extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2024-11-15 04:04:10 +01:00
Code Issues Packages Projects Releases Wiki Activity

Shorewall-1.4.6 Beta 1

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@628 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2003-07-04 16:41:22 +00:00
parent e4fe73b53a
commit 5e73f39c5a
22 changed files with 14258 additions and 13921 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6188
Shorewall-docs/Documentation.htm
View File

File diff suppressed because it is too large Load Diff

2421
Shorewall-docs/FAQ.htm
View File

File diff suppressed because it is too large Load Diff

195
Shorewall-docs/MAC_Validation.html
View File

@ -2,116 +2,119 @@
<html>
<head>
<title>MAC Verification</title>
<meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"
bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">MAC Verification</font><br>
</h1>
<br>
</td>
</tr>
</tbody>
</h1>
<br>
</td>
</tr>
</tbody>
</table>
<br>
All traffic from an interface or from a subnet on an interface
can be verified to originate from a defined set of MAC addresses. Furthermore,
each MAC address may be optionally associated with one or more IP addresses.
<br>
All traffic from an interface or from a subnet on an interface
can be verified to originate from a defined set of MAC addresses. Furthermore,
each MAC address may be optionally associated with one or more IP addresses.
<br>
<br>
<b>Your kernel must include MAC match support (CONFIG_IP_NF_MATCH_MAC
<br>
<b>Your kernel must include MAC match support (CONFIG_IP_NF_MATCH_MAC
- module name ipt_mac.o).</b><br>
<br>
There are four components to this facility.<br>
<ol>
<li>The <b>maclist</b> interface option in <a
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. When
this option is specified, all traffic arriving on the interface is subjet
to MAC verification.</li>
<li>The <b>maclist </b>option in <a
href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>. When this option
is specified for a subnet, all traffic from that subnet is subject to
MAC verification.</li>
<li>The /etc/shorewall/maclist file. This file is used to associate
MAC addresses with interfaces and to optionally associate IP addresses
with MAC addresses.</li>
<li>The <b>MACLIST_DISPOSITION </b>and <b>MACLIST_LOG_LEVEL </b>variables
in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a>
The MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT
and determines the disposition of connection requests that fail MAC verification.
The MACLIST_LOG_LEVEL variable gives the syslogd level at which connection
requests that fail verification are to be logged. If set the the empty
value (e.g., MACLIST_LOG_LEVEL="") then failing connection requests are
not logged.<br>
</li>
</ol>
The columns in /etc/shorewall/maclist are:<br>
<ul>
<li>INTERFACE - The name of an ethernet interface on the Shorewall
system.</li>
<li>MAC - The MAC address of a device on the ethernet segment
connected by INTERFACE. It is not necessary to use the Shorewall MAC format
in this column although you may use that format if you so choose.</li>
<li>IP Address - An optional comma-separated list of IP addresses
for the device whose MAC is listed in the MAC column.</li>
</ul>
<h3>Example 1: Here are my files:</h3>
<b>/etc/shorewall/shorewall.conf:<br>
</b>
<pre> MACLIST_DISPOSITION=REJECT<br> MACLIST_LOG_LEVEL=info<br></pre>
<b>/etc/shorewall/interfaces:</b><br>
<blockquote>
<pre>#ZONE INTERFACE BROADCAST OPTIONS<br>net eth0 206.124.146.255 dhcp,norfc1918,routefilter,blacklist,tcpflags<br>loc eth2 192.168.1.255 dhcp<br>dmz eth1 192.168.2.255<br>wap eth3 192.168.3.255 dhcp,maclist<br>- texas 192.168.9.255</pre>
</blockquote>
<b>/etc/shorewall/maclist:</b><br>
<blockquote>
<pre>#INTERFACE MAC IP ADDRESSES (Optional)<br>eth3 00:A0:CC:A2:0C:A0 192.168.3.7 #Work Laptop<br>eth3 00:04:5a:fe:85:b9 192.168.3.250 #WAP11<br>eth3 00:06:25:56:33:3c #WET11<br>eth3 00:0b:cd:C4:cc:97 192.168.3.8 #TIPPER</pre>
</blockquote>
As shown above, I use MAC Verification on my wireless zone.<br>
<br>
<b>Note: </b>The WET11 is a somewhat curious device; when forwarding DHCP
traffic, it uses the MAC address of the host (TIPPER) but for other forwarded
traffic it uses it's own MAC address. Consequently, I don't assign the WET11
a fixed IP address in /etc/shorewall/maclist.<br>
<h3>Example 2: Router in Local Zone</h3>
Suppose now that I add a second wireless segment to my wireless
zone and gateway that segment via a router with MAC address 00:06:43:45:C6:15
and IP address 192.168.3.253. Hosts in the second segment have IP addresses
in the subnet 192.168.4.0/24. I would add the following entry to my /etc/shorewall/maclist
file:<br>
<pre> eth3 00:06:43:45:C6:15 192.168.3.253,192.168.4.0/24<br></pre>
This entry accomodates traffic from the router itself (192.168.3.253)
and from the second wireless segment (192.168.4.0/24). Remember that
all traffic being sent to my firewall from the 192.168.4.0/24 segment
will be forwarded by the router so that traffic's MAC address will be
that of the router (00:06:43:45:C6:15) and not that of the host sending
the traffic.
<p><font size="2"> Updated 6/10/2002 - <a href="support.htm">Tom Eastep</a>
</font></p>
<br>
There are four components to this facility.<br>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy;
<ol>
<li>The <b>maclist</b> interface option in <a
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. When this
option is specified, all traffic arriving on the interface is subjet to MAC
verification.</li>
<li>The <b>maclist </b>option in <a
href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>. When this option
is specified for a subnet, all traffic from that subnet is subject to MAC
verification.</li>
<li>The /etc/shorewall/maclist file. This file is used to associate
MAC addresses with interfaces and to optionally associate IP addresses
with MAC addresses.</li>
<li>The <b>MACLIST_DISPOSITION </b>and <b>MACLIST_LOG_LEVEL
</b>variables in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a>
The MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT
and determines the disposition of connection requests that fail MAC verification.
The MACLIST_LOG_LEVEL variable gives the syslogd level at which connection
requests that fail verification are to be logged. If set the the empty
value (e.g., MACLIST_LOG_LEVEL="") then failing connection requests are
not logged.<br>
</li>
</ol>
The columns in /etc/shorewall/maclist are:<br>
<ul>
<li>INTERFACE - The name of an ethernet interface on the Shorewall
system.</li>
<li>MAC - The MAC address of a device on the ethernet segment
connected by INTERFACE. It is not necessary to use the Shorewall MAC
format in this column although you may use that format if you so choose.</li>
<li>IP Address - An optional comma-separated list of IP addresses
for the device whose MAC is listed in the MAC column.</li>
</ul>
<h3>Example 1: Here are my files (look <a href="myfiles.htm">here</a> for
details about my setup):</h3>
<b>/etc/shorewall/shorewall.conf:<br>
</b>
<pre> MACLIST_DISPOSITION=REJECT<br> MACLIST_LOG_LEVEL=info<br></pre>
<b>/etc/shorewall/interfaces:</b><br>
<blockquote>
<pre>#ZONE INTERFACE BROADCAST OPTIONS<br>net eth0 206.124.146.255 dhcp,norfc1918,routefilter,blacklist,tcpflags<br>loc eth2 192.168.1.255 dhcp<br>dmz eth1 192.168.2.255<br>WiFi eth3 192.168.3.255 dhcp,maclist<br>- texas 192.168.9.255</pre>
</blockquote>
<b>/etc/shorewall/maclist:</b><br>
<blockquote>
<pre>#INTERFACE MAC IP ADDRESSES (Optional)<br>eth3 00:A0:CC:A2:0C:A0 192.168.3.7 #Work Laptop<br>eth3 00:04:5a:fe:85:b9 192.168.3.250 #WAP11<br>eth3 00:06:25:56:33:3c 192.168.3.225,192.168.3.8 #WET11<br>eth3 00:0b:cd:C4:cc:97 192.168.3.8 #TIPPER</pre>
</blockquote>
As shown above, I use MAC Verification on my wireless zone.<br>
<br>
<b>Note: </b>While marketed as a wireless bridge, the WET11 behaves like
a wireless router with DHCP relay. When forwarding DHCP traffic, it uses
the MAC address of the host (TIPPER) but for other forwarded traffic it uses
it's own MAC address. Consequently, I list the IP addresses of both devices
in /etc/shorewall/maclist.<br>
<h3>Example 2: Router in Wireless Zone</h3>
Suppose now that I add a second wireless segment to my wireless
zone and gateway that segment via a router with MAC address 00:06:43:45:C6:15
and IP address 192.168.3.253. Hosts in the second segment have IP addresses
in the subnet 192.168.4.0/24. I would add the following entry to my /etc/shorewall/maclist
file:<br>
<pre> eth3 00:06:43:45:C6:15 192.168.3.253,192.168.4.0/24<br></pre>
This entry accomodates traffic from the router itself (192.168.3.253)
and from the second wireless segment (192.168.4.0/24). Remember that all
traffic being sent to my firewall from the 192.168.4.0/24 segment will
be forwarded by the router so that traffic's MAC address will be that
of the router (00:06:43:45:C6:15) and not that of the host sending the
traffic.
<p><font size="2"> Updated 6/30/2002 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy;
<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
</p>
<br>
<br>
<br>
<br>

4385
Shorewall-docs/News.htm
View File

File diff suppressed because it is too large Load Diff

897
Shorewall-docs/Shorewall_Squid_Usage.html
View File

@ -2,401 +2,367 @@
<html>
<head>
<title>Shorewall Squid Usage</title>
<meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep">
</head>
<body>
<table cellpadding="0" cellspacing="0" border="0" width="100%"
bgcolor="#400169">
<tbody>
<tr>
<td valign="middle" width="33%" bgcolor="#400169"><a
href="http://www.squid-cache.org/"><img src="images/squidnow.gif"
alt="" width="88" height="31" hspace="4">
</a><br>
</td>
<td valign="middle" height="90" align="center" width="34%"><font
color="#ffffff"><b><big><big><big><big>Using Shorewall with Squid</big></big></big></big></b></font><br>
</td>
<td valign="middle" height="90" width="33%" align="right"><a
href="http://www.squid-cache.org/"><img src="images/cache_now.gif"
alt="" width="100" height="31" hspace="4">
</a><br>
</td>
</tr>
</tbody>
</table>
<br>
This page covers Shorewall configuration to use with <a
href="http://www.squid-cache.org/">Squid </a>running as a <u><b>Transparent
Proxy</b></u>. If you are running Shorewall 1.3, please see <a
href="1.3/Shorewall_Squid_Usage.html">this documentation</a>.<br>
<a href="#DMZ"></a><br>
<img border="0" src="images/j0213519.gif" width="60"
height="60" alt="Caution" align="middle">
&nbsp;&nbsp;&nbsp; Please observe the following general requirements:<br>
<br>
<b><img src="images/BD21298_3.gif" alt="" width="13"
height="13">
&nbsp;&nbsp;&nbsp; </b>In all cases, Squid should be configured
to run as a transparent proxy as described at <a
href="http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html">http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html</a>.<br>
<b><br>
</b><b><img src="images/BD21298_3.gif" alt="" width="13"
height="13">
&nbsp;&nbsp;&nbsp; </b>The following instructions mention the files
/etc/shorewall/start and /etc/shorewall/init -- if you don't have those
files, siimply create them.<br>
<br>
<b><img src="images/BD21298_3.gif" alt="" width="13"
height="13">
</b>&nbsp;&nbsp;&nbsp; When the Squid server is in the DMZ zone
or in the local zone, that zone must be defined ONLY by its interface --
no /etc/shorewall/hosts file entries. That is because the packets being
routed to the Squid server still have their original destination IP addresses.<br>
<br>
<b><img src="images/BD21298_3.gif" alt="" width="13"
height="13">
</b>&nbsp;&nbsp;&nbsp; You must have iptables installed on your
Squid server.<br>
<br>
<b><img src="images/BD21298_3.gif" alt="" width="13"
height="13">
</b>&nbsp;&nbsp;&nbsp; You must have NAT and MANGLE enabled in
your /etc/shorewall/conf file<br>
<br>
&nbsp;&nbsp;&nbsp; <b><font color="#009900">&nbsp;&nbsp;&nbsp; NAT_ENABLED=Yes<br>
</font></b>&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; <font
color="#009900"><b>MANGLE_ENABLED=Yes</b></font><br>
<br>
Three different configurations are covered:<br>
<ol>
<li><a href="Shorewall_Squid_Usage.html#Firewall">Squid running
on the Firewall.</a></li>
<li><a href="Shorewall_Squid_Usage.html#Local">Squid running in
the local network</a></li>
<li><a href="Shorewall_Squid_Usage.html#DMZ">Squid running in
the DMZ</a></li>
</ol>
<h2><a name="Firewall"></a>Squid Running on the Firewall</h2>
You want to redirect all local www connection requests EXCEPT
those to your own
http server (206.124.146.177)
to a Squid transparent
proxy running on the firewall and listening on port 3128. Squid
will of course require access to remote web servers.<br>
<br>
In /etc/shorewall/rules:<br>
<br>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>ACTION</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b> PROTO</b></td>
<td><b>DEST<br>
PORT(S)</b></td>
<td><b>SOURCE<br>
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
</tr>
<tr>
<td>REDIRECT</td>
<td>loc</td>
<td>3128</td>
<td>tcp</td>
<td>www</td>
<td> -<br>
</td>
<td>!206.124.146.177</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>fw</td>
<td>net</td>
<td>tcp</td>
<td>www</td>
<td> <br>
</td>
<td> <br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
There may be a requirement to exclude additional destination hosts
or networks from being redirected. For example, you might also want requests
destined for 130.252.100.0/24 to not be routed to Squid. In that case, you
must add a manual rule in /etc/shorewall/start:<br>
<blockquote>
<pre>run_iptables -t nat -I loc_dnat -p tcp --dport www -d 130.252.100.0/24 -j RETURN<br></pre>
</blockquote>
&nbsp;To exclude additional hosts or networks, just add additional similar
rules.<br>
<h2><a name="Local"></a>Squid Running in the local network</h2>
You want to redirect all local www connection requests to a
Squid transparent
proxy running in your local zone at 192.168.1.3 and listening on port
3128. Your local interface is eth1. There may also be a web server running
on 192.168.1.3. It is assumed that web access is already enabled from the
local zone to the internet.<br>
<p><font color="#ff0000"><b>WARNING: </b></font>This setup may conflict with
other aspects of your gateway including but not limited to traffic shaping
and route redirection. For that reason, <b>I don't recommend it</b>.<br>
</p>
<ul>
<li>On your firewall system, issue the following command<br>
</li>
</ul>
<blockquote>
<pre><b><font color="#009900">echo 202 www.out &gt;&gt; /etc/iproute2/rt_tables</font></b><br></pre>
</blockquote>
<ul>
<li>In /etc/shorewall/init, put:<br>
</li>
</ul>
<blockquote>
<pre><b><font color="#009900">if [ -z "`ip rule list | grep www.out`" ] ; then<br> ip rule add fwmark 202 table www.out<br> ip route add default via 192.168.1.3 dev eth1 table www.out<br> ip route flush cache<br> echo 0 &gt; /proc/sys/net/ipv4/conf/eth1/send_redirects<br>fi<br></font></b></pre>
</blockquote>
<ul>
<li>If you are running Shorewall 1.4.1 or Shorewall 1.4.1a,
please upgrade to Shorewall 1.4.2 or later.<br>
<br>
</li>
<li>If you are running Shorewall 1.4.2 or later, then in /etc/shorewall/interfaces:<br>
<br>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top">ZONE<br>
<td valign="middle" width="33%" bgcolor="#400169"><a
href="http://www.squid-cache.org/"><img src="images/squidnow.gif"
alt="" width="88" height="31" hspace="4">
</a><br>
</td>
<td valign="top">INTERFACE<br>
<td valign="middle" height="90" align="center" width="34%"><font
color="#ffffff"><b><big><big><big><big>Using Shorewall with Squid</big></big></big></big></b></font><br>
</td>
<td valign="top">BROADCAST<br>
</td>
<td valign="top">OPTIONS<br>
<td valign="middle" height="90" width="33%" align="right"><a
href="http://www.squid-cache.org/"><img src="images/cache_now.gif"
alt="" width="100" height="31" hspace="4">
</a><br>
</td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">eth1<br>
</td>
<td valign="top">detect<br>
</td>
<td valign="top"><b>routeback</b><br>
</td>
</tr>
</tbody>
</tbody>
</table>
<br>
This page covers Shorewall configuration to use with <a
href="http://www.squid-cache.org/">Squid </a>running as a <u><b>Transparent
Proxy</b></u>. If you are running Shorewall 1.3, please see <a
href="1.3/Shorewall_Squid_Usage.html">this documentation</a>.<br>
<a href="#DMZ"></a><br>
<img border="0" src="images/j0213519.gif" width="60"
height="60" alt="Caution" align="middle">
&nbsp;&nbsp;&nbsp; Please observe the following general requirements:<br>
<br>
<b><img src="images/BD21298_3.gif" alt="" width="13"
height="13">
&nbsp;&nbsp;&nbsp; </b>In all cases, Squid should be configured
to run as a transparent proxy as described at <a
href="http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html">http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html</a>.<br>
<b><br>
</b><b><img src="images/BD21298_3.gif" alt="" width="13"
height="13">
&nbsp;&nbsp;&nbsp; </b>The following instructions mention the files
/etc/shorewall/start and /etc/shorewall/init -- if you don't have those
files, siimply create them.<br>
<br>
<b><img src="images/BD21298_3.gif" alt="" width="13"
height="13">
</b>&nbsp;&nbsp;&nbsp; When the Squid server is in the DMZ zone
or in the local zone, that zone must be defined ONLY by its interface
-- no /etc/shorewall/hosts file entries. That is because the packets being
routed to the Squid server still have their original destination IP addresses.<br>
<br>
<b><img src="images/BD21298_3.gif" alt="" width="13"
height="13">
</b>&nbsp;&nbsp;&nbsp; You must have iptables installed on your
Squid server.<br>
<br>
<b><img src="images/BD21298_3.gif" alt="" width="13"
height="13">
</b>&nbsp;&nbsp;&nbsp; If you run a Shorewall version earlier
than 1.4.6, you must have NAT and MANGLE enabled in your /etc/shorewall/conf
file<br>
<br>
&nbsp;&nbsp;&nbsp; <b><font color="#009900">&nbsp;&nbsp;&nbsp;
NAT_ENABLED=Yes<br>
</font></b>&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; <font
color="#009900"><b>MANGLE_ENABLED=Yes</b></font><br>
<br>
Three different configurations are covered:<br>
<ol>
<li><a href="Shorewall_Squid_Usage.html#Firewall">Squid running
on the Firewall.</a></li>
<li><a href="Shorewall_Squid_Usage.html#Local">Squid running
in the local network</a></li>
<li><a href="Shorewall_Squid_Usage.html#DMZ">Squid running in
the DMZ</a></li>
</ol>
<h2><a name="Firewall"></a>Squid Running on the Firewall</h2>
You want to redirect all local www connection requests EXCEPT
those to your own
http server (206.124.146.177)
to a Squid
transparent proxy running on the firewall and listening on port
3128. Squid will of course require access to remote web servers.<br>
<br>
In /etc/shorewall/rules:<br>
<br>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>ACTION</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b> PROTO</b></td>
<td><b>DEST<br>
PORT(S)</b></td>
<td><b>SOURCE<br>
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
</tr>
<tr>
<td>REDIRECT</td>
<td>loc</td>
<td>3128</td>
<td>tcp</td>
<td>www</td>
<td> -<br>
</td>
<td>!206.124.146.177</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>fw</td>
<td>net</td>
<td>tcp</td>
<td>www</td>
<td> <br>
</td>
<td> <br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
There may be a requirement to exclude additional destination hosts
or networks from being redirected. For example, you might also want requests
destined for 130.252.100.0/24 to not be routed to Squid. In that case, you
must add a manual rule in /etc/shorewall/start:<br>
<blockquote>
<pre>run_iptables -t nat -I loc_dnat -p tcp --dport www -d 130.252.100.0/24 -j RETURN<br></pre>
</blockquote>
&nbsp;To exclude additional hosts or networks, just add additional similar
rules.<br>
<h2><a name="Local"></a>Squid Running in the local network</h2>
You want to redirect all local www connection requests to a
Squid transparent
proxy running in your local zone at 192.168.1.3 and listening on port
3128. Your local interface is eth1. There may also be a web server running
on 192.168.1.3. It is assumed that web access is already enabled from
the local zone to the internet.<br>
<p><font color="#ff0000"><b>WARNING: </b></font>This setup may conflict with
other aspects of your gateway including but not limited to traffic
shaping and route redirection. For that reason, <b>I don't recommend
it</b>.<br>
</p>
<ul>
<li>On your firewall system, issue the following command<br>
</li>
</ul>
<blockquote>
<pre><b><font color="#009900">echo 202 www.out &gt;&gt; /etc/iproute2/rt_tables</font></b><br></pre>
</blockquote>
<ul>
<li>In /etc/shorewall/init, put:<br>
</li>
</ul>
<blockquote>
<pre><b><font color="#009900">if [ -z "`ip rule list | grep www.out`" ] ; then<br> ip rule add fwmark 202 table www.out<br> ip route add default via 192.168.1.3 dev eth1 table www.out<br> ip route flush cache<br> echo 0 &gt; /proc/sys/net/ipv4/conf/eth1/send_redirects<br>fi<br></font></b></pre>
</blockquote>
<ul>
<li>If you are running Shorewall 1.4.1 or Shorewall 1.4.1a,
please upgrade to Shorewall 1.4.2 or later.<br>
<br>
</li>
<li>If you are running Shorewall 1.4.2 or later, then in /etc/shorewall/interfaces:<br>
<br>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top">ZONE<br>
</td>
<td valign="top">INTERFACE<br>
</td>
<td valign="top">BROADCAST<br>
</td>
<td valign="top">OPTIONS<br>
</td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">eth1<br>
</td>
<td valign="top">detect<br>
</td>
<td valign="top"><b>routeback</b><br>
</td>
</tr>
</tbody>
</table>
<br>
</li>
<li>In /etc/shorewall/rules:<br>
<br>
<br>
</li>
<li>In /etc/shorewall/rules:<br>
<br>
<table border="1" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>ACTION</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b> PROTO</b></td>
<td><b>DEST<br>
PORT(S)</b></td>
<td><b>SOURCE<br>
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
</tr>
<tr>
<td>ACCEPT<br>
</td>
<td>loc</td>
<td>loc<br>
</td>
<td>tcp</td>
<td>www</td>
<td> <br>
</td>
<td><br>
</td>
</tr>
<tbody>
<tr>
<td><b>ACTION</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b> PROTO</b></td>
<td><b>DEST<br>
PORT(S)</b></td>
<td><b>SOURCE<br>
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
</tr>
<tr>
<td>ACCEPT<br>
</td>
<td>loc</td>
<td>loc<br>
</td>
<td>tcp</td>
<td>www</td>
<td> <br>
</td>
<td><br>
</td>
</tr>
</tbody>
</table>
</li>
<br>
<li>Alternativfely, if you are running Shorewall 1.4.0 you can have the
following policy in place of the above rule:<br>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>SOURCE<br>
</b></td>
<td valign="top"><b>DESTINATION<br>
</b></td>
<td valign="top"><b>POLICY<br>
</b></td>
<td valign="top"><b>LOG LEVEL<br>
</b></td>
<td valign="top"><b>BURST PARAMETERS<br>
</b></td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">loc<br>
</td>
<td valign="top">ACCEPT<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
</li>
<br>
<li>Alternativfely, if you are running Shorewall 1.4.0 you can have the
following policy in place of the above rule:<br>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>SOURCE<br>
</b></td>
<td valign="top"><b>DESTINATION<br>
</b></td>
<td valign="top"><b>POLICY<br>
</b></td>
<td valign="top"><b>LOG LEVEL<br>
</b></td>
<td valign="top"><b>BURST PARAMETERS<br>
</b></td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">loc<br>
</td>
<td valign="top">ACCEPT<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</li>
<li>In /etc/shorewall/start add:<br>
</li>
<br>
</li>
<li>In /etc/shorewall/start add:<br>
</li>
</ul>
<blockquote>
<blockquote>
<pre><font color="#009900"><b>iptables -t mangle -A PREROUTING -i eth1 -s ! 192.168.1.3 -p tcp --dport 80 -j MARK --set-mark 202</b></font><br></pre>
</blockquote>
</blockquote>
<ul>
<li>On 192.168.1.3, arrange for the following command to be executed
after networking has come up<br>
<li>On 192.168.1.3, arrange for the following command to be
executed after networking has come up<br>
<pre><b><font color="#009900">iptables -t nat -A PREROUTING -i eth0 -d ! 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 3128</font></b><br></pre>
</li>
</li>
</ul>
<blockquote> If you are running RedHat on the server, you can simply execute
the following commands after you have typed the iptables command above:<br>
</blockquote>
<blockquote>
<blockquote> If you are running RedHat on the server, you can simply execute
the following commands after you have typed the iptables command above:<br>
</blockquote>
<blockquote>
<blockquote> </blockquote>
<pre><font color="#009900"><b>iptables-save &gt; /etc/sysconfig/iptables</b></font><font
color="#009900"><b><br>chkconfig --level 35 iptables start<br></b></font></pre>
</blockquote>
</blockquote>
<blockquote> </blockquote>
<h2><a name="DMZ"></a>Squid Running in the DMZ (This is what I do)</h2>
You have a single Linux system in your DMZ with IP address 192.0.2.177.
You want to run both a web server and Squid on that system. Your DMZ interface
is eth1 and your local interface is eth2.<br>
You have a single Linux system in your DMZ with IP address 192.0.2.177.
You want to run both a web server and Squid on that system. Your DMZ
interface is eth1 and your local interface is eth2.<br>
<ul>
<li>On your firewall system, issue the following command<br>
</li>
<li>On your firewall system, issue the following command<br>
</li>
</ul>
<blockquote>
<blockquote>
<pre><font color="#009900"><b>echo 202 www.out &gt;&gt; /etc/iproute2/rt_tables</b></font><br></pre>
</blockquote>
</blockquote>
<ul>
<li>In /etc/shorewall/init, put:<br>
</li>
<li>In /etc/shorewall/init, put:<br>
</li>
</ul>
<blockquote>
<blockquote>
<pre><font color="#009900"><b>if [ -z "`ip rule list | grep www.out`" ] ; then<br> ip rule add fwmark 202 table www.out<br> ip route add default via 192.0.2.177 dev eth1 table www.out<br> ip route flush cache<br>fi</b></font><br></pre>
</blockquote>
</blockquote>
<ul>
<li>&nbsp;Do<b> one </b>of the following:<br>
<br>
A) In /etc/shorewall/start add<br>
</li>
<li>&nbsp;Do<b> one </b>of the following:<br>
<br>
A) In /etc/shorewall/start add<br>
</li>
</ul>
<blockquote>
<blockquote>
<pre><b><font color="#009900"> iptables -t mangle -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK --set-mark 202</font></b><br></pre>
</blockquote>
<blockquote>B) Set MARK_IN_FORWARD_CHAIN=No in /etc/shorewall/shorewall.conf
and add the following entry in /etc/shorewall/tcrules:<br>
</blockquote>
<blockquote>
<blockquote>
<table cellpadding="2" border="1" cellspacing="0">
<tbody>
<tr>
<td valign="top">MARK<br>
</td>
<td valign="top">SOURCE<br>
</td>
<td valign="top">DESTINATION<br>
</td>
<td valign="top">PROTOCOL<br>
</td>
<td valign="top">PORT<br>
</td>
<td valign="top">CLIENT PORT<br>
</td>
</tr>
<tr>
<td valign="top">202<br>
</td>
<td valign="top">eth2<br>
</td>
<td valign="top">0.0.0.0/0<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">80<br>
</td>
<td valign="top">-<br>
</td>
</tr>
</tbody>
</table>
</blockquote>
C) Run Shorewall 1.3.14 or later and add the following entry in /etc/shorewall/tcrules:<br>
</blockquote>
<blockquote>
<blockquote>
</blockquote>
<blockquote>B) Set MARK_IN_FORWARD_CHAIN=No in /etc/shorewall/shorewall.conf
and add the following entry in /etc/shorewall/tcrules:<br>
</blockquote>
<blockquote>
<blockquote>
<table cellpadding="2" border="1" cellspacing="0">
<tbody>
<tr>
@ -414,7 +380,7 @@ following policy in place of the above rule:<br>
</td>
</tr>
<tr>
<td valign="top">202:P<br>
<td valign="top">202<br>
</td>
<td valign="top">eth2<br>
</td>
@ -427,105 +393,142 @@ following policy in place of the above rule:<br>
<td valign="top">-<br>
</td>
</tr>
</tbody>
</tbody>
</table>
</blockquote>
</blockquote>
C) Run Shorewall 1.3.14 or later and add the following entry in /etc/shorewall/tcrules:<br>
</blockquote>
<blockquote>
<blockquote>
<table cellpadding="2" border="1" cellspacing="0">
<tbody>
<tr>
<td valign="top">MARK<br>
</td>
<td valign="top">SOURCE<br>
</td>
<td valign="top">DESTINATION<br>
</td>
<td valign="top">PROTOCOL<br>
</td>
<td valign="top">PORT<br>
</td>
<td valign="top">CLIENT PORT<br>
</td>
</tr>
<tr>
<td valign="top">202:P<br>
</td>
<td valign="top">eth2<br>
</td>
<td valign="top">0.0.0.0/0<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">80<br>
</td>
<td valign="top">-<br>
</td>
</tr>
</tbody>
</table>
</blockquote>
</blockquote>
<ul>
<li>In /etc/shorewall/rules, you will need:</li>
<li>In /etc/shorewall/rules, you will need:</li>
</ul>
<blockquote>
<blockquote>
<table cellpadding="2" border="1" cellspacing="0">
<tbody>
<tr>
<td valign="top">ACTION<br>
</td>
<td valign="top">SOURCE<br>
</td>
<td valign="top">DEST<br>
</td>
<td valign="top">PROTO<br>
</td>
<td valign="top">DEST<br>
PORT(S)<br>
</td>
<td valign="top">CLIENT<br>
PORT(2)<br>
</td>
<td valign="top">ORIGINAL<br>
DEST<br>
</td>
</tr>
<tr>
<td valign="top">ACCEPT<br>
</td>
<td valign="top">loc<br>
</td>
<td valign="top">dmz<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">80<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
<tr>
<td valign="top">ACCEPT<br>
</td>
<td valign="top">dmz<br>
</td>
<td valign="top">net<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">80<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
<tbody>
<tr>
<td valign="top">ACTION<br>
</td>
<td valign="top">SOURCE<br>
</td>
<td valign="top">DEST<br>
</td>
<td valign="top">PROTO<br>
</td>
<td valign="top">DEST<br>
PORT(S)<br>
</td>
<td valign="top">CLIENT<br>
PORT(2)<br>
</td>
<td valign="top">ORIGINAL<br>
DEST<br>
</td>
</tr>
<tr>
<td valign="top">ACCEPT<br>
</td>
<td valign="top">loc<br>
</td>
<td valign="top">dmz<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">80<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
<tr>
<td valign="top">ACCEPT<br>
</td>
<td valign="top">dmz<br>
</td>
<td valign="top">net<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">80<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
<ul>
<li>On 192.0.2.177 (your Web/Squid server), arrange for the
following command to be executed after networking has come up<br>
<pre><font color="#009900"><b>iptables -t nat -A PREROUTING -i eth0 -d ! 192.0.2.177 -p tcp --dport 80 -j REDIRECT --to-ports 3128</b></font><br></pre>
</li>
</ul>
<blockquote> If you are running RedHat on the server, you can simply execute
the following commands after you have typed the iptables command above:<br>
<br>
</blockquote>
<blockquote>
<ul>
<li>On 192.0.2.177 (your Web/Squid server), arrange for the
following command to be executed after networking has come up<br>
<pre><font color="#009900"><b>iptables -t nat -A PREROUTING -i eth0 -d ! 192.0.2.177 -p tcp --dport 80 -j REDIRECT --to-ports 3128</b></font><br></pre>
</li>
</ul>
<blockquote> If you are running RedHat on the server, you can simply execute
the following commands after you have typed the iptables command above:<br>
</blockquote>
<blockquote>
<blockquote> </blockquote>
<pre><font color="#009900"><b>iptables-save &gt; /etc/sysconfig/iptables</b></font><font
color="#009900"><b><br>chkconfig --level 35 iptables start<br></b></font></pre>
</blockquote>
</blockquote>
<blockquote> </blockquote>
<p><font size="-1"> Updated 5/29/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><font size="-1"> Updated 6/27/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<a href="copyright.htm"><font size="2">Copyright</font> &copy;
<a href="copyright.htm"><font size="2">Copyright</font> &copy;
<font size="2">2003 Thomas M. Eastep.</font></a><br>
<br>
<br>
</body>
</html>

