extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-01-28 16:39:29 +01:00
Code Issues Packages Projects Releases Wiki Activity

this files are not needed anymore.. deleted :-P

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2545 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
judas_iscariote 2005-08-24 01:17:15 +00:00
parent ce50f129ca
commit 55b6b26ebc
2 changed files with 0 additions and 718 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

365
Shorewall-Website/seattlefirewall_index.htm
View File

@ -1,365 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta content="HTML Tidy, see www.w3.org" name="generator">
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
<title>Shoreline Firewall (Shorewall) 1.4</title>
<base target="_self">
</head>
<body>
<div>
<table id="AutoNumber4"
style="border-collapse: collapse; width: 100%; height: 100%;"
border="0" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<td width="90%">
<h2>Introduction to Shorewall</h2>
<h3>This is the Shorewall 1.4 Web Site</h3>
<div style="margin-left: 40px;"><a
href="http://lists.shorewall.net/pipermail/shorewall-announce/2004-December/000451.html"><span
style="font-weight: bold;">Preparing for Shorewall 2.2 -- End of
support life for Shorewall 1.4 is Near! </span></a><br>
<br>
The information on this site
applies only to 1.4.x releases of
Shorewall. For older versions:<br>
</div>
<ul>
<ul>
<li>The 1.3 site is <a href="http://www.shorewall.net/1.3"
target="_top">here.</a></li>
<li>The 1.2 site is <a href="http://shorewall.net/1.2/"
target="_top">here</a>.</li>
</ul>
</ul>
<h3>Glossary</h3>
<ul>
<li><a href="http://www.netfilter.org" target="_top">Netfilter</a>
- the
packet filter facility built into the 2.4 and later Linux kernels.</li>
<li>ipchains - the packet filter facility built into the 2.2
Linux kernels. Also the name of the utility program used to configure
and control that facility. Netfilter can be used in ipchains
compatibility mode.</li>
<li>iptables - the utility program used to configure and
control Netfilter. The term 'iptables' is often used to refer to the
combination of iptables+Netfilter (with Netfilter not in ipchains
compatibility mode).</li>
</ul>
<h3>What is Shorewall?</h3>
<div style="margin-left: 40px;">The Shoreline Firewall, more
commonly known as "Shorewall", is
high-level tool for configuring Netfilter. You describe your
firewall/gateway requirements using entries in a set of configuration
files. Shorewall reads those configuration files and with the help of
the iptables utility, Shorewall configures Netfilter to match your
requirements. Shorewall can be used on a dedicated firewall system, a
multi-function gateway/router/server or on a standalone GNU/Linux
system. Shorewall does not use Netfilter's ipchains compatibility mode
and can thus take advantage of Netfilter's <a
href="http://www.cs.princeton.edu/%7Ejns/security/iptables/iptables_conntrack.html"
target="_top">connection
state tracking
capabilities</a>.<br>
<br>
Shorewall is <span style="text-decoration: underline;">not</span> a
daemon. Once Shorewall has configured Netfilter, it's job is complete
although the <a href="starting_and_stopping_shorewall.htm">/sbin/shorewall
program can be used at any time to monitor the Netfilter firewall</a>.<br>
</div>
<h3>Getting Started with Shorewall</h3>
<div style="margin-left: 40px;">New to Shorewall? Start by
selecting the <a href="shorewall_quickstart_guide.htm">QuickStart Guide</a>
that most
closely match your environment and follow the step by step instructions.<br>
</div>
<h3>Looking for Information?</h3>
<div style="margin-left: 40px;">The <a
href="Documentation_Index.html">Documentation
Index</a> is a good place to start as is the Quick Search in the frame
above. </div>
<h3>Running Shorewall on Mandrake with a two-interface setup?</h3>
<div style="margin-left: 40px;">If so, the documentation on this
site will not apply directly
to your setup. If you want to use the documentation that you find here,
you will want to consider uninstalling what you have and installing a
setup that matches the documentation on this site. See the <a
href="two-interface.htm">Two-interface QuickStart Guide</a> for
details.</div>
<h3>License</h3>
<div style="margin-left: 40px;">This program is free software;
you can redistribute it and/or modify it
under the terms of <a href="http://www.gnu.org/licenses/gpl.html">Version
2 of the GNU General Public License</a> as published by the Free
Software Foundation.<br>
</div>
<p style="margin-left: 40px;">This program is distributed in the
hope that it will be
useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more detail.</p>
<div style="margin-left: 40px;"> </div>
<p style="margin-left: 40px;">You should have received a copy of
the GNU General Public
License along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
<div style="margin-left: 40px;">Permission is granted to copy,
distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.2 or
any later version published by the Free Software Foundation; with no
Invariant Sections, with no Front-Cover, and with no Back-Cover Texts.
