extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2024-12-16 03:10:39 +01:00
Code Issues Packages Projects Releases Wiki Activity

Sync with CVS

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@473 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2003-02-25 19:26:18 +00:00
parent 15607eeb96
commit 70b9971612
10 changed files with 4726 additions and 4431 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1217
STABLE/documentation/FAQ.htm
View File

File diff suppressed because it is too large Load Diff

2177
STABLE/documentation/News.htm
View File

File diff suppressed because it is too large Load Diff

568
STABLE/documentation/Shorewall_Squid_Usage.html
View File

@ -12,125 +12,128 @@
<table cellpadding="0" cellspacing="0" border="0" width="100%" <table cellpadding="0" cellspacing="0" border="0" width="100%"
bgcolor="#400169"> bgcolor="#400169">
<tbody> <tbody>
<tr> <tr>
<td valign="middle" width="33%" bgcolor="#400169"><a <td valign="middle" width="33%" bgcolor="#400169"><a
href="http://www.squid-cache.org/"><img src="images/squidnow.gif" href="http://www.squid-cache.org/"><img src="images/squidnow.gif"
alt="" width="88" height="31" hspace="4"> alt="" width="88" height="31" hspace="4">
</a><br> </a><br>
</td> </td>
<td valign="middle" height="90" align="center" width="34%"><font <td valign="middle" height="90" align="center" width="34%"><font
color="#ffffff"><b><big><big><big><big>Using Shorewall with Squid</big></big></big></big></b></font><br> color="#ffffff"><b><big><big><big><big>Using Shorewall with Squid</big></big></big></big></b></font><br>
</td> </td>
<td valign="middle" height="90" width="33%" align="right"><a <td valign="middle" height="90" width="33%" align="right"><a
href="http://www.squid-cache.org/"><img src="images/cache_now.gif" href="http://www.squid-cache.org/"><img src="images/cache_now.gif"
alt="" width="100" height="31" hspace="4"> alt="" width="100" height="31" hspace="4">
</a><br> </a><br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br> <br>
This page covers Shorewall configuration to use with <a This page covers Shorewall configuration to use with <a
href="http://www.squid-cache.org/">Squid </a>running as a <u><b>Transparent href="http://www.squid-cache.org/">Squid </a>running as a <u><b>Transparent
Proxy</b></u>.&nbsp;<br> Proxy</b></u>.&nbsp;<br>
<a href="#DMZ"></a><br> <a href="#DMZ"></a><br>
<img border="0" src="images/j0213519.gif" width="60" height="60" <img border="0" src="images/j0213519.gif" width="60" height="60"
alt="Caution" align="middle"> alt="Caution" align="middle">
&nbsp;&nbsp;&nbsp; Please observe the following general requirements:<br> &nbsp;&nbsp;&nbsp; Please observe the following general requirements:<br>
<br> <br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13"> <b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
&nbsp;&nbsp;&nbsp; </b>In all cases, Squid should be configured to run &nbsp;&nbsp;&nbsp; </b>In all cases, Squid should be configured to run
as a transparent proxy as described at <a as a transparent proxy as described at <a
href="http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html">http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html</a>.<br> href="http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html">http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html</a>.<br>
<b><br> <b><br>
</b><b><img src="images/BD21298_3.gif" alt="" width="13" height="13"> </b><b><img src="images/BD21298_3.gif" alt="" width="13"
&nbsp;&nbsp;&nbsp; </b>The following instructions mention the files /etc/shorewall/start height="13">
and /etc/shorewall/init -- if you don't have those files, siimply create &nbsp;&nbsp;&nbsp; </b>The following instructions mention the files
them.<br> /etc/shorewall/start and /etc/shorewall/init -- if you don't have those
<br> files, siimply create them.<br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13"> <br>
</b>&nbsp;&nbsp;&nbsp; When the Squid server is in the DMZ zone or in <b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
the local zone, that zone must be defined ONLY by its interface -- no /etc/shorewall/hosts </b>&nbsp;&nbsp;&nbsp; When the Squid server is in the DMZ zone or
file entries. That is because the packets being routed to the Squid server in the local zone, that zone must be defined ONLY by its interface -- no
still have their original destination IP addresses.<br> /etc/shorewall/hosts file entries. That is because the packets being routed
<br> to the Squid server still have their original destination IP addresses.<br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13"> <br>
</b>&nbsp;&nbsp;&nbsp; You must have iproute2 (<i>ip </i>utility) installed <b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
</b>&nbsp;&nbsp;&nbsp; You must have iproute2 (<i>ip </i>utility) installed
on your firewall.<br> on your firewall.<br>
<br> <br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13"> <b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
</b>&nbsp;&nbsp;&nbsp; You must have iptables installed on your Squid </b>&nbsp;&nbsp;&nbsp; You must have iptables installed on your Squid
server.<br> server.<br>
<br> <br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13"> <b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
</b>&nbsp;&nbsp;&nbsp; You must have NAT and MANGLE enabled in your </b>&nbsp;&nbsp;&nbsp; You must have NAT and MANGLE enabled in your
/etc/shorewall/conf file<br> /etc/shorewall/conf file<br>
<br> <br>
&nbsp;&nbsp;&nbsp; <b><font color="#009900">&nbsp;&nbsp;&nbsp; NAT_ENABLED=Yes<br> &nbsp;&nbsp;&nbsp; <b><font color="#009900">&nbsp;&nbsp;&nbsp; NAT_ENABLED=Yes<br>
</font></b>&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; <font color="#009900"><b>MANGLE_ENABLED=Yes</b></font><br> </font></b>&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; <font
<br> color="#009900"><b>MANGLE_ENABLED=Yes</b></font><br>
Three different configurations are covered:<br> <br>
Three different configurations are covered:<br>
<ol> <ol>
<li><a href="Shorewall_Squid_Usage.html#Firewall">Squid running on <li><a href="Shorewall_Squid_Usage.html#Firewall">Squid running on
the Firewall.</a></li> the Firewall.</a></li>
<li><a href="Shorewall_Squid_Usage.html#Local">Squid running in the <li><a href="Shorewall_Squid_Usage.html#Local">Squid running in the
local network</a></li> local network</a></li>
<li><a href="Shorewall_Squid_Usage.html#DMZ">Squid running in the DMZ</a></li> <li><a href="Shorewall_Squid_Usage.html#DMZ">Squid running in the
DMZ</a></li>
</ol> </ol>
<h2><a name="Firewall"></a>Squid Running on the Firewall</h2> <h2><a name="Firewall"></a>Squid Running on the Firewall</h2>
You want to redirect all local www connection requests EXCEPT You want to redirect all local www connection requests EXCEPT
those to your own those to your own
http server (206.124.146.177) http server (206.124.146.177)
to a Squid transparent to a Squid transparent
proxy running on the firewall and listening on port 3128. Squid proxy running on the firewall and listening on port 3128. Squid
will of course require access to remote web servers.<br> will of course require access to remote web servers.<br>
<br> <br>
In /etc/shorewall/rules:<br> In /etc/shorewall/rules:<br>
<br> <br>
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"> <table border="1" cellpadding="2" style="border-collapse: collapse;">
<tbody> <tbody>
<tr> <tr>
<td><b>ACTION</b></td> <td><b>ACTION</b></td>
<td><b>SOURCE</b></td> <td><b>SOURCE</b></td>
<td><b>DEST</b></td> <td><b>DEST</b></td>
<td><b> PROTO</b></td> <td><b> PROTO</b></td>
<td><b>DEST<br> <td><b>DEST<br>
PORT(S)</b></td> PORT(S)</b></td>
<td><b>SOURCE<br> <td><b>SOURCE<br>
PORT(S)</b></td> PORT(S)</b></td>
<td><b>ORIGINAL<br> <td><b>ORIGINAL<br>
DEST</b></td> DEST</b></td>
</tr> </tr>
<tr> <tr>
<td>REDIRECT</td> <td>REDIRECT</td>
<td>loc</td> <td>loc</td>
<td>3128</td> <td>3128</td>
<td>tcp</td> <td>tcp</td>
<td>www</td> <td>www</td>
<td> -<br> <td> -<br>
</td> </td>
<td>!206.124.146.177</td> <td>!206.124.146.177</td>
</tr> </tr>
<tr> <tr>
<td>ACCEPT</td> <td>ACCEPT</td>
<td>fw</td> <td>fw</td>
<td>net</td> <td>net</td>
<td>tcp</td> <td>tcp</td>
<td>www</td> <td>www</td>
<td> <br> <td> <br>
</td> </td>
<td> <br> <td> <br>
</td> </td>
</tr> </tr>
@ -141,75 +144,75 @@ local network</a></li>
</table> </table>
<br> <br>
</blockquote> </blockquote>
<h2><a name="Local"></a>Squid Running in the local network</h2> <h2><a name="Local"></a>Squid Running in the local network</h2>
You want to redirect all local www connection requests to a Squid You want to redirect all local www connection requests to a Squid
transparent proxy transparent proxy
running in your local zone at 192.168.1.3 and listening on port 3128. running in your local zone at 192.168.1.3 and listening on port 3128.
Your local interface is eth1. There may also be a web server running on Your local interface is eth1. There may also be a web server running on
192.168.1.3. It is assumed that web access is already enabled from the local 192.168.1.3. It is assumed that web access is already enabled from the local
zone to the internet.<br> zone to the internet.<br>
<p><font color="#ff0000"><b>WARNING: </b></font>This setup may conflict with <p><font color="#ff0000"><b>WARNING: </b></font>This setup may conflict with
other aspects of your gateway including but not limited to traffic shaping other aspects of your gateway including but not limited to traffic shaping
and route redirection. For that reason, <b>I don't recommend it</b>.<br> and route redirection. For that reason, <b>I don't recommend it</b>.<br>
</p> </p>
<ul> <ul>
<li>On your firewall system, issue the following command<br> <li>On your firewall system, issue the following command<br>
</li> </li>
</ul> </ul>
<blockquote> <blockquote>
<pre><b><font color="#009900">echo 202 www.out &gt;&gt; /etc/iproute2/rt_tables</font></b><br></pre> <pre><b><font color="#009900">echo 202 www.out &gt;&gt; /etc/iproute2/rt_tables</font></b><br></pre>
</blockquote> </blockquote>
<ul> <ul>
<li>In /etc/shorewall/init, put:<br> <li>In /etc/shorewall/init, put:<br>
</li> </li>
</ul> </ul>
<blockquote> <blockquote>
<pre><b><font color="#009900">if [ -z "`ip rule list | grep www.out`" ] ; then<br> ip rule add fwmark 202 table www.out<br> ip route add default via 192.168.1.3 dev eth1 table www.out<br> ip route flush cache<br> echo 0 &gt; /proc/sys/net/ipv4/conf/eth1/send_redirects<br>fi<br></font></b></pre> <pre><b><font color="#009900">if [ -z "`ip rule list | grep www.out`" ] ; then<br> ip rule add fwmark 202 table www.out<br> ip route add default via 192.168.1.3 dev eth1 table www.out<br> ip route flush cache<br> echo 0 &gt; /proc/sys/net/ipv4/conf/eth1/send_redirects<br>fi<br></font></b></pre>
</blockquote> </blockquote>
<ul> <ul>
<li>In /etc/shorewall/rules:<br> <li>In /etc/shorewall/rules:<br>
<br> <br>
<table border="1" cellpadding="2" style="border-collapse: collapse;"> <table border="1" cellpadding="2" style="border-collapse: collapse;">
<tbody> <tbody>
<tr> <tr>