1025
Shorewall-docs/Shorewall_and_Aliased_Interfaces.html
View File

File diff suppressed because it is too large Load Diff

175
Shorewall-docs/Shorewall_index_frame.htm
View File

@ -1,138 +1,139 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Index</title>
<base target="main">
<base target="main">
<meta name="Microsoft Theme" content="none">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#4b017c" height="90">
<tbody>
<tr>
<td width="100%"
height="90">
<tbody>
<tr>
<td width="100%"
height="90">
<h3 align="center"><font color="#ffffff">Shorewall</font></h3>
</td>
</tr>
<tr>
<td width="100%"
bgcolor="#ffffff">
</td>
</tr>
<tr>
<td width="100%"
bgcolor="#ffffff">
<ul>
<li> <a
<li> <a
href="seattlefirewall_index.htm">Home</a></li>
<li> <a
<li> <a
href="shorewall_features.htm">Features</a></li>
<li> <a
<li> <a
href="shorewall_prerequisites.htm">Requirements</a></li>
<li> <a
<li> <a
href="download.htm">Download</a><br>
</li>
<li> <a href="Install.htm">Installation/Upgrade/</a><br>
<a href="Install.htm">Configuration</a><br>
</li>
<li> <a
</li>
<li> <a
href="Install.htm">Installation/Upgrade/</a><br>
<a href="Install.htm">Configuration</a><br>
</li>
<li> <a
href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a><br>
</li>
<li>
<b><a href="shorewall_quickstart_guide.htm#Documentation">Documentation
Index</a></b></li>
<li> <a
href="Documentation.htm">Reference Manual</a></li>
<li> <a
href="FAQ.htm">FAQs</a></li>
<li><a
href="useful_links.html">Useful Links</a><br>
</li>
<li> <a
href="troubleshoot.htm">Things to try if it doesn't work</a></li>
<li> <a
href="errata.htm">Errata</a></li>
<li> <a
href="upgrade_issues.htm">Upgrade Issues</a></li>
<li> <a
href="support.htm">Getting help or Answers to Questions</a></li>
<li><a href="http://lists.shorewall.net">Mailing Lists</a><a
href="http://lists.shorewall.net"> </a><br>
</li>
<li><a href="1.3"
target="_top">Shorewall 1.3 Site</a></li>
<li><a
href="http://www1.shorewall.net/1.2/index.htm" target="_top">Shorewall 1.2
Site</a></li>
<li><a href="shorewall_mirrors.htm">Mirrors</a>
</li>
<li>
<b><a href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></b></li>
<li> <a href="FAQ.htm">FAQs</a></li>
<li><a
href="useful_links.html">Useful Links</a><br>
</li>
<li> <a
href="troubleshoot.htm">Things to try if it doesn't work</a></li>
<li> <a
href="errata.htm">Errata</a></li>
<li> <a
href="upgrade_issues.htm">Upgrade Issues</a></li>
<li> <a
href="support.htm">Getting help or Answers to Questions</a></li>
<li><a href="http://lists.shorewall.net">Mailing Lists</a><a
href="http://lists.shorewall.net"> </a><br>
</li>
<li><a href="1.3"
target="_top">Shorewall 1.3 Site</a></li>
<li><a
href="http://www1.shorewall.net/1.2/index.htm" target="_top">Shorewall
1.2 Site</a></li>
<li><a href="shorewall_mirrors.htm">Mirrors</a>
<ul>
<li><a
<li><a
target="_top" href="http://slovakia.shorewall.net">Slovak Republic</a></li>
<li><a
<li><a
target="_top" href="http://shorewall.infohiiway.com">Texas, USA</a></li>
<li><a
<li><a
target="_top" href="http://germany.shorewall.net">Germany</a></li>
<li><a target="_top"
<li><a target="_top"
href="http://france.shorewall.net">France</a></li>
<li><a href="http://shorewall.syachile.cl"
<li><a href="http://shorewall.syachile.cl"
target="_top">Chile</a></li>
<li><a href="http://shorewall.greshko.com"
target="_top">Taiwan</a><br>
</li>
<li><a
<li><a href="http://shorewall.greshko.com"
target="_top">Taiwan</a></li>
<li><a href="http://argentina.shorewall.net" target="_top">Argentina</a><br>
</li>
<li><a
href="http://www.shorewall.net" target="_top">Washington State, USA</a><br>
</li>
</li>
</ul>
</li>
</li>
</ul>
<ul>
<li> <a
<li> <a
href="News.htm">News Archive</a></li>
<li> <a
<li> <a
href="Shorewall_CVS_Access.html">CVS Repository</a></li>
<li> <a
<li> <a
href="quotes.htm">Quotes from Users</a></li>
<li>GSLUG Presentation</li>
<li>GSLUG Presentation</li>
<ul>
<li><a href="GSLUG.htm">HTML</a></li>
<li><a href="GSLUG.ppt">PowerPoint</a><br>
</li>
<li><a href="GSLUG.htm">HTML</a></li>
<li><a href="GSLUG.ppt">PowerPoint</a><br>
</li>
</ul>
<li> <a
<li> <a
href="shoreline.htm">About the Author</a></li>
<li> <a
<li> <a
href="seattlefirewall_index.htm#Donations">Donations</a></li>
</ul>
</td>
</tr>
</tbody>
</td>
</tr>
</tbody>
</table>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001-2003 Thomas M. Eastep.</font></a><br>
</p>

174
Shorewall-docs/Shorewall_sfindex_frame.htm
View File

@ -1,138 +1,138 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Index</title>
<base target="main">
<base target="main">
<meta name="Microsoft Theme" content="none">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#4b017c" height="90">
<tbody>
<tr>
<td width="100%"
height="90">
<tbody>
<tr>
<td width="100%"
height="90">
<h3 align="center"><font color="#ffffff">Shorewall</font></h3>
</td>
</tr>
<tr>
<td width="100%"
bgcolor="#ffffff">
</td>
</tr>
<tr>
<td width="100%"
bgcolor="#ffffff">
<ul>
<li> <a
<li> <a
href="seattlefirewall_index.htm">Home</a></li>
<li> <a
<li> <a
href="shorewall_features.htm">Features</a></li>
<li> <a
<li> <a
href="shorewall_prerequisites.htm">Requirements</a></li>
<li> <a
<li> <a
href="download.htm">Download</a><br>
</li>
<li> <a href="Install.htm">Installation/Upgrade/</a><br>
<a href="Install.htm">Configuration</a><br>
</li>
<li> <a
</li>
<li> <a
href="Install.htm">Installation/Upgrade/</a><br>
<a href="Install.htm">Configuration</a><br>
</li>
<li> <a
href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a><br>
</li>
<li>
<b><a href="shorewall_quickstart_guide.htm#Documentation">Documentation
Index</a></b></li>
<li> <a
href="Documentation.htm">Reference Manual</a></li>
<li> <a
href="FAQ.htm">FAQs</a></li>
<li><a
href="useful_links.html">Useful Links</a><br>
</li>
<li> <a
href="troubleshoot.htm">Things to try if it doesn't work</a></li>
<li> <a
href="errata.htm">Errata</a></li>
<li> <a
href="upgrade_issues.htm">Upgrade Issues</a></li>
<li> <a
href="support.htm">Getting help or Answers to Questions</a>
</li>
<li><a
href="http://lists.shorewall.net">Mailing Lists</a> <br>
</li>
<li><a href="1.3" target="_top">Shorewall 1.3 Site</a></li>
<li><a
href="http://www1.shorewall.net/1.2/index.htm" target="_top">Shorewall
1.2 Site</a></li>
<li><a href="shorewall_mirrors.htm">Mirrors</a>
</li>
<li>
<b><a href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></b></li>
<li> <a href="FAQ.htm">FAQs</a></li>
<li><a
href="useful_links.html">Useful Links</a><br>
</li>
<li> <a
href="troubleshoot.htm">Things to try if it doesn't work</a></li>
<li> <a
href="errata.htm">Errata</a></li>
<li> <a
href="upgrade_issues.htm">Upgrade Issues</a></li>
<li> <a
href="support.htm">Getting help or Answers to Questions</a>
</li>
<li><a
href="http://lists.shorewall.net">Mailing Lists</a> <br>
</li>
<li><a href="1.3" target="_top">Shorewall 1.3 Site</a></li>
<li><a
href="http://www1.shorewall.net/1.2/index.htm" target="_top">Shorewall 1.2
Site</a></li>
<li><a href="shorewall_mirrors.htm">Mirrors</a>
<ul>
<li><a
<li><a
target="_top" href="http://slovakia.shorewall.net">Slovak Republic</a></li>
<li><a
<li><a
target="_top" href="http://shorewall.infohiiway.com">Texas, USA</a></li>
<li><a
<li><a
target="_top" href="http://germany.shorewall.net">Germany</a></li>
<li><a target="_top"
<li><a target="_top"
href="http://france.shorewall.net">France</a></li>
<li><a href="http://shorewall.syachile.cl"
<li><a href="http://shorewall.syachile.cl"
target="_top">Chile</a></li>
<li><a href="http://shorewall.greshko.com"
target="_top">Taiwan</a><br>
</li>
<li><a
<li><a href="http://shorewall.greshko.com"
target="_top">Taiwan</a></li>
<li><a href="http://argentina.shorewall.net" target="_top">Argentina</a><br>
</li>
<li><a
href="http://www.shorewall.net" target="_top">Washington State, USA</a><br>
</li>
</li>
</ul>
</li>
</li>
</ul>
<ul>
<li> <a
<li> <a
href="News.htm">News Archive</a></li>
<li> <a
<li> <a
href="Shorewall_CVS_Access.html">CVS Repository</a></li>
<li>GSLUG Presentation</li>
<li>GSLUG Presentation</li>
<ul>
<li><a href="GSLUG.htm">HTML</a></li>
<li><a href="GSLUG.ppt">PowerPoint</a><br>
</li>
<li><a href="GSLUG.htm">HTML</a></li>
<li><a href="GSLUG.ppt">PowerPoint</a><br>
</li>
</ul>
<li> <a
<li> <a
href="quotes.htm">Quotes from Users</a></li>
<li> <a
<li> <a
href="shoreline.htm">About the Author</a></li>
<li> <a
<li> <a
href="seattlefirewall_index.htm#Donations">Donations</a></li>
</ul>
</td>
</tr>
</tbody>
</td>
</tr>
</tbody>
</table>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001-2003 Thomas M. Eastep.</font></a><br>
</p>

