FAQ: convert to new header format and update blacklist entry to use blrules

Signed-off-by: Tuomo Soini <tis@foobar.fi>
This commit is contained in:
Tuomo Soini 2016-02-14 18:31:44 +02:00
parent 704947a1c4
commit 5230eb3b65


@ -207,28 +207,26 @@
port-forwarding rule <emphasis>from the net</emphasis> to a local system port-forwarding rule <emphasis>from the net</emphasis> to a local system
is as follows:</para> is as follows:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT <programlisting>#ACTION SOURCE DEST PROTO DPORT
DNAT net loc:<emphasis>local-IP-address</emphasis>[:<emphasis>local-port</emphasis>] <emphasis>protocol</emphasis> <emphasis>port-number</emphasis></programlisting> DNAT net loc:<emphasis>local-IP-address</emphasis>[:<emphasis>local-port</emphasis>] <emphasis>protocol</emphasis> <emphasis>port-number</emphasis></programlisting>
<para>So to forward UDP port 7777 to internal system 192.168.1.5, the <para>So to forward UDP port 7777 to internal system 192.168.1.5, the
rule is:</para> rule is:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT <programlisting>#ACTION SOURCE DEST PROTO DPORT
DNAT net loc:192.168.1.5 udp 7777</programlisting> DNAT net loc:192.168.1.5 udp 7777</programlisting>
<para>If you want to forward requests directed to a particular address ( <para>If you want to forward requests directed to a particular address (
<emphasis>external-IP</emphasis> ) on your firewall to an internal <emphasis>external-IP</emphasis> ) on your firewall to an internal
system:</para> system:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
# PORT DEST.
DNAT net loc:<emphasis>local-IP-address</emphasis>&gt;[:<emphasis>local-port</emphasis>] <emphasis>protocol</emphasis> <emphasis>port-number</emphasis> - <emphasis>external-IP</emphasis></programlisting> DNAT net loc:<emphasis>local-IP-address</emphasis>&gt;[:<emphasis>local-port</emphasis>] <emphasis>protocol</emphasis> <emphasis>port-number</emphasis> - <emphasis>external-IP</emphasis></programlisting>
<para>If you want to forward requests from a particular Internet address <para>If you want to forward requests from a particular Internet address
( <emphasis>address</emphasis> ):</para> ( <emphasis>address</emphasis> ):</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
# PORT DEST.
DNAT net:<emphasis>address</emphasis> loc:<emphasis>local-IP-address</emphasis>[:<emphasis>local-port</emphasis>] <emphasis> protocol</emphasis> <emphasis>port-number</emphasis> -</programlisting> DNAT net:<emphasis>address</emphasis> loc:<emphasis>local-IP-address</emphasis>[:<emphasis>local-port</emphasis>] <emphasis> protocol</emphasis> <emphasis>port-number</emphasis> -</programlisting>
<para>Finally, if you need to forward a range of ports, in the DEST PORT <para>Finally, if you need to forward a range of ports, in the DEST PORT
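Review bot: the unchanged context line that closes this hunk still tells the reader to put a port range "in the DEST PORT" column, while every header in the hunk was just renamed from DEST PORT to DPORT; update that sentence to say "in the DPORT column" so the prose matches the new headers. While here, the generic ORIGDEST example carries a stray `&gt;` on both sides of the diff (`loc:<emphasis>local-IP-address</emphasis>&gt;[:<emphasis>local-port</emphasis>]`), which renders as `local-IP-address>[:local-port]`; the hunk touches this line anyway, so drop the `&gt;`.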
@ -386,7 +384,7 @@ DNAT net:<emphasis>address</emphasis> loc:<emphasis>local-IP-address</empha
<para><emphasis role="bold">Answer:</emphasis>In <para><emphasis role="bold">Answer:</emphasis>In
/<filename>etc/shorewall/rules</filename>:</para> /<filename>etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT <programlisting>#ACTION SOURCE DEST PROTO DPORT
DNAT net loc:192.168.1.3:22 tcp 1022</programlisting> DNAT net loc:192.168.1.3:22 tcp 1022</programlisting>
</section> </section>
@ -448,8 +446,7 @@ DNAT net fw:192.168.1.1:22 tcp 4104</programlisting>
</listitem> </listitem>
<listitem> <listitem>
<para>You have this rule on the Shorewall system:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL <para>You have this rule on the Shorewall system:<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
# PORT DEST.
DNAT net loc:192.168.1.4 tcp 21 - 206.124.146.176</programlisting></para> DNAT net loc:192.168.1.4 tcp 21 - 206.124.146.176</programlisting></para>
</listitem> </listitem>
@ -514,14 +511,22 @@ eth1:192.168.1.4 0.0.0.0/0 192.168.1.1 tcp 21</
that your Internet zone is named <emphasis>net</emphasis> and connects that your Internet zone is named <emphasis>net</emphasis> and connects
on interface <filename class="devicefile">eth0</filename>:</para> on interface <filename class="devicefile">eth0</filename>:</para>
<para>In <filename>/etc/shorewall/rules</filename>:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL <para>In <filename>/etc/shorewall/rules</filename>:<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
# PORT DEST.
?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW
DNAT net net:66.249.93.111:993 tcp 80 - 206.124.146.176</programlisting></para> DNAT net net:66.249.93.111:993 tcp 80 - 206.124.146.176</programlisting></para>
<para>In <filename>/etc/shorewall/interfaces</filename>, specify the <para>In <filename>/etc/shorewall/interfaces</filename>, specify the
<emphasis role="bold">routeback</emphasis> option on <emphasis role="bold">routeback</emphasis> option on
eth0:<programlisting>#ZONE INTERFACE BROADCAST OPTIONS eth0:<programlisting>?FORMAT 2
net eth0 detect <emphasis role="bold">routeback</emphasis></programlisting></para> #ZONE INTERFACE OPTIONS
net eth0 <emphasis role="bold">routeback</emphasis></programlisting></para>
<para><filename>/etc/shorewall/masq</filename>;<programlisting>#INTERFACE SOURCE ADDRESS PROTO PORT <para><filename>/etc/shorewall/masq</filename>;<programlisting>#INTERFACE SOURCE ADDRESS PROTO PORT
eth0:66.249.93.111 0.0.0.0/0 206.124.146.176 tcp 993</programlisting></para> eth0:66.249.93.111 0.0.0.0/0 206.124.146.176 tcp 993</programlisting></para>
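Review bot: the six ?SECTION lines added at the top of the rules snippet (ALL, ESTABLISHED, RELATED, INVALID, UNTRACKED, NEW) are boilerplate that buries the single DNAT rule this FAQ answer exists to show, and the same six-line block is pasted into every later rules snippet in this commit. Since a DNAT rule can only live in the NEW section, either keep just `?SECTION NEW` ahead of the rule, or leave the sections out and add one sentence telling the reader the rule belongs in the NEW section of their existing file. The ?FORMAT 2 conversion of the interfaces snippet (dropping the BROADCAST column, `net eth0 routeback`) is correct.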
@ -542,8 +547,7 @@ eth0:66.249.93.111 0.0.0.0/0 206.124.146.176 tcp 993</programlistin
<para><emphasis role="bold">Answer</emphasis>: Use this rule.</para> <para><emphasis role="bold">Answer</emphasis>: Use this rule.</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST <programlisting>#ACTION SOURCE DEST PROTO DPORT
# PORT(S)
REDIRECT net 22 tcp 9022</programlisting> REDIRECT net 22 tcp 9022</programlisting>
<para>Note that the above rule will also allow connections from the <para>Note that the above rule will also allow connections from the
@ -617,8 +621,7 @@ TOS=0x00 PREC=0x00 TTL=63 ID=23035 PROTO=UDP SPT=6376 DPT=2055 LEN=1472</program
<para>Example:</para> <para>Example:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
# PORT DEST.
DNAT net net:192.168.4.22 tcp 80,443 - <emphasis DNAT net net:192.168.4.22 tcp 80,443 - <emphasis
role="bold">206.124.146.178</emphasis></programlisting> role="bold">206.124.146.178</emphasis></programlisting>
</section> </section>
@ -704,14 +707,15 @@ DNAT net net:192.168.4.22 tcp 80,443 - <
<listitem> <listitem>
<para>In <filename>/etc/shorewall/interfaces</filename>:</para> <para>In <filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS <programlisting>?FORMAT 2
loc eth1 detect <emphasis role="bold">routeback</emphasis> </programlisting> #ZONE INTERFACE OPTIONS
loc eth1 <emphasis role="bold">routeback</emphasis></programlisting>
</listitem> </listitem>
<listitem> <listitem>
<para>In <filename>/etc/shorewall/masq</filename>:</para> <para>In <filename>/etc/shorewall/masq</filename>:</para>
<programlisting>#INTERFACE SOURCE ADDRESS PROTO PORT(S) <programlisting>#INTERFACE SOURCE ADDRESS PROTO PORT
<emphasis role="bold">eth1:192.168.1.5 192.168.1.0/24 192.168.1.254 tcp www</emphasis></programlisting> <emphasis role="bold">eth1:192.168.1.5 192.168.1.0/24 192.168.1.254 tcp www</emphasis></programlisting>
<para>Note: The technique described here is known as <para>Note: The technique described here is known as
@ -721,15 +725,22 @@ loc eth1 detect <emphasis role="bold">routeback</emphasis>
<emphasis>external IP address</emphasis> be used as the <emphasis>external IP address</emphasis> be used as the
source:</para> source:</para>
<programlisting>#INTERFACE SOURCE ADDRESS PROTO PORT(S) <programlisting>#INTERFACE SOURCE ADDRESS PROTO PORT
eth1:192.168.1.5 192.168.1.0/24 <emphasis role="bold">130.151.100.69</emphasis> tcp www</programlisting> eth1:192.168.1.5 192.168.1.0/24 <emphasis role="bold">130.151.100.69</emphasis> tcp www</programlisting>
</listitem> </listitem>
<listitem> <listitem>
<para>In <filename>/etc/shorewall/rules</filename>:</para> <para>In <filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
# PORT DEST.
?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW
<emphasis role="bold">DNAT loc loc:192.168.1.5 tcp www - 130.151.100.69</emphasis></programlisting> <emphasis role="bold">DNAT loc loc:192.168.1.5 tcp www - 130.151.100.69</emphasis></programlisting>
<para>That rule (and the second one in the previous bullet) only <para>That rule (and the second one in the previous bullet) only
@ -741,8 +752,15 @@ eth1:192.168.1.5 192.168.1.0/24 <emphasis role="bold">130.151.100.69</em
<para>and make your DNAT rule:</para> <para>and make your DNAT rule:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
# PORT DEST.
?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW
DNAT loc loc:192.168.1.5 tcp www - <emphasis DNAT loc loc:192.168.1.5 tcp www - <emphasis
role="bold">$ETH0_IP</emphasis></programlisting> role="bold">$ETH0_IP</emphasis></programlisting>
@ -825,13 +843,13 @@ DNAT loc loc:192.168.1.5 tcp www - <emph
<para>In <filename>/etc/shorewall/interfaces</filename>:</para> <para>In <filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS <programlisting>?FORMAT 2
dmz eth2 192.168.2.255 <emphasis role="bold">routeback</emphasis> </programlisting> #ZONE INTERFACE OPTIONS
dmz eth2 <emphasis role="bold">routeback</emphasis> </programlisting>
<para>In <filename>/etc/shorewall/masq</filename>:</para> <para>In <filename>/etc/shorewall/masq</filename>:</para>
<programlisting>#INTERFACE: SOURCE ADDRESS <programlisting>#INTERFACE SOURCE
#ADDRESS
eth2:192.168.1.2 192.168.2.0/24</programlisting> eth2:192.168.1.2 192.168.2.0/24</programlisting>
<para>In <filename>/etc/shorewall/nat</filename>, be sure that you <para>In <filename>/etc/shorewall/nat</filename>, be sure that you
@ -862,8 +880,15 @@ eth2:192.168.1.2 192.168.2.0/24</programlisting>
<para>You can enable access to the server from your local network <para>You can enable access to the server from your local network
using the firewall's external IP address by adding this rule:</para> using the firewall's external IP address by adding this rule:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
# PORT DEST
?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW
<emphasis role="bold">DNAT loc dmz:192.168.2.4 tcp 80 - 206.124.146.176</emphasis></programlisting> <emphasis role="bold">DNAT loc dmz:192.168.2.4 tcp 80 - 206.124.146.176</emphasis></programlisting>
<para>If your external IP address is dynamic, then you must do the <para>If your external IP address is dynamic, then you must do the
@ -875,8 +900,15 @@ eth2:192.168.1.2 192.168.2.0/24</programlisting>
<para>and make your DNAT rule:</para> <para>and make your DNAT rule:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
# PORT DEST.
?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW
DNAT loc dmz:192.168.2.4 tcp 80 - <emphasis DNAT loc dmz:192.168.2.4 tcp 80 - <emphasis
role="bold">$ETH0_IP</emphasis></programlisting> role="bold">$ETH0_IP</emphasis></programlisting>
@ -1433,16 +1465,23 @@ net-fw DROP eth2 5 packets from 61.158.162.9 to 206.124.146.177</programlisting
<para><emphasis role="bold">Answer:</emphasis> Temporarily add the <para><emphasis role="bold">Answer:</emphasis> Temporarily add the
following rule:</para> following rule:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
DROP net fw udp 10619</programlisting>
<para>Alternatively, if you do not set BLACKLIST_LOGLEVEL and you have ?SECTION ALL
specifed the 'blacklist' option on your external interface in ?SECTION ESTABLISHED
<filename>/etc/shorewall/interfaces</filename>, then you can blacklist ?SECTION RELATED
the port. In <filename>/etc/shorewall/blacklist</filename>:</para> ?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW
<programlisting>#ADDRESS/SUBNET PROTOCOL PORT DROP net $FW udp 10619</programlisting>
- udp 10619</programlisting>
<para>Alternatively, if you do not set BLACKLIST_LOGLEVEL you can blacklist
the port. In <filename>/etc/shorewall/blrules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DPORT
DROP net $FW udp 10619</programlisting>
</section> </section>
<section id="faq6d"> <section id="faq6d">
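Review bot: the new blrules snippet (`DROP net $FW udp 10619`) is character-for-character the same as the rules-file snippet directly above it, so the paragraph that begins "Alternatively" no longer shows an alternative. Say what the blrules file buys the reader here (its entries are evaluated before those in /etc/shorewall/rules and are the intended home for blacklisting, and, as this hunk correctly stops mentioning, they no longer depend on the old 'blacklist' interface option), or merge the two snippets into one answer. The `fw` to `$FW` change in the rules snippet is consistent with the later hunk that does the same for the googlesyndication example.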
@ -2361,12 +2400,11 @@ gateway:~# </programlisting>
<para><emphasis role="bold">Answer:</emphasis> Suppose that you want all <para><emphasis role="bold">Answer:</emphasis> Suppose that you want all
traffic to go out through ISP1 (mark 1) unless you specify otherwise. traffic to go out through ISP1 (mark 1) unless you specify otherwise.
Then simply add these two rules as the first marking rules in your Then simply add these two rules as the first marking rules in your
<filename>/etc/shorewall/mangle</filename> <filename>/etc/shorewall/mangle</filename> (was tcrules) file:</para>
(<filename>/etc/shorewall/tcrules</filename>) file:</para>
<programlisting>#ACTION SOURCE DEST <programlisting>#ACTION SOURCE DEST
1:P 0.0.0.0/0 MARK(1):P 0.0.0.0/0
1 $FW MARK(1) $FW
<emphasis>other MARK rules</emphasis></programlisting> <emphasis>other MARK rules</emphasis></programlisting>
<para>Now any traffic that isn't marked by one of your other MARK rules <para>Now any traffic that isn't marked by one of your other MARK rules
@ -2449,7 +2487,7 @@ root@gateway:~#</programlisting>
at 10-12kb and adjust as necessary. Example (simple traffic at 10-12kb and adjust as necessary. Example (simple traffic
shaping):</para> shaping):</para>
<programlisting>#INTERFACE TYPE IN-BANDWIDTH OUT-BANDWIDTH <programlisting>#INTERFACE TYPE IN_BANDWIDTH OUT_BANDWIDTH
eth0 External 50mbit:200kb 5.0mbit:100kb:200ms:100mbit:<emphasis eth0 External 50mbit:200kb 5.0mbit:100kb:200ms:100mbit:<emphasis
role="bold">10kb</emphasis> role="bold">10kb</emphasis>
</programlisting> </programlisting>
@ -2495,8 +2533,7 @@ root@gateway:/etc/shorewall#
<para>Example from /etc/shorewall/tcdevices:</para> <para>Example from /etc/shorewall/tcdevices:</para>
<programlisting>#NUMBER: IN-BANDWIDTH OUT-BANDWIDTH OPTIONS <programlisting>#INTERFACE IN_BANDWITH OUT_BANDWIDTH OPTIONS
#INTERFACE
1:COMB_IF <emphasis role="bold">~20mbit:250ms:4sec</emphasis> ${UPLOAD}kbit hfsc,linklayer=ethernet,overhead=0</programlisting> 1:COMB_IF <emphasis role="bold">~20mbit:250ms:4sec</emphasis> ${UPLOAD}kbit hfsc,linklayer=ethernet,overhead=0</programlisting>
<para>To create a rate-estimated filter, precede the bandwidth with a <para>To create a rate-estimated filter, precede the bandwidth with a
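Review bot: the new tcdevices header in this hunk misspells the first bandwidth column as IN_BANDWITH (`#INTERFACE IN_BANDWITH OUT_BANDWIDTH OPTIONS`); the tcdevices header in the hunk just above uses the correct IN_BANDWIDTH, so fix the typo here before it is copied into other snippets.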
@ -2674,7 +2711,15 @@ VS3=fw:192.168.2.14</programlisting>
<para><filename>/etc/shorewall/rules</filename>:</para> <para><filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW
ACCEPT $VS1 net tcp 25 ACCEPT $VS1 net tcp 25
DNAT net $VS1 tcp 25 DNAT net $VS1 tcp 25
etc...</programlisting> etc...</programlisting>
@ -2925,7 +2970,7 @@ else
<section id="faq26"> <section id="faq26">
<title>(FAQ 26) When I try to use any of the SYN options in nmap on or <title>(FAQ 26) When I try to use any of the SYN options in nmap on or
behind the firewall, I get <quote>operation not permitted</quote>. How behind the firewall, I get <quote>operation not permitted</quote>. How
can I use nmap with Shorewall?"</title> can I use nmap with Shorewall?</title>
<para><emphasis role="bold">Answer:</emphasis> Temporarily remove any <para><emphasis role="bold">Answer:</emphasis> Temporarily remove any
<emphasis role="bold">rejNotSyn</emphasis>, <emphasis <emphasis role="bold">rejNotSyn</emphasis>, <emphasis
@ -2993,8 +3038,8 @@ REJECT fw net:pagead2.googlesyndication.com all</programlisting
was equivalent to:</para> was equivalent to:</para>
<para><programlisting>#ACTION SOURCE DEST PROTO <para><programlisting>#ACTION SOURCE DEST PROTO
REJECT fw net:216.239.37.99 all REJECT $FW net:216.239.37.99 all
REJECT fw net:216.239.39.99 all</programlisting>Given that REJECT $FW net:216.239.39.99 all</programlisting>Given that
name-based multiple hosting is a common practice (another example: name-based multiple hosting is a common practice (another example:
lists.shorewall.net and www1.shorewall.net are both hosted on the same lists.shorewall.net and www1.shorewall.net are both hosted on the same
system with a single IP address), it is not possible to filter system with a single IP address), it is not possible to filter
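Review bot: the two expanded rules are changed from `fw` to `$FW`, but the rule they are said to be "equivalent to", visible in the unchanged context at the top of this hunk (`REJECT fw net:pagead2.googlesyndication.com all`), still uses the bare `fw` zone name; change that line as well so the comparison reads consistently, or leave all three as `fw`.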
@ -3079,10 +3124,9 @@ gateway:~# </programlisting>
<para><emphasis role="bold">Answer:</emphasis> Add these two <para><emphasis role="bold">Answer:</emphasis> Add these two
policies:</para> policies:</para>
<programlisting>#SOURCE DESTINATION POLICY LOG LIMIT:BURST <programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT CONNLIMIT
# LEVEL
$FW loc ACCEPT $FW loc ACCEPT
loc $FW ACCEPT </programlisting> loc $FW ACCEPT</programlisting>
<para>You should also delete any ACCEPT rules from $FW-&gt;loc and <para>You should also delete any ACCEPT rules from $FW-&gt;loc and
loc-&gt;$FW since those rules are redundant with the above loc-&gt;$FW since those rules are redundant with the above
@ -3161,7 +3205,7 @@ EXT_IF:172.20.1.2 0.0.0.0/0 172.20.1.254
<programlisting>#INTERFACE SOURCE ADDRESS <programlisting>#INTERFACE SOURCE ADDRESS
COMMENT DSL Modemhttp://ipv6.shorewall.net/SimpleBridge.html COMMENT DSL Modem
EXT_IF:192.168.1.1 0.0.0.0/0 192.168.1.254 EXT_IF:192.168.1.1 0.0.0.0/0 192.168.1.254
</programlisting> </programlisting>
@ -3193,6 +3237,7 @@ EXT_IF:192.168.1.1 0.0.0.0/0 192.168.1.254
role="bold">fw</emphasis>:</para> role="bold">fw</emphasis>:</para>
<programlisting>#ZONE TYPE OPTIONS <programlisting>#ZONE TYPE OPTIONS
<emphasis role="bold">fw</emphasis> firewall</programlisting> <emphasis role="bold">fw</emphasis> firewall</programlisting>
<para>So, using the default or sample configurations, writing <emphasis <para>So, using the default or sample configurations, writing <emphasis
@ -3203,6 +3248,7 @@ EXT_IF:192.168.1.1 0.0.0.0/0 192.168.1.254
<emphasis role="bold">gate</emphasis>.</para> <emphasis role="bold">gate</emphasis>.</para>
<programlisting>#ZONE TYPE OPTIONS <programlisting>#ZONE TYPE OPTIONS
<emphasis role="bold">gate</emphasis> firewall</programlisting> <emphasis role="bold">gate</emphasis> firewall</programlisting>
<section id="faq95a"> <section id="faq95a">