extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-05-30 22:45:44 +02:00
Code Issues Packages Projects Releases Wiki Activity

Allow comma-separated list in routestopped file entries; update documentation

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@452 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2003-02-18 01:51:36 +00:00
parent 5fe2bef29e
commit 5c4c7d8f41
4 changed files with 2026 additions and 1872 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

554
STABLE/documentation/Shorewall_Squid_Usage.html
View File

@ -12,125 +12,125 @@
<table cellpadding="0" cellspacing="0" border="0" width="100%" <table cellpadding="0" cellspacing="0" border="0" width="100%"
bgcolor="#400169"> bgcolor="#400169">
<tbody> <tbody>
<tr> <tr>
<td valign="middle" width="33%" bgcolor="#400169"><a <td valign="middle" width="33%" bgcolor="#400169"><a
href="http://www.squid-cache.org/"><img src="images/squidnow.gif" href="http://www.squid-cache.org/"><img src="images/squidnow.gif"
alt="" width="88" height="31" hspace="4"> alt="" width="88" height="31" hspace="4">
</a><br> </a><br>
</td> </td>
<td valign="middle" height="90" align="center" width="34%"><font <td valign="middle" height="90" align="center" width="34%"><font
color="#ffffff"><b><big><big><big><big>Using Shorewall with Squid</big></big></big></big></b></font><br> color="#ffffff"><b><big><big><big><big>Using Shorewall with Squid</big></big></big></big></b></font><br>
</td> </td>
<td valign="middle" height="90" width="33%" align="right"><a <td valign="middle" height="90" width="33%" align="right"><a
href="http://www.squid-cache.org/"><img src="images/cache_now.gif" href="http://www.squid-cache.org/"><img src="images/cache_now.gif"
alt="" width="100" height="31" hspace="4"> alt="" width="100" height="31" hspace="4">
</a><br> </a><br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br> <br>
This page covers Shorewall configuration to use with <a This page covers Shorewall configuration to use with <a
href="http://www.squid-cache.org/">Squid </a>running as a <u><b>Transparent href="http://www.squid-cache.org/">Squid </a>running as a <u><b>Transparent
Proxy</b></u>.&nbsp;<br> Proxy</b></u>.&nbsp;<br>
<a href="#DMZ"></a><br> <a href="#DMZ"></a><br>
<img border="0" src="images/j0213519.gif" width="60" height="60" <img border="0" src="images/j0213519.gif" width="60" height="60"
alt="Caution" align="middle"> alt="Caution" align="middle">
&nbsp;&nbsp;&nbsp; Please observe the following general requirements:<br> &nbsp;&nbsp;&nbsp; Please observe the following general requirements:<br>
<br> <br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13"> <b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
&nbsp;&nbsp;&nbsp; </b>In all cases, Squid should be configured to run &nbsp;&nbsp;&nbsp; </b>In all cases, Squid should be configured to run
as a transparent proxy as described at <a as a transparent proxy as described at <a
href="http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html">http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html</a>.<br> href="http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html">http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html</a>.<br>
<b><br> <b><br>
</b><b><img src="images/BD21298_3.gif" alt="" width="13" height="13"> </b><b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
&nbsp;&nbsp;&nbsp; </b>The following instructions mention the files /etc/shorewall/start &nbsp;&nbsp;&nbsp; </b>The following instructions mention the files /etc/shorewall/start
and /etc/shorewall/init -- if you don't have those files, siimply create and /etc/shorewall/init -- if you don't have those files, siimply create
them.<br> them.<br>
<br> <br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13"> <b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
</b>&nbsp;&nbsp;&nbsp; When the Squid server is in the DMZ zone or in </b>&nbsp;&nbsp;&nbsp; When the Squid server is in the DMZ zone or in
the local zone, that zone must be defined ONLY by its interface -- no /etc/shorewall/hosts the local zone, that zone must be defined ONLY by its interface -- no /etc/shorewall/hosts
file entries. That is because the packets being routed to the Squid server file entries. That is because the packets being routed to the Squid server
still have their original destination IP addresses.<br> still have their original destination IP addresses.<br>
<br> <br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13"> <b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
</b>&nbsp;&nbsp;&nbsp; You must have iproute2 (<i>ip </i>utility) installed </b>&nbsp;&nbsp;&nbsp; You must have iproute2 (<i>ip </i>utility) installed
on your firewall.<br> on your firewall.<br>
<br> <br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13"> <b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
</b>&nbsp;&nbsp;&nbsp; You must have iptables installed on your Squid </b>&nbsp;&nbsp;&nbsp; You must have iptables installed on your Squid
server.<br> server.<br>
<br> <br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13"> <b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
</b>&nbsp;&nbsp;&nbsp; You must have NAT and MANGLE enabled in your /etc/shorewall/conf </b>&nbsp;&nbsp;&nbsp; You must have NAT and MANGLE enabled in your
file<br> /etc/shorewall/conf file<br>
<br> <br>
&nbsp;&nbsp;&nbsp; <b><font color="#009900">&nbsp;&nbsp;&nbsp; NAT_ENABLED=Yes<br> &nbsp;&nbsp;&nbsp; <b><font color="#009900">&nbsp;&nbsp;&nbsp; NAT_ENABLED=Yes<br>
</font></b>&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; <font color="#009900"><b>MANGLE_ENABLED=Yes</b></font><br> </font></b>&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; <font color="#009900"><b>MANGLE_ENABLED=Yes</b></font><br>
<br> <br>
Three different configurations are covered:<br> Three different configurations are covered:<br>
<ol> <ol>
<li><a href="Shorewall_Squid_Usage.html#Firewall">Squid running on the <li><a href="Shorewall_Squid_Usage.html#Firewall">Squid running on
Firewall.</a></li> the Firewall.</a></li>
<li><a href="Shorewall_Squid_Usage.html#Local">Squid running in the <li><a href="Shorewall_Squid_Usage.html#Local">Squid running in the
local network</a></li> local network</a></li>
<li><a href="Shorewall_Squid_Usage.html#DMZ">Squid running in the DMZ</a></li> <li><a href="Shorewall_Squid_Usage.html#DMZ">Squid running in the DMZ</a></li>
</ol> </ol>
<h2><a name="Firewall"></a>Squid Running on the Firewall</h2> <h2><a name="Firewall"></a>Squid Running on the Firewall</h2>
You want to redirect all local www connection requests EXCEPT You want to redirect all local www connection requests EXCEPT
those to your own those to your own
http server (206.124.146.177) http server (206.124.146.177)
to a Squid transparent to a Squid transparent
proxy running on the firewall and listening on port 3128. Squid proxy running on the firewall and listening on port 3128. Squid
will of course require access to remote web servers.<br> will of course require access to remote web servers.<br>
<br> <br>
In /etc/shorewall/rules:<br> In /etc/shorewall/rules:<br>
<br> <br>
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"> <table border="1" cellpadding="2" style="border-collapse: collapse;">
<tbody> <tbody>
<tr> <tr>
<td><b>ACTION</b></td> <td><b>ACTION</b></td>
<td><b>SOURCE</b></td> <td><b>SOURCE</b></td>
<td><b>DEST</b></td> <td><b>DEST</b></td>
<td><b> PROTO</b></td> <td><b> PROTO</b></td>
<td><b>DEST<br> <td><b>DEST<br>
PORT(S)</b></td> PORT(S)</b></td>
<td><b>SOURCE<br> <td><b>SOURCE<br>
PORT(S)</b></td> PORT(S)</b></td>
<td><b>ORIGINAL<br> <td><b>ORIGINAL<br>
DEST</b></td> DEST</b></td>
</tr> </tr>
<tr> <tr>
<td>REDIRECT</td> <td>REDIRECT</td>
<td>loc</td> <td>loc</td>
<td>3128</td> <td>3128</td>
<td>tcp</td> <td>tcp</td>
<td>www</td> <td>www</td>
<td> -<br> <td> -<br>
</td> </td>
<td>!206.124.146.177</td> <td>!206.124.146.177</td>
</tr> </tr>
<tr> <tr>
<td>ACCEPT</td> <td>ACCEPT</td>
<td>fw</td> <td>fw</td>
<td>net</td> <td>net</td>
<td>tcp</td> <td>tcp</td>
<td>www</td> <td>www</td>
<td> <br> <td> <br>
</td> </td>
<td> <br> <td> <br>
</td> </td>
</tr> </tr>
@ -141,75 +141,75 @@ local network</a></li>
</table> </table>
<br> <br>
</blockquote> </blockquote>
<h2><a name="Local"></a>Squid Running in the local network</h2> <h2><a name="Local"></a>Squid Running in the local network</h2>
You want to redirect all local www connection requests to a Squid You want to redirect all local www connection requests to a Squid
transparent proxy transparent proxy
running in your local zone at 192.168.1.3 and listening on port 3128. running in your local zone at 192.168.1.3 and listening on port 3128.
