mirror of
https://gitlab.com/shorewall/code.git
synced 2025-06-21 10:18:58 +02:00
Release changes for 1.3.12
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@385 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
89efe0c6f6
commit
36aa2c8e88
File diff suppressed because it is too large
Load Diff
6
Lrp/etc/shorewall/init
Normal file
6
Lrp/etc/shorewall/init
Normal file
@ -0,0 +1,6 @@
|
||||
############################################################################
|
||||
# Shorewall 1.3 -- /etc/shorewall/init
|
||||
#
|
||||
# Add commands below that you want to be executed at the beginning of
|
||||
# a "shorewall start" or "shorewall restart" command.
|
||||
#
|
@ -20,6 +20,8 @@
|
||||
# an alias (e.g., eth0:0) here; see
|
||||
# http://www.shorewall.net/FAQ.htm#faq18
|
||||
#
|
||||
# DO NOT DEFINE THE LOOPBACK INTERFACE (lo) IN THIS FILE.
|
||||
#
|
||||
# BROADCAST The broadcast address for the subnetwork to which the
|
||||
# interface belongs. For P-T-P interfaces, this
|
||||
# column is left black.If the interface has multiple
|
||||
@ -89,6 +91,14 @@
|
||||
# is specified, the interface must be
|
||||
# an ethernet NIC and must be up before
|
||||
# Shorewall is started.
|
||||
# tcpflags - Packets arriving on this interface are
|
||||
# checked for certain illegal combinations
|
||||
# of TCP flags. Packets found to have
|
||||
# such a combination of flags are handled
|
||||
# according to the setting of
|
||||
# TCP_FLAGS_DISPOSITION after having been
|
||||
# logged according to the setting of
|
||||
# TCP_FLAGS_LOG_LEVEL.
|
||||
# proxyarp -
|
||||
# Sets
|
||||
# /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
|
||||
|
@ -17,6 +17,10 @@
|
||||
# DEST Destination zone. Must be the name of a zone defined
|
||||
# in /etc/shorewall/zones, $FW or "all"
|
||||
#
|
||||
# WARNING: Firewall->Firewall policies are not allowed; if
|
||||
# you have a policy where both SOURCE and DEST are $FW,
|
||||
# Shorewall will not start!
|
||||
#
|
||||
# POLICY Policy if no match from the rules file is found. Must
|
||||
# be "ACCEPT", "DROP", "REJECT" or "CONTINUE"
|
||||
#
|
||||
@ -25,6 +29,12 @@
|
||||
# log message is generated. See syslog.conf(5) for a
|
||||
# description of log levels.
|
||||
#
|
||||
# Beginning with Shorewall version 1.3.12, you may
|
||||
# also specify ULOG (must be in upper case). This will
|
||||
# log to the ULOG target and sent to a separate log
|
||||
# through use of ulogd
|
||||
# (http://www.gnumonks.org/projects/ulogd).
|
||||
#
|
||||
# If you don't want to log but need to specify the
|
||||
# following column, place "_" here.
|
||||
#
|
||||
|
@ -47,7 +47,7 @@
|
||||
60.0.0.0/8 logdrop # Reserved
|
||||
70.0.0.0/7 logdrop # Reserved
|
||||
72.0.0.0/5 logdrop # Reserved
|
||||
82.0.0.0/7 logdrop # Reserved
|
||||
83.0.0.0/8 logdrop # Reserved
|
||||
84.0.0.0/6 logdrop # Reserved
|
||||
88.0.0.0/5 logdrop # Reserved
|
||||
96.0.0.0/3 logdrop # Reserved
|
||||
|
@ -31,18 +31,26 @@
|
||||
# level (e.g, REJECT:info). This causes the packet to be
|
||||
# logged at the specified level.
|
||||
#
|
||||
# SOURCE Source hosts to which the rule applies. May be a zone
|
||||
# defined in /etc/shorewall/zones or $FW to indicate the
|
||||
# firewall itself. If the ACTION is DNAT or REDIRECT,
|
||||
# sub-zones of the specified zone may be excluded from
|
||||
# the rule by following the zone name with "!' and a
|
||||
# comma-separated list of sub-zone names.
|
||||
# Beginning with Shorewall version 1.3.12, you may
|
||||
# also specify ULOG (must be in upper case) as a log level.\
|
||||
# This will log to the ULOG target and sent to a separate log
|
||||
# through use of ulogd
|
||||
# (http://www.gnumonks.org/projects/ulogd).
|
||||
#
|
||||
# Clients may be further restricted to a list of subnets
|
||||
# and/or hosts by appending ":" and a comma-separated
|
||||
# list of subnets and/or hosts. Hosts may be specified
|
||||
# by IP or MAC address; mac addresses must begin with
|
||||
# "~" and must use "-" as a separator.
|
||||
#
|
||||
# SOURCE Source hosts to which the rule applies. May be a zone
|
||||
# defined in /etc/shorewall/zones, $FW to indicate the
|
||||
# firewall itself, or "all" If the ACTION is DNAT or
|
||||
# REDIRECT, sub-zones of the specified zone may be
|
||||
# excluded from the rule by following the zone name with
|
||||
# "!' and a comma-separated list of sub-zone names.
|
||||
#
|
||||
# Except when "all" is specified, clients may be further
|
||||
# restricted to a list of subnets and/or hosts by
|
||||
# appending ":" and a comma-separated list of subnets
|
||||
# and/or hosts. Hosts may be specified by IP or MAC
|
||||
# address; mac addresses must begin with "~" and must use
|
||||
# "-" as a separator.
|
||||
#
|
||||
# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ
|
||||
#
|
||||
@ -64,12 +72,13 @@
|
||||
# as described above (e.g., loc:eth1:192.168.1.5).
|
||||
#
|
||||
# DEST Location of Server. May be a zone defined in
|
||||
# /etc/shorewall/zones or $FW to indicate the firewall
|
||||
# itself.
|
||||
# /etc/shorewall/zones, $FW to indicate the firewall
|
||||
# itself or "all"
|
||||
#
|
||||
# The server may be further restricted to a particular
|
||||
# subnet, host or interface by appending ":" and the
|
||||
# subnet, host or interface. See above.
|
||||
# Except when "all" is specified, the server may be
|
||||
# further restricted to a particular subnet, host or
|
||||
# interface by appending ":" and the subnet, host or
|
||||
# interface. See above.
|
||||
#
|
||||
# Restrictions:
|
||||
#
|
||||
|
@ -9,6 +9,35 @@
|
||||
# (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net)
|
||||
##############################################################################
|
||||
#
|
||||
# General note about log levels. Log levels are a method of describing
|
||||
# to syslog (8) the importance of a message and a number of parameters
|
||||
# in this file have log levels as their value.
|
||||
#
|
||||
# Valid levels are:
|
||||
#
|
||||
# 7 debug
|
||||
# 6 info
|
||||
# 5 notice
|
||||
# 4 warning
|
||||
# 3 err
|
||||
# 2 crit
|
||||
# 1 alert
|
||||
# 0 emerg
|
||||
#
|
||||
# For most Shorewall logging, a level of 6 (info) is appropriate. Shorewall
|
||||
# log messages are generated by NetFilter and are logged using facility
|
||||
# 'kern' and the level that you specifify. If you are unsure of the level
|
||||
# to choose, 6 (info) is a safe bet. You may specify levels by name or by
|
||||
# number.
|
||||
#
|
||||
# If you have build your kernel with ULOG target support, you may also
|
||||
# specify a log level of ULOG (must be all caps). Rather than log its
|
||||
# messages to syslogd, Shorewall will direct netfilter to log the messages
|
||||
# via the ULOG target which will send them to a process called 'ulogd'.
|
||||
# ulogd is available from http://www.gnumonks.org/projects/ulogd and can be
|
||||
# configured to log all Shorewall message to their own log file
|
||||
################################################################################
|
||||
#
|
||||
# PATH - Change this if you want to change the order in which Shorewall
|
||||
# searches directories for executable files.
|
||||
#
|
||||
@ -97,6 +126,8 @@ LOGBURST=
|
||||
# packets are logged under the 'logunclean' interface option. If the variable
|
||||
# is empty, these packets will still be logged at the 'info' level.
|
||||
#
|
||||
# See the comment at the top of this file for a description of log levels
|
||||
#
|
||||
|
||||
LOGUNCLEAN=info
|
||||
|
||||
@ -192,6 +223,8 @@ BLACKLIST_DISPOSITION=DROP
|
||||
# (beward of DOS attacks resulting from such logging). If not set, no logging
|
||||
# of blacklist packets occurs.
|
||||
#
|
||||
# See the comment at the top of this file for a description of log levels
|
||||
#
|
||||
BLACKLIST_LOGLEVEL=
|
||||
|
||||
#
|
||||
@ -354,6 +387,8 @@ MUTEX_TIMEOUT=60
|
||||
# it will be rejected by the firewall. If you want these rejects logged,
|
||||
# then set LOGNEWNOTSYN to the syslog log level at which you want them logged.
|
||||
#
|
||||
# See the comment at the top of this file for a description of log levels
|
||||
#
|
||||
# Example: LOGNEWNOTSYN=debug
|
||||
|
||||
|
||||
@ -402,7 +437,63 @@ MACLIST_DISPOSITION=REJECT
|
||||
# verification. If set to the empty value (MACLIST_LOG_LEVEL="") then
|
||||
# such connection requests will not be logged.
|
||||
#
|
||||
# See the comment at the top of this file for a description of log levels
|
||||
#
|
||||
|
||||
MACLIST_LOG_LEVEL=info
|
||||
|
||||
#
|
||||
# TCP FLAGS Disposition
|
||||
#
|
||||
# This variable determins the disposition of packets having an invalid
|
||||
# combination of TCP flags that are received on interfaces having the
|
||||
# 'tcpflags' option specified in /etc/shorewall/interfaces. If not specified
|
||||
# or specified as empty (TCP_FLAGS_DISPOSITION="") then DROP is assumed.
|
||||
|
||||
TCP_FLAGS_DISPOSITION=DROP
|
||||
|
||||
#
|
||||
# TCP FLAGS Log Level
|
||||
#
|
||||
# Specifies the logging level for packets that fail TCP Flags
|
||||
# verification. If set to the empty value (TCP_FLAGS_LOG_LEVEL="") then
|
||||
# such packets will not be logged.
|
||||
#
|
||||
# See the comment at the top of this file for a description of log levels
|
||||
#
|
||||
|
||||
TCP_FLAGS_LOG_LEVEL=info
|
||||
|
||||
#
|
||||
# RFC1918 Log Level
|
||||
#
|
||||
# Specifies the logging level for packets that fail RFC 1918
|
||||
# verification. If set to the empty value (RFC1918_LOG_LEVEL="") then
|
||||
# RFC1918_LOG_LEVEL=info is assumed.
|
||||
#
|
||||
# See the comment at the top of this file for a description of log levels
|
||||
#
|
||||
|
||||
RFC1918_LOG_LEVEL=info
|
||||
|
||||
#
|
||||
# Mark Packets in the forward chain
|
||||
#
|
||||
# When processing the tcrules file, Shorewall normally marks packets in the
|
||||
# PREROUTING chain. To cause Shorewall to use the FORWARD chain instead, set
|
||||
# this to "Yes". If not specified or if set to the empty value (e.g.,
|
||||
# MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed.
|
||||
#
|
||||
# Marking packets in the FORWARD chain has the advantage that inbound
|
||||
# packets destined for Masqueraded/SNATed local hosts have had their destination
|
||||
# address rewritten so they can be marked based on their destination. When
|
||||
# packets are marked in the PREROUTING chain, packets destined for
|
||||
# Masqueraded/SNATed local hosts still have a destination address corresponding
|
||||
# to the firewall's external interface.
|
||||
#
|
||||
# Note: Older kernels do not support marking packets in the FORWARD chain and
|
||||
# setting this variable to Yes may cause startup problems.
|
||||
|
||||
MARK_IN_FORWARD_CHAIN=No
|
||||
|
||||
#LAST LINE -- DO NOT REMOVE
|
||||
|
6
Lrp/etc/shorewall/start
Normal file
6
Lrp/etc/shorewall/start
Normal file
@ -0,0 +1,6 @@
|
||||
############################################################################
|
||||
# Shorewall 1.3 -- /etc/shorewall/start
|
||||
#
|
||||
# Add commands below that you want to be executed after shorewall has
|
||||
# been started or restarted.
|
||||
#
|
6
Lrp/etc/shorewall/stop
Normal file
6
Lrp/etc/shorewall/stop
Normal file
@ -0,0 +1,6 @@
|
||||
############################################################################
|
||||
# Shorewall 1.3 -- /etc/shorewall/stop
|
||||
#
|
||||
# Add commands below that you want to be executed at the beginning of a
|
||||
# "shorewall stop" command.
|
||||
#
|
6
Lrp/etc/shorewall/stopped
Normal file
6
Lrp/etc/shorewall/stopped
Normal file
@ -0,0 +1,6 @@
|
||||
############################################################################
|
||||
# Shorewall 1.3 -- /etc/shorewall/stopped
|
||||
#
|
||||
# Add commands below that you want to be executed at the completion of a
|
||||
# "shorewall stop" command.
|
||||
#
|
@ -6,6 +6,11 @@
|
||||
# Entries in this file cause packets to be marked as a means of
|
||||
# classifying them for traffic control or policy routing.
|
||||
#
|
||||
# I M P O R T A N T ! ! ! !
|
||||
#
|
||||
# FOR ENTRIES IN THIS FILE TO HAVE ANY EFFECT, YOU MUST SET
|
||||
# TC_ENABLED=Yes in /etc/shorewall/shorewall.conf
|
||||
#
|
||||
# Columns are:
|
||||
#
|
||||
#
|
||||
|
@ -58,6 +58,7 @@
|
||||
# shorewall show nat Display the rules in the nat table
|
||||
# shorewall show {mangle|tos} Display the rules in the mangle table
|
||||
# shorewall show tc Display traffic control info
|
||||
# shorewall show classifiers Display classifiers
|
||||
# shorewall version Display the installed version id
|
||||
# shorewall check Verify the more heavily-used
|
||||
# configuration files.
|
||||
@ -150,8 +151,10 @@ display_chains()
|
||||
iptables -L -n -v > /tmp/chains-$$
|
||||
|
||||
clear
|
||||
echo -e "$banner `date`\\n"
|
||||
echo -e "Standard Chains\\n"
|
||||
echo "$banner `date`"
|
||||
echo
|
||||
echo "Standard Chains"
|
||||
echo
|
||||
firstchain="Yes"
|
||||
showchain INPUT
|
||||
showchain OUTPUT
|
||||
@ -160,9 +163,11 @@ display_chains()
|
||||
timed_read
|
||||
|
||||
clear
|
||||
echo -e "$banner `date`\\n"
|
||||
echo "$banner `date`"
|
||||
echo
|
||||
firstchain=Yes
|
||||
echo -e "Input Chains\\n"
|
||||
echo "Input Chains"
|
||||
echo
|
||||
|
||||
chains=`grep '^Chain.*_[in|fwd]' /tmp/chains-$$ | cut -d' ' -f 2`
|
||||
|
||||
@ -176,10 +181,12 @@ display_chains()
|
||||
|
||||
if [ -n "`grep "^Chain \.*${zone}" /tmp/chains-$$`" ] ; then
|
||||
clear
|
||||
echo -e "$banner `date`\\n"
|
||||
echo "$banner `date`"
|
||||
echo
|
||||
firstchain=Yes
|
||||
eval display=\$${zone}_display
|
||||
echo -e "$display Chains\\n"
|
||||
echo "$display Chains"
|
||||
echo
|
||||
for zone1 in $FW $zones; do
|
||||
showchain ${zone}2$zone1
|
||||
showchain @${zone}2$zone1
|
||||
@ -193,9 +200,11 @@ display_chains()
|
||||
done
|
||||
|
||||
clear
|
||||
echo -e "$banner `date`\\n"
|
||||
echo "$banner `date`"
|
||||
echo
|
||||
firstchain=Yes
|
||||
echo -e "Policy Chains\\n"
|
||||
echo "Policy Chains"
|
||||
echo
|
||||
showchain common
|
||||
showchain badpkt
|
||||
showchain icmpdef
|
||||
@ -212,9 +221,11 @@ display_chains()
|
||||
timed_read
|
||||
|
||||
clear
|
||||
echo -e "$banner `date`\\n"
|
||||
echo "$banner `date`"
|
||||
echo
|
||||
firstchain=Yes
|
||||
echo -e "Dynamic Chain\\n"
|
||||
echo "Dynamic Chain"
|
||||
echo
|
||||
showchain dynamic
|
||||
timed_read
|
||||
|
||||
@ -248,7 +259,8 @@ packet_log() # $1 = number of messages
|
||||
[ -n "$realtail" ] && options="-n$1"
|
||||
|
||||
grep 'Shorewall:\|ipt_unclean' $LOGFILE | \
|
||||
sed s/" $host kernel: Shorewall:"/" "/ | \
|
||||
sed s/" kernel:"// | \
|
||||
sed s/" $host Shorewall:"/" "/ | \
|
||||
sed s/" $host kernel: ipt_unclean: "/" "/ | \
|
||||
sed 's/MAC=.*SRC=/SRC=/' | \
|
||||
tail $options
|
||||
@ -284,6 +296,34 @@ show_tc() {
|
||||
|
||||
}
|
||||
|
||||
#
|
||||
# Show classifier information
|
||||
#
|
||||
show_classifiers() {
|
||||
|
||||
show_one_classifier() {
|
||||
local device=${1%@*}
|
||||
qdisc=`tc qdisc list dev $device`
|
||||
|
||||
if [ -n "$qdisc" ]; then
|
||||
echo Device $device:
|
||||
tc -s filter ls dev $device
|
||||
echo
|
||||
fi
|
||||
}
|
||||
|
||||
ip link list | \
|
||||
while read inx interface details; do
|
||||
case $inx in
|
||||
[0-9]*)
|
||||
show_one_classifier ${interface%:}
|
||||
;;
|
||||
*)
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
}
|
||||
#
|
||||
# Monitor the Firewall
|
||||
#
|
||||
@ -309,9 +349,11 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
|
||||
display_chains
|
||||
|
||||
clear
|
||||
echo -e "$banner `date`\\n"
|
||||
echo "$banner `date`"
|
||||
echo
|
||||
|
||||
echo -e "Dropped/Rejected Packet Log\\n"
|
||||
echo "Dropped/Rejected Packet Log"
|
||||
echo
|
||||
|
||||
show_reset
|
||||
|
||||
@ -319,11 +361,14 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
|
||||
|
||||
if [ "$rejects" != "$oldrejects" ]; then
|
||||
oldrejects="$rejects"
|
||||
echo -e '\a'
|
||||
|
||||
$RING_BELL
|
||||
|
||||
packet_log 20
|
||||
|
||||
if [ "$pause" = "Yes" ]; then
|
||||
echo -en '\nEnter any character to continue: '
|
||||
echo
|
||||
echo $ECHO_N 'Enter any character to continue: '
|
||||
read foo
|
||||
else
|
||||
timed_read
|
||||
@ -335,28 +380,48 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
|
||||
fi
|
||||
|
||||
clear
|
||||
echo -e "$banner `date`\\n"
|
||||
echo -e "NAT Status\\n"
|
||||
echo "$banner `date`"
|
||||
echo
|
||||
echo "NAT Status"
|
||||
echo
|
||||
iptables -t nat -L -n -v
|
||||
timed_read
|
||||
|
||||
clear
|
||||
echo -e "$banner `date`\\n"
|
||||
echo -e "\\nTOS/MARK Status\\n"
|
||||
echo "$banner `date`"
|
||||
echo
|
||||
echo
|
||||
echo "TOS/MARK Status"
|
||||
echo
|
||||
iptables -t mangle -L -n -v
|
||||
timed_read
|
||||
|
||||
clear
|
||||
echo -e "$banner `date`\\n"
|
||||
echo -e "\\nTracked Connections\\n"
|
||||
echo "$banner `date`"
|
||||
echo
|
||||
echo
|
||||
echo "Tracked Connections"
|
||||
echo
|
||||
cat /proc/net/ip_conntrack
|
||||
timed_read
|
||||
|
||||
clear
|
||||
echo -e "$banner `date`\\n"
|
||||
echo -e "\\nTraffic Shaping/Control\\n"
|
||||
echo "$banner `date`"
|
||||
echo
|
||||
echo
|
||||
echo "Traffic Shaping/Control"
|
||||
echo
|
||||
show_tc
|
||||
timed_read
|
||||
|
||||
clear
|
||||
echo "$banner `date`"
|
||||
echo
|
||||
echo
|
||||
echo "Packet Classifiers"
|
||||
echo
|
||||
show_classifiers
|
||||
timed_read
|
||||
done
|
||||
}
|
||||
|
||||
@ -383,9 +448,11 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
|
||||
|
||||
while true; do
|
||||
clear
|
||||
echo -e "$banner `date`\\n"
|
||||
echo "$banner `date`"
|
||||
echo
|
||||
|
||||
echo -e "Dropped/Rejected Packet Log\\n"
|
||||
echo "Dropped/Rejected Packet Log"
|
||||
echo
|
||||
|
||||
show_reset
|
||||
|
||||
@ -393,11 +460,14 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
|
||||
|
||||
if [ "$rejects" != "$oldrejects" ]; then
|
||||
oldrejects="$rejects"
|
||||
echo -e '\a'
|
||||
|
||||
$RING_BELL
|
||||
|
||||
packet_log 40
|
||||
|
||||
if [ "$pause" = "Yes" ]; then
|
||||
echo -en '\nEnter any character to continue: '
|
||||
echo
|
||||
echo $ECHO_N 'Enter any character to continue: '
|
||||
read foo
|
||||
else
|
||||
timed_read
|
||||
@ -419,7 +489,7 @@ usage() # $1 = exit status
|
||||
echo "where <command> is one of:"
|
||||
echo " add <interface>[:<host>] <zone>"
|
||||
echo " delete <interface>[:<host>] <zone>"
|
||||
echo " show [<chain>|connections|log|nat|tc|tos]"
|
||||
echo " show [<chain>|classifiers|connections|log|nat|tc|tos]"
|
||||
echo " start"
|
||||
echo " stop"
|
||||
echo " reset"
|
||||
@ -445,7 +515,8 @@ usage() # $1 = exit status
|
||||
#
|
||||
show_reset() {
|
||||
[ -f $STATEDIR/restarted ] && \
|
||||
echo -e "Counters reset `cat $STATEDIR/restarted`\\n"
|
||||
echo "Counters reset `cat $STATEDIR/restarted`" && \
|
||||
echo
|
||||
}
|
||||
|
||||
#
|
||||
@ -537,6 +608,24 @@ banner="Shorewall-$version Status at $HOSTNAME -"
|
||||
|
||||
get_statedir
|
||||
|
||||
case `echo -e` in
|
||||
-e*)
|
||||
RING_BELL="echo \'\a\'"
|
||||
;;
|
||||
*)
|
||||
RING_BELL="echo -e \'\a\'"
|
||||
;;
|
||||
esac
|
||||
|
||||
case `echo -n "Testing"` in
|
||||
-n*)
|
||||
ECHO_N=
|
||||
;;
|
||||
*)
|
||||
ECHO_N=-n
|
||||
;;
|
||||
esac
|
||||
|
||||
case "$1" in
|
||||
start|stop|restart|reset|clear|refresh|check)
|
||||
[ $# -ne 1 ] && usage 1
|
||||
@ -550,32 +639,43 @@ case "$1" in
|
||||
[ $# -gt 2 ] && usage 1
|
||||
case "$2" in
|
||||
connections)
|
||||
echo -e "Shorewall-$version Connections at $HOSTNAME - `date`\\n"
|
||||
echo "Shorewall-$version Connections at $HOSTNAME - `date`"
|
||||
echo
|
||||
cat /proc/net/ip_conntrack
|
||||
;;
|
||||
nat)
|
||||
echo -e "Shorewall-$version NAT at $HOSTNAME - `date`\\n"
|
||||
echo "Shorewall-$version NAT at $HOSTNAME - `date`"
|
||||
echo
|
||||
show_reset
|
||||
iptables -t nat -L -n -v
|
||||
;;
|
||||
tos|mangle)
|
||||
echo -e "Shorewall-$version TOS at $HOSTNAME - `date`\\n"
|
||||
echo "Shorewall-$version TOS at $HOSTNAME - `date`"
|
||||
echo
|
||||
show_reset
|
||||
iptables -t mangle -L -n -v
|
||||
;;
|
||||
log)
|
||||
get_config
|
||||
echo -e "Shorewall-$version Log at $HOSTNAME - `date`\\n"
|
||||
echo "Shorewall-$version Log at $HOSTNAME - `date`"
|
||||
echo
|
||||
show_reset
|
||||
host=`echo $HOSTNAME | sed 's/\..*$//'`
|
||||
packet_log 20
|
||||
;;
|
||||
tc)
|
||||
echo -e "Shorewall-$version Traffic Control at $HOSTNAME - `date`\\n"
|
||||
echo "Shorewall-$version Traffic Control at $HOSTNAME - `date`"
|
||||
echo
|
||||
show_tc
|
||||
;;
|
||||
classifiers)
|
||||
echo "Shorewall-$version Clasifiers at $HOSTNAME - `date`"
|
||||
echo
|
||||
show_classifiers
|
||||
;;
|
||||
*)
|
||||
echo -e "Shorewall-$version Chain $2 at $HOSTNAME - `date`\\n"
|
||||
echo "Shorewall-$version Chain $2 at $HOSTNAME - `date`"
|
||||
echo
|
||||
show_reset
|
||||
iptables -L $2 -n -v
|
||||
;;
|
||||
@ -594,15 +694,20 @@ case "$1" in
|
||||
[ $# -eq 1 ] || usage 1
|
||||
get_config
|
||||
clear
|
||||
echo -e "Shorewall-$version Status at $HOSTNAME - `date`\\n"
|
||||
echo "Shorewall-$version Status at $HOSTNAME - `date`"
|
||||
echo
|
||||
show_reset
|
||||
host=`echo $HOSTNAME | sed 's/\..*$//'`
|
||||
iptables -L -n -v
|
||||
echo
|
||||
packet_log 20
|
||||
echo
|
||||
echo "NAT Table"
|
||||
echo
|
||||
iptables -t nat -L -n -v
|
||||
echo
|
||||
echo "Mangle Table"
|
||||
echo
|
||||
iptables -t mangle -L -n -v
|
||||
echo
|
||||
cat /proc/net/ip_conntrack
|
||||
@ -611,7 +716,9 @@ case "$1" in
|
||||
[ $# -eq 1 ] || usage 1
|
||||
get_config
|
||||
clear
|
||||
echo -e "Shorewall-$version Hits at $HOSTNAME - `date`\\n"
|
||||
echo "Shorewall-$version Hits at $HOSTNAME - `date`"
|
||||
echo
|
||||
|
||||
timeout=30
|
||||
|
||||
if [ `grep -c "Shorewall:" $LOGFILE ` -gt 0 ] ; then
|
||||
|
@ -25,9 +25,22 @@ find_file()
|
||||
#
|
||||
# Replace commas with spaces and echo the result
|
||||
#
|
||||
separate_list()
|
||||
{
|
||||
echo $1 | sed 's/,/ /g'
|
||||
separate_list() {
|
||||
local list
|
||||
local part
|
||||
local newlist
|
||||
|
||||
list="$@"
|
||||
part="${list%%,*}"
|
||||
newlist="$part"
|
||||
|
||||
while [ "x$part" != "x$list" ]; do
|
||||
list="${list#*,}";
|
||||
part="${list%%,*}";
|
||||
newlist="$newlist $part";
|
||||
done
|
||||
|
||||
echo "$newlist"
|
||||
}
|
||||
|
||||
#
|
||||
|
@ -16,3 +16,7 @@
|
||||
/etc/shorewall/tos TOS Type of Service policy
|
||||
/etc/shorewall/blacklist Blacklist Blacklisted hosts
|
||||
/etc/shorewall/rfc1918 RFC1918 Defines 'norfc1918' interface option
|
||||
/etc/shorewall/init Init Commands executed before [re]start
|
||||
/etc/shorewall/start Start Commands executed after [re]start
|
||||
/etc/shorewall/stop Stop Commands executed before stop
|
||||
/etc/shorewall/stopped Stopped Commands executed after stop
|
||||
|
@ -1 +1 @@
|
||||
1.3.10
|
||||
1.3.12
|
||||
|
@ -1,17 +1,43 @@
|
||||
Changes since 1.3.10
|
||||
Changes since 1.3.11
|
||||
|
||||
1. Added TCP flags checking.
|
||||
1. Fixed DNAT/REDIRECT bug with excluded sub-zones.
|
||||
|
||||
2. Accomodate bash clones like dash and ash
|
||||
2. "shorewall refresh" now refreshes the traffic shaping rules
|
||||
|
||||
3. Added some comments in the policy chain creation/population logic.
|
||||
3. Turned off debugging after error.
|
||||
|
||||
4. Check for fw->fw rules.
|
||||
4. Removed drop of INVALID state output ICMP packets.
|
||||
|
||||
5. Allow 'all' in rules.
|
||||
5. Replaced 'sed' invocation in separate_list() by shell code (speedup).
|
||||
|
||||
6. Add reverse GRE rules for PPTP server and clients.
|
||||
6. Replaced 'wc' invocation in list_count() by shell code (speedup)
|
||||
|
||||
7. Add warning to tcrules file.
|
||||
7. Replaced 'sed' invocation in run_iptables() by shell code and
|
||||
optomized (speedup)
|
||||
|
||||
8. Add warning to policy file that fw->fw policies aren't allowed.
|
||||
8. Only read the interfaces file once (speedup)
|
||||
|
||||
9. Only read the policy file once (speedup)
|
||||
|
||||
10. Removed redundant function input_chains() (duplicate of first_chains())
|
||||
|
||||
11. Generated an error if 'lo' is defined in the interfaces file.
|
||||
|
||||
12. Clarified error message where ORIGINAL DEST is specified on an
|
||||
ACCEPT, DROP or REJECT rule.
|
||||
|
||||
13. Added "shorewall show classifiers" command and added packet
|
||||
classification filter display to "shorewall monitor"
|
||||
|
||||
14. Added an error message when the destination in a rule contained a
|
||||
MAC address.
|
||||
|
||||
15. Added ULOG target support.
|
||||
|
||||
16. Add MARK_IN_FORWARD option.
|
||||
|
||||
17. General Cleanup for Release
|
||||
|
||||
18. Release changes and add init, start, stop and stopped files.
|
||||
|
||||
19. Add headings to NAT and Mangle tables in "shorewall status" output
|
||||
|
File diff suppressed because it is too large
Load Diff
@ -2,17 +2,22 @@
|
||||
<html>
|
||||
<head>
|
||||
|
||||
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
<title>Shorewall FAQ</title>
|
||||
|
||||
|
||||
|
||||
<meta name="Microsoft Theme" content="none">
|
||||
</head>
|
||||
<body>
|
||||
@ -29,12 +34,13 @@
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<p align="left"><b>1. </b><a href="#faq1"> I want to <b>forward</b> UDP <b>
|
||||
port</b> 7777 to my my personal PC with IP address 192.168.1.5.
|
||||
I've looked everywhere and can't find <b>how to do it</b>.</a></p>
|
||||
I've looked everywhere and can't find <b>how to do it</b>.</a></p>
|
||||
|
||||
<p align="left"><b>1a. </b><a href="#faq1a">Ok -- I followed those instructions
|
||||
but it doesn't work.<br>
|
||||
@ -44,22 +50,22 @@ I've looked everywhere and can't find <b>how to do it</b>.</a></p>
|
||||
port forwarding</a></p>
|
||||
|
||||
<p align="left"><b>2.</b> <a href="#faq2">I <b>port forward</b> www requests
|
||||
to www.mydomain.com (IP 130.151.100.69) to system 192.168.1.5 in my
|
||||
local network. <b>External clients can browse</b> http://www.mydomain.com
|
||||
to www.mydomain.com (IP 130.151.100.69) to system 192.168.1.5
|
||||
in my local network. <b>External clients can browse</b> http://www.mydomain.com
|
||||
but <b>internal clients can't</b>.</a></p>
|
||||
|
||||
<p align="left"><b>2a. </b><a href="#faq3">I have a zone "Z" with an RFC1918
|
||||
subnet and I use <b>static NAT</b> to assign non-RFC1918 addresses
|
||||
to hosts in Z. Hosts in Z cannot communicate with each other using
|
||||
their external (non-RFC1918 addresses) so they <b>can't access each
|
||||
other using their DNS names.</b></a></p>
|
||||
their external (non-RFC1918 addresses) so they <b>can't access
|
||||
each other using their DNS names.</b></a></p>
|
||||
|
||||
<p align="left"><b>3. </b><a href="#faq3">I want to use <b>Netmeeting/MSN
|
||||
Messenger </b>with Shorewall. What do I do?</a></p>
|
||||
|
||||
<p align="left"><b>4. </b><a href="#faq4">I just used an online port scanner
|
||||
to check my firewall and it shows <b>some ports as 'closed' rather
|
||||
than 'blocked'.</b> Why?</a></p>
|
||||
to check my firewall and it shows <b>some ports as 'closed'
|
||||
rather than 'blocked'.</b> Why?</a></p>
|
||||
|
||||
<p align="left"><b>4a. </b><a href="#faq4a">I just ran an <b>nmap UDP scan</b>
|
||||
of my firewall and it showed 100s of ports as open!!!!</a></p>
|
||||
@ -74,11 +80,12 @@ other using their DNS names.</b></a></p>
|
||||
that work with Shorewall?</a></p>
|
||||
|
||||
<p align="left"><b>7. </b><a href="#faq7">When I stop Shorewall <b>using
|
||||
'shorewall stop', I can't connect to anything</b>. Why doesn't that command
|
||||
'shorewall stop', I can't connect to anything</b>. Why doesn't that command
|
||||
work?</a></p>
|
||||
|
||||
<p align="left"><b>8. </b><a href="#faq8">When I try to <b>start Shorewall
|
||||
on RedHat 7.x</b>, I get messages about insmod failing -- what's wrong?</a></p>
|
||||
on RedHat</b> I get messages about insmod failing -- what's
|
||||
wrong?</a></p>
|
||||
|
||||
<p align="left"><b>9. </b><a href="FAQ.htm#faq9">Why can't Shorewall <b>detect
|
||||
my interfaces </b>properly?</a></p>
|
||||
@ -87,7 +94,7 @@ other using their DNS names.</b></a></p>
|
||||
it work with?</a></p>
|
||||
|
||||
<p align="left"><b>11. </b><a href="#faq18">What <b>features</b> does it
|
||||
support?</a></p>
|
||||
support?</a></p>
|
||||
|
||||
<p align="left"><b>12. </b><a href="#faq12">Why isn't there a <b>GUI</b></a></p>
|
||||
|
||||
@ -95,13 +102,13 @@ support?</a></p>
|
||||
|
||||
<p align="left"><b>14. </b><a href="#faq14">I'm connected via a cable modem
|
||||
and it has an internel web server that allows me to configure/monitor
|
||||
it but as expected if I enable <b> rfc1918 blocking</b> for my eth0
|
||||
interface, it also blocks the <b>cable modems web server</b></a>.</p>
|
||||
it but as expected if I enable <b> rfc1918 blocking</b> for my
|
||||
eth0 interface, it also blocks the <b>cable modems web server</b></a>.</p>
|
||||
|
||||
<p align="left"><b>14a. </b><a href="#faq14a">Even though it assigns public
|
||||
IP addresses, my ISP's DHCP server has an RFC 1918 address. If I
|
||||
enable RFC 1918 filtering on my external interface, <b>my DHCP client
|
||||
cannot renew its lease</b>.</a></p>
|
||||
IP addresses, my ISP's DHCP server has an RFC 1918 address.
|
||||
If I enable RFC 1918 filtering on my external interface, <b>my
|
||||
DHCP client cannot renew its lease</b>.</a></p>
|
||||
|
||||
<p align="left"><b>15. </b><a href="#faq15"><b>My local systems can't see
|
||||
out to the net</b></a></p>
|
||||
@ -109,23 +116,24 @@ cannot renew its lease</b>.</a></p>
|
||||
<p align="left"><b>16. </b><a href="#faq16">Shorewall is writing <b>log messages
|
||||
all over my console</b> making it unusable!<br>
|
||||
</a></p>
|
||||
<b>17</b>. <a href="#faq17">How do I find out <b>why
|
||||
this is</b> getting <b>logged?</b></a><br>
|
||||
<b>17</b>. <a href="#faq17">How do I find
|
||||
out <b>why this traffic is</b> getting <b>logged?</b></a><br>
|
||||
<br>
|
||||
<b>18.</b> <a href="#faq18">Is there any way to use <b>aliased ip
|
||||
addresses</b> with Shorewall, and maintain separate rulesets for different
|
||||
IPs?</a><br>
|
||||
<b>18.</b> <a href="#faq18">Is there any way to use <b>aliased
|
||||
ip addresses</b> with Shorewall, and maintain separate rulesets for
|
||||
different IPs?</a><br>
|
||||
<br>
|
||||
<b>19. </b><a href="#faq19">I have added <b>entries to /etc/shorewall/tcrules</b>
|
||||
but they <b>don't </b>seem to <b>do anything</b>. Why?</a><br>
|
||||
<br>
|
||||
<b>20.<a href="#faq20"> </a></b><a href="#faq20">I have just set up a
|
||||
server. <b>Do I have to change Shorewall to allow access to my server from
|
||||
the internet?<br>
|
||||
</b><br>
|
||||
</a><a href="#faq21"><b>21. </b>I see these <b>strange log entries </b>occasionally;
|
||||
what are they?<br>
|
||||
<b>20. </b><a href="#faq20">I have just set up a server. <b>Do
|
||||
I have to change Shorewall to allow access to my server from the internet?<br>
|
||||
<br>
|
||||
</b></a><b>21. </b><a href="#faq21">I see these <b>strange log entries
|
||||
</b>occasionally; what are they?<br>
|
||||
</a><br>
|
||||
<b>22. </b><a href="#faq22">I have some <b>iptables commands </b>that I
|
||||
want to <b>run when Shorewall starts.</b> Which file do I put them in?</a><br>
|
||||
|
||||
<hr>
|
||||
<h4 align="left"><a name="faq1"></a>1. I want to forward UDP port 7777 to
|
||||
@ -139,6 +147,7 @@ the internet?<br>
|
||||
rule to a local system is as follows:</p>
|
||||
|
||||
<blockquote>
|
||||
|
||||
<table border="1" cellpadding="2" style="border-collapse: collapse;"
|
||||
id="AutoNumber1">
|
||||
<tbody>
|
||||
@ -165,7 +174,9 @@ the internet?<br>
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
</tbody>
|
||||
|
||||
</table>
|
||||
</blockquote>
|
||||
|
||||
@ -173,6 +184,7 @@ the internet?<br>
|
||||
the rule is:</p>
|
||||
|
||||
<blockquote>
|
||||
|
||||
<table border="1" cellpadding="2" style="border-collapse: collapse;"
|
||||
id="AutoNumber1">
|
||||
<tbody>
|
||||
@ -198,18 +210,18 @@ the internet?<br>
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
</tbody>
|
||||
|
||||
</table>
|
||||
</blockquote>
|
||||
|
||||
<div align="left">
|
||||
<pre align="left"><font face="Courier"> DNAT net loc:192.168.1.5 udp 7777</font></pre>
|
||||
</div>
|
||||
|
||||
<p align="left">If you want to forward requests directed to a particular
|
||||
address ( <i><external IP></i> ) on your firewall to an internal system:</p>
|
||||
<div align="left"> <font face="Courier"> </font>If
|
||||
you want to forward requests directed to a particular address ( <i><external
|
||||
IP></i> ) on your firewall to an internal system:</div>
|
||||
|
||||
<blockquote>
|
||||
|
||||
<table border="1" cellpadding="2" style="border-collapse: collapse;"
|
||||
id="AutoNumber1">
|
||||
<tbody>
|
||||
@ -234,7 +246,9 @@ address ( <i><external IP></i> ) on your firewall to an internal system:</
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
</tbody>
|
||||
|
||||
</table>
|
||||
</blockquote>
|
||||
|
||||
@ -245,10 +259,10 @@ address ( <i><external IP></i> ) on your firewall to an internal system:</
|
||||
|
||||
<ul>
|
||||
<li>You are trying to test from inside your firewall
|
||||
(no, that won't work -- see <a href="#faq2">FAQ #2</a>).</li>
|
||||
<li>You have a more basic problem with your local system
|
||||
such as an incorrect default gateway configured (it should be set
|
||||
to the IP address of your firewall's internal interface).</li>
|
||||
(no, that won't work -- see <a href="#faq2">FAQ #2</a>).</li>
|
||||
<li>You have a more basic problem with your local
|
||||
system such as an incorrect default gateway configured (it should
|
||||
be set to the IP address of your firewall's internal interface).</li>
|
||||
|
||||
</ul>
|
||||
|
||||
@ -257,30 +271,31 @@ to the IP address of your firewall's internal interface).</li>
|
||||
<b>Answer: </b>To further diagnose this problem:<br>
|
||||
|
||||
<ul>
|
||||
<li>As root, type "iptables -t nat -Z". This clears the NetFilter
|
||||
counters in the nat table.</li>
|
||||
<li>Try to connect to the redirected port from an external host.</li>
|
||||
<li>As root, type "iptables -t nat -Z". This clears the
|
||||
NetFilter counters in the nat table.</li>
|
||||
<li>Try to connect to the redirected port from an external
|
||||
host.</li>
|
||||
<li>As root type "shorewall show nat"</li>
|
||||
<li>Locate the appropriate DNAT rule. It will be in a chain called
|
||||
<i>zone</i>_dnat where <i>zone</i> is the zone that includes the
|
||||
('net' in the above examples).</li>
|
||||
<li>Is the packet count in the first column non-zero? If so, the
|
||||
connection request is reaching the firewall and is being redirected to
|
||||
the server. In this case, the problem is usually a missing or incorrect
|
||||
default gateway setting on the server (the server's default gateway should
|
||||
be the IP address of the firewall's interface to the server).</li>
|
||||
<li>Locate the appropriate DNAT rule. It will be in a chain
|
||||
called <i>zone</i>_dnat where <i>zone</i> is the zone that includes
|
||||
the ('net' in the above examples).</li>
|
||||
<li>Is the packet count in the first column non-zero? If
|
||||
so, the connection request is reaching the firewall and is being redirected
|
||||
to the server. In this case, the problem is usually a missing or incorrect
|
||||
default gateway setting on the server (the server's default gateway
|
||||
should be the IP address of the firewall's interface to the server).</li>
|
||||
<li>If the packet count is zero:</li>
|
||||
|
||||
<ul>
|
||||
<li>the connection request is not reaching your server (possibly
|
||||
it is being blocked by your ISP); or</li>
|
||||
<li>you are trying to connect to a secondary IP address on your
|
||||
firewall and your rule is only redirecting the primary IP address (You
|
||||
need to specify the secondary IP address in the "ORIG. DEST." column in
|
||||
your DNAT rule); or</li>
|
||||
<li>your DNAT rule doesn't match the connection request in some
|
||||
other way. In that case, you may have to use a packet sniffer such as tcpdump
|
||||
or ethereal to further diagnose the problem.<br>
|
||||
<li>the connection request is not reaching your server
|
||||
(possibly it is being blocked by your ISP); or</li>
|
||||
<li>you are trying to connect to a secondary IP address
|
||||
on your firewall and your rule is only redirecting the primary IP address
|
||||
(You need to specify the secondary IP address in the "ORIG. DEST." column
|
||||
in your DNAT rule); or</li>
|
||||
<li>your DNAT rule doesn't match the connection request
|
||||
in some other way. In that case, you may have to use a packet sniffer
|
||||
such as tcpdump or ethereal to further diagnose the problem.<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
@ -288,31 +303,34 @@ your DNAT rule); or</li>
|
||||
</ul>
|
||||
|
||||
<h4 align="left"><a name="faq2"></a>2. I port forward www requests to www.mydomain.com
|
||||
(IP 130.151.100.69) to system 192.168.1.5 in my local network. External
|
||||
clients can browse http://www.mydomain.com but internal clients can't.</h4>
|
||||
(IP 130.151.100.69) to system 192.168.1.5 in my local network.
|
||||
External clients can browse http://www.mydomain.com but internal
|
||||
clients can't.</h4>
|
||||
|
||||
<p align="left"><b>Answer: </b>I have two objections to this setup.</p>
|
||||
|
||||
<ul>
|
||||
<li>Having an internet-accessible server in your local
|
||||
network is like raising foxes in the corner of your hen house.
|
||||
If the server is compromised, there's nothing between that server
|
||||
and your other internal systems. For the cost of another NIC and
|
||||
a cross-over cable, you can put your server in a DMZ such that
|
||||
it is isolated from your local systems - assuming that the Server
|
||||
can be located near the Firewall, of course :-)</li>
|
||||
<li>Having an internet-accessible server in your
|
||||
local network is like raising foxes in the corner of your hen
|
||||
house. If the server is compromised, there's nothing between that
|
||||
server and your other internal systems. For the cost of another
|
||||
NIC and a cross-over cable, you can put your server in a DMZ
|
||||
such that it is isolated from your local systems - assuming that
|
||||
the Server can be located near the Firewall, of course :-)</li>
|
||||
<li>The accessibility problem is best solved using
|
||||
<a href="shorewall_setup_guide.htm#DNS">Bind Version 9 "views"</a>
|
||||
(or using a separate DNS server for local clients) such that www.mydomain.com
|
||||
resolves to 130.141.100.69 externally and 192.168.1.5 internally. That's
|
||||
what I do here at shorewall.net for my local systems that use static NAT.</li>
|
||||
(or using a separate DNS server for local clients) such that www.mydomain.com
|
||||
resolves to 130.141.100.69 externally and 192.168.1.5 internally.
|
||||
That's what I do here at shorewall.net for my local systems that use
|
||||
static NAT.</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<p align="left">If you insist on an IP solution to the accessibility problem
|
||||
rather than a DNS solution, then assuming that your external interface
|
||||
is eth0 and your internal interface is eth1 and that eth1 has IP
|
||||
address 192.168.1.254 with subnet 192.168.1.0/24, do the following:</p>
|
||||
rather than a DNS solution, then assuming that your external
|
||||
interface is eth0 and your internal interface is eth1 and that
|
||||
eth1 has IP address 192.168.1.254 with subnet 192.168.1.0/24, do
|
||||
the following:</p>
|
||||
|
||||
<p align="left">a) In /etc/shorewall/interfaces, specify "multi" as an option
|
||||
for eth1 (No longer required as of Shorewall version 1.3.9).</p>
|
||||
@ -323,6 +341,7 @@ address 192.168.1.254 with subnet 192.168.1.0/24, do the following:</p>
|
||||
|
||||
<div align="left">
|
||||
<blockquote>
|
||||
|
||||
<table border="1" cellpadding="2" style="border-collapse: collapse;"
|
||||
id="AutoNumber1">
|
||||
<tbody>
|
||||
@ -346,19 +365,18 @@ address 192.168.1.254 with subnet 192.168.1.0/24, do the following:</p>
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
</tbody>
|
||||
|
||||
</table>
|
||||
</blockquote>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<pre align="left"> <font face="Courier">DNAT loc:192.168.1.0/24 loc:192.168.1.5 tcp www - 130.151.100.69:192.168.1.254</font></pre>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<p align="left">That rule only works of course if you have a static external
|
||||
IP address. If you have a dynamic IP address and are running Shorewall
|
||||
1.3.4 or later then include this in /etc/shorewall/params:</p>
|
||||
IP address. If you have a dynamic IP address and are running
|
||||
Shorewall 1.3.4 or later then include this in /etc/shorewall/params:</p>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
@ -371,6 +389,7 @@ address 192.168.1.254 with subnet 192.168.1.0/24, do the following:</p>
|
||||
|
||||
<div align="left">
|
||||
<blockquote>
|
||||
|
||||
<table border="1" cellpadding="2" style="border-collapse: collapse;"
|
||||
id="AutoNumber1">
|
||||
<tbody>
|
||||
@ -394,22 +413,24 @@ address 192.168.1.254 with subnet 192.168.1.0/24, do the following:</p>
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
</tbody>
|
||||
|
||||
</table>
|
||||
</blockquote>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<p align="left">Using this technique, you will want to configure your DHCP/PPPoE
|
||||
client to automatically restart Shorewall each time that you get
|
||||
a new IP address.</p>
|
||||
client to automatically restart Shorewall each time that you
|
||||
get a new IP address.</p>
|
||||
</div>
|
||||
|
||||
<h4 align="left"><a name="faq2a"></a>2a. I have a zone "Z" with an RFC1918
|
||||
subnet and I use static NAT to assign non-RFC1918 addresses to hosts
|
||||
in Z. Hosts in Z cannot communicate with each other using their external
|
||||
(non-RFC1918 addresses) so they can't access each other using their
|
||||
DNS names.</h4>
|
||||
subnet and I use static NAT to assign non-RFC1918 addresses to
|
||||
hosts in Z. Hosts in Z cannot communicate with each other using
|
||||
their external (non-RFC1918 addresses) so they can't access each
|
||||
other using their DNS names.</h4>
|
||||
|
||||
<p align="left"><b>Answer: </b>This is another problem that is best solved
|
||||
using Bind Version 9 "views". It allows both external and internal
|
||||
@ -418,10 +439,10 @@ a new IP address.</p>
|
||||
<p align="left">Another good way to approach this problem is to switch from
|
||||
static NAT to Proxy ARP. That way, the hosts in Z have non-RFC1918
|
||||
addresses and can be accessed externally and internally using the
|
||||
same address. </p>
|
||||
same address. </p>
|
||||
|
||||
<p align="left">If you don't like those solutions and prefer routing all Z->Z
|
||||
traffic through your firewall then:</p>
|
||||
<p align="left">If you don't like those solutions and prefer routing all
|
||||
Z->Z traffic through your firewall then:</p>
|
||||
|
||||
<p align="left">a) Specify "multi" on the entry for Z's interface in /etc/shorewall/interfaces
|
||||
(If you are running a Shorewall version earlier than 1.3.9).<br>
|
||||
@ -437,6 +458,7 @@ traffic through your firewall then:</p>
|
||||
<p align="left">In /etc/shorewall/interfaces:</p>
|
||||
|
||||
<blockquote>
|
||||
|
||||
<table border="1" cellpadding="2" style="border-collapse: collapse;"
|
||||
id="AutoNumber2">
|
||||
<tbody>
|
||||
@ -454,13 +476,16 @@ traffic through your firewall then:</p>
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
</tbody>
|
||||
|
||||
</table>
|
||||
</blockquote>
|
||||
|
||||
<p align="left">In /etc/shorewall/policy:</p>
|
||||
|
||||
<blockquote>
|
||||
|
||||
<table border="1" cellpadding="2" style="border-collapse: collapse;"
|
||||
id="AutoNumber3">
|
||||
<tbody>
|
||||
@ -479,7 +504,9 @@ traffic through your firewall then:</p>
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
</tbody>
|
||||
|
||||
</table>
|
||||
</blockquote>
|
||||
|
||||
@ -490,6 +517,7 @@ traffic through your firewall then:</p>
|
||||
<p align="left">In /etc/shorewall/masq:</p>
|
||||
|
||||
<blockquote>
|
||||
|
||||
<table border="1" cellpadding="2" style="border-collapse: collapse;"
|
||||
id="AutoNumber3" width="369">
|
||||
<tbody>
|
||||
@ -506,7 +534,9 @@ traffic through your firewall then:</p>
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
</tbody>
|
||||
|
||||
</table>
|
||||
</blockquote>
|
||||
|
||||
@ -515,8 +545,8 @@ traffic through your firewall then:</p>
|
||||
|
||||
<p align="left"><b>Answer: </b>There is an <a
|
||||
href="http://www.kfki.hu/%7Ekadlec/sw/netfilter/newnat-suite/"> H.323 connection
|
||||
tracking/NAT module</a> that may help. Also check the Netfilter mailing
|
||||
list archives at <a href="http://netfilter.samba.org">http://netfilter.samba.org</a>.
|
||||
tracking/NAT module</a> that may help. Also check the Netfilter
|
||||
mailing list archives at <a href="http://netfilter.samba.org">http://netfilter.samba.org</a>.
|
||||
</p>
|
||||
|
||||
<h4 align="left"><a name="faq4"></a>4. I just used an online port scanner
|
||||
@ -524,28 +554,29 @@ traffic through your firewall then:</p>
|
||||
than 'blocked'. Why?</h4>
|
||||
|
||||
<p align="left"><b>Answer: </b>The common.def included with version 1.3.x
|
||||
always rejects connection requests on TCP port 113 rather than
|
||||
dropping them. This is necessary to prevent outgoing connection
|
||||
problems to services that use the 'Auth' mechanism for identifying
|
||||
requesting users. Shorewall also rejects TCP ports 135, 137 and 139
|
||||
as well as UDP ports 137-139. These are ports that are used by Windows
|
||||
(Windows <u>can</u> be configured to use the DCE cell locator on port
|
||||
135). Rejecting these connection requests rather than dropping them
|
||||
cuts down slightly on the amount of Windows chatter on LAN segments connected
|
||||
to the Firewall. </p>
|
||||
always rejects connection requests on TCP port 113 rather
|
||||
than dropping them. This is necessary to prevent outgoing connection
|
||||
problems to services that use the 'Auth' mechanism for identifying
|
||||
requesting users. Shorewall also rejects TCP ports 135, 137 and
|
||||
139 as well as UDP ports 137-139. These are ports that are used
|
||||
by Windows (Windows <u>can</u> be configured to use the DCE cell locator
|
||||
on port 135). Rejecting these connection requests rather than dropping
|
||||
them cuts down slightly on the amount of Windows chatter on LAN segments
|
||||
connected to the Firewall. </p>
|
||||
|
||||
<p align="left">If you are seeing port 80 being 'closed', that's probably
|
||||
your ISP preventing you from running a web server in violation
|
||||
of your Service Agreement.</p>
|
||||
of your Service Agreement.</p>
|
||||
|
||||
<h4 align="left"><a name="faq4a"></a>4a. I just ran an nmap UDP scan of my
|
||||
firewall and it showed 100s of ports as open!!!!</h4>
|
||||
|
||||
<p align="left"><b>Answer: </b>Take a deep breath and read the nmap man page
|
||||
section about UDP scans. If nmap gets <b>nothing</b> back from
|
||||
your firewall then it reports the port as open. If you want to see
|
||||
which UDP ports are really open, temporarily change your net->all
|
||||
policy to REJECT, restart Shorewall and do the nmap UDP scan again.</p>
|
||||
section about UDP scans. If nmap gets <b>nothing</b> back
|
||||
from your firewall then it reports the port as open. If you
|
||||
want to see which UDP ports are really open, temporarily change
|
||||
your net->all policy to REJECT, restart Shorewall and do the
|
||||
nmap UDP scan again.</p>
|
||||
|
||||
<h4 align="left"><a name="faq5"></a>5. I've installed Shorewall and now I
|
||||
can't ping through the firewall</h4>
|
||||
@ -555,31 +586,37 @@ policy to REJECT, restart Shorewall and do the nmap UDP scan again.</p>
|
||||
|
||||
<p align="left">a) Do NOT specify 'noping' on any interface in /etc/shorewall/interfaces.<br>
|
||||
b) Copy /etc/shorewall/icmp.def to /etc/shorewall/icmpdef<br>
|
||||
c) Add the following to /etc/shorewall/icmpdef: </p>
|
||||
c) Add the following to /etc/shorewall/icmpdef:
|
||||
</p>
|
||||
|
||||
<blockquote>
|
||||
|
||||
<p align="left">run_iptables -A icmpdef -p ICMP --icmp-type echo-request
|
||||
-j ACCEPT </p>
|
||||
-j ACCEPT<br>
|
||||
</p>
|
||||
</blockquote>
|
||||
For a complete description of Shorewall 'ping' management, see <a
|
||||
href="ping.html">this page</a>.
|
||||
|
||||
<h4 align="left"><a name="faq6"></a>6. Where are the log messages written
|
||||
and how do I change the destination?</h4>
|
||||
|
||||
<p align="left"><b>Answer: </b>NetFilter uses the kernel's equivalent of syslog
|
||||
(see "man syslog") to log messages. It always uses the LOG_KERN (kern) facility
|
||||
(see "man openlog") and you get to choose the log level (again, see "man
|
||||
syslog") in your <a href="Documentation.htm#Policy">policies</a> and <a
|
||||
href="Documentation.htm#Rules">rules</a>. The destination for messaged
|
||||
logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
|
||||
<p align="left"><b>Answer: </b>NetFilter uses the kernel's equivalent of
|
||||
syslog (see "man syslog") to log messages. It always uses the LOG_KERN (kern)
|
||||
facility (see "man openlog") and you get to choose the log level (again,
|
||||
see "man syslog") in your <a href="Documentation.htm#Policy">policies</a>
|
||||
and <a href="Documentation.htm#Rules">rules</a>. The destination for messaged
|
||||
logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
|
||||
When you have changed /etc/syslog.conf, be sure to restart syslogd
|
||||
(on a RedHat system, "service syslog restart"). </p>
|
||||
(on a RedHat system, "service syslog restart"). </p>
|
||||
|
||||
<p align="left">By default, older versions of Shorewall ratelimited log messages
|
||||
through <a href="Documentation.htm#Conf">settings</a> in /etc/shorewall/shorewall.conf
|
||||
-- If you want to log all messages, set: </p>
|
||||
|
||||
<div align="left">
|
||||
<pre align="left"> LOGLIMIT=""<br> LOGBURST=""</pre>
|
||||
<pre align="left"> LOGLIMIT=""<br> LOGBURST=""<br><br>Beginning with Shorewall version 1.3.12, you can <a
|
||||
href="configuration_file_basics.htm#Levels">set up Shorewall to log all of its messages to a separate file</a>.<br></pre>
|
||||
</div>
|
||||
|
||||
<h4 align="left"><a name="faq6a"></a>6a. Are there any log parsers that work
|
||||
@ -589,6 +626,7 @@ logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
|
||||
</p>
|
||||
|
||||
<blockquote>
|
||||
|
||||
<p align="left"><a
|
||||
href="http://www.shorewall.net/pub/shorewall/parsefw/"> http://www.shorewall.net/pub/shorewall/parsefw/</a><br>
|
||||
<a href="http://www.fireparse.com">http://www.fireparse.com</a><br>
|
||||
@ -598,18 +636,19 @@ logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
|
||||
http://www.logwatch.org</a><br>
|
||||
</p>
|
||||
</blockquote>
|
||||
|
||||
I personnaly use Logwatch. It emails me a report each day from my various
|
||||
systems with each report summarizing the logged activity on the corresponding
|
||||
system.
|
||||
<h4 align="left"><a name="faq7"></a>7. When I stop Shorewall using 'shorewall
|
||||
stop', I can't connect to anything. Why doesn't that command work?</h4>
|
||||
|
||||
<p align="left">The 'stop' command is intended to place your firewall into
|
||||
a safe state whereby only those interfaces/hosts having the 'routestopped'
|
||||
option in /etc/shorewall/interfaces and /etc/shorewall/hosts are activated.
|
||||
If you want to totally open up your firewall, you must use the 'shorewall
|
||||
clear' command. </p>
|
||||
a safe state whereby only those hosts listed in /etc/shorewall/routestopped'
|
||||
are activated. If you want to totally open up your firewall, you
|
||||
must use the 'shorewall clear' command. </p>
|
||||
|
||||
<h4 align="left"><a name="faq8"></a>8. When I try to start Shorewall on RedHat
|
||||
7.x, I get messages about insmod failing -- what's wrong?</h4>
|
||||
<h4 align="left"><a name="faq8"></a>8. When I try to start Shorewall on RedHat,
|
||||
I get messages about insmod failing -- what's wrong?</h4>
|
||||
|
||||
<p align="left"><b>Answer: </b>The output you will see looks something like
|
||||
this:</p>
|
||||
@ -626,7 +665,7 @@ logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
|
||||
<div align="left">
|
||||
<p align="left">Also, be sure to check the <a href="errata.htm">errata</a>
|
||||
for problems concerning the version of iptables (v1.2.3) shipped
|
||||
with RH7.2.</p>
|
||||
with RH7.2.</p>
|
||||
</div>
|
||||
|
||||
<h4 align="left"> </h4>
|
||||
@ -646,9 +685,9 @@ with RH7.2.</p>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<p align="left"><b>Answer: </b>The above output is perfectly normal. The Net
|
||||
zone is defined as all hosts that are connected through eth0 and the local
|
||||
zone is defined as all hosts connected through eth1</p>
|
||||
<p align="left"><b>Answer: </b>The above output is perfectly normal. The
|
||||
Net zone is defined as all hosts that are connected through eth0 and the
|
||||
local zone is defined as all hosts connected through eth1</p>
|
||||
</div>
|
||||
|
||||
<h4 align="left"><a name="faq10"></a>10. What Distributions does it work
|
||||
@ -664,17 +703,18 @@ with RH7.2.</p>
|
||||
|
||||
<h4 align="left"><a name="faq12"></a>12. Why isn't there a GUI?</h4>
|
||||
|
||||
<p align="left"><b>Answer: </b>Every time I've started to work on one, I find
|
||||
myself doing other things. I guess I just don't care enough if Shorewall
|
||||
has a GUI to invest the effort to create one myself. There are several
|
||||
Shorewall GUI projects underway however and I will publish links to
|
||||
them when the authors feel that they are ready. </p>
|
||||
<p align="left"><b>Answer: </b>Every time I've started to work on one, I
|
||||
find myself doing other things. I guess I just don't care enough if
|
||||
Shorewall has a GUI to invest the effort to create one myself. There
|
||||
are several Shorewall GUI projects underway however and I will publish
|
||||
links to them when the authors feel that they are ready. </p>
|
||||
|
||||
<h4 align="left"> <a name="faq13"></a>13. Why do you call it "Shorewall"?</h4>
|
||||
|
||||
<p align="left"><b>Answer: </b>Shorewall is a concatenation of "<u>Shore</u>line"
|
||||
(<a href="http://www.cityofshoreline.com">the city where I live</a>)
|
||||
and "Fire<u>wall</u>".</p>
|
||||
(<a href="http://www.cityofshoreline.com">the city where
|
||||
I live</a>) and "Fire<u>wall</u>". The full name of the product
|
||||
is actually "Shoreline Firewall" but "Shorewall" is must more commonly used.</p>
|
||||
|
||||
<h4 align="left"> <a name="faq14"></a>14. I'm connected via a cable modem
|
||||
and it has an internal web server that allows me to configure/monitor
|
||||
@ -682,11 +722,12 @@ them when the authors feel that they are ready. </p>
|
||||
(the internet one), it also blocks the cable modems web server.</h4>
|
||||
|
||||
<p align="left">Is there any way it can add a rule before the rfc1918 blocking
|
||||
that will let all traffic to and from the 192.168.100.1 address of
|
||||
the modem in/out but still block all other rfc1918 addresses.</p>
|
||||
that will let all traffic to and from the 192.168.100.1 address
|
||||
of the modem in/out but still block all other rfc1918 addresses?</p>
|
||||
|
||||
<p align="left"><b>Answer: </b>If you are running a version of Shorewall earlier
|
||||
than 1.3.1, create /etc/shorewall/start and in it, place the following:</p>
|
||||
<p align="left"><b>Answer: </b>If you are running a version of Shorewall
|
||||
earlier than 1.3.1, create /etc/shorewall/start and in it, place the
|
||||
following:</p>
|
||||
|
||||
<div align="left">
|
||||
<pre> run_iptables -I rfc1918 -s 192.168.100.1 -j ACCEPT</pre>
|
||||
@ -699,6 +740,7 @@ than 1.3.1, create /etc/shorewall/start and in it, place the following:</p>
|
||||
|
||||
<div align="left">
|
||||
<blockquote>
|
||||
|
||||
<table border="1" cellpadding="2" style="border-collapse: collapse;"
|
||||
id="AutoNumber3">
|
||||
<tbody>
|
||||
@ -712,7 +754,9 @@ than 1.3.1, create /etc/shorewall/start and in it, place the following:</p>
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
</tbody>
|
||||
|
||||
</table>
|
||||
</blockquote>
|
||||
</div>
|
||||
@ -722,13 +766,14 @@ than 1.3.1, create /etc/shorewall/start and in it, place the following:</p>
|
||||
</p>
|
||||
|
||||
<p align="left">Note: If you add a second IP address to your external firewall
|
||||
interface to correspond to the modem address, you must also make an
|
||||
entry in /etc/shorewall/rfc1918 for that address. For example, if you
|
||||
configure the address 192.168.100.2 on your firewall, then you would
|
||||
add two entries to /etc/shorewall/rfc1918: <br>
|
||||
interface to correspond to the modem address, you must also make
|
||||
an entry in /etc/shorewall/rfc1918 for that address. For example,
|
||||
if you configure the address 192.168.100.2 on your firewall, then
|
||||
you would add two entries to /etc/shorewall/rfc1918: <br>
|
||||
</p>
|
||||
|
||||
<blockquote>
|
||||
|
||||
<table cellpadding="2" border="1" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
@ -752,15 +797,16 @@ than 1.3.1, create /etc/shorewall/start and in it, place the following:</p>
|
||||
|
||||
|
||||
</tbody>
|
||||
|
||||
</table>
|
||||
</blockquote>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<h4 align="left"><a name="faq14a"></a>14a. Even though it assigns public IP
|
||||
addresses, my ISP's DHCP server has an RFC 1918 address. If I enable RFC
|
||||
1918 filtering on my external interface, my DHCP client cannot renew its
|
||||
lease.</h4>
|
||||
<h4 align="left"><a name="faq14a"></a>14a. Even though it assigns public
|
||||
IP addresses, my ISP's DHCP server has an RFC 1918 address. If I enable
|
||||
RFC 1918 filtering on my external interface, my DHCP client cannot renew
|
||||
its lease.</h4>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
@ -772,23 +818,26 @@ lease.</h4>
|
||||
the net</h4>
|
||||
|
||||
<p align="left"><b>Answer: </b>Every time I read "systems can't see out to
|
||||
the net", I wonder where the poster bought computers with eyes and
|
||||
what those computers will "see" when things are working properly. That
|
||||
aside, the most common causes of this problem are:</p>
|
||||
the net", I wonder where the poster bought computers with eyes
|
||||
and what those computers will "see" when things are working properly.
|
||||
That aside, the most common causes of this problem are:</p>
|
||||
|
||||
<ol>
|
||||
<li>
|
||||
|
||||
|
||||
<p align="left">The default gateway on each local system isn't set to
|
||||
the IP address of the local firewall interface.</p>
|
||||
</li>
|
||||
<li>
|
||||
|
||||
|
||||
<p align="left">The entry for the local network in the /etc/shorewall/masq
|
||||
file is wrong or missing.</p>
|
||||
</li>
|
||||
<li>
|
||||
|
||||
|
||||
<p align="left">The DNS settings on the local systems are wrong or the
|
||||
user is running a DNS server on the firewall and hasn't enabled
|
||||
UDP and TCP port 53 from the firewall to the internet.</p>
|
||||
@ -800,57 +849,61 @@ lease.</h4>
|
||||
all over my console making it unusable!</h4>
|
||||
|
||||
<p align="left"><b>Answer: </b>"man dmesg" -- add a suitable 'dmesg' command
|
||||
to your startup scripts or place it in /etc/shorewall/start. Under
|
||||
RedHat, the max log level that is sent to the console is specified
|
||||
in /etc/sysconfig/init in the LOGLEVEL variable.<br>
|
||||
to your startup scripts or place it in /etc/shorewall/start.
|
||||
Under RedHat, the max log level that is sent to the console
|
||||
is specified in /etc/sysconfig/init in the LOGLEVEL variable.<br>
|
||||
</p>
|
||||
|
||||
<h4><a name="faq17"></a>17. How do I find out why this is getting logged?</h4>
|
||||
<b>Answer: </b>Logging occurs out of a number of chains (as
|
||||
indicated in the log message) in Shorewall:<br>
|
||||
<h4><a name="faq17"></a>17. How do I find out why this traffic is getting
|
||||
logged?</h4>
|
||||
<b>Answer: </b>Logging occurs out of a number of chains
|
||||
(as indicated in the log message) in Shorewall:<br>
|
||||
|
||||
<ol>
|
||||
<li><b>man1918 - </b>The destination address is listed in
|
||||
/etc/shorewall/rfc1918 with a <b>logdrop </b>target -- see <a
|
||||
<li><b>man1918 - </b>The destination address is listed
|
||||
in /etc/shorewall/rfc1918 with a <b>logdrop </b>target -- see <a
|
||||
href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li>
|
||||
<li><b>rfc1918</b> - The source address is listed in /etc/shorewall/rfc1918
|
||||
with a <b>logdrop </b>target -- see <a
|
||||
<li><b>rfc1918</b> - The source address is listed in
|
||||
/etc/shorewall/rfc1918 with a <b>logdrop </b>target -- see <a
|
||||
href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li>
|
||||
<li><b>all2<zone></b>, <b><zone>2all</b> or <b>all2all
|
||||
</b>- You have a<a href="Documentation.htm#Policy"> policy</a> that
|
||||
specifies a log level and this packet is being logged under that policy.
|
||||
If you intend to ACCEPT this traffic then you need a <a
|
||||
href="Documentation.htm#Rules">rule</a> to that effect.<br>
|
||||
<li><b>all2<zone></b>, <b><zone>2all</b>
|
||||
or <b>all2all </b>- You have a<a
|
||||
href="Documentation.htm#Policy"> policy</a> that specifies a log level
|
||||
and this packet is being logged under that policy. If you intend to
|
||||
ACCEPT this traffic then you need a <a href="Documentation.htm#Rules">rule</a>
|
||||
to that effect.<br>
|
||||
</li>
|
||||
<li><b><zone1>2<zone2> </b>- Either you have a<a
|
||||
href="Documentation.htm#Policy"> policy</a> for <b><zone1> </b>to
|
||||
<b><zone2></b> that specifies a log level and this packet is being
|
||||
logged under that policy or this packet matches a <a
|
||||
href="Documentation.htm#Rules">rule</a> that includes a log level.</li>
|
||||
<li><b><interface>_mac</b> - The packet is being logged under
|
||||
the <b>maclist</b> <a href="Documentation.htm#Interfaces">interface
|
||||
option</a>.<br>
|
||||
<li><b><zone1>2<zone2> </b>- Either you
|
||||
have a<a href="Documentation.htm#Policy"> policy</a> for <b><zone1>
|
||||
</b>to <b><zone2></b> that specifies a log level and this
|
||||
packet is being logged under that policy or this packet matches a
|
||||
<a href="Documentation.htm#Rules">rule</a> that includes a log level.</li>
|
||||
<li><b><interface>_mac</b> - The packet is being logged
|
||||
under the <b>maclist</b> <a
|
||||
href="Documentation.htm#Interfaces">interface option</a>.<br>
|
||||
</li>
|
||||
<li><b>logpkt</b> - The packet is being logged under the <b>logunclean</b>
|
||||
<a href="Documentation.htm#Interfaces">interface option</a>.</li>
|
||||
<li><b>badpkt </b>- The packet is being logged under the <b>dropunclean</b>
|
||||
<a href="Documentation.htm#Interfaces">interface option</a> as specified
|
||||
<li><b>logpkt</b> - The packet is being logged under
|
||||
the <b>logunclean</b> <a
|
||||
href="Documentation.htm#Interfaces">interface option</a>.</li>
|
||||
<li><b>badpkt </b>- The packet is being logged under
|
||||
the <b>dropunclean</b> <a
|
||||
href="Documentation.htm#Interfaces">interface option</a> as specified
|
||||
in the <b>LOGUNCLEAN </b>setting in <a
|
||||
href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.</li>
|
||||
<li><b>blacklst</b> - The packet is being logged because the
|
||||
source IP is blacklisted in the<a
|
||||
<li><b>blacklst</b> - The packet is being logged because
|
||||
the source IP is blacklisted in the<a
|
||||
href="Documentation.htm#Blacklist"> /etc/shorewall/blacklist </a>file.</li>
|
||||
<li><b>newnotsyn </b>- The packet is being logged because
|
||||
it is a TCP packet that is not part of any current connection yet it
|
||||
is not a syn packet. Options affecting the logging of such packets include
|
||||
<b>NEWNOTSYN </b>and <b>LOGNEWNOTSYN </b>in <a
|
||||
href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
|
||||
<li><b>INPUT</b> or <b>FORWARD</b> - The packet has a source
|
||||
IP address that isn't in any of your defined zones ("shorewall check"
|
||||
and look at the printed zone definitions) or the chain is FORWARD and
|
||||
the destination IP isn't in any of your defined zones.</li>
|
||||
<li><b>logflags </b>- The packet is being logged because it failed the
|
||||
checks implemented by the <b>tcpflags </b><a
|
||||
it is a TCP packet that is not part of any current connection yet
|
||||
it is not a syn packet. Options affecting the logging of such packets
|
||||
include <b>NEWNOTSYN </b>and <b>LOGNEWNOTSYN </b>in
|
||||
<a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
|
||||
<li><b>INPUT</b> or <b>FORWARD</b> - The packet has
|
||||
a source IP address that isn't in any of your defined zones ("shorewall
|
||||
check" and look at the printed zone definitions) or the chain is FORWARD
|
||||
and the destination IP isn't in any of your defined zones.</li>
|
||||
<li><b>logflags </b>- The packet is being logged because it failed
|
||||
the checks implemented by the <b>tcpflags </b><a
|
||||
href="Documentation.htm#Interfaces">interface option</a>.<br>
|
||||
</li>
|
||||
|
||||
@ -858,11 +911,11 @@ the destination IP isn't in any of your defined zones.</li>
|
||||
|
||||
<h4><a name="faq18"></a>18. Is there any way to use <b>aliased ip addresses</b>
|
||||
with Shorewall, and maintain separate rulesets for different IPs?</h4>
|
||||
<b>Answer: </b>Yes. You simply use the IP address in your rules
|
||||
(or if you use NAT, use the local IP address in your rules). <b>Note:</b>
|
||||
The ":n" notation (e.g., eth0:0) is deprecated and will disappear eventually.
|
||||
Neither iproute (ip and tc) nor iptables supports that notation so neither
|
||||
does Shorewall. <br>
|
||||
<b>Answer: </b>Yes. You simply use the IP address in your
|
||||
rules (or if you use NAT, use the local IP address in your rules).
|
||||
<b>Note:</b> The ":n" notation (e.g., eth0:0) is deprecated and will
|
||||
disappear eventually. Neither iproute (ip and tc) nor iptables supports
|
||||
that notation so neither does Shorewall. <br>
|
||||
<br>
|
||||
<b>Example 1:</b><br>
|
||||
<br>
|
||||
@ -893,8 +946,8 @@ The ":n" notation (e.g., eth0:0) is deprecated and will disappear eventually.
|
||||
to change Shorewall to allow access to my server from the internet?</b><br>
|
||||
</h4>
|
||||
Yes. Consult the <a href="shorewall_quickstart_guide.htm">QuickStart
|
||||
guide</a> that you used during your initial setup for information about
|
||||
how to set up rules for your server.<br>
|
||||
guide</a> that you used during your initial setup for information about
|
||||
how to set up rules for your server.<br>
|
||||
|
||||
<h4><a name="faq21"></a><b>21. </b>I see these <b>strange log entries </b>occasionally;
|
||||
what are they?<br>
|
||||
@ -903,41 +956,64 @@ how to set up rules for your server.<br>
|
||||
<blockquote>
|
||||
<pre>Nov 25 18:58:52 linux kernel: Shorewall:net2all:DROP:IN=eth1 OUT= MAC=00:60:1d:f0:a6:f9:00:60:1d:f6:35:50:08:00<br> SRC=206.124.146.179 DST=192.0.2.3 LEN=56 TOS=0x00 PREC=0x00 TTL=110 ID=18558 PROTO=ICMP TYPE=3 CODE=3 <br> [SRC=192.0.2.3 DST=172.16.1.10 LEN=128 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP SPT=53 DPT=2857 LEN=108 ]<br></pre>
|
||||
</blockquote>
|
||||
192.0.2.3 is external on my firewall... 172.16.0.0/24 is my internal LAN<br>
|
||||
192.0.2.3 is external on my firewall... 172.16.0.0/24 is my internal
|
||||
LAN<br>
|
||||
<br>
|
||||
<b>Answer: </b>While most people associate the Internet Control Message
|
||||
Protocol (ICMP) with 'ping', ICMP is a key piece of the internet. ICMP is
|
||||
used to report problems back to the sender of a packet; this is what is happening
|
||||
here. Unfortunately, where NAT is involved (including SNAT, DNAT and Masquerade),
|
||||
there are a lot of broken implementations. That is what you are seeing with
|
||||
these messages.<br>
|
||||
<b>Answer: </b>While most people associate the Internet Control
|
||||
Message Protocol (ICMP) with 'ping', ICMP is a key piece of the internet.
|
||||
ICMP is used to report problems back to the sender of a packet; this is
|
||||
what is happening here. Unfortunately, where NAT is involved (including
|
||||
SNAT, DNAT and Masquerade), there are a lot of broken implementations.
|
||||
That is what you are seeing with these messages.<br>
|
||||
<br>
|
||||
Here is my interpretation of what is happening -- to confirm this analysis,
|
||||
one out have to have packet sniffers placed a both ends of the connection.<br>
|
||||
Here is my interpretation of what is happening -- to confirm this
|
||||
analysis, one would have to have packet sniffers placed a both ends of
|
||||
the connection.<br>
|
||||
<br>
|
||||
Host 172.16.1.10 behind NAT gateway 206.124.146.179 sent a UDP DNS query
|
||||
to 192.0.2.3 and your DNS server tried to send a response (the response information
|
||||
is in the brackets -- note source port 53 which marks this as a DNS reply).
|
||||
When the response was returned to to 206.124.146.179, it rewrote the destination
|
||||
IP TO 172.16.1.10 and forwarded the packet to 172.16.1.10 who no longer had
|
||||
a connection on UDP port 2857. This causes a port unreachable (type 3, code
|
||||
3) to be generated back to 192.0.2.3. As this packet is sent back through
|
||||
206.124.146.179, that box correctly changes the source address in the packet
|
||||
to 206.124.146.179 but doesn't reset the DST IP in the original DNS response
|
||||
similarly. When the ICMP reaches your firewall (192.0.2.3), your firewall
|
||||
has no record of having sent a DNS reply to 172.16.1.10 so this ICMP doesn't
|
||||
appear to be related to anything that was sent. The final result is that the
|
||||
packet gets logged and dropped in the all2all chain. I have also seen cases
|
||||
where the source IP in the ICMP itself isn't set back to the external IP
|
||||
of the remote NAT gateway; that causes your firewall to log and drop the packet
|
||||
out of the rfc1918 chain because the source IP is reserved by RFC 1918.<br>
|
||||
Host 172.16.1.10 behind NAT gateway 206.124.146.179 sent a UDP DNS
|
||||
query to 192.0.2.3 and your DNS server tried to send a response (the
|
||||
response information is in the brackets -- note source port 53 which marks
|
||||
this as a DNS reply). When the response was returned to to 206.124.146.179,
|
||||
it rewrote the destination IP TO 172.16.1.10 and forwarded the packet to
|
||||
172.16.1.10 who no longer had a connection on UDP port 2857. This causes
|
||||
a port unreachable (type 3, code 3) to be generated back to 192.0.2.3.
|
||||
As this packet is sent back through 206.124.146.179, that box correctly
|
||||
changes the source address in the packet to 206.124.146.179 but doesn't
|
||||
reset the DST IP in the original DNS response similarly. When the ICMP
|
||||
reaches your firewall (192.0.2.3), your firewall has no record of having
|
||||
sent a DNS reply to 172.16.1.10 so this ICMP doesn't appear to be related
|
||||
to anything that was sent. The final result is that the packet gets logged
|
||||
and dropped in the all2all chain. I have also seen cases where the source
|
||||
IP in the ICMP itself isn't set back to the external IP of the remote NAT
|
||||
gateway; that causes your firewall to log and drop the packet out of the
|
||||
rfc1918 chain because the source IP is reserved by RFC 1918.<br>
|
||||
|
||||
<h4><a name="faq22"></a><b>22. </b>I have some <b>iptables commands </b>that
|
||||
I want to <b>run when Shorewall starts.</b> Which file do I put them in?</h4>
|
||||
You can place these commands in one of the <a
|
||||
href="shorewall_extension_scripts.htm">Shorewall Extension Scripts</a>. Be
|
||||
sure that you look at the contents of the chain(s) that you will be modifying
|
||||
with your commands to be sure that the commands will do what they are intended.
|
||||
Many iptables commands published in HOWTOs and other instructional material
|
||||
use the -A command which adds the rules to the end of the chain. Most chains
|
||||
that Shorewall constructs end with an unconditional DROP, ACCEPT or REJECT
|
||||
rule and any rules that you add after that will be ignored. Check "man iptables"
|
||||
and look at the -I (--insert) command.<br>
|
||||
<br>
|
||||
|
||||
<div align="left"> </div>
|
||||
<font size="2">Last updated 11/25/2002 - <a href="support.htm">Tom
|
||||
Eastep</a></font>
|
||||
<font size="2">Last updated 12/13/2002 - <a
|
||||
href="support.htm">Tom Eastep</a></font>
|
||||
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
|
||||
</p>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -27,35 +27,40 @@
|
||||
</table>
|
||||
<br>
|
||||
Beginning with Shorewall version 1.3.10, all traffic from an interface
|
||||
or from a subnet on an interface can be verified to originate from a defined
|
||||
or from a subnet on an interface can be verified to originate from a defined
|
||||
set of MAC addresses. Furthermore, each MAC address may be optionally associated
|
||||
with one or more IP addresses. There are four components to this facility.<br>
|
||||
with one or more IP addresses. <br>
|
||||
<br>
|
||||
<b>You must have the iproute package (ip utility) installed to use MAC Verification.</b><br>
|
||||
<br>
|
||||
There are four components to this facility.<br>
|
||||
|
||||
<ol>
|
||||
<li>The <b>maclist</b> interface option in <a
|
||||
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. When this
|
||||
option is specified, all traffic arriving on the interface is subjet to MAC
|
||||
verification.</li>
|
||||
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. When
|
||||
this option is specified, all traffic arriving on the interface is subjet
|
||||
to MAC verification.</li>
|
||||
<li>The <b>maclist </b>option in <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>.
