extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2024-11-15 12:14:32 +01:00
Code Issues Packages Projects Releases Wiki Activity

Shorewall-1.4.6 Beta 1

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@628 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2003-07-04 16:41:22 +00:00
parent e4fe73b53a
commit 5e73f39c5a
22 changed files with 14258 additions and 13921 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1930
Shorewall-docs/Documentation.htm
View File

File diff suppressed because it is too large Load Diff

383
Shorewall-docs/FAQ.htm
View File

@ -23,6 +23,7 @@
<tr>
<td
width="100%">
<h1 align="center"><font color="#ffffff">Shorewall FAQs</font></h1>
</td>
</tr>
@ -38,9 +39,9 @@
</h1>
<p align="left"><b>1. </b><a href="#faq1"> I want to <b>forward</b> UDP <b>
port</b> 7777 to my my personal PC with IP address
192.168.1.5. I've looked everywhere and can't find
<b>how to do it</b>.</a></p>
port</b> 7777 to my my personal PC with IP
address 192.168.1.5. I've looked everywhere and
can't find <b>how to do it</b>.</a></p>
<p align="left"><b>1a. </b><a href="#faq1a">Ok -- I followed those instructions
but it doesn't work.<br>
@ -49,9 +50,9 @@
<p align="left"><b>1b. </b><a href="#faq1b">I'm still having problems with
port forwarding</a></p>
<p align="left"><b>1c. </b><a href="#faq1c">From the internet, I want to
<b>connect to port 1022</b> on my firewall and have the <b>firewall forward
the connection to port 22 on local system 192.168.1.3</b>. How do I do that?</a><br>
<p align="left"><b>1c. </b><a href="#faq1c">From the internet, I want to <b>connect
to port 1022</b> on my firewall and have the <b>firewall forward the connection
to port 22 on local system 192.168.1.3</b>. How do I do that?</a><br>
</p>
<h1><b>DNS and PORT FORWARDING/NAT<br>
@ -65,10 +66,10 @@ the connection to port 22 on local system 192.168.1.3</b>. How do I do that?</a>
<p align="left"><b>2a. </b><a href="#faq3">I have a zone "Z" with an RFC1918
subnet and I use <b>static NAT</b> to assign
non-RFC1918 addresses to hosts in Z. Hosts in Z cannot
communicate with each other using their external (non-RFC1918
addresses) so they <b>can't access each other using their
DNS names.</b></a></p>
non-RFC1918 addresses to hosts in Z. Hosts in Z
cannot communicate with each other using their external
(non-RFC1918 addresses) so they <b>can't access each other
using their DNS names.</b></a></p>
<h1><b>NETMEETING/MSN<br>
</b></h1>
@ -85,11 +86,11 @@ DNS names.</b></a></p>
as 'closed' rather than 'blocked'.</b> Why?</a></p>
<p align="left"><b>4a. </b><a href="#faq4a">I just ran an <b>nmap UDP scan</b>
of my firewall and it showed 100s of ports as
open!!!!<br>
of my firewall and it showed 100s of ports
as open!!!!<br>
</a></p>
<b>4b</b>. <a href="#faq4b">I have a port that I can't close no matter
how I change my rules. </a>
how I change my rules. </a>
<h1>CONNECTION PROBLEMS</h1>
<p align="left"><b>5. </b><a href="#faq5">I've installed Shorewall and now
@ -109,13 +110,14 @@ how I change my rules.
<p align="left"><b>6b. <a href="#faq6b">DROP messages</a></b><a
href="#faq6b"> on port 10619 are <b>flooding the logs</b> with their connect
requests. Can i exclude these error messages for this port temporarily
from logging in Shorewall?</a><br>
requests. Can i exclude these error messages for this port
temporarily from logging in Shorewall?</a><br>
</p>
<p align="left"><b>6c. </b><a href="#faq6c">All day long I get a steady flow
of these <b>DROP messages from port 53</b> <b>to some high numbered
port</b>. They get dropped, but what the heck are they?</a><br>
of these <b>DROP messages from port 53</b> <b>to some high
numbered port</b>. They get dropped, but what the heck are
they?</a><br>
</p>
<p align="left"><b>6d.</b> <a href="#faq6d">Why is the <b>MAC address</b>
@ -136,8 +138,8 @@ how I change my rules.
<h1>STARTING AND STOPPING<br>
</h1>
<p align="left"><b>7. </b><a href="#faq7">When I stop Shorewall <b>using 'shorewall
stop', I can't connect to anything</b>. Why doesn't that command
<p align="left"><b>7. </b><a href="#faq7">When I stop Shorewall <b>using
'shorewall stop', I can't connect to anything</b>. Why doesn't that command
work?</a></p>
<p align="left"><b>8. </b><a href="#faq8">When I try to <b>start Shorewall
@ -161,13 +163,14 @@ Shorewall starts.</b> Which file do I put them in?</a><br>
<p align="left"><b>10. </b><a href="#faq10">What <b>distributions</b> does
it work with?</a></p>
<p align="left"><b>11. </b><a href="#faq18">What <b>features</b> does it support?</a></p>
<p align="left"><b>11. </b><a href="#faq18">What <b>features</b> does it
support?</a></p>
<p align="left"><b>12. </b><a href="#faq12">Is there a <b>GUI?</b></a></p>
<p align="left"><b>13. </b><a href="#faq13">Why do you call it <b>"Shorewall"?</b></a></p>
<b>23. </b><a href="#faq23">Why do you
use such <b>ugly fonts</b> on your <b>web site</b>?</a><br>
use such <b>ugly fonts</b> on your <b>web site</b>?</a><br>
<b><br>
25. </b><a href="#faq25">How to I tell <b>which version of Shorewall</b>
I am <b>running</b>?</a><br>
@ -177,14 +180,14 @@ use such <b>ugly fonts</b> on your <b>web site</b>?</a><br>
<p align="left"><b>14. </b><a href="#faq14">I'm connected via a cable modem
and it has an internel web server that allows
me to configure/monitor it but as expected if I enable
<b> rfc1918 blocking</b> for my eth0 interface, it also
blocks the <b>cable modems web server</b></a>.</p>
me to configure/monitor it but as expected if I
enable <b> rfc1918 blocking</b> for my eth0 interface,
it also blocks the <b>cable modems web server</b></a>.</p>
<p align="left"><b>14a. </b><a href="#faq14a">Even though it assigns public
IP addresses, my ISP's DHCP server has an RFC
1918 address. If I enable RFC 1918 filtering on my
external interface, <b>my DHCP client cannot renew its lease</b>.</a></p>
external interface, <b>my DHCP client cannot renew its lease</b>.</a></p>
<h1>ALIAS IP ADDRESSES/VIRTUAL INTERFACES<br>
</h1>
@ -195,24 +198,26 @@ external interface, <b>my DHCP client cannot renew its lease</b>
<h1>MISCELLANEOUS<br>
</h1>
<b>19. </b><a href="#faq19">I have added <b>entries to
/etc/shorewall/tcrules</b> but they <b>don't </b>seem to <b>do
/etc/shorewall/tcrules</b> but they <b>don't </b>seem to <b>do
anything</b>. Why?</a><br>
<br>
<b>20. </b><a href="#faq20">I
have just set up a server. <b>Do I have to change Shorewall
to allow access to my server from the internet?</b></a><br>
<b>20. </b><a
href="#faq20">I have just set up a server. <b>Do I have
to change Shorewall to allow access to my server from the internet?</b></a><br>
<br>
<b>24. </b><a href="#faq24">How can I <b>allow
conections</b> to let's say the ssh port only<b> from specific
IP Addresses</b> on the internet?</a><br>
<br>
<br>
<br>
<br>
<b>26. </b><a href="#faq26">When I try to use any of the
<b>SYN options in nmap</b> on or behind the firewall, I get "<b>operation
not permitted</b>". How can I use nmap with Shorewall?"</a><br>
<hr>
<h4 align="left"><a name="faq1"></a>1. I want to forward UDP port 7777 to
my my personal PC with IP address 192.168.1.5.
I've looked everywhere and can't find how to do it.</h4>
I've looked everywhere and can't find how to do
it.</h4>
<p align="left"><b>Answer: </b>The <a
href="Documentation.htm#PortForward"> first example</a> in the <a
@ -288,9 +293,9 @@ external interface, <b>my DHCP client cannot renew its lease</b>
</blockquote>
<div align="left"> <font face="Courier"> </font>If
you want to forward requests directed to a particular address
( <i>&lt;external IP&gt;</i> ) on your firewall to an internal
system:</div>
you want to forward requests directed to a particular
address ( <i>&lt;external IP&gt;</i> ) on your firewall
to an internal system:</div>
<blockquote>
<table border="1" cellpadding="2" cellspacing="0"
@ -334,12 +339,12 @@ in the PORT column specify the range as <i>low-port</i>:<i>high-port</i
<ul>
<li>You are
trying to test from inside your firewall (no, that
won't work -- see <a href="#faq2">FAQ #2</a>).</li>
trying to test from inside your firewall (no, that won't
work -- see <a href="#faq2">FAQ #2</a>).</li>
<li>You have
a more basic problem with your local system such as
an incorrect default gateway configured (it should be set
to the IP address of your firewall's internal interface).</li>
a more basic problem with your local system such as
an incorrect default gateway configured (it should be
set to the IP address of your firewall's internal interface).</li>
<li>Your ISP is blocking that particular port inbound.<br>
</li>
@ -364,7 +369,7 @@ the redirected port from an external host.</li>
<li>Is the packet count
in the first column non-zero? If so, the connection
request is reaching the firewall and is being redirected
to the server. In this case, the problem is usually a missing
to the server. In this case, the problem is usually a missing
or incorrect default gateway setting on the server (the server's
default gateway should be the IP address of the firewall's
interface to the server).</li>
@ -372,18 +377,18 @@ the redirected port from an external host.</li>
is zero:</li>
<ul>
<li>the connection request
is not reaching your server (possibly it is being blocked
by your ISP); or</li>
<li>you are trying to
connect to a secondary IP address on your firewall and
your rule is only redirecting the primary IP address (You
need to specify the secondary IP address in the "ORIG. DEST."
column in your DNAT rule); or</li>
<li>your DNAT rule doesn't
match the connection request in some other way. In that
case, you may have to use a packet sniffer such as tcpdump
or ethereal to further diagnose the problem.<br>
<li>the connection
request is not reaching your server (possibly it is
being blocked by your ISP); or</li>
<li>you are trying
to connect to a secondary IP address on your firewall
and your rule is only redirecting the primary IP address
(You need to specify the secondary IP address in the "ORIG.
DEST." column in your DNAT rule); or</li>
<li>your DNAT rule
doesn't match the connection request in some other
way. In that case, you may have to use a packet sniffer such
as tcpdump or ethereal to further diagnose the problem.<br>
</li>
</ul>
@ -391,8 +396,8 @@ column in your DNAT rule); or</li>
</ul>
<h4 align="left"><a name="faq1c"></a><b>1c. </b>From the internet, I want
to connect to port 1022 on my firewall and have the firewall forward the
connection to port 22 on local system 192.168.1.3. How do I do that?</h4>
to connect to port 1022 on my firewall and have the firewall forward
the connection to port 22 on local system 192.168.1.3. How do I do that?</h4>
<div align="left">
<blockquote>
@ -430,20 +435,20 @@ column in your DNAT rule); or</li>
</div>
<h4 align="left"><a name="faq2"></a>2. I port forward www requests to www.mydomain.com
(IP 130.151.100.69) to system 192.168.1.5 in my
local network. External clients can browse http://www.mydomain.com
(IP 130.151.100.69) to system 192.168.1.5 in
my local network. External clients can browse http://www.mydomain.com
but internal clients can't.</h4>
<p align="left"><b>Answer: </b>I have two objections to this setup.</p>
<ul>
<li>Having an
internet-accessible server in your local network
is like raising foxes in the corner of your hen house. If
the server is compromised, there's nothing between
that server and your other internal systems. For the cost
of another NIC and a cross-over cable, you can put your
server in a DMZ such that it is isolated from your local systems
<li>Having
an internet-accessible server in your local network
is like raising foxes in the corner of your hen house.
If the server is compromised, there's nothing between
that server and your other internal systems. For the
cost of another NIC and a cross-over cable, you can put
your server in a DMZ such that it is isolated from your local systems
- assuming that the Server can be located near the Firewall,
of course :-)</li>
<li>The accessibility
@ -451,8 +456,8 @@ of another NIC and a cross-over cable, you can put your
href="shorewall_setup_guide.htm#DNS">Bind Version 9 "views"</a>
(or using a separate DNS server for local clients) such that www.mydomain.com
resolves to 130.141.100.69 externally and 192.168.1.5
internally. That's what I do here at shorewall.net for my
local systems that use static NAT.</li>
internally. That's what I do here at shorewall.net for
my local systems that use static NAT.</li>
</ul>
@ -464,8 +469,8 @@ local systems that use static NAT.</li>
</p>
<p align="left">If you are running Shorewall 1.4.0 or earlier see <a
href="1.3/FAQ.htm#faq2">the 1.3 FAQ</a> for instructions suitable for those
releases.<br>
href="1.3/FAQ.htm#faq2">the 1.3 FAQ</a> for instructions suitable for
those releases.<br>
</p>
<p align="left">If you are running Shorewall 1.4.1 or Shorewall 1.4.1a, please
@ -613,21 +618,22 @@ releases.<br>
<h4 align="left"><a name="faq2a"></a>2a. I have a zone "Z" with an RFC1918
subnet and I use static NAT to assign non-RFC1918
addresses to hosts in Z. Hosts in Z cannot communicate
with each other using their external (non-RFC1918 addresses)
so they can't access each other using their DNS names.</h4>
with each other using their external (non-RFC1918
addresses) so they can't access each other using their DNS
names.</h4>
<p align="left"><b>Answer: </b>This is another problem that is best solved
using Bind Version 9 "views". It allows both external
and internal clients to access a NATed host using
the host's DNS name.</p>
using Bind Version 9 "views". It allows both
external and internal clients to access a NATed
host using the host's DNS name.</p>
<p align="left">Another good way to approach this problem is to switch from
static NAT to Proxy ARP. That way, the hosts
in Z have non-RFC1918 addresses and can be accessed
externally and internally using the same address. </p>
in Z have non-RFC1918 addresses and can be accessed
externally and internally using the same address. </p>
<p align="left">If you don't like those solutions and prefer routing all
Z-&gt;Z traffic through your firewall then:</p>
<p align="left">If you don't like those solutions and prefer routing all Z-&gt;Z
traffic through your firewall then:</p>
<p align="left">a) Set the Z-&gt;Z policy to ACCEPT.<br>
b) Masquerade
@ -722,10 +728,11 @@ Z to itself.<br>
<p align="left"><b>Answer: </b>There is an <a
href="http://www.kfki.hu/%7Ekadlec/sw/netfilter/newnat-suite/"> H.323 connection
tracking/NAT module</a> that may help with Netmeeting.
Look <a href="http://linux-igd.sourceforge.net">here</a> for a
solution for MSN IM but be aware that there are significant security
risks involved with this solution. Also check the Netfilter mailing
list archives at <a href="http://www.netfilter.org">http://www.netfilter.org</a>.
Look <a href="http://linux-igd.sourceforge.net">here</a> for
a solution for MSN IM but be aware that there are significant security
risks involved with this solution. Also check the Netfilter
mailing list archives at <a
href="http://www.netfilter.org">http://www.netfilter.org</a>.
</p>
<h4 align="left"><a name="faq4"></a>4. I just used an online port scanner
@ -733,10 +740,10 @@ Z to itself.<br>
as 'closed' rather than 'blocked'. Why?</h4>
<p align="left"><b>Answer: </b>The common.def included with version 1.3.x
always rejects connection requests on TCP port
113 rather than dropping them. This is necessary
always rejects connection requests on TCP
port 113 rather than dropping them. This is necessary
to prevent outgoing connection problems to services
that use the 'Auth' mechanism for identifying requesting
that use the 'Auth' mechanism for identifying requesting
users. Shorewall also rejects TCP ports 135, 137 and 139
as well as UDP ports 137-139. These are ports that are used
by Windows (Windows <u>can</u> be configured to use the DCE cell
@ -746,7 +753,7 @@ than dropping them cuts down slightly on the amount of Windows chatter
<p align="left">If you are seeing port 80 being 'closed', that's probably
your ISP preventing you from running a web
server in violation of your Service Agreement.</p>
server in violation of your Service Agreement.</p>
<h4 align="left"><a name="faq4a"></a>4a. I just ran an nmap UDP scan of my
firewall and it showed 100s of ports as open!!!!</h4>
@ -762,13 +769,14 @@ open, temporarily change your net-&gt;all policy to REJECT,
<h4><a name="faq4b"></a>4b. I have a port that I can't close no matter how
I change my rules. </h4>
I had a rule that allowed telnet from my local network to my firewall;
I removed that rule and restarted Shorewall but my telnet session still works!!!<br>
I removed that rule and restarted Shorewall but my telnet session still
works!!!<br>
<br>
<b>Answer: </b> Rules only govern the establishment of new connections.
Once a connection is established through the firewall it will be usable
until disconnected (tcp) or until it times out (other protocols).  If you
stop telnet and try to establish a new session your firerwall will block
that attempt.<br>
Once a connection is established through the firewall it will be usable until
disconnected (tcp) or until it times out (other protocols).  If you stop
telnet and try to establish a new session your firerwall will block that
attempt.<br>
<h4 align="left"><a name="faq5"></a>5. I've installed Shorewall and now I
can't ping through the firewall</h4>
@ -794,12 +802,12 @@ that attempt.<br>
<h4 align="left"><a name="faq6"></a>6. Where are the log messages written
and how do I change the destination?</h4>
<p align="left"><b>Answer: </b>NetFilter uses the kernel's equivalent of
syslog (see "man syslog") to log messages. It always uses the LOG_KERN (kern)
facility (see "man openlog") and you get to choose the log level (again,
see "man syslog") in your <a href="Documentation.htm#Policy">policies</a>
and <a href="Documentation.htm#Rules">rules</a>. The destination for messaged
logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
<p align="left"><b>Answer: </b>NetFilter uses the kernel's equivalent of syslog
(see "man syslog") to log messages. It always uses the LOG_KERN (kern) facility
(see "man openlog") and you get to choose the log level (again, see "man
syslog") in your <a href="Documentation.htm#Policy">policies</a> and <a
href="Documentation.htm#Rules">rules</a>. The destination for messaged
logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
When you have changed /etc/syslog.conf, be sure
to restart syslogd (on a RedHat system, "service syslog
restart"). </p>
@ -807,7 +815,7 @@ see "man syslog") in your <a href="Documentation.htm#Policy">policies</a>
<p align="left">By default, older versions of Shorewall ratelimited log messages
through <a href="Documentation.htm#Conf">settings</a>
in /etc/shorewall/shorewall.conf -- If you want
to log all messages, set: </p>
to log all messages, set: </p>
<div align="left">
<pre align="left"> LOGLIMIT=""<br> LOGBURST=""<br></pre>
@ -840,8 +848,8 @@ to log all messages, set: </p>
<h4 align="left"><b><a name="faq6b"></a>6b. DROP messages</b> on port 10619
are <b>flooding the logs</b> with their connect requests. Can
i exclude these error messages for this port temporarily from logging
in Shorewall?</h4>
i exclude these error messages for this port temporarily from
logging in Shorewall?</h4>
Temporarily add the following rule:<br>
<pre> DROP net fw udp 10619</pre>
@ -863,7 +871,7 @@ the <b>logunclean</b> option (<a
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>)
on your external interface (eth0 in the above example). If they get
logged twice, they are corrupted. I solve this problem by using
an /etc/shorewall/common file like this:<br>
an /etc/shorewall/common file like this:<br>
<blockquote>
<pre>#<br># Include the standard common.def file<br>#<br>. /etc/shorewall/common.def<br>#<br># The following rule is non-standard and compensates for tardy<br># DNS replies<br>#<br>run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP</pre>
@ -901,10 +909,10 @@ the <b>logunclean</b> option (<a
that command work?</h4>
<p align="left">The 'stop' command is intended to place your firewall into
a safe state whereby only those hosts listed in
/etc/shorewall/routestopped' are activated. If
you want to totally open up your firewall, you must use the
'shorewall clear' command. </p>
a safe state whereby only those hosts listed
in /etc/shorewall/routestopped' are activated.
If you want to totally open up your firewall, you must use
the 'shorewall clear' command. </p>
<h4 align="left"><a name="faq8"></a>8. When I try to start Shorewall on RedHat,
I get messages about insmod failing -- what's wrong?</h4>
@ -948,9 +956,9 @@ you want to totally open up your firewall, you must use the
</div>
<div align="left">
<p align="left"><b>Answer: </b>The above output is perfectly normal. The
Net zone is defined as all hosts that are connected through eth0 and the
local zone is defined as all hosts connected through eth1</p>
<p align="left"><b>Answer: </b>The above output is perfectly normal. The Net
zone is defined as all hosts that are connected through eth0 and the local
zone is defined as all hosts connected through eth1</p>
</div>
<h4 align="left"><a name="faq10"></a>10. What Distributions does it work
@ -981,18 +989,17 @@ local zone is defined as all hosts connected through eth1</p>
<h4 align="left"> <a name="faq14"></a>14. I'm connected via a cable modem
and it has an internal web server that allows
me to configure/monitor it but as expected if I enable
rfc1918 blocking for my eth0 interface (the internet
one), it also blocks the cable modems web server.</h4>
me to configure/monitor it but as expected if I
enable rfc1918 blocking for my eth0 interface (the
internet one), it also blocks the cable modems web server.</h4>
<p align="left">Is there any way it can add a rule before the rfc1918 blocking
that will let all traffic to and from the 192.168.100.1
address of the modem in/out but still block all other
rfc1918 addresses?</p>
address of the modem in/out but still block all
other rfc1918 addresses?</p>
<p align="left"><b>Answer: </b>If you are running a version of Shorewall
earlier than 1.3.1, create /etc/shorewall/start and in it, place the
following:</p>
<p align="left"><b>Answer: </b>If you are running a version of Shorewall earlier
than 1.3.1, create /etc/shorewall/start and in it, place the following:</p>
<div align="left">
<pre> run_iptables -I rfc1918 -s 192.168.100.1 -j ACCEPT</pre>
@ -1029,9 +1036,9 @@ following:</p>
</p>
<p align="left">Note: If you add a second IP address to your external firewall
interface to correspond to the modem address, you
must also make an entry in /etc/shorewall/rfc1918 for
that address. For example, if you configure the address
interface to correspond to the modem address,
you must also make an entry in /etc/shorewall/rfc1918
for that address. For example, if you configure the address
192.168.100.2 on your firewall, then you would add two entries
to /etc/shorewall/rfc1918: <br>
</p>
@ -1070,10 +1077,10 @@ following:</p>
</div>
<div align="left">
<h4 align="left"><a name="faq14a"></a>14a. Even though it assigns public
IP addresses, my ISP's DHCP server has an RFC 1918 address. If I enable
RFC 1918 filtering on my external interface, my DHCP client cannot renew
its lease.</h4>
<h4 align="left"><a name="faq14a"></a>14a. Even though it assigns public IP
addresses, my ISP's DHCP server has an RFC 1918 address. If I enable RFC
1918 filtering on my external interface, my DHCP client cannot renew its
lease.</h4>
</div>
<div align="left">
@ -1085,10 +1092,10 @@ its lease.</h4>
the net</h4>
<p align="left"><b>Answer: </b>Every time I read "systems can't see out to
the net", I wonder where the poster bought computers
with eyes and what those computers will "see" when
things are working properly. That aside, the most common
causes of this problem are:</p>
the net", I wonder where the poster bought
computers with eyes and what those computers will
"see" when things are working properly. That aside,
the most common causes of this problem are:</p>
<ol>
<li>
@ -1115,19 +1122,19 @@ its lease.</h4>
all over my console making it unusable!</h4>
<p align="left"><b>Answer: </b>If you are running Shorewall version 1.4.4
or 1.4.4a then check the <a href="errata.htm">errata.</a> Otherwise, see
the 'dmesg' man page ("man dmesg"). You must add a suitable 'dmesg' command
or 1.4.4a then check the <a href="errata.htm">errata.</a> Otherwise, see the
'dmesg' man page ("man dmesg"). You must add a suitable 'dmesg' command
to your startup scripts or place it in /etc/shorewall/start.
Under RedHat, the max log level that is sent
to the console is specified in /etc/sysconfig/init in
the LOGLEVEL variable.<br>
to the console is specified in /etc/sysconfig/init
in the LOGLEVEL variable.<br>
</p>
<h4><a name="faq17"></a>17. How do I find out why this traffic is getting
logged?</h4>
<b>Answer: </b>Logging
occurs out of a number of chains (as indicated in
the log message) in Shorewall:<br>
the log message) in Shorewall:<br>
<ol>
<li><b>man1918 -
@ -1140,24 +1147,25 @@ the LOGLEVEL variable.<br>
href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li>
<li><b>all2&lt;zone&gt;</b>,
<b>&lt;zone&gt;2all</b> or <b>all2all
</b>- You have a<a href="Documentation.htm#Policy"> policy</a> that
specifies a log level and this packet is being logged
under that policy. If you intend to ACCEPT this traffic
then you need a <a href="Documentation.htm#Rules">rule</a> to that effect.<br>
</b>- You have a<a href="Documentation.htm#Policy"> policy</a>
that specifies a log level and this packet is being
logged under that policy. If you intend to ACCEPT this
traffic then you need a <a href="Documentation.htm#Rules">rule</a> to
that effect.<br>
</li>
<li><b>&lt;zone1&gt;2&lt;zone2&gt;
</b>- Either you have a<a
href="Documentation.htm#Policy"> policy</a> for <b>&lt;zone1&gt;
</b>to <b>&lt;zone2&gt;</b> that specifies a log level and
this packet is being logged under that policy or this packet
matches a <a href="Documentation.htm#Rules">rule</a> that includes
a log level.</li>
matches a <a href="Documentation.htm#Rules">rule</a> that
includes a log level.</li>
<li><b>&lt;interface&gt;_mac</b>
- The packet is being logged under the <b>maclist</b>
<a href="Documentation.htm#Interfaces">interface option</a>.<br>
</li>
<li><b>logpkt</b>
- The packet is being logged under the <b>logunclean</b>
- The packet is being logged under the <b>logunclean</b>
<a href="Documentation.htm#Interfaces">interface option</a>.</li>
<li><b>badpkt </b>-
The packet is being logged under the <b>dropunclean</b>
@ -1170,18 +1178,17 @@ then you need a <a href="Documentation.htm#Rules">rule</a> to that effect.<br
</a>file.</li>
<li><b>newnotsyn
</b>- The packet is being logged because it is a
TCP packet that is not part of any current connection yet
it is not a syn packet. Options affecting the logging of such
TCP packet that is not part of any current connection yet
it is not a syn packet. Options affecting the logging of such
packets include <b>NEWNOTSYN </b>and <b>LOGNEWNOTSYN
</b>in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
<li><b>INPUT</b> or
<b>FORWARD</b> - The packet has a source IP address
<li><b>INPUT</b>
or <b>FORWARD</b> - The packet has a source IP address
that isn't in any of your defined zones ("shorewall check"
and look at the printed zone definitions) or the chain is
FORWARD and the destination IP isn't in any of your defined
zones.</li>
<li><b>logflags </b>- The packet
is being logged because it failed the checks implemented
and look at the printed zone definitions) or the chain is FORWARD
and the destination IP isn't in any of your defined zones.</li>
<li><b>logflags </b>- The
packet is being logged because it failed the checks implemented
by the <b>tcpflags </b><a
href="Documentation.htm#Interfaces">interface option</a>.<br>
</li>
@ -1192,22 +1199,22 @@ FORWARD and the destination IP isn't in any of your defined
with Shorewall, and maintain separate rulesets for
different IPs?</h4>
<b>Answer: </b>Yes. See
<a href="Shorewall_and_Aliased_Interfaces.html">Shorewall and Aliased Interfaces</a>.
<a href="Shorewall_and_Aliased_Interfaces.html">Shorewall and Aliased Interfaces</a>.
<h4><b><a name="faq19"></a>19. </b>I have added entries to /etc/shorewall/tcrules
but they don't seem to do anything. Why?</h4>
You probably haven't set TC_ENABLED=Yes
in /etc/shorewall/shorewall.conf so the contents of
the tcrules file are simply being ignored.<br>
the tcrules file are simply being ignored.<br>
<h4><a name="faq20"></a><b>20. </b>I have just set up a server. <b>Do I have
to change Shorewall to allow access to my server from
the internet?</b><br>
</h4>
Yes. Consult the <a
href="shorewall_quickstart_guide.htm">QuickStart guide</a> that you
used during your initial setup for information about how to set up
rules for your server.<br>
href="shorewall_quickstart_guide.htm">QuickStart guide</a> that
you used during your initial setup for information about how to set
up rules for your server.<br>
<h4><a name="faq21"></a><b>21. </b>I see these <b>strange log entries </b>occasionally;
what are they?<br>
@ -1221,49 +1228,49 @@ rules for your server.<br>
<br>
<b>Answer: </b>While most people
associate the Internet Control Message Protocol (ICMP)
with 'ping', ICMP is a key piece of the internet. ICMP is
used to report problems back to the sender of a packet; this is
what is happening here. Unfortunately, where NAT is involved (including
SNAT, DNAT and Masquerade), there are a lot of broken implementations.
That is what you are seeing with these messages.<br>
with 'ping', ICMP is a key piece of the internet. ICMP
is used to report problems back to the sender of a packet; this
is what is happening here. Unfortunately, where NAT is involved
(including SNAT, DNAT and Masquerade), there are a lot of broken
implementations. That is what you are seeing with these messages.<br>
<br>
Here is my interpretation of what
is happening -- to confirm this analysis, one would have
to have packet sniffers placed a both ends of the connection.<br>
to have packet sniffers placed a both ends of the connection.<br>
<br>
Host 172.16.1.10 behind NAT gateway
206.124.146.179 sent a UDP DNS query to 192.0.2.3 and
your DNS server tried to send a response (the response information
is in the brackets -- note source port 53 which marks this as a
DNS reply). When the response was returned to to 206.124.146.179,
it rewrote the destination IP TO 172.16.1.10 and forwarded the packet
to 172.16.1.10 who no longer had a connection on UDP port 2857.
This causes a port unreachable (type 3, code 3) to be generated back
to 192.0.2.3. As this packet is sent back through 206.124.146.179,
your DNS server tried to send a response (the response information
is in the brackets -- note source port 53 which marks this as
a DNS reply). When the response was returned to to 206.124.146.179,
it rewrote the destination IP TO 172.16.1.10 and forwarded the
packet to 172.16.1.10 who no longer had a connection on UDP port
2857. This causes a port unreachable (type 3, code 3) to be generated
back to 192.0.2.3. As this packet is sent back through 206.124.146.179,
that box correctly changes the source address in the packet to 206.124.146.179
but doesn't reset the DST IP in the original DNS response similarly.
When the ICMP reaches your firewall (192.0.2.3), your firewall has
no record of having sent a DNS reply to 172.16.1.10 so this ICMP doesn't
appear to be related to anything that was sent. The final result
is that the packet gets logged and dropped in the all2all chain. I have
also seen cases where the source IP in the ICMP itself isn't set back
to the external IP of the remote NAT gateway; that causes your firewall
to log and drop the packet out of the rfc1918 chain because the source
IP is reserved by RFC 1918.<br>
no record of having sent a DNS reply to 172.16.1.10 so this ICMP
doesn't appear to be related to anything that was sent. The final
result is that the packet gets logged and dropped in the all2all
chain. I have also seen cases where the source IP in the ICMP itself
isn't set back to the external IP of the remote NAT gateway; that causes
your firewall to log and drop the packet out of the rfc1918 chain because
the source IP is reserved by RFC 1918.<br>
<h4><a name="faq22"></a><b>22. </b>I have some <b>iptables commands </b>that
I want to <b>run when Shorewall starts.</b> Which file do
I put them in?</h4>
You can place these commands in
one of the <a href="shorewall_extension_scripts.htm">Shorewall Extension
I want to <b>run when Shorewall starts.</b> Which file
do I put them in?</h4>
You can place these commands
in one of the <a href="shorewall_extension_scripts.htm">Shorewall Extension
Scripts</a>. Be sure that you look at the contents of the chain(s) that
you will be modifying with your commands to be sure that the
commands will do what they are intended. Many iptables commands
published in HOWTOs and other instructional material use the -A
command which adds the rules to the end of the chain. Most chains
that Shorewall constructs end with an unconditional DROP, ACCEPT or
REJECT rule and any rules that you add after that will be ignored.
Check "man iptables" and look at the -I (--insert) command.<br>
that Shorewall constructs end with an unconditional DROP, ACCEPT or REJECT
rule and any rules that you add after that will be ignored. Check
"man iptables" and look at the -I (--insert) command.<br>
<h4><a name="faq23"></a><b>23. </b>Why do you use such ugly fonts on your
web site?</h4>
@ -1273,7 +1280,8 @@ so the fonts you see are largely the default fonts configured in
your browser. If you don't like them then reconfigure your browser.<br>
<h4><a name="faq24"></a>24. How can I <b>allow conections</b> to let's say
the ssh port only<b> from specific IP Addresses</b> on the internet?</h4>
the ssh port only<b> from specific IP Addresses</b> on the
internet?</h4>
In the SOURCE column of the rule, follow "net"
by a colon and a list of the host/subnet addresses as a comma-separated
list.<br>
@ -1291,11 +1299,18 @@ your browser. If you don't like them then reconfigure your browser.<br>
At the shell prompt, type:<br>
<br>
<font color="#009900"><b> /sbin/shorewall version</b></font><br>
<br>
<font size="2">Last updated 5/29/2003 - <a
<h4><a name="faq26"></a><b>26. </b>When I try to use any of the SYN options
in nmap on or behind the firewall, I get "operation not permitted". How can
I use nmap with Shorewall?"</h4>
Edit /etc/shorewall/shorewall.conf and change "NEWNOTSYN=No" to "NEWNOTSYN=Yes"
then restart Shorewall.<br>
<br>
<font size="2">Last updated 6/29/2003 - <a
href="support.htm">Tom Eastep</a></font>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
</p>
<br>
</body>
</html>

