diff --git a/Shorewall-docs2/Documentation.xml b/Shorewall-docs2/Documentation.xml
index 0d7f3fd54..b9b568290 100644
--- a/Shorewall-docs2/Documentation.xml
+++ b/Shorewall-docs2/Documentation.xml
@@ -29,7 +29,8 @@
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
- GNU Free Documentation License.
+ GNU Free Documentation
+ License.
@@ -50,9 +51,10 @@
params
- a parameter file installed in /etc/shorewall
- that can be used to establish the values of shell variables for use
- in other files.
+ a parameter file installed in /etc/shorewall that can be used to
+ establish the values of shell variables for use in other
+ files.
@@ -60,8 +62,9 @@
shorewall.conf
- a parameter file installed in /etc/shorewall
- that is used to set several firewall parameters.
+ a parameter file installed in /etc/shorewall that is used to set
+ several firewall parameters.
@@ -69,8 +72,9 @@
zones
- a parameter file installed in /etc/shorewall
- that defines a network partitioning into zones
+ a parameter file installed in /etc/shorewall that defines a network
+ partitioning into zones
@@ -78,8 +82,9 @@
policy
- a parameter file installed in /etc/shorewall
- that establishes overall firewall policy.
+ a parameter file installed in /etc/shorewall that establishes overall
+ firewall policy.
@@ -87,9 +92,10 @@
rules
- a parameter file installed in /etc/shorewall
- and used to express firewall rules that are exceptions to the
- high-level policies established in /etc/shorewall/policy.
+ a parameter file installed in /etc/shorewall and used to express
+ firewall rules that are exceptions to the high-level policies
+ established in /etc/shorewall/policy.
@@ -97,8 +103,9 @@
blacklist
- a parameter file installed in /etc/shorewall
- and used to list blacklisted IP/subnet/MAC addresses.
+ a parameter file installed in /etc/shorewall and used to list
+ blacklisted IP/subnet/MAC addresses.
@@ -106,9 +113,9 @@
ecn
- a parameter file installed in /etc/shorewall
- and used to selectively disable Explicit Congestion Notification
- (ECN - RFC 3168).
+ a parameter file installed in /etc/shorewall and used to selectively
+ disable Explicit Congestion Notification (ECN - RFC 3168).
@@ -117,7 +124,8 @@
a set of shell functions used by both the firewall and
- shorewall shell programs. Installed in /usr/share/shorewall.
+ shorewall shell programs. Installed in /usr/share/shorewall.
@@ -125,9 +133,10 @@
modules
- a parameter file installed in /etc/shorewall
- and that specifies kernel modules and their parameters. Shorewall
- will automatically load the modules specified in this file.
+ a parameter file installed in /etc/shorewall and that specifies
+ kernel modules and their parameters. Shorewall will automatically
+ load the modules specified in this file.
@@ -135,9 +144,9 @@
tos
- a parameter file installed in /etc/shorewall
- that is used to specify how the Type of Service (TOS) field in
- packets is to be set.
+ a parameter file installed in /etc/shorewall that is used to specify
+ how the Type of Service (TOS) field in packets is to be set.
@@ -145,10 +154,10 @@
init.sh and init.debian.sh
- a shell script installed in /etc/init.d
- to automatically start Shorewall during boot. The
- particular script installed depends on which distribution you are
- running.
+ a shell script installed in /etc/init.d to automatically start
+ Shorewall during boot. The particular script installed depends on
+ which distribution you are running.
@@ -156,8 +165,9 @@
interfaces
- a parameter file installed in /etc/shorewall
- and used to describe the interfaces on the firewall system.
+ a parameter file installed in /etc/shorewall and used to describe the
+ interfaces on the firewall system.
@@ -165,8 +175,9 @@
hosts
- a parameter file installed in /etc/shorewall
- and used to describe individual hosts or subnetworks in zones.
+ a parameter file installed in /etc/shorewall and used to describe
+ individual hosts or subnetworks in zones.
@@ -174,9 +185,10 @@
maclist
- a parameter file installed in /etc/shorewall
- and used to verify the MAC address (and possibly also the IP
- address(es)) of devices.
+ a parameter file installed in /etc/shorewall and used to verify the
+ MAC address (and possibly also the IP address(es)) of
+ devices.
@@ -185,7 +197,8 @@
This file also describes IP masquerading under Shorewall and
- is installed in /etc/shorewall.
+ is installed in /etc/shorewall.
@@ -195,7 +208,8 @@
a shell program that reads the configuration files in
/etc/shorewall and configures
- your firewall. This file is installed in /usr/share/shorewall.
+ your firewall. This file is installed in /usr/share/shorewall.
@@ -203,8 +217,9 @@
nat
- a parameter file in /etc/shorewall
- used to define one-to-one NAT.
+ a parameter file in /etc/shorewall used to define one-to-one NAT.
@@ -212,8 +227,9 @@
proxyarp
- a parameter file in /etc/shorewall
- used to define Proxy Arp.
+ a parameter file in /etc/shorewall used to define Proxy Arp.
@@ -221,9 +237,10 @@
rfc1918
- a parameter file in /usr/share/shorewall
- used to define the treatment of packets under the norfc1918 interface option.
+ a parameter file in /usr/share/shorewall used to define the
+ treatment of packets under the norfc1918
+ interface option.
@@ -231,9 +248,10 @@
bogons
- a parameter file in /usr/share/shorewall
- used to define the treatment of packets under the nobogons interface option.
+ a parameter file in /usr/share/shorewall used to define the
+ treatment of packets under the nobogons
+ interface option.
@@ -241,9 +259,9 @@
routestopped
- a parameter file in /etc/shorewall
- used to define those hosts that can access the firewall when
- Shorewall is stopped.
+ a parameter file in /etc/shorewall used to define those
+ hosts that can access the firewall when Shorewall is stopped.
@@ -261,8 +279,9 @@
tunnels
- a parameter file in /etc/shorewall
- used to define IPSec tunnels.
+ a parameter file in /etc/shorewall used to define IPSec
+ tunnels.
@@ -274,7 +293,8 @@
to control and monitor the firewall. This should be placed in
/sbin or in /usr/sbin (the install.sh script and
- the rpm install this file in /sbin).
+ the rpm install this file in /sbin).
@@ -282,9 +302,9 @@
accounting
- a parameter file in /etc/shorewall
- used to define traffic accounting rules. This file was added in
- version 1.4.7.
+ a parameter file in /etc/shorewall used to define traffic
+ accounting rules. This file was added in version 1.4.7.
@@ -292,8 +312,9 @@
version
- a file created in /usr/share/shorewall
- that describes the version of Shorewall installed on your system.
+ a file created in /usr/share/shorewall that describes the
+ version of Shorewall installed on your system.
@@ -305,7 +326,8 @@
files in /etc/shorewall
and /usr/share/shorewall
respectively that allow you to define your own actions for rules in
- /etc/shorewall/rules.
+ /etc/shorewall/rules.
@@ -313,8 +335,9 @@
actions.std and action.*
- files in /usr/share/shorewall
- that define the actions included as a standard part of Shorewall.
+ files in /usr/share/shorewall that define the
+ actions included as a standard part of Shorewall.
@@ -348,7 +371,8 @@ NET_OPTIONS=blacklist,norfc1918
net eth0 130.252.100.255 blacklist,norfc1918
- Variables may be used anywhere in the other configuration files.
+ Variables may be used anywhere in the other configuration
+ files.
@@ -380,7 +404,8 @@ NET_OPTIONS=blacklist,norfc1918
DISPLAY
- The name of the zone as displayed during Shorewall startup.
+ The name of the zone as displayed during Shorewall
+ startup.
@@ -399,25 +424,28 @@ net Net Internet
loc Local Local networks
dmz DMZ Demilitarized zone
- You may add, delete and modify entries in the /etc/shorewall/zones
- file as desired so long as you have at least one zone defined.
+ You may add, delete and modify entries in the
+ /etc/shorewall/zones file as desired so long as you
+ have at least one zone defined.
- If you rename or delete a zone, you should perform shorewall
- stop; shorewall start to install the change rather
- than shorewall restart.
+ If you rename or delete a zone, you should perform
+ shorewall stop; shorewall start to
+ install the change rather than shorewall
+ restart.
- The order of entries in the /etc/shorewall/zones
- file is significant in some cases.
+ The order of entries in the
+ /etc/shorewall/zones file is significant in some cases./etc/shorewall/interfaces
- This file is used to tell the firewall which of your firewall's
+ This file is used to tell the firewall which of your firewall's
network interfaces are connected to which zone. There will be one entry in
/etc/shorewall/interfaces for each of your interfaces. Columns in an entry
are:
@@ -462,12 +490,14 @@ dmz DMZ Demilitarized zone
- the interface must be up before you start your firewall
+ the interface must be up before you start your
+ firewallthe interface must only be attached to a single
- sub-network (i.e., there must have a single broadcast address).
+ sub-network (i.e., there must have a single broadcast
+ address).
