mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-29 19:13:39 +01:00
More standards work
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1062 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
dfe1ffbd37
commit
4b7193460b
@ -15,12 +15,10 @@
|
|||||||
</author>
|
</author>
|
||||||
</authorgroup>
|
</authorgroup>
|
||||||
|
|
||||||
<pubdate>2003-11-15</pubdate>
|
<pubdate>2004-01-06</pubdate>
|
||||||
|
|
||||||
<copyright>
|
<copyright>
|
||||||
<year>2002</year>
|
<year>2002-2004</year>
|
||||||
|
|
||||||
<year>2003</year>
|
|
||||||
|
|
||||||
<holder>Thomas M. Eastep</holder>
|
<holder>Thomas M. Eastep</holder>
|
||||||
</copyright>
|
</copyright>
|
||||||
@ -111,9 +109,10 @@
|
|||||||
<section>
|
<section>
|
||||||
<title>PPTP/ADSL</title>
|
<title>PPTP/ADSL</title>
|
||||||
|
|
||||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /> If you
|
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||||
have an ADSL Modem and you use PPTP to communicate with a server in that
|
|
||||||
modem, you must make the <ulink url="PPTP.htm#PPTP_ADSL">changes
|
<para>If you have an ADSL Modem and you use PPTP to communicate with a
|
||||||
|
server in that modem, you must make the <ulink url="PPTP.htm#PPTP_ADSL">changes
|
||||||
recommended here</ulink> <emphasis role="underline">in addition to those
|
recommended here</ulink> <emphasis role="underline">in addition to those
|
||||||
described in the steps below</emphasis>. ADSL with PPTP is most commonly
|
described in the steps below</emphasis>. ADSL with PPTP is most commonly
|
||||||
found in Europe, notably in Austria.</para>
|
found in Europe, notably in Austria.</para>
|
||||||
@ -122,11 +121,13 @@
|
|||||||
<section>
|
<section>
|
||||||
<title>Shorewall Concepts</title>
|
<title>Shorewall Concepts</title>
|
||||||
|
|
||||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /> The
|
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||||
configuration files for Shorewall are contained in the directory
|
|
||||||
/etc/shorewall -- for simple setups, you only need to deal with a few of
|
<para>The configuration files for Shorewall are contained in the directory
|
||||||
these as described in this guide. After you have <ulink url="Install.htm">installed
|
<filename class="directory">/etc/shorewall</filename> -- for simple
|
||||||
Shorewall</ulink>, <emphasis role="bold">download the <ulink
|
setups, you only need to deal with a few of these as described in this
|
||||||
|
guide. After you have <ulink url="Install.htm">installed Shorewall</ulink>,
|
||||||
|
<emphasis role="bold">download the <ulink
|
||||||
url="http://www1.shorewall.net/pub/shorewall/Samples/">one-interface
|
url="http://www1.shorewall.net/pub/shorewall/Samples/">one-interface
|
||||||
sample</ulink>, un-tar it (tar -zxvf one-interface.tgz) and and copy the
|
sample</ulink>, un-tar it (tar -zxvf one-interface.tgz) and and copy the
|
||||||
files to /etc/shorewall (they will replace files with the same names that
|
files to /etc/shorewall (they will replace files with the same names that
|
||||||
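Review bot: the duplicated word "and and" in the unchanged context ("un-tar it (tar -zxvf one-interface.tgz) and and copy the") survives this rewrap of the paragraph; since the paragraph is being reflowed anyway, fix it to "and copy the". In the same paragraph the second occurrence of the directory, "copy the files to /etc/shorewall", is left bare while the first occurrence a few lines up is now wrapped in `<filename class="directory">`; wrap both for consistency with what this commit is doing.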
@ -160,7 +161,7 @@
|
|||||||
</tgroup>
|
</tgroup>
|
||||||
</informaltable>
|
</informaltable>
|
||||||
|
|
||||||
<para>Shorewall zones are defined in <ulink url="Documentation.htm#Zones">/etc/shorewall/zones</ulink>.</para>
|
<para>Shorewall zones are defined in <ulink url="Documentation.htm#Zones"><filename>/etc/shorewall/zones</filename></ulink>.</para>
|
||||||
|
|
||||||
<para>Shorewall also recognizes the firewall system as its own zone - by
|
<para>Shorewall also recognizes the firewall system as its own zone - by
|
||||||
default, the firewall itself is known as <emphasis role="bold">fw</emphasis>.</para>
|
default, the firewall itself is known as <emphasis role="bold">fw</emphasis>.</para>
|
||||||
@ -171,84 +172,33 @@
|
|||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>You express your default policy for connections from one zone to
|
<para>You express your default policy for connections from one zone to
|
||||||
another zone in the <ulink url="Documentation.htm#Policy">/etc/shorewall/policy</ulink>
|
another zone in the <ulink url="Documentation.htm#Policy"><filename>/etc/shorewall/policy</filename></ulink>
|
||||||
file.</para>
|
file.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>You define exceptions to those default policies in the <ulink
|
<para>You define exceptions to those default policies in the <ulink
|
||||||
url="Documentation.htm#Rules">/etc/shorewall/rules</ulink> file.</para>
|
url="Documentation.htm#Rules"><filename>/etc/shorewall/rules</filename></ulink>
|
||||||
|
file.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
||||||
<para>For each connection request entering the firewall, the request is
|
<para>For each connection request entering the firewall, the request is
|
||||||
first checked against the /etc/shorewall/rules file. If no rule in that
|
first checked against the <filename><filename>/etc/shorewall/rules</filename></filename>
|
||||||
file matches the connection request then the first policy in
|
file. If no rule in that file matches the connection request then the
|
||||||
/etc/shorewall/policy that matches the request is applied. If that policy
|
first policy in <filename>/etc/shorewall/policy</filename> that matches
|
||||||
is REJECT or DROP the request is first checked against the rules in
|
the request is applied. If that policy is REJECT or DROP the request is
|
||||||
/etc/shorewall/common if that file exists; otherwise the rules in
|
first checked against the rules in /etc/shorewall/common if that file
|
||||||
/etc/shorewall/common.def are checked.</para>
|
exists; otherwise the rules in <filename>/etc/shorewall/common.def</filename>
|
||||||
|
are checked.</para>
|
||||||
|
|
||||||
<para>The /etc/shorewall/policy file included with the one-interface
|
<para>The <filename>/etc/shorewall/policy</filename> file included with
|
||||||
sample has the following policies:</para>
|
the one-interface sample has the following policies:</para>
|
||||||
|
|
||||||
<table>
|
<programlisting>#SOURCE ZONE DESTINATION ZONE POLICY LOG LEVEL LIMIT:BURST
|
||||||
<title>one-interface sample /etc/shorewall/policy</title>
|
fw net ACCEPT
|
||||||
|
net all DROP info
|
||||||
<tgroup cols="5">
|
all all REJECT info</programlisting>
|
||||||
<thead>
|
|
||||||
<row>
|
|
||||||
<entry align="center">SOURCE ZONE</entry>
|
|
||||||
|
|
||||||
<entry align="center">DESTINATION ZONE</entry>
|
|
||||||
|
|
||||||
<entry align="center">POLICY</entry>
|
|
||||||
|
|
||||||
<entry align="center">LOG LEVEL</entry>
|
|
||||||
|
|
||||||
<entry align="center">LIMIT:BURST</entry>
|
|
||||||
</row>
|
|
||||||
</thead>
|
|
||||||
|
|
||||||
<tbody>
|
|
||||||
<row>
|
|
||||||
<entry>fw</entry>
|
|
||||||
|
|
||||||
<entry>net</entry>
|
|
||||||
|
|
||||||
<entry>ACCEPT</entry>
|
|
||||||
|
|
||||||
<entry></entry>
|
|
||||||
|
|
||||||
<entry></entry>
|
|
||||||
</row>
|
|
||||||
|
|
||||||
<row>
|
|
||||||
<entry>net</entry>
|
|
||||||
|
|
||||||
<entry>all</entry>
|
|
||||||
|
|
||||||
<entry>DROP</entry>
|
|
||||||
|
|
||||||
<entry>info</entry>
|
|
||||||
|
|
||||||
<entry></entry>
|
|
||||||
</row>
|
|
||||||
|
|
||||||
<row>
|
|
||||||
<entry>all</entry>
|
|
||||||
|
|
||||||
<entry>all</entry>
|
|
||||||
|
|
||||||
<entry>REJECT</entry>
|
|
||||||
|
|
||||||
<entry>info</entry>
|
|
||||||
|
|
||||||
<entry></entry>
|
|
||||||
</row>
|
|
||||||
</tbody>
|
|
||||||
</tgroup>
|
|
||||||
</table>
|
|
||||||
|
|
||||||
<para>The above policy will:</para>
|
<para>The above policy will:</para>
|
||||||
|
|
||||||
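Review bot: the new text nests the element twice, `<filename><filename>/etc/shorewall/rules</filename></filename>`; drop one pair. In the same paragraph `/etc/shorewall/common` is left bare while `/etc/shorewall/common.def` two lines later gets `<filename>`, so the markup is inconsistent within a single sentence. Replacing the five-column `<table>` with a `<programlisting>` is fine, since the rows (fw net ACCEPT, net all DROP info, all all REJECT info) carry over unchanged.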
@ -268,8 +218,8 @@
|
|||||||
</listitem>
|
</listitem>
|
||||||
</orderedlist>
|
</orderedlist>
|
||||||
|
|
||||||
<para>At this point, edit your /etc/shorewall/policy and make any changes
|
<para>At this point, edit your <filename>/etc/shorewall/policy</filename>
|
||||||
that you wish.</para>
|
and make any changes that you wish.</para>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
@ -287,12 +237,14 @@
|
|||||||
<emphasis role="bold">ppp0</emphasis>. If you connect using ISDN, your
|
<emphasis role="bold">ppp0</emphasis>. If you connect using ISDN, your
|
||||||
external interface will be <emphasis role="bold">ippp0</emphasis>.</para>
|
external interface will be <emphasis role="bold">ippp0</emphasis>.</para>
|
||||||
|
|
||||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /> The
|
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||||
Shorewall one-interface sample configuration assumes that the external
|
|
||||||
interface is <emphasis role="bold">eth0</emphasis>. If your configuration
|
<para>The Shorewall one-interface sample configuration assumes that the
|
||||||
is different, you will have to modify the sample /etc/shorewall/interfaces
|
external interface is <emphasis role="bold">eth0</emphasis>. If your
|
||||||
file accordingly. While you are there, you may wish to review the list of
|
configuration is different, you will have to modify the sample
|
||||||
options that are specified for the interface. Some hints:</para>
|
/etc/shorewall/interfaces file accordingly. While you are there, you may
|
||||||
|
wish to review the list of options that are specified for the interface.
|
||||||
|
Some hints:</para>
|
||||||
|
|
||||||
<tip>
|
<tip>
|
||||||
<para>If your external interface is <emphasis role="bold">ppp0</emphasis>
|
<para>If your external interface is <emphasis role="bold">ppp0</emphasis>
|
||||||
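Review bot: "/etc/shorewall/interfaces file accordingly" is still a bare path in the rewrapped paragraph; wrap it in `<filename>` as the rest of this commit does. Otherwise the split of the `<inlinegraphic>` into its own `<para>` matches the pattern used in the other sections.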
@ -309,9 +261,9 @@
|
|||||||
<tip>
|
<tip>
|
||||||
<para>If you specify <emphasis>norfc1918</emphasis> for your external
|
<para>If you specify <emphasis>norfc1918</emphasis> for your external
|
||||||
interface, you will want to check the <ulink url="errata.htm">Shorewall
|
interface, you will want to check the <ulink url="errata.htm">Shorewall
|
||||||
Errata</ulink> periodically for updates to the /etc/shorewall/rfc1918
|
Errata</ulink> periodically for updates to the <filename>/etc/shorewall/rfc1918
|
||||||
file. Alternatively, you can <ulink url="myfiles.htm#RFC1918">strip down
|
file</filename>. Alternatively, you can <ulink url="myfiles.htm#RFC1918">strip
|
||||||
your /etc/shorewall/rfc1918 files as I do</ulink>.</para>
|
down your <filename>/etc/shorewall/rfc1918</filename> file as I do</ulink>.</para>
|
||||||
</tip>
|
</tip>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
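Review bot: the `<filename>` element on the rfc1918 path is closed one word too late: `<filename>/etc/shorewall/rfc1918 file</filename>` includes the word "file" in the path. Close it after `rfc1918` and leave "file" outside, as the second occurrence in the same tip (`<filename>/etc/shorewall/rfc1918</filename> file as I do`) already does. The "files" to "file" correction in that second sentence is good.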
@ -332,70 +284,31 @@
|
|||||||
Translation</emphasis> to rewrite packet headers when forwarding to/from
|
Translation</emphasis> to rewrite packet headers when forwarding to/from
|
||||||
the internet.</para>
|
the internet.</para>
|
||||||
|
|
||||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /> Before
|
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||||
starting Shorewall, you should look at the IP address of your external
|
|
||||||
interface and if it is one of the above ranges, you should remove the
|
<para>Before starting Shorewall, you should look at the IP address of your
|
||||||
<quote>norfc1918</quote> option from the entry in
|
external interface and if it is one of the above ranges, you should remove
|
||||||
/etc/shorewall/interfaces.</para>
|
the <quote>norfc1918</quote> option from the entry in
|
||||||
|
<filename>/etc/shorewall/interfaces</filename>.</para>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
<title>Enabling other Connections</title>
|
<title>Enabling other Connections</title>
|
||||||
|
|
||||||
<para>If you wish to enable connections from the internet to your
|
<para>If you wish to enable connections from the internet to your
|
||||||
firewall, the general format is:</para>
|
firewall, the general format of a rule in <filename>/etc/shorewall/rules</filename>
|
||||||
|
is:</para>
|
||||||
|
|
||||||
<table>
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||||
<title>/etc/shorewall/rules</title>
|
ACCEPT net fw <emphasis><protocol></emphasis> <emphasis><port></emphasis></programlisting>
|
||||||
|
|
||||||
<tgroup cols="7">
|
|
||||||
<thead>
|
|
||||||
<row>
|
|
||||||
<entry align="center">ACTION</entry>
|
|
||||||
|
|
||||||
<entry align="center">SOURCE</entry>
|
|
||||||
|
|
||||||
<entry align="center">DESTINATION</entry>
|
|
||||||
|
|
||||||
<entry align="center">PROTOCOL</entry>
|
|
||||||
|
|
||||||
<entry align="center">PORT</entry>
|
|
||||||
|
|
||||||
<entry align="center">SOURCE PORT</entry>
|
|
||||||
|
|
||||||
<entry align="center">ORIGINAL ADDRESS</entry>
|
|
||||||
</row>
|
|
||||||
</thead>
|
|
||||||
|
|
||||||
<tbody>
|
|
||||||
<row>
|
|
||||||
<entry>ACCEPT</entry>
|
|
||||||
|
|
||||||
<entry>net</entry>
|
|
||||||
|
|
||||||
<entry>fw</entry>
|
|
||||||
|
|
||||||
<entry><<emphasis>protocol</emphasis>></entry>
|
|
||||||
|
|
||||||
<entry><<emphasis>port</emphasis>></entry>
|
|
||||||
|
|
||||||
<entry></entry>
|
|
||||||
|
|
||||||
<entry></entry>
|
|
||||||
</row>
|
|
||||||
</tbody>
|
|
||||||
</tgroup>
|
|
||||||
</table>
|
|
||||||
|
|
||||||
<example>
|
<example>
|
||||||
<title>You want to run a Web Server and a POP3 Server on your firewall
|
<title>You want to run a Web Server and a POP3 Server on your firewall
|
||||||
system:</title>
|
system:</title>
|
||||||
|
|
||||||
<para><table><title>/etc/shorewall/rules</title><tgroup cols="7"><thead><row><entry
|
<para><programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||||
align="center">ACTION</entry><entry align="center">SOURCE</entry><entry
|
ACCEPT net fw tcp 80
|
||||||
align="center">DESTINATION</entry><entry align="center">PROTOCOL</entry><entry
|
ACCEPT net fw tcp 110</programlisting></para>
|
||||||
align="center">PORT</entry><entry align="center">SOURCE PORT</entry><entry
|
|
||||||
align="center">ORIGINAL ADDRESS</entry></row></thead><tbody><row><entry>ACCEPT</entry><entry>net</entry><entry>fw</entry><entry>tcp</entry><entry>80</entry><entry></entry><entry></entry></row><row><entry>ACCEPT</entry><entry>net</entry><entry>fw</entry><entry>tcp</entry><entry>110</entry><entry></entry><entry></entry></row></tbody></tgroup></table></para>
|
|
||||||
</example>
|
</example>
|
||||||
|
|
||||||
<para>If you don't know what port and protocol a particular
|
<para>If you don't know what port and protocol a particular
|
||||||
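Review bot: the header line of the new rule listings reads `#ACTION SOURCE DESTINATION PROTO DEST PORT(S)` here but `#ACTION SOURCE DEST PROTO DEST PORT(S)` in the two-interface document touched by the same commit; pick one spelling for the column so readers comparing their own `/etc/shorewall/rules` header against the docs are not confused. Note also that the listing drops the SOURCE PORT and ORIGINAL ADDRESS columns that the replaced table showed; that is acceptable for a "general format" listing but the text should say the rule has further optional columns. Since the surrounding text already warns that telnet sends everything in clear text, the same caveat applies to the POP3 (tcp 110) example being opened from `net` to `fw`; a one-line remark there would keep the advice consistent.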
@ -406,87 +319,52 @@
|
|||||||
it uses clear text (even for login!). If you want shell access to your
|
it uses clear text (even for login!). If you want shell access to your
|
||||||
firewall from the internet, use SSH:</para>
|
firewall from the internet, use SSH:</para>
|
||||||
|
|
||||||
<table>
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||||
<title>/etc/shorewall/rules</title>
|
ACCEPT net fw tcp 22</programlisting>
|
||||||
|
|
||||||
<tgroup cols="7">
|
|
||||||
<thead>
|
|
||||||
<row>
|
|
||||||
<entry align="center">ACTION</entry>
|
|
||||||
|
|
||||||
<entry align="center">SOURCE</entry>
|
|
||||||
|
|
||||||
<entry align="center">DESTINATION</entry>
|
|
||||||
|
|
||||||
<entry align="center">PROTOCOL</entry>
|
|
||||||
|
|
||||||
<entry align="center">PORT</entry>
|
|
||||||
|
|
||||||
<entry align="center">SOURCE PORT</entry>
|
|
||||||
|
|
||||||
<entry align="center">ORIGINAL ADDRESS</entry>
|
|
||||||
</row>
|
|
||||||
</thead>
|
|
||||||
|
|
||||||
<tbody>
|
|
||||||
<row>
|
|
||||||
<entry>ACCEPT</entry>
|
|
||||||
|
|
||||||
<entry>net</entry>
|
|
||||||
|
|
||||||
<entry>fw</entry>
|
|
||||||
|
|
||||||
<entry>tcp</entry>
|
|
||||||
|
|
||||||
<entry>22</entry>
|
|
||||||
|
|
||||||
<entry></entry>
|
|
||||||
|
|
||||||
<entry></entry>
|
|
||||||
</row>
|
|
||||||
</tbody>
|
|
||||||
</tgroup>
|
|
||||||
</table>
|
|
||||||
</important>
|
</important>
|
||||||
|
|
||||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /> At this
|
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||||
point, edit /etc/shorewall/rules to add other connections as desired.</para>
|
|
||||||
|
<para>At this point, edit /etc/shorewall/rules to add other connections as
|
||||||
|
desired.</para>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
<title>Starting and Stopping Your Firewall</title>
|
<title>Starting and Stopping Your Firewall</title>
|
||||||
|
|
||||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /> The
|
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||||
<ulink url="Install.htm">installation procedure</ulink> configures your
|
|
||||||
system to start Shorewall at system boot but beginning with Shorewall
|
<para>The <ulink url="Install.htm">installation procedure</ulink>
|
||||||
version 1.3.9 startup is disabled so that your system won't try to
|
configures your system to start Shorewall at system boot but beginning
|
||||||
start Shorewall before configuration is complete. Once you have completed
|
with Shorewall version 1.3.9 startup is disabled so that your system
|
||||||
configuration of your firewall, you can enable Shorewall startup by
|
won't try to start Shorewall before configuration is complete. Once
|
||||||
removing the file /etc/shorewall/startup_disabled.</para>
|
you have completed configuration of your firewall, you can enable
|
||||||
|
Shorewall startup by removing the file <filename>/etc/shorewall/startup_disabled</filename>.</para>
|
||||||
|
|
||||||
<important>
|
<important>
|
||||||
<para><emphasis role="bold">Users of the .deb package must edit
|
<para><emphasis role="bold">Users of the .deb package must edit
|
||||||
/etc/default/shorewall and set <quote>startup=1</quote>.</emphasis></para>
|
<filename>/etc/default/shorewall</filename> and set <quote>startup=1</quote>.</emphasis></para>
|
||||||
</important>
|
</important>
|
||||||
|
|
||||||
<para>The firewall is started using the <quote>shorewall start</quote>
|
<para>The firewall is started using the <quote><command>shorewall start</command></quote>
|
||||||
command and stopped using <quote>shorewall stop</quote>. When the firewall
|
command and stopped using <quote><command>shorewall stop</command></quote>.
|
||||||
is stopped, routing is enabled on those hosts that have an entry in <ulink
|
When the firewall is stopped, routing is enabled on those hosts that have
|
||||||
url="Documentation.htm#Routestopped">/etc/shorewall/routestopped</ulink>.
|
an entry in <filename><ulink url="Documentation.htm#Routestopped">/etc/shorewall/routestopped</ulink></filename>.
|
||||||
A running firewall may be restarted using the <quote>shorewall restart</quote>
|
A running firewall may be restarted using the <quote><command>shorewall
|
||||||
command. If you want to totally remove any trace of Shorewall from your
|
restart</command></quote> command. If you want to totally remove any trace
|
||||||
Netfilter configuration, use <quote>shorewall clear</quote>.</para>
|
of Shorewall from your Netfilter configuration, use <quote><command>shorewall
|
||||||
|
clear</command></quote>.</para>
|
||||||
|
|
||||||
<warning>
|
<warning>
|
||||||
<para>If you are connected to your firewall from the internet, do not
|
<para>If you are connected to your firewall from the internet, do not
|
||||||
issue a <quote>shorewall stop</quote> command unless you have added an
|
issue a <quote><command>shorewall stop</command></quote> command unless
|
||||||
entry for the IP address that you are connected from to <ulink
|
you have added an entry for the IP address that you are connected from
|
||||||
url="Documentation.htm#Routestopped">/etc/shorewall/routestopped</ulink>.
|
to <ulink url="Documentation.htm#Routestopped"><filename>/etc/shorewall/routestopped</filename></ulink>.
|
||||||
Also, I don't recommend using <quote>shorewall restart</quote>; it
|
Also, I don't recommend using <quote><command>shorewall restart</command></quote>;
|
||||||
is better to create an <emphasis><ulink
|
it is better to create an <emphasis><ulink
|
||||||
url="configuration_file_basics.htm#Configs">alternate configuration</ulink></emphasis>
|
url="configuration_file_basics.htm#Configs">alternate configuration</ulink></emphasis>
|
||||||
and test it using the <ulink url="starting_and_stopping_shorewall.htm"><quote>shorewall
|
and test it using the <ulink url="starting_and_stopping_shorewall.htm"><quote><command>shorewall
|
||||||
try</quote> command</ulink>.</para>
|
try</command></quote> command</ulink>.</para>
|
||||||
</warning>
|
</warning>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
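Review bot: the two routestopped references in this hunk nest the elements in opposite orders, `<filename><ulink ...>/etc/shorewall/routestopped</ulink></filename>` in the paragraph and `<ulink ...><filename>/etc/shorewall/routestopped</filename></ulink>` in the warning; the rest of the commit puts `<ulink>` outside, so use that form in both places. "At this point, edit /etc/shorewall/rules to add other connections as desired." still carries a bare path that should get `<filename>`.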
@ -502,8 +380,9 @@
|
|||||||
<appendix>
|
<appendix>
|
||||||
<title>Revision History</title>
|
<title>Revision History</title>
|
||||||
|
|
||||||
<para><revhistory><revision><revnumber>1.2</revnumber><date>2003-12-30</date><authorinitials>TE</authorinitials><revremark>Add
|
<para><revhistory><revision><revnumber>1.5</revnumber><date>2003-01-05</date><authorinitials>TE</authorinitials><revremark>Standards
|
||||||
tip about /etc/shorewall/rfc1918 updates.</revremark></revision><revision><revnumber>1.1</revnumber><date>2003-11-15</date><authorinitials>TE</authorinitials><revremark>Initial
|
Changes</revremark></revision><revision><revnumber>1.4</revnumber><date>2003-12-30</date><authorinitials>TE</authorinitials><revremark>Add
|
||||||
|
tip about /etc/shorewall/rfc1918 updates.</revremark></revision><revision><revnumber>1.3</revnumber><date>2003-11-15</date><authorinitials>TE</authorinitials><revremark>Initial
|
||||||
Docbook Conversion</revremark></revision></revhistory></para>
|
Docbook Conversion</revremark></revision></revhistory></para>
|
||||||
</appendix>
|
</appendix>
|
||||||
</article>
|
</article>
|
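Review bot: the new revision 1.5 is dated `2003-01-05`, which is earlier than revision 1.4 (`2003-12-30`) and contradicts the `<pubdate>2004-01-06</pubdate>` set earlier in this commit; it should be a January 2004 date. The hunk also renumbers the existing entries (1.2 to 1.4, 1.1 to 1.3) including the "Initial Docbook Conversion" record; if that is intentional it deserves a mention in the commit, since it changes history entries rather than adding one.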
@ -12,7 +12,7 @@
|
|||||||
<surname>Eastep</surname>
|
<surname>Eastep</surname>
|
||||||
</author>
|
</author>
|
||||||
|
|
||||||
<pubdate>2003-12-31</pubdate>
|
<pubdate>2003-01-06</pubdate>
|
||||||
|
|
||||||
<copyright>
|
<copyright>
|
||||||
<year>2002</year>
|
<year>2002</year>
|
||||||
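Review bot: `<pubdate>` in this file moves backwards from `2003-12-31` to `2003-01-06`; the intended value is almost certainly `2004-01-06`, matching the date given to the one-interface document in the same commit.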
@ -106,13 +106,11 @@
|
|||||||
installed by the presence of an <command>ip</command> program on your
|
installed by the presence of an <command>ip</command> program on your
|
||||||
firewall system. As <systemitem class="username">root</systemitem>, you
|
firewall system. As <systemitem class="username">root</systemitem>, you
|
||||||
can use the <command>which</command> command to check for this program:
|
can use the <command>which</command> command to check for this program:
|
||||||
<programlisting>
|
<programlisting>[root@gateway root]# <command>which ip</command>
|
||||||
[root@gateway root]# which ip
|
|
||||||
/sbin/ip
|
/sbin/ip
|
||||||
[root@gateway root]#
|
[root@gateway root]#</programlisting> I recommend that you first read through
|
||||||
</programlisting> I recommend that you first read through the guide to
|
the guide to familiarize yourself with what's involved then go back
|
||||||
familiarize yourself with what's involved then go back through it
|
through it again making your configuration changes.</para>
|
||||||
again making your configuration changes.</para>
|
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
@ -195,32 +193,16 @@
|
|||||||
|
|
||||||
<para>The <filename class="directory">/etc/shorewall/</filename><filename>policy</filename>
|
<para>The <filename class="directory">/etc/shorewall/</filename><filename>policy</filename>
|
||||||
file included with the two-interface sample has the following policies:
|
file included with the two-interface sample has the following policies:
|
||||||
<informaltable frame="all" label="policy file" pgwide="0"><tgroup
|
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
|
||||||
align="left" cols="5"><thead valign="middle"><row valign="middle"><entry
|
loc net ACCEPT
|
||||||
align="left">Source Zone</entry><entry align="left">Destination Zone</entry><entry
|
net all DROP info
|
||||||
align="left">Policy</entry><entry align="left">Log Level</entry><entry
|
all all REJECT info</programlisting> In the two-interface
|
||||||
align="left">Limit:Burst</entry></row></thead><tbody valign="middle"><row
|
sample, the line below is included but commented out. If you want your
|
||||||
valign="middle"><entry align="left"><varname>loc</varname></entry><entry
|
firewall system to have full access to servers on the internet, uncomment
|
||||||
align="left"><varname>net</varname></entry><entry align="left"><varname>ACCEPT</varname></entry><entry
|
that line. <programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
|
||||||
align="left"></entry><entry align="left"></entry></row><row
|
fw net ACCEPT</programlisting> The above policy will:
|
||||||
valign="middle"><entry align="left"><varname>net</varname></entry><entry
|
<itemizedlist><listitem><para>Allow all connection requests from your
|
||||||
align="left"><varname>all</varname></entry><entry align="left"><varname>DROP</varname></entry><entry
|
local network to the internet</para></listitem><listitem><para>Drop
|
||||||
align="left"><varname>info</varname></entry><entry align="left"></entry></row><row
|
|
||||||
valign="middle"><entry align="left"><varname>all</varname></entry><entry
|
|
||||||
align="left"><varname>all</varname></entry><entry align="left"><varname>REJECT</varname></entry><entry
|
|
||||||
align="left"><varname>info</varname></entry><entry align="left"></entry></row></tbody></tgroup></informaltable>
|
|
||||||
In the two-interface sample, the line below is included but commented out.
|
|
||||||
If you want your firewall system to have full access to servers on the
|
|
||||||
internet, uncomment that line. <informaltable frame="all"
|
|
||||||
label="policy file" pgwide="0"><tgroup align="left" cols="5"><thead
|
|
||||||
valign="middle"><row valign="middle"><entry align="left">Source Zone</entry><entry
|
|
||||||
align="left">Destination Zone</entry><entry align="left">Policy</entry><entry
|
|
||||||
align="left">Log Level</entry><entry align="left">Limit:Burst</entry></row></thead><tbody
|
|
||||||
valign="middle"><row valign="middle"><entry align="left"><varname>fw</varname></entry><entry
|
|
||||||
align="left"><varname>net</varname></entry><entry align="left"><varname>ACCEPT</varname></entry><entry
|
|
||||||
align="left"></entry><entry align="left"></entry></row></tbody></tgroup></informaltable>
|
|
||||||
The above policy will: <itemizedlist><listitem><para>Allow all connection
|
|
||||||
requests from your local network to the internet</para></listitem><listitem><para>Drop
|
|
||||||
(ignore) all connection requests from the internet to your firewall or
|
(ignore) all connection requests from the internet to your firewall or
|
||||||
local network</para></listitem><listitem><para>Optionally accept all
|
local network</para></listitem><listitem><para>Optionally accept all
|
||||||
connection requests from the firewall to the internet (if you uncomment
|
connection requests from the firewall to the internet (if you uncomment
|
||||||
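Review bot: the text says the `fw net ACCEPT` line "is included but commented out" in the two-interface sample, but the new `<programlisting>` shows it without the leading `#`, so a reader copying the listing gets an active policy rather than the disabled one the sample ships; show it as `#fw net ACCEPT` or say explicitly that the `#` has been removed for display. The column header here (`#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST`) also differs from the `#SOURCE ZONE DESTINATION ZONE POLICY ...` header used for the one-interface policy listing in the same commit.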
@ -310,11 +292,10 @@
|
|||||||
network (the Internal Interface on your firewall plus your other
|
network (the Internal Interface on your firewall plus your other
|
||||||
computers). <emphasis role="bold">RFC 1918</emphasis> reserves several
|
computers). <emphasis role="bold">RFC 1918</emphasis> reserves several
|
||||||
<emphasis>Private</emphasis> <acronym>IP</acronym> address ranges for this
|
<emphasis>Private</emphasis> <acronym>IP</acronym> address ranges for this
|
||||||
purpose: <programlisting>
|
purpose: <programlisting>10.0.0.0 - 10.255.255.255
|
||||||
10.0.0.0 - 10.255.255.255
|
|
||||||
172.16.0.0 - 172.31.255.255
|
172.16.0.0 - 172.31.255.255
|
||||||
192.168.0.0 - 192.168.255.255
|
192.168.0.0 - 192.168.255.255</programlisting> <inlinegraphic
|
||||||
</programlisting> <inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||||
|
|
||||||
<para>Before starting Shorewall, you should look at the IP address of your
|
<para>Before starting Shorewall, you should look at the IP address of your
|
||||||
external interface and if it is one of the above ranges, you should remove
|
external interface and if it is one of the above ranges, you should remove
|
||||||
@ -460,38 +441,18 @@
|
|||||||
|
|
||||||
<para>The general form of a simple port forwarding rule in <filename
|
<para>The general form of a simple port forwarding rule in <filename
|
||||||
class="directory">/etc/shorewall/</filename><filename>rules</filename> is:
|
class="directory">/etc/shorewall/</filename><filename>rules</filename> is:
|
||||||
<informaltable frame="all" label="rules" pgwide="0"><tgroup align="left"
|
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||||
cols="7"><thead valign="middle"><row valign="middle"><entry align="left">ACTION</entry><entry
|
DNAT net loc:<emphasis><server local ip address></emphasis>[:<emphasis><server port></emphasis>] <emphasis><protocol></emphasis> <emphasis><port></emphasis></programlisting>
|
||||||
align="left">SOURCE</entry><entry align="left">DEST</entry><entry
|
|
||||||
align="left">PROTO</entry><entry align="left">DEST PORT(S)</entry><entry
|
|
||||||
align="left">CLIENT PORT(s)</entry><entry align="left">ORIGINAL DEST</entry></row></thead><tbody><row><entry
|
|
||||||
align="left"><varname>DNAT</varname></entry><entry align="left"><varname>net</varname></entry><entry
|
|
||||||
align="left"><varname>loc:<server local ip address> [:<server
|
|
||||||
port>]</varname></entry><entry align="left"><varname><protocol></varname></entry><entry
|
|
||||||
align="left"><varname><port></varname></entry><entry></entry><entry></entry></row></tbody></tgroup></informaltable>
|
|
||||||
<example label="1"><title>Web Server</title><para>You run a Web Server on
|
<example label="1"><title>Web Server</title><para>You run a Web Server on
|
||||||
computer 2 and you want to forward incoming <acronym>TCP</acronym> port 80
|
computer 2 and you want to forward incoming <acronym>TCP</acronym> port 80
|
||||||
to that system: <informaltable frame="all" label="rules" pgwide="0"><tgroup
|
to that system: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||||
align="left" cols="7"><thead valign="middle"><row valign="middle"><entry
|
DNAT net loc:10.10.10.2 tcp 80</programlisting></para></example>
|
||||||
align="left">ACTION</entry><entry align="left">SOURCE</entry><entry
|
|
||||||
align="left">DEST</entry><entry align="left">PROTO</entry><entry
|
|
||||||
align="left">DEST PORT(S)</entry><entry align="left">CLIENT PORT(S)</entry><entry
|
|
||||||
align="left">ORIGINAL DEST</entry></row></thead><tbody><row><entry
|
|
||||||
align="left"><varname>DNAT</varname></entry><entry align="left"><varname>net</varname></entry><entry
|
|
||||||
align="left"><varname>loc:10.10.10.2</varname></entry><entry align="left"><varname>tcp</varname></entry><entry
|
|
||||||
align="left"><varname>80</varname></entry><entry></entry><entry></entry></row></tbody></tgroup></informaltable></para></example>
|
|
||||||
<example label="2"><title>FTP Server</title><para>You run an
|
<example label="2"><title>FTP Server</title><para>You run an
|
||||||
<acronym>FTP</acronym> Server on computer 1 so you want to forward
|
<acronym>FTP</acronym> Server on computer 1 so you want to forward
|
||||||
incoming <acronym>TCP</acronym> port 21 to that system: <informaltable
|
incoming <acronym>TCP</acronym> port 21 to that system:
|
||||||
frame="all" label="rules" pgwide="0"><tgroup align="left" cols="7"><thead
|
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||||
valign="middle"><row valign="middle"><entry align="left">ACTION</entry><entry
|
DNAT net loc:10.10.10.1 tcp 21</programlisting> For
|
||||||
align="left">SOURCE</entry><entry align="left">DEST</entry><entry
|
<acronym>FTP</acronym>, you will also need to have <acronym>FTP</acronym>
|
||||||
align="left">PROTO</entry><entry align="left">DEST PORT(S)</entry><entry
|
|
||||||
align="left">CLIENT PORT(S)</entry><entry align="left">ORIGINAL DEST</entry></row></thead><tbody><row><entry
|
|
||||||
align="left"><varname>DNAT</varname></entry><entry align="left"><varname>net</varname></entry><entry
|
|
||||||
align="left"><varname>loc:10.10.10.1</varname></entry><entry align="left"><varname>tcp</varname></entry><entry
|
|
||||||
align="left"><varname>21</varname></entry><entry></entry><entry></entry></row></tbody></tgroup></informaltable>
|
|
||||||
For <acronym>FTP</acronym>, you will also need to have <acronym>FTP</acronym>
|
|
||||||
connection tracking and <acronym>NAT</acronym> support in your kernel. For
|
connection tracking and <acronym>NAT</acronym> support in your kernel. For
|
||||||
vendor-supplied kernels, this means that the <filename class="libraryfile">ip_conntrack_ftp</filename>
|
vendor-supplied kernels, this means that the <filename class="libraryfile">ip_conntrack_ftp</filename>
|
||||||
and <filename class="libraryfile">ip_nat_ftp</filename> modules must be
|
and <filename class="libraryfile">ip_nat_ftp</filename> modules must be
|
||||||
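Review bot: In the FTP Server example the sentence beginning "For FTP, you will also need to have FTP connection tracking and NAT support in your kernel" now follows `</programlisting>` directly inside the same `<para>` (the line `DNAT net loc:10.10.10.1 tcp 21</programlisting> For`), so the kernel-module requirement renders as a run-on continuation of the listing instead of its own paragraph; close the paragraph after the listing and open a new `<para>` for the ip_conntrack_ftp / ip_nat_ftp note, the way the Web Server example already ends with `</programlisting></para></example>`. The table-to-listing conversion itself is sound for both rows: the dropped CLIENT PORT(S) and ORIGINAL DEST columns were empty in the old tables, and the `#ACTION SOURCE DEST PROTO DEST PORT(S)` header line is a `#` comment that Shorewall ignores, so the listings can be pasted into /etc/shorewall/rules unchanged.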
@ -508,15 +469,8 @@
|
|||||||
url="FAQ.htm#faq2">Shorewall FAQ #2</ulink>.</para></listitem><listitem><para>Many
|
url="FAQ.htm#faq2">Shorewall FAQ #2</ulink>.</para></listitem><listitem><para>Many
|
||||||
<acronym>ISP</acronym>s block incoming connection requests to port 80. If
|
<acronym>ISP</acronym>s block incoming connection requests to port 80. If
|
||||||
you have problems connecting to your web server, try the following rule
|
you have problems connecting to your web server, try the following rule
|
||||||
and try connecting to port 5000.</para></listitem></itemizedlist><informaltable
|
and try connecting to port 5000.</para></listitem></itemizedlist><programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||||
frame="all" label="rules" pgwide="0"><tgroup align="left" cols="7"><thead
|
DNAT net loc:10.10.10.2:80 tcp 5000</programlisting>
|
||||||
valign="middle"><row valign="middle"><entry align="left">ACTION</entry><entry
|
|
||||||
align="left">SOURCE</entry><entry align="left">DEST</entry><entry
|
|
||||||
align="left">PROTO</entry><entry align="left">DEST PORT(S)</entry><entry
|
|
||||||
align="left">CLIENT PORT(S)</entry><entry align="left">ORIGINAL DEST</entry></row></thead><tbody><row><entry
|
|
||||||
align="left"><varname>DNAT</varname></entry><entry align="left"><varname>net</varname></entry><entry
|
|
||||||
align="left"><varname>loc:10.10.10.2:80</varname></entry><entry
|
|
||||||
align="left"><varname>tcp</varname></entry><entry align="left"><varname>5000</varname></entry><entry></entry><entry></entry></row></tbody></tgroup></informaltable>
|
|
||||||
<inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
<inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||||
|
|
||||||
<para>At this point, modify <filename class="directory">/etc/shorewall/</filename><filename>rules</filename>
|
<para>At this point, modify <filename class="directory">/etc/shorewall/</filename><filename>rules</filename>
|
||||||
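Review bot: The port-5000 workaround rule is detached from the bullet that introduces it: the list item ends with "try the following rule and try connecting to port 5000.</para></listitem></itemizedlist>" and the `<programlisting>` is appended after the closed `</itemizedlist>`, so in the rendered output the rule sits below the whole list rather than under the "ISPs block incoming connection requests to port 80" item it belongs to. Either move the listing inside that `<listitem>` (before its `</para></listitem>`) or reword the item to say the rule follows the list. A trailing comment on the rule line would also help, e.g. `DNAT net loc:10.10.10.2:80 tcp 5000  #port 5000 from the net is rewritten to port 80 on 10.10.10.2`, since this is the only rule in these hunks with a port suffix in the DEST column and a reader copying it should see why it differs from the plain port-80 DNAT example above.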
@ -556,111 +510,48 @@
|
|||||||
<acronym>UDP</acronym> and <acronym>TCP</acronym>) from the local network
|
<acronym>UDP</acronym> and <acronym>TCP</acronym>) from the local network
|
||||||
to the firewall; you do that by adding the following rules in <filename
|
to the firewall; you do that by adding the following rules in <filename
|
||||||
class="directory">/etc/shorewall/</filename><filename>rules</filename>.
|
class="directory">/etc/shorewall/</filename><filename>rules</filename>.
|
||||||
<informaltable frame="all" label="rules" pgwide="0"><tgroup align="left"
|
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||||
cols="7"><thead valign="middle"><row valign="middle"><entry align="left">ACTION</entry><entry
|
ACCEPT loc fw tcp 53
|
||||||
align="left">SOURCE</entry><entry align="left">DEST</entry><entry
|
ACCEPT loc fw udp 53</programlisting></para></listitem></itemizedlist></para>
|
||||||
align="left">PROTO</entry><entry align="left">DEST PORT(S)</entry><entry
|
|
||||||
align="left">CLIENT PORT(S)</entry><entry align="left">ORIGINAL DEST</entry></row></thead><tbody><row><entry
|
|
||||||
align="left"><varname>ACCEPT</varname></entry><entry align="left"><varname>loc</varname></entry><entry
|
|
||||||
align="left"><varname>fw</varname></entry><entry align="left"><varname>tcp</varname></entry><entry
|
|
||||||
align="left"><varname>53</varname></entry><entry></entry><entry></entry></row><row><entry
|
|
||||||
align="left"><varname>ACCEPT</varname></entry><entry align="left"><varname>loc</varname></entry><entry
|
|
||||||
align="left"><varname>fw</varname></entry><entry align="left"><varname>udp</varname></entry><entry
|
|
||||||
align="left"><varname>53</varname></entry><entry></entry><entry></entry></row></tbody></tgroup></informaltable></para></listitem></itemizedlist></para>
|
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
<title>Other Connections</title>
|
<title>Other Connections</title>
|
||||||
|
|
||||||
<para>The two-interface sample includes the following rules:
|
<para>The two-interface sample includes the following rules:
|
||||||
<informaltable frame="all" label="rules" pgwide="0"><tgroup align="left"
|
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||||
cols="7"><thead valign="middle"><row valign="middle"><entry align="left">ACTION</entry><entry
|
ACCEPT fw net tcp 53
|
||||||
align="left">SOURCE</entry><entry align="left">DEST</entry><entry
|
ACCEPT fw net udp 53</programlisting>Those
|
||||||
align="left">PROTO</entry><entry align="left">DEST PORT(S)</entry><entry
|
rules allow <acronym>DNS</acronym> access from your firewall and may be
|
||||||
align="left">CLIENT PORT(S)</entry><entry align="left">ORIGINAL DEST</entry></row></thead><tbody><row><entry
|
removed if you uncommented the line in <filename class="directory">/etc/shorewall/</filename><filename>policy</filename>
|
||||||
align="left"><varname>ACCEPT</varname></entry><entry align="left"><varname>fw</varname></entry><entry
|
|
||||||
align="left"><varname>net</varname></entry><entry align="left"><varname>tcp</varname></entry><entry
|
|
||||||
align="left"><varname>53</varname></entry><entry></entry><entry></entry></row><row><entry
|
|
||||||
align="left"><varname>ACCEPT</varname></entry><entry align="left"><varname>fw</varname></entry><entry
|
|
||||||
align="left"><varname>net</varname></entry><entry align="left"><varname>udp</varname></entry><entry
|
|
||||||
align="left"><varname>53</varname></entry><entry></entry><entry></entry></row></tbody></tgroup></informaltable>
|
|
||||||
Those rules allow <acronym>DNS</acronym> access from your firewall and may
|
|
||||||
be removed if you uncommented the line in <filename class="directory">/etc/shorewall/</filename><filename>policy</filename>
|
|
||||||
allowing all connections from the firewall to the internet.</para>
|
allowing all connections from the firewall to the internet.</para>
|
||||||
|
|
||||||
<para>The sample also includes: <informaltable frame="all" label="rules"
|
<para>The sample also includes: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||||
pgwide="0"><tgroup align="left" cols="7"><thead valign="middle"><row
|
ACCEPT loc fw tcp 22</programlisting> That
|
||||||
valign="middle"><entry align="left">ACTION</entry><entry align="left">SOURCE</entry><entry
|
rule allows you to run an <acronym>SSH</acronym> server on your firewall
|
||||||
align="left">DEST</entry><entry align="left">PROTO</entry><entry
|
and connect to that server from your local systems.</para>
|
||||||
align="left">DEST PORT(S)</entry><entry align="left">CLIENT PORT(S)</entry><entry
|
|
||||||
align="left">ORIGINAL DEST</entry></row></thead><tbody><row><entry
|
|
||||||
align="left"><varname>ACCEPT</varname></entry><entry align="left"><varname>loc</varname></entry><entry
|
|
||||||
align="left"><varname>fw</varname></entry><entry align="left"><varname>tcp</varname></entry><entry
|
|
||||||
align="left"><varname>22</varname></entry><entry></entry><entry></entry></row></tbody></tgroup></informaltable>
|
|
||||||
That rule allows you to run an <acronym>SSH</acronym> server on your
|
|
||||||
firewall and connect to that server from your local systems.</para>
|
|
||||||
|
|
||||||
<para>If you wish to enable other connections between your firewall and
|
<para>If you wish to enable other connections between your firewall and
|
||||||
other systems, the general format is: <informaltable frame="all"
|
other systems, the general format is: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||||
label="rules" pgwide="0"><tgroup align="left" cols="7"><thead
|
ACCEPT fw <emphasis><destination zone> <protocol> <port></emphasis></programlisting>
|
||||||
valign="middle"><row valign="middle"><entry align="left">ACTION</entry><entry
|
|
||||||
align="left">SOURCE</entry><entry align="left">DEST</entry><entry
|
|
||||||
align="left">PROTO</entry><entry align="left">DEST PORT(S)</entry><entry
|
|
||||||
align="left">CLIENT PORT(S)</entry><entry align="left">ORIGINAL DEST</entry></row></thead><tbody><row><entry
|
|
||||||
align="left"><varname>ACCEPT</varname></entry><entry align="left"><varname><source
|
|
||||||
zone></varname></entry><entry align="left"><varname><destination
|
|
||||||
zone></varname></entry><entry align="left"><varname><protocol></varname></entry><entry
|
|
||||||
align="left"><varname><port></varname></entry><entry></entry><entry></entry></row></tbody></tgroup></informaltable>
|
|
||||||
<example><title>Web Server on Firewall</title><para>You want to run a Web
|
<example><title>Web Server on Firewall</title><para>You want to run a Web
|
||||||
Server on your firewall system: <informaltable frame="all" label="rules"
|
Server on your firewall system: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||||
pgwide="0"><tgroup align="left" cols="7"><colspec colname="c1" /><colspec
|
ACCEPT net fw tcp 80
|
||||||
colname="c2" /><colspec colname="c3" /><colspec colname="c4" /><colspec
|
ACCEPT loc fw tcp 80</programlisting> Those
|
||||||
colname="c5" /><colspec colname="c6" /><colspec colname="c7" /><thead
|
two rules would of course be in addition to the rules listed above under
|
||||||
valign="middle"><row valign="middle"><entry align="left">ACTION</entry><entry
|
<quote><link linkend="cachingdns">You can configure a Caching Name Server
|
||||||
align="left">SOURCE</entry><entry align="left">DEST</entry><entry
|
on your firewall</link></quote>.</para></example> If you don't know
|
||||||
align="left">PROTO</entry><entry align="left">DEST PORT(S)</entry><entry
|
what port and protocol a particular application uses, look <ulink
|
||||||
align="left">CLIENT PORT(S)</entry><entry align="left">ORIGINAL DEST</entry></row></thead><tbody><row><entry
|
|
||||||
align="left"><varname>ACCEPT</varname></entry><entry align="left"><varname>net</varname></entry><entry
|
|
||||||
align="left"><varname>fw</varname></entry><entry align="left"><varname>tcp</varname></entry><entry
|
|
||||||
align="left"><varname>80</varname></entry><entry nameend="c7" namest="c6">#Allow
|
|
||||||
web access from the Internet</entry></row><row><entry align="left"><varname>ACCEPT</varname></entry><entry
|
|
||||||
align="left"><varname>loc</varname></entry><entry align="left"><varname>fw</varname></entry><entry
|
|
||||||
align="left"><varname>tcp</varname></entry><entry align="left"><varname>80</varname></entry><entry
|
|
||||||
nameend="c7" namest="c6">#Allow web access from the local network</entry></row></tbody></tgroup></informaltable>
|
|
||||||
Those two rules would of course be in addition to the rules listed above
|
|
||||||
under <quote><link linkend="cachingdns">You can configure a Caching Name
|
|
||||||
Server on your firewall</link></quote>.</para></example> If you don't
|
|
||||||
know what port and protocol a particular application uses, look <ulink
|
|
||||||
url="ports.htm">here</ulink>. <important><para>I don't recommend
|
url="ports.htm">here</ulink>. <important><para>I don't recommend
|
||||||
enabling <command>telnet</command> to/from the internet because it uses
|
enabling <command>telnet</command> to/from the internet because it uses
|
||||||
clear text (even for login!). If you want shell access to your firewall
|
clear text (even for login!). If you want shell access to your firewall
|
||||||
from the internet, use <acronym>SSH</acronym>:</para></important><informaltable
|
from the internet, use <acronym>SSH</acronym>:</para><programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||||
frame="all" label="rules" pgwide="0"><tgroup align="left" cols="7"><thead
|
ACCEPT net fw tcp 22</programlisting></important>
|
||||||
valign="middle"><row valign="middle"><entry align="left">ACTION</entry><entry
|
|
||||||
align="left">SOURCE</entry><entry align="left">DEST</entry><entry
|
|
||||||
align="left">PROTO</entry><entry align="left">DEST PORT(S)</entry><entry
|
|
||||||
align="left">CLIENT PORT(S)</entry><entry align="left">ORIGINAL DEST</entry></row></thead><tbody><row><entry
|
|
||||||
align="left"><varname>ACCEPT</varname></entry><entry align="left"><varname>net</varname></entry><entry
|
|
||||||
align="left"><varname>fw</varname></entry><entry align="left"><varname>tcp</varname></entry><entry
|
|
||||||
align="left"><varname>22</varname></entry><entry></entry><entry></entry></row></tbody></tgroup></informaltable>
|
|
||||||
<inlinegraphic fileref="images/leaflogo.gif" format="GIF" />Bering users
|
<inlinegraphic fileref="images/leaflogo.gif" format="GIF" />Bering users
|
||||||
will want to add the following two rules to be compatible with
|
will want to add the following two rules to be compatible with
|
||||||
Jacques's Shorewall configuration. <informaltable frame="all"
|
Jacques's Shorewall configuration.<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||||
label="rules" pgwide="0"><tgroup align="left" cols="7"><colspec
|
ACCEPT loc fw udp 53 #Allow DNS Cache to work
|
||||||
colname="c1" /><colspec colname="c2" /><colspec colname="c3" /><colspec
|
ACCEPT loc fw tcp 80 #Allow Weblet to work</programlisting>
|
||||||
colname="c4" /><colspec colname="c5" /><colspec colname="c6" /><colspec
|
|
||||||
colname="c7" /><thead valign="middle"><row valign="middle"><entry
|
|
||||||
align="left">ACTION</entry><entry align="left">SOURCE</entry><entry
|
|
||||||
align="left">DEST</entry><entry align="left">PROTO</entry><entry
|
|
||||||
align="left">DEST PORT(S)</entry><entry align="left">CLIENT PORT(S)</entry><entry
|
|
||||||
align="left">ORIGINAL DEST</entry></row></thead><tbody><row><entry
|
|
||||||
align="left"><varname>ACCEPT</varname></entry><entry align="left"><varname>loc</varname></entry><entry
|
|
||||||
align="left"><varname>fw</varname></entry><entry align="left"><varname>udp</varname></entry><entry
|
|
||||||
align="left"><varname>53</varname></entry><entry nameend="c7" namest="c6">#Allow
|
|
||||||
DNS Cache to work</entry></row><row><entry align="left"><varname>ACCEPT</varname></entry><entry
|
|
||||||
align="left"><varname>loc</varname></entry><entry align="left"><varname>fw</varname></entry><entry
|
|
||||||
align="left"><varname>tcp</varname></entry><entry align="left"><varname>80</varname></entry><entry
|
|
||||||
nameend="c7" namest="c6">#Allow weblet to work</entry></row></tbody></tgroup></informaltable>
|
|
||||||
<inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
<inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||||
|
|
||||||
<para>Now edit your <filename class="directory">/etc/shorewall/</filename><filename>rules</filename>
|
<para>Now edit your <filename class="directory">/etc/shorewall/</filename><filename>rules</filename>
|
||||||
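Review bot: The general-format listing changes what it documents: the old table row was `ACCEPT <source zone> <destination zone> <protocol> <port>`, but the replacement reads `ACCEPT fw <destination zone> <protocol> <port>`, hard-coding the firewall as SOURCE. The surrounding text still promises the format for "other connections between your firewall and other systems", and the very next example (`ACCEPT net fw tcp 80`, `ACCEPT loc fw tcp 80`) has the firewall as DEST, so the placeholder form no longer covers the examples that follow it; restore `<source zone>` in the SOURCE column. Two smaller points in the same hunk: the Web Server on Firewall listing drops the comments the table carried in its spanning column ("#Allow web access from the Internet", "#Allow web access from the local network") while the Bering listing keeps its "#Allow DNS Cache to work" / "#Allow Weblet to work" comments, so add them back for consistency and so a reader sees at a glance which of the two lines opens port 80 to the whole internet; and the placeholder angle brackets inside `<programlisting>` and `<emphasis>` need to be `&lt;`/`&gt;` entities in the XML source if they are not already, otherwise the build will read `<destination zone>` as a start tag.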
|