mirror of
https://gitlab.com/shorewall/code.git
synced 2025-01-02 19:49:08 +01:00
Some 2.1 Documentation Updates
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1710 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep
parent
e91e189278
commit
584f57cfb0
@ -2042,7 +2042,7 @@ ACCEPT fw net tcp www</programlisting>
|
|||||||
|
|
||||||
<para>Also new in the Shorewall 2.1 series, the effect of
|
<para>Also new in the Shorewall 2.1 series, the effect of
|
||||||
ADD_SNAT_ALIASES=Yes can be negated for an entry by following the
|
ADD_SNAT_ALIASES=Yes can be negated for an entry by following the
|
||||||
interface name by ":" but no digit. </para>
|
interface name by ":" but no digit.</para>
|
||||||
|
|
||||||
<para>Examples:</para>
|
<para>Examples:</para>
|
||||||
|
|
||||||
@ -2407,7 +2407,7 @@ eth0 eth1 206.124.146.176</programlisting>
|
|||||||
|
|
||||||
<para>Beginning with Shorewall 2.1.1, the effect of
|
<para>Beginning with Shorewall 2.1.1, the effect of
|
||||||
ADD_IP_ALIASES=Yes can be negated for an entry by following the
|
ADD_IP_ALIASES=Yes can be negated for an entry by following the
|
||||||
interface name by ":" but no digit. </para>
|
interface name by ":" but no digit.</para>
|
||||||
|
|
||||||
<para>Example:</para>
|
<para>Example:</para>
|
||||||
|
|
||||||
@ -2490,6 +2490,24 @@ eth0 eth1 206.124.146.176</programlisting>
|
|||||||
<para>This file is used to set the following firewall parameters:</para>
|
<para>This file is used to set the following firewall parameters:</para>
|
||||||
|
|
||||||
<variablelist>
|
<variablelist>
|
||||||
|
<varlistentry>
|
||||||
|
<term>STARTUP_ENABLED</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>(Added at version 2.2.0) - When set to Yes or yes, Shorewall
|
||||||
|
may be started. Used as guard against Shorewall being accidentally
|
||||||
|
started before it has been configured.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term></term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para></para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>DYNAMIC_ZONES</term>
|
<term>DYNAMIC_ZONES</term>
|
||||||
|
|
||||||
@ -3023,6 +3041,25 @@ LOGBURST=5</programlisting>
|
|||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term>RETAIN_ALIASES</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>(Added in 2.2.0) - During "shorewall start", IP addresses to
|
||||||
|
be added as a consequence of ADD_IP_ALIASES=Yes and
|
||||||
|
ADD_SNAT_ALIASES=Yes are quietly deleted when <link
|
||||||
|
linkend="NAT">/etc/shorewall/nat</link> and <link
|
||||||
|
linkend="Masq">/etc/shorewall/masq</link> are processed then are
|
||||||
|
re-added later. This is done to help ensure that the addresses can
|
||||||
|
be added with the specified labels but can have the undesirable side
|
||||||
|
effect of causing routes to be quietly deleted. When RETAIN_ALIASES
|
||||||
|
is set to Yes, existing addresses will not be deleted. Regardless of
|
||||||
|
the setting of RETAIN_ALIASES, addresses added during "shorewall
|
||||||
|
start" are still deleted at a subsequent "shorewall stop" or
|
||||||
|
"shorewall restart".</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>LOGUNCLEAN</term>
|
<term>LOGUNCLEAN</term>
|
||||||
|
|
||||||
@ -3573,7 +3610,15 @@ eth1 -</programlisting>
|
|||||||
|
|
||||||
<para>This file is used to identify the Security Associations used to
|
<para>This file is used to identify the Security Associations used to
|
||||||
encrypt traffic to hosts in a zone and to decrypt traffic from hosts in a
|
encrypt traffic to hosts in a zone and to decrypt traffic from hosts in a
|
||||||
zone. Columns are:</para>
|
zone. Use of this file requires a 2.6 kernel that includes the
|
||||||
|
IPSEC-Netfilter patches and the policy match patch. Your iptables must
|
||||||
|
also support policy match. For additional information, see the <ulink
|
||||||
|
url="IPSEC-2.6.html">Shorewall Kernel 2.6 IPSEC
|
||||||
|
documentation</ulink>.</para>
|
||||||
|
|
||||||
|
<para></para>
|
||||||
|
|
||||||
|
<para>Columns are:</para>
|
||||||
|
|
||||||
<glosslist>
|
<glosslist>
|
||||||
<glossentry>
|
<glossentry>
|
||||||
@ -3609,32 +3654,40 @@ eth1 -</programlisting>
|
|||||||
|
|
||||||
<simplelist>
|
<simplelist>
|
||||||
<member><emphasis
|
<member><emphasis
|
||||||
role="bold">proto=ah|esp|ipcomp</emphasis></member>
|
role="bold">proto[!]=ah|esp|ipcomp</emphasis></member>
|
||||||
|
|
||||||
<member><emphasis
|
<member><emphasis
|
||||||
role="bold">mode=transport|tunnel</emphasis></member>
|
role="bold">mode[!]=transport|tunnel</emphasis></member>
|
||||||
|
|
||||||
<member><emphasis
|
<member><emphasis
|
||||||
role="bold">reqid=<<emphasis>number</emphasis>></emphasis> —
|
role="bold">reqid[!]=<<emphasis>number</emphasis>></emphasis>
|
||||||
A number assiged to a security policy using the
|
— A number assiged to a security policy using the
|
||||||
unique:<number> as the SPD level. See setkey(8).</member>
|
unique:<number> as the SPD level. See setkey(8).</member>
|
||||||
|
|
||||||
<member><emphasis
|
<member><emphasis
|
||||||
role="bold">tunnel-src=<<emphasis>address</emphasis>>[/<<emphasis>mask</emphasis>>]</emphasis>
|
role="bold">tunnel-src[!]=<<emphasis>address</emphasis>>[/<<emphasis>mask</emphasis>>]</emphasis>
|
||||||
— Tunnel Source; may only be included with mode=tunnel. Since
|
— Tunnel Source; may only be included with mode=tunnel. Since
|
||||||
tunnel source and destination are dependent on the direction of
|
tunnel source and destination are dependent on the direction of
|
||||||
the traffic, this option and the following one should only be
|
the traffic, this option and the following one should only be
|
||||||
included in the IN OPTIONS and OUT OPTIONS columns.</member>
|