@@ -477,7 +507,8 @@ dmz DMZ Demilitarized zone
OPTIONS
- a comma-separated list of options. Possible options include:
+ a comma-separated list of options. Possible options
+ include:
@@ -485,7 +516,7 @@ dmz DMZ Demilitarized zone
(Added in version 1.4.7) - This option causes
- /proc/sys/net/ipv4/conf/<interface>/arp_filter
+ /proc/sys/net/ipv4/conf/<interface>/arp_filter
to be set with the result that this interface will only answer
ARP who-has requests from hosts that are routed
out of that interface. Setting this option facilitates testing
@@ -516,7 +547,8 @@ dmz DMZ Demilitarized zone
(Added in version 1.4.2) - This option causes Shorewall
to set up handling for routing packets that arrive on this
interface back out the same interface. If this option is
- specified, the ZONE column may not contain -.
+ specified, the ZONE column may not contain
+ -.
@@ -531,7 +563,8 @@ dmz DMZ Demilitarized zone
typically used for silent port scans. Packets
failing these checks are logged according to the
TCP_FLAGS_LOG_LEVEL option in and are
- disposed of according to the TCP_FLAGS_DISPOSITION option.
+ disposed of according to the TCP_FLAGS_DISPOSITION
+ option.
@@ -540,7 +573,8 @@ dmz DMZ Demilitarized zone
This option causes incoming packets on this interface to
- be checked against the blacklist.
+ be checked against the blacklist.
@@ -579,10 +613,10 @@ dmz DMZ Demilitarized zone
within their own infrastructure. Also, many cable and DSL
modems have an RFC 1918 address that can be
used through a web browser for management and monitoring
- functions. If you want to specify norfc1918
- on your external interface but need to allow access to certain
- addresses from the above list, see FAQ
- 14.
+ functions. If you want to specify norfc1918 on your external interface
+ but need to allow access to certain addresses from the above
+ list, see FAQ 14.
@@ -601,7 +635,7 @@ dmz DMZ Demilitarized zone
routefilter
- Invoke the Kernel's route filtering (anti-spoofing)
+ Invoke the Kernel's route filtering (anti-spoofing)
facility on this interface. The kernel will reject any packets
incoming on this interface that have a source address that
would be routed outbound through another interface on the
@@ -619,7 +653,8 @@ dmz DMZ Demilitarized zone
(Added in version 1.3.5) - This option causes Shorewall
- to set /proc/sys/net/ipv4/conf/<interface>/proxy_arp
+ to set
+ /proc/sys/net/ipv4/conf/<interface>/proxy_arp
and is used when implementing Proxy ARP Sub-netting as
described at http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/.
@@ -664,7 +699,8 @@ dmz DMZ Demilitarized zone
they do not have a broadcast or multicast address as their
source. Any such packets will be dropped after being
optionally logged according to the setting of SMURF_LOG_LEVEL
- in /etc/shorewall/shorewall.conf.
+ in /etc/shorewall/shorewall.conf.
@@ -673,11 +709,13 @@ dmz DMZ Demilitarized zone
- External Interface -- tcpflags,blacklist,norfc1918,routefilter,nosmurfs
+ External Interface -- tcpflags,blacklist,norfc1918,routefilter,nosmurfs
- Wireless Interface -- maclist,routefilter,tcpflags,detectnets,nosmurfs
+ Wireless Interface -- maclist,routefilter,tcpflags,detectnets,nosmurfs
@@ -693,8 +731,9 @@ dmz DMZ Demilitarized zone
You have a conventional firewall setup in which eth0 connects to
a Cable or DSL modem and eth1 connects to your local network and eth0
gets its IP address via DHCP. You want to check all packets entering
- from the internet against the <link linkend="Blacklist">black list</link>.
- Your /etc/shorewall/interfaces file would be as follows:
+ from the internet against the black
+ list. Your /etc/shorewall/interfaces file would be as
+ follows:
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect dhcp,norfc1918,blacklist
@@ -726,12 +765,13 @@ loc eth1 192.168.1.255,192.168.12.255
purpose of the /etc/shorewall/hosts file.
- The only time that you need entries in /etc/shorewall/hosts
- is where you have more than one zone
- connecting through a single interface.
+ The only time that you need entries in
+ /etc/shorewall/hosts is where you have more than one zone connecting through a single
+ interface.
- IF YOU DON'T HAVE THIS SITUATION THEN
- DON'T TOUCH THIS FILE!!
+ IF YOU DON'T HAVE THIS SITUATION THEN DON'T
+ TOUCH THIS FILE!!Columns in this file are:
@@ -751,8 +791,8 @@ loc eth1 192.168.1.255,192.168.12.255
The name of an interface defined in the /etc/shorewall/interfaces file followed
- by a colon (":") and a comma-separated list whose elements
- are either:
+ by a colon (":") and a comma-separated list whose elements are
+ either:
@@ -760,8 +800,9 @@ loc eth1 192.168.1.255,192.168.12.255
- A subnetwork in the form <subnet-address>/<mask
- width>
+ A subnetwork in the form
+ <subnet-address>/<mask
+ width>
@@ -769,8 +810,8 @@ loc eth1 192.168.1.255,192.168.12.255
only allowed when the interface names a bridge created by the
brctl addbr command. This port must not be
defined in /etc/shorewall/interfaces and
- may optionally followed by a colon (":") and a host or
- network IP. See the bridging
+ may optionally followed by a colon (":") and a host or network
+ IP. See the bridging
documentation for details.
@@ -832,7 +873,8 @@ loc eth1 192.168.1.255,192.168.12.255
This option causes incoming packets on this port to be
- checked against the blacklist.
+ checked against the blacklist.
@@ -878,12 +920,12 @@ loc eth1 192.168.1.255,192.168.12.255
- If you don't define any hosts for a zone, the hosts in the zone
+ If you don't define any hosts for a zone, the hosts in the zone
default to i0:0.0.0.0/0 , i1:0.0.0.0/0, ... where i0, i1, ... are the
interfaces to the zone.
- You probably DON'T want to specify any hosts for your internet
+ You probably DON'T want to specify any hosts for your internet
zone since the hosts that you specify will be the only ones that you
will be able to access without adding additional rules.
@@ -960,10 +1002,10 @@ loc eth1:192.168.1.0/24,192.168.12.0/24
Policies defined in /etc/shorewall/policy describe
which zones are allowed to establish connections with other zones.
- Policies established in /etc/shorewall/policy can
- be viewed as default policies. If no rule in /etc/shorewall/rules applies
- to a particular connection request then the policy from
- /etc/shorewall/policy is applied.
+ Policies established in /etc/shorewall/policy
+ can be viewed as default policies. If no rule in
+ /etc/shorewall/rules applies to a particular connection request then the
+ policy from /etc/shorewall/policy is applied.Five policies are defined:
@@ -989,7 +1031,8 @@ loc eth1:192.168.1.0/24,192.168.12.0/24
The connection request is rejected with an RST (TCP) or an
- ICMP destination-unreachable packet being returned to the client.
+ ICMP destination-unreachable packet being returned to the
+ client.
@@ -1021,7 +1064,8 @@ loc eth1:192.168.1.0/24,192.168.12.0/24
that you want a message sent to your system log each time that the policy
is applied.
- Entries in /etc/shorewall/policy have four columns as follows:
+ Entries in /etc/shorewall/policy have four columns as
+ follows:
@@ -1072,16 +1116,18 @@ loc eth1:192.168.1.0/24,192.168.12.0/24
If left empty, TCP connection requests from the SOURCE zone to the DEST
- zone will not be rate-limited. Otherwise, this column specifies the
- maximum rate at which TCP connection requests will be accepted
- followed by a colon (:) followed by the maximum burst
- size that will be tolerated. Example: 10/sec:40
+ role="bold">SOURCE zone to the DEST zone will not be rate-limited.
+ Otherwise, this column specifies the maximum rate at which TCP
+ connection requests will be accepted followed by a colon
+ (:) followed by the maximum burst size that will be
+ tolerated. Example: 10/sec:40
specifies that the maximum rate of TCP connection requests allowed
will be 10 per second and a burst of 40 connections will be
tolerated. Connection requests in excess of these limits will be
- dropped. See the rules file documentation
- for an explaination of how rate limiting works.
+ dropped. See the rules file
+ documentation for an explaination of how rate limiting
+ works.
@@ -1116,12 +1162,12 @@ all all REJECT info
- The firewall script processes the /etc/shorewall/policy
- file from top to bottom and uses the first
- applicable policy that it finds. For example, in the
- following policy file, the policy for (loc, loc) connections would be
- ACCEPT as specified in the first entry even though the third entry in
- the file specifies REJECT.
+ The firewall script processes the
+ /etc/shorewall/policy file from top to bottom and
+ uses the first applicable policy that it
+ finds. For example, in the following policy file, the policy
+ for (loc, loc) connections would be ACCEPT as specified in the first
+ entry even though the third entry in the file specifies REJECT.#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
loc all ACCEPT
@@ -1140,7 +1186,8 @@ loc loc REJECT info
specify all in either the SOURCE or DEST column) and that
there are no rules concerning connections from that zone to itself. If
there is an explicit policy or if there are one or more rules, then
- traffic within the zone is handled just like traffic between zones is.
+ traffic within the zone is handled just like traffic between zones
+ is.
