Version 1.3.9b

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@290 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2002-10-09 15:47:48 +00:00
parent ad21569d2a
commit 53d582d396
16 changed files with 3710 additions and 3479 deletions

View File

@ -29,7 +29,7 @@
</tbody>
</table>
<p align="left"><b>1. </b><a href="#faq1"> I want to <b>forward</b> UDP <b>
<p align="left"><b>1. </b><a href="#faq1"> I want to <b>forward</b> UDP <b>
port</b> 7777 to my my personal PC with IP address 192.168.1.5. I've looked
everywhere and can't find <b>how to do it</b>.</a></p>
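Review bot: the unchanged context line "port 7777 to my my personal PC with IP address 192.168.1.5" still carries the doubled word "my my"; since this FAQ index entry is being re-wrapped anyway, correct it to "to my personal PC" in the same pass. The visible change in this hunk is whitespace only.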
@ -51,8 +51,8 @@ in Z. Hosts in Z cannot communicate with each other using their external
Messenger </b>with Shorewall. What do I do?</a></p>
<p align="left"><b>4. </b><a href="#faq4">I just used an online port scanner
to check my firewall and it shows <b>some ports as 'closed' rather than 'blocked'.</b>
Why?</a></p>
to check my firewall and it shows <b>some ports as 'closed' rather than
'blocked'.</b> Why?</a></p>
<p align="left"><b>4a. </b><a href="#faq4a">I just ran an <b>nmap UDP scan</b>
of my firewall and it showed 100s of ports as open!!!!</a></p>
@ -61,7 +61,7 @@ to check my firewall and it shows <b>some ports as 'closed' rather than 'blocke
I <b> can't ping</b> through the firewall</a></p>
<p align="left"><b>6. </b><a href="#faq6">Where are the <b>log messages</b>
written and  how do I <b>change the destination</b>?</a></p>
written and how do I <b>change the destination</b>?</a></p>
<p align="left"><b>6a. </b><a href="#faq6a">Are there any <b>log parsers</b>
that work with Shorewall?</a></p>
@ -92,9 +92,9 @@ but as expected if I enable <b> rfc1918 blocking</b> for my eth0 interface,
it also blocks the <b>cable modems web server</b></a>.</p>
<p align="left"><b>14a. </b><a href="#faq14a">Even though it assigns public
IP addresses, my ISP's DHCP server has an RFC 1918 address. If I enable RFC
1918 filtering on my external interface, <b>my DHCP client cannot renew its
lease</b>.</a></p>
IP addresses, my ISP's DHCP server has an RFC 1918 address. If I enable
RFC 1918 filtering on my external interface, <b>my DHCP client cannot renew
its lease</b>.</a></p>
<p align="left"><b>15. </b><a href="#faq15"><b>My local systems can't see
out to the net</b></a></p>
@ -111,7 +111,8 @@ can't find how to do it.</h4>
href="Documentation.htm#PortForward"> first example</a> in the <a
href="Documentation.htm#Rules">rules file documentation</a> shows how to
do port forwarding under Shorewall. Assuming that you have a dynamic external
IP address, the format of a port-forwarding rule to a local system is as follows:</p>
IP address, the format of a port-forwarding rule to a local system is as
follows:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -132,8 +133,10 @@ IP address, the format of a port-forwarding rule to a local system is as follows
<td>loc:<i>&lt;local IP address&gt;</i>[:<i>&lt;local port</i>&gt;]</td>
<td><i>&lt;protocol&gt;</i></td>
<td><i>&lt;port #&gt;</i></td>
<td> </td>
<td> </td>
<td> <br>
</td>
<td> <br>
</td>
</tr>
</tbody>
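Review bot: replacing the empty placeholder cells `<td> </td>` with `<td> <br>` / `</td>` is editor-generated churn rather than a content change, and it leaves the port-forwarding rule table using a different empty-cell form from the unchanged tables elsewhere in the file. Pick one representation for empty cells (`<td>&nbsp;</td>` is the conventional one) and apply it consistently instead of letting the editor rewrite cells hunk by hunk.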
@ -162,8 +165,10 @@ the rule is:</p>
<td>loc:192.168.1.5</td>
<td>udp</td>
<td>7777</td>
<td> </td>
<td> </td>
<td> <br>
</td>
<td> <br>
</td>
</tr>
</tbody>
@ -225,12 +230,13 @@ can browse http://www.mydomain.com but internal clients can't.</h4>
<p align="left"><b>Answer: </b>I have two objections to this setup.</p>
<ul>
<li>Having an internet-accessible server in your local network is
like raising foxes in the corner of your hen house. If the server is compromised,
there's nothing between that server and your other internal systems.
For the cost of another NIC and a cross-over cable, you can put your
server in a DMZ such that it is isolated from your local systems - assuming
that the Server can be located near the Firewall, of course :-)</li>
<li>Having an internet-accessible server in your local network
is like raising foxes in the corner of your hen house. If the server is
compromised, there's nothing between that server and your other internal
systems. For the cost of another NIC and a cross-over cable, you can put
your server in a DMZ such that it is isolated from your local systems
- assuming that the Server can be located near the Firewall, of course
:-)</li>
<li>The accessibility problem is best solved using <a
href="shorewall_setup_guide.htm#DNS">Bind Version 9 "views"</a> (or using
a separate DNS server for local clients) such that www.mydomain.com resolves
@ -281,13 +287,13 @@ with subnet 192.168.1.0/24, do the following:</p>
</div>
<div align="left">
<pre align="left"> <font face="Courier">DNAT    loc:192.168.1.0/24    loc:192.168.1.5    tcp    www    -    130.151.100.69:192.168.1.254</font></pre>
<pre align="left"> <font face="Courier">DNAT loc:192.168.1.0/24 loc:192.168.1.5 tcp www - 130.151.100.69:192.168.1.254</font></pre>
</div>
<div align="left">
<p align="left">That rule only works of course if you have a static external
IP address. If you have a dynamic IP address and are running Shorewall 1.3.4
or later then include this in /etc/shorewall/params:</p>
IP address. If you have a dynamic IP address and are running Shorewall
1.3.4 or later then include this in /etc/shorewall/params:</p>
</div>
<div align="left">
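Review bot: the DNAT example sits inside a `<pre>` element, where whitespace is rendered as-is, so collapsing the runs of spaces in `DNAT    loc:192.168.1.0/24    loc:192.168.1.5    tcp    www    -    130.151.100.69:192.168.1.254` to single spaces changes what the reader sees: the seven fields no longer line up as columns the way they do in /etc/shorewall/rules, which is the whole point of showing the rule in a `<pre>` block. Restore the original spacing (or present the rule in a table as the other examples on this page do), and keep the reflow tool away from `<pre>` contents.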
@ -344,7 +350,7 @@ to access a NATed host using the host's DNS name.</p>
<p align="left">Another good way to approach this problem is to switch from
static NAT to Proxy ARP. That way, the hosts in Z have non-RFC1918 addresses
and can be accessed externally and internally using the same address. </p>
and can be accessed externally and internally using the same address. </p>
<p align="left">If you don't like those solutions and prefer routing all Z-&gt;Z
traffic through your firewall then:</p>
@ -398,7 +404,8 @@ traffic through your firewall then:</p>
<td>dmz</td>
<td>dmz</td>
<td>ACCEPT</td>
<td> </td>
<td> <br>
</td>
</tr>
</tbody>
@ -406,7 +413,7 @@ traffic through your firewall then:</p>
</blockquote>
<div align="left">
<pre align="left"> dmz    dmz    ACCEPT</pre>
<pre align="left"> dmz dmz ACCEPT</pre>
</div>
<p align="left">In /etc/shorewall/masq:</p>
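Review bot: `dmz    dmz    ACCEPT` is inside a `<pre>` element, so collapsing it to `dmz dmz ACCEPT` drops the column alignment this policy-file example is meant to show (SOURCE, DEST, POLICY as separate columns). Keep the original spacing.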
@ -423,7 +430,8 @@ traffic through your firewall then:</p>
<tr>
<td width="93">eth2</td>
<td width="31">192.168.2.0/24</td>
<td width="120"> </td>
<td width="120"> <br>
</td>
</tr>
</tbody>
@ -447,11 +455,11 @@ to check my firewall and it shows some ports as 'closed' rather than 'blocked
always rejects connection requests on TCP port 113 rather than dropping
them. This is necessary to prevent outgoing connection problems to services
that use the 'Auth' mechanism for identifying requesting users. Shorewall
also rejects TCP ports 135, 137 and 139 as well as UDP ports 137-139. These
are ports that are used by Windows (Windows <u>can</u> be configured to
use the DCE cell locator on port 135). Rejecting these connection requests
rather than dropping them cuts down slightly on the amount of Windows chatter
on LAN segments connected to the Firewall. </p>
also rejects TCP ports 135, 137 and 139 as well as UDP ports 137-139.
These are ports that are used by Windows (Windows <u>can</u> be configured
to use the DCE cell locator on port 135). Rejecting these connection requests
rather than dropping them cuts down slightly on the amount of Windows
chatter on LAN segments connected to the Firewall. </p>
<p align="left">If you are seeing port 80 being 'closed', that's probably
your ISP preventing you from running a web server in violation of your
@ -482,15 +490,15 @@ for "ping": </p>
</blockquote>
<h4 align="left"><a name="faq6"></a>6. Where are the log messages written
and  how do I change the destination?</h4>
and how do I change the destination?</h4>
<p align="left"><b>Answer: </b>NetFilter uses the kernel's equivalent of syslog
(see "man syslog") to log messages. It always uses the LOG_KERN (kern) facility
(see "man openlog") and you get to choose the log level (again, see "man
syslog") in your <a href="Documentation.htm#Policy">policies</a> and <a
href="Documentation.htm#Rules">rules</a>. The destination for messaged logged
by syslog is controlled by /etc/syslog.conf (see "man syslog.conf"). When
you have changed /etc/syslog.conf, be sure to restart syslogd (on a RedHat
href="Documentation.htm#Rules">rules</a>. The destination for messaged
logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
When you have changed /etc/syslog.conf, be sure to restart syslogd (on a RedHat
system, "service syslog restart"). </p>
<p align="left">By default, older versions of Shorewall ratelimited log messages
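Review bot: the typo "The destination for messaged logged by syslog" is carried over unchanged into the re-wrapped lines; it should read "messages logged". Since the paragraph is being touched, also note that the restart instruction is RedHat-specific ("service syslog restart"); a one-line hint for other distributions (sending SIGHUP to syslogd, or the distribution's init script) would save the next FAQ question.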
@ -543,10 +551,11 @@ this:</p>
for problems concerning the version of iptables (v1.2.3) shipped with RH7.2.</p>
</div>
<h4 align="left">
<h4 align="left"> </h4>
<h4 align="left"><a name="faq9"></a>9. Why can't Shorewall detect my interfaces
properly?</h4>
</h4>
<p align="left">I just installed Shorewall and when I issue the start command,
I see the following:</p>
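Review bot: the hunk leaves an empty heading element `<h4 align="left"> </h4>` immediately before the FAQ 9 heading, and a bare `</h4>` follows `properly?</h4>` on the next line; an empty heading carries no content, and a second closing tag without an opening one is unbalanced markup. Delete the empty `<h4>` and, if the stray `</h4>` survives this change, delete it as well so that only the FAQ 9 heading remains.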
@ -589,10 +598,10 @@ them when the authors feel that they are ready. </p>
(<a href="http://www.cityofshoreline.com">the city where I live</a>)
and "Fire<u>wall</u>".</p>
<h4 align="left"> <a name="faq14"></a>14.  I'm connected via a cable modem
<h4 align="left"> <a name="faq14"></a>14. I'm connected via a cable modem
and it has an internal web server that allows me to configure/monitor it
but as expected if I enable rfc1918 blocking for my eth0 interface (the internet
one), it also blocks the cable modems web server.</h4>
but as expected if I enable rfc1918 blocking for my eth0 interface (the
internet one), it also blocks the cable modems web server.</h4>
<p align="left">Is there any way it can add a rule before the rfc1918 blocking
that will let all traffic to and from the 192.168.100.1 address of the modem
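Review bot: "the cable modems web server" in the re-wrapped heading needs the possessive "modem's"; the same phrase appears in the FAQ 14 index entry near the top of the file and in the sentence that follows ("to and from the 192.168.100.1 address of the modem"). The rest of this hunk is a rewrap with no content change.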
@ -630,7 +639,41 @@ than 1.3.1, create /etc/shorewall/start and in it, place the following:</p>
</div>
<div align="left">
<p align="left">Be sure that you add the entry ABOVE the entry for 192.168.0.0/16.</p>
<p align="left">Be sure that you add the entry ABOVE the entry for 192.168.0.0/16.<br>
</p>
<p align="left">Note: If you add a second IP address to your external firewall
interface to correspond to the modem address, you must also make an entry
in /etc/shorewall/rfc1918 for that address. For example, if you configure
the address 192.168.100.2 on your firewall, then you would add two entries
to /etc/shorewall/rfc1918: <br>
</p>
<blockquote>
<table cellpadding="2" border="1" style="border-collapse: collapse;">
<tbody>
<tr>
<td valign="top"><u><b>SUBNET</b></u><br>
</td>
<td valign="top"><u><b>TARGET</b></u><br>
</td>
</tr>
<tr>
<td valign="top">192.168.100.1<br>
</td>
<td valign="top">RETURN<br>
</td>
</tr>
<tr>
<td valign="top">192.168.100.2<br>
</td>
<td valign="top">RETURN<br>
</td>
</tr>
</tbody>
</table>
</blockquote>
</div>
<div align="left">
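Review bot: the new note about configuring a second address on the external interface lists the two RETURN entries (192.168.100.1 and 192.168.100.2) without saying where in /etc/shorewall/rfc1918 they go, even though the sentence directly above it says the entry must be ABOVE the one for 192.168.0.0/16 because the file is matched in order. Restate that constraint in the note ("both entries must precede the 192.168.0.0/16 line"), otherwise a reader who appends them at the end of the file will find the broader 192.168.0.0/16 entry matching first and the modem still blocked. The trailing `<br>` the editor appended to the "Be sure that you add the entry ABOVE..." paragraph is also stray markup and can go.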
@ -649,9 +692,9 @@ lease.</h4>
the net</h4>
<p align="left"><b>Answer: </b>Every time I read "systems can't see out to
the net", I wonder where the poster bought computers with eyes and what those
computers will "see" when things are working properly. That aside, the most
common causes of this problem are:</p>
the net", I wonder where the poster bought computers with eyes and what
those computers will "see" when things are working properly. That aside,
the most common causes of this problem are:</p>
<ol>
<li>
@ -678,16 +721,14 @@ to your startup scripts or place it in /etc/shorewall/start. Under RedHat,
the max log level that is sent to the console is specified in /etc/sysconfig/init
in the LOGLEVEL variable.</p>
<div align="left">
<p align="left"></p>
</div>
<div align="left"> </div>
<p align="left"><font size="2">Last updated 9/23/2002 - <a
<p align="left"><font size="2">Last updated 10/8/2002 - <a
href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
</p>
</body>
</html>
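Review bot: the footer date is changed to "Last updated 10/8/2002" here, while install.htm in the same commit is set to "Updated 10/9/2002" and the news entry for 1.3.9b is dated 10/9/2002; the commit itself is dated 2002-10-09. Use the same date in all three files.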

View File

@ -1,147 +1,176 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall Installation</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Shorewall Installation and Upgrade</font></h1>
<h1 align="center"><font color="#ffffff">Shorewall Installation and
Upgrade</font></h1>
</td>
</tr>
</tbody>
</table>
<p align="center"><b>Before upgrading, be sure to review the
<a href="upgrade_issues.htm">Upgrade Issues</a></b></p>
<p align="center"><b>Before upgrading, be sure to review the <a
href="upgrade_issues.htm">Upgrade Issues</a></b></p>
<p><font size="4"><b><a href="#Install_RPM">Install using RPM</a><br>
<a href="#Install_Tarball">Install
using tarball</a><br>
<a href="#Install_Tarball">Install using tarball</a><br>
<a href="#Upgrade_RPM">Upgrade using RPM</a><br>
<a href="#Upgrade_Tarball">Upgrade
using tarball</a><br>
<a href="#Upgrade_Tarball">Upgrade using tarball</a><br>
<a href="#Config_Files">Configuring Shorewall</a><br>
<a href="fallback.htm">Uninstall/Fallback</a></b></font></p>
<p><a name="Install_RPM"></a>To install Shorewall using the RPM:</p>
<p><b>If you have RedHat 7.2 and are running iptables version 1.2.3 (at a shell
prompt, type &quot;/sbin/iptables --version&quot;), you must upgrade to version 1.2.4
either from the
<a href="http://www.redhat.com/support/errata/RHSA-2001-144.html">RedHat update
<p><b>If you have RedHat 7.2 and are running iptables version 1.2.3 (at a
shell prompt, type "/sbin/iptables --version"), you must upgrade to version
1.2.4 either from the <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">RedHat update
site</a> or from the <a href="errata.htm">Shorewall Errata page</a> before
attempting to start Shorewall.</b></p>
<ul>
<li>Install the RPM (rpm -ivh &lt;shorewall rpm&gt;).<br>
<br>
<b>Note: </b>Some SuSE users have encountered a problem whereby rpm reports a
conflict with kernel &lt;= 2.2 even though a 2.4 kernel is installed. If this
happens, simply use the --nodeps option to rpm (rpm -ivh --nodeps &lt;shorewall
rpm&gt;).</li>
<li>Edit the <a href="#Config_Files"> configuration files</a> to match your configuration. <font color="#FF0000"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY INSTALL THE RPM
AND ISSUE A &quot;shorewall start&quot; COMMAND. SOME CONFIGURATION IS REQUIRED BEFORE THE
FIREWALL WILL START. IF YOU ISSUE A &quot;start&quot; COMMAND AND THE FIREWALL FAILS TO
START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY NETWORK TRAFFIC. IF THIS HAPPENS,
ISSUE A &quot;shorewall clear&quot; COMMAND TO RESTORE NETWORK CONNECTIVITY.</b></font></li>
<li>Start the firewall by typing &quot;shorewall start&quot;</li>
<b>Note: </b>Some SuSE users have encountered a problem whereby rpm reports
a conflict with kernel &lt;= 2.2 even though a 2.4 kernel is installed.
If this happens, simply use the --nodeps option to rpm (rpm -ivh --nodeps
&lt;shorewall rpm&gt;).</li>
<li>Edit the <a href="#Config_Files"> configuration files</a> to match
your configuration. <font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u>
SIMPLY INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
IS REQUIRED BEFORE THE FIREWALL WILL START. IF YOU ISSUE A "start" COMMAND
AND THE FIREWALL FAILS TO START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY NETWORK
TRAFFIC. IF THIS HAPPENS, ISSUE A "shorewall clear" COMMAND TO RESTORE NETWORK
CONNECTIVITY.</b></font></li>
<li>Start the firewall by typing "shorewall start"</li>
</ul>
<p><a name="Install_Tarball"></a>To
install Shorewall using the tarball and install
script: </p>
<p><a name="Install_Tarball"></a>To install Shorewall using the tarball
and install script: </p>
<ul>
<li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
<li>cd to the shorewall directory (the version is encoded in the
directory name as in &quot;shorewall-1.1.10&quot;).</li>
directory name as in "shorewall-1.1.10").</li>
<li>If you are using <a
href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a href="http://www.redhat.com">RedHat</a>,
<a href="http://www.linux-mandrake.com">Mandrake</a>, <a href="http://www.corel.com">Corel</a>,
<a href="http://www.slackware.com/">Slackware</a> or
<a href="http://www.debian.org">Debian</a>
then type &quot;./install.sh&quot;</li>
href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a
href="http://www.redhat.com">RedHat</a>, <a
href="http://www.linux-mandrake.com">Mandrake</a>, <a
href="http://www.corel.com">Corel</a>, <a
href="http://www.slackware.com/">Slackware</a> or <a
href="http://www.debian.org">Debian</a> then type "./install.sh"</li>
<li>If you are using <a href="http://www.suse.com">SuSe</a> then type
&quot;./install.sh /etc/init.d&quot;</li>
<li>If your distribution has directory
/etc/rc.d/init.d or /etc/init.d then type
&quot;./install.sh&quot;</li>
<li>For other distributions, determine where your
distribution installs init scripts and type
&quot;./install.sh &lt;init script directory&gt;</li>
<li>Edit the <a href="#Config_Files"> configuration files</a> to match your configuration.</li>
<li>Start the firewall by typing &quot;shorewall
start&quot;</li>
<li>If the install script was unable to configure Shorewall to be started automatically at boot,
see <a href="Documentation.htm#Starting">these
instructions</a>.</li>
"./install.sh /etc/init.d"</li>
<li>If your distribution has directory /etc/rc.d/init.d or
/etc/init.d then type "./install.sh"</li>
<li>For other distributions, determine where your distribution
installs init scripts and type "./install.sh &lt;init script
directory&gt;</li>
<li>Edit the <a href="#Config_Files"> configuration files</a> to match
your configuration.</li>
<li>Start the firewall by typing "shorewall start"</li>
<li>If the install script was unable to configure Shorewall to be started
automatically at boot, see <a
href="starting_and_stopping_shorewall.htm">these instructions</a>.</li>
</ul>
<p><a name="Upgrade_RPM"></a>If you already have the Shorewall RPM installed and are upgrading to a new
version:</p>
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.3 version and you
have entries in the /etc/shorewall/hosts file then please check your
/etc/shorewall/interfaces file to be sure that it contains an entry for each
interface mentioned in the hosts file. Also, there are certain 1.2 rule forms
that are no longer supported under 1.3 (you must use the new 1.3 syntax). See
<a href="errata.htm#Upgrade">the upgrade issues </a>for details. You can check your rules and
host file for 1.3 compatibility using the &quot;shorewall check&quot; command after
installing the latest version of 1.3.</p>
<p><a name="Upgrade_RPM"></a>If you already have the Shorewall RPM installed
and are upgrading to a new version:</p>
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.3 version
and you have entries in the /etc/shorewall/hosts file then please check
your /etc/shorewall/interfaces file to be sure that it contains an entry
for each interface mentioned in the hosts file. Also, there are certain
1.2 rule forms that are no longer supported under 1.3 (you must use the
new 1.3 syntax). See <a href="errata.htm#Upgrade">the upgrade issues </a>for
details. You can check your rules and host file for 1.3 compatibility using
the "shorewall check" command after installing the latest version of 1.3.</p>
<ul>
<li>Upgrade the RPM (rpm -Uvh &lt;shorewall rpm file&gt;) <b>Note: </b>If you
are installing version 1.2.0 and have one of the 1.2.0 Beta RPMs installed,
you must use the &quot;--oldpackage&quot; option to rpm (e.g., &quot;rpm
-Uvh --oldpackage shorewall-1.2-0.noarch.rpm&quot;).
<p>
<b>Note: </b>Some SuSE users have encountered a problem whereby rpm reports a
conflict with kernel &lt;= 2.2 even though a 2.4 kernel is installed. If this
happens, simply use the --nodeps option to rpm (rpm -Uvh --nodeps &lt;shorewall
rpm&gt;).<br>
&nbsp;</li>
<li>See if there are any incompatibilities between your configuration and the
new Shorewall version (type &quot;shorewall check&quot;) and correct as necessary.</li>
<li>Upgrade the RPM (rpm -Uvh &lt;shorewall rpm file&gt;) <b>Note: </b>If
you are installing version 1.2.0 and have one of the 1.2.0 Beta RPMs
installed, you must use the "--oldpackage" option to rpm (e.g., "rpm
-Uvh --oldpackage shorewall-1.2-0.noarch.rpm").
<p> <b>Note: </b>Some SuSE users have encountered a problem whereby
rpm reports a conflict with kernel &lt;= 2.2 even though a 2.4 kernel
is installed. If this happens, simply use the --nodeps option to rpm (rpm
-Uvh --nodeps &lt;shorewall rpm&gt;).<br>
  </p>
</li>
<li>See if there are any incompatibilities between your configuration and
the new Shorewall version (type "shorewall check") and correct as necessary.</li>
<li>Restart the firewall (shorewall restart).</li>
</ul>
<p><a name="Upgrade_Tarball"></a>If you already have Shorewall installed and are upgrading to a new version
using the tarball:</p>
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.3 version and you
have entries in the /etc/shorewall/hosts file then please check your
/etc/shorewall/interfaces file to be sure that it contains an entry for each
interface mentioned in the hosts file.&nbsp; Also, there are certain 1.2 rule
forms that are no longer supported under 1.3 (you must use the new 1.3 syntax).
See <a href="errata.htm#Upgrade">the upgrade issues</a> for details. You can check your rules
and host file for 1.3 compatibility using the &quot;shorewall check&quot; command after
installing the latest version of 1.3.</p>
<p><a name="Upgrade_Tarball"></a>If you already have Shorewall installed
and are upgrading to a new version using the tarball:</p>
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.3 version
and you have entries in the /etc/shorewall/hosts file then please check
your /etc/shorewall/interfaces file to be sure that it contains an entry
for each interface mentioned in the hosts file.  Also, there are certain
1.2 rule forms that are no longer supported under 1.3 (you must use the
new 1.3 syntax). See <a href="errata.htm#Upgrade">the upgrade issues</a>
for details. You can check your rules and host file for 1.3 compatibility
using the "shorewall check" command after installing the latest version
of 1.3.</p>
<ul>
<li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
<li>cd to the shorewall directory (the version is encoded in the
directory name as in &quot;shorewall-3.0.1&quot;).</li>
directory name as in "shorewall-3.0.1").</li>
<li>If you are using <a
href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a href="http://www.redhat.com">RedHat</a>,
<a href="http://www.linux-mandrake.com">Mandrake</a>, <a href="http://www.corel.com">Corel</a>,
<a href="http://www.slackware.com/">Slackware</a> or
<a href="http://www.debian.org">Debian</a>
then type &quot;./install.sh&quot;</li>
href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a
href="http://www.redhat.com">RedHat</a>, <a
href="http://www.linux-mandrake.com">Mandrake</a>, <a
href="http://www.corel.com">Corel</a>, <a
href="http://www.slackware.com/">Slackware</a> or <a
href="http://www.debian.org">Debian</a> then type "./install.sh"</li>
<li>If you are using<a href="http://www.suse.com"> SuSe</a> then type
&quot;./install.sh /etc/init.d&quot;</li>
<li>If your distribution has directory
/etc/rc.d/init.d or /etc/init.d then type
&quot;./install.sh&quot;</li>
<li>For other distributions, determine where your
distribution installs init scripts and type
&quot;./install.sh &lt;init script directory&gt;</li>
<li>See if there are any incompatibilities between your configuration and the
new Shorewall version (type &quot;shorewall check&quot;) and correct as necessary.</li>
<li>Restart the firewall by typing &quot;shorewall restart&quot;</li>
"./install.sh /etc/init.d"</li>
<li>If your distribution has directory /etc/rc.d/init.d or
/etc/init.d then type "./install.sh"</li>
<li>For other distributions, determine where your distribution
installs init scripts and type "./install.sh &lt;init script
directory&gt;</li>
<li>See if there are any incompatibilities between your configuration
and the new Shorewall version (type "shorewall check") and correct as
necessary.</li>
<li>Restart the firewall by typing "shorewall restart"</li>
</ul>
<h3><a name="Config_Files"></a>Configuring Shorewall</h3>
<p>You will need to edit some or all of these configuration files to match your
setup. In most cases, the <a href="shorewall_quickstart_guide.htm">Shorewall
<p>You will need to edit some or all of these configuration files to match
your setup. In most cases, the <a href="shorewall_quickstart_guide.htm">Shorewall
QuickStart Guides</a> contain all of the information you need.</p>
<ul>
<li>/etc/shorewall/shorewall.conf - used to set several firewall
parameters.</li>
<li>/etc/shorewall/params - use this file to set shell variables that you will
expand in other files.</li>
<li>/etc/shorewall/params - use this file to set shell variables that
you will expand in other files.</li>
<li>/etc/shorewall/zones - partition the firewall's view of the world
into <i>zones.</i></li>
<li>/etc/shorewall/policy - establishes firewall high-level policy.</li>
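Review bot: the one substantive change in this hunk, retargeting the "these instructions" link from `Documentation.htm#Starting` to `starting_and_stopping_shorewall.htm`, is buried in an editor reflow of the whole file; it would be much easier to review (and to bisect later) as its own commit. Points to fix while the file is open: the example directory name in the tarball upgrade section reads "shorewall-3.0.1", which is inconsistent with "shorewall-1.1.10" in the install section above and is not a version that exists for a 1.3.9b release, so use the current version in both places; the closing quote is missing in both occurrences of `"./install.sh &lt;init script directory&gt;` (install and upgrade lists); and the RPM upgrade note about needing `--oldpackage` when replacing a 1.2.0 Beta RPM is stale for 1.3.x and can be dropped or moved to the upgrade-issues page. Finally, the red warning that a failed "shorewall start" leaves the system unable to accept any network traffic appears only in the RPM install list, not in the tarball install list, although the same risk applies; either repeat it or move it above both lists.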
@ -156,19 +185,23 @@ QuickStart Guides</a> contain all of the information you need.</p>
overall policies established in /etc/shorewall/policy.</li>
<li>/etc/shorewall/nat - defines static NAT rules.</li>
<li>/etc/shorewall/proxyarp - defines use of Proxy ARP.</li>
<li>/etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines hosts
accessible when Shorewall is stopped.</li>
<li>/etc/shorewall/tcrules - defines marking of packets for later use by
traffic control/shaping.</li>
<li>/etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines
hosts accessible when Shorewall is stopped.</li>
<li>/etc/shorewall/tcrules - defines marking of packets for later use
by traffic control/shaping.</li>
<li>/etc/shorewall/tos - defines rules for setting the TOS field in packet
headers.</li>
<li>/etc/shorewall/tunnels - defines IPSEC tunnels with end-points on
the firewall system.</li>
<li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC addresses.</li>
</ul>
<p><font size="2">Updated 9/13/2002 - <a href="support.htm">Tom
Eastep</a> </font></p>
<p><font size="2">Updated 10/9/2002 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
</body></html>
<br>
</body>
</html>

View File

@ -6,6 +6,7 @@
content="text/html; charset=windows-1252">
<title>Shorewall News</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
@ -26,8 +27,16 @@
</tbody>
</table>
<p><b>9/30/2002 - Shorewall 1.3.9a</b></p>
<p><b>10/9/2002 - Shorewall 1.3.9b</b></p>
This release rolls up fixes to the installer and to the firewall script.<br>
<p><b>10/6/2002 - Shorewall.net now running on RH8.0<br>
</b><br>
The firewall and server here at shorewall.net are now running RedHat release
8.0.<br>
<b><br>
9/30/2002 - Shorewall 1.3.9a</b></p>
Roles up the fix for broken tunnels.<br>
<p><b>9/30/2002 - TUNNELS Broken in 1.3.9!!!</b></p>
There is an updated firewall script at <a
href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
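Review bot: the new 1.3.9b entry, "This release rolls up fixes to the installer and to the firewall script", does not say which problems were fixed, whereas the 1.3.9a entry just below it at least names the tunnel breakage; name the fixes or link to the errata page as the 9/30/2002 entry does, since readers use this page to decide whether they need to upgrade. On the unchanged line below, "Roles up the fix for broken tunnels" should read "Rolls up". The markup of the new 10/6/2002 item is also odd: `<b>` is opened inside the `<p>`, closed after a `<br>`, and then a second `<b>` wraps the 9/30/2002 heading inside the same paragraph; give each news item its own `<p><b>date - title</b></p>` as the rest of the page does.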
@ -43,13 +52,14 @@ There is an updated firewall script at <a
<li><a href="configuration_file_basics.htm#dnsnames">DNS Names</a>
are now allowed in Shorewall config files (although I recommend against
using them).</li>
<li>The connection SOURCE may now be qualified by both interface and
IP address in a <a href="Documentation.htm#Rules">Shorewall rule</a>.</li>
<li>Shorewall startup is now disabled after initial installation until
the file /etc/shorewall/startup_disabled is removed. This avoids nasty surprises
during reboot for users who install Shorewall but don't configure it.</li>
<li>The 'functions' and 'version' files and the 'firewall' symbolic link
have been moved from /var/lib/shorewall to /usr/lib/shorewall to appease
<li>The connection SOURCE may now be qualified by both interface
and IP address in a <a href="Documentation.htm#Rules">Shorewall rule</a>.</li>
<li>Shorewall startup is now disabled after initial installation
until the file /etc/shorewall/startup_disabled is removed. This avoids
nasty surprises during reboot for users who install Shorewall but don't configure
it.</li>
<li>The 'functions' and 'version' files and the 'firewall' symbolic
link have been moved from /var/lib/shorewall to /usr/lib/shorewall to appease
the LFS police at Debian.<br>
</li>
@ -75,8 +85,8 @@ using them).</li>
<p><b>9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability
Restored<br>
</b></p>
A couple of recent configuration changes at www.shorewall.net had the
negative effect of breaking the Search facility:<br>
A couple of recent configuration changes at www.shorewall.net had
the negative effect of breaking the Search facility:<br>
<ol>
<li>Mailing List Archive Search was not available.</li>
@ -98,10 +108,10 @@ using them).</li>
</p>
<ul>
<li>A <a href="Documentation.htm#Conf">NEWNOTSYN</a> option has
been added to shorewall.conf. This option determines whether Shorewall
accepts TCP packets which are not part of an established connection and
that are not 'SYN' packets (SYN flag on and ACK flag off).</li>
<li>A <a href="Documentation.htm#Conf">NEWNOTSYN</a> option
has been added to shorewall.conf. This option determines whether Shorewall
accepts TCP packets which are not part of an established connection
and that are not 'SYN' packets (SYN flag on and ACK flag off).</li>
<li>The need for the 'multi' option to communicate between zones
za and zb on the same interface is removed in the case where the chain
'za2zb' and/or 'zb2za' exists. 'za2zb' will exist if:</li>
@ -207,7 +217,8 @@ the Frontpage files have been removed.</p>
href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi">CVS Repository</a></b></p>
<p>This branch will only be updated after I release a new version of Shorewall
so you can always update from this branch to get the latest stable tree.</p>
so you can always update from this branch to get the latest stable
tree.</p>
<p><b>8/7/2002 - <a href="errata.htm#Upgrade">Upgrade Issues</a> section added
to the <a href="errata.htm">Errata Page</a></b></p>
@ -221,15 +232,15 @@ the Frontpage files have been removed.</p>
<ul>
<li>The latest <a href="shorewall_quickstart_guide.htm">QuickStart
Guides </a> including the <a href="shorewall_setup_guide.htm">Shorewall
Setup Guide.</a></li>
<li>Shorewall will now DROP TCP packets that are not part of
or related to an existing connection and that are not SYN packets. These
"New not SYN" packets may be optionally logged by setting the LOGNEWNOTSYN
option in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.</li>
Guides </a> including the <a
href="shorewall_setup_guide.htm">Shorewall Setup Guide.</a></li>
<li>Shorewall will now DROP TCP packets that are not part
of or related to an existing connection and that are not SYN packets.
These "New not SYN" packets may be optionally logged by setting the
LOGNEWNOTSYN option in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.</li>
<li>The processing of "New not SYN" packets may be extended
by commands in the new <a href="shorewall_extension_scripts.htm">newnotsyn
extension script</a>.</li>
by commands in the new <a
href="shorewall_extension_scripts.htm">newnotsyn extension script</a>.</li>
</ul>
@ -238,10 +249,10 @@ by commands in the new <a href="shorewall_extension_scripts.htm">newnots
<p>This interim release:</p>
<ul>
<li>Causes the firewall script to remove the lock file if it
is killed.</li>
<li>Once again allows lists in the second column of the <a
href="Documentation.htm#Hosts">/etc/shorewall/hosts</a> file.</li>
<li>Causes the firewall script to remove the lock file if
it is killed.</li>
<li>Once again allows lists in the second column of the
<a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a> file.</li>
<li>Includes the latest <a
href="shorewall_quickstart_guide.htm">QuickStart Guides</a>.</li>
@ -289,8 +300,8 @@ prevent a successful restart.</li>
This option facilitates Proxy ARP sub-netting as described in the Proxy
ARP subnetting mini-HOWTO (<a
href="http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/">http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/</a>).
Specifying the proxyarp option for an interface causes Shorewall to
set /proc/sys/net/ipv4/conf/&lt;interface&gt;/proxy_arp.</li>
Specifying the proxyarp option for an interface causes Shorewall
to set /proc/sys/net/ipv4/conf/&lt;interface&gt;/proxy_arp.</li>
<li>The Samples have been updated to reflect the new capabilities
in this release. </li>
@ -307,21 +318,21 @@ prevent a successful restart.</li>
<ul>
<li>A new <a href="Documentation.htm#Routestopped"> /etc/shorewall/routestopped</a>
file has been added. This file is intended to eventually replace the
<b>routestopped</b> option in the /etc/shorewall/interface and
/etc/shorewall/hosts files. This new file makes remote firewall administration
easier by allowing any IP or subnet to be enabled while Shorewall is
stopped.</li>
file has been added. This file is intended to eventually replace
the <b>routestopped</b> option in the /etc/shorewall/interface
and /etc/shorewall/hosts files. This new file makes remote firewall
administration easier by allowing any IP or subnet to be enabled while
Shorewall is stopped.</li>
<li>An /etc/shorewall/stopped <a
href="Documentation.htm#Scripts">extension script</a> has been added.
This script is invoked after Shorewall has stopped.</li>
<li>A <b>DETECT_DNAT_ADDRS </b>option has been added to <a
href="Documentation.htm#Conf">/etc/shoreall/shorewall.conf</a>. When this
option is selected, DNAT rules only apply when the destination address
is the external interface's primary IP address.</li>
<li>A <b>DETECT_DNAT_ADDRS </b>option has been added to
<a href="Documentation.htm#Conf">/etc/shoreall/shorewall.conf</a>. When
this option is selected, DNAT rules only apply when the destination
address is the external interface's primary IP address.</li>
<li>The <a href="shorewall_quickstart_guide.htm">QuickStart
Guide</a> has been broken into three guides and has been almost entirely
rewritten.</li>
Guide</a> has been broken into three guides and has been almost
entirely rewritten.</li>
<li>The Samples have been updated to reflect the new capabilities
in this release. </li>
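Review bot: the reflowed DETECT_DNAT_ADDRS item carries the typo in its link text, "/etc/shoreall/shorewall.conf", unchanged from the old line into the new one; since the line is being rewritten anyway, correct it to /etc/shorewall/shorewall.conf (the href, Documentation.htm#Conf, is fine as is).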
@ -346,9 +357,9 @@ from those generated by the 'rfc1918' chain in the filter table.</li>
against the interfaces file.</li>
<li>The TARGET column in the rfc1918 file is now checked for
correctness.</li>
<li>The chain structure in the nat table has been changed to
reduce the number of rules that a packet must traverse and to correct
problems with NAT_BEFORE_RULES=No</li>
<li>The chain structure in the nat table has been changed
to reduce the number of rules that a packet must traverse and to
correct problems with NAT_BEFORE_RULES=No</li>
<li>The "hits" command has been enhanced.</li>
</ul>
@ -376,8 +387,8 @@ problems with NAT_BEFORE_RULES=No</li>
<ul>
<li>A <a href="Documentation.htm#Starting">logwatch command</a>
has been added to /sbin/shorewall.</li>
<li>A <a href="blacklisting_support.htm">dynamic blacklist facility</a>
has been added.</li>
<li>A <a href="blacklisting_support.htm">dynamic blacklist
facility</a> has been added.</li>
<li>Support for the <a href="Documentation.htm#Conf">Netfilter
multiport match function</a> has been added.</li>
<li>The files <b>firewall, functions </b>and <b>version</b>
@ -455,8 +466,8 @@ away the "all2<i>&lt;zone&gt;</i>" chain and replaced it with the "all2all
incorporates the following:</p>
<ul>
<li>Support for the /etc/shorewall/whitelist file has been withdrawn.
If you need whitelisting, see <a
<li>Support for the /etc/shorewall/whitelist file has been
withdrawn. If you need whitelisting, see <a
href="/1.3/whitelisting_under_shorewall.htm">these instructions</a>.</li>
</ul>
@ -471,8 +482,8 @@ away the "all2<i>&lt;zone&gt;</i>" chain and replaced it with the "all2all
is now an INPUT and a FORWARD chain for each interface; this reduces
the number of rules that a packet must traverse, especially in complicated
setups.</li>
<li><a href="Documentation.htm#Exclude">Sub-zones may now be
excluded from DNAT and REDIRECT rules.</a></li>
<li><a href="Documentation.htm#Exclude">Sub-zones may now
be excluded from DNAT and REDIRECT rules.</a></li>
<li>The names of the columns in a number of the configuration
files have been changed to be more consistent and self-explanatory
and the documentation has been updated accordingly.</li>
@ -486,15 +497,15 @@ excluded from DNAT and REDIRECT rules.</a></li>
features:</p>
<ul>
<li>Simplified rule syntax which makes the intent of each rule
clearer and hopefully makes Shorewall easier to learn.</li>
<li>Upward compatibility with 1.2 configuration files has been
maintained so that current users can migrate to the new syntax at
their convenience.</li>
<li><b><font color="#cc6666">WARNING:  Compatibility with the
old parameterized sample configurations has NOT been maintained. Users
still running those configurations should migrate to the new sample
configurations before upgrading to 1.3 Beta 1.</font></b></li>
<li>Simplified rule syntax which makes the intent of each
rule clearer and hopefully makes Shorewall easier to learn.</li>
<li>Upward compatibility with 1.2 configuration files has
been maintained so that current users can migrate to the new syntax
at their convenience.</li>
<li><b><font color="#cc6666">WARNING:  Compatibility with
the old parameterized sample configurations has NOT been maintained.
Users still running those configurations should migrate to the new
sample configurations before upgrading to 1.3 Beta 1.</font></b></li>
</ul>
@ -512,8 +523,8 @@ is supported.</li>
now inherit the VLSM and Broadcast Address of the interface's primary
IP address.</li>
<li>The order in which port forwarding DNAT and Static DNAT
<a href="Documentation.htm#Conf">can now be reversed</a> so that port
forwarding rules can override the contents of <a
<a href="Documentation.htm#Conf">can now be reversed</a> so that
port forwarding rules can override the contents of <a
href="Documentation.htm#NAT"> /etc/shorewall/nat</a>. </li>
</ul>
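Review bot: the reflowed sentence "The order in which port forwarding DNAT and Static DNAT can now be reversed" still lacks a verb in the relative clause; suggest "The order in which port-forwarding DNAT and static NAT are applied can now be reversed so that ...". It would also help to name the shorewall.conf setting that controls it, since the link only points at #Conf and NAT_BEFORE_RULES is mentioned elsewhere on this same page.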
@ -562,17 +573,17 @@ Unstable Branch</a></li>
<p>In this version:</p>
<ul>
<li>The 'try' command now accepts an optional timeout. If the
timeout is given in the command, the standard configuration will
automatically be restarted after the new configuration has been running
for that length of time. This prevents a remote admin from being locked
out of the firewall in the case where the new configuration starts
but prevents access.</li>
<li>The 'try' command now accepts an optional timeout. If
the timeout is given in the command, the standard configuration
will automatically be restarted after the new configuration has been
running for that length of time. This prevents a remote admin from
being locked out of the firewall in the case where the new configuration
starts but prevents access.</li>
<li>Kernel route filtering may now be enabled globally using
the new ROUTE_FILTER parameter in <a
href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf</a>.</li>
<li>Individual IP source addresses and/or subnets may now be
excluded from masquerading/SNAT.</li>
<li>Individual IP source addresses and/or subnets may now
be excluded from masquerading/SNAT.</li>
<li>Simple "Yes/No" and "On/Off" values are now case-insensitive
in /etc/shorewall/shorewall.conf.</li>
@ -600,9 +611,9 @@ excluded from masquerading/SNAT.</li>
<p><b>4/9/2002 - Shorewall QuickStart Guide Version 1.0 Available</b></p>
<p><a href="shorewall_quickstart_guide.htm">Version 1.0 of the QuickStart
Guide</a> is now available. This Guide and its accompanying sample configurations
are expected to provide a replacement for the recently withdrawn parameterized
samples. </p>
Guide</a> is now available. This Guide and its accompanying sample
configurations are expected to provide a replacement for the recently
withdrawn parameterized samples. </p>
<p><b>4/8/2002 - Parameterized Samples Withdrawn </b></p>
@ -718,8 +729,9 @@ dropped in the <i>common</i> chain</li>
<li>RFC 1918 checking in the mangle table has been streamlined
to no longer require packet marking. RFC 1918 checking in the filter
table has been changed to require half as many rules as previously.</li>
<li>A 'shorewall check' command has been added that does a cursory
validation of the zones, interfaces, hosts, rules and policy files.</li>
<li>A 'shorewall check' command has been added that does a
cursory validation of the zones, interfaces, hosts, rules and policy
files.</li>
</ul>
@ -734,12 +746,12 @@ dropped in the <i>common</i> chain</li>
<ul>
<li>$-variables may now be used anywhere in the configuration
files except /etc/shorewall/zones.</li>
<li>The interfaces and hosts files now have their contents validated
before any changes are made to the existing Netfilter configuration.
<li>The interfaces and hosts files now have their contents
validated before any changes are made to the existing Netfilter configuration.
The appearance of a zone name that isn't defined in /etc/shorewall/zones
causes "shorewall start" and "shorewall restart" to abort without changing
the Shorewall state. Unknown options in either file cause a warning
to be issued.</li>
causes "shorewall start" and "shorewall restart" to abort without
changing the Shorewall state. Unknown options in either file cause
a warning to be issued.</li>
<li>A problem occurring when BLACKLIST_LOGLEVEL was not set
has been corrected.</li>
@ -769,8 +781,8 @@ GNU/Linux File Hierarchy Standard, Version 2.2.</li>
<p><b>1/28/2002 - Shorewall 1.2.4 Released</b></p>
<ul>
<li>The "fw" zone <a href="Documentation.htm#FW">may now be given
a different name</a>.</li>
<li>The "fw" zone <a href="Documentation.htm#FW">may now be
given a different name</a>.</li>
<li>You may now place end-of-line comments (preceded by '#')
in any of the configuration files</li>
<li>There is now protection against against two state changing
@ -840,12 +852,12 @@ chain</li>
<li>Support for IP blacklisting has been added
<ul>
<li>You specify whether you want packets from blacklisted hosts
dropped or rejected using the <a
<li>You specify whether you want packets from blacklisted
hosts dropped or rejected using the <a
href="Documentation.htm#BLDisposition">BLACKLIST_DISPOSITION </a>setting
in /etc/shorewall/shorewall.conf</li>
<li>You specify whether you want packets from blacklisted hosts
logged and at what syslog level using the <a
<li>You specify whether you want packets from blacklisted
hosts logged and at what syslog level using the <a
href="Documentation.htm#BLLoglevel">BLACKLIST_LOGLEVEL</a> setting
in /etc/shorewall/shorewall.conf</li>
<li>You list the IP addresses/subnets that you wish to blacklist
@ -862,16 +874,17 @@ blacklist using the new "<a
<li>Use of TCP RST replies has been expanded 
<ul>
<li>TCP connection requests rejected because of a REJECT policy
are now replied with a TCP RST packet.</li>
<li>TCP connection requests rejected because of a REJECT
policy are now replied with a TCP RST packet.</li>
<li>TCP connection requests rejected because of a protocol=all
rule in /etc/shorewall/rules are now replied with a TCP RST packet.</li>
rule in /etc/shorewall/rules are now replied with a TCP RST
packet.</li>
</ul>
</li>
<li>A <a href="Documentation.htm#Logfile">LOGFILE</a> specification
has been added to /etc/shorewall/shorewall.conf. LOGFILE is used to
tell the /sbin/shorewall program where to look for Shorewall messages.</li>
has been added to /etc/shorewall/shorewall.conf. LOGFILE is used
to tell the /sbin/shorewall program where to look for Shorewall messages.</li>
</ul>
@ -904,8 +917,8 @@ than DROPPED. This speeds up connection establishment to some servers.</
<p>In version 1.2.1:</p>
<ul>
<li><a href="Documentation.htm#LogUncleanOption">Logging of Mangled/Invalid
Packets</a> is added. </li>
<li><a href="Documentation.htm#LogUncleanOption">Logging of
Mangled/Invalid Packets</a> is added. </li>
<li>The <a href="IPIP.htm">tunnel script</a> has been corrected.</li>
<li>'shorewall show tc' now correctly handles tunnels.</li>
@ -936,8 +949,8 @@ forced into a quick upgrade to 1.2.0 just to have access to bug fixes.</p>
</blockquote>
<p><b>12/19/2001 - Thanks to <a href="mailto:scowles@infohiiway.com">Steve
Cowles</a>, there is now a Shorewall mirror in Texas. </b>This web site
is mirrored at <a href="http://www.infohiiway.com/shorewall"
Cowles</a>, there is now a Shorewall mirror in Texas. </b>This web
site is mirrored at <a href="http://www.infohiiway.com/shorewall"
target="_top">http://www.infohiiway.com/shorewall</a> and the ftp site
is at <a href="ftp://ftp.infohiiway.com/pub/mirrors/shorewall">ftp://ftp.infohiiway.com/pub/mirrors/shorewall</a>.<b> </b></p>
@ -1006,13 +1019,13 @@ to properly display the NAT entry in that file.</li>
<li>A new "shorewall show connections" command has been added.</li>
<li>In the "shorewall monitor" output, the currently tracked
connections are now shown on a separate page.</li>
<li>Prior to this release, Shorewall unconditionally added the
external IP adddress(es) specified in /etc/shorewall/nat. Beginning
<li>Prior to this release, Shorewall unconditionally added
the external IP adddress(es) specified in /etc/shorewall/nat. Beginning
with version 1.1.16, a new parameter (<a
href="Documentation.htm#Aliases">ADD_IP_ALIASES</a>) may be set
to "no" (or "No") to inhibit this behavior. This allows IP aliases
created using your distribution's network configuration tools to
be used in static NAT. </li>
created using your distribution's network configuration tools
to be used in static NAT. </li>
</ul>
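Review bot: "external IP adddress(es)" in the ADD_IP_ALIASES item keeps its extra "d" across the reflow; fix it to "address(es)" while the line is being touched.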
@ -1037,8 +1050,8 @@ to properly display the NAT entry in that file.</li>
will first look for configuration files in the alternate directory then
in /etc/shorewall. To create an alternate configuration simply:<br>
1. Create a New Directory<br>
2. Copy to that directory any of your configuration files that
you want to change.<br>
2. Copy to that directory any of your configuration files
that you want to change.<br>
3. Modify the copied files as needed.<br>
4. Restart Shorewall specifying the new directory.</li>
<li>The rules for allowing/disallowing icmp echo-requests (pings)
@ -1047,8 +1060,8 @@ This allows you to add rules that selectively allow/deny ping based
on source or destination address.</li>
<li>Rules that specify multiple client ip addresses or subnets
no longer cause startup failures.</li>
<li>Zone names in the policy file are now validated against the
zones file.</li>
<li>Zone names in the policy file are now validated against
the zones file.</li>
<li>If you have <a href="Documentation.htm#MangleEnabled">packet
mangling</a> support enabled, the "<a
href="Documentation.htm#Interfaces">norfc1918</a>" interface option
@ -1094,12 +1107,14 @@ the <a href="Documentation.htm#Interfaces">documentation for the
refreshing the rules associated with the broadcast address on a dynamic
interface. This command should be used in place of "shorewall
restart" when the internet interface's IP address changes.</li>
<li>The /etc/shorewall/start file (if any) is now processed after
all temporary rules have been deleted. This change prevents the accidental
removal of rules added during the processing of that file.</li>
<li>The /etc/shorewall/start file (if any) is now processed
after all temporary rules have been deleted. This change prevents
the accidental removal of rules added during the processing of that
file.</li>
<li>The "dhcp" interface option is now applicable to firewall
interfaces used by a DHCP server running on the firewall.</li>
<li>The RPM can now be built from the .tgz file using "rpm -tb" </li>
<li>The RPM can now be built from the .tgz file using "rpm
-tb" </li>
</ul>
@ -1109,10 +1124,10 @@ restart" when the internet interface's IP address changes.</li>
<li>Shorewall now enables Ipv4 Packet Forwarding by default.
Packet forwarding may be disabled by specifying IP_FORWARD=Off in
/etc/shorewall/shorewall.conf. If you don't want Shorewall to enable
or disable packet forwarding, add IP_FORWARDING=Keep to your /etc/shorewall/shorewall.conf
file.</li>
<li>The "shorewall hits" command no longer lists extraneous service
names in its last report.</li>
or disable packet forwarding, add IP_FORWARDING=Keep to your
/etc/shorewall/shorewall.conf file.</li>
<li>The "shorewall hits" command no longer lists extraneous
service names in its last report.</li>
<li>Erroneous instructions in the comments at the head of the
firewall script have been corrected.</li>
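Review bot: the packet-forwarding item names the same setting two different ways, "IP_FORWARD=Off" on one line and "IP_FORWARDING=Keep" two lines later, and the reflow keeps both. A reader who copies the wrong spelling into shorewall.conf will not get the behaviour described, so use the name the firewall script actually reads in both places; "Ipv4" should also be "IPv4".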
@ -1123,16 +1138,16 @@ firewall script have been corrected.</li>
<ul>
<li>The "tunnels" file <u>really</u> is in the RPM now.</li>
<li>SNAT can now be applied to port-forwarded connections.</li>
<li>A bug which would cause firewall start failures in some dhcp
configurations has been fixed.</li>
<li>A bug which would cause firewall start failures in some
dhcp configurations has been fixed.</li>
<li>The firewall script now issues a message if you have the
name of an interface in the second column in an entry in /etc/shorewall/masq
and that interface is not up.</li>
<li>You can now configure Shorewall so that it<a
href="Documentation.htm#NatEnabled"> doesn't require the NAT and/or mangle
netfilter modules</a>.</li>
<li>Thanks to Alex  Polishchuk, the "hits" command from seawall
is now in shorewall.</li>
<li>Thanks to Alex  Polishchuk, the "hits" command from
seawall is now in shorewall.</li>
<li>Support for <a href="IPIP.htm">IPIP tunnels</a> has been
added.</li>
@ -1168,22 +1183,22 @@ been formatted to 80 columns for ease of editing on a VGA console.</li
<ul>
<li><a href="Documentation.htm#lograte">You may now rate-limit
the packet log.</a></li>
<li><font face="Century Gothic, Arial, Helvetica"> Previous versions
of Shorewall have an implementation of Static NAT which violates
the principle of least surprise.  NAT only occurs for packets arriving
at (DNAT) or send from (SNAT) the interface named in the INTERFACE
column of /etc/shorewall/nat. Beginning with version 1.1.6, NAT effective
regardless of which interface packets come from or are destined to.
To get compatibility with prior versions, I have added a new "ALL <a
href="NAT.htm#AllInterFaces">"ALL INTERFACES"  column to /etc/shorewall/nat</a>.
<li><font face="Century Gothic, Arial, Helvetica"> Previous
versions of Shorewall have an implementation of Static NAT which
violates the principle of least surprise.  NAT only occurs for packets
arriving at (DNAT) or send from (SNAT) the interface named in the
INTERFACE column of /etc/shorewall/nat. Beginning with version 1.1.6,
NAT effective regardless of which interface packets come from or are
destined to. To get compatibility with prior versions, I have added a
new "ALL <a href="NAT.htm#AllInterFaces">"ALL INTERFACES"  column to /etc/shorewall/nat</a>.
By placing "no" or "No" in the new column, the NAT behavior of
prior versions may be retained. </font></li>
<li>The treatment of <a href="IPSEC.htm#RoadWarrior">IPSEC Tunnels
where the remote gateway is a standalone system has been improved</a>.
Previously, it was necessary to include an additional rule allowing
UDP port 500 traffic to pass through the tunnel. Shorewall will now
create this rule automatically when you place the name of the remote
peer's zone in a new GATEWAY ZONE column in /etc/shorewall/tunnels. </li>
<li>The treatment of <a href="IPSEC.htm#RoadWarrior">IPSEC
Tunnels where the remote gateway is a standalone system has been
improved</a>. Previously, it was necessary to include an additional
rule allowing UDP port 500 traffic to pass through the tunnel. Shorewall
will now create this rule automatically when you place the name of
the remote peer's zone in a new GATEWAY ZONE column in /etc/shorewall/tunnels. </li>
</ul>
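Review bot: the 1.1.6 static-NAT item carries several defects through the reflow: "send from (SNAT)" should be "sent from", "NAT effective regardless" is missing "is", and the link text reads "a new "ALL <a ...>"ALL INTERFACES" column" with ALL doubled and a quote left unbalanced; suggest "a new <a href="NAT.htm#AllInterFaces">ALL INTERFACES</a> column". The <font face="Century Gothic, Arial, Helvetica"> wrapper appears only on this one list item and looks accidental.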
@ -1223,21 +1238,21 @@ been corrected (Thanks to Mark Pavlidis).
<li>/tmp/shorewallpolicy-$$ is now removed if there is an error
while starting the firewall.</li>
<li>/etc/shorewall/icmp.def and /etc/shorewall/common.def are
now used to define the icmpdef and common chains unless overridden by
the presence of /etc/shorewall/icmpdef or /etc/shorewall/common.</li>
<li>In the .lrp, the file /var/lib/lrpkg/shorwall.conf has been
corrected. An extra space after "/etc/shorwall/policy" has been removed
and "/etc/shorwall/rules" has been added.</li>
now used to define the icmpdef and common chains unless overridden
by the presence of /etc/shorewall/icmpdef or /etc/shorewall/common.</li>
<li>In the .lrp, the file /var/lib/lrpkg/shorwall.conf has
been corrected. An extra space after "/etc/shorwall/policy" has been
removed and "/etc/shorwall/rules" has been added.</li>
<li>When a sub-shell encounters a fatal error and has stopped
the firewall, it now kills the main shell so that the main shell will
not continue.</li>
<li>A problem has been corrected where a sub-shell stopped the
firewall and main shell continued resulting in a perplexing error message
referring to "common.so" resulted.</li>
<li>A problem has been corrected where a sub-shell stopped
the firewall and main shell continued resulting in a perplexing error
message referring to "common.so" resulted.</li>
<li>Previously, placing "-" in the PORT(S) column in /etc/shorewall/rules
resulted in an error message during start. This has been corrected.</li>
<li>The first line of "install.sh" has been corrected -- I had
inadvertently deleted the initial "#".</li>
<li>The first line of "install.sh" has been corrected -- I
had inadvertently deleted the initial "#".</li>
</ul>
@ -1247,9 +1262,9 @@ the firewall, it now kills the main shell so that the main shell will
<li>Port redirection now works again.</li>
<li>The icmpdef and common chains <a
href="Documentation.htm#Icmpdef">may now be user-defined</a>.</li>
<li>The firewall no longer fails to start if "routefilter" is
specified for an interface that isn't started. A warning message is
now issued in this case.</li>
<li>The firewall no longer fails to start if "routefilter"
is specified for an interface that isn't started. A warning message
is now issued in this case.</li>
<li>The LRP Version is renamed "shorwall" for 8,3 MSDOS file
system compatibility.</li>
<li>A couple of LRP-specific problems were corrected.</li>
@ -1268,9 +1283,9 @@ the firewall, it now kills the main shell so that the main shell will
<li>The common chain is traversed from INPUT, OUTPUT and FORWARD
before logging occurs</li>
<li>The source has been cleaned up dramatically</li>
<li>DHCP DISCOVER packets with RFC1918 source addresses no longer
generate log messages. Linux DHCP clients generate such packets and
it's annoying to see them logged. </li>
<li>DHCP DISCOVER packets with RFC1918 source addresses no
longer generate log messages. Linux DHCP clients generate such packets
and it's annoying to see them logged. </li>
</ul>
@ -1279,8 +1294,8 @@ the firewall, it now kills the main shell so that the main shell will
<ul>
<li>Log messages now indicate the packet disposition.</li>
<li>Error messages have been improved.</li>
<li>The ability to define zones consisting of an enumerated set
of hosts and/or subnetworks has been added.</li>
<li>The ability to define zones consisting of an enumerated
set of hosts and/or subnetworks has been added.</li>
<li>The zone-to-zone chain matrix is now sparse so that only
those chains that contain meaningful rules are defined.</li>
<li>240.0.0.0/4 and 169.254.0.0/16 have been added to the source
@ -1290,8 +1305,8 @@ interface option.</li>
when a chain is defined, when the firewall is initialized, when
the firewall is started, when the firewall is stopped and when the
firewall is cleared.</li>
<li>The Linux kernel's route filtering facility can now be specified
selectively on network interfaces.</li>
<li>The Linux kernel's route filtering facility can now be
specified selectively on network interfaces.</li>
</ul>
@ -1319,8 +1334,8 @@ packets are sent through the chain.</li>
<ul>
<li>The PATH variable in the firewall script now includes /usr/local/bin
and /usr/local/sbin.</li>
<li>DMZ-related chains are now correctly deleted if the DMZ is
deleted.</li>
<li>DMZ-related chains are now correctly deleted if the DMZ
is deleted.</li>
<li>The interface OPTIONS for "gw" interfaces are no longer
ignored.</li>
@ -1331,7 +1346,7 @@ packets are sent through the chain.</li>
tunnels with end-points on the firewall. There is also a .lrp available
now.</b></p>
<p><font size="2">Updated 9/23/2002 - <a href="support.htm">Tom Eastep</a>
<p><font size="2">Updated 10/9/2002 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2"> Copyright</font>
@ -1346,5 +1361,7 @@ now.</b></p>
<br>
<br>
<br>
<br>
<br>
</body>
</html>

View File

@ -37,7 +37,8 @@
<li> <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a></li>
<li> <a href="Install.htm">Installation/Upgrade/</a><br>
<a href="Install.htm">Configuration</a></li>
<li> <a href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></li>
<li> <a
href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></li>
<li> <a href="Documentation.htm">Reference Manual</a></li>
<li> <a href="FAQ.htm">FAQs</a></li>
<li><a href="useful_links.html">Useful Links</a><br>
@ -50,8 +51,8 @@
<li> <a href="shorewall_mirrors.htm">Mirrors</a>
<ul>
<li><a target="_top" href="http://slovakia.shorewall.net">Slovak
Republic</a></li>
<li><a target="_top"
href="http://slovakia.shorewall.net">Slovak Republic</a></li>
<li><a target="_top"
href="http://shorewall.infohiiway.com">Texas, USA</a></li>
<li><a target="_top" href="http://germany.shorewall.net">Germany</a></li>
@ -59,6 +60,7 @@
href="http://shorewall.correofuego.com.ar">Argentina</a></li>
<li><a target="_top" href="http://france.shorewall.net">France</a></li>
</ul>
</li>
@ -80,7 +82,7 @@
<form method="post" action="http://www.shorewall.net/cgi-bin/htsearch">
<strong><br>
<b>Note: </b></strong>Search is unavailable Daily 0100-0200 GMT.<br>
<b>Note: </b></strong>Search is unavailable Daily 0200-0330 GMT.<br>
<strong></strong>
<p><strong>Quick Search</strong><br>
<font face="Arial" size="-1"> <input type="text"
@ -106,5 +108,7 @@
<br>
<br>
<br>
<br>
<br>
</body>
</html>

View File

@ -31,8 +31,7 @@
<h2>Static Blacklisting</h2>
<p>Shorewall static blacklisting support has the following configuration
parameters:</p>
<p>Shorewall static blacklisting support has the following configuration parameters:</p>
<ul>
<li>You specify whether you want packets from blacklisted hosts dropped
@ -50,8 +49,8 @@ names in the blacklist file.<br>
<li>You specify the interfaces whose incoming packets you want checked
against the blacklist using the "<a
href="Documentation.htm#Interfaces">blacklist</a>" option in /etc/shorewall/interfaces.</li>
<li>The black list is refreshed from /etc/shorewall/blacklist by the "<a
href="Documentation.htm#Starting">shorewall refresh</a>" command.</li>
<li>The black list is refreshed from /etc/shorewall/blacklist by the
"<a href="Documentation.htm#Starting">shorewall refresh</a>" command.</li>
</ul>
@ -62,7 +61,7 @@ against the blacklist using the "<a
/sbin/shorewall commands:</p>
<ul>
<li>deny <i>&lt;ip address list&gt; </i>- causes packets from the listed
<li>drop <i>&lt;ip address list&gt; </i>- causes packets from the listed
IP addresses to be silently dropped by the firewall.</li>
<li>reject <i>&lt;ip address list&gt; </i>- causes packets from the listed
IP addresses to be rejected by the firewall.</li>
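Review bot: renaming the dynamic-blacklist command from "deny" to "drop" is a user-visible CLI change, and nothing in this commit records it as one; a cron job or shell alias that runs "shorewall deny ..." will no longer work as previously documented. Suggest keeping "deny" as an alias for one release or, at minimum, listing the rename on the Upgrade Issues page that this same commit links from errata.htm. The rename itself is sound: the verb now matches the "silently dropped" wording beside it and the reject counterpart.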
@ -76,7 +75,7 @@ be automatically restored the next time that the firewall is restarted.</li>
<p>Example 1:</p>
<pre> shorewall deny 192.0.2.124 192.0.2.125</pre>
<pre> shorewall drop 192.0.2.124 192.0.2.125</pre>
<p>    Drops packets from hosts 192.0.2.124 and 192.0.2.125</p>
@ -86,10 +85,11 @@ be automatically restored the next time that the firewall is restarted.</li>
<p>    Reenables access from 192.0.2.125.</p>
<p><font size="2">Last updated 9/16/2002 - <a href="support.htm">Tom Eastep</a></font></p>
<p><font size="2">Last updated 10/7/2002 - <a href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
</body>
</html>

View File

@ -20,6 +20,7 @@
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1>
</td>
</tr>
@ -38,9 +39,9 @@
it to your Linux system.</b></p>
</li>
<li>
<p align="left"> <b>If you are installing Shorewall for the first
time and plan to use the .tgz and install.sh script, you can untar
the archive, replace the 'firewall' script in the untarred directory
<p align="left"> <b>If you are installing Shorewall for the
first time and plan to use the .tgz and install.sh script, you can
untar the archive, replace the 'firewall' script in the untarred directory
with the one you downloaded below, and then run install.sh.</b></p>
</li>
<li>
@ -50,17 +51,22 @@ or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to overwrite
the existing file. DO NOT REMOVE OR RENAME THE OLD /etc/shorewall/firewall
or /var/lib/shorewall/firewall before you do that. /etc/shorewall/firewall
and /var/lib/shorewall/firewall are symbolic links that point
to the 'shorewall' file used by your system initialization scripts to
start Shorewall during boot. It is that file that must be overwritten
to the 'shorewall' file used by your system initialization scripts
to start Shorewall during boot. It is that file that must be overwritten
with the corrected script.</b></p>
</li>
<li>
<p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. For example,
do NOT install the 1.3.9a firewall script if you are running 1.3.7c.</font></b><br>
</p>
</li>
</ol>
<ul>
<li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
<li> <b><a href="#V1.3">Problems in Version
1.3</a></b></li>
<li> <b><a href="#V1.3">Problems in
Version 1.3</a></b></li>
<li> <b><a href="errata_2.htm">Problems
in Version 1.2</a></b></li>
<li> <b><font color="#660066"> <a
@ -70,24 +76,55 @@ in Version 1.2</a></b></li>
<li> <b><a href="#Debug">Problems with
kernels &gt;= 2.4.18 and RedHat iptables</a></b></li>
<li><b><a href="#SuSE">Problems installing/upgrading RPM on SuSE</a></b></li>
<li><b><a href="#Multiport">Problems with iptables version 1.2.7 and
MULTIPORT=Yes</a></b></li>
<li><b><a href="#Multiport">Problems with iptables version 1.2.7
and MULTIPORT=Yes</a></b></li>
<li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10 and NAT</a></b><br>
</li>
</ul>
<hr>
<h2 align="left"><a name="V1.3"></a>Problems in Version 1.3</h2>
<h3>Version 1.3.9a</h3>
<ul>
<li> If entries are used in /etc/shorewall/hosts and MERGE_HOSTS=No then
the following message appears during "shorewall [re]start":</li>
</ul>
<pre> recalculate_interfacess: command not found<br></pre>
<blockquote> The updated firewall script at <a
href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
corrects this problem.Copy the script to /usr/lib/shorewall/firewall as described
above.<br>
</blockquote>
<blockquote> Alternatively, edit /usr/lob/shorewall/firewall and change the
single occurence (line 483 in version 1.3.9a) of 'recalculate_interefacess'
to 'recalculate_interface'. <br>
</blockquote>
<ul>
<li>The installer (install.sh) issues a misleading message "Common functions
installed in /var/lib/shorewall/functions" whereas the file is installed
in /usr/lib/shorewall/functions. The installer also performs incorrectly
when updating old configurations that had the file /etc/shorewall/functions.
<a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.3.9/install.sh">Here
is an updated version that corrects these problems.<br>
</a></li>
</ul>
<h3>Version 1.3.9</h3>
<b>TUNNELS Broken in 1.3.9!!! </b>There is an updated firewall script at
<a href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall
</a>-- copy that file to /usr/lib/shorewall/firewall as descripbed above.<br>
<b>TUNNELS Broken in 1.3.9!!! </b>There is an updated firewall script
at <a
href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
-- copy that file to /usr/lib/shorewall/firewall as described above.<br>
<br>
Version 1.3.8
<ul>
<li> Use of shell variables in the LOG LEVEL or SYNPARMS columns of the
policy file doesn't work.</li>
<li> Use of shell variables in the LOG LEVEL or SYNPARMS columns of
the policy file doesn't work.</li>
<li>A DNAT rule with the same original and new IP addresses but with
different port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24 tcp
25 - 10.1.1.1")<br>
@ -135,8 +172,8 @@ server, the client won't be able to obtain
an IP address lease from that server.</li>
<li>With this order of checking, the
"dhcp" option cannot be used as a noise-reduction
measure where there are both dynamic and
static clients on a LAN segment.</li>
measure where there are both dynamic
and static clients on a LAN segment.</li>
</ol>
@ -165,9 +202,10 @@ an IP address lease from that server.</li>
<ul>
<li>
<p align="left">If ADD_SNAT_ALIASES=Yes is specified in /etc/shorewall/shorewall.conf,
an error occurs when the firewall script attempts to add an SNAT
alias. </p>
an error occurs when the firewall script attempts to add an
SNAT alias. </p>
</li>
<li>
<p align="left">The <b>logunclean </b>and <b>dropunclean</b> options
@ -235,10 +273,10 @@ an IP address lease from that server.</li>
<h3 align="left">Version 1.3.n, n &lt; 4</h3>
<p align="left">The "shorewall start" and "shorewall restart" commands
to not verify that the zones named in the /etc/shorewall/policy file
have been previously defined in the /etc/shorewall/zones file.
The "shorewall check" command does perform this verification so
it's a good idea to run that command after you have made configuration
to not verify that the zones named in the /etc/shorewall/policy
file have been previously defined in the /etc/shorewall/zones
file. The "shorewall check" command does perform this verification
so it's a good idea to run that command after you have made configuration
changes.</p>
<h3 align="left">Version 1.3.n, n &lt; 3</h3>
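Review bot: the rewrap keeps the typo "to not verify" in the 1.3.n, n < 4 paragraph (old and new lines alike); it should read "do not verify that the zones named in the /etc/shorewall/policy file have been previously defined". Worth fixing while the paragraph is being touched, since "to not verify" reads as the opposite of what is meant.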
@ -248,22 +286,22 @@ it's a good idea to run that command after you have made configuratio
by that name" then you probably have an entry in /etc/shorewall/hosts
that specifies an interface that you didn't include in /etc/shorewall/interfaces.
To correct this problem, you must add an entry to /etc/shorewall/interfaces.
Shorewall 1.3.3 and later versions produce a clearer error message
in this case.</p>
Shorewall 1.3.3 and later versions produce a clearer error
message in this case.</p>
<h3 align="left">Version 1.3.2</h3>
<p align="left">Until approximately 2130 GMT on 17 June 2002, the
download sites contained an incorrect version of the .lrp file. That
file can be identified by its size (56284 bytes). The correct version
has a size of 38126 bytes.</p>
file can be identified by its size (56284 bytes). The correct
version has a size of 38126 bytes.</p>
<ul>
<li>The code to detect a duplicate interface entry in
/etc/shorewall/interfaces contained a typo that prevented it from
working correctly. </li>
<li>"NAT_BEFORE_RULES=No" was broken; it behaved just like
"NAT_BEFORE_RULES=Yes".</li>
<li>"NAT_BEFORE_RULES=No" was broken; it behaved just
like "NAT_BEFORE_RULES=Yes".</li>
</ul>
@ -274,6 +312,7 @@ it's a good idea to run that command after you have made configuratio
<ul>
<li>
<p align="left">The IANA have just announced the allocation of subnet
221.0.0.0/8. This <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/rfc1918">
@ -290,9 +329,10 @@ it's a good idea to run that command after you have made configuratio
packet is sent through the limit chain twice).</li>
<li>An unnecessary jump to the policy chain is sometimes
generated for a CONTINUE policy.</li>
<li>When an option is given for more than one interface in
/etc/shorewall/interfaces then depending on the option, Shorewall
may ignore all but the first appearence of the option. For example:<br>
<li>When an option is given for more than one interface
in /etc/shorewall/interfaces then depending on the option,
Shorewall may ignore all but the first appearence of the option.
For example:<br>
<br>
net    eth0    dhcp<br>
loc    eth1    dhcp<br>
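Review bot: "appearence" survives the rewrap in "Shorewall may ignore all but the first appearence of the option"; it should be "appearance".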
@ -300,12 +340,13 @@ it's a good idea to run that command after you have made configuratio
Shorewall will ignore the 'dhcp' on eth1.</li>
<li>Update 17 June 2002 - The bug described in the prior
bullet affects the following options: dhcp, dropunclean, logunclean,
norfc1918, routefilter, multi, filterping and noping. An additional
bug has been found that affects only the 'routestopped' option.<br>
norfc1918, routefilter, multi, filterping and noping. An
additional bug has been found that affects only the 'routestopped'
option.<br>
<br>
Users who downloaded the corrected script prior to 1850 GMT
today should download and install the corrected script again
to ensure that this second problem is corrected.</li>
Users who downloaded the corrected script prior to 1850
GMT today should download and install the corrected script
again to ensure that this second problem is corrected.</li>
</ul>
@ -396,6 +437,7 @@ from<font color="#ff6633"> <a
"iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
</blockquote>
<h3><a name="SuSE"></a>Problems installing/upgrading
RPM on SuSE</h3>
@ -429,7 +471,22 @@ from<font color="#ff6633"> <a
</ul>
<p><font size="2"> Last updated 9/28/2002 -
<h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br>
</h3>
/etc/shorewall/nat entries of the following form will result in Shorewall
being unable to start:<br>
<br>
<pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22    eth0    192.168.9.22   yes     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
Error message is:<br>
<pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
The solution is to put "no" in the LOCAL column. Kernel support for LOCAL=yes
has never worked properly and 2.4.18-10 has disabled it. The 2.4.19 kernel
contains corrected support under a new kernel configuraiton option; see
<a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
<p><font size="2"> Last updated 10/9/2002 -
<a href="support.htm">Tom Eastep</a></font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
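Review bot: in the new "Problems with RH Kernel 2.4.18-10 and NAT" section, "configuraiton" should be "configuration", and the <h3> heading carries a stray <br> before </h3>. More substantively, the remedy "put 'no' in the LOCAL column" should say what the user gives up: with LOCAL=no the 192.0.2.22 <-> 192.168.9.22 translation no longer applies to connections originating on the firewall itself, only to traffic arriving on eth0 (and, with ALL INTERFACES=yes, on the other interfaces). One sentence on that would save readers a trip to Documentation.htm#NAT.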
@ -438,5 +495,8 @@ from<font color="#ff6633"> <a
<br>
<br>
<br>
<br>
<br>
<br>
</body>
</html>

View File

@ -1,21 +1,30 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Mailing List Problems</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Mailing List Problems</font></h1>
<h1 align="center"><font color="#ffffff">Mailing List Problems</font></h1>
</td>
</tr>
</tbody>
</table>
<h2 align="left">Shorewall.net is currently experiencing mail delivery problems
@ -23,37 +32,18 @@ to at least one address in each of the following domains:</h2>
<blockquote>
<div align="left">
<pre>2020ca - delivery to this domain has been disabled (cause unknown)
excite.com - delivery to this domain has been disabled (cause unknown)
epacificglobal.com - delivery to this domain has been disabled (no MX record for domain)
familie-fleischhacker.de - (connection timed out)
gmx.net - delivery to this domain has been disabled (cause unknown)
hotmail.com - delivery to this domain has been disabled (Mailbox over quota)
intercom.net - delivery to this domain has been disabled (cause unknown)
initialcs.com - delivery to this domain has been disabled (cause unknown)
intelligents.2y.net - delivery to this domain has been disabled (Name Service Problem -- Host not Found).
khp-inc.com - delivery to this domain has been disabled (anti-virus problems)
kieninger.de - delivery to this domain has been disabled (relaying to &lt;xxxxx@kieninger.de&gt; prohibited by administrator)
littleblue.de - (connection timed out)
opermail.net - delivery to this domain has been disabled (cause unknown)
penquindevelopment.com - delivery to this domain has been disabled (connection timed out)
scip-online.de - delivery to this domain has been disabled (cause unknown)
spctnet.com - connection timed out - delivery to this domain has been disabled
telusplanet.net - delivery to this domain has been disabled (cause unknown)
yahoo.com - delivery to this domain has been disabled (Mailbox over quota)</pre>
<pre>2020ca - delivery to this domain has been disabled (cause unknown)<br>arundel.homelinux.org - delivery to this domain has been disabled (connection timed out, connection refused)<br>excite.com - delivery to this domain has been disabled (cause unknown)<br>epacificglobal.com - delivery to this domain has been disabled (no MX record for domain)<br>familie-fleischhacker.de - (connection timed out)<br>gmx.net - delivery to this domain has been disabled (cause unknown)<br>hotmail.com - delivery to this domain has been disabled (Mailbox over quota)<br>intercom.net - delivery to this domain has been disabled (cause unknown)<br>ionsphere.org - (connection timed out)<br>initialcs.com - delivery to this domain has been disabled (cause unknown)<br>intelligents.2y.net - delivery to this domain has been disabled (Name Service Problem -- Host not Found).<br>khp-inc.com - delivery to this domain has been disabled (anti-virus problems)<br>kieninger.de - delivery to this domain has been disabled (relaying to &lt;xxxxx@kieninger.de&gt; prohibited by administrator)<br>littleblue.de - (connection timed out)<br>navair.navy.mil - delivery to this domain has been disabled (A restriction in the system prevented delivery of the message)<br>opermail.net - delivery to this domain has been disabled (cause unknown)<br>penquindevelopment.com - delivery to this domain has been disabled (connection timed out)<br>scip-online.de - delivery to this domain has been disabled (cause unknown)<br>spctnet.com - connection timed out - delivery to this domain has been disabled<br>telusplanet.net - delivery to this domain has been disabled (cause unknown)<br>yahoo.com - delivery to this domain has been disabled (Mailbox over quota)</pre>
</div>
</blockquote>
<p align="left"><font size="2">Last updated 8/23/2002 17:16 GMT -
<a href="support.htm">Tom
Eastep</a></font></p>
<p align="left"><font size="2">Last updated 10/6/2002 20:30 GMT - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm">
<font face="Trebuchet MS">
<font size="2">Copyright</font> © <font size="2">2002 Thomas M. Eastep.</font></font></a></p>
<p align="left">&nbsp;</p>
<p align="left"><a href="copyright.htm"> <font face="Trebuchet MS"> <font
size="2">Copyright</font> © <font size="2">2002 Thomas M. Eastep.</font></font></a></p>
<p align="left"> </p>
<br>
<br>
</body>
</html>
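Review bot: the replacement collapses the delivery-problem list from one domain per line into a single <pre> line joined with <br> tags. Inside <pre>, newlines are already preserved, so the <br>s are redundant, and the one-line form makes every future change (here the additions of arundel.homelinux.org, ionsphere.org and navair.navy.mil) show up as a rewrite of the whole block instead of an added line. Suggest keeping one entry per source line.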

View File

@ -43,8 +43,8 @@ is connected to eth0. I have a local network connected to eth2 (subnet 192.168.1
<ul>
<li>Static NAT for ursa (my XP System) - Internal address 192.168.1.5
and external address 206.124.146.178.</li>
<li>Proxy ARP for wookie (my Linux System). This system has two IP addresses:
192.168.1.3/24 and 206.124.146.179/24.</li>
<li>Proxy ARP for wookie (my Linux System). This system has two IP
addresses: 192.168.1.3/24 and 206.124.146.179/24.</li>
<li>SNAT through the primary gateway address (206.124.146.176) for 
my Wife's system (tarry) and the Wireless Access Point (wap)</li>
@ -93,8 +93,8 @@ of the entry in /etc/shorewall/proxyarp (see below).</
interfaces to my laptop (206.124.146.180).</p>
<p><font color="#ff0000" size="5"> Note: My files
use features not available before Shorewall version
1.3.4.</font></p>
use features not available before Shorewall
version 1.3.4.</font></p>
</blockquote>
<h3>Shorewall.conf</h3>
@ -108,8 +108,8 @@ of the entry in /etc/shorewall/proxyarp (see below).</
<h3>Interfaces File: </h3>
<blockquote>
<p> This is set up so that I can start the firewall before bringing up my
Ethernet interfaces. </p>
<p> This is set up so that I can start the firewall before bringing up
my Ethernet interfaces. </p>
</blockquote>
<pre><font face="Courier" size="2"> #ZONE INTERFACE BROADCAST OPTIONS<br> net eth0 206.124.146.255 routefilter,norfc1918,blacklist,filterping<br> loc eth2 192.168.1.255 dhcp<br> dmz eth1 206.124.146.255 -<br> net eth3 206.124.146.255 norfc1918<br> - texas -<br> loc ppp+<br> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
@ -140,10 +140,11 @@ Ethernet interfaces. </p>
<blockquote>
<p> Although most of our internal systems use static NAT, my wife's system
(192.168.1.4) uses IP Masquerading (actually SNAT) as do visitors with laptops.</p>
(192.168.1.4) uses IP Masquerading (actually SNAT) as do visitors with
laptops. Also, I masquerade wookie to the peer subnet in Texas.</p>
</blockquote>
<pre><font size="2" face="Courier"> #INTERFACE SUBNET ADDRESS<br> eth0 192.168.1.0/24 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</font></pre>
<pre><font size="2" face="Courier"> #INTERFACE SUBNET ADDRESS<br> eth0 192.168.1.0/24 206.124.146.176<br> texas 206.124.146.179 192.168.1.254<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</font></pre>
<h3>NAT File: </h3>
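Review bot: the new masq entry "texas 206.124.146.179 192.168.1.254" matches only wookie's public address, but the Proxy ARP description on this page gives wookie a second address, 192.168.1.3, so traffic sourced from that address toward Texas will not be masqueraded. If that is intended (wookie always uses 206.124.146.179 on that path), a word in the prose would help; otherwise add a second entry or use a subnet in the SUBNET column.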
@ -151,18 +152,21 @@ Ethernet interfaces. </p>
<h3>Proxy ARP File:</h3>
<pre><font face="Courier" size="2"> #ADDRESS INTERFACE EXTERNAL HAVEROUTE<br> 206.124.146.177 eth1 eth0 No<br> 206.124.146.180 eth3 eth0 No<br> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
<pre><font face="Courier" size="2"> #ADDRESS INTERFACE EXTERNAL HAVEROU</font><font
face="Courier" size="2">TE<br> 206.124.146.177 eth1 eth0 No<br> 206.124.146.180 eth3 eth0 No<br> 206.124.146.179 eth2 eth0 No<br></font><font
face="Courier" size="2"> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
<h3>Rules File (The shell variables
are set in /etc/shorewall/params):</h3>
<pre><font face="Courier" size="2"> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL<br> # PORT(S) PORT(S) PORT(S) DEST<br> #<br> # Local Network to Internet - Reject attempts by Trojans to call home<br> #<br> REJECT:info loc net tcp 6667<br> #<br> # Local Network to Firewall <br> #<br> ACCEPT loc fw tcp ssh<br> ACCEPT loc fw tcp time<br> #<br> # Local Network to DMZ <br> #<br> ACCEPT loc dmz udp domain<br> ACCEPT loc dmz tcp smtp<br> ACCEPT loc dmz tcp domain<br> ACCEPT loc dmz tcp ssh<br> ACCEPT loc dmz tcp auth<br> ACCEPT loc dmz tcp imap<br> ACCEPT loc dmz tcp https<br> ACCEPT loc dmz tcp imaps<br> ACCEPT loc dmz tcp cvspserver<br> ACCEPT loc dmz tcp www<br> ACCEPT loc dmz tcp ftp<br> ACCEPT loc dmz tcp pop3<br> ACCEPT loc dmz icmp echo-request<br> #<br> # Internet to DMZ <br> #<br> ACCEPT net dmz tcp www<br> ACCEPT net dmz tcp smtp<br> ACCEPT net dmz tcp ftp<br> ACCEPT net dmz tcp auth<br> ACCEPT net dmz tcp https<br> ACCEPT net dmz tcp imaps<br> ACCEPT net dmz tcp domain<br> ACCEPT net dmz tcp cvspserver<br> ACCEPT net dmz udp domain<br> ACCEPT net dmz icmp echo-request<br> ACCEPT net:$MIRRORS dmz tcp rsync<br> #<br> # Net to Me (ICQ chat and file transfers) <br> #<br> ACCEPT net me tcp 4000:4100<br> #<br> # Net to Local <br> #<br> ACCEPT net loc tcp auth<br> REJECT net loc tcp www<br> #<br> # DMZ to Internet<br> #<br> ACCEPT dmz net icmp echo-request<br> ACCEPT dmz net tcp smtp<br> ACCEPT dmz net tcp auth<br> ACCEPT dmz net tcp domain<br> ACCEPT dmz net tcp www<br> ACCEPT dmz net tcp https<br> ACCEPT dmz net tcp whois<br> ACCEPT dmz net tcp echo<br> ACCEPT dmz net udp domain<br> ACCEPT dmz net:$NTPSERVERS udp ntp<br> ACCEPT dmz net:$POPSERVERS tcp pop3<br> #<br> # The following compensates for a bug, either in some FTP clients or in the<br> # Netfilter connection tracking code that occasionally denies active mode<br> # FTP clients<br> #<br> ACCEPT:info dmz net tcp 1024: 20<br> #<br> # DMZ to Firewall -- snmp<br> #<br> ACCEPT dmz fw tcp snmp<br> ACCEPT dmz fw 
udp snmp<br> #<br> # DMZ to Local Network <br> #<br> ACCEPT dmz loc tcp smtp<br> ACCEPT dmz loc tcp auth<br> ACCEPT dmz loc icmp echo-request<br> # Internet to Firewall<br> #<br> ACCEPT net fw tcp 1723<br> ACCEPT net fw gre<br> REJECT net fw tcp www<br> #<br> # Firewall to Internet<br> #<br> ACCEPT fw net:$NTPSERVERS udp ntp<br> ACCEPT fw net udp domain<br> ACCEPT fw net tcp domain<br> ACCEPT fw net tcp www<br> ACCEPT fw net tcp https<br> ACCEPT fw net tcp ssh<br> ACCEPT fw net tcp whois<br> ACCEPT fw net icmp echo-request<br> #<br> # Firewall to DMZ<br> #<br> ACCEPT fw dmz tcp www<br> ACCEPT fw dmz tcp ftp<br> ACCEPT fw dmz tcp ssh<br> ACCEPT fw dmz tcp smtp<br> ACCEPT fw dmz udp domain<br> #<br> # Let Texas Ping<br> #<br> ACCEPT tx fw icmp echo-request<br> ACCEPT tx loc icmp echo-request<br><br> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
<p><font size="2"> Last updated 9/19/2002 - </font><font size="2">
<p><font size="2"> Last updated 10/1/2002 - </font><font size="2">
<a href="support.htm">Tom Eastep</a></font>
</p>
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
<br>
<br>
</body>
</html>
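Review bot: the re-saved Proxy ARP <pre> splits the column header across two <font> elements ("HAVEROU</font><font ...>TE"), and the rules <pre> appears to break mid-entry ("ACCEPT dmz fw" / "udp snmp"). Both render fine but make the source hard to review; a single <font> wrapper per block avoids it. Also, the "Let Texas Ping" rules use zone "tx" while the interfaces entry for the texas interface gives zone "-", so the definition of tx (presumably in the hosts file) is not shown anywhere on this page; worth including alongside the new proxyarp entry for wookie.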

View File

@ -32,14 +32,16 @@ and I had it up and running in under 20 minutes!" -- JL, Ohio<br>
</p>
"My case was almost like [the one above]. Well. instead of 'weeks' it was
'months' for me, and I think I needed two minutes more:<br>
<ul>
<li>One to see that I had no Internet access from the firewall itself.</li>
<li>Other to see that this was the default configuration, and it was enough
to uncomment a line in /etc/shorewall/policy.<br>
</li>
</ul>
Minutes instead of months! Congratulations and thanks for such a simple and
well documented thing for something as huge as iptables." -- JV, Spain.
Minutes instead of months! Congratulations and thanks for such a simple
and well documented thing for something as huge as iptables." -- JV, Spain.
<p>"I downloaded Shorewall 1.2.0 and installed it on Mandrake 8.1 without
any problems. Your documentation is great and I really appreciate your
@ -51,15 +53,15 @@ scripts but this one is till now the best." -- B.R, Netherlands
</p>
<p>"Never in my +12 year career as a sys admin have I witnessed someone
so relentless in developing a secure, state of the art, save and useful
so relentless in developing a secure, state of the art, safe and useful
product as the Shorewall firewall package for no cost or obligation
involved." -- Mario Kericki, Toronto </p>
involved." -- Mario Kerecki, Toronto </p>
<p>"one time more to report, that your great shorewall in the latest
release 1.2.9 is working fine for me with SuSE Linux 7.3! I now
have 7 machines up and running with shorewall on several versions -
starting with 1.2.2 up to the new 1.2.9 and I never have encountered
any problems!" -- SM, Germany</p>
release 1.2.9 is working fine for me with SuSE Linux 7.3! I now have
7 machines up and running with shorewall on several versions - starting
with 1.2.2 up to the new 1.2.9 and I never have encountered any problems!"
-- SM, Germany</p>
<p>"You have the best support of any other package I've ever used."
-- SE, US </p>
@ -68,8 +70,8 @@ any problems!" -- SM, Germany</p>
national government as secret, our security doesn't stop by putting a fence
around our company. Information security is a hot issue. We also make use
of checkpoint firewalls, but not all of the internet servers are guarded
by checkpoint, some of them are running....Shorewall." -- Name withheld
by request, Europe</p>
by checkpoint, some of them are running....Shorewall." -- Name withheld by
request, Europe</p>
<p>"thanx for all your efforts you put into shorewall - this product stands
out against a lot of commercial stuff i´ve been working with in terms of
@ -90,12 +92,13 @@ people recommending it. :-)<br>
<br>
 </p>
<p><font size="2" face="Century Gothic, Arial, Helvetica">Updated 9/24/2002
<p><font size="2" face="Century Gothic, Arial, Helvetica">Updated 10/9/2002
- <a href="support.htm">Tom Eastep</a> </font>
</p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
</body>
</html>

View File

@ -20,12 +20,13 @@
<td width="100%" height="90">
<h1 align="center"> <font size="4"><i> <a
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4"
alt="Shorwall Logo" height="70" width="85" align="left"
src="images/washington.jpg" border="0">
</a></i></font><font color="#ffffff">Shorewall 1.3
- <font size="4">"<i>iptables made easy"</i></font></font></h1>
</a></i></font><font color="#ffffff">Shorewall
1.3 - <font size="4">"<i>iptables made easy"</i></font></font></h1>
<div align="center"><a href="1.2" target="_top"><font
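Review bot: the logo's alt text "Shorwall Logo" (context line) is misspelled; it should be "Shorewall Logo".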
@ -49,31 +50,36 @@
<td width="90%">
<h2 align="left">What is it?</h2>
<p>The Shoreline Firewall, more commonly known as "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
firewall that can be used on a dedicated firewall system, a multi-function
<p>The Shoreline Firewall, more commonly known as "Shorewall", is a
<a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
that can be used on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system.</p>
<p>This program is free software; you can redistribute it and/or modify
it under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
General Public License</a> as published by the Free Software Foundation.<br>
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU General
Public License</a> as published by the Free Software Foundation.<br>
<br>
This program is distributed in the hope that
it will be useful, but WITHOUT ANY WARRANTY; without even the
implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
PURPOSE. See the GNU General Public License for more details.<br>
This program is distributed in the hope
that it will be useful, but WITHOUT ANY WARRANTY; without
even the implied warranty of MERCHANTABILITY or FITNESS FOR
A PARTICULAR PURPOSE. See the GNU General Public License for
more details.<br>
<br>
You should have received a copy of the GNU General
Public License along with this program; if not, write to the
Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA
02139, USA</p>
You should have received a copy of the
GNU General Public License along with this program; if
not, write to the Free Software Foundation, Inc., 675 Mass
Ave, Cambridge, MA 02139, USA</p>
@ -81,12 +87,14 @@ it will be useful, but WITHOUT ANY WARRANTY; without even the
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques Nilo and Eric Wolzak have a LEAF
distribution called <i>Bering</i> that features Shorewall-1.3.3
and Kernel-2.4.18. You can find their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
</a>Jacques Nilo and Eric Wolzak have
a LEAF distribution called <i>Bering</i> that features
Shorewall-1.3.3 and Kernel-2.4.18. You can find their work at:
<a href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
@ -94,51 +102,79 @@ it will be useful, but WITHOUT ANY WARRANTY; without even the
<p><b>9/30/2002 - Shorewall 1.3.9a </b><b><img border="0"
<h2></h2>
<p><b>10/9/2002 - Shorewall 1.3.9b </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
This release rolls up fixes to the installer and to the firewall script.<br>
<b><br>
10/6/2002 - Shorewall.net now running on RH8.0 </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
</b><br>
<br>
The firewall and server here at shorewall.net are now running RedHat release
8.0.<br>
<p><b>9/30/2002 - Shorewall 1.3.9a</b><b>
</b></p>
Roles up the fix for broken tunnels.<br>
<p><b>9/30/2002 - TUNNELS Broken in 1.3.9!!! </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
<p><b>9/30/2002 - TUNNELS Broken in 1.3.9!!!</b><b>
</b></p>
<img src="images/j0233056.gif" alt="Brown Paper Bag"
width="50" height="86" align="left">
There is an updated firewall script at <a
href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
-- copy that file to /usr/lib/shorewall/firewall.<br>
<p><b>9/28/2002 - Shorewall 1.3.9 </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
<p><b><br>
</b></p>
<p><b><br>
</b></p>
<p><b><br>
9/28/2002 - Shorewall 1.3.9 </b><b> </b></p>
<p>In this version:<br>
</p>
<ul>
<li><a href="configuration_file_basics.htm#dnsnames">DNS Names</a>
are now allowed in Shorewall config files (although I recommend against
using them).</li>
<li>The connection SOURCE may now be qualified by both interface
and IP address in a <a href="Documentation.htm#Rules">Shorewall rule</a>.</li>
<li><a href="configuration_file_basics.htm#dnsnames">DNS
Names</a> are now allowed in Shorewall config files (although I recommend
against using them).</li>
<li>The connection SOURCE may now be qualified by both
interface and IP address in a <a href="Documentation.htm#Rules">Shorewall
rule</a>.</li>
<li>Shorewall startup is now disabled after initial installation
until the file /etc/shorewall/startup_disabled is removed. This avoids nasty
surprises at reboot for users who install Shorewall but don't configure
it.</li>
<li>The 'functions' and 'version' files and the 'firewall' symbolic
link have been moved from /var/lib/shorewall to /usr/lib/shorewall to appease
the LFS police at Debian.<br>
until the file /etc/shorewall/startup_disabled is removed. This avoids
nasty surprises at reboot for users who install Shorewall but don't
configure it.</li>
<li>The 'functions' and 'version' files and the 'firewall'
symbolic link have been moved from /var/lib/shorewall to /usr/lib/shorewall
to appease the LFS police at Debian.<br>
</li>
</ul>
<p><b>9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability
Restored</b><b> </b><br>
</p>
<img src="images/j0233056.gif" alt="Brown Paper Bag"
width="50" height="86" align="left">
A couple of recent configuration changes at www.shorewall.net broke
the Search facility:<br>
A couple of recent configuration changes at www.shorewall.net
broke the Search facility:<br>
<blockquote>
<ol>
<li>Mailing List Archive Search was not available.</li>
<li>The Site Search index was incomplete</li>
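Review bot: "Roles up the fix for broken tunnels" under 9/30/2002 should be "Rolls up" (the new 1.3.9b entry above already uses "rolls up"). The three empty <p><b><br></b></p> blocks and the empty <h2></h2> added as spacing around the 9/28 entry are layout filler; a single <br> would do. Also, since 1.3.9a already rolls up the tunnel fix and 1.3.9b rolls up the firewall script fixes, the standalone "TUNNELS Broken in 1.3.9" entry that still points at the errata firewall script could say that upgrading to 1.3.9b is the preferred fix.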
@ -149,38 +185,45 @@ it.</li>
</blockquote>
Hopefully these problems are now corrected.
<p><b>9/18/2002 - Debian 1.3.8 Packages Available </b><b>
</b><br>
</p>
<p>Apt-get sources listed at <a
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a></p>
<b> </b>
<p><b>9/16/2002 - Shorewall 1.3.8</b><b> </b></p>
<p>In this version:<br>
</p>
<ul>
<li>A NEWNOTSYN option has been added to shorewall.conf.
This option determines whether Shorewall accepts TCP packets which
are not part of an established connection and that are not 'SYN' packets
(SYN flag on and ACK flag off).</li>
<li>A NEWNOTSYN option has been added to
shorewall.conf. This option determines whether Shorewall accepts
TCP packets which are not part of an established connection and
that are not 'SYN' packets (SYN flag on and ACK flag off).</li>
<li>The need for the 'multi' option to communicate
between zones za and zb on the same interface is removed in the
case where the chain 'za2zb' and/or 'zb2za' exists. 'za2zb' will exist
if:
case where the chain 'za2zb' and/or 'zb2za' exists. 'za2zb' will
exist if:
<ul>
<li>There is a policy for za to zb; or</li>
<li>There is at least one rule for za to zb.
</li>
<li>There is at least one rule for za
to zb. </li>
@ -188,72 +231,88 @@ if:
</li>
</ul>
<ul>
<li>The /etc/shorewall/blacklist file now contains
three columns. In addition to the SUBNET/ADDRESS column, there are
optional PROTOCOL and PORT columns to block only certain applications
from the blacklisted addresses.<br>
<li>The /etc/shorewall/blacklist file now
contains three columns. In addition to the SUBNET/ADDRESS column,
there are optional PROTOCOL and PORT columns to block only certain
applications from the blacklisted addresses.<br>
</li>
</ul>
<p><b>9/11/2002 - Debian 1.3.7c Packages Available </b></p>
<p>Apt-get sources listed at <a
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a>.</p>
<p><b>9/2/2002 - Shorewall 1.3.7c</b></p>
<p>This is a role up of a fix for "DNAT" rules where the source zone
is $FW (fw).</p>
<p><b>8/26/2002 - Shorewall 1.3.7b</b></p>
<p>This is a role up of the "shorewall refresh" bug fix and the change
which reverses the order of "dhcp" and "norfc1918" checking.</p>
<p><b>8/26/2002 - French FTP Mirror is Operational</b></p>
<p><a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall">ftp://france.shorewall.net/pub/mirrors/shorewall</a>
is now available.</p>
<p><b>8/25/2002 - Shorewall Mirror in France </b></p>
<p>Thanks to a Shorewall user in Paris, the Shorewall web site is now
mirrored at <a target="_top"
href="http://france.shorewall.net">http://france.shorewall.net</a>.</p>
<p><a href="News.htm">More News</a></p>
<h2><a name="Donations"></a>Donations</h2>
</td>
<td width="88" bgcolor="#4b017c"
valign="top" align="center"> <a
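Review bot: "role up" in the 1.3.7c and 1.3.7b entries (context lines) should be "roll-up", the same error as in the 9/30 entry above.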
@ -266,6 +325,7 @@ if:
</center>
</div>
<table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c">
@ -274,6 +334,7 @@ if:
<td width="100%" style="margin-top: 1px;">
<p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10">
@ -281,8 +342,8 @@ if:
<p align="center"><font size="4" color="#ffffff">Shorewall is free
but if you try it and find it useful, please consider making a donation
<p align="center"><font size="4" color="#ffffff">Shorewall is free but
if you try it and find it useful, please consider making a donation
to <a href="http://www.starlight.org"><font
color="#ffffff">Starlight Children's Foundation.</font></a> Thanks!</font></p>
</td>
@ -292,9 +353,11 @@ but if you try it and find it useful, please consider making a donation
</tbody>
</table>
<p><font size="2">Updated 9/30/2002 - <a href="support.htm">Tom Eastep</a></font>
<p><font size="2">Updated 10/9/2002 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
<br>
</body>
</html>

View File

@ -67,18 +67,19 @@ Shorewall. </p>
<ul>
<li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &amp; 8GB IDE HDs
and LNE100TX (Tulip) NIC - My personal Windows system.</li>
<li>Celeron 1.4Gz, RH7.3, 384MB RAM, 60GB HD, LNE100TX(Tulip) NIC -
My personal Linux System which runs Samba configured as a WINS server.
and LNE100TX (Tulip) NIC - My personal Windows system. Also has SuSE
8.0 installed.</li>
<li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip) NIC
- My personal Linux System which runs Samba configured as a WINS server.
This system also has <a href="http://www.vmware.com/">VMware</a> installed
and can run both <a href="http://www.debian.org">Debian</a> and
<a href="http://www.suse.com">SuSE</a> in virtual machines.</li>
<li>K6-2/350, RH7.3, 384MB RAM, 8GB IDE HD, EEPRO100 NIC  - Mail (Postfix
&amp; Courier-IMAP), HTTP (Apache), FTP (Pure_ftpd), DNS server (Bind).</li>
<li>PII/233, RH7.3 with 2.4.20-pre6 kernel, 256MB MB RAM, 2GB SCSI HD
- 3 LNE100TX  (Tulip) and 1 TLAN NICs  - Firewall running Shorewall
1.3.9 (Yep -- I run them before I release them) and a DHCP server.  Also
runs PoPToP for road warrior access.</li>
<li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC  - Mail
(Postfix &amp; Courier-IMAP), HTTP (Apache), FTP (Pure_ftpd), DNS server
(Bind).</li>
<li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI HD - 3 LNE100TX 
(Tulip) and 1 TLAN NICs  - Firewall running Shorewall 1.3.9a  and a DHCP
server.  Also runs PoPToP for road warrior access.</li>
<li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - My wife's
personal system.</li>
<li>PII/400 Laptop, Win2k SP2, 224MB RAM, 12GB HD, onboard EEPRO100
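Review bot: the firewall line now reads "Firewall running Shorewall 1.3.9a" while the installer, fallback and uninstall scripts in this same commit bump VERSION to 1.3.9b, so the entry is already stale at commit time; either state 1.3.9b or drop the patch letter. While here, "256MB MB RAM" on that line has a duplicated "MB", and "1.2Gz"/"1.4Gz" in the surrounding entries should be "GHz".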
@ -103,9 +104,12 @@ and EEPRO100 in expansion base and LinkSys WAC11 - My main work system.</li>
src="images/apache_pb1.gif" hspace="2" width="170" height="20">
</a> </font></p>
<p><font size="2">Last updated 9/19/2002 - </font><font size="2"> <a
<p><font size="2">Last updated 10/6/2002 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
<br>
<br>
<br>
</body>
</html>

View File

@ -30,8 +30,8 @@
</tbody>
</table>
<p align="center">With thanks to Richard who reminded me once again that we
must all first walk before we can run.</p>
<p align="center">With thanks to Richard who reminded me once again that
we must all first walk before we can run.</p>
<h2>The Guides</h2>
@ -54,8 +54,8 @@ as a firewall/router for a small local network and a DMZ.</li>
<p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> outlines
the steps necessary to set up a firewall where there are multiple public
IP addresses involved or if you want to learn more about Shorewall than is
explained in the single-address guides above.</p>
IP addresses involved or if you want to learn more about Shorewall than
is explained in the single-address guides above.</p>
<ul>
<li><a href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a></li>
@ -77,8 +77,8 @@ Protocol</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#Options">5.0 Setting up your Network</a>
<li><a href="shorewall_setup_guide.htm#Options">5.0 Setting up your
Network</a>
<ul>
<li><a href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li>
@ -110,7 +110,8 @@ and Stopping the Firewall</a></li>
<p>The following documentation covers a variety of topics and supplements
the <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a> described
above.</p>
above. Please review the appropriate guide before trying to use this documentation
directly.</p>
<ul>
<li><a href="blacklisting_support.htm">Blacklisting</a>
@ -199,11 +200,12 @@ to a remote network.</li>
<p>If you use one of these guides and have a suggestion for improvement <a
href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
<p><font size="2">Last modified 9/16/2002 - <a
<p><font size="2">Last modified 10/5/2002 - <a
href="file:///J:/Shorewall/Shorewall-docs/support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright 2002 Thomas M. Eastep</font></a></p>
<br>
<br>
<br>
</body>
</html>
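Review bot: the "Tom Eastep" link in the updated "Last modified" line still points at `file:///J:/Shorewall/Shorewall-docs/support.htm`, a path on the author's Windows drive that is dead for every reader; the other pages in this commit use the relative `href="support.htm"`, so use that here too.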

View File

@ -52,10 +52,10 @@ in its most common configuration:</p>
</p>
<p>This guide assumes that you have the iproute/iproute2 package installed
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell if
this package is installed by the presence of an <b>ip</b> program on your
firewall system. As root, you can use the 'which' command to check for
this program:</p>
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell
if this package is installed by the presence of an <b>ip</b> program on
your firewall system. As root, you can use the 'which' command to check
for this program:</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
@ -69,8 +69,8 @@ this program:</p>
    If you edit your configuration files on a Windows system, you must
save them as Unix files if your editor supports that option or you must
run them through dos2unix before trying to use them. Similarly, if you copy
a configuration file from your Windows hard drive to a floppy disk, you
must run dos2unix against the copy before using it with Shorewall.</p>
a configuration file from your Windows hard drive to a floppy disk, you must
run dos2unix against the copy before using it with Shorewall.</p>
<ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
@ -82,10 +82,10 @@ Version of dos2unix</a></li>
<h2 align="left">Shorewall Concepts</h2>
<p>The configuration files for Shorewall are contained in the directory
/etc/shorewall -- for simple setups, you will only need to deal with a few
of these as described in this guide. After you have <a
href="Install.htm">installed Shorewall</a>, download the <a
<p>The configuration files for Shorewall are contained in the directory /etc/shorewall
-- for simple setups, you will only need to deal with a few of these as
described in this guide. After you have <a href="Install.htm">installed
Shorewall</a>, download the <a
href="/pub/shorewall/LATEST.samples/two-interfaces.tgz">two-interface sample</a>,
un-tar it (tar -zxvf two-interfaces.tgz) and and copy the files to /etc/shorewall
(these files will replace files with the same name).</p>
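Review bot: the context line "un-tar it (tar -zxvf two-interfaces.tgz) and and copy the files" has a doubled "and"; since this hunk is only a reflow of that paragraph, it is the right place to drop the duplicate.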
@ -127,8 +127,8 @@ of these as described in this guide. After you have <a
in terms of zones.</p>
<ul>
<li>You express your default policy for connections from one zone to
another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
<li>You express your default policy for connections from one zone
to another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
</a>file.</li>
<li>You define exceptions to those default policies in the <a
href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
@ -136,14 +136,14 @@ of these as described in this guide. After you have <a
</ul>
<p>For each connection request entering the firewall, the request is first
checked against the /etc/shorewall/rules file. If no rule in that file matches
the connection request then the first policy in /etc/shorewall/policy that
matches the request is applied. If that policy is REJECT or DROP  the
request is first checked against the rules in /etc/shorewall/common (the
samples provide that file for you).</p>
checked against the /etc/shorewall/rules file. If no rule in that file
matches the connection request then the first policy in /etc/shorewall/policy
that matches the request is applied. If that policy is REJECT or DROP 
the request is first checked against the rules in /etc/shorewall/common
(the samples provide that file for you).</p>
<p>The /etc/shorewall/policy file included with the two-interface sample has
the following policies:</p>
<p>The /etc/shorewall/policy file included with the two-interface sample
has the following policies:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -231,9 +231,9 @@ the internet (if you uncomment the additional policy)</li>
height="635">
</p>
<p align="left">The firewall has two network interfaces. Where Internet
connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
will be the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>) 
<p align="left">The firewall has two network interfaces. Where Internet connectivity
is through a cable or DSL "Modem", the <i>External Interface</i> will be
the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>) 
<u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol
over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling
<u>P</u>rotocol </i>(PPTP) in which case the External Interface will be
@ -243,14 +243,15 @@ your external interface will be <b>ippp0.</b></p>
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13">
    If your external interface is <b>ppp0</b> or<b> ippp0</b>  then you
will want to set CLAMPMSS=yes in <a href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf.</a></p>
    If your external interface is <b>ppp0</b> or<b> ippp0</b>  then
you will want to set CLAMPMSS=yes in <a href="Documentation.htm#Conf">
/etc/shorewall/shorewall.conf.</a></p>
<p align="left">Your <i>Internal Interface</i> will be an ethernet adapter
(eth1 or eth0) and will be connected to a hub or switch. Your other computers
will be connected to the same hub/switch (note: If you have only a single
internal system, you can connect the firewall directly to the computer using
a <i>cross-over </i> cable).</p>
internal system, you can connect the firewall directly to the computer
using a <i>cross-over </i> cable).</p>
<p align="left"><u><b> <img border="0" src="images/j0213519.gif"
width="60" height="60">
@ -286,15 +287,15 @@ that are specified for the interfaces. Some hints:</p>
<p align="left">Before going further, we should say a few words about Internet
Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you a single
<i> Public</i> IP address. This address may be assigned via the<i> Dynamic
Host Configuration Protocol</i> (DHCP) or as part of establishing your connection
when you dial in (standard modem) or establish your PPP connection. In
rare cases, your ISP may assign you a<i> static</i> IP address; that means
that you configure your firewall's external interface to use that address
permanently.<i> </i>However your external address is assigned, it will be
shared by all of your systems when you access the Internet. You will have
to assign your own addresses in your internal network (the Internal Interface
on your firewall plus your other computers). RFC 1918 reserves several
<i>Private </i>IP address ranges for this purpose:</p>
Host Configuration Protocol</i> (DHCP) or as part of establishing your
connection when you dial in (standard modem) or establish your PPP connection.
In rare cases, your ISP may assign you a<i> static</i> IP address; that
means that you configure your firewall's external interface to use that
address permanently.<i> </i>However your external address is assigned, it
will be shared by all of your systems when you access the Internet. You
will have to assign your own addresses in your internal network (the Internal
Interface on your firewall plus your other computers). RFC 1918 reserves
several <i>Private </i>IP address ranges for this purpose:</p>
<div align="left">
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
@ -313,13 +314,13 @@ remove the 'norfc1918' option from the external interface's entry in
<p align="left">You will want to assign your addresses from the same <i>
sub-network </i>(<i>subnet)</i>.  For our purposes, we can consider a subnet
to consists of a range of addresses x.y.z.0 - x.y.z.255. Such a subnet
will have a <i>Subnet Mask </i>of 255.255.255.0. The address x.y.z.0 is
reserved as the <i>Subnet Address</i> and x.y.z.255 is reserved as the
<i>Subnet Broadcast</i> <i>Address</i>. In Shorewall, a subnet is described
using <a href="subnet_masks.htm"><i>Classless InterDomain Routing </i>(CIDR)
notation</a> with consists of the subnet address followed by "/24". The
"24" refers to the number of consecutive leading "1" bits from the left
of the subnet mask. </p>
will have a <i>Subnet Mask </i>of 255.255.255.0. The address x.y.z.0
is reserved as the <i>Subnet Address</i> and x.y.z.255 is reserved as
the <i>Subnet Broadcast</i> <i>Address</i>. In Shorewall, a subnet is
described using <a href="subnet_masks.htm"><i>Classless InterDomain Routing
</i>(CIDR) notation</a> with consists of the subnet address followed
by "/24". The "24" refers to the number of consecutive leading "1" bits
from the left of the subnet mask. </p>
</div>
<div align="left">
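Review bot: two grammar slips survive the reflow in this hunk: "we can consider a subnet to consists of a range" should be "to consist of", and "(CIDR) notation with consists of the subnet address" should be "which consists of".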
@ -362,16 +363,16 @@ remove the 'norfc1918' option from the external interface's entry in
<div align="left">
<p align="left">One of the purposes of subnetting is to allow all computers
in the subnet to understand which other computers can be communicated
with directly. To communicate with systems outside of the subnetwork, systems
send packets through a<i>  gateway</i>  (router).</p>
with directly. To communicate with systems outside of the subnetwork,
systems send packets through a<i>  gateway</i>  (router).</p>
</div>
<div align="left">
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13">
    Your local computers (computer 1 and computer 2 in the above diagram)
should be configured with their<i> default gateway</i> to be the IP address
of the firewall's internal interface.<i>      </i> </p>
should be configured with their<i> default gateway</i> to be the IP
address of the firewall's internal interface.<i>      </i> </p>
</div>
<p align="left">The foregoing short discussion barely scratches the surface
@ -398,18 +399,18 @@ A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
host, the firewall must perform <i>Network Address Translation </i>(NAT).
The firewall rewrites the source address in the packet to be the address
of the firewall's external interface; in other words, the firewall makes
it look as if the firewall itself is initiating the connection.  This is
necessary so that the destination host will be able to route return packets
back to the firewall (remember that packets whose destination address is
reserved by RFC 1918 can't be routed across the internet so the remote host
can't address its response to computer 1). When the firewall receives a
return packet, it rewrites the destination address back to 10.10.10.1 and
forwards the packet on to computer 1. </p>
it look as if the firewall itself is initiating the connection.  This
is necessary so that the destination host will be able to route return
packets back to the firewall (remember that packets whose destination
address is reserved by RFC 1918 can't be routed across the internet so
the remote host can't address its response to computer 1). When the firewall
receives a return packet, it rewrites the destination address back to 10.10.10.1
and forwards the packet on to computer 1. </p>
<p align="left">On Linux systems, the above process is often referred to as<i>
IP Masquerading</i> but you will also see the term <i>Source Network Address
Translation </i>(SNAT) used. Shorewall follows the convention used with
Netfilter:</p>
<p align="left">On Linux systems, the above process is often referred to
as<i> IP Masquerading</i> but you will also see the term <i>Source Network
Address Translation </i>(SNAT) used. Shorewall follows the convention used
with Netfilter:</p>
<ul>
<li>
@ -433,8 +434,8 @@ return packet, it rewrites the destination address back to 10.10.10.1 and
height="13">
    If your external firewall interface is <b>eth0</b>, you do not need
to modify the file provided with the sample. Otherwise, edit /etc/shorewall/masq
and change the first column to the name of your external interface and the
second column to the name of your internal interface.</p>
and change the first column to the name of your external interface and
the second column to the name of your internal interface.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13">
@ -449,10 +450,10 @@ return packet, it rewrites the destination address back to 10.10.10.1 and
local computers. Because these computers have RFC-1918 addresses, it is
not possible for clients on the internet to connect directly to them. It
is rather necessary for those clients to address their connection requests
to the firewall who rewrites the destination address to the address of your
server and forwards the packet to that server. When your server responds,
the firewall automatically performs SNAT to rewrite the source address in
the response.</p>
to the firewall who rewrites the destination address to the address of
your server and forwards the packet to that server. When your server responds,
the firewall automatically performs SNAT to rewrite the source address
in the response.</p>
<p align="left">The above process is called<i> Port Forwarding</i> or <i>
Destination Network Address Translation</i> (DNAT). You configure port
@ -523,13 +524,13 @@ port&gt;</i>]</td>
<ul>
<li>You must test the above rule from a client outside of your local
network (i.e., don't test from a browser running on computers 1 or 2
or on the firewall). If you want to be able to access your web server
using the IP address of your external interface, see <a
network (i.e., don't test from a browser running on computers 1 or 2 or
on the firewall). If you want to be able to access your web server using
the IP address of your external interface, see <a
href="FAQ.htm#faq2">Shorewall FAQ #2</a>.</li>
<li>Many ISPs block incoming connection requests to port 80. If you
have problems connecting to your web server, try the following rule and
try connecting to port 5000.</li>
have problems connecting to your web server, try the following rule
and try connecting to port 5000.</li>
</ul>
@ -568,35 +569,35 @@ that you require.</p>
<p align="left">Normally, when you connect to your ISP, as part of getting
an IP address your firewall's <i>Domain Name Service </i>(DNS) resolver
will be automatically configured (e.g., the /etc/resolv.conf file will be
written). Alternatively, your ISP may have given you the IP address of a
pair of DNS <i> name servers</i> for you to manually configure as your primary
and secondary name servers. Regardless of how DNS gets configured on your
firewall, it is <u>your</u> responsibility to configure the resolver in your
internal systems. You can take one of two approaches:</p>
will be automatically configured (e.g., the /etc/resolv.conf file will
be written). Alternatively, your ISP may have given you the IP address
of a pair of DNS <i> name servers</i> for you to manually configure as your
primary and secondary name servers. Regardless of how DNS gets configured
on your firewall, it is <u>your</u> responsibility to configure the resolver
in your internal systems. You can take one of two approaches:</p>
<ul>
<li>
<p align="left">You can configure your internal systems to use your ISP's
name servers. If you ISP gave you the addresses of their servers or if
those addresses are available on their web site, you can configure your
internal systems to use those addresses. If that information isn't available,
look in /etc/resolv.conf on your firewall system -- the name servers are
given in "nameserver" records in that file. </p>
name servers. If you ISP gave you the addresses of their servers or
if those addresses are available on their web site, you can configure
your internal systems to use those addresses. If that information isn't
available, look in /etc/resolv.conf on your firewall system -- the name
servers are given in "nameserver" records in that file. </p>
</li>
<li>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13">
    You can configure a<i> Caching Name Server </i>on your firewall.<i>
</i>Red Hat has an RPM for a caching name server (the RPM also requires
the 'bind' RPM) and for Bering users, there is dnscache.lrp. If you take
this approach, you configure your internal systems to use the firewall
the 'bind' RPM) and for Bering users, there is dnscache.lrp. If you
take this approach, you configure your internal systems to use the firewall
itself as their primary (and only) name server. You use the internal IP
address of the firewall (10.10.10.254 in the example above) for the name
server address. To allow your local systems to talk to your caching name
server, you must open port 53 (both UDP and TCP) from the local network
to the firewall; you do that by adding the following rules in /etc/shorewall/rules.
</p>
server address. To allow your local systems to talk to your caching
name server, you must open port 53 (both UDP and TCP) from the local
network to the firewall; you do that by adding the following rules in
/etc/shorewall/rules. </p>
</li>
</ul>
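Review bot: "If you ISP gave you the addresses of their servers" in the first list item should read "If your ISP"; the reflowed line still carries the typo. The preceding sentence's "the IP address of a pair of DNS name servers" should also be plural ("IP addresses"), since the text goes on to describe primary and secondary servers.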
@ -685,7 +686,7 @@ firewall, it is <u>your</u> responsibility to configure the resolver in your
<div align="left">
<p align="left">Those rules allow DNS access from your firewall and may be
removed if you commented out the line in /etc/shorewall/policy allowing
removed if you uncommented the line in /etc/shorewall/policy allowing
all connections from the firewall to the internet.</p>
</div>
@ -806,12 +807,13 @@ firewall, it is <u>your</u> responsibility to configure the resolver in your
<div align="left">
<p align="left">Those two rules would of course be in addition to the rules
listed above under "You can configure a Caching Name Server on your firewall"</p>
listed above under "You can configure a Caching Name Server on your
firewall"</p>
</div>
<div align="left">
<p align="left">If you don't know what port and protocol a particular application
uses, look <a href="ports.htm">here</a>.</p>
<p align="left">If you don't know what port and protocol a particular
application uses, look <a href="ports.htm">here</a>.</p>
</div>
<div align="left">
@ -865,9 +867,9 @@ connections as required.</p>
width="13" height="13" alt="Arrow">
    The <a href="Install.htm">installation procedure </a> configures
your system to start Shorewall at system boot  but beginning with Shorewall
version 1.3.9 startup is disabled so that your system won't try to start
Shorewall before configuration is complete. Once you have completed configuration
of your firewall, you can enable Shorewall startup by removing the file /etc/shorewall/startup_disabled.<br>
version 1.3.9 startup is disabled so that your system won't try to start Shorewall
before configuration is complete. Once you have completed configuration of
your firewall, you can enable Shorewall startup by removing the file /etc/shorewall/startup_disabled.<br>
</p>
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: </font><font
@ -906,7 +908,7 @@ added an entry for the IP address that you are connected from to <a
try" command</a>.</p>
</div>
<p align="left"><font size="2">Last updated 9/26/2002 - <a
<p align="left"><font size="2">Last updated 10/9/2002 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas
@ -915,5 +917,6 @@ try" command</a>.</p>
<br>
<br>
<br>
<br>
</body>
</html>

View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=1.3.9a
VERSION=1.3.9b
usage() # $1 = exit status
{

View File

@ -54,7 +54,7 @@
# /etc/rc.d/rc.local file is modified to start the firewall.
#
VERSION=1.3.9a
VERSION=1.3.9b
usage() # $1 = exit status
{
@ -167,6 +167,8 @@ while [ $# -gt 0 ] ; do
ARGS="yes"
done
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
#
# Determine where to install the firewall script
#
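Review bot: the hard-coded `PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin` is a good hardening step for a script run as root, but it is set only after the option-parsing loop (`done`) above it; move the assignment to the top of the script so that every external command the installer executes, including anything invoked while options are being processed, resolves against the fixed path rather than the caller's environment.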
@ -282,13 +284,18 @@ fi
# Install the functions file
#
if [ -f ${PREFIX}/etc/shorewall/functions ]; then
backup_file ${PREFIX}/etc/shorewall/functions
rm -f ${PREFIX}/etc/shorewall/functions
fi
if [ -f ${PREFIX}/var/lib/shorewall/functions ]; then
backup_file ${PREFIX}/var/lib/shorewall/functions
rm -f ${PREFIX}/var/lib/shorewall/functions
fi
install_file_with_backup functions ${PREFIX}/usr/lib/shorewall/functions 0444
echo -e "\nCommon functions installed in ${PREFIX}/var/lib/shorewall/functions"
echo -e "\nCommon functions installed in ${PREFIX}/usr/lib/shorewall/functions"
#
# Install the common.def file
#
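Review bot: this hunk removes the old copies at `${PREFIX}/etc/shorewall/functions` and `${PREFIX}/var/lib/shorewall/functions` and installs the file under `/usr/lib/shorewall/functions` (the echo line is corrected to match), but nothing in the hunk updates the consumers; confirm that every script that sources `functions` (the firewall script and the `shorewall` command) already reads `/usr/lib/shorewall/functions`, otherwise a stale `. /var/lib/shorewall/functions` will fail at the next start. The `backup_file` call before each `rm -f` is the right order, since the backup must exist before the original is removed.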

View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall
VERSION=1.3.9a
VERSION=1.3.9b
usage() # $1 = exit status
{
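Review bot: the header comment in this uninstall script still says "Simply run this script to remove Seattle Firewall", whereas the fallback script in the same commit says "Shoreline Firewall"; update the comment to the current project name so the three scripts are consistent.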