774
Shorewall-docs/configuration_file_basics.htm
View File

@ -1,407 +1,407 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Configuration File Basics</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Configuration Files</font></h1>
</td>
</tr>
</tbody>
</td>
</tr>
</tbody>
</table>
<p><b><font color="#ff0000">Warning: </font>If you copy or edit your configuration
files on a system running Microsoft Windows, you <u>must</u>
run them through <a
href="http://www.megaloman.com/%7Ehany/software/hd2u/"> dos2unix</a>
before you use them with Shorewall.</b></p>
<h2><a name="Files"></a>Files</h2>
<p>Shorewall's configuration files are in the directory /etc/shorewall.</p>
<ul>
<li>/etc/shorewall/shorewall.conf - used to set
several firewall parameters.</li>
<li>/etc/shorewall/params - use this file to set
shell variables that you will expand in other files.</li>
<li>/etc/shorewall/zones - partition the firewall's
view of the world into <i>zones.</i></li>
<li>/etc/shorewall/policy - establishes firewall
high-level policy.</li>
<li>/etc/shorewall/interfaces - describes the
interfaces on the firewall system.</li>
<li>/etc/shorewall/hosts - allows defining zones
in terms of individual hosts and subnetworks.</li>
<li>/etc/shorewall/masq - directs the firewall
where to use many-to-one (dynamic) Network Address Translation
(a.k.a. Masquerading) and Source Network Address Translation
(SNAT).</li>
<li>/etc/shorewall/modules - directs the firewall
to load kernel modules.</li>
<li>/etc/shorewall/rules - defines rules that
are exceptions to the overall policies established in /etc/shorewall/policy.</li>
<li>/etc/shorewall/nat - defines static NAT rules.</li>
<li>/etc/shorewall/proxyarp - defines use of Proxy
ARP.</li>
<li>/etc/shorewall/routestopped (Shorewall 1.3.4
and later) - defines hosts accessible when Shorewall is stopped.</li>
<li>/etc/shorewall/tcrules - defines marking of
packets for later use by traffic control/shaping or policy routing.</li>
<li>/etc/shorewall/tos - defines rules for setting
the TOS field in packet headers.</li>
<li>/etc/shorewall/tunnels - defines IPSEC, GRE
and IPIP tunnels with end-points on the firewall system.</li>
<li>/etc/shorewall/blacklist - lists blacklisted
IP/subnet/MAC addresses.</li>
<li>/etc/shorewall/init - commands that you wish to execute at the
beginning of a "shorewall start" or "shorewall restart".</li>
<li>/etc/shorewall/start - commands that you wish to execute at the
completion of a "shorewall start" or "shorewall restart"</li>
<li>/etc/shorewall/stop - commands that you wish to execute at the
beginning of a "shorewall stop".</li>
<li>/etc/shorewall/stopped - commands that you wish to execute at
the completion of a "shorewall stop".</li>
<li>/etc/shorewall/ecn - disable Explicit Congestion Notification (ECN
- RFC 3168) to remote hosts or networks.<br>
</li>
</ul>
<h2><a name="Comments"></a>Comments</h2>
<p>You may place comments in configuration files by making the first non-whitespace
character a pound sign ("#"). You may also place comments at
the end of any line, again by delimiting the comment from the
rest of the line with a pound sign.</p>
<p>Examples:</p>
<pre># This is a comment</pre>
<pre>ACCEPT net fw tcp www #This is an end-of-line comment</pre>
<h2><a name="Continuation"></a>Line Continuation</h2>
<p>You may continue lines in the configuration files using the usual backslash
("\") followed immediately by a new line character.</p>
<p>Example:</p>
<pre>ACCEPT net fw tcp \<br>smtp,www,pop3,imap #Services running on the firewall</pre>
<h2><a name="INCLUDE"></a>IN<small><small></small></small>CLUDE Directive</h2>
Beginning with Shorewall version 1.4.2, any file may contain INCLUDE directives.
An INCLUDE directive consists of the word INCLUDE followed by a file name
and causes the contents of the named file to be logically included into
the file containing the INCLUDE. File names given in an INCLUDE directive
are assumed to reside in /etc/shorewall or in an alternate configuration
directory if one has been specified for the command.<br>
<br>
INCLUDE's may be nested to a level of 3 -- further nested INCLUDE directives
are ignored with a warning message.<big><big><br>
<br>
</big></big> Examples:<big> </big> <br>
<blockquote>    shorewall/params.mgmt:<br>
<blockquote>    MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3<br>
   TIME_SERVERS=4.4.4.4<br>
   BACKUP_SERVERS=5.5.5.5<br>
</blockquote>
   ----- end params.mgmt -----<br>
</blockquote>
<blockquote>    shorewall/params:<br>
</blockquote>
<blockquote>
<blockquote>    # Shorewall 1.3 /etc/shorewall/params<br>
   [..]<br>
   #######################################<br>
 <br>
   INCLUDE params.mgmt    <br>
  <br>
   # params unique to this host here<br>
   #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE<br>
</blockquote>
</blockquote>
<blockquote>    ----- end params -----<br>
</blockquote>
<blockquote>    shorewall/rules.mgmt:<br>
</blockquote>
<blockquote>
<blockquote>    ACCEPT net:$MGMT_SERVERS          $FW    tcp    22<br>
   ACCEPT $FW          net:$TIME_SERVERS    udp    123<br>
   ACCEPT $FW          net:$BACKUP_SERVERS  tcp    22<br>
</blockquote>
</blockquote>
<blockquote>    ----- end rules.mgmt -----<br>
</blockquote>
<blockquote>    shorewall/rules:<br>
</blockquote>
<blockquote>
<blockquote>    # Shorewall version 1.3 - Rules File<br>
   [..]<br>
   #######################################<br>
 <br>
   INCLUDE rules.mgmt     <br>
  <br>
   # rules unique to this host here<br>
   #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE<br>
</blockquote>
</blockquote>
<blockquote>    ----- end rules -----<br>
</blockquote>
<h2><a name="dnsnames"></a>Using DNS Names</h2>
<p align="left"> </p>
<p align="left"><b>WARNING: I personally recommend strongly <u>against</u>
using DNS names in Shorewall configuration files. If you use DNS
names and you are called out of bed at 2:00AM because Shorewall won't
start as a result of DNS problems then don't say that you were not forewarned.
<br>
</b></p>
<p align="left"><b>    -Tom<br>
</b></p>
<p align="left">Beginning with Shorwall 1.3.9, Host addresses in Shorewall
configuration files may be specified as either IP addresses or DNS
Names.<br>
<br>
DNS names in iptables rules aren't nearly as useful as
they first appear. When a DNS name appears in a rule, the iptables
utility resolves the name to one or more IP addresses and inserts
those addresses into the rule. So changes in the DNS-&gt;IP address
relationship that occur after the firewall has started have absolutely
no effect on the firewall's ruleset. </p>
<p align="left"> If your firewall rules include DNS names then:</p>
<ul>
<li>If your /etc/resolv.conf is wrong then your firewall
won't start.</li>
<li>If your /etc/nsswitch.conf is wrong then your firewall
won't start.</li>
<li>If your Name Server(s) is(are) down then your firewall
won't start.</li>
<li>If your startup scripts try to start your firewall
before starting your DNS server then your firewall won't start.<br>
</li>
<li>Factors totally outside your control (your ISP's
router is down for example), can prevent your firewall from starting.</li>
<li>You must bring up your network interfaces prior to
starting your firewall.<br>
</li>
</ul>
<p align="left"> Each DNS name much be fully qualified and include a minumum
of two periods (although one may be trailing). This restriction is
imposed by Shorewall to insure backward compatibility with existing
configuration files.<br>
<br>
Examples of valid DNS names:<br>
</p>
<ul>
<li>mail.shorewall.net</li>
<li>shorewall.net. (note the trailing period).</li>
</ul>
Examples of invalid DNS names:<br>
<ul>
<li>mail (not fully qualified)</li>
<li>shorewall.net (only one period)</li>
</ul>
DNS names may not be used as:<br>
<ul>
<li>The server address in a DNAT rule (/etc/shorewall/rules
file)</li>
<li>In the ADDRESS column of an entry in /etc/shorewall/masq.</li>
<li>In the /etc/shorewall/nat file.</li>
</ul>
These restrictions are not imposed by Shorewall simply
for your inconvenience but are rather limitations of iptables.<br>
<h2><a name="Compliment"></a>Complementing an Address or Subnet</h2>
<p>Where specifying an IP address, a subnet or an interface, you can precede
the item with "!" to specify the complement of the item. For example,
!192.168.1.4 means "any host but 192.168.1.4". There must be no white space
following the "!".</p>
<h2><a name="Lists"></a>Comma-separated Lists</h2>
<p>Comma-separated lists are allowed in a number of contexts within the
configuration files. A comma separated list:</p>
<ul>
<li>Must not have any embedded white space.<br>
Valid: routefilter,dhcp,norfc1918<br>
Invalid: routefilter,     dhcp,     norfc1818</li>
<li>If you use line continuation to break a comma-separated
list, the continuation line(s) must begin in column 1 (or
there would be embedded white space)</li>
<li>Entries in a comma-separated list may appear
in any order.</li>
</ul>
<h2><a name="Ports"></a>Port Numbers/Service Names</h2>
<p>Unless otherwise specified, when giving a port number you can use either
an integer or a service name from /etc/services. </p>
<h2><a name="Ranges"></a>Port Ranges</h2>
<p>If you need to specify a range of ports, the proper syntax is &lt;<i>low
port number</i>&gt;:&lt;<i>high port number</i>&gt;. For example,
if you want to forward the range of tcp ports 4000 through 4100 to
local host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
</p>
<pre> DNAT net loc:192.168.1.3 tcp 4000:4100<br></pre>
If you omit the low port number, a value of zero is assumed; if you omit
the high port number, a value of 65535 is assumed.<br>
<h2><a name="Variables"></a>Using Shell Variables</h2>
<p>You may use the /etc/shorewall/params file to set shell variables
that you can then use in some of the other configuration files.</p>
<p>It is suggested that variable names begin with an upper case letter<font
size="1"> </font>to distinguish them from variables used internally
within the Shorewall programs</p>
<p>Example:</p>
<blockquote>
<pre>NET_IF=eth0<br>NET_BCAST=130.252.100.255<br>NET_OPTIONS=routefilter,norfc1918</pre>
</blockquote>
<p><br>
Example (/etc/shorewall/interfaces record):</p>
<font
face="Century Gothic, Arial, Helvetica">
<blockquote>
<pre><font face="Courier">net $NET_IF $NET_BCAST $NET_OPTIONS</font></pre>
</blockquote>
</font>
<p>The result will be the same as if the record had been written</p>
<font
face="Century Gothic, Arial, Helvetica">
<blockquote>
<pre>net eth0 130.252.100.255 routefilter,norfc1918</pre>
</blockquote>
</font>
<p>Variables may be used anywhere in the other configuration
files.</p>
<h2><a name="MAC"></a>Using MAC Addresses</h2>
<p>Media Access Control (MAC) addresses can be used to specify packet
source in several of the configuration files. To use this
feature, your kernel must have MAC Address Match support (CONFIG_IP_NF_MATCH_MAC)
included.</p>
<p>MAC addresses are 48 bits wide and each Ethernet Controller has a unique
MAC address.<br>
<br>
In GNU/Linux, MAC addresses are usually written
as a series of 6 hex numbers separated by colons. Example:<br>
<br>
     [root@gateway root]# ifconfig eth0<br>
     eth0 Link encap:Ethernet HWaddr <b><u>02:00:08:E3:FA:55</u></b><br>
     inet addr:206.124.146.176 Bcast:206.124.146.255
Mask:255.255.255.0<br>
     UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br>
     RX packets:2398102 errors:0 dropped:0 overruns:0
frame:0<br>
     TX packets:3044698 errors:0 dropped:0 overruns:0
carrier:0<br>
     collisions:30394 txqueuelen:100<br>
     RX bytes:419871805 (400.4 Mb) TX bytes:1659782221
(1582.8 Mb)<br>
     Interrupt:11 Base address:0x1800<br>
<br>
Because Shorewall uses colons as a separator for
address fields, Shorewall requires MAC addresses to be written
in another way. In Shorewall, MAC addresses begin with a tilde
("~") and consist of 6 hex numbers separated by hyphens. In Shorewall,
the MAC address in the example above would be written "~02-00-08-E3-FA-55".<br>
</p>
<p><b>Note: </b>It is not necessary to use the special Shorewall notation
in the <a href="MAC_Validation.html">/etc/shorewall/maclist</a> file.<br>
</p>
<h2><a name="Levels"></a>Shorewall Configurations</h2>
<p> Shorewall allows you to have configuration directories other than /etc/shorewall.
The <a href="starting_and_stopping_shorewall.htm">shorewall start
and restart</a> commands allow you to specify an alternate configuration
directory and Shorewall will use the files in the alternate directory
rather than the corresponding files in /etc/shorewall. The alternate
directory need not contain a complete configuration; those files not
in the alternate directory will be read from /etc/shorewall.</p>
<p> This facility permits you to easily create a test or temporary configuration
by:</p>
<ol>
<li> copying the files that need modification
from /etc/shorewall to a separate directory;</li>
<li> modify those files in the separate directory;
and</li>
<li> specifying the separate directory in a shorewall
start or shorewall restart command (e.g., <i><b>shorewall -c /etc/testconfig
restart</b></i> )</li>
</ol>
<p><font size="2"> Updated 4/18/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p>
<br>
<br>
<br>
<br>
<br>
<br>
<p><b><font color="#ff0000">Warning: </font>If you copy or edit your configuration
files on a system running Microsoft Windows, you <u>must</u>
run them through <a
href="http://www.megaloman.com/%7Ehany/software/hd2u/"> dos2unix</a>
before you use them with Shorewall.</b></p>
<h2><a name="Files"></a>Files</h2>
<p>Shorewall's configuration files are in the directory /etc/shorewall.</p>
<ul>
<li>/etc/shorewall/shorewall.conf - used to set
several firewall parameters.</li>
<li>/etc/shorewall/params - use this file to
set shell variables that you will expand in other files.</li>
<li>/etc/shorewall/zones - partition the firewall's
view of the world into <i>zones.</i></li>
<li>/etc/shorewall/policy - establishes firewall
high-level policy.</li>
<li>/etc/shorewall/interfaces - describes the
interfaces on the firewall system.</li>
<li>/etc/shorewall/hosts - allows defining zones
in terms of individual hosts and subnetworks.</li>
<li>/etc/shorewall/masq - directs the firewall
where to use many-to-one (dynamic) Network Address Translation
(a.k.a. Masquerading) and Source Network Address Translation
(SNAT).</li>
<li>/etc/shorewall/modules - directs the firewall
to load kernel modules.</li>
<li>/etc/shorewall/rules - defines rules that
are exceptions to the overall policies established in /etc/shorewall/policy.</li>
<li>/etc/shorewall/nat - defines static NAT rules.</li>
<li>/etc/shorewall/proxyarp - defines use of
Proxy ARP.</li>
<li>/etc/shorewall/routestopped (Shorewall 1.3.4
and later) - defines hosts accessible when Shorewall is stopped.</li>
<li>/etc/shorewall/tcrules - defines marking
of packets for later use by traffic control/shaping or policy
routing.</li>
<li>/etc/shorewall/tos - defines rules for setting
the TOS field in packet headers.</li>
<li>/etc/shorewall/tunnels - defines IPSEC, GRE
and IPIP tunnels with end-points on the firewall system.</li>
<li>/etc/shorewall/blacklist - lists blacklisted
IP/subnet/MAC addresses.</li>
<li>/etc/shorewall/init - commands that you wish to execute at the
beginning of a "shorewall start" or "shorewall restart".</li>
<li>/etc/shorewall/start - commands that you wish to execute at
the completion of a "shorewall start" or "shorewall restart"</li>
<li>/etc/shorewall/stop - commands that you wish to execute at the
beginning of a "shorewall stop".</li>
<li>/etc/shorewall/stopped - commands that you wish to execute at
the completion of a "shorewall stop".</li>
<li>/etc/shorewall/ecn - disable Explicit Congestion Notification (ECN
- RFC 3168) to remote hosts or networks.<br>
</li>
</ul>
<h2><a name="Comments"></a>Comments</h2>
<p>You may place comments in configuration files by making the first non-whitespace
character a pound sign ("#"). You may also place comments
at the end of any line, again by delimiting the comment from
the rest of the line with a pound sign.</p>
<p>Examples:</p>
<pre># This is a comment</pre>
<pre>ACCEPT net fw tcp www #This is an end-of-line comment</pre>
<h2><a name="Continuation"></a>Line Continuation</h2>
<p>You may continue lines in the configuration files using the usual backslash
("\") followed immediately by a new line character.</p>
<p>Example:</p>
<pre>ACCEPT net fw tcp \<br>smtp,www,pop3,imap #Services running on the firewall</pre>
<h2><a name="INCLUDE"></a>IN<small><small></small></small>CLUDE Directive</h2>
Beginning with Shorewall version 1.4.2, any file may contain INCLUDE directives.
An INCLUDE directive consists of the word INCLUDE followed by a file name
and causes the contents of the named file to be logically included into
the file containing the INCLUDE. File names given in an INCLUDE directive
are assumed to reside in /etc/shorewall or in an alternate configuration
directory if one has been specified for the command.<br>
<br>
INCLUDE's may be nested to a level of 3 -- further nested INCLUDE directives
are ignored with a warning message.<big><big><br>
<br>
</big></big> Examples:<big> </big> <br>
<blockquote>    shorewall/params.mgmt:<br>
<blockquote>    MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3<br>
   TIME_SERVERS=4.4.4.4<br>
   BACKUP_SERVERS=5.5.5.5<br>
</blockquote>
   ----- end params.mgmt -----<br>
</blockquote>
<blockquote>    shorewall/params:<br>
</blockquote>
<blockquote>
<blockquote>    # Shorewall 1.3 /etc/shorewall/params<br>
   [..]<br>
   #######################################<br>
 <br>
   INCLUDE params.mgmt    <br>
  <br>
   # params unique to this host here<br>
   #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE<br>
</blockquote>
</blockquote>
<blockquote>    ----- end params -----<br>
</blockquote>
<blockquote>    shorewall/rules.mgmt:<br>
</blockquote>
<blockquote>
<blockquote>    ACCEPT net:$MGMT_SERVERS          $FW    tcp    22<br>
   ACCEPT $FW          net:$TIME_SERVERS    udp    123<br>
   ACCEPT $FW          net:$BACKUP_SERVERS  tcp    22<br>
</blockquote>
</blockquote>
<blockquote>    ----- end rules.mgmt -----<br>
</blockquote>
<blockquote>    shorewall/rules:<br>
</blockquote>
<blockquote>
<blockquote>    # Shorewall version 1.3 - Rules File<br>
   [..]<br>
   #######################################<br>
 <br>
   INCLUDE rules.mgmt     <br>
  <br>
   # rules unique to this host here<br>
   #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE<br>
</blockquote>
</blockquote>
<blockquote>    ----- end rules -----<br>
</blockquote>
<h2><a name="dnsnames"></a>Using DNS Names</h2>
<p align="left"> </p>
<p align="left"><b>WARNING: I personally recommend strongly <u>against</u>
using DNS names in Shorewall configuration files. If you use DNS
names and you are called out of bed at 2:00AM because Shorewall won't
start as a result of DNS problems then don't say that you were not
forewarned. <br>
</b></p>
<p align="left"><b>    -Tom<br>
</b></p>
<p align="left">Beginning with Shorewall 1.3.9, Host addresses in Shorewall
configuration files may be specified as either IP addresses or DNS
Names.<br>
<br>
DNS names in iptables rules aren't nearly as useful as
they first appear. When a DNS name appears in a rule, the iptables
utility resolves the name to one or more IP addresses and inserts
those addresses into the rule. So changes in the DNS-&gt;IP address
relationship that occur after the firewall has started have absolutely
no effect on the firewall's ruleset. </p>
<p align="left"> If your firewall rules include DNS names then:</p>
<ul>
<li>If your /etc/resolv.conf is wrong then your firewall
won't start.</li>
<li>If your /etc/nsswitch.conf is wrong then your firewall
won't start.</li>
<li>If your Name Server(s) is(are) down then your firewall
won't start.</li>
<li>If your startup scripts try to start your firewall
before starting your DNS server then your firewall won't start.<br>
</li>
<li>Factors totally outside your control (your ISP's
router is down for example), can prevent your firewall from starting.</li>
<li>You must bring up your network interfaces prior to
starting your firewall.<br>
</li>
</ul>
<p align="left"> Each DNS name much be fully qualified and include a minumum
of two periods (although one may be trailing). This restriction
is imposed by Shorewall to insure backward compatibility with existing
configuration files.<br>
<br>
Examples of valid DNS names:<br>
</p>
<ul>
<li>mail.shorewall.net</li>
<li>shorewall.net. (note the trailing period).</li>
</ul>
Examples of invalid DNS names:<br>
<ul>
<li>mail (not fully qualified)</li>
<li>shorewall.net (only one period)</li>
</ul>
DNS names may not be used as:<br>
<ul>
<li>The server address in a DNAT rule (/etc/shorewall/rules
file)</li>
<li>In the ADDRESS column of an entry in /etc/shorewall/masq.</li>
<li>In the /etc/shorewall/nat file.</li>
</ul>
These restrictions are not imposed by Shorewall simply
for your inconvenience but are rather limitations of iptables.<br>
<h2><a name="Compliment"></a>Complementing an Address or Subnet</h2>
<p>Where specifying an IP address, a subnet or an interface, you can precede
the item with "!" to specify the complement of the item. For example,
!192.168.1.4 means "any host but 192.168.1.4". There must be no white space
following the "!".</p>
<h2><a name="Lists"></a>Comma-separated Lists</h2>
<p>Comma-separated lists are allowed in a number of contexts within the
configuration files. A comma separated list:</p>
<ul>
<li>Must not have any embedded white space.<br>
Valid: routefilter,dhcp,norfc1918<br>
Invalid: routefilter,     dhcp,    
norfc1818</li>
<li>If you use line continuation to break a comma-separated
list, the continuation line(s) must begin in column 1 (or
there would be embedded white space)</li>
<li>Entries in a comma-separated list may appear
in any order.</li>
</ul>
<h2><a name="Ports"></a>Port Numbers/Service Names</h2>
<p>Unless otherwise specified, when giving a port number you can use either
an integer or a service name from /etc/services. </p>
<h2><a name="Ranges"></a>Port Ranges</h2>
<p>If you need to specify a range of ports, the proper syntax is &lt;<i>low
port number</i>&gt;:&lt;<i>high port number</i>&gt;. For
example, if you want to forward the range of tcp ports 4000 through
4100 to local host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
</p>
<pre> DNAT net loc:192.168.1.3 tcp 4000:4100<br></pre>
If you omit the low port number, a value of zero is assumed; if you omit
the high port number, a value of 65535 is assumed.<br>
<h2><a name="Variables"></a>Using Shell Variables</h2>
<p>You may use the /etc/shorewall/params file to set shell variables
that you can then use in some of the other configuration files.</p>
<p>It is suggested that variable names begin with an upper case letter<font
size="1"> </font>to distinguish them from variables used internally
within the Shorewall programs</p>
<p>Example:</p>
<blockquote>
<pre>NET_IF=eth0<br>NET_BCAST=130.252.100.255<br>NET_OPTIONS=routefilter,norfc1918</pre>
</blockquote>
<p><br>
Example (/etc/shorewall/interfaces record):</p>
<font
face="Century Gothic, Arial, Helvetica">
<blockquote>
<pre><font face="Courier">net $NET_IF $NET_BCAST $NET_OPTIONS</font></pre>
</blockquote>
</font>
<p>The result will be the same as if the record had been written</p>
<font
face="Century Gothic, Arial, Helvetica">
<blockquote>
<pre>net eth0 130.252.100.255 routefilter,norfc1918</pre>
</blockquote>
</font>
<p>Variables may be used anywhere in the other configuration
files.</p>
<h2><a name="MAC"></a>Using MAC Addresses</h2>
<p>Media Access Control (MAC) addresses can be used to specify packet
source in several of the configuration files. To use this
feature, your kernel must have MAC Address Match support (CONFIG_IP_NF_MATCH_MAC)
included.</p>
<p>MAC addresses are 48 bits wide and each Ethernet Controller has a unique
MAC address.<br>
<br>
In GNU/Linux, MAC addresses are usually written
as a series of 6 hex numbers separated by colons. Example:<br>
<br>
     [root@gateway root]# ifconfig eth0<br>
     eth0 Link encap:Ethernet HWaddr <b><u>02:00:08:E3:FA:55</u></b><br>
     inet addr:206.124.146.176 Bcast:206.124.146.255
Mask:255.255.255.0<br>
     UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br>
     RX packets:2398102 errors:0 dropped:0 overruns:0
frame:0<br>
     TX packets:3044698 errors:0 dropped:0 overruns:0
carrier:0<br>
     collisions:30394 txqueuelen:100<br>
     RX bytes:419871805 (400.4 Mb) TX bytes:1659782221
(1582.8 Mb)<br>
     Interrupt:11 Base address:0x1800<br>
<br>
Because Shorewall uses colons as a separator for
address fields, Shorewall requires MAC addresses to be written
in another way. In Shorewall, MAC addresses begin with a tilde
("~") and consist of 6 hex numbers separated by hyphens. In Shorewall,
the MAC address in the example above would be written "~02-00-08-E3-FA-55".<br>
</p>
<p><b>Note: </b>It is not necessary to use the special Shorewall notation
in the <a href="MAC_Validation.html">/etc/shorewall/maclist</a> file.<br>
</p>
<h2><a name="Levels"></a>Shorewall Configurations</h2>
<p> Shorewall allows you to have configuration directories other than /etc/shorewall.
The <a href="starting_and_stopping_shorewall.htm">shorewall check,
start and restart</a> commands allow you to specify an alternate
configuration directory and Shorewall will use the files in the alternate
directory rather than the corresponding files in /etc/shorewall. The
alternate directory need not contain a complete configuration; those
files not in the alternate directory will be read from /etc/shorewall.</p>
<p> This facility permits you to easily create a test or temporary configuration
by:</p>
<ol>
<li> copying the files that need modification
from /etc/shorewall to a separate directory;</li>
<li> modify those files in the separate directory;
and</li>
<li> specifying the separate directory in a
shorewall start or shorewall restart command (e.g., <i><b>shorewall
-c /etc/testconfig restart</b></i> )</li>
</ol>
The <a href="starting_and_stopping_shorewall.htm"><b>try</b> command</a>
allows you to attempt to restart using an alternate configuration and if
an error occurs to automatically restart the standard configuration.<br>
<p><font size="2"> Updated 6/29/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p>
</body>
</html>