A copy of the license is included in the section entitled <a>"GNU Free
Documentation License"</a>. </div>
<p>Copyright © 2001-2004 Thomas M. Eastep </p>
<hr style="width: 100%; height: 2px;">
<h2>News</h2>
<p><b>3/16/2004 - Shorewall 1.4.10d </b><b> <img alt="(New)"
src="images/new10.gif"
style="border: 0px solid ; width: 28px; height: 12px;" title=""></b></p>
<p>Corrects one problem:<br>
</p>
<ul>
<li>Rules involving user-defined actions often resulted in a
warning that the rule was a POLICY.<br>
</li>
</ul>
<p><b>2/15/2004 - Shorewall 1.4.10c&nbsp;</b><b></b></p>
<p>Corrects one problem:<br>
</p>
<ul>
<li>Entries in /etc/shorewall/tcrules with an empty USER/GROUP
column would cause a startup error.<br>
</li>
</ul>
<p><b>2/12/2004 - Shorewall 1.4.10b&nbsp;</b><b></b></p>
<p>Corrects one problem:<br>
</p>
<ul>
<li>In the /etc/shorewall/masq entry “<span class="quote">eth0:!10.1.1.150
&nbsp; &nbsp;0.0.0.0/0!10.1.0.0/16 &nbsp; &nbsp; 10.1.2.16</span>”, the
<span class="quote">!10.1.0.0/16</span>” is ignored.</li>
</ul>
<p><b>2/8/2004 - Shorewall 1.4.10a&nbsp;</b><b></b></p>
<p>Corrects two problems:<br>
</p>
<ul>
<li>A problem which can cause [re]start to fail inexplicably
while processing /etc/shorewall/masq.</li>
<li>Interfaces using the Atheros WiFi card to use the 'maclist'
option.<br>
</li>
</ul>
<p><b>1/30/2004 - Shorewall 1.4.10</b></p>
<p>Problems Corrected since version 1.4.9</p>
<ol>
<li>The column descriptions in the action.template file did not
match the column headings. That has been corrected.</li>
<li>The presence of IPV6 addresses on devices generated error
messages during [re]start if ADD_IP_ALIASES=Yes or ADD_SNAT_ALIASES=Yes
are specified in /etc/shorewall/shorewall.conf. These messages have
been eliminated.</li>
<li>The CONTINUE action in /etc/shorewall/rules now works
correctly. A couple of problems involving rate limiting have been
corrected. These bug fixes courtesy of Steven Jan Springl.</li>
<li>Shorewall now tried to avoid sending an ICMP response to
broadcasts and smurfs.</li>
<li>Specifying "-" or "all" in the PROTO column of an action no
longer causes a startup error. <br>
<br>
</li>
</ol>
Migragion Issues:<br>
<br>
&nbsp;&nbsp;&nbsp; None.<br>
<br>
New Features:<br>
<ol>
<li>The INTERFACE column in the /etc/shorewall/masq file may
now specify a destination list. <br>
<br>
Example:<br>
<br>
&nbsp;&nbsp;&nbsp; #INTERFACE&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp; SUBNET&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; ADDRESS<br>
&nbsp;&nbsp;&nbsp; eth0:192.0.2.3,192.0.2.16/28&nbsp;&nbsp;&nbsp; eth1<br>
<br>
If the list begins with "!" then SNAT will occur only if the
destination IP address is NOT included in the list.<br>
<br>
</li>
<li>Output traffic control rules (those with the firewall as
the source) may now be qualified by the effective userid and/or
effective group id of the program generating the output. This feature
is courtesy of&nbsp; Frédéric LESPEZ.<br>
<br>
A new USER column has been added to /etc/shorewall/tcrules. It may
contain :<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [&lt;user name or number&gt;]:[&lt;group
name or number&gt;]<br>
<br>
The colon is optional when specifying only a user.<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Examples : john: / john / :users /
john:users<br>
<br>
</li>
<li>A "detectnets" interface option has been added for entries
in /etc/shorewall/interfaces. This option automatically taylors the
definition of the zone named in the ZONE column to include just&nbsp;
those hosts that have routes through the interface named in the
INTERFACE column. The named interface must be UP when Shorewall is
[re]started.<br>
<br>
&nbsp;WARNING: DO NOT SET THIS OPTION ON YOUR INTERNET INTERFACE! <br>
</li>
</ol>
<p><b>1/17/2004 - FAQ Wiki Available&nbsp;</b></p>
<p>It has been asserted that the use of CVS for maintaining the
Shorewall documentation has been a barrier to community participation.
