From 71c448e6c76cec6647a9cf14924a37e74f674476 Mon Sep 17 00:00:00 2001 From: teastep Date: Sat, 3 Sep 2005 23:03:06 +0000 Subject: [PATCH] More 3.0 doc updates git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2629 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall-docs2/Documentation.xml | 35 +- Shorewall-docs2/GenericTunnels.xml | 221 +---- Shorewall-docs2/IPIP.xml | 232 +---- Shorewall-docs2/IPP2P.xml | 7 +- Shorewall-docs2/IPSEC-2.6.xml | 64 +- Shorewall-docs2/IPSEC.xml | 852 ++---------------- Shorewall-docs2/Introduction.xml | 1 + Shorewall-docs2/Multiple_Zones.xml | 33 +- Shorewall-docs2/OPENVPN.xml | 24 +- Shorewall-docs2/PPTP.xml | 7 +- .../Shorewall_and_Aliased_Interfaces.xml | 22 +- Shorewall-docs2/Shorewall_and_Kazaa.xml | 14 +- Shorewall-docs2/bridge.xml | 9 +- Shorewall-docs2/ipsets.xml | 4 +- Shorewall-docs2/shorewall_setup_guide.xml | 72 +- 15 files changed, 288 insertions(+), 1309 deletions(-) diff --git a/Shorewall-docs2/Documentation.xml b/Shorewall-docs2/Documentation.xml index 51f29a249..5925ab8b7 100644 --- a/Shorewall-docs2/Documentation.xml +++ b/Shorewall-docs2/Documentation.xml @@ -187,16 +187,6 @@ - - ipsec - - - a parameter file installed in /etc/shorewall and used to describe - ipsec policies associated with zones. - - - maclist @@ -423,16 +413,22 @@ NET_OPTIONS=blacklist,norfc1918 - IPSEC + TYPE - Yes - All traffic to/from this zone is encrypted. + ipsec - All traffic + to/from this zone is encrypted. - No - By default, traffic to/from some of the hosts in this - zone is not encrypted. Any encrypted hosts are designated using - the ipsec option in plain - By default, + traffic to/from some of the hosts in this zone is not encrypted. + Any encrypted hosts are designated using the ipsec option in /etc/shorewall/hosts. + + firewall - Designates the + firewall itself. You must have exactly one 'firewall' zone. No + options are permitted with a 'firewall' zone. 
@@ -1337,10 +1333,11 @@ loc loc REJECT info /etc/shorewall/zones: - #ZONE DISPLAY COMMENTS -sam Sam Sam's system at home -net Internet The Internet -loc Local Local Network + #ZONE TYPE OPTION +fw firewall +sam plain +net plain +loc plain /etc/shorewall/interfaces: diff --git a/Shorewall-docs2/GenericTunnels.xml b/Shorewall-docs2/GenericTunnels.xml index a89334e79..414df83f3 100644 --- a/Shorewall-docs2/GenericTunnels.xml +++ b/Shorewall-docs2/GenericTunnels.xml @@ -15,7 +15,7 @@ - 2003-08-09 + 2003-09-03 2001 @@ -24,6 +24,8 @@ 2003 + 2005 + Thomas M. Eastep @@ -33,13 +35,15 @@ 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled - GNU Free Documentation License. + GNU Free Documentation + License. Shorewall includes built-in support for a wide range of VPN solutions. If you have need for a tunnel type that does not have explicit support, you - can generally describe the tunneling software using generic tunnels. + can generally describe the tunneling software using generic + tunnels.
Bridging two Masqueraded Networks @@ -50,7 +54,7 @@ We want systems in the 192.168.1.0/24 subnetwork to be able to communicate with the systems in the 10.0.0.0/8 network. This is - accomplished through use of the /etc/shorewall/tunnels file, the + accomplished through use of the /etc/shorwall/tunnels file, the /etc/shorewall/policy file and the /etc/shorewall/tunnel script that is included with Shorewall. 
@@ -73,217 +77,44 @@ On each firewall, you will need to declare a zone to represent the - remote subnet. We'll assume that this zone is called vpn + remote subnet. We'll assume that this zone is called vpn and declare it in /etc/shorewall/zones on both systems as follows. - - - - - ZONE + #ZONE TYPE OPTIONS +vpn plain - DISPLAY + On system A, the 10.0.0.0/8 will comprise the vpn zone. In /etc/shorewall/interfaces: - COMMENTS - - - - - - vpn - - VPN - - Remote Subnet - - - - - - On system A, the 10.0.0.0/8 will comprise the vpn - zone. In /etc/shorewall/interfaces: - - - - - - ZONE - - INTERFACE - - BROADCAST - - OPTIONS - - - - - - vpn - - tun0 - - 10.255.255.255 - - - - - - + #ZONE INTERFACE BROADCAST OPTIONS +vpn tun0 10.255.255.255 In /etc/shorewall/tunnels on system A, we need the following: - - - - - TYPE - - ZONE - - GATEWAY - - GATEWAY ZONE - - - - - - generic:tcp:1071 - - net - - 134.28.54.2 - - - - - - generic:47 - - net - - 134.28.54.2 - - - - - - + #TYPE ZONE GATEWAY GATEWAY ZONE +generic:tcp:1071 net 134.28.54.2 +generic:47 net 134.28.54.2 These entries in /etc/shorewall/tunnels, opens the firewall so that TCP port 1071 and the Generalized Routing Encapsulation Protocol (47) will be accepted to/from the remote gateway. 
- - - - - ZONE - - INTERFACE - - BROADCAST - - OPTIONS - - - - - - vpn - - tun0 - - 192.168.1.255 - - - - - - + #ZONE INTERFACE BROADCAST OPTIONS +vpn tun0 192.168.1.255 In /etc/shorewall/tunnels on system B, we have: - - - - - TYPE - - ZONE - - GATEWAY - - GATEWAY ZONE - - - - - - generic:tcp:1071 - - net - - 206.191.148.9 - - - - - - generic:47 - - net - - 134.28.54.2 - - - - - - + #TYPE ZONE GATEWAY GATEWAY ZONE +generic:tcp:1071 net 206.191.148.9 +generic:47 net 206.191.148.9 You will need to allow traffic between the vpn zone and the loc zone on both systems -- if you simply want to admit all traffic in both directions, you can use the policy file: - - - - - SOURCE - - DEST - - POLICY - - LOG LEVEL - - - - - - loc - - vpn - - ACCEPT - - - - - - vpn - - loc - - ACCEPT - - - - - - + #SOURCE DEST POLICY LOG LEVEL +loc vpn ACCEPT +vpn loc ACCEPT On both systems, restart Shorewall and start your VPN software on each system. The systems in the two masqueraded subnetworks can now talk diff --git a/Shorewall-docs2/IPIP.xml b/Shorewall-docs2/IPIP.xml index eac41f8f0..119154e96 100644 --- a/Shorewall-docs2/IPIP.xml +++ b/Shorewall-docs2/IPIP.xml @@ -15,7 +15,7 @@ - 2004-05-22 + 2005-09-03 2001 @@ -26,6 +26,8 @@ 2004 + 2005 + Thomas M. Eastep @@ -35,7 +37,8 @@ 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled - GNU Free Documentation License. + GNU Free Documentation + License. 
@@ -48,11 +51,11 @@ masqueraded networks. The simple scripts described in the Linux Advanced Routing and Shaping HOWTO - work fine with Shorewall. Shorewall also includes a tunnel script for - automating tunnel configuration. If you have installed the RPM, the tunnel - script may be found in the Shorewall documentation directory (usually - /usr/share/doc/shorewall-<version>/). + url="http://ds9a.nl/lartc">Linux Advanced Routing and Shaping + HOWTO work fine with Shorewall. Shorewall also includes + a tunnel script for automating tunnel configuration. If you have installed + the RPM, the tunnel script may be found in the Shorewall documentation + directory (usually /usr/share/doc/shorewall-<version>/).
Bridging two Masqueraded Networks @@ -71,10 +74,11 @@ by default -- If you install using the tarball, the script is included in the tarball; if you install using the RPM, the file is in your Shorewall documentation directory (normally - /usr/share/doc/shorewall-<version>). + /usr/share/doc/shorewall-<version>). - In the /etc/shorewall/tunnel script, set the tunnel_type - parameter to the type of tunnel that you want to create. + In the /etc/shorewall/tunnel script, set the + tunnel_type parameter to the type of tunnel that you want + to create. /etc/shorewall/tunnel @@ -85,106 +89,31 @@ If you use the PPTP connection tracking modules from Netfilter Patch-O-Matic (ip_conntrack_proto_gre ip_conntrack_pptp, - ip_nat_proto_gre and ip_nat_pptp) then you cannot use GRE tunnels. + ip_nat_proto_gre and ip_nat_pptp) then you cannot use GRE + tunnels. On each firewall, you will need to declare a zone to represent the - remote subnet. We'll assume that this zone is called vpn + remote subnet. We'll assume that this zone is called vpn and declare it in /etc/shorewall/zones on both systems as follows. - - /etc/shorewall/zones system A & B + #ZONE TYPE OPTIONS +vpn plain - - - - ZONE + On system A, the 10.0.0.0/8 will comprise the vpn zone. In /etc/shorewall/interfaces: - DISPLAY - - COMMENTS - - - - - - vpn - - VPN - - Remote Subnet - - - -
- - On system A, the 10.0.0.0/8 will comprise the vpn - zone. In /etc/shorewall/interfaces: - - - /etc/shorewall/interfaces system A - - - - - ZONE - - INTERFACE - - BROADCAST - - OPTIONS - - - - - - vpn - - tosysb - - 10.255.255.255 - - - - - -
+ #ZONE INTERFACE BROADCAST OPTIONS +vpn tosysb 10.255.255.255 In /etc/shorewall/tunnels on system A, we need the following: - - /etc/shorewall/tunnels system A - - - - - TYPE - - ZONE - - GATEWAY - - GATEWAY ZONE - - - - - - ipip - - net - - 134.28.54.2 - - - - - -
+ #TYPE ZONE GATEWAY GATEWAY ZONE +ipip net 134.28.54.2 This entry in /etc/shorewall/tunnels, opens the firewall so that the - IP encapsulation protocol (4) will be accepted to/from the remote gateway. + IP encapsulation protocol (4) will be accepted to/from the remote + gateway. In the tunnel script on system A: @@ -201,69 +130,16 @@ subnet=10.0.0.0/8
Similarly, On system B the 192.168.1.0/24 subnet will comprise the - vpn zone. In /etc/shorewall/interfaces: + vpn zone. In + /etc/shorewall/interfaces: - - /etc/shorewall/interfaces system B - - - - - ZONE - - INTERFACE - - BROADCAST - - OPTIONS - - - - - - vpn - - tosysa - - 192.168.1.255 - - - - - -
+ #ZONE INTERFACE BROADCAST +vpn tosysa 192.168.1.255 In /etc/shorewall/tunnels on system B, we have: - - /etc/shorewall/tunnels system B - - - - - TYPE - - ZONE - - GATEWAY - - GATEWAY ZONE - - - - - - ipip - - net - - 206.191.148.9 - - - - - -
+ #TYPE ZONE GATEWAY GATEWAY ZONE +ipip net 206.191.148.9 And in the tunnel script on system B: @@ -285,45 +161,9 @@ subnet=192.168.1.0/24 and the loc zone on both systems -- if you simply want to admit all traffic in both directions, you can use the policy file: - - /etc/shorewall/policy system A & B - - - - - SOURCE - - DEST - - POLICY - - LOG LEVEL - - - - - - loc - - vpn - - ACCEPT - - - - - - vpn - - loc - - ACCEPT - - - - - -
+ #SOURCE DEST POLICY LOG LEVEL +loc vpn ACCEPT +vpn loc ACCEPT On both systems, restart Shorewall and run the modified tunnel script with the start argument on each system. The systems diff --git a/Shorewall-docs2/IPP2P.xml b/Shorewall-docs2/IPP2P.xml index 68857c8ef..c4ab7af7c 100644 --- a/Shorewall-docs2/IPP2P.xml +++ b/Shorewall-docs2/IPP2P.xml @@ -15,7 +15,7 @@ - 2005-06-02 + 2005-09-03 2004 @@ -62,8 +62,9 @@ url="Accounting.html">/etc/shorewall/accounting /etc/shorewall/routes (2.3.2 - and later) + url="Shorewall_and_Routing.html">/etc/shorewall/rules (Recommend + that you place the rules in the ESTABLISHED section of that + file). When the PROTO or PROTOCOL column contains "ipp2p" then the DEST diff --git a/Shorewall-docs2/IPSEC-2.6.xml b/Shorewall-docs2/IPSEC-2.6.xml index 218dac3a7..d3fad836a 100644 --- a/Shorewall-docs2/IPSEC-2.6.xml +++ b/Shorewall-docs2/IPSEC-2.6.xml @@ -15,7 +15,7 @@ - 2005-08-30 + 2005-09-03 2004 @@ -210,19 +210,19 @@ Encrypted communication is used to/from all hosts in a zone. - The value Yes is placed in the - IPSEC column of the /etc/shorewall/ipsec entry + The value ipsec is placed in + the TYPE column of the /etc/shorewall/zones entry for the zone. - Encrypted communication is used to/from only part of the hosts - in a zone. + By default, encrypted communication is not used to communicate + with the hosts in a zone. - The value No is placed in the - IPSEC column of the /etc/shorewall/ipsec entry + The value plain is placed in + the TYPE column of the /etc/shorewall/zones entry for the zone and the new ipsec option - is specified in /etc/shorewall/hosts for those + is specified in /etc/shorewall/hosts for any hosts requiring secure communication. 
@@ -233,15 +233,15 @@ - It is redundent to have Yes in - the IPSEC column of the /etc/shorewall/ipsec entry + It is redundent to have ipsec in + the TYPE column of the /etc/shorewall/zones entry for a zone and to also have the ipsec option in /etc/shorewall/hosts entries for that zone. Finally, the OPTIONS, IN OPTIONS and OUT OPTIONS columns in - /etc/shorewall/ipsec can be used to match the zone to a particular (set + /etc/shorewall/zones can be used to match the zone to a particular (set of) SA(s) used to encrypt and decrypt traffic to/from the zone and the security policies that select which traffic to encrypt/decrypt. @@ -319,10 +319,10 @@ ipsec net 206.162.148.9 /etc/shorewall/zones — Systems A and B: - #ZONE IPSEC OPTIONS IN OUT -# ONLY OPTIONS OPTIONS -vpn No -net No + #ZONE TYPE OPTIONS IN OUT +# OPTIONS OPTIONS +vpn plain +net plain #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE @@ -472,9 +472,9 @@ sainfo address 192.168.1.0/24 any address 134.28.54.2/32 any through an ESP tunnel then the following entry would be appropriate: - #ZONE IPSEC OPTIONS IN OUT -# ONLY OPTIONS OPTIONS -sec yes mode=tunnel mss=1400 + #ZONE TYPE OPTIONS IN OUT +# OPTIONS OPTIONS +sec ipsec mode=tunnel mss=1400 Note that CLAMPMSS=Yes in shorewall.conf isn't effective with the 2.6 native IPSEC implementation because there @@ -503,11 +503,11 @@ sec yes mode=tunnel mss=1400 /etc/shorewall/zones — System A - #ZONE IPSEC OPTIONS IN OUT -# ONLY OPTIONS OPTIONS -vpn Yes -net No -loc No + #ZONE TYPE OPTIONS IN OUT +# OPTIONS OPTIONS +vpn ipsec +net plain +loc plain #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE @@ -546,11 +546,11 @@ vpn eth0:0.0.0.0/0
/etc/shorewall/zones - System B: - #ZONE IPSEC OPTIONS IN OUT -# ONLY OPTIONS OPTIONS -vpn Yes -net No -loc No + #ZONE TYPE OPTIONS IN OUT +# OPTIONS OPTIONS +vpn ipsec +net plain +loc plain #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE /etc/shorewall/tunnels - System B: @@ -759,10 +759,10 @@ ipsec:noah net 192.168.20.0/24 loc /etc/shorewall/zones: - #ZONE IPSEC OPTIONS IN OUT -# ONLY OPTIONS OPTIONS -loc Yes mode=transport -net + #ZONE TYPE OPTIONS IN OUT +# OPTIONS OPTIONS +loc ipsec mode=transport +net plain /etc/shorewall/hosts: diff --git a/Shorewall-docs2/IPSEC.xml b/Shorewall-docs2/IPSEC.xml index 03984b47a..058f1eaba 100644 --- a/Shorewall-docs2/IPSEC.xml +++ b/Shorewall-docs2/IPSEC.xml @@ -15,7 +15,7 @@ - 2005-08-20 + 2005-09-03 2001-2005 @@ -34,6 +34,13 @@ + + This article applies to Shorewall 3.0 and + later. If you are running a version of Shorewall earlier than Shorewall + 3.0.0 then please see the documentation for that + release. + + The information in this article is only applicable if you plan to have IPSEC end-points on the same system where Shorewall is used. @@ -67,13 +74,6 @@ recommend that you consult that site for information about configuring FreeS/Wan. - - IPSEC and Proxy ARP do not work unless you are running Shorewall - 2.0.1 Beta 3 or later or unless you have installed the fix to Shorewall - 2.0.0 available from the Errata - Page. - - The documentation below assumes that you have disabled opportunistic encryption feature in FreeS/Wan 2.0 using the following @@ -131,67 +131,13 @@ conn packetdefault In /etc/shorewall/tunnels on system A, we need the following - - /etc/shorewall/tunnels - System A - - - - - TYPE - - ZONE - - GATEWAY - - GATEWAY ZONE - - - - - - ipsec - - net - - 134.28.54.2 - - - - - -
+ #TYPE ZONE GATEWAY GATEWAY ZONE +ipsec net 134.28.54.2 In /etc/shorewall/tunnels on system B, we would have: - - /etc/shorewall/tunnels - System B - - - - - TYPE - - ZONE - - GATEWAY - - GATEWAY ZONE - - - - - - ipsec - - net - - 206.161.148.9 - - - - - -
+ #TYPE ZONE GATEWAY GATEWAY ZONE +ipsec net 206.161.148.9 If either of the endpoints is behind a NAT gateway then the @@ -206,72 +152,19 @@ conn packetdefault zone called vpn to represent the remote subnet. Note that you should define the vpn zone before the net zone. - - /etc/shorewall/zones - Systems A and B + /etc/shorewall/zones (both systems): - - - - ZONE - - DISPLAY - - COMMENTS - - - - - - vpn - - VPN - - Remote Subnet - - - - net - - Internet - - The big bad internet - - - -
+ #ZONE TYPE OPTIONS +vpn plain +net plain If you are running kernel 2.4:
At both systems, ipsec0 would be included in /etc/shorewall/interfaces as a vpn interface: - - /etc/shorewall/interfaces - Systems A and B - - - - - ZONE - - INTERFACE - - BROADCAST - - OPTIONS - - - - - - vpn - - ipsec0 - - - - - -
+ #ZONE INTERFACE BROADCAST OPTIONS +vpn ipsec0
If you are running kernel @@ -289,57 +182,15 @@ conn packetdefault You must define the vpn zone using the /etc/shorewall/hosts file. - - /etc/shorewall/hosts - System A + /etc/shorewall/hosts - System A - - - - ZONE + #ZONE HOSTS OPTIONS +vpn eth0:10.0.0.0/8 - HOSTS + /etc/shorewall/hots - System B - OPTIONS - - - - - - vpn - - eth0:10.0.0.0/8 - - - - - -
- - - /etc/shorewall/hosts - System B - - - - - ZONE - - HOSTS - - OPTIONS - - - - - - vpn - - eth0:192.168.1.0/24 - - - - - -
+ #ZONE HOSTS OPTIONS +vpn eth0:192.168.1.0/24 In addition, if you are using Masquerading or SNAT on your firewalls, you need to elmiinate the remote @@ -347,102 +198,26 @@ conn packetdefault role="bold">replace
your current masquerade/SNAT entries for the local networks.
- - /etc/shorewall/masq - System A + /etc/shorewall/masq - System A - - - - INTERFACE + #INTERFACE SUBNET ADDRESS +eth0:!10.0.0.0/8 192.168.1.0/24 - SUBNET + /etc/shorewall/masq - System B - ADDRESS - - - - - - eth0:!10.0.0.0/8 - - 192.168.1.0/24 - - ... - - - -
- - - /etc/shorewall/masq System B - - - - - INTERFACE - - SUBNET - - ADDRESS - - - - - - eth0:!192.168.1.0/24 - - 10.0.0.0/8 - - ... - - - -
+ #INTERFACE SUBNET ADDRESS +eth0:!192.168.1.0/24 10.0.0.0/8
You will need to allow traffic between the vpn zone and the loc zone -- if you simply want to admit all traffic in both directions, you can use the policy file: - - /etc/shorewall/policy - Systems A and B + #SOURCE DEST POLICY LOG LEVEL +loc vpn ACCEPT +vpn loc ACCEPT - - - - SOURCE - - DEST - - POLICY - - LOG LEVEL - - - - - - loc - - vpn - - ACCEPT - - - - - - vpn - - loc - - ACCEPT - - - - - -
+ Once you have these entries in place, restart Shorewall (type shorewall restart); you are now ready to configure the tunnel in In /etc/shorewall/tunnels on system A, we need the following - - /etc/shorewall/tunnels system A - - - - - TYPE - - ZONE - - GATEWAY - - GATEWAY ZONE - - - - - - ipsec - - net - - 134.28.54.2 - - - - - - ipsec - - net - - 130.152.100.14 - - - - - -
+ #TYPE ZONE GATEWAY GATEWAY ZONE +ipsec net 134.28.54.2 +ipsec net 130.252.100.14 In /etc/shorewall/tunnels on systems B and C, we would have: - - /etc/shorewall/tunnels system B & C - - - - - TYPE - - ZONE - - GATEWAY - - GATEWAY ZONE - - - - - - ipsec - - net - - 206.161.148.9 - - - - - -
+ #TYPE ZONE GATEWAY GATEWAY ZONE +ipsec net 206.161.148.9 If either of the endpoints is behind a NAT gateway then the @@ -570,170 +282,33 @@ conn packetdefault On each system, we will create a zone to represent the remote networks. On System A: - - /etc/shorewall/zones system A - - - - - ZONE - - DISPLAY - - COMMENTS - - - - - - vpn1 - - VPN1 - - Remote Subnet on system B - - - - vpn2 - - VPN2 - - Remote Subnet on system C - - - -
+ #ZONE TYPE OPTIONS +vpn1 plain +vp2 plain On systems B and C: - - /etc/shorewall/zones system B & C - - - - - ZONE - - DISPLAY - - COMMENTS - - - - - - vpn - - VPN - - Remote Subnet on system A - - - -
+ #ZONE TYPE OPTIONS +vpn plain At system A, ipsec0 represents two zones so we have the following in /etc/shorewall/interfaces: - - /etc/shorewall/interfaces system A - - - - - ZONE - - INTERFACE - - BROADCAST - - OPTIONS - - - - - - - - - ipsec0 - - - - - - - -
+ #ZONE INTERFACE BROADCAST OPTIONS +- ipsec0 The /etc/shorewall/hosts file on system A defines the two VPN zones: - - /etc/shorewall/hosts system A - - - - - ZONE - - HOSTS - - OPTIONS - - - - - - vpn1 - - ipsec0:10.0.0.0/16 - - - - - - vpn2 - - ipsec0:10.1.0.0/16 - - - - - -
+ #ZONE HOSTS OPTIONS +vpn1 ipsec0:10.0.0.0/16 +vpn2 ipsec0:10.1.0.0/16 At systems B and C, ipsec0 represents a single zone so we have the following in /etc/shorewall/interfaces: - - /etc/shorewall/interfaces system B & C - - - - - ZONE - - INTERFACE - - BROADCAST - - OPTIONS - - - - - - vpn - - ipsec0 - - - - - - - -
+ #ZONE INTERFACE BROADCAST OPTIONS +vpn ipsec0 On systems A, you will need to allow traffic between the vpn1 zone and the loc zone as well as @@ -741,110 +316,22 @@ conn packetdefault simply want to admit all traffic in both directions, you can use the following policy file entries on all three gateways: - - /etc/shorewall/policy system A - - - - - SOURCE - - DEST - - POLICY - - LOG LEVEL - - - - - - loc - - vpn1 - - ACCEPT - - - - - - vpn1 - - loc - - ACCEPT - - - - - - loc - - vpn2 - - ACCEPT - - - - - - vpn2 - - loc - - ACCEPT - - - - - -
+ #SOURCE DEST POLICY LOG LEVEL +loc vpn1 ACCEPT +vpn1 loc ACCEPT +loc vpn2 ACCEPT +vpn2 loc ACCEPT On systems B and C, you will need to allow traffic between the vpn zone and the loc zone -- if you simply want to admit all traffic in both directions, you can use the following policy file entries on all three gateways: - - /etc/shorewall/policy system B & C + /etc/shorewall/policy -- Systems B & C - - - - SOURCE - - DEST - - POLICY - - LOG LEVEL - - - - - - loc - - vpn - - ACCEPT - - - - - - vpn - - loc - - ACCEPT - - - - - -
+ #SOURCE DEST POLICY LOG LEVEL +loc vpn ACCEPT +vpn loc ACCEPT Once you have the Shorewall entries added, restart Shorewall on each gateway (type shorewall restart); you are now ready to configure the @@ -856,45 +343,9 @@ conn packetdefault it is necessary to simply add two additional entries to the /etc/shorewall/policy file on system A. - - /etc/shorewall/policy system A - - - - - SOURCE - - DEST - - POLICY - - LOG LEVEL - - - - - - vpn1 - - vpn2 - - ACCEPT - - - - - - vpn2 - - vpn1 - - ACCEPT - - - - - -
+ #SOURCE DEST POLICY LOG LEVEL +vpn1 vpn2 ACCEPT +vpn2 vpn1 ACCEPT
@@ -920,65 +371,17 @@ conn packetdefault local zone. In this example, we'll assume that you have created a zone called vpn to represent the remote host.
- - /etc/shorewall/zones local + /etc/shorewall/zones - System A - - - - ZONE - - DISPLAY - - COMMENTS - - - - - - vpn - - VPN - - Remote Subnet - - - -
+ #ZONE TYPE OPTIONS +vpn plain In this instance, the mobile system (B) has IP address 134.28.54.2 but that cannot be determined in advance. In the /etc/shorewall/tunnels file on system A, the following entry should be made: - - /etc/shorewall/tunnels system A - - - - - TYPE - - ZONE - - GATEWAY - - GATEWAY ZONE - - - - - - ipsec - - net - - 0.0.0.0/0 - - vpn - - - -
+ #TYPE ZONE GATEWAY GATEWAY ZONE +ipsec net 0.0.0.0/0 the GATEWAY ZONE column contains the name of the zone @@ -1004,79 +407,15 @@ conn packetdefault In /etc/shorewall/zones: - - /etc/shorewall/zones - - - - - ZONE - - DISPLAY - - COMMENTS - - - - - - vpn1 - - VPN-1 - - First VPN Zone - - - - vpn2 - - VPN-2 - - Second VPN Zone - - - - vpn3 - - VPN-3 - - Third VPN Zone - - - -
+ #ZONE TYPE OPTIONS +vpn1 plain +vpn2 plain +vpn3 plain In /etc/shorewall/tunnels: - - /etc/shorewall/tunnels - - - - - TYPE - - ZONE - - GATEWAY - - GATEWAY ZONE - - - - - - ipsec - - net - - 0.0.0.0/0 - - vpn1,vpn2,vpn3 - - - -
+ #TYPE ZONE GATEWAY GATEWAY ZONE +ipsec net 0.0.0.0/0 vpn1,vpn2,vpn3 When Shorewall is started, the zones vpn[1-3] will all be empty and Shorewall will issue warnings to that effect. These warnings may be safely @@ -1101,49 +440,12 @@ conn packetdefault If you include a dynamic zone in the exclude list of a DNAT rule, the dynamically-added hosts are not excluded from the rule. + #ACTION SOURCE DEST PROTO DEST PORT(S) +DNAT z!dyn loc:192.168.1.3 tcp 80 + dyn=dynamic zone - - - - - ACTION - - SOURCE - - DESTINATION - - PROTOCOL - - PORT(S) - - CLIENT PORT(S) - - ORIGINAL DESTINATION - - - - - - DNAT - - z!dyn - - loc:192.168.1.3 - - tcp - - 80 - - - - - - - - - Dynamic changes to the zone dyn will have no effect on the above rule. diff --git a/Shorewall-docs2/Introduction.xml b/Shorewall-docs2/Introduction.xml index 3c3e31ae4..01c467f11 100644 --- a/Shorewall-docs2/Introduction.xml +++ b/Shorewall-docs2/Introduction.xml @@ -122,6 +122,7 @@ example, the following zone names are used: #NAME DESCRIPTION +fw The firewall itself net The Internet loc Your Local Network dmz Demilitarized Zone diff --git a/Shorewall-docs2/Multiple_Zones.xml b/Shorewall-docs2/Multiple_Zones.xml index c89968846..ceb478611 100644 --- a/Shorewall-docs2/Multiple_Zones.xml +++ b/Shorewall-docs2/Multiple_Zones.xml @@ -15,7 +15,7 @@ - 2005-05-15 + 2005-09-03 2003-2005 @@ -34,6 +34,13 @@ + + This article applies to Shorewall 3.0 and + later. If you are running a version of Shorewall earlier than Shorewall + 3.0.0 then please see the documentation for that + release. + +
Introduction @@ -205,9 +212,9 @@ /etc/shorewall/zones - #ZONE DISPLAY COMMENTS -loc1 Local1 Hosts accessed through internal router -loc Local All hosts accessed via eth1 + #ZONE TYPE OPTIONS +loc1 plain +loc plain the sub-zone (loc1) is defined first! @@ -244,9 +251,9 @@ loc1 loc NONE /etc/shorewall/zones - #ZONE DISPLAY COMMENTS -loc1 Local1 Hosts accessed Directly from Firewall -loc2 Local2 Hosts accessed via the internal Router + #ZONE TYPE OPTIONS +loc1 plain +loc2 plain Here it doesn't matter which zone is defined first. @@ -287,9 +294,9 @@ loc2 loc1 NONE /etc/shorewall/zones - #ZONE DISPLAY COMMENTS -loc1 Local1 192.168.1.8-192.168.1.15 -loc Local All hosts accessed via eth1 + #ZONE TYPE OPTIONS +loc1 plain +loc plain the sub-zone (loc1) is defined first! @@ -332,9 +339,9 @@ loc1 loc NONE /etc/shorewall/zones - #ZONE DISPLAY COMMENTS -loc Local Local Zone -net Internet The big bad Internet + #ZONE TYPE OPTIONS +loc1 plain +net plain the sub-zone (loc) is defined first! diff --git a/Shorewall-docs2/OPENVPN.xml b/Shorewall-docs2/OPENVPN.xml index bded714e7..b4bb1eb0c 100644 --- a/Shorewall-docs2/OPENVPN.xml +++ b/Shorewall-docs2/OPENVPN.xml @@ -21,7 +21,7 @@ - 2005-08-27 + 2005-08-30 2003 @@ -46,6 +46,13 @@ + + This article applies to Shorewall 3.0 and + later. If you are running a version of Shorewall earlier than Shorewall + 3.0.0 then please see the documentation for that + release. + + OpenVPN is a robust and highly configurable VPN (Virtual Private Network) daemon which can be used to securely link two or more private networks using an encrypted tunnel over the internet. OpenVPN is an Open @@ -97,8 +104,9 @@ /etc/shorewall/zones — Systems A & B - #ZONE DISPLAY COMMENTS -vpn VPN Remote subnet + #ZONE TYPE OPTIONS IN OUT +# OPTIONS OPTIONS +vpn plain On system A, the 10.0.0.0/8 will comprise the
/etc/shorewall/zones — System A: - #ZONE DISPLAY COMMENTS -road Roadwarriors Remote clients + #ZONE TYPE OPTIONS IN OUT +# OPTIONS OPTIONS +road plain
On system A, the remote clients will comprise the
/etc/shorewall/zones — System B: - #ZONE DISPLAY COMMENTS -home Home Home LAN + #ZONE TYPE OPTIONS IN OUT +# OPTIONS OPTIONS +home plain
On system A, the hosts accessible through the tunnel will comprise diff --git a/Shorewall-docs2/PPTP.xml b/Shorewall-docs2/PPTP.xml index 691b12c49..22f8f75ef 100644 --- a/Shorewall-docs2/PPTP.xml +++ b/Shorewall-docs2/PPTP.xml @@ -5,7 +5,7 @@ - PPTP + PPTP - Unmaintained @@ -92,6 +92,11 @@ + + This document is no longer maintained. Any + volunteers? + +
Overview diff --git a/Shorewall-docs2/Shorewall_and_Aliased_Interfaces.xml b/Shorewall-docs2/Shorewall_and_Aliased_Interfaces.xml index 41f87ed72..0c57c613a 100644 --- a/Shorewall-docs2/Shorewall_and_Aliased_Interfaces.xml +++ b/Shorewall-docs2/Shorewall_and_Aliased_Interfaces.xml @@ -15,7 +15,7 @@ - 2005-03-17 + 2005-09-03 2001-2005 @@ -34,6 +34,13 @@ + + This article applies to Shorewall 3.0 and + later. If you are running a version of Shorewall earlier than Shorewall + 3.0.0 then please see the documentation for that + release. + +
Background @@ -265,9 +272,8 @@ ACCEPT net loc:192.168.1.3 tcp 22 In /etc/shorewall/zones: - #ZONE DISPLAY DESCRIPTION -loc Local Local Zone - + #ZONE TYPE OPTIONS +loc plain In /etc/shorewall/interfaces: @@ -285,13 +291,11 @@ loc eth1 192.168.1.255,192.168.20.255 rout separate zones and control the access between them (the users of the systems do not have administrative privileges). - This example applies to Shorewall 1.4.2 and later. - In /etc/shorewall/zones: - #ZONE DISPLAY DESCRIPTION -loc Local Local Zone 1 -loc2 Local2 Local Zone 2 + #ZONE TYPE OPTIONS +loc plain +loc2 plain In /etc/shorewall/interfaces: diff --git a/Shorewall-docs2/Shorewall_and_Kazaa.xml b/Shorewall-docs2/Shorewall_and_Kazaa.xml index 13fcc9097..c4d1e509a 100644 --- a/Shorewall-docs2/Shorewall_and_Kazaa.xml +++ b/Shorewall-docs2/Shorewall_and_Kazaa.xml @@ -15,7 +15,7 @@ - 2005-06-01 + 2005-09-03 2003-2005 @@ -34,6 +34,13 @@ + + This article applies to Shorewall 3.0 and + later. If you are running a version of Shorewall earlier than Shorewall + 3.0.0 then please see the documentation for that + release. + + Beginning with Shorewall version 1.4.8, Shorewall can interface to ftwall. ftwall is part of the p2pwall project and is a @@ -42,8 +49,9 @@ KazaaLite, iMash and Grokster. To filter traffic from your loc zone with ftwall, you - insert the following rules in /etc/shorewall/rules file after any DROP or - REJECT rules whose source is the loc zone. + insert the following rules in the ESTABLISHED section of + /etc/shorewall/rules file after any DROP or REJECT rules whose source is the + loc zone. #ACTION SOURCE DEST PROTO QUEUE loc net tcp diff --git a/Shorewall-docs2/bridge.xml b/Shorewall-docs2/bridge.xml index 66e4744b2..e72ae6088 100755 --- a/Shorewall-docs2/bridge.xml +++ b/Shorewall-docs2/bridge.xml @@ -15,7 +15,7 @@ - 2005-02-22 + 2005-09-03 2004 
@@ -485,9 +485,10 @@ rc-update add bridge boot defined -- one for the internet and one for the local LAN so in /etc/shorewall/zones: - #ZONE DISPLAY COMMENTS -net Net Internet -loc Local Local networks + #ZONE TYPE OPTIONS +fw firewall +net plain +loc plain #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE A conventional two-zone policy file is appropriate here — diff --git a/Shorewall-docs2/ipsets.xml b/Shorewall-docs2/ipsets.xml index 4f057033e..903e9c57c 100644 --- a/Shorewall-docs2/ipsets.xml +++ b/Shorewall-docs2/ipsets.xml @@ -196,8 +196,8 @@ ipset -B Blacklist 206.124.146.177 -b SMTP /etc/shorewall/zones: - #ZONE IPSEC OPTIONS IN OPTIONS OUT OPTIONS -dyn No + #ZONE TYPE OPTIONS IN OPTIONS OUT OPTIONS +dyn plain /etc/shorewall/interfaces: diff --git a/Shorewall-docs2/shorewall_setup_guide.xml b/Shorewall-docs2/shorewall_setup_guide.xml index acbb1b9b1..26981946a 100644 --- a/Shorewall-docs2/shorewall_setup_guide.xml +++ b/Shorewall-docs2/shorewall_setup_guide.xml @@ -15,7 +15,7 @@ - 2005-05-26 + 2005-09-03 2001-2005 @@ -34,6 +34,13 @@ + + This article applies to Shorewall 3.0 and + later. If you are running a version of Shorewall earlier than Shorewall + 3.0.0 then please see the documentation for that + release. + +
Introduction @@ -123,63 +130,28 @@ instructions and some contain default entries. Shorewall views the network where it is running as being composed of - a set of zones. In the default installation, the following zone names are - used: - - - Zones - - - - - Name - - Description - - - - net - - The Internet - - - - loc - - Your Local Network - - - - dmz - - Demilitarized Zone - - - -
+ a set of zones. Zones are defined in the file /etc/shorewall/zones. - Beginning with Shorewall 2.2.0, the - /etc/shorewall/zones file included in the release - is empty. You can create the above set of zones by copying and pasting - the following into the file: + The /etc/shorewall/zones file included in the + release is empty. You can create a standard set of zones by copying and + pasting the following into the file: - net Net Internet -loc Local Local networks -dmz DMZ Demilitarized zone + #ZONE TYPE OPTIONS +fw firewall +net plain +loc plain +dmz plain - Shorewall also recognizes the firewall system as its own zone - by - default, the firewall itself is known as fw but that may be changed in the /etc/shorewall/shorewall.conf - file. In this guide, the default name (fw) will be used. With the exception of fw, Shorewall attaches absolutely no meaning to + Note that Shorewall recognizes the firewall system as its own zone - + The above example follows the usual convention of naming the Firewall zone + fw. In this guide, the name fw will be used. With the exception of the name + assigned to the firewall zone, Shorewall attaches absolutely no meaning to zone names. Zones are entirely what YOU make of them. That means that you should not expect Shorewall to do something special because this is the internet zone or because that is the
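Review bot: The GenericTunnels.xml hunk at @@ -15,7 sets the pubdate to 2003-09-03, which looks like a slip for 2005-09-03: the same commit adds a 2005 copyright year to this file and stamps every other touched article with 2005-09-03.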
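Review bot: The GenericTunnels.xml hunk at @@ -50,7 introduces a typo while rewrapping the paragraph: `/etc/shorewall/tunnels` becomes `/etc/shorwall/tunnels` on the + line. The path is correct in the - line; restore the missing "e" so readers do not copy a non-existent file name.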
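Review bot: In the IPIP.xml hunk at @@ -201,69 the system B interfaces listing is headed `#ZONE INTERFACE BROADCAST` while the system A listing in the same file is headed `#ZONE INTERFACE BROADCAST OPTIONS`. Add the OPTIONS column to the system B header so the two examples show the same file layout.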
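Review bot: In the IPP2P.xml hunk at @@ -62,8 the link text is changed from `/etc/shorewall/routes` to `/etc/shorewall/rules`, but the `url="Shorewall_and_Routing.html"` attribute on the same line is left unchanged, so the link for the rules file still points at the routing article. Update the url to the page that documents /etc/shorewall/rules (or drop the link) to match the new text.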
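Review bot: The IPSEC-2.6.xml hunk at @@ -233,15 rewrites the line "It is redundent to have ipsec in" but keeps the misspelling; since the line is already being touched, change "redundent" to "redundant".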
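Review bot: The IPSEC.xml hunk at @@ -289,57 has a typo in the new caption: `+ /etc/shorewall/hots - System B` should read `/etc/shorewall/hosts - System B`, matching the System A caption two lines above. The unchanged context at the end of this region also carries a pre-existing typo, "you need to elmiinate the remote", that could be fixed to "eliminate" in the same pass.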
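Review bot: In the IPSEC.xml three-gateway example, the system A tunnels listing changes the second gateway address from 134.28.54.2 / 130.152.100.14 (removed table) to `+ipsec net 130.252.100.14`. The conversion from table to programlisting should not alter example values; if the new address is intended, the rest of the example that refers to system C needs to agree, otherwise restore 130.152.100.14.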
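Review bot: The IPSEC.xml hunk at @@ -570,170 defines the second zone as `+vp2 plain`, but the hosts entries (`vpn2 ipsec0:10.1.0.0/16`) and policy entries (`loc vpn2 ACCEPT`, `vpn2 vpn1 ACCEPT`) in the same example use `vpn2`. Correct the zones listing to `vpn2 plain`, otherwise a reader copying the example gets an undefined-zone error.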
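Review bot: The Multiple_Zones.xml hunk at @@ -287,9 drops the address range that the removed COMMENTS column carried (`loc1 Local1 192.168.1.8-192.168.1.15`); the new `loc1 plain` line no longer tells the reader what distinguishes the sub-zone. Keep that information as a `#` comment on the line, or state it in the surrounding prose.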
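Review bot: The Multiple_Zones.xml hunk at @@ -332,9 renames the zone: the removed lines define `loc` and `net`, the added lines define `loc1` and `net`, yet the unchanged context right after the listing still says "the sub-zone (loc) is defined first!". Either keep `loc plain` here or update the sentence and the rest of that example to `loc1`.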
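Review bot: The OPENVPN.xml hunk at @@ -21,7 updates the pubdate to 2005-08-30 while every other article in this commit is stamped 2005-09-03; use the same date here for consistency.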
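Review bot: In the shorewall_setup_guide.xml hunk at @@ -123,63 the replacement paragraph reads "Note that Shorewall recognizes the firewall system as its own zone - The above example follows the usual convention of naming the Firewall zone fw.", which runs two sentences together with a dash. End the first sentence with a period. The removed text also told the reader that the firewall zone name could be changed in /etc/shorewall/shorewall.conf; the new text drops that statement without saying whether it still holds, so either keep the pointer or state that the name is now taken from the zones file.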