|
||||
When this option is specified for a subnet, all traffic from that subnet
|
||||
is subject to MAC verification.</li>
|
||||
is subject to MAC verification.</li>
|
||||
<li>The /etc/shorewall/maclist file. This file is used to associate
|
||||
MAC addresses with interfaces and to optionally associate IP addresses with
|
||||
MAC addresses.</li>
|
||||
MAC addresses.</li>
|
||||
<li>The <b>MACLIST_DISPOSITION </b>and <b>MACLIST_LOG_LEVEL </b>variables
|
||||
in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a> The
|
||||
MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT and determines
|
||||
the disposition of connection requests that fail MAC verification. The MACLIST_LOG_LEVEL
|
||||
variable gives the syslogd level at which connection requests that fail verification
|
||||
are to be logged. If set the the empty value (e.g., MACLIST_LOG_LEVEL="")
|
||||
then failing connection requests are not logged.<br>
|
||||
in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a>
|
||||
The MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT and
|
||||
determines the disposition of connection requests that fail MAC verification.
|
||||
The MACLIST_LOG_LEVEL variable gives the syslogd level at which connection
|
||||
requests that fail verification are to be logged. If set the the empty value
|
||||
(e.g., MACLIST_LOG_LEVEL="") then failing connection requests are not logged.<br>
|
||||
</li>
|
||||
|
||||
</ol>
|
||||
The columns in /etc/shorewall/maclist are:<br>
|
||||
|
||||
<ul>
|
||||
<li>INTERFACE - The name of an ethernet interface on the Shorewall system.</li>
|
||||
<li>INTERFACE - The name of an ethernet interface on the Shorewall
|
||||
system.</li>
|
||||
<li>MAC - The MAC address of a device on the ethernet segment connected
|
||||
by INTERFACE. It is not necessary to use the Shorewall MAC format in this
|
||||
column although you may use that format if you so choose.</li>
|
||||
@ -80,17 +85,17 @@ MAC addresses.</li>
|
||||
<h3>Example 2: Router in Local Zone</h3>
|
||||
Suppose now that I add a second ethernet segment to my local zone and
|
||||
gateway that segment via a router with MAC address 00:06:43:45:C6:15 and
|
||||
IP address 192.168.1.253. Hosts in the second segment have IP addresses
|
||||
in the subnet 192.168.2.0/24. I would add the following entry to my /etc/shorewall/maclist
|
||||
IP address 192.168.1.253. Hosts in the second segment have IP addresses in
|
||||
the subnet 192.168.2.0/24. I would add the following entry to my /etc/shorewall/maclist
|
||||
file:<br>
|
||||
|
||||
<pre> eth2 00:06:43:45:C6:15 192.168.1.253,192.168.2.0/24<br></pre>
|
||||
This entry accomodates traffic from the router itself (192.168.1.253)
|
||||
and from the second LAN segment (192.168.2.0/24). Remember that all traffic
|
||||
being sent to my firewall from the 192.168.2.0/24 segment will be forwarded
|
||||
by the router so that traffic's MAC address will be that of the router (00:06:43:45:C6:15)
|
||||
being sent to my firewall from the 192.168.2.0/24 segment will be forwarded
|
||||
by the router so that traffic's MAC address will be that of the router (00:06:43:45:C6:15)
|
||||
and not that of the host sending the traffic.
|
||||
<p><font size="2"> Updated 10/23/2002 - <a href="support.htm">Tom Eastep</a>
|
||||
<p><font size="2"> Updated 12/22/2002 - <a href="support.htm">Tom Eastep</a>
|
||||
</font></p>
|
||||
|
||||
|
||||
@ -102,5 +107,6 @@ by the router so that traffic's MAC address will be that of the router (00:06:43
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
File diff suppressed because it is too large
Load Diff
92
STABLE/documentation/Shorewall_CA_html.html
Normal file
92
STABLE/documentation/Shorewall_CA_html.html
Normal file
@ -0,0 +1,92 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
<title>Shorewall Certificate Authority</title>
|
||||
|
||||
<meta http-equiv="content-type"
|
||||
content="text/html; charset=ISO-8859-1">
|
||||
|
||||
<meta name="author" content="Tom Eastep">
|
||||
</head>
|
||||
<body>
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
|
||||
bgcolor="#400169" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
|
||||
<h1 align="center"><font color="#ffffff">Shorewall Certificate Authority
|
||||
(CA) Certificate</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
Given that I develop and support Shorewall without asking for any renumeration,
|
||||
I can hardly justify paying $200US+ a year to a Certificate Authority such
|
||||
as Thawte (A Division of VeriSign) for an X.509 certificate to prove that
|
||||
I am who I am. I have therefore established my own Certificate Authority (CA)
|
||||
and sign my own X.509 certificates. I use these certificates on my web server
|
||||
(<a href="http://www.shorewall.net">http://www.shorewall.net</a>) as well
|
||||
as on my mail server (mail.shorewall.net).<br>
|
||||
<br>
|
||||
X.509 certificates are the basis for the Secure Socket Layer (SSL). As part
|
||||
of establishing an SSL session (URL https://...), your browser verifies the
|
||||
X.509 certificate supplied by the HTTPS server against the set of Certificate
|
||||
Authority Certificates that were shipped with your browser. It is expected
|
||||
that the server's certificate was issued by one of the authorities whose identities
|
||||
are known to your browser. <br>
|
||||
<br>
|
||||
This mechanism, while supposedly guaranteeing that when you connect to https://www.foo.bar
|
||||
you are REALLY connecting to www.foo.bar, means that the CAs literally have
|
||||
a license to print money -- they are selling a string of bits (an X.509 certificate)
|
||||
for $200US+ per year!!!I <br>
|
||||
<br>
|
||||
I wish that I had decided to become a CA rather that designing and writing
|
||||
Shorewall.<br>
|
||||
<br>
|
||||
What does this mean to you? It means that the X.509 certificate that my
|
||||
server will present to your browser will not have been signed by one of the
|
||||
authorities known to your browser. If you try to connect to my server using
|
||||
SSL, your browser will frown and give you a dialog box asking if you want
|
||||
to accept the sleezy X.509 certificate being presented by my server. <br>
|
||||
<br>
|
||||
There are two things that you can do:<br>
|
||||
|
||||
<ol>
|
||||
<li>You can accept the www.shorewall.net certificate when your browser
|
||||
asks -- your acceptence of the certificate can be temporary (for that access
|
||||
only) or perminent.</li>
|
||||
<li>You can download and install <a href="ca.crt">my (self-signed) CA
|
||||
certificate.</a> This will make my Certificate Authority known to your browser
|
||||
so that it will accept any certificate signed by me. <br>
|
||||
</li>
|
||||
|
||||
</ol>
|
||||
What are the risks?<br>
|
||||
|
||||
<ol>
|
||||
<li>If you install my CA certificate then you assume that I am trustworthy
|
||||
and that Shorewall running on your firewall won't redirect HTTPS requests
|
||||
intented to go to your bank's server to one of my systems that will present
|
||||
your browser with a bogus certificate claiming that my server is that of
|
||||
your bank.</li>
|
||||
<li>If you only accept my server's certificate when prompted then the
|
||||
most that you have to loose is that when you connect to https://www.shorewall.net,
|
||||
the server you are connecting to might not be mine.</li>
|
||||
|
||||
</ol>
|
||||
I have my CA certificate loaded into all of my browsers but I certainly
|
||||
won't be offended if you decline to load it into yours... :-)<br>
|
||||
|
||||
<p align="left"><font size="2">Last Updated 11/14/2002 - Tom Eastep</font></p>
|
||||
|
||||
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
|
||||
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
@ -49,8 +49,8 @@
|
||||
<li> <a href="shorewall_quickstart_guide.htm">QuickStart
|
||||
Guides (HOWTOs)</a><br>
|
||||
</li>
|
||||
<li> <a
|
||||
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></li>
|
||||
<li> <b><a
|
||||
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li>
|
||||
<li> <a href="Documentation.htm">Reference Manual</a></li>
|
||||
<li> <a href="FAQ.htm">FAQs</a></li>
|
||||
<li><a href="useful_links.html">Useful Links</a><br>
|
||||
@ -139,5 +139,6 @@
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
145
STABLE/documentation/Shorewall_sfindex_frame.htm
Normal file
145
STABLE/documentation/Shorewall_sfindex_frame.htm
Normal file
@ -0,0 +1,145 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
|
||||
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
<title>Shorewall Index</title>
|
||||
|
||||
<base target="main">
|
||||
|
||||
<meta name="Microsoft Theme" content="none">
|
||||
</head>
|
||||
<body>
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
|
||||
bgcolor="#4b017c" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%" height="90">
|
||||
|
||||
|
||||
<h3 align="center"><font color="#ffffff">Shorewall</font></h3>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td width="100%" bgcolor="#ffffff">
|
||||
|
||||
|
||||
<ul>
|
||||
<li> <a href="seattlefirewall_index.htm">Home</a></li>
|
||||
<li> <a
|
||||
href="shorewall_features.htm">Features</a></li>
|
||||
<li> <a href="shorewall_prerequisites.htm">Requirements</a></li>
|
||||
<li> <a href="download.htm">Download</a><br>
|
||||
</li>
|
||||
<li> <a href="Install.htm">Installation/Upgrade/</a><br>
|
||||
<a href="Install.htm">Configuration</a><br>
|
||||
</li>
|
||||
<li> <a href="shorewall_quickstart_guide.htm">QuickStart
|
||||
Guides (HOWTOs)</a><br>
|
||||
</li>
|
||||
<li> <b><a
|
||||
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li>
|
||||
<li> <a href="Documentation.htm">Reference Manual</a></li>
|
||||
<li> <a href="FAQ.htm">FAQs</a></li>
|
||||
<li><a href="useful_links.html">Useful Links</a><br>
|
||||
</li>
|
||||
<li> <a href="troubleshoot.htm">Troubleshooting</a></li>
|
||||
<li> <a href="errata.htm">Errata</a></li>
|
||||
<li> <a href="upgrade_issues.htm">Upgrade Issues</a></li>
|
||||
<li> <a href="support.htm">Support</a></li>
|
||||
<li> <a href="mailing_list.htm">Mailing Lists</a></li>
|
||||
<li> <a href="shorewall_mirrors.htm">Mirrors</a>
|
||||
|
||||
|
||||
|
||||
|
||||
<ul>
|
||||
<li><a target="_top"
|
||||
href="http://slovakia.shorewall.net">Slovak Republic</a></li>
|
||||
<li><a target="_top"
|
||||
href="http://shorewall.infohiiway.com">Texas, USA</a></li>
|
||||
<li><a target="_top"
|
||||
href="http://germany.shorewall.net">Germany</a></li>
|
||||
<li><a target="_top"
|
||||
href="http://shorewall.correofuego.com.ar">Argentina</a></li>
|
||||
<li><a target="_top"
|
||||
href="http://france.shorewall.net">France</a></li>
|
||||
<li><a href="http://www.shorewall.net" target="_top">Washington
|
||||
State, USA</a><br>
|
||||
</li>
|
||||
|
||||
|
||||
|
||||
|
||||
</ul>
|
||||
</li>
|
||||
|
||||
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
|
||||
<ul>
|
||||
<li> <a href="News.htm">News Archive</a></li>
|
||||
<li> <a href="Shorewall_CVS_Access.html">CVS
|
||||
Repository</a></li>
|
||||
<li> <a href="quotes.htm">Quotes from Users</a></li>
|
||||
<li> <a href="shoreline.htm">About the Author</a></li>
|
||||
<li> <a
|
||||
href="sourceforge_index.htm#Donations">Donations</a></li>
|
||||
|
||||
|
||||
|
||||
</ul>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<form method="post" action="http://www.shorewall.net/cgi-bin/htsearch">
|
||||
<strong><br>
|
||||
<b>Note: </b></strong>Search is unavailable Daily 0200-0330
|
||||
GMT.<br>
|
||||
<strong></strong>
|
||||
|
||||
<p><strong>Quick Search</strong><br>
|
||||
<font face="Arial" size="-1"> <input
|
||||
type="text" name="words" size="15"></font><font size="-1"> </font> <font
|
||||
face="Arial" size="-1"> <input type="hidden" name="format"
|
||||
value="long"> <input type="hidden" name="method" value="and"> <input
|
||||
type="hidden" name="config" value="htdig"> <input type="submit"
|
||||
value="Search"></font> </p>
|
||||
<font face="Arial"> <input type="hidden"
|
||||
name="exclude" value="[http://www.shorewall.net/pipermail/*]"> </font>
|
||||
</form>
|
||||
|
||||
<p><b><a href="http://www.shorewall.net/htdig/search.html">Extended Search</a></b></p>
|
||||
|
||||
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
|
||||
|
||||
<p><a href="http://www.shorewall.net" target="_top"> </a><br>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
@ -1,40 +1,60 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
|
||||
<title>VPN</title>
|
||||
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>VPN</title>
|
||||
</head>
|
||||
<body>
|
||||
|
||||
<body>
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#400169" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#FFFFFF">VPN</font></h1>
|
||||
<h1 align="center"><font color="#ffffff">VPN</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
<p>It is often the case that a system behind the firewall needs to be able to
|
||||
access a remote network through Virtual Private Networking (VPN). The two most
|
||||
common means for doing this are IPSEC and PPTP. The basic setup is shown in the
|
||||
following diagram:</p>
|
||||
<p align="center"><img border="0" src="images/VPN.png" width="568" height="796"></p>
|
||||
|
||||
<p>It is often the case that a system behind the firewall needs to be able
|
||||
to access a remote network through Virtual Private Networking (VPN). The
|
||||
two most common means for doing this are IPSEC and PPTP. The basic setup
|
||||
is shown in the following diagram:</p>
|
||||
|
||||
<p align="center"><img border="0" src="images/VPN.png" width="568"
|
||||
height="796">
|
||||
</p>
|
||||
|
||||
<p align="left">A system with an RFC 1918 address needs to access a remote
|
||||
network through a remote gateway. For this example, we will assume that the
|
||||
local system has IP address 192.168.1.12 and that the remote gateway has IP
|
||||
address 192.0.2.224.</p>
|
||||
<p align="left">If PPTP is being used, there are no firewall requirements beyond
|
||||
the default loc->net ACCEPT policy. There is one restriction however: Only one
|
||||
local system at a time can be connected to a single remote gateway unless you
|
||||
patch your kernel from the 'Patch-o-matic' patches available at
|
||||
<a href="http://www.netfilter.org">http://www.netfilter.org</a>. </p>
|
||||
<p align="left">If IPSEC is being used then there are firewall configuration
|
||||
requirements as follows:</p>
|
||||
network through a remote gateway. For this example, we will assume that
|
||||
the local system has IP address 192.168.1.12 and that the remote gateway
|
||||
has IP address 192.0.2.224.</p>
|
||||
|
||||
<p align="left">If PPTP is being used, there are no firewall requirements
|
||||
beyond the default loc->net ACCEPT policy. There is one restriction however:
|
||||
Only one local system at a time can be connected to a single remote gateway
|
||||
unless you patch your kernel from the 'Patch-o-matic' patches available
|
||||
at <a href="http://www.netfilter.org">http://www.netfilter.org</a>. </p>
|
||||
|
||||
<p align="left">If IPSEC is being used then only one system may connect to
|
||||
the remote gateway and there are firewall configuration requirements as
|
||||
follows:</p>
|
||||
|
||||
<blockquote>
|
||||
<table border="1" cellpadding="2" style="border-collapse: collapse" bordercolor="#111111" id="AutoNumber2" height="98">
|
||||
<table border="1" cellpadding="2" style="border-collapse: collapse;"
|
||||
bordercolor="#111111" id="AutoNumber2" height="98">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td height="38"><u><b>ACTION</b></u></td>
|
||||
<td height="38"><u><b>SOURCE</b></u></td>
|
||||
@ -51,9 +71,9 @@ requirements as follows:</p>
|
||||
<td height="19">net:192.0.2.224</td>
|
||||
<td height="19">loc:192.168.1.12</td>
|
||||
<td height="19">50</td>
|
||||
<td height="19"> </td>
|
||||
<td height="19"> </td>
|
||||
<td height="19"> </td>
|
||||
<td height="19"> </td>
|
||||
<td height="19"> </td>
|
||||
<td height="19"> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td height="19">DNAT</td>
|
||||
@ -61,21 +81,24 @@ requirements as follows:</p>
|
||||
<td height="19">loc:192.168.1.12</td>
|
||||
<td height="19">udp</td>
|
||||
<td height="19">500</td>
|
||||
<td height="19"> </td>
|
||||
<td height="19"> </td>
|
||||
<td height="19"> </td>
|
||||
<td height="19"> </td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
<p>If you want to be able to give access to all of your local systems to the
|
||||
remote network, you should consider running a VPN client on your firewall. As
|
||||
starting points, see
|
||||
<a href="http://www.shorewall.net/Documentation.htm#Tunnels">
|
||||
http://www.shorewall.net/Documentation.htm#Tunnels</a> or
|
||||
<a href="http://www.shorewall.net/PPTP.htm">http://www.shorewall.net/PPTP.htm</a>.</p>
|
||||
<p><font size="2">Last modified 8/27/2002 - <a href="support.htm">Tom
|
||||
Eastep</a></font><p><font face="Trebuchet MS"><a href="copyright.htm">
|
||||
<font size="2">Copyright</font> © <font size="2">2002 Thomas M. Eastep.</font></a></font><p> </p>
|
||||
</blockquote>
|
||||
|
||||
<p>If you want to be able to give access to all of your local systems to
|
||||
the remote network, you should consider running a VPN client on your firewall.
|
||||
As starting points, see <a
|
||||
href="http://www.shorewall.net/Documentation.htm#Tunnels"> http://www.shorewall.net/Documentation.htm#Tunnels</a>
|
||||
or <a href="http://www.shorewall.net/PPTP.htm">http://www.shorewall.net/PPTP.htm</a>.</p>
|
||||
|
||||
<p><font size="2">Last modified 12/21/2002 - <a href="support.htm">Tom Eastep</a></font></p>
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"> <font size="2">Copyright</font>
|
||||
© <font size="2">2002 Thomas M. Eastep.</font></a></font></p>
|
||||
<p> </p>
|
||||
<br>
|
||||
</body>
|
||||
|
||||
</html>
|
||||
|
@ -20,6 +20,7 @@
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
|
||||
<h1 align="center"><font color="#ffffff">Configuration Files</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
@ -38,46 +39,56 @@
|
||||
<p>Shorewall's configuration files are in the directory /etc/shorewall.</p>
|
||||
|
||||
<ul>
|
||||
<li>/etc/shorewall/shorewall.conf - used to set several firewall
|
||||
parameters.</li>
|
||||
<li>/etc/shorewall/params - use this file to set shell variables
|
||||
that you will expand in other files.</li>
|
||||
<li>/etc/shorewall/zones - partition the firewall's view of
|
||||
the world into <i>zones.</i></li>
|
||||
<li>/etc/shorewall/shorewall.conf - used to set several
|
||||
firewall parameters.</li>
|
||||
<li>/etc/shorewall/params - use this file to set shell
|
||||
variables that you will expand in other files.</li>
|
||||
<li>/etc/shorewall/zones - partition the firewall's
|
||||
view of the world into <i>zones.</i></li>
|
||||
<li>/etc/shorewall/policy - establishes firewall high-level
|
||||
policy.</li>
|
||||
<li>/etc/shorewall/interfaces - describes the interfaces on
|
||||
the firewall system.</li>
|
||||
<li>/etc/shorewall/hosts - allows defining zones in terms of
|
||||
individual hosts and subnetworks.</li>
|
||||
<li>/etc/shorewall/masq - directs the firewall where to use
|
||||
many-to-one (dynamic) Network Address Translation (a.k.a. Masquerading)
|
||||
and Source Network Address Translation (SNAT).</li>
|
||||
<li>/etc/shorewall/modules - directs the firewall to load kernel
|
||||
modules.</li>
|
||||
policy.</li>
|
||||
<li>/etc/shorewall/interfaces - describes the interfaces
|
||||
on the firewall system.</li>
|
||||
<li>/etc/shorewall/hosts - allows defining zones in
|
||||
terms of individual hosts and subnetworks.</li>
|
||||
<li>/etc/shorewall/masq - directs the firewall where
|
||||
to use many-to-one (dynamic) Network Address Translation (a.k.a.
|
||||
Masquerading) and Source Network Address Translation (SNAT).</li>
|
||||
<li>/etc/shorewall/modules - directs the firewall to
|
||||
load kernel modules.</li>
|
||||
<li>/etc/shorewall/rules - defines rules that are exceptions
|
||||
to the overall policies established in /etc/shorewall/policy.</li>
|
||||
<li>/etc/shorewall/nat - defines static NAT rules.</li>
|
||||
<li>/etc/shorewall/proxyarp - defines use of Proxy ARP.</li>
|
||||
<li>/etc/shorewall/routestopped (Shorewall 1.3.4 and later)
|
||||
- defines hosts accessible when Shorewall is stopped.</li>
|
||||
<li>/etc/shorewall/tcrules - defines marking of packets for
|
||||
later use by traffic control/shaping or policy routing.</li>
|
||||
<li>/etc/shorewall/tos - defines rules for setting the TOS
|
||||
field in packet headers.</li>
|
||||
<li>/etc/shorewall/tunnels - defines IPSEC, GRE and IPIP tunnels
|
||||
with end-points on the firewall system.</li>
|
||||
<li>/etc/shorewall/proxyarp - defines use of Proxy
|
||||
ARP.</li>
|
||||
<li>/etc/shorewall/routestopped (Shorewall 1.3.4 and
|
||||
later) - defines hosts accessible when Shorewall is stopped.</li>
|
||||
<li>/etc/shorewall/tcrules - defines marking of packets
|
||||
for later use by traffic control/shaping or policy routing.</li>
|
||||
<li>/etc/shorewall/tos - defines rules for setting
|
||||
the TOS field in packet headers.</li>
|
||||
<li>/etc/shorewall/tunnels - defines IPSEC, GRE and
|
||||
IPIP tunnels with end-points on the firewall system.</li>
|
||||
<li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC
|
||||
addresses.</li>
|
||||
<li>/etc/shorewall/init - commands that you wish to execute at the beginning
|
||||
of a "shorewall start" or "shorewall restart".</li>
|
||||
<li>/etc/shorewall/start - commands that you wish to execute at the completion
|
||||
of a "shorewall start" or "shorewall restart"</li>
|
||||
<li>/etc/shorewall/stop - commands that you wish to execute at the beginning
|
||||
of a "shorewall stop".</li>
|
||||
<li>/etc/shorewall/stopped - commands that you wish to execute at the
|
||||
completion of a "shorewall stop".<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h2>Comments</h2>
|
||||
|
||||
<p>You may place comments in configuration files by making the first non-whitespace
|
||||
character a pound sign ("#"). You may also place comments at the
|
||||
end of any line, again by delimiting the comment from the rest of
|
||||
the line with a pound sign.</p>
|
||||
character a pound sign ("#"). You may also place comments at
|
||||
the end of any line, again by delimiting the comment from the rest
|
||||
of the line with a pound sign.</p>
|
||||
|
||||
<p>Examples:</p>
|
||||
|
||||
@ -100,38 +111,41 @@ the line with a pound sign.</p>
|
||||
|
||||
<p align="left"><b>WARNING: I personally recommend strongly <u>against</u>
|
||||
using DNS names in Shorewall configuration files. If you use DNS names
|
||||
and you are called out of bed at 2:00AM because Shorewall won't start as
|
||||
a result of DNS problems then don't say that you were not forewarned. <br>
|
||||
and you are called out of bed at 2:00AM because Shorewall won't start
|
||||
as a result of DNS problems then don't say that you were not forewarned.
|
||||
<br>
|
||||
</b></p>
|
||||
|
||||
<p align="left"><b> -Tom<br>
|
||||
</b></p>
|
||||
|
||||
<p align="left">Beginning with Shorwall 1.3.9, Host addresses in Shorewall
|
||||
configuration files may be specified either as IP addresses or as DNS Names.<br>
|
||||
configuration files may be specified as either IP addresses or DNS
|
||||
Names.<br>
|
||||
<br>
|
||||
DNS names in iptables rules aren't nearly as useful as they first appear.
|
||||
When a DNS name appears in a rule, the iptables utility resolves the name
|
||||
to one or more IP addresses and inserts those addresses into the rule.
|
||||
So change in the DNS->IP address relationship that occur after the firewall
|
||||
has started have absolutely no effect on the firewall's ruleset. </p>
|
||||
DNS names in iptables rules aren't nearly as useful as they
|
||||
first appear. When a DNS name appears in a rule, the iptables utility
|
||||
resolves the name to one or more IP addresses and inserts those addresses
|
||||
into the rule. So changes in the DNS->IP address relationship that
|
||||
occur after the firewall has started have absolutely no effect on the
|
||||
firewall's ruleset. </p>
|
||||
|
||||
<p align="left"> If your firewall rules include DNS names then:</p>
|
||||
|
||||
<ul>
|
||||
<li>If your /etc/resolv.conf is wrong then your firewall won't
|
||||
start.</li>
|
||||
<li>If your /etc/nsswitch.conf is wrong then your firewall won't
|
||||
start.</li>
|
||||
<li>If your Name Server(s) is(are) down then your firewall won't
|
||||
start.</li>
|
||||
<li>If your startup scripts try to start your firewall before starting
|
||||
your DNS server then your firewall won't start.<br>
|
||||
<li>If your /etc/nsswitch.conf is wrong then your firewall
|
||||
won't start.</li>
|
||||
<li>If your Name Server(s) is(are) down then your firewall
|
||||
won't start.</li>
|
||||
<li>If your startup scripts try to start your firewall before
|
||||
starting your DNS server then your firewall won't start.<br>
|
||||
</li>
|
||||
<li>Factors totally outside your control (your ISP's router is
|
||||
down for example), can prevent your firewall from starting.</li>
|
||||
<li>You must bring up your network interfaces prior to starting your
|
||||
firewall.<br>
|
||||
<li>Factors totally outside your control (your ISP's router
|
||||
is down for example), can prevent your firewall from starting.</li>
|
||||
<li>You must bring up your network interfaces prior to starting
|
||||
your firewall.<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
@ -146,7 +160,7 @@ So change in the DNS->IP address relationship that occur after the firewall
|
||||
|
||||
<ul>
|
||||
<li>mail.shorewall.net</li>
|
||||
<li>shorewall.net.</li>
|
||||
<li>shorewall.net. (note the trailing period).</li>
|
||||
|
||||
</ul>
|
||||
Examples of invalid DNS names:<br>
|
||||
@ -159,14 +173,14 @@ So change in the DNS->IP address relationship that occur after the firewall
|
||||
DNS names may not be used as:<br>
|
||||
|
||||
<ul>
|
||||
<li>The server address in a DNAT rule (/etc/shorewall/rules file)</li>
|
||||
<li>The server address in a DNAT rule (/etc/shorewall/rules
|
||||
file)</li>
|
||||
<li>In the ADDRESS column of an entry in /etc/shorewall/masq.</li>
|
||||
<li>In the /etc/shorewall/nat file.</li>
|
||||
|
||||
</ul>
|
||||
These are iptables restrictions and are not simply imposed for your
|
||||
inconvenience by Shorewall. <br>
|
||||
<br>
|
||||
These restrictions are not imposed by Shorewall simply for
|
||||
your inconvenience but are rather limitations of iptables.<br>
|
||||
|
||||
<h2>Complementing an Address or Subnet</h2>
|
||||
|
||||
@ -185,9 +199,10 @@ no white space following the "!".</p>
|
||||
Valid: routestopped,dhcp,norfc1918<br>
|
||||
Invalid: routestopped, dhcp, norfc1818</li>
|
||||
<li>If you use line continuation to break a comma-separated
|
||||
list, the continuation line(s) must begin in column 1 (or there
|
||||
would be embedded white space)</li>
|
||||
<li>Entries in a comma-separated list may appear in any order.</li>
|
||||
list, the continuation line(s) must begin in column 1 (or there
|
||||
would be embedded white space)</li>
|
||||
<li>Entries in a comma-separated list may appear in
|
||||
any order.</li>
|
||||
|
||||
</ul>
|
||||
|
||||
@ -218,6 +233,7 @@ would be embedded white space)</li>
|
||||
<p>Example:</p>
|
||||
|
||||
<blockquote>
|
||||
|
||||
<pre>NET_IF=eth0<br>NET_BCAST=130.252.100.255<br>NET_OPTIONS=noping,norfc1918</pre>
|
||||
</blockquote>
|
||||
|
||||
@ -225,7 +241,9 @@ would be embedded white space)</li>
|
||||
Example (/etc/shorewall/interfaces record):</p>
|
||||
<font
|
||||
face="Century Gothic, Arial, Helvetica">
|
||||
|
||||
<blockquote>
|
||||
|
||||
<pre><font face="Courier">net $NET_IF $NET_BCAST $NET_OPTIONS</font></pre>
|
||||
</blockquote>
|
||||
</font>
|
||||
@ -233,7 +251,9 @@ would be embedded white space)</li>
|
||||
<p>The result will be the same as if the record had been written</p>
|
||||
<font
|
||||
face="Century Gothic, Arial, Helvetica">
|
||||
|
||||
<blockquote>
|
||||
|
||||
<pre>net eth0 130.252.100.255 noping,norfc1918</pre>
|
||||
</blockquote>
|
||||
</font>
|
||||
@ -251,50 +271,150 @@ would be embedded white space)</li>
|
||||
<p>MAC addresses are 48 bits wide and each Ethernet Controller has a
|
||||
unique MAC address.<br>
|
||||
<br>
|
||||
In GNU/Linux, MAC addresses are usually written as a series of
|
||||
6 hex numbers separated by colons. Example:<br>
|
||||
In GNU/Linux, MAC addresses are usually written as a
|
||||
series of 6 hex numbers separated by colons. Example:<br>
|
||||
<br>
|
||||
[root@gateway root]# ifconfig eth0<br>
|
||||
eth0 Link encap:Ethernet HWaddr <b><u>02:00:08:E3:FA:55</u></b><br>
|
||||
inet addr:206.124.146.176 Bcast:206.124.146.255 Mask:255.255.255.0<br>
|
||||
inet addr:206.124.146.176 Bcast:206.124.146.255
|
||||
Mask:255.255.255.0<br>
|
||||
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br>
|
||||
RX packets:2398102 errors:0 dropped:0 overruns:0 frame:0<br>
|
||||
TX packets:3044698 errors:0 dropped:0 overruns:0 carrier:0<br>
|
||||
RX packets:2398102 errors:0 dropped:0 overruns:0
|
||||
frame:0<br>
|
||||
TX packets:3044698 errors:0 dropped:0 overruns:0
|
||||
carrier:0<br>
|
||||
collisions:30394 txqueuelen:100<br>
|
||||
RX bytes:419871805 (400.4 Mb) TX bytes:1659782221 (1582.8
|
||||
Mb)<br>
|
||||
RX bytes:419871805 (400.4 Mb) TX bytes:1659782221
|
||||
(1582.8 Mb)<br>
|
||||
Interrupt:11 Base address:0x1800<br>
|
||||
<br>
|
||||
Because Shorewall uses colons as a separator for address fields,
|
||||
Shorewall requires MAC addresses to be written in another way. In
|
||||
Shorewall, MAC addresses begin with a tilde ("~") and consist of
|
||||
6 hex numbers separated by hyphens. In Shorewall, the MAC address
|
||||
in the example above would be written "~02-00-08-E3-FA-55".<br>
|
||||
Because Shorewall uses colons as a separator for address
|
||||
fields, Shorewall requires MAC addresses to be written in another
|
||||
way. In Shorewall, MAC addresses begin with a tilde ("~") and
|
||||
consist of 6 hex numbers separated by hyphens. In Shorewall, the
|
||||
MAC address in the example above would be written "~02-00-08-E3-FA-55".<br>
|
||||
</p>
|
||||
|
||||
<p><b>Note: </b>It is not necessary to use the special Shorewall notation
|
||||
in the <a href="MAC_Validation.html">/etc/shorewall/maclist</a> file.<br>
|
||||
in the <a href="MAC_Validation.html">/etc/shorewall/maclist</a> file.<br>
|
||||
</p>
|
||||
|
||||
<h2><a name="Levels"></a>Logging</h2>
|
||||
By default, Shorewall directs NetFilter to log using syslog (8). Syslog
|
||||
classifies log messages by a <i>facility</i> and a <i>priority</i> (using
|
||||
the notation <i>facility.priority</i>). <br>
|
||||
<br>
|
||||
The facilities defined by syslog are <i>auth, authpriv, cron, daemon,
|
||||
kern, lpr, mail, mark, news, syslog, user, uucp</i> and <i>local0</i> through
|
||||
<i>local7</i>.<br>
|
||||
<br>
|
||||
Throughout the Shorewall documentation, I will use the term <i>level</i>
|
||||
rather than <i>priority</i> since <i>level</i> is the term used by NetFilter.
|
||||
The syslog documentation uses the term <i>priority</i>.<br>
|
||||
|
||||
<h3>Syslog Levels<br>
|
||||
</h3>
|
||||
Syslog levels are a method of describing to syslog (8) the importance
|
||||
of a message and a number of Shorewall parameters have a syslog level
|
||||
as their value.<br>
|
||||
<br>
|
||||
Valid levels are:<br>
|
||||
<br>
|
||||
7 debug<br>
|
||||
6 info<br>
|
||||
5 notice<br>
|
||||
4 warning<br>
|
||||
3 err<br>
|
||||
2 crit<br>
|
||||
1 alert<br>
|
||||
0 emerg<br>
|
||||
<br>
|
||||
For most Shorewall logging, a level of 6 (info) is appropriate. Shorewall
|
||||
log messages are generated by NetFilter and are logged using the <i>kern</i>
|
||||
facility and the level that you specify. If you are unsure of the level
|
||||
to choose, 6 (info) is a safe bet. You may specify levels by name or by
|
||||
number.<br>
|
||||
<br>
|
||||
Syslogd writes log messages to files (typically in /var/log/*) based
|
||||
on their facility and level. The mapping of these facility/level pairs to
|
||||
log files is done in /etc/syslog.conf (5). If you make changes to this file,
|
||||
you must restart syslogd before the changes can take effect.<br>
|
||||
|
||||
<h3>Configuring a Separate Log for Shorewall Messages</h3>
|
||||
There are a couple of limitations to syslogd-based logging:<br>
|
||||
|
||||
<ol>
|
||||
<li>If you give, for example, kern.info it's own log destination then
|
||||
that destination will also receive all kernel messages of levels 5 (notice)
|
||||
through 0 (emerg).</li>
|
||||
<li>All kernel.info messages will go to that destination and not just
|
||||
those from NetFilter.<br>
|
||||
</li>
|
||||
|
||||
</ol>
|
||||
Beginning with Shorewall version 1.3.12, if your kernel has ULOG target
|
||||
support (and most vendor-supplied kernels do), you may also specify a log
|
||||
level of ULOG (must be all caps). When ULOG is used, Shorewall will direct
|
||||
netfilter to log the related messages via the ULOG target which will send
|
||||
them to a process called 'ulogd'. The ulogd program is available from http://www.gnumonks.org/projects/ulogd
|
||||
and can be configured to log all Shorewall message to their own log file.<br>
|
||||
<br>
|
||||
Download the ulod tar file and:<br>
|
||||
|
||||
<ol>
|
||||
<li>cd /usr/local/src (or wherever you do your builds)</li>
|
||||
<li>tar -zxf <i>source-tarball-that-you-downloaded</i></li>
|
||||
<li>cd ulogd-<i>version</i><br>
|
||||
</li>
|
||||
<li>./configure</li>
|
||||
<li>make</li>
|
||||
<li>make install<br>
|
||||
</li>
|
||||
|
||||
</ol>
|
||||
If you are like me and don't have a development environment on your firewall,
|
||||
you can do the first five steps on another system then either NFS mount your
|
||||
/usr/local/src directory or tar up the /usr/local/src/ulogd-<i>version</i>
|
||||
directory and move it to your firewall system.<br>
|
||||
<br>
|
||||
Now on the firewall system, edit /usr/local/etc/ulogd.conf and set:<br>
|
||||
|
||||
<ol>
|
||||
<li>syslogfile <i><file that you wish to log to></i></li>
|
||||
<li>syslogsync 1</li>
|
||||
|
||||
</ol>
|
||||
I also copied the file /usr/local/src/ulogd-<i>version</i>/ulogd.init to
|
||||
/etc/init.d/ulogd. I had to edit the line that read "daemon /usr/local/sbin/ulogd"
|
||||
to read daemon /usr/local/sbin/ulogd -d". On a RedHat system, a simple "chkconfig
|
||||
--level 3 ulogd on" starts ulogd during boot up. Your init system may need
|
||||
something else done to activate the script.<br>
|
||||
<br>
|
||||
Finally edit /etc/shorewall/shorewall.conf and set LOGFILE=<i><file that
|
||||
you wish to log to></i>. This tells the /sbin/shorewall program where to
|
||||
look for the log when processing its "show log", "logwatch" and "monitor"
|
||||
commands.<br>
|
||||
|
||||
<h2><a name="Configs"></a>Shorewall Configurations</h2>
|
||||
|
||||
<p> Shorewall allows you to have configuration directories other than /etc/shorewall.
|
||||
The <a href="starting_and_stopping_shorewall.htm">shorewall start and restart</a>
|
||||
commands allow you to specify an alternate configuration directory
|
||||
and Shorewall will use the files in the alternate directory rather than
|
||||
the corresponding files in /etc/shorewall. The alternate directory need
|
||||
not contain a complete configuration; those files not in the alternate directory
|
||||
will be read from /etc/shorewall.</p>
|
||||
The <a href="starting_and_stopping_shorewall.htm">shorewall start and
|
||||
restart</a> commands allow you to specify an alternate configuration
|
||||
directory and Shorewall will use the files in the alternate directory
|
||||
rather than the corresponding files in /etc/shorewall. The alternate directory
|
||||
need not contain a complete configuration; those files not in the alternate
|
||||
directory will be read from /etc/shorewall.</p>
|
||||
|
||||
<p> This facility permits you to easily create a test or temporary configuration
|
||||
by:</p>
|
||||
|
||||
<ol>
|
||||
<li> copying the files that need modification from /etc/shorewall
|
||||
to a separate directory;</li>
|
||||
<li> modify those files in the separate directory; and</li>
|
||||
<li> specifying the separate directory in a shorewall start
|
||||
or shorewall restart command (e.g., <i><b>shorewall -c /etc/testconfig
|
||||
<li> copying the files that need modification from
|
||||
/etc/shorewall to a separate directory;</li>
|
||||
<li> modify those files in the separate directory;
|
||||
and</li>
|
||||
<li> specifying the separate directory in a shorewall
|
||||
start or shorewall restart command (e.g., <i><b>shorewall -c /etc/testconfig
|
||||
restart</b></i> ).</li>
|
||||
|
||||
</ol>
|
||||
@ -302,19 +422,14 @@ will be read from /etc/shorewall.</p>
|
||||
|
||||
|
||||
|
||||
<p><font size="2"> Updated 11/21/2002 - <a href="support.htm">Tom Eastep</a>
|
||||
<p><font size="2"> Updated 12/20/2002 - <a href="support.htm">Tom Eastep</a>
|
||||
</font></p>
|
||||
|
||||
|
||||
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
|
||||
|
||||
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
|
@ -33,35 +33,38 @@
|
||||
for the configuration that most closely matches your own.<br>
|
||||
</b></p>
|
||||
|
||||
<p>The entire set of Shorewall documentation is also available in PDF format
|
||||
at:</p>
|
||||
<p>The entire set of Shorewall documentation is available in PDF format at:</p>
|
||||
|
||||
<p> <a href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
|
||||
<a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
|
||||
<a href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a><br>
|
||||
<br>
|
||||
Once you've done that, download <u> one</u> of the modules:</p>
|
||||
<a href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>
|
||||
</p>
|
||||
|
||||
<p>The documentation in HTML format is included in the .rpm and in the .tgz
|
||||
packages below.</p>
|
||||
|
||||
<p> Once you've done that, download <u> one</u> of the modules:</p>
|
||||
|
||||
<ul>
|
||||
<li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>, <b>
|
||||
Linux PPC</b> or <b> TurboLinux</b> distribution with
|
||||
a 2.4 kernel, you can use the RPM version (note: the RPM
|
||||
should also work with other distributions that store init scripts
|
||||
in /etc/init.d and that include chkconfig or insserv). If you
|
||||
find that it works in other cases, let <a
|
||||
a 2.4 kernel, you can use the RPM version (note: the RPM
|
||||
should also work with other distributions that store init
|
||||
scripts in /etc/init.d and that include chkconfig or insserv).
|
||||
If you find that it works in other cases, let <a
|
||||
href="mailto:teastep@shorewall.net"> me</a> know so that
|
||||
I can mention them here. See the <a href="Install.htm">Installation Instructions</a>
|
||||
if you have problems installing the RPM.</li>
|
||||
<li>If you are running LRP, download the .lrp file (you might
|
||||
also want to download the .tgz so you will have a copy of the documentation).</li>
|
||||
<li>If you run <a href="http://www.debian.org"><b>Debian</b></a>
|
||||
and would like a .deb package, Shorewall is in both the <a
|
||||
href="http://packages.debian.org/testing/net/shorewall.html">Debian Testing
|
||||
Branch</a> and the <a
|
||||
and would like a .deb package, Shorewall is included in both the
|
||||
<a href="http://packages.debian.org/testing/net/shorewall.html">Debian
|
||||
Testing Branch</a> and the <a
|
||||
href="http://packages.debian.org/unstable/net/shorewall.html">Debian
|
||||
Unstable Branch</a>.</li>
|
||||
<li>Otherwise, download the <i>shorewall</i> module
|
||||
(.tgz)</li>
|
||||
<li>Otherwise, download the <i>shorewall</i>
|
||||
module (.tgz)</li>
|
||||
|
||||
</ul>
|
||||
|
||||
@ -75,9 +78,9 @@ Unstable Branch</a>.</li>
|
||||
<ul>
|
||||
<li>RPM - "rpm -qip LATEST.rpm"</li>
|
||||
<li>TARBALL - "tar -ztf LATEST.tgz" (the directory name
|
||||
will contain the version)</li>
|
||||
<li>LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar -zxf
|
||||
<downloaded .lrp>; cat var/lib/lrpkg/shorwall.version" </li>
|
||||
will contain the version)</li>
|
||||
<li>LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar
|
||||
-zxf <downloaded .lrp>; cat var/lib/lrpkg/shorwall.version" </li>
|
||||
|
||||
</ul>
|
||||
|
||||
@ -89,11 +92,12 @@ will contain the version)</li>
|
||||
<p><font color="#ff0000" face="Arial"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY
|
||||
INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
|
||||
IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed
|
||||
configuration of your firewall, you can enable startup by removing the
|
||||
file /etc/shorewall/startup_disabled.</b></font></p>
|
||||
configuration of your firewall, you can enable startup by removing the
|
||||
file /etc/shorewall/startup_disabled.</b></font></p>
|
||||
|
||||
<p><b>Download Latest Version</b> (<b>1.3.11a</b>): <b>Remember that updates
|
||||
to the mirrors occur 1-12 hours after an update to the primary site.</b></p>
|
||||
<p><b>Download Latest Version</b> (<b>1.3.12</b>): <b>Remember that updates
|
||||
to the mirrors occur 1-12 hours after an update to the Washington
|
||||
State site.</b></p>
|
||||
|
||||
<blockquote>
|
||||
<table border="2" cellspacing="3" cellpadding="3"
|
||||
@ -231,10 +235,10 @@ file /etc/shorewall/startup_disabled.</b></font></p>
|
||||
<td>Shorewall.net</td>
|
||||
<td><a
|
||||
href="http://france.shorewall.net/pub/LATEST.rpm">Download .rpm</a><br>
|
||||
<a href="http://france.shorewall.net/pub/LATEST.tgz">Download
|
||||
.tgz</a> <br>
|
||||
<a href="http://france.shorewall.net/pub/LATEST.lrp">Download
|
||||
.lrp</a><br>
|
||||
<a
|
||||
href="http://france.shorewall.net/pub/LATEST.tgz">Download .tgz</a> <br>
|
||||
<a
|
||||
href="http://france.shorewall.net/pub/LATEST.lrp">Download .lrp</a><br>
|
||||
<a
|
||||
href="http://france.shorewall.net/pub/LATEST.md5sums">Download
|
||||
.md5sums</a></td>
|
||||
@ -283,28 +287,11 @@ file /etc/shorewall/startup_disabled.</b></font></p>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
|
||||
<p align="left"><b>Documentation in PDF format:</b><br>
|
||||
</p>
|
||||
|
||||
<blockquote>
|
||||
<p>Juraj Ontkanin has produced a Portable Document Format (PDF) file containing
|
||||
the Shorewall 1.3.10 documenation (the documentation in HTML format is included
|
||||
in the .rpm and in the .tgz). The .pdf may be downloaded from</p>
|
||||
</blockquote>
|
||||
|
||||
<blockquote>
|
||||
<blockquote><a
|
||||
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/"
|
||||
target="_self">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><a
|
||||
href="http://slovakia.shorewall.net/pub/shorewall/pdf/"><br>
|
||||
http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
|
||||
</blockquote>
|
||||
</blockquote>
|
||||
|
||||
<p><b>Browse Download Sites:</b></p>
|
||||
|
||||
<blockquote>
|
||||
@ -367,11 +354,13 @@ file /etc/shorewall/startup_disabled.</b></font></p>
|
||||
<tr>
|
||||
<td>Washington State, USA</td>
|
||||
<td>Shorewall.net</td>
|
||||
<td><a href="http://www.shorewall.net/pub/shorewall/">Browse</a></td>
|
||||
<td><a
|
||||
href="http://www.shorewall.net/pub/shorewall/">Browse</a></td>
|
||||
<td><a href="ftp://ftp.shorewall.net/pub/shorewall/"
|
||||
target="_blank">Browse</a></td>
|
||||
</tr>
|
||||
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
@ -387,22 +376,12 @@ file /etc/shorewall/startup_disabled.</b></font></p>
|
||||
</p>
|
||||
</blockquote>
|
||||
|
||||
<p align="left"><font size="2">Last Updated 12/3/2002 - <a
|
||||
<p align="left"><font size="2">Last Updated 12/12/2002 - <a
|
||||
href="support.htm">Tom Eastep</a></font></p>
|
||||
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
|
||||
</p>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -42,27 +42,28 @@
|
||||
</li>
|
||||
<li>
|
||||
|
||||
<p align="left"> <b>If you are installing Shorewall for the first
|
||||
time and plan to use the .tgz and install.sh script, you can untar
|
||||
the archive, replace the 'firewall' script in the untarred directory
|
||||
<p align="left"> <b>If you are installing Shorewall for the
|
||||
first time and plan to use the .tgz and install.sh script, you can
|
||||
untar the archive, replace the 'firewall' script in the untarred directory
|
||||
with the one you downloaded below, and then run install.sh.</b></p>
|
||||
</li>
|
||||
<li>
|
||||
|
||||
<p align="left"> <b>When the instructions say to install a corrected
|
||||
firewall script in /etc/shorewall/firewall, /usr/lib/shorewall/firewall
|
||||
or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to overwrite
|
||||
the existing file. DO NOT REMOVE OR RENAME THE OLD /etc/shorewall/firewall
|
||||
or /var/lib/shorewall/firewall before you do that. /etc/shorewall/firewall
|
||||
and /var/lib/shorewall/firewall are symbolic links that point
|
||||
to the 'shorewall' file used by your system initialization scripts
|
||||
to start Shorewall during boot. It is that file that must be overwritten
|
||||
with the corrected script.</b></p>
|
||||
or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to
|
||||
overwrite the existing file. DO NOT REMOVE OR RENAME THE OLD
|
||||
/etc/shorewall/firewall or /var/lib/shorewall/firewall before
|
||||
you do that. /etc/shorewall/firewall and /var/lib/shorewall/firewall
|
||||
are symbolic links that point to the 'shorewall' file used by your
|
||||
system initialization scripts to start Shorewall during boot.
|
||||
It is that file that must be overwritten with the corrected
|
||||
script.</b></p>
|
||||
</li>
|
||||
<li>
|
||||
<p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
|
||||
ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. For
|
||||
example, do NOT install the 1.3.9a firewall script if you are running 1.3.7c.</font></b><br>
|
||||
example, do NOT install the 1.3.9a firewall script if you are running 1.3.7c.</font></b><br>
|
||||
</p>
|
||||
</li>
|
||||
|
||||
@ -72,18 +73,18 @@ example, do NOT install the 1.3.9a firewall script if you are running 1.3.7c.</
|
||||
<li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
|
||||
<li> <b><a href="#V1.3">Problems
|
||||
in Version 1.3</a></b></li>
|
||||
<li> <b><a href="errata_2.htm">Problems
|
||||
in Version 1.2</a></b></li>
|
||||
<li> <b><a
|
||||
href="errata_2.htm">Problems in Version 1.2</a></b></li>
|
||||
<li> <b><font color="#660066">
|
||||
<a href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
|
||||
<li> <b><font color="#660066"><a
|
||||
href="#iptables"> Problem with iptables version 1.2.3 on RH7.2</a></font></b></li>
|
||||
<li> <b><a href="#Debug">Problems
|
||||
with kernels >= 2.4.18 and RedHat iptables</a></b></li>
|
||||
<li><b><a href="#SuSE">Problems installing/upgrading RPM on
|
||||
SuSE</a></b></li>
|
||||
<li><b><a href="#SuSE">Problems installing/upgrading RPM
|
||||
on SuSE</a></b></li>
|
||||
<li><b><a href="#Multiport">Problems with iptables version
|
||||
1.2.7 and MULTIPORT=Yes</a></b></li>
|
||||
1.2.7 and MULTIPORT=Yes</a></b></li>
|
||||
<li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10 and NAT</a></b><br>
|
||||
</li>
|
||||
|
||||
@ -92,6 +93,13 @@ example, do NOT install the 1.3.9a firewall script if you are running 1.3.7c.</
|
||||
<hr>
|
||||
<h2 align="left"><a name="V1.3"></a>Problems in Version 1.3</h2>
|
||||
|
||||
<h3>Version 1.3.11a</h3>
|
||||
<ul>
|
||||
<li><a
|
||||
href="http://www.shorewall.net/pub/shorewall/errata/1.3.11/rfc1918">This
|
||||
copy of /etc/shorewall/rfc1918</a> reflects the recent allocation of 82.0.0.0/8.<br>
|
||||
</li>
|
||||
</ul>
|
||||
<h3>Version 1.3.11</h3>
|
||||
|
||||
<ul>
|
||||
@ -101,19 +109,19 @@ example, do NOT install the 1.3.9a firewall script if you are running 1.3.7c.</
|
||||
user teastep does not exist - using root<br>
|
||||
group teastep does not exist - using root<br>
|
||||
<br>
|
||||
These warnings are harmless and may be ignored. Users downloading the .rpm
|
||||
from shorewall.net or mirrors should no longer see these warnings as the
|
||||
.rpm you will get from there has been corrected.</li>
|
||||
<li>DNAT rules that exclude a source subzone (SOURCE column contains !
|
||||
followed by a sub-zone list) result in an error message and Shorewall fails
|
||||
to start.<br>
|
||||
These warnings are harmless and may be ignored. Users downloading the
|
||||
.rpm from shorewall.net or mirrors should no longer see these warnings as
|
||||
the .rpm you will get from there has been corrected.</li>
|
||||
<li>DNAT rules that exclude a source subzone (SOURCE column contains
|
||||
! followed by a sub-zone list) result in an error message and Shorewall
|
||||
fails to start.<br>
|
||||
<br>
|
||||
Install <a
|
||||
href="http://www.shorewall.net/pub/shorewall/errata/1.3.11/firewall">this
|
||||
corrected script</a> in /usr/lib/shorewall/firewall to correct this problem.
|
||||
corrected script</a> in /usr/lib/shorewall/firewall to correct this problem.
|
||||
Thanks go to Roger Aich who analyzed this problem and provided a fix.<br>
|
||||
<br>
|
||||
This problem is corrected in version 1.3.11a.<br>
|
||||
This problem is corrected in version 1.3.11a.<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
@ -158,9 +166,9 @@ on your firewall and you have a 'pptpserver' entry in /etc/shorewall/tunnels,
|
||||
|
||||
<ul>
|
||||
<li>The installer (install.sh) issues a misleading message "Common
|
||||
functions installed in /var/lib/shorewall/functions" whereas the file is
|
||||
installed in /usr/lib/shorewall/functions. The installer also performs incorrectly
|
||||
when updating old configurations that had the file /etc/shorewall/functions.
|
||||
functions installed in /var/lib/shorewall/functions" whereas the file
|
||||
is installed in /usr/lib/shorewall/functions. The installer also performs
|
||||
incorrectly when updating old configurations that had the file /etc/shorewall/functions.
|
||||
<a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.3.9/install.sh">Here
|
||||
is an updated version that corrects these problems.<br>
|
||||
@ -179,8 +187,8 @@ when updating old configurations that had the file /etc/shorewall/functions.
|
||||
<ul>
|
||||
<li> Use of shell variables in the LOG LEVEL or SYNPARMS columns
|
||||
of the policy file doesn't work.</li>
|
||||
<li>A DNAT rule with the same original and new IP addresses but
|
||||
with different port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24
|
||||
<li>A DNAT rule with the same original and new IP addresses
|
||||
but with different port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24
|
||||
tcp 25 - 10.1.1.1")<br>
|
||||
</li>
|
||||
|
||||
@ -222,14 +230,14 @@ when updating old configurations that had the file /etc/shorewall/functions.
|
||||
|
||||
<ol>
|
||||
<li>If the firewall is running
|
||||
a DHCP server, the client won't be
|
||||
able to obtain an IP address lease
|
||||
from that server.</li>
|
||||
a DHCP server, the client won't be able
|
||||
to obtain an IP address lease from
|
||||
that server.</li>
|
||||
<li>With this order of checking,
|
||||
the "dhcp" option cannot be used as
|
||||
a noise-reduction measure where there
|
||||
are both dynamic and static clients
|
||||
on a LAN segment.</li>
|
||||
are both dynamic and static clients on
|
||||
a LAN segment.</li>
|
||||
|
||||
</ol>
|
||||
|
||||
@ -260,8 +268,8 @@ on a LAN segment.</li>
|
||||
<li>
|
||||
|
||||
<p align="left">If ADD_SNAT_ALIASES=Yes is specified in /etc/shorewall/shorewall.conf,
|
||||
an error occurs when the firewall script attempts to add an
|
||||
SNAT alias. </p>
|
||||
an error occurs when the firewall script attempts to add
|
||||
an SNAT alias. </p>
|
||||
</li>
|
||||
<li>
|
||||
|
||||
@ -308,8 +316,8 @@ on a LAN segment.</li>
|
||||
|
||||
<div align="left">
|
||||
<p align="left">That capability was lost in version 1.3.4 so that it is only
|
||||
possible to include a single host specification on each line. This
|
||||
problem is corrected by <a
|
||||
possible to include a single host specification on each line.
|
||||
This problem is corrected by <a
|
||||
href="http://www.shorewall.net/pub/shorewall/errata/1.3.5a/firewall">this
|
||||
modified 1.3.5a firewall script</a>. Install the script in /var/lib/pub/shorewall/firewall
|
||||
as instructed above.</p>
|
||||
@ -326,15 +334,15 @@ on a LAN segment.</li>
|
||||
href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">
|
||||
this corrected firewall script</a> in /var/lib/pub/shorewall/firewall
|
||||
as instructed above. This problem is corrected in version
|
||||
1.3.5a.</p>
|
||||
1.3.5a.</p>
|
||||
|
||||
<h3 align="left">Version 1.3.n, n < 4</h3>
|
||||
|
||||
<p align="left">The "shorewall start" and "shorewall restart" commands
|
||||
to not verify that the zones named in the /etc/shorewall/policy file
|
||||
have been previously defined in the /etc/shorewall/zones file.
|
||||
The "shorewall check" command does perform this verification so
|
||||
it's a good idea to run that command after you have made configuration
|
||||
to not verify that the zones named in the /etc/shorewall/policy
|
||||
file have been previously defined in the /etc/shorewall/zones
|
||||
file. The "shorewall check" command does perform this verification
|
||||
so it's a good idea to run that command after you have made configuration
|
||||
changes.</p>
|
||||
|
||||
<h3 align="left">Version 1.3.n, n < 3</h3>
|
||||
@ -351,8 +359,8 @@ it's a good idea to run that command after you have made configuratio
|
||||
|
||||
<p align="left">Until approximately 2130 GMT on 17 June 2002, the
|
||||
download sites contained an incorrect version of the .lrp file. That
|
||||
file can be identified by its size (56284 bytes). The correct version
|
||||
has a size of 38126 bytes.</p>
|
||||
file can be identified by its size (56284 bytes). The correct
|
||||
version has a size of 38126 bytes.</p>
|
||||
|
||||
<ul>
|
||||
<li>The code to detect a duplicate interface entry
|
||||
@ -383,14 +391,14 @@ just like "NAT_BEFORE_RULES=Yes".</li>
|
||||
|
||||
<ul>
|
||||
<li>TCP SYN packets may be double counted when
|
||||
LIMIT:BURST is included in a CONTINUE or ACCEPT policy (i.e., each
|
||||
packet is sent through the limit chain twice).</li>
|
||||
LIMIT:BURST is included in a CONTINUE or ACCEPT policy (i.e.,
|
||||
each packet is sent through the limit chain twice).</li>
|
||||
<li>An unnecessary jump to the policy chain is sometimes
|
||||
generated for a CONTINUE policy.</li>
|
||||
<li>When an option is given for more than one interface
|
||||
in /etc/shorewall/interfaces then depending on the option,
|
||||
Shorewall may ignore all but the first appearence of the
|
||||
option. For example:<br>
|
||||
option. For example:<br>
|
||||
<br>
|
||||
net eth0 dhcp<br>
|
||||
loc eth1 dhcp<br>
|
||||
@ -402,8 +410,8 @@ option. For example:<br>
|
||||
noping. An additional bug has been found that affects only
|
||||
the 'routestopped' option.<br>
|
||||
<br>
|
||||
Users who downloaded the corrected script prior to
|
||||
1850 GMT today should download and install the corrected
|
||||
Users who downloaded the corrected script prior
|
||||
to 1850 GMT today should download and install the corrected
|
||||
script again to ensure that this second problem is corrected.</li>
|
||||
|
||||
</ul>
|
||||
@ -447,7 +455,7 @@ command will tell you which version that you have installed.</
|
||||
corrected 1.2.3 rpm which you can download here</a> and I have also
|
||||
built an <a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
|
||||
iptables-1.2.4 rpm which you can download here</a>. If you are currently
|
||||
iptables-1.2.4 rpm which you can download here</a>. If you are currently
|
||||
running RedHat 7.1, you can install either of these RPMs
|
||||
<b><u>before</u> </b>you upgrade to RedHat 7.2.</p>
|
||||
|
||||
@ -553,5 +561,6 @@ option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentati
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
BIN
STABLE/documentation/images/MDKlinux.jpg
Normal file
BIN
STABLE/documentation/images/MDKlinux.jpg
Normal file
Binary file not shown.
After Width: | Height: | Size: 15 KiB |
BIN
STABLE/documentation/images/Vexira_Antivirus_Logo.gif
Normal file
BIN
STABLE/documentation/images/Vexira_Antivirus_Logo.gif
Normal file
Binary file not shown.
After Width: | Height: | Size: 2.6 KiB |
BIN
STABLE/documentation/images/courier-imap.png
Normal file
BIN
STABLE/documentation/images/courier-imap.png
Normal file
Binary file not shown.
BIN
STABLE/documentation/images/debian.jpg
Normal file
BIN
STABLE/documentation/images/debian.jpg
Normal file
Binary file not shown.
After Width: | Height: | Size: 8.2 KiB |
BIN
STABLE/documentation/images/logo2.png
Normal file
BIN
STABLE/documentation/images/logo2.png
Normal file
Binary file not shown.
BIN
STABLE/documentation/images/medbutton.png
Normal file
BIN
STABLE/documentation/images/medbutton.png
Normal file
Binary file not shown.
BIN
STABLE/documentation/images/obrasinf.gif
Normal file
BIN
STABLE/documentation/images/obrasinf.gif
Normal file
Binary file not shown.
After Width: | Height: | Size: 7.1 KiB |
@ -33,10 +33,18 @@
|
||||
</a><a href="http://www.postfix.org/"> <img
|
||||
src="images/small-picture.gif" align="right" border="0" width="115"
|
||||
height="45">
|
||||
</a><font color="#ffffff">Shorewall Mailing Lists</font></h1>
|
||||
</a><font color="#ffffff">Shorewall Mailing Lists<a
|
||||
href="http://www.inter7.com/courierimap/"><img
|
||||
src="images/courier-imap.png" alt="Courier-Imap" width="100"
|
||||
height="38" align="right">
|
||||
</a></font></h1>
|
||||
|
||||
|
||||
<p align="right"><font color="#ffffff"><b><br>
|
||||
Powered by Postfix </b></font> </p>
|
||||
</b></font></p>
|
||||
|
||||
<p align="right"><font color="#ffffff"><b><br>
|
||||
Powered by Postfix </b></font> </p>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
@ -71,10 +79,27 @@ Powered by Postfix
|
||||
<li>to ensure that the sender address is fully qualified.</li>
|
||||
<li>to verify that the sender's domain has an A or MX record in DNS.</li>
|
||||
<li>to ensure that the host name in the HELO/EHLO command is a valid
|
||||
fully-qualified DNS name.<br>
|
||||
</li>
|
||||
fully-qualified DNS name.</li>
|
||||
|
||||
</ol>
|
||||
<h2>Please post in plain text</h2>
|
||||
While the list server here at shorewall.net accepts and distributes HTML
|
||||
posts, a growing number of MTAs serving list subscribers are rejecting this
|
||||
HTML list traffic. At least one MTA has gone so far as to blacklist shorewall.net
|
||||
"for continuous abuse"!!<br>
|
||||
<br>
|
||||
I think that blocking all HTML is a rather draconian way to control spam
|
||||
and that the unltimate loser here is not the spammers but the list subscribers
|
||||
whose MTAs are bouncing all shorewall.net mail. Nevertheless, all of you
|
||||
can help by restricting your list posts to plain text.<br>
|
||||
<br>
|
||||
And as a bonus, subscribers who use email clients like pine and mutt will
|
||||
be able to read your plain text posts whereas they are most likely simply
|
||||
ignoring your HTML posts.<br>
|
||||
<br>
|
||||
A final bonus for the use of HTML is that it cuts down the size of messages
|
||||
by a large percentage -- that is important when the same message must be
|
||||
sent 500 times over the slow DSL line connecting the list server to the internet.<br>
|
||||
|
||||
<h2></h2>
|
||||
|
||||
@ -110,14 +135,19 @@ fully-qualified DNS name.<br>
|
||||
type="submit" value="Search"> </p>
|
||||
</form>
|
||||
|
||||
<h2 align="left"><font color="#ff0000">Please do not try to download the entire
|
||||
Archive -- its 75MB (and growing daily) and my slow DSL line simply won't
|
||||
stand the traffic. If I catch you, you'll be blacklisted.<br>
|
||||
</font></h2>
|
||||
|
||||
<h2 align="left">Shorewall CA Certificate</h2>
|
||||
If you want to trust X.509 certificates issued by Shoreline Firewall
|
||||
(such as the one used on my web site), you may <a
|
||||
(such as the one used on my web site), you may <a
|
||||
href="Shorewall_CA_html.html">download and install my CA certificate</a>
|
||||
in your browser. If you don't wish to trust my certificates then you can
|
||||
either use unencrypted access when subscribing to Shorewall mailing lists
|
||||
or you can use secure access (SSL) and accept the server's certificate when
|
||||
prompted by your browser.<br>
|
||||
in your browser. If you don't wish to trust my certificates then you
|
||||
can either use unencrypted access when subscribing to Shorewall mailing
|
||||
lists or you can use secure access (SSL) and accept the server's certificate
|
||||
when prompted by your browser.<br>
|
||||
|
||||
<h2 align="left">Shorewall Users Mailing List</h2>
|
||||
|
||||
@ -187,10 +217,10 @@ list may be found at <a
|
||||
</li>
|
||||
<li>
|
||||
<p align="left">Down at the bottom of that page is the following text:
|
||||
"To change your subscription (set options like digest and delivery modes,
|
||||
get a reminder of your password, <b>or unsubscribe</b> from <name
|
||||
of list>), enter your subscription email address:". Enter your email
|
||||
address in the box and click on the "Edit Options" button.</p>
|
||||
"To change your subscription (set options like digest and delivery
|
||||
modes, get a reminder of your password, <b>or unsubscribe</b> from
|
||||
<name of list>), enter your subscription email address:". Enter
|
||||
your email address in the box and click on the "Edit Options" button.</p>
|
||||
</li>
|
||||
<li>
|
||||
<p align="left">There will now be a box where you can enter your password
|
||||
@ -205,17 +235,12 @@ address in the box and click on the "Edit Options" button.</p>
|
||||
|
||||
<p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p>
|
||||
|
||||
<p align="left"><font size="2">Last updated 11/22/2002 - <a
|
||||
<p align="left"><font size="2">Last updated 12/27/2002 - <a
|
||||
href="support.htm">Tom Eastep</a></font></p>
|
||||
|
||||
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
|
||||
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
|
||||
</p>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -33,11 +33,11 @@
|
||||
|
||||
<blockquote>
|
||||
<div align="left">
|
||||
<pre>2020ca - delivery to this domain has been disabled (cause unknown)<br>arosy.de - delivery to this domain has been disabled (Relay access denied)<br>arundel.homelinux.org - delivery to this domain has been disabled (connection timed out, connection refused)<br>asurfer.com - (Mailbox full)<br>bol.com.br - delivery to this domain has been disabled (Mailbox Full)<br>cuscominc.com - delivery to this domain has been disabled (bouncing mail from all sources with "Mail rejected because the server you are sending to is misconfigured").<br>excite.com - delivery to this domain has been disabled (cause unknown)<br>epacificglobal.com - delivery to this domain has been disabled (no MX record for domain)<br>freefish.dyndns.org - delivery to this domain has been disabled (Name Server Problem -- Host not found)<br>gmx.net - delivery to this domain has been disabled (cause unknown)<br>hotmail.com - delivery to this domain has been disabled (Mailbox over quota)<br>intercom.net - delivery to this domain has been disabled (cause unknown)<br>ionsphere.org - (connection timed out)<br>initialcs.com - delivery to this domain has been disabled (cause unknown)<br>intelligents.2y.net - delivery to this domain has been disabled (Name Service Problem -- Host not Found).<br>khp-inc.com - delivery to this domain has been disabled (anti-virus problems)<br>kieninger.de - delivery to this domain has been disabled (relaying to <xxxxx@kieninger.de> prohibited by administrator)<br>lariera.com - delivery to this domain has been disabled (Unknown User)<br>littleblue.de - (connection timed out)<br>mfocus.com.my - delivery to this domain has been disabled (MTA at mailx.mfocus.com.my not delivering and not giving a reason)<br>navair.navy.mil - delivery to this domain has been disabled (A restriction in the system prevented delivery of the message)<br>opermail.net - delivery to this domain has been disabled (cause unknown)<br>opus.homeip.net - (SpamAssassin is missing the HiRes Time module)<br>penquindevelopment.com - delivery to this domain has been disabled (connection timed out)<br>scip-online.de - delivery to this domain has been disabled (cause unknown)<br>spctnet.com - connection timed out - delivery to this domain has been disabled<br>telusplanet.net - delivery to this domain has been disabled (cause unknown)<br>yahoo.com - delivery to this domain has been disabled (Mailbox over quota)</pre>
|
||||
<pre>2020ca - delivery to this domain has been disabled (cause unknown)<br>arosy.de - delivery to this domain has been disabled (Relay access denied)<br>arundel.homelinux.org - delivery to this domain has been disabled (connection timed out, connection refused)<br>asurfer.com - (Mailbox full)<br>bol.com.br - delivery to this domain has been disabled (Mailbox Full)<br>cuscominc.com - delivery to this domain has been disabled (bouncing mail from all sources with "Mail rejected because the server you are sending to is misconfigured").<br>cvnet.psi.br - (DNS configuration error -- MX is cvn-srv1.cvnet.psi.br.cvnet.psi.br)<br>datakota.com - (DNS Timeouts)<br>excite.com - delivery to this domain has been disabled (cause unknown)<br>epacificglobal.com - delivery to this domain has been disabled (no MX record for domain)<br>freefish.dyndns.org - delivery to this domain has been disabled (Name Server Problem -- Host not found)<br>gmx.net - delivery to this domain has been disabled (cause unknown)<br>hotmail.com - delivery to this domain has been disabled (Mailbox over quota)<br>intercom.net - delivery to this domain has been disabled (cause unknown)<br>nitialcs.com - delivery to this domain has been disabled (cause unknown)<br>intelligents.2y.net - delivery to this domain has been disabled (Name Service Problem -- Host not Found).<br>khp-inc.com - delivery to this domain has been disabled (anti-virus problems)<br>kieninger.de - delivery to this domain has been disabled (relaying to <xxxxx@kieninger.de> prohibited by administrator)<br>lariera.com - delivery to this domain has been disabled (Unknown User)<br>mfocus.com.my - delivery to this domain has been disabled (MTA at mailx.mfocus.com.my not delivering and not giving a reason)<br>navair.navy.mil - delivery to this domain has been disabled (A restriction in the system prevented delivery of the message)<br>opermail.net - delivery to this domain has been disabled (cause unknown)<br>penquindevelopment.com - delivery to this domain has been disabled (connection timed out)<br>scip-online.de - delivery to this domain has been disabled (cause unknown)<br>spctnet.com - connection timed out - delivery to this domain has been disabled<br>telusplanet.net - delivery to this domain has been disabled (cause unknown)<br>the-techy.com - delivery to this domain has been disabled (clueless administrator - continuous DNS problems) <br>yahoo.com - delivery to this domain has been disabled (Mailbox over quota)</pre>
|
||||
</div>
|
||||
</blockquote>
|
||||
|
||||
<p align="left"><font size="2">Last updated 11/24/2002 18:44 GMT - <a
|
||||
<p align="left"><font size="2">Last updated 12/17/2002 02:51 GMT - <a
|
||||
href="support.htm">Tom Eastep</a></font></p>
|
||||
|
||||
<p align="left"><a href="copyright.htm"> <font face="Trebuchet MS"> <font
|
||||
@ -53,5 +53,8 @@
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
90
STABLE/documentation/ping.html
Normal file
90
STABLE/documentation/ping.html
Normal file
@ -0,0 +1,90 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
<title>ICMP Echo-request (Ping)</title>
|
||||
<meta http-equiv="content-type"
|
||||
content="text/html; charset=ISO-8859-1">
|
||||
<meta name="author" content="Tom Eastep">
|
||||
</head>
|
||||
<body>
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#400169" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">ICMP Echo-request (Ping)</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
Shorewall 'Ping' management has evolved over time in a less than consistant
|
||||
way. This page describes how it now works.<br>
|
||||
<br>
|
||||
There are several aspects to Shorewall Ping management:<br>
|
||||
<ol>
|
||||
<li>The <b>noping</b> and <b>filterping </b>interface options in <a
|
||||
href="file:///home/teastep/Shorewall-docs/Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
|
||||
<li>The <b>FORWARDPING</b> option in<a
|
||||
href="file:///home/teastep/Shorewall-docs/Documentation.htm#Conf"> /etc/shorewall/shorewall.conf</a>.</li>
|
||||
<li>Explicit rules in <a
|
||||
href="file:///home/teastep/Shorewall-docs/Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
|
||||
</ol>
|
||||
There are two cases to consider:<br>
|
||||
<ol>
|
||||
<li>Ping requests addressed to the firewall itself; and</li>
|
||||
<li>Ping requests being forwarded to another system. Included here are
|
||||
all cases of packet forwarding including NAT, DNAT rule, Proxy ARP and simple
|
||||
routing.</li>
|
||||
</ol>
|
||||
These cases will be covered separately.<br>
|
||||
<h2>Ping Requests Addressed to the Firewall Itself</h2>
|
||||
For ping requests addressed to the firewall, the sequence is as follows:<br>
|
||||
<ol>
|
||||
<li>If neither <b>noping</b> nor <b>filterping </b>are specified for the
|
||||
interface that receives the ping request then the request will be responded
|
||||
to with an ICMP echo-reply.</li>
|
||||
<li>If <b>noping</b> is specified for the interface that receives the ping
|
||||
request then the request is ignored.</li>
|
||||
<li>If <b>filterping </b>is specified for the interface then the request
|
||||
is passed to the rules/policy evaluation.</li>
|
||||
</ol>
|
||||
<h2>Ping Requests Forwarded by the Firewall</h2>
|
||||
These requests are <b>always</b> passed to rules/policy evaluation.<br>
|
||||
<h2>Rules Evaluation</h2>
|
||||
Ping requests are ICMP type 8. So the general rule format is:<br>
|
||||
<br>
|
||||
<i>Target Source Destination
|
||||
</i>icmp 8<br>
|
||||
<br>
|
||||
Example 1. Accept pings from the net to the dmz (pings are responded to with
|
||||
an ICMP echo-reply):<br>
|
||||
<br>
|
||||
ACCEPT net dmz
|
||||
icmp 8<br>
|
||||
<br>
|
||||
Example 2. Drop pings from the net to the firewall<br>
|
||||
<br>
|
||||
DROP net fw
|
||||
icmp 8<br>
|
||||
<h2>Policy Evaluation</h2>
|
||||
If no applicable rule is found, then the policy for the source to the destination
|
||||
is applied.<br>
|
||||
<ol>
|
||||
<li>If the relevant policy is ACCEPT then the request is responded to with
|
||||
an ICMP echo-reply.</li>
|
||||
<li>If <b>FORWARDPING</b> is set to Yes in /etc/shorewall/shorewall.conf
|
||||
then the request is responded to with an ICMP echo-reply.</li>
|
||||
<li>Otherwise, the relevant REJECT or DROP policy is used and the request
|
||||
is either rejected or simply ignored.</li>
|
||||
</ol>
|
||||
<p><font size="2">Updated 12/13/2002 - <a
|
||||
href="file:///home/teastep/Shorewall-docs/support.htm">Tom Eastep</a> </font></p>
|
||||
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
@ -11,6 +11,7 @@
|
||||
|
||||
|
||||
|
||||
|
||||
<base target="_self">
|
||||
</head>
|
||||
<body>
|
||||
@ -20,10 +21,13 @@
|
||||
<table border="0" cellpadding="0" cellspacing="4"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber3"
|
||||
bgcolor="#4b017c">
|
||||
|
||||
<tbody>
|
||||
<tr>
|
||||
<td
|
||||
width="100%" height="90">
|
||||
|
||||
<td width="100%" height="90">
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@ -33,9 +37,10 @@
|
||||
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4"
|
||||
alt="Shorwall Logo" height="70" width="85" align="left"
|
||||
src="images/washington.jpg" border="0">
|
||||
</a></i></font><font
|
||||
color="#ffffff">Shorewall 1.3 - <font size="4">"<i>iptables
|
||||
made easy"</i></font></font></h1>
|
||||
|
||||
</a></i></font><font color="#ffffff">Shorewall 1.3 -
|
||||
<font size="4">"<i>iptables made easy"</i></font></font></h1>
|
||||
|
||||
|
||||
|
||||
|
||||
@ -47,13 +52,16 @@
|
||||
color="#ffffff">Shorewall 1.2 Site here</font></a><br>
|
||||
</div>
|
||||
<br>
|
||||
|
||||
</td>
|
||||
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
|
||||
</tbody>
|
||||
|
||||
</table>
|
||||
|
||||
|
||||
@ -61,12 +69,15 @@
|
||||
<div align="center">
|
||||
|
||||
<center>
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber4">
|
||||
|
||||
<tbody>
|
||||
<tr>
|
||||
<td
|
||||
width="90%">
|
||||
|
||||
<td width="90%">
|
||||
|
||||
|
||||
|
||||
|
||||
@ -81,6 +92,8 @@
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<p>The Shoreline Firewall, more commonly known as "Shorewall", is
|
||||
a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
|
||||
firewall that can be used on a dedicated firewall system, a multi-function
|
||||
@ -92,22 +105,29 @@ firewall that can be used on a dedicated firewall system, a multi-functio
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<p>This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of <a
|
||||
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
|
||||
General Public License</a> as published by the Free Software Foundation.<br>
|
||||
|
||||
<br>
|
||||
This program
|
||||
is distributed in the hope that it will be useful,
|
||||
but WITHOUT ANY WARRANTY; without even the implied warranty
|
||||
of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
|
||||
See the GNU General Public License for more details.<br>
|
||||
|
||||
This program is distributed in the hope that it
|
||||
will be useful, but WITHOUT ANY WARRANTY; without
|
||||
even the implied warranty of MERCHANTABILITY or FITNESS
|
||||
FOR A PARTICULAR PURPOSE. See the GNU General Public
|
||||
License for more details.<br>
|
||||
|
||||
<br>
|
||||
You should
|
||||
have received a copy of the GNU General Public License
|
||||
along with this program; if not, write to the Free Software
|
||||
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139,
|
||||
USA</p>
|
||||
|
||||
You should have received a copy of the GNU General
|
||||
Public License along with this program; if not,
|
||||
write to the Free Software Foundation, Inc., 675
|
||||
Mass Ave, Cambridge, MA 02139, USA</p>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@ -124,20 +144,23 @@ General Public License</a> as published by the Free Software Foundation.<
|
||||
|
||||
|
||||
|
||||
|
||||
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
|
||||
border="0" src="images/leaflogo.gif" width="49" height="36">
|
||||
</a>Jacques
|
||||
Nilo and Eric Wolzak have a LEAF (router/firewall/gateway
|
||||
on a floppy, CD or compact flash) distribution called
|
||||
<i>Bering</i> that features Shorewall-1.3.10 and Kernel-2.4.18.
|
||||
You can find their work at: <a
|
||||
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
|
||||
|
||||
</a>Jacques Nilo and Eric Wolzak have a LEAF
|
||||
(router/firewall/gateway on a floppy, CD or compact flash) distribution
|
||||
called <i>Bering</i> that features Shorewall-1.3.10
|
||||
and Kernel-2.4.18. You can find their work at:
|
||||
<a href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
|
||||
</a></p>
|
||||
|
||||
|
||||
<p><b>Congratulations to Jacques and Eric on the recent release of
|
||||
Bering 1.0 Final!!! </b><br>
|
||||
</p>
|
||||
|
||||
|
||||
<h2>This is a mirror of the main Shorewall web site at SourceForge
|
||||
(<a href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
|
||||
|
||||
@ -150,6 +173,7 @@ Bering 1.0 Final!!! </b><br>
|
||||
|
||||
|
||||
|
||||
|
||||
<h2>News</h2>
|
||||
|
||||
|
||||
@ -158,283 +182,187 @@ Bering 1.0 Final!!! </b><br>
|
||||
|
||||
|
||||
|
||||
|
||||
<h2></h2>
|
||||
|
||||
|
||||
|
||||
|
||||
<p><b>12/3/2002 - Shorewall 1.3.11a </b><b><img border="0"
|
||||
src="images/new10.gif" width="28" height="12" alt="(New)">
|
||||
|
||||
|
||||
<p><b>12/27/2002 - Shorewall 1.3.12 Released</b><b> </b><b><img
|
||||
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
|
||||
</b></p>
|
||||
|
||||
<p>This is a bug-fix roll up which includes Roger Aich's fix for DNAT
|
||||
with excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11 users who
|
||||
don't need rules of this type need not upgrade to 1.3.11.</p>
|
||||
|
||||
<p><b>11/25/2002 - Shorewall 1.3.11 Documentation in PDF Format</b><b>
|
||||
</b></p>
|
||||
|
||||
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.11
|
||||
documenation. the PDF may be downloaded from</p>
|
||||
|
||||
<p> <a
|
||||
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
|
||||
<a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
|
||||
<p> Features include:<br>
|
||||
</p>
|
||||
|
||||
<p><b>11/24/2002 - Shorewall 1.3.11</b><b> </b><b>
|
||||
</b></p>
|
||||
<ol>
|
||||
<li>"shorewall refresh" now reloads the traffic shaping rules (tcrules
|
||||
and tcstart).</li>
|
||||
<li>"shorewall debug [re]start" now turns off debugging after an
|
||||
error occurs. This places the point of the failure near the end of the
|
||||
trace rather than up in the middle of it.</li>
|
||||
<li>"shorewall [re]start" has been speeded up by more than 40% with
|
||||
my configuration. Your milage may vary.</li>
|
||||
<li>A "shorewall show classifiers" command has been added which shows
|
||||
the current packet classification filters. The output from this command
|
||||
is also added as a separate page in "shorewall monitor"</li>
|
||||
<li>ULOG (must be all caps) is now accepted as a valid syslog level
|
||||
and causes the subject packets to be logged using the ULOG target rather
|
||||
than the LOG target. This allows you to run ulogd (available from <a
|
||||
href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
|
||||
and log all Shorewall messages <a
|
||||
href="configuration_file_basics.htm#Levels">to a separate log file</a>.</li>
|
||||
<li>If you are running a kernel that has a FORWARD chain in the mangle
|
||||
table ("shorewall show mangle" will show you the chains in the mangle table),
|
||||
you can set MARK_IN_FORWARD_CHAIN=Yes in <a
|
||||
href="Documentation.htm#Conf">shorewall.conf</a>. This allows for marking
|
||||
input packets based on their destination even when you are using Masquerading
|
||||
or SNAT.</li>
|
||||
<li>I have cluttered up the /etc/shorewall directory with empty 'init',
|
||||
'start', 'stop' and 'stopped' files. If you already have a file with one
|
||||
of these names, don't worry -- the upgrade process won't overwrite your file.</li>
|
||||
<li>I have added a new RFC1918_LOG_LEVEL variable to <a
|
||||
href="Documentation.htm#Conf">shorewall.conf</a>. This variable specifies
|
||||
the syslog level at which packets are logged as a result of entries in the
|
||||
/etc/shorewall/rfc1918 file. Previously, these packets were always logged
|
||||
at the 'info' level.<br>
|
||||
</li>
|
||||
</ol>
|
||||
|
||||
<p>In this version:</p>
|
||||
<p><b>12/20/2002 - Shorewall 1.3.12 Beta 3</b><br>
|
||||
</p>
|
||||
This version corrects a problem with Blacklist logging. In Beta 2, if BLACKLIST_LOG_LEVEL
|
||||
was set to anything but ULOG, the firewall would fail to start and "shorewall
|
||||
refresh" would also fail.<br>
|
||||
|
||||
<ul>
|
||||
<li>A 'tcpflags' option has been added to entries in <a
|
||||
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. This
|
||||
option causes Shorewall to make a set of sanity check on TCP packet header
|
||||
flags.</li>
|
||||
<li>It is now allowed to use 'all' in the SOURCE or DEST column
|
||||
in a <a href="Documentation.htm#Rules">rule</a>. When used, 'all' must
|
||||
appear by itself (in may not be qualified) and it does not enable intra-zone
|
||||
traffic. For example, the rule <br>
|
||||
<br>
|
||||
ACCEPT loc all tcp 80<br>
|
||||
<br>
|
||||
does not enable http traffic from 'loc' to 'loc'.</li>
|
||||
<li>Shorewall's use of the 'echo' command is now compatible with
|
||||
bash clones such as ash and dash.</li>
|
||||
<li>fw->fw policies now generate a startup error. fw->fw
|
||||
rules generate a warning and are ignored</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<p><b>11/14/2002 - Shorewall Documentation in PDF Format</b><b>
|
||||
</b></p>
|
||||
|
||||
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10
|
||||
documenation. the PDF may be downloaded from</p>
|
||||
|
||||
<p> <a
|
||||
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
|
||||
<a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
|
||||
<p> You may download the Beta from:<br>
|
||||
</p>
|
||||
|
||||
<p><b>11/09/2002 - Shorewall is Back at SourceForge</b><b>
|
||||
</b></p>
|
||||
|
||||
|
||||
<p>The main Shorewall web site is now back at SourceForge at <a
|
||||
href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>.<br>
|
||||
</p>
|
||||
|
||||
|
||||
<p><b>11/09/2002 - Shorewall 1.3.10</b><b>
|
||||
</b></p>
|
||||
|
||||
|
||||
<p>In this version:</p>
|
||||
|
||||
|
||||
<ul>
|
||||
<li>You may now <a href="IPSEC.htm#Dynamic">define
|
||||
the contents of a zone dynamically</a> with the <a
|
||||
href="starting_and_stopping_shorewall.htm">"shorewall add" and "shorewall
|
||||
delete" commands</a>. These commands are expected to be used primarily
|
||||
within <a href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a>
|
||||
updown scripts.</li>
|
||||
<li>Shorewall can now do<a
|
||||
href="MAC_Validation.html"> MAC verification</a> on ethernet segments.