Your local interface is eth1. There may also be a web server running on 192.168.1.3. Your local interface is eth1. There may also be a web server running on
It is assumed that web access is already enabled from the local zone to the 192.168.1.3. It is assumed that web access is already enabled from the local
internet.<br> zone to the internet.<br>
<p><font color="#ff0000"><b>WARNING: </b></font>This setup may conflict with <p><font color="#ff0000"><b>WARNING: </b></font>This setup may conflict with
other aspects of your gateway including but not limited to traffic shaping other aspects of your gateway including but not limited to traffic shaping
and route redirection. For that reason, <b>I don't recommend it</b>.<br> and route redirection. For that reason, <b>I don't recommend it</b>.<br>
</p> </p>
<ul> <ul>
<li>On your firewall system, issue the following command<br> <li>On your firewall system, issue the following command<br>
</li> </li>
</ul> </ul>
<blockquote> <blockquote>
<pre><b><font color="#009900">echo 202 www.out &gt;&gt; /etc/iproute2/rt_tables</font></b><br></pre> <pre><b><font color="#009900">echo 202 www.out &gt;&gt; /etc/iproute2/rt_tables</font></b><br></pre>
</blockquote> </blockquote>
<ul> <ul>
<li>In /etc/shorewall/init, put:<br> <li>In /etc/shorewall/init, put:<br>
</li> </li>
</ul> </ul>
<blockquote> <blockquote>
<pre><b><font color="#009900">if [ -z "`ip rule list | grep www.out`" ] ; then<br> ip rule add fwmark 202 table www.out<br> ip route add default via 192.168.1.3 dev eth1 table www.out<br> ip route flush cache<br> echo 0 &gt; /proc/sys/net/ipv4/conf/eth1/send_redirects<br>fi<br></font></b></pre> <pre><b><font color="#009900">if [ -z "`ip rule list | grep www.out`" ] ; then<br> ip rule add fwmark 202 table www.out<br> ip route add default via 192.168.1.3 dev eth1 table www.out<br> ip route flush cache<br> echo 0 &gt; /proc/sys/net/ipv4/conf/eth1/send_redirects<br>fi<br></font></b></pre>
</blockquote> </blockquote>
<ul> <ul>
<li>In /etc/shorewall/rules:<br> <li>In /etc/shorewall/rules:<br>
<br> <br>
<table border="1" cellpadding="2" style="border-collapse: collapse;"> <table border="1" cellpadding="2" style="border-collapse: collapse;">
<tbody> <tbody>
<tr> <tr>
<td><b>ACTION</b></td> <td><b>ACTION</b></td>
<td><b>SOURCE</b></td> <td><b>SOURCE</b></td>
<td><b>DEST</b></td> <td><b>DEST</b></td>
<td><b> PROTO</b></td> <td><b> PROTO</b></td>
<td><b>DEST<br> <td><b>DEST<br>
PORT(S)</b></td> PORT(S)</b></td>
<td><b>SOURCE<br> <td><b>SOURCE<br>
PORT(S)</b></td> PORT(S)</b></td>
<td><b>ORIGINAL<br> <td><b>ORIGINAL<br>
DEST</b></td> DEST</b></td>
</tr> </tr>
<tr> <tr>
<td>ACCEPT<br> <td>ACCEPT<br>
</td> </td>
<td>loc</td> <td>loc</td>
<td>loc<br> <td>loc<br>
</td> </td>
<td>tcp</td> <td>tcp</td>
<td>www</td> <td>www</td>
<td> <br> <td> <br>
</td> </td>
<td><br> <td><br>
</td> </td>
</tr> </tr>
@ -220,150 +220,114 @@ internet.<br>
</table> </table>
<br> <br>
</li> </li>
<li>Alternativfely, you can have the following policy:<br> <li>Alternativfely, you can have the following policy:<br>
<br> <br>
<table cellpadding="2" cellspacing="0" border="1"> <table cellpadding="2" cellspacing="0" border="1">
<tbody> <tbody>
<tr> <tr>
<td valign="top"><b>SOURCE<br> <td valign="top"><b>SOURCE<br>
</b></td> </b></td>
<td valign="top"><b>DESTINATION<br> <td valign="top"><b>DESTINATION<br>
</b></td> </b></td>
<td valign="top"><b>POLICY<br> <td valign="top"><b>POLICY<br>
</b></td> </b></td>
<td valign="top"><b>LOG LEVEL<br> <td valign="top"><b>LOG LEVEL<br>
</b></td> </b></td>
<td valign="top"><b>BURST PARAMETERS<br> <td valign="top"><b>BURST PARAMETERS<br>
</b></td> </b></td>
</tr> </tr>
<tr> <tr>
<td valign="top">loc<br> <td valign="top">loc<br>
</td> </td>
<td valign="top">loc<br> <td valign="top">loc<br>
</td> </td>
<td valign="top">ACCEPT<br> <td valign="top">ACCEPT<br>
</td> </td>
<td valign="top"><br> <td valign="top"><br>
</td> </td>
<td valign="top"><br> <td valign="top"><br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br> <br>
</li> </li>
<li>In /etc/shorewall/start add:<br> <li>In /etc/shorewall/start add:<br>
</li> </li>
</ul> </ul>
<blockquote> <blockquote>
<pre><font color="#009900"><b>iptables -t mangle -A PREROUTING -i eth1 -s ! 192.168.1.3 -p tcp --dport 80 -j MARK --set-mark 202</b></font><br></pre> <pre><font color="#009900"><b>iptables -t mangle -A PREROUTING -i eth1 -s ! 192.168.1.3 -p tcp --dport 80 -j MARK --set-mark 202</b></font><br></pre>
</blockquote> </blockquote>
<ul> <ul>
<li>On 192.168.1.3, arrange for the following command to be executed <li>On 192.168.1.3, arrange for the following command to be executed
after networking has come up<br> after networking has come up<br>
<pre><b><font color="#009900">iptables -t nat -A PREROUTING -i eth0 -d ! 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 3128</font></b><br></pre> <pre><b><font color="#009900">iptables -t nat -A PREROUTING -i eth0 -d ! 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 3128</font></b><br></pre>
</li> </li>
</ul> </ul>
<blockquote> If you are running RedHat on the server, you can simply execute <blockquote> If you are running RedHat on the server, you can simply execute
the following commands after you have typed the iptables command above:<br> the following commands after you have typed the iptables command above:<br>
</blockquote> </blockquote>
<blockquote> <blockquote>
<blockquote> </blockquote> <blockquote> </blockquote>
<pre><font color="#009900"><b>iptables-save &gt; /etc/sysconfig/iptables</b></font><font <pre><font color="#009900"><b>iptables-save &gt; /etc/sysconfig/iptables</b></font><font
color="#009900"><b><br>chkconfig --level 35 iptables start<br></b></font></pre> color="#009900"><b><br>chkconfig --level 35 iptables start<br></b></font></pre>
</blockquote> </blockquote>
<blockquote> </blockquote> <blockquote> </blockquote>
<h2><a name="DMZ"></a>Squid Running in the DMZ (This is what I do)</h2> <h2><a name="DMZ"></a>Squid Running in the DMZ (This is what I do)</h2>
You have a single Linux system in your DMZ with IP address 192.0.2.177. You have a single Linux system in your DMZ with IP address 192.0.2.177.
