extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-02-03 19:39:19 +01:00
Code Issues Packages Projects Releases Wiki Activity

Shorewall 1.4.0

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@504 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2003-03-18 01:13:38 +00:00
parent 09aed118b3
commit 52629f9049
43 changed files with 4952 additions and 9553 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4855
Lrp/etc/init.d/shorewall
View File

File diff suppressed because it is too large Load Diff

2
Lrp/etc/shorewall/blacklist
View File

@ -1,5 +1,5 @@
#
# Shorewall 1.3 -- Blacklist File
# Shorewall 1.4 -- Blacklist File
#
# /etc/shorewall/blacklist
#

12
Lrp/etc/shorewall/common.def
View File

@ -1,5 +1,5 @@
############################################################################
# Shorewall 1.3 -- /etc/shorewall/common.def
# Shorewall 1.4 -- /etc/shorewall/common.def
#
# This file defines the rules that are applied before a policy of
# DROP or REJECT is applied. In addition to the rules defined in this file,
@ -14,14 +14,12 @@
#
run_iptables -A common -p icmp -j icmpdef
############################################################################
# Drop invalid state TCP packets
#
run_iptables -A common -m state -p tcp --state INVALID -j DROP
############################################################################
# NETBIOS chatter
#
run_iptables -A common -p udp --dport 137:139 -j REJECT
run_iptables -A common -p udp --dport 445 -j REJECT
run_iptables -A common -p tcp --dport 139 -j REJECT
run_iptables -A common -p tcp --dport 445 -j REJECT
run_iptables -A common -p tcp --dport 135 -j reject
############################################################################
# UPnP
@ -36,5 +34,9 @@ run_iptables -A common -d 224.0.0.0/4 -j DROP
# AUTH -- Silently reject it so that connections don't get delayed.
#
run_iptables -A common -p tcp --dport 113 -j reject
############################################################################
# DNS -- Silenty drop late replies
run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP

7
Lrp/etc/shorewall/hosts
View File

@ -1,5 +1,5 @@
#
# Shorewall 1.3 - /etc/shorewall/hosts
# Shorewall 1.4 - /etc/shorewall/hosts
#
# WARNING: 90% of Shorewall users don't need to add entries to this
# file and 80% of those who try to add such entries get it
@ -30,11 +30,6 @@
# OPTIONS - A comma-separated list of options. Currently-defined
# options are:
#
# routestopped - (Deprecated -- use
# /etc/shorewall/routestopped)
# route messages to and from this
# member when the firewall is in the
# stopped state
# maclist - Connection requests from these hosts
# are compared against the contents of
# /etc/shorewall/maclist. If this option

2
Lrp/etc/shorewall/init
View File

@ -1,5 +1,5 @@
############################################################################
# Shorewall 1.3 -- /etc/shorewall/init
# Shorewall 1.4 -- /etc/shorewall/init
#
# Add commands below that you want to be executed at the beginning of
# a "shorewall start" or "shorewall restart" command.

24
Lrp/etc/shorewall/interfaces
View File

@ -1,5 +1,5 @@
#
# Shorewall 1.3 -- Interfaces File
# Shorewall 1.4 -- Interfaces File
#
# /etc/shorewall/interfaces
#
@ -46,11 +46,6 @@
# a DHCP server running on the firewall or
# you have a static IP but are on a LAN
# segment with lots of Laptop DHCP clients.
# routestopped - (Deprecated -- use
# /etc/shorewall/routestopped)
# When the firewall is stopped, allow
# and route traffic to and from this
# interface.
# norfc1918 - This interface should not receive
# any packets whose source is in one
# of the ranges reserved by RFC 1918
@ -59,9 +54,6 @@
# enabled in shorewall.conf, packets
# whose destination addresses are
# reserved by RFC 1918 are also rejected.
# multi - This interface has multiple IP
# addresses and you want to be able to
# route between them.
# routefilter - turn on kernel route filtering for this
# interface (anti-spoofing measure). This
# option can also be enabled globally in
@ -106,27 +98,25 @@
# local subnet is 192.168.1.0/24. The interface gets
# it's IP address via DHCP from subnet
# 206.191.149.192/27. You have a DMZ with subnet
# 192.168.2.0/24 using eth2. You want to be able to
# access the firewall from the local network when the
# firewall is stopped.
# 192.168.2.0/24 using eth2.
#
# Your entries for this setup would look like:
#
# net eth0 206.191.149.223 dhcp
# local eth1 192.168.1.255 routestopped
# local eth1 192.168.1.255
# dmz eth2 192.168.2.255
#
# Example 2: The same configuration without specifying broadcast
# addresses is:
#
# net eth0 detect noping,dhcp
# loc eth1 detect routestopped
# net eth0 detect dhcp
# loc eth1 detect
# dmz eth2 detect
#
# Example 3: You have a simple dial-in system with no ethernet
# connections and you want to ignore ping requests.
# connections.
#
# net ppp0 - noping
# net ppp0 -
##############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

2
Lrp/etc/shorewall/maclist
View File

@ -1,5 +1,5 @@
#
# Shorewall 1.3 - MAC list file
# Shorewall 1.4 - MAC list file
#
# /etc/shorewall/maclist
#

2
Lrp/etc/shorewall/masq
View File

@ -1,5 +1,5 @@
#
# Shorewall 1.3 - Masquerade file
# Shorewall 1.4 - Masquerade file
#
# /etc/shorewall/masq
#

7
Lrp/etc/shorewall/modules
View File

@ -1,7 +1,12 @@
##############################################################################
# Shorewall 1.3 /etc/shorewall/modules
# Shorewall 1.4 /etc/shorewall/modules
#
# This file loads the modules needed by the firewall.
#
# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
# dependency order. i.e., if M2 depends on M1 then you must load M1 before
# you load M2.
#
loadmodule ip_tables
loadmodule iptable_filter

2
Lrp/etc/shorewall/nat
View File

@ -1,6 +1,6 @@
##############################################################################
#
# Shorewall 1.3 -- Network Address Translation Table
# Shorewall 1.4 -- Network Address Translation Table
#
# /etc/shorewall/nat
#

24
Lrp/etc/shorewall/params
View File

@ -1,5 +1,5 @@
#
# Shorewall 1.3 /etc/shorewall/params
# Shorewall 1.4 /etc/shorewall/params
#
# Assign any variables that you need here.
#
@ -11,7 +11,7 @@
#
# NET_IF=eth0
# NET_BCAST=130.252.100.255
# NET_OPTIONS=noping,norfc1918
# NET_OPTIONS=routefilter,norfc1918
#
# Example (/etc/shorewall/interfaces record):
#
@ -19,25 +19,7 @@
#
# The result will be the same as if the record had been written
#
# net eth0 130.252.100.255 noping,norfc1918
# net eth0 130.252.100.255 routefilter,norfc1918
#
# Variables can be used in the following places in the other configuration
# files:
#
# /etc/shorewall/interfaces:
# /etc/shorewall/hosts
#
# All except the first column.
#
# /etc/shorewall/rules
#
# First column after ":".
# All remaining columns
#
# /etc/shorewall/tunnels
# /etc/shorewall/proxyarp
# /etc/shorewall/nat
#
# All columns
##############################################################################
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

2
Lrp/etc/shorewall/policy
View File

@ -1,5 +1,5 @@
#
# Shorewall 1.3 -- Policy File
# Shorewall 1.4 -- Policy File
#
# /etc/shorewall/policy
#

2
Lrp/etc/shorewall/proxyarp
View File

@ -1,6 +1,6 @@
##############################################################################
#
# Shorewall 1.3 -- Proxy ARP
# Shorewall 1.4 -- Proxy ARP
#
# /etc/shorewall/proxyarp
#

9
Lrp/etc/shorewall/rfc1918
View File

@ -1,5 +1,5 @@
#
# Shorewall 1.3 -- RFC1918 File
# Shorewall 1.4 -- RFC1918 File
#
# /etc/shorewall/rfc1918
#
@ -25,7 +25,7 @@
192.0.2.0/24 logdrop # Example addresses
192.168.0.0/16 logdrop # RFC 1918
#
# The following are generated using the Python program found at:
# The following are generated with the help of the Python program found at:
#
# http://www.shorewall.net/pub/shorewall/contrib/iana_reserved/
#
@ -43,6 +43,8 @@
39.0.0.0/8 logdrop # Reserved
41.0.0.0/8 logdrop # Reserved
42.0.0.0/8 logdrop # Reserved
49.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
50.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
58.0.0.0/7 logdrop # Reserved
60.0.0.0/8 logdrop # Reserved
70.0.0.0/7 logdrop # Reserved
@ -53,7 +55,8 @@
96.0.0.0/3 logdrop # Reserved
127.0.0.0/8 logdrop # Loopback
197.0.0.0/8 logdrop # Reserved
222.0.0.0/7 logdrop # Reserved
198.18.0.0/15 logdrop # Reserved
201.0.0.0/8 logdrop # Reserved - Central & South America
240.0.0.0/4 logdrop # Reserved
#
# End of generated entries

4
Lrp/etc/shorewall/routestopped
View File

@ -1,6 +1,6 @@
##############################################################################
#
# Shorewall 1.3 -- Hosts Accessible when the Firewall is Stopped
# Shorewall 1.4 -- Hosts Accessible when the Firewall is Stopped
#
# /etc/shorewall/routestopped
#
@ -12,7 +12,7 @@
# INTERFACE - Interface through which host(s) communicate with
# the firewall
# HOST(S) - (Optional) Comma-separated list of IP/subnet
# addresses. If left empty or supplied as "-",
# If left empty or supplied as "-",
# 0.0.0.0/0 is assumed.
#
# Example:

27
Lrp/etc/shorewall/rules
View File

@ -1,5 +1,5 @@
#
# Shorewall version 1.3 - Rules File
# Shorewall version 1.4 - Rules File
#
# /etc/shorewall/rules
#
@ -30,18 +30,25 @@
# the companion ACCEPT rule.
# REDIRECT -- Redirect the request to a local
# port on the firewall.
# CONTINUE -- (For experts only). Do not process
# any of the following rules for this
# (source zone,destination zone). If
# The source and/or destination IP
# address falls into a zone defined
# later in /etc/shorewall/zones, this
# connection request will be passed
# to the rules defined for that
# (those) zone(s).
#
# May optionally be followed by ":" and a syslog log
# level (e.g, REJECT:info). This causes the packet to be
# logged at the specified level.
#
# Beginning with Shorewall version 1.3.12, you may
# also specify ULOG (must be in upper case) as a log level.\
# This will log to the ULOG target and sent to a separate log
# through use of ulogd
# You may also specify ULOG (must be in upper case) as a
# log level.This will log to the ULOG target for routing
# to a separate log through use of ulogd
# (http://www.gnumonks.org/projects/ulogd).
#
#
# SOURCE Source hosts to which the rule applies. May be a zone
# defined in /etc/shorewall/zones, $FW to indicate the
# firewall itself, or "all" If the ACTION is DNAT or
@ -90,6 +97,8 @@
# 2. In DNAT rules, only IP addresses are
# allowed; no FQDNs or subnet addresses
# are permitted.
# 3. You may not specify both an interface and
# an address.
#
# The port that the server is listening on may be
# included and separated from the server's IP address by
@ -106,10 +115,8 @@
# contain the port number on the firewall that the
# request should be redirected to.
#
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number,
# "all" or "related". If "related", the remainder of the
# entry must be omitted and connection requests that are
# related to existing requests will be accepted.
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or
# "all".
#
# DEST PORT(S) Destination Ports. A comma-separated list of Port
# names (from /etc/services), port numbers or port