282
Shorewall-docs/download.htm
View File

@ -1,191 +1,217 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Download</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Download</font></h1>
</td>
</tr>
</tbody>
</td>
</tr>
</tbody>
</table>
<p><b>I strongly urge you to read and print a copy of the <a
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
for the configuration that most closely matches your own.<br>
</b></p>
</b></p>
<p>The entire set of Shorewall documentation is available in PDF format at:</p>
<p>    <a href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a
    <a
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
    <a href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>
</p>
    <a
href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>
</p>
<p>The documentation in HTML format is included in the .rpm and in the
.tgz packages below.</p>
<p> Once you've printed the appropriate QuickStart Guide, download <u>
one</u> of the modules:</p>
<ul>
<li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>,
<b> Linux PPC</b> or <b> TurboLinux</b> distribution
with a 2.4 kernel, you can use the RPM version (note: the
<li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>,
<b> Linux PPC</b> or <b> TurboLinux</b> distribution
with a 2.4 kernel, you can use the RPM version (note: the
RPM should also work with other distributions that store
init scripts in /etc/init.d and that include chkconfig or
insserv). If you find that it works in other cases, let <a
init scripts in /etc/init.d and that include chkconfig or
insserv). If you find that it works in other cases, let <a
href="mailto:teastep@shorewall.net"> me</a> know so that
I can mention them here. See the <a href="Install.htm">Installation
Instructions</a> if you have problems installing the RPM.</li>
<li>If you are running LRP, download the .lrp file
(you might also want to download the .tgz so you will have a
copy of the documentation).</li>
<li>If you run <a href="http://www.debian.org"><b>Debian</b></a>
and would like a .deb package, Shorewall is included in both
the <a
I can mention them here. See the <a href="Install.htm">Installation
Instructions</a> if you have problems installing the RPM.</li>
<li>If you are running LRP, download the .lrp
file (you might also want to download the .tgz so you will
have a copy of the documentation).</li>
<li>If you run <a
href="http://www.debian.org"><b>Debian</b></a> and would
like a .deb package, Shorewall is included in both the <a
href="http://packages.debian.org/testing/net/shorewall.html">Debian
Testing Branch</a> and the <a
href="http://packages.debian.org/unstable/net/shorewall.html">Debian Unstable
Branch</a>.</li>
<li>Otherwise, download the <i>shorewall</i>
module (.tgz)</li>
Branch</a>.</li>
<li>Otherwise, download the <i>shorewall</i>
module (.tgz)</li>
</ul>
<p>The documentation in HTML format is included in the .tgz and .rpm files
and there is an documentation .deb that also contains the documentation.  The
.rpm will install the documentation in your default document directory
which can be obtained using the following command:<br>
</p>
<blockquote>
and there is an documentation .deb that also contains the documentation.  The
.rpm will install the documentation in your default document directory
which can be obtained using the following command:<br>
</p>
<blockquote>
<p><font color="#009900"><b>rpm --eval '%{defaultdocdir}'</b></font></p>
</blockquote>
</blockquote>
<p>Please check the <font color="#ff0000"> <a href="errata.htm"> errata</a></font>
to see if there are updates that apply to the version
that you have downloaded.</p>
to see if there are updates that apply to the version
that you have downloaded.</p>
<p><font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY INSTALL
THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed configuration
of your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.</b></font></p>
THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed configuration
of your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.</b></font></p>
<p><b></b></p>
<p><b>Download Sites:</b></p>
<blockquote>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>SERVER LOCATION</b></td>
<td><b>DOMAIN</b></td>
<td><b>HTTP</b></td>
<td><b>FTP</b></td>
</tr>
<tr>
<td>SourceForge<br>
</td>
<td>sf.net</td>
<td><a
<tbody>
<tr>
<td><b>SERVER LOCATION</b></td>
<td><b>DOMAIN</b></td>
<td><b>HTTP</b></td>
<td><b>FTP</b></td>
</tr>
<tr>
<td>SourceForge<br>
</td>
<td>sf.net</td>
<td><a
href="http://sourceforge.net/project/showfiles.php?group_id=22587">Browse</a></td>
<td>N/A</td>
</tr>
<tr>
<td>Slovak Republic</td>
<td>Shorewall.net</td>
<td><a
<td>N/A</td>
</tr>
<tr>
<td>Slovak Republic</td>
<td>Shorewall.net</td>
<td><a
href="http://slovakia.shorewall.net/pub/shorewall/">Browse</a></td>
<td> <a target="_blank"
<td> <a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/">Browse</a></td>
</tr>
<tr>
<td>Texas, USA</td>
<td>Infohiiway.com</td>
<td><a
</tr>
<tr>
<td>Texas, USA</td>
<td>Infohiiway.com</td>
<td><a
href="http://shorewall.infohiiway.com/pub/shorewall">Browse</a></td>
<td><a target="_blank"
<td><a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/">Browse</a></td>
</tr>
<tr>
<td>Hamburg, Germany</td>
<td>Shorewall.net</td>
<td><a
</tr>
<tr>
<td>Hamburg, Germany</td>
<td>Shorewall.net</td>
<td><a
href="http://germany.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a target="_blank"
<td><a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall">Browse</a></td>
</tr>
<tr>
<td>France</td>
<td>Shorewall.net</td>
<td><a
</tr>
<tr>
<td>France</td>
<td>Shorewall.net</td>
<td><a
href="http://france.shorewall.net/pub/shorewall/LATEST.lrp">Browse</a></td>
<td> <a target="_blank"
<td> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/">Browse</a></td>
</tr>
<tr>
<td valign="top">Taiwan<br>
</td>
<td valign="top">Greshko.com<br>
</td>
<td valign="top"><a
</tr>
<tr>
<td valign="top">Taiwan<br>
</td>
<td valign="top">Greshko.com<br>
</td>
<td valign="top"><a
href="http://shorewall.greshko.com/pub/shorewall/">Browse<br>
</a></td>
<td valign="top"><a
</a></td>
<td valign="top"><a
href="ftp://shorewall.greshko.com/pub/shorewall/" target="_top">Browse</a><br>
</td>
</tr>
<tr>
<td>Washington State, USA</td>
<td>Shorewall.net</td>
<td><a
</td>
</tr>
<tr>
<td valign="top">Argentina<br>
</td>
<td valign="top">Shorewall.net<br>
</td>
<td valign="top"><a
href="http://argentina.shorewall.net/pub/shorewall/shorewall">Browse</a><br>
</td>
<td valign="top">N/A<br>
</td>
</tr>
<tr>
<td>Washington State, USA</td>
<td>Shorewall.net</td>
<td><a
href="http://www.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a
<td><a
href="ftp://ftp.shorewall.net/pub/shorewall/" target="_blank">Browse</a></td>
</tr>
</tbody>
</tr>
</tbody>
</table>
</blockquote>
</blockquote>
<p align="left"><b>CVS:</b></p>
<blockquote>
<blockquote>
<p align="left">The <a target="_top"
href="http://cvs.shorewall.net/Shorewall_CVS_Access.html">CVS repository
at cvs.shorewall.net</a> contains the latest snapshots of the each
Shorewall component. There's no guarantee that what you find there
will work at all.<br>
</p>
</blockquote>
<p align="left"><font size="2">Last Updated 3/24/2003 - <a
at cvs.shorewall.net</a> contains the latest snapshots of the
each Shorewall component. There's no guarantee that what you
find there will work at all.<br>
</p>
</blockquote>
<p align="left"><b>Shapshots:<br>
</b></p>
<blockquote>
<p align="left">Periodic snapshots from CVS may be found at <a
href="http://shorewall.net/pub/shorewall/Snapshots/">http://shorewall.net/pub/shorewall/Snapshots</a>
(<a href="ftp://shorewall.net/pub/shorewall/Snapshots/" target="_top">FTP</a>).
These snapshots have undergone initial testing and will have been installed
and run at shorewall.net.<br>
</p>
</blockquote>
<p align="left"><font size="2">Last Updated 6/19/2003 - <a
href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
</p>
<br>
<br>
<br>
<br>
<br>

356
Shorewall-docs/myfiles.htm
View File

File diff suppressed because one or more lines are too long

161
Shorewall-docs/quotes.htm
View File

@ -1,108 +1,115 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Quotes from Shorewall Users</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Quotes from Shorewall Users</font></h1>
</td>
</tr>
</tbody>
</td>
</tr>
</tbody>
</table>
<p>"The configuration is intuitive and flexible, and much easier than any
of the other iptables-based firewall programs out there. After sifting through
many other scripts, it is obvious that yours is the most well thought-out
<font size="3">"I have fought with IPtables for untold hours. First I tried
the SuSE firewall, which worked for 80% of what I needed. Then gShield, which
also worked for 80%. Then I set out to write my own IPtables parser in shell
and awk, which was a lot of fun but never got me past the "hey, cool" stage.
Then I discovered Shorewall. After about an hour, everything just worked.
I am stunned, and very grateful"</font> -- ES, Phoenix AZ, USA.<br>
<p>"The configuration is intuitive and flexible, and much easier than any
of the other iptables-based firewall programs out there. After sifting through
many other scripts, it is obvious that yours is the most well thought-out
and complete one available." -- BC, USA</p>
<p>"I just installed Shorewall after weeks of messing with ipchains/iptables
<p>"I just installed Shorewall after weeks of messing with ipchains/iptables
and I had it up and running in under 20 minutes!" -- JL, Ohio<br>
</p>
"My case was almost like [the one above]. Well. instead of 'weeks' it was
'months' for me, and I think I needed two minutes more:<br>
</p>
"My case was almost like [the one above]. Well. instead of 'weeks' it
was 'months' for me, and I think I needed two minutes more:<br>
<ul>
<li>One to see that I had no Internet access from the firewall itself.</li>
<li>Other to see that this was the default configuration, and it was
<li>One to see that I had no Internet access from the firewall itself.</li>
<li>Other to see that this was the default configuration, and it was
enough to uncomment a line in /etc/shorewall/policy.<br>
</li>
</li>
</ul>
Minutes instead of months! Congratulations and thanks for such a simple
and well documented thing for something as huge as iptables." -- JV, Spain.
<p>"I downloaded Shorewall 1.2.0 and installed it on Mandrake 8.1 without
any problems. Your documentation is great and I really appreciate
your network configuration info. That really helped me out alot. THANKS!!!"
Minutes instead of months! Congratulations and thanks for such a simple
and well documented thing for something as huge as iptables." -- JV, Spain.
<p>"I downloaded Shorewall 1.2.0 and installed it on Mandrake 8.1 without
any problems. Your documentation is great and I really appreciate your
network configuration info. That really helped me out alot. THANKS!!!"
-- MM. </p>
<p>"[Shorewall is a] great, great project. I've used/tested may firewall
scripts but this one is till now the best." -- B.R, Netherlands
</p>
<p>"Never in my +12 year career as a sys admin have I witnessed someone
so relentless in developing a secure, state of the art, safe and useful
product as the Shorewall firewall package for no cost or obligation
involved." -- Mario Kerecki, Toronto </p>
<p>"one time more to report, that your great shorewall in the latest
release 1.2.9 is working fine for me with SuSE Linux 7.3! I now
have 7 machines up and running with shorewall on several versions -
starting with 1.2.2 up to the new 1.2.9 and I never have encountered
any problems!" -- SM, Germany</p>
<p>"You have the best support of any other package I've ever used."
<p>"[Shorewall is a] great, great project. I've used/tested may firewall
scripts but this one is till now the best." -- B.R, Netherlands
</p>
<p>"Never in my +12 year career as a sys admin have I witnessed someone
so relentless in developing a secure, state of the art, safe and useful
product as the Shorewall firewall package for no cost or obligation involved."
-- Mario Kerecki, Toronto </p>
<p>"one time more to report, that your great shorewall in the latest release
1.2.9 is working fine for me with SuSE Linux 7.3! I now have 7 machines
up and running with shorewall on several versions - starting with 1.2.2
up to the new 1.2.9 and I never have encountered any problems!" --
SM, Germany</p>
<p>"You have the best support of any other package I've ever used."
-- SE, US </p>
<p>"Because our company has information which has been classified by the
national government as secret, our security doesn't stop by putting a fence
around our company. Information security is a hot issue. We also make use
of checkpoint firewalls, but not all of the internet servers are guarded
by checkpoint, some of them are running....Shorewall." -- Name withheld
<p>"Because our company has information which has been classified by the
national government as secret, our security doesn't stop by putting a fence
around our company. Information security is a hot issue. We also make use
of checkpoint firewalls, but not all of the internet servers are guarded
by checkpoint, some of them are running....Shorewall." -- Name withheld
by request, Europe</p>
<p>"thanx for all your efforts you put into shorewall - this product stands
out against a lot of commercial stuff i´ve been working with in terms of
<p>"thanx for all your efforts you put into shorewall - this product stands
out against a lot of commercial stuff i´ve been working with in terms of
flexibillity, quality &amp; support" -- RM, Austria</p>
<p>"I have never seen such a complete firewall package that is so easy to
configure. I searched the Debian package system for firewall scripts and
<p>"I have never seen such a complete firewall package that is so easy to
configure. I searched the Debian package system for firewall scripts and
Shorewall won hands down." -- RG, Toronto</p>
<p>"My respects... I've just found and installed Shorewall 1.3.3-1 and it
is a wonderful piece of software. I've just sent out an email to about
30 people recommending it. :-)<br>
While I had previously taken the time (maybe 40 hours) to really understand
ipchains, then spent at least an hour per server customizing and carefully
scrutinizing firewall rules, I've got shorewall running on my home firewall,
with rulesets and policies that I know make sense, in under 20 minutes."
<p>"My respects... I've just found and installed Shorewall 1.3.3-1 and it
is a wonderful piece of software. I've just sent out an email to about 30
people recommending it. :-)<br>
While I had previously taken the time (maybe 40 hours) to really understand
ipchains, then spent at least an hour per server customizing and carefully
scrutinizing firewall rules, I've got shorewall running on my home firewall,
with rulesets and policies that I know make sense, in under 20 minutes."
-- RP, Guatamala<br>
<br>
 </p>
<p><font size="2" face="Century Gothic, Arial, Helvetica">Updated 3/18/2003
- <a href="support.htm">Tom Eastep</a> </font>
</p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
<br>
 </p>
<p><font size="2" face="Century Gothic, Arial, Helvetica">Updated 7/1/2003
- <a href="support.htm">Tom Eastep</a> </font>
</p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br>
<br>
</body>