53
Shorewall-docs/MAC_Validation.html
View File

@ -37,18 +37,18 @@
<ol>
<li>The <b>maclist</b> interface option in <a
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. When
this option is specified, all traffic arriving on the interface is subjet
to MAC verification.</li>
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. When this
option is specified, all traffic arriving on the interface is subjet to MAC
verification.</li>
<li>The <b>maclist </b>option in <a
href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>. When this option
is specified for a subnet, all traffic from that subnet is subject to
MAC verification.</li>
is specified for a subnet, all traffic from that subnet is subject to MAC
verification.</li>
<li>The /etc/shorewall/maclist file. This file is used to associate
MAC addresses with interfaces and to optionally associate IP addresses
with MAC addresses.</li>
<li>The <b>MACLIST_DISPOSITION </b>and <b>MACLIST_LOG_LEVEL </b>variables
in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a>
<li>The <b>MACLIST_DISPOSITION </b>and <b>MACLIST_LOG_LEVEL
</b>variables in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a>
The MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT
and determines the disposition of connection requests that fail MAC verification.
The MACLIST_LOG_LEVEL variable gives the syslogd level at which connection
@ -64,49 +64,51 @@ not logged.<br>
<li>INTERFACE - The name of an ethernet interface on the Shorewall
system.</li>
<li>MAC - The MAC address of a device on the ethernet segment
connected by INTERFACE. It is not necessary to use the Shorewall MAC format
in this column although you may use that format if you so choose.</li>
connected by INTERFACE. It is not necessary to use the Shorewall MAC
format in this column although you may use that format if you so choose.</li>
<li>IP Address - An optional comma-separated list of IP addresses
for the device whose MAC is listed in the MAC column.</li>
</ul>
<h3>Example 1: Here are my files:</h3>
<h3>Example 1: Here are my files (look <a href="myfiles.htm">here</a> for
details about my setup):</h3>
<b>/etc/shorewall/shorewall.conf:<br>
</b>
<pre> MACLIST_DISPOSITION=REJECT<br> MACLIST_LOG_LEVEL=info<br></pre>
<b>/etc/shorewall/interfaces:</b><br>
<blockquote>
<pre>#ZONE INTERFACE BROADCAST OPTIONS<br>net eth0 206.124.146.255 dhcp,norfc1918,routefilter,blacklist,tcpflags<br>loc eth2 192.168.1.255 dhcp<br>dmz eth1 192.168.2.255<br>wap eth3 192.168.3.255 dhcp,maclist<br>- texas 192.168.9.255</pre>
<pre>#ZONE INTERFACE BROADCAST OPTIONS<br>net eth0 206.124.146.255 dhcp,norfc1918,routefilter,blacklist,tcpflags<br>loc eth2 192.168.1.255 dhcp<br>dmz eth1 192.168.2.255<br>WiFi eth3 192.168.3.255 dhcp,maclist<br>- texas 192.168.9.255</pre>
</blockquote>
<b>/etc/shorewall/maclist:</b><br>
<blockquote>
<pre>#INTERFACE MAC IP ADDRESSES (Optional)<br>eth3 00:A0:CC:A2:0C:A0 192.168.3.7 #Work Laptop<br>eth3 00:04:5a:fe:85:b9 192.168.3.250 #WAP11<br>eth3 00:06:25:56:33:3c #WET11<br>eth3 00:0b:cd:C4:cc:97 192.168.3.8 #TIPPER</pre>
<pre>#INTERFACE MAC IP ADDRESSES (Optional)<br>eth3 00:A0:CC:A2:0C:A0 192.168.3.7 #Work Laptop<br>eth3 00:04:5a:fe:85:b9 192.168.3.250 #WAP11<br>eth3 00:06:25:56:33:3c 192.168.3.225,192.168.3.8 #WET11<br>eth3 00:0b:cd:C4:cc:97 192.168.3.8 #TIPPER</pre>
</blockquote>
As shown above, I use MAC Verification on my wireless zone.<br>
<br>
<b>Note: </b>The WET11 is a somewhat curious device; when forwarding DHCP
traffic, it uses the MAC address of the host (TIPPER) but for other forwarded
traffic it uses it's own MAC address. Consequently, I don't assign the WET11
a fixed IP address in /etc/shorewall/maclist.<br>
<br>
<b>Note: </b>While marketed as a wireless bridge, the WET11 behaves like
a wireless router with DHCP relay. When forwarding DHCP traffic, it uses
the MAC address of the host (TIPPER) but for other forwarded traffic it uses
it's own MAC address. Consequently, I list the IP addresses of both devices
in /etc/shorewall/maclist.<br>
<h3>Example 2: Router in Local Zone</h3>
<h3>Example 2: Router in Wireless Zone</h3>
Suppose now that I add a second wireless segment to my wireless
zone and gateway that segment via a router with MAC address 00:06:43:45:C6:15
zone and gateway that segment via a router with MAC address 00:06:43:45:C6:15
and IP address 192.168.3.253. Hosts in the second segment have IP addresses
in the subnet 192.168.4.0/24. I would add the following entry to my /etc/shorewall/maclist
file:<br>
<pre> eth3 00:06:43:45:C6:15 192.168.3.253,192.168.4.0/24<br></pre>
This entry accomodates traffic from the router itself (192.168.3.253)
and from the second wireless segment (192.168.4.0/24). Remember that
all traffic being sent to my firewall from the 192.168.4.0/24 segment
will be forwarded by the router so that traffic's MAC address will be
that of the router (00:06:43:45:C6:15) and not that of the host sending
the traffic.
<p><font size="2"> Updated 6/10/2002 - <a href="support.htm">Tom Eastep</a>
and from the second wireless segment (192.168.4.0/24). Remember that all
traffic being sent to my firewall from the 192.168.4.0/24 segment will
be forwarded by the router so that traffic's MAC address will be that
of the router (00:06:43:45:C6:15) and not that of the host sending the
traffic.
<p><font size="2"> Updated 6/30/2002 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy;
@ -116,5 +118,6 @@ the traffic.
<br>
<br>
<br>
<br>
</body>
</html>

907
Shorewall-docs/News.htm
View File

File diff suppressed because it is too large Load Diff

55
Shorewall-docs/Shorewall_Squid_Usage.html
View File

@ -56,21 +56,23 @@ to run as a transparent proxy as described at <a
<b><img src="images/BD21298_3.gif" alt="" width="13"
height="13">
</b>&nbsp;&nbsp;&nbsp; When the Squid server is in the DMZ zone
or in the local zone, that zone must be defined ONLY by its interface --
no /etc/shorewall/hosts file entries. That is because the packets being
routed to the Squid server still have their original destination IP addresses.<br>
or in the local zone, that zone must be defined ONLY by its interface
-- no /etc/shorewall/hosts file entries. That is because the packets being
routed to the Squid server still have their original destination IP addresses.<br>
<br>
<b><img src="images/BD21298_3.gif" alt="" width="13"
height="13">
</b>&nbsp;&nbsp;&nbsp; You must have iptables installed on your
Squid server.<br>
Squid server.<br>
<br>
<b><img src="images/BD21298_3.gif" alt="" width="13"
height="13">
</b>&nbsp;&nbsp;&nbsp; You must have NAT and MANGLE enabled in
your /etc/shorewall/conf file<br>
</b>&nbsp;&nbsp;&nbsp; If you run a Shorewall version earlier
than 1.4.6, you must have NAT and MANGLE enabled in your /etc/shorewall/conf
file<br>
<br>
&nbsp;&nbsp;&nbsp; <b><font color="#009900">&nbsp;&nbsp;&nbsp; NAT_ENABLED=Yes<br>
&nbsp;&nbsp;&nbsp; <b><font color="#009900">&nbsp;&nbsp;&nbsp;
NAT_ENABLED=Yes<br>
</font></b>&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; <font
color="#009900"><b>MANGLE_ENABLED=Yes</b></font><br>
<br>
@ -79,8 +81,8 @@ your /etc/shorewall/conf file<br>
<ol>
<li><a href="Shorewall_Squid_Usage.html#Firewall">Squid running
on the Firewall.</a></li>
<li><a href="Shorewall_Squid_Usage.html#Local">Squid running in
the local network</a></li>
<li><a href="Shorewall_Squid_Usage.html#Local">Squid running
in the local network</a></li>
<li><a href="Shorewall_Squid_Usage.html#DMZ">Squid running in
the DMZ</a></li>
@ -90,9 +92,9 @@ the DMZ</a></li>
You want to redirect all local www connection requests EXCEPT
those to your own
http server (206.124.146.177)
to a Squid transparent
proxy running on the firewall and listening on port 3128. Squid
will of course require access to remote web servers.<br>
to a Squid
transparent proxy running on the firewall and listening on port
3128. Squid will of course require access to remote web servers.<br>
<br>
In /etc/shorewall/rules:<br>
<br>
@ -142,22 +144,25 @@ the DMZ</a></li>
or networks from being redirected. For example, you might also want requests
destined for 130.252.100.0/24 to not be routed to Squid. In that case, you
must add a manual rule in /etc/shorewall/start:<br>
<blockquote>
<pre>run_iptables -t nat -I loc_dnat -p tcp --dport www -d 130.252.100.0/24 -j RETURN<br></pre>
</blockquote>
&nbsp;To exclude additional hosts or networks, just add additional similar
</blockquote>
&nbsp;To exclude additional hosts or networks, just add additional similar
rules.<br>
<h2><a name="Local"></a>Squid Running in the local network</h2>
You want to redirect all local www connection requests to a
Squid transparent
proxy running in your local zone at 192.168.1.3 and listening on port
3128. Your local interface is eth1. There may also be a web server running
on 192.168.1.3. It is assumed that web access is already enabled from the
local zone to the internet.<br>
on 192.168.1.3. It is assumed that web access is already enabled from
the local zone to the internet.<br>
<p><font color="#ff0000"><b>WARNING: </b></font>This setup may conflict with
other aspects of your gateway including but not limited to traffic shaping
and route redirection. For that reason, <b>I don't recommend it</b>.<br>
other aspects of your gateway including but not limited to traffic
shaping and route redirection. For that reason, <b>I don't recommend
it</b>.<br>
</p>
<ul>
@ -251,7 +256,7 @@ please upgrade to Shorewall 1.4.2 or later.<br>
</li>
<br>
<li>Alternativfely, if you are running Shorewall 1.4.0 you can have the
following policy in place of the above rule:<br>
following policy in place of the above rule:<br>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
@ -294,8 +299,8 @@ following policy in place of the above rule:<br>
</blockquote>
<ul>
<li>On 192.168.1.3, arrange for the following command to be executed
after networking has come up<br>
<li>On 192.168.1.3, arrange for the following command to be
executed after networking has come up<br>
<pre><b><font color="#009900">iptables -t nat -A PREROUTING -i eth0 -d ! 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 3128</font></b><br></pre>
</li>
@ -317,8 +322,8 @@ following policy in place of the above rule:<br>
<h2><a name="DMZ"></a>Squid Running in the DMZ (This is what I do)</h2>
You have a single Linux system in your DMZ with IP address 192.0.2.177.
You want to run both a web server and Squid on that system. Your DMZ interface
is eth1 and your local interface is eth2.<br>
You want to run both a web server and Squid on that system. Your DMZ
interface is eth1 and your local interface is eth2.<br>
<ul>
<li>On your firewall system, issue the following command<br>
@ -520,12 +525,10 @@ following command to be executed after networking has come up<br>
<blockquote> </blockquote>
<p><font size="-1"> Updated 5/29/2003 - <a href="support.htm">Tom Eastep</a>
<p><font size="-1"> Updated 6/27/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<a href="copyright.htm"><font size="2">Copyright</font> &copy;
<font size="2">2003 Thomas M. Eastep.</font></a><br>
<br>
<br>
</body>
</html>

93
Shorewall-docs/Shorewall_and_Aliased_Interfaces.html
View File

@ -34,12 +34,12 @@ ifconfig treats them more or less like real interfaces.<br>
Example:<br>
<pre>[root@gateway root]# ifconfig eth0:0<br>eth0:0 Link encap:Ethernet HWaddr 02:00:08:3:FA:55<br> inet addr:206.124.146.178 Bcast:206.124.146.255 Mask:255.255.255.0<br> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br> Interrupt:11 Base address:0x2000<br>[root@gateway root]# <br></pre>
The ifconfig utility is being gradually phased out in favor of the <i>ip</i>
utility which is part of the <i>iproute </i>package. The ip utility does
not use the concept of aliases or virtual interfaces but rather treats
additional addresses on an interface as objects. The ip utility does provide
for interaction with ifconfig in that it allows addresses to be <i>labeled
</i>and labels may take the form of ipconfig virtual interfaces.<br>
The ifconfig utility is being gradually phased out in favor of the
<i>ip</i> utility which is part of the <i>iproute </i>package. The ip
utility does not use the concept of aliases or virtual interfaces but rather
treats additional addresses on an interface as objects. The ip utility
does provide for interaction with ifconfig in that it allows addresses
to be <i>labeled </i>and labels may take the form of ipconfig virtual interfaces.<br>
<br>
Example:<br>
<br>
@ -49,9 +49,9 @@ for interaction with ifconfig in that it allows addresses to be <i>labeled
"eth0:0" is a label for a particular address rather than a device name.<br>
<pre>[root@gateway root]# ip addr show dev eth0:0<br>Device "eth0:0" does not exist.<br>[root@gateway root]#<br></pre>
The iptables program doesn't support virtual interfaces in either it's
"-i" or "-o" command options; as a consequence, Shorewall does not allow
them to be used in the /etc/shorewall/interfaces file.<br>
The iptables program doesn't support virtual interfaces in either
it's "-i" or "-o" command options; as a consequence, Shorewall does not
allow them to be used in the /etc/shorewall/interfaces file.<br>
<br>
<h2>So how do I handle more than one address on an interface?</h2>
@ -59,9 +59,9 @@ for interaction with ifconfig in that it allows addresses to be <i>labeled
In the sub-sections that follow, we'll take a look at common scenarios.<br>
<h3>Separate Rules</h3>
If you need to make a rule for traffic to/from the firewall itself that
only applies to a particular IP address, simply qualify the $FW zone with
the IP address.<br>
If you need to make a rule for traffic to/from the firewall itself
that only applies to a particular IP address, simply qualify the $FW zone
with the IP address.<br>
<br>
Example (allow SSH from net to eth0:0 above):<br>
<br>
@ -213,12 +213,45 @@ the INTERFACE column as follows:<br>
</tbody>
</table>
<br>
</blockquote>
Shorewall can also set up SNAT to round-robin over a range of IP addresses.
Do do that, you specify a range of IP addresses in the ADDRESS column. If
you specify a label in the INTERFACE column, Shorewall will use that label
for the first address of the range and will increment the label by one for
each subsequent label.<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>INTERFACE<br>
</b></td>
<td valign="top"><b>SUBNET<br>
</b></td>
<td valign="top"><b>ADDRESS<br>
</b></td>
</tr>
<tr>
<td valign="top">eth0:0<br>
</td>
<td valign="top">eth1<br>
</td>
<td valign="top">206.124.146.178-206.124.146.180<br>
</td>
</tr>
</tbody>
</table>
</blockquote>
The above would create three IP addresses:<br>
<br>
&nbsp;&nbsp;&nbsp; eth0:0 = 206.124.146.178<br>
&nbsp;&nbsp;&nbsp; eth0:1 = 206.124.146.179<br>
&nbsp;&nbsp;&nbsp; eth0:2 = 206.124.146.180<br>
<h3>STATIC NAT</h3>
If you wanted to use static NAT to link eth0:0 with local address 192.168.1.3,
you would have the following in /etc/shorewall/nat:<br>
If you wanted to use static NAT to link eth0:0 with local address
192.168.1.3, you would have the following in /etc/shorewall/nat:<br>
<br>
<blockquote>
@ -257,8 +290,8 @@ the INTERFACE column as follows:<br>
set ADD_IP_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with
Shorewall 1.3.14, Shorewall can actually create the "label" (virtual interface)
so that you can see the created address using ifconfig. In addition to
setting ADD_IP_ALIASES=Yes, you specify the virtual interface name in
the INTERFACE column as follows:<br>
setting ADD_IP_ALIASES=Yes, you specify the virtual interface name in the
INTERFACE column as follows:<br>
<br>
<blockquote>
@ -343,12 +376,12 @@ you simply qualify the local zone with the internal IP address.<br>
<h3>MULTIPLE SUBNETS</h3>
Sometimes multiple IP addresses are used because there are multiple
subnetworks configured on a LAN segment. This technique does not provide
for any security between the subnetworks if the users of the systems have
administrative privileges because in that case, the users can simply manipulate
their system's routing table to bypass your firewall/router. Nevertheless,
there are cases where you simply want to consider the LAN segment itself
as a zone and allow your firewall/router to route between the two subnetworks.<br>
subnetworks configured on a LAN segment. This technique does not provide
for any security between the subnetworks if the users of the systems have
administrative privileges because in that case, the users can simply manipulate
their system's routing table to bypass your firewall/router. Nevertheless,
there are cases where you simply want to consider the LAN segment itself
as a zone and allow your firewall/router to route between the two subnetworks.<br>
<br>
Example 1: &nbsp;Local interface eth1 interfaces to 192.168.1.0/24
and 192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and
@ -497,8 +530,8 @@ the two subnetworks.<br>
Example 2: Local interface eth1 interfaces to 192.168.1.0/24 and 192.168.20.0/24.
The primary IP address of eth1 is 192.168.1.254 and eth1:0 is 192.168.20.254.
You want to make these subnetworks into separate zones and control the
access between them (the users of the systems do not have administrative
privileges).<br>
access between them (the users of the systems do not have administrative
privileges).<br>
<br>
In /etc/shorewall/zones:<br>
<br>
@ -607,17 +640,11 @@ privileges).<br>
that you want to permit.<br>
<br>
<p align="left"><font size="2">Last Updated 5/8/2003 A - <a
<p align="left"><font size="2">Last Updated 6/22/2003 A - <a
href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy;
<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
<br>
</p>
<br>
<br>
<br>
<br>
<br>
</p>
</body>
</html>

21
Shorewall-docs/Shorewall_index_frame.htm
View File

@ -43,19 +43,17 @@
<li> <a
href="download.htm">Download</a><br>
</li>
<li> <a href="Install.htm">Installation/Upgrade/</a><br>
<li> <a
href="Install.htm">Installation/Upgrade/</a><br>
<a href="Install.htm">Configuration</a><br>
</li>
<li> <a
href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a><br>
</li>
<li>
<b><a href="shorewall_quickstart_guide.htm#Documentation">Documentation
Index</a></b></li>
<li> <a
href="Documentation.htm">Reference Manual</a></li>
<li> <a
href="FAQ.htm">FAQs</a></li>
<b><a href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></b></li>
<li> <a href="FAQ.htm">FAQs</a></li>
<li><a
href="useful_links.html">Useful Links</a><br>
</li>
@ -73,11 +71,12 @@ Index</a></b></li>
<li><a href="1.3"
target="_top">Shorewall 1.3 Site</a></li>
<li><a
href="http://www1.shorewall.net/1.2/index.htm" target="_top">Shorewall 1.2
Site</a></li>
href="http://www1.shorewall.net/1.2/index.htm" target="_top">Shorewall
1.2 Site</a></li>
<li><a href="shorewall_mirrors.htm">Mirrors</a>
<ul>
<li><a
target="_top" href="http://slovakia.shorewall.net">Slovak Republic</a></li>
@ -91,13 +90,15 @@ Site</a></li>
<li><a href="http://shorewall.syachile.cl"
target="_top">Chile</a></li>
<li><a href="http://shorewall.greshko.com"
target="_top">Taiwan</a><br>
target="_top">Taiwan</a></li>
<li><a href="http://argentina.shorewall.net" target="_top">Argentina</a><br>
</li>
<li><a
href="http://www.shorewall.net" target="_top">Washington State, USA</a><br>
</li>
</ul>
</li>

20
Shorewall-docs/Shorewall_sfindex_frame.htm
View File

@ -43,19 +43,17 @@
<li> <a
href="download.htm">Download</a><br>
</li>
<li> <a href="Install.htm">Installation/Upgrade/</a><br>
<li> <a
href="Install.htm">Installation/Upgrade/</a><br>
<a href="Install.htm">Configuration</a><br>
</li>
<li> <a
href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a><br>
</li>
<li>
<b><a href="shorewall_quickstart_guide.htm#Documentation">Documentation
Index</a></b></li>
<li> <a
href="Documentation.htm">Reference Manual</a></li>
<li> <a
href="FAQ.htm">FAQs</a></li>
<b><a href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></b></li>
<li> <a href="FAQ.htm">FAQs</a></li>
<li><a
href="useful_links.html">Useful Links</a><br>
</li>
@ -73,8 +71,8 @@ Index</a></b></li>
</li>
<li><a href="1.3" target="_top">Shorewall 1.3 Site</a></li>
<li><a
href="http://www1.shorewall.net/1.2/index.htm" target="_top">Shorewall
1.2 Site</a></li>
href="http://www1.shorewall.net/1.2/index.htm" target="_top">Shorewall 1.2
Site</a></li>
<li><a href="shorewall_mirrors.htm">Mirrors</a>
@ -91,13 +89,15 @@ Index</a></b></li>
<li><a href="http://shorewall.syachile.cl"
target="_top">Chile</a></li>
<li><a href="http://shorewall.greshko.com"
target="_top">Taiwan</a><br>
target="_top">Taiwan</a></li>
<li><a href="http://argentina.shorewall.net" target="_top">Argentina</a><br>
</li>
<li><a
href="http://www.shorewall.net" target="_top">Washington State, USA</a><br>
</li>
</ul>
</li>