You want to run both a web server and Squid on that system. Your DMZ interface You want to run both a web server and Squid on that system. Your DMZ interface
is eth1 and your local interface is eth2.<br> is eth1 and your local interface is eth2.<br>
<ul> <ul>
<li>On your firewall system, issue the following command<br> <li>On your firewall system, issue the following command<br>
</li> </li>
</ul> </ul>
<blockquote> <blockquote>
<pre><font color="#009900"><b>echo 202 www.out &gt;&gt; /etc/iproute2/rt_tables</b></font><br></pre> <pre><font color="#009900"><b>echo 202 www.out &gt;&gt; /etc/iproute2/rt_tables</b></font><br></pre>
</blockquote> </blockquote>
<ul> <ul>
<li>In /etc/shorewall/init, put:<br> <li>In /etc/shorewall/init, put:<br>
</li> </li>
</ul> </ul>
<blockquote> <blockquote>
<pre><font color="#009900"><b>if [ -z "`ip rule list | grep www.out`" ] ; then<br> ip rule add fwmark 202 table www.out<br> ip route add default via 192.0.2.177 dev eth1 table www.out<br> ip route flush cache<br>fi</b></font><br></pre> <pre><font color="#009900"><b>if [ -z "`ip rule list | grep www.out`" ] ; then<br> ip rule add fwmark 202 table www.out<br> ip route add default via 192.0.2.177 dev eth1 table www.out<br> ip route flush cache<br>fi</b></font><br></pre>
</blockquote> </blockquote>
<ul> <ul>
<li>&nbsp;Do<b> one </b>of the following:<br> <li>&nbsp;Do<b> one </b>of the following:<br>
<br> <br>
A) In /etc/shorewall/start add<br> A) In /etc/shorewall/start add<br>
</li> </li>
</ul> </ul>
<blockquote> <blockquote>
<pre><b><font color="#009900"> iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK --set-mark 202</font></b><br></pre> <pre><b><font color="#009900"> iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK --set-mark 202</font></b><br></pre>
</blockquote> </blockquote>
<blockquote>B) Set MARK_IN_FORWARD_CHAIN=No in /etc/shorewall/shorewall.conf <blockquote>B) Set MARK_IN_FORWARD_CHAIN=No in /etc/shorewall/shorewall.conf
and add the following entry in /etc/shorewall/tcrules:<br> and add the following entry in /etc/shorewall/tcrules:<br>
</blockquote> </blockquote>
<blockquote>
<blockquote>
<table cellpadding="2" border="1" cellspacing="0">
<tbody>
<tr>
<td valign="top">MARK<br>
</td>
<td valign="top">SOURCE<br>
</td>
<td valign="top">DESTINATION<br>
</td>
<td valign="top">PROTOCOL<br>
</td>
<td valign="top">PORT<br>
</td>
<td valign="top">CLIENT PORT<br>
</td>
</tr>
<tr>
<td valign="top">202<br>
</td>
<td valign="top">eth2<br>
</td>
<td valign="top">0.0.0.0/0<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">80<br>
</td>
<td valign="top">-<br>
</td>
</tr>
</tbody>
</table>
</blockquote>
C) Run Shorewall 1.3.14 or later and add the following entry in /etc/shorewall/tcrules:<br>
</blockquote>
<blockquote> <blockquote>
<blockquote> <blockquote>
<table cellpadding="2" border="1" cellspacing="0"> <table cellpadding="2" border="1" cellspacing="0">
@ -383,7 +347,7 @@ C) Run Shorewall 1.3.14 or later and add the following entry in /etc/shorewall/t
</td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top">202:P<br> <td valign="top">202<br>
</td> </td>
<td valign="top">eth2<br> <td valign="top">eth2<br>
</td> </td>
@ -400,90 +364,130 @@ C) Run Shorewall 1.3.14 or later and add the following entry in /etc/shorewall/t
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
<br> C) Run Shorewall 1.3.14 or later and add the following entry in /etc/shorewall/tcrules:<br>
</blockquote> </blockquote>
<blockquote>
<blockquote>
<table cellpadding="2" border="1" cellspacing="0">
<tbody>
<tr>
<td valign="top">MARK<br>
</td>
<td valign="top">SOURCE<br>
</td>
<td valign="top">DESTINATION<br>
</td>
<td valign="top">PROTOCOL<br>
</td>
<td valign="top">PORT<br>
</td>
<td valign="top">CLIENT PORT<br>
</td>
</tr>
<tr>
<td valign="top">202:P<br>
</td>
<td valign="top">eth2<br>
</td>
<td valign="top">0.0.0.0/0<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">80<br>
</td>
<td valign="top">-<br>
</td>
</tr>
</tbody>
</table>
</blockquote>
<br>
</blockquote>
<ul> <ul>
<li>In /etc/shorewall/rules, you will need:</li> <li>In /etc/shorewall/rules, you will need:</li>
</ul> </ul>
<blockquote> <blockquote>
<table cellpadding="2" border="1" cellspacing="0"> <table cellpadding="2" border="1" cellspacing="0">
<tbody> <tbody>
<tr> <tr>
<td valign="top">ACTION<br> <td valign="top">ACTION<br>
</td> </td>
<td valign="top">SOURCE<br> <td valign="top">SOURCE<br>
</td> </td>
<td valign="top">DEST<br> <td valign="top">DEST<br>
</td> </td>
<td valign="top">PROTO<br> <td valign="top">PROTO<br>
</td> </td>
<td valign="top">DEST<br> <td valign="top">DEST<br>
PORT(S)<br> PORT(S)<br>
</td> </td>
<td valign="top">CLIENT<br> <td valign="top">CLIENT<br>
PORT(2)<br> PORT(2)<br>
</td> </td>
<td valign="top">ORIGINAL<br> <td valign="top">ORIGINAL<br>
DEST<br> DEST<br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top">ACCEPT<br> <td valign="top">ACCEPT<br>
</td> </td>
<td valign="top">dmz<br> <td valign="top">dmz<br>
</td> </td>
<td valign="top">net<br> <td valign="top">net<br>
</td> </td>
<td valign="top">tcp<br> <td valign="top">tcp<br>
</td> </td>
<td valign="top">80<br> <td valign="top">80<br>
</td> </td>
<td valign="top"><br> <td valign="top"><br>
</td> </td>
<td valign="top"><br> <td valign="top"><br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br> <br>
</blockquote> </blockquote>
<ul> <ul>
<li>On 192.0.2.177 (your Web/Squid server), arrange for the following <li>On 192.0.2.177 (your Web/Squid server), arrange for the following
command to be executed after networking has come up<br> command to be executed after networking has come up<br>
<pre><font color="#009900"><b>iptables -t nat -A PREROUTING -i eth0 -d ! 192.0.2.177 -p tcp --dport 80 -j REDIRECT --to-ports 3128</b></font><br></pre> <pre><font color="#009900"><b>iptables -t nat -A PREROUTING -i eth0 -d ! 192.0.2.177 -p tcp --dport 80 -j REDIRECT --to-ports 3128</b></font><br></pre>
</li> </li>
</ul> </ul>
<blockquote> If you are running RedHat on the server, you can simply execute <blockquote> If you are running RedHat on the server, you can simply execute
the following commands after you have typed the iptables command above:<br> the following commands after you have typed the iptables command above:<br>
</blockquote> </blockquote>
<blockquote> <blockquote>
<blockquote> </blockquote> <blockquote> </blockquote>
<pre><font color="#009900"><b>iptables-save &gt; /etc/sysconfig/iptables</b></font><font <pre><font color="#009900"><b>iptables-save &gt; /etc/sysconfig/iptables</b></font><font
color="#009900"><b><br>chkconfig --level 35 iptables start<br></b></font></pre> color="#009900"><b><br>chkconfig --level 35 iptables start<br></b></font></pre>
</blockquote> </blockquote>
<blockquote> </blockquote> <blockquote> </blockquote>
<p><font size="-1"> Updated 1/23/2003 - <a <p><font size="-1"> Updated 1/23/2003 - <a href="support.htm">Tom Eastep</a>
href="file:///home/teastep/Shorewall-docs/support.htm">Tom Eastep</a> </font></p>
</font></p>
<a <a
href="copyright.htm"><font size="2">Copyright</font> &copy; <font href="copyright.htm"><font size="2">Copyright</font> &copy; <font
size="2">2003 Thomas M. Eastep.</font></a><br> size="2">2003 Thomas M. Eastep.</font></a><br>
<br> <br>
<br> <br>
<br> <br>
<br>
<br> <br>
<br> <br>
</body> </body>

501
STABLE/documentation/errata.htm
View File

@ -8,6 +8,7 @@
<title>Shorewall 1.3 Errata</title> <title>Shorewall 1.3 Errata</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
@ -21,14 +22,14 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1> <h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
@ -37,68 +38,67 @@
<p align="center"> <b><u>IMPORTANT</u></b></p> <p align="center"> <b><u>IMPORTANT</u></b></p>
<ol> <ol>
<li> <li>
