extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-16 22:56:42 +02:00
Code Issues Packages Projects Releases Wiki Activity

Documentation Updates

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@448 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2003-02-14 21:27:03 +00:00
parent 5f259f6070
commit 6dd91309a8
9 changed files with 6107 additions and 5995 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2318
STABLE/documentation/News.htm
View File

File diff suppressed because it is too large Load Diff

139
STABLE/documentation/ping.html
View File

@ -13,136 +13,137 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">ICMP Echo-request (Ping)</font></h1> <h1 align="center"><font color="#ffffff">ICMP Echo-request (Ping)</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br> <br>
Shorewall 'Ping' management has evolved over time with the latest change Shorewall 'Ping' management has evolved over time with the latest change
coming in Shorewall version 1.3.14. In that version, a new option (<b>OLD_PING_HANDLING</b>) coming in Shorewall version 1.3.14. In that version, a new option (<b>OLD_PING_HANDLING</b>)
was added to /etc/shorewall/shorewall.conf. The value of that option determines was added to /etc/shorewall/shorewall.conf. The value of that option determines
the overall handling of ICMP echo requests (pings).<br> the overall handling of ICMP echo requests (pings).<br>
<h2>Shorewall Versions &gt;= 1.3.14 with OLD_PING_HANDLING=No in /etc/shorewall/shorewall.conf</h2> <h2>Shorewall Versions &gt;= 1.3.14 with OLD_PING_HANDLING=No in /etc/shorewall/shorewall.conf</h2>
In 1.3.14, Ping handling was put under control of the rules and policies In 1.3.14, Ping handling was put under control of the rules and policies
just like any other connection request. In order to accept ping requests from just like any other connection request. In order to accept ping requests
zone z1 to zone z2 where the policy for z1 to z2 is not ACCEPT, you need from zone z1 to zone z2 where the policy for z1 to z2 is not ACCEPT and z1
a rule in /etc/shoreall/rules of the form:<br> is not the firewall zone, you need a rule in /etc/shoreall/rules of the form:<br>
<blockquote>ACCEPT&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp; <blockquote>ACCEPT&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp;
</i>icmp&nbsp;&nbsp;&nbsp; 8<br> </i>icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote> </blockquote>
Example: <br> Example: <br>
<br> <br>
To permit ping from the local zone to the firewall:<br> To permit ping from the local zone to the firewall:<br>
<blockquote>ACCEPT&nbsp;&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp; <blockquote>ACCEPT&nbsp;&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;
icmp&nbsp;&nbsp;&nbsp; 8<br> icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote> </blockquote>
If you would like to accept 'ping' by default even when the relevant If you would like to accept 'ping' by default even when the relevant
policy is DROP or REJECT, create <b>/etc/shorewall/icmpdef </b>if it doesn't policy is DROP or REJECT, create <b>/etc/shorewall/icmpdef </b>if it doesn't
already exist and in that file place the following command:<br> already exist and in that file place the following command:<br>
<blockquote> <blockquote>
<pre><b><font color="#009900">run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT<br></font></b></pre> <pre><b><font color="#009900">run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT<br></font></b></pre>
</blockquote> </blockquote>
With that rule in place, if you want to ignore 'ping' from z1 to z2 then With that rule in place, if you want to ignore 'ping' from z1 to z2 then
you need a rule of the form:<br> you need a rule of the form:<br>
<blockquote>DROP&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp; <blockquote>DROP&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp;
</i>icmp&nbsp;&nbsp;&nbsp; 8<br> </i>icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote> </blockquote>
Example:<br> Example:<br>
<br> <br>
To drop ping from the internet, you would need this rule in /etc/shorewall/rules:<br> To drop ping from the internet, you would need this rule in /etc/shorewall/rules:<br>
<blockquote>DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp; <blockquote>DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;
icmp&nbsp;&nbsp;&nbsp; 8<br> icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote> </blockquote>
<blockquote> </blockquote> <blockquote> </blockquote>
<h2>Shorewall Versions &lt; 1.3.14 or with OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf<br> <h2>Shorewall Versions &lt; 1.3.14 or with OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf<br>
</h2> </h2>
There are several aspects to the old Shorewall Ping management:<br> There are several aspects to the old Shorewall Ping management:<br>
<ol> <ol>
<li>The <b>noping</b> and <b>filterping </b>interface options in <a <li>The <b>noping</b> and <b>filterping </b>interface options in <a
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li> href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
<li>The <b>FORWARDPING</b> option in<a href="Documentation.htm#Conf"> <li>The <b>FORWARDPING</b> option in<a
/etc/shorewall/shorewall.conf</a>.</li> href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf</a>.</li>
<li>Explicit rules in <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li> <li>Explicit rules in <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
</ol> </ol>
There are two cases to consider:<br> There are two cases to consider:<br>
<ol> <ol>
<li>Ping requests addressed to the firewall itself; and</li> <li>Ping requests addressed to the firewall itself; and</li>
<li>Ping requests being forwarded to another system. Included here are <li>Ping requests being forwarded to another system. Included here are
all cases of packet forwarding including NAT, DNAT rule, Proxy ARP and simple all cases of packet forwarding including NAT, DNAT rule, Proxy ARP and simple
routing.</li> routing.</li>
</ol> </ol>
These cases will be covered separately.<br> These cases will be covered separately.<br>
<h3>Ping Requests Addressed to the Firewall Itself</h3> <h3>Ping Requests Addressed to the Firewall Itself</h3>
For ping requests addressed to the firewall, the sequence is as follows:<br> For ping requests addressed to the firewall, the sequence is as follows:<br>
<ol> <ol>
<li>If neither <b>noping</b> nor <b>filterping </b>are specified for <li>If neither <b>noping</b> nor <b>filterping </b>are specified for
the interface that receives the ping request then the request will be responded the interface that receives the ping request then the request will be responded
to with an ICMP echo-reply.</li> to with an ICMP echo-reply.</li>
<li>If <b>noping</b> is specified for the interface that receives the <li>If <b>noping</b> is specified for the interface that receives the
ping request then the request is ignored.</li> ping request then the request is ignored.</li>
<li>If <b>filterping </b>is specified for the interface then the request <li>If <b>filterping </b>is specified for the interface then the request
is passed to the rules/policy evaluation.</li> is passed to the rules/policy evaluation.</li>
</ol> </ol>
<h3>Ping Requests Forwarded by the Firewall</h3> <h3>Ping Requests Forwarded by the Firewall</h3>
These requests are <b>always</b> passed to rules/policy evaluation.<br> These requests are <b>always</b> passed to rules/policy evaluation.<br>
<h3>Rules Evaluation</h3> <h3>Rules Evaluation</h3>
Ping requests are ICMP type 8. So the general rule format is:<br> Ping requests are ICMP type 8. So the general rule format is:<br>
<br> <br>
&nbsp;&nbsp;&nbsp; <i>Target&nbsp;&nbsp;&nbsp; Source&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; <i>Target&nbsp;&nbsp;&nbsp; Source&nbsp;&nbsp;&nbsp;
Destination&nbsp;&nbsp;&nbsp; </i>icmp&nbsp;&nbsp;&nbsp; 8<br> Destination&nbsp;&nbsp;&nbsp; </i>icmp&nbsp;&nbsp;&nbsp; 8<br>
<br> <br>
Example 1. Accept pings from the net to the dmz (pings are responded to Example 1. Accept pings from the net to the dmz (pings are responded to
with an ICMP echo-reply):<br> with an ICMP echo-reply):<br>
<br> <br>
&nbsp;&nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; dmz&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; dmz&nbsp;&nbsp;&nbsp;
icmp&nbsp;&nbsp;&nbsp; 8<br> icmp&nbsp;&nbsp;&nbsp; 8<br>
<br> <br>
Example 2. Drop pings from the net to the firewall<br> Example 2. Drop pings from the net to the firewall<br>
<br> <br>
&nbsp;&nbsp;&nbsp; DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;
icmp&nbsp;&nbsp;&nbsp; 8<br> icmp&nbsp;&nbsp;&nbsp; 8<br>
<h3>Policy Evaluation</h3> <h3>Policy Evaluation</h3>
If no applicable rule is found, then the policy for the source to the destination If no applicable rule is found, then the policy for the source to the
is applied.<br> destination is applied.<br>
<ol> <ol>
<li>If the relevant policy is ACCEPT then the request is responded to <li>If the relevant policy is ACCEPT then the request is responded to
with an ICMP echo-reply.</li> with an ICMP echo-reply.</li>
<li>If <b>FORWARDPING</b> is set to Yes in /etc/shorewall/shorewall.conf <li>If <b>FORWARDPING</b> is set to Yes in /etc/shorewall/shorewall.conf
then the request is responded to with an ICMP echo-reply.</li> then the request is responded to with an ICMP echo-reply.</li>
<li>Otherwise, the relevant REJECT or DROP policy is used and the request <li>Otherwise, the relevant REJECT or DROP policy is used and the request
is either rejected or simply ignored.</li> is either rejected or simply ignored.</li>
</ol> </ol>
<p><font size="2">Updated 1/21/2003 - <a href="support.htm">Tom Eastep</a> <p><font size="2">Updated 2/14/2003 - <a href="support.htm">Tom Eastep</a>
</font></p> </font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font <p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></p> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></p>
<br>
<br> <br>
<br> <br>
<br> <br>