130
Shorewall-docs/configuration_file_basics.htm
View File

@ -39,9 +39,9 @@ files on a system running Microsoft Windows, you <u>must</u>
<ul>
<li>/etc/shorewall/shorewall.conf - used to set
several firewall parameters.</li>
<li>/etc/shorewall/params - use this file to set
shell variables that you will expand in other files.</li>
several firewall parameters.</li>
<li>/etc/shorewall/params - use this file to
set shell variables that you will expand in other files.</li>
<li>/etc/shorewall/zones - partition the firewall's
view of the world into <i>zones.</i></li>
<li>/etc/shorewall/policy - establishes firewall
@ -51,36 +51,37 @@ interfaces on the firewall system.</li>
<li>/etc/shorewall/hosts - allows defining zones
in terms of individual hosts and subnetworks.</li>
<li>/etc/shorewall/masq - directs the firewall
where to use many-to-one (dynamic) Network Address Translation
(a.k.a. Masquerading) and Source Network Address Translation
(SNAT).</li>
where to use many-to-one (dynamic) Network Address Translation
(a.k.a. Masquerading) and Source Network Address Translation
(SNAT).</li>
<li>/etc/shorewall/modules - directs the firewall
to load kernel modules.</li>
<li>/etc/shorewall/rules - defines rules that
are exceptions to the overall policies established in /etc/shorewall/policy.</li>
<li>/etc/shorewall/nat - defines static NAT rules.</li>
<li>/etc/shorewall/proxyarp - defines use of Proxy
ARP.</li>
<li>/etc/shorewall/proxyarp - defines use of
Proxy ARP.</li>
<li>/etc/shorewall/routestopped (Shorewall 1.3.4
and later) - defines hosts accessible when Shorewall is stopped.</li>
<li>/etc/shorewall/tcrules - defines marking of
packets for later use by traffic control/shaping or policy routing.</li>
<li>/etc/shorewall/tcrules - defines marking
of packets for later use by traffic control/shaping or policy
routing.</li>
<li>/etc/shorewall/tos - defines rules for setting
the TOS field in packet headers.</li>
<li>/etc/shorewall/tunnels - defines IPSEC, GRE
and IPIP tunnels with end-points on the firewall system.</li>
and IPIP tunnels with end-points on the firewall system.</li>
<li>/etc/shorewall/blacklist - lists blacklisted
IP/subnet/MAC addresses.</li>
<li>/etc/shorewall/init - commands that you wish to execute at the
beginning of a "shorewall start" or "shorewall restart".</li>
<li>/etc/shorewall/start - commands that you wish to execute at the
completion of a "shorewall start" or "shorewall restart"</li>
beginning of a "shorewall start" or "shorewall restart".</li>
<li>/etc/shorewall/start - commands that you wish to execute at
the completion of a "shorewall start" or "shorewall restart"</li>
<li>/etc/shorewall/stop - commands that you wish to execute at the
beginning of a "shorewall stop".</li>
beginning of a "shorewall stop".</li>
<li>/etc/shorewall/stopped - commands that you wish to execute at
the completion of a "shorewall stop".</li>
the completion of a "shorewall stop".</li>
<li>/etc/shorewall/ecn - disable Explicit Congestion Notification (ECN
- RFC 3168) to remote hosts or networks.<br>
- RFC 3168) to remote hosts or networks.<br>
</li>
</ul>
@ -88,9 +89,9 @@ the completion of a "shorewall stop".</li>
<h2><a name="Comments"></a>Comments</h2>
<p>You may place comments in configuration files by making the first non-whitespace
character a pound sign ("#"). You may also place comments at
the end of any line, again by delimiting the comment from the
rest of the line with a pound sign.</p>
character a pound sign ("#"). You may also place comments
at the end of any line, again by delimiting the comment from
the rest of the line with a pound sign.</p>
<p>Examples:</p>
@ -114,11 +115,11 @@ and causes the contents of the named file to be logically included into
the file containing the INCLUDE. File names given in an INCLUDE directive
are assumed to reside in /etc/shorewall or in an alternate configuration
directory if one has been specified for the command.<br>
<br>
INCLUDE's may be nested to a level of 3 -- further nested INCLUDE directives
<br>
INCLUDE's may be nested to a level of 3 -- further nested INCLUDE directives
are ignored with a warning message.<big><big><br>
<br>
</big></big> Examples:<big> </big> <br>
<br>
</big></big> Examples:<big> </big> <br>
<blockquote>    shorewall/params.mgmt:<br>
@ -177,30 +178,31 @@ INCLUDE's may be nested to a level of 3 -- further nested INCLUDE directives
<blockquote>    ----- end rules -----<br>
</blockquote>
<h2><a name="dnsnames"></a>Using DNS Names</h2>
<p align="left"> </p>
<p align="left"><b>WARNING: I personally recommend strongly <u>against</u>
using DNS names in Shorewall configuration files. If you use DNS
names and you are called out of bed at 2:00AM because Shorewall won't
start as a result of DNS problems then don't say that you were not forewarned.
<br>
names and you are called out of bed at 2:00AM because Shorewall won't
start as a result of DNS problems then don't say that you were not
forewarned. <br>
</b></p>
<p align="left"><b>    -Tom<br>
</b></p>
<p align="left">Beginning with Shorwall 1.3.9, Host addresses in Shorewall
<p align="left">Beginning with Shorewall 1.3.9, Host addresses in Shorewall
configuration files may be specified as either IP addresses or DNS
Names.<br>
<br>
DNS names in iptables rules aren't nearly as useful as
they first appear. When a DNS name appears in a rule, the iptables
utility resolves the name to one or more IP addresses and inserts
they first appear. When a DNS name appears in a rule, the iptables
utility resolves the name to one or more IP addresses and inserts
those addresses into the rule. So changes in the DNS-&gt;IP address
relationship that occur after the firewall has started have absolutely
no effect on the firewall's ruleset. </p>
relationship that occur after the firewall has started have absolutely
no effect on the firewall's ruleset. </p>
<p align="left"> If your firewall rules include DNS names then:</p>
@ -212,19 +214,19 @@ no effect on the firewall's ruleset. </p>
<li>If your Name Server(s) is(are) down then your firewall
won't start.</li>
<li>If your startup scripts try to start your firewall
before starting your DNS server then your firewall won't start.<br>
before starting your DNS server then your firewall won't start.<br>
</li>
<li>Factors totally outside your control (your ISP's
router is down for example), can prevent your firewall from starting.</li>
<li>You must bring up your network interfaces prior to
starting your firewall.<br>
starting your firewall.<br>
</li>
</ul>
<p align="left"> Each DNS name much be fully qualified and include a minumum
of two periods (although one may be trailing). This restriction is
imposed by Shorewall to insure backward compatibility with existing
of two periods (although one may be trailing). This restriction
is imposed by Shorewall to insure backward compatibility with existing
configuration files.<br>
<br>
Examples of valid DNS names:<br>
@ -252,7 +254,7 @@ starting your firewall.<br>
</ul>
These restrictions are not imposed by Shorewall simply
for your inconvenience but are rather limitations of iptables.<br>
for your inconvenience but are rather limitations of iptables.<br>
<h2><a name="Compliment"></a>Complementing an Address or Subnet</h2>
@ -269,7 +271,8 @@ following the "!".</p>
<ul>
<li>Must not have any embedded white space.<br>
Valid: routefilter,dhcp,norfc1918<br>
Invalid: routefilter,     dhcp,     norfc1818</li>
Invalid: routefilter,     dhcp,    
norfc1818</li>
<li>If you use line continuation to break a comma-separated
list, the continuation line(s) must begin in column 1 (or
there would be embedded white space)</li>
@ -286,9 +289,9 @@ an integer or a service name from /etc/services. </p>
<h2><a name="Ranges"></a>Port Ranges</h2>
<p>If you need to specify a range of ports, the proper syntax is &lt;<i>low
port number</i>&gt;:&lt;<i>high port number</i>&gt;. For example,
if you want to forward the range of tcp ports 4000 through 4100 to
local host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
port number</i>&gt;:&lt;<i>high port number</i>&gt;. For
example, if you want to forward the range of tcp ports 4000 through
4100 to local host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
</p>
<pre> DNAT net loc:192.168.1.3 tcp 4000:4100<br></pre>
@ -298,7 +301,7 @@ local host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
<h2><a name="Variables"></a>Using Shell Variables</h2>
<p>You may use the /etc/shorewall/params file to set shell variables
that you can then use in some of the other configuration files.</p>
that you can then use in some of the other configuration files.</p>
<p>It is suggested that variable names begin with an upper case letter<font
size="1"> </font>to distinguish them from variables used internally
@ -325,6 +328,7 @@ that you can then use in some of the other configuration files.</p>
<pre>net eth0 130.252.100.255 routefilter,norfc1918</pre>
</blockquote>
</font>
<p>Variables may be used anywhere in the other configuration
files.</p>
@ -356,10 +360,10 @@ as a series of 6 hex numbers separated by colons. Example:<br>
     Interrupt:11 Base address:0x1800<br>
<br>
Because Shorewall uses colons as a separator for
address fields, Shorewall requires MAC addresses to be written
in another way. In Shorewall, MAC addresses begin with a tilde
("~") and consist of 6 hex numbers separated by hyphens. In Shorewall,
the MAC address in the example above would be written "~02-00-08-E3-FA-55".<br>
address fields, Shorewall requires MAC addresses to be written
in another way. In Shorewall, MAC addresses begin with a tilde
("~") and consist of 6 hex numbers separated by hyphens. In Shorewall,
the MAC address in the example above would be written "~02-00-08-E3-FA-55".<br>
</p>
<p><b>Note: </b>It is not necessary to use the special Shorewall notation
@ -369,39 +373,35 @@ the MAC address in the example above would be written "~02-00-08-E3-
<h2><a name="Levels"></a>Shorewall Configurations</h2>
<p> Shorewall allows you to have configuration directories other than /etc/shorewall.
The <a href="starting_and_stopping_shorewall.htm">shorewall start
and restart</a> commands allow you to specify an alternate configuration
directory and Shorewall will use the files in the alternate directory
rather than the corresponding files in /etc/shorewall. The alternate
directory need not contain a complete configuration; those files not
in the alternate directory will be read from /etc/shorewall.</p>
The <a href="starting_and_stopping_shorewall.htm">shorewall check,
start and restart</a> commands allow you to specify an alternate
configuration directory and Shorewall will use the files in the alternate
directory rather than the corresponding files in /etc/shorewall. The
alternate directory need not contain a complete configuration; those
files not in the alternate directory will be read from /etc/shorewall.</p>
<p> This facility permits you to easily create a test or temporary configuration
by:</p>
<ol>
<li> copying the files that need modification
from /etc/shorewall to a separate directory;</li>
from /etc/shorewall to a separate directory;</li>
<li> modify those files in the separate directory;
and</li>
<li> specifying the separate directory in a shorewall
start or shorewall restart command (e.g., <i><b>shorewall -c /etc/testconfig
restart</b></i> )</li>
<li> specifying the separate directory in a
shorewall start or shorewall restart command (e.g., <i><b>shorewall
-c /etc/testconfig restart</b></i> )</li>
</ol>
The <a href="starting_and_stopping_shorewall.htm"><b>try</b> command</a>
allows you to attempt to restart using an alternate configuration and if
an error occurs to automatically restart the standard configuration.<br>
<p><font size="2"> Updated 4/18/2003 - <a href="support.htm">Tom Eastep</a>
<p><font size="2"> Updated 6/29/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
</p>
</body>
</html>

50
Shorewall-docs/download.htm
View File

@ -38,7 +38,8 @@ for the configuration that most closely matches your own.<br>
<p>    <a href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
    <a href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>
    <a
href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>
</p>
<p>The documentation in HTML format is included in the .rpm and in the
@ -57,12 +58,12 @@ for the configuration that most closely matches your own.<br>
href="mailto:teastep@shorewall.net"> me</a> know so that
I can mention them here. See the <a href="Install.htm">Installation
Instructions</a> if you have problems installing the RPM.</li>
<li>If you are running LRP, download the .lrp file
(you might also want to download the .tgz so you will have a
copy of the documentation).</li>
<li>If you run <a href="http://www.debian.org"><b>Debian</b></a>
and would like a .deb package, Shorewall is included in both
the <a
<li>If you are running LRP, download the .lrp
file (you might also want to download the .tgz so you will
have a copy of the documentation).</li>
<li>If you run <a
href="http://www.debian.org"><b>Debian</b></a> and would
like a .deb package, Shorewall is included in both the <a
href="http://packages.debian.org/testing/net/shorewall.html">Debian
Testing Branch</a> and the <a
href="http://packages.debian.org/unstable/net/shorewall.html">Debian Unstable
@ -75,7 +76,7 @@ copy of the documentation).</li>
<p>The documentation in HTML format is included in the .tgz and .rpm files
and there is an documentation .deb that also contains the documentation.  The
.rpm will install the documentation in your default document directory
which can be obtained using the following command:<br>
which can be obtained using the following command:<br>
</p>
<blockquote>
@ -156,6 +157,17 @@ which can be obtained using the following command:<br>
href="ftp://shorewall.greshko.com/pub/shorewall/" target="_top">Browse</a><br>
</td>
</tr>
<tr>
<td valign="top">Argentina<br>
</td>
<td valign="top">Shorewall.net<br>
</td>
<td valign="top"><a
href="http://argentina.shorewall.net/pub/shorewall/shorewall">Browse</a><br>
</td>
<td valign="top">N/A<br>
</td>
</tr>
<tr>
<td>Washington State, USA</td>
<td>Shorewall.net</td>
@ -174,13 +186,25 @@ which can be obtained using the following command:<br>
<blockquote>
<p align="left">The <a target="_top"
href="http://cvs.shorewall.net/Shorewall_CVS_Access.html">CVS repository
at cvs.shorewall.net</a> contains the latest snapshots of the each
Shorewall component. There's no guarantee that what you find there
will work at all.<br>
at cvs.shorewall.net</a> contains the latest snapshots of the
each Shorewall component. There's no guarantee that what you
find there will work at all.<br>
</p>
</blockquote>
<p align="left"><font size="2">Last Updated 3/24/2003 - <a
<p align="left"><b>Shapshots:<br>
</b></p>
<blockquote>
<p align="left">Periodic snapshots from CVS may be found at <a
href="http://shorewall.net/pub/shorewall/Snapshots/">http://shorewall.net/pub/shorewall/Snapshots</a>
(<a href="ftp://shorewall.net/pub/shorewall/Snapshots/" target="_top">FTP</a>).
These snapshots have undergone initial testing and will have been installed
and run at shorewall.net.<br>
</p>
</blockquote>
<p align="left"><font size="2">Last Updated 6/19/2003 - <a
href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
@ -190,5 +214,7 @@ which can be obtained using the following command:<br>
<br>
<br>
<br>
<br>
<br>
</body>
</html>

94
Shorewall-docs/myfiles.htm
View File

File diff suppressed because one or more lines are too long

39
Shorewall-docs/quotes.htm
View File

@ -26,16 +26,22 @@
</tbody>
</table>
<font size="3">"I have fought with IPtables for untold hours. First I tried
the SuSE firewall, which worked for 80% of what I needed. Then gShield, which
also worked for 80%. Then I set out to write my own IPtables parser in shell
and awk, which was a lot of fun but never got me past the "hey, cool" stage.
Then I discovered Shorewall. After about an hour, everything just worked.
I am stunned, and very grateful"</font> -- ES, Phoenix AZ, USA.<br>
<p>"The configuration is intuitive and flexible, and much easier than any
of the other iptables-based firewall programs out there. After sifting through
many other scripts, it is obvious that yours is the most well thought-out
and complete one available." -- BC, USA</p>
<p>"I just installed Shorewall after weeks of messing with ipchains/iptables
and I had it up and running in under 20 minutes!" -- JL, Ohio<br>
</p>
"My case was almost like [the one above]. Well. instead of 'weeks' it was
'months' for me, and I think I needed two minutes more:<br>
"My case was almost like [the one above]. Well. instead of 'weeks' it
was 'months' for me, and I think I needed two minutes more:<br>
<ul>
<li>One to see that I had no Internet access from the firewall itself.</li>
@ -48,8 +54,8 @@ enough to uncomment a line in /etc/shorewall/policy.<br>
and well documented thing for something as huge as iptables." -- JV, Spain.
<p>"I downloaded Shorewall 1.2.0 and installed it on Mandrake 8.1 without
any problems. Your documentation is great and I really appreciate
your network configuration info. That really helped me out alot. THANKS!!!"
any problems. Your documentation is great and I really appreciate your
network configuration info. That really helped me out alot. THANKS!!!"
-- MM. </p>
<p>"[Shorewall is a] great, great project. I've used/tested may firewall
@ -58,20 +64,20 @@ your network configuration info. That really helped me out alot. THANKS!!
<p>"Never in my +12 year career as a sys admin have I witnessed someone
so relentless in developing a secure, state of the art, safe and useful
product as the Shorewall firewall package for no cost or obligation
involved." -- Mario Kerecki, Toronto </p>
product as the Shorewall firewall package for no cost or obligation involved."
-- Mario Kerecki, Toronto </p>
<p>"one time more to report, that your great shorewall in the latest
release 1.2.9 is working fine for me with SuSE Linux 7.3! I now
have 7 machines up and running with shorewall on several versions -
starting with 1.2.2 up to the new 1.2.9 and I never have encountered
any problems!" -- SM, Germany</p>
<p>"one time more to report, that your great shorewall in the latest release
1.2.9 is working fine for me with SuSE Linux 7.3! I now have 7 machines
up and running with shorewall on several versions - starting with 1.2.2
up to the new 1.2.9 and I never have encountered any problems!" --
SM, Germany</p>
<p>"You have the best support of any other package I've ever used."
-- SE, US </p>
<p>"Because our company has information which has been classified by the
national government as secret, our security doesn't stop by putting a fence
national government as secret, our security doesn't stop by putting a fence
around our company. Information security is a hot issue. We also make use
of checkpoint firewalls, but not all of the internet servers are guarded
by checkpoint, some of them are running....Shorewall." -- Name withheld
@ -86,8 +92,8 @@ by request, Europe</p>
Shorewall won hands down." -- RG, Toronto</p>
<p>"My respects... I've just found and installed Shorewall 1.3.3-1 and it
is a wonderful piece of software. I've just sent out an email to about
30 people recommending it. :-)<br>
is a wonderful piece of software. I've just sent out an email to about 30
people recommending it. :-)<br>
While I had previously taken the time (maybe 40 hours) to really understand
ipchains, then spent at least an hour per server customizing and carefully
scrutinizing firewall rules, I've got shorewall running on my home firewall,
@ -96,7 +102,7 @@ by request, Europe</p>
<br>
 </p>
<p><font size="2" face="Century Gothic, Arial, Helvetica">Updated 3/18/2003
<p><font size="2" face="Century Gothic, Arial, Helvetica">Updated 7/1/2003
- <a href="support.htm">Tom Eastep</a> </font>
</p>
@ -105,5 +111,6 @@ by request, Europe</p>
<br>
<br>
<br>
<br>
</body>
</html>

360
Shorewall-docs/seattlefirewall_index.htm
View File

@ -3,6 +3,7 @@
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.4</title>
@ -12,6 +13,7 @@
</head>
<body>
<table border="0" cellpadding="0" cellspacing="4"
style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c">
@ -29,10 +31,12 @@
<h1><font color="#ffffff">Shorewall 1.4</font><i><font
color="#ffffff"> <small><small><small>"iptables made easy"</small></small></small></font></i></h1>
</td>
<td valign="middle">
<h1 align="center"><a href="http://www.shorewall.net"
target="_top"><img border="0" src="images/shorewall.jpg" width="119"
height="38" hspace="4" alt="(Shorewall Logo)" align="right" vspace="4">
@ -45,6 +49,7 @@
</tbody>
</table>
<div align="center">
<center>
<table border="0" cellpadding="0" cellspacing="0"
@ -58,11 +63,13 @@
<h2 align="left">What is it?</h2>
<p>The Shoreline Firewall, more commonly known as "Shorewall", is a
<a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
that can be used on a dedicated firewall system, a multi-function
@ -71,6 +78,7 @@
<p>This program is free software; you can redistribute it and/or modify
it
under the terms of <a
@ -90,7 +98,7 @@ General Public License</a> as published by the Free Software
<br>
You should have received a copy of
the GNU General Public License
the GNU General Public License
along with this program; if not, write to
the Free Software Foundation, Inc.,
675 Mass Ave, Cambridge, MA 02139, USA</p>
@ -98,6 +106,7 @@ the GNU General Public License
<p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p>
@ -107,11 +116,12 @@ the GNU General Public License
<h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
If so, almost <b>NOTHING </b>on this site will apply directly
to your setup. If you want to use the documentation that you find here,
it is best if you uninstall what you have and install a setup that
matches the documentation on this site. See the <a
If so, the documentation<b> </b>on this site will not apply
directly to your setup. If you want to use the documentation that you
find here, you will want to consider uninstalling what you have and installing
a setup that matches the documentation on this site. See the <a
href="two-interface.htm">Two-interface QuickStart Guide</a> for details.<br>
@ -127,41 +137,147 @@ matches the documentation on this site. See the <a
<p><b>6/17/2003 - Shorewall-1.4.5</b><b> </b><b><img
<p><b>7/4/2003 - Shorewall-1.4.6 Beta 1</b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
<br>
</b></p>
<blockquote><a href="http://shorewall.net/pub/shorewall/testing">http://shorewall.net/pub/shorewall/testing</a><br>
<a href="ftp://shorewall.net/pub/shorewall/testing"
target="_top">ftp://shorewall.net/pub/shorewall/testing</a><br>
</blockquote>
<p><b>Problems Corrected:</b><br>
</p>
<ol>
<li>A problem seen on RH7.3 systems where Shorewall encountered
start errors when started using the "service" mechanism has been worked around.<br>
<br>
</li>
<li>Previously, where a list of IP addresses appears in the DEST
column of a DNAT[-] rule, Shorewall incorrectly created multiple DNAT rules
in the nat table (one for each element in the list). Shorewall now correctly
creates a single DNAT rule with multiple "--to-destination" clauses.<br>
</li>
</ol>
<p><b>New Features:</b><br>
</p>
<ol>
<li>A 'newnotsyn' interface option has been added. This option
may be specified in /etc/shorewall/interfaces and overrides the setting
NEWNOTSYN=No for packets arriving on the associated interface.<br>
<br>
</li>
<li>The means for specifying a range of IP addresses in /etc/shorewall/masq
to use for SNAT is now documented. ADD_SNAT_ALIASES=Yes is enabled for address
ranges.<br>
<br>
</li>
<li>Shorewall can now add IP addresses to subnets other than the
first one on an interface.<br>
<br>
</li>
<li>DNAT[-] rules may now be used to load balance (round-robin)
over a set of servers. Up to 256 servers may be specified in a range of addresses
given as &lt;first address&gt;-&lt;last address&gt;.<br>
<br>
Example:<br>
<br>
    DNAT net loc:192.168.10.2-192.168.10.5 tcp 80<br>
<br>
Note that this capability has previously been available using a combination
of a DNAT- rule and one or more ACCEPT rules. That technique is still preferable
for load-balancing over a large number of servers (&gt; 16) since specifying
a range in the DNAT rule causes one filter table ACCEPT rule to be generated
for each IP address in the range.<br>
<br>
</li>
<li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration
options have been removed and have been replaced by code that detects whether
these capabilities are present in the current kernel. The output of the start,
restart and check commands have been enhanced to report the outcome:<br>
<br>
Shorewall has detected the following iptables/netfilter capabilities:<br>
   NAT: Available<br>
   Packet Mangling: Available<br>
   Multi-port Match: Available<br>
Verifying Configuration...<br>
<br>
</li>
<li>Support for the Connection Tracking Match Extension has been
added. This extension is available in recent kernel/iptables releases and
allows for rules which match against elements in netfilter's connection
tracking table. Shorewall automatically detects the availability of this
extension and reports its availability in the output of the start, restart
and check commands.<br>
<br>
Shorewall has detected the following iptables/netfilter capabilities:<br>
   NAT: Available<br>
   Packet Mangling: Available<br>
   Multi-port Match: Available<br>
   Connection Tracking Match: Available<br>
   Verifying Configuration...<br>
<br>
If this extension is available, the ruleset generated by Shorewall is
changed in the following ways:</li>
<ul>
<li>To handle 'norfc1918' filtering, Shorewall will not create
chains in the mangle table but will rather do all 'norfc1918' filtering
in the filter table (rfc1918 chain).</li>
<li>Recall that Shorewall DNAT rules generate two netfilter rules;
one in the nat table and one in the filter table. If the Connection Tracking
Match Extension is available, the rule in the filter table is extended to
check that the original destination address was the same as specified (or
defaulted to) in the DNAT rule.<br>
<br>
</li>
</ul>
<li>The shell used to interpret the firewall script (/usr/share/shorewall/firewall)
may now be specified using the SHOREWALL_SHELL parameter in shorewall.conf.</li>
</ol>
<p><b>6/17/2003 - Shorewall-1.4.5</b><b> </b></p>
<p>Problems Corrected:<br>
</p>
<ol>
<li>The command "shorewall debug try &lt;directory&gt;" now correctly
traces the attempt.</li>
<li>The INCLUDE directive now works properly in the zones file; previously,
INCLUDE in that file was ignored.</li>
<li>/etc/shorewall/routestopped records with an empty second column
are no longer ignored.<br>
traces the attempt.</li>
<li>The INCLUDE directive now works properly in the zones file;
previously, INCLUDE in that file was ignored.</li>
<li>/etc/shorewall/routestopped records with an empty second
column are no longer ignored.<br>
</li>
</ol>
<p>New Features:<br>
</p>
<ol>
<li>The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-] rule may
now contain a list of addresses. If the list begins with "!' then the rule
will take effect only if the original destination address in the connection
request does not match any of the addresses listed.</li>
<li>The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-] rule
may now contain a list of addresses. If the list begins with "!' then the
rule will take effect only if the original destination address in the connection
request does not match any of the addresses listed.</li>
</ol>
<p><b>6/15/2003 - Shorewall, Kernel 2.4.21 and iptables 1.2.8</b><b>
</b><b><img border="0" src="images/new10.gif" width="28"
height="12" alt="(New)">
</b></p>
<p>The firewall at shorewall.net has been upgraded to the 2.4.21 kernel
and iptables 1.2.8 (using the "official" RPM from netfilter.org). No problems
have been encountered with this set of software. The Shorewall version is
1.4.4b plus the accumulated changes for 1.4.5.<br>
and iptables 1.2.8 (using the "official" RPM from netfilter.org). No problems
have been encountered with this set of software. The Shorewall version
is 1.4.4b plus the accumulated changes for 1.4.5.<br>
</p>
<p><b>6/8/2003 - Updated Samples</b><b> </b></p>
@ -169,185 +285,12 @@ and iptables 1.2.8 (using the "official" RPM from netfilter.org). No problems
<p>Thanks to Francesca Smith, the samples have been updated to Shorewall
version 1.4.4.</p>
<p><b>5/29/2003 - Shorewall-1.4.4b</b><b> </b></p>
<p>Groan -- This version corrects a problem whereby the --log-level
was not being set when logging via syslog. The most commonly reported symptom
was that Shorewall messages were being written to the console even though
console logging was correctly configured per <a href="FAQ.htm#faq16">FAQ
16</a>.<br>
</p>
<p><b>5/27/2003 - Shorewall-1.4.4a</b><b> </b></p>
The Fireparse --log-prefix fiasco continues. Tuomo Soini has pointed
out that the code in 1.4.4 restricts the length of short zone names to
4 characters. I've produced version 1.4.4a that restores the previous
5-character limit by conditionally omitting the log rule number when
the LOGFORMAT doesn't contain '%d'.
<p><b>5/23/2003 - Shorewall-1.4.4</b><b> </b><b>
</b></p>
I apologize for the rapid-fire releases but since there is a potential
configuration change required to go from 1.4.3a to 1.4.4, I decided to
make it a full release rather than just a bug-fix release. <br>
<br>
<b> Problems corrected:</b><br>
<blockquote>None.<br>
</blockquote>
<b> New Features:<br>
</b>
<ol>
<li>A REDIRECT- rule target has been added. This target
behaves for REDIRECT in the same way as DNAT- does for DNAT in that the
Netfilter nat table REDIRECT rule is added but not the companion filter
table ACCEPT rule.<br>
<br>
</li>
<li>The LOGMARKER variable has been renamed LOGFORMAT and
has been changed to a 'printf' formatting template which accepts three
arguments (the chain name, logging rule number and the disposition).
To use LOGFORMAT with fireparse (<a href="http://www.fireparse.com">http://www.fireparse.com</a>),
set it as:<br>
<br>
LOGFORMAT="fp=%s:%d a=%s "<br>
<br>
<b>CAUTION: </b>/sbin/shorewall uses the leading part of the
LOGFORMAT string (up to but not including the first '%') to find log
messages in the 'show log', 'status' and 'hits' commands. This part should
not be omitted (the LOGFORMAT should not begin with "%") and the leading
part should be sufficiently unique for /sbin/shorewall to identify Shorewall
messages.<br>
<br>
</li>
<li>When logging is specified on a DNAT[-] or REDIRECT[-]
rule, the logging now takes place in the nat table rather than in the
filter table. This way, only those connections that actually undergo DNAT
or redirection will be logged.<br>
</li>
</ol>
<p><b>5/20/2003 - Shorewall-1.4.3a</b><br>
</p>
This version primarily corrects the documentation included in
the .tgz and in the .rpm. In addition: <br>
<ol>
<li>(This change is in 1.4.3 but is not documented) If
you are running iptables 1.2.7a and kernel 2.4.20, then Shorewall will
return reject replies as follows:<br>
a) tcp - RST<br>
b) udp - ICMP port unreachable<br>
c) icmp - ICMP host unreachable<br>
d) Otherwise - ICMP host prohibited<br>
If you are running earlier software, Shorewall will follow it's
traditional convention:<br>
a) tcp - RST<br>
b) Otherwise - ICMP port unreachable</li>
<li>UDP port 135 is now silently dropped in the common.def
chain. Remember that this chain is traversed just before a DROP or REJECT
policy is enforced.<br>
</li>
</ol>
<p><b>5/18/2003 - Shorewall 1.4.3</b><br>
</p>
<b>Problems Corrected:<br>
</b>
<ol>
<li>There were several cases where Shorewall would fail
to remove a temporary directory from /tmp. These cases have been corrected.</li>
<li>The rules for allowing all traffic via the loopback
interface have been moved to before the rule that drops status=INVALID
packets. This insures that all loopback traffic is allowed even if
Netfilter connection tracking is confused.</li>
</ol>
<b>New Features:<br>
</b>
<ol>
<li> <a href="6to4.htm">IPV6-IPV4 (6to4) tunnels are</a>
now supported in the /etc/shorewall/tunnels file.</li>
<li>You may now change the leading portion of the --log-prefix
used by Shorewall using the LOGMARKER variable in shorewall.conf. By
default, "Shorewall:" is used.<br>
</li>
</ol>
<p><b>5/10/2003 - Shorewall Mirror in Asia</b><b> </b><br>
</p>
Ed Greshko has established a mirror in Taiwan -- Thanks
Ed!
<p><b>5/8/2003 - Shorewall Mirror in Chile</b><b> </b></p>
<p>Thanks to Darcy Ganga, there is now an HTTP mirror in Santiago Chile.<br>
</p>
<p><b>4/26/2003 - lists.shorewall.net Downtime</b><b> </b></p>
<p>The list server will be down this morning for upgrade to RH9.0.<br>
</p>
<p><b>4/21/2003 - Samples updated for Shorewall version 1.4.2</b><b>
</b></p>
<p>Thanks to Francesca Smith, the sample configurations are now upgraded
to Shorewall version 1.4.2.</p>
<p><b>4/12/2002 - Greater Seattle Linux Users Group Presentation</b><b>
</b></p>
<blockquote>This morning, I gave <a href="GSLUG.htm" target="_top">a
Shorewall presentation to GSLUG</a>. The presentation
is in HTML format but was generated from Microsoft PowerPoint and
is best viewed using Internet Explorer (although Konqueror also seems
to work reasonably well as does Opera 7.1.0). Neither Opera 6 nor
Netscape work well to view the presentation.<br>
</blockquote>
<blockquote>
<p><b></b></p>
<ol>
</ol>
</blockquote>
<p><a href="News.htm">More News</a></p>
@ -355,23 +298,25 @@ Ed!
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36"
alt="(Leaf Logo)">
</a>Jacques Nilo and Eric Wolzak
have a LEAF (router/firewall/gateway on
a floppy, CD or compact flash) distribution
have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution
called <i>Bering</i> that features
Shorewall-1.3.14 and Kernel-2.4.20. You
Shorewall-1.4.2 and Kernel-2.4.20. You
can find their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
</a></p>
<b>Congratulations to Jacques and Eric on the recent release
of Bering 1.2!!! </b><br>
<b>Congratulations to Jacques and Eric on the recent
release of Bering 1.2!!! </b><br>
<h2><a name="Donations"></a>Donations</h2>
@ -391,6 +336,7 @@ Ed!
<p><font color="#ffffff"><strong>Quick Search</strong></font><br>
<font
face="Arial" size="-1"> <input type="text" name="words"
@ -414,6 +360,7 @@ Ed!
</tr>
</tbody>
</table>
@ -421,6 +368,7 @@ Ed!
</div>
<table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c">
@ -443,9 +391,10 @@ Ed!
<p align="center"><font size="4" color="#ffffff"><br>
<font size="+2"> Shorewall is free but if you try it and find
it useful, please consider making a donation
<font size="+2"> Shorewall is free but if you try it and
find it useful, please consider making a donation
to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight Children's
Foundation.</font></a> Thanks!</font></font></p>
@ -455,11 +404,16 @@ Ed!
</tr>
</tbody>
</table>
<p><font size="2">Updated 6/17/2003 - <a href="support.htm">Tom Eastep</a></font>
<p><font size="2">Updated 7/4/2003 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
<br>
<br>
<br>
</p>
</body>
</html>

