extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-01-03 03:59:16 +01:00
Code Issues Packages Projects Releases Wiki Activity

Some 2.1 Documentation Updates

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1710 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2004-10-23 17:27:42 +00:00
parent e91e189278
commit 584f57cfb0
5 changed files with 407 additions and 169 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

89
Shorewall-docs2/Documentation.xml
View File

@ -2042,7 +2042,7 @@ ACCEPT fw net tcp www</programlisting>
<para>Also new in the Shorewall 2.1 series, the effect of
ADD_SNAT_ALIASES=Yes can be negated for an entry by following the
interface name by ":" but no digit. </para>
interface name by ":" but no digit.</para>
<para>Examples:</para>
@ -2407,7 +2407,7 @@ eth0 eth1 206.124.146.176</programlisting>
<para>Beginning with Shorewall 2.1.1, the effect of
ADD_IP_ALIASES=Yes can be negated for an entry by following the
interface name by ":" but no digit. </para>
interface name by ":" but no digit.</para>
<para>Example:</para>
@ -2490,6 +2490,24 @@ eth0 eth1 206.124.146.176</programlisting>
<para>This file is used to set the following firewall parameters:</para>
<variablelist>
<varlistentry>
<term>STARTUP_ENABLED</term>
<listitem>
<para>(Added at version 2.2.0) - When set to Yes or yes, Shorewall
may be started. Used as guard against Shorewall being accidentally
started before it has been configured.</para>
</listitem>
</varlistentry>
<varlistentry>
<term></term>
<listitem>
<para></para>
</listitem>
</varlistentry>
<varlistentry>
<term>DYNAMIC_ZONES</term>
@ -3023,6 +3041,25 @@ LOGBURST=5</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>RETAIN_ALIASES</term>
<listitem>
<para>(Added in 2.2.0) - During "shorewall start", IP addresses to
be added as a consequence of ADD_IP_ALIASES=Yes and
ADD_SNAT_ALIASES=Yes are quietly deleted when <link
linkend="NAT">/etc/shorewall/nat</link> and <link
linkend="Masq">/etc/shorewall/masq</link> are processed then are
re-added later. This is done to help ensure that the addresses can
be added with the specified labels but can have the undesirable side
effect of causing routes to be quietly deleted. When RETAIN_ALIASES
is set to Yes, existing addresses will not be deleted. Regardless of
the setting of RETAIN_ALIASES, addresses added during "shorewall
start" are still deleted at a subsequent "shorewall stop" or
"shorewall restart".</para>
</listitem>
</varlistentry>
<varlistentry>
<term>LOGUNCLEAN</term>
@ -3573,7 +3610,15 @@ eth1 -</programlisting>
<para>This file is used to identify the Security Associations used to
encrypt traffic to hosts in a zone and to decrypt traffic from hosts in a
zone. Columns are:</para>
zone. Use of this file requires a 2.6 kernel that includes the
IPSEC-Netfilter patches and the policy match patch. Your iptables must
also support policy match. For additional information, see the <ulink
url="IPSEC-2.6.html">Shorewall Kernel 2.6 IPSEC
documentation</ulink>.</para>
<para></para>
<para>Columns are:</para>
<glosslist>
<glossentry>
@ -3609,32 +3654,40 @@ eth1 -</programlisting>
<simplelist>
<member><emphasis
role="bold">proto=ah|esp|ipcomp</emphasis></member>
role="bold">proto[!]=ah|esp|ipcomp</emphasis></member>
<member><emphasis
role="bold">mode=transport|tunnel</emphasis></member>
role="bold">mode[!]=transport|tunnel</emphasis></member>
<member><emphasis
role="bold">reqid=&lt;<emphasis>number</emphasis>&gt;</emphasis>
A number assiged to a security policy using the
role="bold">reqid[!]=&lt;<emphasis>number</emphasis>&gt;</emphasis>
A number assiged to a security policy using the
unique:&lt;number&gt; as the SPD level. See setkey(8).</member>
<member><emphasis
role="bold">tunnel-src=&lt;<emphasis>address</emphasis>&gt;[/&lt;<emphasis>mask</emphasis>&gt;]</emphasis>
role="bold">tunnel-src[!]=&lt;<emphasis>address</emphasis>&gt;[/&lt;<emphasis>mask</emphasis>&gt;]</emphasis>
— Tunnel Source; may only be included with mode=tunnel. Since
tunnel source and destination are dependent on the direction of
the traffic, this option and the following one should only be
included in the IN OPTIONS and OUT OPTIONS columns.</member>
<member><emphasis
role="bold">tunnel-dst=&lt;<emphasis>address</emphasis>&gt;[/&lt;<emphasis>mask</emphasis>&gt;]
role="bold">tunnel-dst[!]=&lt;<emphasis>address</emphasis>&gt;[/&lt;<emphasis>mask</emphasis>&gt;]
</emphasis>— Tunnel Destination; may only be included with
mode=tunnel.</member>
<member><emphasis role="bold">mss</emphasis>=&lt;number&gt; — Sets
the MSS field in TCP syn packets forwarded to/from this zone. May
be used to compensate for the lack of IPSEC pseuo-deviceses with
their own MTU in the 2.6 Kernel IPSEC implementation. If specified
in the IN OPTIONS, TCP SYN packets from the zone will have MSS
altered; if specified in the OUT OPTIONS, TCP SYN packets to the