590
Shorewall-docs/seattlefirewall_index.htm
View File

@ -2,67 +2,74 @@
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.4</title>
<base target="_self">
<base target="_self">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="4"
style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c">
<tbody>
<tbody>
<tr>
<tr>
<td width="33%" height="90" valign="middle"
<td width="33%" height="90" valign="middle"
align="left"><a href="http://www.cityofshoreline.com"><img
src="images/washington.jpg" alt="" width="97" height="80" hspace="4"
border="0">
</a></td>
<td valign="middle" width="34%" align="center">
</a></td>
<td valign="middle" width="34%" align="center">
<h1><font color="#ffffff">Shorewall 1.4</font><i><font
color="#ffffff"> <small><small><small>"iptables made easy"</small></small></small></font></i></h1>
</td>
<td valign="middle">
</td>
<td valign="middle">
<h1 align="center"><a href="http://www.shorewall.net"
target="_top"><img border="0" src="images/shorewall.jpg" width="119"
height="38" hspace="4" alt="(Shorewall Logo)" align="right" vspace="4">
</a></h1>
<br>
</td>
</tr>
</a></h1>
<br>
</td>
</tr>
</tbody>
</tbody>
</table>
<div align="center">
<center>
<div align="center">
<center>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody>
<tbody>
<tr>
<tr>
<td width="90%">
<td width="90%">
<h2 align="left">What is it?</h2>
<p>The Shoreline Firewall, more commonly known as "Shorewall", is a
<a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
that can be used on a dedicated firewall system, a multi-function
@ -70,34 +77,36 @@
<p>This program is free software; you can redistribute it and/or modify
it
under the terms of <a
it
under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
General Public License</a> as published by the Free Software
Foundation.<br>
<br>
<br>
This program is distributed in the
hope that it will be useful, but WITHOUT
ANY WARRANTY; without even the implied
warranty of MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE. See the GNU General
Public License for more details.<br>
This program is distributed in the
hope that it will be useful, but WITHOUT
ANY WARRANTY; without even the implied
warranty of MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE. See the GNU General
Public License for more details.<br>
<br>
<br>
You should have received a copy of
the GNU General Public License
along with this program; if not, write to
the Free Software Foundation, Inc.,
675 Mass Ave, Cambridge, MA 02139, USA</p>
You should have received a copy of
the GNU General Public License
along with this program; if not, write to
the Free Software Foundation, Inc.,
675 Mass Ave, Cambridge, MA 02139, USA</p>
<p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p>
@ -106,360 +115,305 @@ the GNU General Public License
<h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
If so, almost <b>NOTHING </b>on this site will apply directly
to your setup. If you want to use the documentation that you find here,
it is best if you uninstall what you have and install a setup that
matches the documentation on this site. See the <a
If so, the documentation<b> </b>on this site will not apply
directly to your setup. If you want to use the documentation that you
find here, you will want to consider uninstalling what you have and installing
a setup that matches the documentation on this site. See the <a
href="two-interface.htm">Two-interface QuickStart Guide</a> for details.<br>
<h2> Getting Started with Shorewall</h2>
New to Shorewall? Start by selecting the <a
New to Shorewall? Start by selecting the <a
href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most closely
match your environment and follow the step by step instructions.<br>
match your environment and follow the step by step instructions.<br>
<h2>News</h2>
<p><b>6/17/2003 - Shorewall-1.4.5</b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
<p>Problems Corrected:<br>
</p>
<ol>
<li>The command "shorewall debug try &lt;directory&gt;" now correctly
traces the attempt.</li>
<li>The INCLUDE directive now works properly in the zones file; previously,
INCLUDE in that file was ignored.</li>
<li>/etc/shorewall/routestopped records with an empty second column
are no longer ignored.<br>
</li>
</ol>
<p>New Features:<br>
</p>
<ol>
<li>The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-] rule may
now contain a list of addresses. If the list begins with "!' then the rule
will take effect only if the original destination address in the connection
request does not match any of the addresses listed.</li>
</ol>
<p><b>6/15/2003 - Shorewall, Kernel 2.4.21 and iptables 1.2.8</b><b>
</b><b><img border="0" src="images/new10.gif" width="28"
height="12" alt="(New)">
</b></p>
<p>The firewall at shorewall.net has been upgraded to the 2.4.21 kernel
and iptables 1.2.8 (using the "official" RPM from netfilter.org). No problems
have been encountered with this set of software. The Shorewall version is
1.4.4b plus the accumulated changes for 1.4.5.<br>
</p>
<p><b>6/8/2003 - Updated Samples</b><b> </b></p>
<p>Thanks to Francesca Smith, the samples have been updated to Shorewall
version 1.4.4.</p>
<p><b>5/29/2003 - Shorewall-1.4.4b</b><b> </b></p>
<p>Groan -- This version corrects a problem whereby the --log-level
was not being set when logging via syslog. The most commonly reported symptom
was that Shorewall messages were being written to the console even though
console logging was correctly configured per <a href="FAQ.htm#faq16">FAQ
16</a>.<br>
</p>
<p><b>5/27/2003 - Shorewall-1.4.4a</b><b> </b></p>
The Fireparse --log-prefix fiasco continues. Tuomo Soini has pointed
out that the code in 1.4.4 restricts the length of short zone names to
4 characters. I've produced version 1.4.4a that restores the previous
5-character limit by conditionally omitting the log rule number when
the LOGFORMAT doesn't contain '%d'.
<p><b>5/23/2003 - Shorewall-1.4.4</b><b> </b><b>
</b></p>
I apologize for the rapid-fire releases but since there is a potential
configuration change required to go from 1.4.3a to 1.4.4, I decided to
make it a full release rather than just a bug-fix release. <br>
<br>
<b> Problems corrected:</b><br>
<blockquote>None.<br>
</blockquote>
<b> New Features:<br>
</b>
<ol>
<li>A REDIRECT- rule target has been added. This target
behaves for REDIRECT in the same way as DNAT- does for DNAT in that the
Netfilter nat table REDIRECT rule is added but not the companion filter
table ACCEPT rule.<br>
<br>
</li>
<li>The LOGMARKER variable has been renamed LOGFORMAT and
has been changed to a 'printf' formatting template which accepts three
arguments (the chain name, logging rule number and the disposition).
To use LOGFORMAT with fireparse (<a href="http://www.fireparse.com">http://www.fireparse.com</a>),
set it as:<br>
<br>
LOGFORMAT="fp=%s:%d a=%s "<br>
<br>
<b>CAUTION: </b>/sbin/shorewall uses the leading part of the
LOGFORMAT string (up to but not including the first '%') to find log
messages in the 'show log', 'status' and 'hits' commands. This part should
not be omitted (the LOGFORMAT should not begin with "%") and the leading
part should be sufficiently unique for /sbin/shorewall to identify Shorewall
messages.<br>
<br>
</li>
<li>When logging is specified on a DNAT[-] or REDIRECT[-]
rule, the logging now takes place in the nat table rather than in the
filter table. This way, only those connections that actually undergo DNAT
or redirection will be logged.<br>
</li>
</ol>
<p><b>5/20/2003 - Shorewall-1.4.3a</b><br>
</p>
This version primarily corrects the documentation included in
the .tgz and in the .rpm. In addition: <br>
<ol>
<li>(This change is in 1.4.3 but is not documented) If
you are running iptables 1.2.7a and kernel 2.4.20, then Shorewall will
return reject replies as follows:<br>
a) tcp - RST<br>
b) udp - ICMP port unreachable<br>
c) icmp - ICMP host unreachable<br>
d) Otherwise - ICMP host prohibited<br>
If you are running earlier software, Shorewall will follow it's
traditional convention:<br>
a) tcp - RST<br>
b) Otherwise - ICMP port unreachable</li>
<li>UDP port 135 is now silently dropped in the common.def
chain. Remember that this chain is traversed just before a DROP or REJECT
policy is enforced.<br>
</li>
</ol>
<p><b>5/18/2003 - Shorewall 1.4.3</b><br>
</p>
<b>Problems Corrected:<br>
</b>
<ol>
<li>There were several cases where Shorewall would fail
to remove a temporary directory from /tmp. These cases have been corrected.</li>
<li>The rules for allowing all traffic via the loopback
interface have been moved to before the rule that drops status=INVALID
packets. This insures that all loopback traffic is allowed even if
Netfilter connection tracking is confused.</li>
</ol>
<b>New Features:<br>
</b>
<ol>
<li> <a href="6to4.htm">IPV6-IPV4 (6to4) tunnels are</a>
now supported in the /etc/shorewall/tunnels file.</li>
<li>You may now change the leading portion of the --log-prefix
used by Shorewall using the LOGMARKER variable in shorewall.conf. By
default, "Shorewall:" is used.<br>
</li>
</ol>
<p><b>5/10/2003 - Shorewall Mirror in Asia</b><b> </b><br>
</p>
Ed Greshko has established a mirror in Taiwan -- Thanks
Ed!
<p><b>5/8/2003 - Shorewall Mirror in Chile</b><b> </b></p>
<p>Thanks to Darcy Ganga, there is now an HTTP mirror in Santiago Chile.<br>
</p>
<p><b>4/26/2003 - lists.shorewall.net Downtime</b><b> </b></p>
<p>The list server will be down this morning for upgrade to RH9.0.<br>
</p>
<p><b>4/21/2003 - Samples updated for Shorewall version 1.4.2</b><b>
</b></p>
<p>Thanks to Francesca Smith, the sample configurations are now upgraded
to Shorewall version 1.4.2.</p>
<p><b>4/12/2002 - Greater Seattle Linux Users Group Presentation</b><b>
</b></p>
<blockquote>This morning, I gave <a href="GSLUG.htm" target="_top">a
Shorewall presentation to GSLUG</a>. The presentation
is in HTML format but was generated from Microsoft PowerPoint and
is best viewed using Internet Explorer (although Konqueror also seems
to work reasonably well as does Opera 7.1.0). Neither Opera 6 nor
Netscape work well to view the presentation.<br>
</blockquote>
<p><b>7/4/2003 - Shorewall-1.4.6 Beta 1</b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
<br>
</b></p>
<blockquote><a href="http://shorewall.net/pub/shorewall/testing">http://shorewall.net/pub/shorewall/testing</a><br>
<a href="ftp://shorewall.net/pub/shorewall/testing"
target="_top">ftp://shorewall.net/pub/shorewall/testing</a><br>
</blockquote>
<p><b>Problems Corrected:</b><br>
</p>
<ol>
<li>A problem seen on RH7.3 systems where Shorewall encountered
start errors when started using the "service" mechanism has been worked around.<br>
<br>
</li>
<li>Previously, where a list of IP addresses appears in the DEST
column of a DNAT[-] rule, Shorewall incorrectly created multiple DNAT rules
in the nat table (one for each element in the list). Shorewall now correctly
creates a single DNAT rule with multiple "--to-destination" clauses.<br>
</li>
</ol>
<p><b>New Features:</b><br>
</p>
<ol>
<li>A 'newnotsyn' interface option has been added. This option
may be specified in /etc/shorewall/interfaces and overrides the setting
NEWNOTSYN=No for packets arriving on the associated interface.<br>
<br>
</li>
<li>The means for specifying a range of IP addresses in /etc/shorewall/masq
to use for SNAT is now documented. ADD_SNAT_ALIASES=Yes is enabled for address
ranges.<br>
<br>
</li>
<li>Shorewall can now add IP addresses to subnets other than the
first one on an interface.<br>
<br>
</li>
<li>DNAT[-] rules may now be used to load balance (round-robin)
over a set of servers. Up to 256 servers may be specified in a range of addresses
given as &lt;first address&gt;-&lt;last address&gt;.<br>
<br>
Example:<br>
<br>
    DNAT net loc:192.168.10.2-192.168.10.5 tcp 80<br>
<br>
Note that this capability has previously been available using a combination
of a DNAT- rule and one or more ACCEPT rules. That technique is still preferable
for load-balancing over a large number of servers (&gt; 16) since specifying
a range in the DNAT rule causes one filter table ACCEPT rule to be generated
for each IP address in the range.<br>
<br>
</li>
<li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration
options have been removed and have been replaced by code that detects whether
these capabilities are present in the current kernel. The output of the start,
restart and check commands have been enhanced to report the outcome:<br>
<br>
Shorewall has detected the following iptables/netfilter capabilities:<br>
   NAT: Available<br>
   Packet Mangling: Available<br>
   Multi-port Match: Available<br>
Verifying Configuration...<br>
<br>
</li>
<li>Support for the Connection Tracking Match Extension has been
added. This extension is available in recent kernel/iptables releases and
allows for rules which match against elements in netfilter's connection
tracking table. Shorewall automatically detects the availability of this
extension and reports its availability in the output of the start, restart
and check commands.<br>
<br>
Shorewall has detected the following iptables/netfilter capabilities:<br>
   NAT: Available<br>
   Packet Mangling: Available<br>
   Multi-port Match: Available<br>
   Connection Tracking Match: Available<br>
   Verifying Configuration...<br>
<br>
If this extension is available, the ruleset generated by Shorewall is
changed in the following ways:</li>
<ul>
<li>To handle 'norfc1918' filtering, Shorewall will not create
chains in the mangle table but will rather do all 'norfc1918' filtering
in the filter table (rfc1918 chain).</li>
<li>Recall that Shorewall DNAT rules generate two netfilter rules;
one in the nat table and one in the filter table. If the Connection Tracking
Match Extension is available, the rule in the filter table is extended to
check that the original destination address was the same as specified (or
defaulted to) in the DNAT rule.<br>
<br>
</li>
</ul>
<li>The shell used to interpret the firewall script (/usr/share/shorewall/firewall)
may now be specified using the SHOREWALL_SHELL parameter in shorewall.conf.</li>
</ol>
<p><b>6/17/2003 - Shorewall-1.4.5</b><b> </b></p>
<p>Problems Corrected:<br>
</p>
<ol>
<li>The command "shorewall debug try &lt;directory&gt;" now correctly
traces the attempt.</li>
<li>The INCLUDE directive now works properly in the zones file;
previously, INCLUDE in that file was ignored.</li>
<li>/etc/shorewall/routestopped records with an empty second
column are no longer ignored.<br>
</li>
</ol>
<p>New Features:<br>
</p>
<ol>
<li>The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-] rule
may now contain a list of addresses. If the list begins with "!' then the
rule will take effect only if the original destination address in the connection
request does not match any of the addresses listed.</li>
</ol>
<p><b>6/15/2003 - Shorewall, Kernel 2.4.21 and iptables 1.2.8</b><b>
</b></p>
<p>The firewall at shorewall.net has been upgraded to the 2.4.21 kernel
and iptables 1.2.8 (using the "official" RPM from netfilter.org). No problems
have been encountered with this set of software. The Shorewall version
is 1.4.4b plus the accumulated changes for 1.4.5.<br>
</p>
<p><b>6/8/2003 - Updated Samples</b><b> </b></p>
<p>Thanks to Francesca Smith, the samples have been updated to Shorewall
version 1.4.4.</p>
<p><b></b></p>
<ol>
</ol>
<blockquote>
<ol>
</ol>
</blockquote>
<p><a href="News.htm">More News</a></p>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36"
alt="(Leaf Logo)">
</a>Jacques Nilo and Eric Wolzak
have a LEAF (router/firewall/gateway on
a floppy, CD or compact flash) distribution
called <i>Bering</i> that features
Shorewall-1.3.14 and Kernel-2.4.20. You
can find their work at: <a
</a>Jacques Nilo and Eric Wolzak
have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution
called <i>Bering</i> that features
Shorewall-1.4.2 and Kernel-2.4.20. You
can find their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
</a></p>
</a></p>
<b>Congratulations to Jacques and Eric on the recent release
of Bering 1.2!!! </b><br>
<b>Congratulations to Jacques and Eric on the recent
release of Bering 1.2!!! </b><br>
<h2><a name="Donations"></a>Donations</h2>
</td>
</td>
<td width="88" bgcolor="#4b017c" valign="top"
<td width="88" bgcolor="#4b017c" valign="top"
align="center">
<form method="post"
action="http://lists.shorewall.net/cgi-bin/htsearch">
<strong><br>
<font
<font
color="#ffffff"><b>Note: </b></font></strong><font
color="#ffffff">Search is unavailable Daily 0200-0330 GMT.</font><br>
<strong></strong>
<strong></strong>
<p><font color="#ffffff"><strong>Quick Search</strong></font><br>
<font
<font
face="Arial" size="-1"> <input type="text" name="words"
size="15"></font><font size="-1"> </font> <font face="Arial"
size="-1"> <input type="hidden" name="format" value="long"> <input
type="hidden" name="method" value="and"> <input type="hidden"
name="config" value="htdig"> <input type="submit" value="Search"></font>
</p>
<font
</p>
<font
face="Arial"> <input type="hidden" name="exclude"
value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
<p><font color="#ffffff"><b><a
href="http://lists.shorewall.net/htdig/search.html"><font
color="#ffffff">Extended Search</font></a></b></font></p>
<br>
</td>
<br>
</td>
</tr>
</tr>
</tbody>
</tbody>
</table>
</center>
</center>
</div>
</div>
<table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c">
<tbody>
<tbody>
<tr>
<tr>
<td width="100%" style="margin-top: 1px;"
<td width="100%" style="margin-top: 1px;"
valign="middle">
<p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10" alt="(Starlight Logo)">
</a></p>
</a></p>
<p align="center"><font size="4" color="#ffffff"><br>
<font size="+2"> Shorewall is free but if you try it and find
it useful, please consider making a donation
to <a
<font size="+2"> Shorewall is free but if you try it and
find it useful, please consider making a donation
to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight Children's
Foundation.</font></a> Thanks!</font></font></p>
Foundation.</font></a> Thanks!</font></font></p>
</td>
</td>
</tr>
</tr>
</tbody>
</tbody>
</table>
<p><font size="2">Updated 6/17/2003 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
<p><font size="2">Updated 7/4/2003 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
<br>
<br>
<br>
</body>
</html>

170
Shorewall-docs/shorewall_extension_scripts.htm
View File

@ -1,126 +1,114 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall Extension Scripts</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Extension Scripts</font></h1>
</td>
</tr>
</tbody>
</td>
</tr>
</tbody>
</table>
<p> Extension scripts are user-provided scripts that are invoked at various
points during firewall start, restart, stop and clear. The scripts are
placed in /etc/shorewall and are processed using the Bourne shell "source"
mechanism. The following scripts can be supplied:</p>
points during firewall start, restart, stop and clear. The scripts are
placed in /etc/shorewall and are processed using the Bourne shell "source"
mechanism.<br>
</p>
<p><font color="#ff0000"><b>Caution: <br>
</b></font></p>
<ol>
<li><font color="#ff0000"><b>Be sure that you actually need to use an extension
script to do what you want. Shorewall has a wide range of features that cover
most requirements.</b></font></li>
<li><font color="#ff0000"><b>DO NOT SIMPLY COPY RULES THAT YOU FIND ON
THE NET INTO AN EXTENSION SCRIPT AND EXPECT THEM TO WORK AND TO NOT BREAK
SHOREWALL. TO USE SHOREWALL EXTENSION SCRIPTS YOU MUST KNOW WHAT YOU ARE DOING
WITH RESPECT TO iptables/Netfilter</b></font></li>
</ol>
<p>The following scripts can be supplied:</p>
<ul>
<li>init -- invoked early in "shorewall start" and "shorewall
restart"</li>
<li>start -- invoked after the firewall has been started or restarted.</li>
<li>stop -- invoked as a first step when the firewall is being stopped.</li>
<li>stopped -- invoked after the firewall has been stopped.</li>
<li>clear -- invoked after the firewall has been cleared.</li>
<li>refresh -- invoked while the firewall is being refreshed but before
the common and/or blacklst chains have been rebuilt.</li>
<li>newnotsyn (added in version 1.3.6) -- invoked after the 'newnotsyn'
chain has been created but before any rules have been added to it.</li>
<li>init -- invoked early in "shorewall start" and "shorewall
restart"</li>
<li>start -- invoked after the firewall has been started or restarted.</li>
<li>stop -- invoked as a first step when the firewall is being stopped.</li>
<li>stopped -- invoked after the firewall has been stopped.</li>
<li>clear -- invoked after the firewall has been cleared.</li>
<li>refresh -- invoked while the firewall is being refreshed but before
the common and/or blacklst chains have been rebuilt.</li>
<li>newnotsyn (added in version 1.3.6) -- invoked after the 'newnotsyn'
chain has been created but before any rules have been added to it.</li>
</ul>
<p><u><b>If your version of Shorewall doesn't have the file that you want
to use from the above list, you can simply create the file yourself.</b></u></p>
to use from the above list, you can simply create the file yourself.</b></u></p>
<p> You can also supply a script with the same name as any of the filter
chains in the firewall and the script will be invoked after the /etc/shorewall/rules
file has been processed but before the /etc/shorewall/policy file has
been processed.</p>
chains in the firewall and the script will be invoked after the /etc/shorewall/rules
file has been processed but before the /etc/shorewall/policy file has
been processed.</p>
<p>The /etc/shorewall/common file receives special treatment. If this file
is present, the rules that it defines will totally replace the default
rules in the common chain. These default rules are contained in the
file /etc/shorewall/common.def which may be used as a starting point
for making your own customized file.</p>
is present, the rules that it defines will totally replace the default
rules in the common chain. These default rules are contained in
the file /etc/shorewall/common.def which may be used as a starting
point for making your own customized file.</p>
<p> Rather than running iptables directly, you should run it using the
function run_iptables. Similarly, rather than running "ip" directly,
you should use run_ip. These functions accept the same arguments as the
underlying command but cause the firewall to be stopped if an error occurs
during processing of the command.</p>
function run_iptables. Similarly, rather than running "ip" directly, you
should use run_ip. These functions accept the same arguments as the underlying
command but cause the firewall to be stopped if an error occurs during processing
of the command.</p>
<p> If you decide to create /etc/shorewall/common it is a good idea to use
the following technique</p>
<p> /etc/shorewall/common:</p>
<blockquote>
<blockquote>
<pre>. /etc/shorewall/common.def<br>&lt;add your rules here&gt;</pre>
</blockquote>
</blockquote>
<p>If you need to supercede a rule in the released common.def file, you can
add the superceding rule before the '.' command. Using this technique allows
you to add new rules while still getting the benefit of the latest common.def
file.</p>
add the superceding rule before the '.' command. Using this technique
allows you to add new rules while still getting the benefit of the latest
common.def file.</p>
<p>Remember that /etc/shorewall/common defines rules that are only applied
if the applicable policy is DROP or REJECT. These rules are NOT applied
if the policy is ACCEPT or CONTINUE.</p>
<p align="left"><font size="2">Last updated 2/18/2003 - <a
if the applicable policy is DROP or REJECT. These rules are NOT applied
if the policy is ACCEPT or CONTINUE<br>
</p>
<p> </p>
<p align="left"><font size="2">Last updated 6/30/2003 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002, 2003
Thomas M. Eastep</font></a></p>
Thomas M. Eastep</font></a></p>
<br>
<br>
<br>
<br>
</body>
</html>

115
Shorewall-docs/shorewall_mirrors.htm
View File

@ -1,93 +1,96 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Mirrors</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Mirrors</font></h1>
</td>
</tr>
</tbody>
</td>
</tr>
</tbody>
</table>
<p align="left"><b>Remember that updates to the mirrors are often delayed
for 6-12 hours after an update to the primary rsync site. For HTML content,
the main web site (<a href="http://shorewall.sf.net">http://shorewall.sf.net</a>)
<p align="left"><b>Remember that updates to the mirrors are often delayed
for 6-12 hours after an update to the primary rsync site. For HTML content,
the main web site (<a href="http://shorewall.sf.net">http://shorewall.sf.net</a>)
is updated at the same time as the rsync site.</b></p>
<p align="left">The main Shorewall Web Site is <a
href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>
href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>
and is located in California, USA. It is mirrored at:</p>
<ul>
<li><a target="_top" href="http://slovakia.shorewall.net"> http://slovakia.shorewall.net</a>
<li><a target="_top" href="http://slovakia.shorewall.net"> http://slovakia.shorewall.net</a>
(Slovak Republic).</li>
<li> <a href="http://www.infohiiway.com/shorewall"
<li> <a href="http://www.infohiiway.com/shorewall"
target="_top"> http://shorewall.infohiiway.com</a> (Texas, USA).</li>
<li><a target="_top" href="http://germany.shorewall.net"> http://germany.shorewall.net</a>
<li><a target="_top" href="http://germany.shorewall.net"> http://germany.shorewall.net</a>
(Hamburg, Germany)</li>
<li><a target="_top"
href="http://france.shorewall.net">http://france.shorewall.net</a>
(Paris, France)</li>
<li><a href="http://shorewall.syachile.cl" target="_top">http://shorewall.syachile.cl
</a>(Santiago Chile)</li>
<li><a href="http://shorewall.greshko.com" target="_top">http://shorewall.greshko.com</a>
(Taipei, Taiwan)<br>
</li>
<li><a href="http://www.shorewall.net" target="_top">http://www.shorewall.net</a>
<li><a target="_top"
href="http://france.shorewall.net">http://france.shorewall.net</a>
(Paris, France)</li>
<li><a href="http://shorewall.syachile.cl" target="_top">http://shorewall.syachile.cl
</a>(Santiago Chile)</li>
<li><a href="http://shorewall.greshko.com" target="_top">http://shorewall.greshko.com</a>
(Taipei, Taiwan)</li>
<li><a href="http://argentina.shorewall.net" target="_top">http://argentina.shorewall.net</a>
(Argentina)<br>
</li>
<li><a href="http://www.shorewall.net" target="_top">http://www.shorewall.net</a>
(Washington State, USA)<br>
</li>
</li>
</ul>
<p align="left">The rsync site is mirrored via FTP at:</p>
<ul>
<li><a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/">ftp://slovakia.shorewall.net/mirror/shorewall</a>
<li><a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/">ftp://slovakia.shorewall.net/mirror/shorewall</a>
(Slovak Republic).</li>
<li> <a
href="ftp://ftp.infohiiway.com/pub/mirrors/shorewall/" target="_blank">ftp://ftp.infohiiway.com/pub/shorewall</a>
(Texas, USA).</li>
<li><a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall"> ftp://germany.shorewall.net/pub/shorewall</a>
<li> <a
href="ftp://ftp.infohiiway.com/pub/mirrors/shorewall/" target="_blank">ftp://ftp.infohiiway.com/pub/shorewall</a>
(Texas, USA).</li>
<li><a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall"> ftp://germany.shorewall.net/pub/shorewall</a>
(Hamburg, Germany)</li>
<li> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall">ftp://france.shorewall.net/pub/mirrors/shorewall</a>
<li> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall">ftp://france.shorewall.net/pub/mirrors/shorewall</a>
(Paris, France)</li>
<li><a href="ftp://shorewall.greshko.com/pub/shorewall" target="_top">ftp://shorewall.greshko.com</a>
(Taipei, Taiwan)</li>
<li><a href="ftp://ftp.shorewall.net/pub/shorewall" target="_blank">ftp://ftp.shorewall.net
</a>(Washington State, USA)<br>
</li>
<li><a href="ftp://shorewall.greshko.com/pub/shorewall"
target="_top">ftp://shorewall.greshko.com</a> (Taipei, Taiwan)</li>
<li><a href="ftp://ftp.shorewall.net/pub/shorewall" target="_blank">ftp://ftp.shorewall.net
</a>(Washington State, USA)<br>
</li>
</ul>
Search results and the mailing list archives are always fetched from
the site in Washington State.<br>
<p align="left"><font size="2">Last Updated 6/5/2003 - <a
Search results and the mailing list archives are always fetched from
the site in Washington State.<br>
<p align="left"><font size="2">Last Updated 6/19/2003 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br>
<br>
<br>
<br>