<p align="left"> <b><u>I</u>f you use a Windows system to download <p align="left"> <b><u>I</u>f you use a Windows system to download
a corrected script, be sure to run the script through <u> a corrected script, be sure to run the script through <u>
<a href="http://www.megaloman.com/%7Ehany/software/hd2u/" <a href="http://www.megaloman.com/%7Ehany/software/hd2u/"
style="text-decoration: none;"> dos2unix</a></u> after you have moved style="text-decoration: none;"> dos2unix</a></u> after you have moved
it to your Linux system.</b></p> it to your Linux system.</b></p>
</li> </li>
<li> <li>
<p align="left"> <b>If you are installing Shorewall for the <p align="left"> <b>If you are installing Shorewall for the first
first time and plan to use the .tgz and install.sh script, you can time and plan to use the .tgz and install.sh script, you can untar
untar the archive, replace the 'firewall' script in the untarred directory the archive, replace the 'firewall' script in the untarred directory
with the one you downloaded below, and then run install.sh.</b></p> with the one you downloaded below, and then run install.sh.</b></p>
</li> </li>
<li> <li>
<p align="left"> <b>If you are running a Shorewall version earlier <p align="left"> <b>If you are running a Shorewall version earlier
than 1.3.11, when the instructions say to install a corrected firewall than 1.3.11, when the instructions say to install a corrected firewall
script in /etc/shorewall/firewall, /usr/lib/shorewall/firewall script in /etc/shorewall/firewall, /usr/lib/shorewall/firewall
or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to overwrite
overwrite the existing file. DO NOT REMOVE OR RENAME THE OLD the existing file. DO NOT REMOVE OR RENAME THE OLD /etc/shorewall/firewall
/etc/shorewall/firewall or /var/lib/shorewall/firewall before or /var/lib/shorewall/firewall before you do that. /etc/shorewall/firewall
you do that. /etc/shorewall/firewall and /var/lib/shorewall/firewall and /var/lib/shorewall/firewall are symbolic links that point
are symbolic links that point to the 'shorewall' file used by to the 'shorewall' file used by your system initialization scripts
your system initialization scripts to start Shorewall during to start Shorewall during boot. It is that file that must be
boot. It is that file that must be overwritten with the corrected overwritten with the corrected script. Beginning with Shorewall
script. Beginning with Shorewall 1.3.11, you may rename the existing file 1.3.11, you may rename the existing file before copying in the new file.</b></p>
before copying in the new file.</b></p> </li>
</li> <li>
<li>
<p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS <p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW.
For example, do NOT install the 1.3.9a firewall script if you are running For example, do NOT install the 1.3.9a firewall script if you are running
1.3.7c.</font></b><br> 1.3.7c.</font></b><br>
</p> </p>
</li> </li>
</ol> </ol>
<ul> <ul>
<li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li> <li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
<li> <b><a href="#V1.3">Problems <li> <b><a
in Version 1.3</a></b></li> href="#V1.3">Problems in Version 1.3</a></b></li>
<li> <b><a <li> <b><a
href="errata_2.htm">Problems in Version 1.2</a></b></li> href="errata_2.htm">Problems in Version 1.2</a></b></li>
<li> <b><font <li> <b><font
color="#660066"> <a href="errata_1.htm">Problems in Version 1.1</a></font></b></li> color="#660066"> <a href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
<li> <b><font <li> <b><font
color="#660066"><a href="#iptables"> Problem with iptables version 1.2.3 color="#660066"><a href="#iptables"> Problem with iptables version 1.2.3
on RH7.2</a></font></b></li> on RH7.2</a></font></b></li>
<li> <b><a <li> <b><a
href="#Debug">Problems with kernels &gt;= 2.4.18 and href="#Debug">Problems with kernels &gt;= 2.4.18 and RedHat
RedHat iptables</a></b></li> iptables</a></b></li>
<li><b><a href="#SuSE">Problems installing/upgrading <li><b><a href="#SuSE">Problems installing/upgrading
RPM on SuSE</a></b></li> RPM on SuSE</a></b></li>
<li><b><a href="#Multiport">Problems with iptables <li><b><a href="#Multiport">Problems with iptables
version 1.2.7 and MULTIPORT=Yes</a></b></li> version 1.2.7 and MULTIPORT=Yes</a></b></li>
<li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10 and <li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10
NAT</a></b><br> and NAT</a></b><br>
</li> </li>
</ul> </ul>
@ -106,113 +106,127 @@ version 1.2.7 and MULTIPORT=Yes</a></b></li>
<h2 align="left"><a name="V1.3"></a>Problems in Version 1.3</h2> <h2 align="left"><a name="V1.3"></a>Problems in Version 1.3</h2>
<h3>Version 1.3.14</h3>
<ul>
<li>There is an <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.14/rfc1918">updated
rfc1918</a> file that reflects the resent allocation of 222.0.0.0/8 and 223.0.0.0/8.</li>
<li>The documentation for the routestopped file claimed that a comma-separated
list could appear in the second column while the code only supported a single
host or network address. This has been corrected in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.14/firewall">this
firewall script</a> which may be installed in /usr/lib/shorewall as described
above.<br>
</li>
</ul>
<h3>Version 1.3.13</h3> <h3>Version 1.3.13</h3>
<ul> <ul>
<li>The 'shorewall add' command produces an error message referring <li>The 'shorewall add' command produces an error message referring
to 'find_interfaces_by_maclist'.</li> to 'find_interfaces_by_maclist'.</li>
<li>The 'shorewall delete' command can leave behind undeleted rules.</li> <li>The 'shorewall delete' command can leave behind undeleted rules.</li>
<li>The 'shorewall add' command can fail with "iptables: Index of insertion <li>The 'shorewall add' command can fail with "iptables: Index of insertion
too big".<br> too big".<br>
</li> </li>
</ul> </ul>
All three problems are corrected by <a All three problems are corrected by <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.13/firewall">this href="http://www.shorewall.net/pub/shorewall/errata/1.3.13/firewall">this
firewall script</a> which may be installed in /usr/lib/shorewall as described firewall script</a> which may be installed in /usr/lib/shorewall as described
above.<br> above.<br>
<ul> <ul>
<li>VLAN interface names of the form "eth<i>n</i>.<i>m</i>" (e.g., eth0.1) <li>VLAN interface names of the form "eth<i>n</i>.<i>m</i>" (e.g., eth0.1)
are not supported in this version or in 1.3.12. If you need such support, are not supported in this version or in 1.3.12. If you need such support,
post on the users list and I can provide you with a patched version.<br> post on the users list and I can provide you with a patched version.<br>
</li> </li>
</ul> </ul>
<h3>Version 1.3.12</h3> <h3>Version 1.3.12</h3>
<ul> <ul>
<li>If RFC_1918_LOG_LEVEL is set to anything but ULOG, the effect is <li>If RFC_1918_LOG_LEVEL is set to anything but ULOG, the effect
the same as if RFC_1918_LOG_LEVEL=info had been specified. The problem is the same as if RFC_1918_LOG_LEVEL=info had been specified. The problem
is corrected by <a is corrected by <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.12/firewall">this href="http://www.shorewall.net/pub/shorewall/errata/1.3.12/firewall">this
firewall script</a> which may be installed in /usr/lib/shorewall as described firewall script</a> which may be installed in /usr/lib/shorewall as described
above.</li> above.</li>
<li>VLAN interface names of the form "eth<i>n</i>.<i>m</i>" (e.g., eth0.1) <li>VLAN interface names of the form "eth<i>n</i>.<i>m</i>" (e.g., eth0.1)
are not supported in this version or in 1.3.13. If you need such support, are not supported in this version or in 1.3.13. If you need such support,