375
Lrp/etc/shorewall/shorewall.conf
View File

@ -1,19 +1,14 @@
##############################################################################
# /etc/shorewall/shorewall.conf V1.3 - Change the following variables to
# /etc/shorewall/shorewall.conf V1.4 - Change the following variables to
# match your setup
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# This file should be placed in /etc/shorewall
#
# (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net)
# (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
##############################################################################
#
# You should not have to change the variables in this section -- they are set
# by the packager of your Shorewall distribution
#
SHARED_DIR=/usr/lib/shorewall
#
# L O G G I N G
##############################################################################
#
# General note about log levels. Log levels are a method of describing
@ -45,59 +40,19 @@ SHARED_DIR=/usr/lib/shorewall
# configured to log all Shorewall message to their own log file
################################################################################
#
# PATH - Change this if you want to change the order in which Shorewall
# searches directories for executable files.
# LOG FILE LOCATION
#
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
# This variable tells the /sbin/shorewall program where to look for Shorewall
# log messages. If not set or set to an empty string (e.g., LOGFILE="") then
# /var/log/messages is assumed.
#
# WARNING: The LOGFILE variable simply tells the 'shorewall' program where to
# look for Shorewall messages.It does NOT control the destination for
# these messages. For information about how to do that, see
#
# http://www.shorewall.net/shorewall_logging.html
#
# NAME OF THE FIREWALL ZONE
#
# Name of the firewall zone -- if not set or if set to an empty string, "fw"
# is assumed.
#
FW=fw
#
# SUBSYSTEM LOCK FILE
#
# Set this to the name of the lock file expected by your init scripts. For
# RedHat, this should be /var/lock/subsys/shorewall. On Debian, it
# should be /var/state/shorewall. If your init scripts don't use lock files,
# set this to "".
#
SUBSYSLOCK=/var/run/shorewall
#
# SHOREWALL TEMPORARY STATE DIRECTORY
#
# This is the directory where the firewall maintains state information while
# it is running
#
STATEDIR=/tmp/shorewall
#
# ALLOW RELATED CONNECTIONS
#
# Set this to "yes" or "Yes" if you want to accept all connection requests
# that are related to already established connections. For example, you want
# to accept FTP data connections. If you say "no" here, then to accept
# these connections between particular zones or hosts, you must include
# explicit "related" rules in /etc/shorewall/rules.
#
ALLOWRELATED=yes
#
# KERNEL MODULE DIRECTORY
#
# If your netfilter kernel modules are in a directory other than
# /lib/modules/`uname -r`/kernel/net/ipv4/netfilter then specify that
# directory in this variable. Example: MODULESDIR=/etc/modules.
MODULESDIR=
LOGFILE=/var/log/messages
#
# LOG RATE LIMITING
@ -132,25 +87,122 @@ LOGBURST=
# packets are logged under the 'logunclean' interface option. If the variable
# is empty, these packets will still be logged at the 'info' level.
#
# See the comment at the top of this file for a description of log levels
# See the comment at the top of this section for a description of log levels
#
LOGUNCLEAN=info
#
# LOG FILE LOCATION
# BLACKLIST LOG LEVEL
#
# This variable tells the /sbin/shorewall program where to look for Shorewall
# log messages. If not set or set to an empty string (e.g., LOGFILE="") then
# /var/log/messages is assumed.
# Set this variable to the syslogd level that you want blacklist packets logged
# (beware of DOS attacks resulting from such logging). If not set, no logging
# of blacklist packets occurs.
#
# WARNING: The LOGFILE variable simply tells the 'shorewall' program where to
# look for Shorewall messages.It does NOT control the destination for
# these messages. For information about how to do that, see
# See the comment at the top of this section for a description of log levels
#
# http://www.shorewall.net/FAQ.htm#faq6
BLACKLIST_LOGLEVEL=
LOGFILE=/var/log/messages
#
# LOGGING 'New not SYN' rejects
#
# This variable only has an effect when NEWNOTSYN=No (see below).
#
# When a TCP packet that does not have the SYN flag set and the ACK and RST
# flags clear then unless the packet is part of an established connection,
# it will be rejected by the firewall. If you want these rejects logged,
# then set LOGNEWNOTSYN to the syslog log level at which you want them logged.
#
# See the comment at the top of this section for a description of log levels
#
# Example: LOGNEWNOTSYN=debug
LOGNEWNOTSYN=
#
# MAC List Log Level
#
# Specifies the logging level for connection requests that fail MAC
# verification. If set to the empty value (MACLIST_LOG_LEVEL="") then
# such connection requests will not be logged.
#
# See the comment at the top of this section for a description of log levels
#
MACLIST_LOG_LEVEL=info
#
# TCP FLAGS Log Level
#
# Specifies the logging level for packets that fail TCP Flags
# verification. If set to the empty value (TCP_FLAGS_LOG_LEVEL="") then
# such packets will not be logged.
#
# See the comment at the top of this section for a description of log levels
#
TCP_FLAGS_LOG_LEVEL=info
#
# RFC1918 Log Level
#
# Specifies the logging level for packets that fail RFC 1918
# verification. If set to the empty value (RFC1918_LOG_LEVEL="") then
# RFC1918_LOG_LEVEL=info is assumed.
#
# See the comment at the top of this section for a description of log levels
#
RFC1918_LOG_LEVEL=info
################################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
################################################################################
#
# PATH - Change this if you want to change the order in which Shorewall
# searches directories for executable files.
#
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
# SUBSYSTEM LOCK FILE
#
# Set this to the name of the lock file expected by your init scripts. For
# RedHat, this should be /var/lock/subsys/shorewall. On Debian, it
# should be /var/state/shorewall. If your init scripts don't use lock files,
# set this to "".
#
SUBSYSLOCK=/var/run/shorewall
#
# SHOREWALL TEMPORARY STATE DIRECTORY
#
# This is the directory where the firewall maintains state information while
# it is running
#
STATEDIR=/tmp/shorewall
#
# KERNEL MODULE DIRECTORY
#
# If your netfilter kernel modules are in a directory other than
# /lib/modules/`uname -r`/kernel/net/ipv4/netfilter then specify that
# directory in this variable. Example: MODULESDIR=/etc/modules.
MODULESDIR=
################################################################################
# F I R E W A L L O P T I O N S
################################################################################
# NAME OF THE FIREWALL ZONE
#
# Name of the firewall zone -- if not set or if set to an empty string, "fw"
# is assumed.
#
FW=fw
#
# ENABLE NAT SUPPORT
@ -214,24 +266,40 @@ ADD_SNAT_ALIASES=No
TC_ENABLED=No
#
# BLACKLIST DISPOSITION
# Clear Traffic Shapping/Control
#
# Set this variable to the action that you want to perform on packets from
# Blacklisted systems. Must be DROP or REJECT. If not set or set to empty,
# DROP is assumed.
# If this option is set to 'No' then Shorewall won't clear the current
# traffic control rules during [re]start. This setting is intended
# for use by people that prefer to configure traffic shaping when
# the network interfaces come up rather than when the firewall
# is started. If that is what you want to do, set TC_ENABLED=Yes and
# CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That
# way, your traffic shaping rules can still use the 'fwmark'
# classifier based on packet marking defined in /etc/shorewall/tcrules.
#
BLACKLIST_DISPOSITION=DROP
# If omitted, CLEAR_TC=Yes is assumed.
CLEAR_TC=Yes
#
# BLACKLIST LOG LEVEL
# Mark Packets in the forward chain
#
# Set this variable to the syslogd level that you want blacklist packets logged
# (beward of DOS attacks resulting from such logging). If not set, no logging
# of blacklist packets occurs.
# When processing the tcrules file, Shorewall normally marks packets in the
# PREROUTING chain. To cause Shorewall to use the FORWARD chain instead, set
# this to "Yes". If not specified or if set to the empty value (e.g.,
# MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed.
#
# See the comment at the top of this file for a description of log levels
# Marking packets in the FORWARD chain has the advantage that inbound
# packets destined for Masqueraded/SNATed local hosts have had their destination
# address rewritten so they can be marked based on their destination. When
# packets are marked in the PREROUTING chain, packets destined for
# Masqueraded/SNATed local hosts still have a destination address corresponding
# to the firewall's external interface.
#
BLACKLIST_LOGLEVEL=
# Note: Older kernels do not support marking packets in the FORWARD chain and
# setting this variable to Yes may cause startup problems.
MARK_IN_FORWARD_CHAIN=No
#
# MSS CLAMPING
@ -335,39 +403,6 @@ MULTIPORT=No
DETECT_DNAT_IPADDRS=No
#
# MERGE HOSTS FILE
#
# The traditional behavior of the /etc/shorewall/hosts file has been that
# if that file has ANY entry for a zone then the zone must be defined
# entirely in the hosts file. This is counter-intuitive and has caused
# people some problems.
#
# By setting MERGE_HOSTS=Yes, a more intuitive behavior of the hosts file
# is enabled. With MERGE_HOSTS=Yes, the zone contents in the hosts file
# are added to the contents described in the /etc/shorewall/interfaces file.
#
# Example: Suppose that we have the following interfaces and hosts files:
#
# Interfaces:
#
# net eth0
# loc eth1
# - ppp+
#
# Hosts:
#
# loc ppp+:192.168.1.0/24
# wrk ppp+:!192.168.1.0/24
#
# With MERGE_HOSTS=No, the contents of the 'loc' zone would be just
# ppp+:192.168.1.0/24. With MERGE_HOSTS=Yes, the contents would be
# ppp+:192.168.1.0 and eth1:0.0.0.0/0
#
# If this variable is not set or is set to the empty value, "No" is assumed.
MERGE_HOSTS=Yes
#
# MUTEX TIMEOUT
#
@ -383,36 +418,6 @@ MERGE_HOSTS=Yes
MUTEX_TIMEOUT=60
#
# LOGGING 'New not SYN' rejects
#
# This variable only has an effect when NEWNOTSYN=No (see below).
#
# When a TCP packet that does not have the SYN flag set and the ACK and RST
# flags clear then unless the packet is part of an established connection,
# it will be rejected by the firewall. If you want these rejects logged,
# then set LOGNEWNOTSYN to the syslog log level at which you want them logged.
#
# See the comment at the top of this file for a description of log levels
#
# Example: LOGNEWNOTSYN=debug
LOGNEWNOTSYN=
#
# Old Ping Handling
#
# If this option is set to "Yes" then Shorewall will use its old ping handling
# facility including the FORWARDPING option in this file and the 'noping' and
# 'filterping' interface options. If this option is set to 'No' then ping
# is handled via policy and rules just like any other connection request.
#
# If you are a new Shorewall user DON'T CHANGE THE VALUE OF THIS OPTION AND
# DON'T DELETE IT!!!!!!
#
OLD_PING_HANDLING=No
#
# NEWNOTSYN
#
@ -430,6 +435,18 @@ OLD_PING_HANDLING=No
NEWNOTSYN=No
################################################################################
# P A C K E T D I S P O S I T I O N
################################################################################
#
# BLACKLIST DISPOSITION
#
# Set this variable to the action that you want to perform on packets from
# Blacklisted systems. Must be DROP or REJECT. If not set or set to empty,
# DROP is assumed.
#
BLACKLIST_DISPOSITION=DROP
#
# MAC List Disposition
#
@ -441,18 +458,6 @@ NEWNOTSYN=No
MACLIST_DISPOSITION=REJECT
#
# MAC List Log Level
#
# Specifies the logging level for connection requests that fail MAC
# verification. If set to the empty value (MACLIST_LOG_LEVEL="") then
# such connection requests will not be logged.
#
# See the comment at the top of this file for a description of log levels
#
MACLIST_LOG_LEVEL=info
#
# TCP FLAGS Disposition
#
@ -463,64 +468,4 @@ MACLIST_LOG_LEVEL=info
TCP_FLAGS_DISPOSITION=DROP
#
# TCP FLAGS Log Level
#
# Specifies the logging level for packets that fail TCP Flags
# verification. If set to the empty value (TCP_FLAGS_LOG_LEVEL="") then
# such packets will not be logged.
#
# See the comment at the top of this file for a description of log levels
#
TCP_FLAGS_LOG_LEVEL=info
#
# RFC1918 Log Level
#
# Specifies the logging level for packets that fail RFC 1918
# verification. If set to the empty value (RFC1918_LOG_LEVEL="") then
# RFC1918_LOG_LEVEL=info is assumed.
#
# See the comment at the top of this file for a description of log levels
#
RFC1918_LOG_LEVEL=info
#
# Mark Packets in the forward chain
#
# When processing the tcrules file, Shorewall normally marks packets in the
# PREROUTING chain. To cause Shorewall to use the FORWARD chain instead, set
# this to "Yes". If not specified or if set to the empty value (e.g.,
# MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed.
#
# Marking packets in the FORWARD chain has the advantage that inbound
# packets destined for Masqueraded/SNATed local hosts have had their destination
# address rewritten so they can be marked based on their destination. When
# packets are marked in the PREROUTING chain, packets destined for
# Masqueraded/SNATed local hosts still have a destination address corresponding
# to the firewall's external interface.
#
# Note: Older kernels do not support marking packets in the FORWARD chain and
# setting this variable to Yes may cause startup problems.
MARK_IN_FORWARD_CHAIN=No
#
# Clear Traffic Shapping/Control
#
# If this option is set to 'No' then Shorewall won't clear the current
# traffic control rules during [re]start. This setting is intended
# for use by people that prefer to configure traffic shaping when
# the network interfaces come up rather than when the firewall
# is started. If that is what you want to do, set TC_ENABLED=Yes and
# CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That
# way, your traffic shaping rules can still use the 'fwmark'
# classifier based on packet marking defined in /etc/shorewall/tcrules.
#
# If omitted, CLEAR_TC=Yes is assumed.
CLEAR_TC=Yes
#LAST LINE -- DO NOT REMOVE

2
Lrp/etc/shorewall/start
View File

@ -1,5 +1,5 @@
############################################################################
# Shorewall 1.3 -- /etc/shorewall/start
# Shorewall 1.4 -- /etc/shorewall/start
#
# Add commands below that you want to be executed after shorewall has
# been started or restarted.

2
Lrp/etc/shorewall/stop
View File

@ -1,5 +1,5 @@
############################################################################
# Shorewall 1.3 -- /etc/shorewall/stop
# Shorewall 1.4 -- /etc/shorewall/stop
#
# Add commands below that you want to be executed at the beginning of a
# "shorewall stop" command.

2
Lrp/etc/shorewall/stopped
View File

@ -1,5 +1,5 @@
############################################################################
# Shorewall 1.3 -- /etc/shorewall/stopped
# Shorewall 1.4 -- /etc/shorewall/stopped
#
# Add commands below that you want to be executed at the completion of a
# "shorewall stop" command.

2
Lrp/etc/shorewall/tcrules
View File

@ -1,5 +1,5 @@
#
# Shorewall version 1.3 - Traffic Control Rules File
# Shorewall version 1.4 - Traffic Control Rules File
#
# /etc/shorewall/tcrules
#

2
Lrp/etc/shorewall/tos
View File

@ -1,5 +1,5 @@
#
# Shorewall 1.3 -- /etc/shorewall/tos
# Shorewall 1.4 -- /etc/shorewall/tos
#
# This file defines rules for setting Type Of Service (TOS)
#

2
Lrp/etc/shorewall/tunnels
View File

@ -1,5 +1,5 @@
#
# Shorewall 1.3 - /etc/shorewall/tunnels
# Shorewall 1.4 - /etc/shorewall/tunnels
#
# This file defines IPSEC, GRE, IPIP and OPENVPN tunnels.
#

2
Lrp/etc/shorewall/zones
View File

@ -1,5 +1,5 @@
#
# Shorewall 1.3 /etc/shorewall/zones
# Shorewall 1.4 /etc/shorewall/zones
#
# This file determines your network zones. Columns are:
#

27
Lrp/sbin/shorewall
View File

@ -1,6 +1,6 @@
#!/bin/sh
#
# Shorewall Packet Filtering Firewall Control Program - V1.3 - 6/14/2002
# Shorewall Packet Filtering Firewall Control Program - V1.4 - 3/14/2003
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
@ -84,6 +84,7 @@
#
# Display a chain if it exists
#
showfirstchain() # $1 = name of chain
{
awk \
@ -570,24 +571,11 @@ fi
[ -n "$SHOREWALL_DIR" ] && export SHOREWALL_DIR
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHARED_DIR=/usr/lib/shorewall
MUTEX_TIMEOUT=
if [ -n "$SHOREWALL_DIR" -a -f $SHOREWALL_DIR/shorewall.conf ]; then
config=$SHOREWALL_DIR/shorewall.conf
else
config=/etc/shorewall/shorewall.conf
fi
if [ -f $config ]; then
. $config
else
echo "$config does not exist!" >&2
exit 2
fi
[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
SHARED_DIR=/usr/share/shorewall
FIREWALL=$SHARED_DIR/firewall
FUNCTIONS=$SHARED_DIR/functions
VERSION_FILE=$SHARED_DIR/version
@ -599,6 +587,15 @@ else
exit 2
fi
config=`find_file shorewall.conf`
if [ -f $config ]; then
. $config
else
echo "$config does not exist!" >&2
exit 2
fi
if [ ! -f $FIREWALL ]; then
echo "ERROR: Shorewall is not properly installed"
if [ -L $FIREWALL ]; then

2
Lrp/var/lib/lrpkg/shorwall.list
View File

@ -1,5 +1,5 @@
etc/init.d/shorewall
etc/shorewall
sbin/shorewall
usr/lib/shorewall
usr/share/shorewall
var/lib/lrpkg/shorwall.*