zone will have MSS altered.</member>
<member><emphasis
role="bold">spi=&lt;<emphasis>number</emphasis>&gt;</emphasis>
The security parameter index of the Security Association. Since a
different SA is used for incoming and outgoing traffic, this
role="bold">spi[!]=&lt;<emphasis>number</emphasis>&gt;</emphasis>
The security parameter index of the Security Association. Since
a different SA is used for incoming and outgoing traffic, this
option should only be listed in the IN OPTIONS and OUT OPTIONS
columns.</member>
@ -3657,10 +3710,20 @@ eth1 -</programlisting>
<title>Revision History</title>
<para><revhistory>
<revision>
<revnumber>1.20</revnumber>
<date>2004-10-22</date>
<authorinitials>TE</authorinitials>
<revremark>Changes for Shorewall 2.2 Beta 1.</revremark>
</revision>
<revision>
<revnumber>1.19</revnumber>
<date>2004-09012</date>
<date>2004-09-12</date>
<authorinitials>TE</authorinitials>

26
Shorewall-docs2/VPN.xml
View File

@ -15,11 +15,13 @@
</author>
</authorgroup>
<pubdate>2002-12-21</pubdate>
<pubdate>2004-10-21</pubdate>
<copyright>
<year>2002</year>
<year>2004</year>
<holder>Thomas M. Eastep</holder>
</copyright>
@ -29,7 +31,8 @@
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
@ -49,10 +52,11 @@
address 192.0.2.224.</para>
<para>If PPTP is being used, there are no firewall requirements beyond the
default loc-&#62;net ACCEPT policy. There is one restriction however: Only
default loc-&gt;net ACCEPT policy. There is one restriction however: Only
one local system at a time can be connected to a single remote gateway
unless you patch your kernel from the <quote>Patch-o-matic</quote> patches
available at <ulink url="http://www.netfilter.org">http://www.netfilter.org</ulink>.</para>
available at <ulink
url="http://www.netfilter.org">http://www.netfilter.org</ulink>.</para>
<para>If IPSEC is being used then only one system may connect to the
remote gateway and there are firewall configuration requirements as
@ -118,7 +122,19 @@
<para>If you want to be able to give access to all of your local systems
to the remote network, you should consider running a VPN client on your
firewall. As starting points, see <ulink url="Documentation.htm#Tunnels">http://www.shorewall.net/Documentation.htm#Tunnels</ulink>
firewall. As starting points, see <ulink
url="Documentation.htm#Tunnels">http://www.shorewall.net/Documentation.htm#Tunnels</ulink>
or <ulink url="PPTP.htm">http://www.shorewall.net/PPTP.htm</ulink>.</para>
<para>Alternatively, you should configure IPSEC to use <firstterm>NAT
Traversal</firstterm> -- Under NAT traversal the IPSEC packets (protocol
50 or 51) are encapsulated in UDP packets with destination port 4500.
Additionally, <firstterm>keep-alive messages</firstterm> are sent
frequently so that NATing gateways between the end-points will retain
their connection-tracking entries. This is the way that I connect to the
HP Intranet and it works flawlessly without anything in Shorewall other
than my ACCEPT loc-&gt;net policy. NAT traversal is available as a patch
for Windows 2K and is a standard feature of Windows XP -- simply select
"</para>
</section>
</article>

400
Shorewall-docs2/configuration_file_basics.xml
View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-04-20</pubdate>
<pubdate>2004-10-22</pubdate>
<copyright>
<year>2001-2004</year>
@ -29,7 +29,8 @@
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
@ -43,64 +44,172 @@
<section id="Files">
<title>Files</title>
<para><itemizedlist><listitem><para><filename>/etc/shorewall/shorewall.conf</filename>
- used to set several firewall parameters.</para></listitem><listitem><para><filename>/etc/shorewall/params</filename>
- use this file to set shell variables that you will expand in other
files.</para></listitem><listitem><para><filename>/etc/shorewall/zones</filename>
- partition the firewall&#39;s view of the world into zones.</para></listitem><listitem><para><filename>/etc/shorewall/policy</filename>
- establishes firewall high-level policy.</para></listitem><listitem><para><filename>/etc/shorewall/interfaces</filename>
- describes the interfaces on the firewall system.</para></listitem><listitem><para><filename>/etc/shorewall/hosts</filename>
- allows defining zones in terms of individual hosts and subnetworks.</para></listitem><listitem><para><filename>/etc/shorewall/masq</filename>
- directs the firewall where to use many-to-one (dynamic) Network Address
Translation (a.k.a. Masquerading) and Source Network Address Translation
(SNAT).</para></listitem><listitem><para><filename>/etc/shorewall/modules</filename>
- directs the firewall to load kernel modules.</para></listitem><listitem><para><filename>/etc/shorewall/rules</filename>
- defines rules that are exceptions to the overall policies established in
/etc/shorewall/policy.</para></listitem><listitem><para><filename>/etc/shorewall/nat</filename>