post on the users list and I can provide you with a patched version.<br> post on the users list and I can provide you with a patched version.<br>
</li> </li>
</ul> </ul>
<h3>Version 1.3.12 LRP</h3> <h3>Version 1.3.12 LRP</h3>
<ul> <ul>
<li>The .lrp was missing the /etc/shorewall/routestopped file -- a <li>The .lrp was missing the /etc/shorewall/routestopped file --
new lrp (shorwall-1.3.12a.lrp) has been released which corrects this problem.<br> a new lrp (shorwall-1.3.12a.lrp) has been released which corrects this
</li> problem.<br>
</li>
</ul> </ul>
<h3>Version 1.3.11a</h3> <h3>Version 1.3.11a</h3>
<ul> <ul>
<li><a <li><a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.11/rfc1918">This href="http://www.shorewall.net/pub/shorewall/errata/1.3.11/rfc1918">This
copy of /etc/shorewall/rfc1918</a> reflects the recent allocation of 82.0.0.0/8.<br> copy of /etc/shorewall/rfc1918</a> reflects the recent allocation of 82.0.0.0/8.<br>
</li> </li>
</ul> </ul>
<h3>Version 1.3.11</h3> <h3>Version 1.3.11</h3>
<ul> <ul>
<li>When installing/upgrading using the .rpm, you may receive <li>When installing/upgrading using the .rpm, you may receive
the following warnings:<br> the following warnings:<br>
<br> <br>
     user teastep does not exist - using root<br>      user teastep does not exist - using root<br>
     group teastep does not exist - using root<br>      group teastep does not exist - using root<br>
<br> <br>
These warnings are harmless and may be ignored. Users downloading These warnings are harmless and may be ignored. Users downloading
the .rpm from shorewall.net or mirrors should no longer see these warnings the .rpm from shorewall.net or mirrors should no longer see these warnings
as the .rpm you will get from there has been corrected.</li> as the .rpm you will get from there has been corrected.</li>
<li>DNAT rules that exclude a source subzone (SOURCE column contains <li>DNAT rules that exclude a source subzone (SOURCE column contains
! followed by a sub-zone list) result in an error message and Shorewall ! followed by a sub-zone list) result in an error message and Shorewall
fails to start.<br> fails to start.<br>
<br> <br>
Install <a Install <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.11/firewall">this href="http://www.shorewall.net/pub/shorewall/errata/1.3.11/firewall">this
corrected script</a> in /usr/lib/shorewall/firewall to correct this problem. corrected script</a> in /usr/lib/shorewall/firewall to correct this problem.
Thanks go to Roger Aich who analyzed this problem and provided a fix.<br> Thanks go to Roger Aich who analyzed this problem and provided a fix.<br>
<br> <br>
This problem is corrected in version 1.3.11a.<br> This problem is corrected in version 1.3.11a.<br>
</li> </li>
</ul> </ul>
<h3>Version 1.3.10</h3> <h3>Version 1.3.10</h3>
<ul> <ul>
<li>If you experience problems connecting to a PPTP server running <li>If you experience problems connecting to a PPTP server
on your firewall and you have a 'pptpserver' entry in /etc/shorewall/tunnels, running on your firewall and you have a 'pptpserver' entry in /etc/shorewall/tunnels,
<a <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.10/firewall">this href="http://www.shorewall.net/pub/shorewall/errata/1.3.10/firewall">this
version of the firewall script</a> may help. Please report any cases version of the firewall script</a> may help. Please report any cases
where installing this script in /usr/lib/shorewall/firewall solved your where installing this script in /usr/lib/shorewall/firewall solved your
connection problems. Beginning with version 1.3.10, it is safe to save connection problems. Beginning with version 1.3.10, it is safe to save
the old version of /usr/lib/shorewall/firewall before copying in the the old version of /usr/lib/shorewall/firewall before copying in the new
new one since /usr/lib/shorewall/firewall is the real script now and one since /usr/lib/shorewall/firewall is the real script now and not
not just a symbolic link to the real script.<br> just a symbolic link to the real script.<br>
</li> </li>
</ul> </ul>
<h3>Version 1.3.9a</h3> <h3>Version 1.3.9a</h3>
<ul> <ul>
<li> If entries are used in /etc/shorewall/hosts and MERGE_HOSTS=No <li> If entries are used in /etc/shorewall/hosts and MERGE_HOSTS=No
then the following message appears during "shorewall [re]start":</li> then the following message appears during "shorewall [re]start":</li>
</ul> </ul>
@ -221,108 +235,106 @@ not just a symbolic link to the real script.<br>
<blockquote> The updated firewall script at <a <blockquote> The updated firewall script at <a
href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall" href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a> target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
corrects this problem.Copy the script to /usr/lib/shorewall/firewall corrects this problem.Copy the script to /usr/lib/shorewall/firewall
as described above.<br> as described above.<br>
</blockquote> </blockquote>
<blockquote> Alternatively, edit /usr/lob/shorewall/firewall and change the <blockquote> Alternatively, edit /usr/lob/shorewall/firewall and change the
single occurence (line 483 in version 1.3.9a) of 'recalculate_interefacess' single occurence (line 483 in version 1.3.9a) of 'recalculate_interefacess'
to 'recalculate_interface'. <br> to 'recalculate_interface'. <br>
</blockquote> </blockquote>
<ul> <ul>
<li>The installer (install.sh) issues a misleading message <li>The installer (install.sh) issues a misleading message
"Common functions installed in /var/lib/shorewall/functions" whereas "Common functions installed in /var/lib/shorewall/functions" whereas
the file is installed in /usr/lib/shorewall/functions. The installer the file is installed in /usr/lib/shorewall/functions. The installer also
also performs incorrectly when updating old configurations that had the performs incorrectly when updating old configurations that had the file
file /etc/shorewall/functions. <a /etc/shorewall/functions. <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.3.9/install.sh">Here href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.3.9/install.sh">Here
is an updated version that corrects these problems.<br> is an updated version that corrects these problems.<br>
</a></li> </a></li>
</ul> </ul>
<h3>Version 1.3.9</h3> <h3>Version 1.3.9</h3>
<b>TUNNELS Broken in 1.3.9!!! </b>There is an updated firewall <b>TUNNELS Broken in 1.3.9!!! </b>There is an updated firewall
script at <a script at <a
href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall" href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a> target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
-- copy that file to /usr/lib/shorewall/firewall as described above.<br> -- copy that file to /usr/lib/shorewall/firewall as described above.<br>
<br> <br>
Version 1.3.8 Version 1.3.8
<ul> <ul>
<li> Use of shell variables in the LOG LEVEL or SYNPARMS <li> Use of shell variables in the LOG LEVEL or SYNPARMS
columns of the policy file doesn't work.</li> columns of the policy file doesn't work.</li>
<li>A DNAT rule with the same original and new IP addresses <li>A DNAT rule with the same original and new IP addresses
but with different port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24 but with different port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24
tcp 25 - 10.1.1.1")<br> tcp 25 - 10.1.1.1")<br>
</li> </li>
</ul> </ul>
Installing <a Installing <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.8/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.8/firewall">
this corrected firewall script</a> in /var/lib/shorewall/firewall this corrected firewall script</a> in /var/lib/shorewall/firewall
as described above corrects these as described above corrects these
problems. problems.