To test this theory, Alex Martin <a
href="http://wiki.rettc.com/wiki.phtml?title=Wiki_Shorewall_FAQ">has
created a Wiki</a> and with the help of Mike Noyes has populated the
Wiki with the Shorewall FAQ. <br>
</p>
<p><b>1/13/2004 - Shorewall 1.4.9&nbsp;</b><b> </b></p>
<p>Problems Corrected since version 1.4.8:</p>
<ol>
<li>There has been a low continuing level of confusion over the
terms "Source NAT" (SNAT) and "Static NAT". To avoid future confusion,
all instances of "Static NAT" have been replaced with "One-to-one NAT"
in the documentation and configuration files.</li>
<li>The description of NEWNOTSYN in shorewall.conf has been
reworded for clarity.</li>
<li>Wild-card rules (those involving "all" as SOURCE or DEST)
will no longer produce an error if they attempt to add a rule that
would override a NONE policy. The logic for expanding these wild-card
rules now simply skips those (SOURCE,DEST) pairs that have a NONE
policy.</li>
<li>DNAT rules that also specified SNAT now work reliably.
Previously, there were cases where the SNAT specification was
effectively ignored.<br>
</li>
</ol>
<p>Migration Issues:</p>
<p>&nbsp;&nbsp;&nbsp; None.<br>
<br>
New Features: </p>
<ol>
<li>The documentation has been completely rebased to Docbook
XML. The documentation is now released as separate HTML and XML
packages.<br>
</li>
<li>To cut down on the number of "Why are these ports closed
rather than stealthed?" questions, the SMB-related rules in
/etc/shorewall/common.def have been changed from 'reject' to 'DROP'.</li>
<li>For easier identification, packets logged under the
'norfc1918' interface option are now logged out of chains named
'rfc1918'. Previously, such packets were logged under chains named
'logdrop'.</li>
<li>Distributors and developers seem to be regularly inventing
new naming conventions for kernel modules. To avoid the need to change
Shorewall code for each new convention, the MODULE_SUFFIX option has
been added to shorewall.conf. MODULE_SUFFIX may be set to the suffix
for module names in your particular distribution. If MODULE_SUFFIX is
not set in shorewall.conf, Shorewall will use the list "o gz ko o.gz".<br>
<br>
To see what suffix is used by your distribution:<br>
<br>
ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter<br>
<br>
All of the files listed should have the same suffix (extension). Set
MODULE_SUFFIX to that suffix.<br>
<br>
Examples:<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp; If all files end in ".kzo" then set
MODULE_SUFFIX="kzo"<br>
&nbsp;&nbsp;&nbsp;&nbsp; If all files end in ".kz.o" then set
MODULE_SUFFIX="kz.o"</li>
<li>Support for user defined rule ACTIONS has been implemented
through two new files:<br>
<br>
/etc/shorewall/actions - used to list the user-defined ACTIONS.<br>
/etc/shorewall/action.template - For each user defined &lt;action&gt;,
copy this file to /etc/shorewall/action.&lt;action&gt; and add the
appropriate rules for that &lt;action&gt;. Once an &lt;action&gt; has
been defined, it may be used like any of the builtin ACTIONS (ACCEPT,
DROP, etc.) in /etc/shorewall/rules.<br>
<br>
Example: You want an action that logs a packet at the 'info' level and
accepts the connection.<br>
<br>
In /etc/shorewall/actions, you would add:<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp; LogAndAccept<br>
<br>
You would then copy /etc/shorewall/action.template to
/etc/shorewall/action.LogAndAccept and in that file, you would add the
two
rules:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; LOG:info<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ACCEPT<br>
</li>
<li>The default value for NEWNOTSYN in shorewall.conf is now
"Yes" (non-syn TCP packets that are not part of an existing connection
are filtered according to the rules and policies rather than being
