From 46f2b12e0f36d71df88e06f07b49b57430a4a4df Mon Sep 17 00:00:00 2001 From: judas_iscariote Date: Wed, 31 Aug 2005 08:04:41 +0000 Subject: [PATCH] v3.0 take 2 (more work needed in the near future) git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2601 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall-docs2/FTP.xml | 11 +-- Shorewall-docs2/MAC_Validation.xml | 9 ++- Shorewall-docs2/two-interface.xml | 116 ++++++++++++----------------- 3 files changed, 58 insertions(+), 78 deletions(-) diff --git a/Shorewall-docs2/FTP.xml b/Shorewall-docs2/FTP.xml index b7fe0c40e..8d53df062 100644 --- a/Shorewall-docs2/FTP.xml +++ b/Shorewall-docs2/FTP.xml @@ -228,13 +228,6 @@ jbd 47860 2 [ext3] If you want Shorewall to load these modules from an alternate directory, you need to set the MODULESDIR variable in /etc/shorewall/shorewall.conf to point to that directory. - - If your FTP helper modules are compressed and have the names - ip_nat_ftp.o.gz and ip_conntrack_ftp.o.gz then you - will need Shorewall 1.4.7 or later if you want Shorewall to load them for - you. If your helper modules have names ip_nat_ftp.ko.gz and - ip_conntrack_ftp.ko.gz then you will need Shorewall 2.0.2 or - later if you want Shorewall to load them for you.
@@ -329,13 +322,13 @@ DNAT ACTION = #ACTION SOURCE DESTINATION PROTO PORT(S) SOURCE ORIGINAL # PORT(S) DESTINATION -DNAT net loc:192.168.1.5 tcp 21 +FTP/DNAT net 192.168.1.5 Allow your DMZ FTP access to the Internet #ACTION SOURCE DESTINATION PROTO PORT(S) SOURCE ORIGINAL # PORT(S) DESTINATION -ACCEPT dmz net tcp 21 +FTP/ACCEPT dmz net Note that the FTP connection tracking in the kernel cannot handle diff --git a/Shorewall-docs2/MAC_Validation.xml b/Shorewall-docs2/MAC_Validation.xml index a310ba9f0..4fc79dbca 100644 --- a/Shorewall-docs2/MAC_Validation.xml +++ b/Shorewall-docs2/MAC_Validation.xml @@ -15,7 +15,7 @@ - 2005-06-01 + 2005-08-31 2001-2005 @@ -63,6 +63,13 @@ incoming connection requests. + + DO NOT use MAC verification as your only + security measure . MAC addresses can be easily spoofed. You can use it in + combination with either IPSEC or + OpenVPN. + +
Components diff --git a/Shorewall-docs2/two-interface.xml b/Shorewall-docs2/two-interface.xml index 255efbd8c..0e1237e92 100644 --- a/Shorewall-docs2/two-interface.xml +++ b/Shorewall-docs2/two-interface.xml @@ -12,14 +12,10 @@ Eastep - 2005-02-02 + 2005-08-31 - 2002 - - 2003 - - 2004 + 2002- 2005 @@ -335,11 +331,11 @@ fw net ACCEPT The above policy will: - If your external interface is If your external interface is ppp0 or ippp0 then you will want to set CLAMPMSS=yes in /etc/shorewall/shorewall.conf. + class="directory">/etc/shorewall/shorewall.conf. Your Internal Interface will be an ethernet adapter (eth1 or The above policy will: switch. Your other computers will be connected to the same hub/switch (note: If you have only a single internal system, you can connect the firewall directly to the computer using a cross-over cable). - Do not connect the internal and external interface to the same - hub or switch except for testing AND you are running Shorewall version - 1.4.7 or later. When using these recent versions, you can test using - this kind of configuration if you specify the arp_filter option in - Do not connect the internal and external + interface to the same hub or switch except for testing.You + can test using this kind of configuration if you specify the + arp_filter option in /etc/shorewall/interfaces - for all interfaces connected to the common hub/switch. Using such a - setup with a production firewall is strongly recommended - against. + for all interfaces connected to the common hub/switch. Using such a setup with a production firewall is strongly + recommended against. 
@@ -382,17 +377,6 @@ fw net ACCEPT The above policy will: If your internal interface is a bridge create using the brctl utility then you must add the routeback option to the option list. - - If you specify norfc1918 for your external - interface, you will want to check the Shorewall Errata periodically for updates to - the /usr/share/shorewall/rfc1918 file. - Alternatively, you can copy - /usr/share/shorewall/rfc1918 to - /etc/shorewall/rfc1918 then strip down your - /etc/shorewall/rfc1918 file as I - do.
@@ -418,10 +402,11 @@ fw net ACCEPT The above policy will: 192.168.0.0 - 192.168.255.255 - Before starting Shorewall, you should look at the IP address of your - external interface and if it is one of the above ranges, you should remove - the 'norfc1918' option from the external interface's entry in /etc/shorewall/interfaces. + Before starting Shorewall, you should look at + the IP address of your external interface and if it is one of the above + ranges, you should remove the 'norfc1918' option from the external + interface's entry in /etc/shorewall/interfaces. You will want to assign your addresses from the same sub-network (subnet). For our purposes, we can consider a subnet to consists of a @@ -511,8 +496,8 @@ fw net ACCEPT The above policy will: Your ISP might assign your external interface an RFC 1918 address. If that address is in the 10.10.10.0/24 - subnet then you will need to select a DIFFERENT RFC 1918 subnet for - your local network. + subnet then you will need to select a DIFFERENT + RFC 1918 subnet for your local network.
@@ -579,10 +564,10 @@ fw net ACCEPT The above policy will: - If you are using the Debian package, please check your - shorewall.conf file to ensure that the following is - set correctly; if it is not, change it appropriately: + If you are using the Debian package, please + check your shorewall.conf file to ensure that the + following is set correctly; if it is not, change it + appropriately: IP_FORWARDING=On @@ -618,21 +603,21 @@ DNAT net loc:<server local ip address>[:You run a Web Server on computer 2 and you want to forward incoming TCP port 80 to that system: #ACTION SOURCE DEST PROTO DEST PORT(S) -DNAT net loc:10.10.10.2 tcp 80 +Web/DNAT net 192.168.1.5 FTP Server You run an FTP Server on computer 1 so you want to forward incoming TCP port 21 to that system: #ACTION SOURCE DEST PROTO DEST PORT(S) -DNAT net loc:10.10.10.1 tcp 21 For - FTP, you will also need to have - FTP connection tracking and NAT - support in your kernel. For vendor-supplied kernels, this means that - the ip_conntrack_ftp and - ip_nat_ftp modules must be - loaded. Shorewall will automatically load these modules if they are - available and located in the standard place under For FTP, + you will also need to have FTP connection tracking + and NAT support in your kernel. For vendor-supplied + kernels, this means that the ip_conntrack_ftp and ip_nat_ftp modules must be loaded. + Shorewall will automatically load these modules if they are available + and located in the standard place under /lib/modules/<kernel version>/kernel/net/ipv4/netfilter. A couple of important points to keep in mind: @@ -706,7 +691,7 @@ DNAT net loc:10.10.10.2:80 tcp 5000 in /etc/shorewall/rules. #ACTION SOURCE DEST PROTO DEST PORT(S) -AllowDNS loc fw +DNS/ACCEPT loc fw 
@@ -715,15 +700,15 @@ AllowDNS loc fw Other Connections The two-interface sample includes the following rules: - #ACTION SOURCE DEST PROTO DEST PORT(S) -AllowDNS fw netThis rule allows + #ACTION SOURCE DEST PROTO DEST PORT(S) +DNS/ACCEPT fw netThis rule allows DNS access from your firewall and may be removed if you uncommented the line in /etc/shorewall/policy allowing all connections from the firewall to the internet. - In the rule shown above, AllowDNS is an example of a - defined action. Shorewall includes a number of + In the rule shown above, DNS/ACCEPT is an example of + a defined action. Shorewall includes a number of defined actions and you can add your own. To see the list of actions included with your version of Shorewall, look in the file @@ -743,8 +728,8 @@ ACCEPT fw net tcp 53 your needs, you can either define the action yourself or you can simply code the appropriate rules directly. - The sample also includes: #ACTION SOURCE DEST PROTO DEST PORT(S) -AllowSSH loc fw That rule allows you to run an + The sample also includes: #ACTION SOURCE DEST PROTO DEST PORT(S) +SSH/ACCEPT loc fw That rule allows you to run an SSH server on your firewall and connect to that server from your local systems. @@ -757,10 +742,10 @@ ACCEPT fw <destination zone> <protocol> <por Web Server on Firewall You want to run a Web Server on your firewall system: - #ACTION SOURCE DEST PROTO DEST PORT(S) -AllowWeb net fw -AllowWeb loc fw Those two rules would of course be in - addition to the rules listed above under #ACTION SOURCE DEST PROTO DEST PORT(S) +Web/ACCEPT net fw +Web/ACCEPT loc fw Those two rules would of course be + in addition to the rules listed above under You can configure a Caching Name Server on your firewall. If you don't know what port and protocol a particular 
@@ -771,7 +756,7 @@ AllowWeb loc fw Those two rules would of course be in SSH: #ACTION SOURCE DEST PROTO DEST PORT(S) -AllowSSH net fw +SSH/ACCEPT net fw Bering users will want to add the following two rules to be compatible with Jacques's Shorewall configuration.#ACTION SOURCE DEST PROTO DEST PORT(S) @@ -846,19 +831,14 @@ ACCEPT loc fw tcp 80 #Allow Weblet to work The installation procedure - configures your system to start Shorewall at system boot but beginning - with Shorewall version 1.3.9 startup is disabled so that your system won't - try to start Shorewall before configuration is complete. Once you have - completed configuration of your firewall, you can enable Shorewall startup - by removing the file /etc/shorewall/startup_disabled. - + configures your system to start Shorewall at system boot but startup is + disabled so that your system won't try to start Shorewall before + configuration is complete. Once you have completed configuration of your + firewall, you must edit /etc/shorewall/shorewall.conf and set + STARTUP_ENABLED=Yes. Users of the .deb package must edit /etc/default/shorewall and set startup=1. - - Users running Shorewall 2.1.3 or later must edit - /etc/shorewall/shorewall.conf and set STARTUP_ENABLED=Yes. The firewall is started using the shorewall start command and stopped using shorewall stop. When the firewall is
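Review bot: The rewritten rule `+FTP/DNAT net 192.168.1.5` in the second FTP.xml hunk drops the `loc:` zone prefix that the removed line `-DNAT net loc:192.168.1.5 tcp 21` carried; the DEST column of a DNAT rule names the destination zone before the address (compare the unchanged context `DNAT net loc:10.10.10.2:80 tcp 5000` later in this patch), so this should read `FTP/DNAT net loc:192.168.1.5`.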
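Review bot: The added caution in MAC_Validation.xml has a stray space before the full stop in `security measure .`; otherwise the wording is a welcome addition next to the bumped 2005-08-31 pubdate.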
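Review bot: The collapsed copyright range `+ 2002- 2005` in the two-interface.xml header hunk has a stray space after the hyphen; it should read `2002-2005`.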
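Review bot: `testing.You` in the rewritten hub/switch caution is missing a space after the full stop (`+ interface to the same hub or switch except for testing.You`). With the version qualifier gone, consider also keeping "for testing only" next to the arp_filter sentence so the closing "strongly recommended against" is not read as a contradiction.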
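Review bot: The replacement Web Server rule `+Web/DNAT net 192.168.1.5` changes both the address and the DEST form: the removed `-DNAT net loc:10.10.10.2 tcp 80` pointed at computer 2 on the guide's 10.10.10.0/24 network (the unchanged context in the next hunk header still reads `DNAT net loc:10.10.10.2:80 tcp 5000`), while the new line uses an address from a different subnet and drops the `loc:` zone prefix; it should be `Web/DNAT net loc:10.10.10.2`. In the same hunk the FTP Server rule `-DNAT net loc:10.10.10.1 tcp 21` is removed but no `+FTP/DNAT net loc:10.10.10.1` replacement is visible, so the FTP Server section may now show no rule at all.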
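Review bot: After the rename, `DNS/ACCEPT` is a macro (DNS) invoked with an action (ACCEPT) rather than an action name, yet the rewritten sentence `+ In the rule shown above, DNS/ACCEPT is an example of` / `+ a defined action` still calls it a defined action, and the following text about the list of actions shipped with Shorewall now points readers at the wrong thing. Suggest "DNS/ACCEPT is an example of a macro invocation" and a pointer to the shipped macro files; the same applies to the SSH/ACCEPT and Web/ACCEPT examples introduced in the later hunks.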