Any time that you have multiple interfaces associated with a
single zone, you should ask yourself if you really want traffic routed
@@ -1150,22 +1197,22 @@ loc loc REJECT info
Multiple net interfaces to different ISPs. You
- don't want to route traffic from one ISP to the other through
- your firewall.
+ don't want to route traffic from one ISP to the other through your
+ firewall.
- Multiple VPN clients. You don't necessarily want them to
- all be able to communicate between themselves using your
+ Multiple VPN clients. You don't necessarily want them to all
+ be able to communicate between themselves using your
gateway/router.Beginning with Shorewall 2.0.0, you can control the traffic from
- the firewall to itself. As with any zone, fw->fw traffic is enabled
+ the firewall to itself. As with any zone, fw->fw traffic is enabled
by default. It is not necessary to define the loopback interface (lo) in
/etc/shorewall/interfaces in order to
- define fw->fw rules or a fw->fw policy.
+ define fw->fw rules or a fw->fw policy.
So long as there are no intra-zone rules for a zone, all
@@ -1180,15 +1227,15 @@ loc loc REJECT info
The CONTINUE policy
- Where zones are nested or overlapping,
- the CONTINUE policy allows hosts that are within multiple zones to be
- managed under the rules of all of these zones. Let's look at an
- example:
+ Where zones are nested or
+ overlapping, the CONTINUE policy allows hosts that are within
+ multiple zones to be managed under the rules of all of these zones.
+ Let's look at an example:/etc/shorewall/zones:#ZONE DISPLAY COMMENTS
-sam Sam Sam's system at home
+sam Sam Sam's system at home
net Internet The Internet
loc Local Local Network
@@ -1205,11 +1252,13 @@ net eth0:0.0.0.0/0
sam eth0:206.191.149.197
- Sam's home system is a member of both the sam zone and the net
- zone and as described above , that means
- that sam must be listed before
- net in /etc/shorewall/zones.
+ Sam's home system is a member of both the sam zone and the net zone and as
+ described above , that means that sam must be listed before net in
+ /etc/shorewall/zones./etc/shorewall/policy:
@@ -1225,8 +1274,9 @@ all all REJECT info
zone is sam and if there is no match
then the connection request should be treated under rules where the
source zone is net. It is important
- that this policy be listed BEFORE the next policy (net
- to all).
+ that this policy be listed BEFORE the next policy (net to all).
Partial /etc/shorewall/rules:
@@ -1236,19 +1286,19 @@ DNAT sam loc:192.168.1.3 tcp ssh
DNAT net loc:192.168.1.5 tcp www
...
- Given these two rules, Sam can connect to the firewall's
- internet interface with ssh and the connection request will be forwarded
- to 192.168.1.3. Like all hosts in the net
- zone, Sam can connect to the firewall's internet interface on TCP
- port 80 and the connection request will be forwarded to 192.168.1.5. The
+ Given these two rules, Sam can connect to the firewall's internet
+ interface with ssh and the connection request will be forwarded to
+ 192.168.1.3. Like all hosts in the net
+ zone, Sam can connect to the firewall's internet interface on TCP port
+ 80 and the connection request will be forwarded to 192.168.1.5. The
order of the rules is not significant.Sometimes it is necessary to suppress port forwarding
for a sub-zone. For example, suppose that all hosts can SSH to the
firewall and be forwarded to 192.168.1.5 EXCEPT Sam. When Sam connects
- to the firewall's external IP, he should be connected to the
- firewall itself. Because of the way that Netfilter is constructed, this
- requires two rules as follows:
+ to the firewall's external IP, he should be connected to the firewall
+ itself. Because of the way that Netfilter is constructed, this requires
+ two rules as follows:#ACTION SOURCE DEST PROTO DEST PORT(S)
...
@@ -1270,12 +1320,12 @@ DNAT net loc:192.168.1.3 tcp ssh
/etc/shorewall/rulesThe /etc/shorewall/rules file defines
- exceptions to the policies established in the /etc/shorewall/policy
- file. There is one entry in /etc/shorewall/rules for each of these rules.
- Entries in this file only govern the establishment of new connections —
- packets that are part of an existing connection or that establish a
- connection that is related to an existing connection are automatically
- accepted.
+ exceptions to the policies established in the
+ /etc/shorewall/policy file. There is one entry in
+ /etc/shorewall/rules for each of these rules. Entries in this file only
+ govern the establishment of new connections — packets that are part of an
+ existing connection or that establish a connection that is related to an
+ existing connection are automatically accepted.
Rules for each pair of zones (source zone, destination zone) are
evaluated in the order that they appear in the file — the first match
@@ -1296,7 +1346,8 @@ DNAT net loc:192.168.1.3 tcp ssh
CONTINUE rules may cause the connection request to be
- reprocessed using a different (source zone, destination zone) pair.
+ reprocessed using a different (source zone, destination zone)
+ pair.
@@ -1332,7 +1383,8 @@ DNAT net loc:192.168.1.3 tcp ssh
Added in Shorewall 2.0.2 Beta 2. Exempts matching
- connections from DNAT and REDIRECT rules later in the file.
+ connections from DNAT and REDIRECT rules later in the
+ file.
@@ -1342,9 +1394,11 @@ DNAT net loc:192.168.1.3 tcp ssh
Causes the connection request to be forwarded to the
system specified in the DEST column (port forwarding).
- DNAT stands for Destination
- Network Address
- Translation
+ DNAT stands for Destination Network Address Translation
@@ -1352,7 +1406,8 @@ DNAT net loc:192.168.1.3 tcp ssh
DNAT-
- The above ACTION (DNAT) generates two iptables rules:
+ The above ACTION (DNAT) generates two iptables
+ rules:
@@ -1361,8 +1416,8 @@ DNAT net loc:192.168.1.3 tcp ssh
- an ACCEPT rule in the Netfilter filter
- table.
+ an ACCEPT rule in the Netfilter
+ filter table.
@@ -1394,8 +1449,8 @@ DNAT net loc:192.168.1.3 tcp ssh
- an ACCEPT rule in the Netfilter filter
- table.
+ an ACCEPT rule in the Netfilter
+ filter table.
@@ -1408,7 +1463,8 @@ DNAT net loc:192.168.1.3 tcp ssh
LOG
- Log the packet -- requires a syslog level (see below).
+ Log the packet -- requires a syslog level (see
+ below).
@@ -1423,20 +1479,22 @@ DNAT net loc:192.168.1.3 tcp ssh
When the protocol specified in the PROTO column is TCP
- (tcp, TCP or 6),
- Shorewall will only pass connection requests (SYN packets)
- to user space. This is for compatibility with ftwall.
+ (tcp, TCP or
+ 6), Shorewall will only pass connection
+ requests (SYN packets) to user space. This is for
+ compatibility with ftwall.
- <defined
- action>
+ <defined
+ action>(Shorewall 1.4.9 and later) - An action defined in the
- /etc/shorewall/actions
+ /etc/shorewall/actions
or /usr/share/shorewall/actions.std
files.
@@ -1451,25 +1509,26 @@ DNAT net loc:192.168.1.3 tcp ssh
syslog level. Beginning with Shorewall version 2.0.2 Beta 1, a
log tag may be specified. A log tag is a
string of alphanumeric characters and is specified by following the
- log level with ":" and the log tag. Example:ACCEPT:info:ftp net dmz tcp 21
+ log level with ":" and the log tag. Example:ACCEPT:info:ftp net dmz tcp 21
The log tag is appended to the log prefix generated by the
- LOGPREFIX variable in /etc/shorewall/conf.
- If "ACCEPT:info" generates the log prefix
- "Shorewall:net2dmz:ACCEPT:" then "ACCEPT:info:ftp"
- will generate "Shorewall:net2dmz:ACCEPT:ftp " (note the
- trailing blank). The maximum length of a log prefix supported by
- iptables is 29 characters; if a larger prefix is generated,
- Shorewall will issue a warning message and will truncate the prefix
- to 29 characters.
+ LOGPREFIX variable in /etc/shorewall/conf. If
+ "ACCEPT:info" generates the log prefix "Shorewall:net2dmz:ACCEPT:"
+ then "ACCEPT:info:ftp" will generate "Shorewall:net2dmz:ACCEPT:ftp "
+ (note the trailing blank). The maximum length of a log prefix
+ supported by iptables is 29 characters; if a larger prefix is
+ generated, Shorewall will issue a warning message and will truncate
+ the prefix to 29 characters.
- Specifying a log level for a <defined action>
- will log all invocations of the action. For example:
+ Specifying a log level for a <defined
+ action> will log all invocations of the action. For
+ example:AllowFTP:info net dmz
- will log all net->dmz traffic that has not been handled by
- earlier rules. That's probably not what you want. If you want to
- log the FTP connections that are actually accepted, you need to log
+ will log all net->dmz traffic that has not been handled by
+ earlier rules. That's probably not what you want. If you want to log
+ the FTP connections that are actually accepted, you need to log
within the action itself. One way to do that would be to copy
/usr/share/shorewall/action.AllowFTP to
/etc/shorewall and modify the
@@ -1499,7 +1558,8 @@ ACCEPT:info - - tc
If the source is not all then the source may be
further restricted by adding a colon (:) followed by
- a comma-separated list of qualifiers. Qualifiers are may include:
+ a comma-separated list of qualifiers. Qualifiers are may
+ include:
@@ -1510,7 +1570,8 @@ ACCEPT:info - - tc
specified interface (example loc:eth4). Beginning with
Shorwall 1.3.9, the interface name may optionally be followed
by a colon (:) and an IP address or subnet
- (examples: loc:eth4:192.168.4.22, net:eth0:192.0.2.0/24).
