Merge branch 'master' into 5.0.6

Tom Eastep 2016-03-01 15:13:20 -08:00
commit 4e9f4742cb
92 changed files with 1456 additions and 1908 deletions


@ -2,7 +2,7 @@
# #
# Script to install Shoreline Firewall Core Modules # Script to install Shoreline Firewall Core Modules
# #
# (c) 2000-2011,2014 - Tom Eastep (teastep@shorewall.net) # (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
# #
# Shorewall documentation is available at http://shorewall.net # Shorewall documentation is available at http://shorewall.net
# #


@ -266,7 +266,7 @@ search_log() # $1 = IP address to search for
# #
# Show traffic control information # Show traffic control information
# #
show_tc() { show_tc1() {
show_one_tc() { show_one_tc() {
local device local device
@ -292,6 +292,19 @@ show_tc() {
} }
show_tc() {
echo "$g_product $SHOREWALL_VERSION Traffic Control at $g_hostname - $(date)"
echo
shift
if [ -z "$1" ]; then
$g_tool -t mangle -L -n -v | $output_filter
echo
fi
show_tc1 $1
}
# #
# Show classifier information # Show classifier information
# #
@ -928,6 +941,66 @@ show_actions() {
grep -Ev '^\#|^$' ${g_sharedir}/actions.std grep -Ev '^\#|^$' ${g_sharedir}/actions.std
fi fi
} }
show_chain() {
echo "$g_product $SHOREWALL_VERSION $([ $# -gt 1 ] && echo "Chains " || [ $# -gt 0 ] && echo "Chain " || echo $table Table)$* at $g_hostname - $(date)"
echo
show_reset
if [ $# -gt 0 ]; then
for chain in $*; do
$g_tool -t $table -L $chain $g_ipt_options | $output_filter
echo
done
else
$g_tool -t $table -L $g_ipt_options | $output_filter
fi
}
show_chains() {
echo "$g_product $SHOREWALL_VERSION $([ $# -gt 1 ] && echo "Chains " || echo "Chain ")$* at $g_hostname - $(date)"
echo
show_reset
for chain in $*; do
$g_tool -t $table -L $chain $g_ipt_options | $output_filter
echo
done
}
show_table() {
echo "$g_product $SHOREWALL_VERSION $table Table at $g_hostname - $(date)"
echo
show_reset
$g_tool -t $table -L $g_ipt_options | $output_filter
}
show_nat() {
echo "$g_product $SHOREWALL_VERSION NAT Table at $g_hostname - $(date)"
echo
show_reset
$g_tool -t nat -L $g_ipt_options | $output_filter
}
show_macros() {
for directory in $(split $CONFIG_PATH); do
temp=
for macro in ${directory}/macro.*; do
case $macro in
*\*)
;;
*)
if [ -z "$temp" ]; then
echo
echo "Macros in $directory:"
echo
temp=Yes
fi
show_macro
;;
esac
done
done
}
# #
# Show Command Executor # Show Command Executor
# #
@ -1084,31 +1157,28 @@ show_command() {
;; ;;
nat) nat)
[ $# -gt 1 ] && usage 1 [ $# -gt 1 ] && usage 1
echo "$g_product $SHOREWALL_VERSION NAT Table at $g_hostname - $(date)" eval show_nat $g_pager
echo
show_reset
$g_tool -t nat -L $g_ipt_options | $output_filter
;; ;;
raw) raw)
[ $# -gt 1 ] && usage 1 [ $# -gt 1 ] && usage 1
echo "$g_product $SHOREWALL_VERSION RAW Table at $g_hostname - $(date)" eval { echo "$g_product $SHOREWALL_VERSION RAW Table at $g_hostname - $(date)"
echo echo
show_reset show_reset
$g_tool -t raw -L $g_ipt_options | $output_filter $g_tool -t raw -L $g_ipt_options | $output_filter } $g_pager
;; ;;
rawpost) rawpost)
[ $# -gt 1 ] && usage 1 [ $# -gt 1 ] && usage 1
echo "$g_product $SHOREWALL_VERSION RAWPOST Table at $g_hostname - $(date)" eval { echo "$g_product $SHOREWALL_VERSION RAWPOST Table at $g_hostname - $(date)"
echo echo
show_reset show_reset
$g_tool -t rawpost -L $g_ipt_options | $output_filter $g_tool -t rawpost -L $g_ipt_options | $output_filter } $g_pager
;; ;;
tos|mangle) tos|mangle)
[ $# -gt 1 ] && usage 1 [ $# -gt 1 ] && usage 1
echo "$g_product $SHOREWALL_VERSION Mangle Table at $g_hostname - $(date)" eval { echo "$g_product $SHOREWALL_VERSION Mangle Table at $g_hostname - $(date)"
echo echo
show_reset show_reset
$g_tool -t mangle -L $g_ipt_options | $output_filter $g_tool -t mangle -L $g_ipt_options | $output_filter } $g_pager
;; ;;
log) log)
[ $# -gt 2 ] && usage 1 [ $# -gt 2 ] && usage 1
@ -1128,22 +1198,13 @@ show_command() {
;; ;;
tc) tc)
[ $# -gt 2 ] && usage 1 [ $# -gt 2 ] && usage 1
echo "$g_product $SHOREWALL_VERSION Traffic Control at $g_hostname - $(date)" eval show_tc $g_pager
echo
shift
if [ -z "$1" ]; then
$g_tool -t mangle -L -n -v | $output_filter
echo
fi
show_tc $1
;; ;;
classifiers|filters) classifiers|filters)
[ $# -gt 1 ] && usage 1 [ $# -gt 1 ] && usage 1
echo "$g_product $SHOREWALL_VERSION Classifiers at $g_hostname - $(date)" eval { echo "$g_product $SHOREWALL_VERSION Classifiers at $g_hostname - $(date)"
echo echo
show_classifiers show_classifiers } $g_pager
;; ;;
zones) zones)
[ $# -gt 1 ] && usage 1 [ $# -gt 1 ] && usage 1
@ -1173,22 +1234,22 @@ show_command() {
determine_capabilities determine_capabilities
VERBOSITY=2 VERBOSITY=2
if [ -n "$g_filemode" ]; then if [ -n "$g_filemode" ]; then
report_capabilities1 eval report_capabilities1 $g_pager
else else
report_capabilities eval report_capabilities $g_pager
fi fi
;; ;;
ip) ip)
[ $# -gt 1 ] && usage 1 [ $# -gt 1 ] && usage 1
echo "$g_product $SHOREWALL_VERSION IP at $g_hostname - $(date)" eval { echo "$g_product $SHOREWALL_VERSION IP at $g_hostname - $(date)"
echo echo
ip -$g_family addr list ip -$g_family addr list } $g_pager
;; ;;
routing) routing)
[ $# -gt 1 ] && usage 1 [ $# -gt 1 ] && usage 1
echo "$g_product $SHOREWALL_VERSION Routing at $g_hostname - $(date)" eval { echo "$g_product $SHOREWALL_VERSION Routing at $g_hostname - $(date)"
echo echo
show_routing show_routing } $g_pager
;; ;;
config) config)
. ${g_sharedir}/configpath . ${g_sharedir}/configpath
@ -1210,33 +1271,23 @@ show_command() {
;; ;;
chain) chain)
shift shift
echo "$g_product $SHOREWALL_VERSION $([ $# -gt 1 ] && echo "Chains " || [ $# -gt 0 ] && echo "Chain " || echo $table Table)$* at $g_hostname - $(date)" eval show_chain $@ $g_pager
echo
show_reset
if [ $# -gt 0 ]; then
for chain in $*; do
$g_tool -t $table -L $chain $g_ipt_options | $output_filter
echo
done
else
$g_tool -t $table -L $g_ipt_options | $output_filter
fi
;; ;;
vardir) vardir)
echo $VARDIR; echo $VARDIR;
;; ;;
policies) policies)
[ $# -gt 1 ] && usage 1 [ $# -gt 1 ] && usage 1
echo "$g_product $SHOREWALL_VERSION Policies at $g_hostname - $(date)" eval { echo "$g_product $SHOREWALL_VERSION Policies at $g_hostname - $(date)"
echo echo
[ -f ${VARDIR}/policies ] && cat ${VARDIR}/policies; [ -f ${VARDIR}/policies ] && cat ${VARDIR}/policies } $g_pager
;; ;;
ipa) ipa)
[ $g_family -eq 4 ] || usage 1 [ $g_family -eq 4 ] || usage 1
echo "$g_product $SHOREWALL_VERSION per-IP Accounting at $g_hostname - $(date)" eval { echo "$g_product $SHOREWALL_VERSION per-IP Accounting at $g_hostname - $(date)"
echo echo
[ $# -gt 1 ] && usage 1 [ $# -gt 1 ] && usage 1
perip_accounting perip_accounting } $g_pager
;; ;;
marks) marks)
[ $# -gt 1 ] && usage 1 [ $# -gt 1 ] && usage 1
@ -1246,17 +1297,17 @@ show_command() {
;; ;;
nfacct) nfacct)
[ $# -gt 1 ] && usage 1 [ $# -gt 1 ] && usage 1
echo "$g_product $SHOREWALL_VERSION NF Accounting at $g_hostname - $(date)" eval { echo "$g_product $SHOREWALL_VERSION NF Accounting at $g_hostname - $(date)"
echo echo
show_nfacct show_nfacct } $g_pager
;; ;;
arptables) arptables)
[ $# -gt 1 ] && usage 1 [ $# -gt 1 ] && usage 1
resolve_arptables resolve_arptables
if [ -n "$arptables" -a -x $arptables ]; then if [ -n "$arptables" -a -x $arptables ]; then
echo "$g_product $SHOREWALL_VERSION arptables at $g_hostname - $(date)" eval { echo "$g_product $SHOREWALL_VERSION arptables at $g_hostname - $(date)"
echo echo
$arptables -L -n -v $arptables -L -n -v } $g_pager
else else
error_message "Cannot locate the arptables executable" error_message "Cannot locate the arptables executable"
fi fi
@ -1270,9 +1321,9 @@ show_command() {
;; ;;
events) events)
[ $# -gt 1 ] && usage 1 [ $# -gt 1 ] && usage 1
echo "$g_product $SHOREWALL_VERSION events at $g_hostname - $(date)" eval { echo "$g_product $SHOREWALL_VERSION events at $g_hostname - $(date)"
echo echo
show_events show_events } $g_pager
;; ;;
bl|blacklists) bl|blacklists)
[ $# -gt 1 ] && usage 1 [ $# -gt 1 ] && usage 1
@ -1298,7 +1349,7 @@ show_command() {
case $1 in case $1 in
actions) actions)
[ $# -gt 1 ] && usage 1 [ $# -gt 1 ] && usage 1
show_actions | sort eval show_actions | sort $pager
return return
;; ;;
macro) macro)
@ -1315,25 +1366,7 @@ show_command() {
;; ;;
macros) macros)
[ $# -gt 1 ] && usage 1 [ $# -gt 1 ] && usage 1
eval show_macros $g_pager
for directory in $(split $CONFIG_PATH); do
temp=
for macro in ${directory}/macro.*; do
case $macro in
*\*)
;;
*)
if [ -z "$temp" ]; then
echo
echo "Macros in $directory:"
echo
temp=Yes
fi
show_macro
;;
esac
done
done
return return
;; ;;
esac esac
@ -1353,20 +1386,11 @@ show_command() {
error_message "ERROR: Chain '$chain' is not recognized by $g_tool." error_message "ERROR: Chain '$chain' is not recognized by $g_tool."
exit 1 exit 1
fi fi
done done
echo "$g_product $SHOREWALL_VERSION $([ $# -gt 1 ] && echo "Chains " || echo "Chain ")$* at $g_hostname - $(date)" eval show_chains $@ $g_pager
echo
show_reset
for chain in $*; do
$g_tool -t $table -L $chain $g_ipt_options | $output_filter
echo
done
else else
echo "$g_product $SHOREWALL_VERSION $table Table at $g_hostname - $(date)" eval show_table $g_pager
echo
show_reset
$g_tool -t $table -L $g_ipt_options | $output_filter
fi fi
;; ;;
esac esac
@ -1417,12 +1441,16 @@ dump_filter() {
;; ;;
esac esac
$command $filter eval $command $filter $g_pager
else else
cat - cat -
fi fi
} }
dump_filter_wrapper() {
eval dump_filter $g_pager
}
# #
# Dump Command Executor # Dump Command Executor
# #
@ -1633,14 +1661,14 @@ do_dump_command() {
if [ -n "$TC_ENABLED" ]; then if [ -n "$TC_ENABLED" ]; then
heading "Traffic Control" heading "Traffic Control"
show_tc show_tc1
heading "TC Filters" heading "TC Filters"
show_classifiers show_classifiers
fi fi
} }
dump_command() { dump_command() {
do_dump_command $@ | dump_filter do_dump_command $@ | dump_filter_wrapper
} }
# #
@ -4040,6 +4068,7 @@ shorewall_cli() {
g_counters= g_counters=
g_loopback= g_loopback=
g_compiled= g_compiled=
g_pager=
VERBOSE= VERBOSE=
VERBOSITY=1 VERBOSITY=1
@ -4194,6 +4223,19 @@ shorewall_cli() {
;; ;;
esac esac
if [ -t 1 ]; then
#
# Output is to a terminal -- use a pager on commands with verbose output
#
if qt mywhich less; then
g_pager='| less'
elif qt mywhich more; then
g_pager='| more'
else
g_pager=''
fi
fi
COMMAND=$1 COMMAND=$1
case "$COMMAND" in case "$COMMAND" in
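Review bot: In the `chain)` case, `eval show_chain $@ $g_pager` re-parses the user-supplied chain names as shell text, and the same holds for `eval show_chains $@ $g_pager` after the chain-existence loop; that loop only checks that `$g_tool` knows the chain, it does not neutralise shell metacharacters before eval sees them. Keep the arguments out of the string that eval parses: `eval 'show_chain "$@"' $g_pager` and `eval 'show_chains "$@"' $g_pager`, so `"$@"` is expanded as positional parameters at evaluation time rather than spliced into the command text. The `actions)` case pipes through `$pager` instead of `$g_pager`, so it is presumably never paged. `dump_filter` now appends `$g_pager` to `$command $filter` while `dump_filter_wrapper` wraps the whole of `dump_filter` in `$g_pager` again, so on a terminal the filtered dump passes through two pagers and the inner one looks redundant. show_command, dump_filter and shorewall_cli all start or end outside these hunks.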


@ -2,7 +2,7 @@
# #
# Script to back uninstall Shoreline Firewall # Script to back uninstall Shoreline Firewall
# #
# (c) 2000-2014 - Tom Eastep (teastep@shorewall.net) # (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
# #
# Shorewall documentation is available at http://www.shorewall.net # Shorewall documentation is available at http://www.shorewall.net
# #


@ -2,7 +2,7 @@
# #
# Script to install Shoreline Firewall Init # Script to install Shoreline Firewall Init
# #
# (c) 2000-20114 - Tom Eastep (teastep@shorewall.net) # (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
# (c) 2010 - Roberto C. Sanchez (roberto@connexer.com) # (c) 2010 - Roberto C. Sanchez (roberto@connexer.com)
# #
# Shorewall documentation is available at http://shorewall.net # Shorewall documentation is available at http://shorewall.net


@ -2,7 +2,7 @@
# #
# Script to back uninstall Shoreline Firewall # Script to back uninstall Shoreline Firewall
# #
# (c) 2000-2014 - Tom Eastep (teastep@shorewall.net) # (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
# #
# Shorewall documentation is available at http://shorewall.sourceforge.net # Shorewall documentation is available at http://shorewall.sourceforge.net
# #


@ -2,7 +2,7 @@
# #
# Script to install Shoreline Firewall Lite # Script to install Shoreline Firewall Lite
# #
# (c) 2000-2011,2014 - Tom Eastep (teastep@shorewall.net) # (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
# #
# Shorewall documentation is available at http://shorewall.net # Shorewall documentation is available at http://shorewall.net
# #


@ -2,7 +2,7 @@
# #
# Script to back uninstall Shoreline Firewall # Script to back uninstall Shoreline Firewall
# #
# (c) 2000-2011,2014 - Tom Eastep (teastep@shorewall.net) # (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
# #
# Shorewall documentation is available at http://shorewall.sourceforge.net # Shorewall documentation is available at http://shorewall.sourceforge.net
# #


@ -1,9 +1,9 @@
# #
# Shorewall - /usr/share/shorewall/macro.SNMPtrap # Shorewall - /usr/share/shorewall/macro.SNMPtrap
# #
# This macro handles SNMP traps. # This macro deprecated by SNMPtrap.
# #
############################################################################### ###############################################################################
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
PARAM - - udp 162 SNMPtrap


@ -0,0 +1,9 @@
#
# Shorewall - /usr/share/shorewall/macro.SNMPtrap
#
# This macro handles SNMP traps.
#
###############################################################################
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
PARAM - - udp 162


@ -264,6 +264,7 @@ our %EXPORT_TAGS = (
have_address_variables have_address_variables
set_global_variables set_global_variables
save_dynamic_chains save_dynamic_chains
save_docker_rules
load_ipsets load_ipsets
create_save_ipsets create_save_ipsets
validate_nfobject validate_nfobject
@ -1525,8 +1526,7 @@ sub create_irule( $$$;@ ) {
} }
# #
# Clone an existing rule. Only the rule hash itself is cloned; reference values are shared between the new rule # Clone an existing rule.
# reference and the old.
# #
sub clone_irule( $ ) { sub clone_irule( $ ) {
my $oldruleref = $_[0]; my $oldruleref = $_[0];
@ -2989,11 +2989,31 @@ sub initialize_chain_table($) {
} }
} }
my $chainref;
if ( $full ) { if ( $full ) {
# #
# Create this chain early in case it is needed by Policy actions # Create this chain early in case it is needed by Policy actions
# #
new_standard_chain 'reject'; new_standard_chain 'reject';
if ( $config{DOCKER} ) {
$chainref = new_nat_chain( $globals{POSTROUTING} = 'SHOREWALL' );
set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
}
}
if ( my $docker = $config{DOCKER} ) {
add_commands( $nat_table->{POSTROUTING}, '[ -f ${VARDIR}/.nat_POSTROUTING ] && cat ${VARDIR}/.nat_POSTROUTING >&3' );
$chainref = new_standard_chain( 'DOCKER' );
set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER ] && cat ${VARDIR}/.filter_DOCKER >&3' );
$chainref = new_nat_chain( 'DOCKER' );
set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
add_commands( $chainref, '[ -f ${VARDIR}/.nat_DOCKER ] && cat ${VARDIR}/.nat_DOCKER >&3' );
$chainref = new_standard_chain( 'DOCKER-ISOLATION' );
set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION >&3' );
} }
my $ruleref = transform_rule( $globals{LOGLIMIT} ); my $ruleref = transform_rule( $globals{LOGLIMIT} );
@ -8043,6 +8063,32 @@ sub emitr1( $$ ) {
# #
# Emit code to save the dynamic chains to hidden files in ${VARDIR} # Emit code to save the dynamic chains to hidden files in ${VARDIR}
# #
sub save_docker_rules($) {
my $tool = $_[0];
emit( qq(if [ -n "\$g_docker" ]; then),
qq( $tool -t nat -S DOCKER | tail -n +2 > \$VARDIR/.nat_DOCKER),
qq( $tool -t nat -S POSTROUTING | tail -n +2 | fgrep -v SHOREWALL > \$VARDIR/.nat_POSTROUTING),
qq( $tool -t filter -S DOCKER | tail -n +2 > \$VARDIR/.filter_DOCKER),
qq( [ -n "\$g_dockernetwork" ] && $tool -t filter -S DOCKER-ISOLATION | tail -n +2 > \$VARDIR/.filter_DOCKER-ISOLATION)
);
if ( known_interface( 'docker0' ) ) {
emit( qq( $tool -t filter -S FORWARD | grep '^-A FORWARD.*[io] br-[a-z0-9]\\{12\\}' > \$VARDIR/.filter_FORWARD) );
} else {
emit( qq( $tool -t filter -S FORWARD | egrep '^-A FORWARD.*[io] (docker0|br-[a-z0-9]{12})' > \$VARDIR/.filter_FORWARD) );
}
emit( qq( [ -s \$VARDIR/.filter_FORWARD ] || rm -f \$VARDIR/.filter_FORWARD),
qq(else),
qq( rm -f \$VARDIR/.nat_DOCKER),
qq( rm -f \$VARDIR/.nat_POSTROUTING),
qq( rm -f \$VARDIR/.filter_DOCKER),
qq( rm -f \$VARDIR/.filter_DOCKER-ISOLATION),
qq( rm -f \$VARDIR/.filter_FORWARD),
qq(fi)
)
}
sub save_dynamic_chains() { sub save_dynamic_chains() {
@ -8077,25 +8123,23 @@ else
rm -f \${VARDIR}/.dynamic rm -f \${VARDIR}/.dynamic
fi fi
EOF EOF
emit(''), save_docker_rules( $tool ) if $config{DOCKER};
} else { } else {
$tool = $family == F_IPV4 ? '${IPTABLES}-save' : '${IP6TABLES}-save';
emit <<"EOF"; emit <<"EOF";
if chain_exists 'UPnP -t nat'; then if chain_exists 'UPnP -t nat'; then
$tool -t nat | grep '^-A UPnP ' > \${VARDIR}/.UPnP $utility -t nat | grep '^-A UPnP ' > \${VARDIR}/.UPnP
else else
rm -f \${VARDIR}/.UPnP rm -f \${VARDIR}/.UPnP
fi fi
if chain_exists forwardUPnP; then if chain_exists forwardUPnP; then
$tool -t filter | grep '^-A forwardUPnP ' > \${VARDIR}/.forwardUPnP $utility -t filter | grep '^-A forwardUPnP ' > \${VARDIR}/.forwardUPnP
else else
rm -f \${VARDIR}/.forwardUPnP rm -f \${VARDIR}/.forwardUPnP
fi fi
if chain_exists dynamic; then if chain_exists dynamic; then
$tool -t filter | grep '^-A dynamic ' > \${VARDIR}/.dynamic $utility -t filter | grep '^-A dynamic ' > \${VARDIR}/.dynamic
else else
rm -f \${VARDIR}/.dynamic rm -f \${VARDIR}/.dynamic
fi fi
@ -8115,10 +8159,11 @@ EOF
emit( qq(if [ "\$COMMAND" = stop -o "\$COMMAND" = clear ]; then), emit( qq(if [ "\$COMMAND" = stop -o "\$COMMAND" = clear ]; then),
qq( if chain_exists dynamic; then), qq( if chain_exists dynamic; then),
qq( $tool -S dynamic | tail -n +2 > \${VARDIR}/.dynamic) ); qq( $tool -S dynamic | tail -n +2 > \${VARDIR}/.dynamic) );
emit( '' ), save_docker_rules( $tool ) if $config{DOCKER};
} else { } else {
emit( qq(if [ "\$COMMAND" = stop -o "\$COMMAND" = clear ]; then), emit( qq(if [ "\$COMMAND" = stop -o "\$COMMAND" = clear ]; then),
qq( if chain_exists dynamic; then), qq( if chain_exists dynamic; then),
qq( $tool -t filter | grep '^-A dynamic ' > \${VARDIR}/.dynamic) ); qq( $utility -t filter | grep '^-A dynamic ' > \${VARDIR}/.dynamic) );
} }
emit <<"EOF"; emit <<"EOF";
@ -8421,7 +8466,7 @@ sub create_netfilter_load( $ ) {
my @chains; my @chains;
# #
# iptables-restore seems to be quite picky about the order of the builtin chains # Iptables-restore seems to be quite picky about the order of the builtin chains
# #
for my $chain ( @builtins ) { for my $chain ( @builtins ) {
my $chainref = $chain_table{$table}{$chain}; my $chainref = $chain_table{$table}{$chain};
@ -8437,8 +8482,25 @@ sub create_netfilter_load( $ ) {
for my $chain ( grep $chain_table{$table}{$_}->{referenced} , ( sort keys %{$chain_table{$table}} ) ) { for my $chain ( grep $chain_table{$table}{$_}->{referenced} , ( sort keys %{$chain_table{$table}} ) ) {
my $chainref = $chain_table{$table}{$chain}; my $chainref = $chain_table{$table}{$chain};
unless ( $chainref->{builtin} ) { unless ( $chainref->{builtin} ) {
assert( $chainref->{cmdlevel} == 0 , $chainref->{name} ); my $name = $chainref->{name};
emit_unindented ":$chainref->{name} - [0:0]"; assert( $chainref->{cmdlevel} == 0 , $name );
if ( $name =~ /^DOCKER/ ) {
if ( $name eq 'DOCKER' ) {
enter_cmd_mode;
emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
enter_cat_mode;
} elsif ( $name eq 'DOCKER-ISOLATION' ) {
enter_cmd_mode;
emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
enter_cat_mode;
} else {
emit_unindented ":$name - [0:0]";
}
} else {
emit_unindented ":$name - [0:0]";
}
push @chains, $chainref; push @chains, $chainref;
} }
} }
@ -8524,8 +8586,24 @@ sub preview_netfilter_load() {
for my $chain ( grep $chain_table{$table}{$_}->{referenced} , ( sort keys %{$chain_table{$table}} ) ) { for my $chain ( grep $chain_table{$table}{$_}->{referenced} , ( sort keys %{$chain_table{$table}} ) ) {
my $chainref = $chain_table{$table}{$chain}; my $chainref = $chain_table{$table}{$chain};
unless ( $chainref->{builtin} ) { unless ( $chainref->{builtin} ) {
assert( $chainref->{cmdlevel} == 0, $chainref->{name} ); my $name = $chainref->{name};
print ":$chainref->{name} - [0:0]\n"; assert( $chainref->{cmdlevel} == 0 , $name );
if ( $name =~ /^DOCKER/ ) {
if ( $name eq 'DOCKER' ) {
enter_cmd_mode;
emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
enter_cat_mode;
} elsif ( $name eq 'DOCKER-ISOLATION' ) {
enter_cmd_mode;
emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
enter_cat_mode;
} else {
emit_unindented ":$name - [0:0]";
}
} else {
emit_unindented ":$name - [0:0]";
}
push @chains, $chainref; push @chains, $chainref;
} }
} }
@ -8710,13 +8788,11 @@ sub create_stop_load( $ ) {
emit ''; emit '';
emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY, save_progress_message "Preparing $utility input...";
'',
'progress_message2 "Running $command..."',
'',
'$command <<__EOF__' );
$mode = CAT_MODE; emit "exec 3>\${VARDIR}/.${utility}-stop-input";
enter_cat_mode;
unless ( $test ) { unless ( $test ) {
my $date = localtime; my $date = localtime;
@ -8746,8 +8822,24 @@ sub create_stop_load( $ ) {
for my $chain ( grep $chain_table{$table}{$_}->{referenced} , ( sort keys %{$chain_table{$table}} ) ) { for my $chain ( grep $chain_table{$table}{$_}->{referenced} , ( sort keys %{$chain_table{$table}} ) ) {
my $chainref = $chain_table{$table}{$chain}; my $chainref = $chain_table{$table}{$chain};
unless ( $chainref->{builtin} ) { unless ( $chainref->{builtin} ) {
assert( $chainref->{cmdlevel} == 0 , $chainref->{name} ); my $name = $chainref->{name};
emit_unindented ":$chainref->{name} - [0:0]"; assert( $chainref->{cmdlevel} == 0 , $name );
if ( $name =~ /^DOCKER/ ) {
if ( $name eq 'DOCKER' ) {
enter_cmd_mode;
emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
enter_cat_mode;
} elsif ( $name eq 'DOCKER-ISOLATION' ) {
enter_cmd_mode;
emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
enter_cat_mode;
} else {
emit_unindented ":$name - [0:0]";
}
} else {
emit_unindented ":$name - [0:0]";
}
push @chains, $chainref; push @chains, $chainref;
} }
} }
@ -8760,10 +8852,19 @@ sub create_stop_load( $ ) {
# #
# Commit the changes to the table # Commit the changes to the table
# #
enter_cat_mode unless $mode == CAT_MODE;
emit_unindented 'COMMIT'; emit_unindented 'COMMIT';
} }
emit_unindented '__EOF__'; enter_cmd_mode;
emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY );
emit( '',
'progress_message2 "Running $command..."',
'',
"cat \${VARDIR}/.${utility}-stop-input | \$command # Use this nonsensical form to appease SELinux",
);
# #
# Test result # Test result
# #
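Review bot: The DOCKER/DOCKER-ISOLATION chain-declaration block (`if ( $name =~ /^DOCKER/ ) { … }` with its enter_cmd_mode/emit/enter_cat_mode branches) is pasted verbatim into create_netfilter_load, preview_netfilter_load and create_stop_load; extract it into one helper such as `emit_chain_declaration( $name );` called from all three sites so the guards on `$g_docker` and `$g_dockernetwork` cannot drift apart. In preview_netfilter_load the replaced line used `print ":$chainref->{name} - [0:0]\n"` while the new lines call `emit`/`emit_unindented` — if preview output is still meant for STDOUT rather than the script being generated, confirm that these calls reach the right handle. In create_stop_load the ruleset is now written through `exec 3>${VARDIR}/.${utility}-stop-input` and replayed with `cat … | $command`, but nothing in the visible lines closes descriptor 3 or removes the file afterwards; a short comment stating where that happens would help the next reader. All three subs start and end outside these hunks.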


@ -261,7 +261,15 @@ sub generate_script_2() {
'# The library requires that ${VARDIR} exist', '# The library requires that ${VARDIR} exist',
'#', '#',
'[ -d ${VARDIR} ] || mkdir -p ${VARDIR}' '[ -d ${VARDIR} ] || mkdir -p ${VARDIR}'
); );
if ( $config{DOCKER} ) {
emit( '',
'chain_exists DOCKER nat && chain_exists DOCKER && g_docker=Yes',
);
emit( 'chain_exists DOCKER-ISOLATION && g_dockernetwork=Yes]' );
emit( '' );
}
pop_indent; pop_indent;
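Review bot: The emitted line `chain_exists DOCKER-ISOLATION && g_dockernetwork=Yes]` carries a stray `]`, so the generated script assigns `Yes]` to g_dockernetwork; the `-n` tests elsewhere still pass, but the value is wrong and misleading to anyone inspecting it. Change it to `emit( 'chain_exists DOCKER-ISOLATION && g_dockernetwork=Yes' );`. It would also read more consistently as a second element of the preceding `emit( '', … )` call rather than a separate emit. generate_script_2 starts and ends outside this hunk.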


@ -736,6 +736,7 @@ sub initialize( $;$$) {
RPFILTER_LOG_TAG => '', RPFILTER_LOG_TAG => '',
INVALID_LOG_TAG => '', INVALID_LOG_TAG => '',
UNTRACKED_LOG_TAG => '', UNTRACKED_LOG_TAG => '',
POSTROUTING => 'POSTROUTING',
); );
# #
# From shorewall.conf file # From shorewall.conf file
@ -874,6 +875,7 @@ sub initialize( $;$$) {
WORKAROUNDS => undef , WORKAROUNDS => undef ,
LEGACY_RESTART => undef , LEGACY_RESTART => undef ,
RESTART => undef , RESTART => undef ,
DOCKER => undef ,
# #
# Packet Disposition # Packet Disposition
# #
@ -5857,6 +5859,13 @@ sub get_configuration( $$$$ ) {
default_yes_no 'INLINE_MATCHES' , ''; default_yes_no 'INLINE_MATCHES' , '';
default_yes_no 'BASIC_FILTERS' , ''; default_yes_no 'BASIC_FILTERS' , '';
default_yes_no 'WORKAROUNDS' , 'Yes'; default_yes_no 'WORKAROUNDS' , 'Yes';
default_yes_no 'DOCKER' , '';
if ( $config{DOCKER} ) {
fatal_error "DOCKER=Yes is not allowed in Shorewall6" if $family == F_IPV6;
require_capability( 'IPTABLES_S', 'DOCKER=Yes', 's' );
require_capability( 'ADDRTYPE', ' DOCKER=Yes', 's' );
}
if ( supplied( $val = $config{RESTART} ) ) { if ( supplied( $val = $config{RESTART} ) ) {
fatal_error "Invalid value for RESTART ($val)" unless $val =~ /^(restart|reload)$/; fatal_error "Invalid value for RESTART ($val)" unless $val =~ /^(restart|reload)$/;
@ -6429,7 +6438,7 @@ sub generate_aux_config() {
if ( -f $fn ) { if ( -f $fn ) {
emit( '', emit( '',
'dump_filter() {' ); 'dump_filter1() {' );
push_indent; push_indent;
append_file( $fn,1 ) or emit 'cat -'; append_file( $fn,1 ) or emit 'cat -';
pop_indent; pop_indent;
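Review bot: `require_capability( 'ADDRTYPE', ' DOCKER=Yes', 's' )` passes the feature name with a leading space, unlike the IPTABLES_S call on the line above, so the capability error text presumably ends up with a doubled space; use `require_capability( 'ADDRTYPE', 'DOCKER=Yes', 's' );`. The aux-config generator now emits `dump_filter1() {` instead of `dump_filter() {`, but nothing visible here calls dump_filter1 — the lib.cli hunks in this commit reference only dump_filter and dump_filter_wrapper — so confirm the caller of dump_filter1 exists elsewhere. get_configuration and generate_aux_config start and end outside these hunks.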


@ -628,6 +628,22 @@ sub process_stoppedrules() {
$result; $result;
} }
sub create_docker_rules() {
add_commands( $nat_table->{PREROUTING} , '[ -n "$g_docker" ] && echo "-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER" >&3' );
add_commands( $nat_table->{OUTPUT} , '[ -n "$g_docker" ] && echo "-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER" >&3' );
my $chainref = $filter_table->{FORWARD};
add_commands( $chainref, '[ -n "$g_dockernetwork" ] && echo "-A FORWARD -j DOCKER-ISOLATION" >&3', );
if ( known_interface('docker0') ) {
add_commands( $filter_table->{FORWARD}, '[ -n "$g_docker" ] && echo "-A FORWARD -o docker0 -j DOCKER" >&3' );
}
add_commands( $chainref, '[ -f $VARDIR/.filter_FORWARD ] && cat $VARDIR/.filter_FORWARD >&3', );
}
sub setup_mss(); sub setup_mss();
sub add_common_rules ( $ ) { sub add_common_rules ( $ ) {
@ -646,6 +662,10 @@ sub add_common_rules ( $ ) {
my $level = $config{BLACKLIST_LOG_LEVEL}; my $level = $config{BLACKLIST_LOG_LEVEL};
my $tag = $globals{BLACKLIST_LOG_TAG}; my $tag = $globals{BLACKLIST_LOG_TAG};
my $rejectref = $filter_table->{reject}; my $rejectref = $filter_table->{reject};
#
# Insure that Docker jumps are early in the builtin chains
#
create_docker_rules if $config{DOCKER};
if ( $config{DYNAMIC_BLACKLIST} ) { if ( $config{DYNAMIC_BLACKLIST} ) {
add_rule_pair( set_optflags( new_standard_chain( 'logdrop' ) , DONT_OPTIMIZE | DONT_DELETE ), '' , 'DROP' , $level , $tag); add_rule_pair( set_optflags( new_standard_chain( 'logdrop' ) , DONT_OPTIMIZE | DONT_DELETE ), '' , 'DROP' , $level , $tag);
@ -1508,13 +1528,15 @@ sub add_interface_jumps {
# Add Nat jumps # Add Nat jumps
# #
for my $interface ( @_ ) { for my $interface ( @_ ) {
addnatjump 'POSTROUTING' , snat_chain( $interface ), imatch_dest_dev( $interface ); addnatjump $globals{POSTROUTING} , snat_chain( $interface ), imatch_dest_dev( $interface );
} }
addnatjump( 'POSTROUTING', 'SHOREWALL' ) if $config{DOCKER};
for my $interface ( @interfaces ) { for my $interface ( @interfaces ) {
addnatjump 'PREROUTING' , input_chain( $interface ) , imatch_source_dev( $interface ); addnatjump 'PREROUTING' , input_chain( $interface ) , imatch_source_dev( $interface );
addnatjump 'POSTROUTING' , output_chain( $interface ) , imatch_dest_dev( $interface ); addnatjump $globals{POSTROUTING} , output_chain( $interface ) , imatch_dest_dev( $interface );
addnatjump 'POSTROUTING' , masq_chain( $interface ) , imatch_dest_dev( $interface ); addnatjump $globals{POSTROUTING} , masq_chain( $interface ) , imatch_dest_dev( $interface );
if ( have_capability 'RAWPOST_TABLE' ) { if ( have_capability 'RAWPOST_TABLE' ) {
insert_ijump ( $rawpost_table->{POSTROUTING}, j => postrouting_chain( $interface ), 0, imatch_dest_dev( $interface) ) if $rawpost_table->{postrouting_chain $interface}; insert_ijump ( $rawpost_table->{POSTROUTING}, j => postrouting_chain( $interface ), 0, imatch_dest_dev( $interface) ) if $rawpost_table->{postrouting_chain $interface};
@ -2246,8 +2268,8 @@ sub generate_matrix() {
# #
# Make sure that the 1:1 NAT jumps are last in PREROUTING # Make sure that the 1:1 NAT jumps are last in PREROUTING
# #
addnatjump 'PREROUTING' , 'nat_in'; addnatjump 'PREROUTING' , 'nat_in';
addnatjump 'POSTROUTING' , 'nat_out'; addnatjump $globals{POSTROUTING} , 'nat_out';
add_interface_jumps @interfaces unless $interface_jumps_added; add_interface_jumps @interfaces unless $interface_jumps_added;
@ -2455,6 +2477,16 @@ EOF
EOF EOF
if ( $config{DOCKER} ) {
push_indent;
emit( 'if [ $COMMAND = stop ]; then' );
push_indent;
save_docker_rules( $family == F_IPV4 ? '${IPTABLES}' : '${IP6TABLES}');
pop_indent;
emit( "fi\n");
pop_indent;
}
if ( have_capability( 'NAT_ENABLED' ) ) { if ( have_capability( 'NAT_ENABLED' ) ) {
emit<<'EOF'; emit<<'EOF';
if [ -f ${VARDIR}/nat ]; then if [ -f ${VARDIR}/nat ]; then
@ -2504,6 +2536,10 @@ EOF
emit( 'undo_routing', emit( 'undo_routing',
"restore_default_route $config{USE_DEFAULT_RT}" "restore_default_route $config{USE_DEFAULT_RT}"
); );
#
# Insure that Docker jumps are early in the builtin chains
#
create_docker_rules if $config{DOCKER};
if ( $config{ADMINISABSENTMINDED} ) { if ( $config{ADMINISABSENTMINDED} ) {
add_ijump $filter_table ->{$_}, j => 'ACCEPT', state_imatch 'ESTABLISHED,RELATED' for qw/INPUT FORWARD/; add_ijump $filter_table ->{$_}, j => 'ACCEPT', state_imatch 'ESTABLISHED,RELATED' for qw/INPUT FORWARD/;
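Review bot: In the hunk after the `EOF` heredoc, the emitted guard `if [ $COMMAND = stop ]; then` saves the Docker rules only on stop, whereas the parallel code in Chains.pm's save_dynamic_chains runs under `"$COMMAND" = stop -o "$COMMAND" = clear`; if this script path is also taken on clear, Docker's chains are not preserved then, and `$COMMAND` should be quoted as in that other guard either way. In create_docker_rules, `$chainref` is taken from `$filter_table->{FORWARD}` but the docker0 branch looks the table up again; using `$chainref` there keeps the add_commands calls uniform, and `$VARDIR/.filter_FORWARD` could use the `${VARDIR}` spelling used by the other emitted commands. The subs enclosing the later hunks start and end outside them.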


@ -481,17 +481,22 @@ sub process_a_provider( $ ) {
$interface = $interfaceref->{name} unless $interfaceref->{wildcard}; $interface = $interfaceref->{name} unless $interfaceref->{wildcard};
} }
my $gatewaycase = '';
if ( $physical =~ /\+$/ ) { if ( $physical =~ /\+$/ ) {
return 0 if $pseudo; return 0 if $pseudo;
fatal_error "Wildcard interfaces ($physical) may not be used as provider interfaces"; fatal_error "Wildcard interfaces ($physical) may not be used as provider interfaces";
} }
if ( $gateway eq 'detect' ) { my $gatewaycase = '';
my $gw;
if ( ( $gw = lc $gateway ) eq 'detect' ) {
fatal_error "Configuring multiple providers through one interface requires an explicit gateway" if $shared; fatal_error "Configuring multiple providers through one interface requires an explicit gateway" if $shared;
$gateway = get_interface_gateway $interface; $gateway = get_interface_gateway $interface;
$gatewaycase = 'detect'; $gatewaycase = 'detect';
} elsif ( $gw eq 'none' ) {
fatal_error "Configuring multiple providers through one interface requires a gateway" if $shared;
$gatewaycase = 'none';
$gateway = '';
} elsif ( $gateway && $gateway ne '-' ) { } elsif ( $gateway && $gateway ne '-' ) {
( $gateway, $mac ) = split_host_list( $gateway, 0 ); ( $gateway, $mac ) = split_host_list( $gateway, 0 );
validate_address $gateway, 0; validate_address $gateway, 0;
@ -506,7 +511,7 @@ sub process_a_provider( $ ) {
$gatewaycase = 'specified'; $gatewaycase = 'specified';
} else { } else {
$gatewaycase = 'none'; $gatewaycase = 'omitted';
fatal_error "Configuring multiple providers through one interface requires a gateway" if $shared; fatal_error "Configuring multiple providers through one interface requires a gateway" if $shared;
$gateway = ''; $gateway = '';
} }
@ -529,10 +534,12 @@ sub process_a_provider( $ ) {
} elsif ( $option eq 'notrack' ) { } elsif ( $option eq 'notrack' ) {
$track = 0; $track = 0;
} elsif ( $option =~ /^balance=(\d+)$/ ) { } elsif ( $option =~ /^balance=(\d+)$/ ) {
fatal_error q('balance' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
fatal_error q('balance=<weight>' is not available in IPv6) if $family == F_IPV6; fatal_error q('balance=<weight>' is not available in IPv6) if $family == F_IPV6;
fatal_error 'The balance setting must be non-zero' unless $1; fatal_error 'The balance setting must be non-zero' unless $1;
$balance = $1; $balance = $1;
} elsif ( $option eq 'balance' || $option eq 'primary') { } elsif ( $option eq 'balance' || $option eq 'primary') {
fatal_error qq('$option' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
$balance = 1; $balance = 1;
} elsif ( $option eq 'loose' ) { } elsif ( $option eq 'loose' ) {
$loose = 1; $loose = 1;
@ -550,11 +557,13 @@ sub process_a_provider( $ ) {
} elsif ( $option =~ /^mtu=(\d+)$/ ) { } elsif ( $option =~ /^mtu=(\d+)$/ ) {
$mtu = "mtu $1 "; $mtu = "mtu $1 ";
} elsif ( $option =~ /^fallback=(\d+)$/ ) { } elsif ( $option =~ /^fallback=(\d+)$/ ) {
fatal_error q('fallback' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
fatal_error q('fallback=<weight>' is not available in IPv6) if $family == F_IPV6; fatal_error q('fallback=<weight>' is not available in IPv6) if $family == F_IPV6;
$default = $1; $default = $1;
$default_balance = 0; $default_balance = 0;
fatal_error 'fallback must be non-zero' unless $default; fatal_error 'fallback must be non-zero' unless $default;
} elsif ( $option eq 'fallback' ) { } elsif ( $option eq 'fallback' ) {
fatal_error q('fallback' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
$default = -1; $default = -1;
$default_balance = 0; $default_balance = 0;
} elsif ( $option eq 'local' ) { } elsif ( $option eq 'local' ) {
@ -567,6 +576,7 @@ sub process_a_provider( $ ) {
$track = 0 if $config{TRACK_PROVIDERS}; $track = 0 if $config{TRACK_PROVIDERS};
$default_balance = 0 if $config{USE_DEFAULT_RT}; $default_balance = 0 if $config{USE_DEFAULT_RT};
} elsif ( $option =~ /^load=(0?\.\d{1,8})/ ) { } elsif ( $option =~ /^load=(0?\.\d{1,8})/ ) {
fatal_error q('fallback' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
$load = sprintf "%1.8f", $1; $load = sprintf "%1.8f", $1;
require_capability 'STATISTIC_MATCH', "load=$1", 's'; require_capability 'STATISTIC_MATCH', "load=$1", 's';
} elsif ( $option eq 'autosrc' ) { } elsif ( $option eq 'autosrc' ) {
@ -596,13 +606,13 @@ sub process_a_provider( $ ) {
fatal_error "A provider interface must have at least one associated zone" unless $tproxy || %{interface_zones($interface)}; fatal_error "A provider interface must have at least one associated zone" unless $tproxy || %{interface_zones($interface)};
if ( $local ) { if ( $local ) {
fatal_error "GATEWAY not valid with 'local' provider" unless $gatewaycase eq 'none'; fatal_error "GATEWAY not valid with 'local' provider" unless $gatewaycase eq 'omitted';
fatal_error "'track' not valid with 'local'" if $track; fatal_error "'track' not valid with 'local'" if $track;
fatal_error "DUPLICATE not valid with 'local'" if $duplicate ne '-'; fatal_error "DUPLICATE not valid with 'local'" if $duplicate ne '-';
fatal_error "'persistent' is not valid with 'local" if $persistent; fatal_error "'persistent' is not valid with 'local" if $persistent;
} elsif ( $tproxy ) { } elsif ( $tproxy ) {
fatal_error "Only one 'tproxy' provider is allowed" if $tproxies++; fatal_error "Only one 'tproxy' provider is allowed" if $tproxies++;
fatal_error "GATEWAY not valid with 'tproxy' provider" unless $gatewaycase eq 'none'; fatal_error "GATEWAY not valid with 'tproxy' provider" unless $gatewaycase eq 'omitted';
fatal_error "'track' not valid with 'tproxy'" if $track; fatal_error "'track' not valid with 'tproxy'" if $track;
fatal_error "DUPLICATE not valid with 'tproxy'" if $duplicate ne '-'; fatal_error "DUPLICATE not valid with 'tproxy'" if $duplicate ne '-';
fatal_error "MARK not allowed with 'tproxy'" if $mark ne '-'; fatal_error "MARK not allowed with 'tproxy'" if $mark ne '-';
@ -649,7 +659,7 @@ sub process_a_provider( $ ) {
warning_message q(The 'proxyndp' option is dangerous when specified on a Provider interface) if get_interface_option( $interface, 'proxyndp' ); warning_message q(The 'proxyndp' option is dangerous when specified on a Provider interface) if get_interface_option( $interface, 'proxyndp' );
} }
$balance = $default_balance unless $balance; $balance = $default_balance unless $balance || $gatewaycase eq 'none';
fatal_error "Interface $interface is already associated with non-shared provider $provider_interfaces{$interface}" if $provider_interfaces{$interface}; fatal_error "Interface $interface is already associated with non-shared provider $provider_interfaces{$interface}" if $provider_interfaces{$interface};
@ -789,7 +799,7 @@ sub add_a_provider( $$ ) {
push_indent; push_indent;
if ( $gatewaycase eq 'none' ) { if ( $gatewaycase eq 'omitted' ) {
if ( $tproxy ) { if ( $tproxy ) {
emit 'run_ip route add local ' . ALLIP . " dev $physical table $id"; emit 'run_ip route add local ' . ALLIP . " dev $physical table $id";
} else { } else {
@ -867,7 +877,7 @@ sub add_a_provider( $$ ) {
} }
$provider_interfaces{$interface} = $table; $provider_interfaces{$interface} = $table;
if ( $gatewaycase eq 'none' ) { if ( $gatewaycase eq 'omitted' ) {
if ( $tproxy ) { if ( $tproxy ) {
emit 'run_ip route add local ' . ALLIP . " dev $physical table $id"; emit 'run_ip route add local ' . ALLIP . " dev $physical table $id";
} else { } else {
@ -907,7 +917,7 @@ CEOF
emit ( "run_ip rule add fwmark ${hexmark}${mask} pref $pref table $id", emit ( "run_ip rule add fwmark ${hexmark}${mask} pref $pref table $id",
"echo \"\$IP -$family rule del fwmark ${hexmark}${mask} > /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing" "echo \"\$IP -$family rule del fwmark ${hexmark}${mask} > /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing"
); );
} }
if ( $duplicate ne '-' ) { if ( $duplicate ne '-' ) {


@ -1178,12 +1178,11 @@ sub finish_section ( $ ) {
# #
# Internally, action invocations are uniquely identified by a 5-tuple that # Internally, action invocations are uniquely identified by a 5-tuple that
# includes the action name, log level, log tag, calling chain and params. # includes the action name, log level, log tag, calling chain and params.
# The pieces of the tuple are separated by ":". # The pieces of the tuple are separated by ":". The calling chain is non-empty
# only when the action refers to @CALLER.
# #
sub normalize_action( $$$ ) { sub normalize_action( $$$ ) {
my $action = shift; my ( $action, $level, $param ) = @_;
my $level = shift;
my $param = shift;
my $caller = ''; #We assume that the function doesn't use @CALLER my $caller = ''; #We assume that the function doesn't use @CALLER
( $level, my $tag ) = split ':', $level; ( $level, my $tag ) = split ':', $level;


@ -499,6 +499,25 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
}, },
}, },
ECN => {
defaultchain => POSTROUTING,
allowedchains => ALLCHAINS,
minparams => 0,
maxparams => 0,
function => sub() {
fatal_error "The ECN target is only available with IPv4" if $family == F_IPV6;
if ( $proto eq '-' ) {
$proto = TCP;
} else {
$proto = resolve_proto( $proto ) || 0;
fatal_error "Only PROTO tcp (6) is allowed with the ECN action" unless $proto == TCP;
}
$target = 'ECN --ecn-tcp-remove';
}
},
HL => { HL => {
defaultchain => FORWARD, defaultchain => FORWARD,
allowedchains => PREROUTING | FORWARD, allowedchains => PREROUTING | FORWARD,
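Review bot: The new ECN entry emits `ECN --ecn-tcp-remove` without any capability check, whereas the `load=` option in the Providers hunk above guards its match with `require_capability 'STATISTIC_MATCH'`; if the compiler tracks availability of this target, a `require_capability` call at the top of the `function` sub would turn a runtime iptables failure during `start` into a compile-time error. The `$proto = resolve_proto( $proto ) || 0` fallback also folds an unknown protocol name into the same "Only PROTO tcp (6) is allowed" message, so a typo in PROTO is reported as a wrong protocol rather than an unresolvable one; reporting the unresolved value before the TCP comparison (assuming resolve_proto returns a false value for unknown names) would make the diagnostic accurate. A one-line comment on the entry, `# Clear the ECN bits in the TCP header (iptables ECN target); IPv4 and TCP only`, would match the intent documented in the manpage hunk below. process_mangle_rule1 starts and ends outside the hunk.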


@ -1,4 +1,4 @@
# (c) 1999-2015 - Tom Eastep (teastep@shorewall.net) # (c) 1999-2016 - Tom Eastep (teastep@shorewall.net)
# #
# This program is part of Shorewall. # This program is part of Shorewall.
# #


@ -125,6 +125,8 @@ g_sha1sum2=
g_counters= g_counters=
g_compiled= g_compiled=
g_file= g_file=
g_docker=
g_dockernetwork=
initialize initialize


@ -146,6 +146,8 @@ DEFER_DNS_RESOLUTION=Yes
DISABLE_IPV6=No DISABLE_IPV6=No
DOCKER=No
DELETE_THEN_ADD=Yes DELETE_THEN_ADD=Yes
DETECT_DNAT_IPADDRS=No DETECT_DNAT_IPADDRS=No


@ -157,6 +157,8 @@ DEFER_DNS_RESOLUTION=Yes
DISABLE_IPV6=No DISABLE_IPV6=No
DOCKER=No
DELETE_THEN_ADD=Yes DELETE_THEN_ADD=Yes
DETECT_DNAT_IPADDRS=No DETECT_DNAT_IPADDRS=No


@ -154,6 +154,8 @@ DEFER_DNS_RESOLUTION=Yes
DISABLE_IPV6=No DISABLE_IPV6=No
DOCKER=No
DELETE_THEN_ADD=Yes DELETE_THEN_ADD=Yes
DETECT_DNAT_IPADDRS=No DETECT_DNAT_IPADDRS=No


@ -157,6 +157,8 @@ DEFER_DNS_RESOLUTION=Yes
DISABLE_IPV6=No DISABLE_IPV6=No
DOCKER=No
DELETE_THEN_ADD=Yes DELETE_THEN_ADD=Yes
DETECT_DNAT_IPADDRS=No DETECT_DNAT_IPADDRS=No


@ -150,6 +150,8 @@ DETECT_DNAT_IPADDRS=No
DISABLE_IPV6=No DISABLE_IPV6=No
DOCKER=No
DONT_LOAD= DONT_LOAD=
DYNAMIC_BLACKLIST=Yes DYNAMIC_BLACKLIST=Yes


@ -2,7 +2,7 @@
# #
# Script to install Shoreline Firewall # Script to install Shoreline Firewall
# #
# (c) 2000-201,2014 - Tom Eastep (teastep@shorewall.net) # (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
# #
# Shorewall documentation is available at http://shorewall.net # Shorewall documentation is available at http://shorewall.net
# #


@ -339,6 +339,18 @@ DIVERTHA - - tcp</programlisting>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">ECN</emphasis></term>
<listitem>
<para>Added in Shorewall 5.0.6 as an alternative to entries in
<ulink url="shorewall-ecn.html">shorewall-ecn(5)</ulink>. If a
PROTO is specified, it must be 'tcp' (6). If no PROTO is
supplied, TCP is assumed. This action causes all ECN bits in
the TCP header to be cleared.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">IMQ</emphasis>(<replaceable>number</replaceable>)</term> role="bold">IMQ</emphasis>(<replaceable>number</replaceable>)</term>


@ -130,7 +130,7 @@
<varlistentry> <varlistentry>
<term><emphasis role="bold">GATEWAY</emphasis> - {<emphasis <term><emphasis role="bold">GATEWAY</emphasis> - {<emphasis
role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>mac</emphasis>]|<emphasis role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>mac</emphasis>]|<emphasis
role="bold">detect</emphasis>}</term> role="bold">detect|none</emphasis>}</term>
<listitem> <listitem>
<para>The IP address of the provider's gateway router. Beginning <para>The IP address of the provider's gateway router. Beginning
@ -139,8 +139,12 @@
interface. When the MAC is not specified, Shorewall will detect the interface. When the MAC is not specified, Shorewall will detect the
MAC during firewall start or restart.</para> MAC during firewall start or restart.</para>
<para>You can enter "detect" here and Shorewall will attempt to <para>You can enter <emphasis role="bold">detect</emphasis> here and
detect the gateway automatically.</para> Shorewall will attempt to detect the gateway automatically.</para>
<para>Beginning with Shorewall 5.0.6, you may also enter <emphasis
role="bold">none</emphasis>. This causes creation of a routing table
with no default route in it.</para>
<para>For PPP devices, you may omit this column.</para> <para>For PPP devices, you may omit this column.</para>
</listitem> </listitem>


@ -733,6 +733,23 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">DOCKER=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
<listitem>
<para>Added in Shorewall 5.0.6. When set to <option>Yes</option>,
the generated script will save Docker-generated rules before and
restore them after executing the <command>start</command>,
<command>stop</command>, <command>reload</command> and
<command>restart</command> commands. If set to <option>No</option>
(the default), the generated script will delete any Docker-generated
rules when executing those commands. See<ulink url="/Docker.html">
http://www.shorewall.net/Docker.html</ulink> for additional
information.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">DONT_LOAD=</emphasis>[<emphasis>module</emphasis>[,<emphasis>module</emphasis>]...]</term> role="bold">DONT_LOAD=</emphasis>[<emphasis>module</emphasis>[,<emphasis>module</emphasis>]...]</term>
@ -763,8 +780,8 @@
<listitem> <listitem>
<para>Normally, when the SOURCE or DEST columns in <para>Normally, when the SOURCE or DEST columns in
shorewall-policy(5) contains 'all', a single policy chain is created shorewall-policy(5) contains 'all', a single policy chain is created
and the policy is enforced in that chain. For example, if the policy and thes policy is enforced in that chain. For example, if the
entry is<programlisting>#SOURCE DEST POLICY LOG policy entry is<programlisting>#SOURCE DEST POLICY LOG
# LEVEL # LEVEL
net all DROP info</programlisting>then the chain name is 'net-all' net all DROP info</programlisting>then the chain name is 'net-all'
('net2all if ZONE2ZONE=2) which is also the chain named in Shorewall ('net2all if ZONE2ZONE=2) which is also the chain named in Shorewall


@ -2,7 +2,7 @@
# #
# Script to back uninstall Shoreline Firewall # Script to back uninstall Shoreline Firewall
# #
# (c) 2000-2011,2014 - Tom Eastep (teastep@shorewall.net) # (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
# #
# Shorewall documentation is available at http://www.shorewall.net # Shorewall documentation is available at http://www.shorewall.net
# #


@ -2,7 +2,7 @@
# #
# Script to back uninstall Shoreline Firewall 6 Lite # Script to back uninstall Shoreline Firewall 6 Lite
# #
# (c) 2000-2014 - Tom Eastep (teastep@shorewall.net) # (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
# #
# Shorewall documentation is available at http://shorewall.sourceforge.net # Shorewall documentation is available at http://shorewall.sourceforge.net
# #


@ -119,13 +119,17 @@
<varlistentry> <varlistentry>
<term><emphasis role="bold">GATEWAY</emphasis> - {<emphasis <term><emphasis role="bold">GATEWAY</emphasis> - {<emphasis
role="bold">-</emphasis>|<emphasis>address</emphasis>|<emphasis role="bold">-</emphasis>|<emphasis>address</emphasis>|<emphasis
role="bold">detect</emphasis>}</term> role="bold">detect|none</emphasis>}</term>
<listitem> <listitem>
<para>The IP address of the provider's gateway router.</para> <para>The IP address of the provider's gateway router.</para>
<para>You can enter "detect" here and Shorewall6 will attempt to <para>You can enter <emphasis role="bold">detect</emphasis> here and
detect the gateway automatically.</para> Shorewall6 will attempt to detect the gateway automatically.</para>
<para>Beginning with Shorewall 5.0.6, you may also enter <emphasis
role="bold">none</emphasis>. This causes creation of a routing table
with no default route in it.</para>
<para>For PPP devices, you may omit this column.</para> <para>For PPP devices, you may omit this column.</para>
</listitem> </listitem>


@ -2,7 +2,7 @@
# #
# Script to back uninstall Shoreline Firewall 6 # Script to back uninstall Shoreline Firewall 6
# #
# (c) 2000-2011,2014 - Tom Eastep (teastep@shorewall.net) # (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
# #
# Shorewall documentation is available at http://www.shorewall.net # Shorewall documentation is available at http://www.shorewall.net
# #


@ -127,7 +127,7 @@ GATEWAY=::192.88.99.1</programlisting></para>
wireless). eth4 goes to my DMZ which holds a single server. Here is a wireless). eth4 goes to my DMZ which holds a single server. Here is a
diagram of the IPv4 network:</para> diagram of the IPv4 network:</para>
<graphic align="center" fileref="images/Network2009.png" /> <graphic align="center" fileref="images/Network2009.png"/>
<para>Here is the configuration after IPv6 is configured; the part in <para>Here is the configuration after IPv6 is configured; the part in
bold font is configured by the /etc/init.d/ipv6 script.</para> bold font is configured by the /etc/init.d/ipv6 script.</para>
@ -283,7 +283,7 @@ ursa:~ #</programlisting></para>
<para>Here is the resulting simple IPv6 Network:</para> <para>Here is the resulting simple IPv6 Network:</para>
<graphic align="center" fileref="images/Network2009b.png" /> <graphic align="center" fileref="images/Network2009b.png"/>
</section> </section>
<section> <section>
@ -338,7 +338,7 @@ ursa:~ #</programlisting></para>
<para>So the IPv4 network was transformed to this:</para> <para>So the IPv4 network was transformed to this:</para>
<graphic align="center" fileref="images/Network2009a.png" /> <graphic align="center" fileref="images/Network2009a.png"/>
<para>To implement the same IPv6 network as described above, I used this <para>To implement the same IPv6 network as described above, I used this
/etc/shorewall/interfaces file:</para> /etc/shorewall/interfaces file:</para>
@ -407,7 +407,7 @@ iface sit1 inet6 v4tunnel
<para>That file produces the following IPv6 network.</para> <para>That file produces the following IPv6 network.</para>
<graphic align="center" fileref="images/Network2008c.png" /> <graphic align="center" fileref="images/Network2008c.png"/>
</section> </section>
<section> <section>
@ -475,7 +475,7 @@ dmz eth2 tcpflags,forward=1</programlisting></par
<para><filename>/etc/shorewall6/policy</filename>:</para> <para><filename>/etc/shorewall6/policy</filename>:</para>
<blockquote> <blockquote>
<para><programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST <para><programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
net all DROP info net all DROP info
loc net ACCEPT loc net ACCEPT
dmz net ACCEPT dmz net ACCEPT
@ -485,7 +485,7 @@ all all REJECT info</programlisting></para>
<para><filename>/etc/shorewall6/rules</filename>:</para> <para><filename>/etc/shorewall6/rules</filename>:</para>
<blockquote> <blockquote>
<para><programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGINAL RATE USER MARK CONNLIMIT TIME HEADERS SWITCH HELPER <para><programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH HELPER
?SECTION ALL ?SECTION ALL
?SECTION ESTABLISHED ?SECTION ESTABLISHED
@ -493,7 +493,6 @@ all all REJECT info</programlisting></para>
?SECTION INVALID ?SECTION INVALID
?SECTION UNTRACKED ?SECTION UNTRACKED
?SECTION NEW ?SECTION NEW
# PORT PORT(S) DEST LIMIT GROUP
# #
# Accept DNS connections from the firewall to the network # Accept DNS connections from the firewall to the network
# #
@ -505,8 +504,7 @@ SSH(ACCEPT) loc $FW
# #
# Allow Ping everywhere # Allow Ping everywhere
# #
Ping(ACCEPT) all all</programlisting> Ping(ACCEPT) all all</programlisting></para>
</para>
</blockquote> </blockquote>
</section> </section>
</section> </section>
@ -652,7 +650,7 @@ interface eth2 {
<para>Suppose that we have the following situation:</para> <para>Suppose that we have the following situation:</para>
<graphic fileref="images/TwoIPv6Nets1.png" /> <graphic fileref="images/TwoIPv6Nets1.png"/>
<para>We want systems in the 2002:100:333::/64 subnetwork to be able to <para>We want systems in the 2002:100:333::/64 subnetwork to be able to
communicate with the systems in the 2002:488:999::/64 network. This is communicate with the systems in the 2002:488:999::/64 network. This is


@ -101,13 +101,11 @@
# both directions. # both directions.
# #
###################################################################################### ######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ #TARGET SOURCE DEST PROTO DPORT SPORT RATE USER
# PORT PORT(S) LIMIT GROUP
ACCEPT - - udp 135,445 ACCEPT - - udp 135,445
ACCEPT - - udp 137:139 ACCEPT - - udp 137:139
ACCEPT - - udp 1024: 137 ACCEPT - - udp 1024: 137
ACCEPT - - tcp 135,139,445 ACCEPT - - tcp 135,139,445</programlisting>
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
<para>If you wish to modify one of the standard actions, do not modify <para>If you wish to modify one of the standard actions, do not modify
the definition in <filename the definition in <filename
@ -335,21 +333,11 @@ ACCEPT - - tcp 135,139,445
</orderedlist> </orderedlist>
<section> <section>
<title>Shorewall 4.4.16 and Later.</title> <title>Shorewall 5.0.0 and Later.</title>
<para>Beginning with Shorewall 4.4.16, the columns in action.template <para>In Shorewall 5.0, the columns in action.template are the same as
are the same as those in shorewall-rules (5). The first non-commentary those in shorewall-rules (5). There are no restrictions regarding which
line in the template must be</para> targets can be used within your action.</para>
<programlisting>FORMAT 2</programlisting>
<para>Beginning with Shorewall 4.5.11, the preferred format is as shown
below, and the above format is deprecated.</para>
<programlisting>?FORMAT 2</programlisting>
<para>When using Shorewall 4.4.16 or later, there are no restrictions
regarding which targets can be used within your action.</para>
<para>The SOURCE and DEST columns in the action file may not include <para>The SOURCE and DEST columns in the action file may not include
zone names; those are given when the action is invoked.</para> zone names; those are given when the action is invoked.</para>
@ -361,22 +349,18 @@ ACCEPT - - tcp 135,139,445
<para>/etc/shorewall/action.A:</para> <para>/etc/shorewall/action.A:</para>
<programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL <programlisting>#TARGET SOURCE DEST PROTO Dport SPORT ORIGDEST
# PORT(S) PORT(S) DEST
FORMAT 2
$1 - - tcp 80 - 1.2.3.4</programlisting> $1 - - tcp 80 - 1.2.3.4</programlisting>
<para>/etc/shorewall/rules:</para> <para>/etc/shorewall/rules:</para>
<programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL <programlisting>#TARGET SOURCE DEST PROTO DPORT SPORT ORIGDEST
# PORT(S) PORT(S) DEST
A(REDIRECT) net fw</programlisting> A(REDIRECT) net fw</programlisting>
<para>The above is equivalent to this rule:</para> <para>The above is equivalent to this rule:</para>
<programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL <programlisting>#TARGET SOURCE DEST PROTO DPORT SPORT ORIGDEST
# PORT(S) PORT(S) DEST
REDIRECT net - tcp 80 - 1.2.3.4</programlisting> REDIRECT net - tcp 80 - 1.2.3.4</programlisting>
<para>You can 'omit' parameters by using '-'.</para> <para>You can 'omit' parameters by using '-'.</para>
@ -413,194 +397,6 @@ REDIRECT net - tcp 80 - 1.2.3.4</programlisting>
url="configuration_file_basics.htm#ActionVariables">Action Variables url="configuration_file_basics.htm#ActionVariables">Action Variables
section</ulink> of the Configuration Basics article.</para> section</ulink> of the Configuration Basics article.</para>
</section> </section>
<section>
<title>Shorewall 4.4.15 and Earlier.</title>
<para>Prior to 4.4.16, columns in the
<filename>action.template</filename> file were as follows:</para>
<itemizedlist>
<listitem>
<para>TARGET - Must be ACCEPT, DROP, REJECT, LOG, CONTINUE, QUEUE or
an &lt;<emphasis>action</emphasis>&gt; where
&lt;<emphasis>action</emphasis>&gt; is a previously-defined action
(that is, it must precede the action being defined in this file in
your <filename>/etc/shorewall/actions</filename> file). These
actions have the same meaning as they do in the
<filename>/etc/shorewall/rules</filename> file (CONTINUE terminates
processing of the current action and returns to the point where that
action was invoked). The TARGET may optionally be followed by a
colon (<quote>:</quote>) and a syslog log level (e.g, REJECT:info or
ACCEPT:debugging). This causes the packet to be logged at the
specified level. You may also specify ULOG (must be in upper case)
as a log level. This will log to the ULOG target for routing to a
separate log through use of ulogd (<ulink
url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>).</para>
<para>You may also use a <ulink url="Macros.html">macro</ulink> in
your action provided that the macro's expansion only results in the
ACTIONs ACCEPT, DROP, REJECT, LOG, CONTINUE, or QUEUE. See
<filename>/usr/share/shorewall/action.Drop</filename> for an example
of an action that users macros extensively.</para>
</listitem>
<listitem>
<para>SOURCE - Source hosts to which the rule applies. A
comma-separated list of subnets and/or hosts. Hosts may be specified
by IP or MAC address; MAC addresses must begin with <quote>~</quote>
and must use <quote>-</quote> as a separator.</para>
<para>Alternatively, clients may be specified by interface name. For
example, eth1 specifies a client that communicates with the firewall
system through eth1. This may be optionally followed by another
colon (<quote>:</quote>) and an IP/MAC/subnet address as described
above (e.g., eth1:192.168.1.5).</para>
</listitem>
<listitem>
<para>DEST - Location of Server. Same as above with the exception
that MAC addresses are not allowed.</para>
</listitem>
<listitem>
<para>PROTO - Protocol - Must be <quote>tcp</quote>,
<quote>udp</quote>, <quote>icmp</quote>, a protocol number, or
<quote>all</quote>.</para>
</listitem>
<listitem>
<para>DEST PORT(S) - Destination Ports. A comma-separated list of
Port names (from <filename>/etc/services</filename>), port numbers
or port ranges; if the protocol is <quote>icmp</quote>, this column
is interpreted as the destination icmp-type(s).</para>
<para>A port range is expressed as &lt;<emphasis>low
port</emphasis>&gt;:&lt;<emphasis>high port</emphasis>&gt;.</para>
<para>This column is ignored if PROTO = <quote>all</quote>, but must
be entered if any of the following fields are supplied. In that
case, it is suggested that this field contain
<quote>-</quote>.</para>
</listitem>
<listitem>
<para>SOURCE PORT(S) - Port(s) used by the client. If omitted, any
source port is acceptable. Specified as a comma-separated list of
port names, port numbers or port ranges.</para>
<para>If you don't want to restrict client ports but need to specify
any of the subsequent fields, then place <quote>-</quote> in this
column.</para>
</listitem>
<listitem>
<para>RATE LIMIT - You may rate-limit the rule by placing a value in
this column:</para>
<para><programlisting> &lt;<emphasis>rate</emphasis>&gt;/&lt;<emphasis>interval</emphasis>&gt;[:&lt;<emphasis>burst</emphasis>&gt;]</programlisting>where
&lt;<emphasis>rate</emphasis>&gt; is the number of connections per
&lt;<emphasis>interval</emphasis>&gt; (<quote>sec</quote> or
<quote>min</quote>) and &lt;<emphasis>burst</emphasis>&gt; is the
largest burst permitted. If no &lt;<emphasis>burst</emphasis>&gt; is
given, a value of 5 is assumed. There may be no whitespace embedded
in the specification.</para>
<para><programlisting> Example: 10/sec:20</programlisting></para>
</listitem>
<listitem>
<para>USER/GROUP - For output rules (those with the firewall as
their source), you may control connections based on the effective
UID and/or GID of the process requesting the connection. This column
can contain any of the following:</para>
<simplelist>
<member>[!]&lt;<emphasis>user number</emphasis>&gt;[:]</member>
<member>[!]&lt;<emphasis>user name</emphasis>&gt;[:]</member>
<member>[!]:&lt;<emphasis>group number</emphasis>&gt;</member>
<member>[!]:&lt;<emphasis>group name</emphasis>&gt;</member>
<member>[!]&lt;<emphasis>user
number</emphasis>&gt;:&lt;<emphasis>group
number</emphasis>&gt;</member>
<member>[!]&lt;<emphasis>user
name</emphasis>&gt;:&lt;<emphasis>group
number</emphasis>&gt;</member>
<member>[!]&lt;<emphasis>user
inumber</emphasis>&gt;:&lt;<emphasis>group
name</emphasis>&gt;</member>
<member>[!]&lt;<emphasis>user
name</emphasis>&gt;:&lt;<emphasis>group
name</emphasis>&gt;</member>
<member>[!]+&lt;<emphasis>program name</emphasis>&gt; (Note:
support for this form was removed from Netfilter in kernel version
2.6.14).</member>
</simplelist>
</listitem>
<listitem>
<para>MARK</para>
<para><simplelist>
<member>[!]&lt;<emphasis>value</emphasis>&gt;[/&lt;<emphasis>mask</emphasis>&gt;][:C]</member>
</simplelist></para>
<para>Defines a test on the existing packet or connection mark. The
rule will match only if the test returns true.</para>
<para>If you dont want to define a test but need to specify
anything in the subsequent columns, place a <quote>-</quote> in this
field.<simplelist>
<member>! — Inverts the test (not equal)</member>
<member>&lt;<emphasis>value</emphasis>&gt; — Value of the packet
or connection mark.</member>
<member>&lt;<emphasis>mask</emphasis>&gt; —A mask to be applied
to the mark before testing.</member>
<member>:C — Designates a connection mark. If omitted, the
packet marks value is tested. This option is only supported by
Shorewall-perl</member>
</simplelist></para>
</listitem>
</itemizedlist>
<para>Omitted column entries should be entered using a dash
(<quote>-</quote>).</para>
<para>Example:</para>
<para><filename>/etc/shorewall/actions</filename>:</para>
<para><programlisting> #ACTION COMMENT (place '# ' below the 'C' in comment followed by
# v a comment describing the action)
LogAndAccept # LOG and ACCEPT a connection</programlisting><emphasis
role="bold">Note:</emphasis> If your
<filename>/etc/shorewall/actions</filename> file doesn't have an
indication where to place the comment, put the <quote>#</quote> in
column 21.</para>
<para><phrase><filename>/etc/shorewall/action.LogAndAccept</filename></phrase><programlisting> LOG:info
ACCEPT</programlisting></para>
<para>Placing a comment on the line causes the comment to appear in the
output of the <command>shorewall show actions</command> command.</para>
<para>To use your action, in <filename>/etc/shorewall/rules</filename>
you might do something like:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
LogAndAccept loc $FW tcp 22</programlisting>
</section>
</section> </section>
<section id="Logging"> <section id="Logging">
@ -625,19 +421,19 @@ LogAndAccept loc $FW tcp 22</programlisting>
<para>/etc/shorewall/action.foo</para> <para>/etc/shorewall/action.foo</para>
<programlisting>#TARGET SOURCE DEST PROTO DEST PORT(S) <programlisting>#TARGET SOURCE DEST PROTO DPORT
ACCEPT - - tcp 22 ACCEPT - - tcp 22
bar:info</programlisting> bar:info</programlisting>
<para>/etc/shorewall/rules:</para> <para>/etc/shorewall/rules:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
foo:debug $FW net</programlisting> foo:debug $FW net</programlisting>
<para>Logging in the invoke <quote>foo</quote> action will be as if <para>Logging in the invoke <quote>foo</quote> action will be as if
foo had been defined as:</para> foo had been defined as:</para>
<programlisting>#TARGET SOURCE DEST PROTO DEST PORT(S) <programlisting>#TARGET SOURCE DEST PROTO DPORT
ACCEPT:debug - - tcp 22 ACCEPT:debug - - tcp 22
bar:info</programlisting> bar:info</programlisting>
</listitem> </listitem>
@ -651,19 +447,19 @@ bar:info</programlisting>
<para>/etc/shorewall/action.foo</para> <para>/etc/shorewall/action.foo</para>
<programlisting>#TARGET SOURCE DEST PROTO DEST PORT(S) <programlisting>#TARGET SOURCE DEST PROTO DPORT
ACCEPT - - tcp 22 ACCEPT - - tcp 22
bar:info</programlisting> bar:info</programlisting>
<para>/etc/shorewall/rules:</para> <para>/etc/shorewall/rules:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
foo:debug! $FW net</programlisting> foo:debug! $FW net</programlisting>
<para>Logging in the invoke <quote>foo</quote> action will be as if <para>Logging in the invoke <quote>foo</quote> action will be as if
foo had been defined as:</para> foo had been defined as:</para>
<programlisting>#TARGET SOURCE DEST PROTO DEST PORT(S) <programlisting>#TARGET SOURCE DEST PROTO DPORT
ACCEPT:debug - - tcp 22 ACCEPT:debug - - tcp 22
bar:debug</programlisting> bar:debug</programlisting>
</listitem> </listitem>
@ -1113,22 +909,22 @@ add_rule $chainref, '-d 224.0.0.0/4 -j DROP';
role="bold">SSHA</emphasis>, and to limit SSH connections to 3 per minute, role="bold">SSHA</emphasis>, and to limit SSH connections to 3 per minute,
use this entry in <filename>/etc/shorewall/rules</filename>:</para> use this entry in <filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
Limit:none:SSHA,3,60 net $FW tcp 22</programlisting> Limit:none:SSHA,3,60 net $FW tcp 22</programlisting>
<para>Using Shorewall 4.4.16 or later, you can also invoke the action this <para>Using Shorewall 4.4.16 or later, you can also invoke the action this
way:</para> way:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
Limit(SSHA,3,60):none net $FW tcp 22</programlisting> Limit(SSHA,3,60):none net $FW tcp 22</programlisting>
<para>If you want dropped connections to be logged at the info level, use <para>If you want dropped connections to be logged at the info level, use
this rule instead:</para> this rule instead:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
Limit:info:SSHA,3,60 net $FW tcp 22</programlisting> Limit:info:SSHA,3,60 net $FW tcp 22</programlisting>
<para>Shorewall 4.4.16 and later:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <para>Shorewall 4.4.16 and later:<programlisting>#ACTION SOURCE DEST PROTO DPORT
Limit(SSH,3,60):info net $FW tcp 22</programlisting></para> Limit(SSH,3,60):info net $FW tcp 22</programlisting></para>
<para>To summarize, you pass four pieces of information to the Limit <para>To summarize, you pass four pieces of information to the Limit


@ -5,7 +5,7 @@
<!--$Id$--> <!--$Id$-->
<articleinfo> <articleinfo>
<title>Anatomy of Shorewall 4.5</title> <title>Anatomy of Shorewall 5.0</title>
<authorgroup> <authorgroup>
<author> <author>
@ -43,7 +43,7 @@
<section id="Products"> <section id="Products">
<title>Products</title> <title>Products</title>
<para>Shorewall 4.5 consists of six packages.</para> <para>Shorewall 5.0 consists of six packages.</para>
<orderedlist> <orderedlist>
<listitem> <listitem>


@ -74,12 +74,11 @@
<section> <section>
<title>Policy Rate Limiting</title> <title>Policy Rate Limiting</title>
<para>The LIMIT:BURST column in the <para>The LIMIT column in the <filename>/etc/shorewall/policy</filename>
<filename>/etc/shorewall/policy</filename> file applies to TCP file applies to TCP connections that are subject to the policy. The
connections that are subject to the policy. The limiting is applied limiting is applied BEFORE the connection request is passed through the
BEFORE the connection request is passed through the rules generated by rules generated by entries in <filename>/etc/shorewall/rules</filename>.
entries in <filename>/etc/shorewall/rules</filename>. Those connections Those connections in excess of the limit are logged and dropped.</para>
in excess of the limit are logged and dropped.</para>
</section> </section>
<section> <section>

94
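--- /dev/null
+++ b/docs/Docker.xml
@@ -0,0 +1,94 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<article>
+<!--$Id$-->
+<articleinfo>
+<title>Docker Support</title>
+<authorgroup>
+<author>
+<firstname>Tom</firstname>
+<surname>Eastep</surname>
+</author>
+</authorgroup>
+<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
+<copyright>
+<year>2016</year>
+<holder>Thomas M. Eastep</holder>
+</copyright>
+<legalnotice>
+<para>Permission is granted to copy, distribute and/or modify this
+document under the terms of the GNU Free Documentation License, Version
+1.2 or any later version published by the Free Software Foundation; with
+no Invariant Sections, with no Front-Cover, and with no Back-Cover
+Texts. A copy of the license is included in the section entitled
+<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
+License</ulink></quote>.</para>
+</legalnotice>
+</articleinfo>
+<section>
+<title>Shorewall 5.0.5 and Earlier</title>
+<para>Both Docker and Shorewall assume that they 'own' the iptables
+configuration. This leads to problems when Shorewall is restarted or
+reloaded, because it drops all of the rules added by Docker. Fortunately,
+the extensibility features in Shorewall allow users to <ulink
+url="https://blog.discourse.org/2015/11/shorewalldocker-two-great-tastes-that-taste-great-together/#">create
+their own solution</ulink> for saving the Docker-generated rules before
+these operations and restoring them afterwards.</para>
+</section>
+<section>
+<title>Shorewall 5.0.6 and Later</title>
+<para>Beginning with Shorewall 5.0.6, Shorewall has native support for
+simple Docker configurations. This support is enabled by setting
+DOCKER=Yes in shorewall.conf. With this setting, the generated script
+saves the Docker-created ruleset before executing a
+<command>stop</command>, <command>start</command>,
+<command>restart</command> or <command>reload</command> operation and
+restores those rules along with the Shorewall-generated ruleset.</para>
+<para>This support assumes that the default Docker bridge (docker0) is
+being used. It is recommended that this bridge be defined to Shorewall in
+<ulink
+url="manpages/shorewall-interfaces.html">shorewall-interfaces(8)</ulink>.
+As shown below, you can control inter-container communication using the
+<option>bridge</option> and <option>routeback</option> options. If docker0
+is not defined to Shorewall, then Shorewall will save and restore the
+FORWARD chain rules involving that interface.</para>
+<para><filename>/etc/shorewall/shorewall.conf</filename>:</para>
+<programlisting>DOCKER=Yes</programlisting>
+<para><filename>/etc/shorewall/zones</filename>:</para>
+<programlisting>#ZONE TYPE OPTIONS
+dock ipv4 #'dock' is just an example -- call it anything you like</programlisting>
+<para><filename>/etc/shorewall/policy</filename>:</para>
+<programlisting>#SOURCE DEST POLICY LEVEL
+dock $FW REJECT
+dock all ACCEPT</programlisting>
+<para><filename>/etc/shorewall/interfaces</filename>:</para>
+<programlisting>#ZONE INTERFACE OPTIONS
+dock docker0 bridge #Allow ICC (bridge implies routeback=1)</programlisting>
+<para>or</para>
+<programlisting>#ZONE INTERFACE OPTIONS
+dock docker0 bridge,routeback=0 #Disallow ICC</programlisting>
+</section>
+</article>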


@ -265,7 +265,7 @@
</row> </row>
<row> <row>
<entry><ulink url="Dynamic.html">Dynamic Zones</ulink></entry> <entry><ulink url="Docker.html">Docker</ulink></entry>
<entry><ulink url="starting_and_stopping_shorewall.htm">Operating <entry><ulink url="starting_and_stopping_shorewall.htm">Operating
Shorewall</ulink></entry> Shorewall</ulink></entry>
@ -275,8 +275,7 @@
</row> </row>
<row> <row>
<entry><ulink url="ECN.html">ECN Disabling by host or <entry><ulink url="Dynamic.html">Dynamic Zones</ulink></entry>
subnet</ulink></entry>
<entry><ulink url="PacketMarking.html">Packet <entry><ulink url="PacketMarking.html">Packet
Marking</ulink></entry> Marking</ulink></entry>
@ -285,7 +284,8 @@
</row> </row>
<row> <row>
<entry><ulink url="Events.html">Events</ulink></entry> <entry><ulink url="ECN.html">ECN Disabling by host or
subnet</ulink></entry>
<entry><ulink url="PacketHandling.html">Packet Processing in a <entry><ulink url="PacketHandling.html">Packet Processing in a
Shorewall-based Firewall</ulink></entry> Shorewall-based Firewall</ulink></entry>
@ -294,8 +294,7 @@
</row> </row>
<row> <row>
<entry><ulink url="shorewall_extension_scripts.htm">Extension <entry><ulink url="Events.html">Events</ulink></entry>
Scripts (User Exits)</ulink></entry>
<entry><ulink url="ping.html">'Ping' Management</ulink></entry> <entry><ulink url="ping.html">'Ping' Management</ulink></entry>
@ -304,8 +303,8 @@
</row> </row>
<row> <row>
<entry><ulink <entry><ulink url="shorewall_extension_scripts.htm">Extension
url="fallback.htm">Fallback/Uninstall</ulink></entry> Scripts (User Exits)</ulink></entry>
<entry><ulink url="two-interface.htm#DNAT">Port <entry><ulink url="two-interface.htm#DNAT">Port
Forwarding</ulink></entry> Forwarding</ulink></entry>
@ -315,7 +314,8 @@
</row> </row>
<row> <row>
<entry><ulink url="FAQ.htm">FAQs</ulink></entry> <entry><ulink
url="fallback.htm">Fallback/Uninstall</ulink></entry>
<entry><ulink url="ports.htm">Port Information</ulink></entry> <entry><ulink url="ports.htm">Port Information</ulink></entry>
@ -324,8 +324,7 @@
</row> </row>
<row> <row>
<entry><ulink <entry><ulink url="FAQ.htm">FAQs</ulink></entry>
url="shorewall_features.htm">Features</ulink></entry>
<entry><ulink url="PortKnocking.html">Port Knocking <entry><ulink url="PortKnocking.html">Port Knocking
(deprecated)</ulink></entry> (deprecated)</ulink></entry>
@ -334,8 +333,8 @@
</row> </row>
<row> <row>
<entry><ulink url="Multiple_Zones.html">Forwarding Traffic on the <entry><ulink
Same Interface</ulink></entry> url="shorewall_features.htm">Features</ulink></entry>
<entry><ulink url="Events.html">Port Knocking, Auto Blacklisting <entry><ulink url="Events.html">Port Knocking, Auto Blacklisting
and Other Uses of the 'Recent Match'</ulink></entry> and Other Uses of the 'Recent Match'</ulink></entry>
@ -344,18 +343,28 @@
</row> </row>
<row> <row>
<entry><ulink url="FTP.html">FTP and Shorewall</ulink></entry> <entry><ulink url="Multiple_Zones.html">Forwarding Traffic on the
Same Interface</ulink></entry>
<entry><ulink url="PPTP.htm">PPTP</ulink></entry> <entry><ulink url="PPTP.htm">PPTP</ulink></entry>
<entry/> <entry/>
</row> </row>
<row>
<entry><ulink url="FTP.html">FTP and Shorewall</ulink></entry>
<entry><ulink url="ProxyARP.htm">Proxy ARP</ulink></entry>
<entry/>
</row>
<row> <row>
<entry><ulink url="FoolsFirewall.html">Fool's <entry><ulink url="FoolsFirewall.html">Fool's
Firewall</ulink></entry> Firewall</ulink></entry>
<entry><ulink url="ProxyARP.htm">Proxy ARP</ulink></entry> <entry><ulink url="shorewall_quickstart_guide.htm">QuickStart
Guides</ulink></entry>
<entry/> <entry/>
</row> </row>
@ -364,8 +373,7 @@
<entry><ulink url="Helpers.html">Helpers/Helper <entry><ulink url="Helpers.html">Helpers/Helper
Modules</ulink></entry> Modules</ulink></entry>
<entry><ulink url="shorewall_quickstart_guide.htm">QuickStart <entry><ulink url="NewRelease.html">Release Model</ulink></entry>
Guides</ulink></entry>
<entry/> <entry/>
</row> </row>
@ -374,14 +382,6 @@
<entry><ulink <entry><ulink
url="Install.htm">Installation/Upgrade</ulink></entry> url="Install.htm">Installation/Upgrade</ulink></entry>
<entry><ulink url="NewRelease.html">Release Model</ulink></entry>
<entry/>
</row>
<row>
<entry><ulink url="IPP2P.html">IPP2P</ulink></entry>
<entry><ulink <entry><ulink
url="shorewall_prerequisites.htm">Requirements</ulink></entry> url="shorewall_prerequisites.htm">Requirements</ulink></entry>
@ -389,7 +389,7 @@
</row> </row>
<row> <row>
<entry><ulink url="IPSEC-2.6.html">IPSEC</ulink></entry> <entry><ulink url="IPP2P.html">IPP2P</ulink></entry>
<entry><ulink url="Shorewall_and_Routing.html">Routing and <entry><ulink url="Shorewall_and_Routing.html">Routing and
Shorewall</ulink></entry> Shorewall</ulink></entry>
@ -398,7 +398,7 @@
</row> </row>
<row> <row>
<entry><ulink url="ipsets.html">Ipsets</ulink></entry> <entry><ulink url="IPSEC-2.6.html">IPSEC</ulink></entry>
<entry><ulink url="Multiple_Zones.html">Routing on One <entry><ulink url="Multiple_Zones.html">Routing on One
Interface</ulink></entry> Interface</ulink></entry>
@ -407,18 +407,27 @@
</row> </row>
<row> <row>
<entry><ulink url="IPv6Support.html">IPv6 Support</ulink></entry> <entry><ulink url="ipsets.html">Ipsets</ulink></entry>
<entry><ulink url="samba.htm">Samba</ulink></entry> <entry><ulink url="samba.htm">Samba</ulink></entry>
<entry/> <entry/>
</row> </row>
<row>
<entry><ulink url="IPv6Support.html">IPv6 Support</ulink></entry>
<entry><ulink url="Events.html">Shorewall Events</ulink></entry>
<entry/>
</row>
<row> <row>
<entry><ulink url="ISO-3661.html">ISO 3661 Country <entry><ulink url="ISO-3661.html">ISO 3661 Country
Codes</ulink></entry> Codes</ulink></entry>
<entry><ulink url="Events.html">Shorewall Events</ulink></entry> <entry><ulink url="Shorewall-init.html">Shorewall
Init</ulink></entry>
<entry/> <entry/>
</row> </row>
@ -427,8 +436,8 @@
<entry><ulink url="Shorewall_and_Kazaa.html">Kazaa <entry><ulink url="Shorewall_and_Kazaa.html">Kazaa
Filtering</ulink></entry> Filtering</ulink></entry>
<entry><ulink url="Shorewall-init.html">Shorewall <entry><ulink url="Shorewall-Lite.html">Shorewall
Init</ulink></entry> Lite</ulink></entry>
<entry/> <entry/>
</row> </row>
@ -437,8 +446,7 @@
<entry><ulink url="kernel.htm">Kernel <entry><ulink url="kernel.htm">Kernel
Configuration</ulink></entry> Configuration</ulink></entry>
<entry><ulink url="Shorewall-Lite.html">Shorewall <entry/>
Lite</ulink></entry>
<entry/> <entry/>
</row> </row>


@ -49,140 +49,12 @@
support is based on <ulink support is based on <ulink
url="http://ipset.netfilter.org/">ipset</ulink>. Most current url="http://ipset.netfilter.org/">ipset</ulink>. Most current
distributions have ipset, but you may need to install the <ulink distributions have ipset, but you may need to install the <ulink
url="http://xtables-addons.sourceforge.net/">xtables-addons</ulink>.</para> url="http://xtables-addons.sourceforge.net/">xtables-addons</ulink>
</section> package.</para>
<section id="xtables-addons">
<title>Installing xtables-addons</title>
<para>If your distribution does not have an xtables-addons package, the
xtables-addons are fairly easy to install. You do not need to recompile
your kernel.</para>
<para><trademark>Debian</trademark> users can find xtables-addons-common
and xtables-addons-source packages in <firstterm>testing</firstterm>. The
kernel modules can be built and installed with the help of
module-assistant. As of this writing, these packages are in the
<firstterm>admin</firstterm> group rather than in the
<firstterm>network</firstterm> group!!??</para>
<para>For other users, the basic steps are as follows:</para>
<orderedlist>
<listitem>
<para>Install gcc and make</para>
</listitem>
<listitem>
<para>Install the headers for the kernel you are running. In some
distributions, such as <trademark>Debian</trademark> and
<trademark>Ubuntu</trademark>, the packet is called kernel-headers.
For other distrubutions, such as OpenSuSE, you must install the
kernel-source package.</para>
</listitem>
<listitem>
<para>download the iptables source tarball</para>
</listitem>
<listitem>
<para>untar the source</para>
</listitem>
<listitem>
<para>cd to the iptables source directory</para>
</listitem>
<listitem>
<para>run 'make'</para>
</listitem>
<listitem>
<para>as root, run 'make install'</para>
</listitem>
<listitem>
<para>Your new iptables binary will now be installed in
/usr/local/sbin. Modify shorewall.conf to specify
IPTABLES=/usr/local/sbin/iptables</para>
</listitem>
<listitem>
<para>Download the latest xtables-addons source tarball</para>
</listitem>
<listitem>
<para>Untar the xtables-addons source</para>
</listitem>
<listitem>
<para>cd to the xtables-addons source directory</para>
</listitem>
<listitem>
<para>run './configure'</para>
</listitem>
<listitem>
<para>run 'make'</para>
</listitem>
<listitem>
<para>As root, cd to the xtables-addons directory and run 'make
install'.</para>
</listitem>
<listitem>
<para>Restart shorewall</para>
</listitem>
<listitem>
<para>'shorewall show capabilities' should now indicate<emphasis
role="bold"> Ipset Match: Available</emphasis></para>
</listitem>
</orderedlist>
<para>You will have to repeat steps 10-13 each time that you receive a
kernel upgrade from your distribution vendor. You can install
xtables-addons before booting to the new kernel as follows
(<emphasis>new-kernel-version</emphasis> is the version of the
newly-installed kernel - example <emphasis
role="bold">2.6.28.11-generic</emphasis>. Look in the /lib/modules
directory to get the full version name)</para>
<orderedlist>
<listitem>
<para>cd to the xtables-addons source directory</para>
</listitem>
<listitem>
<para>run 'make clean'</para>
</listitem>
<listitem>
<para>run './configure
--with-kbuild=/lib/modules/<emphasis>new-kernel-version</emphasis>/build
--with-ksource=/lib/modules/<emphasis>new-kernel-version</emphasis>/source'</para>
</listitem>
<listitem>
<para>run 'make'</para>
</listitem>
<listitem>
<para>As root, cd to the xtables-addons source directory and run 'make
install'.</para>
</listitem>
<listitem>
<para>As root, run 'depmod -a
<emphasis>new-kernel-version'</emphasis></para>
</listitem>
</orderedlist>
</section> </section>
<section> <section>
<title>Dynamic Zones -- Shorewall 4.5.9 and Later</title> <title>Dynamic Zones</title>
<para>Prior to Shorewall 4.5.9, when multiple records for a zone appear in <para>Prior to Shorewall 4.5.9, when multiple records for a zone appear in
<filename>/etc/shorewall/hosts</filename>, Shorewall would create a <filename>/etc/shorewall/hosts</filename>, Shorewall would create a
@ -288,117 +160,6 @@ rsyncok:
</section> </section>
</section> </section>
<section id="Version-4.5.9">
<title>Dynamic Zones -- Shorewall 4.5.8 and Earlier.</title>
<para>The method described in this section is still supported in the later
releases.</para>
<section id="defining1">
<title>Defining a Dynamic Zone</title>
<para>A dynamic zone is defined by using the keyword <emphasis
role="bold">dynamic</emphasis> in the zones host list.</para>
<para>Example:</para>
<blockquote>
<para><filename>/etc/shorewall/zones</filename>:<programlisting>#NAME TYPE OPTIONS
loc ipv4
webok:loc ipv4</programlisting><filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
loc eth0 - …
</programlisting>
<para><filename>/etc/shorewall/hosts</filename>:</para>
<programlisting>#ZONE HOSTS OPTIONS
webok eth0:<emphasis role="bold">dynamic</emphasis></programlisting>
</blockquote>
<para>Once the above definition is added, Shorewall will automatically
create an ipset named <emphasis>webok_eth0</emphasis> the next time that
Shorewall is started or restarted. Shorewall will create an ipset of
type <firstterm>iphash</firstterm>. If you want to use a different type
of ipset, such as <firstterm>macipmap</firstterm>, then you will want to
manually create that ipset yourself before the next Shorewall
start/restart.</para>
<para>The dynamic zone capability was added to Shorewall6 in Shorewall
4.4.21.</para>
</section>
<section id="adding1">
<title>Adding a Host to a Dynamic Zone</title>
<para>Adding a host to a dynamic zone is accomplished by adding the
host's IP address to the appropriate ipset. Shorewall provldes a command
for doing that:</para>
<blockquote>
<para><command>shorewall add</command> <replaceable>interface:address
...</replaceable> <replaceable>zone</replaceable></para>
</blockquote>
<para>Example:</para>
<blockquote>
<para><command>shorewall add eth0:192.168.3.4 webok</command></para>
</blockquote>
<para>The command can only be used when the ipset involved is of type
iphash. For other ipset types, the <command>ipset</command> command must
be used directly.</para>
</section>
<section id="deleting">
<title>Deleting a Host from a Dynamic Zone</title>
<para>Deleting a host from a dynamic zone is accomplished by removing
the host's IP address from the appropriate ipset. Shorewall provldes a
command for doing that:</para>
<blockquote>
<para><command>shorewall delete</command>
<replaceable>interface:address ...</replaceable>
<replaceable>zone</replaceable></para>
</blockquote>
<para>Example:</para>
<blockquote>
<para><command>shorewall delete eth0:192.168.3.4
webok</command></para>
</blockquote>
<para>The command can only be used when the ipset involved is of type
iphash. For other ipset types, the <command>ipse t</command> command
must be used directly.</para>
</section>
<section id="listing1">
<title>Listing the Contents of a Dynamic Zone</title>
<para>The shorewall show command may be used to list the current
contents of a dynamic zone.</para>
<blockquote>
<para><command>shorewall show dynamic</command>
<replaceable>zone</replaceable></para>
</blockquote>
<para>Example:</para>
<blockquote>
<programlisting><command>shorewall show dynamic webok</command>
eth0:
192.168.3.4
192.168.3.9</programlisting>
</blockquote>
</section>
</section>
<section id="start-stop"> <section id="start-stop">
<title>Dynamic Zone Contents and Shorewall stop/start/restart</title> <title>Dynamic Zone Contents and Shorewall stop/start/restart</title>


@ -118,6 +118,10 @@
</tgroup> </tgroup>
</table></para> </table></para>
</example> </example>
<para>Beginning with Shorewall 5.0.6, you may also specify clearing of the
ECN flags through use of the ECN action in <ulink
url="manpages/shorewall-ecn.html">shorewall-mangle(8)</ulink>.</para>
</section> </section>
<lot/> <lot/>


@ -538,8 +538,7 @@ SetEvent(SSH,ACCEPT,src)</programlisting>
<para><filename>etc/shorewall/rules</filename>:</para> <para><filename>etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST <programlisting>#ACTION SOURCE DEST PROTO DPORT
# PORT(S)
SSHLIMIT net $FW tcp 22 </programlisting> SSHLIMIT net $FW tcp 22 </programlisting>
<caution> <caution>
@ -645,8 +644,7 @@ SSHLIMIT net $FW tcp 22
<para>To duplicate the SSHLIMIT entry in <para>To duplicate the SSHLIMIT entry in
<filename>/etc/shorewall/rules</filename> shown above:</para> <filename>/etc/shorewall/rules</filename> shown above:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST <programlisting>#ACTION SOURCE DEST PROTO DPORT
# PORT(S)
AutoBL(SSH,-,-,-,REJECT,warn)\ AutoBL(SSH,-,-,-,REJECT,warn)\
net $FW tcp 22 </programlisting> net $FW tcp 22 </programlisting>
</section> </section>
@ -688,8 +686,7 @@ Knock #Port Knocking</programlisting>
# #
?format 2 ?format 2
############################################################################### ###############################################################################
#ACTION SOURCE DEST PROTO DEST #ACTION SOURCE DEST PROTO DPORT
# PORT(S)
IfEvent(SSH,ACCEPT:info,60,1,src,reset)\ IfEvent(SSH,ACCEPT:info,60,1,src,reset)\
- - tcp 22 - - tcp 22
SetEvent(SSH,ACCEPT) - - tcp 1600 SetEvent(SSH,ACCEPT) - - tcp 1600
@ -697,8 +694,7 @@ ResetEvent(SSH,DROP:info) </programlisting>
<para><filename>etc/shorewall/rules</filename>:</para> <para><filename>etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST <programlisting>#ACTION SOURCE DEST PROTO DPORT
# PORT(S)
Knock net $FW tcp 22,1599-1601 </programlisting> Knock net $FW tcp 22,1599-1601 </programlisting>
</section> </section>
@ -750,7 +746,7 @@ KnockEnhanced 'net', '$FW', {name =&gt; 'SSH1', log_level =&gt; 3, proto =&gt; '
<listitem> <listitem>
<para><emphasis role="bold">original_dest</emphasis> is the rule <para><emphasis role="bold">original_dest</emphasis> is the rule
ORIGINAL DEST</para> ORIGDEST</para>
</listitem> </listitem>
<listitem> <listitem>


@ -617,7 +617,7 @@ TOS=0x00 PREC=0x00 TTL=63 ID=23035 PROTO=UDP SPT=6376 DPT=2055 LEN=1472</program
a single address?</title> a single address?</title>
<para><emphasis role="bold">Answer</emphasis>: Specify the external <para><emphasis role="bold">Answer</emphasis>: Specify the external
address that you want to redirect in the ORIGINAL DEST column.</para> address that you want to redirect in the ORIGDEST column.</para>
<para>Example:</para> <para>Example:</para>
@ -1685,7 +1685,7 @@ teastep@ursa:~$ </programlisting>The first number determines the maximum log
<para>You have a policy for traffic from <para>You have a policy for traffic from
<replaceable>zone1</replaceable> to <replaceable>zone1</replaceable> to
<replaceable>zone2</replaceable> that specifies TCP connection <replaceable>zone2</replaceable> that specifies TCP connection
rate limiting (value in the LIMIT:BURST column). The logged packet rate limiting (value in the LIMIT column). The logged packet
exceeds that limit and was dropped. Note that these log messages exceeds that limit and was dropped. Note that these log messages
themselves are severely rate-limited so that a syn-flood won't themselves are severely rate-limited so that a syn-flood won't
generate a secondary DOS because of excessive log message. These generate a secondary DOS because of excessive log message. These


@ -345,23 +345,22 @@ xt_tcpudp 3328 0
HELPER rules allow specification of a helper for connections that are HELPER rules allow specification of a helper for connections that are
ACCEPTed by the applicable policy.</para> ACCEPTed by the applicable policy.</para>
<para> Example (loc-&gt;net policy is ACCEPT) - In <para>Example (loc-&gt;net policy is ACCEPT) - In
/etc/shorewall/rules:</para> /etc/shorewall/rules:</para>
<programlisting>#ACTION SOURCE DEST <programlisting>#ACTION SOURCE DEST
FTP(HELPER) loc - </programlisting> FTP(HELPER) loc - </programlisting>
<para>or equivalently </para> <para>or equivalently</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST <programlisting>#ACTION SOURCE DEST PROTO DPORT
# PORT(S)
HELPER loc - tcp 21 { helper=ftp }</programlisting> HELPER loc - tcp 21 { helper=ftp }</programlisting>
</listitem> </listitem>
<listitem> <listitem>
<para> The set of enabled helpers (either by AUTOHELPERS=Yes or by the <para>The set of enabled helpers (either by AUTOHELPERS=Yes or by the
HELPERS column) can be taylored using the new HELPERS option in HELPERS column) can be taylored using the new HELPERS option in
shorewall.conf. </para> shorewall.conf.</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
@ -389,10 +388,9 @@ HELPER loc - tcp 21 { helper=ftp }</programlisting>
/etc/shorewall[6]/conntrack file. These rules are included conditionally /etc/shorewall[6]/conntrack file. These rules are included conditionally
based in the setting of AUTOHELPERS.</para> based in the setting of AUTOHELPERS.</para>
<para> Example:</para> <para>Example:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/ SWITCH <programlisting>#ACTION SOURCE DESTINATION PROTO DPORT SPORT USER SWITCH
# PORT(S) PORT(S) GROUP
?if $AUTOHELPERS &amp;&amp; __CT_TARGET ?if $AUTOHELPERS &amp;&amp; __CT_TARGET
?if __FTP_HELPER ?if __FTP_HELPER
CT:helper:ftp all - tcp 21 CT:helper:ftp all - tcp 21
@ -400,23 +398,22 @@ CT:helper:ftp all - tcp 21
... ...
?endif</programlisting> ?endif</programlisting>
<para> __FTP_HELPER evaluates to false if the HELPERS setting is non-empty <para>__FTP_HELPER evaluates to false if the HELPERS setting is non-empty
and 'ftp' is not listed in that setting. For example, if you only need FTP and 'ftp' is not listed in that setting. For example, if you only need FTP
access from your 'loc' zone, then add this rule outside of the outer-most access from your 'loc' zone, then add this rule outside of the outer-most
?if....?endif shown above.</para> ?if....?endif shown above.</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/ SWITCH <programlisting>#ACTION SOURCE DESTINATION PROTO DPORT SPORT USER SWITCH
# PORT(S) PORT(S) GROUP
... ...
CT:helper:ftp loc - tcp 21</programlisting> CT:helper:ftp loc - tcp 21</programlisting>
<para> For an overview of Netfilter Helpers and Shorewall's support for <para>For an overview of Netfilter Helpers and Shorewall's support for
dealing with them, see <ulink dealing with them, see <ulink
url="Helpers.html">http://www.shorewall.net/Helpers.html</ulink>.</para> url="Helpers.html">http://www.shorewall.net/Helpers.html</ulink>.</para>
<para>See <ulink <para>See <ulink
url="https://home.regit.org/netfilter-en/secure-use-of-helpers/">https://home.regit.org/netfilter-en/secure-use-of-helpers/</ulink> url="https://home.regit.org/netfilter-en/secure-use-of-helpers/">https://home.regit.org/netfilter-en/secure-use-of-helpers/</ulink>
for additional information. </para> for additional information.</para>
</section> </section>
<section id="Ports"> <section id="Ports">
@ -433,8 +430,7 @@ CT:helper:ftp loc - tcp 21</programlisti
<para><filename>/etc/shorewall/rules:</filename></para> <para><filename>/etc/shorewall/rules:</filename></para>
<programlisting>#ACTION SOURCE DEST PROTO DEST <programlisting>#ACTION SOURCE DEST PROTO DPORT
# PORT(S)
DNAT net loc:192.168.1.2:21 tcp 12345 { helper=ftp }the</programlisting> DNAT net loc:192.168.1.2:21 tcp 12345 { helper=ftp }the</programlisting>
<para>That entry will accept ftp connections on port 12345 from the net <para>That entry will accept ftp connections on port 12345 from the net
@ -442,8 +438,7 @@ DNAT net loc:192.168.1.2:21 tcp 12345 { helper=ft
<para><filename>/etc/shorewall/conntrack:</filename></para> <para><filename>/etc/shorewall/conntrack:</filename></para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/ SWITCH <programlisting>#ACTION SOURCE DESTINATION PROTO DPORT SPORT USER SWITCH
# PORT(S) PORT(S) GROUP
... ...
CT:helper:ftp loc - tcp 12345</programlisting> CT:helper:ftp loc - tcp 12345</programlisting>
@ -531,20 +526,19 @@ options nf_nat_ftp</programlisting>
<para>Otherwise, for FTP you need exactly <emphasis <para>Otherwise, for FTP you need exactly <emphasis
role="bold">one</emphasis> rule:</para> role="bold">one</emphasis> rule:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST SOURCE ORIGINAL <programlisting>#ACTION SOURCE DESTINATION PROTO DPORT SPORT ORIGDEST
# PORT(S) PORT(S) DESTINATION
ACCEPT or &lt;<emphasis>source</emphasis>&gt; &lt;<emphasis>destination</emphasis>&gt; tcp 21 - &lt;external IP addr&gt; if ACCEPT or &lt;<emphasis>source</emphasis>&gt; &lt;<emphasis>destination</emphasis>&gt; tcp 21 - &lt;external IP addr&gt; if
DNAT ACTION = DNAT</programlisting> DNAT ACTION = DNAT</programlisting>
<para>You need an entry in the ORIGINAL DESTINATION column only if the <para>You need an entry in the ORIGDEST column only if the ACTION is DNAT,
ACTION is DNAT, you have multiple external IP addresses and you want a you have multiple external IP addresses and you want a specific IP address
specific IP address to be forwarded to your server.</para> to be forwarded to your server.</para>
<para>Note that you do <emphasis role="bold">NOT </emphasis>need a rule <para>Note that you do <emphasis role="bold">NOT </emphasis>need a rule
with 20 (ftp-data) in the DEST PORT(S) column. If you post your rules on with 20 (ftp-data) in the DPORT column. If you post your rules on the
the mailing list and they show 20 in the DEST PORT(S) column, we will know mailing list and they show 20 in the DPORT column, we will know that you
that you haven't read this article and will either ignore your post or haven't read this article and will either ignore your post or tell you to
tell you to RTFM.</para> RTFM.</para>
<para>Shorewall includes an FTP macro that simplifies creation of FTP <para>Shorewall includes an FTP macro that simplifies creation of FTP
rules. The macro source is in rules. The macro source is in
@ -558,15 +552,13 @@ DNAT ACTION =
<para>Suppose that you run an FTP server on 192.168.1.5 in your local <para>Suppose that you run an FTP server on 192.168.1.5 in your local
zone using the standard port (21). You need this rule:</para> zone using the standard port (21). You need this rule:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST SOURCE ORIGINAL <programlisting>#ACTION SOURCE DESTINATION PROTO DPORT SPORT ORIGDEST
# PORT(S) PORT(S) DESTINATION
FTP(DNAT) net loc:192.168.1.5</programlisting> FTP(DNAT) net loc:192.168.1.5</programlisting>
</example><example id="Example4"> </example><example id="Example4">
<title>Allow your DMZ FTP access to the Internet</title> <title>Allow your DMZ FTP access to the Internet</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST SOURCE ORIGINAL <programlisting>#ACTION SOURCE DESTINATION PROTO DPORT SPORT ORIGDEST
# PORT(S) PORT(S) DESTINATION FTP(ACCEPT) dmz net</programlisting>
FTP(ACCEPT) dmz net</programlisting>
</example></para> </example></para>
<para>Note that the FTP connection tracking in the kernel cannot handle <para>Note that the FTP connection tracking in the kernel cannot handle
@ -588,8 +580,7 @@ WINDOW=46 RES=0x00 ACK PSH URGP=0 OPT (0101080A932DFE0231935CF7) MARK=0x1</progr
<para>I see this problem occasionally with the FTP server in my DMZ. My <para>I see this problem occasionally with the FTP server in my DMZ. My
solution is to add the following rule:</para> solution is to add the following rule:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST SOURCE ORIGINAL <programlisting>#ACTION SOURCE DESTINATION PROTO DPORT SPORT ORIGDEST
# PORT(S) PORT(S) DESTINATION
ACCEPT:info dmz net tcp - 20</programlisting> ACCEPT:info dmz net tcp - 20</programlisting>
<para>The above rule accepts and logs all active mode connections from my <para>The above rule accepts and logs all active mode connections from my


@ -50,7 +50,7 @@
<para>Suppose that we have the following situation:</para> <para>Suppose that we have the following situation:</para>
<graphic fileref="images/TwoNets1.png" /> <graphic fileref="images/TwoNets1.png"/>
<para>We want systems in the 192.168.1.0/24 subnetwork to be able to <para>We want systems in the 192.168.1.0/24 subnetwork to be able to
communicate with the systems in the 10.0.0.0/8 network. This is communicate with the systems in the 10.0.0.0/8 network. This is
@ -91,7 +91,7 @@ vpn tun0 10.255.255.255</programlisting>
<para>In /etc/shorewall/tunnels on system A, we need the following:</para> <para>In /etc/shorewall/tunnels on system A, we need the following:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE <programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
generic:tcp:1071 net 134.28.54.2 generic:tcp:1071 net 134.28.54.2
generic:47 net 134.28.54.2</programlisting> generic:47 net 134.28.54.2</programlisting>
@ -104,7 +104,7 @@ vpn tun0 192.168.1.255</programlisting>
<para>In /etc/shorewall/tunnels on system B, we have:</para> <para>In /etc/shorewall/tunnels on system B, we have:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE <programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
generic:tcp:1071 net 206.191.148.9 generic:tcp:1071 net 206.191.148.9
generic:47 net 206.191.148.9</programlisting> generic:47 net 206.191.148.9</programlisting>


@ -503,8 +503,7 @@ loadmodule nf_conntrack_sane ports=0</programlisting>
limit the scope of the helper. Suppose that your Linux FTP server is limit the scope of the helper. Suppose that your Linux FTP server is
in zone dmz and has address 70.90.191.123.</para> in zone dmz and has address 70.90.191.123.</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT
# PORT(S) PORT(2)
SECTION RELATED SECTION RELATED
ACCEPT all dmz:70.90.191.123 32768: ; helper=ftp # passive FTP to dmz server; /proc/sys/net/ipv4/ip_local_port_range == 32760:65535 ACCEPT all dmz:70.90.191.123 32768: ; helper=ftp # passive FTP to dmz server; /proc/sys/net/ipv4/ip_local_port_range == 32760:65535
ACCEPT dmz:70.90.191.123 all tcp 1024: 20 ; helper=ftp # active FTP to dmz server ACCEPT dmz:70.90.191.123 all tcp 1024: 20 ; helper=ftp # active FTP to dmz server


@ -62,7 +62,7 @@
<para>Suppose that we have the following situation:</para> <para>Suppose that we have the following situation:</para>
<graphic fileref="images/TwoNets1.png" /> <graphic fileref="images/TwoNets1.png"/>
<para>We want systems in the 192.168.1.0/24 subnetwork to be able to <para>We want systems in the 192.168.1.0/24 subnetwork to be able to
communicate with the systems in the 10.0.0.0/8 network. This is communicate with the systems in the 10.0.0.0/8 network. This is
@ -103,12 +103,12 @@ vpn ipv4</programlisting>
<para>On system A, the 10.0.0.0/8 will comprise the <emphasis <para>On system A, the 10.0.0.0/8 will comprise the <emphasis
role="bold">vpn</emphasis> zone. In /etc/shorewall/interfaces:</para> role="bold">vpn</emphasis> zone. In /etc/shorewall/interfaces:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS <programlisting>#ZONE INTERFACE OPTIONS
vpn tosysb 10.255.255.255</programlisting> vpn tosysb</programlisting>
<para>In /etc/shorewall/tunnels on system A, we need the following:</para> <para>In /etc/shorewall/tunnels on system A, we need the following:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE <programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
ipip net 134.28.54.2</programlisting> ipip net 134.28.54.2</programlisting>
<para>This entry in /etc/shorewall/tunnels, opens the firewall so that the <para>This entry in /etc/shorewall/tunnels, opens the firewall so that the
@ -133,12 +133,12 @@ subnet=10.0.0.0/8
<emphasis role="bold">vpn</emphasis> zone. In <emphasis role="bold">vpn</emphasis> zone. In
/etc/shorewall/interfaces:</para> /etc/shorewall/interfaces:</para>
<programlisting>#ZONE INTERFACE BROADCAST <programlisting>#ZONE INTERFACE
vpn tosysa 192.168.1.255</programlisting> vpn tosysa</programlisting>
<para>In /etc/shorewall/tunnels on system B, we have:</para> <para>In /etc/shorewall/tunnels on system B, we have:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE <programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
ipip net 206.191.148.9</programlisting> ipip net 206.191.148.9</programlisting>
<para>And in the tunnel script on system B:</para> <para>And in the tunnel script on system B:</para>


@ -267,16 +267,14 @@
<para><filename><filename>/etc/shorewall/tunnels</filename></filename> <para><filename><filename>/etc/shorewall/tunnels</filename></filename>
System A:</para> System A:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE <programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
ipsec net 134.28.54.2 ipsec net 134.28.54.2</programlisting>
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
<para><filename><filename>/etc/shorewall/tunnels</filename></filename> <para><filename><filename>/etc/shorewall/tunnels</filename></filename>
System B:</para> System B:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE <programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
ipsec net 206.162.148.9 ipsec net 206.162.148.9</programlisting>
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</blockquote> </blockquote>
<note> <note>
@ -295,11 +293,9 @@ ipsec net 206.162.148.9
<para><filename><filename>/etc/shorewall/zones</filename></filename> <para><filename><filename>/etc/shorewall/zones</filename></filename>
Systems A and B:</para> Systems A and B:</para>
<programlisting>#ZONE TYPE OPTIONS IN OUT <programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
# OPTIONS OPTIONS
net ipv4 net ipv4
<emphasis role="bold">vpn ipv4</emphasis> <emphasis role="bold">vpn ipv4</emphasis></programlisting>
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</blockquote> </blockquote>
<para>Remember the assumption that both systems A and B have eth0 as their <para>Remember the assumption that both systems A and B have eth0 as their
@ -315,14 +311,12 @@ net ipv4
<para><filename>/etc/shorewall/hosts</filename> — System A</para> <para><filename>/etc/shorewall/hosts</filename> — System A</para>
<programlisting>#ZONE HOSTS OPTIONS <programlisting>#ZONE HOSTS OPTIONS
vpn eth0:10.0.0.0/8,134.28.54.2 <emphasis role="bold"> ipsec</emphasis> vpn eth0:10.0.0.0/8,134.28.54.2 <emphasis role="bold"> ipsec</emphasis></programlisting>
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
<para><filename>/etc/shorewall/hosts</filename> — System B</para> <para><filename>/etc/shorewall/hosts</filename> — System B</para>
<programlisting>#ZONE HOSTS OPTIONS <programlisting>#ZONE HOSTS OPTIONS
vpn eth0:192.168.1.0/24,206.162.148.9 <emphasis role="bold">ipsec</emphasis> vpn eth0:192.168.1.0/24,206.162.148.9 <emphasis role="bold">ipsec</emphasis></programlisting>
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</blockquote> </blockquote>
<para>Assuming that you want to give each local network free access to the <para>Assuming that you want to give each local network free access to the
@ -330,17 +324,17 @@ vpn eth0:192.168.1.0/24,206.162.148.9 <emphasis role="bold">ips
<filename>/etc/shorewall/policy</filename> entries on each system:</para> <filename>/etc/shorewall/policy</filename> entries on each system:</para>
<blockquote> <blockquote>
<programlisting>#SOURCE DESTINATION POLICY LEVEL BURST:LIMIT <programlisting>#SOURCE DEST POLICY LEVEL BURST:LIMIT
loc vpn ACCEPT loc vpn ACCEPT
vpn loc ACCEPT</programlisting> vpn loc ACCEPT</programlisting>
</blockquote> </blockquote>
<para>If you need access from each firewall to hosts in the other network, <para>If you need access from each firewall to hosts in the other network,
then you could add:</para> then you could add:</para>
<blockquote> <blockquote>
<programlisting>#SOURCE DESTINATION POLICY LEVEL BURST:LIMIT <programlisting>#SOURCE DEST POLICY LEVEL BURST:LIMIT
$FW vpn ACCEPT</programlisting> $FW vpn ACCEPT</programlisting>
</blockquote> </blockquote>
<para>If you need access between the firewall's, you should describe the <para>If you need access between the firewall's, you should describe the
@ -348,7 +342,7 @@ $FW vpn ACCEPT</programlisting>
from System B, add this rule on system A:</para> from System B, add this rule on system A:</para>
<blockquote> <blockquote>
<programlisting>#ACTION SOURCE DESTINATION PROTO POLICY <programlisting>#ACTION SOURCE DEST PROTO POLICY
ACCEPT vpn:134.28.54.2 $FW</programlisting> ACCEPT vpn:134.28.54.2 $FW</programlisting>
</blockquote> </blockquote>
@ -458,8 +452,7 @@ sainfo address 192.168.1.0/24 any address 134.28.54.2/32 any
through an ESP tunnel then the following entry would be through an ESP tunnel then the following entry would be
appropriate:</para> appropriate:</para>
<programlisting>#ZONE TYPE OPTIONS IN OUT <programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
# OPTIONS OPTIONS
sec ipsec mode=tunnel <emphasis role="bold">mss=1400</emphasis></programlisting> sec ipsec mode=tunnel <emphasis role="bold">mss=1400</emphasis></programlisting>
<para>You should also set FASTACCEPT=No in shorewall.conf to ensure <para>You should also set FASTACCEPT=No in shorewall.conf to ensure
@ -493,25 +486,24 @@ sec ipsec mode=tunnel <emphasis role="bold">mss=1400</emphasis
<blockquote> <blockquote>
<para><filename>/etc/shorewall/zones</filename> — System A</para> <para><filename>/etc/shorewall/zones</filename> — System A</para>
<programlisting>#ZONE TYPE OPTIONS IN OUT <programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
# OPTIONS OPTIONS
net ipv4 net ipv4
<emphasis role="bold">vpn ipsec</emphasis> <emphasis role="bold">vpn ipsec</emphasis>
loc ipv4 loc ipv4
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting> </programlisting>
</blockquote> </blockquote>
<para>In this instance, the mobile system (B) has IP address 134.28.54.2 <para>In this instance, the mobile system (B) has IP address 134.28.54.2
but that cannot be determined in advance. In the but that cannot be determined in advance. In the
<filename>/etc/shorewall/tunnels</filename> file on system A, the <filename>/etc/shorewall/tunnels</filename> file on system A, the
following entry should be made:<blockquote> following entry should be made:<blockquote>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE <programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
ipsec net 0.0.0.0/0 vpn ipsec net 0.0.0.0/0 vpn
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting> </programlisting>
</blockquote></para> </blockquote></para>
<para><note> <para><note>
<para>the GATEWAY ZONE column contains the name of the zone <para>the GATEWAY_ZONE column contains the name of the zone
corresponding to peer subnetworks. This indicates that the gateway corresponding to peer subnetworks. This indicates that the gateway
system itself comprises the peer subnetwork; in other words, the system itself comprises the peer subnetwork; in other words, the
remote gateway is a standalone system.</para> remote gateway is a standalone system.</para>
@ -524,8 +516,7 @@ ipsec net 0.0.0.0/0 vpn
<para><filename>/etc/shorewall/hosts</filename> — System A:</para> <para><filename>/etc/shorewall/hosts</filename> — System A:</para>
<programlisting>#ZONE HOSTS OPTIONS <programlisting>#ZONE HOSTS OPTIONS
vpn eth0:0.0.0.0/0 vpn eth0:0.0.0.0/0</programlisting>
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</blockquote> </blockquote>
<para>You will need to configure your <quote>through the tunnel</quote> <para>You will need to configure your <quote>through the tunnel</quote>
@ -536,24 +527,20 @@ vpn eth0:0.0.0.0/0
<blockquote> <blockquote>
<para><filename>/etc/shorewall/zones</filename> - System B:</para> <para><filename>/etc/shorewall/zones</filename> - System B:</para>
<programlisting>#ZONE TYPE OPTIONS IN OUT <programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
# OPTIONS OPTIONS
vpn ipsec vpn ipsec
net ipv4 net ipv4
loc ipv4 loc ipv4</programlisting>
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
<para><filename>/etc/shorewall/tunnels</filename> - System B:</para> <para><filename>/etc/shorewall/tunnels</filename> - System B:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE <programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
ipsec net 206.162.148.9 vpn ipsec net 206.162.148.9 vpn</programlisting>
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
<para><filename>/etc/shorewall/hosts</filename> - System B:</para> <para><filename>/etc/shorewall/hosts</filename> - System B:</para>
<programlisting>#ZONE HOSTS OPTIONS <programlisting>#ZONE HOSTS OPTIONS
vpn eth0:0.0.0.0/0 vpn eth0:0.0.0.0/0</programlisting>
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</blockquote> </blockquote>
<para>On system A, here are the IPsec files:</para> <para>On system A, here are the IPsec files:</para>
@ -716,13 +703,11 @@ RACOON=/usr/sbin/racoon</programlisting>
<blockquote> <blockquote>
<para><filename>/etc/shorewall/zones</filename> — System A</para> <para><filename>/etc/shorewall/zones</filename> — System A</para>
<programlisting>#ZONE TYPE OPTIONS IN OUT <programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
# OPTIONS OPTIONS et ipv4
net ipv4
vpn ipsec vpn ipsec
<emphasis role="bold">l2tp ipv4</emphasis> <emphasis role="bold">l2tp ipv4</emphasis>
loc ipv4 loc ipv4</programlisting>
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</blockquote> </blockquote>
<para>Since the L2TP will require the use of pppd, you will end up with <para>Since the L2TP will require the use of pppd, you will end up with
@ -737,8 +722,7 @@ loc ipv4
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS <programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect routefilter net eth0 detect routefilter
loc eth1 192.168.1.255 loc eth1 192.168.1.255
l2tp ppp+ - l2tp ppp+ -</programlisting>
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</blockquote> </blockquote>
<para>The next thing that must be done is to adjust the policy so that the <para>The next thing that must be done is to adjust the policy so that the
@ -776,7 +760,7 @@ l2tp ppp+ -
<blockquote> <blockquote>
<para><filename>/etc/shorewall/policy</filename>:</para> <para><filename>/etc/shorewall/policy</filename>:</para>
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST <programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
$FW all ACCEPT $FW all ACCEPT
loc net ACCEPT loc net ACCEPT
loc l2tp ACCEPT # Allows local machines to connect to road warriors loc l2tp ACCEPT # Allows local machines to connect to road warriors
@ -784,8 +768,7 @@ l2tp loc ACCEPT # Allows road warriors to connect to loca
l2tp net ACCEPT # Allows road warriors to connect to the Internet l2tp net ACCEPT # Allows road warriors to connect to the Internet
net all DROP info net all DROP info
# The FOLLOWING POLICY MUST BE LAST # The FOLLOWING POLICY MUST BE LAST
all all REJECT info all all REJECT info</programlisting>
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</blockquote> </blockquote>
<para>The final step is to modify your rules file. There are three <para>The final step is to modify your rules file. There are three
@ -802,8 +785,7 @@ all all REJECT info
<blockquote> <blockquote>
<para><filename>/etc/shorewall/rules</filename>:</para> <para><filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT
# PORT(S) PORT(S)
?SECTION ESTABLISHED ?SECTION ESTABLISHED
# Prevent IPsec bypass by hosts behind a NAT gateway # Prevent IPsec bypass by hosts behind a NAT gateway
L2TP(REJECT) net $FW L2TP(REJECT) net $FW
@ -815,8 +797,7 @@ ACCEPT vpn $FW udp 1701
HTTP(ACCEPT) loc $FW HTTP(ACCEPT) loc $FW
HTTP(ACCEPT) l2tp $FW HTTP(ACCEPT) l2tp $FW
HTTPS(ACCEPT) loc $FW HTTPS(ACCEPT) loc $FW
HTTPS(ACCEPT) l2tp $FW HTTPS(ACCEPT) l2tp $FW</programlisting>
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</blockquote> </blockquote>
</section> </section>
@ -890,9 +871,8 @@ spdadd 192.168.20.40/32 192.168.20.10/32 any -P in ipsec esp/transport/192.168.
<blockquote> <blockquote>
<para><filename>/etc/shorewall/interfaces</filename>:</para> <para><filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS <programlisting>#ZONE INTERFACE OPTIONS
net eth0 detect routefilter,dhcp,tcpflags net eth0 routefilter,dhcp,tcpflags</programlisting>
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
<para><filename>/etc/shorewall/tunnels</filename>:</para> <para><filename>/etc/shorewall/tunnels</filename>:</para>
@ -910,8 +890,7 @@ net ipv4</programlisting>
<para><filename><filename>/etc/shorewall/hosts</filename></filename>:</para> <para><filename><filename>/etc/shorewall/hosts</filename></filename>:</para>
<programlisting>#ZONE HOST(S) OPTIONS <programlisting>#ZONE HOST(S) OPTIONS
loc eth0:192.168.20.0/24 loc eth0:192.168.20.0/24</programlisting>
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE</programlisting>
<para>It is worth noting that although <emphasis>loc</emphasis> is a <para>It is worth noting that although <emphasis>loc</emphasis> is a
sub-zone of <emphasis>net</emphasis>, because <emphasis>loc</emphasis> sub-zone of <emphasis>net</emphasis>, because <emphasis>loc</emphasis>
@ -921,15 +900,14 @@ loc eth0:192.168.20.0/24
<para><filename>/etc/shorewall/policy</filename>:</para> <para><filename>/etc/shorewall/policy</filename>:</para>
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST <programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
$FW all ACCEPT $FW all ACCEPT
loc $FW ACCEPT loc $FW ACCEPT
net loc NONE net loc NONE
loc net NONE loc net NONE
net all DROP info net all DROP info
# The FOLLOWING POLICY MUST BE LAST # The FOLLOWING POLICY MUST BE LAST
all all REJECT info all all REJECT info</programlisting>
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
<para>Since there are no cases where net&lt;-&gt;loc traffic should <para>Since there are no cases where net&lt;-&gt;loc traffic should
occur, NONE policies are used.</para> occur, NONE policies are used.</para>


@ -266,13 +266,13 @@ dmz eth2 detect nets=(192.168.1.0/24)</programlisting>
<para>The <filename <para>The <filename
class="directory">/etc/shorewall/</filename><filename>policy</filename> class="directory">/etc/shorewall/</filename><filename>policy</filename>
file included with the three-interface sample has the following policies: file included with the three-interface sample has the following policies:
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST <programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
loc net ACCEPT loc net ACCEPT
net all DROP info net all DROP info
all all REJECT info</programlisting>In the three-interface all all REJECT info</programlisting>In the three-interface
sample, the line below is included but commented out. If you want your sample, the line below is included but commented out. If you want your
firewall system to have full access to servers on the Internet, uncomment firewall system to have full access to servers on the Internet, uncomment
that line. <programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST that line. <programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
$FW net ACCEPT</programlisting> The above policies will: $FW net ACCEPT</programlisting> The above policies will:
<itemizedlist> <itemizedlist>
<listitem> <listitem>
@ -316,8 +316,7 @@ $FW net ACCEPT</programlisting> The above policies will:
url="manpages/shorewall-rules.html"><filename url="manpages/shorewall-rules.html"><filename
class="directory">/etc/shorewall/</filename><filename>rules</filename>:</ulink></para> class="directory">/etc/shorewall/</filename><filename>rules</filename>:</ulink></para>
<programlisting>#ACTION SOURCE DEST PROTO DEST <programlisting>#ACTION SOURCE DEST PROTO DPORT
# PORT(S)
ACCEPT net $FW tcp 22</programlisting> ACCEPT net $FW tcp 22</programlisting>
<para>So although you have a policy of ignoring all connection attempts <para>So although you have a policy of ignoring all connection attempts


@ -68,10 +68,10 @@
optional interfaces for the 'net' zone in optional interfaces for the 'net' zone in
<filename>/etc/shorewall/interfaces</filename>.</para> <filename>/etc/shorewall/interfaces</filename>.</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS <programlisting>#ZONE INTERFACE OPTIONS
net eth0 detect optional,… net eth0 optional,…
net wlan0 detect optional,… net wlan0 optional,…
net ppp0 - optional,…</programlisting> net ppp0 optional,…</programlisting>
<para>With this configuration, access to the 'net' zone is possible <para>With this configuration, access to the 'net' zone is possible
regardless of which of the interfaces is being used.</para> regardless of which of the interfaces is being used.</para>


@ -172,22 +172,20 @@ MACLIST_LOG_LEVEL=info</programlisting>
<para>/etc/shorewall/interfaces:</para> <para>/etc/shorewall/interfaces:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS <programlisting>#ZONE INTERFACE OPTIONS
net $EXT_IF 206.124.146.255 dhcp,routefilter,logmartians,blacklist,tcpflags,nosmurfs net $EXT_IF dhcp,routefilter,logmartians,blacklist,tcpflags,nosmurfs
loc $INT_IF 192.168.1.255 dhcp loc $INT_IF dhcp
dmz $DMZ_IF - dmz $DMZ_IF
vpn tun+ - vpn tun+
Wifi $WIFI_IF - maclist,dhcp Wifi $WIFI_IF maclist,dhcp</programlisting>
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
<para>/etc/shorewall/maclist:</para> <para>etc/shorewall/maclist:</para>
<programlisting>#DISPOSITION INTERFACE MAC IP ADDRESSES (Optional) <programlisting>#DISPOSITION INTERFACE MAC IP ADDRESSES (Optional)
ACCEPT $WIFI_IF 00:04:5e:3f:85:b9 #WAP11 ACCEPT $WIFI_IF 00:04:5e:3f:85:b9 #WAP11
ACCEPT $WIFI_IF 00:06:25:95:33:3c #WET11 ACCEPT $WIFI_IF 00:06:25:95:33:3c #WET11
ACCEPT $WIFI_IF 00:0b:4d:53:cc:97 192.168.3.8 #TIPPER ACCEPT $WIFI_IF 00:0b:4d:53:cc:97 192.168.3.8 #TIPPER
ACCEPT $WIFI_IF 00:1f:79:cd:fe:2e 192.168.3.6 #Work Laptop ACCEPT $WIFI_IF 00:1f:79:cd:fe:2e 192.168.3.6 #Work Laptop</programlisting>
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
<para>As shown above, I used MAC Verification on my wireless zone that <para>As shown above, I used MAC Verification on my wireless zone that
was served by a Linksys WET11 wireless bridge.</para> was served by a Linksys WET11 wireless bridge.</para>


@ -469,7 +469,7 @@ ACCEPT $FW loc tcp 135,139,445</programlist
</listitem> </listitem>
<listitem> <listitem>
<para>ORIGINAL DEST (Shorewall-perl 4.2.0 and later)</para> <para>ORIGDEST (Shorewall-perl 4.2.0 and later)</para>
<para>To use this column, you must include 'FORMAT 2' as the first <para>To use this column, you must include 'FORMAT 2' as the first
non-comment line in your macro file.</para> non-comment line in your macro file.</para>


@ -195,16 +195,14 @@ sub Knock {
<para>The rule from the Port Knocking article:</para> <para>The rule from the Port Knocking article:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
SSHKnock net $FW tcp 22,1599,1600,1601 SSHKnock net $FW tcp 22,1599,1600,1601
</programlisting> </programlisting>
<para>becomes:<programlisting>PERL Knock 'net', '$FW', {target =&gt; 22, knocker =&gt; 1600, trap =&gt; [1599, 1601]};</programlisting>Similarly<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL <para>becomes:<programlisting>PERL Knock 'net', '$FW', {target =&gt; 22, knocker =&gt; 1600, trap =&gt; [1599, 1601]};</programlisting>Similarly<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
# PORT(S) DEST
DNAT- net 192.168.1.5 tcp 22 - 206.124.146.178 DNAT- net 192.168.1.5 tcp 22 - 206.124.146.178
SSHKnock net $FW tcp 1599,1600,1601 SSHKnock net $FW tcp 1599,1600,1601
SSHKnock net loc:192.168.1.5 tcp 22 - 206.124.146.178</programlisting>becomes:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL SSHKnock net loc:192.168.1.5 tcp 22 - 206.124.146.178</programlisting>becomes:<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
# PORT(S) DEST
DNAT- net 192.168.1.5 tcp 22 - 206.124.146.178 DNAT- net 192.168.1.5 tcp 22 - 206.124.146.178
PERL Knock 'net', '$FW', {name =&gt; 'SSH', knocker =&gt; 1600, trap =&gt; [1599, 1601]}; PERL Knock 'net', '$FW', {name =&gt; 'SSH', knocker =&gt; 1600, trap =&gt; [1599, 1601]};


@ -892,7 +892,7 @@ net eth1 detect …</programlisting>
<para><filename>/etc/shorewall/policy</filename>:</para> <para><filename>/etc/shorewall/policy</filename>:</para>
<programlisting>#SOURCE DESTINATION POLICY LIMIT:BURST <programlisting>#SOURCE DESTINATION POLICY LOGLEVEL LIMIT
net net DROP</programlisting> net net DROP</programlisting>
<para><filename>/etc/shorewall/masq</filename>:</para> <para><filename>/etc/shorewall/masq</filename>:</para>
@ -913,15 +913,13 @@ eth1 0.0.0.0/0 130.252.99.27</programlisting>
later, you would make this entry in <ulink later, you would make this entry in <ulink
url="manpages/shorewall-mangle.html">/etc/shorewall/mangle</ulink>.</para> url="manpages/shorewall-mangle.html">/etc/shorewall/mangle</ulink>.</para>
<programlisting>#ACTION SOURCE DEST PROTO PORT(S) CLIENT USER TEST <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
# PORT(S)
MARK(2):P &lt;local network&gt; 0.0.0.0/0 tcp 25</programlisting> MARK(2):P &lt;local network&gt; 0.0.0.0/0 tcp 25</programlisting>
<para>Note that traffic from the firewall itself must be handled in a <para>Note that traffic from the firewall itself must be handled in a
different rule:</para> different rule:</para>
<programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
# PORT(S)
MARK(2) $FW 0.0.0.0/0 tcp 25</programlisting> MARK(2) $FW 0.0.0.0/0 tcp 25</programlisting>
<para>If you are running a Shorewall version earlier than 4.6.0, the <para>If you are running a Shorewall version earlier than 4.6.0, the
@ -929,14 +927,12 @@ MARK(2) $FW 0.0.0.0/0 tcp 25</programlisting>
url="manpages4/manpages/shorewall-tcrules.html">/etc/shorewall/tcrules</ulink> url="manpages4/manpages/shorewall-tcrules.html">/etc/shorewall/tcrules</ulink>
would be:</para> would be:</para>
<programlisting>#ACTION SOURCE DEST PROTO PORT(S) CLIENT USER TEST <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
# PORT(S)
2:P &lt;local network&gt; 0.0.0.0/0 tcp 25</programlisting> 2:P &lt;local network&gt; 0.0.0.0/0 tcp 25</programlisting>
<para>And for traffic from the firewall:</para> <para>And for traffic from the firewall:</para>
<programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
# PORT(S)
2 $FW 0.0.0.0/0 tcp 25</programlisting> 2 $FW 0.0.0.0/0 tcp 25</programlisting>
</section> </section>
@ -951,8 +947,7 @@ MARK(2) $FW 0.0.0.0/0 tcp 25</programlisting>
<para><filename>/etc/shorewall/rules</filename>:</para> <para><filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
# PORTS(S) DEST
DNAT net loc:192.168.1.3 tcp 25</programlisting> DNAT net loc:192.168.1.3 tcp 25</programlisting>
<para>Continuing the above example, to forward only connection requests <para>Continuing the above example, to forward only connection requests
@ -962,19 +957,16 @@ DNAT net loc:192.168.1.3 tcp 25</programlisting
<listitem> <listitem>
<para>Qualify the SOURCE by ISP 1's interface:</para> <para>Qualify the SOURCE by ISP 1's interface:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
# PORTS(S) DEST
DNAT net<emphasis role="bold">:eth0</emphasis> loc:192.168.1.3 tcp 25</programlisting> DNAT net<emphasis role="bold">:eth0</emphasis> loc:192.168.1.3 tcp 25</programlisting>
<para>or</para> <para>or</para>
</listitem> </listitem>
<listitem> <listitem>
<para>Specify the IP address of ISP 1 in the ORIGINAL DEST <para>Specify the IP address of ISP 1 in the ORIGDEST column:</para>
column:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
# PORTS(S) DEST
DNAT net loc:192.168.1.3 tcp 25 <emphasis DNAT net loc:192.168.1.3 tcp 25 <emphasis
role="bold">- 206.124.146.176</emphasis></programlisting> role="bold">- 206.124.146.176</emphasis></programlisting>
</listitem> </listitem>
@ -2573,8 +2565,7 @@ wireless 3 3 - wlan0 172.20.1.1 track,o
role="bold">avvanta</emphasis> provider.</para> role="bold">avvanta</emphasis> provider.</para>
<para>Here is the mangle file (MARK_IN_FORWARD_CHAIN=No in <para>Here is the mangle file (MARK_IN_FORWARD_CHAIN=No in
<filename>shorewall.conf</filename>):<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER <filename>shorewall.conf</filename>):<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER
# PORT(S) PORT(S)
MARK(2) $FW 0.0.0.0/0 tcp 21 MARK(2) $FW 0.0.0.0/0 tcp 21
MARK(2) $FW 0.0.0.0/0 tcp - - - - - - - ftp MARK(2) $FW 0.0.0.0/0 tcp - - - - - - - ftp
MARK(2) $FW 0.0.0.0/0 tcp 119</programlisting></para> MARK(2) $FW 0.0.0.0/0 tcp 119</programlisting></para>
@ -2583,8 +2574,7 @@ MARK(2) $FW 0.0.0.0/0 tcp 119</programlistin
switching to using a mangle file (<command>shorewall update -t</command> switching to using a mangle file (<command>shorewall update -t</command>
will do that for you). Here are the equivalent tcrules entries:</para> will do that for you). Here are the equivalent tcrules entries:</para>
<programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST LENGTH TOS CONNBYTES HELPER <programlisting>#MARK SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER
# PORT(S)
2 $FW 0.0.0.0/0 tcp 21 2 $FW 0.0.0.0/0 tcp 21
2 $FW 0.0.0.0/0 tcp - - - - - - - ftp 2 $FW 0.0.0.0/0 tcp - - - - - - - ftp
2 $FW 0.0.0.0/0 tcp 119</programlisting> 2 $FW 0.0.0.0/0 tcp 119</programlisting>
@ -2603,8 +2593,7 @@ MARK(2) $FW 0.0.0.0/0 tcp 119</programlistin
<para>The same rules converted to use the mangle file are:</para> <para>The same rules converted to use the mangle file are:</para>
<programlisting>#ACTION SOURCE DEST PROTO PORT(S) CLIENT USER TEST LENGTH TOS CONNBYTES HELPER <programlisting>#MARK SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER
# PORT(S)
MARK(2) $FW 0.0.0.0/0 tcp 21 MARK(2) $FW 0.0.0.0/0 tcp 21
MARK(2) $FW 0.0.0.0/0 tcp - - - - - - - ftp MARK(2) $FW 0.0.0.0/0 tcp - - - - - - - ftp
MARK(2) $FW 0.0.0.0/0 tcp 119</programlisting> MARK(2) $FW 0.0.0.0/0 tcp 119</programlisting>
@ -2612,8 +2601,7 @@ MARK(2) $FW 0.0.0.0/0 tcp 119</programlisting>
<para>The remaining files are for a rather standard two-interface config <para>The remaining files are for a rather standard two-interface config
with a bridge as the local interface.</para> with a bridge as the local interface.</para>
<para><filename>zones</filename>:<programlisting>#ZONE IPSEC OPTIONS IN OUT <para><filename>zones</filename>:<programlisting>#ZONE IPSEC OPTIONS IN_OPTIONS OUT_OPTIONS
# ONLY OPTIONS OPTIONS
fw firewall fw firewall
net ipv4 net ipv4
kvm ipv4</programlisting><filename>policy</filename>:<programlisting>net net NONE kvm ipv4</programlisting><filename>policy</filename>:<programlisting>net net NONE
@ -2623,17 +2611,17 @@ kvm all ACCEPT
net all DROP info net all DROP info
all all REJECT info</programlisting></para> all all REJECT info</programlisting></para>
<para>interfaces:<programlisting>#ZONE INTERFACE BROADCAST OPTIONS GATEWAY <para>interfaces:<programlisting>#ZONE INTERFACE OPTIONS
# #
net eth0 detect dhcp,tcpflags,routefilter,blacklist,logmartians,optional,arp_ignore net eth0 dhcp,tcpflags,routefilter,blacklist,logmartians,optional,arp_ignore
net wlan0 detect dhcp,tcpflags,routefilter,blacklist,logmartians,optional net wlan0 dhcp,tcpflags,routefilter,blacklist,logmartians,optional
kvm br0 detect routeback #Virtual Machines</programlisting><note> kvm br0 routeback #Virtual Machines</programlisting><note>
<para><filename class="devicefile">wlan0</filename> is the wireless <para><filename class="devicefile">wlan0</filename> is the wireless
adapter in the notebook. Used when the laptop is in our home but not adapter in the notebook. Used when the laptop is in our home but not
connected to the wired network.</para> connected to the wired network.</para>
</note></para> </note></para>
<para>masq:<programlisting>#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC <para>masq:<programlisting>#INTERFACE SUBNET ADDRESS PROTO DPORT IPSEC
eth0 192.168.0.0/24 eth0 192.168.0.0/24
wlan0 192.168.0.0/24</programlisting><note> wlan0 192.168.0.0/24</programlisting><note>
<para>Because the firewall has only a single external IP address, I <para>Because the firewall has only a single external IP address, I
@ -2815,7 +2803,7 @@ dmz ip #LXC Containers</programlisting>
<para><filename>/etc/shorewall/interfaces</filename>:</para> <para><filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting>#ZONE INTERFACE OPTIONS <programlisting>#ZONE INTERFACE OPTIONS
loc INT_IF dhcp,physical=$INT_IF,ignore=1,wait=5,routefilter,nets=172.20.1.0/24,routeback loc INT_IF dhcp,physical=$INT_IF,ignore=1,wait=5,routefilter,nets=172.20.1.0/24,routeback
net COMB_IF optional,sourceroute=0,routefilter=0,arp_ignore=1,proxyarp=0,physical=$COMB_IF,upnp,nosmurfs,tcpflags net COMB_IF optional,sourceroute=0,routefilter=0,arp_ignore=1,proxyarp=0,physical=$COMB_IF,upnp,nosmurfs,tcpflags
net COMC_IF optional,sourceroute=0,routefilter=0,arp_ignore=1,proxyarp=0,physical=$COMC_IF,upnp,nosmurfs,tcpflags,dhcp net COMC_IF optional,sourceroute=0,routefilter=0,arp_ignore=1,proxyarp=0,physical=$COMC_IF,upnp,nosmurfs,tcpflags,dhcp
@ -2881,9 +2869,7 @@ root@gateway:~# </programlisting>
<para><filename>/etc/shorewall/mangle</filename> is not used to support <para><filename>/etc/shorewall/mangle</filename> is not used to support
Multi-ISP:</para> Multi-ISP:</para>
<programlisting>#MARK SOURCE DEST PROTO DEST SOURCE <programlisting>#MARK SOURCE DEST PROTO DPORT SPORT
# PORT(S) PORT(S)
FORMAT 2
TTL(+1):P INT_IF - TTL(+1):P INT_IF -
SAME:P INT_IF - tcp 80,443 SAME:P INT_IF - tcp 80,443
?if $PROXY &amp;&amp; ! $SQUID2 ?if $PROXY &amp;&amp; ! $SQUID2


@ -114,7 +114,7 @@
of this discussion, it makes no difference.</para> of this discussion, it makes no difference.</para>
</note> </note>
<graphic fileref="images/MultiZone1.png" /> <graphic fileref="images/MultiZone1.png"/>
<section id="Standard"> <section id="Standard">
<title>Can You Use the Standard Configuration?</title> <title>Can You Use the Standard Configuration?</title>
@ -183,7 +183,7 @@
all hosts connected to eth1 and a second zone <quote>loc1</quote> all hosts connected to eth1 and a second zone <quote>loc1</quote>
(192.168.2.0/24) as a sub-zone.</para> (192.168.2.0/24) as a sub-zone.</para>
<graphic fileref="images/MultiZone1A.png" /> <graphic fileref="images/MultiZone1A.png"/>
<para><note> <para><note>
<para>The Router in the above diagram is assumed to NOT be doing <para>The Router in the above diagram is assumed to NOT be doing
@ -209,7 +209,7 @@ loc1:loc ipv4</programlisting>
<para><filename>/etc/shorewall/interfaces</filename></para> <para><filename>/etc/shorewall/interfaces</filename></para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS <programlisting>#ZONE INTERFACE OPTIONS
loc eth1 -</programlisting> loc eth1 -</programlisting>
<para><filename>/etc/shorewall/hosts</filename></para> <para><filename>/etc/shorewall/hosts</filename></para>
@ -234,7 +234,7 @@ loc1 loc NONE</programlisting>
<para>You define both zones in the /etc/shorewall/hosts file to create <para>You define both zones in the /etc/shorewall/hosts file to create
two disjoint zones.</para> two disjoint zones.</para>
<graphic fileref="images/MultiZone1B.png" /> <graphic fileref="images/MultiZone1B.png"/>
<para><note> <para><note>
<para>The Router in the above diagram is assumed to NOT be doing <para>The Router in the above diagram is assumed to NOT be doing
@ -247,8 +247,8 @@ loc2 ipv4</programlisting>
<para><filename>/etc/shorewall/interfaces</filename></para> <para><filename>/etc/shorewall/interfaces</filename></para>
<programlisting>#ZONE INTERFACE BROADCAST <programlisting>#ZONE INTERFACE OPTIONS
- eth1 192.168.1.255 - eth1 -
</programlisting> </programlisting>
<para><filename>/etc/shorewall/hosts</filename></para> <para><filename>/etc/shorewall/hosts</filename></para>
@ -274,7 +274,7 @@ loc2 loc1 NONE</programlisting>
<para>There are cases where a subset of the addresses associated with an <para>There are cases where a subset of the addresses associated with an
interface need special handling. Here's an example.</para> interface need special handling. Here's an example.</para>
<graphic fileref="images/MultiZone2.png" /> <graphic fileref="images/MultiZone2.png"/>
<para>In this example, addresses 192.168.1.8 - 192.168.1.15 <para>In this example, addresses 192.168.1.8 - 192.168.1.15
(192.168.1.8/29) are to be treated as their own zone (loc1).</para> (192.168.1.8/29) are to be treated as their own zone (loc1).</para>
@ -287,8 +287,8 @@ loc1:loc ipv4</programlisting>
<para><filename>/etc/shorewall/interfaces</filename></para> <para><filename>/etc/shorewall/interfaces</filename></para>
<programlisting>#ZONE INTERFACE BROADCAST <programlisting>#ZONE INTERFACE
loc eth1 -</programlisting> loc eth1</programlisting>
<para><filename>/etc/shorewall/hosts</filename><programlisting>#ZONE HOSTS OPTIONS <para><filename>/etc/shorewall/hosts</filename><programlisting>#ZONE HOSTS OPTIONS
loc1 eth1:192.168.1.8/29 broadcast</programlisting></para> loc1 eth1:192.168.1.8/29 broadcast</programlisting></para>
@ -326,7 +326,7 @@ loc1 loc NONE</programlisting>
<quote>loc</quote> zone are configured with their default gateway set to <quote>loc</quote> zone are configured with their default gateway set to
the Shorewall router's RFC1918 address.</para> the Shorewall router's RFC1918 address.</para>
<para><graphic fileref="images/MultiZone3.png" /></para> <para><graphic fileref="images/MultiZone3.png"/></para>
<para><filename>/etc/shorewall/zones</filename></para> <para><filename>/etc/shorewall/zones</filename></para>
@ -336,8 +336,8 @@ loc:net ipv4</programlisting>
<para><filename>/etc/shorewall/interfaces</filename></para> <para><filename>/etc/shorewall/interfaces</filename></para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS <programlisting>#ZONE INTERFACE OPTIONS
net eth0 detect routefilter</programlisting> net eth0 routefilter</programlisting>
<para><filename>/etc/shorewall/hosts</filename></para> <para><filename>/etc/shorewall/hosts</filename></para>


@ -494,8 +494,7 @@ tarpit inline # Wrapper for TARPIT
<section> <section>
<title>/etc/shorewall/action.Mirrors</title> <title>/etc/shorewall/action.Mirrors</title>
<para><programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE <para><programlisting>#TARGET SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE
# PORT PORT(S) DEST LIMIT
?COMMENT Accept traffic from Mirrors ?COMMENT Accept traffic from Mirrors
?FORMAT 2 ?FORMAT 2
DEFAULTS - DEFAULTS -
@ -508,8 +507,7 @@ $1 $MIRRORS
<section> <section>
<title>/etc/shorewall/action.tarpit</title> <title>/etc/shorewall/action.tarpit</title>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH HELPER
# PORT PORT(S) DEST LIMIT GROUP
$LOG { rate=s:1/min } $LOG { rate=s:1/min }
TARPIT TARPIT
</programlisting> </programlisting>
@ -520,7 +518,8 @@ TARPIT
<section id="zones"> <section id="zones">
<title>/etc/shorewall/zones</title> <title>/etc/shorewall/zones</title>
<para><programlisting>fw firewall <para><programlisting>#ZONE TYPE
fw firewall
loc ip #Local Zone loc ip #Local Zone
net ipv4 #Internet net ipv4 #Internet
dmz ipv4 #LXC Containers dmz ipv4 #LXC Containers
@ -531,7 +530,7 @@ smc:net ip #10.0.1.0/24
<section id="interfaces"> <section id="interfaces">
<title>/etc/shorewall/interfaces</title> <title>/etc/shorewall/interfaces</title>
<para><programlisting>#ZONE INTERFACE BROADCAST OPTIONS <para><programlisting>#ZONE INTERFACE OPTIONS
loc INT_IF dhcp,physical=$INT_IF,ignore=1,wait=5,routefilter,nets=172.20.1.0/24,routeback,tcpflags=0 loc INT_IF dhcp,physical=$INT_IF,ignore=1,wait=5,routefilter,nets=172.20.1.0/24,routeback,tcpflags=0
net COMB_IF optional,sourceroute=0,routefilter=0,arp_ignore=1,proxyarp=0,physical=$COMB_IF,upnp,nosmurfs,tcpflags net COMB_IF optional,sourceroute=0,routefilter=0,arp_ignore=1,proxyarp=0,physical=$COMB_IF,upnp,nosmurfs,tcpflags
net COMC_IF optional,sourceroute=0,routefilter=0,arp_ignore=1,proxyarp=0,physical=$COMC_IF,upnp,nosmurfs,tcpflags,dhcp net COMC_IF optional,sourceroute=0,routefilter=0,arp_ignore=1,proxyarp=0,physical=$COMC_IF,upnp,nosmurfs,tcpflags,dhcp
@ -552,8 +551,7 @@ smc COMC_IF:10.0.0.0/24
<section id="policy"> <section id="policy">
<title>/etc/shorewall/policy</title> <title>/etc/shorewall/policy</title>
<para><programlisting>#SOURCE DEST POLICY LOG LIMIT:BURST <para><programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
# LEVEL
$FW dmz REJECT $LOG $FW dmz REJECT $LOG
$FW net REJECT $LOG $FW net REJECT $LOG
?else ?else
@ -577,8 +575,7 @@ all all REJECT:Reject $LOG
<section id="accounting"> <section id="accounting">
<title>/etc/shorewall/accounting</title> <title>/etc/shorewall/accounting</title>
<para><programlisting>#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/ MARK IPSEC <para><programlisting>#ACTION CHAIN SOURCE DESTINATION PROTO DPORT SPORT USER MARK IPSEC
# PORT(S) PORT(S) GROUP
?COMMENT ?COMMENT
?SECTION PREROUTING ?SECTION PREROUTING
?SECTION INPUT ?SECTION INPUT
@ -604,7 +601,8 @@ ACCOUNT(loc-net,$INT_NET) - INT_IF COMB_IF
<section id="blacklist"> <section id="blacklist">
<title>/etc/shorewall/blrules</title> <title>/etc/shorewall/blrules</title>
<para><programlisting>WHITELIST net:70.90.191.126 all <para><programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH
WHITELIST net:70.90.191.126 all
BLACKLIST net:+blacklist all BLACKLIST net:+blacklist all
BLACKLIST net all udp 1023:1033,1434,5948,23773 BLACKLIST net all udp 1023:1033,1434,5948,23773
DROP net all tcp 57,1433,1434,2401,2745,3127,3306,3410,4899,5554,5948,6101,8081,9898,23773 DROP net all tcp 57,1433,1434,2401,2745,3127,3306,3410,4899,5554,5948,6101,8081,9898,23773
@ -714,8 +712,7 @@ br0 70.90.191.120/29 70.90.191.121
<title>/etc/shorewall/conntrack</title> <title>/etc/shorewall/conntrack</title>
<para><programlisting>?FORMAT 2 <para><programlisting>?FORMAT 2
#ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/ #ACTION SOURCE DEST PROTO DPORT SPORT
# PORT(S) PORT(S) GROUP
# #
DROP net - udp 3551 DROP net - udp 3551
NOTRACK net - tcp 23 NOTRACK net - tcp 23
@ -818,8 +815,7 @@ br0 - ComcastB 11000
<section id="routestopped"> <section id="routestopped">
<title>/etc/shorewall/stoppedrules</title> <title>/etc/shorewall/stoppedrules</title>
<para><programlisting>#TARGET HOST(S) DEST PROTO DEST SOURCE <para><programlisting>#TARGET HOST(S) DEST PROTO DPORT SPORT
# PORT(S) PORT(S)
ACCEPT INT_IF:172.20.1.0/24 $FW ACCEPT INT_IF:172.20.1.0/24 $FW
NOTRACK COMB_IF - 41 NOTRACK COMB_IF - 41
NOTRACK $FW COMB_IF 41 NOTRACK $FW COMB_IF 41
@ -832,9 +828,7 @@ ACCEPT COMC_IF $FW udp 67:68</programlistin
<title>/etc/shorewall/rules</title> <title>/etc/shorewall/rules</title>
<para><programlisting>################################################################################################################################################################################################ <para><programlisting>################################################################################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH
# PORT(S) PORT(S) DEST LIMIT GROUP
################################################################################################################################################################################################
?if $VERSION &lt; 40500 ?if $VERSION &lt; 40500
?SHELL echo " ERROR: Shorewall version is too low" &gt;&amp;2; exit 1 ?SHELL echo " ERROR: Shorewall version is too low" &gt;&amp;2; exit 1
?endif ?endif


@ -60,7 +60,7 @@
<para>The following figure represents a one-to-one NAT environment.</para> <para>The following figure represents a one-to-one NAT environment.</para>
<graphic fileref="images/staticnat.png" /> <graphic fileref="images/staticnat.png"/>
<para>One-to-one NAT can be used to make the systems with the 10.1.1.* <para>One-to-one NAT can be used to make the systems with the 10.1.1.*
addresses appear to be on the upper (130.252.100.*) subnet. If we assume addresses appear to be on the upper (130.252.100.*) subnet. If we assume
@ -73,7 +73,7 @@
internal host(s) — such traffic is still subject to your policies and internal host(s) — such traffic is still subject to your policies and
rules.</para> rules.</para>
<para><filename>/etc/shorewall/nat</filename><programlisting>#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL <para><filename>/etc/shorewall/nat</filename><programlisting>#EXTERNAL INTERFACE INTERNAL ALLINTS LOCAL
130.252.100.18 eth0 10.1.1.2 no no 130.252.100.18 eth0 10.1.1.2 no no
130.252.100.19 eth0 10.1.1.3 no no</programlisting></para> 130.252.100.19 eth0 10.1.1.3 no no</programlisting></para>
@ -105,7 +105,7 @@
<quote>yes</quote> then you must NOT configure your own <quote>yes</quote> then you must NOT configure your own
alias(es).</para> alias(es).</para>
<para></para> <para/>
</note> </note>
<note> <note>
@ -126,8 +126,7 @@
would need the following entry in would need the following entry in
<filename>/etc/shorewall/rules</filename>:</para> <filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIG <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
# PORT(S) PORT(S) DEST
ACCEPT net loc:10.1.1.2 tcp 80 - 130.252.100.18</programlisting> ACCEPT net loc:10.1.1.2 tcp 80 - 130.252.100.18</programlisting>
</section> </section>


@ -68,8 +68,8 @@
<orderedlist> <orderedlist>
<listitem> <listitem>
<para>It is widely supported -- I run it on both Linux and Windows <para>It is widely supported -- I run it on both Linux and
XP.</para> Windows.</para>
</listitem> </listitem>
<listitem> <listitem>
@ -97,7 +97,7 @@
<para>Suppose that we have the following situation:</para> <para>Suppose that we have the following situation:</para>
<graphic fileref="images/TwoNets1.png" /> <graphic fileref="images/TwoNets1.png"/>
<para>We want systems in the 192.168.1.0/24 subnetwork to be able to <para>We want systems in the 192.168.1.0/24 subnetwork to be able to
communicate with the systems in the 10.0.0.0/8 network. This is communicate with the systems in the 10.0.0.0/8 network. This is
@ -118,8 +118,7 @@
<para><filename>/etc/shorewall/zones</filename> — Systems A &amp; <para><filename>/etc/shorewall/zones</filename> — Systems A &amp;
B</para> B</para>
<programlisting>#ZONE TYPE OPTIONS IN OUT <programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
# OPTIONS OPTIONS
vpn ipv4</programlisting> vpn ipv4</programlisting>
</blockquote> </blockquote>
@ -130,7 +129,7 @@ vpn ipv4</programlisting>
<para>In <filename>/etc/shorewall/interfaces</filename> on system <para>In <filename>/etc/shorewall/interfaces</filename> on system
A:</para> A:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS <programlisting>#ZONE INTERFACE OPTIONS
vpn tun0</programlisting> vpn tun0</programlisting>
</blockquote> </blockquote>
@ -138,7 +137,7 @@ vpn tun0</programlisting>
the following:</para> the following:</para>
<blockquote> <blockquote>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE <programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
openvpn net 134.28.54.2</programlisting> openvpn net 134.28.54.2</programlisting>
</blockquote> </blockquote>
@ -150,7 +149,7 @@ openvpn net 134.28.54.2</programlisting>
<blockquote> <blockquote>
<para>/etc/shorewall/tunnels with port 7777:</para> <para>/etc/shorewall/tunnels with port 7777:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE <programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
openvpn:7777 net 134.28.54.2</programlisting> openvpn:7777 net 134.28.54.2</programlisting>
</blockquote> </blockquote>
@ -161,7 +160,7 @@ openvpn:7777 net 134.28.54.2</programlisting>
<blockquote> <blockquote>
<para>/etc/shorewall/tunnels using TCP:</para> <para>/etc/shorewall/tunnels using TCP:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE <programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
openvpn:tcp net 134.28.54.2</programlisting> openvpn:tcp net 134.28.54.2</programlisting>
</blockquote> </blockquote>
@ -170,7 +169,7 @@ openvpn:tcp net 134.28.54.2</programlisting>
<blockquote> <blockquote>
<para>/etc/shorewall/tunnels using TCP port 7777:</para> <para>/etc/shorewall/tunnels using TCP port 7777:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE <programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
openvpn:tcp:7777 net 134.28.54.2</programlisting> openvpn:tcp:7777 net 134.28.54.2</programlisting>
</blockquote> </blockquote>
@ -206,7 +205,7 @@ vpn tun0 </programlisting>
have:</para> have:</para>
<blockquote> <blockquote>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE <programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
openvpn net 206.191.148.9</programlisting> openvpn net 206.191.148.9</programlisting>
</blockquote> </blockquote>
@ -249,7 +248,7 @@ vpn loc ACCEPT</programlisting>
<para>OpenVPN 2.0 provides excellent support for roadwarriors. Consider <para>OpenVPN 2.0 provides excellent support for roadwarriors. Consider
the setup in the following diagram:</para> the setup in the following diagram:</para>
<graphic fileref="images/Mobile.png" /> <graphic fileref="images/Mobile.png"/>
<para>On the gateway system (System A), we need a zone to represent the <para>On the gateway system (System A), we need a zone to represent the
remote clients — we'll call that zone <quote>road</quote>.</para> remote clients — we'll call that zone <quote>road</quote>.</para>
@ -257,8 +256,7 @@ vpn loc ACCEPT</programlisting>
<blockquote> <blockquote>
<para><filename>/etc/shorewall/zones</filename> — System A:</para> <para><filename>/etc/shorewall/zones</filename> — System A:</para>
<programlisting>#ZONE TYPE OPTIONS IN OUT <programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
# OPTIONS OPTIONS
road ipv4</programlisting> road ipv4</programlisting>
</blockquote> </blockquote>
@ -269,7 +267,7 @@ road ipv4</programlisting>
<para>In <filename>/etc/shorewall/interfaces</filename> on system <para>In <filename>/etc/shorewall/interfaces</filename> on system
A:</para> A:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS <programlisting>#ZONE INTERFACE OPTIONS
road tun+</programlisting> road tun+</programlisting>
</blockquote> </blockquote>
@ -277,7 +275,7 @@ road tun+</programlisting>
the following:</para> the following:</para>
<blockquote> <blockquote>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE <programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
openvpn:1194 net 0.0.0.0/0</programlisting> openvpn:1194 net 0.0.0.0/0</programlisting>
</blockquote> </blockquote>
@ -288,7 +286,7 @@ openvpn:1194 net 0.0.0.0/0</programlisting>
uses NAT.</para> uses NAT.</para>
<blockquote> <blockquote>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE <programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
openvpnserver:1194 net 0.0.0.0/0</programlisting> openvpnserver:1194 net 0.0.0.0/0</programlisting>
</blockquote> </blockquote>
@ -363,7 +361,7 @@ home tun0</programlisting>
the following:</para> the following:</para>
<blockquote> <blockquote>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE <programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
openvpn:1194 net 206.162.148.9</programlisting> openvpn:1194 net 206.162.148.9</programlisting>
</blockquote> </blockquote>
@ -372,7 +370,7 @@ openvpn:1194 net 206.162.148.9</programlisting>
prefer:</para> prefer:</para>
<blockquote> <blockquote>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE <programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
openvpnclient:1194 net 206.162.148.9</programlisting> openvpnclient:1194 net 206.162.148.9</programlisting>
</blockquote> </blockquote>
@ -443,7 +441,7 @@ verb 3</programlisting>
192.168.1.0/24, there will be times when your roadwarriors need to access 192.168.1.0/24, there will be times when your roadwarriors need to access
your lan from a remote location that uses that same network.</para> your lan from a remote location that uses that same network.</para>
<graphic align="center" fileref="images/Mobile1.png" /> <graphic align="center" fileref="images/Mobile1.png"/>
<para>This may be accomplished by configuring a second server on your <para>This may be accomplished by configuring a second server on your
firewall that uses a different port and by using <ulink firewall that uses a different port and by using <ulink
@ -719,7 +717,7 @@ TUNNEL_IF=gif0
<para>Add this entry to <ulink <para>Add this entry to <ulink
url="manpages/shorewall-tunnels.html">/etc/shorewall/tunnels</ulink>:</para> url="manpages/shorewall-tunnels.html">/etc/shorewall/tunnels</ulink>:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE <programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
openvpnserver:1194 net 0.0.0.0/0</programlisting> openvpnserver:1194 net 0.0.0.0/0</programlisting>
</listitem> </listitem>
</orderedlist> </orderedlist>
@ -736,7 +734,7 @@ openvpnserver:1194 net 0.0.0.0/0</programlisting>
<para>Consider the following case:</para> <para>Consider the following case:</para>
<graphic align="center" fileref="images/bridge4.png" /> <graphic align="center" fileref="images/bridge4.png"/>
<para>Part of the 192.168.1.0/24 network is in one location and part in <para>Part of the 192.168.1.0/24 network is in one location and part in
another. The two LANs can be bridged with OpenVPN as described in this another. The two LANs can be bridged with OpenVPN as described in this


@ -141,17 +141,16 @@ server:~ # </programlisting>
<para><filename>/etc/shorewall/zones</filename>:</para> <para><filename>/etc/shorewall/zones</filename>:</para>
<programlisting>############################################################################### <programlisting>###############################################################################
#ZONE TYPE OPTIONS IN OUT #ZONE TYPE OPTIONS IN_OPTION OUT_OPTIONS
# OPTIONS OPTIONS
net ipv4 net ipv4
vz ipv4</programlisting> vz ipv4</programlisting>
<para><filename>/etc/shorewall/interfaces</filename>:</para> <para><filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting>############################################################################### <programlisting>###############################################################################
#ZONE INTERFACE BROADCAST OPTIONS #ZONE INTERFACE OPTIONS
net eth0 - proxyarp=1 net eth0 proxyarp=1
vz venet0 - <emphasis role="bold">routeback,arp_filter=0</emphasis></programlisting> vz venet0 <emphasis role="bold">routeback,arp_filter=0</emphasis></programlisting>
</section> </section>
<section> <section>
@ -159,8 +158,8 @@ vz venet0 - <emphasis role="bold">routeback,arp_f
<para>If you run Shorewall Multi-ISP support on the host, you should <para>If you run Shorewall Multi-ISP support on the host, you should
arrange for traffic to your containers to use the main routing table. In arrange for traffic to your containers to use the main routing table. In
the configuration shown here, this entry in /etc/shorewall/rtrules the configuration shown here, this entry in /etc/shorewall/rtrules is
is appropriate:</para> appropriate:</para>
<programlisting>#SOURCE DEST PROVIDER PRIORITY <programlisting>#SOURCE DEST PROVIDER PRIORITY
- 206.124.146.178 main 1000</programlisting> - 206.124.146.178 main 1000</programlisting>
@ -290,7 +289,7 @@ done.
<para>The network diagram is shown below.</para> <para>The network diagram is shown below.</para>
<graphic fileref="images/Network2009c.png" /> <graphic fileref="images/Network2009c.png"/>
<para>The two systems shown in the green box are OpenVZ Virtual <para>The two systems shown in the green box are OpenVZ Virtual
Environments (containers).</para> Environments (containers).</para>
@ -457,8 +456,7 @@ NAME="server"</emphasis></programlisting>
<para><filename>/etc/shorewall/zones</filename>:</para> <para><filename>/etc/shorewall/zones</filename>:</para>
<programlisting>#ZONE TYPE OPTIONS IN OUT <programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
# OPTIONS OPTIONS
fw firewall fw firewall
net ipv4 #Internet net ipv4 #Internet
loc ipv4 #Local wired Zone loc ipv4 #Local wired Zone
@ -472,11 +470,11 @@ INT_IF=eth1
<emphasis role="bold">VPS_IF=venet0</emphasis> <emphasis role="bold">VPS_IF=venet0</emphasis>
...</programlisting> ...</programlisting>
<para><filename>/etc/shorewall/interfaces</filename>:<programlisting>#ZONE INTERFACE BROADCAST OPTIONS <para><filename>/etc/shorewall/interfaces</filename>:<programlisting>#ZONE INTERFACE OPTIONS
net $NET_IF detect dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartions=0,<emphasis net $NET_IF dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartions=0,<emphasis
role="bold">proxyarp=1</emphasis> role="bold">proxyarp=1</emphasis>
loc $INT_IF detect dhcp,logmartians=1,routefilter=1,nets=(172.20.1.0/24),tcpflags loc $INT_IF dhcp,logmartians=1,routefilter=1,nets=(172.20.1.0/24),tcpflags
<emphasis role="bold">dmz $VPS_IF detect logmartians=0,routefilter=0,nets=(206.124.146.177,206.124.146.178),routeback</emphasis> <emphasis role="bold">dmz $VPS_IF logmartians=0,routefilter=0,nets=(206.124.146.177,206.124.146.178),routeback</emphasis>
...</programlisting>This is a multi-ISP configuration so entries are required ...</programlisting>This is a multi-ISP configuration so entries are required
in <filename>/etc/shorewall/rtrules</filename>:</para> in <filename>/etc/shorewall/rtrules</filename>:</para>
@ -501,8 +499,7 @@ loc $INT_IF detect dhcp,logmartians=1,routefilter=1
<para>/etc/shorewall/zones:</para> <para>/etc/shorewall/zones:</para>
<programlisting>#ZONE TYPE OPTIONS IN OUT <programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
# OPTIONS OPTIONS
fw firewall fw firewall
net ipv4</programlisting> net ipv4</programlisting>
@ -526,7 +523,7 @@ net <emphasis role="bold">venet0 </emphasis> detect dhcp,tc
<para>The network diagram is shown below.</para> <para>The network diagram is shown below.</para>
<graphic fileref="images/Network2010.png" /> <graphic fileref="images/Network2010.png"/>
<para>The two systems shown in the green box are OpenVZ Virtual <para>The two systems shown in the green box are OpenVZ Virtual
Environments (containers).</para> Environments (containers).</para>
@ -768,8 +765,7 @@ NAME="server"
<para><filename><filename>/etc/shorewall/zones</filename>:</filename></para> <para><filename><filename>/etc/shorewall/zones</filename>:</filename></para>
<programlisting>#ZONE TYPE OPTIONS IN OUT <programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
# OPTIONS OPTIONS
fw firewall fw firewall
net ipv4 #Internet net ipv4 #Internet
loc ipv4 #Local wired Zone loc ipv4 #Local wired Zone
@ -783,10 +779,10 @@ INT_IF=eth1
<emphasis role="bold">VPS_IF=vzbr0</emphasis> <emphasis role="bold">VPS_IF=vzbr0</emphasis>
...</programlisting> ...</programlisting>
<para><filename>/etc/shorewall/interfaces</filename>:<programlisting>#ZONE INTERFACE BROADCAST OPTIONS <para><filename>/etc/shorewall/interfaces</filename>:<programlisting>#ZONE INTERFACE OPTIONS
net $NET_IF detect dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartions=0 net $NET_IF dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartions=0
loc $INT_IF detect dhcp,logmartians=1,routefilter=1,nets=(172.20.1.0/24),tcpflags loc $INT_IF dhcp,logmartians=1,routefilter=1,nets=(172.20.1.0/24),tcpflags
dmz $VPS_IF detect logmartians=0,routefilter=0,nets=(206.124.146.177,206.124.146.178),routeback dmz $VPS_IF logmartians=0,routefilter=0,nets=(206.124.146.177,206.124.146.178),routeback
...</programlisting></para> ...</programlisting></para>
<para><filename>/etc/shorewall/proxyarp:</filename></para> <para><filename>/etc/shorewall/proxyarp:</filename></para>
@ -813,15 +809,14 @@ dmz $VPS_IF detect logmartians=0,routefilter=0,nets
<para><filename>/etc/shorewall/zones:</filename></para> <para><filename>/etc/shorewall/zones:</filename></para>
<programlisting>#ZONE TYPE OPTIONS IN OUT <programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
# OPTIONS OPTIONS
fw firewall fw firewall
net ipv4</programlisting> net ipv4</programlisting>
<para><filename>/etc/shorewall/interfaces:</filename></para> <para><filename>/etc/shorewall/interfaces:</filename></para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS <programlisting>#ZONE INTERFACE OPTIONS
net <emphasis role="bold">eth0 </emphasis> detect dhcp,tcpflags,logmartians,nosmurfs</programlisting> net <emphasis role="bold">eth0 </emphasis> dhcp,tcpflags,logmartians,nosmurfs</programlisting>
</section> </section>
</section> </section>
</article> </article>


@ -178,8 +178,8 @@ tcp 6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>Rules are conditionally executed based on whether the current <para>Rules are conditionally executed based on whether the current
packet matches the contents of the SOURCE, DEST, PROTO, PORT(S), packet matches the contents of the SOURCE, DEST, PROTO, DPORT, SPORT,
CLIENT PORT(S_, USER, TEST, LENGTH and TOS columns.</para> USER, TEST, LENGTH and TOS columns.</para>
</listitem> </listitem>
<listitem> <listitem>
@ -352,7 +352,7 @@ tcp 6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
<para>The relationship between these options is shown in this <para>The relationship between these options is shown in this
diagram.</para> diagram.</para>
<graphic align="left" fileref="images/MarkGeometry.png" valign="top" /> <graphic align="left" fileref="images/MarkGeometry.png" valign="top"/>
<para>The default values of these options are determined by the settings <para>The default values of these options are determined by the settings
of other options as follows:</para> of other options as follows:</para>
@ -476,8 +476,7 @@ tcp 6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
<para>Here's the example (slightly expanded) from the comments at the top <para>Here's the example (slightly expanded) from the comments at the top
of the <filename>/etc/shorewall/mangle</filename> file.</para> of the <filename>/etc/shorewall/mangle</filename> file.</para>
<programlisting>#ACTION SOURCE DEST PROTO PORT(S) CLIENT USER TEST LENGTH TOS <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS
# PORT(S)
MARK(1) 0.0.0.0/0 0.0.0.0/0 icmp echo-request #Rule 1 MARK(1) 0.0.0.0/0 0.0.0.0/0 icmp echo-request #Rule 1
MARK(1) 0.0.0.0/0 0.0.0.0/0 icmp echo-reply #Rule 2 MARK(1) 0.0.0.0/0 0.0.0.0/0 icmp echo-reply #Rule 2
MARK(1) $FW 0.0.0.0/0 icmp echo-request #Rule 3 MARK(1) $FW 0.0.0.0/0 icmp echo-request #Rule 3
@ -486,8 +485,7 @@ MARK(1) $FW 0.0.0.0/0 icmp echo-reply #R
RESTORE 0.0.0.0/0 0.0.0.0/0 all - - - 0 #Rule 5 RESTORE 0.0.0.0/0 0.0.0.0/0 all - - - 0 #Rule 5
CONTINUE 0.0.0.0/0 0.0.0.0/0 all - - - !0 #Rule 6 CONTINUE 0.0.0.0/0 0.0.0.0/0 all - - - !0 #Rule 6
MARK(4) 0.0.0.0/0 0.0.0.0/0 ipp2p:all #Rule 7 MARK(4) 0.0.0.0/0 0.0.0.0/0 ipp2p:all #Rule 7
SAVE 0.0.0.0/0 0.0.0.0/0 all - - - !0 #Rule 8 SAVE 0.0.0.0/0 0.0.0.0/0 all - - - !0 #Rule 8</programlisting>
##LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
<para>Let's take a look at each rule:</para> <para>Let's take a look at each rule:</para>
@ -554,33 +552,25 @@ SAVE 0.0.0.0/0 0.0.0.0/0 all - - - !0 #R
<filename>/etc/shorewall/providers</filename>:</para> <filename>/etc/shorewall/providers</filename>:</para>
<programlisting>#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY <programlisting>#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
Blarg 1 0x100 main eth3 206.124.146.254 track,balance br0,eth1 Blarg 1 0x100 main eth3 206.124.146.254 track,balance br0,eth1</programlisting>
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
</programlisting>
<para>Here is <filename>/etc/shorewall/mangle</filename>:</para> <para>Here is <filename>/etc/shorewall/mangle</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO PORT(S) SOURCE USER TEST <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
# PORT(S)
CLASSIFY(1:110) 192.168.0.0/22 eth3 #Our internal nets get priority CLASSIFY(1:110) 192.168.0.0/22 eth3 #Our internal nets get priority
#over the server #over the server
CLASSIFY(1:130) 206.124.146.177 eth3 tcp - 873 CLASSIFY(1:130) 206.124.146.177 eth3 tcp - 873</programlisting>
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
</programlisting>
<para>And here is <filename>/etc/shorewall/tcdevices</filename> and <para>And here is <filename>/etc/shorewall/tcdevices</filename> and
<filename>/etc/shorewall/tcclasses</filename>:</para> <filename>/etc/shorewall/tcclasses</filename>:</para>
<programlisting>#INTERFACE IN-BANDWITH OUT-BANDWIDTH <programlisting>#INTERFACE IN_BANDWITH OUT_BANDWIDTH
eth3 1.3mbit 384kbit eth3 1.3mbit 384kbit
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
#INTERFACE MARK RATE CEIL PRIORITY OPTIONS #INTERFACE MARK RATE CEIL PRIORITY OPTIONS
eth3 10 full full 1 tcp-ack,tos-minimize-delay eth3 10 full full 1 tcp-ack,tos-minimize-delay
eth3 20 9*full/10 9*full/10 2 default eth3 20 9*full/10 9*full/10 2 default
eth3 30 6*full/10 6*full/10 3 eth3 30 6*full/10 6*full/10 3</programlisting>
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
</programlisting>
<para>I've annotated the following output with comments beginning with <para>I've annotated the following output with comments beginning with
"&lt;&lt;&lt;&lt;" and ending with "&gt;&gt;&gt;&gt;". This example uses "&lt;&lt;&lt;&lt;" and ending with "&gt;&gt;&gt;&gt;". This example uses


@ -131,13 +131,13 @@ add_rule( $chainref, '-p tcp --dport 1601 -m recent --name
Internet, add this rule in Internet, add this rule in
<filename>/etc/shorewall/rules</filename>:</para> <filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
SSHKnock net $FW tcp 22,1599,1600,1601</programlisting> SSHKnock net $FW tcp 22,1599,1600,1601</programlisting>
<para>If you want to log the DROPs and ACCEPTs done by SSHKnock, you <para>If you want to log the DROPs and ACCEPTs done by SSHKnock, you
can just add a log level as in:</para> can just add a log level as in:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
SSHKnock:info net $FW tcp 22,1599,1600,1601</programlisting> SSHKnock:info net $FW tcp 22,1599,1600,1601</programlisting>
</listitem> </listitem>
@ -146,18 +146,16 @@ SSHKnock:info net $FW tcp 22,1599,1600,1601<
206.124.146.178 to internal system 192.168.1.5. In 206.124.146.178 to internal system 192.168.1.5. In
/etc/shorewall/rules:</para> /etc/shorewall/rules:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
# PORT(S) DEST
DNAT- net 192.168.1.5 tcp 22 - 206.124.146.178 DNAT- net 192.168.1.5 tcp 22 - 206.124.146.178
SSHKnock net $FW tcp 1599,1600,1601 SSHKnock net $FW tcp 1599,1600,1601
SSHKnock net loc:192.168.1.5 tcp 22 - 206.124.146.178</programlisting> SSHKnock net loc:192.168.1.5 tcp 22 - 206.124.146.178</programlisting>
<note> <note>
<para>You can use SSHKnock with DNAT on earlier releases provided <para>You can use SSHKnock with DNAT on earlier releases provided
that you omit the ORIGINAL DEST entry on the second SSHKnock rule. that you omit the ORIGDEST entry on the second SSHKnock rule. This
This rule will be quite secure provided that you specify rule will be quite secure provided that you specify 'routefilter' on
'routefilter' on your external interface and have your external interface and have NULL_ROUTE_RFC1918=Yes in
NULL_ROUTE_RFC1918=Yes in
<filename>shorewall.conf</filename>.</para> <filename>shorewall.conf</filename>.</para>
</note> </note>
</listitem> </listitem>


@ -84,7 +84,7 @@
<para>The following figure represents a Proxy ARP environment.</para> <para>The following figure represents a Proxy ARP environment.</para>
<graphic align="center" fileref="images/proxyarp.png" /> <graphic align="center" fileref="images/proxyarp.png"/>
<para>Proxy ARP can be used to make the systems with addresses <para>Proxy ARP can be used to make the systems with addresses
130.252.100.18 and 130.252.100.19 appear to be on the upper 130.252.100.18 and 130.252.100.19 appear to be on the upper
@ -129,7 +129,7 @@
irrelevant, one approach you can take is to make that address the same as irrelevant, one approach you can take is to make that address the same as
the address of your external interface!</para> the address of your external interface!</para>
<graphic align="center" fileref="images/proxyarp1.png" /> <graphic align="center" fileref="images/proxyarp1.png"/>
<para>In the diagram above, <filename class="devicefile">eth1</filename> <para>In the diagram above, <filename class="devicefile">eth1</filename>
has been given the address 130.252.100.17, the same as has been given the address 130.252.100.17, the same as
@ -142,8 +142,7 @@
you have configured to be in the <emphasis role="bold">loc</emphasis> zone you have configured to be in the <emphasis role="bold">loc</emphasis> zone
then you would need this entry in /etc/shorewall/rules:</para> then you would need this entry in /etc/shorewall/rules:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST <programlisting>#ACTION SOURCE DEST PROTO DPORT
# PORT
ACCEPT net loc:130.252.100.19 tcp 80</programlisting> ACCEPT net loc:130.252.100.19 tcp 80</programlisting>
<warning> <warning>


@ -213,8 +213,7 @@ ip link set ifb0 up</programlisting>
<para>The tcdevices file describes the two devices:</para> <para>The tcdevices file describes the two devices:</para>
<programlisting>#NUMBER: IN-BANDWITH OUT-BANDWIDTH OPTIONS REDIRECTED <programlisting>#NUMBER: IN_BANDWITH OUT_BANDWIDTH OPTIONS REDIRECT
#INTERFACE INTERFACES
1:eth0 - ${UPLOAD}kbit hfsc,linklayer=ethernet,overhead=0 1:eth0 - ${UPLOAD}kbit hfsc,linklayer=ethernet,overhead=0
2:ifb0 - ${DOWNLOAD}kbit hfsc eth0</programlisting> 2:ifb0 - ${DOWNLOAD}kbit hfsc eth0</programlisting>
</section> </section>
@ -225,67 +224,66 @@ ip link set ifb0 up</programlisting>
<para>The tcclasses file defines the class hierarchy for both <para>The tcclasses file defines the class hierarchy for both
devices:</para> devices:</para>
<programlisting>#IFACE: MARK RATE: CEIL PRIORITY OPTIONS <programlisting>#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
#CLASS DMAX:UMAX 1 1 ${UP_SC_VOIP_RATE}kbit:\
1 1 ${UP_SC_VOIP_RATE}kbit:\ ${UP_SC_VOIP_DMAX}:\
${UP_SC_VOIP_DMAX}:\ ${UP_SC_VOIP_UMAX} ${UP_UL_VOIP_RATE}kbit 1
${UP_SC_VOIP_UMAX} ${UP_UL_VOIP_RATE}kbit 1
1 2 ${UP_RT_PRIO_RATE}kbit:\ 1 2 ${UP_RT_PRIO_RATE}kbit:\
${UP_RT_PRIO_DMAX}:\ ${UP_RT_PRIO_DMAX}:\
${UP_RT_PRIO_UMAX} ${UP_LS_PRIO_RATE}kbit:\ ${UP_RT_PRIO_UMAX} ${UP_LS_PRIO_RATE}kbit:\
${UP_UL_PRIO_RATE}kbit 1 ${UP_UL_PRIO_RATE}kbit 1
1 3 - ${UP_LS_NORMAL_RATE}kbit:\ 1 3 - ${UP_LS_NORMAL_RATE}kbit:\
${UP_UL_NORMAL_RATE}kbit 1 red=(limit=$UP_NORMAL_RED_limit,\ ${UP_UL_NORMAL_RATE}kbit 1 red=(limit=$UP_NORMAL_RED_limit,\
min=$UP_NORMAL_RED_min,\ min=$UP_NORMAL_RED_min,\
max=$UP_NORMAL_RED_max,\ max=$UP_NORMAL_RED_max,\
burst=$UP_NORMAL_RED_burst,\ burst=$UP_NORMAL_RED_burst,\
probability=$UP_NORMAL_RED_PROB,\ probability=$UP_NORMAL_RED_PROB,\
ecn) ecn)
1 4 - ${UP_LS_P2P_RATE}kbit:\ 1 4 - ${UP_LS_P2P_RATE}kbit:\
${UP_UL_P2P_RATE}kbit 1 red=(limit=$UP_P2P_RED_limit,\ ${UP_UL_P2P_RATE}kbit 1 red=(limit=$UP_P2P_RED_limit,\
min=$UP_P2P_RED_min,\ min=$UP_P2P_RED_min,\
max=$UP_P2P_RED_max,\ max=$UP_P2P_RED_max,\
burst=$UP_P2P_RED_burst,\ burst=$UP_P2P_RED_burst,\
probability=$UP_P2P_RED_PROB,\ probability=$UP_P2P_RED_PROB,\
ecn) ecn)
1 5 - ${UP_LS_BULK_RATE}kbit:\ 1 5 - ${UP_LS_BULK_RATE}kbit:\
${UP_UL_BULK_RATE}kbit 1 default,\ ${UP_UL_BULK_RATE}kbit 1 default,\
red=(limit=$UP_BULK_RED_limit,\ red=(limit=$UP_BULK_RED_limit,\
min=$UP_BULK_RED_min,\ min=$UP_BULK_RED_min,\
max=$UP_BULK_RED_max,\ max=$UP_BULK_RED_max,\
burst=$UP_BULK_RED_burst,\ burst=$UP_BULK_RED_burst,\
probability=$UP_BULK_RED_PROB,\ probability=$UP_BULK_RED_PROB,\
ecn) ecn)
2:10 - ${UP_SC_VOIP_RATE}kbit:\ 2:10 - ${UP_SC_VOIP_RATE}kbit:\
${UP_SC_VOIP_DMAX}:\ ${UP_SC_VOIP_DMAX}:\
${UP_SC_VOIP_UMAX} ${UP_UL_VOIP_RATE}kbit 1 ${UP_SC_VOIP_UMAX} ${UP_UL_VOIP_RATE}kbit 1
2:20 - ${DOWN_RT_PRIO_RATE}kbit:\ 2:20 - ${DOWN_RT_PRIO_RATE}kbit:\
${DOWN_RT_PRIO_DMAX}:\ ${DOWN_RT_PRIO_DMAX}:\
${DOWN_RT_PRIO_UMAX} ${DOWN_UL_PRIO_RATE}kbit 1 ${DOWN_RT_PRIO_UMAX} ${DOWN_UL_PRIO_RATE}kbit 1
2:30 - - ${DOWN_LS_NORMAL_RATE}kbit:\ 2:30 - - ${DOWN_LS_NORMAL_RATE}kbit:\
${DOWN_UL_NORMAL_RATE}kbit 1 red=(limit=$DOWN_NORMAL_RED_limit,\ ${DOWN_UL_NORMAL_RATE}kbit 1 red=(limit=$DOWN_NORMAL_RED_limit,\
min=$DOWN_NORMAL_RED_min,\ min=$DOWN_NORMAL_RED_min,\
max=$DOWN_NORMAL_RED_max,\ max=$DOWN_NORMAL_RED_max,\
burst=$DOWN_NORMAL_RED_burst,\ burst=$DOWN_NORMAL_RED_burst,\
probability=$DOWN_NORMAL_RED_PROB) probability=$DOWN_NORMAL_RED_PROB)
2:40 - - ${DOWN_LS_P2P_RATE}kbit:\ 2:40 - - ${DOWN_LS_P2P_RATE}kbit:\
${DOWN_UL_P2P_RATE}kbit 1 red=(limit=$DOWN_P2P_RED_limit,\ ${DOWN_UL_P2P_RATE}kbit 1 red=(limit=$DOWN_P2P_RED_limit,\
min=$DOWN_P2P_RED_min,\ min=$DOWN_P2P_RED_min,\
max=$DOWN_P2P_RED_max,\ max=$DOWN_P2P_RED_max,\
burst=$DOWN_P2P_RED_burst,\ burst=$DOWN_P2P_RED_burst,\
probability=$DOWN_P2P_RED_PROB) probability=$DOWN_P2P_RED_PROB)
2:50 - - ${DOWN_LS_BULK_RATE}kbit:\ 2:50 - - ${DOWN_LS_BULK_RATE}kbit:\
${DOWN_UL_BULK_RATE}kbit 1 default,\ ${DOWN_UL_BULK_RATE}kbit 1 default,\
red=(limit=$DOWN_BULK_RED_limit,\ red=(limit=$DOWN_BULK_RED_limit,\
min=$DOWN_BULK_RED_min,\ min=$DOWN_BULK_RED_min,\
max=$DOWN_BULK_RED_max,\ max=$DOWN_BULK_RED_max,\
burst=$DOWN_BULK_RED_burst,\ burst=$DOWN_BULK_RED_burst,\
probability=$DOWN_BULK_RED_PROB)</programlisting> probability=$DOWN_BULK_RED_PROB)</programlisting>
</section> </section>
<section> <section>
@ -293,8 +291,7 @@ ip link set ifb0 up</programlisting>
<para>The mangle file classifies upload packets:</para> <para>The mangle file classifies upload packets:</para>
<programlisting>#MARK SOURCE DEST PROTO DEST SOURCE USER TEST <programlisting>#MARK SOURCE DEST PROTO DPORT SPORT USER TEST
# PORT(S) PORT(S)
RESTORE:T - - - - - - !0:C RESTORE:T - - - - - - !0:C
CONTINUE:T - - - - - - !0 CONTINUE:T - - - - - - !0
2:T - - icmp 2:T - - icmp
@ -319,8 +316,7 @@ SAVE:T - - - - - -
<para>The tcfilters file classifies download packets:</para> <para>The tcfilters file classifies download packets:</para>
<programlisting>#INTERFACE: SOURCE DEST PROTO DEST SOURCE TOS LENGTH <programlisting>#INTERFACE: SOURCE DEST PROTO DPORT SPORT TOS LENGTH
#CLASS PORT(S) PORT(S)
# #
# These classify download traffic # These classify download traffic
# #


@ -240,15 +240,15 @@
</listitem> </listitem>
<listitem> <listitem>
<para>DEST PORT(S)</para> <para>DPORT</para>
</listitem> </listitem>
<listitem> <listitem>
<para>SOURCE PORT(S)</para> <para>SPORT</para>
</listitem> </listitem>
<listitem> <listitem>
<para>ORIGINAL DEST</para> <para>ORIGDEST</para>
</listitem> </listitem>
<listitem> <listitem>
@ -284,8 +284,9 @@
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para>Notice that the first five columns of both sets are the <para>Notice that the first five columns of both sets are the same
same.</para> (although the port-valued column names have changed, the contents are
the same).</para>
<para>In Shorewall 5, support for format-1 macros and actions has been <para>In Shorewall 5, support for format-1 macros and actions has been
dropped and all macros and actions will be processed as if ?FORMAT 2 dropped and all macros and actions will be processed as if ?FORMAT 2


@ -163,8 +163,7 @@ httpd_accel_uses_host_header on</programlisting>
<para>In <filename>/etc/shorewall/rules</filename>:</para> <para>In <filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
# PORT(S) DEST
ACCEPT $FW net tcp www ACCEPT $FW net tcp www
REDIRECT loc 3128 tcp www - !206.124.146.177 REDIRECT loc 3128 tcp www - !206.124.146.177
</programlisting> </programlisting>
@ -175,10 +174,9 @@ REDIRECT loc 3128 tcp www - !206.124.146.
Squid.</para> Squid.</para>
<para>If needed, you may just add the additional hosts/networks to the <para>If needed, you may just add the additional hosts/networks to the
ORIGINAL DEST column in your REDIRECT rule.</para> ORIGDEST column in your REDIRECT rule.</para>
<para><filename>/etc/shorewall/rules</filename>:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL <para><filename>/etc/shorewall/rules</filename>:<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
# PORT(S) DEST
REDIRECT loc 3128 tcp www - !206.124.146.177,130.252.100.0/24</programlisting></para> REDIRECT loc 3128 tcp www - !206.124.146.177,130.252.100.0/24</programlisting></para>
<para>People frequently ask <emphasis>How can I exclude certain <para>People frequently ask <emphasis>How can I exclude certain
@ -188,8 +186,7 @@ REDIRECT loc 3128 tcp www - !206.124.146.
<para>Suppose that you want to exclude 192.168.1.5 and 192.168.1.33 <para>Suppose that you want to exclude 192.168.1.5 and 192.168.1.33
from the proxy. Your rules would then be:</para> from the proxy. Your rules would then be:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
# PORT(S) DEST
ACCEPT $FW net tcp www ACCEPT $FW net tcp www
REDIRECT loc:!192.168.1.5,192.168.1.33\ REDIRECT loc:!192.168.1.5,192.168.1.33\
3128 tcp www - !206.124.146.177,130.252.100.0/24 3128 tcp www - !206.124.146.177,130.252.100.0/24
@ -215,8 +212,7 @@ gateway:/etc/shorewall# </programlisting>
role="bold">(squid)</emphasis> is running under the <emphasis role="bold">(squid)</emphasis> is running under the <emphasis
role="bold">proxy</emphasis> user Id. We add these rules:</para> role="bold">proxy</emphasis> user Id. We add these rules:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL RATE USER/ <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
# PORT(S) DEST LIMIT GROUP
ACCEPT $FW net tcp www ACCEPT $FW net tcp www
REDIRECT $FW 3128 tcp www - - - <emphasis REDIRECT $FW 3128 tcp www - - - <emphasis
role="bold"> !proxy</emphasis></programlisting> role="bold"> !proxy</emphasis></programlisting>
@ -242,18 +238,16 @@ Squid 1 202 - eth1 192.168.1.3 loose,no
<listitem> <listitem>
<para>In <filename>/etc/shorewall/mangle</filename> add:</para> <para>In <filename>/etc/shorewall/mangle</filename> add:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
# PORT(S)
MARK(202):P eth1:!192.168.1.3 0.0.0.0/0 tcp 80</programlisting> MARK(202):P eth1:!192.168.1.3 0.0.0.0/0 tcp 80</programlisting>
<para>If you are still using a tcrules file, you should consider <para>If you are still using a tcrules file, you should consider
switching to using a mangle file (<command>shorewall update switching to using a mangle file (<command>shorewall update
-t</command> (<command>shorewall update</command> on -t</command> (<command>shorewall update</command> on Shorewall 5.0
Shorewall 5.0 and later) will do that for you). Corresponding and later) will do that for you). Corresponding
/etc/shorewall/tcrules entries are:</para> /etc/shorewall/tcrules entries are:</para>
<programlisting>#MARK SOURCE DEST PROTO DEST <programlisting>#MARK SOURCE DEST PROTO DPORT
# PORT(S)
202:P eth1:!192.168.1.3 0.0.0.0/0 tcp 80</programlisting> 202:P eth1:!192.168.1.3 0.0.0.0/0 tcp 80</programlisting>
</listitem> </listitem>
@ -261,8 +255,8 @@ MARK(202):P eth1:!192.168.1.3 0.0.0.0/0 tcp 80</programlisting>
<para>In <filename> <filename>/etc/shorewall/interfaces</filename> <para>In <filename> <filename>/etc/shorewall/interfaces</filename>
</filename>:</para> </filename>:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS <programlisting>#ZONE INTERFACE OPTIONS
loc eth1 detect <emphasis role="bold">routeback,routefilter=0,logmartians=0</emphasis> </programlisting> loc eth1 <emphasis role="bold">routeback,routefilter=0,logmartians=0</emphasis> </programlisting>
</listitem> </listitem>
<listitem> <listitem>
@ -294,8 +288,7 @@ loc eth1 detect <emphasis role="bold">routeback,routefilter=0,
<para>In <filename>/etc/shorewall/rules</filename>:</para> <para>In <filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
# PORT(S) DEST
DNAT loc dmz:192.0.2.177:3128 tcp 80 - !192.0.2.177</programlisting> DNAT loc dmz:192.0.2.177:3128 tcp 80 - !192.0.2.177</programlisting>
</section> </section>
@ -316,14 +309,12 @@ Squid 1 202 - eth2 192.0.2.177 loose,no
<listitem> <listitem>
<para>In <filename>/etc/shorewall/mangle</filename> add:</para> <para>In <filename>/etc/shorewall/mangle</filename> add:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST <programlisting>#ACTION SOURCE DEST PROTO DPORT
# PORT(S)
MARK(202):P eth1 0.0.0.0/0 tcp 80</programlisting> MARK(202):P eth1 0.0.0.0/0 tcp 80</programlisting>
<para>Corresponding /etc/shorewall/tcrules entries are:</para> <para>Corresponding /etc/shorewall/tcrules entries are:</para>
<programlisting>#MARK SOURCE DEST PROTO DEST <programlisting>#MARK SOURCE DEST PROTO DPORT
# PORT(S)
202:P eth1 0.0.0.0/0 tcp 80</programlisting> 202:P eth1 0.0.0.0/0 tcp 80</programlisting>
</listitem> </listitem>
@ -331,8 +322,8 @@ MARK(202):P eth1 0.0.0.0/0 tcp 80</programlisting>
<para>In <filename> <filename>/etc/shorewall/interfaces</filename> <para>In <filename> <filename>/etc/shorewall/interfaces</filename>
</filename>:</para> </filename>:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS <programlisting>#ZONE INTERFACE OPTIONS
loc eth2 detect <emphasis role="bold">routefilter=0,logmartians=0</emphasis> </programlisting> loc eth2 <emphasis role="bold">routefilter=0,logmartians=0</emphasis> </programlisting>
</listitem> </listitem>
<listitem> <listitem>
@ -363,7 +354,7 @@ loc eth2 detect <emphasis role="bold">routefilter=0,logmartian
<para><filename>/etc/shorewall/rules</filename>:</para> <para><filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
ACCEPT Z SZ tcp SP ACCEPT Z SZ tcp SP
ACCEPT SZ net tcp 80,443</programlisting> ACCEPT SZ net tcp 80,443</programlisting>
@ -371,7 +362,7 @@ ACCEPT SZ net tcp 80,443</programlisting>
<title>Squid on the firewall listening on port 8080 with access from the <title>Squid on the firewall listening on port 8080 with access from the
<quote>loc</quote> zone:</title> <quote>loc</quote> zone:</title>
<para><filename>/etc/shorewall/rules:</filename> <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <para><filename>/etc/shorewall/rules:</filename> <programlisting>#ACTION SOURCE DEST PROTO DPORT
ACCEPT loc $FW tcp 8080 ACCEPT loc $FW tcp 8080
ACCEPT $FW net tcp 80,443</programlisting></para> ACCEPT $FW net tcp 80,443</programlisting></para>
</example> </example>
@ -406,8 +397,8 @@ ACCEPT $FW net tcp 80,443</programlisting></para>
<para><filename>/etc/shorewall/interfaces:</filename></para> <para><filename>/etc/shorewall/interfaces:</filename></para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS <programlisting>#ZONE INTERFACE OPTIONS
- lo - -</programlisting> - lo -</programlisting>
<para><filename>/etc/shorewall/providers</filename>:</para> <para><filename>/etc/shorewall/providers</filename>:</para>
@ -422,17 +413,13 @@ Tproxy 1 - - lo - tproxy</programli
<para><filename>/etc/shorewall/mangle</filename> (assume loc interface is <para><filename>/etc/shorewall/mangle</filename> (assume loc interface is
eth1 and net interface is eth0):</para> eth1 and net interface is eth0):</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT
# PORT(S) PORT(S)
DIVERT eth0 0.0.0.0/0 tcp - 80 DIVERT eth0 0.0.0.0/0 tcp - 80
TPROXY(3129) eth1 0.0.0.0/0 tcp 80</programlisting> TPROXY(3129) eth1 0.0.0.0/0 tcp 80</programlisting>
<para>Corresponding <filename>/etc/shorewall/tcrules</filename> <para>Corresponding <filename>/etc/shorewall/mangle</filename> are:</para>
are:</para>
<programlisting><emphasis role="bold">FORMAT 2</emphasis> <programlisting>#MARK SOURCE DEST PROTO DPORT SPORT
#MARK SOURCE DEST PROTO DEST SOURCE
# PORT(S) PORT(S)
DIVERT eth0 0.0.0.0/0 tcp - 80 DIVERT eth0 0.0.0.0/0 tcp - 80
TPROXY(3129) eth1 0.0.0.0/0 tcp 80</programlisting> TPROXY(3129) eth1 0.0.0.0/0 tcp 80</programlisting>
@ -445,16 +432,14 @@ TPROXY(3129) eth1 0.0.0.0/0 tcp 80</programlisting>
on port 80, then you need to exclude it from TPROXY. Suppose that your on port 80, then you need to exclude it from TPROXY. Suppose that your
web server listens on 192.0.2.144; then:</para> web server listens on 192.0.2.144; then:</para>
<programlisting><emphasis role="bold">FORMAT 2</emphasis> <programlisting>#MARK SOURCE DEST PROTO DPORT SPORT
#MARK SOURCE DEST PROTO DEST SOURCE
# PORT(S) PORT(S)
DIVERT eth0 0.0.0.0/0 tcp - 80 DIVERT eth0 0.0.0.0/0 tcp - 80
TPROXY(3129) eth1 !192.0.2.144 tcp 80 -</programlisting> TPROXY(3129) eth1 !192.0.2.144 tcp 80 -</programlisting>
</note> </note>
<para>/etc/shorewall/rules:</para> <para>/etc/shorewall/rules:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
ACCEPT loc $FW tcp 80 ACCEPT loc $FW tcp 80
ACCEPT $FW net tcp 80</programlisting> ACCEPT $FW net tcp 80</programlisting>


@ -166,7 +166,7 @@ iface eth0 inet static
<example id="SSH"> <example id="SSH">
<title>allow SSH from net to eth0:0 above</title> <title>allow SSH from net to eth0:0 above</title>
<para><optional><filename>/etc/shorewall/rules</filename></optional><programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <para><optional><filename>/etc/shorewall/rules</filename></optional><programlisting>#ACTION SOURCE DEST PROTO DPORT
ACCEPT net $FW:206.124.146.178 tcp 22</programlisting></para> ACCEPT net $FW:206.124.146.178 tcp 22</programlisting></para>
</example> </example>
</section> </section>
@ -179,15 +179,14 @@ ACCEPT net $FW:206.124.146.178 tcp 22</programlisting></para>
zone at 192.168.1.3. That is accomplished by a single rule in the zone at 192.168.1.3. That is accomplished by a single rule in the
<filename>/etc/shorewall/rules</filename> file:</para> <filename>/etc/shorewall/rules</filename> file:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
# PORT(S) DEST
DNAT net loc:192.168.1.3 tcp 80 - 206.124.146.178 </programlisting> DNAT net loc:192.168.1.3 tcp 80 - 206.124.146.178 </programlisting>
<para>If I wished to forward tcp port 10000 on that virtual interface to <para>If I wished to forward tcp port 10000 on that virtual interface to
port 22 on local host 192.168.1.3, the rule would be:</para> port 22 on local host 192.168.1.3, the rule would be:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
# PORT(S) DEST DNAT net loc:192.168.1.3 tcp 80 - 206.124.146.178
DNAT net loc:192.168.1.3:22 tcp 10000 - 206.124.146.178 </programlisting> DNAT net loc:192.168.1.3:22 tcp 10000 - 206.124.146.178 </programlisting>
</section> </section>
@ -202,7 +201,7 @@ DNAT net loc:192.168.1.3:22 tcp 10000 - 20
eth0 192.168.1.0/24 206.124.146.178</programlisting> eth0 192.168.1.0/24 206.124.146.178</programlisting>
<para>Similarly, you want SMTP traffic from local system 192.168.1.22 to <para>Similarly, you want SMTP traffic from local system 192.168.1.22 to
have source IP 206.124.146.178:<programlisting>#INTERFACE SUBNET ADDRESS PROTO DEST PORT(S) have source IP 206.124.146.178:<programlisting>#INTERFACE SUBNET ADDRESS PROTO DPORT
eth0 192.168.1.22 206.124.146.178 tcp 25</programlisting></para> eth0 192.168.1.22 206.124.146.178 tcp 25</programlisting></para>
<para>Shorewall can create the alias (additional address) for you if you <para>Shorewall can create the alias (additional address) for you if you
@ -246,7 +245,7 @@ eth0:2 = 206.124.146.180</programlisting>
would have the following in would have the following in
<filename>/etc/shorewall/nat</filename>:</para> <filename>/etc/shorewall/nat</filename>:</para>
<programlisting>#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL <programlisting>#EXTERNAL INTERFACE INTERNAL ALL_INTERFACES LOCAL
206.124.146.178 eth0 192.168.1.3 no no</programlisting> 206.124.146.178 eth0 192.168.1.3 no no</programlisting>
<para>Shorewall can create the alias (additional address) for you if you <para>Shorewall can create the alias (additional address) for you if you
@ -263,7 +262,7 @@ eth0:2 = 206.124.146.180</programlisting>
setting ADD_IP_ALIASES=Yes, you specify the virtual interface name in setting ADD_IP_ALIASES=Yes, you specify the virtual interface name in
the INTERFACE column as follows.</para> the INTERFACE column as follows.</para>
<para><filename>/etc/shorewall/nat</filename><programlisting>#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL <para><filename>/etc/shorewall/nat</filename><programlisting>#EXTERNAL INTERFACE INTERNAL ALL_INTERFACES LOCAL
206.124.146.178 eth0:0 192.168.1.3 no no</programlisting></para> 206.124.146.178 eth0:0 192.168.1.3 no no</programlisting></para>
<para>In either case, to create rules in <para>In either case, to create rules in
@ -275,7 +274,7 @@ eth0:2 = 206.124.146.180</programlisting>
<title>You want to allow SSH from the net to 206.124.146.178 a.k.a. <title>You want to allow SSH from the net to 206.124.146.178 a.k.a.
192.168.1.3.</title> 192.168.1.3.</title>
<para><programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <para><programlisting>#ACTION SOURCE DEST PROTO DPORT
ACCEPT net loc:192.168.1.3 tcp 22</programlisting></para> ACCEPT net loc:192.168.1.3 tcp 22</programlisting></para>
</example> </example>
</section> </section>
@ -305,8 +304,8 @@ loc ipv4</programlisting>
<para>In <filename>/etc/shorewall/interfaces</filename>:</para> <para>In <filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS <programlisting>#ZONE INTERFACE OPTIONS
loc eth1 - <emphasis role="bold">routeback</emphasis> </programlisting> loc eth1 <emphasis role="bold">routeback</emphasis> </programlisting>
<para>In <filename>/etc/shorewall/rules</filename>, simply specify <para>In <filename>/etc/shorewall/rules</filename>, simply specify
ACCEPT rules for the traffic that you want to permit.</para> ACCEPT rules for the traffic that you want to permit.</para>
@ -327,8 +326,8 @@ loc2 ipv4</programlisting>
<para>In <filename>/etc/shorewall/interfaces</filename>:</para> <para>In <filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS <programlisting>#ZONE INTERFACE OPTIONS
- eth1 - </programlisting> - eth1 </programlisting>
<para>In <filename>/etc/shorewall/hosts</filename>:</para> <para>In <filename>/etc/shorewall/hosts</filename>:</para>


@ -68,7 +68,7 @@
<para>The following diagram shows the relationship between routing <para>The following diagram shows the relationship between routing
decisions and Netfilter.</para> decisions and Netfilter.</para>
<graphic align="center" fileref="images/Netfilter.png" /> <graphic align="center" fileref="images/Netfilter.png"/>
<para>The light blue boxes indicate where routing decisions are made. Upon <para>The light blue boxes indicate where routing decisions are made. Upon
exit from one of these boxes, if the packet is being sent to another exit from one of these boxes, if the packet is being sent to another
@ -208,8 +208,7 @@
<para><filename>/etc/shorewall/proxyarp</filename>:</para> <para><filename>/etc/shorewall/proxyarp</filename>:</para>
<programlisting>#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT <programlisting>#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
206.124.146.177 eth1 eth0 No 206.124.146.177 eth1 eth0 No</programlisting>
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
<para>The above entry will cause Shorewall to execute the following <para>The above entry will cause Shorewall to execute the following
command:</para> command:</para>


@ -86,7 +86,7 @@
<para>The following diagram shows a firewall for two bridged LAN <para>The following diagram shows a firewall for two bridged LAN
segments.</para> segments.</para>
<graphic align="center" fileref="images/SimpleBridge.png" valign="middle" /> <graphic align="center" fileref="images/SimpleBridge.png" valign="middle"/>
<para>This is fundamentally the Two-interface Firewall described in the <para>This is fundamentally the Two-interface Firewall described in the
<ulink url="two-interface.htm">Two-interface Quickstart Guide</ulink>. The <ulink url="two-interface.htm">Two-interface Quickstart Guide</ulink>. The
@ -108,10 +108,11 @@
<para><filename>/etc/shorewall/interfaces</filename>:</para> <para><filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS <programlisting>?FORMAT 2
net eth0 detect ... #ZONE INTERFACE OPTIONS
loc <emphasis role="bold">br0</emphasis> 10.0.1.255 <emphasis net eth0 ...
role="bold">routeback</emphasis>,...</programlisting> loc <emphasis role="bold">br0</emphasis> <emphasis
role="bold">routeback,bridge</emphasis>,...</programlisting>
<para>So the key points here are:</para> <para>So the key points here are:</para>
@ -128,8 +129,9 @@ loc <emphasis role="bold">br0</emphasis> 10.0.1.255 <
</listitem> </listitem>
<listitem> <listitem>
<para>The <emphasis role="bold">routeback</emphasis> option is <para>The <emphasis role="bold">routeback</emphasis> and <emphasis
specified for <filename class="devicefile">br0</filename>.</para> role="bold">bridge</emphasis> options is specified for <filename
class="devicefile">br0</filename>.</para>
</listitem> </listitem>
<listitem> <listitem>
@ -138,13 +140,6 @@ loc <emphasis role="bold">br0</emphasis> 10.0.1.255 <
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para><emphasis role="bold">Note to Shorewall-perl users</emphasis>: You
should also specify the <emphasis role="bold">bridge</emphasis>
option:<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect ...
loc <emphasis role="bold">br0</emphasis> 10.0.1.255 <emphasis
role="bold">routeback,bridge</emphasis>,...</programlisting></para>
<para>Your entry in <filename>/etc/shorewall/masq</filename> should be <para>Your entry in <filename>/etc/shorewall/masq</filename> should be
unchanged:</para> unchanged:</para>


@ -93,9 +93,8 @@ forward_chain_name = forwardUPnP</programlisting>
<para>Example:</para> <para>Example:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS <programlisting>#ZONE INTERFACE OPTIONS
net eth1 detect dhcp,routefilter,tcpflags,<emphasis net eth1 dhcp,routefilter,tcpflags,<emphasis role="bold">upnp</emphasis></programlisting>
role="bold">upnp</emphasis></programlisting>
<para>If your loc-&gt;fw policy is not ACCEPT then you need this <para>If your loc-&gt;fw policy is not ACCEPT then you need this
rule:</para> rule:</para>


@ -202,7 +202,7 @@
<filename>/etc/shorewall/macro.*</filename>, the general format of a <filename>/etc/shorewall/macro.*</filename>, the general format of a
rule in <filename>/etc/shorewall/rules</filename> is:</para> rule in <filename>/etc/shorewall/rules</filename> is:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
&lt;<emphasis>macro</emphasis>&gt;(ACCEPT) net $FW</programlisting> &lt;<emphasis>macro</emphasis>&gt;(ACCEPT) net $FW</programlisting>
<important> <important>
@ -214,7 +214,7 @@
<title>You want to run a Web Server and a IMAP Server on your firewall <title>You want to run a Web Server and a IMAP Server on your firewall
system:</title> system:</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
Web(ACCEPT) net $FW Web(ACCEPT) net $FW
IMAP(ACCEPT)net $FW</programlisting> IMAP(ACCEPT)net $FW</programlisting>
</example> </example>
@ -225,14 +225,14 @@ IMAP(ACCEPT)net $FW</programlisting>
general format of a rule in <filename>/etc/shorewall/rules</filename> general format of a rule in <filename>/etc/shorewall/rules</filename>
is:</para> is:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
ACCEPT net $FW <emphasis>&lt;protocol&gt;</emphasis> <emphasis>&lt;port&gt;</emphasis></programlisting> ACCEPT net $FW <emphasis>&lt;protocol&gt;</emphasis> <emphasis>&lt;port&gt;</emphasis></programlisting>
<example id="Example2"> <example id="Example2">
<title>You want to run a Web Server and a IMAP Server on your firewall <title>You want to run a Web Server and a IMAP Server on your firewall
system:</title> system:</title>
<para><programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <para><programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
ACCEPT net $FW tcp 80 ACCEPT net $FW tcp 80
ACCEPT net $FW tcp 143</programlisting></para> ACCEPT net $FW tcp 143</programlisting></para>
</example> </example>
@ -320,7 +320,7 @@ ACCEPT net $FW tcp 143</programlisting></para>
<para>Then at a root prompt, type:</para> <para>Then at a root prompt, type:</para>
<blockquote> <blockquote>
<para><command>/sbin/shorewall restart</command></para> <para><command>/sbin/shorewall reload</command></para>
</blockquote> </blockquote>
</section> </section>
@ -345,7 +345,7 @@ ACCEPT net $FW tcp 143</programlisting></para>
<para>Then at a root prompt, type:</para> <para>Then at a root prompt, type:</para>
<blockquote> <blockquote>
<para><command>/sbin/shorewall restart</command></para> <para><command>/sbin/shorewall reload</command></para>
</blockquote> </blockquote>
</section> </section>
</section> </section>


@ -46,7 +46,7 @@
The two most common means for doing this are IPSEC and PPTP. The basic The two most common means for doing this are IPSEC and PPTP. The basic
setup is shown in the following diagram:</para> setup is shown in the following diagram:</para>
<graphic fileref="images/VPN.png" /> <graphic fileref="images/VPN.png"/>
<para>A system with an RFC 1918 address needs to access a remote network <para>A system with an RFC 1918 address needs to access a remote network
through a remote gateway. For this example, we will assume that the local through a remote gateway. For this example, we will assume that the local
@ -87,15 +87,15 @@
<entry align="center">SOURCE</entry> <entry align="center">SOURCE</entry>
<entry align="center">DESTINATION</entry> <entry align="center">DEST</entry>
<entry align="center">PROTOCOL</entry> <entry align="center">PROTO</entry>
<entry align="center">PORT</entry> <entry align="center">DPORT</entry>
<entry align="center">CLIENT PORT</entry> <entry align="center">SPORT</entry>
<entry align="center">ORIGINAL DEST</entry> <entry align="center">ORIGDEST</entry>
</row> </row>
</thead> </thead>
@ -109,11 +109,11 @@
<entry>50</entry> <entry>50</entry>
<entry></entry> <entry/>
<entry></entry> <entry/>
<entry></entry> <entry/>
</row> </row>
<row> <row>
@ -127,9 +127,9 @@
<entry>500</entry> <entry>500</entry>
<entry></entry> <entry/>
<entry></entry> <entry/>
</row> </row>
</tbody> </tbody>
</tgroup> </tgroup>
@ -146,15 +146,15 @@
<entry align="center">SOURCE</entry> <entry align="center">SOURCE</entry>
<entry align="center">DESTINATION</entry> <entry align="center">DEST</entry>
<entry align="center">PROTOCOL</entry> <entry align="center">PROTO</entry>
<entry align="center">PORT</entry> <entry align="center">DPORT</entry>
<entry align="center">CLIENT PORT</entry> <entry align="center">SPORT</entry>
<entry align="center">ORIGINAL DEST</entry> <entry align="center">ORIGDEST</entry>
</row> </row>
</thead> </thead>
@ -170,9 +170,9 @@
<entry>4500</entry> <entry>4500</entry>
<entry></entry> <entry/>
<entry></entry> <entry/>
</row> </row>
<row> <row>
@ -186,9 +186,9 @@
<entry>500</entry> <entry>500</entry>
<entry></entry> <entry/>
<entry></entry> <entry/>
</row> </row>
</tbody> </tbody>
</tgroup> </tgroup>


@ -115,7 +115,7 @@
<para>Incoming traffic is similar.</para> <para>Incoming traffic is similar.</para>
<graphic align="center" fileref="images/VPNBasics.png" /> <graphic align="center" fileref="images/VPNBasics.png"/>
</section> </section>
<section id="Shorewall"> <section id="Shorewall">
@ -203,8 +203,8 @@ loc ipv4
<para><filename>/etc/shorewall/interfaces</filename>:</para> <para><filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTION <programlisting>#ZONE INTERFACE OPTION
net eth0 - tcpflags,routefilter net eth0 tcpflags,routefilter
loc eth1 - loc eth1 -
<emphasis role="bold">rem ppp0 -</emphasis></programlisting> <emphasis role="bold">rem ppp0 -</emphasis></programlisting>
</section> </section>
@ -216,7 +216,7 @@ loc eth1 -
client(s) and the local zone. You can do that with a couple of client(s) and the local zone. You can do that with a couple of
policies:</para> policies:</para>
<programlisting>#SOURCE DESTINATION POLICY LEVEL BURST/LIMIT <programlisting>#SOURCE DESTINATION POLICY LOGLEVEL BURST
rem loc ACCEPT rem loc ACCEPT
loc rem ACCEPT</programlisting> loc rem ACCEPT</programlisting>
@ -259,8 +259,8 @@ rem2 ipv4 #Remote LAN 2</emphasis></programlisting>
<para><filename>/etc/shorewall/interfaces</filename>:</para> <para><filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTION <programlisting>#ZONE INTERFACE OPTION
net eth0 - tcpflags,routefilter net eth0 tcpflags,routefilter
loc eth1 - loc eth1 -
<emphasis role="bold">- tun+ -</emphasis></programlisting> <emphasis role="bold">- tun+ -</emphasis></programlisting>
@ -291,15 +291,14 @@ rem2 tun+:10.0.1.0/24</emphasis></programlisting>
<para>/<filename>etc/shorewall/tunnels</filename>:</para> <para>/<filename>etc/shorewall/tunnels</filename>:</para>
<blockquote> <blockquote>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE <programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
ipsec Z1 1.2.3.4 Z2</programlisting> ipsec Z1 1.2.3.4 Z2</programlisting>
</blockquote> </blockquote>
<para><filename>/etc/shorewall/rules</filename>:</para> <para><filename>/etc/shorewall/rules</filename>:</para>
<blockquote> <blockquote>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT
# PORT PORT(S)
ACCEPT $FW Z1:1.2.3.4 udp 500 ACCEPT $FW Z1:1.2.3.4 udp 500
ACCEPT Z1:1.2.3.4 $FW udp 500 ACCEPT Z1:1.2.3.4 $FW udp 500
ACCEPT $FW Z1:1.2.3.4 50 ACCEPT $FW Z1:1.2.3.4 50
@ -322,15 +321,14 @@ ACCEPT Z2:1.2.3.4 $FW udp 500</programlisting>
<para><filename>/etc/shorewall/tunnels</filename>:</para> <para><filename>/etc/shorewall/tunnels</filename>:</para>
<blockquote> <blockquote>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE <programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
pptpserver Z1 1.2.3.4</programlisting> pptpserver Z1 1.2.3.4</programlisting>
</blockquote> </blockquote>
<para>/<filename>etc/shorewall/rules</filename>:</para> <para>/<filename>etc/shorewall/rules</filename>:</para>
<blockquote> <blockquote>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT
# PORT PORT(S)
ACCEPT Z1:1.2.3.4 $FW tcp 1723 ACCEPT Z1:1.2.3.4 $FW tcp 1723
ACCEPT $FW Z1:1.2.3.4 47 ACCEPT $FW Z1:1.2.3.4 47
@ -347,15 +345,14 @@ ACCEPT Z1:1.2.3.4 $FW 47</programlisting>
<para><filename>/etc/shorewall/tunnels</filename>:</para> <para><filename>/etc/shorewall/tunnels</filename>:</para>
<blockquote> <blockquote>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE <programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
openvpn:<emphasis>port</emphasis> Z1 1.2.3.4</programlisting> openvpn:<emphasis>port</emphasis> Z1 1.2.3.4</programlisting>
</blockquote> </blockquote>
<para><filename>/etc/shorewall/rules</filename>:</para> <para><filename>/etc/shorewall/rules</filename>:</para>
<blockquote> <blockquote>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT
# PORT PORT(S)
ACCEPT Z1:1.2.3.4 $FW udp <emphasis>port</emphasis> ACCEPT Z1:1.2.3.4 $FW udp <emphasis>port</emphasis>
ACCEPT $FW Z1:1.2.3.4 udp <emphasis>port</emphasis></programlisting> ACCEPT $FW Z1:1.2.3.4 udp <emphasis>port</emphasis></programlisting>
@ -364,15 +361,14 @@ ACCEPT $FW Z1:1.2.3.4 udp <emphasis>port</emphasis></progr
<para><filename>/etc/shorewall/tunnels</filename>:</para> <para><filename>/etc/shorewall/tunnels</filename>:</para>
<blockquote> <blockquote>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE <programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
openvpnclient:<emphasis>port</emphasis> Z1 1.2.3.4</programlisting> openvpnclient:<emphasis>port</emphasis> Z1 1.2.3.4</programlisting>
</blockquote> </blockquote>
<para><filename>/etc/shorewall/rules</filename>:</para> <para><filename>/etc/shorewall/rules</filename>:</para>
<blockquote> <blockquote>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT
# PORT PORT(S)
ACCEPT Z1:1.2.3.4 $FW udp - <emphasis>port</emphasis> ACCEPT Z1:1.2.3.4 $FW udp - <emphasis>port</emphasis>
ACCEPT $FW Z1:1.2.3.4 udp <emphasis>port</emphasis></programlisting> ACCEPT $FW Z1:1.2.3.4 udp <emphasis>port</emphasis></programlisting>
@ -381,15 +377,14 @@ ACCEPT $FW Z1:1.2.3.4 udp <emphasis>port</emphasis></progr
<para><filename>/etc/shorewall/tunnels</filename>:</para> <para><filename>/etc/shorewall/tunnels</filename>:</para>
<blockquote> <blockquote>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE <programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
openvpnserver:<emphasis>port</emphasis> Z1 1.2.3.4</programlisting> openvpnserver:<emphasis>port</emphasis> Z1 1.2.3.4</programlisting>
</blockquote> </blockquote>
<para><filename>/etc/shorewall/rules</filename>:</para> <para><filename>/etc/shorewall/rules</filename>:</para>
<blockquote> <blockquote>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT
# PORT PORT(S)
ACCEPT Z1:1.2.3.4 $FW udp <emphasis>port</emphasis> ACCEPT Z1:1.2.3.4 $FW udp <emphasis>port</emphasis>
ACCEPT $FW Z1:1.2.3.4 udp - <emphasis>port</emphasis></programlisting> ACCEPT $FW Z1:1.2.3.4 udp - <emphasis>port</emphasis></programlisting>

View File

@ -122,7 +122,7 @@ gateway:~#</programlisting>
<para>This is a diagram of the network configuration here at Shorewall.net <para>This is a diagram of the network configuration here at Shorewall.net
during the summer of 2010:</para> during the summer of 2010:</para>
<graphic align="center" fileref="images/Network2010a.png" /> <graphic align="center" fileref="images/Network2010a.png"/>
<para>I created a zone for the vservers as follows:</para> <para>I created a zone for the vservers as follows:</para>
@ -138,8 +138,9 @@ vpn ipv4 #OpenVPN clients
<para><filename>/etc/shorewall/interfaces</filename>:</para> <para><filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS <programlisting>?FORMAT 2
<emphasis role="bold">net eth1 detect routeback,dhcp,optional,routefilter=0,logmartians,proxyarp=0,nosmurfs,upnp</emphasis> #ZONE INTERFACE OPTIONS
<emphasis role="bold">net eth1 routeback,dhcp,optional,routefilter=0,logmartians,proxyarp=0,nosmurfs,upnp</emphasis>
...</programlisting> ...</programlisting>
<para><filename>/etc/shorewall/hosts</filename>:</para> <para><filename>/etc/shorewall/hosts</filename>:</para>
@ -164,8 +165,7 @@ drct eth4:dynamic
<para><filename>/etc/shorewall6/zones</filename></para> <para><filename>/etc/shorewall6/zones</filename></para>
<programlisting>#ZONE TYPE OPTIONS IN OUT <programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
# OPTIONS OPTIONS
fw firewall fw firewall
net ipv6 net ipv6
loc ipv6 loc ipv6
@ -175,8 +175,9 @@ vpn ipv6
<para><filename>/etc/shorewall6/interfaces</filename>:</para> <para><filename>/etc/shorewall6/interfaces</filename>:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS <programlisting>?FORMAT 2
<emphasis role="bold">net sit1 detect tcpflags,forward=1,nosmurfs,routeback</emphasis> #ZONE INTERFACE OPTIONS
<emphasis role="bold">net sit1 tcpflags,forward=1,nosmurfs,routeback</emphasis>
...</programlisting> ...</programlisting>
<para><filename>/etc/shorewall6/hosts</filename>:</para> <para><filename>/etc/shorewall6/hosts</filename>:</para>
@ -204,7 +205,7 @@ vpn ipv6
Proxy NDP support in Shorewall 4.4.16 and later. The new network diagram Proxy NDP support in Shorewall 4.4.16 and later. The new network diagram
is as shown below:</para> is as shown below:</para>
<graphic align="center" fileref="images/Network2011.png" /> <graphic align="center" fileref="images/Network2011.png"/>
<para>This change was accompanied by the following additions to <para>This change was accompanied by the following additions to
<filename>/etc/shorewall6/proxyndp</filename>:</para> <filename>/etc/shorewall6/proxyndp</filename>:</para>


@ -105,7 +105,7 @@
<para>Here is a high-level diagram of our network.</para> <para>Here is a high-level diagram of our network.</para>
<graphic align="center" fileref="images/Xen5.png" /> <graphic align="center" fileref="images/Xen5.png"/>
<para>As shown in this diagram, the Xen system has three physical network <para>As shown in this diagram, the Xen system has three physical network
interfaces. These are:</para> interfaces. These are:</para>
@ -365,7 +365,7 @@ bootentry = 'hda2:/boot/vmlinuz-xen,/boot/initrd-xen'
<para>With the three Xen domains up and running, the system looks as <para>With the three Xen domains up and running, the system looks as
shown in the following diagram.</para> shown in the following diagram.</para>
<graphic align="center" fileref="images/Xen4a.png" /> <graphic align="center" fileref="images/Xen4a.png"/>
<para>The zones correspond to the Shorewall zones in the Dom0 <para>The zones correspond to the Shorewall zones in the Dom0
configuration.</para> configuration.</para>
@ -440,7 +440,7 @@ bootentry = 'hda2:/boot/vmlinuz-xen,/boot/initrd-xen'
a bridged OpenVPN server for the wireless network in our home. Here is a bridged OpenVPN server for the wireless network in our home. Here is
the firewall's view of the network:</para> the firewall's view of the network:</para>
<graphic align="center" fileref="images/network4a.png" /> <graphic align="center" fileref="images/network4a.png"/>
<para>The three laptops can be directly attached to the LAN as shown <para>The three laptops can be directly attached to the LAN as shown
above or they can be attached wirelessly -- their IP addresses are the above or they can be attached wirelessly -- their IP addresses are the
@ -520,21 +520,17 @@ TCP_FLAGS_DISPOSITION=DROP</programlisting>
<para><filename>/etc/shorewall/zones</filename>:</para> <para><filename>/etc/shorewall/zones</filename>:</para>
<programlisting>#ZONE TYPE OPTIONS IN OUT <programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
# OPTIONS OPTIONS
fw firewall #The firewall itself. fw firewall #The firewall itself.
net ipv4 #Internet net ipv4 #Internet
loc ipv4 #Local wired Zone loc ipv4 #Local wired Zone
dmz ipv4 #DMZ dmz ipv4 #DMZ
vpn ipv4 #Open VPN clients vpn ipv4 #Open VPN clients
wifi ipv4 #Local Wireless Zone wifi ipv4 #Local Wireless Zone</programlisting>
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
</programlisting>
<para><filename>/etc/shorewall/policy</filename>:</para> <para><filename>/etc/shorewall/policy</filename>:</para>
<programlisting>#SOURCE DEST POLICY LOG LIMIT:BURST <programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
# LEVEL
$FW $FW ACCEPT $FW $FW ACCEPT
$FW net ACCEPT $FW net ACCEPT
loc net ACCEPT loc net ACCEPT
@ -549,8 +545,7 @@ net $FW DROP $LOG 1/sec:2
net loc DROP $LOG 2/sec:4 net loc DROP $LOG 2/sec:4
net dmz DROP $LOG 8/sec:30 net dmz DROP $LOG 8/sec:30
net vpn DROP $LOG net vpn DROP $LOG
all all REJECT $LOG all all REJECT $LOG</programlisting>
#LAST LINE -- DO NOT REMOVE</programlisting>
<para><filename>Note that the firewall&lt;-&gt;local network interface <para><filename>Note that the firewall&lt;-&gt;local network interface
is wide open so from a security point of view, the firewall system is is wide open so from a security point of view, the firewall system is
@ -572,9 +567,7 @@ EXT_IF=eth0
WIFI_IF=eth2 WIFI_IF=eth2
TEST_IF=eth4 TEST_IF=eth4
OMAK=&lt;IP address at our second home&gt; OMAK=&lt;IP address at our second home&gt;</programlisting>
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
<para><filename>/etc/shorewall/init</filename>:</para> <para><filename>/etc/shorewall/init</filename>:</para>
@ -591,16 +584,14 @@ loc $TEST_IF detect optional
loc $TEST1_IF detect optional loc $TEST1_IF detect optional
wifi $WIFI_IF detect dhcp,maclist,mss=1400 wifi $WIFI_IF detect dhcp,maclist,mss=1400
vpn tun+ - vpn tun+ -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting> </programlisting>
<para><filename>/etc/shorewall/nat</filename>:</para> <para><filename>/etc/shorewall/nat</filename>:</para>
<programlisting>#EXTERNAL INTERFACE INTERNAL ALL LOCAL <programlisting>#EXTERNAL INTERFACE INTERNAL ALLINTS LOCAL
# INTERFACES
COMMENT One-to-one NAT COMMENT One-to-one NAT
206.124.146.178 $EXT_IF:0 192.168.1.3 No No 206.124.146.178 $EXT_IF:0 192.168.1.3 No No
206.124.146.180 $EXT_IF:2 192.168.1.6 No No 206.124.146.180 $EXT_IF:2 192.168.1.6 No No</programlisting>
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
<para><filename>/etc/shorewall/masq (Note the cute trick here and in <para><filename>/etc/shorewall/masq (Note the cute trick here and in
the <filename>following proxyarp</filename> file that allows me to the <filename>following proxyarp</filename> file that allows me to
@ -609,7 +600,7 @@ COMMENT One-to-one NAT
rule before the SNAT rules generated by entries in rule before the SNAT rules generated by entries in
<filename>/etc/shorewall/nat</filename> above.</para> <filename>/etc/shorewall/nat</filename> above.</para>
<programlisting>#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC <programlisting>#INTERFACE SOURCE ADDRESS PROTO DPORT IPSEC
COMMENT Handle DSL 'Modem' COMMENT Handle DSL 'Modem'
+$EXT_IF:192.168.1.1 0.0.0.0/0 192.168.1.254 +$EXT_IF:192.168.1.1 0.0.0.0/0 192.168.1.254
@ -624,51 +615,36 @@ $EXT_IF:192.168.99.1 192.168.98.1 192.168.1.98
COMMENT Masquerade Local Network COMMENT Masquerade Local Network
$EXT_IF 192.168.1.0/24 206.124.146.179 $EXT_IF 192.168.1.0/24 206.124.146.179</programlisting>
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
<para><filename>/etc/shorewall/proxyarp</filename>:</para> <para><filename>/etc/shorewall/proxyarp</filename>:</para>
<programlisting>#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT <programlisting>#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
192.168.1.1 $EXT_IF $INT_IF yes 192.168.1.1 $EXT_IF $INT_IF yes
206.124.146.177 $DMZ_IF $EXT_IF yes 206.124.146.177 $DMZ_IF $EXT_IF yes
192.168.1.7 $TEST_IF $INT_IF yes 192.168.1.7 $TEST_IF $INT_IF yes</programlisting>
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
<para><filename>/etc/shorewall/tunnels</filename>:</para> <para><filename>/etc/shorewall/tunnels</filename>:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY <programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
# ZONE
openvpnserver:udp net 0.0.0.0/0 #Routed server for RoadWarrior access openvpnserver:udp net 0.0.0.0/0 #Routed server for RoadWarrior access
openvpnserver:udp wifi 192.168.3.0/24 #Home wireless network server openvpnserver:udp wifi 192.168.3.0/24 #Home wireless network server</programlisting>
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
<para><filename>/etc/shorewall/blacklist</filename>:</para>
<programlisting>#ADDRESS/SUBNET PROTOCOL PORT
- udp 1024:1033,1434
- tcp 57,1433,1434,2401,2745,3127,3306,3410,4899,5554,6101,8081,9898
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
<para><filename>/etc/shorewall/actions</filename>:</para> <para><filename>/etc/shorewall/actions</filename>:</para>
<programlisting>#ACTION <programlisting>#ACTION
Mirrors # Accept traffic from Shorewall Mirrors Mirrors # Accept traffic from Shorewall Mirrors</programlisting>
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
<para><filename>/etc/shorewall/action.Mirrors</filename>:</para> <para><filename>/etc/shorewall/action.Mirrors</filename>:</para>
<programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE <programlisting>#TARGET SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE
# PORT PORT(S) DEST LIMIT ACCEPT $MIRRORS</programlisting>
ACCEPT $MIRRORS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
<para><filename>/etc/shorewall/rules</filename>:</para> <para><filename>/etc/shorewall/rules</filename>:</para>
<programlisting>SECTION NEW <programlisting>SECTION NEW
############################################################################################################################################################################### ###############################################################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
# PORT PORT(S) DEST LIMIT GROUP
############################################################################################################################################################################### ###############################################################################################################################################################################
REJECT:$LOG loc net tcp 25 REJECT:$LOG loc net tcp 25
REJECT:$LOG loc net udp 1025:1031 REJECT:$LOG loc net udp 1025:1031
@ -893,28 +869,24 @@ Ping(ACCEPT) fw dmz
# Avoid logging Freenode.net probes # Avoid logging Freenode.net probes
# #
DROP net:82.96.96.3 all DROP net:82.96.96.3 all
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting> </programlisting>
<para><filename>/etc/shorewall/tcdevices</filename></para> <para><filename>etc/shorewall/tcdevices</filename></para>
<programlisting>#INTERFACE IN-BANDWITH OUT-BANDWIDTH <programlisting>#INTERFACE IN_BANDWITH OUT_BANDWIDTH
$EXT_IF 1300kbit 384kbit $EXT_IF 1300kbit 384kbit
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
</programlisting> </programlisting>
<para><filename>/etc/shorewall/tcclasses</filename><programlisting>#INTERFACE MARK RATE CEIL PRIORITY OPTIONS <para><filename>/etc/shorewall/tcclasses</filename><programlisting>#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
$EXT_IF 10 5*full/10 full 1 tcp-ack,tos-minimize-delay $EXT_IF 10 5*full/10 full 1 tcp-ack,tos-minimize-delay
$EXT_IF 20 3*full/10 9*full/10 2 default $EXT_IF 20 3*full/10 9*full/10 2 default
$EXT_IF 30 2*full/10 6*full/10 3 $EXT_IF 30 2*full/10 6*full/10 3</programlisting></para>
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting></para>
<para><filename>/etc/shorewall/tcrules</filename><programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST <para><filename>/etc/shorewall/mangle</filename><programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
# PORT(S) CLASSIFY(1:110) 192.168.0.0/22 $EXT_IF #Our internal nets get priority
1:110 192.168.0.0/22 $EXT_IF #Our internal nets get priority #over the server
#over the server CLASSIFY(1:130) 206.124.146.177 $EXT_IF tcp - 873 #Throttle rsync traffic to the
1:130 206.124.146.177 $EXT_IF tcp - 873 #Throttle rsync traffic to the #Shorewall Mirrors.</programlisting></para>
#Shorewall Mirrors.
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting></para>
</blockquote> </blockquote>
<para>The <filename class="devicefile">tap0</filename> device used by <para>The <filename class="devicefile">tap0</filename> device used by


@ -72,7 +72,7 @@
class="devicefile">xenbr0</filename>) and a number of virtual interfaces class="devicefile">xenbr0</filename>) and a number of virtual interfaces
as shown in the following diagram.</para> as shown in the following diagram.</para>
<graphic align="center" fileref="images/Xen1.png" /> <graphic align="center" fileref="images/Xen1.png"/>
<para>I use the term <firstterm>Extended Dom0</firstterm> to distinguish <para>I use the term <firstterm>Extended Dom0</firstterm> to distinguish
the bridge and virtual interfaces from Dom0 itself. That distinction is the bridge and virtual interfaces from Dom0 itself. That distinction is
@ -169,7 +169,7 @@
<para>Here is a high-level diagram of our network.</para> <para>Here is a high-level diagram of our network.</para>
<graphic align="center" fileref="images/Xen5.png" /> <graphic align="center" fileref="images/Xen5.png"/>
<para>As shown in this diagram, the Xen system has three physical network <para>As shown in this diagram, the Xen system has three physical network
interfaces. These are:</para> interfaces. These are:</para>
@ -330,7 +330,7 @@ disk = [ 'phy:hda3,hda3,w' ]</programlisting>
<para>With all three Xen domains up and running, the system looks as <para>With all three Xen domains up and running, the system looks as
shown in the following diagram.</para> shown in the following diagram.</para>
<graphic align="center" fileref="images/Xen4.png" /> <graphic align="center" fileref="images/Xen4.png"/>
<para>The zones correspond to the Shorewall zones in the firewall DomU <para>The zones correspond to the Shorewall zones in the firewall DomU
configuration.</para> configuration.</para>
@ -430,39 +430,24 @@ done</programlisting>
<blockquote> <blockquote>
<para><filename>/etc/shorewall/zones</filename>:</para> <para><filename>/etc/shorewall/zones</filename>:</para>
<programlisting>#ZONE TYPE OPTIONS IN OUT <programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
# OPTIONS OPTIONS
fw firewall fw firewall
loc ipv4 loc ipv4
dmz ipv4 dmz ipv4</programlisting>
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
</programlisting>
<para><filename>/etc/shorewall/policy</filename> (Note the unusual use <para><filename>/etc/shorewall/policy</filename> (Note the unusual use
of an ACCEPT all-&gt;all policy):</para> of an ACCEPT all-&gt;all policy):</para>
<programlisting>#SOURCE DEST POLICY LOG LIMIT:BURST <programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
# LEVEL
dmz all REJECT info dmz all REJECT info
all dmz REJECT info all dmz REJECT info
all all ACCEPT all all ACCEPT</programlisting>
#LAST LINE -- DO NOT REMOVE</programlisting>
<para><filename>/etc/shorewall/interfaces</filename>:</para> <para><filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS <programlisting>#ZONE INTERFACE BROADCAST OPTIONS
loc xenbr0 192.168.1.255 dhcp,routeback loc xenbr0 192.168.1.255 dhcp,routeback
dmz xenbr1 - routeback dmz xenbr1 - routeback</programlisting>
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
<para><filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</blockquote> </blockquote>
</section> </section>
@ -478,7 +463,7 @@ SECTION NEW
for our two laptops and a bridged OpenVPN server for the wireless for our two laptops and a bridged OpenVPN server for the wireless
network in our home. Here is the firewall's view of the network:</para> network in our home. Here is the firewall's view of the network:</para>
<graphic align="center" fileref="images/network4.png" /> <graphic align="center" fileref="images/network4.png"/>
<para>The two laptops can be directly attached to the LAN as shown above <para>The two laptops can be directly attached to the LAN as shown above
or they can be attached wirelessly -- their IP addresses are the same in or they can be attached wirelessly -- their IP addresses are the same in
@ -544,21 +529,17 @@ TCP_FLAGS_DISPOSITION=DROP</programlisting>
<para><filename>/etc/shorewall/zones</filename>:</para> <para><filename>/etc/shorewall/zones</filename>:</para>
<programlisting>#ZONE TYPE OPTIONS IN OUT <programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
# OPTIONS OPTIONS
fw firewall fw firewall
net ipv4 #Internet net ipv4 #Internet
loc ipv4 #Local wired Zone loc ipv4 #Local wired Zone
dmz ipv4 #DMZ dmz ipv4 #DMZ
vpn ipv4 #Open VPN clients vpn ipv4 #Open VPN clients
wifi ipv4 #Local Wireless Zone wifi ipv4 #Local Wireless Zone</programlisting>
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
</programlisting>
<para><filename>/etc/shorewall/policy</filename>:</para> <para><filename>/etc/shorewall/policy</filename>:</para>
<programlisting>#SOURCE DEST POLICY LOG LIMIT:BURST <programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
# LEVEL
$FW $FW ACCEPT $FW $FW ACCEPT
$FW net ACCEPT $FW net ACCEPT
loc net ACCEPT loc net ACCEPT
@ -573,8 +554,7 @@ net $FW DROP $LOG 1/sec:2
net loc DROP $LOG 2/sec:4 net loc DROP $LOG 2/sec:4
net dmz DROP $LOG 8/sec:30 net dmz DROP $LOG 8/sec:30
net vpn DROP $LOG net vpn DROP $LOG
all all REJECT $LOG all all REJECT $LOG</programlisting>
#LAST LINE -- DO NOT REMOVE</programlisting>
<para><filename>/etc/shorewall/params (edited)</filename>:</para> <para><filename>/etc/shorewall/params (edited)</filename>:</para>
@ -591,9 +571,7 @@ DMZ_IF=eth1
EXT_IF=eth3 EXT_IF=eth3
WIFI_IF=eth4 WIFI_IF=eth4
OMAK=&lt;IP address at our second home&gt; OMAK=&lt;IP address at our second home&gt;</programlisting>
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
<para><filename>/etc/shorewall/init</filename>:</para> <para><filename>/etc/shorewall/init</filename>:</para>
@ -607,15 +585,14 @@ dmz $DMZ_IF 192.168.0.255 logmartians
loc $INT_IF 192.168.1.255 dhcp,routeback,logmartians loc $INT_IF 192.168.1.255 dhcp,routeback,logmartians
wifi $WIFI_IF 192.168.3.255 dhcp,maclist wifi $WIFI_IF 192.168.3.255 dhcp,maclist
vpn tun+ - vpn tun+ -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting> </programlisting>
<para><filename>/etc/shorewall/nat</filename>:</para> <para><filename>/etc/shorewall/nat</filename>:</para>
<programlisting>#EXTERNAL INTERFACE INTERNAL ALL LOCAL <programlisting>#EXTERNAL INTERFACE INTERNAL ALLINTS LOCAL
# INTERFACES
206.124.146.178 $EXT_IF 192.168.1.3 No No #Wookie 206.124.146.178 $EXT_IF 192.168.1.3 No No #Wookie
206.124.146.180 $EXT_IF 192.168.1.6 No No #Work LapTop 206.124.146.180 $EXT_IF 192.168.1.6 No No #Work LapTop
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting> </programlisting>
<para><filename>/etc/shorewall/masq (Note the cute trick here and in <para><filename>/etc/shorewall/masq (Note the cute trick here and in
the <filename>following proxyarp</filename> file that allows me to the <filename>following proxyarp</filename> file that allows me to
@ -624,45 +601,39 @@ vpn tun+ -
rule before the SNAT rules generated by entries in rule before the SNAT rules generated by entries in
<filename>/etc/shorewall/nat</filename> above.</para> <filename>/etc/shorewall/nat</filename> above.</para>
<programlisting>#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC <programlisting>#INTERFACE SUBNET ADDRESS PROTO DPORT IPSEC
+$EXT_IF:192.168.1.1 0.0.0.0/0 192.168.1.254 +$EXT_IF:192.168.1.1 0.0.0.0/0 192.168.1.254
$EXT_IF 192.168.0.0/22 206.124.146.179 $EXT_IF 192.168.0.0/22 206.124.146.179</programlisting>
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
<para><filename>/etc/shorewall/proxyarp</filename>:</para> <para><filename>/etc/shorewall/proxyarp</filename>:</para>
<programlisting>#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT <programlisting>#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
192.168.1.1 $EXT_IF $INT_IF yes 192.168.1.1 $EXT_IF $INT_IF yes
206.124.146.177 $DMZ_IF $EXT_IF yes 206.124.146.177 $DMZ_IF $EXT_IF yes</programlisting>
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
<para><filename>/etc/shorewall/tunnels</filename>:</para> <para><filename>/etc/shorewall/tunnels</filename>:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY <programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
# ZONE
openvpnserver:udp net 0.0.0.0/0 #Routed server for RoadWarrior access openvpnserver:udp net 0.0.0.0/0 #Routed server for RoadWarrior access
openvpnserver:udp wifi 192.168.3.0/24 #Home wireless network server openvpnserver:udp wifi 192.168.3.0/24 #Home wireless network server
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting> </programlisting>
<para><filename>/etc/shorewall/actions</filename>:</para> <para><filename>/etc/shorewall/actions</filename>:</para>
<programlisting>#ACTION <programlisting>#ACTION
Mirrors # Accept traffic from Shorewall Mirrors Mirrors # Accept traffic from Shorewall Mirrors
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting> </programlisting>
<para><filename>/etc/shorewall/action.Mirrors</filename>:</para> <para><filename>/etc/shorewall/action.Mirrors</filename>:</para>
<programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE <programlisting>#TARGET SOURCE DEST PROTO PORT SPORT ORIGDEST RATE
# PORT PORT(S) DEST LIMIT ACCEPT $MIRRORS</programlisting>
ACCEPT $MIRRORS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
<para><filename>/etc/shorewall/rules</filename>:</para> <para><filename>/etc/shorewall/rules</filename>:</para>
<programlisting>SECTION NEW <programlisting>?SECTION NEW
############################################################################################################################################################################### ###############################################################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
# PORT PORT(S) DEST LIMIT GROUP
############################################################################################################################################################################### ###############################################################################################################################################################################
REJECT:$LOG loc net tcp 25 REJECT:$LOG loc net tcp 25
REJECT:$LOG loc net udp 1025:1031 REJECT:$LOG loc net udp 1025:1031
@ -815,28 +786,24 @@ Ping(ACCEPT) fw dmz
# Avoid logging Freenode.net probes # Avoid logging Freenode.net probes
# #
DROP net:82.96.96.3 all DROP net:82.96.96.3 all
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting> </programlisting>
<para><filename>/etc/shorewall/tcdevices</filename></para> <para><filename>/etc/shorewall/tcdevices</filename></para>
<programlisting>#INTERFACE IN-BANDWITH OUT-BANDWIDTH <programlisting>#INTERFACE IN_BANDWITH OUT_BANDWIDTH
$EXT_IF 1300kbit 384kbit $EXT_IF 1300kbit 384kbit</programlisting>
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
</programlisting>
<para><filename>/etc/shorewall/tcclasses</filename><programlisting>#INTERFACE MARK RATE CEIL PRIORITY OPTIONS <para><filename>/etc/shorewall/tcclasses</filename><programlisting>#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
$EXT_IF 10 5*full/10 full 1 tcp-ack,tos-minimize-delay $EXT_IF 10 5*full/10 full 1 tcp-ack,tos-minimize-delay
$EXT_IF 20 3*full/10 9*full/10 2 default $EXT_IF 20 3*full/10 9*full/10 2 default
$EXT_IF 30 2*full/10 6*full/10 3 $EXT_IF 30 2*full/10 6*full/10 3</programlisting></para>
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting></para>
<para><filename>/etc/shorewall/tcrules</filename><programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST <para><filename>/etc/shorewall/mangle</filename><programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
# PORT(S) CLASSIFY(1:110) 192.168.0.0/22 $EXT_IF #Our internal nets get priority
1:110 192.168.0.0/22 $EXT_IF #Our internal nets get priority #over the server
#over the server CLASSIFY(1:130) 206.124.146.177 $EXT_IF tcp - 873 #Throttle rsync traffic to the
1:130 206.124.146.177 $EXT_IF tcp - 873 #Throttle rsync traffic to the #Shorewall Mirrors.
#Shorewall Mirrors. </programlisting></para>
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting></para>
</blockquote> </blockquote>
<para>The tap0 device used by the bridged OpenVPN server is bridged to <para>The tap0 device used by the bridged OpenVPN server is bridged to


@ -85,14 +85,13 @@
url="manpages/shorewall-blrules.html">shorewall-blrules</ulink> (5)). url="manpages/shorewall-blrules.html">shorewall-blrules</ulink> (5)).
There you have access to the DROP, ACCEPT, REJECT and WHITELIST actions, There you have access to the DROP, ACCEPT, REJECT and WHITELIST actions,
standard and custom macros as well as standard and custom actions. See standard and custom macros as well as standard and custom actions. See
<ulink url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5) for <ulink url="manpages/shorewall-rules.html">shorewall-blrules</ulink> (5)
details.</para> for details.</para>
<para>Example:</para> <para>Example:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST <programlisting>#ACTION SOURCE DEST PROTO DPORT
# PORTS(S)
SECTION BLACKLIST
WHITELIST net:70.90.191.126 all WHITELIST net:70.90.191.126 all
DROP net all udp 1023:1033,1434,5948,23773 DROP net all udp 1023:1033,1434,5948,23773
DROP all net udp 1023:1033 DROP all net udp 1023:1033
@ -107,243 +106,74 @@ DROP net:200.55.14.18 all
<para>Beginning with Shorewall 4.4.26, the <command>update</command> <para>Beginning with Shorewall 4.4.26, the <command>update</command>
command supports a <option>-b</option> option that causes your legacy command supports a <option>-b</option> option that causes your legacy
blacklisting configuration to use the blrules file.</para> blacklisting configuration to use the blrules file.</para>
<note>
<para>If you prefer to keep your blacklisting rules in your rules file
(<ulink url="manpages/shorewall-rules.html">shorewall-rules</ulink>
(5)), you can place them in the BLACKLIST section of that file rather
than in blrules.</para>
</note>
</section> </section>
<section> <section>
<title>Legacy Blacklisting</title> <title>Dynamic Blacklisting</title>
<para>Prior to 4.4.25, two forms of blacklisting were supported; static <para>Beginning with Shorewall 4.4.7, dynamic blacklisting is enabled by
and dynamic. The dynamic variety is still appropriate for setting DYNAMIC_BLACKLIST=Yes in <filename>shorewall.conf</filename>.
<firstterm>on-the-fly</firstterm> blacklisting; the static form is Prior to that release, the feature is always enabled.</para>
deprecated.</para>
<important> <para>Once enabled, dynamic blacklisting doesn't use any configuration
<para><emphasis role="bold">By default, only the source address is parameters but is rather controlled using /sbin/shorewall[-lite] commands.
checked against the blacklists</emphasis>. Blacklists only stop <emphasis role="bold">Note</emphasis> that <emphasis
blacklisted hosts from connecting to you — they do not stop you or your role="bold">to</emphasis> and <emphasis role="bold">from</emphasis> may
users from connecting to blacklisted hosts .</para> only be specified when running <emphasis role="bold">Shorewall 4.4.12 or
later</emphasis>.</para>
<variablelist> <itemizedlist>
<varlistentry> <listitem>
<term>UPDATE</term> <para>drop [to|from] <emphasis>&lt;ip address list&gt;</emphasis> -
causes packets from the listed IP addresses to be silently dropped by
the firewall.</para>
</listitem>
<listitem> <listitem>
<para>Beginning with Shorewall 4.4.12, you can also blacklist by <para>reject [to|from]<emphasis>&lt;ip address list&gt;</emphasis> -
destination address. See <ulink causes packets from the listed IP addresses to be rejected by the
url="manpages/shorewall-blacklist.html">shorewall-blacklist</ulink> firewall.</para>
(5) and <ulink url="manpages/shorewall.html">shorewall</ulink> (8) </listitem>
for details.</para>
</listitem>
</varlistentry>
</variablelist>
</important>
<important> <listitem>
<para><emphasis role="bold">Dynamic Shorewall blacklisting is not <para>allow [to|from] <emphasis>&lt;ip address list&gt;</emphasis> -
appropriate for blacklisting 1,000s of different addresses. Static re-enables receipt of packets from hosts previously blacklisted by a
Blacklisting can handle large blacklists but only if you use <emphasis>drop</emphasis> or <emphasis>reject</emphasis>
ipsets</emphasis>. Without ipsets, the blacklists will take forever to command.</para>
load, and will have a very negative effect on firewall </listitem>
performance.</para>
</important>
<section id="Static"> <listitem>
<title>Static Blacklisting</title> <para>save - save the dynamic blacklisting configuration so that it
will be automatically restored the next time that the firewall is
restarted.</para>
<para>Shorewall static blacklisting support has the following <para><emphasis role="bold">Update:</emphasis> Beginning with
configuration parameters:</para> Shorewall 4.4.10, the dynamic blacklist is automatically retained over
<command>stop/start</command> sequences and over
<command>restart</command> and <emphasis
role="bold">reload</emphasis>.</para>
</listitem>
<itemizedlist> <listitem>
<listitem> <para>show dynamic - displays the dynamic blacklisting
<para>You specify whether you want packets from blacklisted hosts configuration.</para>
dropped or rejected using the BLACKLIST_DISPOSITION setting in </listitem>
<ulink
url="manpages/shorewall.conf.html"><filename>shorewall.conf</filename>(5).</ulink></para>
</listitem>
<listitem> <listitem>
<para>You specify whether you want packets from blacklisted hosts <para>logdrop [to|from] <emphasis>&lt;ip address list&gt;</emphasis> -
logged and at what syslog level using the BLACKLIST_LOGLEVEL setting causes packets from the listed IP addresses to be dropped and logged
in <ulink by the firewall. Logging will occur at the level specified by the
url="manpages/shorewall.conf.html"><filename>shorewall.conf</filename></ulink>(5).</para> BLACKLIST_LOGLEVEL setting at the last [re]start (logging will be at
</listitem> the 'info' level if no BLACKLIST_LOGLEVEL was given).</para>
</listitem>
<listitem> <listitem>
<para>You list the IP addresses/subnets that you wish to blacklist <para>logreject [to|from}<emphasis>&lt;ip address list&gt;</emphasis>
in <ulink - causes packets from the listed IP addresses to be rejected and
url="manpages/shorewall-blacklist.html"><filename>shorewall-blacklist</filename></ulink> logged by the firewall. Logging will occur at the level specified by
(5). You may also specify PROTOCOL and Port numbers/Service names in the BLACKLIST_LOGLEVEL setting at the last [re]start (logging will be
the blacklist file.</para> at the 'info' level if no BLACKLIST_LOGLEVEL was given).</para>
</listitem> </listitem>
</itemizedlist>
<listitem>
<para>You specify the interfaces whose incoming packets you want
checked against the blacklist using the <quote>blacklist</quote>
option in <ulink
url="manpages/shorewall-interfaces.html"><filename>shorewall-interfaces</filename></ulink>(5)
(<ulink
url="manpages/shorewall-zones.html">shorewall-zones</ulink>(5) in
Shorewall 4.4.12 and later).</para>
</listitem>
</itemizedlist>
<para>Prior to Shorewall 4.4.20, only source-address static blacklisting
was supported.</para>
<para>Users with a large static black list may want to set the
DELAYBLACKLISTLOAD option in shorewall.conf (added in Shorewall version
2.2.0). When DELAYBLACKLISTLOAD=Yes, Shorewall will enable new
connections before loading the blacklist rules. While this may allow
connections from blacklisted hosts to slip by during construction of the
blacklist, it can substantially reduce the time that all new connections
are disabled during "shorewall [re]start".</para>
<para>Beginning with Shorewall 2.4.0, you can use <ulink
url="ipsets.html">ipsets</ulink> to define your static blacklist. Here's
an example:</para>
<programlisting>#ADDRESS/SUBNET PROTOCOL PORT
+Blacklistports[dst]
+Blacklistnets[src,dst]
+Blacklist[src,dst]
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
<para>In this example, there is a portmap ipset
<emphasis>Blacklistports</emphasis> that blacklists all traffic with
destination ports included in the ipset. There are also
<emphasis>Blacklistnets</emphasis> (type <emphasis>nethash</emphasis>)
and <emphasis>Blacklist</emphasis> (type <emphasis>iphash</emphasis>)
ipsets that allow blacklisting networks and individual IP addresses.
Note that [src,dst] is specified so that individual entries in the sets
can be bound to other portmap ipsets to allow blacklisting
(<emphasis>source address</emphasis>, <emphasis>destination
port</emphasis>) combinations. For example:</para>
<programlisting>ipset -N SMTP portmap --from 1 --to 31
ipset -A SMTP 25
ipset -A Blacklist 206.124.146.177
ipset -B Blacklist 206.124.146.177 -b SMTP</programlisting>
<para>This will blacklist SMTP traffic from host 206.124.146.177.</para>
</section>
<section id="whitelisting">
<title>Static Whitelisting</title>
<para>Beginning with Shorewall 4.4.20, you can create
<firstterm>whitelist</firstterm> entries in the blacklist file.
Connections/packets matching a whitelist entry are not matched against
the entries in the blacklist file that follow. Whitelist entries are
created using the <emphasis role="bold">whitelist</emphasis> option
(OPTIONS column). See <ulink
url="manpages/shorewall-blacklist.html"><filename>shorewall-blacklist</filename></ulink>
(5).</para>
</section>
<section id="Dynamic">
<title>Dynamic Blacklisting</title>
<para>Beginning with Shorewall 4.4.7, dynamic blacklisting is enabled by
setting DYNAMIC_BLACKLIST=Yes in <filename>shorewall.conf</filename>.
Prior to that release, the feature is always enabled.</para>
<para>Once enabled, dynamic blacklisting doesn't use any configuration
parameters but is rather controlled using /sbin/shorewall[-lite]
commands. <emphasis role="bold">Note</emphasis> that <emphasis
role="bold">to</emphasis> and <emphasis role="bold">from</emphasis> may
only be specified when running <emphasis role="bold">Shorewall 4.4.12 or
later</emphasis>.</para>
<itemizedlist>
<listitem>
<para>drop [to|from] <emphasis>&lt;ip address list&gt;</emphasis> -
causes packets from the listed IP addresses to be silently dropped
by the firewall.</para>
</listitem>
<listitem>
<para>reject [to|from]<emphasis>&lt;ip address list&gt;</emphasis> -
causes packets from the listed IP addresses to be rejected by the
firewall.</para>
</listitem>
<listitem>
<para>allow [to|from] <emphasis>&lt;ip address list&gt;</emphasis> -
re-enables receipt of packets from hosts previously blacklisted by a
<emphasis>drop</emphasis> or <emphasis>reject</emphasis>
command.</para>
</listitem>
<listitem>
<para>save - save the dynamic blacklisting configuration so that it
will be automatically restored the next time that the firewall is
restarted.</para>
<para><emphasis role="bold">Update:</emphasis> Beginning with
Shorewall 4.4.10, the dynamic blacklist is automatically retained
over <command>stop/start</command> sequences and over
<command>restart</command>.</para>
</listitem>
<listitem>
<para>show dynamic - displays the dynamic blacklisting
configuration.</para>
</listitem>
<listitem>
<para>logdrop [to|from] <emphasis>&lt;ip address list&gt;</emphasis>
- causes packets from the listed IP addresses to be dropped and
logged by the firewall. Logging will occur at the level specified by
the BLACKLIST_LOGLEVEL setting at the last [re]start (logging will
be at the 'info' level if no BLACKLIST_LOGLEVEL was given).</para>
</listitem>
<listitem>
<para>logreject [to|from}<emphasis>&lt;ip address
list&gt;</emphasis> - causes packets from the listed IP addresses to
be rejected and logged by the firewall. Logging will occur at the
level specified by the BLACKLIST_LOGLEVEL setting at the last
[re]start (logging will be at the 'info' level if no
BLACKLIST_LOGLEVEL was given).</para>
</listitem>
</itemizedlist>
<para>Dynamic blacklisting is not dependent on the
<quote>blacklist</quote> option in
<filename>/etc/shorewall/interfaces</filename>.</para>
<example id="Ignore">
<title>Ignore packets from a pair of systems</title>
<programlisting> <command>shorewall[-lite] drop 192.0.2.124 192.0.2.125</command></programlisting>
<para>Drops packets from hosts 192.0.2.124 and 192.0.2.125</para>
</example>
<example id="Allow">
<title>Re-enable packets from a system</title>
<programlisting> <command>shorewall[-lite] allow 192.0.2.125</command></programlisting>
<para>Re-enables traffic from 192.0.2.125.</para>
</example>
<example>
<title>Displaying the Dynamic Blacklist</title>
<programlisting> <command>shorewall show dynamic</command></programlisting>
<para>Displays the 'dynamic' chain which contains rules for the
dynamic blacklist. The <firstterm>source</firstterm> column contains
the set of blacklisted addresses.</para>
</example>
</section>
</section> </section>
</article> </article>


@ -134,7 +134,7 @@
the bridge would work exactly the same if public IP addresses were used the bridge would work exactly the same if public IP addresses were used
(remember that the bridge doesn't deal with IP addresses).</para> (remember that the bridge doesn't deal with IP addresses).</para>
<graphic fileref="images/bridge.png" /> <graphic fileref="images/bridge.png"/>
<para>There are a several key differences in this setup and a normal <para>There are a several key differences in this setup and a normal
Shorewall configuration:</para> Shorewall configuration:</para>
@ -180,7 +180,7 @@
systems connected to that switch. All of the systems on the local side of systems connected to that switch. All of the systems on the local side of
the <emphasis role="bold">router</emphasis> would still be configured with the <emphasis role="bold">router</emphasis> would still be configured with
IP addresses in 192.168.1.0/24 as shown below.<graphic IP addresses in 192.168.1.0/24 as shown below.<graphic
fileref="images/bridge3.png" /></para> fileref="images/bridge3.png"/></para>
</section> </section>
<section id="Bridge"> <section id="Bridge">
@ -571,8 +571,7 @@ rc-update add bridge boot
fw firewall fw firewall
world ipv4 world ipv4
net:world bport net:world bport
loc:world bport loc:world bport</programlisting>
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
<para>The <emphasis>world</emphasis> zone can be used when defining rules <para>The <emphasis>world</emphasis> zone can be used when defining rules
whose source zone is the firewall itself (remember that fw-&gt;&lt;BP whose source zone is the firewall itself (remember that fw-&gt;&lt;BP
@ -581,11 +580,10 @@ loc:world bport
<para>A conventional two-zone policy file is appropriate here — <para>A conventional two-zone policy file is appropriate here —
<filename>/etc/shorewall/policy</filename>:</para> <filename>/etc/shorewall/policy</filename>:</para>
<programlisting>#SOURCE DEST POLICY LOG LIMIT:BURST <programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
loc net ACCEPT loc net ACCEPT
net all DROP info net all DROP info
all all REJECT info all all REJECT info</programlisting>
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
<para>In <filename>/etc/shorewall/shorewall.conf</filename>:</para> <para>In <filename>/etc/shorewall/shorewall.conf</filename>:</para>
@ -596,11 +594,10 @@ all all REJECT info
is connected to <filename class="devicefile">eth0</filename> and the is connected to <filename class="devicefile">eth0</filename> and the
switch to <filename class="devicefile">eth1</filename>:</para> switch to <filename class="devicefile">eth1</filename>:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS <programlisting>#ZONE INTERFACE OPTIONS
world br0 detect bridge world br0 bridge
net br0:eth0 net br0:eth0
loc br0:eth1 loc br0:eth1</programlisting>
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
<para>The <emphasis>world</emphasis> zone is associated with the bridge <para>The <emphasis>world</emphasis> zone is associated with the bridge
itself which is defined with the <emphasis role="bold">bridge</emphasis> itself which is defined with the <emphasis role="bold">bridge</emphasis>
@ -616,8 +613,7 @@ loc br0:eth1
<filename><filename>/etc/shorewall/routestopped</filename></filename>:</para> <filename><filename>/etc/shorewall/routestopped</filename></filename>:</para>
<programlisting>#INTERFACE HOST(S) OPTIONS <programlisting>#INTERFACE HOST(S) OPTIONS
br0 192.168.1.0/24 routeback br0 192.168.1.0/24 routeback</programlisting>
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
<para>The <filename>/etc/shorewall/rules</filename> file from the <para>The <filename>/etc/shorewall/rules</filename> file from the
two-interface sample is a good place to start for defining a set of two-interface sample is a good place to start for defining a set of
@ -645,9 +641,9 @@ br0 192.168.1.0/24 routeback
<para><filename>/etc/shorewall/interfaces</filename>:</para> <para><filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting> #ZONE INTERFACE BROADCAST OPTIONS <programlisting> #ZONE INTERFACE OPTIONS
world br0 - bridge world br0 bridge
world br1 - bridge world br1 bridge
z1 br0:p+ z1 br0:p+
z2 br1:p+</programlisting> z2 br1:p+</programlisting>
@ -657,11 +653,11 @@ br0 192.168.1.0/24 routeback
configuration may be defined using the following in configuration may be defined using the following in
<filename>/etc/shorewall/interfaces</filename>:</para> <filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting> #ZONE INTERFACE BROADCAST OPTIONS <programlisting> #ZONE INTERFACE OPTIONS
world br0 - bridge world br0 bridge
world br1 - bridge world br1 bridge
z1 br0:x+ - physical=p+ z1 br0:x+ physical=p+
z2 br1:y+ - physical=p+</programlisting> z2 br1:y+ physical=p+</programlisting>
<para>In this configuration, 'x+' is the logical name for ports p+ on <para>In this configuration, 'x+' is the logical name for ports p+ on
bridge br0 while 'y+' is the logical name for ports p+ on bridge bridge br0 while 'y+' is the logical name for ports p+ on bridge
@ -673,8 +669,7 @@ br0 192.168.1.0/24 routeback
<para>Example from /etc/shorewall/rules:</para> <para>Example from /etc/shorewall/rules:</para>
<programlisting> #ACTION SOURCE DEST PROTO DEST <programlisting> #ACTION SOURCE DEST PROTO DPORT
# PORT(S)
REJECT z1:x1023 z1:x1024 tcp 1234</programlisting> REJECT z1:x1023 z1:x1024 tcp 1234</programlisting>
</section> </section>
@ -683,7 +678,7 @@ br0 192.168.1.0/24 routeback
<para>A system running Shorewall doesn't have to be exclusively a bridge <para>A system running Shorewall doesn't have to be exclusively a bridge
or a router -- it can act as both, which is also know as a brouter. Here's or a router -- it can act as both, which is also know as a brouter. Here's
an example:<graphic fileref="images/bridge2.png" /></para> an example:<graphic fileref="images/bridge2.png"/></para>
<para>This is basically the same setup as shown in the <ulink <para>This is basically the same setup as shown in the <ulink
url="shorewall_setup_guide.htm">Shorewall Setup Guide</ulink> with the url="shorewall_setup_guide.htm">Shorewall Setup Guide</ulink> with the
@ -710,11 +705,11 @@ loc ipv4</programlisting>
<listitem> <listitem>
<para>The <filename>/etc/shorewall/interfaces</filename> file is as <para>The <filename>/etc/shorewall/interfaces</filename> file is as
follows:<programlisting>#ZONE INTERFACE BROADCAST OPTIONS follows:<programlisting>#ZONE INTERFACE OPTIONS
pub br0 detect routefilter,bridge pub br0 routefilter,bridge
net br0:eth0 net br0:eth0
dmz br0:eth2 dmz br0:eth2
loc eth1 detect</programlisting></para> loc eth1</programlisting></para>
</listitem> </listitem>
<listitem> <listitem>
@ -761,9 +756,7 @@ all all REJECT info</programlisting>
<para><filename>/etc/shorewall/rules</filename>:</para> <para><filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT
#
PORT(S) PORT(S)
ACCEPT all all icmp 8 ACCEPT all all icmp 8
ACCEPT loc $DMZ tcp 25,53,80,443,... ACCEPT loc $DMZ tcp 25,53,80,443,...
ACCEPT loc $DMZ udp 53 ACCEPT loc $DMZ udp 53
@ -784,7 +777,7 @@ ACCEPT $FW $DMZ tcp 53 </
<para>This configuration is shown in the following diagram.</para> <para>This configuration is shown in the following diagram.</para>
<graphic align="center" fileref="images/veth1.png" /> <graphic align="center" fileref="images/veth1.png"/>
<para>In this configuration, veth0 is assigned the internal IP address; <para>In this configuration, veth0 is assigned the internal IP address;
br0 does not have an IP address.</para> br0 does not have an IP address.</para>
@ -872,8 +865,7 @@ iface veth0 inet static
<para>For this configuration, we need several additional zones as shown <para>For this configuration, we need several additional zones as shown
here:</para> here:</para>
<programlisting>#ZONE TYPE OPTIONS IN OUT <programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
# OPTIONS OPTIONS
fw firewall fw firewall
net ipv4 net ipv4
zone1 bport zone1 bport
@ -943,22 +935,19 @@ all all REJECT:info</programlisting>
<para>Rules allowing traffic from the net to zone2 look like this:</para> <para>Rules allowing traffic from the net to zone2 look like this:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK
# PORT(S) PORT(S) DEST LIMIT GROUP
ACCEPT col zone2 tcp 22 - - - - <emphasis ACCEPT col zone2 tcp 22 - - - - <emphasis
role="bold">net</emphasis></programlisting> role="bold">net</emphasis></programlisting>
<para>or more compactly:</para> <para>or more compactly:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST <programlisting>#ACTION SOURCE DEST PROTO DPORT
# PORT(S)
ACCEPT col <emphasis role="bold">zone2</emphasis> tcp 22 ; mark=<emphasis ACCEPT col <emphasis role="bold">zone2</emphasis> tcp 22 ; mark=<emphasis
role="bold">net</emphasis></programlisting> role="bold">net</emphasis></programlisting>
<para>Similarly, rules allowing traffic from the firewall to zone3:</para> <para>Similarly, rules allowing traffic from the firewall to zone3:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST <programlisting>#ACTION SOURCE DEST PROTO DPORT
# PORT(S)
ACCEPT col <emphasis role="bold">zone3</emphasis> tcp 22 ; mark=<emphasis ACCEPT col <emphasis role="bold">zone3</emphasis> tcp 22 ; mark=<emphasis
role="bold">fw</emphasis></programlisting> role="bold">fw</emphasis></programlisting>
@ -969,8 +958,7 @@ ACCEPT col <emphasis role="bold">zone3</emphasis> tcp 22
<para>Suppose that you want to forward tcp port 80 to 192.168.4.45 in <para>Suppose that you want to forward tcp port 80 to 192.168.4.45 in
zone3:</para> zone3:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK
# PORT(S) PORT(S) DEST LIMIT GROUP
DNAT- net loc:172.168.4.45 tcp 80 DNAT- net loc:172.168.4.45 tcp 80
ACCEPT col zone3:172.168.4.45 tcp 80 - - - - <emphasis ACCEPT col zone3:172.168.4.45 tcp 80 - - - - <emphasis
role="bold">net</emphasis></programlisting> role="bold">net</emphasis></programlisting>
@ -979,15 +967,13 @@ ACCEPT col zone3:172.168.4.45 tcp 80 - -
role="bold">zonei</emphasis> zones to the <emphasis role="bold">zonei</emphasis> zones to the <emphasis
role="bold">net</emphasis> zone look like this:</para> role="bold">net</emphasis> zone look like this:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK
# PORT(S) PORT(S) DEST LIMIT GROUP
ACCEPT loc net tcp 21 - - - - <emphasis ACCEPT loc net tcp 21 - - - - <emphasis
role="bold">zone1</emphasis></programlisting> role="bold">zone1</emphasis></programlisting>
<para>And to the firewall:</para> <para>And to the firewall:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK
# PORT(S) PORT(S) DEST LIMIT GROUP
ACCEPT zone2 col tcp - - - - <emphasis ACCEPT zone2 col tcp - - - - <emphasis
role="bold">zone2</emphasis></programlisting> role="bold">zone2</emphasis></programlisting>
</section> </section>


@ -464,8 +464,7 @@ smtp,www,pop3,imap #Services running on the firewall</programlisting>
<para>Example (<filename>/etc/shorewall/rules</filename>):</para> <para>Example (<filename>/etc/shorewall/rules</filename>):</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST <programlisting>#ACTION SOURCE DEST PROTO DPORT
# PORT(S)
ACCEPT net:\ ACCEPT net:\
206.124.146.177,\ 206.124.146.177,\
206.124.146.178,\ 206.124.146.178,\
@ -483,8 +482,7 @@ ACCEPT net:\
<para>A trailing backslash is not ignored in a comment. So the continued <para>A trailing backslash is not ignored in a comment. So the continued
rule above can be commented out with a single '#' as follows:</para> rule above can be commented out with a single '#' as follows:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST <programlisting>#ACTION SOURCE DEST PROTO DPORT
# PORT(S)
<emphasis role="bold">#</emphasis>ACCEPT net:\ <emphasis role="bold">#</emphasis>ACCEPT net:\
206.124.146.177,\ 206.124.146.177,\
206.124.146.178,\ 206.124.146.178,\
@ -765,8 +763,7 @@ ACCEPT net:\
<para>Example (rules file):</para> <para>Example (rules file):</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST <programlisting>#ACTION SOURCE DEST PROTO DPORT
# PORT(S)
DNAT net loc:10.0.0.1 tcp 80 ; mark="88"</programlisting> DNAT net loc:10.0.0.1 tcp 80 ; mark="88"</programlisting>
<para>Here's the same line in several equivalent formats:</para> <para>Here's the same line in several equivalent formats:</para>
@ -1133,8 +1130,7 @@ COMB_IF !70.90.191.120/29 70.90.191.123</programli
   INCLUDE params.mgmt       INCLUDE params.mgmt   
   
   # params unique to this host here    # params unique to this host here
   #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE   
   ----- end params -----    ----- end params -----
   shorewall/rules.mgmt:    shorewall/rules.mgmt:
@ -1154,7 +1150,7 @@ COMB_IF !70.90.191.120/29 70.90.191.123</programli
   INCLUDE rules.mgmt        INCLUDE rules.mgmt    
   
   # rules unique to this host here    # rules unique to this host here
   #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE   
   ----- end rules -----</programlisting>    ----- end rules -----</programlisting>
@ -1166,14 +1162,14 @@ COMB_IF !70.90.191.120/29 70.90.191.123</programli
ALL.rules DNAT.rules FW.rules NET.rules REDIRECT.rules VPN.rules ALL.rules DNAT.rules FW.rules NET.rules REDIRECT.rules VPN.rules
gateway:/etc/shorewall # </programlisting></para> gateway:/etc/shorewall # </programlisting></para>
<para>/etc/shorewall/rules:<programlisting>SECTION NEW <para>/etc/shorewall/rules:<programlisting>?SECTION NEW
SHELL cat /etc/shorewall/rules.d/*.rules</programlisting></para> SHELL cat /etc/shorewall/rules.d/*.rules</programlisting></para>
<para>If you are the sort to put such an entry in your rules file even <para>If you are the sort to put such an entry in your rules file even
though /etc/shorewall/rules.d might not exist or might be empty, then though /etc/shorewall/rules.d might not exist or might be empty, then
you probably want:</para> you probably want:</para>
<programlisting>SECTION NEW <programlisting>?SECTION NEW
SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting> SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting>
<para>Beginning with Shorewall 4.5.2, in files other than <para>Beginning with Shorewall 4.5.2, in files other than
@ -1306,7 +1302,7 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term>[?]COMMENT [ <replaceable>comment</replaceable> ]</term> <term>?COMMENT [ <replaceable>comment</replaceable> ]</term>
<listitem> <listitem>
<para>If <replaceable>comment</replaceable> is present, it will <para>If <replaceable>comment</replaceable> is present, it will
@ -1363,8 +1359,7 @@ gateway:~ #
<para><filename>/usr/share/shorewall/macro.SSH</filename>:</para> <para><filename>/usr/share/shorewall/macro.SSH</filename>:</para>
<para><programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ <para><programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT RATE USER
# PORT(S) PORT(S) LIMIT GROUP
?COMMENT SSH ?COMMENT SSH
PARAM - - tcp 22 </programlisting> PARAM - - tcp 22 </programlisting>
<filename>/etc/shorewall/rules</filename>:<programlisting>?COMMENT Allow SSH from home <filename>/etc/shorewall/rules</filename>:<programlisting>?COMMENT Allow SSH from home
@ -1771,7 +1766,7 @@ SSH(ACCEPT) net:$MYIP $FW
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para>They may also appear in the ORIGINAL DEST column of:</para> <para>They may also appear in the ORIGDEST column of:</para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
@ -2318,8 +2313,7 @@ gmail-pop.l.google.com. <emphasis role="bold">300</emphasis> IN A 209.85.2
<para>So this rule may work for five minutes then suddently stop <para>So this rule may work for five minutes then suddently stop
working:</para> working:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST <programlisting>#ACTION SOURCE DEST PROTO DPORT
# PORT(S)
POP(ACCEPT) loc net:pop.gmail.com</programlisting> POP(ACCEPT) loc net:pop.gmail.com</programlisting>
<para>If your firewall rules include DNS names then:</para> <para>If your firewall rules include DNS names then:</para>
@ -2418,7 +2412,7 @@ POP(ACCEPT) loc net:pop.gmail.com</programlisting>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>Must not have any embedded white space.<programlisting> Valid: routefilter,dhcp,arpfilter <para>Must not have any embedded white space.+<programlisting> Valid: routefilter,dhcp,arpfilter
Invalid: routefilter,     dhcp,     arpfilter</programlisting></para> Invalid: routefilter,     dhcp,     arpfilter</programlisting></para>
</listitem> </listitem>
@ -2608,7 +2602,7 @@ redirect =&gt; 137</programlisting>
to forward the range of tcp ports 4000 through 4100 to local host to forward the range of tcp ports 4000 through 4100 to local host
192.168.1.3, the entry in /etc/shorewall/rules is:</para> 192.168.1.3, the entry in /etc/shorewall/rules is:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORTS(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
DNAT net loc:192.168.1.3 tcp <emphasis role="bold">4000:4100</emphasis></programlisting> DNAT net loc:192.168.1.3 tcp <emphasis role="bold">4000:4100</emphasis></programlisting>
<para>If you omit the low port number, a value of zero is assumed; if you <para>If you omit the low port number, a value of zero is assumed; if you
@ -2790,8 +2784,7 @@ DNAT net loc:192.168.1.3 tcp <emphasis role="bold">4000:4100<
<para>Forward port 80 to dmz host $BACKUP if switch 'primary_down' is <para>Forward port 80 to dmz host $BACKUP if switch 'primary_down' is
on.</para> on.</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH
# PORT(S) PORT(S) DEST LIMIT GROUP
DNAT net dmz:$BACKUP tcp 80 - - - - - - - - <emphasis DNAT net dmz:$BACKUP tcp 80 - - - - - - - - <emphasis
role="bold">primary_down</emphasis> </programlisting> role="bold">primary_down</emphasis> </programlisting>
</blockquote> </blockquote>
@ -2822,17 +2815,16 @@ DNAT net dmz:$BACKUP tcp 80 - -
<para>Here is an example:</para> <para>Here is an example:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS <programlisting>#ZONE INTERFACE OPTIONS
net <emphasis role="bold">COM_IF </emphasis> detect dhcp,blacklist,tcpflags,optional,upnp,routefilter=0,nosmurfs,logmartians=0,<emphasis net <emphasis role="bold">COM_IF </emphasis> dhcp,blacklist,tcpflags,optional,upnp,routefilter=0,nosmurfs,logmartians=0,<emphasis
role="bold">physical=eth0</emphasis> role="bold">physical=eth0</emphasis>
net <emphasis role="bold">EXT_IF</emphasis> detect dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartians=0,proxyarp=1,<emphasis net <emphasis role="bold">EXT_IF</emphasis> dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartians=0,proxyarp=1,<emphasis
role="bold">physical=eth2</emphasis> role="bold">physical=eth2</emphasis>
loc <emphasis role="bold">INT_IF </emphasis> detect dhcp,logmartians=1,routefilter=1,tcpflags,nets=172.20.1.0/24,<emphasis loc <emphasis role="bold">INT_IF </emphasis> dhcp,logmartians=1,routefilter=1,tcpflags,nets=172.20.1.0/24,<emphasis
role="bold">physical=eth1</emphasis> role="bold">physical=eth1</emphasis>
dmz <emphasis role="bold">VPS_IF </emphasis> detect logmartians=1,routefilter=0,routeback,<emphasis dmz <emphasis role="bold">VPS_IF </emphasis> logmartians=1,routefilter=0,routeback,<emphasis
role="bold">physical=venet0</emphasis> role="bold">physical=venet0</emphasis>
loc <emphasis role="bold">TUN_IF</emphasis> detect <emphasis loc <emphasis role="bold">TUN_IF</emphasis> <emphasis role="bold">physical=tun+</emphasis></programlisting>
role="bold">physical=tun+</emphasis></programlisting>
<para>In this example, COM_IF is a logical interface name that refers to <para>In this example, COM_IF is a logical interface name that refers to
Ethernet interface <filename class="devicefile">eth0</filename>, EXT_IF is Ethernet interface <filename class="devicefile">eth0</filename>, EXT_IF is


@ -154,15 +154,13 @@
<para>Allow UDP ports 67 and 68 ("67:68") between the client zone and <para>Allow UDP ports 67 and 68 ("67:68") between the client zone and
the server zone:</para> the server zone:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST <programlisting>#ACTION SOURCE DEST PROTO DPORT
# PORT(S)
ACCEPT ZONEA ZONEB udp 67:68 ACCEPT ZONEA ZONEB udp 67:68
ACCEPT ZONEB ZONEA udp 67:68</programlisting> ACCEPT ZONEB ZONEA udp 67:68</programlisting>
<para>Alternatively, use the DHCPfwd macro:</para> <para>Alternatively, use the DHCPfwd macro:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST <programlisting>#ACTION SOURCE DEST PROTO DPORT
# PORT(S)
DHCPfwd(ACCEPT) ZONEA ZONEB</programlisting> DHCPfwd(ACCEPT) ZONEA ZONEB</programlisting>
</listitem> </listitem>


@ -107,13 +107,13 @@
<para>Example 1: Blacklist all hosts in an ipset named "blacklist"</para> <para>Example 1: Blacklist all hosts in an ipset named "blacklist"</para>
<para><filename>/etc/shorewall/blacklist</filename><programlisting>#ADDRESS/SUBNET PROTOCOL PORT <para><filename>/etc/shorewall/blrules</filename><programlisting>#ACTION SOURCE DEST PROTO DPORT
+blacklist</programlisting></para> DROP net:+blacklist</programlisting></para>
<para>Example 2: Allow SSH from all hosts in an ipset named "sshok:</para> <para>Example 2: Allow SSH from all hosts in an ipset named "sshok:</para>
<para><filename>/etc/shorewall/rules</filename><programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <para><filename>/etc/shorewall/rules</filename><programlisting>#ACTION SOURCE DEST PROTO DPORT
ACCEPT net:+sshok $FW tcp 22</programlisting></para> ACCEPT net:+sshok $FW tcp 22</programlisting></para>
<para>The name of the ipset can be optionally followed by a <para>The name of the ipset can be optionally followed by a
comma-separated list of flags enclosed in square brackets ([...]). Each comma-separated list of flags enclosed in square brackets ([...]). Each


@ -54,7 +54,7 @@
<para>Shorewall NETMAP support is designed to supply a solution. The basic <para>Shorewall NETMAP support is designed to supply a solution. The basic
situation is as shown in the following diagram.<graphic situation is as shown in the following diagram.<graphic
fileref="images/netmap.png" /></para> fileref="images/netmap.png"/></para>
<para>While the link between the two firewalls is shown here as a VPN, it <para>While the link between the two firewalls is shown here as a VPN, it
could be any type of interconnection that allows routing of <ulink could be any type of interconnection that allows routing of <ulink
@ -163,8 +163,8 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">DEST PORT(S) (Optional - Added in <term><emphasis role="bold">DPORT (Optional - Added in Shorewall
Shorewall 4.4.23.2)</emphasis> - 4.4.23.2)</emphasis> -
<emphasis>port-number-or-name-list</emphasis></term> <emphasis>port-number-or-name-list</emphasis></term>
<listitem> <listitem>
@ -190,8 +190,8 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">DEST PORT(S) (Optional - Added in <term><emphasis role="bold">SPORT (Optional - Added in Shorewall
Shorewall 4.4.23.2)</emphasis> - 4.4.23.2)</emphasis> -
<emphasis>port-number-or-name-list</emphasis></term> <emphasis>port-number-or-name-list</emphasis></term>
<listitem> <listitem>
@ -314,7 +314,7 @@ SNAT 192.168.1.0/24 vpn 10.10.10.0/24 #RULE 2B</programlist
<entry>192.168.1.27</entry> <entry>192.168.1.27</entry>
<entry></entry> <entry/>
</row> </row>
<row> <row>
@ -350,7 +350,7 @@ SNAT 192.168.1.0/24 vpn 10.10.10.0/24 #RULE 2B</programlist
<entry>192.168.1.4</entry> <entry>192.168.1.4</entry>
<entry></entry> <entry/>
</row> </row>
</tbody> </tbody>
</tgroup> </tgroup>
@ -413,7 +413,7 @@ DNAT:T 10.10.10.0/24 vpn 192.168.1.0/24</emphasis></programlisting
<para>IPv6 Netmap has been verified at shorewall.net using the <para>IPv6 Netmap has been verified at shorewall.net using the
configuration shown below.</para> configuration shown below.</para>
<graphic align="center" fileref="images/Network2011b.png" /> <graphic align="center" fileref="images/Network2011b.png"/>
<para>IPv6 support is supplied from Hurricane Electric; the IPv6 address <para>IPv6 support is supplied from Hurricane Electric; the IPv6 address
block is 2001:470:b:227::/64.</para> block is 2001:470:b:227::/64.</para>


@ -55,7 +55,7 @@
policy for z1 to z2 is not ACCEPT, you need a rule in policy for z1 to z2 is not ACCEPT, you need a rule in
<filename>/etc/shorewall/rules</filename> of the form:</para> <filename>/etc/shorewall/rules</filename> of the form:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
Ping(ACCEPT) z1 z2</programlisting> Ping(ACCEPT) z1 z2</programlisting>
<example id="Example1"> <example id="Example1">
@ -63,7 +63,7 @@ Ping(ACCEPT) z1 z2</programlisting>
<para>To permit ping from the local zone to the firewall:</para> <para>To permit ping from the local zone to the firewall:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
Ping(ACCEPT) loc $FW</programlisting> Ping(ACCEPT) loc $FW</programlisting>
</example> </example>
@ -79,7 +79,7 @@ Ping(ACCEPT) loc $FW</programlisting>
<para>With that rule in place, if you want to ignore <quote>ping</quote> <para>With that rule in place, if you want to ignore <quote>ping</quote>
from z1 to z2 then you need a rule of the form:</para> from z1 to z2 then you need a rule of the form:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
Ping(DROP) z1 z2</programlisting> Ping(DROP) z1 z2</programlisting>
<example id="Example2"> <example id="Example2">
@ -88,7 +88,7 @@ Ping(DROP) z1 z2</programlisting>
<para>To drop ping from the Internet, you would need this rule in <para>To drop ping from the Internet, you would need this rule in
<filename>/etc/shorewall/rules</filename>:</para> <filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
Ping(DROP) net $FW</programlisting> Ping(DROP) net $FW</programlisting>
</example> </example>


@ -61,7 +61,7 @@
from the <emphasis role="bold">dmz</emphasis> zone to the <emphasis from the <emphasis role="bold">dmz</emphasis> zone to the <emphasis
role="bold">net</emphasis> zone:</para> role="bold">net</emphasis> zone:</para>
<programlisting>#ACTION SOURCE DESTINATION <programlisting>#ACTION SOURCE DEST
DNS(ACCEPT) dmz net</programlisting> DNS(ACCEPT) dmz net</programlisting>
</note> </note>
@ -74,12 +74,12 @@ DNS(ACCEPT) dmz net</programlisting>
<para>Example: You want to port forward FTP from the net to your server <para>Example: You want to port forward FTP from the net to your server
at 192.168.1.4 in your DMZ. The FTP section below gives you:</para> at 192.168.1.4 in your DMZ. The FTP section below gives you:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
FTP(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis></programlisting> FTP(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis></programlisting>
<para>You would code your rule as follows:</para> <para>You would code your rule as follows:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
FTP(DNAT) net dmz:192.168.1.4 </programlisting> FTP(DNAT) net dmz:192.168.1.4 </programlisting>
</note> </note>
</section> </section>
@ -93,7 +93,7 @@ FTP(DNAT) net dmz:192.168.1.4 </programlisting>
anymore.</emphasis></para> anymore.</emphasis></para>
</caution> </caution>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
Auth(ACCEPT) <emphasis> &lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis></programlisting> Auth(ACCEPT) <emphasis> &lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis></programlisting>
</section> </section>
@ -110,14 +110,14 @@ Auth(ACCEPT) <emphasis> &lt;source&gt;</emphasis> <emphasis>&lt;destination&
port(s)</emphasis></emphasis></para> port(s)</emphasis></emphasis></para>
</caution> </caution>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
BitTorrent(ACCEPT)<emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis></programlisting> BitTorrent(ACCEPT)<emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis></programlisting>
</section> </section>
<section id="DNS"> <section id="DNS">
<title>DNS</title> <title>DNS</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
DNS(ACCEPT) <emphasis> &lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> </programlisting> DNS(ACCEPT) <emphasis> &lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> </programlisting>
<para>Note that if you are setting up a DNS server that supports recursive <para>Note that if you are setting up a DNS server that supports recursive
@ -128,7 +128,7 @@ DNS(ACCEPT) <emphasis> &lt;source&gt;</emphasis> <emphasis>&lt;destination&
a public DNS server in your DMZ that supports recursive resolution for a public DNS server in your DMZ that supports recursive resolution for
local clients then you would need:</para> local clients then you would need:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
DNS(ACCEPT) all dmz DNS(ACCEPT) all dmz
DNS(ACCEPT) dmz net </programlisting> DNS(ACCEPT) dmz net </programlisting>
@ -174,7 +174,7 @@ DNS(ACCEPT) dmz net </programlisting>
<para><filename>/etc/shorewall/rules:</filename></para> <para><filename>/etc/shorewall/rules:</filename></para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
Edonkey(DNAT) net loc:192.168.1.4 Edonkey(DNAT) net loc:192.168.1.4
#if you wish to enable the Emule webserver, add this rule too. #if you wish to enable the Emule webserver, add this rule too.
DNAT net loc:192.168.1.4 tcp 4711</programlisting> DNAT net loc:192.168.1.4 tcp 4711</programlisting>
@ -183,7 +183,7 @@ DNAT net loc:192.168.1.4 tcp 4711</programlisting>
<section id="FTP"> <section id="FTP">
<title>FTP</title> <title>FTP</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
FTP(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis></programlisting> FTP(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis></programlisting>
<para>Look <ulink url="FTP.html">here</ulink> for much more <para>Look <ulink url="FTP.html">here</ulink> for much more
@ -212,14 +212,14 @@ FTP(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt
<listitem> <listitem>
<para>Your loc-&gt;net policy is ACCEPT</para> <para>Your loc-&gt;net policy is ACCEPT</para>
</listitem> </listitem>
</orderedlist><programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) </orderedlist><programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
Gnutella(DNAT) net loc:192.168.1.4</programlisting></para> Gnutella(DNAT) net loc:192.168.1.4</programlisting></para>
</section> </section>
<section id="ICQ"> <section id="ICQ">
<title>ICQ/AIM</title> <title>ICQ/AIM</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
ICQ(ACCEPT) <emphasis>&lt;source&gt;</emphasis> net</programlisting> ICQ(ACCEPT) <emphasis>&lt;source&gt;</emphasis> net</programlisting>
</section> </section>
@ -236,7 +236,7 @@ ICQ(ACCEPT) <emphasis>&lt;source&gt;</emphasis> net</programlisting>
<para>This information is valid only for Shorewall 3.2 or later.</para> <para>This information is valid only for Shorewall 3.2 or later.</para>
</caution> </caution>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
IMAP(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> # Unsecure IMAP IMAP(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> # Unsecure IMAP
IMAPS(ACCEPT) &lt;source&gt; &lt;destination&gt; # IMAP over SSL.</programlisting> IMAPS(ACCEPT) &lt;source&gt; &lt;destination&gt; # IMAP over SSL.</programlisting>
</section> </section>
@ -244,7 +244,7 @@ IMAPS(ACCEPT) &lt;source&gt; &lt;destination&gt; # IMAP over SSL.</programlis
<section id="IPSEC"> <section id="IPSEC">
<title>IPSEC</title> <title>IPSEC</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis> &lt;destination&gt;</emphasis> 50 ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis> &lt;destination&gt;</emphasis> 50
ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis> &lt;destination&gt;</emphasis> 51 ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis> &lt;destination&gt;</emphasis> 51
ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis> &lt;destination&gt;</emphasis> udp 500 ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis> &lt;destination&gt;</emphasis> udp 500
@ -263,9 +263,9 @@ ACCEPT <emphasis>&lt;destination&gt;</emphasis> <emphasis>&lt;source&gt;</e
<para>This information is valid only for Shorewall 3.2 or later.</para> <para>This information is valid only for Shorewall 3.2 or later.</para>
</caution> </caution>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
LDAP(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis> &lt;destination&gt;</emphasis> <emphasis> #Insecure LDAP</emphasis> LDAP(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis> &lt;destination&gt;</emphasis> <emphasis> #Insecure LDAP</emphasis>
LDAPS(ACCEPT) <emphasis><emphasis>&lt;source&gt;</emphasis> <emphasis> &lt;destination&gt;</emphasis></emphasis><emphasis></emphasis> # LDAP over SSL</programlisting> LDAPS(ACCEPT) <emphasis><emphasis>&lt;source&gt;</emphasis> <emphasis> &lt;destination&gt;</emphasis></emphasis><emphasis/> # LDAP over SSL</programlisting>
</section> </section>
<section id="MySQL"> <section id="MySQL">
@ -284,14 +284,14 @@ LDAPS(ACCEPT) <emphasis><emphasis>&lt;source&gt;</emphasis> <emphasis> &
how to deal with the consequences, you have been warned.</para> how to deal with the consequences, you have been warned.</para>
</caution> </caution>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
MySQL(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis> &lt;destination&gt;</emphasis> <emphasis> </emphasis></programlisting> MySQL(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis> &lt;destination&gt;</emphasis> <emphasis> </emphasis></programlisting>
</section> </section>
<section id="NFS"> <section id="NFS">
<title>NFS</title> <title>NFS</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
ACCEPT <emphasis>&lt;z1&gt;</emphasis>:&lt;list of client IPs&gt; <emphasis> &lt;z2&gt;</emphasis>:a.b.c.d tcp 111 ACCEPT <emphasis>&lt;z1&gt;</emphasis>:&lt;list of client IPs&gt; <emphasis> &lt;z2&gt;</emphasis>:a.b.c.d tcp 111
ACCEPT <emphasis>&lt;z1&gt;</emphasis>:&lt;list of client IPs&gt; <emphasis> &lt;z2&gt;</emphasis>:a.b.c.d udp</programlisting> ACCEPT <emphasis>&lt;z1&gt;</emphasis>:&lt;list of client IPs&gt; <emphasis> &lt;z2&gt;</emphasis>:a.b.c.d udp</programlisting>
@ -302,14 +302,14 @@ ACCEPT <emphasis>&lt;z1&gt;</emphasis>:&lt;list of client IPs&gt; <emphasis
<section id="NTP"> <section id="NTP">
<title>NTP (Network Time Protocol)</title> <title>NTP (Network Time Protocol)</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
NTP(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis></programlisting> NTP(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis></programlisting>
</section> </section>
<section id="PCA"> <section id="PCA">
<title><trademark>PCAnywhere</trademark></title> <title><trademark>PCAnywhere</trademark></title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
PCA(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis></programlisting> PCA(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis></programlisting>
</section> </section>
@ -325,7 +325,7 @@ PCA(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt
<para>This information is valid only for Shorewall 3.2 or later</para> <para>This information is valid only for Shorewall 3.2 or later</para>
</caution> </caution>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
POP3(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> # Secure POP3(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> # Secure
POP3S(ACCEPT) &lt;source&gt; &lt;destination&gt; #Unsecure Pop3</programlisting> POP3S(ACCEPT) &lt;source&gt; &lt;destination&gt; #Unsecure Pop3</programlisting>
</section> </section>
@ -333,7 +333,7 @@ POP3S(ACCEPT) &lt;source&gt; &lt;destination&gt; #Unsecure Pop3</programlist
<section id="PPTP"> <section id="PPTP">
<title>PPTP</title> <title>PPTP</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> 47 ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> 47
ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> tcp 1723</programlisting> ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> tcp 1723</programlisting>
@ -344,14 +344,14 @@ ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</e
<section id="Rdate"> <section id="Rdate">
<title>rdate</title> <title>rdate</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
Rdate(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis></programlisting> Rdate(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis></programlisting>
</section> </section>
<section id="rsync"> <section id="rsync">
<title>rsync</title> <title>rsync</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
Rsync(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis></programlisting> Rsync(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis></programlisting>
</section> </section>
@ -363,16 +363,16 @@ Rsync(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&
firewall and is using the default ports</emphasis>.</para> firewall and is using the default ports</emphasis>.</para>
</caution> </caution>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
REDIRECT loc 5060 udp 5060 REDIRECT loc 5060 udp 5060
ACCEPT net fw udp 5060 ACCEPT net fw udp 5060
ACCEPT <emphasis> net fw udp 7070:7089</emphasis><emphasis></emphasis></programlisting> ACCEPT <emphasis> net fw udp 7070:7089</emphasis><emphasis/></programlisting>
</section> </section>
<section id="SSH"> <section id="SSH">
<title>SSH/SFTP</title> <title>SSH/SFTP</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
SSH(ACCEPT)<emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> </programlisting> SSH(ACCEPT)<emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> </programlisting>
</section> </section>
@ -380,7 +380,7 @@ SSH(ACCEPT)<emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</e
<title>SMB/NMB (Samba/<trademark>Windows</trademark> Browsing/File <title>SMB/NMB (Samba/<trademark>Windows</trademark> Browsing/File
Sharing)</title> Sharing)</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
SMB(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis> &lt;destination&gt;</emphasis> SMB(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis> &lt;destination&gt;</emphasis>
SMB(ACCEPT) <emphasis>&lt;destination&gt;</emphasis> <emphasis>&lt;source&gt;</emphasis></programlisting> SMB(ACCEPT) <emphasis>&lt;destination&gt;</emphasis> <emphasis>&lt;source&gt;</emphasis></programlisting>
@ -394,7 +394,7 @@ SMB(ACCEPT) <emphasis>&lt;destination&gt;</emphasis> <emphasis>&lt;source&gt
<para>This information is valid only for Shorewall 3.2 or later.</para> <para>This information is valid only for Shorewall 3.2 or later.</para>
</caution> </caution>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
SMTP(ACCEPT)<emphasis> &lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> #Insecure SMTP SMTP(ACCEPT)<emphasis> &lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> #Insecure SMTP
SMTPS(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> #SMTP over SSL (TLS)</programlisting> SMTPS(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> #SMTP over SSL (TLS)</programlisting>
</section> </section>
@ -402,7 +402,7 @@ SMTPS(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&
<section id="SNMP"> <section id="SNMP">
<title>SNMP</title> <title>SNMP</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
SNMP(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis></programlisting> SNMP(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis></programlisting>
</section> </section>
@ -418,7 +418,7 @@ SNMP(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&g
role="bold">svnserve mode only.</emphasis></para> role="bold">svnserve mode only.</emphasis></para>
</caution> </caution>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
SVN(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis></programlisting> SVN(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis></programlisting>
</section> </section>
@ -430,7 +430,7 @@ SVN(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt
insecure</emphasis>, don't use it.</emphasis></para> insecure</emphasis>, don't use it.</emphasis></para>
</caution> </caution>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
Telnet(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis></programlisting> Telnet(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis></programlisting>
</section> </section>
@ -447,14 +447,14 @@ Telnet(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination
that the <filename>/etc/shorewall/modules</filename> file released with that the <filename>/etc/shorewall/modules</filename> file released with
recent Shorewall versions contains entries for these modules.</para> recent Shorewall versions contains entries for these modules.</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> udp 69</programlisting> ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> udp 69</programlisting>
</section> </section>
<section id="Traceroute"> <section id="Traceroute">
<title>Traceroute</title> <title>Traceroute</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
Trcrt(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> #Good for 10 hops</programlisting> Trcrt(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> #Good for 10 hops</programlisting>
<para>UDP traceroute uses ports 33434 through 33434+&lt;max number of <para>UDP traceroute uses ports 33434 through 33434+&lt;max number of
@ -464,7 +464,7 @@ Trcrt(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&
automatically since those sample configurations enable all ICMP packet automatically since those sample configurations enable all ICMP packet
types originating on the firewall itself.</para> types originating on the firewall itself.</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
ACCEPT fw net icmp ACCEPT fw net icmp
ACCEPT fw loc icmp ACCEPT fw loc icmp
ACCEPT fw ...</programlisting> ACCEPT fw ...</programlisting>
@ -473,7 +473,7 @@ ACCEPT fw ...</programlisting>
<section id="NNTP"> <section id="NNTP">
<title>Usenet (NNTP)</title> <title>Usenet (NNTP)</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
NNTP(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> NNTP(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis>
NNTPS(ACCEPT) &lt;source&gt; &lt;destination&gt; # secure NNTP</programlisting> NNTPS(ACCEPT) &lt;source&gt; &lt;destination&gt; # secure NNTP</programlisting>
@ -493,13 +493,13 @@ NNTPS(ACCEPT) &lt;source&gt; &lt;destination&gt; # secure NNTP</programlisti
<para>the following rule handles VNC traffic for VNC displays 0 - <para>the following rule handles VNC traffic for VNC displays 0 -
9.</para> 9.</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
VNC(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> VNC(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis>
</programlisting> </programlisting>
<para>Vncserver to Vncviewer in listen mode -- TCP port 5500.</para> <para>Vncserver to Vncviewer in listen mode -- TCP port 5500.</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
VNCL(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis></programlisting> VNCL(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis></programlisting>
</section> </section>
@ -519,7 +519,7 @@ VNCL(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&g
<para>This information is valid for Shorewall 3.2 or later.</para> <para>This information is valid for Shorewall 3.2 or later.</para>
</caution> </caution>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
HTTP(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> #Insecure HTTP HTTP(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> #Insecure HTTP
HTTPS(ACCEPT) &lt;source&gt; &lt;destination&gt; #Secure HTTP</programlisting> HTTPS(ACCEPT) &lt;source&gt; &lt;destination&gt; #Secure HTTP</programlisting>
</section> </section>
@ -527,7 +527,7 @@ HTTPS(ACCEPT) &lt;source&gt; &lt;destination&gt; #Secure HTTP</programlisti
<section id="Webmin"> <section id="Webmin">
<title>Webmin</title> <title>Webmin</title>
<para><programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <para><programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
Webmin(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> </programlisting>Webmin Webmin(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> </programlisting>Webmin
use TCP port 10000.</para> use TCP port 10000.</para>
</section> </section>
@ -535,7 +535,7 @@ Webmin(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination
<section id="Whois"> <section id="Whois">
<title>Whois</title> <title>Whois</title>
<para><programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <para><programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
Whois(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> </programlisting></para> Whois(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> </programlisting></para>
</section> </section>
@ -546,7 +546,7 @@ Whois(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&
&lt;<emphasis>chooser</emphasis>&gt; and the Display Manager/X &lt;<emphasis>chooser</emphasis>&gt; and the Display Manager/X
applications are running at &lt;<emphasis>apps</emphasis>&gt;.</para> applications are running at &lt;<emphasis>apps</emphasis>&gt;.</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
ACCEPT &lt;<emphasis>chooser</emphasis>&gt; &lt;<emphasis>apps</emphasis>&gt; udp 177 #XDMCP ACCEPT &lt;<emphasis>chooser</emphasis>&gt; &lt;<emphasis>apps</emphasis>&gt; udp 177 #XDMCP
ACCEPT &lt;<emphasis>apps</emphasis>&gt; &lt;<emphasis>chooser</emphasis>&gt; tcp 6000:6009 #X Displays 0-9</programlisting> ACCEPT &lt;<emphasis>apps</emphasis>&gt; &lt;<emphasis>chooser</emphasis>&gt; tcp 6000:6009 #X Displays 0-9</programlisting>
</section> </section>


@ -44,15 +44,13 @@
<para>If you wish to run Samba on your firewall and access shares between <para>If you wish to run Samba on your firewall and access shares between
the firewall and local hosts, you need the following rules:</para> the firewall and local hosts, you need the following rules:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT
# PORT(S)
SMB(ACCEPT) $FW loc SMB(ACCEPT) $FW loc
SMB(ACCEPT) loc $FW</programlisting> SMB(ACCEPT) loc $FW</programlisting>
<para>To pass traffic SMB/Samba traffic between zones Z1 and Z2:</para> <para>To pass traffic SMB/Samba traffic between zones Z1 and Z2:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT
# PORT(S)
SMB(ACCEPT) Z1 Z2 SMB(ACCEPT) Z1 Z2
SMB(ACCEPT) Z2 Z1</programlisting> SMB(ACCEPT) Z2 Z1</programlisting>


@ -5,7 +5,7 @@
<!--$Id$--> <!--$Id$-->
<articleinfo> <articleinfo>
<title>Shorewall 4.4/4.5/4.6 Features</title> <title>Shorewall 5.0 Features</title>
<author> <author>
<firstname>Tom</firstname> <firstname>Tom</firstname>
@ -16,7 +16,7 @@
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate> <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
<copyright> <copyright>
<year>2001-2014</year> <year>2001-2016</year>
<holder>Thomas M Eastep</holder> <holder>Thomas M Eastep</holder>
</copyright> </copyright>
@ -32,13 +32,6 @@
</legalnotice> </legalnotice>
</articleinfo> </articleinfo>
<caution>
<para><emphasis role="bold">This article applies to Shorewall 4.3 and
later. If you are running a version of Shorewall earlier than Shorewall
4.3.5 then please see the documentation for that
release.</emphasis></para>
</caution>
<section id="Features"> <section id="Features">
<title>Features</title> <title>Features</title>
@ -278,6 +271,10 @@
<listitem> <listitem>
<para><ulink url="LXC.html">LXC</ulink></para> <para><ulink url="LXC.html">LXC</ulink></para>
</listitem> </listitem>
<listitem>
<para>Docker (Shorewall 5.0.6 and later)</para>
</listitem>
</itemizedlist> </itemizedlist>
</listitem> </listitem>
</itemizedlist> </itemizedlist>


@ -314,14 +314,34 @@ gateway:/etc/shorewall# </programl
<para><filename>/etc/shorewall/shorewall.conf</filename>: <para><filename>/etc/shorewall/shorewall.conf</filename>:
<programlisting>MACLIST_LOG_LEVEL=NFLOG(1,0,1)</programlisting></para> <programlisting>MACLIST_LOG_LEVEL=NFLOG(1,0,1)</programlisting></para>
<para><filename>/etc/shorewall/rules</filename>:<programlisting>#ACTION SOURCE DEST PROTO DEST <para><filename>/etc/shorewall/rules</filename>:<programlisting>#ACTION SOURCE DEST PROTO DPORT
# PORT(S)
ACCEPT:NFLOG(1,0,1) vpn fw tcp ssh,time,631,8080 </programlisting><important> ACCEPT:NFLOG(1,0,1) vpn fw tcp ssh,time,631,8080 </programlisting><important>
<para>Shorewall considers <emphasis role="bold">ULOG(...)</emphasis> <para>Shorewall considers <emphasis role="bold">ULOG(...)</emphasis>
and <emphasis role="bold">NFLOG(...)</emphasis> to be <emphasis and <emphasis role="bold">NFLOG(...)</emphasis> to be <emphasis
role="bold">log levels</emphasis>, just like info, debug, etc. even role="bold">log levels</emphasis>, just like info, debug, etc. even
though they are not defined by syslog.</para> though they are not defined by syslog.</para>
</important></para> </important></para>
<para>Here is a copy of a ulogd.conf file that logs to
/var/log/firewall. It was contributed by a Shorewall user on IRC:</para>
<programlisting>[global]
user="ulogd"
logfile="/var/log/ulogd/ulogd.log"
loglevel=7
plugin="/usr/lib64/ulogd/ulogd_inppkt_NFLOG.so"
plugin="/usr/lib64/ulogd/ulogd_filter_IFINDEX.so"
plugin="/usr/lib64/ulogd/ulogd_filter_IP2STR.so"
plugin="/usr/lib64/ulogd/ulogd_filter_PRINTPKT.so"
plugin="/usr/lib64/ulogd/ulogd_output_LOGEMU.so"
plugin="/usr/lib64/ulogd/ulogd_raw2packet_BASE.so"
stack=log:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,firewall:LOGEMU
[firewall]
file="/var/log/firewall"
sync=1</programlisting>
</section> </section>
</section> </section>


@ -106,19 +106,13 @@
<para><emphasis role="bold">Note to Debian Users</emphasis></para> <para><emphasis role="bold">Note to Debian Users</emphasis></para>
<para>If you install using the .deb, you will find that your <filename <para>If you install using the .deb, you will find that your <filename
class="directory">/etc/shorewall</filename> directory is empty. This class="directory">/etc/shorewall</filename> directory is almost empty.
is intentional. The released configuration file skeletons may be found This is intentional. The released configuration file skeletons may be
on your system in the directory <filename found on your system in the directory <filename
class="directory">/usr/share/doc/shorewall-common/default-config</filename>. class="directory">/usr/share/doc/shorewall/default-config</filename>.
Simply copy the files you need from that directory to <filename Simply copy the files you need from that directory to <filename
class="directory">/etc/shorewall</filename> and modify the class="directory">/etc/shorewall</filename> and modify the
copies.</para> copies.</para>
<para>Note that you must copy <filename
class="directory">/usr/share/doc/shorewall-common/default-config/shorewall.conf</filename>
and /usr/share/doc/shorewall-common/default-config/modules to
<filename class="directory">/etc/shorewall</filename> even if you do
not modify those files.</para>
</warning></para> </warning></para>
<para>As each file is introduced, I suggest that you look through the <para>As each file is introduced, I suggest that you look through the
@ -269,8 +263,7 @@ dmz ipv4</programlisting>
<filename>/etc/shorewall/policy</filename> file had the following <filename>/etc/shorewall/policy</filename> file had the following
policies:</para> policies:</para>
<programlisting>#SOURCE ZONE DESTINATION ZONE POLICY LOG LIMIT:BURST <programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
# LEVEL
loc net ACCEPT loc net ACCEPT
net all DROP info net all DROP info
all all REJECT info</programlisting> all all REJECT info</programlisting>
@ -416,10 +409,11 @@ all all REJECT info</programlisting>
url="manpages/shorewall-interfaces.html">/etc/shorewall/interfaces url="manpages/shorewall-interfaces.html">/etc/shorewall/interfaces
</ulink>file, that file would might contain:</para> </ulink>file, that file would might contain:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS <programlisting>?FORMAT 2
net eth0 detect #ZONE INTERFACE OPTIONS
loc eth1 detect net eth0
dmz eth2 detect</programlisting> loc eth1
dmz eth2</programlisting>
<para>Note that the <emphasis role="bold">$FW</emphasis> zone has no entry <para>Note that the <emphasis role="bold">$FW</emphasis> zone has no entry
in the /etc/shorewall/interfaces file.</para> in the /etc/shorewall/interfaces file.</para>
@ -435,10 +429,11 @@ dmz eth2 detect</programlisting>
<example id="multi"> <example id="multi">
<title>Multiple Interfaces to a Zone</title> <title>Multiple Interfaces to a Zone</title>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS <programlisting>?FORMAT 2
net eth0 detect #ZONE INTERFACE BROADCAST OPTIONS
loc eth1 detect net eth0
loc eth2 detect</programlisting> loc eth1
loc eth2</programlisting>
</example> </example>
<para><inlinegraphic fileref="images/BD21298_.gif"/></para> <para><inlinegraphic fileref="images/BD21298_.gif"/></para>
@ -1409,8 +1404,7 @@ eth0 192.168.201.0/29 192.0.2.176</programlisting>
<filename><ulink <filename><ulink
url="manpages/shorewall-rules.html">/etc/shorewall/rules</ulink></filename>:</para> url="manpages/shorewall-rules.html">/etc/shorewall/rules</ulink></filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
# PORT(S) PORT(S) DEST
DNAT net loc:192.168.201.4 tcp www</programlisting> DNAT net loc:192.168.201.4 tcp www</programlisting>
<para>If one of your daughter's friends at address <emphasis <para>If one of your daughter's friends at address <emphasis
@ -1424,8 +1418,8 @@ DNAT net loc:192.168.201.4 tcp www</programlisting>
<para>This example used the firewall's external IP address for DNAT. <para>This example used the firewall's external IP address for DNAT.
You can use another of your public IP addresses (place it in the You can use another of your public IP addresses (place it in the
ORIGINAL DEST column in the rule above) but Shorewall will not add ORIGDEST column in the rule above) but Shorewall will not add that
that address to the firewall's external interface for you.</para> address to the firewall's external interface for you.</para>
<important> <important>
<para>When testing DNAT rules like those shown above, you must test <para>When testing DNAT rules like those shown above, you must test
@ -1489,7 +1483,7 @@ DNAT net loc:192.168.201.4 tcp www</programlisting>
url="ProxyARP.htm"><filename>/etc/shorewall/proxyarp</filename></ulink> url="ProxyARP.htm"><filename>/etc/shorewall/proxyarp</filename></ulink>
file.</para> file.</para>
<programlisting>#ADDRESS INTERFACE EXTERNAL HAVE ROUTE PERSISTENT <programlisting>#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
192.0.2.177 eth2 eth0 No 192.0.2.177 eth2 eth0 No
192.0.2.178 eth2 eth0 No</programlisting> 192.0.2.178 eth2 eth0 No</programlisting>
@ -1608,7 +1602,7 @@ eth0 192.168.201.0/29 192.0.2.176</programlisting>
You would do that by adding an entry in <filename><ulink You would do that by adding an entry in <filename><ulink
url="NAT.htm">/etc/shorewall/nat</ulink></filename>.</para> url="NAT.htm">/etc/shorewall/nat</ulink></filename>.</para>
<programlisting>#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL <programlisting>#EXTERNAL INTERFACE INTERNAL ALLINTS LOCAL
192.0.2.179 eth0 192.168.201.4 No No</programlisting> 192.0.2.179 eth0 192.168.201.4 No No</programlisting>
<para>With this entry in place, you daughter has her own IP address <para>With this entry in place, you daughter has her own IP address
@ -1622,8 +1616,7 @@ eth0 192.168.201.0/29 192.0.2.176</programlisting>
to use a DNAT rule for you daughter's web server -- you would rather to use a DNAT rule for you daughter's web server -- you would rather
just use an ACCEPT rule:</para> just use an ACCEPT rule:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL <programlisting>#ACTION SOURCE DEST PROTO DEST SPORT ORIGDEST
# PORT(S) PORT(S) DEST
ACCEPT net loc:192.168.201.4 tcp www</programlisting> ACCEPT net loc:192.168.201.4 tcp www</programlisting>
<para>A word of warning is in order here. ISPs typically configure <para>A word of warning is in order here. ISPs typically configure
@ -1719,14 +1712,13 @@ ACCEPT net loc:192.168.201.4 tcp www</programlisting>
rules.</para> rules.</para>
<note> <note>
<para>Since the SOURCE PORT(S) and ORIG. DEST. Columns aren't used in <para>Since the SPORT and ORIGDEST. Columns aren't used in this
this section, they won't be shown</para> section, they won't be shown</para>
</note> </note>
<para>You probably want to allow ping between your zones:</para> <para>You probably want to allow ping between your zones:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST <programlisting>#ACTION SOURCE DEST PROTO DPORT
# PORT(S)
ACCEPT net dmz icmp echo-request ACCEPT net dmz icmp echo-request
ACCEPT net loc icmp echo-request ACCEPT net loc icmp echo-request
ACCEPT dmz loc icmp echo-request ACCEPT dmz loc icmp echo-request
@ -1735,8 +1727,7 @@ ACCEPT loc dmz icmp echo-request</programlisting>
<para>Let's suppose that you run mail and pop3 servers on DMZ 2 and a <para>Let's suppose that you run mail and pop3 servers on DMZ 2 and a
Web Server on DMZ 1. The rules that you would need are:</para> Web Server on DMZ 1. The rules that you would need are:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST COMMENTS <programlisting>#ACTION SOURCE DEST PROTO DPORT
# PORT(S)
ACCEPT net dmz:192.0.2.178 tcp smtp #Mail from ACCEPT net dmz:192.0.2.178 tcp smtp #Mail from
#Internet #Internet
ACCEPT net dmz:192.0.2.178 tcp pop3 #Pop3 from ACCEPT net dmz:192.0.2.178 tcp pop3 #Pop3 from
@ -1760,8 +1751,7 @@ ACCEPT loc dmz:192.0.2.177 tcp https #Secure WWW
<para>If you run a public DNS server on 192.0.2.177, you would need to <para>If you run a public DNS server on 192.0.2.177, you would need to
add the following rules:</para> add the following rules:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST COMMENTS <programlisting>#ACTION SOURCE DEST PROTO DPORT
# PORT(S)
ACCEPT net dmz:192.0.2.177 udp domain #UDP DNS from ACCEPT net dmz:192.0.2.177 udp domain #UDP DNS from
#Internet #Internet
ACCEPT net dmz:192.0.2.177 tcp domain #TCP DNS from ACCEPT net dmz:192.0.2.177 tcp domain #TCP DNS from
@ -1784,8 +1774,7 @@ ACCEPT dmz:192.0.2.177 net tcp domain #TCPP DNS to
scp utility can also do publishing and software update scp utility can also do publishing and software update
distribution.</para> distribution.</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST COMMENTS <programlisting>#ACTION SOURCE DEST PROTO DPORT
# PORT(S)
ACCEPT loc dmz tcp ssh #SSH to the DMZ ACCEPT loc dmz tcp ssh #SSH to the DMZ
ACCEPT net $FW tcp ssh #SSH to the ACCEPT net $FW tcp ssh #SSH to the
#Firewall</programlisting> #Firewall</programlisting>
@ -1816,22 +1805,11 @@ ACCEPT net $FW tcp ssh #SSH to the
<para><filename>/etc/shorewall/interfaces</filename> (The <para><filename>/etc/shorewall/interfaces</filename> (The
<quote>options</quote> will be very site-specific).</para> <quote>options</quote> will be very site-specific).</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS <programlisting>?FORMAT 2
net eth0 detect routefilter #ZONE INTERFACE OPTIONS
loc eth1 detect net eth0 routefilter
dmz eth2 detect</programlisting> loc eth1
dmz eth2</programlisting>
<para>The setup described here requires that your network interfaces be
brought up before Shorewall can start. This opens a short window during
which you have no firewall protection. If you replace
<quote>detect</quote> with the actual broadcast addresses in the entries
above, you can bring up Shorewall before you bring up your network
interfaces.</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net eth0 192.0.2.255
loc eth1 192.168.201.7
dmz eth2 192.168.202.7</programlisting>
<para><filename>/etc/shorewall/masq</filename> - Local Subnet</para> <para><filename>/etc/shorewall/masq</filename> - Local Subnet</para>
@ -1851,8 +1829,7 @@ eth0 192.168.201.0/29 192.0.2.176</programlisting>
<para><filename>/etc/shorewall/rules</filename></para> <para><filename>/etc/shorewall/rules</filename></para>
<programlisting>#ACTION SOURCE DEST PROTO DEST COMMENTS <programlisting>#ACTION SOURCE DEST PROTO DPORT
# PORT(S)
ACCEPT net dmz icmp echo-request ACCEPT net dmz icmp echo-request
ACCEPT net loc icmp echo-request ACCEPT net loc icmp echo-request
ACCEPT dmz loc icmp echo-request ACCEPT dmz loc icmp echo-request


@ -194,7 +194,7 @@ eth0 External</programlisting>
band 2.</para> band 2.</para>
<note> <note>
<para>When an INTERFACE is specified, the PROTO, PORT(S) and ADDRESS <para>When an INTERFACE is specified, the PROTO, DPORT and ADDRESS
column must contain '-'.</para> column must contain '-'.</para>
</note> </note>
</listitem> </listitem>
@ -203,14 +203,14 @@ eth0 External</programlisting>
<para>Assign traffic from a particular IP address to a specific <para>Assign traffic from a particular IP address to a specific
priority band:</para> priority band:</para>
<programlisting>#BAND PROTO PORT(S) ADDRESS INTERFACE HELPER <programlisting>#BAND PROTO DPORT ADDRESS INTERFACE HELPER
1 - - 192.168.1.44</programlisting> 1 - - 192.168.1.44</programlisting>
<para>In this example, traffic from 192.168.1.44 will be assigned to <para>In this example, traffic from 192.168.1.44 will be assigned to
priority band 1.</para> priority band 1.</para>
<note> <note>
<para>When an ADDRESS is specified, the PROTO, PORT(S) and INTERFACE <para>When an ADDRESS is specified, the PROTO, DPORT and INTERFACE
columns must be empty.</para> columns must be empty.</para>
</note> </note>
</listitem> </listitem>
@ -219,7 +219,7 @@ eth0 External</programlisting>
<para>Assign traffic to/from a particular application to a specific <para>Assign traffic to/from a particular application to a specific
priority band:</para> priority band:</para>
<programlisting>#BAND PROTO PORT(S) ADDRESS INTERFACE HELPER <programlisting>#BAND PROTO DPORT ADDRESS INTERFACE HELPER
1 udp 1194</programlisting> 1 udp 1194</programlisting>
<para>In that example, OpenVPN traffic is assigned to priority band <para>In that example, OpenVPN traffic is assigned to priority band
@ -230,7 +230,7 @@ eth0 External</programlisting>
<para>Assign traffic that uses a particular Netfilter helper to a <para>Assign traffic that uses a particular Netfilter helper to a
particular priority band:</para> particular priority band:</para>
<programlisting>#BAND PROTO PORT(S) ADDRESS INTERFACE HELPER <programlisting>#BAND PROTO DPORT ADDRESS INTERFACE HELPER
1 - - - - sip</programlisting> 1 - - - - sip</programlisting>
<para>In this example, SIP and associated RTP traffic will be assigned <para>In this example, SIP and associated RTP traffic will be assigned
@ -318,11 +318,11 @@ tun0 Internal</programlisting>
<para>Example:</para> <para>Example:</para>
<para><filename>/etc/shorewall/tcinterfaces</filename><programlisting>#INTERFACE TYPE IN-BANDWIDTH OUT-BANDWIDTH <para><filename>/etc/shorewall/tcinterfaces</filename><programlisting>#INTERFACE TYPE IN_BANDWIDTH OUT_BANDWIDTH
eth0 External 50mbit:200kb 6.0mbit:100kb:200ms:100mbit:1516 eth0 External 50mbit:200kb 6.0mbit:100kb:200ms:100mbit:1516
</programlisting>etc/shorewall/tcpri:</para> </programlisting>etc/shorewall/tcpri:</para>
<programlisting>#BAND PROTO PORT(S) ADDRESS INTERFACE HELPER <programlisting>#BAND PROTO DPORT ADDRESS INTERFACE HELPER
COMMENT All DMZ traffic in band 3 by default COMMENT All DMZ traffic in band 3 by default
3 - - 70.90.191.124/31 3 - - 70.90.191.124/31
COMMENT Bit Torrent is in band 3 COMMENT Bit Torrent is in band 3
@ -335,7 +335,7 @@ COMMENT And place echo requests in band 1 to avoid false line-down reports
<para>etc/shorewall6/tcpri:</para> <para>etc/shorewall6/tcpri:</para>
<programlisting>#BAND PROTO PORT(S) ADDRESS INTERFACE HELPER <programlisting>#BAND PROTO DPORT ADDRESS INTERFACE HELPER
COMMENT All DMZ traffic in band 3 by default COMMENT All DMZ traffic in band 3 by default
3 - - 2001:470:b:227::40/124 3 - - 2001:470:b:227::40/124
COMMENT But give a boost to DNS queries COMMENT But give a boost to DNS queries


@ -277,7 +277,7 @@ net ipv4</programlisting>
<para>The <filename>/etc/shorewall/policy</filename> file included with <para>The <filename>/etc/shorewall/policy</filename> file included with
the one-interface sample has the following policies:</para> the one-interface sample has the following policies:</para>
<programlisting>#SOURCE ZONE DESTINATION ZONE POLICY LOG LEVEL LIMIT:BURST <programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
$FW net ACCEPT $FW net ACCEPT
net all DROP info net all DROP info
all all REJECT info</programlisting> all all REJECT info</programlisting>
@ -517,20 +517,19 @@ root@lists:~# </programlisting>
<filename>/usr/share/shorewall/macro.*</filename>, the general format of a <filename>/usr/share/shorewall/macro.*</filename>, the general format of a
rule in <filename>/etc/shorewall/rules</filename> is:</para> rule in <filename>/etc/shorewall/rules</filename> is:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
&lt;<emphasis>macro</emphasis>&gt;(ACCEPT) net $FW</programlisting> &lt;<emphasis>macro</emphasis>&gt;(ACCEPT) net $FW</programlisting>
<important> <important>
<para>Be sure to add your rules after the line that reads <emphasis <para>Be sure to add your rules after the line that reads <emphasis
role="bold">SECTION NEW</emphasis> (?SECTION NEW in Shorewall 4.6.0 and role="bold">?SECTION NEW</emphasis>.</para>
later).</para>
</important> </important>
<example id="Example1"> <example id="Example1">
<title>You want to run a Web Server and a IMAP Server on your firewall <title>You want to run a Web Server and a IMAP Server on your firewall
system:</title> system:</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
Web(ACCEPT) net $FW Web(ACCEPT) net $FW
IMAP(ACCEPT)net $FW</programlisting> IMAP(ACCEPT)net $FW</programlisting>
</example> </example>
@ -546,14 +545,14 @@ IMAP(ACCEPT)net $FW</programlisting>
a pre-defined macro that meets your requirements. In that case the general a pre-defined macro that meets your requirements. In that case the general
format of a rule in <filename>/etc/shorewall/rules</filename> is:</para> format of a rule in <filename>/etc/shorewall/rules</filename> is:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
ACCEPT net $FW <emphasis>&lt;protocol&gt;</emphasis> <emphasis>&lt;port&gt;</emphasis></programlisting> ACCEPT net $FW <emphasis>&lt;protocol&gt;</emphasis> <emphasis>&lt;port&gt;</emphasis></programlisting>
<example id="Example2"> <example id="Example2">
<title>You want to run a Web Server and a IMAP Server on your firewall <title>You want to run a Web Server and a IMAP Server on your firewall
system:</title> system:</title>
<para><programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <para><programlisting>#ACTION SOURCE DEST PROTO DPORT
ACCEPT net $FW tcp 80 ACCEPT net $FW tcp 80
ACCEPT net $FW tcp 143</programlisting></para> ACCEPT net $FW tcp 143</programlisting></para>
</example> </example>
@ -566,7 +565,7 @@ ACCEPT net $FW tcp 143</programlisting></para>
uses clear text (even for login!). If you want shell access to your uses clear text (even for login!). If you want shell access to your
firewall from the Internet, use <acronym>SSH</acronym>:</para> firewall from the Internet, use <acronym>SSH</acronym>:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
SSH(ACCEPT) net $FW </programlisting> SSH(ACCEPT) net $FW </programlisting>
</important> </important>
@ -615,7 +614,7 @@ SSH(ACCEPT) net $FW </programlisting>
(<filename><ulink (<filename><ulink
url="manpages/shorewall-routestopped.html">/etc/shorewall/routestopped</ulink></filename> url="manpages/shorewall-routestopped.html">/etc/shorewall/routestopped</ulink></filename>
in Shorewall 4.5.7 and earlier). A running firewall may be restarted using in Shorewall 4.5.7 and earlier). A running firewall may be restarted using
the <quote><command>shorewall restart</command></quote> command. If you the <quote><command>shorewall reload</command></quote> command. If you
want to totally remove any trace of Shorewall from your Netfilter want to totally remove any trace of Shorewall from your Netfilter
configuration, use <quote><command>shorewall configuration, use <quote><command>shorewall
clear</command></quote>.</para> clear</command></quote>.</para>
@ -639,7 +638,7 @@ SSH(ACCEPT) net $FW </programlisting>
</orderedlist> </orderedlist>
<para>Also, I don't recommend using <quote><command>shorewall <para>Also, I don't recommend using <quote><command>shorewall
restart</command></quote>; it is better to create an <emphasis><ulink reload</command></quote>; it is better to create an <emphasis><ulink
url="configuration_file_basics.htm#Configs">alternate url="configuration_file_basics.htm#Configs">alternate
configuration</ulink></emphasis> and test it using the <ulink configuration</ulink></emphasis> and test it using the <ulink
url="starting_and_stopping_shorewall.htm"><quote><command>shorewall url="starting_and_stopping_shorewall.htm"><quote><command>shorewall


@ -165,7 +165,7 @@
<listitem> <listitem>
<para>If you change your configuration and want to install the <para>If you change your configuration and want to install the
changes, use the <command>shorewall restart </command>command.</para> changes, use the <command>shorewall reload </command>command.</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
@ -616,7 +616,7 @@
<row> <row>
<entry align="center">/sbin/shorewall Command</entry> <entry align="center">/sbin/shorewall Command</entry>
<entry align="center">Resulting /usr/share/shorewall/firewall <entry align="center">Resulting /var/lib/shorewall/firewall
Command</entry> Command</entry>
<entry align="center">Effect if the Command Succeeds</entry> <entry align="center">Effect if the Command Succeeds</entry>
@ -646,6 +646,15 @@
firewall are accepted.</entry> firewall are accepted.</entry>
</row> </row>
<row>
<entry>shorewall reload</entry>
<entry>firewall reload</entry>
<entry>Very similar to start, replacing the existing ruleset with
one that reflects the current configuration file contents.</entry>
</row>
<row> <row>
<entry>shorewall restart</entry> <entry>shorewall restart</entry>
@ -721,15 +730,15 @@
transition while the compiler is running. If compilation fails, the state transition while the compiler is running. If compilation fails, the state
remains unchanged.</para> remains unchanged.</para>
<para>Also, <command>shorewall start</command> and <command>shorewall <para>Also, <command>shorewall start</command>, <command>shorewall
restart</command> involve compilation followed by execution of the reload</command> and <command>shorewall restart</command> involve
compiled script. So it is the compiled script that performs the state compilation followed by execution of the compiled script. So it is the
transition in these commands rather than compiled script that performs the state transition in these commands
<command>/usr/share/shorewall/firewall</command>.</para> rather than <command>/usr/share/shorewall/firewall</command>.</para>
<para>The compiled script is placed in <filename <para>The compiled script is placed in <filename
class="directory">/var/lib/shorewall</filename> and is named either class="directory">/var/lib/shorewall</filename> and is named either
<filename>.start</filename> or <filename>.restart</filename> depending on <filename>.start</filename>, .reload or <filename>.restart</filename>
the command.</para> depending on the command.</para>
</section> </section>
</article> </article>

@ -90,7 +90,7 @@
<mediaobject> <mediaobject>
<imageobject> <imageobject>
<imagedata align="center" fileref="images/dmz1.png" format="PNG" /> <imagedata align="center" fileref="images/dmz1.png" format="PNG"/>
</imageobject> </imageobject>
</mediaobject> </mediaobject>
</figure> </figure>
@ -148,19 +148,18 @@
<title>Conventions</title> <title>Conventions</title>
<para>Points at which configuration changes are recommended are flagged <para>Points at which configuration changes are recommended are flagged
with <inlinegraphic fileref="images/BD21298_.gif" with <inlinegraphic fileref="images/BD21298_.gif" format="GIF"/>.</para>
format="GIF" />.</para>
<para>Configuration notes that are unique to Debian and it's derivatives <para>Configuration notes that are unique to Debian and it's derivatives
are marked with <inlinegraphic fileref="images/openlogo-nd-25.png" are marked with <inlinegraphic fileref="images/openlogo-nd-25.png"
format="GIF" />.</para> format="GIF"/>.</para>
</section> </section>
</section> </section>
<section id="PPTP"> <section id="PPTP">
<title>PPTP/ADSL</title> <title>PPTP/ADSL</title>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para> <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>If you have an ADSL Modem and you use PPTP to communicate with a <para>If you have an ADSL Modem and you use PPTP to communicate with a
server in that modem, you must make the <ulink server in that modem, you must make the <ulink
@ -176,7 +175,7 @@
<filename>/etc/shorewall</filename> -- for simple setups, you will only <filename>/etc/shorewall</filename> -- for simple setups, you will only
need to deal with a few of these as described in this guide.</para> need to deal with a few of these as described in this guide.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para> <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>After you have installed Shorewall, locate the three-interface <para>After you have installed Shorewall, locate the three-interface
Sample configuration:</para> Sample configuration:</para>
@ -210,7 +209,7 @@
</listitem> </listitem>
<listitem> <listitem>
<para><graphic align="left" fileref="images/openlogo-nd-25.png" />If <para><graphic align="left" fileref="images/openlogo-nd-25.png"/>If
you installed using a Shorewall 4.x .deb, the samples are in <emphasis you installed using a Shorewall 4.x .deb, the samples are in <emphasis
role="bold"><filename role="bold"><filename
class="directory">/usr/share/doc/shorewall/examples/three-interfaces</filename></emphasis>. class="directory">/usr/share/doc/shorewall/examples/three-interfaces</filename></emphasis>.
@ -248,8 +247,7 @@
a set of zones. In the three-interface sample configuration, the following a set of zones. In the three-interface sample configuration, the following
zone names are used:</para> zone names are used:</para>
<para><programlisting>#ZONE TYPE OPTIONS IN OUT <para><programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
# OPTIONS OPTIONS
fw firewall fw firewall
net ipv4 net ipv4
loc ipv4 loc ipv4
@ -305,7 +303,7 @@ dmz ipv4</programlisting>Zone names are defined in
<para>The <filename>/etc/shorewall/policy</filename> file included with <para>The <filename>/etc/shorewall/policy</filename> file included with
the three-interface sample has the following policies:</para> the three-interface sample has the following policies:</para>
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST <programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
loc net ACCEPT loc net ACCEPT
net all DROP info net all DROP info
all all REJECT info</programlisting> all all REJECT info</programlisting>
@ -315,7 +313,7 @@ all all REJECT info</programlisting>
commented out. If you want your firewall system to have full access to commented out. If you want your firewall system to have full access to
servers on the Internet, uncomment that line.</para> servers on the Internet, uncomment that line.</para>
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST <programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
$FW net ACCEPT</programlisting> $FW net ACCEPT</programlisting>
</important> </important>
@ -351,7 +349,7 @@ $FW net ACCEPT</programlisting>
local network from a security perspective. If you want to do this, add local network from a security perspective. If you want to do this, add
these two policies:</para> these two policies:</para>
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST <programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
loc $FW ACCEPT loc $FW ACCEPT
$FW loc ACCEPT</programlisting> $FW loc ACCEPT</programlisting>
@ -363,7 +361,7 @@ $FW loc ACCEPT</programlisting>
<emphasis>net</emphasis> zone even though connections are not allowed from <emphasis>net</emphasis> zone even though connections are not allowed from
the <emphasis>loc</emphasis> zone to the firewall itself.</para> the <emphasis>loc</emphasis> zone to the firewall itself.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para> <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>At this point, edit your <filename>/etc/shorewall/policy</filename> <para>At this point, edit your <filename>/etc/shorewall/policy</filename>
file and make any changes that you wish.</para> file and make any changes that you wish.</para>
@ -377,7 +375,7 @@ $FW loc ACCEPT</programlisting>
<mediaobject> <mediaobject>
<imageobject> <imageobject>
<imagedata align="center" fileref="images/dmz1.png" format="PNG" /> <imagedata align="center" fileref="images/dmz1.png" format="PNG"/>
</imageobject> </imageobject>
</mediaobject> </mediaobject>
</figure> </figure>
@ -421,7 +419,7 @@ root@lists:~# </programlisting>
the external interface.</para> the external interface.</para>
</caution> </caution>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para> <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>I<emphasis role="bold">f your external interface is <filename <para>I<emphasis role="bold">f your external interface is <filename
class="devicefile">ppp0</filename> or <filename class="devicefile">ppp0</filename> or <filename
@ -463,7 +461,7 @@ root@lists:~# </programlisting>
exactly one default route via your ISP's Router.</para> exactly one default route via your ISP's Router.</para>
</caution> </caution>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para> <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>The Shorewall three-interface sample configuration assumes that the <para>The Shorewall three-interface sample configuration assumes that the
external interface is <filename class="devicefile">eth0</filename>, the external interface is <filename class="devicefile">eth0</filename>, the
@ -528,7 +526,7 @@ root@lists:~# </programlisting>
<title>Example sub-network</title> <title>Example sub-network</title>
<tgroup cols="2"> <tgroup cols="2">
<colspec align="left" /> <colspec align="left"/>
<tbody> <tbody>
<row> <row>
@ -573,7 +571,7 @@ root@lists:~# </programlisting>
directly. To communicate with systems outside of the subnetwork, systems directly. To communicate with systems outside of the subnetwork, systems
send packets through a gateway (router).</para> send packets through a gateway (router).</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para> <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>Your local computers (Local Computers 1 &amp; 2) should be <para>Your local computers (Local Computers 1 &amp; 2) should be
configured with their default gateway set to the IP address of the configured with their default gateway set to the IP address of the
@ -596,7 +594,7 @@ root@lists:~# </programlisting>
<mediaobject> <mediaobject>
<imageobject> <imageobject>
<imagedata fileref="images/dmz2.png" /> <imagedata fileref="images/dmz2.png"/>
</imageobject> </imageobject>
<caption><para>The default gateway for the DMZ computers would be <caption><para>The default gateway for the DMZ computers would be
@ -652,7 +650,7 @@ root@lists:~# </programlisting>
class="directory">/etc/shorewall/</filename><filename>masq</filename> class="directory">/etc/shorewall/</filename><filename>masq</filename>
file.</para> file.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para> <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>If your external firewall interface is <filename <para>If your external firewall interface is <filename
class="devicefile">eth0</filename> then you do not need to modify the file class="devicefile">eth0</filename> then you do not need to modify the file
@ -665,7 +663,7 @@ root@lists:~# </programlisting>
modify the SOURCE column to list just your local interface (10.10.10.0/24 modify the SOURCE column to list just your local interface (10.10.10.0/24
in the above example).</para> in the above example).</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para> <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>If your external IP is static, you can enter it in the third column <para>If your external IP is static, you can enter it in the third column
in the <filename in the <filename
@ -673,7 +671,7 @@ root@lists:~# </programlisting>
entry if you like although your firewall will work fine if you leave that entry if you like although your firewall will work fine if you leave that
column empty. Entering your static IP in column 3 makes processing column empty. Entering your static IP in column 3 makes processing
outgoing packets a little more efficient.<graphic align="left" outgoing packets a little more efficient.<graphic align="left"
fileref="images/openlogo-nd-25.png" /></para> fileref="images/openlogo-nd-25.png"/></para>
<para><emphasis role="bold">If you are using the Debian package, please <para><emphasis role="bold">If you are using the Debian package, please
check your <filename>shorewall.conf</filename> file to ensure that the check your <filename>shorewall.conf</filename> file to ensure that the
@ -736,7 +734,7 @@ root@lists:~# </programlisting>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para> <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>If you are running a distribution that logs netfilter messages to a <para>If you are running a distribution that logs netfilter messages to a
log other than <filename>/var/log/messages</filename>, then modify the log other than <filename>/var/log/messages</filename>, then modify the
@ -776,7 +774,7 @@ root@lists:~# </programlisting>
<filename>/usr/share/shorewall/modules</filename> then copy the file to <filename>/usr/share/shorewall/modules</filename> then copy the file to
<filename>/etc/shorewall</filename> and modify the copy.</para> <filename>/etc/shorewall</filename> and modify the copy.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para> <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>Modify the setting of LOAD_HELPER_ONLY as necessary.</para> <para>Modify the setting of LOAD_HELPER_ONLY as necessary.</para>
</section> </section>
@ -801,7 +799,7 @@ root@lists:~# </programlisting>
<para>The general form of a simple port forwarding rule in <filename <para>The general form of a simple port forwarding rule in <filename
class="directory">/etc/shorewall/</filename><filename>rules</filename> is: class="directory">/etc/shorewall/</filename><filename>rules</filename> is:
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
DNAT net dmz:<emphasis>&lt;server local IP address&gt;</emphasis>[:<emphasis>&lt;server port&gt;</emphasis>] <emphasis>&lt;protocol&gt;</emphasis> <emphasis>&lt;port&gt;</emphasis></programlisting> DNAT net dmz:<emphasis>&lt;server local IP address&gt;</emphasis>[:<emphasis>&lt;server port&gt;</emphasis>] <emphasis>&lt;protocol&gt;</emphasis> <emphasis>&lt;port&gt;</emphasis></programlisting>
If you don't specify the <emphasis><varname>&lt;server If you don't specify the <emphasis><varname>&lt;server
port&gt;</varname></emphasis>, it is assumed to be the same as port&gt;</varname></emphasis>, it is assumed to be the same as
@ -816,7 +814,7 @@ DNAT net dmz:<emphasis>&lt;server local IP address&gt;</emphasis>[:<e
<title>You run a Web Server on DMZ Computer 2 and you want to forward <title>You run a Web Server on DMZ Computer 2 and you want to forward
incoming TCP port 80 to that system</title> incoming TCP port 80 to that system</title>
<para><programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <para><programlisting>#ACTION SOURCE DEST PROTO DPORT
Web(DNAT) net dmz:10.10.11.2 Web(DNAT) net dmz:10.10.11.2
Web(ACCEPT) loc dmz:10.10.11.2</programlisting><itemizedlist> Web(ACCEPT) loc dmz:10.10.11.2</programlisting><itemizedlist>
<listitem> <listitem>
@ -833,8 +831,7 @@ Web(ACCEPT) loc dmz:10.10.11.2</programlisting><itemizedlist>
(<systemitem class="ipaddress">10.10.11.2</systemitem>) or you (<systemitem class="ipaddress">10.10.11.2</systemitem>) or you
must use DNAT from the loc zone as well (see below).</para> must use DNAT from the loc zone as well (see below).</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
# PORT(S) PORT(S) DEST
Web(DNAT) loc dmz:10.10.11.2 - - - <replaceable>external-ip-address</replaceable></programlisting> Web(DNAT) loc dmz:10.10.11.2 - - - <replaceable>external-ip-address</replaceable></programlisting>
<para>where <replaceable>external-ip-address</replaceable> is the <para>where <replaceable>external-ip-address</replaceable> is the
@ -846,8 +843,7 @@ Web(DNAT) loc dmz:10.10.11.2 - - -
you have problems connecting to your web server, try the following you have problems connecting to your web server, try the following
rule and try connecting to port 5000 (e.g., connect to rule and try connecting to port 5000 (e.g., connect to
<literal>http://w.x.y.z:5000 where w.x.y.z</literal> is your <literal>http://w.x.y.z:5000 where w.x.y.z</literal> is your
external IP).<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE external IP).<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
# PORT(S)
DNAT net dmz:10.10.11.2:80 tcp 5000</programlisting></para> DNAT net dmz:10.10.11.2:80 tcp 5000</programlisting></para>
</listitem> </listitem>
@ -855,8 +851,7 @@ DNAT net dmz:10.10.11.2:80 tcp 5000</programlisting></para>
<para>If you want to be able to access your server from the local <para>If you want to be able to access your server from the local
network using your external address, then if you have a static network using your external address, then if you have a static
external IP you can replace the loc-&gt;dmz rule above external IP you can replace the loc-&gt;dmz rule above
with:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL with:<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
# PORT(S) DEST
DNAT loc dmz:10.10.11.2 tcp 80 - <emphasis>&lt;external IP&gt;</emphasis></programlisting>If DNAT loc dmz:10.10.11.2 tcp 80 - <emphasis>&lt;external IP&gt;</emphasis></programlisting>If
you have a dynamic IP then you must ensure that your external you have a dynamic IP then you must ensure that your external
interface is up before starting Shorewall and you must take steps interface is up before starting Shorewall and you must take steps
@ -871,8 +866,7 @@ DNAT loc dmz:10.10.11.2 tcp 80 - <emphasis>&lt;
<listitem> <listitem>
<para>Make your <literal>loc-&gt;dmz</literal> rule: <para>Make your <literal>loc-&gt;dmz</literal> rule:
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
# PORT(S) DEST
DNAT loc dmz:10.10.11.2 tcp 80 - $ETH0_IP</programlisting></para> DNAT loc dmz:10.10.11.2 tcp 80 - $ETH0_IP</programlisting></para>
</listitem> </listitem>
</orderedlist></para> </orderedlist></para>
@ -886,7 +880,7 @@ DNAT loc dmz:10.10.11.2 tcp 80 - $ETH0_IP</pr
</itemizedlist></para> </itemizedlist></para>
</example> </example>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para> <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>At this point, add the DNAT and ACCEPT rules for your <para>At this point, add the DNAT and ACCEPT rules for your
servers.</para> servers.</para>
@ -924,7 +918,7 @@ DNAT loc dmz:10.10.11.2 tcp 80 - $ETH0_IP</pr
<listitem> <listitem>
<para><inlinegraphic fileref="images/BD21298_.gif" <para><inlinegraphic fileref="images/BD21298_.gif"
format="GIF" /></para> format="GIF"/></para>
<para>You can configure a <emphasis>Caching Name Server</emphasis> <para>You can configure a <emphasis>Caching Name Server</emphasis>
on your firewall or in your DMZ. <trademark>Red Hat</trademark> has on your firewall or in your DMZ. <trademark>Red Hat</trademark> has
@ -942,10 +936,10 @@ DNAT loc dmz:10.10.11.2 tcp 80 - $ETH0_IP</pr
<filename>/etc/shorewall/rules</filename>.</para> <filename>/etc/shorewall/rules</filename>.</para>
</listitem> </listitem>
</itemizedlist> If you run the name server on the firewall: </itemizedlist> If you run the name server on the firewall:
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
DNS(ACCEPT) loc $FW DNS(ACCEPT) loc $FW
DNS(ACCEPT) dmz $FW </programlisting> Run name server on DMZ DNS(ACCEPT) dmz $FW </programlisting> Run name server on DMZ
computer 1: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) computer 1: <programlisting>#ACTION SOURCE DEST PROTO DPORT
DNS(ACCEPT) loc dmz:10.10.11.1 DNS(ACCEPT) loc dmz:10.10.11.1
DNS(ACCEPT) $FW dmz:10.10.11.1 </programlisting></para> DNS(ACCEPT) $FW dmz:10.10.11.1 </programlisting></para>
@ -960,7 +954,7 @@ DNS(ACCEPT) $FW dmz:10.10.11.1 </programlisting></para>
<filename>/etc/shorewall/rules</filename>. The first example above (name <filename>/etc/shorewall/rules</filename>. The first example above (name
server on the firewall) could also have been coded as follows:</para> server on the firewall) could also have been coded as follows:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
ACCEPT loc $FW tcp 53 ACCEPT loc $FW tcp 53
ACCEPT loc $FW udp 53 ACCEPT loc $FW udp 53
ACCEPT dmz $FW tcp 53 ACCEPT dmz $FW tcp 53
@ -983,24 +977,24 @@ ACCEPT dmz $FW udp 53 </programlist
<title>Other Connections</title> <title>Other Connections</title>
<para>The three-interface sample includes the following rule: <para>The three-interface sample includes the following rule:
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
DNS(ACCEPT) $FW net </programlisting>That rule allow DNS access DNS(ACCEPT) $FW net </programlisting>That rule allow DNS access
from your firewall and may be removed if you commented out the line in from your firewall and may be removed if you commented out the line in
<filename>/etc/shorewall/policy</filename> allowing all connections from <filename>/etc/shorewall/policy</filename> allowing all connections from
the firewall to the Internet.</para> the firewall to the Internet.</para>
<para>The sample also includes: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <para>The sample also includes: <programlisting>#ACTION SOURCE DEST PROTO DPORT
SSH(ACCEPT) loc $FW SSH(ACCEPT) loc $FW
SSH(ACCEPT) loc dmz </programlisting>Those rules allow you to run SSH(ACCEPT) loc dmz </programlisting>Those rules allow you to run
an SSH server on your firewall and in each of your DMZ systems and to an SSH server on your firewall and in each of your DMZ systems and to
connect to those servers from your local systems.</para> connect to those servers from your local systems.</para>
<para>If you wish to enable other connections between your systems, the <para>If you wish to enable other connections between your systems, the
general format for using a defined macro is: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) general format for using a defined macro is: <programlisting>#ACTION SOURCE DEST PROTO DPORT
&lt;<emphasis>macro</emphasis>&gt;(ACCEPT) <emphasis>&lt;source zone&gt; &lt;destination zone&gt;</emphasis></programlisting></para> &lt;<emphasis>macro</emphasis>&gt;(ACCEPT) <emphasis>&lt;source zone&gt; &lt;destination zone&gt;</emphasis></programlisting></para>
<para>The general format when not using a defined macro <para>The general format when not using a defined macro
is:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) is:<programlisting>#ACTION SOURCE DEST PROTO DPORT
ACCEPT <emphasis>&lt;source zone&gt; &lt;destination zone&gt; &lt;protocol&gt; &lt;port&gt; </emphasis></programlisting></para> ACCEPT <emphasis>&lt;source zone&gt; &lt;destination zone&gt; &lt;protocol&gt; &lt;port&gt; </emphasis></programlisting></para>
<example id="Example2"> <example id="Example2">
@ -1009,12 +1003,12 @@ ACCEPT <emphasis>&lt;source zone&gt; &lt;destination zone&gt; &lt;protocol&g
<para>Using defined macros:</para> <para>Using defined macros:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
DNS(ACCEPT) net $FW</programlisting> DNS(ACCEPT) net $FW</programlisting>
<para>Not using defined macros:</para> <para>Not using defined macros:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
ACCEPT net $FW tcp 53 ACCEPT net $FW tcp 53
ACCEPT net $FW udp 53 </programlisting> ACCEPT net $FW udp 53 </programlisting>
@ -1028,13 +1022,13 @@ ACCEPT net $FW udp 53 </programlisting>
<important> <important>
<para>I don't recommend enabling telnet to/from the Internet because it <para>I don't recommend enabling telnet to/from the Internet because it
uses clear text (even for login!). If you want shell access to your uses clear text (even for login!). If you want shell access to your
firewall from the Internet, use SSH: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) firewall from the Internet, use SSH: <programlisting>#ACTION SOURCE DEST PROTO DPORT
SSH(ACCEPT) net $FW</programlisting></para> SSH(ACCEPT) net $FW</programlisting></para>
</important> </important>
<para><inlinegraphic fileref="images/leaflogo.gif" format="GIF" /> Bering <para><inlinegraphic fileref="images/leaflogo.gif" format="GIF"/> Bering
users will want to add the following two rules to be compatible with users will want to add the following two rules to be compatible with
Jacques's Shorewall configuration: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) Jacques's Shorewall configuration: <programlisting>#ACTION SOURCE DEST PROTO DPORT
ACCEPT loc $FW udp 53 ACCEPT loc $FW udp 53
ACCEPT net $FW tcp 80 </programlisting><itemizedlist> ACCEPT net $FW tcp 80 </programlisting><itemizedlist>
<listitem> <listitem>
@ -1045,7 +1039,7 @@ ACCEPT net $FW tcp 80 </programlisting><it
<para>Entry 2 allows the <quote>weblet</quote> to work.</para> <para>Entry 2 allows the <quote>weblet</quote> to work.</para>
</listitem> </listitem>
</itemizedlist><inlinegraphic fileref="images/BD21298_.gif" </itemizedlist><inlinegraphic fileref="images/BD21298_.gif"
format="GIF" /></para> format="GIF"/></para>
<para>Now modify <filename>/etc/shorewall/rules</filename> to add or <para>Now modify <filename>/etc/shorewall/rules</filename> to add or
remove other connections as required.</para> remove other connections as required.</para>
@ -1110,7 +1104,7 @@ ACCEPT net $FW tcp 80 </programlisting><it
<section id="Starting"> <section id="Starting">
<title>Starting and Stopping Your Firewall</title> <title>Starting and Stopping Your Firewall</title>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para> <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>The <ulink url="Install.htm">installation procedure</ulink> <para>The <ulink url="Install.htm">installation procedure</ulink>
configures your system to start Shorewall at system boot but startup is configures your system to start Shorewall at system boot but startup is
@ -1119,7 +1113,7 @@ ACCEPT net $FW tcp 80 </programlisting><it
firewall, you can enable Shorewall startup by editing firewall, you can enable Shorewall startup by editing
<filename>/etc/shorewall/shorewall.conf</filename> and setting <filename>/etc/shorewall/shorewall.conf</filename> and setting
STARTUP_ENABLED=Yes.<graphic align="left" STARTUP_ENABLED=Yes.<graphic align="left"
fileref="images/openlogo-nd-25.png" /><important> fileref="images/openlogo-nd-25.png"/><important>
<para>Users of the <filename>.deb</filename> package must edit <para>Users of the <filename>.deb</filename> package must edit
<filename>/etc/default/shorewall</filename> and set <filename>/etc/default/shorewall</filename> and set
<varname>startup=1</varname>.</para> <varname>startup=1</varname>.</para>
@ -1138,11 +1132,11 @@ ACCEPT net $FW tcp 80 </programlisting><it
(<ulink (<ulink
url="manpages/shorewall-routestopped.html"><filename>/etc/shorewall/routestopped</filename></ulink> url="manpages/shorewall-routestopped.html"><filename>/etc/shorewall/routestopped</filename></ulink>
on Shorewall 4.5.7 and earlier). A running firewall may be restarted using on Shorewall 4.5.7 and earlier). A running firewall may be restarted using
the <command>shorewall restart</command> command. If you want to totally the <command>shorewall reload</command> command. If you want to totally
remove any trace of Shorewall from your Netfilter configuration, use remove any trace of Shorewall from your Netfilter configuration, use
<command>shorewall clear</command>.</para> <command>shorewall clear</command>.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para> <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>The three-interface sample assumes that you want to enable routing <para>The three-interface sample assumes that you want to enable routing
to/from <filename class="devicefile">eth1</filename> (your local network) to/from <filename class="devicefile">eth1</filename> (your local network)
@ -1168,7 +1162,7 @@ ACCEPT net $FW tcp 80 </programlisting><it
</orderedlist> </orderedlist>
<para>Also, I don't recommend using <quote><command>shorewall <para>Also, I don't recommend using <quote><command>shorewall
restart</command></quote>; it is better to create an alternate reload</command></quote>; it is better to create an alternate
configuration and test it using the <quote><command>shorewall configuration and test it using the <quote><command>shorewall
try</command></quote> command.</para> try</command></quote> command.</para>
</warning></para> </warning></para>
@ -1239,7 +1233,7 @@ ACCEPT net $FW tcp 80 </programlisting><it
<programlisting><command>systemctl disable iptables.service</command></programlisting> <programlisting><command>systemctl disable iptables.service</command></programlisting>
<para><inlinegraphic fileref="images/BD21298_.gif" /></para> <para><inlinegraphic fileref="images/BD21298_.gif"/></para>
<para>At this point, disable your existing firewall service.</para> <para>At this point, disable your existing firewall service.</para>
</section> </section>

@ -922,7 +922,7 @@ ppp0 6000kbit 500kbit</programlisting>
packets arriving on eth2 and eth3 should be marked with 2. All packets packets arriving on eth2 and eth3 should be marked with 2. All packets
originating on the firewall itself should be marked with 3.</para> originating on the firewall itself should be marked with 3.</para>
<programlisting>#ACTION SOURCE DESTINATION PROTOCOL PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
MARK(1) eth1 0.0.0.0/0 all MARK(1) eth1 0.0.0.0/0 all
MARK(2) eth2 0.0.0.0/0 all MARK(2) eth2 0.0.0.0/0 all
MARK(2) eth3 0.0.0.0/0 all MARK(2) eth3 0.0.0.0/0 all
@ -935,7 +935,7 @@ MARK(3) $FW 0.0.0.0/0 all</programlisting>
<para>All GRE (protocol 47) packets destined for 155.186.235.151 <para>All GRE (protocol 47) packets destined for 155.186.235.151
should be marked with 12.</para> should be marked with 12.</para>
<programlisting>#ACTION SOURCE DESTINATION PROTOCOL PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
MARK(12):T 0.0.0.0/0 155.182.235.151 47</programlisting> MARK(12):T 0.0.0.0/0 155.182.235.151 47</programlisting>
</example> </example>
@ -945,7 +945,7 @@ MARK(12):T 0.0.0.0/0 155.182.235.151 47</programlisting>
<para>All SSH request packets originating in 192.168.1.0/24 and <para>All SSH request packets originating in 192.168.1.0/24 and
destined for 155.186.235.151 should be marked with 22.</para> destined for 155.186.235.151 should be marked with 22.</para>
<programlisting>#ACTION SOURCE DESTINATION PROTOCOL PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
MARK(22):T 192.168.1.0/24 155.182.235.151 tcp 22</programlisting> MARK(22):T 192.168.1.0/24 155.182.235.151 tcp 22</programlisting>
</example> </example>
@ -956,8 +956,7 @@ MARK(22):T 192.168.1.0/24 155.182.235.151 tcp 22</programlisting>
/etc/shorewall/tcdevices should be assigned to the class with mark /etc/shorewall/tcdevices should be assigned to the class with mark
value 10.</para> value 10.</para>
<programlisting>#ACTION SOURCE DESTINATION PROTOCOL PORT(S) CLIENT <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT
# PORT(S)
CLASSIFY(1:110) 0.0.0.0/0 0.0.0.0/0 tcp 22 CLASSIFY(1:110) 0.0.0.0/0 0.0.0.0/0 tcp 22
CLASSIFY(1:110) 0.0.0.0/0 0.0.0.0/0 tcp - 22</programlisting> CLASSIFY(1:110) 0.0.0.0/0 0.0.0.0/0 tcp - 22</programlisting>
</example> </example>
@ -975,8 +974,7 @@ CLASSIFY(1:110) 0.0.0.0/0 0.0.0.0/0 tcp - 22</
means unclassified. Traffic originating on the firewall is not covered means unclassified. Traffic originating on the firewall is not covered
by this example.</para> by this example.</para>
<programlisting>#ACTION SOURCE DESTINATION PROTOCOL PORT(S) CLIENT USER/ TEST <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
# PORT(S) GROUP
MARK(1) 0.0.0.0/0 0.0.0.0/0 icmp echo-request MARK(1) 0.0.0.0/0 0.0.0.0/0 icmp echo-request
MARK(1) 0.0.0.0/0 0.0.0.0/0 icmp echo-reply MARK(1) 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
@ -1002,8 +1000,7 @@ SAVE 0.0.0.0/0 0.0.0.0/0 all - -
ensure that all VOIP packets also receive that mark (assumes that ensure that all VOIP packets also receive that mark (assumes that
nf_conntrack_sip is loaded).</para> nf_conntrack_sip is loaded).</para>
<programlisting>#ACTION SOURCE DESTINATION PROTOCOL PORT(S) CLIENT USER/ TEST CONNBYTES TOS HELPER <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST CONNBYTES TOS HELPER
# PORT(S) GROUP
RESTORE 0.0.0.0/0 0.0.0.0/0 all - - - 0 RESTORE 0.0.0.0/0 0.0.0.0/0 all - - - 0
CONTINUE 0.0.0.0/0 0.0.0.0/0 all - - - !0 CONTINUE 0.0.0.0/0 0.0.0.0/0 all - - - !0
1 0.0.0.0/0 0.0.0.0/0 all - - - - - - sip 1 0.0.0.0/0 0.0.0.0/0 all - - - - - - sip
@ -1235,7 +1232,7 @@ Source IP address is 192.168.4.3 = 0xc0a80403
<para><filename>/etc/shorewall/tcdevices</filename>:</para> <para><filename>/etc/shorewall/tcdevices</filename>:</para>
<programlisting>#INTERFACE IN-BANDWIDTH OUT-BANDWIDTH <programlisting>#INTERFACE IN_BANDWIDTH OUT_BANDWIDTH
eth0 100mbit 100mbit</programlisting> eth0 100mbit 100mbit</programlisting>
<para><filename>/etc/shorewall/tcclasses</filename>:</para> <para><filename>/etc/shorewall/tcclasses</filename>:</para>
@ -1293,7 +1290,7 @@ IPMARK(src,0xff,0x10100):F 192.168.1.0/29 eth0</programlisting>
<section id="realtcd"> <section id="realtcd">
<title>tcdevices file</title> <title>tcdevices file</title>
<programlisting>#INTERFACE IN-BANDWITH OUT-BANDWIDTH <programlisting>#INTERFACE IN_BANDWITH OUT_BANDWIDTH
ppp0 5000kbit 500kbit</programlisting> ppp0 5000kbit 500kbit</programlisting>
</section> </section>
@ -1309,8 +1306,7 @@ ppp0 3 2*full/10 8*full/10 2</programlisting>
<section id="realtcr"> <section id="realtcr">
<title>mangle file</title> <title>mangle file</title>
<programlisting>#ACTION SOURCE DEST PROTO PORT(S) CLIENT USER <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER
# PORT(S)
MARK(1):F 0.0.0.0/0 0.0.0.0/0 icmp echo-request MARK(1):F 0.0.0.0/0 0.0.0.0/0 icmp echo-request
MARK(1):F 0.0.0.0/0 0.0.0.0/0 icmp echo-reply MARK(1):F 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
# mark traffic which should have a lower priority with a 3: # mark traffic which should have a lower priority with a 3:
@ -1347,23 +1343,14 @@ NOPRIOPORTDST="6662 6663" </programlisting>
<para>This would result in the following additional settings to the <para>This would result in the following additional settings to the
mangle file:</para> mangle file:</para>
<programlisting>MARK(3) 192.168.1.128/25 0.0.0.0/0 all <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER
MARK(3) 192.168.1.128/25 0.0.0.0/0 all
MARK(3) 192.168.3.28 0.0.0.0/0 all MARK(3) 192.168.3.28 0.0.0.0/0 all
MARK(3) 0.0.0.0/0 60.0.0.0/24 all MARK(3) 0.0.0.0/0 60.0.0.0/24 all
MARK(3) 0.0.0.0/0 0.0.0.0/0 udp 6662,6663 MARK(3) 0.0.0.0/0 0.0.0.0/0 udp 6662,6663
MARK(3) 0.0.0.0/0 0.0.0.0/0 udp - 6662,6663 MARK(3) 0.0.0.0/0 0.0.0.0/0 udp - 6662,6663
MARK(3) 0.0.0.0/0 0.0.0.0/0 tcp 6662,6663 MARK(3) 0.0.0.0/0 0.0.0.0/0 tcp 6662,6663
MARK(3) 0.0.0.0/0 0.0.0.0/0 tcp - 6662,6663</programlisting> MARK(3) 0.0.0.0/0 0.0.0.0/0 tcp - 6662,6663</programlisting>
<para>Corresponding tcrules file entries are:</para>
<programlisting>3 192.168.1.128/25 0.0.0.0/0 all
3 192.168.3.28 0.0.0.0/0 all
3 0.0.0.0/0 60.0.0.0/24 all
3 0.0.0.0/0 0.0.0.0/0 udp 6662,6663
3 0.0.0.0/0 0.0.0.0/0 udp - 6662,6663
3 0.0.0.0/0 0.0.0.0/0 tcp 6662,6663
3 0.0.0.0/0 0.0.0.0/0 tcp - 6662,6663</programlisting>
</section> </section>
</section> </section>
@ -1378,7 +1365,7 @@ MARK(3) 0.0.0.0/0 0.0.0.0/0 tcp - 6662,666
<section id="simpletcd"> <section id="simpletcd">
<title>tcdevices file</title> <title>tcdevices file</title>
<programlisting>#INTERFACE IN-BANDWITH OUT-BANDWIDTH <programlisting>#INTERFACE IN_BANDWITH OUT_BANDWIDTH
ppp0 6000kbit 700kbit</programlisting> ppp0 6000kbit 700kbit</programlisting>
<para>We have 6mbit down and 700kbit upstream.</para> <para>We have 6mbit down and 700kbit upstream.</para>
@ -1403,8 +1390,7 @@ ppp0 4 90kbit 200kbit 3 default</pro
<section id="simpletcr"> <section id="simpletcr">
<title>mangle file</title> <title>mangle file</title>
<programlisting>#ACTION SOURCE DEST PROTO PORT(S) SOURCE USER <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER
# PORT(S)
MARK(1):F 0.0.0.0/0 0.0.0.0/0 icmp echo-request MARK(1):F 0.0.0.0/0 0.0.0.0/0 icmp echo-request
MARK(1):F 0.0.0.0/0 0.0.0.0/0 icmp echo-reply MARK(1):F 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
MARK(2):F 192.168.2.23 0.0.0.0/0 all MARK(2):F 192.168.2.23 0.0.0.0/0 all
@ -1412,8 +1398,7 @@ MARK(3):F 192.168.2.42 0.0.0.0/0 all</programlisting>
<para>Corresponding tcrules file:</para> <para>Corresponding tcrules file:</para>
<programlisting>#ACTION SOURCE DEST PROTO PORT(S) CLIENT USER <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER
# PORT(S)
1:F 0.0.0.0/0 0.0.0.0/0 icmp echo-request 1:F 0.0.0.0/0 0.0.0.0/0 icmp echo-request
1:F 0.0.0.0/0 0.0.0.0/0 icmp echo-reply 1:F 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
2:F 192.168.2.23 0.0.0.0/0 all 2:F 192.168.2.23 0.0.0.0/0 all
@ -1472,13 +1457,12 @@ MARK(3):F 192.168.2.42 0.0.0.0/0 all</programlisting>
<para><filename>/etc/shorewall/tcdevices</filename>:</para> <para><filename>/etc/shorewall/tcdevices</filename>:</para>
<programlisting>#INTERFACE IN-BANDWITH OUT-BANDWIDTH OPTIONS <programlisting>#INTERFACE IN_BANDWITH OUT_BANDWIDTH OPTIONS
eth0 - 1000kbit hfsc</programlisting> eth0 - 1000kbit hfsc</programlisting>
<para><filename>/etc/shorewall/tcclasses</filename>:</para> <para><filename>/etc/shorewall/tcclasses</filename>:</para>
<programlisting>#INTERFACE:CLASS MARK RATE: CEIL PRIORITY OPTIONS <programlisting>#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
# DMAX:UMAX
1:10 1 500kbit full 1 1:10 1 500kbit full 1
1:20 2 500kbit full 1 1:20 2 500kbit full 1
1:10:11 3 400kbit:53ms:1500b full 2 1:10:11 3 400kbit:53ms:1500b full 2
@ -1649,8 +1633,7 @@ ip link set ifb0 up</command></programlisting>
<para>Example: <filename>/etc/shorewall/rules</filename>:</para> <para>Example: <filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
# PORT(S) PORT(S) DEST
DNAT net dmz:192.168.4.5 tcp 80 - 206.124.146.177</programlisting> DNAT net dmz:192.168.4.5 tcp 80 - 206.124.146.177</programlisting>
<para>Requests redirected by this rule will have destination IP <para>Requests redirected by this rule will have destination IP
@ -1721,7 +1704,7 @@ eth0 192.168.1.0/24 206.124.146.179</programlisting></para>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>DEST PORT(S)</term> <term>DPORT</term>
<listitem> <listitem>
<para>Comma-separated list of destination port names or numbers. <para>Comma-separated list of destination port names or numbers.
@ -1731,7 +1714,7 @@ eth0 192.168.1.0/24 206.124.146.179</programlisting></para>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>SOURCE PORT</term> <term>SPORT</term>
<listitem> <listitem>
<para>Comma-separated list of source port names or numbers. May <para>Comma-separated list of source port names or numbers. May
@ -1810,8 +1793,7 @@ qt ip link set dev ifb0 up</programlisting></para>
<para><filename>/etc/shorewall/tcdevices</filename>:</para> <para><filename>/etc/shorewall/tcdevices</filename>:</para>
<para><programlisting> <para><programlisting>
#INTERFACE IN-BANDWITH OUT-BANDWIDTH OPTIONS REDIRECTED #INTERFACE IN_BANDWITH OUT_BANDWIDTH OPTIONS REDIRECT
# INTERFACES
1:eth0 - 384kbit classify 1:eth0 - 384kbit classify
2:ifb0 - 1300kbit - eth0</programlisting> 2:ifb0 - 1300kbit - eth0</programlisting>
<filename>/etc/shorewall/tcclasses</filename>:<programlisting>#INTERFACE MARK RATE CEIL PRIORITY OPTIONS <filename>/etc/shorewall/tcclasses</filename>:<programlisting>#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
@ -1820,8 +1802,7 @@ qt ip link set dev ifb0 up</programlisting></para>
1:130 - 2*full/10 6*full/10 3 1:130 - 2*full/10 6*full/10 3
2:110 - 5*full/10 full 1 tcp-ack,tos-minimize-delay 2:110 - 5*full/10 full 1 tcp-ack,tos-minimize-delay
2:120 - 2*full/10 6*full/10 2 default 2:120 - 2*full/10 6*full/10 2 default
2:130 - 2*full/10 6*full/10 3</programlisting><filename>/etc/shorewall/tcfilters</filename>:<programlisting>#INTERFACE: SOURCE DEST PROTO DEST SOURCE 2:130 - 2*full/10 6*full/10 3</programlisting><filename>/etc/shorewall/tcfilters</filename>:<programlisting>#INTERFACE: SOURCE DEST PROTO DPORT SPORT
#CLASS PORT(S) PORT(S)
# #
# OUTGOING TRAFFIC # OUTGOING TRAFFIC
# #


@ -74,7 +74,7 @@
<mediaobject> <mediaobject>
<imageobject> <imageobject>
<imagedata align="center" fileref="images/basics.png" format="PNG" /> <imagedata align="center" fileref="images/basics.png" format="PNG"/>
</imageobject> </imageobject>
</mediaobject> </mediaobject>
</figure> <caution> </figure> <caution>
@ -121,19 +121,18 @@
<title>Conventions</title> <title>Conventions</title>
<para>Points at which configuration changes are recommended are flagged <para>Points at which configuration changes are recommended are flagged
with <inlinegraphic fileref="images/BD21298_.gif" with <inlinegraphic fileref="images/BD21298_.gif" format="GIF"/>.</para>
format="GIF" />.</para>
<para>Configuration notes that are unique to Debian and it's derivatives <para>Configuration notes that are unique to Debian and it's derivatives
are marked with <inlinegraphic fileref="images/openlogo-nd-25.png" are marked with <inlinegraphic fileref="images/openlogo-nd-25.png"
format="GIF" />.</para> format="GIF"/>.</para>
</section> </section>
</section> </section>
<section id="PPTP"> <section id="PPTP">
<title>PPTP/ADSL</title> <title>PPTP/ADSL</title>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para> <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>If you have an <acronym>ADSL</acronym> Modem and you use <para>If you have an <acronym>ADSL</acronym> Modem and you use
<acronym>PPTP</acronym> to communicate with a server in that modem, you <acronym>PPTP</acronym> to communicate with a server in that modem, you
@ -146,7 +145,7 @@
<section id="Concepts"> <section id="Concepts">
<title>Shorewall Concepts</title> <title>Shorewall Concepts</title>
<para></para> <para/>
<para>The configuration files for Shorewall are contained in the directory <para>The configuration files for Shorewall are contained in the directory
<filename class="directory">/etc/shorewall</filename> -- for simple <filename class="directory">/etc/shorewall</filename> -- for simple
@ -154,7 +153,7 @@
this guide.</para> this guide.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" <para><inlinegraphic fileref="images/BD21298_.gif"
format="GIF" /><important> format="GIF"/><important>
<para>After you have <ulink url="Install.htm">installed <para>After you have <ulink url="Install.htm">installed
Shorewall</ulink>, locate the two-interfaces samples:</para> Shorewall</ulink>, locate the two-interfaces samples:</para>
@ -189,10 +188,10 @@
<listitem> <listitem>
<para><graphic align="left" <para><graphic align="left"
fileref="images/openlogo-nd-25.png" />If you installed using a fileref="images/openlogo-nd-25.png"/>If you installed using a
Shorewall 4.x .deb, the samples are in <emphasis Shorewall 4.x .deb, the samples are in <emphasis
role="bold"><filename role="bold"><filename
class="directory">/usr/share/doc/shorewall-common/examples/two-interfaces</filename>.</emphasis> class="directory">/usr/share/doc/shorewall/examples/two-interfaces</filename>.</emphasis>
You do not need the shorewall-doc package to have access to the You do not need the shorewall-doc package to have access to the
samples.</para> samples.</para>
@ -230,8 +229,7 @@
a set of zones. In the two-interface sample configuration, the following a set of zones. In the two-interface sample configuration, the following
zone names are used:</para> zone names are used:</para>
<para><programlisting>#ZONE TYPE OPTIONS IN OUT <para><programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
# OPTIONS OPTIONS
fw firewall fw firewall
net ipv4 net ipv4
loc ipv4</programlisting>Zones are defined in the <ulink loc ipv4</programlisting>Zones are defined in the <ulink
@ -289,13 +287,13 @@ loc ipv4</programlisting>Zones are defined in the <ulink
<para>The <filename <para>The <filename
class="directory">/etc/shorewall/</filename><filename>policy</filename> class="directory">/etc/shorewall/</filename><filename>policy</filename>
file included with the two-interface sample has the following policies: file included with the two-interface sample has the following policies:
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST <programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
loc net ACCEPT loc net ACCEPT
net all DROP info net all DROP info
all all REJECT info</programlisting>In the two-interface all all REJECT info</programlisting>In the two-interface
sample, the line below is included but commented out. If you want your sample, the line below is included but commented out. If you want your
firewall system to have full access to servers on the Internet, uncomment firewall system to have full access to servers on the Internet, uncomment
that line. <programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST that line. <programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
$FW net ACCEPT</programlisting> The above policy will: $FW net ACCEPT</programlisting> The above policy will:
<itemizedlist> <itemizedlist>
<listitem> <listitem>
@ -333,11 +331,11 @@ $FW net ACCEPT</programlisting> The above policy will:
local network from a security perspective. If you want to do this, add local network from a security perspective. If you want to do this, add
these two policies:</para> these two policies:</para>
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST <programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
loc $FW ACCEPT loc $FW ACCEPT
$FW loc ACCEPT</programlisting> $FW loc ACCEPT</programlisting>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para> <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>At this point, edit your <filename <para>At this point, edit your <filename
class="directory">/etc/shorewall/</filename><filename>policy</filename> class="directory">/etc/shorewall/</filename><filename>policy</filename>
@ -349,7 +347,7 @@ $FW loc ACCEPT</programlisting>
<mediaobject> <mediaobject>
<imageobject> <imageobject>
<imagedata align="center" fileref="images/basics.png" format="PNG" /> <imagedata align="center" fileref="images/basics.png" format="PNG"/>
</imageobject> </imageobject>
</mediaobject> </mediaobject>
@ -393,7 +391,7 @@ root@lists:~# </programlisting>
the external interface.</para> the external interface.</para>
</caution> </caution>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para> <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>I<emphasis role="bold">f your external interface is <filename <para>I<emphasis role="bold">f your external interface is <filename
class="devicefile">ppp0</filename> or <filename class="devicefile">ppp0</filename> or <filename
@ -421,7 +419,7 @@ root@lists:~# </programlisting>
internal interface.</emphasis> Your firewall should have exactly one internal interface.</emphasis> Your firewall should have exactly one
default route via your ISP's Router.</para> default route via your ISP's Router.</para>
</warning> <inlinegraphic fileref="images/BD21298_.gif" </warning> <inlinegraphic fileref="images/BD21298_.gif"
format="GIF" /></para> format="GIF"/></para>
<para>The Shorewall two-interface sample configuration assumes that the <para>The Shorewall two-interface sample configuration assumes that the
external interface is <filename class="devicefile">eth0</filename> and the external interface is <filename class="devicefile">eth0</filename> and the
@ -533,7 +531,7 @@ root@lists:~# </programlisting>
directly. To communicate with systems outside of the subnetwork, systems directly. To communicate with systems outside of the subnetwork, systems
send packets through a gateway (router).</para> send packets through a gateway (router).</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para> <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>Your local computers (computer 1 and computer 2 in the above <para>Your local computers (computer 1 and computer 2 in the above
diagram) should be configured with their default gateway to be the diagram) should be configured with their default gateway to be the
@ -550,7 +548,7 @@ root@lists:~# </programlisting>
<para id="Diagram">The remainder of this guide will assume that you have <para id="Diagram">The remainder of this guide will assume that you have
configured your network as shown here: <mediaobject> configured your network as shown here: <mediaobject>
<imageobject> <imageobject>
<imagedata align="center" fileref="images/basics1.png" format="PNG" /> <imagedata align="center" fileref="images/basics1.png" format="PNG"/>
</imageobject> </imageobject>
</mediaobject> The default gateway for computer's 1 &amp; 2 would be </mediaobject> The default gateway for computer's 1 &amp; 2 would be
<systemitem class="ipaddress">10.10.10.254</systemitem>. <warning> <systemitem class="ipaddress">10.10.10.254</systemitem>. <warning>
@ -607,7 +605,7 @@ root@lists:~# </programlisting>
<acronym>IP</acronym> is dynamic and <acronym>SNAT</acronym> if the <acronym>IP</acronym> is dynamic and <acronym>SNAT</acronym> if the
<acronym>IP</acronym> is static.</para> <acronym>IP</acronym> is static.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para> <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>If your external firewall interface is <filename <para>If your external firewall interface is <filename
class="devicefile">eth0</filename>, you do not need to modify the file class="devicefile">eth0</filename>, you do not need to modify the file
@ -616,7 +614,7 @@ root@lists:~# </programlisting>
class="directory">/etc/shorewall/</filename><filename>masq</filename> and class="directory">/etc/shorewall/</filename><filename>masq</filename> and
change the first column to the name of your external interface.</para> change the first column to the name of your external interface.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para> <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>If your external <acronym>IP</acronym> is static, you can enter it <para>If your external <acronym>IP</acronym> is static, you can enter it
in the third column in the <filename in the third column in the <filename
@ -626,7 +624,7 @@ root@lists:~# </programlisting>
column 3 (SNAT) makes the processing of outgoing packets a little more column 3 (SNAT) makes the processing of outgoing packets a little more
efficient.</para> efficient.</para>
<graphic align="left" fileref="images/openlogo-nd-25.png" /> <graphic align="left" fileref="images/openlogo-nd-25.png"/>
<para>I<emphasis role="bold">f you are using the Debian package, please <para>I<emphasis role="bold">f you are using the Debian package, please
check your <filename>shorewall.conf</filename> file to ensure that the check your <filename>shorewall.conf</filename> file to ensure that the
@ -689,7 +687,7 @@ root@lists:~# </programlisting>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para> <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>If you are running a distribution that logs netfilter messages to a <para>If you are running a distribution that logs netfilter messages to a
log other than <filename>/var/log/messages</filename>, then modify the log other than <filename>/var/log/messages</filename>, then modify the
@ -729,7 +727,7 @@ root@lists:~# </programlisting>
<filename>/usr/share/shorewall/modules</filename> then copy the file to <filename>/usr/share/shorewall/modules</filename> then copy the file to
<filename>/etc/shorewall</filename> and modify the copy.</para> <filename>/etc/shorewall</filename> and modify the copy.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para> <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>Modify the setting of LOAD_HELPER_ONLY as necessary.</para> <para>Modify the setting of LOAD_HELPER_ONLY as necessary.</para>
</section> </section>
@ -758,7 +756,7 @@ root@lists:~# </programlisting>
a server in the <emphasis>loc</emphasis> zone, the general form of a a server in the <emphasis>loc</emphasis> zone, the general form of a
simple port forwarding rule in <filename simple port forwarding rule in <filename
class="directory">/etc/shorewall/</filename><filename>rules</filename> is: class="directory">/etc/shorewall/</filename><filename>rules</filename> is:
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
DNAT net loc:<emphasis>&lt;server local ip address&gt;</emphasis>[:<emphasis>&lt;server port&gt;</emphasis>] <emphasis>&lt;protocol&gt;</emphasis> <emphasis>&lt;port&gt;</emphasis></programlisting><important> DNAT net loc:<emphasis>&lt;server local ip address&gt;</emphasis>[:<emphasis>&lt;server port&gt;</emphasis>] <emphasis>&lt;protocol&gt;</emphasis> <emphasis>&lt;port&gt;</emphasis></programlisting><important>
<para><emphasis role="bold">If you want to forward traffic from the <para><emphasis role="bold">If you want to forward traffic from the
<emphasis>loc</emphasis> zone to a server in the <emphasis>loc</emphasis> zone to a server in the
@ -784,14 +782,14 @@ DNAT net loc:<emphasis>&lt;server local ip address&gt;</emphasis>[:<e
<para>You run a Web Server on computer 2 in <link <para>You run a Web Server on computer 2 in <link
linkend="Diagram">the above diagram</link> and you want to forward linkend="Diagram">the above diagram</link> and you want to forward
incoming <acronym>TCP</acronym> port 80 to that system: incoming <acronym>TCP</acronym> port 80 to that system:
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
Web(DNAT) net loc:10.10.10.2</programlisting></para> Web(DNAT) net loc:10.10.10.2</programlisting></para>
</example> <example id="Example2" label="2"> </example> <example id="Example2" label="2">
<title>FTP Server</title> <title>FTP Server</title>
<para>You run an <acronym>FTP</acronym> Server on <link <para>You run an <acronym>FTP</acronym> Server on <link
linkend="Diagram">computer 1</link> so you want to forward incoming linkend="Diagram">computer 1</link> so you want to forward incoming
<acronym>TCP</acronym> port 21 to that system: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <acronym>TCP</acronym> port 21 to that system: <programlisting>#ACTION SOURCE DEST PROTO DPORT
FTP(DNAT) net loc:10.10.10.1</programlisting> For FTP(DNAT) net loc:10.10.10.1</programlisting> For
<acronym>FTP</acronym>, you will also need to have <acronym>FTP</acronym>, you will also need to have
<acronym>FTP</acronym> connection tracking and <acronym>NAT</acronym> <acronym>FTP</acronym> connection tracking and <acronym>NAT</acronym>
@ -829,11 +827,11 @@ FTP(DNAT) net loc:10.10.10.1</programlisting> For
server, try the following rule and try connecting to port server, try the following rule and try connecting to port
5000.</para> 5000.</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
DNAT net loc:10.10.10.2:80 tcp 5000</programlisting> DNAT net loc:10.10.10.2:80 tcp 5000</programlisting>
</listitem> </listitem>
</itemizedlist> <inlinegraphic fileref="images/BD21298_.gif" </itemizedlist> <inlinegraphic fileref="images/BD21298_.gif"
format="GIF" /></para> format="GIF"/></para>
<para>At this point, modify <filename <para>At this point, modify <filename
class="directory">/etc/shorewall/</filename><filename>rules</filename> to class="directory">/etc/shorewall/</filename><filename>rules</filename> to
@ -881,7 +879,7 @@ DNAT net loc:10.10.10.2:80 tcp 5000</programlisting>
</listitem> </listitem>
<listitem> <listitem>
<para><anchor id="cachingdns" /> You can configure a <para><anchor id="cachingdns"/> You can configure a
<emphasis>Caching Name Server</emphasis> on your firewall. <emphasis>Caching Name Server</emphasis> on your firewall.
<trademark>Red Hat</trademark> has an <acronym>RPM</acronym> for a <trademark>Red Hat</trademark> has an <acronym>RPM</acronym> for a
caching name server (the <acronym>RPM</acronym> also requires the caching name server (the <acronym>RPM</acronym> also requires the
@ -897,7 +895,7 @@ DNAT net loc:10.10.10.2:80 tcp 5000</programlisting>
network to the firewall; you do that by adding the following rules network to the firewall; you do that by adding the following rules
in <filename in <filename
class="directory">/etc/shorewall/</filename><filename>rules</filename>. class="directory">/etc/shorewall/</filename><filename>rules</filename>.
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
DNS(ACCEPT)loc $FW</programlisting></para> DNS(ACCEPT)loc $FW</programlisting></para>
</listitem> </listitem>
</itemizedlist></para> </itemizedlist></para>
@ -907,7 +905,7 @@ DNS(ACCEPT)loc $FW</programlisting></para>
<title>Other Connections</title> <title>Other Connections</title>
<para>The two-interface sample includes the following rules: <para>The two-interface sample includes the following rules:
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
DNS(ACCEPT) $FW net</programlisting>This rule allows DNS(ACCEPT) $FW net</programlisting>This rule allows
<acronym>DNS</acronym> access from your firewall and may be removed if you <acronym>DNS</acronym> access from your firewall and may be removed if you
uncommented the line in <filename uncommented the line in <filename
@ -922,7 +920,7 @@ DNS(ACCEPT) $FW net</programlisting>This rule allows
<para>You don't have to use defined macros when coding a rule in <para>You don't have to use defined macros when coding a rule in
<filename>/etc/shorewall/rules</filename>; Shorewall will start slightly <filename>/etc/shorewall/rules</filename>; Shorewall will start slightly
faster if you code your rules directly rather than using macros. The the faster if you code your rules directly rather than using macros. The the
rule shown above could also have been coded as follows:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) rule shown above could also have been coded as follows:<programlisting>#ACTION SOURCE DEST PROTO DPORT
ACCEPT $FW net udp 53 ACCEPT $FW net udp 53
ACCEPT $FW net tcp 53</programlisting></para> ACCEPT $FW net tcp 53</programlisting></para>
@ -930,21 +928,21 @@ ACCEPT $FW net tcp 53</programlisting></para>
your needs, you can either define the macro yourself or you can simply your needs, you can either define the macro yourself or you can simply
code the appropriate rules directly.</para> code the appropriate rules directly.</para>
<para>The sample also includes: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <para>The sample also includes: <programlisting>#ACTION SOURCE DEST PROTO DPORT
SSH(ACCEPT) loc $FW </programlisting>That rule allows you to run an SSH(ACCEPT) loc $FW </programlisting>That rule allows you to run an
<acronym>SSH</acronym> server on your firewall and connect to that server <acronym>SSH</acronym> server on your firewall and connect to that server
from your local systems.</para> from your local systems.</para>
<para>If you wish to enable other connections from your firewall to other <para>If you wish to enable other connections from your firewall to other
systems, the general format using a macro is: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) systems, the general format using a macro is: <programlisting>#ACTION SOURCE DEST PROTO DPORT
&lt;macro&gt;(ACCEPT) $FW <emphasis>&lt;destination zone&gt;</emphasis></programlisting>The &lt;macro&gt;(ACCEPT) $FW <emphasis>&lt;destination zone&gt;</emphasis></programlisting>The
general format when not using defined macros is:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) general format when not using defined macros is:<programlisting>#ACTION SOURCE DEST PROTO DPORT
ACCEPT $FW <emphasis>&lt;destination zone&gt; &lt;protocol&gt; &lt;port&gt;</emphasis></programlisting><example ACCEPT $FW <emphasis>&lt;destination zone&gt; &lt;protocol&gt; &lt;port&gt;</emphasis></programlisting><example
id="Example3"> id="Example3">
<title>Web Server on Firewall</title> <title>Web Server on Firewall</title>
<para>You want to run a Web Server on your firewall system: <para>You want to run a Web Server on your firewall system:
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
Web(ACCEPT) net $FW Web(ACCEPT) net $FW
Web(ACCEPT) loc $FW </programlisting>Those two rules would of Web(ACCEPT) loc $FW </programlisting>Those two rules would of
course be in addition to the rules listed above under <quote><link course be in addition to the rules listed above under <quote><link
@ -957,14 +955,14 @@ Web(ACCEPT) loc $FW </programlisting>Those two rules would of
shell access to your firewall from the Internet, use shell access to your firewall from the Internet, use
<acronym>SSH</acronym>:</para> <acronym>SSH</acronym>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
SSH(ACCEPT) net $FW</programlisting> SSH(ACCEPT) net $FW</programlisting>
</important> <inlinegraphic fileref="images/leaflogo.gif" </important> <inlinegraphic fileref="images/leaflogo.gif"
format="GIF" />Bering users will want to add the following two rules to be format="GIF"/>Bering users will want to add the following two rules to be
compatible with Jacques's Shorewall configuration.<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) compatible with Jacques's Shorewall configuration.<programlisting>#ACTION SOURCE DEST PROTO DPORT
ACCEPT loc $FW udp 53 #Allow DNS Cache to work ACCEPT loc $FW udp 53 #Allow DNS Cache to work
ACCEPT loc $FW tcp 80 #Allow Weblet to work</programlisting> ACCEPT loc $FW tcp 80 #Allow Weblet to work</programlisting>
<inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para> <inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>Now edit your <filename <para>Now edit your <filename
class="directory">/etc/shorewall/</filename><filename>rules</filename> class="directory">/etc/shorewall/</filename><filename>rules</filename>
@ -1030,7 +1028,7 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
<section id="Starting"> <section id="Starting">
<title>Starting and Stopping Your Firewall</title> <title>Starting and Stopping Your Firewall</title>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para> <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>The <ulink url="Install.htm">installation procedure</ulink> <para>The <ulink url="Install.htm">installation procedure</ulink>
configures your system to start Shorewall at system boot but startup is configures your system to start Shorewall at system boot but startup is
@ -1038,7 +1036,7 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
configuration is complete. Once you have completed configuration of your configuration is complete. Once you have completed configuration of your
firewall, you must edit /etc/shorewall/shorewall.conf and set firewall, you must edit /etc/shorewall/shorewall.conf and set
STARTUP_ENABLED=Yes.<graphic align="left" STARTUP_ENABLED=Yes.<graphic align="left"
fileref="images/openlogo-nd-25.png" /><important> fileref="images/openlogo-nd-25.png"/><important>
<para>Users of the .deb package must edit <filename <para>Users of the .deb package must edit <filename
class="directory">/etc/default/</filename><filename>shorewall</filename> class="directory">/etc/default/</filename><filename>shorewall</filename>
and set <varname>startup=1</varname>.</para> and set <varname>startup=1</varname>.</para>
@ -1056,11 +1054,11 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
(Shorewall 4.5.7 and earlier) or in<filename> <ulink (Shorewall 4.5.7 and earlier) or in<filename> <ulink
url="manpages/shorewall-stoppedrules.html">/etc/shorewall/stoppedrules</ulink></filename>. url="manpages/shorewall-stoppedrules.html">/etc/shorewall/stoppedrules</ulink></filename>.
A running firewall may be restarted using the <quote><command>shorewall A running firewall may be restarted using the <quote><command>shorewall
restart</command></quote> command. If you want to totally remove any trace reload</command></quote> command. If you want to totally remove any trace
of Shorewall from your Netfilter configuration, use of Shorewall from your Netfilter configuration, use
<quote><command>shorewall clear</command></quote>.</para> <quote><command>shorewall clear</command></quote>.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para> <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>The two-interface sample assumes that you want to enable routing <para>The two-interface sample assumes that you want to enable routing
to/from <filename class="devicefile">eth1</filename> (the local network) to/from <filename class="devicefile">eth1</filename> (the local network)
@ -1087,7 +1085,7 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
</orderedlist> </orderedlist>
<para>Also, I don't recommend using <quote><command>shorewall <para>Also, I don't recommend using <quote><command>shorewall
restart</command></quote>; it is better to create an alternate reload</command></quote>; it is better to create an alternate
configuration and test it using the <quote><command>shorewall configuration and test it using the <quote><command>shorewall
try</command></quote> command.</para> try</command></quote> command.</para>
</warning></para> </warning></para>
@ -1158,7 +1156,7 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
<programlisting><command>systemctl disable iptables.service</command></programlisting> <programlisting><command>systemctl disable iptables.service</command></programlisting>
<para><inlinegraphic fileref="images/BD21298_.gif" /></para> <para><inlinegraphic fileref="images/BD21298_.gif"/></para>
<para>At this point, disable your existing firewall service.</para> <para>At this point, disable your existing firewall service.</para>
</section> </section>
@ -1202,9 +1200,9 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
</caution></para> </caution></para>
<para>Your new network will look similar to what is shown in the following <para>Your new network will look similar to what is shown in the following
figure.<graphic align="center" fileref="images/basics2.png" /></para> figure.<graphic align="center" fileref="images/basics2.png"/></para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para> <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>The first thing to note is that the computers in your wireless <para>The first thing to note is that the computers in your wireless
network will be in a different subnet from those on your wired local LAN. network will be in a different subnet from those on your wired local LAN.
@ -1217,7 +1215,7 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
traffic may flow freely between the local wired network and the wireless traffic may flow freely between the local wired network and the wireless
network.</para> network.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para> <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>There are only two changes that need to be made to the Shorewall <para>There are only two changes that need to be made to the Shorewall
configuration:</para> configuration:</para>
@ -1229,8 +1227,8 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
network interface. If the wireless interface is <filename network interface. If the wireless interface is <filename
class="devicefile">wlan0</filename>, the entry might look like:</para> class="devicefile">wlan0</filename>, the entry might look like:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS <programlisting>#ZONE INTERFACE OPTIONS
loc wlan0 detect maclist</programlisting> loc wlan0 maclist</programlisting>
<para>As shown in the above entry, I recommend using the <ulink <para>As shown in the above entry, I recommend using the <ulink
url="MAC_Validation.html">maclist option</ulink> for the wireless url="MAC_Validation.html">maclist option</ulink> for the wireless
@ -1248,7 +1246,7 @@ loc wlan0 detect maclist</programlisting>
from the wireless network to the Internet. If you file looks like from the wireless network to the Internet. If you file looks like
this:</para> this:</para>
<programlisting>#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK <programlisting>#INTERFACE SOURCE ADDRESS PROTO DPORT IPSEC MARK
eth0 10.0.0.0/8,\ eth0 10.0.0.0/8,\
169.254.0.0/16,\ 169.254.0.0/16,\
172.16.0.0/12,\ 172.16.0.0/12,\


@ -120,7 +120,7 @@ loc eth2:0.0.0.0/0</programlisting>
<bridgehead renderas="sect4">Policy File</bridgehead> <bridgehead renderas="sect4">Policy File</bridgehead>
<programlisting>#SOURCE DEST POLICY LOG LEVEL <programlisting>#SOURCE DEST POLICY LOGLEVEL
<emphasis role="bold">ops all ACCEPT <emphasis role="bold">ops all ACCEPT
all ops CONTINUE</emphasis> all ops CONTINUE</emphasis>
loc net ACCEPT loc net ACCEPT
@ -134,7 +134,7 @@ all all REJECT info</programlisting>
<bridgehead renderas="sect4">Rules File</bridgehead> <bridgehead renderas="sect4">Rules File</bridgehead>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE PORTS(S) ORIGINAL DEST <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
REDIRECT loc!ops 3128 tcp http</programlisting> REDIRECT loc!ops 3128 tcp http</programlisting>
<para>This is the rule that transparently redirects web traffic to the <para>This is the rule that transparently redirects web traffic to the