<h3>Version 1.3.7b</h3> <h3>Version 1.3.7b</h3>
<p>DNAT rules where the source zone is 'fw' ($FW) <p>DNAT rules where the source zone is 'fw' ($FW)
result in an error message. Installing result in an error message. Installing
<a <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
this corrected firewall script</a> in /var/lib/shorewall/firewall this corrected firewall script</a> in /var/lib/shorewall/firewall
as described above corrects this as described above corrects this problem.</p>
problem.</p>
<h3>Version 1.3.7a</h3> <h3>Version 1.3.7a</h3>
<p>"shorewall refresh" is not creating the proper <p>"shorewall refresh" is not creating the proper
rule for FORWARDPING=Yes. Consequently, after rule for FORWARDPING=Yes. Consequently, after
"shorewall refresh", the firewall will not forward "shorewall refresh", the firewall will not forward
icmp echo-request (ping) packets. Installing icmp echo-request (ping) packets. Installing
<a <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
this corrected firewall script</a> in /var/lib/shorewall/firewall this corrected firewall script</a> in /var/lib/shorewall/firewall
as described above corrects this as described above corrects this problem.</p>
problem.</p>
<h3>Version &lt;= 1.3.7a</h3> <h3>Version &lt;= 1.3.7a</h3>
<p>If "norfc1918" and "dhcp" are both specified as <p>If "norfc1918" and "dhcp" are both specified as
options on a given interface then RFC 1918 options on a given interface then RFC 1918
checking is occurring before DHCP checking. This checking is occurring before DHCP checking. This
means that if a DHCP client broadcasts using an means that if a DHCP client broadcasts using an
RFC 1918 source address, then the firewall will RFC 1918 source address, then the firewall will
reject the broadcast (usually logging it). This reject the broadcast (usually logging it). This
has two problems:</p> has two problems:</p>
<ol> <ol>
<li>If the firewall is <li>If the firewall is
running a DHCP server, the client running a DHCP server, the client
won't be able to obtain an IP address won't be able to obtain an IP address
lease from that server.</li> lease from that server.</li>
<li>With this order of <li>With this order of
checking, the "dhcp" option cannot checking, the "dhcp" option cannot
be used as a noise-reduction measure be used as a noise-reduction measure
where there are both dynamic and static where there are both dynamic and static
clients on a LAN segment.</li> clients on a LAN segment.</li>
</ol> </ol>
<p> <a <p> <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
This version of the 1.3.7a firewall script </a> This version of the 1.3.7a firewall script </a>
corrects the problem. It must be installed corrects the problem. It must be
in /var/lib/shorewall as described installed in /var/lib/shorewall as
above.</p> described above.</p>
<h3>Version 1.3.7</h3> <h3>Version 1.3.7</h3>
<p>Version 1.3.7 dead on arrival -- please use <p>Version 1.3.7 dead on arrival -- please use
version 1.3.7a and check your version against version 1.3.7a and check your version against
these md5sums -- if there's a difference, please these md5sums -- if there's a difference, please
download again.</p> download again.</p>
<pre> d2fffb7fb99bcc6cb047ea34db1df10 shorewall-1.3.7a.tgz<br> 6a7fd284c8685b2b471a2f47b469fb94 shorewall-1.3.7a-1.noarch.rpm<br> 3decd14296effcff16853106771f7035 shorwall-1.3.7a.lrp</pre> <pre> d2fffb7fb99bcc6cb047ea34db1df10 shorewall-1.3.7a.tgz<br> 6a7fd284c8685b2b471a2f47b469fb94 shorewall-1.3.7a-1.noarch.rpm<br> 3decd14296effcff16853106771f7035 shorwall-1.3.7a.lrp</pre>
@ -335,55 +347,56 @@ where there are both dynamic and static
<h3 align="left">Version 1.3.6</h3> <h3 align="left">Version 1.3.6</h3>
<ul> <ul>
<li> <li>
<p align="left">If ADD_SNAT_ALIASES=Yes is specified in /etc/shorewall/shorewall.conf, <p align="left">If ADD_SNAT_ALIASES=Yes is specified in /etc/shorewall/shorewall.conf,
an error occurs when the firewall script attempts to an error occurs when the firewall script attempts to add
add an SNAT alias. </p> an SNAT alias. </p>
</li> </li>
<li> <li>
<p align="left">The <b>logunclean </b>and <b>dropunclean</b> options <p align="left">The <b>logunclean </b>and <b>dropunclean</b> options
cause errors during startup when Shorewall is run with iptables cause errors during startup when Shorewall is run with iptables
1.2.7. </p> 1.2.7. </p>
</li> </li>
</ul> </ul>
<p align="left">These problems are fixed in <a <p align="left">These problems are fixed in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
this correct firewall script</a> which must be installed in this correct firewall script</a> which must be installed in
/var/lib/shorewall/ as described above. These problems are also /var/lib/shorewall/ as described above. These problems are also
corrected in version 1.3.7.</p> corrected in version 1.3.7.</p>
<h3 align="left">Two-interface Samples 1.3.6 (file two-interfaces.tgz)</h3> <h3 align="left">Two-interface Samples 1.3.6 (file two-interfaces.tgz)</h3>
<p align="left">A line was inadvertently deleted from the "interfaces <p align="left">A line was inadvertently deleted from the "interfaces
file" -- this line should be added back in if the version that you file" -- this line should be added back in if the version that you
downloaded is missing it:</p> downloaded is missing it:</p>
<p align="left">net    eth0    detect    routefilter,dhcp,norfc1918</p> <p align="left">net    eth0    detect    routefilter,dhcp,norfc1918</p>
<p align="left">If you downloaded two-interfaces-a.tgz then the above <p align="left">If you downloaded two-interfaces-a.tgz then the above
line should already be in the file.</p> line should already be in the file.</p>
<h3 align="left">Version 1.3.5-1.3.5b</h3> <h3 align="left">Version 1.3.5-1.3.5b</h3>
<p align="left">The new 'proxyarp' interface option doesn't work :-( <p align="left">The new 'proxyarp' interface option doesn't work :-(
This is fixed in <a This is fixed in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">
this corrected firewall script</a> which must be installed in this corrected firewall script</a> which must be installed in
/var/lib/shorewall/ as described above.</p> /var/lib/shorewall/ as described above.</p>
<h3 align="left">Versions 1.3.4-1.3.5a</h3> <h3 align="left">Versions 1.3.4-1.3.5a</h3>
<p align="left">Prior to version 1.3.4, host file entries such as the <p align="left">Prior to version 1.3.4, host file entries such as the
following were allowed:</p> following were allowed:</p>
<div align="left"> <div align="left">
<pre> adm eth0:1.2.4.5,eth0:5.6.7.8</pre> <pre> adm eth0:1.2.4.5,eth0:5.6.7.8</pre>
</div> </div>
<div align="left"> <div align="left">
<p align="left">That capability was lost in version 1.3.4 so that it is only <p align="left">That capability was lost in version 1.3.4 so that it is only
@ -392,121 +405,120 @@ add an SNAT alias. </p>
href="http://www.shorewall.net/pub/shorewall/errata/1.3.5a/firewall">this href="http://www.shorewall.net/pub/shorewall/errata/1.3.5a/firewall">this
modified 1.3.5a firewall script</a>. Install the script in /var/lib/pub/shorewall/firewall modified 1.3.5a firewall script</a>. Install the script in /var/lib/pub/shorewall/firewall
as instructed above.</p> as instructed above.</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left">This problem is corrected in version 1.3.5b.</p> <p align="left">This problem is corrected in version 1.3.5b.</p>
</div> </div>
<h3 align="left">Version 1.3.5</h3> <h3 align="left">Version 1.3.5</h3>
<p align="left">REDIRECT rules are broken in this version. Install <p align="left">REDIRECT rules are broken in this version. Install
<a <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">
this corrected firewall script</a> in /var/lib/pub/shorewall/firewall this corrected firewall script</a> in /var/lib/pub/shorewall/firewall
as instructed above. This problem is corrected in version as instructed above. This problem is corrected in version
1.3.5a.</p> 1.3.5a.</p>
<h3 align="left">Version 1.3.n, n &lt; 4</h3> <h3 align="left">Version 1.3.n, n &lt; 4</h3>
<p align="left">The "shorewall start" and "shorewall restart" commands <p align="left">The "shorewall start" and "shorewall restart" commands
to not verify that the zones named in the /etc/shorewall/policy to not verify that the zones named in the /etc/shorewall/policy file
file have been previously defined in the /etc/shorewall/zones have been previously defined in the /etc/shorewall/zones file.