+ (examples: loc:eth4:192.168.4.22,
+ net:eth0:192.0.2.0/24).
@@ -1528,7 +1589,8 @@ ACCEPT:info - - tc
MAC Address
- in Shorewall
+ in Shorewall
format.
@@ -1588,13 +1650,14 @@ ACCEPT:info - - tc
Unlike in the SOURCE column, a range of IP addresses may be
- specified in the DEST column as <first address>-<last
- address>. When the ACTION is DNAT or DNAT-,
- connections will be assigned to the addresses in the range in a
- round-robin fashion (load-balancing). This
- feature is available with DNAT rules only with Shorewall 1.4.6 and
- later versions; it is available with DNAT- rules in all versions
- that support DNAT-.
+ specified in the DEST column as <first
+ address>-<last address>.
+ When the ACTION is DNAT or DNAT-, connections will be assigned to
+ the addresses in the range in a round-robin fashion
+ (load-balancing). This feature is available
+ with DNAT rules only with Shorewall 1.4.6 and later versions; it is
+ available with DNAT- rules in all versions that support
+ DNAT-.
@@ -1612,11 +1675,11 @@ ACCEPT:info - - tc
DEST PORT(S)
- Port or port range (<low port>:<high port>)
- being connected to. May only be specified if the protocol is tcp,
- udp or icmp. For icmp, this column's contents are interpreted as
- an icmp type. If you don't want to specify DEST PORT(S) but need
- to include information in one of the columns to the right, enter
+ Port or port range (<low port>:<high port>) being
+ connected to. May only be specified if the protocol is tcp, udp or
+ icmp. For icmp, this column's contents are interpreted as an icmp
+ type. If you don't want to specify DEST PORT(S) but need to include
+ information in one of the columns to the right, enter
- in this column. You may give a list of ports and/or
port ranges separated by commas. Port numbers may be either integers
or service names from /etc/services.
@@ -1628,13 +1691,13 @@ ACCEPT:info - - tc
May be used to restrict the rule to a particular client port
- or port range (a port range is specified as <low port
- number>:<high port number>). If you don't want to
- restrict client ports but want to specify something in the next
- column, enter - in this column. If you wish to
- specify a list of port number or ranges, separate the list elements
- with commas (with no embedded white space). Port numbers may be
- either integers or service names from /etc/services.
+ or port range (a port range is specified as <low port
+ number>:<high port number>). If you don't want to restrict
+ client ports but want to specify something in the next column, enter
+ - in this column. If you wish to specify a list of
+ port number or ranges, separate the list elements with commas (with
+ no embedded white space). Port numbers may be either integers or
+ service names from /etc/services.
@@ -1707,19 +1770,20 @@ DNAT loc:192.168.1.0/24 loc:192.168.1.3 tcp
ACCEPT, DNAT[-], REDIRECT[-] or LOG rules with an entry in this
column. Entries have the form
- <rate>/<interval>[:<burst>]
+ <rate>/<interval>[:<burst>]
- where <rate> is the number of connections per
- <interval> (sec or min) and
- <burst> is the largest burst permitted. If no burst value is
+ where <rate> is the number of connections per
+ <interval> (sec or min) and
+ <burst> is the largest burst permitted. If no burst value is
given, a value of 5 is assumed.
- There may be no whitespace embedded in the specification.
+ There may be no whitespace embedded in the
+ specification.
- Let's take
+ Let's take
- ACCEPT<2/sec:4> net dmz tcp 80
+ ACCEPT<2/sec:4> net dmz tcp 80The first time this rule is reached, the packet will be
accepted; in fact, since the burst is 4, the first four packets
@@ -1761,7 +1825,7 @@ DNAT loc:192.168.1.0/24 loc:192.168.1.3 tcp
to 4/minute with a burst of 8 (Shorewall 1.4.7 and later only):
#ACTION SOURCE DEST PROTO DEST PORT(S)
-DNAT<4/min:8> net loc:192.168.1.3 tcp ssh
+DNAT<4/min:8> net loc:192.168.1.3 tcp ssh
@@ -1795,15 +1859,19 @@ ACCEPT loc dmz:155.186.235.222 tcp www
server to be accessible from the internet in addition to the local
192.168.1.0/24 and dmz 192.168.2.0/24 subnetworks.
- since the server is in the 192.168.2.0/24 subnetwork,
- we can assume that access to the server from that subnet will not
- involve the firewall (but see FAQ 2)unless
- you have more than one external IP address, you can leave the ORIGINAL
- DEST column blank in the first rule. You cannot leave it blank in the
- second rule though because then all ftp connections originating in the
- local subnet 192.168.1.0/24 would be sent to 192.168.2.2 regardless of
- the site that the user was trying to connect to. That is clearly not
- what you want.
+
+ since the server is in the 192.168.2.0/24 subnetwork, we can
+ assume that access to the server from that subnet will not involve
+ the firewall (but see FAQ
+ 2)
+
+ unless you have more than one external IP address, you can
+ leave the ORIGINAL DEST column blank in the first rule. You cannot
+ leave it blank in the second rule though because then all ftp
+ connections originating in the local subnet 192.168.1.0/24 would be
+ sent to 192.168.2.2 regardless of the site that the user was trying
+ to connect to. That is clearly not what you want.
+ #ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
# PORT(S) DEST
@@ -1840,15 +1908,18 @@ ACCEPT loc:~02-00-08-E3-FA-55 dmz all#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT all dmz tcp 25
- When all is used as a source or
- destination, intra-zone traffic is not affected. In this example, if
- there were two DMZ interfaces then the above rule would NOT enable SMTP
- traffic between hosts on these interfaces.
+
+ When all is used as a source or destination,
+ intra-zone traffic is not affected. In this example, if there were
+ two DMZ interfaces then the above rule would NOT enable SMTP traffic
+ between hosts on these interfaces.
+
- Your firewall's external interface has several IP addresses
- but you only want to accept SSH connections on address 206.124.146.176.
+ Your firewall's external interface has several IP addresses but
+ you only want to accept SSH connections on address
+ 206.124.146.176.#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT net fw:206.124.146.176 tcp 22
@@ -1895,14 +1966,15 @@ REDIRECT loc 3128 tcp www -
ACCEPT fw net tcp www
The reason that NONAT is used in the above example rather than
- ACCEPT+ is that the example is assuming the usual ACCEPT loc->net
+ ACCEPT+ is that the example is assuming the usual ACCEPT loc->net
policy. Since traffic from the local zone to the internet zone is
accepted anyway, adding an additional ACCEPT rule is unnecessary and all
that is required is to avoid the REDIRECT rule for HTTP connection
requests from the two listed IP addresses.
- Look here for information on other services.
+ Look here for information on other
+ services.
@@ -1925,13 +1997,15 @@ ACCEPT fw net tcp www
optionally qualified by adding : and a subnet or host
IP. When this qualification is added, only packets addressed to that
host or subnet will be masqueraded. Beginning with Shorewall version
- 1.4.10, the interface name can be qualified with ":"
- followed by a comma separated list of hosts and/or subnets. If this
- list begins with ! (e.g., eth0:!192.0.2.8/29,192.0.2.32/29)
- then only packets addressed to destinations not
- listed will be masqueraded; otherwise (e.g., eth0:192.0.2.8/29,192.0.2.32/29),
- traffic will be masqueraded if it does
- match one of the listed addresses.
+ 1.4.10, the interface name can be qualified with ":" followed by a
+ comma separated list of hosts and/or subnets. If this list begins
+ with ! (e.g.,
+ eth0:!192.0.2.8/29,192.0.2.32/29) then only packets
+ addressed to destinations not
+ listed will be masqueraded; otherwise (e.g.,
+ eth0:192.0.2.8/29,192.0.2.32/29), traffic will be
+ masqueraded if it does match one of
+ the listed addresses.
Beginning with Shorewall version 1.3.14, if you have set
ADD_SNAT_ALIASES=Yes in , you can cause
@@ -2027,8 +2101,9 @@ ACCEPT fw net tcp www
- A range of port numbers of the form <low
- port>:<high port>
+ A range of port numbers of the form <low
+ port>:<high
+ port>
@@ -2055,7 +2130,7 @@ ipsec0:10.1.0.0/16 192.168.9.0/24
You have a DSL line connected on eth0 and a local network
- (192.168.10.0/24) connected to eth1. You want all local->net
+ (192.168.10.0/24) connected to eth1. You want all local->net
connections to use source address 206.124.146.176.#INTERFACE SUBNET ADDRESS
@@ -2071,18 +2146,18 @@ eth0 192.168.10.0/24!192.168.10.44,192.168.10.45 206.124.146.176
- <emphasis role="bold">(Shorewall version >= 1.3.14):</emphasis>
- You have a second IP address (206.124.146.177) assigned to you and wish
- to use it for SNAT of the subnet 192.168.12.0/24. You want to give that
- address the name eth0:0. You must have ADD_SNAT_ALIASES=Yes in <xref
- linkend="Conf" />.