<td><b>ACTION</b></td> <td><b>ACTION</b></td>
<td><b>SOURCE</b></td> <td><b>SOURCE</b></td>
<td><b>DEST</b></td> <td><b>DEST</b></td>
<td><b> PROTO</b></td> <td><b> PROTO</b></td>
<td><b>DEST<br> <td><b>DEST<br>
PORT(S)</b></td> PORT(S)</b></td>
<td><b>SOURCE<br> <td><b>SOURCE<br>
PORT(S)</b></td> PORT(S)</b></td>
<td><b>ORIGINAL<br> <td><b>ORIGINAL<br>
DEST</b></td> DEST</b></td>
</tr> </tr>
<tr> <tr>
<td>ACCEPT<br> <td>ACCEPT<br>
</td> </td>
<td>loc</td> <td>loc</td>
<td>loc<br> <td>loc<br>
</td> </td>
<td>tcp</td> <td>tcp</td>
<td>www</td> <td>www</td>
<td> <br> <td> <br>
</td> </td>
<td><br> <td><br>
</td> </td>
</tr> </tr>
@ -220,152 +223,113 @@ zone to the internet.<br>
</table> </table>
<br> <br>
</li> </li>
<li>Alternativfely, you can have the following policy:<br> <li>Alternativfely, you can have the following policy:<br>
<br> <br>
<table cellpadding="2" cellspacing="0" border="1"> <table cellpadding="2" cellspacing="0" border="1">
<tbody> <tbody>
<tr> <tr>
<td valign="top"><b>SOURCE<br> <td valign="top"><b>SOURCE<br>
</b></td> </b></td>
<td valign="top"><b>DESTINATION<br> <td valign="top"><b>DESTINATION<br>
</b></td> </b></td>
<td valign="top"><b>POLICY<br> <td valign="top"><b>POLICY<br>
</b></td> </b></td>
<td valign="top"><b>LOG LEVEL<br> <td valign="top"><b>LOG LEVEL<br>
</b></td> </b></td>
<td valign="top"><b>BURST PARAMETERS<br> <td valign="top"><b>BURST PARAMETERS<br>
</b></td> </b></td>
</tr> </tr>
<tr> <tr>
<td valign="top">loc<br> <td valign="top">loc<br>
</td> </td>
<td valign="top">loc<br> <td valign="top">loc<br>
</td> </td>
<td valign="top">ACCEPT<br> <td valign="top">ACCEPT<br>
</td> </td>
<td valign="top"><br> <td valign="top"><br>
</td> </td>
<td valign="top"><br> <td valign="top"><br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br> <br>
</li> </li>
<li>In /etc/shorewall/start add:<br> <li>In /etc/shorewall/start add:<br>
</li> </li>
</ul> </ul>
<blockquote> <blockquote>
<pre><font color="#009900"><b>iptables -t mangle -A PREROUTING -i eth1 -s ! 192.168.1.3 -p tcp --dport 80 -j MARK --set-mark 202</b></font><br></pre> <pre><font color="#009900"><b>iptables -t mangle -A PREROUTING -i eth1 -s ! 192.168.1.3 -p tcp --dport 80 -j MARK --set-mark 202</b></font><br></pre>
</blockquote> </blockquote>
<ul> <ul>
<li>On 192.168.1.3, arrange for the following command to be executed <li>On 192.168.1.3, arrange for the following command to be executed
after networking has come up<br> after networking has come up<br>
<pre><b><font color="#009900">iptables -t nat -A PREROUTING -i eth0 -d ! 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 3128</font></b><br></pre> <pre><b><font color="#009900">iptables -t nat -A PREROUTING -i eth0 -d ! 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 3128</font></b><br></pre>
</li> </li>
</ul> </ul>
<blockquote> If you are running RedHat on the server, you can simply execute <blockquote> If you are running RedHat on the server, you can simply execute
the following commands after you have typed the iptables command above:<br> the following commands after you have typed the iptables command above:<br>
</blockquote> </blockquote>
<blockquote> <blockquote>
<blockquote> </blockquote> <blockquote> </blockquote>
<pre><font color="#009900"><b>iptables-save &gt; /etc/sysconfig/iptables</b></font><font <pre><font color="#009900"><b>iptables-save &gt; /etc/sysconfig/iptables</b></font><font
color="#009900"><b><br>chkconfig --level 35 iptables start<br></b></font></pre> color="#009900"><b><br>chkconfig --level 35 iptables start<br></b></font></pre>
</blockquote> </blockquote>
<blockquote> </blockquote> <blockquote> </blockquote>
<h2><a name="DMZ"></a>Squid Running in the DMZ (This is what I do)</h2> <h2><a name="DMZ"></a>Squid Running in the DMZ (This is what I do)</h2>
You have a single Linux system in your DMZ with IP address 192.0.2.177. You have a single Linux system in your DMZ with IP address 192.0.2.177.
You want to run both a web server and Squid on that system. Your DMZ interface You want to run both a web server and Squid on that system. Your DMZ interface
is eth1 and your local interface is eth2.<br> is eth1 and your local interface is eth2.<br>
<ul> <ul>
<li>On your firewall system, issue the following command<br> <li>On your firewall system, issue the following command<br>
</li> </li>
</ul> </ul>
<blockquote> <blockquote>
<pre><font color="#009900"><b>echo 202 www.out &gt;&gt; /etc/iproute2/rt_tables</b></font><br></pre> <pre><font color="#009900"><b>echo 202 www.out &gt;&gt; /etc/iproute2/rt_tables</b></font><br></pre>
</blockquote> </blockquote>
<ul> <ul>
<li>In /etc/shorewall/init, put:<br> <li>In /etc/shorewall/init, put:<br>
</li> </li>
</ul> </ul>
<blockquote> <blockquote>
<pre><font color="#009900"><b>if [ -z "`ip rule list | grep www.out`" ] ; then<br> ip rule add fwmark 202 table www.out<br> ip route add default via 192.0.2.177 dev eth1 table www.out<br> ip route flush cache<br>fi</b></font><br></pre> <pre><font color="#009900"><b>if [ -z "`ip rule list | grep www.out`" ] ; then<br> ip rule add fwmark 202 table www.out<br> ip route add default via 192.0.2.177 dev eth1 table www.out<br> ip route flush cache<br>fi</b></font><br></pre>
</blockquote> </blockquote>
<ul> <ul>
<li>&nbsp;Do<b> one </b>of the following:<br> <li>&nbsp;Do<b> one </b>of the following:<br>
<br> <br>
A) In /etc/shorewall/start add<br> A) In /etc/shorewall/start add<br>
</li> </li>
</ul> </ul>
<blockquote> <blockquote>
<pre><b><font color="#009900"> iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK --set-mark 202</font></b><br></pre> <pre><b><font color="#009900"> iptables -t mangle -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK --set-mark 202</font></b><br></pre>
</blockquote> </blockquote>
<blockquote>B) Set MARK_IN_FORWARD_CHAIN=No in /etc/shorewall/shorewall.conf <blockquote>B) Set MARK_IN_FORWARD_CHAIN=No in /etc/shorewall/shorewall.conf
and add the following entry in /etc/shorewall/tcrules:<br> and add the following entry in /etc/shorewall/tcrules:<br>
</blockquote> </blockquote>
<blockquote>
<blockquote>
<table cellpadding="2" border="1" cellspacing="0">
<tbody>
<tr>
<td valign="top">MARK<br>
</td>
<td valign="top">SOURCE<br>
</td>
<td valign="top">DESTINATION<br>
</td>
<td valign="top">PROTOCOL<br>
</td>
<td valign="top">PORT<br>
</td>
<td valign="top">CLIENT PORT<br>
</td>
</tr>
<tr>
<td valign="top">202<br>
</td>
<td valign="top">eth2<br>
</td>
<td valign="top">0.0.0.0/0<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">80<br>
</td>
<td valign="top">-<br>
</td>
</tr>
</tbody>
</table>
</blockquote>
C) Run Shorewall 1.3.14 or later and add the following entry in /etc/shorewall/tcrules:<br>
</blockquote>
<blockquote> <blockquote>
<blockquote> <blockquote>
@ -386,7 +350,7 @@ and add the following entry in /etc/shorewall/tcrules:<br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top">202:P<br> <td valign="top">202<br>
</td> </td>
<td valign="top">eth2<br> <td valign="top">eth2<br>
</td> </td>
@ -403,90 +367,130 @@ and add the following entry in /etc/shorewall/tcrules:<br>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
<br> C) Run Shorewall 1.3.14 or later and add the following entry in /etc/shorewall/tcrules:<br>
</blockquote> </blockquote>
<blockquote>
<blockquote>
<table cellpadding="2" border="1" cellspacing="0">
<tbody>
<tr>
<td valign="top">MARK<br>
</td>
<td valign="top">SOURCE<br>
</td>
<td valign="top">DESTINATION<br>
</td>
<td valign="top">PROTOCOL<br>
</td>
<td valign="top">PORT<br>
</td>
<td valign="top">CLIENT PORT<br>
</td>
</tr>
<tr>
<td valign="top">202:P<br>
</td>
<td valign="top">eth2<br>
</td>
<td valign="top">0.0.0.0/0<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">80<br>
</td>
<td valign="top">-<br>
</td>
</tr>
</tbody>
</table>
</blockquote>
<br>
</blockquote>
<ul> <ul>
<li>In /etc/shorewall/rules, you will need:</li> <li>In /etc/shorewall/rules, you will need:</li>
</ul> </ul>
<blockquote> <blockquote>
<table cellpadding="2" border="1" cellspacing="0"> <table cellpadding="2" border="1" cellspacing="0">
<tbody> <tbody>
<tr> <tr>
<td valign="top">ACTION<br> <td valign="top">ACTION<br>
</td> </td>
<td valign="top">SOURCE<br> <td valign="top">SOURCE<br>
</td> </td>
<td valign="top">DEST<br> <td valign="top">DEST<br>
</td> </td>
<td valign="top">PROTO<br> <td valign="top">PROTO<br>
</td> </td>
<td valign="top">DEST<br> <td valign="top">DEST<br>
PORT(S)<br> PORT(S)<br>
</td> </td>
<td valign="top">CLIENT<br> <td valign="top">CLIENT<br>
PORT(2)<br> PORT(2)<br>
</td> </td>
<td valign="top">ORIGINAL<br> <td valign="top">ORIGINAL<br>
DEST<br> DEST<br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top">ACCEPT<br> <td valign="top">ACCEPT<br>
</td> </td>
<td valign="top">dmz<br> <td valign="top">dmz<br>
</td> </td>
<td valign="top">net<br> <td valign="top">net<br>
</td> </td>
<td valign="top">tcp<br> <td valign="top">tcp<br>
</td> </td>
<td valign="top">80<br> <td valign="top">80<br>
</td> </td>
<td valign="top"><br> <td valign="top"><br>
</td> </td>
<td valign="top"><br> <td valign="top"><br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br> <br>
</blockquote> </blockquote>
<ul> <ul>
<li>On 192.0.2.177 (your Web/Squid server), arrange for the following <li>On 192.0.2.177 (your Web/Squid server), arrange for the following
command to be executed after networking has come up<br> command to be executed after networking has come up<br>
<pre><font color="#009900"><b>iptables -t nat -A PREROUTING -i eth0 -d ! 192.0.2.177 -p tcp --dport 80 -j REDIRECT --to-ports 3128</b></font><br></pre> <pre><font color="#009900"><b>iptables -t nat -A PREROUTING -i eth0 -d ! 192.0.2.177 -p tcp --dport 80 -j REDIRECT --to-ports 3128</b></font><br></pre>
</li> </li>
</ul> </ul>
<blockquote> If you are running RedHat on the server, you can simply execute <blockquote> If you are running RedHat on the server, you can simply execute
the following commands after you have typed the iptables command above:<br> the following commands after you have typed the iptables command above:<br>
</blockquote> </blockquote>
<blockquote> <blockquote>
<blockquote> </blockquote> <blockquote> </blockquote>
<pre><font color="#009900"><b>iptables-save &gt; /etc/sysconfig/iptables</b></font><font <pre><font color="#009900"><b>iptables-save &gt; /etc/sysconfig/iptables</b></font><font
color="#009900"><b><br>chkconfig --level 35 iptables start<br></b></font></pre> color="#009900"><b><br>chkconfig --level 35 iptables start<br></b></font></pre>
</blockquote> </blockquote>
<blockquote> </blockquote> <blockquote> </blockquote>
<p><font size="-1"> Updated 1/23/2003 - <a href="support.htm">Tom Eastep</a> <p><font size="-1"> Updated 2/22/2003 - <a href="support.htm">Tom Eastep</a>
</font></p> </font></p>
<a <a
href="copyright.htm"><font size="2">Copyright</font> &copy; <font href="copyright.htm"><font size="2">Copyright</font> &copy; <font
size="2">2003 Thomas M. Eastep.</font></a><br> size="2">2003 Thomas M. Eastep.</font></a><br>
<br> <br>
<br> <br>
<br> <br>
<br>
<br> <br>
<br> <br>
<br> <br>