94
Shorewall-docs/shorewall_extension_scripts.htm
View File

@ -14,112 +14,100 @@
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Extension Scripts</font></h1>
</td>
</tr>
</tbody>
</table>
<p> Extension scripts are user-provided scripts that are invoked at various
points during firewall start, restart, stop and clear. The scripts are
placed in /etc/shorewall and are processed using the Bourne shell "source"
mechanism. The following scripts can be supplied:</p>
points during firewall start, restart, stop and clear. The scripts are
placed in /etc/shorewall and are processed using the Bourne shell "source"
mechanism.<br>
</p>
<p><font color="#ff0000"><b>Caution: <br>
</b></font></p>
<ol>
<li><font color="#ff0000"><b>Be sure that you actually need to use an extension
script to do what you want. Shorewall has a wide range of features that cover
most requirements.</b></font></li>
<li><font color="#ff0000"><b>DO NOT SIMPLY COPY RULES THAT YOU FIND ON
THE NET INTO AN EXTENSION SCRIPT AND EXPECT THEM TO WORK AND TO NOT BREAK
SHOREWALL. TO USE SHOREWALL EXTENSION SCRIPTS YOU MUST KNOW WHAT YOU ARE DOING
WITH RESPECT TO iptables/Netfilter</b></font></li>
</ol>
<p>The following scripts can be supplied:</p>
<ul>
<li>init -- invoked early in "shorewall start" and "shorewall
restart"</li>
restart"</li>
<li>start -- invoked after the firewall has been started or restarted.</li>
<li>stop -- invoked as a first step when the firewall is being stopped.</li>
<li>stopped -- invoked after the firewall has been stopped.</li>
<li>clear -- invoked after the firewall has been cleared.</li>
<li>refresh -- invoked while the firewall is being refreshed but before
the common and/or blacklst chains have been rebuilt.</li>
the common and/or blacklst chains have been rebuilt.</li>
<li>newnotsyn (added in version 1.3.6) -- invoked after the 'newnotsyn'
chain has been created but before any rules have been added to it.</li>
chain has been created but before any rules have been added to it.</li>
</ul>
<p><u><b>If your version of Shorewall doesn't have the file that you want
to use from the above list, you can simply create the file yourself.</b></u></p>
to use from the above list, you can simply create the file yourself.</b></u></p>
<p> You can also supply a script with the same name as any of the filter
chains in the firewall and the script will be invoked after the /etc/shorewall/rules
file has been processed but before the /etc/shorewall/policy file has
been processed.</p>
been processed.</p>
<p>The /etc/shorewall/common file receives special treatment. If this file
is present, the rules that it defines will totally replace the default
rules in the common chain. These default rules are contained in the
file /etc/shorewall/common.def which may be used as a starting point
for making your own customized file.</p>
is present, the rules that it defines will totally replace the default
rules in the common chain. These default rules are contained in
the file /etc/shorewall/common.def which may be used as a starting
point for making your own customized file.</p>
<p> Rather than running iptables directly, you should run it using the
function run_iptables. Similarly, rather than running "ip" directly,
you should use run_ip. These functions accept the same arguments as the
underlying command but cause the firewall to be stopped if an error occurs
during processing of the command.</p>
function run_iptables. Similarly, rather than running "ip" directly, you
should use run_ip. These functions accept the same arguments as the underlying
command but cause the firewall to be stopped if an error occurs during processing
of the command.</p>
<p> If you decide to create /etc/shorewall/common it is a good idea to use
the following technique</p>
<p> /etc/shorewall/common:</p>
<blockquote>
<pre>. /etc/shorewall/common.def<br>&lt;add your rules here&gt;</pre>
</blockquote>
<p>If you need to supercede a rule in the released common.def file, you can
add the superceding rule before the '.' command. Using this technique allows
you to add new rules while still getting the benefit of the latest common.def
file.</p>
add the superceding rule before the '.' command. Using this technique
allows you to add new rules while still getting the benefit of the latest
common.def file.</p>
<p>Remember that /etc/shorewall/common defines rules that are only applied
if the applicable policy is DROP or REJECT. These rules are NOT applied
if the policy is ACCEPT or CONTINUE.</p>
if the applicable policy is DROP or REJECT. These rules are NOT applied
if the policy is ACCEPT or CONTINUE<br>
</p>
<p> </p>
<p align="left"><font size="2">Last updated 2/18/2003 - <a
<p align="left"><font size="2">Last updated 6/30/2003 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002, 2003
Thomas M. Eastep</font></a></p>
Thomas M. Eastep</font></a></p>
<br>
<br>
<br>
<br>
</body>

15
Shorewall-docs/shorewall_mirrors.htm
View File

@ -45,11 +45,13 @@
(Hamburg, Germany)</li>
<li><a target="_top"
href="http://france.shorewall.net">http://france.shorewall.net</a>
(Paris, France)</li>
(Paris, France)</li>
<li><a href="http://shorewall.syachile.cl" target="_top">http://shorewall.syachile.cl
</a>(Santiago Chile)</li>
<li><a href="http://shorewall.greshko.com" target="_top">http://shorewall.greshko.com</a>
(Taipei, Taiwan)<br>
(Taipei, Taiwan)</li>
<li><a href="http://argentina.shorewall.net" target="_top">http://argentina.shorewall.net</a>
(Argentina)<br>
</li>
<li><a href="http://www.shorewall.net" target="_top">http://www.shorewall.net</a>
(Washington State, USA)<br>
@ -72,17 +74,17 @@
<li> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall">ftp://france.shorewall.net/pub/mirrors/shorewall</a>
(Paris, France)</li>
<li><a href="ftp://shorewall.greshko.com/pub/shorewall" target="_top">ftp://shorewall.greshko.com</a>
(Taipei, Taiwan)</li>
<li><a href="ftp://shorewall.greshko.com/pub/shorewall"
target="_top">ftp://shorewall.greshko.com</a> (Taipei, Taiwan)</li>
<li><a href="ftp://ftp.shorewall.net/pub/shorewall" target="_blank">ftp://ftp.shorewall.net
</a>(Washington State, USA)<br>
</li>
</ul>
Search results and the mailing list archives are always fetched from
the site in Washington State.<br>
the site in Washington State.<br>
<p align="left"><font size="2">Last Updated 6/5/2003 - <a
<p align="left"><font size="2">Last Updated 6/19/2003 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
@ -95,5 +97,6 @@ the site in Washington State.<br>
<br>
<br>
<br>
<br>
</body>
</html>

32
Shorewall-docs/shorewall_prerequisites.htm
View File

@ -31,11 +31,11 @@
<ul>
<li>A kernel that supports netfilter. I've tested with 2.4.2 - 2.4.20.
With current releases of Shorewall, Traffic Shaping/Control requires at least
2.4.18.  <a href="kernel.htm"> Check here for kernel configuration
With current releases of Shorewall, Traffic Shaping/Control requires at
least 2.4.18.  <a href="kernel.htm"> Check here for kernel configuration
information.</a> If you are looking for a firewall for use with
2.2 kernels, <a href="http://seawall.sf.net"> see the Seattle Firewall
site</a> .</li>
2.2 kernels, <a href="http://seawall.sf.net"> see the Seattle
Firewall site</a> .</li>
<li>iptables 1.2 or later but beware version 1.2.3 -- see the <a
href="errata.htm">Errata</a>. <font color="#ff0000"><b>WARNING: </b></font>The
buggy iptables version 1.2.3 is included in RedHat 7.2 and you should
@ -43,21 +43,31 @@ With current releases of Shorewall, Traffic Shaping/Control requires at least
is available <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">from RedHat</a>
and in the <a href="errata.htm">Shorewall Errata</a>. </li>
<li>Iproute ("ip" utility). The iproute package is included with
most distributions but may not be installed by default. The official
download site is <a href="ftp://ftp.inr.ac.ru/ip-routing"
<li>Iproute ("ip" utility). The iproute package is included
with most distributions but may not be installed by default. The official
download site is <a href="ftp://ftp.inr.ac.ru/ip-routing"
target="_blank"> <font face="Century Gothic, Arial, Helvetica">f</font>tp://ftp.inr.ac.ru/ip-routing</a>.
</li>
<li>A Bourne shell or derivative such as bash or ash. This shell must
have correct support for variable expansion formats ${<i>variable</i>%<i>pattern</i>
<li>A Bourne shell or derivative such as bash or ash. This shell
must have correct support for variable expansion formats ${<i>variable</i>%<i>pattern</i>
}, ${<i>variable</i>%%<i>pattern</i>}, ${<i>variable</i>#<i>pattern</i>
} and ${<i>variable</i>##<i>pattern</i>}.</li>
<li>Must produce a sensible result when a number n (128 &lt;= n &lt;= 255)
is left shifted by 24 bits. You can check this at a shell prompt by:</li>
<ul>
<li>echo $((128 &lt;&lt; 24))<br>
</li>
<li>The result must be either 2147483648 or -2147483648.<br>
</li>
</ul>
<li>The firewall monitoring display is greatly improved if you have
awk (gawk) installed.</li>
</ul>
<p align="left"><font size="2">Last updated 3/19/2003 - <a
<p align="left"><font size="2">Last updated 7/4/2003 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
@ -67,5 +77,7 @@ download site is <a href="ftp://ftp.inr.ac.ru/ip-routing"
<br>
<br>
<br>
<br>
<br>
</body>
</html>