2
Lrp/var/lib/lrpkg/shorwall.version
View File

@ -1 +1 @@
1.3.14
1.4.0

307
Shorewall-docs/FAQ.htm
View File

@ -52,8 +52,8 @@
<p align="left"><b>1. </b><a href="#faq1"> I want to <b>forward</b> UDP <b>
port</b> 7777 to my my personal PC with IP address
192.168.1.5. I've looked everywhere and can't find <b>how
to do it</b>.</a></p>
192.168.1.5. I've looked everywhere and can't find <b>how
to do it</b>.</a></p>
<p align="left"><b>1a. </b><a href="#faq1a">Ok -- I followed those instructions
@ -64,6 +64,7 @@ to do it</b>.</a></p>
<p align="left"><b>1b. </b><a href="#faq1b">I'm still having problems with
port forwarding</a></p>
<p align="left"><b>2.</b> <a href="#faq2">I <b>port forward</b> www requests
to www.mydomain.com (IP 130.151.100.69) to system 192.168.1.5
in my local network. <b>External clients can browse</b>
@ -84,7 +85,7 @@ to do it</b>.</a></p>
<p align="left"><b>4. </b><a href="#faq4">I just used an online port scanner
to check my firewall and it shows <b>some ports as
'closed' rather than 'blocked'.</b> Why?</a></p>
'closed' rather than 'blocked'.</b> Why?</a></p>
<p align="left"><b>4a. </b><a href="#faq4a">I just ran an <b>nmap UDP scan</b>
@ -126,9 +127,14 @@ to do it</b>.</a></p>
<p align="left"><b>8. </b><a href="#faq8">When I try to <b>start Shorewall
on RedHat</b> I get messages about insmod failing --
what's wrong?</a></p>
what's wrong?<br>
</a></p>
<p align="left"><b>8a. </b><a href="#faq8a">When I try to <b>start Shorewall
on RedHat</b> I get a message referring me to <b>FAQ #8</b></a><br>
</p>
<p align="left"><b>9. </b><a href="FAQ.htm#faq9">Why can't Shorewall <b>detect
my interfaces </b>properly?</a></p>
@ -149,15 +155,15 @@ support?</a></p>
<p align="left"><b>14. </b><a href="#faq14">I'm connected via a cable modem
and it has an internel web server that allows me to
configure/monitor it but as expected if I enable <b> rfc1918
blocking</b> for my eth0 interface, it also blocks the <b>cable
modems web server</b></a>.</p>
configure/monitor it but as expected if I enable <b>
rfc1918 blocking</b> for my eth0 interface, it also blocks
the <b>cable modems web server</b></a>.</p>
<p align="left"><b>14a. </b><a href="#faq14a">Even though it assigns public
IP addresses, my ISP's DHCP server has an RFC 1918
address. If I enable RFC 1918 filtering on my external interface,
<b>my DHCP client cannot renew its lease</b>.</a></p>
address. If I enable RFC 1918 filtering on my external
interface, <b>my DHCP client cannot renew its lease</b>.</a></p>
<p align="left"><b>15. </b><a href="#faq15"><b>My local systems can't see
@ -172,23 +178,23 @@ address. If I enable RFC 1918 filtering on my external interfa
getting <b>logged?</b></a><br>
<br>
<b>18.</b> <a href="#faq18">Is there
any way to use <b>aliased ip addresses</b> with Shorewall,
and maintain separate rulesets for different IPs?</a><br>
any way to use <b>aliased ip addresses</b> with Shorewall,
and maintain separate rulesets for different IPs?</a><br>
<br>
<b>19. </b><a href="#faq19">I have added
<b>entries to /etc/shorewall/tcrules</b> but they <b>don't </b>seem
to <b>do anything</b>. Why?</a><br>
<b>entries to /etc/shorewall/tcrules</b> but they <b>don't
</b>seem to <b>do anything</b>. Why?</a><br>
<br>
<b>20. </b><a href="#faq20">I have just set
up a server. <b>Do I have to change Shorewall to allow access
to my server from the internet?<br>
<b>20. </b><a href="#faq20">I have just
set up a server. <b>Do I have to change Shorewall to allow access
to my server from the internet?<br>
<br>
</b></a><b>21. </b><a href="#faq21">I see these <b>strange
log entries </b>occasionally; what are they?<br>
</a><br>
<b>22. </b><a href="#faq22">I have some <b>iptables
commands </b>that I want to <b>run when Shorewall starts.</b> Which
file do I put them in?</a><br>
commands </b>that I want to <b>run when Shorewall starts.</b> Which
file do I put them in?</a><br>
<br>
<b>23. </b><a href="#faq23">Why do you use such <b>ugly
fonts</b> on your <b>web site</b>?</a><br>
@ -204,14 +210,14 @@ on the internet?</a><br>
<hr>
<h4 align="left"><a name="faq1"></a>1. I want to forward UDP port 7777 to
my my personal PC with IP address 192.168.1.5. I've
looked everywhere and can't find how to do it.</h4>
looked everywhere and can't find how to do it.</h4>
<p align="left"><b>Answer: </b>The <a
href="Documentation.htm#PortForward"> first example</a> in the <a
href="Documentation.htm#Rules">rules file documentation</a> shows how to
do port forwarding under Shorewall. The format of a
port-forwarding rule to a local system is as follows:</p>
port-forwarding rule to a local system is as follows:</p>
<blockquote>
@ -233,7 +239,7 @@ port-forwarding rule to a local system is as follows:</p>
<td>DNAT</td>
<td>net</td>
<td>loc:<i>&lt;local
IP address&gt;</i>[:<i>&lt;local port</i>&gt;]</td>
IP address&gt;</i>[:<i>&lt;local port</i>&gt;]</td>
<td><i>&lt;protocol&gt;</i></td>
<td><i>&lt;port #&gt;</i></td>
<td> <br>
@ -247,6 +253,7 @@ IP address&gt;</i>[:<i>&lt;local port</i>&gt;]</td>
</tbody>
</table>
</blockquote>
@ -287,13 +294,14 @@ IP address&gt;</i>[:<i>&lt;local port</i>&gt;]</td>
</tbody>
</table>
</blockquote>
<div align="left"> <font face="Courier"> </font>If
you want to forward requests directed to a particular address
( <i>&lt;external IP&gt;</i> ) on your firewall to an internal
( <i>&lt;external IP&gt;</i> ) on your firewall to an internal
system:</div>
@ -316,11 +324,12 @@ system:</div>
<td>DNAT</td>
<td>net</td>
<td>loc:<i>&lt;local
IP address&gt;</i>[:<i>&lt;local port</i>&gt;]</td>
IP address&gt;</i>[:<i>&lt;local port</i>&gt;]</td>
<td><i>&lt;protocol&gt;</i></td>
<td><i>&lt;port #&gt;</i></td>
<td>-</td>
<td><i>&lt;external IP&gt;</i></td>
<td><i>&lt;external
IP&gt;</i></td>
</tr>
@ -328,11 +337,12 @@ IP address&gt;</i>[:<i>&lt;local port</i>&gt;]</td>
</tbody>
</table>
</blockquote>
Finally, if you need to forward a range of ports, in the PORT column
specify the range as <i>low-port</i>:<i>high-port</i>.<br>
Finally, if you need to forward a range of ports, in the PORT
column specify the range as <i>low-port</i>:<i>high-port</i>.<br>
<h4 align="left"><a name="faq1a"></a>1a. Ok -- I followed those instructions
but it doesn't work</h4>
@ -346,9 +356,9 @@ IP address&gt;</i>[:<i>&lt;local port</i>&gt;]</td>
from inside your firewall (no, that won't work -- see
<a href="#faq2">FAQ #2</a>).</li>
<li>You have a more basic
problem with your local system such as an incorrect default
gateway configured (it should be set to the IP address of
your firewall's internal interface).</li>
problem with your local system such as an incorrect default
gateway configured (it should be set to the IP address
of your firewall's internal interface).</li>
</ul>
@ -356,15 +366,17 @@ your firewall's internal interface).</li>
<h4 align="left"><a name="faq1b"></a>1b. I'm still having problems with port
forwarding</h4>
<b>Answer: </b>To further diagnose this
problem:<br>
<b>Answer: </b>To further diagnose
this problem:<br>
<ul>
<li>As root, type "iptables -t nat
-Z". This clears the NetFilter counters in the nat table.</li>
-Z". This clears the NetFilter counters in the nat table.</li>
<li>Try to connect to the redirected
port from an external host.</li>
<li>As root type "shorewall show nat"</li>
<li>As root type "shorewall show
nat"</li>
<li>Locate the appropriate DNAT rule.
It will be in a chain called <i>&lt;source zone&gt;</i>_dnat
('net_dnat' in the above examples).</li>
@ -377,26 +389,30 @@ gateway setting on the server (the server's default gateway should
<li>If the packet count is zero:</li>
<ul>
<li>the connection request is not
reaching your server (possibly it is being blocked by your
ISP); or</li>
reaching your server (possibly it is being blocked by your
ISP); or</li>
<li>you are trying to connect to
a secondary IP address on your firewall and your rule is
a secondary IP address on your firewall and your rule is
only redirecting the primary IP address (You need to specify
the secondary IP address in the "ORIG. DEST." column in your
DNAT rule); or</li>
<li>your DNAT rule doesn't match
the connection request in some other way. In that case, you
may have to use a packet sniffer such as tcpdump or ethereal
the connection request in some other way. In that case,
you may have to use a packet sniffer such as tcpdump or ethereal
to further diagnose the problem.<br>
</li>
</ul>
</ul>
<h4 align="left"><a name="faq2"></a>2. I port forward www requests to www.mydomain.com
(IP 130.151.100.69) to system 192.168.1.5 in my local
network. External clients can browse http://www.mydomain.com
@ -408,8 +424,8 @@ to further diagnose the problem.<br>
<ul>
<li>Having an internet-accessible
server in your local network is like raising foxes in
the corner of your hen house. If the server is compromised,
server in your local network is like raising foxes
in the corner of your hen house. If the server is compromised,
there's nothing between that server and your other internal
systems. For the cost of another NIC and a cross-over cable,
you can put your server in a DMZ such that it is isolated from
@ -421,7 +437,7 @@ to further diagnose the problem.<br>
(or using a separate DNS server for local clients) such that www.mydomain.com
resolves to 130.141.100.69 externally and 192.168.1.5 internally.
That's what I do here at shorewall.net for my local systems
that use static NAT.</li>
that use static NAT.</li>
</ul>
@ -470,6 +486,7 @@ that use static NAT.</li>
</tbody>
</table>
</blockquote>
</div>
@ -477,9 +494,9 @@ that use static NAT.</li>
<div align="left">
<p align="left">That rule only works of course if you have a static external
IP address. If you have a dynamic IP address and are
running Shorewall 1.3.4 or later then include this in
/etc/shorewall/init:</p>
IP address. If you have a dynamic IP address and
are running Shorewall 1.3.4 or later then include this
in /etc/shorewall/init:</p>
</div>
@ -524,6 +541,7 @@ that use static NAT.</li>
</tbody>
</table>
</blockquote>
</div>
@ -538,15 +556,15 @@ that use static NAT.</li>
<h4 align="left"><a name="faq2a"></a>2a. I have a zone "Z" with an RFC1918
subnet and I use static NAT to assign non-RFC1918 addresses
to hosts in Z. Hosts in Z cannot communicate with each other
using their external (non-RFC1918 addresses) so they can't
access each other using their DNS names.</h4>
to hosts in Z. Hosts in Z cannot communicate with each
other using their external (non-RFC1918 addresses) so they
can't access each other using their DNS names.</h4>
<p align="left"><b>Answer: </b>This is another problem that is best solved
using Bind Version 9 "views". It allows both external
and internal clients to access a NATed host using the host's
DNS name.</p>
and internal clients to access a NATed host using the
host's DNS name.</p>
<p align="left">Another good way to approach this problem is to switch from
@ -598,6 +616,7 @@ traffic through your firewall then:</p>
</tbody>
</table>
</blockquote>
@ -630,6 +649,7 @@ traffic through your firewall then:</p>
</tbody>
</table>
</blockquote>
@ -662,6 +682,7 @@ traffic through your firewall then:</p>
</tbody>
</table>
</blockquote>
@ -681,20 +702,20 @@ traffic through your firewall then:</p>
<h4 align="left"><a name="faq4"></a>4. I just used an online port scanner
to check my firewall and it shows some ports as 'closed'
rather than 'blocked'. Why?</h4>
to check my firewall and it shows some ports as
'closed' rather than 'blocked'. Why?</h4>
<p align="left"><b>Answer: </b>The common.def included with version 1.3.x
always rejects connection requests on TCP port 113
rather than dropping them. This is necessary to prevent
outgoing connection problems to services that use the
'Auth' mechanism for identifying requesting users. Shorewall
'Auth' mechanism for identifying requesting users. Shorewall
also rejects TCP ports 135, 137 and 139 as well as UDP ports
137-139. These are ports that are used by Windows (Windows <u>can</u>
be configured to use the DCE cell locator on port 135). Rejecting
these connection requests rather than dropping them cuts down
slightly on the amount of Windows chatter on LAN segments connected
slightly on the amount of Windows chatter on LAN segments connected
to the Firewall. </p>
@ -709,10 +730,10 @@ slightly on the amount of Windows chatter on LAN segments connected
<p align="left"><b>Answer: </b>Take a deep breath and read the nmap man page
section about UDP scans. If nmap gets <b>nothing</b>
back from your firewall then it reports the port as open.
If you want to see which UDP ports are really open, temporarily
change your net-&gt;all policy to REJECT, restart Shorewall
and do the nmap UDP scan again.</p>
back from your firewall then it reports the port as
open. If you want to see which UDP ports are really open,
temporarily change your net-&gt;all policy to REJECT, restart
Shorewall and do the nmap UDP scan again.</p>
<h4 align="left"><a name="faq5"></a>5. I've installed Shorewall and now I
@ -725,14 +746,15 @@ slightly on the amount of Windows chatter on LAN segments connected
<p align="left">a) Create /etc/shorewall/common if it doesn't already exist.
<br>
b) Be sure that the first command
in the file is ". /etc/shorewall/common.def"<br>
b) Be sure that the first
command in the file is ". /etc/shorewall/common.def"<br>
c) Add the following to /etc/shorewall/common
</p>
<blockquote>
<p align="left">run_iptables -A icmpdef -p ICMP --icmp-type echo-request
-j ACCEPT<br>
</p>
@ -751,7 +773,8 @@ syslog") in your <a href="Documentation.htm#Policy">policies</a> and <a
href="Documentation.htm#Rules">rules</a>. The destination for messaged
logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
When you have changed /etc/syslog.conf, be sure to restart
syslogd (on a RedHat system, "service syslog restart"). </p>
syslogd (on a RedHat system, "service syslog restart").
</p>
<p align="left">By default, older versions of Shorewall ratelimited log messages
@ -761,8 +784,10 @@ logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
<div align="left">
<pre align="left"> LOGLIMIT=""<br> LOGBURST=""<br><br>Beginning with Shorewall version 1.3.12, you can <a
href="shorewall_logging.html">set up Shorewall to log all of its messages to a separate file</a>.<br></pre>
<pre align="left"> LOGLIMIT=""<br> LOGBURST=""<br></pre>
Beginning with Shorewall version 1.3.12, you can <a
href="shorewall_logging.html">set up Shorewall to log all of its messages
to a separate file</a>.<br>
</div>
@ -776,6 +801,7 @@ logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
<blockquote>
<p align="left"><a
href="http://www.shorewall.net/pub/shorewall/parsefw/"> http://www.shorewall.net/pub/shorewall/parsefw/</a><br>
<a
@ -788,8 +814,8 @@ logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
</p>
</blockquote>
I personnaly use Logwatch. It emails me a report
each day from my various systems with each report summarizing the
logged activity on the corresponding system.
each day from my various systems with each report summarizing
the logged activity on the corresponding system.
<h4 align="left"><b><a name="faq6b"></a>6b. DROP messages</b> on port 10619
are <b>flooding the logs</b> with their connect requests. Can i exclude
@ -799,8 +825,8 @@ logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
<pre> DROP net fw udp 10619</pre>
<h4 align="left"><a name="faq6c"></a>6c. All day long I get a steady flow
of these DROP messages from port 53 to some high numbered port. They
get dropped, but what the heck are they?</h4>
of these DROP messages from port 53 to some high numbered port.
They get dropped, but what the heck are they?</h4>
<pre>Jan 8 15:50:48 norcomix kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:40:c7:2e:09:c0:00:01:64:4a:70:00:08:00<br> SRC=208.138.130.16 DST=24.237.22.45 LEN=53 TOS=0x00 PREC=0x00<br> TTL=251 ID=8288 DF PROTO=UDP SPT=53 DPT=40275 LEN=33 </pre>
<b>Answer: </b>There are two possibilities:<br>
@ -813,8 +839,8 @@ logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
You can distinguish the difference by setting the <b>logunclean</b>
option (<a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>)
on your external interface (eth0 in the above example). If they get
logged twice, they are corrupted. I solve this problem by using an /etc/shorewall/common
file like this:<br>
logged twice, they are corrupted. I solve this problem by using an
/etc/shorewall/common file like this:<br>
<blockquote>
<pre>#<br># Include the standard common.def file<br>#<br>. /etc/shorewall/common.def<br>#<br># The following rule is non-standard and compensates for tardy<br># DNS replies<br>#<br>run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP</pre>
@ -824,10 +850,10 @@ logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
Guides</a> and in the common.def file in Shorewall 1.4.0 and later.<br>
<h4 align="left"><a name="faq6d"></a><b>6d.</b> Why is the MAC address in
Shorewall log messages so long? I thought MAC addresses were only 6 bytes
in length.</h4>
Shorewall log messages so long? I thought MAC addresses were only 6
bytes in length.</h4>
What is labeled as the MAC address in a Shorewall log message is actually
the Ethernet frame header. IT contains:<br>
the Ethernet frame header. IT contains:<br>
<ul>
<li>the destination MAC address (6 bytes)</li>
@ -873,14 +899,22 @@ the Ethernet frame header. IT contains:<br>
<div align="left">
<pre align="left"> service ipchains stop<br> chkconfig --delete ipchains<br> rmmod ipchains</pre>
<pre align="left"> <b><font color="#009900">service ipchains stop<br> chkconfig --delete ipchains<br> rmmod ipchains</font></b></pre>
</div>
<div align="left">
<p align="left">Also, be sure to check the <a href="errata.htm">errata</a>
for problems concerning the version of iptables (v1.2.3)
shipped with RH7.2.</p>
shipped with RH7.2.<br>
</p>
<h4><a name="faq8a"></a><b>8a. </b>When I try to start Shorewall on RedHat
I get a message referring me to FAQ #8</h4>
<b>Answer:</b> This is usually cured by the sequence of commands shown above
in FAQ #8
<h4> </h4>
</div>
@ -940,10 +974,10 @@ the Ethernet frame header. IT contains:<br>
<p align="left"><b>Answer: </b>Shorewall is a concatenation of "<u>Shore</u>line"
(<a href="http://www.cityofshoreline.com">the city
where I live</a>) and "Fire<u>wall</u>". The full name
of the product is actually "Shoreline Firewall" but "Shorewall" is
must more commonly used.</p>
(<a href="http://www.cityofshoreline.com">the
city where I live</a>) and "Fire<u>wall</u>". The full
name of the product is actually "Shoreline Firewall" but "Shorewall"
is must more commonly used.</p>
<h4 align="left"> <a name="faq14"></a>14. I'm connected via a cable modem
@ -970,8 +1004,8 @@ than 1.3.1, create /etc/shorewall/start and in it, place the following:</p>
<div align="left">
<p align="left">If you are running version 1.3.1 or later, simply add the
following to<a href="Documentation.htm#rfc1918">
/etc/shorewall/rfc1918</a>:</p>
following to<a
href="Documentation.htm#rfc1918"> /etc/shorewall/rfc1918</a>:</p>
</div>
@ -983,7 +1017,8 @@ than 1.3.1, create /etc/shorewall/start and in it, place the following:</p>
id="AutoNumber3">
<tbody>
<tr>
<td><u><b>SUBNET </b></u></td>
<td><u><b>SUBNET
</b></u></td>
<td><u><b>TARGET</b></u></td>
</tr>
<tr>
@ -996,6 +1031,7 @@ than 1.3.1, create /etc/shorewall/start and in it, place the following:</p>
</tbody>
</table>
</blockquote>
</div>
@ -1010,7 +1046,7 @@ than 1.3.1, create /etc/shorewall/start and in it, place the following:</p>
interface to correspond to the modem address, you must
also make an entry in /etc/shorewall/rfc1918 for that address.
For example, if you configure the address 192.168.100.2 on
your firewall, then you would add two entries to /etc/shorewall/rfc1918:
your firewall, then you would add two entries to /etc/shorewall/rfc1918:
<br>
</p>
@ -1070,7 +1106,7 @@ lease.</h4>
the net", I wonder where the poster bought computers
with eyes and what those computers will "see" when things
are working properly. That aside, the most common causes
of this problem are:</p>
of this problem are:</p>
<ol>
@ -1094,8 +1130,8 @@ of this problem are:</p>
<p align="left">The DNS settings on the local systems are wrong or the
user is running a DNS server on the firewall and
hasn't enabled UDP and TCP port 53 from the firewall
to the internet.</p>
hasn't enabled UDP and TCP port 53 from the firewall
to the internet.</p>
</li>
@ -1116,9 +1152,9 @@ to the internet.</p>
<h4><a name="faq17"></a>17. How do I find out why this traffic is getting
logged?</h4>
<b>Answer: </b>Logging occurs out
of a number of chains (as indicated in the log message)
in Shorewall:<br>
<b>Answer: </b>Logging occurs
out of a number of chains (as indicated in the log message)
in Shorewall:<br>
<ol>
@ -1128,11 +1164,11 @@ in Shorewall:<br>
<li><b>rfc1918</b> - The source
address is listed in /etc/shorewall/rfc1918 with a <b>logdrop
</b>target -- see <a href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li>
<li><b>all2&lt;zone&gt;</b>, <b>&lt;zone&gt;2all</b>
or <b>all2all </b>- You have a<a
href="Documentation.htm#Policy"> policy</a> that specifies a log level
and this packet is being logged under that policy. If you
intend to ACCEPT this traffic then you need a <a
<li><b>all2&lt;zone&gt;</b>,
<b>&lt;zone&gt;2all</b> or <b>all2all </b>-
You have a<a href="Documentation.htm#Policy"> policy</a> that specifies
a log level and this packet is being logged under that policy.
If you intend to ACCEPT this traffic then you need a <a
href="Documentation.htm#Rules">rule</a> to that effect.<br>
</li>
<li><b>&lt;zone1&gt;2&lt;zone2&gt;
@ -1140,22 +1176,23 @@ intend to ACCEPT this traffic then you need a <a
href="Documentation.htm#Policy"> policy</a> for <b>&lt;zone1&gt;
</b>to <b>&lt;zone2&gt;</b> that specifies a log level and
this packet is being logged under that policy or this packet
matches a <a href="Documentation.htm#Rules">rule</a> that includes
a log level.</li>
<li><b>&lt;interface&gt;_mac</b> - The
packet is being logged under the <b>maclist</b> <a
matches a <a href="Documentation.htm#Rules">rule</a> that includes
a log level.</li>
<li><b>&lt;interface&gt;_mac</b> -
The packet is being logged under the <b>maclist</b> <a
href="Documentation.htm#Interfaces">interface option</a>.<br>
</li>
<li><b>logpkt</b> - The packet
is being logged under the <b>logunclean</b> <a
is being logged under the <b>logunclean</b> <a
href="Documentation.htm#Interfaces">interface option</a>.</li>
<li><b>badpkt </b>- The packet
is being logged under the <b>dropunclean</b> <a
href="Documentation.htm#Interfaces">interface option</a> as specified
in the <b>LOGUNCLEAN </b>setting in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.</li>
is being logged under the <b>dropunclean</b>
<a href="Documentation.htm#Interfaces">interface option</a> as specified
in the <b>LOGUNCLEAN </b>setting in <a
href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.</li>
<li><b>blacklst</b> - The packet
is being logged because the source IP is blacklisted in
the<a href="Documentation.htm#Blacklist"> /etc/shorewall/blacklist
the<a href="Documentation.htm#Blacklist"> /etc/shorewall/blacklist
</a>file.</li>
<li><b>newnotsyn </b>- The packet
is being logged because it is a TCP packet that is not
@ -1176,6 +1213,7 @@ of your defined zones ("shorewall check" and look at the
</ol>
<h4><a name="faq18"></a>18. Is there any way to use <b>aliased ip addresses</b>
with Shorewall, and maintain separate rulesets for different
IPs?</h4>
@ -1185,12 +1223,12 @@ of your defined zones ("shorewall check" and look at the
<h4><b><a name="faq19"></a>19. </b>I have added entries to /etc/shorewall/tcrules
but they don't seem to do anything. Why?</h4>
You probably haven't set TC_ENABLED=Yes
in /etc/shorewall/shorewall.conf so the contents of the tcrules
file are simply being ignored.<br>
in /etc/shorewall/shorewall.conf so the contents of the
tcrules file are simply being ignored.<br>
<h4><a name="faq20"></a><b>20. </b>I have just set up a server. <b>Do I have
to change Shorewall to allow access to my server from the
internet?</b><br>
internet?</b><br>
</h4>
Yes. Consult the <a
href="shorewall_quickstart_guide.htm">QuickStart guide</a> that
@ -1209,12 +1247,12 @@ you used during your initial setup for information about how to set
is my internal LAN<br>
<br>
<b>Answer: </b>While most people associate
the Internet Control Message Protocol (ICMP) with 'ping', ICMP
is a key piece of the internet. ICMP is used to report problems
back to the sender of a packet; this is what is happening here.
Unfortunately, where NAT is involved (including SNAT, DNAT and Masquerade),
there are a lot of broken implementations. That is what you are seeing
with these messages.<br>
the Internet Control Message Protocol (ICMP) with 'ping',
ICMP is a key piece of the internet. ICMP is used to report
problems back to the sender of a packet; this is what is happening
here. Unfortunately, where NAT is involved (including SNAT, DNAT
and Masquerade), there are a lot of broken implementations. That is
what you are seeing with these messages.<br>
<br>
Here is my interpretation of what is happening
-- to confirm this analysis, one would have to have packet sniffers
@ -1222,13 +1260,13 @@ with these messages.<br>
<br>
Host 172.16.1.10 behind NAT gateway 206.124.146.179
sent a UDP DNS query to 192.0.2.3 and your DNS server tried
to send a response (the response information is in the brackets --
note source port 53 which marks this as a DNS reply). When the response
was returned to to 206.124.146.179, it rewrote the destination IP
TO 172.16.1.10 and forwarded the packet to 172.16.1.10 who no longer
had a connection on UDP port 2857. This causes a port unreachable
(type 3, code 3) to be generated back to 192.0.2.3. As this packet is
sent back through 206.124.146.179, that box correctly changes the
to send a response (the response information is in the brackets
-- note source port 53 which marks this as a DNS reply). When the
response was returned to to 206.124.146.179, it rewrote the destination
IP TO 172.16.1.10 and forwarded the packet to 172.16.1.10 who no longer
had a connection on UDP port 2857. This causes a port unreachable
(type 3, code 3) to be generated back to 192.0.2.3. As this packet
is sent back through 206.124.146.179, that box correctly changes the
source address in the packet to 206.124.146.179 but doesn't reset
the DST IP in the original DNS response similarly. When the ICMP
reaches your firewall (192.0.2.3), your firewall has no record of having
@ -1244,22 +1282,22 @@ by RFC 1918.<br>
I want to <b>run when Shorewall starts.</b> Which file do I put
them in?</h4>
You can place these commands in one of the
<a href="shorewall_extension_scripts.htm">Shorewall Extension Scripts</a>.
Be sure that you look at the contents of the chain(s) that you will be modifying
with your commands to be sure that the commands will do what they
are intended. Many iptables commands published in HOWTOs and other
instructional material use the -A command which adds the rules to
the end of the chain. Most chains that Shorewall constructs end with
an unconditional DROP, ACCEPT or REJECT rule and any rules that you
add after that will be ignored. Check "man iptables" and look at the
-I (--insert) command.<br>
<a href="shorewall_extension_scripts.htm">Shorewall Extension Scripts</a>.
Be sure that you look at the contents of the chain(s) that you will be modifying
with your commands to be sure that the commands will do what
they are intended. Many iptables commands published in HOWTOs and
other instructional material use the -A command which adds the rules
to the end of the chain. Most chains that Shorewall constructs end
with an unconditional DROP, ACCEPT or REJECT rule and any rules that
you add after that will be ignored. Check "man iptables" and look at
the -I (--insert) command.<br>
<h4><a name="faq23"></a><b>23. </b>Why do you use such ugly fonts on your
web site?</h4>
The Shorewall web site is almost font neutral (it doesn't
explicitly specify fonts except on a few pages) so the fonts you see
are largely the default fonts configured in your browser. If you don't
like them then reconfigure your browser.<br>
explicitly specify fonts except on a few pages) so the fonts you
see are largely the default fonts configured in your browser. If you
don't like them then reconfigure your browser.<br>
<h4><a name="faq24"></a>24. How can I <b>allow conections</b> to let's say
the ssh port only<b> from specific IP Addresses</b> on the internet?</h4>
@ -1281,17 +1319,12 @@ add after that will be ignored. Check "man iptables" and look at the
<br>
<font color="#009900"><b>    /sbin/shorewall version</b></font><br>
<br>
<font size="2">Last updated 3/6/2003 - <a href="support.htm">Tom Eastep</a></font>
<font size="2">Last updated 3/11/2003 - <a href="support.htm">Tom
Eastep</a></font>
<p><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
<br>
<br>
<br>
<br>
<br>
</p>
<br>
</body>
</html>

