diff --git a/Shorewall-docs2/Documentation.xml b/Shorewall-docs2/Documentation.xml
index 6586651cd..ae1a86aea 100644
--- a/Shorewall-docs2/Documentation.xml
+++ b/Shorewall-docs2/Documentation.xml
@@ -2042,7 +2042,7 @@ ACCEPT fw net tcp www
Also new in the Shorewall 2.1 series, the effect of
ADD_SNAT_ALIASES=Yes can be negated for an entry by following the
- interface name by ":" but no digit.
+ interface name by ":" but no digit.
Examples:
@@ -2407,7 +2407,7 @@ eth0 eth1 206.124.146.176
Beginning with Shorewall 2.1.1, the effect of
ADD_IP_ALIASES=Yes can be negated for an entry by following the
- interface name by ":" but no digit.
+ interface name by ":" but no digit.
Example:
@@ -2490,6 +2490,24 @@ eth0 eth1 206.124.146.176
This file is used to set the following firewall parameters:
+
+ STARTUP_ENABLED
+
+
+ (Added at version 2.2.0) - When set to Yes or yes, Shorewall
+ may be started. Used as guard against Shorewall being accidentally
+ started before it has been configured.
+
+
+
+
+
+
+
+
+
+
+
DYNAMIC_ZONES
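Review bot: the STARTUP_ENABLED entry should state the value the shipped shorewall.conf sets and what "shorewall start" does when the variable is No or absent; as written ("When set to Yes or yes, Shorewall may be started") a reader cannot tell whether a missing setting blocks startup, and that is the whole point of a guard against starting before the configuration has been edited. Also "Used as guard against" should read "Used as a guard against".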
@@ -3023,6 +3041,25 @@ LOGBURST=5
+
+ RETAIN_ALIASES
+
+
+ (Added in 2.2.0) - During "shorewall start", IP addresses to
+ be added as a consequence of ADD_IP_ALIASES=Yes and
+ ADD_SNAT_ALIASES=Yes are quietly deleted when /etc/shorewall/nat and /etc/shorewall/masq are processed then are
+ re-added later. This is done to help ensure that the addresses can
+ be added with the specified labels but can have the undesirable side
+ effect of causing routes to be quietly deleted. When RETAIN_ALIASES
+ is set to Yes, existing addresses will not be deleted. Regardless of
+ the setting of RETAIN_ALIASES, addresses added during "shorewall
+ start" are still deleted at a subsequent "shorewall stop" or
+ "shorewall restart".
+
+
+
LOGUNCLEAN
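Review bot: the RETAIN_ALIASES description never says what the default is; since the delete-then-re-add behaviour is described as the existing one, say explicitly which value the shipped shorewall.conf uses so readers know whether the route-dropping side effect is what they get unless they opt in. One more sentence on when Yes is the wrong choice would help, because the text says the deletion exists "to help ensure that the addresses can be added with the specified labels": if an address is already present with a different label, RETAIN_ALIASES=Yes presumably leaves that label in place. Finally, "(Added in 2.2.0)" here versus "(Added at version 2.2.0)" in the STARTUP_ENABLED entry of the same commit: pick one form.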
@@ -3573,7 +3610,15 @@ eth1 -
This file is used to identify the Security Associations used to
encrypt traffic to hosts in a zone and to decrypt traffic from hosts in a
- zone. Columns are:
+ zone. Use of this file requires a 2.6 kernel that includes the
+ IPSEC-Netfilter patches and the policy match patch. Your iptables must
+ also support policy match. For additional information, see the Shorewall Kernel 2.6 IPSEC
+ documentation.
+
+
+
+ Columns are:
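Review bot: "Your iptables must also support policy match" gives the reader no way to verify it; this same commit adds the "shorewall check" capability listing (with a "Policy Match: Available" line) to configuration_file_basics.xml, so point to that command here as the way to confirm both the kernel and the iptables requirement before editing /etc/shorewall/ipsec.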
@@ -3609,32 +3654,40 @@ eth1 -
proto=ah|esp|ipcomp
+ role="bold">proto[!]=ah|esp|ipcomp
mode=transport|tunnel
+ role="bold">mode[!]=transport|tunnel
reqid=<number> —
- A number assiged to a security policy using the
+ role="bold">reqid[!]=<number>
+ — A number assiged to a security policy using the
unique:<number> as the SPD level. See setkey(8).tunnel-src=<address>[/<mask>]
+ role="bold">tunnel-src[!]=<address>[/<mask>]
— Tunnel Source; may only be included with mode=tunnel. Since
tunnel source and destination are dependent on the direction of
the traffic, this option and the following one should only be
included in the IN OPTIONS and OUT OPTIONS columns.tunnel-dst=<address>[/<mask>]
+ role="bold">tunnel-dst[!]=<address>[/<mask>]
— Tunnel Destination; may only be included with
mode=tunnel.
+ mss=<number> — Sets
+ the MSS field in TCP syn packets forwarded to/from this zone. May
+ be used to compensate for the lack of IPSEC pseuo-deviceses with
+ their own MTU in the 2.6 Kernel IPSEC implementation. If specified
+ in the IN OPTIONS, TCP SYN packets from the zone will have MSS
+ altered; if specified in the OUT OPTIONS, TCP SYN packets to the
+ zone will have MSS altered.
+
spi=<number> —
- The security parameter index of the Security Association. Since a
- different SA is used for incoming and outgoing traffic, this
+ role="bold">spi[!]=<number>
+ — The security parameter index of the Security Association. Since
+ a different SA is used for incoming and outgoing traffic, this
option should only be listed in the IN OPTIONS and OUT OPTIONS
columns.
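Review bot: the new "[!]" in proto[!]=, mode[!]=, reqid[!]=, tunnel-src[!]=, tunnel-dst[!]= and spi[!]= is never explained; add one sentence before the list saying that "!" negates the match (for example proto!=esp matches everything except ESP) so readers do not take the brackets as a literal part of the syntax. Two typos are carried or introduced here: "assiged" in the reqid entry should be "assigned", and "IPSEC pseuo-deviceses" in the mss entry should be "IPSEC pseudo-devices". The mss entry correctly has no "[!]" since it sets a value rather than matching; a half-sentence saying so would help, as it sits in the middle of the negatable options. The direction rule for mss (IN OPTIONS alters SYNs from the zone, OUT OPTIONS alters SYNs to the zone) agrees with the reworded myfiles.xml text in this commit.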
@@ -3657,10 +3710,20 @@ eth1 -
Revision History
+
+ 1.20
+
+ 2004-10-22
+
+ TE
+
+ Changes for Shorewall 2.2 Beta 1.
+
+
1.19
- 2004-09012
+ 2004-09-12TE
diff --git a/Shorewall-docs2/VPN.xml b/Shorewall-docs2/VPN.xml
index 7e79936e0..920314b3b 100644
--- a/Shorewall-docs2/VPN.xml
+++ b/Shorewall-docs2/VPN.xml
@@ -15,11 +15,13 @@
- 2002-12-21
+ 2004-10-212002
+ 2004
+
Thomas M. Eastep
@@ -29,7 +31,8 @@
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
- GNU Free Documentation License.
+ GNU Free Documentation
+ License.
@@ -49,10 +52,11 @@
address 192.0.2.224.
If PPTP is being used, there are no firewall requirements beyond the
- default loc->net ACCEPT policy. There is one restriction however: Only
+ default loc->net ACCEPT policy. There is one restriction however: Only
one local system at a time can be connected to a single remote gateway
unless you patch your kernel from the Patch-o-matic patches
- available at http://www.netfilter.org.
+ available at http://www.netfilter.org.
If IPSEC is being used then only one system may connect to the
remote gateway and there are firewall configuration requirements as
@@ -118,7 +122,19 @@
If you want to be able to give access to all of your local systems
to the remote network, you should consider running a VPN client on your
- firewall. As starting points, see http://www.shorewall.net/Documentation.htm#Tunnels
+ firewall. As starting points, see http://www.shorewall.net/Documentation.htm#Tunnels
or http://www.shorewall.net/PPTP.htm.
+
+ Alternatively, you should configure IPSEC to use NAT
+ Traversal -- Under NAT traversal the IPSEC packets (protocol
+ 50 or 51) are encapsulated in UDP packets with destination port 4500.
+ Additionally, keep-alive messages are sent
+ frequently so that NATing gateways between the end-points will retain
+ their connection-tracking entries. This is the way that I connect to the
+ HP Intranet and it works flawlessly without anything in Shorewall other
+ than my ACCEPT loc->net policy. NAT traversal is available as a patch
+ for Windows 2K and is a standard feature of Windows XP -- simply select
+ "
\ No newline at end of file
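Review bot: the added NAT traversal paragraph is cut off mid-sentence at 'simply select "' and the file now ends without a newline, so the enclosing element is unterminated and the document will not parse; finish the sentence and close the element before this is committed. On content, "IPSEC packets (protocol 50 or 51) are encapsulated in UDP packets with destination port 4500" overstates it: UDP encapsulation for NAT traversal carries ESP (protocol 50) only; AH (protocol 51) authenticates the outer IP header and cannot pass a NATing gateway, so the sentence should say protocol 50. "Alternatively, you should configure IPSEC to use NAT Traversal" reads as a requirement; "you can configure" fits an alternative.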
diff --git a/Shorewall-docs2/configuration_file_basics.xml b/Shorewall-docs2/configuration_file_basics.xml
index 48d2685cb..fb5a3a905 100644
--- a/Shorewall-docs2/configuration_file_basics.xml
+++ b/Shorewall-docs2/configuration_file_basics.xml
@@ -15,7 +15,7 @@
- 2004-04-20
+ 2004-10-222001-2004
@@ -29,7 +29,8 @@
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
- GNU Free Documentation License.
+ GNU Free Documentation
+ License.
@@ -43,64 +44,172 @@
Files
- /etc/shorewall/shorewall.conf
- - used to set several firewall parameters./etc/shorewall/params
- - use this file to set shell variables that you will expand in other
- files./etc/shorewall/zones
- - partition the firewall's view of the world into zones./etc/shorewall/policy
- - establishes firewall high-level policy./etc/shorewall/interfaces
- - describes the interfaces on the firewall system./etc/shorewall/hosts
- - allows defining zones in terms of individual hosts and subnetworks./etc/shorewall/masq
- - directs the firewall where to use many-to-one (dynamic) Network Address
- Translation (a.k.a. Masquerading) and Source Network Address Translation
- (SNAT)./etc/shorewall/modules
- - directs the firewall to load kernel modules./etc/shorewall/rules
- - defines rules that are exceptions to the overall policies established in
- /etc/shorewall/policy./etc/shorewall/nat
- - defines one-to-one NAT rules./etc/shorewall/proxyarp
- - defines use of Proxy ARP./etc/shorewall/routestopped
- (Shorewall 1.3.4 and later) - defines hosts accessible when Shorewall is
- stopped./etc/shorewall/tcrules
- - defines marking of packets for later use by traffic
- control/shaping or policy routing./etc/shorewall/tos
- - defines rules for setting the TOS field in packet headers./etc/shorewall/tunnels
- - defines IPSEC, GRE and IPIP tunnels with end-points on the firewall
- system./etc/shorewall/blacklist
- - lists blacklisted IP/subnet/MAC addresses./etc/shorewall/init
- - commands that you wish to execute at the beginning of a shorewall
- start or shorewall restart./etc/shorewall/start
- - commands that you wish to execute at the completion of a shorewall
- start or shorewall restart/etc/shorewall/stop
- - commands that you wish to execute at the beginning of a
- shorewall stop./etc/shorewall/stopped
- - commands that you wish to execute at the completion of a shorewall
- stop./etc/shorewall/ecn
- - disable Explicit Congestion Notification (ECN - RFC 3168) to remote
- hosts or networks./etc/shorewall/accounting
- - define IP traffic accounting rules/etc/shorewall/actions
- and /usr/share/shorewall/action.template - define
- your own actions for rules in /etc/shorewall/rules (shorewall 1.4.9 and
- later)./usr/share/shorewall/actions.std
- - Actions defined by Shorewall./usr/share/shorewall/actions.*
- - Details of actions defined by Shorewall./usr/share/rfc1918
- — Defines the behavior of the 'norfc1918' interface option in
- /etc/shorewall/interfaces. If
- you need to change this file, copy it to /etc/shorewall
- and modify the copy./usr/share/bogons
- — Defines the behavior of the 'nobogons' interface option in
- /etc/shorewall/interfaces. If
- you need to change this file, copy it to /etc/shorewall
- and modify the copy.
+
+
+ /etc/shorewall/shorewall.conf - used to
+ set several firewall parameters.
+
+
+
+ /etc/shorewall/params - use this file to
+ set shell variables that you will expand in other files.
+
+
+
+ /etc/shorewall/zones - partition the
+ firewall's view of the world into zones.
+
+
+
+ /etc/shorewall/policy - establishes
+ firewall high-level policy.
+
+
+
+ /etc/shorewall/interfaces - describes the
+ interfaces on the firewall system.
+
+
+
+ /etc/shorewall/hosts - allows defining
+ zones in terms of individual hosts and subnetworks.
+
+
+
+ /etc/shorewall/masq - directs the
+ firewall where to use many-to-one (dynamic) Network Address
+ Translation (a.k.a. Masquerading) and Source Network Address
+ Translation (SNAT).
+
+
+
+ /etc/shorewall/modules - directs the
+ firewall to load kernel modules.
+
+
+
+ /etc/shorewall/rules - defines rules that
+ are exceptions to the overall policies established in
+ /etc/shorewall/policy.
+
+
+
+ /etc/shorewall/nat - defines one-to-one
+ NAT rules.
+
+
+
+ /etc/shorewall/proxyarp - defines use of
+ Proxy ARP.
+
+
+
+ /etc/shorewall/routestopped (Shorewall
+ 1.3.4 and later) - defines hosts accessible when Shorewall is
+ stopped.
+
+
+
+ /etc/shorewall/tcrules - defines marking
+ of packets for later use by traffic control/shaping or policy
+ routing.
+
+
+
+ /etc/shorewall/tos - defines rules for
+ setting the TOS field in packet headers.
+
+
+
+ /etc/shorewall/tunnels - defines IPSEC,
+ GRE and IPIP tunnels with end-points on the firewall system.
+
+
+
+ /etc/shorewall/blacklist - lists
+ blacklisted IP/subnet/MAC addresses.
+
+
+
+ /etc/shorewall/init - commands that you
+ wish to execute at the beginning of a shorewall start
+ or shorewall restart.
+
+
+
+ /etc/shorewall/start - commands that you
+ wish to execute at the completion of a shorewall
+ start or shorewall restart
+
+
+
+ /etc/shorewall/stop - commands that you
+ wish to execute at the beginning of a shorewall
+ stop.
+
+
+
+ /etc/shorewall/stopped - commands that
+ you wish to execute at the completion of a shorewall
+ stop.
+
+
+
+ /etc/shorewall/ecn - disable Explicit
+ Congestion Notification (ECN - RFC 3168) to remote hosts or
+ networks.
+
+
+
+ /etc/shorewall/accounting - define IP
+ traffic accounting rules
+
+
+
+ /etc/shorewall/actions and
+ /usr/share/shorewall/action.template - define
+ your own actions for rules in /etc/shorewall/rules (shorewall 1.4.9
+ and later).
+
+
+
+ /usr/share/shorewall/actions.std -
+ Actions defined by Shorewall.
+
+
+
+ /usr/share/shorewall/actions.* - Details
+ of actions defined by Shorewall.
+
+
+
+ /usr/share/rfc1918 — Defines the behavior
+ of the 'norfc1918' interface option in
+ /etc/shorewall/interfaces. If you need to change this file, copy it to
+ /etc/shorewall and modify the
+ copy.
+
+
+
+ /usr/share/bogons — Defines the behavior
+ of the 'nobogons' interface option in
+ /etc/shorewall/interfaces. If you need to change this file, copy it to
+ /etc/shorewall and modify the
+ copy.
+
+ Special Note about /etc/shorewall/shorewall.confIt is a good idea to modify your /etc/shorewall/shorewall.conf file,
- even if you just add a comment that says "I modified this file".
- That way, your package manager won't overwrite the file with future
- updated versions. Such overwrites can cause unwanted changes in the
- behavior of Shorewall.
+ even if you just add a comment that says "I modified this file". That way,
+ your package manager won't overwrite the file with future updated
+ versions. Such overwrites can cause unwanted changes in the behavior of
+ Shorewall.
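Review bot: the reflowed file list carries a few inconsistencies worth fixing while it is being rewritten: the /etc/shorewall/start and /etc/shorewall/accounting entries have no terminating period while every other entry does; the /usr/share/rfc1918 and /usr/share/bogons entries use an em dash where all other entries use " - "; and those two paths sit directly under /usr/share/ while the neighbouring actions.std and actions.* entries are under /usr/share/shorewall/, so please confirm the directory before this ships. Also "shorewall 1.4.9 and later" in the actions entry should be capitalised like "Shorewall 1.3.4 and later" in the routestopped entry.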
@@ -123,7 +232,8 @@ ACCEPT net fw tcp www #This is an end-of-line commentLine Continuation
You may continue lines in the configuration files using the usual
- backslash (\) followed immediately by a new line character.
+ backslash (\) followed immediately by a new line
+ character.
Line Continuation
@@ -144,53 +254,53 @@ smtp,www,pop3,imap #Services running on the firewall
alternate configuration directory if one has been specified for the
command.
- INCLUDE's may be nested to a level of 3 -- further nested
- INCLUDE directives are ignored with a warning message.
+ INCLUDE's may be nested to a level of 3 -- further nested INCLUDE
+ directives are ignored with a warning message.Use of INCLUDE shorewall/params.mgmt:
- MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3
- TIME_SERVERS=4.4.4.4
- BACKUP_SERVERS=5.5.5.5
+ MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3
+ TIME_SERVERS=4.4.4.4
+ BACKUP_SERVERS=5.5.5.5
- ----- end params.mgmt -----
+ ----- end params.mgmt -----
- shorewall/params:
+ shorewall/params:
- # Shorewall 1.3 /etc/shorewall/params
- [..]
- #######################################
-
- INCLUDE params.mgmt
-
- # params unique to this host here
- #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
+ # Shorewall 1.3 /etc/shorewall/params
+ [..]
+ #######################################
+
+ INCLUDE params.mgmt
+
+ # params unique to this host here
+ #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
- ----- end params -----
+ ----- end params -----
- shorewall/rules.mgmt:
+ shorewall/rules.mgmt:
- ACCEPT net:$MGMT_SERVERS $FW tcp 22
- ACCEPT $FW net:$TIME_SERVERS udp 123
- ACCEPT $FW net:$BACKUP_SERVERS tcp 22
+ ACCEPT net:$MGMT_SERVERS $FW tcp 22
+ ACCEPT $FW net:$TIME_SERVERS udp 123
+ ACCEPT $FW net:$BACKUP_SERVERS tcp 22
- ----- end rules.mgmt -----
+ ----- end rules.mgmt -----
- shorewall/rules:
+ shorewall/rules:
- # Shorewall version 1.3 - Rules File
- [..]
- #######################################
-
- INCLUDE rules.mgmt
-
- # rules unique to this host here
- #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
+ # Shorewall version 1.3 - Rules File
+ [..]
+ #######################################
+
+ INCLUDE rules.mgmt
+
+ # rules unique to this host here
+ #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
- ----- end rules -----
+ ----- end rules -----
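Review bot: the INCLUDE example still carries "# Shorewall 1.3 /etc/shorewall/params" and "# Shorewall version 1.3 - Rules File" headers in a document being updated for 2.2; update or drop the version strings so readers do not take INCLUDE for a 1.3-only feature. "INCLUDE's may be nested to a level of 3" is ambiguous about whether the including file itself counts as a level; one sentence saying how deep the shown params -> params.mgmt chain goes on that scale would settle it. The apostrophe in "INCLUDE's" should also go ("INCLUDEs" or "INCLUDE directives").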
@@ -200,46 +310,47 @@ smtp,www,pop3,imap #Services running on the firewall
I personally recommend strongly against using DNS names in
Shorewall configuration files. If you use DNS names and you are called
- out of bed at 2:00AM because Shorewall won't start as a result of
- DNS problems then don't say that you were not forewarned.
+ out of bed at 2:00AM because Shorewall won't start as a result of DNS
+ problems then don't say that you were not forewarned.
Beginning with Shorewall 1.3.9, Host addresses in Shorewall
- configuration files may be specified as either IP addresses or DNS Names.
+ configuration files may be specified as either IP addresses or DNS
+ Names.
- DNS names in iptables rules aren't nearly as useful as they
- first appear. When a DNS name appears in a rule, the iptables utility
- resolves the name to one or more IP addresses and inserts those addresses
- into the rule. So changes in the DNS->IP address relationship that
- occur after the firewall has started have absolutely no effect on the
- firewall's ruleset.
+ DNS names in iptables rules aren't nearly as useful as they first
+ appear. When a DNS name appears in a rule, the iptables utility resolves
+ the name to one or more IP addresses and inserts those addresses into the
+ rule. So changes in the DNS->IP address relationship that occur after
+ the firewall has started have absolutely no effect on the firewall's
+ ruleset.If your firewall rules include DNS names then:If your /etc/resolv.conf is wrong then your
- firewall won't start.
+ firewall won't start.
If your /etc/nsswitch.conf is wrong then
- your firewall won't start.
+ your firewall won't start.
- If your Name Server(s) is(are) down then your firewall won't
+ If your Name Server(s) is(are) down then your firewall won't
start.If your startup scripts try to start your firewall before
- starting your DNS server then your firewall won't start.
+ starting your DNS server then your firewall won't start.
- Factors totally outside your control (your ISP's router is
- down for example), can prevent your firewall from starting.
+ Factors totally outside your control (your ISP's router is down
+ for example), can prevent your firewall from starting.
@@ -285,7 +396,8 @@ smtp,www,pop3,imap #Services running on the firewall
- The server address in a DNAT rule (/etc/shorewall/rules file)
+ The server address in a DNAT rule (/etc/shorewall/rules
+ file)
@@ -297,7 +409,8 @@ smtp,www,pop3,imap #Services running on the firewall
- These restrictions are imposed by Netfilter and not by Shorewall.
+ These restrictions are imposed by Netfilter and not by
+ Shorewall.
@@ -305,8 +418,9 @@ smtp,www,pop3,imap #Services running on the firewall
Where specifying an IP address, a subnet or an interface, you can
precede the item with ! to specify the complement of the
- item. For example, !192.168.1.4 means any host but 192.168.1.4.
- There must be no white space following the !.
+ item. For example, !192.168.1.4 means any host but
+ 192.168.1.4. There must be no white space following the
+ !.
@@ -318,7 +432,7 @@ smtp,www,pop3,imap #Services running on the firewall
Must not have any embedded white space. Valid: routefilter,dhcp,norfc1918
- Invalid: routefilter, dhcp, norfc1818
+ Invalid: routefilter, dhcp, norfc1818
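Review bot: the "Invalid:" example differs from the "Valid:" one in two ways, the embedded white space and "norfc1818" in place of "norfc1918"; since the rule being illustrated is only about white space, use "routefilter, dhcp, norfc1918" so the misspelled option name does not read as a second reason the entry is invalid.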
@@ -328,11 +442,37 @@ smtp,www,pop3,imap #Services running on the firewall
- Entries in a comma-separated list may appear in any order.
+ Entries in a comma-separated list may appear in any
+ order.
+
+ IP Address Ranges
+
+ Beginning with Shorewall 2.2.0, if you kernel and iptables have
+ iprange match support, you may use IP address ranges in Shorewall
+ configuration file entries; IP address ranges have the syntax
+ <low IP address>-<high IP
+ address>. Example: 192.168.1.5-192.168.1.12.
+
+ To see if your kernel and iptables have the required support, use
+ the shorewall check command:
+
+ >~ shorewall check
+...
+Shorewall has detected the following iptables/netfilter capabilities:
+ NAT: Available
+ Packet Mangling: Available
+ Multi-port Match: Available
+ Connection Tracking Match: Available
+ Packet Type Match: Not available
+ Policy Match: Available
+ Physdev Match: Available
+ IP range Match: Available <--------------
+
+
Port Numbers/Service Names
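Review bot: "if you kernel and iptables have iprange match support" should read "if your kernel and iptables have". In the sample output the prompt ">~ shorewall check" looks transposed; the rest of this document uses a "[root@gateway root]#" style prompt, so use that form here as well. The paragraph only says you "may" use ranges when the support is present; say what happens to an entry that uses a range when the check reports "IP range Match: Not available", and note that a range such as 192.168.1.5-192.168.1.12 includes both end addresses.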
@@ -344,8 +484,8 @@ smtp,www,pop3,imap #Services running on the firewall
Port RangesIf you need to specify a range of ports, the proper syntax is
- <low port number>:<high port number>. For example, if you
- want to forward the range of tcp ports 4000 through 4100 to local host
+ <low port number>:<high port number>. For example, if you want
+ to forward the range of tcp ports 4000 through 4100 to local host
192.168.1.3, the entry in /etc/shorewall/rules is:#ACTION SOURCE DESTINATION PROTO DEST PORTS(S)
@@ -368,22 +508,23 @@ DNAT net loc:192.168.1.3 tcp 4000:4100Using Shell Variables
- /etc/shorewall/params
+ /etc/shorewall/params
NET_IF=eth0
NET_BCAST=130.252.100.255
NET_OPTIONS=routefilter,norfc1918
- /etc/shorewall/interfaces record:
+ /etc/shorewall/interfaces record:
net $NET_IF $NET_BCAST $NET_OPTIONS
- The result will be the same as if the record had been written
+ The result will be the same as if the record had been written
net eth0 130.252.100.255 routefilter,norfc1918
- Variables may be used anywhere in the other configuration files.
+ Variables may be used anywhere in the other configuration
+ files.
@@ -407,16 +548,16 @@ DNAT net loc:192.168.1.3 tcp 4000:4100
MAC Address of an Ethernet Controller
- [root@gateway root]# ifconfig eth0
- eth0 Link encap:Ethernet HWaddr 02:00:08:E3:FA:55
- inet addr:206.124.146.176 Bcast:206.124.146.255 Mask:255.255.255.0
- UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
- RX packets:2398102 errors:0 dropped:0 overruns:0 frame:0
- TX packets:3044698 errors:0 dropped:0 overruns:0 carrier:0
- collisions:30394 txqueuelen:100
- RX bytes:419871805 (400.4 Mb) TX bytes:1659782221 (1582.8 Mb)
- Interrupt:11 Base address:0x1800
+ [root@gateway root]# ifconfig eth0
+ eth0 Link encap:Ethernet HWaddr 02:00:08:E3:FA:55
+ inet addr:206.124.146.176 Bcast:206.124.146.255 Mask:255.255.255.0
+ UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
+ RX packets:2398102 errors:0 dropped:0 overruns:0 frame:0
+ TX packets:3044698 errors:0 dropped:0 overruns:0 carrier:0
+ collisions:30394 txqueuelen:100
+ RX bytes:419871805 (400.4 Mb) TX bytes:1659782221 (1582.8 Mb)
+ Interrupt:11 Base address:0x1800
@@ -424,11 +565,13 @@ role="bold">02:00:08:E3:FA:55
Shorewall requires MAC addresses to be written in another way. In
Shorewall, MAC addresses begin with a tilde (~) and consist
of 6 hex numbers separated by hyphens. In Shorewall, the MAC address in
- the example above would be written ~02-00-08-E3-FA-55.
+ the example above would be written ~02-00-08-E3-FA-55.
It is not necessary to use the special Shorewall notation in the
- /etc/shorewall/maclist
+ /etc/shorewall/maclist
file.
@@ -465,8 +608,9 @@ role="bold">02:00:08:E3:FA:55
- The try command
- allows you to attempt to restart using an alternate configuration and if
- an error occurs to automatically restart the standard configuration.
+ The try
+ command allows you to attempt to restart using an alternate
+ configuration and if an error occurs to automatically restart the standard
+ configuration.
\ No newline at end of file
diff --git a/Shorewall-docs2/myfiles.xml b/Shorewall-docs2/myfiles.xml
index a73a853e2..9041f95b8 100644
--- a/Shorewall-docs2/myfiles.xml
+++ b/Shorewall-docs2/myfiles.xml
@@ -15,7 +15,7 @@
- 2004-10-16
+ 2004-10-202001-2004
@@ -741,15 +741,16 @@ WiFi eth1 192.168.3.255 nobogons,blacklist,maclist,routeback
ipsec
- The mss=1400 in the OUT OPTIONS uses a feature added in 2.1.12
- and sets the MSS field in forwarded TCP SYN packets from the 'sec'
- zone to 1400. This works around a problem whereby ICMP
+ The mss=1400 in the OUT OPTIONS of the 'net' zone uses a feature
+ added in 2.1.12 and sets the MSS field in TCP SYN packets forwarded to
+ the 'net' zone to 1400. This works around a problem whereby ICMP
fragmentation-needed packets are being dropped somewhere between my
main firewall and the IMAP server at my work.#ZONE IPSEC OPTIONS IN OUT
# ONLY OPTIONS OPTIONS
-sec yes mode=tunnel - mss=1400
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
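Review bot: the prose now says the mss=1400 is in the OUT OPTIONS of the 'net' zone, but the only table change visible in this hunk is the removed "sec yes mode=tunnel - mss=1400" row, with no replacement row showing mss=1400 on a 'net' entry; make sure the example /etc/shorewall/ipsec table below the paragraph actually shows the 'net' row the text describes, otherwise the paragraph and the table contradict each other.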
diff --git a/Shorewall-docs2/shorewall_quickstart_guide.xml b/Shorewall-docs2/shorewall_quickstart_guide.xml
index 1194fe362..fefbd8f9a 100644
--- a/Shorewall-docs2/shorewall_quickstart_guide.xml
+++ b/Shorewall-docs2/shorewall_quickstart_guide.xml
@@ -15,7 +15,7 @@
- 2004-06-19
+ 2004-10-222001-2004
@@ -29,7 +29,8 @@
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
- GNU Free Documentation License.
+ GNU Free Documentation
+ License.
@@ -53,35 +54,48 @@
If you already have a router on your premises and you simply want
to add a firewall between the router and your local system then you want
- a simple bridge configuration.
+ a bridge configuration.
- If you have a single public IP address
+ If you have a single public IP
+ addressThese guides are designed to get your first firewall up and
running quickly in the three most common Shorewall configurations. If
you want to learn more about Shorewall than is explained in these simple
guides then the Shorewall Setup
- Guide is for you.Standalone Linux System (Version Française)Two-interface Linux System acting as a
- firewall/router for a small local network (Version Française)Three-interface Linux System acting as
- a firewall/router for a small local network and a DMZ.. (Version Française)
+ Guide is for you.
+
+ Standalone Linux System
+ (Version Française)
+
+
+
+ Two-interface Linux
+ System acting as a firewall/router for a small local network
+ (Version
+ Française)
+
+
+
+ Three-interface
+ Linux System acting as a firewall/router for a small local network
+ and a DMZ.. (Version
+ Française)
+
+ If you have more than one public IP address
- The Shorewall Setup Guide
- outlines the steps necessary to set up a firewall where there are
- multiple public IP addresses involved or if you want to learn more about
- Shorewall than is explained in the single-address guides above (Version Française)
+ The Shorewall Setup
+ Guide outlines the steps necessary to set up a firewall where
+ there are multiple public IP addresses involved or if you want to learn
+ more about Shorewall than is explained in the single-address guides
+ above (Version
+ Française)
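Review bot: "a firewall/router for a small local network and a DMZ.." has a doubled period; it was in the old text too, and this reflow is the place to fix it. The "(Version Française)" links are now split as "(Version" / "Française)" across lines in the two- and three-interface entries but kept together in the standalone entry; consistent wrapping would be tidier.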