257
STABLE/documentation/seattlefirewall_index.htm
View File

@ -15,7 +15,7 @@
<base target="_self"> <base target="_self">
</head> </head>
<body> <body>
@ -26,11 +26,11 @@
style="border-collapse: collapse;" width="100%" id="AutoNumber3" style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td width="100%" height="90"> <td width="100%" height="90">
@ -45,9 +45,10 @@
alt="Shorwall Logo" height="70" width="85" align="left" alt="Shorwall Logo" height="70" width="85" align="left"
src="images/washington.jpg" border="0"> src="images/washington.jpg" border="0">
</a></i></font><font color="#ffffff">Shorewall </a></i></font><font color="#ffffff">Shorewall
1.3 - <font size="4">"<i>iptables 1.3 - <font size="4">"<i>iptables
made easy"</i></font></font></h1> made easy"</i></font></font></h1>
@ -61,13 +62,14 @@
href="http://shorewall.sf.net/1.2/index.html" target="_top"><font href="http://shorewall.sf.net/1.2/index.html" target="_top"><font
color="#ffffff">Shorewall 1.2 Site here</font></a><br> color="#ffffff">Shorewall 1.2 Site here</font></a><br>
</div> </div>
<br> <br>
</td> </td>
</tr>
</tr>
@ -87,11 +89,12 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"> style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody> <tbody>
<tr> <tr>
<td width="90%">
<td width="90%">
@ -129,26 +132,27 @@ firewall that can be used on a dedicated firewall system, a multi-functio
<p>This program is free software; you can redistribute it and/or modify <p>This program is free software; you can redistribute it and/or modify
it under the terms of it under the terms of
<a href="http://www.gnu.org/licenses/gpl.html">Version 2 of <a href="http://www.gnu.org/licenses/gpl.html">Version 2 of
the GNU General Public License</a> as published by the Free Software the GNU General Public License</a> as published by the Free Software
Foundation.<br> Foundation.<br>
<br> <br>
This program is distributed in the This program is distributed in
hope that it will be useful, but WITHOUT ANY the hope that it will be useful, but WITHOUT
WARRANTY; without even the implied warranty of MERCHANTABILITY ANY WARRANTY; without even the implied warranty
or FITNESS FOR A PARTICULAR PURPOSE. See the of MERCHANTABILITY or FITNESS FOR A PARTICULAR
GNU General Public License for more details.<br> PURPOSE. See the GNU General Public License for
more details.<br>
<br> <br>
You should have received a copy of You should have received a copy
the GNU General Public License along of the GNU General Public License along
with this program; if not, write to the Free Software with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA Foundation, Inc., 675 Mass Ave, Cambridge,
02139, USA</p> MA 02139, USA</p>
@ -175,20 +179,22 @@ with this program; if not, write to the Free Software
<p> <a href="http://leaf.sourceforge.net" target="_top"><img <p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36"> border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques Nilo and Eric Wolzak </a>Jacques Nilo and Eric
have a LEAF (router/firewall/gateway on a floppy, Wolzak have a LEAF (router/firewall/gateway on a floppy,
CD or compact flash) distribution called <i>Bering</i> CD or compact flash) distribution called <i>Bering</i>
that features Shorewall-1.3.10 and Kernel-2.4.18. that features Shorewall-1.3.10 and Kernel-2.4.18.
You can find their work at: <a You can find their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br> href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
</a></p> </a></p>
<p><b>Congratulations to Jacques and Eric on the recent release of <p><b>Congratulations to Jacques and Eric on the recent release of
Bering 1.0 Final!!! </b><br> Bering 1.0 Final!!! </b><br>
</p> </p>
@ -208,6 +214,7 @@ Bering 1.0 Final!!! </b><br>
<h2>News</h2> <h2>News</h2>
@ -229,101 +236,118 @@ Bering 1.0 Final!!! </b><br>
<p><b>2/8/2003 - Shoreawll 1.3.14</b><b> </b><b><img <p><b>2/8/2003 - Shorewall 1.3.14</b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)"> border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p> </b></p>
<p>New features include</p> <p>New features include</p>
<ol> <ol>
<li>An OLD_PING_HANDLING option has been added to shorewall.conf. <li>An OLD_PING_HANDLING option has been added to shorewall.conf.
When set to Yes, Shorewall ping handling is as it has always been (see When set to Yes, Shorewall ping handling is as it has always been (see
http://www.shorewall.net/ping.html).<br> http://www.shorewall.net/ping.html).<br>
<br>
When OLD_PING_HANDLING=No, icmp echo (ping) is handled via rules
and policies just like any other connection request. The FORWARDPING=Yes
option in shorewall.conf and the 'noping' and 'filterping' options in
/etc/shorewall/interfaces will all generate an error.<br>
<br>
</li>
<li>It is now possible to direct Shorewall to create a "label"
such as  "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes
and ADD_SNAT_ALIASES=Yes. This is done by specifying the label instead
of just the interface name:<br>
 <br>
   a) In the INTERFACE column of /etc/shorewall/masq<br>
   b) In the INTERFACE column of /etc/shorewall/nat<br>
 </li>
<li>Support for OpenVPN Tunnels.<br>
<br> <br>
When OLD_PING_HANDLING=No, icmp echo (ping) is handled via rules and </li>
policies just like any other connection request. The FORWARDPING=Yes option <li>Support for VLAN devices with names of the form $DEV.$VID
in shorewall.conf and the 'noping' and 'filterping' options in /etc/shorewall/interfaces (e.g., eth0.0)<br>
will all generate an error.<br> <br>
</li>
<li>In /etc/shorewall/tcrules, the MARK value may be optionally followed
by ":" and either 'F' or 'P' to designate that the marking will occur in
the FORWARD or PREROUTING chains respectively. If this additional specification
is omitted, the chain used to mark packets will be determined by the setting
of the MARK_IN_FORWARD_CHAIN option in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
<br> <br>
</li> </li>
<li>It is now possible to direct Shorewall to create a "label" such <li>When an interface name is entered in the SUBNET column of
as  "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes the /etc/shorewall/masq file, Shorewall previously masqueraded traffic
and ADD_SNAT_ALIASES=Yes. This is done by specifying the label instead from only the first subnet defined on that interface. It did not masquerade
of just the interface name:<br> traffic from:<br>
 <br>  <br>
   a) In the INTERFACE column of /etc/shorewall/masq<br>    a) The subnets associated with other addresses on the interface.<br>
   b) In the INTERFACE column of /etc/shorewall/nat<br>    b) Subnets accessed through local routers.<br>
 </li>  <br>
<li>Support for OpenVPN Tunnels.<br> Beginning with Shorewall 1.3.14, if you enter an interface name
<br> in the SUBNET column, shorewall will use the firewall's routing table
</li> to construct the masquerading/SNAT rules.<br>
<li>Support for VLAN devices with names of the form $DEV.$VID (e.g.,  <br>
eth0.0)<br> Example 1 -- This is how it works in 1.3.14.<br>
<br>    <br>
</li>
<li>When an interface name is entered in the SUBNET column of the
/etc/shorewall/masq file, Shorewall previously masqueraded traffic from
only the first subnet defined on that interface. It did not masquerade
traffic from:<br>
 <br>
   a) The subnets associated with other addresses on the interface.<br>
   b) Subnets accessed through local routers.<br>
 <br>
Beginning with Shorewall 1.3.14, if you enter an interface name in the
SUBNET column, shorewall will use the firewall's routing table to construct
the masquerading/SNAT rules.<br>
 <br>
Example 1 -- This is how it works in 1.3.14.<br>
   <br>
<pre>   [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre> <pre>   [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<pre>  [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br></pre> <pre>  [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br></pre>
<pre>  [root@gateway test]# shorewall start<br> ...<br> Masqueraded Subnets and Hosts:<br> To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176<br> To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176<br> Processing /etc/shorewall/tos...</pre> <pre>  [root@gateway test]# shorewall start<br> ...<br> Masqueraded Subnets and Hosts:<br> To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176<br> To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176<br> Processing /etc/shorewall/tos...</pre>
 <br>  <br>
When upgrading to Shorewall 1.3.14, if you have multiple local subnets When upgrading to Shorewall 1.3.14, if you have multiple local subnets
connected to an interface that is specified in the SUBNET column of an /etc/shorewall/masq connected to an interface that is specified in the SUBNET column of an
entry, your /etc/shorewall/masq file will need changing. In most cases, /etc/shorewall/masq entry, your /etc/shorewall/masq file will need changing.
you will simply be able to remove redundant entries. In some cases though, In most cases, you will simply be able to remove redundant entries. In some
you might want to change from using the interface name to listing specific cases though, you might want to change from using the interface name to
subnetworks if the change described above will cause masquerading to occur listing specific subnetworks if the change described above will cause masquerading
on subnetworks that you don't wish to masquerade.<br> to occur on subnetworks that you don't wish to masquerade.<br>
 <br>  <br>
Example 2 -- Suppose that your current config is as follows:<br> Example 2 -- Suppose that your current config is as follows:<br>
   <br>    <br>
<pre>   [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> eth0                    192.168.10.0/24         206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre> <pre>   [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> eth0                    192.168.10.0/24         206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<pre>   [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br> [root@gateway test]#</pre> <pre>   [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br> [root@gateway test]#</pre>
 <br>  <br>
   In this case, the second entry in /etc/shorewall/masq is no longer    In this case, the second entry in /etc/shorewall/masq is no longer
required.<br> required.<br>
 <br>  <br>
Example 3 -- What if your current configuration is like this?<br> Example 3 -- What if your current configuration is like this?<br>
 <br>  <br>
<pre>   [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre> <pre>   [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<pre>   [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br> [root@gateway test]#</pre> <pre>   [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br> [root@gateway test]#</pre>
 <br>  <br>
   In this case, you would want to change the entry in  /etc/shorewall/masq    In this case, you would want to change the entry in  /etc/shorewall/masq
to:<br> to:<br>
<pre>   #INTERFACE              SUBNET                  ADDRESS<br> eth0                    192.168.1.0/24          206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre> <pre>   #INTERFACE              SUBNET                  ADDRESS<br> eth0                    192.168.1.0/24          206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
</li> </li>
</ol> </ol>
<br> <br>
<p><b>2/5/2003 - Shorewall Support included in Webmin 1.06</b><b>0 <p><b>2/5/2003 - Shorewall Support included in Webmin 1.06</b><b>0
</b><b><img border="0" src="images/new10.gif" width="28" </b><b><img border="0" src="images/new10.gif" width="28"
height="12" alt="(New)"> height="12" alt="(New)">
</b></p> </b></p>
Webmin version 1.060 now has Shorewall support included as standard. See Webmin version 1.060 now has Shorewall support included as standard.
<a href="http://www.webmin.com">http://www.webmin.com</a>.<b> </b> See <a href="http://www.webmin.com">http://www.webmin.com</a>.<b>
</b>
<p><b></b></p> <p><b></b></p>
<p><b></b></p> <p><b></b></p>
<ul> <ul>
@ -331,6 +355,7 @@ on subnetworks that you don't wish to masquerade.<br>
</ul> </ul>
@ -338,6 +363,7 @@ on subnetworks that you don't wish to masquerade.<br>
<p><b></b><a href="News.htm">More News</a></p> <p><b></b><a href="News.htm">More News</a></p>
@ -352,13 +378,15 @@ on subnetworks that you don't wish to masquerade.<br>
<h2><a name="Donations"></a>Donations</h2> <h2><a name="Donations"></a>Donations</h2>
</td>
<td width="88" bgcolor="#4b017c" </td>
<td width="88" bgcolor="#4b017c"
valign="top" align="center"> <a valign="top" align="center"> <a
href="http://sourceforge.net">M</a></td> href="http://sourceforge.net">M</a></td>
</tr> </tr>
@ -368,9 +396,10 @@ on subnetworks that you don't wish to masquerade.<br>
</table> </table>
</center> </center>
</div>
</div>
@ -378,11 +407,11 @@ on subnetworks that you don't wish to masquerade.<br>
style="border-collapse: collapse;" width="100%" id="AutoNumber2" style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td width="100%" style="margin-top: 1px;"> <td width="100%" style="margin-top: 1px;">
@ -396,7 +425,8 @@ on subnetworks that you don't wish to masquerade.<br>
border="4" src="images/newlog.gif" width="57" height="100" align="left" border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10"> hspace="10">
  </a></p>   </a></p>
@ -409,13 +439,14 @@ on subnetworks that you don't wish to masquerade.<br>
<p align="center"><font size="4" color="#ffffff">Shorewall is free <p align="center"><font size="4" color="#ffffff">Shorewall is free
but if you try it and find it useful, please consider making a donation but if you try it and find it useful, please consider making a donation
to <a to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight href="http://www.starlight.org"><font color="#ffffff">Starlight
Children's Foundation.</font></a> Thanks!</font></p> Children's Foundation.</font></a> Thanks!</font></p>
</td> </td>
</tr>
</tr>
@ -427,9 +458,9 @@ Children's Foundation.</font></a> Thanks!</font></p>
<p><font size="2">Updated 2/7/2003 - <a href="support.htm">Tom Eastep</a></font> <p><font size="2">Updated 2/13/2003 - <a href="support.htm">Tom Eastep</a></font>
<br> <br>
</p> </p>
</body> </body>
</html> </html>

