extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2024-11-23 08:03:11 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' into 5.0.6

Browse Source
This commit is contained in:
Tom Eastep 2016-03-01 15:13:20 -08:00
commit 4e9f4742cb
92 changed files with 1456 additions and 1908 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Shorewall-core/install.sh
View File

@ -2,7 +2,7 @@
#
# Script to install Shoreline Firewall Core Modules
#
# (c) 2000-2011,2014 - Tom Eastep (teastep@shorewall.net)
# (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
#
# Shorewall documentation is available at http://shorewall.net
#

242
Shorewall-core/lib.cli
View File

@ -266,7 +266,7 @@ search_log() # $1 = IP address to search for
#
# Show traffic control information
#
show_tc() {
show_tc1() {
show_one_tc() {
local device
@ -292,6 +292,19 @@ show_tc() {
}
show_tc() {
echo "$g_product $SHOREWALL_VERSION Traffic Control at $g_hostname - $(date)"
echo
shift
if [ -z "$1" ]; then
$g_tool -t mangle -L -n -v | $output_filter
echo
fi
show_tc1 $1
}
#
# Show classifier information
#
@ -928,6 +941,66 @@ show_actions() {
grep -Ev '^\#|^$' ${g_sharedir}/actions.std
fi
}
show_chain() {
echo "$g_product $SHOREWALL_VERSION $([ $# -gt 1 ] && echo "Chains " || [ $# -gt 0 ] && echo "Chain " || echo $table Table)$* at $g_hostname - $(date)"
echo
show_reset
if [ $# -gt 0 ]; then
for chain in $*; do
$g_tool -t $table -L $chain $g_ipt_options | $output_filter
echo
done
else
$g_tool -t $table -L $g_ipt_options | $output_filter
fi
}
show_chains() {
echo "$g_product $SHOREWALL_VERSION $([ $# -gt 1 ] && echo "Chains " || echo "Chain ")$* at $g_hostname - $(date)"
echo
show_reset
for chain in $*; do
$g_tool -t $table -L $chain $g_ipt_options | $output_filter
echo
done
}
show_table() {
echo "$g_product $SHOREWALL_VERSION $table Table at $g_hostname - $(date)"
echo
show_reset
$g_tool -t $table -L $g_ipt_options | $output_filter
}
show_nat() {
echo "$g_product $SHOREWALL_VERSION NAT Table at $g_hostname - $(date)"
echo
show_reset
$g_tool -t nat -L $g_ipt_options | $output_filter
}
show_macros() {
for directory in $(split $CONFIG_PATH); do
temp=
for macro in ${directory}/macro.*; do
case $macro in
*\*)
;;
*)
if [ -z "$temp" ]; then
echo
echo "Macros in $directory:"
echo
temp=Yes
fi
show_macro
;;
esac
done
done
}
#
# Show Command Executor
#
@ -1084,31 +1157,28 @@ show_command() {
;;
nat)
[ $# -gt 1 ] && usage 1
echo "$g_product $SHOREWALL_VERSION NAT Table at $g_hostname - $(date)"
echo
show_reset
$g_tool -t nat -L $g_ipt_options | $output_filter
eval show_nat $g_pager
;;
raw)
[ $# -gt 1 ] && usage 1
echo "$g_product $SHOREWALL_VERSION RAW Table at $g_hostname - $(date)"
echo
show_reset
$g_tool -t raw -L $g_ipt_options | $output_filter
eval { echo "$g_product $SHOREWALL_VERSION RAW Table at $g_hostname - $(date)"
echo
show_reset
$g_tool -t raw -L $g_ipt_options | $output_filter } $g_pager
;;
rawpost)
[ $# -gt 1 ] && usage 1
echo "$g_product $SHOREWALL_VERSION RAWPOST Table at $g_hostname - $(date)"
echo
show_reset
$g_tool -t rawpost -L $g_ipt_options | $output_filter
eval { echo "$g_product $SHOREWALL_VERSION RAWPOST Table at $g_hostname - $(date)"
echo
show_reset
$g_tool -t rawpost -L $g_ipt_options | $output_filter } $g_pager
;;
tos|mangle)
[ $# -gt 1 ] && usage 1
echo "$g_product $SHOREWALL_VERSION Mangle Table at $g_hostname - $(date)"
echo
show_reset
$g_tool -t mangle -L $g_ipt_options | $output_filter
eval { echo "$g_product $SHOREWALL_VERSION Mangle Table at $g_hostname - $(date)"
echo
show_reset
$g_tool -t mangle -L $g_ipt_options | $output_filter } $g_pager
;;
log)
[ $# -gt 2 ] && usage 1
@ -1128,22 +1198,13 @@ show_command() {
;;
tc)
[ $# -gt 2 ] && usage 1
echo "$g_product $SHOREWALL_VERSION Traffic Control at $g_hostname - $(date)"
echo
shift
if [ -z "$1" ]; then
$g_tool -t mangle -L -n -v | $output_filter
echo
fi
show_tc $1
eval show_tc $g_pager
;;
classifiers|filters)
[ $# -gt 1 ] && usage 1
echo "$g_product $SHOREWALL_VERSION Classifiers at $g_hostname - $(date)"
echo
show_classifiers
eval { echo "$g_product $SHOREWALL_VERSION Classifiers at $g_hostname - $(date)"
echo
show_classifiers } $g_pager
;;
zones)
[ $# -gt 1 ] && usage 1
@ -1173,22 +1234,22 @@ show_command() {
determine_capabilities
VERBOSITY=2
if [ -n "$g_filemode" ]; then
report_capabilities1
eval report_capabilities1 $g_pager
else
report_capabilities
eval report_capabilities $g_pager
fi
;;
ip)
[ $# -gt 1 ] && usage 1
echo "$g_product $SHOREWALL_VERSION IP at $g_hostname - $(date)"
echo
ip -$g_family addr list
eval { echo "$g_product $SHOREWALL_VERSION IP at $g_hostname - $(date)"
echo
ip -$g_family addr list } $g_pager
;;
routing)
[ $# -gt 1 ] && usage 1
echo "$g_product $SHOREWALL_VERSION Routing at $g_hostname - $(date)"
echo
show_routing
eval { echo "$g_product $SHOREWALL_VERSION Routing at $g_hostname - $(date)"
echo
show_routing } $g_pager
;;
config)
. ${g_sharedir}/configpath
@ -1210,33 +1271,23 @@ show_command() {
;;
chain)
shift
echo "$g_product $SHOREWALL_VERSION $([ $# -gt 1 ] && echo "Chains " || [ $# -gt 0 ] && echo "Chain " || echo $table Table)$* at $g_hostname - $(date)"
echo
show_reset
if [ $# -gt 0 ]; then
for chain in $*; do
$g_tool -t $table -L $chain $g_ipt_options | $output_filter
echo
done
else
$g_tool -t $table -L $g_ipt_options | $output_filter
fi
eval show_chain $@ $g_pager
;;
vardir)
echo $VARDIR;
;;
policies)
[ $# -gt 1 ] && usage 1
echo "$g_product $SHOREWALL_VERSION Policies at $g_hostname - $(date)"
echo
[ -f ${VARDIR}/policies ] && cat ${VARDIR}/policies;
eval { echo "$g_product $SHOREWALL_VERSION Policies at $g_hostname - $(date)"
echo
[ -f ${VARDIR}/policies ] && cat ${VARDIR}/policies } $g_pager
;;
ipa)
[ $g_family -eq 4 ] || usage 1
echo "$g_product $SHOREWALL_VERSION per-IP Accounting at $g_hostname - $(date)"
echo
[ $# -gt 1 ] && usage 1
perip_accounting
eval { echo "$g_product $SHOREWALL_VERSION per-IP Accounting at $g_hostname - $(date)"
echo
[ $# -gt 1 ] && usage 1
perip_accounting } $g_pager
;;
marks)
[ $# -gt 1 ] && usage 1
@ -1246,17 +1297,17 @@ show_command() {
;;
nfacct)
[ $# -gt 1 ] && usage 1
echo "$g_product $SHOREWALL_VERSION NF Accounting at $g_hostname - $(date)"
echo
show_nfacct
eval { echo "$g_product $SHOREWALL_VERSION NF Accounting at $g_hostname - $(date)"
echo
show_nfacct } $g_pager
;;
arptables)
[ $# -gt 1 ] && usage 1
resolve_arptables
if [ -n "$arptables" -a -x $arptables ]; then
echo "$g_product $SHOREWALL_VERSION arptables at $g_hostname - $(date)"
echo
$arptables -L -n -v
eval { echo "$g_product $SHOREWALL_VERSION arptables at $g_hostname - $(date)"
echo
$arptables -L -n -v } $g_pager
else
error_message "Cannot locate the arptables executable"
fi
@ -1270,9 +1321,9 @@ show_command() {
;;
events)
[ $# -gt 1 ] && usage 1
echo "$g_product $SHOREWALL_VERSION events at $g_hostname - $(date)"
echo
show_events
eval { echo "$g_product $SHOREWALL_VERSION events at $g_hostname - $(date)"
echo
show_events } $g_pager
;;
bl|blacklists)
[ $# -gt 1 ] && usage 1
@ -1298,7 +1349,7 @@ show_command() {
case $1 in
actions)
[ $# -gt 1 ] && usage 1
show_actions | sort
eval show_actions | sort $pager
return
;;
macro)
@ -1315,25 +1366,7 @@ show_command() {
;;
macros)
[ $# -gt 1 ] && usage 1
for directory in $(split $CONFIG_PATH); do
temp=
for macro in ${directory}/macro.*; do
case $macro in
*\*)
;;
*)
if [ -z "$temp" ]; then
echo
echo "Macros in $directory:"
echo
temp=Yes
fi
show_macro
;;
esac
done
done
eval show_macros $g_pager
return
;;
esac
@ -1353,20 +1386,11 @@ show_command() {
error_message "ERROR: Chain '$chain' is not recognized by $g_tool."
exit 1
fi
done
done
echo "$g_product $SHOREWALL_VERSION $([ $# -gt 1 ] && echo "Chains " || echo "Chain ")$* at $g_hostname - $(date)"
echo
show_reset
for chain in $*; do
$g_tool -t $table -L $chain $g_ipt_options | $output_filter
echo
done
eval show_chains $@ $g_pager
else
echo "$g_product $SHOREWALL_VERSION $table Table at $g_hostname - $(date)"
echo
show_reset
$g_tool -t $table -L $g_ipt_options | $output_filter
eval show_table $g_pager
fi
;;
esac
@ -1417,12 +1441,16 @@ dump_filter() {
;;
esac
$command $filter
eval $command $filter $g_pager
else
cat -
fi
}
dump_filter_wrapper() {
eval dump_filter $g_pager
}
#
# Dump Command Executor
#
@ -1633,14 +1661,14 @@ do_dump_command() {
if [ -n "$TC_ENABLED" ]; then
heading "Traffic Control"
show_tc
show_tc1
heading "TC Filters"
show_classifiers
fi
}
dump_command() {
do_dump_command $@ | dump_filter
do_dump_command $@ | dump_filter_wrapper
}
#
@ -4040,6 +4068,7 @@ shorewall_cli() {
g_counters=
g_loopback=
g_compiled=
g_pager=
VERBOSE=
VERBOSITY=1
@ -4194,6 +4223,19 @@ shorewall_cli() {
;;
esac
if [ -t 1 ]; then
#
# Output is to a terminal -- use a pager on commands with verbose output
#
if qt mywhich less; then
g_pager='| less'
elif qt mywhich more; then
g_pager='| more'
else
g_pager=''
fi
fi
COMMAND=$1
case "$COMMAND" in

2
Shorewall-core/uninstall.sh
View File

@ -2,7 +2,7 @@
#
# Script to back uninstall Shoreline Firewall
#
# (c) 2000-2014 - Tom Eastep (teastep@shorewall.net)
# (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
#
# Shorewall documentation is available at http://www.shorewall.net
#

2
Shorewall-init/install.sh
View File

@ -2,7 +2,7 @@
#
# Script to install Shoreline Firewall Init
#
# (c) 2000-20114 - Tom Eastep (teastep@shorewall.net)
# (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
# (c) 2010 - Roberto C. Sanchez (roberto@connexer.com)
#
# Shorewall documentation is available at http://shorewall.net

2
Shorewall-init/uninstall.sh
View File

@ -2,7 +2,7 @@
#
# Script to back uninstall Shoreline Firewall
#
# (c) 2000-2014 - Tom Eastep (teastep@shorewall.net)
# (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
#
# Shorewall documentation is available at http://shorewall.sourceforge.net
#

2
Shorewall-lite/install.sh
View File

@ -2,7 +2,7 @@
#
# Script to install Shoreline Firewall Lite
#
# (c) 2000-2011,2014 - Tom Eastep (teastep@shorewall.net)
# (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
#
# Shorewall documentation is available at http://shorewall.net
#

2
Shorewall-lite/uninstall.sh
View File

@ -2,7 +2,7 @@
#
# Script to back uninstall Shoreline Firewall
#
# (c) 2000-2011,2014 - Tom Eastep (teastep@shorewall.net)
# (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
#
# Shorewall documentation is available at http://shorewall.sourceforge.net
#

4
Shorewall/Macros/macro.SNMPTrap
View File

@ -1,9 +1,9 @@
#
# Shorewall - /usr/share/shorewall/macro.SNMPtrap
#
# This macro handles SNMP traps.
# This macro deprecated by SNMPtrap.
#
###############################################################################
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
PARAM - - udp 162
SNMPtrap

9
Shorewall/Macros/macro.SNMPtrap Normal file
View File

@ -0,0 +1,9 @@
#
# Shorewall - /usr/share/shorewall/macro.SNMPtrap
#
# This macro handles SNMP traps.
#
###############################################################################
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
PARAM - - udp 162

147
Shorewall/Perl/Shorewall/Chains.pm
View File

@ -264,6 +264,7 @@ our %EXPORT_TAGS = (
have_address_variables
set_global_variables
save_dynamic_chains
save_docker_rules
load_ipsets
create_save_ipsets
validate_nfobject
@ -1525,8 +1526,7 @@ sub create_irule( $$$;@ ) {
}
#
# Clone an existing rule. Only the rule hash itself is cloned; reference values are shared between the new rule
# reference and the old.
# Clone an existing rule.
#
sub clone_irule( $ ) {
my $oldruleref = $_[0];
@ -2989,11 +2989,31 @@ sub initialize_chain_table($) {
}
}
my $chainref;
if ( $full ) {
#
# Create this chain early in case it is needed by Policy actions
#
new_standard_chain 'reject';
if ( $config{DOCKER} ) {
$chainref = new_nat_chain( $globals{POSTROUTING} = 'SHOREWALL' );
set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
}
}
if ( my $docker = $config{DOCKER} ) {
add_commands( $nat_table->{POSTROUTING}, '[ -f ${VARDIR}/.nat_POSTROUTING ] && cat ${VARDIR}/.nat_POSTROUTING >&3' );
$chainref = new_standard_chain( 'DOCKER' );
set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER ] && cat ${VARDIR}/.filter_DOCKER >&3' );
$chainref = new_nat_chain( 'DOCKER' );
set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
add_commands( $chainref, '[ -f ${VARDIR}/.nat_DOCKER ] && cat ${VARDIR}/.nat_DOCKER >&3' );
$chainref = new_standard_chain( 'DOCKER-ISOLATION' );
set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION >&3' );
}
my $ruleref = transform_rule( $globals{LOGLIMIT} );
@ -8043,6 +8063,32 @@ sub emitr1( $$ ) {
#
# Emit code to save the dynamic chains to hidden files in ${VARDIR}
#
sub save_docker_rules($) {
my $tool = $_[0];
emit( qq(if [ -n "\$g_docker" ]; then),
qq( $tool -t nat -S DOCKER | tail -n +2 > \$VARDIR/.nat_DOCKER),
qq( $tool -t nat -S POSTROUTING | tail -n +2 | fgrep -v SHOREWALL > \$VARDIR/.nat_POSTROUTING),
qq( $tool -t filter -S DOCKER | tail -n +2 > \$VARDIR/.filter_DOCKER),
qq( [ -n "\$g_dockernetwork" ] && $tool -t filter -S DOCKER-ISOLATION | tail -n +2 > \$VARDIR/.filter_DOCKER-ISOLATION)
);
if ( known_interface( 'docker0' ) ) {
emit( qq( $tool -t filter -S FORWARD | grep '^-A FORWARD.*[io] br-[a-z0-9]\\{12\\}' > \$VARDIR/.filter_FORWARD) );
} else {
emit( qq( $tool -t filter -S FORWARD | egrep '^-A FORWARD.*[io] (docker0|br-[a-z0-9]{12})' > \$VARDIR/.filter_FORWARD) );
}
emit( qq( [ -s \$VARDIR/.filter_FORWARD ] || rm -f \$VARDIR/.filter_FORWARD),
qq(else),
qq( rm -f \$VARDIR/.nat_DOCKER),
qq( rm -f \$VARDIR/.nat_POSTROUTING),
qq( rm -f \$VARDIR/.filter_DOCKER),
qq( rm -f \$VARDIR/.filter_DOCKER-ISOLATION),
qq( rm -f \$VARDIR/.filter_FORWARD),
qq(fi)
)
}
sub save_dynamic_chains() {
@ -8077,25 +8123,23 @@ else
rm -f \${VARDIR}/.dynamic
fi
EOF
emit(''), save_docker_rules( $tool ) if $config{DOCKER};
} else {
$tool = $family == F_IPV4 ? '${IPTABLES}-save' : '${IP6TABLES}-save';
emit <<"EOF";
if chain_exists 'UPnP -t nat'; then
$tool -t nat | grep '^-A UPnP ' > \${VARDIR}/.UPnP
$utility -t nat | grep '^-A UPnP ' > \${VARDIR}/.UPnP
else
rm -f \${VARDIR}/.UPnP
fi
if chain_exists forwardUPnP; then
$tool -t filter | grep '^-A forwardUPnP ' > \${VARDIR}/.forwardUPnP
$utility -t filter | grep '^-A forwardUPnP ' > \${VARDIR}/.forwardUPnP
else
rm -f \${VARDIR}/.forwardUPnP
fi
if chain_exists dynamic; then
$tool -t filter | grep '^-A dynamic ' > \${VARDIR}/.dynamic
$utility -t filter | grep '^-A dynamic ' > \${VARDIR}/.dynamic
else
rm -f \${VARDIR}/.dynamic
fi
@ -8115,10 +8159,11 @@ EOF
emit( qq(if [ "\$COMMAND" = stop -o "\$COMMAND" = clear ]; then),
qq( if chain_exists dynamic; then),
qq( $tool -S dynamic | tail -n +2 > \${VARDIR}/.dynamic) );
emit( '' ), save_docker_rules( $tool ) if $config{DOCKER};
} else {
emit( qq(if [ "\$COMMAND" = stop -o "\$COMMAND" = clear ]; then),
qq( if chain_exists dynamic; then),
qq( $tool -t filter | grep '^-A dynamic ' > \${VARDIR}/.dynamic) );
qq( $utility -t filter | grep '^-A dynamic ' > \${VARDIR}/.dynamic) );
}
emit <<"EOF";
@ -8421,7 +8466,7 @@ sub create_netfilter_load( $ ) {
my @chains;
#
# iptables-restore seems to be quite picky about the order of the builtin chains
# Iptables-restore seems to be quite picky about the order of the builtin chains
#
for my $chain ( @builtins ) {
my $chainref = $chain_table{$table}{$chain};
@ -8437,8 +8482,25 @@ sub create_netfilter_load( $ ) {
for my $chain ( grep $chain_table{$table}{$_}->{referenced} , ( sort keys %{$chain_table{$table}} ) ) {
my $chainref = $chain_table{$table}{$chain};
unless ( $chainref->{builtin} ) {
assert( $chainref->{cmdlevel} == 0 , $chainref->{name} );
emit_unindented ":$chainref->{name} - [0:0]";
my $name = $chainref->{name};
assert( $chainref->{cmdlevel} == 0 , $name );
if ( $name =~ /^DOCKER/ ) {
if ( $name eq 'DOCKER' ) {
enter_cmd_mode;
emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
enter_cat_mode;
} elsif ( $name eq 'DOCKER-ISOLATION' ) {
enter_cmd_mode;
emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
enter_cat_mode;
} else {
emit_unindented ":$name - [0:0]";
}
} else {
emit_unindented ":$name - [0:0]";
}
push @chains, $chainref;
}
}
@ -8524,8 +8586,24 @@ sub preview_netfilter_load() {
for my $chain ( grep $chain_table{$table}{$_}->{referenced} , ( sort keys %{$chain_table{$table}} ) ) {
my $chainref = $chain_table{$table}{$chain};
unless ( $chainref->{builtin} ) {
assert( $chainref->{cmdlevel} == 0, $chainref->{name} );
print ":$chainref->{name} - [0:0]\n";
my $name = $chainref->{name};
assert( $chainref->{cmdlevel} == 0 , $name );
if ( $name =~ /^DOCKER/ ) {
if ( $name eq 'DOCKER' ) {
enter_cmd_mode;
emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
enter_cat_mode;
} elsif ( $name eq 'DOCKER-ISOLATION' ) {
enter_cmd_mode;
emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
enter_cat_mode;
} else {
emit_unindented ":$name - [0:0]";
}
} else {
emit_unindented ":$name - [0:0]";
}
push @chains, $chainref;
}
}
@ -8710,13 +8788,11 @@ sub create_stop_load( $ ) {
emit '';
emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY,
'',
'progress_message2 "Running $command..."',
'',
'$command <<__EOF__' );
save_progress_message "Preparing $utility input...";
$mode = CAT_MODE;
emit "exec 3>\${VARDIR}/.${utility}-stop-input";
enter_cat_mode;
unless ( $test ) {
my $date = localtime;
@ -8746,8 +8822,24 @@ sub create_stop_load( $ ) {
for my $chain ( grep $chain_table{$table}{$_}->{referenced} , ( sort keys %{$chain_table{$table}} ) ) {
my $chainref = $chain_table{$table}{$chain};
unless ( $chainref->{builtin} ) {
assert( $chainref->{cmdlevel} == 0 , $chainref->{name} );
emit_unindented ":$chainref->{name} - [0:0]";
my $name = $chainref->{name};
assert( $chainref->{cmdlevel} == 0 , $name );
if ( $name =~ /^DOCKER/ ) {
if ( $name eq 'DOCKER' ) {
enter_cmd_mode;
emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
enter_cat_mode;
} elsif ( $name eq 'DOCKER-ISOLATION' ) {
enter_cmd_mode;
emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
enter_cat_mode;
} else {
emit_unindented ":$name - [0:0]";
}
} else {
emit_unindented ":$name - [0:0]";
}
push @chains, $chainref;
}
}
@ -8760,10 +8852,19 @@ sub create_stop_load( $ ) {
#
# Commit the changes to the table
#
enter_cat_mode unless $mode == CAT_MODE;
emit_unindented 'COMMIT';
}
emit_unindented '__EOF__';
enter_cmd_mode;
emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY );
emit( '',
'progress_message2 "Running $command..."',
'',
"cat \${VARDIR}/.${utility}-stop-input | \$command # Use this nonsensical form to appease SELinux",
);
#
# Test result
#

10
Shorewall/Perl/Shorewall/Compiler.pm
View File

@ -261,7 +261,15 @@ sub generate_script_2() {
'# The library requires that ${VARDIR} exist',
'#',
'[ -d ${VARDIR} ] || mkdir -p ${VARDIR}'
);
);
if ( $config{DOCKER} ) {
emit( '',
'chain_exists DOCKER nat && chain_exists DOCKER && g_docker=Yes',
);
emit( 'chain_exists DOCKER-ISOLATION && g_dockernetwork=Yes]' );
emit( '' );
}
pop_indent;

11
Shorewall/Perl/Shorewall/Config.pm
View File

@ -736,6 +736,7 @@ sub initialize( $;$$) {
RPFILTER_LOG_TAG => '',
INVALID_LOG_TAG => '',
UNTRACKED_LOG_TAG => '',
POSTROUTING => 'POSTROUTING',
);
#
# From shorewall.conf file
@ -874,6 +875,7 @@ sub initialize( $;$$) {
WORKAROUNDS => undef ,
LEGACY_RESTART => undef ,
RESTART => undef ,
DOCKER => undef ,
#
# Packet Disposition
#
@ -5857,6 +5859,13 @@ sub get_configuration( $$$$ ) {
default_yes_no 'INLINE_MATCHES' , '';
default_yes_no 'BASIC_FILTERS' , '';
default_yes_no 'WORKAROUNDS' , 'Yes';
default_yes_no 'DOCKER' , '';
if ( $config{DOCKER} ) {
fatal_error "DOCKER=Yes is not allowed in Shorewall6" if $family == F_IPV6;
require_capability( 'IPTABLES_S', 'DOCKER=Yes', 's' );
require_capability( 'ADDRTYPE', ' DOCKER=Yes', 's' );
}
if ( supplied( $val = $config{RESTART} ) ) {
fatal_error "Invalid value for RESTART ($val)" unless $val =~ /^(restart|reload)$/;
@ -6429,7 +6438,7 @@ sub generate_aux_config() {
if ( -f $fn ) {
emit( '',
'dump_filter() {' );
'dump_filter1() {' );
push_indent;
append_file( $fn,1 ) or emit 'cat -';
pop_indent;

46
Shorewall/Perl/Shorewall/Misc.pm
View File

@ -628,6 +628,22 @@ sub process_stoppedrules() {
$result;
}
sub create_docker_rules() {
add_commands( $nat_table->{PREROUTING} , '[ -n "$g_docker" ] && echo "-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER" >&3' );
add_commands( $nat_table->{OUTPUT} , '[ -n "$g_docker" ] && echo "-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER" >&3' );
my $chainref = $filter_table->{FORWARD};
add_commands( $chainref, '[ -n "$g_dockernetwork" ] && echo "-A FORWARD -j DOCKER-ISOLATION" >&3', );
if ( known_interface('docker0') ) {
add_commands( $filter_table->{FORWARD}, '[ -n "$g_docker" ] && echo "-A FORWARD -o docker0 -j DOCKER" >&3' );
}
add_commands( $chainref, '[ -f $VARDIR/.filter_FORWARD ] && cat $VARDIR/.filter_FORWARD >&3', );
}
sub setup_mss();
sub add_common_rules ( $ ) {
@ -646,6 +662,10 @@ sub add_common_rules ( $ ) {
my $level = $config{BLACKLIST_LOG_LEVEL};
my $tag = $globals{BLACKLIST_LOG_TAG};
my $rejectref = $filter_table->{reject};
#
# Insure that Docker jumps are early in the builtin chains
#
create_docker_rules if $config{DOCKER};
if ( $config{DYNAMIC_BLACKLIST} ) {
add_rule_pair( set_optflags( new_standard_chain( 'logdrop' ) , DONT_OPTIMIZE | DONT_DELETE ), '' , 'DROP' , $level , $tag);
@ -1508,13 +1528,15 @@ sub add_interface_jumps {
# Add Nat jumps
#
for my $interface ( @_ ) {
addnatjump 'POSTROUTING' , snat_chain( $interface ), imatch_dest_dev( $interface );
addnatjump $globals{POSTROUTING} , snat_chain( $interface ), imatch_dest_dev( $interface );
}
addnatjump( 'POSTROUTING', 'SHOREWALL' ) if $config{DOCKER};
for my $interface ( @interfaces ) {
addnatjump 'PREROUTING' , input_chain( $interface ) , imatch_source_dev( $interface );
addnatjump 'POSTROUTING' , output_chain( $interface ) , imatch_dest_dev( $interface );
addnatjump 'POSTROUTING' , masq_chain( $interface ) , imatch_dest_dev( $interface );
addnatjump $globals{POSTROUTING} , output_chain( $interface ) , imatch_dest_dev( $interface );
addnatjump $globals{POSTROUTING} , masq_chain( $interface ) , imatch_dest_dev( $interface );
if ( have_capability 'RAWPOST_TABLE' ) {
insert_ijump ( $rawpost_table->{POSTROUTING}, j => postrouting_chain( $interface ), 0, imatch_dest_dev( $interface) ) if $rawpost_table->{postrouting_chain $interface};
@ -2246,8 +2268,8 @@ sub generate_matrix() {
#
# Make sure that the 1:1 NAT jumps are last in PREROUTING
#
addnatjump 'PREROUTING' , 'nat_in';
addnatjump 'POSTROUTING' , 'nat_out';
addnatjump 'PREROUTING' , 'nat_in';
addnatjump $globals{POSTROUTING} , 'nat_out';
add_interface_jumps @interfaces unless $interface_jumps_added;
@ -2455,6 +2477,16 @@ EOF
EOF
if ( $config{DOCKER} ) {
push_indent;
emit( 'if [ $COMMAND = stop ]; then' );
push_indent;
save_docker_rules( $family == F_IPV4 ? '${IPTABLES}' : '${IP6TABLES}');
pop_indent;
emit( "fi\n");
pop_indent;
}
if ( have_capability( 'NAT_ENABLED' ) ) {
emit<<'EOF';
if [ -f ${VARDIR}/nat ]; then
@ -2504,6 +2536,10 @@ EOF
emit( 'undo_routing',
"restore_default_route $config{USE_DEFAULT_RT}"
);
#
# Insure that Docker jumps are early in the builtin chains
#
create_docker_rules if $config{DOCKER};
if ( $config{ADMINISABSENTMINDED} ) {
add_ijump $filter_table ->{$_}, j => 'ACCEPT', state_imatch 'ESTABLISHED,RELATED' for qw/INPUT FORWARD/;

30
Shorewall/Perl/Shorewall/Providers.pm
View File

@ -481,17 +481,22 @@ sub process_a_provider( $ ) {
$interface = $interfaceref->{name} unless $interfaceref->{wildcard};
}
my $gatewaycase = '';
if ( $physical =~ /\+$/ ) {
return 0 if $pseudo;
fatal_error "Wildcard interfaces ($physical) may not be used as provider interfaces";
}
if ( $gateway eq 'detect' ) {
my $gatewaycase = '';
my $gw;
if ( ( $gw = lc $gateway ) eq 'detect' ) {
fatal_error "Configuring multiple providers through one interface requires an explicit gateway" if $shared;
$gateway = get_interface_gateway $interface;
$gatewaycase = 'detect';
} elsif ( $gw eq 'none' ) {
fatal_error "Configuring multiple providers through one interface requires a gateway" if $shared;
$gatewaycase = 'none';
$gateway = '';
} elsif ( $gateway && $gateway ne '-' ) {
( $gateway, $mac ) = split_host_list( $gateway, 0 );
validate_address $gateway, 0;
@ -506,7 +511,7 @@ sub process_a_provider( $ ) {
$gatewaycase = 'specified';
} else {
$gatewaycase = 'none';
$gatewaycase = 'omitted';
fatal_error "Configuring multiple providers through one interface requires a gateway" if $shared;
$gateway = '';
}
@ -529,10 +534,12 @@ sub process_a_provider( $ ) {
} elsif ( $option eq 'notrack' ) {
$track = 0;
} elsif ( $option =~ /^balance=(\d+)$/ ) {
fatal_error q('balance' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
fatal_error q('balance=<weight>' is not available in IPv6) if $family == F_IPV6;
fatal_error 'The balance setting must be non-zero' unless $1;
$balance = $1;
} elsif ( $option eq 'balance' || $option eq 'primary') {
fatal_error qq('$option' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
$balance = 1;
} elsif ( $option eq 'loose' ) {
$loose = 1;
@ -550,11 +557,13 @@ sub process_a_provider( $ ) {
} elsif ( $option =~ /^mtu=(\d+)$/ ) {
$mtu = "mtu $1 ";
} elsif ( $option =~ /^fallback=(\d+)$/ ) {
fatal_error q('fallback' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
fatal_error q('fallback=<weight>' is not available in IPv6) if $family == F_IPV6;
$default = $1;
$default_balance = 0;
fatal_error 'fallback must be non-zero' unless $default;
} elsif ( $option eq 'fallback' ) {
fatal_error q('fallback' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
$default = -1;
$default_balance = 0;
} elsif ( $option eq 'local' ) {
@ -567,6 +576,7 @@ sub process_a_provider( $ ) {
$track = 0 if $config{TRACK_PROVIDERS};
$default_balance = 0 if $config{USE_DEFAULT_RT};
} elsif ( $option =~ /^load=(0?\.\d{1,8})/ ) {
fatal_error q('fallback' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
$load = sprintf "%1.8f", $1;
require_capability 'STATISTIC_MATCH', "load=$1", 's';
} elsif ( $option eq 'autosrc' ) {
@ -596,13 +606,13 @@ sub process_a_provider( $ ) {
fatal_error "A provider interface must have at least one associated zone" unless $tproxy || %{interface_zones($interface)};
if ( $local ) {
fatal_error "GATEWAY not valid with 'local' provider" unless $gatewaycase eq 'none';
fatal_error "GATEWAY not valid with 'local' provider" unless $gatewaycase eq 'omitted';
fatal_error "'track' not valid with 'local'" if $track;
fatal_error "DUPLICATE not valid with 'local'" if $duplicate ne '-';
fatal_error "'persistent' is not valid with 'local" if $persistent;
} elsif ( $tproxy ) {
fatal_error "Only one 'tproxy' provider is allowed" if $tproxies++;
fatal_error "GATEWAY not valid with 'tproxy' provider" unless $gatewaycase eq 'none';
fatal_error "GATEWAY not valid with 'tproxy' provider" unless $gatewaycase eq 'omitted';
fatal_error "'track' not valid with 'tproxy'" if $track;
fatal_error "DUPLICATE not valid with 'tproxy'" if $duplicate ne '-';
fatal_error "MARK not allowed with 'tproxy'" if $mark ne '-';
@ -649,7 +659,7 @@ sub process_a_provider( $ ) {
warning_message q(The 'proxyndp' option is dangerous when specified on a Provider interface) if get_interface_option( $interface, 'proxyndp' );
}
$balance = $default_balance unless $balance;
$balance = $default_balance unless $balance || $gatewaycase eq 'none';
fatal_error "Interface $interface is already associated with non-shared provider $provider_interfaces{$interface}" if $provider_interfaces{$interface};
@ -789,7 +799,7 @@ sub add_a_provider( $$ ) {
push_indent;
if ( $gatewaycase eq 'none' ) {
if ( $gatewaycase eq 'omitted' ) {
if ( $tproxy ) {
emit 'run_ip route add local ' . ALLIP . " dev $physical table $id";
} else {
@ -867,7 +877,7 @@ sub add_a_provider( $$ ) {
}
$provider_interfaces{$interface} = $table;
if ( $gatewaycase eq 'none' ) {
if ( $gatewaycase eq 'omitted' ) {
if ( $tproxy ) {
emit 'run_ip route add local ' . ALLIP . " dev $physical table $id";
} else {
@ -907,7 +917,7 @@ CEOF
emit ( "run_ip rule add fwmark ${hexmark}${mask} pref $pref table $id",
"echo \"\$IP -$family rule del fwmark ${hexmark}${mask} > /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing"
);
);
}
if ( $duplicate ne '-' ) {

7
Shorewall/Perl/Shorewall/Rules.pm
View File

@ -1178,12 +1178,11 @@ sub finish_section ( $ ) {
#
# Internally, action invocations are uniquely identified by a 5-tuple that
# includes the action name, log level, log tag, calling chain and params.
# The pieces of the tuple are separated by ":".
# The pieces of the tuple are separated by ":". The calling chain is non-empty
# only when the action refers to @CALLER.
#
sub normalize_action( $$$ ) {
my $action = shift;
my $level = shift;
my $param = shift;
my ( $action, $level, $param ) = @_;
my $caller = ''; #We assume that the function doesn't use @CALLER
( $level, my $tag ) = split ':', $level;