+ <emphasis role="bold">(Shorewall version >=
+ 1.3.14):</emphasis> You have a second IP address (206.124.146.177)
+ assigned to you and wish to use it for SNAT of the subnet
+ 192.168.12.0/24. You want to give that address the name eth0:0. You must
+ have ADD_SNAT_ALIASES=Yes in <xref linkend="Conf" />.#INTERFACE SUBNET ADDRESS
eth0:0 192.168.12.0/24 206.124.146.177
- <emphasis role="bold">(Shorewall version >= 1.4.7):</emphasis>
+ <title><emphasis role="bold">(Shorewall version >= 1.4.7):</emphasis>
You want to use both 206.124.146.177 and 206.124.146.179 for SNAT of the
subnet 192.168.12.0/24. Each address will be used on alternate outbound
connections.
@@ -2092,11 +2167,11 @@ eth0 192.168.12.0/24 206.124.146.177,206.124.146.179
- <emphasis role="bold">(Shorewall version >= 2.0.2 Beta 1):</emphasis>
- You want all outgoing SMTP traffic entering the firewall on eth1 to be
- sent from eth0 with source IP address 206.124.146.177. You want all
- other outgoing traffic from eth1 to be sent from eth0 with source IP
- address 206.124.146.176.
+ <emphasis role="bold">(Shorewall version >= 2.0.2 Beta
+ 1):</emphasis> You want all outgoing SMTP traffic entering the firewall
+ on eth1 to be sent from eth0 with source IP address 206.124.146.177. You
+ want all other outgoing traffic from eth1 to be sent from eth0 with
+ source IP address 206.124.146.176.#INTERFACE SUBNET ADDRESS PROTO PORT(S)
eth0 eth1 206.124.146.177 tcp 25
@@ -2114,10 +2189,11 @@ eth0 eth1 206.124.146.176
that you look at the Proxy ARP Subnet
Mini HOWTO. If you decide to use the technique described in that
- HOWTO, you can set the proxy_arp flag for an interface (/proc/sys/net/ipv4/conf/<interface>/proxy_arp)
+ HOWTO, you can set the proxy_arp flag for an interface
+ (/proc/sys/net/ipv4/conf/<interface>/proxy_arp)
by including the proxyarp option in the
- interface's record in . When using Proxy
- ARP sub-netting, you do NOT include any
+ interface's record in . When using Proxy ARP
+ sub-netting, you do NOT include any
entries in /etc/shorewall/proxyarp.The /etc/shorewall/proxyarp file is used to
@@ -2168,33 +2244,33 @@ eth0 eth1 206.124.146.176
PERSISTENT
- If you specify "No" or "no" in the HAVEROUTE
- column, Shorewall will automatically add a route to the host in the
- ADDRESS column through the interface in the INTERFACE column. If you
- enter No or no in the PERSISTENT
- column or if you leave the column empty, that route will be deleted
- if you issue a shorewall stop or
- shorewall clear command. If you place
- Yes or yes in the PERSISTENT column,
- then those commands will not cause the route to be deleted.
+ If you specify "No" or "no" in the HAVEROUTE column, Shorewall
+ will automatically add a route to the host in the ADDRESS column
+ through the interface in the INTERFACE column. If you enter
+ No or no in the PERSISTENT column or
+ if you leave the column empty, that route will be deleted if you
+ issue a shorewall stop or shorewall
+ clear command. If you place Yes or
+ yes in the PERSISTENT column, then those commands
+ will not cause the route to be deleted.
- After you have made a change to the /etc/shorewall/proxyarp
- file, you may need to flush the ARP cache of all routers on
- the LAN segment connected to the interface specified in the EXTERNAL
- column of the change/added entry(s). If you are having problems
- communicating between an individual host (A) on that segment and a
- system whose entry has changed, you may need to flush the ARP cache on
- host A as well.
+ After you have made a change to the
+ /etc/shorewall/proxyarp file, you may need to flush
+ the ARP cache of all routers on the LAN segment connected to the
+ interface specified in the EXTERNAL column of the change/added entry(s).
+ If you are having problems communicating between an individual host (A)
+ on that segment and a system whose entry has changed, you may need to
+ flush the ARP cache on host A as well.ISPs typically have ARP configured with long TTL (hours!) so if
your ISPs router has a stale cache entry (as seen using tcpdump
- -nei <external interface> host <IP addr>), it
- may take a long while to time out. I personally have had to contact my
- ISP and ask them to delete a stale entry in order to restore a system to
+ -nei <external interface> host <IP addr>), it may
+ take a long while to time out. I personally have had to contact my ISP
+ and ask them to delete a stale entry in order to restore a system to
working order after changing my proxy ARP settings.
@@ -2208,18 +2284,21 @@ eth0 eth1 206.124.146.176
In your DMZ, you want to install a Web/FTP server with public
address 155.186.235.4. On the Web server, you subnet just like the
- firewall's eth0 and you configure 155.186.235.1 as the default
- gateway. In your /etc/shorewall/proxyarp file, you
- will have:
+ firewall's eth0 and you configure 155.186.235.1 as the default gateway.
+ In your /etc/shorewall/proxyarp file, you will
+ have:#ADDRESS INTERFACE EXTERNAL HAVEROUTE
155.186.235.4 eth2 eth0 NO
- You may want to configure the servers in your DMZ with
- a subnet that is smaller than the subnet of your internet interface. See
- the Proxy
- ARP Subnet Mini HOWTO for details. In this case you will want to
- place Yes in the HAVEROUTE column.
+
+ You may want to configure the servers in your DMZ with a
+ subnet that is smaller than the subnet of your internet interface.
+ See the Proxy ARP
+ Subnet Mini HOWTO for details. In this case you will want to
+ place Yes in the HAVEROUTE column.
+
@@ -2228,12 +2307,12 @@ eth0 eth1 206.124.146.176
Shorewall with an IPSEC tunnel active, the proxied IP addresses are
mistakenly assigned to the IPSEC tunnel device (ipsecX) rather than to
the interface that you specify in the INTERFACE column of
- /etc/shorewall/proxyarp. I haven't had the time
- to debug this problem so I can't say if it is a bug in the Kernel or
- in FreeS/Wan.
+ /etc/shorewall/proxyarp. I haven't had the time to
+ debug this problem so I can't say if it is a bug in the Kernel or in
+ FreeS/Wan.
You might be able to work around
- this problem using the following (I haven't tried it):
+ this problem using the following (I haven't tried it):
In /etc/shorewall/init, include:
@@ -2256,10 +2335,11 @@ eth0 eth1 206.124.146.176
If all you want to do is forward ports to servers behind your
firewall, you do NOT want to use one-to-one NAT. Port forwarding can be
- accomplished with simple entries in the rules file.
- Also, in most cases Proxy ARP provides a
- superior solution to one-to-one NAT because the internal systems are
- accessed using the same IP address internally and externally.
+ accomplished with simple entries in the rules
+ file. Also, in most cases Proxy
+ ARP provides a superior solution to one-to-one NAT because the
+ internal systems are accessed using the same IP address internally and
+ externally.
Columns in an entry are:
@@ -2319,15 +2399,15 @@ eth0 eth1 206.124.146.176
If Yes or yes, NAT will be effective from the firewall system.
Note that with Shorewall 2.0.1 and earlier versions, this column was
- ignored if the ALL INTERFACES column did not contain "Yes"
- or "yes". Beginning with Shorewall 2.0.2 Beta 1, this
- column's contents are independent of the value in ALL
- INTERFACES.
+ ignored if the ALL INTERFACES column did not contain "Yes" or "yes".
+ Beginning with Shorewall 2.0.2 Beta 1, this column's contents are
+ independent of the value in ALL INTERFACES.
For this to work, you must be running kernel 2.4.19 or later
and iptables 1.2.6a or later and you must have enabled CONFIG_IP_NF_NAT_LOCAL in your kernel.
+ role="bold">CONFIG_IP_NF_NAT_LOCAL in your
+ kernel.
@@ -2353,13 +2433,13 @@ eth0 eth1 206.124.146.176
compilation errors.
- Instructions for setting up IPSEC tunnels
- may be found here, instructions for IPIP and GRE
- tunnels are here, instructions for OpenVPN
- tunnels are here, instructions for PPTP
- tunnels are here, instructions for 6to4
- tunnels are here, and instructions for integrating Shorewall with other types of
+ Instructions for setting up IPSEC
+ tunnels may be found here, instructions for IPIP and GRE tunnels are here, instructions for
+ OpenVPN tunnels are here, instructions
+ for PPTP tunnels are here, instructions for
+ 6to4 tunnels are here, and instructions for
+ integrating Shorewall with other types of
tunnels are here.
@@ -2385,15 +2465,14 @@ eth0 eth1 206.124.146.176
(Added at version 2.0.2) - Specifies where configuration files
other than shorewall.conf may be found.
CONFIG_PATH is specifies as a list of directory names separated by
- colons (":"). When looking for a configuration file other
- than shorewall.conf:
+ colons (":"). When looking for a configuration file other than
+ shorewall.conf:
- If the command is "try" or if "-c
- <configuration directory>" was specified in the
- command then the directory given in the command is searched
- first.