514
Shorewall-docs/shorewall_setup_guide.htm
View File

@ -50,13 +50,13 @@
<p><a href="#DNS">6.0 DNS</a><br>
<a href="#StartingAndStopping">7.0 Starting and Stopping the
Firewall</a></p>
Firewall</a></p>
<h2><a name="Introduction"></a>1.0 Introduction</h2>
<p>This guide is intended for users who are setting up Shorewall in an environment
where a set of public IP addresses must be managed or who want to know
more about Shorewall than is contained in the <a
where a set of public IP addresses must be managed or who want to
know more about Shorewall than is contained in the <a
href="shorewall_quickstart_guide.htm">single-address guides</a>. Because
the range of possible applications is so broad, the Guide will give
you general guidelines and will point you to other resources as necessary.</p>
@ -68,16 +68,16 @@ Shorewall lrp from the shorewall.net site before you proceed.</p>
<p>Shorewall requires that the iproute/iproute2 package be installed (on
RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell if
this package is installed by the presence of an <b>ip</b> program on your
firewall system. As root, you can use the 'which' command to check for
this program:</p>
this package is installed by the presence of an <b>ip</b> program on
your firewall system. As root, you can use the 'which' command to check
for this program:</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
<p>I recommend that you first read through the guide to familiarize yourself
with what's involved then go back through it again making your configuration
changes. Points at which configuration changes are recommended are flagged
with <img border="0" src="images/BD21298_.gif" width="13"
changes. Points at which configuration changes are recommended are
flagged with <img border="0" src="images/BD21298_.gif" width="13"
height="13">
.</p>
@ -85,16 +85,16 @@ Shorewall lrp from the shorewall.net site before you proceed.</p>
    If you edit your configuration files on a Windows system,
you must save them as Unix files if your editor supports that option
or you must run them through dos2unix before trying to use them with Shorewall.
Similarly, if you copy a configuration file from your Windows hard drive
to a floppy disk, you must run dos2unix against the copy before using
it with Shorewall.</p>
Similarly, if you copy a configuration file from your Windows hard
drive to a floppy disk, you must run dos2unix against the copy before
using it with Shorewall.</p>
<ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows
Version of dos2unix</a></li>
<li><a
href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version
of dos2unix</a></li>
of dos2unix</a></li>
</ul>
@ -140,8 +140,8 @@ of dos2unix</a></li>
file.</p>
<p>Shorewall also recognizes the firewall system as its own zone - by default,
the firewall itself is known as <b>fw</b> but that may be changed in
the <a href="Documentation.htm#Configs">/etc/shorewall/shorewall.conf</a>
the firewall itself is known as <b>fw</b> but that may be changed
in the <a href="Documentation.htm#Configs">/etc/shorewall/shorewall.conf</a>
file. In this guide, the default name (<b>fw</b>) will be used.</p>
<p>With the exception of <b>fw</b>, Shorewall attaches absolutely no meaning
@ -157,9 +157,9 @@ necessary.</p>
in terms of zones.</p>
<ul>
<li>You express your default policy for connections from one
zone to another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
</a>file.</li>
<li>You express your default policy for connections from
one zone to another zone in the<a
href="Documentation.htm#Policy"> /etc/shorewall/policy </a>file.</li>
<li>You define exceptions to those default policies in the
<a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
@ -169,24 +169,24 @@ necessary.</p>
kernel facility. Netfilter implements a <a
href="http://www.cs.princeton.edu/%7Ejns/security/iptables/iptables_conntrack.html">connection
tracking function</a> that allows what is often referred to as <i>stateful
inspection</i> of packets. This stateful property allows firewall rules
to be defined in terms of <i>connections</i> rather than in terms
of packets. With Shorewall, you:</p>
inspection</i> of packets. This stateful property allows firewall
rules to be defined in terms of <i>connections</i> rather than in
terms of packets. With Shorewall, you:</p>
<ol>
<li> Identify the source zone.</li>
<li> Identify the destination zone.</li>
<li> If the POLICY from the client's zone to the server's
zone is what you want for this client/server pair, you need do
nothing further.</li>
<li> If the POLICY is not what you want, then you must
add a rule. That rule is expressed in terms of the client's zone
and the server's zone.</li>
nothing further.</li>
<li> If the POLICY is not what you want, then you
must add a rule. That rule is expressed in terms of the client's
zone and the server's zone.</li>
</ol>
<p> Just because connections of a particular type are allowed from zone
A to the firewall and are also allowed from the firewall to zone B <font
<p> Just because connections of a particular type are allowed from zone A
to the firewall and are also allowed from the firewall to zone B <font
color="#ff6633"><b><u> DOES NOT mean that these connections are allowed
from zone A to zone B</u></b></font>. It rather means that you can
have a proxy running on the firewall that accepts a connection from
@ -194,8 +194,8 @@ A to the firewall and are also allowed from the firewall to zone B <font
to zone B.</p>
<p>For each connection request entering the firewall, the request is first
checked against the /etc/shorewall/rules file. If no rule in that file
matches the connection request then the first policy in /etc/shorewall/policy
checked against the /etc/shorewall/rules file. If no rule in that
file matches the connection request then the first policy in /etc/shorewall/policy
that matches the request is applied. If that policy is REJECT or DROP 
the request is first checked against the rules in /etc/shorewall/common.def.</p>
@ -245,18 +245,18 @@ A to the firewall and are also allowed from the firewall to zone B <font
to the internet</li>
<li>drop (ignore) all connection requests from the internet
to your firewall or local network and log a message at the <i>info</i>
level (<a href="shorewall_logging.html">here</a> is a description of log
levels).</li>
level (<a href="shorewall_logging.html">here</a> is a description of
log levels).</li>
<li>reject all other connection requests and log a message
at the <i>info</i> level. When a request is rejected, the firewall
at the <i>info</i> level. When a request is rejected, the firewall
will return an RST (if the protocol is TCP) or an ICMP port-unreachable
packet for other protocols.</li>
</ol>
<p><img border="0" src="images/BD21298_.gif" width="13" height="13">
    At this point, edit your /etc/shorewall/policy and make any
changes that you wish.</p>
    At this point, edit your /etc/shorewall/policy and make
any changes that you wish.</p>
<h2 align="left"><a name="Interfaces"></a>3.0 Network Interfaces</h2>
@ -274,7 +274,7 @@ the firewall between the compromised system and your local systems. </li>
<li>The Local Zone consists of systems Local 1, Local 2 and
Local 3. </li>
<li>All systems from the ISP outward comprise the Internet
Zone. </li>
Zone. </li>
</ul>
@ -288,9 +288,9 @@ Zone. </li>
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> file.</p>
<p align="left">The firewall illustrated above has three network interfaces.
Where Internet connectivity is through a cable or DSL "Modem", the <i>External
Interface</i> will be the Ethernet adapter that is connected to that
"Modem" (e.g., <b>eth0</b>)  <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint
Where Internet connectivity is through a cable or DSL "Modem", the
<i>External Interface</i> will be the Ethernet adapter that is connected
to that "Modem" (e.g., <b>eth0</b>)  <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint
<u>P</u>rotocol over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint
<u>T</u>unneling <u>P</u>rotocol </i>(PPTP) in which case the External
Interface will be a ppp interface (e.g., <b>ppp0</b>). If you connect
@ -304,10 +304,10 @@ Zone. </li>
href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf.</a></p>
<p align="left">Your <i>Local Interface</i> will be an Ethernet adapter (eth0,
eth1 or eth2) and will be connected to a hub or switch. Your local computers
will be connected to the same switch (note: If you have only a single
local system, you can connect the firewall directly to the computer
using a <i>cross-over </i> cable).</p>
eth1 or eth2) and will be connected to a hub or switch. Your local
computers will be connected to the same switch (note: If you have only
a single local system, you can connect the firewall directly to the
computer using a <i>cross-over </i> cable).</p>
<p align="left">Your <i>DMZ Interface</i> will also be an Ethernet adapter
(eth0, eth1 or eth2) and will be connected to a hub or switch. Your
@ -317,10 +317,10 @@ using a <i>cross-over </i> cable).</p>
<p align="left"><u><b> <img border="0" src="images/j0213519.gif"
width="60" height="60">
</b></u>Do not connect more than one interface to the same hub
or switch (even for testing). It won't work the way that you expect
it to and you will end up confused and believing that Linux networking
doesn't work at all.</p>
</b></u>Do not connect more than one interface to the same
hub or switch (even for testing). It won't work the way that you expect
it to and you will end up confused and believing that Linux networking
doesn't work at all.</p>
<p align="left">For the remainder of this Guide, we will assume that:</p>
@ -376,11 +376,11 @@ doesn't work at all.</p>
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13">
    Edit the /etc/shorewall/interfaces file and define the network
interfaces on your firewall and associate each interface with a zone.
If you have a zone that is interfaced through more than one interface,
simply include one entry for each interface and repeat the zone name as
many times as necessary.</p>
    Edit the /etc/shorewall/interfaces file and define the
network interfaces on your firewall and associate each interface with
a zone. If you have a zone that is interfaced through more than one
interface, simply include one entry for each interface and repeat the
zone name as many times as necessary.</p>
<p align="left">Example:</p>
@ -456,26 +456,26 @@ doesn't work at all.</p>
<h2 align="left"><a name="Addressing"></a>4.0 Addressing, Subnets and Routing</h2>
<p align="left">Normally, your ISP will assign you a set of <i> Public</i>
IP addresses. You will configure your firewall's external interface to
use one of those addresses permanently and you will then have to decide
how you are going to use the rest of your addresses. Before we tackle
that question though, some background is in order.</p>
IP addresses. You will configure your firewall's external interface
to use one of those addresses permanently and you will then have to
decide how you are going to use the rest of your addresses. Before we
tackle that question though, some background is in order.</p>
<p align="left">If you are thoroughly familiar with IP addressing and routing,
you may <a href="#Options">go to the next section</a>.</p>
<p align="left">The following discussion barely scratches the surface of
addressing and routing. If you are interested in learning more about this
subject, I highly recommend <i>"IP Fundamentals: What Everyone Needs to
Know about Addressing &amp; Routing",</i> Thomas A. Maufer, Prentice-Hall,
1999, ISBN 0-13-975483-0.</p>
<p align="left">The following discussion barely scratches the surface of addressing
and routing. If you are interested in learning more about this subject,
I highly recommend <i>"IP Fundamentals: What Everyone Needs to Know about
Addressing &amp; Routing",</i> Thomas A. Maufer, Prentice-Hall, 1999, ISBN
0-13-975483-0.</p>
<h3 align="left"><a name="Addresses"></a>4.1 IP Addresses</h3>
<p align="left">IP version 4 (<i>IPv4) </i>addresses are 32-bit numbers.
The notation w.x.y.z refers to an address where the high-order byte has
value "w", the next byte has value "x", etc. If we take the address 192.0.2.14
and express it in hexadecimal, we get:</p>
The notation w.x.y.z refers to an address where the high-order byte
has value "w", the next byte has value "x", etc. If we take the address
192.0.2.14 and express it in hexadecimal, we get:</p>
<blockquote>
<p align="left">C0.00.02.0E</p>
@ -490,9 +490,9 @@ Know about Addressing &amp; Routing",</i> Thomas A. Maufer, Prentice-Hall,
<h3 align="left"><a name="Subnets"></a>4.2 Subnets</h3>
<p align="left">You will still hear the terms "Class A network", "Class B
network" and "Class C network". In the early days of IP, networks only
came in three sizes (there were also Class D networks but they were
used differently):</p>
network" and "Class C network". In the early days of IP, networks
only came in three sizes (there were also Class D networks but they
were used differently):</p>
<blockquote>
<p align="left">Class A - netmask 255.0.0.0, size = 2 ** 24</p>
@ -545,13 +545,13 @@ used differently):</p>
<b>n</b> there are (<b>n</b> - 2) usable addresses (addresses that
can be assigned to hosts). The first and last address in the subnet
are used for the subnet address and subnet broadcast address respectively.
Consequently, small subnetworks are more wasteful of IP addresses than
are large ones. </p>
Consequently, small subnetworks are more wasteful of IP addresses
than are large ones. </p>
<p align="left">Since <b>n</b> is a power of two, we can easily calculate
the <i>Natural Logarithm</i> (<b>log2</b>) of <b>n</b>. For the more
common subnet sizes, the size and its natural logarithm are given in the
following table:</p>
common subnet sizes, the size and its natural logarithm are given in
the following table:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -638,9 +638,9 @@ used differently):</p>
</blockquote>
<p align="left">You will notice that the above table also contains a column
for (32 - log2 <b>n</b>). That number is the <i>Variable Length Subnet
Mask</i> for a network of size <b>n</b>. From the above table, we
can derive the following one which is a little easier to use.</p>
for (32 - log2 <b>n</b>). That number is the <i>Variable Length
Subnet Mask</i> for a network of size <b>n</b>. From the above table,
we can derive the following one which is a little easier to use.</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -732,13 +732,13 @@ used differently):</p>
</blockquote>
<p align="left">Notice that the VLSM is written with a slash ("/") -- you
will often hear a subnet of size 64 referred to as a "slash 26" subnet
and one of size 8 referred to as a "slash 29".</p>
will often hear a subnet of size 64 referred to as a "slash 26"
subnet and one of size 8 referred to as a "slash 29".</p>
<p align="left">The subnet's mask (also referred to as its <i>netmask) </i>is
simply a 32-bit number with the first "VLSM" bits set to one and the
remaining bits set to zero. For example, for a subnet of size 64,
the subnet mask has 26 leading one bits:</p>
simply a 32-bit number with the first "VLSM" bits set to one and
the remaining bits set to zero. For example, for a subnet of size
64, the subnet mask has 26 leading one bits:</p>
<blockquote>
<p align="left">11111111111111111111111111000000 = FFFFFFC0 = FF.FF.FF.C0
@ -746,11 +746,11 @@ the subnet mask has 26 leading one bits:</p>
</blockquote>
<p align="left">The subnet mask has the property that if you logically AND
the subnet mask with an address in the subnet, the result is the subnet
address. Just as important, if you logically AND the subnet mask
with an address outside the subnet, the result is NOT the subnet address.
As we will see below, this property of subnet masks is very useful
in routing.</p>
the subnet mask with an address in the subnet, the result is the
subnet address. Just as important, if you logically AND the subnet
mask with an address outside the subnet, the result is NOT the subnet
address. As we will see below, this property of subnet masks is very
useful in routing.</p>
<p align="left">For a subnetwork whose address is <b>a.b.c.d</b> and whose
Variable Length Subnet Mask is <b>/v</b>, we denote the subnetwork
@ -821,8 +821,8 @@ in routing.</p>
and the set of all possible IP addresses is written <b>0.0.0.0/0</b>.</p>
<p align="left">Later in this guide, you will see the notation <b>a.b.c.d/v</b>
used to describe the ip configuration of a network interface (the 'ip'
utility also uses this syntax). This simply means that the interface
used to describe the ip configuration of a network interface (the
'ip' utility also uses this syntax). This simply means that the interface
is configured with ip address <b>a.b.c.d</b> and with the netmask that
corresponds to VLSM <b>/v</b>.</p>
@ -850,16 +850,16 @@ in routing.</p>
by the "Genmask" (Subnet Mask) of 255.255.255.255 and the "H" in the
Flags column. The remainder are 'net' routes since they tell the kernel
how to route packets to a subnetwork. The last route is the <i>default
route</i> and the gateway mentioned in that route is called the <i>default
route</i> and the gateway mentioned in that route is called the <i>default
gateway</i>.</p>
<p align="left">When the kernel is trying to send a packet to IP address
<b>A</b>, it starts at the top of the routing table and:</p>
<p align="left">When the kernel is trying to send a packet to IP address <b>A</b>,
it starts at the top of the routing table and:</p>
<ul>
<li>
<p align="left"><b>A</b> is logically ANDed with the 'Genmask' value
in the table entry.</p>
<p align="left"><b>A</b> is logically ANDed with the 'Genmask' value in
the table entry.</p>
</li>
<li>
<p align="left">The result is compared with the 'Destination' value in
@ -888,14 +888,14 @@ in the table entry.</p>
</ul>
<p align="left">Since the default route matches any IP address (<b>A</b>
land 0.0.0.0 = 0.0.0.0), packets that don't match any of the other routing
table entries are sent to the <i>default gateway</i> which is usually a
router at your ISP.</p>
<p align="left">Since the default route matches any IP address (<b>A</b> land
0.0.0.0 = 0.0.0.0), packets that don't match any of the other routing table
entries are sent to the <i>default gateway</i> which is usually a router
at your ISP.</p>
<p align="left">Lets take an example. Suppose that we want to route a packet
to 192.168.1.5. That address clearly doesn't match any of the host routes
in the table but if we logically and that address with 255.255.255.0,
to 192.168.1.5. That address clearly doesn't match any of the host
routes in the table but if we logically and that address with 255.255.255.0,
the result is 192.168.1.0 which matches this routing table entry:</p>
<div align="left">
@ -903,26 +903,25 @@ router at your ISP.</p>
<pre>192.168.1.0 0.0.0.0 255.255.255.0 U 40 0 0 eth2</pre>
</blockquote>
<p>So to route a packet to 192.168.1.5, the packet is sent directly over
eth2.</p>
<p>So to route a packet to 192.168.1.5, the packet is sent directly over eth2.</p>
</div>
<p align="left">One more thing needs to be emphasized -- all outgoing packet
are sent using the routing table and reply packets are not a special
case. There seems to be a common mis-conception whereby people think
that request packets are like salmon and contain a genetic code that
is magically transferred to reply packets so that the replies follow
the reverse route taken by the request. That isn't the case; the replies
may take a totally different route back to the client than was taken by
the requests -- they are totally independent.</p>
is magically transferred to reply packets so that the replies follow the
reverse route taken by the request. That isn't the case; the replies may
take a totally different route back to the client than was taken by the
requests -- they are totally independent.</p>
<h3 align="left"><a name="ARP"></a>4.4 Address Resolution Protocol (ARP)</h3>
<p align="left">When sending packets over Ethernet, IP addresses aren't used.
Rather Ethernet addressing is based on <i>Media Access Control</i> (MAC)
addresses. Each Ethernet device has it's own unique  MAC address which
is burned into a PROM on the device during manufacture. You can obtain
the MAC of an Ethernet device using the 'ip' utility:</p>
Rather Ethernet addressing is based on <i>Media Access Control</i>
(MAC) addresses. Each Ethernet device has it's own unique  MAC address
which is burned into a PROM on the device during manufacture. You can
obtain the MAC of an Ethernet device using the 'ip' utility:</p>
<blockquote>
<div align="left">
@ -931,9 +930,9 @@ the requests -- they are totally independent.</p>
</blockquote>
<div align="left">
<p align="left">As you can see from the above output, the MAC is 6 bytes
(48 bits) wide. A card's MAC is usually also printed on a label attached
to the card itself. </p>
<p align="left">As you can see from the above output, the MAC is 6 bytes (48
bits) wide. A card's MAC is usually also printed on a label attached to
the card itself. </p>
</div>
<div align="left">
@ -969,27 +968,27 @@ to the card itself. </p>
<p align="left">The leading question marks are a result of my having specified
the 'n' option (Windows 'arp' doesn't allow that option) which causes
the 'arp' program to forego IP-&gt;DNS name translation. Had I not given
that option, the question marks would have been replaced with the FQDN
corresponding to each IP address. Notice that the last entry in the table
records the information we saw using tcpdump above.</p>
the 'arp' program to forego IP-&gt;DNS name translation. Had I not
given that option, the question marks would have been replaced with
the FQDN corresponding to each IP address. Notice that the last entry
in the table records the information we saw using tcpdump above.</p>
<h3 align="left"><a name="RFC1918"></a>4.5 RFC 1918</h3>
<p align="left">IP addresses are allocated by the <i> <a
href="http://www.iana.org">Internet Assigned Number Authority</a> </i>(IANA)
who delegates allocations on a geographic basis to <i>Regional Internet
Registries</i> (RIRs). For example, allocation for the Americas and for
sub-Sahara Africa is delegated to the <i><a
Registries</i> (RIRs). For example, allocation for the Americas and
for sub-Sahara Africa is delegated to the <i><a
href="http://www.arin.net">American Registry for Internet Numbers</a>
</i>(ARIN). These RIRs may in turn delegate to national registries. Most
of us don't deal with these registrars but rather get our IP addresses
</i>(ARIN). These RIRs may in turn delegate to national registries.
Most of us don't deal with these registrars but rather get our IP addresses
from our ISP.</p>
<p align="left">It's a fact of life that most of us can't afford as many
Public IP addresses as we have devices to assign them to so we end up making
use of <i> Private </i>IP addresses. RFC 1918 reserves several IP address
ranges for this purpose:</p>
<p align="left">It's a fact of life that most of us can't afford as many Public
IP addresses as we have devices to assign them to so we end up making use
of <i> Private </i>IP addresses. RFC 1918 reserves several IP address ranges
for this purpose:</p>
<div align="left">
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
@ -997,10 +996,10 @@ ranges for this purpose:</p>
<div align="left">
<p align="left">The addresses reserved by RFC 1918 are sometimes referred
to as <i>non-routable</i> because the Internet backbone routers don't
forward packets which have an RFC-1918 destination address. This is
understandable given that anyone can select any of these addresses
for their private use.</p>
to as <i>non-routable</i> because the Internet backbone routers
don't forward packets which have an RFC-1918 destination address.
This is understandable given that anyone can select any of these
addresses for their private use.</p>
</div>
<div align="left">
@ -1011,8 +1010,8 @@ ranges for this purpose:</p>
<div align="left">
<ul>
<li>
<p align="left">As the IPv4 address space becomes depleted, more and
more organizations (including ISPs) are beginning to use RFC 1918 addresses
<p align="left">As the IPv4 address space becomes depleted, more and more
organizations (including ISPs) are beginning to use RFC 1918 addresses
in their infrastructure. </p>
</li>
<li>
@ -1026,8 +1025,8 @@ more organizations (including ISPs) are beginning to use RFC 1918 addresses
<div align="left">
<p align="left">So it's a good idea to check with your ISP to see if they
are using (or are planning to use) private addresses before you decide
the addresses that you are going to use.</p>
are using (or are planning to use) private addresses before you
decide the addresses that you are going to use.</p>
</div>
<div align="left">
@ -1047,9 +1046,9 @@ ways:</p>
<li>
<p align="left"><b>Routed - </b>Traffic to any of your addresses will
be routed through a single <i>gateway address</i>. This will generally
only be done if your ISP has assigned you a complete subnet (/29 or
larger). In this case, you will assign the gateway address as the IP
address of your firewall/router's external interface. </p>
only be done if your ISP has assigned you a complete subnet (/29
or larger). In this case, you will assign the gateway address as the
IP address of your firewall/router's external interface. </p>
</li>
<li>
<p align="left"><b>Non-routed - </b>Your ISP will send traffic to each
@ -1074,7 +1073,7 @@ ways:</p>
</p>
<ul>
<li>NAT_ENABLED=Yes</li>
<li>NAT_ENABLED=Yes (Shorewall versions earlier than 1.4.6)</li>
<li>IP_FORWARDING=On<br>
</li>
@ -1087,12 +1086,12 @@ ways:</p>
<div align="left">
<p align="left">Let's assume that your ISP has assigned you the subnet 192.0.2.64/28
routed through 192.0.2.65. That means that you have IP addresses
192.0.2.64 - 192.0.2.79 and that your firewall's external IP address is
192.0.2.65. Your ISP has also told you that you should use a netmask
of 255.255.255.0 (so your /28 is part of a larger /24). With this
many IP addresses, you are able to subnet your /28 into two /29's
and set up your network as shown in the following diagram.</p>
routed through 192.0.2.65. That means that you have IP addresses 192.0.2.64
- 192.0.2.79 and that your firewall's external IP address is 192.0.2.65.
Your ISP has also told you that you should use a netmask of 255.255.255.0
(so your /28 is part of a larger /24). With this many IP addresses,
you are able to subnet your /28 into two /29's and set up your network
as shown in the following diagram.</p>
</div>
<div align="left">
@ -1102,10 +1101,10 @@ and set up your network as shown in the following diagram.</p>
</div>
<div align="left">
<p align="left">Here, the DMZ comprises the subnet 192.0.2.64/29 and the
Local network is 192.0.2.72/29. The default gateway for hosts in the DMZ
would be configured to 192.0.2.66 and the default gateway for hosts in
the local network would be 192.0.2.73.</p>
<p align="left">Here, the DMZ comprises the subnet 192.0.2.64/29 and the Local
network is 192.0.2.72/29. The default gateway for hosts in the DMZ would
be configured to 192.0.2.66 and the default gateway for hosts in the local
network would be 192.0.2.73.</p>
</div>
<div align="left">
@ -1121,8 +1120,8 @@ the local network would be 192.0.2.73.</p>
<div align="left">
<p align="left">The astute reader may have noticed that the Firewall/Router's
external interface is actually part of the DMZ subnet (192.0.2.64/29).
What if DMZ 1 (192.0.2.67) tries to communicate with 192.0.2.65? The
routing table on DMZ 1 will look like this:</p>
What if DMZ 1 (192.0.2.67) tries to communicate with 192.0.2.65?
The routing table on DMZ 1 will look like this:</p>
</div>
<div align="left">
@ -1134,18 +1133,18 @@ the local network would be 192.0.2.73.</p>
<div align="left">
<p align="left">This means that DMZ 1 will send an ARP "who-has 192.0.2.65"
request and no device on the DMZ Ethernet segment has that IP address.
Oddly enough, the firewall will respond to the request with the MAC
address of its <u>DMZ Interface!!</u> DMZ 1 can then send Ethernet frames
addressed to that MAC address and the frames will be received (correctly)
by the firewall/router.</p>
Oddly enough, the firewall will respond to the request with the
MAC address of its <u>DMZ Interface!!</u> DMZ 1 can then send Ethernet
frames addressed to that MAC address and the frames will be received
(correctly) by the firewall/router.</p>
</div>
<div align="left">
<p align="left">It is this rather unexpected ARP behavior on the part of
the Linux Kernel that prompts the warning earlier in this guide regarding
the connecting of multiple firewall/router interfaces to the same hub
or switch. When an ARP request for one of the firewall/router's IP addresses
is sent by another system connected to the hub/switch, all of the firewall's
<p align="left">It is this rather unexpected ARP behavior on the part of the
Linux Kernel that prompts the warning earlier in this guide regarding the
connecting of multiple firewall/router interfaces to the same hub or switch.
When an ARP request for one of the firewall/router's IP addresses is sent
by another system connected to the hub/switch, all of the firewall's
interfaces that connect to the hub/switch can respond! It is then
a race as to which "here-is" response reaches the sender first.</p>
</div>
@ -1155,16 +1154,16 @@ is sent by another system connected to the hub/switch, all of the firewall
</div>
<div align="left">
<p align="left">If you have the above situation but it is non-routed,
you can configure your network exactly as described above with one additional
<p align="left">If you have the above situation but it is non-routed, you
can configure your network exactly as described above with one additional
twist; simply specify the "proxyarp" option on all three firewall
interfaces in the /etc/shorewall/interfaces file.</p>
interfaces in the /etc/shorewall/interfaces file.</p>
</div>
<div align="left">
<p align="left">Most of us don't have the luxury of having enough public
IP addresses to set up our networks as shown in the preceding example
(even if the setup is routed). </p>
<p align="left">Most of us don't have the luxury of having enough public IP
addresses to set up our networks as shown in the preceding example (even
if the setup is routed). </p>
</div>
<div align="left">
@ -1202,8 +1201,8 @@ IP addresses to set up our networks as shown in the preceding example
</div>
<div align="left">
<p align="left">Often a combination of these techniques is used. Each of
these will be discussed in the sections that follow.</p>
<p align="left">Often a combination of these techniques is used. Each of these
will be discussed in the sections that follow.</p>
</div>
<div align="left">
@ -1216,9 +1215,9 @@ these will be discussed in the sections that follow.</p>
a connection to host <b>B</b> on the internet, the firewall/router
rewrites the IP header in the request to use one of your public IP
addresses as the source address. When <b>B</b> responds and the response
is received by the firewall, the firewall changes the destination
address back to the RFC 1918 address of <b>A</b> and forwards the response
back to <b>A.</b></p>
is received by the firewall, the firewall changes the destination address
back to the RFC 1918 address of <b>A</b> and forwards the response back
to <b>A.</b></p>
</div>
<div align="left">
@ -1242,7 +1241,7 @@ back to <b>A.</b></p>
<div align="left"> <img border="0" src="images/BD21298_2.gif"
width="13" height="13">
    The systems in the local zone would be configured with
a default gateway of 192.168.201.1 (the IP address of the firewall's
a default gateway of 192.168.201.1 (the IP address of the firewall's
local interface).</div>
<div align="left">  </div>
@ -1277,8 +1276,8 @@ a default gateway of 192.168.201.1 (the IP address of the firewall's
<p align="left">This example used the normal technique of assigning the same
public IP address for the firewall external interface and for SNAT.
If you wanted to use a different IP address, you would either have
to use your distributions network configuration tools to add that
IP address to the external interface or you could set ADD_SNAT_ALIASES=Yes
to use your distributions network configuration tools to add that IP
address to the external interface or you could set ADD_SNAT_ALIASES=Yes
in /etc/shorewall/shorewall.conf and Shorewall will add the address for
you.</p>
</div>
@ -1299,7 +1298,7 @@ IP address to the external interface or you could set ADD_SNAT_ALIASES=Ye
height="13">
     Suppose that your daughter wants to run a web server
on her system "Local 3". You could allow connections to the internet
to her server by adding the following entry in <a
to her server by adding the following entry in <a
href="Documentation.htm#Rules">/etc/shorewall/rules</a>:</p>
</div>
@ -1343,9 +1342,9 @@ to her server by adding the following entry in <a
</div>
<div align="left">
<p align="left">This example used the firewall's external IP address for
DNAT. You can use another of your public IP addresses but Shorewall will
not add that address to the firewall's external interface for you.</p>
<p align="left">This example used the firewall's external IP address for DNAT.
You can use another of your public IP addresses but Shorewall will not
add that address to the firewall's external interface for you.</p>
</div>
<div align="left">
@ -1359,8 +1358,8 @@ not add that address to the firewall's external interface for you.</p>
<div align="left">
<ul>
<li>
<p align="left">A host <b>H </b>behind your firewall is assigned one
of your public IP addresses (<b>A)</b> and is assigned the same netmask
<p align="left">A host <b>H </b>behind your firewall is assigned one of
your public IP addresses (<b>A)</b> and is assigned the same netmask
<b>(M) </b>as the firewall's external interface. </p>
</li>
<li>
@ -1368,9 +1367,9 @@ of your public IP addresses (<b>A)</b> and is assigned the same netmask
</p>
</li>
<li>
<p align="left">When <b>H</b> issues an ARP "who has" request for an
address in the subnetwork defined by <b>A</b> and <b>M</b>, the firewall
will respond (with the MAC if the firewall interface to <b>H</b>). </p>
<p align="left">When <b>H</b> issues an ARP "who has" request for an address
in the subnetwork defined by <b>A</b> and <b>M</b>, the firewall will
respond (with the MAC if the firewall interface to <b>H</b>). </p>
</li>
</ul>
@ -1398,7 +1397,8 @@ will respond (with the MAC if the firewall interface to <b>H</b>). </p>
<div align="left"> <img border="0" src="images/BD21298_2.gif"
width="13" height="13">
    The Shorewall configuration of Proxy ARP is done using
the <a href="Documentation.htm#ProxyArp">/etc/shorewall/proxyarp</a> file.</div>
the <a href="Documentation.htm#ProxyArp">/etc/shorewall/proxyarp</a>
file.</div>
<div align="left">
<blockquote>
@ -1456,10 +1456,10 @@ the <a href="Documentation.htm#ProxyArp">/etc/shorewall/proxyarp</a> file.</
<div align="left">
<div align="left">
<p align="left">A word of warning is in order here. ISPs typically configure
their routers with a long ARP cache timeout. If you move a system from
parallel to your firewall to behind your firewall with Proxy ARP,
it will probably be HOURS before that system can communicate with the
internet. There are a couple of things that you can try:<br>
their routers with a long ARP cache timeout. If you move a system
from parallel to your firewall to behind your firewall with Proxy
ARP, it will probably be HOURS before that system can communicate with
the internet. There are a couple of things that you can try:<br>
</p>
<ol>
@ -1467,18 +1467,20 @@ internet. There are a couple of things that you can try:<br>
Illustrated, Vol 1</i> reveals that a <br>
<br>
"gratuitous" ARP packet should cause the ISP's router to refresh
their ARP cache (section 4.7). A gratuitous ARP is simply a host requesting
the MAC address for its own IP; in addition to ensuring that the IP address
their ARP cache (section 4.7). A gratuitous ARP is simply a host requesting
the MAC address for its own IP; in addition to ensuring that the IP address
isn't a duplicate,...<br>
<br>
"if the host sending the gratuitous ARP has just changed its hardware
address..., this packet causes any other host...that has an entry in its
cache for the old hardware address to update its ARP cache entry accordingly."<br>
address..., this packet causes any other host...that has an entry in
its cache for the old hardware address to update its ARP cache entry
accordingly."<br>
<br>
Which is, of course, exactly what you want to do when you switch
a host from being exposed to the Internet to behind Shorewall using proxy
ARP (or static NAT for that matter). Happily enough, recent versions of
Redhat's iputils package include "arping", whose "-U" flag does just that:<br>
ARP (or static NAT for that matter). Happily enough, recent versions
of Redhat's iputils package include "arping", whose "-U" flag does just
that:<br>
<br>
    <font color="#009900"><b>arping -U -I &lt;net if&gt; &lt;newly
proxied IP&gt;</b></font><br>
@ -1487,17 +1489,17 @@ the MAC address for its own IP; in addition to ensuring that the IP address
<br>
Stevens goes on to mention that not all systems respond correctly
to gratuitous ARPs, but googling for "arping -U" seems to support the
idea that it works most of the time.<br>
idea that it works most of the time.<br>
<br>
</li>
<li>You can call your ISP and ask them to purge the stale ARP
cache entry but many either can't or won't purge individual entries.</li>
<li>You can call your ISP and ask them to purge the stale
ARP cache entry but many either can't or won't purge individual entries.</li>
</ol>
You can determine if your ISP's gateway ARP cache is stale using
ping and tcpdump. Suppose that we suspect that the gateway router has
a stale ARP cache entry for 192.0.2.177. On the firewall, run tcpdump
as follows:</div>
You can determine if your ISP's gateway ARP cache is stale
using ping and tcpdump. Suppose that we suspect that the gateway
router has a stale ARP cache entry for 192.0.2.177. On the firewall,
run tcpdump as follows:</div>
<div align="left">
<pre> <font color="#009900"><b>tcpdump -nei eth0 icmp</b></font></pre>
@ -1524,10 +1526,10 @@ idea that it works most of the time.<br>
<div align="left">
<p align="left">Notice that the source MAC address in the echo request is
different from the destination MAC address in the echo reply!! In
this case 0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC
while 0:c0:a8:50:b2:57 was the MAC address of DMZ 1. In other words,
the gateway's ARP cache still associates 192.0.2.177 with the NIC
in DMZ 1 rather than with the firewall's eth0.</p>
this case 0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while
0:c0:a8:50:b2:57 was the MAC address of DMZ 1. In other words, the
gateway's ARP cache still associates 192.0.2.177 with the NIC in
DMZ 1 rather than with the firewall's eth0.</p>
</div>
<div align="left">
@ -1536,11 +1538,11 @@ in DMZ 1 rather than with the firewall's eth0.</p>
<div align="left">
<p align="left">With static NAT, you assign local systems RFC 1918 addresses
then establish a one-to-one mapping between those addresses and public
IP addresses. For outgoing connections SNAT (Source Network Address
Translation) occurs and on incoming connections DNAT (Destination
Network Address Translation) occurs. Let's go back to our earlier example
involving your daughter's web server running on system Local 3.</p>
then establish a one-to-one mapping between those addresses and
public IP addresses. For outgoing connections SNAT (Source Network
Address Translation) occurs and on incoming connections DNAT (Destination
Network Address Translation) occurs. Let's go back to our earlier example
involving your daughter's web server running on system Local 3.</p>
</div>
<div align="left">
@ -1657,10 +1659,10 @@ involving your daughter's web server running on system Local 3.</p>
<div align="left">
<div align="left">
<p align="left">A word of warning is in order here. ISPs typically configure
their routers with a long ARP cache timeout. If you move a system from
parallel to your firewall to behind your firewall with static NAT,
it will probably be HOURS before that system can communicate with the
internet. There are a couple of things that you can try:<br>
their routers with a long ARP cache timeout. If you move a system
from parallel to your firewall to behind your firewall with static
NAT, it will probably be HOURS before that system can communicate with
the internet. There are a couple of things that you can try:<br>
</p>
<ol>
@ -1668,18 +1670,20 @@ internet. There are a couple of things that you can try:<br>
Vol 1</i> reveals that a <br>
<br>
"gratuitous" ARP packet should cause the ISP's router to refresh
their ARP cache (section 4.7). A gratuitous ARP is simply a host requesting
the MAC address for its own IP; in addition to ensuring that the IP address
their ARP cache (section 4.7). A gratuitous ARP is simply a host requesting
the MAC address for its own IP; in addition to ensuring that the IP address
isn't a duplicate,...<br>
<br>
"if the host sending the gratuitous ARP has just changed its hardware
address..., this packet causes any other host...that has an entry in its
cache for the old hardware address to update its ARP cache entry accordingly."<br>
address..., this packet causes any other host...that has an entry in
its cache for the old hardware address to update its ARP cache entry
accordingly."<br>
<br>
Which is, of course, exactly what you want to do when you switch
a host from being exposed to the Internet to behind Shorewall using proxy
ARP (or static NAT for that matter). Happily enough, recent versions of
Redhat's iputils package include "arping", whose "-U" flag does just that:<br>
ARP (or static NAT for that matter). Happily enough, recent versions
of Redhat's iputils package include "arping", whose "-U" flag does just
that:<br>
<br>
    <font color="#009900"><b>arping -U -I &lt;net if&gt; &lt;newly
proxied IP&gt;</b></font><br>
@ -1688,16 +1692,17 @@ the MAC address for its own IP; in addition to ensuring that the IP address
<br>
Stevens goes on to mention that not all systems respond correctly
to gratuitous ARPs, but googling for "arping -U" seems to support the
idea that it works most of the time.<br>
idea that it works most of the time.<br>
<br>
</li>
<li>You can call your ISP and ask them to purge the stale ARP cache
entry but many either can't or won't purge individual entries.</li>
</ol>
You can determine if your ISP's gateway ARP cache is stale using
ping and tcpdump. Suppose that we suspect that the gateway router has
a stale ARP cache entry for 209.0.2.179. On the firewall, run tcpdump
as follows:</div>
You can determine if your ISP's gateway ARP cache is stale
using ping and tcpdump. Suppose that we suspect that the gateway
router has a stale ARP cache entry for 209.0.2.179. On the firewall,
run tcpdump as follows:</div>
<div align="left">
<pre> <font color="#009900"><b>tcpdump -nei eth0 icmp</b></font></pre>
@ -1724,10 +1729,10 @@ we will assume is 192.0.2.254):</p>
<div align="left">
<p align="left">Notice that the source MAC address in the echo request is
different from the destination MAC address in the echo reply!! In
this case 0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC
while 0:c0:a8:50:b2:57 was the MAC address of DMZ 1. In other words,
the gateway's ARP cache still associates 192.0.2.179 with the NIC
in the local zone rather than with the firewall's eth0.</p>
this case 0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while
0:c0:a8:50:b2:57 was the MAC address of DMZ 1. In other words, the
gateway's ARP cache still associates 192.0.2.179 with the NIC in
the local zone rather than with the firewall's eth0.</p>
</div>
<h3 align="left"><a name="Rules"></a>5.3 Rules</h3>
@ -1736,13 +1741,13 @@ in the local zone rather than with the firewall's eth0.</p>
<div align="left">
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13">
    With the default policies, your local systems (Local 1-3)
can access any servers on the internet and the DMZ can't access any
other host (including the firewall). With the exception of <a
    With the default policies, your local systems (Local
1-3) can access any servers on the internet and the DMZ can't access
any other host (including the firewall). With the exception of <a
href="#DNAT">DNAT rules</a> which cause address translation and allow
the translated connection request to pass through the firewall, the
way to allow connection requests through your firewall is to use ACCEPT
rules.</p>
way to allow connection requests through your firewall is to use
ACCEPT rules.</p>
</div>
<div align="left">
@ -1897,8 +1902,8 @@ in the local zone rather than with the firewall's eth0.</p>
</div>
<div align="left">
<p align="left">If you run a public DNS server on 192.0.2.177, you would
need to add the following rules:</p>
<p align="left">If you run a public DNS server on 192.0.2.177, you would need
to add the following rules:</p>
</div>
<div align="left">
@ -1986,8 +1991,9 @@ need to add the following rules:</p>
<div align="left">
<p align="left">You probably want some way to communicate with your firewall
and DMZ systems from the local network -- I recommend SSH which through
its scp utility can also do publishing and software update distribution.</p>
and DMZ systems from the local network -- I recommend SSH which
through its scp utility can also do publishing and software update
distribution.</p>
</div>
<div align="left">
@ -2030,10 +2036,10 @@ need to add the following rules:</p>
</div>
<div align="left">
<p align="left">The above discussion reflects my personal preference for
using Proxy ARP for my servers in my DMZ and SNAT/NAT for my local systems.
I prefer to use NAT only in cases where a system that is part of an RFC
1918 subnet needs to have it's own public IP. </p>
<p align="left">The above discussion reflects my personal preference for using
Proxy ARP for my servers in my DMZ and SNAT/NAT for my local systems. I
prefer to use NAT only in cases where a system that is part of an RFC 1918
subnet needs to have it's own public IP. </p>
</div>
<div align="left">
@ -2048,14 +2054,13 @@ Shorewall can do.</p>
</div>
<div align="left">
<p align="left">In case you haven't been keeping score, here's the final
set of configuration files for our sample network. Only those that were
modified from the original installation are shown.</p>
<p align="left">In case you haven't been keeping score, here's the final set
of configuration files for our sample network. Only those that were modified
from the original installation are shown.</p>
</div>
<div align="left">
<p align="left">/etc/shorewall/interfaces (The "options" will be very
site-specific).</p>
<p align="left">/etc/shorewall/interfaces (The "options" will be very site-specific).</p>
</div>
<div align="left">
@ -2097,8 +2102,8 @@ site-specific).</p>
<p align="left">The setup described here requires that your network interfaces
be brought up before Shorewall can start. This opens a short window
during which you have no firewall protection. If you replace 'detect'
with the actual broadcast addresses in the entries above, you can bring
up Shorewall before you bring up your network interfaces.</p>
with the actual broadcast addresses in the entries above, you can
bring up Shorewall before you bring up your network interfaces.</p>
</div>
<div align="left">
@ -2435,10 +2440,10 @@ site-specific).</p>
</div>
<div align="left">
<p align="left">Given the collection of RFC 1918 and public addresses in
this setup, it only makes sense to have separate internal and external
DNS servers. You can combine the two into a single BIND 9 server using
<i>Views. </i> If you are not interested in Bind 9 views, you can <a
<p align="left">Given the collection of RFC 1918 and public addresses in this
setup, it only makes sense to have separate internal and external DNS
servers. You can combine the two into a single BIND 9 server using <i>Views.
</i> If you are not interested in Bind 9 views, you can <a
href="#StartingAndStopping">go to the next section</a>.</p>
</div>
@ -2578,9 +2583,9 @@ DNS servers. You can combine the two into a single BIND 9 server using
and stopped using "shorewall stop". When the firewall is stopped,
routing is enabled on those hosts that have an entry in <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A
running firewall may be restarted using the "shorewall restart" command.
If you want to totally remove any trace of Shorewall from your Netfilter
configuration, use "shorewall clear".</p>
running firewall may be restarted using the "shorewall restart"
command. If you want to totally remove any trace of Shorewall from
your Netfilter configuration, use "shorewall clear".</p>
</div>
<div align="left">
@ -2593,21 +2598,20 @@ DNS servers. You can combine the two into a single BIND 9 server using
<div align="left">
<p align="left"><b>WARNING: </b>If you are connected to your firewall from
the internet, do not issue a "shorewall stop" command unless you have
added an entry for the IP address that you are connected from to
<a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
the internet, do not issue a "shorewall stop" command unless you
have added an entry for the IP address that you are connected from
to <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better to create
an <i><a href="Documentation.htm#Configs">alternate configuration</a></i>
and test it using the <a href="Documentation.htm#Starting">"shorewall
try" command</a>.</p>
</div>
<p align="left"><font size="2">Last updated 6/7/2003 - <a
<p align="left"><font size="2">Last updated 6/27/2003 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002, 2003
Thomas M. Easte</font></a><br>
</p>
<br>
</p>
</body>
</html>