934
Shorewall-docs/News.htm
View File

File diff suppressed because it is too large Load Diff

46
Shorewall-docs/Shorewall_index_frame.htm
View File

@ -37,8 +37,8 @@
</td>
</tr>
<tr>
<td width="100%" bgcolor="#ffffff">
<td width="100%"
bgcolor="#ffffff">
@ -59,25 +59,23 @@
</li>
<li> <b><a
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li>
<li> <a href="Documentation.htm">Reference
Manual</a></li>
<li> <a
href="Documentation.htm">Reference Manual</a></li>
<li> <a href="FAQ.htm">FAQs</a></li>
<li><a href="useful_links.html">Useful
Links</a><br>
<li><a
href="useful_links.html">Useful Links</a><br>
</li>
<li> <a href="troubleshoot.htm">Troubleshooting</a></li>
<li> <a
href="troubleshoot.htm">Troubleshooting</a></li>
<li> <a href="errata.htm">Errata</a></li>
<li> <a
href="upgrade_issues.htm">Upgrade Issues</a></li>
<li> <a href="support.htm">Support</a></li>
<li><a href="Forum.html">Support Forum</a> <img
src="images/new10.gif" alt="(New)" width="28" height="12">
<br>
<li> <a href="support.htm">Getting
help or Answers to Questions</a><br>
</li>
<li> <a
href="http://lists.shorewall.net/mailing_list.htm">Mailing Lists</a></li>
<li> <a
href="shorewall_mirrors.htm">Mirrors</a>
<li> <a href="shorewall_mirrors.htm">Mirrors</a>
@ -115,11 +113,12 @@
<ul>
<li> <a href="News.htm">News Archive</a></li>
<li> <a href="News.htm">News
Archive</a></li>
<li> <a
href="Shorewall_CVS_Access.html">CVS Repository</a></li>
<li> <a href="quotes.htm">Quotes
from Users</a></li>
from Users</a></li>
<li> <a href="shoreline.htm">About
the Author</a></li>
<li> <a
@ -139,7 +138,7 @@ from Users</a></li>
<form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch">
<strong><br>
<b>Note: </b></strong>Search is unavailable
Daily 0200-0330 GMT.<br>
Daily 0200-0330 GMT.<br>
<strong></strong>
<p><strong>Quick Search</strong><br>
@ -157,15 +156,8 @@ Daily 0200-0330 GMT.<br>
<p><b><a href="http://lists.shorewall.net/htdig/search.html">Extended Search</a></b></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001-2003 Thomas M. Eastep.</font></a></p>
size="2">2001-2003 Thomas M. Eastep.</font></a><a
href="http://www.shorewall.net" target="_top"> </a></p>
<p><a href="http://www.shorewall.net" target="_top"> <img border="1"
src="images/shorewall.jpg" width="119" height="38" hspace="0">
</a><br>
</p>
<br>
<br>
<br>
<br>
</body>
</html>

47
Shorewall-docs/Shorewall_sfindex_frame.htm
View File

@ -16,8 +16,8 @@
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Index</title>
<base
target="main">
<base target="main">
<meta name="Microsoft Theme" content="none">
</head>
@ -44,7 +44,7 @@
<ul>
<li> <a
href="seattlefirewall_index.htm">Home</a></li>
href="sourceforge_index.htm">Home</a></li>
<li> <a
href="shorewall_features.htm">Features</a></li>
<li> <a
@ -65,19 +65,16 @@
<li><a
href="useful_links.html">Useful Links</a><br>
</li>
<li> <a href="troubleshoot.htm">Troubleshooting</a></li>
<li> <a
href="troubleshoot.htm">Troubleshooting</a></li>
<li> <a href="errata.htm">Errata</a></li>
<li> <a
href="upgrade_issues.htm">Upgrade Issues</a></li>
<li> <a href="support.htm">Support</a></li>
<li><a href="Forum.html">Support Forum</a> <img
src="images/new10.gif" alt="(New)" width="28" height="12">
<br>
</li>
<li> <a
href="http://lists.shorewall.net/mailing_list.htm">Mailing Lists</a></li>
<li> <a
href="shorewall_mirrors.htm">Mirrors</a>
<li> <a href="support.htm">Getting
Help or Answers to Questions</a></li>
<li> <a href="shorewall_mirrors.htm">Mirrors</a>
@ -103,23 +100,27 @@
</ul>
</li>
</ul>
<ul>
<li> <a href="News.htm">News Archive</a></li>
<li> <a href="News.htm">News
Archive</a></li>
<li> <a
href="Shorewall_CVS_Access.html">CVS Repository</a></li>
<li> <a href="quotes.htm">Quotes
from Users</a></li>
from Users</a></li>
<li> <a href="shoreline.htm">About
the Author</a></li>
<li> <a
@ -128,6 +129,7 @@ from Users</a></li>
</ul>
</td>
</tr>
@ -136,6 +138,7 @@ from Users</a></li>
</tbody>
</table>
<form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch">
<strong><br>
<b>Note: </b></strong>Search is unavailable
@ -143,9 +146,9 @@ from Users</a></li>
<strong></strong>
<p><strong>Quick Search</strong><br>
<font face="Arial" size="-1"> <input
type="text" name="words" size="15"></font><font size="-1"> </font> <font
face="Arial" size="-1"> <input type="hidden" name="format"
<font face="Arial" size="-1">
<input type="text" name="words" size="15"></font><font size="-1"> </font>
<font face="Arial" size="-1"> <input type="hidden" name="format"
value="long"> <input type="hidden" name="method" value="and"> <input
type="hidden" name="config" value="htdig"> <input type="submit"
value="Search"></font> </p>
@ -156,11 +159,9 @@ from Users</a></li>
<p><b><a href="http://lists.shorewall.net/htdig/search.html">Extended Search</a></b></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001-2003 Thomas M. Eastep.</font></a></p>
<br>
<br>
<br>
<br>
size="2">2001-2003 Thomas M. Eastep.</font></a><br>
</p>
</body>
</html>