19
Shorewall/Perl/Shorewall/Tc.pm
View File

@ -499,6 +499,25 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
},
},
ECN => {
defaultchain => POSTROUTING,
allowedchains => ALLCHAINS,
minparams => 0,
maxparams => 0,
function => sub() {
fatal_error "The ECN target is only available with IPv4" if $family == F_IPV6;
if ( $proto eq '-' ) {
$proto = TCP;
} else {
$proto = resolve_proto( $proto ) || 0;
fatal_error "Only PROTO tcp (6) is allowed with the ECN action" unless $proto == TCP;
}
$target = 'ECN --ecn-tcp-remove';
}
},
HL => {
defaultchain => FORWARD,
allowedchains => PREROUTING | FORWARD,

2
Shorewall/Perl/lib.core
View File

@ -1,4 +1,4 @@
# (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
# (c) 1999-2016 - Tom Eastep (teastep@shorewall.net)
#
# This program is part of Shorewall.
#

2
Shorewall/Perl/prog.footer
View File

@ -125,6 +125,8 @@ g_sha1sum2=
g_counters=
g_compiled=
g_file=
g_docker=
g_dockernetwork=
initialize

2
Shorewall/Samples/Universal/shorewall.conf
View File

@ -146,6 +146,8 @@ DEFER_DNS_RESOLUTION=Yes
DISABLE_IPV6=No
DOCKER=No
DELETE_THEN_ADD=Yes
DETECT_DNAT_IPADDRS=No

2
Shorewall/Samples/one-interface/shorewall.conf
View File

@ -157,6 +157,8 @@ DEFER_DNS_RESOLUTION=Yes
DISABLE_IPV6=No
DOCKER=No
DELETE_THEN_ADD=Yes
DETECT_DNAT_IPADDRS=No

2
Shorewall/Samples/three-interfaces/shorewall.conf
View File

@ -154,6 +154,8 @@ DEFER_DNS_RESOLUTION=Yes
DISABLE_IPV6=No
DOCKER=No
DELETE_THEN_ADD=Yes
DETECT_DNAT_IPADDRS=No

2
Shorewall/Samples/two-interfaces/shorewall.conf
View File

@ -157,6 +157,8 @@ DEFER_DNS_RESOLUTION=Yes
DISABLE_IPV6=No
DOCKER=No
DELETE_THEN_ADD=Yes
DETECT_DNAT_IPADDRS=No

2
Shorewall/configfiles/shorewall.conf
View File

@ -150,6 +150,8 @@ DETECT_DNAT_IPADDRS=No
DISABLE_IPV6=No
DOCKER=No
DONT_LOAD=
DYNAMIC_BLACKLIST=Yes

2
Shorewall/install.sh
View File

@ -2,7 +2,7 @@
#
# Script to install Shoreline Firewall
#
# (c) 2000-201,2014 - Tom Eastep (teastep@shorewall.net)
# (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
#
# Shorewall documentation is available at http://shorewall.net
#

12
Shorewall/manpages/shorewall-mangle.xml
View File

@ -339,6 +339,18 @@ DIVERTHA - - tcp</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">ECN</emphasis></term>
<listitem>
<para>Added in Shorewall 5.0.6 as an alternative to entries in
<ulink url="shorewall-ecn.html">shorewall-ecn(5)</ulink>. If a
PROTO is specified, it must be 'tcp' (6). If no PROTO is
supplied, TCP is assumed. This action causes all ECN bits in
the TCP header to be cleared.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">IMQ</emphasis>(<replaceable>number</replaceable>)</term>

10
Shorewall/manpages/shorewall-providers.xml
View File

@ -130,7 +130,7 @@
<varlistentry>
<term><emphasis role="bold">GATEWAY</emphasis> - {<emphasis
role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>mac</emphasis>]|<emphasis
role="bold">detect</emphasis>}</term>
role="bold">detect|none</emphasis>}</term>
<listitem>
<para>The IP address of the provider's gateway router. Beginning
@ -139,8 +139,12 @@
interface. When the MAC is not specified, Shorewall will detect the
MAC during firewall start or restart.</para>
<para>You can enter "detect" here and Shorewall will attempt to
detect the gateway automatically.</para>
<para>You can enter <emphasis role="bold">detect</emphasis> here and
Shorewall will attempt to detect the gateway automatically.</para>
<para>Beginning with Shorewall 5.0.6, you may also enter <emphasis
role="bold">none</emphasis>. This causes creation of a routing table
with no default route in it.</para>
<para>For PPP devices, you may omit this column.</para>
</listitem>

21
Shorewall/manpages/shorewall.conf.xml
View File

@ -733,6 +733,23 @@
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">DOCKER=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
<listitem>
<para>Added in Shorewall 5.0.6. When set to <option>Yes</option>,
the generated script will save Docker-generated rules before and
restore them after executing the <command>start</command>,
<command>stop</command>, <command>reload</command> and
<command>restart</command> commands. If set to <option>No</option>
(the default), the generated script will delete any Docker-generated
rules when executing those commands. See<ulink url="/Docker.html">
http://www.shorewall.net/Docker.html</ulink> for additional
information.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">DONT_LOAD=</emphasis>[<emphasis>module</emphasis>[,<emphasis>module</emphasis>]...]</term>
@ -763,8 +780,8 @@
<listitem>
<para>Normally, when the SOURCE or DEST columns in
shorewall-policy(5) contains 'all', a single policy chain is created
and the policy is enforced in that chain. For example, if the policy
entry is<programlisting>#SOURCE DEST POLICY LOG
and thes policy is enforced in that chain. For example, if the
policy entry is<programlisting>#SOURCE DEST POLICY LOG
# LEVEL
net all DROP info</programlisting>then the chain name is 'net-all'
('net2all if ZONE2ZONE=2) which is also the chain named in Shorewall

2
Shorewall/uninstall.sh
View File

@ -2,7 +2,7 @@
#
# Script to back uninstall Shoreline Firewall
#
# (c) 2000-2011,2014 - Tom Eastep (teastep@shorewall.net)
# (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
#
# Shorewall documentation is available at http://www.shorewall.net
#

2
Shorewall6-lite/uninstall.sh
View File

@ -2,7 +2,7 @@
#
# Script to back uninstall Shoreline Firewall 6 Lite
#
# (c) 2000-2014 - Tom Eastep (teastep@shorewall.net)
# (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
#
# Shorewall documentation is available at http://shorewall.sourceforge.net
#

10
Shorewall6/manpages/shorewall6-providers.xml
View File

@ -119,13 +119,17 @@
<varlistentry>
<term><emphasis role="bold">GATEWAY</emphasis> - {<emphasis
role="bold">-</emphasis>|<emphasis>address</emphasis>|<emphasis
role="bold">detect</emphasis>}</term>
role="bold">detect|none</emphasis>}</term>
<listitem>
<para>The IP address of the provider's gateway router.</para>
<para>You can enter "detect" here and Shorewall6 will attempt to
detect the gateway automatically.</para>
<para>You can enter <emphasis role="bold">detect</emphasis> here and
Shorewall6 will attempt to detect the gateway automatically.</para>
<para>Beginning with Shorewall 5.0.6, you may also enter <emphasis
role="bold">none</emphasis>. This causes creation of a routing table
with no default route in it.</para>
<para>For PPP devices, you may omit this column.</para>
</listitem>

2
Shorewall6/uninstall.sh
View File

@ -2,7 +2,7 @@
#
# Script to back uninstall Shoreline Firewall 6
#
# (c) 2000-2011,2014 - Tom Eastep (teastep@shorewall.net)
# (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
#
# Shorewall documentation is available at http://www.shorewall.net
#

18
docs/6to4.xml
View File

@ -127,7 +127,7 @@ GATEWAY=::192.88.99.1</programlisting></para>
wireless). eth4 goes to my DMZ which holds a single server. Here is a
diagram of the IPv4 network:</para>
<graphic align="center" fileref="images/Network2009.png" />
<graphic align="center" fileref="images/Network2009.png"/>
<para>Here is the configuration after IPv6 is configured; the part in
bold font is configured by the /etc/init.d/ipv6 script.</para>
@ -283,7 +283,7 @@ ursa:~ #</programlisting></para>
<para>Here is the resulting simple IPv6 Network:</para>
<graphic align="center" fileref="images/Network2009b.png" />
<graphic align="center" fileref="images/Network2009b.png"/>
</section>
<section>
@ -338,7 +338,7 @@ ursa:~ #</programlisting></para>
<para>So the IPv4 network was transformed to this:</para>
<graphic align="center" fileref="images/Network2009a.png" />
<graphic align="center" fileref="images/Network2009a.png"/>
<para>To implement the same IPv6 network as described above, I used this
/etc/shorewall/interfaces file:</para>
@ -407,7 +407,7 @@ iface sit1 inet6 v4tunnel
<para>That file produces the following IPv6 network.</para>
<graphic align="center" fileref="images/Network2008c.png" />
<graphic align="center" fileref="images/Network2008c.png"/>
</section>
<section>
@ -475,7 +475,7 @@ dmz eth2 tcpflags,forward=1</programlisting></par
<para><filename>/etc/shorewall6/policy</filename>:</para>
<blockquote>
<para><programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
<para><programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
net all DROP info
loc net ACCEPT
dmz net ACCEPT
@ -485,7 +485,7 @@ all all REJECT info</programlisting></para>
<para><filename>/etc/shorewall6/rules</filename>:</para>
<blockquote>
<para><programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGINAL RATE USER MARK CONNLIMIT TIME HEADERS SWITCH HELPER
<para><programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH HELPER
?SECTION ALL
?SECTION ESTABLISHED
@ -493,7 +493,6 @@ all all REJECT info</programlisting></para>
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW
# PORT PORT(S) DEST LIMIT GROUP
#
# Accept DNS connections from the firewall to the network
#
@ -505,8 +504,7 @@ SSH(ACCEPT) loc $FW
#
# Allow Ping everywhere
#
Ping(ACCEPT) all all</programlisting>
</para>
Ping(ACCEPT) all all</programlisting></para>
</blockquote>
</section>
</section>
@ -652,7 +650,7 @@ interface eth2 {
<para>Suppose that we have the following situation:</para>
<graphic fileref="images/TwoIPv6Nets1.png" />
<graphic fileref="images/TwoIPv6Nets1.png"/>
<para>We want systems in the 2002:100:333::/64 subnetwork to be able to
communicate with the systems in the 2002:488:999::/64 network. This is

242
docs/Actions.xml
View File

@ -101,13 +101,11 @@
# both directions.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
#TARGET SOURCE DEST PROTO DPORT SPORT RATE USER
ACCEPT - - udp 135,445
ACCEPT - - udp 137:139
ACCEPT - - udp 1024: 137
ACCEPT - - tcp 135,139,445
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
ACCEPT - - tcp 135,139,445</programlisting>
<para>If you wish to modify one of the standard actions, do not modify
the definition in <filename
@ -335,21 +333,11 @@ ACCEPT - - tcp 135,139,445
</orderedlist>
<section>
<title>Shorewall 4.4.16 and Later.</title>
<title>Shorewall 5.0.0 and Later.</title>
<para>Beginning with Shorewall 4.4.16, the columns in action.template
are the same as those in shorewall-rules (5). The first non-commentary
line in the template must be</para>
<programlisting>FORMAT 2</programlisting>
<para>Beginning with Shorewall 4.5.11, the preferred format is as shown
below, and the above format is deprecated.</para>
<programlisting>?FORMAT 2</programlisting>
<para>When using Shorewall 4.4.16 or later, there are no restrictions
regarding which targets can be used within your action.</para>
<para>In Shorewall 5.0, the columns in action.template are the same as
those in shorewall-rules (5). There are no restrictions regarding which
targets can be used within your action.</para>
<para>The SOURCE and DEST columns in the action file may not include
zone names; those are given when the action is invoked.</para>
@ -361,22 +349,18 @@ ACCEPT - - tcp 135,139,445
<para>/etc/shorewall/action.A:</para>
<programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT(S) PORT(S) DEST
FORMAT 2
<programlisting>#TARGET SOURCE DEST PROTO Dport SPORT ORIGDEST
$1 - - tcp 80 - 1.2.3.4</programlisting>
<para>/etc/shorewall/rules:</para>
<programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT(S) PORT(S) DEST
<programlisting>#TARGET SOURCE DEST PROTO DPORT SPORT ORIGDEST
A(REDIRECT) net fw</programlisting>
<para>The above is equivalent to this rule:</para>
<programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT(S) PORT(S) DEST
<programlisting>#TARGET SOURCE DEST PROTO DPORT SPORT ORIGDEST
REDIRECT net - tcp 80 - 1.2.3.4</programlisting>
<para>You can 'omit' parameters by using '-'.</para>
@ -413,194 +397,6 @@ REDIRECT net - tcp 80 - 1.2.3.4</programlisting>
url="configuration_file_basics.htm#ActionVariables">Action Variables
section</ulink> of the Configuration Basics article.</para>
</section>
<section>
<title>Shorewall 4.4.15 and Earlier.</title>
<para>Prior to 4.4.16, columns in the
<filename>action.template</filename> file were as follows:</para>
<itemizedlist>
<listitem>
<para>TARGET - Must be ACCEPT, DROP, REJECT, LOG, CONTINUE, QUEUE or
an &lt;<emphasis>action</emphasis>&gt; where
&lt;<emphasis>action</emphasis>&gt; is a previously-defined action
(that is, it must precede the action being defined in this file in
your <filename>/etc/shorewall/actions</filename> file). These
actions have the same meaning as they do in the
<filename>/etc/shorewall/rules</filename> file (CONTINUE terminates
processing of the current action and returns to the point where that
action was invoked). The TARGET may optionally be followed by a
colon (<quote>:</quote>) and a syslog log level (e.g, REJECT:info or
ACCEPT:debugging). This causes the packet to be logged at the
specified level. You may also specify ULOG (must be in upper case)
as a log level. This will log to the ULOG target for routing to a
separate log through use of ulogd (<ulink
url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>).</para>
<para>You may also use a <ulink url="Macros.html">macro</ulink> in
your action provided that the macro's expansion only results in the
ACTIONs ACCEPT, DROP, REJECT, LOG, CONTINUE, or QUEUE. See
<filename>/usr/share/shorewall/action.Drop</filename> for an example
of an action that users macros extensively.</para>
</listitem>
<listitem>
<para>SOURCE - Source hosts to which the rule applies. A
comma-separated list of subnets and/or hosts. Hosts may be specified
by IP or MAC address; MAC addresses must begin with <quote>~</quote>
and must use <quote>-</quote> as a separator.</para>
<para>Alternatively, clients may be specified by interface name. For
example, eth1 specifies a client that communicates with the firewall
system through eth1. This may be optionally followed by another
colon (<quote>:</quote>) and an IP/MAC/subnet address as described
above (e.g., eth1:192.168.1.5).</para>
</listitem>
<listitem>
<para>DEST - Location of Server. Same as above with the exception
that MAC addresses are not allowed.</para>
</listitem>
<listitem>
<para>PROTO - Protocol - Must be <quote>tcp</quote>,
<quote>udp</quote>, <quote>icmp</quote>, a protocol number, or
<quote>all</quote>.</para>
</listitem>
<listitem>
<para>DEST PORT(S) - Destination Ports. A comma-separated list of
Port names (from <filename>/etc/services</filename>), port numbers
or port ranges; if the protocol is <quote>icmp</quote>, this column
is interpreted as the destination icmp-type(s).</para>
<para>A port range is expressed as &lt;<emphasis>low
port</emphasis>&gt;:&lt;<emphasis>high port</emphasis>&gt;.</para>
<para>This column is ignored if PROTO = <quote>all</quote>, but must
be entered if any of the following fields are supplied. In that
case, it is suggested that this field contain
<quote>-</quote>.</para>
</listitem>
<listitem>
<para>SOURCE PORT(S) - Port(s) used by the client. If omitted, any
source port is acceptable. Specified as a comma-separated list of
port names, port numbers or port ranges.</para>
<para>If you don't want to restrict client ports but need to specify
any of the subsequent fields, then place <quote>-</quote> in this
column.</para>
</listitem>
<listitem>
<para>RATE LIMIT - You may rate-limit the rule by placing a value in
this column:</para>
<para><programlisting> &lt;<emphasis>rate</emphasis>&gt;/&lt;<emphasis>interval</emphasis>&gt;[:&lt;<emphasis>burst</emphasis>&gt;]</programlisting>where
&lt;<emphasis>rate</emphasis>&gt; is the number of connections per
&lt;<emphasis>interval</emphasis>&gt; (<quote>sec</quote> or
<quote>min</quote>) and &lt;<emphasis>burst</emphasis>&gt; is the
largest burst permitted. If no &lt;<emphasis>burst</emphasis>&gt; is
given, a value of 5 is assumed. There may be no whitespace embedded
in the specification.</para>
<para><programlisting> Example: 10/sec:20</programlisting></para>
</listitem>
<listitem>
<para>USER/GROUP - For output rules (those with the firewall as
their source), you may control connections based on the effective
UID and/or GID of the process requesting the connection. This column
can contain any of the following:</para>
<simplelist>
<member>[!]&lt;<emphasis>user number</emphasis>&gt;[:]</member>
<member>[!]&lt;<emphasis>user name</emphasis>&gt;[:]</member>
<member>[!]:&lt;<emphasis>group number</emphasis>&gt;</member>
<member>[!]:&lt;<emphasis>group name</emphasis>&gt;</member>
<member>[!]&lt;<emphasis>user
number</emphasis>&gt;:&lt;<emphasis>group
number</emphasis>&gt;</member>
<member>[!]&lt;<emphasis>user
name</emphasis>&gt;:&lt;<emphasis>group
number</emphasis>&gt;</member>
<member>[!]&lt;<emphasis>user
inumber</emphasis>&gt;:&lt;<emphasis>group
name</emphasis>&gt;</member>
<member>[!]&lt;<emphasis>user
name</emphasis>&gt;:&lt;<emphasis>group
name</emphasis>&gt;</member>
<member>[!]+&lt;<emphasis>program name</emphasis>&gt; (Note:
support for this form was removed from Netfilter in kernel version
2.6.14).</member>
</simplelist>
</listitem>
<listitem>
<para>MARK</para>
<para><simplelist>
<member>[!]&lt;<emphasis>value</emphasis>&gt;[/&lt;<emphasis>mask</emphasis>&gt;][:C]</member>
</simplelist></para>
<para>Defines a test on the existing packet or connection mark. The
rule will match only if the test returns true.</para>
<para>If you dont want to define a test but need to specify
anything in the subsequent columns, place a <quote>-</quote> in this
field.<simplelist>
<member>! — Inverts the test (not equal)</member>
<member>&lt;<emphasis>value</emphasis>&gt; — Value of the packet
or connection mark.</member>
<member>&lt;<emphasis>mask</emphasis>&gt; —A mask to be applied
to the mark before testing.</member>
<member>:C — Designates a connection mark. If omitted, the
packet marks value is tested. This option is only supported by
Shorewall-perl</member>
</simplelist></para>
</listitem>
</itemizedlist>
<para>Omitted column entries should be entered using a dash
(<quote>-</quote>).</para>
<para>Example:</para>
<para><filename>/etc/shorewall/actions</filename>:</para>
<para><programlisting> #ACTION COMMENT (place '# ' below the 'C' in comment followed by
# v a comment describing the action)
LogAndAccept # LOG and ACCEPT a connection</programlisting><emphasis
role="bold">Note:</emphasis> If your
<filename>/etc/shorewall/actions</filename> file doesn't have an
indication where to place the comment, put the <quote>#</quote> in
column 21.</para>
<para><phrase><filename>/etc/shorewall/action.LogAndAccept</filename></phrase><programlisting> LOG:info
ACCEPT</programlisting></para>
<para>Placing a comment on the line causes the comment to appear in the
output of the <command>shorewall show actions</command> command.</para>
<para>To use your action, in <filename>/etc/shorewall/rules</filename>
you might do something like:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
LogAndAccept loc $FW tcp 22</programlisting>
</section>
</section>
<section id="Logging">
@ -625,19 +421,19 @@ LogAndAccept loc $FW tcp 22</programlisting>
<para>/etc/shorewall/action.foo</para>
<programlisting>#TARGET SOURCE DEST PROTO DEST PORT(S)
<programlisting>#TARGET SOURCE DEST PROTO DPORT
ACCEPT - - tcp 22
bar:info</programlisting>
<para>/etc/shorewall/rules:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT
foo:debug $FW net</programlisting>
<para>Logging in the invoke <quote>foo</quote> action will be as if
foo had been defined as:</para>
<programlisting>#TARGET SOURCE DEST PROTO DEST PORT(S)
<programlisting>#TARGET SOURCE DEST PROTO DPORT
ACCEPT:debug - - tcp 22
bar:info</programlisting>
</listitem>
@ -651,19 +447,19 @@ bar:info</programlisting>
<para>/etc/shorewall/action.foo</para>
<programlisting>#TARGET SOURCE DEST PROTO DEST PORT(S)
<programlisting>#TARGET SOURCE DEST PROTO DPORT
ACCEPT - - tcp 22
bar:info</programlisting>
<para>/etc/shorewall/rules:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT
foo:debug! $FW net</programlisting>
<para>Logging in the invoke <quote>foo</quote> action will be as if
foo had been defined as:</para>
<programlisting>#TARGET SOURCE DEST PROTO DEST PORT(S)
<programlisting>#TARGET SOURCE DEST PROTO DPORT
ACCEPT:debug - - tcp 22
bar:debug</programlisting>
</listitem>
@ -1113,22 +909,22 @@ add_rule $chainref, '-d 224.0.0.0/4 -j DROP';
role="bold">SSHA</emphasis>, and to limit SSH connections to 3 per minute,
use this entry in <filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT
Limit:none:SSHA,3,60 net $FW tcp 22</programlisting>
<para>Using Shorewall 4.4.16 or later, you can also invoke the action this
way:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT
Limit(SSHA,3,60):none net $FW tcp 22</programlisting>
<para>If you want dropped connections to be logged at the info level, use
this rule instead:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT
Limit:info:SSHA,3,60 net $FW tcp 22</programlisting>
<para>Shorewall 4.4.16 and later:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
<para>Shorewall 4.4.16 and later:<programlisting>#ACTION SOURCE DEST PROTO DPORT
Limit(SSH,3,60):info net $FW tcp 22</programlisting></para>
<para>To summarize, you pass four pieces of information to the Limit

4
docs/Anatomy.xml
View File

@ -5,7 +5,7 @@
<!--$Id$-->
<articleinfo>
<title>Anatomy of Shorewall 4.5</title>
<title>Anatomy of Shorewall 5.0</title>
<authorgroup>
<author>
@ -43,7 +43,7 @@
<section id="Products">
<title>Products</title>
<para>Shorewall 4.5 consists of six packages.</para>
<para>Shorewall 5.0 consists of six packages.</para>
<orderedlist>
<listitem>

11
docs/ConnectionRate.xml
View File

@ -74,12 +74,11 @@
<section>
<title>Policy Rate Limiting</title>
<para>The LIMIT:BURST column in the
<filename>/etc/shorewall/policy</filename> file applies to TCP
connections that are subject to the policy. The limiting is applied
BEFORE the connection request is passed through the rules generated by
entries in <filename>/etc/shorewall/rules</filename>. Those connections
in excess of the limit are logged and dropped.</para>
<para>The LIMIT column in the <filename>/etc/shorewall/policy</filename>
file applies to TCP connections that are subject to the policy. The
limiting is applied BEFORE the connection request is passed through the
rules generated by entries in <filename>/etc/shorewall/rules</filename>.
Those connections in excess of the limit are logged and dropped.</para>
</section>
<section>

94
docs/Docker.xml Normal file
View File

@ -0,0 +1,94 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<article>
<!--$Id$-->
<articleinfo>
<title>Docker Support</title>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
</authorgroup>
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
<copyright>
<year>2016</year>
<holder>Thomas M. Eastep</holder>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<section>
<title>Shorewall 5.0.5 and Earlier</title>
<para>Both Docker and Shorewall assume that they 'own' the iptables
configuration. This leads to problems when Shorewall is restarted or
reloaded, because it drops all of the rules added by Docker. Fortunately,
the extensibility features in Shorewall allow users to <ulink
url="https://blog.discourse.org/2015/11/shorewalldocker-two-great-tastes-that-taste-great-together/#">create
their own solution</ulink> for saving the Docker-generated rules before
these operations and restoring them afterwards.</para>
</section>
<section>
<title>Shorewall 5.0.6 and Later</title>
<para>Beginning with Shorewall 5.0.6, Shorewall has native support for
simple Docker configurations. This support is enabled by setting
DOCKER=Yes in shorewall.conf. With this setting, the generated script
saves the Docker-created ruleset before executing a
<command>stop</command>, <command>start</command>,
<command>restart</command> or <command>reload</command> operation and
restores those rules along with the Shorewall-generated ruleset.</para>
<para>This support assumes that the default Docker bridge (docker0) is
being used. It is recommended that this bridge be defined to Shorewall in
<ulink
url="manpages/shorewall-interfaces.html">shorewall-interfaces(8)</ulink>.
As shown below, you can control inter-container communication using the
<option>bridge</option> and <option>routeback</option> options. If docker0
is not defined to Shorewall, then Shorewall will save and restore the
FORWARD chain rules involving that interface.</para>
<para><filename>/etc/shorewall/shorewall.conf</filename>:</para>
<programlisting>DOCKER=Yes</programlisting>
<para><filename>/etc/shorewall/zones</filename>:</para>
<programlisting>#ZONE TYPE OPTIONS
dock ipv4 #'dock' is just an example -- call it anything you like</programlisting>
<para><filename>/etc/shorewall/policy</filename>:</para>
<programlisting>#SOURCE DEST POLICY LEVEL
dock $FW REJECT
dock all ACCEPT</programlisting>
<para><filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting>#ZONE INTERFACE OPTIONS
dock docker0 bridge #Allow ICC (bridge implies routeback=1)</programlisting>
<para>or</para>
<programlisting>#ZONE INTERFACE OPTIONS
dock docker0 bridge,routeback=0 #Disallow ICC</programlisting>
</section>
</article>

74
docs/Documentation_Index.xml
View File

@ -265,7 +265,7 @@
</row>
<row>
<entry><ulink url="Dynamic.html">Dynamic Zones</ulink></entry>
<entry><ulink url="Docker.html">Docker</ulink></entry>
<entry><ulink url="starting_and_stopping_shorewall.htm">Operating
Shorewall</ulink></entry>
@ -275,8 +275,7 @@
</row>
<row>
<entry><ulink url="ECN.html">ECN Disabling by host or
subnet</ulink></entry>
<entry><ulink url="Dynamic.html">Dynamic Zones</ulink></entry>
<entry><ulink url="PacketMarking.html">Packet
Marking</ulink></entry>
@ -285,7 +284,8 @@
</row>
<row>
<entry><ulink url="Events.html">Events</ulink></entry>
<entry><ulink url="ECN.html">ECN Disabling by host or
subnet</ulink></entry>
<entry><ulink url="PacketHandling.html">Packet Processing in a
Shorewall-based Firewall</ulink></entry>
@ -294,8 +294,7 @@
</row>
<row>
<entry><ulink url="shorewall_extension_scripts.htm">Extension
Scripts (User Exits)</ulink></entry>
<entry><ulink url="Events.html">Events</ulink></entry>
<entry><ulink url="ping.html">'Ping' Management</ulink></entry>
@ -304,8 +303,8 @@
</row>
<row>
<entry><ulink
url="fallback.htm">Fallback/Uninstall</ulink></entry>
<entry><ulink url="shorewall_extension_scripts.htm">Extension
Scripts (User Exits)</ulink></entry>
<entry><ulink url="two-interface.htm#DNAT">Port
Forwarding</ulink></entry>
@ -315,7 +314,8 @@
</row>
<row>
<entry><ulink url="FAQ.htm">FAQs</ulink></entry>
<entry><ulink
url="fallback.htm">Fallback/Uninstall</ulink></entry>
<entry><ulink url="ports.htm">Port Information</ulink></entry>
@ -324,8 +324,7 @@
</row>
<row>
<entry><ulink
url="shorewall_features.htm">Features</ulink></entry>
<entry><ulink url="FAQ.htm">FAQs</ulink></entry>
<entry><ulink url="PortKnocking.html">Port Knocking
(deprecated)</ulink></entry>
@ -334,8 +333,8 @@
</row>
<row>
<entry><ulink url="Multiple_Zones.html">Forwarding Traffic on the
Same Interface</ulink></entry>
<entry><ulink
url="shorewall_features.htm">Features</ulink></entry>
<entry><ulink url="Events.html">Port Knocking, Auto Blacklisting
and Other Uses of the 'Recent Match'</ulink></entry>
@ -344,18 +343,28 @@
</row>
<row>
<entry><ulink url="FTP.html">FTP and Shorewall</ulink></entry>
<entry><ulink url="Multiple_Zones.html">Forwarding Traffic on the
Same Interface</ulink></entry>
<entry><ulink url="PPTP.htm">PPTP</ulink></entry>
<entry/>
</row>
<row>
<entry><ulink url="FTP.html">FTP and Shorewall</ulink></entry>
<entry><ulink url="ProxyARP.htm">Proxy ARP</ulink></entry>
<entry/>
</row>
<row>
<entry><ulink url="FoolsFirewall.html">Fool's
Firewall</ulink></entry>
<entry><ulink url="ProxyARP.htm">Proxy ARP</ulink></entry>
<entry><ulink url="shorewall_quickstart_guide.htm">QuickStart
Guides</ulink></entry>
<entry/>
</row>
@ -364,8 +373,7 @@
<entry><ulink url="Helpers.html">Helpers/Helper
Modules</ulink></entry>
<entry><ulink url="shorewall_quickstart_guide.htm">QuickStart
Guides</ulink></entry>
<entry><ulink url="NewRelease.html">Release Model</ulink></entry>
<entry/>
</row>
@ -374,14 +382,6 @@
<entry><ulink
url="Install.htm">Installation/Upgrade</ulink></entry>
<entry><ulink url="NewRelease.html">Release Model</ulink></entry>
<entry/>
</row>
<row>
<entry><ulink url="IPP2P.html">IPP2P</ulink></entry>
<entry><ulink
url="shorewall_prerequisites.htm">Requirements</ulink></entry>
@ -389,7 +389,7 @@
</row>
<row>
<entry><ulink url="IPSEC-2.6.html">IPSEC</ulink></entry>
<entry><ulink url="IPP2P.html">IPP2P</ulink></entry>
<entry><ulink url="Shorewall_and_Routing.html">Routing and
Shorewall</ulink></entry>
@ -398,7 +398,7 @@
</row>
<row>
<entry><ulink url="ipsets.html">Ipsets</ulink></entry>
<entry><ulink url="IPSEC-2.6.html">IPSEC</ulink></entry>
<entry><ulink url="Multiple_Zones.html">Routing on One
Interface</ulink></entry>
@ -407,18 +407,27 @@
</row>
<row>
<entry><ulink url="IPv6Support.html">IPv6 Support</ulink></entry>
<entry><ulink url="ipsets.html">Ipsets</ulink></entry>
<entry><ulink url="samba.htm">Samba</ulink></entry>
<entry/>
</row>
<row>
<entry><ulink url="IPv6Support.html">IPv6 Support</ulink></entry>
<entry><ulink url="Events.html">Shorewall Events</ulink></entry>
<entry/>
</row>
<row>
<entry><ulink url="ISO-3661.html">ISO 3661 Country
Codes</ulink></entry>
<entry><ulink url="Events.html">Shorewall Events</ulink></entry>
<entry><ulink url="Shorewall-init.html">Shorewall
Init</ulink></entry>
<entry/>
</row>
@ -427,8 +436,8 @@
<entry><ulink url="Shorewall_and_Kazaa.html">Kazaa
Filtering</ulink></entry>
<entry><ulink url="Shorewall-init.html">Shorewall
Init</ulink></entry>
<entry><ulink url="Shorewall-Lite.html">Shorewall
Lite</ulink></entry>
<entry/>
</row>
@ -437,8 +446,7 @@
<entry><ulink url="kernel.htm">Kernel
Configuration</ulink></entry>
<entry><ulink url="Shorewall-Lite.html">Shorewall
Lite</ulink></entry>
<entry/>
<entry/>
</row>