376
Shorewall-docs/sourceforge_index.htm
View File

@ -3,15 +3,17 @@
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.3</title>
<title>Shoreline Firewall (Shorewall) 1.4</title>
<base target="_self">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="4"
style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c">
@ -29,10 +31,12 @@
<h1><font color="#ffffff">Shorewall 1.4</font><i><font
color="#ffffff"> <small><small><small>"iptables made easy"</small></small></small></font></i></h1>
</td>
<td valign="middle">
<h1 align="center"><a href="http://www.shorewall.net"
target="_top"><br>
</a></h1>
@ -44,6 +48,7 @@
</tbody>
</table>
<div align="center">
<center>
<table border="0" cellpadding="0" cellspacing="0"
@ -57,23 +62,27 @@
<h2 align="left">What is it?</h2>
<p>The Shoreline Firewall, more commonly known as "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a>
(iptables) based firewall that can be used
on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system.</p>
a <a
href="http://www.netfilter.org">Netfilter</a> (iptables)
based firewall that can be used on a dedicated
firewall system, a multi-function gateway/router/server
or on a standalone GNU/Linux system.</p>
<p>This program is free software; you can redistribute it and/or modify
it
under the terms of <a
it under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the
GNU General Public License</a> as published by the Free Software
Foundation.<br>
@ -84,16 +93,17 @@ GNU General Public License</a> as published by the Free Software
hope that it will be useful, but WITHOUT
ANY WARRANTY; without even the implied
warranty of MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE. See the GNU General
FOR A PARTICULAR PURPOSE. See the GNU General
Public License for more details.<br>
<br>
You should have received a copy of
the GNU General Public License
along with this program; if not, write to
the Free Software Foundation, Inc.,
675 Mass Ave, Cambridge, MA 02139, USA</p>
You should have received a copy
of the GNU General Public License
along with this program; if not, write
to the Free Software Foundation,
Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
@ -105,11 +115,12 @@ FOR A PARTICULAR PURPOSE. See the GNU General
<h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
If so, almost <b>NOTHING </b>on this site will apply directly
to your setup. If you want to use the documentation that you find here,
it is best if you uninstall what you have and install a setup that matches
the documentation on this site. See the <a href="two-interface.htm">Two-interface
QuickStart Guide</a> for details.<br>
If so, the documentation<b> </b>on this site will not apply
directly to your setup. If you want to use the documentation that
you find here, you will want to consider uninstalling what you have and
installing a setup that matches the documentation on this site. See
the <a href="two-interface.htm">Two-interface QuickStart Guide</a>
for details.<br>
<h2>Getting Started with Shorewall</h2>
@ -124,205 +135,161 @@ FOR A PARTICULAR PURPOSE. See the GNU General
<p><b>6/17/2003 - Shorewall-1.4.5</b><b> </b><b><img
<p><b>7/4/2003 - Shorewall-1.4.6 Beta 1</b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
<br>
</b></p>
<blockquote><a href="http://shorewall.net/pub/shorewall/testing">http://shorewall.net/pub/shorewall/testing</a><br>
<a href="ftp://shorewall.net/pub/shorewall/testing" target="_top">ftp://shorewall.net/pub/shorewall/testing</a><br>
</blockquote>
<p><b>Problems Corrected:</b><br>
</p>
<ol>
<li>A problem seen on RH7.3 systems where Shorewall encountered
start errors when started using the "service" mechanism has been worked around.<br>
<br>
</li>
<li>Previously, where a list of IP addresses appears in the DEST
column of a DNAT[-] rule, Shorewall incorrectly created multiple DNAT rules
in the nat table (one for each element in the list). Shorewall now correctly
creates a single DNAT rule with multiple "--to-destination" clauses.<br>
</li>
</ol>
<p><b>New Features:</b><br>
</p>
<ol>
<li>A 'newnotsyn' interface option has been added. This option
may be specified in /etc/shorewall/interfaces and overrides the setting
NEWNOTSYN=No for packets arriving on the associated interface.<br>
<br>
</li>
<li>The means for specifying a range of IP addresses in /etc/shorewall/masq
to use for SNAT is now documented. ADD_SNAT_ALIASES=Yes is enabled for address
ranges.<br>
<br>
</li>
<li>Shorewall can now add IP addresses to subnets other than the
first one on an interface.<br>
<br>
</li>
<li>DNAT[-] rules may now be used to load balance (round-robin)
over a set of servers. Up to 256 servers may be specified in a range of addresses
given as &lt;first address&gt;-&lt;last address&gt;.<br>
<br>
Example:<br>
<br>
    DNAT net loc:192.168.10.2-192.168.10.5 tcp 80<br>
<br>
Note that this capability has previously been available using a combination
of a DNAT- rule and one or more ACCEPT rules. That technique is still preferable
for load-balancing over a large number of servers (&gt; 16) since specifying
a range in the DNAT rule causes one filter table ACCEPT rule to be generated
for each IP address in the range.<br>
<br>
</li>
<li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration
options have been removed and have been replaced by code that detects whether
these capabilities are present in the current kernel. The output of the start,
restart and check commands have been enhanced to report the outcome:<br>
<br>
Shorewall has detected the following iptables/netfilter capabilities:<br>
   NAT: Available<br>
   Packet Mangling: Available<br>
   Multi-port Match: Available<br>
Verifying Configuration...<br>
<br>
</li>
<li>Support for the Connection Tracking Match Extension has been
added. This extension is available in recent kernel/iptables releases and
allows for rules which match against elements in netfilter's connection
tracking table. Shorewall automatically detects the availability of this
extension and reports its availability in the output of the start, restart
and check commands.<br>
<br>
Shorewall has detected the following iptables/netfilter capabilities:<br>
   NAT: Available<br>
   Packet Mangling: Available<br>
   Multi-port Match: Available<br>
   Connection Tracking Match: Available<br>
   Verifying Configuration...<br>
<br>
If this extension is available, the ruleset generated by Shorewall is
changed in the following ways:</li>
<ul>
<li>To handle 'norfc1918' filtering, Shorewall will not create
chains in the mangle table but will rather do all 'norfc1918' filtering
in the filter table (rfc1918 chain).</li>
<li>Recall that Shorewall DNAT rules generate two netfilter rules;
one in the nat table and one in the filter table. If the Connection Tracking
Match Extension is available, the rule in the filter table is extended to
check that the original destination address was the same as specified (or
defaulted to) in the DNAT rule.<br>
<br>
</li>
</ul>
<li>The shell used to interpret the firewall script (/usr/share/shorewall/firewall)
may now be specified using the SHOREWALL_SHELL parameter in shorewall.conf.</li>
</ol>
<p><b>6/17/2003 - Shorewall-1.4.5</b><b> </b></p>
<p>Problems Corrected:<br>
</p>
<ol>
<li>The command "shorewall debug try &lt;directory&gt;" now correctly
traces the attempt.</li>
<li>The INCLUDE directive now works properly in the zones file; previously,
INCLUDE in that file was ignored.</li>
<li>/etc/shorewall/routestopped records with an empty second column
are no longer ignored.<br>
traces the attempt.</li>
<li>The INCLUDE directive now works properly in the zones file;
previously, INCLUDE in that file was ignored.</li>
<li>/etc/shorewall/routestopped records with an empty second
column are no longer ignored.<br>
</li>
</ol>
<p>New Features:<br>
</p>
<ol>
<li>The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-] rule may
now contain a list of addresses. If the list begins with "!' then the rule
will take effect only if the original destination address in the connection
request does not match any of the addresses listed.</li>
<li>The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-] rule
may now contain a list of addresses. If the list begins with "!' then the
rule will take effect only if the original destination address in the connection
request does not match any of the addresses listed.</li>
</ol>
<p><b>6/15/2003 - Shorewall, Kernel 2.4.21 and iptables 1.2.8</b><b>
</b><b><img border="0" src="images/new10.gif" width="28"
height="12" alt="(New)">
</b></p>
The firewall at shorewall.net has been upgraded to the 2.4.21 kernel and
iptables 1.2.8 (using the "official" RPM from netfilter.org). No problems
have been encountered with this set of software. The Shorewall version is
1.4.4b plus the accumulated changes for 1.4.5.
<p><b>6/8/2003 - Updated Samples</b><b> </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
The firewall at shorewall.net has been upgraded to the 2.4.21 kernel
and iptables 1.2.8 (using the "official" RPM from netfilter.org). No problems
have been encountered with this set of software. The Shorewall version
is 1.4.4b plus the accumulated changes for 1.4.5.
<p><b>6/8/2003 - Updated Samples</b><b> </b></p>
<p>Thanks to Francesca Smith, the samples have been updated to Shorewall
version 1.4.4.</p>
<p><b>5/29/2003 - Shorewall-1.4.4b</b><b> </b></p>
<p>Groan -- This version corrects a problem whereby the --log-level
was not being set when logging via syslog. The most commonly reported symptom
was that Shorewall messages were being written to the console even though
console logging was correctly configured per <a href="FAQ.htm#faq16">FAQ
16</a>.<br>
</p>
<p><b>5/27/2003 - Shorewall-1.4.4a</b><b> </b></p>
The Fireparse --log-prefix fiasco continues. Tuomo Soini has pointed
out that the code in 1.4.4 restricts the length of short zone names to
4 characters. I've produced version 1.4.4a that restores the previous 5-character
limit by conditionally omitting the log rule number when the LOGFORMAT
doesn't contain '%d'.
<p><b>5/23/2003 - Shorewall-1.4.4</b><b> </b><b>
</b></p>
I apologize for the rapid-fire releases but since there is a potential
configuration change required to go from 1.4.3a to 1.4.4, I decided to
make it a full release rather than just a bug-fix release. <br>
<br>
<b>    Problems corrected:</b><br>
<blockquote>None.<br>
</blockquote>
<b>    New Features:<br>
</b>
<ol>
<li>A REDIRECT- rule target has been added. This target behaves
for REDIRECT in the same way as DNAT- does for DNAT in that the Netfilter
nat table REDIRECT rule is added but not the companion filter table ACCEPT
rule.<br>
<br>
</li>
<li>The LOGMARKER variable has been renamed LOGFORMAT and
has been changed to a 'printf' formatting template which accepts three
arguments (the chain name, logging rule number and the disposition). To
use LOGFORMAT with fireparse (<a href="http://www.fireparse.com">http://www.fireparse.com</a>),
set it as:<br>
 <br>
       LOGFORMAT="fp=%s:%d a=%s "<br>
 <br>
<b>CAUTION: </b>/sbin/shorewall uses the leading part of the
LOGFORMAT string (up to but not including the first '%') to find log messages
in the 'show log', 'status' and 'hits' commands. This part should not
be omitted (the LOGFORMAT should not begin with "%") and the leading part
should be sufficiently unique for /sbin/shorewall to identify Shorewall
messages.<br>
<br>
</li>
<li>When logging is specified on a DNAT[-] or REDIRECT[-]
rule, the logging now takes place in the nat table rather than in the filter
table. This way, only those connections that actually undergo DNAT or redirection
will be logged.</li>
</ol>
<p><b>5/20/2003 - Shorewall-1.4.3a</b><b> </b><b>
</b><br>
</p>
This version primarily corrects the documentation included in the
.tgz and in the .rpm. In addition: <br>
<p><b></b></p>
<ol>
<li>(This change is in 1.4.3 but is not documented) If
you are running iptables 1.2.7a and kernel 2.4.20, then Shorewall will
return reject replies as follows:<br>
   a) tcp - RST<br>
   b) udp - ICMP port unreachable<br>
   c) icmp - ICMP host unreachable<br>
   d) Otherwise - ICMP host prohibited<br>
If you are running earlier software, Shorewall will follow it's
traditional convention:<br>
   a) tcp - RST<br>
   b) Otherwise - ICMP port unreachable</li>
<li>UDP port 135 is now silently dropped in the common.def
chain. Remember that this chain is traversed just before a DROP or REJECT
policy is enforced.<br>
</li>
</ol>
<p><b>5/18/2003 - Shorewall 1.4.3</b><br>
</p>
    <b>Problems Corrected:<br>
</b>
<p><b></b></p>
<ol>
<li>There were several cases where Shorewall would fail
to remove a temporary directory from /tmp. These cases have been corrected.</li>
<li>The rules for allowing all traffic via the loopback
interface have been moved to before the rule that drops status=INVALID
packets. This insures that all loopback traffic is allowed even if Netfilter
connection tracking is confused.</li>
</ol>
    <b>New Features:<br>
</b>
<ol>
<li><a href="6to4.htm"> </a><a href="6to4.htm">IPV6-IPV4
(6to4) tunnels </a>are now supported in the /etc/shorewall/tunnels
file.</li>
<li value="2">You may now change the leading portion
of the --log-prefix used by Shorewall using the LOGMARKER variable in
shorewall.conf. By default, "Shorewall:" is used.<br>
</li>
</ol>
<p><b>5/10/2003 - Shorewall Mirror in Asia</b><b> </b><br>
</p>
Ed Greshko has established a mirror in Taiwan -- Thanks
Ed!
<p><b>5/8/2003 - Shorewall Mirror in Chile</b><b>  </b></p>
<p>Thanks to Darcy Ganga, there is now an HTTP mirror in Santiago Chile.<br>
</p>
<p><b>4/26/2003 - lists.shorewall.net Downtime</b><b>  </b></p>
<p>The list server will be down this morning for upgrade to RH9.0.<br>
</p>
<p><b>4/21/2003 - Samples updated for Shorewall version 1.4.2</b><b>
</b></p>
<p>Thanks to Francesca Smith, the sample configurations are now upgraded
to Shorewall version 1.4.2.</p>
<p><b>4/12/2002 - Greater Seattle Linux Users Group Presentation</b><b>
</b></p>
<blockquote> This morning, I gave <a href="GSLUG.htm"
target="_top">a Shorewall presentation to GSLUG</a>. The presentation
is in HTML format but was generated from Microsoft PowerPoint
and is best viewed using Internet Explorer (although Konqueror also
seems to work reasonably well as does Opera 7.1.0). Neither Opera
6 nor Netscape work well to view the presentation.</blockquote>
@ -331,11 +298,13 @@ seems to work reasonably well as does Opera 7.1.0). Neither Opera
<blockquote>
<ol>
</ol>
</blockquote>
@ -347,25 +316,28 @@ seems to work reasonably well as does Opera 7.1.0). Neither Opera
<p><b><a href="News.htm">More News</a></b></p>
<b> </b>
<h2><b> </b></h2>
<b> </b>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36"
alt="(Leaf Logo)">
</a>Jacques Nilo and Eric Wolzak
have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution
on a floppy, CD or compact flash) distribution
called <i>Bering</i> that features
Shorewall-1.3.14 and Kernel-2.4.20. You
Shorewall-1.4.2 and Kernel-2.4.20. You
can find their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
@ -383,28 +355,32 @@ on a floppy, CD or compact flash) distribution
<h4><b> </b></h4>
<b> </b>
<h2><b>This site is hosted by the generous folks at <a
href="http://www.sf.net">SourceForge.net</a> </b></h2>
<b> </b>
<h2><b><a name="Donations"></a>Donations</b></h2>
<b> </b></td>
<td width="88" bgcolor="#4b017c" valign="top"
align="center">
<td width="88" bgcolor="#4b017c"
valign="top" align="center">
<form method="post"
action="http://lists.shorewall.net/cgi-bin/htsearch">
<p><strong><br>
<font color="#ffffff"><b>Note: </b></font></strong>
<font color="#ffffff">Search is unavailable Daily 0200-0330
@ -413,6 +389,7 @@ on a floppy, CD or compact flash) distribution
<p><font color="#ffffff"><strong>Quick Search</strong></font><br>
<font face="Arial" size="-1"> <input
type="text" name="words" size="15"></font><font size="-1"> </font><font
@ -426,6 +403,7 @@ on a floppy, CD or compact flash) distribution
</form>
<p><font color="#ffffff"><b> <a
href="http://lists.shorewall.net/htdig/search.html"> <font
color="#ffffff">Extended Search</font></a></b></font></p>
@ -438,6 +416,7 @@ on a floppy, CD or compact flash) distribution
</tr>
</tbody>
</table>
@ -445,6 +424,7 @@ on a floppy, CD or compact flash) distribution
</div>
<table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c">
@ -467,9 +447,10 @@ on a floppy, CD or compact flash) distribution
<p align="center"><font size="4" color="#ffffff"><br>
<font size="+2">Shorewall is free but if you try it and find
it useful, please consider making a donation
<font size="+2">Shorewall is free but if you try it and
find it useful, please consider making a donation
to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight Children's
Foundation.</font></a> Thanks!</font></font></p>
@ -479,11 +460,16 @@ on a floppy, CD or compact flash) distribution
</tr>
</tbody>
</table>
<p><font size="2">Updated 6/17/2003 - <a href="support.htm">Tom Eastep</a></font>
<p><font size="2">Updated 7/4/2003 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
<br>
<br>
<br>
</p>
</body>
</html>

117
Shorewall-docs/support.htm
View File

@ -30,8 +30,8 @@
<h2>Before Reporting a Problem or Asking a Question<br>
</h2>
There
are a number of sources of Shorewall information. Please try these
before you post.
are a number of sources of Shorewall information. Please try
these before you post.
<ul>
<li>Shorewall versions earlier
that 1.3.0 are no longer supported.<br>
@ -46,11 +46,11 @@
solutions to more than 20 common problems. </li>
<li> The
<a href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a>
Information contains a number of tips to
help you solve common problems. </li>
Information contains a number of tips to help
you solve common problems. </li>
<li> The
<a href="http://www.shorewall.net/errata.htm"> Errata</a> has links
to download updated components. </li>
<a href="http://www.shorewall.net/errata.htm"> Errata</a> has
links to download updated components. </li>
<li> The
Site and Mailing List Archives search facility can locate
documents and posts about similar problems: </li>
@ -63,6 +63,7 @@ help you solve common problems. </li>
<form method="post"
action="http://lists.shorewall.net/cgi-bin/htsearch"> <font size="-1"> Match:
<select name="method">
<option value="and">All </option>
<option value="or">Any </option>
@ -103,7 +104,7 @@ help you solve common problems. </li>
<ul>
<li>Please remember we only know
what is posted in your message. Do not leave out any information
what is posted in your message. Do not leave out any information
that appears to be correct, or was mentioned in a previous
post. There have been countless posts by people who were sure
that some part of their configuration was correct when it actually
@ -115,10 +116,10 @@ what is posted in your message. Do not leave out any information
asking for <strong>free</strong> technical support.
Any help we offer is an act of generosity, not an obligation.
Try to make it easy for us to help you. Follow good, courteous
practices in writing and formatting your e-mail. Provide details that
we need if you expect good answers. <em>Exact quoting </em> of
error messages, log entries, command output, and other output is better
than a paraphrase or summary.<br>
practices in writing and formatting your e-mail. Provide details that
we need if you expect good answers. <em>Exact quoting </em> of error
messages, log entries, command output, and other output is better than
a paraphrase or summary.<br>
<br>
</li>
<li>
@ -147,8 +148,8 @@ your job for you.<br>
</ul>
<ul>
<li>the exact kernel version you
are running<br>
<li>the exact kernel version
you are running<br>
<br>
<font color="#009900"><b>uname
-a<br>
@ -159,7 +160,7 @@ your job for you.<br>
<ul>
<li>the complete, exact output
of<br>
of<br>
<br>
<font color="#009900"><b>ip
addr show<br>
@ -170,7 +171,7 @@ addr show<br>
<ul>
<li>the complete, exact output
of<br>
of<br>
<br>
<font color="#009900"><b>ip
route show<br>
@ -197,12 +198,13 @@ route show<br>
<li><font color="#ff0000"><u><i><big><b>If you are having
connection problems of any kind then:</b></big></i></u></font><br>
<br>
1. <b><font color="#009900">/sbin/shorewall reset</font></b><br>
1. <b><font color="#009900">/sbin/shorewall
reset</font></b><br>
<br>
2. Try the connection that is failing.<br>
<br>
3.<b><font color="#009900"> /sbin/shorewall status
&gt; /tmp/status.txt</font></b><br>
3.<b><font color="#009900"> /sbin/shorewall
status &gt; /tmp/status.txt</font></b><br>
<br>
4. Post the /tmp/status.txt file as an attachment.<br>
<br>
@ -226,15 +228,15 @@ route show<br>
information</strong> in an attempt to conceal your IP address,
netmask, nameserver addresses, domain name, etc. These aren't
secrets, and concealing them often misleads us (and 80% of the time,
a hacker could derive them anyway from information contained
in the SMTP headers of your post).<br>
a hacker could derive them anyway from information contained in
the SMTP headers of your post).<br>
<br>
<strong></strong></li>
<li>Do you see any "Shorewall" messages ("<b><font
color="#009900">/sbin/shorewall show log</font></b>") when
you exercise the function that is giving you problems? If
so, include the message(s) in your post along with a copy of your /etc/shorewall/interfaces
file.<br>
<li>Do you see any "Shorewall" messages
("<b><font color="#009900">/sbin/shorewall show log</font></b>")
when you exercise the function that is giving you problems?
If so, include the message(s) in your post along with a copy of
your /etc/shorewall/interfaces file.<br>
<br>
</li>
<li>Please include any of the Shorewall configuration
@ -242,18 +244,19 @@ so, include the message(s) in your post along with a copy of your /etc/sh
if you have modified that file) that you think are
relevant. If you include /etc/shorewall/rules, please include
/etc/shorewall/policy as well (rules are meaningless unless
one also knows the policies).<br>
one also knows the policies).<br>
<br>
</li>
<li>If an error occurs when you try to "<font
color="#009900"><b>shorewall start</b></font>", include a trace
(See the <a href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a>
<li>If an error occurs when you try to
"<font color="#009900"><b>shorewall start</b></font>", include
a trace (See the <a
href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a>
section for instructions).<br>
<br>
</li>
<li><b>The list server limits posts to 120kb so don't
post GIFs of your network layout, etc.
to the Mailing List -- your post will be rejected.</b></li>
<li><b>The list server limits posts to 120kb so
don't post GIFs of your network layout,
etc. to the Mailing List -- your post will be rejected.</b></li>
</ul>
@ -265,29 +268,29 @@ one also knows the policies).<br>
<h2>When using the mailing list, please post in plain text</h2>
<blockquote> A growing number of MTAs serving list subscribers are
rejecting all HTML traffic. At least one MTA has gone so far as to
blacklist shorewall.net "for continuous abuse" because it has been
my policy to allow HTML in list posts!!<br>
<blockquote> A growing number of MTAs serving list subscribers are rejecting
all HTML traffic. At least one MTA has gone so far as to blacklist
shorewall.net "for continuous abuse" because it has been my policy
to allow HTML in list posts!!<br>
<br>
I think that blocking all HTML
is a Draconian way to control spam and that the ultimate
losers here are not the spammers but the list subscribers
whose MTAs are bouncing all shorewall.net mail. As one list
subscriber wrote to me privately "These e-mail admin's need
to get a <i>(expletive deleted)</i> life instead of trying to
rid the planet of HTML based e-mail". Nevertheless, to allow
subscribers to receive list posts as must as possible, I have now
configured the list server at shorewall.net to strip all HTML from
outgoing posts.<br>
whose MTAs are bouncing all shorewall.net mail. As one list subscriber
wrote to me privately "These e-mail admin's need to get a <i>(expletive
deleted)</i> life instead of trying to rid the planet of HTML
based e-mail". Nevertheless, to allow subscribers to receive
list posts as must as possible, I have now configured the list
server at shorewall.net to strip all HTML from outgoing posts.<br>
<br>
<big><font color="#cc0000"><b>If you run your own outgoing mail server
and it doesn't have a valid DNS PTR record, your email won't reach the lists
unless/until the postmaster notices that your posts are being rejected. To
avoid this problem, you should configure your MTA to forward posts to shorewall.net
through an MTA that <u>does</u> have a valid PTR record (such as the one
at your ISP). </b></font></big><br>
</blockquote>
unless/until the postmaster notices that your posts are being rejected.
To avoid this problem, you should configure your MTA to forward posts to
shorewall.net through an MTA that <u>does</u> have a valid PTR record (such
as the one at your ISP). </b></font></big><br>
</blockquote>
<h2>Where to Send your Problem Report or to Ask for Help</h2>
<blockquote>
@ -297,18 +300,13 @@ at your ISP). </b></font></big><br>
href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing
list</a>.</span></h4>
<b>If you run Shorewall under
MandrakeSoft Multi Network Firewall (MNF) and you have
not purchased an MNF license from MandrakeSoft then you can
MandrakeSoft Multi Network Firewall (MNF) and you have
not purchased an MNF license from MandrakeSoft then you can
post non MNF-specific Shorewall questions to the </b><a
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
list</a>. <b>Do not expect to get free MNF support on the list.</b><br>
list</a>. <b>Do not expect to get free MNF support on the list</b>
<p>If you have a question, you may post it on the <a
href="http://www.developercube.com/forum/index.php?c=8">Shorewall Forum</a>:
<font color="#ff6666"><b>DO NOT USE THE FORUM FOR REPORTING PROBLEMS OR
ASKING FOR HELP WITH PROBLEMS.<br>
</b></font><br>
Otherwise, please post your question or problem to the <a
<p>Otherwise, please post your question or problem to the <a
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
list</a> .</p>
@ -322,10 +320,11 @@ ASKING FOR HELP WITH PROBLEMS.<br>
href="http://lists.shorewall.net">http://lists.shorewall.net</a><br>
</p>
<p align="left"><font size="2">Last Updated 6/14/2003 - Tom Eastep</font></p>
<p align="left"><font size="2">Last Updated 6/24/2003 - Tom Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p>
</p>
<br>
</body>
</html>