610
STABLE/documentation/errata.htm
View File

@ -22,14 +22,14 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1> <h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
@ -38,70 +38,71 @@
<p align="center"> <b><u>IMPORTANT</u></b></p> <p align="center"> <b><u>IMPORTANT</u></b></p>
<ol> <ol>
<li> <li>
<p align="left"> <b><u>I</u>f you use a Windows system to download <p align="left"> <b><u>I</u>f you use a Windows system to download
a corrected script, be sure to run the script through <u> a corrected script, be sure to run the script through <u>
<a href="http://www.megaloman.com/%7Ehany/software/hd2u/" <a href="http://www.megaloman.com/%7Ehany/software/hd2u/"
style="text-decoration: none;"> dos2unix</a></u> after you have moved style="text-decoration: none;"> dos2unix</a></u> after you have moved
it to your Linux system.</b></p> it to your Linux system.</b></p>
</li> </li>
<li> <li>
<p align="left"> <b>If you are installing Shorewall for the first <p align="left"> <b>If you are installing Shorewall for the
time and plan to use the .tgz and install.sh script, you can untar first time and plan to use the .tgz and install.sh script, you can
the archive, replace the 'firewall' script in the untarred directory untar the archive, replace the 'firewall' script in the untarred directory
with the one you downloaded below, and then run install.sh.</b></p> with the one you downloaded below, and then run install.sh.</b></p>
</li> </li>
<li> <li>
<p align="left"> <b>If you are running a Shorewall version earlier <p align="left"> <b>If you are running a Shorewall version earlier
than 1.3.11, when the instructions say to install a corrected firewall than 1.3.11, when the instructions say to install a corrected
script in /etc/shorewall/firewall, /usr/lib/shorewall/firewall firewall script in /etc/shorewall/firewall, /usr/lib/shorewall/firewall
or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to overwrite or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to
the existing file. DO NOT REMOVE OR RENAME THE OLD /etc/shorewall/firewall overwrite the existing file. DO NOT REMOVE OR RENAME THE OLD
or /var/lib/shorewall/firewall before you do that. /etc/shorewall/firewall /etc/shorewall/firewall or /var/lib/shorewall/firewall before
and /var/lib/shorewall/firewall are symbolic links that point you do that. /etc/shorewall/firewall and /var/lib/shorewall/firewall
to the 'shorewall' file used by your system initialization scripts are symbolic links that point to the 'shorewall' file used by
to start Shorewall during boot. It is that file that must be your system initialization scripts to start Shorewall during
overwritten with the corrected script. Beginning with Shorewall boot. It is that file that must be overwritten with the corrected
1.3.11, you may rename the existing file before copying in the new file.</b></p> script. Beginning with Shorewall 1.3.11, you may rename the existing file
</li> before copying in the new file.</b></p>
<li> </li>
<li>
<p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS <p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW.
For example, do NOT install the 1.3.9a firewall script if you are running For example, do NOT install the 1.3.9a firewall script if you are running
1.3.7c.</font></b><br> 1.3.7c.</font></b><br>
</p> </p>
</li> </li>
</ol> </ol>
<ul> <ul>
<li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li> <li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
<li> <b><a <li> <b><a
href="#V1.3">Problems in Version 1.3</a></b></li> href="#V1.3">Problems in Version 1.3</a></b></li>
<li> <b><a <li> <b><a
href="errata_2.htm">Problems in Version 1.2</a></b></li> href="errata_2.htm">Problems in Version 1.2</a></b></li>
<li> <b><font <li> <b><font
color="#660066"> <a href="errata_1.htm">Problems in Version 1.1</a></font></b></li> color="#660066"> <a href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
<li> <b><font <li> <b><font
color="#660066"><a href="#iptables"> Problem with iptables version 1.2.3 color="#660066"><a href="#iptables"> Problem with iptables version 1.2.3
on RH7.2</a></font></b></li> on RH7.2</a></font></b></li>
<li> <b><a <li> <b><a
href="#Debug">Problems with kernels &gt;= 2.4.18 and RedHat href="#Debug">Problems with kernels &gt;= 2.4.18 and
iptables</a></b></li> RedHat iptables</a></b></li>
<li><b><a href="#SuSE">Problems installing/upgrading <li><b><a href="#SuSE">Problems installing/upgrading
RPM on SuSE</a></b></li> RPM on SuSE</a></b></li>
<li><b><a href="#Multiport">Problems with iptables <li><b><a href="#Multiport">Problems with iptables
version 1.2.7 and MULTIPORT=Yes</a></b></li> version 1.2.7 and MULTIPORT=Yes</a></b></li>
<li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10 <li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10
and NAT</a></b><br> and NAT</a></b><br>
</li> </li>
</ul> </ul>
@ -112,19 +113,24 @@ iptables</a></b></li>
<h3>Version 1.3.14</h3> <h3>Version 1.3.14</h3>
<ul> <ul>
<li>There is an <a <li>There is an <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.14/rfc1918">updated href="http://www.shorewall.net/pub/shorewall/errata/1.3.14/rfc1918">updated
rfc1918</a> file that reflects the resent allocation of 222.0.0.0/8 and rfc1918</a> file that reflects the resent allocation of 222.0.0.0/8 and 223.0.0.0/8.</li>
223.0.0.0/8.</li>
</ul>
<ul>
<li>The documentation for the routestopped file claimed that a comma-separated
list could appear in the second column while the code only supported a single
host or network address.</li>
<li>Log messages produced by 'logunclean' and 'dropunclean' were not rate-limited.</li>
</ul> </ul>
Both problems have been corrected in <a
<ul>
<li>The documentation for the routestopped file claimed that a comma-separated
list could appear in the second column while the code only supported a single
host or network address.</li>
<li>Log messages produced by 'logunclean' and 'dropunclean' were not
rate-limited.</li>
<li>802.11b devices with names of the form <i>wlan</i>&lt;n&gt; don't support
the 'maclist' interface option.<br>
</li>
</ul>
These three problems have been corrected in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.14/firewall">this href="http://www.shorewall.net/pub/shorewall/errata/1.3.14/firewall">this
firewall script</a> which may be installed in /usr/lib/shorewall as described firewall script</a> which may be installed in /usr/lib/shorewall as described
above.<br> above.<br>
@ -132,110 +138,112 @@ iptables</a></b></li>
<h3>Version 1.3.13</h3> <h3>Version 1.3.13</h3>
<ul> <ul>
<li>The 'shorewall add' command produces an error message referring <li>The 'shorewall add' command produces an error message referring
to 'find_interfaces_by_maclist'.</li> to 'find_interfaces_by_maclist'.</li>
<li>The 'shorewall delete' command can leave behind undeleted rules.</li> <li>The 'shorewall delete' command can leave behind undeleted rules.</li>
<li>The 'shorewall add' command can fail with "iptables: Index of insertion <li>The 'shorewall add' command can fail with "iptables: Index of insertion
too big".<br> too big".<br>
</li> </li>
</ul> </ul>
All three problems are corrected by <a All three problems are corrected by <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.13/firewall">this href="http://www.shorewall.net/pub/shorewall/errata/1.3.13/firewall">this
firewall script</a> which may be installed in /usr/lib/shorewall as described firewall script</a> which may be installed in /usr/lib/shorewall as described
above.<br> above.<br>
<ul> <ul>
<li>VLAN interface names of the form "eth<i>n</i>.<i>m</i>" (e.g., <li>VLAN interface names of the form "eth<i>n</i>.<i>m</i>" (e.g.,
eth0.1) are not supported in this version or in 1.3.12. If you need such eth0.1) are not supported in this version or in 1.3.12. If you need such
support, post on the users list and I can provide you with a patched version.<br> support, post on the users list and I can provide you with a patched version.<br>
</li> </li>
</ul> </ul>
<h3>Version 1.3.12</h3> <h3>Version 1.3.12</h3>
<ul> <ul>
<li>If RFC_1918_LOG_LEVEL is set to anything but ULOG, the effect <li>If RFC_1918_LOG_LEVEL is set to anything but ULOG, the effect
is the same as if RFC_1918_LOG_LEVEL=info had been specified. The problem is the same as if RFC_1918_LOG_LEVEL=info had been specified. The problem
is corrected by <a is corrected by <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.12/firewall">this href="http://www.shorewall.net/pub/shorewall/errata/1.3.12/firewall">this
firewall script</a> which may be installed in /usr/lib/shorewall as described firewall script</a> which may be installed in /usr/lib/shorewall as described
above.</li> above.</li>
<li>VLAN interface names of the form "eth<i>n</i>.<i>m</i>" (e.g., <li>VLAN interface names of the form "eth<i>n</i>.<i>m</i>" (e.g.,
eth0.1) are not supported in this version or in 1.3.13. If you need such eth0.1) are not supported in this version or in 1.3.13. If you need such
support, post on the users list and I can provide you with a patched version.<br> support, post on the users list and I can provide you with a patched version.<br>
</li> </li>
</ul> </ul>
<h3>Version 1.3.12 LRP</h3> <h3>Version 1.3.12 LRP</h3>
<ul> <ul>
<li>The .lrp was missing the /etc/shorewall/routestopped file -- <li>The .lrp was missing the /etc/shorewall/routestopped file
a new lrp (shorwall-1.3.12a.lrp) has been released which corrects this -- a new lrp (shorwall-1.3.12a.lrp) has been released which corrects
problem.<br> this problem.<br>
</li> </li>
</ul> </ul>
<h3>Version 1.3.11a</h3> <h3>Version 1.3.11a</h3>
<ul> <ul>
<li><a <li><a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.11/rfc1918">This href="http://www.shorewall.net/pub/shorewall/errata/1.3.11/rfc1918">This
copy of /etc/shorewall/rfc1918</a> reflects the recent allocation of 82.0.0.0/8.<br> copy of /etc/shorewall/rfc1918</a> reflects the recent allocation of
</li> 82.0.0.0/8.<br>
</li>
</ul> </ul>
<h3>Version 1.3.11</h3> <h3>Version 1.3.11</h3>
<ul> <ul>
<li>When installing/upgrading using the .rpm, you may receive <li>When installing/upgrading using the .rpm, you may receive
the following warnings:<br> the following warnings:<br>
<br> <br>
     user teastep does not exist - using root<br>      user teastep does not exist - using root<br>
     group teastep does not exist - using root<br>      group teastep does not exist - using root<br>
<br> <br>
These warnings are harmless and may be ignored. Users downloading These warnings are harmless and may be ignored. Users downloading
the .rpm from shorewall.net or mirrors should no longer see these warnings the .rpm from shorewall.net or mirrors should no longer see these warnings
as the .rpm you will get from there has been corrected.</li> as the .rpm you will get from there has been corrected.</li>
<li>DNAT rules that exclude a source subzone (SOURCE column <li>DNAT rules that exclude a source subzone (SOURCE column
contains ! followed by a sub-zone list) result in an error message and contains ! followed by a sub-zone list) result in an error message and
Shorewall fails to start.<br> Shorewall fails to start.<br>
<br> <br>
Install <a Install <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.11/firewall">this href="http://www.shorewall.net/pub/shorewall/errata/1.3.11/firewall">this
corrected script</a> in /usr/lib/shorewall/firewall to correct this problem. corrected script</a> in /usr/lib/shorewall/firewall to correct this
Thanks go to Roger Aich who analyzed this problem and provided a fix.<br> problem. Thanks go to Roger Aich who analyzed this problem and provided
<br> a fix.<br>
This problem is corrected in version 1.3.11a.<br> <br>
</li> This problem is corrected in version 1.3.11a.<br>
</li>
</ul> </ul>
<h3>Version 1.3.10</h3> <h3>Version 1.3.10</h3>
<ul> <ul>
<li>If you experience problems connecting to a PPTP server <li>If you experience problems connecting to a PPTP server
running on your firewall and you have a 'pptpserver' entry in /etc/shorewall/tunnels, running on your firewall and you have a 'pptpserver' entry in /etc/shorewall/tunnels,
<a <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.10/firewall">this href="http://www.shorewall.net/pub/shorewall/errata/1.3.10/firewall">this
version of the firewall script</a> may help. Please report any cases version of the firewall script</a> may help. Please report any cases
where installing this script in /usr/lib/shorewall/firewall solved your where installing this script in /usr/lib/shorewall/firewall solved
connection problems. Beginning with version 1.3.10, it is safe to save your connection problems. Beginning with version 1.3.10, it is safe
the old version of /usr/lib/shorewall/firewall before copying in the to save the old version of /usr/lib/shorewall/firewall before copying
new one since /usr/lib/shorewall/firewall is the real script now and not in the new one since /usr/lib/shorewall/firewall is the real script
just a symbolic link to the real script.<br> now and not just a symbolic link to the real script.<br>
</li> </li>
</ul> </ul>
<h3>Version 1.3.9a</h3> <h3>Version 1.3.9a</h3>
<ul> <ul>
<li> If entries are used in /etc/shorewall/hosts and MERGE_HOSTS=No <li> If entries are used in /etc/shorewall/hosts and MERGE_HOSTS=No
then the following message appears during "shorewall [re]start":</li> then the following message appears during "shorewall [re]start":</li>
</ul> </ul>
@ -247,102 +255,102 @@ just a symbolic link to the real script.<br>
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a> target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
corrects this problem.Copy the script to /usr/lib/shorewall/firewall corrects this problem.Copy the script to /usr/lib/shorewall/firewall
as described above.<br> as described above.<br>
</blockquote> </blockquote>
<blockquote> Alternatively, edit /usr/lob/shorewall/firewall and change the <blockquote> Alternatively, edit /usr/lob/shorewall/firewall and change the
single occurence (line 483 in version 1.3.9a) of 'recalculate_interefacess' single occurence (line 483 in version 1.3.9a) of 'recalculate_interefacess'
to 'recalculate_interface'. <br> to 'recalculate_interface'. <br>
</blockquote> </blockquote>
<ul> <ul>
<li>The installer (install.sh) issues a misleading message <li>The installer (install.sh) issues a misleading message
"Common functions installed in /var/lib/shorewall/functions" whereas "Common functions installed in /var/lib/shorewall/functions" whereas
the file is installed in /usr/lib/shorewall/functions. The installer the file is installed in /usr/lib/shorewall/functions. The installer
also performs incorrectly when updating old configurations that had the also performs incorrectly when updating old configurations that had the
file /etc/shorewall/functions. <a file /etc/shorewall/functions. <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.3.9/install.sh">Here href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.3.9/install.sh">Here
is an updated version that corrects these problems.<br> is an updated version that corrects these problems.<br>
</a></li> </a></li>
</ul> </ul>
<h3>Version 1.3.9</h3> <h3>Version 1.3.9</h3>
<b>TUNNELS Broken in 1.3.9!!! </b>There is an updated firewall <b>TUNNELS Broken in 1.3.9!!! </b>There is an updated
script at <a firewall script at <a
href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall" href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a> target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
-- copy that file to /usr/lib/shorewall/firewall as described above.<br> -- copy that file to /usr/lib/shorewall/firewall as described above.<br>
<br> <br>
Version 1.3.8 Version 1.3.8
<ul> <ul>
<li> Use of shell variables in the LOG LEVEL or SYNPARMS <li> Use of shell variables in the LOG LEVEL or SYNPARMS
columns of the policy file doesn't work.</li> columns of the policy file doesn't work.</li>
<li>A DNAT rule with the same original and new IP addresses <li>A DNAT rule with the same original and new IP
but with different port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24 addresses but with different port numbers doesn't work (e.g., "DNAT
tcp 25 - 10.1.1.1")<br> loc dmz:10.1.1.1:24 tcp 25 - 10.1.1.1")<br>
</li> </li>
</ul> </ul>
Installing <a Installing <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.8/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.8/firewall">
this corrected firewall script</a> in /var/lib/shorewall/firewall this corrected firewall script</a> in /var/lib/shorewall/firewall
as described above corrects these as described above corrects these
problems. problems.
<h3>Version 1.3.7b</h3> <h3>Version 1.3.7b</h3>
<p>DNAT rules where the source zone is 'fw' ($FW) <p>DNAT rules where the source zone is 'fw' ($FW)
result in an error message. Installing result in an error message. Installing
<a <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
this corrected firewall script</a> in /var/lib/shorewall/firewall this corrected firewall script</a> in /var/lib/shorewall/firewall
as described above corrects this as described above corrects this
problem.</p> problem.</p>
<h3>Version 1.3.7a</h3> <h3>Version 1.3.7a</h3>
<p>"shorewall refresh" is not creating the proper <p>"shorewall refresh" is not creating the proper
rule for FORWARDPING=Yes. Consequently, after rule for FORWARDPING=Yes. Consequently, after
"shorewall refresh", the firewall will not forward "shorewall refresh", the firewall will not forward
icmp echo-request (ping) packets. Installing icmp echo-request (ping) packets. Installing
<a <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
this corrected firewall script</a> in /var/lib/shorewall/firewall this corrected firewall script</a> in /var/lib/shorewall/firewall
as described above corrects this as described above corrects this
problem.</p> problem.</p>
<h3>Version &lt;= 1.3.7a</h3> <h3>Version &lt;= 1.3.7a</h3>
<p>If "norfc1918" and "dhcp" are both specified as <p>If "norfc1918" and "dhcp" are both specified as
options on a given interface then RFC 1918 options on a given interface then RFC 1918
checking is occurring before DHCP checking. This checking is occurring before DHCP checking. This
means that if a DHCP client broadcasts using an means that if a DHCP client broadcasts using an
RFC 1918 source address, then the firewall will RFC 1918 source address, then the firewall will
reject the broadcast (usually logging it). This reject the broadcast (usually logging it). This
has two problems:</p> has two problems:</p>
<ol> <ol>
<li>If the firewall <li>If the firewall
is running a DHCP server, the client is running a DHCP server, the
won't be able to obtain an IP address client won't be able to obtain an IP address
lease from that server.</li> lease from that server.</li>
<li>With this order <li>With this order
of checking, the "dhcp" option cannot of checking, the "dhcp" option
be used as a noise-reduction measure cannot be used as a noise-reduction
where there are both dynamic and static measure where there are both dynamic and static
clients on a LAN segment.</li> clients on a LAN segment.</li>
</ol> </ol>
<p> <a <p> <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
This version of the 1.3.7a firewall script </a> This version of the 1.3.7a firewall script </a>
corrects the problem. It must be corrects the problem. It must be
installed in /var/lib/shorewall as installed in /var/lib/shorewall as
described above.</p> described above.</p>
@ -352,196 +360,196 @@ described above.</p>
<p>Version 1.3.7 dead on arrival -- please use <p>Version 1.3.7 dead on arrival -- please use
version 1.3.7a and check your version against version 1.3.7a and check your version against
these md5sums -- if there's a difference, please these md5sums -- if there's a difference, please
download again.</p> download again.</p>
<pre> d2fffb7fb99bcc6cb047ea34db1df10 shorewall-1.3.7a.tgz<br> 6a7fd284c8685b2b471a2f47b469fb94 shorewall-1.3.7a-1.noarch.rpm<br> 3decd14296effcff16853106771f7035 shorwall-1.3.7a.lrp</pre> <pre> d2fffb7fb99bcc6cb047ea34db1df10 shorewall-1.3.7a.tgz<br> 6a7fd284c8685b2b471a2f47b469fb94 shorewall-1.3.7a-1.noarch.rpm<br> 3decd14296effcff16853106771f7035 shorwall-1.3.7a.lrp</pre>