- defines one-to-one NAT rules.</para></listitem><listitem><para><filename>/etc/shorewall/proxyarp</filename>
- defines use of Proxy ARP.</para></listitem><listitem><para><filename>/etc/shorewall/routestopped</filename>
(Shorewall 1.3.4 and later) - defines hosts accessible when Shorewall is
stopped.</para></listitem><listitem><para><filename>/etc/shorewall/tcrules
</filename>- defines marking of packets for later use by traffic
control/shaping or policy routing.</para></listitem><listitem><para><filename>/etc/shorewall/tos</filename>
- defines rules for setting the TOS field in packet headers.</para></listitem><listitem><para><filename>/etc/shorewall/tunnels</filename>
- defines IPSEC, GRE and IPIP tunnels with end-points on the firewall
system.</para></listitem><listitem><para><filename>/etc/shorewall/blacklist</filename>
- lists blacklisted IP/subnet/MAC addresses.</para></listitem><listitem><para><filename>/etc/shorewall/init</filename>
- commands that you wish to execute at the beginning of a <quote>shorewall
start</quote> or <quote>shorewall restart</quote>.</para></listitem><listitem><para><filename>/etc/shorewall/start</filename>
- commands that you wish to execute at the completion of a <quote>shorewall
start</quote> or <quote>shorewall restart</quote></para></listitem><listitem><para><filename>/etc/shorewall/stop
</filename>- commands that you wish to execute at the beginning of a
<quote>shorewall stop</quote>.</para></listitem><listitem><para><filename>/etc/shorewall/stopped</filename>
- commands that you wish to execute at the completion of a <quote>shorewall
stop</quote>.</para></listitem><listitem><para><filename>/etc/shorewall/ecn</filename>
- disable Explicit Congestion Notification (ECN - RFC 3168) to remote
hosts or networks.</para></listitem><listitem><para><filename>/etc/shorewall/accounting</filename>
- define IP traffic accounting rules</para></listitem><listitem><para><filename>/etc/shorewall/actions</filename>
and <filename>/usr/share/shorewall/action.template</filename> - define
your own actions for rules in /etc/shorewall/rules (shorewall 1.4.9 and
later).</para></listitem><listitem><para><filename>/usr/share/shorewall/actions.std</filename>
- Actions defined by Shorewall.</para></listitem><listitem><para><filename>/usr/share/shorewall/actions.*</filename>
- Details of actions defined by Shorewall.</para></listitem><listitem><para><filename>/usr/share/rfc1918</filename>
— Defines the behavior of the &#39;norfc1918&#39; interface option in
<filename>/etc/shorewall/interfaces</filename>. <emphasis role="bold">If
you need to change this file, copy it to <filename>/etc/shorewall</filename>
and modify the copy</emphasis>.</para></listitem><listitem><para><filename>/usr/share/bogons</filename>
— Defines the behavior of the &#39;nobogons&#39; interface option in
<filename>/etc/shorewall/interfaces</filename>. <emphasis role="bold">If
you need to change this file, copy it to <filename>/etc/shorewall</filename>
and modify the copy</emphasis>.</para></listitem></itemizedlist></para>
<para><itemizedlist>
<listitem>
<para><filename>/etc/shorewall/shorewall.conf</filename> - used to
set several firewall parameters.</para>
</listitem>
<listitem>
<para><filename>/etc/shorewall/params</filename> - use this file to
set shell variables that you will expand in other files.</para>
</listitem>
<listitem>
<para><filename>/etc/shorewall/zones</filename> - partition the
firewall's view of the world into zones.</para>
</listitem>
<listitem>
<para><filename>/etc/shorewall/policy</filename> - establishes
firewall high-level policy.</para>
</listitem>
<listitem>
<para><filename>/etc/shorewall/interfaces</filename> - describes the
interfaces on the firewall system.</para>
</listitem>
<listitem>
<para><filename>/etc/shorewall/hosts</filename> - allows defining
zones in terms of individual hosts and subnetworks.</para>
</listitem>
<listitem>
<para><filename>/etc/shorewall/masq</filename> - directs the
firewall where to use many-to-one (dynamic) Network Address
Translation (a.k.a. Masquerading) and Source Network Address
Translation (SNAT).</para>
</listitem>
<listitem>
<para><filename>/etc/shorewall/modules</filename> - directs the
firewall to load kernel modules.</para>
</listitem>
<listitem>
<para><filename>/etc/shorewall/rules</filename> - defines rules that
are exceptions to the overall policies established in
/etc/shorewall/policy.</para>
</listitem>
<listitem>
<para><filename>/etc/shorewall/nat</filename> - defines one-to-one
NAT rules.</para>
</listitem>
<listitem>
<para><filename>/etc/shorewall/proxyarp</filename> - defines use of
Proxy ARP.</para>
</listitem>
<listitem>
<para><filename>/etc/shorewall/routestopped</filename> (Shorewall
1.3.4 and later) - defines hosts accessible when Shorewall is
stopped.</para>
</listitem>
<listitem>