289
Shorewall-docs/three-interface.htm
View File

@ -55,36 +55,36 @@ Relay, dial-up, ...</li>
<p>Shorewall requires that you have the iproute/iproute2 package installed
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can
tell if this package is installed by the presence of an <b>ip</b> program
on your firewall system. As root, you can use the 'which' command
to check for this program:</p>
tell if this package is installed by the presence of an <b>ip</b>
program on your firewall system. As root, you can use the 'which'
command to check for this program:</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
<p>I recommend that you first read through the guide to familiarize yourself
with what's involved then go back through it again making your configuration
changes. Points at which configuration changes are recommended are
flagged with <img border="0" src="images/BD21298_.gif" width="13"
height="13">
with what's involved then go back through it again making your
configuration changes. Points at which configuration changes are
recommended are flagged with <img border="0"
src="images/BD21298_.gif" width="13" height="13">
. Configuration notes that are unique to LEAF/Bering are marked with <img
src="images/leaflogo.gif" alt="(LEAF Logo)" width="49" height="36">
</p>
<p><img border="0" src="images/j0213519.gif" width="60" height="60">
    If you edit your configuration files on a Windows system,
you must save them as Unix files if your editor supports that option
or you must run them through dos2unix before trying to use them. Similarly,
if you copy a configuration file from your Windows hard drive to a
floppy disk, you must run dos2unix against the copy before using it with
Shorewall.</p>
    If you edit your configuration files on a Windows
system, you must save them as Unix files if your editor supports
that option or you must run them through dos2unix before trying to
use them. Similarly, if you copy a configuration file from your Windows
hard drive to a floppy disk, you must run dos2unix against the copy
before using it with Shorewall.</p>
<ul>
<li><a
href="http://www.simtel.net/pub/pd/51438.html">Windows Version of
dos2unix</a></li>
<li><a
href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version of
dos2unix</a></li>
href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version
of dos2unix</a></li>
</ul>
@ -92,18 +92,18 @@ Shorewall.</p>
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
alt="">
    The configuration files for Shorewall are contained in the directory
/etc/shorewall -- for simple setups, you will only need to deal with
a few of these as described in this guide. After you have <a
href="Install.htm">installed Shorewall</a>, <b>download the <a
    The configuration files for Shorewall are contained in the
directory /etc/shorewall -- for simple setups, you will only need to
deal with a few of these as described in this guide. After you have
<a href="Install.htm">installed Shorewall</a>, <b>download the <a
href="http://www.shorewall.net/pub/shorewall/Samples/">three-interface
sample</a>, un-tar it (tar -zxvf three-interfaces.tgz) and and copy
the files to /etc/shorewall (the files will replace files with the
same names that were placed in /etc/shorewall when Shorewall was installed)</b>.</p>
same names that were placed in /etc/shorewall when Shorewall was installed)</b>.</p>
<p>As each file is introduced, I suggest that you look through the actual
file on your system -- each file contains detailed configuration
instructions and default entries.</p>
instructions and default entries.</p>
<p>Shorewall views the network where it is running as being composed of a
set of <i>zones.</i> In the three-interface sample configuration,
@ -141,19 +141,19 @@ instructions and default entries.</p>
in terms of zones.</p>
<ul>
<li>You express your default policy for connections from
one zone to another zone in the<a
<li>You express your default policy for connections
from one zone to another zone in the<a
href="Documentation.htm#Policy"> /etc/shorewall/policy </a>file.</li>
<li>You define exceptions to those default policies in
the <a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
<li>You define exceptions to those default policies
in the <a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
</ul>
<p>For each connection request entering the firewall, the request is first
checked against the /etc/shorewall/rules file. If no rule in that
file matches the connection request then the first policy in /etc/shorewall/policy
that matches the request is applied. If that policy is REJECT or
DROP  the request is first checked against the rules in /etc/shorewall/common
that matches the request is applied. If that policy is REJECT
or DROP  the request is first checked against the rules in /etc/shorewall/common
(the samples provide that file for you).</p>
<p>The /etc/shorewall/policy file included with the three-interface sample
@ -238,7 +238,7 @@ instructions and default entries.</p>
<p><img border="0" src="images/BD21298_1.gif" width="13" height="13">
    At this point, edit your /etc/shorewall/policy file
and make any changes that you wish.</p>
and make any changes that you wish.</p>
<h2 align="left">Network Interfaces</h2>
@ -247,9 +247,9 @@ and make any changes that you wish.</p>
</p>
<p align="left">The firewall has three network interfaces. Where Internet
connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
will be the ethernet adapter that is connected to that "Modem" (e.g.,
<b>eth0</b>)  <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint
connectivity is through a cable or DSL "Modem", the <i>External
Interface</i> will be the ethernet adapter that is connected to
that "Modem" (e.g., <b>eth0</b>)  <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint
<u>P</u>rotocol over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint
<u>T</u>unneling <u>P</u>rotocol </i>(PPTP) in which case the External
Interface will be a ppp interface (e.g., <b>ppp0</b>). If you connect
@ -265,30 +265,30 @@ and make any changes that you wish.</p>
<p align="left">Your <i>Local Interface</i> will be an ethernet adapter (eth0,
eth1 or eth2) and will be connected to a hub or switch. Your local
computers will be connected to the same switch (note: If you have
only a single local system, you can connect the firewall directly to
the computer using a <i>cross-over </i> cable).</p>
only a single local system, you can connect the firewall directly
to the computer using a <i>cross-over </i> cable).</p>
<p align="left">Your <i>DMZ Interface</i> will also be an ethernet adapter
(eth0, eth1 or eth2) and will be connected to a hub or switch. Your
DMZ computers will be connected to the same switch (note: If you have
only a single DMZ system, you can connect the firewall directly to the
computer using a <i>cross-over </i> cable).</p>
(eth0, eth1 or eth2) and will be connected to a hub or switch.
Your DMZ computers will be connected to the same switch (note: If
you have only a single DMZ system, you can connect the firewall directly
to the computer using a <i>cross-over </i> cable).</p>
<p align="left"><u><b> <img border="0" src="images/j0213519.gif"
width="60" height="60">
</b></u>Do not connect more than one interface to the same
hub or switch (even for testing). It won't work the way that you expect
it to and you will end up confused and believing that Shorewall doesn't
work at all.</p>
</b></u>Do not connect more than one interface to the
same hub or switch (even for testing). It won't work the way that
you expect it to and you will end up confused and believing that Shorewall
doesn't work at all.</p>
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13">
    The Shorewall three-interface sample configuration assumes
that the external interface is <b>eth0, </b>the local interface is
<b>eth1 </b>and the DMZ interface is <b> eth2</b>. If your configuration
    The Shorewall three-interface sample configuration
assumes that the external interface is <b>eth0, </b>the local interface
is <b>eth1 </b>and the DMZ interface is <b> eth2</b>. If your configuration
is different, you will have to modify the sample /etc/shorewall/interfaces
file accordingly. While you are there, you may wish to review the list
of options that are specified for the interfaces. Some hints:</p>
file accordingly. While you are there, you may wish to review the
list of options that are specified for the interfaces. Some hints:</p>
<ul>
<li>
@ -299,7 +299,7 @@ the computer using a <i>cross-over </i> cable).</p>
<li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>
or if you have a static IP address, you can remove "dhcp" from
the option list. </p>
the option list. </p>
</li>
</ul>
@ -307,17 +307,18 @@ the option list. </p>
<h2 align="left">IP Addresses</h2>
<p align="left">Before going further, we should say a few words about Internet
Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you
a single <i> Public</i> IP address. This address may be assigned via
the<i> Dynamic Host Configuration Protocol</i> (DHCP) or as part of
establishing your connection when you dial in (standard modem) or establish
your PPP connection. In rare cases, your ISP may assign you a<i> static</i>
IP address; that means that you configure your firewall's external interface
to use that address permanently.<i> </i>Regardless of how the address
is assigned, it will be shared by all of your systems when you access
the Internet. You will have to assign your own addresses for your internal
network (the local and DMZ Interfaces on your firewall plus your other computers).
RFC 1918 reserves several <i>Private </i>IP address ranges for this purpose:</p>
Protocol (IP) <i>addresses</i>. Normally, your ISP will assign
you a single <i> Public</i> IP address. This address may be assigned
via the<i> Dynamic Host Configuration Protocol</i> (DHCP) or as part
of establishing your connection when you dial in (standard modem) or
establish your PPP connection. In rare cases, your ISP may assign you
a<i> static</i> IP address; that means that you configure your firewall's
external interface to use that address permanently.<i> </i>Regardless
of how the address is assigned, it will be shared by all of your systems
when you access the Internet. You will have to assign your own addresses
for your internal network (the local and DMZ Interfaces on your firewall
plus your other computers). RFC 1918 reserves several <i>Private </i>IP
address ranges for this purpose:</p>
<div align="left">
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
@ -327,23 +328,23 @@ network (the local and DMZ Interfaces on your firewall plus your other computer
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13">
    Before starting Shorewall, you should look at the
IP address of your external interface and if it is one of the above
ranges, you should remove the 'norfc1918' option from the external
interface's entry in /etc/shorewall/interfaces.</p>
IP address of your external interface and if it is one of the
above ranges, you should remove the 'norfc1918' option from the
external interface's entry in /etc/shorewall/interfaces.</p>
</div>
<div align="left">
<p align="left">You will want to assign your local addresses from one <i>
sub-network </i>or <i>subnet</i> and your DMZ addresses from another
subnet. For our purposes, we can consider a subnet to consists of
a range of addresses x.y.z.0 - x.y.z.255. Such a subnet will have a
<i>Subnet Mask </i>of 255.255.255.0. The address x.y.z.0 is reserved
subnet. For our purposes, we can consider a subnet to consists
of a range of addresses x.y.z.0 - x.y.z.255. Such a subnet will have
a <i>Subnet Mask </i>of 255.255.255.0. The address x.y.z.0 is reserved
as the <i>Subnet Address</i> and x.y.z.255 is reserved as the <i>Subnet
Broadcast</i> <i>Address</i>. In Shorewall, a subnet is described using <a
href="shorewall_setup_guide.htm#Subnets"><i>Classless InterDomain Routing
</i>(CIDR)</a> notation with consists of the subnet address followed
by "/24". The "24" refers to the number of consecutive "1" bits from
the left of the subnet mask. </p>
by "/24". The "24" refers to the number of consecutive "1" bits
from the left of the subnet mask. </p>
</div>
<div align="left">
@ -394,17 +395,18 @@ IP address of your external interface and if it is one of the above
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13">
    Your local computers (Local Computers 1 &amp; 2)
should be configured with their<i> default gateway</i> set to the
IP address of the firewall's internal interface and your DMZ computers
( DMZ Computers 1 &amp; 2) should be configured with their default
gateway set to the IP address of the firewall's DMZ interface.   </p>
should be configured with their<i> default gateway</i> set to
the IP address of the firewall's internal interface and your DMZ
computers ( DMZ Computers 1 &amp; 2) should be configured with their
default gateway set to the IP address of the firewall's DMZ interface.  
</p>
</div>
<p align="left">The foregoing short discussion barely scratches the surface
regarding subnetting and routing. If you are interested in learning
more about IP addressing and routing, I highly recommend <i>"IP Fundamentals:
What Everyone Needs to Know about Addressing &amp; Routing",</i>
Thomas A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
more about IP addressing and routing, I highly recommend <i>"IP
Fundamentals: What Everyone Needs to Know about Addressing &amp;
Routing",</i> Thomas A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
<p align="left">The remainder of this quide will assume that you have configured
your network as shown here:</p>
@ -429,24 +431,24 @@ then you will need to select a different RFC 1918 subnet for your DMZ.</b><br>
<p align="left">IP Masquerading (SNAT)</p>
<p align="left">The addresses reserved by RFC 1918 are sometimes referred
to as <i>non-routable</i> because the Internet backbone routers don't
forward packets which have an RFC-1918 destination address. When one
of your local systems (let's assume local computer 1) sends a connection
request to an internet host, the firewall must perform <i>Network
Address Translation </i>(NAT). The firewall rewrites the source address
in the packet to be the address of the firewall's external interface;
in other words, the firewall makes it look as if the firewall itself
is initiating the connection.  This is necessary so that the destination
host will be able to route return packets back to the firewall (remember
that packets whose destination address is reserved by RFC 1918 can't
be routed accross the internet). When the firewall receives a return
packet, it rewrites the destination address back to 10.10.10.1 and forwards
the packet on to local computer 1. </p>
to as <i>non-routable</i> because the Internet backbone routers
don't forward packets which have an RFC-1918 destination address.
When one of your local systems (let's assume local computer 1) sends
a connection request to an internet host, the firewall must perform
<i>Network Address Translation </i>(NAT). The firewall rewrites the
source address in the packet to be the address of the firewall's external
interface; in other words, the firewall makes it look as if the firewall
itself is initiating the connection.  This is necessary so that the
destination host will be able to route return packets back to the firewall
(remember that packets whose destination address is reserved by RFC
1918 can't be routed accross the internet). When the firewall receives
a return packet, it rewrites the destination address back to 10.10.10.1
and forwards the packet on to local computer 1. </p>
<p align="left">On Linux systems, the above process is often referred to as<i>
IP Masquerading</i> and you will also see the term <i>Source Network Address
Translation </i>(SNAT) used. Shorewall follows the convention used with
Netfilter:</p>
<p align="left">On Linux systems, the above process is often referred to
as<i> IP Masquerading</i> and you will also see the term <i>Source Network
Address Translation </i>(SNAT) used. Shorewall follows the convention used
with Netfilter:</p>
<ul>
<li>
@ -469,7 +471,7 @@ the packet on to local computer 1. </p>
height="13">
    If your external firewall interface is <b>eth0</b>,
your local interface <b>eth1 </b>and your DMZ interface is <b>eth2</b>
then you do not need to modify the file provided with the sample. Otherwise,
then you do not need to modify the file provided with the sample. Otherwise,
edit /etc/shorewall/masq and change it to match your configuration.</p>
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
@ -485,11 +487,11 @@ the third column in the /etc/shorewall/masq entry if you like although
height="13" alt="">
    If you are using the Debian package, please check your shorewall.conf
file to ensure that the following are set correctly; if they are not,
change them appropriately:<br>
change them appropriately:<br>
</p>
<ul>
<li>NAT_ENABLED=Yes</li>
<li>NAT_ENABLED=Yes (Shorewall versions earlier than 1.4.6)</li>
<li>IP_FORWARDING=On<br>
</li>
@ -498,13 +500,13 @@ change them appropriately:<br>
<h2 align="left">Port Forwarding (DNAT)</h2>
<p align="left">One of your goals will be to run one or more servers on your
DMZ computers. Because these computers have RFC-1918 addresses, it
is not possible for clients on the internet to connect directly to
them. It is rather necessary for those clients to address their connection
requests to your firewall who rewrites the destination address to the
address of your server and forwards the packet to that server. When your
server responds, the firewall automatically performs SNAT to rewrite
the source address in the response.</p>
DMZ computers. Because these computers have RFC-1918 addresses,
it is not possible for clients on the internet to connect directly
to them. It is rather necessary for those clients to address their
connection requests to your firewall who rewrites the destination
address to the address of your server and forwards the packet to that
server. When your server responds, the firewall automatically performs
SNAT to rewrite the source address in the response.</p>
<p align="left">The above process is called<i> Port Forwarding</i> or <i>
Destination Network Address Translation</i> (DNAT). You configure
@ -541,8 +543,8 @@ them. It is rather necessary for those clients to address their connection
</table>
</blockquote>
<p>If you don't specify the <i>&lt;server port&gt;</i>, it is assumed to be
the same as <i>&lt;port&gt;</i>.</p>
<p>If you don't specify the <i>&lt;server port&gt;</i>, it is assumed to
be the same as <i>&lt;port&gt;</i>.</p>
<p>Example - you run a Web Server on DMZ 2 and you want to forward incoming
TCP port 80 to that system:</p>
@ -588,10 +590,10 @@ the same as <i>&lt;port&gt;</i>.</p>
<ul>
<li>When you are connecting to your server from your
local systems, you must use the server's internal IP address (10.10.11.2).</li>
<li>Many ISPs block incoming connection requests to port
80. If you have problems connecting to your web server, try the
following rule and try connecting to port 5000 (e.g., connect to
<a href="http://w.x.y.z:5000"> http://w.x.y.z:5000</a> where w.x.y.z
<li>Many ISPs block incoming connection requests to
port 80. If you have problems connecting to your web server, try
the following rule and try connecting to port 5000 (e.g., connect
to <a href="http://w.x.y.z:5000"> http://w.x.y.z:5000</a> where w.x.y.z
is your external IP).</li>
</ul>
@ -625,7 +627,7 @@ is your external IP).</li>
<p>If you want to be able to access your server from the local network using
your external address, then if you have a static external IP you
can replace the loc-&gt;dmz rule above with:</p>
can replace the loc-&gt;dmz rule above with:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -696,7 +698,7 @@ can replace the loc-&gt;dmz rule above with:</p>
</blockquote>
<p>If you want to access your server from the DMZ using your external IP
address, see <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p>
address, see <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p>
<p><img border="0" src="images/BD21298_2.gif" width="13" height="13">
    At this point, add the DNAT and ACCEPT rules for your
@ -705,44 +707,45 @@ address, see <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p>
<h2 align="left">Domain Name Server (DNS)</h2>
<p align="left">Normally, when you connect to your ISP, as part of getting
an IP address your firewall's <i>Domain Name Service </i>(DNS) resolver
will be automatically configured (e.g., the /etc/resolv.conf file
will be written). Alternatively, your ISP may have given you the IP
address of a pair of DNS <i> name servers</i> for you to manually configure
as your primary and secondary name servers. It is <u>your</u> responsibility
to configure the resolver in your internal systems. You can take one
of two approaches:</p>
an IP address your firewall's <i>Domain Name Service </i>(DNS)
resolver will be automatically configured (e.g., the /etc/resolv.conf
file will be written). Alternatively, your ISP may have given you
the IP address of a pair of DNS <i> name servers</i> for you to manually
configure as your primary and secondary name servers. It is <u>your</u>
responsibility to configure the resolver in your internal systems.
You can take one of two approaches:</p>
<ul>
<li>
<p align="left">You can configure your internal systems to use your ISP's
name servers. If you ISP gave you the addresses of their servers
or if those addresses are available on their web site, you can configure
your internal systems to use those addresses. If that information
isn't available, look in /etc/resolv.conf on your firewall system
-- the name servers are given in "nameserver" records in that file.
</p>
or if those addresses are available on their web site, you can
configure your internal systems to use those addresses. If that
information isn't available, look in /etc/resolv.conf on your firewall
system -- the name servers are given in "nameserver" records in that
file. </p>
</li>
<li>
<p align="left"><img border="0" src="images/BD21298_2.gif"
width="13" height="13">
    You can configure a<i> Caching Name Server </i>on your
firewall or in your DMZ.<i> </i>Red Hat has an RPM for a caching
name server (which also requires the 'bind' RPM) and for Bering users,
there is dnscache.lrp. If you take this approach, you configure your
internal systems to use the caching name server as their primary (and
only) name server. You use the internal IP address of the firewall (10.10.10.254
in the example above) for the name server address if you choose to
run the name server on your firewall. To allow your local systems to
talk to your caching name server, you must open port 53 (both UDP
and TCP) from the local network to the server; you do that by adding
the rules in /etc/shorewall/rules. </p>
name server (which also requires the 'bind' RPM) and for Bering
users, there is dnscache.lrp. If you take this approach, you configure
your internal systems to use the caching name server as their primary
(and only) name server. You use the internal IP address of the firewall
(10.10.10.254 in the example above) for the name server address if
you choose to run the name server on your firewall. To allow your local
systems to talk to your caching name server, you must open port 53
(both UDP and TCP) from the local network to the server; you do that
by adding the rules in /etc/shorewall/rules. </p>
</li>
</ul>
<blockquote>
<p align="left">If you run the name server on the firewall:
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber4">
<tbody>
@ -904,7 +907,7 @@ the rules in /etc/shorewall/rules. </p>
<div align="left">
<p align="left">Those rules allow DNS access from your firewall and may be
removed if you commented out the line in /etc/shorewall/policy
allowing all connections from the firewall to the internet.</p>
allowing all connections from the firewall to the internet.</p>
</div>
<div align="left">
@ -1045,8 +1048,8 @@ allowing all connections from the firewall to the internet.</p>
<div align="left">
<p align="left"><b>Important: </b>I don't recommend enabling telnet to/from
the internet because it uses clear text (even for login!). If you
want shell access to your firewall from the internet, use SSH:</p>
the internet because it uses clear text (even for login!). If
you want shell access to your firewall from the internet, use SSH:</p>
</div>
<div align="left">
@ -1146,8 +1149,8 @@ other connections as required.</p>
    The <a href="Install.htm">installation procedure </a>
configures your system to start Shorewall at system boot  but beginning
with Shorewall version 1.3.9 startup is disabled so that your system
won't try to start Shorewall before configuration is complete. Once
you have completed configuration of your firewall, you can enable Shorewall
won't try to start Shorewall before configuration is complete. Once you
have completed configuration of your firewall, you can enable Shorewall
startup by removing the file /etc/shorewall/startup_disabled.<br>
</p>
@ -1163,8 +1166,8 @@ you have completed configuration of your firewall, you can enable Shorewall
routing is enabled on those hosts that have an entry in <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A
running firewall may be restarted using the "shorewall restart"
command. If you want to totally remove any trace of Shorewall from
your Netfilter configuration, use "shorewall clear".</p>
command. If you want to totally remove any trace of Shorewall
from your Netfilter configuration, use "shorewall clear".</p>
</div>
<div align="left">
@ -1179,16 +1182,16 @@ different set of hosts, modify /etc/shorewall/routestopped accordingly.
<div align="left">
<p align="left"><b>WARNING: </b>If you are connected to your firewall from
the internet, do not issue a "shorewall stop" command unless you
have added an entry for the IP address that you are connected from
to <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better to create
an <i><a href="configuration_file_basics.htm#Configs">alternate
configuration</a></i> and test it using the <a
the internet, do not issue a "shorewall stop" command unless
you have added an entry for the IP address that you are connected
from to <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better to
create an <i><a href="configuration_file_basics.htm#Configs">alternate
configuration</a></i> and test it using the <a
href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p>
</div>
<p align="left"><font size="2">Last updated 5/19/2003 - <a
<p align="left"><font size="2">Last updated 6/27/2003 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002, 2003