<p>In other words, type "md5sum &lt;<i>whatever package you downloaded</i>&gt; <p>In other words, type "md5sum &lt;<i>whatever package you downloaded</i>&gt;
and compare the result with what you see above.</p> and compare the result with what you see above.</p>
<p>I'm embarrassed to report that 1.2.7 was also DOA -- maybe I'll skip the <p>I'm embarrassed to report that 1.2.7 was also DOA -- maybe I'll skip the
.7 version in each sequence from now on.</p> .7 version in each sequence from now on.</p>
<h3 align="left">Version 1.3.6</h3> <h3 align="left">Version 1.3.6</h3>
<ul> <ul>
<li> <li>
<p align="left">If ADD_SNAT_ALIASES=Yes is specified in /etc/shorewall/shorewall.conf, <p align="left">If ADD_SNAT_ALIASES=Yes is specified in /etc/shorewall/shorewall.conf,
an error occurs when the firewall script attempts to an error occurs when the firewall script attempts to
add an SNAT alias. </p> add an SNAT alias. </p>
</li> </li>
<li> <li>
<p align="left">The <b>logunclean </b>and <b>dropunclean</b> options <p align="left">The <b>logunclean </b>and <b>dropunclean</b> options
cause errors during startup when Shorewall is run with iptables cause errors during startup when Shorewall is run with iptables
1.2.7. </p> 1.2.7. </p>
</li> </li>
</ul> </ul>
<p align="left">These problems are fixed in <a <p align="left">These problems are fixed in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
this correct firewall script</a> which must be installed in this correct firewall script</a> which must be installed in
/var/lib/shorewall/ as described above. These problems are also /var/lib/shorewall/ as described above. These problems are also
corrected in version 1.3.7.</p> corrected in version 1.3.7.</p>
<h3 align="left">Two-interface Samples 1.3.6 (file two-interfaces.tgz)</h3> <h3 align="left">Two-interface Samples 1.3.6 (file two-interfaces.tgz)</h3>
<p align="left">A line was inadvertently deleted from the "interfaces <p align="left">A line was inadvertently deleted from the "interfaces
file" -- this line should be added back in if the version that you file" -- this line should be added back in if the version that you
downloaded is missing it:</p> downloaded is missing it:</p>
<p align="left">net    eth0    detect    routefilter,dhcp,norfc1918</p> <p align="left">net    eth0    detect    routefilter,dhcp,norfc1918</p>
<p align="left">If you downloaded two-interfaces-a.tgz then the above <p align="left">If you downloaded two-interfaces-a.tgz then the above
line should already be in the file.</p> line should already be in the file.</p>
<h3 align="left">Version 1.3.5-1.3.5b</h3> <h3 align="left">Version 1.3.5-1.3.5b</h3>
<p align="left">The new 'proxyarp' interface option doesn't work :-( <p align="left">The new 'proxyarp' interface option doesn't work :-(
This is fixed in <a This is fixed in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">
this corrected firewall script</a> which must be installed in this corrected firewall script</a> which must be installed in
/var/lib/shorewall/ as described above.</p> /var/lib/shorewall/ as described above.</p>
<h3 align="left">Versions 1.3.4-1.3.5a</h3> <h3 align="left">Versions 1.3.4-1.3.5a</h3>
<p align="left">Prior to version 1.3.4, host file entries such as the <p align="left">Prior to version 1.3.4, host file entries such as the
following were allowed:</p> following were allowed:</p>
<div align="left"> <div align="left">
<pre> adm eth0:1.2.4.5,eth0:5.6.7.8</pre> <pre> adm eth0:1.2.4.5,eth0:5.6.7.8</pre>
</div> </div>
<div align="left"> <div align="left">
<p align="left">That capability was lost in version 1.3.4 so that it is only <p align="left">That capability was lost in version 1.3.4 so that it is only
possible to  include a single host specification on each line. possible to  include a single host specification on each line.
This problem is corrected by <a This problem is corrected by <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.5a/firewall">this href="http://www.shorewall.net/pub/shorewall/errata/1.3.5a/firewall">this
modified 1.3.5a firewall script</a>. Install the script in /var/lib/pub/shorewall/firewall modified 1.3.5a firewall script</a>. Install the script in
as instructed above.</p> /var/lib/pub/shorewall/firewall as instructed above.</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left">This problem is corrected in version 1.3.5b.</p> <p align="left">This problem is corrected in version 1.3.5b.</p>
</div> </div>
<h3 align="left">Version 1.3.5</h3> <h3 align="left">Version 1.3.5</h3>
<p align="left">REDIRECT rules are broken in this version. Install <p align="left">REDIRECT rules are broken in this version. Install
<a <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">
this corrected firewall script</a> in /var/lib/pub/shorewall/firewall this corrected firewall script</a> in /var/lib/pub/shorewall/firewall
as instructed above. This problem is corrected in version as instructed above. This problem is corrected in version
1.3.5a.</p> 1.3.5a.</p>
<h3 align="left">Version 1.3.n, n &lt; 4</h3> <h3 align="left">Version 1.3.n, n &lt; 4</h3>
<p align="left">The "shorewall start" and "shorewall restart" commands <p align="left">The "shorewall start" and "shorewall restart" commands
to not verify that the zones named in the /etc/shorewall/policy file to not verify that the zones named in the /etc/shorewall/policy
have been previously defined in the /etc/shorewall/zones file. file have been previously defined in the /etc/shorewall/zones
The "shorewall check" command does perform this verification so file. The "shorewall check" command does perform this verification
it's a good idea to run that command after you have made configuration so it's a good idea to run that command after you have made configuration
changes.</p> changes.</p>
<h3 align="left">Version 1.3.n, n &lt; 3</h3> <h3 align="left">Version 1.3.n, n &lt; 3</h3>
<p align="left">If you have upgraded from Shorewall 1.2 and after <p align="left">If you have upgraded from Shorewall 1.2 and after
"Activating rules..." you see the message: "iptables: No chains/target/match "Activating rules..." you see the message: "iptables: No chains/target/match
by that name" then you probably have an entry in /etc/shorewall/hosts by that name" then you probably have an entry in /etc/shorewall/hosts
that specifies an interface that you didn't include in that specifies an interface that you didn't include
/etc/shorewall/interfaces. To correct this problem, you in /etc/shorewall/interfaces. To correct this problem, you
must add an entry to /etc/shorewall/interfaces. Shorewall 1.3.3 must add an entry to /etc/shorewall/interfaces. Shorewall 1.3.3
and later versions produce a clearer error message in this and later versions produce a clearer error message in
case.</p> this case.</p>
<h3 align="left">Version 1.3.2</h3> <h3 align="left">Version 1.3.2</h3>
<p align="left">Until approximately 2130 GMT on 17 June 2002, the <p align="left">Until approximately 2130 GMT on 17 June 2002, the
download sites contained an incorrect version of the .lrp file. That download sites contained an incorrect version of the .lrp file. That
file can be identified by its size (56284 bytes). The correct version file can be identified by its size (56284 bytes). The correct
has a size of 38126 bytes.</p> version has a size of 38126 bytes.</p>
<ul> <ul>
<li>The code to detect a duplicate interface <li>The code to detect a duplicate interface
entry in /etc/shorewall/interfaces contained a typo that entry in /etc/shorewall/interfaces contained a typo that
prevented it from working correctly. </li> prevented it from working correctly. </li>
<li>"NAT_BEFORE_RULES=No" was broken; it <li>"NAT_BEFORE_RULES=No" was broken;
behaved just like "NAT_BEFORE_RULES=Yes".</li> it behaved just like "NAT_BEFORE_RULES=Yes".</li>
</ul> </ul>
<p align="left">Both problems are corrected in <a <p align="left">Both problems are corrected in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/firewall">
this script</a> which should be installed in <b><u>/var/lib/shorewall</u></b> this script</a> which should be installed in <b><u>/var/lib/shorewall</u></b>
as described above.</p> as described above.</p>
<ul> <ul>
<li> <li>
<p align="left">The IANA have just announced the allocation of subnet <p align="left">The IANA have just announced the allocation of subnet
221.0.0.0/8. This <a 221.0.0.0/8. This <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/rfc1918"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/rfc1918">
updated rfc1918</a> file reflects that allocation.</p> updated rfc1918</a> file reflects that allocation.</p>
</li> </li>
</ul> </ul>
<h3 align="left">Version 1.3.1</h3> <h3 align="left">Version 1.3.1</h3>
<ul> <ul>
<li>TCP SYN packets may be double counted <li>TCP SYN packets may be double counted
when LIMIT:BURST is included in a CONTINUE or ACCEPT policy when LIMIT:BURST is included in a CONTINUE or ACCEPT policy
(i.e., each packet is sent through the limit chain twice).</li> (i.e., each packet is sent through the limit chain twice).</li>
<li>An unnecessary jump to the policy chain <li>An unnecessary jump to the policy
is sometimes generated for a CONTINUE policy.</li> chain is sometimes generated for a CONTINUE policy.</li>
<li>When an option is given for more than <li>When an option is given for more than
one interface in /etc/shorewall/interfaces then depending one interface in /etc/shorewall/interfaces then depending
on the option, Shorewall may ignore all but the first on the option, Shorewall may ignore all but the first
appearence of the option. For example:<br> appearence of the option. For example:<br>
<br> <br>
net    eth0    dhcp<br> net    eth0    dhcp<br>
loc    eth1    dhcp<br> loc    eth1    dhcp<br>
<br> <br>
Shorewall will ignore the 'dhcp' on eth1.</li> Shorewall will ignore the 'dhcp' on eth1.</li>
<li>Update 17 June 2002 - The bug described <li>Update 17 June 2002 - The bug described
in the prior bullet affects the following options: dhcp, in the prior bullet affects the following options:
dropunclean, logunclean, norfc1918, routefilter, multi, dhcp, dropunclean, logunclean, norfc1918, routefilter,
filterping and noping. An additional bug has been found multi, filterping and noping. An additional bug has been
that affects only the 'routestopped' option.<br> found that affects only the 'routestopped' option.<br>
<br> <br>
Users who downloaded the corrected script Users who downloaded the corrected script
prior to 1850 GMT today should download and install prior to 1850 GMT today should download and install
the corrected script again to ensure that this second the corrected script again to ensure that this second
problem is corrected.</li> problem is corrected.</li>
</ul> </ul>
<p align="left">These problems are corrected in <a <p align="left">These problems are corrected in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.1/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.1/firewall">
this firewall script</a> which should be installed in /etc/shorewall/firewall this firewall script</a> which should be installed in /etc/shorewall/firewall
as described above.</p> as described above.</p>
<h3 align="left">Version 1.3.0</h3> <h3 align="left">Version 1.3.0</h3>
<ul> <ul>
<li>Folks who downloaded 1.3.0 from the <li>Folks who downloaded 1.3.0 from the
links on the download page before 23:40 GMT, 29 May links on the download page before 23:40 GMT, 29 May
2002 may have downloaded 1.2.13 rather than 1.3.0. The 2002 may have downloaded 1.2.13 rather than 1.3.0.
"shorewall version" command will tell you which version The "shorewall version" command will tell you which version
that you have installed.</li> that you have installed.</li>
<li>The documentation NAT.htm file uses <li>The documentation NAT.htm file uses
non-existent wallpaper and bullet graphic files. The non-existent wallpaper and bullet graphic files. The
<a <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.0/NAT.htm"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.0/NAT.htm">
corrected version is here</a>.</li> corrected version is here</a>.</li>
</ul> </ul>
@ -553,13 +561,13 @@ non-existent wallpaper and bullet graphic files. The
<hr> <hr>
<h3 align="left"><a name="iptables"></a><font color="#660066"> Problem with <h3 align="left"><a name="iptables"></a><font color="#660066"> Problem with
iptables version 1.2.3</font></h3> iptables version 1.2.3</font></h3>
<blockquote> <blockquote>
<p align="left">There are a couple of serious bugs in iptables 1.2.3 that <p align="left">There are a couple of serious bugs in iptables 1.2.3 that
prevent it from working with Shorewall. Regrettably, prevent it from working with Shorewall. Regrettably, RedHat
RedHat released this buggy iptables in RedHat 7.2. </p> released this buggy iptables in RedHat 7.2. </p>
<p align="left"> I have built a <a <p align="left"> I have built a <a
@ -567,24 +575,24 @@ RedHat released this buggy iptables in RedHat 7.2.
corrected 1.2.3 rpm which you can download here</a>  and I have corrected 1.2.3 rpm which you can download here</a>  and I have
also built an <a also built an <a
href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm"> href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
iptables-1.2.4 rpm which you can download here</a>. If you are currently iptables-1.2.4 rpm which you can download here</a>. If you are currently
running RedHat 7.1, you can install either of these RPMs running RedHat 7.1, you can install either of these RPMs
<b><u>before</u> </b>you upgrade to RedHat 7.2.</p> <b><u>before</u> </b>you upgrade to RedHat 7.2.</p>
<p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat <p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat
has released an iptables-1.2.4 RPM of their own which you can has released an iptables-1.2.4 RPM of their own which you can
download from<font color="#ff6633"> <a download from<font color="#ff6633"> <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>. href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
</font>I have installed this RPM on my firewall and it works </font>I have installed this RPM on my firewall and it works
fine.</p> fine.</p>
<p align="left">If you would like to patch iptables 1.2.3 yourself, <p align="left">If you would like to patch iptables 1.2.3 yourself,
the patches are available for download. This <a the patches are available for download. This <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a> href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
which corrects a problem with parsing of the --log-level specification which corrects a problem with parsing of the --log-level specification
while this <a while this <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a> href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
corrects a problem in handling the  TOS target.</p> corrects a problem in handling the  TOS target.</p>
@ -593,48 +601,48 @@ download from<font color="#ff6633"> <a
<ul> <ul>
<li>cd iptables-1.2.3/extensions</li> <li>cd iptables-1.2.3/extensions</li>
<li>patch -p0 &lt; <i>the-patch-file</i></li> <li>patch -p0 &lt; <i>the-patch-file</i></li>
</ul> </ul>
</blockquote> </blockquote>
<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18 <h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18
and RedHat iptables</h3> and RedHat iptables</h3>
<blockquote> <blockquote>
<p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19 <p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19
may experience the following:</p> may experience the following:</p>
<blockquote> <blockquote>
<pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre> <pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre>
</blockquote> </blockquote>
<p>The RedHat iptables RPM is compiled with debugging enabled but the <p>The RedHat iptables RPM is compiled with debugging enabled but the
user-space debugging code was not updated to reflect recent changes in user-space debugging code was not updated to reflect recent changes in
the Netfilter 'mangle' table. You can correct the problem by the Netfilter 'mangle' table. You can correct the problem
installing <a by installing <a
href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm"> href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
this iptables RPM</a>. If you are already running a 1.2.5 version this iptables RPM</a>. If you are already running a 1.2.5 version
of iptables, you will need to specify the --oldpackage option of iptables, you will need to specify the --oldpackage option
to rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p> to rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
</blockquote> </blockquote>
<h3><a name="SuSE"></a>Problems installing/upgrading <h3><a name="SuSE"></a>Problems installing/upgrading
RPM on SuSE</h3> RPM on SuSE</h3>
<p>If you find that rpm complains about a conflict <p>If you find that rpm complains about a conflict
with kernel &lt;= 2.2 yet you have a 2.4 kernel with kernel &lt;= 2.2 yet you have a 2.4 kernel
installed, simply use the "--nodeps" option to installed, simply use the "--nodeps" option to
rpm.</p> rpm.</p>
<p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p> <p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
@ -644,60 +652,48 @@ to rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm")
<h3><a name="Multiport"></a><b>Problems with <h3><a name="Multiport"></a><b>Problems with
iptables version 1.2.7 and MULTIPORT=Yes</b></h3> iptables version 1.2.7 and MULTIPORT=Yes</b></h3>
<p>The iptables 1.2.7 release of iptables has made <p>The iptables 1.2.7 release of iptables has made
an incompatible change to the syntax used to an incompatible change to the syntax used to
specify multiport match rules; as a consequence, specify multiport match rules; as a consequence,
if you install iptables 1.2.7 you must be running if you install iptables 1.2.7 you must be running
Shorewall 1.3.7a or later or:</p> Shorewall 1.3.7a or later or:</p>
<ul> <ul>
<li>set MULTIPORT=No <li>set MULTIPORT=No
in /etc/shorewall/shorewall.conf; or </li> in /etc/shorewall/shorewall.conf; or </li>
<li>if you are running <li>if you are running
Shorewall 1.3.6 you may install Shorewall 1.3.6 you may install
<a <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
this firewall script</a> in /var/lib/shorewall/firewall this firewall script</a> in /var/lib/shorewall/firewall
as described above.</li> as described above.</li>
</ul> </ul>
<h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br> <h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br>
</h3> </h3>
/etc/shorewall/nat entries of the following form will result /etc/shorewall/nat entries of the following form will result
in Shorewall being unable to start:<br> in Shorewall being unable to start:<br>
<br> <br>
<pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22    eth0    192.168.9.22   yes     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre> <pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22    eth0    192.168.9.22   yes     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
Error message is:<br> Error message is:<br>
<pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre> <pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
The solution is to put "no" in the LOCAL column. Kernel The solution is to put "no" in the LOCAL column. Kernel
support for LOCAL=yes has never worked properly and 2.4.18-10 has support for LOCAL=yes has never worked properly and 2.4.18-10 has
disabled it. The 2.4.19 kernel contains corrected support under a new disabled it. The 2.4.19 kernel contains corrected support under a new
kernel configuraiton option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br> kernel configuraiton option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
<p><font size="2"> Last updated 2/18/2003 - <p><font size="2"> Last updated 2/18/2003 -
<a href="support.htm">Tom Eastep</a></font> </p> <a href="support.htm">Tom Eastep</a></font> </p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p> </p>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
</body> </body>
</html> </html>