dropped). I have made this change for two reasons:<br>
<br>
a) NEWNOTSYN=No tends to result in lots of "stuck" connections since
any timeout during TCP session tear down results in the firewall
dropping all of the retries.<br>
<br>
b) The old default of NEWNOTSYN=No and LOGNEWNOTSYN=info resulted in
lots of confusing messages when a connection got "stuck". While I could
have changed the default value of LOGNEWNOTSYN to suppress logging, I
dislike defaults that silently throw away packets.</li>
<li>The common.def file now contains an entry that silently
drops ICMP packets with a null source address. Ad Koster reported a
case where these were occuring frequently as a result of a broken
system on his external network.<br>
<br>
</li>
</ol>
<p><a href="News.htm">More News</a></p>
<hr style="width: 100%; height: 2px;">
<p><a href="http://leaf.sourceforge.net" target="_top"><img
alt="(Leaf Logo)"
style="border: 0px solid ; height: 36px; width: 49px;"
src="images/leaflogo.gif" title=""></a> Jacques Nilo and Eric Wolzak
have a LEAF
(router/firewall/gateway on a floppy, CD or compact flash) distribution
called <i>Bering</i> that features Shorewall-1.4.2 and Kernel-2.4.20.
You can find their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo">http://leaf.sourceforge.net/devel/jnilo<br>
</a></p>
<b>Congratulations to Jacques and Eric on the recent release of
Bering 1.2!!!</b><br>
<div>
<div style="text-align: center;"> </div>
</div>
<hr style="width: 100%; height: 2px;">
<h2><a name="Donations"></a>Donations<br>
</h2>
<p style="text-align: left;"> <big><img
src="images/alz_logo2.gif" title=""
alt="(Alzheimer's Association Logo)"
style="width: 300px; height: 60px;" align="left">Shorewall is free but
if you
try it and find it useful,
please consider making a donation to the <a href="http://www.alz.org/"
target="_top">Alzheimer's Association</a>. Thanks!</big> </p>
</td>
</tr>
<tr>
<td style="vertical-align: top;"> <br>
</td>
</tr>
</tbody>
</table>
</div>
<p><font size="2">Updated 04/03/2004 - <a href="support.htm">Tom Eastep</a></font><br>
</p>
</body>
</html>

353
Shorewall-Website/sourceforge_index.htm
View File

@ -1,353 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta name="generator" content="HTML Tidy, see www.w3.org">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Shoreline Firewall (Shorewall) 1.4</title>
<base target="_self">
</head>
<body>
<div align="center">
<center>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody>
<tr>
<td width="90%">
<h2>Introduction<br>
</h2>
<ul>
<li><a href="http://www.netfilter.org">Netfilter</a> - the
packet
filter facility built into the 2.4 and later Linux kernels.</li>
<li>ipchains - the packet filter facility built into the 2.2
Linux
kernels. Also the name of the utility program used to configure and
control that facility. Netfilter can be used in ipchains
compatibility mode.<br>
</li>
<li>iptables - the utility program used to configure and
control
Netfilter. The term 'iptables' is often used to refer to the
combination of iptables+Netfilter (with Netfilter not in ipchains
compatibility mode).<br>
</li>
</ul>
The Shoreline Firewall, more commonly known as "Shorewall", is
high-level tool for configuring Netfilter. You describe your
firewall/gateway requirements using entries in a set of
configuration files. Shorewall reads those configuration files and
with the help of the iptables utility, Shorewall configures
Netfilter to match your requirements. Shorewall can be used on a
dedicated firewall system, a multi-function gateway/router/server
or on a standalone GNU/Linux system. Shorewall does not use
Netfilter's ipchains compatibility mode and can thus take advantage
of Netfilter's <a
href="http://www.cs.princeton.edu/%7Ejns/security/iptables/iptables_conntrack.html">connection
state tracking capabilities</a>.