<para><filename>/etc/shorewall/tcrules </filename>- defines marking
of packets for later use by traffic control/shaping or policy
routing.</para>
</listitem>
<listitem>
<para><filename>/etc/shorewall/tos</filename> - defines rules for
setting the TOS field in packet headers.</para>
</listitem>
<listitem>
<para><filename>/etc/shorewall/tunnels</filename> - defines IPSEC,
GRE and IPIP tunnels with end-points on the firewall system.</para>
</listitem>
<listitem>
<para><filename>/etc/shorewall/blacklist</filename> - lists
blacklisted IP/subnet/MAC addresses.</para>
</listitem>
<listitem>
<para><filename>/etc/shorewall/init</filename> - commands that you
wish to execute at the beginning of a <quote>shorewall start</quote>
or <quote>shorewall restart</quote>.</para>
</listitem>
<listitem>
<para><filename>/etc/shorewall/start</filename> - commands that you
wish to execute at the completion of a <quote>shorewall
start</quote> or <quote>shorewall restart</quote></para>
</listitem>
<listitem>
<para><filename>/etc/shorewall/stop </filename>- commands that you
wish to execute at the beginning of a <quote>shorewall
stop</quote>.</para>
</listitem>
<listitem>
<para><filename>/etc/shorewall/stopped</filename> - commands that
you wish to execute at the completion of a <quote>shorewall
stop</quote>.</para>
</listitem>
<listitem>
<para><filename>/etc/shorewall/ecn</filename> - disable Explicit
Congestion Notification (ECN - RFC 3168) to remote hosts or
networks.</para>
</listitem>
<listitem>
<para><filename>/etc/shorewall/accounting</filename> - define IP
traffic accounting rules</para>
</listitem>
<listitem>
<para><filename>/etc/shorewall/actions</filename> and
<filename>/usr/share/shorewall/action.template</filename> - define
your own actions for rules in /etc/shorewall/rules (shorewall 1.4.9
and later).</para>
</listitem>
<listitem>
<para><filename>/usr/share/shorewall/actions.std</filename> -
Actions defined by Shorewall.</para>
</listitem>
<listitem>
<para><filename>/usr/share/shorewall/actions.*</filename> - Details
of actions defined by Shorewall.</para>
</listitem>
<listitem>
<para><filename>/usr/share/rfc1918</filename> — Defines the behavior
of the 'norfc1918' interface option in
<filename>/etc/shorewall/interfaces</filename>. <emphasis
role="bold">If you need to change this file, copy it to
<filename>/etc/shorewall</filename> and modify the
copy</emphasis>.</para>
</listitem>
<listitem>
<para><filename>/usr/share/bogons</filename> — Defines the behavior
of the 'nobogons' interface option in
<filename>/etc/shorewall/interfaces</filename>. <emphasis
role="bold">If you need to change this file, copy it to
<filename>/etc/shorewall</filename> and modify the
copy</emphasis>.</para>
</listitem>
</itemizedlist></para>
</section>
<section>
<title>Special Note about /etc/shorewall/shorewall.conf</title>
<para>It is a good idea to modify your /etc/shorewall/shorewall.conf file,
even if you just add a comment that says &#34;I modified this file&#34;.
That way, your package manager won&#39;t overwrite the file with future
updated versions. Such overwrites can cause unwanted changes in the
behavior of Shorewall.</para>
even if you just add a comment that says "I modified this file". That way,
your package manager won't overwrite the file with future updated
versions. Such overwrites can cause unwanted changes in the behavior of
Shorewall.</para>
</section>
<section id="Comments">
@ -123,7 +232,8 @@ ACCEPT net fw tcp www #This is an end-of-line comment</program
<title>Line Continuation</title>
<para>You may continue lines in the configuration files using the usual
backslash (<quote>\</quote>) followed immediately by a new line character.</para>
backslash (<quote>\</quote>) followed immediately by a new line
character.</para>
<example>
<title>Line Continuation</title>
@ -144,53 +254,53 @@ smtp,www,pop3,imap #Services running on the firewall</programlisting>
alternate configuration directory if one has been specified for the
command.</para>
<para>INCLUDE&#39;s may be nested to a level of 3 -- further nested
INCLUDE directives are ignored with a warning message.</para>
<para>INCLUDE's may be nested to a level of 3 -- further nested INCLUDE
directives are ignored with a warning message.</para>
<example>
<title>Use of INCLUDE</title>
<programlisting> shorewall/params.mgmt:
&#x00A0;&#x00A0; MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3
&#x00A0;&#x00A0; TIME_SERVERS=4.4.4.4
&#x00A0;&#x00A0; BACKUP_SERVERS=5.5.5.5
&nbsp;&nbsp; MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3
&nbsp;&nbsp; TIME_SERVERS=4.4.4.4
&nbsp;&nbsp; BACKUP_SERVERS=5.5.5.5
&#x00A0;&#x00A0; ----- end params.mgmt -----
&nbsp;&nbsp; ----- end params.mgmt -----
&#x00A0;&#x00A0; shorewall/params:
&nbsp;&nbsp; shorewall/params:
&#x00A0;&#x00A0; # Shorewall 1.3 /etc/shorewall/params
&#x00A0;&#x00A0; [..]