245
docs/Dynamic.xml
View File

@ -49,140 +49,12 @@
support is based on <ulink
url="http://ipset.netfilter.org/">ipset</ulink>. Most current
distributions have ipset, but you may need to install the <ulink
url="http://xtables-addons.sourceforge.net/">xtables-addons</ulink>.</para>
</section>
<section id="xtables-addons">
<title>Installing xtables-addons</title>
<para>If your distribution does not have an xtables-addons package, the
xtables-addons are fairly easy to install. You do not need to recompile
your kernel.</para>
<para><trademark>Debian</trademark> users can find xtables-addons-common
and xtables-addons-source packages in <firstterm>testing</firstterm>. The
kernel modules can be built and installed with the help of
module-assistant. As of this writing, these packages are in the
<firstterm>admin</firstterm> group rather than in the
<firstterm>network</firstterm> group!!??</para>
<para>For other users, the basic steps are as follows:</para>
<orderedlist>
<listitem>
<para>Install gcc and make</para>
</listitem>
<listitem>
<para>Install the headers for the kernel you are running. In some
distributions, such as <trademark>Debian</trademark> and
<trademark>Ubuntu</trademark>, the packet is called kernel-headers.
For other distrubutions, such as OpenSuSE, you must install the
kernel-source package.</para>
</listitem>
<listitem>
<para>download the iptables source tarball</para>
</listitem>
<listitem>
<para>untar the source</para>
</listitem>
<listitem>
<para>cd to the iptables source directory</para>
</listitem>
<listitem>
<para>run 'make'</para>
</listitem>
<listitem>
<para>as root, run 'make install'</para>
</listitem>
<listitem>
<para>Your new iptables binary will now be installed in
/usr/local/sbin. Modify shorewall.conf to specify
IPTABLES=/usr/local/sbin/iptables</para>
</listitem>
<listitem>
<para>Download the latest xtables-addons source tarball</para>
</listitem>
<listitem>
<para>Untar the xtables-addons source</para>
</listitem>
<listitem>
<para>cd to the xtables-addons source directory</para>
</listitem>
<listitem>
<para>run './configure'</para>
</listitem>
<listitem>
<para>run 'make'</para>
</listitem>
<listitem>
<para>As root, cd to the xtables-addons directory and run 'make
install'.</para>
</listitem>
<listitem>
<para>Restart shorewall</para>
</listitem>
<listitem>
<para>'shorewall show capabilities' should now indicate<emphasis
role="bold"> Ipset Match: Available</emphasis></para>
</listitem>
</orderedlist>
<para>You will have to repeat steps 10-13 each time that you receive a
kernel upgrade from your distribution vendor. You can install
xtables-addons before booting to the new kernel as follows
(<emphasis>new-kernel-version</emphasis> is the version of the
newly-installed kernel - example <emphasis
role="bold">2.6.28.11-generic</emphasis>. Look in the /lib/modules
directory to get the full version name)</para>
<orderedlist>
<listitem>
<para>cd to the xtables-addons source directory</para>
</listitem>
<listitem>
<para>run 'make clean'</para>
</listitem>
<listitem>
<para>run './configure
--with-kbuild=/lib/modules/<emphasis>new-kernel-version</emphasis>/build
--with-ksource=/lib/modules/<emphasis>new-kernel-version</emphasis>/source'</para>
</listitem>
<listitem>
<para>run 'make'</para>
</listitem>
<listitem>
<para>As root, cd to the xtables-addons source directory and run 'make
install'.</para>
</listitem>
<listitem>
<para>As root, run 'depmod -a
<emphasis>new-kernel-version'</emphasis></para>
</listitem>
</orderedlist>
url="http://xtables-addons.sourceforge.net/">xtables-addons</ulink>
package.</para>
</section>
<section>
<title>Dynamic Zones -- Shorewall 4.5.9 and Later</title>
<title>Dynamic Zones</title>
<para>Prior to Shorewall 4.5.9, when multiple records for a zone appear in
<filename>/etc/shorewall/hosts</filename>, Shorewall would create a
@ -288,117 +160,6 @@ rsyncok:
</section>
</section>
<section id="Version-4.5.9">
<title>Dynamic Zones -- Shorewall 4.5.8 and Earlier.</title>
<para>The method described in this section is still supported in the later
releases.</para>
<section id="defining1">
<title>Defining a Dynamic Zone</title>
<para>A dynamic zone is defined by using the keyword <emphasis
role="bold">dynamic</emphasis> in the zones host list.</para>
<para>Example:</para>
<blockquote>
<para><filename>/etc/shorewall/zones</filename>:<programlisting>#NAME TYPE OPTIONS
loc ipv4
webok:loc ipv4</programlisting><filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
loc eth0 - …
</programlisting>
<para><filename>/etc/shorewall/hosts</filename>:</para>
<programlisting>#ZONE HOSTS OPTIONS
webok eth0:<emphasis role="bold">dynamic</emphasis></programlisting>
</blockquote>
<para>Once the above definition is added, Shorewall will automatically
create an ipset named <emphasis>webok_eth0</emphasis> the next time that
Shorewall is started or restarted. Shorewall will create an ipset of
type <firstterm>iphash</firstterm>. If you want to use a different type
of ipset, such as <firstterm>macipmap</firstterm>, then you will want to
manually create that ipset yourself before the next Shorewall
start/restart.</para>
<para>The dynamic zone capability was added to Shorewall6 in Shorewall
4.4.21.</para>
</section>
<section id="adding1">
<title>Adding a Host to a Dynamic Zone</title>
<para>Adding a host to a dynamic zone is accomplished by adding the
host's IP address to the appropriate ipset. Shorewall provldes a command
for doing that:</para>
<blockquote>
<para><command>shorewall add</command> <replaceable>interface:address
...</replaceable> <replaceable>zone</replaceable></para>
</blockquote>
<para>Example:</para>
<blockquote>
<para><command>shorewall add eth0:192.168.3.4 webok</command></para>
</blockquote>
<para>The command can only be used when the ipset involved is of type
iphash. For other ipset types, the <command>ipset</command> command must
be used directly.</para>
</section>
<section id="deleting">
<title>Deleting a Host from a Dynamic Zone</title>
<para>Deleting a host from a dynamic zone is accomplished by removing
the host's IP address from the appropriate ipset. Shorewall provldes a
command for doing that:</para>
<blockquote>
<para><command>shorewall delete</command>
<replaceable>interface:address ...</replaceable>
<replaceable>zone</replaceable></para>
</blockquote>
<para>Example:</para>
<blockquote>
<para><command>shorewall delete eth0:192.168.3.4
webok</command></para>
</blockquote>
<para>The command can only be used when the ipset involved is of type
iphash. For other ipset types, the <command>ipse t</command> command
must be used directly.</para>
</section>
<section id="listing1">
<title>Listing the Contents of a Dynamic Zone</title>
<para>The shorewall show command may be used to list the current
contents of a dynamic zone.</para>
<blockquote>
<para><command>shorewall show dynamic</command>
<replaceable>zone</replaceable></para>
</blockquote>
<para>Example:</para>
<blockquote>
<programlisting><command>shorewall show dynamic webok</command>
eth0:
192.168.3.4
192.168.3.9</programlisting>
</blockquote>
</section>
</section>
<section id="start-stop">
<title>Dynamic Zone Contents and Shorewall stop/start/restart</title>

4
docs/ECN.xml
View File

@ -118,6 +118,10 @@
</tgroup>
</table></para>
</example>
<para>Beginning with Shorewall 5.0.6, you may also specify clearing of the
ECN flags through use of the ECN action in <ulink
url="manpages/shorewall-ecn.html">shorewall-mangle(8)</ulink>.</para>
</section>
<lot/>

14
docs/Events.xml
View File

@ -538,8 +538,7 @@ SetEvent(SSH,ACCEPT,src)</programlisting>
<para><filename>etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT
SSHLIMIT net $FW tcp 22 </programlisting>
<caution>
@ -645,8 +644,7 @@ SSHLIMIT net $FW tcp 22
<para>To duplicate the SSHLIMIT entry in
<filename>/etc/shorewall/rules</filename> shown above:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT
AutoBL(SSH,-,-,-,REJECT,warn)\
net $FW tcp 22 </programlisting>
</section>
@ -688,8 +686,7 @@ Knock #Port Knocking</programlisting>
#
?format 2
###############################################################################
#ACTION SOURCE DEST PROTO DEST
# PORT(S)
#ACTION SOURCE DEST PROTO DPORT
IfEvent(SSH,ACCEPT:info,60,1,src,reset)\
- - tcp 22
SetEvent(SSH,ACCEPT) - - tcp 1600
@ -697,8 +694,7 @@ ResetEvent(SSH,DROP:info) </programlisting>
<para><filename>etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT
Knock net $FW tcp 22,1599-1601 </programlisting>
</section>
@ -750,7 +746,7 @@ KnockEnhanced 'net', '$FW', {name =&gt; 'SSH1', log_level =&gt; 3, proto =&gt; '
<listitem>
<para><emphasis role="bold">original_dest</emphasis> is the rule
ORIGINAL DEST</para>
ORIGDEST</para>
</listitem>
<listitem>

4
docs/FAQ.xml
View File

@ -617,7 +617,7 @@ TOS=0x00 PREC=0x00 TTL=63 ID=23035 PROTO=UDP SPT=6376 DPT=2055 LEN=1472</program
a single address?</title>
<para><emphasis role="bold">Answer</emphasis>: Specify the external
address that you want to redirect in the ORIGINAL DEST column.</para>
address that you want to redirect in the ORIGDEST column.</para>
<para>Example:</para>
@ -1685,7 +1685,7 @@ teastep@ursa:~$ </programlisting>The first number determines the maximum log
<para>You have a policy for traffic from
<replaceable>zone1</replaceable> to
<replaceable>zone2</replaceable> that specifies TCP connection
rate limiting (value in the LIMIT:BURST column). The logged packet
rate limiting (value in the LIMIT column). The logged packet
exceeds that limit and was dropped. Note that these log messages
themselves are severely rate-limited so that a syn-flood won't
generate a secondary DOS because of excessive log message. These

59
docs/FTP.xml
View File

@ -345,23 +345,22 @@ xt_tcpudp 3328 0
HELPER rules allow specification of a helper for connections that are
ACCEPTed by the applicable policy.</para>
<para> Example (loc-&gt;net policy is ACCEPT) - In
<para>Example (loc-&gt;net policy is ACCEPT) - In
/etc/shorewall/rules:</para>
<programlisting>#ACTION SOURCE DEST
FTP(HELPER) loc - </programlisting>
<para>or equivalently </para>
<para>or equivalently</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT
HELPER loc - tcp 21 { helper=ftp }</programlisting>
</listitem>
<listitem>
<para> The set of enabled helpers (either by AUTOHELPERS=Yes or by the
<para>The set of enabled helpers (either by AUTOHELPERS=Yes or by the
HELPERS column) can be taylored using the new HELPERS option in
shorewall.conf. </para>
shorewall.conf.</para>
</listitem>
</itemizedlist>
@ -389,10 +388,9 @@ HELPER loc - tcp 21 { helper=ftp }</programlisting>
/etc/shorewall[6]/conntrack file. These rules are included conditionally
based in the setting of AUTOHELPERS.</para>
<para> Example:</para>
<para>Example:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/ SWITCH
# PORT(S) PORT(S) GROUP
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT SPORT USER SWITCH
?if $AUTOHELPERS &amp;&amp; __CT_TARGET
?if __FTP_HELPER
CT:helper:ftp all - tcp 21
@ -400,23 +398,22 @@ CT:helper:ftp all - tcp 21
...
?endif</programlisting>
<para> __FTP_HELPER evaluates to false if the HELPERS setting is non-empty
<para>__FTP_HELPER evaluates to false if the HELPERS setting is non-empty
and 'ftp' is not listed in that setting. For example, if you only need FTP
access from your 'loc' zone, then add this rule outside of the outer-most
?if....?endif shown above.</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/ SWITCH
# PORT(S) PORT(S) GROUP
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT SPORT USER SWITCH
...
CT:helper:ftp loc - tcp 21</programlisting>
<para> For an overview of Netfilter Helpers and Shorewall's support for
<para>For an overview of Netfilter Helpers and Shorewall's support for
dealing with them, see <ulink
url="Helpers.html">http://www.shorewall.net/Helpers.html</ulink>.</para>
<para>See <ulink
url="https://home.regit.org/netfilter-en/secure-use-of-helpers/">https://home.regit.org/netfilter-en/secure-use-of-helpers/</ulink>
for additional information. </para>
for additional information.</para>
</section>
<section id="Ports">
@ -433,8 +430,7 @@ CT:helper:ftp loc - tcp 21</programlisti
<para><filename>/etc/shorewall/rules:</filename></para>
<programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT
DNAT net loc:192.168.1.2:21 tcp 12345 { helper=ftp }the</programlisting>
<para>That entry will accept ftp connections on port 12345 from the net
@ -442,8 +438,7 @@ DNAT net loc:192.168.1.2:21 tcp 12345 { helper=ft
<para><filename>/etc/shorewall/conntrack:</filename></para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/ SWITCH
# PORT(S) PORT(S) GROUP
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT SPORT USER SWITCH
...
CT:helper:ftp loc - tcp 12345</programlisting>
@ -531,20 +526,19 @@ options nf_nat_ftp</programlisting>
<para>Otherwise, for FTP you need exactly <emphasis
role="bold">one</emphasis> rule:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST SOURCE ORIGINAL
# PORT(S) PORT(S) DESTINATION
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT SPORT ORIGDEST
ACCEPT or &lt;<emphasis>source</emphasis>&gt; &lt;<emphasis>destination</emphasis>&gt; tcp 21 - &lt;external IP addr&gt; if
DNAT ACTION = DNAT</programlisting>
<para>You need an entry in the ORIGINAL DESTINATION column only if the
ACTION is DNAT, you have multiple external IP addresses and you want a
specific IP address to be forwarded to your server.</para>
<para>You need an entry in the ORIGDEST column only if the ACTION is DNAT,
you have multiple external IP addresses and you want a specific IP address
to be forwarded to your server.</para>
<para>Note that you do <emphasis role="bold">NOT </emphasis>need a rule
with 20 (ftp-data) in the DEST PORT(S) column. If you post your rules on
the mailing list and they show 20 in the DEST PORT(S) column, we will know
that you haven't read this article and will either ignore your post or
tell you to RTFM.</para>
with 20 (ftp-data) in the DPORT column. If you post your rules on the
mailing list and they show 20 in the DPORT column, we will know that you
haven't read this article and will either ignore your post or tell you to
RTFM.</para>
<para>Shorewall includes an FTP macro that simplifies creation of FTP
rules. The macro source is in
@ -558,15 +552,13 @@ DNAT ACTION =
<para>Suppose that you run an FTP server on 192.168.1.5 in your local
zone using the standard port (21). You need this rule:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST SOURCE ORIGINAL
# PORT(S) PORT(S) DESTINATION
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT SPORT ORIGDEST
FTP(DNAT) net loc:192.168.1.5</programlisting>
</example><example id="Example4">
<title>Allow your DMZ FTP access to the Internet</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST SOURCE ORIGINAL
# PORT(S) PORT(S) DESTINATION
FTP(ACCEPT) dmz net</programlisting>
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT SPORT ORIGDEST
FTP(ACCEPT) dmz net</programlisting>
</example></para>
<para>Note that the FTP connection tracking in the kernel cannot handle
@ -588,8 +580,7 @@ WINDOW=46 RES=0x00 ACK PSH URGP=0 OPT (0101080A932DFE0231935CF7) MARK=0x1</progr
<para>I see this problem occasionally with the FTP server in my DMZ. My
solution is to add the following rule:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST SOURCE ORIGINAL
# PORT(S) PORT(S) DESTINATION
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT SPORT ORIGDEST
ACCEPT:info dmz net tcp - 20</programlisting>
<para>The above rule accepts and logs all active mode connections from my

6
docs/GenericTunnels.xml
View File

@ -50,7 +50,7 @@
<para>Suppose that we have the following situation:</para>
<graphic fileref="images/TwoNets1.png" />
<graphic fileref="images/TwoNets1.png"/>
<para>We want systems in the 192.168.1.0/24 subnetwork to be able to
communicate with the systems in the 10.0.0.0/8 network. This is
@ -91,7 +91,7 @@ vpn tun0 10.255.255.255</programlisting>
<para>In /etc/shorewall/tunnels on system A, we need the following:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
generic:tcp:1071 net 134.28.54.2
generic:47 net 134.28.54.2</programlisting>
@ -104,7 +104,7 @@ vpn tun0 192.168.1.255</programlisting>
<para>In /etc/shorewall/tunnels on system B, we have:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
generic:tcp:1071 net 206.191.148.9
generic:47 net 206.191.148.9</programlisting>

3
docs/Helpers.xml
View File

@ -503,8 +503,7 @@ loadmodule nf_conntrack_sane ports=0</programlisting>
limit the scope of the helper. Suppose that your Linux FTP server is
in zone dmz and has address 70.90.191.123.</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE
# PORT(S) PORT(2)
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT
SECTION RELATED
ACCEPT all dmz:70.90.191.123 32768: ; helper=ftp # passive FTP to dmz server; /proc/sys/net/ipv4/ip_local_port_range == 32760:65535
ACCEPT dmz:70.90.191.123 all tcp 1024: 20 ; helper=ftp # active FTP to dmz server

14
docs/IPIP.xml
View File

@ -62,7 +62,7 @@
<para>Suppose that we have the following situation:</para>
<graphic fileref="images/TwoNets1.png" />
<graphic fileref="images/TwoNets1.png"/>
<para>We want systems in the 192.168.1.0/24 subnetwork to be able to
communicate with the systems in the 10.0.0.0/8 network. This is
@ -103,12 +103,12 @@ vpn ipv4</programlisting>
<para>On system A, the 10.0.0.0/8 will comprise the <emphasis
role="bold">vpn</emphasis> zone. In /etc/shorewall/interfaces:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
vpn tosysb 10.255.255.255</programlisting>
<programlisting>#ZONE INTERFACE OPTIONS
vpn tosysb</programlisting>
<para>In /etc/shorewall/tunnels on system A, we need the following:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
ipip net 134.28.54.2</programlisting>
<para>This entry in /etc/shorewall/tunnels, opens the firewall so that the
@ -133,12 +133,12 @@ subnet=10.0.0.0/8
<emphasis role="bold">vpn</emphasis> zone. In
/etc/shorewall/interfaces:</para>
<programlisting>#ZONE INTERFACE BROADCAST
vpn tosysa 192.168.1.255</programlisting>
<programlisting>#ZONE INTERFACE
vpn tosysa</programlisting>
<para>In /etc/shorewall/tunnels on system B, we have:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
ipip net 206.191.148.9</programlisting>
<para>And in the tunnel script on system B:</para>

100
docs/IPSEC-2.6.xml
View File

@ -267,16 +267,14 @@
<para><filename><filename>/etc/shorewall/tunnels</filename></filename>
System A:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
ipsec net 134.28.54.2
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
ipsec net 134.28.54.2</programlisting>
<para><filename><filename>/etc/shorewall/tunnels</filename></filename>
System B:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
ipsec net 206.162.148.9
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
ipsec net 206.162.148.9</programlisting>
</blockquote>
<note>
@ -295,11 +293,9 @@ ipsec net 206.162.148.9
<para><filename><filename>/etc/shorewall/zones</filename></filename>
Systems A and B:</para>
<programlisting>#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
<programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
net ipv4
<emphasis role="bold">vpn ipv4</emphasis>
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
<emphasis role="bold">vpn ipv4</emphasis></programlisting>
</blockquote>
<para>Remember the assumption that both systems A and B have eth0 as their
@ -315,14 +311,12 @@ net ipv4
<para><filename>/etc/shorewall/hosts</filename> — System A</para>
<programlisting>#ZONE HOSTS OPTIONS
vpn eth0:10.0.0.0/8,134.28.54.2 <emphasis role="bold"> ipsec</emphasis>
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
vpn eth0:10.0.0.0/8,134.28.54.2 <emphasis role="bold"> ipsec</emphasis></programlisting>
<para><filename>/etc/shorewall/hosts</filename> — System B</para>
<programlisting>#ZONE HOSTS OPTIONS
vpn eth0:192.168.1.0/24,206.162.148.9 <emphasis role="bold">ipsec</emphasis>
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
vpn eth0:192.168.1.0/24,206.162.148.9 <emphasis role="bold">ipsec</emphasis></programlisting>
</blockquote>
<para>Assuming that you want to give each local network free access to the
@ -330,17 +324,17 @@ vpn eth0:192.168.1.0/24,206.162.148.9 <emphasis role="bold">ips
<filename>/etc/shorewall/policy</filename> entries on each system:</para>
<blockquote>
<programlisting>#SOURCE DESTINATION POLICY LEVEL BURST:LIMIT
loc vpn ACCEPT
vpn loc ACCEPT</programlisting>
<programlisting>#SOURCE DEST POLICY LEVEL BURST:LIMIT
loc vpn ACCEPT
vpn loc ACCEPT</programlisting>
</blockquote>
<para>If you need access from each firewall to hosts in the other network,
then you could add:</para>
<blockquote>
<programlisting>#SOURCE DESTINATION POLICY LEVEL BURST:LIMIT
$FW vpn ACCEPT</programlisting>
<programlisting>#SOURCE DEST POLICY LEVEL BURST:LIMIT
$FW vpn ACCEPT</programlisting>
</blockquote>
<para>If you need access between the firewall's, you should describe the
@ -348,7 +342,7 @@ $FW vpn ACCEPT</programlisting>
from System B, add this rule on system A:</para>
<blockquote>
<programlisting>#ACTION SOURCE DESTINATION PROTO POLICY
<programlisting>#ACTION SOURCE DEST PROTO POLICY
ACCEPT vpn:134.28.54.2 $FW</programlisting>
</blockquote>
@ -458,8 +452,7 @@ sainfo address 192.168.1.0/24 any address 134.28.54.2/32 any
through an ESP tunnel then the following entry would be
appropriate:</para>
<programlisting>#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
<programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
sec ipsec mode=tunnel <emphasis role="bold">mss=1400</emphasis></programlisting>
<para>You should also set FASTACCEPT=No in shorewall.conf to ensure
@ -493,25 +486,24 @@ sec ipsec mode=tunnel <emphasis role="bold">mss=1400</emphasis
<blockquote>
<para><filename>/etc/shorewall/zones</filename> — System A</para>
<programlisting>#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
<programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
net ipv4
<emphasis role="bold">vpn ipsec</emphasis>
loc ipv4
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</programlisting>
</blockquote>
<para>In this instance, the mobile system (B) has IP address 134.28.54.2
but that cannot be determined in advance. In the
<filename>/etc/shorewall/tunnels</filename> file on system A, the
following entry should be made:<blockquote>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
ipsec net 0.0.0.0/0 vpn
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</programlisting>
</blockquote></para>
<para><note>
<para>the GATEWAY ZONE column contains the name of the zone
<para>the GATEWAY_ZONE column contains the name of the zone
corresponding to peer subnetworks. This indicates that the gateway
system itself comprises the peer subnetwork; in other words, the
remote gateway is a standalone system.</para>
@ -524,8 +516,7 @@ ipsec net 0.0.0.0/0 vpn
<para><filename>/etc/shorewall/hosts</filename> — System A:</para>
<programlisting>#ZONE HOSTS OPTIONS
vpn eth0:0.0.0.0/0
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
vpn eth0:0.0.0.0/0</programlisting>
</blockquote>
<para>You will need to configure your <quote>through the tunnel</quote>
@ -536,24 +527,20 @@ vpn eth0:0.0.0.0/0
<blockquote>
<para><filename>/etc/shorewall/zones</filename> - System B:</para>
<programlisting>#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
<programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
vpn ipsec
net ipv4
loc ipv4
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
loc ipv4</programlisting>
<para><filename>/etc/shorewall/tunnels</filename> - System B:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
ipsec net 206.162.148.9 vpn
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
ipsec net 206.162.148.9 vpn</programlisting>
<para><filename>/etc/shorewall/hosts</filename> - System B:</para>
<programlisting>#ZONE HOSTS OPTIONS
vpn eth0:0.0.0.0/0
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
vpn eth0:0.0.0.0/0</programlisting>
</blockquote>
<para>On system A, here are the IPsec files:</para>
@ -716,13 +703,11 @@ RACOON=/usr/sbin/racoon</programlisting>
<blockquote>
<para><filename>/etc/shorewall/zones</filename> — System A</para>
<programlisting>#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
net ipv4
<programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
et ipv4
vpn ipsec
<emphasis role="bold">l2tp ipv4</emphasis>
loc ipv4
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
loc ipv4</programlisting>
</blockquote>
<para>Since the L2TP will require the use of pppd, you will end up with
@ -737,8 +722,7 @@ loc ipv4
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect routefilter
loc eth1 192.168.1.255
l2tp ppp+ -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
l2tp ppp+ -</programlisting>
</blockquote>
<para>The next thing that must be done is to adjust the policy so that the
@ -776,7 +760,7 @@ l2tp ppp+ -
<blockquote>
<para><filename>/etc/shorewall/policy</filename>:</para>
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
<programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
$FW all ACCEPT
loc net ACCEPT
loc l2tp ACCEPT # Allows local machines to connect to road warriors
@ -784,8 +768,7 @@ l2tp loc ACCEPT # Allows road warriors to connect to loca
l2tp net ACCEPT # Allows road warriors to connect to the Internet
net all DROP info
# The FOLLOWING POLICY MUST BE LAST
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
all all REJECT info</programlisting>
</blockquote>
<para>The final step is to modify your rules file. There are three
@ -802,8 +785,7 @@ all all REJECT info
<blockquote>
<para><filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE
# PORT(S) PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT
?SECTION ESTABLISHED
# Prevent IPsec bypass by hosts behind a NAT gateway
L2TP(REJECT) net $FW
@ -815,8 +797,7 @@ ACCEPT vpn $FW udp 1701
HTTP(ACCEPT) loc $FW
HTTP(ACCEPT) l2tp $FW
HTTPS(ACCEPT) loc $FW
HTTPS(ACCEPT) l2tp $FW
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
HTTPS(ACCEPT) l2tp $FW</programlisting>
</blockquote>
</section>
@ -890,9 +871,8 @@ spdadd 192.168.20.40/32 192.168.20.10/32 any -P in ipsec esp/transport/192.168.
<blockquote>
<para><filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect routefilter,dhcp,tcpflags
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
<programlisting>#ZONE INTERFACE OPTIONS
net eth0 routefilter,dhcp,tcpflags</programlisting>
<para><filename>/etc/shorewall/tunnels</filename>:</para>
@ -910,8 +890,7 @@ net ipv4</programlisting>
<para><filename><filename>/etc/shorewall/hosts</filename></filename>:</para>
<programlisting>#ZONE HOST(S) OPTIONS
loc eth0:192.168.20.0/24
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE</programlisting>
loc eth0:192.168.20.0/24</programlisting>
<para>It is worth noting that although <emphasis>loc</emphasis> is a
sub-zone of <emphasis>net</emphasis>, because <emphasis>loc</emphasis>
@ -921,15 +900,14 @@ loc eth0:192.168.20.0/24
<para><filename>/etc/shorewall/policy</filename>:</para>
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
<programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
$FW all ACCEPT
loc $FW ACCEPT
net loc NONE
loc net NONE
net all DROP info
# The FOLLOWING POLICY MUST BE LAST
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
all all REJECT info</programlisting>
<para>Since there are no cases where net&lt;-&gt;loc traffic should
occur, NONE policies are used.</para>

7
docs/Introduction.xml
View File

@ -266,13 +266,13 @@ dmz eth2 detect nets=(192.168.1.0/24)</programlisting>
<para>The <filename
class="directory">/etc/shorewall/</filename><filename>policy</filename>
file included with the three-interface sample has the following policies:
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
<programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
loc net ACCEPT
net all DROP info
all all REJECT info</programlisting>In the three-interface
sample, the line below is included but commented out. If you want your
firewall system to have full access to servers on the Internet, uncomment
that line. <programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
that line. <programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
$FW net ACCEPT</programlisting> The above policies will:
<itemizedlist>
<listitem>
@ -316,8 +316,7 @@ $FW net ACCEPT</programlisting> The above policies will:
url="manpages/shorewall-rules.html"><filename
class="directory">/etc/shorewall/</filename><filename>rules</filename>:</ulink></para>
<programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT
ACCEPT net $FW tcp 22</programlisting>
<para>So although you have a policy of ignoring all connection attempts

8
docs/Laptop.xml
View File

@ -68,10 +68,10 @@
optional interfaces for the 'net' zone in
<filename>/etc/shorewall/interfaces</filename>.</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect optional,…
net wlan0 detect optional,…
net ppp0 - optional,…</programlisting>
<programlisting>#ZONE INTERFACE OPTIONS
net eth0 optional,…
net wlan0 optional,…
net ppp0 optional,…</programlisting>
<para>With this configuration, access to the 'net' zone is possible
regardless of which of the interfaces is being used.</para>

18
docs/MAC_Validation.xml
View File

@ -172,22 +172,20 @@ MACLIST_LOG_LEVEL=info</programlisting>
<para>/etc/shorewall/interfaces:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net $EXT_IF 206.124.146.255 dhcp,routefilter,logmartians,blacklist,tcpflags,nosmurfs
loc $INT_IF 192.168.1.255 dhcp
dmz $DMZ_IF -
vpn tun+ -
Wifi $WIFI_IF - maclist,dhcp
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
<programlisting>#ZONE INTERFACE OPTIONS
net $EXT_IF dhcp,routefilter,logmartians,blacklist,tcpflags,nosmurfs
loc $INT_IF dhcp
dmz $DMZ_IF
vpn tun+
Wifi $WIFI_IF maclist,dhcp</programlisting>
<para>/etc/shorewall/maclist:</para>
<para>etc/shorewall/maclist:</para>
<programlisting>#DISPOSITION INTERFACE MAC IP ADDRESSES (Optional)
ACCEPT $WIFI_IF 00:04:5e:3f:85:b9 #WAP11
ACCEPT $WIFI_IF 00:06:25:95:33:3c #WET11
ACCEPT $WIFI_IF 00:0b:4d:53:cc:97 192.168.3.8 #TIPPER
ACCEPT $WIFI_IF 00:1f:79:cd:fe:2e 192.168.3.6 #Work Laptop
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
ACCEPT $WIFI_IF 00:1f:79:cd:fe:2e 192.168.3.6 #Work Laptop</programlisting>
<para>As shown above, I used MAC Verification on my wireless zone that
was served by a Linksys WET11 wireless bridge.</para>

2
docs/Macros.xml
View File

@ -469,7 +469,7 @@ ACCEPT $FW loc tcp 135,139,445</programlist
</listitem>
<listitem>
<para>ORIGINAL DEST (Shorewall-perl 4.2.0 and later)</para>
<para>ORIGDEST (Shorewall-perl 4.2.0 and later)</para>
<para>To use this column, you must include 'FORMAT 2' as the first
non-comment line in your macro file.</para>

8
docs/ManualChains.xml
View File

@ -195,16 +195,14 @@ sub Knock {
<para>The rule from the Port Knocking article:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT
SSHKnock net $FW tcp 22,1599,1600,1601
</programlisting>
<para>becomes:<programlisting>PERL Knock 'net', '$FW', {target =&gt; 22, knocker =&gt; 1600, trap =&gt; [1599, 1601]};</programlisting>Similarly<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
# PORT(S) DEST
<para>becomes:<programlisting>PERL Knock 'net', '$FW', {target =&gt; 22, knocker =&gt; 1600, trap =&gt; [1599, 1601]};</programlisting>Similarly<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
DNAT- net 192.168.1.5 tcp 22 - 206.124.146.178
SSHKnock net $FW tcp 1599,1600,1601
SSHKnock net loc:192.168.1.5 tcp 22 - 206.124.146.178</programlisting>becomes:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
# PORT(S) DEST
SSHKnock net loc:192.168.1.5 tcp 22 - 206.124.146.178</programlisting>becomes:<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
DNAT- net 192.168.1.5 tcp 22 - 206.124.146.178
PERL Knock 'net', '$FW', {name =&gt; 'SSH', knocker =&gt; 1600, trap =&gt; [1599, 1601]};

54
docs/MultiISP.xml
View File

@ -892,7 +892,7 @@ net eth1 detect …</programlisting>
<para><filename>/etc/shorewall/policy</filename>:</para>
<programlisting>#SOURCE DESTINATION POLICY LIMIT:BURST
<programlisting>#SOURCE DESTINATION POLICY LOGLEVEL LIMIT
net net DROP</programlisting>
<para><filename>/etc/shorewall/masq</filename>:</para>
@ -913,15 +913,13 @@ eth1 0.0.0.0/0 130.252.99.27</programlisting>
later, you would make this entry in <ulink
url="manpages/shorewall-mangle.html">/etc/shorewall/mangle</ulink>.</para>
<programlisting>#ACTION SOURCE DEST PROTO PORT(S) CLIENT USER TEST
# PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
MARK(2):P &lt;local network&gt; 0.0.0.0/0 tcp 25</programlisting>
<para>Note that traffic from the firewall itself must be handled in a
different rule:</para>
<programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
# PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
MARK(2) $FW 0.0.0.0/0 tcp 25</programlisting>
<para>If you are running a Shorewall version earlier than 4.6.0, the
@ -929,14 +927,12 @@ MARK(2) $FW 0.0.0.0/0 tcp 25</programlisting>
url="manpages4/manpages/shorewall-tcrules.html">/etc/shorewall/tcrules</ulink>
would be:</para>
<programlisting>#ACTION SOURCE DEST PROTO PORT(S) CLIENT USER TEST
# PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
2:P &lt;local network&gt; 0.0.0.0/0 tcp 25</programlisting>
<para>And for traffic from the firewall:</para>
<programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
# PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
2 $FW 0.0.0.0/0 tcp 25</programlisting>
</section>
@ -951,8 +947,7 @@ MARK(2) $FW 0.0.0.0/0 tcp 25</programlisting>
<para><filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
# PORTS(S) DEST
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
DNAT net loc:192.168.1.3 tcp 25</programlisting>
<para>Continuing the above example, to forward only connection requests
@ -962,19 +957,16 @@ DNAT net loc:192.168.1.3 tcp 25</programlisting
<listitem>
<para>Qualify the SOURCE by ISP 1's interface:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
# PORTS(S) DEST
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
DNAT net<emphasis role="bold">:eth0</emphasis> loc:192.168.1.3 tcp 25</programlisting>
<para>or</para>
</listitem>
<listitem>
<para>Specify the IP address of ISP 1 in the ORIGINAL DEST
column:</para>
<para>Specify the IP address of ISP 1 in the ORIGDEST column:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
# PORTS(S) DEST
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
DNAT net loc:192.168.1.3 tcp 25 <emphasis
role="bold">- 206.124.146.176</emphasis></programlisting>
</listitem>
@ -2573,8 +2565,7 @@ wireless 3 3 - wlan0 172.20.1.1 track,o
role="bold">avvanta</emphasis> provider.</para>
<para>Here is the mangle file (MARK_IN_FORWARD_CHAIN=No in
<filename>shorewall.conf</filename>):<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER
# PORT(S) PORT(S)
<filename>shorewall.conf</filename>):<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER
MARK(2) $FW 0.0.0.0/0 tcp 21
MARK(2) $FW 0.0.0.0/0 tcp - - - - - - - ftp
MARK(2) $FW 0.0.0.0/0 tcp 119</programlisting></para>
@ -2583,8 +2574,7 @@ MARK(2) $FW 0.0.0.0/0 tcp 119</programlistin
switching to using a mangle file (<command>shorewall update -t</command>
will do that for you). Here are the equivalent tcrules entries:</para>
<programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST LENGTH TOS CONNBYTES HELPER
# PORT(S)
<programlisting>#MARK SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER
2 $FW 0.0.0.0/0 tcp 21
2 $FW 0.0.0.0/0 tcp - - - - - - - ftp
2 $FW 0.0.0.0/0 tcp 119</programlisting>
@ -2603,8 +2593,7 @@ MARK(2) $FW 0.0.0.0/0 tcp 119</programlistin
<para>The same rules converted to use the mangle file are:</para>
<programlisting>#ACTION SOURCE DEST PROTO PORT(S) CLIENT USER TEST LENGTH TOS CONNBYTES HELPER
# PORT(S)
<programlisting>#MARK SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER
MARK(2) $FW 0.0.0.0/0 tcp 21
MARK(2) $FW 0.0.0.0/0 tcp - - - - - - - ftp
MARK(2) $FW 0.0.0.0/0 tcp 119</programlisting>
@ -2612,8 +2601,7 @@ MARK(2) $FW 0.0.0.0/0 tcp 119</programlisting>
<para>The remaining files are for a rather standard two-interface config
with a bridge as the local interface.</para>
<para><filename>zones</filename>:<programlisting>#ZONE IPSEC OPTIONS IN OUT
# ONLY OPTIONS OPTIONS
<para><filename>zones</filename>:<programlisting>#ZONE IPSEC OPTIONS IN_OPTIONS OUT_OPTIONS
fw firewall
net ipv4
kvm ipv4</programlisting><filename>policy</filename>:<programlisting>net net NONE
@ -2623,17 +2611,17 @@ kvm all ACCEPT
net all DROP info
all all REJECT info</programlisting></para>
<para>interfaces:<programlisting>#ZONE INTERFACE BROADCAST OPTIONS GATEWAY
<para>interfaces:<programlisting>#ZONE INTERFACE OPTIONS
#
net eth0 detect dhcp,tcpflags,routefilter,blacklist,logmartians,optional,arp_ignore
net wlan0 detect dhcp,tcpflags,routefilter,blacklist,logmartians,optional
kvm br0 detect routeback #Virtual Machines</programlisting><note>
net eth0 dhcp,tcpflags,routefilter,blacklist,logmartians,optional,arp_ignore
net wlan0 dhcp,tcpflags,routefilter,blacklist,logmartians,optional
kvm br0 routeback #Virtual Machines</programlisting><note>
<para><filename class="devicefile">wlan0</filename> is the wireless
adapter in the notebook. Used when the laptop is in our home but not
connected to the wired network.</para>
</note></para>
<para>masq:<programlisting>#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
<para>masq:<programlisting>#INTERFACE SUBNET ADDRESS PROTO DPORT IPSEC
eth0 192.168.0.0/24
wlan0 192.168.0.0/24</programlisting><note>
<para>Because the firewall has only a single external IP address, I
@ -2815,7 +2803,7 @@ dmz ip #LXC Containers</programlisting>
<para><filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting>#ZONE INTERFACE OPTIONS
<programlisting>#ZONE INTERFACE OPTIONS
loc INT_IF dhcp,physical=$INT_IF,ignore=1,wait=5,routefilter,nets=172.20.1.0/24,routeback
net COMB_IF optional,sourceroute=0,routefilter=0,arp_ignore=1,proxyarp=0,physical=$COMB_IF,upnp,nosmurfs,tcpflags
net COMC_IF optional,sourceroute=0,routefilter=0,arp_ignore=1,proxyarp=0,physical=$COMC_IF,upnp,nosmurfs,tcpflags,dhcp
@ -2881,9 +2869,7 @@ root@gateway:~# </programlisting>
<para><filename>/etc/shorewall/mangle</filename> is not used to support
Multi-ISP:</para>
<programlisting>#MARK SOURCE DEST PROTO DEST SOURCE
# PORT(S) PORT(S)
FORMAT 2
<programlisting>#MARK SOURCE DEST PROTO DPORT SPORT
TTL(+1):P INT_IF -
SAME:P INT_IF - tcp 80,443
?if $PROXY &amp;&amp; ! $SQUID2