90
Shorewall-docs/shorewall_prerequisites.htm
View File

@ -1,68 +1,80 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Prerequisites</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Requirements</font></h1>
</td>
</tr>
</tbody>
</td>
</tr>
</tbody>
</table>
<br>
Shorewall Requires:<br>
<br>
Shorewall Requires:<br>
<ul>
<li>A kernel that supports netfilter. I've tested with 2.4.2 - 2.4.20.
With current releases of Shorewall, Traffic Shaping/Control requires at least
2.4.18.  <a href="kernel.htm"> Check here for kernel configuration
information.</a> If you are looking for a firewall for use with
2.2 kernels, <a href="http://seawall.sf.net"> see the Seattle Firewall
site</a> .</li>
<li>iptables 1.2 or later but beware version 1.2.3 -- see the <a
<li>A kernel that supports netfilter. I've tested with 2.4.2 - 2.4.20.
With current releases of Shorewall, Traffic Shaping/Control requires at
least 2.4.18.  <a href="kernel.htm"> Check here for kernel configuration
information.</a> If you are looking for a firewall for use with
2.2 kernels, <a href="http://seawall.sf.net"> see the Seattle
Firewall site</a> .</li>
<li>iptables 1.2 or later but beware version 1.2.3 -- see the <a
href="errata.htm">Errata</a>. <font color="#ff0000"><b>WARNING: </b></font>The
buggy iptables version 1.2.3 is included in RedHat 7.2 and you should
upgrade to iptables 1.2.4 prior to installing Shorewall. Version 1.2.4
is available <a
buggy iptables version 1.2.3 is included in RedHat 7.2 and you should
upgrade to iptables 1.2.4 prior to installing Shorewall. Version 1.2.4
is available <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">from RedHat</a>
and in the <a href="errata.htm">Shorewall Errata</a>. </li>
<li>Iproute ("ip" utility). The iproute package is included with
most distributions but may not be installed by default. The official
download site is <a href="ftp://ftp.inr.ac.ru/ip-routing"
and in the <a href="errata.htm">Shorewall Errata</a>. </li>
<li>Iproute ("ip" utility). The iproute package is included
with most distributions but may not be installed by default. The official
download site is <a href="ftp://ftp.inr.ac.ru/ip-routing"
target="_blank"> <font face="Century Gothic, Arial, Helvetica">f</font>tp://ftp.inr.ac.ru/ip-routing</a>.
</li>
<li>A Bourne shell or derivative such as bash or ash. This shell
must have correct support for variable expansion formats ${<i>variable</i>%<i>pattern</i>
}, ${<i>variable</i>%%<i>pattern</i>}, ${<i>variable</i>#<i>pattern</i>
} and ${<i>variable</i>##<i>pattern</i>}.</li>
<li>Must produce a sensible result when a number n (128 &lt;= n &lt;= 255)
is left shifted by 24 bits. You can check this at a shell prompt by:</li>
<ul>
<li>echo $((128 &lt;&lt; 24))<br>
</li>
<li>A Bourne shell or derivative such as bash or ash. This shell must
have correct support for variable expansion formats ${<i>variable</i>%<i>pattern</i>
}, ${<i>variable</i>%%<i>pattern</i>}, ${<i>variable</i>#<i>pattern</i>
} and ${<i>variable</i>##<i>pattern</i>}.</li>
<li>The firewall monitoring display is greatly improved if you have
awk (gawk) installed.</li>
<li>The result must be either 2147483648 or -2147483648.<br>
</li>
</ul>
<li>The firewall monitoring display is greatly improved if you have
awk (gawk) installed.</li>
</ul>
<p align="left"><font size="2">Last updated 3/19/2003 - <a
<p align="left"><font size="2">Last updated 7/4/2003 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br>
<br>
<br>
<br>

4566
Shorewall-docs/shorewall_setup_guide.htm
View File

File diff suppressed because it is too large Load Diff

652
Shorewall-docs/sourceforge_index.htm
View File

@ -2,488 +2,474 @@
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.3</title>
<title>Shoreline Firewall (Shorewall) 1.4</title>
<base target="_self">
<base target="_self">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="4"
style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c">
<tbody>
<tbody>
<tr>
<tr>
<td width="33%" height="90" valign="middle"
<td width="33%" height="90" valign="middle"
align="left"><a href="http://www.cityofshoreline.com"><img
src="images/washington.jpg" alt="" width="97" height="80" hspace="4"
border="0">
</a></td>
<td valign="middle" width="34%" align="center">
</a></td>
<td valign="middle" width="34%" align="center">
<h1><font color="#ffffff">Shorewall 1.4</font><i><font
color="#ffffff"> <small><small><small>"iptables made easy"</small></small></small></font></i></h1>
</td>
<td valign="middle">
</td>
<td valign="middle">
<h1 align="center"><a href="http://www.shorewall.net"
target="_top"><br>
</a></h1>
<br>
</td>
</tr>
</a></h1>
<br>
</td>
</tr>
</tbody>
</tbody>
</table>
<div align="center">
<center>
<div align="center">
<center>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody>
<tbody>
<tr>
<tr>
<td width="90%">
<td width="90%">
<h2 align="left">What is it?</h2>
<p>The Shoreline Firewall, more commonly known as "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a>
(iptables) based firewall that can be used
on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system.</p>
a <a
href="http://www.netfilter.org">Netfilter</a> (iptables)
based firewall that can be used on a dedicated
firewall system, a multi-function gateway/router/server
or on a standalone GNU/Linux system.</p>
<p>This program is free software; you can redistribute it and/or modify
it
under the terms of <a
it under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the
GNU General Public License</a> as published by the Free Software
Foundation.<br>
<br>
<br>
This program is distributed in the
hope that it will be useful, but WITHOUT
ANY WARRANTY; without even the implied
warranty of MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE. See the GNU General
Public License for more details.<br>
This program is distributed in the
hope that it will be useful, but WITHOUT
ANY WARRANTY; without even the implied
warranty of MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE. See the GNU General
Public License for more details.<br>
<br>
<br>
You should have received a copy of
the GNU General Public License
along with this program; if not, write to
the Free Software Foundation, Inc.,
675 Mass Ave, Cambridge, MA 02139, USA</p>
You should have received a copy
of the GNU General Public License
along with this program; if not, write
to the Free Software Foundation,
Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
<p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p>
<h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
If so, almost <b>NOTHING </b>on this site will apply directly
to your setup. If you want to use the documentation that you find here,
it is best if you uninstall what you have and install a setup that matches
the documentation on this site. See the <a href="two-interface.htm">Two-interface
QuickStart Guide</a> for details.<br>
<h2>Getting Started with Shorewall</h2>
New to Shorewall? Start by selecting the <a
href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most closely
match your environment and follow the step by step instructions.<br>
<h2><b>News</b></h2>
<b> </b>
<p><b>6/17/2003 - Shorewall-1.4.5</b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
<p>Problems Corrected:<br>
</p>
<ol>
<li>The command "shorewall debug try &lt;directory&gt;" now correctly
traces the attempt.</li>
<li>The INCLUDE directive now works properly in the zones file; previously,
INCLUDE in that file was ignored.</li>
<li>/etc/shorewall/routestopped records with an empty second column
are no longer ignored.<br>
</li>
</ol>
<p>New Features:<br>
</p>
<ol>
<li>The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-] rule may
now contain a list of addresses. If the list begins with "!' then the rule
will take effect only if the original destination address in the connection
request does not match any of the addresses listed.</li>
</ol>
<p><b>6/15/2003 - Shorewall, Kernel 2.4.21 and iptables 1.2.8</b><b>
</b><b><img border="0" src="images/new10.gif" width="28"
height="12" alt="(New)">
</b></p>
The firewall at shorewall.net has been upgraded to the 2.4.21 kernel and
iptables 1.2.8 (using the "official" RPM from netfilter.org). No problems
have been encountered with this set of software. The Shorewall version is
1.4.4b plus the accumulated changes for 1.4.5.
<p><b>6/8/2003 - Updated Samples</b><b> </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
<p>Thanks to Francesca Smith, the samples have been updated to Shorewall
version 1.4.4.</p>
<p><b>5/29/2003 - Shorewall-1.4.4b</b><b> </b></p>
<p>Groan -- This version corrects a problem whereby the --log-level
was not being set when logging via syslog. The most commonly reported symptom
was that Shorewall messages were being written to the console even though
console logging was correctly configured per <a href="FAQ.htm#faq16">FAQ
16</a>.<br>
</p>
<p><b>5/27/2003 - Shorewall-1.4.4a</b><b> </b></p>
The Fireparse --log-prefix fiasco continues. Tuomo Soini has pointed
out that the code in 1.4.4 restricts the length of short zone names to
4 characters. I've produced version 1.4.4a that restores the previous 5-character
limit by conditionally omitting the log rule number when the LOGFORMAT
doesn't contain '%d'.
<p><b>5/23/2003 - Shorewall-1.4.4</b><b> </b><b>
</b></p>
I apologize for the rapid-fire releases but since there is a potential
configuration change required to go from 1.4.3a to 1.4.4, I decided to
make it a full release rather than just a bug-fix release. <br>
<br>
<b>    Problems corrected:</b><br>
<blockquote>None.<br>
</blockquote>
<b>    New Features:<br>
</b>
<ol>
<li>A REDIRECT- rule target has been added. This target behaves
for REDIRECT in the same way as DNAT- does for DNAT in that the Netfilter
nat table REDIRECT rule is added but not the companion filter table ACCEPT
rule.<br>
<br>
</li>
<li>The LOGMARKER variable has been renamed LOGFORMAT and
has been changed to a 'printf' formatting template which accepts three
arguments (the chain name, logging rule number and the disposition). To
use LOGFORMAT with fireparse (<a href="http://www.fireparse.com">http://www.fireparse.com</a>),
set it as:<br>
 <br>
       LOGFORMAT="fp=%s:%d a=%s "<br>
 <br>
<b>CAUTION: </b>/sbin/shorewall uses the leading part of the
LOGFORMAT string (up to but not including the first '%') to find log messages
in the 'show log', 'status' and 'hits' commands. This part should not
be omitted (the LOGFORMAT should not begin with "%") and the leading part
should be sufficiently unique for /sbin/shorewall to identify Shorewall
messages.<br>
<br>
</li>
<li>When logging is specified on a DNAT[-] or REDIRECT[-]
rule, the logging now takes place in the nat table rather than in the filter
table. This way, only those connections that actually undergo DNAT or redirection
will be logged.</li>
</ol>
<p><b>5/20/2003 - Shorewall-1.4.3a</b><b> </b><b>
</b><br>
</p>
This version primarily corrects the documentation included in the
.tgz and in the .rpm. In addition: <br>
<ol>
<li>(This change is in 1.4.3 but is not documented) If
you are running iptables 1.2.7a and kernel 2.4.20, then Shorewall will
return reject replies as follows:<br>
   a) tcp - RST<br>
   b) udp - ICMP port unreachable<br>
   c) icmp - ICMP host unreachable<br>
   d) Otherwise - ICMP host prohibited<br>
If you are running earlier software, Shorewall will follow it's
traditional convention:<br>
   a) tcp - RST<br>
   b) Otherwise - ICMP port unreachable</li>
<li>UDP port 135 is now silently dropped in the common.def
chain. Remember that this chain is traversed just before a DROP or REJECT
policy is enforced.<br>
</li>
</ol>
<p><b>5/18/2003 - Shorewall 1.4.3</b><br>
</p>
    <b>Problems Corrected:<br>
</b>
<ol>
<li>There were several cases where Shorewall would fail
to remove a temporary directory from /tmp. These cases have been corrected.</li>
<li>The rules for allowing all traffic via the loopback
interface have been moved to before the rule that drops status=INVALID
packets. This insures that all loopback traffic is allowed even if Netfilter
connection tracking is confused.</li>
</ol>
    <b>New Features:<br>
</b>
<ol>
<li><a href="6to4.htm"> </a><a href="6to4.htm">IPV6-IPV4
(6to4) tunnels </a>are now supported in the /etc/shorewall/tunnels
file.</li>
<li value="2">You may now change the leading portion
of the --log-prefix used by Shorewall using the LOGMARKER variable in
shorewall.conf. By default, "Shorewall:" is used.<br>
</li>
</ol>
<p><b>5/10/2003 - Shorewall Mirror in Asia</b><b> </b><br>
</p>
Ed Greshko has established a mirror in Taiwan -- Thanks
Ed!
<p><b>5/8/2003 - Shorewall Mirror in Chile</b><b>  </b></p>
<p>Thanks to Darcy Ganga, there is now an HTTP mirror in Santiago Chile.<br>
</p>
If so, the documentation<b> </b>on this site will not apply
directly to your setup. If you want to use the documentation that
you find here, you will want to consider uninstalling what you have and
installing a setup that matches the documentation on this site. See
the <a href="two-interface.htm">Two-interface QuickStart Guide</a>
for details.<br>
<p><b>4/26/2003 - lists.shorewall.net Downtime</b><b>  </b></p>
<h2>Getting Started with Shorewall</h2>
New to Shorewall? Start by selecting the <a
href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most closely
match your environment and follow the step by step instructions.<br>
<p>The list server will be down this morning for upgrade to RH9.0.<br>
</p>
<h2><b>News</b></h2>
<b> </b>
<p><b>4/21/2003 - Samples updated for Shorewall version 1.4.2</b><b>
</b></p>
<p><b>7/4/2003 - Shorewall-1.4.6 Beta 1</b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
<br>
</b></p>
<blockquote><a href="http://shorewall.net/pub/shorewall/testing">http://shorewall.net/pub/shorewall/testing</a><br>
<a href="ftp://shorewall.net/pub/shorewall/testing" target="_top">ftp://shorewall.net/pub/shorewall/testing</a><br>
</blockquote>
<p><b>Problems Corrected:</b><br>
</p>
<ol>
<li>A problem seen on RH7.3 systems where Shorewall encountered
start errors when started using the "service" mechanism has been worked around.<br>
<br>
</li>
<li>Previously, where a list of IP addresses appears in the DEST
column of a DNAT[-] rule, Shorewall incorrectly created multiple DNAT rules
in the nat table (one for each element in the list). Shorewall now correctly
creates a single DNAT rule with multiple "--to-destination" clauses.<br>
</li>
</ol>
<p><b>New Features:</b><br>
</p>
<ol>
<li>A 'newnotsyn' interface option has been added. This option
may be specified in /etc/shorewall/interfaces and overrides the setting
NEWNOTSYN=No for packets arriving on the associated interface.<br>
<br>
</li>
<li>The means for specifying a range of IP addresses in /etc/shorewall/masq
to use for SNAT is now documented. ADD_SNAT_ALIASES=Yes is enabled for address
ranges.<br>
<br>
</li>
<li>Shorewall can now add IP addresses to subnets other than the
first one on an interface.<br>
<br>
</li>
<li>DNAT[-] rules may now be used to load balance (round-robin)
over a set of servers. Up to 256 servers may be specified in a range of addresses
given as &lt;first address&gt;-&lt;last address&gt;.<br>
<br>
Example:<br>
<br>
    DNAT net loc:192.168.10.2-192.168.10.5 tcp 80<br>
<br>
Note that this capability has previously been available using a combination
of a DNAT- rule and one or more ACCEPT rules. That technique is still preferable
for load-balancing over a large number of servers (&gt; 16) since specifying
a range in the DNAT rule causes one filter table ACCEPT rule to be generated
for each IP address in the range.<br>
<br>
</li>
<li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration
options have been removed and have been replaced by code that detects whether
these capabilities are present in the current kernel. The output of the start,
restart and check commands have been enhanced to report the outcome:<br>
<br>
Shorewall has detected the following iptables/netfilter capabilities:<br>
   NAT: Available<br>
   Packet Mangling: Available<br>
   Multi-port Match: Available<br>
Verifying Configuration...<br>
<br>
</li>
<li>Support for the Connection Tracking Match Extension has been
added. This extension is available in recent kernel/iptables releases and
allows for rules which match against elements in netfilter's connection
tracking table. Shorewall automatically detects the availability of this
extension and reports its availability in the output of the start, restart
and check commands.<br>
<br>
Shorewall has detected the following iptables/netfilter capabilities:<br>
   NAT: Available<br>
   Packet Mangling: Available<br>
   Multi-port Match: Available<br>
   Connection Tracking Match: Available<br>
   Verifying Configuration...<br>
<br>
If this extension is available, the ruleset generated by Shorewall is
changed in the following ways:</li>
<ul>
<li>To handle 'norfc1918' filtering, Shorewall will not create
chains in the mangle table but will rather do all 'norfc1918' filtering
in the filter table (rfc1918 chain).</li>
<li>Recall that Shorewall DNAT rules generate two netfilter rules;
one in the nat table and one in the filter table. If the Connection Tracking
Match Extension is available, the rule in the filter table is extended to
check that the original destination address was the same as specified (or
defaulted to) in the DNAT rule.<br>
<br>
</li>
</ul>
<li>The shell used to interpret the firewall script (/usr/share/shorewall/firewall)
may now be specified using the SHOREWALL_SHELL parameter in shorewall.conf.</li>
</ol>
<p><b>6/17/2003 - Shorewall-1.4.5</b><b> </b></p>
<p>Problems Corrected:<br>
</p>
<ol>
<li>The command "shorewall debug try &lt;directory&gt;" now correctly
traces the attempt.</li>
<li>The INCLUDE directive now works properly in the zones file;
previously, INCLUDE in that file was ignored.</li>
<li>/etc/shorewall/routestopped records with an empty second
column are no longer ignored.<br>
</li>
<p>Thanks to Francesca Smith, the sample configurations are now upgraded
to Shorewall version 1.4.2.</p>
<p><b>4/12/2002 - Greater Seattle Linux Users Group Presentation</b><b>
</b></p>
<blockquote> This morning, I gave <a href="GSLUG.htm"
target="_top">a Shorewall presentation to GSLUG</a>. The presentation
is in HTML format but was generated from Microsoft PowerPoint
and is best viewed using Internet Explorer (although Konqueror also
seems to work reasonably well as does Opera 7.1.0). Neither Opera
6 nor Netscape work well to view the presentation.</blockquote>
</ol>
<p>New Features:<br>
</p>
<ol>
<li>The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-] rule
may now contain a list of addresses. If the list begins with "!' then the
rule will take effect only if the original destination address in the connection
request does not match any of the addresses listed.</li>
</ol>
<p><b>6/15/2003 - Shorewall, Kernel 2.4.21 and iptables 1.2.8</b><b>
</b></p>
The firewall at shorewall.net has been upgraded to the 2.4.21 kernel
and iptables 1.2.8 (using the "official" RPM from netfilter.org). No problems
have been encountered with this set of software. The Shorewall version
is 1.4.4b plus the accumulated changes for 1.4.5.
<p><b>6/8/2003 - Updated Samples</b><b> </b></p>
<p>Thanks to Francesca Smith, the samples have been updated to Shorewall
version 1.4.4.</p>
<p><b></b></p>
<ol>
</ol>
<p><b></b></p>
<p><b></b></p>
<blockquote>
<ol>
</ol>
</blockquote>
</blockquote>
<p><a href="file:///Z:/Shorewall-docs/News.htm"></a></p>
<b> </b>
<p><b><a href="News.htm">More News</a></b></p>
<b> </b>
<p><a href="file:///Z:/Shorewall-docs/News.htm"></a></p>
<b> </b>
<p><b><a href="News.htm">More News</a></b></p>
<b> </b>
<h2><b> </b></h2>
<b> </b>
<b> </b>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36"
alt="(Leaf Logo)">
</a>Jacques Nilo and Eric Wolzak
have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution
called <i>Bering</i> that features
Shorewall-1.3.14 and Kernel-2.4.20. You
can find their work at: <a
</a>Jacques Nilo and Eric Wolzak
have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution
called <i>Bering</i> that features
Shorewall-1.4.2 and Kernel-2.4.20. You
can find their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
<b>Congratulations to Jacques and
Eric on the recent release of Bering 1.2!!!
</b><br>
<b>Congratulations to Jacques and
Eric on the recent release of Bering 1.2!!!
</b><br>
<h1 align="center"><b><a href="http://www.sf.net"><img
align="left" alt="SourceForge Logo"
src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3">
</a></b></h1>
<b> </b>
</a></b></h1>
<b> </b>
<h4><b> </b></h4>
<b> </b>
<b> </b>
<h2><b>This site is hosted by the generous folks at <a
href="http://www.sf.net">SourceForge.net</a> </b></h2>
<b> </b>
<b> </b>
<h2><b><a name="Donations"></a>Donations</b></h2>
<b> </b></td>
<b> </b></td>
<td width="88" bgcolor="#4b017c" valign="top"
align="center">
<td width="88" bgcolor="#4b017c"
valign="top" align="center">
<form method="post"
action="http://lists.shorewall.net/cgi-bin/htsearch">
<p><strong><br>
<font color="#ffffff"><b>Note: </b></font></strong>
<font color="#ffffff">Search is unavailable Daily 0200-0330
GMT.</font><br>
 </p>
<font color="#ffffff"><b>Note: </b></font></strong>
<font color="#ffffff">Search is unavailable Daily 0200-0330
GMT.</font><br>
 </p>
<p><font color="#ffffff"><strong>Quick Search</strong></font><br>
<font face="Arial" size="-1"> <input
<font face="Arial" size="-1"> <input
type="text" name="words" size="15"></font><font size="-1"> </font><font
face="Arial" size="-1"> <input type="hidden" name="format"
value="long"> <input type="hidden" name="method" value="and">
<input type="hidden" name="config" value="htdig"> <input
type="submit" value="Search"></font> </p>
<font face="Arial"> <input
<font face="Arial"> <input
type="hidden" name="exclude"
value="[http://lists.shorewall.net/pipermail/*]"> </font>
</form>
<p><font color="#ffffff"><b> <a
href="http://lists.shorewall.net/htdig/search.html"> <font
color="#ffffff">Extended Search</font></a></b></font></p>
<a target="_top"
<a target="_top"
href="file:///vfat/Shorewall-docs/1.3/index.html"><font color="#ffffff">
</font></a><a target="_top"
</font></a><a target="_top"
href="http://www1.shorewall.net/1.2/index.htm"><font color="#ffffff"><small><small><small></small></small></small></font></a><br>
</td>
</td>
</tr>
</tr>
</tbody>
</tbody>
</table>
</center>
</center>
</div>
</div>
<table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c">
<tbody>
<tbody>
<tr>
<tr>
<td width="100%" style="margin-top: 1px;">
<td width="100%" style="margin-top: 1px;">
<p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10">
</a></p>
</a></p>
<p align="center"><font size="4" color="#ffffff"><br>
<font size="+2">Shorewall is free but if you try it and find
it useful, please consider making a donation
to <a
<font size="+2">Shorewall is free but if you try it and
find it useful, please consider making a donation
to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight Children's
Foundation.</font></a> Thanks!</font></font></p>
Foundation.</font></a> Thanks!</font></font></p>
</td>
</td>
</tr>
</tr>
</tbody>
</tbody>
</table>
<p><font size="2">Updated 6/17/2003 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
<p><font size="2">Updated 7/4/2003 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
<br>
<br>
<br>
</body>
</html>