169
Shorewall-docs/errata_3.html
View File

@ -40,6 +40,7 @@
<ol>
<li>
<p align="left"> <b><u>I</u>f you use a Windows system to download
a corrected script, be sure to run the script through <u>
<a href="http://www.megaloman.com/%7Ehany/software/hd2u/"
@ -48,6 +49,7 @@
</li>
<li>
<p align="left"> <b>If you are installing Shorewall for the
first time and plan to use the .tgz and install.sh script, you can
untar the archive, replace the 'firewall' script in the untarred directory
@ -55,9 +57,10 @@ untar the archive, replace the 'firewall' script in the untarred director
</li>
<li>
<p align="left"> <b>If you are running a Shorewall version earlier
than 1.3.11, when the instructions say to install a corrected firewall
script in /etc/shorewall/firewall, /usr/lib/shorewall/firewall
than 1.3.11, when the instructions say to install a corrected
firewall script in /etc/shorewall/firewall, /usr/lib/shorewall/firewall
or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to
overwrite the existing file. DO NOT REMOVE OR RENAME THE OLD
/etc/shorewall/firewall or /var/lib/shorewall/firewall before
@ -98,7 +101,7 @@ RedHat iptables</a></b></li>
<li><b><a href="#Multiport">Problems with iptables
version 1.2.7 and MULTIPORT=Yes</a></b></li>
<li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10
and NAT</a></b><br>
and NAT</a></b><br>
</li>
</ul>
@ -114,19 +117,26 @@ and NAT</a></b><br>
href="http://www.shorewall.net/pub/shorewall/errata/1.3.14/rfc1918">updated
rfc1918</a> file that reflects the resent allocation of 222.0.0.0/8 and
223.0.0.0/8.</li>
</ul>
<ul>
<li>The documentation for the routestopped file claimed that a comma-separated
list could appear in the second column while the code only supported a single
host or network address. This has been corrected in <a
host or network address.</li>
<li>Log messages produced by 'logunclean' and 'dropunclean' were not rate-limited.</li>
<li>802.11b devices with names of the form <i>wlan</i>&lt;n&gt; don't
support the 'maclist' interface option.</li>
<li>Log messages generated by RFC 1918 filtering are not rate limited.</li>
<li>The firewall fails to start in the case where you have "eth0 eth1"
in /etc/shorewall/masq and the default route is through eth1.<br>
</li>
</ul>
These problems have been corrected in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.14/firewall">this
firewall script</a> which may be installed in /usr/lib/shorewall as described
above.</li>
<li>Log messages produced by 'logunclean' and 'dropunclean' were not rate-limited.
This has been corrected in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.14/firewall">this
firewall script</a> (contains a fix for the preceding problem as well) which
may be installed in /usr/lib/shorewall as described above.<br>
</li>
</ul>
above.<br>
<h3>Version 1.3.13</h3>
@ -145,9 +155,9 @@ may be installed in /usr/lib/shorewall as described above.<br>
above.<br>
<ul>
<li>VLAN interface names of the form "eth<i>n</i>.<i>m</i>" (e.g., eth0.1)
are not supported in this version or in 1.3.12. If you need such support,
post on the users list and I can provide you with a patched version.<br>
<li>VLAN interface names of the form "eth<i>n</i>.<i>m</i>" (e.g.,
eth0.1) are not supported in this version or in 1.3.12. If you need such
support, post on the users list and I can provide you with a patched version.<br>
</li>
</ul>
@ -156,14 +166,14 @@ may be installed in /usr/lib/shorewall as described above.<br>
<ul>
<li>If RFC_1918_LOG_LEVEL is set to anything but ULOG, the effect
is the same as if RFC_1918_LOG_LEVEL=info had been specified. The problem
is the same as if RFC_1918_LOG_LEVEL=info had been specified. The problem
is corrected by <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.12/firewall">this
firewall script</a> which may be installed in /usr/lib/shorewall as described
above.</li>
<li>VLAN interface names of the form "eth<i>n</i>.<i>m</i>" (e.g., eth0.1)
are not supported in this version or in 1.3.13. If you need such support,
post on the users list and I can provide you with a patched version.<br>
<li>VLAN interface names of the form "eth<i>n</i>.<i>m</i>" (e.g.,
eth0.1) are not supported in this version or in 1.3.13. If you need such
support, post on the users list and I can provide you with a patched version.<br>
</li>
</ul>
@ -171,9 +181,9 @@ is the same as if RFC_1918_LOG_LEVEL=info had been specified. The problem
<h3>Version 1.3.12 LRP</h3>
<ul>
<li>The .lrp was missing the /etc/shorewall/routestopped file --
a new lrp (shorwall-1.3.12a.lrp) has been released which corrects this
problem.<br>
<li>The .lrp was missing the /etc/shorewall/routestopped file
-- a new lrp (shorwall-1.3.12a.lrp) has been released which corrects
this problem.<br>
</li>
</ul>
@ -201,9 +211,9 @@ problem.<br>
These warnings are harmless and may be ignored. Users downloading
the .rpm from shorewall.net or mirrors should no longer see these warnings
as the .rpm you will get from there has been corrected.</li>
<li>DNAT rules that exclude a source subzone (SOURCE column contains
! followed by a sub-zone list) result in an error message and Shorewall
fails to start.<br>
<li>DNAT rules that exclude a source subzone (SOURCE column
contains ! followed by a sub-zone list) result in an error message and
Shorewall fails to start.<br>
<br>
Install <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.11/firewall">this
@ -220,15 +230,15 @@ a fix.<br>
<ul>
<li>If you experience problems connecting to a PPTP server
running on your firewall and you have a 'pptpserver' entry in /etc/shorewall/tunnels,
running on your firewall and you have a 'pptpserver' entry in /etc/shorewall/tunnels,
<a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.10/firewall">this
version of the firewall script</a> may help. Please report any cases
where installing this script in /usr/lib/shorewall/firewall solved your
connection problems. Beginning with version 1.3.10, it is safe to save
the old version of /usr/lib/shorewall/firewall before copying in the
new one since /usr/lib/shorewall/firewall is the real script now and
not just a symbolic link to the real script.<br>
where installing this script in /usr/lib/shorewall/firewall solved
your connection problems. Beginning with version 1.3.10, it is safe
to save the old version of /usr/lib/shorewall/firewall before copying
in the new one since /usr/lib/shorewall/firewall is the real script
now and not just a symbolic link to the real script.<br>
</li>
</ul>
@ -259,8 +269,8 @@ not just a symbolic link to the real script.<br>
<li>The installer (install.sh) issues a misleading message
"Common functions installed in /var/lib/shorewall/functions" whereas
the file is installed in /usr/lib/shorewall/functions. The installer
also performs incorrectly when updating old configurations that had the
file /etc/shorewall/functions. <a
also performs incorrectly when updating old configurations that had the
file /etc/shorewall/functions. <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.3.9/install.sh">Here
is an updated version that corrects these problems.<br>
</a></li>
@ -268,8 +278,8 @@ file /etc/shorewall/functions. <a
</ul>
<h3>Version 1.3.9</h3>
<b>TUNNELS Broken in 1.3.9!!! </b>There is an updated firewall
script at <a
<b>TUNNELS Broken in 1.3.9!!! </b>There is an updated
firewall script at <a
href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
-- copy that file to /usr/lib/shorewall/firewall as described above.<br>
@ -278,9 +288,9 @@ file /etc/shorewall/functions. <a
<ul>
<li> Use of shell variables in the LOG LEVEL or SYNPARMS
columns of the policy file doesn't work.</li>
<li>A DNAT rule with the same original and new IP addresses
but with different port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24
tcp 25 - 10.1.1.1")<br>
<li>A DNAT rule with the same original and new IP
addresses but with different port numbers doesn't work (e.g., "DNAT
loc dmz:10.1.1.1:24 tcp 25 - 10.1.1.1")<br>
</li>
</ul>
@ -291,16 +301,19 @@ file /etc/shorewall/functions. <a
problems.
<h3>Version 1.3.7b</h3>
<p>DNAT rules where the source zone is 'fw' ($FW)
result in an error message. Installing
<a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
this corrected firewall script</a> in /var/lib/shorewall/firewall
as described above corrects this
problem.</p>
problem.</p>
<h3>Version 1.3.7a</h3>
<p>"shorewall refresh" is not creating the proper
rule for FORWARDPING=Yes. Consequently, after
"shorewall refresh", the firewall will not forward
@ -309,10 +322,12 @@ problem.</p>
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
this corrected firewall script</a> in /var/lib/shorewall/firewall
as described above corrects this
problem.</p>
problem.</p>
<h3>Version &lt;= 1.3.7a</h3>
<p>If "norfc1918" and "dhcp" are both specified as
options on a given interface then RFC 1918
checking is occurring before DHCP checking. This
@ -321,13 +336,14 @@ problem.</p>
reject the broadcast (usually logging it). This
has two problems:</p>
<ol>
<li>If the firewall
is running a DHCP server, the client
won't be able to obtain an IP address
is running a DHCP server, the
client won't be able to obtain an IP address
lease from that server.</li>
<li>With this order
of checking, the "dhcp" option
of checking, the "dhcp" option
cannot be used as a noise-reduction
measure where there are both dynamic and static
clients on a LAN segment.</li>
@ -338,17 +354,20 @@ cannot be used as a noise-reduction
<p> <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
This version of the 1.3.7a firewall script </a>
corrects the problem. It must be installed
in /var/lib/shorewall as described
above.</p>
corrects the problem. It must be
installed in /var/lib/shorewall as
described above.</p>
<h3>Version 1.3.7</h3>
<p>Version 1.3.7 dead on arrival -- please use
version 1.3.7a and check your version against
these md5sums -- if there's a difference, please
download again.</p>
<pre> d2fffb7fb99bcc6cb047ea34db1df10 shorewall-1.3.7a.tgz<br> 6a7fd284c8685b2b471a2f47b469fb94 shorewall-1.3.7a-1.noarch.rpm<br> 3decd14296effcff16853106771f7035 shorwall-1.3.7a.lrp</pre>
<p>In other words, type "md5sum &lt;<i>whatever package you downloaded</i>&gt;
@ -365,7 +384,7 @@ cannot be used as a noise-reduction
<p align="left">If ADD_SNAT_ALIASES=Yes is specified in /etc/shorewall/shorewall.conf,
an error occurs when the firewall script attempts to
add an SNAT alias. </p>
add an SNAT alias. </p>
</li>
<li>
@ -450,8 +469,8 @@ so it's a good idea to run that command after you have made configura
that specifies an interface that you didn't include
in /etc/shorewall/interfaces. To correct this problem, you
must add an entry to /etc/shorewall/interfaces. Shorewall 1.3.3
and later versions produce a clearer error message in this
case.</p>
and later versions produce a clearer error message in
this case.</p>
<h3 align="left">Version 1.3.2</h3>
@ -463,9 +482,9 @@ version has a size of 38126 bytes.</p>
<ul>
<li>The code to detect a duplicate interface
entry in /etc/shorewall/interfaces contained a typo that
prevented it from working correctly. </li>
<li>"NAT_BEFORE_RULES=No" was broken; it
behaved just like "NAT_BEFORE_RULES=Yes".</li>
prevented it from working correctly. </li>
<li>"NAT_BEFORE_RULES=No" was broken;
it behaved just like "NAT_BEFORE_RULES=Yes".</li>
</ul>
@ -492,8 +511,8 @@ behaved just like "NAT_BEFORE_RULES=Yes".</li>
<li>TCP SYN packets may be double counted
when LIMIT:BURST is included in a CONTINUE or ACCEPT policy
(i.e., each packet is sent through the limit chain twice).</li>
<li>An unnecessary jump to the policy chain
is sometimes generated for a CONTINUE policy.</li>
<li>An unnecessary jump to the policy
chain is sometimes generated for a CONTINUE policy.</li>
<li>When an option is given for more than
one interface in /etc/shorewall/interfaces then depending
on the option, Shorewall may ignore all but the first
@ -511,8 +530,8 @@ found that affects only the 'routestopped' option.<br>
<br>
Users who downloaded the corrected script
prior to 1850 GMT today should download and install
the corrected script again to ensure that this second
problem is corrected.</li>
the corrected script again to ensure that this second
problem is corrected.</li>
</ul>
@ -525,12 +544,12 @@ problem is corrected.</li>
<ul>
<li>Folks who downloaded 1.3.0 from the
links on the download page before 23:40 GMT, 29 May
2002 may have downloaded 1.2.13 rather than 1.3.0.
links on the download page before 23:40 GMT, 29 May
2002 may have downloaded 1.2.13 rather than 1.3.0.
The "shorewall version" command will tell you which version
that you have installed.</li>
<li>The documentation NAT.htm file uses
non-existent wallpaper and bullet graphic files. The
non-existent wallpaper and bullet graphic files. The
<a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.0/NAT.htm">
corrected version is here</a>.</li>
@ -566,7 +585,7 @@ iptables-1.2.4 rpm which you can download here</a>. If you are currently
<p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat
has released an iptables-1.2.4 RPM of their own which you can
download from<font color="#ff6633"> <a
download from<font color="#ff6633"> <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
</font>I have installed this RPM on my firewall and it works
fine.</p>
@ -610,39 +629,45 @@ download from<font color="#ff6633"> <a
<p>The RedHat iptables RPM is compiled with debugging enabled but the
user-space debugging code was not updated to reflect recent changes in
the Netfilter 'mangle' table. You can correct the problem by
installing <a
the Netfilter 'mangle' table. You can correct the problem
by installing <a
href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
this iptables RPM</a>. If you are already running a 1.2.5 version
of iptables, you will need to specify the --oldpackage option to
rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
of iptables, you will need to specify the --oldpackage option
to rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
</blockquote>
<h3><a name="SuSE"></a>Problems installing/upgrading
RPM on SuSE</h3>
<p>If you find that rpm complains about a conflict
with kernel &lt;= 2.2 yet you have a 2.4 kernel
installed, simply use the "--nodeps" option to
rpm.</p>
<p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<p>Upgrading: rpm -Uvh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<h3><a name="Multiport"></a><b>Problems with
iptables version 1.2.7 and MULTIPORT=Yes</b></h3>
<p>The iptables 1.2.7 release of iptables has made
an incompatible change to the syntax used to
specify multiport match rules; as a consequence,
if you install iptables 1.2.7 you must be running
Shorewall 1.3.7a or later or:</p>
<ul>
<li>set MULTIPORT=No
in /etc/shorewall/shorewall.conf; or </li>
in /etc/shorewall/shorewall.conf; or </li>
<li>if you are running
Shorewall 1.3.6 you may install
<a
@ -662,13 +687,13 @@ in /etc/shorewall/shorewall.conf; or </li>
Error message is:<br>
<pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
The solution is to put "no" in the LOCAL column. Kernel support
for LOCAL=yes has never worked properly and 2.4.18-10 has disabled
it. The 2.4.19 kernel contains corrected support under a new kernel configuraiton
option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
The solution is to put "no" in the LOCAL column. Kernel
support for LOCAL=yes has never worked properly and 2.4.18-10 has
disabled it. The 2.4.19 kernel contains corrected support under a new
kernel configuraiton option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
<p><font size="2"> Last updated 2/18/2003 -
<a href="support.htm">Tom Eastep</a></font> </p>
<p><font size="2"> Last updated 3/8/2003 -
<a href="support.htm">Tom Eastep</a></font> </p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
@ -684,5 +709,7 @@ it. The 2.4.19 kernel contains corrected support under a new kernel configu
<br>
<br>
<br>
<br>
<br>
</body>
</html>

BIN
Shorewall-docs/images/Thumbs.db
View File

Binary file not shown.