|
||||
You can specify the set of allowed MAC addresses on the segment and
|
||||
you can optionally tie each MAC address to one or more IP addresses.</li>
|
||||
<li>PPTP Servers and Clients running on the firewall
|
||||
system may now be defined in the<a href="PPTP.htm"> /etc/shorewall/tunnels</a>
|
||||
file.</li>
|
||||
<li>A new 'ipsecnat' tunnel type is supported for
|
||||
use when the <a href="IPSEC.htm">remote IPSEC endpoint is
|
||||
behind a NAT gateway</a>.</li>
|
||||
<li>The PATH used by Shorewall may now be specified
|
||||
in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
|
||||
<li>The main firewall script is now /usr/lib/shorewall/firewall.
|
||||
The script in /etc/init.d/shorewall is very small and uses /sbin/shorewall
|
||||
to do the real work. This change makes custom distributions such as
|
||||
for Debian and for Gentoo easier to manage since it is /etc/init.d/shorewall
|
||||
that tends to have distribution-dependent code.</li>
|
||||
|
||||
|
||||
</ul>
|
||||
If you have installed the 1.3.10 Beta 1 RPM and are now upgrading
|
||||
to version 1.3.10, you will need to use the '--force' option:<br>
|
||||
|
||||
|
||||
<blockquote>
|
||||
|
||||
|
||||
<pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm</pre>
|
||||
<blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
|
||||
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
|
||||
target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
|
||||
</blockquote>
|
||||
|
||||
<p><b>12/20/2002 - Shorewall 1.3.12 Beta 2</b><b>
|
||||
</b></p>
|
||||
The first public Beta version of Shorewall 1.3.12 is now available (Beta
|
||||
1 was made available to a limited audience). <br>
|
||||
<br>
|
||||
Features include:<br>
|
||||
<br>
|
||||
|
||||
<p><b>10/24/2002 - Shorewall is now in Gentoo Linux</b><a
|
||||
href="http://www.gentoo.org"><br>
|
||||
</a></p>
|
||||
Alexandru Hartmann reports that his Shorewall package
|
||||
is now a part of <a href="http://www.gentoo.org">the Gentoo
|
||||
Linux distribution</a>. Thanks Alex!<br>
|
||||
<ol>
|
||||
<li>"shorewall refresh" now reloads the traffic shaping rules
|
||||
(tcrules and tcstart).</li>
|
||||
<li>"shorewall debug [re]start" now turns off debugging after
|
||||
an error occurs. This places the point of the failure near the end of the
|
||||
trace rather than up in the middle of it.</li>
|
||||
<li>"shorewall [re]start" has been speeded up by more than 40%
|
||||
with my configuration. Your milage may vary.</li>
|
||||
<li>A "shorewall show classifiers" command has been added which
|
||||
shows the current packet classification filters. The output from this command
|
||||
is also added as a separate page in "shorewall monitor"</li>
|
||||
<li>ULOG (must be all caps) is now accepted as a valid syslog
|
||||
level and causes the subject packets to be logged using the ULOG target
|
||||
rather than the LOG target. This allows you to run ulogd (available from
|
||||
<a href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
|
||||
and log all Shorewall messages <a
|
||||
href="configuration_file_basics.htm#Levels">to a separate log file</a>.</li>
|
||||
<li>If you are running a kernel that has a FORWARD chain in
|
||||
the mangle table ("shorewall show mangle" will show you the chains in the
|
||||
mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf.
|
||||
This allows for marking input packets based on their destination even when
|
||||
you are using Masquerading or SNAT.</li>
|
||||
<li>I have cluttered up the /etc/shorewall directory with empty
|
||||
'init', 'start', 'stop' and 'stopped' files. If you already have a file
|
||||
with one of these names, don't worry -- the upgrade process won't overwrite
|
||||
your file.</li>
|
||||
|
||||
|
||||
|
||||
<p><b>10/23/2002 - Shorewall 1.3.10 Beta 1</b><b> </b></p>
|
||||
In this version:<br>
|
||||
|
||||
|
||||
|
||||
<ul>
|
||||
<li>You may now <a
|
||||
href="IPSEC.htm#Dynamic">define the contents of a zone dynamically</a>
|
||||
with the <a href="starting_and_stopping_shorewall.htm">"shorewall add" and
|
||||
"shorewall delete" commands</a>. These commands are expected
|
||||
to be used primarily within <a
|
||||
href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a> updown
|
||||
scripts.</li>
|
||||
<li>Shorewall can now do<a
|
||||
href="MAC_Validation.html"> MAC verification</a> on ethernet segments.
|
||||
You can specify the set of allowed MAC addresses on the segment
|
||||
and you can optionally tie each MAC address to one or more IP addresses.</li>
|
||||
<li>PPTP Servers and Clients running on the
|
||||
firewall system may now be defined in the<a href="PPTP.htm"> /etc/shorewall/tunnels</a>
|
||||
file.</li>
|
||||
<li>A new 'ipsecnat' tunnel type is supported
|
||||
for use when the <a href="IPSEC.htm">remote IPSEC endpoint
|
||||
is behind a NAT gateway</a>.</li>
|
||||
<li>The PATH used by Shorewall may now be
|
||||
specified in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
|
||||
<li>The main firewall script is now /usr/lib/shorewall/firewall.
|
||||
The script in /etc/init.d/shorewall is very small and uses /sbin/shorewall
|
||||
to do the real work. This change makes custom distributions such
|
||||
as for Debian and for Gentoo easier to manage since it is /etc/init.d/shorewall
|
||||
that tends to have distribution-dependent code.</li>
|
||||
|
||||
|
||||
|
||||
</ul>
|
||||
</ol>
|
||||
You may download the Beta from:<br>
|
||||
|
||||
<blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
|
||||
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
|
||||
target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
|
||||
</blockquote>
|
||||
|
||||
<p><b>12/12/2002 - Mandrake Multi Network Firewall <a
|
||||
href="http://www.mandrakesoft.com"><img src="images/logo2.png"
|
||||
alt="Powered by Mandrake Linux" width="150" height="21" border="0">
|
||||
</a></b></p>
|
||||
Shorewall is at the center of MandrakeSoft's recently-announced <a
|
||||
href="http://www.mandrakestore.com/mdkinc/index.php?PAGE=tab_0/menu_0.php&id_art=250&LANG_=en#GOTO_250">Multi
|
||||
Network Firewall (MNF)</a> product. Here is the <a
|
||||
href="http://www.mandrakesoft.com/company/press/pr?n=/pr/products/2403">press
|
||||
release</a>.<br>
|
||||
|
||||
<p><b>12/7/2002 - Shorewall Support for Mandrake 9.0</b><b>
|
||||
</b></p>
|
||||
|
||||
|
||||
<ul>
|
||||
<li><a
|
||||
href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a></li>
|
||||
<li><a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/Beta" target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
|
||||
</li>
|
||||
<p>Two months and 3 days after I pre-ordered Mandrake 9.0, it was finally
|
||||
delivered. I have installed 9.0 on one of my systems and I am now in
|
||||
a position to support Shorewall users who run Mandrake 9.0.</p>
|
||||
|
||||
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
|
||||
<p><b>10/10/2002 - Debian 1.3.9b Packages Available </b><b>
|
||||
</b><br>
|
||||
<p><b>12/6/2002 - Debian 1.3.11a Packages Available</b><br>
|
||||
</p>
|
||||
|
||||
|
||||
|
||||
|
||||
<p>Apt-get sources listed at <a
|
||||
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html.</a></p>
|
||||
|
||||
|
||||
|
||||
|
||||
<p><b>10/9/2002 - Shorewall 1.3.9b </b><b><img border="0"
|
||||
src="images/new10.gif" width="28" height="12" alt="(New)">
|
||||
</b></p>
|
||||
This release rolls up fixes to the installer
|
||||
and to the firewall script.<br>
|
||||
<b><br>
|
||||
10/6/2002 - Shorewall.net now running on RH8.0
|
||||
</b><b><img border="0" src="images/new10.gif" width="28"
|
||||
height="12" alt="(New)">
|
||||
</b><br>
|
||||
<br>
|
||||
The firewall and server here at shorewall.net
|
||||
are now running RedHat release 8.0.<br>
|
||||
|
||||
|
||||
|
||||
|
||||
<p><b>9/30/2002 - Shorewall 1.3.9a</b><b>
|
||||
</b></p>
|
||||
Roles up the fix for broken tunnels.<br>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<p><b>9/30/2002 - TUNNELS Broken in 1.3.9!!!</b><b>
|
||||
</b></p>
|
||||
<img
|
||||
src="images/j0233056.gif" alt="Brown Paper Bag" width="50" height="86"
|
||||
align="left">
|
||||
There is an updated firewall script
|
||||
at <a
|
||||
href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
|
||||
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
|
||||
-- copy that file to /usr/lib/shorewall/firewall.<br>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<p><b><br>
|
||||
<p><b>12/3/2002 - Shorewall 1.3.11a</b><b>
|
||||
</b></p>
|
||||
|
||||
|
||||
<p>This is a bug-fix roll up which includes Roger Aich's fix for DNAT
|
||||
with excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11 users
|
||||
who don't need rules of this type need not upgrade to 1.3.11.</p>
|
||||
|
||||
|
||||
|
||||
<p><b><br>
|
||||
<p><b>11/25/2002 - Shorewall 1.3.11 Documentation in PDF Format</b><b>
|
||||
</b></p>
|
||||
|
||||
|
||||
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.11
|
||||
documenation. the PDF may be downloaded from</p>
|
||||
|
||||
|
||||
|
||||
<p><b><br>
|
||||
9/28/2002 - Shorewall 1.3.9 </b><b>
|
||||
</b></p>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<p>In this version:<br>
|
||||
<p> <a
|
||||
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
|
||||
<a
|
||||
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
|
||||
</p>
|
||||
|
||||
|
||||
<p><b>11/24/2002 - Shorewall 1.3.11</b><b> </b><b>
|
||||
</b></p>
|
||||
|
||||
|
||||
<p>In this version:</p>
|
||||
|
||||
|
||||
<ul>
|
||||
<li><a
|
||||
href="configuration_file_basics.htm#dnsnames">DNS Names</a> are now
|
||||
allowed in Shorewall config files (although I recommend
|
||||
against using them).</li>
|
||||
<li>The connection SOURCE
|
||||
may now be qualified by both interface and IP address
|
||||
in a <a href="Documentation.htm#Rules">Shorewall rule</a>.</li>
|
||||
<li>Shorewall startup
|
||||
is now disabled after initial installation until the
|
||||
file /etc/shorewall/startup_disabled is removed. This avoids
|
||||
nasty surprises at reboot for users who install Shorewall
|
||||
but don't configure it.</li>
|
||||
<li>The 'functions' and
|
||||
'version' files and the 'firewall' symbolic link have been
|
||||
moved from /var/lib/shorewall to /usr/lib/shorewall to appease
|
||||
the LFS police at Debian.<br>
|
||||
</li>
|
||||
|
||||
|
||||
|
||||
<li>A 'tcpflags' option has been added to entries
|
||||
in <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
|
||||
This option causes Shorewall to make a set of sanity check on TCP packet
|
||||
header flags.</li>
|
||||
<li>It is now allowed to use 'all' in the SOURCE or
|
||||
DEST column in a <a href="Documentation.htm#Rules">rule</a>. When
|
||||
used, 'all' must appear by itself (in may not be qualified) and it does
|
||||
not enable intra-zone traffic. For example, the rule <br>
|
||||
<br>
|
||||
ACCEPT loc all tcp 80<br>
|
||||
<br>
|
||||
does not enable http traffic from 'loc' to 'loc'.</li>
|
||||
<li>Shorewall's use of the 'echo' command is now compatible
|
||||
with bash clones such as ash and dash.</li>
|
||||
<li>fw->fw policies now generate a startup error.
|
||||
fw->fw rules generate a warning and are ignored</li>
|
||||
|
||||
|
||||
</ul>
|
||||
@ -442,16 +370,12 @@ file /etc/shorewall/startup_disabled is removed. This avoids
|
||||
|
||||
|
||||
|
||||
<p><b></b><a href="News.htm">More News</a></p>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<p><a href="News.htm">More News</a></p>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@ -459,17 +383,21 @@ file /etc/shorewall/startup_disabled is removed. This avoids
|
||||
<h2><a name="Donations"></a>Donations</h2>
|
||||
|
||||
</td>
|
||||
<td
|
||||
width="88" bgcolor="#4b017c" valign="top" align="center"> <a
|
||||
href="http://sourceforge.net">M</a></td>
|
||||
|
||||
<td width="88" bgcolor="#4b017c" valign="top"
|
||||
align="center"> <a href="http://sourceforge.net">M</a></td>
|
||||
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
|
||||
</tbody>
|
||||
|
||||
</table>
|
||||
|
||||
</center>
|
||||
|
||||
</div>
|
||||
|
||||
|
||||
@ -479,8 +407,10 @@ file /etc/shorewall/startup_disabled is removed. This avoids
|
||||
bgcolor="#4b017c">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td
|
||||
width="100%" style="margin-top: 1px;">
|
||||
|
||||
<td width="100%" style="margin-top: 1px;">
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@ -489,7 +419,9 @@ file /etc/shorewall/startup_disabled is removed. This avoids
|
||||
<p align="center"><a href="http://www.starlight.org"> <img
|
||||
border="4" src="images/newlog.gif" width="57" height="100" align="left"
|
||||
hspace="10">
|
||||
</a></p>
|
||||
|
||||
</a></p>
|
||||
|
||||
|
||||
|
||||
|
||||
@ -499,8 +431,10 @@ file /etc/shorewall/startup_disabled is removed. This avoids
|
||||
|
||||
<p align="center"><font size="4" color="#ffffff">Shorewall is free
|
||||
but if you try it and find it useful, please consider making a donation
|
||||
to <a href="http://www.starlight.org"><font
|
||||
color="#ffffff">Starlight Children's Foundation.</font></a> Thanks!</font></p>
|
||||
to <a
|
||||
href="http://www.starlight.org"><font color="#ffffff">Starlight
|
||||
Children's Foundation.</font></a> Thanks!</font></p>
|
||||
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
@ -508,12 +442,15 @@ but if you try it and find it useful, please consider making a donation
|
||||
|
||||
|
||||
</tbody>
|
||||
|
||||
</table>
|
||||
|
||||
|
||||
<p><font size="2">Updated 12/3/2002 - <a href="support.htm">Tom Eastep</a></font>
|
||||
|
||||
<p><font size="2">Updated 12/27/2002 - <a href="support.htm">Tom Eastep</a></font>
|
||||
|
||||
<br>
|
||||
</p>
|
||||
</p>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
22
STABLE/documentation/sfindex.htm
Normal file
22
STABLE/documentation/sfindex.htm
Normal file
@ -0,0 +1,22 @@
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
|
||||
<title>Shoreline Firewall</title>
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
</head>
|
||||
|
||||
<frameset cols="242,*">
|
||||
<frame name="contents" target="main" src="Shorewall_sfindex_frame.htm">
|
||||
<frame name="main" src="sourceforge_index.htm" target="_self" scrolling="auto">
|
||||
<noframes>
|
||||
<body>
|
||||
|
||||
<p>This page uses frames, but your browser doesn't support them.</p>
|
||||
|
||||
</body>
|
||||
</noframes>
|
||||
</frameset>
|
||||
|
||||
</html>
|
@ -41,12 +41,13 @@
|
||||
href="http://www.experiencewashington.com">Washington State</a> .</li>
|
||||
<li>BA Mathematics from <a href="http://www.wsu.edu">Washington
|
||||
State University</a> 1967</li>
|
||||
<li>MA Mathematics from <a href="http://www.washington.edu">University
|
||||
of Washington</a> 1969</li>
|
||||
<li>MA Mathematics from <a
|
||||
href="http://www.washington.edu">University of Washington</a> 1969</li>
|
||||
<li>Burroughs Corporation (now <a
|
||||
href="http://www.unisys.com">Unisys</a> ) 1969 - 1980</li>
|
||||
<li><a href="http://www.tandem.com">Tandem Computers, Incorporated</a>
|
||||
(now part of the <a href="http://www.hp.com">The New HP</a>) 1980 - present</li>
|
||||
(now part of the <a href="http://www.hp.com">The New HP</a>) 1980 -
|
||||
present</li>
|
||||
<li>Married 1969 - no children.</li>
|
||||
|
||||
</ul>
|
||||
@ -67,25 +68,26 @@
|
||||
<p>Our current home network consists of: </p>
|
||||
|
||||
<ul>
|
||||
<li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB & 8GB IDE
|
||||
HDs and LNE100TX (Tulip) NIC - My personal Windows system. Also has
|
||||
RedHat 8.0 installed.</li>
|
||||
<li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB & 20GB
|
||||
IDE HDs and LNE100TX (Tulip) NIC - My personal Windows system. Also
|
||||
has <a href="http://www.mandrakelinux.com">Mandrake</a> 9.0 installed.</li>
|
||||
<li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip)
|
||||
NIC - My personal Linux System which runs Samba configured as a WINS
|
||||
server. This system also has <a href="http://www.vmware.com/">VMware</a>
|
||||
installed and can run both <a href="http://www.debian.org">Debian
|
||||
Woody</a> and <a href="http://www.suse.com">SuSE 8.1</a> in virtual
|
||||
machines.</li>
|
||||
<li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC - Mail
|
||||
(Postfix & Courier-IMAP), HTTP (Apache), FTP (Pure_ftpd), DNS server
|
||||
(Bind).</li>
|
||||
NIC - My personal Linux System which runs Samba configured as a WINS
|
||||
server. This system also has <a href="http://www.vmware.com/">VMware</a>
|
||||
installed and can run both <a href="http://www.debian.org">Debian
|
||||
Woody</a> and <a href="http://www.suse.com">SuSE 8.1</a> in virtual
|
||||
machines.</li>
|
||||
<li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC -
|
||||
Email (Postfix & Courier-IMAP), HTTP (Apache), FTP (Pure_ftpd), DNS
|
||||
server (Bind).</li>
|
||||
<li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI HD - 3 LNE100TX
|
||||
(Tulip) and 1 TLAN NICs - Firewall running Shorewall 1.3.11 and a DHCP
|
||||
server. Also runs PoPToP for road warrior access.</li>
|
||||
<li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - My wife's
|
||||
personal system.</li>
|
||||
<li>PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB HD, onboard EEPRO100
|
||||
and EEPRO100 in expansion base and LinkSys WAC11 - My main work system.</li>
|
||||
<li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - My
|
||||
wife's personal system.</li>
|
||||
<li>PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB HD, onboard
|
||||
EEPRO100 and EEPRO100 in expansion base and LinkSys WAC11 - My main
|
||||
work system.</li>
|
||||
|
||||
</ul>
|
||||
|
||||
@ -102,19 +104,21 @@ machines.</li>
|
||||
src="images/poweredbycompaqlog0.gif" hspace="3" width="83" height="25">
|
||||
</a><a href="http://www.pureftpd.org"><img border="0"
|
||||
src="images/pure.jpg" width="88" height="31">
|
||||
</a><font size="4"><a href="http://www.apache.org"><img border="0"
|
||||
src="images/apache_pb1.gif" hspace="2" width="170" height="20">
|
||||
</a> </font></p>
|
||||
</a><font size="4"><a href="http://www.apache.org"><img
|
||||
border="0" src="images/apache_pb1.gif" hspace="2" width="170"
|
||||
height="20">
|
||||
</a><a href="http://www.mandrakelinux.com"><img
|
||||
src="images/medbutton.png" alt="Powered by Mandrake" width="90"
|
||||
height="32">
|
||||
</a><img src="images/shorewall.jpg" alt="Protected by Shorewall"
|
||||
width="125" height="40" hspace="4">
|
||||
</font></p>
|
||||
|
||||
<p><font size="2">Last updated 11/24/2002 - </font><font size="2">
|
||||
<a href="support.htm">Tom Eastep</a></font> </p>
|
||||
<p><font size="2">Last updated 12/7/2002 - </font><font size="2"> <a
|
||||
href="support.htm">Tom Eastep</a></font> </p>
|
||||
<font face="Trebuchet MS"><a href="copyright.htm"><font
|
||||
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -1,113 +1,133 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
|
||||
<title>Shorewall Extension Scripts</title>
|
||||
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>Shorewall Extension Scripts</title>
|
||||
</head>
|
||||
<body>
|
||||
|
||||
<body>
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#400169" height="90">
|
||||
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#FFFFFF">Extension Scripts</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
</table>
|
||||
|
||||
<p>
|
||||
Extension scripts are user-provided
|
||||
scripts that are invoked at various points during firewall start, restart,
|
||||
stop and clear. The scripts are placed in /etc/shorewall and are processed
|
||||
using the Bourne shell "source" mechanism. The following scripts can be
|
||||
supplied:</p>
|
||||
<ul>
|
||||
<td width="100%">
|
||||
|
||||
<h1 align="center"><font color="#ffffff">Extension Scripts</font></h1>
|
||||
|
||||
</td>
|
||||
|
||||
</tr>
|
||||
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
|
||||
<p> Extension scripts are user-provided scripts that are invoked at various
|
||||
points during firewall start, restart, stop and clear. The scripts are
|
||||
placed in /etc/shorewall and are processed using the Bourne shell "source"
|
||||
mechanism. The following scripts can be supplied:</p>
|
||||
|
||||
<ul>
|
||||
<li>init -- invoked early in "shorewall start" and "shorewall restart"</li>
|
||||
<li>start -- invoked after the firewall has been started or restarted.</li>
|
||||
<li>stop -- invoked as a first step when the firewall is being stopped.</li>
|
||||
<li>stopped -- invoked after the firewall has been stopped.</li>
|
||||
<li>clear -- invoked after the firewall has been cleared.</li>
|
||||
<li>refresh -- invoked while the firewall is being refreshed but before the
|
||||
common and/or blacklst chains have been rebuilt.</li>
|
||||
<li>newnotsyn (added in version 1.3.6) -- invoked after the 'newnotsyn' chain
|
||||
has been created but before any rules have been added to it.</li>
|
||||
<li>refresh -- invoked while the firewall is being refreshed but before
|
||||
the common and/or blacklst chains have been rebuilt.</li>
|
||||
<li>newnotsyn (added in version 1.3.6) -- invoked after the 'newnotsyn'
|
||||
chain has been created but before any rules have been added to it.</li>
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
|
||||
<p>
|
||||
You can also supply a script with the same name as any of the filter
|
||||
chains in the firewall and the script will be invoked after the /etc/shorewall/rules
|
||||
file has been processed but before the /etc/shorewall/policy file has
|
||||
been processed.</p>
|
||||
|
||||
<p><u><b>If your version of Shorewall doesn't have the file that you want
|
||||
to use from the above list, you can simply create the file yourself.</b></u></p>
|
||||
<p> You can also supply a script with the same name as any of the filter
|
||||
chains in the firewall and the script will be invoked after the /etc/shorewall/rules
|
||||
file has been processed but before the /etc/shorewall/policy file has been
|
||||
processed.</p>
|
||||
|
||||
|
||||
|
||||
<p>The /etc/shorewall/common file receives special treatment. If this file is present, the rules that it
|
||||
defines will totally replace the default rules in the common chain. These
|
||||
default rules are contained in the file /etc/shorewall/common.def which
|
||||
may be used as a starting point for making your own customized file.</p>
|
||||
|
||||
<p>The /etc/shorewall/common file receives special treatment. If this file
|
||||
is present, the rules that it defines will totally replace the default
|
||||
rules in the common chain. These default rules are contained in the
|
||||
file /etc/shorewall/common.def which may be used as a starting point
|
||||
for making your own customized file.</p>
|
||||
|
||||
|
||||
|
||||
<p>
|
||||
Rather than running iptables directly, you should run it using the function
|
||||
run_iptables. Similarly, rather than running "ip" directly, you should
|
||||
use run_ip. These functions accept the same arguments as the underlying
|
||||
command but cause the firewall to be stopped if an error occurs during
|
||||
processing of the command.</p>
|
||||
|
||||
<p> Rather than running iptables directly, you should run it using the
|
||||
function run_iptables. Similarly, rather than running "ip" directly,
|
||||
you should use run_ip. These functions accept the same arguments as the
|
||||
underlying command but cause the firewall to be stopped if an error occurs
|
||||
during processing of the command.</p>
|
||||
|
||||
|
||||
|
||||
<p>
|
||||
If you decide to create /etc/shorewall/common it is a good idea to use the
|
||||
following technique</p>
|
||||
|
||||
<p> If you decide to create /etc/shorewall/common it is a good idea to
|
||||
use the following technique</p>
|
||||
|
||||
|
||||
|
||||
<p>
|
||||
/etc/shorewall/common:</p>
|
||||
|
||||
<p> /etc/shorewall/common:</p>
|
||||
|
||||
|
||||
|
||||
<blockquote>
|
||||
<pre>. /etc/shorewall/common.def
|
||||
<add your rules here></pre>
|
||||
|
||||
<blockquote>
|
||||
|
||||
<pre>. /etc/shorewall/common.def<br><add your rules here></pre>
|
||||
</blockquote>
|
||||
<p>If you need to supercede a rule in the released common.def file, you can add
|
||||
the superceding rule before the '.' command. Using this technique allows
|
||||
|
||||
<p>If you need to supercede a rule in the released common.def file, you can
|
||||
add the superceding rule before the '.' command. Using this technique allows
|
||||
you to add new rules while still getting the benefit of the latest common.def
|
||||
file.</p>
|
||||
|
||||
|
||||
|
||||
<p>Remember that /etc/shorewall/common defines rules
|
||||
that are only applied if the applicable policy is DROP or REJECT. These rules
|
||||
are NOT applied if the policy is ACCEPT or CONTINUE.</p>
|
||||
<p>Remember that /etc/shorewall/common defines rules that are only applied
|
||||
if the applicable policy is DROP or REJECT. These rules are NOT applied
|
||||
if the policy is ACCEPT or CONTINUE.</p>
|
||||
|
||||
|
||||
|
||||
<p>If you set ALLOWRELATED=No in shorewall.conf, then most ICMP packets will be
|
||||
rejected by the firewall. It is recommended with this setting that you create
|
||||
the file /etc/shorewall/icmpdef and in it place the following commands:</p>
|
||||
<p>If you set ALLOWRELATED=No in shorewall.conf, then most ICMP packets will
|
||||
be rejected by the firewall. It is recommended with this setting that you
|
||||
create the file /etc/shorewall/icmpdef and in it place the following commands:</p>
|
||||
|
||||
|
||||
|
||||
<pre> run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT
|
||||
run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT
|
||||
run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT
|
||||
run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT
|
||||
run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT
|
||||
</pre>
|
||||
<p align="left"><font size="2">Last updated
|
||||
8/22/2002 - <a href="support.htm">Tom
|
||||
Eastep</a></font></p>
|
||||
|
||||
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas M. Eastep</font></a></p>
|
||||
<pre> run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT<br></pre>
|
||||
|
||||
|
||||
<p align="left"><font size="2">Last updated 12/22/2002 - <a
|
||||
href="support.htm">Tom Eastep</a></font></p>
|
||||
|
||||
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas
|
||||
M. Eastep</font></a></p>
|
||||
<br>
|
||||
</body>
|
||||
|
||||
</html>
|
@ -12,6 +12,7 @@
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>Shorewall QuickStart Guide</title>
|
||||
|
||||
|
||||
<meta name="Microsoft Theme" content="none">
|
||||
</head>
|
||||
<body>
|
||||
@ -44,9 +45,10 @@ we must all first walk before we can run.</p>
|
||||
<ul>
|
||||
<li><a href="standalone.htm">Standalone</a> Linux System</li>
|
||||
<li><a href="two-interface.htm">Two-interface</a> Linux System
|
||||
acting as a firewall/router for a small local network</li>
|
||||
<li><a href="three-interface.htm">Three-interface</a> Linux System
|
||||
acting as a firewall/router for a small local network and a DMZ.</li>
|
||||
acting as a firewall/router for a small local network</li>
|
||||
<li><a href="three-interface.htm">Three-interface</a> Linux
|
||||
System acting as a firewall/router for a small local network and
|
||||
a DMZ.</li>
|
||||
|
||||
</ul>
|
||||
|
||||
@ -55,40 +57,48 @@ acting as a firewall/router for a small local network</li>
|
||||
|
||||
<p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> outlines
|
||||
the steps necessary to set up a firewall where <b>there are multiple
|
||||
public IP addresses involved or if you want to learn more about Shorewall
|
||||
than is explained in the single-address guides above.</b></p>
|
||||
public IP addresses involved or if you want to learn more about Shorewall
|
||||
than is explained in the single-address guides above.</b></p>
|
||||
|
||||
<ul>
|
||||
<li><a href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#Concepts">2.0 Shorewall
|
||||
Concepts</a></li>
|
||||
Concepts</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#Interfaces">3.0 Network
|
||||
Interfaces</a></li>
|
||||
Interfaces</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#Addressing">4.0 Addressing,
|
||||
Subnets and Routing</a>
|
||||
|
||||
<ul>
|
||||
<li><a href="shorewall_setup_guide.htm#Addresses">4.1 IP Addresses</a></li>
|
||||
<li><br>
|
||||
</li>
|
||||
<li><a href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#Addresses">4.1 IP
|
||||
Addresses</a></li>
|
||||
<li><a
|
||||
href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#ARP">4.4 Address Resolution
|
||||
Protocol</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#ARP">4.4 Address
|
||||
Resolution Protocol</a></li>
|
||||
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
<ul>
|
||||
<li><a href="shorewall_setup_guide.htm#RFC1918">4.5 RFC 1918</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#RFC1918">4.5 RFC
|
||||
1918</a></li>
|
||||
|
||||
|
||||
</ul>
|
||||
</li>
|
||||
<li><a href="shorewall_setup_guide.htm#Options">5.0 Setting up
|
||||
your Network</a>
|
||||
<li><a href="shorewall_setup_guide.htm#Options">5.0 Setting
|
||||
up your Network</a>
|
||||
|
||||
<ul>
|
||||
<li><a href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li>
|
||||
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
<ul>
|
||||
<li><a href="shorewall_setup_guide.htm#NonRouted">5.2 Non-routed</a>
|
||||
|
||||
@ -96,31 +106,34 @@ your Network</a>
|
||||
<ul>
|
||||
<li><a href="shorewall_setup_guide.htm#SNAT">5.2.1 SNAT</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#DNAT">5.2.2 DNAT</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3 Proxy
|
||||
ARP</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4 Static NAT</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3
|
||||
Proxy ARP</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4 Static
|
||||
NAT</a></li>
|
||||
|
||||
|
||||
</ul>
|
||||
</li>
|
||||
<li><a href="shorewall_setup_guide.htm#Rules">5.3 Rules</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4 Odds
|
||||
and Ends</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4
|
||||
Odds and Ends</a></li>
|
||||
|
||||
|
||||
</ul>
|
||||
</li>
|
||||
<li><a href="shorewall_setup_guide.htm#DNS">6.0 DNS</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#StartingAndStopping">7.0
|
||||
Starting and Stopping the Firewall</a></li>
|
||||
<li><a
|
||||
href="shorewall_setup_guide.htm#StartingAndStopping">7.0 Starting and
|
||||
Stopping the Firewall</a></li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h2><a name="Documentation"></a>Documentation Index</h2>
|
||||
|
||||
<p>The following documentation covers a variety of topics and <b>supplements
|
||||
the <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a> described
|
||||
above</b>. Please review the appropriate guide before trying to use this
|
||||
documentation directly.</p>
|
||||
the <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a>
|
||||
described above</b>. Please review the appropriate guide before trying
|
||||
to use this documentation directly.</p>
|
||||
|
||||
<ul>
|
||||
<li><a href="blacklisting_support.htm">Blacklisting</a>
|
||||
@ -129,10 +142,12 @@ and Ends</a></li>
|
||||
<li>Static Blacklisting using /etc/shorewall/blacklist</li>
|
||||
<li>Dynamic Blacklisting using /sbin/shorewall</li>
|
||||
|
||||
|
||||
</ul>
|
||||
</li>
|
||||
<li><a href="configuration_file_basics.htm">Common configuration
|
||||
file features</a>
|
||||
|
||||
<ul>
|
||||
<li>Comments in configuration files</li>
|
||||
<li>Line Continuation</li>
|
||||
@ -144,35 +159,46 @@ and Ends</a></li>
|
||||
<li>Complementing an IP address or Subnet</li>
|
||||
<li>Shorewall Configurations (making a test configuration)</li>
|
||||
<li>Using MAC Addresses in Shorewall</li>
|
||||
<li>Logging<br>
|
||||
</li>
|
||||
|
||||
|
||||
</ul>
|
||||
</li>
|
||||
<li><a href="Documentation.htm">Configuration File Reference Manual</a>
|
||||
<li><a href="Documentation.htm">Configuration File Reference
|
||||
Manual</a>
|
||||
|
||||
<ul>
|
||||
<li> <a href="Documentation.htm#Variables">params</a></li>
|
||||
<li><font color="#000099"><a href="Documentation.htm#Zones">zones</a></font></li>
|
||||
<li><font color="#000099"><a
|
||||
href="Documentation.htm#Zones">zones</a></font></li>
|
||||
<li><font color="#000099"><a
|
||||
href="Documentation.htm#Interfaces">interfaces</a></font></li>
|
||||
<li><font color="#000099"><a href="Documentation.htm#Hosts">hosts</a></font></li>
|
||||
<li><font color="#000099"><a
|
||||
href="Documentation.htm#Hosts">hosts</a></font></li>
|
||||
<li><font color="#000099"><a
|
||||
href="Documentation.htm#Policy">policy</a></font></li>
|
||||
<li><font color="#000099"><a href="Documentation.htm#Rules">rules</a></font></li>
|
||||
<li><font color="#000099"><a
|
||||
href="Documentation.htm#Rules">rules</a></font></li>
|
||||
<li><a href="Documentation.htm#Common">common</a></li>
|
||||
<li><font color="#000099"><a href="Documentation.htm#Masq">masq</a></font></li>
|
||||
<li><font color="#000099"><a
|
||||
href="Documentation.htm#Masq">masq</a></font></li>
|
||||
<li><font color="#000099"><a
|
||||
href="Documentation.htm#ProxyArp">proxyarp</a></font></li>
|
||||
<li><font color="#000099"><a href="Documentation.htm#NAT">nat</a></font></li>
|
||||
<li><font color="#000099"><a
|
||||
href="Documentation.htm#NAT">nat</a></font></li>
|
||||
<li><font color="#000099"><a
|
||||
href="Documentation.htm#Tunnels">tunnels</a></font></li>
|
||||
<li><a href="traffic_shaping.htm#tcrules">tcrules</a></li>
|
||||
<li><font color="#000099"><a href="Documentation.htm#Conf">shorewall.conf</a></font></li>
|
||||
<li><font color="#000099"><a
|
||||
href="Documentation.htm#Conf">shorewall.conf</a></font></li>
|
||||
<li><a href="Documentation.htm#modules">modules</a></li>
|
||||
<li><a href="Documentation.htm#TOS">tos</a> </li>
|
||||
<li><a href="Documentation.htm#Blacklist">blacklist</a></li>
|
||||
<li><a href="Documentation.htm#rfc1918">rfc1918</a></li>
|
||||
<li><a href="Documentation.htm#Routestopped">routestopped</a></li>
|
||||
|
||||
|
||||
</ul>
|
||||
</li>
|
||||
<li><a href="dhcp.htm">DHCP</a></li>
|
||||
@ -182,14 +208,19 @@ to extend Shorewall without modifying Shorewall code)</li>
|
||||
<li><a href="fallback.htm">Fallback/Uninstall</a></li>
|
||||
<li><a href="shorewall_firewall_structure.htm">Firewall Structure</a></li>
|
||||
<li><font color="#000099"><a href="kernel.htm">Kernel Configuration</a></font></li>
|
||||
<li><a href="myfiles.htm">My Configuration Files</a> (How I personally
|
||||
use Shorewall)</li>
|
||||
<li><a href="configuration_file_basics.htm#Levels">Logging</a><br>
|
||||
</li>
|
||||
<li><a href="myfiles.htm">My Configuration Files</a> (How
|
||||
I personally use Shorewall)</li>
|
||||
<li><a href="ping.html">'Ping' Management</a><br>
|
||||
</li>
|
||||
<li><a href="ports.htm">Port Information</a>
|
||||
|
||||
<ul>
|
||||
<li>Which applications use which ports</li>
|
||||
<li>Ports used by Trojans</li>
|
||||
|
||||
|
||||
</ul>
|
||||
</li>
|
||||
<li><a href="ProxyARP.htm">Proxy ARP</a></li>
|
||||
@ -206,26 +237,33 @@ to extend Shorewall without modifying Shorewall code)</li>
|
||||
<li><font color="#000099"><a href="NAT.htm">Static NAT</a></font></li>
|
||||
<li><a href="traffic_shaping.htm">Traffic Shaping/Control</a></li>
|
||||
<li>VPN
|
||||
|
||||
<ul>
|
||||
<li><a href="IPSEC.htm">IPSEC</a></li>
|
||||
<li><a href="IPIP.htm">GRE and IPIP</a></li>
|
||||
<li><a href="PPTP.htm">PPTP</a></li>
|
||||
<li><a href="VPN.htm">IPSEC/PPTP</a> from a system behind your
|
||||
firewall to a remote network.</li>
|
||||
<li><a href="VPN.htm">IPSEC/PPTP</a> from a system behind
|
||||
your firewall to a remote network.</li>
|
||||
|
||||
|
||||
</ul>
|
||||
</li>
|
||||
<li><a href="whitelisting_under_shorewall.htm">White List Creation</a></li>
|
||||
<li><a href="whitelisting_under_shorewall.htm">White List
|
||||
Creation</a></li>
|
||||
|
||||
</ul>
|
||||
|
||||
<p>If you use one of these guides and have a suggestion for improvement <a
|
||||
href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
|
||||
|
||||
<p><font size="2">Last modified 11/19/2002 - <a href="support.htm">Tom Eastep</a></font></p>
|
||||
<p><font size="2">Last modified 12/13/2002 - <a href="support.htm">Tom Eastep</a></font></p>
|
||||
|
||||
<p><a href="copyright.htm"><font size="2">Copyright 2002 Thomas M. Eastep</font></a><br>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
File diff suppressed because it is too large
Load Diff
454
STABLE/documentation/sourceforge_index.htm
Normal file
454
STABLE/documentation/sourceforge_index.htm
Normal file
@ -0,0 +1,454 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>Shoreline Firewall (Shorewall) 1.3</title>
|
||||
|
||||
|
||||
|
||||
|
||||
<base target="_self">
|
||||
</head>
|
||||
<body>
|
||||
|
||||
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="4"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber3"
|
||||
bgcolor="#4b017c">
|
||||
|
||||
<tbody>
|
||||
|
||||
<tr>
|
||||
|
||||
<td width="100%" height="90">
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<h1 align="center"> <font size="4"><i> <a
|
||||
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4"
|
||||
alt="Shorwall Logo" height="70" width="85" align="left"
|
||||
src="images/washington.jpg" border="0">
|
||||
|
||||
</a></i></font><font color="#ffffff">Shorewall 1.3 -
|
||||
<font size="4">"<i>iptables made easy"</i></font></font><a
|
||||
href="http://www.sf.net"> </a></h1>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<div align="center"><a href="/1.2/index.html" target="_top"><font
|
||||
color="#ffffff">Shorewall 1.2 Site here</font></a></div>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
</tbody>
|
||||
|
||||
</table>
|
||||
|
||||
|
||||
|
||||
<div align="center">
|
||||
|
||||
<center>
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber4">
|
||||
|
||||
<tbody>
|
||||
|
||||
<tr>
|
||||
|
||||
<td width="90%">
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<h2 align="left">What is it?</h2>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<p>The Shoreline Firewall, more commonly known as "Shorewall", is a
|
||||
<a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
|
||||
that can be used on a dedicated firewall system, a multi-function
|
||||
gateway/router/server or on a standalone GNU/Linux system.</p>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<p>This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of <a
|
||||
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU General
|
||||
Public License</a> as published by the Free Software Foundation.<br>
|
||||
|
||||
<br>
|
||||
|
||||
This program is distributed in the hope that
|
||||
it will be useful, but WITHOUT ANY WARRANTY; without
|
||||
even the implied warranty of MERCHANTABILITY or
|
||||
FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
|
||||
Public License for more details.<br>
|
||||
|
||||
<br>
|
||||
|
||||
You should have received a copy of the GNU
|
||||
General Public License along with this program;
|
||||
if not, write to the Free Software Foundation,
|
||||
Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<p><a href="copyright.htm">Copyright 2001, 2002 Thomas M. Eastep</a></p>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
|
||||
border="0" src="images/leaflogo.gif" width="49" height="36">
|
||||
|
||||
</a>Jacques Nilo and Eric Wolzak have
|
||||
a LEAF (router/firewall/gateway on a floppy, CD or compact
|
||||
flash) distribution called <i>Bering</i> that
|
||||
features Shorewall-1.3.10 and Kernel-2.4.18. You
|
||||
can find their work at: <a
|
||||
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
|
||||
<b>Congratulations to Jacques and Eric on the recent
|
||||
release of Bering 1.0 Final!!! <br>
|
||||
</b>
|
||||
|
||||
<h2>News</h2>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<p><b>12/20/2002 - Shorewall 1.3.12 Beta 3</b><b> </b><b><img
|
||||
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
|
||||
</b><br>
|
||||
</p>
|
||||
This version corrects a problem with Blacklist logging. In Beta 2, if BLACKLIST_LOG_LEVEL
|
||||
was set to anything but ULOG, the firewall would fail to start and "shorewall
|
||||
refresh" would also fail.<br>
|
||||
|
||||
<p> You may download the Beta from:<br>
|
||||
</p>
|
||||
<blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
|
||||
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
|
||||
target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
|
||||
</blockquote>
|
||||
|
||||
<p><b>12/20/2002 - Shorewall 1.3.12 Beta 2</b><b> </b><b><img
|
||||
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
|
||||
</b></p>
|
||||
The first public Beta version of Shorewall 1.3.12 is now available (Beta
|
||||
1 was made available only to a limited audience). <br>
|
||||
<br>
|
||||
Features include:<br>
|
||||
<br>
|
||||
|
||||
<ol>
|
||||
<li>"shorewall refresh" now reloads the traffic shaping rules
|
||||
(tcrules and tcstart).</li>
|
||||
<li>"shorewall debug [re]start" now turns off debugging after
|
||||
an error occurs. This places the point of the failure near the end of the
|
||||
trace rather than up in the middle of it.</li>
|
||||
<li>"shorewall [re]start" has been speeded up by more than 40%
|
||||
with my configuration. Your milage may vary.</li>
|
||||
<li>A "shorewall show classifiers" command has been added which
|
||||
shows the current packet classification filters. The output from this command
|
||||
is also added as a separate page in "shorewall monitor"</li>
|
||||
<li>ULOG (must be all caps) is now accepted as a valid syslog
|
||||
level and causes the subject packets to be logged using the ULOG target rather
|
||||
than the LOG target. This allows you to run ulogd (available from
|
||||
<a href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
|
||||
and log all Shorewall messages <a
|
||||
href="configuration_file_basics.htm#Levels">to a separate log file</a>.</li>
|
||||
<li>If you are running a kernel that has a FORWARD chain in the
|
||||
mangle table ("shorewall show mangle" will show you the chains in the mangle
|
||||
table), you can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf. This allows
|
||||
for marking input packets based on their destination even when you are using
|
||||
Masquerading or SNAT.</li>
|
||||
<li>I have cluttered up the /etc/shorewall directory with empty
|
||||
'init', 'start', 'stop' and 'stopped' files. If you already have a file with
|
||||
one of these names, don't worry -- the upgrade process won't overwrite your
|
||||
file.</li>
|
||||
|
||||
</ol>
|
||||
You may download the Beta from:<br>
|
||||
|
||||
<blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
|
||||
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
|
||||
target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
|
||||
</blockquote>
|
||||
|
||||
<p><b>12/12/2002 - Mandrake Multi Network Firewall <a
|
||||
href="http://www.mandrakesoft.com"><img src="images/logo2.png"
|
||||
alt="Powered by Mandrake Linux" width="150" height="23" border="0">
|
||||
</a></b></p>
|
||||
Shorewall is at the center of MandrakeSofts's recently-announced <a
|
||||
href="http://www.mandrakestore.com/mdkinc/index.php?PAGE=tab_0/menu_0.php&id_art=250&LANG_=en#GOTO_250">Multi
|
||||
Network Firewall (MNF)</a> product. Here is the <a
|
||||
href="http://www.mandrakesoft.com/company/press/pr?n=/pr/products/2403">press
|
||||
release</a>.<br>
|
||||
|
||||
<p><b>12/7/2002 - Shorewall Support for Mandrake 9.0</b><b>
|
||||
</b></p>
|
||||
|
||||
|
||||
<p>Two months and 3 days after I pre-ordered Mandrake 9.0, it was finally
|
||||
delivered. I have installed 9.0 on one of my systems and I am now in a
|
||||
position to support Shorewall users who run Mandrake 9.0.</p>
|
||||
|
||||
|
||||
<p><b>12/6/2002 - Debian 1.3.11a Packages Available</b><b></b><br>
|
||||
</p>
|
||||
|
||||
|
||||
<p>Apt-get sources listed at <a
|
||||
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html.</a></p>
|
||||
|
||||
|
||||
<p><b>12/3/2002 - Shorewall 1.3.11a</b><b>
|
||||
</b></p>
|
||||
|
||||
|
||||
<p>This is a bug-fix roll up which includes Roger Aich's fix for DNAT
|
||||
with excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11 users
|
||||
who don't need rules of this type need not upgrade to 1.3.11.</p>
|
||||
|
||||
|
||||
<p><b>11/25/2002 - Shorewall 1.3.11 Documentation in PDF Format</b><b>
|
||||
</b></p>
|
||||
|
||||
|
||||
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.11
|
||||
documenation. the PDF may be downloaded from</p>
|
||||
|
||||
|
||||
<p> <a
|
||||
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
|
||||
<a
|
||||
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
|
||||
</p>
|
||||
|
||||
|
||||
<p><b>11/24/2002 - Shorewall 1.3.11</b><b>
|
||||
</b></p>
|
||||
|
||||
|
||||
<p>In this version:</p>
|
||||
|
||||
|
||||
<ul>
|
||||
<li>A 'tcpflags' option has been added to entries
|
||||
in <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
|
||||
This option causes Shorewall to make a set of sanity check on TCP packet
|
||||
header flags.</li>
|
||||
<li>It is now allowed to use 'all' in the SOURCE or
|
||||
DEST column in a <a href="Documentation.htm#Rules">rule</a>. When
|
||||
used, 'all' must appear by itself (in may not be qualified) and it does
|
||||
not enable intra-zone traffic. For example, the rule <br>
|
||||
<br>
|
||||
ACCEPT loc all tcp 80<br>
|
||||
<br>
|
||||
does not enable http traffic from 'loc' to 'loc'.</li>
|
||||
<li>Shorewall's use of the 'echo' command is now compatible
|
||||
with bash clones such as ash and dash.</li>
|
||||
<li>fw->fw policies now generate a startup error.
|
||||
fw->fw rules generate a warning and are ignored</li>
|
||||
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
<p><b>11/14/2002 - Shorewall Documentation in PDF Format</b><b>
|
||||
</b></p>
|
||||
|
||||
|
||||
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10
|
||||
documenation. the PDF may be downloaded from</p>
|
||||
|
||||
|
||||
<p> <a
|
||||
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
|
||||
<a
|
||||
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
|
||||
</p>
|
||||
|
||||
|
||||
<p><b></b></p>
|
||||
|
||||
<ul>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<p><b></b><a href="News.htm">More News</a></p>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<h2> </h2>
|
||||
|
||||
|
||||
|
||||
<h1 align="center"><a href="http://www.sf.net"><img align="left"
|
||||
alt="SourceForge Logo"
|
||||
src="http://sourceforge.net/sflogo.php?group_id=22587&type=3">
|
||||
</a></h1>
|
||||
|
||||
|
||||
|
||||
<h4> </h4>
|
||||
|
||||
|
||||
|
||||
<h2>This site is hosted by the generous folks at <a
|
||||
href="http://www.sf.net">SourceForge.net</a> </h2>
|
||||
|
||||
|
||||
|
||||
<h2><a name="Donations"></a>Donations</h2>
|
||||
|
||||
</td>
|
||||
|
||||
<td width="88" bgcolor="#4b017c" valign="top"
|
||||
align="center"> <br>
|
||||
</td>
|
||||
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
</tbody>
|
||||
|
||||
</table>
|
||||
|
||||
</center>
|
||||
|
||||
</div>
|
||||
|
||||
|
||||
|
||||
<table border="0" cellpadding="5" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber2"
|
||||
bgcolor="#4b017c">
|
||||
|
||||
<tbody>
|
||||
|
||||
<tr>
|
||||
|
||||
<td width="100%" style="margin-top: 1px;">
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<p align="center"><a href="http://www.starlight.org"> <img
|
||||
border="4" src="images/newlog.gif" width="57" height="100" align="left"
|
||||
hspace="10">
|
||||
|
||||
</a></p>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<p align="center"><font size="4" color="#ffffff">Shorewall is free but
|
||||
if you try it and find it useful, please consider making a donation
|
||||
to <a
|
||||
href="http://www.starlight.org"><font color="#ffffff">Starlight Children's
|
||||
Foundation.</font></a> Thanks!</font></p>
|
||||
|
||||
</td>
|
||||
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
</tbody>
|
||||
|
||||
</table>
|
||||
|
||||
|
||||
|
||||
<p><font size="2">Updated 12/22/2002 - <a href="support.htm">Tom Eastep</a></font>
|
||||
|
||||
<br>
|
||||
</p>
|
||||
</body>
|
||||
</html>
|
@ -34,7 +34,7 @@
|
||||
|
||||
<p>This guide doesn't attempt to acquaint you with all of the features of
|
||||
Shorewall. It rather focuses on what is required to configure Shorewall
|
||||
in one of its most common configurations:</p>
|
||||
in one of its most common configurations:</p>
|
||||
|
||||
<ul>
|
||||
<li>Linux system</li>
|
||||
@ -44,10 +44,10 @@ in one of its most common configurations:</p>
|
||||
</ul>
|
||||
|
||||
<p>This guide assumes that you have the iproute/iproute2 package installed
|
||||
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell if
|
||||
this package is installed by the presence of an <b>ip</b> program on your
|
||||
firewall system. As root, you can use the 'which' command to check for
|
||||
this program:</p>
|
||||
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell
|
||||
if this package is installed by the presence of an <b>ip</b> program on
|
||||
your firewall system. As root, you can use the 'which' command to check
|
||||
for this program:</p>
|
||||
|
||||
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
|
||||
|
||||
@ -61,27 +61,29 @@ this program:</p>
|
||||
If you edit your configuration files on a Windows system, you must
|
||||
save them as Unix files if your editor supports that option or you must
|
||||
run them through dos2unix before trying to use them. Similarly, if you copy
|
||||
a configuration file from your Windows hard drive to a floppy disk, you
|
||||
must run dos2unix against the copy before using it with Shorewall.</p>
|
||||
a configuration file from your Windows hard drive to a floppy disk, you must
|
||||
run dos2unix against the copy before using it with Shorewall.</p>
|
||||
|
||||
<ul>
|
||||
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
|
||||
of dos2unix</a></li>
|
||||
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
|
||||
Version of dos2unix</a></li>
|
||||
Version of dos2unix</a></li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h2 align="left">Shorewall Concepts</h2>
|
||||
|
||||
<p>The configuration files for Shorewall are contained in the directory
|
||||
/etc/shorewall -- for simple setups, you only need to deal with a few of
|
||||
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
|
||||
alt="">
|
||||
The configuration files for Shorewall are contained in the directory
|
||||
/etc/shorewall -- for simple setups, you only need to deal with a few of
|
||||
these as described in this guide. After you have <a href="Install.htm">installed
|
||||
Shorewall</a>, download the <a
|
||||
Shorewall</a>, <b>download the <a
|
||||
href="/pub/shorewall/LATEST.samples/one-interface.tgz">one-interface sample</a>,
|
||||
un-tar it (tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewall
|
||||
(they will replace files with the same names that were placed in /etc/shorewall
|
||||
during Shorewall installation).</p>
|
||||
during Shorewall installation)</b>.</p>
|
||||
|
||||
<p>As each file is introduced, I suggest that you look through the actual
|
||||
file on your system -- each file contains detailed configuration instructions
|
||||
@ -115,8 +117,8 @@ un-tar it (tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewal
|
||||
in terms of zones.</p>
|
||||
|
||||
<ul>
|
||||
<li>You express your default policy for connections from one zone to
|
||||
another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
|
||||
<li>You express your default policy for connections from one zone
|
||||
to another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
|
||||
</a>file.</li>
|
||||
<li>You define exceptions to those default policies in the <a
|
||||
href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
|
||||
@ -124,14 +126,14 @@ un-tar it (tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewal
|
||||
</ul>
|
||||
|
||||
<p>For each connection request entering the firewall, the request is first
|
||||
checked against the /etc/shorewall/rules file. If no rule in that file matches
|
||||
the connection request then the first policy in /etc/shorewall/policy that
|
||||
matches the request is applied. If that policy is REJECT or DROP the
|
||||
request is first checked against the rules in /etc/shorewall/common (the
|
||||
samples provide that file for you).</p>
|
||||
checked against the /etc/shorewall/rules file. If no rule in that file
|
||||
matches the connection request then the first policy in /etc/shorewall/policy
|
||||
that matches the request is applied. If that policy is REJECT or DROP
|
||||
the request is first checked against the rules in /etc/shorewall/common
|
||||
(the samples provide that file for you).</p>
|
||||
|
||||
<p>The /etc/shorewall/policy file included with the one-interface sample has
|
||||
the following policies:</p>
|
||||
<p>The /etc/shorewall/policy file included with the one-interface sample
|
||||
has the following policies:</p>
|
||||
|
||||
<blockquote>
|
||||
<table border="1" cellpadding="2" style="border-collapse: collapse;"
|
||||
@ -177,9 +179,9 @@ the following policies:</p>
|
||||
<ol>
|
||||
<li>allow all connection requests from the firewall to the internet</li>
|
||||
<li>drop (ignore) all connection requests from the internet to your
|
||||
firewall</li>
|
||||
<li>reject all other connection requests (Shorewall requires this catchall
|
||||
policy).</li>
|
||||
firewall</li>
|
||||
<li>reject all other connection requests (Shorewall requires this
|
||||
catchall policy).</li>
|
||||
|
||||
</ol>
|
||||
|
||||
@ -201,10 +203,10 @@ a <b>ppp0</b>. If you connect via a regular modem, your External Interface
|
||||
<p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
|
||||
height="13">
|
||||
The Shorewall one-interface sample configuration assumes that the
|
||||
external interface is <b>eth0</b>. If your configuration is different, you
|
||||
will have to modify the sample /etc/shorewall/interfaces file accordingly.
|
||||
While you are there, you may wish to review the list of options that are
|
||||
specified for the interface. Some hints:</p>
|
||||
external interface is <b>eth0</b>. If your configuration is different,
|
||||
you will have to modify the sample /etc/shorewall/interfaces file accordingly.
|
||||
While you are there, you may wish to review the list of options that are
|
||||
specified for the interface. Some hints:</p>
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
@ -239,9 +241,9 @@ specified for the interface. Some hints:</p>
|
||||
|
||||
<p align="left"><img border="0" src="images/BD21298_.gif" align="left"
|
||||
width="13" height="13">
|
||||
Before starting Shorewall, you should look at the IP address of
|
||||
your external interface and if it is one of the above ranges, you should
|
||||
remove the 'norfc1918' option from the entry in /etc/shorewall/interfaces.</p>
|
||||
Before starting Shorewall, you should look at the IP address
|
||||
of your external interface and if it is one of the above ranges, you
|
||||
should remove the 'norfc1918' option from the entry in /etc/shorewall/interfaces.</p>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
@ -283,8 +285,8 @@ specified for the interface. Some hints:</p>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<p align="left">Example - You want to run a Web Server and a POP3 Server on
|
||||
your firewall system:</p>
|
||||
<p align="left">Example - You want to run a Web Server and a POP3 Server
|
||||
on your firewall system:</p>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
@ -326,8 +328,8 @@ your firewall system:</p>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<p align="left">If you don't know what port and protocol a particular application
|
||||
uses, see <a href="ports.htm">here</a>.</p>
|
||||
<p align="left">If you don't know what port and protocol a particular
|
||||
application uses, see <a href="ports.htm">here</a>.</p>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
@ -408,15 +410,15 @@ of your firewall, you can enable Shorewall startup by removing the file /etc/sho
|
||||
<div align="left">
|
||||
<p align="left"><b>WARNING: </b>If you are connected to your firewall from
|
||||
the internet, do not issue a "shorewall stop" command unless you have
|
||||
added an entry for the IP address that you are connected from to <a
|
||||
added an entry for the IP address that you are connected from to <a
|
||||
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
|
||||
Also, I don't recommend using "shorewall restart"; it is better to create
|
||||
an <i><a href="configuration_file_basics.htm#Configs">alternate configuration</a></i>
|
||||
and test it using the <a href="starting_and_stopping_shorewall.htm">"shorewall
|
||||
try" command</a>.</p>
|
||||
try" command</a>.</p>
|
||||
</div>
|
||||
|
||||
<p align="left"><font size="2">Last updated 11/21/2002 - <a
|
||||
<p align="left"><font size="2">Last updated 12/9/2002 - <a
|
||||
href="support.htm">Tom Eastep</a></font></p>
|
||||
|
||||
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas
|
||||
@ -425,5 +427,6 @@ try" command</a>.</p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -2,16 +2,22 @@
|
||||
<html>
|
||||
<head>
|
||||
|
||||
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
<title>Support</title>
|
||||
|
||||
|
||||
|
||||
<meta name="Microsoft Theme" content="none">
|
||||
</head>
|
||||
<body>
|
||||
@ -23,63 +29,94 @@
|
||||
<tr>
|
||||
<td width="100%">
|
||||
|
||||
<h1 align="center"><font color="#ffffff">Shorewall Support</font></h1>
|
||||
|
||||
<h1 align="center"><font color="#ffffff">Shorewall Support<img
|
||||
src="images/obrasinf.gif" alt="" width="90" height="90" align="middle">
|
||||
</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<h3 align="left"> <span style="font-weight: 400;"><i> "<font size="3">It
|
||||
is easier to post a problem than to use your own brain" </font>-- </i> <font
|
||||
size="2">Wietse Venema (creator of <a href="http://www.postfix.org">Postfix</a>)</font></span></h3>
|
||||
<p> <br>
|
||||
<span style="font-weight: 400;"></span></p>
|
||||
|
||||
<p align="left"> <i>"Any sane computer will tell you how it works -- you
|
||||
just have to ask it the right questions" </i>-- <font size="2">Tom Eastep</font></p>
|
||||
<h2><big><font color="#ff0000"><b>I don't look at problems sent to me directly
|
||||
but I try to spend some amount of time each day responding to problems
|
||||
posted on the Shorewall mailing list.</b></font></big></h2>
|
||||
|
||||
<blockquote> </blockquote>
|
||||
<h2 align="center"><big><font color="#ff0000"><b>-Tom</b></font></big></h2>
|
||||
|
||||
<p><span style="font-weight: 400;"><i>"It irks me when people believe that
|
||||
free software comes at no cost. The cost is incredibly high."</i>
|
||||
- <font size="2"> Wietse Venem<br>
|
||||
</font></span></p>
|
||||
<h2>Before Reporting a Problem</h2>
|
||||
|
||||
<h3 align="left">Before Reporting a Problem</h3>
|
||||
<b><i>"Reading the documentation fully is a prerequisite to getting help
|
||||
for your particular situation. I know it's harsh but you will have to get
|
||||
so far on your own before you can get reasonable help from a list full of
|
||||
busy people. A mailing list is not a tool to speed up your day by being
|
||||
spoon fed</i></b><i><b>".</b> </i>-- Simon White<br>
|
||||
<h3>T<b>here are a number of sources for problem solution information. Please
|
||||
try these before you post.</b></h3>
|
||||
|
||||
<p>There are also a number of sources for problem solution information.</p>
|
||||
<h3> </h3>
|
||||
|
||||
<h3> </h3>
|
||||
|
||||
<ul>
|
||||
<li>The <a href="FAQ.htm">FAQ</a> has solutions to common problems.</li>
|
||||
<li>The <a href="troubleshoot.htm">Troubleshooting</a> Information
|
||||
contains a number of tips to help you solve common problems.</li>
|
||||
<li>The <a href="errata.htm"> Errata</a> has links to download
|
||||
updated components.</li>
|
||||
<li>The Mailing List Archives search facility can locate posts
|
||||
about similar problems:</li>
|
||||
<li>
|
||||
<h3><b>The <a href="FAQ.htm">FAQ</a> has solutions to more than 20 common
|
||||
problems.</b></h3>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h4>Mailing List Archive Search</h4>
|
||||
<h3> </h3>
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
<h3><b>The <a href="troubleshoot.htm">Troubleshooting</a> Information
|
||||
contains a number of tips to help you solve common problems.</b></h3>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h3> </h3>
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
<h3><b>The <a href="errata.htm"> Errata</a> has links to download
|
||||
updated components.</b></h3>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h3> </h3>
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
<h3><b>The Mailing List Archives search facility can locate posts
|
||||
about similar problems:</b></h3>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h2> </h2>
|
||||
|
||||
<h2>Mailing List Archive Search</h2>
|
||||
|
||||
<form method="post" action="http://www.shorewall.net/cgi-bin/htsearch">
|
||||
|
||||
<p> <font size="-1"> Match:
|
||||
|
||||
<select name="method">
|
||||
<option value="and">All </option>
|
||||
<option value="or">Any </option>
|
||||
<option value="boolean">Boolean </option>
|
||||
</select>
|
||||
Format:
|
||||
|
||||
<select name="format">
|
||||
<option value="builtin-long">Long </option>
|
||||
<option value="builtin-short">Short </option>
|
||||
</select>
|
||||
Sort by:
|
||||
|
||||
<select name="sort">
|
||||
<option value="score">Score </option>
|
||||
<option value="time">Time </option>
|
||||
@ -88,82 +125,163 @@ about similar problems:</li>
|
||||
<option value="revtime">Reverse Time </option>
|
||||
<option value="revtitle">Reverse Title </option>
|
||||
</select>
|
||||
</font> <input type="hidden" name="config" value="htdig"> <input
|
||||
type="hidden" name="restrict"
|
||||
</font> <input type="hidden" name="config"
|
||||
value="htdig"> <input type="hidden" name="restrict"
|
||||
value="[http://www.shorewall.net/pipermail/.*]"> <input type="hidden"
|
||||
name="exclude" value=""> <br>
|
||||
Search: <input type="text" size="30" name="words" value=""> <input
|
||||
type="submit" value="Search"> </p>
|
||||
Search: <input type="text" size="30" name="words"
|
||||
value=""> <input type="submit" value="Search"> </p>
|
||||
</form>
|
||||
|
||||
<h3 align="left">Problem Reporting Guideline</h3>
|
||||
<h2>Problem Reporting Guidelines</h2>
|
||||
<i>"Let me see if I can translate your message into a real-world example.
|
||||
It would be like saying that you have three rooms at home, and when you
|
||||
walk into one of the rooms, you detect this strange smell. Can anyone tell
|
||||
you what that strange smell is?<br>
|
||||
<br>
|
||||
Now, all of us could do some wonderful guessing as to the smell and even
|
||||
what's causing it. You would be absolutely amazed at the range and variety
|
||||
of smells we could come up with. Even more amazing is that all of the explanations
|
||||
for the smells would be completely plausible."<br>
|
||||
</i><br>
|
||||
|
||||
<div align="center"> - Russell Mosemann<br>
|
||||
</div>
|
||||
<br>
|
||||
|
||||
<h3> </h3>
|
||||
|
||||
<ul>
|
||||
<li>When reporting a problem, give as much information as you
|
||||
can. Reports that say "I tried XYZ and it didn't work" are not at all
|
||||
helpful.</li>
|
||||
<li>Please don't describe your environment and then ask us to
|
||||
send you custom configuration files. We're here to answer your
|
||||
questions but we can't do your job for you.</li>
|
||||
<li>Do you see any "Shorewall" messages in /var/log/messages
|
||||
when you exercise the function that is giving you problems?</li>
|
||||
<li>Have you looked at the packet flow with a tool like tcpdump
|
||||
to try to understand what is going on?</li>
|
||||
<li>Have you tried using the diagnostic capabilities of the
|
||||
application that isn't working? For example, if "ssh" isn't able
|
||||
to connect, using the "-v" option gives you a lot of valuable diagnostic
|
||||
information.</li>
|
||||
<li>Please include any of the Shorewall configuration files (especially
|
||||
the /etc/shorewall/hosts file if you have modified that file) that
|
||||
you think are relevant. If an error occurs when you try to "shorewall
|
||||
start", include a trace (See the <a href="troubleshoot.htm">Troubleshooting</a>
|
||||
section for instructions).</li>
|
||||
<li>The list server limits posts to 120kb so don't post GIFs of
|
||||
your network layout, etc to the Mailing List -- your post will
|
||||
be rejected.</li>
|
||||
<li>
|
||||
<h3><b>When reporting a problem, give as much information as you can.
|
||||
Reports that say "I tried XYZ and it didn't work" are not at all helpful.</b></h3>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h3>Where to Send your Problem Report or to Ask for Help</h3>
|
||||
<b>If you run Shorewall on Mandrake 9.0 </b>-- send your problem
|
||||
reports and questions to MandrakeSoft. I ordered a Mandrake 9.0 boxed set
|
||||
on October 3, 2002; MandrakeSoft issued a charge against my credit card on
|
||||
October 4, 2002 (they are very effecient at that part of the order process)
|
||||
and I haven't heard a word from them since (although their news letters
|
||||
boast that 9.0 boxed sets have been shipping for the last two weeks). If
|
||||
they can't fill my 9.0 order within <u>6 weeks after they have billed my
|
||||
credit card</u> then I refuse to spend my free time supporting their product
|
||||
for them.<br>
|
||||
<br>
|
||||
<b>Mandrake Update - 11/26/2002 - </b>Mandrake have informed me that "Your
|
||||
order is part of a batch of which was not correctly sent to our shipping
|
||||
handler, and so unfortunately was not processed". They further assure me
|
||||
that these mishandled orders will begin shipping on 12/2/2002.<br>
|
||||
<h3> </h3>
|
||||
|
||||
<h4>If you run Shorewall under Bering -- <span style="font-weight: 400;">please
|
||||
post your question or problem to the <a
|
||||
href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing list</a>.</span></h4>
|
||||
<ul>
|
||||
<li>
|
||||
<h3><b>Please don't describe your environment and then ask us to send
|
||||
you custom configuration files. We're here to answer your
|
||||
questions but we can't do your job for you.</b></h3>
|
||||
</li>
|
||||
|
||||
<p>Otherwise, please post your question or problem to the <a
|
||||
href="mailto:shorewall-users@shorewall.net">Shorewall users mailing list</a>;
|
||||
there are lots of folks there who are willing to help you. Your question/problem
|
||||
description and their responses will be placed in the mailing list archives
|
||||
to help people who have a similar question or problem in the future.</p>
|
||||
</ul>
|
||||
|
||||
<p>I don't look at problems sent to me directly but I try to spend some amount
|
||||
of time each day responding to problems posted on the mailing list.</p>
|
||||
<h3> </h3>
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
<h3><b>Do you see any "Shorewall" messages in /var/log/messages
|
||||
when you exercise the function that is giving you problems?</b></h3>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h3> </h3>
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
<h3><b>Have you looked at the packet flow with a tool like tcpdump
|
||||
to try to understand what is going on?</b></h3>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h3> </h3>
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
<h3><b>Have you tried using the diagnostic capabilities of the
|
||||
application that isn't working? For example, if "ssh" isn't able
|
||||
to connect, using the "-v" option gives you a lot of valuable diagnostic
|
||||
information.</b></h3>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h3> </h3>
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
<h3><b>Please include any of the Shorewall configuration files (especially
|
||||
the /etc/shorewall/hosts file if you have modified that file)
|
||||
that you think are relevant.</b></h3>
|
||||
</li>
|
||||
<li>
|
||||
<h3><b>If an error occurs when you try to "shorewall start", include
|
||||
a trace (See the <a href="troubleshoot.htm">Troubleshooting</a> section
|
||||
for instructions).</b></h3>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h3> </h3>
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
<h3><b>The list server limits posts to 120kb so don't post GIFs of
|
||||
your network layout, etc to the Mailing List -- your post
|
||||
will be rejected.</b></h3>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h3> </h3>
|
||||
|
||||
<h2>Please post in plain text</h2>
|
||||
<blockquote>
|
||||
<h3><b> While the list server here at shorewall.net accepts and distributes
|
||||
HTML posts, a growing number of MTAs serving list subscribers are rejecting
|
||||
this HTML list traffic. At least one MTA has gone so far as to blacklist
|
||||
shorewall.net "for continuous abuse"!!</b></h3>
|
||||
<h3><b> I think that blocking all HTML is a rather draconian way to control
|
||||
spam and that the unltimate loser here is not the spammers but the list subscribers
|
||||
whose MTAs are bouncing all shorewall.net mail. Nevertheless, all of you can
|
||||
help by restricting your list posts to plain text.</b></h3>
|
||||
<h3><b> And as a bonus, subscribers who use email clients like pine and
|
||||
mutt will be able to read your plain text posts whereas they are most likely
|
||||
simply ignoring your HTML posts.</b></h3>
|
||||
<h3><b> A final bonus for the use of HTML is that it cuts down the size
|
||||
of messages by a large percentage -- that is important when the same message
|
||||
must be sent 500 times over the slow DSL line connecting the list server
|
||||
to the internet.</b> </h3>
|
||||
</blockquote>
|
||||
<h2>Where to Send your Problem Report or to Ask for Help</h2>
|
||||
|
||||
<h3></h3>
|
||||
|
||||
<blockquote>
|
||||
<h4>If you run Shorewall under Bering -- <span
|
||||
style="font-weight: 400;">please post your question or problem
|
||||
to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing
|
||||
list</a>.</span></h4>
|
||||
|
||||
<p>Otherwise, please post your question or problem to the <a
|
||||
href="mailto:shorewall-users@shorewall.net">Shorewall users mailing list.</a></p>
|
||||
</blockquote>
|
||||
|
||||
|
||||
|
||||
<p align="center"><big><font color="#ff0000"><b></b></font></big></p>
|
||||
|
||||
<p align="center"><a href="mailto:teastep@shorewall.net">-Tom</a></p>
|
||||
|
||||
<p>To Subscribe to the mailing list go to <a
|
||||
href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a>
|
||||
.</p>
|
||||
|
||||
<p align="left"><font size="2">Last Updated 12/2/2002 - Tom Eastep</font></p>
|
||||
|
||||
<p align="left"><font size="2">Last Updated 12/27/2002 - Tom Eastep</font></p>
|
||||
|
||||
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
|
||||
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -39,11 +39,12 @@
|
||||
in one of its more popular configurations:</p>
|
||||
|
||||
<ul>
|
||||
<li>Linux system used as a firewall/router for a small local network.</li>
|
||||
<li>Linux system used as a firewall/router for a small local
|
||||
network.</li>
|
||||
<li>Single public IP address.</li>
|
||||
<li>DMZ connected to a separate ethernet interface.</li>
|
||||
<li>Connection through DSL, Cable Modem, ISDN, Frame Relay, dial-up,
|
||||
...</li>
|
||||
<li>Connection through DSL, Cable Modem, ISDN, Frame Relay,
|
||||
dial-up, ...</li>
|
||||
|
||||
</ul>
|
||||
|
||||
@ -55,43 +56,47 @@
|
||||
|
||||
<p>This guide assumes that you have the iproute/iproute2 package installed
|
||||
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell
|
||||
if this package is installed by the presence of an <b>ip</b> program on
|
||||
your firewall system. As root, you can use the 'which' command to check
|
||||
for this program:</p>
|
||||
if this package is installed by the presence of an <b>ip</b> program
|
||||
on your firewall system. As root, you can use the 'which' command to
|
||||
check for this program:</p>
|
||||
|
||||
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
|
||||
|
||||
<p>I recommend that you first read through the guide to familiarize yourself
|
||||
with what's involved then go back through it again making your configuration
|
||||
changes. Points at which configuration changes are recommended are flagged
|
||||
with <img border="0" src="images/BD21298_.gif" width="13" height="13">
|
||||
changes. Points at which configuration changes are recommended are
|
||||
flagged with <img border="0" src="images/BD21298_.gif" width="13"
|
||||
height="13">
|
||||
</p>
|
||||
|
||||
<p><img border="0" src="images/j0213519.gif" width="60" height="60">
|
||||
If you edit your configuration files on a Windows system, you
|
||||
must save them as Unix files if your editor supports that option or you
|
||||
must run them through dos2unix before trying to use them. Similarly, if
|
||||
you copy a configuration file from your Windows hard drive to a floppy disk,
|
||||
you must run dos2unix against the copy before using it with Shorewall.</p>
|
||||
If you edit your configuration files on a Windows system,
|
||||
you must save them as Unix files if your editor supports that option
|
||||
or you must run them through dos2unix before trying to use them. Similarly,
|
||||
if you copy a configuration file from your Windows hard drive to a floppy
|
||||
disk, you must run dos2unix against the copy before using it with Shorewall.</p>
|
||||
|
||||
<ul>
|
||||
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
|
||||
of dos2unix</a></li>
|
||||
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
|
||||
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows
|
||||
Version of dos2unix</a></li>
|
||||
<li><a
|
||||
href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version
|
||||
of dos2unix</a></li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h2 align="left">Shorewall Concepts</h2>
|
||||
|
||||
<p>The configuration files for Shorewall are contained in the directory
|
||||
/etc/shorewall -- for simple setups, you will only need to deal with a few
|
||||
of these as described in this guide. After you have <a
|
||||
href="Install.htm">installed Shorewall</a>, download the <a
|
||||
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
|
||||
alt="">
|
||||
The configuration files for Shorewall are contained in the directory
|
||||
/etc/shorewall -- for simple setups, you will only need to deal with a
|
||||
few of these as described in this guide. After you have <a
|
||||
href="Install.htm">installed Shorewall</a>, <b>download the <a
|
||||
href="/pub/shorewall/LATEST.samples/three-interfaces.tgz">three-interface
|
||||
sample</a>, un-tar it (tar -zxvf three-interfaces.tgz) and and copy the
|
||||
files to /etc/shorewall (the files will replace files with the same names
|
||||
that were placed in /etc/shorewall when Shorewall was installed).</p>
|
||||
sample</a>, un-tar it (tar -zxvf three-interfaces.tgz) and and copy
|
||||
the files to /etc/shorewall (the files will replace files with the same
|
||||
names that were placed in /etc/shorewall when Shorewall was installed)</b>.</p>
|
||||
|
||||
<p>As each file is introduced, I suggest that you look through the actual
|
||||
file on your system -- each file contains detailed configuration instructions
|
||||
@ -99,7 +104,7 @@ of these as described in this guide. After you have <a
|
||||
|
||||
<p>Shorewall views the network where it is running as being composed of a
|
||||
set of <i>zones.</i> In the three-interface sample configuration, the
|
||||
following zone names are used:</p>
|
||||
following zone names are used:</p>
|
||||
|
||||
<table border="0" style="border-collapse: collapse;" cellpadding="3"
|
||||
cellspacing="0" id="AutoNumber2">
|
||||
@ -133,11 +138,11 @@ following zone names are used:</p>
|
||||
in terms of zones.</p>
|
||||
|
||||
<ul>
|
||||
<li>You express your default policy for connections from one zone
|
||||
to another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
|
||||
<li>You express your default policy for connections from one
|
||||
zone to another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
|
||||
</a>file.</li>
|
||||
<li>You define exceptions to those default policies in the <a
|
||||
href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
|
||||
<li>You define exceptions to those default policies in the
|
||||
<a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
|
||||
|
||||
</ul>
|
||||
|
||||
@ -146,7 +151,7 @@ following zone names are used:</p>
|
||||
matches the connection request then the first policy in /etc/shorewall/policy
|
||||
that matches the request is applied. If that policy is REJECT or DROP
|
||||
the request is first checked against the rules in /etc/shorewall/common
|
||||
(the samples provide that file for you).</p>
|
||||
(the samples provide that file for you).</p>
|
||||
|
||||
<p>The /etc/shorewall/policy file included with the three-interface sample
|
||||
has the following policies:</p>
|
||||
@ -190,8 +195,8 @@ following zone names are used:</p>
|
||||
|
||||
<blockquote>
|
||||
<p>In the three-interface sample, the line below is included but commented
|
||||
out. If you want your firewall system to have full access to servers on
|
||||
the internet, uncomment that line.</p>
|
||||
out. If you want your firewall system to have full access to servers
|
||||
on the internet, uncomment that line.</p>
|
||||
|
||||
<table border="1" cellpadding="2" style="border-collapse: collapse;"
|
||||
id="AutoNumber3">
|
||||
@ -218,19 +223,19 @@ following zone names are used:</p>
|
||||
<p>The above policy will:</p>
|
||||
|
||||
<ol>
|
||||
<li>allow all connection requests from your local network to the
|
||||
internet</li>
|
||||
<li>drop (ignore) all connection requests from the internet to
|
||||
your firewall or local network</li>
|
||||
<li>allow all connection requests from your local network to
|
||||
the internet</li>
|
||||
<li>drop (ignore) all connection requests from the internet
|
||||
to your firewall or local network</li>
|
||||
<li>optionally accept all connection requests from the firewall
|
||||
to the internet (if you uncomment the additional policy)</li>
|
||||
to the internet (if you uncomment the additional policy)</li>
|
||||
<li>reject all other connection requests.</li>
|
||||
|
||||
</ol>
|
||||
|
||||
<p><img border="0" src="images/BD21298_1.gif" width="13" height="13">
|
||||
At this point, edit your /etc/shorewall/policy file and make
|
||||
any changes that you wish.</p>
|
||||
any changes that you wish.</p>
|
||||
|
||||
<h2 align="left">Network Interfaces</h2>
|
||||
|
||||
@ -241,12 +246,12 @@ any changes that you wish.</p>
|
||||
<p align="left">The firewall has three network interfaces. Where Internet
|
||||
connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
|
||||
will be the ethernet adapter that is connected to that "Modem" (e.g.,
|
||||
<b>eth0</b>) <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint
|
||||
<u>P</u>rotocol over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint
|
||||
<u>T</u>unneling <u>P</u>rotocol </i>(PPTP) in which case the External Interface
|
||||
will be a ppp interface (e.g., <b>ppp0</b>). If you connect via a regular
|
||||
modem, your External Interface will also be <b>ppp0</b>. If you connect
|
||||
using ISDN, you external interface will be <b>ippp0.</b></p>
|
||||
<b>eth0</b>) <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint
|
||||
<u>P</u>rotocol over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint
|
||||
<u>T</u>unneling <u>P</u>rotocol </i>(PPTP) in which case the External
|
||||
Interface will be a ppp interface (e.g., <b>ppp0</b>). If you connect via
|
||||
a regular modem, your External Interface will also be <b>ppp0</b>. If you
|
||||
connect using ISDN, you external interface will be <b>ippp0.</b></p>
|
||||
|
||||
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
|
||||
height="13">
|
||||
@ -255,32 +260,32 @@ using ISDN, you external interface will be <b>ippp0.</b></p>
|
||||
href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf.</a></p>
|
||||
|
||||
<p align="left">Your <i>Local Interface</i> will be an ethernet adapter (eth0,
|
||||
eth1 or eth2) and will be connected to a hub or switch. Your local computers
|
||||
will be connected to the same switch (note: If you have only a single
|
||||
local system, you can connect the firewall directly to the computer using
|
||||
a <i>cross-over </i> cable).</p>
|
||||
eth1 or eth2) and will be connected to a hub or switch. Your local
|
||||
computers will be connected to the same switch (note: If you have only
|
||||
a single local system, you can connect the firewall directly to the
|
||||
computer using a <i>cross-over </i> cable).</p>
|
||||
|
||||
<p align="left">Your <i>DMZ Interface</i> will also be an ethernet adapter
|
||||
(eth0, eth1 or eth2) and will be connected to a hub or switch. Your DMZ
|
||||
computers will be connected to the same switch (note: If you have only
|
||||
a single DMZ system, you can connect the firewall directly to the computer
|
||||
using a <i>cross-over </i> cable).</p>
|
||||
(eth0, eth1 or eth2) and will be connected to a hub or switch. Your
|
||||
DMZ computers will be connected to the same switch (note: If you have
|
||||
only a single DMZ system, you can connect the firewall directly to the
|
||||
computer using a <i>cross-over </i> cable).</p>
|
||||
|
||||
<p align="left"><u><b> <img border="0" src="images/j0213519.gif"
|
||||
width="60" height="60">
|
||||
</b></u>Do not connect more than one interface to the same hub or
|
||||
switch (even for testing). It won't work the way that you expect it to
|
||||
and you will end up confused and believing that Shorewall doesn't work
|
||||
at all.</p>
|
||||
</b></u>Do not connect more than one interface to the same hub
|
||||
or switch (even for testing). It won't work the way that you expect it
|
||||
to and you will end up confused and believing that Shorewall doesn't
|
||||
work at all.</p>
|
||||
|
||||
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
|
||||
height="13">
|
||||
The Shorewall three-interface sample configuration assumes that
|
||||
the external interface is <b>eth0, </b>the local interface is <b>eth1
|
||||
</b>and the DMZ interface is <b> eth2</b>. If your configuration is different,
|
||||
The Shorewall three-interface sample configuration assumes
|
||||
that the external interface is <b>eth0, </b>the local interface is <b>eth1
|
||||
</b>and the DMZ interface is <b> eth2</b>. If your configuration is different,
|
||||
you will have to modify the sample /etc/shorewall/interfaces file accordingly.