327
Shorewall-docs/two-interface.htm
View File

@ -30,19 +30,19 @@
</table>
<p align="left">Setting up a Linux system as a firewall for a small network
is a fairly straight-forward task if you understand the basics and
follow the documentation.</p>
is a fairly straight-forward task if you understand the basics
and follow the documentation.</p>
<p>This guide doesn't attempt to acquaint you with all of the features of
Shorewall. It rather focuses on what is required to configure Shorewall
in its most common configuration:</p>
Shorewall. It rather focuses on what is required to configure
Shorewall in its most common configuration:</p>
<ul>
<li>Linux system used as a firewall/router for a small
local network.</li>
<li>Single public IP address.</li>
<li>Internet connection through cable modem, DSL, ISDN,
Frame Relay, dial-up ...</li>
<li>Internet connection through cable modem, DSL,
ISDN, Frame Relay, dial-up ...</li>
</ul>
@ -53,14 +53,14 @@
</p>
<p><b>If you are running Shorewall under Mandrake 9.0 or later, you can easily
configure the above setup using the Mandrake "Internet Connection Sharing"
applet. From the Mandrake Control Center, select "Network &amp; Internet"
then "Connection Sharing".<br>
configure the above setup using the Mandrake "Internet Connection
Sharing" applet. From the Mandrake Control Center, select "Network
&amp; Internet" then "Connection Sharing".<br>
</b></p>
<p><b>Note however, that the Shorewall configuration produced by Mandrake
Internet Connection Sharing is strange and is apt to confuse you if you use
the rest of this documentation (it has two local zones; "loc" and "masq"
Internet Connection Sharing is strange and is apt to confuse you if you
use the rest of this documentation (it has two local zones; "loc" and "masq"
where "loc" is empty; this conflicts with this documentation which assumes
a single local zone "loc"). We therefore recommend that once you have set
up this sharing that you uninstall the Mandrake Shorewall RPM and install
@ -69,38 +69,38 @@
</p>
<p>Shorewall requires that you have the iproute/iproute2 package installed
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can
tell if this package is installed by the presence of an <b>ip</b>
program on your firewall system. As root, you can use the 'which' command
to check for this program:</p>
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You
can tell if this package is installed by the presence of an <b>ip</b>
program on your firewall system. As root, you can use the 'which'
command to check for this program:</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
<p>I recommend that you first read through the guide to familiarize yourself
with what's involved then go back through it again making your configuration
changes. Points at which configuration changes are recommended
are flagged with <img border="0" src="images/BD21298_.gif"
width="13" height="13">
. Configuration notes that are unique to LEAF/Bering are
marked with <img src="images/leaflogo.gif" alt="(LEAF Logo)"
with what's involved then go back through it again making your
configuration changes. Points at which configuration changes are
recommended are flagged with <img border="0"
src="images/BD21298_.gif" width="13" height="13">
. Configuration notes that are unique to LEAF/Bering
are marked with <img src="images/leaflogo.gif" alt="(LEAF Logo)"
width="49" height="36">
</p>
<p><img border="0" src="images/j0213519.gif" width="60" height="60">
    If you edit your configuration files on a Windows
system, you must save them as Unix files if your editor supports
that option or you must run them through dos2unix before trying to
use them. Similarly, if you copy a configuration file from your Windows
hard drive to a floppy disk, you must run dos2unix against the copy before
using it with Shorewall.</p>
system, you must save them as Unix files if your editor supports
that option or you must run them through dos2unix before trying
to use them. Similarly, if you copy a configuration file from your
Windows hard drive to a floppy disk, you must run dos2unix against the
copy before using it with Shorewall.</p>
<ul>
<li><a
href="http://www.simtel.net/pub/pd/51438.html">Windows Version of
dos2unix</a></li>
<li><a
href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version of
dos2unix</a></li>
href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version
of dos2unix</a></li>
</ul>
@ -110,11 +110,12 @@ using it with Shorewall.</p>
alt="">
    The configuration files for Shorewall are contained in the
directory /etc/shorewall -- for simple setups, you will only need to
deal with a few of these as described in this guide. After you have
<a href="Install.htm">installed Shorewall</a>, <b>download the <a
deal with a few of these as described in this guide. After you have <a
href="Install.htm">installed Shorewall</a>, <b>download the <a
href="http://www1.shorewall.net/pub/shorewall/Samples/">two-interface sample</a>,
un-tar it (tar -zxvf two-interfaces.tgz) and and copy the files to
/etc/shorewall (these files will replace files with the same name).</b></p>
un-tar it (tar -zxvf two-interfaces.tgz) and and copy the files
to /etc/shorewall (these files will replace files with the same
name).</b></p>
<p>As each file is introduced, I suggest that you look through the actual
file on your system -- each file contains detailed configuration
@ -122,7 +123,7 @@ using it with Shorewall.</p>
<p>Shorewall views the network where it is running as being composed of a
set of <i>zones.</i> In the two-interface sample configuration,
the following zone names are used:</p>
the following zone names are used:</p>
<table border="0" style="border-collapse: collapse;" cellpadding="3"
cellspacing="0" id="AutoNumber2">
@ -154,22 +155,22 @@ the following zone names are used:</p>
<ul>
<li>You express your default policy for connections
from one zone to another zone in the<a
from one zone to another zone in the<a
href="Documentation.htm#Policy"> /etc/shorewall/policy </a>file.</li>
<li>You define exceptions to those default policies
in the <a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
in the <a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
</ul>
<p>For each connection request entering the firewall, the request is first
checked against the /etc/shorewall/rules file. If no rule in that
file matches the connection request then the first policy in /etc/shorewall/policy
that matches the request is applied. If that policy is REJECT or
DROP  the request is first checked against the rules in /etc/shorewall/common
that matches the request is applied. If that policy is REJECT
or DROP  the request is first checked against the rules in /etc/shorewall/common
(the samples provide that file for you).</p>
<p>The /etc/shorewall/policy file included with the two-interface sample has
the following policies:</p>
<p>The /etc/shorewall/policy file included with the two-interface sample
has the following policies:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -238,8 +239,8 @@ the following policies:</p>
<p>The above policy will:</p>
<ol>
<li>allow all connection requests from your local network
to the internet</li>
<li>allow all connection requests from your local
network to the internet</li>
<li>drop (ignore) all connection requests from the
internet to your firewall or local network</li>
<li>optionally accept all connection requests from
@ -250,7 +251,7 @@ the firewall to the internet (if you uncomment the additional policy)<
<p><img border="0" src="images/BD21298_.gif" width="13" height="13">
    At this point, edit your /etc/shorewall/policy and
make any changes that you wish.</p>
make any changes that you wish.</p>
<h2 align="left">Network Interfaces</h2>
@ -258,9 +259,9 @@ make any changes that you wish.</p>
height="635">
</p>
<p align="left">The firewall has two network interfaces. Where Internet
connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
will be the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>) 
<p align="left">The firewall has two network interfaces. Where Internet connectivity
is through a cable or DSL "Modem", the <i>External Interface</i> will be
the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>) 
<u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol
over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint
<u>T</u>unneling <u>P</u>rotocol </i>(PPTP) in which case the External
@ -270,31 +271,32 @@ connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13">
    If your external interface is <b>ppp0</b> or<b> ippp0</b> 
then you will want to set CLAMPMSS=yes in <a
    If your external interface is <b>ppp0</b> or<b>
ippp0</b>  then you will want to set CLAMPMSS=yes in <a
href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf.</a></p>
<p align="left">Your <i>Internal Interface</i> will be an ethernet adapter
(eth1 or eth0) and will be connected to a hub or switch. Your other
computers will be connected to the same hub/switch (note: If you
have only a single internal system, you can connect the firewall directly
to the computer using a <i>cross-over </i> cable).</p>
(eth1 or eth0) and will be connected to a hub or switch. Your
other computers will be connected to the same hub/switch (note:
If you have only a single internal system, you can connect the firewall
directly to the computer using a <i>cross-over </i> cable).</p>
<p align="left"><u><b> <img border="0" src="images/j0213519.gif"
width="60" height="60">
</b></u>Do not connect the internal and external interface
to the same hub or switch (even for testing). It won't work the way
that you think that it will and you will end up confused and believing
that Shorewall doesn't work at all.</p>
to the same hub or switch (even for testing). It won't work the
way that you think that it will and you will end up confused and
believing that Shorewall doesn't work at all.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" align="left"
width="13" height="13">
    The Shorewall two-interface sample configuration assumes
that the external interface is <b>eth0</b> and the internal interface
is <b>eth1</b>. If your configuration is different, you will have
to modify the sample <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
file accordingly. While you are there, you may wish to review the
list of options that are specified for the interfaces. Some hints:</p>
    The Shorewall two-interface sample configuration
assumes that the external interface is <b>eth0</b> and the internal
interface is <b>eth1</b>. If your configuration is different, you
will have to modify the sample <a
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> file
accordingly. While you are there, you may wish to review the list
of options that are specified for the interfaces. Some hints:</p>
<ul>
<li>
@ -313,17 +315,18 @@ to modify the sample <a href="Documentation.htm#Interfaces">/etc/shorewall/
<h2 align="left">IP Addresses</h2>
<p align="left">Before going further, we should say a few words about Internet
Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you
a single <i> Public</i> IP address. This address may be assigned via
the<i> Dynamic Host Configuration Protocol</i> (DHCP) or as part of
establishing your connection when you dial in (standard modem) or establish
your PPP connection. In rare cases, your ISP may assign you a<i> static</i>
IP address; that means that you configure your firewall's external interface
to use that address permanently.<i> </i>However your external address
is assigned, it will be shared by all of your systems when you access
the Internet. You will have to assign your own addresses in your internal
network (the Internal Interface on your firewall plus your other computers).
RFC 1918 reserves several <i>Private </i>IP address ranges for this purpose:</p>
Protocol (IP) <i>addresses</i>. Normally, your ISP will assign
you a single <i> Public</i> IP address. This address may be assigned
via the<i> Dynamic Host Configuration Protocol</i> (DHCP) or as part
of establishing your connection when you dial in (standard modem) or
establish your PPP connection. In rare cases, your ISP may assign you
a<i> static</i> IP address; that means that you configure your firewall's
external interface to use that address permanently.<i> </i>However
your external address is assigned, it will be shared by all of your systems
when you access the Internet. You will have to assign your own addresses
in your internal network (the Internal Interface on your firewall plus
your other computers). RFC 1918 reserves several <i>Private </i>IP address
ranges for this purpose:</p>
<div align="left">
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
@ -332,19 +335,19 @@ the Internet. You will have to assign your own addresses in your internal
<div align="left">
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13">
    Before starting Shorewall, you should look at the
IP address of your external interface and if it is one of the above
ranges, you should remove the 'norfc1918' option from the external
interface's entry in /etc/shorewall/interfaces.</p>
    Before starting Shorewall, you should look at
the IP address of your external interface and if it is one of
the above ranges, you should remove the 'norfc1918' option from
the external interface's entry in /etc/shorewall/interfaces.</p>
</div>
<div align="left">
<p align="left">You will want to assign your addresses from the same <i>
sub-network </i>(<i>subnet)</i>.  For our purposes, we can consider a subnet
sub-network </i>(<i>subnet)</i>.  For our purposes, we can consider a subnet
to consists of a range of addresses x.y.z.0 - x.y.z.255. Such
a subnet will have a <i>Subnet Mask </i>of 255.255.255.0. The address
x.y.z.0 is reserved as the <i>Subnet Address</i> and x.y.z.255 is
reserved as the <i>Subnet Broadcast</i> <i>Address</i>. In Shorewall,
a subnet will have a <i>Subnet Mask </i>of 255.255.255.0. The
address x.y.z.0 is reserved as the <i>Subnet Address</i> and x.y.z.255
is reserved as the <i>Subnet Broadcast</i> <i>Address</i>. In Shorewall,
a subnet is described using <a
href="shorewall_setup_guide.htm#Subnets"><i>Classless InterDomain Routing
</i>(CIDR) notation</a> with consists of the subnet address followed
@ -399,17 +402,17 @@ a subnet will have a <i>Subnet Mask </i>of 255.255.255.0. The address
<div align="left">
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13">
    Your local computers (computer 1 and computer 2
in the above diagram) should be configured with their<i> default
gateway</i> to be the IP address of the firewall's internal interface.<i>     
    Your local computers (computer 1 and computer
2 in the above diagram) should be configured with their<i> default
gateway</i> to be the IP address of the firewall's internal interface.<i>     
</i> </p>
</div>
<p align="left">The foregoing short discussion barely scratches the surface
regarding subnetting and routing. If you are interested in learning
more about IP addressing and routing, I highly recommend <i>"IP Fundamentals:
What Everyone Needs to Know about Addressing &amp; Routing",</i>
Thomas A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
more about IP addressing and routing, I highly recommend <i>"IP
Fundamentals: What Everyone Needs to Know about Addressing &amp;
Routing",</i> Thomas A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
<p align="left">The remainder of this quide will assume that you have configured
your network as shown here:</p>
@ -424,51 +427,52 @@ gateway</i> to be the IP address of the firewall's internal interface.
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13" alt="">
    <font color="#ff0000"><b>WARNING: </b></font><b>Your ISP might
assign your external interface an RFC 1918 address. If that address is
in the 10.10.10.0/24 subnet then you will need to select a DIFFERENT RFC
1918 subnet for your local network.</b><br>
assign your external interface an RFC 1918 address. If that address is
in the 10.10.10.0/24 subnet then you will need to select a DIFFERENT RFC
1918 subnet for your local network.</b><br>
</p>
<h2 align="left">IP Masquerading (SNAT)</h2>
<p align="left">The addresses reserved by RFC 1918 are sometimes referred
to as <i>non-routable</i> because the Internet backbone routers don't
forward packets which have an RFC-1918 destination address. When
one of your local systems (let's assume computer 1) sends a connection
to as <i>non-routable</i> because the Internet backbone routers
don't forward packets which have an RFC-1918 destination address.
When one of your local systems (let's assume computer 1) sends a connection
request to an internet host, the firewall must perform <i>Network
Address Translation </i>(NAT). The firewall rewrites the source address
in the packet to be the address of the firewall's external interface;
in other words, the firewall makes it look as if the firewall itself
is initiating the connection.  This is necessary so that the destination
host will be able to route return packets back to the firewall (remember
that packets whose destination address is reserved by RFC 1918 can't
be routed across the internet so the remote host can't address its response
to computer 1). When the firewall receives a return packet, it rewrites
the destination address back to 10.10.10.1 and forwards the packet on
to computer 1. </p>
Address Translation </i>(NAT). The firewall rewrites the source
address in the packet to be the address of the firewall's external
interface; in other words, the firewall makes it look as if the firewall
itself is initiating the connection.  This is necessary so that the
destination host will be able to route return packets back to the
firewall (remember that packets whose destination address is reserved
by RFC 1918 can't be routed across the internet so the remote host
can't address its response to computer 1). When the firewall receives
a return packet, it rewrites the destination address back to 10.10.10.1
and forwards the packet on to computer 1. </p>
<p align="left">On Linux systems, the above process is often referred to as<i>
IP Masquerading</i> but you will also see the term <i>Source Network Address
Translation </i>(SNAT) used. Shorewall follows the convention used with
Netfilter:</p>
<p align="left">On Linux systems, the above process is often referred to
as<i> IP Masquerading</i> but you will also see the term <i>Source Network
Address Translation </i>(SNAT) used. Shorewall follows the convention used
with Netfilter:</p>
<ul>
<li>
<p align="left"><i>Masquerade</i> describes the case where you let your
firewall system automatically detect the external interface address.
</p>
firewall system automatically detect the external interface
address. </p>
</li>
<li>
<p align="left"><i>SNAT</i> refers to the case when you explicitly specify
the source address that you want outbound packets from your local
network to use. </p>
the source address that you want outbound packets from your
local network to use. </p>
</li>
</ul>
<p align="left">In Shorewall, both Masquerading and SNAT are configured with
entries in the /etc/shorewall/masq file. You will normally use Masquerading
if your external IP is dynamic and SNAT if the IP is static.</p>
entries in the /etc/shorewall/masq file. You will normally use
Masquerading if your external IP is dynamic and SNAT if the IP
is static.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13">
@ -480,11 +484,11 @@ is initiating the connection.
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13">
    If your external IP is static, you can enter it in
the third column in the /etc/shorewall/masq entry if you like although
your firewall will work fine if you leave that column empty. Entering
your static IP in column 3 makes processing outgoing packets a little
more efficient.<br>
    If your external IP is static, you can enter it
in the third column in the /etc/shorewall/masq entry if you like
although your firewall will work fine if you leave that column empty.
Entering your static IP in column 3 makes processing outgoing packets
a little more efficient.<br>
<br>
<img border="0" src="images/BD21298_.gif" width="13"
height="13" alt="">
@ -494,7 +498,7 @@ is initiating the connection.
</p>
<ul>
<li>NAT_ENABLED=Yes</li>
<li>NAT_ENABLED=Yes (Shorewall versions earlier than 1.4.6)</li>
<li>IP_FORWARDING=On<br>
</li>
@ -505,11 +509,11 @@ is initiating the connection.
<p align="left">One of your goals may be to run one or more servers on your
local computers. Because these computers have RFC-1918 addresses,
it is not possible for clients on the internet to connect directly
to them. It is rather necessary for those clients to address their connection
requests to the firewall who rewrites the destination address to the
address of your server and forwards the packet to that server. When
your server responds, the firewall automatically performs SNAT to rewrite
the source address in the response.</p>
to them. It is rather necessary for those clients to address their
connection requests to the firewall who rewrites the destination address
to the address of your server and forwards the packet to that server.
When your server responds, the firewall automatically performs SNAT
to rewrite the source address in the response.</p>
<p align="left">The above process is called<i> Port Forwarding</i> or <i>
Destination Network Address Translation</i> (DNAT). You configure
@ -580,13 +584,13 @@ to them. It is rather necessary for those clients to address their connect
<ul>
<li>You must test the above rule from a client outside
of your local network (i.e., don't test from a browser running on
computers 1 or 2 or on the firewall). If you want to be able to
access your web server using the IP address of your external interface,
of your local network (i.e., don't test from a browser running
on computers 1 or 2 or on the firewall). If you want to be able
to access your web server using the IP address of your external interface,
see <a href="FAQ.htm#faq2">Shorewall FAQ #2</a>.</li>
<li>Many ISPs block incoming connection requests to
port 80. If you have problems connecting to your web server, try
the following rule and try connecting to port 5000.</li>
port 80. If you have problems connecting to your web server,
try the following rule and try connecting to port 5000.</li>
</ul>
@ -619,29 +623,29 @@ the following rule and try connecting to port 5000.</li>
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13">
    At this point, modify /etc/shorewall/rules to add
any DNAT rules that you require.</p>
any DNAT rules that you require.</p>
<h2 align="left">Domain Name Server (DNS)</h2>
<p align="left">Normally, when you connect to your ISP, as part of getting
an IP address your firewall's <i>Domain Name Service </i>(DNS) resolver
will be automatically configured (e.g., the /etc/resolv.conf file
will be written). Alternatively, your ISP may have given you the IP
address of a pair of DNS <i> name servers</i> for you to manually configure
as your primary and secondary name servers. Regardless of how DNS
gets configured on your firewall, it is <u>your</u> responsibility to
configure the resolver in your internal systems. You can take one of
two approaches:</p>
an IP address your firewall's <i>Domain Name Service </i>(DNS)
resolver will be automatically configured (e.g., the /etc/resolv.conf
file will be written). Alternatively, your ISP may have given you
the IP address of a pair of DNS <i> name servers</i> for you to manually
configure as your primary and secondary name servers. Regardless of
how DNS gets configured on your firewall, it is <u>your</u> responsibility
to configure the resolver in your internal systems. You can take one
of two approaches:</p>
<ul>
<li>
<p align="left">You can configure your internal systems to use your ISP's
name servers. If you ISP gave you the addresses of their servers
or if those addresses are available on their web site, you can configure
your internal systems to use those addresses. If that information
isn't available, look in /etc/resolv.conf on your firewall system
-- the name servers are given in "nameserver" records in that file.
</p>
or if those addresses are available on their web site, you can
configure your internal systems to use those addresses. If that
information isn't available, look in /etc/resolv.conf on your firewall
system -- the name servers are given in "nameserver" records in that
file. </p>
</li>
<li>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
@ -654,8 +658,8 @@ internal systems to use the firewall itself as their primary (and only)
name server. You use the internal IP address of the firewall (10.10.10.254
in the example above) for the name server address. To allow your
local systems to talk to your caching name server, you must open port
53 (both UDP and TCP) from the local network to the firewall; you
do that by adding the following rules in /etc/shorewall/rules. </p>
53 (both UDP and TCP) from the local network to the firewall; you do
that by adding the following rules in /etc/shorewall/rules. </p>
</li>
</ul>
@ -744,8 +748,8 @@ do that by adding the following rules in /etc/shorewall/rules. </p>
<div align="left">
<p align="left">Those rules allow DNS access from your firewall and may be
removed if you uncommented the line in /etc/shorewall/policy allowing
all connections from the firewall to the internet.</p>
removed if you uncommented the line in /etc/shorewall/policy
allowing all connections from the firewall to the internet.</p>
</div>
<div align="left">
@ -821,8 +825,7 @@ do that by adding the following rules in /etc/shorewall/rules. </p>
</div>
<div align="left">
<p align="left">Example - You want to run a Web Server on your firewall
system:</p>
<p align="left">Example - You want to run a Web Server on your firewall system:</p>
</div>
<div align="left">
@ -865,8 +868,8 @@ system:</p>
<div align="left">
<p align="left">Those two rules would of course be in addition to the rules
listed above under "You can configure a Caching Name Server on
your firewall"</p>
listed above under "You can configure a Caching Name Server
on your firewall"</p>
</div>
<div align="left">
@ -877,7 +880,8 @@ system:</p>
<div align="left">
<p align="left"><b>Important: </b>I don't recommend enabling telnet to/from
the internet because it uses clear text (even for login!). If
you want shell access to your firewall from the internet, use SSH:</p>
you want shell access to your firewall from the internet, use
SSH:</p>
</div>
<div align="left">
@ -975,7 +979,7 @@ or delete other connections as required.</p>
configures your system to start Shorewall at system boot  but beginning
with Shorewall version 1.3.9 startup is disabled so that your system
won't try to start Shorewall before configuration is complete. Once
you have completed configuration of your firewall, you can enable Shorewall
you have completed configuration of your firewall, you can enable Shorewall
startup by removing the file /etc/shorewall/startup_disabled.<br>
</p>
@ -991,8 +995,8 @@ you have completed configuration of your firewall, you can enable Shorewall
routing is enabled on those hosts that have an entry in <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A
running firewall may be restarted using the "shorewall restart"
command. If you want to totally remove any trace of Shorewall from
your Netfilter configuration, use "shorewall clear".</p>
command. If you want to totally remove any trace of Shorewall
from your Netfilter configuration, use "shorewall clear".</p>
</div>
<div align="left">
@ -1000,27 +1004,28 @@ you have completed configuration of your firewall, you can enable Shorewall
height="13">
    The two-interface sample assumes that you want to
enable routing to/from <b>eth1 </b>(the local network) when Shorewall
is stopped. If your local network isn't connected to <b>eth1</b> or
if you wish to enable access to/from other hosts, change /etc/shorewall/routestopped
is stopped. If your local network isn't connected to <b>eth1</b> or
if you wish to enable access to/from other hosts, change /etc/shorewall/routestopped
accordingly.</p>
</div>
<div align="left">
<p align="left"><b>WARNING: </b>If you are connected to your firewall from
the internet, do not issue a "shorewall stop" command unless you
have added an entry for the IP address that you are connected from
to <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
the internet, do not issue a "shorewall stop" command unless
you have added an entry for the IP address that you are connected
from to <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better to
create an <i><a href="configuration_file_basics.htm#Configs">alternate
create an <i><a href="configuration_file_basics.htm#Configs">alternate
configuration</a></i> and test it using the <a
href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p>
</div>
<p align="left"><font size="2">Last updated 2/21/2003 - <a
<p align="left"><font size="2">Last updated 6/27/2003 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002, 2003
Thomas M. Eastep</font></a><br>
</p>
</p>
<br>
</body>
</html>

130
Shorewall-docs/upgrade_issues.htm
View File

@ -55,16 +55,20 @@ are currently running.<br>
<h3> </h3>
<h3>Version &gt;= 1.4.6</h3>
The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options have been removed from
shorewall.conf. These capabilities are now automatically detected by Shorewall.<br>
<h3>Version &gt;= 1.4.4</h3>
If you are upgrading from 1.4.3 and have set the LOGMARKER variable in
<a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>, then
you must set the new LOGFORMAT variable appropriately and remove your setting
<a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>, then you
must set the new LOGFORMAT variable appropriately and remove your setting
of LOGMARKER<br>
<br>
<h3>Version 1.4.4<br>
</h3>
If you have zone names that are 5 characters long, you may experience problems
starting Shorewall because the --log-prefix in a logging rule is too long.
</h3>
If you have zone names that are 5 characters long, you may experience problems
starting Shorewall because the --log-prefix in a logging rule is too long.
Upgrade to Version 1.4.4a to fix this problem..<br>
<h3>Version &gt;= 1.4.2</h3>
@ -85,14 +89,14 @@ Upgrade to Version 1.4.4a to fix this problem..<br>
<ul>
<li>Beginning with Version 1.4.1, traffic between groups in the
same zone is accepted by default. Previously, traffic from a zone to itself
was treated just like any other traffic; any matching rules were applied
followed by enforcement of the appropriate policy. With 1.4.1 and later
versions, unless you have explicit rules for traffic from Z to Z or you
have an explicit Z to Z policy (where "Z" is some zone) then traffic between
the groups in zone Z will be accepted. If you do have one or more explicit
rules for Z to Z or if you have an explicit Z to Z policy then the behavior
is as it was in prior versions.</li>
same zone is accepted by default. Previously, traffic from a zone to
itself was treated just like any other traffic; any matching rules were
applied followed by enforcement of the appropriate policy. With 1.4.1
and later versions, unless you have explicit rules for traffic from Z
to Z or you have an explicit Z to Z policy (where "Z" is some zone) then
traffic between the groups in zone Z will be accepted. If you do have one
or more explicit rules for Z to Z or if you have an explicit Z to Z policy
then the behavior is as it was in prior versions.</li>
</ul>
@ -101,8 +105,8 @@ same zone is accepted by default. Previously, traffic from a zone to itself
<li>If you have a Z Z ACCEPT policy for a zone to allow traffic
between two interfaces to the same zone, that policy can be removed and
traffic between the interfaces will traverse fewer rules than previously.</li>
<li>If you have a Z Z DROP or Z Z REJECT policy or you have Z-&gt;Z
rules then your configuration should not require any change.</li>
<li>If you have a Z Z DROP or Z Z REJECT policy or you have
Z-&gt;Z rules then your configuration should not require any change.</li>
<li>If you are currently relying on a implicit policy (one that
has "all" in either the SOURCE or DESTINATION column) to prevent traffic
between two interfaces to a zone Z and you have no rules for Z-&gt;Z then
@ -124,16 +128,16 @@ between them. </li>
<blockquote>
<pre>/etc/shorewall/zones<br><br>z1 Zone1 The first Zone<br>z2 Zone2 The secont Zone<br><br>/etc/shorewall/interfaces<br><br>z2 eth1 192.168.1.255<br><br>/etc/shorewall/hosts<br><br>z1 eth1:192.168.1.3<br></pre>
</blockquote>
Here, zone z1 is nested in zone z2 and the firewall is not going to
be involved in any traffic between these two zones. Beginning with Shorewall
1.4.1, you can prevent Shorewall from setting up any infrastructure to handle
traffic between z1 and z2 by using the new NONE policy:<br>
Here, zone z1 is nested in zone z2 and the firewall is not going
to be involved in any traffic between these two zones. Beginning with Shorewall
1.4.1, you can prevent Shorewall from setting up any infrastructure to
handle traffic between z1 and z2 by using the new NONE policy:<br>
<blockquote>
<pre>/etc/shorewall/policy<br><pre>z1 z2 NONE<br>z2 z1 NONE</pre></pre>
</blockquote>
Note that NONE policies are generally used in pairs unless there is
asymetric routing where only the traffic on one direction flows through
Note that NONE policies are generally used in pairs unless there
is asymetric routing where only the traffic on one direction flows through
the firewall and you are using a NONE polciy in the other direction. </blockquote>
<h3>Version 1.4.1<br>
@ -142,47 +146,47 @@ between them. </li>
<ul>
<li>In Version 1.4.1, Shorewall will never create rules to deal
with traffic from a given group back to itself. The <i>multi</i> interface
option is no longer available so if you want to route traffic between two
subnetworks on the same interface then I recommend that you upgrade to Version
1.4.2 and use the 'routeback' interface or host option. </li>
option is no longer available so if you want to route traffic between
two subnetworks on the same interface then I recommend that you upgrade
to Version 1.4.2 and use the 'routeback' interface or host option. </li>
</ul>
<h3>Version &gt;= 1.4.0</h3>
<b>IMPORTANT: Shorewall &gt;=1.4.0 </b><b>requires</b> <b>the
iproute package ('ip' utility).</b><br>
iproute package ('ip' utility).</b><br>
<br>
<b>Note: </b>Unfortunately, some distributions call this package
iproute2 which will cause the upgrade of Shorewall to fail with the diagnostic:<br>
iproute2 which will cause the upgrade of Shorewall to fail with the diagnostic:<br>
<br>
     error: failed dependencies:iproute is needed by shorewall-1.4.0-1
<br>
<br>
This may be worked around by using the --nodeps option of rpm (rpm
-Uvh --nodeps &lt;shorewall rpm&gt;).<br>
This may be worked around by using the --nodeps option of rpm
(rpm -Uvh --nodeps &lt;shorewall rpm&gt;).<br>
<br>
If you are upgrading from a version &lt; 1.4.0, then:<br>
<ul>
<li>The <b>noping </b>and <b>forwardping</b> interface options
are no longer supported nor is the <b>FORWARDPING </b>option in shorewall.conf.
ICMP echo-request (ping) packets are treated just like any other connection
request and are subject to rules and policies.</li>
<li>The <b>noping </b>and <b>forwardping</b> interface
options are no longer supported nor is the <b>FORWARDPING </b>option
in shorewall.conf. ICMP echo-request (ping) packets are treated just
like any other connection request and are subject to rules and policies.</li>
<li>Interface names of the form &lt;device&gt;:&lt;integer&gt;
in /etc/shorewall/interfaces now generate a Shorewall error at startup
(they always have produced warnings in iptables).</li>
<li>The MERGE_HOSTS variable has been removed from shorewall.conf.
Shorewall 1.4 behaves like 1.3 did when MERGE_HOSTS=Yes; that is zone
contents are determined by BOTH the interfaces and hosts files when there
are entries for the zone in both files.</li>
contents are determined by BOTH the interfaces and hosts files when
there are entries for the zone in both files.</li>
<li>The <b>routestopped</b> option in the interfaces and
hosts file has been eliminated; use entries in the routestopped file
instead.</li>
hosts file has been eliminated; use entries in the routestopped file
instead.</li>
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules
is no longer accepted; you must convert to using the new syntax.</li>
is no longer accepted; you must convert to using the new syntax.</li>
<li value="6">The ALLOWRELATED variable in shorewall.conf
is no longer supported. Shorewall 1.4 behavior is the same as 1.3
with ALLOWRELATED=Yes.</li>
is no longer supported. Shorewall 1.4 behavior is the same as 1.3 with
ALLOWRELATED=Yes.</li>
<li value="6">Late-arriving DNS replies are now dropped
by default; there is no need for your own /etc/shorewall/common file
simply to avoid logging these packets.</li>
@ -217,8 +221,8 @@ file.</li>
<blockquote>
<ul>
<li>There is an <u>explicit</u> policy for the source zone to
or from the destination zone. An explicit policy names both zones and
does not use the 'all' reserved word.</li>
or from the destination zone. An explicit policy names both zones and
does not use the 'all' reserved word.</li>
</ul>
@ -247,9 +251,9 @@ and would masquerade traffic from that subnet. Any other subnets that
routed through eth1 needed their own entry in /etc/shorewall/masq to
be masqueraded or to have SNAT applied.</li>
<li>Beginning with Shorewall 1.3.14, Shorewall uses the
firewall's routing table to determine ALL subnets routed through
the named interface. Traffic originating in ANY of those subnets
is masqueraded or has SNAT applied.</li>
firewall's routing table to determine ALL subnets routed through the
named interface. Traffic originating in ANY of those subnets is masqueraded
or has SNAT applied.</li>
</ul>
You will need to make a change to your configuration if:<br>
@ -263,7 +267,7 @@ is masqueraded or has SNAT applied.</li>
Two examples:<br>
<br>
 <b>Example 1</b> -- Suppose that your current config is
as follows:<br>
as follows:<br>
   <br>
<pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> eth0                    192.168.10.0/24         206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br> [root@gateway test]#</pre>
@ -272,7 +276,7 @@ as follows:<br>
required.<br>
</blockquote>
<b>Example 2</b>-- What if your current configuration is
like this?<br>
like this?<br>
<pre> [root@gateway test]# cat /etc/shorewall/masq <br> #INTERFACE              SUBNET                  ADDRESS <br> eth0                    eth2                    206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE <br> [root@gateway test]# ip route show dev eth2 <br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254 <br> [root@gateway test]#</pre>
@ -285,16 +289,16 @@ like this?<br>
height="13">
    Version 1.3.14 also introduced simplified ICMP echo-request
(ping) handling. The option OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf
is used to specify that the old (pre-1.3.14) ping handling is to
be used (If the option is not set in your /etc/shorewall/shorewall.conf
then OLD_PING_HANDLING=Yes is assumed). I don't plan on supporting
the old handling indefinitely so I urge current users to migrate to using
is used to specify that the old (pre-1.3.14) ping handling is to be
used (If the option is not set in your /etc/shorewall/shorewall.conf
then OLD_PING_HANDLING=Yes is assumed). I don't plan on supporting the
old handling indefinitely so I urge current users to migrate to using
the new handling as soon as possible. See the <a href="ping.html">'Ping'
handling documentation</a> for details.<br>
<h3>Version 1.3.10</h3>
If you have installed the 1.3.10 Beta 1 RPM and are now
upgrading to version 1.3.10, you will need to use the '--force' option:<br>
upgrading to version 1.3.10, you will need to use the '--force' option:<br>
<br>
<blockquote>
@ -343,8 +347,8 @@ floppy with the later one. If you did
instructions below.</li>
<li>Edit the /var/lib/lrpkg/root.exclude.list
file and remove the /var/lib/shorewall
entry if present. Then do not
forget to backup root.lrp !</li>
entry if present. Then do not forget
to backup root.lrp !</li>
</ol>
@ -362,19 +366,20 @@ forget to backup root.lrp !</li>
<p align="left">If you have a pair of firewall systems configured for
failover or if you have asymmetric routing, you will need to modify
your firewall setup slightly under Shorewall versions 1.3.6
and 1.3.7</p>
your firewall setup slightly under Shorewall versions
1.3.6 and 1.3.7</p>
<ol>
<li>
<p align="left">Create the file /etc/shorewall/newnotsyn and in it add
the following rule<br>
<br>
<font face="Courier">run_iptables -A newnotsyn
-j RETURN # So that the connection tracking table can
be rebuilt<br>
                                    # from
non-SYN packets after takeover.<br>
                                    #
from non-SYN packets after takeover.<br>
 </font> </p>
</li>
<li>
@ -428,14 +433,15 @@ Acks to rebuild connection<br>
<p align="left">The functions and versions files together with the 'firewall'
symbolic link have moved from /etc/shorewall to /var/lib/shorewall.
If you have applications that access these files, those applications
should be modified accordingly.</p>
If you have applications that access these files, those
applications should be modified accordingly.</p>
<p><font size="2"> Last updated 5/27/2003 - <a href="support.htm">Tom Eastep</a></font>
</p>
<p><font size="2"> Last updated 6/29/2003 - <a href="support.htm">Tom
Eastep</a></font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p>
</p>
<br>
</body>
</html>