412
Shorewall-docs/seattlefirewall_index.htm
View File

@ -7,6 +7,7 @@
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.4</title>
@ -15,9 +16,8 @@
<base
target="_self">
<meta name="author" content="Tom Eastep">
<base target="_self">
</head>
<body>
@ -43,33 +43,46 @@
<h1 align="center"> <font size="4"><i> <a
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4"
alt="Shorwall Logo" height="70" width="85" align="left"
src="images/washington.jpg" border="0">
</a></i></font><font
color="#ffffff">Shorewall 1.4 - <font size="4">"<i>iptables
made easy"</i></font></font></h1>
<div align="center"><a
href="http://shorewall.sf.net/1.3/index.html" target="_top"><font
color="#ffffff">Shorewall 1.3 Site here</font></a><br>
</a></i></font><a
href="http://www.shorewall.net" target="_top"><img border="1"
src="images/shorewall.jpg" width="119" height="38" hspace="4"
alt="(Shorewall Logo)" align="right" vspace="4">
</a></h1>
<small><small><small><small><a
href="http://www.shorewall.net" target="_top"> </a></small></small></small></small><big></big>
<div align="center">
<h1><font color="#ffffff">Shorewall 1.4</font><i><font
color="#ffffff"> <small><small><small>"iptables made easy" </small></small></small></font></i></h1>
</div>
<br>
<p><a href="http://www.shorewall.net" target="_top">
</a> </p>
<div align="center"><a href="http://1.3/index.htm" target="_top"><font
color="#ffffff">Shorewall 1.3 Site is here</font></a>                  
            <br>
</div>
</td>
</tr>
@ -122,9 +135,10 @@
<p>The Shoreline Firewall, more commonly known as "Shorewall", is a
<a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
that can be used on a dedicated firewall system, a multi-function
<p>The Shoreline Firewall, more commonly known as "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
firewall that can be used on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system.</p>
@ -138,28 +152,30 @@
<p>This program is free software; you can redistribute it and/or modify
it under the terms
of <a href="http://www.gnu.org/licenses/gpl.html">Version
2 of the GNU General Public License</a> as published by the Free Software
Foundation.<br>
it under the
terms of <a href="http://www.gnu.org/licenses/gpl.html">Version
2 of the GNU General Public License</a> as published by the Free
Software Foundation.<br>
<br>
This program is distributed
in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied
warranty of MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE. See the GNU General Public License
warranty of MERCHANTABILITY or FITNESS FOR
A PARTICULAR PURPOSE. See the GNU General Public License
for more details.<br>
<br>
You should have received
a copy of the GNU General Public License
along with this program; if not, write to
the Free Software Foundation, Inc., 675 Mass
Ave, Cambridge, MA 02139, USA</p>
along with this program; if not, write
to the Free Software Foundation, Inc., 675
Mass Ave, Cambridge, MA 02139, USA</p>
@ -185,88 +201,51 @@
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques Nilo and
Eric Wolzak have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution called
<i>Bering</i> that features Shorewall-1.3.14
and Kernel-2.4.20. You can find their work at:
<a href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
</a>Jacques Nilo
and Eric Wolzak have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution
called <i>Bering</i> that features
Shorewall-1.3.14 and Kernel-2.4.20. You can find
their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
</a></p>
<p><b>Congratulations to Jacques and Eric on the recent release of Bering
1.1!!!</b><br>
<p><b>Congratulations to Jacques and Eric on the recent release of
Bering 1.1!!! </b><br>
</p>
<h2>This is a mirror of the main Shorewall web site at SourceForge (<a
href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
<h2>This is a mirror of the main Shorewall web site at SourceForge
(<a href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
<h2>News</h2>
<h2></h2>
<p><b>3/14/2003 - Shorewall 1.4.0</b><b> </b><b><img
<p><b>3/17/2003 - Shorewall 1.4.0 </b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
<p></p>
Shorewall 1.4 represents the next step in the evolution of Shorewall.
The main thrust of the initial release is simply to remove the cruft that
has accumulated in Shorewall over time.<br>
 <br>
</b><b> </b></p>
Shorewall 1.4 represents
the next step in the evolution of Shorewall. The main thrust of the
initial release is simply to remove the cruft that has accumulated in
Shorewall over time. <br>
<br>
<b>IMPORTANT: Shorewall 1.4.0 requires</b> <b>the iproute package
('ip' utility).</b><br>
<br>
Function from 1.3 that has been omitted from this version include:<br>
Function from 1.3 that has been omitted from this version
include:<br>
<ol>
<li>The MERGE_HOSTS variable in shorewall.conf is
no longer supported. Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOSTS=Yes.<br>
<li>The MERGE_HOSTS variable in shorewall.conf is no longer supported.
Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOSTS=Yes.<br>
<br>
</li>
<li>Interface names of the form &lt;device&gt;:&lt;integer&gt;
@ -283,41 +262,21 @@ no longer supported. Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOST
an error at startup if specified.<br>
<br>
</li>
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules
is no longer accepted.<br>
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no
longer accepted.<br>
<br>
</li>
<li>The ALLOWRELATED variable in shorewall.conf is no longer
supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.<br>
supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.<br>
<br>
</li>
<li>The icmp.def file has been removed.<br>
<br>
</li>
<li value="8">The 'multi' interface option is no longer supported.
 Shorewall will generate rules for sending packets back out the same interface
that they arrived on in two cases:</li>
</ol>
<ul>
<li>There is an <u>explicit</u> policy for the source zone to
or from the destination zone. An explicit policy names both zones and does
not use the 'all' reserved word.</li>
<li>There are one or more rules for traffic for the source zone
to or from the destination zone including rules that use the 'all' reserved
word. Exception: if the source zone and destination zone are the same then
the rule must be explicit - it must name the zone in both the SOURCE and
DESTINATION columns.<br>
</li>
</ul>
<ol>
</ol>
Changes for 1.4 include:<br>
<ol>
<li>The /etc/shorewall/shorewall.conf file has been completely
reorganized into logical sections.<br>
@ -326,74 +285,216 @@ is no longer accepted.<br>
<li>LOG is now a valid action for a rule (/etc/shorewall/rules).<br>
<br>
</li>
<li>The firewall script and version file are now installed
in /usr/share/shorewall.<br>
<li>The firewall script, common functions file and version file
are now installed in /usr/share/shorewall.<br>
<br>
</li>
<li>Late arriving DNS replies are now silently dropped in
the common chain by default.<br>
<li>Late arriving DNS replies are now silently dropped in the
common chain by default.<br>
<br>
</li>
<li>In addition to behaving like OLD_PING_HANDLING=No, Shorewall
1.4 no longer unconditionally accepts outbound ICMP packets. So if you
want to 'ping' from the firewall, you will need the appropriate rule or
policy.<br>
1.4 no longer unconditionally accepts outbound ICMP packets. So if
you want to 'ping' from the firewall, you will need the appropriate rule
or policy.<br>
<br>
</li>
<li>CONTINUE is now a valid action for a rule (/etc/shorewall/rules).<br>
<br>
</li>
<li>802.11b devices with names of the form wlan<i>&lt;n&gt;</i>
now support the 'maclist' option.<br>
now support the 'maclist' option.<br>
<br>
</li>
<li value="8">Explicit Congestion Notification (ECN - RFC 3168) may
now be turned off on a host or network basis using the new /etc/shorewall/ecn
file. To use this facility:<br>
<li value="8">Explicit Congestion Notification (ECN - RFC 3168)
may now be turned off on a host or network basis using the new /etc/shorewall/ecn
file. To use this facility:<br>
<br>
   a) You must be running kernel 2.4.20<br>
   b) You must have applied the patch in<br>
   http://www.shorewall/net/pub/shorewall/ecn/patch.<br>
   c) You must have iptables 1.2.7a installed.<br>
a) You must be running kernel 2.4.20<br>
b) You must have applied the patch in<br>
http://www.shorewall/net/pub/shorewall/ecn/patch.<br>
c) You must have iptables 1.2.7a installed.<br>
<br>
</li>
<li>The /etc/shorewall/params file is now processed first so that
variables may be used in the /etc/shorewall/shorewall.conf file.<br>
variables may be used in the /etc/shorewall/shorewall.conf file.<br>
<br>
</li>
<li value="10">Shorewall now gives a more helpful diagnostic when
the 'ipchains' compatibility kernel module is loaded and a 'shorewall start'
command is issued.<br>
<br>
</li>
<li>The SHARED_DIR variable has been removed from shorewall.conf.
This variable was for use by package maintainers and was not documented
for general use.<br>
<br>
</li>
<li>Shorewall now ignores 'default' routes when detecting masq'd
networks.<br>
</li>
</ol>
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
target="_top"></a>
<p><b>3/11/2003 - Shoreall 1.3.14a</b><b> </b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
<p>A roleup of the following bug fixes and other updates:</p>
<ul>
<li>There is an updated rfc1918 file that reflects the resent
allocation of 222.0.0.0/8 and 223.0.0.0/8.</li>
<li>The documentation for the routestopped file claimed that a
comma-separated list could appear in the second column while the code
only supported a single host or network address.</li>
<li>Log messages produced by 'logunclean' and 'dropunclean' were
not rate-limited. 802.11b devices with names of the form <i>wlan</i>&lt;n&gt;
don't support the 'maclist' interface option.</li>
<li>Log messages generated by RFC 1918 filtering are not rate
limited.</li>
<li>The firewall fails to start in the case
where you have "eth0 eth1" in /etc/shorewall/masq and the default route
is through eth1.</li>
</ul>
<p><b>2/8/2003 - Shorewall 1.3.14</b><b> </b></p>
<p>New features include</p>
<ol>
<li>An OLD_PING_HANDLING option has been added
to shorewall.conf. When set to Yes, Shorewall ping handling is
as it has always been (see http://www.shorewall.net/ping.html).<br>
<br>
When OLD_PING_HANDLING=No, icmp echo (ping) is handled
via rules and policies just like any other connection request.
The FORWARDPING=Yes option in shorewall.conf and the 'noping' and
'filterping' options in /etc/shorewall/interfaces will all generate
an error.<br>
<br>
</li>
<li>It is now possible to direct Shorewall to create
a "label" such as "eth0:0" for IP addresses that it creates under
ADD_IP_ALIASES=Yes and ADD_SNAT_ALIASES=Yes. This is done by specifying
the label instead of just the interface name:<br>
<br>
a) In the INTERFACE column of /etc/shorewall/masq<br>
b) In the INTERFACE column of /etc/shorewall/nat<br>
</li>
<li>Support for OpenVPN Tunnels.<br>
<br>
</li>
<li>Support for VLAN devices with names of the
form $DEV.$VID (e.g., eth0.0)<br>
<br>
</li>
<li>In /etc/shorewall/tcrules, the MARK value may
be optionally followed by ":" and either 'F' or 'P' to designate that
the marking will occur in the FORWARD or PREROUTING chains respectively.
If this additional specification is omitted, the chain used to mark packets
will be determined by the setting of the MARK_IN_FORWARD_CHAIN option
in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
<br>
</li>
<li>When an interface name is entered in the SUBNET
column of the /etc/shorewall/masq file, Shorewall previously masqueraded
traffic from only the first subnet defined on that interface. It
did not masquerade traffic from:<br>
<br>
a) The subnets associated with other addresses
on the interface.<br>
b) Subnets accessed through local routers.<br>
<br>
Beginning with Shorewall 1.3.14, if you enter an interface
name in the SUBNET column, shorewall will use the firewall's routing
table to construct the masquerading/SNAT rules.<br>
<br>
Example 1 -- This is how it works in 1.3.14.<br>
<br>
<p><b></b><a href="News.htm">More News</a></p>
<pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE SUBNET ADDRESS<br> eth0 eth2 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<pre> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24 scope link<br> 192.168.10.0/24 proto kernel scope link src 192.168.10.254<br></pre>
<pre> [root@gateway test]# shorewall start<br> ...<br> Masqueraded Subnets and Hosts:<br> To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176<br> To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176<br> Processing /etc/shorewall/tos...</pre>
<br>
When upgrading to Shorewall 1.3.14, if you have multiple
local subnets connected to an interface that is specified in the
SUBNET column of an /etc/shorewall/masq entry, your /etc/shorewall/masq
file will need changing. In most cases, you will simply be able to remove
redundant entries. In some cases though, you might want to change from
using the interface name to listing specific subnetworks if the change
described above will cause masquerading to occur on subnetworks that you
don't wish to masquerade.<br>
<br>
Example 2 -- Suppose that your current config is as
follows:<br>
<br>
<pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE SUBNET ADDRESS<br> eth0 eth2 206.124.146.176<br> eth0 192.168.10.0/24 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<pre> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24 scope link<br> 192.168.10.0/24 proto kernel scope link src 192.168.10.254<br> [root@gateway test]#</pre>
<br>
In this case, the second entry in /etc/shorewall/masq
is no longer required.<br>
<br>
Example 3 -- What if your current configuration is
like this?<br>
<br>
<pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE SUBNET ADDRESS<br> eth0 eth2 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<pre> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24 scope link<br> 192.168.10.0/24 proto kernel scope link src 192.168.10.254<br> [root@gateway test]#</pre>
<br>
In this case, you would want to change the entry
in /etc/shorewall/masq to:<br>
<pre> #INTERFACE SUBNET ADDRESS<br> eth0 192.168.1.0/24 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
</li>
</ol>
<br>
<p><b>2/5/2003 - Shorewall Support included in Webmin 1.06</b><b>0</b><b>
</b></p>
Webmin version 1.060 now has Shorewall support included
as standard. See <a href="http://www.webmin.com">http://www.webmin.com</a>.<b>
</b>
<p><a href="News.htm">More News</a></p>
<h2><a name="Donations"></a>Donations</h2>
@ -445,7 +546,7 @@ variables may be used in the /etc/shorewall/shorewall.conf file.<br>
border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10">
  </a></p>
</a></p>
@ -458,11 +559,11 @@ variables may be used in the /etc/shorewall/shorewall.conf file.<br>
<p align="center"><font size="4" color="#ffffff">Shorewall is free but
if you try it and find it useful, please consider making a donation
<p align="center"><font size="4" color="#ffffff">Shorewall is free
but if you try it and find it useful, please consider making a donation
to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight Children's
Foundation.</font></a> Thanks!</font></p>
href="http://www.starlight.org"><font color="#ffffff">Starlight
Children's Foundation.</font></a> Thanks!</font></p>
</td>
@ -480,10 +581,9 @@ Foundation.</font></a> Thanks!</font></p>
<p><font size="2">Updated 3/5/2003 - <a href="support.htm">Tom Eastep</a></font>
<p><font size="2">Updated 3/17/2003 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
<br>
</p>
</body>
</html>