|
||||
While you are there, you may wish to review the list of options that are
|
||||
specified for the interfaces. Some hints:</p>
|
||||
While you are there, you may wish to review the list of options that
|
||||
are specified for the interfaces. Some hints:</p>
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
@ -289,8 +294,8 @@ at all.</p>
|
||||
</li>
|
||||
<li>
|
||||
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>
|
||||
or if you have a static IP address, you can remove "dhcp" from the option
|
||||
list. </p>
|
||||
or if you have a static IP address, you can remove "dhcp" from the
|
||||
option list. </p>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
@ -298,17 +303,18 @@ at all.</p>
|
||||
<h2 align="left">IP Addresses</h2>
|
||||
|
||||
<p align="left">Before going further, we should say a few words about Internet
|
||||
Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you a single
|
||||
<i> Public</i> IP address. This address may be assigned via the<i> Dynamic
|
||||
Host Configuration Protocol</i> (DHCP) or as part of establishing your
|
||||
connection when you dial in (standard modem) or establish your PPP connection.
|
||||
In rare cases, your ISP may assign you a<i> static</i> IP address; that
|
||||
means that you configure your firewall's external interface to use that
|
||||
address permanently.<i> </i>Regardless of how the address is assigned,
|
||||
it will be shared by all of your systems when you access the Internet.
|
||||
You will have to assign your own addresses for your internal network (the
|
||||
local and DMZ Interfaces on your firewall plus your other computers). RFC
|
||||
1918 reserves several <i>Private </i>IP address ranges for this purpose:</p>
|
||||
Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you
|
||||
a single <i> Public</i> IP address. This address may be assigned via
|
||||
the<i> Dynamic Host Configuration Protocol</i> (DHCP) or as part of
|
||||
establishing your connection when you dial in (standard modem) or establish
|
||||
your PPP connection. In rare cases, your ISP may assign you a<i> static</i>
|
||||
IP address; that means that you configure your firewall's external interface
|
||||
to use that address permanently.<i> </i>Regardless of how the address is
|
||||
assigned, it will be shared by all of your systems when you access the
|
||||
Internet. You will have to assign your own addresses for your internal
|
||||
network (the local and DMZ Interfaces on your firewall plus your other
|
||||
computers). RFC 1918 reserves several <i>Private </i>IP address ranges for
|
||||
this purpose:</p>
|
||||
|
||||
<div align="left">
|
||||
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
|
||||
@ -330,11 +336,11 @@ entry in /etc/shorewall/interfaces.</p>
|
||||
range of addresses x.y.z.0 - x.y.z.255. Such a subnet will have a <i>Subnet
|
||||
Mask </i>of 255.255.255.0. The address x.y.z.0 is reserved as the <i>Subnet
|
||||
Address</i> and x.y.z.255 is reserved as the <i>Subnet Broadcast</i>
|
||||
<i>Address</i>. In Shorewall, a subnet is described using <a
|
||||
href="subnet_masks.htm"><i>Classless InterDomain Routing </i>(CIDR)</a>
|
||||
notation with consists of the subnet address followed by "/24". The "24"
|
||||
refers to the number of consecutive "1" bits from the left of the subnet
|
||||
mask. </p>
|
||||
<i>Address</i>. In Shorewall, a subnet is described using <a
|
||||
href="shorewall_setup_guide.htm#Subnets"><i>Classless InterDomain Routing
|
||||
</i>(CIDR)</a> notation with consists of the subnet address followed
|
||||
by "/24". The "24" refers to the number of consecutive "1" bits from
|
||||
the left of the subnet mask. </p>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
@ -384,16 +390,16 @@ mask. </p>
|
||||
<div align="left">
|
||||
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
|
||||
height="13">
|
||||
Your local computers (Local Computers 1 & 2) should be
|
||||
configured with their<i> default gateway</i> set to the IP address of
|
||||
the firewall's internal interface and your DMZ computers ( DMZ Computers
|
||||
1 & 2) should be configured with their default gateway set to the
|
||||
IP address of the firewall's DMZ interface. </p>
|
||||
Your local computers (Local Computers 1 & 2) should
|
||||
be configured with their<i> default gateway</i> set to the IP address
|
||||
of the firewall's internal interface and your DMZ computers ( DMZ
|
||||
Computers 1 & 2) should be configured with their default gateway
|
||||
set to the IP address of the firewall's DMZ interface. </p>
|
||||
</div>
|
||||
|
||||
<p align="left">The foregoing short discussion barely scratches the surface
|
||||
regarding subnetting and routing. If you are interested in learning more
|
||||
about IP addressing and routing, I highly recommend <i>"IP Fundamentals:
|
||||
regarding subnetting and routing. If you are interested in learning
|
||||
more about IP addressing and routing, I highly recommend <i>"IP Fundamentals:
|
||||
What Everyone Needs to Know about Addressing & Routing",</i> Thomas
|
||||
A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
|
||||
|
||||
@ -410,24 +416,24 @@ IP address of the firewall's DMZ interface.
|
||||
<h2 align="left">IP Masquerading (SNAT)</h2>
|
||||
|
||||
<p align="left">The addresses reserved by RFC 1918 are sometimes referred
|
||||
to as <i>non-routable</i> because the Internet backbone routers don't forward
|
||||
packets which have an RFC-1918 destination address. When one of your
|
||||
local systems (let's assume local computer 1) sends a connection request
|
||||
to an internet host, the firewall must perform <i>Network Address Translation
|
||||
</i>(NAT). The firewall rewrites the source address in the packet to be
|
||||
the address of the firewall's external interface; in other words, the firewall
|
||||
makes it look as if the firewall itself is initiating the connection.
|
||||
This is necessary so that the destination host will be able to route return
|
||||
packets back to the firewall (remember that packets whose destination
|
||||
address is reserved by RFC 1918 can't be routed accross the internet).
|
||||
When the firewall receives a return packet, it rewrites the destination
|
||||
address back to 10.10.10.1 and forwards the packet on to local computer
|
||||
1. </p>
|
||||
to as <i>non-routable</i> because the Internet backbone routers don't
|
||||
forward packets which have an RFC-1918 destination address. When one
|
||||
of your local systems (let's assume local computer 1) sends a connection
|
||||
request to an internet host, the firewall must perform <i>Network Address
|
||||
Translation </i>(NAT). The firewall rewrites the source address in the
|
||||
packet to be the address of the firewall's external interface; in other
|
||||
words, the firewall makes it look as if the firewall itself is initiating
|
||||
the connection. This is necessary so that the destination host will be
|
||||
able to route return packets back to the firewall (remember that packets
|
||||
whose destination address is reserved by RFC 1918 can't be routed accross
|
||||
the internet). When the firewall receives a return packet, it rewrites
|
||||
the destination address back to 10.10.10.1 and forwards the packet on
|
||||
to local computer 1. </p>
|
||||
|
||||
<p align="left">On Linux systems, the above process is often referred to as<i>
|
||||
IP Masquerading</i> and you will also see the term <i>Source Network Address
|
||||
Translation </i>(SNAT) used. Shorewall follows the convention used with
|
||||
Netfilter:</p>
|
||||
<p align="left">On Linux systems, the above process is often referred to
|
||||
as<i> IP Masquerading</i> and you will also see the term <i>Source Network
|
||||
Address Translation </i>(SNAT) used. Shorewall follows the convention used
|
||||
with Netfilter:</p>
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
@ -437,8 +443,8 @@ address back to 10.10.10.1 and forwards the packet on to local computer
|
||||
</li>
|
||||
<li>
|
||||
<p align="left"><i>SNAT</i> refers to the case when you explicitly specify
|
||||
the source address that you want outbound packets from your local network
|
||||
to use. </p>
|
||||
the source address that you want outbound packets from your local
|
||||
network to use. </p>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
@ -449,28 +455,43 @@ address back to 10.10.10.1 and forwards the packet on to local computer
|
||||
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
|
||||
height="13">
|
||||
If your external firewall interface is <b>eth0</b>, your local
|
||||
interface <b>eth1 </b>and your DMZ interface is <b>eth2</b> then you do
|
||||
not need to modify the file provided with the sample. Otherwise, edit
|
||||
interface <b>eth1 </b>and your DMZ interface is <b>eth2</b> then you
|
||||
do not need to modify the file provided with the sample. Otherwise, edit
|
||||
/etc/shorewall/masq and change it to match your configuration.</p>
|
||||
|
||||
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
|
||||
height="13">
|
||||
If your external IP is static, you can enter it in the third
|
||||
column in the /etc/shorewall/masq entry if you like although your firewall
|
||||
will work fine if you leave that column empty. Entering your static IP
|
||||
in column 3 makes processing outgoing packets a little more efficient.
|
||||
</p>
|
||||
column in the /etc/shorewall/masq entry if you like although your firewall
|
||||
will work fine if you leave that column empty. Entering your static IP
|
||||
in column 3 makes <br>
|
||||
processing outgoing packets a little more efficient.<br>
|
||||
</p>
|
||||
|
||||
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
|
||||
height="13" alt="">
|
||||
If you are using the Debian package, please check your shorewall.conf
|
||||
file to ensure that the following are set correctly; if they are not, change
|
||||
them appropriately:<br>
|
||||
</p>
|
||||
|
||||
<ul>
|
||||
<li>NAT_ENABLED=Yes</li>
|
||||
<li>IP_FORWARDING=On<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h2 align="left">Port Forwarding (DNAT)</h2>
|
||||
|
||||
<p align="left">One of your goals will be to run one or more servers on your
|
||||
DMZ computers. Because these computers have RFC-1918 addresses, it is not
|
||||
possible for clients on the internet to connect directly to them. It
|
||||
is rather necessary for those clients to address their connection requests
|
||||
to your firewall who rewrites the destination address to the address of
|
||||
your server and forwards the packet to that server. When your server responds,
|
||||
the firewall automatically performs SNAT to rewrite the source address
|
||||
in the response.</p>
|
||||
DMZ computers. Because these computers have RFC-1918 addresses, it is
|
||||
not possible for clients on the internet to connect directly to them.
|
||||
It is rather necessary for those clients to address their connection
|
||||
requests to your firewall who rewrites the destination address to the
|
||||
address of your server and forwards the packet to that server. When your
|
||||
server responds, the firewall automatically performs SNAT to rewrite
|
||||
the source address in the response.</p>
|
||||
|
||||
<p align="left">The above process is called<i> Port Forwarding</i> or <i>
|
||||
Destination Network Address Translation</i> (DNAT). You configure port
|
||||
@ -507,8 +528,8 @@ in the response.</p>
|
||||
</table>
|
||||
</blockquote>
|
||||
|
||||
<p>If you don't specify the <i><server port></i>, it is assumed to be
|
||||
the same as <i><port></i>.</p>
|
||||
<p>If you don't specify the <i><server port></i>, it is assumed to
|
||||
be the same as <i><port></i>.</p>
|
||||
|
||||
<p>Example - you run a Web Server on DMZ 2 and you want to forward incoming
|
||||
TCP port 80 to that system:</p>
|
||||
@ -554,9 +575,9 @@ the same as <i><port></i>.</p>
|
||||
<ul>
|
||||
<li>When you are connecting to your server from your local systems,
|
||||
you must use the server's internal IP address (10.10.11.2).</li>
|
||||
<li>Many ISPs block incoming connection requests to port 80. If
|
||||
you have problems connecting to your web server, try the following rule
|
||||
and try connecting to port 5000 (e.g., connect to <a
|
||||
<li>Many ISPs block incoming connection requests to port 80.
|
||||
If you have problems connecting to your web server, try the following
|
||||
rule and try connecting to port 5000 (e.g., connect to <a
|
||||
href="http://w.x.y.z:5000"> http://w.x.y.z:5000</a> where w.x.y.z is your
|
||||
external IP).</li>
|
||||
|
||||
@ -590,8 +611,8 @@ and try connecting to port 5000 (e.g., connect to <a
|
||||
</blockquote>
|
||||
|
||||
<p>If you want to be able to access your server from the local network using
|
||||
your external address, then if you have a static external IP you can replace
|
||||
the loc->dmz rule above with:</p>
|
||||
your external address, then if you have a static external IP you can
|
||||
replace the loc->dmz rule above with:</p>
|
||||
|
||||
<blockquote>
|
||||
<table border="1" cellpadding="2" style="border-collapse: collapse;"
|
||||
@ -621,8 +642,8 @@ and try connecting to port 5000 (e.g., connect to <a
|
||||
</blockquote>
|
||||
|
||||
<p>If you have a dynamic ip then you must ensure that your external interface
|
||||
is up before starting Shorewall and you must take steps as follows (assume
|
||||
that your external interface is <b>eth0</b>):</p>
|
||||
is up before starting Shorewall and you must take steps as follows
|
||||
(assume that your external interface is <b>eth0</b>):</p>
|
||||
|
||||
<ol>
|
||||
<li>Include the following in /etc/shorewall/params:<br>
|
||||
@ -662,7 +683,7 @@ and try connecting to port 5000 (e.g., connect to <a
|
||||
</blockquote>
|
||||
|
||||
<p>If you want to access your server from the DMZ using your external IP
|
||||
address, see <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p>
|
||||
address, see <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p>
|
||||
|
||||
<p><img border="0" src="images/BD21298_2.gif" width="13" height="13">
|
||||
At this point, add the DNAT and ACCEPT rules for your servers.
|
||||
@ -673,35 +694,36 @@ address, see <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p>
|
||||
<p align="left">Normally, when you connect to your ISP, as part of getting
|
||||
an IP address your firewall's <i>Domain Name Service </i>(DNS) resolver
|
||||
will be automatically configured (e.g., the /etc/resolv.conf file will
|
||||
be written). Alternatively, your ISP may have given you the IP address of
|
||||
a pair of DNS <i> name servers</i> for you to manually configure as your
|
||||
primary and secondary name servers. It is <u>your</u> responsibility to
|
||||
configure the resolver in your internal systems. You can take one of two
|
||||
approaches:</p>
|
||||
be written). Alternatively, your ISP may have given you the IP address
|
||||
of a pair of DNS <i> name servers</i> for you to manually configure as
|
||||
your primary and secondary name servers. It is <u>your</u> responsibility
|
||||
to configure the resolver in your internal systems. You can take one
|
||||
of two approaches:</p>
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
<p align="left">You can configure your internal systems to use your ISP's
|
||||
name servers. If you ISP gave you the addresses of their servers or
|
||||
if those addresses are available on their web site, you can configure
|
||||
your internal systems to use those addresses. If that information isn't
|
||||
available, look in /etc/resolv.conf on your firewall system -- the name
|
||||
servers are given in "nameserver" records in that file. </p>
|
||||
name servers. If you ISP gave you the addresses of their servers
|
||||
or if those addresses are available on their web site, you can configure
|
||||
your internal systems to use those addresses. If that information
|
||||
isn't available, look in /etc/resolv.conf on your firewall system
|
||||
-- the name servers are given in "nameserver" records in that file.
|
||||
</p>
|
||||
</li>
|
||||
<li>
|
||||
<p align="left"><img border="0" src="images/BD21298_2.gif"
|
||||
width="13" height="13">
|
||||
You can configure a<i> Caching Name Server </i>on your firewall
|
||||
or in your DMZ.<i> </i>Red Hat has an RPM for a caching name server (which
|
||||
also requires the 'bind' RPM) and for Bering users, there is dnscache.lrp.
|
||||
If you take this approach, you configure your internal systems to use
|
||||
the caching name server as their primary (and only) name server. You use
|
||||
the internal IP address of the firewall (10.10.10.254 in the example above)
|
||||
for the name server address if you choose to run the name server on
|
||||
your firewall. To allow your local systems to talk to your caching name
|
||||
server, you must open port 53 (both UDP and TCP) from the local network
|
||||
to the server; you do that by adding the rules in /etc/shorewall/rules.
|
||||
</p>
|
||||
or in your DMZ.<i> </i>Red Hat has an RPM for a caching name server
|
||||
(which also requires the 'bind' RPM) and for Bering users, there
|
||||
is dnscache.lrp. If you take this approach, you configure your internal
|
||||
systems to use the caching name server as their primary (and only)
|
||||
name server. You use the internal IP address of the firewall (10.10.10.254
|
||||
in the example above) for the name server address if you choose to
|
||||
run the name server on your firewall. To allow your local systems to talk
|
||||
to your caching name server, you must open port 53 (both UDP and TCP)
|
||||
from the local network to the server; you do that by adding the rules
|
||||
in /etc/shorewall/rules. </p>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
@ -917,8 +939,8 @@ to the server; you do that by adding the rules in /etc/shorewall/rules.
|
||||
|
||||
<div align="left">
|
||||
<p align="left">That rule allows you to run an SSH server on your firewall
|
||||
and in each of your DMZ systems and to connect to those servers from
|
||||
your local systems.</p>
|
||||
and in each of your DMZ systems and to connect to those servers
|
||||
from your local systems.</p>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
@ -1004,14 +1026,14 @@ to the server; you do that by adding the rules in /etc/shorewall/rules.
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<p align="left">If you don't know what port and protocol a particular application
|
||||
uses, look <a href="ports.htm">here</a>.</p>
|
||||
<p align="left">If you don't know what port and protocol a particular
|
||||
application uses, look <a href="ports.htm">here</a>.</p>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<p align="left"><b>Important: </b>I don't recommend enabling telnet to/from
|
||||
the internet because it uses clear text (even for login!). If you want
|
||||
shell access to your firewall from the internet, use SSH:</p>
|
||||
the internet because it uses clear text (even for login!). If you
|
||||
want shell access to your firewall from the internet, use SSH:</p>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
@ -1073,8 +1095,8 @@ uses, look <a href="ports.htm">here</a>.</p>
|
||||
|
||||
<div align="left">
|
||||
<p align="left">The firewall is started using the "shorewall start" command
|
||||
and stopped using "shorewall stop". When the firewall is stopped, routing
|
||||
is enabled on those hosts that have an entry in <a
|
||||
and stopped using "shorewall stop". When the firewall is stopped,
|
||||
routing is enabled on those hosts that have an entry in <a
|
||||
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A
|
||||
running firewall may be restarted using the "shorewall restart" command.
|
||||
If you want to totally remove any trace of Shorewall from your Netfilter
|
||||
@ -1085,24 +1107,24 @@ uses, look <a href="ports.htm">here</a>.</p>
|
||||
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
|
||||
height="13">
|
||||
The three-interface sample assumes that you want to enable
|
||||
routing to/from <b>eth1 (</b>your local network) and<b> eth2 </b>(DMZ)
|
||||
when Shorewall is stopped. If these two interfaces don't connect to
|
||||
your local network and DMZ or if you want to enable a different set
|
||||
of hosts, modify /etc/shorewall/routestopped accordingly.</p>
|
||||
routing to/from <b>eth1 (</b>your local network) and<b> eth2 </b>(DMZ)
|
||||
when Shorewall is stopped. If these two interfaces don't connect to
|
||||
your local network and DMZ or if you want to enable a different set
|
||||
of hosts, modify /etc/shorewall/routestopped accordingly.</p>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<p align="left"><b>WARNING: </b>If you are connected to your firewall from
|
||||
the internet, do not issue a "shorewall stop" command unless you have
|
||||
added an entry for the IP address that you are connected from to <a
|
||||
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
|
||||
the internet, do not issue a "shorewall stop" command unless you
|
||||
have added an entry for the IP address that you are connected from
|
||||
to <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
|
||||
Also, I don't recommend using "shorewall restart"; it is better to create
|
||||
an <i><a href="configuration_file_basics.htm#Configs">alternate configuration</a></i>
|
||||
and test it using the <a
|
||||
href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p>
|
||||
</div>
|
||||
|
||||
<p align="left"><font size="2">Last updated 11/21/2002 - <a
|
||||
<p align="left"><font size="2">Last updated 12/20/2002 - <a
|
||||
href="support.htm">Tom Eastep</a></font></p>
|
||||
|
||||
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas
|
||||
@ -1115,5 +1137,8 @@ of hosts, modify /etc/shorewall/routestopped accordingly.</p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -20,6 +20,7 @@
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
|
||||
<h1 align="center"><font color="#ffffff">Traffic Shaping/Control</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
@ -28,42 +29,53 @@
|
||||
</table>
|
||||
|
||||
<p align="left">Beginning with version 1.2.0, Shorewall has limited support
|
||||
for traffic shaping/control. In order to use traffic shaping under Shorewall,
|
||||
it is essential that you get a copy of the <a
|
||||
for traffic shaping/control. In order to use traffic shaping under Shorewall,
|
||||
it is essential that you get a copy of the <a
|
||||
href="http://ds9a.nl/lartc">Linux Advanced Routing and Shaping HOWTO</a>,
|
||||
version 0.3.0 or later. You must also install the iproute (iproute2) package
|
||||
to provide the "ip" and "tc" utilities.</p>
|
||||
version 0.3.0 or later. You must also install the iproute (iproute2) package
|
||||
to provide the "ip" and "tc" utilities.</p>
|
||||
|
||||
<p align="left">Shorewall traffic shaping support consists of the following:</p>
|
||||
|
||||
<ul>
|
||||
<li>A new TC_ENABLED parameter in /etc/shorewall.conf. Traffic Shaping
|
||||
also requires that you enable packet mangling.<br>
|
||||
<li>A new TC_ENABLED parameter in /etc/shorewall.conf. Traffic
|
||||
Shaping also requires that you enable packet mangling.<br>
|
||||
</li>
|
||||
<li>/etc/shorewall/tcrules - A file where you can specify firewall
|
||||
marking of packets. The firewall mark value may be used to classify packets
|
||||
for traffic shaping/control.<br>
|
||||
marking of packets. The firewall mark value may be used to classify
|
||||
packets for traffic shaping/control.<br>
|
||||
</li>
|
||||
<li>/etc/shorewall/tcstart - A user-supplied file that is sourced
|
||||
by Shorewall during "shorewall start" and which you can use to define
|
||||
your traffic shaping disciplines and classes. I have provided a <a
|
||||
by Shorewall during "shorewall start" and which you can use to define
|
||||
your traffic shaping disciplines and classes. I have provided a <a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/cbq">sample</a> that does
|
||||
table-driven CBQ shaping but if you read the traffic shaping sections of
|
||||
the HOWTO mentioned above, you can probably code your own faster than
|
||||
you can learn how to use my sample. I personally use <a
|
||||
the HOWTO mentioned above, you can probably code your own faster than
|
||||
you can learn how to use my sample. I personally use <a
|
||||
href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB</a> (see below). HTB
|
||||
support may eventually become an integral part of Shorewall since HTB
|
||||
is a lot simpler and better-documented than CBQ. HTB is currently not
|
||||
a standard part of either the kernel or iproute2 so both must be patched
|
||||
in order to use it.<br>
|
||||
support may eventually become an integral part of Shorewall since
|
||||
HTB is a lot simpler and better-documented than CBQ. As of 2.4.20,
|
||||
HTB is a standard part of the kernel but iproute2 must be patched in
|
||||
order to use it.<br>
|
||||
<br>
|
||||
In tcstart, when you want to run the 'tc' utility, use the run_tc function
|
||||
supplied by shorewall. <br>
|
||||
In tcstart, when you want to run the 'tc' utility, use the run_tc
|
||||
function supplied by shorewall if you want tc errors to stop the firewall.<br>
|
||||
<br>
|
||||
You can generally use off-the-shelf traffic shaping scripts by simply copying
|
||||
them to /etc/shorewall/tcstart. I use <a
|
||||
href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (HTB version)
|
||||
that way (i.e., I just copied wshaper.htb to /etc/shorewall/tcstart and
|
||||
modified it according to the Wonder Shaper README). <b>WARNING: </b>If you
|
||||
use use Masquerading or SNAT (i.e., you only have one external IP address)
|
||||
then listing internal hosts in the NOPRIOHOSTSRC variable in the wshaper[.htb]
|
||||
script won't work. Traffic shaping occurs after SNAT has already been applied
|
||||
so when traffic shaping happens, all outbound traffic will have as a source
|
||||
address the IP addresss of your firewall's external interface.<br>
|
||||
</li>
|
||||
<li>/etc/shorewall/tcclear - A user-supplied file that is sourced
|
||||
by Shorewall when it is clearing traffic shaping. This file is normally
|
||||
not required as Shorewall's method of clearing qdisc and filter definitions
|
||||
is pretty general.</li>
|
||||
by Shorewall when it is clearing traffic shaping. This file is normally
|
||||
not required as Shorewall's method of clearing qdisc and filter definitions
|
||||
is pretty general.</li>
|
||||
|
||||
</ul>
|
||||
|
||||
@ -78,46 +90,54 @@ is pretty general.</li>
|
||||
<h3 align="left"><a name="tcrules"></a>/etc/shorewall/tcrules</h3>
|
||||
|
||||
<p align="left">The fwmark classifier provides a convenient way to classify
|
||||
packets for traffic shaping. The /etc/shorewall/tcrules file provides a
|
||||
means for specifying these marks in a tabular fashion.</p>
|
||||
packets for traffic shaping. The /etc/shorewall/tcrules file provides
|
||||
a means for specifying these marks in a tabular fashion.<br>
|
||||
</p>
|
||||
<p align="left">Normally, packet marking occurs in the PREROUTING chain before
|
||||
any address rewriting takes place. This makes it impossible to mark inbound
|
||||
packets based on their destination address when SNAT or Masquerading are
|
||||
being used. Beginning with Shorewall 1.3.12, you can cause packet marking
|
||||
to occur in the FORWARD chain by using the MARK_IN_FORWARD_CHAIN option in
|
||||
<a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
|
||||
</p>
|
||||
|
||||
<p align="left">Columns in the file are as follows:</p>
|
||||
|
||||
<ul>
|
||||
<li>MARK - Specifies the mark value is to be assigned in case of
|
||||
a match. This is an integer in the range 1-255.<br>
|
||||
a match. This is an integer in the range 1-255.<br>
|
||||
<br>
|
||||
Example - 5<br>
|
||||
</li>
|
||||
<li>SOURCE - The source of the packet. If the packet originates on
|
||||
the firewall, place "fw" in this column. Otherwise, this is a comma-separated
|
||||
list of interface names, IP addresses, MAC addresses in <a
|
||||
href="Documentation.htm#MAC">Shorewall Format</a> and/or Subnets.<br>
|
||||
<li>SOURCE - The source of the packet. If the packet originates
|
||||
on the firewall, place "fw" in this column. Otherwise, this is a
|
||||
comma-separated list of interface names, IP addresses, MAC addresses in
|
||||
<a href="Documentation.htm#MAC">Shorewall Format</a> and/or Subnets.<br>
|
||||
<br>
|
||||
Examples<br>
|
||||
eth0<br>
|
||||
192.168.2.4,192.168.1.0/24<br>
|
||||
</li>
|
||||
<li>DEST -- Destination of the packet. Comma-separated list of IP
|
||||
addresses and/or subnets.<br>
|
||||
<li>DEST -- Destination of the packet. Comma-separated list of
|
||||
IP addresses and/or subnets.<br>
|
||||
</li>
|
||||
<li>PROTO - Protocol - Must be the name of a protocol from /etc/protocol,
|
||||
a number or "all"<br>
|
||||
<li>PROTO - Protocol - Must be the name of a protocol from
|
||||
/etc/protocol, a number or "all"<br>
|
||||
</li>
|
||||
<li>PORT(S) - Destination Ports. A comma-separated list of Port names
|
||||
(from /etc/services), port numbers or port ranges (e.g., 21:22); if the
|
||||
protocol is "icmp", this column is interpreted as the destination icmp
|
||||
type(s).<br>
|
||||
<li>PORT(S) - Destination Ports. A comma-separated list of Port
|
||||
names (from /etc/services), port numbers or port ranges (e.g., 21:22);
|
||||
if the protocol is "icmp", this column is interpreted as the destination
|
||||
icmp type(s).<br>
|
||||
</li>
|
||||
<li>CLIENT PORT(S) - (Optional) Port(s) used by the client. If omitted,
|
||||
any source port is acceptable. Specified as a comma-separate list of port
|
||||
names, port numbers or port ranges.</li>
|
||||
<li>CLIENT PORT(S) - (Optional) Port(s) used by the client. If
|
||||
omitted, any source port is acceptable. Specified as a comma-separate
|
||||
list of port names, port numbers or port ranges.</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<p align="left">Example 1 - All packets arriving on eth1 should be marked
|
||||
with 1. All packets arriving on eth2 should be marked with 2. All packets
|
||||
originating on the firewall itself should be marked with 3.</p>
|
||||
with 1. All packets arriving on eth2 and eth3 should be marked with 2.
|
||||
All packets originating on the firewall itself should be marked with 3.</p>
|
||||
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
@ -145,6 +165,20 @@ originating on the firewall itself should be marked with 3.</p>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">2<br>
|
||||
</td>
|
||||
<td valign="top">eth3<br>
|
||||
</td>
|
||||
<td valign="top">0.0.0.0/0<br>
|
||||
</td>
|
||||
<td valign="top">all<br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>3</td>
|
||||
<td>fw</td>
|
||||
@ -158,7 +192,8 @@ originating on the firewall itself should be marked with 3.</p>
|
||||
</table>
|
||||
|
||||
<p align="left">Example 2 - All GRE (protocol 47) packets not originating
|
||||
on the firewall and destined for 155.186.235.151 should be marked with 12.</p>
|
||||
on the firewall and destined for 155.186.235.151 should be marked with
|
||||
12.</p>
|
||||
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
@ -183,7 +218,7 @@ on the firewall and destined for 155.186.235.151 should be marked with 12.</p>
|
||||
</table>
|
||||
|
||||
<p align="left">Example 3 - All SSH packets originating in 192.168.1.0/24
|
||||
and destined for 155.186.235.151 should be marked with 22.</p>
|
||||
and destined for 155.186.235.151 should be marked with 22.</p>
|
||||
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
@ -207,51 +242,52 @@ and destined for 155.186.235.151 should be marked with 22.</p>
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<h3>Hierarchical Token Bucket</h3>
|
||||
<h3>My Setup<br>
|
||||
</h3>
|
||||
|
||||
<p>I personally use HTB. I have found a couple of things that may be of use
|
||||
to others.</p>
|
||||
|
||||
<ul>
|
||||
<li>The gzipped tc binary at the <a
|
||||
href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB website</a> didn't work
|
||||
for me -- I had to download the lastest version of the <a
|
||||
href="ftp://ftp.inr.ac.ru/ip-routing">iproute2 sources</a> and patch
|
||||
them for HTB.</li>
|
||||
<li>I'm currently running with this set of shaping rules in my tcstart
|
||||
file. I recently changed from using a ceiling of 10Mbit (interface speed)
|
||||
to 384kbit (DSP Uplink speed).<br>
|
||||
<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
<p>While I am currently using the HTB version of <a
|
||||
href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (I just copied
|
||||
wshaper.htb to /etc/shorewall/tcstart and modified it as shown in the Wondershaper
|
||||
README), I have also run with the following set of hand-crafted rules in
|
||||
my tcstart file:<br>
|
||||
</p>
|
||||
|
||||
<blockquote>
|
||||
<pre>run_tc qdisc add dev eth0 root handle 1: htb default 30<br>run_tc class add dev eth0 parent 1: classid 1:1 htb rate 384kbit burst 15k<br><br>echo " Added Top Level Class -- rate 384kbit"</pre>
|
||||
<pre>run_tc qdisc add dev eth0 root handle 1: htb default 30<br><br>run_tc class add dev eth0 parent 1: classid 1:1 htb rate 384kbit burst 15k<br><br>echo " Added Top Level Class -- rate 384kbit"</pre>
|
||||
|
||||
<pre>run_tc class add dev eth0 parent 1:1 classid 1:10 htb rate 140kbit ceil 384kbit burst 15k<br>run_tc class add dev eth0 parent 1:1 classid 1:20 htb rate 224kbit ceil 384kbit burst 15k<br>run_tc class add dev eth0 parent 1:1 classid 1:30 htb rate 20kbit ceil 384kbit burst 15k quantum 1500</pre>
|
||||
<pre>run_tc class add dev eth0 parent 1:1 classid 1:10 htb rate 140kbit ceil 384kbit burst 15k prio 1<br>run_tc class add dev eth0 parent 1:1 classid 1:20 htb rate 224kbit ceil 384kbit burst 15k prio 0<br>run_tc class add dev eth0 parent 1:1 classid 1:30 htb rate 20kbit ceil 384kbit burst 15k quantum 1500 prio 1</pre>
|
||||
|
||||
<pre>echo " Added Second Level Classes -- rates 140kbit, 224kbit, 20kbit"</pre>
|
||||
|
||||
<pre>run_tc qdisc add dev eth0 parent 1:10 sfq perturb 10<br>run_tc qdisc add dev eth0 parent 1:20 sfq perturb 10<br>run_tc qdisc add dev eth0 parent 1:30 sfq perturb 10</pre>
|
||||
<pre>run_tc qdisc add dev eth0 parent 1:10 pfifo limit 5<br>run_tc qdisc add dev eth0 parent 1:20 pfifo limit 10<br>run_tc qdisc add dev eth0 parent 1:30 pfifo limit 5</pre>
|
||||
|
||||
<pre>echo " Enabled SFQ on Second Level Classes"</pre>
|
||||
<pre>echo " Enabled PFIFO on Second Level Classes"</pre>
|
||||
|
||||
<pre>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:10<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 2 fw classid 1:20<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw classid 1:30</pre>
|
||||
<pre>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:10<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 0 handle 2 fw classid 1:20<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw classid 1:30</pre>
|
||||
|
||||
<pre>echo " Defined fwmark filters"<br></pre>
|
||||
|
||||
<p>My tcrules file is shown in Example 1 above. You can look at my <a
|
||||
href="myfiles.htm">network configuration</a> to get an idea of why I want
|
||||
these particular rules.<font face="Courier" size="2"><br>
|
||||
</font></p>
|
||||
</blockquote>
|
||||
|
||||
<p><font size="2">Last Updated 10/25/2002 - <a href="support.htm">Tom Eastep</a></font></p>
|
||||
<p>My tcrules file that went with this tcstart file is shown in Example 1
|
||||
above. You can look at my <a href="myfiles.htm">network configuration</a>
|
||||
to get an idea of why I wanted these particular rules.<br>
|
||||
</p>
|
||||
|
||||
<ol>
|
||||
<li>I wanted to allow up to 140kbits/second for traffic outbound from
|
||||
my DMZ (note that the ceiling is set to 384kbit so outbound DMZ traffic
|
||||
can use all available bandwidth if there is no traffic from the local systems
|
||||
or from my laptop or firewall).</li>
|
||||
<li>My laptop and local systems could use up to 224kbits/second.</li>
|
||||
<li>My firewall could use up to 20kbits/second.<br>
|
||||
</li>
|
||||
|
||||
</ol>
|
||||
|
||||
<p><font size="2">Last Updated 12/20/2002 - <a href="support.htm">Tom Eastep</a></font></p>
|
||||
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
|
||||
<br>
|
||||
<br>
|
||||
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
|
||||
</p>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -18,6 +18,7 @@
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
|
||||
<h1 align="center"><font color="#ffffff">Shorewall Troubleshooting<img
|
||||
src="images/obrasinf.gif" alt="Beating head on table" width="90"
|
||||
height="90" align="middle">
|
||||
@ -32,7 +33,7 @@
|
||||
|
||||
<p align="left">Check the <a href="errata.htm">Shorewall Errata</a> to be
|
||||
sure that there isn't an update that you are missing for your version
|
||||
of the firewall.</p>
|
||||
of the firewall.</p>
|
||||
|
||||
<h3 align="left">Check the FAQs</h3>
|
||||
|
||||
@ -41,16 +42,33 @@ of the firewall.</p>
|
||||
|
||||
<h3 align="left">If the firewall fails to start</h3>
|
||||
If you receive an error message when starting or restarting the
|
||||
firewall and you can't determine the cause, then do the following:
|
||||
firewall and you can't determine the cause, then do the following:
|
||||
|
||||
<ul>
|
||||
<li>Make a note of the error message that you see.<br>
|
||||
</li>
|
||||
<li>shorewall debug start 2> /tmp/trace</li>
|
||||
<li>Look at the /tmp/trace file and see if that helps you determine
|
||||
what the problem is.</li>
|
||||
<li>If you still can't determine what's wrong then see the <a
|
||||
href="support.htm">support page</a>.</li>
|
||||
<li>Look at the /tmp/trace file and see if that helps you
|
||||
determine what the problem is. Be sure you find the place in the log where
|
||||
the error message you saw is generated -- in 99.9% of the cases, it will
|
||||
not be near the end of the log because after startup errors, Shorewall goes
|
||||
through a "shorewall stop" phase which will also be traced.</li>
|
||||
<li>If you still can't determine what's wrong then see the
|
||||
<a href="support.htm">support page</a>.</li>
|
||||
|
||||
</ul>
|
||||
Here's an example. During startup, a user sees the following:<br>
|
||||
<blockquote>
|
||||
<pre>Adding Common Rules<br>iptables: No chain/target/match by that name<br>Terminated<br></pre>
|
||||
</blockquote>
|
||||
A search through the trace for "No chain/target/match by that name" turned
|
||||
up the following:
|
||||
<blockquote>
|
||||
<pre>+ echo 'Adding Common Rules'<br>+ add_common_rules<br>+ run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset<br>++ echo -A reject -p tcp -j REJECT --reject-with tcp-reset<br>++ sed 's/!/! /g'<br>+ iptables -A reject -p tcp -j REJECT --reject-with tcp-reset<br>iptables: No chain/target/match by that name<br></pre>
|
||||
</blockquote>
|
||||
The command that failed was: "iptables -A reject -p tcp -j REJECT --reject-with
|
||||
tcp-reset". In this case, the user had compiled his own kernel and had forgotten
|
||||
to include REJECT target support (see <a href="kernel.htm">kernel.htm</a>)
|
||||
|
||||
<h3>Your network environment</h3>
|
||||
|
||||
@ -60,7 +78,7 @@ firewall and you can't determine the cause, then do the following:
|
||||
|
||||
<ul>
|
||||
<li>Port Forwarding where client and server are in the
|
||||
same subnet. See <a href="FAQ.htm">FAQ 2.</a></li>
|
||||
same subnet. See <a href="FAQ.htm">FAQ 2.</a></li>
|
||||
<li>Changing the IP address of a local system to be in the external
|
||||
subnet, thinking that Shorewall will suddenly believe that the system
|
||||
is in the 'net' zone.</li>
|
||||
@ -85,9 +103,9 @@ same subnet. See <a href="FAQ.htm">FAQ 2.</a></li>
|
||||
by your rule set.</p>
|
||||
|
||||
<p align="left">Check your log ("/sbin/shorewall show log"). If you don't
|
||||
see Shorewall messages, then your problem is probably NOT a Shorewall problem.
|
||||
If you DO see packet messages, it may be an indication that you are missing
|
||||
one or more rules -- see <a href="FAQ.htm#faq17">FAQ 17</a>.</p>
|
||||
see Shorewall messages, then your problem is probably NOT a Shorewall problem.
|
||||
If you DO see packet messages, it may be an indication that you are missing
|
||||
one or more rules -- see <a href="FAQ.htm#faq17">FAQ 17</a>.</p>
|
||||
|
||||
<p align="left">While you are troubleshooting, it is a good idea to clear
|
||||
two variables in /etc/shorewall/shorewall.conf:</p>
|
||||
@ -100,6 +118,7 @@ one or more rules -- see <a href="FAQ.htm#faq17">FAQ 17</a>.</p>
|
||||
|
||||
<p align="left">Example:</p>
|
||||
<font face="Century Gothic, Arial, Helvetica">
|
||||
|
||||
<p align="left"><font face="Courier">Jun 27 15:37:56 gateway kernel:
|
||||
Shorewall:all2all:REJECT:IN=eth2 OUT=eth1 SRC=192.168.2.2 DST=192.168.1.3
|
||||
LEN=67 TOS=0x00 PREC=0x00 TTL=63 ID=5805 DF PROTO=UDP SPT=1803 DPT=53
|
||||
@ -109,8 +128,8 @@ LEN=47</font></p>
|
||||
|
||||
<ul>
|
||||
<li>all2all:REJECT - This packet was REJECTed out of the all2all
|
||||
chain -- the packet was rejected under the "all"->"all" REJECT policy
|
||||
(see <a href="FAQ.htm#faq17">FAQ 17).</a></li>
|
||||
chain -- the packet was rejected under the "all"->"all" REJECT policy
|
||||
(see <a href="FAQ.htm#faq17">FAQ 17).</a></li>
|
||||
<li>IN=eth2 - the packet entered the firewall via eth2</li>
|
||||
<li>OUT=eth1 - if accepted, the packet would be sent on eth1</li>
|
||||
<li>SRC=192.168.2.2 - the packet was sent by 192.168.2.2</li>
|
||||
@ -133,42 +152,42 @@ chain -- the packet was rejected under the "all"->"all" REJECT policy
|
||||
<h3 align="left">Other Gotchas</h3>
|
||||
|
||||
<ul>
|
||||
<li>Seeing rejected/dropped packets logged out of the INPUT or FORWARD
|
||||
chains? This means that:
|
||||
<li>Seeing rejected/dropped packets logged out of the INPUT or
|
||||
FORWARD chains? This means that:
|
||||
<ol>
|
||||
<li>your zone definitions are screwed up and the host that is
|
||||
sending the packets or the destination host isn't in any zone (using
|
||||
an <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a> file
|
||||
sending the packets or the destination host isn't in any zone (using
|
||||
an <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a> file
|
||||
are you?); or</li>
|
||||
<li>the source and destination hosts are both connected to the
|
||||
same interface and that interface doesn't have the 'multi' option
|
||||
specified in <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
|
||||
same interface and that interface doesn't have the 'multi' option
|
||||
specified in <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
|
||||
|
||||
</ol>
|
||||
</li>
|
||||
<li>Remember that Shorewall doesn't automatically allow ICMP
|
||||
type 8 ("ping") requests to be sent between zones. If you want pings
|
||||
to be allowed between zones, you need a rule of the form:<br>
|
||||
to be allowed between zones, you need a rule of the form:<br>
|
||||
<br>
|
||||
ACCEPT <source zone> <destination zone>
|
||||
icmp echo-request<br>
|
||||
<br>
|
||||
The ramifications of this can be subtle. For example, if you have
|
||||
the following in /etc/shorewall/nat:<br>
|
||||
The ramifications of this can be subtle. For example, if you
|
||||
have the following in /etc/shorewall/nat:<br>
|
||||
<br>
|
||||
10.1.1.2 eth0 130.252.100.18<br>
|
||||
<br>
|
||||
and you ping 130.252.100.18, unless you have allowed icmp type
|
||||
8 between the zone containing the system you are pinging from and the
|
||||
zone containing 10.1.1.2, the ping requests will be dropped. This is
|
||||
true even if you have NOT specified 'noping' for eth0 in /etc/shorewall/interfaces.</li>
|
||||
8 between the zone containing the system you are pinging from and
|
||||
the zone containing 10.1.1.2, the ping requests will be dropped. This
|
||||
is true even if you have NOT specified 'noping' for eth0 in /etc/shorewall/interfaces.</li>
|
||||
<li>If you specify "routefilter" for an interface, that interface
|
||||
must be up prior to starting the firewall.</li>
|
||||
<li>Is your routing correct? For example, internal systems usually
|
||||
need to be configured with their default gateway set to the IP address
|
||||
of their nearest firewall interface. One often overlooked aspect of
|
||||
routing is that in order for two hosts to communicate, the routing between
|
||||
them must be set up <u>in both directions.</u> So when setting up routing
|
||||
routing is that in order for two hosts to communicate, the routing between
|
||||
them must be set up <u>in both directions.</u> So when setting up routing
|
||||
between <b>A</b> and<b> B</b>, be sure to verify that the route from
|
||||
<b>B</b> back to <b>A</b> is defined.</li>
|
||||
<li>Some versions of LRP (EigerStein2Beta for example) have a
|
||||
@ -178,16 +197,16 @@ them must be set up <u>in both directions.</u> So when setting up routing
|
||||
<li>Do you have your kernel properly configured? <a
|
||||
href="kernel.htm">Click here to see my kernel configuration.</a> </li>
|
||||
<li>Some features require the "ip" program. That program is
|
||||
generally included in the "iproute" package which should be included
|
||||
with your distribution (though many distributions don't install iproute
|
||||
by default). You may also download the latest source tarball from <a
|
||||
generally included in the "iproute" package which should be included
|
||||
with your distribution (though many distributions don't install iproute
|
||||
by default). You may also download the latest source tarball from <a
|
||||
href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank"> ftp://ftp.inr.ac.ru/ip-routing</a>
|
||||
.</li>
|
||||
<li>If you have <u>any</u> entry for a zone in /etc/shorewall/hosts
|
||||
then the zone must be entirely defined in /etc/shorewall/hosts unless
|
||||
you have specified MERGE_HOSTS=Yes (Shorewall version 1.3.5 and later).
|
||||
For example, if a zone has two interfaces but only one interface has an
|
||||
entry in /etc/shorewall/hosts then hosts attached to the other interface
|
||||
you have specified MERGE_HOSTS=Yes (Shorewall version 1.3.5 and later).
|
||||
For example, if a zone has two interfaces but only one interface has
|
||||
an entry in /etc/shorewall/hosts then hosts attached to the other interface
|
||||
will <u>not</u> be considered part of the zone.</li>
|
||||
<li>Problems with NAT? Be sure that you let Shorewall add all
|
||||
external addresses to be use with NAT unless you have set <a
|
||||
@ -199,14 +218,17 @@ you have specified MERGE_HOSTS=Yes (Shorewall version 1.3.5 and later).
|
||||
|
||||
<p>See the<a href="support.htm"> support page.</a></p>
|
||||
<font face="Century Gothic, Arial, Helvetica">
|
||||
|
||||
<blockquote> </blockquote>
|
||||
</font>
|
||||
<p><font size="2">Last updated 11/24/2002 - Tom Eastep</font> </p>
|
||||
<p><font size="2">Last updated 12/4/2002 - Tom Eastep</font> </p>
|
||||
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -22,6 +22,7 @@
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
|
||||
<h1 align="center"><font color="#ffffff">Basic Two-Interface Firewall</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
@ -38,10 +39,11 @@
|
||||
in its most common configuration:</p>
|
||||
|
||||
<ul>
|
||||
<li>Linux system used as a firewall/router for a small local network.</li>
|
||||
<li>Linux system used as a firewall/router for a small local
|
||||
network.</li>
|
||||
<li>Single public IP address.</li>
|
||||
<li>Internet connection through cable modem, DSL, ISDN, Frame Relay,
|
||||
dial-up ...</li>
|
||||
<li>Internet connection through cable modem, DSL, ISDN, Frame
|
||||
Relay, dial-up ...</li>
|
||||
|
||||
</ul>
|
||||
|
||||
@ -51,44 +53,54 @@
|
||||
height="635">
|
||||
</p>
|
||||
|
||||
<p><b>If you are running Shorewall under Mandrake 9.0 or later, you can easily
|
||||
configure the above setup using the Mandrake "Internet Connection Sharing"
|
||||
applet. From the Mandrake Control Center, select "Network & Internet"
|
||||
then "Connection Sharing". You should not need to refer to this guide.</b><br>
|
||||
</p>
|
||||
|
||||
<p>This guide assumes that you have the iproute/iproute2 package installed
|
||||
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell
|
||||
if this package is installed by the presence of an <b>ip</b> program on
|
||||
your firewall system. As root, you can use the 'which' command to check
|
||||
for this program:</p>
|
||||
if this package is installed by the presence of an <b>ip</b> program on
|
||||
your firewall system. As root, you can use the 'which' command to check
|
||||
for this program:</p>
|
||||
|
||||
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
|
||||
|
||||
<p>I recommend that you first read through the guide to familiarize yourself
|
||||
with what's involved then go back through it again making your configuration
|
||||
changes. Points at which configuration changes are recommended are flagged
|
||||
with <img border="0" src="images/BD21298_.gif" width="13" height="13">
|
||||
with <img border="0" src="images/BD21298_.gif" width="13"
|
||||
height="13">
|
||||
.</p>
|
||||
|
||||
<p><img border="0" src="images/j0213519.gif" width="60" height="60">
|
||||
If you edit your configuration files on a Windows system, you must
|
||||
save them as Unix files if your editor supports that option or you must
|
||||
run them through dos2unix before trying to use them. Similarly, if you
|
||||
copy a configuration file from your Windows hard drive to a floppy disk,
|
||||
you must run dos2unix against the copy before using it with Shorewall.</p>
|
||||
If you edit your configuration files on a Windows system, you
|
||||
must save them as Unix files if your editor supports that option or you
|
||||
must run them through dos2unix before trying to use them. Similarly, if
|
||||
you copy a configuration file from your Windows hard drive to a floppy
|
||||
disk, you must run dos2unix against the copy before using it with Shorewall.</p>
|
||||
|
||||
<ul>
|
||||
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
|
||||
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows
|
||||
Version of dos2unix</a></li>
|
||||
<li><a
|
||||
href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version
|
||||
of dos2unix</a></li>
|
||||
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
|
||||
Version of dos2unix</a></li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h2 align="left">Shorewall Concepts</h2>
|
||||
|
||||
<p>The configuration files for Shorewall are contained in the directory
|
||||
/etc/shorewall -- for simple setups, you will only need to deal with a few
|
||||
of these as described in this guide. After you have <a
|
||||
href="Install.htm">installed Shorewall</a>, download the <a
|
||||
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
|
||||
alt="">
|
||||
The configuration files for Shorewall are contained in the directory
|
||||
/etc/shorewall -- for simple setups, you will only need to deal with a
|
||||
few of these as described in this guide. After you have <a
|
||||
href="Install.htm">installed Shorewall</a>, <b>download the <a
|
||||
href="/pub/shorewall/LATEST.samples/two-interfaces.tgz">two-interface sample</a>,
|
||||
un-tar it (tar -zxvf two-interfaces.tgz) and and copy the files to /etc/shorewall
|
||||
(these files will replace files with the same name).</p>
|
||||
(these files will replace files with the same name).</b></p>
|
||||
|
||||
<p>As each file is introduced, I suggest that you look through the actual
|
||||
file on your system -- each file contains detailed configuration instructions
|
||||
@ -127,20 +139,20 @@ of these as described in this guide. After you have <a
|
||||
in terms of zones.</p>
|
||||
|
||||
<ul>
|
||||
<li>You express your default policy for connections from one zone
|
||||
to another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
|
||||
<li>You express your default policy for connections from one
|
||||
zone to another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
|
||||
</a>file.</li>
|
||||
<li>You define exceptions to those default policies in the <a
|
||||
href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
|
||||
<li>You define exceptions to those default policies in the
|
||||
<a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<p>For each connection request entering the firewall, the request is first
|
||||
checked against the /etc/shorewall/rules file. If no rule in that file
|
||||
matches the connection request then the first policy in /etc/shorewall/policy
|
||||
that matches the request is applied. If that policy is REJECT or DROP
|
||||
the request is first checked against the rules in /etc/shorewall/common (the
|
||||
samples provide that file for you).</p>
|
||||
matches the connection request then the first policy in /etc/shorewall/policy
|
||||
that matches the request is applied. If that policy is REJECT or DROP
|
||||
the request is first checked against the rules in /etc/shorewall/common
|
||||
(the samples provide that file for you).</p>
|
||||
|
||||
<p>The /etc/shorewall/policy file included with the two-interface sample has
|
||||
the following policies:</p>
|
||||
@ -184,8 +196,8 @@ the following policies:</p>
|
||||
|
||||
<blockquote>
|
||||
<p>In the two-interface sample, the line below is included but commented
|
||||
out. If you want your firewall system to have full access to servers on
|
||||
the internet, uncomment that line.</p>
|
||||
out. If you want your firewall system to have full access to servers
|
||||
on the internet, uncomment that line.</p>
|
||||
|
||||
<table border="1" cellpadding="2" style="border-collapse: collapse;"
|
||||
id="AutoNumber3">
|
||||
@ -212,19 +224,19 @@ the following policies:</p>
|
||||
<p>The above policy will:</p>
|
||||
|
||||
<ol>
|
||||
<li>allow all connection requests from your local network to the
|
||||
internet</li>
|
||||
<li>drop (ignore) all connection requests from the internet to your
|
||||
firewall or local network</li>
|
||||
<li>optionally accept all connection requests from the firewall to
|
||||
the internet (if you uncomment the additional policy)</li>
|
||||
<li>allow all connection requests from your local network to
|
||||
the internet</li>
|
||||
<li>drop (ignore) all connection requests from the internet to
|
||||
your firewall or local network</li>
|
||||
<li>optionally accept all connection requests from the firewall
|
||||
to the internet (if you uncomment the additional policy)</li>
|
||||
<li>reject all other connection requests.</li>
|
||||
|
||||
</ol>
|
||||
|
||||
<p><img border="0" src="images/BD21298_.gif" width="13" height="13">
|
||||
At this point, edit your /etc/shorewall/policy and make any changes
|
||||
that you wish.</p>
|
||||
At this point, edit your /etc/shorewall/policy and make any
|
||||
changes that you wish.</p>
|
||||
|
||||
<h2 align="left">Network Interfaces</h2>
|
||||
|
||||
@ -237,38 +249,38 @@ connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
|
||||
will be the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>)
|
||||
<u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol
|
||||
over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling
|
||||
<u>P</u>rotocol </i>(PPTP) in which case the External Interface will be
|
||||
a ppp interface (e.g., <b>ppp0</b>). If you connect via a regular modem,
|
||||
<u>P</u>rotocol </i>(PPTP) in which case the External Interface will
|
||||
be a ppp interface (e.g., <b>ppp0</b>). If you connect via a regular modem,
|
||||
your External Interface will also be <b>ppp0</b>. If you connect via ISDN,
|
||||
your external interface will be <b>ippp0.</b></p>
|
||||
|
||||
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
|
||||
height="13">
|
||||
If your external interface is <b>ppp0</b> or<b> ippp0</b> then
|
||||
you will want to set CLAMPMSS=yes in <a href="Documentation.htm#Conf">
|
||||
/etc/shorewall/shorewall.conf.</a></p>
|
||||
If your external interface is <b>ppp0</b> or<b> ippp0</b>
|
||||
then you will want to set CLAMPMSS=yes in <a
|
||||
href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf.</a></p>
|
||||
|
||||
<p align="left">Your <i>Internal Interface</i> will be an ethernet adapter
|
||||
(eth1 or eth0) and will be connected to a hub or switch. Your other computers
|
||||
will be connected to the same hub/switch (note: If you have only a single
|
||||
internal system, you can connect the firewall directly to the computer
|
||||
using a <i>cross-over </i> cable).</p>
|
||||
using a <i>cross-over </i> cable).</p>
|
||||
|
||||
<p align="left"><u><b> <img border="0" src="images/j0213519.gif"
|
||||
width="60" height="60">
|
||||
</b></u>Do not connect the internal and external interface to the same
|
||||
hub or switch (even for testing). It won't work the way that you think
|
||||
that it will and you will end up confused and believing that Shorewall
|
||||
doesn't work at all.</p>
|
||||
</b></u>Do not connect the internal and external interface to the
|
||||
same hub or switch (even for testing). It won't work the way that you think
|
||||
that it will and you will end up confused and believing that Shorewall
|
||||
doesn't work at all.</p>
|
||||
|
||||
<p align="left"><img border="0" src="images/BD21298_.gif" align="left"
|
||||
width="13" height="13">
|
||||
The Shorewall two-interface sample configuration assumes that the
|
||||
external interface is <b>eth0</b> and the internal interface is <b>eth1</b>.
|
||||
If your configuration is different, you will have to modify the sample
|
||||
<a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> file
|
||||
accordingly. While you are there, you may wish to review the list of options
|
||||
that are specified for the interfaces. Some hints:</p>
|
||||
The Shorewall two-interface sample configuration assumes that
|
||||
the external interface is <b>eth0</b> and the internal interface is
|
||||
<b>eth1</b>. If your configuration is different, you will have to modify
|
||||
the sample <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
|
||||
file accordingly. While you are there, you may wish to review the list
|
||||
of options that are specified for the interfaces. Some hints:</p>
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
@ -277,8 +289,8 @@ doesn't work at all.</p>
|
||||
</li>
|
||||
<li>
|
||||
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>
|
||||
or if you have a static IP address, you can remove "dhcp" from the option
|
||||
list. </p>
|
||||
or if you have a static IP address, you can remove "dhcp" from the
|
||||
option list. </p>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
@ -286,17 +298,17 @@ doesn't work at all.</p>
|
||||
<h2 align="left">IP Addresses</h2>
|
||||
|
||||
<p align="left">Before going further, we should say a few words about Internet
|
||||
Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you a single
|
||||
<i> Public</i> IP address. This address may be assigned via the<i> Dynamic
|
||||
Host Configuration Protocol</i> (DHCP) or as part of establishing your
|
||||
connection when you dial in (standard modem) or establish your PPP connection.
|
||||
In rare cases, your ISP may assign you a<i> static</i> IP address; that
|
||||
means that you configure your firewall's external interface to use that
|
||||
address permanently.<i> </i>However your external address is assigned, it
|
||||
will be shared by all of your systems when you access the Internet. You will
|
||||
have to assign your own addresses in your internal network (the Internal
|
||||
Interface on your firewall plus your other computers). RFC 1918 reserves
|
||||
several <i>Private </i>IP address ranges for this purpose:</p>
|
||||
Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you a
|
||||
single <i> Public</i> IP address. This address may be assigned via the<i>
|
||||
Dynamic Host Configuration Protocol</i> (DHCP) or as part of establishing
|
||||
your connection when you dial in (standard modem) or establish your PPP
|
||||
connection. In rare cases, your ISP may assign you a<i> static</i> IP address;
|
||||
that means that you configure your firewall's external interface to use
|
||||
that address permanently.<i> </i>However your external address is assigned,
|
||||
it will be shared by all of your systems when you access the Internet.
|
||||
You will have to assign your own addresses in your internal network (the
|
||||
Internal Interface on your firewall plus your other computers). RFC 1918
|
||||
reserves several <i>Private </i>IP address ranges for this purpose:</p>
|
||||
|
||||
<div align="left">
|
||||
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
|
||||
@ -306,9 +318,9 @@ several <i>Private </i>IP address ranges for this purpose:</p>
|
||||
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
|
||||
height="13">
|
||||
Before starting Shorewall, you should look at the IP address
|
||||
of your external interface and if it is one of the above ranges, you
|
||||
should remove the 'norfc1918' option from the external interface's entry
|
||||
in /etc/shorewall/interfaces.</p>
|
||||
of your external interface and if it is one of the above ranges, you
|
||||
should remove the 'norfc1918' option from the external interface's
|
||||
entry in /etc/shorewall/interfaces.</p>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
@ -316,12 +328,12 @@ in /etc/shorewall/interfaces.</p>
|
||||
sub-network </i>(<i>subnet)</i>. For our purposes, we can consider a subnet
|
||||
to consists of a range of addresses x.y.z.0 - x.y.z.255. Such a subnet
|
||||
will have a <i>Subnet Mask </i>of 255.255.255.0. The address x.y.z.0
|
||||
is reserved as the <i>Subnet Address</i> and x.y.z.255 is reserved as
|
||||
the <i>Subnet Broadcast</i> <i>Address</i>. In Shorewall, a subnet is described
|
||||
using <a href="subnet_masks.htm"><i>Classless InterDomain Routing </i>(CIDR)
|
||||
notation</a> with consists of the subnet address followed by "/24". The
|
||||
"24" refers to the number of consecutive leading "1" bits from the left
|
||||
of the subnet mask. </p>
|
||||
is reserved as the <i>Subnet Address</i> and x.y.z.255 is reserved as
|
||||
the <i>Subnet Broadcast</i> <i>Address</i>. In Shorewall, a subnet is
|
||||
described using <a href="shorewall_setup_guide.htm#Subnets"><i>Classless
|
||||
InterDomain Routing </i>(CIDR) notation</a> with consists of the subnet
|
||||
address followed by "/24". The "24" refers to the number of consecutive
|
||||
leading "1" bits from the left of the subnet mask. </p>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
@ -365,15 +377,16 @@ the <i>Subnet Broadcast</i> <i>Address</i>. In Shorewall, a subnet is describ
|
||||
<p align="left">One of the purposes of subnetting is to allow all computers
|
||||
in the subnet to understand which other computers can be communicated
|
||||
with directly. To communicate with systems outside of the subnetwork,
|
||||
systems send packets through a<i> gateway</i> (router).</p>
|
||||
systems send packets through a<i> gateway</i> (router).</p>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
|
||||
height="13">
|
||||
Your local computers (computer 1 and computer 2 in the above
|
||||
diagram) should be configured with their<i> default gateway</i> to be
|
||||
the IP address of the firewall's internal interface.<i> </i> </p>
|
||||
diagram) should be configured with their<i> default gateway</i> to
|
||||
be the IP address of the firewall's internal interface.<i> </i>
|
||||
</p>
|
||||
</div>
|
||||
|
||||
<p align="left">The foregoing short discussion barely scratches the surface
|
||||
@ -394,19 +407,19 @@ the IP address of the firewall's internal interface.<i>
|
||||
<h2 align="left">IP Masquerading (SNAT)</h2>
|
||||
|
||||
<p align="left">The addresses reserved by RFC 1918 are sometimes referred
|
||||
to as <i>non-routable</i> because the Internet backbone routers don't forward
|
||||
packets which have an RFC-1918 destination address. When one of your local
|
||||
systems (let's assume computer 1) sends a connection request to an internet
|
||||
host, the firewall must perform <i>Network Address Translation </i>(NAT).
|
||||
The firewall rewrites the source address in the packet to be the address
|
||||
of the firewall's external interface; in other words, the firewall makes
|
||||
it look as if the firewall itself is initiating the connection. This is
|
||||
necessary so that the destination host will be able to route return packets
|
||||
back to the firewall (remember that packets whose destination address
|
||||
is reserved by RFC 1918 can't be routed across the internet so the remote
|
||||
host can't address its response to computer 1). When the firewall receives
|
||||
a return packet, it rewrites the destination address back to 10.10.10.1
|
||||
and forwards the packet on to computer 1. </p>
|
||||
to as <i>non-routable</i> because the Internet backbone routers don't
|
||||
forward packets which have an RFC-1918 destination address. When one of
|
||||
your local systems (let's assume computer 1) sends a connection request
|
||||
to an internet host, the firewall must perform <i>Network Address Translation
|
||||
</i>(NAT). The firewall rewrites the source address in the packet to
|
||||
be the address of the firewall's external interface; in other words, the
|
||||
firewall makes it look as if the firewall itself is initiating the connection.
|
||||
This is necessary so that the destination host will be able to route return
|
||||
packets back to the firewall (remember that packets whose destination
|
||||
address is reserved by RFC 1918 can't be routed across the internet so
|
||||
the remote host can't address its response to computer 1). When the firewall
|
||||
receives a return packet, it rewrites the destination address back to 10.10.10.1
|
||||
and forwards the packet on to computer 1. </p>
|
||||
|
||||
<p align="left">On Linux systems, the above process is often referred to as<i>
|
||||
IP Masquerading</i> but you will also see the term <i>Source Network Address
|
||||
@ -434,27 +447,40 @@ and forwards the packet on to computer 1. </p>
|
||||
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
|
||||
height="13">
|
||||
If your external firewall interface is <b>eth0</b>, you do not
|
||||
need to modify the file provided with the sample. Otherwise, edit /etc/shorewall/masq
|
||||
need to modify the file provided with the sample. Otherwise, edit /etc/shorewall/masq
|
||||
and change the first column to the name of your external interface and
|
||||
the second column to the name of your internal interface.</p>
|
||||
the second column to the name of your internal interface.</p>
|
||||
|
||||
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
|
||||
height="13">
|
||||
If your external IP is static, you can enter it in the third column
|
||||
in the /etc/shorewall/masq entry if you like although your firewall will
|
||||
work fine if you leave that column empty. Entering your static IP in column
|
||||
3 makes processing outgoing packets a little more efficient. </p>
|
||||
If your external IP is static, you can enter it in the third
|
||||
column in the /etc/shorewall/masq entry if you like although your firewall
|
||||
will work fine if you leave that column empty. Entering your static
|
||||
IP in column 3 makes processing outgoing packets a little more efficient.<br>
|
||||
<br>
|
||||
<img border="0" src="images/BD21298_.gif" width="13" height="13" alt="">
|
||||
If you are using the Debian package, please check your shorewall.conf
|
||||
file to ensure that the following are set correctly; if they are not, change
|
||||
them appropriately:<br>
|
||||
</p>
|
||||
|
||||
<ul>
|
||||
<li>NAT_ENABLED=Yes</li>
|
||||
<li>IP_FORWARDING=On<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h2 align="left">Port Forwarding (DNAT)</h2>
|
||||
|
||||
<p align="left">One of your goals may be to run one or more servers on your
|
||||
local computers. Because these computers have RFC-1918 addresses, it is
|
||||
not possible for clients on the internet to connect directly to them. It
|
||||
is rather necessary for those clients to address their connection requests
|
||||
to the firewall who rewrites the destination address to the address of your
|
||||
server and forwards the packet to that server. When your server responds,
|
||||
local computers. Because these computers have RFC-1918 addresses, it
|
||||
is not possible for clients on the internet to connect directly to them.
|
||||
It is rather necessary for those clients to address their connection requests
|
||||
to the firewall who rewrites the destination address to the address of
|
||||
your server and forwards the packet to that server. When your server responds,
|
||||
the firewall automatically performs SNAT to rewrite the source address
|
||||
in the response.</p>
|
||||
in the response.</p>
|
||||
|
||||
<p align="left">The above process is called<i> Port Forwarding</i> or <i>
|
||||
Destination Network Address Translation</i> (DNAT). You configure port
|
||||
@ -524,14 +550,14 @@ in the response.</p>
|
||||
<p>A couple of important points to keep in mind:</p>
|
||||
|
||||
<ul>
|
||||
<li>You must test the above rule from a client outside of your local
|
||||
network (i.e., don't test from a browser running on computers 1 or 2
|
||||
or on the firewall). If you want to be able to access your web server
|
||||
using the IP address of your external interface, see <a
|
||||
<li>You must test the above rule from a client outside of your
|
||||
local network (i.e., don't test from a browser running on computers
|
||||
1 or 2 or on the firewall). If you want to be able to access your web
|
||||
server using the IP address of your external interface, see <a
|
||||
href="FAQ.htm#faq2">Shorewall FAQ #2</a>.</li>
|
||||
<li>Many ISPs block incoming connection requests to port 80. If you
|
||||
have problems connecting to your web server, try the following rule and
|
||||
try connecting to port 5000.</li>
|
||||
<li>Many ISPs block incoming connection requests to port 80.
|
||||
If you have problems connecting to your web server, try the following
|
||||
rule and try connecting to port 5000.</li>
|
||||
|
||||
</ul>
|
||||
|
||||
@ -563,42 +589,42 @@ using the IP address of your external interface, see <a
|
||||
</blockquote>
|
||||
|
||||
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13">
|
||||
At this point, modify /etc/shorewall/rules to add any DNAT rules
|
||||
that you require.</p>
|
||||
At this point, modify /etc/shorewall/rules to add any DNAT
|
||||
rules that you require.</p>
|
||||
|
||||
<h2 align="left">Domain Name Server (DNS)</h2>
|
||||
|
||||
<p align="left">Normally, when you connect to your ISP, as part of getting
|
||||
an IP address your firewall's <i>Domain Name Service </i>(DNS) resolver
|
||||
will be automatically configured (e.g., the /etc/resolv.conf file will be
|
||||
written). Alternatively, your ISP may have given you the IP address of
|
||||
a pair of DNS <i> name servers</i> for you to manually configure as your
|
||||
primary and secondary name servers. Regardless of how DNS gets configured
|
||||
on your firewall, it is <u>your</u> responsibility to configure the resolver
|
||||
in your internal systems. You can take one of two approaches:</p>
|
||||
will be automatically configured (e.g., the /etc/resolv.conf file will
|
||||
be written). Alternatively, your ISP may have given you the IP address
|
||||
of a pair of DNS <i> name servers</i> for you to manually configure as your
|
||||
primary and secondary name servers. Regardless of how DNS gets configured
|
||||
on your firewall, it is <u>your</u> responsibility to configure the resolver
|
||||
in your internal systems. You can take one of two approaches:</p>
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
<p align="left">You can configure your internal systems to use your ISP's
|
||||
name servers. If you ISP gave you the addresses of their servers or if
|
||||
those addresses are available on their web site, you can configure your
|
||||
internal systems to use those addresses. If that information isn't available,
|
||||
look in /etc/resolv.conf on your firewall system -- the name servers
|
||||
are given in "nameserver" records in that file. </p>
|
||||
name servers. If you ISP gave you the addresses of their servers or
|
||||
if those addresses are available on their web site, you can configure
|
||||
your internal systems to use those addresses. If that information isn't
|
||||
available, look in /etc/resolv.conf on your firewall system -- the name
|
||||
servers are given in "nameserver" records in that file. </p>
|
||||
</li>
|
||||
<li>
|
||||
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
|
||||
height="13">
|
||||
You can configure a<i> Caching Name Server </i>on your firewall.<i>
|
||||
</i>Red Hat has an RPM for a caching name server (the RPM also requires
|
||||
the 'bind' RPM) and for Bering users, there is dnscache.lrp. If you take
|
||||
this approach, you configure your internal systems to use the firewall
|
||||
itself as their primary (and only) name server. You use the internal IP
|
||||
address of the firewall (10.10.10.254 in the example above) for the name
|
||||
server address. To allow your local systems to talk to your caching name
|
||||
server, you must open port 53 (both UDP and TCP) from the local network
|
||||
to the firewall; you do that by adding the following rules in /etc/shorewall/rules.
|
||||
</p>
|
||||
</i>Red Hat has an RPM for a caching name server (the RPM also
|
||||
requires the 'bind' RPM) and for Bering users, there is dnscache.lrp. If
|
||||
you take this approach, you configure your internal systems to use the
|
||||
firewall itself as their primary (and only) name server. You use the internal
|
||||
IP address of the firewall (10.10.10.254 in the example above) for the
|
||||
name server address. To allow your local systems to talk to your caching
|
||||
name server, you must open port 53 (both UDP and TCP) from the local
|
||||
network to the firewall; you do that by adding the following rules in
|
||||
/etc/shorewall/rules. </p>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
@ -808,7 +834,8 @@ are given in "nameserver" records in that file. </p>
|
||||
|
||||
<div align="left">
|
||||
<p align="left">Those two rules would of course be in addition to the rules
|
||||
listed above under "You can configure a Caching Name Server on your firewall"</p>
|
||||
listed above under "You can configure a Caching Name Server on your
|
||||
firewall"</p>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
@ -854,8 +881,8 @@ uses, look <a href="ports.htm">here</a>.</p>
|
||||
<div align="left">
|
||||
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
|
||||
height="13">
|
||||
Now edit your /etc/shorewall/rules file to add or delete other
|
||||
connections as required.</p>
|
||||
Now edit your /etc/shorewall/rules file to add or delete
|
||||
other connections as required.</p>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
@ -868,8 +895,9 @@ uses, look <a href="ports.htm">here</a>.</p>
|
||||
The <a href="Install.htm">installation procedure </a> configures
|
||||
your system to start Shorewall at system boot but beginning with Shorewall
|
||||
version 1.3.9 startup is disabled so that your system won't try to start
|
||||
Shorewall before configuration is complete. Once you have completed configuration
|
||||
of your firewall, you can enable Shorewall startup by removing the file /etc/shorewall/startup_disabled.<br>
|
||||
Shorewall before configuration is complete. Once you have completed configuration
|
||||
of your firewall, you can enable Shorewall startup by removing the file
|
||||
/etc/shorewall/startup_disabled.<br>
|
||||
</p>
|
||||
|
||||
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: </font><font
|
||||
@ -891,10 +919,11 @@ of your firewall, you can enable Shorewall startup by removing the file /etc/sho
|
||||
<div align="left">
|
||||
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
|
||||
height="13">
|
||||
The two-interface sample assumes that you want to enable routing
|
||||
to/from <b>eth1 </b>(the local network) when Shorewall is stopped. If
|
||||
your local network isn't connected to <b>eth1</b> or if you wish to enable
|
||||
access to/from other hosts, change /etc/shorewall/routestopped accordingly.</p>
|
||||
The two-interface sample assumes that you want to enable
|
||||
routing to/from <b>eth1 </b>(the local network) when Shorewall is stopped.
|
||||
If your local network isn't connected to <b>eth1</b> or if you wish to
|
||||
enable access to/from other hosts, change /etc/shorewall/routestopped
|
||||
accordingly.</p>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
@ -904,11 +933,11 @@ of your firewall, you can enable Shorewall startup by removing the file /etc/sho
|
||||
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
|
||||
Also, I don't recommend using "shorewall restart"; it is better to create
|
||||
an <i><a href="configuration_file_basics.htm#Configs">alternate configuration</a></i>
|
||||
and test it using the <a href="starting_and_stopping_shorewall.htm">"shorewall
|
||||
try" command</a>.</p>
|
||||
and test it using the <a
|
||||
href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p>
|
||||
</div>
|
||||
|
||||
<p align="left"><font size="2">Last updated 11/21/2002 - <a
|
||||
<p align="left"><font size="2">Last updated 12/20/2002 - <a
|
||||
href="support.htm">Tom Eastep</a></font></p>
|
||||
|
||||
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas
|
||||
@ -919,5 +948,9 @@ of your firewall, you can enable Shorewall startup by removing the file /etc/sho
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -28,7 +28,7 @@
|
||||
# shown below. Simply run this script to revert to your prior version of
|
||||
# Shoreline Firewall.
|
||||
|
||||
VERSION=1.3.11a
|
||||
VERSION=1.3.12
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
@ -119,6 +119,14 @@ restore_file /etc/shorewall/whitelist
|
||||
|
||||
restore_file /etc/shorewall/rfc1918
|
||||
|
||||
restore_file /etc/shorewall/init
|
||||
|
||||
restore_file /etc/shorewall/start
|
||||
|
||||
restore_file /etc/shorewall/stop
|
||||
|
||||
restore_file /etc/shorewall/stopped
|
||||
|
||||
if [ -f /usr/lib/shorewall/version-${VERSION}.bkout ]; then
|
||||
restore_file /usr/lib/shorewall/version
|
||||
oldversion="`cat /usr/lib/shorewall/version`"
|
||||
|
568
STABLE/firewall
568
STABLE/firewall
File diff suppressed because it is too large
Load Diff
@ -25,9 +25,22 @@ find_file()
|
||||
#
|
||||
# Replace commas with spaces and echo the result
|
||||
#
|
||||
separate_list()
|
||||
{
|
||||
echo $1 | sed 's/,/ /g'
|
||||
separate_list() {
|
||||
local list
|
||||
local part
|
||||
local newlist
|
||||
|
||||
list="$@"
|
||||
part="${list%%,*}"
|
||||
newlist="$part"
|
||||
|
||||
while [ "x$part" != "x$list" ]; do
|
||||
list="${list#*,}";
|
||||
part="${list%%,*}";
|
||||
newlist="$newlist $part";
|
||||
done
|
||||
|
||||
echo "$newlist"
|
||||
}
|
||||
|
||||
#
|
||||
|
6
STABLE/init
Normal file
6
STABLE/init
Normal file
@ -0,0 +1,6 @@
|
||||
############################################################################
|
||||
# Shorewall 1.3 -- /etc/shorewall/init
|
||||
#
|
||||
# Add commands below that you want to be executed at the beginning of
|
||||
# a "shorewall start" or "shorewall restart" command.
|
||||
#
|
@ -54,7 +54,7 @@
|
||||
# /etc/rc.d/rc.local file is modified to start the firewall.
|
||||
#
|
||||
|
||||
VERSION=1.3.11a
|
||||
VERSION=1.3.12
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
@ -488,6 +488,46 @@ else
|
||||
echo "RFC 1918 file installed as ${PREFIX}/etc/shorewall/rfc1918"
|
||||
fi
|
||||
#
|
||||
# Install the init file
|
||||
#
|
||||
if [ -f ${PREFIX}/etc/shorewall/init ]; then
|
||||
backup_file /etc/shorewall/init
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 init ${PREFIX}/etc/shorewall/init
|
||||
echo
|
||||
echo "Init file installed as ${PREFIX}/etc/shorewall/init"
|
||||
fi
|
||||
#
|
||||
# Install the start file
|
||||
#
|
||||
if [ -f ${PREFIX}/etc/shorewall/start ]; then
|
||||
backup_file /etc/shorewall/start
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 start ${PREFIX}/etc/shorewall/start
|
||||
echo
|
||||
echo "Start file installed as ${PREFIX}/etc/shorewall/start"
|
||||
fi
|
||||
#
|
||||
# Install the stop file
|
||||
#
|
||||
if [ -f ${PREFIX}/etc/shorewall/stop ]; then
|
||||
backup_file /etc/shorewall/stop
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 stop ${PREFIX}/etc/shorewall/stop
|
||||
echo
|
||||
echo "Stop file installed as ${PREFIX}/etc/shorewall/stop"
|
||||
fi
|
||||
#
|
||||
# Install the stopped file
|
||||
#
|
||||
if [ -f ${PREFIX}/etc/shorewall/stopped ]; then
|
||||
backup_file /etc/shorewall/stopped
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 stopped ${PREFIX}/etc/shorewall/stopped
|
||||
echo
|
||||
echo "Stopped file installed as ${PREFIX}/etc/shorewall/stopped"
|
||||
fi
|
||||
#
|
||||
# Backup the version file
|
||||
#
|
||||
if [ -z "$PREFIX" ]; then
|
||||
|
@ -29,6 +29,12 @@
|
||||
# log message is generated. See syslog.conf(5) for a
|
||||
# description of log levels.
|
||||
#
|
||||
# Beginning with Shorewall version 1.3.12, you may
|
||||
# also specify ULOG (must be in upper case). This will
|
||||
# log to the ULOG target and sent to a separate log
|
||||
# through use of ulogd
|
||||
# (http://www.gnumonks.org/projects/ulogd).
|
||||
#
|
||||
# If you don't want to log but need to specify the
|
||||
# following column, place "_" here.
|
||||
#
|
||||
|
@ -2,22 +2,39 @@ This is a minor release of Shorewall that has a couple of new features.
|
||||
|
||||
New features include:
|
||||
|
||||
1) A 'tcpflags' option has been added to entries in
|
||||
/etc/shorewall/interfaces. This option causes Shorewall to make a
|
||||
set of sanity check on TCP packet header flags.
|
||||
1) "shorewall refresh" now reloads the traffic shaping rules (tcrules
|
||||
and tcstart).
|
||||
|
||||
2) It is now allowed to use 'all' in the SOURCE or DEST column in a
|
||||
rule. When used, 'all' must appear by itself (in may not be
|
||||
qualified) and it does not enable intra-zone traffic (e.g., the rule
|
||||
"ACCEPT loc all tcp 80" does not enable http traffic from
|
||||
'loc' to 'loc').
|
||||
2) "shorewall debug [re]start" now turns off debugging after an error
|
||||
occurs. This places the point of the failure near the end of the
|
||||
trace rather than up in the middle of it.
|
||||
|
||||
3) Shorewall's use of the 'echo' command is now compatible with bash
|
||||
clones such as ash and dash.
|
||||
3) "shorewall [re]start" has been speeded up by more than 40% with
|
||||
my configuration. Your milage may vary.
|
||||
|
||||
4) fw->fw policies now generate a startup error. fw->fw rules generate
|
||||
a warning and are ignored.
|
||||
4) A "shorewall show classifiers" command has been added which shows
|
||||
the current packet classification filters. The output from this
|
||||
command is also added as a separate page in "shorewall monitor"
|
||||
|
||||
5) ULOG (must be all caps) is now accepted as a valid syslog level and
|
||||
causes the subject packets to be logged using the ULOG target rather
|
||||
than the LOG target. This allows you to run ulogd (available from
|
||||
www.gnumonks.org/projects/ulogd) and log all Shorewall messages to
|
||||
a separate log file.
|
||||
|
||||
6) If you are running a kernel that has a FORWARD chain in the mangle
|
||||
table ("shorewall show mangle" will show you the chains in the
|
||||
mangle table), you can set MARK_IN_FORWARD=Yes in
|
||||
shorewall.conf. This allows for marking inbound packets based on
|
||||
their destination even when you are using Masquerading or SNAT.
|
||||
|
||||
7) I have cluttered up the /etc/shorewall directory with empty 'init',
|
||||
'start', 'stop' and 'stopped' files. If you already have a file with
|
||||
one of these names, don't worry -- the upgrade process won't
|
||||
overwrite your file.
|
||||
|
||||
8) I have added a new RFC1918_LOG_LEVEL variable to
|
||||
shorewall.conf. This variable specifies the syslog level at which
|
||||
packets are logged as a result of entries in the
|
||||
/etc/shorewall/rfc1918 file. Previously, these packets were always
|
||||
logged at the 'info' level.