included in the IN OPTIONS and OUT OPTIONS columns.</member>
|
||||||
|
|
||||||
<member><emphasis
|
<member><emphasis
|
||||||
role="bold">tunnel-dst=<<emphasis>address</emphasis>>[/<<emphasis>mask</emphasis>>]
|
role="bold">tunnel-dst[!]=<<emphasis>address</emphasis>>[/<<emphasis>mask</emphasis>>]
|
||||||
</emphasis>— Tunnel Destination; may only be included with
|
</emphasis>— Tunnel Destination; may only be included with
|
||||||
mode=tunnel.</member>
|
mode=tunnel.</member>
|
||||||
|
|
||||||
|
<member><emphasis role="bold">mss</emphasis>=<number> — Sets
|
||||||
|
the MSS field in TCP syn packets forwarded to/from this zone. May
|
||||||
|
be used to compensate for the lack of IPSEC pseuo-deviceses with
|
||||||
|
their own MTU in the 2.6 Kernel IPSEC implementation. If specified
|
||||||
|
in the IN OPTIONS, TCP SYN packets from the zone will have MSS
|
||||||
|
altered; if specified in the OUT OPTIONS, TCP SYN packets to the
|
||||||
|
zone will have MSS altered.</member>
|
||||||
|
|
||||||
<member><emphasis
|
<member><emphasis
|
||||||
role="bold">spi=<<emphasis>number</emphasis>></emphasis> —
|
role="bold">spi[!]=<<emphasis>number</emphasis>></emphasis>
|
||||||
The security parameter index of the Security Association. Since a
|
— The security parameter index of the Security Association. Since
|
||||||
different SA is used for incoming and outgoing traffic, this
|
a different SA is used for incoming and outgoing traffic, this
|
||||||
option should only be listed in the IN OPTIONS and OUT OPTIONS
|
option should only be listed in the IN OPTIONS and OUT OPTIONS
|
||||||
columns.</member>
|
columns.</member>
|
||||||
|
|
||||||
@ -3657,10 +3710,20 @@ eth1 -</programlisting>
|
|||||||
<title>Revision History</title>
|
<title>Revision History</title>
|
||||||
|
|
||||||
<para><revhistory>
|
<para><revhistory>
|
||||||
|
<revision>
|
||||||
|
<revnumber>1.20</revnumber>
|
||||||
|
|
||||||
|
<date>2004-10-22</date>
|
||||||
|
|
||||||
|
<authorinitials>TE</authorinitials>
|
||||||
|
|
||||||
|
<revremark>Changes for Shorewall 2.2 Beta 1.</revremark>
|
||||||
|
</revision>
|
||||||
|
|
||||||
<revision>
|
<revision>
|
||||||
<revnumber>1.19</revnumber>
|
<revnumber>1.19</revnumber>
|
||||||
|
|
||||||
<date>2004-09012</date>
|
<date>2004-09-12</date>
|
||||||
|
|
||||||
<authorinitials>TE</authorinitials>
|
<authorinitials>TE</authorinitials>
|
||||||
|
|
||||||
|
|||||||
@ -15,11 +15,13 @@
|
|||||||
</author>
|
</author>
|
||||||
</authorgroup>
|
</authorgroup>
|
||||||
|
|
||||||
<pubdate>2002-12-21</pubdate>
|
<pubdate>2004-10-21</pubdate>
|
||||||
|
|
||||||
<copyright>
|
<copyright>
|
||||||
<year>2002</year>
|
<year>2002</year>
|
||||||
|
|
||||||
|
<year>2004</year>
|
||||||
|
|
||||||
<holder>Thomas M. Eastep</holder>
|
<holder>Thomas M. Eastep</holder>
|
||||||
</copyright>
|
</copyright>
|
||||||
|
|
||||||
@ -29,7 +31,8 @@
|
|||||||
1.2 or any later version published by the Free Software Foundation; with
|
1.2 or any later version published by the Free Software Foundation; with
|
||||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||||
Texts. A copy of the license is included in the section entitled
|
Texts. A copy of the license is included in the section entitled
|
||||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
|
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||||
|
License</ulink></quote>.</para>
|
||||||
</legalnotice>
|
</legalnotice>
|
||||||
</articleinfo>
|
</articleinfo>
|
||||||
|
|
||||||
@ -49,10 +52,11 @@
|
|||||||
address 192.0.2.224.</para>
|
address 192.0.2.224.</para>
|
||||||
|
|
||||||
<para>If PPTP is being used, there are no firewall requirements beyond the
|
<para>If PPTP is being used, there are no firewall requirements beyond the
|
||||||
default loc->net ACCEPT policy. There is one restriction however: Only
|
default loc->net ACCEPT policy. There is one restriction however: Only
|
||||||
one local system at a time can be connected to a single remote gateway
|
one local system at a time can be connected to a single remote gateway
|
||||||
unless you patch your kernel from the <quote>Patch-o-matic</quote> patches
|
unless you patch your kernel from the <quote>Patch-o-matic</quote> patches
|
||||||
available at <ulink url="http://www.netfilter.org">http://www.netfilter.org</ulink>.</para>
|
available at <ulink
|
||||||
|
url="http://www.netfilter.org">http://www.netfilter.org</ulink>.</para>
|
||||||
|
|
||||||
<para>If IPSEC is being used then only one system may connect to the
|
<para>If IPSEC is being used then only one system may connect to the
|
||||||
remote gateway and there are firewall configuration requirements as
|
remote gateway and there are firewall configuration requirements as
|
||||||
@ -118,7 +122,19 @@
|
|||||||
|
|
||||||
<para>If you want to be able to give access to all of your local systems
|
<para>If you want to be able to give access to all of your local systems
|
||||||
to the remote network, you should consider running a VPN client on your
|
to the remote network, you should consider running a VPN client on your
|
||||||
firewall. As starting points, see <ulink url="Documentation.htm#Tunnels">http://www.shorewall.net/Documentation.htm#Tunnels</ulink>
|
firewall. As starting points, see <ulink
|
||||||
|
url="Documentation.htm#Tunnels">http://www.shorewall.net/Documentation.htm#Tunnels</ulink>
|
||||||
or <ulink url="PPTP.htm">http://www.shorewall.net/PPTP.htm</ulink>.</para>
|
or <ulink url="PPTP.htm">http://www.shorewall.net/PPTP.htm</ulink>.</para>
|
||||||
|
|
||||||
|
<para>Alternatively, you should configure IPSEC to use <firstterm>NAT
|
||||||
|
Traversal</firstterm> -- Under NAT traversal the IPSEC packets (protocol
|
||||||
|
50 or 51) are encapsulated in UDP packets with destination port 4500.