2821
STABLE/documentation/shorewall_setup_guide.htm
View File

File diff suppressed because it is too large Load Diff

264
STABLE/documentation/sourceforge_index.htm
View File

@ -15,7 +15,7 @@
<base target="_self"> <base target="_self">
</head> </head>
<body> <body>
@ -26,11 +26,11 @@
style="border-collapse: collapse;" width="100%" id="AutoNumber3" style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td width="100%" height="90"> <td width="100%" height="90">
@ -46,10 +46,10 @@
alt="Shorwall Logo" height="70" width="85" align="left" alt="Shorwall Logo" height="70" width="85" align="left"
src="images/washington.jpg" border="0"> src="images/washington.jpg" border="0">
</a></i></font><font color="#ffffff">Shorewall </a></i></font><font
1.3 - <font size="4">"<i>iptables color="#ffffff">Shorewall 1.3 - <font
made easy"</i></font></font><a href="http://www.sf.net"> size="4">"<i>iptables made easy"</i></font></font><a
</a></h1> href="http://www.sf.net"> </a></h1>
@ -62,8 +62,9 @@
<div align="center"><a href="/1.2/index.html" target="_top"><font <div align="center"><a href="/1.2/index.html" target="_top"><font
color="#ffffff">Shorewall 1.2 Site here</font></a></div> color="#ffffff">Shorewall 1.2 Site here</font></a></div>
</td>
</tr> </td>
</tr>
@ -82,11 +83,11 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"> style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody> <tbody>
<tr> <tr>
<td width="90%"> <td width="90%">
@ -111,9 +112,10 @@
<p>The Shoreline Firewall, more commonly known as  "Shorewall", is <p>The Shoreline Firewall, more commonly known as  "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based a <a href="http://www.netfilter.org">Netfilter</a> (iptables)
firewall that can be used on a dedicated firewall system, a multi-function based firewall that can be used on a dedicated firewall system,
gateway/router/server or on a standalone GNU/Linux system.</p> a multi-function gateway/router/server or on a standalone GNU/Linux
system.</p>
@ -127,27 +129,27 @@
<p>This program is free software; you can redistribute it and/or modify <p>This program is free software; you can redistribute it and/or modify
it under the terms of it under the terms
<a href="http://www.gnu.org/licenses/gpl.html">Version 2 of of <a href="http://www.gnu.org/licenses/gpl.html">Version
the GNU General Public License</a> as published by the Free Software 2 of the GNU General Public License</a> as published by the Free Software
Foundation.<br> Foundation.<br>
<br> <br>
This program is distributed This program is distributed
in the hope that it will be useful, but in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty WITHOUT ANY WARRANTY; without even the implied
of MERCHANTABILITY or FITNESS FOR A PARTICULAR warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
PURPOSE. See the GNU General Public License PURPOSE. See the GNU General Public License
for more details.<br> for more details.<br>
<br> <br>
You should have received a copy You should have received a
of the GNU General Public License copy of the GNU General Public License
along with this program; if not, write to the Free along with this program; if not, write to the
Software Foundation, Inc., 675 Mass Ave, Cambridge, Free Software Foundation, Inc., 675 Mass Ave,
MA 02139, USA</p> Cambridge, MA 02139, USA</p>
@ -176,15 +178,15 @@ Software Foundation, Inc., 675 Mass Ave, Cambridge
<p> <a href="http://leaf.sourceforge.net" target="_top"><img <p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36"> border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques Nilo and Eric </a>Jacques Nilo and
Wolzak have a LEAF (router/firewall/gateway on Eric Wolzak have a LEAF (router/firewall/gateway
a floppy, CD or compact flash) distribution called on a floppy, CD or compact flash) distribution called
<i>Bering</i> that features Shorewall-1.3.10 <i>Bering</i> that features Shorewall-1.3.10
and Kernel-2.4.18. You can find their work at: and Kernel-2.4.18. You can find their work at:
<a href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p> <a href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
<b>Congratulations to Jacques and <b>Congratulations to Jacques
Eric on the recent release of Bering 1.0 Final!!! <br> and Eric on the recent release of Bering 1.0 Final!!! <br>
</b> </b>
@ -204,98 +206,106 @@ a floppy, CD or compact flash) distribution called
<p><b>2/8/2003 - Shoreawll 1.3.14</b><b> </b><b><img <p><b>2/8/2003 - Shorewall 1.3.14</b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)"> border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p> </b></p>
<p>New features include</p> <p>New features include</p>
<ol> <ol>
<li>An OLD_PING_HANDLING option has been added to shorewall.conf. <li>An OLD_PING_HANDLING option has been added to shorewall.conf.
When set to Yes, Shorewall ping handling is as it has always been (see When set to Yes, Shorewall ping handling is as it has always been (see
http://www.shorewall.net/ping.html).<br> http://www.shorewall.net/ping.html).<br>
<br> <br>
When OLD_PING_HANDLING=No, icmp echo (ping) is handled via rules and When OLD_PING_HANDLING=No, icmp echo (ping) is handled via rules
policies just like any other connection request. The FORWARDPING=Yes option and policies just like any other connection request. The FORWARDPING=Yes
in shorewall.conf and the 'noping' and 'filterping' options in /etc/shorewall/interfaces option in shorewall.conf and the 'noping' and 'filterping' options in
will all generate an error.<br> /etc/shorewall/interfaces will all generate an error.<br>
<br> <br>
</li> </li>
<li>It is now possible to direct Shorewall to create a "label" such <li>It is now possible to direct Shorewall to create a "label"
as  "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes such as  "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes
and ADD_SNAT_ALIASES=Yes. This is done by specifying the label instead and ADD_SNAT_ALIASES=Yes. This is done by specifying the label instead of
of just the interface name:<br> just the interface name:<br>
 <br>  <br>
   a) In the INTERFACE column of /etc/shorewall/masq<br>    a) In the INTERFACE column of /etc/shorewall/masq<br>
   b) In the INTERFACE column of /etc/shorewall/nat<br>    b) In the INTERFACE column of /etc/shorewall/nat<br>
 </li>  </li>
<li>Support for OpenVPN Tunnels.<br> <li>Support for OpenVPN Tunnels.<br>
<br> <br>
</li> </li>
<li>Support for VLAN devices with names of the form $DEV.$VID (e.g., <li>Support for VLAN devices with names of the form $DEV.$VID
eth0.0)<br> (e.g., eth0.0)<br>
<br> <br>
</li> </li>
<li>When an interface name is entered in the SUBNET column of the <li>In /etc/shorewall/tcrules, the MARK value may be optionally followed
/etc/shorewall/masq file, Shorewall previously masqueraded traffic from by ":" and either 'F' or 'P' to designate that the marking will occur in
only the first subnet defined on that interface. It did not masquerade the FORWARD or PREROUTING chains respectively. If this additional specification
is omitted, the chain used to mark packets will be determined by the setting
of the MARK_IN_FORWARD_CHAIN option in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
<br>
</li>
<li>When an interface name is entered in the SUBNET column of
the /etc/shorewall/masq file, Shorewall previously masqueraded traffic
from only the first subnet defined on that interface. It did not masquerade
traffic from:<br> traffic from:<br>
 <br>  <br>
   a) The subnets associated with other addresses on the interface.<br>    a) The subnets associated with other addresses on the interface.<br>
   b) Subnets accessed through local routers.<br>    b) Subnets accessed through local routers.<br>
 <br>  <br>
Beginning with Shorewall 1.3.14, if you enter an interface name in the Beginning with Shorewall 1.3.14, if you enter an interface name in
SUBNET column, shorewall will use the firewall's routing table to construct the SUBNET column, shorewall will use the firewall's routing table to
the masquerading/SNAT rules.<br> construct the masquerading/SNAT rules.<br>
 <br>  <br>
Example 1 -- This is how it works in 1.3.14.<br> Example 1 -- This is how it works in 1.3.14.<br>
   <br>    <br>
<pre>   [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre> <pre>   [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<pre>  [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br></pre> <pre>  [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br></pre>
<pre>  [root@gateway test]# shorewall start<br> ...<br> Masqueraded Subnets and Hosts:<br> To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176<br> To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176<br> Processing /etc/shorewall/tos...</pre> <pre>  [root@gateway test]# shorewall start<br> ...<br> Masqueraded Subnets and Hosts:<br> To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176<br> To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176<br> Processing /etc/shorewall/tos...</pre>
 <br>  <br>
When upgrading to Shorewall 1.3.14, if you have multiple local subnets When upgrading to Shorewall 1.3.14, if you have multiple local subnets
connected to an interface that is specified in the SUBNET column of an /etc/shorewall/masq connected to an interface that is specified in the SUBNET column of an
entry, your /etc/shorewall/masq file will need changing. In most cases, /etc/shorewall/masq entry, your /etc/shorewall/masq file will need changing.
you will simply be able to remove redundant entries. In some cases though, In most cases, you will simply be able to remove redundant entries. In
you might want to change from using the interface name to listing specific some cases though, you might want to change from using the interface name
subnetworks if the change described above will cause masquerading to occur to listing specific subnetworks if the change described above will cause
on subnetworks that you don't wish to masquerade.<br> masquerading to occur on subnetworks that you don't wish to masquerade.<br>
 <br>  <br>
Example 2 -- Suppose that your current config is as follows:<br> Example 2 -- Suppose that your current config is as follows:<br>
   <br>    <br>
<pre>   [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> eth0                    192.168.10.0/24         206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre> <pre>   [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> eth0                    192.168.10.0/24         206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<pre>   [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br> [root@gateway test]#</pre> <pre>   [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br> [root@gateway test]#</pre>
 <br>  <br>
   In this case, the second entry in /etc/shorewall/masq is no longer    In this case, the second entry in /etc/shorewall/masq is no longer
required.<br> required.<br>
 <br>  <br>
Example 3 -- What if your current configuration is like this?<br> Example 3 -- What if your current configuration is like this?<br>
 <br>  <br>
<pre>   [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre> <pre>   [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<pre>   [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br> [root@gateway test]#</pre> <pre>   [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br> [root@gateway test]#</pre>
 <br>  <br>
   In this case, you would want to change the entry in  /etc/shorewall/masq    In this case, you would want to change the entry in  /etc/shorewall/masq
to:<br> to:<br>
<pre>   #INTERFACE              SUBNET                  ADDRESS<br> eth0                    192.168.1.0/24          206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre> <pre>   #INTERFACE              SUBNET                  ADDRESS<br> eth0                    192.168.1.0/24          206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
</li> </li>
</ol> </ol>
<p><b>2/5/2003 - Shorewall Support included in Webmin 1.06</b><b>0 <p><b>2/5/2003 - Shorewall Support included in Webmin 1.06</b><b>0
</b><b><img border="0" src="images/new10.gif" width="28" </b><b><img border="0" src="images/new10.gif" width="28"
height="12" alt="(New)"> height="12" alt="(New)">
</b></p> </b></p>
Webmin version 1.060 now has Shorewall support included as standard. Webmin version 1.060 now has Shorewall support included as standard.
See <a href="http://www.webmin.com">http://www.webmin.com</a> <b> See <a href="http://www.webmin.com">http://www.webmin.com</a> <b>
</b> </b>
<p><b></b></p> <p><b></b></p>
@ -305,6 +315,7 @@ See <a href="http://www.webmin.com">http://www.webmin.com</a> <b>
<ul> <ul>
@ -313,6 +324,7 @@ See <a href="http://www.webmin.com">http://www.webmin.com</a> <b>
</ul> </ul>
@ -321,6 +333,7 @@ See <a href="http://www.webmin.com">http://www.webmin.com</a> <b>
<p><a href="News.htm">More News</a></p> <p><a href="News.htm">More News</a></p>
@ -340,10 +353,12 @@ See <a href="http://www.webmin.com">http://www.webmin.com</a> <b>
<h1 align="center"><a href="http://www.sf.net"><img align="left" <h1 align="center"><a href="http://www.sf.net"><img align="left"
alt="SourceForge Logo" alt="SourceForge Logo"
src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3"> src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3">
</a></h1> </a></h1>
@ -355,6 +370,7 @@ See <a href="http://www.webmin.com">http://www.webmin.com</a> <b>
<h2>This site is hosted by the generous folks at <a <h2>This site is hosted by the generous folks at <a
href="http://www.sf.net">SourceForge.net</a> </h2> href="http://www.sf.net">SourceForge.net</a> </h2>
@ -366,13 +382,13 @@ See <a href="http://www.webmin.com">http://www.webmin.com</a> <b>
<h2><a name="Donations"></a>Donations</h2> <h2><a name="Donations"></a>Donations</h2>
</td> </td>
<td width="88" <td width="88"
bgcolor="#4b017c" valign="top" align="center"> <br> bgcolor="#4b017c" valign="top" align="center"> <br>
</td> </td>
</tr> </tr>
@ -383,9 +399,9 @@ See <a href="http://www.webmin.com">http://www.webmin.com</a> <b>
</table> </table>
</center> </center>
</div> </div>
@ -394,11 +410,11 @@ See <a href="http://www.webmin.com">http://www.webmin.com</a> <b>
style="border-collapse: collapse;" width="100%" id="AutoNumber2" style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td width="100%" <td width="100%"
style="margin-top: 1px;"> style="margin-top: 1px;">
@ -413,7 +429,7 @@ See <a href="http://www.webmin.com">http://www.webmin.com</a> <b>
border="4" src="images/newlog.gif" width="57" height="100" align="left" border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10"> hspace="10">
</a></p> </a></p>
@ -425,15 +441,15 @@ See <a href="http://www.webmin.com">http://www.webmin.com</a> <b>
<p align="center"><font size="4" color="#ffffff">Shorewall is free but <p align="center"><font size="4" color="#ffffff">Shorewall is free
if you try it and find it useful, please consider making a donation but if you try it and find it useful, please consider making a donation
to <a to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight Children's href="http://www.starlight.org"><font color="#ffffff">Starlight
Foundation.</font></a> Thanks!</font></p> Children's Foundation.</font></a> Thanks!</font></p>
</td> </td>
</tr> </tr>
@ -447,7 +463,7 @@ Foundation.</font></a> Thanks!</font></p>
<p><font size="2">Updated 2/7/2003 - <a href="support.htm">Tom Eastep</a></font> <p><font size="2">Updated 2/14/2003 - <a href="support.htm">Tom Eastep</a></font>
<br> <br>
</p> </p>