<p>This program is free software; you can redistribute it and/or
modify it under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
General
Public License</a> as published by the Free Software
Foundation.<br>
<br>
This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.<br>
<br>
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
<p> Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation;
with no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled <a>"GNU
Free Documentation License"</a>.</p>
<p>Copyright © 2001-2004 Thomas M. Eastep </p>
<h2>This is the Shorewall 1.4 Web Site</h2>
The information on this site applies only to 1.4.x releases of
Shorewall. For older versions:<br>
<ul>
<li>The 1.3 site is <a href="http://www.shorewall.net/1.3"
target="_top">here.</a></li>
<li>The 1.2 site is <a href="http://shorewall.net/1.2/"
target="_top">here</a>.<br>
</li>
</ul>
<h2>Read about</h2>
You can <a
href="http://lists.shorewall.net/pipermail/shorewall-users/2004-February/011163.html">prepare
for 2.0</a> while you are still running Shorewall 1.4.<br>
<br>
The <a href="http://shorewall.net/pub/shorewall/Beta">Shorewall 2.0.0
RC2</a> is available!<br>
<br>
Here's the <a href="http://shorewall.net/2.0/Documentation_Index.html">Shorewall
2.0.0 Documentation</a>.<br>
<h2>Getting Started with Shorewall</h2>
New to Shorewall? Start by selecting the <a
href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most
closely match your environment and follow the step by step
instructions.<br>
<h2>Looking for Information?</h2>
The <a href="Documentation_Index.html">Documentation
Index</a> is a good place to start as is the Quick Search in the
frame above.
<h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
If so, the documentation on this site will not apply
directly to your setup. If you want to use the documentation that
you find here, you will want to consider uninstalling what you have
and installing a setup that matches the documentation on this site.
See the <a href="two-interface.htm">Two-interface QuickStart
Guide</a> for details.
<h2><b>News</b></h2>
<p><b>2/15/2004 - Shorewall 1.4.10c </b><b> <img alt="(New)"
src="images/new10.gif"
style="border: 0px solid ; width: 28px; height: 12px;" title=""></b></p>
<p>Corrects one problem:<br>
</p>
Entries in /etc/shorewall/tcrules with an empty USER/GROUP column would
cause a startup error.
<p><b>2/12/2004 - Shorewall 1.4.10b </b><b> <img alt="(New)"
src="images/new10.gif"
style="border: 0px solid ; width: 28px; height: 12px;" title=""></b></p>
<p>Corrects one problem:<br>
</p>
<ul>
<li>In the /etc/shorewall/masq entry “<span class="quote">eth0:!10.1.1.150
&nbsp; &nbsp;0.0.0.0/0!10.1.0.0/16 &nbsp; &nbsp; 10.1.2.16</span>”, the
<span class="quote">!10.1.0.0/16</span>” is ignored.</li>
</ul>
<p><b>2/8/2004 - Shorewall 1.4.10a </b><b> <img alt="(New)"
src="images/new10.gif"
style="border: 0px solid ; width: 28px; height: 12px;" title=""></b></p>
<p>Corrects two problems:<br>
</p>
<ul>
<li>A problem which can cause [re]start to fail inexplicably
while processing /etc/shorewall/masq.</li>
<li>Interfaces using the Atheros WiFi card to use the 'maclist'
option.<br>
</li>
</ul>
<p><b>1/30/2004 - Shorewall 1.4.10</b></p>
<p>Problems Corrected since version 1.4.9</p>
<ol>
<li>The column descriptions in the action.template file did not
match the column headings. That has been corrected.</li>
<li>The presence of IPV6 addresses on devices generated error
messages during [re]start if ADD_IP_ALIASES=Yes or ADD_SNAT_ALIASES=Yes
are specified in /etc/shorewall/shorewall.conf. These messages have
been eliminated.</li>
<li value="3">The CONTINUE action in /etc/shorewall/rules now
works
correctly. A couple of problems involving rate limiting have been