|
||||
|
@ -31,6 +31,13 @@
|
||||
# level (e.g, REJECT:info). This causes the packet to be
|
||||
# logged at the specified level.
|
||||
#
|
||||
# Beginning with Shorewall version 1.3.12, you may
|
||||
# also specify ULOG (must be in upper case) as a log level.\
|
||||
# This will log to the ULOG target and sent to a separate log
|
||||
# through use of ulogd
|
||||
# (http://www.gnumonks.org/projects/ulogd).
|
||||
#
|
||||
#
|
||||
# SOURCE Source hosts to which the rule applies. May be a zone
|
||||
# defined in /etc/shorewall/zones, $FW to indicate the
|
||||
# firewall itself, or "all" If the ACTION is DNAT or
|
||||
|
@ -58,6 +58,7 @@
|
||||
# shorewall show nat Display the rules in the nat table
|
||||
# shorewall show {mangle|tos} Display the rules in the mangle table
|
||||
# shorewall show tc Display traffic control info
|
||||
# shorewall show classifiers Display classifiers
|
||||
# shorewall version Display the installed version id
|
||||
# shorewall check Verify the more heavily-used
|
||||
# configuration files.
|
||||
@ -258,7 +259,8 @@ packet_log() # $1 = number of messages
|
||||
[ -n "$realtail" ] && options="-n$1"
|
||||
|
||||
grep 'Shorewall:\|ipt_unclean' $LOGFILE | \
|
||||
sed s/" $host kernel: Shorewall:"/" "/ | \
|
||||
sed s/" kernel:"// | \
|
||||
sed s/" $host Shorewall:"/" "/ | \
|
||||
sed s/" $host kernel: ipt_unclean: "/" "/ | \
|
||||
sed 's/MAC=.*SRC=/SRC=/' | \
|
||||
tail $options
|
||||
@ -294,6 +296,34 @@ show_tc() {
|
||||
|
||||
}
|
||||
|
||||
#
|
||||
# Show classifier information
|
||||
#
|
||||
show_classifiers() {
|
||||
|
||||
show_one_classifier() {
|
||||
local device=${1%@*}
|
||||
qdisc=`tc qdisc list dev $device`
|
||||
|
||||
if [ -n "$qdisc" ]; then
|
||||
echo Device $device:
|
||||
tc -s filter ls dev $device
|
||||
echo
|
||||
fi
|
||||
}
|
||||
|
||||
ip link list | \
|
||||
while read inx interface details; do
|
||||
case $inx in
|
||||
[0-9]*)
|
||||
show_one_classifier ${interface%:}
|
||||
;;
|
||||
*)
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
}
|
||||
#
|
||||
# Monitor the Firewall
|
||||
#
|
||||
@ -383,6 +413,15 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
|
||||
echo
|
||||
show_tc
|
||||
timed_read
|
||||
|
||||
clear
|
||||
echo "$banner `date`"
|
||||
echo
|
||||
echo
|
||||
echo "Packet Classifiers"
|
||||
echo
|
||||
show_classifiers
|
||||
timed_read
|
||||
done
|
||||
}
|
||||
|
||||
@ -450,7 +489,7 @@ usage() # $1 = exit status
|
||||
echo "where <command> is one of:"
|
||||
echo " add <interface>[:<host>] <zone>"
|
||||
echo " delete <interface>[:<host>] <zone>"
|
||||
echo " show [<chain>|connections|log|nat|tc|tos]"
|
||||
echo " show [<chain>|classifiers|connections|log|nat|tc|tos]"
|
||||
echo " start"
|
||||
echo " stop"
|
||||
echo " reset"
|
||||
@ -629,6 +668,11 @@ case "$1" in
|
||||
echo
|
||||
show_tc
|
||||
;;
|
||||
classifiers)
|
||||
echo "Shorewall-$version Clasifiers at $HOSTNAME - `date`"
|
||||
echo
|
||||
show_classifiers
|
||||
;;
|
||||
*)
|
||||
echo "Shorewall-$version Chain $2 at $HOSTNAME - `date`"
|
||||
echo
|
||||
@ -658,8 +702,12 @@ case "$1" in
|
||||
echo
|
||||
packet_log 20
|
||||
echo
|
||||
echo "NAT Table"
|
||||
echo
|
||||
iptables -t nat -L -n -v
|
||||
echo
|
||||
echo "Mangle Table"
|
||||
echo
|
||||
iptables -t mangle -L -n -v
|
||||
echo
|
||||
cat /proc/net/ip_conntrack
|
||||
|
@ -9,6 +9,35 @@
|
||||
# (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net)
|
||||
##############################################################################
|
||||
#
|
||||
# General note about log levels. Log levels are a method of describing
|
||||
# to syslog (8) the importance of a message and a number of parameters
|
||||
# in this file have log levels as their value.
|
||||
#
|
||||
# Valid levels are:
|
||||
#
|
||||
# 7 debug
|
||||
# 6 info
|
||||
# 5 notice
|
||||
# 4 warning
|
||||
# 3 err
|
||||
# 2 crit
|
||||
# 1 alert
|
||||
# 0 emerg
|
||||
#
|
||||
# For most Shorewall logging, a level of 6 (info) is appropriate. Shorewall
|
||||
# log messages are generated by NetFilter and are logged using facility
|
||||
# 'kern' and the level that you specifify. If you are unsure of the level
|
||||
# to choose, 6 (info) is a safe bet. You may specify levels by name or by
|
||||
# number.
|
||||
#
|
||||
# If you have build your kernel with ULOG target support, you may also
|
||||
# specify a log level of ULOG (must be all caps). Rather than log its
|
||||
# messages to syslogd, Shorewall will direct netfilter to log the messages
|
||||
# via the ULOG target which will send them to a process called 'ulogd'.
|
||||
# ulogd is available from http://www.gnumonks.org/projects/ulogd and can be
|
||||
# configured to log all Shorewall message to their own log file
|
||||
################################################################################
|
||||
#
|
||||
# PATH - Change this if you want to change the order in which Shorewall
|
||||
# searches directories for executable files.
|
||||
#
|
||||
@ -96,6 +125,8 @@ LOGBURST=
|
||||
# packets are logged under the 'logunclean' interface option. If the variable
|
||||
# is empty, these packets will still be logged at the 'info' level.
|
||||
#
|
||||
# See the comment at the top of this file for a description of log levels
|
||||
#
|
||||
|
||||
LOGUNCLEAN=info
|
||||
|
||||
@ -191,6 +222,8 @@ BLACKLIST_DISPOSITION=DROP
|
||||
# (beward of DOS attacks resulting from such logging). If not set, no logging
|
||||
# of blacklist packets occurs.
|
||||
#
|
||||
# See the comment at the top of this file for a description of log levels
|
||||
#
|
||||
BLACKLIST_LOGLEVEL=
|
||||
|
||||
#
|
||||
@ -353,6 +386,8 @@ MUTEX_TIMEOUT=60
|
||||
# it will be rejected by the firewall. If you want these rejects logged,
|
||||
# then set LOGNEWNOTSYN to the syslog log level at which you want them logged.
|
||||
#
|
||||
# See the comment at the top of this file for a description of log levels
|
||||
#
|
||||
# Example: LOGNEWNOTSYN=debug
|
||||
|
||||
|
||||
@ -401,6 +436,8 @@ MACLIST_DISPOSITION=REJECT
|
||||
# verification. If set to the empty value (MACLIST_LOG_LEVEL="") then
|
||||
# such connection requests will not be logged.
|
||||
#
|
||||
# See the comment at the top of this file for a description of log levels
|
||||
#
|
||||
|
||||
MACLIST_LOG_LEVEL=info
|
||||
|
||||
@ -421,7 +458,41 @@ TCP_FLAGS_DISPOSITION=DROP
|
||||
# verification. If set to the empty value (TCP_FLAGS_LOG_LEVEL="") then
|
||||
# such packets will not be logged.
|
||||
#
|
||||
# See the comment at the top of this file for a description of log levels
|
||||
#
|
||||
|
||||
TCP_FLAGS_LOG_LEVEL=info
|
||||
|
||||
#
|
||||
# RFC1918 Log Level
|
||||
#
|
||||
# Specifies the logging level for packets that fail RFC 1918
|
||||
# verification. If set to the empty value (RFC1918_LOG_LEVEL="") then
|
||||
# RFC1918_LOG_LEVEL=info is assumed.
|
||||
#
|
||||
# See the comment at the top of this file for a description of log levels
|
||||
#
|
||||
|
||||
RFC1918_LOG_LEVEL=info
|
||||
|
||||
#
|
||||
# Mark Packets in the forward chain
|
||||
#
|
||||
# When processing the tcrules file, Shorewall normally marks packets in the
|
||||
# PREROUTING chain. To cause Shorewall to use the FORWARD chain instead, set
|
||||
# this to "Yes". If not specified or if set to the empty value (e.g.,
|
||||
# MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed.
|
||||
#
|
||||
# Marking packets in the FORWARD chain has the advantage that inbound
|
||||
# packets destined for Masqueraded/SNATed local hosts have had their destination
|
||||
# address rewritten so they can be marked based on their destination. When
|
||||
# packets are marked in the PREROUTING chain, packets destined for
|
||||
# Masqueraded/SNATed local hosts still have a destination address corresponding
|
||||
# to the firewall's external interface.
|
||||
#
|
||||
# Note: Older kernels do not support marking packets in the FORWARD chain and
|
||||
# setting this variable to Yes may cause startup problems.
|
||||
|
||||
MARK_IN_FORWARD_CHAIN=No
|
||||
|
||||
#LAST LINE -- DO NOT REMOVE
|
||||
|
@ -1,5 +1,5 @@
|
||||
%define name shorewall
|
||||
%define version 1.3.11a
|
||||
%define version 1.3.12
|
||||
%define release 1
|
||||
%define prefix /usr
|
||||
|
||||
@ -94,6 +94,10 @@ fi
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/hosts
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/blacklist
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/rfc1918
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/init
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/start
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/stop
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/stopped
|
||||
%attr(0544,root,root) /sbin/shorewall
|
||||
%attr(0444,root,root) /usr/lib/shorewall/functions
|
||||
%attr(0544,root,root) /usr/lib/shorewall/firewall
|
||||
@ -101,6 +105,15 @@ fi
|
||||
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
|
||||
|
||||
%changelog
|
||||
* Fri Dec 27 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Changes version to 1.3.12
|
||||
* Sun Dec 22 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Changes version to 1.3.12-0Beta3
|
||||
* Fri Dec 20 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Changes version to 1.3.12-0Beta2
|
||||
* Wed Dec 18 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Changes version to 1.3.12-0Beta1
|
||||
- Add init, start, stop and stopped files.
|
||||
* Tue Dec 03 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Changes version to 1.3.11a
|
||||
* Sun Nov 24 2002 Tom Eastep <tom@shorewall.net>
|
||||
|
6
STABLE/start
Normal file
6
STABLE/start
Normal file
@ -0,0 +1,6 @@
|
||||
############################################################################
|
||||
# Shorewall 1.3 -- /etc/shorewall/start
|
||||
#
|
||||
# Add commands below that you want to be executed after shorewall has
|
||||
# been started or restarted.
|
||||
#
|
6
STABLE/stop
Normal file
6
STABLE/stop
Normal file
@ -0,0 +1,6 @@
|
||||
############################################################################
|
||||
# Shorewall 1.3 -- /etc/shorewall/stop
|
||||
#
|
||||
# Add commands below that you want to be executed at the beginning of a
|
||||
# "shorewall stop" command.
|
||||
#
|
6
STABLE/stopped
Normal file
6
STABLE/stopped
Normal file
@ -0,0 +1,6 @@
|
||||
############################################################################
|
||||
# Shorewall 1.3 -- /etc/shorewall/stopped
|
||||
#
|
||||
# Add commands below that you want to be executed at the completion of a
|
||||
# "shorewall stop" command.
|
||||
#
|
@ -26,7 +26,7 @@
|
||||
# You may only use this script to uninstall the version
|
||||
# shown below. Simply run this script to remove Seattle Firewall
|
||||
|
||||
VERSION=1.3.11a
|
||||
VERSION=1.3.12
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
File diff suppressed because it is too large
Load Diff
@ -2,17 +2,22 @@
|
||||
<html>
|
||||
<head>
|
||||
|
||||
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
<title>Shorewall FAQ</title>
|
||||
|
||||
|
||||
|
||||
<meta name="Microsoft Theme" content="none">
|
||||
</head>
|
||||
<body>
|
||||
@ -24,16 +29,18 @@
|
||||
<tr>
|
||||
<td width="100%">
|
||||
|
||||
|
||||
<h1 align="center"><font color="#ffffff">Shorewall FAQs</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<p align="left"><b>1. </b><a href="#faq1"> I want to <b>forward</b> UDP <b>
|
||||
port</b> 7777 to my my personal PC with IP address 192.168.1.5. I've
|
||||
looked everywhere and can't find <b>how to do it</b>.</a></p>
|
||||
port</b> 7777 to my my personal PC with IP address 192.168.1.5.
|
||||
I've looked everywhere and can't find <b>how to do it</b>.</a></p>
|
||||
|
||||
<p align="left"><b>1a. </b><a href="#faq1a">Ok -- I followed those instructions
|
||||
but it doesn't work.<br>
|
||||
@ -43,22 +50,22 @@
|
||||
port forwarding</a></p>
|
||||
|
||||
<p align="left"><b>2.</b> <a href="#faq2">I <b>port forward</b> www requests
|
||||
to www.mydomain.com (IP 130.151.100.69) to system 192.168.1.5 in my
|
||||
local network. <b>External clients can browse</b> http://www.mydomain.com
|
||||
but <b>internal clients can't</b>.</a></p>
|
||||
to www.mydomain.com (IP 130.151.100.69) to system 192.168.1.5
|
||||
in my local network. <b>External clients can browse</b> http://www.mydomain.com
|
||||
but <b>internal clients can't</b>.</a></p>
|
||||
|
||||
<p align="left"><b>2a. </b><a href="#faq3">I have a zone "Z" with an RFC1918
|
||||
subnet and I use <b>static NAT</b> to assign non-RFC1918 addresses
|
||||
to hosts in Z. Hosts in Z cannot communicate with each other using their
|
||||
external (non-RFC1918 addresses) so they <b>can't access each other using
|
||||
their DNS names.</b></a></p>
|
||||
to hosts in Z. Hosts in Z cannot communicate with each other using
|
||||
their external (non-RFC1918 addresses) so they <b>can't access
|
||||
each other using their DNS names.</b></a></p>
|
||||
|
||||
<p align="left"><b>3. </b><a href="#faq3">I want to use <b>Netmeeting/MSN
|
||||
Messenger </b>with Shorewall. What do I do?</a></p>
|
||||
|
||||
<p align="left"><b>4. </b><a href="#faq4">I just used an online port scanner
|
||||
to check my firewall and it shows <b>some ports as 'closed' rather
|
||||
than 'blocked'.</b> Why?</a></p>
|
||||
to check my firewall and it shows <b>some ports as 'closed'
|
||||
rather than 'blocked'.</b> Why?</a></p>
|
||||
|
||||
<p align="left"><b>4a. </b><a href="#faq4a">I just ran an <b>nmap UDP scan</b>
|
||||
of my firewall and it showed 100s of ports as open!!!!</a></p>
|
||||
@ -73,11 +80,12 @@ than 'blocked'.</b> Why?</a></p>
|
||||
that work with Shorewall?</a></p>
|
||||
|
||||
<p align="left"><b>7. </b><a href="#faq7">When I stop Shorewall <b>using
|
||||
'shorewall stop', I can't connect to anything</b>. Why doesn't that command
|
||||
'shorewall stop', I can't connect to anything</b>. Why doesn't that command
|
||||
work?</a></p>
|
||||
|
||||
<p align="left"><b>8. </b><a href="#faq8">When I try to <b>start Shorewall
|
||||
on RedHat 7.x</b>, I get messages about insmod failing -- what's wrong?</a></p>
|
||||
on RedHat</b> I get messages about insmod failing -- what's
|
||||
wrong?</a></p>
|
||||
|
||||
<p align="left"><b>9. </b><a href="FAQ.htm#faq9">Why can't Shorewall <b>detect
|
||||
my interfaces </b>properly?</a></p>
|
||||
@ -86,7 +94,7 @@ than 'blocked'.</b> Why?</a></p>
|
||||
it work with?</a></p>
|
||||
|
||||
<p align="left"><b>11. </b><a href="#faq18">What <b>features</b> does it
|
||||
support?</a></p>
|
||||
support?</a></p>
|
||||
|
||||
<p align="left"><b>12. </b><a href="#faq12">Why isn't there a <b>GUI</b></a></p>
|
||||
|
||||
@ -94,13 +102,13 @@ support?</a></p>
|
||||
|
||||
<p align="left"><b>14. </b><a href="#faq14">I'm connected via a cable modem
|
||||
and it has an internel web server that allows me to configure/monitor
|
||||
it but as expected if I enable <b> rfc1918 blocking</b> for my eth0 interface,
|
||||
it also blocks the <b>cable modems web server</b></a>.</p>
|
||||
it but as expected if I enable <b> rfc1918 blocking</b> for my
|
||||
eth0 interface, it also blocks the <b>cable modems web server</b></a>.</p>
|
||||
|
||||
<p align="left"><b>14a. </b><a href="#faq14a">Even though it assigns public
|
||||
IP addresses, my ISP's DHCP server has an RFC 1918 address. If I enable
|
||||
RFC 1918 filtering on my external interface, <b>my DHCP client cannot
|
||||
renew its lease</b>.</a></p>
|
||||
IP addresses, my ISP's DHCP server has an RFC 1918 address.
|
||||
If I enable RFC 1918 filtering on my external interface, <b>my
|
||||
DHCP client cannot renew its lease</b>.</a></p>
|
||||
|
||||
<p align="left"><b>15. </b><a href="#faq15"><b>My local systems can't see
|
||||
out to the net</b></a></p>
|
||||
@ -108,18 +116,25 @@ support?</a></p>
|
||||
<p align="left"><b>16. </b><a href="#faq16">Shorewall is writing <b>log messages
|
||||
all over my console</b> making it unusable!<br>
|
||||
</a></p>
|
||||
<b>17</b>. <a href="#faq17">How do I find out <b>why
|
||||
this is</b> getting <b>logged?</b></a><br>
|
||||
<b>17</b>. <a href="#faq17">How do I find
|
||||
out <b>why this traffic is</b> getting <b>logged?</b></a><br>
|
||||
<br>
|
||||
<b>18.</b> <a href="#faq18">Is there any way to use <b>aliased ip addresses</b>
|
||||
with Shorewall, and maintain separate rulesets for different IPs?</a><br>
|
||||
<b>18.</b> <a href="#faq18">Is there any way to use <b>aliased
|
||||
ip addresses</b> with Shorewall, and maintain separate rulesets for
|
||||
different IPs?</a><br>
|
||||
<br>
|
||||
<b>19. </b><a href="#faq19">I have added <b>entries to /etc/shorewall/tcrules</b>
|
||||
but they <b>don't </b>seem to <b>do anything</b>. Why?</a><br>
|
||||
<br>
|
||||
<b>20.<a href="#faq20"> </a></b><a href="#faq20">I have just set up a server.
|
||||
<b>Do I have to change Shorewall to allow access to my server from the internet?</b><br>
|
||||
</a>
|
||||
but they <b>don't </b>seem to <b>do anything</b>. Why?</a><br>
|
||||
<br>
|
||||
<b>20. </b><a href="#faq20">I have just set up a server. <b>Do
|
||||
I have to change Shorewall to allow access to my server from the internet?<br>
|
||||
<br>
|
||||
</b></a><b>21. </b><a href="#faq21">I see these <b>strange log entries
|
||||
</b>occasionally; what are they?<br>
|
||||
</a><br>
|
||||
<b>22. </b><a href="#faq22">I have some <b>iptables commands </b>that I
|
||||
want to <b>run when Shorewall starts.</b> Which file do I put them in?</a><br>
|
||||
|
||||
<hr>
|
||||
<h4 align="left"><a name="faq1"></a>1. I want to forward UDP port 7777 to
|
||||
my my personal PC with IP address 192.168.1.5. I've looked everywhere
|
||||
@ -129,9 +144,10 @@ but they <b>don't </b>seem to <b>do anything</b>. Why?</a><br>
|
||||
href="Documentation.htm#PortForward"> first example</a> in the <a
|
||||
href="Documentation.htm#Rules">rules file documentation</a> shows how to
|
||||
do port forwarding under Shorewall. The format of a port-forwarding
|
||||
rule to a local system is as follows:</p>
|
||||
rule to a local system is as follows:</p>
|
||||
|
||||
<blockquote>
|
||||
|
||||
<table border="1" cellpadding="2" style="border-collapse: collapse;"
|
||||
id="AutoNumber1">
|
||||
<tbody>
|
||||
@ -148,7 +164,7 @@ rule to a local system is as follows:</p>
|
||||
<td>DNAT</td>
|
||||
<td>net</td>
|
||||
<td>loc:<i><local IP address></i>[:<i><local
|
||||
port</i>>]</td>
|
||||
port</i>>]</td>
|
||||
<td><i><protocol></i></td>
|
||||
<td><i><port #></i></td>
|
||||
<td> <br>
|
||||
@ -158,7 +174,9 @@ port</i>>]</td>
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
</tbody>
|
||||
|
||||
</table>
|
||||
</blockquote>
|
||||
|
||||
@ -166,6 +184,7 @@ port</i>>]</td>
|
||||
the rule is:</p>
|
||||
|
||||
<blockquote>
|
||||
|
||||
<table border="1" cellpadding="2" style="border-collapse: collapse;"
|
||||
id="AutoNumber1">
|
||||
<tbody>
|
||||
@ -191,18 +210,18 @@ port</i>>]</td>
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
</tbody>
|
||||
|
||||
</table>
|
||||
</blockquote>
|
||||
|
||||
<div align="left">
|
||||
<pre align="left"><font face="Courier"> DNAT net loc:192.168.1.5 udp 7777</font></pre>
|
||||
</div>
|
||||
|
||||
<p align="left">If you want to forward requests directed to a particular
|
||||
address ( <i><external IP></i> ) on your firewall to an internal system:</p>
|
||||
<div align="left"> <font face="Courier"> </font>If
|
||||
you want to forward requests directed to a particular address ( <i><external
|
||||
IP></i> ) on your firewall to an internal system:</div>
|
||||
|
||||
<blockquote>
|
||||
|
||||
<table border="1" cellpadding="2" style="border-collapse: collapse;"
|
||||
id="AutoNumber1">
|
||||
<tbody>
|
||||
@ -219,7 +238,7 @@ address ( <i><external IP></i> ) on your firewall to an internal system:</
|
||||
<td>DNAT</td>
|
||||
<td>net</td>
|
||||
<td>loc:<i><local IP address></i>[:<i><local
|
||||
port</i>>]</td>
|
||||
port</i>>]</td>
|
||||
<td><i><protocol></i></td>
|
||||
<td><i><port #></i></td>
|
||||
<td>-</td>
|
||||
@ -227,7 +246,9 @@ port</i>>]</td>
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
</tbody>
|
||||
|
||||
</table>
|
||||
</blockquote>
|
||||
|
||||
@ -237,11 +258,11 @@ port</i>>]</td>
|
||||
<p align="left"><b>Answer: </b>That is usually the result of one of two things:</p>
|
||||
|
||||
<ul>
|
||||
<li>You are trying to test from inside your firewall (no,
|
||||
that won't work -- see <a href="#faq2">FAQ #2</a>).</li>
|
||||
<li>You have a more basic problem with your local system
|
||||
such as an incorrect default gateway configured (it should be set to
|
||||
the IP address of your firewall's internal interface).</li>
|
||||
<li>You are trying to test from inside your firewall
|
||||
(no, that won't work -- see <a href="#faq2">FAQ #2</a>).</li>
|
||||
<li>You have a more basic problem with your local
|
||||
system such as an incorrect default gateway configured (it should
|
||||
be set to the IP address of your firewall's internal interface).</li>
|
||||
|
||||
</ul>
|
||||
|
||||
@ -250,30 +271,31 @@ the IP address of your firewall's internal interface).</li>
|
||||
<b>Answer: </b>To further diagnose this problem:<br>
|
||||
|
||||
<ul>
|
||||
<li>As root, type "iptables -t nat -Z". This clears the NetFilter counters
|
||||
in the nat table.</li>
|
||||
<li>Try to connect to the redirected port from an external host.</li>
|
||||
<li>As root, type "iptables -t nat -Z". This clears the
|
||||
NetFilter counters in the nat table.</li>
|
||||
<li>Try to connect to the redirected port from an external
|
||||
host.</li>
|
||||
<li>As root type "shorewall show nat"</li>
|
||||
<li>Locate the appropriate DNAT rule. It will be in a chain called
|
||||
<i>zone</i>_dnat where <i>zone</i> is the zone that includes the server
|
||||
('loc' in the above examples).</li>
|
||||
<li>Is the packet count in the first column non-zero? If so, the connection
|
||||
request is reaching the firewall and is being redirected to the server.
|
||||
In this case, the problem is usually a missing or incorrect default gateway
|
||||
setting on the server (the server's default gateway should be the IP address
|
||||
of the firewall's interface to the server).</li>
|
||||
<li>Locate the appropriate DNAT rule. It will be in a chain
|
||||
called <i>zone</i>_dnat where <i>zone</i> is the zone that includes
|
||||
the ('net' in the above examples).</li>
|
||||
<li>Is the packet count in the first column non-zero? If
|
||||
so, the connection request is reaching the firewall and is being redirected
|
||||
to the server. In this case, the problem is usually a missing or incorrect
|
||||
default gateway setting on the server (the server's default gateway
|
||||
should be the IP address of the firewall's interface to the server).</li>
|
||||
<li>If the packet count is zero:</li>
|
||||
|
||||
<ul>
|
||||
<li>the connection request is not reaching your server (possibly
|
||||
it is being blocked by your ISP); or</li>
|
||||
<li>you are trying to connect to a secondary IP address on your firewall
|
||||
and your rule is only redirecting the primary IP address (You need to specify
|
||||
the secondary IP address in the "ORIG. DEST." column in your DNAT rule);
|
||||
or</li>
|
||||
<li>your DNAT rule doesn't match the connection request in some other
|
||||
way. In that case, you may have to use a packet sniffer such as tcpdump
|
||||
or ethereal to further diagnose the problem.<br>
|
||||
<li>the connection request is not reaching your server
|
||||
(possibly it is being blocked by your ISP); or</li>
|
||||
<li>you are trying to connect to a secondary IP address
|
||||
on your firewall and your rule is only redirecting the primary IP address
|
||||
(You need to specify the secondary IP address in the "ORIG. DEST." column
|
||||
in your DNAT rule); or</li>
|
||||
<li>your DNAT rule doesn't match the connection request
|
||||
in some other way. In that case, you may have to use a packet sniffer
|
||||
such as tcpdump or ethereal to further diagnose the problem.<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
@ -281,31 +303,34 @@ or ethereal to further diagnose the problem.<br>
|
||||
</ul>
|
||||
|
||||
<h4 align="left"><a name="faq2"></a>2. I port forward www requests to www.mydomain.com
|
||||
(IP 130.151.100.69) to system 192.168.1.5 in my local network. External
|
||||
clients can browse http://www.mydomain.com but internal clients can't.</h4>
|
||||
(IP 130.151.100.69) to system 192.168.1.5 in my local network.
|
||||
External clients can browse http://www.mydomain.com but internal
|
||||
clients can't.</h4>
|
||||
|
||||
<p align="left"><b>Answer: </b>I have two objections to this setup.</p>
|
||||
|
||||
<ul>
|
||||
<li>Having an internet-accessible server in your local network
|
||||
is like raising foxes in the corner of your hen house. If the server
|
||||
is compromised, there's nothing between that server and your other
|
||||
internal systems. For the cost of another NIC and a cross-over cable,
|
||||
you can put your server in a DMZ such that it is isolated from your
|
||||
local systems - assuming that the Server can be located near the Firewall,
|
||||
of course :-)</li>
|
||||
<li>The accessibility problem is best solved using <a
|
||||
href="shorewall_setup_guide.htm#DNS">Bind Version 9 "views"</a> (or using
|
||||
a separate DNS server for local clients) such that www.mydomain.com resolves
|
||||
to 130.141.100.69 externally and 192.168.1.5 internally. That's what
|
||||
I do here at shorewall.net for my local systems that use static NAT.</li>
|
||||
<li>Having an internet-accessible server in your
|
||||
local network is like raising foxes in the corner of your hen
|
||||
house. If the server is compromised, there's nothing between that
|
||||
server and your other internal systems. For the cost of another
|
||||
NIC and a cross-over cable, you can put your server in a DMZ
|
||||
such that it is isolated from your local systems - assuming that
|
||||
the Server can be located near the Firewall, of course :-)</li>
|
||||
<li>The accessibility problem is best solved using
|
||||
<a href="shorewall_setup_guide.htm#DNS">Bind Version 9 "views"</a>
|
||||
(or using a separate DNS server for local clients) such that www.mydomain.com
|
||||
resolves to 130.141.100.69 externally and 192.168.1.5 internally.
|
||||
That's what I do here at shorewall.net for my local systems that use
|
||||
static NAT.</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<p align="left">If you insist on an IP solution to the accessibility problem
|
||||
rather than a DNS solution, then assuming that your external interface
|
||||
is eth0 and your internal interface is eth1 and that eth1 has IP address
|
||||
192.168.1.254 with subnet 192.168.1.0/24, do the following:</p>
|
||||
rather than a DNS solution, then assuming that your external
|
||||
interface is eth0 and your internal interface is eth1 and that
|
||||
eth1 has IP address 192.168.1.254 with subnet 192.168.1.0/24, do
|
||||
the following:</p>
|
||||
|
||||
<p align="left">a) In /etc/shorewall/interfaces, specify "multi" as an option
|
||||
for eth1 (No longer required as of Shorewall version 1.3.9).</p>
|
||||
@ -316,6 +341,7 @@ I do here at shorewall.net for my local systems that use static NAT.</li>
|
||||
|
||||
<div align="left">
|
||||
<blockquote>
|
||||
|
||||
<table border="1" cellpadding="2" style="border-collapse: collapse;"
|
||||
id="AutoNumber1">
|
||||
<tbody>
|
||||
@ -339,19 +365,18 @@ I do here at shorewall.net for my local systems that use static NAT.</li>
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
</tbody>
|
||||
|
||||
</table>
|
||||
</blockquote>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<pre align="left"> <font face="Courier">DNAT loc:192.168.1.0/24 loc:192.168.1.5 tcp www - 130.151.100.69:192.168.1.254</font></pre>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<p align="left">That rule only works of course if you have a static external
|
||||
IP address. If you have a dynamic IP address and are running Shorewall
|
||||
1.3.4 or later then include this in /etc/shorewall/params:</p>
|
||||
IP address. If you have a dynamic IP address and are running
|
||||
Shorewall 1.3.4 or later then include this in /etc/shorewall/params:</p>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
@ -364,6 +389,7 @@ I do here at shorewall.net for my local systems that use static NAT.</li>
|
||||
|
||||
<div align="left">
|
||||
<blockquote>
|
||||
|
||||
<table border="1" cellpadding="2" style="border-collapse: collapse;"
|
||||
id="AutoNumber1">
|
||||
<tbody>
|
||||
@ -387,34 +413,36 @@ I do here at shorewall.net for my local systems that use static NAT.</li>
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
</tbody>
|
||||
|
||||
</table>
|
||||
</blockquote>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<p align="left">Using this technique, you will want to configure your DHCP/PPPoE
|
||||
client to automatically restart Shorewall each time that you get a
|
||||
new IP address.</p>
|
||||
client to automatically restart Shorewall each time that you
|
||||
get a new IP address.</p>
|
||||
</div>
|
||||
|
||||
<h4 align="left"><a name="faq2a"></a>2a. I have a zone "Z" with an RFC1918
|
||||
subnet and I use static NAT to assign non-RFC1918 addresses to hosts
|
||||
in Z. Hosts in Z cannot communicate with each other using their external
|
||||
(non-RFC1918 addresses) so they can't access each other using their DNS
|
||||
names.</h4>
|
||||
subnet and I use static NAT to assign non-RFC1918 addresses to
|
||||
hosts in Z. Hosts in Z cannot communicate with each other using
|
||||
their external (non-RFC1918 addresses) so they can't access each
|
||||
other using their DNS names.</h4>
|
||||
|
||||
<p align="left"><b>Answer: </b>This is another problem that is best solved
|
||||
using Bind Version 9 "views". It allows both external and internal clients
|
||||
to access a NATed host using the host's DNS name.</p>
|
||||
using Bind Version 9 "views". It allows both external and internal
|
||||
clients to access a NATed host using the host's DNS name.</p>
|
||||
|
||||
<p align="left">Another good way to approach this problem is to switch from
|
||||
static NAT to Proxy ARP. That way, the hosts in Z have non-RFC1918
|
||||
addresses and can be accessed externally and internally using the same
|
||||
address. </p>
|
||||
addresses and can be accessed externally and internally using the
|
||||
same address. </p>
|
||||
|
||||
<p align="left">If you don't like those solutions and prefer routing all Z->Z
|
||||
traffic through your firewall then:</p>
|
||||
<p align="left">If you don't like those solutions and prefer routing all
|
||||
Z->Z traffic through your firewall then:</p>
|
||||
|
||||
<p align="left">a) Specify "multi" on the entry for Z's interface in /etc/shorewall/interfaces
|
||||
(If you are running a Shorewall version earlier than 1.3.9).<br>
|
||||
@ -430,6 +458,7 @@ traffic through your firewall then:</p>
|
||||
<p align="left">In /etc/shorewall/interfaces:</p>
|
||||
|
||||
<blockquote>
|
||||
|
||||
<table border="1" cellpadding="2" style="border-collapse: collapse;"
|
||||
id="AutoNumber2">
|
||||
<tbody>
|
||||
@ -447,13 +476,16 @@ traffic through your firewall then:</p>
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
</tbody>
|
||||
|
||||
</table>
|
||||
</blockquote>
|
||||
|
||||
<p align="left">In /etc/shorewall/policy:</p>
|
||||
|
||||
<blockquote>
|
||||
|
||||
<table border="1" cellpadding="2" style="border-collapse: collapse;"
|
||||
id="AutoNumber3">
|
||||
<tbody>
|
||||
@ -472,7 +504,9 @@ traffic through your firewall then:</p>
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
</tbody>
|
||||
|
||||
</table>
|
||||
</blockquote>
|
||||
|
||||
@ -483,6 +517,7 @@ traffic through your firewall then:</p>
|
||||
<p align="left">In /etc/shorewall/masq:</p>
|
||||
|
||||
<blockquote>
|
||||
|
||||
<table border="1" cellpadding="2" style="border-collapse: collapse;"
|
||||
id="AutoNumber3" width="369">
|
||||
<tbody>
|
||||
@ -499,7 +534,9 @@ traffic through your firewall then:</p>
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
</tbody>
|
||||
|
||||
</table>
|
||||
</blockquote>
|
||||
|
||||
@ -508,37 +545,38 @@ traffic through your firewall then:</p>
|
||||
|
||||
<p align="left"><b>Answer: </b>There is an <a
|
||||
href="http://www.kfki.hu/%7Ekadlec/sw/netfilter/newnat-suite/"> H.323 connection
|
||||
tracking/NAT module</a> that may help. Also check the Netfilter mailing
|
||||
list archives at <a href="http://netfilter.samba.org">http://netfilter.samba.org</a>.
|
||||
tracking/NAT module</a> that may help. Also check the Netfilter
|
||||
mailing list archives at <a href="http://netfilter.samba.org">http://netfilter.samba.org</a>.
|
||||
</p>
|
||||
|
||||
<h4 align="left"><a name="faq4"></a>4. I just used an online port scanner
|
||||
to check my firewall and it shows some ports as 'closed' rather than
|
||||
'blocked'. Why?</h4>
|
||||
to check my firewall and it shows some ports as 'closed' rather
|
||||
than 'blocked'. Why?</h4>
|
||||
|
||||
<p align="left"><b>Answer: </b>The common.def included with version 1.3.x
|
||||
always rejects connection requests on TCP port 113 rather than dropping
|
||||
them. This is necessary to prevent outgoing connection problems to
|
||||
services that use the 'Auth' mechanism for identifying requesting
|
||||
users. Shorewall also rejects TCP ports 135, 137 and 139 as well as
|
||||
UDP ports 137-139. These are ports that are used by Windows (Windows
|
||||
<u>can</u> be configured to use the DCE cell locator on port 135). Rejecting
|
||||
these connection requests rather than dropping them cuts down slightly
|
||||
on the amount of Windows chatter on LAN segments connected to the Firewall.
|
||||
</p>
|
||||
always rejects connection requests on TCP port 113 rather
|
||||
than dropping them. This is necessary to prevent outgoing connection
|
||||
problems to services that use the 'Auth' mechanism for identifying
|
||||
requesting users. Shorewall also rejects TCP ports 135, 137 and
|
||||
139 as well as UDP ports 137-139. These are ports that are used
|
||||
by Windows (Windows <u>can</u> be configured to use the DCE cell locator
|
||||
on port 135). Rejecting these connection requests rather than dropping
|
||||
them cuts down slightly on the amount of Windows chatter on LAN segments
|
||||
connected to the Firewall. </p>
|
||||
|
||||
<p align="left">If you are seeing port 80 being 'closed', that's probably
|
||||
your ISP preventing you from running a web server in violation of
|
||||
your Service Agreement.</p>
|
||||
your ISP preventing you from running a web server in violation
|
||||
of your Service Agreement.</p>
|
||||
|
||||
<h4 align="left"><a name="faq4a"></a>4a. I just ran an nmap UDP scan of my
|
||||
firewall and it showed 100s of ports as open!!!!</h4>
|
||||
|
||||
<p align="left"><b>Answer: </b>Take a deep breath and read the nmap man page
|
||||
section about UDP scans. If nmap gets <b>nothing</b> back from your
|
||||
firewall then it reports the port as open. If you want to see which
|
||||
UDP ports are really open, temporarily change your net->all policy
|
||||
to REJECT, restart Shorewall and do the nmap UDP scan again.</p>
|
||||
section about UDP scans. If nmap gets <b>nothing</b> back
|
||||
from your firewall then it reports the port as open. If you
|
||||
want to see which UDP ports are really open, temporarily change
|
||||
your net->all policy to REJECT, restart Shorewall and do the
|
||||
nmap UDP scan again.</p>
|
||||
|
||||
<h4 align="left"><a name="faq5"></a>5. I've installed Shorewall and now I
|
||||
can't ping through the firewall</h4>
|
||||
@ -548,31 +586,37 @@ on the amount of Windows chatter on LAN segments connected to the Firewall.
|
||||
|
||||
<p align="left">a) Do NOT specify 'noping' on any interface in /etc/shorewall/interfaces.<br>
|
||||
b) Copy /etc/shorewall/icmp.def to /etc/shorewall/icmpdef<br>
|
||||
c) Add the following to /etc/shorewall/icmpdef: </p>
|
||||
c) Add the following to /etc/shorewall/icmpdef:
|
||||
</p>
|
||||
|
||||
<blockquote>
|
||||
|
||||
<p align="left">run_iptables -A icmpdef -p ICMP --icmp-type echo-request
|
||||
-j ACCEPT </p>
|
||||
-j ACCEPT<br>
|
||||
</p>
|
||||
</blockquote>
|
||||
For a complete description of Shorewall 'ping' management, see <a
|
||||
href="ping.html">this page</a>.
|
||||
|
||||
<h4 align="left"><a name="faq6"></a>6. Where are the log messages written
|
||||
and how do I change the destination?</h4>
|
||||
|
||||
<p align="left"><b>Answer: </b>NetFilter uses the kernel's equivalent of syslog
|
||||
(see "man syslog") to log messages. It always uses the LOG_KERN (kern) facility
|
||||
(see "man openlog") and you get to choose the log level (again, see "man
|
||||
syslog") in your <a href="Documentation.htm#Policy">policies</a> and <a
|
||||
href="Documentation.htm#Rules">rules</a>. The destination for messaged
|
||||
logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
|
||||
When you have changed /etc/syslog.conf, be sure to restart syslogd (on
|
||||
a RedHat system, "service syslog restart"). </p>
|
||||
<p align="left"><b>Answer: </b>NetFilter uses the kernel's equivalent of
|
||||
syslog (see "man syslog") to log messages. It always uses the LOG_KERN (kern)
|
||||
facility (see "man openlog") and you get to choose the log level (again,
|
||||
see "man syslog") in your <a href="Documentation.htm#Policy">policies</a>
|
||||
and <a href="Documentation.htm#Rules">rules</a>. The destination for messaged
|
||||
logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
|
||||
When you have changed /etc/syslog.conf, be sure to restart syslogd
|
||||
(on a RedHat system, "service syslog restart"). </p>
|
||||
|
||||
<p align="left">By default, older versions of Shorewall ratelimited log messages
|
||||
through <a href="Documentation.htm#Conf">settings</a> in /etc/shorewall/shorewall.conf
|
||||
-- If you want to log all messages, set: </p>
|
||||
|
||||
<div align="left">
|
||||
<pre align="left"> LOGLIMIT=""<br> LOGBURST=""</pre>
|
||||
<pre align="left"> LOGLIMIT=""<br> LOGBURST=""<br><br>Beginning with Shorewall version 1.3.12, you can <a
|
||||
href="configuration_file_basics.htm#Levels">set up Shorewall to log all of its messages to a separate file</a>.<br></pre>
|
||||
</div>
|
||||
|
||||
<h4 align="left"><a name="faq6a"></a>6a. Are there any log parsers that work
|
||||
@ -582,26 +626,29 @@ logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
|
||||
</p>
|
||||
|
||||
<blockquote>
|
||||
|
||||
<p align="left"><a
|
||||
href="http://www.shorewall.net/pub/shorewall/parsefw/"> http://www.shorewall.net/pub/shorewall/parsefw/</a><br>
|
||||
<a href="http://www.fireparse.com">http://www.fireparse.com</a><br>
|
||||
<a href="http://cert.uni-stuttgart.de/projects/fwlogwatch">http://cert.uni-stuttgart.de/projects/fwlogwatch</a><a
|
||||
<a
|
||||
href="http://cert.uni-stuttgart.de/projects/fwlogwatch">http://cert.uni-stuttgart.de/projects/fwlogwatch</a><a
|
||||
href="http://www.logwatch.org"><br>
|
||||
http://www.logwatch.org</a><br>
|
||||
</p>
|
||||
</blockquote>
|
||||
|
||||
I personnaly use Logwatch. It emails me a report each day from my various
|
||||
systems with each report summarizing the logged activity on the corresponding
|
||||
system.
|
||||
<h4 align="left"><a name="faq7"></a>7. When I stop Shorewall using 'shorewall
|
||||
stop', I can't connect to anything. Why doesn't that command work?</h4>
|
||||
|
||||
<p align="left">The 'stop' command is intended to place your firewall into
|
||||
a safe state whereby only those interfaces/hosts having the 'routestopped'
|
||||
option in /etc/shorewall/interfaces and /etc/shorewall/hosts are activated.
|
||||
If you want to totally open up your firewall, you must use the 'shorewall
|
||||
clear' command. </p>
|
||||
a safe state whereby only those hosts listed in /etc/shorewall/routestopped'
|
||||
are activated. If you want to totally open up your firewall, you
|
||||
must use the 'shorewall clear' command. </p>
|
||||
|
||||
<h4 align="left"><a name="faq8"></a>8. When I try to start Shorewall on RedHat
|
||||
7.x, I get messages about insmod failing -- what's wrong?</h4>
|
||||
<h4 align="left"><a name="faq8"></a>8. When I try to start Shorewall on RedHat,
|
||||
I get messages about insmod failing -- what's wrong?</h4>
|
||||
|
||||
<p align="left"><b>Answer: </b>The output you will see looks something like
|
||||
this:</p>
|
||||
@ -617,8 +664,8 @@ logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
|
||||
|
||||
<div align="left">
|
||||
<p align="left">Also, be sure to check the <a href="errata.htm">errata</a>
|
||||
for problems concerning the version of iptables (v1.2.3) shipped with
|
||||
RH7.2.</p>
|
||||
for problems concerning the version of iptables (v1.2.3) shipped
|
||||
with RH7.2.</p>
|
||||
</div>
|
||||
|
||||
<h4 align="left"> </h4>
|
||||
@ -638,9 +685,9 @@ logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<p align="left"><b>Answer: </b>The above output is perfectly normal. The Net
|
||||
zone is defined as all hosts that are connected through eth0 and the local
|
||||
zone is defined as all hosts connected through eth1</p>
|
||||
<p align="left"><b>Answer: </b>The above output is perfectly normal. The
|
||||
Net zone is defined as all hosts that are connected through eth0 and the
|
||||
local zone is defined as all hosts connected through eth1</p>
|
||||
</div>
|
||||
|
||||
<h4 align="left"><a name="faq10"></a>10. What Distributions does it work
|
||||
@ -656,17 +703,18 @@ logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
|
||||
|
||||
<h4 align="left"><a name="faq12"></a>12. Why isn't there a GUI?</h4>
|
||||
|
||||
<p align="left"><b>Answer: </b>Every time I've started to work on one, I find
|
||||
myself doing other things. I guess I just don't care enough if Shorewall
|
||||
has a GUI to invest the effort to create one myself. There are several
|
||||
Shorewall GUI projects underway however and I will publish links to
|
||||
them when the authors feel that they are ready. </p>
|
||||
<p align="left"><b>Answer: </b>Every time I've started to work on one, I
|
||||
find myself doing other things. I guess I just don't care enough if
|
||||
Shorewall has a GUI to invest the effort to create one myself. There
|
||||
are several Shorewall GUI projects underway however and I will publish
|
||||
links to them when the authors feel that they are ready. </p>
|
||||
|
||||
<h4 align="left"> <a name="faq13"></a>13. Why do you call it "Shorewall"?</h4>
|
||||
|
||||
<p align="left"><b>Answer: </b>Shorewall is a concatenation of "<u>Shore</u>line"
|
||||
(<a href="http://www.cityofshoreline.com">the city where I live</a>)
|
||||
and "Fire<u>wall</u>".</p>
|
||||
(<a href="http://www.cityofshoreline.com">the city where
|
||||
I live</a>) and "Fire<u>wall</u>". The full name of the product
|
||||
is actually "Shoreline Firewall" but "Shorewall" is must more commonly used.</p>
|
||||
|
||||
<h4 align="left"> <a name="faq14"></a>14. I'm connected via a cable modem
|
||||
and it has an internal web server that allows me to configure/monitor
|
||||
@ -674,11 +722,12 @@ them when the authors feel that they are ready. </p>
|
||||
(the internet one), it also blocks the cable modems web server.</h4>
|
||||
|
||||
<p align="left">Is there any way it can add a rule before the rfc1918 blocking
|
||||
that will let all traffic to and from the 192.168.100.1 address of
|
||||
the modem in/out but still block all other rfc1918 addresses.</p>
|
||||
that will let all traffic to and from the 192.168.100.1 address
|
||||
of the modem in/out but still block all other rfc1918 addresses?</p>
|
||||
|
||||
<p align="left"><b>Answer: </b>If you are running a version of Shorewall earlier
|
||||
than 1.3.1, create /etc/shorewall/start and in it, place the following:</p>
|
||||
<p align="left"><b>Answer: </b>If you are running a version of Shorewall
|
||||
earlier than 1.3.1, create /etc/shorewall/start and in it, place the
|
||||
following:</p>
|
||||
|
||||
<div align="left">
|
||||
<pre> run_iptables -I rfc1918 -s 192.168.100.1 -j ACCEPT</pre>
|
||||
@ -691,6 +740,7 @@ than 1.3.1, create /etc/shorewall/start and in it, place the following:</p>
|
||||
|
||||
<div align="left">
|
||||
<blockquote>
|
||||
|
||||
<table border="1" cellpadding="2" style="border-collapse: collapse;"
|
||||
id="AutoNumber3">
|
||||
<tbody>
|
||||
@ -704,7 +754,9 @@ than 1.3.1, create /etc/shorewall/start and in it, place the following:</p>
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
</tbody>
|
||||
|
||||
</table>
|
||||
</blockquote>
|
||||
</div>
|
||||
@ -714,13 +766,14 @@ than 1.3.1, create /etc/shorewall/start and in it, place the following:</p>
|
||||
</p>
|
||||
|
||||
<p align="left">Note: If you add a second IP address to your external firewall
|
||||
interface to correspond to the modem address, you must also make an entry
|
||||
in /etc/shorewall/rfc1918 for that address. For example, if you configure
|
||||
the address 192.168.100.2 on your firewall, then you would add two entries
|
||||
to /etc/shorewall/rfc1918: <br>
|
||||
interface to correspond to the modem address, you must also make
|
||||
an entry in /etc/shorewall/rfc1918 for that address. For example,
|
||||
if you configure the address 192.168.100.2 on your firewall, then
|
||||
you would add two entries to /etc/shorewall/rfc1918: <br>
|
||||
</p>
|
||||
|
||||
<blockquote>
|
||||
|
||||
<table cellpadding="2" border="1" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
@ -742,16 +795,18 @@ than 1.3.1, create /etc/shorewall/start and in it, place the following:</p>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
|
||||
</tbody>
|
||||
|
||||
</table>
|
||||
</blockquote>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<h4 align="left"><a name="faq14a"></a>14a. Even though it assigns public IP
|
||||
addresses, my ISP's DHCP server has an RFC 1918 address. If I enable RFC
|
||||
1918 filtering on my external interface, my DHCP client cannot renew its
|
||||
lease.</h4>
|
||||
<h4 align="left"><a name="faq14a"></a>14a. Even though it assigns public
|
||||
IP addresses, my ISP's DHCP server has an RFC 1918 address. If I enable
|
||||
RFC 1918 filtering on my external interface, my DHCP client cannot renew
|
||||
its lease.</h4>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
@ -763,26 +818,29 @@ lease.</h4>
|
||||
the net</h4>
|
||||
|
||||
<p align="left"><b>Answer: </b>Every time I read "systems can't see out to
|
||||
the net", I wonder where the poster bought computers with eyes and
|
||||
what those computers will "see" when things are working properly. That
|
||||
aside, the most common causes of this problem are:</p>
|
||||
the net", I wonder where the poster bought computers with eyes
|
||||
and what those computers will "see" when things are working properly.
|
||||
That aside, the most common causes of this problem are:</p>
|
||||
|
||||
<ol>
|
||||
<li>
|
||||
|
||||
|
||||
<p align="left">The default gateway on each local system isn't set to
|
||||
the IP address of the local firewall interface.</p>
|
||||
</li>
|
||||
<li>
|
||||
|
||||
|
||||
<p align="left">The entry for the local network in the /etc/shorewall/masq
|
||||
file is wrong or missing.</p>
|
||||
</li>
|
||||
<li>
|
||||
|
||||
|
||||
<p align="left">The DNS settings on the local systems are wrong or the
|
||||
user is running a DNS server on the firewall and hasn't enabled UDP
|
||||
and TCP port 53 from the firewall to the internet.</p>
|
||||
user is running a DNS server on the firewall and hasn't enabled
|
||||
UDP and TCP port 53 from the firewall to the internet.</p>
|
||||
</li>
|
||||
|
||||
</ol>
|
||||
@ -791,63 +849,73 @@ aside, the most common causes of this problem are:</p>
|
||||
all over my console making it unusable!</h4>
|
||||
|
||||
<p align="left"><b>Answer: </b>"man dmesg" -- add a suitable 'dmesg' command
|
||||
to your startup scripts or place it in /etc/shorewall/start. Under
|
||||
RedHat, the max log level that is sent to the console is specified
|
||||
in /etc/sysconfig/init in the LOGLEVEL variable.<br>
|
||||
to your startup scripts or place it in /etc/shorewall/start.
|
||||
Under RedHat, the max log level that is sent to the console
|
||||
is specified in /etc/sysconfig/init in the LOGLEVEL variable.<br>
|
||||
</p>
|
||||
|
||||
<h4><a name="faq17"></a>17. How do I find out why this is getting logged?</h4>
|
||||
<b>Answer: </b>Logging occurs out of a number of chains (as indicated
|
||||
in the log message) in Shorewall:<br>
|
||||
<h4><a name="faq17"></a>17. How do I find out why this traffic is getting
|
||||
logged?</h4>
|
||||
<b>Answer: </b>Logging occurs out of a number of chains
|
||||
(as indicated in the log message) in Shorewall:<br>
|
||||
|
||||
<ol>
|
||||
<li><b>man1918 - </b>The destination address is listed in /etc/shorewall/rfc1918
|
||||
with a <b>logdrop </b>target -- see <a
|
||||
<li><b>man1918 - </b>The destination address is listed
|
||||
in /etc/shorewall/rfc1918 with a <b>logdrop </b>target -- see <a
|
||||
href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li>
|
||||
<li><b>rfc1918</b> - The source address is listed in /etc/shorewall/rfc1918
|
||||
with a <b>logdrop </b>target -- see <a
|
||||
<li><b>rfc1918</b> - The source address is listed in
|
||||
/etc/shorewall/rfc1918 with a <b>logdrop </b>target -- see <a
|
||||
href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li>
|
||||
<li><b>all2<zone></b>, <b><zone>2all</b> or <b>all2all
|
||||
</b>- You have a<a href="Documentation.htm#Policy"> policy</a> that
|
||||
specifies a log level and this packet is being logged under that policy.
|
||||
If you intend to ACCEPT this traffic then you need a <a
|
||||
href="Documentation.htm#Rules">rule</a> to that effect.<br>
|
||||
<li><b>all2<zone></b>, <b><zone>2all</b>
|
||||
or <b>all2all </b>- You have a<a
|
||||
href="Documentation.htm#Policy"> policy</a> that specifies a log level
|
||||
and this packet is being logged under that policy. If you intend to
|
||||
ACCEPT this traffic then you need a <a href="Documentation.htm#Rules">rule</a>
|
||||
to that effect.<br>
|
||||
</li>
|
||||
<li><b><zone1>2<zone2> </b>- Either you have a<a
|
||||
href="Documentation.htm#Policy"> policy</a> for <b><zone1> </b>to
|
||||
<b><zone2></b> that specifies a log level and this packet is being
|
||||
logged under that policy or this packet matches a <a
|
||||
href="Documentation.htm#Rules">rule</a> that includes a log level.</li>
|
||||
<li><b><interface>_mac</b> - The packet is being logged under the
|
||||
<b>maclist</b> <a href="Documentation.htm#Interfaces">interface option</a>.<br>
|
||||
<li><b><zone1>2<zone2> </b>- Either you
|
||||
have a<a href="Documentation.htm#Policy"> policy</a> for <b><zone1>
|
||||
</b>to <b><zone2></b> that specifies a log level and this
|
||||
packet is being logged under that policy or this packet matches a
|
||||
<a href="Documentation.htm#Rules">rule</a> that includes a log level.</li>
|
||||
<li><b><interface>_mac</b> - The packet is being logged
|
||||
under the <b>maclist</b> <a
|
||||
href="Documentation.htm#Interfaces">interface option</a>.<br>
|
||||
</li>
|
||||
<li><b>logpkt</b> - The packet is being logged under
|
||||
the <b>logunclean</b> <a
|
||||
href="Documentation.htm#Interfaces">interface option</a>.</li>
|
||||
<li><b>badpkt </b>- The packet is being logged under
|
||||
the <b>dropunclean</b> <a
|
||||
href="Documentation.htm#Interfaces">interface option</a> as specified
|
||||
in the <b>LOGUNCLEAN </b>setting in <a
|
||||
href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.</li>
|
||||
<li><b>blacklst</b> - The packet is being logged because
|
||||
the source IP is blacklisted in the<a
|
||||
href="Documentation.htm#Blacklist"> /etc/shorewall/blacklist </a>file.</li>
|
||||
<li><b>newnotsyn </b>- The packet is being logged because
|
||||
it is a TCP packet that is not part of any current connection yet
|
||||
it is not a syn packet. Options affecting the logging of such packets
|
||||
include <b>NEWNOTSYN </b>and <b>LOGNEWNOTSYN </b>in
|
||||
<a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
|
||||
<li><b>INPUT</b> or <b>FORWARD</b> - The packet has
|
||||
a source IP address that isn't in any of your defined zones ("shorewall
|
||||
check" and look at the printed zone definitions) or the chain is FORWARD
|
||||
and the destination IP isn't in any of your defined zones.</li>
|
||||
<li><b>logflags </b>- The packet is being logged because it failed
|
||||
the checks implemented by the <b>tcpflags </b><a
|
||||
href="Documentation.htm#Interfaces">interface option</a>.<br>
|
||||
</li>
|
||||
<li><b>logpkt</b> - The packet is being logged under the <b>logunclean</b>
|
||||
<a href="Documentation.htm#Interfaces">interface option</a>.</li>
|
||||
<li><b>badpkt </b>- The packet is being logged under the <b>dropunclean</b>
|
||||
<a href="Documentation.htm#Interfaces">interface option</a> as specified
|
||||
in the <b>LOGUNCLEAN </b>setting in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.</li>
|
||||
<li><b>blacklst</b> - The packet is being logged because the source
|
||||
IP is blacklisted in the<a href="Documentation.htm#Blacklist"> /etc/shorewall/blacklist
|
||||
</a>file.</li>
|
||||
<li><b>newnotsyn </b>- The packet is being logged because it is
|
||||
a TCP packet that is not part of any current connection yet it is not
|
||||
a syn packet. Options affecting the logging of such packets include <b>NEWNOTSYN
|
||||
</b>and <b>LOGNEWNOTSYN </b>in <a
|
||||
href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
|
||||
<li><b>INPUT</b> or <b>FORWARD</b> - The packet has a source IP
|
||||
address that isn't in any of your defined zones ("shorewall check" and
|
||||
look at the printed zone definitions) or the chain is FORWARD and the destination
|
||||
IP isn't in any of your defined zones.</li>
|
||||
|
||||
</ol>
|
||||
|
||||
<h4><a name="faq18"></a>18. Is there any way to use <b>aliased ip addresses</b>
|
||||
with Shorewall, and maintain separate rulesets for different IPs?</h4>
|
||||
<b>Answer: </b>Yes. You simply use the IP address in your rules (or
|
||||
if you use NAT, use the local IP address in your rules). <b>Note:</b> The
|
||||
":n" notation (e.g., eth0:0) is deprecated and will disappear eventually.
|
||||
Neither iproute (ip and tc) nor iptables supports that notation so neither
|
||||
does Shorewall. <br>
|
||||
<b>Answer: </b>Yes. You simply use the IP address in your
|
||||
rules (or if you use NAT, use the local IP address in your rules).
|
||||
<b>Note:</b> The ":n" notation (e.g., eth0:0) is deprecated and will
|
||||
disappear eventually. Neither iproute (ip and tc) nor iptables supports
|
||||
that notation so neither does Shorewall. <br>
|
||||
<br>
|
||||
<b>Example 1:</b><br>
|
||||
<br>
|
||||
@ -870,27 +938,82 @@ does Shorewall. <br>
|
||||
<pre> # Forward SMTP on external address 192.0.2.127 to local system 10.1.1.127<br><br> DNAT net loc:10.1.1.127 tcp smtp - 192.0.2.127<br></pre>
|
||||
|
||||
<h4><b><a name="faq19"></a>19. </b>I have added entries to /etc/shorewall/tcrules
|
||||
but they don't seem to do anything. Why?</h4>
|
||||
but they don't seem to do anything. Why?</h4>
|
||||
You probably haven't set TC_ENABLED=Yes in /etc/shorewall/shorewall.conf
|
||||
so the contents of the tcrules file are simply being ignored.<br>
|
||||
so the contents of the tcrules file are simply being ignored.<br>
|
||||
|
||||
<h4><a name="faq20"></a><b>20. </b>I have just set up a server. <b>Do I have
|
||||
to change Shorewall to allow access to my server from the internet?</b><br>
|
||||
</h4>
|
||||
Yes. Consult the <a href="shorewall_quickstart_guide.htm">QuickStart guide</a>
|
||||
that you used during your initial setup for information about how to set
|
||||
up rules for your server.<br>
|
||||
<br>
|
||||
to change Shorewall to allow access to my server from the internet?</b><br>
|
||||
</h4>
|
||||
Yes. Consult the <a href="shorewall_quickstart_guide.htm">QuickStart
|
||||
guide</a> that you used during your initial setup for information about
|
||||
how to set up rules for your server.<br>
|
||||
|
||||
<h4><a name="faq21"></a><b>21. </b>I see these <b>strange log entries </b>occasionally;
|
||||
what are they?<br>
|
||||
</h4>
|
||||
|
||||
<blockquote>
|
||||
<pre>Nov 25 18:58:52 linux kernel: Shorewall:net2all:DROP:IN=eth1 OUT= MAC=00:60:1d:f0:a6:f9:00:60:1d:f6:35:50:08:00<br> SRC=206.124.146.179 DST=192.0.2.3 LEN=56 TOS=0x00 PREC=0x00 TTL=110 ID=18558 PROTO=ICMP TYPE=3 CODE=3 <br> [SRC=192.0.2.3 DST=172.16.1.10 LEN=128 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP SPT=53 DPT=2857 LEN=108 ]<br></pre>
|
||||
</blockquote>
|
||||
192.0.2.3 is external on my firewall... 172.16.0.0/24 is my internal
|
||||
LAN<br>
|
||||
<br>
|
||||
<b>Answer: </b>While most people associate the Internet Control
|
||||
Message Protocol (ICMP) with 'ping', ICMP is a key piece of the internet.
|
||||
ICMP is used to report problems back to the sender of a packet; this is
|
||||
what is happening here. Unfortunately, where NAT is involved (including
|
||||
SNAT, DNAT and Masquerade), there are a lot of broken implementations.
|
||||
That is what you are seeing with these messages.<br>
|
||||
<br>
|
||||
Here is my interpretation of what is happening -- to confirm this
|
||||
analysis, one would have to have packet sniffers placed a both ends of
|
||||
the connection.<br>
|
||||
<br>
|
||||
Host 172.16.1.10 behind NAT gateway 206.124.146.179 sent a UDP DNS
|
||||
query to 192.0.2.3 and your DNS server tried to send a response (the
|
||||
response information is in the brackets -- note source port 53 which marks
|
||||
this as a DNS reply). When the response was returned to to 206.124.146.179,
|
||||
it rewrote the destination IP TO 172.16.1.10 and forwarded the packet to
|
||||
172.16.1.10 who no longer had a connection on UDP port 2857. This causes
|
||||
a port unreachable (type 3, code 3) to be generated back to 192.0.2.3.
|
||||
As this packet is sent back through 206.124.146.179, that box correctly
|
||||
changes the source address in the packet to 206.124.146.179 but doesn't
|
||||
reset the DST IP in the original DNS response similarly. When the ICMP
|
||||
reaches your firewall (192.0.2.3), your firewall has no record of having
|
||||
sent a DNS reply to 172.16.1.10 so this ICMP doesn't appear to be related
|
||||
to anything that was sent. The final result is that the packet gets logged
|
||||
and dropped in the all2all chain. I have also seen cases where the source
|
||||
IP in the ICMP itself isn't set back to the external IP of the remote NAT
|
||||
gateway; that causes your firewall to log and drop the packet out of the
|
||||
rfc1918 chain because the source IP is reserved by RFC 1918.<br>
|
||||
|
||||
<h4><a name="faq22"></a><b>22. </b>I have some <b>iptables commands </b>that
|
||||
I want to <b>run when Shorewall starts.</b> Which file do I put them in?</h4>
|
||||
You can place these commands in one of the <a
|
||||
href="shorewall_extension_scripts.htm">Shorewall Extension Scripts</a>. Be
|
||||
sure that you look at the contents of the chain(s) that you will be modifying
|
||||
with your commands to be sure that the commands will do what they are intended.
|
||||
Many iptables commands published in HOWTOs and other instructional material
|
||||
use the -A command which adds the rules to the end of the chain. Most chains
|
||||
that Shorewall constructs end with an unconditional DROP, ACCEPT or REJECT
|
||||
rule and any rules that you add after that will be ignored. Check "man iptables"
|
||||
and look at the -I (--insert) command.<br>
|
||||
<br>
|
||||
|
||||
<div align="left"> </div>
|
||||
<font size="2">Last updated 11/24/2002 - <a href="support.htm">Tom Eastep</a></font>
|
||||
<font size="2">Last updated 12/13/2002 - <a
|
||||
href="support.htm">Tom Eastep</a></font>
|
||||
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
|
||||
<br>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -27,35 +27,40 @@
|
||||
</table>
|
||||
<br>
|
||||
Beginning with Shorewall version 1.3.10, all traffic from an interface
|
||||
or from a subnet on an interface can be verified to originate from a defined
|
||||
or from a subnet on an interface can be verified to originate from a defined
|
||||
set of MAC addresses. Furthermore, each MAC address may be optionally associated
|
||||
with one or more IP addresses. There are four components to this facility.<br>
|
||||
with one or more IP addresses. <br>
|
||||
<br>
|
||||
<b>You must have the iproute package (ip utility) installed to use MAC Verification.</b><br>
|
||||
<br>
|
||||
There are four components to this facility.<br>
|
||||
|
||||
<ol>
|
||||
<li>The <b>maclist</b> interface option in <a
|
||||
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. When this
|
||||
option is specified, all traffic arriving on the interface is subjet to MAC
|
||||
verification.</li>
|
||||
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. When
|
||||
this option is specified, all traffic arriving on the interface is subjet
|
||||
to MAC verification.</li>
|
||||
<li>The <b>maclist </b>option in <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>.
|
||||
When this option is specified for a subnet, all traffic from that subnet
|
||||
is subject to MAC verification.</li>
|
||||
is subject to MAC verification.</li>
|
||||
<li>The /etc/shorewall/maclist file. This file is used to associate
|
||||
MAC addresses with interfaces and to optionally associate IP addresses with
|
||||
MAC addresses.</li>
|
||||
MAC addresses.</li>
|
||||
<li>The <b>MACLIST_DISPOSITION </b>and <b>MACLIST_LOG_LEVEL </b>variables
|
||||
in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a> The
|
||||
MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT and determines
|
||||
the disposition of connection requests that fail MAC verification. The MACLIST_LOG_LEVEL
|
||||
variable gives the syslogd level at which connection requests that fail verification
|
||||
are to be logged. If set the the empty value (e.g., MACLIST_LOG_LEVEL="")
|
||||
then failing connection requests are not logged.<br>
|
||||
in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a>
|
||||
The MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT and
|
||||
determines the disposition of connection requests that fail MAC verification.
|
||||
The MACLIST_LOG_LEVEL variable gives the syslogd level at which connection
|
||||
requests that fail verification are to be logged. If set the the empty value
|
||||
(e.g., MACLIST_LOG_LEVEL="") then failing connection requests are not logged.<br>
|
||||
</li>
|
||||
|
||||
</ol>
|
||||
The columns in /etc/shorewall/maclist are:<br>
|
||||
|
||||
<ul>
|
||||
<li>INTERFACE - The name of an ethernet interface on the Shorewall system.</li>
|
||||
<li>INTERFACE - The name of an ethernet interface on the Shorewall
|
||||
system.</li>
|
||||
<li>MAC - The MAC address of a device on the ethernet segment connected
|
||||
by INTERFACE. It is not necessary to use the Shorewall MAC format in this
|
||||
column although you may use that format if you so choose.</li>
|
||||
@ -80,17 +85,17 @@ MAC addresses.</li>
|
||||
<h3>Example 2: Router in Local Zone</h3>
|
||||
Suppose now that I add a second ethernet segment to my local zone and
|
||||
gateway that segment via a router with MAC address 00:06:43:45:C6:15 and
|
||||
IP address 192.168.1.253. Hosts in the second segment have IP addresses
|
||||
in the subnet 192.168.2.0/24. I would add the following entry to my /etc/shorewall/maclist
|
||||
IP address 192.168.1.253. Hosts in the second segment have IP addresses in
|
||||
the subnet 192.168.2.0/24. I would add the following entry to my /etc/shorewall/maclist
|
||||
file:<br>
|
||||
|
||||
<pre> eth2 00:06:43:45:C6:15 192.168.1.253,192.168.2.0/24<br></pre>
|
||||
This entry accomodates traffic from the router itself (192.168.1.253)
|
||||
and from the second LAN segment (192.168.2.0/24). Remember that all traffic
|
||||
being sent to my firewall from the 192.168.2.0/24 segment will be forwarded
|
||||
by the router so that traffic's MAC address will be that of the router (00:06:43:45:C6:15)
|
||||
being sent to my firewall from the 192.168.2.0/24 segment will be forwarded
|
||||
by the router so that traffic's MAC address will be that of the router (00:06:43:45:C6:15)
|
||||
and not that of the host sending the traffic.
|
||||
<p><font size="2"> Updated 10/23/2002 - <a href="support.htm">Tom Eastep</a>
|
||||
<p><font size="2"> Updated 12/22/2002 - <a href="support.htm">Tom Eastep</a>
|
||||
</font></p>
|
||||
|
||||
|
||||
@ -102,5 +107,6 @@ by the router so that traffic's MAC address will be that of the router (00:06:43
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
File diff suppressed because it is too large
Load Diff
@ -49,8 +49,8 @@
|
||||
<li> <a href="shorewall_quickstart_guide.htm">QuickStart
|
||||
Guides (HOWTOs)</a><br>
|
||||
</li>
|
||||
<li> <a
|
||||
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></li>
|
||||
<li> <b><a
|
||||
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li>
|
||||
<li> <a href="Documentation.htm">Reference Manual</a></li>
|
||||
<li> <a href="FAQ.htm">FAQs</a></li>
|
||||
<li><a href="useful_links.html">Useful Links</a><br>
|
||||
@ -139,5 +139,6 @@
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -2,13 +2,17 @@
|
||||
<html>
|
||||
<head>
|
||||
|
||||
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
<title>Shorewall Index</title>
|
||||
|
||||
@ -35,7 +39,8 @@
|
||||
|
||||
<ul>
|
||||
<li> <a href="seattlefirewall_index.htm">Home</a></li>
|
||||
<li> <a href="shorewall_features.htm">Features</a></li>
|
||||
<li> <a
|
||||
href="shorewall_features.htm">Features</a></li>
|
||||
<li> <a href="shorewall_prerequisites.htm">Requirements</a></li>
|
||||
<li> <a href="download.htm">Download</a><br>
|
||||
</li>
|
||||
@ -43,10 +48,10 @@
|
||||
<a href="Install.htm">Configuration</a><br>
|
||||
</li>
|
||||
<li> <a href="shorewall_quickstart_guide.htm">QuickStart
|
||||
Guides (HOWTOs)</a><br>
|
||||
Guides (HOWTOs)</a><br>
|
||||
</li>
|
||||
<li> <a
|
||||
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></li>
|
||||
<li> <b><a
|
||||
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li>
|
||||
<li> <a href="Documentation.htm">Reference Manual</a></li>
|
||||
<li> <a href="FAQ.htm">FAQs</a></li>
|
||||
<li><a href="useful_links.html">Useful Links</a><br>
|
||||
@ -60,6 +65,7 @@ Guides (HOWTOs)</a><br>
|
||||
|
||||
|
||||
|
||||
|
||||
<ul>
|
||||
<li><a target="_top"
|
||||
href="http://slovakia.shorewall.net">Slovak Republic</a></li>
|
||||
@ -72,7 +78,7 @@ Guides (HOWTOs)</a><br>
|
||||
<li><a target="_top"
|
||||
href="http://france.shorewall.net">France</a></li>
|
||||
<li><a href="http://www.shorewall.net" target="_top">Washington
|
||||
State, USA</a><br>
|
||||
State, USA</a><br>
|
||||
</li>
|
||||
|
||||
|
||||
@ -89,11 +95,12 @@ State, USA</a><br>
|
||||
|
||||
<ul>
|
||||
<li> <a href="News.htm">News Archive</a></li>
|
||||
<li> <a href="Shorewall_CVS_Access.html">CVS Repository</a></li>
|
||||
<li> <a href="Shorewall_CVS_Access.html">CVS
|
||||
Repository</a></li>
|
||||
<li> <a href="quotes.htm">Quotes from Users</a></li>
|
||||
<li> <a href="shoreline.htm">About the Author</a></li>
|
||||
<li> <a
|
||||
href="seattlefirewall_index.htm#Donations">Donations</a></li>
|
||||
href="sourceforge_index.htm#Donations">Donations</a></li>
|
||||
|
||||
|
||||
|
||||
@ -101,6 +108,7 @@ State, USA</a><br>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
@ -109,6 +117,7 @@ State, USA</a><br>
|
||||
<b>Note: </b></strong>Search is unavailable Daily 0200-0330
|
||||
GMT.<br>
|
||||
<strong></strong>
|
||||
|
||||
<p><strong>Quick Search</strong><br>
|
||||
<font face="Arial" size="-1"> <input
|
||||
type="text" name="words" size="15"></font><font size="-1"> </font> <font
|
||||
@ -125,12 +134,12 @@ State, USA</a><br>
|
||||
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
|
||||
|
||||
<p><a href="http://www.shorewall.net" target="_top"> <img border="1"
|
||||
src="images/shorewall.jpg" width="119" height="38" hspace="0">
|
||||
</a><br>
|
||||
<br>
|
||||
<p><a href="http://www.shorewall.net" target="_top"> </a><br>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -1,40 +1,60 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
|
||||
<title>VPN</title>
|
||||
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>VPN</title>
|
||||
</head>
|
||||
<body>
|
||||
|
||||
<body>
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#400169" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#FFFFFF">VPN</font></h1>
|
||||
<h1 align="center"><font color="#ffffff">VPN</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
<p>It is often the case that a system behind the firewall needs to be able to
|
||||
access a remote network through Virtual Private Networking (VPN). The two most
|
||||
common means for doing this are IPSEC and PPTP. The basic setup is shown in the
|
||||
following diagram:</p>
|
||||
<p align="center"><img border="0" src="images/VPN.png" width="568" height="796"></p>
|
||||
|
||||
<p>It is often the case that a system behind the firewall needs to be able
|
||||
to access a remote network through Virtual Private Networking (VPN). The
|
||||
two most common means for doing this are IPSEC and PPTP. The basic setup
|
||||
is shown in the following diagram:</p>
|
||||
|
||||
<p align="center"><img border="0" src="images/VPN.png" width="568"
|
||||
height="796">
|
||||
</p>
|
||||
|
||||
<p align="left">A system with an RFC 1918 address needs to access a remote
|
||||
network through a remote gateway. For this example, we will assume that the
|
||||
local system has IP address 192.168.1.12 and that the remote gateway has IP
|
||||
address 192.0.2.224.</p>
|
||||
<p align="left">If PPTP is being used, there are no firewall requirements beyond
|
||||
the default loc->net ACCEPT policy. There is one restriction however: Only one
|
||||
local system at a time can be connected to a single remote gateway unless you
|
||||
patch your kernel from the 'Patch-o-matic' patches available at
|
||||
<a href="http://www.netfilter.org">http://www.netfilter.org</a>. </p>
|
||||
<p align="left">If IPSEC is being used then there are firewall configuration
|
||||
requirements as follows:</p>
|
||||
network through a remote gateway. For this example, we will assume that
|
||||
the local system has IP address 192.168.1.12 and that the remote gateway
|
||||
has IP address 192.0.2.224.</p>
|
||||
|
||||
<p align="left">If PPTP is being used, there are no firewall requirements
|
||||
beyond the default loc->net ACCEPT policy. There is one restriction however:
|
||||
Only one local system at a time can be connected to a single remote gateway
|
||||
unless you patch your kernel from the 'Patch-o-matic' patches available
|
||||
at <a href="http://www.netfilter.org">http://www.netfilter.org</a>. </p>
|
||||
|
||||
<p align="left">If IPSEC is being used then only one system may connect to
|
||||
the remote gateway and there are firewall configuration requirements as
|
||||
follows:</p>
|
||||
|
||||
<blockquote>
|
||||
<table border="1" cellpadding="2" style="border-collapse: collapse" bordercolor="#111111" id="AutoNumber2" height="98">
|
||||
<table border="1" cellpadding="2" style="border-collapse: collapse;"
|
||||
bordercolor="#111111" id="AutoNumber2" height="98">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td height="38"><u><b>ACTION</b></u></td>
|
||||
<td height="38"><u><b>SOURCE</b></u></td>
|
||||
@ -51,9 +71,9 @@ requirements as follows:</p>
|
||||
<td height="19">net:192.0.2.224</td>
|
||||
<td height="19">loc:192.168.1.12</td>
|
||||
<td height="19">50</td>
|
||||
<td height="19"> </td>
|
||||
<td height="19"> </td>
|
||||
<td height="19"> </td>
|
||||
<td height="19"> </td>
|
||||
<td height="19"> </td>
|
||||
<td height="19"> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td height="19">DNAT</td>
|
||||
@ -61,21 +81,24 @@ requirements as follows:</p>
|
||||
<td height="19">loc:192.168.1.12</td>
|
||||
<td height="19">udp</td>
|
||||
<td height="19">500</td>
|
||||
<td height="19"> </td>
|
||||
<td height="19"> </td>
|
||||
<td height="19"> </td>
|
||||
<td height="19"> </td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
<p>If you want to be able to give access to all of your local systems to the
|
||||
remote network, you should consider running a VPN client on your firewall. As
|
||||
starting points, see
|
||||
<a href="http://www.shorewall.net/Documentation.htm#Tunnels">
|
||||
http://www.shorewall.net/Documentation.htm#Tunnels</a> or
|
||||
<a href="http://www.shorewall.net/PPTP.htm">http://www.shorewall.net/PPTP.htm</a>.</p>
|
||||
<p><font size="2">Last modified 8/27/2002 - <a href="support.htm">Tom
|
||||
Eastep</a></font><p><font face="Trebuchet MS"><a href="copyright.htm">
|
||||
<font size="2">Copyright</font> © <font size="2">2002 Thomas M. Eastep.</font></a></font><p> </p>
|
||||
</blockquote>
|
||||
|
||||
<p>If you want to be able to give access to all of your local systems to
|
||||
the remote network, you should consider running a VPN client on your firewall.
|
||||
As starting points, see <a
|
||||
href="http://www.shorewall.net/Documentation.htm#Tunnels"> http://www.shorewall.net/Documentation.htm#Tunnels</a>
|
||||
or <a href="http://www.shorewall.net/PPTP.htm">http://www.shorewall.net/PPTP.htm</a>.</p>
|
||||
|
||||
<p><font size="2">Last modified 12/21/2002 - <a href="support.htm">Tom Eastep</a></font></p>
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"> <font size="2">Copyright</font>
|
||||
© <font size="2">2002 Thomas M. Eastep.</font></a></font></p>
|
||||
<p> </p>
|
||||
<br>
|
||||
</body>
|
||||
|
||||
</html>
|
||||
|
@ -20,6 +20,7 @@
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
|
||||
<h1 align="center"><font color="#ffffff">Configuration Files</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
@ -38,46 +39,56 @@
|
||||
<p>Shorewall's configuration files are in the directory /etc/shorewall.</p>
|
||||
|
||||
<ul>
|
||||
<li>/etc/shorewall/shorewall.conf - used to set several firewall
|
||||
parameters.</li>
|
||||
<li>/etc/shorewall/params - use this file to set shell variables
|
||||
that you will expand in other files.</li>
|
||||
<li>/etc/shorewall/zones - partition the firewall's view of
|
||||
the world into <i>zones.</i></li>
|
||||
<li>/etc/shorewall/shorewall.conf - used to set several
|
||||
firewall parameters.</li>
|
||||
<li>/etc/shorewall/params - use this file to set shell
|
||||
variables that you will expand in other files.</li>
|
||||
<li>/etc/shorewall/zones - partition the firewall's
|
||||
view of the world into <i>zones.</i></li>
|
||||
<li>/etc/shorewall/policy - establishes firewall high-level
|
||||
policy.</li>
|
||||
<li>/etc/shorewall/interfaces - describes the interfaces on
|
||||
the firewall system.</li>
|
||||
<li>/etc/shorewall/hosts - allows defining zones in terms of
|
||||
individual hosts and subnetworks.</li>
|
||||
<li>/etc/shorewall/masq - directs the firewall where to use
|
||||
many-to-one (dynamic) Network Address Translation (a.k.a. Masquerading)
|
||||
and Source Network Address Translation (SNAT).</li>
|
||||
<li>/etc/shorewall/modules - directs the firewall to load kernel
|
||||
modules.</li>
|
||||
policy.</li>
|
||||
<li>/etc/shorewall/interfaces - describes the interfaces
|
||||
on the firewall system.</li>
|
||||
<li>/etc/shorewall/hosts - allows defining zones in
|
||||
terms of individual hosts and subnetworks.</li>
|
||||
<li>/etc/shorewall/masq - directs the firewall where
|
||||
to use many-to-one (dynamic) Network Address Translation (a.k.a.
|
||||
Masquerading) and Source Network Address Translation (SNAT).</li>
|
||||
<li>/etc/shorewall/modules - directs the firewall to
|
||||
load kernel modules.</li>
|
||||
<li>/etc/shorewall/rules - defines rules that are exceptions
|
||||
to the overall policies established in /etc/shorewall/policy.</li>
|
||||
<li>/etc/shorewall/nat - defines static NAT rules.</li>
|
||||
<li>/etc/shorewall/proxyarp - defines use of Proxy ARP.</li>
|
||||
<li>/etc/shorewall/routestopped (Shorewall 1.3.4 and later)
|
||||
- defines hosts accessible when Shorewall is stopped.</li>
|
||||
<li>/etc/shorewall/tcrules - defines marking of packets for
|
||||
later use by traffic control/shaping or policy routing.</li>
|
||||
<li>/etc/shorewall/tos - defines rules for setting the TOS
|
||||
field in packet headers.</li>
|
||||
<li>/etc/shorewall/tunnels - defines IPSEC, GRE and IPIP tunnels
|
||||
with end-points on the firewall system.</li>
|
||||
<li>/etc/shorewall/proxyarp - defines use of Proxy
|
||||
ARP.</li>
|
||||
<li>/etc/shorewall/routestopped (Shorewall 1.3.4 and
|
||||
later) - defines hosts accessible when Shorewall is stopped.</li>
|
||||
<li>/etc/shorewall/tcrules - defines marking of packets
|
||||
for later use by traffic control/shaping or policy routing.</li>
|
||||
<li>/etc/shorewall/tos - defines rules for setting
|
||||
the TOS field in packet headers.</li>
|
||||
<li>/etc/shorewall/tunnels - defines IPSEC, GRE and
|
||||
IPIP tunnels with end-points on the firewall system.</li>
|
||||
<li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC
|
||||
addresses.</li>
|
||||
<li>/etc/shorewall/init - commands that you wish to execute at the beginning
|
||||
of a "shorewall start" or "shorewall restart".</li>
|
||||
<li>/etc/shorewall/start - commands that you wish to execute at the completion
|
||||
of a "shorewall start" or "shorewall restart"</li>
|
||||
<li>/etc/shorewall/stop - commands that you wish to execute at the beginning
|
||||
of a "shorewall stop".</li>
|
||||
<li>/etc/shorewall/stopped - commands that you wish to execute at the
|
||||
completion of a "shorewall stop".<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h2>Comments</h2>
|
||||
|
||||
<p>You may place comments in configuration files by making the first non-whitespace
|
||||
character a pound sign ("#"). You may also place comments at the
|
||||
end of any line, again by delimiting the comment from the rest of
|
||||
the line with a pound sign.</p>
|
||||
character a pound sign ("#"). You may also place comments at
|
||||
the end of any line, again by delimiting the comment from the rest
|
||||
of the line with a pound sign.</p>
|
||||
|
||||
<p>Examples:</p>
|
||||
|
||||
@ -100,38 +111,41 @@ the line with a pound sign.</p>
|
||||
|
||||
<p align="left"><b>WARNING: I personally recommend strongly <u>against</u>
|
||||
using DNS names in Shorewall configuration files. If you use DNS names
|
||||
and you are called out of bed at 2:00AM because Shorewall won't start as
|
||||
a result of DNS problems then don't say that you were not forewarned. <br>
|
||||
and you are called out of bed at 2:00AM because Shorewall won't start
|
||||
as a result of DNS problems then don't say that you were not forewarned.