301
STABLE/documentation/starting_and_stopping_shorewall.htm
View File

@ -20,18 +20,18 @@
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Starting/Stopping and Monitoring <h1 align="center"><font color="#ffffff">Starting/Stopping and Monitoring
the Firewall</font></h1> the Firewall</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
@ -41,13 +41,13 @@
<p> If you have a permanent internet connection such as DSL or Cable, <p> If you have a permanent internet connection such as DSL or Cable,
I recommend that you start the firewall automatically at boot. Once I recommend that you start the firewall automatically at boot. Once
you have installed "firewall" in your init.d directory, simply type you have installed "firewall" in your init.d directory, simply type
"chkconfig --add firewall". This will start the firewall in run "chkconfig --add firewall". This will start the firewall in run
levels 2-5 and stop it in run levels 1 and 6. If you want to configure levels 2-5 and stop it in run levels 1 and 6. If you want to configure
your firewall differently from this default, you can use the "--level" your firewall differently from this default, you can use the "--level"
option in chkconfig (see "man chkconfig") or using your favorite option in chkconfig (see "man chkconfig") or using your favorite
graphical run-level editor.</p> graphical run-level editor.</p>
@ -57,22 +57,22 @@ graphical run-level editor.</p>
<p><strong><u> <font color="#000099"> Important Notes:</font></u></strong><br> <p><strong><u> <font color="#000099"> Important Notes:</font></u></strong><br>
</p> </p>
<ol> <ol>
<li>Shorewall startup is disabled by default. Once you have configured <li>Shorewall startup is disabled by default. Once you have configured
your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled. your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.
Note: Users of the .deb package must edit /etc/default/shorewall and set Note: Users of the .deb package must edit /etc/default/shorewall and
'startup=1'.<br> set 'startup=1'.<br>
</li> </li>
<li>If you use dialup, you may want to start the firewall in <li>If you use dialup, you may want to start the firewall in
your /etc/ppp/ip-up.local script. I recommend just placing "shorewall your /etc/ppp/ip-up.local script. I recommend just placing "shorewall
restart" in that script.</li> restart" in that script.</li>
</ol> </ol>
<p> <p>
</p> </p>
@ -82,19 +82,19 @@ your /etc/ppp/ip-up.local script. I recommend just placing "shorewall
<ul> <ul>
<li>shorewall start - starts the firewall</li> <li>shorewall start - starts the firewall</li>
<li>shorewall stop - stops the firewall</li> <li>shorewall stop - stops the firewall</li>
<li>shorewall restart - stops the firewall (if it's <li>shorewall restart - stops the firewall (if it's
running) and then starts it again</li> running) and then starts it again</li>
<li>shorewall reset - reset the packet and byte counters <li>shorewall reset - reset the packet and byte counters
in the firewall</li> in the firewall</li>
<li>shorewall clear - remove all rules and chains <li>shorewall clear - remove all rules and chains
installed by Shoreline Firewall</li> installed by Shoreline Firewall</li>
<li>shorewall refresh - refresh the rules involving the broadcast <li>shorewall refresh - refresh the rules involving the broadcast
addresses of firewall interfaces and the black and white lists.</li> addresses of firewall interfaces and the black and white lists.</li>
</ul> </ul>
If you include the keyword <i>debug</i> as the first argument, then a If you include the keyword <i>debug</i> as the first argument, then a
shell trace of the command is produced as in:<br> shell trace of the command is produced as in:<br>
<pre> <font color="#009900"><b>shorewall debug start 2&gt; /tmp/trace</b></font><br></pre> <pre> <font color="#009900"><b>shorewall debug start 2&gt; /tmp/trace</b></font><br></pre>
@ -102,65 +102,65 @@ shell trace of the command is produced as in:<br>
<p>The above command would trace the 'start' command and place the trace information <p>The above command would trace the 'start' command and place the trace
in the file /tmp/trace<br> information in the file /tmp/trace<br>
</p> </p>
<p>The <a href="#StateDiagram">Shorewall State Diagram</a> is shown at the <p>The <a href="#StateDiagram">Shorewall State Diagram</a> is shown at the
bottom of this page.<br> bottom of this page.<br>
</p> </p>
<p>The "shorewall" program may also be used to monitor the firewall.</p> <p>The "shorewall" program may also be used to monitor the firewall.</p>
<ul> <ul>
<li>shorewall status - produce a verbose report about the firewall <li>shorewall status - produce a verbose report about the firewall
(iptables -L -n -v)</li> (iptables -L -n -v)</li>
<li>shorewall show <i>chain</i> - produce a verbose report about <li>shorewall show <i>chain</i> - produce a verbose report about
<i>chain </i>(iptables -L <i>chain</i> -n -v)</li> <i>chain </i>(iptables -L <i>chain</i> -n -v)</li>
<li>shorewall show nat - produce a verbose report about the nat <li>shorewall show nat - produce a verbose report about the nat
table (iptables -t nat -L -n -v)</li> table (iptables -t nat -L -n -v)</li>
<li>shorewall show tos - produce a verbose report about the mangle <li>shorewall show tos - produce a verbose report about the mangle
table (iptables -t mangle -L -n -v)</li> table (iptables -t mangle -L -n -v)</li>
<li>shorewall show log - display the last 20 packet log entries.</li> <li>shorewall show log - display the last 20 packet log entries.</li>
<li>shorewall show connections - displays the IP connections currently <li>shorewall show connections - displays the IP connections
being tracked by the firewall.</li> currently being tracked by the firewall.</li>
<li>shorewall <li>shorewall
show show
tc - displays information tc - displays information
about the traffic control/shaping configuration.</li> about the traffic control/shaping configuration.</li>
<li>shorewall monitor [ delay ] - Continuously display the firewall <li>shorewall monitor [ delay ] - Continuously display the firewall
status, last 20 log entries and nat. When the log entry display status, last 20 log entries and nat. When the log entry display
changes, an audible alarm is sounded.</li> changes, an audible alarm is sounded.</li>
<li>shorewall hits - Produces several reports about the Shorewall <li>shorewall hits - Produces several reports about the Shorewall
packet log messages in the current /var/log/messages file.</li> packet log messages in the current /var/log/messages file.</li>
<li>shorewall version - Displays the installed version number.</li> <li>shorewall version - Displays the installed version number.</li>
<li>shorewall check - Performs a <u>cursory</u> validation <li>shorewall check - Performs a <u>cursory</u> validation
of the zones, interfaces, hosts, rules and policy files. <font of the zones, interfaces, hosts, rules and policy files. <font
size="4" color="#ff6666"><b>The "check" command does not parse and validate size="4" color="#ff6666"><b>The "check" command does not parse and validate
the generated iptables commands so even though the "check" command the generated iptables commands so even though the "check" command
completes successfully, the configuration may fail to start. See the completes successfully, the configuration may fail to start. See the
recommended way to make configuration changes described below. </b></font> recommended way to make configuration changes described below. </b></font>
</li> </li>
<li>shorewall try<i> configuration-directory</i> [<i> timeout</i> <li>shorewall try<i> configuration-directory</i> [<i> timeout</i>
] - Restart shorewall using the specified configuration and if an ] - Restart shorewall using the specified configuration and if an
error occurs or if the<i> timeout </i> option is given and the new configuration error occurs or if the<i> timeout </i> option is given and the new configuration
has been up for that many seconds then shorewall is restarted using has been up for that many seconds then shorewall is restarted using
the standard configuration.</li> the standard configuration.</li>
<li>shorewall deny, shorewall reject, shorewall accept and shorewall <li>shorewall deny, shorewall reject, shorewall accept and shorewall
save implement <a href="blacklisting_support.htm">dynamic blacklisting</a>.</li> save implement <a href="blacklisting_support.htm">dynamic blacklisting</a>.</li>
<li>shorewall logwatch (added in version 1.3.2) - Monitors the <li>shorewall logwatch (added in version 1.3.2) - Monitors the
<a href="#Conf">LOGFILE </a>and produces an audible alarm when new <a href="#Conf">LOGFILE </a>and produces an audible alarm when new
Shorewall messages are logged.</li> Shorewall messages are logged.</li>
</ul> </ul>
Finally, the "shorewall" program may be used to dynamically alter the Finally, the "shorewall" program may be used to dynamically alter the
contents of a zone.<br> contents of a zone.<br>
<ul> <ul>
<li>shorewall add <i>interface</i>[:<i>host]</i> <i>zone </i>- Adds <li>shorewall add <i>interface</i>[:<i>host]</i> <i>zone </i>- Adds
the specified interface (and host if included) to the specified zone.</li> the specified interface (and host if included) to the specified zone.</li>
<li>shorewall delete <i>interface</i>[:<i>host]</i> <i>zone </i>- <li>shorewall delete <i>interface</i>[:<i>host]</i> <i>zone </i>-
Deletes the specified interface (and host if included) from the specified Deletes the specified interface (and host if included) from the specified
zone.</li> zone.</li>
@ -169,11 +169,11 @@ zone.</li>
<blockquote>Examples:<br> <blockquote>Examples:<br>
<blockquote><font color="#009900"><b>shorewall add ipsec0:192.0.2.24 vpn1</b></font> <blockquote><font color="#009900"><b>shorewall add ipsec0:192.0.2.24 vpn1</b></font>
-- adds the address 192.0.2.24 from interface ipsec0 to the zone vpn1<br> -- adds the address 192.0.2.24 from interface ipsec0 to the zone vpn1<br>
<font color="#009900"><b> shorewall delete ipsec0:192.0.2.24 vpn1</b></font> <font color="#009900"><b> shorewall delete ipsec0:192.0.2.24 vpn1</b></font>
-- deletes the address 192.0.2.24 from interface ipsec0 from zone vpn1<br> -- deletes the address 192.0.2.24 from interface ipsec0 from zone vpn1<br>
</blockquote> </blockquote>
</blockquote> </blockquote>
<p> The <b>shorewall start</b>, <b>shorewall restart, shorewall check </b> and <p> The <b>shorewall start</b>, <b>shorewall restart, shorewall check </b> and
@ -186,8 +186,8 @@ zone.</li>
<p> shorewall [ -c <i>configuration-directory</i> ] {start|restart|check}<br> <p> shorewall [ -c <i>configuration-directory</i> ] {start|restart|check}<br>
shorewall try <i>configuration-directory</i></p> shorewall try <i>configuration-directory</i></p>
</blockquote> </blockquote>
<p> If a <i>configuration-directory</i> is specified, each time that Shorewall <p> If a <i>configuration-directory</i> is specified, each time that Shorewall
@ -199,32 +199,32 @@ zone.</li>
<p> When changing the configuration of a production firewall, I recommend <p> When changing the configuration of a production firewall, I recommend
the following:</p> the following:</p>
<ul> <ul>
<li><font color="#009900"><b>mkdir /etc/test</b></font></li> <li><font color="#009900"><b>mkdir /etc/test</b></font></li>
<li><font color="#009900"><b>cd /etc/test</b></font></li> <li><font color="#009900"><b>cd /etc/test</b></font></li>
<li>&lt;copy any files that you need to change from /etc/shorewall <li>&lt;copy any files that you need to change from /etc/shorewall
to . and change them here&gt;</li> to . and change them here&gt;</li>
<li><font color="#009900"><b>shorewall -c . check</b></font></li> <li><font color="#009900"><b>shorewall -c . check</b></font></li>
<li>&lt;correct any errors found by check and check again&gt;</li> <li>&lt;correct any errors found by check and check again&gt;</li>
<li><font color="#009900"><b>/sbin/shorewall try .</b></font></li> <li><font color="#009900"><b>/sbin/shorewall try .</b></font></li>
</ul> </ul>
<p> If the configuration starts but doesn't work, just "shorewall restart" <p> If the configuration starts but doesn't work, just "shorewall restart"
to restore the old configuration. If the new configuration fails to start, to restore the old configuration. If the new configuration fails to
the "try" command will automatically start the old one for you.</p> start, the "try" command will automatically start the old one for you.</p>
@ -236,11 +236,11 @@ zone.</li>
<ul> <ul>
<li><font color="#009900"><b>cp * /etc/shorewall</b></font></li> <li><font color="#009900"><b>cp * /etc/shorewall</b></font></li>
<li><font color="#009900"><b>cd</b></font></li> <li><font color="#009900"><b>cd</b></font></li>
<li><font color="#009900"><b>rm -rf /etc/test</b></font></li> <li><font color="#009900"><b>rm -rf /etc/test</b></font></li>
</ul> </ul>
@ -248,82 +248,83 @@ zone.</li>
<p><a name="StateDiagram"></a>The Shorewall State Diargram is depicted below.<br> <p><a name="StateDiagram"></a>The Shorewall State Diargram is depicted below.<br>
</p> </p>
<div align="center"><img
src="file:///J:/Shorewall-docs/images/State_Diagram.png" <div align="center"><img src="images/State_Diagram.png"
alt="(State Diagram)" width="747" height="714" align="middle"> alt="(State Diagram)" width="747" height="714" align="middle">
<br> <br>
</div> </div>
<p>  <br> <p>  <br>
</p> </p>
You will note that the commands that result in state transitions use You will note that the commands that result in state transitions use
the word "firewall" rather than "shorewall". That is because the actual the word "firewall" rather than "shorewall". That is because the actual transitions
transitions are done by /usr/lib/shorewall/firewall (/usr/share/shorewall/firewall are done by /usr/lib/shorewall/firewall (/usr/share/shorewall/firewall on
on Debian); /sbin/shorewall runs 'firewall" according to the following table:<br> Debian); /sbin/shorewall runs 'firewall" according to the following table:<br>
<br> <br>
<table cellpadding="2" cellspacing="2" border="1"> <table cellpadding="2" cellspacing="2" border="1">
<tbody> <tbody>
<tr> <tr>
<td valign="top">shorewall start<br> <td valign="top">shorewall start<br>
</td> </td>
<td valign="top">firewall start<br> <td valign="top">firewall start<br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top">shorewall stop<br> <td valign="top">shorewall stop<br>
</td> </td>
<td valign="top">firewall stop<br> <td valign="top">firewall stop<br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top">shorewall restart<br> <td valign="top">shorewall restart<br>
</td> </td>
<td valign="top">firewall restart<br> <td valign="top">firewall restart<br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top">shorewall add<br> <td valign="top">shorewall add<br>
</td> </td>
<td valign="top">firewall add<br> <td valign="top">firewall add<br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top">shorewall delete<br> <td valign="top">shorewall delete<br>
</td> </td>
<td valign="top">firewall delete<br> <td valign="top">firewall delete<br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top">shorewall refresh<br> <td valign="top">shorewall refresh<br>
</td> </td>
<td valign="top">firewall refresh<br> <td valign="top">firewall refresh<br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top">shorewall try<br> <td valign="top">shorewall try<br>
</td> </td>
<td valign="top">firewall -c &lt;new configuration&gt; restart<br> <td valign="top">firewall -c &lt;new configuration&gt; restart<br>
If unsuccessful then firewall start (standard configuration)<br> If unsuccessful then firewall start (standard configuration)<br>
If timeout then firewall restart (standard configuration)<br> If timeout then firewall restart (standard configuration)<br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br> <br>
<p><font size="2"> Updated 1/29/2003 - <a href="support.htm">Tom Eastep</a> <p><font size="2"> Updated 2/10/2003 - <a href="support.htm">Tom Eastep</a>
</font></p> </font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
<br> <br>
<br>
<br> <br>
<br> <br>
<br> <br>

