diff --git a/Shorewall-docs/Install.htm b/Shorewall-docs/Install.htm index da5e76434..d636696ca 100644 --- a/Shorewall-docs/Install.htm +++ b/Shorewall-docs/Install.htm @@ -1,187 +1,191 @@
- +
- Shorewall Installation and - Upgrade- |
-
+ Shorewall Installation and + Upgrade+ |
+
Before upgrading, be sure to review the Upgrade Issues
- +Install using RPM
- Install using tarball
- Install the .lrp
- Upgrade using RPM
- Upgrade using tarball
- Upgrade the .lrp
- Configuring Shorewall
- Uninstall/Fallback
To install Shorewall using the RPM:
- -If you have RedHat 7.2 and are running iptables version 1.2.3 (at a - shell prompt, type "/sbin/iptables --version"), you must upgrade to version - 1.2.4 either from the RedHat update - site or from the Shorewall Errata page before - attempting to start Shorewall.
- + +If you have RedHat 7.2 and are running iptables version 1.2.3 (at a + shell prompt, type "/sbin/iptables --version"), you must upgrade to version + 1.2.4 either from the RedHat update + site or from the Shorewall Errata page before + attempting to start Shorewall.
+To install Shorewall using the tarball - and install script:
- + +To install Shorewall using the tarball + and install script:
+To install my version of Shorewall on a fresh Bering -disk, simply replace the "shorwall.lrp" file on the image with the file that -you downloaded. See the two-interface QuickStart -Guide for information about further steps required.
- -If you already have the Shorewall RPM installed - and are upgrading to a new version:
- + +To install my version of Shorewall on a fresh Bering + disk, simply replace the "shorwall.lrp" file on the image with the file +that you downloaded. See the two-interface QuickStart + Guide for information about further steps required.
+ +If you already have the Shorewall RPM installed + and are upgrading to a new version:
+ +If you are upgrading from a 1.2 version of Shorewall to a 1.4 version or +and you have entries in the /etc/shorewall/hosts file then please check + your /etc/shorewall/interfaces file to be sure that it contains an entry + for each interface mentioned in the hosts file. Also, there are certain +1.2 rule forms that are no longer supported under 1.4 (you must use the +new 1.4 syntax). See the upgrade issues for +details.
+ + Note: Some SuSE users have encountered a problem whereby
+ rpm reports a conflict with kernel <= 2.2 even though a 2.4 kernel
+ is installed. If this happens, simply use the --nodeps option to rpm
+(rpm -Uvh --nodeps <shorewall rpm>).
+
If you already have Shorewall installed +and are upgrading to a new version using the tarball:
+If you are upgrading from a 1.2 version of Shorewall to a 1.4 version -or and you have entries in the /etc/shorewall/hosts file then please check -your /etc/shorewall/interfaces file to be sure that it contains an entry -for each interface mentioned in the hosts file. Also, there are certain 1.2 -rule forms that are no longer supported under 1.4 (you must use the new -1.4 syntax). See the upgrade issues for details.
- - Note: Some SuSE users have encountered a problem whereby
- rpm reports a conflict with kernel <= 2.2 even though a 2.4 kernel
-is installed. If this happens, simply use the --nodeps option to rpm (rpm
- -Uvh --nodeps <shorewall rpm>).
-
If you already have Shorewall installed and -are upgrading to a new version using the tarball:
- -If you are upgrading from a 1.2 version of Shorewall to a 1.4 version and -you have entries in the /etc/shorewall/hosts file then please check your - /etc/shorewall/interfaces file to be sure that it contains an entry for -each interface mentioned in the hosts file. Also, there are certain 1.2 -rule forms that are no longer supported under 1.4 (you must use the new -1.4 syntax). See the upgrade issues for -details.
You will need to edit some or all of the configuration files to match -your setup. In most cases, the Shorewall - QuickStart Guides contain all of the information you need.
- + +You will need to edit some or all of the configuration files to match + your setup. In most cases, the Shorewall QuickStart Guides +contain all of the information you need.
+Updated 1/24/2003 - Tom Eastep -
- + +Updated 2/27/2003 - Tom Eastep +
+Copyright © 2001, 2002, 2003 Thomas M. Eastep.
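Review bot: The RPM-upgrade paragraph still reads "to a 1.4 version or and you have entries in the /etc/shorewall/hosts file"; the stray "or" survives from the old text and should go, matching the tarball paragraph's "to a 1.4 version and you have entries". On the SuSE note, "rpm -Uvh --nodeps <shorewall rpm>" switches off every dependency check, not only the kernel one, so the note should tell the reader to confirm a 2.4 kernel is actually running (for example with "uname -r") before using --nodeps, and to use it only for that specific spurious conflict.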
-+ |
Proxy ARP- |
-
Proxy ARP allows you to insert a firewall in front of a set of servers - without changing their IP addresses and without having to re-subnet. -Before you try to use this technique, I strongly recommend that you read -the Shorewall Setup Guide.
- + +Proxy ARP allows you to insert a firewall in front of a set of servers + without changing their IP addresses and without having to re-subnet. +Before you try to use this technique, I strongly recommend that you read the +Shorewall Setup Guide.
+The following figure represents a Proxy ARP environment.
- -+ ++ +- -- + +
-
-Proxy ARP can be used to make the systems with addresses - 130.252.100.18 and 130.252.100.19 appear to be on the upper (130.252.100.*) - subnet. Assuming that the upper firewall interface is eth0 and the - lower interface is eth1, this is accomplished using the following entries +
Proxy ARP can be used to make the systems with addresses + 130.252.100.18 and 130.252.100.19 appear to be on the upper (130.252.100.*) + subnet. Assuming that the upper firewall interface is eth0 and the + lower interface is eth1, this is accomplished using the following entries in /etc/shorewall/proxyarp:
- -+ ++ +- -- -
-- +ADDRESS -INTERFACE -EXTERNAL -HAVEROUTE -- -130.252.100.18 -eth1 -eth0 -no -- - - +130.252.100.19 -eth1 -eth0 -no -ADDRESS +INTERFACE +EXTERNAL +HAVEROUTE + ++ +130.252.100.18 +eth1 +eth0 +no ++ + +130.252.100.19 +eth1 +eth0 +no +Be sure that the internal systems (130.242.100.18 and 130.252.100.19 - in the above example) are not included in any specification in -/etc/shorewall/masq or /etc/shorewall/nat.
- -Note that I've used an RFC1918 IP address for eth1 - that IP address is +
Be sure that the internal systems (130.242.100.18 and 130.252.100.19 + in the above example) are not included in any specification in /etc/shorewall/masq +or /etc/shorewall/nat.
+ +Note that I've used an RFC1918 IP address for eth1 - that IP address is irrelevant.
- -The lower systems (130.252.100.18 and 130.252.100.19) should have their - subnet mask and default gateway configured exactly the same way that + +
The lower systems (130.252.100.18 and 130.252.100.19) should have their + subnet mask and default gateway configured exactly the same way that the Firewall system's eth0 is configured.
- -A word of warning is in order here. ISPs typically configure - their routers with a long ARP cache timeout. If you move a system from - parallel to your firewall to behind your firewall with Proxy ARP, it will - probably be HOURS before that system can communicate with the internet. + +
A word of warning is in order here. ISPs typically configure
+ their routers with a long ARP cache timeout. If you move a system from
+ parallel to your firewall to behind your firewall with Proxy ARP, it will
+ probably be HOURS before that system can communicate with the internet.
There are a couple of things that you can try:
-
tcpdump -nei eth0 icmp-
Now from 130.252.100.19, ping the ISP's gateway (which we +
Now from 130.252.100.19, ping the ISP's gateway (which we will assume is 130.252.100.254):
-ping 130.252.100.254-
We can now observe the tcpdump output:
-13:35:12.159321 0:4:e2:20:20:33 0:0:77:95:dd:19 ip 98: 130.252.100.19 > 130.252.100.254: icmp: echo request (DF)
13:35:12.207615 0:0:77:95:dd:19 0:c0:a8:50:b2:57 ip 98: 130.252.100.254 > 130.252.100.177 : icmp: echo reply
Notice that the source MAC address in the echo request is - different from the destination MAC address in the echo reply!! In this -case 0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while 0:c0:a8:50:b2:57 - was the MAC address of the system on the lower left. In other words, the -gateway's ARP cache still associates 130.252.100.19 with the NIC in that + +
13:35:12.159321 0:4:e2:20:20:33 0:0:77:95:dd:19 ip 98: 130.252.100.19 > 130.252.100.254: icmp: echo request (DF)+
13:35:12.207615 0:0:77:95:dd:19 0:c0:a8:50:b2:57 ip 98: 130.252.100.254 > 130.252.100.177 : icmp: echo reply
Notice that the source MAC address in the echo request is + different from the destination MAC address in the echo reply!! In this +case 0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while 0:c0:a8:50:b2:57 + was the MAC address of the system on the lower left. In other words, the +gateway's ARP cache still associates 130.252.100.19 with the NIC in that system rather than with the firewall's eth0.
-Last updated 1/11/2003 -
+
+ Last updated 1/26/2003 - Tom Eastep Warning: I
+ use a combination of Static NAT and Proxy ARP, neither of which are relevant
+ to a simple configuration with a single public IP address.
+ If you have just a single public IP address, most of what you see here won't
+ apply to your setup so beware of copying parts of this configuration and
+expecting them to work for you. What you copy may or may not work in your
+setup. I have DSL service and have 5 static IP addresses (206.124.146.176-180).
+ My DSL "modem" (Fujitsu Speedport)
+ is connected to eth0. I have a local network connected to eth2 (subnet
+ 192.168.1.0/24) and a DMZ connected to eth1 (192.168.2.0/24). I use: The firewall runs on a 256MB PII/233 with RH8.0 and Kernel 2.4.20. Wookie runs Samba and acts as the a WINS server. Wookie is in its
+ own 'whitelist' zone called 'me'. My laptop (eastept1) is connected to eth3 using a cross-over cable.
+ It runs its own Sygate firewall software
+ and is managed by Proxy ARP. It connects to the local network through
+a PPTP server running on Ursa. The single system in the DMZ (address 206.124.146.177) runs postfix,
+ Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP
+server (Pure-ftpd). The system also runs fetchmail to fetch our email
+from our old and current ISPs. That server is managed through Proxy ARP. The firewall system itself runs a DHCP server that serves the local
+ network. All administration and publishing is done using ssh/scp. I have X installed
+on both the firewall and the server but no X server or desktop is installed.
+X applications tunnel through SSH to XWin.exe running on Ursa. I run an SNMP server on my firewall to serve MRTG running
+ in the DMZ. The ethernet interface in the Server is configured
+ with IP address 206.124.146.177, netmask
+ 255.255.255.0. The server's default gateway is
+ 206.124.146.254 (Router at my ISP. This is the same
+ default gateway used by the firewall itself). On the firewall,
+ Shorewall automatically adds a host route
+to 206.124.146.177 through eth1 (192.168.2.1)
+because of the entry in /etc/shorewall/proxyarp
+(see below). A similar setup is used on eth3 (192.168.3.1) which
+ interfaces to my laptop (206.124.146.180). Ursa (192.168.1.5 AKA 206.124.146.178) runs a PPTP server for Road Warrior
+ access. This is set up so that I can start the firewall before bringing up my
+Ethernet interfaces. Although most of our internal systems use static NAT, my wife's system
+ (192.168.1.4) uses IP Masquerading (actually SNAT) as do visitors with
+ laptops. Also, I masquerade wookie to the peer subnet in Texas. In addition to those applications described in the /etc/shorewall/rules documentation, here
- are some other services/applications that you may need to configure your
-firewall to accommodate.
+
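Review bot: In the Proxy ARP section, "Be sure that the internal systems (130.242.100.18 and 130.252.100.19 in the above example) are not included in any specification in /etc/shorewall/masq or /etc/shorewall/nat" carries the old typo into the new text: the proxyarp table lists 130.252.100.18, so the second octet should be 252. In the tcpdump illustration below it, the echo request is from 130.252.100.19 but the echo reply is addressed to 130.252.100.177, so the two lines cannot be one exchange; the reply should show 130.252.100.19 (or the request the real address), otherwise the MAC-address point the paragraph makes is harder to follow. Further down, "Wookie runs Samba and acts as the a WINS server" has a doubled article.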
diff --git a/Shorewall-docs/myfiles.htm b/Shorewall-docs/myfiles.htm
new file mode 100644
index 000000000..0c96d8ef5
--- /dev/null
+++ b/Shorewall-docs/myfiles.htm
@@ -0,0 +1,212 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ About My Network
+
+
+My Current Network
+
+
+
+
+
+
+
+
+
+
+
+
+ Shorewall.conf
+
+
+
+
+SHARED_DIR=/usr/share/shorewall
+
LOGFILE=/var/log/firewall
LOGRATE=
LOGBURST=
LOGUNCLEAN=info
BLACKLIST_LOGLEVEL=
LOGNEWNOTSYN=
MACLIST_LOG_LEVEL=$LOG
TCP_FLAGS_LOG_LEVEL=$LOG
RFC1918_LOG_LEVEL=$LOG
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SUBSYSLOCK=/var/lock/subsys/shorewall
STATEDIR=/var/state/shorewall
MODULESDIR=
FW=fw
NAT_ENABLED=Yes
MANGLE_ENABLED=Yes
IP_FORWARDING=On
ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=Yes
TC_ENABLED=Yes
CLEAR_TC=No
MARK_IN_FORWARD_CHAIN=No
CLAMPMSS=Yes
ROUTE_FILTER=No
NAT_BEFORE_RULES=No
MULTIPORT=Yes
DETECT_DNAT_IPADDRS=Yes
MUTEX_TIMEOUT=60
NEWNOTSYN=Yes
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
TCP_FLAGS_DISPOSITION=DROP
+
+Params File (Edited):
+ MIRRORS=<list of shorewall mirror ip addresses>
+
+
+ NTPSERVERS=<list of the NTP servers I sync with>
+ LOG=ULOG
+ TEXAS=<ip address of gateway in Dallas>
+ Zones File
+
+
+
+
+#ZONE DISPLAY COMMENTS
+
net Internet Internet
me Wookie My Linux Workstation
dmz DMZ Demilitarized zone
loc Local Local networks
tx Texas Peer Network in Dallas
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVEInterfaces File:
+
+
+
+
+
+
+#ZONE INERFACE BROADCAST OPTIONS
+
net eth0 206.124.146.255 dhcp,norfc1918,routefilter,blacklist,tcpflags
loc eth2 192.168.1.255 dhcp,maclist
dmz eth1 192.168.2.255
net eth3 206.124.146.255
- texas 192.168.9.255
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
Hosts File:
+
+
+
+#ZONE HOST(S) OPTIONS
+
me eth2:192.168.1.3
tx texas:192.168.8.0/22
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVERoutestopped File:
+
+
+
+#INTERFACQ HOST(S)
+
eth1 206.124.146.177
eth2 -
eth3 206.124.146.180
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE Policy File:
+
+
+
+#SOURCE DESTINATION POLICY LOG LEVEL BURST:LIMIT
+
me all ACCEPT
tx me ACCEPT
all me CONTINUE - 2/sec:5
loc net ACCEPT
$FW loc ACCEPT
$FW tx ACCEPT
loc tx ACCEPT
loc fw REJECT $LOG
net net ACCEPT
net all DROP $LOG 10/sec:40
all all REJECT $LOG
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVEMasq File:
+
+
+
+
+
+
+
+#INTERFACE SUBNET ADDRESS
+
eth0:0.0.0.0/0 eth2 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
NAT File:
+
+
+
+#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL
+
206.124.146.178 eth0:0 192.168.1.5 No No
206.124.146.179 eth0:1 192.168.1.3 No No
192.168.1.193 eth2:0 206.124.146.177 No No
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVEProxy ARP File:
+
+
+
+#ADDRESS INTERFACE EXTERNAL HAVEROUTE
+
206.124.146.177 eth1 eth0 No
206.124.146.180 eth3 eth0 No
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE Tunnels File (Shell variable TEXAS set in /etc/shorewall/params):
+
+
+
+#TYPE ZONE GATEWAY GATEWAY ZONE PORT
+
gre net $TEXAS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
Common File:
+
+
+. /etc/shorewall/common.def
+
run_iptables -A common -p tcp --dport auth -j REJECTRules File (The shell variables
+ are set in /etc/shorewall/params):
+
+
+
+
+ Copyright
+© 2001, 2002, 2003 Thomas M. Eastep.################################################################################################################################################################
+
#RESULT CLIENT(S) SERVER(S) PROTO PORT(S) CLIENT ORIGINAL DEST:SNAT
################################################################################################################################################################
# Local Network to Internet - Reject attempts by Trojans to call home
#
REJECT:$LOG loc net tcp 6667
#
# Stop NETBIOS crap since our policy is ACCEPT
#
REJECT loc net tcp 137,445
REJECT loc net udp 137:139
LOG:$LOG loc net tcp 137:139
################################################################################################################################################################
# Local Network to Firewall
#
ACCEPT loc fw tcp ssh,time,10000
ACCEPT loc fw udp snmp
ACCEPT loc fw udp ntp
################################################################################################################################################################
# Local Network to DMZ (10027 is our SMTP backdoor that bypasses virus/spam filtering)
#
ACCEPT loc dmz udp domain
ACCEPT loc dmz tcp smtp,domain,ssh,imap,https,imaps,cvspserver,www,ftp,10027,10000,8080 -
################################################################################################################################################################
# Internet to DMZ
#
ACCEPT net dmz tcp www,smtp,ftp,imaps,domain,cvspserver,https,imap -
ACCEPT net dmz udp domain
ACCEPT net:$MIRRORS dmz tcp rsync
ACCEPT:$LOG net dmz tcp 32768:61000 20
DROP net dmz tcp 1433
################################################################################################################################################################
#
# Net to Local
#
# My laptop isn't NATTED when in its docking station. To allow access to the local lan, I need a VPN to Ursa which is enabled by the following "half"-rules.
#
DNAT- net loc:192.168.1.5 tcp 1723 - 206.124.146.178
DNAT- net loc:192.168.1.5 gre - - 206.124.146.178
#
# When I'm "on the road", the following two rules allow me VPN access back home.
#
ACCEPT net loc:192.168.1.5 tcp 1723
ACCEPT net loc:192.168.1.5 gre
#
# ICQ to Ursa
#
ACCEPT net loc:192.168.1.5 tcp 4000:4100
################################################################################################################################################################
# Net to me
#
ACCEPT net me:192.168.1.3 tcp 4000:4100
################################################################################################################################################################
# DMZ to Internet
#
ACCEPT dmz net tcp smtp,domain,www,https,whois,echo,2702,21,2703,ssh
ACCEPT dmz net udp domain
ACCEPT dmz net:206.124.128.8 tcp pop3
ACCEPT dmz net:66.216.26.115 tcp pop3
#
# Something is wrong with the FTP connection tracking code or there is some client out there
# that is sending a PORT command which that code doesn't understand. Either way,
# the following works around the problem.
#
ACCEPT:$LOG dmz net tcp 1024: 20
################################################################################################################################################################
# DMZ to Firewall -- ntp & snmp
#
ACCEPT dmz fw udp ntp ntp
ACCEPT dmz fw tcp snmp
ACCEPT dmz fw udp snmp
################################################################################################################################################################
#
# DMZ to Local Network
#
ACCEPT dmz loc tcp smtp
################################################################################################################################################################
#
# DMZ to Me -- NFS
#
ACCEPT dmz me tcp 111
ACCEPT dmz me udp 111
ACCEPT dmz me udp 2049
ACCEPT dmz me udp 32700:
################################################################################################################################################################
# Internet to Firewall
#
ACCEPT net:eth3:206.124.146.180 fw udp ntp ntp
REJECT net fw tcp www
DROP net fw tcp 1433
DROP net:eth3:!206.124.146.180 fw all
################################################################################################################################################################
# Firewall to Internet
#
ACCEPT fw net:$NTPSERVERS udp ntp ntp
ACCEPT fw net udp domain
ACCEPT fw net tcp domain,www,https,ssh,1723,whois,1863
ACCEPT fw net udp 33435:33535
ACCEPT fw net icmp 8
################################################################################################################################################################
# Firewall to DMZ
#
ACCEPT fw dmz tcp www,ftp,ssh,smtp
ACCEPT fw dmz udp domain
ACCEPT fw dmz icmp 8
REJECT fw dmz udp 137:139
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
+
+
+
+
+
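Review bot: The rule "ACCEPT:$LOG net dmz tcp 32768:61000 20" in the Internet-to-DMZ block has no explanatory comment, while its mirror in the DMZ-to-Internet block ("ACCEPT:$LOG dmz net tcp 1024: 20") gets three lines explaining the FTP connection-tracking workaround. Since this rule matches only on a source port of 20, any Internet host that chooses that source port reaches ports 32768-61000 on the DMZ server; it deserves the same comment (presumably the same active-mode FTP workaround, since data connections originate from port 20) and a statement that the $LOG level is the compensating control. Two column headers in the new file are misspelled: "#ZONE INERFACE BROADCAST OPTIONS" (interfaces file) and "#INTERFACQ HOST(S)" (routestopped file). The policy file mixes "$FW loc ACCEPT" with "loc fw REJECT $LOG"; both resolve because FW=fw in shorewall.conf, but one spelling throughout would be clearer.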
diff --git a/Shorewall-docs/ports.htm b/Shorewall-docs/ports.htm
index 4912c722f..e6d655c99 100644
--- a/Shorewall-docs/ports.htm
+++ b/Shorewall-docs/ports.htm
@@ -1,202 +1,205 @@
-
+
-
-
-
+
-
-
-
+
+
-
- Ports required for Various
- Services/Applications
-
+
+
+
+
+ Ports required for Various
+ Services/Applications
+
NTP (Network Time Protocol)
- -+ ++- +UDP Port 123
-
rdate
- --+TCP Port 37
-
++TCP Port 37
+
UseNet (NNTP)
- -+ ++- +TCP Port 119
-
DNS
- --+UDP Port 53. If you are configuring a DNS client, you will probably want -to open TCP Port 53 as well.
- If you are configuring a server, only open TCP Port 53 if you will -return long replies to queries or if you need to enable ZONE transfers. In + ++- +UDP Port 53. If you are configuring a DNS client, you will probably +want to open TCP Port 53 as well.
-
+ If you are configuring a server, only open TCP Port 53 if you will +return long replies to queries or if you need to enable ZONE transfers. In the latter case, be sure that your server is properly configured.
ICQ
- --- + +UDP Port 4000. You will also need to open a range of TCP ports which - you can specify to your ICQ client. By default, clients use 4000-4100.
-
++UDP Port 4000. You will also need to open a range of TCP ports which + you can specify to your ICQ client. By default, clients use 4000-4100.
+
PPTP
- -+ ++- -Protocol 47 (NOT port 47) and TCP Port 1723 (Lots more information here).
-IPSEC
- --- -Protocols 50 and 51 (NOT ports 50 and 51) and UDP Port - 500. These should be opened in both directions (Lots more information - here and here).
-SMTP
- --- -TCP Port 25.
-POP3
- --- -TCP Port 110.
-TELNET
- --- -TCP Port 23.
-SSH
- --- -TCP Port 22.
-Auth (identd)
- --- -TCP Port 113
-Web Access
- --+TCP Ports 80 and 443.
-
IPSEC
+ +++ +Protocols 50 and 51 (NOT ports 50 and 51) and UDP Port + 500. These should be opened in both directions (Lots more information + here and here).
+
SMTP
+ +++ +TCP Port 25.
+
POP3
+ +++ +TCP Port 110.
+
TELNET
+ +++ +TCP Port 23.
+
SSH
+ +++ +TCP Port 22.
+
Auth (identd)
+ +++ +TCP Port 113
+
Web Access
+ +++TCP Ports 80 and 443.
+
FTP
- -+ +++Server configuration is covered on in the /etc/shorewall/rules documentation,
- -For a client, you must open outbound TCP port 21 and be sure that your - kernel is compiled to support FTP connection tracking. If you build this - support as a module, Shorewall will automatically load the module from + +
For a client, you must open outbound TCP port 21 and be sure that your + kernel is compiled to support FTP connection tracking. If you build this + support as a module, Shorewall will automatically load the module from /var/lib/<kernel version>/kernel/net/ipv4/netfilter.
- -
-If you run an FTP server on a nonstandard port or you need to access - such a server, then you must specify that port in /etc/shorewall/modules. - For example, if you run an FTP server that listens on port 49 then you would +
+ +If you run an FTP server on a nonstandard port or you need to access + such a server, then you must specify that port in /etc/shorewall/modules. + For example, if you run an FTP server that listens on port 49 then you would have:
- -
-+ + ++ +- -loadmodule ip_conntrack_ftp ports=21,49
-
- loadmodule ip_nat_ftp ports=21,49
-Note that you MUST include port 21 in the ports list or you may + loadmodule ip_nat_ftp ports=21,49
+
+Note that you MUST include port 21 in the ports list or you may have problems accessing regular FTP servers.
- -If there is a possibility that these modules might be loaded before Shorewall -starts, then you should include the port list in /etc/modules.conf:
-
-+- + options ip_nat_ftp ports=21,49If there is a possibility that these modules might be loaded before +Shorewall starts, then you should include the port list in /etc/modules.conf:
+ +
+-options ip_conntrack_ftp ports=21,49
-
- options ip_nat_ftp ports=21,49
-
+ +
SMB/NMB (Samba/Windows Browsing/File Sharing)
- +- -
+ ++- + UDP Ports 137-139.TCP Ports 137, 139 and 445.
-
- UDP Ports 137-139.
-
- Also, see this page.
+
+ Also, see this page. +
Traceroute
- --+UDP ports 33434 through 33434+<max number of hops>-1
-
++UDP ports 33434 through 33434+<max number of hops>-1
+
NFS
-
-+ +I personally use the following rules for opening access from zone z1 +
+ ++- -I personally use the following rules for opening access from zone z1 to a server with IP address a.b.c.d in zone z2:
-
-ACCEPT z1 z2:a.b.c.d udp 111-
ACCEPT z1 z2:a.b.c.d udp 2049
ACCEPT z1 z2:a.b.c.d udp 32700:-+ +Note that my rules only cover NFS using UDP (the normal case). There +
+ +ACCEPT z1 z2:a.b.c.d udp 111+
ACCEPT z1 z2:a.b.c.d tcp 111
ACCEPT z1 z2:a.b.c.d udp 2049
ACCEPT z1 z2:a.b.c.d udp 32700:+- -Note that my rules only cover NFS using UDP (the normal case). There is lots of additional information at http://nfs.sourceforge.net/nfs-howto/security.html
-Didn't find what you are looking for -- have you looked in your own /etc/services -file?
- +
Didn't find what you are looking for -- have you looked in your own +/etc/services file?
+Still looking? Try http://www.networkice.com/advice/Exploits/Ports
- -Last updated 2/7/2003 - Last updated 2/25/2003 - Tom Eastep
- Copyright © Copyright © 2001, 2002, 2003 Thomas M. Eastep.+ |
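Review bot: In the FTP entry, "Server configuration is covered on in the /etc/shorewall/rules documentation," reads "covered on in" and ends with a comma; it should be "is covered in the /etc/shorewall/rules documentation." The module path in the next sentence, "/var/lib/<kernel version>/kernel/net/ipv4/netfilter", is not where the kernel installs modules; the usual location is /lib/modules/<kernel version>/kernel/net/ipv4/netfilter. In the /etc/modules.conf example the added side shows only "options ip_nat_ftp ports=21,49" while the removed lines had both "options ip_conntrack_ftp ports=21,49" and "options ip_nat_ftp ports=21,49"; make sure both options lines survive, since the loadmodule example above lists both modules. In the NFS entry the new "ACCEPT z1 z2:a.b.c.d tcp 111" line is a good addition, but "Note that my rules only cover NFS using UDP" now sits under a rule set that includes a TCP entry; saying that NFS itself (port 2049) is covered for UDP only would avoid confusion.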
-
- Shorewall QuickStart Guides
+
+ - Version 3.1 |
-
With thanks to Richard who reminded me once again that
-we must all first walk before we can run.
- The French Translations are courtesy of Patrice Vetsel
-
With thanks to Richard who reminded me once again that we
+must all first walk before we can run.
+ The French Translations are courtesy of Patrice Vetsel
+
These guides provide step-by-step instructions for configuring Shorewall + +
These guides provide step-by-step instructions for configuring Shorewall in common firewall setups.
- +The following guides are for users who have a single public IP address:
- +The above guides are designed to get your first firewall up and running + +
The above guides are designed to get your first firewall up and running quickly in the three most common Shorewall configurations.
- -The Shorewall Setup Guide outlines - the steps necessary to set up a firewall where there are multiple - public IP addresses involved or if you want to learn more about -Shorewall than is explained in the single-address guides above.
- + +The Shorewall Setup Guide outlines + the steps necessary to set up a firewall where there are multiple + public IP addresses involved or if you want to learn more about Shorewall + than is explained in the single-address guides above.
+The following documentation covers a variety of topics and supplements - the QuickStart Guides - described above. Please review the appropriate guide before trying + +
The following documentation covers a variety of topics and supplements + the QuickStart Guides + described above. Please review the appropriate guide before trying to use this documentation directly.
- +If you use one of these guides and have a suggestion for improvement please let me know.
- -Last modified 2/4/2003 - Tom Eastep
- -Copyright 2002, 2003 Thomas M.
- Eastep
-
Last modified 2/26/2003 - Tom Eastep
+ +Copyright 2002, 2003 Thomas M.
+ Eastep
+
+ |
-
- Starting/Stopping and Monitoring
+
+ |
+
-
If you have a permanent internet connection such as DSL or Cable, - I recommend that you start the firewall automatically at boot. -Once you have installed "firewall" in your init.d directory, simply -type "chkconfig --add firewall". This will start the firewall -in run levels 2-5 and stop it in run levels 1 and 6. If you want -to configure your firewall differently from this default, you can -use the "--level" option in chkconfig (see "man chkconfig") or using -your favorite graphical run-level editor.
- - - - - - - - - Important Notes:
-
-
- - - -You can manually start and stop Shoreline Firewall using the "shorewall" - shell program:
+If you have a permanent internet connection such as DSL or Cable, + I recommend that you start the firewall automatically at boot. Once + you have installed "firewall" in your init.d directory, simply type + "chkconfig --add firewall". This will start the firewall in run + levels 2-5 and stop it in run levels 1 and 6. If you want to configure + your firewall differently from this default, you can use the "--level" + option in chkconfig (see "man chkconfig") or using your favorite + graphical run-level editor.
- + + + + + + + + Important Notes:
+
+
+ + + + +You can manually start and stop Shoreline Firewall using the "shorewall" + shell program:
+ +shorewall debug start 2> /tmp/trace- -
The above command would trace the 'start' command and place the trace
-information in the file /tmp/trace
-
The Shorewall State Diagram is shown at the
- bottom of this page.
-
The above command would trace the 'start' command and place the trace information
+in the file /tmp/trace
+
The Shorewall State Diagram is shown at the
+ bottom of this page.
+
The "shorewall" program may also be used to monitor the firewall.
- +Examples:- - -
- -shorewall add ipsec0:192.0.2.24 vpn1 - -- adds the address 192.0.2.24 from interface ipsec0 to the zone vpn1-
- shorewall delete ipsec0:192.0.2.24 vpn1 - -- deletes the address 192.0.2.24 from interface ipsec0 from zone vpn1
-
The shorewall start, shorewall restart, and shorewall -try commands allow you to specify which Shorewall configuration - to use:
- - -- + Finally, the "shorewall" program may be used to dynamically alter + the contents of a zone.- - -
-shorewall [ -c configuration-directory ] {start|restart}
-
- shorewall try configuration-directory
If a configuration-directory is specified, each time that Shorewall - is going to use a file in /etc/shorewall it will first look in the configuration-directory - . If the file is present in the configuration-directory, that - file will be used; otherwise, the file in /etc/shorewall will be used.
+Examples:+ +
+ +shorewall add ipsec0:192.0.2.24 vpn1 + -- adds the address 192.0.2.24 from interface ipsec0 to the zone vpn1+
+ shorewall delete ipsec0:192.0.2.24 +vpn1 -- deletes the address 192.0.2.24 from interface ipsec0 +from zone vpn1
+
The shorewall start, shorewall restart, shorewall check, and + shorewall try commands allow you to specify which Shorewall configuration + to use:
+ +-+ + +When changing the configuration of a production firewall, I recommend +
shorewall [ -c configuration-directory ] {start|restart|check}
+
+ shorewall try configuration-directory
If a configuration-directory is specified, each time that Shorewall + is going to use a file in /etc/shorewall it will first look in the +configuration-directory . If the file is present in the configuration-directory, +that file will be used; otherwise, the file in /etc/shorewall will be +used.
+ + + + +When changing the configuration of a production firewall, I recommend the following:
- +If the configuration starts but doesn't work, just "shorewall restart" - to restore the old configuration. If the new configuration fails to + +
If the configuration starts but doesn't work, just "shorewall restart" + to restore the old configuration. If the new configuration fails to start, the "try" command will automatically start the old one for you.
- +When the new configuration works then just
- +The Shorewall State Diargram is depicted below.
-
-
shorewall start - |
- firewall start - |
-
shorewall stop - |
- firewall stop - |
-
shorewall restart - |
- firewall restart - |
-
shorewall add - |
- firewall add - |
-
shorewall delete - |
- firewall delete - |
-
shorewall refresh - |
- firewall refresh - |
-
shorewall try - |
- firewall -c <new configuration> restart - If unsuccessful then firewall start (standard configuration) - If timeout then firewall restart (standard configuration) - |
-
Updated 2/10/2003 - Tom Eastep -
- - - -Copyright - © 2001, 2002, 2003 Thomas M. Eastep.
- - -
+
shorewall start + |
+ firewall start + |
+
shorewall stop + |
+ firewall stop + |
+
shorewall restart + |
+ firewall restart + |
+
shorewall add + |
+ firewall add + |
+
shorewall delete + |
+ firewall delete + |
+
shorewall refresh + |
+ firewall refresh + |
+
shorewall try + |
+ firewall -c <new configuration> restart + If unsuccessful then firewall start (standard configuration) + If timeout then firewall restart (standard configuration) + |
+
Updated 2/27/2003 - Tom Eastep +
+ + + +
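Review bot: "you can use the "--level" option in chkconfig (see "man chkconfig") or using your favorite graphical run-level editor" needs "or use" for parallel structure. "The Shorewall State Diargram is depicted below." misspells "Diagram". Adding "check" to "shorewall [ -c configuration-directory ] {start|restart|check}" is consistent with the new sentence "The shorewall start, shorewall restart, shorewall check, and shorewall try commands allow you to specify which Shorewall configuration to use", so that pair is fine. "place the trace information in the file /tmp/trace" lacks a full stop.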