Updates from Shorewall2 docs

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1127 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2004-02-08 18:31:31 +00:00
parent 7f46981a4c
commit 624ee225ef
13 changed files with 25327 additions and 459 deletions

View File

@ -15,7 +15,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2004-02-04</pubdate> <pubdate>2004-02-07</pubdate>
<copyright> <copyright>
<year>2003</year> <year>2003</year>
@ -291,4 +291,40 @@ loc1 eth1:192.168.1.8/29</programlisting></para>
loc loc1 NONE loc loc1 NONE
loc1 loc NONE</programlisting> loc1 loc NONE</programlisting>
</section> </section>
<section id="OneArmed">
<title>One-armed Router</title>
<para>Nested zones may also be used to configure a <quote>one-armed</quote>
router (I don&#39;t call it a <quote>firewall</quote> because it is very
insecure. For example, if you connect to the internet via cable modem,
your next door neighbor has full access to your local systems as does
everyone else connected to the same cable modem head-end controller). Here
eth0 is configured with both a public IP address and an RFC 1918 address
(More on that topic may be found <ulink
url="Shorewall_and_Aliased_Interfaces.html">here</ulink>). Hosts in the
<quote>loc</quote> zone are configured with their default gateway set to
the Shorewall router&#39;s RFC1918 address.<graphic
fileref="images/MultiZone3.png" /></para>
<para><filename>/etc/shorewall/zones</filename></para>
<programlisting>#ZONE DISPLAY COMMENTS
loc Local Local Zone
net Internet The big bad Internet</programlisting>
<note>
<para>the sub-zone (loc) is defined first!</para>
</note>
<para><filename>/etc/shorewall/interfaces</filename></para>
<programlisting>#ZONE INTERFACE BROADCAST
net eth0 detect</programlisting>
<para><filename>/etc/shorewall/hosts</filename></para>
<programlisting>#ZONE HOSTS
loc eth0:192.168.1.0/24</programlisting>
</section>
</article> </article>
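Review bot: The new /etc/shorewall/interfaces entry `net eth0 detect` carries no OPTIONS, yet in this one-armed layout every loc-to-net packet enters and leaves through eth0; the local-network Squid section updated in this same commit adds `routeback` to its `loc eth1 detect` entry for exactly that same-interface forwarding case, so consider `net eth0 detect routeback` here too, or say explicitly why it is not needed. Minor: the `<graphic>` element is glued to the end of the preceding sentence inside the `<para>`; giving it its own `<para>` reads better in the source.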

View File

@ -15,7 +15,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2004-01-20</pubdate> <pubdate>2004-02-04</pubdate>
<copyright> <copyright>
<year>2003-2004</year> <year>2003-2004</year>
@ -50,8 +50,8 @@
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>In all cases, Squid should be configured to run as a <para>In all cases, Squid should be configured to run as a transrent
transparent proxy as described at proxy as described at
http://tldp.org/HOWTO/mini/TransparentProxy.html.</para> http://tldp.org/HOWTO/mini/TransparentProxy.html.</para>
</listitem> </listitem>
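Review bot: The rewrapped sentence introduces a typo on the new side: `run as a transrent` should read `run as a transparent` (the old side had it right).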
@ -90,11 +90,11 @@ MANGLE_ENABLED=Yes</programlisting>
<para>Three different configurations are covered:</para> <para>Three different configurations are covered:</para>
<simplelist> <simplelist>
<member><xref linkend="Firewall" /></member> <member>Squid (transparent) Running on the Firewall</member>
<member><xref linkend="Local" /></member> <member>Squid (transparent) Running in the local Network</member>
<member><xref linkend="DMZ" /></member> <member>Squid (transparent) Running in a DMZ</member>
</simplelist> </simplelist>
<section id="Firewall"> <section id="Firewall">
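Review bot: Replacing the three `<xref linkend="..."/>` members with plain text drops the hyperlinks to the Firewall, Local and DMZ sections, whose ids still exist (see `<section id="Firewall">` in the context line). If the xrefs were replaced because they rendered without titles, `<link linkend="Firewall">Squid (transparent) Running on the Firewall</link>` keeps both the wording and the navigation.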
@ -105,65 +105,12 @@ MANGLE_ENABLED=Yes</programlisting>
proxy running on the firewall and listening on port 3128. Squid will of proxy running on the firewall and listening on port 3128. Squid will of
course require access to remote web servers.</para> course require access to remote web servers.</para>
<para>In /etc/shorewall/rules:</para> <para>In <filename>/etc/shorewall/rules</filename>:</para>
<table> <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
<title>/etc/shorewall/rules</title> # PORT(S) DEST
REDIRECT loc 3228 tcp www - !206.124.146.177
<tgroup cols="7"> ACCEPT fw net tcp www</programlisting>
<thead>
<row>
<entry align="center">ACTION</entry>
<entry align="center">SOURCE</entry>
<entry align="center">DEST</entry>
<entry align="center">PROTO</entry>
<entry align="center">DEST PORT(S)</entry>
<entry align="center">SOURCE PORT(S)</entry>
<entry align="center">ORIGINAL DEST</entry>
</row>
</thead>
<tbody>
<row>
<entry>REDIRECT</entry>
<entry>loc</entry>
<entry>3128</entry>
<entry>tcp</entry>
<entry>www</entry>
<entry>-</entry>
<entry>!206.124.146.177</entry>
</row>
<row>
<entry>ACCEPT</entry>
<entry>fw</entry>
<entry>net</entry>
<entry>tcp</entry>
<entry>www</entry>
<entry></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<para>There may be a requirement to exclude additional destination hosts <para>There may be a requirement to exclude additional destination hosts
or networks from being redirected. For example, you might also want or networks from being redirected. For example, you might also want
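Review bot: The REDIRECT rule in the new programlisting sends traffic to port `3228`, but the table it replaces had `3128` and the surrounding prose (`listening on port 3128`) still says 3128; this looks like a transcription error that would redirect browsers to a port nothing is listening on. Change `REDIRECT loc 3228 tcp www - !206.124.146.177` to `REDIRECT loc 3128 tcp www - !206.124.146.177`.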
@ -171,54 +118,16 @@ MANGLE_ENABLED=Yes</programlisting>
<para>If you are running Shorewall version 1.4.5 or later, you may just <para>If you are running Shorewall version 1.4.5 or later, you may just
add the additional hosts/networks to the ORIGINAL DEST column in your add the additional hosts/networks to the ORIGINAL DEST column in your
REDIRECT rule:</para> REDIRECT rule.</para>
<table> <para><filename>/etc/shorewall/rules</filename>:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
<title>/etc/shorewall/rules</title> # PORT(S) DEST
REDIRECT loc 3228 tcp www - !206.124.146.177,130.252.100.0/24</programlisting></para>
<tgroup cols="7">
<thead>
<row>
<entry align="center">ACTION</entry>
<entry align="center">SOURCE</entry>
<entry align="center">DEST</entry>
<entry align="center">PROTO</entry>
<entry align="center">DEST PORT(S)</entry>
<entry align="center">SOURCE PORT(S)</entry>
<entry align="center">ORIGINAL DEST</entry>
</row>
</thead>
<tbody>
<row>
<entry>REDIRECT</entry>
<entry>loc</entry>
<entry>3128</entry>
<entry>tcp</entry>
<entry>www</entry>
<entry>-</entry>
<entry>!206.124.146.177,130.252.100.0/24</entry>
</row>
</tbody>
</tgroup>
</table>
<para>If you are running a Shorewall version earlier than 1.4.5, you <para>If you are running a Shorewall version earlier than 1.4.5, you
must add a manual rule in /etc/shorewall/start:</para> must add a manual rule in /etc/shorewall/start:</para>
<programlisting>run_iptables -t nat -I loc_dnat -p tcp --dport www -d 130.252.100.0/24 -j RETURN</programlisting> <programlisting><command>run_iptables -t nat -I loc_dnat -p tcp --dport www -d 130.252.100.0/24 -j RETURN</command></programlisting>
<para>To exclude additional hosts or networks, just add additional <para>To exclude additional hosts or networks, just add additional
similar rules.</para> similar rules.</para>
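Review bot: Same port transcription error as in the previous hunk: the listing reads `REDIRECT loc 3228 tcp www - !206.124.146.177,130.252.100.0/24` while the removed table row had DEST `3128`. Fix to 3128 so the 1.4.5-or-later example points at the Squid port the section describes.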
@ -237,18 +146,18 @@ MANGLE_ENABLED=Yes</programlisting>
<listitem> <listitem>
<para>* On your firewall system, issue the following command</para> <para>* On your firewall system, issue the following command</para>
<programlisting>echo 202 www.out &#62;&#62; /etc/iproute2/rt_tables</programlisting> <programlisting><command>echo 202 www.out &#62;&#62; /etc/iproute2/rt_tables</command></programlisting>
</listitem> </listitem>
<listitem> <listitem>
<para>In /etc/shorewall/init, put:</para> <para>In /etc/shorewall/init, put:</para>
<programlisting>if [ -z &#34;`ip rule list | grep www.out`&#34; ] ; then <programlisting><command>if [ -z &#34;`ip rule list | grep www.out`&#34; ] ; then
ip rule add fwmark 202 table www.out ip rule add fwmark 202 table www.out
ip route add default via 192.168.1.3 dev eth1 table www.out ip route add default via 192.168.1.3 dev eth1 table www.out
ip route flush cache ip route flush cache
echo 0 &#62; /proc/sys/net/ipv4/conf/eth1/send_redirects echo 0 &#62; /proc/sys/net/ipv4/conf/eth1/send_redirects
fi</programlisting> fi</command></programlisting>
</listitem> </listitem>
<listitem> <listitem>
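Review bot: Wrapping the entire multi-line `if ... fi` block in a single `<command>` element is a semantic stretch; `<command>` denotes a command name, not a shell script. Leaving the script as a bare `<programlisting>` (as before) or using `<userinput>` would be more accurate, and the same applies to the `echo 202 www.out >> /etc/iproute2/rt_tables` listing, where `<command>` now wraps the redirection as well.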
@ -258,144 +167,49 @@ fi</programlisting>
</important> </important>
<para>If you are running Shorewall 1.4.2 or later, then in <para>If you are running Shorewall 1.4.2 or later, then in
/etc/shorewall/interfaces:</para> <filename>/etc/shorewall/interfaces</filename>:</para>
<table> <programlisting>#ZONE INTERFACE BROADCAST OPTIONS
<title>/etc/shorewall/interfaces</title> loc eth1 detect <emphasis role="bold">routeback</emphasis> </programlisting>
<tgroup cols="4">
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">INTERFACE</entry>
<entry align="center">BROADCAST</entry>
<entry align="center">OPTIONS</entry>
</row>
</thead>
<tbody>
<row>
<entry>loc</entry>
<entry>eth1</entry>
<entry>detect</entry>
<entry><emphasis role="bold">routeback</emphasis></entry>
</row>
</tbody>
</tgroup>
</table>
</listitem> </listitem>
<listitem> <listitem>
<para>In /etc/shorewall/rules:</para> <para>In /etc/shorewall/rules:</para>
<table> <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
<title>/etc/shorewall/rules</title> ACCEPT loc loc tcp www</programlisting>
<tgroup cols="7">
<thead>
<row>
<entry align="center">ACTION</entry>
<entry align="center">SOURCE</entry>
<entry align="center">DEST</entry>
<entry align="center">PROTO</entry>
<entry align="center">DEST PORT(S)</entry>
<entry align="center">SOURCE PORT(S)</entry>
<entry align="center">ORIGINAL DEST</entry>
</row>
</thead>
<tbody>
<row>
<entry>ACCEPT</entry>
<entry>loc</entry>
<entry>loc</entry>
<entry>tcp</entry>
<entry>www</entry>
<entry></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<orderedlist numeration="loweralpha"> <orderedlist numeration="loweralpha">
<listitem> <listitem>
<para>Alternativfely, if you are running Shorewall 1.4.0 you can <para>Alternativfely, if you are running Shorewall 1.4.0 you can
have the following policy in place of the above rule:</para> have the following policy in place of the above rule.</para>
<table> <para><filename>/etc/shorewall/policy</filename></para>
<title>/etc/shorewall/policy</title>
<tgroup cols="5"> <programlisting>#SOURCE DESTINATION POLICY
<thead> loc loc ACCEPT</programlisting>
<row>
<entry align="center">SOURCE</entry>
<entry align="center">DESTINATION</entry>
<entry align="center">POLICY</entry>
<entry align="center">LOG LEVEL</entry>
<entry align="center">BURST PARAMETERS</entry>
</row>
</thead>
<tbody>
<row>
<entry>loc</entry>
<entry>loc</entry>
<entry>ACCEPT</entry>
<entry></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
</listitem> </listitem>
</orderedlist> </orderedlist>
</listitem> </listitem>
<listitem> <listitem>
<para>In /etc/shorewall/start add:</para> <para>In <filename>/etc/shorewall/start</filename> add:</para>
<programlisting>iptables -t mangle -A PREROUTING -i eth1 -s ! 192.168.1.3 -p tcp --dport 80 -j MARK --set-mark 202</programlisting> <programlisting><command>iptables -t mangle -A PREROUTING -i eth1 -s ! 192.168.1.3 -p tcp --dport 80 -j MARK --set-mark 202</command></programlisting>
</listitem> </listitem>
<listitem> <listitem>
<para>On 192.168.1.3, arrange for the following command to be <para>On 192.168.1.3, arrange for the following command to be
executed after networking has come up</para> executed after networking has come up</para>
<programlisting>iptables -t nat -A PREROUTING -i eth0 -d ! 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 3128</programlisting> <programlisting><command>iptables -t nat -A PREROUTING -i eth0 -d ! 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 3128</command></programlisting>
<para>If you are running RedHat on the server, you can simply <para>If you are running RedHat on the server, you can simply
execute the following commands after you have typed the iptables execute the following commands after you have typed the iptables
command above:</para> command above:</para>
<programlisting>iptables-save &#62; /etc/sysconfig/iptables <programlisting><command>iptables-save &#62; /etc/sysconfig/iptables
chkconfig --level 35 iptables on</programlisting> chkconfig --level 35 iptables on</command></programlisting>
</listitem> </listitem>
</orderedlist> </orderedlist>
</section> </section>
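Review bot: The unchanged context line `Alternativfely, if you are running Shorewall 1.4.0 you can` carries a pre-existing typo (`Alternatively`); since the surrounding lines are being reworked anyway, fix it here. Also note the stray trailing space before `</programlisting>` in `loc eth1 detect <emphasis role="bold">routeback</emphasis> </programlisting>`, which will render as a dangling blank at the end of the listing.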
@ -411,17 +225,17 @@ chkconfig --level 35 iptables on</programlisting>
<listitem> <listitem>
<para>On your firewall system, issue the following command</para> <para>On your firewall system, issue the following command</para>
<programlisting>echo 202 www.out &#62;&#62; /etc/iproute2/rt_tables</programlisting> <programlisting><command>echo 202 www.out &#62;&#62; /etc/iproute2/rt_tables</command></programlisting>
</listitem> </listitem>
<listitem> <listitem>
<para>In /etc/shorewall/init, put:</para> <para>In /etc/shorewall/init, put:</para>
<programlisting>if [ -z &#34;`ip rule list | grep www.out`&#34; ] ; then <programlisting><command>if [ -z &#34;`ip rule list | grep www.out`&#34; ] ; then
ip rule add fwmark 202 table www.out ip rule add fwmark 202 table www.out
ip route add default via 192.0.2.177 dev eth1 table www.out ip route add default via 192.0.2.177 dev eth1 table www.out
ip route flush cache ip route flush cache
fi</programlisting> fi</command></programlisting>
</listitem> </listitem>
<listitem> <listitem>
@ -429,174 +243,49 @@ fi</programlisting>
<orderedlist numeration="loweralpha"> <orderedlist numeration="loweralpha">
<listitem> <listitem>
<para>In /etc/shorewall/start add</para> <para>In <filename>/etc/shorewall/start</filename> add</para>
<programlisting>iptables -t mangle -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK --set-mark 202</programlisting> <programlisting><command>iptables -t mangle -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK --set-mark 202</command></programlisting>
</listitem> </listitem>
<listitem> <listitem>
<para>Set MARK_IN_FORWARD_CHAIN=No in <para>Set MARK_IN_FORWARD_CHAIN=No in <filename>/etc/shorewall/shorewall.conf</filename>
/etc/shorewall/shorewall.conf and add the following entry in and add the following entry in <filename>/etc/shorewall/tcrules</filename>:</para>
/etc/shorewall/tcrules:</para>
<table> <programlisting>#MARK SOURCE DESTINATION PROTOCOL PORT
<title>/etc/shorewall/tcrules</title> 202 eth2 0.0.0.0 tcp 80</programlisting>
<tgroup cols="6">
<thead>
<row>
<entry align="center">MARK</entry>
<entry align="center">SOURCE</entry>
<entry align="center">DESTINATION</entry>
<entry align="center">PROTOCOL</entry>
<entry align="center">PORT</entry>
<entry align="center">CLIENT PORT</entry>
</row>
</thead>
<tbody>
<row>
<entry>202</entry>
<entry>eth2</entry>
<entry>0.0.0.0/0</entry>
<entry>tcp</entry>
<entry>80</entry>
<entry>-</entry>
</row>
</tbody>
</tgroup>
</table>
</listitem> </listitem>
<listitem> <listitem>
<para>Run Shorewall 1.3.14 or later and add the following entry <para>Run Shorewall 1.3.14 or later and add the following entry
in /etc/shorewall/tcrules:</para> in <filename>/etc/shorewall/tcrules</filename>:</para>
<table> <programlisting>#MARK SOURCE DESTINATION PROTOCOL PORT
<title>/etc/shorewall/tcrules</title> 202:P eth2 0.0.0.0 tcp 80</programlisting>
<tgroup cols="6">
<thead>
<row>
<entry align="center">MARK</entry>
<entry align="center">SOURCE</entry>
<entry align="center">DESTINATION</entry>
<entry align="center">PROTOCOL</entry>
<entry align="center">PORT</entry>
<entry align="center">CLIENT PORT</entry>
</row>
</thead>
<tbody>
<row>
<entry>202:P</entry>
<entry>eth2</entry>
<entry>0.0.0.0/0</entry>
<entry>tcp</entry>
<entry>80</entry>
<entry>-</entry>
</row>
</tbody>
</tgroup>
</table>
</listitem> </listitem>
</orderedlist> </orderedlist>
</listitem> </listitem>
<listitem> <listitem>
<para>In /etc/shorewall/rules, you will need:</para> <para>In <filename>/etc/shorewall/rules</filename>, you will need:</para>
<table> <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
<title>/etc/shorewall/rules</title> ACCEPT loc dmz tcp 80
ACCEPT dmz net tcp 80</programlisting>
<tgroup cols="7">
<thead>
<row>
<entry align="center">ACTION</entry>
<entry align="center">SOURCE</entry>
<entry align="center">DEST</entry>
<entry align="center">PROTO</entry>
<entry align="center">DEST PORT(S)</entry>
<entry align="center">CLIENT PORT(2)</entry>
<entry align="center">ORIGINAL DEST</entry>
</row>
</thead>
<tbody>
<row>
<entry>ACCEPT</entry>
<entry>loc</entry>
<entry>dmz</entry>
<entry>tcp</entry>
<entry>80</entry>
<entry></entry>
<entry></entry>
</row>
<row>
<entry>ACCEPT</entry>
<entry>dmz</entry>
<entry>net</entry>
<entry>tcp</entry>
<entry>80</entry>
<entry></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
</listitem> </listitem>
<listitem> <listitem>
<para>On 192.0.2.177 (your Web/Squid server), arrange for the <para>On 192.0.2.177 (your Web/Squid server), arrange for the
following command to be executed after networking has come up</para> following command to be executed after networking has come up</para>
<programlisting>iptables -t nat -A PREROUTING -i eth0 -d ! 192.0.2.177 -p tcp --dport 80 -j REDIRECT --to-ports 3128</programlisting> <programlisting><command>iptables -t nat -A PREROUTING -i eth0 -d ! 192.0.2.177 -p tcp --dport 80 -j REDIRECT --to-ports 3128</command></programlisting>
<para>If you are running RedHat on the server, you can simply <para>If you are running RedHat on the server, you can simply
execute the following commands after you have typed the iptables execute the following commands after you have typed the iptables
command above:</para> command above:</para>
<programlisting>iptables-save &#62; /etc/sysconfig/iptables <programlisting><command>iptables-save &#62; /etc/sysconfig/iptables
chkconfig --level 35 iptables on</programlisting> chkconfig --level 35 iptables on</command></programlisting>
</listitem> </listitem>
</orderedlist> </orderedlist>
</section> </section>
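Review bot: Both tcrules entries change DESTINATION from `0.0.0.0/0` (in the removed table rows) to `0.0.0.0` in the new listings: `202 eth2 0.0.0.0 tcp 80` and `202:P eth2 0.0.0.0 tcp 80`. A bare `0.0.0.0` is a single host address, not the any-destination wildcard, so the mark would not be applied to ordinary web traffic and the Squid server in the DMZ would never see it. Restore `0.0.0.0/0` as in the original table.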
@ -608,75 +297,21 @@ chkconfig --level 35 iptables on</programlisting>
<para>Assume that Squid is running in zone SZ and listening on port SP; <para>Assume that Squid is running in zone SZ and listening on port SP;
all web sites that are to be accessed through Squid are in the all web sites that are to be accessed through Squid are in the
<quote>net</quote> zone. Then for each zone Z that needs access to the <quote>net</quote> zone. Then for each zone Z that needs access to the
Squid server:</para> Squid server.</para>
<table> <para><filename>/etc/shorewall/rules</filename>:</para>
<title>/etc/shorewall/rules</title>
<tgroup cols="7"> <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
<thead> ACCEPT Z SZ tcp SP
<row> ACCEPT SZ net tcp 80</programlisting>
<entry align="center">ACTION</entry>
<entry align="center">SOURCE</entry>
<entry align="center">DEST</entry>
<entry align="center">PROTO</entry>
<entry align="center">DEST PORT(S)</entry>
<entry align="center">CLIENT PORT(2)</entry>
<entry align="center">ORIGINAL DEST</entry>
</row>
</thead>
<tbody>
<row>
<entry>ACCEPT</entry>
<entry>Z</entry>
<entry>SZ</entry>
<entry>tcp</entry>
<entry>SP</entry>
<entry></entry>
<entry></entry>
</row>
<row>
<entry>ACCEPT</entry>
<entry>SZ</entry>
<entry>net</entry>
<entry>tcp</entry>
<entry>80</entry>
<entry></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<example> <example>
<title>Squid on the firewall listening on port 8080 with access from the <title>Squid on the firewall listening on port 8080 with access from the
<quote>loc</quote> zone:</title> <quote>loc</quote> zone:</title>
<para><table><title>/etc/shorewall/rules</title><tgroup cols="7"><thead><row><entry <para><filename>/etc/shorewall/rules:</filename><programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
align="center">ACTION</entry><entry align="center">SOURCE</entry><entry ACCEPT loc fw tcp 8080
align="center">DEST</entry><entry align="center">PROTO</entry><entry ACCEPT fw net tcp 80</programlisting></para>
align="center">DEST PORT(S)</entry><entry align="center">CLIENT PORT(2)</entry><entry
align="center">ORIGINAL DEST</entry></row></thead><tbody><row><entry>ACCEPT</entry><entry>loc</entry><entry>$FW</entry><entry>tcp</entry><entry>8080</entry><entry></entry><entry></entry></row><row><entry>ACCEPT</entry><entry>$FW</entry><entry>net</entry><entry>tcp</entry><entry>80</entry><entry></entry><entry></entry></row></tbody></tgroup></table></para>
</example> </example>
</section> </section>
</article> </article>
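Review bot: The example listing replaces `$FW` from the removed table with the literal zone name `fw` (`ACCEPT loc fw tcp 8080`, `ACCEPT fw net tcp 80`). That only works while the firewall zone keeps its default name; `$FW` was portable across a renamed firewall zone. Either keep `$FW` here or note that the choice now matches the other listings in this file, which also use `fw`. Minor: the colon in `<filename>/etc/shorewall/rules:</filename>` belongs outside the element.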

View File

@ -15,7 +15,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2004-01-19</pubdate> <pubdate>2004-02-04</pubdate>
<copyright> <copyright>
<year>2003-2004</year> <year>2003-2004</year>
@ -45,7 +45,8 @@
your /etc/shorewall/rules file (before any ACCEPT rules whose source is the your /etc/shorewall/rules file (before any ACCEPT rules whose source is the
<quote>loc</quote> zone).</para> <quote>loc</quote> zone).</para>
<programlisting> QUEUE loc net tcp <programlisting> #ACTION SOURCE DEST PROTO
QUEUE loc net tcp
QUEUE loc net udp QUEUE loc net udp
QUEUE loc fw udp</programlisting> QUEUE loc fw udp</programlisting>
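Review bot: The added header line `#ACTION SOURCE DEST PROTO` is indented by a leading space inside the `<programlisting>`, matching the existing ` QUEUE loc net tcp` line; since DocBook preserves whitespace in listings, every line of this block renders indented by one column while the other listings in this commit start at column zero. Strip the leading space from all four lines.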
@ -53,7 +54,8 @@
and restart Shorewall.</para> and restart Shorewall.</para>
<tip> <tip>
<para>There is an ftwall init script for use with <trademark>SuSE</trademark> <para>There are ftwall init scripts for use with <trademark>SuSE</trademark>
Linux at <ulink url="http://shorewall.net/pub/shorewall/contrib/ftwall">http://shorewall.net/pub/shorewall/contrib/ftwall</ulink>.</para> and <trademark>Debian</trademark> Linux at <ulink
url="http://shorewall.net/pub/shorewall/contrib/ftwall">http://shorewall.net/pub/shorewall/contrib/ftwall</ulink>.</para>
</tip> </tip>
</article> </article>

View File

@ -13,7 +13,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2004-01-19</pubdate> <pubdate>2004-02-04</pubdate>
<copyright> <copyright>
<year>2001-2004</year> <year>2001-2004</year>
@ -73,6 +73,22 @@
<section> <section>
<title>Problems in Version 1.4</title> <title>Problems in Version 1.4</title>
<section>
<title>Shorewall 1.4.10</title>
<itemizedlist>
<listitem>
<para>Unexplained errors may occur during &#34;shorewall
[re]start&#34; when the /etc/shorewall/masq file is being processed.</para>
</listitem>
</itemizedlist>
<para>This problem has been corrected in <ulink
url="http://shorewall.net/pub/shorewall/errata/1.4.10/firewall">this
firewall script</ulink> which may be installed in
/usr/share/shorewall/firewall as described above.</para>
</section>
<section> <section>
<title>Shorewall 1.4.9</title> <title>Shorewall 1.4.9</title>
@ -94,10 +110,15 @@
or ADD_SNAT_ALIASES=Yes are specified in or ADD_SNAT_ALIASES=Yes are specified in
/etc/shorewall/shorewall.conf.</para> /etc/shorewall/shorewall.conf.</para>
</listitem> </listitem>
<listitem>
<para>Unexplained errors may occur during &#34;shorewall
[re]start&#34; when the /etc/shorewall/masq file is being processed.</para>
</listitem>
</itemizedlist> </itemizedlist>
<para>This problem has been corrected in <ulink <para>These problems have been corrected in <ulink
url="http://shorewall.net/pub/shorewall/errata/1.4.8/firewall">this url="http://shorewall.net/pub/shorewall/errata/1.4.9/firewall">this
firewall script</ulink> which may be installed in firewall script</ulink> which may be installed in
/usr/share/shorewall/firewall as described above.</para> /usr/share/shorewall/firewall as described above.</para>
</section> </section>
@ -112,9 +133,14 @@
column), the SNAT specification is effectively ignored in some column), the SNAT specification is effectively ignored in some
cases.</para> cases.</para>
</listitem> </listitem>
<listitem>
<para>Unexplained errors may occur during &#34;shorewall
[re]start&#34; when the /etc/shorewall/masq file is being processed.</para>
</listitem>
</itemizedlist> </itemizedlist>
<para>This problem has been corrected in <ulink <para>These problems have been corrected in <ulink
url="http://shorewall.net/pub/shorewall/errata/1.4.8/firewall">this url="http://shorewall.net/pub/shorewall/errata/1.4.8/firewall">this
firewall script</ulink> which may be installed in firewall script</ulink> which may be installed in
/usr/share/shorewall/firewall as described above.</para> /usr/share/shorewall/firewall as described above.</para>
@ -155,6 +181,11 @@
column), the SNAT specification is effectively ignored in some column), the SNAT specification is effectively ignored in some
cases.</para> cases.</para>
</listitem> </listitem>
<listitem>
<para>Unexplained errors may occur during &#34;shorewall
[re]start&#34; when the /etc/shorewall/masq file is being processed.</para>
</listitem>
</itemizedlist> </itemizedlist>
<para>These problems have been corrected in <ulink <para>These problems have been corrected in <ulink
@ -467,7 +498,8 @@ Aborted (core dumped)</programlisting>
<appendix> <appendix>
<title>Revision History4</title> <title>Revision History4</title>
<para><revhistory><revision><revnumber>1.4</revnumber><date>2004-01-19</date><authorinitials>TE</authorinitials><revremark>IPV6 <para><revhistory><revision><revnumber>1.5</revnumber><date>2004-02-05</date><authorinitials>TE</authorinitials><revremark>Startup
Problem</revremark></revision><revision><revnumber>1.4</revnumber><date>2004-01-19</date><authorinitials>TE</authorinitials><revremark>IPV6
address problems. Make RFC1918 file section more prominent.</revremark></revision><revision><revnumber>1.3</revnumber><date>2004-01-14</date><authorinitials>TE</authorinitials><revremark>Confusing address problems. Make RFC1918 file section more prominent.</revremark></revision><revision><revnumber>1.3</revnumber><date>2004-01-14</date><authorinitials>TE</authorinitials><revremark>Confusing
template file in 1.4.9</revremark></revision><revision><revnumber>1.3</revnumber><date>2004-01-03</date><authorinitials>TE</authorinitials><revremark>Added template file in 1.4.9</revremark></revision><revision><revnumber>1.3</revnumber><date>2004-01-03</date><authorinitials>TE</authorinitials><revremark>Added
note about REJECT RedHat Kernal problem being corrected.</revremark></revision><revision><revnumber>1.2</revnumber><date>2003-12-29</date><authorinitials>TE</authorinitials><revremark>Updated note about REJECT RedHat Kernal problem being corrected.</revremark></revision><revision><revnumber>1.2</revnumber><date>2003-12-29</date><authorinitials>TE</authorinitials><revremark>Updated
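Review bot: Two pre-existing typos sit on context lines of this hunk and are worth fixing while the revision history is being edited: the appendix title `Revision History4` has a stray `4`, and the 1.3 revision remark reads `RedHat Kernal problem` (`Kernel`).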

Binary file not shown.

13850
Shorewall-docs/images/MultiZone3.vdx Executable file

File diff suppressed because it is too large

BIN
Shorewall-docs/images/basics2.png Executable file

Binary file not shown.

11212
Shorewall-docs/images/basics2.vdx Executable file

File diff suppressed because it is too large

View File

@ -15,7 +15,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2004-02-04</pubdate> <pubdate>2004-02-08</pubdate>
<copyright> <copyright>
<year>2001-2004</year> <year>2001-2004</year>
@ -47,7 +47,7 @@
<caution> <caution>
<para>The configuration shown here corresponds to Shorewall version <para>The configuration shown here corresponds to Shorewall version
2.0.0-Alpha2. It may use features not available in earlier Shorewall 2.0.0-Beta1. It may use features not available in earlier Shorewall
releases.</para> releases.</para>
</caution> </caution>
@ -341,16 +341,14 @@ gre net $TEXAS
</blockquote> </blockquote>
</section> </section>
<section> <section id="Actions">
<title>Actions File</title> <title>Actions File</title>
<blockquote> <blockquote>
<programlisting>#ACTION <programlisting>#ACTION
DropBcast #Silently Drops Broadcast Traffic
DropSMB #Silently Drops Microsoft SMB Traffic DropSMB #Silently Drops Microsoft SMB Traffic
RejectSMB #Silently Reject Microsoft SMB Traffic RejectSMB #Silently Reject Microsoft SMB Traffic
DropUPnP #Silently Drop UPnP Probes DropUPnP #Silently Drop UPnP Probes
DropNonSyn #Silently Drop Non-syn TCP packets
RejectAuth #Silently Reject Auth RejectAuth #Silently Reject Auth
DropPing #Silently Drop Ping DropPing #Silently Drop Ping
DropDNSrep #Silently Drop DNS Replies DropDNSrep #Silently Drop DNS Replies
@ -391,10 +389,10 @@ ACCEPT $MIRRORS
# PORT(S) PORT(S) LIMIT GROUP # PORT(S) PORT(S) LIMIT GROUP
RejectAuth RejectAuth
AllowPing AllowPing
DropBcast dropBcast
DropSMB DropSMB
DropUPnP DropUPnP
DropNonSyn dropNonSyn
DropDNSrep</programlisting> DropDNSrep</programlisting>
</blockquote> </blockquote>
</section> </section>
@ -411,11 +409,14 @@ DropDNSrep</programlisting>
# PORT(S) PORT(S) LIMIT GROUP # PORT(S) PORT(S) LIMIT GROUP
RejectAuth RejectAuth
AllowPing AllowPing
DropBcast dropBcast
RejectSMB RejectSMB
DropUPnP DropUPnP
DropNonSyn dropNonSyn
DropDNSrep</programlisting> DropDNSrep
DROP loc:eth2:!192.168.1.0/24 #So that my braindead Windows[tm] XP system doesn&#39;t flood my log
#with NTP requests with a source address in 16.0.0.0/8 (address of
#its PPTP tunnel to HP).</programlisting>
</blockquote> </blockquote>
</section> </section>

View File

@ -13,7 +13,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2004-01-26</pubdate> <pubdate>2004-02-05</pubdate>
<copyright> <copyright>
<year>2001-2002</year> <year>2001-2002</year>
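Review bot: The pubdate moves to 2004-02-05 but the copyright `<year>2001-2002</year>` is left unchanged, whereas the other documents in this commit extend their copyright range to 2004 (the Samba document adds `<year>2004</year>` for the same reason). Bump the year range here as well.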
@ -220,12 +220,18 @@ ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62
<section> <section>
<title>VNC</title> <title>VNC</title>
<para>TCP port 5900 + &#60;display number&#62;.</para> <para>Vncviewer -&#62; Vncserver is TCP port 5900 + &#60;display
number&#62;.</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 5901 #Display Number 1 ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 5901 #Display Number 1
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 5902 #Display Number 2 ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 5902 #Display Number 2
...</programlisting> ...</programlisting>
<para>Vncserver to Vncviewer in listen mode is TCP port 5500.</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 5500</programlisting>
</section> </section>
<section> <section>
@ -249,7 +255,8 @@ ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62
<appendix> <appendix>
<title>Revision History</title> <title>Revision History</title>
<para><revhistory><revision><revnumber>1.4</revnumber><date>2004-01-26</date><authorinitials>TE</authorinitials><revremark>Correct <para><revhistory><revision><revnumber>1.5</revnumber><date>2004-02-05</date><authorinitials>TE</authorinitials><revremark>Added
information about VNC viewers in listen mode.</revremark></revision><revision><revnumber>1.4</revnumber><date>2004-01-26</date><authorinitials>TE</authorinitials><revremark>Correct
ICQ.</revremark></revision><revision><revnumber>1.3</revnumber><date>2004-01-04</date><authorinitials>TE</authorinitials><revremark>Alphabetize</revremark></revision><revision><revnumber>1.2</revnumber><date>2004-01-03</date><authorinitials>TE</authorinitials><revremark>Add ICQ.</revremark></revision><revision><revnumber>1.3</revnumber><date>2004-01-04</date><authorinitials>TE</authorinitials><revremark>Alphabetize</revremark></revision><revision><revnumber>1.2</revnumber><date>2004-01-03</date><authorinitials>TE</authorinitials><revremark>Add
rules file entries.</revremark></revision><revision><revnumber>1.1</revnumber><date>2002-07-30</date><authorinitials>TE</authorinitials><revremark>Initial rules file entries.</revremark></revision><revision><revnumber>1.1</revnumber><date>2002-07-30</date><authorinitials>TE</authorinitials><revremark>Initial
version converted to Docbook XML</revremark></revision></revhistory></para> version converted to Docbook XML</revremark></revision></revhistory></para>

View File

@ -15,11 +15,13 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2002-10-22</pubdate> <pubdate>2004-02-08</pubdate>
<copyright> <copyright>
<year>2002</year> <year>2002</year>
<year>2004</year>
<holder>Thomas M. Eastep</holder> <holder>Thomas M. Eastep</holder>
</copyright> </copyright>
@ -36,15 +38,25 @@
<para>If you wish to run Samba on your firewall and access shares between <para>If you wish to run Samba on your firewall and access shares between
the firewall and local hosts, you need the following rules:</para> the firewall and local hosts, you need the following rules:</para>
<para><emphasis role="bold">/etc/shorewall/rules:</emphasis><informaltable><tgroup <para><emphasis role="bold">/etc/shorewall/rules:</emphasis><programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE
cols="7"><thead><row><entry>ACTION</entry><entry>SOURCE</entry><entry>DESTINATION</entry><entry>PROTOCOL</entry><entry>PORT(S)</entry><entry>SOURCE # PORT(S)
PORT(S)</entry><entry>ORIGINAL DEST</entry></row></thead><tbody><row><entry>ACCEPT</entry><entry>fw</entry><entry>loc</entry><entry>udp</entry><entry>137:139</entry><entry></entry><entry></entry></row><row><entry>ACCEPT</entry><entry>fw</entry><entry>loc</entry><entry>tcp</entry><entry>137,139,445</entry><entry></entry><entry></entry></row><row><entry>ACCEPT</entry><entry>fw</entry><entry>loc</entry><entry>udp</entry><entry>1024:</entry><entry>137</entry><entry></entry></row><row><entry>ACCEPT</entry><entry>loc</entry><entry>fw</entry><entry>udp</entry><entry>137:139</entry><entry></entry><entry></entry></row><row><entry>ACCEPT</entry><entry>loc</entry><entry>fw</entry><entry>tcp</entry><entry>137,139,445</entry><entry></entry><entry></entry></row><row><entry>ACCEPT</entry><entry>loc</entry><entry>fw</entry><entry>udp</entry><entry>1024:</entry><entry>137</entry><entry></entry></row></tbody></tgroup></informaltable></para> ACCEPT fw loc udp 137:139
ACCEPT fw loc tcp 137,139,445
ACCEPT fw loc udp 1024: 137
ACCEPT loc fw udp 137:139
ACCEPT loc fw tcp 137,139,445
ACCEPT loc fw udp 1024: 137</programlisting></para>
<para>To pass traffic SMB/Samba traffic between zones Z1 and Z2:</para> <para>To pass traffic SMB/Samba traffic between zones Z1 and Z2:</para>
<para><emphasis role="bold">/etc/shorewall/rules:</emphasis><informaltable><tgroup <para><emphasis role="bold">/etc/shorewall/rules:</emphasis><programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE
cols="7"><thead><row><entry>ACTION</entry><entry>SOURCE</entry><entry>DESTINATION</entry><entry>PROTOCOL</entry><entry>PORT(S)</entry><entry>SOURCE # PORT(S)
PORT(S)</entry><entry>ORIGINAL DEST</entry></row></thead><tbody><row><entry>ACCEPT</entry><entry>Z1</entry><entry>Z2</entry><entry>udp</entry><entry>137:139</entry><entry></entry><entry></entry></row><row><entry>ACCEPT</entry><entry>Z1</entry><entry>Z2</entry><entry>tcp</entry><entry>137,139,445</entry><entry></entry><entry></entry></row><row><entry>ACCEPT</entry><entry>Z1</entry><entry>Z2</entry><entry>udp</entry><entry>1024:</entry><entry>137</entry><entry></entry></row><row><entry>ACCEPT</entry><entry>Z2</entry><entry>Z1</entry><entry>udp</entry><entry>137:139</entry><entry></entry><entry></entry></row><row><entry>ACCEPT</entry><entry>Z2</entry><entry>Z1</entry><entry>tcp</entry><entry>137,139,445</entry><entry></entry><entry></entry></row><row><entry>ACCEPT</entry><entry>Z2</entry><entry>Z1</entry><entry>udp</entry><entry>1024:</entry><entry>137</entry><entry></entry></row></tbody></tgroup></informaltable></para> ACCEPT Z1 Z2 udp 137:139
ACCEPT Z1 Z2 tcp 137,139,445
ACCEPT Z1 Z2 udp 1024: 137
ACCEPT Z2 Z1 udp 137:139
ACCEPT Z2 Z1 tcp 137,139,445
ACCEPT Z1 Z1 udp 1024: 137</programlisting></para>
<para>To make network browsing (<quote>Network Neighborhood</quote>) work <para>To make network browsing (<quote>Network Neighborhood</quote>) work
properly between Z1 and Z2 requires a Windows Domain Controller and/or a properly between Z1 and Z2 requires a Windows Domain Controller and/or a
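Review bot: the last line of the second listing, `ACCEPT Z1 Z1 udp 1024: 137`, should read `ACCEPT Z2 Z1 udp 1024: 137`; the table it replaces had Z2 as the source for that row, and every other row is paired with its reverse direction (the first listing ends with `ACCEPT loc fw udp 1024: 137`). As written it is an intra-zone rule Shorewall does not need, and the Z2 to Z1 NetBIOS reply path (source port 137 to high ports) stays blocked. While here, the unchanged context line "To pass traffic SMB/Samba traffic" has a duplicated "traffic".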

View File

@ -15,13 +15,15 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2003-11-15</pubdate> <pubdate>2004-12-05</pubdate>
<copyright> <copyright>
<year>2002</year> <year>2002</year>
<year>2003</year> <year>2003</year>
<year>2004</year>
<holder>Thomas M. Eastep</holder> <holder>Thomas M. Eastep</holder>
</copyright> </copyright>
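Review bot: the new pubdate `2004-12-05` looks like a month/day transposition; the other pubdate touched in this change is `2004-02-08` and the revision-history entry added above is dated `2004-02-05`, so this should presumably be `2004-02-05`. Dating the page ten months ahead will make it appear newer than any revision made later this year.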
@ -649,8 +651,8 @@ ACCEPT dmz fw udp 53 </programlist
Run name server on DMZ computer 1: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) Run name server on DMZ computer 1: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT loc dmz:10.10.11.1 tcp 53 ACCEPT loc dmz:10.10.11.1 tcp 53
ACCEPT loc dmz:10.10.11.1 udp 53 ACCEPT loc dmz:10.10.11.1 udp 53
ACCEPT dmz dmz:10.10.11.1 tcp 53 ACCEPT fw dmz:10.10.11.1 tcp 53
ACCEPT dmz dmz:10.10.11.1 udp 53 </programlisting></para> ACCEPT fw dmz:10.10.11.1 udp 53 </programlisting></para>
</section> </section>
<section> <section>

View File

@ -12,7 +12,7 @@
<surname>Eastep</surname> <surname>Eastep</surname>
</author> </author>
<pubdate>2003-01-26</pubdate> <pubdate>2003-02-08</pubdate>
<copyright> <copyright>
<year>2002</year> <year>2002</year>
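Review bot: the new pubdate `2003-02-08` looks like a year slip: the Samba document in this same change is set to `2004-02-08`, and the copyright block here still lists only 2002. Suggest `2004-02-08`, and adding `<year>2004</year>` to the copyright block as the other files in this change do.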
@ -604,4 +604,83 @@ ACCEPT loc fw tcp 80 #Allow Weblet to work</progra
page</ulink> -- it contains helpful tips about Shorewall features than page</ulink> -- it contains helpful tips about Shorewall features than
make administering your firewall easier.</para> make administering your firewall easier.</para>
</section> </section>
<section>
<title>Adding a Wireless Segment to your Two-Interface Firewall</title>
<para>Once you have the two-interface setup working, the next logical step
is to add a Wireless Network. The first step involves adding an additional
network card to your firewall, either a Wireless card or an ethernet card
that is connected to a Wireless Access Point.<caution><para>When you add a
network card, it won&#39;t necessarily be detected as the next highest
ethernet interface. For example, if you have two ethernet cards in your
system (<filename class="devicefile">eth0</filename> and <filename
class="devicefile">eth1</filename>) and you add a third card that uses the
same driver as one of the other two, that third card won&#39;t necessarily
be detected as <filename class="devicefile">eth2</filename>; it could
rather be detected as <filename class="devicefile">eth0</filename> or
<filename class="devicefile">eth1</filename>! You can either live with
that or you can shuffle the cards around in the slots until the new card
is detected as <filename class="devicefile">eth2</filename>.</para></caution></para>
<para>Your new network will look similar to what is shown in the following
figure.<graphic fileref="images/basics2.png" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para>The first thing to note is that the computers in your wireless
network will be in a different subnet from those on your wired local LAN.
In the above example, we have chosen to use the network 10.10.11.0/24.
Computers 3 and 4 would be configured with a default gateway IP address of
10.10.11.254.</para>
<para>Second, we have chosen to include the wireless network as part of
the local zone. Since Shorewall allows intra-zone traffic by default,
traffic may flow freely between the local wired network and the wireless
network.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para>There are only two changes that need to be made to the Shorewall
configuration:</para>
<itemizedlist>
<listitem>
<para>An entry needs to be added to <filename>/etc/shorewall/interfaces</filename>
for the wireless network interface. If the wireless interface is
<filename class="devicefile">wlan0</filename>, the entry might look
like:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
loc wlan0 detect maclist</programlisting>
<para>As shown in the above entry, I recommend using the <ulink
url="MAC_Validation.html">maclist option</ulink> for the wireless
segment. By adding entries for computers 3 and 4 in
<filename>/etc/shorewall/maclist</filename>, you help ensure that your
neighbors aren&#39;t getting a free ride on your internet connection.
Start by omitting that option; when you have everything working, then
add the option and configure your <filename>/etc/shorewall/maclist</filename>
file.</para>
</listitem>
<listitem>
<para>You need to add an entry to the <filename>/etc/shorewall/masq</filename>
file to masquerade traffic from the wireless network to the internet.
If your internet interface is <filename class="devicefile">eth0</filename>
and your wireless interface is <filename class="devicefile">wlan0</filename>,
the entry would be:</para>
<programlisting>#INTERFACE SUBNET ADDRESS
eth0 wlan0</programlisting>
</listitem>
</itemizedlist>
<para>One other thing to note. To get <trademark>Microsoft</trademark>
networking working between the wireless and wired networks, you will need
either a WINS server or a PDC. I personally use Samba configured as a WINS
server running on my firewall. Running a WINS server on your firewall
requires the rules listed in the <ulink url="samba.htm">Shorewall/Samba
documentation</ulink>. </para>
</section>
</article> </article>
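Review bot: the new section says computers 3 and 4 use 10.10.11.254 as their default gateway but never says that the firewall's wlan0 must be configured with that address on the 10.10.11.0/24 network; add a sentence, since `detect` in the interfaces entry only derives the broadcast address from whatever is already configured on the interface. Two further points: the listing shows `maclist` already set while the paragraph below it tells the reader to start without the option, so either show it commented out or state that the listing is the final form; and because the wireless segment is placed in the `loc` zone and intra-zone traffic is allowed by default, a wireless host that passes the MAC check has exactly the access to the wired LAN that a wired host has, which the text should say explicitly, mentioning that a separate zone for wlan0 with its own policy toward `loc` is the alternative when that is not wanted. The two `<inlinegraphic fileref="images/BD21298_.gif">` paragraphs are decorative separators and can be dropped from the source.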