205
STABLE/documentation/mailing_list.htm
View File

@ -25,9 +25,9 @@
<table height="90" bgcolor="#400169" id="AutoNumber1" width="100%" <table height="90" bgcolor="#400169" id="AutoNumber1" width="100%"
style="border-collapse: collapse;" cellspacing="0" cellpadding="0" style="border-collapse: collapse;" cellspacing="0" cellpadding="0"
border="0"> border="0">
<tbody> <tbody>
<tr> <tr>
<td width="33%" valign="middle" align="left"> <td width="33%" valign="middle" align="left">
@ -35,99 +35,103 @@
href="http://www.centralcommand.com/linux_products.html"><img href="http://www.centralcommand.com/linux_products.html"><img
src="images/Vexira_Antivirus_Logo.gif" alt="Vexira Logo" width="78" src="images/Vexira_Antivirus_Logo.gif" alt="Vexira Logo" width="78"
height="79" align="left"> height="79" align="left">
</a></h1> </a></h1>
<a <a
href="http://www.gnu.org/software/mailman/mailman.html"> <img href="http://www.gnu.org/software/mailman/mailman.html"> <img
border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110" border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110"
height="35" alt=""> height="35" alt="">
</a> </a>
<p align="right"><font color="#ffffff"><b>  </b></font> </p> <p align="right"><font color="#ffffff"><b>  </b></font> </p>
</td> </td>
<td valign="middle" width="34%" align="center"> <td valign="middle" width="34%" align="center">
<h1 align="center"><font color="#ffffff">Shorewall Mailing Lists</font></h1> <h1 align="center"><font color="#ffffff">Shorewall Mailing Lists</font></h1>
</td> </td>
<td valign="middle" width="33%"> <a <td valign="middle" width="33%"> <a
href="http://www.postfix.org/"> <img href="http://www.postfix.org/"> <img
src="images/small-picture.gif" align="right" border="0" width="115" src="images/small-picture.gif" align="right" border="0" width="115"
height="45" alt="(Postfix Logo)"> height="45" alt="(Postfix Logo)">
</a><br> </a><br>
<div align="left"><a href="http://www.spamassassin.org"><img <div align="left"><a href="http://www.spamassassin.org"><img
src="images/ninjalogo.png" alt="" width="110" height="42" align="right" src="images/ninjalogo.png" alt="" width="110" height="42" align="right"
border="0"> border="0">
</a> </div> </a> </div>
<br> <br>
<div align="right"><br> <div align="right"><br>
<b><font color="#ffffff"><br> <b><font color="#ffffff"><br>
Powered by Postfix    </font></b><br> Powered by Postfix    </font></b><br>
</div> </div>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<h1>REPORTING A PROBLEM OR ASKING FOR HELP? If you haven't already, please
read the <a href="http://www.shorewall.net/support.htm">Shorewall Support
Guide</a>.<br>
</h1>
<p align="left">If you experience problems with any of these lists, please <p align="left">If you experience problems with any of these lists, please
let <a href="mailto:teastep@shorewall.net">me</a> know</p> let <a href="mailto:teastep@shorewall.net">me</a> know</p>
<h2 align="left">Not able to Post Mail to shorewall.net?</h2> <h2 align="left">Not able to Post Mail to shorewall.net?</h2>
<p align="left">You can report such problems by sending mail to tom dot eastep <p align="left">You can report such problems by sending mail to tom dot eastep
at hp dot com.</p> at hp dot com.</p>
<h2>A Word about SPAM Filters <a href="http://ordb.org"></a><a <h2>A Word about SPAM Filters <a href="http://ordb.org"></a><a
href="http://osirusoft.com/"> </a></h2> href="http://osirusoft.com/"> </a></h2>
<p>Before subscribing please read my <a href="spam_filters.htm">policy <p>Before subscribing please read my <a href="spam_filters.htm">policy
about list traffic that bounces.</a> Also please note that the mail server about list traffic that bounces.</a> Also please note that the mail server
at shorewall.net checks incoming mail:<br> at shorewall.net checks incoming mail:<br>
</p> </p>
<ol> <ol>
<li>against <a href="http://spamassassin.org">Spamassassin</a> <li>against <a href="http://spamassassin.org">Spamassassin</a>
(including <a href="http://razor.sourceforge.net/">Vipul's Razor</a>).<br> (including <a href="http://razor.sourceforge.net/">Vipul's Razor</a>).<br>
</li> </li>
<li>to ensure that the sender address is fully qualified.</li> <li>to ensure that the sender address is fully qualified.</li>
<li>to verify that the sender's domain has an A or MX <li>to verify that the sender's domain has an A or MX
record in DNS.</li> record in DNS.</li>
<li>to ensure that the host name in the HELO/EHLO command <li>to ensure that the host name in the HELO/EHLO command
is a valid fully-qualified DNS name that resolves.</li> is a valid fully-qualified DNS name that resolves.</li>
</ol> </ol>
<h2>Please post in plain text</h2> <h2>Please post in plain text</h2>
A growing number of MTAs serving list subscribers are rejecting A growing number of MTAs serving list subscribers are rejecting
all HTML traffic. At least one MTA has gone so far as to blacklist shorewall.net all HTML traffic. At least one MTA has gone so far as to blacklist shorewall.net
"for continuous abuse" because it has been my policy to allow HTML in "for continuous abuse" because it has been my policy to allow HTML in
list posts!!<br> list posts!!<br>
<br> <br>
I think that blocking all HTML is a Draconian way to control spam I think that blocking all HTML is a Draconian way to control
and that the ultimate losers here are not the spammers but the list spam and that the ultimate losers here are not the spammers but the
subscribers whose MTAs are bouncing all shorewall.net mail. As one list list subscribers whose MTAs are bouncing all shorewall.net mail. As
subscriber wrote to me privately "These e-mail admin's need to get a <i>(explitive one list subscriber wrote to me privately "These e-mail admin's need to
deleted)</i> life instead of trying to rid the planet of HTML based e-mail". get a <i>(explitive deleted)</i> life instead of trying to rid the planet
Nevertheless, to allow subscribers to receive list posts as must as possible, of HTML based e-mail". Nevertheless, to allow subscribers to receive list
I have now configured the list server at shorewall.net to strip all HTML posts as must as possible, I have now configured the list server at shorewall.net
from outgoing posts. This means that HTML-only posts will be bounced by to strip all HTML from outgoing posts. This means that HTML-only posts
the list server.<br> will be bounced by the list server.<br>
<p align="left"> <b>Note: </b>The list server limits posts to 120kb.<br> <p align="left"> <b>Note: </b>The list server limits posts to 120kb.<br>
</p> </p>
<h2>Other Mail Delivery Problems</h2> <h2>Other Mail Delivery Problems</h2>
If you find that you are missing an occasional list post, your e-mail If you find that you are missing an occasional list post, your
admin may be blocking mail whose <i>Received:</i> headers contain the e-mail admin may be blocking mail whose <i>Received:</i> headers contain
names of certain ISPs. Again, I believe that such policies hurt more than the names of certain ISPs. Again, I believe that such policies hurt more
they help but I'm not prepared to go so far as to start stripping <i>Received:</i> than they help but I'm not prepared to go so far as to start stripping <i>Received:</i>
headers to circumvent those policies.<br> headers to circumvent those policies.<br>
<h2 align="left">Mailing Lists Archive Search</h2> <h2 align="left">Mailing Lists Archive Search</h2>
@ -140,13 +144,13 @@ they help but I'm not prepared to go so far as to start stripping <i>Received:<
<option value="or">Any </option> <option value="or">Any </option>
<option value="boolean">Boolean </option> <option value="boolean">Boolean </option>
</select> </select>
Format: Format:
<select name="format"> <select name="format">
<option value="builtin-long">Long </option> <option value="builtin-long">Long </option>
<option value="builtin-short">Short </option> <option value="builtin-short">Short </option>
</select> </select>
Sort by: Sort by:
<select name="sort"> <select name="sort">
<option value="score">Score </option> <option value="score">Score </option>
@ -156,47 +160,47 @@ they help but I'm not prepared to go so far as to start stripping <i>Received:<
<option value="revtime">Reverse Time </option> <option value="revtime">Reverse Time </option>
<option value="revtitle">Reverse Title </option> <option value="revtitle">Reverse Title </option>
</select> </select>
</font> <input type="hidden" name="config" </font> <input type="hidden" name="config"
value="htdig"> <input type="hidden" name="restrict" value="htdig"> <input type="hidden" name="restrict"
value="[http://lists.shorewall.net/pipermail/.*]"> <input type="hidden" value="[http://lists.shorewall.net/pipermail/.*]"> <input type="hidden"
name="exclude" value=""> <br> name="exclude" value=""> <br>
Search: <input type="text" size="30" name="words" Search: <input type="text" size="30" name="words"
value=""> <input type="submit" value="Search"> </p> value=""> <input type="submit" value="Search"> </p>
</form> </form>
<h2 align="left"><font color="#ff0000">Please do not try to download the <h2 align="left"><font color="#ff0000">Please do not try to download the entire
entire Archive -- it is 75MB (and growing daily) and my slow DSL line simply Archive -- it is 75MB (and growing daily) and my slow DSL line simply won't
won't stand the traffic. If I catch you, you will be blacklisted.<br> stand the traffic. If I catch you, you will be blacklisted.<br>
</font></h2> </font></h2>
<h2 align="left">Shorewall CA Certificate</h2> <h2 align="left">Shorewall CA Certificate</h2>
If you want to trust X.509 certificates issued by Shoreline If you want to trust X.509 certificates issued by Shoreline
Firewall (such as the one used on my web site), you may <a Firewall (such as the one used on my web site), you may <a
href="Shorewall_CA_html.html">download and install my CA certificate</a> href="Shorewall_CA_html.html">download and install my CA certificate</a>
in your browser. If you don't wish to trust my certificates then in your browser. If you don't wish to trust my certificates then
you can either use unencrypted access when subscribing to Shorewall you can either use unencrypted access when subscribing to Shorewall
mailing lists or you can use secure access (SSL) and accept the server's mailing lists or you can use secure access (SSL) and accept the server's
certificate when prompted by your browser.<br> certificate when prompted by your browser.<br>
<h2 align="left">Shorewall Users Mailing List</h2> <h2 align="left">Shorewall Users Mailing List</h2>
<p align="left">The Shorewall Users Mailing list provides a way for users <p align="left">The Shorewall Users Mailing list provides a way for users
to get answers to questions and to report problems. Information to get answers to questions and to report problems. Information
of general interest to the Shorewall user community is also posted of general interest to the Shorewall user community is also posted
to this list.</p> to this list.</p>
<p align="left"><b>Before posting a problem report to this list, please see <p align="left"><b>Before posting a problem report to this list, please see
the <a href="http://www.shorewall.net/support.htm">problem reporting the <a href="http://www.shorewall.net/support.htm">problem reporting
guidelines</a>.</b></p> guidelines</a>.</b></p>
<p align="left">To subscribe to the mailing list:<br> <p align="left">To subscribe to the mailing list:<br>
</p> </p>
<ul> <ul>
<li><b>Insecure: </b><a <li><b>Insecure: </b><a
href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a></li> href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a></li>
<li><b>SSL:</b> <a <li><b>SSL:</b> <a
href="https://lists.shorewall.net/mailman/listinfo/shorewall-users" href="https://lists.shorewall.net/mailman/listinfo/shorewall-users"
target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-users</a></li> target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-users</a></li>
@ -208,45 +212,45 @@ to this list.</p>
<p align="left">The list archives are at <a <p align="left">The list archives are at <a
href="http://lists.shorewall.net/pipermail/shorewall-users/index.html">http://lists.shorewall.net/pipermail/shorewall-users</a>.</p> href="http://lists.shorewall.net/pipermail/shorewall-users/index.html">http://lists.shorewall.net/pipermail/shorewall-users</a>.</p>
<p align="left">Note that prior to 1/1/2002, the mailing list was hosted at <p align="left">Note that prior to 1/1/2002, the mailing list was hosted
<a href="http://sourceforge.net">Sourceforge</a>. The archives from that list at <a href="http://sourceforge.net">Sourceforge</a>. The archives from that
may be found at <a list may be found at <a
href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p> href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p>
<h2 align="left">Shorewall Announce Mailing List</h2> <h2 align="left">Shorewall Announce Mailing List</h2>
<p align="left">This list is for announcements of general interest to the <p align="left">This list is for announcements of general interest to the
Shorewall community. To subscribe:<br> Shorewall community. To subscribe:<br>
</p> </p>
<p align="left"></p> <p align="left"></p>
<ul> <ul>
<li><b>Insecure:</b> <a <li><b>Insecure:</b> <a
href="http://lists.shorewall.net/mailman/listinfo/shorewall-announce">http://lists.shorewall.net/mailman/listinfo/shorewall-announce</a></li> href="http://lists.shorewall.net/mailman/listinfo/shorewall-announce">http://lists.shorewall.net/mailman/listinfo/shorewall-announce</a></li>
<li><b>SSL</b>: <a <li><b>SSL</b>: <a
href="https://lists.shorewall.net/mailman/listinfo/shorewall-announce" href="https://lists.shorewall.net/mailman/listinfo/shorewall-announce"
target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-announce.</a></li> target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-announce.</a></li>
</ul> </ul>
<p align="left"><br> <p align="left"><br>
The list archives are at <a The list archives are at <a
href="http://lists.shorewall.net/pipermail/shorewall-announce">http://lists.shorewall.net/pipermail/shorewall-announce</a>.</p> href="http://lists.shorewall.net/pipermail/shorewall-announce">http://lists.shorewall.net/pipermail/shorewall-announce</a>.</p>
<h2 align="left">Shorewall Development Mailing List</h2> <h2 align="left">Shorewall Development Mailing List</h2>
<p align="left">The Shorewall Development Mailing list provides a forum for <p align="left">The Shorewall Development Mailing list provides a forum for
the exchange of ideas about the future of Shorewall and for coordinating the exchange of ideas about the future of Shorewall and for coordinating
ongoing Shorewall Development.</p> ongoing Shorewall Development.</p>
<p align="left">To subscribe to the mailing list:<br> <p align="left">To subscribe to the mailing list:<br>
</p> </p>
<ul> <ul>
<li><b>Insecure: </b><a <li><b>Insecure: </b><a
href="http://lists.shorewall.net/mailman/listinfo/shorewall-devel">http://lists.shorewall.net/mailman/listinfo/shorewall-devel</a></li> href="http://lists.shorewall.net/mailman/listinfo/shorewall-devel">http://lists.shorewall.net/mailman/listinfo/shorewall-devel</a></li>
<li><b>SSL:</b> <a <li><b>SSL:</b> <a
href="https://lists.shorewall.net/mailman/listinfo/shorewall-devel" href="https://lists.shorewall.net/mailman/listinfo/shorewall-devel"
target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-devel.</a></li> target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-devel.</a></li>
@ -259,33 +263,33 @@ may be found at <a
href="http://lists.shorewall.net/pipermail/shorewall-devel">http://lists.shorewall.net/pipermail/shorewall-devel</a>.</p> href="http://lists.shorewall.net/pipermail/shorewall-devel">http://lists.shorewall.net/pipermail/shorewall-devel</a>.</p>
<h2 align="left"><a name="Unsubscribe"></a>How to Unsubscribe from one of <h2 align="left"><a name="Unsubscribe"></a>How to Unsubscribe from one of
the Mailing Lists</h2> the Mailing Lists</h2>
<p align="left">There seems to be near-universal confusion about unsubscribing <p align="left">There seems to be near-universal confusion about unsubscribing
from Mailman-managed lists although Mailman 2.1 has attempted to from Mailman-managed lists although Mailman 2.1 has attempted
make this less confusing. To unsubscribe:</p> to make this less confusing. To unsubscribe:</p>
<ul> <ul>
<li> <li>
<p align="left">Follow the same link above that you used to subscribe <p align="left">Follow the same link above that you used to subscribe
to the list.</p> to the list.</p>
</li> </li>
<li> <li>
<p align="left">Down at the bottom of that page is the following text: <p align="left">Down at the bottom of that page is the following text:
" To <b>unsubscribe</b> from <i>&lt;list name&gt;</i>, get a password " To <b>unsubscribe</b> from <i>&lt;list name&gt;</i>, get a
reminder, or change your subscription options enter your subscription password reminder, or change your subscription options enter
email address:". Enter your email address in the box and your subscription email address:". Enter your email address
click on the "<b>Unsubscribe</b> or edit options" button.</p> in the box and click on the "<b>Unsubscribe</b> or edit options" button.</p>
</li> </li>
<li> <li>
<p align="left">There will now be a box where you can enter your password <p align="left">There will now be a box where you can enter your password
and click on "Unsubscribe"; if you have forgotten your password, and click on "Unsubscribe"; if you have forgotten your password,
there is another button that will cause your password to be emailed there is another button that will cause your password to be emailed
to you.</p> to you.</p>
</li> </li>
</ul> </ul>
@ -294,12 +298,13 @@ click on the "<b>Unsubscribe</b> or edit options" button.</p>
<p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p> <p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p>
<p align="left"><font size="2">Last updated 2/18/2003 - <a <p align="left"><font size="2">Last updated 2/24/2003 - <a
href="http://www.shorewall.net/support.htm">Tom Eastep</a></font></p> href="http://www.shorewall.net/support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"> <font size="2">Copyright</font> <p align="left"><a href="copyright.htm"> <font size="2">Copyright</font> ©
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p> </p>
<br>
<br> <br>
<br> <br>
</body> </body>