319
STABLE/documentation/support.htm
View File

@ -26,51 +26,52 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Support<img <h1 align="center"><font color="#ffffff">Shorewall Support<img
src="images/obrasinf.gif" alt="" width="90" height="90" align="middle"> src="images/obrasinf.gif" alt="" width="90" height="90" align="middle">
</font></h1> </font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p> <b><big><big><font color="#ff0000">While I don't answer Shorewall  questions <p> <b><big><big><font color="#ff0000">While I don't answer Shorewall  questions
emailed directly to me, I try to spend some time each day answering questions emailed directly to me, I try to spend some time each day answering questions
on the Shorewall Users Mailing List.</font></big><span on the Shorewall Users Mailing List.</font></big><span
style="font-weight: 400;"></span></big></b></p> style="font-weight: 400;"></span></big></b></p>
<h2 align="center"><big><font color="#ff0000"><b>-Tom Eastep</b></font></big></h2> <h2 align="center"><big><font color="#ff0000"><b>-Tom Eastep</b></font></big></h2>
<h1>Before Reporting a Problem</h1> <h1>Before Reporting a Problem</h1>
<i>"Well at least you tried to read the documentation, which is a lot more <i>"Well at least you tried to read the documentation, which is a lot more
than some people on this list appear to do.</i>"<br> than some people on this list appear to do.</i>"<br>
<br> <br>
<div align="center">- Wietse Venema - On the Postfix mailing list<br> <div align="center">- Wietse Venema - On the Postfix mailing list<br>
</div> </div>
<br> <br>
There are a number of sources for There are a number of sources for
problem solution information. Please try these before you post. problem solution information. Please try these before you post.
<h3> </h3> <h3> </h3>
<h3> </h3> <h3> </h3>
<ul> <ul>
<li>More than half of the questions posted on the support <li>More than half of the questions posted on the support
list have answers directly accessible from the <a list have answers directly accessible from the <a
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a><br> href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a><br>
<br> <br>
</li> </li>
<li> The <a href="FAQ.htm">FAQ</a> <li> The <a href="FAQ.htm">FAQ</a>
has solutions to more than 20 common problems. </li> has solutions to more than 20 common problems. </li>
</ul> </ul>
@ -78,27 +79,27 @@ problem solution information. Please try these before you post.
<h3> </h3> <h3> </h3>
<ul> <ul>
<li> The <a <li> The <a
href="troubleshoot.htm">Troubleshooting</a> Information contains href="troubleshoot.htm">Troubleshooting</a> Information contains
a number of tips to help you solve common problems. </li> a number of tips to help you solve common problems. </li>
</ul> </ul>
<h3> </h3> <h3> </h3>
<ul> <ul>
<li> The <a <li> The <a
href="errata.htm"> Errata</a> has links to download updated href="errata.htm"> Errata</a> has links to download updated
components. </li> components. </li>
</ul> </ul>
<h3> </h3> <h3> </h3>
<ul> <ul>
<li> The Mailing List <li> The Mailing List
Archives search facility can locate posts about similar problems: Archives search facility can locate posts about similar
</li> problems: </li>
</ul> </ul>
@ -116,13 +117,13 @@ Archives search facility can locate posts about similar problem
<option value="or">Any </option> <option value="or">Any </option>
<option value="boolean">Boolean </option> <option value="boolean">Boolean </option>
</select> </select>
Format: Format:
<select name="format"> <select name="format">
<option value="builtin-long">Long </option> <option value="builtin-long">Long </option>
<option value="builtin-short">Short </option> <option value="builtin-short">Short </option>
</select> </select>
Sort by: Sort by:
<select name="sort"> <select name="sort">
<option value="score">Score </option> <option value="score">Score </option>
@ -132,57 +133,58 @@ Archives search facility can locate posts about similar problem
<option value="revtime">Reverse Time </option> <option value="revtime">Reverse Time </option>
<option value="revtitle">Reverse Title </option> <option value="revtitle">Reverse Title </option>
</select> </select>
</font> <input type="hidden" </font> <input type="hidden"
name="config" value="htdig"> <input type="hidden" name="restrict" name="config" value="htdig"> <input type="hidden" name="restrict"
value="[http://lists.shorewall.net/pipermail/.*]"> <input type="hidden" value="[http://lists.shorewall.net/pipermail/.*]"> <input type="hidden"
name="exclude" value=""> <br> name="exclude" value=""> <br>
Search: <input type="text" size="30" Search: <input type="text" size="30"
name="words" value=""> <input type="submit" value="Search"> </p> name="words" value=""> <input type="submit" value="Search"> </p>
</form> </form>
<h2>Problem Reporting Guidelines </h2> <h2>Problem Reporting Guidelines </h2>
<i>"Let me see if I can translate your message into a real-world <i>"Let me see if I can translate your message into a real-world
example. It would be like saying that you have three rooms at home, example. It would be like saying that you have three rooms at home,
and when you walk into one of the rooms, you detect this strange smell. and when you walk into one of the rooms, you detect this strange smell.
Can anyone tell you what that strange smell is?<br> Can anyone tell you what that strange smell is?<br>
<br> <br>
Now, all of us could do some wonderful guessing as to the Now, all of us could do some wonderful guessing as to the
smell and even what's causing it. You would be absolutely amazed smell and even what's causing it. You would be absolutely amazed at
at the range and variety of smells we could come up with. Even more the range and variety of smells we could come up with. Even more amazing
amazing is that all of the explanations for the smells would be completely is that all of the explanations for the smells would be completely plausible."<br>
plausible."<br> </i><br>
</i><br>
<div align="center"> - <i>Russell Mosemann</i> on the Postfix mailing list<br> <div align="center"> - <i>Russell Mosemann</i> on the Postfix mailing list<br>
</div> </div>
<br> <br>
<h3> </h3> <h3> </h3>
<ul> <ul>
<li>Please remember we only know what is posted in your message. <li>Please remember we only know what is posted in your message.
Do not leave out any information that appears to be correct, or was mentioned Do not leave out any information that appears to be correct, or was
in a previous post. There have been countless posts by people who were mentioned in a previous post. There have been countless posts by people
sure that some part of their configuration was correct when it actually who were sure that some part of their configuration was correct when
contained a small error. We tend to be skeptics where detail is lacking.<br> it actually contained a small error. We tend to be skeptics where detail
<br> is lacking.<br>
</li> <br>
<li>Please keep in mind that you're asking for <strong>free</strong> </li>
technical support. Any help we offer is an act of generosity, not an obligation. <li>Please keep in mind that you're asking for <strong>free</strong>
Try to make it easy for us to help you. Follow good, courteous practices technical support. Any help we offer is an act of generosity, not an
in writing and formatting your e-mail. Provide details that we need if obligation. Try to make it easy for us to help you. Follow good, courteous
you expect good answers. <em>Exact quoting </em> of error messages, log practices in writing and formatting your e-mail. Provide details that
entries, command output, and other output is better than a paraphrase or we need if you expect good answers. <em>Exact quoting </em> of error messages,
summary.<br> log entries, command output, and other output is better than a paraphrase
<br> or summary.<br>
</li> <br>
<li> Please don't describe your </li>
environment and then ask us to send you custom configuration <li> Please don't describe
files. We're here to answer your questions but we can't your environment and then ask us to send you custom
do your job for you.<br> configuration files. We're here to answer your questions but
<br> we can't do your job for you.<br>
</li> <br>
<li>When reporting a problem, <strong>ALWAYS</strong> include </li>
<li>When reporting a problem, <strong>ALWAYS</strong> include
this information:</li> this information:</li>
</ul> </ul>
@ -190,83 +192,83 @@ this information:</li>
<ul> <ul>
<ul> <ul>
<li>the exact version of Shorewall you are running.<br> <li>the exact version of Shorewall you are running.<br>
<br> <br>
<b><font color="#009900">shorewall version</font><br> <b><font color="#009900">shorewall version</font><br>
</b> <br> </b> <br>
</li> </li>
</ul> </ul>
<ul> <ul>
<li>the exact kernel version you are running<br> <li>the exact kernel version you are running<br>
<br> <br>
<font color="#009900"><b>uname -a<br> <font color="#009900"><b>uname -a<br>
<br> <br>
</b></font></li> </b></font></li>
</ul> </ul>
<ul> <ul>
<li>the complete, exact output of<br> <li>the complete, exact output of<br>
<br> <br>
<font color="#009900"><b>ip addr show<br> <font color="#009900"><b>ip addr show<br>
<br> <br>
</b></font></li> </b></font></li>
</ul> </ul>
<ul> <ul>
<li>the complete, exact output of<br> <li>the complete, exact output of<br>