|
||||
<br>
|
||||
</b></p>
|
||||
|
||||
<p align="left"><b> -Tom<br>
|
||||
</b></p>
|
||||
|
||||
<p align="left">Beginning with Shorwall 1.3.9, Host addresses in Shorewall
|
||||
configuration files may be specified either as IP addresses or as DNS Names.<br>
|
||||
configuration files may be specified as either IP addresses or DNS
|
||||
Names.<br>
|
||||
<br>
|
||||
DNS names in iptables rules aren't nearly as useful as they first appear.
|
||||
When a DNS name appears in a rule, the iptables utility resolves the name
|
||||
to one or more IP addresses and inserts those addresses into the rule.
|
||||
So change in the DNS->IP address relationship that occur after the firewall
|
||||
has started have absolutely no effect on the firewall's ruleset. </p>
|
||||
DNS names in iptables rules aren't nearly as useful as they
|
||||
first appear. When a DNS name appears in a rule, the iptables utility
|
||||
resolves the name to one or more IP addresses and inserts those addresses
|
||||
into the rule. So changes in the DNS->IP address relationship that
|
||||
occur after the firewall has started have absolutely no effect on the
|
||||
firewall's ruleset. </p>
|
||||
|
||||
<p align="left"> If your firewall rules include DNS names then:</p>
|
||||
|
||||
<ul>
|
||||
<li>If your /etc/resolv.conf is wrong then your firewall won't
|
||||
start.</li>
|
||||
<li>If your /etc/nsswitch.conf is wrong then your firewall won't
|
||||
start.</li>
|
||||
<li>If your Name Server(s) is(are) down then your firewall won't
|
||||
start.</li>
|
||||
<li>If your startup scripts try to start your firewall before starting
|
||||
your DNS server then your firewall won't start.<br>
|
||||
<li>If your /etc/nsswitch.conf is wrong then your firewall
|
||||
won't start.</li>
|
||||
<li>If your Name Server(s) is(are) down then your firewall
|
||||
won't start.</li>
|
||||
<li>If your startup scripts try to start your firewall before
|
||||
starting your DNS server then your firewall won't start.<br>
|
||||
</li>
|
||||
<li>Factors totally outside your control (your ISP's router is
|
||||
down for example), can prevent your firewall from starting.</li>
|
||||
<li>You must bring up your network interfaces prior to starting your
|
||||
firewall.<br>
|
||||
<li>Factors totally outside your control (your ISP's router
|
||||
is down for example), can prevent your firewall from starting.</li>
|
||||
<li>You must bring up your network interfaces prior to starting
|
||||
your firewall.<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
@ -146,7 +160,7 @@ So change in the DNS->IP address relationship that occur after the firewall
|
||||
|
||||
<ul>
|
||||
<li>mail.shorewall.net</li>
|
||||
<li>shorewall.net.</li>
|
||||
<li>shorewall.net. (note the trailing period).</li>
|
||||
|
||||
</ul>
|
||||
Examples of invalid DNS names:<br>
|
||||
@ -159,14 +173,14 @@ So change in the DNS->IP address relationship that occur after the firewall
|
||||
DNS names may not be used as:<br>
|
||||
|
||||
<ul>
|
||||
<li>The server address in a DNAT rule (/etc/shorewall/rules file)</li>
|
||||
<li>The server address in a DNAT rule (/etc/shorewall/rules
|
||||
file)</li>
|
||||
<li>In the ADDRESS column of an entry in /etc/shorewall/masq.</li>
|
||||
<li>In the /etc/shorewall/nat file.</li>
|
||||
|
||||
</ul>
|
||||
These are iptables restrictions and are not simply imposed for your
|
||||
inconvenience by Shorewall. <br>
|
||||
<br>
|
||||
These restrictions are not imposed by Shorewall simply for
|
||||
your inconvenience but are rather limitations of iptables.<br>
|
||||
|
||||
<h2>Complementing an Address or Subnet</h2>
|
||||
|
||||
@ -185,9 +199,10 @@ no white space following the "!".</p>
|
||||
Valid: routestopped,dhcp,norfc1918<br>
|
||||
Invalid: routestopped, dhcp, norfc1818</li>
|
||||
<li>If you use line continuation to break a comma-separated
|
||||
list, the continuation line(s) must begin in column 1 (or there
|
||||
would be embedded white space)</li>
|
||||
<li>Entries in a comma-separated list may appear in any order.</li>
|
||||
list, the continuation line(s) must begin in column 1 (or there
|
||||
would be embedded white space)</li>
|
||||
<li>Entries in a comma-separated list may appear in
|
||||
any order.</li>
|
||||
|
||||
</ul>
|
||||
|
||||
@ -218,6 +233,7 @@ would be embedded white space)</li>
|
||||
<p>Example:</p>
|
||||
|
||||
<blockquote>
|
||||
|
||||
<pre>NET_IF=eth0<br>NET_BCAST=130.252.100.255<br>NET_OPTIONS=noping,norfc1918</pre>
|
||||
</blockquote>
|
||||
|
||||
@ -225,7 +241,9 @@ would be embedded white space)</li>
|
||||
Example (/etc/shorewall/interfaces record):</p>
|
||||
<font
|
||||
face="Century Gothic, Arial, Helvetica">
|
||||
|
||||
<blockquote>
|
||||
|
||||
<pre><font face="Courier">net $NET_IF $NET_BCAST $NET_OPTIONS</font></pre>
|
||||
</blockquote>
|
||||
</font>
|
||||
@ -233,7 +251,9 @@ would be embedded white space)</li>
|
||||
<p>The result will be the same as if the record had been written</p>
|
||||
<font
|
||||
face="Century Gothic, Arial, Helvetica">
|
||||
|
||||
<blockquote>
|
||||
|
||||
<pre>net eth0 130.252.100.255 noping,norfc1918</pre>
|
||||
</blockquote>
|
||||
</font>
|
||||
@ -251,50 +271,150 @@ would be embedded white space)</li>
|
||||
<p>MAC addresses are 48 bits wide and each Ethernet Controller has a
|
||||
unique MAC address.<br>
|
||||
<br>
|
||||
In GNU/Linux, MAC addresses are usually written as a series of
|
||||
6 hex numbers separated by colons. Example:<br>
|
||||
In GNU/Linux, MAC addresses are usually written as a
|
||||
series of 6 hex numbers separated by colons. Example:<br>
|
||||
<br>
|
||||
[root@gateway root]# ifconfig eth0<br>
|
||||
eth0 Link encap:Ethernet HWaddr <b><u>02:00:08:E3:FA:55</u></b><br>
|
||||
inet addr:206.124.146.176 Bcast:206.124.146.255 Mask:255.255.255.0<br>
|
||||
inet addr:206.124.146.176 Bcast:206.124.146.255
|
||||
Mask:255.255.255.0<br>
|
||||
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br>
|
||||
RX packets:2398102 errors:0 dropped:0 overruns:0 frame:0<br>
|
||||
TX packets:3044698 errors:0 dropped:0 overruns:0 carrier:0<br>
|
||||
RX packets:2398102 errors:0 dropped:0 overruns:0
|
||||
frame:0<br>
|
||||
TX packets:3044698 errors:0 dropped:0 overruns:0
|
||||
carrier:0<br>
|
||||
collisions:30394 txqueuelen:100<br>
|
||||
RX bytes:419871805 (400.4 Mb) TX bytes:1659782221 (1582.8
|
||||
Mb)<br>
|
||||
RX bytes:419871805 (400.4 Mb) TX bytes:1659782221
|
||||
(1582.8 Mb)<br>
|
||||
Interrupt:11 Base address:0x1800<br>
|
||||
<br>
|
||||
Because Shorewall uses colons as a separator for address fields,
|
||||
Shorewall requires MAC addresses to be written in another way. In
|
||||
Shorewall, MAC addresses begin with a tilde ("~") and consist of
|
||||
6 hex numbers separated by hyphens. In Shorewall, the MAC address
|
||||
in the example above would be written "~02-00-08-E3-FA-55".<br>
|
||||
Because Shorewall uses colons as a separator for address
|
||||
fields, Shorewall requires MAC addresses to be written in another
|
||||
way. In Shorewall, MAC addresses begin with a tilde ("~") and
|
||||
consist of 6 hex numbers separated by hyphens. In Shorewall, the
|
||||
MAC address in the example above would be written "~02-00-08-E3-FA-55".<br>
|
||||
</p>
|
||||
|
||||
<p><b>Note: </b>It is not necessary to use the special Shorewall notation
|
||||
in the <a href="MAC_Validation.html">/etc/shorewall/maclist</a> file.<br>
|
||||
in the <a href="MAC_Validation.html">/etc/shorewall/maclist</a> file.<br>
|
||||
</p>
|
||||
|
||||
<h2><a name="Levels"></a>Logging</h2>
|
||||
By default, Shorewall directs NetFilter to log using syslog (8). Syslog
|
||||
classifies log messages by a <i>facility</i> and a <i>priority</i> (using
|
||||
the notation <i>facility.priority</i>). <br>
|
||||
<br>
|
||||
The facilities defined by syslog are <i>auth, authpriv, cron, daemon,
|
||||
kern, lpr, mail, mark, news, syslog, user, uucp</i> and <i>local0</i> through
|
||||
<i>local7</i>.<br>
|
||||
<br>
|
||||
Throughout the Shorewall documentation, I will use the term <i>level</i>
|
||||
rather than <i>priority</i> since <i>level</i> is the term used by NetFilter.
|
||||
The syslog documentation uses the term <i>priority</i>.<br>
|
||||
|
||||
<h3>Syslog Levels<br>
|
||||
</h3>
|
||||
Syslog levels are a method of describing to syslog (8) the importance
|
||||
of a message and a number of Shorewall parameters have a syslog level
|
||||
as their value.<br>
|
||||
<br>
|
||||
Valid levels are:<br>
|
||||
<br>
|
||||
7 debug<br>
|
||||
6 info<br>
|
||||
5 notice<br>
|
||||
4 warning<br>
|
||||
3 err<br>
|
||||
2 crit<br>
|
||||
1 alert<br>
|
||||
0 emerg<br>
|
||||
<br>
|
||||
For most Shorewall logging, a level of 6 (info) is appropriate. Shorewall
|
||||
log messages are generated by NetFilter and are logged using the <i>kern</i>
|
||||
facility and the level that you specify. If you are unsure of the level
|
||||
to choose, 6 (info) is a safe bet. You may specify levels by name or by
|
||||
number.<br>
|
||||
<br>
|
||||
Syslogd writes log messages to files (typically in /var/log/*) based
|
||||
on their facility and level. The mapping of these facility/level pairs to
|
||||
log files is done in /etc/syslog.conf (5). If you make changes to this file,
|
||||
you must restart syslogd before the changes can take effect.<br>
|
||||
|
||||
<h3>Configuring a Separate Log for Shorewall Messages</h3>
|
||||
There are a couple of limitations to syslogd-based logging:<br>
|
||||
|
||||
<ol>
|
||||
<li>If you give, for example, kern.info it's own log destination then
|
||||
that destination will also receive all kernel messages of levels 5 (notice)
|
||||
through 0 (emerg).</li>
|
||||
<li>All kernel.info messages will go to that destination and not just
|
||||
those from NetFilter.<br>
|
||||
</li>
|
||||
|
||||
</ol>
|
||||
Beginning with Shorewall version 1.3.12, if your kernel has ULOG target
|
||||
support (and most vendor-supplied kernels do), you may also specify a log
|
||||
level of ULOG (must be all caps). When ULOG is used, Shorewall will direct
|
||||
netfilter to log the related messages via the ULOG target which will send
|
||||
them to a process called 'ulogd'. The ulogd program is available from http://www.gnumonks.org/projects/ulogd
|
||||
and can be configured to log all Shorewall message to their own log file.<br>
|
||||
<br>
|
||||
Download the ulod tar file and:<br>
|
||||
|
||||
<ol>
|
||||
<li>cd /usr/local/src (or wherever you do your builds)</li>
|
||||
<li>tar -zxf <i>source-tarball-that-you-downloaded</i></li>
|
||||
<li>cd ulogd-<i>version</i><br>
|
||||
</li>
|
||||
<li>./configure</li>
|
||||
<li>make</li>
|
||||
<li>make install<br>
|
||||
</li>
|
||||
|
||||
</ol>
|
||||
If you are like me and don't have a development environment on your firewall,
|
||||
you can do the first five steps on another system then either NFS mount your
|
||||
/usr/local/src directory or tar up the /usr/local/src/ulogd-<i>version</i>
|
||||
directory and move it to your firewall system.<br>
|
||||
<br>
|
||||
Now on the firewall system, edit /usr/local/etc/ulogd.conf and set:<br>
|
||||
|
||||
<ol>
|
||||
<li>syslogfile <i><file that you wish to log to></i></li>
|
||||
<li>syslogsync 1</li>
|
||||
|
||||
</ol>
|
||||
I also copied the file /usr/local/src/ulogd-<i>version</i>/ulogd.init to
|
||||
/etc/init.d/ulogd. I had to edit the line that read "daemon /usr/local/sbin/ulogd"
|
||||
to read daemon /usr/local/sbin/ulogd -d". On a RedHat system, a simple "chkconfig
|
||||
--level 3 ulogd on" starts ulogd during boot up. Your init system may need
|
||||
something else done to activate the script.<br>
|
||||
<br>
|
||||
Finally edit /etc/shorewall/shorewall.conf and set LOGFILE=<i><file that
|
||||
you wish to log to></i>. This tells the /sbin/shorewall program where to
|
||||
look for the log when processing its "show log", "logwatch" and "monitor"
|
||||
commands.<br>
|
||||
|
||||
<h2><a name="Configs"></a>Shorewall Configurations</h2>
|
||||
|
||||
<p> Shorewall allows you to have configuration directories other than /etc/shorewall.
|
||||
The <a href="starting_and_stopping_shorewall.htm">shorewall start and restart</a>
|
||||
commands allow you to specify an alternate configuration directory
|
||||
and Shorewall will use the files in the alternate directory rather than
|
||||
the corresponding files in /etc/shorewall. The alternate directory need
|
||||
not contain a complete configuration; those files not in the alternate directory
|
||||
will be read from /etc/shorewall.</p>
|
||||
The <a href="starting_and_stopping_shorewall.htm">shorewall start and
|
||||
restart</a> commands allow you to specify an alternate configuration
|
||||
directory and Shorewall will use the files in the alternate directory
|
||||
rather than the corresponding files in /etc/shorewall. The alternate directory
|
||||
need not contain a complete configuration; those files not in the alternate
|
||||
directory will be read from /etc/shorewall.</p>
|
||||
|
||||
<p> This facility permits you to easily create a test or temporary configuration
|
||||
by:</p>
|
||||
|
||||
<ol>
|
||||
<li> copying the files that need modification from /etc/shorewall
|
||||
to a separate directory;</li>
|
||||
<li> modify those files in the separate directory; and</li>
|
||||
<li> specifying the separate directory in a shorewall start
|
||||
or shorewall restart command (e.g., <i><b>shorewall -c /etc/testconfig
|
||||
<li> copying the files that need modification from
|
||||
/etc/shorewall to a separate directory;</li>
|
||||
<li> modify those files in the separate directory;
|
||||
and</li>
|
||||
<li> specifying the separate directory in a shorewall
|
||||
start or shorewall restart command (e.g., <i><b>shorewall -c /etc/testconfig
|
||||
restart</b></i> ).</li>
|
||||
|
||||
</ol>
|
||||
@ -302,19 +422,14 @@ will be read from /etc/shorewall.</p>
|
||||
|
||||
|
||||
|
||||
<p><font size="2"> Updated 11/21/2002 - <a href="support.htm">Tom Eastep</a>
|
||||
<p><font size="2"> Updated 12/20/2002 - <a href="support.htm">Tom Eastep</a>
|
||||
</font></p>
|
||||
|
||||
|
||||
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
|
||||
|
||||
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
|
@ -30,30 +30,41 @@
|
||||
|
||||
<p><b>I strongly urge you to read and print a copy of the <a
|
||||
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
|
||||
for the configuration that most closely matches your own.</b></p>
|
||||
for the configuration that most closely matches your own.<br>
|
||||
</b></p>
|
||||
|
||||
<p>Once you've done that, download <u> one</u> of the modules:</p>
|
||||
<p>The entire set of Shorewall documentation is available in PDF format at:</p>
|
||||
|
||||
<p> <a href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
|
||||
<a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
|
||||
<a href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>
|
||||
</p>
|
||||
|
||||
<p>The documentation in HTML format is included in the .rpm and in the .tgz
|
||||
packages below.</p>
|
||||
|
||||
<p> Once you've done that, download <u> one</u> of the modules:</p>
|
||||
|
||||
<ul>
|
||||
<li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>, <b>
|
||||
Linux PPC</b> or <b> TurboLinux</b> distribution with a
|
||||
2.4 kernel, you can use the RPM version (note: the RPM should
|
||||
also work with other distributions that store init scripts
|
||||
in /etc/init.d and that include chkconfig or insserv). If you
|
||||
find that it works in other cases, let <a
|
||||
Linux PPC</b> or <b> TurboLinux</b> distribution with
|
||||
a 2.4 kernel, you can use the RPM version (note: the RPM
|
||||
should also work with other distributions that store init
|
||||
scripts in /etc/init.d and that include chkconfig or insserv).
|
||||
If you find that it works in other cases, let <a
|
||||
href="mailto:teastep@shorewall.net"> me</a> know so that
|
||||
I can mention them here. See the <a href="Install.htm">Installation Instructions</a>
|
||||
if you have problems installing the RPM.</li>
|
||||
<li>If you are running LRP, download the .lrp file (you might
|
||||
also want to download the .tgz so you will have a copy of the documentation).</li>
|
||||
also want to download the .tgz so you will have a copy of the documentation).</li>
|
||||
<li>If you run <a href="http://www.debian.org"><b>Debian</b></a>
|
||||
and would like a .deb package, Shorewall is in both the <a
|
||||
href="http://packages.debian.org/testing/net/shorewall.html">Debian
|
||||
Testing Branch</a> and the <a
|
||||
and would like a .deb package, Shorewall is included in both the
|
||||
<a href="http://packages.debian.org/testing/net/shorewall.html">Debian
|
||||
Testing Branch</a> and the <a
|
||||
href="http://packages.debian.org/unstable/net/shorewall.html">Debian
|
||||
Unstable Branch</a>.</li>
|
||||
<li>Otherwise, download the <i>shorewall</i> module
|
||||
(.tgz)</li>
|
||||
Unstable Branch</a>.</li>
|
||||
<li>Otherwise, download the <i>shorewall</i>
|
||||
module (.tgz)</li>
|
||||
|
||||
</ul>
|
||||
|
||||
@ -66,10 +77,10 @@ Testing Branch</a> and the <a
|
||||
|
||||
<ul>
|
||||
<li>RPM - "rpm -qip LATEST.rpm"</li>
|
||||
<li>TARBALL - "tar -ztf LATEST.tgz" (the directory name will
|
||||
contain the version)</li>
|
||||
<li>LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar -zxf
|
||||
<downloaded .lrp>; cat var/lib/lrpkg/shorwall.version" </li>
|
||||
<li>TARBALL - "tar -ztf LATEST.tgz" (the directory name
|
||||
will contain the version)</li>
|
||||
<li>LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar
|
||||
-zxf <downloaded .lrp>; cat var/lib/lrpkg/shorwall.version" </li>
|
||||
|
||||
</ul>
|
||||
|
||||
@ -81,11 +92,12 @@ Testing Branch</a> and the <a
|
||||
<p><font color="#ff0000" face="Arial"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY
|
||||
INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
|
||||
IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed
|
||||
configuration of your firewall, you can enable startup by removing the
|
||||
file /etc/shorewall/startup_disabled.</b></font></p>
|
||||
configuration of your firewall, you can enable startup by removing the
|
||||
file /etc/shorewall/startup_disabled.</b></font></p>
|
||||
|
||||
<p><b>Download Latest Version</b> (<b>1.3.10</b>): <b>Remember that updates
|
||||
to the mirrors occur 1-12 hours after an update to the primary site.</b></p>
|
||||
<p><b>Download Latest Version</b> (<b>1.3.12</b>): <b>Remember that updates
|
||||
to the mirrors occur 1-12 hours after an update to the Washington
|
||||
State site.</b></p>
|
||||
|
||||
<blockquote>
|
||||
<table border="2" cellspacing="3" cellpadding="3"
|
||||
@ -204,7 +216,7 @@ to the mirrors occur 1-12 hours after an update to the primary site.</b></p>
|
||||
Download .lrp</a><br>
|
||||
<a target="_blank"
|
||||
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums">Download
|
||||
.md5sums</a></td>
|
||||
.md5sums</a></td>
|
||||
<td> <a target="_blank"
|
||||
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download
|
||||
.rpm</a> <br>
|
||||
@ -216,18 +228,19 @@ to the mirrors occur 1-12 hours after an update to the primary site.</b></p>
|
||||
Download .lrp</a><br>
|
||||
<a target="_blank"
|
||||
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums">Download
|
||||
.md5sums</a></td>
|
||||
.md5sums</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Paris, France</td>
|
||||
<td>Shorewall.net</td>
|
||||
<td><a href="http://france.shorewall.net/pub/LATEST.rpm">Download
|
||||
.rpm</a><br>
|
||||
<a href="http://france.shorewall.net/pub/LATEST.tgz">Download
|
||||
.tgz</a> <br>
|
||||
<a href="http://france.shorewall.net/pub/LATEST.lrp">Download
|
||||
.lrp</a><br>
|
||||
<a href="http://france.shorewall.net/pub/LATEST.md5sums">Download
|
||||
<td><a
|
||||
href="http://france.shorewall.net/pub/LATEST.rpm">Download .rpm</a><br>
|
||||
<a
|
||||
href="http://france.shorewall.net/pub/LATEST.tgz">Download .tgz</a> <br>
|
||||
<a
|
||||
href="http://france.shorewall.net/pub/LATEST.lrp">Download .lrp</a><br>
|
||||
<a
|
||||
href="http://france.shorewall.net/pub/LATEST.md5sums">Download
|
||||
.md5sums</a></td>
|
||||
<td> <a target="_blank"
|
||||
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.rpm">Download
|
||||
@ -274,28 +287,11 @@ to the mirrors occur 1-12 hours after an update to the primary site.</b></p>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
|
||||
<p align="left"><b>Documentation in PDF format:</b><br>
|
||||
</p>
|
||||
|
||||
<blockquote>
|
||||
<p>Juraj Ontkanin has produced a Portable Document Format (PDF) file containing
|
||||
the Shorewall 1.3.10 documenation (the documentation in HTML format is included
|
||||
in the .rpm and in the .tgz). The .pdf may be downloaded from</p>
|
||||
</blockquote>
|
||||
|
||||
<blockquote>
|
||||
<blockquote><a
|
||||
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/"
|
||||
target="_self">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><a
|
||||
href="http://slovakia.shorewall.net/pub/shorewall/pdf/"><br>
|
||||
http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
|
||||
</blockquote>
|
||||
</blockquote>
|
||||
|
||||
<p><b>Browse Download Sites:</b></p>
|
||||
|
||||
<blockquote>
|
||||
@ -334,7 +330,8 @@ in the .rpm and in the .tgz). The .pdf may be downloaded from</p>
|
||||
<tr>
|
||||
<td>Hamburg, Germany</td>
|
||||
<td>Shorewall.net</td>
|
||||
<td><a href="http://germany.shorewall.net/pub/shorewall/">Browse</a></td>
|
||||
<td><a
|
||||
href="http://germany.shorewall.net/pub/shorewall/">Browse</a></td>
|
||||
<td><a target="_blank"
|
||||
href="ftp://germany.shorewall.net/pub/shorewall">Browse</a></td>
|
||||
</tr>
|
||||
@ -357,11 +354,13 @@ in the .rpm and in the .tgz). The .pdf may be downloaded from</p>
|
||||
<tr>
|
||||
<td>Washington State, USA</td>
|
||||
<td>Shorewall.net</td>
|
||||
<td><a href="http://www.shorewall.net/pub/shorewall/">Browse</a></td>
|
||||
<td><a
|
||||
href="http://www.shorewall.net/pub/shorewall/">Browse</a></td>
|
||||
<td><a href="ftp://ftp.shorewall.net/pub/shorewall/"
|
||||
target="_blank">Browse</a></td>
|
||||
</tr>
|
||||
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
@ -377,19 +376,12 @@ in the .rpm and in the .tgz). The .pdf may be downloaded from</p>
|
||||
</p>
|
||||
</blockquote>
|
||||
|
||||
<p align="left"><b></b><font size="2">Last Updated 11/11/2002 - <a
|
||||
<p align="left"><font size="2">Last Updated 12/12/2002 - <a
|
||||
href="support.htm">Tom Eastep</a></font></p>
|
||||
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
|
||||
</p>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -6,6 +6,7 @@
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>Shorewall 1.3 Errata</title>
|
||||
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
@ -32,6 +33,7 @@
|
||||
|
||||
<ol>
|
||||
<li>
|
||||
|
||||
<p align="left"> <b><u>I</u>f you use a Windows system to download
|
||||
a corrected script, be sure to run the script through <u>
|
||||
<a href="http://www.megaloman.com/%7Ehany/software/hd2u/"
|
||||
@ -39,26 +41,29 @@
|
||||
it to your Linux system.</b></p>
|
||||
</li>
|
||||
<li>
|
||||
|
||||
<p align="left"> <b>If you are installing Shorewall for the
|
||||
first time and plan to use the .tgz and install.sh script, you can
|
||||
untar the archive, replace the 'firewall' script in the untarred directory
|
||||
with the one you downloaded below, and then run install.sh.</b></p>
|
||||
</li>
|
||||
<li>
|
||||
|
||||
<p align="left"> <b>When the instructions say to install a corrected
|
||||
firewall script in /etc/shorewall/firewall, /usr/lib/shorewall/firewall
|
||||
or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to overwrite
|
||||
the existing file. DO NOT REMOVE OR RENAME THE OLD /etc/shorewall/firewall
|
||||
or /var/lib/shorewall/firewall before you do that. /etc/shorewall/firewall
|
||||
and /var/lib/shorewall/firewall are symbolic links that point
|
||||
to the 'shorewall' file used by your system initialization scripts
|
||||
to start Shorewall during boot. It is that file that must be overwritten
|
||||
with the corrected script.</b></p>
|
||||
or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to
|
||||
overwrite the existing file. DO NOT REMOVE OR RENAME THE OLD
|
||||
/etc/shorewall/firewall or /var/lib/shorewall/firewall before
|
||||
you do that. /etc/shorewall/firewall and /var/lib/shorewall/firewall
|
||||
are symbolic links that point to the 'shorewall' file used by your
|
||||
system initialization scripts to start Shorewall during boot.
|
||||
It is that file that must be overwritten with the corrected
|
||||
script.</b></p>
|
||||
</li>
|
||||
<li>
|
||||
<p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
|
||||
ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. For
|
||||
example, do NOT install the 1.3.9a firewall script if you are running 1.3.7c.</font></b><br>
|
||||
example, do NOT install the 1.3.9a firewall script if you are running 1.3.7c.</font></b><br>
|
||||
</p>
|
||||
</li>
|
||||
|
||||
@ -66,19 +71,20 @@ example, do NOT install the 1.3.9a firewall script if you are running 1.3.7c.</
|
||||
|
||||
<ul>
|
||||
<li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
|
||||
<li> <b><a href="#V1.3">Problems in
|
||||
Version 1.3</a></b></li>
|
||||
<li> <b><a href="errata_2.htm">Problems
|
||||
in Version 1.2</a></b></li>
|
||||
<li> <b><font color="#660066"> <a
|
||||
href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
|
||||
<li> <b><a href="#V1.3">Problems
|
||||
in Version 1.3</a></b></li>
|
||||
<li> <b><a
|
||||
href="errata_2.htm">Problems in Version 1.2</a></b></li>
|
||||
<li> <b><font color="#660066">
|
||||
<a href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
|
||||
<li> <b><font color="#660066"><a
|
||||
href="#iptables"> Problem with iptables version 1.2.3 on RH7.2</a></font></b></li>
|
||||
<li> <b><a href="#Debug">Problems
|
||||
with kernels >= 2.4.18 and RedHat iptables</a></b></li>
|
||||
<li><b><a href="#SuSE">Problems installing/upgrading RPM on SuSE</a></b></li>
|
||||
<li><b><a href="#Multiport">Problems with iptables version 1.2.7
|
||||
and MULTIPORT=Yes</a></b></li>
|
||||
with kernels >= 2.4.18 and RedHat iptables</a></b></li>
|
||||
<li><b><a href="#SuSE">Problems installing/upgrading RPM
|
||||
on SuSE</a></b></li>
|
||||
<li><b><a href="#Multiport">Problems with iptables version
|
||||
1.2.7 and MULTIPORT=Yes</a></b></li>
|
||||
<li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10 and NAT</a></b><br>
|
||||
</li>
|
||||
|
||||
@ -87,18 +93,51 @@ with kernels >= 2.4.18 and RedHat iptables</a></b></li>
|
||||
<hr>
|
||||
<h2 align="left"><a name="V1.3"></a>Problems in Version 1.3</h2>
|
||||
|
||||
<h3>Version 1.3.11a</h3>
|
||||
<ul>
|
||||
<li><a
|
||||
href="http://www.shorewall.net/pub/shorewall/errata/1.3.11/rfc1918">This
|
||||
copy of /etc/shorewall/rfc1918</a> reflects the recent allocation of 82.0.0.0/8.<br>
|
||||
</li>
|
||||
</ul>
|
||||
<h3>Version 1.3.11</h3>
|
||||
|
||||
<ul>
|
||||
<li>When installing/upgrading using the .rpm, you may receive the following
|
||||
warnings:<br>
|
||||
<br>
|
||||
user teastep does not exist - using root<br>
|
||||
group teastep does not exist - using root<br>
|
||||
<br>
|
||||
These warnings are harmless and may be ignored. Users downloading the
|
||||
.rpm from shorewall.net or mirrors should no longer see these warnings as
|
||||
the .rpm you will get from there has been corrected.</li>
|
||||
<li>DNAT rules that exclude a source subzone (SOURCE column contains
|
||||
! followed by a sub-zone list) result in an error message and Shorewall
|
||||
fails to start.<br>
|
||||
<br>
|
||||
Install <a
|
||||
href="http://www.shorewall.net/pub/shorewall/errata/1.3.11/firewall">this
|
||||
corrected script</a> in /usr/lib/shorewall/firewall to correct this problem.
|
||||
Thanks go to Roger Aich who analyzed this problem and provided a fix.<br>
|
||||
<br>
|
||||
This problem is corrected in version 1.3.11a.<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h3>Version 1.3.10</h3>
|
||||
|
||||
<ul>
|
||||
<li>If you experience problems connecting to a PPTP server running on
|
||||
your firewall and you have a 'pptpserver' entry in /etc/shorewall/tunnels,
|
||||
<li>If you experience problems connecting to a PPTP server running
|
||||
on your firewall and you have a 'pptpserver' entry in /etc/shorewall/tunnels,
|
||||
<a
|
||||
href="http://www.shorewall.net/pub/shorewall/errata/1.3.10/firewall">this
|
||||
version of the firewall script</a> may help. Please report any cases where
|
||||
installing this script in /usr/lib/shorewall/firewall solved your connection
|
||||
problems. Beginning with version 1.3.10, it is safe to save the old version
|
||||
of /usr/lib/shorewall/firewall before copying in the new one since /usr/lib/shorewall/firewall
|
||||
is the real script now and not just a symbolic link to the real script.<br>
|
||||
version of the firewall script</a> may help. Please report any cases where
|
||||
installing this script in /usr/lib/shorewall/firewall solved your connection
|
||||
problems. Beginning with version 1.3.10, it is safe to save the old version
|
||||
of /usr/lib/shorewall/firewall before copying in the new one since /usr/lib/shorewall/firewall
|
||||
is the real script now and not just a symbolic link to the real script.<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
@ -106,8 +145,8 @@ is the real script now and not just a symbolic link to the real script.<br>
|
||||
<h3>Version 1.3.9a</h3>
|
||||
|
||||
<ul>
|
||||
<li> If entries are used in /etc/shorewall/hosts and MERGE_HOSTS=No then
|
||||
the following message appears during "shorewall [re]start":</li>
|
||||
<li> If entries are used in /etc/shorewall/hosts and MERGE_HOSTS=No
|
||||
then the following message appears during "shorewall [re]start":</li>
|
||||
|
||||
</ul>
|
||||
|
||||
@ -116,8 +155,8 @@ is the real script now and not just a symbolic link to the real script.<br>
|
||||
<blockquote> The updated firewall script at <a
|
||||
href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
|
||||
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
|
||||
corrects this problem.Copy the script to /usr/lib/shorewall/firewall as described
|
||||
above.<br>
|
||||
corrects this problem.Copy the script to /usr/lib/shorewall/firewall as
|
||||
described above.<br>
|
||||
</blockquote>
|
||||
|
||||
<blockquote> Alternatively, edit /usr/lob/shorewall/firewall and change the
|
||||
@ -126,10 +165,10 @@ is the real script now and not just a symbolic link to the real script.<br>
|
||||
</blockquote>
|
||||
|
||||
<ul>
|
||||
<li>The installer (install.sh) issues a misleading message "Common functions
|
||||
installed in /var/lib/shorewall/functions" whereas the file is installed
|
||||
in /usr/lib/shorewall/functions. The installer also performs incorrectly
|
||||
when updating old configurations that had the file /etc/shorewall/functions.
|
||||
<li>The installer (install.sh) issues a misleading message "Common
|
||||
functions installed in /var/lib/shorewall/functions" whereas the file
|
||||
is installed in /usr/lib/shorewall/functions. The installer also performs
|
||||
incorrectly when updating old configurations that had the file /etc/shorewall/functions.
|
||||
<a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.3.9/install.sh">Here
|
||||
is an updated version that corrects these problems.<br>
|
||||
@ -147,10 +186,10 @@ when updating old configurations that had the file /etc/shorewall/functions.
|
||||
Version 1.3.8
|
||||
<ul>
|
||||
<li> Use of shell variables in the LOG LEVEL or SYNPARMS columns
|
||||
of the policy file doesn't work.</li>
|
||||
<li>A DNAT rule with the same original and new IP addresses but
|
||||
with different port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24
|
||||
tcp 25 - 10.1.1.1")<br>
|
||||
of the policy file doesn't work.</li>
|
||||
<li>A DNAT rule with the same original and new IP addresses
|
||||
but with different port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24
|
||||
tcp 25 - 10.1.1.1")<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
@ -190,15 +229,15 @@ tcp 25 - 10.1.1.1")<br>
|
||||
has two problems:</p>
|
||||
|
||||
<ol>
|
||||
<li>If the firewall is running a
|
||||
DHCP server, the client won't be able
|
||||
to obtain an IP address lease from that
|
||||
server.</li>
|
||||
<li>If the firewall is running
|
||||
a DHCP server, the client won't be able
|
||||
to obtain an IP address lease from
|
||||
that server.</li>
|
||||
<li>With this order of checking,
|
||||
the "dhcp" option cannot be used as a
|
||||
noise-reduction measure where there are
|
||||
both dynamic and static clients on a LAN
|
||||
segment.</li>
|
||||
the "dhcp" option cannot be used as
|
||||
a noise-reduction measure where there
|
||||
are both dynamic and static clients on
|
||||
a LAN segment.</li>
|
||||
|
||||
</ol>
|
||||
|
||||
@ -229,8 +268,8 @@ segment.</li>
|
||||
<li>
|
||||
|
||||
<p align="left">If ADD_SNAT_ALIASES=Yes is specified in /etc/shorewall/shorewall.conf,
|
||||
an error occurs when the firewall script attempts to add an
|
||||
SNAT alias. </p>
|
||||
an error occurs when the firewall script attempts to add
|
||||
an SNAT alias. </p>
|
||||
</li>
|
||||
<li>
|
||||
|
||||
@ -277,8 +316,8 @@ segment.</li>
|
||||
|
||||
<div align="left">
|
||||
<p align="left">That capability was lost in version 1.3.4 so that it is only
|
||||
possible to include a single host specification on each line. This
|
||||
problem is corrected by <a
|
||||
possible to include a single host specification on each line.
|
||||
This problem is corrected by <a
|
||||
href="http://www.shorewall.net/pub/shorewall/errata/1.3.5a/firewall">this
|
||||
modified 1.3.5a firewall script</a>. Install the script in /var/lib/pub/shorewall/firewall
|
||||
as instructed above.</p>
|
||||
@ -295,7 +334,7 @@ segment.</li>
|
||||
href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">
|
||||
this corrected firewall script</a> in /var/lib/pub/shorewall/firewall
|
||||
as instructed above. This problem is corrected in version
|
||||
1.3.5a.</p>
|
||||
1.3.5a.</p>
|
||||
|
||||
<h3 align="left">Version 1.3.n, n < 4</h3>
|
||||
|
||||
@ -314,7 +353,7 @@ so it's a good idea to run that command after you have made configura
|
||||
that specifies an interface that you didn't include in /etc/shorewall/interfaces.
|
||||
To correct this problem, you must add an entry to /etc/shorewall/interfaces.
|
||||
Shorewall 1.3.3 and later versions produce a clearer error
|
||||
message in this case.</p>
|
||||
message in this case.</p>
|
||||
|
||||
<h3 align="left">Version 1.3.2</h3>
|
||||
|
||||
@ -324,11 +363,11 @@ message in this case.</p>
|
||||
version has a size of 38126 bytes.</p>
|
||||
|
||||
<ul>
|
||||
<li>The code to detect a duplicate interface entry in
|
||||
/etc/shorewall/interfaces contained a typo that prevented it
|
||||
from working correctly. </li>
|
||||
<li>"NAT_BEFORE_RULES=No" was broken; it behaved just
|
||||
like "NAT_BEFORE_RULES=Yes".</li>
|
||||
<li>The code to detect a duplicate interface entry
|
||||
in /etc/shorewall/interfaces contained a typo that prevented
|
||||
it from working correctly. </li>
|
||||
<li>"NAT_BEFORE_RULES=No" was broken; it behaved
|
||||
just like "NAT_BEFORE_RULES=Yes".</li>
|
||||
|
||||
</ul>
|
||||
|
||||
@ -352,28 +391,28 @@ from working correctly. </li>
|
||||
|
||||
<ul>
|
||||
<li>TCP SYN packets may be double counted when
|
||||
LIMIT:BURST is included in a CONTINUE or ACCEPT policy (i.e., each
|
||||
packet is sent through the limit chain twice).</li>
|
||||
LIMIT:BURST is included in a CONTINUE or ACCEPT policy (i.e.,
|
||||
each packet is sent through the limit chain twice).</li>
|
||||
<li>An unnecessary jump to the policy chain is sometimes
|
||||
generated for a CONTINUE policy.</li>
|
||||
<li>When an option is given for more than one interface
|
||||
in /etc/shorewall/interfaces then depending on the option,
|
||||
Shorewall may ignore all but the first appearence of the
|
||||
option. For example:<br>
|
||||
option. For example:<br>
|
||||
<br>
|
||||
net eth0 dhcp<br>
|
||||
loc eth1 dhcp<br>
|
||||
<br>
|
||||
Shorewall will ignore the 'dhcp' on eth1.</li>
|
||||
<li>Update 17 June 2002 - The bug described in the prior
|
||||
bullet affects the following options: dhcp, dropunclean, logunclean,
|
||||
norfc1918, routefilter, multi, filterping and noping. An
|
||||
additional bug has been found that affects only the 'routestopped'
|
||||
option.<br>
|
||||
<li>Update 17 June 2002 - The bug described in the
|
||||
prior bullet affects the following options: dhcp, dropunclean,
|
||||
logunclean, norfc1918, routefilter, multi, filterping and
|
||||
noping. An additional bug has been found that affects only
|
||||
the 'routestopped' option.<br>
|
||||
<br>
|
||||
Users who downloaded the corrected script prior to 1850
|
||||
GMT today should download and install the corrected script
|
||||
again to ensure that this second problem is corrected.</li>
|
||||
Users who downloaded the corrected script prior
|
||||
to 1850 GMT today should download and install the corrected
|
||||
script again to ensure that this second problem is corrected.</li>
|
||||
|
||||
</ul>
|
||||
|
||||
@ -385,10 +424,10 @@ option.<br>
|
||||
<h3 align="left">Version 1.3.0</h3>
|
||||
|
||||
<ul>
|
||||
<li>Folks who downloaded 1.3.0 from the links on the
|
||||
download page before 23:40 GMT, 29 May 2002 may have downloaded
|
||||
1.2.13 rather than 1.3.0. The "shorewall version" command
|
||||
will tell you which version that you have installed.</li>
|
||||
<li>Folks who downloaded 1.3.0 from the links on
|
||||
the download page before 23:40 GMT, 29 May 2002 may have
|
||||
downloaded 1.2.13 rather than 1.3.0. The "shorewall version"
|
||||
command will tell you which version that you have installed.</li>
|
||||
<li>The documentation NAT.htm file uses non-existent
|
||||
wallpaper and bullet graphic files. The <a
|
||||
href="http://www.shorewall.net/pub/shorewall/errata/1.3.0/NAT.htm">
|
||||
@ -408,17 +447,17 @@ will tell you which version that you have installed.</li>
|
||||
|
||||
<blockquote>
|
||||
<p align="left">There are a couple of serious bugs in iptables 1.2.3 that
|
||||
prevent it from working with Shorewall. Regrettably, RedHat released
|
||||
this buggy iptables in RedHat 7.2. </p>
|
||||
prevent it from working with Shorewall. Regrettably, RedHat
|
||||
released this buggy iptables in RedHat 7.2. </p>
|
||||
|
||||
<p align="left"> I have built a <a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
|
||||
corrected 1.2.3 rpm which you can download here</a> and I have also
|
||||
built an <a
|
||||
built an <a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
|
||||
iptables-1.2.4 rpm which you can download here</a>. If you are currently
|
||||
running RedHat 7.1, you can install either of these RPMs <b><u>before</u>
|
||||
</b>you upgrade to RedHat 7.2.</p>
|
||||
running RedHat 7.1, you can install either of these RPMs
|
||||
<b><u>before</u> </b>you upgrade to RedHat 7.2.</p>
|
||||
|
||||
<p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat
|
||||
has released an iptables-1.2.4 RPM of their own which you can download
|
||||
@ -451,6 +490,7 @@ iptables-1.2.4 rpm which you can download here</a>. If you are currently
|
||||
may experience the following:</p>
|
||||
|
||||
<blockquote>
|
||||
|
||||
<pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.<br>Aborted (core dumped)<br></pre>
|
||||
</blockquote>
|
||||
|
||||
@ -459,9 +499,9 @@ iptables-1.2.4 rpm which you can download here</a>. If you are currently
|
||||
the Netfilter 'mangle' table. You can correct the problem by installing
|
||||
<a
|
||||
href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
|
||||
this iptables RPM</a>. If you are already running a 1.2.5 version of
|
||||
iptables, you will need to specify the --oldpackage option to rpm (e.g.,
|
||||
"iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
|
||||
this iptables RPM</a>. If you are already running a 1.2.5 version
|
||||
of iptables, you will need to specify the --oldpackage option to rpm
|
||||
(e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
|
||||
</blockquote>
|
||||
|
||||
|
||||
@ -490,7 +530,7 @@ iptables-1.2.4 rpm which you can download here</a>. If you are currently
|
||||
<li>set MULTIPORT=No in
|
||||
/etc/shorewall/shorewall.conf; or </li>
|
||||
<li>if you are running Shorewall
|
||||
1.3.6 you may install
|
||||
1.3.6 you may install
|
||||
<a
|
||||
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
|
||||
this firewall script</a> in /var/lib/shorewall/firewall
|
||||
@ -508,22 +548,17 @@ iptables-1.2.4 rpm which you can download here</a>. If you are currently
|
||||
Error message is:<br>
|
||||
|
||||
<pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
|
||||
The solution is to put "no" in the LOCAL column. Kernel support for LOCAL=yes
|
||||
has never worked properly and 2.4.18-10 has disabled it. The 2.4.19 kernel
|
||||
contains corrected support under a new kernel configuraiton option; see
|
||||
<a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
|
||||
The solution is to put "no" in the LOCAL column. Kernel support for
|
||||
LOCAL=yes has never worked properly and 2.4.18-10 has disabled it. The
|
||||
2.4.19 kernel contains corrected support under a new kernel configuraiton
|
||||
option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
|
||||
|
||||
<p><font size="2"> Last updated 11/24/2002 -
|
||||
<p><font size="2"> Last updated 12/3/2002 -
|
||||
<a href="support.htm">Tom Eastep</a></font> </p>
|
||||
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
|
BIN
Shorewall-docs/images/MDKlinux.jpg
Normal file
BIN
Shorewall-docs/images/MDKlinux.jpg
Normal file
Binary file not shown.
After Width: | Height: | Size: 15 KiB |
BIN
Shorewall-docs/images/courier-imap.png
Normal file
BIN
Shorewall-docs/images/courier-imap.png
Normal file
Binary file not shown.
BIN
Shorewall-docs/images/logo2.png
Normal file
BIN
Shorewall-docs/images/logo2.png
Normal file
Binary file not shown.
BIN
Shorewall-docs/images/medbutton.png
Normal file
BIN
Shorewall-docs/images/medbutton.png
Normal file
Binary file not shown.
BIN
Shorewall-docs/images/obrasinf.gif
Normal file
BIN
Shorewall-docs/images/obrasinf.gif
Normal file
Binary file not shown.
After Width: | Height: | Size: 7.1 KiB |
@ -33,10 +33,18 @@
|
||||
</a><a href="http://www.postfix.org/"> <img
|
||||
src="images/small-picture.gif" align="right" border="0" width="115"
|
||||
height="45">
|
||||
</a><font color="#ffffff">Shorewall Mailing Lists</font></h1>
|
||||
</a><font color="#ffffff">Shorewall Mailing Lists<a
|
||||
href="http://www.inter7.com/courierimap/"><img
|
||||
src="images/courier-imap.png" alt="Courier-Imap" width="100"
|
||||
height="38" align="right">
|
||||
</a></font></h1>
|
||||
|
||||
|
||||
<p align="right"><font color="#ffffff"><b><br>
|
||||
Powered by Postfix </b></font> </p>
|
||||
</b></font></p>
|
||||
|
||||
<p align="right"><font color="#ffffff"><b><br>
|
||||
Powered by Postfix </b></font> </p>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
@ -71,10 +79,27 @@ Powered by Postfix
|
||||
<li>to ensure that the sender address is fully qualified.</li>
|
||||
<li>to verify that the sender's domain has an A or MX record in DNS.</li>
|
||||
<li>to ensure that the host name in the HELO/EHLO command is a valid
|
||||
fully-qualified DNS name.<br>
|
||||
</li>
|
||||
fully-qualified DNS name.</li>
|
||||
|
||||
</ol>
|
||||
<h2>Please post in plain text</h2>
|
||||
While the list server here at shorewall.net accepts and distributes HTML
|
||||
posts, a growing number of MTAs serving list subscribers are rejecting this
|
||||
HTML list traffic. At least one MTA has gone so far as to blacklist shorewall.net
|
||||
"for continuous abuse"!!<br>
|
||||
<br>
|
||||
I think that blocking all HTML is a rather draconian way to control spam
|
||||
and that the unltimate loser here is not the spammers but the list subscribers
|
||||
whose MTAs are bouncing all shorewall.net mail. Nevertheless, all of you
|
||||
can help by restricting your list posts to plain text.<br>
|
||||
<br>
|
||||
And as a bonus, subscribers who use email clients like pine and mutt will
|
||||
be able to read your plain text posts whereas they are most likely simply
|
||||
ignoring your HTML posts.<br>
|
||||
<br>
|
||||
A final bonus for the use of HTML is that it cuts down the size of messages
|
||||
by a large percentage -- that is important when the same message must be
|
||||
sent 500 times over the slow DSL line connecting the list server to the internet.<br>
|
||||
|
||||
<h2></h2>
|
||||
|
||||
@ -110,14 +135,19 @@ fully-qualified DNS name.<br>
|
||||
type="submit" value="Search"> </p>
|
||||
</form>
|
||||
|
||||
<h2 align="left"><font color="#ff0000">Please do not try to download the entire
|
||||
Archive -- its 75MB (and growing daily) and my slow DSL line simply won't
|
||||
stand the traffic. If I catch you, you'll be blacklisted.<br>
|
||||
</font></h2>
|
||||
|
||||
<h2 align="left">Shorewall CA Certificate</h2>
|
||||
If you want to trust X.509 certificates issued by Shoreline Firewall
|
||||
(such as the one used on my web site), you may <a
|
||||
(such as the one used on my web site), you may <a
|
||||
href="Shorewall_CA_html.html">download and install my CA certificate</a>
|
||||
in your browser. If you don't wish to trust my certificates then you can
|
||||
either use unencrypted access when subscribing to Shorewall mailing lists
|
||||
or you can use secure access (SSL) and accept the server's certificate when
|
||||
prompted by your browser.<br>
|
||||
in your browser. If you don't wish to trust my certificates then you
|
||||
can either use unencrypted access when subscribing to Shorewall mailing
|
||||
lists or you can use secure access (SSL) and accept the server's certificate
|
||||
when prompted by your browser.<br>
|
||||
|
||||
<h2 align="left">Shorewall Users Mailing List</h2>
|
||||
|
||||
@ -187,10 +217,10 @@ list may be found at <a
|
||||
</li>
|
||||
<li>
|
||||
<p align="left">Down at the bottom of that page is the following text:
|
||||
"To change your subscription (set options like digest and delivery modes,
|
||||
get a reminder of your password, <b>or unsubscribe</b> from <name
|
||||
of list>), enter your subscription email address:". Enter your email
|
||||
address in the box and click on the "Edit Options" button.</p>
|
||||
"To change your subscription (set options like digest and delivery
|
||||
modes, get a reminder of your password, <b>or unsubscribe</b> from
|
||||
<name of list>), enter your subscription email address:". Enter
|
||||
your email address in the box and click on the "Edit Options" button.</p>
|
||||
</li>
|
||||
<li>
|
||||
<p align="left">There will now be a box where you can enter your password
|
||||
@ -205,17 +235,12 @@ address in the box and click on the "Edit Options" button.</p>
|
||||
|
||||
<p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p>
|
||||
|
||||
<p align="left"><font size="2">Last updated 11/22/2002 - <a
|
||||
<p align="left"><font size="2">Last updated 12/27/2002 - <a
|
||||
href="support.htm">Tom Eastep</a></font></p>
|
||||
|
||||
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
|
||||
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
|
||||
</p>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -33,11 +33,11 @@
|
||||
|
||||
<blockquote>
|
||||
<div align="left">
|
||||
<pre>2020ca - delivery to this domain has been disabled (cause unknown)<br>arosy.de - delivery to this domain has been disabled (Relay access denied)<br>arundel.homelinux.org - delivery to this domain has been disabled (connection timed out, connection refused)<br>asurfer.com - (Mailbox full)<br>bol.com.br - delivery to this domain has been disabled (Mailbox Full)<br>cuscominc.com - delivery to this domain has been disabled (bouncing mail from all sources with "Mail rejected because the server you are sending to is misconfigured").<br>excite.com - delivery to this domain has been disabled (cause unknown)<br>epacificglobal.com - delivery to this domain has been disabled (no MX record for domain)<br>freefish.dyndns.org - delivery to this domain has been disabled (Name Server Problem -- Host not found)<br>gmx.net - delivery to this domain has been disabled (cause unknown)<br>hotmail.com - delivery to this domain has been disabled (Mailbox over quota)<br>intercom.net - delivery to this domain has been disabled (cause unknown)<br>ionsphere.org - (connection timed out)<br>initialcs.com - delivery to this domain has been disabled (cause unknown)<br>intelligents.2y.net - delivery to this domain has been disabled (Name Service Problem -- Host not Found).<br>khp-inc.com - delivery to this domain has been disabled (anti-virus problems)<br>kieninger.de - delivery to this domain has been disabled (relaying to <xxxxx@kieninger.de> prohibited by administrator)<br>lariera.com - delivery to this domain has been disabled (Unknown User)<br>littleblue.de - (connection timed out)<br>mfocus.com.my - delivery to this domain has been disabled (MTA at mailx.mfocus.com.my not delivering and not giving a reason)<br>navair.navy.mil - delivery to this domain has been disabled (A restriction in the system prevented delivery of the message)<br>opermail.net - delivery to this domain has been disabled (cause unknown)<br>opus.homeip.net - (SpamAssassin is missing the HiRes Time module)<br>penquindevelopment.com - delivery to this domain has been disabled (connection timed out)<br>scip-online.de - delivery to this domain has been disabled (cause unknown)<br>spctnet.com - connection timed out - delivery to this domain has been disabled<br>telusplanet.net - delivery to this domain has been disabled (cause unknown)<br>yahoo.com - delivery to this domain has been disabled (Mailbox over quota)</pre>
|
||||
<pre>2020ca - delivery to this domain has been disabled (cause unknown)<br>arosy.de - delivery to this domain has been disabled (Relay access denied)<br>arundel.homelinux.org - delivery to this domain has been disabled (connection timed out, connection refused)<br>asurfer.com - (Mailbox full)<br>bol.com.br - delivery to this domain has been disabled (Mailbox Full)<br>cuscominc.com - delivery to this domain has been disabled (bouncing mail from all sources with "Mail rejected because the server you are sending to is misconfigured").<br>cvnet.psi.br - (DNS configuration error -- MX is cvn-srv1.cvnet.psi.br.cvnet.psi.br)<br>datakota.com - (DNS Timeouts)<br>excite.com - delivery to this domain has been disabled (cause unknown)<br>epacificglobal.com - delivery to this domain has been disabled (no MX record for domain)<br>freefish.dyndns.org - delivery to this domain has been disabled (Name Server Problem -- Host not found)<br>gmx.net - delivery to this domain has been disabled (cause unknown)<br>hotmail.com - delivery to this domain has been disabled (Mailbox over quota)<br>intercom.net - delivery to this domain has been disabled (cause unknown)<br>nitialcs.com - delivery to this domain has been disabled (cause unknown)<br>intelligents.2y.net - delivery to this domain has been disabled (Name Service Problem -- Host not Found).<br>khp-inc.com - delivery to this domain has been disabled (anti-virus problems)<br>kieninger.de - delivery to this domain has been disabled (relaying to <xxxxx@kieninger.de> prohibited by administrator)<br>lariera.com - delivery to this domain has been disabled (Unknown User)<br>mfocus.com.my - delivery to this domain has been disabled (MTA at mailx.mfocus.com.my not delivering and not giving a reason)<br>navair.navy.mil - delivery to this domain has been disabled (A restriction in the system prevented delivery of the message)<br>opermail.net - delivery to this domain has been disabled (cause unknown)<br>penquindevelopment.com - delivery to this domain has been disabled (connection timed out)<br>scip-online.de - delivery to this domain has been disabled (cause unknown)<br>spctnet.com - connection timed out - delivery to this domain has been disabled<br>telusplanet.net - delivery to this domain has been disabled (cause unknown)<br>the-techy.com - delivery to this domain has been disabled (clueless administrator - continuous DNS problems) <br>yahoo.com - delivery to this domain has been disabled (Mailbox over quota)</pre>
|
||||
</div>
|
||||
</blockquote>
|
||||
|
||||
<p align="left"><font size="2">Last updated 11/24/2002 18:44 GMT - <a
|
||||
<p align="left"><font size="2">Last updated 12/17/2002 02:51 GMT - <a
|
||||
href="support.htm">Tom Eastep</a></font></p>
|
||||
|
||||
<p align="left"><a href="copyright.htm"> <font face="Trebuchet MS"> <font
|
||||
@ -53,5 +53,8 @@
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
90
Shorewall-docs/ping.html
Normal file
90
Shorewall-docs/ping.html
Normal file
@ -0,0 +1,90 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
<title>ICMP Echo-request (Ping)</title>
|
||||
<meta http-equiv="content-type"
|
||||
content="text/html; charset=ISO-8859-1">
|
||||
<meta name="author" content="Tom Eastep">
|
||||
</head>
|
||||
<body>
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#400169" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">ICMP Echo-request (Ping)</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
Shorewall 'Ping' management has evolved over time in a less than consistant
|
||||
way. This page describes how it now works.<br>
|
||||
<br>
|
||||
There are several aspects to Shorewall Ping management:<br>
|
||||
<ol>
|
||||
<li>The <b>noping</b> and <b>filterping </b>interface options in <a
|
||||
href="file:///home/teastep/Shorewall-docs/Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
|
||||
<li>The <b>FORWARDPING</b> option in<a
|
||||
href="file:///home/teastep/Shorewall-docs/Documentation.htm#Conf"> /etc/shorewall/shorewall.conf</a>.</li>
|
||||
<li>Explicit rules in <a
|
||||
href="file:///home/teastep/Shorewall-docs/Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
|
||||
</ol>
|
||||
There are two cases to consider:<br>
|
||||
<ol>
|
||||
<li>Ping requests addressed to the firewall itself; and</li>
|
||||
<li>Ping requests being forwarded to another system. Included here are
|
||||
all cases of packet forwarding including NAT, DNAT rule, Proxy ARP and simple
|
||||
routing.</li>
|
||||
</ol>
|
||||
These cases will be covered separately.<br>
|
||||
<h2>Ping Requests Addressed to the Firewall Itself</h2>
|
||||
For ping requests addressed to the firewall, the sequence is as follows:<br>
|
||||
<ol>
|
||||
<li>If neither <b>noping</b> nor <b>filterping </b>are specified for the
|
||||
interface that receives the ping request then the request will be responded
|
||||
to with an ICMP echo-reply.</li>
|
||||
<li>If <b>noping</b> is specified for the interface that receives the ping
|
||||
request then the request is ignored.</li>
|
||||
<li>If <b>filterping </b>is specified for the interface then the request
|
||||
is passed to the rules/policy evaluation.</li>
|
||||
</ol>
|
||||
<h2>Ping Requests Forwarded by the Firewall</h2>
|
||||
These requests are <b>always</b> passed to rules/policy evaluation.<br>
|
||||
<h2>Rules Evaluation</h2>
|
||||
Ping requests are ICMP type 8. So the general rule format is:<br>
|
||||
<br>
|
||||
<i>Target Source Destination
|
||||
</i>icmp 8<br>
|
||||
<br>
|
||||
Example 1. Accept pings from the net to the dmz (pings are responded to with
|
||||
an ICMP echo-reply):<br>
|
||||
<br>
|
||||
ACCEPT net dmz
|
||||
icmp 8<br>
|
||||
<br>
|
||||
Example 2. Drop pings from the net to the firewall<br>
|
||||
<br>
|
||||
DROP net fw
|
||||
icmp 8<br>
|
||||
<h2>Policy Evaluation</h2>
|
||||
If no applicable rule is found, then the policy for the source to the destination
|
||||
is applied.<br>
|
||||
<ol>
|
||||
<li>If the relevant policy is ACCEPT then the request is responded to with
|
||||
an ICMP echo-reply.</li>
|
||||
<li>If <b>FORWARDPING</b> is set to Yes in /etc/shorewall/shorewall.conf
|
||||
then the request is responded to with an ICMP echo-reply.</li>
|
||||
<li>Otherwise, the relevant REJECT or DROP policy is used and the request
|
||||
is either rejected or simply ignored.</li>
|
||||
</ol>
|
||||
<p><font size="2">Updated 12/13/2002 - <a
|
||||
href="file:///home/teastep/Shorewall-docs/support.htm">Tom Eastep</a> </font></p>
|
||||
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
@ -11,6 +11,7 @@
|
||||
|
||||
|
||||
|
||||
|
||||
<base target="_self">
|
||||
</head>
|
||||
<body>
|
||||
@ -20,10 +21,13 @@
|
||||
<table border="0" cellpadding="0" cellspacing="4"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber3"
|
||||
bgcolor="#4b017c">
|
||||
|
||||
<tbody>
|
||||
<tr>
|
||||
<td
|
||||
width="100%" height="90">
|
||||
|
||||
<td width="100%" height="90">
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@ -33,9 +37,10 @@
|
||||
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4"
|
||||
alt="Shorwall Logo" height="70" width="85" align="left"
|
||||
src="images/washington.jpg" border="0">
|
||||
</a></i></font><font
|
||||
color="#ffffff">Shorewall 1.3 - <font size="4">"<i>iptables
|
||||
made easy"</i></font></font></h1>
|
||||
|
||||
</a></i></font><font color="#ffffff">Shorewall 1.3 -
|
||||
<font size="4">"<i>iptables made easy"</i></font></font></h1>
|
||||
|
||||
|
||||
|
||||
|
||||
@ -47,12 +52,16 @@
|
||||
color="#ffffff">Shorewall 1.2 Site here</font></a><br>
|
||||
</div>
|
||||
<br>
|
||||
|
||||
</td>
|
||||
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
|
||||
</tbody>
|
||||
|
||||
</table>
|
||||
|
||||
|
||||
@ -60,12 +69,16 @@
|
||||
<div align="center">
|
||||
|
||||
<center>
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber4">
|
||||
|
||||
<tbody>
|
||||
<tr>
|
||||
<td
|
||||
width="90%">
|
||||
|
||||
<td width="90%">
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@ -79,9 +92,11 @@
|
||||
|
||||
|
||||
|
||||
<p>The Shoreline Firewall, more commonly known as "Shorewall", is a
|
||||
<a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
|
||||
that can be used on a dedicated firewall system, a multi-function
|
||||
|
||||
|
||||
<p>The Shoreline Firewall, more commonly known as "Shorewall", is
|
||||
a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
|
||||
firewall that can be used on a dedicated firewall system, a multi-function
|
||||
gateway/router/server or on a standalone GNU/Linux system.</p>
|
||||
|
||||
|
||||
@ -90,22 +105,29 @@
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<p>This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of <a
|
||||
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU General
|
||||
Public License</a> as published by the Free Software Foundation.<br>
|
||||
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
|
||||
General Public License</a> as published by the Free Software Foundation.<br>
|
||||
|
||||
<br>
|
||||
This program
|
||||
is distributed in the hope that it will be useful,
|
||||
but WITHOUT ANY WARRANTY; without even the implied warranty
|
||||
of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
|
||||
See the GNU General Public License for more details.<br>
|
||||
|
||||
This program is distributed in the hope that it
|
||||
will be useful, but WITHOUT ANY WARRANTY; without
|
||||
even the implied warranty of MERCHANTABILITY or FITNESS
|
||||
FOR A PARTICULAR PURPOSE. See the GNU General Public
|
||||
License for more details.<br>
|
||||
|
||||
<br>
|
||||
You should
|
||||
have received a copy of the GNU General Public License
|
||||
along with this program; if not, write to the Free Software
|
||||
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139,
|
||||
USA</p>
|
||||
|
||||
You should have received a copy of the GNU General
|
||||
Public License along with this program; if not,
|
||||
write to the Free Software Foundation, Inc., 675
|
||||
Mass Ave, Cambridge, MA 02139, USA</p>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@ -121,22 +143,28 @@ Public License</a> as published by the Free Software Foundation.<br>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
|
||||
border="0" src="images/leaflogo.gif" width="49" height="36">
|
||||
</a>Jacques
|
||||
Nilo and Eric Wolzak have a LEAF (router/firewall/gateway
|
||||
on a floppy, CD or compact flash) distribution called
|
||||
<i>Bering</i> that features Shorewall-1.3.10 and Kernel-2.4.18.
|
||||
You can find their work at: <a
|
||||
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
|
||||
|
||||
</a>Jacques Nilo and Eric Wolzak have a LEAF
|
||||
(router/firewall/gateway on a floppy, CD or compact flash) distribution
|
||||
called <i>Bering</i> that features Shorewall-1.3.10
|
||||
and Kernel-2.4.18. You can find their work at:
|
||||
<a href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
|
||||
</a></p>
|
||||
|
||||
<p><b>Congratulations to Jacques and Eric on the recent release of Bering
|
||||
1.0 Final!!! </b><br>
|
||||
|
||||
<p><b>Congratulations to Jacques and Eric on the recent release of
|
||||
Bering 1.0 Final!!! </b><br>
|
||||
</p>
|
||||
|
||||
<h2>This is a mirror of the main Shorewall web site at SourceForge (<a
|
||||
href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
|
||||
|
||||
<h2>This is a mirror of the main Shorewall web site at SourceForge
|
||||
(<a href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@ -154,256 +182,187 @@ Public License</a> as published by the Free Software Foundation.<br>
|
||||
|
||||
|
||||
|
||||
|
||||
<h2></h2>
|
||||
|
||||
|
||||
|
||||
|
||||
<p><b>11/24/2002 - Shorewall 1.3.11</b><b> </b><b><img border="0"
|
||||
src="images/new10.gif" width="28" height="12" alt="(New)">
|
||||
|
||||
|
||||
<p><b>12/27/2002 - Shorewall 1.3.12 Released</b><b> </b><b><img
|
||||
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
|
||||
</b></p>
|
||||
|
||||
<p>In this version:</p>
|
||||
|
||||
<ul>
|
||||
<li>A 'tcpflags' option has been added to entries in <a
|
||||
href="file:///home/teastep/Shorewall-docs/Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
|
||||
This option causes Shorewall to make a set of sanity check on TCP packet
|
||||
header flags.</li>
|
||||
<li>It is now allowed to use 'all' in the SOURCE or DEST column in
|
||||
a <a href="file:///home/teastep/Shorewall-docs/Documentation.htm#Rules">rule</a>.
|
||||
When used, 'all' must appear by itself (in may not be qualified) and it does
|
||||
not enable intra-zone traffic. For example, the rule <br>
|
||||
<br>
|
||||
ACCEPT loc all tcp 80<br>
|
||||
<br>
|
||||
does not enable http traffic from 'loc' to 'loc'.</li>
|
||||
<li>Shorewall's use of the 'echo' command is now compatible with
|
||||
bash clones such as ash and dash.</li>
|
||||
<li>fw->fw policies now generate a startup error. fw->fw rules
|
||||
generate a warning and are ignored</li>
|
||||
</ul>
|
||||
|
||||
<p><b>11/14/2002 - Shorewall Documentation in PDF Format</b><b>
|
||||
</b></p>
|
||||
|
||||
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10
|
||||
documenation. the PDF may be downloaded from</p>
|
||||
|
||||
<p> <a
|
||||
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
|
||||
<a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
|
||||
<p> Features include:<br>
|
||||
</p>
|
||||
|
||||
<p><b>11/09/2002 - Shorewall is Back at SourceForge</b><b>
|
||||
</b></p>
|
||||
<ol>
|
||||
<li>"shorewall refresh" now reloads the traffic shaping rules (tcrules
|
||||
and tcstart).</li>
|
||||
<li>"shorewall debug [re]start" now turns off debugging after an
|
||||
error occurs. This places the point of the failure near the end of the
|
||||
trace rather than up in the middle of it.</li>
|
||||
<li>"shorewall [re]start" has been speeded up by more than 40% with
|
||||
my configuration. Your milage may vary.</li>
|
||||
<li>A "shorewall show classifiers" command has been added which shows
|
||||
the current packet classification filters. The output from this command
|
||||
is also added as a separate page in "shorewall monitor"</li>
|
||||
<li>ULOG (must be all caps) is now accepted as a valid syslog level
|
||||
and causes the subject packets to be logged using the ULOG target rather
|
||||
than the LOG target. This allows you to run ulogd (available from <a
|
||||
href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
|
||||
and log all Shorewall messages <a
|
||||
href="configuration_file_basics.htm#Levels">to a separate log file</a>.</li>
|
||||
<li>If you are running a kernel that has a FORWARD chain in the mangle
|
||||
table ("shorewall show mangle" will show you the chains in the mangle table),
|
||||
you can set MARK_IN_FORWARD_CHAIN=Yes in <a
|
||||
href="Documentation.htm#Conf">shorewall.conf</a>. This allows for marking
|
||||
input packets based on their destination even when you are using Masquerading
|
||||
or SNAT.</li>
|
||||
<li>I have cluttered up the /etc/shorewall directory with empty 'init',
|
||||
'start', 'stop' and 'stopped' files. If you already have a file with one
|
||||
of these names, don't worry -- the upgrade process won't overwrite your file.</li>
|
||||
<li>I have added a new RFC1918_LOG_LEVEL variable to <a
|
||||
href="Documentation.htm#Conf">shorewall.conf</a>. This variable specifies
|
||||
the syslog level at which packets are logged as a result of entries in the
|
||||
/etc/shorewall/rfc1918 file. Previously, these packets were always logged
|
||||
at the 'info' level.<br>
|
||||
</li>
|
||||
</ol>
|
||||
|
||||
<p><b>12/20/2002 - Shorewall 1.3.12 Beta 3</b><br>
|
||||
</p>
|
||||
This version corrects a problem with Blacklist logging. In Beta 2, if BLACKLIST_LOG_LEVEL
|
||||
was set to anything but ULOG, the firewall would fail to start and "shorewall
|
||||
refresh" would also fail.<br>
|
||||
|
||||
<p>The main Shorewall web site is now back at SourceForge at <a
|
||||
href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>.<br>
|
||||
<p> You may download the Beta from:<br>
|
||||
</p>
|
||||
|
||||
|
||||
<p><b>11/09/2002 - Shorewall 1.3.10</b><b>
|
||||
</b></p>
|
||||
|
||||
|
||||
<p>In this version:</p>
|
||||
|
||||
|
||||
<ul>
|
||||
<li>You may now <a href="IPSEC.htm#Dynamic">define the
|
||||
contents of a zone dynamically</a> with the <a
|
||||
href="starting_and_stopping_shorewall.htm">"shorewall add" and "shorewall
|
||||
delete" commands</a>. These commands are expected to be used primarily
|
||||
within <a href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a>
|
||||
updown scripts.</li>
|
||||
<li>Shorewall can now do<a
|
||||
href="MAC_Validation.html"> MAC verification</a> on ethernet segments.
|
||||
You can specify the set of allowed MAC addresses on the segment and
|
||||
you can optionally tie each MAC address to one or more IP addresses.</li>
|
||||
<li>PPTP Servers and Clients running on the firewall
|
||||
system may now be defined in the<a href="PPTP.htm"> /etc/shorewall/tunnels</a>
|
||||
file.</li>
|
||||
<li>A new 'ipsecnat' tunnel type is supported for use
|
||||
when the <a href="IPSEC.htm">remote IPSEC endpoint is behind
|
||||
a NAT gateway</a>.</li>
|
||||
<li>The PATH used by Shorewall may now be specified in
|
||||
<a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
|
||||
<li>The main firewall script is now /usr/lib/shorewall/firewall.
|
||||
The script in /etc/init.d/shorewall is very small and uses /sbin/shorewall
|
||||
to do the real work. This change makes custom distributions such as
|
||||
for Debian and for Gentoo easier to manage since it is /etc/init.d/shorewall
|
||||
that tends to have distribution-dependent code.</li>
|
||||
|
||||
|
||||
</ul>
|
||||
If you have installed the 1.3.10 Beta 1 RPM and are now upgrading
|
||||
to version 1.3.10, you will need to use the '--force' option:<br>
|
||||
|
||||
|
||||
<blockquote>
|
||||
|
||||
<pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm</pre>
|
||||
<blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
|
||||
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
|
||||
target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
|
||||
</blockquote>
|
||||
|
||||
<p><b>12/20/2002 - Shorewall 1.3.12 Beta 2</b><b>
|
||||
</b></p>
|
||||
The first public Beta version of Shorewall 1.3.12 is now available (Beta
|
||||
1 was made available to a limited audience). <br>
|
||||
<br>
|
||||
Features include:<br>
|
||||
<br>
|
||||
|
||||
<p><b>10/24/2002 - Shorewall is now in Gentoo Linux</b><a
|
||||
href="http://www.gentoo.org"><br>
|
||||
</a></p>
|
||||
Alexandru Hartmann reports that his Shorewall package
|
||||
is now a part of <a href="http://www.gentoo.org">the Gentoo
|
||||
Linux distribution</a>. Thanks Alex!<br>
|
||||
<ol>
|
||||
<li>"shorewall refresh" now reloads the traffic shaping rules
|
||||
(tcrules and tcstart).</li>
|
||||
<li>"shorewall debug [re]start" now turns off debugging after
|
||||
an error occurs. This places the point of the failure near the end of the
|
||||
trace rather than up in the middle of it.</li>
|
||||
<li>"shorewall [re]start" has been speeded up by more than 40%
|
||||
with my configuration. Your milage may vary.</li>
|
||||
<li>A "shorewall show classifiers" command has been added which
|
||||
shows the current packet classification filters. The output from this command
|
||||
is also added as a separate page in "shorewall monitor"</li>
|
||||
<li>ULOG (must be all caps) is now accepted as a valid syslog
|
||||
level and causes the subject packets to be logged using the ULOG target
|
||||
rather than the LOG target. This allows you to run ulogd (available from
|
||||
<a href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
|
||||
and log all Shorewall messages <a
|
||||
href="configuration_file_basics.htm#Levels">to a separate log file</a>.</li>
|
||||
<li>If you are running a kernel that has a FORWARD chain in
|
||||
the mangle table ("shorewall show mangle" will show you the chains in the
|
||||
mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf.
|
||||
This allows for marking input packets based on their destination even when
|
||||
you are using Masquerading or SNAT.</li>
|
||||
<li>I have cluttered up the /etc/shorewall directory with empty
|
||||
'init', 'start', 'stop' and 'stopped' files. If you already have a file
|
||||
with one of these names, don't worry -- the upgrade process won't overwrite
|
||||
your file.</li>
|
||||
|
||||
|
||||
|
||||
<p><b>10/23/2002 - Shorewall 1.3.10 Beta 1</b><b> </b></p>
|
||||
In this version:<br>
|
||||
|
||||
|
||||
|
||||
<ul>
|
||||
<li>You may now <a href="IPSEC.htm#Dynamic">define
|
||||
the contents of a zone dynamically</a> with the <a
|
||||
href="starting_and_stopping_shorewall.htm">"shorewall add" and "shorewall
|
||||
delete" commands</a>. These commands are expected to be used primarily
|
||||
within <a href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a>
|
||||
updown scripts.</li>
|
||||
<li>Shorewall can now do<a
|
||||
href="MAC_Validation.html"> MAC verification</a> on ethernet segments.
|
||||
You can specify the set of allowed MAC addresses on the segment and
|
||||
you can optionally tie each MAC address to one or more IP addresses.</li>
|
||||
<li>PPTP Servers and Clients running on the
|
||||
firewall system may now be defined in the<a href="PPTP.htm"> /etc/shorewall/tunnels</a>
|
||||
file.</li>
|
||||
<li>A new 'ipsecnat' tunnel type is supported
|
||||
for use when the <a href="IPSEC.htm">remote IPSEC endpoint
|
||||
is behind a NAT gateway</a>.</li>
|
||||
<li>The PATH used by Shorewall may now be specified
|
||||
in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
|
||||
<li>The main firewall script is now /usr/lib/shorewall/firewall.
|
||||
The script in /etc/init.d/shorewall is very small and uses /sbin/shorewall
|
||||
to do the real work. This change makes custom distributions such
|
||||
as for Debian and for Gentoo easier to manage since it is /etc/init.d/shorewall
|
||||
that tends to have distribution-dependent code.</li>
|
||||
|
||||
|
||||
|
||||
</ul>
|
||||
</ol>
|
||||
You may download the Beta from:<br>
|
||||
|
||||
<blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
|
||||
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
|
||||
target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
|
||||
</blockquote>
|
||||
|
||||
<p><b>12/12/2002 - Mandrake Multi Network Firewall <a
|
||||
href="http://www.mandrakesoft.com"><img src="images/logo2.png"
|
||||
alt="Powered by Mandrake Linux" width="150" height="21" border="0">
|
||||
</a></b></p>
|
||||
Shorewall is at the center of MandrakeSoft's recently-announced <a
|
||||
href="http://www.mandrakestore.com/mdkinc/index.php?PAGE=tab_0/menu_0.php&id_art=250&LANG_=en#GOTO_250">Multi
|
||||
Network Firewall (MNF)</a> product. Here is the <a
|
||||
href="http://www.mandrakesoft.com/company/press/pr?n=/pr/products/2403">press
|
||||
release</a>.<br>
|
||||
|
||||
<p><b>12/7/2002 - Shorewall Support for Mandrake 9.0</b><b>
|
||||
</b></p>
|
||||
|
||||
|
||||
<ul>
|
||||
<li><a
|
||||
href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a></li>
|
||||
<li><a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/Beta" target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
|
||||
</li>
|
||||
<p>Two months and 3 days after I pre-ordered Mandrake 9.0, it was finally
|
||||
delivered. I have installed 9.0 on one of my systems and I am now in
|
||||
a position to support Shorewall users who run Mandrake 9.0.</p>
|
||||
|
||||
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
|
||||
<p><b>10/10/2002 - Debian 1.3.9b Packages Available </b><b>
|
||||
</b><br>
|
||||
<p><b>12/6/2002 - Debian 1.3.11a Packages Available</b><br>
|
||||
</p>
|
||||
|
||||
|
||||
|
||||
|
||||
<p>Apt-get sources listed at <a
|
||||
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html.</a></p>
|
||||
|
||||
|
||||
|
||||
<p><b>10/9/2002 - Shorewall 1.3.9b </b><b><img border="0"
|
||||
src="images/new10.gif" width="28" height="12" alt="(New)">
|
||||
</b></p>
|
||||
This release rolls up fixes to the installer
|
||||
and to the firewall script.<br>
|
||||
<b><br>
|
||||
10/6/2002 - Shorewall.net now running on RH8.0
|
||||
</b><b><img border="0" src="images/new10.gif" width="28"
|
||||
height="12" alt="(New)">
|
||||
</b><br>
|
||||
<br>
|
||||
The firewall and server here at shorewall.net
|
||||
are now running RedHat release 8.0.<br>
|
||||
|
||||
|
||||
|
||||
|
||||
<p><b>9/30/2002 - Shorewall 1.3.9a</b><b>
|
||||
</b></p>
|
||||
Roles up the fix for broken tunnels.<br>
|
||||
|
||||
|
||||
|
||||
|
||||
<p><b>9/30/2002 - TUNNELS Broken in 1.3.9!!!</b><b>
|
||||
</b></p>
|
||||
<img src="images/j0233056.gif"
|
||||
alt="Brown Paper Bag" width="50" height="86" align="left">
|
||||
There is an updated firewall script at
|
||||
<a
|
||||
href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
|
||||
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
|
||||
-- copy that file to /usr/lib/shorewall/firewall.<br>
|
||||
|
||||
|
||||
|
||||
|
||||
<p><b><br>
|
||||
<p><b>12/3/2002 - Shorewall 1.3.11a</b><b>
|
||||
</b></p>
|
||||
|
||||
|
||||
<p>This is a bug-fix roll up which includes Roger Aich's fix for DNAT
|
||||
with excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11 users
|
||||
who don't need rules of this type need not upgrade to 1.3.11.</p>
|
||||
|
||||
|
||||
<p><b><br>
|
||||
<p><b>11/25/2002 - Shorewall 1.3.11 Documentation in PDF Format</b><b>
|
||||
</b></p>
|
||||
|
||||
|
||||
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.11
|
||||
documenation. the PDF may be downloaded from</p>
|
||||
|
||||
|
||||
<p><b><br>
|
||||
9/28/2002 - Shorewall 1.3.9 </b><b>
|
||||
</b></p>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<p>In this version:<br>
|
||||
<p> <a
|
||||
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
|
||||
<a
|
||||
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
|
||||
</p>
|
||||
|
||||
|
||||
<p><b>11/24/2002 - Shorewall 1.3.11</b><b> </b><b>
|
||||
</b></p>
|
||||
|
||||
|
||||
<p>In this version:</p>
|
||||
|
||||
|
||||
<ul>
|
||||
<li><a
|
||||
href="configuration_file_basics.htm#dnsnames">DNS Names</a> are now
|
||||
allowed in Shorewall config files (although I recommend against
|
||||
using them).</li>
|
||||
<li>The connection SOURCE
|
||||
may now be qualified by both interface and IP address in
|
||||
a <a href="Documentation.htm#Rules">Shorewall rule</a>.</li>
|
||||
<li>Shorewall startup is
|
||||
now disabled after initial installation until the file
|
||||
/etc/shorewall/startup_disabled is removed. This avoids nasty
|
||||
surprises at reboot for users who install Shorewall but don't
|
||||
configure it.</li>
|
||||
<li>The 'functions' and 'version'
|
||||
files and the 'firewall' symbolic link have been moved
|
||||
from /var/lib/shorewall to /usr/lib/shorewall to appease
|
||||
the LFS police at Debian.<br>
|
||||
</li>
|
||||
|
||||
|
||||
|
||||
<li>A 'tcpflags' option has been added to entries
|
||||
in <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
|
||||
This option causes Shorewall to make a set of sanity check on TCP packet
|
||||
header flags.</li>
|
||||
<li>It is now allowed to use 'all' in the SOURCE or
|
||||
DEST column in a <a href="Documentation.htm#Rules">rule</a>. When
|
||||
used, 'all' must appear by itself (in may not be qualified) and it does
|
||||
not enable intra-zone traffic. For example, the rule <br>
|
||||
<br>
|
||||
ACCEPT loc all tcp 80<br>
|
||||
<br>
|
||||
does not enable http traffic from 'loc' to 'loc'.</li>
|
||||
<li>Shorewall's use of the 'echo' command is now compatible
|
||||
with bash clones such as ash and dash.</li>
|
||||
<li>fw->fw policies now generate a startup error.