corrected. These bug fixes courtesy of Steven Jan Springl.</li>
<li>Shorewall now tried to avoid sending an ICMP response to
broadcasts and smurfs.</li>
<li>Specifying "-" or "all" in the PROTO column of an action no
longer causes a startup error. </li>
</ol>
Migragion Issues:<br>
<br>
&nbsp;&nbsp;&nbsp; None.<br>
<br>
New Features:<br>
<ol>
<li>The INTERFACE column in the /etc/shorewall/masq file may
now specify a destination list. <br>
<br>
Example:<br>
<br>
&nbsp;&nbsp;&nbsp; #INTERFACE&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp; SUBNET&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; ADDRESS<br>
&nbsp;&nbsp;&nbsp; eth0:192.0.2.3,192.0.2.16/28&nbsp;&nbsp;&nbsp; eth1<br>
<br>
If the list begins with "!" then SNAT will occur only if the
destination IP address is NOT included in the list.<br>
<br>
</li>
<li>Output traffic control rules (those with the firewall as
the
source) may now be qualified by the effective userid and/or effective
group id of the program generating the output. This feature is courtesy
of&nbsp; Frédéric LESPEZ.<br>
<br>
A new USER column has been added to /etc/shorewall/tcrules. It may
contain :<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [&lt;user name or number&gt;]:[&lt;group
name or number&gt;]<br>
<br>
The colon is optional when specifying only a user.<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Examples : john: / john / :users /
john:users<br>
<br>
</li>
<li>A "detectnets" interface option has been added for entries
in
/etc/shorewall/interfaces. This option automatically taylors the
definition of the zone named in the ZONE column to include just&nbsp;
those
hosts that have routes through the interface named in the INTERFACE
column. The named interface must be UP when Shorewall is [re]started.<br>
<br>
&nbsp;WARNING: DO NOT SET THIS OPTION ON YOUR INTERNET INTERFACE!
&nbsp;&nbsp; </li>
</ol>
<p><b>1/17/2004 - FAQ Wiki Available&nbsp;</b></p>
It has been asserted that the use of CVS for maintaining the
Shorewall documentation has been a barrier to community participation.
To test this theory, Alex Martin <a
href="http://wiki.rettc.com/wiki.phtml?title=Wiki_Shorewall_FAQ">has
created a Wiki</a> and with the help of Mike Noyes has populated the
Wiki with the Shorewall FAQ.
<p><b>1/13/2004 - Shorewall 1.4.9</b> <b><br>
</b></p>
<p>Problems Corrected since version 1.4.8:<br>
</p>
<ol>
<li>There has been a low continuing level of confusion over the
terms "Source NAT" (SNAT) and "Static NAT". To avoid future
confusion, all instances of "Static NAT" have been replaced with
"One-to-one NAT" in the documentation and configuration files.</li>
<li>The description of NEWNOTSYN in shorewall.conf has been
reworded for clarity.</li>
<li>Wild-card rules (those involving "all" as SOURCE or DEST)
will
no longer produce an error if they attempt to add a rule that would
override a NONE policy. The logic for expanding these wild-card
rules now simply skips those (SOURCE,DEST) pairs that have a NONE
policy.</li>
<li>DNAT rules that also specified SNAT now work reliably.
Previously,
there were cases where the SNAT specification was effectively ignored.</li>
</ol>
<p>Migration Issues:<br>
<br>
&nbsp;&nbsp;&nbsp; None.<br>
<br>
New Features:<br>
</p>
<ol>
<li>The documentation has been completely rebased to Docbook
XML. The
documentation is now released as separate HTML and XML packages.</li>
<li>To cut down on the number of "Why are these ports closed
rather
than stealthed?" questions, the SMB-related rules in
/etc/shorewall/common.def have been changed from 'reject' to
'DROP'.</li>
<li>For easier identification, packets logged under the
'norfc1918'
interface option are now logged out of chains named 'rfc1918'.