24
docs/Multiple_Zones.xml
View File

@ -114,7 +114,7 @@
of this discussion, it makes no difference.</para>
</note>
<graphic fileref="images/MultiZone1.png" />
<graphic fileref="images/MultiZone1.png"/>
<section id="Standard">
<title>Can You Use the Standard Configuration?</title>
@ -183,7 +183,7 @@
all hosts connected to eth1 and a second zone <quote>loc1</quote>
(192.168.2.0/24) as a sub-zone.</para>
<graphic fileref="images/MultiZone1A.png" />
<graphic fileref="images/MultiZone1A.png"/>
<para><note>
<para>The Router in the above diagram is assumed to NOT be doing
@ -209,7 +209,7 @@ loc1:loc ipv4</programlisting>
<para><filename>/etc/shorewall/interfaces</filename></para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
<programlisting>#ZONE INTERFACE OPTIONS
loc eth1 -</programlisting>
<para><filename>/etc/shorewall/hosts</filename></para>
@ -234,7 +234,7 @@ loc1 loc NONE</programlisting>
<para>You define both zones in the /etc/shorewall/hosts file to create
two disjoint zones.</para>
<graphic fileref="images/MultiZone1B.png" />
<graphic fileref="images/MultiZone1B.png"/>
<para><note>
<para>The Router in the above diagram is assumed to NOT be doing
@ -247,8 +247,8 @@ loc2 ipv4</programlisting>
<para><filename>/etc/shorewall/interfaces</filename></para>
<programlisting>#ZONE INTERFACE BROADCAST
- eth1 192.168.1.255
<programlisting>#ZONE INTERFACE OPTIONS
- eth1 -
</programlisting>
<para><filename>/etc/shorewall/hosts</filename></para>
@ -274,7 +274,7 @@ loc2 loc1 NONE</programlisting>
<para>There are cases where a subset of the addresses associated with an
interface need special handling. Here's an example.</para>
<graphic fileref="images/MultiZone2.png" />
<graphic fileref="images/MultiZone2.png"/>
<para>In this example, addresses 192.168.1.8 - 192.168.1.15
(192.168.1.8/29) are to be treated as their own zone (loc1).</para>
@ -287,8 +287,8 @@ loc1:loc ipv4</programlisting>
<para><filename>/etc/shorewall/interfaces</filename></para>
<programlisting>#ZONE INTERFACE BROADCAST
loc eth1 -</programlisting>
<programlisting>#ZONE INTERFACE
loc eth1</programlisting>
<para><filename>/etc/shorewall/hosts</filename><programlisting>#ZONE HOSTS OPTIONS
loc1 eth1:192.168.1.8/29 broadcast</programlisting></para>
@ -326,7 +326,7 @@ loc1 loc NONE</programlisting>
<quote>loc</quote> zone are configured with their default gateway set to
the Shorewall router's RFC1918 address.</para>
<para><graphic fileref="images/MultiZone3.png" /></para>
<para><graphic fileref="images/MultiZone3.png"/></para>
<para><filename>/etc/shorewall/zones</filename></para>
@ -336,8 +336,8 @@ loc:net ipv4</programlisting>
<para><filename>/etc/shorewall/interfaces</filename></para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect routefilter</programlisting>
<programlisting>#ZONE INTERFACE OPTIONS
net eth0 routefilter</programlisting>
<para><filename>/etc/shorewall/hosts</filename></para>

30
docs/MyNetwork.xml
View File

@ -494,8 +494,7 @@ tarpit inline # Wrapper for TARPIT
<section>
<title>/etc/shorewall/action.Mirrors</title>
<para><programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
# PORT PORT(S) DEST LIMIT
<para><programlisting>#TARGET SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE
?COMMENT Accept traffic from Mirrors
?FORMAT 2
DEFAULTS -
@ -508,8 +507,7 @@ $1 $MIRRORS
<section>
<title>/etc/shorewall/action.tarpit</title>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
# PORT PORT(S) DEST LIMIT GROUP
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH HELPER
$LOG { rate=s:1/min }
TARPIT
</programlisting>
@ -520,7 +518,8 @@ TARPIT
<section id="zones">
<title>/etc/shorewall/zones</title>
<para><programlisting>fw firewall
<para><programlisting>#ZONE TYPE
fw firewall
loc ip #Local Zone
net ipv4 #Internet
dmz ipv4 #LXC Containers
@ -531,7 +530,7 @@ smc:net ip #10.0.1.0/24
<section id="interfaces">
<title>/etc/shorewall/interfaces</title>
<para><programlisting>#ZONE INTERFACE BROADCAST OPTIONS
<para><programlisting>#ZONE INTERFACE OPTIONS
loc INT_IF dhcp,physical=$INT_IF,ignore=1,wait=5,routefilter,nets=172.20.1.0/24,routeback,tcpflags=0
net COMB_IF optional,sourceroute=0,routefilter=0,arp_ignore=1,proxyarp=0,physical=$COMB_IF,upnp,nosmurfs,tcpflags
net COMC_IF optional,sourceroute=0,routefilter=0,arp_ignore=1,proxyarp=0,physical=$COMC_IF,upnp,nosmurfs,tcpflags,dhcp
@ -552,8 +551,7 @@ smc COMC_IF:10.0.0.0/24
<section id="policy">
<title>/etc/shorewall/policy</title>
<para><programlisting>#SOURCE DEST POLICY LOG LIMIT:BURST
# LEVEL
<para><programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
$FW dmz REJECT $LOG
$FW net REJECT $LOG
?else
@ -577,8 +575,7 @@ all all REJECT:Reject $LOG
<section id="accounting">
<title>/etc/shorewall/accounting</title>
<para><programlisting>#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/ MARK IPSEC
# PORT(S) PORT(S) GROUP
<para><programlisting>#ACTION CHAIN SOURCE DESTINATION PROTO DPORT SPORT USER MARK IPSEC
?COMMENT
?SECTION PREROUTING
?SECTION INPUT
@ -604,7 +601,8 @@ ACCOUNT(loc-net,$INT_NET) - INT_IF COMB_IF
<section id="blacklist">
<title>/etc/shorewall/blrules</title>
<para><programlisting>WHITELIST net:70.90.191.126 all
<para><programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH
WHITELIST net:70.90.191.126 all
BLACKLIST net:+blacklist all
BLACKLIST net all udp 1023:1033,1434,5948,23773
DROP net all tcp 57,1433,1434,2401,2745,3127,3306,3410,4899,5554,5948,6101,8081,9898,23773
@ -714,8 +712,7 @@ br0 70.90.191.120/29 70.90.191.121
<title>/etc/shorewall/conntrack</title>
<para><programlisting>?FORMAT 2
#ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/
# PORT(S) PORT(S) GROUP
#ACTION SOURCE DEST PROTO DPORT SPORT
#
DROP net - udp 3551
NOTRACK net - tcp 23
@ -818,8 +815,7 @@ br0 - ComcastB 11000
<section id="routestopped">
<title>/etc/shorewall/stoppedrules</title>
<para><programlisting>#TARGET HOST(S) DEST PROTO DEST SOURCE
# PORT(S) PORT(S)
<para><programlisting>#TARGET HOST(S) DEST PROTO DPORT SPORT
ACCEPT INT_IF:172.20.1.0/24 $FW
NOTRACK COMB_IF - 41
NOTRACK $FW COMB_IF 41
@ -832,9 +828,7 @@ ACCEPT COMC_IF $FW udp 67:68</programlistin
<title>/etc/shorewall/rules</title>
<para><programlisting>################################################################################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH
# PORT(S) PORT(S) DEST LIMIT GROUP
################################################################################################################################################################################################
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH
?if $VERSION &lt; 40500
?SHELL echo " ERROR: Shorewall version is too low" &gt;&amp;2; exit 1
?endif

9
docs/NAT.xml
View File

@ -60,7 +60,7 @@
<para>The following figure represents a one-to-one NAT environment.</para>
<graphic fileref="images/staticnat.png" />
<graphic fileref="images/staticnat.png"/>
<para>One-to-one NAT can be used to make the systems with the 10.1.1.*
addresses appear to be on the upper (130.252.100.*) subnet. If we assume
@ -73,7 +73,7 @@
internal host(s) — such traffic is still subject to your policies and
rules.</para>
<para><filename>/etc/shorewall/nat</filename><programlisting>#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL
<para><filename>/etc/shorewall/nat</filename><programlisting>#EXTERNAL INTERFACE INTERNAL ALLINTS LOCAL
130.252.100.18 eth0 10.1.1.2 no no
130.252.100.19 eth0 10.1.1.3 no no</programlisting></para>
@ -105,7 +105,7 @@
<quote>yes</quote> then you must NOT configure your own
alias(es).</para>
<para></para>
<para/>
</note>
<note>
@ -126,8 +126,7 @@
would need the following entry in
<filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIG
# PORT(S) PORT(S) DEST
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
ACCEPT net loc:10.1.1.2 tcp 80 - 130.252.100.18</programlisting>
</section>

42
docs/OPENVPN.xml
View File

@ -68,8 +68,8 @@
<orderedlist>
<listitem>
<para>It is widely supported -- I run it on both Linux and Windows
XP.</para>
<para>It is widely supported -- I run it on both Linux and
Windows.</para>
</listitem>
<listitem>
@ -97,7 +97,7 @@
<para>Suppose that we have the following situation:</para>
<graphic fileref="images/TwoNets1.png" />
<graphic fileref="images/TwoNets1.png"/>
<para>We want systems in the 192.168.1.0/24 subnetwork to be able to
communicate with the systems in the 10.0.0.0/8 network. This is
@ -118,8 +118,7 @@
<para><filename>/etc/shorewall/zones</filename> — Systems A &amp;
B</para>
<programlisting>#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
<programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
vpn ipv4</programlisting>
</blockquote>
@ -130,7 +129,7 @@ vpn ipv4</programlisting>
<para>In <filename>/etc/shorewall/interfaces</filename> on system
A:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
<programlisting>#ZONE INTERFACE OPTIONS
vpn tun0</programlisting>
</blockquote>
@ -138,7 +137,7 @@ vpn tun0</programlisting>
the following:</para>
<blockquote>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
openvpn net 134.28.54.2</programlisting>
</blockquote>
@ -150,7 +149,7 @@ openvpn net 134.28.54.2</programlisting>
<blockquote>
<para>/etc/shorewall/tunnels with port 7777:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
openvpn:7777 net 134.28.54.2</programlisting>
</blockquote>
@ -161,7 +160,7 @@ openvpn:7777 net 134.28.54.2</programlisting>
<blockquote>
<para>/etc/shorewall/tunnels using TCP:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
openvpn:tcp net 134.28.54.2</programlisting>
</blockquote>
@ -170,7 +169,7 @@ openvpn:tcp net 134.28.54.2</programlisting>
<blockquote>
<para>/etc/shorewall/tunnels using TCP port 7777:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
openvpn:tcp:7777 net 134.28.54.2</programlisting>
</blockquote>
@ -206,7 +205,7 @@ vpn tun0 </programlisting>
have:</para>
<blockquote>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
openvpn net 206.191.148.9</programlisting>
</blockquote>
@ -249,7 +248,7 @@ vpn loc ACCEPT</programlisting>
<para>OpenVPN 2.0 provides excellent support for roadwarriors. Consider
the setup in the following diagram:</para>
<graphic fileref="images/Mobile.png" />
<graphic fileref="images/Mobile.png"/>
<para>On the gateway system (System A), we need a zone to represent the
remote clients — we'll call that zone <quote>road</quote>.</para>
@ -257,8 +256,7 @@ vpn loc ACCEPT</programlisting>
<blockquote>
<para><filename>/etc/shorewall/zones</filename> — System A:</para>
<programlisting>#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
<programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
road ipv4</programlisting>
</blockquote>
@ -269,7 +267,7 @@ road ipv4</programlisting>
<para>In <filename>/etc/shorewall/interfaces</filename> on system
A:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
<programlisting>#ZONE INTERFACE OPTIONS
road tun+</programlisting>
</blockquote>
@ -277,7 +275,7 @@ road tun+</programlisting>
the following:</para>
<blockquote>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
openvpn:1194 net 0.0.0.0/0</programlisting>
</blockquote>
@ -288,7 +286,7 @@ openvpn:1194 net 0.0.0.0/0</programlisting>
uses NAT.</para>
<blockquote>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
openvpnserver:1194 net 0.0.0.0/0</programlisting>
</blockquote>
@ -363,7 +361,7 @@ home tun0</programlisting>
the following:</para>
<blockquote>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
openvpn:1194 net 206.162.148.9</programlisting>
</blockquote>
@ -372,7 +370,7 @@ openvpn:1194 net 206.162.148.9</programlisting>
prefer:</para>
<blockquote>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
openvpnclient:1194 net 206.162.148.9</programlisting>
</blockquote>
@ -443,7 +441,7 @@ verb 3</programlisting>
192.168.1.0/24, there will be times when your roadwarriors need to access
your lan from a remote location that uses that same network.</para>
<graphic align="center" fileref="images/Mobile1.png" />
<graphic align="center" fileref="images/Mobile1.png"/>
<para>This may be accomplished by configuring a second server on your
firewall that uses a different port and by using <ulink
@ -719,7 +717,7 @@ TUNNEL_IF=gif0
<para>Add this entry to <ulink
url="manpages/shorewall-tunnels.html">/etc/shorewall/tunnels</ulink>:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
openvpnserver:1194 net 0.0.0.0/0</programlisting>
</listitem>
</orderedlist>
@ -736,7 +734,7 @@ openvpnserver:1194 net 0.0.0.0/0</programlisting>
<para>Consider the following case:</para>
<graphic align="center" fileref="images/bridge4.png" />
<graphic align="center" fileref="images/bridge4.png"/>
<para>Part of the 192.168.1.0/24 network is in one location and part in
another. The two LANs can be bridged with OpenVPN as described in this

49
docs/OpenVZ.xml
View File

@ -141,17 +141,16 @@ server:~ # </programlisting>
<para><filename>/etc/shorewall/zones</filename>:</para>
<programlisting>###############################################################################
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
#ZONE TYPE OPTIONS IN_OPTION OUT_OPTIONS
net ipv4
vz ipv4</programlisting>
<para><filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting>###############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 - proxyarp=1
vz venet0 - <emphasis role="bold">routeback,arp_filter=0</emphasis></programlisting>
#ZONE INTERFACE OPTIONS
net eth0 proxyarp=1
vz venet0 <emphasis role="bold">routeback,arp_filter=0</emphasis></programlisting>
</section>
<section>
@ -159,8 +158,8 @@ vz venet0 - <emphasis role="bold">routeback,arp_f
<para>If you run Shorewall Multi-ISP support on the host, you should
arrange for traffic to your containers to use the main routing table. In
the configuration shown here, this entry in /etc/shorewall/rtrules
is appropriate:</para>
the configuration shown here, this entry in /etc/shorewall/rtrules is
appropriate:</para>
<programlisting>#SOURCE DEST PROVIDER PRIORITY
- 206.124.146.178 main 1000</programlisting>
@ -290,7 +289,7 @@ done.
<para>The network diagram is shown below.</para>
<graphic fileref="images/Network2009c.png" />
<graphic fileref="images/Network2009c.png"/>
<para>The two systems shown in the green box are OpenVZ Virtual
Environments (containers).</para>
@ -457,8 +456,7 @@ NAME="server"</emphasis></programlisting>
<para><filename>/etc/shorewall/zones</filename>:</para>
<programlisting>#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
<programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
fw firewall
net ipv4 #Internet
loc ipv4 #Local wired Zone
@ -472,11 +470,11 @@ INT_IF=eth1
<emphasis role="bold">VPS_IF=venet0</emphasis>
...</programlisting>
<para><filename>/etc/shorewall/interfaces</filename>:<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net $NET_IF detect dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartions=0,<emphasis
<para><filename>/etc/shorewall/interfaces</filename>:<programlisting>#ZONE INTERFACE OPTIONS
net $NET_IF dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartions=0,<emphasis
role="bold">proxyarp=1</emphasis>
loc $INT_IF detect dhcp,logmartians=1,routefilter=1,nets=(172.20.1.0/24),tcpflags
<emphasis role="bold">dmz $VPS_IF detect logmartians=0,routefilter=0,nets=(206.124.146.177,206.124.146.178),routeback</emphasis>
loc $INT_IF dhcp,logmartians=1,routefilter=1,nets=(172.20.1.0/24),tcpflags
<emphasis role="bold">dmz $VPS_IF logmartians=0,routefilter=0,nets=(206.124.146.177,206.124.146.178),routeback</emphasis>
...</programlisting>This is a multi-ISP configuration so entries are required
in <filename>/etc/shorewall/rtrules</filename>:</para>
@ -501,8 +499,7 @@ loc $INT_IF detect dhcp,logmartians=1,routefilter=1
<para>/etc/shorewall/zones:</para>
<programlisting>#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
<programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
fw firewall
net ipv4</programlisting>
@ -526,7 +523,7 @@ net <emphasis role="bold">venet0 </emphasis> detect dhcp,tc
<para>The network diagram is shown below.</para>
<graphic fileref="images/Network2010.png" />
<graphic fileref="images/Network2010.png"/>
<para>The two systems shown in the green box are OpenVZ Virtual
Environments (containers).</para>
@ -768,8 +765,7 @@ NAME="server"
<para><filename><filename>/etc/shorewall/zones</filename>:</filename></para>
<programlisting>#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
<programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
fw firewall
net ipv4 #Internet
loc ipv4 #Local wired Zone
@ -783,10 +779,10 @@ INT_IF=eth1
<emphasis role="bold">VPS_IF=vzbr0</emphasis>
...</programlisting>
<para><filename>/etc/shorewall/interfaces</filename>:<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net $NET_IF detect dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartions=0
loc $INT_IF detect dhcp,logmartians=1,routefilter=1,nets=(172.20.1.0/24),tcpflags
dmz $VPS_IF detect logmartians=0,routefilter=0,nets=(206.124.146.177,206.124.146.178),routeback
<para><filename>/etc/shorewall/interfaces</filename>:<programlisting>#ZONE INTERFACE OPTIONS
net $NET_IF dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartions=0
loc $INT_IF dhcp,logmartians=1,routefilter=1,nets=(172.20.1.0/24),tcpflags
dmz $VPS_IF logmartians=0,routefilter=0,nets=(206.124.146.177,206.124.146.178),routeback
...</programlisting></para>
<para><filename>/etc/shorewall/proxyarp:</filename></para>
@ -813,15 +809,14 @@ dmz $VPS_IF detect logmartians=0,routefilter=0,nets
<para><filename>/etc/shorewall/zones:</filename></para>
<programlisting>#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
<programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
fw firewall
net ipv4</programlisting>
<para><filename>/etc/shorewall/interfaces:</filename></para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net <emphasis role="bold">eth0 </emphasis> detect dhcp,tcpflags,logmartians,nosmurfs</programlisting>
<programlisting>#ZONE INTERFACE OPTIONS
net <emphasis role="bold">eth0 </emphasis> dhcp,tcpflags,logmartians,nosmurfs</programlisting>
</section>
</section>
</article>

30
docs/PacketMarking.xml
View File

@ -178,8 +178,8 @@ tcp 6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
<itemizedlist>
<listitem>
<para>Rules are conditionally executed based on whether the current
packet matches the contents of the SOURCE, DEST, PROTO, PORT(S),
CLIENT PORT(S_, USER, TEST, LENGTH and TOS columns.</para>
packet matches the contents of the SOURCE, DEST, PROTO, DPORT, SPORT,
USER, TEST, LENGTH and TOS columns.</para>
</listitem>
<listitem>
@ -352,7 +352,7 @@ tcp 6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
<para>The relationship between these options is shown in this
diagram.</para>
<graphic align="left" fileref="images/MarkGeometry.png" valign="top" />
<graphic align="left" fileref="images/MarkGeometry.png" valign="top"/>
<para>The default values of these options are determined by the settings
of other options as follows:</para>
@ -476,8 +476,7 @@ tcp 6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
<para>Here's the example (slightly expanded) from the comments at the top
of the <filename>/etc/shorewall/mangle</filename> file.</para>
<programlisting>#ACTION SOURCE DEST PROTO PORT(S) CLIENT USER TEST LENGTH TOS
# PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS
MARK(1) 0.0.0.0/0 0.0.0.0/0 icmp echo-request #Rule 1
MARK(1) 0.0.0.0/0 0.0.0.0/0 icmp echo-reply #Rule 2
MARK(1) $FW 0.0.0.0/0 icmp echo-request #Rule 3
@ -486,8 +485,7 @@ MARK(1) $FW 0.0.0.0/0 icmp echo-reply #R
RESTORE 0.0.0.0/0 0.0.0.0/0 all - - - 0 #Rule 5
CONTINUE 0.0.0.0/0 0.0.0.0/0 all - - - !0 #Rule 6
MARK(4) 0.0.0.0/0 0.0.0.0/0 ipp2p:all #Rule 7
SAVE 0.0.0.0/0 0.0.0.0/0 all - - - !0 #Rule 8
##LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
SAVE 0.0.0.0/0 0.0.0.0/0 all - - - !0 #Rule 8</programlisting>
<para>Let's take a look at each rule:</para>
@ -554,33 +552,25 @@ SAVE 0.0.0.0/0 0.0.0.0/0 all - - - !0 #R
<filename>/etc/shorewall/providers</filename>:</para>
<programlisting>#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
Blarg 1 0x100 main eth3 206.124.146.254 track,balance br0,eth1
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
</programlisting>
Blarg 1 0x100 main eth3 206.124.146.254 track,balance br0,eth1</programlisting>
<para>Here is <filename>/etc/shorewall/mangle</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO PORT(S) SOURCE USER TEST
# PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
CLASSIFY(1:110) 192.168.0.0/22 eth3 #Our internal nets get priority
#over the server
CLASSIFY(1:130) 206.124.146.177 eth3 tcp - 873
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
</programlisting>
CLASSIFY(1:130) 206.124.146.177 eth3 tcp - 873</programlisting>
<para>And here is <filename>/etc/shorewall/tcdevices</filename> and
<filename>/etc/shorewall/tcclasses</filename>:</para>
<programlisting>#INTERFACE IN-BANDWITH OUT-BANDWIDTH
<programlisting>#INTERFACE IN_BANDWITH OUT_BANDWIDTH
eth3 1.3mbit 384kbit
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
eth3 10 full full 1 tcp-ack,tos-minimize-delay
eth3 20 9*full/10 9*full/10 2 default
eth3 30 6*full/10 6*full/10 3
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
</programlisting>
eth3 30 6*full/10 6*full/10 3</programlisting>
<para>I've annotated the following output with comments beginning with
"&lt;&lt;&lt;&lt;" and ending with "&gt;&gt;&gt;&gt;". This example uses

14
docs/PortKnocking.xml
View File

@ -131,13 +131,13 @@ add_rule( $chainref, '-p tcp --dport 1601 -m recent --name
Internet, add this rule in
<filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT
SSHKnock net $FW tcp 22,1599,1600,1601</programlisting>
<para>If you want to log the DROPs and ACCEPTs done by SSHKnock, you
can just add a log level as in:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT
SSHKnock:info net $FW tcp 22,1599,1600,1601</programlisting>
</listitem>
@ -146,18 +146,16 @@ SSHKnock:info net $FW tcp 22,1599,1600,1601<
206.124.146.178 to internal system 192.168.1.5. In
/etc/shorewall/rules:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
# PORT(S) DEST
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
DNAT- net 192.168.1.5 tcp 22 - 206.124.146.178
SSHKnock net $FW tcp 1599,1600,1601
SSHKnock net loc:192.168.1.5 tcp 22 - 206.124.146.178</programlisting>
<note>
<para>You can use SSHKnock with DNAT on earlier releases provided
that you omit the ORIGINAL DEST entry on the second SSHKnock rule.
This rule will be quite secure provided that you specify
'routefilter' on your external interface and have
NULL_ROUTE_RFC1918=Yes in
that you omit the ORIGDEST entry on the second SSHKnock rule. This
rule will be quite secure provided that you specify 'routefilter' on
your external interface and have NULL_ROUTE_RFC1918=Yes in
<filename>shorewall.conf</filename>.</para>
</note>
</listitem>

7
docs/ProxyARP.xml
View File

@ -84,7 +84,7 @@
<para>The following figure represents a Proxy ARP environment.</para>
<graphic align="center" fileref="images/proxyarp.png" />
<graphic align="center" fileref="images/proxyarp.png"/>
<para>Proxy ARP can be used to make the systems with addresses
130.252.100.18 and 130.252.100.19 appear to be on the upper
@ -129,7 +129,7 @@
irrelevant, one approach you can take is to make that address the same as
the address of your external interface!</para>
<graphic align="center" fileref="images/proxyarp1.png" />
<graphic align="center" fileref="images/proxyarp1.png"/>
<para>In the diagram above, <filename class="devicefile">eth1</filename>
has been given the address 130.252.100.17, the same as
@ -142,8 +142,7 @@
you have configured to be in the <emphasis role="bold">loc</emphasis> zone
then you would need this entry in /etc/shorewall/rules:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT
<programlisting>#ACTION SOURCE DEST PROTO DPORT
ACCEPT net loc:130.252.100.19 tcp 80</programlisting>
<warning>

120
docs/QOSExample.xml
View File

@ -213,8 +213,7 @@ ip link set ifb0 up</programlisting>
<para>The tcdevices file describes the two devices:</para>
<programlisting>#NUMBER: IN-BANDWITH OUT-BANDWIDTH OPTIONS REDIRECTED
#INTERFACE INTERFACES
<programlisting>#NUMBER: IN_BANDWITH OUT_BANDWIDTH OPTIONS REDIRECT
1:eth0 - ${UPLOAD}kbit hfsc,linklayer=ethernet,overhead=0
2:ifb0 - ${DOWNLOAD}kbit hfsc eth0</programlisting>
</section>
@ -225,67 +224,66 @@ ip link set ifb0 up</programlisting>
<para>The tcclasses file defines the class hierarchy for both
devices:</para>
<programlisting>#IFACE: MARK RATE: CEIL PRIORITY OPTIONS
#CLASS DMAX:UMAX
1 1 ${UP_SC_VOIP_RATE}kbit:\
${UP_SC_VOIP_DMAX}:\
${UP_SC_VOIP_UMAX} ${UP_UL_VOIP_RATE}kbit 1
<programlisting>#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
1 1 ${UP_SC_VOIP_RATE}kbit:\
${UP_SC_VOIP_DMAX}:\
${UP_SC_VOIP_UMAX} ${UP_UL_VOIP_RATE}kbit 1
1 2 ${UP_RT_PRIO_RATE}kbit:\
${UP_RT_PRIO_DMAX}:\
${UP_RT_PRIO_UMAX} ${UP_LS_PRIO_RATE}kbit:\
${UP_UL_PRIO_RATE}kbit 1
1 2 ${UP_RT_PRIO_RATE}kbit:\
${UP_RT_PRIO_DMAX}:\
${UP_RT_PRIO_UMAX} ${UP_LS_PRIO_RATE}kbit:\
${UP_UL_PRIO_RATE}kbit 1
1 3 - ${UP_LS_NORMAL_RATE}kbit:\
${UP_UL_NORMAL_RATE}kbit 1 red=(limit=$UP_NORMAL_RED_limit,\
min=$UP_NORMAL_RED_min,\
max=$UP_NORMAL_RED_max,\
burst=$UP_NORMAL_RED_burst,\
probability=$UP_NORMAL_RED_PROB,\
ecn)
1 4 - ${UP_LS_P2P_RATE}kbit:\
${UP_UL_P2P_RATE}kbit 1 red=(limit=$UP_P2P_RED_limit,\
min=$UP_P2P_RED_min,\
max=$UP_P2P_RED_max,\
burst=$UP_P2P_RED_burst,\
probability=$UP_P2P_RED_PROB,\
ecn)
1 5 - ${UP_LS_BULK_RATE}kbit:\
${UP_UL_BULK_RATE}kbit 1 default,\
red=(limit=$UP_BULK_RED_limit,\
min=$UP_BULK_RED_min,\
max=$UP_BULK_RED_max,\
burst=$UP_BULK_RED_burst,\
probability=$UP_BULK_RED_PROB,\
ecn)
1 3 - ${UP_LS_NORMAL_RATE}kbit:\
${UP_UL_NORMAL_RATE}kbit 1 red=(limit=$UP_NORMAL_RED_limit,\
min=$UP_NORMAL_RED_min,\
max=$UP_NORMAL_RED_max,\
burst=$UP_NORMAL_RED_burst,\
probability=$UP_NORMAL_RED_PROB,\
ecn)
1 4 - ${UP_LS_P2P_RATE}kbit:\
${UP_UL_P2P_RATE}kbit 1 red=(limit=$UP_P2P_RED_limit,\
min=$UP_P2P_RED_min,\
max=$UP_P2P_RED_max,\
burst=$UP_P2P_RED_burst,\
probability=$UP_P2P_RED_PROB,\
ecn)
1 5 - ${UP_LS_BULK_RATE}kbit:\
${UP_UL_BULK_RATE}kbit 1 default,\
red=(limit=$UP_BULK_RED_limit,\
min=$UP_BULK_RED_min,\
max=$UP_BULK_RED_max,\
burst=$UP_BULK_RED_burst,\
probability=$UP_BULK_RED_PROB,\
ecn)
2:10 - ${UP_SC_VOIP_RATE}kbit:\
${UP_SC_VOIP_DMAX}:\
${UP_SC_VOIP_UMAX} ${UP_UL_VOIP_RATE}kbit 1
2:10 - ${UP_SC_VOIP_RATE}kbit:\
${UP_SC_VOIP_DMAX}:\
${UP_SC_VOIP_UMAX} ${UP_UL_VOIP_RATE}kbit 1
2:20 - ${DOWN_RT_PRIO_RATE}kbit:\
${DOWN_RT_PRIO_DMAX}:\
${DOWN_RT_PRIO_UMAX} ${DOWN_UL_PRIO_RATE}kbit 1
2:20 - ${DOWN_RT_PRIO_RATE}kbit:\
${DOWN_RT_PRIO_DMAX}:\
${DOWN_RT_PRIO_UMAX} ${DOWN_UL_PRIO_RATE}kbit 1
2:30 - - ${DOWN_LS_NORMAL_RATE}kbit:\
${DOWN_UL_NORMAL_RATE}kbit 1 red=(limit=$DOWN_NORMAL_RED_limit,\
min=$DOWN_NORMAL_RED_min,\
max=$DOWN_NORMAL_RED_max,\
burst=$DOWN_NORMAL_RED_burst,\
probability=$DOWN_NORMAL_RED_PROB)
2:40 - - ${DOWN_LS_P2P_RATE}kbit:\
${DOWN_UL_P2P_RATE}kbit 1 red=(limit=$DOWN_P2P_RED_limit,\
min=$DOWN_P2P_RED_min,\
max=$DOWN_P2P_RED_max,\
burst=$DOWN_P2P_RED_burst,\
probability=$DOWN_P2P_RED_PROB)
2:50 - - ${DOWN_LS_BULK_RATE}kbit:\
${DOWN_UL_BULK_RATE}kbit 1 default,\
red=(limit=$DOWN_BULK_RED_limit,\
min=$DOWN_BULK_RED_min,\
max=$DOWN_BULK_RED_max,\
burst=$DOWN_BULK_RED_burst,\
probability=$DOWN_BULK_RED_PROB)</programlisting>
2:30 - - ${DOWN_LS_NORMAL_RATE}kbit:\
${DOWN_UL_NORMAL_RATE}kbit 1 red=(limit=$DOWN_NORMAL_RED_limit,\
min=$DOWN_NORMAL_RED_min,\
max=$DOWN_NORMAL_RED_max,\
burst=$DOWN_NORMAL_RED_burst,\
probability=$DOWN_NORMAL_RED_PROB)
2:40 - - ${DOWN_LS_P2P_RATE}kbit:\
${DOWN_UL_P2P_RATE}kbit 1 red=(limit=$DOWN_P2P_RED_limit,\
min=$DOWN_P2P_RED_min,\
max=$DOWN_P2P_RED_max,\
burst=$DOWN_P2P_RED_burst,\
probability=$DOWN_P2P_RED_PROB)
2:50 - - ${DOWN_LS_BULK_RATE}kbit:\
${DOWN_UL_BULK_RATE}kbit 1 default,\
red=(limit=$DOWN_BULK_RED_limit,\
min=$DOWN_BULK_RED_min,\
max=$DOWN_BULK_RED_max,\
burst=$DOWN_BULK_RED_burst,\
probability=$DOWN_BULK_RED_PROB)</programlisting>
</section>
<section>
@ -293,8 +291,7 @@ ip link set ifb0 up</programlisting>
<para>The mangle file classifies upload packets:</para>
<programlisting>#MARK SOURCE DEST PROTO DEST SOURCE USER TEST
# PORT(S) PORT(S)
<programlisting>#MARK SOURCE DEST PROTO DPORT SPORT USER TEST
RESTORE:T - - - - - - !0:C
CONTINUE:T - - - - - - !0
2:T - - icmp
@ -319,8 +316,7 @@ SAVE:T - - - - - -
<para>The tcfilters file classifies download packets:</para>
<programlisting>#INTERFACE: SOURCE DEST PROTO DEST SOURCE TOS LENGTH
#CLASS PORT(S) PORT(S)
<programlisting>#INTERFACE: SOURCE DEST PROTO DPORT SPORT TOS LENGTH
#
# These classify download traffic
#

11
docs/Shorewall-5.xml
View File

@ -240,15 +240,15 @@
</listitem>
<listitem>
<para>DEST PORT(S)</para>
<para>DPORT</para>
</listitem>
<listitem>
<para>SOURCE PORT(S)</para>
<para>SPORT</para>
</listitem>
<listitem>
<para>ORIGINAL DEST</para>
<para>ORIGDEST</para>
</listitem>
<listitem>
@ -284,8 +284,9 @@
</listitem>
</itemizedlist>
<para>Notice that the first five columns of both sets are the
same.</para>
<para>Notice that the first five columns of both sets are the same
(although the port-valued column names have changed, the contents are
the same).</para>
<para>In Shorewall 5, support for format-1 macros and actions has been
dropped and all macros and actions will be processed as if ?FORMAT 2