485
Shorewall-docs/support.htm
View File

@ -1,81 +1,82 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall Support Guide</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90">
<tbody>
<tr>
<td
width="100%">
<tbody>
<tr>
<td
width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Support Guide<img
src="images/obrasinf.gif" alt="" width="90" height="90" align="middle">
</font></h1>
</td>
</tr>
</tbody>
</font></h1>
</td>
</tr>
</tbody>
</table>
<h2>Before Reporting a Problem or Asking a Question<br>
</h2>
There
are a number of sources of Shorewall information. Please try these
before you post.
</h2>
There
are a number of sources of Shorewall information. Please try
these before you post.
<ul>
<li>Shorewall versions earlier
<li>Shorewall versions earlier
that 1.3.0 are no longer supported.<br>
</li>
<li>More than half of the questions posted on the support
</li>
<li>More than half of the questions posted on the support
list have answers directly accessible from the <a
href="http://www.shorewall.net/shorewall_quickstart_guide.htm#Documentation">Documentation
Index</a><br>
</li>
<li>
The <a href="http://www.shorewall.net/FAQ.htm">FAQ</a> has
href="http://www.shorewall.net/shorewall_quickstart_guide.htm#Documentation">Documentation
Index</a><br>
</li>
<li>
The <a href="http://www.shorewall.net/FAQ.htm">FAQ</a> has
solutions to more than 20 common problems. </li>
<li> The
<a href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a>
Information contains a number of tips to help
you solve common problems. </li>
<li> The
<a href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a>
Information contains a number of tips to
help you solve common problems. </li>
<li> The
<a href="http://www.shorewall.net/errata.htm"> Errata</a> has links
to download updated components. </li>
<li> The
Site and Mailing List Archives search facility can locate
<a href="http://www.shorewall.net/errata.htm"> Errata</a> has
links to download updated components. </li>
<li> The
Site and Mailing List Archives search facility can locate
documents and posts about similar problems: </li>
</ul>
<h2>Site and Mailing List Archive Search</h2>
<blockquote>
<blockquote>
<form method="post"
action="http://lists.shorewall.net/cgi-bin/htsearch"> <font size="-1"> Match:
action="http://lists.shorewall.net/cgi-bin/htsearch"> <font size="-1"> Match:
<select name="method">
<option value="and">All </option>
<option value="or">Any </option>
<option value="boolean">Boolean </option>
</select>
Format:
Format:
<select name="format">
<option value="builtin-long">Long </option>
<option value="builtin-short">Short </option>
</select>
Sort by:
Sort by:
<select name="sort">
<option value="score">Score </option>
<option value="time">Time </option>
@ -84,248 +85,246 @@ help you solve common problems. </li>
<option value="revtime">Reverse Time </option>
<option value="revtitle">Reverse Title </option>
</select>
</font><input type="hidden" name="config"
</font><input type="hidden" name="config"
value="htdig"><input type="hidden" name="restrict" value=""><font
size="-1"> Include Mailing List Archives:
size="-1"> Include Mailing List Archives:
<select size="1" name="exclude">
<option value="">Yes</option>
<option value="[http://lists.shorewall.net/pipermail/.*]">No</option>
</select>
</font><br>
Search: <input type="text" size="30" name="words"
</font><br>
Search: <input type="text" size="30" name="words"
value=""> <input type="submit" value="Search"><br>
</form>
</blockquote>
</form>
</blockquote>
<h2>Problem Reporting Guidelines<br>
</h2>
</h2>
<ul>
<li>Please remember we only know
what is posted in your message. Do not leave out any information
that appears to be correct, or was mentioned in a previous
post. There have been countless posts by people who were sure
that some part of their configuration was correct when it actually
contained a small error. We tend to be skeptics where detail
is lacking.<br>
<br>
</li>
<li>Please keep in mind that you're
asking for <strong>free</strong> technical support.
Any help we offer is an act of generosity, not an obligation.
Try to make it easy for us to help you. Follow good, courteous
practices in writing and formatting your e-mail. Provide details that
we need if you expect good answers. <em>Exact quoting </em> of
error messages, log entries, command output, and other output is better
than a paraphrase or summary.<br>
<br>
</li>
<li>
Please don't describe your environment and then ask
us to send you custom configuration files. We're
here to answer your questions but we can't do
<li>Please remember we only know
what is posted in your message. Do not leave out any information
that appears to be correct, or was mentioned in a previous
post. There have been countless posts by people who were sure
that some part of their configuration was correct when it actually
contained a small error. We tend to be skeptics where detail
is lacking.<br>
<br>
</li>
<li>Please keep in mind that you're
asking for <strong>free</strong> technical support.
Any help we offer is an act of generosity, not an obligation.
Try to make it easy for us to help you. Follow good, courteous
practices in writing and formatting your e-mail. Provide details that
we need if you expect good answers. <em>Exact quoting </em> of error
messages, log entries, command output, and other output is better than
a paraphrase or summary.<br>
<br>
</li>
<li>
Please don't describe your environment and then ask
us to send you custom configuration files. We're
here to answer your questions but we can't do
your job for you.<br>
<br>
</li>
<li>When reporting a problem, <strong>ALWAYS</strong>
include this information:</li>
<br>
</li>
<li>When reporting a problem, <strong>ALWAYS</strong>
include this information:</li>
</ul>
<ul>
<ul>
<li>the exact version of Shorewall
you are running.<br>
<br>
<b><font color="#009900">shorewall
version</font><br>
</b> <br>
</li>
<li>the exact version of Shorewall
you are running.<br>
<br>
<b><font color="#009900">shorewall
version</font><br>
</b> <br>
</li>
</ul>
<ul>
<li>the exact kernel version you
are running<br>
<br>
<font color="#009900"><b>uname
-a<br>
<br>
</b></font></li>
<li>the exact kernel version
you are running<br>
<br>
<font color="#009900"><b>uname
-a<br>
<br>
</b></font></li>
</ul>
<ul>
<li>the complete, exact output
of<br>
<br>
<font color="#009900"><b>ip
<li>the complete, exact output
of<br>
<br>
<font color="#009900"><b>ip
addr show<br>
<br>
</b></font></li>
<br>
</b></font></li>
</ul>
<ul>
<li>the complete, exact output
of<br>
<br>
<font color="#009900"><b>ip
<li>the complete, exact output
of<br>
<br>
<font color="#009900"><b>ip
route show<br>
<br>
</b></font></li>
<br>
</b></font></li>
</ul>
<ul>
<li>If your kernel is modularized,
the exact output from<br>
<br>
<font color="#009900"><b>lsmod</b></font><br>
</li>
<li>If your kernel is modularized,
the exact output from<br>
<br>
<font color="#009900"><b>lsmod</b></font><br>
</li>
</ul>
</ul>
<ul>
<ul>
<li><font color="#ff0000"><u><i><big><b>If you are having
<li><font color="#ff0000"><u><i><big><b>If you are having
connection problems of any kind then:</b></big></i></u></font><br>
<br>
1. <b><font color="#009900">/sbin/shorewall reset</font></b><br>
<br>
2. Try the connection that is failing.<br>
<br>
3.<b><font color="#009900"> /sbin/shorewall status
&gt; /tmp/status.txt</font></b><br>
<br>
4. Post the /tmp/status.txt file as an attachment.<br>
<br>
</li>
<li>the exact wording of any <code
<br>
1. <b><font color="#009900">/sbin/shorewall
reset</font></b><br>
<br>
2. Try the connection that is failing.<br>
<br>
3.<b><font color="#009900"> /sbin/shorewall
status &gt; /tmp/status.txt</font></b><br>
<br>
4. Post the /tmp/status.txt file as an attachment.<br>
<br>
</li>
<li>the exact wording of any <code
style="color: green; font-weight: bold;">ping</code> failure responses<br>
<br>
</li>
<li>If you installed Shorewall using one of the QuickStart
<br>
</li>
<li>If you installed Shorewall using one of the QuickStart
Guides, please indicate which one. <br>
<br>
</li>
<li><b>If you are running Shorewall under Mandrake using
<br>
</li>
<li><b>If you are running Shorewall under Mandrake using
the Mandrake installation of Shorewall, please say so.<br>
<br>
</b></li>
<br>
</b></li>
</ul>
<li>As a general matter, please <strong>do not edit the diagnostic
information</strong> in an attempt to conceal your IP address,
netmask, nameserver addresses, domain name, etc. These aren't
secrets, and concealing them often misleads us (and 80% of the time,
a hacker could derive them anyway from information contained
in the SMTP headers of your post).<br>
<br>
<strong></strong></li>
<li>Do you see any "Shorewall" messages ("<b><font
color="#009900">/sbin/shorewall show log</font></b>") when
you exercise the function that is giving you problems? If
so, include the message(s) in your post along with a copy of your /etc/shorewall/interfaces
file.<br>
<br>
</li>
<li>Please include any of the Shorewall configuration
files (especially the /etc/shorewall/hosts file
if you have modified that file) that you think are
relevant. If you include /etc/shorewall/rules, please include
/etc/shorewall/policy as well (rules are meaningless unless
one also knows the policies).<br>
<br>
</li>
<li>If an error occurs when you try to "<font
color="#009900"><b>shorewall start</b></font>", include a trace
(See the <a href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a>
section for instructions).<br>
<br>
</li>
<li><b>The list server limits posts to 120kb so don't
post GIFs of your network layout, etc.
to the Mailing List -- your post will be rejected.</b></li>
<li>As a general matter, please <strong>do not edit the diagnostic
information</strong> in an attempt to conceal your IP address,
netmask, nameserver addresses, domain name, etc. These aren't
secrets, and concealing them often misleads us (and 80% of the time,
a hacker could derive them anyway from information contained in
the SMTP headers of your post).<br>
<br>
<strong></strong></li>
<li>Do you see any "Shorewall" messages
("<b><font color="#009900">/sbin/shorewall show log</font></b>")
when you exercise the function that is giving you problems?
If so, include the message(s) in your post along with a copy of
your /etc/shorewall/interfaces file.<br>
<br>
</li>
<li>Please include any of the Shorewall configuration
files (especially the /etc/shorewall/hosts file
if you have modified that file) that you think are
relevant. If you include /etc/shorewall/rules, please include
/etc/shorewall/policy as well (rules are meaningless unless
one also knows the policies).<br>
<br>
</li>
<li>If an error occurs when you try to
"<font color="#009900"><b>shorewall start</b></font>", include
a trace (See the <a
href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a>
section for instructions).<br>
<br>
</li>
<li><b>The list server limits posts to 120kb so
don't post GIFs of your network layout,
etc. to the Mailing List -- your post will be rejected.</b></li>
</ul>
<blockquote> The author gratefully acknowleges that the above list was
heavily plagiarized from the excellent LEAF document by <i>Ray</i>
<blockquote> The author gratefully acknowleges that the above list was
heavily plagiarized from the excellent LEAF document by <i>Ray</i>
<em>Olszewski</em> found at <a
href="http://leaf-project.org/pub/doc/docmanager/docid_1891.html">http://leaf-project.org/pub/doc/docmanager/docid_1891.html</a>.<br>
</blockquote>
</blockquote>
<h2>When using the mailing list, please post in plain text</h2>
<blockquote> A growing number of MTAs serving list subscribers are
rejecting all HTML traffic. At least one MTA has gone so far as to
blacklist shorewall.net "for continuous abuse" because it has been
my policy to allow HTML in list posts!!<br>
<br>
I think that blocking all HTML
is a Draconian way to control spam and that the ultimate
losers here are not the spammers but the list subscribers
whose MTAs are bouncing all shorewall.net mail. As one list
subscriber wrote to me privately "These e-mail admin's need
to get a <i>(expletive deleted)</i> life instead of trying to
rid the planet of HTML based e-mail". Nevertheless, to allow
subscribers to receive list posts as must as possible, I have now
configured the list server at shorewall.net to strip all HTML from
outgoing posts.<br>
<br>
<big><font color="#cc0000"><b>If you run your own outgoing mail server
and it doesn't have a valid DNS PTR record, your email won't reach the lists
unless/until the postmaster notices that your posts are being rejected. To
avoid this problem, you should configure your MTA to forward posts to shorewall.net
through an MTA that <u>does</u> have a valid PTR record (such as the one
at your ISP). </b></font></big><br>
</blockquote>
<blockquote> A growing number of MTAs serving list subscribers are rejecting
all HTML traffic. At least one MTA has gone so far as to blacklist
shorewall.net "for continuous abuse" because it has been my policy
to allow HTML in list posts!!<br>
<br>
I think that blocking all HTML
is a Draconian way to control spam and that the ultimate
losers here are not the spammers but the list subscribers
whose MTAs are bouncing all shorewall.net mail. As one list subscriber
wrote to me privately "These e-mail admin's need to get a <i>(expletive
deleted)</i> life instead of trying to rid the planet of HTML
based e-mail". Nevertheless, to allow subscribers to receive
list posts as must as possible, I have now configured the list
server at shorewall.net to strip all HTML from outgoing posts.<br>
<br>
<big><font color="#cc0000"><b>If you run your own outgoing mail server
and it doesn't have a valid DNS PTR record, your email won't reach the lists
unless/until the postmaster notices that your posts are being rejected.
To avoid this problem, you should configure your MTA to forward posts to
shorewall.net through an MTA that <u>does</u> have a valid PTR record (such
as the one at your ISP). </b></font></big><br>
</blockquote>
<h2>Where to Send your Problem Report or to Ask for Help</h2>
<blockquote>
<blockquote>
<h4>If you run Shorewall under Bering -- <span
style="font-weight: 400;">please post your question or problem
to the <a
href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing
list</a>.</span></h4>
<b>If you run Shorewall under
MandrakeSoft Multi Network Firewall (MNF) and you have
not purchased an MNF license from MandrakeSoft then you can
post non MNF-specific Shorewall questions to the </b><a
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
list</a>. <b>Do not expect to get free MNF support on the list.</b><br>
<p>If you have a question, you may post it on the <a
href="http://www.developercube.com/forum/index.php?c=8">Shorewall Forum</a>:
<font color="#ff6666"><b>DO NOT USE THE FORUM FOR REPORTING PROBLEMS OR
ASKING FOR HELP WITH PROBLEMS.<br>
</b></font><br>
Otherwise, please post your question or problem to the <a
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
list</a> .</p>
style="font-weight: 400;">please post your question or problem
to the <a
href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing
list</a>.</span></h4>
<b>If you run Shorewall under
MandrakeSoft Multi Network Firewall (MNF) and you have
not purchased an MNF license from MandrakeSoft then you can
post non MNF-specific Shorewall questions to the </b><a
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
list</a>. <b>Do not expect to get free MNF support on the list</b>
<p>Otherwise, please post your question or problem to the <a
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
list</a> .</p>
<p> To Subscribe to the mailing list go to <a
href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a>
.<br>
</p>
</blockquote>
href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a>
.<br>
</p>
</blockquote>
<p>For information on other Shorewall mailing lists, go to <a
href="http://lists.shorewall.net">http://lists.shorewall.net</a><br>
</p>
<p align="left"><font size="2">Last Updated 6/14/2003 - Tom Eastep</font></p>
</p>
<p align="left"><font size="2">Last Updated 6/24/2003 - Tom Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p>
</p>
<br>
</body>
</html>