file. The "shorewall check" command does perform this verification The "shorewall check" command does perform this verification so
so it's a good idea to run that command after you have made configuration it's a good idea to run that command after you have made configuration
changes.</p> changes.</p>
<h3 align="left">Version 1.3.n, n &lt; 3</h3> <h3 align="left">Version 1.3.n, n &lt; 3</h3>
<p align="left">If you have upgraded from Shorewall 1.2 and after <p align="left">If you have upgraded from Shorewall 1.2 and after
"Activating rules..." you see the message: "iptables: No chains/target/match "Activating rules..." you see the message: "iptables: No chains/target/match
by that name" then you probably have an entry in /etc/shorewall/hosts by that name" then you probably have an entry in /etc/shorewall/hosts
that specifies an interface that you didn't include in that specifies an interface that you didn't include in
/etc/shorewall/interfaces. To correct this problem, you /etc/shorewall/interfaces. To correct this problem, you
must add an entry to /etc/shorewall/interfaces. Shorewall 1.3.3 must add an entry to /etc/shorewall/interfaces. Shorewall 1.3.3 and
and later versions produce a clearer error message in this later versions produce a clearer error message in this case.</p>
case.</p>
<h3 align="left">Version 1.3.2</h3> <h3 align="left">Version 1.3.2</h3>
<p align="left">Until approximately 2130 GMT on 17 June 2002, the <p align="left">Until approximately 2130 GMT on 17 June 2002, the
download sites contained an incorrect version of the .lrp file. That download sites contained an incorrect version of the .lrp file. That
file can be identified by its size (56284 bytes). The correct file can be identified by its size (56284 bytes). The correct version
version has a size of 38126 bytes.</p> has a size of 38126 bytes.</p>
<ul> <ul>
<li>The code to detect a duplicate interface <li>The code to detect a duplicate interface
entry in /etc/shorewall/interfaces contained a typo that prevented entry in /etc/shorewall/interfaces contained a typo that
it from working correctly. </li> prevented it from working correctly. </li>
<li>"NAT_BEFORE_RULES=No" was broken; it behaved <li>"NAT_BEFORE_RULES=No" was broken; it
just like "NAT_BEFORE_RULES=Yes".</li> behaved just like "NAT_BEFORE_RULES=Yes".</li>
</ul> </ul>
<p align="left">Both problems are corrected in <a <p align="left">Both problems are corrected in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/firewall">
this script</a> which should be installed in <b><u>/var/lib/shorewall</u></b> this script</a> which should be installed in <b><u>/var/lib/shorewall</u></b>
as described above.</p> as described above.</p>
<ul> <ul>
<li> <li>
<p align="left">The IANA have just announced the allocation of subnet <p align="left">The IANA have just announced the allocation of subnet
221.0.0.0/8. This <a 221.0.0.0/8. This <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/rfc1918"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/rfc1918">
updated rfc1918</a> file reflects that allocation.</p> updated rfc1918</a> file reflects that allocation.</p>
</li> </li>
</ul> </ul>
<h3 align="left">Version 1.3.1</h3> <h3 align="left">Version 1.3.1</h3>
<ul> <ul>
<li>TCP SYN packets may be double counted <li>TCP SYN packets may be double counted
when LIMIT:BURST is included in a CONTINUE or ACCEPT policy when LIMIT:BURST is included in a CONTINUE or ACCEPT policy
(i.e., each packet is sent through the limit chain twice).</li> (i.e., each packet is sent through the limit chain twice).</li>
<li>An unnecessary jump to the policy chain <li>An unnecessary jump to the policy chain
is sometimes generated for a CONTINUE policy.</li> is sometimes generated for a CONTINUE policy.</li>
<li>When an option is given for more than <li>When an option is given for more than
one interface in /etc/shorewall/interfaces then depending one interface in /etc/shorewall/interfaces then depending
on the option, Shorewall may ignore all but the first on the option, Shorewall may ignore all but the first
appearence of the option. For example:<br> appearence of the option. For example:<br>
<br> <br>
net    eth0    dhcp<br> net    eth0    dhcp<br>
loc    eth1    dhcp<br> loc    eth1    dhcp<br>
<br> <br>
Shorewall will ignore the 'dhcp' on eth1.</li> Shorewall will ignore the 'dhcp' on eth1.</li>
<li>Update 17 June 2002 - The bug described <li>Update 17 June 2002 - The bug described
in the prior bullet affects the following options: dhcp, in the prior bullet affects the following options: dhcp,
dropunclean, logunclean, norfc1918, routefilter, multi, dropunclean, logunclean, norfc1918, routefilter, multi,
filterping and noping. An additional bug has been found filterping and noping. An additional bug has been found
that affects only the 'routestopped' option.<br> that affects only the 'routestopped' option.<br>
<br> <br>
Users who downloaded the corrected script Users who downloaded the corrected script
prior to 1850 GMT today should download and install prior to 1850 GMT today should download and install the
the corrected script again to ensure that this second corrected script again to ensure that this second problem
problem is corrected.</li> is corrected.</li>
</ul> </ul>
<p align="left">These problems are corrected in <a <p align="left">These problems are corrected in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.1/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.1/firewall">
this firewall script</a> which should be installed in /etc/shorewall/firewall this firewall script</a> which should be installed in /etc/shorewall/firewall
as described above.</p> as described above.</p>
<h3 align="left">Version 1.3.0</h3> <h3 align="left">Version 1.3.0</h3>
<ul> <ul>
<li>Folks who downloaded 1.3.0 from the links <li>Folks who downloaded 1.3.0 from the links
on the download page before 23:40 GMT, 29 May 2002 may on the download page before 23:40 GMT, 29 May 2002 may
have downloaded 1.2.13 rather than 1.3.0. The "shorewall have downloaded 1.2.13 rather than 1.3.0. The "shorewall
version" command will tell you which version that you version" command will tell you which version that you
have installed.</li> have installed.</li>
<li>The documentation NAT.htm file uses non-existent <li>The documentation NAT.htm file uses non-existent
wallpaper and bullet graphic files. The <a wallpaper and bullet graphic files. The <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.0/NAT.htm"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.0/NAT.htm">
corrected version is here</a>.</li> corrected version is here</a>.</li>
</ul> </ul>
@ -523,51 +535,51 @@ problem is corrected.</li>
<blockquote> <blockquote>
<p align="left">There are a couple of serious bugs in iptables 1.2.3 that <p align="left">There are a couple of serious bugs in iptables 1.2.3 that
prevent it from working with Shorewall. Regrettably, RedHat prevent it from working with Shorewall. Regrettably, RedHat
released this buggy iptables in RedHat 7.2. </p> released this buggy iptables in RedHat 7.2. </p>
<p align="left"> I have built a <a <p align="left"> I have built a <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm"> href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
corrected 1.2.3 rpm which you can download here</a>  and I have corrected 1.2.3 rpm which you can download here</a>  and I have
also built an <a also built an <a
href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm"> href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
