Update for Shorewall 2.0.9

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1641 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2004-09-23 22:50:12 +00:00
parent 1e86648628
commit 58204f5bc0
18 changed files with 890 additions and 457 deletions

View File

@ -1,5 +1,5 @@
# #
# Shorewall 2.0 /etc/shorewall/actions # Shorewall 2.1 /etc/shorewall/actions
# #
# This file allows you to define new ACTIONS for use in rules # This file allows you to define new ACTIONS for use in rules
# (/etc/shorewall/rules). You define the iptables rules to # (/etc/shorewall/rules). You define the iptables rules to
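Review bot: the right-hand header now reads "Shorewall 2.1 /etc/shorewall/actions" while the commit message says "Update for Shorewall 2.0.9" and the version file in this same commit moves 2.0.8 to 2.0.9; confirm the 2.1 label is what this branch should ship, since a config header that names a different release than the package it is installed with is a recurring source of support confusion.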
@ -8,10 +8,12 @@
# #
# ACTION names should begin with an upper-case letter to # ACTION names should begin with an upper-case letter to
# distinguish them from Shorewall-generated chain names and # distinguish them from Shorewall-generated chain names and
# they must need the requirements of a Netfilter chain # they must need the requirements of a Netfilter chain. If
# name as well as the requirements for a Bourne Shell identifier # you intend to log from the action then the name must be
# (must begin with a letter and be composed of letters, digits # no longer than 11 character in length. Names must also
# and underscore characters). # meet the requirements for a Bourne Shell identifier (must
# begin with a letter and be composed of letters, digits and
# underscore characters).
# #
# If you follow the action name with ":DROP", ":REJECT" or # If you follow the action name with ":DROP", ":REJECT" or
# :ACCEPT then the action will be taken before a DROP, REJECT or # :ACCEPT then the action will be taken before a DROP, REJECT or
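Review bot: "they must need the requirements of a Netfilter chain" (carried over unchanged from the left-hand side) should read "they must meet the requirements of a Netfilter chain", and "no longer than 11 character in length" should be "11 characters". The added 11-character limit for actions that log is the part administrators will trip over; it would help to state what happens when a longer name is used (whether shorewall check rejects it or the log output is affected), so the reader knows which symptom to look for.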

View File

@ -42,6 +42,13 @@
# will automatically add this address to the # will automatically add this address to the
# INTERFACE named in the first column. # INTERFACE named in the first column.
# #
# If you have set ADD_SNAT_ALIASES=Yes in
# /etc/shorewall/shorewall.conf then DO NOT
# PLACE YOUR EXTERNAL INTERFACE'S PRIMARY IP
# ADDRESS IN THIS COLUMN -- If you do so, you
# will loose your default route when Shorewall
# starts.
#
# You may also specify a range of up to 256 # You may also specify a range of up to 256
# IP addresses if you want the SNAT address to # IP addresses if you want the SNAT address to
# be assigned from that range in a round-robin # be assigned from that range in a round-robin
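Review bot: "you will loose your default route" should be "you will lose your default route". The warning itself is worth keeping prominent, since an SNAT entry that removes the default route takes the firewall off the network at start time; consider adding one sentence on how to recover (restart networking or re-add the route) so an administrator who hits it is not left guessing.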

View File

@ -195,8 +195,8 @@
# ranges. # ranges.
# #
# If you don't want to restrict client ports but need to # If you don't want to restrict client ports but need to
# specify an ADDRESS in the next column, then place "-" # specify an ORIGINAL DEST in the next column, then place
# in this column. # "-" in this column.
# #
# If your kernel contains multi-port match support, then # If your kernel contains multi-port match support, then
# only a single Netfilter rule will be generated if in # only a single Netfilter rule will be generated if in

View File

@ -14,7 +14,9 @@
# #
# Columns are: # Columns are:
# #
# SUBNET The subnet (host addresses also allowed) # SUBNET The subnet (host addresses also allowed as are IP
# address ranges provided that your kernel and iptables
# include iprange match support).
# TARGET Where to send packets to/from this subnet # TARGET Where to send packets to/from this subnet
# RETURN - let the packet be processed normally # RETURN - let the packet be processed normally
# DROP - silently drop the packet # DROP - silently drop the packet
@ -47,8 +49,9 @@
49.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98 49.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
50.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98 50.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
58.0.0.0/7 logdrop # Reserved 58.0.0.0/7 logdrop # Reserved
71.0.0.0/8 logdrop # Reserved 73.0.0.0/8 logdrop # Reserved
72.0.0.0/5 logdrop # Reserved 74.0.0.0/7 logdrop # Reserved
76.0.0.0/6 logdrop # Reserved
89.0.0.0/8 logdrop # Reserved 89.0.0.0/8 logdrop # Reserved
90.0.0.0/7 logdrop # Reserved 90.0.0.0/7 logdrop # Reserved
92.0.0.0/6 logdrop # Reserved 92.0.0.0/6 logdrop # Reserved
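Review bot: the right-hand side replaces 71.0.0.0/8 and 72.0.0.0/5 with 73.0.0.0/8, 74.0.0.0/7 and 76.0.0.0/6, which removes 71.0.0.0/8 and 72.0.0.0/8 from the logdrop list without saying why. Since this loosens what the firewall drops, the change deserves a provenance comment in the style of the neighbouring entries (e.g. "# JTC - Returned to IANA Mar 98") instead of a bare "# Reserved", and a line in the changelog so administrators who rely on the bogon list know that traffic from those two /8s will now reach their rules.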

View File

@ -2075,6 +2075,8 @@ process_tc_rule()
fi fi
[ "x$dest" = "x-" ] || r="${r}-d $dest " [ "x$dest" = "x-" ] || r="${r}-d $dest "
[ "x$proto" = "x-" ] && proto=all
[ "x$proto" = "x" ] && proto=all
[ "$proto" = "all" ] || r="${r}-p $proto " [ "$proto" = "all" ] || r="${r}-p $proto "
[ "x$port" = "x-" ] || r="${r}--dport $port " [ "x$port" = "x-" ] || r="${r}--dport $port "
[ "x$sport" = "x-" ] || r="${r}--sport $sport " [ "x$sport" = "x-" ] || r="${r}--sport $sport "
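Review bot: the two added tests both normalize PROTO to "all" (for "-" and for an empty column); a single case $proto in -|"") proto=all ;; esac would express that in one statement. More importantly, once proto is "all" the -p match is skipped entirely, yet the following lines still append --dport $port and --sport $sport whenever those columns are not "-"; iptables rejects --dport/--sport without a protocol, so an entry with a port but no protocol will now fail at load time with an iptables error rather than a clear message. Consider checking for that combination here and reporting it as a configuration error.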

View File

@ -1 +1 @@
2.0.8 2.0.9

View File

@ -15,7 +15,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2004-08-10</pubdate> <pubdate>2004-09-10</pubdate>
<copyright> <copyright>
<year>2001-2004</year> <year>2001-2004</year>
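Review bot: this pubdate is moved to 2004-09-10 while the other documents touched in this commit are dated 2004-09-23 and the commit itself is from 2004-09-23; if the important note added below was written for this release, the pubdate should match.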
@ -1759,6 +1759,17 @@ DNAT loc:<emphasis role="bold">192.168.1.0/24</emphasis> loc:192.168.1.3 tcp
address), the original source address is used. If you want any address), the original source address is used. If you want any
destination address to match the rule but want to specify SNAT, destination address to match the rule but want to specify SNAT,
simply use a colon followed by the SNAT address.</para> simply use a colon followed by the SNAT address.</para>
<important>
<para>Shorewall does not take any steps to ensure that IP
addresses entered in this column are added to the appropriate
firewall interface. Unless traffic for this address is
automatically routed to the firewall by another router, it is your
responsibility to add the address using your distributions network
configuration facilities. See <ulink
url="Shorewall_and_Aliased_Interfaces.html">this article</ulink>
for additional information.</para>
</important>
</listitem> </listitem>
</varlistentry> </varlistentry>
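Review bot: "your distributions network configuration facilities" needs an apostrophe ("your distribution's"). The note would also be more useful if it mentioned the ADD_SNAT_ALIASES option that the masq file comment in this same commit refers to, since that is the mechanism by which Shorewall can add the address for you, together with the caveat from that comment about not listing the interface's primary address.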
@ -3553,7 +3564,7 @@ eth1 -</programlisting>
<member>No - Only traffic to/from some of the hosts in this zone <member>No - Only traffic to/from some of the hosts in this zone
is encrypted. Those encrypted hosts are designated using the is encrypted. Those encrypted hosts are designated using the
<emphasis role="bold">ipsec</emphasis> option in <link <emphasis role="bold">ipsec</emphasis> option in <link
linkend="Hosts">/etc/shorewall/hosts</link>. </member> linkend="Hosts">/etc/shorewall/hosts</link>.</member>
</simplelist> </simplelist>
</glossdef> </glossdef>
</glossentry> </glossentry>

View File

@ -15,7 +15,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2004-07-20</pubdate> <pubdate>2004-09-23</pubdate>
<copyright> <copyright>
<year>2001-2004</year> <year>2001-2004</year>
@ -31,14 +31,21 @@
1.2 or any later version published by the Free Software Foundation; with 1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para> <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice> </legalnotice>
</articleinfo> </articleinfo>
<note>
<para>The complete Shorewall Documentation is <ulink
url="http://www.shorewall.net/download.htm">available for download</ulink>
in both Docbook XML and HTML formats.</para>
</note>
<caution> <caution>
<para>Are you running Shorewall on <ulink <para>Are you running Shorewall on <ulink
url="http://www.mandrakesoft.com"><trademark>Mandrake</trademark> Linux</ulink> url="http://www.mandrakesoft.com"><trademark>Mandrake</trademark>
with a two-interface setup?</para> Linux</ulink> with a two-interface setup?</para>
<para>If so and if you configured your system while running a Mandrake <para>If so and if you configured your system while running a Mandrake
release earlier than 10.0 final then this documentation will not apply release earlier than 10.0 final then this documentation will not apply
@ -51,7 +58,8 @@
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para><ulink url="Introduction.html">Introduction to Shorewall</ulink></para> <para><ulink url="Introduction.html">Introduction to
Shorewall</ulink></para>
</listitem> </listitem>
<listitem> <listitem>
@ -107,48 +115,167 @@
<listitem> <listitem>
<para><ulink url="configuration_file_basics.htm">Common configuration <para><ulink url="configuration_file_basics.htm">Common configuration
file features&#x00A0;</ulink><itemizedlist><listitem><para><ulink file features&nbsp;</ulink><itemizedlist>
url="configuration_file_basics.htm#Comments">Comments in configuration <listitem>
files</ulink></para></listitem><listitem><para><ulink <para><ulink url="configuration_file_basics.htm#Comments">Comments
url="configuration_file_basics.htm#Continuation">Line Continuation</ulink></para></listitem><listitem><para><ulink in configuration files</ulink></para>
url="configuration_file_basics.htm#INCLUDE">INCLUDE Directive</ulink></para></listitem><listitem><para><ulink </listitem>
url="configuration_file_basics.htm#Ports">Port Numbers/Service Names</ulink>configuration_file_basics.htm#Ports</para></listitem><listitem><para><ulink
url="configuration_file_basics.htm#Ranges">Port Ranges</ulink></para></listitem><listitem><para><ulink <listitem>
url="configuration_file_basics.htm#Variables">Using Shell Variables</ulink></para></listitem><listitem><para><ulink <para><ulink url="configuration_file_basics.htm#Continuation">Line
url="configuration_file_basics.htm#dnsnames">Using DNS Names</ulink></para></listitem><listitem><para><ulink Continuation</ulink></para>
url="configuration_file_basics.htm#Compliment">Complementing an IP </listitem>
address or Subnet</ulink></para></listitem><listitem><para><ulink
url="configuration_file_basics.htm#Levels">Shorewall Configurations <listitem>
(making a test configuration)</ulink></para></listitem><listitem><para><ulink <para><ulink url="configuration_file_basics.htm#INCLUDE">INCLUDE
url="configuration_file_basics.htm#MAC">Using MAC Addresses in Shorewall</ulink></para></listitem></itemizedlist></para> Directive</ulink></para>
</listitem>
<listitem>
<para><ulink url="configuration_file_basics.htm#Ports">Port
Numbers/Service
Names</ulink>configuration_file_basics.htm#Ports</para>
</listitem>
<listitem>
<para><ulink url="configuration_file_basics.htm#Ranges">Port
Ranges</ulink></para>
</listitem>
<listitem>
<para><ulink url="configuration_file_basics.htm#Variables">Using
Shell Variables</ulink></para>
</listitem>
<listitem>
<para><ulink url="configuration_file_basics.htm#dnsnames">Using
DNS Names</ulink></para>
</listitem>
<listitem>
<para><ulink
url="configuration_file_basics.htm#Compliment">Complementing an IP
address or Subnet</ulink></para>
</listitem>
<listitem>
<para><ulink url="configuration_file_basics.htm#Levels">Shorewall
Configurations (making a test configuration)</ulink></para>
</listitem>
<listitem>
<para><ulink url="configuration_file_basics.htm#MAC">Using MAC
Addresses in Shorewall</ulink></para>
</listitem>
</itemizedlist></para>
</listitem> </listitem>
<listitem> <listitem>
<para><ulink url="Documentation.htm">Configuration File Reference Manual <para><ulink url="Documentation.htm">Configuration File Reference Manual
</ulink><itemizedlist><listitem><para><ulink </ulink><itemizedlist>
url="Documentation.htm#Variables">params</ulink></para></listitem><listitem><para><ulink <listitem>
url="Documentation.htm#Zones">zones</ulink></para></listitem><listitem><para><ulink <para><ulink
url="Documentation.htm#Interfaces">interfaces</ulink></para></listitem><listitem><para><ulink url="Documentation.htm#Variables">params</ulink></para>
url="Documentation.htm#Hosts">hosts</ulink></para></listitem><listitem><para><ulink </listitem>
url="Documentation.htm#Policy">policy</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#Rules">rules</ulink></para></listitem><listitem><para><ulink <listitem>
url="Documentation.htm#Masq">masq</ulink></para></listitem><listitem><para><ulink <para><ulink url="Documentation.htm#Zones">zones</ulink></para>
url="Documentation.htm#ProxyArp">proxyarp</ulink></para></listitem><listitem><para><ulink </listitem>
url="Documentation.htm#NAT">nat</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#Tunnels">tunnels</ulink></para></listitem><listitem><para><ulink <listitem>
url="traffic_shaping.htm#tcrules">tcrules</ulink></para></listitem><listitem><para><ulink <para><ulink
url="Documentation.htm#Conf">shorewall.conf</ulink></para></listitem><listitem><para><ulink url="Documentation.htm#Interfaces">interfaces</ulink></para>
url="Documentation.htm#modules">modules</ulink></para></listitem><listitem><para><ulink </listitem>
url="Documentation.htm#TOS">tos</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#Blacklist">blacklist</ulink></para></listitem><listitem><para><ulink <listitem>
url="Documentation.htm#rfc1918">rfc1918</ulink></para></listitem><listitem><para><ulink <para><ulink url="Documentation.htm#Hosts">hosts</ulink></para>
url="Documentation.htm#Routestopped">routestopped</ulink></para></listitem><listitem><para><ulink </listitem>
url="Accounting.html">accounting</ulink></para></listitem><listitem><para><ulink
url="UserSets.html">usersets and users</ulink></para></listitem><listitem><para><ulink <listitem>
url="MAC_Validation.html">maclist</ulink></para></listitem><listitem><para><ulink <para><ulink url="Documentation.htm#Policy">policy</ulink></para>
url="User_defined_Actions.html">actions and action.template</ulink></para></listitem><listitem><para><ulink </listitem>
url="Documentation.htm#Bogons">bogons</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#Netmap">netmap</ulink></para></listitem></itemizedlist></para> <listitem>
<para><ulink url="Documentation.htm#Rules">rules</ulink></para>
</listitem>
<listitem>
<para><ulink url="Documentation.htm#Masq">masq</ulink></para>
</listitem>
<listitem>
<para><ulink
url="Documentation.htm#ProxyArp">proxyarp</ulink></para>
</listitem>
<listitem>
<para><ulink url="Documentation.htm#NAT">nat</ulink></para>
</listitem>
<listitem>
<para><ulink
url="Documentation.htm#Tunnels">tunnels</ulink></para>
</listitem>
<listitem>
<para><ulink
url="traffic_shaping.htm#tcrules">tcrules</ulink></para>
</listitem>
<listitem>
<para><ulink
url="Documentation.htm#Conf">shorewall.conf</ulink></para>
</listitem>
<listitem>
<para><ulink
url="Documentation.htm#modules">modules</ulink></para>
</listitem>
<listitem>
<para><ulink url="Documentation.htm#TOS">tos</ulink></para>
</listitem>
<listitem>
<para><ulink
url="Documentation.htm#Blacklist">blacklist</ulink></para>
</listitem>
<listitem>
<para><ulink
url="Documentation.htm#rfc1918">rfc1918</ulink></para>
</listitem>
<listitem>
<para><ulink
url="Documentation.htm#Routestopped">routestopped</ulink></para>
</listitem>
<listitem>
<para><ulink url="Accounting.html">accounting</ulink></para>
</listitem>
<listitem>
<para><ulink url="UserSets.html">usersets and users</ulink></para>
</listitem>
<listitem>
<para><ulink url="MAC_Validation.html">maclist</ulink></para>
</listitem>
<listitem>
<para><ulink url="User_defined_Actions.html">actions and
action.template</ulink></para>
</listitem>
<listitem>
<para><ulink url="Documentation.htm#Bogons">bogons</ulink></para>
</listitem>
<listitem>
<para><ulink url="Documentation.htm#Netmap">netmap</ulink></para>
</listitem>
</itemizedlist></para>
</listitem> </listitem>
<listitem> <listitem>
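Review bot: the stray text "configuration_file_basics.htm#Ports" that follows the "Port Numbers/Service Names" link on the left survives the reflow on the right ("Names</ulink>configuration_file_basics.htm#Ports</para>"); it renders as visible junk after the link and should be deleted while this list is being reformatted.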
@ -161,7 +288,8 @@
</listitem> </listitem>
<listitem> <listitem>
<para><ulink url="ECN.html">ECN Disabling by host or subnet</ulink></para> <para><ulink url="ECN.html">ECN Disabling by host or
subnet</ulink></para>
</listitem> </listitem>
<listitem> <listitem>
@ -169,9 +297,9 @@
</listitem> </listitem>
<listitem> <listitem>
<para><ulink url="shorewall_extension_scripts.htm">Extension Scripts</ulink> <para><ulink url="shorewall_extension_scripts.htm">Extension
(How to extend Shorewall without modifying Shorewall code through the Scripts</ulink> (How to extend Shorewall without modifying Shorewall
use of files in /etc/shorewall -- /etc/shorewall/start, code through the use of files in /etc/shorewall -- /etc/shorewall/start,
/etc/shorewall/stopped, etc.)</para> /etc/shorewall/stopped, etc.)</para>
</listitem> </listitem>
@ -197,7 +325,8 @@
</listitem> </listitem>
<listitem> <listitem>
<para><ulink url="support.htm">Getting help or answers to questions</ulink></para> <para><ulink url="support.htm">Getting help or answers to
questions</ulink></para>
</listitem> </listitem>
<listitem> <listitem>
@ -209,7 +338,8 @@
</listitem> </listitem>
<listitem> <listitem>
<para><ulink url="Shorewall_and_Kazaa.html">Kazaa Filtering</ulink></para> <para><ulink url="Shorewall_and_Kazaa.html">Kazaa
Filtering</ulink></para>
</listitem> </listitem>
<listitem> <listitem>
@ -235,7 +365,8 @@
</listitem> </listitem>
<listitem> <listitem>
<para><ulink url="NetfilterOverview.html">Netfilter Overview</ulink></para> <para><ulink url="NetfilterOverview.html">Netfilter
Overview</ulink></para>
</listitem> </listitem>
<listitem> <listitem>
@ -261,7 +392,7 @@
</listitem> </listitem>
<listitem> <listitem>
<para><ulink url="ping.html">&#39;Ping&#39; Management</ulink></para> <para><ulink url="ping.html">'Ping' Management</ulink></para>
</listitem> </listitem>
<listitem> <listitem>
@ -291,11 +422,13 @@
</listitem> </listitem>
<listitem> <listitem>
<para><ulink url="shorewall_prerequisites.htm">Requirements</ulink></para> <para><ulink
url="shorewall_prerequisites.htm">Requirements</ulink></para>
</listitem> </listitem>
<listitem> <listitem>
<para><ulink url="Multiple_Zones.html">Routing on One Interface</ulink></para> <para><ulink url="Multiple_Zones.html">Routing on One
Interface</ulink></para>
</listitem> </listitem>
<listitem> <listitem>
@ -303,29 +436,117 @@
</listitem> </listitem>
<listitem> <listitem>
<para><ulink url="shorewall_setup_guide.htm">Shorewall Setup Guide</ulink><itemizedlist><listitem><para><ulink <para><ulink url="shorewall_setup_guide.htm">Shorewall Setup
url="shorewall_setup_guide.htm#Introduction">Introduction</ulink></para></listitem><listitem><para><ulink Guide</ulink><itemizedlist>
url="shorewall_setup_guide.htm#Concepts">Shorewall Concepts</ulink></para></listitem><listitem><para><ulink <listitem>
url="shorewall_setup_guide.htm#Interfaces">Network Interfaces</ulink></para></listitem><listitem><para><ulink <para><ulink
url="shorewall_setup_guide.htm#Addressing">Addressing, Subnets and url="shorewall_setup_guide.htm#Introduction">Introduction</ulink></para>
Routing</ulink></para><itemizedlist><listitem><para><ulink </listitem>
url="shorewall_setup_guide.htm#Addresses">IP Addresses</ulink></para></listitem><listitem><para><ulink
url="shorewall_setup_guide.htm#Subnets">Subnets</ulink></para></listitem><listitem><para><ulink <listitem>
url="shorewall_setup_guide.htm#Routing">Routing</ulink></para></listitem><listitem><para><ulink <para><ulink url="shorewall_setup_guide.htm#Concepts">Shorewall
url="shorewall_setup_guide.htm#ARP">Address Resolution Protocol (ARP)</ulink></para></listitem><listitem><para><ulink Concepts</ulink></para>
url="shorewall_setup_guide.htm#RFC1918">RFC 1918</ulink></para></listitem></itemizedlist></listitem><listitem><para><ulink </listitem>
url="shorewall_setup_guide.htm#Options">Setting up your Network</ulink></para><itemizedlist><listitem><para><ulink
url="shorewall_setup_guide.htm#Routed">Routed</ulink></para></listitem><listitem><para><ulink <listitem>
url="shorewall_setup_guide.htm#NonRouted">Non-routed</ulink></para><itemizedlist><listitem><para><ulink <para><ulink url="shorewall_setup_guide.htm#Interfaces">Network
url="shorewall_setup_guide.htm#SNAT">SNAT</ulink></para></listitem><listitem><para><ulink Interfaces</ulink></para>
url="shorewall_setup_guide.htm#DNAT">DNAT</ulink></para></listitem><listitem><para><ulink </listitem>
url="shorewall_setup_guide.htm#ProxyARP">Proxy ARP</ulink></para></listitem><listitem><para><ulink
url="shorewall_setup_guide.htm#NAT">One-to-one NAT</ulink></para></listitem></itemizedlist></listitem><listitem><para><ulink <listitem>
url="shorewall_setup_guide.htm#Rules">Rules</ulink></para></listitem><listitem><para><ulink <para><ulink
url="shorewall_setup_guide.htm#OddsAndEnds">Odds and Ends</ulink></para></listitem></itemizedlist></listitem><listitem><para><ulink url="shorewall_setup_guide.htm#Addressing">Addressing, Subnets and
url="shorewall_setup_guide.htm#DNS">DNS</ulink></para></listitem><listitem><para><ulink Routing</ulink></para>
url="starting_and_stopping_shorewall.htm">Starting and Stopping the
Firewall</ulink></para></listitem></itemizedlist></para> <itemizedlist>
<listitem>
<para><ulink url="shorewall_setup_guide.htm#Addresses">IP
Addresses</ulink></para>
</listitem>
<listitem>
<para><ulink
url="shorewall_setup_guide.htm#Subnets">Subnets</ulink></para>
</listitem>
<listitem>
<para><ulink
url="shorewall_setup_guide.htm#Routing">Routing</ulink></para>
</listitem>
<listitem>
<para><ulink url="shorewall_setup_guide.htm#ARP">Address
Resolution Protocol (ARP)</ulink></para>
</listitem>
<listitem>
<para><ulink url="shorewall_setup_guide.htm#RFC1918">RFC
1918</ulink></para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para><ulink url="shorewall_setup_guide.htm#Options">Setting up
your Network</ulink></para>
<itemizedlist>
<listitem>
<para><ulink
url="shorewall_setup_guide.htm#Routed">Routed</ulink></para>
</listitem>
<listitem>
<para><ulink
url="shorewall_setup_guide.htm#NonRouted">Non-routed</ulink></para>
<itemizedlist>
<listitem>
<para><ulink
url="shorewall_setup_guide.htm#SNAT">SNAT</ulink></para>
</listitem>
<listitem>
<para><ulink
url="shorewall_setup_guide.htm#DNAT">DNAT</ulink></para>
</listitem>
<listitem>
<para><ulink
url="shorewall_setup_guide.htm#ProxyARP">Proxy
ARP</ulink></para>
</listitem>
<listitem>
<para><ulink
url="shorewall_setup_guide.htm#NAT">One-to-one
NAT</ulink></para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para><ulink
url="shorewall_setup_guide.htm#Rules">Rules</ulink></para>
</listitem>
<listitem>
<para><ulink url="shorewall_setup_guide.htm#OddsAndEnds">Odds
and Ends</ulink></para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para><ulink
url="shorewall_setup_guide.htm#DNS">DNS</ulink></para>
</listitem>
<listitem>
<para><ulink url="starting_and_stopping_shorewall.htm">Starting
and Stopping the Firewall</ulink></para>
</listitem>
</itemizedlist></para>
</listitem> </listitem>
<listitem> <listitem>
@ -334,13 +555,20 @@
<listitem> <listitem>
<para><ulink url="starting_and_stopping_shorewall.htm">Starting/stopping <para><ulink url="starting_and_stopping_shorewall.htm">Starting/stopping
the Firewall</ulink><itemizedlist><listitem><para>Description of all the Firewall</ulink><itemizedlist>
/sbin/shorewall commands</para></listitem><listitem><para>How to safely <listitem>
test a Shorewall configuration change</para></listitem></itemizedlist></para> <para>Description of all /sbin/shorewall commands</para>
</listitem>
<listitem>
<para>How to safely test a Shorewall configuration change</para>
</listitem>
</itemizedlist></para>
</listitem> </listitem>
<listitem> <listitem>
<para><ulink url="Shorewall_Squid_Usage.html">Squid with Shorewall</ulink></para> <para><ulink url="Shorewall_Squid_Usage.html">Squid with
Shorewall</ulink></para>
</listitem> </listitem>
<listitem> <listitem>
@ -352,16 +580,18 @@
</listitem> </listitem>
<listitem> <listitem>
<para><ulink url="traffic_shaping.htm">Traffic Shaping/QOS</ulink></para> <para><ulink url="traffic_shaping.htm">Traffic
Shaping/QOS</ulink></para>
</listitem> </listitem>
<listitem> <listitem>
<para><ulink url="troubleshoot.htm">Troubleshooting</ulink> (Things to <para><ulink url="troubleshoot.htm">Troubleshooting</ulink> (Things to
try if it doesn&#39;t work)</para> try if it doesn't work)</para>
</listitem> </listitem>
<listitem> <listitem>
<para><ulink url="User_defined_Actions.html">User-defined Actions</ulink></para> <para><ulink url="User_defined_Actions.html">User-defined
Actions</ulink></para>
</listitem> </listitem>
<listitem> <listitem>
@ -402,13 +632,15 @@
</listitem> </listitem>
<listitem> <listitem>
<para><ulink url="GenericTunnels.html">Other VPN types</ulink></para> <para><ulink url="GenericTunnels.html">Other VPN
types</ulink></para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
</listitem> </listitem>
<listitem> <listitem>
<para><ulink url="whitelisting_under_shorewall.htm">White List Creation</ulink></para> <para><ulink url="whitelisting_under_shorewall.htm">White List
Creation</ulink></para>
</listitem> </listitem>
</orderedlist> </orderedlist>
</article> </article>

View File

@ -17,7 +17,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2004-08-31</pubdate> <pubdate>2004-09-23</pubdate>
<copyright> <copyright>
<year>2001-2004</year> <year>2001-2004</year>
@ -617,6 +617,10 @@ to debug/develop the newnat interface.</programlisting></para>
<para>Answer: Add the <firstterm>routeback</firstterm> option to <para>Answer: Add the <firstterm>routeback</firstterm> option to
<filename class="devicefile">br0</filename> in <ulink <filename class="devicefile">br0</filename> in <ulink
url="Documentation.htm#Interfaces">/etc/shorewall/interfaces</ulink>.</para> url="Documentation.htm#Interfaces">/etc/shorewall/interfaces</ulink>.</para>
<para>For more information on this type of configuration, see the <ulink
url="SimpleBridge.html">Shorewall Simple Bridge
documentation</ulink>.</para>
</section> </section>
</section> </section>
@ -817,10 +821,11 @@ LOGBURST=""</programlisting>
</section> </section>
<section id="faq17"> <section id="faq17">
<title>(FAQ 17) What does this log message mean?</title> <title>(FAQ 17) Why are these packets being Dropped/Rejected?</title>
<para><emphasis role="bold">Answer:</emphasis> Logging occurs out of a <para><emphasis role="bold">Answer:</emphasis> Logging of
number of chains (as indicated in the log message) in Shorewall:</para> dropped/rejected packets occurs out of a number of chains (as indicated
in the log message) in Shorewall:</para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
@ -937,9 +942,14 @@ LOGBURST=""</programlisting>
<para>The packet has a source IP address that isn't in any of your <para>The packet has a source IP address that isn't in any of your
defined zones (<quote>shorewall check</quote> and look at the defined zones (<quote>shorewall check</quote> and look at the
printed zone definitions) or the chain is FORWARD and the printed zone definitions) or the chain is FORWARD and the
destination IP isn't in any of your defined zones. Also see <xref destination IP isn't in any of your defined zones. If the chain is
linkend="faq2a" /> for another cause of packets being logged in FORWARD and the IN and OUT interfaces are the same, then you
the FORWARD chain.</para> probably need the <emphasis role="bold">routeback</emphasis>
option on that interface in <filename><ulink
url="Documentation.htm#Interfaces">/etc/shorewall/interfaces</ulink></filename>
or you need the <emphasis role="bold">routeback</emphasis> option
in the relevant entry in <filename><ulink
url="Documentation.htm#Hosts">/etc/shorewall/hosts</ulink></filename>.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
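Review bot: the replacement text drops the cross-reference to faq2a and inlines the routeback advice instead; check that faq2a is still reachable from somewhere else, and consider linking to FAQ 35 (whose answer in the hunk above gives the same routeback instruction and now links to the Simple Bridge documentation) rather than restating it here, so the two answers cannot drift apart.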
@ -976,7 +986,7 @@ LOGBURST=""</programlisting>
<para>This packet was REJECTed out of the <emphasis <para>This packet was REJECTed out of the <emphasis
role="bold">all2all</emphasis> chain -- the packet was rejected role="bold">all2all</emphasis> chain -- the packet was rejected
under the <quote>all</quote>-&gt;<quote>all</quote> REJECT under the <quote>all</quote>-&gt;<quote>all</quote> REJECT
policy (<xref linkend="all2all" /> above).</para> policy (<link linkend="all2all">all2all</link> above).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -1820,6 +1830,27 @@ iptables: Invalid argument
<title>Revision History</title> <title>Revision History</title>
<para><revhistory> <para><revhistory>
<revision>
<revnumber>1.32</revnumber>
<date>2004-09-23</date>
<authorinitials>TE</authorinitials>
<revremark>Add link to simple bridge documentation from FAQ
35.</revremark>
</revision>
<revision>
<revnumber>1.31</revnumber>
<date>2004-09-12</date>
<authorinitials>TE</authorinitials>
<revremark>Rename FAQ 17.</revremark>
</revision>
<revision> <revision>
<revnumber>1.30</revnumber> <revnumber>1.30</revnumber>

View File

@ -21,7 +21,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2003-02-04</pubdate> <pubdate>2004-09-14</pubdate>
<copyright> <copyright>
<year>2003</year> <year>2003</year>
@ -37,7 +37,8 @@
1.2 or any later version published by the Free Software Foundation; with 1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para> <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice> </legalnotice>
</articleinfo> </articleinfo>
@ -45,8 +46,9 @@
Network) daemon which can be used to securely link two or more private Network) daemon which can be used to securely link two or more private
networks using an encrypted tunnel over the internet. OpenVPN is an Open networks using an encrypted tunnel over the internet. OpenVPN is an Open
Source project and is <ulink Source project and is <ulink
url="http://openvpn.sourceforge.net/license.html">licensed under the GPL</ulink>. url="http://openvpn.sourceforge.net/license.html">licensed under the
OpenVPN can be downloaded from <ulink url="http://openvpn.sourceforge.net/">http://openvpn.sourceforge.net/</ulink>.</para> GPL</ulink>. OpenVPN can be downloaded from <ulink
url="http://openvpn.sourceforge.net/">http://openvpn.sourceforge.net/</ulink>.</para>
<para>OpenVPN support was added to Shorewall in version 1.3.14.</para> <para>OpenVPN support was added to Shorewall in version 1.3.14.</para>
@ -59,146 +61,73 @@
<para>We want systems in the 192.168.1.0/24 subnetwork to be able to <para>We want systems in the 192.168.1.0/24 subnetwork to be able to
communicate with the systems in the 10.0.0.0/8 network. This is communicate with the systems in the 10.0.0.0/8 network. This is
accomplished through use of the /etc/shorewall/tunnels file and the accomplished through use of the
/etc/shorewall/policy file and OpenVPN.</para> <filename>/etc/shorewall/tunnels</filename> file and the
<filename>/etc/shorewall/policy file</filename> and OpenVPN.</para>
<para>While it was possible to use the Shorewall start and stop script to <para>While it was possible to use the Shorewall start and stop script to
start and stop OpenVPN, I decided to use the init script of OpenVPN to start and stop OpenVPN, I decided to use the init script of OpenVPN to
start and stop it.</para> start and stop it.</para>
<para>On each firewall, you will need to declare a zone to represent the <para>On each firewall, you will need to declare a zone to represent the
remote subnet. We&#39;ll assume that this zone is called <quote>vpn</quote> remote subnet. We'll assume that this zone is called <quote>vpn</quote>
and declare it in /etc/shorewall/zones on both systems as follows.</para> and declare it in <filename>/etc/shorewall/zones</filename> on both
systems as follows.</para>
<table> <blockquote>
<title>/etc/shorewall/zones system A &#38; B</title> <para><filename>/etc/shorewall/zones</filename> — Systems A &amp;
B</para>
<tgroup cols="3"> <programlisting>#ZONE DISPLAY COMMENTS
<thead> vpn VPN Remote subnet</programlisting>
<row> </blockquote>
<entry align="center">ZONE</entry>
<entry align="center">DISPLAY</entry> <para>On system A, the 10.0.0.0/8 will comprise the <emphasis
role="bold">vpn</emphasis> zone.</para>
<entry align="center">COMMENTS</entry> <blockquote>
</row> <para>In <filename>/etc/shorewall/interfaces</filename> on system
</thead> A:</para>
<tbody> <programlisting>#ZONE INTERFACE BROADCAST OPTIONS
<row> vpn tun0</programlisting>
<entry>vpn</entry> </blockquote>
<entry>VPN</entry> <para>In <filename>/etc/shorewall/tunnels</filename> on system A, we need
the following:</para>
<entry>Remote Subnet</entry> <blockquote>
</row> <programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
</tbody> openvpn net 134.28.54.2</programlisting>
</tgroup> </blockquote>
</table>
<para>On system A, the 10.0.0.0/8 will comprise the <emphasis role="bold">vpn</emphasis> <note>
zone. In /etc/shorewall/interfaces:</para> <para>Some OpenVPN clients (notabley on <trademark>Windows</trademark>)
do not use the same source and destination ports which can cause
problems. If system B is a Windows system, then you will want the
following entry in /etc/shorewall/tunnels instead of the one
above:</para>
<table> <programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
<title>etc/shorewall/interfaces system A</title> generic:udp:5000 net 134.28.54.2</programlisting>
</note>
<tgroup cols="4"> <para>This entry in <filename>/etc/shorewall/tunnels</filename> opens the
<thead> firewall so that OpenVPN traffic on the default port 5000/udp will be
<row> accepted to/from the remote gateway. If you change the port used by
<entry align="center">ZONE</entry> OpenVPN to 7777, you can define /etc/shorewall/tunnels like this:</para>
<entry align="center">INTERFACE</entry> <blockquote>
<para> /etc/shorewall/tunnels with port 7777:</para>
<entry align="center">BROADCAST</entry> <programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
openvpn:77777 net 134.28.54.2</programlisting>
<entry align="center">OPTIONS</entry> </blockquote>
</row>
</thead>
<tbody>
<row>
<entry>vpn</entry>
<entry>tun0</entry>
<entry></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<para>In /etc/shorewall/tunnels on system A, we need the following:</para>
<table>
<title>/etc/shorewall/tunnels system A</title>
<tgroup cols="4">
<thead>
<row>
<entry align="center">TYPE</entry>
<entry align="center">ZONE</entry>
<entry align="center">GATEWAY</entry>
<entry align="center">GATEWAY ZONE</entry>
</row>
</thead>
<tbody>
<row>
<entry>openvpn</entry>
<entry>net</entry>
<entry>134.28.54.2</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<para>This entry in /etc/shorewall/tunnels opens the firewall so that
OpenVPN traffic on the default port 5000/udp will be accepted to/from the
remote gateway. If you change the port used by OpenVPN to 7777, you can
define /etc/shorewall/tunnels like this:</para>
<table>
<title>/etc/shorewall/tunnels port 7777</title>
<tgroup cols="4">
<thead>
<row>
<entry align="center">TYPE</entry>
<entry align="center">ZONE</entry>
<entry align="center">GATEWAY</entry>
<entry align="center">GATEWAY ZONE</entry>
</row>
</thead>
<tbody>
<row>
<entry>openvpn:7777</entry>
<entry>net</entry>
<entry>134.28.54.2</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<para>This is the OpenVPN config on system A:</para> <para>This is the OpenVPN config on system A:</para>
<programlisting>dev tun <blockquote>
<programlisting>dev tun
local 206.162.148.9 local 206.162.148.9
remote 134.28.54.2 remote 134.28.54.2
ifconfig 192.168.99.1 192.168.99.2 ifconfig 192.168.99.1 192.168.99.2
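Review bot: the port-7777 example in the new tunnels listing carries a typo: `openvpn:77777 net 134.28.54.2` uses 77777, which is outside the 16-bit port range and contradicts both the surrounding sentence (port 7777) and the table it replaces (`openvpn:7777`); change it to `openvpn:7777`. Two smaller points in the same hunk: `<filename>/etc/shorewall/policy file</filename>` puts the word "file" inside the filename element, and "notabley" in the Windows note should read "notably"; the path in that note (`/etc/shorewall/tunnels`) could also take the `<filename>` markup the rest of the hunk now uses.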
@ -210,75 +139,31 @@ cert my-a.crt
key my-a.key key my-a.key
comp-lzo comp-lzo
verb 5</programlisting> verb 5</programlisting>
</blockquote>
<para>Similarly, On system B the 192.168.1.0/24 subnet will comprise the <para>Similarly, On system B the 192.168.1.0/24 subnet will comprise the
<emphasis role="bold">vpn</emphasis> zone. In /etc/shorewall/interfaces:</para> <emphasis role="bold">vpn</emphasis> zone</para>
<table> <blockquote>
<title>/etc/shorewall/interfaces system B</title> <para>In <filename>/etc/shorewall/interfaces</filename> on system
B:</para>
<tgroup cols="4"> <programlisting>#ZONE INTERFACE BROADCAST OPTIONS
<thead> vpn tun0 192.168.1.255</programlisting>
<row> </blockquote>
<entry align="center">ZONE</entry>
<entry align="center">INTERFACE</entry> <para>In <filename>/etc/shorewall/tunnels</filename> on system B, we
have:</para>
<entry align="center">BROADCAST</entry> <blockquote>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
<entry align="center">OPTIONS</entry> openvpn net 206.191.148.9</programlisting>
</row> </blockquote>
</thead>
<tbody>
<row>
<entry>vpn</entry>
<entry>tun0</entry>
<entry>192.168.1.255</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<para>In /etc/shorewall/tunnels on system B, we have:</para>
<table>
<title>/etc/shorewall/tunnels system B</title>
<tgroup cols="4">
<thead>
<row>
<entry align="center">TYPE</entry>
<entry align="center">ZONE</entry>
<entry align="center">GATEWAY</entry>
<entry align="center">GATEWAY ZONE</entry>
</row>
</thead>
<tbody>
<row>
<entry>openvpn</entry>
<entry>net</entry>
<entry>206.191.148.9</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<para>And in the OpenVPN config on system B:</para> <para>And in the OpenVPN config on system B:</para>
<programlisting>dev tun <blockquote>
<programlisting>dev tun
local 134.28.54.2 local 134.28.54.2
remote 206.162.148.9 remote 206.162.148.9
ifconfig 192.168.99.2 192.168.99.1 ifconfig 192.168.99.2 192.168.99.1
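Review bot: the gateway in system B's tunnels entry, `openvpn net 206.191.148.9`, does not match system A's address as given in both OpenVPN configs (`local 206.162.148.9` on A, `remote 206.162.148.9` on B); one of the two is a typo, and a reader who copies the example as written gets a tunnels entry that never matches the peer. Also, the rewritten sentence "Similarly, On system B the 192.168.1.0/24 subnet will comprise the vpn zone" lost its closing period in the new version and keeps a stray capital on "On".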
@ -289,50 +174,20 @@ cert my-b.crt
key my-b.key key my-b.key
comp-lzo comp-lzo
verb 5</programlisting> verb 5</programlisting>
</blockquote>
<para>You will need to allow traffic between the <quote>vpn</quote> zone <para>You will need to allow traffic between the <quote>vpn</quote> zone
and the <quote>loc</quote> zone on both systems -- if you simply want to and the <quote>loc</quote> zone on both systems -- if you simply want to
admit all traffic in both directions, you can use the policy file:</para> admit all traffic in both directions, you can use the policy file:</para>
<table> <blockquote>
<title>/etc/shorewall/policy system A &#38; B</title> <para><filename>/etc/shorewall/policy </filename>on systems A &amp;
B</para>
<tgroup cols="4"> <programlisting>#SOURCE DEST POLICY LOG LEVEL
<thead> loc vpn ACCEPT
<row> vpn loc ACCEPT</programlisting>
<entry align="center">SOURCE</entry> </blockquote>
<entry align="center">DEST</entry>
<entry align="center">POLICY</entry>
<entry align="center">LOG LEVEL</entry>
</row>
</thead>
<tbody>
<row>
<entry>loc</entry>
<entry>vpn</entry>
<entry>ACCEPT</entry>
<entry></entry>
</row>
<row>
<entry>vpn</entry>
<entry>loc</entry>
<entry>ACCEPT</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<para>On both systems, restart Shorewall and start OpenVPN. The systems in <para>On both systems, restart Shorewall and start OpenVPN. The systems in
the two masqueraded subnetworks can now talk to each other.</para> the two masqueraded subnetworks can now talk to each other.</para>
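Review bot: in the new policy caption the separating space sits inside the element, `<filename>/etc/shorewall/policy </filename>on systems A &amp; B`, so the path renders with a trailing blank and "on" is glued to the closing tag; move the space after `</filename>`.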

View File

@ -15,7 +15,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2004-02-04</pubdate> <pubdate>2004-09-16</pubdate>
<copyright> <copyright>
<year>2003-2004</year> <year>2003-2004</year>
@ -29,7 +29,8 @@
1.2 or any later version published by the Free Software Foundation; with 1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para> <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice> </legalnotice>
</articleinfo> </articleinfo>
@ -41,9 +42,8 @@
KazaaLite, iMash and Grokster.</para> KazaaLite, iMash and Grokster.</para>
<para>To filter traffic from your <quote>loc</quote> zone with ftwall, you <para>To filter traffic from your <quote>loc</quote> zone with ftwall, you
insert the following rules <emphasis role="bold">near the top</emphasis> of insert the following rules in /etc/shorewall/rules file after any DROP or
your /etc/shorewall/rules file (before any ACCEPT rules whose source is the REJECT rules whose source is the <quote>loc</quote> zone.</para>
<quote>loc</quote> zone).</para>
<programlisting> #ACTION SOURCE DEST PROTO <programlisting> #ACTION SOURCE DEST PROTO
QUEUE loc net tcp QUEUE loc net tcp
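Review bot: the reworded placement advice drops a condition the old text had. The new sentence says to put the QUEUE rules "after any DROP or REJECT rules whose source is the loc zone" but no longer says they must precede any ACCEPT rules from loc; since Shorewall evaluates rules in order, an ACCEPT for loc to net that comes before `QUEUE loc net tcp` lets that traffic bypass ftwall entirely. Suggest "after any DROP or REJECT rules, but before any ACCEPT rules, whose source is the loc zone".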
@ -54,8 +54,9 @@
and restart Shorewall.</para> and restart Shorewall.</para>
<tip> <tip>
<para>There are ftwall init scripts for use with <trademark>SuSE</trademark> <para>There are ftwall init scripts for use with
and <trademark>Debian</trademark> Linux at <ulink <trademark>SuSE</trademark> and <trademark>Debian</trademark> Linux at
<ulink
url="http://shorewall.net/pub/shorewall/contrib/ftwall">http://shorewall.net/pub/shorewall/contrib/ftwall</ulink>.</para> url="http://shorewall.net/pub/shorewall/contrib/ftwall">http://shorewall.net/pub/shorewall/contrib/ftwall</ulink>.</para>
</tip> </tip>
</article> </article>

View File

@ -0,0 +1,119 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article>
<!--$Id$-->
<articleinfo>
<title>Shorewall and a Simple Bridge</title>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
</authorgroup>
<pubdate>2004-09-23</pubdate>
<copyright>
<year>2004</year>
<holder>Thomas M. Eastep</holder>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<section>
<title>Background</title>
<para>Systems where Shorewall runs normally function as
<firstterm>routers</firstterm>. In the context of the Open System
Interconnect (OSI) reference model, a router operates at layer 3.
Shorewall may also be deployed on a GNU Linux System that acts as a
<firstterm>bridge</firstterm>. Bridges are layer-2 devices in the OSI
model (think of a bridge as an ethernet switch).</para>
<para>Some differences between routers and bridges are:</para>
<orderedlist>
<listitem>
<para>Routers determine packet destination based on the destination IP
address while bridges route traffic based on the destination MAC
address in the ethernet frame.</para>
</listitem>
<listitem>
<para>As a consequence of the first difference, routers can be
connected to more than one IP network while a bridge may be part of
only a single network.</para>
</listitem>
<listitem>
<para>A router cannot forward broadcast packets while a bridge
can.</para>
</listitem>
</orderedlist>
</section>
<section>
<title>Application</title>
<para>There are cases where you want to create a bridge to join two or
more LAN segments and you don't need to restrict the traffic between those
segments. This is the environment that is described in this article.
</para>
<para>If you do need to restrict traffic through the bridge, please refer
to the <ulink url="bridge.html">Shorewall Bridge/Firewall
documentation</ulink>. Also please refer to that documentation for
information about how to create a bridge.</para>
<para>The following diagram shows a firewall for two bridged LAN
segments.</para>
<graphic align="center" fileref="images/SimpleBridge.png" valign="middle" />
<para>This is fundimentally the Two-interface Firewall described in the
<ulink url="two-interface.htm">Two-interface Quickstart Guide</ulink>. The
bridge-specific changes are restricted to the
<filename>/etc/shorewall/interfaces</filename> file.</para>
<para><filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect ...
loc <emphasis role="bold">br0</emphasis> 10.0.1.255 <emphasis
role="bold">routeback</emphasis>,...</programlisting>
<para>So the key points here are:</para>
<itemizedlist>
<listitem>
<para>The <emphasis role="bold">loc</emphasis> interface is <filename
class="devicefile">br0</filename>.</para>
</listitem>
<listitem>
<para>Neither <filename class="devicefile">eth1</filename> nor
<filename class="devicefile">eth2</filename> have IP addresses and
neither are mentioned in the Shorewall configuration.</para>
</listitem>
<listitem>
<para>The <emphasis role="bold">routeback</emphasis> option is
specified for <filename class="devicefile">br0</filename>.</para>
</listitem>
</itemizedlist>
</section>
</article>
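Review bot: the key-points list names the `routeback` option on `br0` but never says why it is required; a sentence explaining that traffic crossing between the two bridged segments enters and leaves the firewall on the same interface (`br0`), which Shorewall will not pass unless `routeback` is set, would keep readers from dropping the option as unnecessary. Typo in the same file: "fundimentally" should be "fundamentally".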

View File

@ -15,7 +15,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2004-09-10</pubdate> <pubdate>2004-09-23</pubdate>
<copyright> <copyright>
<year>2004</year> <year>2004</year>
@ -70,7 +70,7 @@
<section> <section>
<title>Requirements</title> <title>Requirements</title>
<para>In order to use Shorewall with a bridging firewall:</para> <para>In order to use Shorewall as a bridging firewall:</para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
@ -103,6 +103,11 @@
<para>You must be running Shorewall 2.0.1 Beta 1 or later.</para> <para>You must be running Shorewall 2.0.1 Beta 1 or later.</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para>Note that if you need a bridge but do not need to restrict the
traffic through the bridge then any version of Shorewall will work. See
the <ulink url="SimpleBridge.html">Simple Bridge documentation</ulink> for
details.</para>
</section> </section>
<section> <section>

Binary file not shown.

Binary file not shown.

View File

@ -15,7 +15,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2004-09-06</pubdate> <pubdate>2004-09-07</pubdate>
<copyright> <copyright>
<year>2001-2004</year> <year>2001-2004</year>
@ -78,11 +78,11 @@
<listitem> <listitem>
<para>I use SNAT through 206.124.146.179 for&nbsp;my Wife's Windows XP <para>I use SNAT through 206.124.146.179 for&nbsp;my Wife's Windows XP
system <quote>Tarry</quote>, and our&nbsp; dual-booting (Windows system <quote>Tarry</quote>, and our&nbsp; dual-booting (SuSE
XP/SuSE 9.1) laptop <quote>Tipper</quote> which connects through the 9.1/Windows XP) laptop <quote>Tipper</quote> which connects through
Wireless Access Point (wap) via a Wireless Bridge (wet).<note> the Wireless Access Point (wap) via a Wireless Bridge (wet).<note>
<para>While the distance between the WAP and where I usually use <para>While the distance between the WAP and where I usually use
the laptop isn't very far (25 feet or so), using a WAC11 (CardBus the laptop isn't very far (50 feet or so), using a WAC11 (CardBus
wireless card) has proved very unsatisfactory (lots of lost wireless card) has proved very unsatisfactory (lots of lost
connections). By replacing the WAC11 with the WET11 wireless connections). By replacing the WAC11 with the WET11 wireless
bridge, I have virtually eliminated these problems (Being an old bridge, I have virtually eliminated these problems (Being an old
@ -148,7 +148,8 @@
<para>Tarry (192.168.1.4) runs a PPTP server for Road Warrior access from <para>Tarry (192.168.1.4) runs a PPTP server for Road Warrior access from
my work laptop and the Firewall is configured with IPSEC for tunnel mode my work laptop and the Firewall is configured with IPSEC for tunnel mode
road warrior access from Tipper.</para> access from our second home in <ulink
url="http://www.omakchamber.com/">Omak, Washington</ulink>.</para>
<para><graphic align="center" fileref="images/network.png" /></para> <para><graphic align="center" fileref="images/network.png" /></para>
</section> </section>
@ -397,7 +398,7 @@ $EXT_IF:2 eth2 206.124.146.179
</section> </section>
<section> <section>
<title>Tunnels File (Shell variable TEXAS set in <title>Tunnels File (Shell variables TEXAS and OMAK set in
/etc/shorewall/params)</title> /etc/shorewall/params)</title>
<blockquote> <blockquote>
@ -653,6 +654,10 @@ ACCEPT tx loc:192.168.1.5 all
<title>zones</title> <title>zones</title>
<blockquote> <blockquote>
<para>Because <emphasis role="bold">loc</emphasis> is a sub-zone of
<emphasis role="bold">net</emphasis>, <emphasis
role="bold">loc</emphasis> must be defined first.</para>
<programlisting>#ZONE DISPLAY COMMENTS <programlisting>#ZONE DISPLAY COMMENTS
loc Local Local networks loc Local Local networks
net Internet The Big Bad Internet net Internet The Big Bad Internet
@ -688,7 +693,7 @@ all all REJECT info
<blockquote> <blockquote>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS <programlisting>#ZONE INTERFACE BROADCAST OPTIONS
- br0 192.168.1.255 dhcp - br0 192.168.1.255 dhcp
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</blockquote> </blockquote>
</section> </section>
@ -754,11 +759,13 @@ br0:eth0 00:0b:c1:53:cc:97 192.168.1.8 #TIPPER
<blockquote> <blockquote>
<para>This file is SuSE-specific and creates the bridge device <para>This file is SuSE-specific and creates the bridge device
<filename class="devicefile">br0</filename>. A script for other <filename class="devicefile">br0</filename>. A script for other
disbributions would be similar.</para> distributions would be similar (see the <ulink
url="bridge.html">Shorewall Bridge documentation</ulink> for
examples).</para>
<programlisting>#!/bin/sh <programlisting>#!/bin/sh
################################################################################ ################################################################################
# Script to create a bridge between eth0, eth1 and eth2 # Script to create a bridge
# #
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] # This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
# #
@ -766,6 +773,15 @@ br0:eth0 00:0b:c1:53:cc:97 192.168.1.8 #TIPPER
# #
# Modify the following variables to match your configuration # Modify the following variables to match your configuration
# #
#### BEGIN INIT INFO
# Provides: bridge
# Required-Start: coldplug
# Required-Stop:
# Default-Start: 2 3 5
# Default-Stop: 0 1 6
# Description: starts and stops a bridge
### END INIT INFO
#
# chkconfig: 2345 05 89 # chkconfig: 2345 05 89
# description: Layer 2 Bridge # description: Layer 2 Bridge
# #
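Review bot: the new LSB block opens with `#### BEGIN INIT INFO` (four hashes) but closes with `### END INIT INFO`; the LSB comment convention requires exactly `### BEGIN INIT INFO`, so insserv will not recognise the block and the Required-Start and Default-Start values will be ignored. Drop the extra hash.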
@ -773,21 +789,29 @@ br0:eth0 00:0b:c1:53:cc:97 192.168.1.8 #TIPPER
PATH=$PATH:/sbin:/usr/sbin:/usr/local/sbin PATH=$PATH:/sbin:/usr/sbin:/usr/local/sbin
INTERFACES="eth0 eth1"
BRIDGE="br0"
do_stop() { do_stop() {
echo "Stopping Bridge" echo "Stopping Bridge $BRIDGE"
brctl delbr br0 brctl delbr $BRIDGE
ip link set eth0 down for interface in $INTERFACES; do
ip link set eth1 down ip link set $interface down
done
} }
do_start() { do_start() {
echo "Starting Bridge" echo "Starting Bridge $BRIDGE"
ip link set eth0 up for interface in $INTERFACES; do
ip link set eth1 up ip link set $interface up
brctl addbr br0 done
brctl addif br0 eth0
brctl addif br0 eth1 brctl addbr $BRIDGE
for interface in $INTERFACES; do
brctl addif $BRIDGE $interface
done
} }
case "$1" in case "$1" in
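Review bot: do_stop runs `brctl delbr $BRIDGE` while the bridge is still up, and brctl refuses to delete an up bridge ("bridge br0 is still up; can't delete it"); the stop path needs `ip link set $BRIDGE down` before the delbr, with the interface loop after it. The ordering problem was already present in the hard-coded eth0/eth1 version, but this refactor is the natural place to fix it.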
@ -816,11 +840,7 @@ exit 0</programlisting>
<blockquote> <blockquote>
<para>This file is SuSE-specific</para> <para>This file is SuSE-specific</para>
<programlisting>BOOTPROTO='static' <programlisting>BOOTPROTO='dhcp'
BROADCAST='192.168.1.255'
IPADDR='192.168.1.5'
NETWORK='192.168.1.0'
NETMASK='255.255.255.0'
REMOTE_IPADDR='' REMOTE_IPADDR=''
STARTMODE='onboot' STARTMODE='onboot'
UNIQUE='3hqH.MjuOqWfSZ+C' UNIQUE='3hqH.MjuOqWfSZ+C'
@ -835,8 +855,9 @@ MTU=''</programlisting>
<blockquote> <blockquote>
<para>This file is SuSE-specific</para> <para>This file is SuSE-specific</para>
<programlisting>192.168.1.0 - 255.255.255.0 br0 <programlisting>192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.5
default 192.168.1.254 - -</programlisting> 127.0.0.0/8 dev lo scope link
default via 192.168.1.254 dev br0</programlisting>
</blockquote> </blockquote>
</section> </section>
</section> </section>
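Review bot: the replacement routes listing is written in `ip route show` output syntax (`default via 192.168.1.254 dev br0`, `127.0.0.0/8 dev lo scope link`), not in the SuSE `/etc/sysconfig/network/routes` file format the previous version used (`default 192.168.1.254 - -`). Since the preceding hunk switched ifcfg to `BOOTPROTO='dhcp'`, either this is the resulting routing table (then say so rather than presenting it under "This file is SuSE-specific") or the contents need to be in the routes-file syntax.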

View File

@ -13,7 +13,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2004-07-31</pubdate> <pubdate>2004-09-21</pubdate>
<copyright> <copyright>
<year>2001-2002</year> <year>2001-2002</year>
@ -29,7 +29,8 @@
1.2 or any later version published by the Free Software Foundation; with 1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para> <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice> </legalnotice>
<abstract> <abstract>
@ -50,8 +51,8 @@
<filename>/usr/share/shorewall/actions.std</filename> file for a list of <filename>/usr/share/shorewall/actions.std</filename> file for a list of
the actions in your distribution. If you find what you need, you simply the actions in your distribution. If you find what you need, you simply
use the action in a rule. For example, to allow DNS queries from the use the action in a rule. For example, to allow DNS queries from the
<emphasis role="bold">dmz</emphasis> zone to the <emphasis role="bold">net</emphasis> <emphasis role="bold">dmz</emphasis> zone to the <emphasis
zone:</para> role="bold">net</emphasis> zone:</para>
<programlisting>#ACTION SOURCE DESTINATION <programlisting>#ACTION SOURCE DESTINATION
AllowDNS dmz net</programlisting> AllowDNS dmz net</programlisting>
@ -67,7 +68,7 @@ AllowDNS dmz net</programlisting>
at 192.168.1.4 in your DMZ. The FTP section below gives you:</para> at 192.168.1.4 in your DMZ. The FTP section below gives you:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 21</programlisting> ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> tcp 21</programlisting>
<para>You would code your rule as follows:</para> <para>You would code your rule as follows:</para>
@ -80,23 +81,23 @@ DNAT net dmz:192.168.1.4 tcp 21</programlisting>
<title>Auth (identd)</title> <title>Auth (identd)</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 113</programlisting> ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> tcp 113</programlisting>
</section> </section>
<section> <section>
<title>DNS</title> <title>DNS</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> udp 53 ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> udp 53
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 53</programlisting> ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> tcp 53</programlisting>
<para>Note that if you are setting up a DNS server that supports recursive <para>Note that if you are setting up a DNS server that supports recursive
resolution, the server is the &#60;<emphasis>destination</emphasis>&#62; resolution, the server is the &lt;<emphasis>destination</emphasis>&gt; for
for resolution requests (from clients) and is also the &#60;<emphasis>source</emphasis>&#62; resolution requests (from clients) and is also the
of recursive resolution requests (usually to other servers in the &lt;<emphasis>source</emphasis>&gt; of recursive resolution requests
&#39;net&#39; zone). So for example, if you have a public DNS server in (usually to other servers in the 'net' zone). So for example, if you have
your DMZ that supports recursive resolution for local clients then you a public DNS server in your DMZ that supports recursive resolution for
would need:</para> local clients then you would need:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT all dmz udp 53 ACCEPT all dmz udp 53
@ -105,9 +106,9 @@ ACCEPT dmz net udp 53
ACCEPT dmz net tcp 53</programlisting> ACCEPT dmz net tcp 53</programlisting>
<note> <note>
<para>Recursive Resolution means that if the server itself can&#39;t <para>Recursive Resolution means that if the server itself can't resolve
resolve the name presented to it, the server will attempt to resolve the the name presented to it, the server will attempt to resolve the name
name with the help of other servers.</para> with the help of other servers.</para>
</note> </note>
</section> </section>
@ -115,36 +116,37 @@ ACCEPT dmz net tcp 53</programlisting>
<title>FTP</title> <title>FTP</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 21</programlisting> ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> tcp 21</programlisting>
<para>Look <ulink url="FTP.html">here</ulink> for much more information.</para> <para>Look <ulink url="FTP.html">here</ulink> for much more
information.</para>
</section> </section>
<section> <section>
<title>ICQ/AIM</title> <title>ICQ/AIM</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> net tcp 5190</programlisting> ACCEPT <emphasis>&lt;source&gt;</emphasis> net tcp 5190</programlisting>
</section> </section>
<section> <section>
<title>IMAP</title> <title>IMAP</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 143 #Unsecure IMAP ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> tcp 143 #Unsecure IMAP
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 993 #Secure IMAP</programlisting> ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> tcp 993 #Secure IMAP</programlisting>
</section> </section>
<section> <section>
<title>IPSEC</title> <title>IPSEC</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis> &#60;destination&#62;</emphasis> 50 ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis> &lt;destination&gt;</emphasis> 50
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis> &#60;destination&#62;</emphasis> 51 ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis> &lt;destination&gt;</emphasis> 51
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis> &#60;destination&#62;</emphasis> udp 500 ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis> &lt;destination&gt;</emphasis> udp 500
ACCEPT <emphasis>&#60;destination&#62;</emphasis> <emphasis>&#60;source&#62;</emphasis> 50 ACCEPT <emphasis>&lt;destination&gt;</emphasis> <emphasis>&lt;source&gt;</emphasis> 50
ACCEPT <emphasis>&#60;destination&#62;</emphasis> <emphasis>&#60;source&#62;</emphasis> 51 ACCEPT <emphasis>&lt;destination&gt;</emphasis> <emphasis>&lt;source&gt;</emphasis> 51
ACCEPT <emphasis>&#60;destination&#62;</emphasis> <emphasis>&#60;source&#62;</emphasis> udp 500</programlisting> ACCEPT <emphasis>&lt;destination&gt;</emphasis> <emphasis>&lt;source&gt;</emphasis> udp 500</programlisting>
<para>Lots more information <ulink url="IPSEC.htm">here</ulink> and <ulink <para>Lots more information <ulink url="IPSEC.htm">here</ulink> and <ulink
url="VPN.htm">here</ulink>.</para> url="VPN.htm">here</ulink>.</para>
@ -154,23 +156,23 @@ ACCEPT <emphasis>&#60;destination&#62;</emphasis> <emphasis>&#60;source&#62
<title>NFS</title> <title>NFS</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;z1&#62;</emphasis>:&#60;list of client IPs&#62; <emphasis> &#60;z2&#62;</emphasis>:a.b.c.d tcp 111 ACCEPT <emphasis>&lt;z1&gt;</emphasis>:&lt;list of client IPs&gt; <emphasis> &lt;z2&gt;</emphasis>:a.b.c.d tcp 111
ACCEPT <emphasis>&#60;z1&#62;</emphasis>:&#60;list of client IPs&#62; <emphasis> &#60;z2&#62;</emphasis>:a.b.c.d udp</programlisting> ACCEPT <emphasis>&lt;z1&gt;</emphasis>:&lt;list of client IPs&gt; <emphasis> &lt;z2&gt;</emphasis>:a.b.c.d udp</programlisting>
</section> </section>
<section> <section>
<title>NTP (Network Time Protocol)</title> <title>NTP (Network Time Protocol)</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> udp 123</programlisting> ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> udp 123</programlisting>
</section> </section>
<section> <section>
<title><trademark>PCAnywhere</trademark></title> <title><trademark>PCAnywhere</trademark></title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> udp 5632 ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> udp 5632
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 5631</programlisting> ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> tcp 5631</programlisting>
</section> </section>
<section> <section>
@ -179,16 +181,16 @@ ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62
<para>TCP Port 110 (Secure Pop3 is TCP Port 995)</para> <para>TCP Port 110 (Secure Pop3 is TCP Port 995)</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 110 #Unsecure Pop3 ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> tcp 110 #Unsecure Pop3
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 995 #Secure Pop3</programlisting> ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> tcp 995 #Secure Pop3</programlisting>
</section> </section>
<section> <section>
<title>PPTP</title> <title>PPTP</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> 47 ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> 47
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 1723</programlisting> ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> tcp 1723</programlisting>
<para>Lots more information <ulink url="PPTP.htm">here</ulink> and <ulink <para>Lots more information <ulink url="PPTP.htm">here</ulink> and <ulink
url="VPN.htm">here</ulink>.</para> url="VPN.htm">here</ulink>.</para>
@ -198,24 +200,24 @@ ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62
<title>rdate</title> <title>rdate</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 37</programlisting> ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> tcp 37</programlisting>
</section> </section>
<section> <section>
<title>SSH</title> <title>SSH</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 22</programlisting> ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> tcp 22</programlisting>
</section> </section>
<section> <section>
<title>SMB/NMB (Samba/Windows Browsing/File Sharing)</title> <title>SMB/NMB (Samba/Windows Browsing/File Sharing)</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis> &#60;destination&#62;</emphasis> tcp 137,139,445 ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis> &lt;destination&gt;</emphasis> tcp 137,139,445
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis> &#60;destination&#62;</emphasis> udp 137:139 ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis> &lt;destination&gt;</emphasis> udp 137:139
ACCEPT <emphasis>&#60;destination&#62;</emphasis> <emphasis>&#60;source&#62;</emphasis> tcp 137,139,445 ACCEPT <emphasis>&lt;destination&gt;</emphasis> <emphasis>&lt;source&gt;</emphasis> tcp 137,139,445
ACCEPT <emphasis>&#60;destination&#62;</emphasis> <emphasis>&#60;source&#62;</emphasis> udp 137:139</programlisting> ACCEPT <emphasis>&lt;destination&gt;</emphasis> <emphasis>&lt;source&gt;</emphasis> udp 137:139</programlisting>
<para>Also, see <ulink url="samba.htm">this page</ulink>.</para> <para>Also, see <ulink url="samba.htm">this page</ulink>.</para>
</section> </section>
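Review bot: the four SMB/NMB rules have a stray space inside the emphasis element (`<emphasis> &lt;destination&gt;</emphasis>` and `<emphasis> &lt;source&gt;</emphasis>`), which the other listings do not have; since these lines are already being touched for the entity change, drop the leading space so the rendered columns line up with the rest of the page.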
@ -224,57 +226,67 @@ ACCEPT <emphasis>&#60;destination&#62;</emphasis> <emphasis>&#60;source&#62
<title>SMTP</title> <title>SMTP</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 25 #Insecure SMTP ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> tcp 25 #Insecure SMTP
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 465 #SMTP over SSL (TLS)</programlisting> ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> tcp 465 #SMTP over SSL (TLS)</programlisting>
</section> </section>
<section> <section>
<title>SNMP</title> <title>SNMP</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> udp 161:162 ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> udp 161:162
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 161</programlisting> ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> tcp 161</programlisting>
</section> </section>
<section> <section>
<title>Telnet</title> <title>Telnet</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 23</programlisting> ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> tcp 23</programlisting>
</section> </section>
<section> <section>
<title>TFTP</title> <title>TFTP</title>
<para>You must have TFTP connection tracking support in your kernel. If <para>You must have TFTP connection tracking support in your kernel. If
modularized, the modules are <emphasis role="bold">ip_conntrack_tftp</emphasis> modularized, the modules are <emphasis
(and <emphasis role="bold">ip_nat_tftp</emphasis> if any form of NAT is role="bold">ip_conntrack_tftp</emphasis> (and <emphasis
involved) These modules may be loaded using entries in role="bold">ip_nat_tftp</emphasis> if any form of NAT is involved) These
<filename>/etc/shorewall/modules</filename>. The <emphasis role="bold">ip_conntrack_tftp</emphasis> modules may be loaded using entries in
module must be loaded first. Note that the <filename>/etc/shorewall/modules</filename> <filename>/etc/shorewall/modules</filename>. The <emphasis
file released with recent Shorewall versions contains entries for these role="bold">ip_conntrack_tftp</emphasis> module must be loaded first. Note
modules.</para> that the <filename>/etc/shorewall/modules</filename> file released with
recent Shorewall versions contains entries for these modules.</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> udp 69</programlisting> ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> udp 69</programlisting>
</section> </section>
<section> <section>
<title>Traceroute</title> <title>Traceroute</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> udp 33434:33443 #Good for 10 hops ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> udp 33434:33443 #Good for 10 hops
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> icmp 8</programlisting> ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> icmp 8</programlisting>
<para>UDP traceroute uses ports 33434 through 33434+&#60;max number of <para>UDP traceroute uses ports 33434 through 33434+&lt;max number of
hops&#62;-1</para> hops&gt;-1. Note that for the firewall to respond with a TTL expired ICMP
reply, you will need to allow ICMP 11 outbound from the firewall. The
standard Shorewall sample configurations all set this up for you
automatically since those sample configurations enable all ICMP packet
types originating on the firewall itself.</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT fw net icmp
ACCEPT fw loc icmp
ACCEPT fw ...</programlisting>
</section> </section>
<section> <section>
<title>Usenet (NNTP)</title> <title>Usenet (NNTP)</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 119</programlisting> ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> tcp 119</programlisting>
<para>TCP Port 119</para> <para>TCP Port 119</para>
</section> </section>
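Review bot: the new Traceroute listing opens every ICMP type from the firewall (`ACCEPT fw net icmp`, `ACCEPT fw loc icmp`) while the paragraph above it says only ICMP type 11 outbound is needed for the TTL-expired reply; consider also showing the narrower rule, e.g. `ACCEPT fw net icmp 11` in the same form this page already uses for `icmp 8`, so readers who do not start from the sample configurations can allow just that type. The trailing `ACCEPT fw ...` line reads as a literal rule inside a programlisting; a comment such as `# one rule per zone` would make the elision clearer.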
@ -282,43 +294,60 @@ ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62
<section> <section>
<title>VNC</title> <title>VNC</title>
<para>Vncviewer to Vncserver -- TCP port 5900 + &#60;display number&#62;.</para> <para>Vncviewer to Vncserver -- TCP port 5900 + &lt;display
number&gt;.</para>
<para>Vncviewer to Vncserver -- TCP port 5900 + &lt;display
number&gt;.</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 5901 #Display Number 1 ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> tcp 5901 #Display Number 1
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 5902 #Display Number 2 ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> tcp 5902 #Display Number 2
...</programlisting> ...</programlisting>
<para>Vncserver to Vncviewer in listen mode -- TCP port 5500.</para> <para>Vncserver to Vncviewer in listen mode -- TCP port 5500.</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 5500</programlisting> ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> tcp 5500</programlisting>
</section>
<section>
<title><trademark>Vonage</trademark></title>
<para>The standard Shorewall loc-&gt;net ACCEPT policy is all that is
required for <trademark>Vonage</trademark> IP phone service to work,
provided that you have loaded the tftp helper modules (add the following
entries to /etc/shorewall/modules if they are not there already):</para>
<programlisting> loadmodule ip_conntrack_tftp
loadmodule ip_nat_tftp</programlisting>
</section> </section>
<section> <section>
<title>Web Access</title> <title>Web Access</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 80 #Insecure HTTP ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> tcp 80 #Insecure HTTP
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 443 #Secure HTTP</programlisting> ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> tcp 443 #Secure HTTP</programlisting>
</section> </section>
<section> <section>
<title>X/XDMCP</title> <title>X/XDMCP</title>
<para>Assume that the Choser and/or X Server are running at &#60;<emphasis>chooser</emphasis>&#62; <para>Assume that the Choser and/or X Server are running at
and the Display Manager/X applications are running at &#60;<emphasis>apps</emphasis>&#62;.</para> &lt;<emphasis>chooser</emphasis>&gt; and the Display Manager/X
applications are running at &lt;<emphasis>apps</emphasis>&gt;.</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT &#60;<emphasis>chooser</emphasis>&#62; &#60;<emphasis>apps</emphasis>&#62; udp 177 #XDMCP ACCEPT &lt;<emphasis>chooser</emphasis>&gt; &lt;<emphasis>apps</emphasis>&gt; udp 177 #XDMCP
ACCEPT &#60;<emphasis>apps</emphasis>&#62; &#60;<emphasis>chooser</emphasis>&#62; tcp 6000:6009 #X Displays 0-9</programlisting> ACCEPT &lt;<emphasis>apps</emphasis>&gt; &lt;<emphasis>chooser</emphasis>&gt; tcp 6000:6009 #X Displays 0-9</programlisting>
</section> </section>
<section> <section>
<title>Other Source of Port Information</title> <title>Other Source of Port Information</title>
<para>Didn&#39;t find what you are looking for -- have you looked in your <para>Didn't find what you are looking for -- have you looked in your own
own /etc/services file?</para> /etc/services file?</para>
<para>Still looking? Try <ulink <para>Still looking? Try <ulink
url="http://www.networkice.com/advice/Exploits/Ports">http://www.networkice.com/advice/Exploits/Ports</ulink></para> url="http://www.networkice.com/advice/Exploits/Ports">http://www.networkice.com/advice/Exploits/Ports</ulink></para>
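Review bot: the new VNC section contains the paragraph "Vncviewer to Vncserver -- TCP port 5900 + <display number>." twice in a row (the second copy is the one this hunk adds); drop the duplicate. Since the X/XDMCP paragraph is being reflowed here anyway, "Choser" should become "Chooser". The two `loadmodule` lines in the new Vonage section are in the order the TFTP section requires (ip_conntrack_tftp before ip_nat_tftp), so that part is fine as written.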
@ -327,16 +356,138 @@ ACCEPT &#60;<emphasis>apps</emphasis>&#62; &#60;<emphasis>chooser</emphas
<appendix> <appendix>
<title>Revision History</title> <title>Revision History</title>
<para><revhistory><revision><revnumber>1.11</revnumber><date>2004-05-28</date><authorinitials>TE</authorinitials><revremark>Corrected <para><revhistory>
directory for actions.std and enhanced the DNS section.</revremark></revision><revision><revnumber>1.10</revnumber><date>2004-05-09</date><authorinitials>TE</authorinitials><revremark>Added <revision>
TFTP.</revremark></revision><revision><revnumber>1.9</revnumber><date>2004-04-24</date><authorinitials>TE</authorinitials><revremark>Revised <revnumber>1.13</revnumber>
ICQ/AIM.</revremark></revision><revision><revnumber>1.8</revnumber><date>2004-04-23</date><authorinitials>TE</authorinitials><revremark>Added
SNMP.</revremark></revision><revision><revnumber>1.7</revnumber><date>2004-02-18</date><authorinitials>TE</authorinitials><revremark>Make <date>2004-09-21</date>
NFS work for everyone.</revremark></revision><revision><revnumber>1.6</revnumber><date>2004-02-14</date><authorinitials>TE</authorinitials><revremark>Add
PCAnywhere.</revremark></revision><revision><revnumber>1.5</revnumber><date>2004-02-05</date><authorinitials>TE</authorinitials><revremark>Added <authorinitials>TE</authorinitials>
information about VNC viewers in listen mode.</revremark></revision><revision><revnumber>1.4</revnumber><date>2004-01-26</date><authorinitials>TE</authorinitials><revremark>Correct
ICQ.</revremark></revision><revision><revnumber>1.3</revnumber><date>2004-01-04</date><authorinitials>TE</authorinitials><revremark>Alphabetize</revremark></revision><revision><revnumber>1.2</revnumber><date>2004-01-03</date><authorinitials>TE</authorinitials><revremark>Add <revremark>Add note about ICMP type 11 to Traceroute.</revremark>
rules file entries.</revremark></revision><revision><revnumber>1.1</revnumber><date>2002-07-30</date><authorinitials>TE</authorinitials><revremark>Initial </revision>
version converted to Docbook XML</revremark></revision></revhistory></para>
<revision>
<revnumber>1.12</revnumber>
<date>2004-09-09</date>
<authorinitials>TE</authorinitials>
<revremark>Add note about <trademark>Vonage</trademark>.</revremark>
</revision>
<revision>
<revnumber>1.11</revnumber>
<date>2004-05-28</date>
<authorinitials>TE</authorinitials>
<revremark>Corrected directory for actions.std and enhanced the DNS
section.</revremark>
</revision>
<revision>
<revnumber>1.10</revnumber>
<date>2004-05-09</date>
<authorinitials>TE</authorinitials>
<revremark>Added TFTP.</revremark>
</revision>
<revision>
<revnumber>1.9</revnumber>
<date>2004-04-24</date>
<authorinitials>TE</authorinitials>
<revremark>Revised ICQ/AIM.</revremark>
</revision>
<revision>
<revnumber>1.8</revnumber>
<date>2004-04-23</date>
<authorinitials>TE</authorinitials>
<revremark>Added SNMP.</revremark>
</revision>
<revision>
<revnumber>1.7</revnumber>
<date>2004-02-18</date>
<authorinitials>TE</authorinitials>
<revremark>Make NFS work for everyone.</revremark>
</revision>
<revision>
<revnumber>1.6</revnumber>
<date>2004-02-14</date>
<authorinitials>TE</authorinitials>
<revremark>Add PCAnywhere.</revremark>
</revision>
<revision>
<revnumber>1.5</revnumber>
<date>2004-02-05</date>
<authorinitials>TE</authorinitials>
<revremark>Added information about VNC viewers in listen
mode.</revremark>
</revision>
<revision>
<revnumber>1.4</revnumber>
<date>2004-01-26</date>
<authorinitials>TE</authorinitials>
<revremark>Correct ICQ.</revremark>
</revision>
<revision>
<revnumber>1.3</revnumber>
<date>2004-01-04</date>
<authorinitials>TE</authorinitials>
<revremark>Alphabetize</revremark>
</revision>
<revision>
<revnumber>1.2</revnumber>
<date>2004-01-03</date>
<authorinitials>TE</authorinitials>
<revremark>Add rules file entries.</revremark>
</revision>
<revision>
<revnumber>1.1</revnumber>
<date>2002-07-30</date>
<authorinitials>TE</authorinitials>
<revremark>Initial version converted to Docbook XML</revremark>
</revision>
</revhistory></para>
</appendix> </appendix>
</article> </article>

View File

@ -15,7 +15,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2004-09-04</pubdate> <pubdate>2004-09-07</pubdate>
<copyright> <copyright>
<year>2001-2004</year> <year>2001-2004</year>
@ -175,14 +175,6 @@
other output is better than a paraphrase or summary.</para> other output is better than a paraphrase or summary.</para>
</listitem> </listitem>
<listitem>
<para>Please don't describe your problem as <quote>Computer A can't
see Computer B</quote>. Of course it can't -- it hasn't any eyes! If
ping from A to B fails, say so (and see below for information about
reporting <quote>ping</quote> problems). If Computer B doesn't show up
in <quote>Network Neighborhood</quote> then say so.</para>
</listitem>
<listitem> <listitem>
<para>Please give details about what doesn't work. Reports that say <para>Please give details about what doesn't work. Reports that say
<quote>I followed the directions and it didn't work</quote> will <quote>I followed the directions and it didn't work</quote> will
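Review bot: removing the "Computer A can't see Computer B" item also removes the only concrete instruction to report the result of a ping between the two hosts and whether B shows up in Network Neighborhood; the remaining "Please give details about what doesn't work" item states the requirement only in general terms. If the item is being cut for its tone, consider carrying the ping and Network Neighborhood examples over into that remaining item.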
@ -220,7 +212,8 @@
(<quote><command>/sbin/shorewall show log</command></quote>) when you (<quote><command>/sbin/shorewall show log</command></quote>) when you
exercise the function that is giving you problems? If so, include the exercise the function that is giving you problems? If so, include the
message(s) in your post along with a copy of your message(s) in your post along with a copy of your
/etc/shorewall/interfaces file.</para> /etc/shorewall/interfaces file (and /etc/shorewall/hosts file if you
have entries in that file).</para>
</listitem> </listitem>
<listitem> <listitem>