&#x00A0;&#x00A0; #######################################
&#x00A0;
&#x00A0;&#x00A0; INCLUDE params.mgmt&#x00A0;&#x00A0;&#x00A0;
&#x00A0;
&#x00A0;&#x00A0; # params unique to this host here
&#x00A0;&#x00A0; #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
&nbsp;&nbsp; # Shorewall 1.3 /etc/shorewall/params
&nbsp;&nbsp; [..]
&nbsp;&nbsp; #######################################
&nbsp;
&nbsp;&nbsp; INCLUDE params.mgmt&nbsp;&nbsp;&nbsp;
&nbsp;
&nbsp;&nbsp; # params unique to this host here
&nbsp;&nbsp; #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
&#x00A0;&#x00A0; ----- end params -----
&nbsp;&nbsp; ----- end params -----
&#x00A0;&#x00A0; shorewall/rules.mgmt:
&nbsp;&nbsp; shorewall/rules.mgmt:
&#x00A0;&#x00A0; ACCEPT net:$MGMT_SERVERS&#x00A0;&#x00A0;&#x00A0;$FW&#x00A0;&#x00A0;&#x00A0; tcp&#x00A0;&#x00A0;&#x00A0; 22
&#x00A0;&#x00A0; ACCEPT $FW&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0; net:$TIME_SERVERS&#x00A0;&#x00A0;&#x00A0; udp&#x00A0;&#x00A0;&#x00A0; 123
&#x00A0;&#x00A0; ACCEPT $FW&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0; net:$BACKUP_SERVERS&#x00A0; tcp&#x00A0;&#x00A0;&#x00A0; 22
&nbsp;&nbsp; ACCEPT net:$MGMT_SERVERS&nbsp;&nbsp;&nbsp;$FW&nbsp;&nbsp;&nbsp; tcp&nbsp;&nbsp;&nbsp; 22
&nbsp;&nbsp; ACCEPT $FW&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; net:$TIME_SERVERS&nbsp;&nbsp;&nbsp; udp&nbsp;&nbsp;&nbsp; 123
&nbsp;&nbsp; ACCEPT $FW&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; net:$BACKUP_SERVERS&nbsp; tcp&nbsp;&nbsp;&nbsp; 22
&#x00A0;&#x00A0; ----- end rules.mgmt -----
&nbsp;&nbsp; ----- end rules.mgmt -----
&#x00A0;&#x00A0; shorewall/rules:
&nbsp;&nbsp; shorewall/rules:
&#x00A0;&#x00A0; # Shorewall version 1.3 - Rules File
&#x00A0;&#x00A0; [..]
&#x00A0;&#x00A0; #######################################
&#x00A0;
&#x00A0;&#x00A0; INCLUDE rules.mgmt&#x00A0;&#x00A0;&#x00A0;&#x00A0;
&#x00A0;
&#x00A0;&#x00A0; # rules unique to this host here
&#x00A0;&#x00A0; #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
&nbsp;&nbsp; # Shorewall version 1.3 - Rules File
&nbsp;&nbsp; [..]