65
docs/Shorewall_Squid_Usage.xml
View File

@ -163,8 +163,7 @@ httpd_accel_uses_host_header on</programlisting>
<para>In <filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
# PORT(S) DEST
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
ACCEPT $FW net tcp www
REDIRECT loc 3128 tcp www - !206.124.146.177
</programlisting>
@ -175,10 +174,9 @@ REDIRECT loc 3128 tcp www - !206.124.146.
Squid.</para>
<para>If needed, you may just add the additional hosts/networks to the
ORIGINAL DEST column in your REDIRECT rule.</para>
ORIGDEST column in your REDIRECT rule.</para>
<para><filename>/etc/shorewall/rules</filename>:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
# PORT(S) DEST
<para><filename>/etc/shorewall/rules</filename>:<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
REDIRECT loc 3128 tcp www - !206.124.146.177,130.252.100.0/24</programlisting></para>
<para>People frequently ask <emphasis>How can I exclude certain
@ -188,8 +186,7 @@ REDIRECT loc 3128 tcp www - !206.124.146.
<para>Suppose that you want to exclude 192.168.1.5 and 192.168.1.33
from the proxy. Your rules would then be:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
# PORT(S) DEST
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
ACCEPT $FW net tcp www
REDIRECT loc:!192.168.1.5,192.168.1.33\
3128 tcp www - !206.124.146.177,130.252.100.0/24
@ -215,8 +212,7 @@ gateway:/etc/shorewall# </programlisting>
role="bold">(squid)</emphasis> is running under the <emphasis
role="bold">proxy</emphasis> user Id. We add these rules:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL RATE USER/
# PORT(S) DEST LIMIT GROUP
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
ACCEPT $FW net tcp www
REDIRECT $FW 3128 tcp www - - - <emphasis
role="bold"> !proxy</emphasis></programlisting>
@ -242,18 +238,16 @@ Squid 1 202 - eth1 192.168.1.3 loose,no
<listitem>
<para>In <filename>/etc/shorewall/mangle</filename> add:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
MARK(202):P eth1:!192.168.1.3 0.0.0.0/0 tcp 80</programlisting>
<para>If you are still using a tcrules file, you should consider
switching to using a mangle file (<command>shorewall update
-t</command> (<command>shorewall update</command> on
Shorewall 5.0 and later) will do that for you). Corresponding
-t</command> (<command>shorewall update</command> on Shorewall 5.0
and later) will do that for you). Corresponding
/etc/shorewall/tcrules entries are:</para>
<programlisting>#MARK SOURCE DEST PROTO DEST
# PORT(S)
<programlisting>#MARK SOURCE DEST PROTO DPORT
202:P eth1:!192.168.1.3 0.0.0.0/0 tcp 80</programlisting>
</listitem>
@ -261,8 +255,8 @@ MARK(202):P eth1:!192.168.1.3 0.0.0.0/0 tcp 80</programlisting>
<para>In <filename> <filename>/etc/shorewall/interfaces</filename>
</filename>:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
loc eth1 detect <emphasis role="bold">routeback,routefilter=0,logmartians=0</emphasis> </programlisting>
<programlisting>#ZONE INTERFACE OPTIONS
loc eth1 <emphasis role="bold">routeback,routefilter=0,logmartians=0</emphasis> </programlisting>
</listitem>
<listitem>
@ -294,8 +288,7 @@ loc eth1 detect <emphasis role="bold">routeback,routefilter=0,
<para>In <filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
# PORT(S) DEST
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
DNAT loc dmz:192.0.2.177:3128 tcp 80 - !192.0.2.177</programlisting>
</section>
@ -316,14 +309,12 @@ Squid 1 202 - eth2 192.0.2.177 loose,no
<listitem>
<para>In <filename>/etc/shorewall/mangle</filename> add:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT
MARK(202):P eth1 0.0.0.0/0 tcp 80</programlisting>
<para>Corresponding /etc/shorewall/tcrules entries are:</para>
<programlisting>#MARK SOURCE DEST PROTO DEST
# PORT(S)
<programlisting>#MARK SOURCE DEST PROTO DPORT
202:P eth1 0.0.0.0/0 tcp 80</programlisting>
</listitem>
@ -331,8 +322,8 @@ MARK(202):P eth1 0.0.0.0/0 tcp 80</programlisting>
<para>In <filename> <filename>/etc/shorewall/interfaces</filename>
</filename>:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
loc eth2 detect <emphasis role="bold">routefilter=0,logmartians=0</emphasis> </programlisting>
<programlisting>#ZONE INTERFACE OPTIONS
loc eth2 <emphasis role="bold">routefilter=0,logmartians=0</emphasis> </programlisting>
</listitem>
<listitem>
@ -363,7 +354,7 @@ loc eth2 detect <emphasis role="bold">routefilter=0,logmartian
<para><filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT
ACCEPT Z SZ tcp SP
ACCEPT SZ net tcp 80,443</programlisting>
@ -371,7 +362,7 @@ ACCEPT SZ net tcp 80,443</programlisting>
<title>Squid on the firewall listening on port 8080 with access from the
<quote>loc</quote> zone:</title>
<para><filename>/etc/shorewall/rules:</filename> <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
<para><filename>/etc/shorewall/rules:</filename> <programlisting>#ACTION SOURCE DEST PROTO DPORT
ACCEPT loc $FW tcp 8080
ACCEPT $FW net tcp 80,443</programlisting></para>
</example>
@ -406,8 +397,8 @@ ACCEPT $FW net tcp 80,443</programlisting></para>
<para><filename>/etc/shorewall/interfaces:</filename></para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
- lo - -</programlisting>
<programlisting>#ZONE INTERFACE OPTIONS
- lo -</programlisting>
<para><filename>/etc/shorewall/providers</filename>:</para>
@ -422,17 +413,13 @@ Tproxy 1 - - lo - tproxy</programli
<para><filename>/etc/shorewall/mangle</filename> (assume loc interface is
eth1 and net interface is eth0):</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE
# PORT(S) PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT
DIVERT eth0 0.0.0.0/0 tcp - 80
TPROXY(3129) eth1 0.0.0.0/0 tcp 80</programlisting>
<para>Corresponding <filename>/etc/shorewall/tcrules</filename>
are:</para>
<para>Corresponding <filename>/etc/shorewall/mangle</filename> are:</para>
<programlisting><emphasis role="bold">FORMAT 2</emphasis>
#MARK SOURCE DEST PROTO DEST SOURCE
# PORT(S) PORT(S)
<programlisting>#MARK SOURCE DEST PROTO DPORT SPORT
DIVERT eth0 0.0.0.0/0 tcp - 80
TPROXY(3129) eth1 0.0.0.0/0 tcp 80</programlisting>
@ -445,16 +432,14 @@ TPROXY(3129) eth1 0.0.0.0/0 tcp 80</programlisting>
on port 80, then you need to exclude it from TPROXY. Suppose that your
web server listens on 192.0.2.144; then:</para>
<programlisting><emphasis role="bold">FORMAT 2</emphasis>
#MARK SOURCE DEST PROTO DEST SOURCE
# PORT(S) PORT(S)
<programlisting>#MARK SOURCE DEST PROTO DPORT SPORT
DIVERT eth0 0.0.0.0/0 tcp - 80
TPROXY(3129) eth1 !192.0.2.144 tcp 80 -</programlisting>
</note>
<para>/etc/shorewall/rules:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT
ACCEPT loc $FW tcp 80
ACCEPT $FW net tcp 80</programlisting>

25
docs/Shorewall_and_Aliased_Interfaces.xml
View File

@ -166,7 +166,7 @@ iface eth0 inet static
<example id="SSH">
<title>allow SSH from net to eth0:0 above</title>
<para><optional><filename>/etc/shorewall/rules</filename></optional><programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
<para><optional><filename>/etc/shorewall/rules</filename></optional><programlisting>#ACTION SOURCE DEST PROTO DPORT
ACCEPT net $FW:206.124.146.178 tcp 22</programlisting></para>
</example>
</section>
@ -179,15 +179,14 @@ ACCEPT net $FW:206.124.146.178 tcp 22</programlisting></para>
zone at 192.168.1.3. That is accomplished by a single rule in the
<filename>/etc/shorewall/rules</filename> file:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
# PORT(S) DEST
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
DNAT net loc:192.168.1.3 tcp 80 - 206.124.146.178 </programlisting>
<para>If I wished to forward tcp port 10000 on that virtual interface to
port 22 on local host 192.168.1.3, the rule would be:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
# PORT(S) DEST
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
DNAT net loc:192.168.1.3 tcp 80 - 206.124.146.178
DNAT net loc:192.168.1.3:22 tcp 10000 - 206.124.146.178 </programlisting>
</section>
@ -202,7 +201,7 @@ DNAT net loc:192.168.1.3:22 tcp 10000 - 20
eth0 192.168.1.0/24 206.124.146.178</programlisting>
<para>Similarly, you want SMTP traffic from local system 192.168.1.22 to
have source IP 206.124.146.178:<programlisting>#INTERFACE SUBNET ADDRESS PROTO DEST PORT(S)
have source IP 206.124.146.178:<programlisting>#INTERFACE SUBNET ADDRESS PROTO DPORT
eth0 192.168.1.22 206.124.146.178 tcp 25</programlisting></para>
<para>Shorewall can create the alias (additional address) for you if you
@ -246,7 +245,7 @@ eth0:2 = 206.124.146.180</programlisting>
would have the following in
<filename>/etc/shorewall/nat</filename>:</para>
<programlisting>#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL
<programlisting>#EXTERNAL INTERFACE INTERNAL ALL_INTERFACES LOCAL
206.124.146.178 eth0 192.168.1.3 no no</programlisting>
<para>Shorewall can create the alias (additional address) for you if you
@ -263,7 +262,7 @@ eth0:2 = 206.124.146.180</programlisting>
setting ADD_IP_ALIASES=Yes, you specify the virtual interface name in
the INTERFACE column as follows.</para>
<para><filename>/etc/shorewall/nat</filename><programlisting>#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL
<para><filename>/etc/shorewall/nat</filename><programlisting>#EXTERNAL INTERFACE INTERNAL ALL_INTERFACES LOCAL
206.124.146.178 eth0:0 192.168.1.3 no no</programlisting></para>
<para>In either case, to create rules in
@ -275,7 +274,7 @@ eth0:2 = 206.124.146.180</programlisting>
<title>You want to allow SSH from the net to 206.124.146.178 a.k.a.
192.168.1.3.</title>
<para><programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
<para><programlisting>#ACTION SOURCE DEST PROTO DPORT
ACCEPT net loc:192.168.1.3 tcp 22</programlisting></para>
</example>
</section>
@ -305,8 +304,8 @@ loc ipv4</programlisting>
<para>In <filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
loc eth1 - <emphasis role="bold">routeback</emphasis> </programlisting>
<programlisting>#ZONE INTERFACE OPTIONS
loc eth1 <emphasis role="bold">routeback</emphasis> </programlisting>
<para>In <filename>/etc/shorewall/rules</filename>, simply specify
ACCEPT rules for the traffic that you want to permit.</para>
@ -327,8 +326,8 @@ loc2 ipv4</programlisting>
<para>In <filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
- eth1 - </programlisting>
<programlisting>#ZONE INTERFACE OPTIONS
- eth1 </programlisting>
<para>In <filename>/etc/shorewall/hosts</filename>:</para>

5
docs/Shorewall_and_Routing.xml
View File

@ -68,7 +68,7 @@
<para>The following diagram shows the relationship between routing
decisions and Netfilter.</para>
<graphic align="center" fileref="images/Netfilter.png" />
<graphic align="center" fileref="images/Netfilter.png"/>
<para>The light blue boxes indicate where routing decisions are made. Upon
exit from one of these boxes, if the packet is being sent to another
@ -208,8 +208,7 @@
<para><filename>/etc/shorewall/proxyarp</filename>:</para>
<programlisting>#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
206.124.146.177 eth1 eth0 No
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
206.124.146.177 eth1 eth0 No</programlisting>
<para>The above entry will cause Shorewall to execute the following
command:</para>

23
docs/SimpleBridge.xml
View File

@ -86,7 +86,7 @@
<para>The following diagram shows a firewall for two bridged LAN
segments.</para>
<graphic align="center" fileref="images/SimpleBridge.png" valign="middle" />
<graphic align="center" fileref="images/SimpleBridge.png" valign="middle"/>
<para>This is fundamentally the Two-interface Firewall described in the
<ulink url="two-interface.htm">Two-interface Quickstart Guide</ulink>. The
@ -108,10 +108,11 @@
<para><filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect ...
loc <emphasis role="bold">br0</emphasis> 10.0.1.255 <emphasis
role="bold">routeback</emphasis>,...</programlisting>
<programlisting>?FORMAT 2
#ZONE INTERFACE OPTIONS
net eth0 ...
loc <emphasis role="bold">br0</emphasis> <emphasis
role="bold">routeback,bridge</emphasis>,...</programlisting>
<para>So the key points here are:</para>
@ -128,8 +129,9 @@ loc <emphasis role="bold">br0</emphasis> 10.0.1.255 <
</listitem>
<listitem>
<para>The <emphasis role="bold">routeback</emphasis> option is
specified for <filename class="devicefile">br0</filename>.</para>
<para>The <emphasis role="bold">routeback</emphasis> and <emphasis
role="bold">bridge</emphasis> options is specified for <filename
class="devicefile">br0</filename>.</para>
</listitem>
<listitem>
@ -138,13 +140,6 @@ loc <emphasis role="bold">br0</emphasis> 10.0.1.255 <
</listitem>
</itemizedlist>
<para><emphasis role="bold">Note to Shorewall-perl users</emphasis>: You
should also specify the <emphasis role="bold">bridge</emphasis>
option:<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect ...
loc <emphasis role="bold">br0</emphasis> 10.0.1.255 <emphasis
role="bold">routeback,bridge</emphasis>,...</programlisting></para>
<para>Your entry in <filename>/etc/shorewall/masq</filename> should be
unchanged:</para>

5
docs/UPnP.xml
View File

@ -93,9 +93,8 @@ forward_chain_name = forwardUPnP</programlisting>
<para>Example:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net eth1 detect dhcp,routefilter,tcpflags,<emphasis
role="bold">upnp</emphasis></programlisting>
<programlisting>#ZONE INTERFACE OPTIONS
net eth1 dhcp,routefilter,tcpflags,<emphasis role="bold">upnp</emphasis></programlisting>
<para>If your loc-&gt;fw policy is not ACCEPT then you need this
rule:</para>

12
docs/Universal.xml
View File

@ -202,7 +202,7 @@
<filename>/etc/shorewall/macro.*</filename>, the general format of a
rule in <filename>/etc/shorewall/rules</filename> is:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
&lt;<emphasis>macro</emphasis>&gt;(ACCEPT) net $FW</programlisting>
<important>
@ -214,7 +214,7 @@
<title>You want to run a Web Server and a IMAP Server on your firewall
system:</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
Web(ACCEPT) net $FW
IMAP(ACCEPT)net $FW</programlisting>
</example>
@ -225,14 +225,14 @@ IMAP(ACCEPT)net $FW</programlisting>
general format of a rule in <filename>/etc/shorewall/rules</filename>
is:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
ACCEPT net $FW <emphasis>&lt;protocol&gt;</emphasis> <emphasis>&lt;port&gt;</emphasis></programlisting>
<example id="Example2">
<title>You want to run a Web Server and a IMAP Server on your firewall
system:</title>
<para><programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
<para><programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
ACCEPT net $FW tcp 80
ACCEPT net $FW tcp 143</programlisting></para>
</example>
@ -320,7 +320,7 @@ ACCEPT net $FW tcp 143</programlisting></para>
<para>Then at a root prompt, type:</para>
<blockquote>
<para><command>/sbin/shorewall restart</command></para>
<para><command>/sbin/shorewall reload</command></para>
</blockquote>
</section>
@ -345,7 +345,7 @@ ACCEPT net $FW tcp 143</programlisting></para>
<para>Then at a root prompt, type:</para>
<blockquote>
<para><command>/sbin/shorewall restart</command></para>
<para><command>/sbin/shorewall reload</command></para>
</blockquote>
</section>
</section>

40
docs/VPN.xml
View File

@ -46,7 +46,7 @@
The two most common means for doing this are IPSEC and PPTP. The basic
setup is shown in the following diagram:</para>
<graphic fileref="images/VPN.png" />
<graphic fileref="images/VPN.png"/>
<para>A system with an RFC 1918 address needs to access a remote network
through a remote gateway. For this example, we will assume that the local
@ -87,15 +87,15 @@
<entry align="center">SOURCE</entry>
<entry align="center">DESTINATION</entry>
<entry align="center">DEST</entry>
<entry align="center">PROTOCOL</entry>
<entry align="center">PROTO</entry>
<entry align="center">PORT</entry>
<entry align="center">DPORT</entry>
<entry align="center">CLIENT PORT</entry>
<entry align="center">SPORT</entry>
<entry align="center">ORIGINAL DEST</entry>
<entry align="center">ORIGDEST</entry>
</row>
</thead>
@ -109,11 +109,11 @@
<entry>50</entry>
<entry></entry>
<entry/>
<entry></entry>
<entry/>
<entry></entry>
<entry/>
</row>
<row>
@ -127,9 +127,9 @@
<entry>500</entry>
<entry></entry>
<entry/>
<entry></entry>
<entry/>
</row>
</tbody>
</tgroup>
@ -146,15 +146,15 @@
<entry align="center">SOURCE</entry>
<entry align="center">DESTINATION</entry>
<entry align="center">DEST</entry>
<entry align="center">PROTOCOL</entry>
<entry align="center">PROTO</entry>
<entry align="center">PORT</entry>
<entry align="center">DPORT</entry>
<entry align="center">CLIENT PORT</entry>
<entry align="center">SPORT</entry>
<entry align="center">ORIGINAL DEST</entry>
<entry align="center">ORIGDEST</entry>
</row>
</thead>
@ -170,9 +170,9 @@
<entry>4500</entry>
<entry></entry>
<entry/>
<entry></entry>
<entry/>
</row>
<row>
@ -186,9 +186,9 @@
<entry>500</entry>
<entry></entry>
<entry/>
<entry></entry>
<entry/>
</row>
</tbody>
</tgroup>

37
docs/VPNBasics.xml
View File

@ -115,7 +115,7 @@
<para>Incoming traffic is similar.</para>
<graphic align="center" fileref="images/VPNBasics.png" />
<graphic align="center" fileref="images/VPNBasics.png"/>
</section>
<section id="Shorewall">
@ -203,8 +203,8 @@ loc ipv4
<para><filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTION
net eth0 - tcpflags,routefilter
<programlisting>#ZONE INTERFACE OPTION
net eth0 tcpflags,routefilter
loc eth1 -
<emphasis role="bold">rem ppp0 -</emphasis></programlisting>
</section>
@ -216,7 +216,7 @@ loc eth1 -
client(s) and the local zone. You can do that with a couple of
policies:</para>
<programlisting>#SOURCE DESTINATION POLICY LEVEL BURST/LIMIT
<programlisting>#SOURCE DESTINATION POLICY LOGLEVEL BURST
rem loc ACCEPT
loc rem ACCEPT</programlisting>
@ -259,8 +259,8 @@ rem2 ipv4 #Remote LAN 2</emphasis></programlisting>
<para><filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTION
net eth0 - tcpflags,routefilter
<programlisting>#ZONE INTERFACE OPTION
net eth0 tcpflags,routefilter
loc eth1 -
<emphasis role="bold">- tun+ -</emphasis></programlisting>
@ -291,15 +291,14 @@ rem2 tun+:10.0.1.0/24</emphasis></programlisting>
<para>/<filename>etc/shorewall/tunnels</filename>:</para>
<blockquote>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
ipsec Z1 1.2.3.4 Z2</programlisting>
</blockquote>
<para><filename>/etc/shorewall/rules</filename>:</para>
<blockquote>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE
# PORT PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT
ACCEPT $FW Z1:1.2.3.4 udp 500
ACCEPT Z1:1.2.3.4 $FW udp 500
ACCEPT $FW Z1:1.2.3.4 50
@ -322,15 +321,14 @@ ACCEPT Z2:1.2.3.4 $FW udp 500</programlisting>
<para><filename>/etc/shorewall/tunnels</filename>:</para>
<blockquote>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
pptpserver Z1 1.2.3.4</programlisting>
</blockquote>
<para>/<filename>etc/shorewall/rules</filename>:</para>
<blockquote>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE
# PORT PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT
ACCEPT Z1:1.2.3.4 $FW tcp 1723
ACCEPT $FW Z1:1.2.3.4 47
@ -347,15 +345,14 @@ ACCEPT Z1:1.2.3.4 $FW 47</programlisting>
<para><filename>/etc/shorewall/tunnels</filename>:</para>
<blockquote>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
openvpn:<emphasis>port</emphasis> Z1 1.2.3.4</programlisting>
</blockquote>
<para><filename>/etc/shorewall/rules</filename>:</para>
<blockquote>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE
# PORT PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT
ACCEPT Z1:1.2.3.4 $FW udp <emphasis>port</emphasis>
ACCEPT $FW Z1:1.2.3.4 udp <emphasis>port</emphasis></programlisting>
@ -364,15 +361,14 @@ ACCEPT $FW Z1:1.2.3.4 udp <emphasis>port</emphasis></progr
<para><filename>/etc/shorewall/tunnels</filename>:</para>
<blockquote>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
openvpnclient:<emphasis>port</emphasis> Z1 1.2.3.4</programlisting>
</blockquote>
<para><filename>/etc/shorewall/rules</filename>:</para>
<blockquote>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE
# PORT PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT
ACCEPT Z1:1.2.3.4 $FW udp - <emphasis>port</emphasis>
ACCEPT $FW Z1:1.2.3.4 udp <emphasis>port</emphasis></programlisting>
@ -381,15 +377,14 @@ ACCEPT $FW Z1:1.2.3.4 udp <emphasis>port</emphasis></progr
<para><filename>/etc/shorewall/tunnels</filename>:</para>
<blockquote>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
openvpnserver:<emphasis>port</emphasis> Z1 1.2.3.4</programlisting>
</blockquote>
<para><filename>/etc/shorewall/rules</filename>:</para>
<blockquote>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE
# PORT PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT
ACCEPT Z1:1.2.3.4 $FW udp <emphasis>port</emphasis>
ACCEPT $FW Z1:1.2.3.4 udp - <emphasis>port</emphasis></programlisting>

17
docs/Vserver.xml
View File

@ -122,7 +122,7 @@ gateway:~#</programlisting>
<para>This is a diagram of the network configuration here at Shorewall.net
during the summer of 2010:</para>
<graphic align="center" fileref="images/Network2010a.png" />
<graphic align="center" fileref="images/Network2010a.png"/>
<para>I created a zone for the vservers as follows:</para>
@ -138,8 +138,9 @@ vpn ipv4 #OpenVPN clients
<para><filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
<emphasis role="bold">net eth1 detect routeback,dhcp,optional,routefilter=0,logmartians,proxyarp=0,nosmurfs,upnp</emphasis>
<programlisting>?FORMAT 2
#ZONE INTERFACE OPTIONS
<emphasis role="bold">net eth1 routeback,dhcp,optional,routefilter=0,logmartians,proxyarp=0,nosmurfs,upnp</emphasis>
...</programlisting>
<para><filename>/etc/shorewall/hosts</filename>:</para>
@ -164,8 +165,7 @@ drct eth4:dynamic
<para><filename>/etc/shorewall6/zones</filename></para>
<programlisting>#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
<programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
fw firewall
net ipv6
loc ipv6
@ -175,8 +175,9 @@ vpn ipv6
<para><filename>/etc/shorewall6/interfaces</filename>:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
<emphasis role="bold">net sit1 detect tcpflags,forward=1,nosmurfs,routeback</emphasis>
<programlisting>?FORMAT 2
#ZONE INTERFACE OPTIONS
<emphasis role="bold">net sit1 tcpflags,forward=1,nosmurfs,routeback</emphasis>
...</programlisting>
<para><filename>/etc/shorewall6/hosts</filename>:</para>
@ -204,7 +205,7 @@ vpn ipv6
Proxy NDP support in Shorewall 4.4.16 and later. The new network diagram
is as shown below:</para>
<graphic align="center" fileref="images/Network2011.png" />
<graphic align="center" fileref="images/Network2011.png"/>
<para>This change was accompanied by the following additions to
<filename>/etc/shorewall6/proxyndp</filename>:</para>

86
docs/XenMyWay-Routed.xml
View File

@ -105,7 +105,7 @@
<para>Here is a high-level diagram of our network.</para>
<graphic align="center" fileref="images/Xen5.png" />
<graphic align="center" fileref="images/Xen5.png"/>
<para>As shown in this diagram, the Xen system has three physical network
interfaces. These are:</para>
@ -365,7 +365,7 @@ bootentry = 'hda2:/boot/vmlinuz-xen,/boot/initrd-xen'
<para>With the three Xen domains up and running, the system looks as
shown in the following diagram.</para>
<graphic align="center" fileref="images/Xen4a.png" />
<graphic align="center" fileref="images/Xen4a.png"/>
<para>The zones correspond to the Shorewall zones in the Dom0
configuration.</para>
@ -440,7 +440,7 @@ bootentry = 'hda2:/boot/vmlinuz-xen,/boot/initrd-xen'
a bridged OpenVPN server for the wireless network in our home. Here is
the firewall's view of the network:</para>
<graphic align="center" fileref="images/network4a.png" />
<graphic align="center" fileref="images/network4a.png"/>
<para>The three laptops can be directly attached to the LAN as shown
above or they can be attached wirelessly -- their IP addresses are the
@ -520,21 +520,17 @@ TCP_FLAGS_DISPOSITION=DROP</programlisting>
<para><filename>/etc/shorewall/zones</filename>:</para>
<programlisting>#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
<programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
fw firewall #The firewall itself.
net ipv4 #Internet
loc ipv4 #Local wired Zone
dmz ipv4 #DMZ
vpn ipv4 #Open VPN clients
wifi ipv4 #Local Wireless Zone
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
</programlisting>
wifi ipv4 #Local Wireless Zone</programlisting>
<para><filename>/etc/shorewall/policy</filename>:</para>
<programlisting>#SOURCE DEST POLICY LOG LIMIT:BURST
# LEVEL
<programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
$FW $FW ACCEPT
$FW net ACCEPT
loc net ACCEPT
@ -549,8 +545,7 @@ net $FW DROP $LOG 1/sec:2
net loc DROP $LOG 2/sec:4
net dmz DROP $LOG 8/sec:30
net vpn DROP $LOG
all all REJECT $LOG
#LAST LINE -- DO NOT REMOVE</programlisting>
all all REJECT $LOG</programlisting>
<para><filename>Note that the firewall&lt;-&gt;local network interface
is wide open so from a security point of view, the firewall system is
@ -572,9 +567,7 @@ EXT_IF=eth0
WIFI_IF=eth2
TEST_IF=eth4
OMAK=&lt;IP address at our second home&gt;
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
OMAK=&lt;IP address at our second home&gt;</programlisting>
<para><filename>/etc/shorewall/init</filename>:</para>
@ -591,16 +584,14 @@ loc $TEST_IF detect optional
loc $TEST1_IF detect optional
wifi $WIFI_IF detect dhcp,maclist,mss=1400
vpn tun+ -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</programlisting>
<para><filename>/etc/shorewall/nat</filename>:</para>
<programlisting>#EXTERNAL INTERFACE INTERNAL ALL LOCAL
# INTERFACES
<programlisting>#EXTERNAL INTERFACE INTERNAL ALLINTS LOCAL
COMMENT One-to-one NAT
206.124.146.178 $EXT_IF:0 192.168.1.3 No No
206.124.146.180 $EXT_IF:2 192.168.1.6 No No
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
206.124.146.180 $EXT_IF:2 192.168.1.6 No No</programlisting>
<para><filename>/etc/shorewall/masq (Note the cute trick here and in
the <filename>following proxyarp</filename> file that allows me to
@ -609,7 +600,7 @@ COMMENT One-to-one NAT
rule before the SNAT rules generated by entries in
<filename>/etc/shorewall/nat</filename> above.</para>
<programlisting>#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC
<programlisting>#INTERFACE SOURCE ADDRESS PROTO DPORT IPSEC
COMMENT Handle DSL 'Modem'
+$EXT_IF:192.168.1.1 0.0.0.0/0 192.168.1.254
@ -624,51 +615,36 @@ $EXT_IF:192.168.99.1 192.168.98.1 192.168.1.98
COMMENT Masquerade Local Network
$EXT_IF 192.168.1.0/24 206.124.146.179
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
$EXT_IF 192.168.1.0/24 206.124.146.179</programlisting>
<para><filename>/etc/shorewall/proxyarp</filename>:</para>
<programlisting>#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
192.168.1.1 $EXT_IF $INT_IF yes
206.124.146.177 $DMZ_IF $EXT_IF yes
192.168.1.7 $TEST_IF $INT_IF yes
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
192.168.1.7 $TEST_IF $INT_IF yes</programlisting>
<para><filename>/etc/shorewall/tunnels</filename>:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY
# ZONE
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
openvpnserver:udp net 0.0.0.0/0 #Routed server for RoadWarrior access
openvpnserver:udp wifi 192.168.3.0/24 #Home wireless network server
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
<para><filename>/etc/shorewall/blacklist</filename>:</para>
<programlisting>#ADDRESS/SUBNET PROTOCOL PORT
- udp 1024:1033,1434
- tcp 57,1433,1434,2401,2745,3127,3306,3410,4899,5554,6101,8081,9898
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
openvpnserver:udp wifi 192.168.3.0/24 #Home wireless network server</programlisting>
<para><filename>/etc/shorewall/actions</filename>:</para>
<programlisting>#ACTION
Mirrors # Accept traffic from Shorewall Mirrors
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
Mirrors # Accept traffic from Shorewall Mirrors</programlisting>
<para><filename>/etc/shorewall/action.Mirrors</filename>:</para>
<programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
# PORT PORT(S) DEST LIMIT
ACCEPT $MIRRORS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
<programlisting>#TARGET SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE
ACCEPT $MIRRORS</programlisting>
<para><filename>/etc/shorewall/rules</filename>:</para>
<programlisting>SECTION NEW
###############################################################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
###############################################################################################################################################################################
REJECT:$LOG loc net tcp 25
REJECT:$LOG loc net udp 1025:1031
@ -893,28 +869,24 @@ Ping(ACCEPT) fw dmz
# Avoid logging Freenode.net probes
#
DROP net:82.96.96.3 all
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</programlisting>
<para><filename>/etc/shorewall/tcdevices</filename></para>
<para><filename>etc/shorewall/tcdevices</filename></para>
<programlisting>#INTERFACE IN-BANDWITH OUT-BANDWIDTH
<programlisting>#INTERFACE IN_BANDWITH OUT_BANDWIDTH
$EXT_IF 1300kbit 384kbit
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
</programlisting>
<para><filename>/etc/shorewall/tcclasses</filename><programlisting>#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
$EXT_IF 10 5*full/10 full 1 tcp-ack,tos-minimize-delay
$EXT_IF 20 3*full/10 9*full/10 2 default
$EXT_IF 30 2*full/10 6*full/10 3
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting></para>
$EXT_IF 30 2*full/10 6*full/10 3</programlisting></para>
<para><filename>/etc/shorewall/tcrules</filename><programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
# PORT(S)
1:110 192.168.0.0/22 $EXT_IF #Our internal nets get priority
#over the server
1:130 206.124.146.177 $EXT_IF tcp - 873 #Throttle rsync traffic to the
#Shorewall Mirrors.
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting></para>
<para><filename>/etc/shorewall/mangle</filename><programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
CLASSIFY(1:110) 192.168.0.0/22 $EXT_IF #Our internal nets get priority
#over the server
CLASSIFY(1:130) 206.124.146.177 $EXT_IF tcp - 873 #Throttle rsync traffic to the
#Shorewall Mirrors.</programlisting></para>
</blockquote>
<para>The <filename class="devicefile">tap0</filename> device used by