Previously, such packets were logged under chains named
'logdrop'.</li>
<li>Distributors and developers seem to be regularly inventing
new
naming conventions for kernel modules. To avoid the need to change
Shorewall code for each new convention, the MODULE_SUFFIX option
has been added to shorewall.conf. MODULE_SUFFIX may be set to the
suffix for module names in your particular distribution. If
MODULE_SUFFIX is not set in shorewall.conf, Shorewall will use the
list "o gz ko o.gz".<br>
<br>
To see what suffix is used by your distribution:<br>
<br>
ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter<br>
<br>
All of the files listed should have the same suffix (extension).
Set MODULE_SUFFIX to that suffix.<br>
<br>
Examples:<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp; If all files end in ".kzo" then set
MODULE_SUFFIX="kzo"<br>
&nbsp;&nbsp;&nbsp;&nbsp; If all files end in ".kz.o" then set
MODULE_SUFFIX="kz.o"</li>
<li>Support for user defined rule ACTIONS has been implemented
through two new files:<br>
<br>
/etc/shorewall/actions - used to list the user-defined ACTIONS.<br>
/etc/shorewall/action.template - For each user defined
&lt;action&gt;, copy this file to
/etc/shorewall/action.&lt;action&gt; and add the appropriate rules
for that &lt;action&gt;. Once an &lt;action&gt; has been defined,
it may be used like any of the builtin ACTIONS (ACCEPT, DROP, etc.)
in /etc/shorewall/rules.<br>
<br>
Example: You want an action that logs a packet at the 'info' level
and accepts the connection.<br>
<br>
In /etc/shorewall/actions, you would add:<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp; LogAndAccept<br>
<br>
You would then copy /etc/shorewall/action.template to
/etc/shorewall/action.LogAndAccept and in that file, you would add the
two
rules:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; LOG:info<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ACCEPT</li>
<li>The default value for NEWNOTSYN in shorewall.conf is now
"Yes" (non-syn
TCP packets that are not part of an existing connection are filtered
according to the rules and policies rather than being dropped). I have
made this change for two reasons:<br>
<br>
a) NEWNOTSYN=No tends to result in lots of "stuck" connections since
any timeout during TCP session tear down results in the firewall
dropping all of the retries.<br>
<br>
b) The old default of NEWNOTSYN=No and LOGNEWNOTSYN=info resulted in
lots of confusing messages when a connection got "stuck". While I could
have changed the default value of LOGNEWNOTSYN to suppress logging, I
dislike defaults that silently throw away packets.</li>
<li>The common.def file now contains an entry that silently
drops ICMP
packets with a null source address. Ad Koster reported a case where
these were occuring frequently as a result of a broken system on his
external network.</li>
</ol>
<p><b><a href="News.htm">More News</a></b></p>
<p><a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36"
alt="(Leaf Logo)"></a> Jacques Nilo and Eric Wolzak have a LEAF
(router/firewall/gateway on a floppy, CD or compact flash)
distribution called <i>Bering</i> that features Shorewall-1.4.2 and
Kernel-2.4.20. You can find their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo">http://leaf.sourceforge.net/devel/jnilo</a></p>
<b>Congratulations to Jacques and Eric on the recent release of
Bering 1.2!!!</b> <br>
<h1 align="center"><b><a href="http://www.sf.net"><img
align="left" alt="SourceForge Logo"
src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3"></a></b></h1>
<h2><b>This site is hosted by the generous folks at <a
href="http://www.sf.net">SourceForge.net</a></b></h2>
<br>
<br>
<h2><b><a name="Donations"></a>Donations</b></h2>
<big><img
src="file:///vfat/Ursa/Shorewall/Shorewall-Website/images/alz_logo2.gif"
title="" alt="(Alzheimer's Association Logo)"
style="height: 60px; width: 300px;" align="left"></big><big>Shorewall
is free but
if you try it and find it useful,
please consider making a donation to the <a href="http://www.alz.org/"
target="_top">Alzheimer's Association</a>. Thanks!</big><br>
<br>
</td>
</tr>
</tbody>
</table>
</center>
</div>
<p><font size="2">Updated 03/08/2004 - <a href="support.htm">Tom
Eastep</a></font><br>
</p>
</body>
</html>