|
||||||
|
Additionally, <firstterm>keep-alive messages</firstterm> are sent
|
||||||
|
frequently so that NATing gateways between the end-points will retain
|
||||||
|
their connection-tracking entries. This is the way that I connect to the
|
||||||
|
HP Intranet and it works flawlessly without anything in Shorewall other
|
||||||
|
than my ACCEPT loc->net policy. NAT traversal is available as a patch
|
||||||
|
for Windows 2K and is a standard feature of Windows XP -- simply select
|
||||||
|
"</para>
|
||||||
</section>
|
</section>
|
||||||
</article>
|
</article>
|
||||||
@ -15,7 +15,7 @@
|
|||||||
</author>
|
</author>
|
||||||
</authorgroup>
|
</authorgroup>
|
||||||
|
|
||||||
<pubdate>2004-04-20</pubdate>
|
<pubdate>2004-10-22</pubdate>
|
||||||
|
|
||||||
<copyright>
|
<copyright>
|
||||||
<year>2001-2004</year>
|
<year>2001-2004</year>
|
||||||
@ -29,7 +29,8 @@
|
|||||||
1.2 or any later version published by the Free Software Foundation; with
|
1.2 or any later version published by the Free Software Foundation; with
|
||||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||||
Texts. A copy of the license is included in the section entitled
|
Texts. A copy of the license is included in the section entitled
|
||||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
|
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||||
|
License</ulink></quote>.</para>
|
||||||
</legalnotice>
|
</legalnotice>
|
||||||
</articleinfo>
|
</articleinfo>
|
||||||
|
|
||||||
@ -43,64 +44,172 @@
|
|||||||
<section id="Files">
|
<section id="Files">
|
||||||
<title>Files</title>
|
<title>Files</title>
|
||||||
|
|
||||||
<para><itemizedlist><listitem><para><filename>/etc/shorewall/shorewall.conf</filename>
|
<para><itemizedlist>
|
||||||
- used to set several firewall parameters.</para></listitem><listitem><para><filename>/etc/shorewall/params</filename>
|
<listitem>
|
||||||
- use this file to set shell variables that you will expand in other
|
<para><filename>/etc/shorewall/shorewall.conf</filename> - used to
|
||||||
files.</para></listitem><listitem><para><filename>/etc/shorewall/zones</filename>
|
set several firewall parameters.</para>
|
||||||
- partition the firewall's view of the world into zones.</para></listitem><listitem><para><filename>/etc/shorewall/policy</filename>
|
</listitem>
|
||||||
- establishes firewall high-level policy.</para></listitem><listitem><para><filename>/etc/shorewall/interfaces</filename>
|
|
||||||
- describes the interfaces on the firewall system.</para></listitem><listitem><para><filename>/etc/shorewall/hosts</filename>
|
<listitem>
|
||||||
- allows defining zones in terms of individual hosts and subnetworks.</para></listitem><listitem><para><filename>/etc/shorewall/masq</filename>
|
<para><filename>/etc/shorewall/params</filename> - use this file to
|
||||||
- directs the firewall where to use many-to-one (dynamic) Network Address
|
set shell variables that you will expand in other files.</para>
|
||||||
Translation (a.k.a. Masquerading) and Source Network Address Translation
|
</listitem>
|
||||||
(SNAT).</para></listitem><listitem><para><filename>/etc/shorewall/modules</filename>
|
|
||||||
- directs the firewall to load kernel modules.</para></listitem><listitem><para><filename>/etc/shorewall/rules</filename>
|
<listitem>
|
||||||
- defines rules that are exceptions to the overall policies established in
|
<para><filename>/etc/shorewall/zones</filename> - partition the
|
||||||
/etc/shorewall/policy.</para></listitem><listitem><para><filename>/etc/shorewall/nat</filename>
|
firewall's view of the world into zones.</para>
|
||||||
- defines one-to-one NAT rules.</para></listitem><listitem><para><filename>/etc/shorewall/proxyarp</filename>
|
</listitem>
|
||||||
- defines use of Proxy ARP.</para></listitem><listitem><para><filename>/etc/shorewall/routestopped</filename>
|
|
||||||
(Shorewall 1.3.4 and later) - defines hosts accessible when Shorewall is
|
<listitem>
|
||||||
stopped.</para></listitem><listitem><para><filename>/etc/shorewall/tcrules
|
<para><filename>/etc/shorewall/policy</filename> - establishes
|
||||||
</filename>- defines marking of packets for later use by traffic
|
firewall high-level policy.</para>
|
||||||
control/shaping or policy routing.</para></listitem><listitem><para><filename>/etc/shorewall/tos</filename>
|
</listitem>
|
||||||
- defines rules for setting the TOS field in packet headers.</para></listitem><listitem><para><filename>/etc/shorewall/tunnels</filename>
|
|
||||||
- defines IPSEC, GRE and IPIP tunnels with end-points on the firewall
|
<listitem>
|
||||||
system.</para></listitem><listitem><para><filename>/etc/shorewall/blacklist</filename>
|
<para><filename>/etc/shorewall/interfaces</filename> - describes the
|
||||||
- lists blacklisted IP/subnet/MAC addresses.</para></listitem><listitem><para><filename>/etc/shorewall/init</filename>
|
interfaces on the firewall system.</para>
|
||||||
- commands that you wish to execute at the beginning of a <quote>shorewall
|
</listitem>
|
||||||
start</quote> or <quote>shorewall restart</quote>.</para></listitem><listitem><para><filename>/etc/shorewall/start</filename>
|
|
||||||
- commands that you wish to execute at the completion of a <quote>shorewall
|
<listitem>
|
||||||
start</quote> or <quote>shorewall restart</quote></para></listitem><listitem><para><filename>/etc/shorewall/stop
|
<para><filename>/etc/shorewall/hosts</filename> - allows defining
|
||||||
</filename>- commands that you wish to execute at the beginning of a
|
zones in terms of individual hosts and subnetworks.</para>
|
||||||
<quote>shorewall stop</quote>.</para></listitem><listitem><para><filename>/etc/shorewall/stopped</filename>
|
</listitem>
|
||||||
- commands that you wish to execute at the completion of a <quote>shorewall
|
|
||||||
stop</quote>.</para></listitem><listitem><para><filename>/etc/shorewall/ecn</filename>
|
<listitem>
|
||||||
- disable Explicit Congestion Notification (ECN - RFC 3168) to remote
|
<para><filename>/etc/shorewall/masq</filename> - directs the
|
||||||
hosts or networks.</para></listitem><listitem><para><filename>/etc/shorewall/accounting</filename>
|