|
||||
fw->fw rules generate a warning and are ignored</li>
|
||||
|
||||
|
||||
</ul>
|
||||
@ -411,13 +370,11 @@ the LFS police at Debian.<br>
|
||||
|
||||
|
||||
|
||||
<p><b></b><a href="News.htm">More News</a></p>
|
||||
|
||||
|
||||
|
||||
|
||||
<p><a href="News.htm">More News</a></p>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@ -426,27 +383,34 @@ the LFS police at Debian.<br>
|
||||
<h2><a name="Donations"></a>Donations</h2>
|
||||
|
||||
</td>
|
||||
<td
|
||||
width="88" bgcolor="#4b017c" valign="top" align="center"> <a
|
||||
href="http://sourceforge.net">M</a></td>
|
||||
|
||||
<td width="88" bgcolor="#4b017c" valign="top"
|
||||
align="center"> <a href="http://sourceforge.net">M</a></td>
|
||||
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
|
||||
</tbody>
|
||||
|
||||
</table>
|
||||
|
||||
</center>
|
||||
|
||||
</div>
|
||||
|
||||
|
||||
|
||||
<table border="0" cellpadding="5" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber2"
|
||||
bgcolor="#4b017c">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td
|
||||
width="100%" style="margin-top: 1px;">
|
||||
|
||||
<td width="100%" style="margin-top: 1px;">
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@ -455,32 +419,38 @@ the LFS police at Debian.<br>
|
||||
<p align="center"><a href="http://www.starlight.org"> <img
|
||||
border="4" src="images/newlog.gif" width="57" height="100" align="left"
|
||||
hspace="10">
|
||||
</a></p>
|
||||
|
||||
</a></p>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<p align="center"><font size="4" color="#ffffff">Shorewall is free but
|
||||
if you try it and find it useful, please consider making a donation
|
||||
to <a href="http://www.starlight.org"><font
|
||||
color="#ffffff">Starlight Children's Foundation.</font></a> Thanks!</font></p>
|
||||
|
||||
|
||||
<p align="center"><font size="4" color="#ffffff">Shorewall is free
|
||||
but if you try it and find it useful, please consider making a donation
|
||||
to <a
|
||||
href="http://www.starlight.org"><font color="#ffffff">Starlight
|
||||
Children's Foundation.</font></a> Thanks!</font></p>
|
||||
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
|
||||
</tbody>
|
||||
|
||||
</table>
|
||||
|
||||
|
||||
<p><font size="2">Updated 11/24/2002 - <a href="support.htm">Tom Eastep</a></font>
|
||||
|
||||
<p><font size="2">Updated 12/27/2002 - <a href="support.htm">Tom Eastep</a></font>
|
||||
|
||||
<br>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -37,16 +37,17 @@
|
||||
</p>
|
||||
|
||||
<ul>
|
||||
<li>Born 1945 in <a href="http://www.experiencewashington.com">Washington
|
||||
State</a> .</li>
|
||||
<li>Born 1945 in <a
|
||||
href="http://www.experiencewashington.com">Washington State</a> .</li>
|
||||
<li>BA Mathematics from <a href="http://www.wsu.edu">Washington
|
||||
State University</a> 1967</li>
|
||||
<li>MA Mathematics from <a href="http://www.washington.edu">University
|
||||
of Washington</a> 1969</li>
|
||||
<li>Burroughs Corporation (now <a href="http://www.unisys.com">Unisys</a>
|
||||
) 1969 - 1980</li>
|
||||
State University</a> 1967</li>
|
||||
<li>MA Mathematics from <a
|
||||
href="http://www.washington.edu">University of Washington</a> 1969</li>
|
||||
<li>Burroughs Corporation (now <a
|
||||
href="http://www.unisys.com">Unisys</a> ) 1969 - 1980</li>
|
||||
<li><a href="http://www.tandem.com">Tandem Computers, Incorporated</a>
|
||||
(now part of the <a href="http://www.hp.com">The New HP</a>) 1980 - present</li>
|
||||
(now part of the <a href="http://www.hp.com">The New HP</a>) 1980 -
|
||||
present</li>
|
||||
<li>Married 1969 - no children.</li>
|
||||
|
||||
</ul>
|
||||
@ -56,8 +57,8 @@ State University</a> 1967</li>
|
||||
|
||||
<p>I became interested in Internet Security when I established a home office
|
||||
in 1999 and had DSL service installed in our home. I investigated
|
||||
ipchains and developed the scripts which are now collectively known as <a
|
||||
href="http://seawall.sourceforge.net"> Seattle Firewall</a>. Expanding
|
||||
ipchains and developed the scripts which are now collectively known as
|
||||
<a href="http://seawall.sourceforge.net"> Seattle Firewall</a>. Expanding
|
||||
on what I learned from Seattle Firewall, I then designed and wrote
|
||||
Shorewall. </p>
|
||||
|
||||
@ -67,24 +68,26 @@ ipchains and developed the scripts which are now collectively known as <a
|
||||
<p>Our current home network consists of: </p>
|
||||
|
||||
<ul>
|
||||
<li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB & 8GB IDE
|
||||
HDs and LNE100TX (Tulip) NIC - My personal Windows system. Also has
|
||||
RedHat 8.0 installed.</li>
|
||||
<li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip) NIC
|
||||
- My personal Linux System which runs Samba configured as a WINS server.
|
||||
This system also has <a href="http://www.vmware.com/">VMware</a> installed
|
||||
and can run both <a href="http://www.debian.org">Debian Woody</a>
|
||||
and <a href="http://www.suse.com">SuSE 8.1</a> in virtual machines.</li>
|
||||
<li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC - Mail
|
||||
(Postfix & Courier-IMAP), HTTP (Apache), FTP (Pure_ftpd), DNS server
|
||||
(Bind).</li>
|
||||
<li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB & 20GB
|
||||
IDE HDs and LNE100TX (Tulip) NIC - My personal Windows system. Also
|
||||
has <a href="http://www.mandrakelinux.com">Mandrake</a> 9.0 installed.</li>
|
||||
<li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip)
|
||||
NIC - My personal Linux System which runs Samba configured as a WINS
|
||||
server. This system also has <a href="http://www.vmware.com/">VMware</a>
|
||||
installed and can run both <a href="http://www.debian.org">Debian
|
||||
Woody</a> and <a href="http://www.suse.com">SuSE 8.1</a> in virtual
|
||||
machines.</li>
|
||||
<li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC -
|
||||
Email (Postfix & Courier-IMAP), HTTP (Apache), FTP (Pure_ftpd), DNS
|
||||
server (Bind).</li>
|
||||
<li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI HD - 3 LNE100TX
|
||||
(Tulip) and 1 TLAN NICs - Firewall running Shorewall 1.3.9a and a DHCP
|
||||
(Tulip) and 1 TLAN NICs - Firewall running Shorewall 1.3.11 and a DHCP
|
||||
server. Also runs PoPToP for road warrior access.</li>
|
||||
<li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - My wife's
|
||||
personal system.</li>
|
||||
<li>PII/400 Laptop, Win2k SP2, 224MB RAM, 12GB HD, onboard EEPRO100
|
||||
and EEPRO100 in expansion base and LinkSys WAC11 - My main work system.</li>
|
||||
<li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - My
|
||||
wife's personal system.</li>
|
||||
<li>PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB HD, onboard
|
||||
EEPRO100 and EEPRO100 in expansion base and LinkSys WAC11 - My main
|
||||
work system.</li>
|
||||
|
||||
</ul>
|
||||
|
||||
@ -101,17 +104,20 @@ and <a href="http://www.suse.com">SuSE 8.1</a> in virtual machines.</li>
|
||||
src="images/poweredbycompaqlog0.gif" hspace="3" width="83" height="25">
|
||||
</a><a href="http://www.pureftpd.org"><img border="0"
|
||||
src="images/pure.jpg" width="88" height="31">
|
||||
</a><font size="4"><a href="http://www.apache.org"><img border="0"
|
||||
src="images/apache_pb1.gif" hspace="2" width="170" height="20">
|
||||
</a> </font></p>
|
||||
</a><font size="4"><a href="http://www.apache.org"><img
|
||||
border="0" src="images/apache_pb1.gif" hspace="2" width="170"
|
||||
height="20">
|
||||
</a><a href="http://www.mandrakelinux.com"><img
|
||||
src="images/medbutton.png" alt="Powered by Mandrake" width="90"
|
||||
height="32">
|
||||
</a><img src="images/shorewall.jpg" alt="Protected by Shorewall"
|
||||
width="125" height="40" hspace="4">
|
||||
</font></p>
|
||||
|
||||
<p><font size="2">Last updated 10/28/2002 - </font><font size="2"> <a
|
||||
<p><font size="2">Last updated 12/7/2002 - </font><font size="2"> <a
|
||||
href="support.htm">Tom Eastep</a></font> </p>
|
||||
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<font face="Trebuchet MS"><a href="copyright.htm"><font
|
||||
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
|
@ -1,113 +1,133 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
|
||||
<title>Shorewall Extension Scripts</title>
|
||||
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>Shorewall Extension Scripts</title>
|
||||
</head>
|
||||
<body>
|
||||
|
||||
<body>
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#400169" height="90">
|
||||
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#FFFFFF">Extension Scripts</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
</table>
|
||||
|
||||
<p>
|
||||
Extension scripts are user-provided
|
||||
scripts that are invoked at various points during firewall start, restart,
|
||||
stop and clear. The scripts are placed in /etc/shorewall and are processed
|
||||
using the Bourne shell "source" mechanism. The following scripts can be
|
||||
supplied:</p>
|
||||
<ul>
|
||||
<td width="100%">
|
||||
|
||||
<h1 align="center"><font color="#ffffff">Extension Scripts</font></h1>
|
||||
|
||||
</td>
|
||||
|
||||
</tr>
|
||||
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
|
||||
<p> Extension scripts are user-provided scripts that are invoked at various
|
||||
points during firewall start, restart, stop and clear. The scripts are
|
||||
placed in /etc/shorewall and are processed using the Bourne shell "source"
|
||||
mechanism. The following scripts can be supplied:</p>
|
||||
|
||||
<ul>
|
||||
<li>init -- invoked early in "shorewall start" and "shorewall restart"</li>
|
||||
<li>start -- invoked after the firewall has been started or restarted.</li>
|
||||
<li>stop -- invoked as a first step when the firewall is being stopped.</li>
|
||||
<li>stopped -- invoked after the firewall has been stopped.</li>
|
||||
<li>clear -- invoked after the firewall has been cleared.</li>
|
||||
<li>refresh -- invoked while the firewall is being refreshed but before the
|
||||
common and/or blacklst chains have been rebuilt.</li>
|
||||
<li>newnotsyn (added in version 1.3.6) -- invoked after the 'newnotsyn' chain
|
||||
has been created but before any rules have been added to it.</li>
|
||||
<li>refresh -- invoked while the firewall is being refreshed but before
|
||||
the common and/or blacklst chains have been rebuilt.</li>
|
||||
<li>newnotsyn (added in version 1.3.6) -- invoked after the 'newnotsyn'
|
||||
chain has been created but before any rules have been added to it.</li>
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
|
||||
<p>
|
||||
You can also supply a script with the same name as any of the filter
|
||||
chains in the firewall and the script will be invoked after the /etc/shorewall/rules
|
||||
file has been processed but before the /etc/shorewall/policy file has
|
||||
been processed.</p>
|
||||
|
||||
<p><u><b>If your version of Shorewall doesn't have the file that you want
|
||||
to use from the above list, you can simply create the file yourself.</b></u></p>
|
||||
<p> You can also supply a script with the same name as any of the filter
|
||||
chains in the firewall and the script will be invoked after the /etc/shorewall/rules
|
||||
file has been processed but before the /etc/shorewall/policy file has been
|
||||
processed.</p>
|
||||
|
||||
|
||||
|
||||
<p>The /etc/shorewall/common file receives special treatment. If this file is present, the rules that it
|
||||
defines will totally replace the default rules in the common chain. These
|
||||
default rules are contained in the file /etc/shorewall/common.def which
|
||||
may be used as a starting point for making your own customized file.</p>
|
||||
|
||||
<p>The /etc/shorewall/common file receives special treatment. If this file
|
||||
is present, the rules that it defines will totally replace the default
|
||||
rules in the common chain. These default rules are contained in the
|
||||
file /etc/shorewall/common.def which may be used as a starting point
|
||||
for making your own customized file.</p>
|
||||
|
||||
|
||||
|
||||
<p>
|
||||
Rather than running iptables directly, you should run it using the function
|
||||
run_iptables. Similarly, rather than running "ip" directly, you should
|
||||
use run_ip. These functions accept the same arguments as the underlying
|
||||
command but cause the firewall to be stopped if an error occurs during
|
||||
processing of the command.</p>
|
||||
|
||||
<p> Rather than running iptables directly, you should run it using the
|
||||
function run_iptables. Similarly, rather than running "ip" directly,
|
||||
you should use run_ip. These functions accept the same arguments as the
|
||||
underlying command but cause the firewall to be stopped if an error occurs
|
||||
during processing of the command.</p>
|
||||
|
||||
|
||||
|
||||
<p>
|
||||
If you decide to create /etc/shorewall/common it is a good idea to use the
|
||||
following technique</p>
|
||||
|
||||
<p> If you decide to create /etc/shorewall/common it is a good idea to
|
||||
use the following technique</p>
|
||||
|
||||
|
||||
|
||||
<p>
|
||||
/etc/shorewall/common:</p>
|
||||
|
||||
<p> /etc/shorewall/common:</p>
|
||||
|
||||
|
||||
|
||||
<blockquote>
|
||||
<pre>. /etc/shorewall/common.def
|
||||
<add your rules here></pre>
|
||||
|
||||
<blockquote>
|
||||
|
||||
<pre>. /etc/shorewall/common.def<br><add your rules here></pre>
|
||||
</blockquote>
|
||||
<p>If you need to supercede a rule in the released common.def file, you can add
|
||||
the superceding rule before the '.' command. Using this technique allows
|
||||
|
||||
<p>If you need to supercede a rule in the released common.def file, you can
|
||||
add the superceding rule before the '.' command. Using this technique allows
|
||||
you to add new rules while still getting the benefit of the latest common.def
|
||||
file.</p>
|
||||
|
||||
|
||||
|
||||
<p>Remember that /etc/shorewall/common defines rules
|
||||
that are only applied if the applicable policy is DROP or REJECT. These rules
|
||||
are NOT applied if the policy is ACCEPT or CONTINUE.</p>
|
||||
<p>Remember that /etc/shorewall/common defines rules that are only applied
|
||||
if the applicable policy is DROP or REJECT. These rules are NOT applied
|
||||
if the policy is ACCEPT or CONTINUE.</p>
|
||||
|
||||
|
||||
|
||||
<p>If you set ALLOWRELATED=No in shorewall.conf, then most ICMP packets will be
|
||||
rejected by the firewall. It is recommended with this setting that you create
|
||||
the file /etc/shorewall/icmpdef and in it place the following commands:</p>
|
||||
<p>If you set ALLOWRELATED=No in shorewall.conf, then most ICMP packets will
|
||||
be rejected by the firewall. It is recommended with this setting that you
|
||||
create the file /etc/shorewall/icmpdef and in it place the following commands:</p>
|
||||
|
||||
|
||||
|
||||
<pre> run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT
|
||||
run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT
|
||||
run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT
|
||||
run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT
|
||||
run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT
|
||||
</pre>
|
||||
<p align="left"><font size="2">Last updated
|
||||
8/22/2002 - <a href="support.htm">Tom
|
||||
Eastep</a></font></p>
|
||||
|
||||
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas M. Eastep</font></a></p>
|
||||
<pre> run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT<br></pre>
|
||||
|
||||
|
||||
<p align="left"><font size="2">Last updated 12/22/2002 - <a
|
||||
href="support.htm">Tom Eastep</a></font></p>
|
||||
|
||||
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas
|
||||
M. Eastep</font></a></p>
|
||||
<br>
|
||||
</body>
|
||||
|
||||
</html>
|
@ -12,6 +12,7 @@
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>Shorewall QuickStart Guide</title>
|
||||
|
||||
|
||||
<meta name="Microsoft Theme" content="none">
|
||||
</head>
|
||||
<body>
|
||||
@ -31,8 +32,8 @@
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<p align="center">With thanks to Richard who reminded me once again that we
|
||||
must all first walk before we can run.</p>
|
||||
<p align="center">With thanks to Richard who reminded me once again that
|
||||
we must all first walk before we can run.</p>
|
||||
|
||||
<h2>The Guides</h2>
|
||||
|
||||
@ -44,9 +45,10 @@ must all first walk before we can run.</p>
|
||||
<ul>
|
||||
<li><a href="standalone.htm">Standalone</a> Linux System</li>
|
||||
<li><a href="two-interface.htm">Two-interface</a> Linux System
|
||||
acting as a firewall/router for a small local network</li>
|
||||
<li><a href="three-interface.htm">Three-interface</a> Linux System
|
||||
acting as a firewall/router for a small local network and a DMZ.</li>
|
||||
acting as a firewall/router for a small local network</li>
|
||||
<li><a href="three-interface.htm">Three-interface</a> Linux
|
||||
System acting as a firewall/router for a small local network and
|
||||
a DMZ.</li>
|
||||
|
||||
</ul>
|
||||
|
||||
@ -54,72 +56,84 @@ acting as a firewall/router for a small local network</li>
|
||||
quickly in the three most common Shorewall configurations.</p>
|
||||
|
||||
<p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> outlines
|
||||
the steps necessary to set up a firewall where <b>there are multiple public
|
||||
IP addresses involved or if you want to learn more about Shorewall than
|
||||
is explained in the single-address guides above.</b></p>
|
||||
the steps necessary to set up a firewall where <b>there are multiple
|
||||
public IP addresses involved or if you want to learn more about Shorewall
|
||||
than is explained in the single-address guides above.</b></p>
|
||||
|
||||
<ul>
|
||||
<li><a href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#Concepts">2.0 Shorewall
|
||||
Concepts</a></li>
|
||||
Concepts</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#Interfaces">3.0 Network
|
||||
Interfaces</a></li>
|
||||
Interfaces</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#Addressing">4.0 Addressing,
|
||||
Subnets and Routing</a>
|
||||
|
||||
<ul>
|
||||
<li><a href="shorewall_setup_guide.htm#Addresses">4.1 IP Addresses</a></li>
|
||||
<li><br>
|
||||
</li>
|
||||
<li><a href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#Addresses">4.1 IP
|
||||
Addresses</a></li>
|
||||
<li><a
|
||||
href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#ARP">4.4 Address Resolution
|
||||
Protocol</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#ARP">4.4 Address
|
||||
Resolution Protocol</a></li>
|
||||
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
<ul>
|
||||
<li><a href="shorewall_setup_guide.htm#RFC1918">4.5 RFC 1918</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#RFC1918">4.5 RFC
|
||||
1918</a></li>
|
||||
|
||||
|
||||
</ul>
|
||||
</li>
|
||||
<li><a href="shorewall_setup_guide.htm#Options">5.0 Setting up
|
||||
your Network</a>
|
||||
<li><a href="shorewall_setup_guide.htm#Options">5.0 Setting
|
||||
up your Network</a>
|
||||
|
||||
<ul>
|
||||
<li><a href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li>
|
||||
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
<ul>
|
||||
<li><a href="shorewall_setup_guide.htm#NonRouted">5.2 Non-routed</a>
|
||||
|
||||
|
||||
<ul>
|
||||
<li><a href="shorewall_setup_guide.htm#SNAT">5.2.1 SNAT</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#DNAT">5.2.2 DNAT</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3 Proxy
|
||||
ARP</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4 Static NAT</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3
|
||||
Proxy ARP</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4 Static
|
||||
NAT</a></li>
|
||||
|
||||
|
||||
</ul>
|
||||
</li>
|
||||
<li><a href="shorewall_setup_guide.htm#Rules">5.3 Rules</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4 Odds
|
||||
and Ends</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4
|
||||
Odds and Ends</a></li>
|
||||
|
||||
|
||||
</ul>
|
||||
</li>
|
||||
<li><a href="shorewall_setup_guide.htm#DNS">6.0 DNS</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#StartingAndStopping">7.0
|
||||
Starting and Stopping the Firewall</a></li>
|
||||
<li><a
|
||||
href="shorewall_setup_guide.htm#StartingAndStopping">7.0 Starting and
|
||||
Stopping the Firewall</a></li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h2><a name="Documentation"></a>Documentation Index</h2>
|
||||
|
||||
<p>The following documentation covers a variety of topics and <b>supplements
|
||||
the <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a> described
|
||||
above</b>. Please review the appropriate guide before trying to use this
|
||||
documentation directly.</p>
|
||||
the <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a>
|
||||
described above</b>. Please review the appropriate guide before trying
|
||||
to use this documentation directly.</p>
|
||||
|
||||
<ul>
|
||||
<li><a href="blacklisting_support.htm">Blacklisting</a>
|
||||
@ -128,10 +142,12 @@ Starting and Stopping the Firewall</a></li>
|
||||
<li>Static Blacklisting using /etc/shorewall/blacklist</li>
|
||||
<li>Dynamic Blacklisting using /sbin/shorewall</li>
|
||||
|
||||
|
||||
</ul>
|
||||
</li>
|
||||
<li><a href="configuration_file_basics.htm">Common configuration
|
||||
file features</a>
|
||||
|
||||
<ul>
|
||||
<li>Comments in configuration files</li>
|
||||
<li>Line Continuation</li>
|
||||
@ -143,85 +159,111 @@ Starting and Stopping the Firewall</a></li>
|
||||
<li>Complementing an IP address or Subnet</li>
|
||||
<li>Shorewall Configurations (making a test configuration)</li>
|
||||
<li>Using MAC Addresses in Shorewall</li>
|
||||
<li>Logging<br>
|
||||
</li>
|
||||
|
||||
|
||||
</ul>
|
||||
</li>
|
||||
<li><a href="Documentation.htm">Configuration File Reference Manual</a>
|
||||
<li><a href="Documentation.htm">Configuration File Reference
|
||||
Manual</a>
|
||||
|
||||
<ul>
|
||||
<li> <a href="Documentation.htm#Variables">params</a></li>
|
||||
<li><font color="#000099"><a href="Documentation.htm#Zones">zones</a></font></li>
|
||||
<li><font color="#000099"><a
|
||||
href="Documentation.htm#Zones">zones</a></font></li>
|
||||
<li><font color="#000099"><a
|
||||
href="Documentation.htm#Interfaces">interfaces</a></font></li>
|
||||
<li><font color="#000099"><a href="Documentation.htm#Hosts">hosts</a></font></li>
|
||||
<li><font color="#000099"><a href="Documentation.htm#Policy">policy</a></font></li>
|
||||
<li><font color="#000099"><a href="Documentation.htm#Rules">rules</a></font></li>
|
||||
<li><font color="#000099"><a
|
||||
href="Documentation.htm#Hosts">hosts</a></font></li>
|
||||
<li><font color="#000099"><a
|
||||
href="Documentation.htm#Policy">policy</a></font></li>
|
||||
<li><font color="#000099"><a
|
||||
href="Documentation.htm#Rules">rules</a></font></li>
|
||||
<li><a href="Documentation.htm#Common">common</a></li>
|
||||
<li><font color="#000099"><a href="Documentation.htm#Masq">masq</a></font></li>
|
||||
<li><font color="#000099"><a
|
||||
href="Documentation.htm#Masq">masq</a></font></li>
|
||||
<li><font color="#000099"><a
|
||||
href="Documentation.htm#ProxyArp">proxyarp</a></font></li>
|
||||
<li><font color="#000099"><a href="Documentation.htm#NAT">nat</a></font></li>
|
||||
<li><font color="#000099"><a
|
||||
href="Documentation.htm#NAT">nat</a></font></li>
|
||||
<li><font color="#000099"><a
|
||||
href="Documentation.htm#Tunnels">tunnels</a></font></li>
|
||||
<li><a href="traffic_shaping.htm#tcrules">tcrules</a></li>
|
||||
<li><font color="#000099"><a href="Documentation.htm#Conf">shorewall.conf</a></font></li>
|
||||
<li><font color="#000099"><a
|
||||
href="Documentation.htm#Conf">shorewall.conf</a></font></li>
|
||||
<li><a href="Documentation.htm#modules">modules</a></li>
|
||||
<li><a href="Documentation.htm#TOS">tos</a> </li>
|
||||
<li><a href="Documentation.htm#Blacklist">blacklist</a></li>
|
||||
<li><a href="Documentation.htm#rfc1918">rfc1918</a></li>
|
||||
<li><a href="Documentation.htm#Routestopped">routestopped</a></li>
|
||||
|
||||
|
||||
</ul>
|
||||
</li>
|
||||
<li><a href="dhcp.htm">DHCP</a></li>
|
||||
<li><font color="#000099"><a
|
||||
href="shorewall_extension_scripts.htm">Extension Scripts</a></font>
|
||||
(How to extend Shorewall without modifying Shorewall code)</li>
|
||||
href="shorewall_extension_scripts.htm">Extension Scripts</a></font> (How
|
||||
to extend Shorewall without modifying Shorewall code)</li>
|
||||
<li><a href="fallback.htm">Fallback/Uninstall</a></li>
|
||||
<li><a href="shorewall_firewall_structure.htm">Firewall Structure</a></li>
|
||||
<li><font color="#000099"><a href="kernel.htm">Kernel Configuration</a></font></li>
|
||||
<li><a href="myfiles.htm">My Configuration Files</a> (How I personally
|
||||
use Shorewall)</li>
|
||||
<li><a href="configuration_file_basics.htm#Levels">Logging</a><br>
|
||||
</li>
|
||||
<li><a href="myfiles.htm">My Configuration Files</a> (How
|
||||
I personally use Shorewall)</li>
|
||||
<li><a href="ping.html">'Ping' Management</a><br>
|
||||
</li>
|
||||
<li><a href="ports.htm">Port Information</a>
|
||||
|
||||
<ul>
|
||||
<li>Which applications use which ports</li>
|
||||
<li>Ports used by Trojans</li>
|
||||
|
||||
|
||||
</ul>
|
||||
</li>
|
||||
<li><a href="ProxyARP.htm">Proxy ARP</a></li>
|
||||
<li><a href="samba.htm">Samba</a></li>
|
||||
<li><font color="#000099"><a
|
||||
href="starting_and_stopping_shorewall.htm">Starting/stopping the Firewall</a></font></li>
|
||||
|
||||
<ul>
|
||||
<li>Description of all /sbin/shorewall commands</li>
|
||||
<li>How to safely test a Shorewall configuration change<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
<li><font color="#000099"><a href="NAT.htm">Static NAT</a></font></li>
|
||||
<li><a href="traffic_shaping.htm">Traffic Shaping/Control</a></li>
|
||||
<li>VPN
|
||||
|
||||
<ul>
|
||||
<li><a href="IPSEC.htm">IPSEC</a></li>
|
||||
<li><a href="IPIP.htm">GRE and IPIP</a></li>
|
||||
<li><a href="PPTP.htm">PPTP</a></li>
|
||||
<li><a href="VPN.htm">IPSEC/PPTP</a> from a system behind your
|
||||
firewall to a remote network.</li>
|
||||
<li><a href="VPN.htm">IPSEC/PPTP</a> from a system behind
|
||||
your firewall to a remote network.</li>
|
||||
|
||||
|
||||
</ul>
|
||||
</li>
|
||||
<li><a href="whitelisting_under_shorewall.htm">White List Creation</a></li>
|
||||
<li><a href="whitelisting_under_shorewall.htm">White List
|
||||
Creation</a></li>
|
||||
|
||||
</ul>
|
||||
|
||||
<p>If you use one of these guides and have a suggestion for improvement <a
|
||||
href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
|
||||
|
||||
<p><font size="2">Last modified 11/19/2002 - <a
|
||||
href="file:///J:/Shorewall/Shorewall-docs/support.htm">Tom Eastep</a></font></p>
|
||||
<p><font size="2">Last modified 12/13/2002 - <a href="support.htm">Tom Eastep</a></font></p>
|
||||
|
||||
<p><a href="copyright.htm"><font size="2">Copyright 2002 Thomas M. Eastep</font></a><br>
|
||||
</p>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
File diff suppressed because it is too large
Load Diff
@ -5,12 +5,14 @@
|
||||
|
||||
|
||||
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>Shoreline Firewall (Shorewall) 1.3</title>
|
||||
|
||||
|
||||
|
||||
|
||||
<base target="_self">
|
||||
</head>
|
||||
<body>
|
||||
@ -20,10 +22,14 @@
|
||||
<table border="0" cellpadding="0" cellspacing="4"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber3"
|
||||
bgcolor="#4b017c">
|
||||
|
||||
<tbody>
|
||||
|
||||
<tr>
|
||||
<td
|
||||
width="100%" height="90">
|
||||
|
||||
<td width="100%" height="90">
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@ -34,10 +40,12 @@
|
||||
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4"
|
||||
alt="Shorwall Logo" height="70" width="85" align="left"
|
||||
src="images/washington.jpg" border="0">
|
||||
</a></i></font><font
|
||||
color="#ffffff">Shorewall 1.3 - <font size="4">"<i>iptables
|
||||
made easy"</i></font></font><a href="http://www.sf.net">
|
||||
</a></h1>
|
||||
|
||||
</a></i></font><font color="#ffffff">Shorewall 1.3
|
||||
- <font size="4">"<i>iptables made easy"</i></font></font><a
|
||||
href="http://www.sf.net"> </a></h1>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@ -50,7 +58,9 @@
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
</tbody>
|
||||
|
||||
</table>
|
||||
|
||||
|
||||
@ -61,7 +71,9 @@
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber4">
|
||||
|
||||
<tbody>
|
||||
|
||||
<tr>
|
||||
|
||||
<td width="90%">
|
||||
@ -71,6 +83,8 @@
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<h2 align="left">What is it?</h2>
|
||||
|
||||
|
||||
@ -80,9 +94,11 @@
|
||||
|
||||
|
||||
|
||||
<p>The Shoreline Firewall, more commonly known as "Shorewall", is
|
||||
a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
|
||||
firewall that can be used on a dedicated firewall system, a multi-function
|
||||
|
||||
|
||||
<p>The Shoreline Firewall, more commonly known as "Shorewall", is a
|
||||
<a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
|
||||
that can be used on a dedicated firewall system, a multi-function
|
||||
gateway/router/server or on a standalone GNU/Linux system.</p>
|
||||
|
||||
|
||||
@ -92,23 +108,29 @@ firewall that can be used on a dedicated firewall system, a multi-functio
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<p>This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of <a
|
||||
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
|
||||
General Public License</a> as published by the Free Software Foundation.<br>
|
||||
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU General
|
||||
Public License</a> as published by the Free Software Foundation.<br>
|
||||
|
||||
<br>
|
||||
This
|
||||
program is distributed in the hope that it will be
|
||||
useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||
warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||
PURPOSE. See the GNU General Public License for
|
||||
more details.<br>
|
||||
|
||||
This program is distributed in the hope
|
||||
that it will be useful, but WITHOUT ANY WARRANTY;
|
||||
without even the implied warranty of MERCHANTABILITY
|
||||
or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
GNU General Public License for more details.<br>
|
||||
|
||||
<br>
|
||||
You
|
||||
should have received a copy of the GNU General Public
|
||||
License along with this program; if not, write to
|
||||
the Free Software Foundation, Inc., 675 Mass Ave,
|
||||
Cambridge, MA 02139, USA</p>
|
||||
|
||||
You should have received a copy of the GNU
|
||||
General Public License along with this program;
|
||||
if not, write to the Free Software Foundation,
|
||||
Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@ -126,17 +148,22 @@ Cambridge, MA 02139, USA</p>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
|
||||
border="0" src="images/leaflogo.gif" width="49" height="36">
|
||||
</a>Jacques
|
||||
Nilo and Eric Wolzak have a LEAF (router/firewall/gateway
|
||||
on a floppy, CD or compact flash) distribution called
|
||||
<i>Bering</i> that features Shorewall-1.3.10 and
|
||||
Kernel-2.4.18. You can find their work at: <a
|
||||
|
||||
</a>Jacques Nilo and Eric Wolzak have
|
||||
a LEAF (router/firewall/gateway on a floppy, CD or compact
|
||||
flash) distribution called <i>Bering</i> that
|
||||
features Shorewall-1.3.10 and Kernel-2.4.18. You
|
||||
can find their work at: <a
|
||||
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
|
||||
<b>Congratulations to Jacques and Eric on the recent release of Bering
|
||||
1.0 Final!!! <br>
|
||||
<b>Congratulations to Jacques and Eric on the recent
|
||||
release of Bering 1.0 Final!!! <br>
|
||||
</b>
|
||||
|
||||
|
||||
<h2>News</h2>
|
||||
|
||||
|
||||
@ -148,271 +175,213 @@ Kernel-2.4.18. You can find their work at: <a
|
||||
|
||||
|
||||
|
||||
<p><b>11/24/2002 - Shorewall 1.3.11</b><b> </b><b><img border="0"
|
||||
src="images/new10.gif" width="28" height="12" alt="(New)">
|
||||
</b></p>
|
||||
|
||||
<p>In this version:</p>
|
||||
|
||||
<ul>
|
||||
<li>A 'tcpflags' option has been added to entries in <a
|
||||
href="file:///home/teastep/Shorewall-docs/Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
|
||||
This option causes Shorewall to make a set of sanity check on TCP packet
|
||||
header flags.</li>
|
||||
<li>It is now allowed to use 'all' in the SOURCE or DEST column in
|
||||
a <a href="file:///home/teastep/Shorewall-docs/Documentation.htm#Rules">rule</a>.
|
||||
When used, 'all' must appear by itself (in may not be qualified) and it does
|
||||
not enable intra-zone traffic. For example, the rule <br>
|
||||
<br>
|
||||
ACCEPT loc all tcp 80<br>
|
||||
<br>
|
||||
does not enable http traffic from 'loc' to 'loc'.</li>
|
||||
<li>Shorewall's use of the 'echo' command is now compatible with
|
||||
bash clones such as ash and dash.</li>
|
||||
<li>fw->fw policies now generate a startup error. fw->fw rules
|
||||
generate a warning and are ignored</li>
|
||||
</ul>
|
||||
<p><b>11/14/2002 - Shorewall Documentation in PDF Format</b><b> </b><b><img
|
||||
<p><b>12/27/2002 - Shorewall 1.3.12 Released</b><b> </b><b><img
|
||||
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
|
||||
</b></p>
|
||||
|
||||
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10
|
||||
documenation. the PDF may be downloaded from</p>
|
||||
|
||||
<p> <a
|
||||
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
|
||||
<a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
|
||||
<p> Features include:<br>
|
||||
</p>
|
||||
|
||||
<p><b>11/09/2002 - Shorewall is Back at SourceForge</b><b> </b><b><img
|
||||
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
|
||||
</b></p>
|
||||
<ol>
|
||||
<li>"shorewall refresh" now reloads the traffic shaping rules (tcrules
|
||||
and tcstart).</li>
|
||||
<li>"shorewall debug [re]start" now turns off debugging after an
|
||||
error occurs. This places the point of the failure near the end of the trace
|
||||
rather than up in the middle of it.</li>
|
||||
<li>"shorewall [re]start" has been speeded up by more than 40% with
|
||||
my configuration. Your milage may vary.</li>
|
||||
<li>A "shorewall show classifiers" command has been added which
|
||||
shows the current packet classification filters. The output from this command
|
||||
is also added as a separate page in "shorewall monitor"</li>
|
||||
<li>ULOG (must be all caps) is now accepted as a valid syslog level
|
||||
and causes the subject packets to be logged using the ULOG target rather
|
||||
than the LOG target. This allows you to run ulogd (available from <a
|
||||
href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
|
||||
and log all Shorewall messages <a
|
||||
href="configuration_file_basics.htm#Levels">to a separate log file</a>.</li>
|
||||
<li>If you are running a kernel that has a FORWARD chain in the
|
||||
mangle table ("shorewall show mangle" will show you the chains in the
|
||||
mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes in <a
|
||||
href="Documentation.htm#Conf">shorewall.conf</a>. This allows for marking
|
||||
input packets based on their destination even when you are using Masquerading
|
||||
or SNAT.</li>
|
||||
<li>I have cluttered up the /etc/shorewall directory with empty
|
||||
'init', 'start', 'stop' and 'stopped' files. If you already have a file
|
||||
with one of these names, don't worry -- the upgrade process won't overwrite
|
||||
your file.</li>
|
||||
<li>I have added a new RFC1918_LOG_LEVEL variable to <a
|
||||
href="Documentation.htm#Conf">shorewall.conf</a>. This variable specifies
|
||||
the syslog level at which packets are logged as a result of entries in the
|
||||
/etc/shorewall/rfc1918 file. Previously, these packets were always logged
|
||||
at the 'info' level.</li>
|
||||
|
||||
</ol>
|
||||
|
||||
<p>The main Shorewall web site is now at SourceForge at <a
|
||||
href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>.<br>
|
||||
<p><b>12/20/2002 - Shorewall 1.3.12 Beta 3</b><br>
|
||||
</p>
|
||||
This version corrects a problem with Blacklist logging. In Beta 2, if
|
||||
BLACKLIST_LOG_LEVEL was set to anything but ULOG, the firewall would fail
|
||||
to start and "shorewall refresh" would also fail.<br>
|
||||
|
||||
<p> You may download the Beta from:<br>
|
||||
</p>
|
||||
|
||||
|
||||
<p><b>11/09/2002 - Shorewall 1.3.10</b><b> </b><b><img border="0"
|
||||
src="images/new10.gif" width="28" height="12" alt="(New)">
|
||||
</b></p>
|
||||
|
||||
|
||||
|
||||
<p>In this version:</p>
|
||||
|
||||
|
||||
|
||||
<ul>
|
||||
<li>You may now <a href="IPSEC.htm#Dynamic">define
|
||||
the contents of a zone dynamically</a> with the <a
|
||||
href="starting_and_stopping_shorewall.htm">"shorewall add" and "shorewall
|
||||
delete" commands</a>. These commands are expected to be used primarily
|
||||
within <a href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a>
|
||||
updown scripts.</li>
|
||||
<li>Shorewall can now do<a
|
||||
href="MAC_Validation.html"> MAC verification</a> on ethernet segments.
|
||||
You can specify the set of allowed MAC addresses on the segment
|
||||
and you can optionally tie each MAC address to one or more IP addresses.</li>
|
||||
<li>PPTP Servers and Clients running on the firewall
|
||||
system may now be defined in the<a href="PPTP.htm"> /etc/shorewall/tunnels</a>
|
||||
file.</li>
|
||||
<li>A new 'ipsecnat' tunnel type is supported
|
||||
for use when the <a href="IPSEC.htm">remote IPSEC endpoint
|
||||
is behind a NAT gateway</a>.</li>
|
||||
<li>The PATH used by Shorewall may now be specified
|
||||
in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
|
||||
<li>The main firewall script is now /usr/lib/shorewall/firewall.
|
||||
The script in /etc/init.d/shorewall is very small and uses /sbin/shorewall
|
||||
to do the real work. This change makes custom distributions such
|
||||
as for Debian and for Gentoo easier to manage since it is /etc/init.d/shorewall
|
||||
that tends to have distribution-dependent code.</li>
|
||||
|
||||
|
||||
|
||||
</ul>
|
||||
If you have installed the 1.3.10 Beta 1 RPM and are now
|
||||
upgrading to version 1.3.10, you will need to use the '--force' option:<br>
|
||||
|
||||
|
||||
<blockquote>
|
||||
|
||||
|
||||
<pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm</pre>
|
||||
<blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
|
||||
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
|
||||
target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
|
||||
</blockquote>
|
||||
|
||||
<p><b>12/20/2002 - Shorewall 1.3.12 Beta 2</b><b>
|
||||
</b></p>
|
||||
The first public Beta version of Shorewall 1.3.12 is now available
|
||||
(Beta 1 was made available only to a limited audience). <br>
|
||||
<br>
|
||||
Features include:<br>
|
||||
<br>
|
||||
|
||||
<ol>
|
||||
<li>"shorewall refresh" now reloads the traffic shaping rules
|
||||
(tcrules and tcstart).</li>
|
||||
<li>"shorewall debug [re]start" now turns off debugging after
|
||||
an error occurs. This places the point of the failure near the end of the
|
||||
trace rather than up in the middle of it.</li>
|
||||
<li>"shorewall [re]start" has been speeded up by more than
|
||||
40% with my configuration. Your milage may vary.</li>
|
||||
<li>A "shorewall show classifiers" command has been added which
|
||||
shows the current packet classification filters. The output from this command
|
||||
is also added as a separate page in "shorewall monitor"</li>
|
||||
<li>ULOG (must be all caps) is now accepted as a valid syslog
|
||||
level and causes the subject packets to be logged using the ULOG target
|
||||
rather than the LOG target. This allows you to run ulogd (available from
|
||||
<a href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
|
||||
and log all Shorewall messages <a
|
||||
href="configuration_file_basics.htm#Levels">to a separate log file</a>.</li>
|
||||
<li>If you are running a kernel that has a FORWARD chain in
|
||||
the mangle table ("shorewall show mangle" will show you the chains in the
|
||||
mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf.
|
||||
This allows for marking input packets based on their destination even when
|
||||
you are using Masquerading or SNAT.</li>
|
||||
<li>I have cluttered up the /etc/shorewall directory with empty
|
||||
'init', 'start', 'stop' and 'stopped' files. If you already have a file
|
||||
with one of these names, don't worry -- the upgrade process won't overwrite
|
||||
your file.</li>
|
||||
|
||||
<p><b>10/24/2002 - Shorewall is now in Gentoo Linux</b><a
|
||||
href="http://www.gentoo.org"><br>
|
||||
</a></p>
|
||||
Alexandru Hartmann reports that his Shorewall package
|
||||
is now a part of <a href="http://www.gentoo.org">the Gentoo
|
||||
Linux distribution</a>. Thanks Alex!<br>
|
||||
|
||||
|
||||
|
||||
<p><b>10/23/2002 - Shorewall 1.3.10 Beta 1</b><b> </b></p>
|
||||
In this version:<br>
|
||||
|
||||
|
||||
|
||||
|
||||
<ul>
|
||||
<li>You may now <a
|
||||
href="IPSEC.htm#Dynamic">define the contents of a zone dynamically</a>
|
||||
with the <a href="starting_and_stopping_shorewall.htm">"shorewall add"
|
||||
and "shorewall delete" commands</a>. These commands are expected
|
||||
to be used primarily within <a
|
||||
href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a> updown
|
||||
scripts.</li>
|
||||
<li>Shorewall can now do<a
|
||||
href="MAC_Validation.html"> MAC verification</a> on ethernet segments.
|
||||
You can specify the set of allowed MAC addresses on the segment
|
||||
and you can optionally tie each MAC address to one or more IP addresses.</li>
|
||||
<li>PPTP Servers and Clients running
|
||||
on the firewall system may now be defined in the<a
|
||||
href="PPTP.htm"> /etc/shorewall/tunnels</a> file.</li>
|
||||
<li>A new 'ipsecnat' tunnel type is supported
|
||||
for use when the <a href="IPSEC.htm">remote IPSEC endpoint
|
||||
is behind a NAT gateway</a>.</li>
|
||||
<li>The PATH used by Shorewall may now
|
||||
be specified in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
|
||||
<li>The main firewall script is now /usr/lib/shorewall/firewall.
|
||||
The script in /etc/init.d/shorewall is very small and uses
|
||||
/sbin/shorewall to do the real work. This change makes custom
|
||||
distributions such as for Debian and for Gentoo easier to manage
|
||||
since it is /etc/init.d/shorewall that tends to have distribution-dependent
|
||||
code.</li>
|
||||
|
||||
|
||||
|
||||
|
||||
</ul>
|
||||
</ol>
|
||||
You may download the Beta from:<br>
|
||||
|
||||
<blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
|
||||
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
|
||||
target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
|
||||
</blockquote>
|
||||
|
||||
<p><b>12/12/2002 - Mandrake Multi Network Firewall <a
|
||||
href="http://www.mandrakesoft.com"><img src="images/logo2.png"
|
||||
alt="Powered by Mandrake Linux" width="150" height="23" border="0">
|
||||
</a></b></p>
|
||||
Shorewall is at the center of MandrakeSofts's recently-announced
|
||||
<a
|
||||
href="http://www.mandrakestore.com/mdkinc/index.php?PAGE=tab_0/menu_0.php&id_art=250&LANG_=en#GOTO_250">Multi
|
||||
Network Firewall (MNF)</a> product. Here is the <a
|
||||
href="http://www.mandrakesoft.com/company/press/pr?n=/pr/products/2403">press
|
||||
release</a>.<br>
|
||||
|
||||
<p><b>12/7/2002 - Shorewall Support for Mandrake 9.0</b><b>
|
||||
</b></p>
|
||||
|
||||
|
||||
<ul>
|
||||
<li><a
|
||||
href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a></li>
|
||||
<li><a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/Beta" target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
|
||||
</li>
|
||||
<p>Two months and 3 days after I pre-ordered Mandrake 9.0, it was finally
|
||||
delivered. I have installed 9.0 on one of my systems and I am now in
|
||||
a position to support Shorewall users who run Mandrake 9.0.</p>
|
||||
|
||||
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
|
||||
|
||||
<p><b>10/10/2002 - Debian 1.3.9b Packages Available </b><b>
|
||||
</b><br>
|
||||
<p><b>12/6/2002 - Debian 1.3.11a Packages Available</b><b></b><br>
|
||||
</p>
|
||||
|
||||
|
||||
|
||||
|
||||
<p>Apt-get sources listed at <a
|
||||
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html.</a></p>
|
||||
|
||||
|
||||
|
||||
|
||||
<p><b>10/9/2002 - Shorewall 1.3.9b </b><b><img border="0"
|
||||
src="images/new10.gif" width="28" height="12" alt="(New)">
|
||||
<p><b>12/3/2002 - Shorewall 1.3.11a</b><b>
|
||||
</b></p>
|
||||
This release rolls up fixes to the installer
|
||||
and to the firewall script.<br>
|
||||
<b><br>
|
||||
10/6/2002 - Shorewall.net now running
|
||||
on RH8.0 </b><b><img border="0" src="images/new10.gif"
|
||||
width="28" height="12" alt="(New)">
|
||||
</b><br>
|
||||
<br>
|
||||
The firewall and server here at shorewall.net
|
||||
are now running RedHat release 8.0.<br>
|
||||
|
||||
|
||||
<p>This is a bug-fix roll up which includes Roger Aich's fix for DNAT
|
||||
with excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11 users
|
||||
who don't need rules of this type need not upgrade to 1.3.11.</p>
|
||||
|
||||
|
||||
|
||||
<p><b>9/30/2002 - Shorewall 1.3.9a</b><b>
|
||||
</b></p>
|
||||
Roles up the fix for broken tunnels.<br>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<p><b>9/30/2002 - TUNNELS Broken in 1.3.9!!!</b><b>
|
||||
</b></p>
|
||||
<img
|
||||
src="images/j0233056.gif" alt="Brown Paper Bag" width="50" height="86"
|
||||
align="left">
|
||||
There is an updated firewall script
|
||||
at <a
|
||||
href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
|
||||
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
|
||||
-- copy that file to /usr/lib/shorewall/firewall.<br>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<p><b><br>
|
||||
<p><b>11/25/2002 - Shorewall 1.3.11 Documentation in PDF Format</b><b>
|
||||
</b></p>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<p><b><br>
|
||||
</b></p>
|
||||
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.11
|
||||
documenation. the PDF may be downloaded from</p>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<p><b><br>
|
||||
9/28/2002 - Shorewall 1.3.9 </b><b>
|
||||
</b></p>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<p>In this version:<br>
|
||||
<p> <a
|
||||
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
|
||||
<a
|
||||
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
|
||||
</p>
|
||||
|
||||
|
||||
|
||||
<p><b>11/24/2002 - Shorewall 1.3.11</b><b>
|
||||
</b></p>
|
||||
|
||||
|
||||
<p>In this version:</p>
|
||||
|
||||
|
||||
<ul>
|
||||
<li><a
|
||||
href="configuration_file_basics.htm#dnsnames">DNS Names</a> are now
|
||||
allowed in Shorewall config files (although I recommend
|
||||
against using them).</li>
|
||||
<li>The connection
|
||||
SOURCE may now be qualified by both interface and IP
|
||||
address in a <a href="Documentation.htm#Rules">Shorewall rule</a>.</li>
|
||||
<li>Shorewall startup
|
||||
is now disabled after initial installation until the
|
||||
file /etc/shorewall/startup_disabled is removed. This avoids
|
||||
nasty surprises at reboot for users who install Shorewall
|
||||
but don't configure it.</li>
|
||||
<li>The 'functions'
|
||||
and 'version' files and the 'firewall' symbolic link
|
||||
have been moved from /var/lib/shorewall to /usr/lib/shorewall
|
||||
to appease the LFS police at Debian.<br>
|
||||
</li>
|
||||
<li>A 'tcpflags' option has been added to entries
|
||||
in <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
|
||||
This option causes Shorewall to make a set of sanity check on TCP packet
|
||||
header flags.</li>
|
||||
<li>It is now allowed to use 'all' in the SOURCE
|
||||
or DEST column in a <a href="Documentation.htm#Rules">rule</a>. When
|
||||
used, 'all' must appear by itself (in may not be qualified) and it
|
||||
does not enable intra-zone traffic. For example, the rule <br>
|
||||
<br>
|
||||
ACCEPT loc all tcp 80<br>
|
||||
<br>
|
||||
does not enable http traffic from 'loc' to 'loc'.</li>
|
||||
<li>Shorewall's use of the 'echo' command is now
|
||||
compatible with bash clones such as ash and dash.</li>
|
||||
<li>fw->fw policies now generate a startup error.
|
||||
fw->fw rules generate a warning and are ignored</li>
|
||||
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
<p><b>11/14/2002 - Shorewall Documentation in PDF Format</b><b>
|
||||
</b></p>
|
||||
|
||||
|
||||
|
||||
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10
|
||||
documenation. the PDF may be downloaded from</p>
|
||||
|
||||
|
||||
|
||||
<p> <a
|
||||
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
|
||||
<a
|
||||
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
|
||||
</p>
|
||||
|
||||
|
||||
|
||||
<p><b></b></p>
|
||||
|
||||
<ul>
|
||||
|
||||
|
||||
|
||||
|
||||
@ -423,13 +392,11 @@ have been moved from /var/lib/shorewall to /usr/lib/shorewall
|
||||
|
||||
|
||||
|
||||
<p><b></b><a href="News.htm">More News</a></p>
|
||||
|
||||
|
||||
|
||||
|
||||
<p><a href="News.htm">More News</a></p>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@ -439,33 +406,44 @@ have been moved from /var/lib/shorewall to /usr/lib/shorewall
|
||||
<h2> </h2>
|
||||
|
||||
|
||||
|
||||
<h1 align="center"><a href="http://www.sf.net"><img align="left"
|
||||
alt="SourceForge Logo"
|
||||
src="http://sourceforge.net/sflogo.php?group_id=22587&type=3">
|
||||
</a></h1>
|
||||
|
||||
|
||||
|
||||
<h4> </h4>
|
||||
|
||||
|
||||
|
||||
<h2>This site is hosted by the generous folks at <a
|
||||
href="http://www.sf.net">SourceForge.net</a> </h2>
|
||||
|
||||
|
||||
|
||||
|
||||
<h2><a name="Donations"></a>Donations</h2>
|
||||
|
||||
</td>
|
||||
|
||||
<td width="88" bgcolor="#4b017c" valign="top" align="center">
|
||||
<br>
|
||||
<td width="88" bgcolor="#4b017c" valign="top"
|
||||
align="center"> <br>
|
||||
</td>
|
||||
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
</tbody>
|
||||
|
||||
</table>
|
||||
|
||||
</center>
|
||||
|
||||
</div>
|
||||
|
||||
|
||||
@ -473,10 +451,14 @@ have been moved from /var/lib/shorewall to /usr/lib/shorewall
|
||||
<table border="0" cellpadding="5" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber2"
|
||||
bgcolor="#4b017c">
|
||||
|
||||
<tbody>
|
||||
|
||||
<tr>
|
||||
<td
|
||||
width="100%" style="margin-top: 1px;">
|
||||
|
||||
<td width="100%" style="margin-top: 1px;">
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@ -486,6 +468,7 @@ have been moved from /var/lib/shorewall to /usr/lib/shorewall
|
||||
<p align="center"><a href="http://www.starlight.org"> <img
|
||||
border="4" src="images/newlog.gif" width="57" height="100" align="left"
|
||||
hspace="10">
|
||||
|
||||
</a></p>
|
||||
|
||||
|
||||
@ -494,28 +477,33 @@ have been moved from /var/lib/shorewall to /usr/lib/shorewall
|
||||
|
||||
|
||||
|
||||
<p align="center"><font size="4" color="#ffffff">Shorewall is free
|
||||
but if you try it and find it useful, please consider making a donation
|
||||
|
||||
|
||||
<p align="center"><font size="4" color="#ffffff">Shorewall is free but
|
||||
if you try it and find it useful, please consider making a donation
|
||||
to <a
|
||||
href="http://www.starlight.org"><font color="#ffffff">Starlight
|
||||
Children's Foundation.</font></a> Thanks!</font></p>
|
||||
href="http://www.starlight.org"><font color="#ffffff">Starlight Children's
|
||||
Foundation.</font></a> Thanks!</font></p>
|
||||
|
||||
</td>
|
||||
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
</tbody>
|
||||
|
||||
</table>
|
||||
|
||||
|
||||
|
||||
<p><font size="2">Updated 11/24/2002 - <a href="support.htm">Tom Eastep</a></font>
|
||||
<p><font size="2">Updated 12/22/2002 - <a href="support.htm">Tom Eastep</a></font>
|
||||
|
||||
<br>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -34,7 +34,7 @@
|
||||
|
||||
<p>This guide doesn't attempt to acquaint you with all of the features of
|
||||
Shorewall. It rather focuses on what is required to configure Shorewall
|
||||
in one of its most common configurations:</p>
|
||||
in one of its most common configurations:</p>
|
||||
|
||||
<ul>
|
||||
<li>Linux system</li>
|
||||
@ -44,10 +44,10 @@ in one of its most common configurations:</p>
|
||||
</ul>
|
||||
|
||||
<p>This guide assumes that you have the iproute/iproute2 package installed
|
||||
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell if
|
||||
this package is installed by the presence of an <b>ip</b> program on your
|
||||
firewall system. As root, you can use the 'which' command to check for
|
||||
this program:</p>
|
||||
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell
|
||||
if this package is installed by the presence of an <b>ip</b> program on
|
||||
your firewall system. As root, you can use the 'which' command to check
|
||||
for this program:</p>
|
||||
|
||||
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
|
||||
|
||||
@ -61,27 +61,29 @@ this program:</p>
|
||||
If you edit your configuration files on a Windows system, you must
|
||||
save them as Unix files if your editor supports that option or you must
|
||||
run them through dos2unix before trying to use them. Similarly, if you copy
|
||||
a configuration file from your Windows hard drive to a floppy disk, you
|
||||
must run dos2unix against the copy before using it with Shorewall.</p>
|
||||
a configuration file from your Windows hard drive to a floppy disk, you must
|
||||
run dos2unix against the copy before using it with Shorewall.</p>
|
||||
|
||||
<ul>
|
||||
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
|
||||
of dos2unix</a></li>
|
||||
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
|
||||
Version of dos2unix</a></li>
|
||||
Version of dos2unix</a></li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h2 align="left">Shorewall Concepts</h2>
|
||||
|
||||
<p>The configuration files for Shorewall are contained in the directory
|
||||
/etc/shorewall -- for simple setups, you only need to deal with a few of
|
||||
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
|
||||
alt="">
|
||||
The configuration files for Shorewall are contained in the directory
|
||||
/etc/shorewall -- for simple setups, you only need to deal with a few of
|
||||
these as described in this guide. After you have <a href="Install.htm">installed
|
||||
Shorewall</a>, download the <a
|
||||
Shorewall</a>, <b>download the <a
|
||||
href="/pub/shorewall/LATEST.samples/one-interface.tgz">one-interface sample</a>,
|
||||
un-tar it (tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewall
|
||||
(they will replace files with the same names that were placed in /etc/shorewall
|
||||
during Shorewall installation).</p>
|
||||
during Shorewall installation)</b>.</p>
|
||||
|
||||
<p>As each file is introduced, I suggest that you look through the actual
|
||||
file on your system -- each file contains detailed configuration instructions
|
||||
@ -115,8 +117,8 @@ un-tar it (tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewal
|
||||
in terms of zones.</p>
|
||||
|
||||
<ul>
|
||||
<li>You express your default policy for connections from one zone to
|
||||
another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
|
||||
<li>You express your default policy for connections from one zone
|
||||
to another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
|
||||
</a>file.</li>
|
||||
<li>You define exceptions to those default policies in the <a
|
||||
href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
|
||||
@ -124,14 +126,14 @@ un-tar it (tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewal
|
||||
</ul>
|
||||
|
||||
<p>For each connection request entering the firewall, the request is first
|
||||
checked against the /etc/shorewall/rules file. If no rule in that file matches
|
||||
the connection request then the first policy in /etc/shorewall/policy that
|
||||
matches the request is applied. If that policy is REJECT or DROP the
|
||||
request is first checked against the rules in /etc/shorewall/common (the
|
||||
samples provide that file for you).</p>
|
||||
checked against the /etc/shorewall/rules file. If no rule in that file
|
||||
matches the connection request then the first policy in /etc/shorewall/policy
|
||||
that matches the request is applied. If that policy is REJECT or DROP
|
||||
the request is first checked against the rules in /etc/shorewall/common
|
||||
(the samples provide that file for you).</p>
|
||||
|
||||
<p>The /etc/shorewall/policy file included with the one-interface sample has
|
||||
the following policies:</p>
|
||||
<p>The /etc/shorewall/policy file included with the one-interface sample
|
||||
has the following policies:</p>
|
||||
|
||||
<blockquote>
|
||||
<table border="1" cellpadding="2" style="border-collapse: collapse;"
|
||||
@ -177,9 +179,9 @@ the following policies:</p>
|
||||
<ol>
|
||||
<li>allow all connection requests from the firewall to the internet</li>
|
||||
<li>drop (ignore) all connection requests from the internet to your
|
||||
firewall</li>
|
||||
<li>reject all other connection requests (Shorewall requires this catchall
|
||||
policy).</li>
|
||||
firewall</li>
|
||||
<li>reject all other connection requests (Shorewall requires this
|
||||
catchall policy).</li>
|
||||
|
||||
</ol>
|
||||
|
||||
@ -201,10 +203,10 @@ a <b>ppp0</b>. If you connect via a regular modem, your External Interface
|
||||
<p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
|
||||
height="13">
|
||||
The Shorewall one-interface sample configuration assumes that the
|
||||
external interface is <b>eth0</b>. If your configuration is different, you
|
||||
will have to modify the sample /etc/shorewall/interfaces file accordingly.
|
||||
While you are there, you may wish to review the list of options that are
|
||||
specified for the interface. Some hints:</p>
|
||||
external interface is <b>eth0</b>. If your configuration is different,
|
||||
you will have to modify the sample /etc/shorewall/interfaces file accordingly.
|
||||
While you are there, you may wish to review the list of options that are
|
||||
specified for the interface. Some hints:</p>
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
@ -239,9 +241,9 @@ specified for the interface. Some hints:</p>
|
||||
|
||||
<p align="left"><img border="0" src="images/BD21298_.gif" align="left"
|
||||
width="13" height="13">
|
||||
Before starting Shorewall, you should look at the IP address of
|
||||
your external interface and if it is one of the above ranges, you should
|
||||
remove the 'norfc1918' option from the entry in /etc/shorewall/interfaces.</p>
|
||||
Before starting Shorewall, you should look at the IP address
|
||||
of your external interface and if it is one of the above ranges, you
|
||||
should remove the 'norfc1918' option from the entry in /etc/shorewall/interfaces.</p>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
@ -283,8 +285,8 @@ specified for the interface. Some hints:</p>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<p align="left">Example - You want to run a Web Server and a POP3 Server on
|
||||
your firewall system:</p>
|
||||
<p align="left">Example - You want to run a Web Server and a POP3 Server
|
||||
on your firewall system:</p>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
@ -326,8 +328,8 @@ your firewall system:</p>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<p align="left">If you don't know what port and protocol a particular application
|
||||
uses, see <a href="ports.htm">here</a>.</p>
|
||||
<p align="left">If you don't know what port and protocol a particular
|
||||
application uses, see <a href="ports.htm">here</a>.</p>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
@ -408,15 +410,15 @@ of your firewall, you can enable Shorewall startup by removing the file /etc/sho
|
||||
<div align="left">
|
||||
<p align="left"><b>WARNING: </b>If you are connected to your firewall from
|
||||
the internet, do not issue a "shorewall stop" command unless you have
|
||||
added an entry for the IP address that you are connected from to <a
|
||||
added an entry for the IP address that you are connected from to <a
|
||||
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
|
||||
Also, I don't recommend using "shorewall restart"; it is better to create
|
||||
an <i><a href="configuration_file_basics.htm#Configs">alternate configuration</a></i>
|
||||
and test it using the <a href="starting_and_stopping_shorewall.htm">"shorewall
|
||||
try" command</a>.</p>
|
||||
try" command</a>.</p>
|
||||
</div>
|
||||
|
||||
<p align="left"><font size="2">Last updated 11/21/2002 - <a
|
||||
<p align="left"><font size="2">Last updated 12/9/2002 - <a
|
||||
href="support.htm">Tom Eastep</a></font></p>
|
||||
|
||||
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas
|
||||
@ -425,5 +427,6 @@ try" command</a>.</p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -1,78 +0,0 @@
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
|
||||
<title>Subnet Masks</title>
|
||||
</head>
|
||||
|
||||
<body>
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#FFFFFF">Subnet Masks/VLSM Notation</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
</table>
|
||||
<p align="left">IP addresses and subnet masks are 32-bit numbers. The notation
|
||||
w.x.y.z refers to an address where the high-order byte has value "w", the next
|
||||
byte has value "x", etc. If we take 255.255.255.0 and express it in
|
||||
hexadecimal,
|
||||
we get:</p>
|
||||
<blockquote>
|
||||
<p align="left">FF.FF.FF.00</p>
|
||||
</blockquote>
|
||||
<p align="left">or looking at it as a 32-bit integer</p>
|
||||
<blockquote>
|
||||
<p align="left">FFFFFF00</p>
|
||||
</blockquote>
|
||||
<p align="left">Each "F" represents the bit pattern "1111" so if we look at the
|
||||
number in binary, we have:</p>
|
||||
<blockquote>
|
||||
<p align="left">11111111111111111111111100000000</p>
|
||||
</blockquote>
|
||||
<p align="left">Counting the leading "1" bits, we see that there are 24 -- /24
|
||||
in VLSM notation.</p>
|
||||
<p align="left">It is handy to remember that the size of the subnet can be
|
||||
obtained by subtracting the number of consecutive leading "1" bits from 32 and
|
||||
raising 2 to that power. In the above case, 32 - 24 = 8 and 2 ** 8 = 256
|
||||
addresses. Remember that the number of usable addresses is two less than that
|
||||
(254) because the first and last address in the subnet are reserved as the
|
||||
sub-network and broadcast addresses respectively.</p>
|
||||
<p align="left">The size of a subnet can be any power of two so long as the
|
||||
address of the subnet is a multiple of it's size. For example, if you want a
|
||||
subnet of size 8, you could choose 192.168.12.8/29 (8 = 2 ** 3 and 32 - 3 = 29).
|
||||
The subnet mask would be:</p>
|
||||
<blockquote>
|
||||
<p align="left">11111111111111111111111111111000 = FFFFFFF8 = 255.255.255.248.</p>
|
||||
</blockquote>
|
||||
<p align="left">This subnet would have 6 usable addresses: 192.168.12.9 -
|
||||
192.168.12.14.</p>
|
||||
<p align="left">You will still hear the terms "Class A network", "Class B
|
||||
network" and "Class C network". In the early days of IP, sub-networks only came
|
||||
in three sizes:</p>
|
||||
<blockquote>
|
||||
<p align="left">Class A - Subnet mask 255.0.0.0, size = 2 ** 24</p>
|
||||
<p align="left">Class B - Subnet mask 255.255.0.0, size = 2 ** 16</p>
|
||||
<p align="left">Class C - Subnet mask 255.255.255.0, size = 256</p>
|
||||
</blockquote>
|
||||
<p align="left">The class of a network was determined by the value of the high
|
||||
order byte of its address so you could look at an IP address and immediately
|
||||
determine the associated subnet mask. </p>
|
||||
<p align="left">As the internet grew, it became clear that such a gross
|
||||
partitioning of the 32-bit address space was going to be very limiting (early
|
||||
on, large corporations and universities were assigned their own class A
|
||||
network!). It was then that VLSM was devised -- today, any system that you are
|
||||
likely to work with understands VLSM and Class-based subnetworking is largely a
|
||||
thing of the past.</p>
|
||||
<p align="left"><font size="2">Last updated
|
||||
7/15/2002 - <a href="support.htm">Tom
|
||||
Eastep</a></font></p>
|
||||
<p><a href="copyright.htm"><font size="2">Copyright 2002 Thomas M. Eastep</font></a></p>
|
||||
|
||||
</body>
|
||||
|
||||
</html>
|
@ -2,16 +2,22 @@
|
||||
<html>
|
||||
<head>
|
||||
|
||||
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
<title>Support</title>
|
||||
|
||||
|
||||
|
||||
<meta name="Microsoft Theme" content="none">
|
||||
</head>
|
||||
<body>
|
||||
@ -23,63 +29,94 @@
|
||||
<tr>
|
||||
<td width="100%">
|
||||
|
||||
<h1 align="center"><font color="#ffffff">Shorewall Support</font></h1>
|
||||
|
||||
<h1 align="center"><font color="#ffffff">Shorewall Support<img
|
||||
src="images/obrasinf.gif" alt="" width="90" height="90" align="middle">
|
||||
</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<h3 align="left"> <span style="font-weight: 400;"><i> "<font size="3">It is
|
||||
easier to post a problem than to use your own brain" </font>-- </i> <font
|
||||
size="2">Wietse Venema (creator of <a href="http://www.postfix.org">Postfix</a>)</font></span></h3>
|
||||
<p> <br>
|
||||
<span style="font-weight: 400;"></span></p>
|
||||
|
||||
<p align="left"> <i>"Any sane computer will tell you how it works -- you just
|
||||
have to ask it the right questions" </i>-- <font size="2">Tom Eastep</font></p>
|
||||
<h2><big><font color="#ff0000"><b>I don't look at problems sent to me directly
|
||||
but I try to spend some amount of time each day responding to problems
|
||||
posted on the Shorewall mailing list.</b></font></big></h2>
|
||||
|
||||
<blockquote> </blockquote>
|
||||
<h2 align="center"><big><font color="#ff0000"><b>-Tom</b></font></big></h2>
|
||||
|
||||
<p><span style="font-weight: 400;"><i>"It irks me when people believe that
|
||||
free software comes at no cost. The cost is incredibly high."</i>
|
||||
- <font size="2"> Wietse Venem<br>
|
||||
</font></span></p>
|
||||
<h2>Before Reporting a Problem</h2>
|
||||
|
||||
<h3 align="left">Before Reporting a Problem</h3>
|
||||
<b><i>"Reading the documentation fully is a prerequisite to getting help
|
||||
for your particular situation. I know it's harsh but you will have to get
|
||||
so far on your own before you can get reasonable help from a list full of
|
||||
busy people. A mailing list is not a tool to speed up your day by being spoon
|
||||
fed</i></b><i><b>".</b> </i>-- Simon White<br>
|
||||
<h3>T<b>here are a number of sources for problem solution information. Please
|
||||
try these before you post.</b></h3>
|
||||
|
||||
<p>There are also a number of sources for problem solution information.</p>
|
||||
<h3> </h3>
|
||||
|
||||
<h3> </h3>
|
||||
|
||||
<ul>
|
||||
<li>The <a href="FAQ.htm">FAQ</a> has solutions to common problems.</li>
|
||||
<li>The <a href="troubleshoot.htm">Troubleshooting</a> Information
|
||||
contains a number of tips to help you solve common problems.</li>
|
||||
<li>The <a href="errata.htm"> Errata</a> has links to download
|
||||
updated components.</li>
|
||||
<li>The Mailing List Archives search facility can locate posts
|
||||
about similar problems:</li>
|
||||
<li>
|
||||
<h3><b>The <a href="FAQ.htm">FAQ</a> has solutions to more than 20 common
|
||||
problems.</b></h3>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h4>Mailing List Archive Search</h4>
|
||||
<h3> </h3>
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
<h3><b>The <a href="troubleshoot.htm">Troubleshooting</a> Information
|
||||
contains a number of tips to help you solve common problems.</b></h3>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h3> </h3>
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
<h3><b>The <a href="errata.htm"> Errata</a> has links to download
|
||||
updated components.</b></h3>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h3> </h3>
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
<h3><b>The Mailing List Archives search facility can locate posts
|
||||
about similar problems:</b></h3>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h2> </h2>
|
||||
|
||||
<h2>Mailing List Archive Search</h2>
|
||||
|
||||
<form method="post" action="http://www.shorewall.net/cgi-bin/htsearch">
|
||||
|
||||
<p> <font size="-1"> Match:
|
||||
|
||||
<select name="method">
|
||||
<option value="and">All </option>
|
||||
<option value="or">Any </option>
|
||||
<option value="boolean">Boolean </option>
|
||||
</select>
|
||||
Format:
|
||||
|
||||
<select name="format">
|
||||
<option value="builtin-long">Long </option>
|
||||
<option value="builtin-short">Short </option>
|
||||
</select>
|
||||
Sort by:
|
||||
|
||||
<select name="sort">
|
||||
<option value="score">Score </option>
|
||||
<option value="time">Time </option>
|
||||
@ -88,76 +125,163 @@ about similar problems:</li>
|
||||
<option value="revtime">Reverse Time </option>
|
||||
<option value="revtitle">Reverse Title </option>
|
||||
</select>
|
||||
</font> <input type="hidden" name="config" value="htdig"> <input
|
||||
type="hidden" name="restrict"
|
||||
</font> <input type="hidden" name="config"
|
||||
value="htdig"> <input type="hidden" name="restrict"
|
||||
value="[http://www.shorewall.net/pipermail/.*]"> <input type="hidden"
|
||||
name="exclude" value=""> <br>
|
||||
Search: <input type="text" size="30" name="words" value=""> <input
|
||||
type="submit" value="Search"> </p>
|
||||
Search: <input type="text" size="30" name="words"
|
||||
value=""> <input type="submit" value="Search"> </p>
|
||||
</form>
|
||||
|
||||
<h3 align="left">Problem Reporting Guideline</h3>
|
||||
<h2>Problem Reporting Guidelines</h2>
|
||||
<i>"Let me see if I can translate your message into a real-world example.
|
||||
It would be like saying that you have three rooms at home, and when you
|
||||
walk into one of the rooms, you detect this strange smell. Can anyone tell
|
||||
you what that strange smell is?<br>
|
||||
<br>
|
||||
Now, all of us could do some wonderful guessing as to the smell and even
|
||||
what's causing it. You would be absolutely amazed at the range and variety
|
||||
of smells we could come up with. Even more amazing is that all of the explanations
|
||||
for the smells would be completely plausible."<br>
|
||||
</i><br>
|
||||
|
||||
<div align="center"> - Russell Mosemann<br>
|
||||
</div>
|
||||
<br>
|
||||
|
||||
<h3> </h3>
|
||||
|
||||
<ul>
|
||||
<li>When reporting a problem, give as much information as you can.
|
||||
Reports that say "I tried XYZ and it didn't work" are not at all helpful.</li>
|
||||
<li>Please don't describe your environment and then ask us to send
|
||||
you custom configuration files. We're here to answer your questions
|
||||
but we can't do your job for you.</li>
|
||||
<li>Do you see any "Shorewall" messages in /var/log/messages
|
||||
when you exercise the function that is giving you problems?</li>
|
||||
<li>Have you looked at the packet flow with a tool like tcpdump
|
||||
to try to understand what is going on?</li>
|
||||
<li>Have you tried using the diagnostic capabilities of the
|
||||
application that isn't working? For example, if "ssh" isn't able
|
||||
to connect, using the "-v" option gives you a lot of valuable diagnostic
|
||||
information.</li>
|
||||
<li>Please include any of the Shorewall configuration files (especially
|
||||
the /etc/shorewall/hosts file if you have modified that file) that you
|
||||
think are relevant. If an error occurs when you try to "shorewall start",
|
||||
include a trace (See the <a href="troubleshoot.htm">Troubleshooting</a>
|
||||
section for instructions).</li>
|
||||
<li>The list server limits posts to 120kb so don't post GIFs of
|
||||
your network layout, etc to the Mailing List -- your post will
|
||||
be rejected.</li>
|
||||
<li>
|
||||
<h3><b>When reporting a problem, give as much information as you can.
|
||||
Reports that say "I tried XYZ and it didn't work" are not at all helpful.</b></h3>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h3>Where to Send your Problem Report or to Ask for Help</h3>
|
||||
<b>If you run Shorewall on Mandrake 9.0 </b>-- send your problem
|
||||
reports and questions to MandrakeSoft. I ordered a Mandrake 9.0 boxed set
|
||||
on October 3, 2002; MandrakeSoft issued a charge against my credit card
|
||||
on October 4, 2002 (they are really effecient at that part of the order
|
||||
process) and I haven't heard a word from them since (although their news
|
||||
letters boast that 9.0 boxed sets have been shipping for the last two weeks).
|
||||
If they can't fill my 9.0 order within <u>6 weeks after they have billed
|
||||
my credit card</u> then I refuse to spend my free time supporting of their
|
||||
product for them.<br>
|
||||
<h3> </h3>
|
||||
|
||||
<h4>If you run Shorewall under Bering -- <span style="font-weight: 400;">please
|
||||
post your question or problem to the <a
|
||||
href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing list</a>.</span></h4>
|
||||
<ul>
|
||||
<li>
|
||||
<h3><b>Please don't describe your environment and then ask us to send
|
||||
you custom configuration files. We're here to answer your
|
||||
questions but we can't do your job for you.</b></h3>
|
||||
</li>
|
||||
|
||||
<p>Otherwise, please post your question or problem to the <a
|
||||
href="mailto:shorewall-users@shorewall.net">Shorewall users mailing list</a>;
|
||||
there are lots of folks there who are willing to help you. Your question/problem
|
||||
description and their responses will be placed in the mailing list archives
|
||||
to help people who have a similar question or problem in the future.</p>
|
||||
</ul>
|
||||
|
||||
<p>I don't look at problems sent to me directly but I try to spend some amount
|
||||
of time each day responding to problems posted on the mailing list.</p>
|
||||
<h3> </h3>
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
<h3><b>Do you see any "Shorewall" messages in /var/log/messages
|
||||
when you exercise the function that is giving you problems?</b></h3>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h3> </h3>
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
<h3><b>Have you looked at the packet flow with a tool like tcpdump
|
||||
to try to understand what is going on?</b></h3>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h3> </h3>
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
<h3><b>Have you tried using the diagnostic capabilities of the
|
||||
application that isn't working? For example, if "ssh" isn't able
|
||||
to connect, using the "-v" option gives you a lot of valuable diagnostic
|
||||
information.</b></h3>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h3> </h3>
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
<h3><b>Please include any of the Shorewall configuration files (especially
|
||||
the /etc/shorewall/hosts file if you have modified that file)
|
||||
that you think are relevant.</b></h3>
|
||||
</li>
|
||||
<li>
|
||||
<h3><b>If an error occurs when you try to "shorewall start", include
|
||||
a trace (See the <a href="troubleshoot.htm">Troubleshooting</a> section
|
||||
for instructions).</b></h3>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h3> </h3>
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
<h3><b>The list server limits posts to 120kb so don't post GIFs of
|
||||
your network layout, etc to the Mailing List -- your post
|
||||
will be rejected.</b></h3>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h3> </h3>
|
||||
|
||||
<h2>Please post in plain text</h2>
|
||||
<blockquote>
|
||||
<h3><b> While the list server here at shorewall.net accepts and distributes
|
||||
HTML posts, a growing number of MTAs serving list subscribers are rejecting
|
||||
this HTML list traffic. At least one MTA has gone so far as to blacklist
|
||||
shorewall.net "for continuous abuse"!!</b></h3>
|
||||
<h3><b> I think that blocking all HTML is a rather draconian way to control
|
||||
spam and that the unltimate loser here is not the spammers but the list subscribers
|
||||
whose MTAs are bouncing all shorewall.net mail. Nevertheless, all of you can
|
||||
help by restricting your list posts to plain text.</b></h3>
|
||||
<h3><b> And as a bonus, subscribers who use email clients like pine and
|
||||
mutt will be able to read your plain text posts whereas they are most likely
|
||||
simply ignoring your HTML posts.</b></h3>
|
||||
<h3><b> A final bonus for the use of HTML is that it cuts down the size
|
||||
of messages by a large percentage -- that is important when the same message
|
||||
must be sent 500 times over the slow DSL line connecting the list server
|
||||
to the internet.</b> </h3>
|
||||
</blockquote>
|
||||
<h2>Where to Send your Problem Report or to Ask for Help</h2>
|
||||
|
||||
<h3></h3>
|
||||
|
||||
<blockquote>
|
||||
<h4>If you run Shorewall under Bering -- <span
|
||||
style="font-weight: 400;">please post your question or problem
|
||||
to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing
|
||||
list</a>.</span></h4>
|
||||
|
||||
<p>Otherwise, please post your question or problem to the <a
|
||||
href="mailto:shorewall-users@shorewall.net">Shorewall users mailing list.</a></p>
|
||||
</blockquote>
|
||||
|
||||
|
||||
|
||||
<p align="center"><big><font color="#ff0000"><b></b></font></big></p>
|
||||
|
||||
<p align="center"><a href="mailto:teastep@shorewall.net">-Tom</a></p>
|
||||
|
||||
<p>To Subscribe to the mailing list go to <a
|
||||
href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a>
|
||||
.</p>
|
||||
|
||||
<p align="left"><font size="2">Last Updated 11/19//2002 - Tom Eastep</font></p>
|
||||
|
||||
<p align="left"><font size="2">Last Updated 12/27/2002 - Tom Eastep</font></p>
|
||||
|
||||
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
|
||||
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
|
||||
</p>
|
||||
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -39,11 +39,12 @@
|
||||
in one of its more popular configurations:</p>
|
||||
|
||||
<ul>
|
||||
<li>Linux system used as a firewall/router for a small local network.</li>
|
||||
<li>Linux system used as a firewall/router for a small local
|
||||
network.</li>
|
||||
<li>Single public IP address.</li>
|
||||
<li>DMZ connected to a separate ethernet interface.</li>
|
||||
<li>Connection through DSL, Cable Modem, ISDN, Frame Relay, dial-up,
|
||||
...</li>
|
||||
<li>Connection through DSL, Cable Modem, ISDN, Frame Relay,
|
||||
dial-up, ...</li>
|
||||
|
||||
</ul>
|
||||
|
||||
@ -55,43 +56,47 @@
|
||||
|
||||
<p>This guide assumes that you have the iproute/iproute2 package installed
|
||||
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell
|
||||
if this package is installed by the presence of an <b>ip</b> program on
|
||||
your firewall system. As root, you can use the 'which' command to check
|
||||
for this program:</p>
|
||||
if this package is installed by the presence of an <b>ip</b> program
|
||||
on your firewall system. As root, you can use the 'which' command to
|
||||
check for this program:</p>
|
||||
|
||||
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
|
||||
|
||||
<p>I recommend that you first read through the guide to familiarize yourself
|
||||
with what's involved then go back through it again making your configuration
|
||||
changes. Points at which configuration changes are recommended are flagged
|
||||
with <img border="0" src="images/BD21298_.gif" width="13" height="13">
|
||||
changes. Points at which configuration changes are recommended are
|
||||
flagged with <img border="0" src="images/BD21298_.gif" width="13"
|
||||
height="13">
|
||||
</p>
|
||||
|
||||
<p><img border="0" src="images/j0213519.gif" width="60" height="60">
|
||||
If you edit your configuration files on a Windows system, you
|
||||
must save them as Unix files if your editor supports that option or you
|
||||
must run them through dos2unix before trying to use them. Similarly, if
|
||||
you copy a configuration file from your Windows hard drive to a floppy disk,
|
||||
you must run dos2unix against the copy before using it with Shorewall.</p>
|
||||
If you edit your configuration files on a Windows system,
|
||||
you must save them as Unix files if your editor supports that option
|
||||
or you must run them through dos2unix before trying to use them. Similarly,
|
||||
if you copy a configuration file from your Windows hard drive to a floppy
|
||||
disk, you must run dos2unix against the copy before using it with Shorewall.</p>
|
||||
|
||||
<ul>
|
||||
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
|
||||
of dos2unix</a></li>
|
||||
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
|
||||
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows
|
||||
Version of dos2unix</a></li>
|
||||
<li><a
|
||||
href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version
|
||||
of dos2unix</a></li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h2 align="left">Shorewall Concepts</h2>
|
||||
|
||||
<p>The configuration files for Shorewall are contained in the directory
|
||||
/etc/shorewall -- for simple setups, you will only need to deal with a few
|
||||
of these as described in this guide. After you have <a
|
||||
href="Install.htm">installed Shorewall</a>, download the <a
|
||||
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
|
||||
alt="">
|
||||
The configuration files for Shorewall are contained in the directory
|
||||
/etc/shorewall -- for simple setups, you will only need to deal with a
|
||||
few of these as described in this guide. After you have <a
|
||||
href="Install.htm">installed Shorewall</a>, <b>download the <a
|
||||
href="/pub/shorewall/LATEST.samples/three-interfaces.tgz">three-interface
|
||||
sample</a>, un-tar it (tar -zxvf three-interfaces.tgz) and and copy the
|
||||
files to /etc/shorewall (the files will replace files with the same names
|
||||
that were placed in /etc/shorewall when Shorewall was installed).</p>
|
||||
sample</a>, un-tar it (tar -zxvf three-interfaces.tgz) and and copy
|
||||
the files to /etc/shorewall (the files will replace files with the same
|
||||
names that were placed in /etc/shorewall when Shorewall was installed)</b>.</p>
|
||||
|
||||
<p>As each file is introduced, I suggest that you look through the actual
|
||||
file on your system -- each file contains detailed configuration instructions
|
||||
@ -99,7 +104,7 @@ of these as described in this guide. After you have <a
|
||||
|
||||
<p>Shorewall views the network where it is running as being composed of a
|
||||
set of <i>zones.</i> In the three-interface sample configuration, the
|
||||
following zone names are used:</p>
|
||||
following zone names are used:</p>
|
||||
|
||||
<table border="0" style="border-collapse: collapse;" cellpadding="3"
|
||||
cellspacing="0" id="AutoNumber2">
|
||||
@ -133,11 +138,11 @@ following zone names are used:</p>
|
||||
in terms of zones.</p>
|
||||
|
||||
<ul>
|
||||
<li>You express your default policy for connections from one zone
|
||||
to another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
|
||||
<li>You express your default policy for connections from one
|
||||
zone to another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
|
||||
</a>file.</li>
|
||||
<li>You define exceptions to those default policies in the <a
|
||||
href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
|
||||
<li>You define exceptions to those default policies in the
|
||||
<a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
|
||||
|
||||
</ul>
|
||||
|
||||
@ -146,7 +151,7 @@ following zone names are used:</p>
|
||||
matches the connection request then the first policy in /etc/shorewall/policy
|
||||
that matches the request is applied. If that policy is REJECT or DROP
|
||||
the request is first checked against the rules in /etc/shorewall/common
|
||||
(the samples provide that file for you).</p>
|
||||
(the samples provide that file for you).</p>
|
||||
|
||||
<p>The /etc/shorewall/policy file included with the three-interface sample
|
||||
has the following policies:</p>
|
||||
@ -190,8 +195,8 @@ following zone names are used:</p>
|
||||
|
||||
<blockquote>
|
||||
<p>In the three-interface sample, the line below is included but commented
|
||||
out. If you want your firewall system to have full access to servers on
|
||||
the internet, uncomment that line.</p>
|
||||
out. If you want your firewall system to have full access to servers
|
||||
on the internet, uncomment that line.</p>
|
||||
|
||||
<table border="1" cellpadding="2" style="border-collapse: collapse;"
|
||||
id="AutoNumber3">
|
||||
@ -218,19 +223,19 @@ following zone names are used:</p>
|
||||
<p>The above policy will:</p>
|
||||
|
||||
<ol>
|
||||
<li>allow all connection requests from your local network to the
|
||||
internet</li>
|
||||
<li>drop (ignore) all connection requests from the internet to
|
||||
your firewall or local network</li>
|
||||
<li>allow all connection requests from your local network to
|
||||
the internet</li>
|
||||
<li>drop (ignore) all connection requests from the internet
|
||||
to your firewall or local network</li>
|
||||
<li>optionally accept all connection requests from the firewall
|
||||
to the internet (if you uncomment the additional policy)</li>
|
||||
to the internet (if you uncomment the additional policy)</li>
|
||||
<li>reject all other connection requests.</li>
|
||||
|
||||
</ol>
|
||||
|
||||
<p><img border="0" src="images/BD21298_1.gif" width="13" height="13">
|
||||
At this point, edit your /etc/shorewall/policy file and make
|
||||
any changes that you wish.</p>
|
||||
any changes that you wish.</p>
|
||||
|
||||
<h2 align="left">Network Interfaces</h2>
|
||||
|
||||
@ -241,12 +246,12 @@ any changes that you wish.</p>
|
||||
<p align="left">The firewall has three network interfaces. Where Internet
|
||||
connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
|
||||
will be the ethernet adapter that is connected to that "Modem" (e.g.,
|
||||
<b>eth0</b>) <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint
|
||||
<u>P</u>rotocol over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint
|
||||
<u>T</u>unneling <u>P</u>rotocol </i>(PPTP) in which case the External Interface
|
||||
will be a ppp interface (e.g., <b>ppp0</b>). If you connect via a regular
|
||||
modem, your External Interface will also be <b>ppp0</b>. If you connect
|
||||
using ISDN, you external interface will be <b>ippp0.</b></p>
|
||||
<b>eth0</b>) <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint
|
||||
<u>P</u>rotocol over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint
|
||||
<u>T</u>unneling <u>P</u>rotocol </i>(PPTP) in which case the External
|
||||
Interface will be a ppp interface (e.g., <b>ppp0</b>). If you connect via
|
||||
a regular modem, your External Interface will also be <b>ppp0</b>. If you
|
||||
connect using ISDN, you external interface will be <b>ippp0.</b></p>
|
||||
|
||||
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
|
||||
height="13">
|
||||
@ -255,32 +260,32 @@ using ISDN, you external interface will be <b>ippp0.</b></p>
|
||||
href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf.</a></p>
|
||||
|
||||
<p align="left">Your <i>Local Interface</i> will be an ethernet adapter (eth0,
|
||||
eth1 or eth2) and will be connected to a hub or switch. Your local computers
|
||||
will be connected to the same switch (note: If you have only a single
|
||||
local system, you can connect the firewall directly to the computer using
|
||||
a <i>cross-over </i> cable).</p>
|
||||
eth1 or eth2) and will be connected to a hub or switch. Your local
|
||||
computers will be connected to the same switch (note: If you have only
|
||||
a single local system, you can connect the firewall directly to the
|
||||
computer using a <i>cross-over </i> cable).</p>
|
||||
|
||||
<p align="left">Your <i>DMZ Interface</i> will also be an ethernet adapter
|
||||
(eth0, eth1 or eth2) and will be connected to a hub or switch. Your DMZ
|
||||
computers will be connected to the same switch (note: If you have only
|
||||
a single DMZ system, you can connect the firewall directly to the computer
|
||||
using a <i>cross-over </i> cable).</p>
|
||||
(eth0, eth1 or eth2) and will be connected to a hub or switch. Your
|
||||
DMZ computers will be connected to the same switch (note: If you have
|
||||
only a single DMZ system, you can connect the firewall directly to the
|
||||
computer using a <i>cross-over </i> cable).</p>
|
||||
|
||||
<p align="left"><u><b> <img border="0" src="images/j0213519.gif"
|
||||
width="60" height="60">
|
||||
</b></u>Do not connect more than one interface to the same hub or
|
||||
switch (even for testing). It won't work the way that you expect it to
|
||||
and you will end up confused and believing that Shorewall doesn't work
|
||||
at all.</p>
|
||||
</b></u>Do not connect more than one interface to the same hub
|
||||
or switch (even for testing). It won't work the way that you expect it
|
||||
to and you will end up confused and believing that Shorewall doesn't
|
||||
work at all.</p>
|
||||
|
||||
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
|
||||
height="13">
|
||||
The Shorewall three-interface sample configuration assumes that
|
||||
the external interface is <b>eth0, </b>the local interface is <b>eth1
|
||||
</b>and the DMZ interface is <b> eth2</b>. If your configuration is different,
|
||||
The Shorewall three-interface sample configuration assumes
|
||||
that the external interface is <b>eth0, </b>the local interface is <b>eth1
|
||||
</b>and the DMZ interface is <b> eth2</b>. If your configuration is different,
|
||||
you will have to modify the sample /etc/shorewall/interfaces file accordingly.