+ If the command is "try" or if "-c <configuration
+ directory>" was specified in the command then the directory
+ given in the command is searched first.
@@ -2403,13 +2482,16 @@ eth0 eth1 206.124.146.176
If CONFIG_PATH is not given or if it is set to the empty value
- then the contents of /usr/share/shorewall/configpath
- are used. As released from shorewall.net, that file sets the
- CONFIG_PATH to /etc/shorewall:/usr/share/shorewall
- but your particular distribution may set it differently.
+ then the contents of
+ /usr/share/shorewall/configpath are used. As
+ released from shorewall.net, that file sets the CONFIG_PATH to
+ /etc/shorewall:/usr/share/shorewall
+ but your particular distribution may set it
+ differently.
- Note that the setting in /usr/share/shorewall/configpath
- is always used to locate shorewall.conf.
+ Note that the setting in
+ /usr/share/shorewall/configpath is always used
+ to locate shorewall.conf.
@@ -2446,10 +2528,10 @@ eth0 eth1 206.124.146.176
RESTOREFILE
- (Added at version 2.0.3 Beta 1) - The simple name of a file in
- /var/lib/shorewall to be used as the default restore
- script in the shorewall save, shorewall restore, shorewall forget
- and shorewall -f start commands. See the (Added at version 2.0.3 Beta 1) - The simple name of a file
+ in /var/lib/shorewall to be used as the default
+ restore script in the shorewall save, shorewall restore, shorewall
+ forget and shorewall -f start commands. See the Saved Configuration
documentation for details.
@@ -2470,9 +2552,10 @@ eth0 eth1 206.124.146.176
(Added at version 2.0.0) - Specifies the logging level for
smurf packets (see the nosmurfs
- option in /etc/shorewall/interfaces).
- If set to the empty value ( SMURF_LOG_LEVEL="" ) then smurfs
- are not logged.
+ option in /etc/shorewall/interfaces). If set to
+ the empty value ( SMURF_LOG_LEVEL="" ) then smurfs are not
+ logged.
@@ -2482,8 +2565,8 @@ eth0 eth1 206.124.146.176
(Added at version 1.4.9) - The value of this variable
determines the possible file extensions of kernel modules. The
- default value is "o gz ko and o.gz". See for more details.
+ default value is "o gz ko and o.gz". See
+ for more details.
@@ -2492,7 +2575,7 @@ eth0 eth1 206.124.146.176
(Added at version 1.4.7) - The value of this variable affects
- Shorewall's stopped
+ Shorewall's stopped
state. When ADMINISABSENTMINDES=No, only traffic to/from
those addresses listed in /etc/shorewall/routestopped is accepted
when Shorewall is stopped.When ADMINISABSENTMINDED=Yes, in addition
@@ -2526,24 +2609,24 @@ eth0 eth1 206.124.146.176
disposition). To use LOGFORMAT with fireparse, set it as:
- LOGFORMAT="fp=%s:%d a=%s "
+ LOGFORMAT="fp=%s:%d a=%s "
- If the LOGFORMAT value contains the substring %d
- then the logging rule number is calculated and formatted in that
- position; if that substring is not included then the rule number is
- not included. If not supplied or supplied as empty
- (LOGFORMAT="") then Shorewall:%s:%s: is
+ If the LOGFORMAT value contains the substring
+ %d then the logging rule number is calculated and
+ formatted in that position; if that substring is not included then
+ the rule number is not included. If not supplied or supplied as
+ empty (LOGFORMAT="") then Shorewall:%s:%s: is
assumed./sbin/shorewall uses the leading part of
the LOGFORMAT string (up to but not including the first
- %) to find log messages in the show log,
- status and hits commands. This part
- should not be omitted (the LOGFORMAT should not begin with
- %) and the leading part should be sufficiently
- unique for /sbin/shorewall to identify
- Shorewall messages.
+ %) to find log messages in the show
+ log, status and hits
+ commands. This part should not be omitted (the LOGFORMAT should
+ not begin with %) and the leading part should be
+ sufficiently unique for /sbin/shorewall to
+ identify Shorewall messages.
@@ -2553,15 +2636,16 @@ eth0 eth1 206.124.146.176
(Added at version 1.3.13) - If this option is set to
- No then Shorewall won't clear the current traffic
+ No then Shorewall won't clear the current traffic
control rules during [re]start. This setting is intended for use by
people that prefer to configure traffic shaping when the network
interfaces come up rather than when the firewall is started. If that
is what you want to do, set TC_ENABLED=Yes and CLEAR_TC=No and do
not supply an /etc/shorewall/tcstart file. That
- way, your traffic shaping rules can still use the fwmark
- classifier based on packet marking defined in
- /etc/shorewall/tcrules. If not specified, CLEAR_TC=Yes is assumed.
+ way, your traffic shaping rules can still use the
+ fwmark classifier based on packet marking defined in
+ /etc/shorewall/tcrules. If not specified, CLEAR_TC=Yes is
+ assumed.
@@ -2580,7 +2664,7 @@ eth0 eth1 206.124.146.176
show mangle command; if a FORWARD chain is
displayed then your kernel will support this option. If this option
is not specified or if it is given the empty value (e.g.,
- MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is
+ MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is
assumed.
@@ -2590,8 +2674,9 @@ eth0 eth1 206.124.146.176
(Added at version 1.3.12) - This parameter determines the
- level at which packets logged under the norfc1918
- mechanism are logged. The value must be a valid norfc1918 mechanism are
+ logged. The value must be a valid syslog level and if no level is
given, then info is assumed. Prior to Shorewall version 1.3.12,
these packets are always logged at the info level.
@@ -2603,8 +2688,9 @@ eth0 eth1 206.124.146.176
(Added at version 2.0.1) - This parameter determines the level
- at which packets logged under the nobogons
- mechanism are logged. The value must be a valid nobogons mechanism are
+ logged. The value must be a valid syslog level and if no level is
given, then info is assumed.
@@ -2619,8 +2705,8 @@ eth0 eth1 206.124.146.176
linkend="Interfaces">tcpflags interface option and must have
a value of ACCEPT (accept the packet), REJECT (send an RST response)
or DROP (ignore the packet). If not set or if set to the empty value
- (e.g., TCP_FLAGS_DISPOSITION="") then
- TCP_FLAGS_DISPOSITION=DROP is assumed.
+ (e.g., TCP_FLAGS_DISPOSITION="") then TCP_FLAGS_DISPOSITION=DROP is
+ assumed.
@@ -2632,9 +2718,9 @@ eth0 eth1 206.124.146.176
url="shorewall_logging.html">syslog level for logging
packets that fail the checks enabled by the tcpflags interface option.The value must
- be a valid syslogd log level. If you don't want to log these
+ be a valid syslogd log level. If you don't want to log these
packets, set to the empty value (e.g.,
- TCP_FLAGS_LOG_LEVEL="").
+ TCP_FLAGS_LOG_LEVEL="").
@@ -2647,7 +2733,7 @@ eth0 eth1 206.124.146.176
Verification and must have the value ACCEPT (accept the
connection request anyway), REJECT (reject the connection request)
or DROP (ignore the connection request). If not set or if set to the
- empty value (e.g., MACLIST_DISPOSITION="") then
+ empty value (e.g., MACLIST_DISPOSITION="") then
MACLIST_DISPOSITION=REJECT is assumed.
@@ -2660,8 +2746,8 @@ eth0 eth1 206.124.146.176
url="shorewall_logging.html">syslog level for logging
connection requests that fail MAC
Verification. The value must be a valid syslogd log level.
- If you don't want to log these connection requests, set to the
- empty value (e.g., MACLIST_LOG_LEVEL="").
+ If you don't want to log these connection requests, set to the empty
+ value (e.g., MACLIST_LOG_LEVEL="").
@@ -2690,7 +2776,8 @@ eth0 eth1 206.124.146.176
Shorewall drops non-SYN TCP packets that are not part of an existing
connection. If you would like to log these packets, set LOGNEWNOTSYN
to the syslog level at
- which you want the packets logged. Example: LOGNEWNOTSYN=ULOG|
+ which you want the packets logged. Example:
+ LOGNEWNOTSYN=ULOG|
Packets logged under this option are usually the result of
@@ -2710,8 +2797,8 @@ eth0 eth1 206.124.146.176
DNAT rules as the original destination IP address. If set to
No or no, Shorewall will not detect
this address and any destination IP address will match the DNAT
- rule. If not specified or empty, DETECT_DNAT_ADDRS=Yes
- is assumed.
+ rule. If not specified or empty,
+ DETECT_DNAT_ADDRS=Yes is assumed.
@@ -2745,8 +2832,8 @@ eth0 eth1 206.124.146.176
This parameter should be set to the name of a file that the
firewall should create if it starts successfully and remove when it
stops. Creating and removing this file allows Shorewall to work with
- your distribution's initscripts. For RedHat, this should be set
- to /var/lock/subsys/shorewall. For Debian, the value is
+ your distribution's initscripts. For RedHat, this should be set to
+ /var/lock/subsys/shorewall. For Debian, the value is
/var/state/shorewall and in LEAF it is /var/run/shorwall. Example:
SUBSYSLOCK=/var/lock/subsys/shorewall.