365
STABLE/documentation/seattlefirewall_index.htm
View File

@ -15,7 +15,7 @@
<base target="_self"> <base target="_self">
</head> </head>
<body> <body>
@ -26,11 +26,12 @@
style="border-collapse: collapse;" width="100%" id="AutoNumber3" style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td width="100%" height="90">
<td width="100%" height="90">
@ -45,9 +46,9 @@
alt="Shorwall Logo" height="70" width="85" align="left" alt="Shorwall Logo" height="70" width="85" align="left"
src="images/washington.jpg" border="0"> src="images/washington.jpg" border="0">
</a></i></font><font color="#ffffff">Shorewall </a></i></font><font color="#ffffff">Shorewall
1.3 - <font size="4">"<i>iptables 1.3 - <font size="4">"<i>iptables
made easy"</i></font></font></h1> made easy"</i></font></font></h1>
@ -62,13 +63,13 @@
href="http://shorewall.sf.net/1.2/index.html" target="_top"><font href="http://shorewall.sf.net/1.2/index.html" target="_top"><font
color="#ffffff">Shorewall 1.2 Site here</font></a><br> color="#ffffff">Shorewall 1.2 Site here</font></a><br>
</div> </div>
<br> <br>
</td> </td>
</tr> </tr>
@ -89,11 +90,11 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"> style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody> <tbody>
<tr> <tr>
<td width="90%"> <td width="90%">
@ -116,10 +117,12 @@
<p>The Shoreline Firewall, more commonly known as "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based <p>The Shoreline Firewall, more commonly known as "Shorewall", is a
firewall that can be used on a dedicated firewall system, a multi-function <a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
gateway/router/server or on a standalone GNU/Linux system.</p> that can be used on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system.</p>
@ -132,27 +135,28 @@ firewall that can be used on a dedicated firewall system, a multi-functio
<p>This program is free software; you can redistribute it and/or modify <p>This program is free software; you can redistribute it and/or modify
it under the terms of it under the terms of
<a href="http://www.gnu.org/licenses/gpl.html">Version 2 of <a href="http://www.gnu.org/licenses/gpl.html">Version 2 of
the GNU General Public License</a> as published by the Free Software the GNU General Public License</a> as published by the Free Software
Foundation.<br> Foundation.<br>
<br> <br>
This program is distributed in This program is distributed
the hope that it will be useful, but WITHOUT in the hope that it will be useful, but
ANY WARRANTY; without even the implied warranty WITHOUT ANY WARRANTY; without even the implied warranty
of MERCHANTABILITY or FITNESS FOR A PARTICULAR of MERCHANTABILITY or FITNESS FOR A PARTICULAR
PURPOSE. See the GNU General Public License for PURPOSE. See the GNU General Public License
more details.<br> for more details.<br>
<br> <br>
You should have received a copy
of the GNU General Public License
along with this program; if not, write to the Free
Software Foundation, Inc., 675 Mass Ave, Cambridge,
MA 02139, USA</p>
You should have received a copy
of the GNU General Public License along
with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge,
MA 02139, USA</p>
@ -176,31 +180,32 @@ MA 02139, USA</p>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img <p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36"> border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques Nilo and Eric </a>Jacques Nilo and Eric
Wolzak have a LEAF (router/firewall/gateway on a floppy, Wolzak have a LEAF (router/firewall/gateway on
CD or compact flash) distribution called <i>Bering</i> a floppy, CD or compact flash) distribution called
that features Shorewall-1.3.10 and Kernel-2.4.18. <i>Bering</i> that features Shorewall-1.3.14
You can find their work at: <a and Kernel-2.4.20. You can find their work at:
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br> <a href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
</a></p> </a></p>
<p><b>Congratulations to Jacques and Eric on the recent release of <p><b>Congratulations to Jacques and Eric on the recent release of Bering
Bering 1.0 Final!!! </b><br> 1.1!!! </b><br>
</p> </p>
<h2>This is a mirror of the main Shorewall web site at SourceForge <h2>This is a mirror of the main Shorewall web site at SourceForge (<a
(<a href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2> href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
@ -236,59 +241,126 @@ Bering 1.0 Final!!! </b><br>
<p><b>2/8/2003 - Shorewall 1.3.14</b><b> </b><b><img <p><b>2/21/2003 - Shorewall 1.4.0 Beta 1 </b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)"> border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>  </b><b> </b></p>
Shorewall 1.4 represents the
next step in the evolution of Shorewall. The main thrust of the initial
release is simply to remove the cruft that has accumulated in Shorewall
over time. <br>
<br>
<b>IMPORTANT: Shorewall 1.4.0 <u>REQUIRES</u></b> <b>the iproute package
('ip' utility).</b><br>
<br>
Function from 1.3 that has been omitted from this version include:<br>
<ol>
<li>The MERGE_HOSTS variable in shorewall.conf is no longer supported.
Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOSTS=Yes.<br>
<br>
</li>
<li>Interface names of the form &lt;device&gt;:&lt;integer&gt; in
/etc/shorewall/interfaces now generate an error.<br>
<br>
</li>
<li>Shorewall 1.4 implements behavior consistent with OLD_PING_HANDLING=No.
OLD_PING_HANDLING=Yes will generate an error at startup as will specification
of the 'noping' or 'filterping' interface options.<br>
<br>
</li>
<li>The 'routestopped' option in the /etc/shorewall/interfaces and
/etc/shorewall/hosts files is no longer supported and will generate an error
at startup if specified.<br>
<br>
</li>
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no longer
accepted.<br>
<br>
</li>
<li>The ALLOWRELATED variable in shorewall.conf is no longer supported.
Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.<br>
<br>
</li>
<li>The icmp.def file has been removed.<br>
</li>
</ol>
Changes for 1.4 include:<br>
<ol>
<li>The /etc/shorewall/shorewall.conf file has been completely reorganized
into logical sections.<br>
<br>
</li>
<li>LOG is now a valid action for a rule (/etc/shorewall/rules).<br>
<br>
</li>
<li>The firewall script and version file are now installed in /usr/share/shorewall.<br>
<br>
</li>
<li>Late arriving DNS replies are now silently dropped in the common
chain by default.<br>
<br>
</li>
<li>In addition to behaving like OLD_PING_HANDLING=No, Shorewall
1.4 no longer unconditionally accepts outbound ICMP packets. So if you want
to 'ping' from the firewall, you will need the appropriate rule or policy.
</li>
</ol>
<p><b>2/8/2003 - Shorewall 1.3.14</b><b> </b></p>
<p>New features include</p> <p>New features include</p>
<ol> <ol>
<li>An OLD_PING_HANDLING option has been added to shorewall.conf. <li>An OLD_PING_HANDLING option has been added to shorewall.conf.
When set to Yes, Shorewall ping handling is as it has always been (see When set to Yes, Shorewall ping handling is as it has always been (see
http://www.shorewall.net/ping.html).<br> http://www.shorewall.net/ping.html).<br>
<br> <br>
When OLD_PING_HANDLING=No, icmp echo (ping) is handled via rules When OLD_PING_HANDLING=No, icmp echo (ping) is handled via rules
and policies just like any other connection request. The FORWARDPING=Yes and policies just like any other connection request. The FORWARDPING=Yes
option in shorewall.conf and the 'noping' and 'filterping' options in option in shorewall.conf and the 'noping' and 'filterping' options
/etc/shorewall/interfaces will all generate an error.<br> in /etc/shorewall/interfaces will all generate an error.<br>
<br> <br>
</li> </li>
<li>It is now possible to direct Shorewall to create a "label" <li>It is now possible to direct Shorewall to create a "label"
such as  "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes such as  "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes
and ADD_SNAT_ALIASES=Yes. This is done by specifying the label instead and ADD_SNAT_ALIASES=Yes. This is done by specifying the label instead
of just the interface name:<br> of just the interface name:<br>
 <br>  <br>
   a) In the INTERFACE column of /etc/shorewall/masq<br>    a) In the INTERFACE column of /etc/shorewall/masq<br>
   b) In the INTERFACE column of /etc/shorewall/nat<br>    b) In the INTERFACE column of /etc/shorewall/nat<br>
 </li>  </li>
<li>Support for OpenVPN Tunnels.<br> <li>Support for OpenVPN Tunnels.<br>
<br> <br>
</li> </li>
<li>Support for VLAN devices with names of the form $DEV.$VID <li>Support for VLAN devices with names of the form $DEV.$VID
(e.g., eth0.0)<br> (e.g., eth0.0)<br>
<br> <br>
</li> </li>
<li>In /etc/shorewall/tcrules, the MARK value may be optionally followed <li>In /etc/shorewall/tcrules, the MARK value may be optionally
by ":" and either 'F' or 'P' to designate that the marking will occur in followed by ":" and either 'F' or 'P' to designate that the marking will
the FORWARD or PREROUTING chains respectively. If this additional specification occur in the FORWARD or PREROUTING chains respectively. If this additional
is omitted, the chain used to mark packets will be determined by the setting specification is omitted, the chain used to mark packets will be determined
of the MARK_IN_FORWARD_CHAIN option in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br> by the setting of the MARK_IN_FORWARD_CHAIN option in <a
<br> href="Documentation.htm#Conf">shorewall.conf</a>.<br>
</li> <br>
<li>When an interface name is entered in the SUBNET column of </li>
the /etc/shorewall/masq file, Shorewall previously masqueraded traffic <li>When an interface name is entered in the SUBNET column
from only the first subnet defined on that interface. It did not masquerade of the /etc/shorewall/masq file, Shorewall previously masqueraded traffic
traffic from:<br> from only the first subnet defined on that interface. It did not masquerade
 <br> traffic from:<br>
   a) The subnets associated with other addresses on the interface.<br>  <br>
   b) Subnets accessed through local routers.<br>    a) The subnets associated with other addresses on the interface.<br>
 <br>    b) Subnets accessed through local routers.<br>
Beginning with Shorewall 1.3.14, if you enter an interface name  <br>
in the SUBNET column, shorewall will use the firewall's routing table Beginning with Shorewall 1.3.14, if you enter an interface name
to construct the masquerading/SNAT rules.<br> in the SUBNET column, shorewall will use the firewall's routing table
 <br> to construct the masquerading/SNAT rules.<br>
Example 1 -- This is how it works in 1.3.14.<br>  <br>
   <br> Example 1 -- This is how it works in 1.3.14.<br>
   <br>
<pre>   [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre> <pre>   [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
@ -298,53 +370,52 @@ to construct the masquerading/SNAT rules.<br>
<pre>  [root@gateway test]# shorewall start<br> ...<br> Masqueraded Subnets and Hosts:<br> To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176<br> To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176<br> Processing /etc/shorewall/tos...</pre> <pre>  [root@gateway test]# shorewall start<br> ...<br> Masqueraded Subnets and Hosts:<br> To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176<br> To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176<br> Processing /etc/shorewall/tos...</pre>
 <br>  <br>
When upgrading to Shorewall 1.3.14, if you have multiple local subnets When upgrading to Shorewall 1.3.14, if you have multiple local
connected to an interface that is specified in the SUBNET column of an subnets connected to an interface that is specified in the SUBNET column
/etc/shorewall/masq entry, your /etc/shorewall/masq file will need changing. of an /etc/shorewall/masq entry, your /etc/shorewall/masq file will
In most cases, you will simply be able to remove redundant entries. In some need changing. In most cases, you will simply be able to remove redundant
cases though, you might want to change from using the interface name to entries. In some cases though, you might want to change from using the
listing specific subnetworks if the change described above will cause masquerading interface name to listing specific subnetworks if the change described
to occur on subnetworks that you don't wish to masquerade.<br> above will cause masquerading to occur on subnetworks that you don't wish
 <br> to masquerade.<br>
Example 2 -- Suppose that your current config is as follows:<br>  <br>
   <br> Example 2 -- Suppose that your current config is as follows:<br>
   <br>
<pre>   [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> eth0                    192.168.10.0/24         206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre> <pre>   [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> eth0                    192.168.10.0/24         206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<pre>   [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br> [root@gateway test]#</pre> <pre>   [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br> [root@gateway test]#</pre>
 <br>  <br>
   In this case, the second entry in /etc/shorewall/masq is no longer    In this case, the second entry in /etc/shorewall/masq is no
required.<br> longer required.<br>
 <br>  <br>
Example 3 -- What if your current configuration is like this?<br> Example 3 -- What if your current configuration is like this?<br>
 <br>  <br>
<pre>   [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre> <pre>   [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<pre>   [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br> [root@gateway test]#</pre> <pre>   [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br> [root@gateway test]#</pre>
 <br>  <br>
   In this case, you would want to change the entry in  /etc/shorewall/masq    In this case, you would want to change the entry in  /etc/shorewall/masq
to:<br> to:<br>
<pre>   #INTERFACE              SUBNET                  ADDRESS<br> eth0                    192.168.1.0/24          206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre> <pre>   #INTERFACE              SUBNET                  ADDRESS<br> eth0                    192.168.1.0/24          206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
</li> </li>
</ol> </ol>
<br> <br>
<p><b>2/5/2003 - Shorewall Support included in Webmin 1.06</b><b>0 <p><b>2/5/2003 - Shorewall Support included in Webmin 1.06</b><b>0</b><b>
</b><b><img border="0" src="images/new10.gif" width="28" </b></p>
height="12" alt="(New)"> Webmin version 1.060 now has Shorewall support included as standard.
</b></p> See <a href="http://www.webmin.com">http://www.webmin.com</a>.<b>
Webmin version 1.060 now has Shorewall support included as standard. </b>
See <a href="http://www.webmin.com">http://www.webmin.com</a>.<b>
</b>
<p><b></b></p> <p><b></b></p>
@ -376,16 +447,17 @@ listing specific subnetworks if the change described above will cause masquerad
<h2><a name="Donations"></a>Donations</h2> <h2><a name="Donations"></a>Donations</h2>
</td> </td>
<td width="88" bgcolor="#4b017c" <td width="88"
valign="top" align="center"> <a bgcolor="#4b017c" valign="top" align="center"> <a
href="http://sourceforge.net">M</a></td> href="http://sourceforge.net">M</a></td>
</tr> </tr>
@ -396,9 +468,9 @@ listing specific subnetworks if the change described above will cause masquerad
</table> </table>
</center> </center>
</div> </div>
@ -407,11 +479,12 @@ listing specific subnetworks if the change described above will cause masquerad
style="border-collapse: collapse;" width="100%" id="AutoNumber2" style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td width="100%" style="margin-top: 1px;"> <td width="100%"
style="margin-top: 1px;">
@ -425,7 +498,7 @@ listing specific subnetworks if the change described above will cause masquerad
border="4" src="images/newlog.gif" width="57" height="100" align="left" border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10"> hspace="10">
  </a></p>   </a></p>
@ -437,15 +510,15 @@ listing specific subnetworks if the change described above will cause masquerad
<p align="center"><font size="4" color="#ffffff">Shorewall is free <p align="center"><font size="4" color="#ffffff">Shorewall is free but
but if you try it and find it useful, please consider making a donation if you try it and find it useful, please consider making a donation
to <a to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight href="http://www.starlight.org"><font color="#ffffff">Starlight Children's
Children's Foundation.</font></a> Thanks!</font></p> Foundation.</font></a> Thanks!</font></p>
</td> </td>
</tr> </tr>
@ -458,9 +531,13 @@ Children's Foundation.</font></a> Thanks!</font></p>
<p><font size="2">Updated 2/13/2003 - <a href="support.htm">Tom Eastep</a></font>
<br> <p><font size="2">Updated 2/21/2003 - <a href="support.htm">Tom Eastep</a></font>
</p>
<br>
</p>
<br>
<br>
<br>
</body> </body>
</html> </html>