2039
Shorewall-docs/three-interface.htm
View File

File diff suppressed because it is too large Load Diff

1725
Shorewall-docs/two-interface.htm
View File

File diff suppressed because it is too large Load Diff

714
Shorewall-docs/upgrade_issues.htm
View File

@ -1,441 +1,447 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Upgrade Issues</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Upgrade Issues</font></h1>
</td>
</tr>
</tbody>
</td>
</tr>
</tbody>
</table>
<p>For upgrade instructions see the <a
href="Install.htm">Install/Upgrade page</a>.<br>
</p>
<p>It is important that you read all of the sections on this page where the
version number mentioned in the section title is later than what you
</p>
<p>It is important that you read all of the sections on this page where the
version number mentioned in the section title is later than what you
are currently running.<br>
</p>
<p> In the descriptions that follows, the term <b><i>group </i></b>refers
to a particular network or subnetwork (which may be 0.0.0.0/0 or it may
</p>
<p> In the descriptions that follows, the term <b><i>group </i></b>refers
to a particular network or subnetwork (which may be 0.0.0.0/0 or it may
be a host address) accessed through a particular interface.<br>
</p>
<p>Examples:<br>
    <br>
    eth0:0.0.0.0/0<br>
    eth2:192.168.1.0/24<br>
    eth3:192.0.2.123<br>
</p>
<p>Examples:<br>
    <br>
    eth0:0.0.0.0/0<br>
    eth2:192.168.1.0/24<br>
    eth3:192.0.2.123<br>
</p>
<p> You can use the "shorewall check" command to see the groups associated
with each of your zones.<br>
</p>
<p> You can use the "shorewall check" command to see the groups associated
with each of your zones.<br>
</p>
<h3> </h3>
<h3>Version &gt;= 1.4.6</h3>
The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options have been removed from
shorewall.conf. These capabilities are now automatically detected by Shorewall.<br>
<h3>Version &gt;= 1.4.4</h3>
If you are upgrading from 1.4.3 and have set the LOGMARKER variable in
<a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>, then
you must set the new LOGFORMAT variable appropriately and remove your setting
If you are upgrading from 1.4.3 and have set the LOGMARKER variable in
<a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>, then you
must set the new LOGFORMAT variable appropriately and remove your setting
of LOGMARKER<br>
<br>
<br>
<h3>Version 1.4.4<br>
</h3>
If you have zone names that are 5 characters long, you may experience problems
starting Shorewall because the --log-prefix in a logging rule is too long.
</h3>
If you have zone names that are 5 characters long, you may experience problems
starting Shorewall because the --log-prefix in a logging rule is too long.
Upgrade to Version 1.4.4a to fix this problem..<br>
<h3>Version &gt;= 1.4.2</h3>
There are some cases where you may want to handle traffic from a particular
group to itself. While I personally think that such a setups are ridiculous,
There are some cases where you may want to handle traffic from a particular
group to itself. While I personally think that such a setups are ridiculous,
there are two cases covered in this documentation where it can occur:<br>
<ol>
<li><a href="FAQ.htm#faq2">In FAQ #2</a>.</li>
<li><a href="Shorewall_Squid_Usage.html">When running Squid as a transparent
<li><a href="FAQ.htm#faq2">In FAQ #2</a>.</li>
<li><a href="Shorewall_Squid_Usage.html">When running Squid as a transparent
proxy in your local zone.</a></li>
</ol>
If you have either of these cases, you will want to review the current
If you have either of these cases, you will want to review the current
documentation and change your configuration accordingly.<br>
<h3>Version &gt;= 1.4.1</h3>
<ul>
<li>Beginning with Version 1.4.1, traffic between groups in the
same zone is accepted by default. Previously, traffic from a zone to itself
was treated just like any other traffic; any matching rules were applied
followed by enforcement of the appropriate policy. With 1.4.1 and later
versions, unless you have explicit rules for traffic from Z to Z or you
have an explicit Z to Z policy (where "Z" is some zone) then traffic between
the groups in zone Z will be accepted. If you do have one or more explicit
rules for Z to Z or if you have an explicit Z to Z policy then the behavior
is as it was in prior versions.</li>
<li>Beginning with Version 1.4.1, traffic between groups in the
same zone is accepted by default. Previously, traffic from a zone to
itself was treated just like any other traffic; any matching rules were
applied followed by enforcement of the appropriate policy. With 1.4.1
and later versions, unless you have explicit rules for traffic from Z
to Z or you have an explicit Z to Z policy (where "Z" is some zone) then
traffic between the groups in zone Z will be accepted. If you do have one
or more explicit rules for Z to Z or if you have an explicit Z to Z policy
then the behavior is as it was in prior versions.</li>
</ul>
<blockquote>
<blockquote>
<ol>
<li>If you have a Z Z ACCEPT policy for a zone to allow traffic
between two interfaces to the same zone, that policy can be removed and
traffic between the interfaces will traverse fewer rules than previously.</li>
<li>If you have a Z Z DROP or Z Z REJECT policy or you have Z-&gt;Z
rules then your configuration should not require any change.</li>
<li>If you are currently relying on a implicit policy (one that
has "all" in either the SOURCE or DESTINATION column) to prevent traffic
between two interfaces to a zone Z and you have no rules for Z-&gt;Z then
<li>If you have a Z Z ACCEPT policy for a zone to allow traffic
between two interfaces to the same zone, that policy can be removed and
traffic between the interfaces will traverse fewer rules than previously.</li>
<li>If you have a Z Z DROP or Z Z REJECT policy or you have
Z-&gt;Z rules then your configuration should not require any change.</li>
<li>If you are currently relying on a implicit policy (one that
has "all" in either the SOURCE or DESTINATION column) to prevent traffic
between two interfaces to a zone Z and you have no rules for Z-&gt;Z then
you should add an explicit DROP or REJECT policy for Z to Z.<br>
</li>
</li>
</ol>
</blockquote>
</blockquote>
<ul>
<li> Sometimes, you want two separate zones on one interface but
you don't want Shorewall to set up any infrastructure to handle traffic
<li> Sometimes, you want two separate zones on one interface but
you don't want Shorewall to set up any infrastructure to handle traffic
between them. </li>
</ul>
<blockquote>Example:<br>
<blockquote>
<blockquote>
<pre>/etc/shorewall/zones<br><br>z1 Zone1 The first Zone<br>z2 Zone2 The secont Zone<br><br>/etc/shorewall/interfaces<br><br>z2 eth1 192.168.1.255<br><br>/etc/shorewall/hosts<br><br>z1 eth1:192.168.1.3<br></pre>
</blockquote>
Here, zone z1 is nested in zone z2 and the firewall is not going to
be involved in any traffic between these two zones. Beginning with Shorewall
1.4.1, you can prevent Shorewall from setting up any infrastructure to handle
traffic between z1 and z2 by using the new NONE policy:<br>
<blockquote>
</blockquote>
Here, zone z1 is nested in zone z2 and the firewall is not going
to be involved in any traffic between these two zones. Beginning with Shorewall
1.4.1, you can prevent Shorewall from setting up any infrastructure to
handle traffic between z1 and z2 by using the new NONE policy:<br>
<blockquote>
<pre>/etc/shorewall/policy<br><pre>z1 z2 NONE<br>z2 z1 NONE</pre></pre>
</blockquote>
Note that NONE policies are generally used in pairs unless there is
asymetric routing where only the traffic on one direction flows through
the firewall and you are using a NONE polciy in the other direction. </blockquote>
<h3>Version 1.4.1<br>
</h3>
<ul>
<li>In Version 1.4.1, Shorewall will never create rules to deal
with traffic from a given group back to itself. The <i>multi</i> interface
option is no longer available so if you want to route traffic between two
subnetworks on the same interface then I recommend that you upgrade to Version
1.4.2 and use the 'routeback' interface or host option. </li>
</ul>
<h3>Version &gt;= 1.4.0</h3>
<b>IMPORTANT: Shorewall &gt;=1.4.0 </b><b>requires</b> <b>the
iproute package ('ip' utility).</b><br>
<br>
<b>Note: </b>Unfortunately, some distributions call this package
iproute2 which will cause the upgrade of Shorewall to fail with the diagnostic:<br>
<br>
     error: failed dependencies:iproute is needed by shorewall-1.4.0-1
<br>
<br>
This may be worked around by using the --nodeps option of rpm (rpm
-Uvh --nodeps &lt;shorewall rpm&gt;).<br>
<br>
If you are upgrading from a version &lt; 1.4.0, then:<br>
<ul>
<li>The <b>noping </b>and <b>forwardping</b> interface options
are no longer supported nor is the <b>FORWARDPING </b>option in shorewall.conf.
ICMP echo-request (ping) packets are treated just like any other connection
request and are subject to rules and policies.</li>
<li>Interface names of the form &lt;device&gt;:&lt;integer&gt;
in /etc/shorewall/interfaces now generate a Shorewall error at startup
(they always have produced warnings in iptables).</li>
<li>The MERGE_HOSTS variable has been removed from shorewall.conf.
Shorewall 1.4 behaves like 1.3 did when MERGE_HOSTS=Yes; that is zone
contents are determined by BOTH the interfaces and hosts files when there
are entries for the zone in both files.</li>
<li>The <b>routestopped</b> option in the interfaces and
hosts file has been eliminated; use entries in the routestopped file
instead.</li>
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules
is no longer accepted; you must convert to using the new syntax.</li>
<li value="6">The ALLOWRELATED variable in shorewall.conf
is no longer supported. Shorewall 1.4 behavior is the same as 1.3
with ALLOWRELATED=Yes.</li>
<li value="6">Late-arriving DNS replies are now dropped
by default; there is no need for your own /etc/shorewall/common file
simply to avoid logging these packets.</li>
<li value="6">The 'firewall', 'functions' and 'version'
file have been moved to /usr/share/shorewall.</li>
<li value="6">The icmp.def file has been removed. If you
include it from /etc/shorewall/icmpdef, you will need to modify that
file.</li>
<ul>
</ul>
<li>If you followed the advice in FAQ #2 and call find_interface_address
in /etc/shorewall/params, that code should be moved to /etc/shorewall/init.<br>
</li>
</ul>
<ul>
</ul>
<h3>Version 1.4.0</h3>
<ul>
<li value="8">The 'multi' interface option is no longer supported.
 Shorewall will generate rules for sending packets back out the same
interface that they arrived on in two cases:</li>
</ul>
<blockquote>
<ul>
<li>There is an <u>explicit</u> policy for the source zone to
or from the destination zone. An explicit policy names both zones and
does not use the 'all' reserved word.</li>
</ul>
<ul>
<li>There are one or more rules for traffic for the source zone
to or from the destination zone including rules that use the 'all' reserved
word. Exception: if the source zone and destination zone are the same
then the rule must be explicit - it must name the zone in both the SOURCE
and DESTINATION columns.</li>
</ul>
</blockquote>
<h3>Version &gt;= 1.3.14</h3>
<img src="images/BD21298_3.gif" alt="" width="13"
height="13">
     Beginning in version 1.3.14, Shorewall treats entries
in <a href="Documentation.htm#Masq">/etc/shorewall/masq </a>differently.
The change involves entries with an <b>interface name</b> in the <b>SUBNET</b>
(second) <b>column</b>:<br>
Note that NONE policies are generally used in pairs unless there
is asymetric routing where only the traffic on one direction flows through
the firewall and you are using a NONE polciy in the other direction. </blockquote>
<h3>Version 1.4.1<br>
</h3>
<ul>
<li>Prior to 1.3.14, Shorewall would detect the FIRST
subnet on the interface (as shown by "ip addr show <i>interface</i>")
and would masquerade traffic from that subnet. Any other subnets that
routed through eth1 needed their own entry in /etc/shorewall/masq to
be masqueraded or to have SNAT applied.</li>
<li>Beginning with Shorewall 1.3.14, Shorewall uses the
firewall's routing table to determine ALL subnets routed through
the named interface. Traffic originating in ANY of those subnets
is masqueraded or has SNAT applied.</li>
<li>In Version 1.4.1, Shorewall will never create rules to deal
with traffic from a given group back to itself. The <i>multi</i> interface
option is no longer available so if you want to route traffic between
two subnetworks on the same interface then I recommend that you upgrade
to Version 1.4.2 and use the 'routeback' interface or host option. </li>
</ul>
You will need to make a change to your configuration if:<br>
<ol>
<li>You have one or more entries in /etc/shorewall/masq
with an interface name in the SUBNET (second) column; and</li>
<li>That interface connects to more than one subnetwork.</li>
</ol>
Two examples:<br>
<br>
 <b>Example 1</b> -- Suppose that your current config is
as follows:<br>
   <br>
<pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> eth0                    192.168.10.0/24         206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br> [root@gateway test]#</pre>
<blockquote>In this case, the second entry in /etc/shorewall/masq is no longer
required.<br>
</blockquote>
<b>Example 2</b>-- What if your current configuration is
like this?<br>
<pre> [root@gateway test]# cat /etc/shorewall/masq <br> #INTERFACE              SUBNET                  ADDRESS <br> eth0                    eth2                    206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE <br> [root@gateway test]# ip route show dev eth2 <br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254 <br> [root@gateway test]#</pre>
<blockquote>In this case, you would want to change the entry in /etc/shorewall/masq
to:<br>
</blockquote>
<pre> #INTERFACE              SUBNET                  ADDRESS <br> eth0                    192.168.1.0/24          206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<h3>Version &gt;= 1.4.0</h3>
<b>IMPORTANT: Shorewall &gt;=1.4.0 </b><b>requires</b> <b>the
iproute package ('ip' utility).</b><br>
<br>
<b>Note: </b>Unfortunately, some distributions call this package
iproute2 which will cause the upgrade of Shorewall to fail with the diagnostic:<br>
<br>
     error: failed dependencies:iproute is needed by shorewall-1.4.0-1
<br>
<br>
This may be worked around by using the --nodeps option of rpm
(rpm -Uvh --nodeps &lt;shorewall rpm&gt;).<br>
<br>
If you are upgrading from a version &lt; 1.4.0, then:<br>
<ul>
<li>The <b>noping </b>and <b>forwardping</b> interface
options are no longer supported nor is the <b>FORWARDPING </b>option
in shorewall.conf. ICMP echo-request (ping) packets are treated just
like any other connection request and are subject to rules and policies.</li>
<li>Interface names of the form &lt;device&gt;:&lt;integer&gt;
in /etc/shorewall/interfaces now generate a Shorewall error at startup
(they always have produced warnings in iptables).</li>
<li>The MERGE_HOSTS variable has been removed from shorewall.conf.
Shorewall 1.4 behaves like 1.3 did when MERGE_HOSTS=Yes; that is zone
contents are determined by BOTH the interfaces and hosts files when
there are entries for the zone in both files.</li>
<li>The <b>routestopped</b> option in the interfaces and
hosts file has been eliminated; use entries in the routestopped file
instead.</li>
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules
is no longer accepted; you must convert to using the new syntax.</li>
<li value="6">The ALLOWRELATED variable in shorewall.conf
is no longer supported. Shorewall 1.4 behavior is the same as 1.3 with
ALLOWRELATED=Yes.</li>
<li value="6">Late-arriving DNS replies are now dropped
by default; there is no need for your own /etc/shorewall/common file
simply to avoid logging these packets.</li>
<li value="6">The 'firewall', 'functions' and 'version'
file have been moved to /usr/share/shorewall.</li>
<li value="6">The icmp.def file has been removed. If you
include it from /etc/shorewall/icmpdef, you will need to modify that
file.</li>
<ul>
</ul>
<li>If you followed the advice in FAQ #2 and call find_interface_address
in /etc/shorewall/params, that code should be moved to /etc/shorewall/init.<br>
</li>
</ul>
<ul>
</ul>
<h3>Version 1.4.0</h3>
<ul>
<li value="8">The 'multi' interface option is no longer supported.
 Shorewall will generate rules for sending packets back out the same
interface that they arrived on in two cases:</li>
</ul>
<blockquote>
<ul>
<li>There is an <u>explicit</u> policy for the source zone to
or from the destination zone. An explicit policy names both zones and
does not use the 'all' reserved word.</li>
</ul>
<ul>
<li>There are one or more rules for traffic for the source zone
to or from the destination zone including rules that use the 'all' reserved
word. Exception: if the source zone and destination zone are the same
then the rule must be explicit - it must name the zone in both the SOURCE
and DESTINATION columns.</li>
</ul>
</blockquote>
<h3>Version &gt;= 1.3.14</h3>
<img src="images/BD21298_3.gif" alt="" width="13"
height="13">
    Version 1.3.14 also introduced simplified ICMP echo-request
(ping) handling. The option OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf
is used to specify that the old (pre-1.3.14) ping handling is to
be used (If the option is not set in your /etc/shorewall/shorewall.conf
then OLD_PING_HANDLING=Yes is assumed). I don't plan on supporting
the old handling indefinitely so I urge current users to migrate to using
the new handling as soon as possible. See the <a href="ping.html">'Ping'
handling documentation</a> for details.<br>
<h3>Version 1.3.10</h3>
If you have installed the 1.3.10 Beta 1 RPM and are now
upgrading to version 1.3.10, you will need to use the '--force' option:<br>
     Beginning in version 1.3.14, Shorewall treats entries
in <a href="Documentation.htm#Masq">/etc/shorewall/masq </a>differently.
The change involves entries with an <b>interface name</b> in the <b>SUBNET</b>
(second) <b>column</b>:<br>
<ul>
<li>Prior to 1.3.14, Shorewall would detect the FIRST
subnet on the interface (as shown by "ip addr show <i>interface</i>")
and would masquerade traffic from that subnet. Any other subnets that
routed through eth1 needed their own entry in /etc/shorewall/masq to
be masqueraded or to have SNAT applied.</li>
<li>Beginning with Shorewall 1.3.14, Shorewall uses the
firewall's routing table to determine ALL subnets routed through the
named interface. Traffic originating in ANY of those subnets is masqueraded
or has SNAT applied.</li>
</ul>
You will need to make a change to your configuration if:<br>
<ol>
<li>You have one or more entries in /etc/shorewall/masq
with an interface name in the SUBNET (second) column; and</li>
<li>That interface connects to more than one subnetwork.</li>
</ol>
Two examples:<br>
<br>
<blockquote>
<pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm </pre>
 <b>Example 1</b> -- Suppose that your current config is
as follows:<br>
   <br>
<pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> eth0                    192.168.10.0/24         206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br> [root@gateway test]#</pre>
<blockquote>In this case, the second entry in /etc/shorewall/masq is no longer
required.<br>
</blockquote>
<b>Example 2</b>-- What if your current configuration is
like this?<br>
<pre> [root@gateway test]# cat /etc/shorewall/masq <br> #INTERFACE              SUBNET                  ADDRESS <br> eth0                    eth2                    206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE <br> [root@gateway test]# ip route show dev eth2 <br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254 <br> [root@gateway test]#</pre>
<blockquote>In this case, you would want to change the entry in /etc/shorewall/masq
to:<br>
</blockquote>
<pre> #INTERFACE              SUBNET                  ADDRESS <br> eth0                    192.168.1.0/24          206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<img src="images/BD21298_3.gif" alt="" width="13"
height="13">
    Version 1.3.14 also introduced simplified ICMP echo-request
(ping) handling. The option OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf
is used to specify that the old (pre-1.3.14) ping handling is to be
used (If the option is not set in your /etc/shorewall/shorewall.conf
then OLD_PING_HANDLING=Yes is assumed). I don't plan on supporting the
old handling indefinitely so I urge current users to migrate to using
the new handling as soon as possible. See the <a href="ping.html">'Ping'
handling documentation</a> for details.<br>
<h3>Version 1.3.10</h3>
If you have installed the 1.3.10 Beta 1 RPM and are now
upgrading to version 1.3.10, you will need to use the '--force' option:<br>
<br>
<blockquote>
<pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm </pre>
</blockquote>
<h3>Version &gt;= 1.3.9</h3>
The 'functions' file has moved to /usr/lib/shorewall/functions.
If you have an application that uses functions from that file, your
The 'functions' file has moved to /usr/lib/shorewall/functions.
If you have an application that uses functions from that file, your
application will need to be changed to reflect this change of location.<br>
<h3>Version &gt;= 1.3.8</h3>
<p>If you have a pair of firewall systems configured for failover
or if you have asymmetric routing, you will need to modify
your firewall setup slightly under Shorewall
versions &gt;= 1.3.8. Beginning with version 1.3.8,
you must set NEWNOTSYN=Yes in your
/etc/shorewall/shorewall.conf file.</p>
<p>If you have a pair of firewall systems configured for failover
or if you have asymmetric routing, you will need to modify
your firewall setup slightly under Shorewall
versions &gt;= 1.3.8. Beginning with version 1.3.8,
you must set NEWNOTSYN=Yes in your
/etc/shorewall/shorewall.conf file.</p>
<h3>Version &gt;= 1.3.7</h3>
<p>Users specifying ALLOWRELATED=No in /etc/shorewall.conf
will need to include the following
rules in their /etc/shorewall/icmpdef file (creating this
<p>Users specifying ALLOWRELATED=No in /etc/shorewall.conf
will need to include the following
rules in their /etc/shorewall/icmpdef file (creating this
file if necessary):</p>
<pre> run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT</pre>
<p>Users having an /etc/shorewall/icmpdef file may remove the ". /etc/shorewall/icmp.def"
<p>Users having an /etc/shorewall/icmpdef file may remove the ". /etc/shorewall/icmp.def"
command from that file since the icmp.def file is now empty.</p>
<h3><b><a name="Bering">Upgrading </a>Bering to Shorewall &gt;= 1.3.3</b></h3>
<p>To properly upgrade with Shorewall version 1.3.3 and later:</p>
<ol>
<li>Be sure you have
a backup -- you will need to transcribe
any Shorewall configuration changes
that you have made to the new configuration.</li>
<li>Replace the shorwall.lrp
package provided on the Bering
floppy with the later one. If you did
not obtain the later version from Jacques's site, see additional
<li>Be sure you have
a backup -- you will need to transcribe
any Shorewall configuration changes
that you have made to the new configuration.</li>
<li>Replace the shorwall.lrp
package provided on the Bering
floppy with the later one. If you did
not obtain the later version from Jacques's site, see additional
instructions below.</li>
<li>Edit the /var/lib/lrpkg/root.exclude.list
file and remove the /var/lib/shorewall
entry if present. Then do not
forget to backup root.lrp !</li>
<li>Edit the /var/lib/lrpkg/root.exclude.list
file and remove the /var/lib/shorewall
entry if present. Then do not forget
to backup root.lrp !</li>
</ol>
<p>The .lrp that I release isn't set up for a two-interface firewall like
<p>The .lrp that I release isn't set up for a two-interface firewall like
Jacques's. You need to follow the <a
href="two-interface.htm">instructions for setting up a two-interface
firewall</a> plus you also need to add the following two Bering-specific
href="two-interface.htm">instructions for setting up a two-interface
firewall</a> plus you also need to add the following two Bering-specific
rules to /etc/shorewall/rules:</p>
<blockquote>
<blockquote>
<pre># Bering specific rules:<br># allow loc to fw udp/53 for dnscache to work<br># allow loc to fw tcp/80 for weblet to work<br>#<br>ACCEPT loc fw udp 53<br>ACCEPT loc fw tcp 80</pre>
</blockquote>
</blockquote>
<h3 align="left">Version 1.3.6 and 1.3.7</h3>
<p align="left">If you have a pair of firewall systems configured for
failover or if you have asymmetric routing, you will need to modify
your firewall setup slightly under Shorewall versions 1.3.6
and 1.3.7</p>
<p align="left">If you have a pair of firewall systems configured for
failover or if you have asymmetric routing, you will need to modify
your firewall setup slightly under Shorewall versions
1.3.6 and 1.3.7</p>
<ol>
<li>
<p align="left">Create the file /etc/shorewall/newnotsyn and in it add
<li>
<p align="left">Create the file /etc/shorewall/newnotsyn and in it add
the following rule<br>
<br>
<font face="Courier">run_iptables -A newnotsyn
-j RETURN # So that the connection tracking table can
<br>
<font face="Courier">run_iptables -A newnotsyn
-j RETURN # So that the connection tracking table can
be rebuilt<br>
                                    # from
non-SYN packets after takeover.<br>
 </font> </p>
</li>
<li>
<p align="left">Create /etc/shorewall/common (if you don't already
have that file) and include the following:<br>
<br>
<font face="Courier">run_iptables -A common
-p tcp --tcp-flags ACK,FIN,RST ACK -j ACCEPT #Accept
                                    #
from non-SYN packets after takeover.<br>
 </font> </p>
</li>
<li>
<p align="left">Create /etc/shorewall/common (if you don't already
have that file) and include the following:<br>
<br>
<font face="Courier">run_iptables -A common
-p tcp --tcp-flags ACK,FIN,RST ACK -j ACCEPT #Accept
Acks to rebuild connection<br>
                                                                   
                                                                   
#tracking table. <br>
. /etc/shorewall/common.def</font> </p>
</li>
. /etc/shorewall/common.def</font> </p>
</li>
</ol>
<h3 align="left">Versions &gt;= 1.3.5</h3>
<p align="left">Some forms of pre-1.3.0 rules file syntax are no longer
supported. </p>
<p align="left">Some forms of pre-1.3.0 rules file syntax are no longer
supported. </p>
<p align="left">Example 1:</p>
<div align="left">
<div align="left">
<pre> ACCEPT net loc:192.168.1.12:22 tcp 11111 - all</pre>
</div>
</div>
<p align="left">Must be replaced with:</p>
<div align="left">
<div align="left">
<pre> DNAT net loc:192.168.1.12:22 tcp 11111</pre>
</div>
<div align="left">
</div>
<div align="left">
<p align="left">Example 2:</p>
</div>
<div align="left">
</div>
<div align="left">
<pre> ACCEPT loc fw::3128 tcp 80 - all</pre>
</div>
<div align="left">
</div>
<div align="left">
<p align="left">Must be replaced with:</p>
</div>
<div align="left">
</div>
<div align="left">
<pre> REDIRECT loc 3128 tcp 80</pre>
</div>
</div>
<h3 align="left">Version &gt;= 1.3.2</h3>
<p align="left">The functions and versions files together with the 'firewall'
symbolic link have moved from /etc/shorewall to /var/lib/shorewall.
If you have applications that access these files, those applications
should be modified accordingly.</p>
<p><font size="2"> Last updated 5/27/2003 - <a href="support.htm">Tom Eastep</a></font>
</p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
<p align="left">The functions and versions files together with the 'firewall'
symbolic link have moved from /etc/shorewall to /var/lib/shorewall.
If you have applications that access these files, those
applications should be modified accordingly.</p>
<p><font size="2"> Last updated 6/29/2003 - <a href="support.htm">Tom
Eastep</a></font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p>
</p>
<br>
</body>
</html>