@@ -2757,8 +2844,8 @@ eth0 eth1 206.124.146.176
This parameter specifies the name of a directory where
- Shorewall stores state information. If the directory doesn't
- exist when Shorewall starts, it will create the directory. Example:
+ Shorewall stores state information. If the directory doesn't exist
+ when Shorewall starts, it will create the directory. Example:
STATEDIR=/tmp/shorewall.
@@ -2775,7 +2862,7 @@ eth0 eth1 206.124.146.176
This parameter specifies the directory where your kernel
netfilter modules may be found. If you leave the variable empty,
- Shorewall will supply the value "/lib/modules/`uname
+ Shorewall will supply the value "/lib/modules/`uname
-r`/kernel/net/ipv4/netfilter.
@@ -2803,7 +2890,8 @@ LOGBURST=5
be logged from the rule, regardless of how many packets reach it.
Also, every 6 seconds which passes without matching a packet, one
of the bursts will be regained; if no packets hit the rule for 30
- seconds, the burst will be fully recharged; back where we started.
+ seconds, the burst will be fully recharged; back where we
+ started.
@@ -2814,9 +2902,9 @@ LOGBURST=5
This parameter tells the /sbin/shorewall program where to look
for Shorewall messages when processing the show log,
- monitor, status and hits
- commands. If not assigned or if assigned an empty value,
- /var/log/messages is assumed.
+ monitor, status and
+ hits commands. If not assigned or if assigned an
+ empty value, /var/log/messages is assumed.
@@ -2856,7 +2944,7 @@ LOGBURST=5
If this variable is not set or is given an empty value
- (IP_FORWARD="") then IP_FORWARD=On is assumed.
+ (IP_FORWARD="") then IP_FORWARD=On is assumed.
@@ -2865,14 +2953,15 @@ LOGBURST=5
This parameter determines whether Shorewall automatically adds
- the external address(es) in .
- If the variable is set to Yes or yes
- then Shorewall automatically adds these aliases. If it is set to
- No or no, you must add these aliases
- yourself using your distribution's network configuration tools.
+ the external address(es) in . If the variable is set to Yes or
+ yes then Shorewall automatically adds these aliases.
+ If it is set to No or no, you must add
+ these aliases yourself using your distribution's network
+ configuration tools.
If this variable is not set or is given an empty value
- (ADD_IP_ALIASES="") then ADD_IP_ALIASES=Yes is assumed.
+ (ADD_IP_ALIASES="") then ADD_IP_ALIASES=Yes is assumed.
@@ -2885,10 +2974,11 @@ LOGBURST=5
the variable is set to Yes or yes then
Shorewall automatically adds these addresses. If it is set to
No or no, you must add these addresses
- yourself using your distribution's network configuration tools.
+ yourself using your distribution's network configuration
+ tools.
If this variable is not set or is given an empty value
- (ADD_SNAT_ALIASES="") then ADD_SNAT_ALIASES=No is assumed.
+ (ADD_SNAT_ALIASES="") then ADD_SNAT_ALIASES=No is assumed.
@@ -2899,10 +2989,10 @@ LOGBURST=5
This parameter determines the logging level of mangled/invalid
packets controlled by the dropunclean and logunclean
interface options. If LOGUNCLEAN is empty (LOGUNCLEAN=) then packets
- selected by dropclean are dropped silently (logunclean
- packets are logged under the info log level).
- Otherwise, these packets are logged at the specified level (Example:
- LOGUNCLEAN=debug).
+ selected by dropclean are dropped silently
+ (logunclean packets are logged under the
+ info log level). Otherwise, these packets are logged
+ at the specified level (Example: LOGUNCLEAN=debug).
@@ -2924,10 +3014,10 @@ LOGBURST=5
This paremter determines if packets from blacklisted hosts are
logged and it determines the syslog level that they are to be logged
- at. Its value is a syslog level
- (Example: BLACKLIST_LOGLEVEL=debug). If you do not assign a value or
- if you assign an empty value then packets from blacklisted hosts are
- not logged.
+ at. Its value is a syslog
+ level (Example: BLACKLIST_LOGLEVEL=debug). If you do not
+ assign a value or if you assign an empty value then packets from
+ blacklisted hosts are not logged.
@@ -2939,7 +3029,8 @@ LOGBURST=5
Netfilter and is usually required when your internet connection is
through PPPoE or PPTP. If set to Yes or
yes, the feature is enabled. If left blank or set to
- No or no, the feature is not enabled.
+ No or no, the feature is not
+ enabled.
This option requires CONFIG_IP_NF_TARGET_TCPMSS
parameter exists (see above).The file that is released with Shorewall calls the Shorewall
- function loadmodule for the set of modules that I load.
+ function loadmodule for the set of modules that I
+ load.
- The loadmodule function is called as follows:
+ The loadmodule function is called as
+ follows:
- loadmodule <modulename> [ <module parameters> ]
+ loadmodule <modulename> [ <module parameters> ]where
- <modulename>
+ <modulename>is the name of the modules without the trailing
@@ -2990,7 +3083,7 @@ LOGBURST=5
- <module parameters>
+ <module parameters>Optional parameters to the insmod utility.
@@ -2998,31 +3091,31 @@ LOGBURST=5
- The function determines if the module named by <modulename>
- is already loaded and if not then the function determines if the
- .o file corresponding to the module exists in the
- <moduledirectory>; if so, then the following
- command is executed:
+ The function determines if the module named by
+ <modulename> is already loaded and if not then
+ the function determines if the .o file corresponding to the
+ module exists in the <moduledirectory>; if so,
+ then the following command is executed:
- insmod <moduledirectory>/<modulename>.o <module parameters>
+ insmod <moduledirectory>/<modulename>.o <module parameters>
- If the file doesn't exist, the function determines of the
+ If the file doesn't exist, the function determines of the
.o.gz file corresponding to the module exists in the
moduledirectory. If it does, the function assumes
that the running configuration supports compressed modules and execute the
following command:
- insmod <moduledirectory>/<modulename>.o.gz <module parameters>
+ insmod <moduledirectory>/<modulename>.o.gz <module parameters>Beginning with the 1.4.9 Shorewall release, the value of the
MODULE_SUFFIX option in determines which files the loadmodule function
- looks for if the named module doesn't exist. For each file
- <extension> listed in MODULE_SUFFIX (default
- "o gz ko o.gz"), the function will append a period (".")
- and the extension and if the resulting file exists then the following
- command will be executed:
+ looks for if the named module doesn't exist. For each file
+ <extension> listed in MODULE_SUFFIX (default "o
+ gz ko o.gz"), the function will append a period (".") and the extension
+ and if the resulting file exists then the following command will be
+ executed:
- insmod moduledirectory/<modulename>.<extension> <module parameters>
+ insmod moduledirectory/<modulename>.<extension> <module parameters>
@@ -3031,7 +3124,8 @@ LOGBURST=5
The /etc/shorewall/tos file allows you to set
the Type of Service field in packet headers based on packet source, packet
destination, protocol, source port and destination port. In order for this
- file to be processed by Shorewall, you must have mangle support enabled.
+ file to be processed by Shorewall, you must have mangle support
+ enabled.
Entries in the file have the following columns:
@@ -3042,11 +3136,11 @@ LOGBURST=5
The source zone. May be qualified by following the zone name
with a colon (:) and either an IP address, an IP
- subnet, a MAC address in
- Shorewall Format or the name of an interface. This column
- may also contain the name of the firewall zone to indicate packets
- originating on the firewall itself or all to indicate
- any source.
+ subnet, a MAC address in Shorewall Format
+ or the name of an interface. This column may also contain the name
+ of the firewall zone to indicate packets originating on the firewall
+ itself or all to indicate any source.
@@ -3066,8 +3160,8 @@ LOGBURST=5
PROTOCOL
- The name of a protocol in /etc/protocols or
- the protocol's number.
+ The name of a protocol in /etc/protocols
+ or the protocol's number.
@@ -3143,12 +3237,13 @@ all all tcp ftp-data - 8Packets from hosts listed in the
blacklist file will be disposed of according to the value assigned to the
- BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL
- variables in /etc/shorewall/shorewall.conf. Only packets arriving on
- interfaces that have the blacklist
- option in /etc/shorewall/interfaces are checked
- against the blacklist. The black list is designed to prevent listed
- hosts/subnets from accessing services on your
+ BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL variables in
+ /etc/shorewall/shorewall.conf. Only packets arriving on interfaces that
+ have the blacklist option
+ in /etc/shorewall/interfaces are checked against the
+ blacklist. The black list is designed to prevent listed hosts/subnets from
+ accessing services on your
network.
Beginning with Shorewall 1.3.8, the blacklist file has three
@@ -3181,7 +3276,8 @@ all all tcp ftp-data - 8iptables -h icmp).
+ of ICMP type numbers or names (see iptables -h
+ icmp).
@@ -3190,10 +3286,11 @@ all all tcp ftp-data - 8.
- The Shorewall blacklist file is NOT
- designed to police your users' web browsing -- to do that, I suggest
- that you install and configure Squid
- with SquidGuard.