347
STABLE/documentation/sourceforge_index.htm
View File

@ -15,7 +15,8 @@
<base target="_self"> <base
target="_self">
</head> </head>
<body> <body>
@ -26,12 +27,12 @@
style="border-collapse: collapse;" width="100%" id="AutoNumber3" style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td width="100%" height="90">
<td width="100%"
height="90">
@ -46,7 +47,7 @@
alt="Shorwall Logo" height="70" width="85" align="left" alt="Shorwall Logo" height="70" width="85" align="left"
src="images/washington.jpg" border="0"> src="images/washington.jpg" border="0">
</a></i></font><font </a></i></font><font
color="#ffffff">Shorewall 1.3 - <font color="#ffffff">Shorewall 1.3 - <font
size="4">"<i>iptables made easy"</i></font></font><a size="4">"<i>iptables made easy"</i></font></font><a
href="http://www.sf.net"> </a></h1> href="http://www.sf.net"> </a></h1>
@ -60,11 +61,12 @@
<div align="center"><a href="/1.2/index.html" target="_top"><font <div align="center"><a href="/1.2/index.html" target="_top"><font
color="#ffffff">Shorewall 1.2 Site here</font></a></div> color="#ffffff">Shorewall 1.2 Site here</font></a></div>
</td> </td>
</tr> </tr>
@ -83,11 +85,12 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"> style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody> <tbody>
<tr> <tr>
<td width="90%">
<td width="90%">
@ -112,10 +115,10 @@
<p>The Shoreline Firewall, more commonly known as  "Shorewall", is <p>The Shoreline Firewall, more commonly known as  "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a> (iptables) a <a href="http://www.netfilter.org">Netfilter</a> (iptables)
based firewall that can be used on a dedicated firewall system, based firewall that can be used on a dedicated firewall system,
a multi-function gateway/router/server or on a standalone GNU/Linux a multi-function gateway/router/server or on a standalone GNU/Linux
system.</p> system.</p>
@ -129,27 +132,27 @@ system.</p>
<p>This program is free software; you can redistribute it and/or modify <p>This program is free software; you can redistribute it and/or modify
it under the terms it under the terms
of <a href="http://www.gnu.org/licenses/gpl.html">Version of <a href="http://www.gnu.org/licenses/gpl.html">Version
2 of the GNU General Public License</a> as published by the Free Software 2 of the GNU General Public License</a> as published by the Free Software
Foundation.<br> Foundation.<br>
<br> <br>
This program is distributed This program is distributed
in the hope that it will be useful, but in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied WITHOUT ANY WARRANTY; without even the implied
warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR warranty of MERCHANTABILITY or FITNESS FOR A
PURPOSE. See the GNU General Public License PARTICULAR PURPOSE. See the GNU General Public License
for more details.<br> for more details.<br>
<br> <br>
You should have received a You should have received
copy of the GNU General Public License a copy of the GNU General Public License
along with this program; if not, write to the along with this program; if not, write to
Free Software Foundation, Inc., 675 Mass Ave, the Free Software Foundation, Inc., 675 Mass
Cambridge, MA 02139, USA</p> Ave, Cambridge, MA 02139, USA</p>
@ -178,15 +181,15 @@ for more details.<br>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img <p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36"> border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques Nilo and </a>Jacques Nilo and
Eric Wolzak have a LEAF (router/firewall/gateway Eric Wolzak have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution called on a floppy, CD or compact flash) distribution called
<i>Bering</i> that features Shorewall-1.3.10 <i>Bering</i> that features Shorewall-1.3.14
and Kernel-2.4.18. You can find their work at: and Kernel-2.4.20. You can find their work at:
<a href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p> <a href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
<b>Congratulations to Jacques <b>Congratulations to Jacques
and Eric on the recent release of Bering 1.0 Final!!! <br> and Eric on the recent release of Bering 1.1!!! <br>
</b> </b>
@ -206,106 +209,179 @@ for more details.<br>
<p><b>2/8/2003 - Shorewall 1.3.14</b><b> </b><b><img <p><b>2/21/2003 - Shorewall 1.4.0 Beta 1 </b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)"> border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>  </b><b> </b></p>
Shorewall 1.4 represents
the next step in the evolution of Shorewall. The main thrust of the initial
release is simply to remove the cruft that has accumulated in Shorewall
over time. <br>
<br>
<b>IMPORTANT: Shorewall 1.4.0 <u>REQUIRES</u></b> <b>the iproute package
('ip' utility).</b><br>
<br>
Function from 1.3 that has been omitted from this version include:<br>
<ol>
<li>The MERGE_HOSTS variable in shorewall.conf is no longer supported.
Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOSTS=Yes.<br>
<br>
</li>
<li>Interface names of the form &lt;device&gt;:&lt;integer&gt; in
/etc/shorewall/interfaces now generate an error.<br>
<br>
</li>
<li>Shorewall 1.4 implements behavior consistent with OLD_PING_HANDLING=No.
OLD_PING_HANDLING=Yes will generate an error at startup as will specification
of the 'noping' or 'filterping' interface options.<br>
<br>
</li>
<li>The 'routestopped' option in the /etc/shorewall/interfaces and
/etc/shorewall/hosts files is no longer supported and will generate an error
at startup if specified.<br>
<br>
</li>
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no longer
accepted.<br>
<br>
</li>
<li>The ALLOWRELATED variable in shorewall.conf is no longer supported.
Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.<br>
<br>
</li>
<li>The icmp.def file has been removed.<br>
</li>
</ol>
Changes for 1.4 include:<br>
<ol>
<li>The /etc/shorewall/shorewall.conf file has been completely reorganized
into logical sections.<br>
<br>
</li>
<li>LOG is now a valid action for a rule (/etc/shorewall/rules).<br>
<br>
</li>
<li>The firewall script and version file are now installed in /usr/share/shorewall.<br>
<br>
</li>
<li>Late arriving DNS replies are now silently dropped in the common
chain by default.<br>
<br>
</li>
<li>In addition to behaving like OLD_PING_HANDLING=No, Shorewall
1.4 no longer unconditionally accepts outbound ICMP packets. So if you want
to 'ping' from the firewall, you will need the appropriate rule or policy.
</li>
</ol>
<p><b>2/8/2003 - Shorewall 1.3.14</b><b> </b></p>
<p>New features include</p> <p>New features include</p>
<ol> <ol>
<li>An OLD_PING_HANDLING option has been added to shorewall.conf. <li>An OLD_PING_HANDLING option has been added to shorewall.conf.
When set to Yes, Shorewall ping handling is as it has always been (see When set to Yes, Shorewall ping handling is as it has always been (see
http://www.shorewall.net/ping.html).<br> http://www.shorewall.net/ping.html).<br>
<br> <br>
When OLD_PING_HANDLING=No, icmp echo (ping) is handled via rules When OLD_PING_HANDLING=No, icmp echo (ping) is handled via rules
and policies just like any other connection request. The FORWARDPING=Yes and policies just like any other connection request. The FORWARDPING=Yes
option in shorewall.conf and the 'noping' and 'filterping' options in option in shorewall.conf and the 'noping' and 'filterping' options in
/etc/shorewall/interfaces will all generate an error.<br> /etc/shorewall/interfaces will all generate an error.<br>
<br> <br>
</li> </li>
<li>It is now possible to direct Shorewall to create a "label" <li>It is now possible to direct Shorewall to create a "label"
such as  "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes such as  "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes
and ADD_SNAT_ALIASES=Yes. This is done by specifying the label instead of and ADD_SNAT_ALIASES=Yes. This is done by specifying the label instead
just the interface name:<br> of just the interface name:<br>
 <br>  <br>
   a) In the INTERFACE column of /etc/shorewall/masq<br>    a) In the INTERFACE column of /etc/shorewall/masq<br>
   b) In the INTERFACE column of /etc/shorewall/nat<br>    b) In the INTERFACE column of /etc/shorewall/nat<br>
 </li>  </li>
<li>Support for OpenVPN Tunnels.<br> <li>Support for OpenVPN Tunnels.<br>
<br> <br>
</li> </li>
<li>Support for VLAN devices with names of the form $DEV.$VID <li>Support for VLAN devices with names of the form $DEV.$VID
(e.g., eth0.0)<br> (e.g., eth0.0)<br>
<br>
</li>
<li>In /etc/shorewall/tcrules, the MARK value may be optionally
followed by ":" and either 'F' or 'P' to designate that the marking will
occur in the FORWARD or PREROUTING chains respectively. If this additional
specification is omitted, the chain used to mark packets will be determined
by the setting of the MARK_IN_FORWARD_CHAIN option in <a
href="Documentation.htm#Conf">shorewall.conf</a>.<br>
<br> <br>
</li> </li>
<li>In /etc/shorewall/tcrules, the MARK value may be optionally followed <li>When an interface name is entered in the SUBNET column
by ":" and either 'F' or 'P' to designate that the marking will occur in of the /etc/shorewall/masq file, Shorewall previously masqueraded traffic
the FORWARD or PREROUTING chains respectively. If this additional specification from only the first subnet defined on that interface. It did not masquerade
is omitted, the chain used to mark packets will be determined by the setting traffic from:<br>
of the MARK_IN_FORWARD_CHAIN option in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>  <br>
<br>    a) The subnets associated with other addresses on the interface.<br>
</li>    b) Subnets accessed through local routers.<br>
<li>When an interface name is entered in the SUBNET column of  <br>
the /etc/shorewall/masq file, Shorewall previously masqueraded traffic Beginning with Shorewall 1.3.14, if you enter an interface name
from only the first subnet defined on that interface. It did not masquerade in the SUBNET column, shorewall will use the firewall's routing table
traffic from:<br> to construct the masquerading/SNAT rules.<br>
 <br>  <br>
   a) The subnets associated with other addresses on the interface.<br> Example 1 -- This is how it works in 1.3.14.<br>
   b) Subnets accessed through local routers.<br>    <br>
 <br>
Beginning with Shorewall 1.3.14, if you enter an interface name in
the SUBNET column, shorewall will use the firewall's routing table to
construct the masquerading/SNAT rules.<br>
 <br>
Example 1 -- This is how it works in 1.3.14.<br>
   <br>
<pre>   [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre> <pre>   [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<pre>  [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br></pre> <pre>  [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br></pre>
<pre>  [root@gateway test]# shorewall start<br> ...<br> Masqueraded Subnets and Hosts:<br> To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176<br> To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176<br> Processing /etc/shorewall/tos...</pre> <pre>  [root@gateway test]# shorewall start<br> ...<br> Masqueraded Subnets and Hosts:<br> To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176<br> To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176<br> Processing /etc/shorewall/tos...</pre>
 <br>  <br>
When upgrading to Shorewall 1.3.14, if you have multiple local subnets When upgrading to Shorewall 1.3.14, if you have multiple local
connected to an interface that is specified in the SUBNET column of an subnets connected to an interface that is specified in the SUBNET column
/etc/shorewall/masq entry, your /etc/shorewall/masq file will need changing. of an /etc/shorewall/masq entry, your /etc/shorewall/masq file will need
In most cases, you will simply be able to remove redundant entries. In changing. In most cases, you will simply be able to remove redundant entries.
some cases though, you might want to change from using the interface name In some cases though, you might want to change from using the interface
to listing specific subnetworks if the change described above will cause name to listing specific subnetworks if the change described above will cause
masquerading to occur on subnetworks that you don't wish to masquerade.<br> masquerading to occur on subnetworks that you don't wish to masquerade.<br>
 <br>  <br>
Example 2 -- Suppose that your current config is as follows:<br> Example 2 -- Suppose that your current config is as follows:<br>
   <br>    <br>
<pre>   [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> eth0                    192.168.10.0/24         206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre> <pre>   [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> eth0                    192.168.10.0/24         206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<pre>   [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br> [root@gateway test]#</pre> <pre>   [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br> [root@gateway test]#</pre>
 <br>  <br>
   In this case, the second entry in /etc/shorewall/masq is no longer    In this case, the second entry in /etc/shorewall/masq is no
required.<br> longer required.<br>
 <br>  <br>
Example 3 -- What if your current configuration is like this?<br> Example 3 -- What if your current configuration is like this?<br>
 <br>  <br>
<pre>   [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre> <pre>   [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<pre>   [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br> [root@gateway test]#</pre> <pre>   [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br> [root@gateway test]#</pre>
 <br>  <br>
   In this case, you would want to change the entry in  /etc/shorewall/masq    In this case, you would want to change the entry in  /etc/shorewall/masq
to:<br> to:<br>
<pre>   #INTERFACE              SUBNET                  ADDRESS<br> eth0                    192.168.1.0/24          206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre> <pre>   #INTERFACE              SUBNET                  ADDRESS<br> eth0                    192.168.1.0/24          206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
</li> </li>
</ol> </ol>
<p><b>2/5/2003 - Shorewall Support included in Webmin 1.06</b><b>0 <p><b>2/5/2003 - Shorewall Support included in Webmin 1.06</b><b>0</b><b>
</b><b><img border="0" src="images/new10.gif" width="28" </b></p>
height="12" alt="(New)"> Webmin version 1.060 now has Shorewall support included as standard.
</b></p> See <a href="http://www.webmin.com">http://www.webmin.com</a> <b>
Webmin version 1.060 now has Shorewall support included as standard. </b>
See <a href="http://www.webmin.com">http://www.webmin.com</a> <b>
</b>
<p><b></b></p> <p><b></b></p>
@ -357,7 +433,7 @@ masquerading to occur on subnetworks that you don't wish to masquerade.<br>
<h1 align="center"><a href="http://www.sf.net"><img align="left" <h1 align="center"><a href="http://www.sf.net"><img align="left"
alt="SourceForge Logo" alt="SourceForge Logo"
src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3"> src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3">
</a></h1> </a></h1>
@ -382,13 +458,13 @@ masquerading to occur on subnetworks that you don't wish to masquerade.<br>
<h2><a name="Donations"></a>Donations</h2> <h2><a name="Donations"></a>Donations</h2>
</td> </td>
<td width="88" <td width="88"
bgcolor="#4b017c" valign="top" align="center"> <br> bgcolor="#4b017c" valign="top" align="center"> <br>
</td> </td>
</tr> </tr>
@ -399,9 +475,9 @@ masquerading to occur on subnetworks that you don't wish to masquerade.<br>
</table> </table>
</center> </center>
</div> </div>
@ -410,11 +486,11 @@ masquerading to occur on subnetworks that you don't wish to masquerade.<br>
style="border-collapse: collapse;" width="100%" id="AutoNumber2" style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td width="100%" <td width="100%"
style="margin-top: 1px;"> style="margin-top: 1px;">
@ -425,11 +501,12 @@ masquerading to occur on subnetworks that you don't wish to masquerade.<br>
<p align="center"><a href="http://www.starlight.org"> <img <p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left" border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10"> hspace="10">
</a></p> </a></p>
@ -441,15 +518,16 @@ masquerading to occur on subnetworks that you don't wish to masquerade.<br>
<p align="center"><font size="4" color="#ffffff">Shorewall is free
but if you try it and find it useful, please consider making a donation
to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight
Children's Foundation.</font></a> Thanks!</font></p>
</td> <p align="center"><font size="4" color="#ffffff">Shorewall is free but
if you try it and find it useful, please consider making a donation
to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight Children's
Foundation.</font></a> Thanks!</font></p>
</tr> </td>
</tr>
@ -463,9 +541,12 @@ Children's Foundation.</font></a> Thanks!</font></p>
<p><font size="2">Updated 2/14/2003 - <a href="support.htm">Tom Eastep</a></font> <p><font size="2">Updated 2/19/2003 - <a href="support.htm">Tom Eastep</a></font>
<br> <br>
</p> </p>
<br>
<br>
<br>
</body> </body>
</html> </html>

41
STABLE/documentation/spam_filters.htm
View File

@ -17,46 +17,53 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">SPAM Filters</font></h1> <h1 align="center"><font color="#ffffff">SPAM Filters</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<h1 align="center"><br> <h1 align="center"><br>
<a href="http://ordb.org"> <a href="http://www.spamassassin.org"><img <a href="http://ordb.org"> </a><a href="http://www.spamassassin.org"><img
src="images/ninjalogo.png" alt="(SpamAssassin Logo)" width="100" src="images/ninjalogo.png" alt="(SpamAssassin Logo)" width="100"
height="38"> height="38">
</a><img border="0" src="images/but3.png" hspace="3" width="88" </a><img border="0" src="images/but3.png" hspace="3" width="88"
height="31"> height="31">
</a></h1> </h1>
<p>Like all of you, I'm concerned about the increasing volume of Unsolicited <p>Like all of you, I'm concerned about the increasing volume of Unsolicited
Commercial Email (UCE or SPAM). I am therefore sympathetic with those of Commercial Email (UCE or SPAM). I am therefore sympathetic with those of
you who are installing SPAM filters on your mail servers. A couple of recent you who are installing SPAM filters on your mail servers. A couple of recent
incidents involving mis-configured filters have prompted me to establish incidents involving mis-configured filters have prompted me to establish this
this page to spell out what I will do when these filters bounce list postings.</p> page to spell out what I will do when these filters bounce list postings.</p>
<p>When your SPAM filter bounces/rejects list mail, I will:</p> <p>When your SPAM filter bounces/rejects list mail <b>and I can identify
who you are</b>, I will:</p>
<ol> <ol>
<li>immediately turn off delivery to you from all Shorewall lists to which <li>immediately turn off delivery to you from all Shorewall lists to
you subscribe.</li> which you subscribe.</li>
<li><u>try</u> to send you an email from a source other than shorewall.net</li> <li><u>try</u> to send you an email from a source other than shorewall.net</li>
</ol> </ol>
<p>When you have corrected the problem, please let me know and I will re-enable <p>When you have corrected the problem, please let me know and I will re-enable
delivery (or you can reenable delivery yourself).</p> delivery (or you can reenable delivery yourself).<br>
</p>
<p>Note that many brain-dead spam filters inform the sender that a post was
rejected as spam but fail to provide any clue about the original addressee!!!
If I don't know who you are, I can't tell you about the problem...<br>
</p>
<p><font size="2">Last Updated 1/29/2003 - Tom Eastep</font></p> <p><font size="2">Last Updated 1/29/2003 - Tom Eastep</font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
<br> <br>
<br>
</body> </body>
</html> </html>