&nbsp;&nbsp; #######################################
&nbsp;
&nbsp;&nbsp; INCLUDE rules.mgmt&nbsp;&nbsp;&nbsp;&nbsp;
&nbsp;
&nbsp;&nbsp; # rules unique to this host here
&nbsp;&nbsp; #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
&#x00A0;&#x00A0; ----- end rules -----</programlisting>
&nbsp;&nbsp; ----- end rules -----</programlisting>
</example>
</section>
@ -200,46 +310,47 @@ smtp,www,pop3,imap #Services running on the firewall</programlisting>
<caution>
<para>I personally recommend strongly against using DNS names in
Shorewall configuration files. If you use DNS names and you are called
out of bed at 2:00AM because Shorewall won&#39;t start as a result of
DNS problems then don&#39;t say that you were not forewarned.</para>
out of bed at 2:00AM because Shorewall won't start as a result of DNS
problems then don't say that you were not forewarned.</para>
</caution>
<para>Beginning with Shorewall 1.3.9, Host addresses in Shorewall
configuration files may be specified as either IP addresses or DNS Names.</para>
configuration files may be specified as either IP addresses or DNS
Names.</para>
<para>DNS names in iptables rules aren&#39;t nearly as useful as they
first appear. When a DNS name appears in a rule, the iptables utility
resolves the name to one or more IP addresses and inserts those addresses
into the rule. So changes in the DNS-&#62;IP address relationship that
occur after the firewall has started have absolutely no effect on the
firewall&#39;s ruleset.</para>
<para>DNS names in iptables rules aren't nearly as useful as they first
appear. When a DNS name appears in a rule, the iptables utility resolves
the name to one or more IP addresses and inserts those addresses into the
rule. So changes in the DNS-&gt;IP address relationship that occur after
the firewall has started have absolutely no effect on the firewall's
ruleset.</para>
<para>If your firewall rules include DNS names then:</para>
<itemizedlist>
<listitem>
<para>If your <filename>/etc/resolv.conf </filename>is wrong then your
firewall won&#39;t start.</para>
firewall won't start.</para>
</listitem>
<listitem>
<para>If your <filename>/etc/nsswitch.conf</filename> is wrong then
your firewall won&#39;t start.</para>
your firewall won't start.</para>
</listitem>
<listitem>
<para>If your Name Server(s) is(are) down then your firewall won&#39;t
<para>If your Name Server(s) is(are) down then your firewall won't
start.</para>
</listitem>
<listitem>
<para>If your startup scripts try to start your firewall before
starting your DNS server then your firewall won&#39;t start.</para>
starting your DNS server then your firewall won't start.</para>
</listitem>
<listitem>
<para>Factors totally outside your control (your ISP&#39;s router is
down for example), can prevent your firewall from starting.</para>
<para>Factors totally outside your control (your ISP's router is down
for example), can prevent your firewall from starting.</para>
</listitem>
<listitem>
@ -285,7 +396,8 @@ smtp,www,pop3,imap #Services running on the firewall</programlisting>
<itemizedlist>
<listitem>
<para>The server address in a DNAT rule (/etc/shorewall/rules file)</para>
<para>The server address in a DNAT rule (/etc/shorewall/rules
file)</para>
</listitem>
<listitem>
@ -297,7 +409,8 @@ smtp,www,pop3,imap #Services running on the firewall</programlisting>
</listitem>
</itemizedlist>
<para>These restrictions are imposed by Netfilter and not by Shorewall.</para>
<para>These restrictions are imposed by Netfilter and not by
Shorewall.</para>
</section>
<section id="Compliment">
@ -305,8 +418,9 @@ smtp,www,pop3,imap #Services running on the firewall</programlisting>
<para>Where specifying an IP address, a subnet or an interface, you can
precede the item with <quote>!</quote> to specify the complement of the
item. For example, !192.168.1.4 means <quote>any host but 192.168.1.4</quote>.
There must be no white space following the <quote>!</quote>.</para>
item. For example, !192.168.1.4 means <quote>any host but
192.168.1.4</quote>. There must be no white space following the
<quote>!</quote>.</para>
</section>
<section id="Lists">
@ -318,7 +432,7 @@ smtp,www,pop3,imap #Services running on the firewall</programlisting>
<itemizedlist>
<listitem>
<para>Must not have any embedded white space.<programlisting> Valid: routefilter,dhcp,norfc1918
Invalid: routefilter,&#x00A0;&#x00A0;&#x00A0;&#x00A0; dhcp,&#x00A0;&#x00A0;&#x00A0;&#x00A0; norfc1818</programlisting></para>
Invalid: routefilter,&nbsp;&nbsp;&nbsp;&nbsp; dhcp,&nbsp;&nbsp;&nbsp;&nbsp; norfc1818</programlisting></para>
</listitem>
<listitem>
@ -328,11 +442,37 @@ smtp,www,pop3,imap #Services running on the firewall</programlisting>
</listitem>
<listitem>
<para>Entries in a comma-separated list may appear in any order.</para>
<para>Entries in a comma-separated list may appear in any
order.</para>
</listitem>
</itemizedlist>
</section>
<section>
<title>IP Address Ranges</title>
<para>Beginning with Shorewall 2.2.0, if you kernel and iptables have
iprange match support, you may use IP address ranges in Shorewall
configuration file entries; IP address ranges have the syntax
&lt;<emphasis>low IP address</emphasis>&gt;-&lt;<emphasis>high IP
address</emphasis>&gt;. Example: 192.168.1.5-192.168.1.12.</para>
<para>To see if your kernel and iptables have the required support, use
the <command>shorewall check</command> command:</para>
<programlisting>&gt;~ <command>shorewall check</command>
...
