mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-21 22:01:57 +01:00
Updated for 2.0.6
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1479 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent 7c1c39ee1d
commit 43ac5e4799
@ -2385,6 +2385,35 @@ eth0 eth1 206.124.146.176</programlisting>
</listitem>
</varlistentry>

<varlistentry>
<term>PKTTYPE</term>

<listitem>
<para>(Added at Version 2.0.6) - Normally Shorewall attempts to use
the iptables packet type match extension to determine broadcast and
multicast packets. </para>

<orderedlist>
<listitem>
<para>This can cause a message to appear during
<command>shorewall start</command> (modprobe: cant locate module
ipt_pkttype).</para>
</listitem>

<listitem>
<para>Some users have found problems with the packet match
extension with the result that their firewall log is flooded
with messages relating to broadcast packets.</para>
</listitem>
</orderedlist>

<para>If you are experiencing either of these problems, setting
PKTTYPE=No will prevent Shorewall from trying to use the packet type
match extension and to use IP address matching to determine which
packets are broadcasts or multicasts. </para>
</listitem>
</varlistentry>

<varlistentry>
<term>RESTOREFILE</term>

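Review bot: the closing para of the new PKTTYPE entry reads as if PKTTYPE=No prevents both things ("prevent Shorewall from trying to use the packet type match extension and to use IP address matching"); suggest "and will instead use IP address matching to determine which packets are broadcasts or multicasts". In the first orderedlist item the quoted modprobe text "cant locate module" should be "can't" unless that is verbatim program output. The entry also never states the option's default value, which a reader deciding whether to set PKTTYPE=No needs.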
@ -17,7 +17,7 @@
</author>
</authorgroup>

<pubdate>2004-06-18</pubdate>
<pubdate>2004-07-14</pubdate>

<copyright>
<year>2001-2004</year>
@ -224,6 +224,13 @@ DNAT net loc:192.168.3:22 tcp 1022</programlisting>
as they go through your firewall and handle them on the firewall box
itself; in that case, you use a REDIRECT rule.</para>
</section>

<section>
<title>(FAQ 38) Where can I find more information about DNAT?</title>

<para>Ian Allen has written a <ulink
url="http://ian.idallen.ca/dnat.txt">Paper about DNAT and Linux</ulink>.</para>
</section>
</section>

<section>
@ -1735,7 +1742,8 @@ iptables: Invalid argument
<appendix>
<title>Revision History</title>

<para><revhistory><revision><revnumber>1.27</revnumber><date>2004-06-18</date><authorinitials>TE</authorinitials><revremark>Correct
<para><revhistory><revision><revnumber>1.28</revnumber><date>2004-07-14</date><authorinitials>TE</authorinitials><revremark>Insert
link to Ian Allen's DNAT paper (FAQ 38)</revremark></revision><revision><revnumber>1.27</revnumber><date>2004-06-18</date><authorinitials>TE</authorinitials><revremark>Correct
formatting in H323 quote.</revremark></revision><revision><revnumber>1.26</revnumber><date>2004-05-18</date><authorinitials>TE</authorinitials><revremark>Delete
obsolete ping information.</revremark></revision><revision><revnumber>1.25</revnumber><date>2004-05-18</date><authorinitials>TE</authorinitials><revremark>Empty
/etc/shorewall on Debian.</revremark></revision><revision><revnumber>1.25</revnumber><date>2004-05-08</date><authorinitials>TE</authorinitials><revremark>Update
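Review bot: the context lines of this revision history show two entries numbered 1.25 (dated 2004-05-18 and 2004-05-08), so the sequence is not unique; while 1.28 is being added, the older of those should be renumbered (1.24, if nothing was skipped) so that revnumber identifies a single revision.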
@ -15,7 +15,7 @@
</author>
</authorgroup>

<pubdate>2004-03-12</pubdate>
<pubdate>2004-07-11</pubdate>

<copyright>
<year>2003</year>
@ -109,7 +109,9 @@
</important>

<para>The above diagram should help you understand the output of
<quote>shorewall status</quote>.</para>
<quote>shorewall status</quote>. You may also wish to refer to <ulink
url="PacketHandling.html">this article</ulink> that describes the flow of
packets through a Shorewall-generated firewall.</para>

<para>Here are some excerpts from <quote>shorewall status</quote> on a
server with one interface (eth0):</para>
@ -15,7 +15,7 @@
</author>
</authorgroup>

<pubdate>2004-07-10</pubdate>
<pubdate>2004-07-13</pubdate>

<copyright>
<year>2004</year>
@ -142,9 +142,9 @@
</listitem>
</itemizedlist>

<para>then the packet is ACCEPTed in the filter table's <emphasis
role="bold"><emphasis>interface</emphasis>_in</emphasis> chain (for
example, eth0_in).</para>
<para>then the packet is ACCEPTed in the <emphasis>filter</emphasis>
table's <emphasis role="bold"><emphasis>interface</emphasis>_in</emphasis>
chain (for example, eth0_in).</para>
</listitem>

<listitem>
@ -153,7 +153,8 @@
<filename>/etc/shorewall/interfaces</filename>, then the packet is
processed against your rfc1918 file (normally <filename>/usr/share/shorewall/rfc1918</filename>
but that file may be copied to <filename>/etc/shorewall/rfc1918</filename>
and modified). This happens in the filter table's rfc1918 chain.</para>
and modified). This happens in the <emphasis>filter</emphasis>
table's <emphasis role="bold">norfc1918</emphasis> chain.</para>
</listitem>

<listitem>
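Review bot: changing the chain name from rfc1918 to norfc1918 is a factual correction, not a formatting one like the neighbouring hunks, so if this article keeps a revision history it should be recorded there rather than hidden behind the pubdate bump. The file names /usr/share/shorewall/rfc1918 and /etc/shorewall/rfc1918 on the preceding context lines correctly stay unchanged; the file and the chain have different names, and it may be worth a short clause saying so, since the old text used the same word for both.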
@ -170,7 +171,8 @@
the <emphasis>tcpflags</emphasis> option specified in
<filename>/etc/shorewall/interfaces</filename> and the packet's
protocol is TCP then the TCP flags are checked by the <emphasis
role="bold">tcpflags</emphasis> chain (filter table).</para>
role="bold">tcpflags</emphasis> chain (<emphasis>filter</emphasis>
table).</para>
</listitem>
</itemizedlist>
</section>
@ -203,7 +205,7 @@
<listitem>
<para>If the packet is part of an established connection or is part of
a related connection then no further processing takes place in the
filter table (<emphasis>z</emphasis><emphasis role="bold"><emphasis>one1</emphasis>2<emphasis>zone2</emphasis></emphasis>
filter table (<emphasis><emphasis>zone1</emphasis>2<emphasis>zone2</emphasis></emphasis>
chain where <emphasis>zone1</emphasis> is the source zone and
<emphasis>zone2</emphasis> is the destination zone).</para>
</listitem>
@ -216,8 +218,7 @@

<listitem>
<para>The packet is processed according to your <filename>/etc/shorewall/rules</filename>
file. This happens in chains named <emphasis>z</emphasis><emphasis
role="bold"><emphasis>one1</emphasis>2<emphasis>zone2</emphasis></emphasis>
file. This happens in chains named <emphasis><emphasis role="bold"><emphasis>zone1</emphasis>2<emphasis>zone2</emphasis></emphasis></emphasis>
chain where <emphasis>zone1</emphasis> is the source zone and
<emphasis>zone2</emphasis> is the destination zone. Note that in the
presence of <ulink url="Documentation.htm#Nested">nested or
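Review bot: the two renderings of the zone1-2-zone2 chain name are now inconsistent: the previous hunk emits `<emphasis><emphasis>zone1</emphasis>2<emphasis>zone2</emphasis></emphasis>` without `role="bold"`, while this one keeps `role="bold"` on the inner emphasis. Every other chain name in the document (eth0_in, norfc1918, tcpflags) is bold, so the previous hunk should probably match this one. Separately, the sentence still reads "This happens in chains named zone12zone2 chain where ...", a stray "chain" carried over from the old text; drop it or change "chains named" to "the chain named".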
@ -246,6 +247,29 @@
</itemizedlist>
</section>

<section>
<title>Packets Originating on the Firewall</title>

<para>Packets that originate on the firewall itself undergo additional
processing.</para>

<itemizedlist>
<listitem>
<para>The TOS field in the packet is conditionally altered based on
the contents of your <filename>/etc/shorewall/tos</filename> file.
This occurs in the <emphasis role="bold">outtos</emphasis> chain of
the <emphasis>mangle</emphasis> table.</para>
</listitem>

<listitem>
<para>Packets are marked based on the contents of your
<filename>/etc/shorewall/tcrules</filename> file. This occurs in the
<emphasis role="bold">tcout</emphasis> chain of the
<emphasis>mangle</emphasis> table.</para>
</listitem>
</itemizedlist>
</section>

<section>
<title>Packets Leaving the Firewall</title>

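Review bot: the moved section drops the "Just before being sent" qualifier that its old copy (removed in the next hunk) carried, so the opening para now only says packets "undergo additional processing" without saying when. Since the section has been placed ahead of "Packets Leaving the Firewall", suggest stating explicitly that the outtos and tcout processing in the mangle table happens before the filter-table processing described in the following section; otherwise the reader loses the ordering cue the move was presumably meant to convey.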
@ -290,27 +314,4 @@
</listitem>
</itemizedlist>
</section>

<section>
<title>Packets Originating on the Firewall</title>

<para>Just before being sent, packets that originated on the firewall
itself undergo additional processing.</para>

<itemizedlist>
<listitem>
<para>The TOS field in the packet is conditionally altered based on
the contents of your <filename>/etc/shorewall/tos</filename> file.
This occurs in the <emphasis role="bold">outtos</emphasis> chain of
the <emphasis>mangle</emphasis> table.</para>
</listitem>

<listitem>
<para>Packets are marked based on the contents of your
<filename>/etc/shorewall/tcrules</filename> file. This occurs in the
<emphasis role="bold">tcout</emphasis> chain of the
<emphasis>mangle</emphasis> table.</para>
</listitem>
</itemizedlist>
</section>
</article>
@ -15,7 +15,7 @@
</author>
</authorgroup>

<pubdate>2004-04-19</pubdate>
<pubdate>2004-07-13</pubdate>

<copyright>
<year>2003-2004</year>
@ -33,8 +33,6 @@
</legalnotice>
</articleinfo>

<para></para>

<para>This page covers Shorewall configuration to use with <ulink
url="http://www.squid-cache.org">Squid</ulink> running as a Transparent
Proxy or as a Manual Proxy.</para>
@ -109,7 +107,7 @@ MANGLE_ENABLED=Yes</programlisting>

<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
# PORT(S) DEST
REDIRECT loc 3228 tcp www - !206.124.146.177
REDIRECT loc 3128 tcp www - !206.124.146.177
ACCEPT fw net tcp www</programlisting>

<para>There may be a requirement to exclude additional destination hosts
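Review bot: 3228 reads as a transposition of 3128, the port the corrected line and the next hunk both use, so the change is consistent across the two rules listings; a reader copying the old example would have redirected web traffic to a port nothing listens on. The `!206.124.146.177` exclusion in the ORIGINAL DEST column is not explained in the visible lines; a short clause in the surrounding prose saying whose address it is would make the example self-explanatory.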
@ -122,7 +120,7 @@ ACCEPT fw net tcp www</programlisting>

<para><filename>/etc/shorewall/rules</filename>:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
# PORT(S) DEST
REDIRECT loc 3228 tcp www - !206.124.146.177,130.252.100.0/24</programlisting></para>
REDIRECT loc 3128 tcp www - !206.124.146.177,130.252.100.0/24</programlisting></para>

<para>If you are running a Shorewall version earlier than 1.4.5, you
must add a manual rule in /etc/shorewall/start:</para>
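Review bot: the trailing context says users on Shorewall versions earlier than 1.4.5 must add a manual rule in /etc/shorewall/start; that rule is not in this hunk but presumably targets the same proxy port, so it should be checked for the same 3228/3128 error while the two REDIRECT lines are being corrected, and the `/etc/shorewall/start` path here could use the `<filename>` markup the rules path two lines above already has.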
Binary file not shown.
@ -1,5 +1,5 @@
<?xml version='1.0' encoding='utf-8' ?>
<?integrity app='Visio' version='10.0' buildnum='525' metric='0' key='7FFFD71E985B2EC26C075C7B645086876BCF8593C1531AF84243713B2E33B0E1BB767D5BAB15540F77B203D6763DCEC7B8F1B2A0D15011499EE13ADA8EAD43CD' keystart='261' ?>
<?integrity app='Visio' version='10.0' buildnum='525' metric='0' key='0521AC4BEA80618BB0978E5B7B9EB3C745F7D52F8D1C20BB755782286111C25A4AD1A4735C8175FB7A1E5BC0F3F3C63F5FFC23BB44E7F7DF2FCF1FD158440E55' keystart='261' ?>

<VisioDocument xmlns='urn:schemas-microsoft-com:office:visio'>
<DocumentProperties>
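Review bot: the `<?integrity ... key=...?>` processing instruction is regenerated by Visio on every save, as are the TimeSaved/TimeEdited properties and the embedded preview image changed further down in this file, so a small repositioning of one shape turns into a large diff in which the real change is hard to find. Consider noting in the commit message what actually changed in the drawing, or committing the exported image alongside so reviewers can see the intent without reading the XML.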
@ -3206,8 +3206,8 @@ f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f
|
||||
/////////////////////////////////////////////////////////////////////////////
|
||||
/////////////w4AAAAUAAAAAAAAABAAAAAUAAAA</PreviewPicture>
<TimeCreated>2002-08-11T08:58:32</TimeCreated>
<TimeSaved>2004-03-16T15:13:54</TimeSaved>
<TimeEdited>2004-03-16T15:13:48</TimeEdited>
<TimeSaved>2004-07-13T11:44:37</TimeSaved>
<TimeEdited>2004-07-13T11:38:59</TimeEdited>
<TimePrinted>2002-08-11T08:58:32</TimePrinted>
</DocumentProperties>
<DocumentSettings TopPage='0' DefaultTextStyle='3' DefaultLineStyle='3' DefaultFillStyle='3' DefaultGuideStyle='4'>
@ -40781,7 +40781,7 @@ B/wAAA/8AAB//AAAf/wAAH/8AAA//AAAP/wAAD/8AAA//AAAP/wAAD/+AAA//4AAf//gAP///////
</Master>
</Masters>
<Pages>
<Page ID='0' NameU='Page-1' ViewScale='1.5' ViewCenterX='61.571428571429' ViewCenterY='26.607142857143'>
<Page ID='0' NameU='Page-1' ViewScale='1.5' ViewCenterX='84.428571428571' ViewCenterY='71.607142857143'>
<PageSheet LineStyle='0' FillStyle='0' TextStyle='0'>
<PageProps>
<PageWidth Unit='IN'>85</PageWidth>
@ -41197,11 +41197,11 @@ B/wAAA/8AAB//AAAf/wAAH/8AAA//AAAP/wAAD/8AAA//AAAP/wAAD/+AAA//4AAf//gAP///////
<Shape ID='18' Type='Shape' Master='7'>
<XForm>
<PinX F='Inh'>36.817303557046</PinX>
<PinY F='Inh'>58.396443645478</PinY>
<Width F='Guard(EndX-BeginX)'>3.2357053859082</Width>
<Height F='Guard(EndY-BeginY)'>-13.207112709043</Height>
<PinY F='Inh'>59.283146921411</PinY>
<Width F='Guard(EndX-BeginX)'>3.2357053859085</Width>
<Height F='Guard(EndY-BeginY)'>-14.980519260909</Height>
<LocPinX F='Inh'>1.6178526929541</LocPinX>
<LocPinY F='Inh'>-6.6035563545217</LocPinY>
<LocPinY F='Inh'>-7.4902596304544</LocPinY>
<Angle F='Inh'>0</Angle>
<FlipX F='Inh'>0</FlipX>
<FlipY F='Inh'>0</FlipY>
@ -41209,7 +41209,7 @@ B/wAAA/8AAB//AAAf/wAAH/8AAA//AAAP/wAAD/8AAA//AAAP/wAAD/+AAA//4AAf//gAP///////
</XForm>
<XForm1D>
<BeginX F='Par(Pnt(Modem!Connections.X3,Modem!Connections.Y3))'>35.199450864092</BeginX>
<BeginY F='Par(Pnt(Modem!Connections.X3,Modem!Connections.Y3))'>65</BeginY>
<BeginY F='Par(Pnt(Modem!Connections.X3,Modem!Connections.Y3))'>66.773406551866</BeginY>
<EndX F='Par(Pnt(Firewall!Connections.X5,Firewall!Connections.Y5))'>38.43515625</EndX>
<EndY F='Par(Pnt(Firewall!Connections.X5,Firewall!Connections.Y5))'>51.792887290957</EndY>
</XForm1D>
@ -41241,8 +41241,8 @@ B/wAAA/8AAB//AAAf/wAAH/8AAA//AAAP/wAAD/8AAA//AAAP/wAAD/+AAA//4AAf//gAP///////
<NoLiveDynamics F='Inh'>1</NoLiveDynamics>
</Misc>
<TextXForm>
<TxtPinX>-6.8244508640918</TxtPinX>
<TxtPinY>-8.0339090474758</TxtPinY>
<TxtPinX>-6.824450864092</TxtPinX>
<TxtPinY>-8.9206123234091</TxtPinY>
<TxtWidth F='Inh'>1.1111111111111</TxtWidth>
<TxtHeight F='Inh'>2.4444444444444</TxtHeight>
<TxtLocPinX F='Inh'>0.55555555555556</TxtLocPinX>
@ -41275,19 +41275,19 @@ B/wAAA/8AAB//AAAf/wAAH/8AAA//AAAP/wAAD/8AAA//AAAP/wAAD/+AAA//4AAf//gAP///////
</MoveTo>
<LineTo IX='2'>
<X>0</X>
<Y>0.1875</Y>
<Y>0.18749999999973</Y>
</LineTo>
<LineTo IX='3'>
<X>-6.8244508640918</X>
<Y>0.1875</Y>
<X>-6.824450864092</X>
<Y>0.18749999999973</Y>
</LineTo>
<LineTo IX='4'>
<X>-6.8244508640918</X>
<Y>-13.207112709043</Y>
<X>-6.824450864092</X>
<Y>-14.980519260909</Y>
</LineTo>
<LineTo IX='5'>
<X>3.2357053859082</X>
<Y>-13.207112709043</Y>
<X>3.2357053859079</X>
<Y>-14.980519260909</Y>
</LineTo>
</Geom>
</Shape>
@ -41711,19 +41711,19 @@ B/wAAA/8AAB//AAAf/wAAH/8AAA//AAAP/wAAD/8AAA//AAAP/wAAD/+AAA//4AAf//gAP///////
<Shape ID='44' NameU='Comm-link' Type='Shape' Master='12'>
<XForm>
<PinX F='Inh'>50.636703275727</PinX>
<PinY F='Inh'>63.484375</PinY>
<Width F='Inh'>17.983898127284</Width>
<PinY F='Inh'>64.371078275933</PinY>
<Width F='Inh'>18.366187407064</Width>
<Height>2.5</Height>
<LocPinX F='Inh'>8.9919490636419</LocPinX>
<LocPinX F='Inh'>9.1830937035322</LocPinX>
<LocPinY F='Inh'>1.25</LocPinY>
<Angle F='Inh'>-0.16936204617136</Angle>
<Angle F='Inh'>-0.26468305291974</Angle>
<FlipX F='Inh'>0</FlipX>
<FlipY F='Inh'>0</FlipY>
<ResizeMode F='Inh'>0</ResizeMode>
</XForm>
<XForm1D>
<BeginX F='Par(Pnt(Modem!Connections.X2,Modem!Connections.Y2))'>41.773406551454</BeginX>
<BeginY F='Par(Pnt(Modem!Connections.X2,Modem!Connections.Y2))'>65</BeginY>
<BeginY F='Par(Pnt(Modem!Connections.X2,Modem!Connections.Y2))'>66.773406551866</BeginY>
<EndX F='Par(Pnt(Router!Connections.X3,Router!Connections.Y3))'>59.5</EndX>
<EndY F='Par(Pnt(Router!Connections.X3,Router!Connections.Y3))'>61.96875</EndY>
</XForm1D>
@ -41738,11 +41738,11 @@ B/wAAA/8AAB//AAAf/wAAH/8AAA//AAAP/wAAD/8AAA//AAAP/wAAD/+AAA//4AAf//gAP///////
<LayerMember>0</LayerMember>
</LayerMem>
<TextXForm>
<TxtPinX F='Inh'>8.9919490636419</TxtPinX>
<TxtPinX F='Inh'>9.1830937035322</TxtPinX>
<TxtPinY F='Inh'>-1.2222222222222</TxtPinY>
<TxtWidth F='Inh'>17.983898127284</TxtWidth>
<TxtWidth F='Inh'>18.366187407064</TxtWidth>
<TxtHeight F='Inh'>2.4444444444444</TxtHeight>
<TxtLocPinX F='Inh'>8.9919490636419</TxtLocPinX>
<TxtLocPinX F='Inh'>9.1830937035322</TxtLocPinX>
<TxtLocPinY F='Inh'>1.2222222222222</TxtLocPinY>
<TxtAngle F='Inh'>0</TxtAngle>
</TextXForm>
@ -41756,23 +41756,23 @@ B/wAAA/8AAB//AAAf/wAAH/8AAA//AAAP/wAAD/8AAA//AAAP/wAAD/+AAA//4AAf//gAP///////
<Y F='Inh'>1.25</Y>
</MoveTo>
<LineTo IX='2'>
<X F='Inh'>10.241949063642</X>
<X F='Inh'>10.433093703532</X>
<Y F='Inh'>2.5</Y>
</LineTo>
<LineTo IX='3'>
<X F='Inh'>9.3044490636419</X>
<X F='Inh'>9.4955937035322</X>
<Y F='Inh'>0.75</Y>
</LineTo>
<LineTo IX='4'>
<X F='Inh'>17.983898127284</X>
<X F='Inh'>18.366187407064</X>
<Y F='Inh'>1.25</Y>
</LineTo>
<LineTo IX='5'>
<X F='Inh'>7.7419490636419</X>
<X F='Inh'>7.9330937035322</X>
<Y F='Inh'>0</Y>
</LineTo>
<LineTo IX='6'>
<X F='Inh'>8.6794490636419</X>
<X F='Inh'>8.8705937035322</X>
<Y F='Inh'>1.75</Y>
</LineTo>
<LineTo IX='7'>
@ -67146,7 +67146,7 @@ www.xxx.yyy.zzz/
<Shape ID='1' NameU='Modem' Type='Group' Master='21'>
<XForm>
<PinX>37.906373794182</PinX>
<PinY>64.226593448134</PinY>
<PinY>66</PinY>
<Width>6.1872524116354</Width>
<Height>1.5468131037315</Height>
<LocPinX F='Inh'>3.0936262058177</LocPinX>
@ -67185,7 +67185,7 @@ www.xxx.yyy.zzz/
</Misc>
<Control IX='0'>
<X F='Inh'>3.0936262058177</X>
<Y F='Inh'>-1.1111111111111</Y>
<Y F='Inh'>-1.9444444444445</Y>
<XDyn F='Inh'>3.0936262058177</XDyn>
<YDyn F='Inh'>0.77340655186576</YDyn>
<XCon F='Inh'>3</XCon>
@ -68106,9 +68106,9 @@ www.xxx.yyy.zzz/
<PinX F='Inh'>0</PinX>
<PinY F='Inh'>0</PinY>
<Width F='Inh'>9.1994900183611</Width>
<Height F='Inh'>2.2222222222222</Height>
<Height F='Inh'>3.8888888888889</Height>
<LocPinX F='Inh'>1.5061188033628</LocPinX>
<LocPinY F='Inh'>2.2222222222222</LocPinY>
<LocPinY F='Inh'>3.8888888888889</LocPinY>
<Angle F='Inh'>0</Angle>
<FlipX F='Inh'>0</FlipX>
<FlipY F='Inh'>0</FlipY>
@ -68144,11 +68144,11 @@ www.xxx.yyy.zzz/
</Protection>
<TextXForm>
<TxtPinX F='Inh'>4.5997450091806</TxtPinX>
<TxtPinY F='Inh'>1.1111111111111</TxtPinY>
<TxtPinY F='Inh'>1.9444444444445</TxtPinY>
<TxtWidth F='Inh'>9.1994900183612</TxtWidth>
<TxtHeight F='Inh'>2.2222222222222</TxtHeight>
<TxtHeight F='Inh'>3.8888888888889</TxtHeight>
<TxtLocPinX F='Inh'>4.5997450091806</TxtLocPinX>
<TxtLocPinY F='Inh'>1.1111111111111</TxtLocPinY>
<TxtLocPinY F='Inh'>1.9444444444445</TxtLocPinY>
<TxtAngle F='Inh'>0</TxtAngle>
</TextXForm>
<Char IX='0'>
@ -68182,18 +68182,19 @@ www.xxx.yyy.zzz/
</LineTo>
<LineTo IX='3'>
<X F='Inh'>9.1994900183611</X>
<Y F='Inh'>2.2222222222222</Y>
<Y F='Inh'>3.8888888888889</Y>
</LineTo>
<LineTo IX='4'>
<X F='Inh'>0</X>
<Y F='Inh'>2.2222222222222</Y>
<Y F='Inh'>3.8888888888889</Y>
</LineTo>
<LineTo IX='5'>
<X F='Inh'>0</X>
<Y F='Inh'>0</Y>
</LineTo>
</Geom>
<Text><cp IX='0'/>DSL “Modem”</Text>
<Text><cp IX='0'/>DSL “Modem”
192.168.1.1</Text>
</Shape>
</Shapes>
</Shape>
@ -71283,7 +71284,7 @@ www.xxx.yyy.zzz/
</Page>
</Pages>
<Windows ClientWidth='1280' ClientHeight='850'>
<Window ID='0' WindowType='Drawing' WindowState='1073741824' WindowLeft='-4' WindowTop='-30' WindowWidth='1288' WindowHeight='884' ContainerType='Page' Page='0' ViewScale='1.5' ViewCenterX='61.571428571429' ViewCenterY='26.607142857143'>
<Window ID='0' WindowType='Drawing' WindowState='1073741824' WindowLeft='-4' WindowTop='-30' WindowWidth='1288' WindowHeight='884' ContainerType='Page' Page='0' ViewScale='1.5' ViewCenterX='84.428571428571' ViewCenterY='71.607142857143'>
<ShowRulers>1</ShowRulers>
<ShowGrid>1</ShowGrid>
<ShowPageBreaks>0</ShowPageBreaks>

@ -15,7 +15,7 @@
</author>
</authorgroup>

<pubdate>2004-07-04</pubdate>
<pubdate>2004-07-13</pubdate>

<copyright>
<year>2001-2004</year>
@ -47,16 +47,17 @@

<caution>
<para>The configuration shown here corresponds to Shorewall version
2.0.3. My configuration uses features not available in earlier Shorewall
2.1.1. My configuration uses features not available in earlier Shorewall
releases.</para>
</caution>

<para>I have DSL service and have 5 static IP addresses
(206.124.146.176-180). My DSL <quote>modem</quote> (Fujitsu Speedport) is
connected to eth0. I have a local network connected to eth2 (subnet
192.168.1.0/24) and a DMZ connected to eth1 (206.124.146.176/32). Note
that I configure the same IP address on both <filename class="devicefile">eth0</filename>
and <filename class="devicefile">eth1</filename>.</para>
(206.124.146.176-180). My DSL <quote>modem</quote> (Westell 2200) is
connected to eth0 and has IP address 192.168.1.1 (factory default). I have
a local network connected to eth2 (subnet 192.168.1.0/24) and a DMZ
connected to eth1 (206.124.146.176/32). Note that I configure the same IP
address on both <filename class="devicefile">eth0</filename> and <filename
class="devicefile">eth1</filename>.</para>

<para>In this configuration:</para>

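Review bot: the rewritten paragraph places the modem at 192.168.1.1 on eth0 while the loc zone on eth2 is 192.168.1.0/24, so the same RFC 1918 range now appears on two interfaces, and the paragraph should say that this is why the rfc1918 exception, the `+eth0::192.168.1.1` masq entry and the proxy ARP entry for 192.168.1.1 added later in this patch are needed; with `norfc1918` still set on eth0 in the interfaces file, a reader who copies only this section will have every packet from the modem logged and dropped. The caution's version moves from 2.0.3 to 2.1.1, which agrees with the later paragraph that says the masq entry uses features introduced in 2.1.1.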
@ -217,7 +218,7 @@ tx Texas Peer Network in Plano

<programlisting>#ZONE INERFACE BROADCAST OPTIONS
net eth0 206.124.146.255 dhcp,norfc1918,routefilter,blacklist,tcpflags,nosmurfs
loc eth2 192.168.1.255 dhcp,detectnets
loc eth2 192.168.1.255 dhcp
dmz eth1 -
- texas 192.168.9.255
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
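Review bot: dropping `detectnets` from the `loc eth2` line means the loc zone is no longer limited to the networks routed out of eth2, so any source address arriving on eth2 is treated as loc; the patch compensates with explicit `DROP loc:!192.168.1.0/24 net`, `fw` and `dmz` rules in the rules file, but that dependency is not stated anywhere and deserves a sentence here so the two files are not changed independently later. While this listing is being touched, the pre-existing `INERFACE` in the header line should become `INTERFACE`.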
@ -259,6 +260,25 @@ eth2 -
</blockquote>
</section>

<section>
<title>RFC1918 File</title>

<blockquote>
<para>Because my DSL modem has an RFC 1918 address (192.168.1.1) and
is connected to eth0, I need to make an exception for that address in
my rfc1918 file. I copied /usr/share/shorewall/rfc1918 to
/etc/shorewall/rfc1918 and changed it as follows:</para>

<programlisting>#SUBNET TARGET
<emphasis role="bold">192.168.1.1 RETURN</emphasis>
172.16.0.0/12 logdrop # RFC 1918
192.168.0.0/16 logdrop # RFC 1918
10.0.0.0/8 logdrop # RFC 1918
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
</programlisting>
</blockquote>
</section>

<section>
<title>Policy File</title>

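Review bot: copying the whole of /usr/share/shorewall/rfc1918 to /etc/shorewall/rfc1918 shadows the shipped file, so any later update to the RFC 1918 list will not reach this system; the text should say so, or make clear that the single bold `192.168.1.1 RETURN` line is the only local change. The RETURN entry is placed above the `192.168.0.0/16 logdrop` entry that would otherwise match it, and a comment that this ordering is deliberate would stop someone re-sorting the file.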
@ -286,7 +306,15 @@ all all REJECT $LOG # Reje
as do my SuSE system (192.168.1.3), our laptop (192.168.3.8) and
visitors with laptops.</para>

<para>The first entry allows access to the DSL modem and uses features
introduced in Shorewall 2.1.1. The leading plus sign ("+_")
causes the rule to be placed before rules generated by the
/etc/shorewall/nat file below. The double colons ("::") causes
the entry to be exempt from ADD_SNAT_ALIASES=Yes in my shorewall.conf
file above.</para>

<programlisting>#INTERFACE SUBNET ADDRESS
+eth0::192.168.1.1 0.0.0.0/0 192.168.1.254
eth0:2 eth2 206.124.146.179
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
</programlisting>
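Review bot: the new paragraph has a stray underscore in `("+_")`, which should read `("+")` to match the `+eth0::192.168.1.1` entry below, and `The double colons ("::") causes` should be `cause`. The SUBNET column of that entry is `0.0.0.0/0`, so every source that reaches the modem through eth0 is rewritten to 192.168.1.254, not only the loc subnet 192.168.1.0/24; a one-line comment saying why the wider match is wanted would keep it from being tightened by a later reader who assumes it is an oversight.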
@ -300,13 +328,6 @@ eth0:2 eth2 206.124.146.179
<programlisting>#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL
206.124.146.178 eth0:0 192.168.1.5 No No
206.124.146.180 eth0:1 192.168.1.7 No No
#
# The following entry allows the server to be accessed through an address in
# the local network. This is convenient when I'm on the road and connected
# to the PPTP server. By doing this, I don't need to set my client's default
# gateway to route through the tunnel.
#
192.168.1.193 eth2:0 206.124.146.177 No No
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</blockquote>
</section>
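Review bot: the hunk header (13 lines become 6) shows that the `192.168.1.193 eth2:0 206.124.146.177` entry and the comment block explaining its PPTP use are removed, but nothing in the surrounding text says why; if the on-the-road PPTP case is gone, the `DNAT net loc:192.168.1.4 tcp 1723` and gre rules that remain in the rules file should be reviewed for the same reason, and if it is not, the removal needs a sentence.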
@ -317,6 +338,7 @@ eth0:2 eth2 206.124.146.179
<blockquote>
<programlisting>#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
206.124.146.177 eth1 eth0 Yes
192.168.1.1 eth0 eth2 yes # Allow access to DSL modem from the local zone
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</blockquote>
</section>
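Review bot: the new `192.168.1.1 eth0 eth2 yes` line spells HAVEROUTE as `yes` while the line above uses `Yes`; pick one. The `yes` is only true because of the `up ip route add 192.168.1.1 dev eth0` line added to /etc/network/interfaces later in this patch, so the inline comment should name that route, since answering the modem's address on eth2 without a matching host route on eth0 leaves the proxied traffic with nowhere to go.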
@ -371,7 +393,7 @@ AllowPing
dropBcast
DropSMB
DropUPnP
dropNonSyn
dropNotSyn
DropDNSrep</programlisting>
</blockquote>
</section>
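Review bot: the action is renamed from `dropNonSyn` to `dropNotSyn` here and in the following hunk; confirm the new name is the one defined in the installed /usr/share/shorewall/actions.std (the path this patch corrects elsewhere), since an action name that is not defined is a configuration error at start time rather than a silent no-op.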
@ -392,7 +414,7 @@ AllowPing
dropBcast
RejectSMB
DropUPnP
dropNonSyn
dropNotSyn
DropDNSrep
DROP loc:eth2:!192.168.1.0/24 #So that my braindead Windows[tm] XP system doesn't flood my log
#with NTP requests with a source address in 16.0.0.0/8 (address of
@ -405,115 +427,136 @@ DROP loc:eth2:!192.168.1.0/24 #So that my braindead Windows[tm] XP sy

<blockquote>
<programlisting>###############################################################################################################################################################################
#RESULT CLIENT(S) SERVER(S) PROTO PORT(S) CLIENT ORIGINAL RATE USER
# PORT(S) DEST:SNAT SET
#RESULT CLIENT(S) SERVER(S) PROTO PORT(S) CLIENT ORIGINAL RATE USER
# PORT(S) DEST:SNAT SET
###############################################################################################################################################################################
# Local Network to Internet - Reject attempts by Trojans to call home
# Local Network to Internet - Reject attempts by Trojans to call home, direct SMTP and MS Message Service
#
REJECT:$LOG loc net tcp 6667
RejectSMTP loc net tcp 25
REJECT:$LOG loc net tcp 6667,25
REJECT:$LOG loc net udp 1025:1031
#
# Stop NETBIOS crap since our policy is ACCEPT
#
REJECT loc net tcp 137,445
REJECT loc net udp 137:139
REJECT loc net tcp 137,445
REJECT loc net udp 137:139
#
QUEUE loc net udp
QUEUE loc fw udp
QUEUE loc net tcp
DROP loc:!192.168.1.0/24 net

#QUEUE loc net udp
#QUEUE loc fw udp
#QUEUE loc net tcp
###############################################################################################################################################################################
# Local Network to Firewall
# Local Network to Firewall
#
ACCEPT loc fw tcp ssh,time
ACCEPT loc fw udp snmp,ntp
DROP loc:!192.168.1.0/24 fw
ACCEPT loc fw tcp ssh,time
ACCEPT loc fw udp 161,ntp
###############################################################################################################################################################################
# Local Network to DMZ
#
REJECT loc dmz tcp 465
ACCEPT loc dmz udp domain,xdmcp
ACCEPT loc dmz tcp www,smtp,domain,ssh,imap,https,imaps,cvspserver,ftp,10000,8080,10027,pop3 -
DROP loc:!192.168.1.0/24 dmz
ACCEPT loc dmz udp domain,xdmcp
ACCEPT loc dmz tcp www,smtp,smtps,domain,ssh,imap,https,imaps,cvspserver,ftp,10027,pop3 -
###############################################################################################################################################################################
# Internet to DMZ
# Internet to ALL -- drop NewNotSyn packets
#
DNAT- net dmz:206.124.146.177 tcp smtp - 206.124.146.179,206.124.146.178
ACCEPT net dmz tcp smtp,www,ftp,imaps,domain,cvspserver,https -
ACCEPT net dmz udp domain
ACCEPT net dmz udp 33434:33436
Mirrors net dmz tcp rsync
#ACCEPT:$LOG net dmz tcp 32768:61000 20
dropNotSyn net fw tcp
dropNotSyn net loc tcp
dropNotSyn net dmz tcp
###############################################################################################################################################################################
# Internet to DMZ
#
DNAT- net dmz:206.124.146.177 tcp smtp - 206.124.146.179,206.124.146.178
ACCEPT net dmz tcp smtp,smtps,www,ftp,imaps,domain,https,cvspserver -
ACCEPT net dmz udp domain
ACCEPT net dmz udp 33434:33436
Mirrors net dmz tcp rsync
#ACCEPT:$LOG net dmz tcp 32768:61000 20
###############################################################################################################################################################################
#
# Net to Local
#
# When I'm "on the road", the following two rules allow me VPN access back home.
#
DNAT net loc:192.168.1.4 tcp 1723
DNAT net loc:192.168.1.4 gre
DNAT net loc:192.168.1.4 tcp 1723 -
DNAT net:!4.3.113.178 loc:192.168.1.4 gre -
ACCEPT net loc:192.168.1.5 tcp 22
#
# ICQ
#
ACCEPT net loc:192.168.1.5 tcp 4000:4100
ACCEPT net loc:192.168.1.5 tcp 4000:4100
#
# Real Audio
#
ACCEPT net loc:192.168.1.5 udp 6970:7170
ACCEPT net loc:192.168.1.5 udp 6970:7170
#
# Overnet
#
#ACCEPT net loc:192.168.1.5 tcp 4662
#ACCEPT net loc:192.168.1.5 udp 12112
#ACCEPT net loc:192.168.1.5 tcp 4662
#ACCEPT net loc:192.168.1.5 udp 12112
#
# Silently Handle common probes
#
REJECT net loc tcp www,ftp,https
###############################################################################################################################################################################
# DMZ to Internet
#
ACCEPT dmz net tcp smtp,domain,www,https,whois,echo,2702,21,2703,ssh,8080
ACCEPT dmz net udp domain
ACCEPT dmz net:$POPSERVERS tcp pop3
#ACCEPT dmz net:206.191.151.2 tcp pop3
#ACCEPT dmz net:66.216.26.115 tcp pop3
ACCEPT dmz net tcp smtp,domain,www,81,https,whois,echo,2702,21,2703,ssh,8080
ACCEPT dmz net udp domain
REJECT:$LOG dmz net udp 1025:1031
ACCEPT dmz net:$POPSERVERS tcp pop3
#ACCEPT dmz net:206.191.151.2 tcp pop3
#ACCEPT dmz net:66.216.26.115 tcp pop3
#
# Something is wrong with the FTP connection tracking code or there is some client out there
# that is sending a PORT command which that code doesn't understand. Either way,
# the following works around the problem.
#
ACCEPT:$LOG dmz net tcp 1024: 20
ACCEPT:$LOG dmz net tcp 1024: 20
###############################################################################################################################################################################
# DMZ to Firewall -- ntp & snmp, Silently reject Auth
#
ACCEPT dmz fw udp ntp ntp
ACCEPT dmz fw tcp snmp,ssh
ACCEPT dmz fw udp snmp
REJECT dmz fw tcp auth
ACCEPT dmz fw udp ntp ntp
ACCEPT dmz fw tcp 161,ssh
ACCEPT dmz fw udp 161
REJECT dmz fw tcp auth
###############################################################################################################################################################################
# DMZ to Local Network
# DMZ to Local Network
#
ACCEPT dmz loc tcp smtp,6001:6010
ACCEPT dmz:206.124.146.177 loc:192.168.1.3 tcp 111
ACCEPT dmz:206.124.146.177 loc:192.168.1.3 udp
ACCEPT dmz loc tcp smtp,6001:6010
ACCEPT dmz:206.124.146.177 loc:192.168.1.3 tcp 111
ACCEPT dmz:206.124.146.177 loc:192.168.1.3 udp
###############################################################################################################################################################################
# Internet to Firewall
#
REJECT net fw tcp www
ACCEPT net dmz udp 33434:33435

REJECT net fw tcp www,ftp,https
ACCEPT net dmz udp 33434:33435
###############################################################################################################################################################################
# Firewall to Internet
#
ACCEPT fw net:$NTPSERVERS udp ntp ntp
#ACCEPT fw net:$POPSERVERS tcp pop3
ACCEPT fw net udp domain
ACCEPT fw net tcp domain,www,https,ssh,1723,whois,1863,ftp,2702,2703,7
ACCEPT fw net udp 33435:33535
ACCEPT fw net icmp
ACCEPT fw net:$NTPSERVERS udp ntp ntp
#ACCEPT fw net:$POPSERVERS tcp pop3
ACCEPT fw net udp domain
ACCEPT fw net tcp domain,www,https,ssh,1723,whois,1863,ftp,2702,2703,7
ACCEPT fw net udp 33435:33535
ACCEPT fw net icmp
REJECT:$LOG fw net udp 1025:1031
DROP fw net udp ntp
###############################################################################################################################################################################
# Firewall to DMZ
#
ACCEPT fw dmz tcp www,ftp,ssh,smtp
ACCEPT fw dmz udp domain
REJECT fw dmz udp 137:139
ACCEPT fw dmz tcp www,ftp,ssh,smtp
ACCEPT fw dmz udp domain
REJECT fw dmz udp 137:139
###############################################################################################################################################################################
# Ping
#
ACCEPT all all icmp 8
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
ACCEPT all all icmp 8
###############################################################################################################################################################################
ACCEPT tx loc:192.168.1.5 all
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
</programlisting>
</blockquote>
</section>

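Review bot: `REJECT loc dmz tcp 465` disappears and `smtps` is added to both the loc→dmz and the net→dmz ACCEPT lists, which reverses the earlier handling of port 465 without a comment; confirm this is intended and say so in the listing. The new `DNAT net:!4.3.113.178 loc:192.168.1.4 gre -` exclusion and the added port `81` in the dmz→net ACCEPT line are likewise unexplained, and the closing `ACCEPT tx loc:192.168.1.5 all` gives the tx zone every protocol to that host, which is broad enough to deserve a one-line justification. The three `DROP loc:!192.168.1.0/24` rules are what replace the `detectnets` option removed from eth2 in the interfaces file and should carry a comment saying so; finally, `ACCEPT net dmz udp 33434:33435` sits under the `# Internet to Firewall` heading and duplicates the wider `33434:33436` rule in the Internet to DMZ section, so it is either misplaced or redundant.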
@ -521,14 +564,23 @@ ACCEPT all all icmp
<title>/etc/network/interfaces</title>

<blockquote>
<para>This file is Debian specific. My additional entry (which is
displayed in <emphasis role="bold">bold type</emphasis>) adds a route
to my DMZ server when eth1 is brought up. It allows me to enter
<quote>Yes</quote> in the HAVEROUTE column of <link linkend="ProxyARP">my
Proxy ARP file</link>.</para>
<para>This file is Debian specific. My additional entries(which is
displayed in <emphasis role="bold">bold type</emphasis>) add a route
to my DSL modem when eth0 is brought up and a route to my DMZ server
when eth1 is brought up. It allows me to enter <quote>Yes</quote> in
the HAVEROUTE column of <link linkend="ProxyARP">my Proxy ARP file</link>.</para>

<programlisting>...
auto eth1
auto auto eth0
iface eth0 inet static
address 206.124.146.176
netmask 255.255.255.0
network 206.124.146.0
broadcast 206.124.146.255
gateway 206.124.146.254
<emphasis role="bold">up ip route add 192.168.1.1 dev eth0</emphasis>

eth1
iface eth1 inet static
address 206.124.146.176
netmask 255.255.255.255

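Review bot: `auto auto eth0` repeats the keyword and the bare `eth1` line below has lost the `auto` that the old text had (`auto eth1`), so as written ifupdown would look for an interface literally named `auto` and would not raise eth1 at boot; the two lines should read `auto eth0` and `auto eth1`. In the paragraph, `My additional entries(which is displayed` needs a space before the parenthesis and `which are displayed`, and `It allows me to enter` should be `They allow me to enter` now that there are two entries.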
@ -15,7 +15,7 @@
</author>
</authorgroup>

<pubdate>2004-06-11</pubdate>
<pubdate>2004-07-14</pubdate>

<copyright>
<year>2002-2004</year>
@ -317,7 +317,7 @@ all all REJECT info</programlisting>
<para>Shorewall 2.0.0 and later include a collection of actions that can
be used to quickly allow or deny services. You can find a list of the
actions included in your version of Shorewall in the file
<filename>/etc/shorewall/actions.std</filename>.</para>
<filename>/usr/share/shorewall/actions.std</filename>.</para>

<para>Those actions that allow a connection begin with <quote>Allow</quote>.</para>


@ -27,7 +27,7 @@
</author>
</authorgroup>

<pubdate>2004-02-16</pubdate>
<pubdate>2004-07-14</pubdate>

<copyright>
<year>2002-2004</year>
@ -41,22 +41,20 @@
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
</legalnotice>
</articleinfo>

<note>
<para><emphasis role="underline">Notes du traducteur :</emphasis> Le guide
initial a été traduit par <ulink
url="mailto:vetsel.patrice@wanadoo.fr">VETSEL Patrice</ulink> que je
remercie. J'en ai assuré la révision pour l'adapter à la version 2 de
Shorewall. J'espère vous faciliter l'accès et la prise en main d'un
firewall performant, efficace, adaptable et facile d'utilisation. Donc
félicitations pour la qualité du travail et la disponibilité offerte par
Thomas M. Eastep. Si vous trouvez des erreurs ou des améliorations à
apporter vous pouvez me contacter <ulink
url="mailto:fd03x@wanadoo.fr">Fabien Demassieux</ulink></para>
initial a été traduit par <ulink url="mailto:vetsel.patrice@wanadoo.fr">VETSEL
Patrice</ulink> que je remercie. J'en ai assuré la révision pour
l'adapter à la version 2 de Shorewall. J'espère vous faciliter
l'accès et la prise en main d'un firewall performant, efficace,
adaptable et facile d'utilisation. Donc félicitations pour la qualité
du travail et la disponibilité offerte par Thomas M. Eastep. Si vous
trouvez des erreurs ou des améliorations à apporter vous pouvez me
contacter <ulink url="mailto:fd03x@wanadoo.fr">Fabien Demassieux</ulink></para>
</note>

<section>
@ -87,12 +85,11 @@
<section>
<title>Pré-requis</title>

<para>Shorewall a besoin que le package
<command>iproute</command>/<command>iproute2</command> soit installé
(avec la distribution <trademark>RedHat</trademark>, le package
s'appelle <command>iproute</command>). Vous pouvez vérifier si le
package est installé par la présence du programme <command>ip</command>
sur votre firewall. En tant que <systemitem
<para>Shorewall a besoin que le package <command>iproute</command>/<command>iproute2</command>
soit installé (avec la distribution <trademark>RedHat</trademark>, le
package s'appelle <command>iproute</command>). Vous pouvez vérifier
si le package est installé par la présence du programme
<command>ip</command> sur votre firewall. En tant que <systemitem
class="username">root</systemitem>, vous pouvez utiliser la commande
<command>which</command> pour cela:</para>

@ -113,22 +110,20 @@
<trademark>Windows</trademark>, vous devez les sauver comme des
fichiers <trademark>Unix</trademark> si votre éditeur supporte cette
option sinon vous devez les convertir avec <command>dos2unix</command>
avant d'essayer de les utiliser. De la même manière, si vous copiez un
fichier de configuration depuis votre disque dur
avant d'essayer de les utiliser. De la même manière, si vous
copiez un fichier de configuration depuis votre disque dur
<trademark>Windows</trademark> vers une disquette, vous devez lancer
<command>dos2unix</command> sur la copie avant de l'utiliser avec
<command>dos2unix</command> sur la copie avant de l'utiliser avec
Shorewall.</para>

<itemizedlist>
<listitem>
<para><ulink
url="http://www.simtel.net/pub/pd/51438.html"><trademark>Windows</trademark>
<para><ulink url="http://www.simtel.net/pub/pd/51438.html"><trademark>Windows</trademark>
Version of <command>dos2unix</command></ulink></para>
</listitem>

<listitem>
<para><ulink
url="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
<para><ulink url="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
Version of <command>dos2unix</command></ulink></para>
</listitem>
</itemizedlist>
@ -138,7 +133,7 @@
<section>
<title>Conventions</title>

<para>Les points ou les modifications s'imposent sont indiqués par
<para>Les points ou les modifications s'imposent sont indiqués par
<inlinegraphic fileref="images/BD21298_.gif" format="GIF" />.</para>
</section>
</section>
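Review bot: this hunk only re-indents the sentence, but the sentence it rewrites carries a pre-existing error, `Les points ou les modifications s'imposent` should be `Les points où les modifications s'imposent` (the relative adverb où, not the conjunction ou); since the line is being rewritten anyway, fix it here rather than in a later commit.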
@ -148,12 +143,12 @@
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||
|
||||
<para>Si vous êtes équipé d'un modem <acronym>ADSL</acronym> et utilisez
|
||||
<acronym>PPTP</acronym> pour communiquer avec un serveur à travers ce
|
||||
modem, vous devez faire le changement <ulink
|
||||
<para>Si vous êtes équipé d'un modem <acronym>ADSL</acronym> et
|
||||
utilisez <acronym>PPTP</acronym> pour communiquer avec un serveur à
|
||||
travers ce modem, vous devez faire le changement <ulink
|
||||
url="PPTP.htm#PPTP_ADSL">suivant</ulink> en plus de ceux ci-dessous.
|
||||
<acronym>ADSL</acronym> avec <acronym>PPTP</acronym> est commun en Europe,
|
||||
ainsi qu'en Australie.</para>
|
||||
ainsi qu'en Australie.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
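Review bot: "ADSL avec PPTP est commun en Europe" is a calque of "common"; the idiomatic word is "courant" ("est courant en Europe"). Otherwise this hunk is a pure rewrap of the PPTP paragraph.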
@ -162,21 +157,17 @@
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||
|
||||
<para>Les fichiers de configuration pour Shorewall sont situés dans le
|
||||
répertoire /etc/shorewall -- pour de simples paramétrages, vous n'avez à
|
||||
faire qu'avec quelques un d'entre eux comme décris dans ce guide.<tip>
|
||||
<para>Après avoir <ulink url="Install.htm">installé Shorewall</ulink>,
|
||||
téléchargez <ulink
|
||||
url="http://www1.shorewall.net/pub/shorewall/Samples/">l'exemple
|
||||
one-interface</ulink>, décompressez le (<command>tar
|
||||
<option>-zxvf</option>
|
||||
<filename>one-interface.tgz</filename></command>) et copiez les
|
||||
fichiers dans <filename class="directory">/etc/shorewall</filename>
|
||||
<emphasis role="bold">(ces fichiers remplaceront les
|
||||
initiaux)</emphasis>.</para>
|
||||
</tip>Parallèlement à la présentation, je vous suggère de jeter un oeil
|
||||
à ceux physiquement présents sur votre système -- chacun des fichiers
|
||||
contient des instructions de configuration détaillées et des entrées par
|
||||
défaut.</para>
|
||||
répertoire /etc/shorewall -- pour de simples paramétrages, vous n'avez
|
||||
à faire qu'avec quelques un d'entre eux comme décris dans ce
|
||||
guide.<tip><para>Après avoir <ulink url="Install.htm">installé Shorewall</ulink>,
|
||||
téléchargez <ulink url="http://www1.shorewall.net/pub/shorewall/Samples/">l'exemple
|
||||
one-interface</ulink>, décompressez le (<command>tar <option>-zxvf</option>
|
||||
<filename>one-interface.tgz</filename></command>) et copiez les fichiers
|
||||
dans <filename class="directory">/etc/shorewall</filename> <emphasis
|
||||
role="bold">(ces fichiers remplaceront les initiaux)</emphasis>.</para></tip>Parallèlement
|
||||
à la présentation, je vous suggère de jeter un oeil à ceux physiquement
|
||||
présents sur votre système -- chacun des fichiers contient des
|
||||
instructions de configuration détaillées et des entrées par défaut.</para>
|
||||
|
||||
<para>Shorewall voit le réseau où il fonctionne, comme un ensemble de
|
||||
zones.Dans les fichiers de configuration fournis pour une unique
|
||||
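Review bot: two typos survive the reflow of the /etc/shorewall paragraph: "quelques un d'entre eux comme décris dans ce guide" should read "quelques-uns d'entre eux comme décrit dans ce guide". Collapsing the <tip> onto a few long lines is consistent with the rest of this commit, but it makes the tip harder to read in source form and will make any later change to it a noisy diff; one element per line, as the old form had, is preferable.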
@ -206,8 +197,7 @@
|
||||
url="Documentation.htm#Zones"><filename>/etc/shorewall/zones</filename></ulink>.</para>
|
||||
|
||||
<para>Shorewall reconnaît aussi le système de firewall comme sa propre
|
||||
zone - par défaut, le firewall est connu comme <emphasis
|
||||
role="bold"><varname>fw</varname></emphasis>.</para>
|
||||
zone - par défaut, le firewall est connu comme <emphasis role="bold"><varname>fw</varname></emphasis>.</para>
|
||||
|
||||
<para>Les règles concernant le trafic à autoriser ou à interdire sont
|
||||
exprimées en utilisant les termes de zones.</para>
|
||||
@ -215,9 +205,8 @@
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>Vous exprimez votre politique par défaut pour les connexions
|
||||
d'une zone vers une autre zone dans le fichier <ulink
|
||||
url="Documentation.htm#Policy"><filename
|
||||
class="directory">/etc/shorewall/</filename><filename>policy</filename></ulink>.</para>
|
||||
d'une zone vers une autre zone dans le fichier <ulink
|
||||
url="Documentation.htm#Policy"><filename class="directory">/etc/shorewall/</filename><filename>policy</filename></ulink>.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@ -231,19 +220,17 @@
|
||||
requête est en premier lieu comparée par rapport au fichier <filename
|
||||
class="directory">/etc/shorewall/</filename><filename>rules</filename>. Si
|
||||
aucune règle dans ce fichier ne correspond à la demande de connexion alors
|
||||
la première politique dans le fichier <filename
|
||||
class="directory">/etc/shorewall/</filename><filename>policy</filename>
|
||||
la première politique dans le fichier <filename class="directory">/etc/shorewall/</filename><filename>policy</filename>
|
||||
qui y correspond sera appliquée. Si cette politique est
|
||||
<varname>REJECT</varname> ou <varname>DROP</varname> la requête est dans
|
||||
un premier temps comparée par rapport aux règles contenues dans le fichier
|
||||
<filename
|
||||
class="directory">/etc/shorewall/</filename><filename>common</filename>,
|
||||
<filename class="directory">/etc/shorewall/</filename><filename>common</filename>,
|
||||
si ce fichier existe; sinon les régles dans le fichier <filename
|
||||
class="directory">/etc/shorewall/</filename><filename>common.def</filename>
|
||||
sont vérifiées.</para>
|
||||
|
||||
<para>Le fichier /etc/shorewall/policy inclus dans l'archive d'exemple
|
||||
(one-interface) contient les politiques suivantes:</para>
|
||||
<para>Le fichier /etc/shorewall/policy inclus dans l'archive
|
||||
d'exemple (one-interface) contient les politiques suivantes:</para>
|
||||
|
||||
<programlisting>#SOURCE ZONE DESTINATION ZONE POLICY LOG LEVEL LIMIT:BURST
|
||||
fw net ACCEPT
|
||||
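Review bot: "sinon les régles dans le fichier common.def" should be "règles" (grave accent). Also, the paragraph says the request is matched "en premier lieu" against rules and then, when the policy is REJECT or DROP, "dans un premier temps" against /etc/shorewall/common; the second phrase reads as if common were consulted first and contradicts the ordering just given. "ensuite" (or "alors") is what is meant, since the common rules apply only after the policy has been selected.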
@ -255,12 +242,12 @@ all all REJECT info</programlisting>
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>Permettre toutes demandes de connexion depuis le firewall vers
|
||||
l'Internet</para>
|
||||
l'Internet</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Drop (ignorer) toutes les demandes de connexion depuis
|
||||
l'Internet vers votre firewall</para>
|
||||
l'Internet vers votre firewall</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
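Review bot: "Permettre toutes demandes de connexion" is missing the article; "toutes les demandes de connexion" matches the wording of the next list item. Pure reflow otherwise.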
@ -270,57 +257,50 @@ all all REJECT info</programlisting>
|
||||
</orderedlist>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" /> A ce point, éditez
|
||||
votre /etc/shorewall/policy et faites y les changements que vous
|
||||
désirez.</para>
|
||||
votre /etc/shorewall/policy et faites y les changements que vous désirez.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Interface Externe</title>
|
||||
|
||||
<para>Le firewall possède une seule interface réseau. Lorsque la connexion
|
||||
Internet passe par un modem câble ou par un
|
||||
<quote>Routeur</quote><acronym> ADSL</acronym>(pas un simple modem),
|
||||
l'<emphasis>Interface Externe</emphasis> sera l'adaptateur ethernet qui y
|
||||
est connecté à ce <quote>Modem</quote> (e.g., <filename
|
||||
class="devicefile">eth0</filename>) à moins d'une connexion par
|
||||
<emphasis>Point-to-Point Protocol</emphasis> over Ethernet
|
||||
(<acronym>PPPoE</acronym>) ou <emphasis>Point-to-Point Tunneling
|
||||
Protocol</emphasis> (<acronym>PPTP</acronym>) dans ce cas l'interface
|
||||
externe sera (e.g., <filename class="devicefile">ppp0</filename>). Si vous
|
||||
utilisez par un simple modem (<acronym>RTC</acronym>), votre interface
|
||||
externe sera aussi <filename class="devicefile">ppp0</filename>. Si vous
|
||||
utilisez l'<acronym>ISDN</acronym>, votre interface externe sera <filename
|
||||
class="devicefile">ippp0</filename>.</para>
|
||||
Internet passe par un modem câble ou par un <quote>Routeur</quote><acronym>
|
||||
ADSL</acronym>(pas un simple modem), l'<emphasis>Interface Externe</emphasis>
|
||||
sera l'adaptateur ethernet qui y est connecté à ce <quote>Modem</quote>
|
||||
(e.g., <filename class="devicefile">eth0</filename>) à moins d'une
|
||||
connexion par <emphasis>Point-to-Point Protocol</emphasis> over Ethernet (<acronym>PPPoE</acronym>)
|
||||
ou <emphasis>Point-to-Point Tunneling Protocol</emphasis> (<acronym>PPTP</acronym>)
|
||||
dans ce cas l'interface externe sera (e.g., <filename
|
||||
class="devicefile">ppp0</filename>). Si vous utilisez par un simple modem
|
||||
(<acronym>RTC</acronym>), votre interface externe sera aussi <filename
|
||||
class="devicefile">ppp0</filename>. Si vous utilisez l'<acronym>ISDN</acronym>,
|
||||
votre interface externe sera <filename class="devicefile">ippp0</filename>.</para>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||
|
||||
<para>Si votre interface vers l'extérieur est <emphasis
|
||||
role="bold">ppp0</emphasis> ou <emphasis role="bold">ippp0</emphasis>
|
||||
alors vous mettrez <varname>CLAMPMSS=yes</varname> dans le fichier
|
||||
<filename
|
||||
<para>Si votre interface vers l'extérieur est <emphasis role="bold">ppp0</emphasis>
|
||||
ou <emphasis role="bold">ippp0</emphasis> alors vous mettrez
|
||||
<varname>CLAMPMSS=yes</varname> dans le fichier <filename
|
||||
class="directory">/etc/shorewall/</filename><filename>shorewall.conf</filename>.</para>
|
||||
|
||||
<para>Le fichier de configuration d'exemple pour une interface suppose que
|
||||
votre interface externe est eth0. Si votre configuration est différente,
|
||||
vous devrez modifier le fichier<filename
|
||||
class="directory">/etc/shorewall/</filename><filename>interfaces</filename>
|
||||
<para>Le fichier de configuration d'exemple pour une interface suppose
|
||||
que votre interface externe est eth0. Si votre configuration est
|
||||
différente, vous devrez modifier le fichier<filename class="directory">/etc/shorewall/</filename><filename>interfaces</filename>
|
||||
en conséquence. Tant que vous y êtes, vous pourriez parcourir la liste des
|
||||
options qui sont spécifiées pour les interfaces. Quelques trucs:</para>
|
||||
|
||||
<tip>
|
||||
<para>Si votre interface vers l'extérieur est <filename
|
||||
class="devicefile">ppp0</filename> ou <filename
|
||||
class="devicefile">ippp0</filename>, vous pouvez remplacer le detect
|
||||
dans la seconde colonne par un <quote>-</quote> (sans les
|
||||
quotes).</para>
|
||||
<para>Si votre interface vers l'extérieur est <filename
|
||||
class="devicefile">ppp0</filename> ou <filename class="devicefile">ippp0</filename>,
|
||||
vous pouvez remplacer le detect dans la seconde colonne par un
|
||||
<quote>-</quote> (sans les quotes).</para>
|
||||
</tip>
|
||||
|
||||
<tip>
|
||||
<para>Si votre interface vers l'extérieur est <filename
|
||||
class="devicefile">ppp0</filename> or <filename
|
||||
class="devicefile">ippp0</filename> u si vous avez une adresse
|
||||
<acronym>IP</acronym> statique, vous pouvez enlever
|
||||
<varname>dhcp</varname> dans la liste des options .</para>
|
||||
<para>Si votre interface vers l'extérieur est <filename
|
||||
class="devicefile">ppp0</filename> or <filename class="devicefile">ippp0</filename>
|
||||
u si vous avez une adresse <acronym>IP</acronym> statique, vous pouvez
|
||||
enlever <varname>dhcp</varname> dans la liste des options .</para>
|
||||
</tip>
|
||||
|
||||
<tip>
|
||||
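Review bot: the second <tip> still mixes English into the French sentence after the rewrap: "ppp0 or ippp0 u si vous avez une adresse IP statique" should read "ppp0 ou ippp0 ou si vous avez une adresse IP statique". In the same hunk, "Si vous utilisez par un simple modem (RTC)" should drop "par". Since the tip tells users with a static address to remove dhcp from the interface options, it would help to say why: the dhcp option makes Shorewall accept DHCP traffic (UDP 67/68) on that interface, which a statically configured interface does not need, so leaving it in widens the external interface for nothing.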
@ -330,28 +310,27 @@ all all REJECT info</programlisting>
|
||||
<filename>/usr/share/shorewall/rfc1918</filename>. Sinon, vous pouvez
|
||||
copier le fichier <filename>/usr/share/shorewall/rfc1918</filename> vers
|
||||
<filename>/etc/shorewall/rfc1918</filename> et <ulink
|
||||
url="myfiles.htm#RFC1918">adapter votre fichier
|
||||
<filename>/etc/shorewall/rfc1918</filename> comme je le
|
||||
fais</ulink>.</para>
|
||||
url="myfiles.htm#RFC1918">adapter votre fichier <filename>/etc/shorewall/rfc1918</filename>
|
||||
comme je le fais</ulink>.</para>
|
||||
</tip>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Adresse IP</title>
|
||||
|
||||
<para>Avant d'aller plus loin, nous devons dire quelques mots au sujet des
|
||||
adresses Internet Protocol (<acronym>IP</acronym>). Normalement, votre
|
||||
<para>Avant d'aller plus loin, nous devons dire quelques mots au sujet
|
||||
des adresses Internet Protocol (<acronym>IP</acronym>). Normalement, votre
|
||||
fournisseur Internet <acronym>ISP</acronym> vous assignera une seule
|
||||
adresse IP. Cette adresse peut être assignée par le Dynamic Host
|
||||
Configuration Protocol (<acronym>DHCP</acronym>) ou lors de
|
||||
l'établissement de votre connexion (modem standard) ou établissez votre
|
||||
connexion <acronym>PPP</acronym>. Dans de rares cas , votre provider peut
|
||||
vous assigner une adresse statique <acronym>IP</acronym> ; cela signifie
|
||||
que vous devez configurer l'interface externe de votre firewall afin
|
||||
d'utiliser cette adresse de manière permanente. La <emphasis
|
||||
role="bold">RFC 1918</emphasis> réserve plusieurs plages d'adresses
|
||||
privées <emphasis>Private</emphasis> <acronym>IP</acronym> à cet
|
||||
fin:</para>
|
||||
l'établissement de votre connexion (modem standard) ou établissez
|
||||
votre connexion <acronym>PPP</acronym>. Dans de rares cas , votre provider
|
||||
peut vous assigner une adresse statique <acronym>IP</acronym> ; cela
|
||||
signifie que vous devez configurer l'interface externe de votre
|
||||
firewall afin d'utiliser cette adresse de manière permanente. La
|
||||
<emphasis role="bold">RFC 1918</emphasis> réserve plusieurs plages
|
||||
d'adresses privées <emphasis>Private</emphasis> <acronym>IP</acronym>
|
||||
à cet fin:</para>
|
||||
|
||||
<table>
|
||||
<title>Exemple sous-réseau</title>
|
||||
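Review bot: "à cet fin" should be "à cette fin", and the sentence it closes is misleading: RFC 1918 does not reserve private ranges for the static-assignment case described in the previous sentence; it reserves them for use inside private networks. Suggest "La RFC 1918 réserve plusieurs plages d'adresses IP privées pour les réseaux privés :". Also "Dans de rares cas , votre provider" has a stray space before the comma and "provider" should be "fournisseur", as used earlier in the same paragraph.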
@ -370,81 +349,75 @@ all all REJECT info</programlisting>
|
||||
<row>
|
||||
<entry>Subnet Address:</entry>
|
||||
|
||||
<entry><systemitem
|
||||
class="ipaddress">10.10.10.0</systemitem></entry>
|
||||
<entry><systemitem class="ipaddress">10.10.10.0</systemitem></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>Broadcast Address:</entry>
|
||||
|
||||
<entry><systemitem
|
||||
class="ipaddress">10.10.10.255</systemitem></entry>
|
||||
<entry><systemitem class="ipaddress">10.10.10.255</systemitem></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>CIDR Notation:</entry>
|
||||
|
||||
<entry><systemitem
|
||||
class="ipaddress">10.10.10.0/24</systemitem></entry>
|
||||
<entry><systemitem class="ipaddress">10.10.10.0/24</systemitem></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
|
||||
<para>Ces adresses sont parfois nommées comme
|
||||
<emphasis>non-routable</emphasis> car les routeurs centraux d'Internet ne
|
||||
renvoient pas un paquet dont la destination est réservée par la RFC 1918.
|
||||
Dans certain cas cependant, les FAI (fournisseurs d'accés Internet)
|
||||
assignent ces adresses et utilisent ensuite NAT <emphasis>Network Address
|
||||
Translation</emphasis> pour réécrire les en-têtes de paquets renvoyés
|
||||
vers/depuis Internet.</para>
|
||||
<para>Ces adresses sont parfois nommées comme <emphasis>non-routable</emphasis>
|
||||
car les routeurs centraux d'Internet ne renvoient pas un paquet dont
|
||||
la destination est réservée par la RFC 1918. Dans certain cas cependant,
|
||||
les FAI (fournisseurs d'accés Internet) assignent ces adresses et
|
||||
utilisent ensuite NAT <emphasis>Network Address Translation</emphasis>
|
||||
pour réécrire les en-têtes de paquets renvoyés vers/depuis Internet.</para>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||
|
||||
<para>Avant de lancer Shorewall, regarder l'adresse IP de votre interface
|
||||
externe, et si elle est dans les plages précédentes, vous devez enlever
|
||||
l'option 'norfc1918' dans la ligne concernant l'interface externe dans le
|
||||
fichier <filename
|
||||
class="directory">/etc/shorewall/</filename><filename>interfaces</filename>.</para>
|
||||
<para>Avant de lancer Shorewall, regarder l'adresse IP de votre
|
||||
interface externe, et si elle est dans les plages précédentes, vous devez
|
||||
enlever l'option 'norfc1918' dans la ligne concernant
|
||||
l'interface externe dans le fichier <filename class="directory">/etc/shorewall/</filename><filename>interfaces</filename>.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Permettre d'autres connexions</title>
|
||||
<title>Permettre d'autres connexions</title>
|
||||
|
||||
<para>Shorewall version 2.0.0 et postérieure propose une collection
|
||||
d'actions qui peuvent être utilisées pour rapidemement autoriser ou
|
||||
d'actions qui peuvent être utilisées pour rapidemement autoriser ou
|
||||
refuser des services. Pour voir les actions comprises avec votre version
|
||||
de Shorewall, regardez dans le fichier
|
||||
<filename>/etc/shorewall/actions.std</filename>. Le nom de celles qui
|
||||
acceptent des connexions débutent par <quote>Allow</quote>.</para>
|
||||
de Shorewall, regardez dans le fichier <filename>/usr/share/shorewall/actions.std</filename>.
|
||||
Le nom de celles qui acceptent des connexions débutent par <quote>Allow</quote>.</para>
|
||||
|
||||
<para>Si vous souhaitez autoriser d'autre connexions depuis internet vers
|
||||
votre firewall, le format général utilisant l'action type
|
||||
<para>Si vous souhaitez autoriser d'autre connexions depuis internet
|
||||
vers votre firewall, le format général utilisant l'action type
|
||||
<quote>Allow</quote> est:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
<<emphasis>action</emphasis>> net fw</programlisting>
|
||||
<<emphasis>action</emphasis>> net fw</programlisting>
|
||||
|
||||
<example>
|
||||
<title>Vous voulez un serveur Web et POP3 accessible de l'extérieur sur
|
||||
votre firewall:</title>
|
||||
<title>Vous voulez un serveur Web et POP3 accessible de l'extérieur
|
||||
sur votre firewall:</title>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
AllowWeb net fw
|
||||
AllowPOP3 net fw</programlisting>
|
||||
</example>
|
||||
|
||||
<para>Au cas ou Shorewall ne propose pas d'actions définies qui vous
|
||||
<para>Au cas ou Shorewall ne propose pas d'actions définies qui vous
|
||||
conviennent, vous pouvez les définir vous même ou coder directement les
|
||||
régles dans <filename>/etc/shorewall/rules</filename> selon le format
|
||||
suivant:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
ACCEPT net fw <emphasis><protocol></emphasis> <emphasis><port></emphasis></programlisting>
|
||||
ACCEPT net fw <emphasis><protocol></emphasis> <emphasis><port></emphasis></programlisting>
|
||||
|
||||
<example>
|
||||
<title>Vous voulez un serveur Web et POP3 accessible de l'extérieur sur
|
||||
votre firewall:</title>
|
||||
<title>Vous voulez un serveur Web et POP3 accessible de l'extérieur
|
||||
sur votre firewall:</title>
|
||||
|
||||
<para><programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
ACCEPT net fw tcp 80
|
||||
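Review bot: the path change for actions.std (from /etc/shorewall/actions.std to /usr/share/shorewall/actions.std) is the one substantive edit in this file and is buried among whitespace reflows; it matches the same fix made to the English guide later in this commit, but the revision history at the end of this file is not bumped for it. Also "rapidemement" should be "rapidement", and "un serveur Web et POP3 accessible de l'extérieur" should agree in number: "accessibles".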
@ -452,14 +425,13 @@ ACCEPT net fw tcp 110</programlisting></para>
|
||||
</example>
|
||||
|
||||
<para>Si vous ne savez pas quel port(s) et protocole(s) requièrent une
|
||||
application particulière, vous pouvez regarder <ulink
|
||||
url="ports.htm">ici</ulink>.</para>
|
||||
application particulière, vous pouvez regarder <ulink url="ports.htm">ici</ulink>.</para>
|
||||
|
||||
<important>
|
||||
<para>Je ne recommande pas d'autoriser <command>telnet</command> vers/de
|
||||
l'Internet parce qu'il utilise du texte en clair (même pour le login!).
|
||||
Si vous voulez un accés shell à votre firewall, utilisez
|
||||
<acronym>SSH</acronym>:</para>
|
||||
<para>Je ne recommande pas d'autoriser <command>telnet</command>
|
||||
vers/de l'Internet parce qu'il utilise du texte en clair (même
|
||||
pour le login!). Si vous voulez un accés shell à votre firewall,
|
||||
utilisez <acronym>SSH</acronym>:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
AllowSSH net fw</programlisting>
|
||||
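Review bot: the AllowSSH example directly after the telnet warning accepts SSH from the entire net zone; since the point of the <important> block is not to expose shell access to the Internet carelessly, it would be worth adding that the SOURCE column can be narrowed to the administrator's address (Shorewall accepts zone:address there, e.g. net:a.b.c.d with a real address), so the advice becomes "SSH, from known hosts" rather than "SSH from anywhere". Also "accés shell" should be "accès shell".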
@ -477,14 +449,13 @@ AllowSSH net fw</programlisting>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||
|
||||
<para>La <ulink url="Install.htm">procédure d'installation</ulink>
|
||||
<para>La <ulink url="Install.htm">procédure d'installation</ulink>
|
||||
configure votre système pour lancer Shorewall au boot du système, mais au
|
||||
début avec la version 1.3.9 de Shorewall le lancement est désactivé,
|
||||
n'essayer pas de lancer Shorewall avec que la configuration soit finie.
|
||||
Une fois que vous en aurez fini avec la configuration du firewall, vous
|
||||
pouvez permettre le lancement de Shorewall en supprimant le fichier
|
||||
<filename
|
||||
class="directory">/etc/shorewall/</filename><filename>startup_disabled</filename>.</para>
|
||||
n'essayer pas de lancer Shorewall avec que la configuration soit
|
||||
finie. Une fois que vous en aurez fini avec la configuration du firewall,
|
||||
vous pouvez permettre le lancement de Shorewall en supprimant le fichier
|
||||
<filename class="directory">/etc/shorewall/</filename><filename>startup_disabled</filename>.</para>
|
||||
|
||||
<important>
|
||||
<para>Les utilisateurs des paquets .deb doivent éditer <filename
|
||||
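Review bot: "n'essayer pas de lancer Shorewall avec que la configuration soit finie" carries two errors through the rewrap: the imperative is "n'essayez pas", and "avant que" (before), not "avec que". "au début avec la version 1.3.9 de Shorewall le lancement est désactivé" would read better as "à partir de la version 1.3.9 de Shorewall, le lancement est désactivé".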
@ -492,32 +463,27 @@ AllowSSH net fw</programlisting>
|
||||
and set <varname>startup=1</varname>.</para>
|
||||
</important>
|
||||
|
||||
<para>Le firewall est activé en utilisant la commande
|
||||
<quote><command>shorewall start</command></quote> et arrêté avec
|
||||
<quote><command>shorewall stop</command></quote>. Lorsque le firewall est
|
||||
stoppé, le routage est autorisé sur les hôtes qui possèdent une entrée
|
||||
dans <filename
|
||||
class="directory">/etc/shorewall/</filename><filename><ulink
|
||||
<para>Le firewall est activé en utilisant la commande <quote><command>shorewall
|
||||
start</command></quote> et arrêté avec <quote><command>shorewall stop</command></quote>.
|
||||
Lorsque le firewall est stoppé, le routage est autorisé sur les hôtes qui
|
||||
possèdent une entrée dans <filename class="directory">/etc/shorewall/</filename><filename><ulink
|
||||
url="Documentation.htm#Routestopped">routestopped</ulink></filename>. Un
|
||||
firewall qui tourne peut être relancé en utilisant la commande
|
||||
<quote><command>shorewall restart</command></quote> command. Si vous
|
||||
voulez enlever toutes traces de Shorewall sur votre configuration de
|
||||
Netfilter, utilisez <quote><command>shorewall
|
||||
clear</command></quote>.</para>
|
||||
Netfilter, utilisez <quote><command>shorewall clear</command></quote>.</para>
|
||||
|
||||
<warning>
|
||||
<para>Si vous êtes connecté à votre firewall depuis Internet, n'essayez
|
||||
pas une commande <quote><command>shorewall stop</command></quote> tant
|
||||
que vous n'avez pas ajouté une entrée pour votre adresse
|
||||
<para>Si vous êtes connecté à votre firewall depuis Internet,
|
||||
n'essayez pas une commande <quote><command>shorewall stop</command></quote>
|
||||
tant que vous n'avez pas ajouté une entrée pour votre adresse
|
||||
<acronym>IP</acronym> (celle à partir de laquelle vous êtes connectée)
|
||||
dans <filename
|
||||
class="directory">/etc/shorewall/</filename><filename>routestopped</filename>.
|
||||
De la même manière, je ne vous recommande pas d'utiliser
|
||||
dans <filename class="directory">/etc/shorewall/</filename><filename>routestopped</filename>.
|
||||
De la même manière, je ne vous recommande pas d'utiliser
|
||||
<quote><command>shorewall restart</command></quote>; il est plus
|
||||
intéressant de créer <ulink
|
||||
url="configuration_file_basics.htm#Configs">une configuration
|
||||
alternative</ulink> et de la tester en utilisant la commande
|
||||
<quote><command>shorewall try</command></quote>.</para>
|
||||
intéressant de créer <ulink url="configuration_file_basics.htm#Configs">une
|
||||
configuration alternative</ulink> et de la tester en utilisant la
|
||||
commande <quote><command>shorewall try</command></quote>.</para>
|
||||
</warning>
|
||||
</section>
|
||||
|
||||
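Review bot: the .deb note ends in untranslated English, "and set startup=1", and "shorewall restart command" repeats "command" after the French "la commande"; both lines sit inside this hunk's context, so fix them while here. The warning itself is sound: stopping the firewall while connected remotely locks you out unless your address is in routestopped, and testing a change with "shorewall try" rather than "shorewall restart" is the safer procedure, so keep that text as is.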
@ -527,64 +493,18 @@ AllowSSH net fw</programlisting>
|
||||
<para>Je vous recommande vivement de lire la <ulink
|
||||
url="configuration_file_basics.htm">page des Fonctionnalités Générales des
|
||||
Fichiers de Configuration</ulink> -- elle contient des trucs sur les
|
||||
possibilités de Shorewall pour rendre aisé l'administration de votre
|
||||
possibilités de Shorewall pour rendre aisé l'administration de votre
|
||||
firewall Shorewall.</para>
|
||||
</section>
|
||||
|
||||
<appendix>
|
||||
<title>Historique de Révision</title>
|
||||
|
||||
<para><revhistory>
|
||||
<revision>
|
||||
<revnumber>1.7</revnumber>
|
||||
|
||||
<date>2004-02-16</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Move /etc/shorewall/rfc1918 to
|
||||
/usr/share/shorewall.</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.6</revnumber>
|
||||
|
||||
<date>2004-02-05</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Update for Shorewall 2.0</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.5</revnumber>
|
||||
|
||||
<date>2004-01-05</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Standards Changes</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.4</revnumber>
|
||||
|
||||
<date>2003-12-30</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Add tip about /etc/shorewall/rfc1918 updates.</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.3</revnumber>
|
||||
|
||||
<date>2003-11-15</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Initial Docbook Conversion</revremark>
|
||||
</revision>
|
||||
</revhistory></para>
|
||||
<para><revhistory><revision><revnumber>1.7</revnumber><date>2004-02-16</date><authorinitials>TE</authorinitials><revremark>Move
|
||||
/etc/shorewall/rfc1918 to /usr/share/shorewall.</revremark></revision><revision><revnumber>1.6</revnumber><date>2004-02-05</date><authorinitials>TE</authorinitials><revremark>Update
|
||||
for Shorewall 2.0</revremark></revision><revision><revnumber>1.5</revnumber><date>2004-01-05</date><authorinitials>TE</authorinitials><revremark>Standards
|
||||
Changes</revremark></revision><revision><revnumber>1.4</revnumber><date>2003-12-30</date><authorinitials>TE</authorinitials><revremark>Add
|
||||
tip about /etc/shorewall/rfc1918 updates.</revremark></revision><revision><revnumber>1.3</revnumber><date>2003-11-15</date><authorinitials>TE</authorinitials><revremark>Initial
|
||||
Docbook Conversion</revremark></revision></revhistory></para>
|
||||
</appendix>
|
||||
</article>
|
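Review bot: collapsing the <revhistory> into five run-on lines, with wraps falling mid-remark ("Move" / "/etc/shorewall/rfc1918 to /usr/share/shorewall."), loses nothing semantically but turns every future history entry into a noisy diff; keep one element per line as the old form did. More importantly, this commit changes the actions.std path in this file but adds no 1.8 revision recording it, while the English files in the same commit do bump their pubdate. Separately, "rendre aisé l'administration" should agree: "rendre aisée l'administration".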
@ -15,7 +15,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2004-06-11</pubdate>
|
||||
<pubdate>2004-07-14</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2002-2004</year>
|
||||
@ -677,7 +677,7 @@ AllowDNS fw dmz:10.10.11.1 </programlisting></para>
|
||||
<emphasis>defined action</emphasis>. Shorewall includes a number of
|
||||
defined actions and <ulink url="User_defined_Actions.html">you can add
|
||||
your own</ulink>. To see the list of actions included with your version of
|
||||
Shorewall, look in the file <filename>/etc/shorewall/actions.std</filename>.
|
||||
Shorewall, look in the file <filename>/usr/share/shorewall/actions.std</filename>.
|
||||
Those actions that accept connection requests have names that begin with
|
||||
<quote>Allow</quote>.</para>
|
||||
|
||||
|
File diff suppressed because it is too large
@ -15,7 +15,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2004-06-23</pubdate>
|
||||
<pubdate>2004-07-14</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001-2004</year>
|
||||
@ -41,9 +41,10 @@
|
||||
traffic shaping/control solutions. In order to use traffic shaping with
|
||||
Shorewall, it is essential that you get a copy of the <ulink
|
||||
url="http://ds9a.nl/lartc">Linux Advanced Routing and Shaping HOWTO</ulink>,
|
||||
version 0.3.0 or later. It is also necessary to be running Linux Kernel
|
||||
2.4.18 or later. Shorewall traffic shaping support consists of the
|
||||
following:</para>
|
||||
version 0.3.0 or later or <ulink
|
||||
url="http://www.tldp.org/HOWTO/Traffic-Control-HOWTO/">The Traffic Control
|
||||
HOWTO</ulink>. It is also necessary to be running Linux Kernel 2.4.18 or
|
||||
later. Shorewall traffic shaping support consists of the following:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
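Review bot: the new sentence reads "version 0.3.0 or later or The Traffic Control HOWTO", and the two "or"s run together; add a comma or restructure ("version 0.3.0 or later, or of The Traffic Control HOWTO"). The added link is otherwise a reasonable second reference alongside the LARTC HOWTO.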