+ The Shorewall blacklist file is NOT designed to police your users' web browsing
+ -- to do that, I suggest that you install and configure Squid with SquidGuard.
@@ -3225,7 +3322,8 @@ all all tcp ftp-data - 8RETURN
- Process the packet normally thru the rules and policies.
+ Process the packet normally thru the rules and
+ policies.
@@ -3241,8 +3339,9 @@ all all tcp ftp-data - 8logdrop
- Log then drop the packet -- see the RFC1918_LOG_LEVEL
- parameter above.
+ Log then drop the packet -- see the RFC1918_LOG_LEVEL parameter
+ above.
@@ -3250,9 +3349,9 @@ all all tcp ftp-data - 8
- If you want to modify this file, DO NOT MODIFY /usr/share/shorewall/rfc1918.
- Rather copy that file to /etc/shorewall/rfc1918 and
- modify the copy.
+ If you want to modify this file, DO NOT MODIFY
+ /usr/share/shorewall/rfc1918. Rather copy that file
+ to /etc/shorewall/rfc1918 and modify the copy.
@@ -3260,7 +3359,8 @@ all all tcp ftp-data - 8This file lists the subnets affected by the nobogons interface option and nobogons hosts option. Columns in the file are:
+ linkend="Hosts">nobogons hosts option. Columns in the file
+ are:
@@ -3282,7 +3382,8 @@ all all tcp ftp-data - 8RETURN
- Process the packet normally thru the rules and policies.
+ Process the packet normally thru the rules and
+ policies.
@@ -3298,8 +3399,8 @@ all all tcp ftp-data - 8logdrop
- Log then drop the packet -- see the BOGONS_LOG_LEVEL
- parameter above.
+ Log then drop the packet -- see the BOGONS_LOG_LEVEL parameter above.
@@ -3307,16 +3408,17 @@ all all tcp ftp-data - 8
- If you want to modify this file, DO NOT MODIFY /usr/share/shorewall/bogons.
- Rather copy that file to /etc/shorewall/bogons and
- modify the copy.
+ If you want to modify this file, DO NOT MODIFY
+ /usr/share/shorewall/bogons. Rather copy that file to
+ /etc/shorewall/bogons and modify the copy./etc/shorewall/netmap (Added in Version 2.0.1)
- Network mapping is defined using the /etc/shorewall/netmap
- file. Columns in this file are:
+ Network mapping is defined using the
+ /etc/shorewall/netmap file. Columns in this file
+ are:
@@ -3326,12 +3428,12 @@ all all tcp ftp-data - 8Must be DNAT or SNAT.
If DNAT, traffic entering INTERFACE and addressed to NET1 has
- it's destination address rewritten to the corresponding address
- in NET2.
+ it's destination address rewritten to the corresponding address in
+ NET2.
If SNAT, traffic leaving INTERFACE with a source address in
- NET1 has it's source address rewritten to the corresponding
- address in NET2.
+ NET1 has it's source address rewritten to the corresponding address
+ in NET2.
@@ -3339,7 +3441,8 @@ all all tcp ftp-data - 8NET1
- Must be expressed in CIDR format (e.g., 192.168.1.0/24).
+ Must be expressed in CIDR format (e.g.,
+ 192.168.1.0/24).
@@ -3348,7 +3451,8 @@ all all tcp ftp-data - 8
A firewall interface. This interface must have been defined in
- /etc/shorewall/interfaces.
+ /etc/shorewall/interfaces.
@@ -3423,19 +3527,206 @@ eth1 -
Accounting Documentation.
+
+ /etc/shorewall/ipsec (Added in Version 2.1.6)
+
+ This file is used to identify the Security Associations used to
+ encrypt traffic to hosts in a zone and to decrypt traffic from hosts in a
+ zone. Columns are:
+
+
+
+ ZONE
+
+
+ The name of a zone defined in /etc/shorewall/zones.
+
+
+
+
+ IPSEC
+
+
+
+ Yes - All traffic to/from this zone is encrypted.
+
+ No - Only traffic to/from some of the hosts in this zone
+ is encrypted. Those encrypted hosts are designated using the
+ ipsec option in /etc/shorewall/hosts.
+
+
+
+
+
+ OPTIONS, IN OPTIONS, OUT OPTIONS
+
+
+ Optional parameters that identify the security policy and
+ security associations used in communication with hosts in this zone.
+ A comma-separated list of the following:
+
+
+ proto=ah|esp|ipcomp
+
+ mode=transport|tunnel
+
+ reqid=<number> —
+ A number assiged to a security policy using the
+ unique:<number> as the SPD level. See setkey(8).
+
+ tunnel-src=<address>[/<mask>]
+ — Tunnel Source; may only be included with mode=tunnel. Since
+ tunnel source and destination are dependent on the direction of
+ the traffic, this option and the following one should only be
+ included in the IN OPTIONS and OUT OPTIONS columns.
+
+ tunnel-dst=<address>[/<mask>]
+ — Tunnel Destination; may only be included with
+ mode=tunnel.
+
+ spi=<number> —
+ The security parameter index of the Security Association. Since a
+ different SA is used for incoming and outgoing traffic, this
+ option should only be listed in the IN OPTIONS and OUT OPTIONS
+ columns.
+
+ strict — Must be
+ specified when SPD rules are used (e.g., esp encapsulated with
+ ah).
+
+ next — Separates rules
+ when strict is used.
+
+
+
+
+
+ See the IPSEC with 2.6 Kernel
+ documentation for further information.
+
+
Revision History
- 1.172004-04-05TEUpdate
- for Shorewall 2.0.21.162004-03-17TEClarified
- LOGBURST and LOGLIMIT.1.152004-02-16TEMove
- the rfc1918 file to /usr/share/shorewall.1.142004-02-13TEAdd
- a note about the order of rules.1.132004-02-03TEUpdate
- for Shorewall 2.0.1.122004-01-21TEAdd
- masquerade destination list.1.122004-01-18TECorrect
- typo.1.112004-01-05TEStandards
- Compliance1.102004-01-05TEImproved
- formatting of DNAT- and REDIRECT- for clarity1.92003-12-25MNInitial
- Docbook Conversion Complete
+
+
+ 1.18
+
+ 2004-08-22
+
+ TE
+
+ Add /etc/shorewall/ipsec documentation.
+
+
+
+ 1.17
+
+ 2004-04-05
+
+ TE
+
+ Update for Shorewall 2.0.2
+
+
+
+ 1.16
+
+ 2004-03-17
+
+ TE
+
+ Clarified LOGBURST and LOGLIMIT.
+
+
+
+ 1.15
+
+ 2004-02-16
+
+ TE
+
+ Move the rfc1918 file to
+ /usr/share/shorewall.
+
+
+
+ 1.14
+
+ 2004-02-13
+
+ TE
+
+ Add a note about the order of rules.
+
+
+
+ 1.13
+
+ 2004-02-03
+
+ TE
+
+ Update for Shorewall 2.0.
+
+
+
+ 1.12
+
+ 2004-01-21
+
+ TE
+
+ Add masquerade destination list.
+
+
+
+ 1.12
+
+ 2004-01-18
+
+ TE
+
+ Correct typo.
+
+
+
+ 1.11
+
+ 2004-01-05
+
+ TE
+
+ Standards Compliance
+
+
+
+ 1.10
+
+ 2004-01-05
+
+ TE
+
+ Improved formatting of DNAT- and REDIRECT- for
+ clarity
+
+
+
+ 1.9
+
+ 2003-12-25
+
+ MN
+
+ Initial Docbook Conversion Complete
+
+
\ No newline at end of file
diff --git a/Shorewall-docs2/IPSEC-2.6.xml b/Shorewall-docs2/IPSEC-2.6.xml
index cbf7496fc..e686ed47d 100644
--- a/Shorewall-docs2/IPSEC-2.6.xml
+++ b/Shorewall-docs2/IPSEC-2.6.xml
@@ -49,6 +49,10 @@
Shorewall 2.1 and Kernel 2.6 IPSEC
+ This is not a HOWTO for Kernel 2.6
+ IPSEC -- for that, please see http://www.ipsec-howto.org/.
+
The 2.6 Linux Kernel introduces new facilities for defining
encrypted communication between hosts in a network. The network
administrator defines a set of Security Policies which are stored in the
@@ -109,9 +113,10 @@
- A new /etc/shorewall/ipsec file allows you
- to associate zones with traffic that will be encrypted or that has
- been decrypted.
+ A new /etc/shorewall/ipsec
+ file allows you to associate zones with traffic that will be encrypted
+ or that has been decrypted.
@@ -128,7 +133,7 @@
The value Yes is placed in the
IPSEC column of the /etc/shorewall/ipsec entry
- for the zone.
+ for the zone.
@@ -150,7 +155,8 @@
Finally, the OPTIONS, IN OPTIONS and OUT OPTIONS columns in
/etc/shorewall/ipsec can be used to match the zone to a particular (set
- of) SA(s) used to encrypt and decrypt traffic to/from the zone.
+ of) SA(s) used to encrypt and decrypt traffic to/from the zone and the
+ security policies that select which traffic to encrypt/decrypt.