Shorewall has detected the following iptables/netfilter capabilities:
NAT: Available
Packet Mangling: Available
Multi-port Match: Available
Connection Tracking Match: Available
Packet Type Match: Not available
Policy Match: Available
Physdev Match: Available
<emphasis role="bold">IP range Match: Available &lt;-------------- </emphasis></programlisting>
</section>
<section id="Ports">
<title>Port Numbers/Service Names</title>
@ -344,8 +484,8 @@ smtp,www,pop3,imap #Services running on the firewall</programlisting>
<title>Port Ranges</title>
<para>If you need to specify a range of ports, the proper syntax is
&#60;low port number&#62;:&#60;high port number&#62;. For example, if you
want to forward the range of tcp ports 4000 through 4100 to local host
&lt;low port number&gt;:&lt;high port number&gt;. For example, if you want
to forward the range of tcp ports 4000 through 4100 to local host
192.168.1.3, the entry in /etc/shorewall/rules is:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORTS(S)
@ -368,22 +508,23 @@ DNAT net loc:192.168.1.3 tcp 4000:4100</programlisting>
<example>
<title>Using Shell Variables</title>
<programlisting>&#x00A0;&#x00A0;&#x00A0; /etc/shorewall/params
<programlisting>&nbsp;&nbsp;&nbsp; /etc/shorewall/params
NET_IF=eth0
NET_BCAST=130.252.100.255
NET_OPTIONS=routefilter,norfc1918
&#x00A0;&#x00A0;&#x00A0; /etc/shorewall/interfaces record:
&nbsp;&nbsp;&nbsp; /etc/shorewall/interfaces record:
net $NET_IF $NET_BCAST $NET_OPTIONS
&#x00A0;&#x00A0;&#x00A0; The result will be the same as if the record had been written
&nbsp;&nbsp;&nbsp; The result will be the same as if the record had been written
net eth0 130.252.100.255 routefilter,norfc1918
</programlisting>
<para>Variables may be used anywhere in the other configuration files.</para>
<para>Variables may be used anywhere in the other configuration
files.</para>
</example>
</section>
@ -407,16 +548,16 @@ DNAT net loc:192.168.1.3 tcp 4000:4100</programlisting>
<example>
<title>MAC Address of an Ethernet Controller</title>
<programlisting> &#x00A0;&#x00A0;&#x00A0;&#x00A0; [root@gateway root]# <command>ifconfig eth0</command>
&#x00A0;&#x00A0;&#x00A0;&#x00A0; eth0 Link encap:Ethernet HWaddr <emphasis
role="bold">02:00:08:E3:FA:55</emphasis>
&#x00A0;&#x00A0;&#x00A0;&#x00A0; inet addr:206.124.146.176 Bcast:206.124.146.255 Mask:255.255.255.0
&#x00A0;&#x00A0;&#x00A0;&#x00A0; UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
&#x00A0;&#x00A0;&#x00A0;&#x00A0; RX packets:2398102 errors:0 dropped:0 overruns:0 frame:0
&#x00A0;&#x00A0;&#x00A0;&#x00A0; TX packets:3044698 errors:0 dropped:0 overruns:0 carrier:0
&#x00A0;&#x00A0;&#x00A0;&#x00A0; collisions:30394 txqueuelen:100
&#x00A0;&#x00A0;&#x00A0;&#x00A0; RX bytes:419871805 (400.4 Mb) TX bytes:1659782221 (1582.8 Mb)
&#x00A0;&#x00A0;&#x00A0;&#x00A0; Interrupt:11 Base address:0x1800
<programlisting> &nbsp;&nbsp;&nbsp;&nbsp; [root@gateway root]# <command>ifconfig eth0</command>
&nbsp;&nbsp;&nbsp;&nbsp; eth0 Link encap:Ethernet HWaddr <emphasis
role="bold">02:00:08:E3:FA:55</emphasis>
&nbsp;&nbsp;&nbsp;&nbsp; inet addr:206.124.146.176 Bcast:206.124.146.255 Mask:255.255.255.0
&nbsp;&nbsp;&nbsp;&nbsp; UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
&nbsp;&nbsp;&nbsp;&nbsp; RX packets:2398102 errors:0 dropped:0 overruns:0 frame:0
&nbsp;&nbsp;&nbsp;&nbsp; TX packets:3044698 errors:0 dropped:0 overruns:0 carrier:0
&nbsp;&nbsp;&nbsp;&nbsp; collisions:30394 txqueuelen:100
&nbsp;&nbsp;&nbsp;&nbsp; RX bytes:419871805 (400.4 Mb) TX bytes:1659782221 (1582.8 Mb)
&nbsp;&nbsp;&nbsp;&nbsp; Interrupt:11 Base address:0x1800
</programlisting>
</example>
@ -424,11 +565,13 @@ role="bold">02:00:08:E3:FA:55</emphasis>
Shorewall requires MAC addresses to be written in another way. In
Shorewall, MAC addresses begin with a tilde (<quote>~</quote>) and consist
of 6 hex numbers separated by hyphens. In Shorewall, the MAC address in
the example above would be written <emphasis role="bold">~02-00-08-E3-FA-55</emphasis>.</para>
the example above would be written <emphasis
role="bold">~02-00-08-E3-FA-55</emphasis>.</para>
<note>
<para>It is not necessary to use the special Shorewall notation in the
<filename><ulink url="MAC_Validation.html">/etc/shorewall/maclist</ulink></filename>
<filename><ulink
url="MAC_Validation.html">/etc/shorewall/maclist</ulink></filename>
file.</para>
</note>
</section>
@ -465,8 +608,9 @@ role="bold">02:00:08:E3:FA:55</emphasis>
</listitem>
</orderedlist>
<para>The <ulink url="starting_and_stopping_shorewall.htm">try command</ulink>
allows you to attempt to restart using an alternate configuration and if