iptables-1.2.4 rpm which you can download here</a>. If you are currently iptables-1.2.4 rpm which you can download here</a>. If you are currently
running RedHat 7.1, you can install either of these RPMs running RedHat 7.1, you can install either of these RPMs
<b><u>before</u> </b>you upgrade to RedHat 7.2.</p> <b><u>before</u> </b>you upgrade to RedHat 7.2.</p>
<p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat <p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat
has released an iptables-1.2.4 RPM of their own which you can has released an iptables-1.2.4 RPM of their own which you can download
download from<font color="#ff6633"> <a from<font color="#ff6633"> <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>. href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
</font>I have installed this RPM on my firewall and it works </font>I have installed this RPM on my firewall and it works
fine.</p> fine.</p>
<p align="left">If you would like to patch iptables 1.2.3 yourself, <p align="left">If you would like to patch iptables 1.2.3 yourself,
the patches are available for download. This <a the patches are available for download. This <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a> href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
which corrects a problem with parsing of the --log-level specification which corrects a problem with parsing of the --log-level specification
while this <a while this <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a> href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
corrects a problem in handling the  TOS target.</p> corrects a problem in handling the  TOS target.</p>
<p align="left">To install one of the above patches:</p> <p align="left">To install one of the above patches:</p>
<ul> <ul>
<li>cd iptables-1.2.3/extensions</li> <li>cd iptables-1.2.3/extensions</li>
<li>patch -p0 &lt; <i>the-patch-file</i></li> <li>patch -p0 &lt; <i>the-patch-file</i></li>
</ul> </ul>
</blockquote> </blockquote>
<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18 <h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18
and RedHat iptables</h3> and RedHat iptables</h3>
<blockquote> <blockquote>
<p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19 <p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19
@ -577,74 +589,75 @@ fine.</p>
<blockquote> <blockquote>
<pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre> <pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre>
</blockquote> </blockquote>
<p>The RedHat iptables RPM is compiled with debugging enabled but the <p>The RedHat iptables RPM is compiled with debugging enabled but the
user-space debugging code was not updated to reflect recent changes in user-space debugging code was not updated to reflect recent changes in
the Netfilter 'mangle' table. You can correct the problem by the Netfilter 'mangle' table. You can correct the problem by
installing <a installing <a
href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm"> href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
this iptables RPM</a>. If you are already running a 1.2.5 version this iptables RPM</a>. If you are already running a 1.2.5 version
of iptables, you will need to specify the --oldpackage option to of iptables, you will need to specify the --oldpackage option
rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p> to rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
</blockquote> </blockquote>
<h3><a name="SuSE"></a>Problems installing/upgrading <h3><a name="SuSE"></a>Problems installing/upgrading
RPM on SuSE</h3> RPM on SuSE</h3>
<p>If you find that rpm complains about a conflict <p>If you find that rpm complains about a conflict
with kernel &lt;= 2.2 yet you have a 2.4 kernel with kernel &lt;= 2.2 yet you have a 2.4 kernel
installed, simply use the "--nodeps" option to installed, simply use the "--nodeps" option to
rpm.</p> rpm.</p>
<p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p> <p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<p>Upgrading: rpm -Uvh --nodeps <i>&lt;shorewall rpm&gt;</i></p> <p>Upgrading: rpm -Uvh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<h3><a name="Multiport"></a><b>Problems with <h3><a name="Multiport"></a><b>Problems with
iptables version 1.2.7 and MULTIPORT=Yes</b></h3> iptables version 1.2.7 and MULTIPORT=Yes</b></h3>
<p>The iptables 1.2.7 release of iptables has made <p>The iptables 1.2.7 release of iptables has made
an incompatible change to the syntax used to an incompatible change to the syntax used to
specify multiport match rules; as a consequence, specify multiport match rules; as a consequence,
if you install iptables 1.2.7 you must be running if you install iptables 1.2.7 you must be running
Shorewall 1.3.7a or later or:</p> Shorewall 1.3.7a or later or:</p>
<ul> <ul>
<li>set MULTIPORT=No in <li>set MULTIPORT=No
/etc/shorewall/shorewall.conf; or </li> in /etc/shorewall/shorewall.conf; or </li>
<li>if you are running <li>if you are running
Shorewall 1.3.6 you may install Shorewall 1.3.6 you may install
<a <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
this firewall script</a> in /var/lib/shorewall/firewall this firewall script</a> in /var/lib/shorewall/firewall
as described above.</li> as described above.</li>
</ul> </ul>
<h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br> <h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br>
</h3> </h3>
/etc/shorewall/nat entries of the following form will result /etc/shorewall/nat entries of the following form will result
in Shorewall being unable to start:<br> in Shorewall being unable to start:<br>
<br> <br>
<pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22    eth0    192.168.9.22   yes     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre> <pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22    eth0    192.168.9.22   yes     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
Error message is:<br> Error message is:<br>
<pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre> <pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
The solution is to put "no" in the LOCAL column. Kernel support The solution is to put "no" in the LOCAL column. Kernel support
for LOCAL=yes has never worked properly and 2.4.18-10 has disabled it. for LOCAL=yes has never worked properly and 2.4.18-10 has disabled
The 2.4.19 kernel contains corrected support under a new kernel configuraiton it. The 2.4.19 kernel contains corrected support under a new kernel
option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br> configuraiton option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
<p><font size="2"> Last updated 2/8/2003 - <p><font size="2"> Last updated 2/17/2003 -
<a href="support.htm">Tom Eastep</a></font> </p> <a href="support.htm">Tom Eastep</a></font> </p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p> </p>
<br>
<br> <br>
<br> <br>
<br> <br>

1903
STABLE/documentation/three-interface_fr.html
View File

File diff suppressed because it is too large Load Diff

6
STABLE/firewall
View File

@ -1281,8 +1281,10 @@ stop_firewall() {
while read interface host; do while read interface host; do
expandv interface host expandv interface host
[ "x$host" = "x-" ] && host= [ "x$host" = "x-" ] && host=0.0.0.0/0
hosts="$hosts $interface:${host:-0.0.0.0/0}" for h in `separate_list $host`; do
hosts="$hosts $interface:$h"
done
done < $TMP_DIR/routestopped done < $TMP_DIR/routestopped
for host in $hosts; do for host in $hosts; do