mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-08 08:44:05 +01:00
Updated for 2.0.6
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1479 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
7c1c39ee1d
commit
43ac5e4799
@ -2385,6 +2385,35 @@ eth0 eth1 206.124.146.176</programlisting>
|
|||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term>PKTTYPE</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>(Added at Version 2.0.6) - Normally Shorewall attempts to use
|
||||||
|
the iptables packet type match extension to determine broadcast and
|
||||||
|
multicast packets. </para>
|
||||||
|
|
||||||
|
<orderedlist>
|
||||||
|
<listitem>
|
||||||
|
<para>This can cause a message to appear during
|
||||||
|
<command>shorewall start</command> (modprobe: cant locate module
|
||||||
|
ipt_pkttype).</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Some users have found problems with the packet match
|
||||||
|
extension with the result that their firewall log is flooded
|
||||||
|
with messages relating to broadcast packets.</para>
|
||||||
|
</listitem>
|
||||||
|
</orderedlist>
|
||||||
|
|
||||||
|
<para>If you are experiencing either of these problems, setting
|
||||||
|
PKTTYPE=No will prevent Shorewall from trying to use the packet type
|
||||||
|
match extension and to use IP address matching to determine which
|
||||||
|
packets are broadcasts or multicasts. </para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>RESTOREFILE</term>
|
<term>RESTOREFILE</term>
|
||||||
|
|
||||||
|
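Review bot: The closing paragraph of the new PKTTYPE entry is not parallel ("will prevent Shorewall from trying to use the packet type match extension and to use IP address matching"), so it can be read as if both behaviours are prevented; suggest "and cause it to use IP address matching instead". The entry also never states the default value of PKTTYPE, and the first paragraph runs into the ordered list without saying that the two items are problems caused by using the extension. The modprobe message would read better in a computeroutput element than in parentheses, and "cant" should be checked against the message modprobe actually prints.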
@ -17,7 +17,7 @@
|
|||||||
</author>
|
</author>
|
||||||
</authorgroup>
|
</authorgroup>
|
||||||
|
|
||||||
<pubdate>2004-06-18</pubdate>
|
<pubdate>2004-07-14</pubdate>
|
||||||
|
|
||||||
<copyright>
|
<copyright>
|
||||||
<year>2001-2004</year>
|
<year>2001-2004</year>
|
||||||
@ -224,6 +224,13 @@ DNAT net loc:192.168.3:22 tcp 1022</programlisting>
|
|||||||
as they go through your firewall and handle them on the firewall box
|
as they go through your firewall and handle them on the firewall box
|
||||||
itself; in that case, you use a REDIRECT rule.</para>
|
itself; in that case, you use a REDIRECT rule.</para>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
|
<section>
|
||||||
|
<title>(FAQ 38) Where can I find more information about DNAT?</title>
|
||||||
|
|
||||||
|
<para>Ian Allen has written a <ulink
|
||||||
|
url="http://ian.idallen.ca/dnat.txt">Paper about DNAT and Linux</ulink>.</para>
|
||||||
|
</section>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
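Review bot: The answer to FAQ 38 consists only of an external link, so it tells the reader nothing if http://ian.idallen.ca/dnat.txt moves or disappears. Add one sentence saying what the paper covers, and lower-case "Paper" in the link text to match the surrounding prose.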
@ -1735,7 +1742,8 @@ iptables: Invalid argument
|
|||||||
<appendix>
|
<appendix>
|
||||||
<title>Revision History</title>
|
<title>Revision History</title>
|
||||||
|
|
||||||
<para><revhistory><revision><revnumber>1.27</revnumber><date>2004-06-18</date><authorinitials>TE</authorinitials><revremark>Correct
|
<para><revhistory><revision><revnumber>1.28</revnumber><date>2004-07-14</date><authorinitials>TE</authorinitials><revremark>Insert
|
||||||
|
link to Ian Allen's DNAT paper (FAQ 38)</revremark></revision><revision><revnumber>1.27</revnumber><date>2004-06-18</date><authorinitials>TE</authorinitials><revremark>Correct
|
||||||
formatting in H323 quote.</revremark></revision><revision><revnumber>1.26</revnumber><date>2004-05-18</date><authorinitials>TE</authorinitials><revremark>Delete
|
formatting in H323 quote.</revremark></revision><revision><revnumber>1.26</revnumber><date>2004-05-18</date><authorinitials>TE</authorinitials><revremark>Delete
|
||||||
obsolete ping information.</revremark></revision><revision><revnumber>1.25</revnumber><date>2004-05-18</date><authorinitials>TE</authorinitials><revremark>Empty
|
obsolete ping information.</revremark></revision><revision><revnumber>1.25</revnumber><date>2004-05-18</date><authorinitials>TE</authorinitials><revremark>Empty
|
||||||
/etc/shorewall on Debian.</revremark></revision><revision><revnumber>1.25</revnumber><date>2004-05-08</date><authorinitials>TE</authorinitials><revremark>Update
|
/etc/shorewall on Debian.</revremark></revision><revision><revnumber>1.25</revnumber><date>2004-05-08</date><authorinitials>TE</authorinitials><revremark>Update
|
||||||
|
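Review bot: The context lines after the new 1.28 entry show two revisions both numbered 1.25 (2004-05-18 and 2004-05-08). Since this revhistory block is being edited anyway, renumber one of them so that revision numbers stay unique.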
@ -15,7 +15,7 @@
|
|||||||
</author>
|
</author>
|
||||||
</authorgroup>
|
</authorgroup>
|
||||||
|
|
||||||
<pubdate>2004-03-12</pubdate>
|
<pubdate>2004-07-11</pubdate>
|
||||||
|
|
||||||
<copyright>
|
<copyright>
|
||||||
<year>2003</year>
|
<year>2003</year>
|
||||||
@ -109,7 +109,9 @@
|
|||||||
</important>
|
</important>
|
||||||
|
|
||||||
<para>The above diagram should help you understand the output of
|
<para>The above diagram should help you understand the output of
|
||||||
<quote>shorewall status</quote>.</para>
|
<quote>shorewall status</quote>. You may also wish to refer to <ulink
|
||||||
|
url="PacketHandling.html">this article</ulink> that describes the flow of
|
||||||
|
packets through a Shorewall-generated firewall.</para>
|
||||||
|
|
||||||
<para>Here are some excerpts from <quote>shorewall status</quote> on a
|
<para>Here are some excerpts from <quote>shorewall status</quote> on a
|
||||||
server with one interface (eth0):</para>
|
server with one interface (eth0):</para>
|
||||||
|
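Review bot: The link text "this article" in the added sentence gives no hint of the target. Name the article in the link text (for example, the packet handling article) so the reference still makes sense in print or when links are stripped.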
@ -15,7 +15,7 @@
|
|||||||
</author>
|
</author>
|
||||||
</authorgroup>
|
</authorgroup>
|
||||||
|
|
||||||
<pubdate>2004-07-10</pubdate>
|
<pubdate>2004-07-13</pubdate>
|
||||||
|
|
||||||
<copyright>
|
<copyright>
|
||||||
<year>2004</year>
|
<year>2004</year>
|
||||||
@ -142,9 +142,9 @@
|
|||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
||||||
<para>then the packet is ACCEPTed in the filter table's <emphasis
|
<para>then the packet is ACCEPTed in the <emphasis>filter</emphasis>
|
||||||
role="bold"><emphasis>interface</emphasis>_in</emphasis> chain (for
|
table's <emphasis role="bold"><emphasis>interface</emphasis>_in</emphasis>
|
||||||
example, eth0_in).</para>
|
chain (for example, eth0_in).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -153,7 +153,8 @@
|
|||||||
<filename>/etc/shorewall/interfaces</filename>, then the packet is
|
<filename>/etc/shorewall/interfaces</filename>, then the packet is
|
||||||
processed against your rfc1918 file (normally <filename>/usr/share/shorewall/rfc1918</filename>
|
processed against your rfc1918 file (normally <filename>/usr/share/shorewall/rfc1918</filename>
|
||||||
but that file may be copied to <filename>/etc/shorewall/rfc1918</filename>
|
but that file may be copied to <filename>/etc/shorewall/rfc1918</filename>
|
||||||
and modified). This happens in the filter table's rfc1918 chain.</para>
|
and modified). This happens in the <emphasis>filter</emphasis>
|
||||||
|
table's <emphasis role="bold">norfc1918</emphasis> chain.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
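Review bot: The rename of the chain from rfc1918 to norfc1918 in the last changed sentence is a factual correction buried among markup-only edits. Mention it in the commit message or revision history, and check the rest of the article for other references to an "rfc1918 chain".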
@ -170,7 +171,8 @@
|
|||||||
the <emphasis>tcpflags</emphasis> option specified in
|
the <emphasis>tcpflags</emphasis> option specified in
|
||||||
<filename>/etc/shorewall/interfaces</filename> and the packet's
|
<filename>/etc/shorewall/interfaces</filename> and the packet's
|
||||||
protocol is TCP then the TCP flags are checked by the <emphasis
|
protocol is TCP then the TCP flags are checked by the <emphasis
|
||||||
role="bold">tcpflags</emphasis> chain (filter table).</para>
|
role="bold">tcpflags</emphasis> chain (<emphasis>filter</emphasis>
|
||||||
|
table).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
@ -203,7 +205,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>If the packet is part of an established connection or is part of
|
<para>If the packet is part of an established connection or is part of
|
||||||
a related connection then no further processing takes place in the
|
a related connection then no further processing takes place in the
|
||||||
filter table (<emphasis>z</emphasis><emphasis role="bold"><emphasis>one1</emphasis>2<emphasis>zone2</emphasis></emphasis>
|
filter table (<emphasis><emphasis>zone1</emphasis>2<emphasis>zone2</emphasis></emphasis>
|
||||||
chain where <emphasis>zone1</emphasis> is the source zone and
|
chain where <emphasis>zone1</emphasis> is the source zone and
|
||||||
<emphasis>zone2</emphasis> is the destination zone).</para>
|
<emphasis>zone2</emphasis> is the destination zone).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
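Review bot: The corrected chain name in the changed line loses role="bold": the outer emphasis element has no role attribute, while the other chain names touched by this commit (tcpflags, norfc1918, and the same zone1-2-zone2 name in the next hunk) keep it. Restore role="bold" on the outer emphasis so chain names render consistently.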
@ -216,8 +218,7 @@
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>The packet is processed according to your <filename>/etc/shorewall/rules</filename>
|
<para>The packet is processed according to your <filename>/etc/shorewall/rules</filename>
|
||||||
file. This happens in chains named <emphasis>z</emphasis><emphasis
|
file. This happens in chains named <emphasis><emphasis role="bold"><emphasis>zone1</emphasis>2<emphasis>zone2</emphasis></emphasis></emphasis>
|
||||||
role="bold"><emphasis>one1</emphasis>2<emphasis>zone2</emphasis></emphasis>
|
|
||||||
chain where <emphasis>zone1</emphasis> is the source zone and
|
chain where <emphasis>zone1</emphasis> is the source zone and
|
||||||
<emphasis>zone2</emphasis> is the destination zone. Note that in the
|
<emphasis>zone2</emphasis> is the destination zone. Note that in the
|
||||||
presence of <ulink url="Documentation.htm#Nested">nested or
|
presence of <ulink url="Documentation.htm#Nested">nested or
|
||||||
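Review bot: After the markup fix the sentence reads "This happens in chains named ... chain where zone1 is the source zone", with "chain" repeated. Drop the second "chain" or change the opening to "This happens in the ... chain". The outermost of the three nested emphasis elements adds nothing and can be removed.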
@ -246,6 +247,29 @@
|
|||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
|
<section>
|
||||||
|
<title>Packets Originating on the Firewall</title>
|
||||||
|
|
||||||
|
<para>Packets that originate on the firewall itself undergo additional
|
||||||
|
processing.</para>
|
||||||
|
|
||||||
|
<itemizedlist>
|
||||||
|
<listitem>
|
||||||
|
<para>The TOS field in the packet is conditionally altered based on
|
||||||
|
the contents of your <filename>/etc/shorewall/tos</filename> file.
|
||||||
|
This occurs in the <emphasis role="bold">outtos</emphasis> chain of
|
||||||
|
the <emphasis>mangle</emphasis> table.</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Packets are marked based on the contents of your
|
||||||
|
<filename>/etc/shorewall/tcrules</filename> file. This occurs in the
|
||||||
|
<emphasis role="bold">tcout</emphasis> chain of the
|
||||||
|
<emphasis>mangle</emphasis> table.</para>
|
||||||
|
</listitem>
|
||||||
|
</itemizedlist>
|
||||||
|
</section>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
<title>Packets Leaving the Firewall</title>
|
<title>Packets Leaving the Firewall</title>
|
||||||
|
|
||||||
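Review bot: With "Just before being sent" dropped from the opening sentence of the relocated section (compare the removed copy at the end of the file), "undergo additional processing" no longer says additional to what, or at which point it happens. State where in the packet's path the outtos and tcout chains are traversed, now that the section sits before "Packets Leaving the Firewall".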
@ -290,27 +314,4 @@
|
|||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section>
|
|
||||||
<title>Packets Originating on the Firewall</title>
|
|
||||||
|
|
||||||
<para>Just before being sent, packets that originated on the firewall
|
|
||||||
itself undergo additional processing.</para>
|
|
||||||
|
|
||||||
<itemizedlist>
|
|
||||||
<listitem>
|
|
||||||
<para>The TOS field in the packet is conditionally altered based on
|
|
||||||
the contents of your <filename>/etc/shorewall/tos</filename> file.
|
|
||||||
This occurs in the <emphasis role="bold">outtos</emphasis> chain of
|
|
||||||
the <emphasis>mangle</emphasis> table.</para>
|
|
||||||
</listitem>
|
|
||||||
|
|
||||||
<listitem>
|
|
||||||
<para>Packets are marked based on the contents of your
|
|
||||||
<filename>/etc/shorewall/tcrules</filename> file. This occurs in the
|
|
||||||
<emphasis role="bold">tcout</emphasis> chain of the
|
|
||||||
<emphasis>mangle</emphasis> table.</para>
|
|
||||||
</listitem>
|
|
||||||
</itemizedlist>
|
|
||||||
</section>
|
|
||||||
</article>
|
</article>
|
@ -15,7 +15,7 @@
|
|||||||
</author>
|
</author>
|
||||||
</authorgroup>
|
</authorgroup>
|
||||||
|
|
||||||
<pubdate>2004-04-19</pubdate>
|
<pubdate>2004-07-13</pubdate>
|
||||||
|
|
||||||
<copyright>
|
<copyright>
|
||||||
<year>2003-2004</year>
|
<year>2003-2004</year>
|
||||||
@ -33,8 +33,6 @@
|
|||||||
</legalnotice>
|
</legalnotice>
|
||||||
</articleinfo>
|
</articleinfo>
|
||||||
|
|
||||||
<para></para>
|
|
||||||
|
|
||||||
<para>This page covers Shorewall configuration to use with <ulink
|
<para>This page covers Shorewall configuration to use with <ulink
|
||||||
url="http://www.squid-cache.org">Squid</ulink> running as a Transparent
|
url="http://www.squid-cache.org">Squid</ulink> running as a Transparent
|
||||||
Proxy or as a Manual Proxy.</para>
|
Proxy or as a Manual Proxy.</para>
|
||||||
@ -109,7 +107,7 @@ MANGLE_ENABLED=Yes</programlisting>
|
|||||||
|
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
|
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
|
||||||
# PORT(S) DEST
|
# PORT(S) DEST
|
||||||
REDIRECT loc 3228 tcp www - !206.124.146.177
|
REDIRECT loc 3128 tcp www - !206.124.146.177
|
||||||
ACCEPT fw net tcp www</programlisting>
|
ACCEPT fw net tcp www</programlisting>
|
||||||
|
|
||||||
<para>There may be a requirement to exclude additional destination hosts
|
<para>There may be a requirement to exclude additional destination hosts
|
||||||
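Review bot: The corrected port 3128 in the REDIRECT rule is only right if Squid listens on that port, and nothing near the listing says so. Add a sentence stating that the port in the DEST column must match the port Squid is configured to listen on.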
@ -122,7 +120,7 @@ ACCEPT fw net tcp www</programlisting>
|
|||||||
|
|
||||||
<para><filename>/etc/shorewall/rules</filename>:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
|
<para><filename>/etc/shorewall/rules</filename>:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
|
||||||
# PORT(S) DEST
|
# PORT(S) DEST
|
||||||
REDIRECT loc 3228 tcp www - !206.124.146.177,130.252.100.0/24</programlisting></para>
|
REDIRECT loc 3128 tcp www - !206.124.146.177,130.252.100.0/24</programlisting></para>
|
||||||
|
|
||||||
<para>If you are running a Shorewall version earlier than 1.4.5, you
|
<para>If you are running a Shorewall version earlier than 1.4.5, you
|
||||||
must add a manual rule in /etc/shorewall/start:</para>
|
must add a manual rule in /etc/shorewall/start:</para>
|
||||||
|
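Review bot: The paragraph following this listing refers to a manual rule in /etc/shorewall/start for versions earlier than 1.4.5, and that rule is not part of this diff. Confirm it uses port 3128 as well, since both REDIRECT examples carried 3228 before this change.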
Binary file not shown.
@ -1,5 +1,5 @@
|
|||||||
<?xml version='1.0' encoding='utf-8' ?>
|
<?xml version='1.0' encoding='utf-8' ?>
|
||||||
<?integrity app='Visio' version='10.0' buildnum='525' metric='0' key='7FFFD71E985B2EC26C075C7B645086876BCF8593C1531AF84243713B2E33B0E1BB767D5BAB15540F77B203D6763DCEC7B8F1B2A0D15011499EE13ADA8EAD43CD' keystart='261' ?>
|
<?integrity app='Visio' version='10.0' buildnum='525' metric='0' key='0521AC4BEA80618BB0978E5B7B9EB3C745F7D52F8D1C20BB755782286111C25A4AD1A4735C8175FB7A1E5BC0F3F3C63F5FFC23BB44E7F7DF2FCF1FD158440E55' keystart='261' ?>
|
||||||
|
|
||||||
<VisioDocument xmlns='urn:schemas-microsoft-com:office:visio'>
|
<VisioDocument xmlns='urn:schemas-microsoft-com:office:visio'>
|
||||||
<DocumentProperties>
|
<DocumentProperties>
|
||||||
|
vxAQQAAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/
|
||||||
wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/w0NhyUlMCIiMBcXIP
|
wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/w0NhyUlMCIiMBcXIP
|
||||||
///39/fwAASBMTKCoqMBERWAAA9wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wA
|
///39/fwAASBMTKCoqMBERWAAA9wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wA
|
||||||
@ -1931,10 +1931,10 @@ A/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAAvzAwQP//////////////////
|
|||||||
/////////////////////////////////////////////////////////////////////////////
|
/////////////////////////////////////////////////////////////////////////////
|
||||||
////7+/vxBAQAD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//w
|
////7+/vxBAQAD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//w
|
||||||
D//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD
|
D//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD
|
||||||
//wD//wD//wD//wxgYJ+fn///////////////////////////////////////////////////////
|
//wD//wD//wD//wxgYJ+fn////////////////////////////////////////7+/v0BAQP//////
|
||||||
/////////////////////////////////////////////////////////////////////15eXoKCg
|
/////////////////////////////////////////////////////zExMUlJSebm5tnhoHjoIaCga
|
||||||
qysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrGJiYltbW/////////////////
|
6Cga3h4ka/XNozkJoyMfq+/TnjoIeDgpebm5igoKH19fZqamlNTU3Jycre3t39/fzhISA8YGAAAAA
|
||||||
/////////////////////////////////////////////////////////////////////////////
|
AAAAAAABooKDBAQH9/f4+Pj7+/v9/f3//////////////////////////////////////////////
|
||||||
//////////////7+/vxAQQAAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA
|
//////////////7+/vxAQQAAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA
|
||||||
/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/
|
/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/
|
||||||
wAA/wUFryUlOLe3t////39/fwAAfwAA7xISUAYGCBERMAAA5wAA/wAA/wAA/wAA/wAA/wAA/wAA/w
|
wAA/wUFryUlOLe3t////39/fwAAfwAA7xISUAYGCBERMAAA5wAA/wAA/wAA/wAA/wAA/wAA/wAA/w
|
||||||
@ -1943,9 +1943,9 @@ AA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAAvzAwQP/
|
|||||||
/////////////////////7+/vxBAQAD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//
|
/////////////////////7+/vxBAQAD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//
|
||||||
wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//w
|
wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//w
|
||||||
D//wD//wD//wD//wD//wD//wD//wD//wxgYJ+fn//////////////////////////////////////
|
D//wD//wD//wD//wD//wD//wD//wD//wxgYJ+fn//////////////////////////////////////
|
||||||
/////////////////////////////////////////////////////////////////////////////
|
//7+/vzAwML+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v52dnQMD
|
||||||
/////////////29vbz4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pra2t
|
Azc3Nzs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ox4eHkJCQpqampqamjs7OxgaG
|
||||||
v////////////////////////////////////////////////////////////////////////////
|
jBAQHR4eIeHh7+/v9fX1/////////////////////////////////////////////////////////
|
||||||
///////////////////////////////7+/vxAQQAAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wA
|
///////////////////////////////7+/vxAQQAAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wA
|
||||||
A/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA
|
A/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA
|
||||||
/wAA/wAA/wAA/wAA/wAA/wAA/wAAzxUVMMfHx1RUYAAAnwAA/wAA/wUFnwgIEAwMGAAAzwAA/wAA/
|
/wAA/wAA/wAA/wAA/wAA/wAA/wAAzxUVMMfHx1RUYAAAnwAA/wAA/wUFnwgIEAwMGAAAzwAA/wAA/
|
||||||
@ -1955,9 +1955,9 @@ AA/wAA/wAAvzAwQP/////////////////////////////////////////////////////////////
|
|||||||
/wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//
|
/wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//
|
||||||
wD//wD//wD//wD/
|
wD//wD//wD//wD/
|
||||||
/wD//wD//wD//wD//wD//wD//wD//wD//wxgYJ+fn////////////////////////////////////
|
/wD//wD//wD//wD//wD//wD//wD//wD//wxgYJ+fn////////////////////////////////////
|
||||||
/////////////////////////////////////////////////////////////////////////////
|
////+fn50hISEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQE
|
||||||
/////////////////////////////////////////////////////////////////////////////
|
RERC0tLaGhoaysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrM7OzqysrJqammBgYFt
|
||||||
/////////////////////////////////////////////////////////////////////////////
|
bW///////////////////////////////////////////////////////////////////////////
|
||||||
/////////////////////////////////7+/vxAQQAAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/
|
/////////////////////////////////7+/vxAQQAAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/
|
||||||
wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/w
|
wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/w
|
||||||
AA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA7xQUQBoaIAAAnwAA/wAA/wAA/wAA5xAQQAQECAUFpwA
|
AA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA7xQUQBoaIAAAnwAA/wAA/wAA/wAA5xAQQAQECAUFpwA
|
||||||
@ -1967,8 +1967,8 @@ A/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA
|
|||||||
D//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD
|
D//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD
|
||||||
//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wxgYJ+fn///////////////////
|
//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wxgYJ+fn///////////////////
|
||||||
/////////////////////////////////////////////////////////////////////////////
|
/////////////////////////////////////////////////////////////////////////////
|
||||||
/////////////////////////////////////////////////////////////////////////////
|
////////////////////8/Pzzw8PNjY2Obm5ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubm5u
|
||||||
/////////////////////////////////////////////////////////////////////////////
|
bm5uPj46ysrGBgYFtbW//////////////////////////////////////////////////////////
|
||||||
//////////////////////////////////////////////////7+/vxAQQAAA/wAA/wAA/wAA/wAA
|
//////////////////////////////////////////////////7+/vxAQQAAA/wAA/wAA/wAA/wAA
|
||||||
/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/
|
/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/
|
||||||
wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA9w0NaAAAxwAA/wAA/wAA/w
|
wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA9w0NaAAAxwAA/wAA/wAA/w
|
||||||
@ -1978,8 +1978,8 @@ A/wAA/wAA/wAA/wAA/wAA/wAA/wAAvzAwQP//////////////////////////////////////////
|
|||||||
wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//w
|
wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//w
|
||||||
D//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wxgYJ+fn//
|
D//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wxgYJ+fn//
|
||||||
/////////////////////////////////////////////////////////////////////////////
|
/////////////////////////////////////////////////////////////////////////////
|
||||||
/////////////////////////////////////////////////////////////////////////////
|
/////////////////////////////////////////8/Pzzw8PNjY2Obm5ubm5ubm5ubm5ubm5ubm5
|
||||||
/////////////////////////////////////////////////////////////////////////////
|
ubm5ubm5ubm5ubm5ubm5ubm5uPj42tra1tbW/////////////////////////////////////////
|
||||||
///////////////////////////////////////////////////////////////////7+/vxAQQAA
|
///////////////////////////////////////////////////////////////////7+/vxAQQAA
|
||||||
A/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA
|
A/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA
|
||||||
/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/
|
/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/
|
||||||
@ -1989,8 +1989,8 @@ AA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAAvzAwQP/////////////////////////
|
|||||||
vxBAQAD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//
|
vxBAQAD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//
|
||||||
wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//w
|
wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//w
|
||||||
D//wD//wxgYJ+fn//////////////////////////////////////////////////////////////
|
D//wD//wxgYJ+fn//////////////////////////////////////////////////////////////
|
||||||
/////////////////////////////////////////////////////////////////////////////
|
//////////////////////////////////////////////////////////////8/Pzy0tLTs7Ozs7
|
||||||
/////////////////////////////////////////////////////////////////////////////
|
Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7OyUlJW1tbf///////////////////////
|
||||||
/////////////////////////////////////////////////////////////////////////////
|
/////////////////////////////////////////////////////////////////////////////
|
||||||
///////7+/vxAQQAAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wA
|
///////7+/vxAQQAAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wA
|
||||||
A/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA
|
A/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA
|
||||||
@ -2001,7 +2001,7 @@ wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAAvzAwQP////////
|
|||||||
/wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//
|
/wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//
|
||||||
wD//wD//wD//wD//wD//wD//wxgYJ+fn/////////////////////////////////////////////
|
wD//wD//wD//wD//wD//wD//wxgYJ+fn/////////////////////////////////////////////
|
||||||
/////////////////////////////////////////////////////////////////////////////
|
/////////////////////////////////////////////////////////////////////////////
|
||||||
/////////////////////////////////////////////////////////////////////////////
|
//////9/f37+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v/f39///////
|
||||||
/////////////////////////////////////////////////////////////////////////////
|
/////////////////////////////////////////////////////////////////////////////
|
||||||
////////////////////////7+/vxAQQAAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/w
|
////////////////////////7+/vxAQQAAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/w
|
||||||
AA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wA
|
AA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wA
|
||||||
@ -3206,8 +3206,8 @@ f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f
|
|||||||
/////////////////////////////////////////////////////////////////////////////
|
/////////////////////////////////////////////////////////////////////////////
|
||||||
/////////////w4AAAAUAAAAAAAAABAAAAAUAAAA</PreviewPicture>
|
/////////////w4AAAAUAAAAAAAAABAAAAAUAAAA</PreviewPicture>
|
||||||
<TimeCreated>2002-08-11T08:58:32</TimeCreated>
|
<TimeCreated>2002-08-11T08:58:32</TimeCreated>
|
||||||
<TimeSaved>2004-03-16T15:13:54</TimeSaved>
|
<TimeSaved>2004-07-13T11:44:37</TimeSaved>
|
||||||
<TimeEdited>2004-03-16T15:13:48</TimeEdited>
|
<TimeEdited>2004-07-13T11:38:59</TimeEdited>
|
||||||
<TimePrinted>2002-08-11T08:58:32</TimePrinted>
|
<TimePrinted>2002-08-11T08:58:32</TimePrinted>
|
||||||
</DocumentProperties>
|
</DocumentProperties>
|
||||||
<DocumentSettings TopPage='0' DefaultTextStyle='3' DefaultLineStyle='3' DefaultFillStyle='3' DefaultGuideStyle='4'>
|
<DocumentSettings TopPage='0' DefaultTextStyle='3' DefaultLineStyle='3' DefaultFillStyle='3' DefaultGuideStyle='4'>
|
||||||
@ -40781,7 +40781,7 @@ B/wAAA/8AAB//AAAf/wAAH/8AAA//AAAP/wAAD/8AAA//AAAP/wAAD/+AAA//4AAf//gAP///////
|
|||||||
</Master>
|
</Master>
|
||||||
</Masters>
|
</Masters>
|
||||||
<Pages>
|
<Pages>
|
||||||
<Page ID='0' NameU='Page-1' ViewScale='1.5' ViewCenterX='61.571428571429' ViewCenterY='26.607142857143'>
|
<Page ID='0' NameU='Page-1' ViewScale='1.5' ViewCenterX='84.428571428571' ViewCenterY='71.607142857143'>
|
||||||
<PageSheet LineStyle='0' FillStyle='0' TextStyle='0'>
|
<PageSheet LineStyle='0' FillStyle='0' TextStyle='0'>
|
||||||
<PageProps>
|
<PageProps>
|
||||||
<PageWidth Unit='IN'>85</PageWidth>
|
<PageWidth Unit='IN'>85</PageWidth>
|
||||||
@ -41197,11 +41197,11 @@ B/wAAA/8AAB//AAAf/wAAH/8AAA//AAAP/wAAD/8AAA//AAAP/wAAD/+AAA//4AAf//gAP///////
|
|||||||
<Shape ID='18' Type='Shape' Master='7'>
|
<Shape ID='18' Type='Shape' Master='7'>
|
||||||
<XForm>
|
<XForm>
|
||||||
<PinX F='Inh'>36.817303557046</PinX>
|
<PinX F='Inh'>36.817303557046</PinX>
|
||||||
<PinY F='Inh'>58.396443645478</PinY>
|
<PinY F='Inh'>59.283146921411</PinY>
|
||||||
<Width F='Guard(EndX-BeginX)'>3.2357053859082</Width>
|
<Width F='Guard(EndX-BeginX)'>3.2357053859085</Width>
|
||||||
<Height F='Guard(EndY-BeginY)'>-13.207112709043</Height>
|
<Height F='Guard(EndY-BeginY)'>-14.980519260909</Height>
|
||||||
<LocPinX F='Inh'>1.6178526929541</LocPinX>
|
<LocPinX F='Inh'>1.6178526929541</LocPinX>
|
||||||
<LocPinY F='Inh'>-6.6035563545217</LocPinY>
|
<LocPinY F='Inh'>-7.4902596304544</LocPinY>
|
||||||
<Angle F='Inh'>0</Angle>
|
<Angle F='Inh'>0</Angle>
|
||||||
<FlipX F='Inh'>0</FlipX>
|
<FlipX F='Inh'>0</FlipX>
|
||||||
<FlipY F='Inh'>0</FlipY>
|
<FlipY F='Inh'>0</FlipY>
|
||||||
@ -41209,7 +41209,7 @@ B/wAAA/8AAB//AAAf/wAAH/8AAA//AAAP/wAAD/8AAA//AAAP/wAAD/+AAA//4AAf//gAP///////
|
|||||||
</XForm>
|
</XForm>
|
||||||
<XForm1D>
|
<XForm1D>
|
||||||
<BeginX F='Par(Pnt(Modem!Connections.X3,Modem!Connections.Y3))'>35.199450864092</BeginX>
|
<BeginX F='Par(Pnt(Modem!Connections.X3,Modem!Connections.Y3))'>35.199450864092</BeginX>
|
||||||
<BeginY F='Par(Pnt(Modem!Connections.X3,Modem!Connections.Y3))'>65</BeginY>
|
<BeginY F='Par(Pnt(Modem!Connections.X3,Modem!Connections.Y3))'>66.773406551866</BeginY>
|
||||||
<EndX F='Par(Pnt(Firewall!Connections.X5,Firewall!Connections.Y5))'>38.43515625</EndX>
|
<EndX F='Par(Pnt(Firewall!Connections.X5,Firewall!Connections.Y5))'>38.43515625</EndX>
|
||||||
<EndY F='Par(Pnt(Firewall!Connections.X5,Firewall!Connections.Y5))'>51.792887290957</EndY>
|
<EndY F='Par(Pnt(Firewall!Connections.X5,Firewall!Connections.Y5))'>51.792887290957</EndY>
|
||||||
</XForm1D>
|
</XForm1D>
|
||||||
@ -41241,8 +41241,8 @@ B/wAAA/8AAB//AAAf/wAAH/8AAA//AAAP/wAAD/8AAA//AAAP/wAAD/+AAA//4AAf//gAP///////
|
|||||||
<NoLiveDynamics F='Inh'>1</NoLiveDynamics>
|
<NoLiveDynamics F='Inh'>1</NoLiveDynamics>
|
||||||
</Misc>
|
</Misc>
|
||||||
<TextXForm>
|
<TextXForm>
|
||||||
<TxtPinX>-6.8244508640918</TxtPinX>
|
<TxtPinX>-6.824450864092</TxtPinX>
|
||||||
<TxtPinY>-8.0339090474758</TxtPinY>
|
<TxtPinY>-8.9206123234091</TxtPinY>
|
||||||
<TxtWidth F='Inh'>1.1111111111111</TxtWidth>
|
<TxtWidth F='Inh'>1.1111111111111</TxtWidth>
|
||||||
<TxtHeight F='Inh'>2.4444444444444</TxtHeight>
|
<TxtHeight F='Inh'>2.4444444444444</TxtHeight>
|
||||||
<TxtLocPinX F='Inh'>0.55555555555556</TxtLocPinX>
|
<TxtLocPinX F='Inh'>0.55555555555556</TxtLocPinX>
|
||||||
@ -41275,19 +41275,19 @@ B/wAAA/8AAB//AAAf/wAAH/8AAA//AAAP/wAAD/8AAA//AAAP/wAAD/+AAA//4AAf//gAP///////
|
|||||||
</MoveTo>
|
</MoveTo>
|
||||||
<LineTo IX='2'>
|
<LineTo IX='2'>
|
||||||
<X>0</X>
|
<X>0</X>
|
||||||
<Y>0.1875</Y>
|
<Y>0.18749999999973</Y>
|
||||||
</LineTo>
|
</LineTo>
|
||||||
<LineTo IX='3'>
|
<LineTo IX='3'>
|
||||||
<X>-6.8244508640918</X>
|
<X>-6.824450864092</X>
|
||||||
<Y>0.1875</Y>
|
<Y>0.18749999999973</Y>
|
||||||
</LineTo>
|
</LineTo>
|
||||||
<LineTo IX='4'>
|
<LineTo IX='4'>
|
||||||
<X>-6.8244508640918</X>
|
<X>-6.824450864092</X>
|
||||||
<Y>-13.207112709043</Y>
|
<Y>-14.980519260909</Y>
|
||||||
</LineTo>
|
</LineTo>
|
||||||
<LineTo IX='5'>
|
<LineTo IX='5'>
|
||||||
<X>3.2357053859082</X>
|
<X>3.2357053859079</X>
|
||||||
<Y>-13.207112709043</Y>
|
<Y>-14.980519260909</Y>
|
||||||
</LineTo>
|
</LineTo>
|
||||||
</Geom>
|
</Geom>
|
||||||
</Shape>
|
</Shape>
|
||||||
@ -41711,19 +41711,19 @@ B/wAAA/8AAB//AAAf/wAAH/8AAA//AAAP/wAAD/8AAA//AAAP/wAAD/+AAA//4AAf//gAP///////
|
|||||||
<Shape ID='44' NameU='Comm-link' Type='Shape' Master='12'>
|
<Shape ID='44' NameU='Comm-link' Type='Shape' Master='12'>
|
||||||
<XForm>
|
<XForm>
|
||||||
<PinX F='Inh'>50.636703275727</PinX>
|
<PinX F='Inh'>50.636703275727</PinX>
|
||||||
<PinY F='Inh'>63.484375</PinY>
|
<PinY F='Inh'>64.371078275933</PinY>
|
||||||
<Width F='Inh'>17.983898127284</Width>
|
<Width F='Inh'>18.366187407064</Width>
|
||||||
<Height>2.5</Height>
|
<Height>2.5</Height>
|
||||||
<LocPinX F='Inh'>8.9919490636419</LocPinX>
|
<LocPinX F='Inh'>9.1830937035322</LocPinX>
|
||||||
<LocPinY F='Inh'>1.25</LocPinY>
|
<LocPinY F='Inh'>1.25</LocPinY>
|
||||||
<Angle F='Inh'>-0.16936204617136</Angle>
|
<Angle F='Inh'>-0.26468305291974</Angle>
|
||||||
<FlipX F='Inh'>0</FlipX>
|
<FlipX F='Inh'>0</FlipX>
|
||||||
<FlipY F='Inh'>0</FlipY>
|
<FlipY F='Inh'>0</FlipY>
|
||||||
<ResizeMode F='Inh'>0</ResizeMode>
|
<ResizeMode F='Inh'>0</ResizeMode>
|
||||||
</XForm>
|
</XForm>
|
||||||
<XForm1D>
|
<XForm1D>
|
||||||
<BeginX F='Par(Pnt(Modem!Connections.X2,Modem!Connections.Y2))'>41.773406551454</BeginX>
|
<BeginX F='Par(Pnt(Modem!Connections.X2,Modem!Connections.Y2))'>41.773406551454</BeginX>
|
||||||
<BeginY F='Par(Pnt(Modem!Connections.X2,Modem!Connections.Y2))'>65</BeginY>
|
<BeginY F='Par(Pnt(Modem!Connections.X2,Modem!Connections.Y2))'>66.773406551866</BeginY>
|
||||||
<EndX F='Par(Pnt(Router!Connections.X3,Router!Connections.Y3))'>59.5</EndX>
|
<EndX F='Par(Pnt(Router!Connections.X3,Router!Connections.Y3))'>59.5</EndX>
|
||||||
<EndY F='Par(Pnt(Router!Connections.X3,Router!Connections.Y3))'>61.96875</EndY>
|
<EndY F='Par(Pnt(Router!Connections.X3,Router!Connections.Y3))'>61.96875</EndY>
|
||||||
</XForm1D>
|
</XForm1D>
|
||||||
@ -41738,11 +41738,11 @@ B/wAAA/8AAB//AAAf/wAAH/8AAA//AAAP/wAAD/8AAA//AAAP/wAAD/+AAA//4AAf//gAP///////
|
|||||||
<LayerMember>0</LayerMember>
|
<LayerMember>0</LayerMember>
|
||||||
</LayerMem>
|
</LayerMem>
|
||||||
<TextXForm>
|
<TextXForm>
|
||||||
<TxtPinX F='Inh'>8.9919490636419</TxtPinX>
|
<TxtPinX F='Inh'>9.1830937035322</TxtPinX>
|
||||||
<TxtPinY F='Inh'>-1.2222222222222</TxtPinY>
|
<TxtPinY F='Inh'>-1.2222222222222</TxtPinY>
|
||||||
<TxtWidth F='Inh'>17.983898127284</TxtWidth>
|
<TxtWidth F='Inh'>18.366187407064</TxtWidth>
|
||||||
<TxtHeight F='Inh'>2.4444444444444</TxtHeight>
|
<TxtHeight F='Inh'>2.4444444444444</TxtHeight>
|
||||||
<TxtLocPinX F='Inh'>8.9919490636419</TxtLocPinX>
|
<TxtLocPinX F='Inh'>9.1830937035322</TxtLocPinX>
|
||||||
<TxtLocPinY F='Inh'>1.2222222222222</TxtLocPinY>
|
<TxtLocPinY F='Inh'>1.2222222222222</TxtLocPinY>
|
||||||
<TxtAngle F='Inh'>0</TxtAngle>
|
<TxtAngle F='Inh'>0</TxtAngle>
|
||||||
</TextXForm>
|
</TextXForm>
|
||||||
@ -41756,23 +41756,23 @@ B/wAAA/8AAB//AAAf/wAAH/8AAA//AAAP/wAAD/8AAA//AAAP/wAAD/+AAA//4AAf//gAP///////
|
|||||||
<Y F='Inh'>1.25</Y>
|
<Y F='Inh'>1.25</Y>
|
||||||
</MoveTo>
|
</MoveTo>
|
||||||
<LineTo IX='2'>
|
<LineTo IX='2'>
|
||||||
<X F='Inh'>10.241949063642</X>
|
<X F='Inh'>10.433093703532</X>
|
||||||
<Y F='Inh'>2.5</Y>
|
<Y F='Inh'>2.5</Y>
|
||||||
</LineTo>
|
</LineTo>
|
||||||
<LineTo IX='3'>
|
<LineTo IX='3'>
|
||||||
<X F='Inh'>9.3044490636419</X>
|
<X F='Inh'>9.4955937035322</X>
|
||||||
<Y F='Inh'>0.75</Y>
|
<Y F='Inh'>0.75</Y>
|
||||||
</LineTo>
|
</LineTo>
|
||||||
<LineTo IX='4'>
|
<LineTo IX='4'>
|
||||||
<X F='Inh'>17.983898127284</X>
|
<X F='Inh'>18.366187407064</X>
|
||||||
<Y F='Inh'>1.25</Y>
|
<Y F='Inh'>1.25</Y>
|
||||||
</LineTo>
|
</LineTo>
|
||||||
<LineTo IX='5'>
|
<LineTo IX='5'>
|
||||||
<X F='Inh'>7.7419490636419</X>
|
<X F='Inh'>7.9330937035322</X>
|
||||||
<Y F='Inh'>0</Y>
|
<Y F='Inh'>0</Y>
|
||||||
</LineTo>
|
</LineTo>
|
||||||
<LineTo IX='6'>
|
<LineTo IX='6'>
|
||||||
<X F='Inh'>8.6794490636419</X>
|
<X F='Inh'>8.8705937035322</X>
|
||||||
<Y F='Inh'>1.75</Y>
|
<Y F='Inh'>1.75</Y>
|
||||||
</LineTo>
|
</LineTo>
|
||||||
<LineTo IX='7'>
|
<LineTo IX='7'>
|
||||||
@ -67146,7 +67146,7 @@ www.xxx.yyy.zzz/
|
|||||||
<Shape ID='1' NameU='Modem' Type='Group' Master='21'>
|
<Shape ID='1' NameU='Modem' Type='Group' Master='21'>
|
||||||
<XForm>
|
<XForm>
|
||||||
<PinX>37.906373794182</PinX>
|
<PinX>37.906373794182</PinX>
|
||||||
<PinY>64.226593448134</PinY>
|
<PinY>66</PinY>
|
||||||
<Width>6.1872524116354</Width>
|
<Width>6.1872524116354</Width>
|
||||||
<Height>1.5468131037315</Height>
|
<Height>1.5468131037315</Height>
|
||||||
<LocPinX F='Inh'>3.0936262058177</LocPinX>
|
<LocPinX F='Inh'>3.0936262058177</LocPinX>
|
||||||
@ -67185,7 +67185,7 @@ www.xxx.yyy.zzz/
|
|||||||
</Misc>
|
</Misc>
|
||||||
<Control IX='0'>
|
<Control IX='0'>
|
||||||
<X F='Inh'>3.0936262058177</X>
|
<X F='Inh'>3.0936262058177</X>
|
||||||
<Y F='Inh'>-1.1111111111111</Y>
|
<Y F='Inh'>-1.9444444444445</Y>
|
||||||
<XDyn F='Inh'>3.0936262058177</XDyn>
|
<XDyn F='Inh'>3.0936262058177</XDyn>
|
||||||
<YDyn F='Inh'>0.77340655186576</YDyn>
|
<YDyn F='Inh'>0.77340655186576</YDyn>
|
||||||
<XCon F='Inh'>3</XCon>
|
<XCon F='Inh'>3</XCon>
|
||||||
@ -68106,9 +68106,9 @@ www.xxx.yyy.zzz/
|
|||||||
<PinX F='Inh'>0</PinX>
|
<PinX F='Inh'>0</PinX>
|
||||||
<PinY F='Inh'>0</PinY>
|
<PinY F='Inh'>0</PinY>
|
||||||
<Width F='Inh'>9.1994900183611</Width>
|
<Width F='Inh'>9.1994900183611</Width>
|
||||||
<Height F='Inh'>2.2222222222222</Height>
|
<Height F='Inh'>3.8888888888889</Height>
|
||||||
<LocPinX F='Inh'>1.5061188033628</LocPinX>
|
<LocPinX F='Inh'>1.5061188033628</LocPinX>
|
||||||
<LocPinY F='Inh'>2.2222222222222</LocPinY>
|
<LocPinY F='Inh'>3.8888888888889</LocPinY>
|
||||||
<Angle F='Inh'>0</Angle>
|
<Angle F='Inh'>0</Angle>
|
||||||
<FlipX F='Inh'>0</FlipX>
|
<FlipX F='Inh'>0</FlipX>
|
||||||
<FlipY F='Inh'>0</FlipY>
|
<FlipY F='Inh'>0</FlipY>
|
||||||
@ -68144,11 +68144,11 @@ www.xxx.yyy.zzz/
|
|||||||
</Protection>
|
</Protection>
|
||||||
<TextXForm>
|
<TextXForm>
|
||||||
<TxtPinX F='Inh'>4.5997450091806</TxtPinX>
|
<TxtPinX F='Inh'>4.5997450091806</TxtPinX>
|
||||||
<TxtPinY F='Inh'>1.1111111111111</TxtPinY>
|
<TxtPinY F='Inh'>1.9444444444445</TxtPinY>
|
||||||
<TxtWidth F='Inh'>9.1994900183612</TxtWidth>
|
<TxtWidth F='Inh'>9.1994900183612</TxtWidth>
|
||||||
<TxtHeight F='Inh'>2.2222222222222</TxtHeight>
|
<TxtHeight F='Inh'>3.8888888888889</TxtHeight>
|
||||||
<TxtLocPinX F='Inh'>4.5997450091806</TxtLocPinX>
|
<TxtLocPinX F='Inh'>4.5997450091806</TxtLocPinX>
|
||||||
<TxtLocPinY F='Inh'>1.1111111111111</TxtLocPinY>
|
<TxtLocPinY F='Inh'>1.9444444444445</TxtLocPinY>
|
||||||
<TxtAngle F='Inh'>0</TxtAngle>
|
<TxtAngle F='Inh'>0</TxtAngle>
|
||||||
</TextXForm>
|
</TextXForm>
|
||||||
<Char IX='0'>
|
<Char IX='0'>
|
||||||
@ -68182,18 +68182,19 @@ www.xxx.yyy.zzz/
|
|||||||
</LineTo>
|
</LineTo>
|
||||||
<LineTo IX='3'>
|
<LineTo IX='3'>
|
||||||
<X F='Inh'>9.1994900183611</X>
|
<X F='Inh'>9.1994900183611</X>
|
||||||
<Y F='Inh'>2.2222222222222</Y>
|
<Y F='Inh'>3.8888888888889</Y>
|
||||||
</LineTo>
|
</LineTo>
|
||||||
<LineTo IX='4'>
|
<LineTo IX='4'>
|
||||||
<X F='Inh'>0</X>
|
<X F='Inh'>0</X>
|
||||||
<Y F='Inh'>2.2222222222222</Y>
|
<Y F='Inh'>3.8888888888889</Y>
|
||||||
</LineTo>
|
</LineTo>
|
||||||
<LineTo IX='5'>
|
<LineTo IX='5'>
|
||||||
<X F='Inh'>0</X>
|
<X F='Inh'>0</X>
|
||||||
<Y F='Inh'>0</Y>
|
<Y F='Inh'>0</Y>
|
||||||
</LineTo>
|
</LineTo>
|
||||||
</Geom>
|
</Geom>
|
||||||
<Text><cp IX='0'/>DSL “Modem”</Text>
|
<Text><cp IX='0'/>DSL “Modem”
|
||||||
|
192.168.1.1</Text>
|
||||||
</Shape>
|
</Shape>
|
||||||
</Shapes>
|
</Shapes>
|
||||||
</Shape>
|
</Shape>
|
||||||
@ -71283,7 +71284,7 @@ www.xxx.yyy.zzz/
|
|||||||
</Page>
|
</Page>
|
||||||
</Pages>
|
</Pages>
|
||||||
<Windows ClientWidth='1280' ClientHeight='850'>
|
<Windows ClientWidth='1280' ClientHeight='850'>
|
||||||
<Window ID='0' WindowType='Drawing' WindowState='1073741824' WindowLeft='-4' WindowTop='-30' WindowWidth='1288' WindowHeight='884' ContainerType='Page' Page='0' ViewScale='1.5' ViewCenterX='61.571428571429' ViewCenterY='26.607142857143'>
|
<Window ID='0' WindowType='Drawing' WindowState='1073741824' WindowLeft='-4' WindowTop='-30' WindowWidth='1288' WindowHeight='884' ContainerType='Page' Page='0' ViewScale='1.5' ViewCenterX='84.428571428571' ViewCenterY='71.607142857143'>
|
||||||
<ShowRulers>1</ShowRulers>
|
<ShowRulers>1</ShowRulers>
|
||||||
<ShowGrid>1</ShowGrid>
|
<ShowGrid>1</ShowGrid>
|
||||||
<ShowPageBreaks>0</ShowPageBreaks>
|
<ShowPageBreaks>0</ShowPageBreaks>
|
||||||
|
@ -15,7 +15,7 @@
|
|||||||
</author>
|
</author>
|
||||||
</authorgroup>
|
</authorgroup>
|
||||||
|
|
||||||
<pubdate>2004-07-04</pubdate>
|
<pubdate>2004-07-13</pubdate>
|
||||||
|
|
||||||
<copyright>
|
<copyright>
|
||||||
<year>2001-2004</year>
|
<year>2001-2004</year>
|
||||||
@ -47,16 +47,17 @@
|
|||||||
|
|
||||||
<caution>
|
<caution>
|
||||||
<para>The configuration shown here corresponds to Shorewall version
|
<para>The configuration shown here corresponds to Shorewall version
|
||||||
2.0.3. My configuration uses features not available in earlier Shorewall
|
2.1.1. My configuration uses features not available in earlier Shorewall
|
||||||
releases.</para>
|
releases.</para>
|
||||||
</caution>
|
</caution>
|
||||||
|
|
||||||
<para>I have DSL service and have 5 static IP addresses
|
<para>I have DSL service and have 5 static IP addresses
|
||||||
(206.124.146.176-180). My DSL <quote>modem</quote> (Fujitsu Speedport) is
|
(206.124.146.176-180). My DSL <quote>modem</quote> (Westell 2200) is
|
||||||
connected to eth0. I have a local network connected to eth2 (subnet
|
connected to eth0 and has IP address 192.168.1.1 (factory default). I have
|
||||||
192.168.1.0/24) and a DMZ connected to eth1 (206.124.146.176/32). Note
|
a local network connected to eth2 (subnet 192.168.1.0/24) and a DMZ
|
||||||
that I configure the same IP address on both <filename class="devicefile">eth0</filename>
|
connected to eth1 (206.124.146.176/32). Note that I configure the same IP
|
||||||
and <filename class="devicefile">eth1</filename>.</para>
|
address on both <filename class="devicefile">eth0</filename> and <filename
|
||||||
|
class="devicefile">eth1</filename>.</para>
|
||||||
|
|
||||||
<para>In this configuration:</para>
|
<para>In this configuration:</para>
|
||||||
|
|
||||||
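Review bot: The caution now says the configuration corresponds to Shorewall 2.1.1, while the commit is labelled "Updated for 2.0.6"; if the entries further down really depend on 2.1.1 features, name them here so readers on 2.0.x know which parts will not work for them. In the rewritten paragraph, the modem's 192.168.1.1 on eth0 falls inside the 192.168.1.0/24 subnet given for eth2. One sentence saying the overlap is intentional, and that the rfc1918, masq and proxyarp entries exist to handle it, would stop readers from taking it for a typo.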
@ -217,7 +218,7 @@ tx Texas Peer Network in Plano
|
|||||||
|
|
||||||
<programlisting>#ZONE INERFACE BROADCAST OPTIONS
|
<programlisting>#ZONE INERFACE BROADCAST OPTIONS
|
||||||
net eth0 206.124.146.255 dhcp,norfc1918,routefilter,blacklist,tcpflags,nosmurfs
|
net eth0 206.124.146.255 dhcp,norfc1918,routefilter,blacklist,tcpflags,nosmurfs
|
||||||
loc eth2 192.168.1.255 dhcp,detectnets
|
loc eth2 192.168.1.255 dhcp
|
||||||
dmz eth1 -
|
dmz eth1 -
|
||||||
- texas 192.168.9.255
|
- texas 192.168.9.255
|
||||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
||||||
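Review bot: `detectnets` is dropped from the loc entry for eth2 with no explanation in the surrounding text. If it was removed because 192.168.1.1 now sits behind eth0 while eth2 carries 192.168.1.0/24, say so next to the listing; otherwise a reader comparing versions cannot tell whether the option is wrong in general or only for this layout. The header in the context line reads `#ZONE INERFACE`; worth correcting to INTERFACE while this listing is being touched.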
@ -259,6 +260,25 @@ eth2 -
|
|||||||
</blockquote>
|
</blockquote>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
|
<section>
|
||||||
|
<title>RFC1918 File</title>
|
||||||
|
|
||||||
|
<blockquote>
|
||||||
|
<para>Because my DSL modem has an RFC 1918 address (192.168.1.1) and
|
||||||
|
is connected to eth0, I need to make an exception for that address in
|
||||||
|
my rfc1918 file. I copied /usr/share/shorewall/rfc1918 to
|
||||||
|
/etc/shorewall/rfc1918 and changed it as follows:</para>
|
||||||
|
|
||||||
|
<programlisting>#SUBNET TARGET
|
||||||
|
<emphasis role="bold">192.168.1.1 RETURN</emphasis>
|
||||||
|
172.16.0.0/12 logdrop # RFC 1918
|
||||||
|
192.168.0.0/16 logdrop # RFC 1918
|
||||||
|
10.0.0.0/8 logdrop # RFC 1918
|
||||||
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||||
|
</programlisting>
|
||||||
|
</blockquote>
|
||||||
|
</section>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
<title>Policy File</title>
|
<title>Policy File</title>
|
||||||
|
|
||||||
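Review bot: The new paragraph says the file was "changed ... as follows" but does not say that the `192.168.1.1 RETURN` line has to stay above the `192.168.0.0/16 logdrop` line. A reader who appends the exception at the end of their copy will still see the modem's packets logged and dropped, so state that the order matters. It is also worth saying that the exception applies to any packet arriving on a norfc1918 interface with that source address, not only to traffic that really comes from the modem, so readers understand what they are exempting.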
@ -286,7 +306,15 @@ all all REJECT $LOG # Reje
|
|||||||
as do my SuSE system (192.168.1.3), our laptop (192.168.3.8) and
|
as do my SuSE system (192.168.1.3), our laptop (192.168.3.8) and
|
||||||
visitors with laptops.</para>
|
visitors with laptops.</para>
|
||||||
|
|
||||||
|
<para>The first entry allows access to the DSL modem and uses features
|
||||||
|
introduced in Shorewall 2.1.1. The leading plus sign ("+_")
|
||||||
|
causes the rule to be placed before rules generated by the
|
||||||
|
/etc/shorewall/nat file below. The double colons ("::") causes
|
||||||
|
the entry to be exempt from ADD_SNAT_ALIASES=Yes in my shorewall.conf
|
||||||
|
file above.</para>
|
||||||
|
|
||||||
<programlisting>#INTERFACE SUBNET ADDRESS
|
<programlisting>#INTERFACE SUBNET ADDRESS
|
||||||
|
+eth0::192.168.1.1 0.0.0.0/0 192.168.1.254
|
||||||
eth0:2 eth2 206.124.146.179
|
eth0:2 eth2 206.124.146.179
|
||||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
||||||
</programlisting>
|
</programlisting>
|
||||||
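Review bot: In the added paragraph the plus sign is quoted as `&quot;+_&quot;`, but the entry is `+eth0::192.168.1.1`, so the underscore looks like a typo. "The double colons ... causes" should read "cause". The paragraph explains the `+` and the `::` but not the ADDRESS column: since the entry is exempt from ADD_SNAT_ALIASES=Yes, say what 192.168.1.254 is and where it gets configured on eth0, because someone copying this line needs that address to exist.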
@ -300,13 +328,6 @@ eth0:2 eth2 206.124.146.179
|
|||||||
<programlisting>#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL
|
<programlisting>#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL
|
||||||
206.124.146.178 eth0:0 192.168.1.5 No No
|
206.124.146.178 eth0:0 192.168.1.5 No No
|
||||||
206.124.146.180 eth0:1 192.168.1.7 No No
|
206.124.146.180 eth0:1 192.168.1.7 No No
|
||||||
#
|
|
||||||
# The following entry allows the server to be accessed through an address in
|
|
||||||
# the local network. This is convenient when I'm on the road and connected
|
|
||||||
# to the PPTP server. By doing this, I don't need to set my client's default
|
|
||||||
# gateway to route through the tunnel.
|
|
||||||
#
|
|
||||||
192.168.1.193 eth2:0 206.124.146.177 No No
|
|
||||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
</section>
|
</section>
|
||||||
@ -317,6 +338,7 @@ eth0:2 eth2 206.124.146.179
|
|||||||
<blockquote>
|
<blockquote>
|
||||||
<programlisting>#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
|
<programlisting>#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
|
||||||
206.124.146.177 eth1 eth0 Yes
|
206.124.146.177 eth1 eth0 Yes
|
||||||
|
192.168.1.1 eth0 eth2 yes # Allow access to DSL modem from the local zone
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
</section>
|
</section>
|
||||||
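Review bot: the new 192.168.1.1 entry writes `yes` in the HAVEROUTE column while the entry directly above it uses `Yes`; pick one spelling. The entry also depends on the route added in the /etc/network/interfaces hunk of this commit (`up ip route add 192.168.1.1 dev eth0`), so a sentence linking the two would keep a reader from copying this line without the route.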
@ -371,7 +393,7 @@ AllowPing
|
|||||||
dropBcast
|
dropBcast
|
||||||
DropSMB
|
DropSMB
|
||||||
DropUPnP
|
DropUPnP
|
||||||
dropNonSyn
|
dropNotSyn
|
||||||
DropDNSrep</programlisting>
|
DropDNSrep</programlisting>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
</section>
|
</section>
|
||||||
@ -392,7 +414,7 @@ AllowPing
|
|||||||
dropBcast
|
dropBcast
|
||||||
RejectSMB
|
RejectSMB
|
||||||
DropUPnP
|
DropUPnP
|
||||||
dropNonSyn
|
dropNotSyn
|
||||||
DropDNSrep
|
DropDNSrep
|
||||||
DROP loc:eth2:!192.168.1.0/24 #So that my braindead Windows[tm] XP system doesn't flood my log
|
DROP loc:eth2:!192.168.1.0/24 #So that my braindead Windows[tm] XP system doesn't flood my log
|
||||||
#with NTP requests with a source address in 16.0.0.0/8 (address of
|
#with NTP requests with a source address in 16.0.0.0/8 (address of
|
||||||
@ -405,115 +427,136 @@ DROP loc:eth2:!192.168.1.0/24 #So that my braindead Windows[tm] XP sy
|
|||||||
|
|
||||||
<blockquote>
|
<blockquote>
|
||||||
<programlisting>###############################################################################################################################################################################
|
<programlisting>###############################################################################################################################################################################
|
||||||
#RESULT CLIENT(S) SERVER(S) PROTO PORT(S) CLIENT ORIGINAL RATE USER
|
#RESULT CLIENT(S) SERVER(S) PROTO PORT(S) CLIENT ORIGINAL RATE USER
|
||||||
# PORT(S) DEST:SNAT SET
|
# PORT(S) DEST:SNAT SET
|
||||||
###############################################################################################################################################################################
|
###############################################################################################################################################################################
|
||||||
# Local Network to Internet - Reject attempts by Trojans to call home
|
# Local Network to Internet - Reject attempts by Trojans to call home, direct SMTP and MS Message Service
|
||||||
#
|
#
|
||||||
REJECT:$LOG loc net tcp 6667
|
RejectSMTP loc net tcp 25
|
||||||
|
REJECT:$LOG loc net tcp 6667,25
|
||||||
|
REJECT:$LOG loc net udp 1025:1031
|
||||||
#
|
#
|
||||||
# Stop NETBIOS crap since our policy is ACCEPT
|
# Stop NETBIOS crap since our policy is ACCEPT
|
||||||
#
|
#
|
||||||
REJECT loc net tcp 137,445
|
REJECT loc net tcp 137,445
|
||||||
REJECT loc net udp 137:139
|
REJECT loc net udp 137:139
|
||||||
#
|
#
|
||||||
QUEUE loc net udp
|
DROP loc:!192.168.1.0/24 net
|
||||||
QUEUE loc fw udp
|
|
||||||
QUEUE loc net tcp
|
#QUEUE loc net udp
|
||||||
|
#QUEUE loc fw udp
|
||||||
|
#QUEUE loc net tcp
|
||||||
###############################################################################################################################################################################
|
###############################################################################################################################################################################
|
||||||
# Local Network to Firewall
|
# Local Network to Firewall
|
||||||
#
|
#
|
||||||
ACCEPT loc fw tcp ssh,time
|
DROP loc:!192.168.1.0/24 fw
|
||||||
ACCEPT loc fw udp snmp,ntp
|
ACCEPT loc fw tcp ssh,time
|
||||||
|
ACCEPT loc fw udp 161,ntp
|
||||||
###############################################################################################################################################################################
|
###############################################################################################################################################################################
|
||||||
# Local Network to DMZ
|
# Local Network to DMZ
|
||||||
#
|
#
|
||||||
REJECT loc dmz tcp 465
|
DROP loc:!192.168.1.0/24 dmz
|
||||||
ACCEPT loc dmz udp domain,xdmcp
|
ACCEPT loc dmz udp domain,xdmcp
|
||||||
ACCEPT loc dmz tcp www,smtp,domain,ssh,imap,https,imaps,cvspserver,ftp,10000,8080,10027,pop3 -
|
ACCEPT loc dmz tcp www,smtp,smtps,domain,ssh,imap,https,imaps,cvspserver,ftp,10027,pop3 -
|
||||||
###############################################################################################################################################################################
|
###############################################################################################################################################################################
|
||||||
# Internet to DMZ
|
# Internet to ALL -- drop NewNotSyn packets
|
||||||
#
|
#
|
||||||
DNAT- net dmz:206.124.146.177 tcp smtp - 206.124.146.179,206.124.146.178
|
dropNotSyn net fw tcp
|
||||||
ACCEPT net dmz tcp smtp,www,ftp,imaps,domain,cvspserver,https -
|
dropNotSyn net loc tcp
|
||||||
ACCEPT net dmz udp domain
|
dropNotSyn net dmz tcp
|
||||||
ACCEPT net dmz udp 33434:33436
|
###############################################################################################################################################################################
|
||||||
Mirrors net dmz tcp rsync
|
# Internet to DMZ
|
||||||
#ACCEPT:$LOG net dmz tcp 32768:61000 20
|
#
|
||||||
|
DNAT- net dmz:206.124.146.177 tcp smtp - 206.124.146.179,206.124.146.178
|
||||||
|
ACCEPT net dmz tcp smtp,smtps,www,ftp,imaps,domain,https,cvspserver -
|
||||||
|
ACCEPT net dmz udp domain
|
||||||
|
ACCEPT net dmz udp 33434:33436
|
||||||
|
Mirrors net dmz tcp rsync
|
||||||
|
#ACCEPT:$LOG net dmz tcp 32768:61000 20
|
||||||
###############################################################################################################################################################################
|
###############################################################################################################################################################################
|
||||||
#
|
#
|
||||||
# Net to Local
|
# Net to Local
|
||||||
#
|
#
|
||||||
# When I'm "on the road", the following two rules allow me VPN access back home.
|
# When I'm "on the road", the following two rules allow me VPN access back home.
|
||||||
#
|
#
|
||||||
DNAT net loc:192.168.1.4 tcp 1723
|
DNAT net loc:192.168.1.4 tcp 1723 -
|
||||||
DNAT net loc:192.168.1.4 gre
|
DNAT net:!4.3.113.178 loc:192.168.1.4 gre -
|
||||||
|
ACCEPT net loc:192.168.1.5 tcp 22
|
||||||
#
|
#
|
||||||
# ICQ
|
# ICQ
|
||||||
#
|
#
|
||||||
ACCEPT net loc:192.168.1.5 tcp 4000:4100
|
ACCEPT net loc:192.168.1.5 tcp 4000:4100
|
||||||
#
|
#
|
||||||
# Real Audio
|
# Real Audio
|
||||||
#
|
#
|
||||||
ACCEPT net loc:192.168.1.5 udp 6970:7170
|
ACCEPT net loc:192.168.1.5 udp 6970:7170
|
||||||
#
|
#
|
||||||
# Overnet
|
# Overnet
|
||||||
#
|
#
|
||||||
#ACCEPT net loc:192.168.1.5 tcp 4662
|
#ACCEPT net loc:192.168.1.5 tcp 4662
|
||||||
#ACCEPT net loc:192.168.1.5 udp 12112
|
#ACCEPT net loc:192.168.1.5 udp 12112
|
||||||
|
#
|
||||||
|
# Silently Handle common probes
|
||||||
|
#
|
||||||
|
REJECT net loc tcp www,ftp,https
|
||||||
###############################################################################################################################################################################
|
###############################################################################################################################################################################
|
||||||
# DMZ to Internet
|
# DMZ to Internet
|
||||||
#
|
#
|
||||||
ACCEPT dmz net tcp smtp,domain,www,https,whois,echo,2702,21,2703,ssh,8080
|
ACCEPT dmz net tcp smtp,domain,www,81,https,whois,echo,2702,21,2703,ssh,8080
|
||||||
ACCEPT dmz net udp domain
|
ACCEPT dmz net udp domain
|
||||||
ACCEPT dmz net:$POPSERVERS tcp pop3
|
REJECT:$LOG dmz net udp 1025:1031
|
||||||
#ACCEPT dmz net:206.191.151.2 tcp pop3
|
ACCEPT dmz net:$POPSERVERS tcp pop3
|
||||||
#ACCEPT dmz net:66.216.26.115 tcp pop3
|
#ACCEPT dmz net:206.191.151.2 tcp pop3
|
||||||
|
#ACCEPT dmz net:66.216.26.115 tcp pop3
|
||||||
#
|
#
|
||||||
# Something is wrong with the FTP connection tracking code or there is some client out there
|
# Something is wrong with the FTP connection tracking code or there is some client out there
|
||||||
# that is sending a PORT command which that code doesn't understand. Either way,
|
# that is sending a PORT command which that code doesn't understand. Either way,
|
||||||
# the following works around the problem.
|
# the following works around the problem.
|
||||||
#
|
#
|
||||||
ACCEPT:$LOG dmz net tcp 1024: 20
|
ACCEPT:$LOG dmz net tcp 1024: 20
|
||||||
###############################################################################################################################################################################
|
###############################################################################################################################################################################
|
||||||
# DMZ to Firewall -- ntp & snmp, Silently reject Auth
|
# DMZ to Firewall -- ntp & snmp, Silently reject Auth
|
||||||
#
|
#
|
||||||
ACCEPT dmz fw udp ntp ntp
|
ACCEPT dmz fw udp ntp ntp
|
||||||
ACCEPT dmz fw tcp snmp,ssh
|
ACCEPT dmz fw tcp 161,ssh
|
||||||
ACCEPT dmz fw udp snmp
|
ACCEPT dmz fw udp 161
|
||||||
REJECT dmz fw tcp auth
|
REJECT dmz fw tcp auth
|
||||||
###############################################################################################################################################################################
|
###############################################################################################################################################################################
|
||||||
# DMZ to Local Network
|
# DMZ to Local Network
|
||||||
#
|
#
|
||||||
ACCEPT dmz loc tcp smtp,6001:6010
|
ACCEPT dmz loc tcp smtp,6001:6010
|
||||||
ACCEPT dmz:206.124.146.177 loc:192.168.1.3 tcp 111
|
ACCEPT dmz:206.124.146.177 loc:192.168.1.3 tcp 111
|
||||||
ACCEPT dmz:206.124.146.177 loc:192.168.1.3 udp
|
ACCEPT dmz:206.124.146.177 loc:192.168.1.3 udp
|
||||||
###############################################################################################################################################################################
|
###############################################################################################################################################################################
|
||||||
# Internet to Firewall
|
# Internet to Firewall
|
||||||
#
|
#
|
||||||
REJECT net fw tcp www
|
REJECT net fw tcp www,ftp,https
|
||||||
ACCEPT net dmz udp 33434:33435
|
ACCEPT net dmz udp 33434:33435
|
||||||
|
|
||||||
###############################################################################################################################################################################
|
###############################################################################################################################################################################
|
||||||
# Firewall to Internet
|
# Firewall to Internet
|
||||||
#
|
#
|
||||||
ACCEPT fw net:$NTPSERVERS udp ntp ntp
|
ACCEPT fw net:$NTPSERVERS udp ntp ntp
|
||||||
#ACCEPT fw net:$POPSERVERS tcp pop3
|
#ACCEPT fw net:$POPSERVERS tcp pop3
|
||||||
ACCEPT fw net udp domain
|
ACCEPT fw net udp domain
|
||||||
ACCEPT fw net tcp domain,www,https,ssh,1723,whois,1863,ftp,2702,2703,7
|
ACCEPT fw net tcp domain,www,https,ssh,1723,whois,1863,ftp,2702,2703,7
|
||||||
ACCEPT fw net udp 33435:33535
|
ACCEPT fw net udp 33435:33535
|
||||||
ACCEPT fw net icmp
|
ACCEPT fw net icmp
|
||||||
|
REJECT:$LOG fw net udp 1025:1031
|
||||||
|
DROP fw net udp ntp
|
||||||
###############################################################################################################################################################################
|
###############################################################################################################################################################################
|
||||||
# Firewall to DMZ
|
# Firewall to DMZ
|
||||||
#
|
#
|
||||||
ACCEPT fw dmz tcp www,ftp,ssh,smtp
|
ACCEPT fw dmz tcp www,ftp,ssh,smtp
|
||||||
ACCEPT fw dmz udp domain
|
ACCEPT fw dmz udp domain
|
||||||
REJECT fw dmz udp 137:139
|
REJECT fw dmz udp 137:139
|
||||||
###############################################################################################################################################################################
|
###############################################################################################################################################################################
|
||||||
# Ping
|
# Ping
|
||||||
#
|
#
|
||||||
ACCEPT all all icmp 8
|
ACCEPT all all icmp 8
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
###############################################################################################################################################################################
|
||||||
|
ACCEPT tx loc:192.168.1.5 all
|
||||||
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||||
|
</programlisting>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
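Review bot: the last added rule, `ACCEPT tx loc:192.168.1.5 all`, opens every protocol from zone `tx` to one local host, yet it sits under a bare separator with no section comment and nothing in this hunk says what `tx` is; give it a heading like the other sections and say why the whole zone is trusted. At the top of the file `RejectSMTP loc net tcp 25` is followed by `REJECT:$LOG loc net tcp 6667,25`, so tcp 25 is covered twice; if the action already rejects, drop 25 from the second rule or note that it is kept for logging. The comment "the following two rules allow me VPN access back home" now precedes three rules, the third being the new ssh ACCEPT to 192.168.1.5, which deserves its own comment.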
@ -521,14 +564,23 @@ ACCEPT all all icmp
|
|||||||
<title>/etc/network/interfaces</title>
|
<title>/etc/network/interfaces</title>
|
||||||
|
|
||||||
<blockquote>
|
<blockquote>
|
||||||
<para>This file is Debian specific. My additional entry (which is
|
<para>This file is Debian specific. My additional entries(which is
|
||||||
displayed in <emphasis role="bold">bold type</emphasis>) adds a route
|
displayed in <emphasis role="bold">bold type</emphasis>) add a route
|
||||||
to my DMZ server when eth1 is brought up. It allows me to enter
|
to my DSL modem when eth0 is brought up and a route to my DMZ server
|
||||||
<quote>Yes</quote> in the HAVEROUTE column of <link linkend="ProxyARP">my
|
when eth1 is brought up. It allows me to enter <quote>Yes</quote> in
|
||||||
Proxy ARP file</link>.</para>
|
the HAVEROUTE column of <link linkend="ProxyARP">my Proxy ARP file</link>.</para>
|
||||||
|
|
||||||
<programlisting>...
|
<programlisting>...
|
||||||
auto eth1
|
auto auto eth0
|
||||||
|
iface eth0 inet static
|
||||||
|
address 206.124.146.176
|
||||||
|
netmask 255.255.255.0
|
||||||
|
network 206.124.146.0
|
||||||
|
broadcast 206.124.146.255
|
||||||
|
gateway 206.124.146.254
|
||||||
|
<emphasis role="bold">up ip route add 192.168.1.1 dev eth0</emphasis>
|
||||||
|
|
||||||
|
eth1
|
||||||
iface eth1 inet static
|
iface eth1 inet static
|
||||||
address 206.124.146.176
|
address 206.124.146.176
|
||||||
netmask 255.255.255.255
|
netmask 255.255.255.255
|
||||||
|
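Review bot: the new listing opens with `auto auto eth0` and leaves a bare `eth1` line before `iface eth1 inet static`, so the `auto` keyword for eth1 has ended up on the eth0 line; it should read `auto eth0` at the top and `auto eth1` before the eth1 stanza. In the paragraph above the listing, "My additional entries(which is displayed" needs a space before the parenthesis and "are" for "is", and "It allows me" should follow the plural.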
@ -15,7 +15,7 @@
|
|||||||
</author>
|
</author>
|
||||||
</authorgroup>
|
</authorgroup>
|
||||||
|
|
||||||
<pubdate>2004-06-11</pubdate>
|
<pubdate>2004-07-14</pubdate>
|
||||||
|
|
||||||
<copyright>
|
<copyright>
|
||||||
<year>2002-2004</year>
|
<year>2002-2004</year>
|
||||||
@ -317,7 +317,7 @@ all all REJECT info</programlisting>
|
|||||||
<para>Shorewall 2.0.0 and later include a collection of actions that can
|
<para>Shorewall 2.0.0 and later include a collection of actions that can
|
||||||
be used to quickly allow or deny services. You can find a list of the
|
be used to quickly allow or deny services. You can find a list of the
|
||||||
actions included in your version of Shorewall in the file
|
actions included in your version of Shorewall in the file
|
||||||
<filename>/etc/shorewall/actions.std</filename>.</para>
|
<filename>/usr/share/shorewall/actions.std</filename>.</para>
|
||||||
|
|
||||||
<para>Those actions that allow a connection begin with <quote>Allow</quote>.</para>
|
<para>Those actions that allow a connection begin with <quote>Allow</quote>.</para>
|
||||||
|
|
||||||
|
@ -27,7 +27,7 @@
|
|||||||
</author>
|
</author>
|
||||||
</authorgroup>
|
</authorgroup>
|
||||||
|
|
||||||
<pubdate>2004-02-16</pubdate>
|
<pubdate>2004-07-14</pubdate>
|
||||||
|
|
||||||
<copyright>
|
<copyright>
|
||||||
<year>2002-2004</year>
|
<year>2002-2004</year>
|
||||||
@ -41,22 +41,20 @@
|
|||||||
1.2 or any later version published by the Free Software Foundation; with
|
1.2 or any later version published by the Free Software Foundation; with
|
||||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||||
Texts. A copy of the license is included in the section entitled
|
Texts. A copy of the license is included in the section entitled
|
||||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
|
||||||
License</ulink></quote>.</para>
|
|
||||||
</legalnotice>
|
</legalnotice>
|
||||||
</articleinfo>
|
</articleinfo>
|
||||||
|
|
||||||
<note>
|
<note>
|
||||||
<para><emphasis role="underline">Notes du traducteur :</emphasis> Le guide
|
<para><emphasis role="underline">Notes du traducteur :</emphasis> Le guide
|
||||||
initial a été traduit par <ulink
|
initial a été traduit par <ulink url="mailto:vetsel.patrice@wanadoo.fr">VETSEL
|
||||||
url="mailto:vetsel.patrice@wanadoo.fr">VETSEL Patrice</ulink> que je
|
Patrice</ulink> que je remercie. J'en ai assuré la révision pour
|
||||||
remercie. J'en ai assuré la révision pour l'adapter à la version 2 de
|
l'adapter à la version 2 de Shorewall. J'espère vous faciliter
|
||||||
Shorewall. J'espère vous faciliter l'accès et la prise en main d'un
|
l'accès et la prise en main d'un firewall performant, efficace,
|
||||||
firewall performant, efficace, adaptable et facile d'utilisation. Donc
|
adaptable et facile d'utilisation. Donc félicitations pour la qualité
|
||||||
félicitations pour la qualité du travail et la disponibilité offerte par
|
du travail et la disponibilité offerte par Thomas M. Eastep. Si vous
|
||||||
Thomas M. Eastep. Si vous trouvez des erreurs ou des améliorations à
|
trouvez des erreurs ou des améliorations à apporter vous pouvez me
|
||||||
apporter vous pouvez me contacter <ulink
|
contacter <ulink url="mailto:fd03x@wanadoo.fr">Fabien Demassieux</ulink></para>
|
||||||
url="mailto:fd03x@wanadoo.fr">Fabien Demassieux</ulink></para>
|
|
||||||
</note>
|
</note>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
@ -87,12 +85,11 @@
|
|||||||
<section>
|
<section>
|
||||||
<title>Pré-requis</title>
|
<title>Pré-requis</title>
|
||||||
|
|
||||||
<para>Shorewall a besoin que le package
|
<para>Shorewall a besoin que le package <command>iproute</command>/<command>iproute2</command>
|
||||||
<command>iproute</command>/<command>iproute2</command> soit installé
|
soit installé (avec la distribution <trademark>RedHat</trademark>, le
|
||||||
(avec la distribution <trademark>RedHat</trademark>, le package
|
package s'appelle <command>iproute</command>). Vous pouvez vérifier
|
||||||
s'appelle <command>iproute</command>). Vous pouvez vérifier si le
|
si le package est installé par la présence du programme
|
||||||
package est installé par la présence du programme <command>ip</command>
|
<command>ip</command> sur votre firewall. En tant que <systemitem
|
||||||
sur votre firewall. En tant que <systemitem
|
|
||||||
class="username">root</systemitem>, vous pouvez utiliser la commande
|
class="username">root</systemitem>, vous pouvez utiliser la commande
|
||||||
<command>which</command> pour cela:</para>
|
<command>which</command> pour cela:</para>
|
||||||
|
|
||||||
@ -113,22 +110,20 @@
|
|||||||
<trademark>Windows</trademark>, vous devez les sauver comme des
|
<trademark>Windows</trademark>, vous devez les sauver comme des
|
||||||
fichiers <trademark>Unix</trademark> si votre éditeur supporte cette
|
fichiers <trademark>Unix</trademark> si votre éditeur supporte cette
|
||||||
option sinon vous devez les convertir avec <command>dos2unix</command>
|
option sinon vous devez les convertir avec <command>dos2unix</command>
|
||||||
avant d'essayer de les utiliser. De la même manière, si vous copiez un
|
avant d'essayer de les utiliser. De la même manière, si vous
|
||||||
fichier de configuration depuis votre disque dur
|
copiez un fichier de configuration depuis votre disque dur
|
||||||
<trademark>Windows</trademark> vers une disquette, vous devez lancer
|
<trademark>Windows</trademark> vers une disquette, vous devez lancer
|
||||||
<command>dos2unix</command> sur la copie avant de l'utiliser avec
|
<command>dos2unix</command> sur la copie avant de l'utiliser avec
|
||||||
Shorewall.</para>
|
Shorewall.</para>
|
||||||
|
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para><ulink
|
<para><ulink url="http://www.simtel.net/pub/pd/51438.html"><trademark>Windows</trademark>
|
||||||
url="http://www.simtel.net/pub/pd/51438.html"><trademark>Windows</trademark>
|
|
||||||
Version of <command>dos2unix</command></ulink></para>
|
Version of <command>dos2unix</command></ulink></para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para><ulink
|
<para><ulink url="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
|
||||||
url="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
|
|
||||||
Version of <command>dos2unix</command></ulink></para>
|
Version of <command>dos2unix</command></ulink></para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
@ -138,7 +133,7 @@
|
|||||||
<section>
|
<section>
|
||||||
<title>Conventions</title>
|
<title>Conventions</title>
|
||||||
|
|
||||||
<para>Les points ou les modifications s'imposent sont indiqués par
|
<para>Les points ou les modifications s'imposent sont indiqués par
|
||||||
<inlinegraphic fileref="images/BD21298_.gif" format="GIF" />.</para>
|
<inlinegraphic fileref="images/BD21298_.gif" format="GIF" />.</para>
|
||||||
</section>
|
</section>
|
||||||
</section>
|
</section>
|
||||||
@ -148,12 +143,12 @@
|
|||||||
|
|
||||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||||
|
|
||||||
<para>Si vous êtes équipé d'un modem <acronym>ADSL</acronym> et utilisez
|
<para>Si vous êtes équipé d'un modem <acronym>ADSL</acronym> et
|
||||||
<acronym>PPTP</acronym> pour communiquer avec un serveur à travers ce
|
utilisez <acronym>PPTP</acronym> pour communiquer avec un serveur à
|
||||||
modem, vous devez faire le changement <ulink
|
travers ce modem, vous devez faire le changement <ulink
|
||||||
url="PPTP.htm#PPTP_ADSL">suivant</ulink> en plus de ceux ci-dessous.
|
url="PPTP.htm#PPTP_ADSL">suivant</ulink> en plus de ceux ci-dessous.
|
||||||
<acronym>ADSL</acronym> avec <acronym>PPTP</acronym> est commun en Europe,
|
<acronym>ADSL</acronym> avec <acronym>PPTP</acronym> est commun en Europe,
|
||||||
ainsi qu'en Australie.</para>
|
ainsi qu'en Australie.</para>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
@ -162,21 +157,17 @@
|
|||||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||||
|
|
||||||
<para>Les fichiers de configuration pour Shorewall sont situés dans le
|
<para>Les fichiers de configuration pour Shorewall sont situés dans le
|
||||||
répertoire /etc/shorewall -- pour de simples paramétrages, vous n'avez à
|
répertoire /etc/shorewall -- pour de simples paramétrages, vous n'avez
|
||||||
faire qu'avec quelques un d'entre eux comme décris dans ce guide.<tip>
|
à faire qu'avec quelques un d'entre eux comme décris dans ce
|
||||||
<para>Après avoir <ulink url="Install.htm">installé Shorewall</ulink>,
|
guide.<tip><para>Après avoir <ulink url="Install.htm">installé Shorewall</ulink>,
|
||||||
téléchargez <ulink
|
téléchargez <ulink url="http://www1.shorewall.net/pub/shorewall/Samples/">l'exemple
|
||||||
url="http://www1.shorewall.net/pub/shorewall/Samples/">l'exemple
|
one-interface</ulink>, décompressez le (<command>tar <option>-zxvf</option>
|
||||||
one-interface</ulink>, décompressez le (<command>tar
|
<filename>one-interface.tgz</filename></command>) et copiez les fichiers
|
||||||
<option>-zxvf</option>
|
dans <filename class="directory">/etc/shorewall</filename> <emphasis
|
||||||
<filename>one-interface.tgz</filename></command>) et copiez les
|
role="bold">(ces fichiers remplaceront les initiaux)</emphasis>.</para></tip>Parallèlement
|
||||||
fichiers dans <filename class="directory">/etc/shorewall</filename>
|
à la présentation, je vous suggère de jeter un oeil à ceux physiquement
|
||||||
<emphasis role="bold">(ces fichiers remplaceront les
|
présents sur votre système -- chacun des fichiers contient des
|
||||||
initiaux)</emphasis>.</para>
|
instructions de configuration détaillées et des entrées par défaut.</para>
|
||||||
</tip>Parallèlement à la présentation, je vous suggère de jeter un oeil
|
|
||||||
à ceux physiquement présents sur votre système -- chacun des fichiers
|
|
||||||
contient des instructions de configuration détaillées et des entrées par
|
|
||||||
défaut.</para>
|
|
||||||
|
|
||||||
<para>Shorewall voit le réseau où il fonctionne, comme un ensemble de
|
<para>Shorewall voit le réseau où il fonctionne, comme un ensemble de
|
||||||
zones.Dans les fichiers de configuration fournis pour une unique
|
zones.Dans les fichiers de configuration fournis pour une unique
|
||||||
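Review bot: this hunk only re-wraps the paragraph, and the re-wrapped text now runs `guide.<tip><para>` and `</para></tip>Parallèlement` together on single lines, which hides the tip inside the running text of the source; keep the `<tip>` element on its own lines. The touched lines also still carry "quelques un d'entre eux comme décris", which should read "quelques-uns d'entre eux comme décrit", so fix the wording while the lines are being changed.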
@ -206,8 +197,7 @@
|
|||||||
url="Documentation.htm#Zones"><filename>/etc/shorewall/zones</filename></ulink>.</para>
|
url="Documentation.htm#Zones"><filename>/etc/shorewall/zones</filename></ulink>.</para>
|
||||||
|
|
||||||
<para>Shorewall reconnaît aussi le système de firewall comme sa propre
|
<para>Shorewall reconnaît aussi le système de firewall comme sa propre
|
||||||
zone - par défaut, le firewall est connu comme <emphasis
|
zone - par défaut, le firewall est connu comme <emphasis role="bold"><varname>fw</varname></emphasis>.</para>
|
||||||
role="bold"><varname>fw</varname></emphasis>.</para>
|
|
||||||
|
|
||||||
<para>Les règles concernant le trafic à autoriser ou à interdire sont
|
<para>Les règles concernant le trafic à autoriser ou à interdire sont
|
||||||
exprimées en utilisant les termes de zones.</para>
|
exprimées en utilisant les termes de zones.</para>
|
||||||
@ -215,9 +205,8 @@
|
|||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Vous exprimez votre politique par défaut pour les connexions
|
<para>Vous exprimez votre politique par défaut pour les connexions
|
||||||
d'une zone vers une autre zone dans le fichier <ulink
|
d'une zone vers une autre zone dans le fichier <ulink
|
||||||
url="Documentation.htm#Policy"><filename
|
url="Documentation.htm#Policy"><filename class="directory">/etc/shorewall/</filename><filename>policy</filename></ulink>.</para>
|
||||||
class="directory">/etc/shorewall/</filename><filename>policy</filename></ulink>.</para>
|
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -231,19 +220,17 @@
|
|||||||
requête est en premier lieu comparée par rapport au fichier <filename
|
requête est en premier lieu comparée par rapport au fichier <filename
|
||||||
class="directory">/etc/shorewall/</filename><filename>rules</filename>. Si
|
class="directory">/etc/shorewall/</filename><filename>rules</filename>. Si
|
||||||
aucune règle dans ce fichier ne correspond à la demande de connexion alors
|
aucune règle dans ce fichier ne correspond à la demande de connexion alors
|
||||||
la première politique dans le fichier <filename
|
la première politique dans le fichier <filename class="directory">/etc/shorewall/</filename><filename>policy</filename>
|
||||||
class="directory">/etc/shorewall/</filename><filename>policy</filename>
|
|
||||||
qui y correspond sera appliquée. Si cette politique est
|
qui y correspond sera appliquée. Si cette politique est
|
||||||
<varname>REJECT</varname> ou <varname>DROP</varname> la requête est dans
|
<varname>REJECT</varname> ou <varname>DROP</varname> la requête est dans
|
||||||
un premier temps comparée par rapport aux règles contenues dans le fichier
|
un premier temps comparée par rapport aux règles contenues dans le fichier
|
||||||
<filename
|
<filename class="directory">/etc/shorewall/</filename><filename>common</filename>,
|
||||||
class="directory">/etc/shorewall/</filename><filename>common</filename>,
|
|
||||||
si ce fichier existe; sinon les régles dans le fichier <filename
|
si ce fichier existe; sinon les régles dans le fichier <filename
|
||||||
class="directory">/etc/shorewall/</filename><filename>common.def</filename>
|
class="directory">/etc/shorewall/</filename><filename>common.def</filename>
|
||||||
sont vérifiées.</para>
|
sont vérifiées.</para>
|
||||||
|
|
||||||
<para>Le fichier /etc/shorewall/policy inclus dans l'archive d'exemple
|
<para>Le fichier /etc/shorewall/policy inclus dans l'archive
|
||||||
(one-interface) contient les politiques suivantes:</para>
|
d'exemple (one-interface) contient les politiques suivantes:</para>
|
||||||
|
|
||||||
<programlisting>#SOURCE ZONE DESTINATION ZONE POLICY LOG LEVEL LIMIT:BURST
|
<programlisting>#SOURCE ZONE DESTINATION ZONE POLICY LOG LEVEL LIMIT:BURST
|
||||||
fw net ACCEPT
|
fw net ACCEPT
|
||||||
@ -255,12 +242,12 @@ all all REJECT info</programlisting>
|
|||||||
<orderedlist>
|
<orderedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Permettre toutes demandes de connexion depuis le firewall vers
|
<para>Permettre toutes demandes de connexion depuis le firewall vers
|
||||||
l'Internet</para>
|
l'Internet</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Drop (ignorer) toutes les demandes de connexion depuis
|
<para>Drop (ignorer) toutes les demandes de connexion depuis
|
||||||
l'Internet vers votre firewall</para>
|
l'Internet vers votre firewall</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -270,57 +257,50 @@ all all REJECT info</programlisting>
|
|||||||
</orderedlist>
|
</orderedlist>
|
||||||
|
|
||||||
<para><inlinegraphic fileref="images/BD21298_.gif" /> A ce point, éditez
|
<para><inlinegraphic fileref="images/BD21298_.gif" /> A ce point, éditez
|
||||||
votre /etc/shorewall/policy et faites y les changements que vous
|
votre /etc/shorewall/policy et faites y les changements que vous désirez.</para>
|
||||||
désirez.</para>
|
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
<title>Interface Externe</title>
|
<title>Interface Externe</title>
|
||||||
|
|
||||||
<para>Le firewall possède une seule interface réseau. Lorsque la connexion
|
<para>Le firewall possède une seule interface réseau. Lorsque la connexion
|
||||||
Internet passe par un modem câble ou par un
|
Internet passe par un modem câble ou par un <quote>Routeur</quote><acronym>
|
||||||
<quote>Routeur</quote><acronym> ADSL</acronym>(pas un simple modem),
|
ADSL</acronym>(pas un simple modem), l'<emphasis>Interface Externe</emphasis>
|
||||||
l'<emphasis>Interface Externe</emphasis> sera l'adaptateur ethernet qui y
|
sera l'adaptateur ethernet qui y est connecté à ce <quote>Modem</quote>
|
||||||
est connecté à ce <quote>Modem</quote> (e.g., <filename
|
(e.g., <filename class="devicefile">eth0</filename>) à moins d'une
|
||||||
class="devicefile">eth0</filename>) à moins d'une connexion par
|
connexion par <emphasis>Point-to-Point Protocol</emphasis> over Ethernet (<acronym>PPPoE</acronym>)
|
||||||
<emphasis>Point-to-Point Protocol</emphasis> over Ethernet
|
ou <emphasis>Point-to-Point Tunneling Protocol</emphasis> (<acronym>PPTP</acronym>)
|
||||||
(<acronym>PPPoE</acronym>) ou <emphasis>Point-to-Point Tunneling
|
dans ce cas l'interface externe sera (e.g., <filename
|
||||||
Protocol</emphasis> (<acronym>PPTP</acronym>) dans ce cas l'interface
|
class="devicefile">ppp0</filename>). Si vous utilisez par un simple modem
|
||||||
externe sera (e.g., <filename class="devicefile">ppp0</filename>). Si vous
|
(<acronym>RTC</acronym>), votre interface externe sera aussi <filename
|
||||||
utilisez par un simple modem (<acronym>RTC</acronym>), votre interface
|
class="devicefile">ppp0</filename>. Si vous utilisez l'<acronym>ISDN</acronym>,
|
||||||
externe sera aussi <filename class="devicefile">ppp0</filename>. Si vous
|
votre interface externe sera <filename class="devicefile">ippp0</filename>.</para>
|
||||||
utilisez l'<acronym>ISDN</acronym>, votre interface externe sera <filename
|
|
||||||
class="devicefile">ippp0</filename>.</para>
|
|
||||||
|
|
||||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||||
|
|
||||||
<para>Si votre interface vers l'extérieur est <emphasis
|
<para>Si votre interface vers l'extérieur est <emphasis role="bold">ppp0</emphasis>
|
||||||
role="bold">ppp0</emphasis> ou <emphasis role="bold">ippp0</emphasis>
|
ou <emphasis role="bold">ippp0</emphasis> alors vous mettrez
|
||||||
alors vous mettrez <varname>CLAMPMSS=yes</varname> dans le fichier
|
<varname>CLAMPMSS=yes</varname> dans le fichier <filename
|
||||||
<filename
|
|
||||||
class="directory">/etc/shorewall/</filename><filename>shorewall.conf</filename>.</para>
|
class="directory">/etc/shorewall/</filename><filename>shorewall.conf</filename>.</para>
|
||||||
|
|
||||||
<para>Le fichier de configuration d'exemple pour une interface suppose que
|
<para>Le fichier de configuration d'exemple pour une interface suppose
|
||||||
votre interface externe est eth0. Si votre configuration est différente,
|
que votre interface externe est eth0. Si votre configuration est
|
||||||
vous devrez modifier le fichier<filename
|
différente, vous devrez modifier le fichier<filename class="directory">/etc/shorewall/</filename><filename>interfaces</filename>
|
||||||
class="directory">/etc/shorewall/</filename><filename>interfaces</filename>
|
|
||||||
en conséquence. Tant que vous y êtes, vous pourriez parcourir la liste des
|
en conséquence. Tant que vous y êtes, vous pourriez parcourir la liste des
|
||||||
options qui sont spécifiées pour les interfaces. Quelques trucs:</para>
|
options qui sont spécifiées pour les interfaces. Quelques trucs:</para>
|
||||||
|
|
||||||
<tip>
|
<tip>
|
||||||
<para>Si votre interface vers l'extérieur est <filename
|
<para>Si votre interface vers l'extérieur est <filename
|
||||||
class="devicefile">ppp0</filename> ou <filename
|
class="devicefile">ppp0</filename> ou <filename class="devicefile">ippp0</filename>,
|
||||||
class="devicefile">ippp0</filename>, vous pouvez remplacer le detect
|
vous pouvez remplacer le detect dans la seconde colonne par un
|
||||||
dans la seconde colonne par un <quote>-</quote> (sans les
|
<quote>-</quote> (sans les quotes).</para>
|
||||||
quotes).</para>
|
|
||||||
</tip>
|
</tip>
|
||||||
|
|
||||||
<tip>
|
<tip>
|
||||||
<para>Si votre interface vers l'extérieur est <filename
|
<para>Si votre interface vers l'extérieur est <filename
|
||||||
class="devicefile">ppp0</filename> or <filename
|
class="devicefile">ppp0</filename> or <filename class="devicefile">ippp0</filename>
|
||||||
class="devicefile">ippp0</filename> u si vous avez une adresse
|
u si vous avez une adresse <acronym>IP</acronym> statique, vous pouvez
|
||||||
<acronym>IP</acronym> statique, vous pouvez enlever
|
enlever <varname>dhcp</varname> dans la liste des options .</para>
|
||||||
<varname>dhcp</varname> dans la liste des options .</para>
|
|
||||||
</tip>
|
</tip>
|
||||||
|
|
||||||
<tip>
|
<tip>
|
||||||
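Review bot: The second reflowed tip (the one about removing the dhcp option) still carries text errors that this hunk rewrites without fixing. It joins ppp0 and ippp0 with English "or" where the preceding tip uses "ou", and the next line begins "u si vous avez une adresse IP statique", which looks like a truncated "ou si". Since these lines are being touched anyway, correct both so the condition for dropping dhcp reads unambiguously, and remove the stray space before the period in "options .".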
@ -330,28 +310,27 @@ all all REJECT info</programlisting>
|
|||||||
<filename>/usr/share/shorewall/rfc1918</filename>. Sinon, vous pouvez
|
<filename>/usr/share/shorewall/rfc1918</filename>. Sinon, vous pouvez
|
||||||
copier le fichier <filename>/usr/share/shorewall/rfc1918</filename> vers
|
copier le fichier <filename>/usr/share/shorewall/rfc1918</filename> vers
|
||||||
<filename>/etc/shorewall/rfc1918</filename> et <ulink
|
<filename>/etc/shorewall/rfc1918</filename> et <ulink
|
||||||
url="myfiles.htm#RFC1918">adapter votre fichier
|
url="myfiles.htm#RFC1918">adapter votre fichier <filename>/etc/shorewall/rfc1918</filename>
|
||||||
<filename>/etc/shorewall/rfc1918</filename> comme je le
|
comme je le fais</ulink>.</para>
|
||||||
fais</ulink>.</para>
|
|
||||||
</tip>
|
</tip>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
<title>Adresse IP</title>
|
<title>Adresse IP</title>
|
||||||
|
|
||||||
<para>Avant d'aller plus loin, nous devons dire quelques mots au sujet des
|
<para>Avant d'aller plus loin, nous devons dire quelques mots au sujet
|
||||||
adresses Internet Protocol (<acronym>IP</acronym>). Normalement, votre
|
des adresses Internet Protocol (<acronym>IP</acronym>). Normalement, votre
|
||||||
fournisseur Internet <acronym>ISP</acronym> vous assignera une seule
|
fournisseur Internet <acronym>ISP</acronym> vous assignera une seule
|
||||||
adresse IP. Cette adresse peut être assignée par le Dynamic Host
|
adresse IP. Cette adresse peut être assignée par le Dynamic Host
|
||||||
Configuration Protocol (<acronym>DHCP</acronym>) ou lors de
|
Configuration Protocol (<acronym>DHCP</acronym>) ou lors de
|
||||||
l'établissement de votre connexion (modem standard) ou établissez votre
|
l'établissement de votre connexion (modem standard) ou établissez
|
||||||
connexion <acronym>PPP</acronym>. Dans de rares cas , votre provider peut
|
votre connexion <acronym>PPP</acronym>. Dans de rares cas , votre provider
|
||||||
vous assigner une adresse statique <acronym>IP</acronym> ; cela signifie
|
peut vous assigner une adresse statique <acronym>IP</acronym> ; cela
|
||||||
que vous devez configurer l'interface externe de votre firewall afin
|
signifie que vous devez configurer l'interface externe de votre
|
||||||
d'utiliser cette adresse de manière permanente. La <emphasis
|
firewall afin d'utiliser cette adresse de manière permanente. La
|
||||||
role="bold">RFC 1918</emphasis> réserve plusieurs plages d'adresses
|
<emphasis role="bold">RFC 1918</emphasis> réserve plusieurs plages
|
||||||
privées <emphasis>Private</emphasis> <acronym>IP</acronym> à cet
|
d'adresses privées <emphasis>Private</emphasis> <acronym>IP</acronym>
|
||||||
fin:</para>
|
à cet fin:</para>
|
||||||
|
|
||||||
<table>
|
<table>
|
||||||
<title>Exemple sous-réseau</title>
|
<title>Exemple sous-réseau</title>
|
||||||
@ -370,81 +349,75 @@ all all REJECT info</programlisting>
|
|||||||
<row>
|
<row>
|
||||||
<entry>Subnet Address:</entry>
|
<entry>Subnet Address:</entry>
|
||||||
|
|
||||||
<entry><systemitem
|
<entry><systemitem class="ipaddress">10.10.10.0</systemitem></entry>
|
||||||
class="ipaddress">10.10.10.0</systemitem></entry>
|
|
||||||
</row>
|
</row>
|
||||||
|
|
||||||
<row>
|
<row>
|
||||||
<entry>Broadcast Address:</entry>
|
<entry>Broadcast Address:</entry>
|
||||||
|
|
||||||
<entry><systemitem
|
<entry><systemitem class="ipaddress">10.10.10.255</systemitem></entry>
|
||||||
class="ipaddress">10.10.10.255</systemitem></entry>
|
|
||||||
</row>
|
</row>
|
||||||
|
|
||||||
<row>
|
<row>
|
||||||
<entry>CIDR Notation:</entry>
|
<entry>CIDR Notation:</entry>
|
||||||
|
|
||||||
<entry><systemitem
|
<entry><systemitem class="ipaddress">10.10.10.0/24</systemitem></entry>
|
||||||
class="ipaddress">10.10.10.0/24</systemitem></entry>
|
|
||||||
</row>
|
</row>
|
||||||
</tbody>
|
</tbody>
|
||||||
</tgroup>
|
</tgroup>
|
||||||
</table>
|
</table>
|
||||||
|
|
||||||
<para>Ces adresses sont parfois nommées comme
|
<para>Ces adresses sont parfois nommées comme <emphasis>non-routable</emphasis>
|
||||||
<emphasis>non-routable</emphasis> car les routeurs centraux d'Internet ne
|
car les routeurs centraux d'Internet ne renvoient pas un paquet dont
|
||||||
renvoient pas un paquet dont la destination est réservée par la RFC 1918.
|
la destination est réservée par la RFC 1918. Dans certain cas cependant,
|
||||||
Dans certain cas cependant, les FAI (fournisseurs d'accés Internet)
|
les FAI (fournisseurs d'accés Internet) assignent ces adresses et
|
||||||
assignent ces adresses et utilisent ensuite NAT <emphasis>Network Address
|
utilisent ensuite NAT <emphasis>Network Address Translation</emphasis>
|
||||||
Translation</emphasis> pour réécrire les en-têtes de paquets renvoyés
|
pour réécrire les en-têtes de paquets renvoyés vers/depuis Internet.</para>
|
||||||
vers/depuis Internet.</para>
|
|
||||||
|
|
||||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||||
|
|
||||||
<para>Avant de lancer Shorewall, regarder l'adresse IP de votre interface
|
<para>Avant de lancer Shorewall, regarder l'adresse IP de votre
|
||||||
externe, et si elle est dans les plages précédentes, vous devez enlever
|
interface externe, et si elle est dans les plages précédentes, vous devez
|
||||||
l'option 'norfc1918' dans la ligne concernant l'interface externe dans le
|
enlever l'option 'norfc1918' dans la ligne concernant
|
||||||
fichier <filename
|
l'interface externe dans le fichier <filename class="directory">/etc/shorewall/</filename><filename>interfaces</filename>.</para>
|
||||||
class="directory">/etc/shorewall/</filename><filename>interfaces</filename>.</para>
|
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
<title>Permettre d'autres connexions</title>
|
<title>Permettre d'autres connexions</title>
|
||||||
|
|
||||||
<para>Shorewall version 2.0.0 et postérieure propose une collection
|
<para>Shorewall version 2.0.0 et postérieure propose une collection
|
||||||
d'actions qui peuvent être utilisées pour rapidemement autoriser ou
|
d'actions qui peuvent être utilisées pour rapidemement autoriser ou
|
||||||
refuser des services. Pour voir les actions comprises avec votre version
|
refuser des services. Pour voir les actions comprises avec votre version
|
||||||
de Shorewall, regardez dans le fichier
|
de Shorewall, regardez dans le fichier <filename>/usr/share/shorewall/actions.std</filename>.
|
||||||
<filename>/etc/shorewall/actions.std</filename>. Le nom de celles qui
|
Le nom de celles qui acceptent des connexions débutent par <quote>Allow</quote>.</para>
|
||||||
acceptent des connexions débutent par <quote>Allow</quote>.</para>
|
|
||||||
|
|
||||||
<para>Si vous souhaitez autoriser d'autre connexions depuis internet vers
|
<para>Si vous souhaitez autoriser d'autre connexions depuis internet
|
||||||
votre firewall, le format général utilisant l'action type
|
vers votre firewall, le format général utilisant l'action type
|
||||||
<quote>Allow</quote> est:</para>
|
<quote>Allow</quote> est:</para>
|
||||||
|
|
||||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||||
<<emphasis>action</emphasis>> net fw</programlisting>
|
<<emphasis>action</emphasis>> net fw</programlisting>
|
||||||
|
|
||||||
<example>
|
<example>
|
||||||
<title>Vous voulez un serveur Web et POP3 accessible de l'extérieur sur
|
<title>Vous voulez un serveur Web et POP3 accessible de l'extérieur
|
||||||
votre firewall:</title>
|
sur votre firewall:</title>
|
||||||
|
|
||||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||||
AllowWeb net fw
|
AllowWeb net fw
|
||||||
AllowPOP3 net fw</programlisting>
|
AllowPOP3 net fw</programlisting>
|
||||||
</example>
|
</example>
|
||||||
|
|
||||||
<para>Au cas ou Shorewall ne propose pas d'actions définies qui vous
|
<para>Au cas ou Shorewall ne propose pas d'actions définies qui vous
|
||||||
conviennent, vous pouvez les définir vous même ou coder directement les
|
conviennent, vous pouvez les définir vous même ou coder directement les
|
||||||
régles dans <filename>/etc/shorewall/rules</filename> selon le format
|
régles dans <filename>/etc/shorewall/rules</filename> selon le format
|
||||||
suivant:</para>
|
suivant:</para>
|
||||||
|
|
||||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||||
ACCEPT net fw <emphasis><protocol></emphasis> <emphasis><port></emphasis></programlisting>
|
ACCEPT net fw <emphasis><protocol></emphasis> <emphasis><port></emphasis></programlisting>
|
||||||
|
|
||||||
<example>
|
<example>
|
||||||
<title>Vous voulez un serveur Web et POP3 accessible de l'extérieur sur
|
<title>Vous voulez un serveur Web et POP3 accessible de l'extérieur
|
||||||
votre firewall:</title>
|
sur votre firewall:</title>
|
||||||
|
|
||||||
<para><programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
<para><programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||||
ACCEPT net fw tcp 80
|
ACCEPT net fw tcp 80
|
||||||
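Review bot: The only content change in this hunk is the actions.std location in the "Permettre d'autres connexions" paragraph, which moves from /etc/shorewall/actions.std to /usr/share/shorewall/actions.std, yet it sits among dozens of lines that change nothing but their line breaks. Put the reflow in its own commit so the path correction can be reviewed by itself. The reflow also leaves some lines very long, for example the norfc1918 sentence that now carries both filename elements on a single line.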
@ -452,14 +425,13 @@ ACCEPT net fw tcp 110</programlisting></para>
|
|||||||
</example>
|
</example>
|
||||||
|
|
||||||
<para>Si vous ne savez pas quel port(s) et protocole(s) requièrent une
|
<para>Si vous ne savez pas quel port(s) et protocole(s) requièrent une
|
||||||
application particulière, vous pouvez regarder <ulink
|
application particulière, vous pouvez regarder <ulink url="ports.htm">ici</ulink>.</para>
|
||||||
url="ports.htm">ici</ulink>.</para>
|
|
||||||
|
|
||||||
<important>
|
<important>
|
||||||
<para>Je ne recommande pas d'autoriser <command>telnet</command> vers/de
|
<para>Je ne recommande pas d'autoriser <command>telnet</command>
|
||||||
l'Internet parce qu'il utilise du texte en clair (même pour le login!).
|
vers/de l'Internet parce qu'il utilise du texte en clair (même
|
||||||
Si vous voulez un accés shell à votre firewall, utilisez
|
pour le login!). Si vous voulez un accés shell à votre firewall,
|
||||||
<acronym>SSH</acronym>:</para>
|
utilisez <acronym>SSH</acronym>:</para>
|
||||||
|
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||||
AllowSSH net fw</programlisting>
|
AllowSSH net fw</programlisting>
|
||||||
@ -477,14 +449,13 @@ AllowSSH net fw</programlisting>
|
|||||||
|
|
||||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||||
|
|
||||||
<para>La <ulink url="Install.htm">procédure d'installation</ulink>
|
<para>La <ulink url="Install.htm">procédure d'installation</ulink>
|
||||||
configure votre système pour lancer Shorewall au boot du système, mais au
|
configure votre système pour lancer Shorewall au boot du système, mais au
|
||||||
début avec la version 1.3.9 de Shorewall le lancement est désactivé,
|
début avec la version 1.3.9 de Shorewall le lancement est désactivé,
|
||||||
n'essayer pas de lancer Shorewall avec que la configuration soit finie.
|
n'essayer pas de lancer Shorewall avec que la configuration soit
|
||||||
Une fois que vous en aurez fini avec la configuration du firewall, vous
|
finie. Une fois que vous en aurez fini avec la configuration du firewall,
|
||||||
pouvez permettre le lancement de Shorewall en supprimant le fichier
|
vous pouvez permettre le lancement de Shorewall en supprimant le fichier
|
||||||
<filename
|
<filename class="directory">/etc/shorewall/</filename><filename>startup_disabled</filename>.</para>
|
||||||
class="directory">/etc/shorewall/</filename><filename>startup_disabled</filename>.</para>
|
|
||||||
|
|
||||||
<important>
|
<important>
|
||||||
<para>Les utilisateurs des paquets .deb doivent éditer <filename
|
<para>Les utilisateurs des paquets .deb doivent éditer <filename
|
||||||
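Review bot: The re-wrapped startup paragraph still reads "n'essayer pas de lancer Shorewall avec que la configuration soit finie". "avec que" should be "avant que" and "n'essayer" should be "n'essayez", and as written the instruction not to start the firewall before configuration is complete is hard to parse. Fix it while the line is being rewritten, since it is the sentence that leads into the startup_disabled instruction.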
@ -492,32 +463,27 @@ AllowSSH net fw</programlisting>
|
|||||||
and set <varname>startup=1</varname>.</para>
|
and set <varname>startup=1</varname>.</para>
|
||||||
</important>
|
</important>
|
||||||
|
|
||||||
<para>Le firewall est activé en utilisant la commande
|
<para>Le firewall est activé en utilisant la commande <quote><command>shorewall
|
||||||
<quote><command>shorewall start</command></quote> et arrêté avec
|
start</command></quote> et arrêté avec <quote><command>shorewall stop</command></quote>.
|
||||||
<quote><command>shorewall stop</command></quote>. Lorsque le firewall est
|
Lorsque le firewall est stoppé, le routage est autorisé sur les hôtes qui
|
||||||
stoppé, le routage est autorisé sur les hôtes qui possèdent une entrée
|
possèdent une entrée dans <filename class="directory">/etc/shorewall/</filename><filename><ulink
|
||||||
dans <filename
|
|
||||||
class="directory">/etc/shorewall/</filename><filename><ulink
|
|
||||||
url="Documentation.htm#Routestopped">routestopped</ulink></filename>. Un
|
url="Documentation.htm#Routestopped">routestopped</ulink></filename>. Un
|
||||||
firewall qui tourne peut être relancé en utilisant la commande
|
firewall qui tourne peut être relancé en utilisant la commande
|
||||||
<quote><command>shorewall restart</command></quote> command. Si vous
|
<quote><command>shorewall restart</command></quote> command. Si vous
|
||||||
voulez enlever toutes traces de Shorewall sur votre configuration de
|
voulez enlever toutes traces de Shorewall sur votre configuration de
|
||||||
Netfilter, utilisez <quote><command>shorewall
|
Netfilter, utilisez <quote><command>shorewall clear</command></quote>.</para>
|
||||||
clear</command></quote>.</para>
|
|
||||||
|
|
||||||
<warning>
|
<warning>
|
||||||
<para>Si vous êtes connecté à votre firewall depuis Internet, n'essayez
|
<para>Si vous êtes connecté à votre firewall depuis Internet,
|
||||||
pas une commande <quote><command>shorewall stop</command></quote> tant
|
n'essayez pas une commande <quote><command>shorewall stop</command></quote>
|
||||||
que vous n'avez pas ajouté une entrée pour votre adresse
|
tant que vous n'avez pas ajouté une entrée pour votre adresse
|
||||||
<acronym>IP</acronym> (celle à partir de laquelle vous êtes connectée)
|
<acronym>IP</acronym> (celle à partir de laquelle vous êtes connectée)
|
||||||
dans <filename
|
dans <filename class="directory">/etc/shorewall/</filename><filename>routestopped</filename>.
|
||||||
class="directory">/etc/shorewall/</filename><filename>routestopped</filename>.
|
De la même manière, je ne vous recommande pas d'utiliser
|
||||||
De la même manière, je ne vous recommande pas d'utiliser
|
|
||||||
<quote><command>shorewall restart</command></quote>; il est plus
|
<quote><command>shorewall restart</command></quote>; il est plus
|
||||||
intéressant de créer <ulink
|
intéressant de créer <ulink url="configuration_file_basics.htm#Configs">une
|
||||||
url="configuration_file_basics.htm#Configs">une configuration
|
configuration alternative</ulink> et de la tester en utilisant la
|
||||||
alternative</ulink> et de la tester en utilisant la commande
|
commande <quote><command>shorewall try</command></quote>.</para>
|
||||||
<quote><command>shorewall try</command></quote>.</para>
|
|
||||||
</warning>
|
</warning>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
@ -527,64 +493,18 @@ AllowSSH net fw</programlisting>
|
|||||||
<para>Je vous recommande vivement de lire la <ulink
|
<para>Je vous recommande vivement de lire la <ulink
|
||||||
url="configuration_file_basics.htm">page des Fonctionnalités Générales des
|
url="configuration_file_basics.htm">page des Fonctionnalités Générales des
|
||||||
Fichiers de Configuration</ulink> -- elle contient des trucs sur les
|
Fichiers de Configuration</ulink> -- elle contient des trucs sur les
|
||||||
possibilités de Shorewall pour rendre aisé l'administration de votre
|
possibilités de Shorewall pour rendre aisé l'administration de votre
|
||||||
firewall Shorewall.</para>
|
firewall Shorewall.</para>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<appendix>
|
<appendix>
|
||||||
<title>Historique de Révision</title>
|
<title>Historique de Révision</title>
|
||||||
|
|
||||||
<para><revhistory>
|
<para><revhistory><revision><revnumber>1.7</revnumber><date>2004-02-16</date><authorinitials>TE</authorinitials><revremark>Move
|
||||||
<revision>
|
/etc/shorewall/rfc1918 to /usr/share/shorewall.</revremark></revision><revision><revnumber>1.6</revnumber><date>2004-02-05</date><authorinitials>TE</authorinitials><revremark>Update
|
||||||
<revnumber>1.7</revnumber>
|
for Shorewall 2.0</revremark></revision><revision><revnumber>1.5</revnumber><date>2004-01-05</date><authorinitials>TE</authorinitials><revremark>Standards
|
||||||
|
Changes</revremark></revision><revision><revnumber>1.4</revnumber><date>2003-12-30</date><authorinitials>TE</authorinitials><revremark>Add
|
||||||
<date>2004-02-16</date>
|
tip about /etc/shorewall/rfc1918 updates.</revremark></revision><revision><revnumber>1.3</revnumber><date>2003-11-15</date><authorinitials>TE</authorinitials><revremark>Initial
|
||||||
|
Docbook Conversion</revremark></revision></revhistory></para>
|
||||||
<authorinitials>TE</authorinitials>
|
|
||||||
|
|
||||||
<revremark>Move /etc/shorewall/rfc1918 to
|
|
||||||
/usr/share/shorewall.</revremark>
|
|
||||||
</revision>
|
|
||||||
|
|
||||||
<revision>
|
|
||||||
<revnumber>1.6</revnumber>
|
|
||||||
|
|
||||||
<date>2004-02-05</date>
|
|
||||||
|
|
||||||
<authorinitials>TE</authorinitials>
|
|
||||||
|
|
||||||
<revremark>Update for Shorewall 2.0</revremark>
|
|
||||||
</revision>
|
|
||||||
|
|
||||||
<revision>
|
|
||||||
<revnumber>1.5</revnumber>
|
|
||||||
|
|
||||||
<date>2004-01-05</date>
|
|
||||||
|
|
||||||
<authorinitials>TE</authorinitials>
|
|
||||||
|
|
||||||
<revremark>Standards Changes</revremark>
|
|
||||||
</revision>
|
|
||||||
|
|
||||||
<revision>
|
|
||||||
<revnumber>1.4</revnumber>
|
|
||||||
|
|
||||||
<date>2003-12-30</date>
|
|
||||||
|
|
||||||
<authorinitials>TE</authorinitials>
|
|
||||||
|
|
||||||
<revremark>Add tip about /etc/shorewall/rfc1918 updates.</revremark>
|
|
||||||
</revision>
|
|
||||||
|
|
||||||
<revision>
|
|
||||||
<revnumber>1.3</revnumber>
|
|
||||||
|
|
||||||
<date>2003-11-15</date>
|
|
||||||
|
|
||||||
<authorinitials>TE</authorinitials>
|
|
||||||
|
|
||||||
<revremark>Initial Docbook Conversion</revremark>
|
|
||||||
</revision>
|
|
||||||
</revhistory></para>
|
|
||||||
</appendix>
|
</appendix>
|
||||||
</article>
|
</article>
|
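Review bot: The revhistory is collapsed here into a few very long lines, with all five revision elements run together and revremark text split across lines (for example "Move" ends one line and "/etc/shorewall/rfc1918 to /usr/share/shorewall." starts the next), which will make later diffs of this appendix hard to read. Keep one element per line as in the old side. Also, the newest entry is still 1.7 dated 2004-02-16, so no revision is recorded for the actions.std path change made to this file in the same commit.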
@ -15,7 +15,7 @@
|
|||||||
</author>
|
</author>
|
||||||
</authorgroup>
|
</authorgroup>
|
||||||
|
|
||||||
<pubdate>2004-06-11</pubdate>
|
<pubdate>2004-07-14</pubdate>
|
||||||
|
|
||||||
<copyright>
|
<copyright>
|
||||||
<year>2002-2004</year>
|
<year>2002-2004</year>
|
||||||
@ -677,7 +677,7 @@ AllowDNS fw dmz:10.10.11.1 </programlisting></para>
|
|||||||
<emphasis>defined action</emphasis>. Shorewall includes a number of
|
<emphasis>defined action</emphasis>. Shorewall includes a number of
|
||||||
defined actions and <ulink url="User_defined_Actions.html">you can add
|
defined actions and <ulink url="User_defined_Actions.html">you can add
|
||||||
your own</ulink>. To see the list of actions included with your version of
|
your own</ulink>. To see the list of actions included with your version of
|
||||||
Shorewall, look in the file <filename>/etc/shorewall/actions.std</filename>.
|
Shorewall, look in the file <filename>/usr/share/shorewall/actions.std</filename>.
|
||||||
Those actions that accept connection requests have names that begin with
|
Those actions that accept connection requests have names that begin with
|
||||||
<quote>Allow</quote>.</para>
|
<quote>Allow</quote>.</para>
|
||||||
|
|
||||||
|
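Review bot: Check the remaining guides for the old /etc/shorewall/actions.std path. The "look in the file" sentence here gets the same correction to /usr/share/shorewall/actions.std as the French guide earlier in this commit, which suggests the stale path was copied across documents. A search of the documentation tree for actions.std before merging would catch any copies that were missed.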
File diff suppressed because it is too large
@ -15,7 +15,7 @@
|
|||||||
</author>
|
</author>
|
||||||
</authorgroup>
|
</authorgroup>
|
||||||
|
|
||||||
<pubdate>2004-06-23</pubdate>
|
<pubdate>2004-07-14</pubdate>
|
||||||
|
|
||||||
<copyright>
|
<copyright>
|
||||||
<year>2001-2004</year>
|
<year>2001-2004</year>
|
||||||
@ -41,9 +41,10 @@
|
|||||||
traffic shaping/control solutions. In order to use traffic shaping with
|
traffic shaping/control solutions. In order to use traffic shaping with
|
||||||
Shorewall, it is essential that you get a copy of the <ulink
|
Shorewall, it is essential that you get a copy of the <ulink
|
||||||
url="http://ds9a.nl/lartc">Linux Advanced Routing and Shaping HOWTO</ulink>,
|
url="http://ds9a.nl/lartc">Linux Advanced Routing and Shaping HOWTO</ulink>,
|
||||||
version 0.3.0 or later. It is also necessary to be running Linux Kernel
|
version 0.3.0 or later or <ulink
|
||||||
2.4.18 or later. Shorewall traffic shaping support consists of the
|
url="http://www.tldp.org/HOWTO/Traffic-Control-HOWTO/">The Traffic Control
|
||||||
following:</para>
|
HOWTO</ulink>. It is also necessary to be running Linux Kernel 2.4.18 or
|
||||||
|
later. Shorewall traffic shaping support consists of the following:</para>
|
||||||
|
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
|
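Review bot: The rewritten sentence "version 0.3.0 or later or The Traffic Control HOWTO" is ambiguous, because the second "or" can be read as continuing the version qualifier, and "it is essential that you get a copy of" now governs two alternative documents. Reword it along the lines of "either the Linux Advanced Routing and Shaping HOWTO (version 0.3.0 or later) or the Traffic Control HOWTO", so it is clear that one of the two is required and that the version applies only to the first.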