an error occurs to automatically restart the standard configuration.</para>
<para>The <ulink url="starting_and_stopping_shorewall.htm">try
command</ulink> allows you to attempt to restart using an alternate
configuration and if an error occurs to automatically restart the standard
configuration.</para>
</section>
</article>

11
Shorewall-docs2/myfiles.xml
View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-10-16</pubdate>
<pubdate>2004-10-20</pubdate>
<copyright>
<year>2001-2004</year>
@ -741,15 +741,16 @@ WiFi eth1 192.168.3.255 nobogons,blacklist,maclist,routeback
<title>ipsec</title>
<blockquote>
<para>The mss=1400 in the OUT OPTIONS uses a feature added in 2.1.12
and sets the MSS field in forwarded TCP SYN packets from the 'sec'
zone to 1400. This works around a problem whereby ICMP
<para>The mss=1400 in the OUT OPTIONS of the 'net' zone uses a feature
added in 2.1.12 and sets the MSS field in TCP SYN packets forwarded to
the 'net' zone to 1400. This works around a problem whereby ICMP
fragmentation-needed packets are being dropped somewhere between my
main firewall and the IMAP server at my work.</para>
<programlisting>#ZONE IPSEC OPTIONS IN OUT
# ONLY OPTIONS OPTIONS
sec yes mode=tunnel - <emphasis
sec yes mode=tunnel
net no - - <emphasis
role="bold">mss=1400</emphasis>
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
</programlisting>

50
Shorewall-docs2/shorewall_quickstart_guide.xml
View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-06-19</pubdate>
<pubdate>2004-10-22</pubdate>
<copyright>
<year>2001-2004</year>
@ -29,7 +29,8 @@
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
@ -53,35 +54,48 @@
<para>If you already have a router on your premises and you simply want
to add a firewall between the router and your local system then you want
a <ulink url="quick_bridge.html">simple bridge configuration</ulink>.</para>
a <ulink url="bridge.html">bridge configuration</ulink>.</para>
</section>
<section>
<title>If you have a <emphasis role="bold">single public IP address</emphasis></title>
<title>If you have a <emphasis role="bold">single public IP
address</emphasis></title>
<para>These guides are designed to get your first firewall up and
running quickly in the three most common Shorewall configurations. If
you want to learn more about Shorewall than is explained in these simple
guides then the <ulink url="shorewall_setup_guide.htm">Shorewall Setup
Guide</ulink> is for you.<itemizedlist><listitem><para><ulink
url="standalone.htm">Standalone</ulink> Linux System (<ulink
url="standalone_fr.html">Version Française</ulink>)</para></listitem><listitem><para><ulink
url="two-interface.htm">Two-interface</ulink> Linux System acting as a
firewall/router for a small local network (<ulink
url="two-interface_fr.html">Version Française</ulink>)</para></listitem><listitem><para><ulink
url="three-interface.htm">Three-interface</ulink> Linux System acting as
a firewall/router for a small local network and a DMZ.. (<ulink
url="three-interface_fr.html">Version Française</ulink>)</para></listitem></itemizedlist></para>
Guide</ulink> is for you.<itemizedlist>
<listitem>
<para><ulink url="standalone.htm">Standalone</ulink> Linux System
(<ulink url="standalone_fr.html">Version Française</ulink>)</para>
</listitem>
<listitem>
<para><ulink url="two-interface.htm">Two-interface</ulink> Linux
System acting as a firewall/router for a small local network
(<ulink url="two-interface_fr.html">Version
Française</ulink>)</para>
</listitem>
<listitem>
<para><ulink url="three-interface.htm">Three-interface</ulink>
Linux System acting as a firewall/router for a small local network
and a DMZ.. (<ulink url="three-interface_fr.html">Version
Française</ulink>)</para>
</listitem>
</itemizedlist></para>
</section>
<section>
<title>If you have more than one public IP address</title>
<para>The <ulink url="shorewall_setup_guide.htm">Shorewall Setup Guide</ulink>
outlines the steps necessary to set up a firewall where there are
multiple public IP addresses involved or if you want to learn more about
Shorewall than is explained in the single-address guides above (<ulink
url="shorewall_setup_guide_fr.htm">Version Française</ulink>)</para>
<para>The <ulink url="shorewall_setup_guide.htm">Shorewall Setup
Guide</ulink> outlines the steps necessary to set up a firewall where
there are multiple public IP addresses involved or if you want to learn
more about Shorewall than is explained in the single-address guides
above (<ulink url="shorewall_setup_guide_fr.htm">Version
Française</ulink>)</para>
</section>
<section>