107
docs/XenMyWay.xml
View File

@ -72,7 +72,7 @@
class="devicefile">xenbr0</filename>) and a number of virtual interfaces
as shown in the following diagram.</para>
<graphic align="center" fileref="images/Xen1.png" />
<graphic align="center" fileref="images/Xen1.png"/>
<para>I use the term <firstterm>Extended Dom0</firstterm> to distinguish
the bridge and virtual interfaces from Dom0 itself. That distinction is
@ -169,7 +169,7 @@
<para>Here is a high-level diagram of our network.</para>
<graphic align="center" fileref="images/Xen5.png" />
<graphic align="center" fileref="images/Xen5.png"/>
<para>As shown in this diagram, the Xen system has three physical network
interfaces. These are:</para>
@ -330,7 +330,7 @@ disk = [ 'phy:hda3,hda3,w' ]</programlisting>
<para>With all three Xen domains up and running, the system looks as
shown in the following diagram.</para>
<graphic align="center" fileref="images/Xen4.png" />
<graphic align="center" fileref="images/Xen4.png"/>
<para>The zones correspond to the Shorewall zones in the firewall DomU
configuration.</para>
@ -430,39 +430,24 @@ done</programlisting>
<blockquote>
<para><filename>/etc/shorewall/zones</filename>:</para>
<programlisting>#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
<programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
fw firewall
loc ipv4
dmz ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
</programlisting>
dmz ipv4</programlisting>
<para><filename>/etc/shorewall/policy</filename> (Note the unusual use
of an ACCEPT all-&gt;all policy):</para>
<programlisting>#SOURCE DEST POLICY LOG LIMIT:BURST
# LEVEL
<programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
dmz all REJECT info
all dmz REJECT info
all all ACCEPT
#LAST LINE -- DO NOT REMOVE</programlisting>
all all ACCEPT</programlisting>
<para><filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
loc xenbr0 192.168.1.255 dhcp,routeback
dmz xenbr1 - routeback
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
<para><filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
dmz xenbr1 - routeback</programlisting>
</blockquote>
</section>
@ -478,7 +463,7 @@ SECTION NEW
for our two laptops and a bridged OpenVPN server for the wireless
network in our home. Here is the firewall's view of the network:</para>
<graphic align="center" fileref="images/network4.png" />
<graphic align="center" fileref="images/network4.png"/>
<para>The two laptops can be directly attached to the LAN as shown above
or they can be attached wirelessly -- their IP addresses are the same in
@ -544,21 +529,17 @@ TCP_FLAGS_DISPOSITION=DROP</programlisting>
<para><filename>/etc/shorewall/zones</filename>:</para>
<programlisting>#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
<programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
fw firewall
net ipv4 #Internet
loc ipv4 #Local wired Zone
dmz ipv4 #DMZ
vpn ipv4 #Open VPN clients
wifi ipv4 #Local Wireless Zone
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
</programlisting>
wifi ipv4 #Local Wireless Zone</programlisting>
<para><filename>/etc/shorewall/policy</filename>:</para>
<programlisting>#SOURCE DEST POLICY LOG LIMIT:BURST
# LEVEL
<programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
$FW $FW ACCEPT
$FW net ACCEPT
loc net ACCEPT
@ -573,8 +554,7 @@ net $FW DROP $LOG 1/sec:2
net loc DROP $LOG 2/sec:4
net dmz DROP $LOG 8/sec:30
net vpn DROP $LOG
all all REJECT $LOG
#LAST LINE -- DO NOT REMOVE</programlisting>
all all REJECT $LOG</programlisting>
<para><filename>/etc/shorewall/params (edited)</filename>:</para>
@ -591,9 +571,7 @@ DMZ_IF=eth1
EXT_IF=eth3
WIFI_IF=eth4
OMAK=&lt;IP address at our second home&gt;
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
OMAK=&lt;IP address at our second home&gt;</programlisting>
<para><filename>/etc/shorewall/init</filename>:</para>
@ -607,15 +585,14 @@ dmz $DMZ_IF 192.168.0.255 logmartians
loc $INT_IF 192.168.1.255 dhcp,routeback,logmartians
wifi $WIFI_IF 192.168.3.255 dhcp,maclist
vpn tun+ -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</programlisting>
<para><filename>/etc/shorewall/nat</filename>:</para>
<programlisting>#EXTERNAL INTERFACE INTERNAL ALL LOCAL
# INTERFACES
<programlisting>#EXTERNAL INTERFACE INTERNAL ALLINTS LOCAL
206.124.146.178 $EXT_IF 192.168.1.3 No No #Wookie
206.124.146.180 $EXT_IF 192.168.1.6 No No #Work LapTop
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</programlisting>
<para><filename>/etc/shorewall/masq (Note the cute trick here and in
the <filename>following proxyarp</filename> file that allows me to
@ -624,45 +601,39 @@ vpn tun+ -
rule before the SNAT rules generated by entries in
<filename>/etc/shorewall/nat</filename> above.</para>
<programlisting>#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
<programlisting>#INTERFACE SUBNET ADDRESS PROTO DPORT IPSEC
+$EXT_IF:192.168.1.1 0.0.0.0/0 192.168.1.254
$EXT_IF 192.168.0.0/22 206.124.146.179
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
$EXT_IF 192.168.0.0/22 206.124.146.179</programlisting>
<para><filename>/etc/shorewall/proxyarp</filename>:</para>
<programlisting>#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
192.168.1.1 $EXT_IF $INT_IF yes
206.124.146.177 $DMZ_IF $EXT_IF yes
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
206.124.146.177 $DMZ_IF $EXT_IF yes</programlisting>
<para><filename>/etc/shorewall/tunnels</filename>:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY
# ZONE
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
openvpnserver:udp net 0.0.0.0/0 #Routed server for RoadWarrior access
openvpnserver:udp wifi 192.168.3.0/24 #Home wireless network server
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</programlisting>
<para><filename>/etc/shorewall/actions</filename>:</para>
<programlisting>#ACTION
Mirrors # Accept traffic from Shorewall Mirrors
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
</programlisting>
<para><filename>/etc/shorewall/action.Mirrors</filename>:</para>
<programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
# PORT PORT(S) DEST LIMIT
ACCEPT $MIRRORS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
<programlisting>#TARGET SOURCE DEST PROTO PORT SPORT ORIGDEST RATE
ACCEPT $MIRRORS</programlisting>
<para><filename>/etc/shorewall/rules</filename>:</para>
<programlisting>SECTION NEW
<programlisting>?SECTION NEW
###############################################################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
###############################################################################################################################################################################
REJECT:$LOG loc net tcp 25
REJECT:$LOG loc net udp 1025:1031
@ -815,28 +786,24 @@ Ping(ACCEPT) fw dmz
# Avoid logging Freenode.net probes
#
DROP net:82.96.96.3 all
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</programlisting>
<para><filename>/etc/shorewall/tcdevices</filename></para>
<programlisting>#INTERFACE IN-BANDWITH OUT-BANDWIDTH
$EXT_IF 1300kbit 384kbit
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
</programlisting>
<programlisting>#INTERFACE IN_BANDWITH OUT_BANDWIDTH
$EXT_IF 1300kbit 384kbit</programlisting>
<para><filename>/etc/shorewall/tcclasses</filename><programlisting>#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
$EXT_IF 10 5*full/10 full 1 tcp-ack,tos-minimize-delay
$EXT_IF 20 3*full/10 9*full/10 2 default
$EXT_IF 30 2*full/10 6*full/10 3
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting></para>
$EXT_IF 30 2*full/10 6*full/10 3</programlisting></para>
<para><filename>/etc/shorewall/tcrules</filename><programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
# PORT(S)
1:110 192.168.0.0/22 $EXT_IF #Our internal nets get priority
#over the server
1:130 206.124.146.177 $EXT_IF tcp - 873 #Throttle rsync traffic to the
#Shorewall Mirrors.
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting></para>
<para><filename>/etc/shorewall/mangle</filename><programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
CLASSIFY(1:110) 192.168.0.0/22 $EXT_IF #Our internal nets get priority
#over the server
CLASSIFY(1:130) 206.124.146.177 $EXT_IF tcp - 873 #Throttle rsync traffic to the
#Shorewall Mirrors.
</programlisting></para>
</blockquote>
<para>The tap0 device used by the bridged OpenVPN server is bridged to

290
docs/blacklisting_support.xml
View File

@ -85,14 +85,13 @@
url="manpages/shorewall-blrules.html">shorewall-blrules</ulink> (5)).
There you have access to the DROP, ACCEPT, REJECT and WHITELIST actions,
standard and custom macros as well as standard and custom actions. See
<ulink url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5) for
details.</para>
<ulink url="manpages/shorewall-rules.html">shorewall-blrules</ulink> (5)
for details.</para>
<para>Example:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST
# PORTS(S)
SECTION BLACKLIST
<programlisting>#ACTION SOURCE DEST PROTO DPORT
WHITELIST net:70.90.191.126 all
DROP net all udp 1023:1033,1434,5948,23773
DROP all net udp 1023:1033
@ -107,243 +106,74 @@ DROP net:200.55.14.18 all
<para>Beginning with Shorewall 4.4.26, the <command>update</command>
command supports a <option>-b</option> option that causes your legacy
blacklisting configuration to use the blrules file.</para>
<note>
<para>If you prefer to keep your blacklisting rules in your rules file
(<ulink url="manpages/shorewall-rules.html">shorewall-rules</ulink>
(5)), you can place them in the BLACKLIST section of that file rather
than in blrules.</para>
</note>
</section>
<section>
<title>Legacy Blacklisting</title>
<title>Dynamic Blacklisting</title>
<para>Prior to 4.4.25, two forms of blacklisting were supported; static
and dynamic. The dynamic variety is still appropriate for
<firstterm>on-the-fly</firstterm> blacklisting; the static form is
deprecated.</para>
<para>Beginning with Shorewall 4.4.7, dynamic blacklisting is enabled by
setting DYNAMIC_BLACKLIST=Yes in <filename>shorewall.conf</filename>.
Prior to that release, the feature is always enabled.</para>
<important>
<para><emphasis role="bold">By default, only the source address is
checked against the blacklists</emphasis>. Blacklists only stop
blacklisted hosts from connecting to you — they do not stop you or your
users from connecting to blacklisted hosts .</para>
<para>Once enabled, dynamic blacklisting doesn't use any configuration
parameters but is rather controlled using /sbin/shorewall[-lite] commands.
<emphasis role="bold">Note</emphasis> that <emphasis
role="bold">to</emphasis> and <emphasis role="bold">from</emphasis> may
only be specified when running <emphasis role="bold">Shorewall 4.4.12 or
later</emphasis>.</para>
<variablelist>
<varlistentry>
<term>UPDATE</term>
<itemizedlist>
<listitem>
<para>drop [to|from] <emphasis>&lt;ip address list&gt;</emphasis> -
causes packets from the listed IP addresses to be silently dropped by
the firewall.</para>
</listitem>
<listitem>
<para>Beginning with Shorewall 4.4.12, you can also blacklist by
destination address. See <ulink
url="manpages/shorewall-blacklist.html">shorewall-blacklist</ulink>
(5) and <ulink url="manpages/shorewall.html">shorewall</ulink> (8)
for details.</para>
</listitem>
</varlistentry>
</variablelist>
</important>
<listitem>
<para>reject [to|from]<emphasis>&lt;ip address list&gt;</emphasis> -
causes packets from the listed IP addresses to be rejected by the
firewall.</para>
</listitem>
<important>
<para><emphasis role="bold">Dynamic Shorewall blacklisting is not
appropriate for blacklisting 1,000s of different addresses. Static
Blacklisting can handle large blacklists but only if you use
ipsets</emphasis>. Without ipsets, the blacklists will take forever to
load, and will have a very negative effect on firewall
performance.</para>
</important>
<listitem>
<para>allow [to|from] <emphasis>&lt;ip address list&gt;</emphasis> -
re-enables receipt of packets from hosts previously blacklisted by a
<emphasis>drop</emphasis> or <emphasis>reject</emphasis>
command.</para>
</listitem>
<section id="Static">
<title>Static Blacklisting</title>
<listitem>
<para>save - save the dynamic blacklisting configuration so that it
will be automatically restored the next time that the firewall is
restarted.</para>
<para>Shorewall static blacklisting support has the following
configuration parameters:</para>
<para><emphasis role="bold">Update:</emphasis> Beginning with
Shorewall 4.4.10, the dynamic blacklist is automatically retained over
<command>stop/start</command> sequences and over
<command>restart</command> and <emphasis
role="bold">reload</emphasis>.</para>
</listitem>
<itemizedlist>
<listitem>
<para>You specify whether you want packets from blacklisted hosts
dropped or rejected using the BLACKLIST_DISPOSITION setting in
<ulink
url="manpages/shorewall.conf.html"><filename>shorewall.conf</filename>(5).</ulink></para>
</listitem>
<listitem>
<para>show dynamic - displays the dynamic blacklisting
configuration.</para>
</listitem>
<listitem>
<para>You specify whether you want packets from blacklisted hosts
logged and at what syslog level using the BLACKLIST_LOGLEVEL setting
in <ulink
url="manpages/shorewall.conf.html"><filename>shorewall.conf</filename></ulink>(5).</para>
</listitem>
<listitem>
<para>logdrop [to|from] <emphasis>&lt;ip address list&gt;</emphasis> -
causes packets from the listed IP addresses to be dropped and logged
by the firewall. Logging will occur at the level specified by the
BLACKLIST_LOGLEVEL setting at the last [re]start (logging will be at
the 'info' level if no BLACKLIST_LOGLEVEL was given).</para>
</listitem>
<listitem>
<para>You list the IP addresses/subnets that you wish to blacklist
in <ulink
url="manpages/shorewall-blacklist.html"><filename>shorewall-blacklist</filename></ulink>
(5). You may also specify PROTOCOL and Port numbers/Service names in
the blacklist file.</para>
</listitem>
<listitem>
<para>You specify the interfaces whose incoming packets you want
checked against the blacklist using the <quote>blacklist</quote>
option in <ulink
url="manpages/shorewall-interfaces.html"><filename>shorewall-interfaces</filename></ulink>(5)
(<ulink
url="manpages/shorewall-zones.html">shorewall-zones</ulink>(5) in
Shorewall 4.4.12 and later).</para>
</listitem>
</itemizedlist>
<para>Prior to Shorewall 4.4.20, only source-address static blacklisting
was supported.</para>
<para>Users with a large static black list may want to set the
DELAYBLACKLISTLOAD option in shorewall.conf (added in Shorewall version
2.2.0). When DELAYBLACKLISTLOAD=Yes, Shorewall will enable new
connections before loading the blacklist rules. While this may allow
connections from blacklisted hosts to slip by during construction of the
blacklist, it can substantially reduce the time that all new connections
are disabled during "shorewall [re]start".</para>
<para>Beginning with Shorewall 2.4.0, you can use <ulink
url="ipsets.html">ipsets</ulink> to define your static blacklist. Here's
an example:</para>
<programlisting>#ADDRESS/SUBNET PROTOCOL PORT
+Blacklistports[dst]
+Blacklistnets[src,dst]
+Blacklist[src,dst]
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
<para>In this example, there is a portmap ipset
<emphasis>Blacklistports</emphasis> that blacklists all traffic with
destination ports included in the ipset. There are also
<emphasis>Blacklistnets</emphasis> (type <emphasis>nethash</emphasis>)
and <emphasis>Blacklist</emphasis> (type <emphasis>iphash</emphasis>)
ipsets that allow blacklisting networks and individual IP addresses.
Note that [src,dst] is specified so that individual entries in the sets
can be bound to other portmap ipsets to allow blacklisting
(<emphasis>source address</emphasis>, <emphasis>destination
port</emphasis>) combinations. For example:</para>
<programlisting>ipset -N SMTP portmap --from 1 --to 31
ipset -A SMTP 25
ipset -A Blacklist 206.124.146.177
ipset -B Blacklist 206.124.146.177 -b SMTP</programlisting>
<para>This will blacklist SMTP traffic from host 206.124.146.177.</para>
</section>
<section id="whitelisting">
<title>Static Whitelisting</title>
<para>Beginning with Shorewall 4.4.20, you can create
<firstterm>whitelist</firstterm> entries in the blacklist file.
Connections/packets matching a whitelist entry are not matched against
the entries in the blacklist file that follow. Whitelist entries are
created using the <emphasis role="bold">whitelist</emphasis> option
(OPTIONS column). See <ulink
url="manpages/shorewall-blacklist.html"><filename>shorewall-blacklist</filename></ulink>
(5).</para>
</section>
<section id="Dynamic">
<title>Dynamic Blacklisting</title>
<para>Beginning with Shorewall 4.4.7, dynamic blacklisting is enabled by
setting DYNAMIC_BLACKLIST=Yes in <filename>shorewall.conf</filename>.
Prior to that release, the feature is always enabled.</para>
<para>Once enabled, dynamic blacklisting doesn't use any configuration
parameters but is rather controlled using /sbin/shorewall[-lite]
commands. <emphasis role="bold">Note</emphasis> that <emphasis
role="bold">to</emphasis> and <emphasis role="bold">from</emphasis> may
only be specified when running <emphasis role="bold">Shorewall 4.4.12 or
later</emphasis>.</para>
<itemizedlist>
<listitem>
<para>drop [to|from] <emphasis>&lt;ip address list&gt;</emphasis> -
causes packets from the listed IP addresses to be silently dropped
by the firewall.</para>
</listitem>
<listitem>
<para>reject [to|from]<emphasis>&lt;ip address list&gt;</emphasis> -
causes packets from the listed IP addresses to be rejected by the
firewall.</para>
</listitem>
<listitem>
<para>allow [to|from] <emphasis>&lt;ip address list&gt;</emphasis> -
re-enables receipt of packets from hosts previously blacklisted by a
<emphasis>drop</emphasis> or <emphasis>reject</emphasis>
command.</para>
</listitem>
<listitem>
<para>save - save the dynamic blacklisting configuration so that it
will be automatically restored the next time that the firewall is
restarted.</para>
<para><emphasis role="bold">Update:</emphasis> Beginning with
Shorewall 4.4.10, the dynamic blacklist is automatically retained
over <command>stop/start</command> sequences and over
<command>restart</command>.</para>
</listitem>
<listitem>
<para>show dynamic - displays the dynamic blacklisting
configuration.</para>
</listitem>
<listitem>
<para>logdrop [to|from] <emphasis>&lt;ip address list&gt;</emphasis>
- causes packets from the listed IP addresses to be dropped and
logged by the firewall. Logging will occur at the level specified by
the BLACKLIST_LOGLEVEL setting at the last [re]start (logging will
be at the 'info' level if no BLACKLIST_LOGLEVEL was given).</para>
</listitem>
<listitem>
<para>logreject [to|from}<emphasis>&lt;ip address
list&gt;</emphasis> - causes packets from the listed IP addresses to
be rejected and logged by the firewall. Logging will occur at the
level specified by the BLACKLIST_LOGLEVEL setting at the last
[re]start (logging will be at the 'info' level if no
BLACKLIST_LOGLEVEL was given).</para>
</listitem>
</itemizedlist>
<para>Dynamic blacklisting is not dependent on the
<quote>blacklist</quote> option in
<filename>/etc/shorewall/interfaces</filename>.</para>
<example id="Ignore">
<title>Ignore packets from a pair of systems</title>
<programlisting> <command>shorewall[-lite] drop 192.0.2.124 192.0.2.125</command></programlisting>
<para>Drops packets from hosts 192.0.2.124 and 192.0.2.125</para>
</example>
<example id="Allow">
<title>Re-enable packets from a system</title>
<programlisting> <command>shorewall[-lite] allow 192.0.2.125</command></programlisting>
<para>Re-enables traffic from 192.0.2.125.</para>
</example>
<example>
<title>Displaying the Dynamic Blacklist</title>
<programlisting> <command>shorewall show dynamic</command></programlisting>
<para>Displays the 'dynamic' chain which contains rules for the
dynamic blacklist. The <firstterm>source</firstterm> column contains
the set of blacklisted addresses.</para>
</example>
</section>
<listitem>
<para>logreject [to|from}<emphasis>&lt;ip address list&gt;</emphasis>
- causes packets from the listed IP addresses to be rejected and
logged by the firewall. Logging will occur at the level specified by
the BLACKLIST_LOGLEVEL setting at the last [re]start (logging will be
at the 'info' level if no BLACKLIST_LOGLEVEL was given).</para>
</listitem>
</itemizedlist>
</section>
</article>

76
docs/bridge-Shorewall-perl.xml
View File

@ -134,7 +134,7 @@
the bridge would work exactly the same if public IP addresses were used
(remember that the bridge doesn't deal with IP addresses).</para>
<graphic fileref="images/bridge.png" />
<graphic fileref="images/bridge.png"/>
<para>There are a several key differences in this setup and a normal
Shorewall configuration:</para>
@ -180,7 +180,7 @@
systems connected to that switch. All of the systems on the local side of
the <emphasis role="bold">router</emphasis> would still be configured with
IP addresses in 192.168.1.0/24 as shown below.<graphic
fileref="images/bridge3.png" /></para>
fileref="images/bridge3.png"/></para>
</section>
<section id="Bridge">
@ -571,8 +571,7 @@ rc-update add bridge boot
fw firewall
world ipv4
net:world bport
loc:world bport
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
loc:world bport</programlisting>
<para>The <emphasis>world</emphasis> zone can be used when defining rules
whose source zone is the firewall itself (remember that fw-&gt;&lt;BP
@ -581,11 +580,10 @@ loc:world bport
<para>A conventional two-zone policy file is appropriate here —
<filename>/etc/shorewall/policy</filename>:</para>
<programlisting>#SOURCE DEST POLICY LOG LIMIT:BURST
<programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
loc net ACCEPT
net all DROP info
all all REJECT info
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
all all REJECT info</programlisting>
<para>In <filename>/etc/shorewall/shorewall.conf</filename>:</para>
@ -596,11 +594,10 @@ all all REJECT info
is connected to <filename class="devicefile">eth0</filename> and the
switch to <filename class="devicefile">eth1</filename>:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
world br0 detect bridge
<programlisting>#ZONE INTERFACE OPTIONS
world br0 bridge
net br0:eth0
loc br0:eth1
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
loc br0:eth1</programlisting>
<para>The <emphasis>world</emphasis> zone is associated with the bridge
itself which is defined with the <emphasis role="bold">bridge</emphasis>
@ -616,8 +613,7 @@ loc br0:eth1
<filename><filename>/etc/shorewall/routestopped</filename></filename>:</para>
<programlisting>#INTERFACE HOST(S) OPTIONS
br0 192.168.1.0/24 routeback
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
br0 192.168.1.0/24 routeback</programlisting>
<para>The <filename>/etc/shorewall/rules</filename> file from the
two-interface sample is a good place to start for defining a set of
@ -645,9 +641,9 @@ br0 192.168.1.0/24 routeback
<para><filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting> #ZONE INTERFACE BROADCAST OPTIONS
world br0 - bridge
world br1 - bridge
<programlisting> #ZONE INTERFACE OPTIONS
world br0 bridge
world br1 bridge
z1 br0:p+
z2 br1:p+</programlisting>
@ -657,11 +653,11 @@ br0 192.168.1.0/24 routeback
configuration may be defined using the following in
<filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting> #ZONE INTERFACE BROADCAST OPTIONS
world br0 - bridge
world br1 - bridge
z1 br0:x+ - physical=p+
z2 br1:y+ - physical=p+</programlisting>
<programlisting> #ZONE INTERFACE OPTIONS
world br0 bridge
world br1 bridge
z1 br0:x+ physical=p+
z2 br1:y+ physical=p+</programlisting>
<para>In this configuration, 'x+' is the logical name for ports p+ on
bridge br0 while 'y+' is the logical name for ports p+ on bridge
@ -673,8 +669,7 @@ br0 192.168.1.0/24 routeback
<para>Example from /etc/shorewall/rules:</para>
<programlisting> #ACTION SOURCE DEST PROTO DEST
# PORT(S)
<programlisting> #ACTION SOURCE DEST PROTO DPORT
REJECT z1:x1023 z1:x1024 tcp 1234</programlisting>
</section>
@ -683,7 +678,7 @@ br0 192.168.1.0/24 routeback
<para>A system running Shorewall doesn't have to be exclusively a bridge
or a router -- it can act as both, which is also know as a brouter. Here's
an example:<graphic fileref="images/bridge2.png" /></para>
an example:<graphic fileref="images/bridge2.png"/></para>
<para>This is basically the same setup as shown in the <ulink
url="shorewall_setup_guide.htm">Shorewall Setup Guide</ulink> with the
@ -710,11 +705,11 @@ loc ipv4</programlisting>
<listitem>
<para>The <filename>/etc/shorewall/interfaces</filename> file is as
follows:<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
pub br0 detect routefilter,bridge
follows:<programlisting>#ZONE INTERFACE OPTIONS
pub br0 routefilter,bridge
net br0:eth0
dmz br0:eth2
loc eth1 detect</programlisting></para>
loc eth1</programlisting></para>
</listitem>
<listitem>
@ -761,9 +756,7 @@ all all REJECT info</programlisting>
<para><filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE
#
PORT(S) PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT
ACCEPT all all icmp 8
ACCEPT loc $DMZ tcp 25,53,80,443,...
ACCEPT loc $DMZ udp 53
@ -784,7 +777,7 @@ ACCEPT $FW $DMZ tcp 53 </
<para>This configuration is shown in the following diagram.</para>
<graphic align="center" fileref="images/veth1.png" />
<graphic align="center" fileref="images/veth1.png"/>
<para>In this configuration, veth0 is assigned the internal IP address;
br0 does not have an IP address.</para>
@ -872,8 +865,7 @@ iface veth0 inet static
<para>For this configuration, we need several additional zones as shown
here:</para>
<programlisting>#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
<programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
fw firewall
net ipv4
zone1 bport
@ -943,22 +935,19 @@ all all REJECT:info</programlisting>
<para>Rules allowing traffic from the net to zone2 look like this:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
# PORT(S) PORT(S) DEST LIMIT GROUP
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK
ACCEPT col zone2 tcp 22 - - - - <emphasis
role="bold">net</emphasis></programlisting>
<para>or more compactly:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT
ACCEPT col <emphasis role="bold">zone2</emphasis> tcp 22 ; mark=<emphasis
role="bold">net</emphasis></programlisting>
<para>Similarly, rules allowing traffic from the firewall to zone3:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT
ACCEPT col <emphasis role="bold">zone3</emphasis> tcp 22 ; mark=<emphasis
role="bold">fw</emphasis></programlisting>
@ -969,8 +958,7 @@ ACCEPT col <emphasis role="bold">zone3</emphasis> tcp 22
<para>Suppose that you want to forward tcp port 80 to 192.168.4.45 in
zone3:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
# PORT(S) PORT(S) DEST LIMIT GROUP
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK
DNAT- net loc:172.168.4.45 tcp 80
ACCEPT col zone3:172.168.4.45 tcp 80 - - - - <emphasis
role="bold">net</emphasis></programlisting>
@ -979,15 +967,13 @@ ACCEPT col zone3:172.168.4.45 tcp 80 - -
role="bold">zonei</emphasis> zones to the <emphasis
role="bold">net</emphasis> zone look like this:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
# PORT(S) PORT(S) DEST LIMIT GROUP
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK
ACCEPT loc net tcp 21 - - - - <emphasis
role="bold">zone1</emphasis></programlisting>
<para>And to the firewall:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
# PORT(S) PORT(S) DEST LIMIT GROUP
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK
ACCEPT zone2 col tcp - - - - <emphasis
role="bold">zone2</emphasis></programlisting>
</section>

48
docs/configuration_file_basics.xml
View File

@ -464,8 +464,7 @@ smtp,www,pop3,imap #Services running on the firewall</programlisting>
<para>Example (<filename>/etc/shorewall/rules</filename>):</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT
ACCEPT net:\
206.124.146.177,\
206.124.146.178,\
@ -483,8 +482,7 @@ ACCEPT net:\
<para>A trailing backslash is not ignored in a comment. So the continued
rule above can be commented out with a single '#' as follows:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT
<emphasis role="bold">#</emphasis>ACCEPT net:\
206.124.146.177,\
206.124.146.178,\
@ -765,8 +763,7 @@ ACCEPT net:\
<para>Example (rules file):</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT
DNAT net loc:10.0.0.1 tcp 80 ; mark="88"</programlisting>
<para>Here's the same line in several equivalent formats:</para>
@ -1133,8 +1130,7 @@ COMB_IF !70.90.191.120/29 70.90.191.123</programli
   INCLUDE params.mgmt   
 
   # params unique to this host here
   #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
  
   ----- end params -----
   shorewall/rules.mgmt:
@ -1154,7 +1150,7 @@ COMB_IF !70.90.191.120/29 70.90.191.123</programli
   INCLUDE rules.mgmt    
 
   # rules unique to this host here
   #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
  
   ----- end rules -----</programlisting>
@ -1166,14 +1162,14 @@ COMB_IF !70.90.191.120/29 70.90.191.123</programli
ALL.rules DNAT.rules FW.rules NET.rules REDIRECT.rules VPN.rules
gateway:/etc/shorewall # </programlisting></para>
<para>/etc/shorewall/rules:<programlisting>SECTION NEW
<para>/etc/shorewall/rules:<programlisting>?SECTION NEW
SHELL cat /etc/shorewall/rules.d/*.rules</programlisting></para>
<para>If you are the sort to put such an entry in your rules file even
though /etc/shorewall/rules.d might not exist or might be empty, then
you probably want:</para>
<programlisting>SECTION NEW
<programlisting>?SECTION NEW
SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting>
<para>Beginning with Shorewall 4.5.2, in files other than
@ -1306,7 +1302,7 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting
<variablelist>
<varlistentry>
<term>[?]COMMENT [ <replaceable>comment</replaceable> ]</term>
<term>?COMMENT [ <replaceable>comment</replaceable> ]</term>
<listitem>
<para>If <replaceable>comment</replaceable> is present, it will
@ -1363,8 +1359,7 @@ gateway:~ #
<para><filename>/usr/share/shorewall/macro.SSH</filename>:</para>
<para><programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
<para><programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT RATE USER
?COMMENT SSH
PARAM - - tcp 22 </programlisting>
<filename>/etc/shorewall/rules</filename>:<programlisting>?COMMENT Allow SSH from home
@ -1771,7 +1766,7 @@ SSH(ACCEPT) net:$MYIP $FW
</listitem>
</itemizedlist>
<para>They may also appear in the ORIGINAL DEST column of:</para>
<para>They may also appear in the ORIGDEST column of:</para>
<itemizedlist>
<listitem>
@ -2318,8 +2313,7 @@ gmail-pop.l.google.com. <emphasis role="bold">300</emphasis> IN A 209.85.2
<para>So this rule may work for five minutes then suddently stop
working:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT
POP(ACCEPT) loc net:pop.gmail.com</programlisting>
<para>If your firewall rules include DNS names then:</para>
@ -2418,7 +2412,7 @@ POP(ACCEPT) loc net:pop.gmail.com</programlisting>
<itemizedlist>
<listitem>
<para>Must not have any embedded white space.<programlisting> Valid: routefilter,dhcp,arpfilter
<para>Must not have any embedded white space.+<programlisting> Valid: routefilter,dhcp,arpfilter
Invalid: routefilter,     dhcp,     arpfilter</programlisting></para>
</listitem>
@ -2608,7 +2602,7 @@ redirect =&gt; 137</programlisting>
to forward the range of tcp ports 4000 through 4100 to local host
192.168.1.3, the entry in /etc/shorewall/rules is:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORTS(S)
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
DNAT net loc:192.168.1.3 tcp <emphasis role="bold">4000:4100</emphasis></programlisting>
<para>If you omit the low port number, a value of zero is assumed; if you
@ -2790,8 +2784,7 @@ DNAT net loc:192.168.1.3 tcp <emphasis role="bold">4000:4100<
<para>Forward port 80 to dmz host $BACKUP if switch 'primary_down' is
on.</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH
# PORT(S) PORT(S) DEST LIMIT GROUP
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH
DNAT net dmz:$BACKUP tcp 80 - - - - - - - - <emphasis
role="bold">primary_down</emphasis> </programlisting>
</blockquote>
@ -2822,17 +2815,16 @@ DNAT net dmz:$BACKUP tcp 80 - -
<para>Here is an example:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net <emphasis role="bold">COM_IF </emphasis> detect dhcp,blacklist,tcpflags,optional,upnp,routefilter=0,nosmurfs,logmartians=0,<emphasis
<programlisting>#ZONE INTERFACE OPTIONS
net <emphasis role="bold">COM_IF </emphasis> dhcp,blacklist,tcpflags,optional,upnp,routefilter=0,nosmurfs,logmartians=0,<emphasis
role="bold">physical=eth0</emphasis>
net <emphasis role="bold">EXT_IF</emphasis> detect dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartians=0,proxyarp=1,<emphasis
net <emphasis role="bold">EXT_IF</emphasis> dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartians=0,proxyarp=1,<emphasis
role="bold">physical=eth2</emphasis>
loc <emphasis role="bold">INT_IF </emphasis> detect dhcp,logmartians=1,routefilter=1,tcpflags,nets=172.20.1.0/24,<emphasis
loc <emphasis role="bold">INT_IF </emphasis> dhcp,logmartians=1,routefilter=1,tcpflags,nets=172.20.1.0/24,<emphasis
role="bold">physical=eth1</emphasis>
dmz <emphasis role="bold">VPS_IF </emphasis> detect logmartians=1,routefilter=0,routeback,<emphasis
dmz <emphasis role="bold">VPS_IF </emphasis> logmartians=1,routefilter=0,routeback,<emphasis
role="bold">physical=venet0</emphasis>
loc <emphasis role="bold">TUN_IF</emphasis> detect <emphasis
role="bold">physical=tun+</emphasis></programlisting>
loc <emphasis role="bold">TUN_IF</emphasis> <emphasis role="bold">physical=tun+</emphasis></programlisting>
<para>In this example, COM_IF is a logical interface name that refers to
Ethernet interface <filename class="devicefile">eth0</filename>, EXT_IF is

6
docs/dhcp.xml
View File

@ -154,15 +154,13 @@
<para>Allow UDP ports 67 and 68 ("67:68") between the client zone and
the server zone:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT
ACCEPT ZONEA ZONEB udp 67:68
ACCEPT ZONEB ZONEA udp 67:68</programlisting>
<para>Alternatively, use the DHCPfwd macro:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT
DHCPfwd(ACCEPT) ZONEA ZONEB</programlisting>
</listitem>

8
docs/ipsets.xml
View File

@ -107,13 +107,13 @@
<para>Example 1: Blacklist all hosts in an ipset named "blacklist"</para>
<para><filename>/etc/shorewall/blacklist</filename><programlisting>#ADDRESS/SUBNET PROTOCOL PORT
+blacklist</programlisting></para>
<para><filename>/etc/shorewall/blrules</filename><programlisting>#ACTION SOURCE DEST PROTO DPORT
DROP net:+blacklist</programlisting></para>
<para>Example 2: Allow SSH from all hosts in an ipset named "sshok:</para>
<para><filename>/etc/shorewall/rules</filename><programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT net:+sshok $FW tcp 22</programlisting></para>
<para><filename>/etc/shorewall/rules</filename><programlisting>#ACTION SOURCE DEST PROTO DPORT
ACCEPT net:+sshok $FW tcp 22</programlisting></para>
<para>The name of the ipset can be optionally followed by a
comma-separated list of flags enclosed in square brackets ([...]). Each

16
docs/netmap.xml
View File

@ -54,7 +54,7 @@
<para>Shorewall NETMAP support is designed to supply a solution. The basic
situation is as shown in the following diagram.<graphic
fileref="images/netmap.png" /></para>
fileref="images/netmap.png"/></para>
<para>While the link between the two firewalls is shown here as a VPN, it
could be any type of interconnection that allows routing of <ulink
@ -163,8 +163,8 @@
</varlistentry>
<varlistentry>
<term><emphasis role="bold">DEST PORT(S) (Optional - Added in
Shorewall 4.4.23.2)</emphasis> -
<term><emphasis role="bold">DPORT (Optional - Added in Shorewall
4.4.23.2)</emphasis> -
<emphasis>port-number-or-name-list</emphasis></term>
<listitem>
@ -190,8 +190,8 @@
</varlistentry>
<varlistentry>
<term><emphasis role="bold">DEST PORT(S) (Optional - Added in
Shorewall 4.4.23.2)</emphasis> -
<term><emphasis role="bold">SPORT (Optional - Added in Shorewall
4.4.23.2)</emphasis> -
<emphasis>port-number-or-name-list</emphasis></term>
<listitem>
@ -314,7 +314,7 @@ SNAT 192.168.1.0/24 vpn 10.10.10.0/24 #RULE 2B</programlist
<entry>192.168.1.27</entry>
<entry></entry>
<entry/>
</row>
<row>
@ -350,7 +350,7 @@ SNAT 192.168.1.0/24 vpn 10.10.10.0/24 #RULE 2B</programlist
<entry>192.168.1.4</entry>
<entry></entry>
<entry/>
</row>
</tbody>
</tgroup>
@ -413,7 +413,7 @@ DNAT:T 10.10.10.0/24 vpn 192.168.1.0/24</emphasis></programlisting
<para>IPv6 Netmap has been verified at shorewall.net using the
configuration shown below.</para>
<graphic align="center" fileref="images/Network2011b.png" />
<graphic align="center" fileref="images/Network2011b.png"/>
<para>IPv6 support is supplied from Hurricane Electric; the IPv6 address
block is 2001:470:b:227::/64.</para>

8
docs/ping.xml
View File

@ -55,7 +55,7 @@
policy for z1 to z2 is not ACCEPT, you need a rule in
<filename>/etc/shorewall/rules</filename> of the form:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT
Ping(ACCEPT) z1 z2</programlisting>
<example id="Example1">
@ -63,7 +63,7 @@ Ping(ACCEPT) z1 z2</programlisting>
<para>To permit ping from the local zone to the firewall:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT
Ping(ACCEPT) loc $FW</programlisting>
</example>
@ -79,7 +79,7 @@ Ping(ACCEPT) loc $FW</programlisting>
<para>With that rule in place, if you want to ignore <quote>ping</quote>
from z1 to z2 then you need a rule of the form:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT
Ping(DROP) z1 z2</programlisting>
<example id="Example2">
@ -88,7 +88,7 @@ Ping(DROP) z1 z2</programlisting>
<para>To drop ping from the Internet, you would need this rule in
<filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT
Ping(DROP) net $FW</programlisting>
</example>