286
STABLE/documentation/support.htm
View File

@ -23,26 +23,28 @@
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Support<img <h1 align="center"><font color="#ffffff">Shorewall Support<img
src="images/obrasinf.gif" alt="" width="90" height="90" align="middle"> src="images/obrasinf.gif" alt="" width="90" height="90" align="middle">
</font></h1> </font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p> <b><big><big><font color="#ff0000">While I don't answer Shorewall  questions <p> <b><big><big><font color="#ff0000">While I don't answer Shorewall  questions
emailed directly to me, I try to spend some time each day answering questions emailed directly to me, I try to spend some time each day answering questions
on the Shorewall Users Mailing List.</font></big><span on the Shorewall Users Mailing List.</font></big><span
@ -51,14 +53,14 @@
<h2 align="center"><big><font color="#ff0000"><b>-Tom Eastep</b></font></big></h2> <h2 align="center"><big><font color="#ff0000"><b>-Tom Eastep</b></font></big></h2>
<h1>Before Reporting a Problem</h1> <h1>Before Reporting a Problem</h1>
<i>"Well at least you tried to read the documentation, which is a lot more <i>"Well at least you tried to read the documentation, which is a lot more
than some people on this list appear to do.</i>"<br> than some people on this list appear to do.</i>"<br>
<br> <br>
<div align="center">- Wietse Venema - On the Postfix mailing list<br> <div align="center">- Wietse Venema - On the Postfix mailing list<br>
</div> </div>
<br> <br>
There are a number of sources for There are a number of sources for
problem solution information. Please try these before you post. problem solution information. Please try these before you post.
<h3> </h3> <h3> </h3>
@ -66,20 +68,20 @@ than some people on this list appear to do.</i>"<br>
<h3> </h3> <h3> </h3>
<ul> <ul>
<li>More than half of the questions posted on the support <li>More than half of the questions posted on the support
list have answers directly accessible from the <a list have answers directly accessible from the <a
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a><br> href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a><br>
<br> <br>
</li> </li>
<li> The <a href="FAQ.htm">FAQ</a> <li> The <a href="FAQ.htm">FAQ</a>
has solutions to more than 20 common problems. </li> has solutions to more than 20 common problems. </li>
</ul> </ul>
<h3> </h3> <h3> </h3>
<ul> <ul>
<li> The <a <li> The <a
href="troubleshoot.htm">Troubleshooting</a> Information contains href="troubleshoot.htm">Troubleshooting</a> Information contains
a number of tips to help you solve common problems. </li> a number of tips to help you solve common problems. </li>
@ -88,16 +90,16 @@ than some people on this list appear to do.</i>"<br>
<h3> </h3> <h3> </h3>
<ul> <ul>
<li> The <a <li> The <a
href="errata.htm"> Errata</a> has links to download updated href="errata.htm"> Errata</a> has links to download updated
components. </li> components. </li>
</ul> </ul>
<h3> </h3> <h3> </h3>
<ul> <ul>
<li> The Mailing List <li> The Mailing List
Archives search facility can locate posts about similar Archives search facility can locate posts about similar
problems: </li> problems: </li>
@ -117,13 +119,13 @@ problems: </li>
<option value="or">Any </option> <option value="or">Any </option>
<option value="boolean">Boolean </option> <option value="boolean">Boolean </option>
</select> </select>
Format: Format:
<select name="format"> <select name="format">
<option value="builtin-long">Long </option> <option value="builtin-long">Long </option>
<option value="builtin-short">Short </option> <option value="builtin-short">Short </option>
</select> </select>
Sort by: Sort by:
<select name="sort"> <select name="sort">
<option value="score">Score </option> <option value="score">Score </option>
@ -133,138 +135,140 @@ problems: </li>
<option value="revtime">Reverse Time </option> <option value="revtime">Reverse Time </option>
<option value="revtitle">Reverse Title </option> <option value="revtitle">Reverse Title </option>
</select> </select>
</font> <input type="hidden" </font> <input type="hidden"
name="config" value="htdig"> <input type="hidden" name="restrict" name="config" value="htdig"> <input type="hidden" name="restrict"
value="[http://lists.shorewall.net/pipermail/.*]"> <input type="hidden" value="[http://lists.shorewall.net/pipermail/.*]"> <input type="hidden"
name="exclude" value=""> <br> name="exclude" value=""> <br>
Search: <input type="text" size="30" Search: <input type="text" size="30"
name="words" value=""> <input type="submit" value="Search"> </p> name="words" value=""> <input type="submit" value="Search"> </p>
</form> </form>
<h2>Problem Reporting Guidelines </h2> <h2>Problem Reporting Guidelines </h2>
<i>"Let me see if I can translate your message into a real-world <i>"Let me see if I can translate your message into a real-world
example. It would be like saying that you have three rooms at home, example. It would be like saying that you have three rooms at home,
and when you walk into one of the rooms, you detect this strange smell. and when you walk into one of the rooms, you detect this strange smell.
Can anyone tell you what that strange smell is?<br> Can anyone tell you what that strange smell is?<br>
<br> <br>
Now, all of us could do some wonderful guessing as to the Now, all of us could do some wonderful guessing as to the
smell and even what's causing it. You would be absolutely amazed at smell and even what's causing it. You would be absolutely amazed
the range and variety of smells we could come up with. Even more amazing at the range and variety of smells we could come up with. Even more
is that all of the explanations for the smells would be completely plausible."<br> amazing is that all of the explanations for the smells would be completely
</i><br> plausible."<br>
</i><br>
<div align="center"> - <i>Russell Mosemann</i> on the Postfix mailing list<br> <div align="center"> - <i>Russell Mosemann</i> on the Postfix mailing list<br>
</div> </div>
<br> <br>
<h3> </h3> <h3> </h3>
<ul> <ul>
<li>Please remember we only know what is posted in your message. <li>Please remember we only know what is posted in your message.
Do not leave out any information that appears to be correct, or was Do not leave out any information that appears to be correct, or was
mentioned in a previous post. There have been countless posts by people mentioned in a previous post. There have been countless posts by people
who were sure that some part of their configuration was correct when who were sure that some part of their configuration was correct when it
it actually contained a small error. We tend to be skeptics where detail actually contained a small error. We tend to be skeptics where detail
is lacking.<br> is lacking.<br>
<br> <br>
</li> </li>
<li>Please keep in mind that you're asking for <strong>free</strong> <li>Please keep in mind that you're asking for <strong>free</strong>
technical support. Any help we offer is an act of generosity, not an technical support. Any help we offer is an act of generosity, not an
obligation. Try to make it easy for us to help you. Follow good, courteous obligation. Try to make it easy for us to help you. Follow good, courteous
practices in writing and formatting your e-mail. Provide details that practices in writing and formatting your e-mail. Provide details that
we need if you expect good answers. <em>Exact quoting </em> of error messages, we need if you expect good answers. <em>Exact quoting </em> of error messages,
log entries, command output, and other output is better than a paraphrase log entries, command output, and other output is better than a paraphrase
or summary.<br> or summary.<br>
<br> <br>
</li> </li>
<li> Please don't describe <li> Please don't describe
your environment and then ask us to send you custom your environment and then ask us to send you custom
configuration files. We're here to answer your questions but configuration files. We're here to answer your questions but we
we can't do your job for you.<br> can't do your job for you.<br>
<br> <br>
</li> </li>
<li>When reporting a problem, <strong>ALWAYS</strong> include <li>When reporting a problem, <strong>ALWAYS</strong> include
this information:</li> this information:</li>
</ul> </ul>
<ul> <ul>
<ul> <ul>
<li>the exact version of Shorewall you are running.<br> <li>the exact version of Shorewall you are running.<br>
<br> <br>
<b><font color="#009900">shorewall version</font><br> <b><font color="#009900">shorewall version</font><br>
</b> <br> </b> <br>
</li> </li>
</ul> </ul>
<ul> <ul>
<li>the exact kernel version you are running<br> <li>the exact kernel version you are running<br>
<br> <br>
<font color="#009900"><b>uname -a<br> <font color="#009900"><b>uname -a<br>
<br> <br>
</b></font></li> </b></font></li>
</ul> </ul>
<ul> <ul>
<li>the complete, exact output of<br> <li>the complete, exact output of<br>
<br> <br>
<font color="#009900"><b>ip addr show<br> <font color="#009900"><b>ip addr show<br>
<br> <br>
</b></font></li> </b></font></li>
</ul> </ul>
<ul> <ul>
<li>the complete, exact output of<br> <li>the complete, exact output of<br>
<br> <br>
<font color="#009900"><b>ip route show<br> <font color="#009900"><b>ip route show<br>
<br> <br>
</b></font></li> </b></font></li>
</ul> </ul>
<ul> <ul>
<li>If your kernel is modularized, the exact output from<br> <li>If your kernel is modularized, the exact output from<br>
<br> <br>
<font color="#009900"><b>lsmod</b></font><br> <font color="#009900"><b>lsmod</b></font><br>
<br> <br>
</li> </li>
<li>the exact wording of any <code <li>the exact wording of any <code
style="color: green; font-weight: bold;">ping</code> failure responses<br> style="color: green; font-weight: bold;">ping</code> failure responses<br>
<br> <br>
</li> </li>
<li>If you installed Shorewall using one of the QuickStart Guides, <li>If you installed Shorewall using one of the QuickStart Guides,
please indicate which one. <br> please indicate which one. <br>
<br> <br>
</li> </li>
<li><b>If you are running Shorewall under Mandrake using the Mandrake <li><b>If you are running Shorewall under Mandrake using the Mandrake
installation of Shorewall, please say so.</b><br> installation of Shorewall, please say so.</b><br>
<br> <br>
</li> </li>
</ul> </ul>
</ul> </ul>
<ul> <ul>
<li><b>NEVER </b>include the output of "<b><font <li><b>NEVER </b>include the output of "<b><font
color="#009900">iptables -L</font></b>". Instead, <b>if you are having color="#009900">iptables -L</font></b>". Instead,<font
connection problems of any kind</b>, post the exact output of<br> color="#ff0000"><u><i><big> <b>if you are having connection problems of
<br> any kind then:</b></big></i></u></font><br>
<b><font color="#009900">/sbin/shorewall status<br> <br>
<br> 1. <b><font color="#009900">/sbin/shorewall/reset</font></b><br>
</font></b>Since that command generates a lot of output, we <br>
suggest that you redirect the output to a file and attach the file to 2. Try the connection that is failing.<br>
your post<br> <br>
<br> 3.<b><font color="#009900"> /sbin/shorewall status &gt; /tmp/status.txt</font></b><br>
<b><font color="#009900">/sbin/shorewall status &gt; /tmp/status.txt</font></b><br> <br>
<br> 4. Post the /tmp/status.txt file as an attachment.<br>
</li> <br>
<li>As a general matter, please <strong>do not edit the diagnostic </li>
<li>As a general matter, please <strong>do not edit the diagnostic
information</strong> in an attempt to conceal your IP address, netmask, information</strong> in an attempt to conceal your IP address, netmask,
nameserver addresses, domain name, etc. These aren't secrets, and concealing nameserver addresses, domain name, etc. These aren't secrets, and concealing
them often misleads us (and 80% of the time, a hacker could derive them them often misleads us (and 80% of the time, a hacker could derive them
@ -285,18 +289,18 @@ your post<br>
<h3> </h3> <h3> </h3>
<ul> <ul>
<li> Do you see any <li> Do you see any
"Shorewall" messages ("<b><font color="#009900">/sbin/shorewall show "Shorewall" messages ("<b><font color="#009900">/sbin/shorewall show
log</font></b>") when you exercise the function that is giving log</font></b>") when you exercise the function that is giving
you problems? If so, include the message(s) in your post along with a you problems? If so, include the message(s) in your post along with a
copy of your /etc/shorewall/interfaces file.<br> copy of your /etc/shorewall/interfaces file.<br>
<br> <br>
</li> </li>
<li>Please include any of the Shorewall configuration files <li>Please include any of the Shorewall configuration files
(especially the /etc/shorewall/hosts file if you have modified (especially the /etc/shorewall/hosts file if you have modified
that file) that you think are relevant. If you include /etc/shorewall/rules, that file) that you think are relevant. If you include /etc/shorewall/rules,
please include /etc/shorewall/policy as well (rules are meaningless please include /etc/shorewall/policy as well (rules are meaningless unless
unless one also knows the policies). </li> one also knows the policies). </li>
</ul> </ul>
@ -309,8 +313,8 @@ unless one also knows the policies). </li>
<h3> </h3> <h3> </h3>
<ul> <ul>
<li> If an error occurs <li> If an error occurs
when you try to "<font color="#009900"><b>shorewall start</b></font>", when you try to "<font color="#009900"><b>shorewall start</b></font>",
include a trace (See the <a href="troubleshoot.htm">Troubleshooting</a> include a trace (See the <a href="troubleshoot.htm">Troubleshooting</a>
section for instructions). </li> section for instructions). </li>
@ -319,53 +323,53 @@ when you try to "<font color="#009900"><b>shorewall start</b></font>",
<h3> </h3> <h3> </h3>
<ul> <ul>
<li> <li>
<h3><b>The list server limits posts to 120kb so don't post GIFs of <h3><b>The list server limits posts to 120kb so don't post GIFs of
your network layout, etc. to the Mailing List -- your your network layout, etc. to the Mailing List -- your
post will be rejected.</b></h3> post will be rejected.</b></h3>
</li> </li>
</ul> </ul>
The author gratefully acknowleges that the above list was heavily The author gratefully acknowleges that the above list was heavily
plagiarized from the excellent LEAF document by <i>Ray</i> <em>Olszewski</em> plagiarized from the excellent LEAF document by <i>Ray</i> <em>Olszewski</em>
found at <a found at <a
href="http://leaf-project.org/pub/doc/docmanager/docid_1891.html">http://leaf-project.org/pub/doc/docmanager/docid_1891.html</a>.<br> href="http://leaf-project.org/pub/doc/docmanager/docid_1891.html">http://leaf-project.org/pub/doc/docmanager/docid_1891.html</a>.<br>
<h2>Please post in plain text</h2> <h2>Please post in plain text</h2>
<blockquote> </blockquote> <blockquote> </blockquote>
A growing number of MTAs serving list subscribers are rejecting A growing number of MTAs serving list subscribers are rejecting
all HTML traffic. At least one MTA has gone so far as to blacklist shorewall.net all HTML traffic. At least one MTA has gone so far as to blacklist
"for continuous abuse" because it has been my policy to allow HTML in shorewall.net "for continuous abuse" because it has been my policy to
list posts!!<br> allow HTML in list posts!!<br>
<br> <br>
I think that blocking all HTML is a Draconian way to control I think that blocking all HTML is a Draconian way to control
spam and that the ultimate losers here are not the spammers but the list spam and that the ultimate losers here are not the spammers but the
subscribers whose MTAs are bouncing all shorewall.net mail. As one list subscribers whose MTAs are bouncing all shorewall.net mail. As
list subscriber wrote to me privately "These e-mail admin's need to get one list subscriber wrote to me privately "These e-mail admin's need
a <i>(expletive deleted)</i> life instead of trying to rid the planet to get a <i>(expletive deleted)</i> life instead of trying to rid the
of HTML based e-mail". Nevertheless, to allow subscribers to receive list planet of HTML based e-mail". Nevertheless, to allow subscribers to receive
posts as must as possible, I have now configured the list server at shorewall.net list posts as must as possible, I have now configured the list server
to strip all HTML from outgoing posts.<br> at shorewall.net to strip all HTML from outgoing posts.<br>
<h2>Where to Send your Problem Report or to Ask for Help</h2> <h2>Where to Send your Problem Report or to Ask for Help</h2>
<blockquote> <blockquote>
<h4>If you run Shorewall under Bering -- <span <h4>If you run Shorewall under Bering -- <span
style="font-weight: 400;">please post your question or problem style="font-weight: 400;">please post your question or problem
to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF Users to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF Users
mailing list</a>.</span></h4> mailing list</a>.</span></h4>
<b>If you run Shorewall under MandrakeSoft Multi Network Firewall <b>If you run Shorewall under MandrakeSoft Multi Network
(MNF) and you have not purchased an MNF license from MandrakeSoft then Firewall (MNF) and you have not purchased an MNF license from MandrakeSoft
you can post non MNF-specific Shorewall questions to the </b><a then you can post non MNF-specific Shorewall questions to the </b><a
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
list.</a> <b>Do not expect to get free MNF support on the list.</b><br> list.</a> <b>Do not expect to get free MNF support on the list.</b><br>
<p>Otherwise, please post your question or problem to the <a <p>Otherwise, please post your question or problem to the <a
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
list.</a></p> list.</a></p>
</blockquote> </blockquote>
@ -375,14 +379,16 @@ to strip all HTML from outgoing posts.<br>
.</p> .</p>
<p align="left"><font size="2">Last Updated 2/9/2003 - Tom Eastep</font></p> <p align="left"><font size="2">Last Updated 2/22/2003 - Tom Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br> size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p> </p>
<br> <br>
<br> <br>
<br> <br>
<br>
<br> <br>
<br> <br>
<br> <br>

17
STABLE/firewall
View File

@ -1577,10 +1577,10 @@ setup_mac_lists() {
# #
for interface in $maclist_interfaces; do for interface in $maclist_interfaces; do
case $interface in case $interface in
eth*) eth*|wlan*)
;; ;;
*) *)
fatal_error "Error: MAC verification is only supported on ethernet devices: $interface" fatal_error "Error: MAC verification is only supported on ethernet and 802.11b devices: $interface"
;; ;;
esac esac
@ -3084,12 +3084,11 @@ setup_intrazone() # $1 = zone
{ {
eval hosts=\$${1}_hosts eval hosts=\$${1}_hosts
if [ "$hosts" != "${hosts% *}" ] || \ if have_interfaces_in_zone_with_option $1 multi; then
have_interfaces_in_zone_with_option $1 multi
then
ensurechain ${1}2${1} ensurechain ${1}2${1}
fi fi
} }
# #
# Add a record to the blacklst chain # Add a record to the blacklst chain
# #
@ -3521,10 +3520,10 @@ add_common_rules() {
if [ -n "$LOGUNCLEAN" ]; then if [ -n "$LOGUNCLEAN" ]; then
if [ "$LOGUNCLEAN" = ULOG ]; then if [ "$LOGUNCLEAN" = ULOG ]; then
logoptions="-j ULOG $LOGPARAMS --ulog-prefix Shorewall:badpkt:DROP:" logoptions="-j ULOG $LOGPARMS --ulog-prefix Shorewall:badpkt:DROP:"
logoptions="$logoptions --log-ip-options" logoptions="$logoptions --log-ip-options"
else else
logoptions="-j LOG $LOGPARAMS --log-prefix Shorewall:badpkt:DROP:" logoptions="-j LOG $LOGPARMS --log-prefix Shorewall:badpkt:DROP:"
logoptions="$logoptions --log-level $LOGUNCLEAN --log-ip-options" logoptions="$logoptions --log-level $LOGUNCLEAN --log-ip-options"
fi fi
@ -3553,10 +3552,10 @@ add_common_rules() {
[ -z"$LOGUNCLEAN" ] && LOGUNCLEAN=info [ -z"$LOGUNCLEAN" ] && LOGUNCLEAN=info
if [ "$LOGUNCLEAN" = ULOG ]; then if [ "$LOGUNCLEAN" = ULOG ]; then
logoptions="-j ULOG $LOGPARAMS --ulog-prefix Shorewall:logpkt:LOG:" logoptions="-j ULOG $LOGPARMS --ulog-prefix Shorewall:logpkt:LOG:"
logoptions="$logoptions --log-ip-options" logoptions="$logoptions --log-ip-options"
else else
logoptions="-j LOG $LOGPARAMS --log-prefix Shorewall:logpkt:LOG:" logoptions="-j LOG $LOGPARMS --log-prefix Shorewall:logpkt:LOG:"
logoptions="$logoptions --log-level $LOGUNCLEAN --log-ip-options" logoptions="$logoptions --log-level $LOGUNCLEAN --log-ip-options"
fi fi