firewall where to use many-to-one (dynamic) Network Address
|
||||||
- define IP traffic accounting rules</para></listitem><listitem><para><filename>/etc/shorewall/actions</filename>
|
Translation (a.k.a. Masquerading) and Source Network Address
|
||||||
and <filename>/usr/share/shorewall/action.template</filename> - define
|
Translation (SNAT).</para>
|
||||||
your own actions for rules in /etc/shorewall/rules (shorewall 1.4.9 and
|
</listitem>
|
||||||
later).</para></listitem><listitem><para><filename>/usr/share/shorewall/actions.std</filename>
|
|
||||||
- Actions defined by Shorewall.</para></listitem><listitem><para><filename>/usr/share/shorewall/actions.*</filename>
|
<listitem>
|
||||||
- Details of actions defined by Shorewall.</para></listitem><listitem><para><filename>/usr/share/rfc1918</filename>
|
<para><filename>/etc/shorewall/modules</filename> - directs the
|
||||||
— Defines the behavior of the 'norfc1918' interface option in
|
firewall to load kernel modules.</para>
|
||||||
<filename>/etc/shorewall/interfaces</filename>. <emphasis role="bold">If
|
</listitem>
|
||||||
you need to change this file, copy it to <filename>/etc/shorewall</filename>
|
|
||||||
and modify the copy</emphasis>.</para></listitem><listitem><para><filename>/usr/share/bogons</filename>
|
<listitem>
|
||||||
— Defines the behavior of the 'nobogons' interface option in
|
<para><filename>/etc/shorewall/rules</filename> - defines rules that
|
||||||
<filename>/etc/shorewall/interfaces</filename>. <emphasis role="bold">If
|
are exceptions to the overall policies established in
|
||||||
you need to change this file, copy it to <filename>/etc/shorewall</filename>
|
/etc/shorewall/policy.</para>
|
||||||
and modify the copy</emphasis>.</para></listitem></itemizedlist></para>
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para><filename>/etc/shorewall/nat</filename> - defines one-to-one
|
||||||
|
NAT rules.</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para><filename>/etc/shorewall/proxyarp</filename> - defines use of
|
||||||
|
Proxy ARP.</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para><filename>/etc/shorewall/routestopped</filename> (Shorewall
|
||||||
|
1.3.4 and later) - defines hosts accessible when Shorewall is
|
||||||
|
stopped.</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para><filename>/etc/shorewall/tcrules </filename>- defines marking
|
||||||
|
of packets for later use by traffic control/shaping or policy
|
||||||
|
routing.</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para><filename>/etc/shorewall/tos</filename> - defines rules for
|
||||||
|
setting the TOS field in packet headers.</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para><filename>/etc/shorewall/tunnels</filename> - defines IPSEC,
|
||||||
|
GRE and IPIP tunnels with end-points on the firewall system.</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para><filename>/etc/shorewall/blacklist</filename> - lists
|
||||||
|
blacklisted IP/subnet/MAC addresses.</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para><filename>/etc/shorewall/init</filename> - commands that you
|
||||||
|
wish to execute at the beginning of a <quote>shorewall start</quote>
|
||||||
|
or <quote>shorewall restart</quote>.</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para><filename>/etc/shorewall/start</filename> - commands that you
|
||||||
|
wish to execute at the completion of a <quote>shorewall
|
||||||
|
start</quote> or <quote>shorewall restart</quote></para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para><filename>/etc/shorewall/stop </filename>- commands that you
|
||||||
|
wish to execute at the beginning of a <quote>shorewall
|
||||||
|
stop</quote>.</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para><filename>/etc/shorewall/stopped</filename> - commands that
|
||||||
|
you wish to execute at the completion of a <quote>shorewall
|
||||||
|
stop</quote>.</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para><filename>/etc/shorewall/ecn</filename> - disable Explicit
|
||||||
|
Congestion Notification (ECN - RFC 3168) to remote hosts or
|
||||||
|
networks.</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para><filename>/etc/shorewall/accounting</filename> - define IP
|
||||||
|
traffic accounting rules</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para><filename>/etc/shorewall/actions</filename> and
|
||||||
|
<filename>/usr/share/shorewall/action.template</filename> - define
|
||||||
|
your own actions for rules in /etc/shorewall/rules (shorewall 1.4.9
|
||||||
|
and later).</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para><filename>/usr/share/shorewall/actions.std</filename> -
|
||||||
|
Actions defined by Shorewall.</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para><filename>/usr/share/shorewall/actions.*</filename> - Details
|
||||||
|
of actions defined by Shorewall.</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para><filename>/usr/share/rfc1918</filename> — Defines the behavior
|
||||||
|
of the 'norfc1918' interface option in
|
||||||
|
<filename>/etc/shorewall/interfaces</filename>. <emphasis
|
||||||
|
role="bold">If you need to change this file, copy it to
|
||||||
|
<filename>/etc/shorewall</filename> and modify the
|
||||||
|
copy</emphasis>.</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para><filename>/usr/share/bogons</filename> — Defines the behavior
|
||||||
|
of the 'nobogons' interface option in
|
||||||
|
<filename>/etc/shorewall/interfaces</filename>. <emphasis
|
||||||
|
role="bold">If you need to change this file, copy it to
|
||||||
|
<filename>/etc/shorewall</filename> and modify the
|
||||||
|
copy</emphasis>.</para>
|
||||||
|
</listitem>
|
||||||
|
</itemizedlist></para>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
<title>Special Note about /etc/shorewall/shorewall.conf</title>
|
<title>Special Note about /etc/shorewall/shorewall.conf</title>
|
||||||
|
|
||||||
<para>It is a good idea to modify your /etc/shorewall/shorewall.conf file,
|
<para>It is a good idea to modify your /etc/shorewall/shorewall.conf file,
|
||||||
even if you just add a comment that says "I modified this file".