82
docs/ports.xml
View File

@ -61,7 +61,7 @@
from the <emphasis role="bold">dmz</emphasis> zone to the <emphasis
role="bold">net</emphasis> zone:</para>
<programlisting>#ACTION SOURCE DESTINATION
<programlisting>#ACTION SOURCE DEST
DNS(ACCEPT) dmz net</programlisting>
</note>
@ -74,12 +74,12 @@ DNS(ACCEPT) dmz net</programlisting>
<para>Example: You want to port forward FTP from the net to your server
at 192.168.1.4 in your DMZ. The FTP section below gives you:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT
FTP(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis></programlisting>
<para>You would code your rule as follows:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
FTP(DNAT) net dmz:192.168.1.4 </programlisting>
</note>
</section>
@ -93,7 +93,7 @@ FTP(DNAT) net dmz:192.168.1.4 </programlisting>
anymore.</emphasis></para>
</caution>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
Auth(ACCEPT) <emphasis> &lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis></programlisting>
</section>
@ -110,14 +110,14 @@ Auth(ACCEPT) <emphasis> &lt;source&gt;</emphasis> <emphasis>&lt;destination&
port(s)</emphasis></emphasis></para>
</caution>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
BitTorrent(ACCEPT)<emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis></programlisting>
</section>
<section id="DNS">
<title>DNS</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
DNS(ACCEPT) <emphasis> &lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> </programlisting>
<para>Note that if you are setting up a DNS server that supports recursive
@ -128,7 +128,7 @@ DNS(ACCEPT) <emphasis> &lt;source&gt;</emphasis> <emphasis>&lt;destination&
a public DNS server in your DMZ that supports recursive resolution for
local clients then you would need:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
DNS(ACCEPT) all dmz
DNS(ACCEPT) dmz net </programlisting>
@ -174,7 +174,7 @@ DNS(ACCEPT) dmz net </programlisting>
<para><filename>/etc/shorewall/rules:</filename></para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
Edonkey(DNAT) net loc:192.168.1.4
#if you wish to enable the Emule webserver, add this rule too.
DNAT net loc:192.168.1.4 tcp 4711</programlisting>
@ -183,7 +183,7 @@ DNAT net loc:192.168.1.4 tcp 4711</programlisting>
<section id="FTP">
<title>FTP</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
FTP(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis></programlisting>
<para>Look <ulink url="FTP.html">here</ulink> for much more
@ -212,14 +212,14 @@ FTP(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt
<listitem>
<para>Your loc-&gt;net policy is ACCEPT</para>
</listitem>
</orderedlist><programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
</orderedlist><programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
Gnutella(DNAT) net loc:192.168.1.4</programlisting></para>
</section>
<section id="ICQ">
<title>ICQ/AIM</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
ICQ(ACCEPT) <emphasis>&lt;source&gt;</emphasis> net</programlisting>
</section>
@ -236,7 +236,7 @@ ICQ(ACCEPT) <emphasis>&lt;source&gt;</emphasis> net</programlisting>
<para>This information is valid only for Shorewall 3.2 or later.</para>
</caution>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
IMAP(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> # Unsecure IMAP
IMAPS(ACCEPT) &lt;source&gt; &lt;destination&gt; # IMAP over SSL.</programlisting>
</section>
@ -244,7 +244,7 @@ IMAPS(ACCEPT) &lt;source&gt; &lt;destination&gt; # IMAP over SSL.</programlis
<section id="IPSEC">
<title>IPSEC</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis> &lt;destination&gt;</emphasis> 50
ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis> &lt;destination&gt;</emphasis> 51
ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis> &lt;destination&gt;</emphasis> udp 500
@ -263,9 +263,9 @@ ACCEPT <emphasis>&lt;destination&gt;</emphasis> <emphasis>&lt;source&gt;</e
<para>This information is valid only for Shorewall 3.2 or later.</para>
</caution>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
LDAP(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis> &lt;destination&gt;</emphasis> <emphasis> #Insecure LDAP</emphasis>
LDAPS(ACCEPT) <emphasis><emphasis>&lt;source&gt;</emphasis> <emphasis> &lt;destination&gt;</emphasis></emphasis><emphasis></emphasis> # LDAP over SSL</programlisting>
LDAPS(ACCEPT) <emphasis><emphasis>&lt;source&gt;</emphasis> <emphasis> &lt;destination&gt;</emphasis></emphasis><emphasis/> # LDAP over SSL</programlisting>
</section>
<section id="MySQL">
@ -284,14 +284,14 @@ LDAPS(ACCEPT) <emphasis><emphasis>&lt;source&gt;</emphasis> <emphasis> &
how to deal with the consequences, you have been warned.</para>
</caution>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
MySQL(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis> &lt;destination&gt;</emphasis> <emphasis> </emphasis></programlisting>
</section>
<section id="NFS">
<title>NFS</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
ACCEPT <emphasis>&lt;z1&gt;</emphasis>:&lt;list of client IPs&gt; <emphasis> &lt;z2&gt;</emphasis>:a.b.c.d tcp 111
ACCEPT <emphasis>&lt;z1&gt;</emphasis>:&lt;list of client IPs&gt; <emphasis> &lt;z2&gt;</emphasis>:a.b.c.d udp</programlisting>
@ -302,14 +302,14 @@ ACCEPT <emphasis>&lt;z1&gt;</emphasis>:&lt;list of client IPs&gt; <emphasis
<section id="NTP">
<title>NTP (Network Time Protocol)</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
NTP(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis></programlisting>
</section>
<section id="PCA">
<title><trademark>PCAnywhere</trademark></title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
PCA(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis></programlisting>
</section>
@ -325,7 +325,7 @@ PCA(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt
<para>This information is valid only for Shorewall 3.2 or later</para>
</caution>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
POP3(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> # Secure
POP3S(ACCEPT) &lt;source&gt; &lt;destination&gt; #Unsecure Pop3</programlisting>
</section>
@ -333,7 +333,7 @@ POP3S(ACCEPT) &lt;source&gt; &lt;destination&gt; #Unsecure Pop3</programlist
<section id="PPTP">
<title>PPTP</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> 47
ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> tcp 1723</programlisting>
@ -344,14 +344,14 @@ ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</e
<section id="Rdate">
<title>rdate</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
Rdate(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis></programlisting>
</section>
<section id="rsync">
<title>rsync</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
Rsync(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis></programlisting>
</section>
@ -363,16 +363,16 @@ Rsync(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&
firewall and is using the default ports</emphasis>.</para>
</caution>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
REDIRECT loc 5060 udp 5060
ACCEPT net fw udp 5060
ACCEPT <emphasis> net fw udp 7070:7089</emphasis><emphasis></emphasis></programlisting>
ACCEPT <emphasis> net fw udp 7070:7089</emphasis><emphasis/></programlisting>
</section>
<section id="SSH">
<title>SSH/SFTP</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
SSH(ACCEPT)<emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> </programlisting>
</section>
@ -380,7 +380,7 @@ SSH(ACCEPT)<emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</e
<title>SMB/NMB (Samba/<trademark>Windows</trademark> Browsing/File
Sharing)</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
SMB(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis> &lt;destination&gt;</emphasis>
SMB(ACCEPT) <emphasis>&lt;destination&gt;</emphasis> <emphasis>&lt;source&gt;</emphasis></programlisting>
@ -394,7 +394,7 @@ SMB(ACCEPT) <emphasis>&lt;destination&gt;</emphasis> <emphasis>&lt;source&gt
<para>This information is valid only for Shorewall 3.2 or later.</para>
</caution>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
SMTP(ACCEPT)<emphasis> &lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> #Insecure SMTP
SMTPS(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> #SMTP over SSL (TLS)</programlisting>
</section>
@ -402,7 +402,7 @@ SMTPS(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&
<section id="SNMP">
<title>SNMP</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
SNMP(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis></programlisting>
</section>
@ -418,7 +418,7 @@ SNMP(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&g
role="bold">svnserve mode only.</emphasis></para>
</caution>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
SVN(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis></programlisting>
</section>
@ -430,7 +430,7 @@ SVN(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt
insecure</emphasis>, don't use it.</emphasis></para>
</caution>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
Telnet(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis></programlisting>
</section>
@ -447,14 +447,14 @@ Telnet(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination
that the <filename>/etc/shorewall/modules</filename> file released with
recent Shorewall versions contains entries for these modules.</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> udp 69</programlisting>
</section>
<section id="Traceroute">
<title>Traceroute</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
Trcrt(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> #Good for 10 hops</programlisting>
<para>UDP traceroute uses ports 33434 through 33434+&lt;max number of
@ -464,7 +464,7 @@ Trcrt(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&
automatically since those sample configurations enable all ICMP packet
types originating on the firewall itself.</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
ACCEPT fw net icmp
ACCEPT fw loc icmp
ACCEPT fw ...</programlisting>
@ -473,7 +473,7 @@ ACCEPT fw ...</programlisting>
<section id="NNTP">
<title>Usenet (NNTP)</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
NNTP(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis>
NNTPS(ACCEPT) &lt;source&gt; &lt;destination&gt; # secure NNTP</programlisting>
@ -493,13 +493,13 @@ NNTPS(ACCEPT) &lt;source&gt; &lt;destination&gt; # secure NNTP</programlisti
<para>the following rule handles VNC traffic for VNC displays 0 -
9.</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
VNC(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis>
</programlisting>
<para>Vncserver to Vncviewer in listen mode -- TCP port 5500.</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
VNCL(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis></programlisting>
</section>
@ -519,7 +519,7 @@ VNCL(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&g
<para>This information is valid for Shorewall 3.2 or later.</para>
</caution>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
HTTP(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> #Insecure HTTP
HTTPS(ACCEPT) &lt;source&gt; &lt;destination&gt; #Secure HTTP</programlisting>
</section>
@ -527,7 +527,7 @@ HTTPS(ACCEPT) &lt;source&gt; &lt;destination&gt; #Secure HTTP</programlisti
<section id="Webmin">
<title>Webmin</title>
<para><programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
<para><programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
Webmin(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> </programlisting>Webmin
use TCP port 10000.</para>
</section>
@ -535,7 +535,7 @@ Webmin(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination
<section id="Whois">
<title>Whois</title>
<para><programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
<para><programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
Whois(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> </programlisting></para>
</section>
@ -546,7 +546,7 @@ Whois(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&
&lt;<emphasis>chooser</emphasis>&gt; and the Display Manager/X
applications are running at &lt;<emphasis>apps</emphasis>&gt;.</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
ACCEPT &lt;<emphasis>chooser</emphasis>&gt; &lt;<emphasis>apps</emphasis>&gt; udp 177 #XDMCP
ACCEPT &lt;<emphasis>apps</emphasis>&gt; &lt;<emphasis>chooser</emphasis>&gt; tcp 6000:6009 #X Displays 0-9</programlisting>
</section>

6
docs/samba.xml
View File

@ -44,15 +44,13 @@
<para>If you wish to run Samba on your firewall and access shares between
the firewall and local hosts, you need the following rules:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE
# PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT
SMB(ACCEPT) $FW loc
SMB(ACCEPT) loc $FW</programlisting>
<para>To pass traffic SMB/Samba traffic between zones Z1 and Z2:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE
# PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT
SMB(ACCEPT) Z1 Z2
SMB(ACCEPT) Z2 Z1</programlisting>

15
docs/shorewall_features.xml
View File

@ -5,7 +5,7 @@
<!--$Id$-->
<articleinfo>
<title>Shorewall 4.4/4.5/4.6 Features</title>
<title>Shorewall 5.0 Features</title>
<author>
<firstname>Tom</firstname>
@ -16,7 +16,7 @@
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
<copyright>
<year>2001-2014</year>
<year>2001-2016</year>
<holder>Thomas M Eastep</holder>
</copyright>
@ -32,13 +32,6 @@
</legalnotice>
</articleinfo>
<caution>
<para><emphasis role="bold">This article applies to Shorewall 4.3 and
later. If you are running a version of Shorewall earlier than Shorewall
4.3.5 then please see the documentation for that
release.</emphasis></para>
</caution>
<section id="Features">
<title>Features</title>
@ -278,6 +271,10 @@
<listitem>
<para><ulink url="LXC.html">LXC</ulink></para>
</listitem>
<listitem>
<para>Docker (Shorewall 5.0.6 and later)</para>
</listitem>
</itemizedlist>
</listitem>
</itemizedlist>

24
docs/shorewall_logging.xml
View File

@ -314,14 +314,34 @@ gateway:/etc/shorewall# </programl
<para><filename>/etc/shorewall/shorewall.conf</filename>:
<programlisting>MACLIST_LOG_LEVEL=NFLOG(1,0,1)</programlisting></para>
<para><filename>/etc/shorewall/rules</filename>:<programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S)
<para><filename>/etc/shorewall/rules</filename>:<programlisting>#ACTION SOURCE DEST PROTO DPORT
ACCEPT:NFLOG(1,0,1) vpn fw tcp ssh,time,631,8080 </programlisting><important>
<para>Shorewall considers <emphasis role="bold">ULOG(...)</emphasis>
and <emphasis role="bold">NFLOG(...)</emphasis> to be <emphasis
role="bold">log levels</emphasis>, just like info, debug, etc. even
though they are not defined by syslog.</para>
</important></para>
<para>Here is a copy of a ulogd.conf file that logs to
/var/log/firewall. It was contributed by a Shorewall user on IRC:</para>
<programlisting>[global]
user="ulogd"
logfile="/var/log/ulogd/ulogd.log"
loglevel=7
plugin="/usr/lib64/ulogd/ulogd_inppkt_NFLOG.so"
plugin="/usr/lib64/ulogd/ulogd_filter_IFINDEX.so"
plugin="/usr/lib64/ulogd/ulogd_filter_IP2STR.so"
plugin="/usr/lib64/ulogd/ulogd_filter_PRINTPKT.so"
plugin="/usr/lib64/ulogd/ulogd_output_LOGEMU.so"
plugin="/usr/lib64/ulogd/ulogd_raw2packet_BASE.so"
stack=log:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,firewall:LOGEMU
[firewall]
file="/var/log/firewall"
sync=1</programlisting>
</section>
</section>

89
docs/shorewall_setup_guide.xml
View File

@ -106,19 +106,13 @@
<para><emphasis role="bold">Note to Debian Users</emphasis></para>
<para>If you install using the .deb, you will find that your <filename
class="directory">/etc/shorewall</filename> directory is empty. This
is intentional. The released configuration file skeletons may be found
on your system in the directory <filename
class="directory">/usr/share/doc/shorewall-common/default-config</filename>.
class="directory">/etc/shorewall</filename> directory is almost empty.
This is intentional. The released configuration file skeletons may be
found on your system in the directory <filename
class="directory">/usr/share/doc/shorewall/default-config</filename>.
Simply copy the files you need from that directory to <filename
class="directory">/etc/shorewall</filename> and modify the
copies.</para>
<para>Note that you must copy <filename
class="directory">/usr/share/doc/shorewall-common/default-config/shorewall.conf</filename>
and /usr/share/doc/shorewall-common/default-config/modules to
<filename class="directory">/etc/shorewall</filename> even if you do
not modify those files.</para>
</warning></para>
<para>As each file is introduced, I suggest that you look through the
@ -269,8 +263,7 @@ dmz ipv4</programlisting>
<filename>/etc/shorewall/policy</filename> file had the following
policies:</para>
<programlisting>#SOURCE ZONE DESTINATION ZONE POLICY LOG LIMIT:BURST
# LEVEL
<programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
loc net ACCEPT
net all DROP info
all all REJECT info</programlisting>
@ -416,10 +409,11 @@ all all REJECT info</programlisting>
url="manpages/shorewall-interfaces.html">/etc/shorewall/interfaces
</ulink>file, that file would might contain:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect
loc eth1 detect
dmz eth2 detect</programlisting>
<programlisting>?FORMAT 2
#ZONE INTERFACE OPTIONS
net eth0
loc eth1
dmz eth2</programlisting>
<para>Note that the <emphasis role="bold">$FW</emphasis> zone has no entry
in the /etc/shorewall/interfaces file.</para>
@ -435,10 +429,11 @@ dmz eth2 detect</programlisting>
<example id="multi">
<title>Multiple Interfaces to a Zone</title>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect
loc eth1 detect
loc eth2 detect</programlisting>
<programlisting>?FORMAT 2
#ZONE INTERFACE BROADCAST OPTIONS
net eth0
loc eth1
loc eth2</programlisting>
</example>
<para><inlinegraphic fileref="images/BD21298_.gif"/></para>
@ -1409,8 +1404,7 @@ eth0 192.168.201.0/29 192.0.2.176</programlisting>
<filename><ulink
url="manpages/shorewall-rules.html">/etc/shorewall/rules</ulink></filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT(S) PORT(S) DEST
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
DNAT net loc:192.168.201.4 tcp www</programlisting>
<para>If one of your daughter's friends at address <emphasis
@ -1424,8 +1418,8 @@ DNAT net loc:192.168.201.4 tcp www</programlisting>
<para>This example used the firewall's external IP address for DNAT.
You can use another of your public IP addresses (place it in the
ORIGINAL DEST column in the rule above) but Shorewall will not add
that address to the firewall's external interface for you.</para>
ORIGDEST column in the rule above) but Shorewall will not add that
address to the firewall's external interface for you.</para>
<important>
<para>When testing DNAT rules like those shown above, you must test
@ -1489,7 +1483,7 @@ DNAT net loc:192.168.201.4 tcp www</programlisting>
url="ProxyARP.htm"><filename>/etc/shorewall/proxyarp</filename></ulink>
file.</para>
<programlisting>#ADDRESS INTERFACE EXTERNAL HAVE ROUTE PERSISTENT
<programlisting>#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
192.0.2.177 eth2 eth0 No
192.0.2.178 eth2 eth0 No</programlisting>
@ -1608,7 +1602,7 @@ eth0 192.168.201.0/29 192.0.2.176</programlisting>
You would do that by adding an entry in <filename><ulink
url="NAT.htm">/etc/shorewall/nat</ulink></filename>.</para>
<programlisting>#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL
<programlisting>#EXTERNAL INTERFACE INTERNAL ALLINTS LOCAL
192.0.2.179 eth0 192.168.201.4 No No</programlisting>
<para>With this entry in place, you daughter has her own IP address
@ -1622,8 +1616,7 @@ eth0 192.168.201.0/29 192.0.2.176</programlisting>
to use a DNAT rule for you daughter's web server -- you would rather
just use an ACCEPT rule:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT(S) PORT(S) DEST
<programlisting>#ACTION SOURCE DEST PROTO DEST SPORT ORIGDEST
ACCEPT net loc:192.168.201.4 tcp www</programlisting>
<para>A word of warning is in order here. ISPs typically configure
@ -1719,14 +1712,13 @@ ACCEPT net loc:192.168.201.4 tcp www</programlisting>
rules.</para>
<note>
<para>Since the SOURCE PORT(S) and ORIG. DEST. Columns aren't used in
this section, they won't be shown</para>
<para>Since the SPORT and ORIGDEST. Columns aren't used in this
section, they won't be shown</para>
</note>
<para>You probably want to allow ping between your zones:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT
ACCEPT net dmz icmp echo-request
ACCEPT net loc icmp echo-request
ACCEPT dmz loc icmp echo-request
@ -1735,8 +1727,7 @@ ACCEPT loc dmz icmp echo-request</programlisting>
<para>Let's suppose that you run mail and pop3 servers on DMZ 2 and a
Web Server on DMZ 1. The rules that you would need are:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST COMMENTS
# PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT
ACCEPT net dmz:192.0.2.178 tcp smtp #Mail from
#Internet
ACCEPT net dmz:192.0.2.178 tcp pop3 #Pop3 from
@ -1760,8 +1751,7 @@ ACCEPT loc dmz:192.0.2.177 tcp https #Secure WWW
<para>If you run a public DNS server on 192.0.2.177, you would need to
add the following rules:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST COMMENTS
# PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT
ACCEPT net dmz:192.0.2.177 udp domain #UDP DNS from
#Internet
ACCEPT net dmz:192.0.2.177 tcp domain #TCP DNS from
@ -1784,8 +1774,7 @@ ACCEPT dmz:192.0.2.177 net tcp domain #TCPP DNS to
scp utility can also do publishing and software update
distribution.</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST COMMENTS
# PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT
ACCEPT loc dmz tcp ssh #SSH to the DMZ
ACCEPT net $FW tcp ssh #SSH to the
#Firewall</programlisting>
@ -1816,22 +1805,11 @@ ACCEPT net $FW tcp ssh #SSH to the
<para><filename>/etc/shorewall/interfaces</filename> (The
<quote>options</quote> will be very site-specific).</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect routefilter
loc eth1 detect
dmz eth2 detect</programlisting>
<para>The setup described here requires that your network interfaces be
brought up before Shorewall can start. This opens a short window during
which you have no firewall protection. If you replace
<quote>detect</quote> with the actual broadcast addresses in the entries
above, you can bring up Shorewall before you bring up your network
interfaces.</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net eth0 192.0.2.255
loc eth1 192.168.201.7
dmz eth2 192.168.202.7</programlisting>
<programlisting>?FORMAT 2
#ZONE INTERFACE OPTIONS
net eth0 routefilter
loc eth1
dmz eth2</programlisting>
<para><filename>/etc/shorewall/masq</filename> - Local Subnet</para>
@ -1851,8 +1829,7 @@ eth0 192.168.201.0/29 192.0.2.176</programlisting>
<para><filename>/etc/shorewall/rules</filename></para>
<programlisting>#ACTION SOURCE DEST PROTO DEST COMMENTS
# PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT
ACCEPT net dmz icmp echo-request
ACCEPT net loc icmp echo-request
ACCEPT dmz loc icmp echo-request

16
docs/simple_traffic_shaping.xml
View File

@ -194,7 +194,7 @@ eth0 External</programlisting>
band 2.</para>
<note>
<para>When an INTERFACE is specified, the PROTO, PORT(S) and ADDRESS
<para>When an INTERFACE is specified, the PROTO, DPORT and ADDRESS
column must contain '-'.</para>
</note>
</listitem>
@ -203,14 +203,14 @@ eth0 External</programlisting>
<para>Assign traffic from a particular IP address to a specific
priority band:</para>
<programlisting>#BAND PROTO PORT(S) ADDRESS INTERFACE HELPER
<programlisting>#BAND PROTO DPORT ADDRESS INTERFACE HELPER
1 - - 192.168.1.44</programlisting>
<para>In this example, traffic from 192.168.1.44 will be assigned to
priority band 1.</para>
<note>
<para>When an ADDRESS is specified, the PROTO, PORT(S) and INTERFACE
<para>When an ADDRESS is specified, the PROTO, DPORT and INTERFACE
columns must be empty.</para>
</note>
</listitem>
@ -219,7 +219,7 @@ eth0 External</programlisting>
<para>Assign traffic to/from a particular application to a specific
priority band:</para>
<programlisting>#BAND PROTO PORT(S) ADDRESS INTERFACE HELPER
<programlisting>#BAND PROTO DPORT ADDRESS INTERFACE HELPER
1 udp 1194</programlisting>
<para>In that example, OpenVPN traffic is assigned to priority band
@ -230,7 +230,7 @@ eth0 External</programlisting>
<para>Assign traffic that uses a particular Netfilter helper to a
particular priority band:</para>
<programlisting>#BAND PROTO PORT(S) ADDRESS INTERFACE HELPER
<programlisting>#BAND PROTO DPORT ADDRESS INTERFACE HELPER
1 - - - - sip</programlisting>
<para>In this example, SIP and associated RTP traffic will be assigned
@ -318,11 +318,11 @@ tun0 Internal</programlisting>
<para>Example:</para>
<para><filename>/etc/shorewall/tcinterfaces</filename><programlisting>#INTERFACE TYPE IN-BANDWIDTH OUT-BANDWIDTH
<para><filename>/etc/shorewall/tcinterfaces</filename><programlisting>#INTERFACE TYPE IN_BANDWIDTH OUT_BANDWIDTH
eth0 External 50mbit:200kb 6.0mbit:100kb:200ms:100mbit:1516
</programlisting>etc/shorewall/tcpri:</para>
<programlisting>#BAND PROTO PORT(S) ADDRESS INTERFACE HELPER
<programlisting>#BAND PROTO DPORT ADDRESS INTERFACE HELPER
COMMENT All DMZ traffic in band 3 by default
3 - - 70.90.191.124/31
COMMENT Bit Torrent is in band 3
@ -335,7 +335,7 @@ COMMENT And place echo requests in band 1 to avoid false line-down reports
<para>etc/shorewall6/tcpri:</para>
<programlisting>#BAND PROTO PORT(S) ADDRESS INTERFACE HELPER
<programlisting>#BAND PROTO DPORT ADDRESS INTERFACE HELPER
COMMENT All DMZ traffic in band 3 by default
3 - - 2001:470:b:227::40/124
COMMENT But give a boost to DNS queries

19
docs/standalone.xml
View File

@ -277,7 +277,7 @@ net ipv4</programlisting>
<para>The <filename>/etc/shorewall/policy</filename> file included with
the one-interface sample has the following policies:</para>
<programlisting>#SOURCE ZONE DESTINATION ZONE POLICY LOG LEVEL LIMIT:BURST
<programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
$FW net ACCEPT
net all DROP info
all all REJECT info</programlisting>
@ -517,20 +517,19 @@ root@lists:~# </programlisting>
<filename>/usr/share/shorewall/macro.*</filename>, the general format of a
rule in <filename>/etc/shorewall/rules</filename> is:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT
&lt;<emphasis>macro</emphasis>&gt;(ACCEPT) net $FW</programlisting>
<important>
<para>Be sure to add your rules after the line that reads <emphasis
role="bold">SECTION NEW</emphasis> (?SECTION NEW in Shorewall 4.6.0 and
later).</para>
role="bold">?SECTION NEW</emphasis>.</para>
</important>
<example id="Example1">
<title>You want to run a Web Server and a IMAP Server on your firewall
system:</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT
Web(ACCEPT) net $FW
IMAP(ACCEPT)net $FW</programlisting>
</example>
@ -546,14 +545,14 @@ IMAP(ACCEPT)net $FW</programlisting>
a pre-defined macro that meets your requirements. In that case the general
format of a rule in <filename>/etc/shorewall/rules</filename> is:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT
ACCEPT net $FW <emphasis>&lt;protocol&gt;</emphasis> <emphasis>&lt;port&gt;</emphasis></programlisting>
<example id="Example2">
<title>You want to run a Web Server and a IMAP Server on your firewall
system:</title>
<para><programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
<para><programlisting>#ACTION SOURCE DEST PROTO DPORT
ACCEPT net $FW tcp 80
ACCEPT net $FW tcp 143</programlisting></para>
</example>
@ -566,7 +565,7 @@ ACCEPT net $FW tcp 143</programlisting></para>
uses clear text (even for login!). If you want shell access to your
firewall from the Internet, use <acronym>SSH</acronym>:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
SSH(ACCEPT) net $FW </programlisting>
</important>
@ -615,7 +614,7 @@ SSH(ACCEPT) net $FW </programlisting>
(<filename><ulink
url="manpages/shorewall-routestopped.html">/etc/shorewall/routestopped</ulink></filename>
in Shorewall 4.5.7 and earlier). A running firewall may be restarted using
the <quote><command>shorewall restart</command></quote> command. If you
the <quote><command>shorewall reload</command></quote> command. If you
want to totally remove any trace of Shorewall from your Netfilter
configuration, use <quote><command>shorewall
clear</command></quote>.</para>
@ -639,7 +638,7 @@ SSH(ACCEPT) net $FW </programlisting>
</orderedlist>
<para>Also, I don't recommend using <quote><command>shorewall
restart</command></quote>; it is better to create an <emphasis><ulink
reload</command></quote>; it is better to create an <emphasis><ulink
url="configuration_file_basics.htm#Configs">alternate
configuration</ulink></emphasis> and test it using the <ulink
url="starting_and_stopping_shorewall.htm"><quote><command>shorewall

27
docs/starting_and_stopping_shorewall.xml
View File

@ -165,7 +165,7 @@
<listitem>
<para>If you change your configuration and want to install the
changes, use the <command>shorewall restart </command>command.</para>
changes, use the <command>shorewall reload </command>command.</para>
</listitem>
</itemizedlist>
@ -616,7 +616,7 @@
<row>
<entry align="center">/sbin/shorewall Command</entry>
<entry align="center">Resulting /usr/share/shorewall/firewall
<entry align="center">Resulting /var/lib/shorewall/firewall
Command</entry>
<entry align="center">Effect if the Command Succeeds</entry>
@ -646,6 +646,15 @@
firewall are accepted.</entry>
</row>
<row>
<entry>shorewall reload</entry>
<entry>firewall reload</entry>
<entry>Very similar to start, replacing the existing ruleset with
one that reflects the current configuration file contents.</entry>
</row>
<row>
<entry>shorewall restart</entry>
@ -721,15 +730,15 @@
transition while the compiler is running. If compilation fails, the state
remains unchanged.</para>
<para>Also, <command>shorewall start</command> and <command>shorewall
restart</command> involve compilation followed by execution of the
compiled script. So it is the compiled script that performs the state
transition in these commands rather than
<command>/usr/share/shorewall/firewall</command>.</para>
<para>Also, <command>shorewall start</command>, <command>shorewall
reload</command> and <command>shorewall restart</command> involve
compilation followed by execution of the compiled script. So it is the
compiled script that performs the state transition in these commands
rather than <command>/usr/share/shorewall/firewall</command>.</para>
<para>The compiled script is placed in <filename
class="directory">/var/lib/shorewall</filename> and is named either
<filename>.start</filename> or <filename>.restart</filename> depending on
the command.</para>
<filename>.start</filename>, .reload or <filename>.restart</filename>
depending on the command.</para>
</section>
</article>