<br> <br>
<font color="#009900"><b>ip route show<br> <font color="#009900"><b>ip route show<br>
<br> <br>
</b></font></li> </b></font></li>
</ul> </ul>
<ul> <ul>
<li>If your kernel is modularized, the exact output from<br> <li>If your kernel is modularized, the exact output from<br>
<br> <br>
<font color="#009900"><b>lsmod</b></font><br> <font color="#009900"><b>lsmod</b></font><br>
<br> <br>
</li> </li>
<li>the exact wording of any <code <li>the exact wording of any <code
style="color: green; font-weight: bold;">ping</code> failure responses<br> style="color: green; font-weight: bold;">ping</code> failure responses<br>
<br> <br>
</li> </li>
<li>If you installed Shorewall using one of the QuickStart Guides, please <li>If you installed Shorewall using one of the QuickStart Guides,
indicate which one. <br> please indicate which one. <br>
<br> <br>
</li> </li>
<li><b>If you are running Shorewall under Mandrake using the Mandrake <li><b>If you are running Shorewall under Mandrake using the Mandrake
installation of Shorewall, please say so.</b><br> installation of Shorewall, please say so.</b><br>
<br> <br>
</li> </li>
</ul> </ul>
</ul> </ul>
<ul> <ul>
<li><b>NEVER </b>include the output of "<b><font <li><b>NEVER </b>include the output of "<b><font
color="#009900">iptables -L</font></b>". Instead, if you are having connection color="#009900">iptables -L</font></b>". Instead, <b>if you are having
problems of any kind, post the exact output of<br> connection problems of any kind</b>, post the exact output of<br>
<br> <br>
<b><font color="#009900">/sbin/shorewall status<br> <b><font color="#009900">/sbin/shorewall status<br>
<br> <br>
</font></b>Since that command generates a lot of output, we </font></b>Since that command generates a lot of output, we
suggest that you redirect the output to a file and attach the file to suggest that you redirect the output to a file and attach the file to
your post<br> your post<br>
<br> <br>
<b><font color="#009900">/sbin/shorewall status &gt; /tmp/status.txt</font></b><br> <b><font color="#009900">/sbin/shorewall status &gt; /tmp/status.txt</font></b><br>
<br> <br>
</li> </li>
<li>As a general matter, please <strong>do not edit the diagnostic <li>As a general matter, please <strong>do not edit the diagnostic
information</strong> in an attempt to conceal your IP address, netmask, information</strong> in an attempt to conceal your IP address, netmask,
nameserver addresses, domain name, etc. These aren't secrets, and concealing nameserver addresses, domain name, etc. These aren't secrets, and concealing
them often misleads us (and 80% of the time, a hacker could derive them them often misleads us (and 80% of the time, a hacker could derive them
anyway from information contained in the SMTP headers of your post).<strong></strong></li> anyway from information contained in the SMTP headers of your post).<strong></strong></li>
</ul> </ul>
@ -283,18 +285,18 @@ your post<br>
<h3> </h3> <h3> </h3>
<ul> <ul>
<li> Do you see any "Shorewall" <li> Do you see any
messages ("<b><font color="#009900">/sbin/shorewall show log</font></b>") "Shorewall" messages ("<b><font color="#009900">/sbin/shorewall show
when you exercise the function that is giving you problems? If log</font></b>") when you exercise the function that is giving
so, include the message(s) in your post along with a copy of your /etc/shorewall/interfaces you problems? If so, include the message(s) in your post along with a
file.<br> copy of your /etc/shorewall/interfaces file.<br>
<br> <br>
</li> </li>
<li>Please include any of the Shorewall configuration files <li>Please include any of the Shorewall configuration files
(especially the /etc/shorewall/hosts file if you have modified (especially the /etc/shorewall/hosts file if you have modified
that file) that you think are relevant. If you include /etc/shorewall/rules, that file) that you think are relevant. If you include /etc/shorewall/rules,
please include /etc/shorewall/policy as well (rules are meaningless unless please include /etc/shorewall/policy as well (rules are meaningless
one also knows the policies). </li> unless one also knows the policies). </li>
</ul> </ul>
@ -307,25 +309,25 @@ your post<br>
<h3> </h3> <h3> </h3>
<ul> <ul>
<li> If an error occurs <li> If an error occurs
when you try to "<font color="#009900"><b>shorewall start</b></font>", when you try to "<font color="#009900"><b>shorewall start</b></font>",
include a trace (See the <a href="troubleshoot.htm">Troubleshooting</a> include a trace (See the <a href="troubleshoot.htm">Troubleshooting</a>
section for instructions). </li> section for instructions). </li>
</ul> </ul>
<h3> </h3> <h3> </h3>
<ul> <ul>
<li> <li>
<h3><b>The list server limits posts to 120kb so don't post GIFs of <h3><b>The list server limits posts to 120kb so don't post GIFs of
your network layout, etc. to the Mailing List -- your your network layout, etc. to the Mailing List -- your
post will be rejected.</b></h3> post will be rejected.</b></h3>
</li> </li>
</ul> </ul>
The author gratefully acknowleges that the above list was heavily The author gratefully acknowleges that the above list was heavily
plagiarized from the excellent LEAF document by <i>Ray</i> <em>Olszewski</em> plagiarized from the excellent LEAF document by <i>Ray</i> <em>Olszewski</em>
found at <a found at <a
href="http://leaf-project.org/pub/doc/docmanager/docid_1891.html">http://leaf-project.org/pub/doc/docmanager/docid_1891.html</a>.<br> href="http://leaf-project.org/pub/doc/docmanager/docid_1891.html">http://leaf-project.org/pub/doc/docmanager/docid_1891.html</a>.<br>
@ -333,19 +335,19 @@ when you try to "<font color="#009900"><b>shorewall start</b></font>",
<h2>Please post in plain text</h2> <h2>Please post in plain text</h2>
<blockquote> </blockquote> <blockquote> </blockquote>
A growing number of MTAs serving list subscribers are rejecting A growing number of MTAs serving list subscribers are rejecting
all HTML traffic. At least one MTA has gone so far as to blacklist shorewall.net all HTML traffic. At least one MTA has gone so far as to blacklist shorewall.net
"for continuous abuse" because it has been my policy to allow HTML in "for continuous abuse" because it has been my policy to allow HTML in
list posts!!<br> list posts!!<br>
<br> <br>
I think that blocking all HTML is a Draconian way to control I think that blocking all HTML is a Draconian way to control
spam and that the ultimate losers here are not the spammers but the spam and that the ultimate losers here are not the spammers but the list
list subscribers whose MTAs are bouncing all shorewall.net mail. As subscribers whose MTAs are bouncing all shorewall.net mail. As one
one list subscriber wrote to me privately "These e-mail admin's need list subscriber wrote to me privately "These e-mail admin's need to get
to get a <i>(expletive deleted)</i> life instead of trying to rid the a <i>(expletive deleted)</i> life instead of trying to rid the planet
planet of HTML based e-mail". Nevertheless, to allow subscribers to receive of HTML based e-mail". Nevertheless, to allow subscribers to receive list
list posts as must as possible, I have now configured the list server posts as must as possible, I have now configured the list server at shorewall.net
at shorewall.net to strip all HTML from outgoing posts.<br> to strip all HTML from outgoing posts.<br>
<h2>Where to Send your Problem Report or to Ask for Help</h2> <h2>Where to Send your Problem Report or to Ask for Help</h2>
@ -354,33 +356,34 @@ at shorewall.net to strip all HTML from outgoing posts.<br>
style="font-weight: 400;">please post your question or problem style="font-weight: 400;">please post your question or problem
to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF Users to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF Users
mailing list</a>.</span></h4> mailing list</a>.</span></h4>
<b>If you run Shorewall under MandrakeSoft Multi Network Firewall <b>If you run Shorewall under MandrakeSoft Multi Network Firewall
(MNF) and you have not purchased an MNF license from MandrakeSoft then (MNF) and you have not purchased an MNF license from MandrakeSoft then
you can post non MNF-specific Shorewall questions to the </b><a you can post non MNF-specific Shorewall questions to the </b><a
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
list.</a> <b>Do not expect to get free MNF support on the list.</b><br> list.</a> <b>Do not expect to get free MNF support on the list.</b><br>
<p>Otherwise, please post your question or problem to the <a <p>Otherwise, please post your question or problem to the <a
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
list.</a></p> list.</a></p>
</blockquote> </blockquote>
<p>To Subscribe to the mailing list go to <a <p>To Subscribe to the mailing list go to <a
href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a> href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a>
.</p> .</p>
<p align="left"><font size="2">Last Updated 2/4/2003 - Tom Eastep</font></p> <p align="left"><font size="2">Last Updated 2/9/2003 - Tom Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br> size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p> </p>
<br> <br>
<br> <br>
<br> <br>
<br>
<br> <br>
<br> <br>
</body> </body>