|
||||
While you are there, you may wish to review the list of options that are
|
||||
specified for the interfaces. Some hints:</p>
|
||||
While you are there, you may wish to review the list of options that
|
||||
are specified for the interfaces. Some hints:</p>
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
@ -289,8 +294,8 @@ at all.</p>
|
||||
</li>
|
||||
<li>
|
||||
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>
|
||||
or if you have a static IP address, you can remove "dhcp" from the option
|
||||
list. </p>
|
||||
or if you have a static IP address, you can remove "dhcp" from the
|
||||
option list. </p>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
@ -298,17 +303,18 @@ at all.</p>
|
||||
<h2 align="left">IP Addresses</h2>
|
||||
|
||||
<p align="left">Before going further, we should say a few words about Internet
|
||||
Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you a single
|
||||
<i> Public</i> IP address. This address may be assigned via the<i> Dynamic
|
||||
Host Configuration Protocol</i> (DHCP) or as part of establishing your
|
||||
connection when you dial in (standard modem) or establish your PPP connection.
|
||||
In rare cases, your ISP may assign you a<i> static</i> IP address; that
|
||||
means that you configure your firewall's external interface to use that
|
||||
address permanently.<i> </i>Regardless of how the address is assigned,
|
||||
it will be shared by all of your systems when you access the Internet.
|
||||
You will have to assign your own addresses for your internal network (the
|
||||
local and DMZ Interfaces on your firewall plus your other computers). RFC
|
||||
1918 reserves several <i>Private </i>IP address ranges for this purpose:</p>
|
||||
Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you
|
||||
a single <i> Public</i> IP address. This address may be assigned via
|
||||
the<i> Dynamic Host Configuration Protocol</i> (DHCP) or as part of
|
||||
establishing your connection when you dial in (standard modem) or establish
|
||||
your PPP connection. In rare cases, your ISP may assign you a<i> static</i>
|
||||
IP address; that means that you configure your firewall's external interface
|
||||
to use that address permanently.<i> </i>Regardless of how the address is
|
||||
assigned, it will be shared by all of your systems when you access the
|
||||
Internet. You will have to assign your own addresses for your internal
|
||||
network (the local and DMZ Interfaces on your firewall plus your other
|
||||
computers). RFC 1918 reserves several <i>Private </i>IP address ranges for
|
||||
this purpose:</p>
|
||||
|
||||
<div align="left">
|
||||
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
|
||||
@ -330,11 +336,11 @@ entry in /etc/shorewall/interfaces.</p>
|
||||
range of addresses x.y.z.0 - x.y.z.255. Such a subnet will have a <i>Subnet
|
||||
Mask </i>of 255.255.255.0. The address x.y.z.0 is reserved as the <i>Subnet
|
||||
Address</i> and x.y.z.255 is reserved as the <i>Subnet Broadcast</i>
|
||||
<i>Address</i>. In Shorewall, a subnet is described using <a
|
||||
href="subnet_masks.htm"><i>Classless InterDomain Routing </i>(CIDR)</a>
|
||||
notation with consists of the subnet address followed by "/24". The "24"
|
||||
refers to the number of consecutive "1" bits from the left of the subnet
|
||||
mask. </p>
|
||||
<i>Address</i>. In Shorewall, a subnet is described using <a
|
||||
href="shorewall_setup_guide.htm#Subnets"><i>Classless InterDomain Routing
|
||||
</i>(CIDR)</a> notation with consists of the subnet address followed
|
||||
by "/24". The "24" refers to the number of consecutive "1" bits from
|
||||
the left of the subnet mask. </p>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
@ -384,16 +390,16 @@ mask. </p>
|
||||
<div align="left">
|
||||
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
|
||||
height="13">
|
||||
Your local computers (Local Computers 1 & 2) should be
|
||||
configured with their<i> default gateway</i> set to the IP address of
|
||||
the firewall's internal interface and your DMZ computers ( DMZ Computers
|
||||
1 & 2) should be configured with their default gateway set to the
|
||||
IP address of the firewall's DMZ interface. </p>
|
||||
Your local computers (Local Computers 1 & 2) should
|
||||
be configured with their<i> default gateway</i> set to the IP address
|
||||
of the firewall's internal interface and your DMZ computers ( DMZ
|
||||
Computers 1 & 2) should be configured with their default gateway
|
||||
set to the IP address of the firewall's DMZ interface. </p>
|
||||
</div>
|
||||
|
||||
<p align="left">The foregoing short discussion barely scratches the surface
|
||||
regarding subnetting and routing. If you are interested in learning more
|
||||
about IP addressing and routing, I highly recommend <i>"IP Fundamentals:
|
||||
regarding subnetting and routing. If you are interested in learning
|
||||
more about IP addressing and routing, I highly recommend <i>"IP Fundamentals:
|
||||
What Everyone Needs to Know about Addressing & Routing",</i> Thomas
|
||||
A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
|
||||
|
||||
@ -410,24 +416,24 @@ IP address of the firewall's DMZ interface.
|
||||
<h2 align="left">IP Masquerading (SNAT)</h2>
|
||||
|
||||
<p align="left">The addresses reserved by RFC 1918 are sometimes referred
|
||||
to as <i>non-routable</i> because the Internet backbone routers don't forward
|
||||
packets which have an RFC-1918 destination address. When one of your
|
||||
local systems (let's assume local computer 1) sends a connection request
|
||||
to an internet host, the firewall must perform <i>Network Address Translation
|
||||
</i>(NAT). The firewall rewrites the source address in the packet to be
|
||||
the address of the firewall's external interface; in other words, the firewall
|
||||
makes it look as if the firewall itself is initiating the connection.
|
||||
This is necessary so that the destination host will be able to route return
|
||||
packets back to the firewall (remember that packets whose destination
|
||||
address is reserved by RFC 1918 can't be routed accross the internet).
|
||||
When the firewall receives a return packet, it rewrites the destination
|
||||
address back to 10.10.10.1 and forwards the packet on to local computer
|
||||
1. </p>
|
||||
to as <i>non-routable</i> because the Internet backbone routers don't
|
||||
forward packets which have an RFC-1918 destination address. When one
|
||||
of your local systems (let's assume local computer 1) sends a connection
|
||||
request to an internet host, the firewall must perform <i>Network Address
|
||||
Translation </i>(NAT). The firewall rewrites the source address in the
|
||||
packet to be the address of the firewall's external interface; in other
|
||||
words, the firewall makes it look as if the firewall itself is initiating
|
||||
the connection. This is necessary so that the destination host will be
|
||||
able to route return packets back to the firewall (remember that packets
|
||||
whose destination address is reserved by RFC 1918 can't be routed accross
|
||||
the internet). When the firewall receives a return packet, it rewrites
|
||||
the destination address back to 10.10.10.1 and forwards the packet on
|
||||
to local computer 1. </p>
|
||||
|
||||
<p align="left">On Linux systems, the above process is often referred to as<i>
|
||||
IP Masquerading</i> and you will also see the term <i>Source Network Address
|
||||
Translation </i>(SNAT) used. Shorewall follows the convention used with
|
||||
Netfilter:</p>
|
||||
<p align="left">On Linux systems, the above process is often referred to
|
||||
as<i> IP Masquerading</i> and you will also see the term <i>Source Network
|
||||
Address Translation </i>(SNAT) used. Shorewall follows the convention used
|
||||
with Netfilter:</p>
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
@ -437,8 +443,8 @@ address back to 10.10.10.1 and forwards the packet on to local computer
|
||||
</li>
|
||||
<li>
|
||||
<p align="left"><i>SNAT</i> refers to the case when you explicitly specify
|
||||
the source address that you want outbound packets from your local network
|
||||
to use. </p>
|
||||
the source address that you want outbound packets from your local
|
||||
network to use. </p>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
@ -449,28 +455,43 @@ address back to 10.10.10.1 and forwards the packet on to local computer
|
||||
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
|
||||
height="13">
|
||||
If your external firewall interface is <b>eth0</b>, your local
|
||||
interface <b>eth1 </b>and your DMZ interface is <b>eth2</b> then you do
|
||||
not need to modify the file provided with the sample. Otherwise, edit
|
||||
interface <b>eth1 </b>and your DMZ interface is <b>eth2</b> then you
|
||||
do not need to modify the file provided with the sample. Otherwise, edit
|
||||
/etc/shorewall/masq and change it to match your configuration.</p>
|
||||
|
||||
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
|
||||
height="13">
|
||||
If your external IP is static, you can enter it in the third
|
||||
column in the /etc/shorewall/masq entry if you like although your firewall
|
||||
will work fine if you leave that column empty. Entering your static IP
|
||||
in column 3 makes processing outgoing packets a little more efficient.
|
||||
</p>
|
||||
column in the /etc/shorewall/masq entry if you like although your firewall
|
||||
will work fine if you leave that column empty. Entering your static IP
|
||||
in column 3 makes <br>
|
||||
processing outgoing packets a little more efficient.<br>
|
||||
</p>
|
||||
|
||||
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
|
||||
height="13" alt="">
|
||||
If you are using the Debian package, please check your shorewall.conf
|
||||
file to ensure that the following are set correctly; if they are not, change
|
||||
them appropriately:<br>
|
||||
</p>
|
||||
|
||||
<ul>
|
||||
<li>NAT_ENABLED=Yes</li>
|
||||
<li>IP_FORWARDING=On<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h2 align="left">Port Forwarding (DNAT)</h2>
|
||||
|
||||
<p align="left">One of your goals will be to run one or more servers on your
|
||||
DMZ computers. Because these computers have RFC-1918 addresses, it is not
|
||||
possible for clients on the internet to connect directly to them. It
|
||||
is rather necessary for those clients to address their connection requests
|
||||
to your firewall who rewrites the destination address to the address of
|
||||
your server and forwards the packet to that server. When your server responds,
|
||||
the firewall automatically performs SNAT to rewrite the source address
|
||||
in the response.</p>
|
||||
DMZ computers. Because these computers have RFC-1918 addresses, it is
|
||||
not possible for clients on the internet to connect directly to them.
|
||||
It is rather necessary for those clients to address their connection
|
||||
requests to your firewall who rewrites the destination address to the
|
||||
address of your server and forwards the packet to that server. When your
|
||||
server responds, the firewall automatically performs SNAT to rewrite
|
||||
the source address in the response.</p>
|
||||
|
||||
<p align="left">The above process is called<i> Port Forwarding</i> or <i>
|
||||
Destination Network Address Translation</i> (DNAT). You configure port
|
||||
@ -507,8 +528,8 @@ in the response.</p>
|
||||
</table>
|
||||
</blockquote>
|
||||
|
||||
<p>If you don't specify the <i><server port></i>, it is assumed to be
|
||||
the same as <i><port></i>.</p>
|
||||
<p>If you don't specify the <i><server port></i>, it is assumed to
|
||||
be the same as <i><port></i>.</p>
|
||||
|
||||
<p>Example - you run a Web Server on DMZ 2 and you want to forward incoming
|
||||
TCP port 80 to that system:</p>
|
||||
@ -554,9 +575,9 @@ the same as <i><port></i>.</p>
|
||||
<ul>
|
||||
<li>When you are connecting to your server from your local systems,
|
||||
you must use the server's internal IP address (10.10.11.2).</li>
|
||||
<li>Many ISPs block incoming connection requests to port 80. If
|
||||
you have problems connecting to your web server, try the following rule
|
||||
and try connecting to port 5000 (e.g., connect to <a
|
||||
<li>Many ISPs block incoming connection requests to port 80.
|
||||
If you have problems connecting to your web server, try the following
|
||||
rule and try connecting to port 5000 (e.g., connect to <a
|
||||
href="http://w.x.y.z:5000"> http://w.x.y.z:5000</a> where w.x.y.z is your
|
||||
external IP).</li>
|
||||
|
||||
@ -590,8 +611,8 @@ and try connecting to port 5000 (e.g., connect to <a
|
||||
</blockquote>
|
||||
|
||||
<p>If you want to be able to access your server from the local network using
|
||||
your external address, then if you have a static external IP you can replace
|
||||
the loc->dmz rule above with:</p>
|
||||
your external address, then if you have a static external IP you can
|
||||
replace the loc->dmz rule above with:</p>
|
||||
|
||||
<blockquote>
|
||||
<table border="1" cellpadding="2" style="border-collapse: collapse;"
|
||||
@ -621,8 +642,8 @@ and try connecting to port 5000 (e.g., connect to <a
|
||||
</blockquote>
|
||||
|
||||
<p>If you have a dynamic ip then you must ensure that your external interface
|
||||
is up before starting Shorewall and you must take steps as follows (assume
|
||||
that your external interface is <b>eth0</b>):</p>
|
||||
is up before starting Shorewall and you must take steps as follows
|
||||
(assume that your external interface is <b>eth0</b>):</p>
|
||||
|
||||
<ol>
|
||||
<li>Include the following in /etc/shorewall/params:<br>
|
||||
@ -662,7 +683,7 @@ and try connecting to port 5000 (e.g., connect to <a
|
||||
</blockquote>
|
||||
|
||||
<p>If you want to access your server from the DMZ using your external IP
|
||||
address, see <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p>
|
||||
address, see <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p>
|
||||
|
||||
<p><img border="0" src="images/BD21298_2.gif" width="13" height="13">
|
||||
At this point, add the DNAT and ACCEPT rules for your servers.
|
||||
@ -673,35 +694,36 @@ address, see <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p>
|
||||
<p align="left">Normally, when you connect to your ISP, as part of getting
|
||||
an IP address your firewall's <i>Domain Name Service </i>(DNS) resolver
|
||||
will be automatically configured (e.g., the /etc/resolv.conf file will
|
||||
be written). Alternatively, your ISP may have given you the IP address of
|
||||
a pair of DNS <i> name servers</i> for you to manually configure as your
|
||||
primary and secondary name servers. It is <u>your</u> responsibility to
|
||||
configure the resolver in your internal systems. You can take one of two
|
||||
approaches:</p>
|
||||
be written). Alternatively, your ISP may have given you the IP address
|
||||
of a pair of DNS <i> name servers</i> for you to manually configure as
|
||||
your primary and secondary name servers. It is <u>your</u> responsibility
|
||||
to configure the resolver in your internal systems. You can take one
|
||||
of two approaches:</p>
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
<p align="left">You can configure your internal systems to use your ISP's
|
||||
name servers. If you ISP gave you the addresses of their servers or
|
||||
if those addresses are available on their web site, you can configure
|
||||
your internal systems to use those addresses. If that information isn't
|
||||
available, look in /etc/resolv.conf on your firewall system -- the name
|
||||
servers are given in "nameserver" records in that file. </p>
|
||||
name servers. If you ISP gave you the addresses of their servers
|
||||
or if those addresses are available on their web site, you can configure
|
||||
your internal systems to use those addresses. If that information
|
||||
isn't available, look in /etc/resolv.conf on your firewall system
|
||||
-- the name servers are given in "nameserver" records in that file.
|
||||
</p>
|
||||
</li>
|
||||
<li>
|
||||
<p align="left"><img border="0" src="images/BD21298_2.gif"
|
||||
width="13" height="13">
|
||||
You can configure a<i> Caching Name Server </i>on your firewall
|
||||
or in your DMZ.<i> </i>Red Hat has an RPM for a caching name server (which
|
||||
also requires the 'bind' RPM) and for Bering users, there is dnscache.lrp.
|
||||
If you take this approach, you configure your internal systems to use
|
||||
the caching name server as their primary (and only) name server. You use
|
||||
the internal IP address of the firewall (10.10.10.254 in the example above)
|
||||
for the name server address if you choose to run the name server on
|
||||
your firewall. To allow your local systems to talk to your caching name
|
||||
server, you must open port 53 (both UDP and TCP) from the local network
|
||||
to the server; you do that by adding the rules in /etc/shorewall/rules.
|
||||
</p>
|
||||
or in your DMZ.<i> </i>Red Hat has an RPM for a caching name server
|
||||
(which also requires the 'bind' RPM) and for Bering users, there
|
||||
is dnscache.lrp. If you take this approach, you configure your internal
|
||||
systems to use the caching name server as their primary (and only)
|
||||
name server. You use the internal IP address of the firewall (10.10.10.254
|
||||
in the example above) for the name server address if you choose to
|
||||
run the name server on your firewall. To allow your local systems to talk
|
||||
to your caching name server, you must open port 53 (both UDP and TCP)
|
||||
from the local network to the server; you do that by adding the rules
|
||||
in /etc/shorewall/rules. </p>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
@ -917,8 +939,8 @@ to the server; you do that by adding the rules in /etc/shorewall/rules.
|
||||
|
||||
<div align="left">
|
||||
<p align="left">That rule allows you to run an SSH server on your firewall
|
||||
and in each of your DMZ systems and to connect to those servers from
|
||||
your local systems.</p>
|
||||
and in each of your DMZ systems and to connect to those servers
|
||||
from your local systems.</p>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
@ -1004,14 +1026,14 @@ to the server; you do that by adding the rules in /etc/shorewall/rules.
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<p align="left">If you don't know what port and protocol a particular application
|
||||
uses, look <a href="ports.htm">here</a>.</p>
|
||||
<p align="left">If you don't know what port and protocol a particular
|
||||
application uses, look <a href="ports.htm">here</a>.</p>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<p align="left"><b>Important: </b>I don't recommend enabling telnet to/from
|
||||
the internet because it uses clear text (even for login!). If you want
|
||||
shell access to your firewall from the internet, use SSH:</p>
|
||||
the internet because it uses clear text (even for login!). If you
|
||||
want shell access to your firewall from the internet, use SSH:</p>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
@ -1073,8 +1095,8 @@ uses, look <a href="ports.htm">here</a>.</p>
|
||||
|
||||
<div align="left">
|
||||
<p align="left">The firewall is started using the "shorewall start" command
|
||||
and stopped using "shorewall stop". When the firewall is stopped, routing
|
||||
is enabled on those hosts that have an entry in <a
|
||||
and stopped using "shorewall stop". When the firewall is stopped,
|
||||
routing is enabled on those hosts that have an entry in <a
|
||||
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A
|
||||
running firewall may be restarted using the "shorewall restart" command.
|
||||
If you want to totally remove any trace of Shorewall from your Netfilter
|
||||
@ -1085,24 +1107,24 @@ uses, look <a href="ports.htm">here</a>.</p>
|
||||
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
|
||||
height="13">
|
||||
The three-interface sample assumes that you want to enable
|
||||
routing to/from <b>eth1 (</b>your local network) and<b> eth2 </b>(DMZ)
|
||||
when Shorewall is stopped. If these two interfaces don't connect to
|
||||
your local network and DMZ or if you want to enable a different set
|
||||
of hosts, modify /etc/shorewall/routestopped accordingly.</p>
|
||||
routing to/from <b>eth1 (</b>your local network) and<b> eth2 </b>(DMZ)
|
||||
when Shorewall is stopped. If these two interfaces don't connect to
|
||||
your local network and DMZ or if you want to enable a different set
|
||||
of hosts, modify /etc/shorewall/routestopped accordingly.</p>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<p align="left"><b>WARNING: </b>If you are connected to your firewall from
|
||||
the internet, do not issue a "shorewall stop" command unless you have
|
||||
added an entry for the IP address that you are connected from to <a
|
||||
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
|
||||
the internet, do not issue a "shorewall stop" command unless you
|
||||
have added an entry for the IP address that you are connected from
|
||||
to <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
|
||||
Also, I don't recommend using "shorewall restart"; it is better to create
|
||||
an <i><a href="configuration_file_basics.htm#Configs">alternate configuration</a></i>
|
||||
and test it using the <a
|
||||
href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p>
|
||||
</div>
|
||||
|
||||
<p align="left"><font size="2">Last updated 11/21/2002 - <a
|
||||
<p align="left"><font size="2">Last updated 12/20/2002 - <a
|
||||
href="support.htm">Tom Eastep</a></font></p>
|
||||
|
||||
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas
|
||||
@ -1115,5 +1137,8 @@ of hosts, modify /etc/shorewall/routestopped accordingly.</p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -20,6 +20,7 @@
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
|
||||
<h1 align="center"><font color="#ffffff">Traffic Shaping/Control</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
@ -28,42 +29,53 @@
|
||||
</table>
|
||||
|
||||
<p align="left">Beginning with version 1.2.0, Shorewall has limited support
|
||||
for traffic shaping/control. In order to use traffic shaping under Shorewall,
|
||||
it is essential that you get a copy of the <a
|
||||
for traffic shaping/control. In order to use traffic shaping under Shorewall,
|
||||
it is essential that you get a copy of the <a
|
||||
href="http://ds9a.nl/lartc">Linux Advanced Routing and Shaping HOWTO</a>,
|
||||
version 0.3.0 or later. You must also install the iproute (iproute2) package
|
||||
to provide the "ip" and "tc" utilities.</p>
|
||||
version 0.3.0 or later. You must also install the iproute (iproute2) package
|
||||
to provide the "ip" and "tc" utilities.</p>
|
||||
|
||||
<p align="left">Shorewall traffic shaping support consists of the following:</p>
|
||||
|
||||
<ul>
|
||||
<li>A new TC_ENABLED parameter in /etc/shorewall.conf. Traffic Shaping
|
||||
also requires that you enable packet mangling.<br>
|
||||
<li>A new TC_ENABLED parameter in /etc/shorewall.conf. Traffic
|
||||
Shaping also requires that you enable packet mangling.<br>
|
||||
</li>
|
||||
<li>/etc/shorewall/tcrules - A file where you can specify firewall
|
||||
marking of packets. The firewall mark value may be used to classify packets
|
||||
for traffic shaping/control.<br>
|
||||
marking of packets. The firewall mark value may be used to classify
|
||||
packets for traffic shaping/control.<br>
|
||||
</li>
|
||||
<li>/etc/shorewall/tcstart - A user-supplied file that is sourced
|
||||
by Shorewall during "shorewall start" and which you can use to define
|
||||
your traffic shaping disciplines and classes. I have provided a <a
|
||||
by Shorewall during "shorewall start" and which you can use to define
|
||||
your traffic shaping disciplines and classes. I have provided a <a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/cbq">sample</a> that does
|
||||
table-driven CBQ shaping but if you read the traffic shaping sections of
|
||||
the HOWTO mentioned above, you can probably code your own faster than
|
||||
you can learn how to use my sample. I personally use <a
|
||||
the HOWTO mentioned above, you can probably code your own faster than
|
||||
you can learn how to use my sample. I personally use <a
|
||||
href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB</a> (see below). HTB
|
||||
support may eventually become an integral part of Shorewall since HTB
|
||||
is a lot simpler and better-documented than CBQ. HTB is currently not
|
||||
a standard part of either the kernel or iproute2 so both must be patched
|
||||
in order to use it.<br>
|
||||
support may eventually become an integral part of Shorewall since
|
||||
HTB is a lot simpler and better-documented than CBQ. As of 2.4.20,
|
||||
HTB is a standard part of the kernel but iproute2 must be patched in
|
||||
order to use it.<br>
|
||||
<br>
|
||||
In tcstart, when you want to run the 'tc' utility, use the run_tc function
|
||||
supplied by shorewall. <br>
|
||||
In tcstart, when you want to run the 'tc' utility, use the run_tc
|
||||
function supplied by shorewall if you want tc errors to stop the firewall.<br>
|
||||
<br>
|
||||
You can generally use off-the-shelf traffic shaping scripts by simply copying
|
||||
them to /etc/shorewall/tcstart. I use <a
|
||||
href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (HTB version)
|
||||
that way (i.e., I just copied wshaper.htb to /etc/shorewall/tcstart and
|
||||
modified it according to the Wonder Shaper README). <b>WARNING: </b>If you
|
||||
use use Masquerading or SNAT (i.e., you only have one external IP address)
|
||||
then listing internal hosts in the NOPRIOHOSTSRC variable in the wshaper[.htb]
|
||||
script won't work. Traffic shaping occurs after SNAT has already been applied
|
||||
so when traffic shaping happens, all outbound traffic will have as a source
|
||||
address the IP addresss of your firewall's external interface.<br>
|
||||
</li>
|
||||
<li>/etc/shorewall/tcclear - A user-supplied file that is sourced
|
||||
by Shorewall when it is clearing traffic shaping. This file is normally
|
||||
not required as Shorewall's method of clearing qdisc and filter definitions
|
||||
is pretty general.</li>
|
||||
by Shorewall when it is clearing traffic shaping. This file is normally
|
||||
not required as Shorewall's method of clearing qdisc and filter definitions
|
||||
is pretty general.</li>
|
||||
|
||||
</ul>
|
||||
|
||||
@ -78,46 +90,54 @@ is pretty general.</li>
|
||||
<h3 align="left"><a name="tcrules"></a>/etc/shorewall/tcrules</h3>
|
||||
|
||||
<p align="left">The fwmark classifier provides a convenient way to classify
|
||||
packets for traffic shaping. The /etc/shorewall/tcrules file provides a
|
||||
means for specifying these marks in a tabular fashion.</p>
|
||||
packets for traffic shaping. The /etc/shorewall/tcrules file provides
|
||||
a means for specifying these marks in a tabular fashion.<br>
|
||||
</p>
|
||||
<p align="left">Normally, packet marking occurs in the PREROUTING chain before
|
||||
any address rewriting takes place. This makes it impossible to mark inbound
|
||||
packets based on their destination address when SNAT or Masquerading are
|
||||
being used. Beginning with Shorewall 1.3.12, you can cause packet marking
|
||||
to occur in the FORWARD chain by using the MARK_IN_FORWARD_CHAIN option in
|
||||
<a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
|
||||
</p>
|
||||
|
||||
<p align="left">Columns in the file are as follows:</p>
|
||||
|
||||
<ul>
|
||||
<li>MARK - Specifies the mark value is to be assigned in case of
|
||||
a match. This is an integer in the range 1-255.<br>
|
||||
a match. This is an integer in the range 1-255.<br>
|
||||
<br>
|
||||
Example - 5<br>
|
||||
</li>
|
||||
<li>SOURCE - The source of the packet. If the packet originates on
|
||||
the firewall, place "fw" in this column. Otherwise, this is a comma-separated
|
||||
list of interface names, IP addresses, MAC addresses in <a
|
||||
href="Documentation.htm#MAC">Shorewall Format</a> and/or Subnets.<br>
|
||||
<li>SOURCE - The source of the packet. If the packet originates
|
||||
on the firewall, place "fw" in this column. Otherwise, this is a
|
||||
comma-separated list of interface names, IP addresses, MAC addresses in
|
||||
<a href="Documentation.htm#MAC">Shorewall Format</a> and/or Subnets.<br>
|
||||
<br>
|
||||
Examples<br>
|
||||
eth0<br>
|
||||
192.168.2.4,192.168.1.0/24<br>
|
||||
</li>
|
||||
<li>DEST -- Destination of the packet. Comma-separated list of IP
|
||||
addresses and/or subnets.<br>
|
||||
<li>DEST -- Destination of the packet. Comma-separated list of
|
||||
IP addresses and/or subnets.<br>
|
||||
</li>
|
||||
<li>PROTO - Protocol - Must be the name of a protocol from /etc/protocol,
|
||||
a number or "all"<br>
|
||||
<li>PROTO - Protocol - Must be the name of a protocol from
|
||||
/etc/protocol, a number or "all"<br>
|
||||
</li>
|
||||
<li>PORT(S) - Destination Ports. A comma-separated list of Port names
|
||||
(from /etc/services), port numbers or port ranges (e.g., 21:22); if the
|
||||
protocol is "icmp", this column is interpreted as the destination icmp
|
||||
type(s).<br>
|
||||
<li>PORT(S) - Destination Ports. A comma-separated list of Port
|
||||
names (from /etc/services), port numbers or port ranges (e.g., 21:22);
|
||||
if the protocol is "icmp", this column is interpreted as the destination
|
||||
icmp type(s).<br>
|
||||
</li>
|
||||
<li>CLIENT PORT(S) - (Optional) Port(s) used by the client. If omitted,
|
||||
any source port is acceptable. Specified as a comma-separate list of port
|
||||
names, port numbers or port ranges.</li>
|
||||
<li>CLIENT PORT(S) - (Optional) Port(s) used by the client. If
|
||||
omitted, any source port is acceptable. Specified as a comma-separate
|
||||
list of port names, port numbers or port ranges.</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<p align="left">Example 1 - All packets arriving on eth1 should be marked
|
||||
with 1. All packets arriving on eth2 should be marked with 2. All packets
|
||||
originating on the firewall itself should be marked with 3.</p>
|
||||
with 1. All packets arriving on eth2 and eth3 should be marked with 2.
|
||||
All packets originating on the firewall itself should be marked with 3.</p>
|
||||
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
@ -145,6 +165,20 @@ originating on the firewall itself should be marked with 3.</p>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">2<br>
|
||||
</td>
|
||||
<td valign="top">eth3<br>
|
||||
</td>
|
||||
<td valign="top">0.0.0.0/0<br>
|
||||
</td>
|
||||
<td valign="top">all<br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>3</td>
|
||||
<td>fw</td>
|
||||
@ -158,7 +192,8 @@ originating on the firewall itself should be marked with 3.</p>
|
||||
</table>
|
||||
|
||||
<p align="left">Example 2 - All GRE (protocol 47) packets not originating
|
||||
on the firewall and destined for 155.186.235.151 should be marked with 12.</p>
|
||||
on the firewall and destined for 155.186.235.151 should be marked with
|
||||
12.</p>
|
||||
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
@ -183,7 +218,7 @@ on the firewall and destined for 155.186.235.151 should be marked with 12.</p>
|
||||
</table>
|
||||
|
||||
<p align="left">Example 3 - All SSH packets originating in 192.168.1.0/24
|
||||
and destined for 155.186.235.151 should be marked with 22.</p>
|
||||
and destined for 155.186.235.151 should be marked with 22.</p>
|
||||
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
@ -207,51 +242,52 @@ and destined for 155.186.235.151 should be marked with 22.</p>
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<h3>Hierarchical Token Bucket</h3>
|
||||
<h3>My Setup<br>
|
||||
</h3>
|
||||
|
||||
<p>I personally use HTB. I have found a couple of things that may be of use
|
||||
to others.</p>
|
||||
|
||||
<ul>
|
||||
<li>The gzipped tc binary at the <a
|
||||
href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB website</a> didn't work
|
||||
for me -- I had to download the lastest version of the <a
|
||||
href="ftp://ftp.inr.ac.ru/ip-routing">iproute2 sources</a> and patch
|
||||
them for HTB.</li>
|
||||
<li>I'm currently running with this set of shaping rules in my tcstart
|
||||
file. I recently changed from using a ceiling of 10Mbit (interface speed)
|
||||
to 384kbit (DSP Uplink speed).<br>
|
||||
<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
<p>While I am currently using the HTB version of <a
|
||||
href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (I just copied
|
||||
wshaper.htb to /etc/shorewall/tcstart and modified it as shown in the Wondershaper
|
||||
README), I have also run with the following set of hand-crafted rules in
|
||||
my tcstart file:<br>
|
||||
</p>
|
||||
|
||||
<blockquote>
|
||||
<pre>run_tc qdisc add dev eth0 root handle 1: htb default 30<br>run_tc class add dev eth0 parent 1: classid 1:1 htb rate 384kbit burst 15k<br><br>echo " Added Top Level Class -- rate 384kbit"</pre>
|
||||
<pre>run_tc qdisc add dev eth0 root handle 1: htb default 30<br><br>run_tc class add dev eth0 parent 1: classid 1:1 htb rate 384kbit burst 15k<br><br>echo " Added Top Level Class -- rate 384kbit"</pre>
|
||||
|
||||
<pre>run_tc class add dev eth0 parent 1:1 classid 1:10 htb rate 140kbit ceil 384kbit burst 15k<br>run_tc class add dev eth0 parent 1:1 classid 1:20 htb rate 224kbit ceil 384kbit burst 15k<br>run_tc class add dev eth0 parent 1:1 classid 1:30 htb rate 20kbit ceil 384kbit burst 15k quantum 1500</pre>
|
||||
<pre>run_tc class add dev eth0 parent 1:1 classid 1:10 htb rate 140kbit ceil 384kbit burst 15k prio 1<br>run_tc class add dev eth0 parent 1:1 classid 1:20 htb rate 224kbit ceil 384kbit burst 15k prio 0<br>run_tc class add dev eth0 parent 1:1 classid 1:30 htb rate 20kbit ceil 384kbit burst 15k quantum 1500 prio 1</pre>
|
||||
|
||||
<pre>echo " Added Second Level Classes -- rates 140kbit, 224kbit, 20kbit"</pre>
|
||||
|
||||
<pre>run_tc qdisc add dev eth0 parent 1:10 sfq perturb 10<br>run_tc qdisc add dev eth0 parent 1:20 sfq perturb 10<br>run_tc qdisc add dev eth0 parent 1:30 sfq perturb 10</pre>
|
||||
<pre>run_tc qdisc add dev eth0 parent 1:10 pfifo limit 5<br>run_tc qdisc add dev eth0 parent 1:20 pfifo limit 10<br>run_tc qdisc add dev eth0 parent 1:30 pfifo limit 5</pre>
|
||||
|
||||
<pre>echo " Enabled SFQ on Second Level Classes"</pre>
|
||||
<pre>echo " Enabled PFIFO on Second Level Classes"</pre>
|
||||
|
||||
<pre>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:10<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 2 fw classid 1:20<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw classid 1:30</pre>
|
||||
<pre>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:10<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 0 handle 2 fw classid 1:20<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw classid 1:30</pre>
|
||||
|
||||
<pre>echo " Defined fwmark filters"<br></pre>
|
||||
|
||||
<p>My tcrules file is shown in Example 1 above. You can look at my <a
|
||||
href="myfiles.htm">network configuration</a> to get an idea of why I want
|
||||
these particular rules.<font face="Courier" size="2"><br>
|
||||
</font></p>
|
||||
</blockquote>
|
||||
|
||||
<p><font size="2">Last Updated 10/25/2002 - <a href="support.htm">Tom Eastep</a></font></p>
|
||||
<p>My tcrules file that went with this tcstart file is shown in Example 1
|
||||
above. You can look at my <a href="myfiles.htm">network configuration</a>
|
||||
to get an idea of why I wanted these particular rules.<br>
|
||||
</p>
|
||||
|
||||
<ol>
|
||||
<li>I wanted to allow up to 140kbits/second for traffic outbound from
|
||||
my DMZ (note that the ceiling is set to 384kbit so outbound DMZ traffic
|
||||
can use all available bandwidth if there is no traffic from the local systems
|
||||
or from my laptop or firewall).</li>
|
||||
<li>My laptop and local systems could use up to 224kbits/second.</li>
|
||||
<li>My firewall could use up to 20kbits/second.<br>
|
||||
</li>
|
||||
|
||||
</ol>
|
||||
|
||||
<p><font size="2">Last Updated 12/20/2002 - <a href="support.htm">Tom Eastep</a></font></p>
|
||||
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
|
||||
<br>
|
||||
<br>
|
||||
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
|
||||
</p>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -18,7 +18,11 @@
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">Shorewall Troubleshooting</font></h1>
|
||||
|
||||
<h1 align="center"><font color="#ffffff">Shorewall Troubleshooting<img
|
||||
src="images/obrasinf.gif" alt="Beating head on table" width="90"
|
||||
height="90" align="middle">
|
||||
</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
@ -29,7 +33,7 @@
|
||||
|
||||
<p align="left">Check the <a href="errata.htm">Shorewall Errata</a> to be
|
||||
sure that there isn't an update that you are missing for your version
|
||||
of the firewall.</p>
|
||||
of the firewall.</p>
|
||||
|
||||
<h3 align="left">Check the FAQs</h3>
|
||||
|
||||
@ -37,32 +41,50 @@ of the firewall.</p>
|
||||
problems.</p>
|
||||
|
||||
<h3 align="left">If the firewall fails to start</h3>
|
||||
If you receive an error message when starting or restarting the firewall
|
||||
and you can't determine the cause, then do the following:
|
||||
If you receive an error message when starting or restarting the
|
||||
firewall and you can't determine the cause, then do the following:
|
||||
|
||||
<ul>
|
||||
<li>Make a note of the error message that you see.<br>
|
||||
</li>
|
||||
<li>shorewall debug start 2> /tmp/trace</li>
|
||||
<li>Look at the /tmp/trace file and see if that helps you determine
|
||||
what the problem is.</li>
|
||||
<li>If you still can't determine what's wrong then see the <a
|
||||
href="support.htm">support page</a>.</li>
|
||||
<li>Look at the /tmp/trace file and see if that helps you
|
||||
determine what the problem is. Be sure you find the place in the log where
|
||||
the error message you saw is generated -- in 99.9% of the cases, it will
|
||||
not be near the end of the log because after startup errors, Shorewall goes
|
||||
through a "shorewall stop" phase which will also be traced.</li>
|
||||
<li>If you still can't determine what's wrong then see the
|
||||
<a href="support.htm">support page</a>.</li>
|
||||
|
||||
</ul>
|
||||
Here's an example. During startup, a user sees the following:<br>
|
||||
<blockquote>
|
||||
<pre>Adding Common Rules<br>iptables: No chain/target/match by that name<br>Terminated<br></pre>
|
||||
</blockquote>
|
||||
A search through the trace for "No chain/target/match by that name" turned
|
||||
up the following:
|
||||
<blockquote>
|
||||
<pre>+ echo 'Adding Common Rules'<br>+ add_common_rules<br>+ run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset<br>++ echo -A reject -p tcp -j REJECT --reject-with tcp-reset<br>++ sed 's/!/! /g'<br>+ iptables -A reject -p tcp -j REJECT --reject-with tcp-reset<br>iptables: No chain/target/match by that name<br></pre>
|
||||
</blockquote>
|
||||
The command that failed was: "iptables -A reject -p tcp -j REJECT --reject-with
|
||||
tcp-reset". In this case, the user had compiled his own kernel and had forgotten
|
||||
to include REJECT target support (see <a href="kernel.htm">kernel.htm</a>)
|
||||
|
||||
<h3>Your network environment</h3>
|
||||
|
||||
<p>Many times when people have problems with Shorewall, the problem is
|
||||
actually an ill-conceived network setup. Here are several popular snafus:
|
||||
</p>
|
||||
</p>
|
||||
|
||||
<ul>
|
||||
<li>Port Forwarding where client and server are in the same
|
||||
subnet. See <a href="FAQ.htm">FAQ 2.</a></li>
|
||||
<li>Port Forwarding where client and server are in the
|
||||
same subnet. See <a href="FAQ.htm">FAQ 2.</a></li>
|
||||
<li>Changing the IP address of a local system to be in the external
|
||||
subnet, thinking that Shorewall will suddenly believe that the system
|
||||
is in the 'net' zone.</li>
|
||||
<li>Multiple interfaces connected to the same HUB or Switch. Given
|
||||
the way that the Linux kernel respond to ARP "who-has" requests, this
|
||||
type of setup does NOT work the way that you expect it to.</li>
|
||||
the way that the Linux kernel respond to ARP "who-has" requests, this
|
||||
type of setup does NOT work the way that you expect it to.</li>
|
||||
|
||||
</ul>
|
||||
|
||||
@ -71,8 +93,8 @@ type of setup does NOT work the way that you expect it to.</li>
|
||||
<p align="left">If the appropriate policy for the connection that you are
|
||||
trying to make is ACCEPT, please DO NOT ADD ADDITIONAL ACCEPT RULES TRYING
|
||||
TO MAKE IT WORK. Such additional rules will NEVER make it work, they add
|
||||
clutter to your rule set and they represent a big security hole in the event
|
||||
that you forget to remove them later.</p>
|
||||
clutter to your rule set and they represent a big security hole in the event
|
||||
that you forget to remove them later.</p>
|
||||
|
||||
<p align="left">I also recommend against setting all of your policies to
|
||||
ACCEPT in an effort to make something work. That robs you of one of
|
||||
@ -80,10 +102,10 @@ that you forget to remove them later.</p>
|
||||
will generate when you try to connect in a way that isn't permitted
|
||||
by your rule set.</p>
|
||||
|
||||
<p align="left">Check your log. If you don't see Shorewall messages, then
|
||||
your problem is probably NOT a Shorewall problem. If you DO see packet messages,
|
||||
it may be an indication that you are missing one or more rules -- see <a
|
||||
href="FAQ.htm#faq17">FAQ 17</a>.</p>
|
||||
<p align="left">Check your log ("/sbin/shorewall show log"). If you don't
|
||||
see Shorewall messages, then your problem is probably NOT a Shorewall problem.
|
||||
If you DO see packet messages, it may be an indication that you are missing
|
||||
one or more rules -- see <a href="FAQ.htm#faq17">FAQ 17</a>.</p>
|
||||
|
||||
<p align="left">While you are troubleshooting, it is a good idea to clear
|
||||
two variables in /etc/shorewall/shorewall.conf:</p>
|
||||
@ -96,16 +118,18 @@ that you forget to remove them later.</p>
|
||||
|
||||
<p align="left">Example:</p>
|
||||
<font face="Century Gothic, Arial, Helvetica">
|
||||
|
||||
<p align="left"><font face="Courier">Jun 27 15:37:56 gateway kernel:
|
||||
Shorewall:all2all:REJECT:IN=eth2 OUT=eth1 SRC=192.168.2.2 DST=192.168.1.3
|
||||
LEN=67 TOS=0x00 PREC=0x00 TTL=63 ID=5805 DF PROTO=UDP SPT=1803 DPT=53 LEN=47</font></p>
|
||||
LEN=67 TOS=0x00 PREC=0x00 TTL=63 ID=5805 DF PROTO=UDP SPT=1803 DPT=53
|
||||
LEN=47</font></p>
|
||||
</font>
|
||||
<p align="left">Let's look at the important parts of this message:</p>
|
||||
|
||||
<ul>
|
||||
<li>all2all:REJECT - This packet was REJECTed out of the all2all chain
|
||||
-- the packet was rejected under the "all"->"all" REJECT policy (see
|
||||
<a href="FAQ.htm#faq17">FAQ 17).</a></li>
|
||||
<li>all2all:REJECT - This packet was REJECTed out of the all2all
|
||||
chain -- the packet was rejected under the "all"->"all" REJECT policy
|
||||
(see <a href="FAQ.htm#faq17">FAQ 17).</a></li>
|
||||
<li>IN=eth2 - the packet entered the firewall via eth2</li>
|
||||
<li>OUT=eth1 - if accepted, the packet would be sent on eth1</li>
|
||||
<li>SRC=192.168.2.2 - the packet was sent by 192.168.2.2</li>
|
||||
@ -122,70 +146,70 @@ that you forget to remove them later.</p>
|
||||
</p>
|
||||
|
||||
<p align="left">See <a href="FAQ.htm#faq17">FAQ 17</a> for additional information
|
||||
about how to interpret the chain name appearing in a Shorewall log message.<br>
|
||||
about how to interpret the chain name appearing in a Shorewall log message.<br>
|
||||
</p>
|
||||
|
||||
<h3 align="left">Other Gotchas</h3>
|
||||
|
||||
<ul>
|
||||
<li>Seeing rejected/dropped packets logged out of the INPUT or FORWARD
|
||||
chains? This means that:
|
||||
<li>Seeing rejected/dropped packets logged out of the INPUT or
|
||||
FORWARD chains? This means that:
|
||||
<ol>
|
||||
<li>your zone definitions are screwed up and the host that is sending
|
||||
the packets or the destination host isn't in any zone (using an
|
||||
<a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a> file are
|
||||
you?); or</li>
|
||||
<li>the source and destination hosts are both connected to the same
|
||||
interface and that interface doesn't have the 'multi' option specified
|
||||
in <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
|
||||
<li>your zone definitions are screwed up and the host that is
|
||||
sending the packets or the destination host isn't in any zone (using
|
||||
an <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a> file
|
||||
are you?); or</li>
|
||||
<li>the source and destination hosts are both connected to the
|
||||
same interface and that interface doesn't have the 'multi' option
|
||||
specified in <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
|
||||
|
||||
</ol>
|
||||
</li>
|
||||
<li>Remember that Shorewall doesn't automatically allow ICMP type
|
||||
8 ("ping") requests to be sent between zones. If you want pings to be
|
||||
allowed between zones, you need a rule of the form:<br>
|
||||
<li>Remember that Shorewall doesn't automatically allow ICMP
|
||||
type 8 ("ping") requests to be sent between zones. If you want pings
|
||||
to be allowed between zones, you need a rule of the form:<br>
|
||||
<br>
|
||||
ACCEPT <source zone> <destination zone>
|
||||
icmp echo-request<br>
|
||||
<br>
|
||||
The ramifications of this can be subtle. For example, if you have
|
||||
the following in /etc/shorewall/nat:<br>
|
||||
The ramifications of this can be subtle. For example, if you
|
||||
have the following in /etc/shorewall/nat:<br>
|
||||
<br>
|
||||
10.1.1.2 eth0 130.252.100.18<br>
|
||||
<br>
|
||||
and you ping 130.252.100.18, unless you have allowed icmp type 8
|
||||
between the zone containing the system you are pinging from and the
|
||||
zone containing 10.1.1.2, the ping requests will be dropped. This is
|
||||
true even if you have NOT specified 'noping' for eth0 in /etc/shorewall/interfaces.</li>
|
||||
and you ping 130.252.100.18, unless you have allowed icmp type
|
||||
8 between the zone containing the system you are pinging from and
|
||||
the zone containing 10.1.1.2, the ping requests will be dropped. This
|
||||
is true even if you have NOT specified 'noping' for eth0 in /etc/shorewall/interfaces.</li>
|
||||
<li>If you specify "routefilter" for an interface, that interface
|
||||
must be up prior to starting the firewall.</li>
|
||||
<li>Is your routing correct? For example, internal systems usually
|
||||
need to be configured with their default gateway set to the IP address
|
||||
of their nearest firewall interface. One often overlooked aspect of routing
|
||||
is that in order for two hosts to communicate, the routing between them
|
||||
must be set up <u>in both directions.</u> So when setting up routing
|
||||
need to be configured with their default gateway set to the IP address
|
||||
of their nearest firewall interface. One often overlooked aspect of
|
||||
routing is that in order for two hosts to communicate, the routing between
|
||||
them must be set up <u>in both directions.</u> So when setting up routing
|
||||
between <b>A</b> and<b> B</b>, be sure to verify that the route from
|
||||
<b>B</b> back to <b>A</b> is defined.</li>
|
||||
<li>Some versions of LRP (EigerStein2Beta for example) have a
|
||||
shell with broken variable expansion. <a
|
||||
shell with broken variable expansion. <a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/ash.gz"> You can get a corrected
|
||||
shell from the Shorewall Errata download site.</a> </li>
|
||||
<li>Do you have your kernel properly configured? <a
|
||||
href="kernel.htm">Click here to see my kernel configuration.</a> </li>
|
||||
<li>Some features require the "ip" program. That program is generally
|
||||
included in the "iproute" package which should be included with your
|
||||
distribution (though many distributions don't install iproute by
|
||||
default). You may also download the latest source tarball from <a
|
||||
<li>Some features require the "ip" program. That program is
|
||||
generally included in the "iproute" package which should be included
|
||||
with your distribution (though many distributions don't install iproute
|
||||
by default). You may also download the latest source tarball from <a
|
||||
href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank"> ftp://ftp.inr.ac.ru/ip-routing</a>
|
||||
.</li>
|
||||
<li>If you have <u>any</u> entry for a zone in /etc/shorewall/hosts
|
||||
then the zone must be entirely defined in /etc/shorewall/hosts unless
|
||||
you have specified MERGE_HOSTS=Yes (Shorewall version 1.3.5 and later).
|
||||
For example, if a zone has two interfaces but only one interface has an
|
||||
entry in /etc/shorewall/hosts then hosts attached to the other interface
|
||||
will <u>not</u> be considered part of the zone.</li>
|
||||
you have specified MERGE_HOSTS=Yes (Shorewall version 1.3.5 and later).
|
||||
For example, if a zone has two interfaces but only one interface has
|
||||
an entry in /etc/shorewall/hosts then hosts attached to the other interface
|
||||
will <u>not</u> be considered part of the zone.</li>
|
||||
<li>Problems with NAT? Be sure that you let Shorewall add all
|
||||
external addresses to be use with NAT unless you have set <a
|
||||
external addresses to be use with NAT unless you have set <a
|
||||
href="Documentation.htm#Aliases"> ADD_IP_ALIASES</a> =No in /etc/shorewall/shorewall.conf.</li>
|
||||
|
||||
</ul>
|
||||
@ -194,12 +218,17 @@ external addresses to be use with NAT unless you have set <a
|
||||
|
||||
<p>See the<a href="support.htm"> support page.</a></p>
|
||||
<font face="Century Gothic, Arial, Helvetica">
|
||||
|
||||
<blockquote> </blockquote>
|
||||
</font>
|
||||
<p><font size="2">Last updated 11/21/2002 - Tom Eastep</font> </p>
|
||||
<p><font size="2">Last updated 12/4/2002 - Tom Eastep</font> </p>
|
||||
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
|
||||
</p>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -22,6 +22,7 @@
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
|
||||
<h1 align="center"><font color="#ffffff">Basic Two-Interface Firewall</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
@ -38,10 +39,11 @@
|
||||
in its most common configuration:</p>
|
||||
|
||||
<ul>
|
||||
<li>Linux system used as a firewall/router for a small local network.</li>
|
||||
<li>Linux system used as a firewall/router for a small local
|
||||
network.</li>
|
||||
<li>Single public IP address.</li>
|
||||
<li>Internet connection through cable modem, DSL, ISDN, Frame Relay,
|
||||
dial-up ...</li>
|
||||
<li>Internet connection through cable modem, DSL, ISDN, Frame
|
||||
Relay, dial-up ...</li>
|
||||
|
||||
</ul>
|
||||
|
||||
@ -51,44 +53,54 @@
|
||||
height="635">
|
||||
</p>
|
||||
|
||||
<p><b>If you are running Shorewall under Mandrake 9.0 or later, you can easily
|
||||
configure the above setup using the Mandrake "Internet Connection Sharing"
|
||||
applet. From the Mandrake Control Center, select "Network & Internet"
|
||||
then "Connection Sharing". You should not need to refer to this guide.</b><br>
|
||||
</p>
|
||||
|
||||
<p>This guide assumes that you have the iproute/iproute2 package installed
|
||||
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell
|
||||
if this package is installed by the presence of an <b>ip</b> program on
|
||||
your firewall system. As root, you can use the 'which' command to check
|
||||
for this program:</p>
|
||||
if this package is installed by the presence of an <b>ip</b> program on
|
||||
your firewall system. As root, you can use the 'which' command to check
|
||||
for this program:</p>
|
||||
|
||||
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
|
||||
|
||||
<p>I recommend that you first read through the guide to familiarize yourself
|
||||
with what's involved then go back through it again making your configuration
|
||||
changes. Points at which configuration changes are recommended are flagged
|
||||
with <img border="0" src="images/BD21298_.gif" width="13" height="13">
|
||||
with <img border="0" src="images/BD21298_.gif" width="13"
|
||||
height="13">
|
||||
.</p>
|
||||
|
||||
<p><img border="0" src="images/j0213519.gif" width="60" height="60">
|
||||
If you edit your configuration files on a Windows system, you must
|
||||
save them as Unix files if your editor supports that option or you must
|
||||
run them through dos2unix before trying to use them. Similarly, if you
|
||||
copy a configuration file from your Windows hard drive to a floppy disk,
|
||||
you must run dos2unix against the copy before using it with Shorewall.</p>
|
||||
If you edit your configuration files on a Windows system, you
|
||||
must save them as Unix files if your editor supports that option or you
|
||||
must run them through dos2unix before trying to use them. Similarly, if
|
||||
you copy a configuration file from your Windows hard drive to a floppy
|
||||
disk, you must run dos2unix against the copy before using it with Shorewall.</p>
|
||||
|
||||
<ul>
|
||||
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
|
||||
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows
|
||||
Version of dos2unix</a></li>
|
||||
<li><a
|
||||
href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version
|
||||
of dos2unix</a></li>
|
||||
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
|
||||
Version of dos2unix</a></li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h2 align="left">Shorewall Concepts</h2>
|
||||
|
||||
<p>The configuration files for Shorewall are contained in the directory
|
||||
/etc/shorewall -- for simple setups, you will only need to deal with a few
|
||||
of these as described in this guide. After you have <a
|
||||
href="Install.htm">installed Shorewall</a>, download the <a
|
||||
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
|
||||
alt="">
|
||||
The configuration files for Shorewall are contained in the directory
|
||||
/etc/shorewall -- for simple setups, you will only need to deal with a
|
||||
few of these as described in this guide. After you have <a
|
||||
href="Install.htm">installed Shorewall</a>, <b>download the <a
|
||||
href="/pub/shorewall/LATEST.samples/two-interfaces.tgz">two-interface sample</a>,
|
||||
un-tar it (tar -zxvf two-interfaces.tgz) and and copy the files to /etc/shorewall
|
||||
(these files will replace files with the same name).</p>
|
||||
(these files will replace files with the same name).</b></p>
|
||||
|
||||
<p>As each file is introduced, I suggest that you look through the actual
|
||||
file on your system -- each file contains detailed configuration instructions
|
||||
@ -127,20 +139,20 @@ of these as described in this guide. After you have <a
|
||||
in terms of zones.</p>
|
||||
|
||||
<ul>
|
||||
<li>You express your default policy for connections from one zone
|
||||
to another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
|
||||
<li>You express your default policy for connections from one
|
||||
zone to another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
|
||||
</a>file.</li>
|
||||
<li>You define exceptions to those default policies in the <a
|
||||
href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
|
||||
<li>You define exceptions to those default policies in the
|
||||
<a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<p>For each connection request entering the firewall, the request is first
|
||||
checked against the /etc/shorewall/rules file. If no rule in that file
|
||||
matches the connection request then the first policy in /etc/shorewall/policy
|
||||
that matches the request is applied. If that policy is REJECT or DROP
|
||||
the request is first checked against the rules in /etc/shorewall/common (the
|
||||
samples provide that file for you).</p>
|
||||
matches the connection request then the first policy in /etc/shorewall/policy
|
||||
that matches the request is applied. If that policy is REJECT or DROP
|
||||
the request is first checked against the rules in /etc/shorewall/common
|
||||
(the samples provide that file for you).</p>
|
||||
|
||||
<p>The /etc/shorewall/policy file included with the two-interface sample has
|
||||
the following policies:</p>
|
||||
@ -184,8 +196,8 @@ the following policies:</p>
|
||||
|
||||
<blockquote>
|
||||
<p>In the two-interface sample, the line below is included but commented
|
||||
out. If you want your firewall system to have full access to servers on
|
||||
the internet, uncomment that line.</p>
|
||||
out. If you want your firewall system to have full access to servers
|
||||
on the internet, uncomment that line.</p>
|
||||
|
||||
<table border="1" cellpadding="2" style="border-collapse: collapse;"
|
||||
id="AutoNumber3">
|
||||
@ -212,19 +224,19 @@ the following policies:</p>
|
||||
<p>The above policy will:</p>
|
||||
|
||||
<ol>
|
||||
<li>allow all connection requests from your local network to the
|
||||
internet</li>
|
||||
<li>drop (ignore) all connection requests from the internet to your
|
||||
firewall or local network</li>
|
||||
<li>optionally accept all connection requests from the firewall to
|
||||
the internet (if you uncomment the additional policy)</li>
|
||||
<li>allow all connection requests from your local network to
|
||||
the internet</li>
|
||||
<li>drop (ignore) all connection requests from the internet to
|
||||
your firewall or local network</li>
|
||||
<li>optionally accept all connection requests from the firewall
|
||||
to the internet (if you uncomment the additional policy)</li>
|
||||
<li>reject all other connection requests.</li>
|
||||
|
||||
</ol>
|
||||
|
||||
<p><img border="0" src="images/BD21298_.gif" width="13" height="13">
|
||||
At this point, edit your /etc/shorewall/policy and make any changes
|
||||
that you wish.</p>
|
||||
At this point, edit your /etc/shorewall/policy and make any
|
||||
changes that you wish.</p>
|
||||
|
||||
<h2 align="left">Network Interfaces</h2>
|
||||
|
||||
@ -237,38 +249,38 @@ connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
|
||||
will be the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>)
|
||||
<u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol
|
||||
over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling
|
||||
<u>P</u>rotocol </i>(PPTP) in which case the External Interface will be
|
||||
a ppp interface (e.g., <b>ppp0</b>). If you connect via a regular modem,
|
||||
<u>P</u>rotocol </i>(PPTP) in which case the External Interface will
|
||||
be a ppp interface (e.g., <b>ppp0</b>). If you connect via a regular modem,
|
||||
your External Interface will also be <b>ppp0</b>. If you connect via ISDN,
|
||||
your external interface will be <b>ippp0.</b></p>
|
||||
|
||||
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
|
||||
height="13">
|
||||
If your external interface is <b>ppp0</b> or<b> ippp0</b> then
|
||||
you will want to set CLAMPMSS=yes in <a href="Documentation.htm#Conf">
|
||||
/etc/shorewall/shorewall.conf.</a></p>
|
||||
If your external interface is <b>ppp0</b> or<b> ippp0</b>
|
||||
then you will want to set CLAMPMSS=yes in <a
|
||||
href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf.</a></p>
|
||||
|
||||
<p align="left">Your <i>Internal Interface</i> will be an ethernet adapter
|
||||
(eth1 or eth0) and will be connected to a hub or switch. Your other computers
|
||||
will be connected to the same hub/switch (note: If you have only a single
|
||||
internal system, you can connect the firewall directly to the computer
|
||||
using a <i>cross-over </i> cable).</p>
|
||||
using a <i>cross-over </i> cable).</p>
|
||||
|
||||
<p align="left"><u><b> <img border="0" src="images/j0213519.gif"
|
||||
width="60" height="60">
|
||||
</b></u>Do not connect the internal and external interface to the same
|
||||
hub or switch (even for testing). It won't work the way that you think
|
||||
that it will and you will end up confused and believing that Shorewall
|
||||
doesn't work at all.</p>
|
||||
</b></u>Do not connect the internal and external interface to the
|
||||
same hub or switch (even for testing). It won't work the way that you think
|
||||
that it will and you will end up confused and believing that Shorewall
|
||||
doesn't work at all.</p>
|
||||
|
||||
<p align="left"><img border="0" src="images/BD21298_.gif" align="left"
|
||||
width="13" height="13">
|
||||
The Shorewall two-interface sample configuration assumes that the
|
||||
external interface is <b>eth0</b> and the internal interface is <b>eth1</b>.
|
||||
If your configuration is different, you will have to modify the sample
|
||||
<a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> file
|
||||
accordingly. While you are there, you may wish to review the list of options
|
||||
that are specified for the interfaces. Some hints:</p>
|
||||
The Shorewall two-interface sample configuration assumes that
|
||||
the external interface is <b>eth0</b> and the internal interface is
|
||||
<b>eth1</b>. If your configuration is different, you will have to modify
|
||||
the sample <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
|
||||
file accordingly. While you are there, you may wish to review the list
|
||||
of options that are specified for the interfaces. Some hints:</p>
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
@ -277,8 +289,8 @@ doesn't work at all.</p>
|
||||
</li>
|
||||
<li>
|
||||
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>
|
||||
or if you have a static IP address, you can remove "dhcp" from the option
|
||||
list. </p>
|
||||
or if you have a static IP address, you can remove "dhcp" from the
|
||||
option list. </p>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
@ -286,17 +298,17 @@ doesn't work at all.</p>
|
||||
<h2 align="left">IP Addresses</h2>
|
||||
|
||||
<p align="left">Before going further, we should say a few words about Internet
|
||||
Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you a single
|
||||
<i> Public</i> IP address. This address may be assigned via the<i> Dynamic
|
||||
Host Configuration Protocol</i> (DHCP) or as part of establishing your
|
||||
connection when you dial in (standard modem) or establish your PPP connection.
|
||||
In rare cases, your ISP may assign you a<i> static</i> IP address; that
|
||||
means that you configure your firewall's external interface to use that
|
||||
address permanently.<i> </i>However your external address is assigned, it
|
||||
will be shared by all of your systems when you access the Internet. You will
|
||||
have to assign your own addresses in your internal network (the Internal
|
||||
Interface on your firewall plus your other computers). RFC 1918 reserves
|
||||
several <i>Private </i>IP address ranges for this purpose:</p>
|
||||
Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you a
|
||||
single <i> Public</i> IP address. This address may be assigned via the<i>
|
||||
Dynamic Host Configuration Protocol</i> (DHCP) or as part of establishing
|
||||
your connection when you dial in (standard modem) or establish your PPP
|
||||
connection. In rare cases, your ISP may assign you a<i> static</i> IP address;
|
||||
that means that you configure your firewall's external interface to use
|
||||
that address permanently.<i> </i>However your external address is assigned,
|
||||
it will be shared by all of your systems when you access the Internet.
|
||||
You will have to assign your own addresses in your internal network (the
|
||||
Internal Interface on your firewall plus your other computers). RFC 1918
|
||||
reserves several <i>Private </i>IP address ranges for this purpose:</p>
|
||||
|
||||
<div align="left">
|
||||
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
|
||||
@ -306,9 +318,9 @@ several <i>Private </i>IP address ranges for this purpose:</p>
|
||||
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
|
||||
height="13">
|
||||
Before starting Shorewall, you should look at the IP address
|
||||
of your external interface and if it is one of the above ranges, you
|
||||
should remove the 'norfc1918' option from the external interface's entry
|
||||
in /etc/shorewall/interfaces.</p>
|
||||
of your external interface and if it is one of the above ranges, you
|
||||
should remove the 'norfc1918' option from the external interface's
|
||||
entry in /etc/shorewall/interfaces.</p>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
@ -316,12 +328,12 @@ in /etc/shorewall/interfaces.</p>
|
||||
sub-network </i>(<i>subnet)</i>. For our purposes, we can consider a subnet
|
||||
to consists of a range of addresses x.y.z.0 - x.y.z.255. Such a subnet
|
||||
will have a <i>Subnet Mask </i>of 255.255.255.0. The address x.y.z.0
|
||||
is reserved as the <i>Subnet Address</i> and x.y.z.255 is reserved as
|
||||
the <i>Subnet Broadcast</i> <i>Address</i>. In Shorewall, a subnet is described
|
||||
using <a href="subnet_masks.htm"><i>Classless InterDomain Routing </i>(CIDR)
|
||||
notation</a> with consists of the subnet address followed by "/24". The
|
||||
"24" refers to the number of consecutive leading "1" bits from the left
|
||||
of the subnet mask. </p>
|
||||
is reserved as the <i>Subnet Address</i> and x.y.z.255 is reserved as
|
||||
the <i>Subnet Broadcast</i> <i>Address</i>. In Shorewall, a subnet is
|
||||
described using <a href="shorewall_setup_guide.htm#Subnets"><i>Classless
|
||||
InterDomain Routing </i>(CIDR) notation</a> with consists of the subnet
|
||||
address followed by "/24". The "24" refers to the number of consecutive
|
||||
leading "1" bits from the left of the subnet mask. </p>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
@ -365,15 +377,16 @@ the <i>Subnet Broadcast</i> <i>Address</i>. In Shorewall, a subnet is describ
|
||||
<p align="left">One of the purposes of subnetting is to allow all computers
|
||||
in the subnet to understand which other computers can be communicated
|
||||
with directly. To communicate with systems outside of the subnetwork,
|
||||
systems send packets through a<i> gateway</i> (router).</p>
|
||||
systems send packets through a<i> gateway</i> (router).</p>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
|
||||
height="13">
|
||||
Your local computers (computer 1 and computer 2 in the above
|
||||
diagram) should be configured with their<i> default gateway</i> to be
|
||||
the IP address of the firewall's internal interface.<i> </i> </p>
|
||||
diagram) should be configured with their<i> default gateway</i> to
|
||||
be the IP address of the firewall's internal interface.<i> </i>
|
||||
</p>
|
||||
</div>
|
||||
|
||||
<p align="left">The foregoing short discussion barely scratches the surface
|
||||
@ -394,19 +407,19 @@ the IP address of the firewall's internal interface.<i>
|
||||
<h2 align="left">IP Masquerading (SNAT)</h2>
|
||||
|
||||
<p align="left">The addresses reserved by RFC 1918 are sometimes referred
|
||||
to as <i>non-routable</i> because the Internet backbone routers don't forward
|
||||
packets which have an RFC-1918 destination address. When one of your local
|
||||
systems (let's assume computer 1) sends a connection request to an internet
|
||||
host, the firewall must perform <i>Network Address Translation </i>(NAT).
|
||||
The firewall rewrites the source address in the packet to be the address
|
||||
of the firewall's external interface; in other words, the firewall makes
|
||||
it look as if the firewall itself is initiating the connection. This is
|
||||
necessary so that the destination host will be able to route return packets
|
||||
back to the firewall (remember that packets whose destination address
|
||||
is reserved by RFC 1918 can't be routed across the internet so the remote
|
||||
host can't address its response to computer 1). When the firewall receives
|
||||
a return packet, it rewrites the destination address back to 10.10.10.1
|
||||
and forwards the packet on to computer 1. </p>
|
||||
to as <i>non-routable</i> because the Internet backbone routers don't
|
||||
forward packets which have an RFC-1918 destination address. When one of
|
||||
your local systems (let's assume computer 1) sends a connection request
|
||||
to an internet host, the firewall must perform <i>Network Address Translation
|
||||
</i>(NAT). The firewall rewrites the source address in the packet to
|
||||
be the address of the firewall's external interface; in other words, the
|
||||
firewall makes it look as if the firewall itself is initiating the connection.
|
||||
This is necessary so that the destination host will be able to route return
|
||||
packets back to the firewall (remember that packets whose destination
|
||||
address is reserved by RFC 1918 can't be routed across the internet so
|
||||
the remote host can't address its response to computer 1). When the firewall
|
||||
receives a return packet, it rewrites the destination address back to 10.10.10.1
|
||||
and forwards the packet on to computer 1. </p>
|
||||
|
||||
<p align="left">On Linux systems, the above process is often referred to as<i>
|
||||
IP Masquerading</i> but you will also see the term <i>Source Network Address
|
||||
@ -434,27 +447,40 @@ and forwards the packet on to computer 1. </p>
|
||||
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
|
||||
height="13">
|
||||
If your external firewall interface is <b>eth0</b>, you do not
|
||||
need to modify the file provided with the sample. Otherwise, edit /etc/shorewall/masq
|
||||
need to modify the file provided with the sample. Otherwise, edit /etc/shorewall/masq
|
||||
and change the first column to the name of your external interface and
|
||||
the second column to the name of your internal interface.</p>
|
||||
the second column to the name of your internal interface.</p>
|
||||
|
||||
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
|
||||
height="13">
|
||||
If your external IP is static, you can enter it in the third column
|
||||
in the /etc/shorewall/masq entry if you like although your firewall will
|
||||
work fine if you leave that column empty. Entering your static IP in column
|
||||
3 makes processing outgoing packets a little more efficient. </p>
|
||||
If your external IP is static, you can enter it in the third
|
||||
column in the /etc/shorewall/masq entry if you like although your firewall
|
||||
will work fine if you leave that column empty. Entering your static
|
||||
IP in column 3 makes processing outgoing packets a little more efficient.<br>
|
||||
<br>
|
||||
<img border="0" src="images/BD21298_.gif" width="13" height="13" alt="">
|
||||
If you are using the Debian package, please check your shorewall.conf
|
||||
file to ensure that the following are set correctly; if they are not, change
|
||||
them appropriately:<br>
|
||||
</p>
|
||||
|
||||
<ul>
|
||||
<li>NAT_ENABLED=Yes</li>
|
||||
<li>IP_FORWARDING=On<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h2 align="left">Port Forwarding (DNAT)</h2>
|
||||
|
||||
<p align="left">One of your goals may be to run one or more servers on your
|
||||
local computers. Because these computers have RFC-1918 addresses, it is
|
||||
not possible for clients on the internet to connect directly to them. It
|
||||
is rather necessary for those clients to address their connection requests
|
||||
to the firewall who rewrites the destination address to the address of your
|
||||
server and forwards the packet to that server. When your server responds,
|
||||
local computers. Because these computers have RFC-1918 addresses, it
|
||||
is not possible for clients on the internet to connect directly to them.
|
||||
It is rather necessary for those clients to address their connection requests
|
||||
to the firewall who rewrites the destination address to the address of
|
||||
your server and forwards the packet to that server. When your server responds,
|
||||
the firewall automatically performs SNAT to rewrite the source address
|
||||
in the response.</p>
|
||||
in the response.</p>
|
||||
|
||||
<p align="left">The above process is called<i> Port Forwarding</i> or <i>
|
||||
Destination Network Address Translation</i> (DNAT). You configure port
|
||||
@ -524,14 +550,14 @@ in the response.</p>
|
||||
<p>A couple of important points to keep in mind:</p>
|
||||
|
||||
<ul>
|
||||
<li>You must test the above rule from a client outside of your local
|
||||
network (i.e., don't test from a browser running on computers 1 or 2
|
||||
or on the firewall). If you want to be able to access your web server
|
||||
using the IP address of your external interface, see <a
|
||||
<li>You must test the above rule from a client outside of your
|
||||
local network (i.e., don't test from a browser running on computers
|
||||
1 or 2 or on the firewall). If you want to be able to access your web
|
||||
server using the IP address of your external interface, see <a
|
||||
href="FAQ.htm#faq2">Shorewall FAQ #2</a>.</li>
|
||||
<li>Many ISPs block incoming connection requests to port 80. If you
|
||||
have problems connecting to your web server, try the following rule and
|
||||
try connecting to port 5000.</li>
|
||||
<li>Many ISPs block incoming connection requests to port 80.
|
||||
If you have problems connecting to your web server, try the following
|
||||
rule and try connecting to port 5000.</li>
|
||||
|
||||
</ul>
|
||||
|
||||
@ -563,42 +589,42 @@ using the IP address of your external interface, see <a
|
||||
</blockquote>
|
||||
|
||||
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13">
|
||||
At this point, modify /etc/shorewall/rules to add any DNAT rules
|
||||
that you require.</p>
|
||||
At this point, modify /etc/shorewall/rules to add any DNAT
|
||||
rules that you require.</p>
|
||||
|
||||
<h2 align="left">Domain Name Server (DNS)</h2>
|
||||
|
||||
<p align="left">Normally, when you connect to your ISP, as part of getting
|
||||
an IP address your firewall's <i>Domain Name Service </i>(DNS) resolver
|
||||
will be automatically configured (e.g., the /etc/resolv.conf file will be
|
||||
written). Alternatively, your ISP may have given you the IP address of
|
||||
a pair of DNS <i> name servers</i> for you to manually configure as your
|
||||
primary and secondary name servers. Regardless of how DNS gets configured
|
||||
on your firewall, it is <u>your</u> responsibility to configure the resolver
|
||||
in your internal systems. You can take one of two approaches:</p>
|
||||
will be automatically configured (e.g., the /etc/resolv.conf file will
|
||||
be written). Alternatively, your ISP may have given you the IP address
|
||||
of a pair of DNS <i> name servers</i> for you to manually configure as your
|
||||
primary and secondary name servers. Regardless of how DNS gets configured
|
||||
on your firewall, it is <u>your</u> responsibility to configure the resolver
|
||||
in your internal systems. You can take one of two approaches:</p>
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
<p align="left">You can configure your internal systems to use your ISP's
|
||||
name servers. If you ISP gave you the addresses of their servers or if
|
||||
those addresses are available on their web site, you can configure your
|
||||
internal systems to use those addresses. If that information isn't available,
|
||||
look in /etc/resolv.conf on your firewall system -- the name servers
|
||||
are given in "nameserver" records in that file. </p>
|
||||
name servers. If you ISP gave you the addresses of their servers or
|
||||
if those addresses are available on their web site, you can configure
|
||||
your internal systems to use those addresses. If that information isn't
|
||||
available, look in /etc/resolv.conf on your firewall system -- the name
|
||||
servers are given in "nameserver" records in that file. </p>
|
||||
</li>
|
||||
<li>
|
||||
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
|
||||
height="13">
|
||||
You can configure a<i> Caching Name Server </i>on your firewall.<i>
|
||||
</i>Red Hat has an RPM for a caching name server (the RPM also requires
|
||||
the 'bind' RPM) and for Bering users, there is dnscache.lrp. If you take
|
||||
this approach, you configure your internal systems to use the firewall
|
||||
itself as their primary (and only) name server. You use the internal IP
|
||||
address of the firewall (10.10.10.254 in the example above) for the name
|
||||
server address. To allow your local systems to talk to your caching name
|
||||
server, you must open port 53 (both UDP and TCP) from the local network
|
||||
to the firewall; you do that by adding the following rules in /etc/shorewall/rules.
|
||||
</p>
|
||||
</i>Red Hat has an RPM for a caching name server (the RPM also
|
||||
requires the 'bind' RPM) and for Bering users, there is dnscache.lrp. If
|
||||
you take this approach, you configure your internal systems to use the
|
||||
firewall itself as their primary (and only) name server. You use the internal
|
||||
IP address of the firewall (10.10.10.254 in the example above) for the
|
||||
name server address. To allow your local systems to talk to your caching
|
||||
name server, you must open port 53 (both UDP and TCP) from the local
|
||||
network to the firewall; you do that by adding the following rules in
|
||||
/etc/shorewall/rules. </p>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
@ -808,7 +834,8 @@ are given in "nameserver" records in that file. </p>
|
||||
|
||||
<div align="left">
|
||||
<p align="left">Those two rules would of course be in addition to the rules
|
||||
listed above under "You can configure a Caching Name Server on your firewall"</p>
|
||||
listed above under "You can configure a Caching Name Server on your
|
||||
firewall"</p>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
@ -854,8 +881,8 @@ uses, look <a href="ports.htm">here</a>.</p>
|
||||
<div align="left">
|
||||
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
|
||||
height="13">
|
||||
Now edit your /etc/shorewall/rules file to add or delete other
|
||||
connections as required.</p>
|
||||
Now edit your /etc/shorewall/rules file to add or delete
|
||||
other connections as required.</p>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
@ -868,8 +895,9 @@ uses, look <a href="ports.htm">here</a>.</p>
|
||||
The <a href="Install.htm">installation procedure </a> configures
|
||||
your system to start Shorewall at system boot but beginning with Shorewall
|
||||
version 1.3.9 startup is disabled so that your system won't try to start
|
||||
Shorewall before configuration is complete. Once you have completed configuration
|
||||
of your firewall, you can enable Shorewall startup by removing the file /etc/shorewall/startup_disabled.<br>
|
||||
Shorewall before configuration is complete. Once you have completed configuration
|
||||
of your firewall, you can enable Shorewall startup by removing the file
|
||||
/etc/shorewall/startup_disabled.<br>
|
||||
</p>
|
||||
|
||||
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: </font><font
|
||||
@ -891,10 +919,11 @@ of your firewall, you can enable Shorewall startup by removing the file /etc/sho
|
||||
<div align="left">
|
||||
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
|
||||
height="13">
|
||||
The two-interface sample assumes that you want to enable routing
|
||||
to/from <b>eth1 </b>(the local network) when Shorewall is stopped. If
|
||||
your local network isn't connected to <b>eth1</b> or if you wish to enable
|
||||
access to/from other hosts, change /etc/shorewall/routestopped accordingly.</p>
|
||||
The two-interface sample assumes that you want to enable
|
||||
routing to/from <b>eth1 </b>(the local network) when Shorewall is stopped.
|
||||
If your local network isn't connected to <b>eth1</b> or if you wish to
|
||||
enable access to/from other hosts, change /etc/shorewall/routestopped
|
||||
accordingly.</p>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
@ -904,11 +933,11 @@ of your firewall, you can enable Shorewall startup by removing the file /etc/sho
|
||||
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
|
||||
Also, I don't recommend using "shorewall restart"; it is better to create
|
||||
an <i><a href="configuration_file_basics.htm#Configs">alternate configuration</a></i>
|
||||
and test it using the <a href="starting_and_stopping_shorewall.htm">"shorewall
|
||||
try" command</a>.</p>
|
||||
and test it using the <a
|
||||
href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p>
|
||||
</div>
|
||||
|
||||
<p align="left"><font size="2">Last updated 11/21/2002 - <a
|
||||
<p align="left"><font size="2">Last updated 12/20/2002 - <a
|
||||
href="support.htm">Tom Eastep</a></font></p>
|
||||
|
||||
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas
|
||||
@ -919,5 +948,9 @@ of your firewall, you can enable Shorewall startup by removing the file /etc/sho
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -28,7 +28,7 @@
|
||||
# shown below. Simply run this script to revert to your prior version of
|
||||
# Shoreline Firewall.
|
||||
|
||||
VERSION=1.3.12-Beta3
|
||||
VERSION=1.3.12
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -54,7 +54,7 @@
|
||||
# /etc/rc.d/rc.local file is modified to start the firewall.
|
||||
#
|
||||
|
||||
VERSION=1.3.12-Beta3
|
||||
VERSION=1.3.12
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -1,6 +1,6 @@
|
||||
%define name shorewall
|
||||
%define version 1.3.12
|
||||
%define release 0Beta3
|
||||
%define release 1
|
||||
%define prefix /usr
|
||||
|
||||
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
|
||||
@ -105,6 +105,8 @@ fi
|
||||
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
|
||||
|
||||
%changelog
|
||||
* Fri Dec 27 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Changes version to 1.3.12
|
||||
* Sun Dec 22 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Changes version to 1.3.12-0Beta3
|
||||
* Fri Dec 20 2002 Tom Eastep <tom@shorewall.net>
|
||||
|
@ -26,7 +26,7 @@
|
||||
# You may only use this script to uninstall the version
|
||||
# shown below. Simply run this script to remove Seattle Firewall
|
||||
|
||||
VERSION=1.3.12-Beta3
|
||||
VERSION=1.3.12
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
Loading…
x
Reference in New Issue
Block a user