104
docs/three-interface.xml
View File

@ -90,7 +90,7 @@
<mediaobject>
<imageobject>
<imagedata align="center" fileref="images/dmz1.png" format="PNG" />
<imagedata align="center" fileref="images/dmz1.png" format="PNG"/>
</imageobject>
</mediaobject>
</figure>
@ -148,19 +148,18 @@
<title>Conventions</title>
<para>Points at which configuration changes are recommended are flagged
with <inlinegraphic fileref="images/BD21298_.gif"
format="GIF" />.</para>
with <inlinegraphic fileref="images/BD21298_.gif" format="GIF"/>.</para>
<para>Configuration notes that are unique to Debian and it's derivatives
are marked with <inlinegraphic fileref="images/openlogo-nd-25.png"
format="GIF" />.</para>
format="GIF"/>.</para>
</section>
</section>
<section id="PPTP">
<title>PPTP/ADSL</title>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>If you have an ADSL Modem and you use PPTP to communicate with a
server in that modem, you must make the <ulink
@ -176,7 +175,7 @@
<filename>/etc/shorewall</filename> -- for simple setups, you will only
need to deal with a few of these as described in this guide.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>After you have installed Shorewall, locate the three-interface
Sample configuration:</para>
@ -210,7 +209,7 @@
</listitem>
<listitem>
<para><graphic align="left" fileref="images/openlogo-nd-25.png" />If
<para><graphic align="left" fileref="images/openlogo-nd-25.png"/>If
you installed using a Shorewall 4.x .deb, the samples are in <emphasis
role="bold"><filename
class="directory">/usr/share/doc/shorewall/examples/three-interfaces</filename></emphasis>.
@ -248,8 +247,7 @@
a set of zones. In the three-interface sample configuration, the following
zone names are used:</para>
<para><programlisting>#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
<para><programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
fw firewall
net ipv4
loc ipv4
@ -305,7 +303,7 @@ dmz ipv4</programlisting>Zone names are defined in
<para>The <filename>/etc/shorewall/policy</filename> file included with
the three-interface sample has the following policies:</para>
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
<programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
loc net ACCEPT
net all DROP info
all all REJECT info</programlisting>
@ -315,7 +313,7 @@ all all REJECT info</programlisting>
commented out. If you want your firewall system to have full access to
servers on the Internet, uncomment that line.</para>
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
<programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
$FW net ACCEPT</programlisting>
</important>
@ -351,7 +349,7 @@ $FW net ACCEPT</programlisting>
local network from a security perspective. If you want to do this, add
these two policies:</para>
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
<programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
loc $FW ACCEPT
$FW loc ACCEPT</programlisting>
@ -363,7 +361,7 @@ $FW loc ACCEPT</programlisting>
<emphasis>net</emphasis> zone even though connections are not allowed from
the <emphasis>loc</emphasis> zone to the firewall itself.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>At this point, edit your <filename>/etc/shorewall/policy</filename>
file and make any changes that you wish.</para>
@ -377,7 +375,7 @@ $FW loc ACCEPT</programlisting>
<mediaobject>
<imageobject>
<imagedata align="center" fileref="images/dmz1.png" format="PNG" />
<imagedata align="center" fileref="images/dmz1.png" format="PNG"/>
</imageobject>
</mediaobject>
</figure>
@ -421,7 +419,7 @@ root@lists:~# </programlisting>
the external interface.</para>
</caution>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>I<emphasis role="bold">f your external interface is <filename
class="devicefile">ppp0</filename> or <filename
@ -463,7 +461,7 @@ root@lists:~# </programlisting>
exactly one default route via your ISP's Router.</para>
</caution>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>The Shorewall three-interface sample configuration assumes that the
external interface is <filename class="devicefile">eth0</filename>, the
@ -528,7 +526,7 @@ root@lists:~# </programlisting>
<title>Example sub-network</title>
<tgroup cols="2">
<colspec align="left" />
<colspec align="left"/>
<tbody>
<row>
@ -573,7 +571,7 @@ root@lists:~# </programlisting>
directly. To communicate with systems outside of the subnetwork, systems
send packets through a gateway (router).</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>Your local computers (Local Computers 1 &amp; 2) should be
configured with their default gateway set to the IP address of the
@ -596,7 +594,7 @@ root@lists:~# </programlisting>
<mediaobject>
<imageobject>
<imagedata fileref="images/dmz2.png" />
<imagedata fileref="images/dmz2.png"/>
</imageobject>
<caption><para>The default gateway for the DMZ computers would be
@ -652,7 +650,7 @@ root@lists:~# </programlisting>
class="directory">/etc/shorewall/</filename><filename>masq</filename>
file.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>If your external firewall interface is <filename
class="devicefile">eth0</filename> then you do not need to modify the file
@ -665,7 +663,7 @@ root@lists:~# </programlisting>
modify the SOURCE column to list just your local interface (10.10.10.0/24
in the above example).</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>If your external IP is static, you can enter it in the third column
in the <filename
@ -673,7 +671,7 @@ root@lists:~# </programlisting>
entry if you like although your firewall will work fine if you leave that
column empty. Entering your static IP in column 3 makes processing
outgoing packets a little more efficient.<graphic align="left"
fileref="images/openlogo-nd-25.png" /></para>
fileref="images/openlogo-nd-25.png"/></para>
<para><emphasis role="bold">If you are using the Debian package, please
check your <filename>shorewall.conf</filename> file to ensure that the
@ -736,7 +734,7 @@ root@lists:~# </programlisting>
</listitem>
</itemizedlist>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>If you are running a distribution that logs netfilter messages to a
log other than <filename>/var/log/messages</filename>, then modify the
@ -776,7 +774,7 @@ root@lists:~# </programlisting>
<filename>/usr/share/shorewall/modules</filename> then copy the file to
<filename>/etc/shorewall</filename> and modify the copy.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>Modify the setting of LOAD_HELPER_ONLY as necessary.</para>
</section>
@ -801,7 +799,7 @@ root@lists:~# </programlisting>
<para>The general form of a simple port forwarding rule in <filename
class="directory">/etc/shorewall/</filename><filename>rules</filename> is:
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT
DNAT net dmz:<emphasis>&lt;server local IP address&gt;</emphasis>[:<emphasis>&lt;server port&gt;</emphasis>] <emphasis>&lt;protocol&gt;</emphasis> <emphasis>&lt;port&gt;</emphasis></programlisting>
If you don't specify the <emphasis><varname>&lt;server
port&gt;</varname></emphasis>, it is assumed to be the same as
@ -816,7 +814,7 @@ DNAT net dmz:<emphasis>&lt;server local IP address&gt;</emphasis>[:<e
<title>You run a Web Server on DMZ Computer 2 and you want to forward
incoming TCP port 80 to that system</title>
<para><programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
<para><programlisting>#ACTION SOURCE DEST PROTO DPORT
Web(DNAT) net dmz:10.10.11.2
Web(ACCEPT) loc dmz:10.10.11.2</programlisting><itemizedlist>
<listitem>
@ -833,8 +831,7 @@ Web(ACCEPT) loc dmz:10.10.11.2</programlisting><itemizedlist>
(<systemitem class="ipaddress">10.10.11.2</systemitem>) or you
must use DNAT from the loc zone as well (see below).</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT(S) PORT(S) DEST
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
Web(DNAT) loc dmz:10.10.11.2 - - - <replaceable>external-ip-address</replaceable></programlisting>
<para>where <replaceable>external-ip-address</replaceable> is the
@ -846,8 +843,7 @@ Web(DNAT) loc dmz:10.10.11.2 - - -
you have problems connecting to your web server, try the following
rule and try connecting to port 5000 (e.g., connect to
<literal>http://w.x.y.z:5000 where w.x.y.z</literal> is your
external IP).<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE
# PORT(S)
external IP).<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
DNAT net dmz:10.10.11.2:80 tcp 5000</programlisting></para>
</listitem>
@ -855,8 +851,7 @@ DNAT net dmz:10.10.11.2:80 tcp 5000</programlisting></para>
<para>If you want to be able to access your server from the local
network using your external address, then if you have a static
external IP you can replace the loc-&gt;dmz rule above
with:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
# PORT(S) DEST
with:<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
DNAT loc dmz:10.10.11.2 tcp 80 - <emphasis>&lt;external IP&gt;</emphasis></programlisting>If
you have a dynamic IP then you must ensure that your external
interface is up before starting Shorewall and you must take steps
@ -871,8 +866,7 @@ DNAT loc dmz:10.10.11.2 tcp 80 - <emphasis>&lt;
<listitem>
<para>Make your <literal>loc-&gt;dmz</literal> rule:
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
# PORT(S) DEST
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
DNAT loc dmz:10.10.11.2 tcp 80 - $ETH0_IP</programlisting></para>
</listitem>
</orderedlist></para>
@ -886,7 +880,7 @@ DNAT loc dmz:10.10.11.2 tcp 80 - $ETH0_IP</pr
</itemizedlist></para>
</example>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>At this point, add the DNAT and ACCEPT rules for your
servers.</para>
@ -924,7 +918,7 @@ DNAT loc dmz:10.10.11.2 tcp 80 - $ETH0_IP</pr
<listitem>
<para><inlinegraphic fileref="images/BD21298_.gif"
format="GIF" /></para>
format="GIF"/></para>
<para>You can configure a <emphasis>Caching Name Server</emphasis>
on your firewall or in your DMZ. <trademark>Red Hat</trademark> has
@ -942,10 +936,10 @@ DNAT loc dmz:10.10.11.2 tcp 80 - $ETH0_IP</pr
<filename>/etc/shorewall/rules</filename>.</para>
</listitem>
</itemizedlist> If you run the name server on the firewall:
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT
DNS(ACCEPT) loc $FW
DNS(ACCEPT) dmz $FW </programlisting> Run name server on DMZ
computer 1: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
computer 1: <programlisting>#ACTION SOURCE DEST PROTO DPORT
DNS(ACCEPT) loc dmz:10.10.11.1
DNS(ACCEPT) $FW dmz:10.10.11.1 </programlisting></para>
@ -960,7 +954,7 @@ DNS(ACCEPT) $FW dmz:10.10.11.1 </programlisting></para>
<filename>/etc/shorewall/rules</filename>. The first example above (name
server on the firewall) could also have been coded as follows:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT
ACCEPT loc $FW tcp 53
ACCEPT loc $FW udp 53
ACCEPT dmz $FW tcp 53
@ -983,24 +977,24 @@ ACCEPT dmz $FW udp 53 </programlist
<title>Other Connections</title>
<para>The three-interface sample includes the following rule:
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT
DNS(ACCEPT) $FW net </programlisting>That rule allow DNS access
from your firewall and may be removed if you commented out the line in
<filename>/etc/shorewall/policy</filename> allowing all connections from
the firewall to the Internet.</para>
<para>The sample also includes: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
<para>The sample also includes: <programlisting>#ACTION SOURCE DEST PROTO DPORT
SSH(ACCEPT) loc $FW
SSH(ACCEPT) loc dmz </programlisting>Those rules allow you to run
an SSH server on your firewall and in each of your DMZ systems and to
connect to those servers from your local systems.</para>
<para>If you wish to enable other connections between your systems, the
general format for using a defined macro is: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
general format for using a defined macro is: <programlisting>#ACTION SOURCE DEST PROTO DPORT
&lt;<emphasis>macro</emphasis>&gt;(ACCEPT) <emphasis>&lt;source zone&gt; &lt;destination zone&gt;</emphasis></programlisting></para>
<para>The general format when not using a defined macro
is:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
is:<programlisting>#ACTION SOURCE DEST PROTO DPORT
ACCEPT <emphasis>&lt;source zone&gt; &lt;destination zone&gt; &lt;protocol&gt; &lt;port&gt; </emphasis></programlisting></para>
<example id="Example2">
@ -1009,12 +1003,12 @@ ACCEPT <emphasis>&lt;source zone&gt; &lt;destination zone&gt; &lt;protocol&g
<para>Using defined macros:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT
DNS(ACCEPT) net $FW</programlisting>
<para>Not using defined macros:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT
ACCEPT net $FW tcp 53
ACCEPT net $FW udp 53 </programlisting>
@ -1028,13 +1022,13 @@ ACCEPT net $FW udp 53 </programlisting>
<important>
<para>I don't recommend enabling telnet to/from the Internet because it
uses clear text (even for login!). If you want shell access to your
firewall from the Internet, use SSH: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
firewall from the Internet, use SSH: <programlisting>#ACTION SOURCE DEST PROTO DPORT
SSH(ACCEPT) net $FW</programlisting></para>
</important>
<para><inlinegraphic fileref="images/leaflogo.gif" format="GIF" /> Bering
<para><inlinegraphic fileref="images/leaflogo.gif" format="GIF"/> Bering
users will want to add the following two rules to be compatible with
Jacques's Shorewall configuration: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
Jacques's Shorewall configuration: <programlisting>#ACTION SOURCE DEST PROTO DPORT
ACCEPT loc $FW udp 53
ACCEPT net $FW tcp 80 </programlisting><itemizedlist>
<listitem>
@ -1045,7 +1039,7 @@ ACCEPT net $FW tcp 80 </programlisting><it
<para>Entry 2 allows the <quote>weblet</quote> to work.</para>
</listitem>
</itemizedlist><inlinegraphic fileref="images/BD21298_.gif"
format="GIF" /></para>
format="GIF"/></para>
<para>Now modify <filename>/etc/shorewall/rules</filename> to add or
remove other connections as required.</para>
@ -1110,7 +1104,7 @@ ACCEPT net $FW tcp 80 </programlisting><it
<section id="Starting">
<title>Starting and Stopping Your Firewall</title>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>The <ulink url="Install.htm">installation procedure</ulink>
configures your system to start Shorewall at system boot but startup is
@ -1119,7 +1113,7 @@ ACCEPT net $FW tcp 80 </programlisting><it
firewall, you can enable Shorewall startup by editing
<filename>/etc/shorewall/shorewall.conf</filename> and setting
STARTUP_ENABLED=Yes.<graphic align="left"
fileref="images/openlogo-nd-25.png" /><important>
fileref="images/openlogo-nd-25.png"/><important>
<para>Users of the <filename>.deb</filename> package must edit
<filename>/etc/default/shorewall</filename> and set
<varname>startup=1</varname>.</para>
@ -1138,11 +1132,11 @@ ACCEPT net $FW tcp 80 </programlisting><it
(<ulink
url="manpages/shorewall-routestopped.html"><filename>/etc/shorewall/routestopped</filename></ulink>
on Shorewall 4.5.7 and earlier). A running firewall may be restarted using
the <command>shorewall restart</command> command. If you want to totally
the <command>shorewall reload</command> command. If you want to totally
remove any trace of Shorewall from your Netfilter configuration, use
<command>shorewall clear</command>.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>The three-interface sample assumes that you want to enable routing
to/from <filename class="devicefile">eth1</filename> (your local network)
@ -1168,7 +1162,7 @@ ACCEPT net $FW tcp 80 </programlisting><it
</orderedlist>
<para>Also, I don't recommend using <quote><command>shorewall
restart</command></quote>; it is better to create an alternate
reload</command></quote>; it is better to create an alternate
configuration and test it using the <quote><command>shorewall
try</command></quote> command.</para>
</warning></para>
@ -1239,7 +1233,7 @@ ACCEPT net $FW tcp 80 </programlisting><it
<programlisting><command>systemctl disable iptables.service</command></programlisting>
<para><inlinegraphic fileref="images/BD21298_.gif" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif"/></para>
<para>At this point, disable your existing firewall service.</para>
</section>

61
docs/traffic_shaping.xml
View File

@ -922,7 +922,7 @@ ppp0 6000kbit 500kbit</programlisting>
packets arriving on eth2 and eth3 should be marked with 2. All packets
originating on the firewall itself should be marked with 3.</para>
<programlisting>#ACTION SOURCE DESTINATION PROTOCOL PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT
MARK(1) eth1 0.0.0.0/0 all
MARK(2) eth2 0.0.0.0/0 all
MARK(2) eth3 0.0.0.0/0 all
@ -935,7 +935,7 @@ MARK(3) $FW 0.0.0.0/0 all</programlisting>
<para>All GRE (protocol 47) packets destined for 155.186.235.151
should be marked with 12.</para>
<programlisting>#ACTION SOURCE DESTINATION PROTOCOL PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT
MARK(12):T 0.0.0.0/0 155.182.235.151 47</programlisting>
</example>
@ -945,7 +945,7 @@ MARK(12):T 0.0.0.0/0 155.182.235.151 47</programlisting>
<para>All SSH request packets originating in 192.168.1.0/24 and
destined for 155.186.235.151 should be marked with 22.</para>
<programlisting>#ACTION SOURCE DESTINATION PROTOCOL PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT
MARK(22):T 192.168.1.0/24 155.182.235.151 tcp 22</programlisting>
</example>
@ -956,8 +956,7 @@ MARK(22):T 192.168.1.0/24 155.182.235.151 tcp 22</programlisting>
/etc/shorewall/tcdevices should be assigned to the class with mark
value 10.</para>
<programlisting>#ACTION SOURCE DESTINATION PROTOCOL PORT(S) CLIENT
# PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT
CLASSIFY(1:110) 0.0.0.0/0 0.0.0.0/0 tcp 22
CLASSIFY(1:110) 0.0.0.0/0 0.0.0.0/0 tcp - 22</programlisting>
</example>
@ -975,8 +974,7 @@ CLASSIFY(1:110) 0.0.0.0/0 0.0.0.0/0 tcp - 22</
means unclassified. Traffic originating on the firewall is not covered
by this example.</para>
<programlisting>#ACTION SOURCE DESTINATION PROTOCOL PORT(S) CLIENT USER/ TEST
# PORT(S) GROUP
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
MARK(1) 0.0.0.0/0 0.0.0.0/0 icmp echo-request
MARK(1) 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
@ -1002,8 +1000,7 @@ SAVE 0.0.0.0/0 0.0.0.0/0 all - -
ensure that all VOIP packets also receive that mark (assumes that
nf_conntrack_sip is loaded).</para>
<programlisting>#ACTION SOURCE DESTINATION PROTOCOL PORT(S) CLIENT USER/ TEST CONNBYTES TOS HELPER
# PORT(S) GROUP
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST CONNBYTES TOS HELPER
RESTORE 0.0.0.0/0 0.0.0.0/0 all - - - 0
CONTINUE 0.0.0.0/0 0.0.0.0/0 all - - - !0
1 0.0.0.0/0 0.0.0.0/0 all - - - - - - sip
@ -1235,7 +1232,7 @@ Source IP address is 192.168.4.3 = 0xc0a80403
<para><filename>/etc/shorewall/tcdevices</filename>:</para>
<programlisting>#INTERFACE IN-BANDWIDTH OUT-BANDWIDTH
<programlisting>#INTERFACE IN_BANDWIDTH OUT_BANDWIDTH
eth0 100mbit 100mbit</programlisting>
<para><filename>/etc/shorewall/tcclasses</filename>:</para>
@ -1293,7 +1290,7 @@ IPMARK(src,0xff,0x10100):F 192.168.1.0/29 eth0</programlisting>
<section id="realtcd">
<title>tcdevices file</title>
<programlisting>#INTERFACE IN-BANDWITH OUT-BANDWIDTH
<programlisting>#INTERFACE IN_BANDWITH OUT_BANDWIDTH
ppp0 5000kbit 500kbit</programlisting>
</section>
@ -1309,8 +1306,7 @@ ppp0 3 2*full/10 8*full/10 2</programlisting>
<section id="realtcr">
<title>mangle file</title>
<programlisting>#ACTION SOURCE DEST PROTO PORT(S) CLIENT USER
# PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER
MARK(1):F 0.0.0.0/0 0.0.0.0/0 icmp echo-request
MARK(1):F 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
# mark traffic which should have a lower priority with a 3:
@ -1347,23 +1343,14 @@ NOPRIOPORTDST="6662 6663" </programlisting>
<para>This would result in the following additional settings to the
mangle file:</para>
<programlisting>MARK(3) 192.168.1.128/25 0.0.0.0/0 all
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER
MARK(3) 192.168.1.128/25 0.0.0.0/0 all
MARK(3) 192.168.3.28 0.0.0.0/0 all
MARK(3) 0.0.0.0/0 60.0.0.0/24 all
MARK(3) 0.0.0.0/0 0.0.0.0/0 udp 6662,6663
MARK(3) 0.0.0.0/0 0.0.0.0/0 udp - 6662,6663
MARK(3) 0.0.0.0/0 0.0.0.0/0 tcp 6662,6663
MARK(3) 0.0.0.0/0 0.0.0.0/0 tcp - 6662,6663</programlisting>
<para>Corresponding tcrules file entries are:</para>
<programlisting>3 192.168.1.128/25 0.0.0.0/0 all
3 192.168.3.28 0.0.0.0/0 all
3 0.0.0.0/0 60.0.0.0/24 all
3 0.0.0.0/0 0.0.0.0/0 udp 6662,6663
3 0.0.0.0/0 0.0.0.0/0 udp - 6662,6663
3 0.0.0.0/0 0.0.0.0/0 tcp 6662,6663
3 0.0.0.0/0 0.0.0.0/0 tcp - 6662,6663</programlisting>
</section>
</section>
@ -1378,7 +1365,7 @@ MARK(3) 0.0.0.0/0 0.0.0.0/0 tcp - 6662,666
<section id="simpletcd">
<title>tcdevices file</title>
<programlisting>#INTERFACE IN-BANDWITH OUT-BANDWIDTH
<programlisting>#INTERFACE IN_BANDWITH OUT_BANDWIDTH
ppp0 6000kbit 700kbit</programlisting>
<para>We have 6mbit down and 700kbit upstream.</para>
@ -1403,8 +1390,7 @@ ppp0 4 90kbit 200kbit 3 default</pro
<section id="simpletcr">
<title>mangle file</title>
<programlisting>#ACTION SOURCE DEST PROTO PORT(S) SOURCE USER
# PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER
MARK(1):F 0.0.0.0/0 0.0.0.0/0 icmp echo-request
MARK(1):F 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
MARK(2):F 192.168.2.23 0.0.0.0/0 all
@ -1412,8 +1398,7 @@ MARK(3):F 192.168.2.42 0.0.0.0/0 all</programlisting>
<para>Corresponding tcrules file:</para>
<programlisting>#ACTION SOURCE DEST PROTO PORT(S) CLIENT USER
# PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER
1:F 0.0.0.0/0 0.0.0.0/0 icmp echo-request
1:F 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
2:F 192.168.2.23 0.0.0.0/0 all
@ -1472,13 +1457,12 @@ MARK(3):F 192.168.2.42 0.0.0.0/0 all</programlisting>
<para><filename>/etc/shorewall/tcdevices</filename>:</para>
<programlisting>#INTERFACE IN-BANDWITH OUT-BANDWIDTH OPTIONS
<programlisting>#INTERFACE IN_BANDWITH OUT_BANDWIDTH OPTIONS
eth0 - 1000kbit hfsc</programlisting>
<para><filename>/etc/shorewall/tcclasses</filename>:</para>
<programlisting>#INTERFACE:CLASS MARK RATE: CEIL PRIORITY OPTIONS
# DMAX:UMAX
<programlisting>#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
1:10 1 500kbit full 1
1:20 2 500kbit full 1
1:10:11 3 400kbit:53ms:1500b full 2
@ -1649,8 +1633,7 @@ ip link set ifb0 up</command></programlisting>
<para>Example: <filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT(S) PORT(S) DEST
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
DNAT net dmz:192.168.4.5 tcp 80 - 206.124.146.177</programlisting>
<para>Requests redirected by this rule will have destination IP
@ -1721,7 +1704,7 @@ eth0 192.168.1.0/24 206.124.146.179</programlisting></para>
</varlistentry>
<varlistentry>
<term>DEST PORT(S)</term>
<term>DPORT</term>
<listitem>
<para>Comma-separated list of destination port names or numbers.
@ -1731,7 +1714,7 @@ eth0 192.168.1.0/24 206.124.146.179</programlisting></para>
</varlistentry>
<varlistentry>
<term>SOURCE PORT</term>
<term>SPORT</term>
<listitem>
<para>Comma-separated list of source port names or numbers. May
@ -1810,8 +1793,7 @@ qt ip link set dev ifb0 up</programlisting></para>
<para><filename>/etc/shorewall/tcdevices</filename>:</para>
<para><programlisting>
#INTERFACE IN-BANDWITH OUT-BANDWIDTH OPTIONS REDIRECTED
# INTERFACES
#INTERFACE IN_BANDWITH OUT_BANDWIDTH OPTIONS REDIRECT
1:eth0 - 384kbit classify
2:ifb0 - 1300kbit - eth0</programlisting>
<filename>/etc/shorewall/tcclasses</filename>:<programlisting>#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
@ -1820,8 +1802,7 @@ qt ip link set dev ifb0 up</programlisting></para>
1:130 - 2*full/10 6*full/10 3
2:110 - 5*full/10 full 1 tcp-ack,tos-minimize-delay
2:120 - 2*full/10 6*full/10 2 default
2:130 - 2*full/10 6*full/10 3</programlisting><filename>/etc/shorewall/tcfilters</filename>:<programlisting>#INTERFACE: SOURCE DEST PROTO DEST SOURCE
#CLASS PORT(S) PORT(S)
2:130 - 2*full/10 6*full/10 3</programlisting><filename>/etc/shorewall/tcfilters</filename>:<programlisting>#INTERFACE: SOURCE DEST PROTO DPORT SPORT
#
# OUTGOING TRAFFIC
#

106
docs/two-interface.xml
View File

@ -74,7 +74,7 @@
<mediaobject>
<imageobject>
<imagedata align="center" fileref="images/basics.png" format="PNG" />
<imagedata align="center" fileref="images/basics.png" format="PNG"/>
</imageobject>
</mediaobject>
</figure> <caution>
@ -121,19 +121,18 @@
<title>Conventions</title>
<para>Points at which configuration changes are recommended are flagged
with <inlinegraphic fileref="images/BD21298_.gif"
format="GIF" />.</para>
with <inlinegraphic fileref="images/BD21298_.gif" format="GIF"/>.</para>
<para>Configuration notes that are unique to Debian and it's derivatives
are marked with <inlinegraphic fileref="images/openlogo-nd-25.png"
format="GIF" />.</para>
format="GIF"/>.</para>
</section>
</section>
<section id="PPTP">
<title>PPTP/ADSL</title>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>If you have an <acronym>ADSL</acronym> Modem and you use
<acronym>PPTP</acronym> to communicate with a server in that modem, you
@ -146,7 +145,7 @@
<section id="Concepts">
<title>Shorewall Concepts</title>
<para></para>
<para/>
<para>The configuration files for Shorewall are contained in the directory
<filename class="directory">/etc/shorewall</filename> -- for simple
@ -154,7 +153,7 @@
this guide.</para>
<para><inlinegraphic fileref="images/BD21298_.gif"
format="GIF" /><important>
format="GIF"/><important>
<para>After you have <ulink url="Install.htm">installed
Shorewall</ulink>, locate the two-interfaces samples:</para>
@ -189,10 +188,10 @@
<listitem>
<para><graphic align="left"
fileref="images/openlogo-nd-25.png" />If you installed using a
fileref="images/openlogo-nd-25.png"/>If you installed using a
Shorewall 4.x .deb, the samples are in <emphasis
role="bold"><filename
class="directory">/usr/share/doc/shorewall-common/examples/two-interfaces</filename>.</emphasis>
class="directory">/usr/share/doc/shorewall/examples/two-interfaces</filename>.</emphasis>
You do not need the shorewall-doc package to have access to the
samples.</para>
@ -230,8 +229,7 @@
a set of zones. In the two-interface sample configuration, the following
zone names are used:</para>
<para><programlisting>#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
<para><programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
fw firewall
net ipv4
loc ipv4</programlisting>Zones are defined in the <ulink
@ -289,13 +287,13 @@ loc ipv4</programlisting>Zones are defined in the <ulink
<para>The <filename
class="directory">/etc/shorewall/</filename><filename>policy</filename>
file included with the two-interface sample has the following policies:
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
<programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
loc net ACCEPT
net all DROP info
all all REJECT info</programlisting>In the two-interface
sample, the line below is included but commented out. If you want your
firewall system to have full access to servers on the Internet, uncomment
that line. <programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
that line. <programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
$FW net ACCEPT</programlisting> The above policy will:
<itemizedlist>
<listitem>
@ -333,11 +331,11 @@ $FW net ACCEPT</programlisting> The above policy will:
local network from a security perspective. If you want to do this, add
these two policies:</para>
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
<programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
loc $FW ACCEPT
$FW loc ACCEPT</programlisting>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>At this point, edit your <filename
class="directory">/etc/shorewall/</filename><filename>policy</filename>
@ -349,7 +347,7 @@ $FW loc ACCEPT</programlisting>
<mediaobject>
<imageobject>
<imagedata align="center" fileref="images/basics.png" format="PNG" />
<imagedata align="center" fileref="images/basics.png" format="PNG"/>
</imageobject>
</mediaobject>
@ -393,7 +391,7 @@ root@lists:~# </programlisting>
the external interface.</para>
</caution>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>I<emphasis role="bold">f your external interface is <filename
class="devicefile">ppp0</filename> or <filename
@ -421,7 +419,7 @@ root@lists:~# </programlisting>
internal interface.</emphasis> Your firewall should have exactly one
default route via your ISP's Router.</para>
</warning> <inlinegraphic fileref="images/BD21298_.gif"
format="GIF" /></para>
format="GIF"/></para>
<para>The Shorewall two-interface sample configuration assumes that the
external interface is <filename class="devicefile">eth0</filename> and the
@ -533,7 +531,7 @@ root@lists:~# </programlisting>
directly. To communicate with systems outside of the subnetwork, systems
send packets through a gateway (router).</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>Your local computers (computer 1 and computer 2 in the above
diagram) should be configured with their default gateway to be the
@ -550,7 +548,7 @@ root@lists:~# </programlisting>
<para id="Diagram">The remainder of this guide will assume that you have
configured your network as shown here: <mediaobject>
<imageobject>
<imagedata align="center" fileref="images/basics1.png" format="PNG" />
<imagedata align="center" fileref="images/basics1.png" format="PNG"/>
</imageobject>
</mediaobject> The default gateway for computer's 1 &amp; 2 would be
<systemitem class="ipaddress">10.10.10.254</systemitem>. <warning>
@ -607,7 +605,7 @@ root@lists:~# </programlisting>
<acronym>IP</acronym> is dynamic and <acronym>SNAT</acronym> if the
<acronym>IP</acronym> is static.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>If your external firewall interface is <filename
class="devicefile">eth0</filename>, you do not need to modify the file
@ -616,7 +614,7 @@ root@lists:~# </programlisting>
class="directory">/etc/shorewall/</filename><filename>masq</filename> and
change the first column to the name of your external interface.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>If your external <acronym>IP</acronym> is static, you can enter it
in the third column in the <filename
@ -626,7 +624,7 @@ root@lists:~# </programlisting>
column 3 (SNAT) makes the processing of outgoing packets a little more
efficient.</para>
<graphic align="left" fileref="images/openlogo-nd-25.png" />
<graphic align="left" fileref="images/openlogo-nd-25.png"/>
<para>I<emphasis role="bold">f you are using the Debian package, please
check your <filename>shorewall.conf</filename> file to ensure that the
@ -689,7 +687,7 @@ root@lists:~# </programlisting>
</listitem>
</itemizedlist>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>If you are running a distribution that logs netfilter messages to a
log other than <filename>/var/log/messages</filename>, then modify the
@ -729,7 +727,7 @@ root@lists:~# </programlisting>
<filename>/usr/share/shorewall/modules</filename> then copy the file to
<filename>/etc/shorewall</filename> and modify the copy.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>Modify the setting of LOAD_HELPER_ONLY as necessary.</para>
</section>
@ -758,7 +756,7 @@ root@lists:~# </programlisting>
a server in the <emphasis>loc</emphasis> zone, the general form of a
simple port forwarding rule in <filename
class="directory">/etc/shorewall/</filename><filename>rules</filename> is:
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT
DNAT net loc:<emphasis>&lt;server local ip address&gt;</emphasis>[:<emphasis>&lt;server port&gt;</emphasis>] <emphasis>&lt;protocol&gt;</emphasis> <emphasis>&lt;port&gt;</emphasis></programlisting><important>
<para><emphasis role="bold">If you want to forward traffic from the
<emphasis>loc</emphasis> zone to a server in the
@ -784,14 +782,14 @@ DNAT net loc:<emphasis>&lt;server local ip address&gt;</emphasis>[:<e
<para>You run a Web Server on computer 2 in <link
linkend="Diagram">the above diagram</link> and you want to forward
incoming <acronym>TCP</acronym> port 80 to that system:
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT
Web(DNAT) net loc:10.10.10.2</programlisting></para>
</example> <example id="Example2" label="2">
<title>FTP Server</title>
<para>You run an <acronym>FTP</acronym> Server on <link
linkend="Diagram">computer 1</link> so you want to forward incoming
<acronym>TCP</acronym> port 21 to that system: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
<acronym>TCP</acronym> port 21 to that system: <programlisting>#ACTION SOURCE DEST PROTO DPORT
FTP(DNAT) net loc:10.10.10.1</programlisting> For
<acronym>FTP</acronym>, you will also need to have
<acronym>FTP</acronym> connection tracking and <acronym>NAT</acronym>
@ -829,11 +827,11 @@ FTP(DNAT) net loc:10.10.10.1</programlisting> For
server, try the following rule and try connecting to port
5000.</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT
DNAT net loc:10.10.10.2:80 tcp 5000</programlisting>
</listitem>
</itemizedlist> <inlinegraphic fileref="images/BD21298_.gif"
format="GIF" /></para>
format="GIF"/></para>
<para>At this point, modify <filename
class="directory">/etc/shorewall/</filename><filename>rules</filename> to
@ -881,7 +879,7 @@ DNAT net loc:10.10.10.2:80 tcp 5000</programlisting>
</listitem>
<listitem>
<para><anchor id="cachingdns" /> You can configure a
<para><anchor id="cachingdns"/> You can configure a
<emphasis>Caching Name Server</emphasis> on your firewall.
<trademark>Red Hat</trademark> has an <acronym>RPM</acronym> for a
caching name server (the <acronym>RPM</acronym> also requires the
@ -897,7 +895,7 @@ DNAT net loc:10.10.10.2:80 tcp 5000</programlisting>
network to the firewall; you do that by adding the following rules
in <filename
class="directory">/etc/shorewall/</filename><filename>rules</filename>.
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT
DNS(ACCEPT)loc $FW</programlisting></para>
</listitem>
</itemizedlist></para>
@ -907,7 +905,7 @@ DNS(ACCEPT)loc $FW</programlisting></para>
<title>Other Connections</title>
<para>The two-interface sample includes the following rules:
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT
DNS(ACCEPT) $FW net</programlisting>This rule allows
<acronym>DNS</acronym> access from your firewall and may be removed if you
uncommented the line in <filename
@ -922,7 +920,7 @@ DNS(ACCEPT) $FW net</programlisting>This rule allows
<para>You don't have to use defined macros when coding a rule in
<filename>/etc/shorewall/rules</filename>; Shorewall will start slightly
faster if you code your rules directly rather than using macros. The the
rule shown above could also have been coded as follows:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
rule shown above could also have been coded as follows:<programlisting>#ACTION SOURCE DEST PROTO DPORT
ACCEPT $FW net udp 53
ACCEPT $FW net tcp 53</programlisting></para>
@ -930,21 +928,21 @@ ACCEPT $FW net tcp 53</programlisting></para>
your needs, you can either define the macro yourself or you can simply
code the appropriate rules directly.</para>
<para>The sample also includes: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
<para>The sample also includes: <programlisting>#ACTION SOURCE DEST PROTO DPORT
SSH(ACCEPT) loc $FW </programlisting>That rule allows you to run an
<acronym>SSH</acronym> server on your firewall and connect to that server
from your local systems.</para>
<para>If you wish to enable other connections from your firewall to other
systems, the general format using a macro is: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
systems, the general format using a macro is: <programlisting>#ACTION SOURCE DEST PROTO DPORT
&lt;macro&gt;(ACCEPT) $FW <emphasis>&lt;destination zone&gt;</emphasis></programlisting>The
general format when not using defined macros is:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
general format when not using defined macros is:<programlisting>#ACTION SOURCE DEST PROTO DPORT
ACCEPT $FW <emphasis>&lt;destination zone&gt; &lt;protocol&gt; &lt;port&gt;</emphasis></programlisting><example
id="Example3">
<title>Web Server on Firewall</title>
<para>You want to run a Web Server on your firewall system:
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT
Web(ACCEPT) net $FW
Web(ACCEPT) loc $FW </programlisting>Those two rules would of
course be in addition to the rules listed above under <quote><link
@ -957,14 +955,14 @@ Web(ACCEPT) loc $FW </programlisting>Those two rules would of
shell access to your firewall from the Internet, use
<acronym>SSH</acronym>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT
SSH(ACCEPT) net $FW</programlisting>
</important> <inlinegraphic fileref="images/leaflogo.gif"
format="GIF" />Bering users will want to add the following two rules to be
compatible with Jacques's Shorewall configuration.<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
format="GIF"/>Bering users will want to add the following two rules to be
compatible with Jacques's Shorewall configuration.<programlisting>#ACTION SOURCE DEST PROTO DPORT
ACCEPT loc $FW udp 53 #Allow DNS Cache to work
ACCEPT loc $FW tcp 80 #Allow Weblet to work</programlisting>
<inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>Now edit your <filename
class="directory">/etc/shorewall/</filename><filename>rules</filename>
@ -1030,7 +1028,7 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
<section id="Starting">
<title>Starting and Stopping Your Firewall</title>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>The <ulink url="Install.htm">installation procedure</ulink>
configures your system to start Shorewall at system boot but startup is
@ -1038,7 +1036,7 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
configuration is complete. Once you have completed configuration of your
firewall, you must edit /etc/shorewall/shorewall.conf and set
STARTUP_ENABLED=Yes.<graphic align="left"
fileref="images/openlogo-nd-25.png" /><important>
fileref="images/openlogo-nd-25.png"/><important>
<para>Users of the .deb package must edit <filename
class="directory">/etc/default/</filename><filename>shorewall</filename>
and set <varname>startup=1</varname>.</para>
@ -1056,11 +1054,11 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
(Shorewall 4.5.7 and earlier) or in<filename> <ulink
url="manpages/shorewall-stoppedrules.html">/etc/shorewall/stoppedrules</ulink></filename>.
A running firewall may be restarted using the <quote><command>shorewall
restart</command></quote> command. If you want to totally remove any trace
reload</command></quote> command. If you want to totally remove any trace
of Shorewall from your Netfilter configuration, use
<quote><command>shorewall clear</command></quote>.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>The two-interface sample assumes that you want to enable routing
to/from <filename class="devicefile">eth1</filename> (the local network)
@ -1087,7 +1085,7 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
</orderedlist>
<para>Also, I don't recommend using <quote><command>shorewall
restart</command></quote>; it is better to create an alternate
reload</command></quote>; it is better to create an alternate
configuration and test it using the <quote><command>shorewall
try</command></quote> command.</para>
</warning></para>
@ -1158,7 +1156,7 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
<programlisting><command>systemctl disable iptables.service</command></programlisting>
<para><inlinegraphic fileref="images/BD21298_.gif" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif"/></para>
<para>At this point, disable your existing firewall service.</para>
</section>
@ -1202,9 +1200,9 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
</caution></para>
<para>Your new network will look similar to what is shown in the following
figure.<graphic align="center" fileref="images/basics2.png" /></para>
figure.<graphic align="center" fileref="images/basics2.png"/></para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>The first thing to note is that the computers in your wireless
network will be in a different subnet from those on your wired local LAN.
@ -1217,7 +1215,7 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
traffic may flow freely between the local wired network and the wireless
network.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>There are only two changes that need to be made to the Shorewall
configuration:</para>
@ -1229,8 +1227,8 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
network interface. If the wireless interface is <filename
class="devicefile">wlan0</filename>, the entry might look like:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
loc wlan0 detect maclist</programlisting>
<programlisting>#ZONE INTERFACE OPTIONS
loc wlan0 maclist</programlisting>
<para>As shown in the above entry, I recommend using the <ulink
url="MAC_Validation.html">maclist option</ulink> for the wireless
@ -1248,7 +1246,7 @@ loc wlan0 detect maclist</programlisting>
from the wireless network to the Internet. If you file looks like
this:</para>
<programlisting>#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
<programlisting>#INTERFACE SOURCE ADDRESS PROTO DPORT IPSEC MARK
eth0 10.0.0.0/8,\
169.254.0.0/16,\
172.16.0.0/12,\

4
docs/whitelisting_under_shorewall.xml
View File

@ -120,7 +120,7 @@ loc eth2:0.0.0.0/0</programlisting>
<bridgehead renderas="sect4">Policy File</bridgehead>
<programlisting>#SOURCE DEST POLICY LOG LEVEL
<programlisting>#SOURCE DEST POLICY LOGLEVEL
<emphasis role="bold">ops all ACCEPT
all ops CONTINUE</emphasis>
loc net ACCEPT
@ -134,7 +134,7 @@ all all REJECT info</programlisting>
<bridgehead renderas="sect4">Rules File</bridgehead>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE PORTS(S) ORIGINAL DEST
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
REDIRECT loc!ops 3128 tcp http</programlisting>
<para>This is the rule that transparently redirects web traffic to the