|
even if you just add a comment that says "I modified this file". That way,
|
||||||
That way, your package manager won't overwrite the file with future
|
your package manager won't overwrite the file with future updated
|
||||||
updated versions. Such overwrites can cause unwanted changes in the
|
versions. Such overwrites can cause unwanted changes in the behavior of
|
||||||
behavior of Shorewall.</para>
|
Shorewall.</para>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section id="Comments">
|
<section id="Comments">
|
||||||
@ -123,7 +232,8 @@ ACCEPT net fw tcp www #This is an end-of-line comment</program
|
|||||||
<title>Line Continuation</title>
|
<title>Line Continuation</title>
|
||||||
|
|
||||||
<para>You may continue lines in the configuration files using the usual
|
<para>You may continue lines in the configuration files using the usual
|
||||||
backslash (<quote>\</quote>) followed immediately by a new line character.</para>
|
backslash (<quote>\</quote>) followed immediately by a new line
|
||||||
|
character.</para>
|
||||||
|
|
||||||
<example>
|
<example>
|
||||||
<title>Line Continuation</title>
|
<title>Line Continuation</title>
|
||||||
@ -144,53 +254,53 @@ smtp,www,pop3,imap #Services running on the firewall</programlisting>
|
|||||||
alternate configuration directory if one has been specified for the
|
alternate configuration directory if one has been specified for the
|
||||||
command.</para>
|
command.</para>
|
||||||
|
|
||||||
<para>INCLUDE's may be nested to a level of 3 -- further nested
|
<para>INCLUDE's may be nested to a level of 3 -- further nested INCLUDE
|
||||||
INCLUDE directives are ignored with a warning message.</para>
|
directives are ignored with a warning message.</para>
|
||||||
|
|
||||||
<example>
|
<example>
|
||||||
<title>Use of INCLUDE</title>
|
<title>Use of INCLUDE</title>
|
||||||
|
|
||||||
<programlisting> shorewall/params.mgmt:
|
<programlisting> shorewall/params.mgmt:
|
||||||
|
|
||||||
   MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3
|
MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3
|
||||||
   TIME_SERVERS=4.4.4.4
|
TIME_SERVERS=4.4.4.4
|
||||||
   BACKUP_SERVERS=5.5.5.5
|
BACKUP_SERVERS=5.5.5.5
|
||||||
|
|
||||||
   ----- end params.mgmt -----
|
----- end params.mgmt -----
|
||||||
|
|
||||||
   shorewall/params:
|
shorewall/params:
|
||||||
|
|
||||||
   # Shorewall 1.3 /etc/shorewall/params
|
# Shorewall 1.3 /etc/shorewall/params
|
||||||
   [..]
|
[..]
|
||||||
   #######################################
|
#######################################
|
||||||
 
|
|
||||||
   INCLUDE params.mgmt   
|
INCLUDE params.mgmt
|
||||||
 
|
|
||||||
   # params unique to this host here
|
# params unique to this host here
|
||||||
   #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
|
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
|
||||||
|
|
||||||
   ----- end params -----
|
----- end params -----
|
||||||
|
|
||||||
   shorewall/rules.mgmt:
|
shorewall/rules.mgmt:
|
||||||
|
|
||||||
   ACCEPT net:$MGMT_SERVERS   $FW    tcp    22
|
ACCEPT net:$MGMT_SERVERS $FW tcp 22
|
||||||
   ACCEPT $FW          net:$TIME_SERVERS    udp    123
|
ACCEPT $FW net:$TIME_SERVERS udp 123
|
||||||
   ACCEPT $FW          net:$BACKUP_SERVERS  tcp    22
|
ACCEPT $FW net:$BACKUP_SERVERS tcp 22
|
||||||
|
|
||||||
   ----- end rules.mgmt -----
|
----- end rules.mgmt -----
|
||||||
|
|
||||||
   shorewall/rules:
|
shorewall/rules:
|
||||||
|
|
||||||
   # Shorewall version 1.3 - Rules File
|
# Shorewall version 1.3 - Rules File
|
||||||
   [..]
|
[..]