433
STABLE/documentation/traffic_shaping.htm
View File

@ -17,94 +17,98 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Traffic Shaping/Control</font></h1> <h1 align="center"><font color="#ffffff">Traffic Shaping/Control</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p align="left">Beginning with version 1.2.0, Shorewall has limited support <p align="left">Beginning with version 1.2.0, Shorewall has limited support
for traffic shaping/control. In order to use traffic shaping under Shorewall, for traffic shaping/control. In order to use traffic shaping under Shorewall,
it is essential that you get a copy of the <a it is essential that you get a copy of the <a
href="http://ds9a.nl/lartc">Linux Advanced Routing and Shaping HOWTO</a>, href="http://ds9a.nl/lartc">Linux Advanced Routing and Shaping HOWTO</a>,
version 0.3.0 or later. You must also install the iproute (iproute2) package version 0.3.0 or later. You must also install the iproute (iproute2)
to provide the "ip" and "tc" utilities.</p> package to provide the "ip" and "tc" utilities.</p>
<p align="left">Shorewall traffic shaping support consists of the following:</p> <p align="left">Shorewall traffic shaping support consists of the following:</p>
<ul> <ul>
<li>A new <b>TC_ENABLED</b> parameter in /etc/shorewall.conf. <li>A new <b>TC_ENABLED</b> parameter in /etc/shorewall.conf.
Traffic Shaping also requires that you enable packet mangling.</li> Traffic Shaping also requires that you enable packet mangling.</li>
<li>A new <b>CLEAR_TC </b>parameter in /etc/shorewall.conf (Added in Shorewall <li>A new <b>CLEAR_TC </b>parameter in /etc/shorewall.conf (Added in
1.3.13). When Traffic Shaping is enabled (TC_ENABLED=Yes), the setting of Shorewall 1.3.13). When Traffic Shaping is enabled (TC_ENABLED=Yes), the
this variable determines whether Shorewall clears the traffic shaping configuration setting of this variable determines whether Shorewall clears the traffic
during Shorewall [re]start and Shorewall stop. <br> shaping configuration during Shorewall [re]start and Shorewall stop. <br>
</li> </li>
<li><b>/etc/shorewall/tcrules</b> - A file where you can specify <li><b>/etc/shorewall/tcrules</b> - A file where you can specify
firewall marking of packets. The firewall mark value may be used to firewall marking of packets. The firewall mark value may be used
classify packets for traffic shaping/control.<br> to classify packets for traffic shaping/control.<br>
</li> </li>
<li><b>/etc/shorewall/tcstart </b>- A user-supplied file that <li><b>/etc/shorewall/tcstart </b>- A user-supplied file that
is sourced by Shorewall during "shorewall start" and which you can is sourced by Shorewall during "shorewall start" and which you can
use to define your traffic shaping disciplines and classes. I have use to define your traffic shaping disciplines and classes. I have
provided a <a href="ftp://ftp.shorewall.net/pub/shorewall/cbq">sample</a> provided a <a href="ftp://ftp.shorewall.net/pub/shorewall/cbq">sample</a>
that does table-driven CBQ shaping but if you read the traffic shaping that does table-driven CBQ shaping but if you read the traffic shaping
sections of the HOWTO mentioned above, you can probably code your sections of the HOWTO mentioned above, you can probably code your
own faster than you can learn how to use my sample. I personally use own faster than you can learn how to use my sample. I personally
<a href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB</a> (see below). use <a href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB</a> (see
HTB support may eventually become an integral part of Shorewall since below). HTB support may eventually become an integral part of Shorewall
HTB is a lot simpler and better-documented than CBQ. As of 2.4.20, since HTB is a lot simpler and better-documented than CBQ. As of 2.4.20,
HTB is a standard part of the kernel but iproute2 must be patched in HTB is a standard part of the kernel but iproute2 must be patched in
order to use it.<br> order to use it.<br>
<br> <br>
In tcstart, when you want to run the 'tc' utility, use the In tcstart, when you want to run the 'tc' utility, use the
run_tc function supplied by shorewall if you want tc errors to stop run_tc function supplied by shorewall if you want tc errors to stop
the firewall.<br> the firewall.<br>
<br> <br>
You can generally use off-the-shelf traffic shaping scripts by simply You can generally use off-the-shelf traffic shaping scripts by simply
copying them to /etc/shorewall/tcstart. I use <a copying them to /etc/shorewall/tcstart. I use <a
href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (HTB version) href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (HTB version)
that way (i.e., I just copied wshaper.htb to /etc/shorewall/tcstart and that way (i.e., I just copied wshaper.htb to /etc/shorewall/tcstart and
modified it according to the Wonder Shaper README). <b>WARNING: </b>If you modified it according to the Wonder Shaper README). <b>WARNING: </b>If
use use Masquerading or SNAT (i.e., you only have one external IP address) you use use Masquerading or SNAT (i.e., you only have one external IP address)
then listing internal hosts in the NOPRIOHOSTSRC variable in the wshaper[.htb] then listing internal hosts in the NOPRIOHOSTSRC variable in the wshaper[.htb]
script won't work. Traffic shaping occurs after SNAT has already been applied script won't work. Traffic shaping occurs after SNAT has already been applied
so when traffic shaping happens, all outbound traffic will have as a source so when traffic shaping happens, all outbound traffic will have as a source
address the IP addresss of your firewall's external interface.<br> address the IP addresss of your firewall's external interface.<br>
</li> </li>
<li><b>/etc/shorewall/tcclear</b> - A user-supplied file that <li><b>/etc/shorewall/tcclear</b> - A user-supplied file that
is sourced by Shorewall when it is clearing traffic shaping. This is sourced by Shorewall when it is clearing traffic shaping. This
file is normally not required as Shorewall's method of clearing qdisc file is normally not required as Shorewall's method of clearing qdisc
and filter definitions is pretty general.</li> and filter definitions is pretty general.</li>
</ul> </ul>
Shorewall allows you to start traffic shaping when Shorewall itself starts Shorewall allows you to start traffic shaping when Shorewall itself starts
or it allows you to bring up traffic shaping when you bring up your interfaces.<br> or it allows you to bring up traffic shaping when you bring up your interfaces.<br>
<br> <br>
To start traffic shaping when Shorewall starts:<br> To start traffic shaping when Shorewall starts:<br>
<ol> <ol>
<li>Set TC_ENABLED=Yes and CLEAR_TC=Yes</li> <li>Set TC_ENABLED=Yes and CLEAR_TC=Yes</li>
<li>Supply an /etc/shorewall/tcstart script to configure your traffic shaping <li>Supply an /etc/shorewall/tcstart script to configure your traffic
rules.</li> shaping rules.</li>
<li>Optionally supply an /etc/shorewall/tcclear script to stop traffic <li>Optionally supply an /etc/shorewall/tcclear script to stop traffic
shaping. That is usually unnecessary.</li> shaping. That is usually unnecessary.</li>
<li>If your tcstart script uses the 'fwmark' classifier, you can mark packets <li>If your tcstart script uses the 'fwmark' classifier, you can mark
using entries in /etc/shorewall/tcrules.</li> packets using entries in /etc/shorewall/tcrules.</li>
</ol> </ol>
To start traffic shaping when you bring up your network interfaces, you will To start traffic shaping when you bring up your network interfaces, you
have to arrange for your traffic shaping configuration script to be run at will have to arrange for your traffic shaping configuration script to be run
that time. How you do that is distribution dependent and will not be covered at that time. How you do that is distribution dependent and will not be covered
here. You then should:<br> here. You then should:<br>
<ol> <ol>
<li>Set TC_ENABLED=Yes and CLEAR_TC=No</li> <li>Set TC_ENABLED=Yes and CLEAR_TC=No</li>
<li>Do not supply /etc/shorewall/tcstart or /etc/shorewall/tcclear scripts.</li> <li>Do not supply /etc/shorewall/tcstart or /etc/shorewall/tcclear scripts.</li>
<li value="4">If your tcstart script uses the 'fwmark' classifier, you <li value="4">If your tcstart script uses the 'fwmark' classifier, you
can mark packets using entries in /etc/shorewall/tcrules.</li> can mark packets using entries in /etc/shorewall/tcrules.</li>
</ol> </ol>
<h3 align="left">Kernel Configuration</h3> <h3 align="left">Kernel Configuration</h3>
@ -113,173 +117,178 @@ can mark packets using entries in /etc/shorewall/tcrules.</li>
<p align="center"><img border="0" src="images/QoS.png" width="590" <p align="center"><img border="0" src="images/QoS.png" width="590"
height="764"> height="764">
</p> </p>
<h3 align="left"><a name="tcrules"></a>/etc/shorewall/tcrules</h3> <h3 align="left"><a name="tcrules"></a>/etc/shorewall/tcrules</h3>
<p align="left">The fwmark classifier provides a convenient way to classify <p align="left">The fwmark classifier provides a convenient way to classify
packets for traffic shaping. The /etc/shorewall/tcrules file provides packets for traffic shaping. The /etc/shorewall/tcrules file provides
a means for specifying these marks in a tabular fashion.<br> a means for specifying these marks in a tabular fashion.<br>
</p> </p>
<p align="left">Normally, packet marking occurs in the PREROUTING chain before <p align="left">Normally, packet marking occurs in the PREROUTING chain before
any address rewriting takes place. This makes it impossible to mark inbound any address rewriting takes place. This makes it impossible to mark inbound
packets based on their destination address when SNAT or Masquerading are packets based on their destination address when SNAT or Masquerading are
being used. Beginning with Shorewall 1.3.12, you can cause packet marking being used. Beginning with Shorewall 1.3.12, you can cause packet marking
