">Last updated 12/22/2002 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas
M. Eastep</font></a></p>
<br>
</body>
</html>
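Review bot: the new sentence telling users that they can simply create a missing extension script themselves should also say how that file must be protected. The paragraph above states that these files are processed with the Bourne shell "source" mechanism, so whatever is written into a user-created /etc/shorewall/init, start, stop or common is executed with the firewall script's own privileges; the text should tell the user to make the new file owned by root and not group- or world-writable, and to avoid sourcing anything from a directory other users can write to. Two smaller points: "supercede" / "superceding" should be "supersede" / "superseding", and the two `<pre>` blocks had their newlines replaced with `<br>` tags, which is unnecessary inside `<pre>`; the original one-command-per-line form is easier to copy into a shell.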


@ -12,6 +12,7 @@
content="text/html; charset=windows-1252">
<title>Shorewall QuickStart Guide</title>
<meta name="Microsoft Theme" content="none">
</head>
<body>
@ -45,8 +46,9 @@ we must all first walk before we can run.</p>
<li><a href="standalone.htm">Standalone</a> Linux System</li>
<li><a href="two-interface.htm">Two-interface</a> Linux System
acting as a firewall/router for a small local network</li>
<li><a href="three-interface.htm">Three-interface</a> Linux System
acting as a firewall/router for a small local network and a DMZ.</li>
<li><a href="three-interface.htm">Three-interface</a> Linux
System acting as a firewall/router for a small local network and
a DMZ.</li>
</ul>
@ -66,29 +68,37 @@ Concepts</a></li>
Interfaces</a></li>
<li><a href="shorewall_setup_guide.htm#Addressing">4.0 Addressing,
Subnets and Routing</a>
<ul>
<li><a href="shorewall_setup_guide.htm#Addresses">4.1 IP Addresses</a></li>
<li><br>
</li>
<li><a href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
<li><a href="shorewall_setup_guide.htm#Addresses">4.1 IP
Addresses</a></li>
<li><a
href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
<li><a href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li>
<li><a href="shorewall_setup_guide.htm#ARP">4.4 Address Resolution
Protocol</a></li>
<li><a href="shorewall_setup_guide.htm#ARP">4.4 Address
Resolution Protocol</a></li>
</ul>
<ul>
<li><a href="shorewall_setup_guide.htm#RFC1918">4.5 RFC 1918</a></li>
<li><a href="shorewall_setup_guide.htm#RFC1918">4.5 RFC
1918</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#Options">5.0 Setting up
your Network</a>
<li><a href="shorewall_setup_guide.htm#Options">5.0 Setting
up your Network</a>
<ul>
<li><a href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li>
</ul>
<ul>
<li><a href="shorewall_setup_guide.htm#NonRouted">5.2 Non-routed</a>
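Review bot: the new `<li><br>` / `</li>` inserted between the "4.0 Addressing, Subnets and Routing" entry and "4.1 IP Addresses" renders as an empty bullet in the table of contents and should be dropped. The same hunk keeps "4.5 RFC 1918" in a second `<ul>` that is opened after the first sublist has already been closed, so it renders as a separate list rather than as the fifth entry under section 4; moving that `<li>` inside the first `<ul>` fixes the outline.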
@ -96,31 +106,34 @@ your Network</a>
<ul>
<li><a href="shorewall_setup_guide.htm#SNAT">5.2.1 SNAT</a></li>
<li><a href="shorewall_setup_guide.htm#DNAT">5.2.2 DNAT</a></li>
<li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3 Proxy
ARP</a></li>
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4 Static NAT</a></li>
<li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3
Proxy ARP</a></li>
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4 Static
NAT</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#Rules">5.3 Rules</a></li>
<li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4 Odds
and Ends</a></li>
<li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4
Odds and Ends</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#DNS">6.0 DNS</a></li>
<li><a href="shorewall_setup_guide.htm#StartingAndStopping">7.0
Starting and Stopping the Firewall</a></li>
<li><a
href="shorewall_setup_guide.htm#StartingAndStopping">7.0 Starting and
Stopping the Firewall</a></li>
</ul>
<h2><a name="Documentation"></a>Documentation Index</h2>
<p>The following documentation covers a variety of topics and <b>supplements
the <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a> described
above</b>. Please review the appropriate guide before trying to use this
documentation directly.</p>
the <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a>
described above</b>. Please review the appropriate guide before trying
to use this documentation directly.</p>
<ul>
<li><a href="blacklisting_support.htm">Blacklisting</a>
@ -129,10 +142,12 @@ and Ends</a></li>
<li>Static Blacklisting using /etc/shorewall/blacklist</li>
<li>Dynamic Blacklisting using /sbin/shorewall</li>
</ul>
</li>
<li><a href="configuration_file_basics.htm">Common configuration
file features</a>
<ul>
<li>Comments in configuration files</li>
<li>Line Continuation</li>
@ -144,35 +159,46 @@ and Ends</a></li>
<li>Complementing an IP address or Subnet</li>
<li>Shorewall Configurations (making a test configuration)</li>
<li>Using MAC Addresses in Shorewall</li>
<li>Logging<br>
</li>
</ul>
</li>
<li><a href="Documentation.htm">Configuration File Reference Manual</a>
<li><a href="Documentation.htm">Configuration File Reference
Manual</a>
<ul>
<li> <a href="Documentation.htm#Variables">params</a></li>
<li><font color="#000099"><a href="Documentation.htm#Zones">zones</a></font></li>
<li><font color="#000099"><a
href="Documentation.htm#Zones">zones</a></font></li>
<li><font color="#000099"><a
href="Documentation.htm#Interfaces">interfaces</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#Hosts">hosts</a></font></li>
<li><font color="#000099"><a
href="Documentation.htm#Hosts">hosts</a></font></li>
<li><font color="#000099"><a
href="Documentation.htm#Policy">policy</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#Rules">rules</a></font></li>
<li><font color="#000099"><a
href="Documentation.htm#Rules">rules</a></font></li>
<li><a href="Documentation.htm#Common">common</a></li>
<li><font color="#000099"><a href="Documentation.htm#Masq">masq</a></font></li>
<li><font color="#000099"><a
href="Documentation.htm#Masq">masq</a></font></li>
<li><font color="#000099"><a
href="Documentation.htm#ProxyArp">proxyarp</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#NAT">nat</a></font></li>
<li><font color="#000099"><a
href="Documentation.htm#NAT">nat</a></font></li>
<li><font color="#000099"><a
href="Documentation.htm#Tunnels">tunnels</a></font></li>
<li><a href="traffic_shaping.htm#tcrules">tcrules</a></li>
<li><font color="#000099"><a href="Documentation.htm#Conf">shorewall.conf</a></font></li>
<li><font color="#000099"><a
href="Documentation.htm#Conf">shorewall.conf</a></font></li>
<li><a href="Documentation.htm#modules">modules</a></li>
<li><a href="Documentation.htm#TOS">tos</a> </li>
<li><a href="Documentation.htm#Blacklist">blacklist</a></li>
<li><a href="Documentation.htm#rfc1918">rfc1918</a></li>
<li><a href="Documentation.htm#Routestopped">routestopped</a></li>
</ul>
</li>
<li><a href="dhcp.htm">DHCP</a></li>
@ -182,14 +208,19 @@ to extend Shorewall without modifying Shorewall code)</li>
<li><a href="fallback.htm">Fallback/Uninstall</a></li>
<li><a href="shorewall_firewall_structure.htm">Firewall Structure</a></li>
<li><font color="#000099"><a href="kernel.htm">Kernel Configuration</a></font></li>
<li><a href="myfiles.htm">My Configuration Files</a> (How I personally
use Shorewall)</li>
<li><a href="configuration_file_basics.htm#Levels">Logging</a><br>
</li>
<li><a href="myfiles.htm">My Configuration Files</a> (How
I personally use Shorewall)</li>
<li><a href="ping.html">'Ping' Management</a><br>
</li>
<li><a href="ports.htm">Port Information</a>
<ul>
<li>Which applications use which ports</li>
<li>Ports used by Trojans</li>
</ul>
</li>
<li><a href="ProxyARP.htm">Proxy ARP</a></li>
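Review bot: the two items added under "Port Information" ("Which applications use which ports", "Ports used by Trojans") are plain text, unlike every other entry in this list; either link them to the corresponding sections of ports.htm, if such anchors exist, or drop the sub-list, since the parent entry already links to ports.htm.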
@ -206,26 +237,33 @@ to extend Shorewall without modifying Shorewall code)</li>
<li><font color="#000099"><a href="NAT.htm">Static NAT</a></font></li>
<li><a href="traffic_shaping.htm">Traffic Shaping/Control</a></li>
<li>VPN
<ul>
<li><a href="IPSEC.htm">IPSEC</a></li>
<li><a href="IPIP.htm">GRE and IPIP</a></li>
<li><a href="PPTP.htm">PPTP</a></li>
<li><a href="VPN.htm">IPSEC/PPTP</a> from a system behind your
firewall to a remote network.</li>
<li><a href="VPN.htm">IPSEC/PPTP</a> from a system behind
your firewall to a remote network.</li>
</ul>
</li>
<li><a href="whitelisting_under_shorewall.htm">White List Creation</a></li>
<li><a href="whitelisting_under_shorewall.htm">White List
Creation</a></li>
</ul>
<p>If you use one of these guides and have a suggestion for improvement <a
href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
<p><font size="2">Last modified 11/19/2002 - <a href="support.htm">Tom Eastep</a></font></p>
<p><font size="2">Last modified 12/13/2002 - <a href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright 2002 Thomas M. Eastep</font></a><br>
</p>
<br>
<br>
<br>
<br>
<br>
</body>
</html>

View File

@ -54,24 +54,25 @@
<h2><a name="Introduction"></a>1.0 Introduction</h2>
<p>This guide is intended for users who are setting up Shorewall in an environment
where a set of public IP addresses must be managed or who want to know more
about Shorewall than is contained in the <a
where a set of public IP addresses must be managed or who want to know
more about Shorewall than is contained in the <a
href="shorewall_quickstart_guide.htm">single-address guides</a>. Because
the range of possible applications is so broad, the Guide will give you
general guidelines and will point you to other resources as necessary.</p>
<p><img border="0" src="images/j0213519.gif" width="60" height="60">
    If you run LEAF Bering, your Shorewall configuration is NOT what I release
-- I suggest that you consider installing a stock Shorewall lrp from the
shorewall.net site before you proceed.</p>
    If you run LEAF Bering, your Shorewall configuration is NOT what I
release -- I suggest that you consider installing a stock Shorewall lrp from
the shorewall.net site before you proceed.</p>
<p>This guide assumes that you have the iproute/iproute2 package installed
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell if
this package is installed by the presence of an <b>ip</b> program on your
firewall system. As root, you can use the 'which' command to check for this
program:</p>
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell
if this package is installed by the presence of an <b>ip</b> program on
your firewall system. As root, you can use the 'which' command to check
for this program:</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
<p>I recommend that you first read through the guide to familiarize yourself
with what's involved then go back through it again making your configuration
changes. Points at which configuration changes are recommended are flagged
@ -79,17 +80,17 @@ with <img border="0" src="images/BD21298_.gif" width="13" height="13">
.</p>
<p><img border="0" src="images/j0213519.gif" width="60" height="60">
    If you edit your configuration files on a Windows system, you must save
them as Unix files if your editor supports that option or you must run them
through dos2unix before trying to use them with Shorewall. Similarly, if
you copy a configuration file from your Windows hard drive to a floppy disk,
you must run dos2unix against the copy before using it with Shorewall.</p>
    If you edit your configuration files on a Windows system, you must
save them as Unix files if your editor supports that option or you must run
them through dos2unix before trying to use them with Shorewall. Similarly,
if you copy a configuration file from your Windows hard drive to a floppy
disk, you must run dos2unix against the copy before using it with Shorewall.</p>
<ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
of dos2unix</a></li>
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version
of dos2unix</a></li>
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
Version of dos2unix</a></li>
</ul>
@ -151,8 +152,9 @@ the internet zone" or "because that is the DMZ".</p>
in terms of zones.</p>
<ul>
<li>You express your default policy for connections from one zone to another
zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy </a>file.</li>
<li>You express your default policy for connections from one zone to
another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
</a>file.</li>
<li>You define exceptions to those default policies in the <a
href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
@ -163,17 +165,18 @@ kernel facility. Netfilter implements a <a
href="http://www.cs.princeton.edu/%7Ejns/security/iptables/iptables_conntrack.html">connection
tracking function</a> that allows what is often referred to as <i>stateful
inspection</i> of packets. This stateful property allows firewall rules
to be defined in terms of <i>connections</i> rather than in terms of packets.
With Shorewall, you:</p>
to be defined in terms of <i>connections</i> rather than in terms of
packets. With Shorewall, you:</p>
<ol>
<li> Identify the source zone.</li>
<li> Identify the destination zone.</li>
<li> If the POLICY from the client's zone to the server's zone
is what you want for this client/server pair, you need do nothing further.</li>
<li> If the POLICY is not what you want, then you must add a rule.
That rule is expressed in terms of the client's zone and the server's
zone.</li>
is what you want for this client/server pair, you need do nothing
further.</li>
<li> If the POLICY is not what you want, then you must add a
rule. That rule is expressed in terms of the client's zone and the
server's zone.</li>
</ol>
@ -181,15 +184,15 @@ zone.</li>
A to the firewall and are also allowed from the firewall to zone B <font
color="#ff6633"><b><u> DOES NOT mean that these connections are allowed
from zone A to zone B</u></b></font>. It rather means that you can have
a proxy running on the firewall that accepts a connection from zone A and
then establishes its own separate connection from the firewall to zone
B.</p>
a proxy running on the firewall that accepts a connection from zone A
and then establishes its own separate connection from the firewall to
zone B.</p>
<p>For each connection request entering the firewall, the request is first
checked against the /etc/shorewall/rules file. If no rule in that file matches
the connection request then the first policy in /etc/shorewall/policy that
matches the request is applied. If that policy is REJECT or DROP  the request
is first checked against the rules in /etc/shorewall/common.def.</p>
checked against the /etc/shorewall/rules file. If no rule in that file
matches the connection request then the first policy in /etc/shorewall/policy
that matches the request is applied. If that policy is REJECT or DROP 
the request is first checked against the rules in /etc/shorewall/common.def.</p>
<p>The default /etc/shorewall/policy file has the following policies:</p>
@ -234,9 +237,10 @@ is first checked against the rules in /etc/shorewall/common.def.</p>
<ol>
<li>allow all connection requests from your local network to the internet</li>
<li>drop (ignore) all connection requests from the internet to your firewall
or local network and log a message at the <i>info</i> level (see "man
syslog").</li>
<li>drop (ignore) all connection requests from the internet to your
firewall or local network and log a message at the <i>info</i> level
(<a href="configuration_file_basics.htm#Levels">here</a> is a description
of log levels).</li>
<li>reject all other connection requests and log a message at the <i>info</i>
level. When a request is rejected, the firewall will return an RST (if
the protocol is TCP) or an ICMP port-unreachable packet for other protocols.</li>
@ -244,8 +248,8 @@ the protocol is TCP) or an ICMP port-unreachable packet for other protocols.<
</ol>
<p><img border="0" src="images/BD21298_.gif" width="13" height="13">
    At this point, edit your /etc/shorewall/policy and make any changes that
you wish.</p>
    At this point, edit your /etc/shorewall/policy and make any changes
that you wish.</p>
<h2 align="left"><a name="Interfaces"></a>3.0 Network Interfaces</h2>
@ -256,11 +260,12 @@ you wish.</p>
<p align="left">In this diagram:</p>
<ul>
<li>The DMZ Zone consists of systems DMZ 1 and DMZ 2. A DMZ is used to
isolate your internet-accessible servers from your local systems so that
if one of those servers is compromised, you still have the firewall between
the compromised system and your local systems. </li>
<li>The Local Zone consists of systems Local 1, Local 2 and Local 3. </li>
<li>The DMZ Zone consists of systems DMZ 1 and DMZ 2. A DMZ is used
to isolate your internet-accessible servers from your local systems so
that if one of those servers is compromised, you still have the firewall
between the compromised system and your local systems. </li>
<li>The Local Zone consists of systems Local 1, Local 2 and Local 3.
</li>
<li>All systems from the ISP outward comprise the Internet Zone. </li>
</ul>
@ -286,8 +291,8 @@ using ISDN, you external interface will be <b>ippp0.</b></p>
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13">
    If your external interface is <b>ppp0</b> or <b>ippp0 </b>then you will
want to set CLAMPMSS=yes in <a href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf.</a></p>
    If your external interface is <b>ppp0</b> or <b>ippp0 </b>then you
will want to set CLAMPMSS=yes in <a href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf.</a></p>
<p align="left">Your <i>Local Interface</i> will be an Ethernet adapter (eth0,
eth1 or eth2) and will be connected to a hub or switch. Your local computers
@ -363,8 +368,8 @@ file, that file would might contain:</p>
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13">
    Edit the /etc/shorewall/interfaces file and define the network interfaces
on your firewall and associate each interface with a zone. If you have a
zone that is interfaced through more than one interface, simply include
on your firewall and associate each interface with a zone. If you have
a zone that is interfaced through more than one interface, simply include
one entry for each interface and repeat the zone name as many times as necessary.</p>
<p align="left">Example:</p>
@ -458,8 +463,8 @@ Know about Addressing &amp; Routing",</i> Thomas A. Maufer, Prentice-Hall,
<h3 align="left"><a name="Addresses"></a>4.1 IP Addresses</h3>
<p align="left">IP version 4 (<i>IPv4) </i>addresses are 32-bit numbers.
The notation w.x.y.z refers to an address where the high-order byte has value
"w", the next byte has value "x", etc. If we take the address 192.0.2.14
The notation w.x.y.z refers to an address where the high-order byte has
value "w", the next byte has value "x", etc. If we take the address 192.0.2.14
and express it in hexadecimal, we get:</p>
<blockquote>
@ -721,9 +726,9 @@ will often hear a subnet of size 64 referred to as a "slash 26" subnet
and one of size 8 referred to as a "slash 29".</p>
<p align="left">The subnet's mask (also referred to as its <i>netmask) </i>is
simply a 32-bit number with the first "VLSM" bits set to one and the remaining
bits set to zero. For example, for a subnet of size 64, the subnet mask
has 26 leading one bits:</p>
simply a 32-bit number with the first "VLSM" bits set to one and the
remaining bits set to zero. For example, for a subnet of size 64, the
subnet mask has 26 leading one bits:</p>
<blockquote>
<p align="left">11111111111111111111111111000000 = FFFFFFC0 = FF.FF.FF.C0
@ -805,10 +810,10 @@ the subnet with one member and the subnet with 2 ** 32 members.</p>
and the set of all possible IP addresses is written <b>0.0.0.0/0</b>.</p>
<p align="left">Later in this guide, you will see the notation <b>a.b.c.d/v</b>
used to describe the ip configuration of a network interface (the 'ip' utility
also uses this syntax). This simply means that the interface is configured
with ip address <b>a.b.c.d</b> and with the netmask that corresponds to
VLSM <b>/v</b>.</p>
used to describe the ip configuration of a network interface (the 'ip'
utility also uses this syntax). This simply means that the interface is
configured with ip address <b>a.b.c.d</b> and with the netmask that corresponds
to VLSM <b>/v</b>.</p>
<p align="left">Example: 192.0.2.65/29</p>
@ -829,12 +834,12 @@ and netmask 255.255.255.248.</p>
<p align="left">The device <i>texas</i> is a GRE tunnel to a peer site in
the Dallas, Texas area.<br>
<br>
The first three routes are <i>host routes</i> since they indicate how to
get to a single host. In the 'netstat' output this can be seen by the "Genmask"
(Subnet Mask) of 255.255.255.255 and the "H" in the Flags column. The remainder
are 'net' routes since they tell the kernel how to route packets to a subnetwork.
The last route is the <i>default route</i> and the gateway mentioned in
that route is called the <i>default gateway</i>.</p>
The first three routes are <i>host routes</i> since they indicate how
to get to a single host. In the 'netstat' output this can be seen by the
"Genmask" (Subnet Mask) of 255.255.255.255 and the "H" in the Flags column.
The remainder are 'net' routes since they tell the kernel how to route
packets to a subnetwork. The last route is the <i>default route</i> and
the gateway mentioned in that route is called the <i>default gateway</i>.</p>
<p align="left">When the kernel is trying to send a packet to IP address
<b>A</b>, it starts at the top of the routing table and:</p>
@ -894,17 +899,18 @@ eth2.</p>
are sent using the routing table and reply packets are not a special case.
There seems to be a common mis-conception whereby people think that request
packets are like salmon and contain a genetic code that is magically transferred
to reply packets so that the replies follow the reverse route taken by the
request. That isn't the case; the replies may take a totally different route
back to the client than was taken by the requests -- they are totally independent.</p>
to reply packets so that the replies follow the reverse route taken by
the request. That isn't the case; the replies may take a totally different
route back to the client than was taken by the requests -- they are totally
independent.</p>
<h3 align="left"><a name="ARP"></a>4.4 Address Resolution Protocol</h3>
<p align="left">When sending packets over Ethernet, IP addresses aren't used.
Rather Ethernet addressing is based on <i>Media Access Control</i> (MAC)
addresses. Each Ethernet device has it's own unique  MAC address which is
burned into a PROM on the device during manufacture. You can obtain the
MAC of an Ethernet device using the 'ip' utility:</p>
addresses. Each Ethernet device has it's own unique  MAC address which
is burned into a PROM on the device during manufacture. You can obtain
the MAC of an Ethernet device using the 'ip' utility:</p>
<blockquote>
<div align="left">
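Review bot: the rewrapped ARP paragraph keeps the typo "Each Ethernet device has it's own unique MAC address"; since these lines are being touched anyway, change "it's" to "its".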
@ -921,8 +927,8 @@ to the card itself. </p>
<div align="left">
<p align="left">Because IP uses IP addresses and Ethernet uses MAC addresses,
a mechanism is required to translate an IP address into a MAC address;
that is the purpose of the <i>Address Resolution Protocol</i> (ARP). Here
is ARP in action:</p>
that is the purpose of the <i>Address Resolution Protocol</i> (ARP).
Here is ARP in action:</p>
</div>
<div align="left">
@ -934,9 +940,9 @@ is ARP in action:</p>
</div>
<p align="left">In this exchange, 192.168.1.254 (MAC 2:0:8:e3:4c:48) wants
to know the MAC of the device with IP address 192.168.1.19. The system having
that IP address is responding that the MAC address of the device with IP
address 192.168.1.19 is 0:6:25:aa:8a:f0.</p>
to know the MAC of the device with IP address 192.168.1.19. The system
having that IP address is responding that the MAC address of the device
with IP address 192.168.1.19 is 0:6:25:aa:8a:f0.</p>
<p align="left">In order to avoid having to exchange ARP information each
time that an IP packet is to be sent, systems maintain an <i>ARP cache</i>
@ -1001,6 +1007,7 @@ in their infrastructure. </p>
your ISP or by another organization with whom you want to establish
a VPN relationship. </p>
</li>
</ul>
</div>
@ -1017,8 +1024,8 @@ the addresses that you are going to use.</p>
<div align="left">
<p align="left">The choice of how to set up your network depends primarily
on how many Public IP addresses you have vs. how many addressable entities
you have in your network. Regardless of how many addresses you have, your
ISP will handle that set of addresses in one of two ways:</p>
you have in your network. Regardless of how many addresses you have,
your ISP will handle that set of addresses in one of two ways:</p>
</div>
<div align="left">
@ -1034,12 +1041,26 @@ your firewall/router's external interface. </p>
<p align="left"><b>Non-routed - </b>Your ISP will send traffic to each
of your addresses directly. </p>
</li>
</ol>
</div>
<div align="left">
<p align="left">In the subsections that follow, we'll look at each of these
separately.</p>
separately.<br>
</p>
<p align="left">Before we begin, there is one thing for you to check:</p>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13" alt="">
    If you are using the Debian package, please check your shorewall.conf
file to ensure that the following are set correctly; if they are not, change
them appropriately:<br>
</p>
<ul>
<li>NAT_ENABLED=Yes</li>
<li>IP_FORWARDING=On<br>
</li>
</ul>
</div>
<div align="left">
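Review bot: the new shorewall.conf check is addressed only to Debian package users, but NAT_ENABLED=Yes and IP_FORWARDING=On are prerequisites for the masquerading, DNAT and static NAT setups this guide describes later regardless of how Shorewall was installed; consider stating the check for everyone (naming Debian as the package known to ship different defaults) and adding a few words on why each setting is needed. The stray `<br>` inside the last `<li>` can also be dropped.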
@ -1049,11 +1070,11 @@ of your addresses directly. </p>
<div align="left">
<p align="left">Let's assume that your ISP has assigned you the subnet
192.0.2.64/28 routed through 192.0.2.65. That means that you have IP addresses
192.0.2.64 - 192.0.2.79 and that your firewall's external IP address is
192.0.2.65. Your ISP has also told you that you should use a netmask of
255.255.255.0 (so your /28 is part of a larger /24). With this many IP
addresses, you are able to subnet your /28 into two /29's and set up your
network as shown in the following diagram.</p>
192.0.2.64 - 192.0.2.79 and that your firewall's external IP address
is 192.0.2.65. Your ISP has also told you that you should use a netmask
of 255.255.255.0 (so your /28 is part of a larger /24). With this many
IP addresses, you are able to subnet your /28 into two /29's and set
up your network as shown in the following diagram.</p>
</div>
<div align="left">
@ -1082,8 +1103,8 @@ because of the simplicity of the setup.</p>
<div align="left">
<p align="left">The astute reader may have noticed that the Firewall/Router's
external interface is actually part of the DMZ subnet (192.0.2.64/29).
What if DMZ 1 (192.0.2.67) tries to communicate with 192.0.2.65? The routing
table on DMZ 1 will look like this:</p>
What if DMZ 1 (192.0.2.67) tries to communicate with 192.0.2.65? The
routing table on DMZ 1 will look like this:</p>
</div>
<div align="left">
@ -1136,8 +1157,9 @@ netmask 255.255.255.0 and default gateway 192.0.2.254.</b></p>
<div align="left">
<p align="left">Clearly, that set of addresses doesn't comprise a subnetwork
and there aren't enough addresses for all of the network interfaces. There
are four different techniques that can be used to work around this problem.</p>
and there aren't enough addresses for all of the network interfaces.
There are four different techniques that can be used to work around this
problem.</p>
</div>
<div align="left">
@ -1157,6 +1179,7 @@ also known as <i>Port Forwarding.</i> </p>
<p align="left"><i>Network Address Translation</i> (NAT) also referred
to as <i>Static NAT</i>. </p>
</li>
</ul>
</div>
@ -1199,8 +1222,8 @@ zone.</p>
<div align="left"> <img border="0" src="images/BD21298_2.gif"
width="13" height="13">
    The systems in the local zone would be configured with a default gateway
of 192.168.201.1 (the IP address of the firewall's local interface).</div>
    The systems in the local zone would be configured with a default
gateway of 192.168.201.1 (the IP address of the firewall's local interface).</div>
<div align="left">  </div>
@ -1254,8 +1277,8 @@ do not have a public IP address. DNAT provides a way to allow selected
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13">
     Suppose that your daughter wants to run a web server on her system
"Local 3". You could allow connections to the internet to her server by
adding the following entry in <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>:</p>
"Local 3". You could allow connections to the internet to her server
by adding the following entry in <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>:</p>
</div>
<div align="left">
@ -1291,10 +1314,10 @@ adding the following entry in <a href="Documentation.htm#Rules">/etc/shorewal
<p align="left">If one of your daughter's friends at address <b>A</b> wants
to access your daughter's server, she can connect to <a
href="http://192.0.2.176"> http://192.0.2.176</a> (the firewall's external
IP address) and the firewall will rewrite the destination IP address to
192.168.201.4 (your daughter's system) and forward the request. When your
daughter's server responds, the firewall will rewrite the source address
back to 192.0.2.176 and send the response back to <b>A.</b></p>
IP address) and the firewall will rewrite the destination IP address
to 192.168.201.4 (your daughter's system) and forward the request. When
your daughter's server responds, the firewall will rewrite the source
address back to 192.0.2.176 and send the response back to <b>A.</b></p>
</div>
<div align="left">
@ -1327,6 +1350,7 @@ of your public IP addresses (<b>A)</b> and is assigned the same netmask
address in the subnetwork defined by <b>A</b> and <b>M</b>, the firewall
will respond (with the MAC if the firewall interface to <b>H</b>). </p>
</li>
</ul>
</div>
@ -1391,8 +1415,8 @@ add host routes thru eth2 to 192.0.2.177 and 192.0.2.178.</p>
<div align="left">
<p align="left">A word of warning is in order here. ISPs typically configure
their routers with a long ARP cache timeout. If you move a system from
parallel to your firewall to behind your firewall with Proxy ARP, it will
probably be HOURS before that system can communicate with the internet.
parallel to your firewall to behind your firewall with Proxy ARP, it
will probably be HOURS before that system can communicate with the internet.
You can call your ISP and ask them to purge the stale ARP cache entry
but many either can't or won't purge individual entries. You can determine
if your ISP's gateway ARP cache is stale using ping and tcpdump. Suppose
@ -1478,9 +1502,9 @@ and is sharing the firewall external IP (192.0.2.176) for outbound connection
<div align="left">
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13">
    Suppose now that you have decided to give your daughter her own IP
address (192.0.2.179) for both inbound and outbound connections. You would
do that by adding an entry in <a href="Documentation.htm#NAT">/etc/shorewall/nat</a>.</p>
    Suppose now that you have decided to give your daughter her own
IP address (192.0.2.179) for both inbound and outbound connections. You
would do that by adding an entry in <a href="Documentation.htm#NAT">/etc/shorewall/nat</a>.</p>
</div>
<div align="left">
@ -1517,9 +1541,9 @@ do that by adding an entry in <a href="Documentation.htm#NAT">/etc/shorewall/
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13">
    Once the relationship between 192.0.2.179 and 192.168.201.4 is established
by the nat file entry above, it is no longer appropriate to use a DNAT
rule for you daughter's web server -- you would rather just use an ACCEPT
rule:</p>
by the nat file entry above, it is no longer appropriate to use a
DNAT rule for you daughter's web server -- you would rather just use
an ACCEPT rule:</p>
</div>
<div align="left">
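Review bot: the rewrapped sentence keeps the typo "a DNAT rule for you daughter's web server"; change "you" to "your" while the lines are being touched.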
@ -2266,9 +2290,9 @@ DNS servers. You can combine the two into a single BIND 9 server using
<p align="left">Suppose that your domain is foobar.net and you want the two
DMZ systems named www.foobar.net and mail.foobar.net and you want the
three local systems named "winken.foobar.net, blinken.foobar.net and nod.foobar.net.
You want your firewall to be known as firewall.foobar.net externally and
it's interface to the local network to be know as gateway.foobar.net and
its interface to the dmz as dmz.foobar.net. Let's have the DNS server
You want your firewall to be known as firewall.foobar.net externally
and it's interface to the local network to be know as gateway.foobar.net
and its interface to the dmz as dmz.foobar.net. Let's have the DNS server
on 192.0.2.177 which will also be known by the name ns1.foobar.net.</p>
</div>
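Review bot: the rewrapped paragraph keeps two errors from the original: "it's interface to the local network" should read "its interface", and "to be know as gateway.foobar.net" should read "to be known as".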
@ -2291,8 +2315,10 @@ on 192.0.2.177 which will also be known by the name ns1.foobar.net.</p>
<div align="left">
<p align="left">Here are the files in /var/named (those not shown are usually
included in your bind disbribution).</p>
<p align="left">db.192.0.2.176 - This is the reverse zone for the firewall's
external interface</p>
<blockquote>
<pre>; ############################################################<br>; Start of Authority (Inverse Address Arpa) for 192.0.2.176/32<br>; Filename: db.192.0.2.176<br>; ############################################################<br>@ 604800 IN SOA ns1.foobar.net. netadmin.foobar.net. (<br> 2001102303 ; serial<br> 10800 ; refresh (3 hour)<br> 3600 ; retry (1 hour)<br> 604800 ; expire (7 days)<br> 86400 ) ; minimum (1 day)<br>;<br>; ############################################################<br>; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)<br>; ############################################################<br>@ 604800 IN NS ns1.foobar.net.<br>@ 604800 IN NS <i>&lt;name of secondary ns&gt;</i>.<br>;<br>; ############################################################<br>; Iverse Address Arpa Records (PTR's) <br>; ############################################################<br>176.2.0.192.in-addr.arpa. 86400 IN PTR firewall.foobar.net.<br></pre>
</blockquote>
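Review bot: the new db.192.0.2.176 listing has the comment "Iverse Address Arpa Records", which should read "Inverse", and the introductory line above it says "bind disbribution" (should be "distribution"). It would also help to say in the lead-in that `<name of secondary ns>` in the NS record is a placeholder the reader must replace with a real host name.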
@ -2419,11 +2445,13 @@ and test it using the <a href="Documentation.htm#Starting">"shorewall
try" command</a>.</p>
</div>
<p align="left"><font size="2">Last updated 9/19/2002 - <a
<p align="left"><font size="2">Last updated 12/13/2002 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas
M. Eastep</font></a></p>
<br>
<br>
<br>
</body>
</html>

View File

@ -0,0 +1,454 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.3</title>
<base target="_self">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="4"
style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c">
<tbody>
<tr>
<td width="100%" height="90">
<h1 align="center"> <font size="4"><i> <a
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4"
alt="Shorwall Logo" height="70" width="85" align="left"
src="images/washington.jpg" border="0">
</a></i></font><font color="#ffffff">Shorewall 1.3 -
<font size="4">"<i>iptables made easy"</i></font></font><a
href="http://www.sf.net"> </a></h1>
<div align="center"><a href="/1.2/index.html" target="_top"><font
color="#ffffff">Shorewall 1.2 Site here</font></a></div>
</td>
</tr>
</tbody>
</table>
<div align="center">
<center>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody>
<tr>
<td width="90%">
<h2 align="left">What is it?</h2>
<p>The Shoreline Firewall, more commonly known as "Shorewall", is a
<a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
that can be used on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system.</p>
<p>This program is free software; you can redistribute it and/or modify
it under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU General
Public License</a> as published by the Free Software Foundation.<br>
<br>
This program is distributed in the hope that
it will be useful, but WITHOUT ANY WARRANTY; without
even the implied warranty of MERCHANTABILITY or
FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
Public License for more details.<br>
<br>
You should have received a copy of the GNU
General Public License along with this program;
if not, write to the Free Software Foundation,
Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
<p><a href="copyright.htm">Copyright 2001, 2002 Thomas M. Eastep</a></p>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques Nilo and Eric Wolzak have
a LEAF (router/firewall/gateway on a floppy, CD or compact
flash) distribution called <i>Bering</i> that
features Shorewall-1.3.10 and Kernel-2.4.18. You
can find their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
<b>Congratulations to Jacques and Eric on the recent
release of Bering 1.0 Final!!! <br>
</b>
<h2>News</h2>
<p><b>12/20/2002 - Shorewall 1.3.12 Beta 3</b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b><br>
</p>
This version corrects a problem with Blacklist logging. In Beta 2, if BLACKLIST_LOG_LEVEL
was set to anything but ULOG, the firewall would fail to start and "shorewall
refresh" would also fail.<br>
<p> You may download the Beta from:<br>
</p>
<blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
</blockquote>
<p><b>12/20/2002 - Shorewall 1.3.12 Beta 2</b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
The first public Beta version of Shorewall 1.3.12 is now available (Beta
1 was made available only to a limited audience). <br>
<br>
Features include:<br>
<br>
<ol>
<li>"shorewall refresh" now reloads the traffic shaping rules
(tcrules and tcstart).</li>
<li>"shorewall debug [re]start" now turns off debugging after
an error occurs. This places the point of the failure near the end of the
trace rather than up in the middle of it.</li>
<li>"shorewall [re]start" has been speeded up by more than 40%
with my configuration. Your milage may vary.</li>
<li>A "shorewall show classifiers" command has been added which
shows the current packet classification filters. The output from this command
is also added as a separate page in "shorewall monitor"</li>
<li>ULOG (must be all caps) is now accepted as a valid syslog
level and causes the subject packets to be logged using the ULOG target rather
than the LOG target. This allows you to run ulogd (available from
<a href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
and log all Shorewall messages <a
href="configuration_file_basics.htm#Levels">to a separate log file</a>.</li>
<li>If you are running a kernel that has a FORWARD chain in the
mangle table ("shorewall show mangle" will show you the chains in the mangle
table), you can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf. This allows
for marking input packets based on their destination even when you are using
Masquerading or SNAT.</li>
<li>I have cluttered up the /etc/shorewall directory with empty
'init', 'start', 'stop' and 'stopped' files. If you already have a file with
one of these names, don't worry -- the upgrade process won't overwrite your
file.</li>
</ol>
You may download the Beta from:<br>
<blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
</blockquote>
<p><b>12/12/2002 - Mandrake Multi Network Firewall <a
href="http://www.mandrakesoft.com"><img src="images/logo2.png"
alt="Powered by Mandrake Linux" width="150" height="23" border="0">
</a></b></p>
Shorewall is at the center of MandrakeSofts's recently-announced <a
href="http://www.mandrakestore.com/mdkinc/index.php?PAGE=tab_0/menu_0.php&amp;id_art=250&amp;LANG_=en#GOTO_250">Multi
Network Firewall (MNF)</a> product. Here is the <a
href="http://www.mandrakesoft.com/company/press/pr?n=/pr/products/2403">press
release</a>.<br>
<p><b>12/7/2002 - Shorewall Support for Mandrake 9.0</b><b>
</b></p>
<p>Two months and 3 days after I pre-ordered Mandrake 9.0, it was finally
delivered. I have installed 9.0 on one of my systems and I am now in a
position to support Shorewall users who run Mandrake 9.0.</p>
<p><b>12/6/2002 -  Debian 1.3.11a Packages Available</b><b></b><br>
</p>
<p>Apt-get sources listed at <a
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html.</a></p>
<p><b>12/3/2002 - Shorewall 1.3.11a</b><b>
</b></p>
<p>This is a bug-fix roll up which includes Roger Aich's fix for DNAT
with excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11 users
who don't need rules of this type need not upgrade to 1.3.11.</p>
<p><b>11/25/2002 - Shorewall 1.3.11 Documentation in PDF Format</b><b>
</b></p>
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.11
documenation. the PDF may be downloaded from</p>
<p>    <a
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
</p>
<p><b>11/24/2002 - Shorewall 1.3.11</b><b>
</b></p>
<p>In this version:</p>
<ul>
<li>A 'tcpflags' option has been added to entries
in <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
This option causes Shorewall to make a set of sanity check on TCP packet
header flags.</li>
<li>It is now allowed to use 'all' in the SOURCE or
DEST column in a <a href="Documentation.htm#Rules">rule</a>. When
used, 'all' must appear by itself (in may not be qualified) and it does
not enable intra-zone traffic. For example, the rule <br>
<br>
    ACCEPT loc all tcp 80<br>
<br>
does not enable http traffic from 'loc' to 'loc'.</li>
<li>Shorewall's use of the 'echo' command is now compatible
with bash clones such as ash and dash.</li>
<li>fw-&gt;fw policies now generate a startup error.
fw-&gt;fw rules generate a warning and are ignored</li>
</ul>
<p><b>11/14/2002 - Shorewall Documentation in PDF Format</b><b>
</b></p>
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10
documenation. the PDF may be downloaded from</p>
<p>    <a
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
</p>
<p><b></b></p>
<ul>
</ul>
<p><b></b><a href="News.htm">More News</a></p>
<h2> </h2>
<h1 align="center"><a href="http://www.sf.net"><img align="left"
alt="SourceForge Logo"
src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3">
</a></h1>
<h4> </h4>
<h2>This site is hosted by the generous folks at <a
href="http://www.sf.net">SourceForge.net</a> </h2>
<h2><a name="Donations"></a>Donations</h2>
</td>
<td width="88" bgcolor="#4b017c" valign="top"
align="center"> <br>
</td>
</tr>
</tbody>
</table>
</center>
</div>
<table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c">
<tbody>
<tr>
<td width="100%" style="margin-top: 1px;">
<p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10">
</a></p>
<p align="center"><font size="4" color="#ffffff">Shorewall is free but
if you try it and find it useful, please consider making a donation
to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight Children's
Foundation.</font></a> Thanks!</font></p>
</td>
</tr>
</tbody>
</table>
<p><font size="2">Updated 12/22/2002 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
</body>
</html>
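Review bot: in the 12/3/2002 Shorewall 1.3.11a entry, "Current 1.3.11 users who don't need rules of this type need not upgrade to 1.3.11" should say "need not upgrade to 1.3.11a"; as written it tells 1.3.11 users they need not upgrade to the version they already run. Spelling in the same hunk: "milage" (Beta 2 item 3) should be "mileage", "documenation" (both PDF entries) should be "documentation", and "MandrakeSofts's" should be "MandrakeSoft's". In the 1.3.11 entry, "make a set of sanity check" should be "sanity checks" and "(in may not be qualified)" should be "(it may not be qualified)". The empty '<p><b></b></p>' and '<ul></ul>' pair just before the "More News" link, and the empty '<h2> </h2>' and '<h4> </h4>' spacers around the SourceForge logo, look like editor leftovers and can be dropped.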

View File

@ -44,10 +44,10 @@ in one of its most common configurations:</p>
</ul>
<p>This guide assumes that you have the iproute/iproute2 package installed
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell if
this package is installed by the presence of an <b>ip</b> program on your
firewall system. As root, you can use the 'which' command to check for
this program:</p>
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell
if this package is installed by the presence of an <b>ip</b> program on
your firewall system. As root, you can use the 'which' command to check
for this program:</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
@ -61,8 +61,8 @@ this program:</p>
    If you edit your configuration files on a Windows system, you must
save them as Unix files if your editor supports that option or you must
run them through dos2unix before trying to use them. Similarly, if you copy
a configuration file from your Windows hard drive to a floppy disk, you
must run dos2unix against the copy before using it with Shorewall.</p>
a configuration file from your Windows hard drive to a floppy disk, you must
run dos2unix against the copy before using it with Shorewall.</p>
<ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
@ -74,14 +74,16 @@ Version of dos2unix</a></li>
<h2 align="left">Shorewall Concepts</h2>
<p>The configuration files for Shorewall are contained in the directory
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
alt="">
    The configuration files for Shorewall are contained in the directory
/etc/shorewall -- for simple setups, you only need to deal with a few of
these as described in this guide. After you have <a href="Install.htm">installed
Shorewall</a>, download the <a
Shorewall</a>, <b>download the <a
href="/pub/shorewall/LATEST.samples/one-interface.tgz">one-interface sample</a>,
un-tar it (tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewall
(they will replace files with the same names that were placed in /etc/shorewall
during Shorewall installation).</p>
during Shorewall installation)</b>.</p>
<p>As each file is introduced, I suggest that you look through the actual
file on your system -- each file contains detailed configuration instructions
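Review bot: the context line "un-tar it (tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewall" has a doubled "and"; since this paragraph is being re-wrapped and bolded anyway, fix it to "and copy". The new decorative image is added with an empty alt attribute, which is fine for a bullet graphic, but the bolded span now wraps a link plus a parenthetical across several lines, so check that the '</b>' placed before the final period renders as intended.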
@ -115,8 +117,8 @@ un-tar it (tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewal
in terms of zones.</p>
<ul>
<li>You express your default policy for connections from one zone to
another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
<li>You express your default policy for connections from one zone
to another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
</a>file.</li>
<li>You define exceptions to those default policies in the <a
href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
@ -124,14 +126,14 @@ un-tar it (tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewal
</ul>
<p>For each connection request entering the firewall, the request is first
checked against the /etc/shorewall/rules file. If no rule in that file matches
the connection request then the first policy in /etc/shorewall/policy that
matches the request is applied. If that policy is REJECT or DROP  the
request is first checked against the rules in /etc/shorewall/common (the
samples provide that file for you).</p>
checked against the /etc/shorewall/rules file. If no rule in that file
matches the connection request then the first policy in /etc/shorewall/policy
that matches the request is applied. If that policy is REJECT or DROP 
the request is first checked against the rules in /etc/shorewall/common
(the samples provide that file for you).</p>
<p>The /etc/shorewall/policy file included with the one-interface sample has
the following policies:</p>
<p>The /etc/shorewall/policy file included with the one-interface sample
has the following policies:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -178,8 +180,8 @@ the following policies:</p>
<li>allow all connection requests from the firewall to the internet</li>
<li>drop (ignore) all connection requests from the internet to your
firewall</li>
<li>reject all other connection requests (Shorewall requires this catchall
policy).</li>
<li>reject all other connection requests (Shorewall requires this
catchall policy).</li>
</ol>
@ -201,8 +203,8 @@ a <b>ppp0</b>. If you connect via a regular modem, your External Interface
<p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
height="13">
    The Shorewall one-interface sample configuration assumes that the
external interface is <b>eth0</b>. If your configuration is different, you
will have to modify the sample /etc/shorewall/interfaces file accordingly.
external interface is <b>eth0</b>. If your configuration is different,
you will have to modify the sample /etc/shorewall/interfaces file accordingly.
While you are there, you may wish to review the list of options that are
specified for the interface. Some hints:</p>
@ -239,9 +241,9 @@ specified for the interface. Some hints:</p>
<p align="left"><img border="0" src="images/BD21298_.gif" align="left"
width="13" height="13">
     Before starting Shorewall, you should look at the IP address of
your external interface and if it is one of the above ranges, you should
remove the 'norfc1918' option from the entry in /etc/shorewall/interfaces.</p>
     Before starting Shorewall, you should look at the IP address
of your external interface and if it is one of the above ranges, you
should remove the 'norfc1918' option from the entry in /etc/shorewall/interfaces.</p>
</div>
<div align="left">
@ -283,8 +285,8 @@ specified for the interface. Some hints:</p>
</div>
<div align="left">
<p align="left">Example - You want to run a Web Server and a POP3 Server on
your firewall system:</p>
<p align="left">Example - You want to run a Web Server and a POP3 Server
on your firewall system:</p>
</div>
<div align="left">
@ -326,8 +328,8 @@ your firewall system:</p>
</div>
<div align="left">
<p align="left">If you don't know what port and protocol a particular application
uses, see <a href="ports.htm">here</a>.</p>
<p align="left">If you don't know what port and protocol a particular
application uses, see <a href="ports.htm">here</a>.</p>
</div>
<div align="left">
@ -416,7 +418,7 @@ added an entry for the IP address that you are connected from to <a
try" command</a>.</p>
</div>
<p align="left"><font size="2">Last updated 11/21/2002 - <a
<p align="left"><font size="2">Last updated 12/9/2002 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas
@ -425,5 +427,6 @@ try" command</a>.</p>
<br>
<br>
<br>
<br>
</body>
</html>

View File

@ -2,16 +2,22 @@
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Support</title>
<meta name="Microsoft Theme" content="none">
</head>
<body>
@ -23,63 +29,94 @@
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Support</font></h1>
<h1 align="center"><font color="#ffffff">Shorewall Support<img
src="images/obrasinf.gif" alt="" width="90" height="90" align="middle">
</font></h1>
</td>
</tr>
</tbody>
</table>
<h3 align="left"> <span style="font-weight: 400;"><i> "<font size="3">It
is easier to post a problem than to use your own brain" </font>-- </i> <font
size="2">Wietse Venema (creator of <a href="http://www.postfix.org">Postfix</a>)</font></span></h3>
<p> <br>
<span style="font-weight: 400;"></span></p>
<p align="left"> <i>"Any sane computer will tell you how it works -- you
just have to ask it the right questions" </i>-- <font size="2">Tom Eastep</font></p>
<h2><big><font color="#ff0000"><b>I don't look at problems sent to me directly
but I try to spend some amount of time each day responding to problems
posted on the Shorewall mailing list.</b></font></big></h2>
<blockquote> </blockquote>
<h2 align="center"><big><font color="#ff0000"><b>-Tom</b></font></big></h2>
<p><span style="font-weight: 400;"><i>"It irks me when people believe that
free software comes at no cost. The cost is incredibly high."</i>
- <font size="2"> Wietse Venem<br>
</font></span></p>
<h2>Before Reporting a Problem</h2>
<h3 align="left">Before Reporting a Problem</h3>
<b><i>"Reading the documentation fully is a prerequisite to getting help
for your particular situation. I know it's harsh but you will have to get
so far on your own before you can get reasonable help from a list full of
busy people. A mailing list is not a tool to speed up your day by being
spoon fed</i></b><i><b>".</b> </i>-- Simon White<br>
<h3>T<b>here are a number of sources for problem solution information. Please
try these before you post.</b></h3>
<p>There are also a number of sources for problem solution information.</p>
<h3> </h3>
<h3> </h3>
<ul>
<li>The <a href="FAQ.htm">FAQ</a> has solutions to common problems.</li>
<li>The <a href="troubleshoot.htm">Troubleshooting</a> Information
contains a number of tips to help you solve common problems.</li>
<li>The <a href="errata.htm"> Errata</a> has links to download
updated components.</li>
<li>The Mailing List Archives search facility can locate posts
about similar problems:</li>
<li>
<h3><b>The <a href="FAQ.htm">FAQ</a> has solutions to more than 20 common
problems.</b></h3>
</li>
</ul>
<h4>Mailing List Archive Search</h4>
<h3> </h3>
<ul>
<li>
<h3><b>The <a href="troubleshoot.htm">Troubleshooting</a> Information
contains a number of tips to help you solve common problems.</b></h3>
</li>
</ul>
<h3> </h3>
<ul>
<li>
<h3><b>The <a href="errata.htm"> Errata</a> has links to download
updated components.</b></h3>
</li>
</ul>
<h3> </h3>
<ul>
<li>
<h3><b>The Mailing List Archives search facility can locate posts
about similar problems:</b></h3>
</li>
</ul>
<h2> </h2>
<h2>Mailing List Archive Search</h2>
<form method="post" action="http://www.shorewall.net/cgi-bin/htsearch">
<p> <font size="-1"> Match:
<select name="method">
<option value="and">All </option>
<option value="or">Any </option>
<option value="boolean">Boolean </option>
</select>
Format:
<select name="format">
<option value="builtin-long">Long </option>
<option value="builtin-short">Short </option>
</select>
Sort by:
<select name="sort">
<option value="score">Score </option>
<option value="time">Time </option>
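Review bot: the attribution "Wietse Venem" on the second quotation is missing its final letter; the first quotation spells it "Wietse Venema". In the heading "T<b>here are a number of sources for problem solution information", the '<b>' opens after the first letter so only "here are ..." is bolded; move it before the "T". Structurally, the four "sources" items are each placed in a separate '<ul>' with a single '<li>' holding an '<h3><b>', separated by empty '<h3> </h3>' spacers; a single '<ul>' with four '<li>' elements renders as one list and is much easier to maintain. The run '</i></b><i><b>".</b> </i>' around the closing quotation mark of the Simon White quote closes and immediately reopens both italic and bold and can be collapsed.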
@ -88,82 +125,163 @@ about similar problems:</li>
<option value="revtime">Reverse Time </option>
<option value="revtitle">Reverse Title </option>
</select>
</font> <input type="hidden" name="config" value="htdig"> <input
type="hidden" name="restrict"
</font> <input type="hidden" name="config"
value="htdig"> <input type="hidden" name="restrict"
value="[http://www.shorewall.net/pipermail/.*]"> <input type="hidden"
name="exclude" value=""> <br>
Search: <input type="text" size="30" name="words" value=""> <input
type="submit" value="Search"> </p>
Search: <input type="text" size="30" name="words"
value=""> <input type="submit" value="Search"> </p>
</form>
<h3 align="left">Problem Reporting Guideline</h3>
<h2>Problem Reporting Guidelines</h2>
<i>"Let me see if I can translate your message into a real-world example. 
It would be like saying that you have three rooms at home, and when you
walk into one of the rooms, you detect this strange smell.  Can anyone tell
you what that strange smell is?<br>
<br>
Now, all of us could do some wonderful guessing as to the smell and even
what's causing it.  You would be absolutely amazed at the range and variety
of smells we could come up with.  Even more amazing is that all of the explanations
for the smells would be completely plausible."<br>
</i><br>
<div align="center">   - Russell Mosemann<br>
</div>
<br>
<h3> </h3>
<ul>
<li>When reporting a problem, give as much information as you
can. Reports that say "I tried XYZ and it didn't work" are not at all
helpful.</li>
<li>Please don't describe your environment and then ask us to
send you custom configuration files. We're here to answer your
questions but we can't do your job for you.</li>
<li>Do you see any "Shorewall" messages in /var/log/messages
when you exercise the function that is giving you problems?</li>
<li>Have you looked at the packet flow with a tool like tcpdump
to try to understand what is going on?</li>
<li>Have you tried using the diagnostic capabilities of the
application that isn't working? For example, if "ssh" isn't able
to connect, using the "-v" option gives you a lot of valuable diagnostic
information.</li>
<li>Please include any of the Shorewall configuration files (especially
the /etc/shorewall/hosts file if you have modified that file) that
you think are relevant. If an error occurs when you try to "shorewall
start", include a trace (See the <a href="troubleshoot.htm">Troubleshooting</a>
section for instructions).</li>
<li>The list server limits posts to 120kb so don't post GIFs of
your network layout, etc to the Mailing List -- your post will
be rejected.</li>
<li>
<h3><b>When reporting a problem, give as much information as you can.
Reports that say "I tried XYZ and it didn't work" are not at all helpful.</b></h3>
</li>
</ul>
<h3>Where to Send your Problem Report or to Ask for Help</h3>
<b>If you run Shorewall on Mandrake 9.0 </b>-- send your problem
reports and questions to MandrakeSoft. I ordered a Mandrake 9.0 boxed set
on October 3, 2002; MandrakeSoft issued a charge against my credit card on
October 4, 2002 (they are very effecient at that part of the order process)
and I haven't heard a word from them since (although their news letters
boast that 9.0 boxed sets have been shipping for the last two weeks). If
they can't fill my 9.0 order within <u>6 weeks after they have billed my
credit card</u> then I refuse to spend my free time supporting their product
for them.<br>
<br>
<b>Mandrake Update - 11/26/2002 - </b>Mandrake have informed me that "Your
order is part of a batch of which was not correctly sent to our shipping
handler, and so unfortunately was not processed". They further assure me
that these mishandled orders will begin shipping on 12/2/2002.<br>
<h3> </h3>
<h4>If you run Shorewall under Bering -- <span style="font-weight: 400;">please
post your question or problem to the <a
href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing list</a>.</span></h4>
<ul>
<li>
<h3><b>Please don't describe your environment and then ask us to send
you custom configuration files. We're here to answer your
questions but we can't do your job for you.</b></h3>
</li>
</ul>
<h3> </h3>
<ul>
<li>
<h3><b>Do you see any "Shorewall" messages in /var/log/messages
when you exercise the function that is giving you problems?</b></h3>
</li>
</ul>
<h3> </h3>
<ul>
<li>
<h3><b>Have you looked at the packet flow with a tool like tcpdump
to try to understand what is going on?</b></h3>
</li>
</ul>
<h3> </h3>
<ul>
<li>
<h3><b>Have you tried using the diagnostic capabilities of the
application that isn't working? For example, if "ssh" isn't able
to connect, using the "-v" option gives you a lot of valuable diagnostic
information.</b></h3>
</li>
</ul>
<h3> </h3>
<ul>
<li>
<h3><b>Please include any of the Shorewall configuration files (especially
the /etc/shorewall/hosts file if you have modified that file)
that you think are relevant.</b></h3>
</li>
<li>
<h3><b>If an error occurs when you try to "shorewall start", include
a trace (See the <a href="troubleshoot.htm">Troubleshooting</a> section
for instructions).</b></h3>
</li>
</ul>
<h3> </h3>
<ul>
<li>
<h3><b>The list server limits posts to 120kb so don't post GIFs of
your network layout, etc to the Mailing List -- your post
will be rejected.</b></h3>
</li>
</ul>
<h3> </h3>
<h2>Please post in plain text</h2>
<blockquote>
<h3><b> While the list server here at shorewall.net accepts and distributes
HTML posts, a growing number of MTAs serving list subscribers are rejecting
this HTML list traffic. At least one MTA has gone so far as to blacklist
shorewall.net "for continuous abuse"!!</b></h3>
<h3><b> I think that blocking all HTML is a rather draconian way to control
spam and that the unltimate loser here is not the spammers but the list subscribers
whose MTAs are bouncing all shorewall.net mail. Nevertheless, all of you can
help by restricting your list posts to plain text.</b></h3>
<h3><b> And as a bonus, subscribers who use email clients like pine and
mutt will be able to read your plain text posts whereas they are most likely
simply ignoring your HTML posts.</b></h3>
<h3><b> A final bonus for the use of HTML is that it cuts down the size
of messages by a large percentage -- that is important when the same message
must be sent 500 times over the slow DSL line connecting the list server
to the internet.</b> </h3>
</blockquote>
<h2>Where to Send your Problem Report or to Ask for Help</h2>
<h3></h3>
<blockquote>
<h4>If you run Shorewall under Bering -- <span
style="font-weight: 400;">please post your question or problem
to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing
list</a>.</span></h4>
<p>Otherwise, please post your question or problem to the <a
href="mailto:shorewall-users@shorewall.net">Shorewall users mailing list</a>;
there are lots of folks there who are willing to help you. Your question/problem
description and their responses will be placed in the mailing list archives
to help people who have a similar question or problem in the future.</p>
href="mailto:shorewall-users@shorewall.net">Shorewall users mailing list.</a></p>
</blockquote>
<p>I don't look at problems sent to me directly but I try to spend some amount
of time each day responding to problems posted on the mailing list.</p>
<p align="center"><a href="mailto:teastep@shorewall.net">-Tom</a></p>
<p align="center"><big><font color="#ff0000"><b></b></font></big></p>
<p>To Subscribe to the mailing list go to <a
href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a>
.</p>
<p align="left"><font size="2">Last Updated 12/2/2002 - Tom Eastep</font></p>
<p align="left"><font size="2">Last Updated 12/27/2002 - Tom Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
</p>
<br>
<br>
<br>
<br>
<br>
</body>
</html>
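Review bot: the last paragraph of the "Please post in plain text" section says "A final bonus for the use of HTML is that it cuts down the size of messages", which inverts the argument of the preceding paragraphs; it should read "for the use of plain text". Spelling in the same hunk: "unltimate" should be "ultimate" and, in the Mandrake 9.0 paragraph, "effecient" should be "efficient". The empty '<h3></h3>' directly after the "Where to Send your Problem Report or to Ask for Help" heading and the empty '<p align="center"><big><font color="#ff0000"><b></b></font></big></p>' below the "-Tom" signature are leftovers from the edit and can be removed, as can the repeated single-item '<ul>' blocks separated by '<h3> </h3>' spacers in the Problem Reporting Guidelines, which should be one list.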

View File

@ -39,11 +39,12 @@
in one of its more popular configurations:</p>
<ul>
<li>Linux system used as a firewall/router for a small local network.</li>
<li>Linux system used as a firewall/router for a small local
network.</li>
<li>Single public IP address.</li>
<li>DMZ connected to a separate ethernet interface.</li>
<li>Connection through DSL, Cable Modem, ISDN, Frame Relay, dial-up,
...</li>
<li>Connection through DSL, Cable Modem, ISDN, Frame Relay,
dial-up, ...</li>
</ul>
@ -55,43 +56,47 @@
<p>This guide assumes that you have the iproute/iproute2 package installed
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell
if this package is installed by the presence of an <b>ip</b> program on
your firewall system. As root, you can use the 'which' command to check
for this program:</p>
if this package is installed by the presence of an <b>ip</b> program
on your firewall system. As root, you can use the 'which' command to
check for this program:</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
<p>I recommend that you first read through the guide to familiarize yourself
with what's involved then go back through it again making your configuration
changes. Points at which configuration changes are recommended are flagged
with <img border="0" src="images/BD21298_.gif" width="13" height="13">
changes. Points at which configuration changes are recommended are
flagged with <img border="0" src="images/BD21298_.gif" width="13"
height="13">
</p>
<p><img border="0" src="images/j0213519.gif" width="60" height="60">
    If you edit your configuration files on a Windows system, you
must save them as Unix files if your editor supports that option or you
must run them through dos2unix before trying to use them. Similarly, if
you copy a configuration file from your Windows hard drive to a floppy disk,
you must run dos2unix against the copy before using it with Shorewall.</p>
    If you edit your configuration files on a Windows system,
you must save them as Unix files if your editor supports that option
or you must run them through dos2unix before trying to use them. Similarly,
if you copy a configuration file from your Windows hard drive to a floppy
disk, you must run dos2unix against the copy before using it with Shorewall.</p>
<ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
of dos2unix</a></li>
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows
Version of dos2unix</a></li>
<li><a
href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version
of dos2unix</a></li>
</ul>
<h2 align="left">Shorewall Concepts</h2>
<p>The configuration files for Shorewall are contained in the directory
/etc/shorewall -- for simple setups, you will only need to deal with a few
of these as described in this guide. After you have <a
href="Install.htm">installed Shorewall</a>, download the <a
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
alt="">
    The configuration files for Shorewall are contained in the directory
/etc/shorewall -- for simple setups, you will only need to deal with a
few of these as described in this guide. After you have <a
href="Install.htm">installed Shorewall</a>, <b>download the <a
href="/pub/shorewall/LATEST.samples/three-interfaces.tgz">three-interface
sample</a>, un-tar it (tar -zxvf three-interfaces.tgz) and and copy the
files to /etc/shorewall (the files will replace files with the same names
that were placed in /etc/shorewall when Shorewall was installed).</p>
sample</a>, un-tar it (tar -zxvf three-interfaces.tgz) and and copy
the files to /etc/shorewall (the files will replace files with the same
names that were placed in /etc/shorewall when Shorewall was installed)</b>.</p>
<p>As each file is introduced, I suggest that you look through the actual
file on your system -- each file contains detailed configuration instructions
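Review bot: "un-tar it (tar -zxvf three-interfaces.tgz) and and copy the files to /etc/shorewall" has a doubled "and" in both the old and the re-wrapped version of the paragraph, so the rewrite missed it; fix it to "and copy" while the paragraph is being rewritten and bolded.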
@ -133,11 +138,11 @@ following zone names are used:</p>
in terms of zones.</p>
<ul>
<li>You express your default policy for connections from one zone
to another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
<li>You express your default policy for connections from one
zone to another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
</a>file.</li>
<li>You define exceptions to those default policies in the <a
href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
<li>You define exceptions to those default policies in the
<a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
</ul>
@ -190,8 +195,8 @@ following zone names are used:</p>
<blockquote>
<p>In the three-interface sample, the line below is included but commented
out. If you want your firewall system to have full access to servers on
the internet, uncomment that line.</p>
out. If you want your firewall system to have full access to servers
on the internet, uncomment that line.</p>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber3">
@ -218,10 +223,10 @@ following zone names are used:</p>
<p>The above policy will:</p>
<ol>
<li>allow all connection requests from your local network to the
internet</li>
<li>drop (ignore) all connection requests from the internet to
your firewall or local network</li>
<li>allow all connection requests from your local network to
the internet</li>
<li>drop (ignore) all connection requests from the internet
to your firewall or local network</li>
<li>optionally accept all connection requests from the firewall
to the internet (if you uncomment the additional policy)</li>
<li>reject all other connection requests.</li>
@ -243,10 +248,10 @@ any changes that you wish.</p>
will be the ethernet adapter that is connected to that "Modem" (e.g.,
<b>eth0</b>)  <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint
<u>P</u>rotocol over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint
<u>T</u>unneling <u>P</u>rotocol </i>(PPTP) in which case the External Interface
will be a ppp interface (e.g., <b>ppp0</b>). If you connect via a regular
modem, your External Interface will also be <b>ppp0</b>. If you connect
using ISDN, you external interface will be <b>ippp0.</b></p>
<u>T</u>unneling <u>P</u>rotocol </i>(PPTP) in which case the External
Interface will be a ppp interface (e.g., <b>ppp0</b>). If you connect via
a regular modem, your External Interface will also be <b>ppp0</b>. If you
connect using ISDN, you external interface will be <b>ippp0.</b></p>
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13">
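Review bot: "If you connect using ISDN, you external interface will be ippp0" should read "your external interface"; the typo is carried over unchanged into the re-wrapped line. Also, '<b>ippp0.</b>' puts the sentence-final period inside the bold, unlike '<b>ppp0</b>.' earlier in the same sentence; move the period outside for consistency.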
@ -255,32 +260,32 @@ using ISDN, you external interface will be <b>ippp0.</b></p>
href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf.</a></p>
<p align="left">Your <i>Local Interface</i> will be an ethernet adapter (eth0,
eth1 or eth2) and will be connected to a hub or switch. Your local computers
will be connected to the same switch (note: If you have only a single
local system, you can connect the firewall directly to the computer using
a <i>cross-over </i> cable).</p>
eth1 or eth2) and will be connected to a hub or switch. Your local
computers will be connected to the same switch (note: If you have only
a single local system, you can connect the firewall directly to the
computer using a <i>cross-over </i> cable).</p>
<p align="left">Your <i>DMZ Interface</i> will also be an ethernet adapter
(eth0, eth1 or eth2) and will be connected to a hub or switch. Your DMZ
computers will be connected to the same switch (note: If you have only
a single DMZ system, you can connect the firewall directly to the computer
using a <i>cross-over </i> cable).</p>
(eth0, eth1 or eth2) and will be connected to a hub or switch. Your
DMZ computers will be connected to the same switch (note: If you have
only a single DMZ system, you can connect the firewall directly to the
computer using a <i>cross-over </i> cable).</p>
<p align="left"><u><b> <img border="0" src="images/j0213519.gif"
width="60" height="60">
</b></u>Do not connect more than one interface to the same hub or
switch (even for testing). It won't work the way that you expect it to
and you will end up confused and believing that Shorewall doesn't work
at all.</p>
</b></u>Do not connect more than one interface to the same hub
or switch (even for testing). It won't work the way that you expect it
to and you will end up confused and believing that Shorewall doesn't
work at all.</p>
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13">
    The Shorewall three-interface sample configuration assumes that
the external interface is <b>eth0, </b>the local interface is <b>eth1
    The Shorewall three-interface sample configuration assumes
that the external interface is <b>eth0, </b>the local interface is <b>eth1
</b>and the DMZ interface is <b> eth2</b>. If your configuration is different,
you will have to modify the sample /etc/shorewall/interfaces file accordingly.
While you are there, you may wish to review the list of options that are
specified for the interfaces. Some hints:</p>
While you are there, you may wish to review the list of options that
are specified for the interfaces. Some hints:</p>
<ul>
<li>
@ -289,8 +294,8 @@ at all.</p>
</li>
<li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>
or if you have a static IP address, you can remove "dhcp" from the option
list. </p>
or if you have a static IP address, you can remove "dhcp" from the
option list. </p>
</li>
</ul>
@ -298,17 +303,18 @@ at all.</p>
<h2 align="left">IP Addresses</h2>
<p align="left">Before going further, we should say a few words about Internet
Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you a single
<i> Public</i> IP address. This address may be assigned via the<i> Dynamic
Host Configuration Protocol</i> (DHCP) or as part of establishing your
connection when you dial in (standard modem) or establish your PPP connection.
In rare cases, your ISP may assign you a<i> static</i> IP address; that
means that you configure your firewall's external interface to use that
address permanently.<i> </i>Regardless of how the address is assigned,
it will be shared by all of your systems when you access the Internet.
You will have to assign your own addresses for your internal network (the
local and DMZ Interfaces on your firewall plus your other computers). RFC
1918 reserves several <i>Private </i>IP address ranges for this purpose:</p>
Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you
a single <i> Public</i> IP address. This address may be assigned via
the<i> Dynamic Host Configuration Protocol</i> (DHCP) or as part of
establishing your connection when you dial in (standard modem) or establish
your PPP connection. In rare cases, your ISP may assign you a<i> static</i>
IP address; that means that you configure your firewall's external interface
to use that address permanently.<i> </i>Regardless of how the address is
assigned, it will be shared by all of your systems when you access the
Internet. You will have to assign your own addresses for your internal
network (the local and DMZ Interfaces on your firewall plus your other
computers). RFC 1918 reserves several <i>Private </i>IP address ranges for
this purpose:</p>
<div align="left">
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
@ -331,10 +337,10 @@ range of addresses x.y.z.0 - x.y.z.255. Such a subnet will have a <i>Subnet
Mask </i>of 255.255.255.0. The address x.y.z.0 is reserved as the <i>Subnet
Address</i> and x.y.z.255 is reserved as the <i>Subnet Broadcast</i>
<i>Address</i>. In Shorewall, a subnet is described using <a
href="subnet_masks.htm"><i>Classless InterDomain Routing </i>(CIDR)</a>
notation with consists of the subnet address followed by "/24". The "24"
refers to the number of consecutive "1" bits from the left of the subnet
mask. </p>
href="shorewall_setup_guide.htm#Subnets"><i>Classless InterDomain Routing
</i>(CIDR)</a> notation with consists of the subnet address followed
by "/24". The "24" refers to the number of consecutive "1" bits from
the left of the subnet mask. </p>
</div>
<div align="left">
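Review bot: the rewrapped CIDR sentence carries the typo "notation with consists of the subnet address" into the new text; while this line is being touched, change it to "notation which consists of". The link target also moves from subnet_masks.htm to shorewall_setup_guide.htm#Subnets, so confirm that the #Subnets anchor actually exists in the setup guide before the old page is retired.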
@ -384,16 +390,16 @@ mask. </p>
<div align="left">
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13">
    Your local computers (Local Computers 1 &amp; 2) should be
configured with their<i> default gateway</i> set to the IP address of
the firewall's internal interface and your DMZ computers ( DMZ Computers
1 &amp; 2) should be configured with their default gateway set to the
IP address of the firewall's DMZ interface.   </p>
    Your local computers (Local Computers 1 &amp; 2) should
be configured with their<i> default gateway</i> set to the IP address
of the firewall's internal interface and your DMZ computers ( DMZ
Computers 1 &amp; 2) should be configured with their default gateway
set to the IP address of the firewall's DMZ interface.   </p>
</div>
<p align="left">The foregoing short discussion barely scratches the surface
regarding subnetting and routing. If you are interested in learning more
about IP addressing and routing, I highly recommend <i>"IP Fundamentals:
regarding subnetting and routing. If you are interested in learning
more about IP addressing and routing, I highly recommend <i>"IP Fundamentals:
What Everyone Needs to Know about Addressing &amp; Routing",</i> Thomas
A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
@ -410,24 +416,24 @@ IP address of the firewall's DMZ interface.
<h2 align="left">IP Masquerading (SNAT)</h2>
<p align="left">The addresses reserved by RFC 1918 are sometimes referred
to as <i>non-routable</i> because the Internet backbone routers don't forward
packets which have an RFC-1918 destination address. When one of your
local systems (let's assume local computer 1) sends a connection request
to an internet host, the firewall must perform <i>Network Address Translation
</i>(NAT). The firewall rewrites the source address in the packet to be
the address of the firewall's external interface; in other words, the firewall
makes it look as if the firewall itself is initiating the connection. 
This is necessary so that the destination host will be able to route return
packets back to the firewall (remember that packets whose destination
address is reserved by RFC 1918 can't be routed accross the internet).
When the firewall receives a return packet, it rewrites the destination
address back to 10.10.10.1 and forwards the packet on to local computer
1. </p>
to as <i>non-routable</i> because the Internet backbone routers don't
forward packets which have an RFC-1918 destination address. When one
of your local systems (let's assume local computer 1) sends a connection
request to an internet host, the firewall must perform <i>Network Address
Translation </i>(NAT). The firewall rewrites the source address in the
packet to be the address of the firewall's external interface; in other
words, the firewall makes it look as if the firewall itself is initiating
the connection.  This is necessary so that the destination host will be
able to route return packets back to the firewall (remember that packets
whose destination address is reserved by RFC 1918 can't be routed accross
the internet). When the firewall receives a return packet, it rewrites
the destination address back to 10.10.10.1 and forwards the packet on
to local computer 1. </p>
<p align="left">On Linux systems, the above process is often referred to as<i>
IP Masquerading</i> and you will also see the term <i>Source Network Address
Translation </i>(SNAT) used. Shorewall follows the convention used with
Netfilter:</p>
<p align="left">On Linux systems, the above process is often referred to
as<i> IP Masquerading</i> and you will also see the term <i>Source Network
Address Translation </i>(SNAT) used. Shorewall follows the convention used
with Netfilter:</p>
<ul>
<li>
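Review bot: "can't be routed accross the internet" keeps the misspelling "accross" in the rewrapped SNAT paragraph; change to "across". Everything else in this hunk is a line-break change with no wording difference.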
@ -437,8 +443,8 @@ address back to 10.10.10.1 and forwards the packet on to local computer
</li>
<li>
<p align="left"><i>SNAT</i> refers to the case when you explicitly specify
the source address that you want outbound packets from your local network
to use. </p>
the source address that you want outbound packets from your local
network to use. </p>
</li>
</ul>
@ -449,8 +455,8 @@ address back to 10.10.10.1 and forwards the packet on to local computer
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13">
    If your external firewall interface is <b>eth0</b>, your local
interface <b>eth1 </b>and your DMZ interface is <b>eth2</b> then you do
not need to modify the file provided with the sample. Otherwise, edit
interface <b>eth1 </b>and your DMZ interface is <b>eth2</b> then you
do not need to modify the file provided with the sample. Otherwise, edit
/etc/shorewall/masq and change it to match your configuration.</p>
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
@ -458,19 +464,34 @@ address back to 10.10.10.1 and forwards the packet on to local computer
    If your external IP is static, you can enter it in the third
column in the /etc/shorewall/masq entry if you like although your firewall
will work fine if you leave that column empty. Entering your static IP
in column 3 makes processing outgoing packets a little more efficient.
in column 3 makes <br>
processing outgoing packets a little more efficient.<br>
</p>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13" alt="">
    If you are using the Debian package, please check your shorewall.conf
file to ensure that the following are set correctly; if they are not, change
them appropriately:<br>
</p>
<ul>
<li>NAT_ENABLED=Yes</li>
<li>IP_FORWARDING=On<br>
</li>
</ul>
<h2 align="left">Port Forwarding (DNAT)</h2>
<p align="left">One of your goals will be to run one or more servers on your
DMZ computers. Because these computers have RFC-1918 addresses, it is not
possible for clients on the internet to connect directly to them. It
is rather necessary for those clients to address their connection requests
to your firewall who rewrites the destination address to the address of
your server and forwards the packet to that server. When your server responds,
the firewall automatically performs SNAT to rewrite the source address
in the response.</p>
DMZ computers. Because these computers have RFC-1918 addresses, it is
not possible for clients on the internet to connect directly to them.
It is rather necessary for those clients to address their connection
requests to your firewall who rewrites the destination address to the
address of your server and forwards the packet to that server. When your
server responds, the firewall automatically performs SNAT to rewrite
the source address in the response.</p>
<p align="left">The above process is called<i> Port Forwarding</i> or <i>
Destination Network Address Translation</i> (DNAT). You configure port
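Review bot: the rewrapped static-IP sentence now contains a stray `<br>` in the middle of "makes <br> processing outgoing packets", which renders as a line break inside the sentence; drop it. The new Debian note uses the marker image "images/BD21298_.gif", whereas the neighbouring markers are BD21298_1.gif and BD21298_2.gif, so check that the file exists or the note will show a broken image. While here, "your firewall who rewrites the destination address" in the DNAT paragraph should read "which rewrites".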
@ -507,8 +528,8 @@ in the response.</p>
</table>
</blockquote>
<p>If you don't specify the <i>&lt;server port&gt;</i>, it is assumed to be
the same as <i>&lt;port&gt;</i>.</p>
<p>If you don't specify the <i>&lt;server port&gt;</i>, it is assumed to
be the same as <i>&lt;port&gt;</i>.</p>
<p>Example - you run a Web Server on DMZ 2 and you want to forward incoming
TCP port 80 to that system:</p>
@ -554,9 +575,9 @@ the same as <i>&lt;port&gt;</i>.</p>
<ul>
<li>When you are connecting to your server from your local systems,
you must use the server's internal IP address (10.10.11.2).</li>
<li>Many ISPs block incoming connection requests to port 80. If
you have problems connecting to your web server, try the following rule
and try connecting to port 5000 (e.g., connect to <a
<li>Many ISPs block incoming connection requests to port 80.
If you have problems connecting to your web server, try the following
rule and try connecting to port 5000 (e.g., connect to <a
href="http://w.x.y.z:5000"> http://w.x.y.z:5000</a> where w.x.y.z is your
external IP).</li>
@ -590,8 +611,8 @@ and try connecting to port 5000 (e.g., connect to <a
</blockquote>
<p>If you want to be able to access your server from the local network using
your external address, then if you have a static external IP you can replace
the loc-&gt;dmz rule above with:</p>
your external address, then if you have a static external IP you can
replace the loc-&gt;dmz rule above with:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -621,8 +642,8 @@ and try connecting to port 5000 (e.g., connect to <a
</blockquote>
<p>If you have a dynamic ip then you must ensure that your external interface
is up before starting Shorewall and you must take steps as follows (assume
that your external interface is <b>eth0</b>):</p>
is up before starting Shorewall and you must take steps as follows
(assume that your external interface is <b>eth0</b>):</p>
<ol>
<li>Include the following in /etc/shorewall/params:<br>
@ -673,35 +694,36 @@ address, see <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p>
<p align="left">Normally, when you connect to your ISP, as part of getting
an IP address your firewall's <i>Domain Name Service </i>(DNS) resolver
will be automatically configured (e.g., the /etc/resolv.conf file will
be written). Alternatively, your ISP may have given you the IP address of
a pair of DNS <i> name servers</i> for you to manually configure as your
primary and secondary name servers. It is <u>your</u> responsibility to
configure the resolver in your internal systems. You can take one of two
approaches:</p>
be written). Alternatively, your ISP may have given you the IP address
of a pair of DNS <i> name servers</i> for you to manually configure as
your primary and secondary name servers. It is <u>your</u> responsibility
to configure the resolver in your internal systems. You can take one
of two approaches:</p>
<ul>
<li>
<p align="left">You can configure your internal systems to use your ISP's
name servers. If you ISP gave you the addresses of their servers or
if those addresses are available on their web site, you can configure
your internal systems to use those addresses. If that information isn't
available, look in /etc/resolv.conf on your firewall system -- the name
servers are given in "nameserver" records in that file. </p>
name servers. If you ISP gave you the addresses of their servers
or if those addresses are available on their web site, you can configure
your internal systems to use those addresses. If that information
isn't available, look in /etc/resolv.conf on your firewall system
-- the name servers are given in "nameserver" records in that file.
</p>
</li>
<li>
<p align="left"><img border="0" src="images/BD21298_2.gif"
width="13" height="13">
    You can configure a<i> Caching Name Server </i>on your firewall
or in your DMZ.<i> </i>Red Hat has an RPM for a caching name server (which
also requires the 'bind' RPM) and for Bering users, there is dnscache.lrp.
If you take this approach, you configure your internal systems to use
the caching name server as their primary (and only) name server. You use
the internal IP address of the firewall (10.10.10.254 in the example above)
for the name server address if you choose to run the name server on
your firewall. To allow your local systems to talk to your caching name
server, you must open port 53 (both UDP and TCP) from the local network
to the server; you do that by adding the rules in /etc/shorewall/rules.
</p>
or in your DMZ.<i> </i>Red Hat has an RPM for a caching name server
(which also requires the 'bind' RPM) and for Bering users, there
is dnscache.lrp. If you take this approach, you configure your internal
systems to use the caching name server as their primary (and only)
name server. You use the internal IP address of the firewall (10.10.10.254
in the example above) for the name server address if you choose to
run the name server on your firewall. To allow your local systems to talk
to your caching name server, you must open port 53 (both UDP and TCP)
from the local network to the server; you do that by adding the rules
in /etc/shorewall/rules. </p>
</li>
</ul>
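Review bot: "If you ISP gave you the addresses" survives the rewrap; it should be "If your ISP". In the caching-name-server bullet, "you do that by adding the rules in /etc/shorewall/rules" refers to rules that are not shown in this hunk; if they appear further down the page, a pointer to them here (or an inline ACCEPT rule for udp/tcp 53 from loc to the server zone) would save the reader a search.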
@ -917,8 +939,8 @@ to the server; you do that by adding the rules in /etc/shorewall/rules.
<div align="left">
<p align="left">That rule allows you to run an SSH server on your firewall
and in each of your DMZ systems and to connect to those servers from
your local systems.</p>
and in each of your DMZ systems and to connect to those servers
from your local systems.</p>
</div>
<div align="left">
@ -1004,14 +1026,14 @@ to the server; you do that by adding the rules in /etc/shorewall/rules.
</div>
<div align="left">
<p align="left">If you don't know what port and protocol a particular application
uses, look <a href="ports.htm">here</a>.</p>
<p align="left">If you don't know what port and protocol a particular
application uses, look <a href="ports.htm">here</a>.</p>
</div>
<div align="left">
<p align="left"><b>Important: </b>I don't recommend enabling telnet to/from
the internet because it uses clear text (even for login!). If you want
shell access to your firewall from the internet, use SSH:</p>
the internet because it uses clear text (even for login!). If you
want shell access to your firewall from the internet, use SSH:</p>
</div>
<div align="left">
@ -1073,8 +1095,8 @@ uses, look <a href="ports.htm">here</a>.</p>
<div align="left">
<p align="left">The firewall is started using the "shorewall start" command
and stopped using "shorewall stop". When the firewall is stopped, routing
is enabled on those hosts that have an entry in <a
and stopped using "shorewall stop". When the firewall is stopped,
routing is enabled on those hosts that have an entry in <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A
running firewall may be restarted using the "shorewall restart" command.
If you want to totally remove any trace of Shorewall from your Netfilter
@ -1093,16 +1115,16 @@ of hosts, modify /etc/shorewall/routestopped accordingly.</p>
<div align="left">
<p align="left"><b>WARNING: </b>If you are connected to your firewall from
the internet, do not issue a "shorewall stop" command unless you have
added an entry for the IP address that you are connected from to <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
the internet, do not issue a "shorewall stop" command unless you
have added an entry for the IP address that you are connected from
to <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better to create
an <i><a href="configuration_file_basics.htm#Configs">alternate configuration</a></i>
and test it using the <a
href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p>
</div>
<p align="left"><font size="2">Last updated 11/21/2002 - <a
<p align="left"><font size="2">Last updated 12/20/2002 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas
@ -1115,5 +1137,8 @@ of hosts, modify /etc/shorewall/routestopped accordingly.</p>
<br>
<br>
<br>
<br>
<br>
<br>
</body>
</html>

View File

@ -20,6 +20,7 @@
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Traffic Shaping/Control</font></h1>
</td>
</tr>
@ -37,12 +38,12 @@ to provide the "ip" and "tc" utilities.</p>
<p align="left">Shorewall traffic shaping support consists of the following:</p>
<ul>
<li>A new TC_ENABLED parameter in /etc/shorewall.conf. Traffic Shaping
also requires that you enable packet mangling.<br>
<li>A new TC_ENABLED parameter in /etc/shorewall.conf. Traffic
Shaping also requires that you enable packet mangling.<br>
</li>
<li>/etc/shorewall/tcrules - A file where you can specify firewall
marking of packets. The firewall mark value may be used to classify packets
for traffic shaping/control.<br>
marking of packets. The firewall mark value may be used to classify
packets for traffic shaping/control.<br>
</li>
<li>/etc/shorewall/tcstart - A user-supplied file that is sourced
by Shorewall during "shorewall start" and which you can use to define
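Review bot: "/etc/shorewall.conf" in the TC_ENABLED bullet looks like a wrong path; the configuration file is referred to as /etc/shorewall/shorewall.conf elsewhere in these documents (see the shorewall.conf link in the three-interface guide above). The rewrap kept the old path, so fix it while the line is being edited.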
@ -52,13 +53,24 @@ your traffic shaping disciplines and classes. I have provided a <a
the HOWTO mentioned above, you can probably code your own faster than
you can learn how to use my sample. I personally use <a
href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB</a> (see below). HTB
support may eventually become an integral part of Shorewall since HTB
is a lot simpler and better-documented than CBQ. HTB is currently not
a standard part of either the kernel or iproute2 so both must be patched
in order to use it.<br>
support may eventually become an integral part of Shorewall since
HTB is a lot simpler and better-documented than CBQ. As of 2.4.20,
HTB is a standard part of the kernel but iproute2 must be patched in
order to use it.<br>
<br>
In tcstart, when you want to run the 'tc' utility, use the run_tc function
supplied by shorewall. <br>
In tcstart, when you want to run the 'tc' utility, use the run_tc
function supplied by shorewall if you want tc errors to stop the firewall.<br>
<br>
You can generally use off-the-shelf traffic shaping scripts by simply copying
them to /etc/shorewall/tcstart. I use <a
href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (HTB version)
that way (i.e., I just copied wshaper.htb to /etc/shorewall/tcstart and
modified it according to the Wonder Shaper README). <b>WARNING: </b>If you
use use Masquerading or SNAT (i.e., you only have one external IP address)
then listing internal hosts in the NOPRIOHOSTSRC variable in the wshaper[.htb]
script won't work. Traffic shaping occurs after SNAT has already been applied
so when traffic shaping happens, all outbound traffic will have as a source
address the IP addresss of your firewall's external interface.<br>
</li>
<li>/etc/shorewall/tcclear - A user-supplied file that is sourced
by Shorewall when it is clearing traffic shaping. This file is normally
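Review bot: doubled word "If you use use Masquerading or SNAT" and misspelling "addresss" in the new WARNING text. The new run_tc sentence ("use the run_tc function supplied by shorewall if you want tc errors to stop the firewall") makes run_tc sound optional without saying what happens otherwise; state plainly that a failing plain "tc" call is ignored and the firewall comes up without the intended shaping, so the reader can decide which behaviour they want. The SNAT/NOPRIOHOSTSRC warning is correct as written: shaping runs on the outbound interface after POSTROUTING has rewritten the source address, which is why per-host source matching in wshaper cannot work there.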
@ -78,8 +90,16 @@ is pretty general.</li>
<h3 align="left"><a name="tcrules"></a>/etc/shorewall/tcrules</h3>
<p align="left">The fwmark classifier provides a convenient way to classify
packets for traffic shaping. The /etc/shorewall/tcrules file provides a
means for specifying these marks in a tabular fashion.</p>
packets for traffic shaping. The /etc/shorewall/tcrules file provides
a means for specifying these marks in a tabular fashion.<br>
</p>
<p align="left">Normally, packet marking occurs in the PREROUTING chain before
any address rewriting takes place. This makes it impossible to mark inbound
packets based on their destination address when SNAT or Masquerading are
being used. Beginning with Shorewall 1.3.12, you can cause packet marking
to occur in the FORWARD chain by using the MARK_IN_FORWARD_CHAIN option in
<a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
</p>
<p align="left">Columns in the file are as follows:</p>
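Review bot: the new MARK_IN_FORWARD_CHAIN paragraph documents the gain (marking after address rewriting so inbound packets can be matched on their real destination) but not the cost. Packets that originate on the firewall itself never traverse the FORWARD chain, yet the SOURCE column below accepts "fw" for exactly those packets; the paragraph should say whether "fw" entries in tcrules still take effect when the option is set, or the reader will silently lose those marks. It would also help to say that marks applied in FORWARD are set after the routing decision, so they cannot be used for mark-based policy routing.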
@ -89,35 +109,35 @@ a match. This is an integer in the range 1-255.<br>
<br>
Example - 5<br>
</li>
<li>SOURCE - The source of the packet. If the packet originates on
the firewall, place "fw" in this column. Otherwise, this is a comma-separated
list of interface names, IP addresses, MAC addresses in <a
href="Documentation.htm#MAC">Shorewall Format</a> and/or Subnets.<br>
<li>SOURCE - The source of the packet. If the packet originates
on the firewall, place "fw" in this column. Otherwise, this is a
comma-separated list of interface names, IP addresses, MAC addresses in
<a href="Documentation.htm#MAC">Shorewall Format</a> and/or Subnets.<br>
<br>
Examples<br>
    eth0<br>
    192.168.2.4,192.168.1.0/24<br>
</li>
<li>DEST -- Destination of the packet. Comma-separated list of IP
addresses and/or subnets.<br>
<li>DEST -- Destination of the packet. Comma-separated list of
IP addresses and/or subnets.<br>
</li>
<li>PROTO - Protocol - Must be the name of a protocol from /etc/protocol,
a number or "all"<br>
<li>PROTO - Protocol - Must be the name of a protocol from
/etc/protocol, a number or "all"<br>
</li>
<li>PORT(S) - Destination Ports. A comma-separated list of Port names
(from /etc/services), port numbers or port ranges (e.g., 21:22); if the
protocol is "icmp", this column is interpreted as the destination icmp
type(s).<br>
<li>PORT(S) - Destination Ports. A comma-separated list of Port
names (from /etc/services), port numbers or port ranges (e.g., 21:22);
if the protocol is "icmp", this column is interpreted as the destination
icmp type(s).<br>
</li>
<li>CLIENT PORT(S) - (Optional) Port(s) used by the client. If omitted,
any source port is acceptable. Specified as a comma-separate list of port
names, port numbers or port ranges.</li>
<li>CLIENT PORT(S) - (Optional) Port(s) used by the client. If
omitted, any source port is acceptable. Specified as a comma-separate
list of port names, port numbers or port ranges.</li>
</ul>
<p align="left">Example 1 - All packets arriving on eth1 should be marked
with 1. All packets arriving on eth2 should be marked with 2. All packets
originating on the firewall itself should be marked with 3.</p>
with 1. All packets arriving on eth2 and eth3 should be marked with 2.
All packets originating on the firewall itself should be marked with 3.</p>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
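Review bot: "comma-separate list" in the CLIENT PORT(S) bullet should be "comma-separated" (the SOURCE bullet already uses that spelling). In the PROTO bullet, "/etc/protocol" should be "/etc/protocols"; the system file has the trailing s, just as /etc/services does in the PORT(S) bullet. The Example 1 prose change ("eth2 and eth3 should be marked with 2") is consistent with the table row added in the next hunk.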
@ -145,6 +165,20 @@ originating on the firewall itself should be marked with 3.</p>
<td> </td>
<td> </td>
</tr>
<tr>
<td valign="top">2<br>
</td>
<td valign="top">eth3<br>
</td>
<td valign="top">0.0.0.0/0<br>
</td>
<td valign="top">all<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
<tr>
<td>3</td>
<td>fw</td>
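Review bot: the new eth3 row uses `<td valign="top">2<br></td>` style cells while the sibling rows in the same table use plain `<td>2</td>`; match the existing cell markup so the row renders at the same height and the trailing `<br>` does not add blank space. The values themselves (mark 2, DEST 0.0.0.0/0, PROTO all, no ports) are what the updated Example 1 text calls for.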
@ -158,7 +192,8 @@ originating on the firewall itself should be marked with 3.</p>
</table>
<p align="left">Example 2 - All GRE (protocol 47) packets not originating
on the firewall and destined for 155.186.235.151 should be marked with 12.</p>
on the firewall and destined for 155.186.235.151 should be marked with
12.</p>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
@ -207,51 +242,52 @@ and destined for 155.186.235.151 should be marked with 22.</p>
</tbody>
</table>
<h3>Hierarchical Token Bucket</h3>
<h3>My Setup<br>
</h3>
<p>I personally use HTB. I have found a couple of things that may be of use
to others.</p>
<ul>
<li>The gzipped tc binary at the <a
href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB website</a> didn't work
for me -- I had to download the lastest version of the <a
href="ftp://ftp.inr.ac.ru/ip-routing">iproute2 sources</a> and patch
them for HTB.</li>
<li>I'm currently running with this set of shaping rules in my tcstart
file. I recently changed from using a ceiling of 10Mbit (interface speed)
to 384kbit (DSP Uplink speed).<br>
<br>
</li>
</ul>
<p>While I am currently using the HTB version of <a
href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (I just copied
wshaper.htb to /etc/shorewall/tcstart and modified it as shown in the Wondershaper
README), I have also run with the following set of hand-crafted rules in
my tcstart file:<br>
</p>
<blockquote>
<pre>run_tc qdisc add dev eth0 root handle 1: htb default 30<br>run_tc class add dev eth0 parent 1: classid 1:1 htb rate 384kbit burst 15k<br><br>echo "   Added Top Level Class -- rate 384kbit"</pre>
<pre>run_tc qdisc add dev eth0 root handle 1: htb default 30<br><br>run_tc class add dev eth0 parent 1: classid 1:1 htb rate 384kbit burst 15k<br><br>echo "   Added Top Level Class -- rate 384kbit"</pre>
<pre>run_tc class add dev eth0 parent 1:1 classid 1:10 htb rate 140kbit ceil 384kbit burst 15k<br>run_tc class add dev eth0 parent 1:1 classid 1:20 htb rate 224kbit ceil 384kbit burst 15k<br>run_tc class add dev eth0 parent 1:1 classid 1:30 htb rate 20kbit  ceil 384kbit burst 15k quantum 1500</pre>
<pre>run_tc class add dev eth0 parent 1:1 classid 1:10 htb rate 140kbit ceil 384kbit burst 15k prio 1<br>run_tc class add dev eth0 parent 1:1 classid 1:20 htb rate 224kbit ceil 384kbit burst 15k prio 0<br>run_tc class add dev eth0 parent 1:1 classid 1:30 htb rate 20kbit  ceil 384kbit burst 15k quantum 1500 prio 1</pre>
<pre>echo "   Added Second Level Classes -- rates 140kbit, 224kbit, 20kbit"</pre>
<pre>run_tc qdisc add dev eth0 parent 1:10 sfq perturb 10<br>run_tc qdisc add dev eth0 parent 1:20 sfq perturb 10<br>run_tc qdisc add dev eth0 parent 1:30 sfq perturb 10</pre>
<pre>run_tc qdisc add dev eth0 parent 1:10 pfifo limit 5<br>run_tc qdisc add dev eth0 parent 1:20 pfifo limit 10<br>run_tc qdisc add dev eth0 parent 1:30 pfifo limit 5</pre>
<pre>echo "   Enabled SFQ on Second Level Classes"</pre>
<pre>echo "   Enabled PFIFO on Second Level Classes"</pre>
<pre>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:10<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 2 fw classid 1:20<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw classid 1:30</pre>
<pre>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:10<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 0 handle 2 fw classid 1:20<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw classid 1:30</pre>
<pre>echo "   Defined fwmark filters"<br></pre>
<p>My tcrules file is shown in Example 1 above. You can look at my <a
href="myfiles.htm">network configuration</a> to get an idea of why I want
these particular rules.<font face="Courier" size="2"><br>
</font></p>
</blockquote>
<p><font size="2">Last Updated 10/25/2002 - <a href="support.htm">Tom Eastep</a></font></p>
<p>My tcrules file that went with this tcstart file is shown in Example 1
above. You can look at my <a href="myfiles.htm">network configuration</a>
to get an idea of why I wanted these particular rules.<br>
</p>
<ol>
<li>I wanted to allow up to 140kbits/second for traffic outbound from
my DMZ (note that the ceiling is set to 384kbit so outbound DMZ traffic
can use all available bandwidth if there is no traffic from the local systems
or from my laptop or firewall).</li>
<li>My laptop and local systems could use up to 224kbits/second.</li>
<li>My firewall could use up to 20kbits/second.<br>
</li>
</ol>
<p><font size="2">Last Updated 12/20/2002 - <a href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
</p>
</body>
</html>
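Review bot: the class definitions in the rewritten tcstart listing gain "prio 0" for 1:20 and "prio 1" for 1:10 and 1:30, and the fw filter for handle 2 moves to prio 0 to match, but the three-item list that explains the rules talks only about rates; add a sentence that the laptop/local class (1:20) is served ahead of the DMZ and firewall classes when they compete for borrowed bandwidth, otherwise the prio change is unexplained. The switch from sfq to pfifo (and the updated "Enabled PFIFO" echo) is likewise silent on the reason; one line on why pfifo replaced sfq would help readers who copy this file. Minor: the new heading is `<h3>My Setup<br></h3>`, the `<br>` inside the heading is stray.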

View File

@ -18,6 +18,7 @@
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Troubleshooting<img
src="images/obrasinf.gif" alt="Beating head on table" width="90"
height="90" align="middle">
@ -44,13 +45,30 @@ of the firewall.</p>
firewall and you can't determine the cause, then do the following:
<ul>
<li>Make a note of the error message that you see.<br>
</li>
<li>shorewall debug start 2&gt; /tmp/trace</li>
<li>Look at the /tmp/trace file and see if that helps you determine
what the problem is.</li>
<li>If you still can't determine what's wrong then see the <a
href="support.htm">support page</a>.</li>
<li>Look at the /tmp/trace file and see if that helps you
determine what the problem is. Be sure you find the place in the log where
the error message you saw is generated -- in 99.9% of the cases, it will
not be near the end of the log because after startup errors, Shorewall goes
through a "shorewall stop" phase which will also be traced.</li>
<li>If you still can't determine what's wrong then see the
<a href="support.htm">support page</a>.</li>
</ul>
Here's an example. During startup, a user sees the following:<br>
<blockquote>
<pre>Adding Common Rules<br>iptables: No chain/target/match by that name<br>Terminated<br></pre>
</blockquote>
A search through the trace for "No chain/target/match by that name" turned
up the following: 
<blockquote>
<pre>+ echo 'Adding Common Rules'<br>+ add_common_rules<br>+ run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset<br>++ echo -A reject -p tcp -j REJECT --reject-with tcp-reset<br>++ sed 's/!/! /g'<br>+ iptables -A reject -p tcp -j REJECT --reject-with tcp-reset<br>iptables: No chain/target/match by that name<br></pre>
</blockquote>
The command that failed was: "iptables -A reject -p tcp -j REJECT --reject-with
tcp-reset". In this case, the user had compiled his own kernel and had forgotten
to include REJECT target support (see <a href="kernel.htm">kernel.htm</a>)
<h3>Your network environment</h3>
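Review bot: the closing sentence of the new worked example ("...had forgotten to include REJECT target support (see kernel.htm)") has no terminating period before the following `<h3>`. One addition worth making to the instructions above the example: "shorewall debug start 2> /tmp/trace" captures only stderr, which is where the shell trace goes, so the search-for-the-error-message advice works as shown; if the reader also wants the normal progress output in the same file they need "> /tmp/trace 2>&1". The example itself is a good illustration of the point made in the bullet list: the failing command is found by searching for the iptables error text, not by looking at the "Terminated" line near the end.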
@ -100,6 +118,7 @@ one or more rules -- see <a href="FAQ.htm#faq17">FAQ 17</a>.</p>
<p align="left">Example:</p>
<font face="Century Gothic, Arial, Helvetica">
<p align="left"><font face="Courier">Jun 27 15:37:56 gateway kernel:
Shorewall:all2all:REJECT:IN=eth2 OUT=eth1 SRC=192.168.2.2 DST=192.168.1.3
LEN=67 TOS=0x00 PREC=0x00 TTL=63 ID=5805 DF PROTO=UDP SPT=1803 DPT=53
@ -133,8 +152,8 @@ chain -- the packet was rejected under the "all"-&gt;"all" REJECT policy
<h3 align="left">Other Gotchas</h3>
<ul>
<li>Seeing rejected/dropped packets logged out of the INPUT or FORWARD
chains? This means that:
<li>Seeing rejected/dropped packets logged out of the INPUT or
FORWARD chains? This means that:
<ol>
<li>your zone definitions are screwed up and the host that is
sending the packets or the destination host isn't in any zone (using
@ -153,15 +172,15 @@ to be allowed between zones, you need a rule of the form:<br>
    ACCEPT    &lt;source zone&gt;    &lt;destination zone&gt;   
icmp    echo-request<br>
<br>
The ramifications of this can be subtle. For example, if you have
the following in /etc/shorewall/nat:<br>
The ramifications of this can be subtle. For example, if you
have the following in /etc/shorewall/nat:<br>
<br>
    10.1.1.2    eth0    130.252.100.18<br>
<br>
and you ping 130.252.100.18, unless you have allowed icmp type
8 between the zone containing the system you are pinging from and the
zone containing 10.1.1.2, the ping requests will be dropped. This is
true even if you have NOT specified 'noping' for eth0 in /etc/shorewall/interfaces.</li>
8 between the zone containing the system you are pinging from and
the zone containing 10.1.1.2, the ping requests will be dropped. This
is true even if you have NOT specified 'noping' for eth0 in /etc/shorewall/interfaces.</li>
<li>If you specify "routefilter" for an interface, that interface
must be up prior to starting the firewall.</li>
<li>Is your routing correct? For example, internal systems usually
@ -186,8 +205,8 @@ by default). You may also download the latest source tarball from <a
<li>If you have <u>any</u> entry for a zone in /etc/shorewall/hosts
then the zone must be entirely defined in /etc/shorewall/hosts unless
you have specified MERGE_HOSTS=Yes (Shorewall version 1.3.5 and later).
For example, if a zone has two interfaces but only one interface has an
entry in /etc/shorewall/hosts then hosts attached to the other interface
For example, if a zone has two interfaces but only one interface has
an entry in /etc/shorewall/hosts then hosts attached to the other interface
will <u>not</u> be considered part of the zone.</li>
<li>Problems with NAT? Be sure that you let Shorewall add all
external addresses to be use with NAT unless you have set <a
@ -199,14 +218,17 @@ you have specified MERGE_HOSTS=Yes (Shorewall version 1.3.5 and later).
<p>See the<a href="support.htm"> support page.</a></p>
<font face="Century Gothic, Arial, Helvetica">
<blockquote> </blockquote>
</font>
<p><font size="2">Last updated 11/24/2002 - Tom Eastep</font> </p>
<p><font size="2">Last updated 12/4/2002 - Tom Eastep</font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
</p>
<br>
<br>
<br>
<br>
</body>
</html>

@ -22,6 +22,7 @@
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Basic Two-Interface Firewall</font></h1>
</td>
</tr>
@ -38,10 +39,11 @@
in its most common configuration:</p>
<ul>
<li>Linux system used as a firewall/router for a small local network.</li>
<li>Linux system used as a firewall/router for a small local
network.</li>
<li>Single public IP address.</li>
<li>Internet connection through cable modem, DSL, ISDN, Frame Relay,
dial-up ...</li>
<li>Internet connection through cable modem, DSL, ISDN, Frame
Relay, dial-up ...</li>
</ul>
@ -51,6 +53,12 @@
height="635">
</p>
<p><b>If you are running Shorewall under Mandrake 9.0 or later, you can easily
configure the above setup using the Mandrake "Internet Connection Sharing"
applet. From the Mandrake Control Center, select "Network &amp; Internet"
then "Connection Sharing". You should not need to refer to this guide.</b><br>
</p>
<p>This guide assumes that you have the iproute/iproute2 package installed
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell
if this package is installed by the presence of an <b>ip</b> program on
@ -62,33 +70,37 @@ for this program:</p>
<p>I recommend that you first read through the guide to familiarize yourself
with what's involved then go back through it again making your configuration
changes. Points at which configuration changes are recommended are flagged
with <img border="0" src="images/BD21298_.gif" width="13" height="13">
with <img border="0" src="images/BD21298_.gif" width="13"
height="13">
.</p>
<p><img border="0" src="images/j0213519.gif" width="60" height="60">
    If you edit your configuration files on a Windows system, you must
save them as Unix files if your editor supports that option or you must
run them through dos2unix before trying to use them. Similarly, if you
copy a configuration file from your Windows hard drive to a floppy disk,
you must run dos2unix against the copy before using it with Shorewall.</p>
    If you edit your configuration files on a Windows system, you
must save them as Unix files if your editor supports that option or you
must run them through dos2unix before trying to use them. Similarly, if
you copy a configuration file from your Windows hard drive to a floppy
disk, you must run dos2unix against the copy before using it with Shorewall.</p>
<ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
of dos2unix</a></li>
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows
Version of dos2unix</a></li>
<li><a
href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version
of dos2unix</a></li>
</ul>
<h2 align="left">Shorewall Concepts</h2>
<p>The configuration files for Shorewall are contained in the directory
/etc/shorewall -- for simple setups, you will only need to deal with a few
of these as described in this guide. After you have <a
href="Install.htm">installed Shorewall</a>, download the <a
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
alt="">
    The configuration files for Shorewall are contained in the directory
/etc/shorewall -- for simple setups, you will only need to deal with a
few of these as described in this guide. After you have <a
href="Install.htm">installed Shorewall</a>, <b>download the <a
href="/pub/shorewall/LATEST.samples/two-interfaces.tgz">two-interface sample</a>,
un-tar it (tar -zxvf two-interfaces.tgz) and and copy the files to /etc/shorewall
(these files will replace files with the same name).</p>
(these files will replace files with the same name).</b></p>
<p>As each file is introduced, I suggest that you look through the actual
file on your system -- each file contains detailed configuration instructions
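Review bot: the context line "un-tar it (tar -zxvf two-interfaces.tgz) and and copy the files to /etc/shorewall" carries a doubled "and"; since the surrounding sentence is being re-wrapped and bolded in this hunk anyway, drop the extra word while you are here.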
@ -127,11 +139,11 @@ of these as described in this guide. After you have <a
in terms of zones.</p>
<ul>
<li>You express your default policy for connections from one zone
to another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
<li>You express your default policy for connections from one
zone to another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
</a>file.</li>
<li>You define exceptions to those default policies in the <a
href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
<li>You define exceptions to those default policies in the
<a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
</ul>
@ -139,8 +151,8 @@ to another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/pol
checked against the /etc/shorewall/rules file. If no rule in that file
matches the connection request then the first policy in /etc/shorewall/policy
that matches the request is applied. If that policy is REJECT or DROP 
the request is first checked against the rules in /etc/shorewall/common (the
samples provide that file for you).</p>
the request is first checked against the rules in /etc/shorewall/common
(the samples provide that file for you).</p>
<p>The /etc/shorewall/policy file included with the two-interface sample has
the following policies:</p>
@ -184,8 +196,8 @@ the following policies:</p>
<blockquote>
<p>In the two-interface sample, the line below is included but commented
out. If you want your firewall system to have full access to servers on
the internet, uncomment that line.</p>
out. If you want your firewall system to have full access to servers
on the internet, uncomment that line.</p>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber3">
@ -212,19 +224,19 @@ the following policies:</p>
<p>The above policy will:</p>
<ol>
<li>allow all connection requests from your local network to the
internet</li>
<li>drop (ignore) all connection requests from the internet to your
firewall or local network</li>
<li>optionally accept all connection requests from the firewall to
the internet (if you uncomment the additional policy)</li>
<li>allow all connection requests from your local network to
the internet</li>
<li>drop (ignore) all connection requests from the internet to
your firewall or local network</li>
<li>optionally accept all connection requests from the firewall
to the internet (if you uncomment the additional policy)</li>
<li>reject all other connection requests.</li>
</ol>
<p><img border="0" src="images/BD21298_.gif" width="13" height="13">
    At this point, edit your /etc/shorewall/policy and make any changes
that you wish.</p>
    At this point, edit your /etc/shorewall/policy and make any
changes that you wish.</p>
<h2 align="left">Network Interfaces</h2>
@ -237,16 +249,16 @@ connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
will be the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>) 
<u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol
over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling
<u>P</u>rotocol </i>(PPTP) in which case the External Interface will be
a ppp interface (e.g., <b>ppp0</b>). If you connect via a regular modem,
<u>P</u>rotocol </i>(PPTP) in which case the External Interface will
be a ppp interface (e.g., <b>ppp0</b>). If you connect via a regular modem,
your External Interface will also be <b>ppp0</b>. If you connect via ISDN,
your external interface will be <b>ippp0.</b></p>
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13">
    If your external interface is <b>ppp0</b> or<b> ippp0</b>  then
you will want to set CLAMPMSS=yes in <a href="Documentation.htm#Conf">
/etc/shorewall/shorewall.conf.</a></p>
    If your external interface is <b>ppp0</b> or<b> ippp0</b> 
then you will want to set CLAMPMSS=yes in <a
href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf.</a></p>
<p align="left">Your <i>Internal Interface</i> will be an ethernet adapter
(eth1 or eth0) and will be connected to a hub or switch. Your other computers
@ -256,19 +268,19 @@ using a <i>cross-over </i> cable).</p>
<p align="left"><u><b> <img border="0" src="images/j0213519.gif"
width="60" height="60">
</b></u>Do not connect the internal and external interface to the same
hub or switch (even for testing). It won't work the way that you think
</b></u>Do not connect the internal and external interface to the
same hub or switch (even for testing). It won't work the way that you think
that it will and you will end up confused and believing that Shorewall
doesn't work at all.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" align="left"
width="13" height="13">
    The Shorewall two-interface sample configuration assumes that the
external interface is <b>eth0</b> and the internal interface is <b>eth1</b>.
If your configuration is different, you will have to modify the sample
<a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> file
accordingly. While you are there, you may wish to review the list of options
that are specified for the interfaces. Some hints:</p>
    The Shorewall two-interface sample configuration assumes that
the external interface is <b>eth0</b> and the internal interface is
<b>eth1</b>. If your configuration is different, you will have to modify
the sample <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
file accordingly. While you are there, you may wish to review the list
of options that are specified for the interfaces. Some hints:</p>
<ul>
<li>
@ -277,8 +289,8 @@ doesn't work at all.</p>
</li>
<li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>
or if you have a static IP address, you can remove "dhcp" from the option
list. </p>
or if you have a static IP address, you can remove "dhcp" from the
option list. </p>
</li>
</ul>
@ -286,17 +298,17 @@ doesn't work at all.</p>
<h2 align="left">IP Addresses</h2>
<p align="left">Before going further, we should say a few words about Internet
Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you a single
<i> Public</i> IP address. This address may be assigned via the<i> Dynamic
Host Configuration Protocol</i> (DHCP) or as part of establishing your
connection when you dial in (standard modem) or establish your PPP connection.
In rare cases, your ISP may assign you a<i> static</i> IP address; that
means that you configure your firewall's external interface to use that
address permanently.<i> </i>However your external address is assigned, it
will be shared by all of your systems when you access the Internet. You will
have to assign your own addresses in your internal network (the Internal
Interface on your firewall plus your other computers). RFC 1918 reserves
several <i>Private </i>IP address ranges for this purpose:</p>
Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you a
single <i> Public</i> IP address. This address may be assigned via the<i>
Dynamic Host Configuration Protocol</i> (DHCP) or as part of establishing
your connection when you dial in (standard modem) or establish your PPP
connection. In rare cases, your ISP may assign you a<i> static</i> IP address;
that means that you configure your firewall's external interface to use
that address permanently.<i> </i>However your external address is assigned,
it will be shared by all of your systems when you access the Internet.
You will have to assign your own addresses in your internal network (the
Internal Interface on your firewall plus your other computers). RFC 1918
reserves several <i>Private </i>IP address ranges for this purpose:</p>
<div align="left">
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
@ -307,8 +319,8 @@ several <i>Private </i>IP address ranges for this purpose:</p>
height="13">
    Before starting Shorewall, you should look at the IP address
of your external interface and if it is one of the above ranges, you
should remove the 'norfc1918' option from the external interface's entry
in /etc/shorewall/interfaces.</p>
should remove the 'norfc1918' option from the external interface's
entry in /etc/shorewall/interfaces.</p>
</div>
<div align="left">
@ -317,11 +329,11 @@ in /etc/shorewall/interfaces.</p>
to consists of a range of addresses x.y.z.0 - x.y.z.255. Such a subnet
will have a <i>Subnet Mask </i>of 255.255.255.0. The address x.y.z.0
is reserved as the <i>Subnet Address</i> and x.y.z.255 is reserved as
the <i>Subnet Broadcast</i> <i>Address</i>. In Shorewall, a subnet is described
using <a href="subnet_masks.htm"><i>Classless InterDomain Routing </i>(CIDR)
notation</a> with consists of the subnet address followed by "/24". The
"24" refers to the number of consecutive leading "1" bits from the left
of the subnet mask. </p>
the <i>Subnet Broadcast</i> <i>Address</i>. In Shorewall, a subnet is
described using <a href="shorewall_setup_guide.htm#Subnets"><i>Classless
InterDomain Routing </i>(CIDR) notation</a> with consists of the subnet
address followed by "/24". The "24" refers to the number of consecutive
leading "1" bits from the left of the subnet mask. </p>
</div>
<div align="left">
@ -372,8 +384,9 @@ systems send packets through a<i>
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13">
    Your local computers (computer 1 and computer 2 in the above
diagram) should be configured with their<i> default gateway</i> to be
the IP address of the firewall's internal interface.<i>      </i> </p>
diagram) should be configured with their<i> default gateway</i> to
be the IP address of the firewall's internal interface.<i>      </i>
</p>
</div>
<p align="left">The foregoing short discussion barely scratches the surface
@ -394,18 +407,18 @@ the IP address of the firewall's internal interface.<i>
<h2 align="left">IP Masquerading (SNAT)</h2>
<p align="left">The addresses reserved by RFC 1918 are sometimes referred
to as <i>non-routable</i> because the Internet backbone routers don't forward
packets which have an RFC-1918 destination address. When one of your local
systems (let's assume computer 1) sends a connection request to an internet
host, the firewall must perform <i>Network Address Translation </i>(NAT).
The firewall rewrites the source address in the packet to be the address
of the firewall's external interface; in other words, the firewall makes
it look as if the firewall itself is initiating the connection.  This is
necessary so that the destination host will be able to route return packets
back to the firewall (remember that packets whose destination address
is reserved by RFC 1918 can't be routed across the internet so the remote
host can't address its response to computer 1). When the firewall receives
a return packet, it rewrites the destination address back to 10.10.10.1
to as <i>non-routable</i> because the Internet backbone routers don't
forward packets which have an RFC-1918 destination address. When one of
your local systems (let's assume computer 1) sends a connection request
to an internet host, the firewall must perform <i>Network Address Translation
</i>(NAT). The firewall rewrites the source address in the packet to
be the address of the firewall's external interface; in other words, the
firewall makes it look as if the firewall itself is initiating the connection. 
This is necessary so that the destination host will be able to route return
packets back to the firewall (remember that packets whose destination
address is reserved by RFC 1918 can't be routed across the internet so
the remote host can't address its response to computer 1). When the firewall
receives a return packet, it rewrites the destination address back to 10.10.10.1
and forwards the packet on to computer 1. </p>
<p align="left">On Linux systems, the above process is often referred to as<i>
@ -440,19 +453,32 @@ the second column to the name of your internal interface.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13">
    If your external IP is static, you can enter it in the third column
in the /etc/shorewall/masq entry if you like although your firewall will
work fine if you leave that column empty. Entering your static IP in column
3 makes processing outgoing packets a little more efficient. </p>
    If your external IP is static, you can enter it in the third
column in the /etc/shorewall/masq entry if you like although your firewall
will work fine if you leave that column empty. Entering your static
IP in column 3 makes processing outgoing packets a little more efficient.<br>
<br>
<img border="0" src="images/BD21298_.gif" width="13" height="13" alt="">
    If you are using the Debian package, please check your shorewall.conf
file to ensure that the following are set correctly; if they are not, change
them appropriately:<br>
</p>
<ul>
<li>NAT_ENABLED=Yes</li>
<li>IP_FORWARDING=On<br>
</li>
</ul>
<h2 align="left">Port Forwarding (DNAT)</h2>
<p align="left">One of your goals may be to run one or more servers on your
local computers. Because these computers have RFC-1918 addresses, it is
not possible for clients on the internet to connect directly to them. It
is rather necessary for those clients to address their connection requests
to the firewall who rewrites the destination address to the address of your
server and forwards the packet to that server. When your server responds,
local computers. Because these computers have RFC-1918 addresses, it
is not possible for clients on the internet to connect directly to them.
It is rather necessary for those clients to address their connection requests
to the firewall who rewrites the destination address to the address of
your server and forwards the packet to that server. When your server responds,
the firewall automatically performs SNAT to rewrite the source address
in the response.</p>
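Review bot: the new Debian note is appended to the preceding flagged paragraph with a <br> rather than given its own <p>, unlike every other marker-flagged item in this guide; putting the <img> marker and its text in a separate <p align="left"> keeps the indentation consistent with the rest of the page. The two settings are presented as a bare <ul>; the other configuration snippets in this guide use a <pre> or table, so consider matching that.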
@ -524,14 +550,14 @@ in the response.</p>
<p>A couple of important points to keep in mind:</p>
<ul>
<li>You must test the above rule from a client outside of your local
network (i.e., don't test from a browser running on computers 1 or 2
or on the firewall). If you want to be able to access your web server
using the IP address of your external interface, see <a
<li>You must test the above rule from a client outside of your
local network (i.e., don't test from a browser running on computers
1 or 2 or on the firewall). If you want to be able to access your web
server using the IP address of your external interface, see <a
href="FAQ.htm#faq2">Shorewall FAQ #2</a>.</li>
<li>Many ISPs block incoming connection requests to port 80. If you
have problems connecting to your web server, try the following rule and
try connecting to port 5000.</li>
<li>Many ISPs block incoming connection requests to port 80.
If you have problems connecting to your web server, try the following
rule and try connecting to port 5000.</li>
</ul>
@ -563,16 +589,16 @@ using the IP address of your external interface, see <a
</blockquote>
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13">
    At this point, modify /etc/shorewall/rules to add any DNAT rules
that you require.</p>
    At this point, modify /etc/shorewall/rules to add any DNAT
rules that you require.</p>
<h2 align="left">Domain Name Server (DNS)</h2>
<p align="left">Normally, when you connect to your ISP, as part of getting
an IP address your firewall's <i>Domain Name Service </i>(DNS) resolver
will be automatically configured (e.g., the /etc/resolv.conf file will be
written). Alternatively, your ISP may have given you the IP address of
a pair of DNS <i> name servers</i> for you to manually configure as your
will be automatically configured (e.g., the /etc/resolv.conf file will
be written). Alternatively, your ISP may have given you the IP address
of a pair of DNS <i> name servers</i> for you to manually configure as your
primary and secondary name servers. Regardless of how DNS gets configured
on your firewall, it is <u>your</u> responsibility to configure the resolver
in your internal systems. You can take one of two approaches:</p>
@ -580,25 +606,25 @@ in your internal systems. You can take one of two approaches:</p>
<ul>
<li>
<p align="left">You can configure your internal systems to use your ISP's
name servers. If you ISP gave you the addresses of their servers or if
those addresses are available on their web site, you can configure your
internal systems to use those addresses. If that information isn't available,
look in /etc/resolv.conf on your firewall system -- the name servers
are given in "nameserver" records in that file. </p>
name servers. If you ISP gave you the addresses of their servers or
if those addresses are available on their web site, you can configure
your internal systems to use those addresses. If that information isn't
available, look in /etc/resolv.conf on your firewall system -- the name
servers are given in "nameserver" records in that file. </p>
</li>
<li>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13">
    You can configure a<i> Caching Name Server </i>on your firewall.<i>
</i>Red Hat has an RPM for a caching name server (the RPM also requires
the 'bind' RPM) and for Bering users, there is dnscache.lrp. If you take
this approach, you configure your internal systems to use the firewall
itself as their primary (and only) name server. You use the internal IP
address of the firewall (10.10.10.254 in the example above) for the name
server address. To allow your local systems to talk to your caching name
server, you must open port 53 (both UDP and TCP) from the local network
to the firewall; you do that by adding the following rules in /etc/shorewall/rules.
</p>
</i>Red Hat has an RPM for a caching name server (the RPM also
requires the 'bind' RPM) and for Bering users, there is dnscache.lrp. If
you take this approach, you configure your internal systems to use the
firewall itself as their primary (and only) name server. You use the internal
IP address of the firewall (10.10.10.254 in the example above) for the
name server address. To allow your local systems to talk to your caching
name server, you must open port 53 (both UDP and TCP) from the local
network to the firewall; you do that by adding the following rules in
/etc/shorewall/rules. </p>
</li>
</ul>
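Review bot: "If you ISP gave you the addresses of their servers" on the re-wrapped line should read "If your ISP gave you the addresses of their servers".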
@ -808,7 +834,8 @@ are given in "nameserver" records in that file. </p>
<div align="left">
<p align="left">Those two rules would of course be in addition to the rules
listed above under "You can configure a Caching Name Server on your firewall"</p>
listed above under "You can configure a Caching Name Server on your
firewall"</p>
</div>
<div align="left">
@ -854,8 +881,8 @@ uses, look <a href="ports.htm">here</a>.</p>
<div align="left">
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13">
    Now edit your /etc/shorewall/rules file to add or delete other
connections as required.</p>
    Now edit your /etc/shorewall/rules file to add or delete
other connections as required.</p>
</div>
<div align="left">
@ -869,7 +896,8 @@ uses, look <a href="ports.htm">here</a>.</p>
your system to start Shorewall at system boot  but beginning with Shorewall
version 1.3.9 startup is disabled so that your system won't try to start
Shorewall before configuration is complete. Once you have completed configuration
of your firewall, you can enable Shorewall startup by removing the file /etc/shorewall/startup_disabled.<br>
of your firewall, you can enable Shorewall startup by removing the file
/etc/shorewall/startup_disabled.<br>
</p>
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: </font><font
@ -891,10 +919,11 @@ of your firewall, you can enable Shorewall startup by removing the file /etc/sho
<div align="left">
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13">
    The two-interface sample assumes that you want to enable routing
to/from <b>eth1 </b>(the local network) when Shorewall is stopped. If
your local network isn't connected to <b>eth1</b> or if you wish to enable
access to/from other hosts, change /etc/shorewall/routestopped accordingly.</p>
    The two-interface sample assumes that you want to enable
routing to/from <b>eth1 </b>(the local network) when Shorewall is stopped.
If your local network isn't connected to <b>eth1</b> or if you wish to
enable access to/from other hosts, change /etc/shorewall/routestopped
accordingly.</p>
</div>
<div align="left">
@ -904,11 +933,11 @@ of your firewall, you can enable Shorewall startup by removing the file /etc/sho
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better to create
an <i><a href="configuration_file_basics.htm#Configs">alternate configuration</a></i>
and test it using the <a href="starting_and_stopping_shorewall.htm">"shorewall
try" command</a>.</p>
and test it using the <a
href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p>
</div>
<p align="left"><font size="2">Last updated 11/21/2002 - <a
<p align="left"><font size="2">Last updated 12/20/2002 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas
@ -919,5 +948,9 @@ of your firewall, you can enable Shorewall startup by removing the file /etc/sho
<br>
<br>
<br>
<br>
<br>
<br>
<br>
</body>
</html>

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=1.3.11a
VERSION=1.3.12
usage() # $1 = exit status
{
@ -119,6 +119,14 @@ restore_file /etc/shorewall/whitelist
restore_file /etc/shorewall/rfc1918
restore_file /etc/shorewall/init
restore_file /etc/shorewall/start
restore_file /etc/shorewall/stop
restore_file /etc/shorewall/stopped
if [ -f /usr/lib/shorewall/version-${VERSION}.bkout ]; then
restore_file /usr/lib/shorewall/version
oldversion="`cat /usr/lib/shorewall/version`"

File diff suppressed because it is too large
@ -25,9 +25,22 @@ find_file()
#
# Replace commas with spaces and echo the result
#
separate_list()
{
echo $1 | sed 's/,/ /g'
separate_list() {
local list
local part
local newlist
list="$@"
part="${list%%,*}"
newlist="$part"
while [ "x$part" != "x$list" ]; do
list="${list#*,}";
part="${list%%,*}";
newlist="$newlist $part";
done
echo "$newlist"
}
#
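Review bot: the trailing semicolons on the three statements inside the while loop are unnecessary and are not used elsewhere in this file; drop them. The rewrite also changes behaviour in two small ways worth a line in the header comment: the old body operated on $1 only while the new one joins "$@", so a caller that passes an already word-split list now gets every word in the result; and the old `echo $1` was unquoted, so it collapsed whitespace and expanded globs in the list, whereas `echo "$newlist"` preserves both. If the motivation is avoiding a sed fork per call (release notes item 3), say so in the comment.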

6
STABLE/init Normal file
@ -0,0 +1,6 @@
############################################################################
# Shorewall 1.3 -- /etc/shorewall/init
#
# Add commands below that you want to be executed at the beginning of
# a "shorewall start" or "shorewall restart" command.
#

@ -54,7 +54,7 @@
# /etc/rc.d/rc.local file is modified to start the firewall.
#
VERSION=1.3.11a
VERSION=1.3.12
usage() # $1 = exit status
{
@ -488,6 +488,46 @@ else
echo "RFC 1918 file installed as ${PREFIX}/etc/shorewall/rfc1918"
fi
#
# Install the init file
#
if [ -f ${PREFIX}/etc/shorewall/init ]; then
backup_file /etc/shorewall/init
else
run_install -o $OWNER -g $GROUP -m 0600 init ${PREFIX}/etc/shorewall/init
echo
echo "Init file installed as ${PREFIX}/etc/shorewall/init"
fi
#
# Install the start file
#
if [ -f ${PREFIX}/etc/shorewall/start ]; then
backup_file /etc/shorewall/start
else
run_install -o $OWNER -g $GROUP -m 0600 start ${PREFIX}/etc/shorewall/start
echo
echo "Start file installed as ${PREFIX}/etc/shorewall/start"
fi
#
# Install the stop file
#
if [ -f ${PREFIX}/etc/shorewall/stop ]; then
backup_file /etc/shorewall/stop
else
run_install -o $OWNER -g $GROUP -m 0600 stop ${PREFIX}/etc/shorewall/stop
echo
echo "Stop file installed as ${PREFIX}/etc/shorewall/stop"
fi
#
# Install the stopped file
#
if [ -f ${PREFIX}/etc/shorewall/stopped ]; then
backup_file /etc/shorewall/stopped
else
run_install -o $OWNER -g $GROUP -m 0600 stopped ${PREFIX}/etc/shorewall/stopped
echo
echo "Stopped file installed as ${PREFIX}/etc/shorewall/stopped"
fi
#
# Backup the version file
#
if [ -z "$PREFIX" ]; then

@ -29,6 +29,12 @@
# log message is generated. See syslog.conf(5) for a
# description of log levels.
#
# Beginning with Shorewall version 1.3.12, you may
# also specify ULOG (must be in upper case). This will
# log to the ULOG target and sent to a separate log
# through use of ulogd
# (http://www.gnumonks.org/projects/ulogd).
#
# If you don't want to log but need to specify the
# following column, place "_" here.
#
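Review bot: grammar slip in the new ULOG paragraph: "This will log to the ULOG target and sent to a separate log" should read "This will log to the ULOG target and be sent to a separate log". It would also help to note here that the ULOG target must be available in the kernel and iptables; if it is not, the rule insertion fails at startup with the same "No chain/target/match by that name" error described in troubleshooting.htm.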

@ -2,22 +2,39 @@ This is a minor release of Shorewall that has a couple of new features.
New features include:
1) A 'tcpflags' option has been added to entries in
/etc/shorewall/interfaces. This option causes Shorewall to make a
set of sanity check on TCP packet header flags.
1) "shorewall refresh" now reloads the traffic shaping rules (tcrules
and tcstart).
2) It is now allowed to use 'all' in the SOURCE or DEST column in a
rule. When used, 'all' must appear by itself (in may not be
qualified) and it does not enable intra-zone traffic (e.g., the rule
"ACCEPT loc all tcp 80" does not enable http traffic from
'loc' to 'loc').
2) "shorewall debug [re]start" now turns off debugging after an error
occurs. This places the point of the failure near the end of the
trace rather than up in the middle of it.
3) Shorewall's use of the 'echo' command is now compatible with bash
clones such as ash and dash.
3) "shorewall [re]start" has been speeded up by more than 40% with
my configuration. Your milage may vary.
4) fw->fw policies now generate a startup error. fw->fw rules generate
a warning and are ignored.
4) A "shorewall show classifiers" command has been added which shows
the current packet classification filters. The output from this
command is also added as a separate page in "shorewall monitor"
5) ULOG (must be all caps) is now accepted as a valid syslog level and
causes the subject packets to be logged using the ULOG target rather
than the LOG target. This allows you to run ulogd (available from
www.gnumonks.org/projects/ulogd) and log all Shorewall messages to
a separate log file.
6) If you are running a kernel that has a FORWARD chain in the mangle
table ("shorewall show mangle" will show you the chains in the
mangle table), you can set MARK_IN_FORWARD=Yes in
shorewall.conf. This allows for marking inbound packets based on
their destination even when you are using Masquerading or SNAT.
7) I have cluttered up the /etc/shorewall directory with empty 'init',
'start', 'stop' and 'stopped' files. If you already have a file with
one of these names, don't worry -- the upgrade process won't
overwrite your file.
8) I have added a new RFC1918_LOG_LEVEL variable to
shorewall.conf. This variable specifies the syslog level at which
packets are logged as a result of entries in the
/etc/shorewall/rfc1918 file. Previously, these packets were always
logged at the 'info' level.
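Review bot: the feature list numbers repeat (two 1), two 2), two 3), two 4)), which reads as the old list left in place beside the new one; the final file should carry a single sequence 1) to 8). Item 6) says `set MARK_IN_FORWARD=Yes`, but the variable added to shorewall.conf in this commit is `MARK_IN_FORWARD_CHAIN`, so a user following the release notes sets a name that is never read; fix the name here. Typos: `set of sanity check` (checks), `in may not be qualified` (it), `milage` (mileage).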

@ -31,6 +31,13 @@
# level (e.g, REJECT:info). This causes the packet to be
# logged at the specified level.
#
# Beginning with Shorewall version 1.3.12, you may
# also specify ULOG (must be in upper case) as a log level.\
# This will log to the ULOG target and sent to a separate log
# through use of ulogd
# (http://www.gnumonks.org/projects/ulogd).
#
#
# SOURCE Source hosts to which the rule applies. May be a zone
# defined in /etc/shorewall/zones, $FW to indicate the
# firewall itself, or "all" If the ACTION is DNAT or
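Review bot: the line `also specify ULOG (must be in upper case) as a log level.\` ends in a stray backslash that will ship in the file; drop it. As in the policy file, `and sent to a separate log` should read `and send it to a separate log`, and the two consecutive bare `#` lines before `SOURCE` look unintended.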

@ -58,6 +58,7 @@
# shorewall show nat Display the rules in the nat table
# shorewall show {mangle|tos} Display the rules in the mangle table
# shorewall show tc Display traffic control info
# shorewall show classifiers Display classifiers
# shorewall version Display the installed version id
# shorewall check Verify the more heavily-used
# configuration files.
@ -258,7 +259,8 @@ packet_log() # $1 = number of messages
[ -n "$realtail" ] && options="-n$1"
grep 'Shorewall:\|ipt_unclean' $LOGFILE | \
sed s/" $host kernel: Shorewall:"/" "/ | \
sed s/" kernel:"// | \
sed s/" $host Shorewall:"/" "/ | \
sed s/" $host kernel: ipt_unclean: "/" "/ | \
sed 's/MAC=.*SRC=/SRC=/' | \
tail $options
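Review bot: the added `sed s/" $host Shorewall:"/" "/` deserves a comment saying which log line shape it handles; it looks like the form produced when ulogd rather than syslogd writes the message (no `kernel:` token), which is new with the ULOG support in this release. Note also that `$host` is interpolated unquoted into a sed regular expression, so a `.` in the hostname matches any character; harmless here, but quoting the sed scripts consistently would avoid surprises.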
@ -294,6 +296,34 @@ show_tc() {
}
#
# Show classifier information
#
show_classifiers() {
show_one_classifier() {
local device=${1%@*}
qdisc=`tc qdisc list dev $device`
if [ -n "$qdisc" ]; then
echo Device $device:
tc -s filter ls dev $device
echo
fi
}
ip link list | \
while read inx interface details; do
case $inx in
[0-9]*)
show_one_classifier ${interface%:}
;;
*)
;;
esac
done
}
#
# Monitor the Firewall
#
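Review bot: `qdisc` is assigned without `local` in `show_one_classifier`, so it leaks into the caller's scope while `device` does not; declare both local. `tc qdisc list dev $device` writes to stderr for devices tc cannot query (and fails outright when tc is not installed), and those messages are not suppressed by the `[ -n "$qdisc" ]` test; redirect with `2>/dev/null` or check for `tc` first. The `${1%@*}` strip handles `eth0@...` style names from `ip link` and is worth a one-line comment.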
@ -383,6 +413,15 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
echo
show_tc
timed_read
clear
echo "$banner `date`"
echo
echo
echo "Packet Classifiers"
echo
show_classifiers
timed_read
done
}
@ -450,7 +489,7 @@ usage() # $1 = exit status
echo "where <command> is one of:"
echo " add <interface>[:<host>] <zone>"
echo " delete <interface>[:<host>] <zone>"
echo " show [<chain>|connections|log|nat|tc|tos]"
echo " show [<chain>|classifiers|connections|log|nat|tc|tos]"
echo " start"
echo " stop"
echo " reset"
@ -629,6 +668,11 @@ case "$1" in
echo
show_tc
;;
classifiers)
echo "Shorewall-$version Clasifiers at $HOSTNAME - `date`"
echo
show_classifiers
;;
*)
echo "Shorewall-$version Chain $2 at $HOSTNAME - `date`"
echo
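Review bot: typo in the banner: `Clasifiers` should be `Classifiers` (the usage text and the monitor page spell it correctly).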
@ -658,8 +702,12 @@ case "$1" in
echo
packet_log 20
echo
echo "NAT Table"
echo
iptables -t nat -L -n -v
echo
echo "Mangle Table"
echo
iptables -t mangle -L -n -v
echo
cat /proc/net/ip_conntrack

@ -9,6 +9,35 @@
# (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net)
##############################################################################
#
# General note about log levels. Log levels are a method of describing
# to syslog (8) the importance of a message and a number of parameters
# in this file have log levels as their value.
#
# Valid levels are:
#
# 7 debug
# 6 info
# 5 notice
# 4 warning
# 3 err
# 2 crit
# 1 alert
# 0 emerg
#
# For most Shorewall logging, a level of 6 (info) is appropriate. Shorewall
# log messages are generated by NetFilter and are logged using facility
# 'kern' and the level that you specifify. If you are unsure of the level
# to choose, 6 (info) is a safe bet. You may specify levels by name or by
# number.
#
# If you have build your kernel with ULOG target support, you may also
# specify a log level of ULOG (must be all caps). Rather than log its
# messages to syslogd, Shorewall will direct netfilter to log the messages
# via the ULOG target which will send them to a process called 'ulogd'.
# ulogd is available from http://www.gnumonks.org/projects/ulogd and can be
# configured to log all Shorewall message to their own log file
################################################################################
#
# PATH - Change this if you want to change the order in which Shorewall
# searches directories for executable files.
#
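Review bot: typos in the new log-level note: `If you have build your kernel` (built), `the level that you specifify` (specify), `log all Shorewall message to their own log file` (messages, and the sentence lacks a final period). Since a ULOG level sends the message only to ulogd, it is worth adding that nothing then appears in the syslog destinations that FAQ 6 describes, so users know where to look.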
@ -96,6 +125,8 @@ LOGBURST=
# packets are logged under the 'logunclean' interface option. If the variable
# is empty, these packets will still be logged at the 'info' level.
#
# See the comment at the top of this file for a description of log levels
#
LOGUNCLEAN=info
@ -191,6 +222,8 @@ BLACKLIST_DISPOSITION=DROP
# (beward of DOS attacks resulting from such logging). If not set, no logging
# of blacklist packets occurs.
#
# See the comment at the top of this file for a description of log levels
#
BLACKLIST_LOGLEVEL=
#
@ -353,6 +386,8 @@ MUTEX_TIMEOUT=60
# it will be rejected by the firewall. If you want these rejects logged,
# then set LOGNEWNOTSYN to the syslog log level at which you want them logged.
#
# See the comment at the top of this file for a description of log levels
#
# Example: LOGNEWNOTSYN=debug
@ -401,6 +436,8 @@ MACLIST_DISPOSITION=REJECT
# verification. If set to the empty value (MACLIST_LOG_LEVEL="") then
# such connection requests will not be logged.
#
# See the comment at the top of this file for a description of log levels
#
MACLIST_LOG_LEVEL=info
@ -421,7 +458,41 @@ TCP_FLAGS_DISPOSITION=DROP
# verification. If set to the empty value (TCP_FLAGS_LOG_LEVEL="") then
# such packets will not be logged.
#
# See the comment at the top of this file for a description of log levels
#
TCP_FLAGS_LOG_LEVEL=info
#
# RFC1918 Log Level
#
# Specifies the logging level for packets that fail RFC 1918
# verification. If set to the empty value (RFC1918_LOG_LEVEL="") then
# RFC1918_LOG_LEVEL=info is assumed.
#
# See the comment at the top of this file for a description of log levels
#
RFC1918_LOG_LEVEL=info
#
# Mark Packets in the forward chain
#
# When processing the tcrules file, Shorewall normally marks packets in the
# PREROUTING chain. To cause Shorewall to use the FORWARD chain instead, set
# this to "Yes". If not specified or if set to the empty value (e.g.,
# MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed.
#
# Marking packets in the FORWARD chain has the advantage that inbound
# packets destined for Masqueraded/SNATed local hosts have had their destination
# address rewritten so they can be marked based on their destination. When
# packets are marked in the PREROUTING chain, packets destined for
# Masqueraded/SNATed local hosts still have a destination address corresponding
# to the firewall's external interface.
#
# Note: Older kernels do not support marking packets in the FORWARD chain and
# setting this variable to Yes may cause startup problems.
MARK_IN_FORWARD_CHAIN=No
#LAST LINE -- DO NOT REMOVE
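Review bot: `RFC1918_LOG_LEVEL=""` is documented as meaning `info`, whereas for `TCP_FLAGS_LOG_LEVEL` just above (and `MACLIST_LOG_LEVEL`, `BLACKLIST_LOGLEVEL`) the empty value means no logging; either make the empty value mean no logging here too, or state why RFC 1918 logging cannot be turned off. The release notes in this commit call the new variable `MARK_IN_FORWARD`, but the setting here is `MARK_IN_FORWARD_CHAIN`; align the two. The `Note: Older kernels ... may cause startup problems` caveat could become a startup check that verifies a FORWARD chain exists in the mangle table before using it (the release notes suggest `shorewall show mangle` for the same test) and refuses to start with a clear message otherwise.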

@ -1,5 +1,5 @@
%define name shorewall
%define version 1.3.11a
%define version 1.3.12
%define release 1
%define prefix /usr
@ -94,6 +94,10 @@ fi
%attr(0600,root,root) %config(noreplace) /etc/shorewall/hosts
%attr(0600,root,root) %config(noreplace) /etc/shorewall/blacklist
%attr(0600,root,root) %config(noreplace) /etc/shorewall/rfc1918
%attr(0600,root,root) %config(noreplace) /etc/shorewall/init
%attr(0600,root,root) %config(noreplace) /etc/shorewall/start
%attr(0600,root,root) %config(noreplace) /etc/shorewall/stop
%attr(0600,root,root) %config(noreplace) /etc/shorewall/stopped
%attr(0544,root,root) /sbin/shorewall
%attr(0444,root,root) /usr/lib/shorewall/functions
%attr(0544,root,root) /usr/lib/shorewall/firewall
@ -101,6 +105,15 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog
* Fri Dec 27 2002 Tom Eastep <tom@shorewall.net>
- Changes version to 1.3.12
* Sun Dec 22 2002 Tom Eastep <tom@shorewall.net>
- Changes version to 1.3.12-0Beta3
* Fri Dec 20 2002 Tom Eastep <tom@shorewall.net>
- Changes version to 1.3.12-0Beta2
* Wed Dec 18 2002 Tom Eastep <tom@shorewall.net>
- Changes version to 1.3.12-0Beta1
- Add init, start, stop and stopped files.
* Tue Dec 03 2002 Tom Eastep <tom@shorewall.net>
- Changes version to 1.3.11a
* Sun Nov 24 2002 Tom Eastep <tom@shorewall.net>

STABLE/start Normal file
@ -0,0 +1,6 @@
############################################################################
# Shorewall 1.3 -- /etc/shorewall/start
#
# Add commands below that you want to be executed after shorewall has
# been started or restarted.
#
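Review bot: the header should say that commands in this file run with the firewall script's privileges (root) during `shorewall start`/`restart`, so the file must stay root-owned and not writable by others (the installer creates it with mode 0600); the same applies to the new stop and stopped files. Stating the order relative to the generated rules (after the ruleset is loaded, per the `after shorewall has been started` wording) would also help users who add iptables commands here, which FAQ 22 in this commit points them to.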

STABLE/stop Normal file
@ -0,0 +1,6 @@
############################################################################
# Shorewall 1.3 -- /etc/shorewall/stop
#
# Add commands below that you want to be executed at the beginning of a
# "shorewall stop" command.
#

STABLE/stopped Normal file
@ -0,0 +1,6 @@
############################################################################
# Shorewall 1.3 -- /etc/shorewall/stopped
#
# Add commands below that you want to be executed at the completion of a
# "shorewall stop" command.
#

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall
VERSION=1.3.11a
VERSION=1.3.12
usage() # $1 = exit status
{

File diff suppressed because it is too large

@ -2,17 +2,22 @@
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall FAQ</title>
<meta name="Microsoft Theme" content="none">
</head>
<body>
@ -24,16 +29,18 @@
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall FAQs</font></h1>
</td>
</tr>
</tbody>
</table>
<p align="left"><b>1. </b><a href="#faq1"> I want to <b>forward</b> UDP <b>
port</b> 7777 to my my personal PC with IP address 192.168.1.5. I've
looked everywhere and can't find <b>how to do it</b>.</a></p>
port</b> 7777 to my my personal PC with IP address 192.168.1.5.
I've looked everywhere and can't find <b>how to do it</b>.</a></p>
<p align="left"><b>1a. </b><a href="#faq1a">Ok -- I followed those instructions
but it doesn't work.<br>
@ -43,22 +50,22 @@
port forwarding</a></p>
<p align="left"><b>2.</b> <a href="#faq2">I <b>port forward</b> www requests
to www.mydomain.com (IP 130.151.100.69) to system 192.168.1.5 in my
local network. <b>External clients can browse</b> http://www.mydomain.com
to www.mydomain.com (IP 130.151.100.69) to system 192.168.1.5
in my local network. <b>External clients can browse</b> http://www.mydomain.com
but <b>internal clients can't</b>.</a></p>
<p align="left"><b>2a. </b><a href="#faq3">I have a zone "Z" with an RFC1918
subnet and I use <b>static NAT</b> to assign non-RFC1918 addresses
to hosts in Z. Hosts in Z cannot communicate with each other using their
external (non-RFC1918 addresses) so they <b>can't access each other using
their DNS names.</b></a></p>
to hosts in Z. Hosts in Z cannot communicate with each other using
their external (non-RFC1918 addresses) so they <b>can't access
each other using their DNS names.</b></a></p>
<p align="left"><b>3. </b><a href="#faq3">I want to use <b>Netmeeting/MSN
Messenger </b>with Shorewall. What do I do?</a></p>
<p align="left"><b>4. </b><a href="#faq4">I just used an online port scanner
to check my firewall and it shows <b>some ports as 'closed' rather
than 'blocked'.</b> Why?</a></p>
to check my firewall and it shows <b>some ports as 'closed'
rather than 'blocked'.</b> Why?</a></p>
<p align="left"><b>4a. </b><a href="#faq4a">I just ran an <b>nmap UDP scan</b>
of my firewall and it showed 100s of ports as open!!!!</a></p>
@ -77,7 +84,8 @@ than 'blocked'.</b> Why?</a></p>
work?</a></p>
<p align="left"><b>8. </b><a href="#faq8">When I try to <b>start Shorewall
on RedHat 7.x</b>, I get messages about insmod failing -- what's wrong?</a></p>
on RedHat</b> I get messages about insmod failing -- what's
wrong?</a></p>
<p align="left"><b>9. </b><a href="FAQ.htm#faq9">Why can't Shorewall <b>detect
my interfaces </b>properly?</a></p>
@ -94,13 +102,13 @@ support?</a></p>
<p align="left"><b>14. </b><a href="#faq14">I'm connected via a cable modem
and it has an internel web server that allows me to configure/monitor
it but as expected if I enable <b> rfc1918 blocking</b> for my eth0 interface,
it also blocks the <b>cable modems web server</b></a>.</p>
it but as expected if I enable <b> rfc1918 blocking</b> for my
eth0 interface, it also blocks the <b>cable modems web server</b></a>.</p>
<p align="left"><b>14a. </b><a href="#faq14a">Even though it assigns public
IP addresses, my ISP's DHCP server has an RFC 1918 address. If I enable
RFC 1918 filtering on my external interface, <b>my DHCP client cannot
renew its lease</b>.</a></p>
IP addresses, my ISP's DHCP server has an RFC 1918 address.
If I enable RFC 1918 filtering on my external interface, <b>my
DHCP client cannot renew its lease</b>.</a></p>
<p align="left"><b>15. </b><a href="#faq15"><b>My local systems can't see
out to the net</b></a></p>
@ -108,18 +116,25 @@ support?</a></p>
<p align="left"><b>16. </b><a href="#faq16">Shorewall is writing <b>log messages
all over my console</b> making it unusable!<br>
</a></p>
<b>17</b>. <a href="#faq17">How do I find out <b>why
this is</b> getting <b>logged?</b></a><br>
<b>17</b>. <a href="#faq17">How do I find
out <b>why this traffic is</b> getting <b>logged?</b></a><br>
<br>
<b>18.</b> <a href="#faq18">Is there any way to use <b>aliased ip addresses</b>
with Shorewall, and maintain separate rulesets for different IPs?</a><br>
<b>18.</b> <a href="#faq18">Is there any way to use <b>aliased
ip addresses</b> with Shorewall, and maintain separate rulesets for
different IPs?</a><br>
<br>
<b>19. </b><a href="#faq19">I have added <b>entries to /etc/shorewall/tcrules</b>
but they <b>don't </b>seem to <b>do anything</b>. Why?</a><br>
<br>
<b>20.<a href="#faq20"> </a></b><a href="#faq20">I have just set up a server.
<b>Do I have to change Shorewall to allow access to my server from the internet?</b><br>
</a>
<b>20. </b><a href="#faq20">I have just set up a server. <b>Do
I have to change Shorewall to allow access to my server from the internet?<br>
<br>
</b></a><b>21. </b><a href="#faq21">I see these <b>strange log entries
</b>occasionally; what are they?<br>
</a><br>
<b>22. </b><a href="#faq22">I have some <b>iptables commands </b>that I
want to <b>run when Shorewall starts.</b> Which file do I put them in?</a><br>
<hr>
<h4 align="left"><a name="faq1"></a>1. I want to forward UDP port 7777 to
my my personal PC with IP address 192.168.1.5. I've looked everywhere
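Review bot: the index now links to `#faq21` and `#faq22`; make sure matching `<a name="faq21">` and `<a name="faq22">` anchors exist in the body (the body portion of this diff is not visible here). Item 20's previous markup `<b>20.<a href="#faq20"> </a></b>` with an empty anchor is rightly replaced, but the new version closes `</b>` after `<br><br>` inside the link, so the bold span now wraps the line breaks; close the bold before the `<br>`s.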
@ -132,6 +147,7 @@ but they <b>don't </b>seem to <b>do anything</b>. Why?</a><br>
rule to a local system is as follows:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber1">
<tbody>
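Review bot: `id="AutoNumber1"` is reused on several tables in this file (and `AutoNumber3` twice further down), but an `id` must be unique within a document; these FrontPage artefacts can be dropped, since nothing references them.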
@ -158,7 +174,9 @@ port</i>&gt;]</td>
</tr>
</tbody>
</table>
</blockquote>
@ -166,6 +184,7 @@ port</i>&gt;]</td>
the rule is:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber1">
<tbody>
@ -191,18 +210,18 @@ port</i>&gt;]</td>
</tr>
</tbody>
</table>
</blockquote>
<div align="left">
<pre align="left"><font face="Courier"> DNAT net loc:192.168.1.5 udp 7777</font></pre>
</div>
<p align="left">If you want to forward requests directed to a particular
address ( <i>&lt;external IP&gt;</i> ) on your firewall to an internal system:</p>
<div align="left"> <font face="Courier"> </font>If
you want to forward requests directed to a particular address ( <i>&lt;external
IP&gt;</i> ) on your firewall to an internal system:</div>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber1">
<tbody>
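Review bot: the paragraph `If you want to forward requests directed to a particular address ...` changed from `<p align="left">` to `<div align="left">` and gained an empty `<font face="Courier"> </font>`; keep it a `<p>` and drop the empty font element, since it is explanatory text rather than the rule that follows it.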
@ -227,7 +246,9 @@ port</i>&gt;]</td>
</tr>
</tbody>
</table>
</blockquote>
@ -237,11 +258,11 @@ port</i>&gt;]</td>
<p align="left"><b>Answer: </b>That is usually the result of one of two things:</p>
<ul>
<li>You are trying to test from inside your firewall (no,
that won't work -- see <a href="#faq2">FAQ #2</a>).</li>
<li>You have a more basic problem with your local system
such as an incorrect default gateway configured (it should be set to
the IP address of your firewall's internal interface).</li>
<li>You are trying to test from inside your firewall
(no, that won't work -- see <a href="#faq2">FAQ #2</a>).</li>
<li>You have a more basic problem with your local
system such as an incorrect default gateway configured (it should
be set to the IP address of your firewall's internal interface).</li>
</ul>
@ -250,30 +271,31 @@ the IP address of your firewall's internal interface).</li>
<b>Answer: </b>To further diagnose this problem:<br>
<ul>
<li>As root, type "iptables -t nat -Z". This clears the NetFilter counters
in the nat table.</li>
<li>Try to connect to the redirected port from an external host.</li>
<li>As root, type "iptables -t nat -Z". This clears the
NetFilter counters in the nat table.</li>
<li>Try to connect to the redirected port from an external
host.</li>
<li>As root type "shorewall show nat"</li>
<li>Locate the appropriate DNAT rule. It will be in a chain called
<i>zone</i>_dnat where <i>zone</i> is the zone that includes the server
('loc' in the above examples).</li>
<li>Is the packet count in the first column non-zero? If so, the connection
request is reaching the firewall and is being redirected to the server.
In this case, the problem is usually a missing or incorrect default gateway
setting on the server (the server's default gateway should be the IP address
of the firewall's interface to the server).</li>
<li>Locate the appropriate DNAT rule. It will be in a chain
called <i>zone</i>_dnat where <i>zone</i> is the zone that includes
the  ('net' in the above examples).</li>
<li>Is the packet count in the first column non-zero? If
so, the connection request is reaching the firewall and is being redirected
to the server. In this case, the problem is usually a missing or incorrect
default gateway setting on the server (the server's default gateway
should be the IP address of the firewall's interface to the server).</li>
<li>If the packet count is zero:</li>
<ul>
<li>the connection request is not reaching your server (possibly
it is being blocked by your ISP); or</li>
<li>you are trying to connect to a secondary IP address on your firewall
and your rule is only redirecting the primary IP address (You need to specify
the secondary IP address in the "ORIG. DEST." column in your DNAT rule);
or</li>
<li>your DNAT rule doesn't match the connection request in some other
way. In that case, you may have to use a packet sniffer such as tcpdump
or ethereal to further diagnose the problem.<br>
<li>the connection request is not reaching your server
(possibly it is being blocked by your ISP); or</li>
<li>you are trying to connect to a secondary IP address
on your firewall and your rule is only redirecting the primary IP address
(You need to specify the secondary IP address in the "ORIG. DEST." column
in your DNAT rule); or</li>
<li>your DNAT rule doesn't match the connection request
in some other way. In that case, you may have to use a packet sniffer
such as tcpdump or ethereal to further diagnose the problem.<br>
</li>
</ul>
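Review bot: the rewritten bullet reads `the zone that includes the  ('net' in the above examples)`; the noun after `the` was lost (the old text had `server`) and is followed by a non-breaking space. Given the change from 'loc' to 'net', the intended meaning appears to be the zone from which the connection request arrives, so say that explicitly, e.g. `the zone from which the request originates ('net' in the above examples)`.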
@ -281,31 +303,34 @@ or ethereal to further diagnose the problem.<br>
</ul>
<h4 align="left"><a name="faq2"></a>2. I port forward www requests to www.mydomain.com
(IP 130.151.100.69) to system 192.168.1.5 in my local network. External
clients can browse http://www.mydomain.com but internal clients can't.</h4>
(IP 130.151.100.69) to system 192.168.1.5 in my local network.
External clients can browse http://www.mydomain.com but internal
clients can't.</h4>
<p align="left"><b>Answer: </b>I have two objections to this setup.</p>
<ul>
<li>Having an internet-accessible server in your local network
is like raising foxes in the corner of your hen house. If the server
is compromised, there's nothing between that server and your other
internal systems. For the cost of another NIC and a cross-over cable,
you can put your server in a DMZ such that it is isolated from your
local systems - assuming that the Server can be located near the Firewall,
of course :-)</li>
<li>The accessibility problem is best solved using <a
href="shorewall_setup_guide.htm#DNS">Bind Version 9 "views"</a> (or using
a separate DNS server for local clients) such that www.mydomain.com resolves
to 130.141.100.69 externally and 192.168.1.5 internally. That's what
I do here at shorewall.net for my local systems that use static NAT.</li>
<li>Having an internet-accessible server in your
local network is like raising foxes in the corner of your hen
house. If the server is compromised, there's nothing between that
server and your other internal systems. For the cost of another
NIC and a cross-over cable, you can put your server in a DMZ
such that it is isolated from your local systems - assuming that
the Server can be located near the Firewall, of course :-)</li>
<li>The accessibility problem is best solved using
<a href="shorewall_setup_guide.htm#DNS">Bind Version 9 "views"</a>
(or using a separate DNS server for local clients) such that www.mydomain.com
resolves to 130.141.100.69 externally and 192.168.1.5 internally.
That's what I do here at shorewall.net for my local systems that use
static NAT.</li>
</ul>
<p align="left">If you insist on an IP solution to the accessibility problem
rather than a DNS solution, then assuming that your external interface
is eth0 and your internal interface is eth1 and that eth1 has IP address
192.168.1.254 with subnet 192.168.1.0/24, do the following:</p>
rather than a DNS solution, then assuming that your external
interface is eth0 and your internal interface is eth1 and that
eth1 has IP address 192.168.1.254 with subnet 192.168.1.0/24, do
the following:</p>
<p align="left">a) In /etc/shorewall/interfaces, specify "multi" as an option
for eth1 (No longer required as of Shorewall version 1.3.9).</p>
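Review bot: the example uses `130.151.100.69` in the question but `130.141.100.69` in the Bind views bullet; these should be the same address.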
@ -316,6 +341,7 @@ I do here at shorewall.net for my local systems that use static NAT.</li>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber1">
<tbody>
@ -339,19 +365,18 @@ I do here at shorewall.net for my local systems that use static NAT.</li>
</tr>
</tbody>
</table>
</blockquote>
</div>
<div align="left">
<pre align="left"> <font face="Courier">DNAT loc:192.168.1.0/24 loc:192.168.1.5 tcp www - 130.151.100.69:192.168.1.254</font></pre>
</div>
<div align="left">
<p align="left">That rule only works of course if you have a static external
IP address. If you have a dynamic IP address and are running Shorewall
1.3.4 or later then include this in /etc/shorewall/params:</p>
IP address. If you have a dynamic IP address and are running
Shorewall 1.3.4 or later then include this in /etc/shorewall/params:</p>
</div>
<div align="left">
@ -364,6 +389,7 @@ I do here at shorewall.net for my local systems that use static NAT.</li>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber1">
<tbody>
@ -387,34 +413,36 @@ I do here at shorewall.net for my local systems that use static NAT.</li>
</tr>
</tbody>
</table>
</blockquote>
</div>
<div align="left">
<p align="left">Using this technique, you will want to configure your DHCP/PPPoE
client to automatically restart Shorewall each time that you get a
new IP address.</p>
client to automatically restart Shorewall each time that you
get a new IP address.</p>
</div>
<h4 align="left"><a name="faq2a"></a>2a. I have a zone "Z" with an RFC1918
subnet and I use static NAT to assign non-RFC1918 addresses to hosts
in Z. Hosts in Z cannot communicate with each other using their external
(non-RFC1918 addresses) so they can't access each other using their DNS
names.</h4>
subnet and I use static NAT to assign non-RFC1918 addresses to
hosts in Z. Hosts in Z cannot communicate with each other using
their external (non-RFC1918 addresses) so they can't access each
other using their DNS names.</h4>
<p align="left"><b>Answer: </b>This is another problem that is best solved
using Bind Version 9 "views". It allows both external and internal clients
to access a NATed host using the host's DNS name.</p>
using Bind Version 9 "views". It allows both external and internal
clients to access a NATed host using the host's DNS name.</p>
<p align="left">Another good way to approach this problem is to switch from
static NAT to Proxy ARP. That way, the hosts in Z have non-RFC1918
addresses and can be accessed externally and internally using the same
address. </p>
addresses and can be accessed externally and internally using the
same address. </p>
<p align="left">If you don't like those solutions and prefer routing all Z-&gt;Z
traffic through your firewall then:</p>
<p align="left">If you don't like those solutions and prefer routing all
Z-&gt;Z traffic through your firewall then:</p>
<p align="left">a) Specify "multi" on the entry for Z's interface in /etc/shorewall/interfaces
(If you are running a Shorewall version earlier than 1.3.9).<br>
@ -430,6 +458,7 @@ traffic through your firewall then:</p>
<p align="left">In /etc/shorewall/interfaces:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber2">
<tbody>
@ -447,13 +476,16 @@ traffic through your firewall then:</p>
</tr>
</tbody>
</table>
</blockquote>
<p align="left">In /etc/shorewall/policy:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber3">
<tbody>
@ -472,7 +504,9 @@ traffic through your firewall then:</p>
</tr>
</tbody>
</table>
</blockquote>
@ -483,6 +517,7 @@ traffic through your firewall then:</p>
<p align="left">In /etc/shorewall/masq:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber3" width="369">
<tbody>
@ -499,7 +534,9 @@ traffic through your firewall then:</p>
</tr>
</tbody>
</table>
</blockquote>
@ -508,37 +545,38 @@ traffic through your firewall then:</p>
<p align="left"><b>Answer: </b>There is an <a
href="http://www.kfki.hu/%7Ekadlec/sw/netfilter/newnat-suite/"> H.323 connection
tracking/NAT module</a> that may help. Also check the Netfilter mailing
list archives at <a href="http://netfilter.samba.org">http://netfilter.samba.org</a>.
tracking/NAT module</a> that may help. Also check the Netfilter
mailing list archives at <a href="http://netfilter.samba.org">http://netfilter.samba.org</a>.
</p>
<h4 align="left"><a name="faq4"></a>4. I just used an online port scanner
to check my firewall and it shows some ports as 'closed' rather than
'blocked'. Why?</h4>
to check my firewall and it shows some ports as 'closed' rather
than 'blocked'. Why?</h4>
<p align="left"><b>Answer: </b>The common.def included with version 1.3.x
always rejects connection requests on TCP port 113 rather than dropping
them. This is necessary to prevent outgoing connection problems to
services that use the 'Auth' mechanism for identifying requesting
users. Shorewall also rejects TCP ports 135, 137 and 139 as well as
UDP ports 137-139. These are ports that are used by Windows (Windows
<u>can</u> be configured to use the DCE cell locator on port 135). Rejecting
these connection requests rather than dropping them cuts down slightly
on the amount of Windows chatter on LAN segments connected to the Firewall.
</p>
always rejects connection requests on TCP port 113 rather
than dropping them. This is necessary to prevent outgoing connection
problems to services that use the 'Auth' mechanism for identifying
requesting users. Shorewall also rejects TCP ports 135, 137 and
139 as well as UDP ports 137-139. These are ports that are used
by Windows (Windows <u>can</u> be configured to use the DCE cell locator
on port 135). Rejecting these connection requests rather than dropping
them cuts down slightly on the amount of Windows chatter on LAN segments
connected to the Firewall. </p>
<p align="left">If you are seeing port 80 being 'closed', that's probably
your ISP preventing you from running a web server in violation of
your Service Agreement.</p>
your ISP preventing you from running a web server in violation
of your Service Agreement.</p>
<h4 align="left"><a name="faq4a"></a>4a. I just ran an nmap UDP scan of my
firewall and it showed 100s of ports as open!!!!</h4>
<p align="left"><b>Answer: </b>Take a deep breath and read the nmap man page
section about UDP scans. If nmap gets <b>nothing</b> back from your
firewall then it reports the port as open. If you want to see which
UDP ports are really open, temporarily change your net-&gt;all policy
to REJECT, restart Shorewall and do the nmap UDP scan again.</p>
section about UDP scans. If nmap gets <b>nothing</b> back
from your firewall then it reports the port as open. If you
want to see which UDP ports are really open, temporarily change
your net-&gt;all policy to REJECT, restart Shorewall and do the
nmap UDP scan again.</p>
<h4 align="left"><a name="faq5"></a>5. I've installed Shorewall and now I
can't ping through the firewall</h4>
@ -548,31 +586,37 @@ on the amount of Windows chatter on LAN segments connected to the Firewall.
<p align="left">a) Do NOT specify 'noping' on any interface in /etc/shorewall/interfaces.<br>
b) Copy /etc/shorewall/icmp.def to /etc/shorewall/icmpdef<br>
c) Add the following to /etc/shorewall/icmpdef: </p>
c) Add the following to /etc/shorewall/icmpdef:
</p>
<blockquote>
<p align="left">run_iptables -A icmpdef -p ICMP --icmp-type echo-request
-j ACCEPT </p>
-j ACCEPT<br>
</p>
</blockquote>
For a complete description of Shorewall 'ping' management, see <a
href="ping.html">this page</a>.
<h4 align="left"><a name="faq6"></a>6. Where are the log messages written
and how do I change the destination?</h4>
<p align="left"><b>Answer: </b>NetFilter uses the kernel's equivalent of syslog
(see "man syslog") to log messages. It always uses the LOG_KERN (kern) facility
(see "man openlog") and you get to choose the log level (again, see "man
syslog") in your <a href="Documentation.htm#Policy">policies</a> and <a
href="Documentation.htm#Rules">rules</a>. The destination for messaged
<p align="left"><b>Answer: </b>NetFilter uses the kernel's equivalent of
syslog (see "man syslog") to log messages. It always uses the LOG_KERN (kern)
facility (see "man openlog") and you get to choose the log level (again,
see "man syslog") in your <a href="Documentation.htm#Policy">policies</a>
and <a href="Documentation.htm#Rules">rules</a>. The destination for messaged
logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
When you have changed /etc/syslog.conf, be sure to restart syslogd (on
a RedHat system, "service syslog restart"). </p>
When you have changed /etc/syslog.conf, be sure to restart syslogd
(on a RedHat system, "service syslog restart"). </p>
<p align="left">By default, older versions of Shorewall ratelimited log messages
through <a href="Documentation.htm#Conf">settings</a> in /etc/shorewall/shorewall.conf
-- If you want to log all messages, set: </p>
<div align="left">
<pre align="left"> LOGLIMIT=""<br> LOGBURST=""</pre>
<pre align="left"> LOGLIMIT=""<br> LOGBURST=""<br><br>Beginning with Shorewall version 1.3.12, you can <a
href="configuration_file_basics.htm#Levels">set up Shorewall to log all of its messages to a separate file</a>.<br></pre>
</div>
<h4 align="left"><a name="faq6a"></a>6a. Are there any log parsers that work
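Review bot: The new sentence "Beginning with Shorewall version 1.3.12, you can set up Shorewall to log all of its messages to a separate file" has been placed inside the `<pre>` element that holds `LOGLIMIT=""` and `LOGBURST=""`, so it will render as preformatted monospace text glued to the two settings; move it into its own `<p>` after the closing `</pre>`. In the same hunk the typo "The destination for messaged logged by syslog" was carried over unchanged by the rewrap ("messaged" should be "messages"), and "NetFilter uses the kernel's equivalent of syslog" would read better as "Netfilter logs through the kernel's printk/syslog interface".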
@ -582,26 +626,29 @@ logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
</p>
<blockquote>
<p align="left"><a
href="http://www.shorewall.net/pub/shorewall/parsefw/"> http://www.shorewall.net/pub/shorewall/parsefw/</a><br>
<a href="http://www.fireparse.com">http://www.fireparse.com</a><br>
<a href="http://cert.uni-stuttgart.de/projects/fwlogwatch">http://cert.uni-stuttgart.de/projects/fwlogwatch</a><a
<a
href="http://cert.uni-stuttgart.de/projects/fwlogwatch">http://cert.uni-stuttgart.de/projects/fwlogwatch</a><a
href="http://www.logwatch.org"><br>
http://www.logwatch.org</a><br>
</p>
</blockquote>
I personnaly use Logwatch. It emails me a report each day from my various
systems with each report summarizing the logged activity on the corresponding
system. 
<h4 align="left"><a name="faq7"></a>7. When I stop Shorewall using 'shorewall
stop', I can't connect to anything. Why doesn't that command work?</h4>
<p align="left">The 'stop' command is intended to place your firewall into
a safe state whereby only those interfaces/hosts having the 'routestopped'
option in /etc/shorewall/interfaces and /etc/shorewall/hosts are activated.
If you want to totally open up your firewall, you must use the 'shorewall
clear' command. </p>
a safe state whereby only those hosts listed in /etc/shorewall/routestopped'
are activated. If you want to totally open up your firewall, you
must use the 'shorewall clear' command. </p>
<h4 align="left"><a name="faq8"></a>8. When I try to start Shorewall on RedHat
7.x, I get messages about insmod failing -- what's wrong?</h4>
<h4 align="left"><a name="faq8"></a>8. When I try to start Shorewall on RedHat,
I get messages about insmod failing -- what's wrong?</h4>
<p align="left"><b>Answer: </b>The output you will see looks something like
this:</p>
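Review bot: The rewritten FAQ 7 answer leaves a stray closing quote in "only those hosts listed in /etc/shorewall/routestopped' are activated"; drop the apostrophe (or quote both ends). The FAQ 8 heading is generalised from "RedHat 7.x" to "RedHat", but the answer that follows is still specifically about the iptables v1.2.3 shipped with RH7.2, so either keep the version in the heading or add a sentence saying which releases are affected. Unchanged context in this hunk also carries "I personnaly use Logwatch" ("personally").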
@ -617,8 +664,8 @@ logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
<div align="left">
<p align="left">Also, be sure to check the <a href="errata.htm">errata</a>
for problems concerning the version of iptables (v1.2.3) shipped with
RH7.2.</p>
for problems concerning the version of iptables (v1.2.3) shipped
with RH7.2.</p>
</div>
<h4 align="left"> </h4>
@ -638,9 +685,9 @@ logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
</div>
<div align="left">
<p align="left"><b>Answer: </b>The above output is perfectly normal. The Net
zone is defined as all hosts that are connected through eth0 and the local
zone is defined as all hosts connected through eth1</p>
<p align="left"><b>Answer: </b>The above output is perfectly normal. The
Net zone is defined as all hosts that are connected through eth0 and the
local zone is defined as all hosts connected through eth1</p>
</div>
<h4 align="left"><a name="faq10"></a>10. What Distributions does it work
@ -656,17 +703,18 @@ logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
<h4 align="left"><a name="faq12"></a>12. Why isn't there a GUI?</h4>
<p align="left"><b>Answer: </b>Every time I've started to work on one, I find
myself doing other things. I guess I just don't care enough if Shorewall
has a GUI to invest the effort to create one myself. There are several
Shorewall GUI projects underway however and I will publish links to
them when the authors feel that they are ready. </p>
<p align="left"><b>Answer: </b>Every time I've started to work on one, I
find myself doing other things. I guess I just don't care enough if
Shorewall has a GUI to invest the effort to create one myself. There
are several Shorewall GUI projects underway however and I will publish
links to them when the authors feel that they are ready. </p>
<h4 align="left"> <a name="faq13"></a>13. Why do you call it "Shorewall"?</h4>
<p align="left"><b>Answer: </b>Shorewall is a concatenation of "<u>Shore</u>line"
(<a href="http://www.cityofshoreline.com">the city where I live</a>)
and "Fire<u>wall</u>".</p>
(<a href="http://www.cityofshoreline.com">the city where
I live</a>) and "Fire<u>wall</u>". The full name of the product
is actually "Shoreline Firewall" but "Shorewall" is must more commonly used.</p>
<h4 align="left"> <a name="faq14"></a>14. I'm connected via a cable modem
and it has an internal web server that allows me to configure/monitor
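Review bot: The newly added sentence in FAQ 13 reads "but "Shorewall" is must more commonly used"; "must" should be "much".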
@ -674,11 +722,12 @@ them when the authors feel that they are ready. </p>
(the internet one), it also blocks the cable modems web server.</h4>
<p align="left">Is there any way it can add a rule before the rfc1918 blocking
that will let all traffic to and from the 192.168.100.1 address of
the modem in/out but still block all other rfc1918 addresses.</p>
that will let all traffic to and from the 192.168.100.1 address
of the modem in/out but still block all other rfc1918 addresses?</p>
<p align="left"><b>Answer: </b>If you are running a version of Shorewall earlier
than 1.3.1, create /etc/shorewall/start and in it, place the following:</p>
<p align="left"><b>Answer: </b>If you are running a version of Shorewall
earlier than 1.3.1, create /etc/shorewall/start and in it, place the
following:</p>
<div align="left">
<pre> run_iptables -I rfc1918 -s 192.168.100.1 -j ACCEPT</pre>
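Review bot: The pre-1.3.1 workaround `run_iptables -I rfc1918 -s 192.168.100.1 -j ACCEPT` only matches packets whose source is the modem, while the question asks for traffic "to and from" the 192.168.100.1 address. FAQ 17 in this same file says that destination addresses listed in rfc1918 are checked in a separate man1918 chain; if that chain exists in the affected versions, the answer needs a matching insert for `-d 192.168.100.1` there as well, and it should state explicitly that the exception is scoped to the single /32, not the whole 192.168.100.0/24 block, so that the RFC 1918 filtering on the external interface is otherwise left intact.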
@ -691,6 +740,7 @@ than 1.3.1, create /etc/shorewall/start and in it, place the following:</p>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber3">
<tbody>
@ -704,7 +754,9 @@ than 1.3.1, create /etc/shorewall/start and in it, place the following:</p>
</tr>
</tbody>
</table>
</blockquote>
</div>
@ -714,13 +766,14 @@ than 1.3.1, create /etc/shorewall/start and in it, place the following:</p>
</p>
<p align="left">Note: If you add a second IP address to your external firewall
interface to correspond to the modem address, you must also make an entry
in /etc/shorewall/rfc1918 for that address. For example, if you configure
the address 192.168.100.2 on your firewall, then you would add two entries
to /etc/shorewall/rfc1918: <br>
interface to correspond to the modem address, you must also make
an entry in /etc/shorewall/rfc1918 for that address. For example,
if you configure the address 192.168.100.2 on your firewall, then
you would add two entries to /etc/shorewall/rfc1918: <br>
</p>
<blockquote>
<table cellpadding="2" border="1" style="border-collapse: collapse;">
<tbody>
<tr>
@ -742,16 +795,18 @@ than 1.3.1, create /etc/shorewall/start and in it, place the following:</p>
</td>
</tr>
</tbody>
</table>
</blockquote>
</div>
<div align="left">
<h4 align="left"><a name="faq14a"></a>14a. Even though it assigns public IP
addresses, my ISP's DHCP server has an RFC 1918 address. If I enable RFC
1918 filtering on my external interface, my DHCP client cannot renew its
lease.</h4>
<h4 align="left"><a name="faq14a"></a>14a. Even though it assigns public
IP addresses, my ISP's DHCP server has an RFC 1918 address. If I enable
RFC 1918 filtering on my external interface, my DHCP client cannot renew
its lease.</h4>
</div>
<div align="left">
@ -763,26 +818,29 @@ lease.</h4>
the net</h4>
<p align="left"><b>Answer: </b>Every time I read "systems can't see out to
the net", I wonder where the poster bought computers with eyes and
what those computers will "see" when things are working properly. That
aside, the most common causes of this problem are:</p>
the net", I wonder where the poster bought computers with eyes
and what those computers will "see" when things are working properly.
That aside, the most common causes of this problem are:</p>
<ol>
<li>
<p align="left">The default gateway on each local system isn't set to
the IP address of the local firewall interface.</p>
</li>
<li>
<p align="left">The entry for the local network in the /etc/shorewall/masq
file is wrong or missing.</p>
</li>
<li>
<p align="left">The DNS settings on the local systems are wrong or the
user is running a DNS server on the firewall and hasn't enabled UDP
and TCP port 53 from the firewall to the internet.</p>
user is running a DNS server on the firewall and hasn't enabled
UDP and TCP port 53 from the firewall to the internet.</p>
</li>
</ol>
@ -791,63 +849,73 @@ aside, the most common causes of this problem are:</p>
all over my console making it unusable!</h4>
<p align="left"><b>Answer: </b>"man dmesg" -- add a suitable 'dmesg' command
to your startup scripts or place it in /etc/shorewall/start. Under
RedHat, the max log level that is sent to the console is specified
in /etc/sysconfig/init in the LOGLEVEL variable.<br>
to your startup scripts or place it in /etc/shorewall/start.
Under RedHat, the max log level that is sent to the console
is specified in /etc/sysconfig/init in the LOGLEVEL variable.<br>
</p>
<h4><a name="faq17"></a>17. How do I find out why this is getting logged?</h4>
<b>Answer: </b>Logging occurs out of a number of chains (as indicated
in the log message) in Shorewall:<br>
<h4><a name="faq17"></a>17. How do I find out why this traffic is getting
logged?</h4>
<b>Answer: </b>Logging occurs out of a number of chains
(as indicated in the log message) in Shorewall:<br>
<ol>
<li><b>man1918 - </b>The destination address is listed in /etc/shorewall/rfc1918
with a <b>logdrop </b>target -- see <a
<li><b>man1918 - </b>The destination address is listed
in /etc/shorewall/rfc1918 with a <b>logdrop </b>target -- see <a
href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li>
<li><b>rfc1918</b> - The source address is listed in /etc/shorewall/rfc1918
with a <b>logdrop </b>target -- see <a
<li><b>rfc1918</b> - The source address is listed in
/etc/shorewall/rfc1918 with a <b>logdrop </b>target -- see <a
href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li>
<li><b>all2&lt;zone&gt;</b>, <b>&lt;zone&gt;2all</b> or <b>all2all
</b>- You have a<a href="Documentation.htm#Policy"> policy</a> that
specifies a log level and this packet is being logged under that policy.
If you intend to ACCEPT this traffic then you need a <a
href="Documentation.htm#Rules">rule</a> to that effect.<br>
<li><b>all2&lt;zone&gt;</b>, <b>&lt;zone&gt;2all</b>
or <b>all2all </b>- You have a<a
href="Documentation.htm#Policy"> policy</a> that specifies a log level
and this packet is being logged under that policy. If you intend to
ACCEPT this traffic then you need a <a href="Documentation.htm#Rules">rule</a>
to that effect.<br>
</li>
<li><b>&lt;zone1&gt;2&lt;zone2&gt; </b>- Either you have a<a
href="Documentation.htm#Policy"> policy</a> for <b>&lt;zone1&gt; </b>to
<b>&lt;zone2&gt;</b> that specifies a log level and this packet is being
logged under that policy or this packet matches a <a
href="Documentation.htm#Rules">rule</a> that includes a log level.</li>
<li><b>&lt;interface&gt;_mac</b> - The packet is being logged under the
<b>maclist</b> <a href="Documentation.htm#Interfaces">interface option</a>.<br>
<li><b>&lt;zone1&gt;2&lt;zone2&gt; </b>- Either you
have a<a href="Documentation.htm#Policy"> policy</a> for <b>&lt;zone1&gt;
</b>to <b>&lt;zone2&gt;</b> that specifies a log level and this
packet is being logged under that policy or this packet matches a
<a href="Documentation.htm#Rules">rule</a> that includes a log level.</li>
<li><b>&lt;interface&gt;_mac</b> - The packet is being logged
under the <b>maclist</b> <a
href="Documentation.htm#Interfaces">interface option</a>.<br>
</li>
<li><b>logpkt</b> - The packet is being logged under
the <b>logunclean</b> <a
href="Documentation.htm#Interfaces">interface option</a>.</li>
<li><b>badpkt </b>- The packet is being logged under
the <b>dropunclean</b> <a
href="Documentation.htm#Interfaces">interface option</a> as specified
in the <b>LOGUNCLEAN </b>setting in <a
href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.</li>
<li><b>blacklst</b> - The packet is being logged because
the source IP is blacklisted in the<a
href="Documentation.htm#Blacklist"> /etc/shorewall/blacklist </a>file.</li>
<li><b>newnotsyn </b>- The packet is being logged because
it is a TCP packet that is not part of any current connection yet
it is not a syn packet. Options affecting the logging of such packets
include <b>NEWNOTSYN </b>and <b>LOGNEWNOTSYN </b>in
<a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
<li><b>INPUT</b> or <b>FORWARD</b> - The packet has
a source IP address that isn't in any of your defined zones ("shorewall
check" and look at the printed zone definitions) or the chain is FORWARD
and the destination IP isn't in any of your defined zones.</li>
<li><b>logflags </b>- The packet is being logged because it failed
the checks implemented by the <b>tcpflags </b><a
href="Documentation.htm#Interfaces">interface option</a>.<br>
</li>
<li><b>logpkt</b> - The packet is being logged under the <b>logunclean</b>
<a href="Documentation.htm#Interfaces">interface option</a>.</li>
<li><b>badpkt </b>- The packet is being logged under the <b>dropunclean</b>
<a href="Documentation.htm#Interfaces">interface option</a> as specified
in the <b>LOGUNCLEAN </b>setting in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.</li>
<li><b>blacklst</b> - The packet is being logged because the source
IP is blacklisted in the<a href="Documentation.htm#Blacklist"> /etc/shorewall/blacklist
</a>file.</li>
<li><b>newnotsyn </b>- The packet is being logged because it is
a TCP packet that is not part of any current connection yet it is not
a syn packet. Options affecting the logging of such packets include <b>NEWNOTSYN
</b>and <b>LOGNEWNOTSYN </b>in <a
href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
<li><b>INPUT</b> or <b>FORWARD</b> - The packet has a source IP
address that isn't in any of your defined zones ("shorewall check" and
look at the printed zone definitions) or the chain is FORWARD and the destination
IP isn't in any of your defined zones.</li>
</ol>
<h4><a name="faq18"></a>18. Is there any way to use <b>aliased ip addresses</b>
with Shorewall, and maintain separate rulesets for different IPs?</h4>
<b>Answer: </b>Yes. You simply use the IP address in your rules (or
if you use NAT, use the local IP address in your rules). <b>Note:</b> The
":n" notation (e.g., eth0:0) is deprecated and will disappear eventually.
Neither iproute (ip and tc) nor iptables supports that notation so neither
does Shorewall. <br>
<b>Answer: </b>Yes. You simply use the IP address in your
rules (or if you use NAT, use the local IP address in your rules).
<b>Note:</b> The ":n" notation (e.g., eth0:0) is deprecated and will
disappear eventually. Neither iproute (ip and tc) nor iptables supports
that notation so neither does Shorewall. <br>
<br>
<b>Example 1:</b><br>
<br>
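Review bot: The new `logflags` entry added to FAQ 17 says only that the packet "failed the checks implemented by the tcpflags interface option"; the neighbouring `badpkt` entry names the shorewall.conf setting that governs it (LOGUNCLEAN), so the logflags entry should likewise name the shorewall.conf settings that control the disposition and log level of tcpflags failures, otherwise the reader cannot tell how to turn that logging off. In FAQ 16, "add a suitable 'dmesg' command" would be more useful as "add `dmesg -n <level>`", since the `-n` option is the one that sets the console log level the answer is talking about. The `all2<zone>` and `INPUT`/`FORWARD` items are unchanged; in this view the old and new versions of the list both appear, so confirm the rendered page has a single list.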
@ -873,24 +941,79 @@ does Shorewall. <br>
but they don't seem to do anything. Why?</h4>
You probably haven't set TC_ENABLED=Yes in /etc/shorewall/shorewall.conf
so the contents of the tcrules file are simply being ignored.<br>
<h4><a name="faq20"></a><b>20. </b>I have just set up a server. <b>Do I have
to change Shorewall to allow access to my server from the internet?</b><br>
</h4>
Yes. Consult the <a href="shorewall_quickstart_guide.htm">QuickStart guide</a>
that you used during your initial setup for information about how to set
up rules for your server.<br>
Yes. Consult the <a href="shorewall_quickstart_guide.htm">QuickStart
guide</a> that you used during your initial setup for information about
how to set up rules for your server.<br>
<h4><a name="faq21"></a><b>21. </b>I see these <b>strange log entries </b>occasionally;
what are they?<br>
</h4>
<blockquote>
<pre>Nov 25 18:58:52 linux kernel: Shorewall:net2all:DROP:IN=eth1 OUT= MAC=00:60:1d:f0:a6:f9:00:60:1d:f6:35:50:08:00<br> SRC=206.124.146.179 DST=192.0.2.3 LEN=56 TOS=0x00 PREC=0x00 TTL=110 ID=18558 PROTO=ICMP TYPE=3 CODE=3 <br> [SRC=192.0.2.3 DST=172.16.1.10 LEN=128 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP SPT=53 DPT=2857 LEN=108 ]<br></pre>
</blockquote>
192.0.2.3 is external on my firewall... 172.16.0.0/24 is my internal
LAN<br>
<br>
<b>Answer: </b>While most people associate the Internet Control
Message Protocol (ICMP) with 'ping', ICMP is a key piece of  the internet.
ICMP is used to report problems back to the sender of a packet; this is
what is happening here. Unfortunately, where NAT is involved (including
SNAT, DNAT and Masquerade), there are a lot of broken implementations.
That is what you are seeing with these messages.<br>
<br>
Here is my interpretation of what is happening -- to confirm this
analysis, one would have to have packet sniffers placed a both ends of
the connection.<br>
<br>
Host 172.16.1.10 behind NAT gateway 206.124.146.179 sent a UDP DNS
query to 192.0.2.3 and your DNS server tried to send a response (the
response information is in the brackets -- note source port 53 which marks
this as a DNS reply). When the response was returned to to 206.124.146.179,
it rewrote the destination IP TO 172.16.1.10 and forwarded the packet to
172.16.1.10 who no longer had a connection on UDP port 2857. This causes
a port unreachable (type 3, code 3) to be generated back to 192.0.2.3.
As this packet is sent back through 206.124.146.179, that box correctly
changes the source address in the packet to 206.124.146.179 but doesn't
reset the DST IP in the original DNS response similarly. When the ICMP
reaches your firewall (192.0.2.3), your firewall has no record of having
sent a DNS reply to 172.16.1.10 so this ICMP doesn't appear to be related
to anything that was sent. The final result is that the packet gets logged
and dropped in the all2all chain. I have also seen cases where the source
IP in the ICMP itself isn't set back to the external IP of the remote NAT
gateway; that causes your firewall to log and drop the packet out of the
rfc1918 chain because the source IP is reserved by RFC 1918.<br>
<h4><a name="faq22"></a><b>22. </b>I have some <b>iptables commands </b>that
I want to <b>run when Shorewall starts.</b> Which file do I put them in?</h4>
You can place these commands in one of the <a
href="shorewall_extension_scripts.htm">Shorewall Extension Scripts</a>. Be
sure that you look at the contents of the chain(s) that you will be modifying
with your commands to be sure that the commands will do what they are intended.
Many iptables commands published in HOWTOs and other instructional material
use the -A command which adds the rules to the end of the chain. Most chains
that Shorewall constructs end with an unconditional DROP, ACCEPT or REJECT
rule and any rules that you add after that will be ignored. Check "man iptables"
and look at the -I (--insert) command.<br>
<br>
<div align="left"> </div>
<font size="2">Last updated 11/24/2002 - <a href="support.htm">Tom Eastep</a></font>
<font size="2">Last updated 12/13/2002 - <a
href="support.htm">Tom Eastep</a></font>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
<br>
</p>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
</body>
</html>
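Review bot: In FAQ 21 the sample log line is tagged `Shorewall:net2all:DROP:`, but the explanation concludes that "the packet gets logged and dropped in the all2all chain"; the chain named in the analysis should match the log line (net2all), or the text should say which policy chain applies. Two wording slips in the same paragraph: "When the response was returned to to 206.124.146.179" (doubled "to") and "packet sniffers placed a both ends" ("at both ends"). The FAQ 22 advice to use `-I` rather than `-A` because Shorewall's chains end in an unconditional DROP/ACCEPT/REJECT is correct and worth keeping; it would be stronger with a reminder to run `shorewall show <chain>` first to see where the inserted rule will land.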

View File

@ -29,13 +29,17 @@
Beginning with Shorewall version 1.3.10, all traffic from an interface
or from a subnet on an interface can be verified to originate from a defined
set of MAC addresses. Furthermore, each MAC address may be optionally associated
with one or more IP addresses. There are four components to this facility.<br>
with one or more IP addresses. <br>
<br>
<b>You must have the iproute package (ip utility) installed to use MAC Verification.</b><br>
<br>
There are four components to this facility.<br>
<ol>
<li>The <b>maclist</b> interface option in <a
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. When this
option is specified, all traffic arriving on the interface is subjet to MAC
verification.</li>
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. When
this option is specified, all traffic arriving on the interface is subjet
to MAC verification.</li>
<li>The <b>maclist </b>option in <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>.
When this option is specified for a subnet, all traffic from that subnet
is subject to MAC verification.</li>
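Review bot: The rewrap of the first list item carried the typo "all traffic arriving on the interface is subjet to MAC verification" through unchanged ("subject"). The new bold requirement "You must have the iproute package (ip utility) installed to use MAC Verification" is a good addition; consider saying what fails without it (start-time error versus silently skipped verification), since a silently skipped check would be the worse failure mode for a feature meant to restrict which devices may talk to the firewall.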
@ -43,19 +47,20 @@ is subject to MAC verification.</li>
MAC addresses with interfaces and to optionally associate IP addresses with
MAC addresses.</li>
<li>The <b>MACLIST_DISPOSITION </b>and <b>MACLIST_LOG_LEVEL </b>variables
in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a> The
MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT and determines
the disposition of connection requests that fail MAC verification. The MACLIST_LOG_LEVEL
variable gives the syslogd level at which connection requests that fail verification
are to be logged. If set the the empty value (e.g., MACLIST_LOG_LEVEL="")
then failing connection requests are not logged.<br>
in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a>
The MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT and
determines the disposition of connection requests that fail MAC verification.
The MACLIST_LOG_LEVEL variable gives the syslogd level at which connection
requests that fail verification are to be logged. If set the the empty value
(e.g., MACLIST_LOG_LEVEL="") then failing connection requests are not logged.<br>
</li>
</ol>
The columns in /etc/shorewall/maclist are:<br>
<ul>
<li>INTERFACE - The name of an ethernet interface on the Shorewall system.</li>
<li>INTERFACE - The name of an ethernet interface on the Shorewall
system.</li>
<li>MAC - The MAC address of a device on the ethernet segment connected
by INTERFACE. It is not necessary to use the Shorewall MAC format in this
column although you may use that format if you so choose.</li>
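Review bot: The rewrapped MACLIST_LOG_LEVEL sentence keeps the doubled word in "If set the the empty value (e.g., MACLIST_LOG_LEVEL="")". The same item lists ACCEPT as a permitted MACLIST_DISPOSITION value without comment; a sentence noting that ACCEPT turns MAC verification into a log-only check (failures are logged at MACLIST_LOG_LEVEL but still admitted, and with MACLIST_LOG_LEVEL="" they are neither logged nor blocked) would save readers from deploying a configuration that enforces nothing.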
@ -80,8 +85,8 @@ MAC addresses.</li>
<h3>Example 2: Router in Local Zone</h3>
Suppose now that I add a second ethernet segment to my local zone and
gateway that segment via a router with MAC address 00:06:43:45:C6:15 and
IP address 192.168.1.253. Hosts in the second segment have IP addresses
in the subnet 192.168.2.0/24. I would add the following entry to my /etc/shorewall/maclist
IP address 192.168.1.253. Hosts in the second segment have IP addresses in
the subnet 192.168.2.0/24. I would add the following entry to my /etc/shorewall/maclist
file:<br>
<pre> eth2 00:06:43:45:C6:15 192.168.1.253,192.168.2.0/24<br></pre>
@ -90,7 +95,7 @@ and from the second LAN segment (192.168.2.0/24). Remember that all traffic
being sent to my firewall from the 192.168.2.0/24 segment will be forwarded
by the router so that traffic's MAC address will be that of the router (00:06:43:45:C6:15)
and not that of the host sending the traffic.
<p><font size="2"> Updated 10/23/2002 - <a href="support.htm">Tom Eastep</a>
<p><font size="2"> Updated 12/22/2002 - <a href="support.htm">Tom Eastep</a>
</font></p>
@ -102,5 +107,6 @@ by the router so that traffic's MAC address will be that of the router (00:06:43
<br>
<br>
<br>
<br>
</body>
</html>

File diff suppressed because it is too large Load Diff

View File

@ -49,8 +49,8 @@
<li> <a href="shorewall_quickstart_guide.htm">QuickStart
Guides (HOWTOs)</a><br>
</li>
<li> <a
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></li>
<li> <b><a
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li>
<li> <a href="Documentation.htm">Reference Manual</a></li>
<li> <a href="FAQ.htm">FAQs</a></li>
<li><a href="useful_links.html">Useful Links</a><br>
@ -139,5 +139,6 @@
<br>
<br>
<br>
<br>
</body>
</html>

View File

@ -2,13 +2,17 @@
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Index</title>
@ -35,7 +39,8 @@
<ul>
<li> <a href="seattlefirewall_index.htm">Home</a></li>
<li> <a href="shorewall_features.htm">Features</a></li>
<li> <a
href="shorewall_features.htm">Features</a></li>
<li> <a href="shorewall_prerequisites.htm">Requirements</a></li>
<li> <a href="download.htm">Download</a><br>
</li>
@ -45,8 +50,8 @@
<li> <a href="shorewall_quickstart_guide.htm">QuickStart
Guides (HOWTOs)</a><br>
</li>
<li> <a
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></li>
<li> <b><a
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li>
<li> <a href="Documentation.htm">Reference Manual</a></li>
<li> <a href="FAQ.htm">FAQs</a></li>
<li><a href="useful_links.html">Useful Links</a><br>
@ -60,6 +65,7 @@ Guides (HOWTOs)</a><br>
<ul>
<li><a target="_top"
href="http://slovakia.shorewall.net">Slovak Republic</a></li>
@ -89,11 +95,12 @@ State, USA</a><br>
<ul>
<li> <a href="News.htm">News Archive</a></li>
<li> <a href="Shorewall_CVS_Access.html">CVS Repository</a></li>
<li> <a href="Shorewall_CVS_Access.html">CVS
Repository</a></li>
<li> <a href="quotes.htm">Quotes from Users</a></li>
<li> <a href="shoreline.htm">About the Author</a></li>
<li> <a
href="seattlefirewall_index.htm#Donations">Donations</a></li>
href="sourceforge_index.htm#Donations">Donations</a></li>
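Review bot: The Donations link in this sidebar now points at `sourceforge_index.htm#Donations`, while the Home link in the same list (a few lines above) still points at `seattlefirewall_index.htm`; confirm that `sourceforge_index.htm` actually carries a `Donations` anchor, and make the two sidebars (this file and the one in the preceding hunk set) consistent so the link does not depend on which mirror the page is served from.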
@ -101,6 +108,7 @@ State, USA</a><br>
</td>
</tr>
</tbody>
</table>
@ -109,6 +117,7 @@ State, USA</a><br>
<b>Note: </b></strong>Search is unavailable Daily 0200-0330
GMT.<br>
<strong></strong>
<p><strong>Quick Search</strong><br>
<font face="Arial" size="-1"> <input
type="text" name="words" size="15"></font><font size="-1"> </font> <font
@ -125,12 +134,12 @@ State, USA</a><br>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
<p><a href="http://www.shorewall.net" target="_top"> <img border="1"
src="images/shorewall.jpg" width="119" height="38" hspace="0">
</a><br>
<br>
<p><a href="http://www.shorewall.net" target="_top"> </a><br>
</p>
<br>
<br>
<br>
<br>
<br>
</body>
</html>
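Review bot: Removing the `<img src="images/shorewall.jpg" ...>` logo leaves behind an empty `<a href="http://www.shorewall.net" target="_top"> </a>` containing only a space; either delete the anchor as well or restore the image, since an empty link renders as nothing but still appears in the tab order.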

View File

@ -1,40 +1,60 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>VPN</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">VPN</font></h1>
<h1 align="center"><font color="#ffffff">VPN</font></h1>
</td>
</tr>
</tbody>
</table>
<p>It is often the case that a system behind the firewall needs to be able to
access a remote network through Virtual Private Networking (VPN). The two most
common means for doing this are IPSEC and PPTP. The basic setup is shown in the
following diagram:</p>
<p align="center"><img border="0" src="images/VPN.png" width="568" height="796"></p>
<p>It is often the case that a system behind the firewall needs to be able
to access a remote network through Virtual Private Networking (VPN). The
two most common means for doing this are IPSEC and PPTP. The basic setup
is shown in the following diagram:</p>
<p align="center"><img border="0" src="images/VPN.png" width="568"
height="796">
</p>
<p align="left">A system with an RFC 1918 address needs to access a remote
network through a remote gateway. For this example, we will assume that the
local system has IP address 192.168.1.12 and that the remote gateway has IP
address 192.0.2.224.</p>
<p align="left">If PPTP is being used, there are no firewall requirements beyond
the default loc-&gt;net ACCEPT policy. There is one restriction however: Only one
local system at a time can be connected to a single remote gateway unless you
patch your kernel from the 'Patch-o-matic' patches available at
<a href="http://www.netfilter.org">http://www.netfilter.org</a>. </p>
<p align="left">If IPSEC is being used then there are firewall configuration
requirements as follows:</p>
network through a remote gateway. For this example, we will assume that
the local system has IP address 192.168.1.12 and that the remote gateway
has IP address 192.0.2.224.</p>
<p align="left">If PPTP is being used, there are no firewall requirements
beyond the default loc-&gt;net ACCEPT policy. There is one restriction however:
Only one local system at a time can be connected to a single remote gateway
unless you patch your kernel from the 'Patch-o-matic' patches available
at <a href="http://www.netfilter.org">http://www.netfilter.org</a>. </p>
<p align="left">If IPSEC is being used then only one system may connect to
the remote gateway and there are firewall configuration requirements as
follows:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse" bordercolor="#111111" id="AutoNumber2" height="98">
<table border="1" cellpadding="2" style="border-collapse: collapse;"
bordercolor="#111111" id="AutoNumber2" height="98">
<tbody>
<tr>
<td height="38"><u><b>ACTION</b></u></td>
<td height="38"><u><b>SOURCE</b></u></td>
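Review bot: The new restriction "If IPSEC is being used then only one system may connect to the remote gateway" is stated without a reason; the rules table that follows makes the reason visible, so the text should say it: both DNAT entries (protocol 50, and udp port 500) forward everything from net:192.0.2.224 to the single host loc:192.168.1.12, and ESP carries no port number that would let the firewall distinguish a second local client. Stating that also tells the reader that adding a second DNAT line for another host would not work. The PPTP paragraph above it retains the "unless you patch your kernel" caveat, so the two cases are now consistent.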
@ -51,9 +71,9 @@ requirements as follows:</p>
<td height="19">net:192.0.2.224</td>
<td height="19">loc:192.168.1.12</td>
<td height="19">50</td>
<td height="19">&nbsp;</td>
<td height="19">&nbsp;</td>
<td height="19">&nbsp;</td>
<td height="19"> </td>
<td height="19"> </td>
<td height="19"> </td>
</tr>
<tr>
<td height="19">DNAT</td>
@ -61,21 +81,24 @@ requirements as follows:</p>
<td height="19">loc:192.168.1.12</td>
<td height="19">udp</td>
<td height="19">500</td>
<td height="19">&nbsp;</td>
<td height="19">&nbsp;</td>
<td height="19"> </td>
<td height="19"> </td>
</tr>
</tbody>
</table>
</blockquote>
<p>If you want to be able to give access to all of your local systems to the
remote network, you should consider running a VPN client on your firewall. As
starting points, see
<a href="http://www.shorewall.net/Documentation.htm#Tunnels">
http://www.shorewall.net/Documentation.htm#Tunnels</a> or
<a href="http://www.shorewall.net/PPTP.htm">http://www.shorewall.net/PPTP.htm</a>.</p>
<p><font size="2">Last modified 8/27/2002 - <a href="support.htm">Tom
Eastep</a></font><p><font face="Trebuchet MS"><a href="copyright.htm">
<font size="2">Copyright</font> © <font size="2">2002 Thomas M. Eastep.</font></a></font><p>&nbsp;</p>
<p>If you want to be able to give access to all of your local systems to
the remote network, you should consider running a VPN client on your firewall.
As starting points, see <a
href="http://www.shorewall.net/Documentation.htm#Tunnels"> http://www.shorewall.net/Documentation.htm#Tunnels</a>
or <a href="http://www.shorewall.net/PPTP.htm">http://www.shorewall.net/PPTP.htm</a>.</p>
<p><font size="2">Last modified 12/21/2002 - <a href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"> <font size="2">Copyright</font>
© <font size="2">2002 Thomas M. Eastep.</font></a></font></p>
<p> </p>
<br>
</body>
</html>

View File

@ -20,6 +20,7 @@
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Configuration Files</font></h1>
</td>
</tr>
@ -38,46 +39,56 @@
<p>Shorewall's configuration files are in the directory /etc/shorewall.</p>
<ul>
<li>/etc/shorewall/shorewall.conf - used to set several firewall
parameters.</li>
<li>/etc/shorewall/params - use this file to set shell variables
that you will expand in other files.</li>
<li>/etc/shorewall/zones - partition the firewall's view of
the world into <i>zones.</i></li>
<li>/etc/shorewall/shorewall.conf - used to set several
firewall parameters.</li>
<li>/etc/shorewall/params - use this file to set shell
variables that you will expand in other files.</li>
<li>/etc/shorewall/zones - partition the firewall's
view of the world into <i>zones.</i></li>
<li>/etc/shorewall/policy - establishes firewall high-level
policy.</li>
<li>/etc/shorewall/interfaces - describes the interfaces on
the firewall system.</li>
<li>/etc/shorewall/hosts - allows defining zones in terms of
individual hosts and subnetworks.</li>
<li>/etc/shorewall/masq - directs the firewall where to use
many-to-one (dynamic) Network Address Translation (a.k.a. Masquerading)
and Source Network Address Translation (SNAT).</li>
<li>/etc/shorewall/modules - directs the firewall to load kernel
modules.</li>
<li>/etc/shorewall/interfaces - describes the interfaces
on the firewall system.</li>
<li>/etc/shorewall/hosts - allows defining zones in
terms of individual hosts and subnetworks.</li>
<li>/etc/shorewall/masq - directs the firewall where
to use many-to-one (dynamic) Network Address Translation (a.k.a.
Masquerading) and Source Network Address Translation (SNAT).</li>
<li>/etc/shorewall/modules - directs the firewall to
load kernel modules.</li>
<li>/etc/shorewall/rules - defines rules that are exceptions
to the overall policies established in /etc/shorewall/policy.</li>
<li>/etc/shorewall/nat - defines static NAT rules.</li>
<li>/etc/shorewall/proxyarp - defines use of Proxy ARP.</li>
<li>/etc/shorewall/routestopped (Shorewall 1.3.4 and later)
- defines hosts accessible when Shorewall is stopped.</li>
<li>/etc/shorewall/tcrules - defines marking of packets for
later use by traffic control/shaping or policy routing.</li>
<li>/etc/shorewall/tos - defines rules for setting the TOS
field in packet headers.</li>
<li>/etc/shorewall/tunnels - defines IPSEC, GRE and IPIP tunnels
with end-points on the firewall system.</li>
<li>/etc/shorewall/proxyarp - defines use of Proxy
ARP.</li>
<li>/etc/shorewall/routestopped (Shorewall 1.3.4 and
later) - defines hosts accessible when Shorewall is stopped.</li>
<li>/etc/shorewall/tcrules - defines marking of packets
for later use by traffic control/shaping or policy routing.</li>
<li>/etc/shorewall/tos - defines rules for setting
the TOS field in packet headers.</li>
<li>/etc/shorewall/tunnels - defines IPSEC, GRE and
IPIP tunnels with end-points on the firewall system.</li>
<li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC
addresses.</li>
<li>/etc/shorewall/init - commands that you wish to execute at the beginning
of a "shorewall start" or "shorewall restart".</li>
<li>/etc/shorewall/start - commands that you wish to execute at the completion
of a "shorewall start" or "shorewall restart"</li>
<li>/etc/shorewall/stop - commands that you wish to execute at the beginning
of a "shorewall stop".</li>
<li>/etc/shorewall/stopped - commands that you wish to execute at the
completion of a "shorewall stop".<br>
</li>
</ul>
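Review bot: the four new hook-file entries (init, start, stop, stopped) say that the commands placed in them are executed during "shorewall start", "shorewall restart" and "shorewall stop", but give the reader no cue that anything written there runs every time the firewall is started or stopped and so must be protected like the firewall script itself; suggest adding that these files should be owned by and writable only by root. Two smaller points: the `/etc/shorewall/start` item is the only one of the four without a terminating period, and the `stopped` item carries a stray `<br>` inside its `<li>`.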
<h2>Comments</h2>
<p>You may place comments in configuration files by making the first non-whitespace
character a pound sign ("#"). You may also place comments at the
end of any line, again by delimiting the comment from the rest of
the line with a pound sign.</p>
character a pound sign ("#"). You may also place comments at
the end of any line, again by delimiting the comment from the rest
of the line with a pound sign.</p>
<p>Examples:</p>
@ -100,38 +111,41 @@ the line with a pound sign.</p>
<p align="left"><b>WARNING: I personally recommend strongly <u>against</u>
using DNS names in Shorewall configuration files. If you use DNS names
and you are called out of bed at 2:00AM because Shorewall won't start as
a result of DNS problems then don't say that you were not forewarned. <br>
and you are called out of bed at 2:00AM because Shorewall won't start
as a result of DNS problems then don't say that you were not forewarned.
<br>
</b></p>
<p align="left"><b>    -Tom<br>
</b></p>
<p align="left">Beginning with Shorwall 1.3.9, Host addresses in Shorewall
configuration files may be specified either as IP addresses or as DNS Names.<br>
configuration files may be specified as either IP addresses or DNS
Names.<br>
<br>
DNS names in iptables rules aren't nearly as useful as they first appear.
When a DNS name appears in a rule, the iptables utility resolves the name
to one or more IP addresses and inserts those addresses into the rule.
So change in the DNS-&gt;IP address relationship that occur after the firewall
has started have absolutely no effect on the firewall's ruleset. </p>
DNS names in iptables rules aren't nearly as useful as they
first appear. When a DNS name appears in a rule, the iptables utility
resolves the name to one or more IP addresses and inserts those addresses
into the rule. So changes in the DNS-&gt;IP address relationship that
occur after the firewall has started have absolutely no effect on the
firewall's ruleset. </p>
<p align="left"> If your firewall rules include DNS names then:</p>
<ul>
<li>If your /etc/resolv.conf is wrong then your firewall won't
start.</li>
<li>If your /etc/nsswitch.conf is wrong then your firewall won't
start.</li>
<li>If your Name Server(s) is(are) down then your firewall won't
start.</li>
<li>If your startup scripts try to start your firewall before starting
your DNS server then your firewall won't start.<br>
<li>If your /etc/nsswitch.conf is wrong then your firewall
won't start.</li>
<li>If your Name Server(s) is(are) down then your firewall
won't start.</li>
<li>If your startup scripts try to start your firewall before
starting your DNS server then your firewall won't start.<br>
</li>
<li>Factors totally outside your control (your ISP's router is
down for example), can prevent your firewall from starting.</li>
<li>You must bring up your network interfaces prior to starting your
firewall.<br>
<li>Factors totally outside your control (your ISP's router
is down for example), can prevent your firewall from starting.</li>
<li>You must bring up your network interfaces prior to starting
your firewall.<br>
</li>
</ul>
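Review bot: the context line `Beginning with Shorwall 1.3.9, Host addresses in Shorewall` at the head of this hunk keeps the typo "Shorwall" and the mid-sentence capital in "Host addresses" even though the rest of that paragraph is being reflowed; suggest "Beginning with Shorewall 1.3.9, host addresses ..." while the paragraph is open. The reflowed text does fix "So change in the DNS->IP address relationship" to "So changes", which was the other defect in that paragraph.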
@ -146,7 +160,7 @@ So change in the DNS-&gt;IP address relationship that occur after the firewall
<ul>
<li>mail.shorewall.net</li>
<li>shorewall.net.</li>
<li>shorewall.net. (note the trailing period).</li>
</ul>
Examples of invalid DNS names:<br>
@ -159,14 +173,14 @@ So change in the DNS-&gt;IP address relationship that occur after the firewall
DNS names may not be used as:<br>
<ul>
<li>The server address in a DNAT rule (/etc/shorewall/rules file)</li>
<li>The server address in a DNAT rule (/etc/shorewall/rules
file)</li>
<li>In the ADDRESS column of an entry in /etc/shorewall/masq.</li>
<li>In the /etc/shorewall/nat file.</li>
</ul>
These are iptables restrictions and are not simply imposed for your
inconvenience by Shorewall. <br>
<br>
These restrictions are not imposed by Shorewall simply for
your inconvenience but are rather limitations of iptables.<br>
<h2>Complementing an Address or Subnet</h2>
@ -187,7 +201,8 @@ no white space following the "!".</p>
<li>If you use line continuation to break a comma-separated
list, the continuation line(s) must begin in column 1 (or there
would be embedded white space)</li>
<li>Entries in a comma-separated list may appear in any order.</li>
<li>Entries in a comma-separated list may appear in
any order.</li>
</ul>
@ -218,6 +233,7 @@ would be embedded white space)</li>
<p>Example:</p>
<blockquote>
<pre>NET_IF=eth0<br>NET_BCAST=130.252.100.255<br>NET_OPTIONS=noping,norfc1918</pre>
</blockquote>
@ -225,7 +241,9 @@ would be embedded white space)</li>
Example (/etc/shorewall/interfaces record):</p>
<font
face="Century Gothic, Arial, Helvetica">
<blockquote>
<pre><font face="Courier">net $NET_IF $NET_BCAST $NET_OPTIONS</font></pre>
</blockquote>
</font>
@ -233,7 +251,9 @@ would be embedded white space)</li>
<p>The result will be the same as if the record had been written</p>
<font
face="Century Gothic, Arial, Helvetica">
<blockquote>
<pre>net eth0 130.252.100.255 noping,norfc1918</pre>
</blockquote>
</font>
@ -251,50 +271,150 @@ would be embedded white space)</li>
<p>MAC addresses are 48 bits wide and each Ethernet Controller has a
unique MAC address.<br>
<br>
In GNU/Linux, MAC addresses are usually written as a series of
6 hex numbers separated by colons. Example:<br>
In GNU/Linux, MAC addresses are usually written as a
series of 6 hex numbers separated by colons. Example:<br>
<br>
     [root@gateway root]# ifconfig eth0<br>
     eth0 Link encap:Ethernet HWaddr <b><u>02:00:08:E3:FA:55</u></b><br>
     inet addr:206.124.146.176 Bcast:206.124.146.255 Mask:255.255.255.0<br>
     inet addr:206.124.146.176 Bcast:206.124.146.255
Mask:255.255.255.0<br>
     UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br>
     RX packets:2398102 errors:0 dropped:0 overruns:0 frame:0<br>
     TX packets:3044698 errors:0 dropped:0 overruns:0 carrier:0<br>
     RX packets:2398102 errors:0 dropped:0 overruns:0
frame:0<br>
     TX packets:3044698 errors:0 dropped:0 overruns:0
carrier:0<br>
     collisions:30394 txqueuelen:100<br>
     RX bytes:419871805 (400.4 Mb) TX bytes:1659782221 (1582.8
Mb)<br>
     RX bytes:419871805 (400.4 Mb) TX bytes:1659782221
(1582.8 Mb)<br>
     Interrupt:11 Base address:0x1800<br>
<br>
Because Shorewall uses colons as a separator for address fields,
Shorewall requires MAC addresses to be written in another way. In
Shorewall, MAC addresses begin with a tilde ("~") and consist of
6 hex numbers separated by hyphens. In Shorewall, the MAC address
in the example above would be written "~02-00-08-E3-FA-55".<br>
Because Shorewall uses colons as a separator for address
fields, Shorewall requires MAC addresses to be written in another
way. In Shorewall, MAC addresses begin with a tilde ("~") and
consist of 6 hex numbers separated by hyphens. In Shorewall, the
MAC address in the example above would be written "~02-00-08-E3-FA-55".<br>
</p>
<p><b>Note: </b>It is not necessary to use the special Shorewall notation
in the <a href="MAC_Validation.html">/etc/shorewall/maclist</a> file.<br>
</p>
<h2><a name="Levels"></a>Logging</h2>
By default, Shorewall directs NetFilter to log using syslog (8). Syslog
classifies log messages by a <i>facility</i> and a <i>priority</i> (using
the notation <i>facility.priority</i>). <br>
<br>
The facilities defined by syslog are <i>auth, authpriv, cron, daemon,
kern, lpr, mail, mark, news, syslog, user, uucp</i> and <i>local0</i> through
<i>local7</i>.<br>
<br>
Throughout the Shorewall documentation, I will use the term <i>level</i>
rather than <i>priority</i> since <i>level</i> is the term used by NetFilter.
The syslog documentation uses the term <i>priority</i>.<br>
<h3>Syslog Levels<br>
</h3>
Syslog levels are a method of describing to syslog (8) the importance
of a message and a number of Shorewall parameters have a syslog level
as their value.<br>
<br>
Valid levels are:<br>
<br>
       7       debug<br>
       6       info<br>
       5       notice<br>
       4       warning<br>
       3       err<br>
       2       crit<br>
       1       alert<br>
       0       emerg<br>
<br>
For most Shorewall logging, a level of 6 (info) is appropriate. Shorewall
log messages are generated by NetFilter and are logged using the <i>kern</i>
facility and the level that you specify. If you are unsure of the level
to choose, 6 (info) is a safe bet. You may specify levels by name or by
number.<br>
<br>
Syslogd writes log messages to files (typically in /var/log/*) based
on their facility and level. The mapping of these facility/level pairs to
log files is done in /etc/syslog.conf (5). If you make changes to this file,
you must restart syslogd before the changes can take effect.<br>
<h3>Configuring a Separate Log for Shorewall Messages</h3>
There are a couple of limitations to syslogd-based logging:<br>
<ol>
<li>If you give, for example, kern.info it's own log destination then
that destination will also receive all kernel messages of levels 5 (notice)
through 0 (emerg).</li>
<li>All kernel.info messages will go to that destination and not just
those from NetFilter.<br>
</li>
</ol>
Beginning with Shorewall version 1.3.12, if your kernel has ULOG target
support (and most vendor-supplied kernels do), you may also specify a log
level of ULOG (must be all caps). When ULOG is used, Shorewall will direct
netfilter to log the related messages via the ULOG target which will send
them to a process called 'ulogd'. The ulogd program is available from http://www.gnumonks.org/projects/ulogd
and can be configured to log all Shorewall message to their own log file.<br>
<br>
Download the ulod tar file and:<br>
<ol>
<li>cd /usr/local/src (or wherever you do your builds)</li>
<li>tar -zxf <i>source-tarball-that-you-downloaded</i></li>
<li>cd ulogd-<i>version</i><br>
</li>
<li>./configure</li>
<li>make</li>
<li>make install<br>
</li>
</ol>
If you are like me and don't have a development environment on your firewall,
you can do the first five steps on another system then either NFS mount your
/usr/local/src directory or tar up the /usr/local/src/ulogd-<i>version</i>
directory and move it to your firewall system.<br>
<br>
Now on the firewall system, edit /usr/local/etc/ulogd.conf and set:<br>
<ol>
<li>syslogfile <i>&lt;file that you wish to log to&gt;</i></li>
<li>syslogsync 1</li>
</ol>
I also copied the file /usr/local/src/ulogd-<i>version</i>/ulogd.init to
/etc/init.d/ulogd. I had to edit the line that read "daemon /usr/local/sbin/ulogd"
to read daemon /usr/local/sbin/ulogd -d". On a RedHat system, a simple "chkconfig
--level 3 ulogd on" starts ulogd during boot up. Your init system may need
something else done to activate the script.<br>
<br>
Finally edit /etc/shorewall/shorewall.conf and set LOGFILE=<i>&lt;file that
you wish to log to&gt;</i>. This tells the /sbin/shorewall program where to
look for the log when processing its "show log", "logwatch" and "monitor"
commands.<br>
<h2><a name="Configs"></a>Shorewall Configurations</h2>
<p> Shorewall allows you to have configuration directories other than /etc/shorewall.
The <a href="starting_and_stopping_shorewall.htm">shorewall start and restart</a>
commands allow you to specify an alternate configuration directory
and Shorewall will use the files in the alternate directory rather than
the corresponding files in /etc/shorewall. The alternate directory need
not contain a complete configuration; those files not in the alternate directory
will be read from /etc/shorewall.</p>
The <a href="starting_and_stopping_shorewall.htm">shorewall start and
restart</a> commands allow you to specify an alternate configuration
directory and Shorewall will use the files in the alternate directory
rather than the corresponding files in /etc/shorewall. The alternate directory
need not contain a complete configuration; those files not in the alternate
directory will be read from /etc/shorewall.</p>
<p> This facility permits you to easily create a test or temporary configuration
by:</p>
<ol>
<li> copying the files that need modification from /etc/shorewall
to a separate directory;</li>
<li> modify those files in the separate directory; and</li>
<li> specifying the separate directory in a shorewall start
or shorewall restart command (e.g., <i><b>shorewall -c /etc/testconfig
<li> copying the files that need modification from
/etc/shorewall to a separate directory;</li>
<li> modify those files in the separate directory;
and</li>
<li> specifying the separate directory in a shorewall
start or shorewall restart command (e.g., <i><b>shorewall -c /etc/testconfig
restart</b></i> ).</li>
</ol>
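Review bot: the new ULOG section has several wording defects that should be fixed before it ships: "Download the ulod tar file" should read "ulogd"; the two limitations of syslogd-based logging name the facility inconsistently ("kern.info" in item 1, "kernel.info" in item 2; syslog's facility is kern, as the paragraph above the list states) and item 1 has "it's own" for "its own"; "log all Shorewall message to their own log file" should be "messages"; and the edited init-script line is missing its opening quote, so `to read daemon /usr/local/sbin/ulogd -d".` should be `to read "daemon /usr/local/sbin/ulogd -d".`. It would also help the reader to say in the first paragraph that choosing ULOG removes these messages from syslogd entirely (the text implies it, by having them go to ulogd's own file, but never states it), since that is the reason the later step of pointing LOGFILE at the ulogd file is mandatory rather than optional.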
@ -302,19 +422,14 @@ will be read from /etc/shorewall.</p>
<p><font size="2"> Updated 11/21/2002 - <a href="support.htm">Tom Eastep</a>
<p><font size="2"> Updated 12/20/2002 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br>
<br>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
</p>
<br>
<br>
</body>

View File

@ -30,30 +30,41 @@
<p><b>I strongly urge you to read and print a copy of the <a
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
for the configuration that most closely matches your own.</b></p>
for the configuration that most closely matches your own.<br>
</b></p>
<p>The entire set of Shorewall documentation is available in PDF format at:</p>
<p>    <a href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
    <a href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>
</p>
<p>The documentation in HTML format is included in the .rpm and in the .tgz
packages below.</p>
<p> Once you've done that, download <u> one</u> of the modules:</p>
<ul>
<li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>, <b>
Linux PPC</b> or <b> TurboLinux</b> distribution with a
2.4 kernel, you can use the RPM version (note: the RPM should
also work with other distributions that store init scripts
in /etc/init.d and that include chkconfig or insserv). If you
find that it works in other cases, let <a
Linux PPC</b> or <b> TurboLinux</b> distribution with
a 2.4 kernel, you can use the RPM version (note: the RPM
should also work with other distributions that store init
scripts in /etc/init.d and that include chkconfig or insserv).
If you find that it works in other cases, let <a
href="mailto:teastep@shorewall.net"> me</a> know so that
I can mention them here. See the <a href="Install.htm">Installation Instructions</a>
if you have problems installing the RPM.</li>
<li>If you are running LRP, download the .lrp file (you might
also want to download the .tgz so you will have a copy of the documentation).</li>
<li>If you run <a href="http://www.debian.org"><b>Debian</b></a>
and would like a .deb package, Shorewall is in both the <a
href="http://packages.debian.org/testing/net/shorewall.html">Debian
and would like a .deb package, Shorewall is included in both the
<a href="http://packages.debian.org/testing/net/shorewall.html">Debian
Testing Branch</a> and the <a
href="http://packages.debian.org/unstable/net/shorewall.html">Debian
Unstable Branch</a>.</li>
<li>Otherwise, download the <i>shorewall</i> module
(.tgz)</li>
<li>Otherwise, download the <i>shorewall</i>
module (.tgz)</li>
</ul>
@ -66,10 +77,10 @@ Testing Branch</a> and the <a
<ul>
<li>RPM - "rpm -qip LATEST.rpm"</li>
<li>TARBALL - "tar -ztf LATEST.tgz" (the directory name will
contain the version)</li>
<li>LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar -zxf
&lt;downloaded .lrp&gt;; cat var/lib/lrpkg/shorwall.version" </li>
<li>TARBALL - "tar -ztf LATEST.tgz" (the directory name
will contain the version)</li>
<li>LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar
-zxf &lt;downloaded .lrp&gt;; cat var/lib/lrpkg/shorwall.version" </li>
</ul>
@ -84,8 +95,9 @@ Testing Branch</a> and the <a
configuration of your firewall, you can enable startup by removing the
file /etc/shorewall/startup_disabled.</b></font></p>
<p><b>Download Latest Version</b> (<b>1.3.10</b>): <b>Remember that updates
to the mirrors occur 1-12 hours after an update to the primary site.</b></p>
<p><b>Download Latest Version</b> (<b>1.3.12</b>): <b>Remember that updates
to the mirrors occur 1-12 hours after an update to the Washington
State site.</b></p>
<blockquote>
<table border="2" cellspacing="3" cellpadding="3"
@ -221,13 +233,14 @@ to the mirrors occur 1-12 hours after an update to the primary site.</b></p>
<tr>
<td>Paris, France</td>
<td>Shorewall.net</td>
<td><a href="http://france.shorewall.net/pub/LATEST.rpm">Download
.rpm</a><br>
<a href="http://france.shorewall.net/pub/LATEST.tgz">Download
.tgz</a> <br>
<a href="http://france.shorewall.net/pub/LATEST.lrp">Download
.lrp</a><br>
<a href="http://france.shorewall.net/pub/LATEST.md5sums">Download
<td><a
href="http://france.shorewall.net/pub/LATEST.rpm">Download .rpm</a><br>
<a
href="http://france.shorewall.net/pub/LATEST.tgz">Download .tgz</a> <br>
<a
href="http://france.shorewall.net/pub/LATEST.lrp">Download .lrp</a><br>
<a
href="http://france.shorewall.net/pub/LATEST.md5sums">Download
.md5sums</a></td>
<td> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.rpm">Download
@ -274,28 +287,11 @@ to the mirrors occur 1-12 hours after an update to the primary site.</b></p>
</td>
</tr>
</tbody>
</table>
</blockquote>
<p align="left"><b>Documentation in PDF format:</b><br>
</p>
<blockquote>
<p>Juraj Ontkanin has produced a Portable Document Format (PDF) file containing
the Shorewall 1.3.10 documenation (the documentation in HTML format is included
in the .rpm and in the .tgz). The .pdf may be downloaded from</p>
</blockquote>
<blockquote>
<blockquote><a
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/"
target="_self">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><a
href="http://slovakia.shorewall.net/pub/shorewall/pdf/"><br>
http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
</blockquote>
</blockquote>
<p><b>Browse Download Sites:</b></p>
<blockquote>
@ -334,7 +330,8 @@ in the .rpm and in the .tgz). The .pdf may be downloaded from</p>
<tr>
<td>Hamburg, Germany</td>
<td>Shorewall.net</td>
<td><a href="http://germany.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a
href="http://germany.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall">Browse</a></td>
</tr>
@ -357,11 +354,13 @@ in the .rpm and in the .tgz). The .pdf may be downloaded from</p>
<tr>
<td>Washington State, USA</td>
<td>Shorewall.net</td>
<td><a href="http://www.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a
href="http://www.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a href="ftp://ftp.shorewall.net/pub/shorewall/"
target="_blank">Browse</a></td>
</tr>
</tbody>
</table>
</blockquote>
@ -377,19 +376,12 @@ in the .rpm and in the .tgz). The .pdf may be downloaded from</p>
</p>
</blockquote>
<p align="left"><b></b><font size="2">Last Updated 11/11/2002 - <a
<p align="left"><font size="2">Last Updated 12/12/2002 - <a
href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
</p>
<br>
</body>
</html>

View File

@ -6,6 +6,7 @@
content="text/html; charset=windows-1252">
<title>Shorewall 1.3 Errata</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
@ -32,6 +33,7 @@
<ol>
<li>
<p align="left"> <b><u>I</u>f you use a Windows system to download
a corrected script, be sure to run the script through <u>
<a href="http://www.megaloman.com/%7Ehany/software/hd2u/"
@ -39,21 +41,24 @@
it to your Linux system.</b></p>
</li>
<li>
<p align="left"> <b>If you are installing Shorewall for the
first time and plan to use the .tgz and install.sh script, you can
untar the archive, replace the 'firewall' script in the untarred directory
with the one you downloaded below, and then run install.sh.</b></p>
</li>
<li>
<p align="left"> <b>When the instructions say to install a corrected
firewall script in /etc/shorewall/firewall, /usr/lib/shorewall/firewall
or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to overwrite
the existing file. DO NOT REMOVE OR RENAME THE OLD /etc/shorewall/firewall
or /var/lib/shorewall/firewall before you do that. /etc/shorewall/firewall
and /var/lib/shorewall/firewall are symbolic links that point
to the 'shorewall' file used by your system initialization scripts
to start Shorewall during boot. It is that file that must be overwritten
with the corrected script.</b></p>
or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to
overwrite the existing file. DO NOT REMOVE OR RENAME THE OLD
/etc/shorewall/firewall or /var/lib/shorewall/firewall before
you do that. /etc/shorewall/firewall and /var/lib/shorewall/firewall
are symbolic links that point to the 'shorewall' file used by your
system initialization scripts to start Shorewall during boot.
It is that file that must be overwritten with the corrected
script.</b></p>
</li>
<li>
<p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
@ -66,19 +71,20 @@ example, do NOT install the 1.3.9a firewall script if you are running 1.3.7c.</
<ul>
<li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
<li> <b><a href="#V1.3">Problems in
Version 1.3</a></b></li>
<li> <b><a href="errata_2.htm">Problems
in Version 1.2</a></b></li>
<li> <b><font color="#660066"> <a
href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
<li> <b><a href="#V1.3">Problems
in Version 1.3</a></b></li>
<li> <b><a
href="errata_2.htm">Problems in Version 1.2</a></b></li>
<li> <b><font color="#660066">
<a href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
<li> <b><font color="#660066"><a
href="#iptables"> Problem with iptables version 1.2.3 on RH7.2</a></font></b></li>
<li> <b><a href="#Debug">Problems
with kernels &gt;= 2.4.18 and RedHat iptables</a></b></li>
<li><b><a href="#SuSE">Problems installing/upgrading RPM on SuSE</a></b></li>
<li><b><a href="#Multiport">Problems with iptables version 1.2.7
and MULTIPORT=Yes</a></b></li>
<li><b><a href="#SuSE">Problems installing/upgrading RPM
on SuSE</a></b></li>
<li><b><a href="#Multiport">Problems with iptables version
1.2.7 and MULTIPORT=Yes</a></b></li>
<li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10 and NAT</a></b><br>
</li>
@ -87,11 +93,44 @@ with kernels &gt;= 2.4.18 and RedHat iptables</a></b></li>
<hr>
<h2 align="left"><a name="V1.3"></a>Problems in Version 1.3</h2>
<h3>Version 1.3.11a</h3>
<ul>
<li><a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.11/rfc1918">This
copy of /etc/shorewall/rfc1918</a> reflects the recent allocation of 82.0.0.0/8.<br>
</li>
</ul>
<h3>Version 1.3.11</h3>
<ul>
<li>When installing/upgrading using the .rpm, you may receive the following
warnings:<br>
<br>
     user teastep does not exist - using root<br>
     group teastep does not exist - using root<br>
<br>
These warnings are harmless and may be ignored. Users downloading the
.rpm from shorewall.net or mirrors should no longer see these warnings as
the .rpm you will get from there has been corrected.</li>
<li>DNAT rules that exclude a source subzone (SOURCE column contains
! followed by a sub-zone list) result in an error message and Shorewall
fails to start.<br>
<br>
Install <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.11/firewall">this
corrected script</a> in /usr/lib/shorewall/firewall to correct this problem.
Thanks go to Roger Aich who analyzed this problem and provided a fix.<br>
<br>
This problem is corrected in version 1.3.11a.<br>
</li>
</ul>
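Review bot: the new 1.3.11a entry links an updated /etc/shorewall/rfc1918 that "reflects the recent allocation of 82.0.0.0/8" but, unlike the other entries in this file (which name /usr/lib/shorewall/firewall explicitly), does not say where to install the file, which users it affects (those using the norfc1918 interface option), or what happens if it is left as is; suggest adding all three so that an affected administrator can tell whether the entry applies to them. The entry also carries a stray `<br>` inside its `<li>`, while the 1.3.11 entries below it do not.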
<h3>Version 1.3.10</h3>
<ul>
<li>If you experience problems connecting to a PPTP server running on
your firewall and you have a 'pptpserver' entry in /etc/shorewall/tunnels,
<li>If you experience problems connecting to a PPTP server running
on your firewall and you have a 'pptpserver' entry in /etc/shorewall/tunnels,
<a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.10/firewall">this
version of the firewall script</a> may help. Please report any cases where
@ -106,8 +145,8 @@ is the real script now and not just a symbolic link to the real script.<br>
<h3>Version 1.3.9a</h3>
<ul>
<li> If entries are used in /etc/shorewall/hosts and MERGE_HOSTS=No then
the following message appears during "shorewall [re]start":</li>
<li> If entries are used in /etc/shorewall/hosts and MERGE_HOSTS=No
then the following message appears during "shorewall [re]start":</li>
</ul>
@ -116,8 +155,8 @@ is the real script now and not just a symbolic link to the real script.<br>
<blockquote> The updated firewall script at <a
href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
corrects this problem.Copy the script to /usr/lib/shorewall/firewall as described
above.<br>
corrects this problem.Copy the script to /usr/lib/shorewall/firewall as
described above.<br>
</blockquote>
<blockquote> Alternatively, edit /usr/lob/shorewall/firewall and change the
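Review bot: the reflowed blockquote keeps "corrects this problem.Copy the script" with no space after the period; since the line is being rewritten anyway, add the space. The trailing context line `Alternatively, edit /usr/lob/shorewall/firewall and change the` has a typo in the path ("lob" should be "lib"), which matters here because it is a path the reader is told to open and edit.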
@ -126,10 +165,10 @@ is the real script now and not just a symbolic link to the real script.<br>
</blockquote>
<ul>
<li>The installer (install.sh) issues a misleading message "Common functions
installed in /var/lib/shorewall/functions" whereas the file is installed
in /usr/lib/shorewall/functions. The installer also performs incorrectly
when updating old configurations that had the file /etc/shorewall/functions.
<li>The installer (install.sh) issues a misleading message "Common
functions installed in /var/lib/shorewall/functions" whereas the file
is installed in /usr/lib/shorewall/functions. The installer also performs
incorrectly when updating old configurations that had the file /etc/shorewall/functions.
<a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.3.9/install.sh">Here
is an updated version that corrects these problems.<br>
@ -148,8 +187,8 @@ when updating old configurations that had the file /etc/shorewall/functions.
<ul>
<li> Use of shell variables in the LOG LEVEL or SYNPARMS columns
of the policy file doesn't work.</li>
<li>A DNAT rule with the same original and new IP addresses but
with different port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24
<li>A DNAT rule with the same original and new IP addresses
but with different port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24
tcp 25 - 10.1.1.1")<br>
</li>
@ -190,15 +229,15 @@ tcp 25 - 10.1.1.1")<br>
has two problems:</p>
<ol>
<li>If the firewall is running a
DHCP server, the client won't be able
to obtain an IP address lease from that
server.</li>
<li>If the firewall is running
a DHCP server, the client won't be able
to obtain an IP address lease from
that server.</li>
<li>With this order of checking,
the "dhcp" option cannot be used as a
noise-reduction measure where there are
both dynamic and static clients on a LAN
segment.</li>
the "dhcp" option cannot be used as
a noise-reduction measure where there
are both dynamic and static clients on
a LAN segment.</li>
</ol>
@ -229,8 +268,8 @@ segment.</li>
<li>
<p align="left">If ADD_SNAT_ALIASES=Yes is specified in /etc/shorewall/shorewall.conf,
an error occurs when the firewall script attempts to add an
SNAT alias. </p>
an error occurs when the firewall script attempts to add
an SNAT alias. </p>
</li>
<li>
@ -277,8 +316,8 @@ segment.</li>
<div align="left">
<p align="left">That capability was lost in version 1.3.4 so that it is only
possible to  include a single host specification on each line. This
problem is corrected by <a
possible to  include a single host specification on each line.
This problem is corrected by <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.5a/firewall">this
modified 1.3.5a firewall script</a>. Install the script in /var/lib/pub/shorewall/firewall
as instructed above.</p>
@ -324,11 +363,11 @@ message in this case.</p>
version has a size of 38126 bytes.</p>
<ul>
<li>The code to detect a duplicate interface entry in
/etc/shorewall/interfaces contained a typo that prevented it
from working correctly. </li>
<li>"NAT_BEFORE_RULES=No" was broken; it behaved just
like "NAT_BEFORE_RULES=Yes".</li>
<li>The code to detect a duplicate interface entry
in /etc/shorewall/interfaces contained a typo that prevented
it from working correctly. </li>
<li>"NAT_BEFORE_RULES=No" was broken; it behaved
just like "NAT_BEFORE_RULES=Yes".</li>
</ul>
@ -352,8 +391,8 @@ from working correctly. </li>
<ul>
<li>TCP SYN packets may be double counted when
LIMIT:BURST is included in a CONTINUE or ACCEPT policy (i.e., each
packet is sent through the limit chain twice).</li>
LIMIT:BURST is included in a CONTINUE or ACCEPT policy (i.e.,
each packet is sent through the limit chain twice).</li>
<li>An unnecessary jump to the policy chain is sometimes
generated for a CONTINUE policy.</li>
<li>When an option is given for more than one interface
@ -365,15 +404,15 @@ option. For example:<br>
loc    eth1    dhcp<br>
<br>
Shorewall will ignore the 'dhcp' on eth1.</li>
<li>Update 17 June 2002 - The bug described in the prior
bullet affects the following options: dhcp, dropunclean, logunclean,
norfc1918, routefilter, multi, filterping and noping. An
additional bug has been found that affects only the 'routestopped'
option.<br>
<li>Update 17 June 2002 - The bug described in the
prior bullet affects the following options: dhcp, dropunclean,
logunclean, norfc1918, routefilter, multi, filterping and
noping. An additional bug has been found that affects only
the 'routestopped' option.<br>
<br>
Users who downloaded the corrected script prior to 1850
GMT today should download and install the corrected script
again to ensure that this second problem is corrected.</li>
Users who downloaded the corrected script prior
to 1850 GMT today should download and install the corrected
script again to ensure that this second problem is corrected.</li>
</ul>
@ -385,10 +424,10 @@ option.<br>
<h3 align="left">Version 1.3.0</h3>
<ul>
<li>Folks who downloaded 1.3.0 from the links on the
download page before 23:40 GMT, 29 May 2002 may have downloaded
1.2.13 rather than 1.3.0. The "shorewall version" command
will tell you which version that you have installed.</li>
<li>Folks who downloaded 1.3.0 from the links on
the download page before 23:40 GMT, 29 May 2002 may have
downloaded 1.2.13 rather than 1.3.0. The "shorewall version"
command will tell you which version that you have installed.</li>
<li>The documentation NAT.htm file uses non-existent
wallpaper and bullet graphic files. The <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.0/NAT.htm">
@ -408,8 +447,8 @@ will tell you which version that you have installed.</li>
<blockquote>
<p align="left">There are a couple of serious bugs in iptables 1.2.3 that
prevent it from working with Shorewall. Regrettably, RedHat released
this buggy iptables in RedHat 7.2. </p>
prevent it from working with Shorewall. Regrettably, RedHat
released this buggy iptables in RedHat 7.2. </p>
<p align="left"> I have built a <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
@ -417,8 +456,8 @@ will tell you which version that you have installed.</li>
built an <a
href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
iptables-1.2.4 rpm which you can download here</a>. If you are currently
running RedHat 7.1, you can install either of these RPMs <b><u>before</u>
</b>you upgrade to RedHat 7.2.</p>
running RedHat 7.1, you can install either of these RPMs
<b><u>before</u> </b>you upgrade to RedHat 7.2.</p>
<p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat
has released an iptables-1.2.4 RPM of their own which you can download
@ -451,6 +490,7 @@ iptables-1.2.4 rpm which you can download here</a>. If you are currently
may experience the following:</p>
<blockquote>
<pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre>
</blockquote>
@ -459,9 +499,9 @@ iptables-1.2.4 rpm which you can download here</a>. If you are currently
the Netfilter 'mangle' table. You can correct the problem by installing
<a
href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
this iptables RPM</a>. If you are already running a 1.2.5 version of
iptables, you will need to specify the --oldpackage option to rpm (e.g.,
"iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
this iptables RPM</a>. If you are already running a 1.2.5 version
of iptables, you will need to specify the --oldpackage option to rpm
(e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
</blockquote>
@ -508,22 +548,17 @@ iptables-1.2.4 rpm which you can download here</a>. If you are currently
Error message is:<br>
<pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
The solution is to put "no" in the LOCAL column. Kernel support for LOCAL=yes
has never worked properly and 2.4.18-10 has disabled it. The 2.4.19 kernel
contains corrected support under a new kernel configuraiton option; see
<a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
The solution is to put "no" in the LOCAL column. Kernel support for
LOCAL=yes has never worked properly and 2.4.18-10 has disabled it. The
2.4.19 kernel contains corrected support under a new kernel configuraiton
option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
<p><font size="2"> Last updated 11/24/2002 -
<p><font size="2"> Last updated 12/3/2002 -
<a href="support.htm">Tom Eastep</a></font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br>
<br>
<br>
<br>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
</p>
<br>
<br>
<br>
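Review bot: the reflowed sentence "The 2.4.19 kernel contains corrected support under a new kernel configuraiton option" carries the typo "configuraiton" over from the removed lines; since this paragraph is being rewritten anyway, correct it to "configuration". The remainder of the hunk only reflows the LOCAL=yes paragraph, moves the "Last updated" date to 12/3/2002 and trims trailing <br> tags, which is fine.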


@ -33,10 +33,18 @@
</a><a href="http://www.postfix.org/"> <img
src="images/small-picture.gif" align="right" border="0" width="115"
height="45">
</a><font color="#ffffff">Shorewall Mailing Lists</font></h1>
</a><font color="#ffffff">Shorewall Mailing Lists<a
href="http://www.inter7.com/courierimap/"><img
src="images/courier-imap.png" alt="Courier-Imap" width="100"
height="38" align="right">
</a></font></h1>
<p align="right"><font color="#ffffff"><b><br>
Powered by Postfix      </b></font> </p>
</b></font></p>
<p align="right"><font color="#ffffff"><b><br>
Powered by Postfix     </b></font> </p>
</td>
</tr>
@ -71,10 +79,27 @@ Powered by Postfix
<li>to ensure that the sender address is fully qualified.</li>
<li>to verify that the sender's domain has an A or MX record in DNS.</li>
<li>to ensure that the host name in the HELO/EHLO command is a valid
fully-qualified DNS name.<br>
</li>
fully-qualified DNS name.</li>
</ol>
<h2>Please post in plain text</h2>
While the list server here at shorewall.net accepts and distributes HTML
posts, a growing number of MTAs serving list subscribers are rejecting this
HTML list traffic. At least one MTA has gone so far as to blacklist shorewall.net
"for continuous abuse"!!<br>
<br>
I think that blocking all HTML is a rather draconian way to control spam
and that the unltimate loser here is not the spammers but the list subscribers
whose MTAs are bouncing all shorewall.net mail. Nevertheless, all of you
can help by restricting your list posts to plain text.<br>
<br>
And as a bonus, subscribers who use email clients like pine and mutt will
be able to read your plain text posts whereas they are most likely simply
ignoring your HTML posts.<br>
<br>
A final bonus for the use of HTML is that it cuts down the size of messages
by a large percentage -- that is important when the same message must be
sent 500 times over the slow DSL line connecting the list server to the internet.<br>
<h2></h2>
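Review bot: in the new "Please post in plain text" section, "the unltimate loser" should read "the ultimate loser", and the closing paragraph states the opposite of what it argues: "A final bonus for the use of HTML is that it cuts down the size of messages" should be "A final bonus of plain text is that it cuts down the size of messages", since the point being made is that plain-text posts are smaller. The empty <h2></h2> left as context at the end of the section could also be dropped while this area is being edited.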
@ -110,14 +135,19 @@ fully-qualified DNS name.<br>
type="submit" value="Search"> </p>
</form>
<h2 align="left"><font color="#ff0000">Please do not try to download the entire
Archive -- its 75MB (and growing daily) and my slow DSL line simply won't
stand the traffic. If I catch you, you'll be blacklisted.<br>
</font></h2>
<h2 align="left">Shorewall CA Certificate</h2>
If you want to trust X.509 certificates issued by Shoreline Firewall
(such as the one used on my web site), you may <a
href="Shorewall_CA_html.html">download and install my CA certificate</a>
in your browser. If you don't wish to trust my certificates then you can
either use unencrypted access when subscribing to Shorewall mailing lists
or you can use secure access (SSL) and accept the server's certificate when
prompted by your browser.<br>
in your browser. If you don't wish to trust my certificates then you
can either use unencrypted access when subscribing to Shorewall mailing
lists or you can use secure access (SSL) and accept the server's certificate
when prompted by your browser.<br>
<h2 align="left">Shorewall Users Mailing List</h2>
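Review bot: the new archive warning reads "its 75MB"; it should be "it's 75MB". More importantly, the reflowed "Shorewall CA Certificate" paragraph asks readers to "download and install my CA certificate" in their browser without saying how to check what they downloaded: a browser that trusts this CA will accept any certificate it issues for any site, so the page should publish the CA certificate's fingerprint (or point to where it is published through a channel other than the download itself) so readers can verify it before trusting it, and should note that the alternative it already offers, accepting the server's certificate when prompted, trusts only that one certificate rather than everything the CA signs.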
@ -187,10 +217,10 @@ list may be found at <a
</li>
<li>
<p align="left">Down at the bottom of that page is the following text:
"To change your subscription (set options like digest and delivery modes,
get a reminder of your password, <b>or unsubscribe</b> from &lt;name
of list&gt;), enter your subscription email address:". Enter your email
address in the box and click on the "Edit Options" button.</p>
"To change your subscription (set options like digest and delivery
modes, get a reminder of your password, <b>or unsubscribe</b> from
&lt;name of list&gt;), enter your subscription email address:". Enter
your email address in the box and click on the "Edit Options" button.</p>
</li>
<li>
<p align="left">There will now be a box where you can enter your password
@ -205,17 +235,12 @@ address in the box and click on the "Edit Options" button.</p>
<p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p>
<p align="left"><font size="2">Last updated 11/22/2002 - <a
<p align="left"><font size="2">Last updated 12/27/2002 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br>
<br>
<br>
<br>
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
</p>
<br>
</body>
</html>


@ -33,11 +33,11 @@
<blockquote>
<div align="left">
<pre>2020ca - delivery to this domain has been disabled (cause unknown)<br>arosy.de - delivery to this domain has been disabled (Relay access denied)<br>arundel.homelinux.org - delivery to this domain has been disabled (connection timed out, connection refused)<br>asurfer.com - (Mailbox full)<br>bol.com.br - delivery to this domain has been disabled (Mailbox Full)<br>cuscominc.com - delivery to this domain has been disabled (bouncing mail from all sources with "Mail rejected because the server you are sending to is misconfigured").<br>excite.com - delivery to this domain has been disabled (cause unknown)<br>epacificglobal.com - delivery to this domain has been disabled (no MX record for domain)<br>freefish.dyndns.org - delivery to this domain has been disabled (Name Server Problem -- Host not found)<br>gmx.net - delivery to this domain has been disabled (cause unknown)<br>hotmail.com - delivery to this domain has been disabled (Mailbox over quota)<br>intercom.net - delivery to this domain has been disabled (cause unknown)<br>ionsphere.org - (connection timed out)<br>initialcs.com - delivery to this domain has been disabled (cause unknown)<br>intelligents.2y.net - delivery to this domain has been disabled (Name Service Problem -- Host not Found).<br>khp-inc.com - delivery to this domain has been disabled (anti-virus problems)<br>kieninger.de - delivery to this domain has been disabled (relaying to &lt;xxxxx@kieninger.de&gt; prohibited by administrator)<br>lariera.com - delivery to this domain has been disabled (Unknown User)<br>littleblue.de - (connection timed out)<br>mfocus.com.my - delivery to this domain has been disabled (MTA at mailx.mfocus.com.my not delivering and not giving a reason)<br>navair.navy.mil - delivery to this domain has been disabled (A restriction in the system prevented delivery of the message)<br>opermail.net - delivery to this domain has been disabled (cause unknown)<br>opus.homeip.net - (SpamAssassin is missing the HiRes Time 
module)<br>penquindevelopment.com - delivery to this domain has been disabled (connection timed out)<br>scip-online.de - delivery to this domain has been disabled (cause unknown)<br>spctnet.com - connection timed out - delivery to this domain has been disabled<br>telusplanet.net - delivery to this domain has been disabled (cause unknown)<br>yahoo.com - delivery to this domain has been disabled (Mailbox over quota)</pre>
<pre>2020ca - delivery to this domain has been disabled (cause unknown)<br>arosy.de - delivery to this domain has been disabled (Relay access denied)<br>arundel.homelinux.org - delivery to this domain has been disabled (connection timed out, connection refused)<br>asurfer.com - (Mailbox full)<br>bol.com.br - delivery to this domain has been disabled (Mailbox Full)<br>cuscominc.com - delivery to this domain has been disabled (bouncing mail from all sources with "Mail rejected because the server you are sending to is misconfigured").<br>cvnet.psi.br - (DNS configuration error -- MX is cvn-srv1.cvnet.psi.br.cvnet.psi.br)<br>datakota.com - (DNS Timeouts)<br>excite.com - delivery to this domain has been disabled (cause unknown)<br>epacificglobal.com - delivery to this domain has been disabled (no MX record for domain)<br>freefish.dyndns.org - delivery to this domain has been disabled (Name Server Problem -- Host not found)<br>gmx.net - delivery to this domain has been disabled (cause unknown)<br>hotmail.com - delivery to this domain has been disabled (Mailbox over quota)<br>intercom.net - delivery to this domain has been disabled (cause unknown)<br>nitialcs.com - delivery to this domain has been disabled (cause unknown)<br>intelligents.2y.net - delivery to this domain has been disabled (Name Service Problem -- Host not Found).<br>khp-inc.com - delivery to this domain has been disabled (anti-virus problems)<br>kieninger.de - delivery to this domain has been disabled (relaying to &lt;xxxxx@kieninger.de&gt; prohibited by administrator)<br>lariera.com - delivery to this domain has been disabled (Unknown User)<br>mfocus.com.my - delivery to this domain has been disabled (MTA at mailx.mfocus.com.my not delivering and not giving a reason)<br>navair.navy.mil - delivery to this domain has been disabled (A restriction in the system prevented delivery of the message)<br>opermail.net - delivery to this domain has been disabled (cause unknown)<br>penquindevelopment.com - delivery to 
this domain has been disabled (connection timed out)<br>scip-online.de - delivery to this domain has been disabled (cause unknown)<br>spctnet.com - connection timed out - delivery to this domain has been disabled<br>telusplanet.net - delivery to this domain has been disabled (cause unknown)<br>the-techy.com - delivery to this domain has been disabled (clueless administrator - continuous DNS problems) <br>yahoo.com - delivery to this domain has been disabled (Mailbox over quota)</pre>
</div>
</blockquote>
<p align="left"><font size="2">Last updated 11/24/2002 18:44 GMT - <a
<p align="left"><font size="2">Last updated 12/17/2002 02:51 GMT - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"> <font face="Trebuchet MS"> <font
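Review bot: the new <pre> drops the leading "i" from one entry: the removed line reads "initialcs.com - delivery to this domain has been disabled (cause unknown)" while the added line reads "nitialcs.com - delivery to this domain has been disabled (cause unknown)", so that domain name is now wrong and should be restored to "initialcs.com". The other differences (adding cvnet.psi.br, datakota.com and the-techy.com, removing ionsphere.org, littleblue.de and opus.homeip.net, and the new "Last updated 12/17/2002 02:51 GMT" stamp) look intentional.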
@ -53,5 +53,8 @@
<br>
<br>
<br>
<br>
<br>
<br>
</body>
</html>

Shorewall-docs/ping.html Normal file

@ -0,0 +1,90 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>ICMP Echo-request (Ping)</title>
<meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">ICMP Echo-request (Ping)</font></h1>
</td>
</tr>
</tbody>
</table>
<br>
Shorewall 'Ping' management has evolved over time in a less than consistant
way. This page describes how it now works.<br>
<br>
There are several aspects to Shorewall Ping management:<br>
<ol>
<li>The <b>noping</b> and <b>filterping </b>interface options in <a
href="file:///home/teastep/Shorewall-docs/Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
<li>The <b>FORWARDPING</b> option in<a
href="file:///home/teastep/Shorewall-docs/Documentation.htm#Conf"> /etc/shorewall/shorewall.conf</a>.</li>
<li>Explicit rules in <a
href="file:///home/teastep/Shorewall-docs/Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
</ol>
There are two cases to consider:<br>
<ol>
<li>Ping requests addressed to the firewall itself; and</li>
<li>Ping requests being forwarded to another system. Included here are
all cases of packet forwarding including NAT, DNAT rule, Proxy ARP and simple
routing.</li>
</ol>
These cases will be covered separately.<br>
<h2>Ping Requests Addressed to the Firewall Itself</h2>
For ping requests addressed to the firewall, the sequence is as follows:<br>
<ol>
<li>If neither <b>noping</b> nor <b>filterping </b>are specified for the
interface that receives the ping request then the request will be responded
to with an ICMP echo-reply.</li>
<li>If <b>noping</b> is specified for the interface that receives the ping
request then the request is ignored.</li>
<li>If <b>filterping </b>is specified for the interface then the request
is passed to the rules/policy evaluation.</li>
</ol>
<h2>Ping Requests Forwarded by the Firewall</h2>
These requests are <b>always</b> passed to rules/policy evaluation.<br>
<h2>Rules Evaluation</h2>
Ping requests are ICMP type 8. So the general rule format is:<br>
<br>
&nbsp;&nbsp;&nbsp; <i>Target&nbsp;&nbsp;&nbsp; Source&nbsp;&nbsp;&nbsp; Destination&nbsp;&nbsp;&nbsp;
</i>icmp&nbsp;&nbsp;&nbsp; 8<br>
<br>
Example 1. Accept pings from the net to the dmz (pings are responded to with
an ICMP echo-reply):<br>
<br>
&nbsp;&nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; dmz&nbsp;&nbsp;&nbsp;
icmp&nbsp;&nbsp;&nbsp; 8<br>
<br>
Example 2. Drop pings from the net to the firewall<br>
<br>
&nbsp;&nbsp;&nbsp; DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;
icmp&nbsp;&nbsp;&nbsp; 8<br>
<h2>Policy Evaluation</h2>
If no applicable rule is found, then the policy for the source to the destination
is applied.<br>
<ol>
<li>If the relevant policy is ACCEPT then the request is responded to with
an ICMP echo-reply.</li>
<li>If <b>FORWARDPING</b> is set to Yes in /etc/shorewall/shorewall.conf
then the request is responded to with an ICMP echo-reply.</li>
<li>Otherwise, the relevant REJECT or DROP policy is used and the request
is either rejected or simply ignored.</li>
</ol>
<p><font size="2">Updated 12/13/2002 - <a
href="file:///home/teastep/Shorewall-docs/support.htm">Tom Eastep</a> </font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
&copy; <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
</body>
</html>
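Review bot: the four links in this new page use absolute local paths (href="file:///home/teastep/Shorewall-docs/Documentation.htm#Interfaces", the same prefix for "#Conf" and "#Rules", and href="file:///home/teastep/Shorewall-docs/support.htm"); they resolve only on the author's machine and will be dead links once the page is published. Use the relative form the rest of the site uses, e.g. href="Documentation.htm#Interfaces" and href="support.htm". Two smaller points: "in a less than consistant way" should be "consistent", and in the "Policy Evaluation" list item 2 (FORWARDPING) sits between the ACCEPT and REJECT/DROP cases without saying whether it applies to pings addressed to the firewall that reached policy evaluation through filterping or only to forwarded pings; one sentence settling that would make the page easier to apply.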


@ -11,6 +11,7 @@
<base target="_self">
</head>
<body>
@ -20,10 +21,13 @@
<table border="0" cellpadding="0" cellspacing="4"
style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c">
<tbody>
<tr>
<td
width="100%" height="90">
<td width="100%" height="90">
@ -33,9 +37,10 @@
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4"
alt="Shorwall Logo" height="70" width="85" align="left"
src="images/washington.jpg" border="0">
</a></i></font><font
color="#ffffff">Shorewall 1.3 - <font size="4">"<i>iptables
made easy"</i></font></font></h1>
</a></i></font><font color="#ffffff">Shorewall 1.3 -
<font size="4">"<i>iptables made easy"</i></font></font></h1>
@ -47,12 +52,16 @@
color="#ffffff">Shorewall 1.2 Site here</font></a><br>
</div>
<br>
</td>
</tr>
</tbody>
</table>
@ -60,12 +69,16 @@
<div align="center">
<center>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody>
<tr>
<td
width="90%">
<td width="90%">
@ -79,9 +92,11 @@
<p>The Shoreline Firewall, more commonly known as "Shorewall", is a
<a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
that can be used on a dedicated firewall system, a multi-function
<p>The Shoreline Firewall, more commonly known as "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
firewall that can be used on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system.</p>
@ -90,22 +105,29 @@
<p>This program is free software; you can redistribute it and/or modify
it under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU General
Public License</a> as published by the Free Software Foundation.<br>
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
General Public License</a> as published by the Free Software Foundation.<br>
<br>
This program
is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty
of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
See the GNU General Public License for more details.<br>
This program is distributed in the hope that it
will be useful, but WITHOUT ANY WARRANTY; without
even the implied warranty of MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE. See the GNU General Public
License for more details.<br>
<br>
You should
have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139,
USA</p>
You should have received a copy of the GNU General
Public License along with this program; if not,
write to the Free Software Foundation, Inc., 675
Mass Ave, Cambridge, MA 02139, USA</p>
@ -121,22 +143,28 @@ Public License</a> as published by the Free Software Foundation.<br>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques
Nilo and Eric Wolzak have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution called
<i>Bering</i> that features Shorewall-1.3.10 and Kernel-2.4.18.
You can find their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
</a>Jacques Nilo and Eric Wolzak have a LEAF
(router/firewall/gateway on a floppy, CD or compact flash) distribution
called <i>Bering</i> that features Shorewall-1.3.10
and Kernel-2.4.18. You can find their work at:
<a href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
</a></p>
<p><b>Congratulations to Jacques and Eric on the recent release of Bering
1.0 Final!!! </b><br>
<p><b>Congratulations to Jacques and Eric on the recent release of
Bering 1.0 Final!!! </b><br>
</p>
<h2>This is a mirror of the main Shorewall web site at SourceForge (<a
href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
<h2>This is a mirror of the main Shorewall web site at SourceForge
(<a href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
@ -154,256 +182,187 @@ Public License</a> as published by the Free Software Foundation.<br>
<h2></h2>
<p><b>11/24/2002 - Shorewall 1.3.11</b><b> </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
<p><b>12/27/2002 - Shorewall 1.3.12 Released</b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
<p>In this version:</p>
<ul>
<li>A 'tcpflags' option has been added to entries in <a
href="file:///home/teastep/Shorewall-docs/Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
This option causes Shorewall to make a set of sanity check on TCP packet
header flags.</li>
<li>It is now allowed to use 'all' in the SOURCE or DEST column in
a <a href="file:///home/teastep/Shorewall-docs/Documentation.htm#Rules">rule</a>.
When used, 'all' must appear by itself (in may not be qualified) and it does
not enable intra-zone traffic. For example, the rule <br>
<br>
    ACCEPT loc all tcp 80<br>
<br>
does not enable http traffic from 'loc' to 'loc'.</li>
<li>Shorewall's use of the 'echo' command is now compatible with
bash clones such as ash and dash.</li>
<li>fw-&gt;fw policies now generate a startup error. fw-&gt;fw rules
generate a warning and are ignored</li>
</ul>
<p><b>11/14/2002 - Shorewall Documentation in PDF Format</b><b>
</b></p>
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10
documenation. the PDF may be downloaded from</p>
<p>    <a
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
<p> Features include:<br>
</p>
<p><b>11/09/2002 - Shorewall is Back at SourceForge</b><b>
</b></p>
<ol>
<li>"shorewall refresh" now reloads the traffic shaping rules (tcrules
and tcstart).</li>
<li>"shorewall debug [re]start" now turns off debugging after an
error occurs. This places the point of the failure near the end of the
trace rather than up in the middle of it.</li>
<li>"shorewall [re]start" has been speeded up by more than 40% with
my configuration. Your milage may vary.</li>
<li>A "shorewall show classifiers" command has been added which shows
the current packet classification filters. The output from this command
is also added as a separate page in "shorewall monitor"</li>
<li>ULOG (must be all caps) is now accepted as a valid syslog level
and causes the subject packets to be logged using the ULOG target rather
than the LOG target. This allows you to run ulogd (available from <a
href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
and log all Shorewall messages <a
href="configuration_file_basics.htm#Levels">to a separate log file</a>.</li>
<li>If you are running a kernel that has a FORWARD chain in the mangle
table ("shorewall show mangle" will show you the chains in the mangle table),
you can set MARK_IN_FORWARD_CHAIN=Yes in <a
href="Documentation.htm#Conf">shorewall.conf</a>. This allows for marking
input packets based on their destination even when you are using Masquerading
or SNAT.</li>
<li>I have cluttered up the /etc/shorewall directory with empty 'init',
'start', 'stop' and 'stopped' files. If you already have a file with one
of these names, don't worry -- the upgrade process won't overwrite your file.</li>
<li>I have added a new RFC1918_LOG_LEVEL variable to <a
href="Documentation.htm#Conf">shorewall.conf</a>. This variable specifies
the syslog level at which packets are logged as a result of entries in the
/etc/shorewall/rfc1918 file. Previously, these packets were always logged
at the 'info' level.<br>
</li>
</ol>
<p><b>12/20/2002 - Shorewall 1.3.12 Beta 3</b><br>
</p>
This version corrects a problem with Blacklist logging. In Beta 2, if BLACKLIST_LOG_LEVEL
was set to anything but ULOG, the firewall would fail to start and "shorewall
refresh" would also fail.<br>
<p>The main Shorewall web site is now back at SourceForge at <a
href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>.<br>
<p> You may download the Beta from:<br>
</p>
<p><b>11/09/2002 - Shorewall 1.3.10</b><b>
</b></p>
<p>In this version:</p>
<ul>
<li>You may now <a href="IPSEC.htm#Dynamic">define the
contents of a zone dynamically</a> with the <a
href="starting_and_stopping_shorewall.htm">"shorewall add" and "shorewall
delete" commands</a>. These commands are expected to be used primarily
within <a href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a>
updown scripts.</li>
<li>Shorewall can now do<a
href="MAC_Validation.html"> MAC verification</a> on ethernet segments.
You can specify the set of allowed MAC addresses on the segment and
you can optionally tie each MAC address to one or more IP addresses.</li>
<li>PPTP Servers and Clients running on the firewall
system may now be defined in the<a href="PPTP.htm"> /etc/shorewall/tunnels</a>
file.</li>
<li>A new 'ipsecnat' tunnel type is supported for use
when the <a href="IPSEC.htm">remote IPSEC endpoint is behind
a NAT gateway</a>.</li>
<li>The PATH used by Shorewall may now be specified in
<a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
<li>The main firewall script is now /usr/lib/shorewall/firewall.
The script in /etc/init.d/shorewall is very small and uses /sbin/shorewall
to do the real work. This change makes custom distributions such as
for Debian and for Gentoo easier to manage since it is /etc/init.d/shorewall
that tends to have distribution-dependent code.</li>
</ul>
If you have installed the 1.3.10 Beta 1 RPM and are now upgrading
to version 1.3.10, you will need to use the '--force' option:<br>
<blockquote>
<pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm</pre>
<blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
</blockquote>
<p><b>12/20/2002 - Shorewall 1.3.12 Beta 2</b><b>
</b></p>
The first public Beta version of Shorewall 1.3.12 is now available (Beta
1 was made available to a limited audience). <br>
<br>
Features include:<br>
<br>
<p><b>10/24/2002 - Shorewall is now in Gentoo Linux</b><a
href="http://www.gentoo.org"><br>
</a></p>
Alexandru Hartmann reports that his Shorewall package
is now a part of <a href="http://www.gentoo.org">the Gentoo
Linux distribution</a>. Thanks Alex!<br>
<ol>
<li>"shorewall refresh" now reloads the traffic shaping rules
(tcrules and tcstart).</li>
<li>"shorewall debug [re]start" now turns off debugging after
an error occurs. This places the point of the failure near the end of the
trace rather than up in the middle of it.</li>
<li>"shorewall [re]start" has been speeded up by more than 40%
with my configuration. Your milage may vary.</li>
<li>A "shorewall show classifiers" command has been added which
shows the current packet classification filters. The output from this command
is also added as a separate page in "shorewall monitor"</li>
<li>ULOG (must be all caps) is now accepted as a valid syslog
level and causes the subject packets to be logged using the ULOG target
rather than the LOG target. This allows you to run ulogd (available from
<a href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
and log all Shorewall messages <a
href="configuration_file_basics.htm#Levels">to a separate log file</a>.</li>
<li>If you are running a kernel that has a FORWARD chain in
the mangle table ("shorewall show mangle" will show you the chains in the
mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf.
This allows for marking input packets based on their destination even when
you are using Masquerading or SNAT.</li>
<li>I have cluttered up the /etc/shorewall directory with empty
'init', 'start', 'stop' and 'stopped' files. If you already have a file
with one of these names, don't worry -- the upgrade process won't overwrite
your file.</li>
<p><b>10/23/2002 - Shorewall 1.3.10 Beta 1</b><b> </b></p>
In this version:<br>
<ul>
<li>You may now <a href="IPSEC.htm#Dynamic">define
the contents of a zone dynamically</a> with the <a
href="starting_and_stopping_shorewall.htm">"shorewall add" and "shorewall
delete" commands</a>. These commands are expected to be used primarily
within <a href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a>
updown scripts.</li>
<li>Shorewall can now do<a
href="MAC_Validation.html"> MAC verification</a> on ethernet segments.
You can specify the set of allowed MAC addresses on the segment and
you can optionally tie each MAC address to one or more IP addresses.</li>
<li>PPTP Servers and Clients running on the
firewall system may now be defined in the<a href="PPTP.htm"> /etc/shorewall/tunnels</a>
file.</li>
<li>A new 'ipsecnat' tunnel type is supported
for use when the <a href="IPSEC.htm">remote IPSEC endpoint
is behind a NAT gateway</a>.</li>
<li>The PATH used by Shorewall may now be specified
in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
<li>The main firewall script is now /usr/lib/shorewall/firewall.
The script in /etc/init.d/shorewall is very small and uses /sbin/shorewall
to do the real work. This change makes custom distributions such
as for Debian and for Gentoo easier to manage since it is /etc/init.d/shorewall
that tends to have distribution-dependent code.</li>
</ul>
</ol>
You may download the Beta from:<br>
<blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
</blockquote>
<p><b>12/12/2002 - Mandrake Multi Network Firewall <a
href="http://www.mandrakesoft.com"><img src="images/logo2.png"
alt="Powered by Mandrake Linux" width="150" height="21" border="0">
</a></b></p>
Shorewall is at the center of MandrakeSoft's recently-announced <a
href="http://www.mandrakestore.com/mdkinc/index.php?PAGE=tab_0/menu_0.php&amp;id_art=250&amp;LANG_=en#GOTO_250">Multi
Network Firewall (MNF)</a> product. Here is the <a
href="http://www.mandrakesoft.com/company/press/pr?n=/pr/products/2403">press
release</a>.<br>
<p><b>12/7/2002 - Shorewall Support for Mandrake 9.0</b><b>
</b></p>
<ul>
<li><a
href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a></li>
<li><a
href="ftp://ftp.shorewall.net/pub/shorewall/Beta" target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
</li>
<p>Two months and 3 days after I pre-ordered Mandrake 9.0, it was finally
delivered. I have installed 9.0 on one of my systems and I am now in
a position to support Shorewall users who run Mandrake 9.0.</p>
</ul>
<p><b>10/10/2002 -  Debian 1.3.9b Packages Available </b><b>
</b><br>
<p><b>12/6/2002 -  Debian 1.3.11a Packages Available</b><br>
</p>
<p>Apt-get sources listed at <a
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html.</a></p>
<p><b>10/9/2002 - Shorewall 1.3.9b </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
This release rolls up fixes to the installer
and to the firewall script.<br>
<b><br>
10/6/2002 - Shorewall.net now running on RH8.0
</b><b><img border="0" src="images/new10.gif" width="28"
height="12" alt="(New)">
</b><br>
<br>
The firewall and server here at shorewall.net
are now running RedHat release 8.0.<br>
<p><b>9/30/2002 - Shorewall 1.3.9a</b><b>
</b></p>
Roles up the fix for broken tunnels.<br>
<p><b>9/30/2002 - TUNNELS Broken in 1.3.9!!!</b><b>
</b></p>
<img src="images/j0233056.gif"
alt="Brown Paper Bag" width="50" height="86" align="left">
There is an updated firewall script at
<a
href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
-- copy that file to /usr/lib/shorewall/firewall.<br>
<p><b><br>
<p><b>12/3/2002 - Shorewall 1.3.11a</b><b>
</b></p>
<p>This is a bug-fix roll up which includes Roger Aich's fix for DNAT
with excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11 users
who don't need rules of this type need not upgrade to 1.3.11.</p>
<p><b><br>
<p><b>11/25/2002 - Shorewall 1.3.11 Documentation in PDF Format</b><b>
</b></p>
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.11
documenation. the PDF may be downloaded from</p>
<p><b><br>
9/28/2002 - Shorewall 1.3.9 </b><b>
</b></p>
<p>In this version:<br>
<p>    <a
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
</p>
<p><b>11/24/2002 - Shorewall 1.3.11</b><b> </b><b>
</b></p>
<p>In this version:</p>
<ul>
<li><a
href="configuration_file_basics.htm#dnsnames">DNS Names</a> are now
allowed in Shorewall config files (although I recommend against
using them).</li>
<li>The connection SOURCE
may now be qualified by both interface and IP address in
a <a href="Documentation.htm#Rules">Shorewall rule</a>.</li>
<li>Shorewall startup is
now disabled after initial installation until the file
/etc/shorewall/startup_disabled is removed. This avoids nasty
surprises at reboot for users who install Shorewall but don't
configure it.</li>
<li>The 'functions' and 'version'
files and the 'firewall' symbolic link have been moved
from /var/lib/shorewall to /usr/lib/shorewall to appease
the LFS police at Debian.<br>
</li>
<li>A 'tcpflags' option has been added to entries
in <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
This option causes Shorewall to make a set of sanity check on TCP packet
header flags.</li>
<li>It is now allowed to use 'all' in the SOURCE or
DEST column in a <a href="Documentation.htm#Rules">rule</a>. When
used, 'all' must appear by itself (in may not be qualified) and it does
not enable intra-zone traffic. For example, the rule <br>
<br>
    ACCEPT loc all tcp 80<br>
<br>
does not enable http traffic from 'loc' to 'loc'.</li>
<li>Shorewall's use of the 'echo' command is now compatible
with bash clones such as ash and dash.</li>
<li>fw-&gt;fw policies now generate a startup error.
fw-&gt;fw rules generate a warning and are ignored</li>
</ul>
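Review bot: the 1.3.11a entry ("This is a bug-fix roll up ...") tells current 1.3.11 users that they "need not upgrade to 1.3.11", which is circular; it should read "need not upgrade to 1.3.11a". While this hunk is being touched, the surrounding news items carry several spelling slips worth fixing in the same pass: "milage" (mileage), "Roles up the fix" (Rolls up), "documenation" (documentation), "make a set of sanity check" (sanity checks) and "(in may not be qualified)" (it may not be qualified). Also check the list nesting in the rendered page: the 1.3.12 feature list opens with <ol> but its </ol> only appears after the </ul> of the 1.3.10 Beta 1 list, so the two release lists may end up nested rather than sequential.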
@ -411,13 +370,11 @@ the LFS police at Debian.<br>
<p><b></b><a href="News.htm">More News</a></p>
<p><a href="News.htm">More News</a></p>
@ -426,27 +383,34 @@ the LFS police at Debian.<br>
<h2><a name="Donations"></a>Donations</h2>
</td>
<td
width="88" bgcolor="#4b017c" valign="top" align="center"> <a
href="http://sourceforge.net">M</a></td>
<td width="88" bgcolor="#4b017c" valign="top"
align="center"> <a href="http://sourceforge.net">M</a></td>
</tr>
</tbody>
</table>
</center>
</div>
<table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c">
<tbody>
<tr>
<td
width="100%" style="margin-top: 1px;">
<td width="100%" style="margin-top: 1px;">
@ -455,32 +419,38 @@ the LFS police at Debian.<br>
<p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10">
  </a></p>
 
</a></p>
<p align="center"><font size="4" color="#ffffff">Shorewall is free but
if you try it and find it useful, please consider making a donation
to <a href="http://www.starlight.org"><font
color="#ffffff">Starlight Children's Foundation.</font></a> Thanks!</font></p>
<p align="center"><font size="4" color="#ffffff">Shorewall is free
but if you try it and find it useful, please consider making a donation
to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight
Children's Foundation.</font></a> Thanks!</font></p>
</td>
</tr>
</tbody>
</table>
<p><font size="2">Updated 11/24/2002 - <a href="support.htm">Tom Eastep</a></font>
<p><font size="2">Updated 12/27/2002 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
<br>
<br>
<br>
</body>
</html>

View File

@ -37,16 +37,17 @@
</p>
<ul>
<li>Born 1945 in <a href="http://www.experiencewashington.com">Washington
State</a> .</li>
<li>Born 1945 in <a
href="http://www.experiencewashington.com">Washington State</a> .</li>
<li>BA Mathematics from <a href="http://www.wsu.edu">Washington
State University</a> 1967</li>
<li>MA Mathematics from <a href="http://www.washington.edu">University
of Washington</a> 1969</li>
<li>Burroughs Corporation (now <a href="http://www.unisys.com">Unisys</a>
) 1969 - 1980</li>
<li>MA Mathematics from <a
href="http://www.washington.edu">University of Washington</a> 1969</li>
<li>Burroughs Corporation (now <a
href="http://www.unisys.com">Unisys</a> ) 1969 - 1980</li>
<li><a href="http://www.tandem.com">Tandem Computers, Incorporated</a>
(now part of the <a href="http://www.hp.com">The New HP</a>) 1980 - present</li>
(now part of the <a href="http://www.hp.com">The New HP</a>) 1980 -
present</li>
<li>Married 1969 - no children.</li>
</ul>
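Review bot: "(now part of the <a ...>The New HP</a>)" doubles the article ("the The"), and "Washington State</a> ." leaves a space before the period; both are carried over unchanged from the old text and could be cleaned up in this re-wrap.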
@ -56,8 +57,8 @@ State University</a> 1967</li>
<p>I became interested in Internet Security when I established a home office
in 1999 and had DSL service installed in our home. I investigated
ipchains and developed the scripts which are now collectively known as <a
href="http://seawall.sourceforge.net"> Seattle Firewall</a>. Expanding
ipchains and developed the scripts which are now collectively known as
<a href="http://seawall.sourceforge.net"> Seattle Firewall</a>. Expanding
on what I learned from Seattle Firewall, I then designed and wrote
Shorewall. </p>
@ -67,24 +68,26 @@ ipchains and developed the scripts which are now collectively known as <a
<p>Our current home network consists of: </p>
<ul>
<li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &amp; 8GB IDE
HDs and LNE100TX (Tulip) NIC - My personal Windows system. Also has
RedHat 8.0 installed.</li>
<li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip) NIC
- My personal Linux System which runs Samba configured as a WINS server.
This system also has <a href="http://www.vmware.com/">VMware</a> installed
and can run both <a href="http://www.debian.org">Debian Woody</a>
and <a href="http://www.suse.com">SuSE 8.1</a> in virtual machines.</li>
<li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC  - Mail
(Postfix &amp; Courier-IMAP), HTTP (Apache), FTP (Pure_ftpd), DNS server
(Bind).</li>
<li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &amp; 20GB
IDE HDs and LNE100TX (Tulip) NIC - My personal Windows system. Also
has <a href="http://www.mandrakelinux.com">Mandrake</a> 9.0 installed.</li>
<li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip)
NIC - My personal Linux System which runs Samba configured as a WINS
server. This system also has <a href="http://www.vmware.com/">VMware</a>
installed and can run both <a href="http://www.debian.org">Debian
Woody</a> and <a href="http://www.suse.com">SuSE 8.1</a> in virtual
machines.</li>
<li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC  -
Email (Postfix &amp; Courier-IMAP), HTTP (Apache), FTP (Pure_ftpd), DNS
server (Bind).</li>
<li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI HD - 3 LNE100TX 
(Tulip) and 1 TLAN NICs  - Firewall running Shorewall 1.3.9a  and a DHCP
(Tulip) and 1 TLAN NICs  - Firewall running Shorewall 1.3.11  and a DHCP
server.  Also runs PoPToP for road warrior access.</li>
<li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - My wife's
personal system.</li>
<li>PII/400 Laptop, Win2k SP2, 224MB RAM, 12GB HD, onboard EEPRO100
and EEPRO100 in expansion base and LinkSys WAC11 - My main work system.</li>
<li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - My
wife's personal system.</li>
<li>PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB HD, onboard
EEPRO100 and EEPRO100 in expansion base and LinkSys WAC11 - My main
work system.</li>
</ul>
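Review bot: "256MB MB RAM" in the PII/233 firewall entry repeats the unit, and the clock speeds are written "Gz" (1.2Gz, 1.4Gz) where "GHz" is meant. The same entry now says the firewall runs Shorewall 1.3.11 although the news page in this commit announces 1.3.12 Beta 2; if the firewall has been upgraded, update it here as well so the example stays current.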
@ -101,17 +104,20 @@ and <a href="http://www.suse.com">SuSE 8.1</a> in virtual machines.</li>
src="images/poweredbycompaqlog0.gif" hspace="3" width="83" height="25">
</a><a href="http://www.pureftpd.org"><img border="0"
src="images/pure.jpg" width="88" height="31">
</a><font size="4"><a href="http://www.apache.org"><img border="0"
src="images/apache_pb1.gif" hspace="2" width="170" height="20">
</a> </font></p>
</a><font size="4"><a href="http://www.apache.org"><img
border="0" src="images/apache_pb1.gif" hspace="2" width="170"
height="20">
</a><a href="http://www.mandrakelinux.com"><img
src="images/medbutton.png" alt="Powered by Mandrake" width="90"
height="32">
</a><img src="images/shorewall.jpg" alt="Protected by Shorewall"
width="125" height="40" hspace="4">
</font></p>
<p><font size="2">Last updated 10/28/2002 - </font><font size="2"> <a
<p><font size="2">Last updated 12/7/2002 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
<br>
<br>
<br>
<font face="Trebuchet MS"><a href="copyright.htm"><font
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
<br>
<br>
</body>

View File

@ -1,113 +1,133 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall Extension Scripts</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Extension Scripts</font></h1>
<h1 align="center"><font color="#ffffff">Extension Scripts</font></h1>
</td>
</tr>
</tbody>
</table>
<p>
Extension scripts are user-provided
scripts that are invoked at various points during firewall start, restart,
stop and clear. The scripts are placed in /etc/shorewall and are processed
using the Bourne shell "source" mechanism. The following scripts can be
supplied:</p>
<p> Extension scripts are user-provided scripts that are invoked at various
points during firewall start, restart, stop and clear. The scripts are
placed in /etc/shorewall and are processed using the Bourne shell "source"
mechanism. The following scripts can be supplied:</p>
<ul>
<li>init -- invoked early in "shorewall start" and "shorewall restart"</li>
<li>start -- invoked after the firewall has been started or restarted.</li>
<li>stop -- invoked as a first step when the firewall is being stopped.</li>
<li>stopped -- invoked after the firewall has been stopped.</li>
<li>clear -- invoked after the firewall has been cleared.</li>
<li>refresh -- invoked while the firewall is being refreshed but before the
common and/or blacklst chains have been rebuilt.</li>
<li>newnotsyn (added in version 1.3.6) -- invoked after the 'newnotsyn' chain
has been created but before any rules have been added to it.</li>
<li>refresh -- invoked while the firewall is being refreshed but before
the common and/or blacklst chains have been rebuilt.</li>
<li>newnotsyn (added in version 1.3.6) -- invoked after the 'newnotsyn'
chain has been created but before any rules have been added to it.</li>
</ul>
<p>
You can also supply a script with the same name as any of the filter
<p><u><b>If your version of Shorewall doesn't have the file that you want
to use from the above list, you can simply create the file yourself.</b></u></p>
<p> You can also supply a script with the same name as any of the filter
chains in the firewall and the script will be invoked after the /etc/shorewall/rules
file has been processed but before the /etc/shorewall/policy file has
been processed.</p>
file has been processed but before the /etc/shorewall/policy file has been
processed.</p>
<p>The /etc/shorewall/common file receives special treatment. If this file is present, the rules that it
defines will totally replace the default rules in the common chain. These
default rules are contained in the file /etc/shorewall/common.def which
may be used as a starting point for making your own customized file.</p>
<p>The /etc/shorewall/common file receives special treatment. If this file
is present, the rules that it defines will totally replace the default
rules in the common chain. These default rules are contained in the
file /etc/shorewall/common.def which may be used as a starting point
for making your own customized file.</p>
<p>
Rather than running iptables directly, you should run it using the function
run_iptables. Similarly, rather than running "ip" directly, you should
use run_ip. These functions accept the same arguments as the underlying
command but cause the firewall to be stopped if an error occurs during
processing of the command.</p>
<p> Rather than running iptables directly, you should run it using the
function run_iptables. Similarly, rather than running "ip" directly,
you should use run_ip. These functions accept the same arguments as the
underlying command but cause the firewall to be stopped if an error occurs
during processing of the command.</p>
<p>
If you decide to create /etc/shorewall/common it is a good idea to use the
following technique</p>
<p> If you decide to create /etc/shorewall/common it is a good idea to
use the following technique</p>
<p>
/etc/shorewall/common:</p>
<p> /etc/shorewall/common:</p>
<blockquote>
<pre>. /etc/shorewall/common.def
&lt;add your rules here&gt;</pre>
<pre>. /etc/shorewall/common.def<br>&lt;add your rules here&gt;</pre>
</blockquote>
<p>If you need to supercede a rule in the released common.def file, you can add
the superceding rule before the '.' command. Using this technique allows
<p>If you need to supercede a rule in the released common.def file, you can
add the superceding rule before the '.' command. Using this technique allows
you to add new rules while still getting the benefit of the latest common.def
file.</p>
<p>Remember that /etc/shorewall/common defines rules
that are only applied if the applicable policy is DROP or REJECT. These rules
are NOT applied if the policy is ACCEPT or CONTINUE.</p>
<p>Remember that /etc/shorewall/common defines rules that are only applied
if the applicable policy is DROP or REJECT. These rules are NOT applied
if the policy is ACCEPT or CONTINUE.</p>
<p>If you set ALLOWRELATED=No in shorewall.conf, then most ICMP packets will be
rejected by the firewall. It is recommended with this setting that you create
the file /etc/shorewall/icmpdef and in it place the following commands:</p>
<p>If you set ALLOWRELATED=No in shorewall.conf, then most ICMP packets will
be rejected by the firewall. It is recommended with this setting that you
create the file /etc/shorewall/icmpdef and in it place the following commands:</p>
<pre> run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT
</pre>
<p align="left"><font size="2">Last updated
8/22/2002 - <a href="support.htm">Tom
Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas M. Eastep</font></a></p>
<pre> run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT<br></pre>
<p align="left"><font size="2">Last updated 12/22/2002 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas
M. Eastep</font></a></p>
<br>
</body>
</html>
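Review bot: "supercede"/"superceding" in the common.def paragraph should be "supersede"/"superseding" (the typo survives in both the old and new text), and "use the following technique" is missing its terminating period. The two <pre> blocks (the common.def snippet and the icmpdef rules) have been collapsed onto single lines with <br> separators by the editor; literal newlines inside <pre> are easier to read in a diff and render identically, so consider restoring them. Since the page says these files are processed with the Bourne shell "source" mechanism, it could also state plainly that whatever they contain runs with the firewall script's privileges and that they should therefore be owned by and writable only by root; that is a documentation gap rather than a defect in the change. The new bolded note that a missing extension file can simply be created is a useful addition.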

View File

@ -12,6 +12,7 @@
content="text/html; charset=windows-1252">
<title>Shorewall QuickStart Guide</title>
<meta name="Microsoft Theme" content="none">
</head>
<body>
@ -31,8 +32,8 @@
</tbody>
</table>
<p align="center">With thanks to Richard who reminded me once again that we
must all first walk before we can run.</p>
<p align="center">With thanks to Richard who reminded me once again that
we must all first walk before we can run.</p>
<h2>The Guides</h2>
@ -45,8 +46,9 @@ must all first walk before we can run.</p>
<li><a href="standalone.htm">Standalone</a> Linux System</li>
<li><a href="two-interface.htm">Two-interface</a> Linux System
acting as a firewall/router for a small local network</li>
<li><a href="three-interface.htm">Three-interface</a> Linux System
acting as a firewall/router for a small local network and a DMZ.</li>
<li><a href="three-interface.htm">Three-interface</a> Linux
System acting as a firewall/router for a small local network and
a DMZ.</li>
</ul>
@ -54,9 +56,9 @@ acting as a firewall/router for a small local network</li>
quickly in the three most common Shorewall configurations.</p>
<p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> outlines
the steps necessary to set up a firewall where <b>there are multiple public
IP addresses involved or if you want to learn more about Shorewall than
is explained in the single-address guides above.</b></p>
the steps necessary to set up a firewall where <b>there are multiple
public IP addresses involved or if you want to learn more about Shorewall
than is explained in the single-address guides above.</b></p>
<ul>
<li><a href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a></li>
@ -66,60 +68,72 @@ Concepts</a></li>
Interfaces</a></li>
<li><a href="shorewall_setup_guide.htm#Addressing">4.0 Addressing,
Subnets and Routing</a>
<ul>
<li><a href="shorewall_setup_guide.htm#Addresses">4.1 IP Addresses</a></li>
<li><br>
</li>
<li><a href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
<li><a href="shorewall_setup_guide.htm#Addresses">4.1 IP
Addresses</a></li>
<li><a
href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
<li><a href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li>
<li><a href="shorewall_setup_guide.htm#ARP">4.4 Address Resolution
Protocol</a></li>
<li><a href="shorewall_setup_guide.htm#ARP">4.4 Address
Resolution Protocol</a></li>
</ul>
<ul>
<li><a href="shorewall_setup_guide.htm#RFC1918">4.5 RFC 1918</a></li>
<li><a href="shorewall_setup_guide.htm#RFC1918">4.5 RFC
1918</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#Options">5.0 Setting up
your Network</a>
<li><a href="shorewall_setup_guide.htm#Options">5.0 Setting
up your Network</a>
<ul>
<li><a href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li>
</ul>
<ul>
<li><a href="shorewall_setup_guide.htm#NonRouted">5.2 Non-routed</a>
<ul>
<li><a href="shorewall_setup_guide.htm#SNAT">5.2.1 SNAT</a></li>
<li><a href="shorewall_setup_guide.htm#DNAT">5.2.2 DNAT</a></li>
<li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3 Proxy
ARP</a></li>
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4 Static NAT</a></li>
<li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3
Proxy ARP</a></li>
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4 Static
NAT</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#Rules">5.3 Rules</a></li>
<li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4 Odds
and Ends</a></li>
<li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4
Odds and Ends</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#DNS">6.0 DNS</a></li>
<li><a href="shorewall_setup_guide.htm#StartingAndStopping">7.0
Starting and Stopping the Firewall</a></li>
<li><a
href="shorewall_setup_guide.htm#StartingAndStopping">7.0 Starting and
Stopping the Firewall</a></li>
</ul>
<h2><a name="Documentation"></a>Documentation Index</h2>
<p>The following documentation covers a variety of topics and <b>supplements
the <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a> described
above</b>. Please review the appropriate guide before trying to use this
documentation directly.</p>
the <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a>
described above</b>. Please review the appropriate guide before trying
to use this documentation directly.</p>
<ul>
<li><a href="blacklisting_support.htm">Blacklisting</a>
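Review bot: under "4.0 Addressing, Subnets and Routing" the "4.5 RFC 1918" item sits in a second <ul> opened right after the first one closes, and the same pattern appears for "5.1 Routed" and "5.2 Non-routed" under 5.0; each pair should be a single <ul>, otherwise the outline renders with a gap between 4.4 and 4.5 (and between 5.1 and 5.2). Removing the empty "<li><br></li>" between 4.1 and 4.2 is correct.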
@ -128,10 +142,12 @@ Starting and Stopping the Firewall</a></li>
<li>Static Blacklisting using /etc/shorewall/blacklist</li>
<li>Dynamic Blacklisting using /sbin/shorewall</li>
</ul>
</li>
<li><a href="configuration_file_basics.htm">Common configuration
file features</a>
<ul>
<li>Comments in configuration files</li>
<li>Line Continuation</li>
@ -143,85 +159,111 @@ Starting and Stopping the Firewall</a></li>
<li>Complementing an IP address or Subnet</li>
<li>Shorewall Configurations (making a test configuration)</li>
<li>Using MAC Addresses in Shorewall</li>
<li>Logging<br>
</li>
</ul>
</li>
<li><a href="Documentation.htm">Configuration File Reference Manual</a>
<li><a href="Documentation.htm">Configuration File Reference
Manual</a>
<ul>
<li> <a href="Documentation.htm#Variables">params</a></li>
<li><font color="#000099"><a href="Documentation.htm#Zones">zones</a></font></li>
<li><font color="#000099"><a
href="Documentation.htm#Zones">zones</a></font></li>
<li><font color="#000099"><a
href="Documentation.htm#Interfaces">interfaces</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#Hosts">hosts</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#Policy">policy</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#Rules">rules</a></font></li>
<li><font color="#000099"><a
href="Documentation.htm#Hosts">hosts</a></font></li>
<li><font color="#000099"><a
href="Documentation.htm#Policy">policy</a></font></li>
<li><font color="#000099"><a
href="Documentation.htm#Rules">rules</a></font></li>
<li><a href="Documentation.htm#Common">common</a></li>
<li><font color="#000099"><a href="Documentation.htm#Masq">masq</a></font></li>
<li><font color="#000099"><a
href="Documentation.htm#Masq">masq</a></font></li>
<li><font color="#000099"><a
href="Documentation.htm#ProxyArp">proxyarp</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#NAT">nat</a></font></li>
<li><font color="#000099"><a
href="Documentation.htm#NAT">nat</a></font></li>
<li><font color="#000099"><a
href="Documentation.htm#Tunnels">tunnels</a></font></li>
<li><a href="traffic_shaping.htm#tcrules">tcrules</a></li>
<li><font color="#000099"><a href="Documentation.htm#Conf">shorewall.conf</a></font></li>
<li><font color="#000099"><a
href="Documentation.htm#Conf">shorewall.conf</a></font></li>
<li><a href="Documentation.htm#modules">modules</a></li>
<li><a href="Documentation.htm#TOS">tos</a> </li>
<li><a href="Documentation.htm#Blacklist">blacklist</a></li>
<li><a href="Documentation.htm#rfc1918">rfc1918</a></li>
<li><a href="Documentation.htm#Routestopped">routestopped</a></li>
</ul>
</li>
<li><a href="dhcp.htm">DHCP</a></li>
<li><font color="#000099"><a
href="shorewall_extension_scripts.htm">Extension Scripts</a></font>
(How to extend Shorewall without modifying Shorewall code)</li>
href="shorewall_extension_scripts.htm">Extension Scripts</a></font> (How
to extend Shorewall without modifying Shorewall code)</li>
<li><a href="fallback.htm">Fallback/Uninstall</a></li>
<li><a href="shorewall_firewall_structure.htm">Firewall Structure</a></li>
<li><font color="#000099"><a href="kernel.htm">Kernel Configuration</a></font></li>
<li><a href="myfiles.htm">My Configuration Files</a> (How I personally
use Shorewall)</li>
<li><a href="configuration_file_basics.htm#Levels">Logging</a><br>
</li>
<li><a href="myfiles.htm">My Configuration Files</a> (How
I personally use Shorewall)</li>
<li><a href="ping.html">'Ping' Management</a><br>
</li>
<li><a href="ports.htm">Port Information</a>
<ul>
<li>Which applications use which ports</li>
<li>Ports used by Trojans</li>
</ul>
</li>
<li><a href="ProxyARP.htm">Proxy ARP</a></li>
<li><a href="samba.htm">Samba</a></li>
<li><font color="#000099"><a
href="starting_and_stopping_shorewall.htm">Starting/stopping the Firewall</a></font></li>
<ul>
<li>Description of all /sbin/shorewall commands</li>
<li>How to safely test a Shorewall configuration change<br>
</li>
</ul>
<li><font color="#000099"><a href="NAT.htm">Static NAT</a></font></li>
<li><a href="traffic_shaping.htm">Traffic Shaping/Control</a></li>
<li>VPN
<ul>
<li><a href="IPSEC.htm">IPSEC</a></li>
<li><a href="IPIP.htm">GRE and IPIP</a></li>
<li><a href="PPTP.htm">PPTP</a></li>
<li><a href="VPN.htm">IPSEC/PPTP</a> from a system behind your
firewall to a remote network.</li>
<li><a href="VPN.htm">IPSEC/PPTP</a> from a system behind
your firewall to a remote network.</li>
</ul>
</li>
<li><a href="whitelisting_under_shorewall.htm">White List Creation</a></li>
<li><a href="whitelisting_under_shorewall.htm">White List
Creation</a></li>
</ul>
<p>If you use one of these guides and have a suggestion for improvement <a
href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
<p><font size="2">Last modified 11/19/2002 - <a
href="file:///J:/Shorewall/Shorewall-docs/support.htm">Tom Eastep</a></font></p>
<p><font size="2">Last modified 12/13/2002 - <a href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright 2002 Thomas M. Eastep</font></a><br>
</p>
<br>
<br>
<br>
<br>
<br>
</body>
</html>
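Review bot: the "Starting/stopping the Firewall" entry closes its <li> before the <ul> that lists "Description of all /sbin/shorewall commands" and "How to safely test a Shorewall configuration change", so that sub-list becomes a direct child of the outer <ul>, which is invalid HTML and renders inconsistently; nest it inside the <li> as the "Port Information" and "VPN" entries do. Replacing the file:///J:/Shorewall/... link on "Tom Eastep" with support.htm is the right fix, since that local path would have been dead for every reader.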

View File

@ -54,24 +54,25 @@
<h2><a name="Introduction"></a>1.0 Introduction</h2>
<p>This guide is intended for users who are setting up Shorewall in an environment
where a set of public IP addresses must be managed or who want to know more
about Shorewall than is contained in the <a
where a set of public IP addresses must be managed or who want to know
more about Shorewall than is contained in the <a
href="shorewall_quickstart_guide.htm">single-address guides</a>. Because
the range of possible applications is so broad, the Guide will give you
general guidelines and will point you to other resources as necessary.</p>
<p><img border="0" src="images/j0213519.gif" width="60" height="60">
    If you run LEAF Bering, your Shorewall configuration is NOT what I release
-- I suggest that you consider installing a stock Shorewall lrp from the
shorewall.net site before you proceed.</p>
    If you run LEAF Bering, your Shorewall configuration is NOT what I
release -- I suggest that you consider installing a stock Shorewall lrp from
the shorewall.net site before you proceed.</p>
<p>This guide assumes that you have the iproute/iproute2 package installed
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell if
this package is installed by the presence of an <b>ip</b> program on your
firewall system. As root, you can use the 'which' command to check for this
program:</p>
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell
if this package is installed by the presence of an <b>ip</b> program on
your firewall system. As root, you can use the 'which' command to check
for this program:</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
<p>I recommend that you first read through the guide to familiarize yourself
with what's involved then go back through it again making your configuration
changes. Points at which configuration changes are recommended are flagged
@ -79,17 +80,17 @@ with <img border="0" src="images/BD21298_.gif" width="13" height="13">
.</p>
<p><img border="0" src="images/j0213519.gif" width="60" height="60">
    If you edit your configuration files on a Windows system, you must save
them as Unix files if your editor supports that option or you must run them
through dos2unix before trying to use them with Shorewall. Similarly, if
you copy a configuration file from your Windows hard drive to a floppy disk,
you must run dos2unix against the copy before using it with Shorewall.</p>
    If you edit your configuration files on a Windows system, you must
save them as Unix files if your editor supports that option or you must run
them through dos2unix before trying to use them with Shorewall. Similarly,
if you copy a configuration file from your Windows hard drive to a floppy
disk, you must run dos2unix against the copy before using it with Shorewall.</p>
<ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
of dos2unix</a></li>
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version
of dos2unix</a></li>
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
Version of dos2unix</a></li>
</ul>
@ -151,8 +152,9 @@ the internet zone" or "because that is the DMZ".</p>
in terms of zones.</p>
<ul>
<li>You express your default policy for connections from one zone to another
zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy </a>file.</li>
<li>You express your default policy for connections from one zone to
another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
</a>file.</li>
<li>You define exceptions to those default policies in the <a
href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
@ -163,17 +165,18 @@ kernel facility. Netfilter implements a <a
href="http://www.cs.princeton.edu/%7Ejns/security/iptables/iptables_conntrack.html">connection
tracking function</a> that allows what is often referred to as <i>stateful
inspection</i> of packets. This stateful property allows firewall rules
to be defined in terms of <i>connections</i> rather than in terms of packets.
With Shorewall, you:</p>
to be defined in terms of <i>connections</i> rather than in terms of
packets. With Shorewall, you:</p>
<ol>
<li> Identify the source zone.</li>
<li> Identify the destination zone.</li>
<li> If the POLICY from the client's zone to the server's zone
is what you want for this client/server pair, you need do nothing further.</li>
<li> If the POLICY is not what you want, then you must add a rule.
That rule is expressed in terms of the client's zone and the server's
zone.</li>
is what you want for this client/server pair, you need do nothing
further.</li>
<li> If the POLICY is not what you want, then you must add a
rule. That rule is expressed in terms of the client's zone and the
server's zone.</li>
</ol>
@ -181,15 +184,15 @@ zone.</li>
A to the firewall and are also allowed from the firewall to zone B <font
color="#ff6633"><b><u> DOES NOT mean that these connections are allowed
from zone A to zone B</u></b></font>. It rather means that you can have
a proxy running on the firewall that accepts a connection from zone A and
then establishes its own separate connection from the firewall to zone
B.</p>
a proxy running on the firewall that accepts a connection from zone A
and then establishes its own separate connection from the firewall to
zone B.</p>
<p>For each connection request entering the firewall, the request is first
checked against the /etc/shorewall/rules file. If no rule in that file matches
the connection request then the first policy in /etc/shorewall/policy that
matches the request is applied. If that policy is REJECT or DROP  the request
is first checked against the rules in /etc/shorewall/common.def.</p>
checked against the /etc/shorewall/rules file. If no rule in that file
matches the connection request then the first policy in /etc/shorewall/policy
that matches the request is applied. If that policy is REJECT or DROP 
the request is first checked against the rules in /etc/shorewall/common.def.</p>
<p>The default /etc/shorewall/policy file has the following policies:</p>
@ -234,9 +237,10 @@ is first checked against the rules in /etc/shorewall/common.def.</p>
<ol>
<li>allow all connection requests from your local network to the internet</li>
<li>drop (ignore) all connection requests from the internet to your firewall
or local network and log a message at the <i>info</i> level (see "man
syslog").</li>
<li>drop (ignore) all connection requests from the internet to your
firewall or local network and log a message at the <i>info</i> level
(<a href="configuration_file_basics.htm#Levels">here</a> is a description
of log levels).</li>
<li>reject all other connection requests and log a message at the <i>info</i>
level. When a request is rejected, the firewall will return an RST (if
the protocol is TCP) or an ICMP port-unreachable packet for other protocols.</li>
@ -244,8 +248,8 @@ the protocol is TCP) or an ICMP port-unreachable packet for other protocols.<
</ol>
<p><img border="0" src="images/BD21298_.gif" width="13" height="13">
    At this point, edit your /etc/shorewall/policy and make any changes that
you wish.</p>
    At this point, edit your /etc/shorewall/policy and make any changes
that you wish.</p>
<h2 align="left"><a name="Interfaces"></a>3.0 Network Interfaces</h2>
@ -256,11 +260,12 @@ you wish.</p>
<p align="left">In this diagram:</p>
<ul>
<li>The DMZ Zone consists of systems DMZ 1 and DMZ 2. A DMZ is used to
isolate your internet-accessible servers from your local systems so that
if one of those servers is compromised, you still have the firewall between
the compromised system and your local systems. </li>
<li>The Local Zone consists of systems Local 1, Local 2 and Local 3. </li>
<li>The DMZ Zone consists of systems DMZ 1 and DMZ 2. A DMZ is used
to isolate your internet-accessible servers from your local systems so
that if one of those servers is compromised, you still have the firewall
between the compromised system and your local systems. </li>
<li>The Local Zone consists of systems Local 1, Local 2 and Local 3.
</li>
<li>All systems from the ISP outward comprise the Internet Zone. </li>
</ul>
@ -286,8 +291,8 @@ using ISDN, you external interface will be <b>ippp0.</b></p>
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13">
    If your external interface is <b>ppp0</b> or <b>ippp0 </b>then you will
want to set CLAMPMSS=yes in <a href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf.</a></p>
    If your external interface is <b>ppp0</b> or <b>ippp0 </b>then you
will want to set CLAMPMSS=yes in <a href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf.</a></p>
<p align="left">Your <i>Local Interface</i> will be an Ethernet adapter (eth0,
eth1 or eth2) and will be connected to a hub or switch. Your local computers
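Review bot: the context line in this hunk's header reads "using ISDN, you external interface will be ippp0"; that should be "your external interface". It is unchanged context, but since the surrounding paragraph is being reflowed anyway, this is a cheap fix to fold in.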
@ -363,8 +368,8 @@ file, that file would might contain:</p>
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13">
    Edit the /etc/shorewall/interfaces file and define the network interfaces
on your firewall and associate each interface with a zone. If you have a
zone that is interfaced through more than one interface, simply include
on your firewall and associate each interface with a zone. If you have
a zone that is interfaced through more than one interface, simply include
one entry for each interface and repeat the zone name as many times as necessary.</p>
<p align="left">Example:</p>
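Review bot: the hunk header's context line "that file would might contain:" has a doubled modal; it should read "that file might contain:". The paragraph directly below is being reflowed, so the sentence above it could be corrected in the same change.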
@ -458,8 +463,8 @@ Know about Addressing &amp; Routing",</i> Thomas A. Maufer, Prentice-Hall,
<h3 align="left"><a name="Addresses"></a>4.1 IP Addresses</h3>
<p align="left">IP version 4 (<i>IPv4) </i>addresses are 32-bit numbers.
The notation w.x.y.z refers to an address where the high-order byte has value
"w", the next byte has value "x", etc. If we take the address 192.0.2.14
The notation w.x.y.z refers to an address where the high-order byte has
value "w", the next byte has value "x", etc. If we take the address 192.0.2.14
and express it in hexadecimal, we get:</p>
<blockquote>
@ -721,9 +726,9 @@ will often hear a subnet of size 64 referred to as a "slash 26" subnet
and one of size 8 referred to as a "slash 29".</p>
<p align="left">The subnet's mask (also referred to as its <i>netmask) </i>is
simply a 32-bit number with the first "VLSM" bits set to one and the remaining
bits set to zero. For example, for a subnet of size 64, the subnet mask
has 26 leading one bits:</p>
simply a 32-bit number with the first "VLSM" bits set to one and the
remaining bits set to zero. For example, for a subnet of size 64, the
subnet mask has 26 leading one bits:</p>
<blockquote>
<p align="left">11111111111111111111111111000000 = FFFFFFC0 = FF.FF.FF.C0
@ -805,10 +810,10 @@ the subnet with one member and the subnet with 2 ** 32 members.</p>
and the set of all possible IP addresses is written <b>0.0.0.0/0</b>.</p>
<p align="left">Later in this guide, you will see the notation <b>a.b.c.d/v</b>
used to describe the ip configuration of a network interface (the 'ip' utility
also uses this syntax). This simply means that the interface is configured
with ip address <b>a.b.c.d</b> and with the netmask that corresponds to
VLSM <b>/v</b>.</p>
used to describe the ip configuration of a network interface (the 'ip'
utility also uses this syntax). This simply means that the interface is
configured with ip address <b>a.b.c.d</b> and with the netmask that corresponds
to VLSM <b>/v</b>.</p>
<p align="left">Example: 192.0.2.65/29</p>
@ -829,12 +834,12 @@ and netmask 255.255.255.248.</p>
<p align="left">The device <i>texas</i> is a GRE tunnel to a peer site in
the Dallas, Texas area.<br>
<br>
The first three routes are <i>host routes</i> since they indicate how to
get to a single host. In the 'netstat' output this can be seen by the "Genmask"
(Subnet Mask) of 255.255.255.255 and the "H" in the Flags column. The remainder
are 'net' routes since they tell the kernel how to route packets to a subnetwork.
The last route is the <i>default route</i> and the gateway mentioned in
that route is called the <i>default gateway</i>.</p>
The first three routes are <i>host routes</i> since they indicate how
to get to a single host. In the 'netstat' output this can be seen by the
"Genmask" (Subnet Mask) of 255.255.255.255 and the "H" in the Flags column.
The remainder are 'net' routes since they tell the kernel how to route
packets to a subnetwork. The last route is the <i>default route</i> and
the gateway mentioned in that route is called the <i>default gateway</i>.</p>
<p align="left">When the kernel is trying to send a packet to IP address
<b>A</b>, it starts at the top of the routing table and:</p>
@ -894,17 +899,18 @@ eth2.</p>
are sent using the routing table and reply packets are not a special case.
There seems to be a common mis-conception whereby people think that request
packets are like salmon and contain a genetic code that is magically transferred
to reply packets so that the replies follow the reverse route taken by the
request. That isn't the case; the replies may take a totally different route
back to the client than was taken by the requests -- they are totally independent.</p>
to reply packets so that the replies follow the reverse route taken by
the request. That isn't the case; the replies may take a totally different
route back to the client than was taken by the requests -- they are totally
independent.</p>
<h3 align="left"><a name="ARP"></a>4.4 Address Resolution Protocol</h3>
<p align="left">When sending packets over Ethernet, IP addresses aren't used.
Rather Ethernet addressing is based on <i>Media Access Control</i> (MAC)
addresses. Each Ethernet device has it's own unique  MAC address which is
burned into a PROM on the device during manufacture. You can obtain the
MAC of an Ethernet device using the 'ip' utility:</p>
addresses. Each Ethernet device has it's own unique  MAC address which
is burned into a PROM on the device during manufacture. You can obtain
the MAC of an Ethernet device using the 'ip' utility:</p>
<blockquote>
<div align="left">
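Review bot: "Each Ethernet device has it's own unique MAC address" uses the contraction where the possessive "its" is meant, and the reflow carries the error into the new text unchanged; the same paragraph also has a stray double space before "MAC". Earlier in the hunk, "mis-conception" is normally written "misconception". Suggest fixing all three while the text is being rewrapped.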
@ -921,8 +927,8 @@ to the card itself. </p>
<div align="left">
<p align="left">Because IP uses IP addresses and Ethernet uses MAC addresses,
a mechanism is required to translate an IP address into a MAC address;
that is the purpose of the <i>Address Resolution Protocol</i> (ARP). Here
is ARP in action:</p>
that is the purpose of the <i>Address Resolution Protocol</i> (ARP).
Here is ARP in action:</p>
</div>
<div align="left">
@ -934,9 +940,9 @@ is ARP in action:</p>
</div>
<p align="left">In this exchange, 192.168.1.254 (MAC 2:0:8:e3:4c:48) wants
to know the MAC of the device with IP address 192.168.1.19. The system having
that IP address is responding that the MAC address of the device with IP
address 192.168.1.19 is 0:6:25:aa:8a:f0.</p>
to know the MAC of the device with IP address 192.168.1.19. The system
having that IP address is responding that the MAC address of the device
with IP address 192.168.1.19 is 0:6:25:aa:8a:f0.</p>
<p align="left">In order to avoid having to exchange ARP information each
time that an IP packet is to be sent, systems maintain an <i>ARP cache</i>
@ -1001,6 +1007,7 @@ in their infrastructure. </p>
your ISP or by another organization with whom you want to establish
a VPN relationship. </p>
</li>
</ul>
</div>
@ -1017,8 +1024,8 @@ the addresses that you are going to use.</p>
<div align="left">
<p align="left">The choice of how to set up your network depends primarily
on how many Public IP addresses you have vs. how many addressable entities
you have in your network. Regardless of how many addresses you have, your
ISP will handle that set of addresses in one of two ways:</p>
you have in your network. Regardless of how many addresses you have,
your ISP will handle that set of addresses in one of two ways:</p>
</div>
<div align="left">
@ -1034,12 +1041,26 @@ your firewall/router's external interface. </p>
<p align="left"><b>Non-routed - </b>Your ISP will send traffic to each
of your addresses directly. </p>
</li>
</ol>
</div>
<div align="left">
<p align="left">In the subsections that follow, we'll look at each of these
separately.</p>
separately.<br>
</p>
<p align="left">Before we begin, there is one thing for you to check:</p>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13" alt="">
    If you are using the Debian package, please check your shorewall.conf
file to ensure that the following are set correctly; if they are not, change
them appropriately:<br>
</p>
<ul>
<li>NAT_ENABLED=Yes</li>
<li>IP_FORWARDING=On<br>
</li>
</ul>
</div>
<div align="left">
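Review bot: the added Debian check names NAT_ENABLED=Yes and IP_FORWARDING=On but does not say what depends on them, so a reader on a non-Debian package has no way to tell whether the check applies to them as well. Suggest one sentence after the list stating which of the techniques in the following subsections (masquerading, DNAT, static NAT) need each setting, or a pointer to the shorewall.conf documentation already linked elsewhere on the page as Documentation.htm#Conf.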
@ -1049,11 +1070,11 @@ of your addresses directly. </p>
<div align="left">
<p align="left">Let's assume that your ISP has assigned you the subnet
192.0.2.64/28 routed through 192.0.2.65. That means that you have IP addresses
192.0.2.64 - 192.0.2.79 and that your firewall's external IP address is
192.0.2.65. Your ISP has also told you that you should use a netmask of
255.255.255.0 (so your /28 is part of a larger /24). With this many IP
addresses, you are able to subnet your /28 into two /29's and set up your
network as shown in the following diagram.</p>
192.0.2.64 - 192.0.2.79 and that your firewall's external IP address
is 192.0.2.65. Your ISP has also told you that you should use a netmask
of 255.255.255.0 (so your /28 is part of a larger /24). With this many
IP addresses, you are able to subnet your /28 into two /29's and set
up your network as shown in the following diagram.</p>
</div>
<div align="left">
@ -1082,8 +1103,8 @@ because of the simplicity of the setup.</p>
<div align="left">
<p align="left">The astute reader may have noticed that the Firewall/Router's
external interface is actually part of the DMZ subnet (192.0.2.64/29).
What if DMZ 1 (192.0.2.67) tries to communicate with 192.0.2.65? The routing
table on DMZ 1 will look like this:</p>
What if DMZ 1 (192.0.2.67) tries to communicate with 192.0.2.65? The
routing table on DMZ 1 will look like this:</p>
</div>
<div align="left">
@ -1136,8 +1157,9 @@ netmask 255.255.255.0 and default gateway 192.0.2.254.</b></p>
<div align="left">
<p align="left">Clearly, that set of addresses doesn't comprise a subnetwork
and there aren't enough addresses for all of the network interfaces. There
are four different techniques that can be used to work around this problem.</p>
and there aren't enough addresses for all of the network interfaces.
There are four different techniques that can be used to work around this
problem.</p>
</div>
<div align="left">
@ -1157,6 +1179,7 @@ also known as <i>Port Forwarding.</i> </p>
<p align="left"><i>Network Address Translation</i> (NAT) also referred
to as <i>Static NAT</i>. </p>
</li>
</ul>
</div>
@ -1199,8 +1222,8 @@ zone.</p>
<div align="left"> <img border="0" src="images/BD21298_2.gif"
width="13" height="13">
    The systems in the local zone would be configured with a default gateway
of 192.168.201.1 (the IP address of the firewall's local interface).</div>
    The systems in the local zone would be configured with a default
gateway of 192.168.201.1 (the IP address of the firewall's local interface).</div>
<div align="left">  </div>
@ -1254,8 +1277,8 @@ do not have a public IP address. DNAT provides a way to allow selected
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13">
     Suppose that your daughter wants to run a web server on her system
"Local 3". You could allow connections to the internet to her server by
adding the following entry in <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>:</p>
"Local 3". You could allow connections to the internet to her server
by adding the following entry in <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>:</p>
</div>
<div align="left">
@ -1291,10 +1314,10 @@ adding the following entry in <a href="Documentation.htm#Rules">/etc/shorewal
<p align="left">If one of your daughter's friends at address <b>A</b> wants
to access your daughter's server, she can connect to <a
href="http://192.0.2.176"> http://192.0.2.176</a> (the firewall's external
IP address) and the firewall will rewrite the destination IP address to
192.168.201.4 (your daughter's system) and forward the request. When your
daughter's server responds, the firewall will rewrite the source address
back to 192.0.2.176 and send the response back to <b>A.</b></p>
IP address) and the firewall will rewrite the destination IP address
to 192.168.201.4 (your daughter's system) and forward the request. When
your daughter's server responds, the firewall will rewrite the source
address back to 192.0.2.176 and send the response back to <b>A.</b></p>
</div>
<div align="left">
@ -1327,6 +1350,7 @@ of your public IP addresses (<b>A)</b> and is assigned the same netmask
address in the subnetwork defined by <b>A</b> and <b>M</b>, the firewall
will respond (with the MAC if the firewall interface to <b>H</b>). </p>
</li>
</ul>
</div>
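Review bot: the context line "will respond (with the MAC if the firewall interface to H)" should read "with the MAC of the firewall interface to H"; as written, the parenthetical does not parse. It sits next to the list-item closing tag this hunk touches, so it can be fixed here.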
@ -1391,8 +1415,8 @@ add host routes thru eth2 to 192.0.2.177 and 192.0.2.178.</p>
<div align="left">
<p align="left">A word of warning is in order here. ISPs typically configure
their routers with a long ARP cache timeout. If you move a system from
parallel to your firewall to behind your firewall with Proxy ARP, it will
probably be HOURS before that system can communicate with the internet.
parallel to your firewall to behind your firewall with Proxy ARP, it
will probably be HOURS before that system can communicate with the internet.
You can call your ISP and ask them to purge the stale ARP cache entry
but many either can't or won't purge individual entries. You can determine
if your ISP's gateway ARP cache is stale using ping and tcpdump. Suppose
@ -1478,9 +1502,9 @@ and is sharing the firewall external IP (192.0.2.176) for outbound connection
<div align="left">
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13">
    Suppose now that you have decided to give your daughter her own IP
address (192.0.2.179) for both inbound and outbound connections. You would
do that by adding an entry in <a href="Documentation.htm#NAT">/etc/shorewall/nat</a>.</p>
    Suppose now that you have decided to give your daughter her own
IP address (192.0.2.179) for both inbound and outbound connections. You
would do that by adding an entry in <a href="Documentation.htm#NAT">/etc/shorewall/nat</a>.</p>
</div>
<div align="left">
@ -1517,9 +1541,9 @@ do that by adding an entry in <a href="Documentation.htm#NAT">/etc/shorewall/
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13">
    Once the relationship between 192.0.2.179 and 192.168.201.4 is established
by the nat file entry above, it is no longer appropriate to use a DNAT
rule for you daughter's web server -- you would rather just use an ACCEPT
rule:</p>
by the nat file entry above, it is no longer appropriate to use a
DNAT rule for you daughter's web server -- you would rather just use
an ACCEPT rule:</p>
</div>
<div align="left">
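Review bot: "a DNAT rule for you daughter's web server" is missing the "r" in "your" in both the old and the reflowed text; the rewrap copied the typo forward. Suggest "for your daughter's web server" in the new version of the paragraph.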
@ -2266,9 +2290,9 @@ DNS servers. You can combine the two into a single BIND 9 server using
<p align="left">Suppose that your domain is foobar.net and you want the two
DMZ systems named www.foobar.net and mail.foobar.net and you want the
three local systems named "winken.foobar.net, blinken.foobar.net and nod.foobar.net.
You want your firewall to be known as firewall.foobar.net externally and
it's interface to the local network to be know as gateway.foobar.net and
its interface to the dmz as dmz.foobar.net. Let's have the DNS server
You want your firewall to be known as firewall.foobar.net externally
and it's interface to the local network to be know as gateway.foobar.net
and its interface to the dmz as dmz.foobar.net. Let's have the DNS server
on 192.0.2.177 which will also be known by the name ns1.foobar.net.</p>
</div>
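Review bot: two errors survive the reflow in the DNS paragraph: "it's interface to the local network" should be "its interface", and "to be know as gateway.foobar.net" should be "to be known as". The same sentence already uses "its interface to the dmz" correctly a few words later, so the two forms should agree. There is also an unbalanced opening quote before "winken.foobar.net" that is never closed.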
@ -2291,8 +2315,10 @@ on 192.0.2.177 which will also be known by the name ns1.foobar.net.</p>
<div align="left">
<p align="left">Here are the files in /var/named (those not shown are usually
included in your bind disbribution).</p>
<p align="left">db.192.0.2.176 - This is the reverse zone for the firewall's
external interface</p>
<blockquote>
<pre>; ############################################################<br>; Start of Authority (Inverse Address Arpa) for 192.0.2.176/32<br>; Filename: db.192.0.2.176<br>; ############################################################<br>@ 604800 IN SOA ns1.foobar.net. netadmin.foobar.net. (<br> 2001102303 ; serial<br> 10800 ; refresh (3 hour)<br> 3600 ; retry (1 hour)<br> 604800 ; expire (7 days)<br> 86400 ) ; minimum (1 day)<br>;<br>; ############################################################<br>; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)<br>; ############################################################<br>@ 604800 IN NS ns1.foobar.net.<br>@ 604800 IN NS <i>&lt;name of secondary ns&gt;</i>.<br>;<br>; ############################################################<br>; Iverse Address Arpa Records (PTR's) <br>; ############################################################<br>176.2.0.192.in-addr.arpa. 86400 IN PTR firewall.foobar.net.<br></pre>
</blockquote>
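Review bot: the newly added description line for db.192.0.2.176 is fine, but the surrounding text has two typos that should be corrected in the same change: "bind disbribution" should be "bind distribution", and the comment block inside the zone file reads "Iverse Address Arpa Records" where "Inverse" is meant (the file header a few lines above spells it correctly).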
@ -2419,11 +2445,13 @@ and test it using the <a href="Documentation.htm#Starting">"shorewall
try" command</a>.</p>
</div>
<p align="left"><font size="2">Last updated 9/19/2002 - <a
<p align="left"><font size="2">Last updated 12/13/2002 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas
M. Eastep</font></a></p>
<br>
<br>
<br>
</body>
</html>


@ -5,12 +5,14 @@
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.3</title>
<base target="_self">
</head>
<body>
@ -20,10 +22,14 @@
<table border="0" cellpadding="0" cellspacing="4"
style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c">
<tbody>
<tr>
<td
width="100%" height="90">
<td width="100%" height="90">
@ -34,10 +40,12 @@
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4"
alt="Shorwall Logo" height="70" width="85" align="left"
src="images/washington.jpg" border="0">
</a></i></font><font
color="#ffffff">Shorewall 1.3 - <font size="4">"<i>iptables
made easy"</i></font></font><a href="http://www.sf.net">
</a></h1>
</a></i></font><font color="#ffffff">Shorewall 1.3
- <font size="4">"<i>iptables made easy"</i></font></font><a
href="http://www.sf.net"> </a></h1>
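Review bot: the logo image's alt text reads "Shorwall Logo"; it should be "Shorewall Logo". The img tag is being re-indented in this hunk, so the attribute can be corrected at the same time.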
@ -50,7 +58,9 @@
</tr>
</tbody>
</table>
@ -61,7 +71,9 @@
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody>
<tr>
<td width="90%">
@ -71,6 +83,8 @@
<h2 align="left">What is it?</h2>
@ -80,9 +94,11 @@
<p>The Shoreline Firewall, more commonly known as "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
firewall that can be used on a dedicated firewall system, a multi-function
<p>The Shoreline Firewall, more commonly known as "Shorewall", is a
<a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
that can be used on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system.</p>
@ -92,23 +108,29 @@ firewall that can be used on a dedicated firewall system, a multi-functio
<p>This program is free software; you can redistribute it and/or modify
it under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
General Public License</a> as published by the Free Software Foundation.<br>
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU General
Public License</a> as published by the Free Software Foundation.<br>
<br>
This
program is distributed in the hope that it will be
useful, but WITHOUT ANY WARRANTY; without even the implied
warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
PURPOSE. See the GNU General Public License for
more details.<br>
This program is distributed in the hope
that it will be useful, but WITHOUT ANY WARRANTY;
without even the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.<br>
<br>
You
should have received a copy of the GNU General Public
License along with this program; if not, write to
the Free Software Foundation, Inc., 675 Mass Ave,
Cambridge, MA 02139, USA</p>
You should have received a copy of the GNU
General Public License along with this program;
if not, write to the Free Software Foundation,
Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
@ -126,17 +148,22 @@ Cambridge, MA 02139, USA</p>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques
Nilo and Eric Wolzak have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution called
<i>Bering</i> that features Shorewall-1.3.10 and
Kernel-2.4.18. You can find their work at: <a
</a>Jacques Nilo and Eric Wolzak have
a LEAF (router/firewall/gateway on a floppy, CD or compact
flash) distribution called <i>Bering</i> that
features Shorewall-1.3.10 and Kernel-2.4.18. You
can find their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
<b>Congratulations to Jacques and Eric on the recent release of Bering
1.0 Final!!! <br>
<b>Congratulations to Jacques and Eric on the recent
release of Bering 1.0 Final!!! <br>
</b>
<h2>News</h2>
@ -148,271 +175,213 @@ Kernel-2.4.18. You can find their work at: <a
<p><b>11/24/2002 - Shorewall 1.3.11</b><b> </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
<p>In this version:</p>
<ul>
<li>A 'tcpflags' option has been added to entries in <a
href="file:///home/teastep/Shorewall-docs/Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
This option causes Shorewall to make a set of sanity check on TCP packet
header flags.</li>
<li>It is now allowed to use 'all' in the SOURCE or DEST column in
a <a href="file:///home/teastep/Shorewall-docs/Documentation.htm#Rules">rule</a>.
When used, 'all' must appear by itself (in may not be qualified) and it does
not enable intra-zone traffic. For example, the rule <br>
<br>
    ACCEPT loc all tcp 80<br>
<br>
does not enable http traffic from 'loc' to 'loc'.</li>
<li>Shorewall's use of the 'echo' command is now compatible with
bash clones such as ash and dash.</li>
<li>fw-&gt;fw policies now generate a startup error. fw-&gt;fw rules
generate a warning and are ignored</li>
</ul>
<p><b>11/14/2002 - Shorewall Documentation in PDF Format</b><b> </b><b><img
<p><b>12/27/2002 - Shorewall 1.3.12 Released</b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10
documenation. the PDF may be downloaded from</p>
<p>    <a
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
<p> Features include:<br>
</p>
<p><b>11/09/2002 - Shorewall is Back at SourceForge</b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
<ol>
<li>"shorewall refresh" now reloads the traffic shaping rules (tcrules
and tcstart).</li>
<li>"shorewall debug [re]start" now turns off debugging after an
error occurs. This places the point of the failure near the end of the trace
rather than up in the middle of it.</li>
<li>"shorewall [re]start" has been speeded up by more than 40% with
my configuration. Your milage may vary.</li>
<li>A "shorewall show classifiers" command has been added which
shows the current packet classification filters. The output from this command
is also added as a separate page in "shorewall monitor"</li>
<li>ULOG (must be all caps) is now accepted as a valid syslog level
and causes the subject packets to be logged using the ULOG target rather
than the LOG target. This allows you to run ulogd (available from <a
href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
and log all Shorewall messages <a
href="configuration_file_basics.htm#Levels">to a separate log file</a>.</li>
<li>If you are running a kernel that has a FORWARD chain in the
mangle table ("shorewall show mangle" will show you the chains in the
mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes in <a
href="Documentation.htm#Conf">shorewall.conf</a>. This allows for marking
input packets based on their destination even when you are using Masquerading
or SNAT.</li>
<li>I have cluttered up the /etc/shorewall directory with empty
'init', 'start', 'stop' and 'stopped' files. If you already have a file
with one of these names, don't worry -- the upgrade process won't overwrite
your file.</li>
<li>I have added a new RFC1918_LOG_LEVEL variable to <a
href="Documentation.htm#Conf">shorewall.conf</a>. This variable specifies
the syslog level at which packets are logged as a result of entries in the
/etc/shorewall/rfc1918 file. Previously, these packets were always logged
at the 'info' level.</li>
</ol>
<p>The main Shorewall web site is now at SourceForge at <a
href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>.<br>
<p><b>12/20/2002 - Shorewall 1.3.12 Beta 3</b><br>
</p>
This version corrects a problem with Blacklist logging. In Beta 2, if
BLACKLIST_LOG_LEVEL was set to anything but ULOG, the firewall would fail
to start and "shorewall refresh" would also fail.<br>
<p> You may download the Beta from:<br>
</p>
<p><b>11/09/2002 - Shorewall 1.3.10</b><b> </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
<p>In this version:</p>
<ul>
<li>You may now <a href="IPSEC.htm#Dynamic">define
the contents of a zone dynamically</a> with the <a
href="starting_and_stopping_shorewall.htm">"shorewall add" and "shorewall
delete" commands</a>. These commands are expected to be used primarily
within <a href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a>
updown scripts.</li>
<li>Shorewall can now do<a
href="MAC_Validation.html"> MAC verification</a> on ethernet segments.
You can specify the set of allowed MAC addresses on the segment
and you can optionally tie each MAC address to one or more IP addresses.</li>
<li>PPTP Servers and Clients running on the firewall
system may now be defined in the<a href="PPTP.htm"> /etc/shorewall/tunnels</a>
file.</li>
<li>A new 'ipsecnat' tunnel type is supported
for use when the <a href="IPSEC.htm">remote IPSEC endpoint
is behind a NAT gateway</a>.</li>
<li>The PATH used by Shorewall may now be specified
in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
<li>The main firewall script is now /usr/lib/shorewall/firewall.
The script in /etc/init.d/shorewall is very small and uses /sbin/shorewall
to do the real work. This change makes custom distributions such
as for Debian and for Gentoo easier to manage since it is /etc/init.d/shorewall
that tends to have distribution-dependent code.</li>
</ul>
If you have installed the 1.3.10 Beta 1 RPM and are now
upgrading to version 1.3.10, you will need to use the '--force' option:<br>
<blockquote>
<pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm</pre>
<blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
</blockquote>
<p><b>12/20/2002 - Shorewall 1.3.12 Beta 2</b><b>
</b></p>
The first public Beta version of Shorewall 1.3.12 is now available
(Beta 1 was made available only to a limited audience). <br>
<br>
Features include:<br>
<br>
<ol>
<li>"shorewall refresh" now reloads the traffic shaping rules
(tcrules and tcstart).</li>
<li>"shorewall debug [re]start" now turns off debugging after
an error occurs. This places the point of the failure near the end of the
trace rather than up in the middle of it.</li>
<li>"shorewall [re]start" has been speeded up by more than
40% with my configuration. Your milage may vary.</li>
<li>A "shorewall show classifiers" command has been added which
shows the current packet classification filters. The output from this command
is also added as a separate page in "shorewall monitor"</li>
<li>ULOG (must be all caps) is now accepted as a valid syslog
level and causes the subject packets to be logged using the ULOG target
rather than the LOG target. This allows you to run ulogd (available from
<a href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
and log all Shorewall messages <a
href="configuration_file_basics.htm#Levels">to a separate log file</a>.</li>
<li>If you are running a kernel that has a FORWARD chain in
the mangle table ("shorewall show mangle" will show you the chains in the
mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf.
This allows for marking input packets based on their destination even when
you are using Masquerading or SNAT.</li>
<li>I have cluttered up the /etc/shorewall directory with empty
'init', 'start', 'stop' and 'stopped' files. If you already have a file
with one of these names, don't worry -- the upgrade process won't overwrite
your file.</li>
<p><b>10/24/2002 - Shorewall is now in Gentoo Linux</b><a
href="http://www.gentoo.org"><br>
</a></p>
Alexandru Hartmann reports that his Shorewall package
is now a part of <a href="http://www.gentoo.org">the Gentoo
Linux distribution</a>. Thanks Alex!<br>
<p><b>10/23/2002 - Shorewall 1.3.10 Beta 1</b><b> </b></p>
In this version:<br>
<ul>
<li>You may now <a
href="IPSEC.htm#Dynamic">define the contents of a zone dynamically</a>
with the <a href="starting_and_stopping_shorewall.htm">"shorewall add"
and "shorewall delete" commands</a>. These commands are expected
to be used primarily within <a
href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a> updown
scripts.</li>
<li>Shorewall can now do<a
href="MAC_Validation.html"> MAC verification</a> on ethernet segments.
You can specify the set of allowed MAC addresses on the segment
and you can optionally tie each MAC address to one or more IP addresses.</li>
<li>PPTP Servers and Clients running
on the firewall system may now be defined in the<a
href="PPTP.htm"> /etc/shorewall/tunnels</a> file.</li>
<li>A new 'ipsecnat' tunnel type is supported
for use when the <a href="IPSEC.htm">remote IPSEC endpoint
is behind a NAT gateway</a>.</li>
<li>The PATH used by Shorewall may now
be specified in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
<li>The main firewall script is now /usr/lib/shorewall/firewall.
The script in /etc/init.d/shorewall is very small and uses
/sbin/shorewall to do the real work. This change makes custom
distributions such as for Debian and for Gentoo easier to manage
since it is /etc/init.d/shorewall that tends to have distribution-dependent
code.</li>
</ul>
</ol>
You may download the Beta from:<br>
<blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
</blockquote>
<p><b>12/12/2002 - Mandrake Multi Network Firewall <a
href="http://www.mandrakesoft.com"><img src="images/logo2.png"
alt="Powered by Mandrake Linux" width="150" height="23" border="0">
</a></b></p>
Shorewall is at the center of MandrakeSofts's recently-announced
<a
href="http://www.mandrakestore.com/mdkinc/index.php?PAGE=tab_0/menu_0.php&amp;id_art=250&amp;LANG_=en#GOTO_250">Multi
Network Firewall (MNF)</a> product. Here is the <a
href="http://www.mandrakesoft.com/company/press/pr?n=/pr/products/2403">press
release</a>.<br>
<p><b>12/7/2002 - Shorewall Support for Mandrake 9.0</b><b>
</b></p>
<ul>
<li><a
href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a></li>
<li><a
href="ftp://ftp.shorewall.net/pub/shorewall/Beta" target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
</li>
<p>Two months and 3 days after I pre-ordered Mandrake 9.0, it was finally
delivered. I have installed 9.0 on one of my systems and I am now in
a position to support Shorewall users who run Mandrake 9.0.</p>
</ul>
<p><b>10/10/2002 - Debian 1.3.9b Packages Available </b><b>
</b><br>
<p><b>12/6/2002 -  Debian 1.3.11a Packages Available</b><b></b><br>
</p>
<p>Apt-get sources listed at <a
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html.</a></p>
<p><b>10/9/2002 - Shorewall 1.3.9b </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
<p><b>12/3/2002 - Shorewall 1.3.11a</b><b>
</b></p>
This release rolls up fixes to the installer
and to the firewall script.<br>
<b><br>
10/6/2002 - Shorewall.net now running
on RH8.0 </b><b><img border="0" src="images/new10.gif"
width="28" height="12" alt="(New)">
</b><br>
<br>
The firewall and server here at shorewall.net
are now running RedHat release 8.0.<br>
<p>This is a bug-fix roll up which includes Roger Aich's fix for DNAT
with excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11 users
who don't need rules of this type need not upgrade to 1.3.11.</p>
<p><b>9/30/2002 - Shorewall 1.3.9a</b><b>
</b></p>
Roles up the fix for broken tunnels.<br>
<p><b>9/30/2002 - TUNNELS Broken in 1.3.9!!!</b><b>
</b></p>
<img
src="images/j0233056.gif" alt="Brown Paper Bag" width="50" height="86"
align="left">
There is an updated firewall script
at <a
href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
-- copy that file to /usr/lib/shorewall/firewall.<br>
<p><b><br>
<p><b>11/25/2002 - Shorewall 1.3.11 Documentation in PDF Format</b><b>
</b></p>
<p><b><br>
</b></p>
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.11
documenation. the PDF may be downloaded from</p>
<p><b><br>
9/28/2002 - Shorewall 1.3.9 </b><b>
</b></p>
<p>In this version:<br>
<p>    <a
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
</p>
<p><b>11/24/2002 - Shorewall 1.3.11</b><b>
</b></p>
<p>In this version:</p>
<ul>
<li><a
href="configuration_file_basics.htm#dnsnames">DNS Names</a> are now
allowed in Shorewall config files (although I recommend
against using them).</li>
<li>The connection
SOURCE may now be qualified by both interface and IP
address in a <a href="Documentation.htm#Rules">Shorewall rule</a>.</li>
<li>Shorewall startup
is now disabled after initial installation until the
file /etc/shorewall/startup_disabled is removed. This avoids
nasty surprises at reboot for users who install Shorewall
but don't configure it.</li>
<li>The 'functions'
and 'version' files and the 'firewall' symbolic link
have been moved from /var/lib/shorewall to /usr/lib/shorewall
to appease the LFS police at Debian.<br>
</li>
<li>A 'tcpflags' option has been added to entries
in <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
This option causes Shorewall to make a set of sanity check on TCP packet
header flags.</li>
<li>It is now allowed to use 'all' in the SOURCE
or DEST column in a <a href="Documentation.htm#Rules">rule</a>. When
used, 'all' must appear by itself (in may not be qualified) and it
does not enable intra-zone traffic. For example, the rule <br>
<br>
    ACCEPT loc all tcp 80<br>
<br>
does not enable http traffic from 'loc' to 'loc'.</li>
<li>Shorewall's use of the 'echo' command is now
compatible with bash clones such as ash and dash.</li>
<li>fw-&gt;fw policies now generate a startup error.
fw-&gt;fw rules generate a warning and are ignored</li>
</ul>
<p><b>11/14/2002 - Shorewall Documentation in PDF Format</b><b>
</b></p>
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10
documenation. the PDF may be downloaded from</p>
<p>    <a
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
</p>
<p><b></b></p>
<ul>
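Review bot: the 'tcpflags' item in the 11/24/2002 - Shorewall 1.3.11 entry says the option makes "a set of sanity check on TCP packet header flags" but never says what is done with a packet that fails a check; state the disposition and the log level that apply (the RFC1918_LOG_LEVEL item in the 1.3.12 entries shows the pattern, naming the shorewall.conf setting that controls the logging), and change "sanity check" to "sanity checks". Other typos in the release notes: "Your milage may vary" (1.3.12 Beta 2 list) should be "mileage"; "Roles up the fix for broken tunnels" (1.3.9a) should be "Rolls up"; "MandrakeSofts's" (Multi Network Firewall entry) should be "MandrakeSoft's"; "documenation. the PDF may be downloaded" appears in both PDF entries and should read "documentation. The PDF may be downloaded"; and "(in may not be qualified)" in the 'all' item should be "(it may not be qualified)".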
@ -423,13 +392,11 @@ have been moved from /var/lib/shorewall to /usr/lib/shorewall
<p><b></b><a href="News.htm">More News</a></p>
<p><a href="News.htm">More News</a></p>
@ -439,33 +406,44 @@ have been moved from /var/lib/shorewall to /usr/lib/shorewall
<h2> </h2>
<h1 align="center"><a href="http://www.sf.net"><img align="left"
alt="SourceForge Logo"
src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3">
</a></h1>
<h4> </h4>
<h2>This site is hosted by the generous folks at <a
href="http://www.sf.net">SourceForge.net</a> </h2>
<h2><a name="Donations"></a>Donations</h2>
</td>
<td width="88" bgcolor="#4b017c" valign="top" align="center">
<br>
<td width="88" bgcolor="#4b017c" valign="top"
align="center"> <br>
</td>
</tr>
</tbody>
</table>
</center>
</div>
@ -473,10 +451,14 @@ have been moved from /var/lib/shorewall to /usr/lib/shorewall
<table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c">
<tbody>
<tr>
<td
width="100%" style="margin-top: 1px;">
<td width="100%" style="margin-top: 1px;">
@ -486,6 +468,7 @@ have been moved from /var/lib/shorewall to /usr/lib/shorewall
<p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10">
</a></p>
@ -494,28 +477,33 @@ have been moved from /var/lib/shorewall to /usr/lib/shorewall
<p align="center"><font size="4" color="#ffffff">Shorewall is free
but if you try it and find it useful, please consider making a donation
<p align="center"><font size="4" color="#ffffff">Shorewall is free but
if you try it and find it useful, please consider making a donation
to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight
Children's Foundation.</font></a> Thanks!</font></p>
href="http://www.starlight.org"><font color="#ffffff">Starlight Children's
Foundation.</font></a> Thanks!</font></p>
</td>
</tr>
</tbody>
</table>
<p><font size="2">Updated 11/24/2002 - <a href="support.htm">Tom Eastep</a></font>
<p><font size="2">Updated 12/22/2002 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
<br>
<br>
<br>
</body>
</html>

@ -44,10 +44,10 @@ in one of its most common configurations:</p>
</ul>
<p>This guide assumes that you have the iproute/iproute2 package installed
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell if
this package is installed by the presence of an <b>ip</b> program on your
firewall system. As root, you can use the 'which' command to check for
this program:</p>
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell
if this package is installed by the presence of an <b>ip</b> program on
your firewall system. As root, you can use the 'which' command to check
for this program:</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
@ -61,8 +61,8 @@ this program:</p>
    If you edit your configuration files on a Windows system, you must
save them as Unix files if your editor supports that option or you must
run them through dos2unix before trying to use them. Similarly, if you copy
a configuration file from your Windows hard drive to a floppy disk, you
must run dos2unix against the copy before using it with Shorewall.</p>
a configuration file from your Windows hard drive to a floppy disk, you must
run dos2unix against the copy before using it with Shorewall.</p>
<ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
@ -74,14 +74,16 @@ Version of dos2unix</a></li>
<h2 align="left">Shorewall Concepts</h2>
<p>The configuration files for Shorewall are contained in the directory
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
alt="">
    The configuration files for Shorewall are contained in the directory
/etc/shorewall -- for simple setups, you only need to deal with a few of
these as described in this guide. After you have <a href="Install.htm">installed
Shorewall</a>, download the <a
Shorewall</a>, <b>download the <a
href="/pub/shorewall/LATEST.samples/one-interface.tgz">one-interface sample</a>,
un-tar it (tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewall
(they will replace files with the same names that were placed in /etc/shorewall
during Shorewall installation).</p>
during Shorewall installation)</b>.</p>
<p>As each file is introduced, I suggest that you look through the actual
file on your system -- each file contains detailed configuration instructions
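Review bot: the newly bolded instruction in the Shorewall Concepts paragraph still carries the doubled word in "un-tar it (tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewall"; drop one "and". Since the bold span now ends with the parenthetical "(they will replace files with the same names that were placed in /etc/shorewall during Shorewall installation)", the closing "</b>" lands after the closing parenthesis but before the period, which is fine, but keep the sentence's final period outside the bold as it is now.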
@ -115,8 +117,8 @@ un-tar it (tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewal
in terms of zones.</p>
<ul>
<li>You express your default policy for connections from one zone to
another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
<li>You express your default policy for connections from one zone
to another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
</a>file.</li>
<li>You define exceptions to those default policies in the <a
href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
@ -124,14 +126,14 @@ un-tar it (tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewal
</ul>
<p>For each connection request entering the firewall, the request is first
checked against the /etc/shorewall/rules file. If no rule in that file matches
the connection request then the first policy in /etc/shorewall/policy that
matches the request is applied. If that policy is REJECT or DROP  the
request is first checked against the rules in /etc/shorewall/common (the
samples provide that file for you).</p>
checked against the /etc/shorewall/rules file. If no rule in that file
matches the connection request then the first policy in /etc/shorewall/policy
that matches the request is applied. If that policy is REJECT or DROP 
the request is first checked against the rules in /etc/shorewall/common
(the samples provide that file for you).</p>
<p>The /etc/shorewall/policy file included with the one-interface sample has
the following policies:</p>
<p>The /etc/shorewall/policy file included with the one-interface sample
has the following policies:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -178,8 +180,8 @@ the following policies:</p>
<li>allow all connection requests from the firewall to the internet</li>
<li>drop (ignore) all connection requests from the internet to your
firewall</li>
<li>reject all other connection requests (Shorewall requires this catchall
policy).</li>
<li>reject all other connection requests (Shorewall requires this
catchall policy).</li>
</ol>
@ -201,8 +203,8 @@ a <b>ppp0</b>. If you connect via a regular modem, your External Interface
<p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
height="13">
    The Shorewall one-interface sample configuration assumes that the
external interface is <b>eth0</b>. If your configuration is different, you
will have to modify the sample /etc/shorewall/interfaces file accordingly.
external interface is <b>eth0</b>. If your configuration is different,
you will have to modify the sample /etc/shorewall/interfaces file accordingly.
While you are there, you may wish to review the list of options that are
specified for the interface. Some hints:</p>
@ -239,9 +241,9 @@ specified for the interface. Some hints:</p>
<p align="left"><img border="0" src="images/BD21298_.gif" align="left"
width="13" height="13">
     Before starting Shorewall, you should look at the IP address of
your external interface and if it is one of the above ranges, you should
remove the 'norfc1918' option from the entry in /etc/shorewall/interfaces.</p>
     Before starting Shorewall, you should look at the IP address
of your external interface and if it is one of the above ranges, you
should remove the 'norfc1918' option from the entry in /etc/shorewall/interfaces.</p>
</div>
<div align="left">
@ -283,8 +285,8 @@ specified for the interface. Some hints:</p>
</div>
<div align="left">
<p align="left">Example - You want to run a Web Server and a POP3 Server on
your firewall system:</p>
<p align="left">Example - You want to run a Web Server and a POP3 Server
on your firewall system:</p>
</div>
<div align="left">
@ -326,8 +328,8 @@ your firewall system:</p>
</div>
<div align="left">
<p align="left">If you don't know what port and protocol a particular application
uses, see <a href="ports.htm">here</a>.</p>
<p align="left">If you don't know what port and protocol a particular
application uses, see <a href="ports.htm">here</a>.</p>
</div>
<div align="left">
@ -416,7 +418,7 @@ added an entry for the IP address that you are connected from to <a
try" command</a>.</p>
</div>
<p align="left"><font size="2">Last updated 11/21/2002 - <a
<p align="left"><font size="2">Last updated 12/9/2002 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas
@ -425,5 +427,6 @@ try" command</a>.</p>
<br>
<br>
<br>
<br>
</body>
</html>

@ -1,78 +0,0 @@
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Subnet Masks</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Subnet Masks/VLSM Notation</font></h1>
</td>
</tr>
</table>
<p align="left">IP addresses and subnet masks are 32-bit numbers. The notation
w.x.y.z refers to an address where the high-order byte has value &quot;w&quot;, the next
byte has value &quot;x&quot;, etc. If we take 255.255.255.0 and express it in
hexadecimal,
we get:</p>
<blockquote>
<p align="left">FF.FF.FF.00</p>
</blockquote>
<p align="left">or looking at it as a 32-bit integer</p>
<blockquote>
<p align="left">FFFFFF00</p>
</blockquote>
<p align="left">Each &quot;F&quot; represents the bit pattern &quot;1111&quot; so if we look at the
number in binary, we have:</p>
<blockquote>
<p align="left">11111111111111111111111100000000</p>
</blockquote>
<p align="left">Counting the leading &quot;1&quot; bits, we see that there are 24 -- /24
in VLSM notation.</p>
<p align="left">It is handy to remember that the size of the subnet can be
obtained by subtracting the number of consecutive leading &quot;1&quot; bits from 32 and
raising 2 to that power. In the above case, 32 - 24 = 8 and 2 ** 8 = 256
addresses. Remember that the number of usable addresses is two less than that
(254) because the first and last address in the subnet are reserved as the
sub-network and broadcast addresses respectively.</p>
<p align="left">The size of a subnet can be any power of two so long as the
address of the subnet is a multiple of it's size. For example, if you want a
subnet of size 8, you could choose 192.168.12.8/29 (8 = 2 ** 3 and 32 - 3 = 29).
The subnet mask would be:</p>
<blockquote>
<p align="left">11111111111111111111111111111000 = FFFFFFF8 = 255.255.255.248.</p>
</blockquote>
<p align="left">This subnet would have 6 usable addresses: 192.168.12.9 -
192.168.12.14.</p>
<p align="left">You will still hear the terms &quot;Class A network&quot;, &quot;Class B
network&quot; and &quot;Class C network&quot;. In the early days of IP, sub-networks only came
in three sizes:</p>
<blockquote>
<p align="left">Class A - Subnet mask 255.0.0.0, size = 2 ** 24</p>
<p align="left">Class B - Subnet mask 255.255.0.0, size = 2 ** 16</p>
<p align="left">Class C - Subnet mask 255.255.255.0, size = 256</p>
</blockquote>
<p align="left">The class of a network was determined by the value of the high
order byte of its address so you could look at an IP address and immediately
determine the associated subnet mask. </p>
<p align="left">As the internet grew, it became clear that such a gross
partitioning of the 32-bit address space was going to be very limiting (early
on, large corporations and universities were assigned their own class A
network!). It was then that VLSM was devised -- today, any system that you are
likely to work with understands VLSM and Class-based subnetworking is largely a
thing of the past.</p>
<p align="left"><font size="2">Last updated
7/15/2002 - <a href="support.htm">Tom
Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright 2002 Thomas M. Eastep</font></a></p>
</body>
</html>
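Review bot: this hunk deletes the Subnet Masks/VLSM page outright and no replacement for it appears in this diff; confirm that no other page still links to it (the material on /N notation, usable address counts and class-based networks is referenced from configuration explanations), otherwise those links will break. If the content has moved elsewhere, say where in the commit description.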

@ -2,16 +2,22 @@
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Support</title>
<meta name="Microsoft Theme" content="none">
</head>
<body>
@ -23,63 +29,94 @@
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Support</font></h1>
<h1 align="center"><font color="#ffffff">Shorewall Support<img
src="images/obrasinf.gif" alt="" width="90" height="90" align="middle">
</font></h1>
</td>
</tr>
</tbody>
</table>
<h3 align="left"> <span style="font-weight: 400;"><i> "<font size="3">It is
easier to post a problem than to use your own brain" </font>-- </i> <font
size="2">Wietse Venema (creator of <a href="http://www.postfix.org">Postfix</a>)</font></span></h3>
<p> <br>
<span style="font-weight: 400;"></span></p>
<p align="left"> <i>"Any sane computer will tell you how it works -- you just
have to ask it the right questions" </i>-- <font size="2">Tom Eastep</font></p>
<h2><big><font color="#ff0000"><b>I don't look at problems sent to me directly
but I try to spend some amount of time each day responding to problems
posted on the Shorewall mailing list.</b></font></big></h2>
<blockquote> </blockquote>
<h2 align="center"><big><font color="#ff0000"><b>-Tom</b></font></big></h2>
<p><span style="font-weight: 400;"><i>"It irks me when people believe that
free software comes at no cost. The cost is incredibly high."</i>
- <font size="2"> Wietse Venem<br>
</font></span></p>
<h2>Before Reporting a Problem</h2>
<h3 align="left">Before Reporting a Problem</h3>
<b><i>"Reading the documentation fully is a prerequisite to getting help
for your particular situation. I know it's harsh but you will have to get
so far on your own before you can get reasonable help from a list full of
busy people. A mailing list is not a tool to speed up your day by being spoon
fed</i></b><i><b>".</b> </i>-- Simon White<br>
<h3>T<b>here are a number of sources for problem solution information. Please
try these before you post.</b></h3>
<p>There are also a number of sources for problem solution information.</p>
<h3> </h3>
<h3> </h3>
<ul>
<li>The <a href="FAQ.htm">FAQ</a> has solutions to common problems.</li>
<li>The <a href="troubleshoot.htm">Troubleshooting</a> Information
contains a number of tips to help you solve common problems.</li>
<li>The <a href="errata.htm"> Errata</a> has links to download
updated components.</li>
<li>The Mailing List Archives search facility can locate posts
about similar problems:</li>
<li>
<h3><b>The <a href="FAQ.htm">FAQ</a> has solutions to more than 20 common
problems.</b></h3>
</li>
</ul>
<h4>Mailing List Archive Search</h4>
<h3> </h3>
<ul>
<li>
<h3><b>The <a href="troubleshoot.htm">Troubleshooting</a> Information
contains a number of tips to help you solve common problems.</b></h3>
</li>
</ul>
<h3> </h3>
<ul>
<li>
<h3><b>The <a href="errata.htm"> Errata</a> has links to download
updated components.</b></h3>
</li>
</ul>
<h3> </h3>
<ul>
<li>
<h3><b>The Mailing List Archives search facility can locate posts
about similar problems:</b></h3>
</li>
</ul>
<h2> </h2>
<h2>Mailing List Archive Search</h2>
<form method="post" action="http://www.shorewall.net/cgi-bin/htsearch">
<p> <font size="-1"> Match:
<select name="method">
<option value="and">All </option>
<option value="or">Any </option>
<option value="boolean">Boolean </option>
</select>
Format:
<select name="format">
<option value="builtin-long">Long </option>
<option value="builtin-short">Short </option>
</select>
Sort by:
<select name="sort">
<option value="score">Score </option>
<option value="time">Time </option>
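Review bot: in the new "There are a number of sources for problem solution information" heading the bold tag opens after the first letter ("T<b>here are a number ..."), so only "here are ..." is bold; move the "<b>" before the "T", or drop it entirely since "<h3>" already renders bold. Also, "Wietse Venem" in the "It irks me when people believe that free software comes at no cost" quote should be "Wietse Venema" (it is spelled correctly in the first quote), and the empty "<h3> </h3>" elements inserted between the single-item "<ul>" lists are spacers; one "<ul>" holding all four items would avoid them.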
@ -88,76 +125,163 @@ about similar problems:</li>
<option value="revtime">Reverse Time </option>
<option value="revtitle">Reverse Title </option>
</select>
</font> <input type="hidden" name="config" value="htdig"> <input
type="hidden" name="restrict"
</font> <input type="hidden" name="config"
value="htdig"> <input type="hidden" name="restrict"
value="[http://www.shorewall.net/pipermail/.*]"> <input type="hidden"
name="exclude" value=""> <br>
Search: <input type="text" size="30" name="words" value=""> <input
type="submit" value="Search"> </p>
Search: <input type="text" size="30" name="words"
value=""> <input type="submit" value="Search"> </p>
</form>
<h3 align="left">Problem Reporting Guideline</h3>
<h2>Problem Reporting Guidelines</h2>
<i>"Let me see if I can translate your message into a real-world example. 
It would be like saying that you have three rooms at home, and when you
walk into one of the rooms, you detect this strange smell.  Can anyone tell
you what that strange smell is?<br>
<br>
Now, all of us could do some wonderful guessing as to the smell and even
what's causing it.  You would be absolutely amazed at the range and variety
of smells we could come up with.  Even more amazing is that all of the explanations
for the smells would be completely plausible."<br>
</i><br>
<div align="center">   - Russell Mosemann<br>
</div>
<br>
<h3> </h3>
<ul>
<li>When reporting a problem, give as much information as you can.
Reports that say "I tried XYZ and it didn't work" are not at all helpful.</li>
<li>Please don't describe your environment and then ask us to send
you custom configuration files. We're here to answer your questions
but we can't do your job for you.</li>
<li>Do you see any "Shorewall" messages in /var/log/messages
when you exercise the function that is giving you problems?</li>
<li>Have you looked at the packet flow with a tool like tcpdump
to try to understand what is going on?</li>
<li>Have you tried using the diagnostic capabilities of the
application that isn't working? For example, if "ssh" isn't able
to connect, using the "-v" option gives you a lot of valuable diagnostic
information.</li>
<li>Please include any of the Shorewall configuration files (especially
the /etc/shorewall/hosts file if you have modified that file) that you
think are relevant. If an error occurs when you try to "shorewall start",
include a trace (See the <a href="troubleshoot.htm">Troubleshooting</a>
section for instructions).</li>
<li>The list server limits posts to 120kb so don't post GIFs of
your network layout, etc to the Mailing List -- your post will
be rejected.</li>
<li>
<h3><b>When reporting a problem, give as much information as you can.
Reports that say "I tried XYZ and it didn't work" are not at all helpful.</b></h3>
</li>
</ul>
<h3>Where to Send your Problem Report or to Ask for Help</h3>
<b>If you run Shorewall on Mandrake 9.0 </b>-- send your problem
reports and questions to MandrakeSoft. I ordered a Mandrake 9.0 boxed set
on October 3, 2002; MandrakeSoft issued a charge against my credit card
on October 4, 2002 (they are really effecient at that part of the order
process) and I haven't heard a word from them since (although their news
letters boast that 9.0 boxed sets have been shipping for the last two weeks).
If they can't fill my 9.0 order within <u>6 weeks after they have billed
my credit card</u> then I refuse to spend my free time supporting of their
product for them.<br>
<h3> </h3>
<h4>If you run Shorewall under Bering -- <span style="font-weight: 400;">please
post your question or problem to the <a
href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing list</a>.</span></h4>
<ul>
<li>
<h3><b>Please don't describe your environment and then ask us to send
you custom configuration files. We're here to answer your
questions but we can't do your job for you.</b></h3>
</li>
</ul>
<h3> </h3>
<ul>
<li>
<h3><b>Do you see any "Shorewall" messages in /var/log/messages
when you exercise the function that is giving you problems?</b></h3>
</li>
</ul>
<h3> </h3>
<ul>
<li>
<h3><b>Have you looked at the packet flow with a tool like tcpdump
to try to understand what is going on?</b></h3>
</li>
</ul>
<h3> </h3>
<ul>
<li>
<h3><b>Have you tried using the diagnostic capabilities of the
application that isn't working? For example, if "ssh" isn't able
to connect, using the "-v" option gives you a lot of valuable diagnostic
information.</b></h3>
</li>
</ul>
<h3> </h3>
<ul>
<li>
<h3><b>Please include any of the Shorewall configuration files (especially
the /etc/shorewall/hosts file if you have modified that file)
that you think are relevant.</b></h3>
</li>
<li>
<h3><b>If an error occurs when you try to "shorewall start", include
a trace (See the <a href="troubleshoot.htm">Troubleshooting</a> section
for instructions).</b></h3>
</li>
</ul>
<h3> </h3>
<ul>
<li>
<h3><b>The list server limits posts to 120kb so don't post GIFs of
your network layout, etc to the Mailing List -- your post
will be rejected.</b></h3>
</li>
</ul>
<h3> </h3>
<h2>Please post in plain text</h2>
<blockquote>
<h3><b> While the list server here at shorewall.net accepts and distributes
HTML posts, a growing number of MTAs serving list subscribers are rejecting
this HTML list traffic. At least one MTA has gone so far as to blacklist
shorewall.net "for continuous abuse"!!</b></h3>
<h3><b> I think that blocking all HTML is a rather draconian way to control
spam and that the unltimate loser here is not the spammers but the list subscribers
whose MTAs are bouncing all shorewall.net mail. Nevertheless, all of you can
help by restricting your list posts to plain text.</b></h3>
<h3><b> And as a bonus, subscribers who use email clients like pine and
mutt will be able to read your plain text posts whereas they are most likely
simply ignoring your HTML posts.</b></h3>
<h3><b> A final bonus for the use of HTML is that it cuts down the size
of messages by a large percentage -- that is important when the same message
must be sent 500 times over the slow DSL line connecting the list server
to the internet.</b> </h3>
</blockquote>
<h2>Where to Send your Problem Report or to Ask for Help</h2>
<h3></h3>
<blockquote>
<h4>If you run Shorewall under Bering -- <span
style="font-weight: 400;">please post your question or problem
to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing
list</a>.</span></h4>
<p>Otherwise, please post your question or problem to the <a
href="mailto:shorewall-users@shorewall.net">Shorewall users mailing list</a>;
there are lots of folks there who are willing to help you. Your question/problem
description and their responses will be placed in the mailing list archives
to help people who have a similar question or problem in the future.</p>
href="mailto:shorewall-users@shorewall.net">Shorewall users mailing list.</a></p>
</blockquote>
<p>I don't look at problems sent to me directly but I try to spend some amount
of time each day responding to problems posted on the mailing list.</p>
<p align="center"><a href="mailto:teastep@shorewall.net">-Tom</a></p>
<p align="center"><big><font color="#ff0000"><b></b></font></big></p>
<p>To Subscribe to the mailing list go to <a
href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a>
.</p>
<p align="left"><font size="2">Last Updated 11/19//2002 - Tom Eastep</font></p>
<p align="left"><font size="2">Last Updated 12/27/2002 - Tom Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
</p>
<br>
<br>
<br>
<br>
<br>
</body>
</html>
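Review bot: the fragment "href="mailto:shorewall-users@shorewall.net">Shorewall users mailing list.</a></p>" that follows the closing </p> of the "Otherwise, please post your question or problem..." paragraph has no opening <a tag, so if it is the line that survives it renders as literal text; it repeats the link already in that paragraph and should be dropped. In the "Please post in plain text" block, "A final bonus for the use of HTML is that it cuts down the size of messages" says the opposite of what the paragraph argues; it should read "for the use of plain text". The request that Bering users post to the LEAF list appears twice (once above the checklist and again under "Where to Send your Problem Report"), so keep one copy. Spelling: "effecient", "unltimate", and "supporting of their product" (drop "of"); the new "Last Updated 12/27/2002" line correctly replaces the old one with the doubled slash in "11/19//2002".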

View File

@ -39,11 +39,12 @@
in one of its more popular configurations:</p>
<ul>
<li>Linux system used as a firewall/router for a small local network.</li>
<li>Linux system used as a firewall/router for a small local
network.</li>
<li>Single public IP address.</li>
<li>DMZ connected to a separate ethernet interface.</li>
<li>Connection through DSL, Cable Modem, ISDN, Frame Relay, dial-up,
...</li>
<li>Connection through DSL, Cable Modem, ISDN, Frame Relay,
dial-up, ...</li>
</ul>
@ -55,43 +56,47 @@
<p>This guide assumes that you have the iproute/iproute2 package installed
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell
if this package is installed by the presence of an <b>ip</b> program on
your firewall system. As root, you can use the 'which' command to check
for this program:</p>
if this package is installed by the presence of an <b>ip</b> program
on your firewall system. As root, you can use the 'which' command to
check for this program:</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
<p>I recommend that you first read through the guide to familiarize yourself
with what's involved then go back through it again making your configuration
changes. Points at which configuration changes are recommended are flagged
with <img border="0" src="images/BD21298_.gif" width="13" height="13">
changes. Points at which configuration changes are recommended are
flagged with <img border="0" src="images/BD21298_.gif" width="13"
height="13">
</p>
<p><img border="0" src="images/j0213519.gif" width="60" height="60">
    If you edit your configuration files on a Windows system, you
must save them as Unix files if your editor supports that option or you
must run them through dos2unix before trying to use them. Similarly, if
you copy a configuration file from your Windows hard drive to a floppy disk,
you must run dos2unix against the copy before using it with Shorewall.</p>
    If you edit your configuration files on a Windows system,
you must save them as Unix files if your editor supports that option
or you must run them through dos2unix before trying to use them. Similarly,
if you copy a configuration file from your Windows hard drive to a floppy
disk, you must run dos2unix against the copy before using it with Shorewall.</p>
<ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
of dos2unix</a></li>
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows
Version of dos2unix</a></li>
<li><a
href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version
of dos2unix</a></li>
</ul>
<h2 align="left">Shorewall Concepts</h2>
<p>The configuration files for Shorewall are contained in the directory
/etc/shorewall -- for simple setups, you will only need to deal with a few
of these as described in this guide. After you have <a
href="Install.htm">installed Shorewall</a>, download the <a
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
alt="">
    The configuration files for Shorewall are contained in the directory
/etc/shorewall -- for simple setups, you will only need to deal with a
few of these as described in this guide. After you have <a
href="Install.htm">installed Shorewall</a>, <b>download the <a
href="/pub/shorewall/LATEST.samples/three-interfaces.tgz">three-interface
sample</a>, un-tar it (tar -zxvf three-interfaces.tgz) and and copy the
files to /etc/shorewall (the files will replace files with the same names
that were placed in /etc/shorewall when Shorewall was installed).</p>
sample</a>, un-tar it (tar -zxvf three-interfaces.tgz) and and copy
the files to /etc/shorewall (the files will replace files with the same
names that were placed in /etc/shorewall when Shorewall was installed)</b>.</p>
<p>As each file is introduced, I suggest that you look through the actual
file on your system -- each file contains detailed configuration instructions
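Review bot: the doubled word in "un-tar it (tar -zxvf three-interfaces.tgz) and and copy the files to /etc/shorewall" is carried over into the reflowed, now bold, sentence; change it to "and copy". The sentence "Points at which configuration changes are recommended are flagged with <img ...>" still ends on the image with no period; add one after the tag so the paragraph does not run into the next one.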
@ -133,11 +138,11 @@ following zone names are used:</p>
in terms of zones.</p>
<ul>
<li>You express your default policy for connections from one zone
to another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
<li>You express your default policy for connections from one
zone to another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
</a>file.</li>
<li>You define exceptions to those default policies in the <a
href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
<li>You define exceptions to those default policies in the
<a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
</ul>
@ -190,8 +195,8 @@ following zone names are used:</p>
<blockquote>
<p>In the three-interface sample, the line below is included but commented
out. If you want your firewall system to have full access to servers on
the internet, uncomment that line.</p>
out. If you want your firewall system to have full access to servers
on the internet, uncomment that line.</p>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber3">
@ -218,10 +223,10 @@ following zone names are used:</p>
<p>The above policy will:</p>
<ol>
<li>allow all connection requests from your local network to the
internet</li>
<li>drop (ignore) all connection requests from the internet to
your firewall or local network</li>
<li>allow all connection requests from your local network to
the internet</li>
<li>drop (ignore) all connection requests from the internet
to your firewall or local network</li>
<li>optionally accept all connection requests from the firewall
to the internet (if you uncomment the additional policy)</li>
<li>reject all other connection requests.</li>
@ -243,10 +248,10 @@ any changes that you wish.</p>
will be the ethernet adapter that is connected to that "Modem" (e.g.,
<b>eth0</b>)  <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint
<u>P</u>rotocol over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint
<u>T</u>unneling <u>P</u>rotocol </i>(PPTP) in which case the External Interface
will be a ppp interface (e.g., <b>ppp0</b>). If you connect via a regular
modem, your External Interface will also be <b>ppp0</b>. If you connect
using ISDN, you external interface will be <b>ippp0.</b></p>
<u>T</u>unneling <u>P</u>rotocol </i>(PPTP) in which case the External
Interface will be a ppp interface (e.g., <b>ppp0</b>). If you connect via
a regular modem, your External Interface will also be <b>ppp0</b>. If you
connect using ISDN, you external interface will be <b>ippp0.</b></p>
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13">
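Review bot: "If you connect using ISDN, you external interface will be ippp0" keeps the typo from the old line; it should be "your external interface". The period is also inside the bold tag ("<b>ippp0.</b>"); move it outside so only the interface name is emphasized, matching "<b>ppp0</b>" earlier in the same paragraph.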
@ -255,32 +260,32 @@ using ISDN, you external interface will be <b>ippp0.</b></p>
href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf.</a></p>
<p align="left">Your <i>Local Interface</i> will be an ethernet adapter (eth0,
eth1 or eth2) and will be connected to a hub or switch. Your local computers
will be connected to the same switch (note: If you have only a single
local system, you can connect the firewall directly to the computer using
a <i>cross-over </i> cable).</p>
eth1 or eth2) and will be connected to a hub or switch. Your local
computers will be connected to the same switch (note: If you have only
a single local system, you can connect the firewall directly to the
computer using a <i>cross-over </i> cable).</p>
<p align="left">Your <i>DMZ Interface</i> will also be an ethernet adapter
(eth0, eth1 or eth2) and will be connected to a hub or switch. Your DMZ
computers will be connected to the same switch (note: If you have only
a single DMZ system, you can connect the firewall directly to the computer
using a <i>cross-over </i> cable).</p>
(eth0, eth1 or eth2) and will be connected to a hub or switch. Your
DMZ computers will be connected to the same switch (note: If you have
only a single DMZ system, you can connect the firewall directly to the
computer using a <i>cross-over </i> cable).</p>
<p align="left"><u><b> <img border="0" src="images/j0213519.gif"
width="60" height="60">
</b></u>Do not connect more than one interface to the same hub or
switch (even for testing). It won't work the way that you expect it to
and you will end up confused and believing that Shorewall doesn't work
at all.</p>
</b></u>Do not connect more than one interface to the same hub
or switch (even for testing). It won't work the way that you expect it
to and you will end up confused and believing that Shorewall doesn't
work at all.</p>
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13">
    The Shorewall three-interface sample configuration assumes that
the external interface is <b>eth0, </b>the local interface is <b>eth1
    The Shorewall three-interface sample configuration assumes
that the external interface is <b>eth0, </b>the local interface is <b>eth1
</b>and the DMZ interface is <b> eth2</b>. If your configuration is different,
you will have to modify the sample /etc/shorewall/interfaces file accordingly.
While you are there, you may wish to review the list of options that are
specified for the interfaces. Some hints:</p>
While you are there, you may wish to review the list of options that
are specified for the interfaces. Some hints:</p>
<ul>
<li>
@ -289,8 +294,8 @@ at all.</p>
</li>
<li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>
or if you have a static IP address, you can remove "dhcp" from the option
list. </p>
or if you have a static IP address, you can remove "dhcp" from the
option list. </p>
</li>
</ul>
@ -298,17 +303,18 @@ at all.</p>
<h2 align="left">IP Addresses</h2>
<p align="left">Before going further, we should say a few words about Internet
Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you a single
<i> Public</i> IP address. This address may be assigned via the<i> Dynamic
Host Configuration Protocol</i> (DHCP) or as part of establishing your
connection when you dial in (standard modem) or establish your PPP connection.
In rare cases, your ISP may assign you a<i> static</i> IP address; that
means that you configure your firewall's external interface to use that
address permanently.<i> </i>Regardless of how the address is assigned,
it will be shared by all of your systems when you access the Internet.
You will have to assign your own addresses for your internal network (the
local and DMZ Interfaces on your firewall plus your other computers). RFC
1918 reserves several <i>Private </i>IP address ranges for this purpose:</p>
Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you
a single <i> Public</i> IP address. This address may be assigned via
the<i> Dynamic Host Configuration Protocol</i> (DHCP) or as part of
establishing your connection when you dial in (standard modem) or establish
your PPP connection. In rare cases, your ISP may assign you a<i> static</i>
IP address; that means that you configure your firewall's external interface
to use that address permanently.<i> </i>Regardless of how the address is
assigned, it will be shared by all of your systems when you access the
Internet. You will have to assign your own addresses for your internal
network (the local and DMZ Interfaces on your firewall plus your other
computers). RFC 1918 reserves several <i>Private </i>IP address ranges for
this purpose:</p>
<div align="left">
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
@ -331,10 +337,10 @@ range of addresses x.y.z.0 - x.y.z.255. Such a subnet will have a <i>Subnet
Mask </i>of 255.255.255.0. The address x.y.z.0 is reserved as the <i>Subnet
Address</i> and x.y.z.255 is reserved as the <i>Subnet Broadcast</i>
<i>Address</i>. In Shorewall, a subnet is described using <a
href="subnet_masks.htm"><i>Classless InterDomain Routing </i>(CIDR)</a>
notation with consists of the subnet address followed by "/24". The "24"
refers to the number of consecutive "1" bits from the left of the subnet
mask. </p>
href="shorewall_setup_guide.htm#Subnets"><i>Classless InterDomain Routing
</i>(CIDR)</a> notation with consists of the subnet address followed
by "/24". The "24" refers to the number of consecutive "1" bits from
the left of the subnet mask. </p>
</div>
<div align="left">
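Review bot: "notation with consists of the subnet address followed by "/24"" survives the reflow unchanged; it should be "which consists". The link target moves from subnet_masks.htm to shorewall_setup_guide.htm#Subnets, so confirm that an anchor named "Subnets" exists in that file; a missing fragment anchor fails silently and just lands the reader at the top of the page.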
@ -384,16 +390,16 @@ mask. </p>
<div align="left">
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13">
    Your local computers (Local Computers 1 &amp; 2) should be
configured with their<i> default gateway</i> set to the IP address of
the firewall's internal interface and your DMZ computers ( DMZ Computers
1 &amp; 2) should be configured with their default gateway set to the
IP address of the firewall's DMZ interface.   </p>
    Your local computers (Local Computers 1 &amp; 2) should
be configured with their<i> default gateway</i> set to the IP address
of the firewall's internal interface and your DMZ computers ( DMZ
Computers 1 &amp; 2) should be configured with their default gateway
set to the IP address of the firewall's DMZ interface.   </p>
</div>
<p align="left">The foregoing short discussion barely scratches the surface
regarding subnetting and routing. If you are interested in learning more
about IP addressing and routing, I highly recommend <i>"IP Fundamentals:
regarding subnetting and routing. If you are interested in learning
more about IP addressing and routing, I highly recommend <i>"IP Fundamentals:
What Everyone Needs to Know about Addressing &amp; Routing",</i> Thomas
A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
@ -410,24 +416,24 @@ IP address of the firewall's DMZ interface.
<h2 align="left">IP Masquerading (SNAT)</h2>
<p align="left">The addresses reserved by RFC 1918 are sometimes referred
to as <i>non-routable</i> because the Internet backbone routers don't forward
packets which have an RFC-1918 destination address. When one of your
local systems (let's assume local computer 1) sends a connection request
to an internet host, the firewall must perform <i>Network Address Translation
</i>(NAT). The firewall rewrites the source address in the packet to be
the address of the firewall's external interface; in other words, the firewall
makes it look as if the firewall itself is initiating the connection. 
This is necessary so that the destination host will be able to route return
packets back to the firewall (remember that packets whose destination
address is reserved by RFC 1918 can't be routed accross the internet).
When the firewall receives a return packet, it rewrites the destination
address back to 10.10.10.1 and forwards the packet on to local computer
1. </p>
to as <i>non-routable</i> because the Internet backbone routers don't
forward packets which have an RFC-1918 destination address. When one
of your local systems (let's assume local computer 1) sends a connection
request to an internet host, the firewall must perform <i>Network Address
Translation </i>(NAT). The firewall rewrites the source address in the
packet to be the address of the firewall's external interface; in other
words, the firewall makes it look as if the firewall itself is initiating
the connection.  This is necessary so that the destination host will be
able to route return packets back to the firewall (remember that packets
whose destination address is reserved by RFC 1918 can't be routed accross
the internet). When the firewall receives a return packet, it rewrites
the destination address back to 10.10.10.1 and forwards the packet on
to local computer 1. </p>
<p align="left">On Linux systems, the above process is often referred to as<i>
IP Masquerading</i> and you will also see the term <i>Source Network Address
Translation </i>(SNAT) used. Shorewall follows the convention used with
Netfilter:</p>
<p align="left">On Linux systems, the above process is often referred to
as<i> IP Masquerading</i> and you will also see the term <i>Source Network
Address Translation </i>(SNAT) used. Shorewall follows the convention used
with Netfilter:</p>
<ul>
<li>
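Review bot: "can't be routed accross the internet" keeps the misspelling in the reflowed text; "across". The sentence "it rewrites the destination address back to 10.10.10.1 and forwards the packet on to local computer 1" introduces a concrete address without saying where it comes from; check that 10.10.10.1 is the address assigned to Local Computer 1 in the addressing section of this guide, or say "back to local computer 1's address" so the example cannot drift out of sync with that section.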
@ -437,8 +443,8 @@ address back to 10.10.10.1 and forwards the packet on to local computer
</li>
<li>
<p align="left"><i>SNAT</i> refers to the case when you explicitly specify
the source address that you want outbound packets from your local network
to use. </p>
the source address that you want outbound packets from your local
network to use. </p>
</li>
</ul>
@ -449,8 +455,8 @@ address back to 10.10.10.1 and forwards the packet on to local computer
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13">
    If your external firewall interface is <b>eth0</b>, your local
interface <b>eth1 </b>and your DMZ interface is <b>eth2</b> then you do
not need to modify the file provided with the sample. Otherwise, edit
interface <b>eth1 </b>and your DMZ interface is <b>eth2</b> then you
do not need to modify the file provided with the sample. Otherwise, edit
/etc/shorewall/masq and change it to match your configuration.</p>
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
@ -458,19 +464,34 @@ address back to 10.10.10.1 and forwards the packet on to local computer
    If your external IP is static, you can enter it in the third
column in the /etc/shorewall/masq entry if you like although your firewall
will work fine if you leave that column empty. Entering your static IP
in column 3 makes processing outgoing packets a little more efficient.
in column 3 makes <br>
processing outgoing packets a little more efficient.<br>
</p>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13" alt="">
    If you are using the Debian package, please check your shorewall.conf
file to ensure that the following are set correctly; if they are not, change
them appropriately:<br>
</p>
<ul>
<li>NAT_ENABLED=Yes</li>
<li>IP_FORWARDING=On<br>
</li>
</ul>
<h2 align="left">Port Forwarding (DNAT)</h2>
<p align="left">One of your goals will be to run one or more servers on your
DMZ computers. Because these computers have RFC-1918 addresses, it is not
possible for clients on the internet to connect directly to them. It
is rather necessary for those clients to address their connection requests
to your firewall who rewrites the destination address to the address of
your server and forwards the packet to that server. When your server responds,
the firewall automatically performs SNAT to rewrite the source address
in the response.</p>
DMZ computers. Because these computers have RFC-1918 addresses, it is
not possible for clients on the internet to connect directly to them.
It is rather necessary for those clients to address their connection
requests to your firewall who rewrites the destination address to the
address of your server and forwards the packet to that server. When your
server responds, the firewall automatically performs SNAT to rewrite
the source address in the response.</p>
<p align="left">The above process is called<i> Port Forwarding</i> or <i>
Destination Network Address Translation</i> (DNAT). You configure port
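Review bot: the new "<br>" inserted in the middle of "Entering your static IP in column 3 makes <br> processing outgoing packets a little more efficient." forces a line break mid-sentence; remove it, and the trailing "<br>" before "</p>" is redundant as well. The added Debian note lists "NAT_ENABLED=Yes" and "IP_FORWARDING=On" as settings to verify but gives no hint of the symptom when they are wrong; one sentence saying what fails (masquerading entries in /etc/shorewall/masq having no effect, or local/DMZ traffic not being forwarded) would let a reader recognize the problem instead of rechecking the file blindly. In the DNAT paragraph, "your firewall who rewrites the destination address" should be "which rewrites".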
@ -507,8 +528,8 @@ in the response.</p>
</table>
</blockquote>
<p>If you don't specify the <i>&lt;server port&gt;</i>, it is assumed to be
the same as <i>&lt;port&gt;</i>.</p>
<p>If you don't specify the <i>&lt;server port&gt;</i>, it is assumed to
be the same as <i>&lt;port&gt;</i>.</p>
<p>Example - you run a Web Server on DMZ 2 and you want to forward incoming
TCP port 80 to that system:</p>
@ -554,9 +575,9 @@ the same as <i>&lt;port&gt;</i>.</p>
<ul>
<li>When you are connecting to your server from your local systems,
you must use the server's internal IP address (10.10.11.2).</li>
<li>Many ISPs block incoming connection requests to port 80. If
you have problems connecting to your web server, try the following rule
and try connecting to port 5000 (e.g., connect to <a
<li>Many ISPs block incoming connection requests to port 80.
If you have problems connecting to your web server, try the following
rule and try connecting to port 5000 (e.g., connect to <a
href="http://w.x.y.z:5000"> http://w.x.y.z:5000</a> where w.x.y.z is your
external IP).</li>
@ -590,8 +611,8 @@ and try connecting to port 5000 (e.g., connect to <a
</blockquote>
<p>If you want to be able to access your server from the local network using
your external address, then if you have a static external IP you can replace
the loc-&gt;dmz rule above with:</p>
your external address, then if you have a static external IP you can
replace the loc-&gt;dmz rule above with:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -621,8 +642,8 @@ and try connecting to port 5000 (e.g., connect to <a
</blockquote>
<p>If you have a dynamic ip then you must ensure that your external interface
is up before starting Shorewall and you must take steps as follows (assume
that your external interface is <b>eth0</b>):</p>
is up before starting Shorewall and you must take steps as follows
(assume that your external interface is <b>eth0</b>):</p>
<ol>
<li>Include the following in /etc/shorewall/params:<br>
@ -673,35 +694,36 @@ address, see <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p>
<p align="left">Normally, when you connect to your ISP, as part of getting
an IP address your firewall's <i>Domain Name Service </i>(DNS) resolver
will be automatically configured (e.g., the /etc/resolv.conf file will
be written). Alternatively, your ISP may have given you the IP address of
a pair of DNS <i> name servers</i> for you to manually configure as your
primary and secondary name servers. It is <u>your</u> responsibility to
configure the resolver in your internal systems. You can take one of two
approaches:</p>
be written). Alternatively, your ISP may have given you the IP address
of a pair of DNS <i> name servers</i> for you to manually configure as
your primary and secondary name servers. It is <u>your</u> responsibility
to configure the resolver in your internal systems. You can take one
of two approaches:</p>
<ul>
<li>
<p align="left">You can configure your internal systems to use your ISP's
name servers. If you ISP gave you the addresses of their servers or
if those addresses are available on their web site, you can configure
your internal systems to use those addresses. If that information isn't
available, look in /etc/resolv.conf on your firewall system -- the name
servers are given in "nameserver" records in that file. </p>
name servers. If you ISP gave you the addresses of their servers
or if those addresses are available on their web site, you can configure
your internal systems to use those addresses. If that information
isn't available, look in /etc/resolv.conf on your firewall system
-- the name servers are given in "nameserver" records in that file.
</p>
</li>
<li>
<p align="left"><img border="0" src="images/BD21298_2.gif"
width="13" height="13">
    You can configure a<i> Caching Name Server </i>on your firewall
or in your DMZ.<i> </i>Red Hat has an RPM for a caching name server (which
also requires the 'bind' RPM) and for Bering users, there is dnscache.lrp.
If you take this approach, you configure your internal systems to use
the caching name server as their primary (and only) name server. You use
the internal IP address of the firewall (10.10.10.254 in the example above)
for the name server address if you choose to run the name server on
your firewall. To allow your local systems to talk to your caching name
server, you must open port 53 (both UDP and TCP) from the local network
to the server; you do that by adding the rules in /etc/shorewall/rules.
</p>
or in your DMZ.<i> </i>Red Hat has an RPM for a caching name server
(which also requires the 'bind' RPM) and for Bering users, there
is dnscache.lrp. If you take this approach, you configure your internal
systems to use the caching name server as their primary (and only)
name server. You use the internal IP address of the firewall (10.10.10.254
in the example above) for the name server address if you choose to
run the name server on your firewall. To allow your local systems to talk
to your caching name server, you must open port 53 (both UDP and TCP)
from the local network to the server; you do that by adding the rules
in /etc/shorewall/rules. </p>
</li>
</ul>
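Review bot: "If you ISP gave you the addresses of their servers" keeps the typo; "your ISP". The caching-name-server item ends with "you do that by adding the rules in /etc/shorewall/rules", which reads as though the port 53 rules are already present in the file; "by adding the following rules to /etc/shorewall/rules" (or a pointer to where the UDP and TCP port 53 rules appear later in the guide) makes clear that the reader must write them.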
@ -917,8 +939,8 @@ to the server; you do that by adding the rules in /etc/shorewall/rules.
<div align="left">
<p align="left">That rule allows you to run an SSH server on your firewall
and in each of your DMZ systems and to connect to those servers from
your local systems.</p>
and in each of your DMZ systems and to connect to those servers
from your local systems.</p>
</div>
<div align="left">
@ -1004,14 +1026,14 @@ to the server; you do that by adding the rules in /etc/shorewall/rules.
</div>
<div align="left">
<p align="left">If you don't know what port and protocol a particular application
uses, look <a href="ports.htm">here</a>.</p>
<p align="left">If you don't know what port and protocol a particular
application uses, look <a href="ports.htm">here</a>.</p>
</div>
<div align="left">
<p align="left"><b>Important: </b>I don't recommend enabling telnet to/from
the internet because it uses clear text (even for login!). If you want
shell access to your firewall from the internet, use SSH:</p>
the internet because it uses clear text (even for login!). If you
want shell access to your firewall from the internet, use SSH:</p>
</div>
<div align="left">
@ -1073,8 +1095,8 @@ uses, look <a href="ports.htm">here</a>.</p>
<div align="left">
<p align="left">The firewall is started using the "shorewall start" command
and stopped using "shorewall stop". When the firewall is stopped, routing
is enabled on those hosts that have an entry in <a
and stopped using "shorewall stop". When the firewall is stopped,
routing is enabled on those hosts that have an entry in <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A
running firewall may be restarted using the "shorewall restart" command.
If you want to totally remove any trace of Shorewall from your Netfilter
@ -1093,16 +1115,16 @@ of hosts, modify /etc/shorewall/routestopped accordingly.</p>
<div align="left">
<p align="left"><b>WARNING: </b>If you are connected to your firewall from
the internet, do not issue a "shorewall stop" command unless you have
added an entry for the IP address that you are connected from to <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
the internet, do not issue a "shorewall stop" command unless you
have added an entry for the IP address that you are connected from
to <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better to create
an <i><a href="configuration_file_basics.htm#Configs">alternate configuration</a></i>
and test it using the <a
href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p>
</div>
<p align="left"><font size="2">Last updated 11/21/2002 - <a
<p align="left"><font size="2">Last updated 12/20/2002 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas
@ -1115,5 +1137,8 @@ of hosts, modify /etc/shorewall/routestopped accordingly.</p>
<br>
<br>
<br>
<br>
<br>
<br>
</body>
</html>

View File

@ -20,6 +20,7 @@
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Traffic Shaping/Control</font></h1>
</td>
</tr>
@ -37,12 +38,12 @@ to provide the "ip" and "tc" utilities.</p>
<p align="left">Shorewall traffic shaping support consists of the following:</p>
<ul>
<li>A new TC_ENABLED parameter in /etc/shorewall.conf. Traffic Shaping
also requires that you enable packet mangling.<br>
<li>A new TC_ENABLED parameter in /etc/shorewall.conf. Traffic
Shaping also requires that you enable packet mangling.<br>
</li>
<li>/etc/shorewall/tcrules - A file where you can specify firewall
marking of packets. The firewall mark value may be used to classify packets
for traffic shaping/control.<br>
marking of packets. The firewall mark value may be used to classify
packets for traffic shaping/control.<br>
</li>
<li>/etc/shorewall/tcstart - A user-supplied file that is sourced
by Shorewall during "shorewall start" and which you can use to define
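Review bot: "/etc/shorewall.conf" in the reflowed first bullet is the wrong path and the reflow was a chance to fix it; the file is /etc/shorewall/shorewall.conf, which is how the other pages touched by this commit link it ("/etc/shorewall/shorewall.conf" with href="Documentation.htm#Conf"). The tcrules paragraph later on this page also links the file as "shorewall.conf"; using the full path in both places avoids sending readers to a file that does not exist.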
@ -52,13 +53,24 @@ your traffic shaping disciplines and classes. I have provided a <a
the HOWTO mentioned above, you can probably code your own faster than
you can learn how to use my sample. I personally use <a
href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB</a> (see below). HTB
support may eventually become an integral part of Shorewall since HTB
is a lot simpler and better-documented than CBQ. HTB is currently not
a standard part of either the kernel or iproute2 so both must be patched
in order to use it.<br>
support may eventually become an integral part of Shorewall since
HTB is a lot simpler and better-documented than CBQ. As of 2.4.20,
HTB is a standard part of the kernel but iproute2 must be patched in
order to use it.<br>
<br>
In tcstart, when you want to run the 'tc' utility, use the run_tc function
supplied by shorewall. <br>
In tcstart, when you want to run the 'tc' utility, use the run_tc
function supplied by shorewall if you want tc errors to stop the firewall.<br>
<br>
You can generally use off-the-shelf traffic shaping scripts by simply copying
them to /etc/shorewall/tcstart. I use <a
href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (HTB version)
that way (i.e., I just copied wshaper.htb to /etc/shorewall/tcstart and
modified it according to the Wonder Shaper README). <b>WARNING: </b>If you
use use Masquerading or SNAT (i.e., you only have one external IP address)
then listing internal hosts in the NOPRIOHOSTSRC variable in the wshaper[.htb]
script won't work. Traffic shaping occurs after SNAT has already been applied
so when traffic shaping happens, all outbound traffic will have as a source
address the IP addresss of your firewall's external interface.<br>
</li>
<li>/etc/shorewall/tcclear - A user-supplied file that is sourced
by Shorewall when it is clearing traffic shaping. This file is normally
@ -78,8 +90,16 @@ is pretty general.</li>
<h3 align="left"><a name="tcrules"></a>/etc/shorewall/tcrules</h3>
<p align="left">The fwmark classifier provides a convenient way to classify
packets for traffic shaping. The /etc/shorewall/tcrules file provides a
means for specifying these marks in a tabular fashion.</p>
packets for traffic shaping. The /etc/shorewall/tcrules file provides
a means for specifying these marks in a tabular fashion.<br>
</p>
<p align="left">Normally, packet marking occurs in the PREROUTING chain before
any address rewriting takes place. This makes it impossible to mark inbound
packets based on their destination address when SNAT or Masquerading are
being used. Beginning with Shorewall 1.3.12, you can cause packet marking
to occur in the FORWARD chain by using the MARK_IN_FORWARD_CHAIN option in
<a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
</p>
<p align="left">Columns in the file are as follows:</p>
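Review bot: the new MARK_IN_FORWARD_CHAIN paragraph says where marking moves but not which packets it still covers. The SOURCE column accepts "fw" for packets that originate on the firewall, and the FORWARD chain only sees packets routed through the firewall, so the paragraph should state what happens to "fw" entries, and to packets addressed to the firewall itself, when the option is set: are they marked in their original chain, or not marked at all? Without that, a reader who enables the option to fix inbound classification may lose the mark-3 rule of Example 1 without any warning at start time. Separately, the hunk inserts a bare "<br>" before "</p>" in both paragraphs; it only adds a blank line below the text and should be dropped.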
@ -89,35 +109,35 @@ a match. This is an integer in the range 1-255.<br>
<br>
Example - 5<br>
</li>
<li>SOURCE - The source of the packet. If the packet originates on
the firewall, place "fw" in this column. Otherwise, this is a comma-separated
list of interface names, IP addresses, MAC addresses in <a
href="Documentation.htm#MAC">Shorewall Format</a> and/or Subnets.<br>
<li>SOURCE - The source of the packet. If the packet originates
on the firewall, place "fw" in this column. Otherwise, this is a
comma-separated list of interface names, IP addresses, MAC addresses in
<a href="Documentation.htm#MAC">Shorewall Format</a> and/or Subnets.<br>
<br>
Examples<br>
    eth0<br>
    192.168.2.4,192.168.1.0/24<br>
</li>
<li>DEST -- Destination of the packet. Comma-separated list of IP
addresses and/or subnets.<br>
<li>DEST -- Destination of the packet. Comma-separated list of
IP addresses and/or subnets.<br>
</li>
<li>PROTO - Protocol - Must be the name of a protocol from /etc/protocol,
a number or "all"<br>
<li>PROTO - Protocol - Must be the name of a protocol from
/etc/protocol, a number or "all"<br>
</li>
<li>PORT(S) - Destination Ports. A comma-separated list of Port names
(from /etc/services), port numbers or port ranges (e.g., 21:22); if the
protocol is "icmp", this column is interpreted as the destination icmp
type(s).<br>
<li>PORT(S) - Destination Ports. A comma-separated list of Port
names (from /etc/services), port numbers or port ranges (e.g., 21:22);
if the protocol is "icmp", this column is interpreted as the destination
icmp type(s).<br>
</li>
<li>CLIENT PORT(S) - (Optional) Port(s) used by the client. If omitted,
any source port is acceptable. Specified as a comma-separate list of port
names, port numbers or port ranges.</li>
<li>CLIENT PORT(S) - (Optional) Port(s) used by the client. If
omitted, any source port is acceptable. Specified as a comma-separate
list of port names, port numbers or port ranges.</li>
</ul>
<p align="left">Example 1 - All packets arriving on eth1 should be marked
with 1. All packets arriving on eth2 should be marked with 2. All packets
originating on the firewall itself should be marked with 3.</p>
with 1. All packets arriving on eth2 and eth3 should be marked with 2.
All packets originating on the firewall itself should be marked with 3.</p>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
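Review bot: "Specified as a comma-separate list" in the CLIENT PORT(S) item should read "comma-separated"; the hunk re-wraps that sentence, so fix it here. In the PROTO item, "/etc/protocol" looks like a typo for /etc/protocols, by analogy with the /etc/services reference in the PORT(S) item; please check against the system file name. Example 1's description now says eth3 packets are marked 2 as well, which matches the table row added in the next hunk, but the text still does not say what eth1, eth2 and eth3 are; the narrative at the end of the page (DMZ 140kbit, local systems and laptop 224kbit, firewall 20kbit) only lines up with marks 1, 2 and 3 if the reader already knows eth1 is the DMZ interface, so name the interface roles here.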
@ -145,6 +165,20 @@ originating on the firewall itself should be marked with 3.</p>
<td> </td>
<td> </td>
</tr>
<tr>
<td valign="top">2<br>
</td>
<td valign="top">eth3<br>
</td>
<td valign="top">0.0.0.0/0<br>
</td>
<td valign="top">all<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
<tr>
<td>3</td>
<td>fw</td>
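Review bot: the new eth3 row uses "<td valign="top">...<br></td>" cells while the neighbouring rows of the same table use bare "<td>...</td>" (see the rows immediately above and below in this hunk); match the existing cell markup so the table renders with uniform row heights. The row also spells the destination out as 0.0.0.0/0 and the protocol as "all"; if the eth1 and eth2 rows of the same example leave those columns blank or use a placeholder, use the same convention here so readers do not infer a difference in meaning between the rows.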
@ -158,7 +192,8 @@ originating on the firewall itself should be marked with 3.</p>
</table>
<p align="left">Example 2 - All GRE (protocol 47) packets not originating
on the firewall and destined for 155.186.235.151 should be marked with 12.</p>
on the firewall and destined for 155.186.235.151 should be marked with
12.</p>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
@ -207,51 +242,52 @@ and destined for 155.186.235.151 should be marked with 22.</p>
</tbody>
</table>
<h3>Hierarchical Token Bucket</h3>
<h3>My Setup<br>
</h3>
<p>I personally use HTB. I have found a couple of things that may be of use
to others.</p>
<ul>
<li>The gzipped tc binary at the <a
href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB website</a> didn't work
for me -- I had to download the lastest version of the <a
href="ftp://ftp.inr.ac.ru/ip-routing">iproute2 sources</a> and patch
them for HTB.</li>
<li>I'm currently running with this set of shaping rules in my tcstart
file. I recently changed from using a ceiling of 10Mbit (interface speed)
to 384kbit (DSP Uplink speed).<br>
<br>
</li>
</ul>
<p>While I am currently using the HTB version of <a
href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (I just copied
wshaper.htb to /etc/shorewall/tcstart and modified it as shown in the Wondershaper
README), I have also run with the following set of hand-crafted rules in
my tcstart file:<br>
</p>
<blockquote>
<pre>run_tc qdisc add dev eth0 root handle 1: htb default 30<br>run_tc class add dev eth0 parent 1: classid 1:1 htb rate 384kbit burst 15k<br><br>echo "   Added Top Level Class -- rate 384kbit"</pre>
<pre>run_tc qdisc add dev eth0 root handle 1: htb default 30<br><br>run_tc class add dev eth0 parent 1: classid 1:1 htb rate 384kbit burst 15k<br><br>echo "   Added Top Level Class -- rate 384kbit"</pre>
<pre>run_tc class add dev eth0 parent 1:1 classid 1:10 htb rate 140kbit ceil 384kbit burst 15k<br>run_tc class add dev eth0 parent 1:1 classid 1:20 htb rate 224kbit ceil 384kbit burst 15k<br>run_tc class add dev eth0 parent 1:1 classid 1:30 htb rate 20kbit  ceil 384kbit burst 15k quantum 1500</pre>
<pre>run_tc class add dev eth0 parent 1:1 classid 1:10 htb rate 140kbit ceil 384kbit burst 15k prio 1<br>run_tc class add dev eth0 parent 1:1 classid 1:20 htb rate 224kbit ceil 384kbit burst 15k prio 0<br>run_tc class add dev eth0 parent 1:1 classid 1:30 htb rate 20kbit  ceil 384kbit burst 15k quantum 1500 prio 1</pre>
<pre>echo "   Added Second Level Classes -- rates 140kbit, 224kbit, 20kbit"</pre>
<pre>run_tc qdisc add dev eth0 parent 1:10 sfq perturb 10<br>run_tc qdisc add dev eth0 parent 1:20 sfq perturb 10<br>run_tc qdisc add dev eth0 parent 1:30 sfq perturb 10</pre>
<pre>run_tc qdisc add dev eth0 parent 1:10 pfifo limit 5<br>run_tc qdisc add dev eth0 parent 1:20 pfifo limit 10<br>run_tc qdisc add dev eth0 parent 1:30 pfifo limit 5</pre>
<pre>echo "   Enabled SFQ on Second Level Classes"</pre>
<pre>echo "   Enabled PFIFO on Second Level Classes"</pre>
<pre>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:10<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 2 fw classid 1:20<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw classid 1:30</pre>
<pre>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:10<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 0 handle 2 fw classid 1:20<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw classid 1:30</pre>
<pre>echo "   Defined fwmark filters"<br></pre>
<p>My tcrules file is shown in Example 1 above. You can look at my <a
href="myfiles.htm">network configuration</a> to get an idea of why I want
these particular rules.<font face="Courier" size="2"><br>
</font></p>
</blockquote>
<p><font size="2">Last Updated 10/25/2002 - <a href="support.htm">Tom Eastep</a></font></p>
<p>My tcrules file that went with this tcstart file is shown in Example 1
above. You can look at my <a href="myfiles.htm">network configuration</a>
to get an idea of why I wanted these particular rules.<br>
</p>
<ol>
<li>I wanted to allow up to 140kbits/second for traffic outbound from
my DMZ (note that the ceiling is set to 384kbit so outbound DMZ traffic
can use all available bandwidth if there is no traffic from the local systems
or from my laptop or firewall).</li>
<li>My laptop and local systems could use up to 224kbits/second.</li>
<li>My firewall could use up to 20kbits/second.<br>
</li>
</ol>
<p><font size="2">Last Updated 12/20/2002 - <a href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
</p>
</body>
</html>
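Review bot: in the replaced tcstart rules, "prio 0" on the filter for handle 2 ("run_tc filter add dev eth0 protocol ip parent 1:0 prio 0 handle 2 fw classid 1:20") does not mean "highest priority": tc treats a filter priority of 0 as unspecified and allocates one, so that filter is consulted after the two prio 1 filters ("tc filter show dev eth0" will display the pref it was actually given). With the fw classifier and distinct handles the result is the same, but the line reads as though mark 2 is matched first; either use prio 1 on all three filters, as the old lines did, or explain the intended ordering. "prio 0" on the HTB class 1:20 is fine and is what gives the local/laptop class precedence. Two more points: the rate figures (140 + 224 + 20 = 384kbit) add up, but the text should say whether 384kbit is the nominal uplink speed or a little below it, since the queue has to form in this qdisc rather than in the modem for the shaping to control latency at all; and the new numbered list explains classes 1:10/1:20/1:30 by role (DMZ, local systems and laptop, firewall) while Example 1 assigns marks by interface (eth1, eth2/eth3, fw), so state the interface-to-role mapping once so the two halves can be checked against each other.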

View File

@ -18,7 +18,11 @@
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Troubleshooting</font></h1>
<h1 align="center"><font color="#ffffff">Shorewall Troubleshooting<img
src="images/obrasinf.gif" alt="Beating head on table" width="90"
height="90" align="middle">
</font></h1>
</td>
</tr>
@ -37,16 +41,34 @@ of the firewall.</p>
problems.</p>
<h3 align="left">If the firewall fails to start</h3>
If you receive an error message when starting or restarting the firewall
and you can't determine the cause, then do the following:
If you receive an error message when starting or restarting the
firewall and you can't determine the cause, then do the following:
<ul>
<li>Make a note of the error message that you see.<br>
</li>
<li>shorewall debug start 2&gt; /tmp/trace</li>
<li>Look at the /tmp/trace file and see if that helps you determine
what the problem is.</li>
<li>If you still can't determine what's wrong then see the <a
href="support.htm">support page</a>.</li>
<li>Look at the /tmp/trace file and see if that helps you
determine what the problem is. Be sure you find the place in the log where
the error message you saw is generated -- in 99.9% of the cases, it will
not be near the end of the log because after startup errors, Shorewall goes
through a "shorewall stop" phase which will also be traced.</li>
<li>If you still can't determine what's wrong then see the
<a href="support.htm">support page</a>.</li>
</ul>
Here's an example. During startup, a user sees the following:<br>
<blockquote>
<pre>Adding Common Rules<br>iptables: No chain/target/match by that name<br>Terminated<br></pre>
</blockquote>
A search through the trace for "No chain/target/match by that name" turned
up the following: 
<blockquote>
<pre>+ echo 'Adding Common Rules'<br>+ add_common_rules<br>+ run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset<br>++ echo -A reject -p tcp -j REJECT --reject-with tcp-reset<br>++ sed 's/!/! /g'<br>+ iptables -A reject -p tcp -j REJECT --reject-with tcp-reset<br>iptables: No chain/target/match by that name<br></pre>
</blockquote>
The command that failed was: "iptables -A reject -p tcp -j REJECT --reject-with
tcp-reset". In this case, the user had compiled his own kernel and had forgotten
to include REJECT target support (see <a href="kernel.htm">kernel.htm</a>)
<h3>Your network environment</h3>
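Review bot: the worked trace example is a good addition, but the closing sentence ("...had forgotten to include REJECT target support (see kernel.htm)") has no terminating period and tells the reader neither how to confirm the diagnosis nor that the same message covers other missing netfilter pieces. Suggest saying that "iptables: No chain/target/match by that name" is the generic error for any target or match the running kernel does not provide, so the thing to look at in the failing command is its -j or -m argument (here -j REJECT) and the corresponding kernel option (CONFIG_IP_NF_TARGET_REJECT). Also, "in 99.9% of the cases" is a guess dressed as a statistic; "usually", together with the real reason the hunk already gives (a failed start is followed by a traced "shorewall stop"), is enough. The trailing non-breaking space after "turned up the following:" should go.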
@ -55,8 +77,8 @@ of the firewall.</p>
</p>
<ul>
<li>Port Forwarding where client and server are in the same
subnet. See <a href="FAQ.htm">FAQ 2.</a></li>
<li>Port Forwarding where client and server are in the
same subnet. See <a href="FAQ.htm">FAQ 2.</a></li>
<li>Changing the IP address of a local system to be in the external
subnet, thinking that Shorewall will suddenly believe that the system
is in the 'net' zone.</li>
@ -80,10 +102,10 @@ that you forget to remove them later.</p>
will generate when you try to connect in a way that isn't permitted
by your rule set.</p>
<p align="left">Check your log. If you don't see Shorewall messages, then
your problem is probably NOT a Shorewall problem. If you DO see packet messages,
it may be an indication that you are missing one or more rules -- see <a
href="FAQ.htm#faq17">FAQ 17</a>.</p>
<p align="left">Check your log ("/sbin/shorewall show log"). If you don't
see Shorewall messages, then your problem is probably NOT a Shorewall problem.
If you DO see packet messages, it may be an indication that you are missing
one or more rules -- see <a href="FAQ.htm#faq17">FAQ 17</a>.</p>
<p align="left">While you are troubleshooting, it is a good idea to clear
two variables in /etc/shorewall/shorewall.conf:</p>
@ -96,16 +118,18 @@ that you forget to remove them later.</p>
<p align="left">Example:</p>
<font face="Century Gothic, Arial, Helvetica">
<p align="left"><font face="Courier">Jun 27 15:37:56 gateway kernel:
Shorewall:all2all:REJECT:IN=eth2 OUT=eth1 SRC=192.168.2.2 DST=192.168.1.3
LEN=67 TOS=0x00 PREC=0x00 TTL=63 ID=5805 DF PROTO=UDP SPT=1803 DPT=53 LEN=47</font></p>
LEN=67 TOS=0x00 PREC=0x00 TTL=63 ID=5805 DF PROTO=UDP SPT=1803 DPT=53
LEN=47</font></p>
</font>
<p align="left">Let's look at the important parts of this message:</p>
<ul>
<li>all2all:REJECT - This packet was REJECTed out of the all2all chain
-- the packet was rejected under the "all"-&gt;"all" REJECT policy (see
<a href="FAQ.htm#faq17">FAQ 17).</a></li>
<li>all2all:REJECT - This packet was REJECTed out of the all2all
chain -- the packet was rejected under the "all"-&gt;"all" REJECT policy
(see <a href="FAQ.htm#faq17">FAQ 17).</a></li>
<li>IN=eth2 - the packet entered the firewall via eth2</li>
<li>OUT=eth1 - if accepted, the packet would be sent on eth1</li>
<li>SRC=192.168.2.2 - the packet was sent by 192.168.2.2</li>
@ -128,42 +152,42 @@ about how to interpret the chain name appearing in a Shorewall log message.<br>
<h3 align="left">Other Gotchas</h3>
<ul>
<li>Seeing rejected/dropped packets logged out of the INPUT or FORWARD
chains? This means that:
<li>Seeing rejected/dropped packets logged out of the INPUT or
FORWARD chains? This means that:
<ol>
<li>your zone definitions are screwed up and the host that is sending
the packets or the destination host isn't in any zone (using an
<a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a> file are
you?); or</li>
<li>the source and destination hosts are both connected to the same
interface and that interface doesn't have the 'multi' option specified
in <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
<li>your zone definitions are screwed up and the host that is
sending the packets or the destination host isn't in any zone (using
an <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a> file
are you?); or</li>
<li>the source and destination hosts are both connected to the
same interface and that interface doesn't have the 'multi' option
specified in <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
</ol>
</li>
<li>Remember that Shorewall doesn't automatically allow ICMP type
8 ("ping") requests to be sent between zones. If you want pings to be
allowed between zones, you need a rule of the form:<br>
<li>Remember that Shorewall doesn't automatically allow ICMP
type 8 ("ping") requests to be sent between zones. If you want pings
to be allowed between zones, you need a rule of the form:<br>
<br>
    ACCEPT    &lt;source zone&gt;    &lt;destination zone&gt;   
icmp    echo-request<br>
<br>
The ramifications of this can be subtle. For example, if you have
the following in /etc/shorewall/nat:<br>
The ramifications of this can be subtle. For example, if you
have the following in /etc/shorewall/nat:<br>
<br>
    10.1.1.2    eth0    130.252.100.18<br>
<br>
and you ping 130.252.100.18, unless you have allowed icmp type 8
between the zone containing the system you are pinging from and the
zone containing 10.1.1.2, the ping requests will be dropped. This is
true even if you have NOT specified 'noping' for eth0 in /etc/shorewall/interfaces.</li>
and you ping 130.252.100.18, unless you have allowed icmp type
8 between the zone containing the system you are pinging from and
the zone containing 10.1.1.2, the ping requests will be dropped. This
is true even if you have NOT specified 'noping' for eth0 in /etc/shorewall/interfaces.</li>
<li>If you specify "routefilter" for an interface, that interface
must be up prior to starting the firewall.</li>
<li>Is your routing correct? For example, internal systems usually
need to be configured with their default gateway set to the IP address
of their nearest firewall interface. One often overlooked aspect of routing
is that in order for two hosts to communicate, the routing between them
must be set up <u>in both directions.</u> So when setting up routing
of their nearest firewall interface. One often overlooked aspect of
routing is that in order for two hosts to communicate, the routing between
them must be set up <u>in both directions.</u> So when setting up routing
between <b>A</b> and<b> B</b>, be sure to verify that the route from
<b>B</b> back to <b>A</b> is defined.</li>
<li>Some versions of LRP (EigerStein2Beta for example) have a
@ -172,17 +196,17 @@ shell with broken variable expansion. <a
shell from the Shorewall Errata download site.</a> </li>
<li>Do you have your kernel properly configured? <a
href="kernel.htm">Click here to see my kernel configuration.</a> </li>
<li>Some features require the "ip" program. That program is generally
included in the "iproute" package which should be included with your
distribution (though many distributions don't install iproute by
default). You may also download the latest source tarball from <a
<li>Some features require the "ip" program. That program is
generally included in the "iproute" package which should be included
with your distribution (though many distributions don't install iproute
by default). You may also download the latest source tarball from <a
href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank"> ftp://ftp.inr.ac.ru/ip-routing</a>
.</li>
<li>If you have <u>any</u> entry for a zone in /etc/shorewall/hosts
then the zone must be entirely defined in /etc/shorewall/hosts unless
you have specified MERGE_HOSTS=Yes (Shorewall version 1.3.5 and later).
For example, if a zone has two interfaces but only one interface has an
entry in /etc/shorewall/hosts then hosts attached to the other interface
For example, if a zone has two interfaces but only one interface has
an entry in /etc/shorewall/hosts then hosts attached to the other interface
will <u>not</u> be considered part of the zone.</li>
<li>Problems with NAT? Be sure that you let Shorewall add all
external addresses to be use with NAT unless you have set <a
@ -194,12 +218,17 @@ external addresses to be use with NAT unless you have set <a
<p>See the<a href="support.htm"> support page.</a></p>
<font face="Century Gothic, Arial, Helvetica">
<blockquote> </blockquote>
</font>
<p><font size="2">Last updated 11/21/2002 - Tom Eastep</font> </p>
<p><font size="2">Last updated 12/4/2002 - Tom Eastep</font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
</p>
<br>
<br>
<br>
<br>
</body>
</html>
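Review bot: the four bare "<br>" lines inserted between "</p>" and "</body>", and the "<br>" now placed inside the copyright "<p>", are editor residue that only adds blank space at the bottom of the page; drop them rather than carry them along with the date bump.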

View File

@ -22,6 +22,7 @@
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Basic Two-Interface Firewall</font></h1>
</td>
</tr>
@ -38,10 +39,11 @@
in its most common configuration:</p>
<ul>
<li>Linux system used as a firewall/router for a small local network.</li>
<li>Linux system used as a firewall/router for a small local
network.</li>
<li>Single public IP address.</li>
<li>Internet connection through cable modem, DSL, ISDN, Frame Relay,
dial-up ...</li>
<li>Internet connection through cable modem, DSL, ISDN, Frame
Relay, dial-up ...</li>
</ul>
@ -51,6 +53,12 @@
height="635">
</p>
<p><b>If you are running Shorewall under Mandrake 9.0 or later, you can easily
configure the above setup using the Mandrake "Internet Connection Sharing"
applet. From the Mandrake Control Center, select "Network &amp; Internet"
then "Connection Sharing". You should not need to refer to this guide.</b><br>
</p>
<p>This guide assumes that you have the iproute/iproute2 package installed
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell
if this package is installed by the presence of an <b>ip</b> program on
@ -62,33 +70,37 @@ for this program:</p>
<p>I recommend that you first read through the guide to familiarize yourself
with what's involved then go back through it again making your configuration
changes. Points at which configuration changes are recommended are flagged
with <img border="0" src="images/BD21298_.gif" width="13" height="13">
with <img border="0" src="images/BD21298_.gif" width="13"
height="13">
.</p>
<p><img border="0" src="images/j0213519.gif" width="60" height="60">
    If you edit your configuration files on a Windows system, you must
save them as Unix files if your editor supports that option or you must
run them through dos2unix before trying to use them. Similarly, if you
copy a configuration file from your Windows hard drive to a floppy disk,
you must run dos2unix against the copy before using it with Shorewall.</p>
    If you edit your configuration files on a Windows system, you
must save them as Unix files if your editor supports that option or you
must run them through dos2unix before trying to use them. Similarly, if
you copy a configuration file from your Windows hard drive to a floppy
disk, you must run dos2unix against the copy before using it with Shorewall.</p>
<ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
of dos2unix</a></li>
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows
Version of dos2unix</a></li>
<li><a
href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version
of dos2unix</a></li>
</ul>
<h2 align="left">Shorewall Concepts</h2>
<p>The configuration files for Shorewall are contained in the directory
/etc/shorewall -- for simple setups, you will only need to deal with a few
of these as described in this guide. After you have <a
href="Install.htm">installed Shorewall</a>, download the <a
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
alt="">
    The configuration files for Shorewall are contained in the directory
/etc/shorewall -- for simple setups, you will only need to deal with a
few of these as described in this guide. After you have <a
href="Install.htm">installed Shorewall</a>, <b>download the <a
href="/pub/shorewall/LATEST.samples/two-interfaces.tgz">two-interface sample</a>,
un-tar it (tar -zxvf two-interfaces.tgz) and and copy the files to /etc/shorewall
(these files will replace files with the same name).</p>
(these files will replace files with the same name).</b></p>
<p>As each file is introduced, I suggest that you look through the actual
file on your system -- each file contains detailed configuration instructions
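Review bot: the now-bold instruction to "copy the files to /etc/shorewall (these files will replace files with the same name)" should tell a user with an existing installation to back up /etc/shorewall first; the reason for bolding it is that people skip this step, and the same people will overwrite a working configuration without noticing. Two small fixes in the same paragraph: "un-tar it (tar -zxvf two-interfaces.tgz) and and copy the files" has a doubled "and", and the new "<img ... alt="">" marker has an empty alt while the same marker image further up the page has no alt at all; give it a short alt (it marks a required configuration step) so the guide reads correctly in text browsers and screen readers.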
@ -127,11 +139,11 @@ of these as described in this guide. After you have <a
in terms of zones.</p>
<ul>
<li>You express your default policy for connections from one zone
to another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
<li>You express your default policy for connections from one
zone to another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
</a>file.</li>
<li>You define exceptions to those default policies in the <a
href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
<li>You define exceptions to those default policies in the
<a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
</ul>
@ -139,8 +151,8 @@ to another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/pol
checked against the /etc/shorewall/rules file. If no rule in that file
matches the connection request then the first policy in /etc/shorewall/policy
that matches the request is applied. If that policy is REJECT or DROP 
the request is first checked against the rules in /etc/shorewall/common (the
samples provide that file for you).</p>
the request is first checked against the rules in /etc/shorewall/common
(the samples provide that file for you).</p>
<p>The /etc/shorewall/policy file included with the two-interface sample has
the following policies:</p>
@ -184,8 +196,8 @@ the following policies:</p>
<blockquote>
<p>In the two-interface sample, the line below is included but commented
out. If you want your firewall system to have full access to servers on
the internet, uncomment that line.</p>
out. If you want your firewall system to have full access to servers
on the internet, uncomment that line.</p>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber3">
@ -212,19 +224,19 @@ the following policies:</p>
<p>The above policy will:</p>
<ol>
<li>allow all connection requests from your local network to the
internet</li>
<li>drop (ignore) all connection requests from the internet to your
firewall or local network</li>
<li>optionally accept all connection requests from the firewall to
the internet (if you uncomment the additional policy)</li>
<li>allow all connection requests from your local network to
the internet</li>
<li>drop (ignore) all connection requests from the internet to
your firewall or local network</li>
<li>optionally accept all connection requests from the firewall
to the internet (if you uncomment the additional policy)</li>
<li>reject all other connection requests.</li>
</ol>
<p><img border="0" src="images/BD21298_.gif" width="13" height="13">
    At this point, edit your /etc/shorewall/policy and make any changes
that you wish.</p>
    At this point, edit your /etc/shorewall/policy and make any
changes that you wish.</p>
<h2 align="left">Network Interfaces</h2>
@ -237,16 +249,16 @@ connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
will be the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>) 
<u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol
over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling
<u>P</u>rotocol </i>(PPTP) in which case the External Interface will be
a ppp interface (e.g., <b>ppp0</b>). If you connect via a regular modem,
<u>P</u>rotocol </i>(PPTP) in which case the External Interface will
be a ppp interface (e.g., <b>ppp0</b>). If you connect via a regular modem,
your External Interface will also be <b>ppp0</b>. If you connect via ISDN,
your external interface will be <b>ippp0.</b></p>
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13">
    If your external interface is <b>ppp0</b> or<b> ippp0</b>  then
you will want to set CLAMPMSS=yes in <a href="Documentation.htm#Conf">
/etc/shorewall/shorewall.conf.</a></p>
    If your external interface is <b>ppp0</b> or<b> ippp0</b> 
then you will want to set CLAMPMSS=yes in <a
href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf.</a></p>
<p align="left">Your <i>Internal Interface</i> will be an ethernet adapter
(eth1 or eth0) and will be connected to a hub or switch. Your other computers
@ -256,19 +268,19 @@ using a <i>cross-over </i> cable).</p>
<p align="left"><u><b> <img border="0" src="images/j0213519.gif"
width="60" height="60">
</b></u>Do not connect the internal and external interface to the same
hub or switch (even for testing). It won't work the way that you think
</b></u>Do not connect the internal and external interface to the
same hub or switch (even for testing). It won't work the way that you think
that it will and you will end up confused and believing that Shorewall
doesn't work at all.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" align="left"
width="13" height="13">
    The Shorewall two-interface sample configuration assumes that the
external interface is <b>eth0</b> and the internal interface is <b>eth1</b>.
If your configuration is different, you will have to modify the sample
<a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> file
accordingly. While you are there, you may wish to review the list of options
that are specified for the interfaces. Some hints:</p>
    The Shorewall two-interface sample configuration assumes that
the external interface is <b>eth0</b> and the internal interface is
<b>eth1</b>. If your configuration is different, you will have to modify
the sample <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
file accordingly. While you are there, you may wish to review the list
of options that are specified for the interfaces. Some hints:</p>
<ul>
<li>
@ -277,8 +289,8 @@ doesn't work at all.</p>
</li>
<li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>
or if you have a static IP address, you can remove "dhcp" from the option
list. </p>
or if you have a static IP address, you can remove "dhcp" from the
option list. </p>
</li>
</ul>
@ -286,17 +298,17 @@ doesn't work at all.</p>
<h2 align="left">IP Addresses</h2>
<p align="left">Before going further, we should say a few words about Internet
Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you a single
<i> Public</i> IP address. This address may be assigned via the<i> Dynamic
Host Configuration Protocol</i> (DHCP) or as part of establishing your
connection when you dial in (standard modem) or establish your PPP connection.
In rare cases, your ISP may assign you a<i> static</i> IP address; that
means that you configure your firewall's external interface to use that
address permanently.<i> </i>However your external address is assigned, it
will be shared by all of your systems when you access the Internet. You will
have to assign your own addresses in your internal network (the Internal
Interface on your firewall plus your other computers). RFC 1918 reserves
several <i>Private </i>IP address ranges for this purpose:</p>
Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you a
single <i> Public</i> IP address. This address may be assigned via the<i>
Dynamic Host Configuration Protocol</i> (DHCP) or as part of establishing
your connection when you dial in (standard modem) or establish your PPP
connection. In rare cases, your ISP may assign you a<i> static</i> IP address;
that means that you configure your firewall's external interface to use
that address permanently.<i> </i>However your external address is assigned,
it will be shared by all of your systems when you access the Internet.
You will have to assign your own addresses in your internal network (the
Internal Interface on your firewall plus your other computers). RFC 1918
reserves several <i>Private </i>IP address ranges for this purpose:</p>
<div align="left">
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
@ -307,8 +319,8 @@ several <i>Private </i>IP address ranges for this purpose:</p>
height="13">
    Before starting Shorewall, you should look at the IP address
of your external interface and if it is one of the above ranges, you
should remove the 'norfc1918' option from the external interface's entry
in /etc/shorewall/interfaces.</p>
should remove the 'norfc1918' option from the external interface's
entry in /etc/shorewall/interfaces.</p>
</div>
<div align="left">
@ -317,11 +329,11 @@ in /etc/shorewall/interfaces.</p>
to consists of a range of addresses x.y.z.0 - x.y.z.255. Such a subnet
will have a <i>Subnet Mask </i>of 255.255.255.0. The address x.y.z.0
is reserved as the <i>Subnet Address</i> and x.y.z.255 is reserved as
the <i>Subnet Broadcast</i> <i>Address</i>. In Shorewall, a subnet is described
using <a href="subnet_masks.htm"><i>Classless InterDomain Routing </i>(CIDR)
notation</a> with consists of the subnet address followed by "/24". The
"24" refers to the number of consecutive leading "1" bits from the left
of the subnet mask. </p>
the <i>Subnet Broadcast</i> <i>Address</i>. In Shorewall, a subnet is
described using <a href="shorewall_setup_guide.htm#Subnets"><i>Classless
InterDomain Routing </i>(CIDR) notation</a> with consists of the subnet
address followed by "/24". The "24" refers to the number of consecutive
leading "1" bits from the left of the subnet mask. </p>
</div>
<div align="left">
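Review bot: the re-wrapped sentence keeps the typo "notation with consists of the subnet address", which should read "which consists of"; since these lines are already being changed for the new link target (shorewall_setup_guide.htm#Subnets), fix it here. The "/24" example also only holds for the 255.255.255.0 mask described just above, so "followed by "/24" for this mask" would be clearer than implying every subnet is written that way.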
@ -372,8 +384,9 @@ systems send packets through a<i>
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13">
    Your local computers (computer 1 and computer 2 in the above
diagram) should be configured with their<i> default gateway</i> to be
the IP address of the firewall's internal interface.<i>      </i> </p>
diagram) should be configured with their<i> default gateway</i> to
be the IP address of the firewall's internal interface.<i>      </i>
</p>
</div>
<p align="left">The foregoing short discussion barely scratches the surface
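Review bot: the re-wrapped paragraph carries over an empty italic element ("<i>      </i>", italic tags around non-breaking spaces) after "internal interface."; it renders as stray whitespace and should be deleted rather than re-flowed onto a new line.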
@ -394,18 +407,18 @@ the IP address of the firewall's internal interface.<i>
<h2 align="left">IP Masquerading (SNAT)</h2>
<p align="left">The addresses reserved by RFC 1918 are sometimes referred
to as <i>non-routable</i> because the Internet backbone routers don't forward
packets which have an RFC-1918 destination address. When one of your local
systems (let's assume computer 1) sends a connection request to an internet
host, the firewall must perform <i>Network Address Translation </i>(NAT).
The firewall rewrites the source address in the packet to be the address
of the firewall's external interface; in other words, the firewall makes
it look as if the firewall itself is initiating the connection.  This is
necessary so that the destination host will be able to route return packets
back to the firewall (remember that packets whose destination address
is reserved by RFC 1918 can't be routed across the internet so the remote
host can't address its response to computer 1). When the firewall receives
a return packet, it rewrites the destination address back to 10.10.10.1
to as <i>non-routable</i> because the Internet backbone routers don't
forward packets which have an RFC-1918 destination address. When one of
your local systems (let's assume computer 1) sends a connection request
to an internet host, the firewall must perform <i>Network Address Translation
</i>(NAT). The firewall rewrites the source address in the packet to
be the address of the firewall's external interface; in other words, the
firewall makes it look as if the firewall itself is initiating the connection. 
This is necessary so that the destination host will be able to route return
packets back to the firewall (remember that packets whose destination
address is reserved by RFC 1918 can't be routed across the internet so
the remote host can't address its response to computer 1). When the firewall
receives a return packet, it rewrites the destination address back to 10.10.10.1
and forwards the packet on to computer 1. </p>
<p align="left">On Linux systems, the above process is often referred to as<i>
@ -440,19 +453,32 @@ the second column to the name of your internal interface.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13">
    If your external IP is static, you can enter it in the third column
in the /etc/shorewall/masq entry if you like although your firewall will
work fine if you leave that column empty. Entering your static IP in column
3 makes processing outgoing packets a little more efficient. </p>
    If your external IP is static, you can enter it in the third
column in the /etc/shorewall/masq entry if you like although your firewall
will work fine if you leave that column empty. Entering your static
IP in column 3 makes processing outgoing packets a little more efficient.<br>
<br>
<img border="0" src="images/BD21298_.gif" width="13" height="13" alt="">
    If you are using the Debian package, please check your shorewall.conf
file to ensure that the following are set correctly; if they are not, change
them appropriately:<br>
</p>
<ul>
<li>NAT_ENABLED=Yes</li>
<li>IP_FORWARDING=On<br>
</li>
</ul>
<h2 align="left">Port Forwarding (DNAT)</h2>
<p align="left">One of your goals may be to run one or more servers on your
local computers. Because these computers have RFC-1918 addresses, it is
not possible for clients on the internet to connect directly to them. It
is rather necessary for those clients to address their connection requests
to the firewall who rewrites the destination address to the address of your
server and forwards the packet to that server. When your server responds,
local computers. Because these computers have RFC-1918 addresses, it
is not possible for clients on the internet to connect directly to them.
It is rather necessary for those clients to address their connection requests
to the firewall who rewrites the destination address to the address of
your server and forwards the packet to that server. When your server responds,
the firewall automatically performs SNAT to rewrite the source address
in the response.</p>
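Review bot: the new Debian note says to check NAT_ENABLED=Yes and IP_FORWARDING=On and "if they are not, change them appropriately", but not what goes wrong otherwise; a reader whose masquerading silently fails needs to know that these two settings are the first thing to check. Both settings matter for any installation, not only the Debian package, so the check belongs in the general masq step rather than as a Debian aside. Minor: the trailing "<br>" inside the last "<li>" is editor noise and should go.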
@ -524,14 +550,14 @@ in the response.</p>
<p>A couple of important points to keep in mind:</p>
<ul>
<li>You must test the above rule from a client outside of your local
network (i.e., don't test from a browser running on computers 1 or 2
or on the firewall). If you want to be able to access your web server
using the IP address of your external interface, see <a
<li>You must test the above rule from a client outside of your
local network (i.e., don't test from a browser running on computers
1 or 2 or on the firewall). If you want to be able to access your web
server using the IP address of your external interface, see <a
href="FAQ.htm#faq2">Shorewall FAQ #2</a>.</li>
<li>Many ISPs block incoming connection requests to port 80. If you
have problems connecting to your web server, try the following rule and
try connecting to port 5000.</li>
<li>Many ISPs block incoming connection requests to port 80.
If you have problems connecting to your web server, try the following
rule and try connecting to port 5000.</li>
</ul>
@ -563,16 +589,16 @@ using the IP address of your external interface, see <a
</blockquote>
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13">
    At this point, modify /etc/shorewall/rules to add any DNAT rules
that you require.</p>
    At this point, modify /etc/shorewall/rules to add any DNAT
rules that you require.</p>
<h2 align="left">Domain Name Server (DNS)</h2>
<p align="left">Normally, when you connect to your ISP, as part of getting
an IP address your firewall's <i>Domain Name Service </i>(DNS) resolver
will be automatically configured (e.g., the /etc/resolv.conf file will be
written). Alternatively, your ISP may have given you the IP address of
a pair of DNS <i> name servers</i> for you to manually configure as your
will be automatically configured (e.g., the /etc/resolv.conf file will
be written). Alternatively, your ISP may have given you the IP address
of a pair of DNS <i> name servers</i> for you to manually configure as your
primary and secondary name servers. Regardless of how DNS gets configured
on your firewall, it is <u>your</u> responsibility to configure the resolver
in your internal systems. You can take one of two approaches:</p>
@ -580,25 +606,25 @@ in your internal systems. You can take one of two approaches:</p>
<ul>
<li>
<p align="left">You can configure your internal systems to use your ISP's
name servers. If you ISP gave you the addresses of their servers or if
those addresses are available on their web site, you can configure your
internal systems to use those addresses. If that information isn't available,
look in /etc/resolv.conf on your firewall system -- the name servers
are given in "nameserver" records in that file. </p>
name servers. If you ISP gave you the addresses of their servers or
if those addresses are available on their web site, you can configure
your internal systems to use those addresses. If that information isn't
available, look in /etc/resolv.conf on your firewall system -- the name
servers are given in "nameserver" records in that file. </p>
</li>
<li>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13">
    You can configure a<i> Caching Name Server </i>on your firewall.<i>
</i>Red Hat has an RPM for a caching name server (the RPM also requires
the 'bind' RPM) and for Bering users, there is dnscache.lrp. If you take
this approach, you configure your internal systems to use the firewall
itself as their primary (and only) name server. You use the internal IP
address of the firewall (10.10.10.254 in the example above) for the name
server address. To allow your local systems to talk to your caching name
server, you must open port 53 (both UDP and TCP) from the local network
to the firewall; you do that by adding the following rules in /etc/shorewall/rules.
</p>
</i>Red Hat has an RPM for a caching name server (the RPM also
requires the 'bind' RPM) and for Bering users, there is dnscache.lrp. If
you take this approach, you configure your internal systems to use the
firewall itself as their primary (and only) name server. You use the internal
IP address of the firewall (10.10.10.254 in the example above) for the
name server address. To allow your local systems to talk to your caching
name server, you must open port 53 (both UDP and TCP) from the local
network to the firewall; you do that by adding the following rules in
/etc/shorewall/rules. </p>
</li>
</ul>
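Review bot: "If you ISP gave you the addresses" in the re-wrapped line should be "If your ISP gave you"; fix it while the line is being touched. The caching-name-server item correctly tells the reader to open port 53 TCP and UDP from the local network to the firewall, but a caching server on the firewall also has to be allowed to send its own queries out to the Internet; the rules that follow should cover that case too, or the text should say where it is handled.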
@ -808,7 +834,8 @@ are given in "nameserver" records in that file. </p>
<div align="left">
<p align="left">Those two rules would of course be in addition to the rules
listed above under "You can configure a Caching Name Server on your firewall"</p>
listed above under "You can configure a Caching Name Server on your
firewall"</p>
</div>
<div align="left">
@ -854,8 +881,8 @@ uses, look <a href="ports.htm">here</a>.</p>
<div align="left">
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13">
    Now edit your /etc/shorewall/rules file to add or delete other
connections as required.</p>
    Now edit your /etc/shorewall/rules file to add or delete
other connections as required.</p>
</div>
<div align="left">
@ -869,7 +896,8 @@ uses, look <a href="ports.htm">here</a>.</p>
your system to start Shorewall at system boot  but beginning with Shorewall
version 1.3.9 startup is disabled so that your system won't try to start
Shorewall before configuration is complete. Once you have completed configuration
of your firewall, you can enable Shorewall startup by removing the file /etc/shorewall/startup_disabled.<br>
of your firewall, you can enable Shorewall startup by removing the file
/etc/shorewall/startup_disabled.<br>
</p>
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: </font><font
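Review bot: the paragraph explains that boot-time startup is disabled by the presence of /etc/shorewall/startup_disabled, but should spell out the consequence: until that file is removed, a reboot brings the system up with Shorewall not started at all. It is worth telling the reader to remove the file immediately after the first successful "shorewall start" rather than leaving it as a loose end.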
@ -891,10 +919,11 @@ of your firewall, you can enable Shorewall startup by removing the file /etc/sho
<div align="left">
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13">
    The two-interface sample assumes that you want to enable routing
to/from <b>eth1 </b>(the local network) when Shorewall is stopped. If
your local network isn't connected to <b>eth1</b> or if you wish to enable
access to/from other hosts, change /etc/shorewall/routestopped accordingly.</p>
    The two-interface sample assumes that you want to enable
routing to/from <b>eth1 </b>(the local network) when Shorewall is stopped.
If your local network isn't connected to <b>eth1</b> or if you wish to
enable access to/from other hosts, change /etc/shorewall/routestopped
accordingly.</p>
</div>
<div align="left">
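Review bot: "enable routing to/from eth1 (the local network) when Shorewall is stopped" should make clear that hosts reachable through routestopped are unfiltered for as long as the firewall is stopped; listing the whole internal interface there is a deliberate trade-off, and the reader should be told so before being pointed at the file to edit.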
@ -904,11 +933,11 @@ of your firewall, you can enable Shorewall startup by removing the file /etc/sho
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better to create
an <i><a href="configuration_file_basics.htm#Configs">alternate configuration</a></i>
and test it using the <a href="starting_and_stopping_shorewall.htm">"shorewall
try" command</a>.</p>
and test it using the <a
href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p>
</div>
<p align="left"><font size="2">Last updated 11/21/2002 - <a
<p align="left"><font size="2">Last updated 12/20/2002 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas
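Review bot: "Last updated 12/20/2002" disagrees with the spec %changelog in this same commit, which dates the 1.3.12 release Fri Dec 27 2002; if the date is meant to track the release it should be 12/27/2002 (or the commit date), otherwise the page will look stale against the release notes.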
@ -919,5 +948,9 @@ of your firewall, you can enable Shorewall startup by removing the file /etc/sho
<br>
<br>
<br>
<br>
<br>
<br>
<br>
</body>
</html>
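Review bot: the four added "<br>" lines at the end of the body are HTML-editor padding with no effect on the page; drop them rather than letting the file grow by a few empty lines on every save.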

View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=1.3.12-Beta3
VERSION=1.3.12
usage() # $1 = exit status
{
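Review bot: VERSION=1.3.12 is now hardcoded separately in this fallback script, the install script, the spec and the uninstall script, all bumped by hand in this commit; a single missed file on the next release would leave a script refusing to operate on the installed version, so consider generating the four from one VERSION file at build time.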

View File

@ -54,7 +54,7 @@
# /etc/rc.d/rc.local file is modified to start the firewall.
#
VERSION=1.3.12-Beta3
VERSION=1.3.12
usage() # $1 = exit status
{

View File

@ -1,6 +1,6 @@
%define name shorewall
%define version 1.3.12
%define release 0Beta3
%define release 1
%define prefix /usr
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@ -105,6 +105,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog
* Fri Dec 27 2002 Tom Eastep <tom@shorewall.net>
- Changes version to 1.3.12
* Sun Dec 22 2002 Tom Eastep <tom@shorewall.net>
- Changes version to 1.3.12-0Beta3
* Fri Dec 20 2002 Tom Eastep <tom@shorewall.net>
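Review bot: the new %changelog entry "Changes version to 1.3.12" omits the release, which the header in this same file sets to 1; writing "1.3.12-1" (and the imperative "Change") matches the previous "1.3.12-0Beta3" entry and RPM convention. Note also that "0Beta3" sorts before "1", so upgrades from the beta package will work as intended.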

View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall
VERSION=1.3.12-Beta3
VERSION=1.3.12
usage() # $1 = exit status
{
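Review bot: while bumping VERSION here, the comment two lines above it still says "remove Seattle Firewall"; the fallback script and the spec in this same commit call the product Shoreline Firewall, so this is a stale name and should be corrected in the same change.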