|
||||||
   #######################################
|
#######################################
|
||||||
 
|
|
||||||
   INCLUDE rules.mgmt    
|
INCLUDE rules.mgmt
|
||||||
 
|
|
||||||
   # rules unique to this host here
|
# rules unique to this host here
|
||||||
   #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||||
|
|
||||||
   ----- end rules -----</programlisting>
|
----- end rules -----</programlisting>
|
||||||
</example>
|
</example>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
@ -200,46 +310,47 @@ smtp,www,pop3,imap #Services running on the firewall</programlisting>
|
|||||||
<caution>
|
<caution>
|
||||||
<para>I personally recommend strongly against using DNS names in
|
<para>I personally recommend strongly against using DNS names in
|
||||||
Shorewall configuration files. If you use DNS names and you are called
|
Shorewall configuration files. If you use DNS names and you are called
|
||||||
out of bed at 2:00AM because Shorewall won't start as a result of
|
out of bed at 2:00AM because Shorewall won't start as a result of DNS
|
||||||
DNS problems then don't say that you were not forewarned.</para>
|
problems then don't say that you were not forewarned.</para>
|
||||||
</caution>
|
</caution>
|
||||||
|
|
||||||
<para>Beginning with Shorewall 1.3.9, Host addresses in Shorewall
|
<para>Beginning with Shorewall 1.3.9, Host addresses in Shorewall
|
||||||
configuration files may be specified as either IP addresses or DNS Names.</para>
|
configuration files may be specified as either IP addresses or DNS
|
||||||
|
Names.</para>
|
||||||
|
|
||||||
<para>DNS names in iptables rules aren't nearly as useful as they
|
<para>DNS names in iptables rules aren't nearly as useful as they first
|
||||||
first appear. When a DNS name appears in a rule, the iptables utility
|
appear. When a DNS name appears in a rule, the iptables utility resolves
|
||||||
resolves the name to one or more IP addresses and inserts those addresses
|
the name to one or more IP addresses and inserts those addresses into the
|
||||||
into the rule. So changes in the DNS->IP address relationship that
|
rule. So changes in the DNS->IP address relationship that occur after
|
||||||
occur after the firewall has started have absolutely no effect on the
|
the firewall has started have absolutely no effect on the firewall's
|
||||||
firewall's ruleset.</para>
|
ruleset.</para>
|
||||||
|
|
||||||
<para>If your firewall rules include DNS names then:</para>
|
<para>If your firewall rules include DNS names then:</para>
|
||||||
|
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>If your <filename>/etc/resolv.conf </filename>is wrong then your
|
<para>If your <filename>/etc/resolv.conf </filename>is wrong then your
|
||||||
firewall won't start.</para>
|
firewall won't start.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>If your <filename>/etc/nsswitch.conf</filename> is wrong then
|
<para>If your <filename>/etc/nsswitch.conf</filename> is wrong then
|
||||||
your firewall won't start.</para>
|
your firewall won't start.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>If your Name Server(s) is(are) down then your firewall won't
|
<para>If your Name Server(s) is(are) down then your firewall won't
|
||||||
start.</para>
|
start.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>If your startup scripts try to start your firewall before
|
<para>If your startup scripts try to start your firewall before
|
||||||
starting your DNS server then your firewall won't start.</para>
|
starting your DNS server then your firewall won't start.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Factors totally outside your control (your ISP's router is
|
<para>Factors totally outside your control (your ISP's router is down
|
||||||
down for example), can prevent your firewall from starting.</para>
|
for example), can prevent your firewall from starting.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -285,7 +396,8 @@ smtp,www,pop3,imap #Services running on the firewall</programlisting>
|
|||||||
|
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>The server address in a DNAT rule (/etc/shorewall/rules file)</para>
|
<para>The server address in a DNAT rule (/etc/shorewall/rules
|
||||||
|
file)</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -297,7 +409,8 @@ smtp,www,pop3,imap #Services running on the firewall</programlisting>
|
|||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
||||||
<para>These restrictions are imposed by Netfilter and not by Shorewall.</para>
|
<para>These restrictions are imposed by Netfilter and not by
|
||||||
|
Shorewall.</para>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section id="Compliment">
|
<section id="Compliment">
|
||||||
@ -305,8 +418,9 @@ smtp,www,pop3,imap #Services running on the firewall</programlisting>
|
|||||||
|
|
||||||
<para>Where specifying an IP address, a subnet or an interface, you can
|
<para>Where specifying an IP address, a subnet or an interface, you can
|
||||||
precede the item with <quote>!</quote> to specify the complement of the
|
precede the item with <quote>!</quote> to specify the complement of the
|
||||||
item. For example, !192.168.1.4 means <quote>any host but 192.168.1.4</quote>.
|
item. For example, !192.168.1.4 means <quote>any host but
|
||||||
There must be no white space following the <quote>!</quote>.</para>
|
192.168.1.4</quote>. There must be no white space following the
|
||||||
|
<quote>!</quote>.</para>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section id="Lists">
|
<section id="Lists">
|
||||||
@ -318,7 +432,7 @@ smtp,www,pop3,imap #Services running on the firewall</programlisting>
|
|||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Must not have any embedded white space.<programlisting> Valid: routefilter,dhcp,norfc1918
|
<para>Must not have any embedded white space.<programlisting> Valid: routefilter,dhcp,norfc1918
|
||||||
Invalid: routefilter,     dhcp,     norfc1818</programlisting></para>
|
Invalid: routefilter, dhcp, norfc1818</programlisting></para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -328,11 +442,37 @@ smtp,www,pop3,imap #Services running on the firewall</programlisting>
|
|||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Entries in a comma-separated list may appear in any order.</para>
|
<para>Entries in a comma-separated list may appear in any
|
||||||
|
order.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
|
<section>
|
||||||
|
<title>IP Address Ranges</title>
|
||||||
|
|
||||||
|
<para>Beginning with Shorewall 2.2.0, if you kernel and iptables have
|
||||||
|
iprange match support, you may use IP address ranges in Shorewall
|
||||||
|
configuration file entries; IP address ranges have the syntax
|
||||||
|
<<emphasis>low IP address</emphasis>>-<<emphasis>high IP
|
||||||
|
address</emphasis>>. Example: 192.168.1.5-192.168.1.12.</para>
|
||||||
|
|
||||||
|
<para>To see if your kernel and iptables have the required support, use
|
||||||
|
the <command>shorewall check</command> command:</para>
|
||||||
|
|
||||||
|
<programlisting>>~ <command>shorewall check</command>
|
||||||
|
...