59
Shorewall-docs/shorewall_quickstart_guide.htm
View File

@ -40,8 +40,8 @@
</tbody>
</table>
<p align="center">With thanks to Richard who reminded me once again that we
must all first walk before we can run.<br>
<p align="center">With thanks to Richard who reminded me once again that
we must all first walk before we can run.<br>
The French Translations are courtesy of Patrice Vetsel<br>
</p>
@ -54,10 +54,10 @@ must all first walk before we can run.<br>
<ul>
<li><a href="standalone.htm">Standalone</a> Linux
System (<a href="standalone_fr.html">Version Française</a>)</li>
System (<a href="standalone_fr.html">Version Française</a>)</li>
<li><a href="two-interface.htm">Two-interface</a>
Linux System acting as a firewall/router for a small local network
(<a href="two-interface_fr.html">Version Française</a>)</li>
Linux System acting as a firewall/router for a small local network
(<a href="two-interface_fr.html">Version Française</a>)</li>
<li><a href="three-interface.htm">Three-interface</a>
Linux System acting as a firewall/router for a small local network
and a DMZ. (<a href="three-interface_fr.html">Version Française</a>)</li>
@ -70,13 +70,13 @@ Linux System acting as a firewall/router for a small local network
<p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> outlines
the steps necessary to set up a firewall where <b>there are multiple
public IP addresses involved or if you want to learn more about
Shorewall than is explained in the single-address guides above.</b></p>
Shorewall than is explained in the single-address guides above.</b></p>
<ul>
<li><a
href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a></li>
<li><a href="shorewall_setup_guide.htm#Concepts">2.0
Shorewall Concepts</a></li>
<li><a
href="shorewall_setup_guide.htm#Concepts">2.0 Shorewall Concepts</a></li>
<li><a
href="shorewall_setup_guide.htm#Interfaces">3.0 Network Interfaces</a></li>
<li><a
@ -91,7 +91,7 @@ Shorewall than is explained in the single-address guides above.</b></p>
<li><a
href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li>
<li><a href="shorewall_setup_guide.htm#ARP">4.4
Address Resolution Protocol</a></li>
Address Resolution Protocol</a></li>
</ul>
@ -108,8 +108,8 @@ Address Resolution Protocol</a></li>
Setting up your Network</a>
<ul>
<li><a href="shorewall_setup_guide.htm#Routed">5.1
Routed</a></li>
<li><a
href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li>
</ul>
@ -122,10 +122,10 @@ Address Resolution Protocol</a></li>
<ul>
<li><a href="shorewall_setup_guide.htm#SNAT">5.2.1
SNAT</a></li>
<li><a href="shorewall_setup_guide.htm#DNAT">5.2.2
DNAT</a></li>
<li><a
href="shorewall_setup_guide.htm#SNAT">5.2.1 SNAT</a></li>
<li><a
href="shorewall_setup_guide.htm#DNAT">5.2.2 DNAT</a></li>
<li><a
href="shorewall_setup_guide.htm#ProxyARP">5.2.3 Proxy ARP</a></li>
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4
@ -133,6 +133,7 @@ Address Resolution Protocol</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#Rules">5.3
@ -143,7 +144,8 @@ Address Resolution Protocol</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#DNS">6.0 DNS</a></li>
<li><a href="shorewall_setup_guide.htm#DNS">6.0
DNS</a></li>
<li><a
href="shorewall_setup_guide.htm#StartingAndStopping">7.0 Starting and
Stopping the Firewall</a></li>
@ -154,8 +156,8 @@ Address Resolution Protocol</a></li>
<p>The following documentation covers a variety of topics and <b>supplements
the <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a>
described above</b>. Please review the appropriate guide before trying
to use this documentation directly.</p>
described above</b>. Please review the appropriate guide before
trying to use this documentation directly.</p>
<ul>
<li><a
@ -175,6 +177,7 @@ Address Resolution Protocol</a></li>
<li><a href="configuration_file_basics.htm">Common
configuration file features</a>
<ul>
<li><a
href="configuration_file_basics.htm#Comments">Comments in configuration
@ -194,12 +197,13 @@ Address Resolution Protocol</a></li>
href="configuration_file_basics.htm#Compliment">Complementing an IP address
or Subnet</a></li>
<li><a
href="configuration_file_basics.htm#Configs">Shorewall Configurations
(making a test configuration)</a></li>
href="configuration_file_basics.htm#Configs">Shorewall Configurations (making
a test configuration)</a></li>
<li><a
href="configuration_file_basics.htm#MAC">Using MAC Addresses in Shorewall</a></li>
</ul>
</li>
<li><a href="Documentation.htm">Configuration File
@ -240,8 +244,10 @@ Address Resolution Protocol</a></li>
</li>
<li><a href="dhcp.htm">DHCP</a></li>
<li><font color="#000099"><a
href="shorewall_extension_scripts.htm">Extension Scripts</a></font>
(How to extend Shorewall without modifying Shorewall code)</li>
href="shorewall_extension_scripts.htm">Extension Scripts</a></font> (How
to extend Shorewall without modifying Shorewall code through the use of
files in /etc/shorewall -- /etc/shorewall/start, /etc/shorewall/stopped,
etc.)</li>
<li><a href="fallback.htm">Fallback/Uninstall</a></li>
<li><a href="shorewall_firewall_structure.htm">Firewall
Structure</a></li>
@ -279,8 +285,8 @@ Address Resolution Protocol</a></li>
</ul>
<li><font color="#000099"><a href="NAT.htm">Static
NAT</a></font></li>
<li><a href="Shorewall_Squid_Usage.html">Squid as a Transparent Proxy
with Shorewall</a><br>
<li><a href="Shorewall_Squid_Usage.html">Squid as a Transparent
Proxy with Shorewall</a><br>
</li>
<li><a href="traffic_shaping.htm">Traffic Shaping/QOS</a></li>
<li>VPN
@ -305,10 +311,11 @@ Address Resolution Protocol</a></li>
<p>If you use one of these guides and have a suggestion for improvement <a
href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
<p><font size="2">Last modified 3/5/2003 - <a href="support.htm">Tom Eastep</a></font></p>
<p><font size="2">Last modified 3/12/2003 - <a href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright 2002, 2003 Thomas M.
Eastep</font></a><br>
</p>
</p>
<br>
</body>
</html>

271
Shorewall-docs/sourceforge_index.htm
View File

@ -10,7 +10,7 @@
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.4</title>
<title>Shoreline Firewall (Shorewall) 1.3</title>
@ -18,7 +18,6 @@
<base target="_self">
<meta name="author" content="Tom Eastep">
</head>
<body>
@ -51,8 +50,8 @@
src="images/washington.jpg" border="0">
</a></i></font><font
color="#ffffff">Shorewall 1.4 - <font size="4">"<i>iptables
made easy"</i></font></font><a
color="#ffffff">Shorewall 1.4 - <font
size="4">"<i>iptables made easy"</i></font></font><a
href="http://www.sf.net"> </a></h1>
@ -65,6 +64,7 @@
<div align="center"><a href="/1.3/index.html" target="_top"><font
color="#ffffff">Shorewall 1.3 Site here</font></a></div>
@ -74,6 +74,7 @@
</tbody>
</table>
@ -104,6 +105,7 @@
<h2 align="left">What is it?</h2>
@ -122,7 +124,7 @@
a <a href="http://www.netfilter.org">Netfilter</a> (iptables)
based firewall that can be used on a dedicated firewall system,
a multi-function gateway/router/server or on a standalone
GNU/Linux system.</p>
GNU/Linux system.</p>
@ -139,8 +141,8 @@ GNU/Linux system.</p>
<p>This program is free software; you can redistribute it and/or modify
it under the
terms of <a href="http://www.gnu.org/licenses/gpl.html">Version
2 of the GNU General Public License</a> as published by the Free
Software Foundation.<br>
2 of the GNU General Public License</a> as published by the Free Software
Foundation.<br>
<br>
@ -188,20 +190,21 @@ to the Free Software Foundation, Inc., 675
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques Nilo
and Eric Wolzak have a LEAF (router/firewall/gateway
</a>Jacques
Nilo and Eric Wolzak have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution
called <i>Bering</i> that features
Shorewall-1.3.14 and Kernel-2.4.20. You can find
their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
<b>
<b>Congratulations
to Jacques and Eric on the recent release of Bering
1.1!!! <br>
</b>
<b>Congratulations to Jacques and
Eric on the recent release of Bering 1.1!!!</b><br>
<h2>News</h2>
@ -219,22 +222,24 @@ Eric on the recent release of Bering 1.1!!!</b><br>
<p><b>3/14/2003 - Shorewall 1.4.0</b><b> </b><b><img
<p><b>3/17/2003 - Shorewall 1.4.0  </b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
 </b><b> </b></p>
Shorewall 1.4 represents
the next step in the evolution of Shorewall. The main thrust of the initial
release is simply to remove the cruft that has accumulated in Shorewall
over time. <br>
the next step in the evolution of Shorewall. The main thrust of the
initial release is simply to remove the cruft that has accumulated in
Shorewall over time. <br>
<br>
<b>IMPORTANT: Shorewall 1.4.0 requires</b> <b>the iproute package
('ip' utility).</b><br>
<br>
Function from 1.3 that has been omitted from this version include:<br>
Function from 1.3 that has been omitted from this version
include:<br>
<ol>
<li>The MERGE_HOSTS variable in shorewall.conf is
no longer supported. Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOSTS=Yes.<br>
<li>The MERGE_HOSTS variable in shorewall.conf is no longer supported.
Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOSTS=Yes.<br>
<br>
</li>
<li>Interface names of the form &lt;device&gt;:&lt;integer&gt;
@ -251,71 +256,52 @@ no longer supported. Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOS
an error at startup if specified.<br>
<br>
</li>
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is
no longer accepted.<br>
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no
longer accepted.<br>
<br>
</li>
<li>The ALLOWRELATED variable in shorewall.conf is no longer
supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.<br>
<li>The ALLOWRELATED variable in shorewall.conf is no longer supported.
Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.<br>
<br>
</li>
<li>The icmp.def file has been removed.<br>
<br>
</li>
<li value="8">The 'multi' interface option is no longer supported.
 Shorewall will generate rules for sending packets back out the same interface
that they arrived on in two cases:</li>
</ol>
<ul>
<li>There is an <u>explicit</u> policy for the source zone to
or from the destination zone. An explicit policy names both zones and does
not use the 'all' reserved word.</li>
<li>There are one or more rules for traffic for the source zone
to or from the destination zone including rules that use the 'all' reserved
word. Exception: if the source zone and destination zone are the same then
the rule must be explicit - it must name the zone in both the SOURCE and
DESTINATION columns.</li>
</ul>
<ul>
</ul>
Changes for 1.4 include:<br>
<ol>
<li>The /etc/shorewall/shorewall.conf file has been completely
reorganized into logical sections.<br>
<br>
</li>
<li>LOG and CONTINUE are now a valid actions for a rule (/etc/shorewall/rules).<br>
<li>LOG is now a valid action for a rule (/etc/shorewall/rules).<br>
<br>
</li>
<li>The firewall script and version file are now installed
in /usr/share/shorewall.<br>
<li>The firewall script, common functions file and version file
are now installed in /usr/share/shorewall.<br>
<br>
</li>
<li>Late arriving DNS replies are now silently dropped in
the common chain by default.<br>
<li>Late arriving DNS replies are now silently dropped in the
common chain by default.<br>
<br>
</li>
<li>In addition to behaving like OLD_PING_HANDLING=No, Shorewall
1.4 no longer unconditionally accepts outbound ICMP packets. So if you want
to 'ping' from the firewall, you will need the appropriate rule or policy.<br>
1.4 no longer unconditionally accepts outbound ICMP packets. So if you
want to 'ping' from the firewall, you will need the appropriate rule or
policy.<br>
<br>
</li>
<li>CONTINUE is now a valid action for a rule (/etc/shorewall/rules).<br>
<br>
</li>
<li>802.11b devices with names of the form wlan<i>&lt;n&gt;</i>
now support the 'maclist' option.<br>
now support the 'maclist' option.<br>
<br>
</li>
<li value="8">Explicit Congestion Notification (ECN - RFC 3168) may
now be turned off on a host or network basis using the new /etc/shorewall/ecn
file. To use this facility:<br>
<li value="8">Explicit Congestion Notification (ECN - RFC 3168)
may now be turned off on a host or network basis using the new /etc/shorewall/ecn
file. To use this facility:<br>
<br>
   a) You must be running kernel 2.4.20<br>
   b) You must have applied the patch in<br>
@ -324,12 +310,167 @@ file. To use this facility:<br>
<br>
</li>
<li>The /etc/shorewall/params file is now processed first so that
variables may be used in the /etc/shorewall/shorewall.conf file.</li>
variables may be used in the /etc/shorewall/shorewall.conf file.<br>
<br>
</li>
<li value="10">Shorewall now gives a more helpful diagnostic when
the 'ipchains' compatibility kernel module is loaded and a 'shorewall start'
command is issued.<br>
<br>
</li>
<li>The SHARED_DIR variable has been removed from shorewall.conf.
This variable was for use by package maintainers and was not documented
for general use.<br>
<br>
</li>
<li>Shorewall now ignores 'default' routes when detecting masq'd
networks.<br>
</li>
</ol>
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta" target="_top"></a>
<p><b>3/11/2003 - Shoreall 1.3.14a</b><b> </b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
 </b></p>
<p>A roleup of the following bug fixes and other updates:</p>
<ul>
<li>There is an updated rfc1918 file that reflects the resent
allocation of 222.0.0.0/8 and 223.0.0.0/8. </li>
<li>The documentation for the routestopped file claimed that a comma-separated
list could appear in the second column while the code only supported a
single host or network address. </li>
<li>Log messages produced by 'logunclean' and 'dropunclean' were
not rate-limited. </li>
<li>802.11b devices with names of the form <i>wlan</i>&lt;n&gt;
don't support the 'maclist' interface option. </li>
<li>Log messages generated by RFC 1918 filtering are not rate limited. </li>
<li>The firewall fails to start in the case where you have "eth0
eth1" in /etc/shorewall/masq and the default route is through eth1
</li>
</ul>
<p><b>2/8/2003 - Shorewall 1.3.14</b><b> </b></p>
<p>New features include</p>
<ol>
<li>An OLD_PING_HANDLING option has been added to shorewall.conf.
When set to Yes, Shorewall ping handling is as it has always been
(see http://www.shorewall.net/ping.html).<br>
<br>
When OLD_PING_HANDLING=No, icmp echo (ping) is handled
via rules and policies just like any other connection request. The
FORWARDPING=Yes option in shorewall.conf and the 'noping' and 'filterping'
options in /etc/shorewall/interfaces will all generate an error.<br>
<br>
</li>
<li>It is now possible to direct Shorewall to create
a "label" such as  "eth0:0" for IP addresses that it creates under
ADD_IP_ALIASES=Yes and ADD_SNAT_ALIASES=Yes. This is done by specifying
the label instead of just the interface name:<br>
 <br>
   a) In the INTERFACE column of /etc/shorewall/masq<br>
   b) In the INTERFACE column of /etc/shorewall/nat<br>
 </li>
<li>Support for OpenVPN Tunnels.<br>
<br>
</li>
<li>Support for VLAN devices with names of the form
$DEV.$VID (e.g., eth0.0)<br>
<br>
</li>
<li>In /etc/shorewall/tcrules, the MARK value may be
optionally followed by ":" and either 'F' or 'P' to designate that the
marking will occur in the FORWARD or PREROUTING chains respectively.
If this additional specification is omitted, the chain used to mark packets
will be determined by the setting of the MARK_IN_FORWARD_CHAIN option
in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
<br>
</li>
<li>When an interface name is entered in the SUBNET
column of the /etc/shorewall/masq file, Shorewall previously masqueraded
traffic from only the first subnet defined on that interface. It
did not masquerade traffic from:<br>
 <br>
   a) The subnets associated with other addresses on the
interface.<br>
   b) Subnets accessed through local routers.<br>
 <br>
Beginning with Shorewall 1.3.14, if you enter an interface
name in the SUBNET column, shorewall will use the firewall's routing
table to construct the masquerading/SNAT rules.<br>
 <br>
Example 1 -- This is how it works in 1.3.14.<br>
   <br>
<pre>   [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<pre>  [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br></pre>
<pre>  [root@gateway test]# shorewall start<br> ...<br> Masqueraded Subnets and Hosts:<br> To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176<br> To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176<br> Processing /etc/shorewall/tos...</pre>
 <br>
When upgrading to Shorewall 1.3.14, if you have multiple
local subnets connected to an interface that is specified in the
SUBNET column of an /etc/shorewall/masq entry, your /etc/shorewall/masq
file will need changing. In most cases, you will simply be able to remove
redundant entries. In some cases though, you might want to change from
using the interface name to listing specific subnetworks if the change described
above will cause masquerading to occur on subnetworks that you don't wish
to masquerade.<br>
 <br>
Example 2 -- Suppose that your current config is as follows:<br>
   <br>
<pre>   [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> eth0                    192.168.10.0/24         206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<pre>   [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br> [root@gateway test]#</pre>
 <br>
   In this case, the second entry in /etc/shorewall/masq
is no longer required.<br>
 <br>
Example 3 -- What if your current configuration is like
this?<br>
 <br>
<pre>   [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<pre>   [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br> [root@gateway test]#</pre>
 <br>
   In this case, you would want to change the entry in 
/etc/shorewall/masq to:<br>
<pre>   #INTERFACE              SUBNET                  ADDRESS<br> eth0                    192.168.1.0/24          206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
</li>
</ol>
<p></p>
<p><b>2/5/2003 - Shorewall Support included in Webmin 1.06</b><b>0</b><b>
</b></p>
Webmin version 1.060 now has Shorewall support included
as standard. See <a href="http://www.webmin.com">http://www.webmin.com</a>
<b> </b>
@ -340,6 +481,7 @@ variables may be used in the /etc/shorewall/shorewall.conf file.</li>
<ul>
@ -349,6 +491,7 @@ variables may be used in the /etc/shorewall/shorewall.conf file.</li>
</ul>
@ -425,6 +568,7 @@ variables may be used in the /etc/shorewall/shorewall.conf file.</li>
</tbody>
</table>
@ -473,11 +617,12 @@ variables may be used in the /etc/shorewall/shorewall.conf file.</li>
<p align="center"><font size="4" color="#ffffff">Shorewall is free
but if you try it and find it useful, please consider making a donation
<p align="center"><font size="4" color="#ffffff">Shorewall is free but
if you try it and find it useful, please consider making a donation
to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight
Children's Foundation.</font></a> Thanks!</font></p>
href="http://www.starlight.org"><font color="#ffffff">Starlight Children's
Foundation.</font></a> Thanks!</font></p>
</td>
@ -495,7 +640,7 @@ Children's Foundation.</font></a> Thanks!</font></p>
<p><font size="2">Updated 3/5/2003 - <a href="support.htm">Tom Eastep</a></font>
<p><font size="2">Updated 3/17/2003 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>

