mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-22 06:10:42 +01:00
Updates to docs
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1595 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
346d125bb8
commit
676d0bebe8
@ -17,7 +17,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2004-08-19</pubdate>
|
||||
<pubdate>2004-08-31</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001-2004</year>
|
||||
@ -98,7 +98,7 @@ DNAT net loc:192.168.1.5 udp 7777</programlisting>
|
||||
# PORT DEST.
|
||||
DNAT net loc:<l<emphasis>ocal IP address</emphasis>>[:<<emphasis>local port</emphasis>>] <<emphasis>protocol</emphasis>> <<emphasis>port #</emphasis>> - <<emphasis>external IP</emphasis>></programlisting>
|
||||
|
||||
<para>Finally, if you need to forward a range of ports, in the PORT
|
||||
<para>Finally, if you need to forward a range of ports, in the DEST PORT
|
||||
column specify the range as
|
||||
<emphasis><low-port>:<high-port></emphasis>.</para>
|
||||
|
||||
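Review bot: In the programlisting just above the reworded paragraph, the placeholder reads <l<emphasis>ocal IP address</emphasis>>, so the leading "l" sits outside the emphasis element and renders in a different face from the rest of the phrase. Since this change already touches the passage, move the "l" inside the element so it matches the neighbouring <emphasis>local port</emphasis> placeholder.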
@ -212,8 +212,8 @@ DNAT net loc:<l<emphasis>ocal IP address</emphasis>>[:<<emphasis>
|
||||
|
||||
<para>In /<filename>etc/shorewall/rules</filename>:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT
|
||||
DNAT net loc:192.168.3:22 tcp 1022</programlisting>
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT
|
||||
DNAT net loc:192.168.1.3:22 tcp 1022</programlisting>
|
||||
</section>
|
||||
</section>
|
||||
|
||||
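Review bot: The context line "In /<filename>etc/shorewall/rules</filename>:" directly above the corrected rule leaves the leading slash outside the filename element, so the path is split across two styles. Write it as <filename>/etc/shorewall/rules</filename>, as the later /etc/shorewall/init reference does, in the same pass as the 192.168.1.3 address correction.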
@ -317,11 +317,15 @@ DNAT loc loc:192.168.1.5 tcp www - 130.15
|
||||
|
||||
<para>That rule only works of course if you have a static external
|
||||
IP address. If you have a dynamic IP address and are running
|
||||
Shorewall 1.3.4 or later then include this in
|
||||
Shorewall 1.3.4 through Shorewall 2.0.* then include this in
|
||||
<filename>/etc/shorewall/init</filename>:</para>
|
||||
|
||||
<programlisting><command>ETH0_IP=`find_interface_address eth0`</command></programlisting>
|
||||
|
||||
<para>For users of Shorewall 2.1.0 and later:</para>
|
||||
|
||||
<programlisting><command>ETH0_IP=`find_first_interface_address eth0`</command></programlisting>
|
||||
|
||||
<para>and make your DNAT rule:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL
|
||||
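Review bot: The added paragraph "For users of Shorewall 2.1.0 and later:" does not repeat that the line belongs in /etc/shorewall/init, so a reader who skips to their own version has to infer the file from the previous sentence. Suggest "For users of Shorewall 2.1.0 and later, include this in /etc/shorewall/init instead:". Stating in one clause that find_first_interface_address replaces find_interface_address in 2.1.0 would also save 2.0.x users who upgrade from a failing init script.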
@ -1816,6 +1820,17 @@ iptables: Invalid argument
|
||||
<title>Revision History</title>
|
||||
|
||||
<para><revhistory>
|
||||
<revision>
|
||||
<revnumber>1.30</revnumber>
|
||||
|
||||
<date>2004-08-26</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Update FAQ 2 with information about Shorewall
|
||||
2.1.</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.29</revnumber>
|
||||
|
||||
|
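Review bot: Revision 1.30 is dated 2004-08-26 and its remark covers only the FAQ 2 update, while the same change moves the pubdate to 2004-08-31 and also alters the port-range wording and the 192.168.1.3 example address. Either add a revision entry for the later edits or extend this revremark so the history matches what the pubdate claims.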
@ -15,7 +15,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2004-08-21</pubdate>
|
||||
<pubdate>2004-08-25</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2004</year>
|
||||
@ -55,11 +55,19 @@
|
||||
|
||||
<para>The 2.6 Linux Kernel introduces new facilities for defining
|
||||
encrypted communication between hosts in a network. The network
|
||||
administrator defines a set of Security Policies which are stored in the
|
||||
kernel as a Security Policy Database (SPD). Outgoing traffic is encrypted
|
||||
according to the contents of the SPD and incoming traffic is verified
|
||||
against the SPD to ensure that no unencrypted traffic is accepted in
|
||||
violation of the administrator's policies.</para>
|
||||
administrator defines a set of <firstterm>Security Policies</firstterm>
|
||||
which are stored in the kernel as a <firstterm>Security Policy
|
||||
Database</firstterm> (SPD). Security policies determine which traffic is
|
||||
subject to encryption. <firstterm>Security Associations</firstterm> are
|
||||
created between pairs of hosts in the network (one SA for traffic in each
|
||||
direction); these SAs define how traffic is to be encrypted. Outgoing
|
||||
traffic that is to be encrypted according to the contents of the SPD
|
||||
requires an appropriate SA to exist. SAs may be created manually using
|
||||
<command>setkey</command>(8) but most often, they are created by a
|
||||
cooperative process involving the ISAKMP protocol and daemons such
|
||||
as<command> racoon</command> or <command>isakmpd</command>. Incoming
|
||||
traffic is verified against the SPD to ensure that no unencrypted traffic
|
||||
is accepted in violation of the administrator's policies.</para>
|
||||
|
||||
<para>There are three ways in which IPSEC traffic can interact with
|
||||
Shorewall policies and rules:</para>
|
||||
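Review bot: In "such as<command> racoon</command>" the space is inside the command element instead of before it, so the word boundary depends on how the stylesheet treats leading whitespace in <command>. Write "such as <command>racoon</command>". The new text also says SAs "define how traffic is to be encrypted" but never says what happens to outgoing traffic that matches a policy when no SA exists yet; one sentence on that would help readers debugging dropped packets.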
@ -99,7 +107,8 @@
|
||||
class="devicefile">ipsecn</filename> device. The 2.6 kernel-based
|
||||
implementation does away with these pseudo-interfaces. Outgoing traffic
|
||||
that is going to be encrypted and incoming traffic that has been decrypted
|
||||
must be matched against policies in the SPD.</para>
|
||||
must be matched against policies in the SPD and/or the appropriate
|
||||
SA.</para>
|
||||
|
||||
<para>Shorewall provides support for policy matching in two ways:</para>
|
||||
|
||||
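Review bot: "must be matched against policies in the SPD and/or the appropriate SA" leaves the reader unable to tell when the SPD applies, when the SA applies, and when both do. The earlier paragraph already distinguishes the two (policies select traffic, SAs define how it is encrypted), so say which one each direction is matched against rather than using "and/or".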
@ -108,8 +117,8 @@
|
||||
<para>In <filename>/etc/shorewall/masq</filename>, traffic that will
|
||||
later be encrypted is exempted from MASQUERADE/SNAT using existing
|
||||
entries. If you want to MASQUERADE/SNAT outgoing traffic that will
|
||||
later be encrypted, you must include an entry in the new IPSEC column
|
||||
in that file.</para>
|
||||
later be encrypted, you must include the appropriate indication in the
|
||||
new IPSEC column in that file.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
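Review bot: "you must include the appropriate indication in the new IPSEC column" is vaguer than the wording it replaces, because nothing here says what an indication is or which values the column accepts. Name the accepted values in this sentence or link to the description of the IPSEC column in the masq documentation.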
@ -435,4 +444,4 @@ all all REJECT info
|
||||
occur, NONE policies are used.</para>
|
||||
</blockquote>
|
||||
</section>
|
||||
</article>
|
||||
</article>
|
||||
|
@ -15,11 +15,13 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2003-07-02</pubdate>
|
||||
<pubdate>2003-08-25</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2003</year>
|
||||
|
||||
<year>2004</year>
|
||||
|
||||
<holder>Thomas M. Eastep</holder>
|
||||
</copyright>
|
||||
|
||||
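Review bot: The new pubdate is 2003-08-25, yet the same hunk adds <year>2004</year> to the copyright and the other documents in this commit carry 2004 dates. This looks like a year typo for 2004-08-25; please confirm and correct the pubdate.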
@ -29,7 +31,8 @@
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
</legalnotice>
|
||||
</articleinfo>
|
||||
|
||||
@ -37,7 +40,8 @@
|
||||
<title>General</title>
|
||||
|
||||
<para>Shorewall is compatible with the Linux 2.6 kernel series and
|
||||
contains support for the following features that are added in that series:</para>
|
||||
contains support for the following features that are added in that
|
||||
series:</para>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
@ -59,5 +63,10 @@
|
||||
names. Netfilter/iptables support for this new implementation is
|
||||
incomplete and therefore Shorewall support is limited. See the <ulink
|
||||
url="IPSEC.htm">Shorewall IPSEC documentation</ulink>.</para>
|
||||
|
||||
<para><emphasis role="bold">Update:</emphasis> The Shorewall 2.1 <ulink
|
||||
url="ReleaseModel.html">Development release</ulink> now contains support
|
||||
for IPSEC under the 2.6 Kernel. See the <ulink url="IPSEC-2.6.html">Kernel
|
||||
2.6 IPSEC documentation</ulink> for details.</para>
|
||||
</section>
|
||||
</article>
|
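Review bot: The added "Update:" paragraph says Shorewall 2.1 now supports IPSEC under the 2.6 kernel, but the sentence just above it still states that support "is incomplete and therefore Shorewall support is limited", so the section contradicts itself for 2.1 readers. Qualify the earlier sentence with the affected versions (2.0.x and earlier) instead of appending a correction. The capitalisation of "Development release" and "2.6 Kernel" also differs from the "Linux 2.6 kernel series" wording earlier in the file.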
@ -13,7 +13,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2004-07-30</pubdate>
|
||||
<pubdate>2004-09-02</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001-2004</year>
|
||||
@ -27,7 +27,8 @@
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
</legalnotice>
|
||||
</articleinfo>
|
||||
|
||||
@ -55,9 +56,9 @@
|
||||
|
||||
<listitem>
|
||||
<para><emphasis role="bold">DO NOT INSTALL CORRECTED COMPONENTS ON A
|
||||
RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW.</emphasis>
|
||||
For example, do NOT install the 2.0.2 firewall script if you are
|
||||
running 2.0.0-RC2</para>
|
||||
RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER
|
||||
BELOW.</emphasis> For example, do NOT install the 2.0.2 firewall
|
||||
script if you are running 2.0.0-RC2</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</caution>
|
||||
@ -79,7 +80,8 @@
|
||||
<section>
|
||||
<title>Bogons File</title>
|
||||
|
||||
<para><ulink url="http://shorewall.net/pub/shorewall/errata/2.0.1/bogons">Here</ulink>
|
||||
<para><ulink
|
||||
url="http://shorewall.net/pub/shorewall/errata/2.0.8/bogons">Here</ulink>
|
||||
is the most up to date version of the <ulink
|
||||
url="Documentation.htm#Bogons">bogons file</ulink>.</para>
|
||||
</section>
|
||||
@ -87,13 +89,31 @@
|
||||
<section>
|
||||
<title>Problems in Version 2.0</title>
|
||||
|
||||
<section>
|
||||
<title>Shorewall 2.0.3 through 2.0.8</title>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>An empty PROTO column in /etc/shorewall/tcrules produced
|
||||
iptables errors during <command>shorewall start</command>. A value
|
||||
of <command>all</command> in that column produced a similar
|
||||
error.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>Corrected in <ulink
|
||||
url="http://shorewall.net/pub/shorewall/errata/2.0.8/firewall">this
|
||||
firewall script</ulink> which may be installed in
|
||||
/usr/share/shorewall/firewall as described above.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Shorewall 2.0.3a through 2.0.7</title>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>Entries in the USER/GROUP column of an action file (made from
|
||||
action.template) may be ignored or cause odd errors. </para>
|
||||
action.template) may be ignored or cause odd errors.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
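Review bot: The new section is titled "Shorewall 2.0.3 through 2.0.8" but the corrected script is published under errata/2.0.8/firewall, and the caution earlier in this file tells users not to install a corrected component on a release earlier than the one it is listed under. State explicitly whether the 2.0.8 script may be installed on 2.0.3 through 2.0.7 or whether those users must upgrade first. Separately, /etc/shorewall/tcrules and /usr/share/shorewall/firewall are left as bare text here, while other errata entries wrap paths in <filename>.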
@ -127,9 +147,9 @@
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>DNAT rules with <emphasis role="bold">fw</emphasis> as the
|
||||
source zone and that specify logging cause <command>shorewall start</command>
|
||||
to fail with an iptables error. The problem is corrected for
|
||||
Shorewall 2.0.3 users in <ulink
|
||||
source zone and that specify logging cause <command>shorewall
|
||||
start</command> to fail with an iptables error. The problem is
|
||||
corrected for Shorewall 2.0.3 users in <ulink
|
||||
url="http://shorewall.net/pub/shorewall/errata/2.0.3/firewall">this
|
||||
firewall script</ulink> which may be installed in
|
||||
/usr/share/shorewall/firewall as described above.</para>
|
||||
@ -153,7 +173,8 @@
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>The above problems are corrected in Shorewall version 2.0.3c.</para>
|
||||
<para>The above problems are corrected in Shorewall version
|
||||
2.0.3c.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
@ -170,8 +191,8 @@
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Shorewall fails to start if there is no <command>mktemp</command>
|
||||
utility.</para>
|
||||
<para>Shorewall fails to start if there is no
|
||||
<command>mktemp</command> utility.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
@ -209,8 +230,8 @@
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>"shorewall restore" and "shorewall -f start"
|
||||
do not load kernel modules.</para>
|
||||
<para>"shorewall restore" and "shorewall -f start" do not load
|
||||
kernel modules.</para>
|
||||
|
||||
<para><emphasis role="bold">The above two problems are corrected in
|
||||
Shorewall 2.0.2a</emphasis></para>
|
||||
@ -261,19 +282,19 @@
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Kernel modules fail to load when MODULE_SUFFIX isn't set
|
||||
in shorewall.conf</para>
|
||||
<para>Kernel modules fail to load when MODULE_SUFFIX isn't set in
|
||||
shorewall.conf</para>
|
||||
|
||||
<para><emphasis role="bold">All of the above problems are corrected
|
||||
in Shorewall 2.0.2f</emphasis></para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>These problems are all corrected by the <filename>firewall</filename>
|
||||
and <filename>functions</filename> files in <ulink
|
||||
url="http://shorewall.net/pub/shorewall/errata/2.0.2">this directory</ulink>.
|
||||
Both files must be installed in <filename>/usr/share/shorewall/</filename>
|
||||
as described above.</para>
|
||||
<para>These problems are all corrected by the
|
||||
<filename>firewall</filename> and <filename>functions</filename> files
|
||||
in <ulink url="http://shorewall.net/pub/shorewall/errata/2.0.2">this
|
||||
directory</ulink>. Both files must be installed in
|
||||
<filename>/usr/share/shorewall/</filename> as described above.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
@ -285,20 +306,22 @@
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Modules listed in /etc/shorewall/modules don't load or
|
||||
produce errors on Mandrake 10.0 Final.</para>
|
||||
<para>Modules listed in /etc/shorewall/modules don't load or produce
|
||||
errors on Mandrake 10.0 Final.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The <command>shorewall delete</command> command does not
|
||||
remove all dynamic rules pertaining to the host(s) being deleted.</para>
|
||||
remove all dynamic rules pertaining to the host(s) being
|
||||
deleted.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>These problems are corrected in <ulink
|
||||
url="http://shorewall.net/pub/shorewall/errata/2.0.1/firewall">this
|
||||
firewall script</ulink> which may be installed in <filename>/usr/share/shorewall/firewall</filename>
|
||||
as described above.</para>
|
||||
firewall script</ulink> which may be installed in
|
||||
<filename>/usr/share/shorewall/firewall</filename> as described
|
||||
above.</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
@ -322,10 +345,11 @@
|
||||
url="http://shorewall.net/pub/shorewall/errata/2.0.1/init.debian.sh">this
|
||||
file</ulink> as /etc/init.d/shorewall (replacing the existing file
|
||||
with that name). If you are just installing or upgrading to
|
||||
Shorewall 2.0.0 or 2.0.1, then replace the <filename>init.debian.sh</filename>
|
||||
file in the Shorewall distribution directory (shorewall-2.0.x) with
|
||||
the updated file before running <command>install.sh</command> from
|
||||
that directory.</para>
|
||||
Shorewall 2.0.0 or 2.0.1, then replace the
|
||||
<filename>init.debian.sh</filename> file in the Shorewall
|
||||
distribution directory (shorewall-2.0.x) with the updated file
|
||||
before running <command>install.sh</command> from that
|
||||
directory.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</section>
|
||||
@ -347,11 +371,13 @@
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>The first problem has been corrected in Shorewall update 2.0.0a.</para>
|
||||
<para>The first problem has been corrected in Shorewall update
|
||||
2.0.0a.</para>
|
||||
|
||||
<para>All of these problems may be corrected by installing <ulink
|
||||
url="http://shorewall.net/pub/shorewall/errata/2.0.0/firewall">this
|
||||
firewall script</ulink> in /usr/share/shorewall as described above.</para>
|
||||
firewall script</ulink> in /usr/share/shorewall as described
|
||||
above.</para>
|
||||
</section>
|
||||
</section>
|
||||
|
||||
@ -369,7 +395,8 @@
|
||||
Final) or later then you need to patch your iptables 1.2.9 with <ulink
|
||||
url="http://shorewall.net/pub/shorewall/errata/iptables-1.2.9.diff">this
|
||||
patch</ulink> or you need to use the <ulink
|
||||
url="http://www.netfilter.org/downloads.html#cvs">CVS version of iptables</ulink>.</para>
|
||||
url="http://www.netfilter.org/downloads.html#cvs">CVS version of
|
||||
iptables</ulink>.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
@ -380,10 +407,12 @@
|
||||
--reject-with tcp-reset</quote> is broken. The symptom most commonly seen
|
||||
is that REJECT rules act just like DROP rules when dealing with TCP. A
|
||||
kernel patch and precompiled modules to fix this problem are available at
|
||||
<ulink url="ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel">ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel</ulink></para>
|
||||
<ulink
|
||||
url="ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel">ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel</ulink></para>
|
||||
|
||||
<note>
|
||||
<para>RedHat have corrected this problem in their 2.4.20-27.x kernels.</para>
|
||||
<para>RedHat have corrected this problem in their 2.4.20-27.x
|
||||
kernels.</para>
|
||||
</note>
|
||||
</section>
|
||||
</article>
|
Binary file not shown.
File diff suppressed because it is too large
Binary file not shown.
File diff suppressed because it is too large
@ -15,7 +15,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2004-07-29</pubdate>
|
||||
<pubdate>2004-09-04</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001-2004</year>
|
||||
@ -29,7 +29,14 @@
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
|
||||
<important>
|
||||
<para>Problem reports that do not include the information requested in
|
||||
the <link linkend="Guidelines">Problem Reporting Guidelines</link>
|
||||
below will not be answered by the Shorewall author.</para>
|
||||
</important>
|
||||
</legalnotice>
|
||||
</articleinfo>
|
||||
|
||||
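Review bot: The new <important> block is placed before </legalnotice>, so the notice about unanswered problem reports becomes part of the legal notice and will be rendered (or hidden) along with the licence text. Move it out of <articleinfo> into the body, for example at the top of the first section, so that readers actually see it and the link to the Guidelines section sits next to the support content.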
@ -57,8 +64,9 @@
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The <ulink url="troubleshoot.htm">Troubleshooting Information</ulink>
|
||||
contains a number of tips to help you solve common problems.</para>
|
||||
<para>The <ulink url="troubleshoot.htm">Troubleshooting
|
||||
Information</ulink> contains a number of tips to help you solve common
|
||||
problems.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@ -67,74 +75,26 @@
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The <ulink url="http://lists.shorewall.net/htdig/search.html">Site
|
||||
and Mailing List Archives search facility</ulink> can locate documents
|
||||
and posts about similar problems:</para>
|
||||
<para>The <ulink
|
||||
url="http://lists.shorewall.net/htdig/search.html">Site and Mailing
|
||||
List Archives search facility</ulink> can locate documents and posts
|
||||
about similar problems:</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Guidelines">
|
||||
<title>Problem Reporting Guidelines</title>
|
||||
|
||||
<note>
|
||||
<para>Shorewall versions earlier that 1.4.0 are no longer supported.</para>
|
||||
<para>Shorewall versions earlier that 1.4.0 are no longer
|
||||
supported.</para>
|
||||
</note>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>Please remember we only know what is posted in your message. Do
|
||||
not leave out any information that appears to be correct, or was
|
||||
mentioned in a previous post. There have been countless posts by
|
||||
people who were sure that some part of their configuration was correct
|
||||
when it actually contained a small error. We tend to be skeptics where
|
||||
detail is lacking.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Please keep in mind that you're asking for <emphasis
|
||||
role="bold">free</emphasis> technical support. Any help we offer is an
|
||||
act of generosity, not an obligation. Try to make it easy for us to
|
||||
help you. Follow good, courteous practices in writing and formatting
|
||||
your e-mail. Provide details that we need if you expect good answers.
|
||||
Exact quoting of error messages, log entries, command output, and
|
||||
other output is better than a paraphrase or summary.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Please don't describe your problem as <quote>Computer A
|
||||
can't see Computer B</quote>. Of course it can't -- it
|
||||
hasn't any eyes! If ping from A to B fails, say so (and see below
|
||||
for information about reporting <quote>ping</quote> problems). If
|
||||
Computer B doesn't show up in <quote>Network Neighborhood</quote>
|
||||
then say so.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Please give details about what doesn't work. Reports that
|
||||
say <quote>I followed the directions and it didn't work</quote>
|
||||
will elicit sympathy but probably little in the way of help. Again --
|
||||
if ping from A to B fails, say so (and see below for information about
|
||||
reporting <quote>ping</quote> problems). If Computer B doesn't
|
||||
show up in <quote>Network Neighborhood</quote> then say so. If access
|
||||
by IP address works but by DNS names it doesn't then say so.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Please don't describe your environment and then ask us to
|
||||
send you custom configuration files. We're here to answer your
|
||||
questions but we can't do your job for you.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Please do NOT include the output of <command>iptables -L</command>
|
||||
— the output of <emphasis role="bold">shorewall show</emphasis> or
|
||||
<command>shorewall status</command> is much more useful.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>When reporting a problem, <emphasis role="bold">ALWAYS</emphasis>
|
||||
include this information:</para>
|
||||
<para>When reporting a problem, <emphasis
|
||||
role="bold">ALWAYS</emphasis> include this information:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
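Review bot: The re-wrapped note still reads "Shorewall versions earlier that 1.4.0 are no longer supported"; "that" should be "than". Since the line is being rewritten anyway, fix it here. The id="Guidelines" added to the section is what the new link in the legal-notice hunk depends on, so keep the two in the same commit.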
@ -158,13 +118,14 @@
|
||||
<listitem>
|
||||
<para><emphasis role="bold">THIS IS IMPORTANT!</emphasis> If your
|
||||
problem is that some type of connection to/from or through your
|
||||
firewall isn't working then please perform the following four
|
||||
firewall isn't working then please perform the following four
|
||||
steps:</para>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>If Shorewall isn't started then <command>/sbin/shorewall/start</command>.
|
||||
Otherwise <command>/sbin/shorewall reset</command>.</para>
|
||||
<para>If Shorewall isn't started then
|
||||
<command>/sbin/shorewall/start</command>. Otherwise
|
||||
<command>/sbin/shorewall reset</command>.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
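Review bot: The first step still gives the command as <command>/sbin/shorewall/start</command>, which is a path and not an invocation; the "Otherwise" branch uses "/sbin/shorewall reset", so this should be "/sbin/shorewall start". The line is re-wrapped in this hunk without the slash being corrected, and a user who copies it verbatim gets a "not a directory" error instead of a started firewall.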
@ -172,7 +133,8 @@
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><command>/sbin/shorewall status > /tmp/status.txt</command></para>
|
||||
<para><command>/sbin/shorewall status >
|
||||
/tmp/status.txt</command></para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@ -188,25 +150,77 @@
|
||||
|
||||
<listitem>
|
||||
<para><emphasis role="bold">If you installed Shorewall using one
|
||||
of the QuickStart Guides, please indicate which one</emphasis>.</para>
|
||||
of the QuickStart Guides, please indicate which
|
||||
one</emphasis>.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>As a general matter, <emphasis role="bold">please do not edit
|
||||
the diagnostic information</emphasis> in an attempt to conceal your IP
|
||||
address, netmask, nameserver addresses, domain name, etc. These
|
||||
aren't secrets, and concealing them often misleads us (and 80% of
|
||||
the time, a hacker could derive them anyway from information contained
|
||||
in the SMTP headers of your post).</para>
|
||||
<para>Please remember we only know what is posted in your message. Do
|
||||
not leave out any information that appears to be correct, or was
|
||||
mentioned in a previous post. There have been countless posts by
|
||||
people who were sure that some part of their configuration was correct
|
||||
when it actually contained a small error. We tend to be skeptics where
|
||||
detail is lacking.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Do you see any <quote>Shorewall</quote> messages (<quote><command>/sbin/shorewall
|
||||
show log</command></quote>) when you exercise the function that is
|
||||
giving you problems? If so, include the message(s) in your post along
|
||||
with a copy of your /etc/shorewall/interfaces file.</para>
|
||||
<para>Please keep in mind that you're asking for <emphasis
|
||||
role="bold">free</emphasis> technical support. Any help we offer is an
|
||||
act of generosity, not an obligation. Try to make it easy for us to
|
||||
help you. Follow good, courteous practices in writing and formatting
|
||||
your e-mail. Provide details that we need if you expect good answers.
|
||||
Exact quoting of error messages, log entries, command output, and
|
||||
other output is better than a paraphrase or summary.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Please don't describe your problem as <quote>Computer A can't
|
||||
see Computer B</quote>. Of course it can't -- it hasn't any eyes! If
|
||||
ping from A to B fails, say so (and see below for information about
|
||||
reporting <quote>ping</quote> problems). If Computer B doesn't show up
|
||||
in <quote>Network Neighborhood</quote> then say so.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Please give details about what doesn't work. Reports that say
|
||||
<quote>I followed the directions and it didn't work</quote> will
|
||||
elicit sympathy but probably little in the way of help. Again -- if
|
||||
ping from A to B fails, say so (and see below for information about
|
||||
reporting <quote>ping</quote> problems). If Computer B doesn't show up
|
||||
in <quote>Network Neighborhood</quote> then say so. If access by IP
|
||||
address works but by DNS names it doesn't then say so.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Please don't describe your environment and then ask us to send
|
||||
you custom configuration files. We're here to answer your questions
|
||||
but we can't do your job for you.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Please do NOT include the output of <command>iptables
|
||||
-L</command> — the output of <emphasis role="bold">shorewall
|
||||
show</emphasis> or <command>shorewall status</command> is much more
|
||||
useful.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>As a general matter, <emphasis role="bold">please do not edit
|
||||
the diagnostic information</emphasis> in an attempt to conceal your IP
|
||||
address, netmask, nameserver addresses, domain name, etc. These aren't
|
||||
secrets, and concealing them often misleads us (and 80% of the time, a
|
||||
hacker could derive them anyway from information contained in the SMTP
|
||||
headers of your post).</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Do you see any <quote>Shorewall</quote> messages
|
||||
(<quote><command>/sbin/shorewall show log</command></quote>) when you
|
||||
exercise the function that is giving you problems? If so, include the
|
||||
message(s) in your post along with a copy of your
|
||||
/etc/shorewall/interfaces file.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
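Review bot: The guideline items moved here now follow the "ALWAYS include this information" list, but two of them still say "see below for information about reporting ping problems"; check that the reference still points the right way after the reorder and change it to "see above" if the ping instructions are in the earlier list. The items beginning "Please don't describe your problem as" and "Please give details about what doesn't work" also repeat the same two sentences about ping and Network Neighborhood, and could be merged while the text is being moved.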
@ -226,14 +240,14 @@
|
||||
|
||||
<listitem>
|
||||
<para><emphasis role="bold">The list server limits posts to 120kb so
|
||||
don't post graphics of your network layout, etc. to the Mailing
|
||||
List -- your post will be rejected</emphasis>.</para>
|
||||
don't post graphics of your network layout, etc. to the Mailing List
|
||||
-- your post will be rejected</emphasis>.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The author gratefully acknowleges that the above list was
|
||||
heavily plagiarized from the excellent LEAF document by
|
||||
<emphasis>Ray Olszewski</emphasis> found at <ulink
|
||||
heavily plagiarized from the excellent LEAF document by <emphasis>Ray
|
||||
Olszewski</emphasis> found at <ulink
|
||||
url="http://leaf-project.org/pub/doc/docmanager/docid_1891.html">http://leaf-project.org/pub/doc/docmanager/docid_1891.html</ulink>.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
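Review bot: "The author gratefully acknowleges" is re-wrapped here with the spelling error intact; it should read "acknowledges".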
@ -250,10 +264,10 @@
|
||||
<para>I think that blocking all HTML is a Draconian way to control spam
|
||||
and that the ultimate losers here are not the spammers but the list
|
||||
subscribers whose MTAs are bouncing all shorewall.net mail. As one list
|
||||
subscriber wrote to me privately <quote>These e-mail admin's need to
|
||||
get a (expletive deleted) life instead of trying to rid the planet of HTML
|
||||
based e-mail</quote>. Nevertheless, to allow subscribers to receive list
|
||||
posts as must as possible, I have now configured the list server at
|
||||
subscriber wrote to me privately <quote>These e-mail admin's need to get a
|
||||
(expletive deleted) life instead of trying to rid the planet of HTML based
|
||||
e-mail</quote>. Nevertheless, to allow subscribers to receive list posts
|
||||
as must as possible, I have now configured the list server at
|
||||
shorewall.net to convert all HTML to plain text. These converted posts are
|
||||
difficult to read so all of us will appreciate it if you just post in
|
||||
plain text to begin with.</para>
|
||||
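Review bot: "to allow subscribers to receive list posts as must as possible" survives the re-wrap with "must" where "much" is meant. Correct it in this hunk, since the sentence is already being reflowed.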
@ -262,17 +276,18 @@
|
||||
<section>
|
||||
<title>Where to Send your Problem Report or to Ask for Help</title>
|
||||
|
||||
<para><emphasis role="bold">If you run the current development release</emphasis>
|
||||
(see the <ulink url="ReleaseModel.html">Shorewall Release Model page</ulink>)
|
||||
-- please post your question or problem to the <ulink
|
||||
url="mailto:shorewall-devel@lists.shorewall.net">Shorewall Development
|
||||
Mailing List</ulink>.</para>
|
||||
<para><emphasis role="bold">If you run the current development
|
||||
release</emphasis> (see the <ulink url="ReleaseModel.html">Shorewall
|
||||
Release Model page</ulink>) -- please post your question or problem to the
|
||||
<ulink url="mailto:shorewall-devel@lists.shorewall.net">Shorewall
|
||||
Development Mailing List</ulink>.</para>
|
||||
|
||||
<para><emphasis role="bold">If you run Shorewall under MandrakeSoft Multi
|
||||
Network Firewall (MNF) and you have not purchased an MNF license from
|
||||
MandrakeSoft then you can post non MNF-specific Shorewall questions to the
|
||||
<ulink url="mailto:shorewall-users@lists.shorewall.net">Shorewall users
|
||||
mailing list</ulink>. Do not expect to get free MNF support on the list</emphasis>.</para>
|
||||
mailing list</ulink>. Do not expect to get free MNF support on the
|
||||
list</emphasis>.</para>
|
||||
|
||||
<para>Otherwise, please post your question or problem to the <ulink
|
||||
url="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
|
||||
@ -292,19 +307,75 @@
|
||||
<title>Other Mailing Lists</title>
|
||||
|
||||
<para>For information on other Shorewall mailing lists, go to <ulink
|
||||
url="http://lists.shorewall.net">http://lists.shorewall.net</ulink> .</para>
|
||||
url="http://lists.shorewall.net">http://lists.shorewall.net</ulink>
|
||||
.</para>
|
||||
</section>
|
||||
|
||||
<appendix>
|
||||
<title>Revision History</title>
|
||||
|
||||
<para><revhistory><revision><revnumber>1.6</revnumber><date>2003-07-03</date><authorinitials>TE</authorinitials><revremark>New
|
||||
Release Model</revremark></revision><revision><revnumber>1.5</revnumber><date>2003-05-16</date><authorinitials>TE</authorinitials><revremark>Add
|
||||
link to the troubleshooting section</revremark></revision><revision><revnumber>1.4</revnumber><date>2003-03-15</date><authorinitials>TE</authorinitials><revremark>Remove
|
||||
Newbies Mailing List.</revremark></revision><revision><revnumber>1.3</revnumber><date>2003-02-19</date><authorinitials>TE</authorinitials><revremark>Admonish
|
||||
against including "iptables -L" output.</revremark></revision><revision><revnumber>1.2</revnumber><date>2003-01-01</date><authorinitials>TE</authorinitials><revremark>Removed
|
||||
.GIF and moved note about unsupported releases. Move Revision History to
|
||||
this Appendix.</revremark></revision><revision><revnumber>1.1</revnumber><date>2003-12-19</date><authorinitials>TE</authorinitials><revremark>Corrected
|
||||
URL for Newbies List</revremark></revision></revhistory></para>
|
||||
<para><revhistory>
|
||||
<revision>
|
||||
<revnumber>1.6</revnumber>
|
||||
|
||||
<date>2003-07-03</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>New Release Model</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.5</revnumber>
|
||||
|
||||
<date>2003-05-16</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Add link to the troubleshooting section</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.4</revnumber>
|
||||
|
||||
<date>2003-03-15</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Remove Newbies Mailing List.</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.3</revnumber>
|
||||
|
||||
<date>2003-02-19</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Admonish against including "iptables -L"
|
||||
output.</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.2</revnumber>
|
||||
|
||||
<date>2003-01-01</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Removed .GIF and moved note about unsupported releases.
|
||||
Move Revision History to this Appendix.</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.1</revnumber>
|
||||
|
||||
<date>2003-12-19</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Corrected URL for Newbies List</revremark>
|
||||
</revision>
|
||||
</revhistory></para>
|
||||
</appendix>
|
||||
</article>
|
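Review bot: In the expanded revision history, revision 1.1 is dated 2003-12-19, which is later than revisions 1.2 (2003-01-01) through 1.6 (2003-07-03); the year is probably 2002, and now that each entry is on its own line the inconsistency is easy to see and fix. The history also gains no entry for this change even though the pubdate moves to 2004-09-04 and a new notice about unanswered reports is added. In the Other Mailing Lists paragraph, the re-wrap leaves the full stop on a line of its own after </ulink>, preserving the stray space before it.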