|
||||||
|
Shorewall has detected the following iptables/netfilter capabilities:
|
||||||
|
NAT: Available
|
||||||
|
Packet Mangling: Available
|
||||||
|
Multi-port Match: Available
|
||||||
|
Connection Tracking Match: Available
|
||||||
|
Packet Type Match: Not available
|
||||||
|
Policy Match: Available
|
||||||
|
Physdev Match: Available
|
||||||
|
<emphasis role="bold">IP range Match: Available <-------------- </emphasis></programlisting>
|
||||||
|
</section>
|
||||||
|
|
||||||
<section id="Ports">
|
<section id="Ports">
|
||||||
<title>Port Numbers/Service Names</title>
|
<title>Port Numbers/Service Names</title>
|
||||||
|
|
||||||
@ -344,8 +484,8 @@ smtp,www,pop3,imap #Services running on the firewall</programlisting>
|
|||||||
<title>Port Ranges</title>
|
<title>Port Ranges</title>
|
||||||
|
|
||||||
<para>If you need to specify a range of ports, the proper syntax is
|
<para>If you need to specify a range of ports, the proper syntax is
|
||||||
<low port number>:<high port number>. For example, if you
|
<low port number>:<high port number>. For example, if you want
|
||||||
want to forward the range of tcp ports 4000 through 4100 to local host
|
to forward the range of tcp ports 4000 through 4100 to local host
|
||||||
192.168.1.3, the entry in /etc/shorewall/rules is:</para>
|
192.168.1.3, the entry in /etc/shorewall/rules is:</para>
|
||||||
|
|
||||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORTS(S)
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORTS(S)
|
||||||
@ -368,22 +508,23 @@ DNAT net loc:192.168.1.3 tcp 4000:4100</programlisting>
|
|||||||
<example>
|
<example>
|
||||||
<title>Using Shell Variables</title>
|
<title>Using Shell Variables</title>
|
||||||
|
|
||||||
<programlisting>    /etc/shorewall/params
|
<programlisting> /etc/shorewall/params
|
||||||
|
|
||||||
NET_IF=eth0
|
NET_IF=eth0
|
||||||
NET_BCAST=130.252.100.255
|
NET_BCAST=130.252.100.255
|
||||||
NET_OPTIONS=routefilter,norfc1918
|
NET_OPTIONS=routefilter,norfc1918
|
||||||
|
|
||||||
    /etc/shorewall/interfaces record:
|
/etc/shorewall/interfaces record:
|
||||||
|
|
||||||
net $NET_IF $NET_BCAST $NET_OPTIONS
|
net $NET_IF $NET_BCAST $NET_OPTIONS
|
||||||
|
|
||||||
    The result will be the same as if the record had been written
|
The result will be the same as if the record had been written
|
||||||
|
|
||||||
net eth0 130.252.100.255 routefilter,norfc1918
|
net eth0 130.252.100.255 routefilter,norfc1918
|
||||||
</programlisting>
|
</programlisting>
|
||||||
|
|
||||||
<para>Variables may be used anywhere in the other configuration files.</para>
|
<para>Variables may be used anywhere in the other configuration
|
||||||
|
files.</para>
|
||||||
</example>
|
</example>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
@ -407,16 +548,16 @@ DNAT net loc:192.168.1.3 tcp 4000:4100</programlisting>
|
|||||||
<example>
|
<example>
|
||||||
<title>MAC Address of an Ethernet Controller</title>
|
<title>MAC Address of an Ethernet Controller</title>
|
||||||
|
|
||||||
<programlisting>      [root@gateway root]# <command>ifconfig eth0</command>
|
<programlisting> [root@gateway root]# <command>ifconfig eth0</command>
|
||||||
     eth0 Link encap:Ethernet HWaddr <emphasis
|
eth0 Link encap:Ethernet HWaddr <emphasis
|
||||||
role="bold">02:00:08:E3:FA:55</emphasis>
|
role="bold">02:00:08:E3:FA:55</emphasis>
|
||||||
     inet addr:206.124.146.176 Bcast:206.124.146.255 Mask:255.255.255.0
|
inet addr:206.124.146.176 Bcast:206.124.146.255 Mask:255.255.255.0
|
||||||
     UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
|
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
|
||||||
     RX packets:2398102 errors:0 dropped:0 overruns:0 frame:0
|
RX packets:2398102 errors:0 dropped:0 overruns:0 frame:0
|
||||||
     TX packets:3044698 errors:0 dropped:0 overruns:0 carrier:0
|
TX packets:3044698 errors:0 dropped:0 overruns:0 carrier:0
|
||||||
     collisions:30394 txqueuelen:100
|
collisions:30394 txqueuelen:100
|
||||||
     RX bytes:419871805 (400.4 Mb) TX bytes:1659782221 (1582.8 Mb)
|
RX bytes:419871805 (400.4 Mb) TX bytes:1659782221 (1582.8 Mb)
|
||||||
     Interrupt:11 Base address:0x1800
|
Interrupt:11 Base address:0x1800
|
||||||
</programlisting>
|
</programlisting>
|
||||||
</example>
|
</example>
|
||||||
|
|
||||||
@ -424,11 +565,13 @@ role="bold">02:00:08:E3:FA:55</emphasis>
|
|||||||
Shorewall requires MAC addresses to be written in another way. In
|
Shorewall requires MAC addresses to be written in another way. In
|
||||||
Shorewall, MAC addresses begin with a tilde (<quote>~</quote>) and consist
|
Shorewall, MAC addresses begin with a tilde (<quote>~</quote>) and consist
|
||||||
of 6 hex numbers separated by hyphens. In Shorewall, the MAC address in
|
of 6 hex numbers separated by hyphens. In Shorewall, the MAC address in
|
||||||
the example above would be written <emphasis role="bold">~02-00-08-E3-FA-55</emphasis>.</para>
|
the example above would be written <emphasis
|
||||||
|
role="bold">~02-00-08-E3-FA-55</emphasis>.</para>
|
||||||
|
|
||||||
<note>
|
<note>
|
||||||
<para>It is not necessary to use the special Shorewall notation in the
|
<para>It is not necessary to use the special Shorewall notation in the
|
||||||
<filename><ulink url="MAC_Validation.html">/etc/shorewall/maclist</ulink></filename>
|
<filename><ulink
|
||||||
|
url="MAC_Validation.html">/etc/shorewall/maclist</ulink></filename>
|
||||||
file.</para>
|
file.</para>
|
||||||
</note>
|
</note>
|
||||||
</section>
|
</section>
|
||||||
@ -465,8 +608,9 @@ role="bold">02:00:08:E3:FA:55</emphasis>
|
|||||||
</listitem>
|
</listitem>
|
||||||
</orderedlist>
|
</orderedlist>
|
||||||
|
|
||||||
<para>The <ulink url="starting_and_stopping_shorewall.htm">try command</ulink>
|
<para>The <ulink url="starting_and_stopping_shorewall.htm">try
|
||||||
allows you to attempt to restart using an alternate configuration and if
|
command</ulink> allows you to attempt to restart using an alternate
|
||||||
an error occurs to automatically restart the standard configuration.</para>
|
configuration and if an error occurs to automatically restart the standard
|
||||||
|
configuration.</para>
|
||||||
</section>
|
</section>
|
||||||
</article>
|
</article>
|
||||||
@ -15,7 +15,7 @@
|
|||||||
</author>
|
</author>
|
||||||
</authorgroup>
|
</authorgroup>