327
Shorewall-docs/support.htm
View File

@ -10,20 +10,7 @@
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Support Guide</title>
<meta name="Microsoft Theme" content="none">
</head>
<body>
@ -38,6 +25,7 @@
<h1 align="center"><font color="#ffffff">Shorewall Support Guide<img
src="images/obrasinf.gif" alt="" width="90" height="90" align="middle">
</font></h1>
@ -50,75 +38,42 @@
</table>
<p> <b><big><big><font color="#ff0000">While I don't answer Shorewall  questions
emailed directly to me, I try to spend some time each day answering questions
on the Shorewall Users Mailing List and on the Support Forum.</font></big><span
style="font-weight: 400;"></span></big></b></p>
<h2>Before Reporting a Problem or Asking a Question<br>
</h2>
There are a number
of sources of Shorewall information. Please try these before you post.
<h2 align="center"><big><font color="#ff0000"><b>-Tom Eastep</b></font></big></h2>
<h1>Before Reporting a Problem</h1>
<i>"Well at least you tried to read the documentation, which is a lot
more than some people on this list appear to do.</i>"<br>
<br>
<div align="center">- Wietse Venema - On the Postfix mailing list<br>
</div>
<br>
There are a number of sources
for problem solution information. Please try these before you
post.
<h3> </h3>
<h3> </h3>
<ul>
<li>More than half of the questions posted on the
support list have answers directly accessible from the <a
<li>More than half of the questions posted
on the support list have answers directly accessible from the <a
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a><br>
<br>
</li>
<li> The <a
href="FAQ.htm">FAQ</a> has solutions to more than 20 common problems.
</li>
</ul>
<h3> </h3>
<ul>
<li> The <a
href="troubleshoot.htm">Troubleshooting</a> Information contains
a number of tips to help you solve common problems. </li>
a number of tips to help you solve common problems.
</li>
</ul>
<h3> </h3>
<ul>
<li> The <a
href="errata.htm"> Errata</a> has links to download updated
components. </li>
</ul>
<h3> </h3>
<ul>
<li> The Mailing
List Archives search facility can locate posts about similar
problems: </li>
<li> The Site and Mailing
List Archives search facility can locate documents and posts
about similar problems: </li>
</ul>
<h2> </h2>
<h2>Mailing List Archive Search</h2>
<h2>Site and Mailing List Archive Search</h2>
<form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch">
<p> <font size="-1"> Match:
<blockquote>
<form method="post"
action="http://lists.shorewall.net/cgi-bin/htsearch"> <font size="-1"> Match:
<select name="method">
<option value="and">All </option>
@ -126,15 +81,11 @@ List Archives search facility can locate posts about similar
<option value="boolean">Boolean </option>
</select>
Format:
<select name="format">
<option value="builtin-long">Long </option>
<option value="builtin-short">Short </option>
</select>
Sort by:
<select name="sort">
<option value="score">Score </option>
<option value="time">Time </option>
@ -143,66 +94,55 @@ List Archives search facility can locate posts about similar
<option value="revtime">Reverse Time </option>
<option value="revtitle">Reverse Title </option>
</select>
</font> <input type="hidden"
name="config" value="htdig"> <input type="hidden" name="restrict"
value="[http://lists.shorewall.net/pipermail/.*]"> <input type="hidden"
name="exclude" value=""> <br>
Search: <input type="text"
size="30" name="words" value=""> <input type="submit" value="Search">
</p>
</font><input type="hidden" name="config" value="htdig"><input
type="hidden" name="restrict" value=""><font size="-1"> Include Mailing
List Archives:
<select size="1" name="exclude">
<option value="">Yes</option>
<option value="[http://lists.shorewall.net/pipermail/.*]">No</option>
</select>
</font><br>
Search: <input type="text" size="30" name="words" value=""> <input
type="submit" value="Search"><br>
</form>
</blockquote>
<h2>Problem Reporting Guidelines </h2>
<i>"Let me see if I can translate your message into a
real-world example. It would be like saying that you have three
rooms at home, and when you walk into one of the rooms, you detect
this strange smell. Can anyone tell you what that strange smell is?<br>
<br>
Now, all of us could do some wonderful guessing as to
the smell and even what's causing it. You would be absolutely amazed
at the range and variety of smells we could come up with. Even more
amazing is that all of the explanations for the smells would be completely
plausible."<br>
</i><br>
<h2>Problem Reporting Guidelines<br>
</h2>
<div align="center"> - <i>Russell Mosemann</i> on the Postfix mailing list<br>
</div>
<br>
<h3> </h3>
<ul>
<li>Please remember we only know what is posted in your message.
Do not leave out any information that appears to be correct, or was
mentioned in a previous post. There have been countless posts by people
who were sure that some part of their configuration was correct when
it actually contained a small error. We tend to be skeptics where detail
is lacking.<br>
<li>Please remember we only know what is posted
in your message. Do not leave out any information that appears to
be correct, or was mentioned in a previous post. There have been
countless posts by people who were sure that some part of their
configuration was correct when it actually contained a small error.
We tend to be skeptics where detail is lacking.<br>
<br>
</li>
<li>Please keep in mind that you're asking for <strong>free</strong>
technical support. Any help we offer is an act of generosity, not
an obligation. Try to make it easy for us to help you. Follow good,
courteous practices in writing and formatting your e-mail. Provide
details that we need if you expect good answers. <em>Exact quoting </em>
of error messages, log entries, command output, and other output is better
than a paraphrase or summary.<br>
<li>Please keep in mind that you're asking for
<strong>free</strong> technical support. Any help we offer
is an act of generosity, not an obligation. Try to make it easy
for us to help you. Follow good, courteous practices in writing
and formatting your e-mail. Provide details that we need if you expect
good answers. <em>Exact quoting </em> of error messages, log entries,
command output, and other output is better than a paraphrase or summary.<br>
<br>
</li>
<li> Please don't describe
your environment and then ask us to send you custom
configuration files. We're here to answer your questions but
we can't do your job for you.<br>
<li> Please don't
describe your environment and then ask us to send you
custom configuration files. We're here to answer your
questions but we can't do your job for you.<br>
<br>
</li>
<li>When reporting a problem, <strong>ALWAYS</strong> include
this information:</li>
<li>When reporting a problem, <strong>ALWAYS</strong>
include this information:</li>
</ul>
<ul>
<ul>
<li>the exact version of Shorewall you are running.<br>
<br>
@ -210,8 +150,10 @@ than a paraphrase or summary.<br>
</b> <br>
</li>
</ul>
<ul>
<li>the exact kernel version you are running<br>
<br>
@ -219,8 +161,10 @@ than a paraphrase or summary.<br>
<br>
</b></font></li>
</ul>
<ul>
<li>the complete, exact output of<br>
<br>
@ -228,8 +172,10 @@ than a paraphrase or summary.<br>
<br>
</b></font></li>
</ul>
<ul>
<li>the complete, exact output of<br>
<br>
@ -237,10 +183,13 @@ than a paraphrase or summary.<br>
<br>
</b></font></li>
</ul>
<ul>
<li>If your kernel is modularized, the exact output from<br>
<li>If your kernel is modularized, the exact
output from<br>
<br>
<font color="#009900"><b>lsmod</b></font><br>
<br>
@ -249,15 +198,16 @@ than a paraphrase or summary.<br>
style="color: green; font-weight: bold;">ping</code> failure responses<br>
<br>
</li>
<li>If you installed Shorewall using one of the QuickStart Guides,
please indicate which one. <br>
<li>If you installed Shorewall using one of the QuickStart
Guides, please indicate which one. <br>
<br>
</li>
<li><b>If you are running Shorewall under Mandrake using the Mandrake
installation of Shorewall, please say so.</b><br>
<li><b>If you are running Shorewall under Mandrake using
the Mandrake installation of Shorewall, please say so.</b><br>
<br>
</li>
</ul>
</ul>
@ -277,91 +227,69 @@ than a paraphrase or summary.<br>
4. Post the /tmp/status.txt file as an attachment.<br>
<br>
</li>
<li>As a general matter, please <strong>do not edit the diagnostic
information</strong> in an attempt to conceal your IP address, netmask,
nameserver addresses, domain name, etc. These aren't secrets, and concealing
them often misleads us (and 80% of the time, a hacker could derive
them anyway from information contained in the SMTP headers of your post).<strong></strong></li>
</ul>
<ul>
</ul>
<h3> </h3>
<ul>
</ul>
<h3> </h3>
<ul>
<li> Do you see
any "Shorewall" messages ("<b><font color="#009900">/sbin/shorewall
show log</font></b>") when you exercise the function that
is giving you problems? If so, include the message(s) in your post
along with a copy of your /etc/shorewall/interfaces file.<br>
<li>As a general
matter, please <strong>do not edit the diagnostic information</strong>
in an attempt to conceal your IP address, netmask, nameserver addresses,
domain name, etc. These aren't secrets, and concealing them often
misleads us (and 80% of the time, a hacker could derive them anyway
from information contained in the SMTP headers of your post).<br>
<br>
<strong></strong></li>
<li>Do you see any "Shorewall" messages ("<b><font
color="#009900">/sbin/shorewall show log</font></b>") when
you exercise the function that is giving you problems? If so, include
the message(s) in your post along with a copy of your /etc/shorewall/interfaces
file.<br>
<br>
</li>
<li>Please include any of the Shorewall configuration files
(especially the /etc/shorewall/hosts file if you have
modified that file) that you think are relevant. If you
include /etc/shorewall/rules, please include /etc/shorewall/policy
as well (rules are meaningless unless one also knows the policies).
modified that file) that you think are relevant. If you
include /etc/shorewall/rules, please include /etc/shorewall/policy
as well (rules are meaningless unless one also knows the policies).<br>
<br>
</li>
</ul>
<h3> </h3>
<ul>
</ul>
<h3> </h3>
<ul>
<li> If an error occurs
when you try to "<font color="#009900"><b>shorewall start</b></font>",
include a trace (See the <a href="troubleshoot.htm">Troubleshooting</a>
section for instructions). </li>
</ul>
<h3> </h3>
<ul>
<li>
<h3><b>The list server limits posts to 120kb so don't post GIFs of
your network layout, etc. to the Mailing List -- your
post will be rejected.</b></h3>
<li>If an error occurs when you try to "<font
color="#009900"><b>shorewall start</b></font>", include a
trace (See the <a href="troubleshoot.htm">Troubleshooting</a>
section for instructions).<br>
<br>
</li>
<li><b>The list server limits posts to 120kb so don't post GIFs
of your network layout, etc. to the Mailing
List -- your post will be rejected.</b></li>
</ul>
The author gratefully acknowleges that the above list was heavily
plagiarized from the excellent LEAF document by <i>Ray</i> <em>Olszewski</em>
<blockquote>
The author gratefully acknowleges that the above list was heavily
plagiarized from the excellent LEAF document by <i>Ray</i> <em>Olszewski</em>
found at <a
href="http://leaf-project.org/pub/doc/docmanager/docid_1891.html">http://leaf-project.org/pub/doc/docmanager/docid_1891.html</a>.<br>
</blockquote>
<h2>Please post in plain text</h2>
<h2>When using the mailing list, please post in plain text</h2>
<blockquote> </blockquote>
<blockquote>
A growing number of MTAs serving list subscribers are rejecting
all HTML traffic. At least one MTA has gone so far as to blacklist
shorewall.net "for continuous abuse" because it has been my policy to
allow HTML in list posts!!<br>
shorewall.net "for continuous abuse" because it has been my policy
to allow HTML in list posts!!<br>
<br>
I think that blocking all HTML is a Draconian way to control
spam and that the ultimate losers here are not the spammers but the
list subscribers whose MTAs are bouncing all shorewall.net mail. As
one list subscriber wrote to me privately "These e-mail admin's need
to get a <i>(expletive deleted)</i> life instead of trying to rid the planet
of HTML based e-mail". Nevertheless, to allow subscribers to receive list
posts as must as possible, I have now configured the list server at shorewall.net
to strip all HTML from outgoing posts.<br>
I think that blocking all HTML is a Draconian
way to control spam and that the ultimate losers here are not
the spammers but the list subscribers whose MTAs are bouncing
all shorewall.net mail. As one list subscriber wrote to me privately
"These e-mail admin's need to get a <i>(expletive deleted)</i> life
instead of trying to rid the planet of HTML based e-mail". Nevertheless,
to allow subscribers to receive list posts as must as possible, I have
now configured the list server at shorewall.net to strip all HTML
from outgoing posts.<br>
</blockquote>
<h2>Where to Send your Problem Report or to Ask for Help</h2>
@ -370,33 +298,36 @@ to strip all HTML from outgoing posts.<br>
<h4>If you run Shorewall under Bering -- <span
style="font-weight: 400;">please post your question or problem
to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF Users
mailing list</a>.</span></h4>
<b>If you run Shorewall under MandrakeSoft Multi Network
Firewall (MNF) and you have not purchased an MNF license from MandrakeSoft
then you can post non MNF-specific Shorewall questions to the </b><a
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
list</a> or to the <a
href="http://www.developercube.com/forum/index.php?c=8">Shorewall Support
Forum</a>. <b>Do not expect to get free MNF support on the list or forum.</b><br>
to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF
Users mailing list</a>.</span></h4>
<b>If you run Shorewall under MandrakeSoft Multi
Network Firewall (MNF) and you have not purchased an MNF license
from MandrakeSoft then you can post non MNF-specific Shorewall questions
to the </b><a href="mailto:shorewall-users@lists.shorewall.net">Shorewall
users mailing list</a>. <b>Do not expect to get free MNF support
on the list or forum.</b><br>
<p>Otherwise, please post your question or problem to the <a
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
list</a> or to the <a
href="http://www.developercube.com/forum/index.php?c=8">Shorewall Support
Forum</a>.</p>
list</a>.</p>
</blockquote>
<p>To Subscribe to the mailing list go to <a
href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a>
.</p>
.<br>
</p>
<p>For information on other Shorewall mailing lists, go to <a
href="http://lists.shorewall.net/mailing_list.htm">http://lists.shorewall.net/mailing_list.htm</a><br>
</p>
<p align="left"><font size="2">Last Updated 3/4/2003 - Tom Eastep</font></p>
<p align="left"><font size="2">Last Updated 3/14/2003 - Tom Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font

4
Shorewall/changelog.txt
View File

@ -60,3 +60,7 @@ Changes since 1.3.14
27. Remove stale comments in the params file.
28. Silently drop INVALID state packets
29. Ignore the 'default' route when detecting masq'd networks.
30. REALLY process the params file first now (honest).

2
Shorewall/fallback.sh
View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=1.4.0-RC2
VERSION=1.4.0
usage() # $1 = exit status
{

2
Shorewall/install.sh
View File

@ -54,7 +54,7 @@
# /etc/rc.d/rc.local file is modified to start the firewall.
#
VERSION=1.4.0-RC2
VERSION=1.4.0
usage() # $1 = exit status
{

12
Shorewall/releasenotes.txt
View File

@ -77,6 +77,18 @@ Changes for 1.4 include:
10) The /etc/shorewall/params file is now processed first so that
variables may be used in the /etc/shorewall/shorewall.conf file.
11) Packets with state INVALID are now silently dropped.
12) Shorewall now gives a more helpful diagnostic when the 'ipchains'
compatibility kernel module is loaded and a 'shorewall start'
command is issued.
13) The SHARED_DIR variable has been removed from shorewall.conf. This
variable was for use by package maintainers and was not documented
for general use.
14) Shorewall now ignores 'default' routes when detecting masq'd
networks.

4
Shorewall/shorewall.spec
View File

@ -1,6 +1,6 @@
%define name shorewall
%define version 1.4.0
%define release 0RC2
%define release 1
%define prefix /usr
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@ -105,6 +105,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog
* Mon Mar 17 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.0-1
* Fri Mar 07 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.0-0RC2
* Wed Mar 05 2003 Tom Eastep <tom@shorewall.net>

2
Shorewall/uninstall.sh
View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall
VERSION=1.4.0-RC2
VERSION=1.4.0
usage() # $1 = exit status
{