to occur in the FORWARD chain by using the MARK_IN_FORWARD_CHAIN option in to occur in the FORWARD chain by using the MARK_IN_FORWARD_CHAIN option
<a href="Documentation.htm#Conf">shorewall.conf</a>.<br> in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
</p> </p>
<p align="left">Columns in the file are as follows:</p> <p align="left">Columns in the file are as follows:</p>
<ul> <ul>
<li>MARK - Specifies the mark value is to be assigned in case <li>MARK - Specifies the mark value is to be assigned in case
of a match. This is an integer in the range 1-255.<br> of a match. This is an integer in the range 1-255. Beginning with Shorewall
<br> version 1.3.14, this value may be optionally followed by ":" and either 'F'
Example - 5<br> or 'P' to designate that the marking will occur in the FORWARD or PREROUTING
</li> chains respectively. If this additional specification is omitted, the chain
<li>SOURCE - The source of the packet. If the packet originates used to mark packets will be determined by the setting of the MARK_IN_FORWARD_CHAIN
on the firewall, place "fw" in this column. Otherwise, this is a option in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
comma-separated list of interface names, IP addresses, MAC addresses in <br>
Example - 5<br>
</li>
<li>SOURCE - The source of the packet. If the packet originates
on the firewall, place "fw" in this column. Otherwise, this is a
comma-separated list of interface names, IP addresses, MAC addresses in
<a href="Documentation.htm#MAC">Shorewall Format</a> and/or Subnets.<br> <a href="Documentation.htm#MAC">Shorewall Format</a> and/or Subnets.<br>
<br> <br>
Examples<br> Examples<br>
    eth0<br>     eth0<br>
    192.168.2.4,192.168.1.0/24<br>     192.168.2.4,192.168.1.0/24<br>
</li> </li>
<li>DEST -- Destination of the packet. Comma-separated list of <li>DEST -- Destination of the packet. Comma-separated list
IP addresses and/or subnets.<br> of IP addresses and/or subnets.<br>
</li> </li>
<li>PROTO - Protocol - Must be the name of a protocol from <li>PROTO - Protocol - Must be the name of a protocol from
/etc/protocol, a number or "all"<br> /etc/protocol, a number or "all"<br>
</li> </li>
<li>PORT(S) - Destination Ports. A comma-separated list of Port <li>PORT(S) - Destination Ports. A comma-separated list of
names (from /etc/services), port numbers or port ranges (e.g., 21:22); Port names (from /etc/services), port numbers or port ranges (e.g.,
if the protocol is "icmp", this column is interpreted as the 21:22); if the protocol is "icmp", this column is interpreted as
destination icmp type(s).<br> the destination icmp type(s).<br>
</li> </li>
<li>CLIENT PORT(S) - (Optional) Port(s) used by the client. If <li>CLIENT PORT(S) - (Optional) Port(s) used by the client.
omitted, any source port is acceptable. Specified as a comma-separate If omitted, any source port is acceptable. Specified as a comma-separate
list of port names, port numbers or port ranges.</li> list of port names, port numbers or port ranges.</li>
</ul> </ul>
<p align="left">Example 1 - All packets arriving on eth1 should be marked <p align="left">Example 1 - All packets arriving on eth1 should be marked
with 1. All packets arriving on eth2 and eth3 should be marked with 2. with 1. All packets arriving on eth2 and eth3 should be marked with 2.
All packets originating on the firewall itself should be marked with 3.</p> All packets originating on the firewall itself should be marked with 3.</p>
<table border="2" cellpadding="2" style="border-collapse: collapse;"> <table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody> <tbody>
<tr> <tr>
<td><b>MARK</b></td> <td><b>MARK</b></td>
<td><b>SOURCE</b></td> <td><b>SOURCE</b></td>
<td><b>DEST</b></td> <td><b>DEST</b></td>
<td><b>PROTO</b></td> <td><b>PROTO</b></td>
<td><b>PORT(S)</b></td> <td><b>PORT(S)</b></td>
<td><b>CLIENT PORT(S)</b></td> <td><b>CLIENT PORT(S)</b></td>
</tr> </tr>
<tr> <tr>
<td>1</td> <td>1</td>
<td>eth1</td> <td>eth1</td>
<td>0.0.0.0/0</td> <td>0.0.0.0/0</td>
<td>all</td> <td>all</td>
<td> </td> <td> </td>
<td> </td> <td> </td>
</tr> </tr>
<tr> <tr>
<td>2</td> <td>2</td>
<td>eth2</td> <td>eth2</td>
<td>0.0.0.0/0</td> <td>0.0.0.0/0</td>
<td>all</td> <td>all</td>
<td> </td> <td> </td>
<td> </td> <td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top">2<br> <td valign="top">2<br>
</td> </td>
<td valign="top">eth3<br> <td valign="top">eth3<br>
</td> </td>
<td valign="top">0.0.0.0/0<br> <td valign="top">0.0.0.0/0<br>
</td> </td>
<td valign="top">all<br> <td valign="top">all<br>
</td> </td>
<td valign="top"><br> <td valign="top"><br>
</td> </td>
<td valign="top"><br> <td valign="top"><br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td>3</td> <td>3</td>
<td>fw</td> <td>fw</td>
<td>0.0.0.0/0</td> <td>0.0.0.0/0</td>
<td>all</td> <td>all</td>
<td> </td> <td> </td>
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p align="left">Example 2 - All GRE (protocol 47) packets not originating <p align="left">Example 2 - All GRE (protocol 47) packets not originating
on the firewall and destined for 155.186.235.151 should be marked with on the firewall and destined for 155.186.235.151 should be marked with
12.</p> 12.</p>
<table border="2" cellpadding="2" style="border-collapse: collapse;"> <table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody> <tbody>
<tr> <tr>
<td><b>MARK</b></td> <td><b>MARK</b></td>
<td><b>SOURCE</b></td> <td><b>SOURCE</b></td>
<td><b>DEST</b></td> <td><b>DEST</b></td>
<td><b>PROTO</b></td> <td><b>PROTO</b></td>
<td><b>PORT(S)</b></td> <td><b>PORT(S)</b></td>
<td><b>CLIENT PORT(S)</b></td> <td><b>CLIENT PORT(S)</b></td>
</tr> </tr>
<tr> <tr>
<td>12</td> <td>12</td>
<td>0.0.0.0/0</td> <td>0.0.0.0/0</td>
<td>155.186.235.151</td> <td>155.186.235.151</td>
<td>47</td> <td>47</td>
<td> </td> <td> </td>
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p align="left">Example 3 - All SSH packets originating in 192.168.1.0/24 <p align="left">Example 3 - All SSH packets originating in 192.168.1.0/24
and destined for 155.186.235.151 should be marked with 22.</p> and destined for 155.186.235.151 should be marked with 22.</p>
<table border="2" cellpadding="2" style="border-collapse: collapse;"> <table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody> <tbody>
<tr> <tr>
<td><b>MARK</b></td> <td><b>MARK</b></td>
<td><b>SOURCE</b></td> <td><b>SOURCE</b></td>
<td><b>DEST</b></td> <td><b>DEST</b></td>
<td><b>PROTO</b></td> <td><b>PROTO</b></td>
<td><b>PORT(S)</b></td> <td><b>PORT(S)</b></td>
<td><b>CLIENT PORT(S)</b></td> <td><b>CLIENT PORT(S)</b></td>
</tr> </tr>
<tr> <tr>
<td>22</td> <td>22</td>
<td>192.168.1.0/24</td> <td>192.168.1.0/24</td>
<td>155.186.235.151</td> <td>155.186.235.151</td>
<td>tcp</td> <td>tcp</td>
<td>22</td> <td>22</td>
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<h3>My Setup<br> <h3>My Setup<br>
</h3> </h3>
<p>While I am currently using the HTB version of <a <p>While I am currently using the HTB version of <a
href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (I just copied href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (I just copied
wshaper.htb to <b>/etc/shorewall/tcstart</b> and modified it as shown in wshaper.htb to <b>/etc/shorewall/tcstart</b> and modified it as shown
the Wondershaper README), I have also run with the following set of hand-crafted in the Wondershaper README), I have also run with the following set of
rules in my <b>/etc/shorewall/tcstart</b> file:<br> hand-crafted rules in my <b>/etc/shorewall/tcstart</b> file:<br>
</p> </p>
<blockquote> <blockquote>
<pre>run_tc qdisc add dev eth0 root handle 1: htb default 30<br><br>run_tc class add dev eth0 parent 1: classid 1:1 htb rate 384kbit burst 15k<br><br>echo "   Added Top Level Class -- rate 384kbit"</pre> <pre>run_tc qdisc add dev eth0 root handle 1: htb default 30<br><br>run_tc class add dev eth0 parent 1: classid 1:1 htb rate 384kbit burst 15k<br><br>echo "   Added Top Level Class -- rate 384kbit"</pre>
@ -295,30 +304,28 @@ rules in my <b>/etc/shorewall/tcstart</b> file:<br>
<pre>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:10<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 0 handle 2 fw classid 1:20<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw classid 1:30</pre> <pre>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:10<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 0 handle 2 fw classid 1:20<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw classid 1:30</pre>
<pre>echo "   Defined fwmark filters"<br></pre> <pre>echo "   Defined fwmark filters"<br></pre>
</blockquote> </blockquote>
<p>My tcrules file that went with this tcstart file is shown in Example 1 <p>My tcrules file that went with this tcstart file is shown in Example 1
above. You can look at my <a href="myfiles.htm">network configuration</a> above. You can look at my <a href="myfiles.htm">network configuration</a>
to get an idea of why I wanted these particular rules.<br> to get an idea of why I wanted these particular rules.<br>
</p> </p>
<ol> <ol>
<li>I wanted to allow up to 140kbits/second for traffic outbound from <li>I wanted to allow up to 140kbits/second for traffic outbound
my DMZ (note that the ceiling is set to 384kbit so outbound DMZ traffic from my DMZ (note that the ceiling is set to 384kbit so outbound DMZ traffic
can use all available bandwidth if there is no traffic from the local systems can use all available bandwidth if there is no traffic from the local systems
or from my laptop or firewall).</li> or from my laptop or firewall).</li>
<li>My laptop and local systems could use up to 224kbits/second.</li> <li>My laptop and local systems could use up to 224kbits/second.</li>
<li>My firewall could use up to 20kbits/second.<br> <li>My firewall could use up to 20kbits/second.<br>
</li> </li>
</ol> </ol>
<p><font size="2">Last Updated 12/31/2002 - <a href="support.htm">Tom Eastep</a></font></p> <p><font size="2">Last Updated 2/13/2003 - <a href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p> </p>
<br>
<br>
</body> </body>
</html> </html>

1550
STABLE/documentation/two-interface.htm
View File

File diff suppressed because it is too large Load Diff