|
||||||
|
|
||||||
<pubdate>2004-10-16</pubdate>
|
<pubdate>2004-10-20</pubdate>
|
||||||
|
|
||||||
<copyright>
|
<copyright>
|
||||||
<year>2001-2004</year>
|
<year>2001-2004</year>
|
||||||
@ -741,15 +741,16 @@ WiFi eth1 192.168.3.255 nobogons,blacklist,maclist,routeback
|
|||||||
<title>ipsec</title>
|
<title>ipsec</title>
|
||||||
|
|
||||||
<blockquote>
|
<blockquote>
|
||||||
<para>The mss=1400 in the OUT OPTIONS uses a feature added in 2.1.12
|
<para>The mss=1400 in the OUT OPTIONS of the 'net' zone uses a feature
|
||||||
and sets the MSS field in forwarded TCP SYN packets from the 'sec'
|
added in 2.1.12 and sets the MSS field in TCP SYN packets forwarded to
|
||||||
zone to 1400. This works around a problem whereby ICMP
|
the 'net' zone to 1400. This works around a problem whereby ICMP
|
||||||
fragmentation-needed packets are being dropped somewhere between my
|
fragmentation-needed packets are being dropped somewhere between my
|
||||||
main firewall and the IMAP server at my work.</para>
|
main firewall and the IMAP server at my work.</para>
|
||||||
|
|
||||||
<programlisting>#ZONE IPSEC OPTIONS IN OUT
|
<programlisting>#ZONE IPSEC OPTIONS IN OUT
|
||||||
# ONLY OPTIONS OPTIONS
|
# ONLY OPTIONS OPTIONS
|
||||||
sec yes mode=tunnel - <emphasis
|
sec yes mode=tunnel
|
||||||
|
net no - - <emphasis
|
||||||
role="bold">mss=1400</emphasis>
|
role="bold">mss=1400</emphasis>
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||||
</programlisting>
|
</programlisting>
|
||||||
|
|||||||
@ -15,7 +15,7 @@
|
|||||||
</author>
|
</author>
|
||||||
</authorgroup>
|
</authorgroup>
|
||||||
|
|
||||||
<pubdate>2004-06-19</pubdate>
|
<pubdate>2004-10-22</pubdate>
|
||||||
|
|
||||||
<copyright>
|
<copyright>
|
||||||
<year>2001-2004</year>
|
<year>2001-2004</year>
|
||||||
@ -29,7 +29,8 @@
|
|||||||
1.2 or any later version published by the Free Software Foundation; with
|
1.2 or any later version published by the Free Software Foundation; with
|
||||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||||
Texts. A copy of the license is included in the section entitled
|
Texts. A copy of the license is included in the section entitled
|
||||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
|
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||||
|
License</ulink></quote>.</para>
|
||||||
</legalnotice>
|
</legalnotice>
|
||||||
</articleinfo>
|
</articleinfo>
|
||||||
|
|
||||||
@ -53,35 +54,48 @@
|
|||||||
|
|
||||||
<para>If you already have a router on your premises and you simply want
|
<para>If you already have a router on your premises and you simply want
|
||||||
to add a firewall between the router and your local system then you want
|
to add a firewall between the router and your local system then you want
|
||||||
a <ulink url="quick_bridge.html">simple bridge configuration</ulink>.</para>
|
a <ulink url="bridge.html">bridge configuration</ulink>.</para>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
<title>If you have a <emphasis role="bold">single public IP address</emphasis></title>
|
<title>If you have a <emphasis role="bold">single public IP
|
||||||
|
address</emphasis></title>
|
||||||
|
|
||||||
<para>These guides are designed to get your first firewall up and
|
<para>These guides are designed to get your first firewall up and
|
||||||
running quickly in the three most common Shorewall configurations. If
|
running quickly in the three most common Shorewall configurations. If
|
||||||
you want to learn more about Shorewall than is explained in these simple
|
you want to learn more about Shorewall than is explained in these simple
|
||||||
guides then the <ulink url="shorewall_setup_guide.htm">Shorewall Setup
|
guides then the <ulink url="shorewall_setup_guide.htm">Shorewall Setup
|
||||||
Guide</ulink> is for you.<itemizedlist><listitem><para><ulink
|
Guide</ulink> is for you.<itemizedlist>
|
||||||
url="standalone.htm">Standalone</ulink> Linux System (<ulink
|
<listitem>
|
||||||
url="standalone_fr.html">Version Française</ulink>)</para></listitem><listitem><para><ulink
|
<para><ulink url="standalone.htm">Standalone</ulink> Linux System
|
||||||
url="two-interface.htm">Two-interface</ulink> Linux System acting as a
|
(<ulink url="standalone_fr.html">Version Française</ulink>)</para>
|
||||||
firewall/router for a small local network (<ulink
|
</listitem>
|
||||||
url="two-interface_fr.html">Version Française</ulink>)</para></listitem><listitem><para><ulink
|
|
||||||
url="three-interface.htm">Three-interface</ulink> Linux System acting as
|
<listitem>
|
||||||
a firewall/router for a small local network and a DMZ.. (<ulink
|
<para><ulink url="two-interface.htm">Two-interface</ulink> Linux
|
||||||
url="three-interface_fr.html">Version Française</ulink>)</para></listitem></itemizedlist></para>
|
System acting as a firewall/router for a small local network
|
||||||
|
(<ulink url="two-interface_fr.html">Version
|
||||||
|
Française</ulink>)</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para><ulink url="three-interface.htm">Three-interface</ulink>
|
||||||
|
Linux System acting as a firewall/router for a small local network
|
||||||
|
and a DMZ.. (<ulink url="three-interface_fr.html">Version
|
||||||
|
Française</ulink>)</para>
|
||||||
|
</listitem>
|
||||||
|
</itemizedlist></para>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
<title>If you have more than one public IP address</title>
|
<title>If you have more than one public IP address</title>
|
||||||
|
|
||||||
<para>The <ulink url="shorewall_setup_guide.htm">Shorewall Setup Guide</ulink>
|
<para>The <ulink url="shorewall_setup_guide.htm">Shorewall Setup
|
||||||
outlines the steps necessary to set up a firewall where there are
|
Guide</ulink> outlines the steps necessary to set up a firewall where
|
||||||
multiple public IP addresses involved or if you want to learn more about
|
there are multiple public IP addresses involved or if you want to learn
|
||||||
Shorewall than is explained in the single-address guides above (<ulink
|
more about Shorewall than is explained in the single-address guides
|
||||||
url="shorewall_setup_guide_fr.htm">Version Française</ulink>)</para>
|
above (<ulink url="shorewall_setup_guide_fr.htm">Version
|
||||||
|
Française</ulink>)</para>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user