More 3.0 doc updates

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2629 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2005-09-03 23:03:06 +00:00
parent 87574c0fe3
commit 71c448e6c7
15 changed files with 288 additions and 1309 deletions

View File

@ -187,16 +187,6 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><link linkend="Ipsec">ipsec</link></term>
<listitem>
<para>a parameter file installed in <filename
class="directory">/etc/shorewall</filename> and used to describe
ipsec policies associated with zones.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><link linkend="Maclist">maclist</link></term> <term><link linkend="Maclist">maclist</link></term>
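Review bot: removing the ipsec varlistentry is consistent with the IPSEC-to-TYPE change in the next hunk, but this entry carried the `<link linkend="Ipsec">` anchor target for the file description; check that no other `linkend="Ipsec"` reference survives in this document, because a dangling linkend fails the DocBook build rather than degrading gracefully.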
@ -423,16 +413,22 @@ NET_OPTIONS=blacklist,norfc1918</programlisting>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>IPSEC</term> <term>TYPE</term>
<listitem> <listitem>
<simplelist> <simplelist>
<member>Yes - All traffic to/from this zone is encrypted.</member> <member><emphasis role="bold">ipsec</emphasis> - All traffic
to/from this zone is encrypted.</member>
<member>No - By default, traffic to/from some of the hosts in this <member><emphasis role="bold">plain</emphasis> - By default,
zone is not encrypted. Any encrypted hosts are designated using traffic to/from some of the hosts in this zone is not encrypted.
the <emphasis role="bold">ipsec</emphasis> option in <link Any encrypted hosts are designated using the <emphasis
role="bold">ipsec</emphasis> option in <link
linkend="Hosts">/etc/shorewall/hosts</link>.</member> linkend="Hosts">/etc/shorewall/hosts</link>.</member>
<member><emphasis role="bold">firewall</emphasis> - Designates the
firewall itself. You must have exactly one 'firewall' zone. No
options are permitted with a 'firewall' zone. </member>
</simplelist> </simplelist>
</listitem> </listitem>
</varlistentry> </varlistentry>
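Review bot: the `plain` description was carried over verbatim from the old `No` text and now reads awkwardly ("By default, traffic to/from some of the hosts in this zone is not encrypted"); the wording used for the same case later in this commit is clearer ("By default, encrypted communication is not used to communicate with the hosts in a zone"), and the two articles should agree. The `firewall` entry could also say that the zone name is whatever FW is set to, since the example below uses `fw`.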
@ -1337,10 +1333,11 @@ loc loc REJECT info</programlisting>
<para><filename>/etc/shorewall/zones</filename>:</para> <para><filename>/etc/shorewall/zones</filename>:</para>
<programlisting>#ZONE DISPLAY COMMENTS <programlisting>#ZONE TYPE OPTION
sam Sam Sam's system at home fw firewall
net Internet The Internet sam plain
loc Local Local Network</programlisting> net plain
loc plain</programlisting>
<para><filename>/etc/shorewall/interfaces</filename>:</para> <para><filename>/etc/shorewall/interfaces</filename>:</para>
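Review bot: the column header in the new zones listing reads `#ZONE TYPE OPTION`, while every other zones listing in this commit uses `#ZONE TYPE OPTIONS`; make this one `OPTIONS` so readers copying the example get the documented column name.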

View File

@ -15,7 +15,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2003-08-09</pubdate> <pubdate>2003-09-03</pubdate>
<copyright> <copyright>
<year>2001</year> <year>2001</year>
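Review bot: the new pubdate `2003-09-03` looks like a typo for `2005-09-03`; the next hunk adds `<year>2005</year>` to the copyright, and every other article touched by this commit gets `<pubdate>2005-09-03</pubdate>`.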
@ -24,6 +24,8 @@
<year>2003</year> <year>2003</year>
<year>2005</year>
<holder>Thomas M. Eastep</holder> <holder>Thomas M. Eastep</holder>
</copyright> </copyright>
@ -33,13 +35,15 @@
1.2 or any later version published by the Free Software Foundation; with 1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para> <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice> </legalnotice>
</articleinfo> </articleinfo>
<para>Shorewall includes built-in support for a wide range of VPN solutions. <para>Shorewall includes built-in support for a wide range of VPN solutions.
If you have need for a tunnel type that does not have explicit support, you If you have need for a tunnel type that does not have explicit support, you
can generally describe the tunneling software using <quote>generic tunnels</quote>.</para> can generally describe the tunneling software using <quote>generic
tunnels</quote>.</para>
<section> <section>
<title>Bridging two Masqueraded Networks</title> <title>Bridging two Masqueraded Networks</title>
@ -50,7 +54,7 @@
<para>We want systems in the 192.168.1.0/24 subnetwork to be able to <para>We want systems in the 192.168.1.0/24 subnetwork to be able to
communicate with the systems in the 10.0.0.0/8 network. This is communicate with the systems in the 10.0.0.0/8 network. This is
accomplished through use of the /etc/shorewall/tunnels file, the accomplished through use of the /etc/shorwall/tunnels file, the
/etc/shorewall/policy file and the /etc/shorewall/tunnel script that is /etc/shorewall/policy file and the /etc/shorewall/tunnel script that is
included with Shorewall.</para> included with Shorewall.</para>
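Review bot: the rewritten line introduces a typo, `/etc/shorwall/tunnels`; the old line had `/etc/shorewall/tunnels` correctly, so this is a regression rather than a carried-over error.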
@ -73,217 +77,44 @@
</orderedlist> </orderedlist>
<para>On each firewall, you will need to declare a zone to represent the <para>On each firewall, you will need to declare a zone to represent the
remote subnet. We&#39;ll assume that this zone is called <quote>vpn</quote> remote subnet. We'll assume that this zone is called <quote>vpn</quote>
and declare it in /etc/shorewall/zones on both systems as follows.</para> and declare it in /etc/shorewall/zones on both systems as follows.</para>
<informaltable> <programlisting>#ZONE TYPE OPTIONS
<tgroup cols="3"> vpn plain</programlisting>
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">DISPLAY</entry> <para>On system A, the 10.0.0.0/8 will comprise the <emphasis
role="bold">vpn</emphasis> zone. In /etc/shorewall/interfaces:</para>
<entry align="center">COMMENTS</entry> <programlisting>#ZONE INTERFACE BROADCAST OPTIONS
</row> vpn tun0 10.255.255.255</programlisting>
</thead>
<tbody>
<row>
<entry>vpn</entry>
<entry>VPN</entry>
<entry>Remote Subnet</entry>
</row>
</tbody>
</tgroup>
</informaltable>
<para>On system A, the 10.0.0.0/8 will comprise the <emphasis role="bold">vpn</emphasis>
zone. In /etc/shorewall/interfaces:</para>
<informaltable>
<tgroup cols="4">
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">INTERFACE</entry>
<entry align="center">BROADCAST</entry>
<entry align="center">OPTIONS</entry>
</row>
</thead>
<tbody>
<row>
<entry>vpn</entry>
<entry>tun0</entry>
<entry>10.255.255.255</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</informaltable>
<para>In /etc/shorewall/tunnels on system A, we need the following:</para> <para>In /etc/shorewall/tunnels on system A, we need the following:</para>
<informaltable> <programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
<tgroup cols="4"> generic:tcp:1071 net 134.28.54.2
<thead> generic:47 net 134.28.54.2</programlisting>
<row>
<entry align="center">TYPE</entry>
<entry align="center">ZONE</entry>
<entry align="center">GATEWAY</entry>
<entry align="center">GATEWAY ZONE</entry>
</row>
</thead>
<tbody>
<row>
<entry>generic:tcp:1071</entry>
<entry>net</entry>
<entry>134.28.54.2</entry>
<entry></entry>
</row>
<row>
<entry>generic:47</entry>
<entry>net</entry>
<entry>134.28.54.2</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</informaltable>
<para>These entries in /etc/shorewall/tunnels, opens the firewall so that <para>These entries in /etc/shorewall/tunnels, opens the firewall so that
TCP port 1071 and the Generalized Routing Encapsulation Protocol (47) will TCP port 1071 and the Generalized Routing Encapsulation Protocol (47) will
be accepted to/from the remote gateway.</para> be accepted to/from the remote gateway.</para>
<informaltable> <programlisting>#ZONE INTERFACE BROADCAST OPTIONS
<tgroup cols="4"> vpn tun0 192.168.1.255</programlisting>
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">INTERFACE</entry>
<entry align="center">BROADCAST</entry>
<entry align="center">OPTIONS</entry>
</row>
</thead>
<tbody>
<row>
<entry>vpn</entry>
<entry>tun0</entry>
<entry>192.168.1.255</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</informaltable>
<para>In /etc/shorewall/tunnels on system B, we have:</para> <para>In /etc/shorewall/tunnels on system B, we have:</para>
<informaltable> <programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
<tgroup cols="4"> generic:tcp:1071 net 206.191.148.9
<thead> generic:47 net 206.191.148.9</programlisting>
<row>
<entry align="center">TYPE</entry>
<entry align="center">ZONE</entry>
<entry align="center">GATEWAY</entry>
<entry align="center">GATEWAY ZONE</entry>
</row>
</thead>
<tbody>
<row>
<entry>generic:tcp:1071</entry>
<entry>net</entry>
<entry>206.191.148.9</entry>
<entry></entry>
</row>
<row>
<entry>generic:47</entry>
<entry>net</entry>
<entry>134.28.54.2</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</informaltable>
<para>You will need to allow traffic between the <quote>vpn</quote> zone <para>You will need to allow traffic between the <quote>vpn</quote> zone
and the <quote>loc</quote> zone on both systems -- if you simply want to and the <quote>loc</quote> zone on both systems -- if you simply want to
admit all traffic in both directions, you can use the policy file:</para> admit all traffic in both directions, you can use the policy file:</para>
<informaltable> <programlisting>#SOURCE DEST POLICY LOG LEVEL
<tgroup cols="4"> loc vpn ACCEPT
<thead> vpn loc ACCEPT</programlisting>
<row>
<entry align="center">SOURCE</entry>
<entry align="center">DEST</entry>
<entry align="center">POLICY</entry>
<entry align="center">LOG LEVEL</entry>
</row>
</thead>
<tbody>
<row>
<entry>loc</entry>
<entry>vpn</entry>
<entry>ACCEPT</entry>
<entry></entry>
</row>
<row>
<entry>vpn</entry>
<entry>loc</entry>
<entry>ACCEPT</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</informaltable>
<para>On both systems, restart Shorewall and start your VPN software on <para>On both systems, restart Shorewall and start your VPN software on
each system. The systems in the two masqueraded subnetworks can now talk each system. The systems in the two masqueraded subnetworks can now talk
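Review bot: the second interfaces listing (`vpn tun0 192.168.1.255`) follows the sentence about TCP 1071 and GRE with no lead-in saying it is system B's /etc/shorewall/interfaces, so it reads as a second listing for system A; add the sentence the sibling article uses ("Similarly, on system B the 192.168.1.0/24 subnet will comprise the vpn zone. In /etc/shorewall/interfaces:"). The GATEWAY on system B's `generic:47` line changing from 134.28.54.2 to 206.191.148.9 is a correct fix of the old table, which mixed the two gateways. While touching the unchanged context, "These entries in /etc/shorewall/tunnels, opens the firewall" should read "These entries in /etc/shorewall/tunnels open the firewall".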

View File

@ -15,7 +15,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2004-05-22</pubdate> <pubdate>2005-09-03</pubdate>
<copyright> <copyright>
<year>2001</year> <year>2001</year>
@ -26,6 +26,8 @@
<year>2004</year> <year>2004</year>
<year>2005</year>
<holder>Thomas M. Eastep</holder> <holder>Thomas M. Eastep</holder>
</copyright> </copyright>
@ -35,7 +37,8 @@
1.2 or any later version published by the Free Software Foundation; with 1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para> <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice> </legalnotice>
</articleinfo> </articleinfo>
@ -48,11 +51,11 @@
masqueraded networks.</para> masqueraded networks.</para>
<para>The simple scripts described in the <citetitle><ulink <para>The simple scripts described in the <citetitle><ulink
url="http://ds9a.nl/lartc">Linux Advanced Routing and Shaping HOWTO</ulink></citetitle> url="http://ds9a.nl/lartc">Linux Advanced Routing and Shaping
work fine with Shorewall. Shorewall also includes a tunnel script for HOWTO</ulink></citetitle> work fine with Shorewall. Shorewall also includes
automating tunnel configuration. If you have installed the RPM, the tunnel a tunnel script for automating tunnel configuration. If you have installed
script may be found in the Shorewall documentation directory (usually the RPM, the tunnel script may be found in the Shorewall documentation
/usr/share/doc/shorewall-&#60;version&#62;/).</para> directory (usually /usr/share/doc/shorewall-&lt;version&gt;/).</para>
<section> <section>
<title>Bridging two Masqueraded Networks</title> <title>Bridging two Masqueraded Networks</title>
@ -71,10 +74,11 @@
by default -- If you install using the tarball, the script is included in by default -- If you install using the tarball, the script is included in
the tarball; if you install using the RPM, the file is in your Shorewall the tarball; if you install using the RPM, the file is in your Shorewall
documentation directory (normally documentation directory (normally
/usr/share/doc/shorewall-&#60;version&#62;).</para> /usr/share/doc/shorewall-&lt;version&gt;).</para>
<para>In the /etc/shorewall/tunnel script, set the <quote>tunnel_type</quote> <para>In the /etc/shorewall/tunnel script, set the
parameter to the type of tunnel that you want to create.</para> <quote>tunnel_type</quote> parameter to the type of tunnel that you want
to create.</para>
<example> <example>
<title>/etc/shorewall/tunnel</title> <title>/etc/shorewall/tunnel</title>
@ -85,106 +89,31 @@
<warning> <warning>
<para>If you use the PPTP connection tracking modules from Netfilter <para>If you use the PPTP connection tracking modules from Netfilter
Patch-O-Matic (ip_conntrack_proto_gre ip_conntrack_pptp, Patch-O-Matic (ip_conntrack_proto_gre ip_conntrack_pptp,
ip_nat_proto_gre and ip_nat_pptp) then you cannot use GRE tunnels.</para> ip_nat_proto_gre and ip_nat_pptp) then you cannot use GRE
tunnels.</para>
</warning> </warning>
<para>On each firewall, you will need to declare a zone to represent the <para>On each firewall, you will need to declare a zone to represent the
remote subnet. We&#39;ll assume that this zone is called <quote>vpn</quote> remote subnet. We'll assume that this zone is called <quote>vpn</quote>
and declare it in /etc/shorewall/zones on both systems as follows.</para> and declare it in /etc/shorewall/zones on both systems as follows.</para>
<table> <programlisting>#ZONE TYPE OPTIONS
<title>/etc/shorewall/zones system A &#38; B</title> vpn plain</programlisting>
<tgroup cols="3"> <para>On system A, the 10.0.0.0/8 will comprise the <emphasis
<thead> role="bold">vpn</emphasis> zone. In /etc/shorewall/interfaces:</para>
<row>
<entry align="center">ZONE</entry>
<entry align="center">DISPLAY</entry> <programlisting>#ZONE INTERFACE BROADCAST OPTIONS
vpn tosysb 10.255.255.255</programlisting>
<entry align="center">COMMENTS</entry>
</row>
</thead>
<tbody>
<row>
<entry>vpn</entry>
<entry>VPN</entry>
<entry>Remote Subnet</entry>
</row>
</tbody>
</tgroup>
</table>
<para>On system A, the 10.0.0.0/8 will comprise the <emphasis role="bold">vpn</emphasis>
zone. In /etc/shorewall/interfaces:</para>
<table>
<title>/etc/shorewall/interfaces system A</title>
<tgroup cols="4">
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">INTERFACE</entry>
<entry align="center">BROADCAST</entry>
<entry align="center">OPTIONS</entry>
</row>
</thead>
<tbody>
<row>
<entry>vpn</entry>
<entry>tosysb</entry>
<entry>10.255.255.255</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<para>In /etc/shorewall/tunnels on system A, we need the following:</para> <para>In /etc/shorewall/tunnels on system A, we need the following:</para>
<table> <programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
<title>/etc/shorewall/tunnels system A</title> ipip net 134.28.54.2</programlisting>
<tgroup cols="4">
<thead>
<row>
<entry align="center">TYPE</entry>
<entry align="center">ZONE</entry>
<entry align="center">GATEWAY</entry>
<entry align="center">GATEWAY ZONE</entry>
</row>
</thead>
<tbody>
<row>
<entry>ipip</entry>
<entry>net</entry>
<entry>134.28.54.2</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<para>This entry in /etc/shorewall/tunnels, opens the firewall so that the <para>This entry in /etc/shorewall/tunnels, opens the firewall so that the
IP encapsulation protocol (4) will be accepted to/from the remote gateway.</para> IP encapsulation protocol (4) will be accepted to/from the remote
gateway.</para>
<para>In the tunnel script on system A:</para> <para>In the tunnel script on system A:</para>
@ -201,69 +130,16 @@ subnet=10.0.0.0/8
</example> </example>
<para>Similarly, On system B the 192.168.1.0/24 subnet will comprise the <para>Similarly, On system B the 192.168.1.0/24 subnet will comprise the
<emphasis role="bold">vpn</emphasis> zone. In /etc/shorewall/interfaces:</para> <emphasis role="bold">vpn</emphasis> zone. In
/etc/shorewall/interfaces:</para>
<table> <programlisting>#ZONE INTERFACE BROADCAST
<title>/etc/shorewall/interfaces system B</title> vpn tosysa 192.168.1.255</programlisting>
<tgroup cols="4">
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">INTERFACE</entry>
<entry align="center">BROADCAST</entry>
<entry align="center">OPTIONS</entry>
</row>
</thead>
<tbody>
<row>
<entry>vpn</entry>
<entry>tosysa</entry>
<entry>192.168.1.255</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<para>In /etc/shorewall/tunnels on system B, we have:</para> <para>In /etc/shorewall/tunnels on system B, we have:</para>
<table> <programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
<title>/etc/shorewall/tunnels system B</title> ipip net 206.191.148.9</programlisting>
<tgroup cols="4">
<thead>
<row>
<entry align="center">TYPE</entry>
<entry align="center">ZONE</entry>
<entry align="center">GATEWAY</entry>
<entry align="center">GATEWAY ZONE</entry>
</row>
</thead>
<tbody>
<row>
<entry>ipip</entry>
<entry>net</entry>
<entry>206.191.148.9</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<para>And in the tunnel script on system B:</para> <para>And in the tunnel script on system B:</para>
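Review bot: the system B interfaces header is `#ZONE INTERFACE BROADCAST`, while the system A listing earlier in this hunk sequence is `#ZONE INTERFACE BROADCAST OPTIONS`; add the OPTIONS column to system B so the two listings match and readers do not conclude the column is optional on one side only.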
@ -285,45 +161,9 @@ subnet=192.168.1.0/24</programlisting>
and the <quote>loc</quote> zone on both systems -- if you simply want to and the <quote>loc</quote> zone on both systems -- if you simply want to
admit all traffic in both directions, you can use the policy file:</para> admit all traffic in both directions, you can use the policy file:</para>
<table> <programlisting>#SOURCE DEST POLICY LOG LEVEL
<title>/etc/shorewall/policy system A &#38; B</title> loc vpn ACCEPT
vpn loc ACCEPT</programlisting>
<tgroup cols="4">
<thead>
<row>
<entry align="center">SOURCE</entry>
<entry align="center">DEST</entry>
<entry align="center">POLICY</entry>
<entry align="center">LOG LEVEL</entry>
</row>
</thead>
<tbody>
<row>
<entry>loc</entry>
<entry>vpn</entry>
<entry>ACCEPT</entry>
<entry></entry>
</row>
<row>
<entry>vpn</entry>
<entry>loc</entry>
<entry>ACCEPT</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<para>On both systems, restart Shorewall and run the modified tunnel <para>On both systems, restart Shorewall and run the modified tunnel
script with the <quote>start</quote> argument on each system. The systems script with the <quote>start</quote> argument on each system. The systems

View File

@ -15,7 +15,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2005-06-02</pubdate> <pubdate>2005-09-03</pubdate>
<copyright> <copyright>
<year>2004</year> <year>2004</year>
@ -62,8 +62,9 @@
url="Accounting.html">/etc/shorewall/accounting</ulink></member> url="Accounting.html">/etc/shorewall/accounting</ulink></member>
<member><ulink <member><ulink
url="Shorewall_and_Routing.html">/etc/shorewall/routes</ulink> (2.3.2 url="Shorewall_and_Routing.html">/etc/shorewall/rules</ulink> (Recommend
and later)</member> that you place the rules in the ESTABLISHED section of that
file).</member>
</simplelist> </simplelist>
<para>When the PROTO or PROTOCOL column contains "ipp2p" then the DEST <para>When the PROTO or PROTOCOL column contains "ipp2p" then the DEST
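Review bot: "(Recommend that you place the rules in the ESTABLISHED section of that file)" is a sentence fragment inside the list item; suggest "(it is recommended that you place these rules in the ESTABLISHED section of that file)". Since this replaces the /etc/shorewall/routes entry outright, a short sentence telling 2.x readers where the routes functionality went would help.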

View File

@ -15,7 +15,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2005-08-30</pubdate> <pubdate>2005-09-03</pubdate>
<copyright> <copyright>
<year>2004</year> <year>2004</year>
@ -210,19 +210,19 @@
<para>Encrypted communication is used to/from all hosts in a <para>Encrypted communication is used to/from all hosts in a
zone.</para> zone.</para>
<para>The value <emphasis role="bold">Yes</emphasis> is placed in the <para>The value <emphasis role="bold">ipsec</emphasis> is placed in
IPSEC column of the <filename>/etc/shorewall/ipsec</filename> entry the TYPE column of the <filename>/etc/shorewall/zones</filename> entry
for the zone.</para> for the zone.</para>
</listitem> </listitem>
<listitem> <listitem>
<para>Encrypted communication is used to/from only part of the hosts <para>By default, encrypted communication is not used to communicate
in a zone.</para> with the hosts in a zone.</para>
<para>The value <emphasis role="bold">No</emphasis> is placed in the <para>The value <emphasis role="bold">plain</emphasis> is placed in
IPSEC column of the <filename>/etc/shorewall/ipsec</filename> entry the TYPE column of the <filename>/etc/shorewall/zones</filename> entry
for the zone and the new <emphasis role="bold">ipsec</emphasis> option for the zone and the new <emphasis role="bold">ipsec</emphasis> option
is specified in <filename>/etc/shorewall/hosts</filename> for those is specified in <filename>/etc/shorewall/hosts</filename> for any
hosts requiring secure communication.</para> hosts requiring secure communication.</para>
</listitem> </listitem>
</orderedlist> </orderedlist>
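Review bot: "the new ipsec option" is stale now that the article is being rewritten for 3.0 and the option is the only mechanism documented; drop "new" so the text does not date itself.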
@ -233,15 +233,15 @@
</note> </note>
<note> <note>
<para>It is redundent to have <emphasis role="bold">Yes</emphasis> in <para>It is redundent to have <emphasis role="bold">ipsec</emphasis> in
the IPSEC column of the <filename>/etc/shorewall/ipsec</filename> entry the TYPE column of the <filename>/etc/shorewall/zones</filename> entry
for a zone and to also have the <emphasis role="bold">ipsec</emphasis> for a zone and to also have the <emphasis role="bold">ipsec</emphasis>
option in <filename>/etc/shorewall/hosts</filename> entries for that option in <filename>/etc/shorewall/hosts</filename> entries for that
zone.</para> zone.</para>
</note> </note>
<para>Finally, the OPTIONS, IN OPTIONS and OUT OPTIONS columns in <para>Finally, the OPTIONS, IN OPTIONS and OUT OPTIONS columns in
/etc/shorewall/ipsec can be used to match the zone to a particular (set /etc/shorewall/zones can be used to match the zone to a particular (set
of) SA(s) used to encrypt and decrypt traffic to/from the zone and the of) SA(s) used to encrypt and decrypt traffic to/from the zone and the
security policies that select which traffic to encrypt/decrypt.</para> security policies that select which traffic to encrypt/decrypt.</para>
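Review bot: "redundent" survives on both sides of this hunk even though the line is being edited; fix it to "redundant" here rather than in a later pass.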
@ -319,10 +319,10 @@ ipsec net 206.162.148.9
<para><filename>/etc/shorewall/zones</filename> — Systems A and <para><filename>/etc/shorewall/zones</filename> — Systems A and
B:</para> B:</para>
<programlisting>#ZONE IPSEC OPTIONS IN OUT <programlisting>#ZONE TYPE OPTIONS IN OUT
# ONLY OPTIONS OPTIONS # OPTIONS OPTIONS
vpn No vpn plain
net No net plain
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</blockquote> </blockquote>
@ -472,9 +472,9 @@ sainfo address 192.168.1.0/24 any address 134.28.54.2/32 any
through an ESP tunnel then the following entry would be through an ESP tunnel then the following entry would be
appropriate:</para> appropriate:</para>
<programlisting>#ZONE IPSEC OPTIONS IN OUT <programlisting>#ZONE TYPE OPTIONS IN OUT
# ONLY OPTIONS OPTIONS # OPTIONS OPTIONS
sec yes mode=tunnel <emphasis role="bold">mss=1400</emphasis></programlisting> sec ipsec mode=tunnel <emphasis role="bold">mss=1400</emphasis></programlisting>
<para>Note that CLAMPMSS=Yes in <filename>shorewall.conf</filename> <para>Note that CLAMPMSS=Yes in <filename>shorewall.conf</filename>
isn't effective with the 2.6 native IPSEC implementation because there isn't effective with the 2.6 native IPSEC implementation because there
@ -503,11 +503,11 @@ sec yes mode=tunnel <emphasis role="bold">mss=1400</emphasis
<blockquote> <blockquote>
<para>/etc/shorewall/zones — System A</para> <para>/etc/shorewall/zones — System A</para>
<programlisting>#ZONE IPSEC OPTIONS IN OUT <programlisting>#ZONE TYPE OPTIONS IN OUT
# ONLY OPTIONS OPTIONS # OPTIONS OPTIONS
vpn Yes vpn ipsec
net No net plain
loc No loc plain
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</blockquote> </blockquote>
@ -546,11 +546,11 @@ vpn eth0:0.0.0.0/0
<blockquote> <blockquote>
<para>/etc/shorewall/zones - System B:</para> <para>/etc/shorewall/zones - System B:</para>
<programlisting>#ZONE IPSEC OPTIONS IN OUT <programlisting>#ZONE TYPE OPTIONS IN OUT
# ONLY OPTIONS OPTIONS # OPTIONS OPTIONS
vpn Yes vpn ipsec
net No net plain
loc No loc plain
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
<para>/etc/shorewall/tunnels - System B:</para> <para>/etc/shorewall/tunnels - System B:</para>
@ -759,10 +759,10 @@ ipsec:noah net 192.168.20.0/24 loc</programlisting>
<para>/etc/shorewall/zones:</para> <para>/etc/shorewall/zones:</para>
<programlisting>#ZONE IPSEC OPTIONS IN OUT <programlisting>#ZONE TYPE OPTIONS IN OUT
# ONLY OPTIONS OPTIONS # OPTIONS OPTIONS
loc Yes mode=transport loc ipsec mode=transport
net</programlisting> net plain</programlisting>
<para><filename>/etc/shorewall/hosts</filename>:</para> <para><filename>/etc/shorewall/hosts</filename>:</para>

View File

@ -15,7 +15,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2005-08-20</pubdate> <pubdate>2005-09-03</pubdate>
<copyright> <copyright>
<year>2001-2005</year> <year>2001-2005</year>
@ -34,6 +34,13 @@
</legalnotice> </legalnotice>
</articleinfo> </articleinfo>
<caution>
<para><emphasis role="bold">This article applies to Shorewall 3.0 and
later. If you are running a version of Shorewall earlier than Shorewall
3.0.0 then please see the documentation for that
release.</emphasis></para>
</caution>
<important> <important>
<para>The information in this article is only applicable if you plan to <para>The information in this article is only applicable if you plan to
have IPSEC end-points on the same system where Shorewall is used.</para> have IPSEC end-points on the same system where Shorewall is used.</para>
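Review bot: the new caution ("This article applies to Shorewall 3.0 and later...") is added only to this article, yet the VPN and tunnel articles converted earlier in this commit now show zones files in the `#ZONE TYPE OPTIONS` format, which a 2.x Shorewall cannot parse; add the same caution to each article whose examples were converted.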
@ -67,13 +74,6 @@
recommend that you consult that site for information about configuring recommend that you consult that site for information about configuring
FreeS/Wan.</para> FreeS/Wan.</para>
<warning>
<para>IPSEC and Proxy ARP do not work unless you are running Shorewall
2.0.1 Beta 3 or later or unless you have installed the fix to Shorewall
2.0.0 available from the <ulink url="errata.htm">Errata
Page</ulink>.</para>
</warning>
<important> <important>
<para>The documentation below assumes that you have disabled <para>The documentation below assumes that you have disabled
opportunistic encryption feature in FreeS/Wan 2.0 using the following opportunistic encryption feature in FreeS/Wan 2.0 using the following
@ -131,67 +131,13 @@ conn packetdefault
<para>In /etc/shorewall/tunnels on system A, we need the following</para> <para>In /etc/shorewall/tunnels on system A, we need the following</para>
<table> <programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
<title>/etc/shorewall/tunnels - System A</title> ipsec net 134.28.54.2</programlisting>
<tgroup cols="4">
<thead>
<row>
<entry align="center">TYPE</entry>
<entry align="center">ZONE</entry>
<entry align="center">GATEWAY</entry>
<entry align="center">GATEWAY ZONE</entry>
</row>
</thead>
<tbody>
<row>
<entry>ipsec</entry>
<entry>net</entry>
<entry>134.28.54.2</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<para>In /etc/shorewall/tunnels on system B, we would have:</para> <para>In /etc/shorewall/tunnels on system B, we would have:</para>
<table> <programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
<title>/etc/shorewall/tunnels - System B</title> ipsec net 206.161.148.9</programlisting>
<tgroup cols="4">
<thead>
<row>
<entry align="center">TYPE</entry>
<entry align="center">ZONE</entry>
<entry align="center">GATEWAY</entry>
<entry align="center">GATEWAY ZONE</entry>
</row>
</thead>
<tbody>
<row>
<entry>ipsec</entry>
<entry>net</entry>
<entry>206.161.148.9</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<note> <note>
<para>If either of the endpoints is behind a NAT gateway then the <para>If either of the endpoints is behind a NAT gateway then the
@ -206,72 +152,19 @@ conn packetdefault
zone called <quote>vpn</quote> to represent the remote subnet. Note that zone called <quote>vpn</quote> to represent the remote subnet. Note that
you should define the vpn zone before the net zone.</para> you should define the vpn zone before the net zone.</para>
<para><table> <para>/etc/shorewall/zones (both systems):</para>
<title>/etc/shorewall/zones - Systems A and B</title>
<tgroup cols="3"> <programlisting>#ZONE TYPE OPTIONS
<thead> vpn plain
<row> net plain</programlisting>
<entry align="center">ZONE</entry>
<entry align="center">DISPLAY</entry>
<entry align="center">COMMENTS</entry>
</row>
</thead>
<tbody>
<row>
<entry>vpn</entry>
<entry>VPN</entry>
<entry>Remote Subnet</entry>
</row>
<row>
<entry>net</entry>
<entry>Internet</entry>
<entry>The big bad internet</entry>
</row>
</tbody>
</tgroup>
</table></para>
<para><emphasis role="bold">If you are running kernel <para><emphasis role="bold">If you are running kernel
2.4:</emphasis><blockquote> 2.4:</emphasis><blockquote>
<para>At both systems, ipsec0 would be included in <para>At both systems, ipsec0 would be included in
/etc/shorewall/interfaces as a <quote>vpn</quote> interface:</para> /etc/shorewall/interfaces as a <quote>vpn</quote> interface:</para>
<para><table> <programlisting>#ZONE INTERFACE BROADCAST OPTIONS
<title>/etc/shorewall/interfaces - Systems A and B</title> vpn ipsec0</programlisting>
<tgroup cols="4">
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">INTERFACE</entry>
<entry align="center">BROADCAST</entry>
<entry align="center">OPTIONS</entry>
</row>
</thead>
<tbody>
<row>
<entry>vpn</entry>
<entry>ipsec0</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table></para>
</blockquote></para> </blockquote></para>
<para><emphasis role="bold">If you are running kernel <para><emphasis role="bold">If you are running kernel
@ -289,57 +182,15 @@ conn packetdefault
<para>You must define the vpn zone using the /etc/shorewall/hosts <para>You must define the vpn zone using the /etc/shorewall/hosts
file.</para> file.</para>
<table> <para>/etc/shorewall/hosts - System A</para>
<title>/etc/shorewall/hosts - System A</title>
<tgroup cols="3"> <programlisting>#ZONE HOSTS OPTIONS
<thead> vpn eth0:10.0.0.0/8</programlisting>
<row>
<entry>ZONE</entry>
<entry>HOSTS</entry> <para>/etc/shorewall/hots - System B</para>
<entry>OPTIONS</entry> <programlisting>#ZONE HOSTS OPTIONS
</row> vpn eth0:192.168.1.0/24</programlisting>
</thead>
<tbody>
<row>
<entry>vpn</entry>
<entry>eth0:10.0.0.0/8</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<table>
<title>/etc/shorewall/hosts - System B</title>
<tgroup cols="3">
<thead>
<row>
<entry>ZONE</entry>
<entry>HOSTS</entry>
<entry>OPTIONS</entry>
</row>
</thead>
<tbody>
<row>
<entry>vpn</entry>
<entry>eth0:192.168.1.0/24</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<para>In addition, <emphasis role="bold">if you are using Masquerading <para>In addition, <emphasis role="bold">if you are using Masquerading
or SNAT</emphasis> on your firewalls, you need to elmiinate the remote or SNAT</emphasis> on your firewalls, you need to elmiinate the remote
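Review bot: the new heading `/etc/shorewall/hots - System B` has a typo for `hosts`; the system A heading two lines above is spelled correctly. The unchanged context below also carries "elmiinate", which should be "eliminate" since the paragraph is being reworked anyway.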
@ -347,102 +198,26 @@ conn packetdefault
role="bold">replace</emphasis> your current masquerade/SNAT entries for role="bold">replace</emphasis> your current masquerade/SNAT entries for
the local networks.</para> the local networks.</para>
<table> <para>/etc/shorewall/masq - System A</para>
<title>/etc/shorewall/masq - System A</title>
<tgroup cols="3"> <programlisting>#INTERFACE SUBNET ADDRESS
<thead> eth0:!10.0.0.0/8 192.168.1.0/24</programlisting>
<row>
<entry>INTERFACE</entry>
<entry>SUBNET</entry> <para>/etc/shorewall/masq - System B</para>
<entry>ADDRESS</entry> <programlisting>#INTERFACE SUBNET ADDRESS
</row> eth0:!192.168.1.0/24 10.0.0.0/8</programlisting>
</thead>
<tbody>
<row>
<entry>eth0:!10.0.0.0/8</entry>
<entry>192.168.1.0/24</entry>
<entry>...</entry>
</row>
</tbody>
</tgroup>
</table>
<table>
<title>/etc/shorewall/masq System B</title>
<tgroup cols="3">
<thead>
<row>
<entry>INTERFACE</entry>
<entry>SUBNET</entry>
<entry>ADDRESS</entry>
</row>
</thead>
<tbody>
<row>
<entry>eth0:!192.168.1.0/24</entry>
<entry>10.0.0.0/8</entry>
<entry>...</entry>
</row>
</tbody>
</tgroup>
</table>
</blockquote> </blockquote>
<para>You will need to allow traffic between the <quote>vpn</quote> zone <para>You will need to allow traffic between the <quote>vpn</quote> zone
and the <quote>loc</quote> zone -- if you simply want to admit all traffic and the <quote>loc</quote> zone -- if you simply want to admit all traffic
in both directions, you can use the policy file:</para> in both directions, you can use the policy file:</para>
<para><table> <programlisting>#SOURCE DEST POLICY LOG LEVEL
<title>/etc/shorewall/policy - Systems A and B</title> loc vpn ACCEPT
vpn loc ACCEPT</programlisting>
<tgroup cols="4"> <para></para>
<thead>
<row>
<entry align="center">SOURCE</entry>
<entry align="center">DEST</entry>
<entry align="center">POLICY</entry>
<entry align="center">LOG LEVEL</entry>
</row>
</thead>
<tbody>
<row>
<entry>loc</entry>
<entry>vpn</entry>
<entry>ACCEPT</entry>
<entry></entry>
</row>
<row>
<entry>vpn</entry>
<entry>loc</entry>
<entry>ACCEPT</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table></para>
<para>Once you have these entries in place, restart Shorewall (type <para>Once you have these entries in place, restart Shorewall (type
shorewall restart); you are now ready to configure the tunnel in <ulink shorewall restart); you are now ready to configure the tunnel in <ulink
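Review bot: The policy listing on the new side lost its caption and left an empty paragraph behind. The removed table was titled "/etc/shorewall/policy - Systems A and B", but the replacement programlisting has no `<para>` caption (the masq listings earlier in this hunk do), and the trailing `<para></para>` is an empty element that renders as a blank paragraph. Suggest adding `<para>/etc/shorewall/policy - Systems A and B</para>` before the listing and dropping the empty `<para></para>`.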
@ -487,77 +262,14 @@ conn packetdefault
<para>In /etc/shorewall/tunnels on system A, we need the following</para> <para>In /etc/shorewall/tunnels on system A, we need the following</para>
<table> <programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
<title>/etc/shorewall/tunnels system A</title> ipsec net 134.28.54.2
ipsec net 130.252.100.14</programlisting>
<tgroup cols="4">
<thead>
<row>
<entry align="center">TYPE</entry>
<entry align="center">ZONE</entry>
<entry align="center">GATEWAY</entry>
<entry align="center">GATEWAY ZONE</entry>
</row>
</thead>
<tbody>
<row>
<entry>ipsec</entry>
<entry>net</entry>
<entry>134.28.54.2</entry>
<entry></entry>
</row>
<row>
<entry>ipsec</entry>
<entry>net</entry>
<entry>130.152.100.14</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<para>In /etc/shorewall/tunnels on systems B and C, we would have:</para> <para>In /etc/shorewall/tunnels on systems B and C, we would have:</para>
<table> <programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
<title>/etc/shorewall/tunnels system B &amp; C</title> ipsec net 206.161.148.9</programlisting>
<tgroup cols="4">
<thead>
<row>
<entry align="center">TYPE</entry>
<entry align="center">ZONE</entry>
<entry align="center">GATEWAY</entry>
<entry align="center">GATEWAY ZONE</entry>
</row>
</thead>
<tbody>
<row>
<entry>ipsec</entry>
<entry>net</entry>
<entry>206.161.148.9</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<note> <note>
<para>If either of the endpoints is behind a NAT gateway then the <para>If either of the endpoints is behind a NAT gateway then the
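Review bot: The second gateway address in the System A tunnels listing changed during the table-to-programlisting conversion: the removed table row had `130.152.100.14` while the new listing has `130.252.100.14`. If the old value was the intended one, restore it; if this is a deliberate correction, it is worth mentioning in the commit message, since readers who copied the old example will otherwise be confused by the silent change.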
@ -570,170 +282,33 @@ conn packetdefault
<para>On each system, we will create a zone to represent the remote <para>On each system, we will create a zone to represent the remote
networks. On System A:</para> networks. On System A:</para>
<table> <programlisting>#ZONE TYPE OPTIONS
<title>/etc/shorewall/zones system A</title> vpn1 plain
vp2 plain</programlisting>
<tgroup cols="3">
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">DISPLAY</entry>
<entry align="center">COMMENTS</entry>
</row>
</thead>
<tbody>
<row>
<entry>vpn1</entry>
<entry>VPN1</entry>
<entry>Remote Subnet on system B</entry>
</row>
<row>
<entry>vpn2</entry>
<entry>VPN2</entry>
<entry>Remote Subnet on system C</entry>
</row>
</tbody>
</tgroup>
</table>
<para>On systems B and C:</para> <para>On systems B and C:</para>
<table> <programlisting>#ZONE TYPE OPTIONS
<title>/etc/shorewall/zones system B &amp; C</title> vpn plain</programlisting>
<tgroup cols="3">
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">DISPLAY</entry>
<entry align="center">COMMENTS</entry>
</row>
</thead>
<tbody>
<row>
<entry>vpn</entry>
<entry>VPN</entry>
<entry>Remote Subnet on system A</entry>
</row>
</tbody>
</tgroup>
</table>
<para>At system A, ipsec0 represents two zones so we have the following in <para>At system A, ipsec0 represents two zones so we have the following in
/etc/shorewall/interfaces:</para> /etc/shorewall/interfaces:</para>
<table> <programlisting>#ZONE INTERFACE BROADCAST OPTIONS
<title>/etc/shorewall/interfaces system A</title> - ipsec0</programlisting>
<tgroup cols="4">
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">INTERFACE</entry>
<entry align="center">BROADCAST</entry>
<entry align="center">OPTIONS</entry>
</row>
</thead>
<tbody>
<row>
<entry>-</entry>
<entry>ipsec0</entry>
<entry></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<para>The /etc/shorewall/hosts file on system A defines the two VPN <para>The /etc/shorewall/hosts file on system A defines the two VPN
zones:</para> zones:</para>
<table> <programlisting>#ZONE HOSTS OPTIONS
<title>/etc/shorewall/hosts system A</title> vpn1 ipsec0:10.0.0.0/16
vpn2 ipsec0:10.1.0.0/16</programlisting>
<tgroup cols="3">
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">HOSTS</entry>
<entry align="center">OPTIONS</entry>
</row>
</thead>
<tbody>
<row>
<entry>vpn1</entry>
<entry>ipsec0:10.0.0.0/16</entry>
<entry></entry>
</row>
<row>
<entry>vpn2</entry>
<entry>ipsec0:10.1.0.0/16</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<para>At systems B and C, ipsec0 represents a single zone so we have the <para>At systems B and C, ipsec0 represents a single zone so we have the
following in /etc/shorewall/interfaces:</para> following in /etc/shorewall/interfaces:</para>
<table> <programlisting>#ZONE INTERFACE BROADCAST OPTIONS
<title>/etc/shorewall/interfaces system B &amp; C</title> vpn ipsec0</programlisting>
<tgroup cols="4">
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">INTERFACE</entry>
<entry align="center">BROADCAST</entry>
<entry align="center">OPTIONS</entry>
</row>
</thead>
<tbody>
<row>
<entry>vpn</entry>
<entry>ipsec0</entry>
<entry></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<para>On systems A, you will need to allow traffic between the <para>On systems A, you will need to allow traffic between the
<quote>vpn1</quote> zone and the <quote>loc</quote> zone as well as <quote>vpn1</quote> zone and the <quote>loc</quote> zone as well as
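Review bot: The System A zones listing contains `vp2 plain`, which should be `vpn2 plain`: the hosts listing later in the same hunk assigns `ipsec0:10.1.0.0/16` to `vpn2`, so as written that zone name would be undefined. The DISPLAY/COMMENTS text from the removed tables ("Remote Subnet on system B", "Remote Subnet on system C") could be kept as trailing `#` comments on the new entries so the reader still sees which remote subnet each zone represents.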
@ -741,110 +316,22 @@ conn packetdefault
simply want to admit all traffic in both directions, you can use the simply want to admit all traffic in both directions, you can use the
following policy file entries on all three gateways:</para> following policy file entries on all three gateways:</para>
<table> <programlisting>#SOURCE DEST POLICY LOG LEVEL
<title>/etc/shorewall/policy system A</title> loc vpn1 ACCEPT
vpn1 loc ACCEPT
<tgroup cols="4"> loc vpn2 ACCEPT
<thead> vpn2 loc ACCEPT</programlisting>
<row>
<entry align="center">SOURCE</entry>
<entry align="center">DEST</entry>
<entry align="center">POLICY</entry>
<entry align="center">LOG LEVEL</entry>
</row>
</thead>
<tbody>
<row>
<entry>loc</entry>
<entry>vpn1</entry>
<entry>ACCEPT</entry>
<entry></entry>
</row>
<row>
<entry>vpn1</entry>
<entry>loc</entry>
<entry>ACCEPT</entry>
<entry></entry>
</row>
<row>
<entry>loc</entry>
<entry>vpn2</entry>
<entry>ACCEPT</entry>
<entry></entry>
</row>
<row>
<entry>vpn2</entry>
<entry>loc</entry>
<entry>ACCEPT</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<para>On systems B and C, you will need to allow traffic between the <para>On systems B and C, you will need to allow traffic between the
<quote>vpn</quote> zone and the <quote>loc</quote> zone -- if you simply <quote>vpn</quote> zone and the <quote>loc</quote> zone -- if you simply
want to admit all traffic in both directions, you can use the following want to admit all traffic in both directions, you can use the following
policy file entries on all three gateways:</para> policy file entries on all three gateways:</para>
<table> <para>/etc/shorewall/policy -- Systems B &amp; C</para>
<title>/etc/shorewall/policy system B &amp; C</title>
<tgroup cols="4"> <programlisting>#SOURCE DEST POLICY LOG LEVEL
<thead> loc vpn ACCEPT
<row> vpn loc ACCEPT</programlisting>
<entry align="center">SOURCE</entry>
<entry align="center">DEST</entry>
<entry align="center">POLICY</entry>
<entry align="center">LOG LEVEL</entry>
</row>
</thead>
<tbody>
<row>
<entry>loc</entry>
<entry>vpn</entry>
<entry>ACCEPT</entry>
<entry></entry>
</row>
<row>
<entry>vpn</entry>
<entry>loc</entry>
<entry>ACCEPT</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<para>Once you have the Shorewall entries added, restart Shorewall on each <para>Once you have the Shorewall entries added, restart Shorewall on each
gateway (type shorewall restart); you are now ready to configure the gateway (type shorewall restart); you are now ready to configure the
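Review bot: The System A policy listing has no caption while the Systems B & C listing directly below it gained `<para>/etc/shorewall/policy -- Systems B &amp; C</para>`; add a matching caption for consistency. Separately, the context sentence introducing the System A entries ends "following policy file entries on all three gateways" even though the vpn1/vpn2 entries apply to system A only, and the same phrase is repeated for the B and C entries; "on system A" and "on systems B and C" respectively would be accurate.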
@ -856,45 +343,9 @@ conn packetdefault
it is necessary to simply add two additional entries to the it is necessary to simply add two additional entries to the
/etc/shorewall/policy file on system A.</para> /etc/shorewall/policy file on system A.</para>
<table> <programlisting>#SOURCE DEST POLICY LOG LEVEL
<title>/etc/shorewall/policy system A</title> vpn1 vpn2 ACCEPT
vpn2 vpn1 ACCEPT</programlisting>
<tgroup cols="4">
<thead>
<row>
<entry align="center">SOURCE</entry>
<entry align="center">DEST</entry>
<entry align="center">POLICY</entry>
<entry align="center">LOG LEVEL</entry>
</row>
</thead>
<tbody>
<row>
<entry>vpn1</entry>
<entry>vpn2</entry>
<entry>ACCEPT</entry>
<entry></entry>
</row>
<row>
<entry>vpn2</entry>
<entry>vpn1</entry>
<entry>ACCEPT</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
</note> </note>
<note> <note>
@ -920,65 +371,17 @@ conn packetdefault
local zone. In this example, we'll assume that you have created a zone local zone. In this example, we'll assume that you have created a zone
called <quote>vpn</quote> to represent the remote host.</para> called <quote>vpn</quote> to represent the remote host.</para>
<para><table> <para>/etc/shorewall/zones - System A</para>
<title>/etc/shorewall/zones local</title>
<tgroup cols="3"> <programlisting>#ZONE TYPE OPTIONS
<thead> vpn plain</programlisting>
<row>
<entry align="center">ZONE</entry>
<entry align="center">DISPLAY</entry>
<entry align="center">COMMENTS</entry>
</row>
</thead>
<tbody>
<row>
<entry>vpn</entry>
<entry>VPN</entry>
<entry>Remote Subnet</entry>
</row>
</tbody>
</tgroup>
</table></para>
<para>In this instance, the mobile system (B) has IP address 134.28.54.2 <para>In this instance, the mobile system (B) has IP address 134.28.54.2
but that cannot be determined in advance. In the /etc/shorewall/tunnels but that cannot be determined in advance. In the /etc/shorewall/tunnels
file on system A, the following entry should be made:</para> file on system A, the following entry should be made:</para>
<para><table> <programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
<title>/etc/shorewall/tunnels system A</title> ipsec net 0.0.0.0/0</programlisting>
<tgroup cols="4">
<thead>
<row>
<entry align="center">TYPE</entry>
<entry align="center">ZONE</entry>
<entry align="center">GATEWAY</entry>
<entry align="center">GATEWAY ZONE</entry>
</row>
</thead>
<tbody>
<row>
<entry>ipsec</entry>
<entry>net</entry>
<entry>0.0.0.0/0</entry>
<entry>vpn</entry>
</row>
</tbody>
</tgroup>
</table></para>
<para><note> <para><note>
<para>the GATEWAY ZONE column contains the name of the zone <para>the GATEWAY ZONE column contains the name of the zone
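Review bot: The System A tunnels listing dropped the GATEWAY ZONE value. The removed table row was `ipsec net 0.0.0.0/0 vpn`, but the new programlisting reads `ipsec net 0.0.0.0/0` with the fourth column empty. The note immediately following ("the GATEWAY ZONE column contains the name of the zone ...") depends on that value being present, so the listing should read `ipsec net 0.0.0.0/0 vpn`.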
@ -1004,79 +407,15 @@ conn packetdefault
<para>In /etc/shorewall/zones:</para> <para>In /etc/shorewall/zones:</para>
<table> <programlisting>#ZONE TYPE OPTIONS
<title>/etc/shorewall/zones</title> vpn1 plain
vpn2 plain
<tgroup cols="3"> vpn3 plain</programlisting>
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">DISPLAY</entry>
<entry align="center">COMMENTS</entry>
</row>
</thead>
<tbody>
<row>
<entry>vpn1</entry>
<entry>VPN-1</entry>
<entry>First VPN Zone</entry>
</row>
<row>
<entry>vpn2</entry>
<entry>VPN-2</entry>
<entry>Second VPN Zone</entry>
</row>
<row>
<entry>vpn3</entry>
<entry>VPN-3</entry>
<entry>Third VPN Zone</entry>
</row>
</tbody>
</tgroup>
</table>
<para>In /etc/shorewall/tunnels:</para> <para>In /etc/shorewall/tunnels:</para>
<table> <programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
<title>/etc/shorewall/tunnels</title> ipsec net 0.0.0.0/0 vpn1,vpn2,vpn3</programlisting>
<tgroup cols="4">
<thead>
<row>
<entry align="center">TYPE</entry>
<entry align="center">ZONE</entry>
<entry align="center">GATEWAY</entry>
<entry align="center">GATEWAY ZONE</entry>
</row>
</thead>
<tbody>
<row>
<entry>ipsec</entry>
<entry>net</entry>
<entry>0.0.0.0/0</entry>
<entry>vpn1,vpn2,vpn3</entry>
</row>
</tbody>
</tgroup>
</table>
<para>When Shorewall is started, the zones vpn[1-3] will all be empty and <para>When Shorewall is started, the zones vpn[1-3] will all be empty and
Shorewall will issue warnings to that effect. These warnings may be safely Shorewall will issue warnings to that effect. These warnings may be safely
@ -1101,49 +440,12 @@ conn packetdefault
<para>If you include a dynamic zone in the exclude list of a DNAT rule, <para>If you include a dynamic zone in the exclude list of a DNAT rule,
the dynamically-added hosts are not excluded from the rule.</para> the dynamically-added hosts are not excluded from the rule.</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
DNAT z!dyn loc:192.168.1.3 tcp 80</programlisting>
<example> <example>
<title>dyn=dynamic zone</title> <title>dyn=dynamic zone</title>
<para><informaltable>
<tgroup cols="7">
<thead>
<row>
<entry align="center">ACTION</entry>
<entry align="center">SOURCE</entry>
<entry align="center">DESTINATION</entry>
<entry align="center">PROTOCOL</entry>
<entry align="center">PORT(S)</entry>
<entry align="center">CLIENT PORT(S)</entry>
<entry align="center">ORIGINAL DESTINATION</entry>
</row>
</thead>
<tbody>
<row>
<entry>DNAT</entry>
<entry>z!dyn</entry>
<entry>loc:192.168.1.3</entry>
<entry>tcp</entry>
<entry>80</entry>
<entry></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</informaltable></para>
<para>Dynamic changes to the zone <emphasis role="bold">dyn</emphasis> <para>Dynamic changes to the zone <emphasis role="bold">dyn</emphasis>
will have no effect on the above rule.</para> will have no effect on the above rule.</para>
</example> </example>
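Review bot: The replacement DNAT listing was inserted before the `<example>` element rather than inside it, so the example titled "dyn=dynamic zone" now contains only its title and the sentence "Dynamic changes to the zone dyn will have no effect on the above rule", while the rule it refers to sits outside the example. Move the `<programlisting>` to just after `<title>dyn=dynamic zone</title>` inside the example so the rule and its explanation stay together.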

View File

@ -122,6 +122,7 @@
example, the following zone names are used:</para> example, the following zone names are used:</para>
<programlisting>#NAME DESCRIPTION <programlisting>#NAME DESCRIPTION
fw The firewall itself
net The Internet net The Internet
loc Your Local Network loc Your Local Network
dmz Demilitarized Zone</programlisting> dmz Demilitarized Zone</programlisting>

View File

@ -15,7 +15,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2005-05-15</pubdate> <pubdate>2005-09-03</pubdate>
<copyright> <copyright>
<year>2003-2005</year> <year>2003-2005</year>
@ -34,6 +34,13 @@
</legalnotice> </legalnotice>
</articleinfo> </articleinfo>
<caution>
<para><emphasis role="bold">This article applies to Shorewall 3.0 and
later. If you are running a version of Shorewall earlier than Shorewall
3.0.0 then please see the documentation for that
release.</emphasis></para>
</caution>
<section> <section>
<title>Introduction</title> <title>Introduction</title>
@ -205,9 +212,9 @@
<para><filename>/etc/shorewall/zones</filename></para> <para><filename>/etc/shorewall/zones</filename></para>
<programlisting>#ZONE DISPLAY COMMENTS <programlisting>#ZONE TYPE OPTIONS
loc1 Local1 Hosts accessed through internal router loc1 plain
loc Local All hosts accessed via eth1</programlisting> loc plain</programlisting>
<note> <note>
<para>the sub-zone (loc1) is defined first!</para> <para>the sub-zone (loc1) is defined first!</para>
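Review bot: Converting this zones listing to the 3.0 TYPE/OPTIONS format drops the descriptions ("Hosts accessed through internal router", "All hosts accessed via eth1") that told the reader which hosts each zone covers, and the surrounding prose about sub-zones relies on that distinction. Consider keeping them as trailing `#` comments on the `plain` entries; the same applies to the other zones listings converted in this file.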
@ -244,9 +251,9 @@ loc1 loc NONE</programlisting>
<para><filename>/etc/shorewall/zones</filename></para> <para><filename>/etc/shorewall/zones</filename></para>
<programlisting>#ZONE DISPLAY COMMENTS <programlisting>#ZONE TYPE OPTIONS
loc1 Local1 Hosts accessed Directly from Firewall loc1 plain
loc2 Local2 Hosts accessed via the internal Router</programlisting> loc2 plain</programlisting>
<note> <note>
<para>Here it doesn't matter which zone is defined first.</para> <para>Here it doesn't matter which zone is defined first.</para>
@ -287,9 +294,9 @@ loc2 loc1 NONE</programlisting>
<para><filename>/etc/shorewall/zones</filename></para> <para><filename>/etc/shorewall/zones</filename></para>
<programlisting>#ZONE DISPLAY COMMENTS <programlisting>#ZONE TYPE OPTIONS
loc1 Local1 192.168.1.8-192.168.1.15 loc1 plain
loc Local All hosts accessed via eth1</programlisting> loc plain</programlisting>
<note> <note>
<para>the sub-zone (loc1) is defined first!</para> <para>the sub-zone (loc1) is defined first!</para>
@ -332,9 +339,9 @@ loc1 loc NONE</programlisting>
<para><filename>/etc/shorewall/zones</filename></para> <para><filename>/etc/shorewall/zones</filename></para>
<programlisting>#ZONE DISPLAY COMMENTS <programlisting>#ZONE TYPE OPTIONS
loc Local Local Zone loc1 plain
net Internet The big bad Internet</programlisting> net plain</programlisting>
<note> <note>
<para>the sub-zone (loc) is defined first!</para> <para>the sub-zone (loc) is defined first!</para>
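Review bot: In this zones listing the first zone was renamed from `loc` to `loc1` during the conversion (`loc Local Local Zone` became `loc1 plain`), but the note that follows still says "the sub-zone (loc) is defined first!". Either keep the entry as `loc plain` or update the note to match; as it stands the listing and the note name different zones.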

View File

@ -21,7 +21,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2005-08-27</pubdate> <pubdate>2005-08-30</pubdate>
<copyright> <copyright>
<year>2003</year> <year>2003</year>
@ -46,6 +46,13 @@
</legalnotice> </legalnotice>
</articleinfo> </articleinfo>
<caution>
<para><emphasis role="bold">This article applies to Shorewall 3.0 and
later. If you are running a version of Shorewall earlier than Shorewall
3.0.0 then please see the documentation for that
release.</emphasis></para>
</caution>
<para>OpenVPN is a robust and highly configurable VPN (Virtual Private <para>OpenVPN is a robust and highly configurable VPN (Virtual Private
Network) daemon which can be used to securely link two or more private Network) daemon which can be used to securely link two or more private
networks using an encrypted tunnel over the internet. OpenVPN is an Open networks using an encrypted tunnel over the internet. OpenVPN is an Open
@ -97,8 +104,9 @@
<para><filename>/etc/shorewall/zones</filename> — Systems A &amp; <para><filename>/etc/shorewall/zones</filename> — Systems A &amp;
B</para> B</para>
<programlisting>#ZONE DISPLAY COMMENTS <programlisting>#ZONE TYPE OPTIONS IN OUT
vpn VPN Remote subnet</programlisting> # OPTIONS OPTIONS
vpn plain</programlisting>
</blockquote> </blockquote>
<para>On system A, the 10.0.0.0/8 will comprise the <emphasis <para>On system A, the 10.0.0.0/8 will comprise the <emphasis
@ -231,8 +239,9 @@ vpn loc ACCEPT</programlisting>
<blockquote> <blockquote>
<para><filename>/etc/shorewall/zones</filename> — System A:</para> <para><filename>/etc/shorewall/zones</filename> — System A:</para>
<programlisting>#ZONE DISPLAY COMMENTS <programlisting>#ZONE TYPE OPTIONS IN OUT
road Roadwarriors Remote clients</programlisting> # OPTIONS OPTIONS
road plain</programlisting>
</blockquote> </blockquote>
<para>On system A, the remote clients will comprise the <emphasis <para>On system A, the remote clients will comprise the <emphasis
@ -314,8 +323,9 @@ verb 3</programlisting>
<blockquote> <blockquote>
<para><filename>/etc/shorewall/zones</filename> — System B:</para> <para><filename>/etc/shorewall/zones</filename> — System B:</para>
<programlisting>#ZONE DISPLAY COMMENTS <programlisting>#ZONE TYPE OPTIONS IN OUT
home Home Home LAN</programlisting> # OPTIONS OPTIONS
home plain</programlisting>
</blockquote> </blockquote>
<para>On system A, the hosts accessible through the tunnel will comprise <para>On system A, the hosts accessible through the tunnel will comprise

View File

@ -5,7 +5,7 @@
<!--$Id$--> <!--$Id$-->
<articleinfo> <articleinfo>
<title>PPTP</title> <title>PPTP - Unmaintained</title>
<authorgroup> <authorgroup>
<author> <author>
@ -92,6 +92,11 @@
</abstract> </abstract>
</articleinfo> </articleinfo>
<warning>
<para><emphasis role="bold">This document is no longer maintained. Any
volunteers?</emphasis></para>
</warning>
<section> <section>
<title>Overview</title> <title>Overview</title>

View File

@ -15,7 +15,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2005-03-17</pubdate> <pubdate>2005-09-03</pubdate>
<copyright> <copyright>
<year>2001-2005</year> <year>2001-2005</year>
@ -34,6 +34,13 @@
</legalnotice> </legalnotice>
</articleinfo> </articleinfo>
<caution>
<para><emphasis role="bold">This article applies to Shorewall 3.0 and
later. If you are running a version of Shorewall earlier than Shorewall
3.0.0 then please see the documentation for that
release.</emphasis></para>
</caution>
<section> <section>
<title>Background</title> <title>Background</title>
@ -265,9 +272,8 @@ ACCEPT net loc:192.168.1.3 tcp 22</programlisting></para>
<para>In <filename>/etc/shorewall/zones</filename>:</para> <para>In <filename>/etc/shorewall/zones</filename>:</para>
<programlisting>#ZONE DISPLAY DESCRIPTION <programlisting>#ZONE TYPE OPTIONS
loc Local Local Zone loc plain</programlisting>
</programlisting>
<para>In <filename>/etc/shorewall/interfaces</filename>:</para> <para>In <filename>/etc/shorewall/interfaces</filename>:</para>
@ -285,13 +291,11 @@ loc eth1 192.168.1.255,192.168.20.255 <emphasis role="bold">rout
separate zones and control the access between them (the users of the separate zones and control the access between them (the users of the
systems do not have administrative privileges).</title> systems do not have administrative privileges).</title>
<para>This example applies to Shorewall 1.4.2 and later.</para>
<para>In <filename>/etc/shorewall/zones</filename>:</para> <para>In <filename>/etc/shorewall/zones</filename>:</para>
<programlisting>#ZONE DISPLAY DESCRIPTION <programlisting>#ZONE TYPE OPTIONS
loc Local Local Zone 1 loc plain
loc2 Local2 Local Zone 2</programlisting> loc2 plain</programlisting>
<para>In <filename>/etc/shorewall/interfaces</filename>:</para> <para>In <filename>/etc/shorewall/interfaces</filename>:</para>

View File

@ -15,7 +15,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2005-06-01</pubdate> <pubdate>2005-09-03</pubdate>
<copyright> <copyright>
<year>2003-2005</year> <year>2003-2005</year>
@ -34,6 +34,13 @@
</legalnotice> </legalnotice>
</articleinfo> </articleinfo>
<caution>
<para><emphasis role="bold">This article applies to Shorewall 3.0 and
later. If you are running a version of Shorewall earlier than Shorewall
3.0.0 then please see the documentation for that
release.</emphasis></para>
</caution>
<para>Beginning with Shorewall version 1.4.8, Shorewall can interface to <para>Beginning with Shorewall version 1.4.8, Shorewall can interface to
ftwall. <emphasis role="bold">ftwall</emphasis> is part of the <ulink ftwall. <emphasis role="bold">ftwall</emphasis> is part of the <ulink
url="http://p2pwall.sourceforge.net">p2pwall project</ulink> and is a url="http://p2pwall.sourceforge.net">p2pwall project</ulink> and is a
@ -42,8 +49,9 @@
KazaaLite, iMash and Grokster.</para> KazaaLite, iMash and Grokster.</para>
<para>To filter traffic from your <quote>loc</quote> zone with ftwall, you <para>To filter traffic from your <quote>loc</quote> zone with ftwall, you
insert the following rules in /etc/shorewall/rules file after any DROP or insert the following rules in the ESTABLISHED section of
REJECT rules whose source is the <quote>loc</quote> zone.</para> /etc/shorewall/rules file after any DROP or REJECT rules whose source is the
<quote>loc</quote> zone.</para>
<programlisting> #ACTION SOURCE DEST PROTO <programlisting> #ACTION SOURCE DEST PROTO
QUEUE loc net tcp QUEUE loc net tcp

View File

@ -15,7 +15,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2005-02-22</pubdate> <pubdate>2005-09-03</pubdate>
<copyright> <copyright>
<year>2004</year> <year>2004</year>
@ -485,9 +485,10 @@ rc-update add bridge boot
defined -- one for the internet and one for the local LAN so in defined -- one for the internet and one for the local LAN so in
<filename>/etc/shorewall/zones</filename>:</para> <filename>/etc/shorewall/zones</filename>:</para>
<programlisting>#ZONE DISPLAY COMMENTS <programlisting>#ZONE TYPE OPTIONS
net Net Internet fw firewall
loc Local Local networks net plain
loc plain
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting> #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
<para>A conventional two-zone policy file is appropriate here — <para>A conventional two-zone policy file is appropriate here —

View File

@ -196,8 +196,8 @@ ipset -B Blacklist 206.124.146.177 -b SMTP</command></programlisting>
<para>/etc/shorewall/zones:</para> <para>/etc/shorewall/zones:</para>
<programlisting>#ZONE IPSEC OPTIONS IN OPTIONS OUT OPTIONS <programlisting>#ZONE TYPE OPTIONS IN OPTIONS OUT OPTIONS
dyn No</programlisting> dyn plain</programlisting>
<para>/etc/shorewall/interfaces:</para> <para>/etc/shorewall/interfaces:</para>

View File

@ -15,7 +15,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2005-05-26</pubdate> <pubdate>2005-09-03</pubdate>
<copyright> <copyright>
<year>2001-2005</year> <year>2001-2005</year>
@ -34,6 +34,13 @@
</legalnotice> </legalnotice>
</articleinfo> </articleinfo>
<caution>
<para><emphasis role="bold">This article applies to Shorewall 3.0 and
later. If you are running a version of Shorewall earlier than Shorewall
3.0.0 then please see the documentation for that
release.</emphasis></para>
</caution>
<section id="Introduction"> <section id="Introduction">
<title>Introduction</title> <title>Introduction</title>
@ -123,63 +130,28 @@
instructions and some contain default entries.</para> instructions and some contain default entries.</para>
<para>Shorewall views the network where it is running as being composed of <para>Shorewall views the network where it is running as being composed of
a set of zones. In the default installation, the following zone names are a set of zones. </para>
used:</para>
<table>
<title>Zones</title>
<tgroup cols="2">
<tbody>
<row>
<entry align="left"><emphasis role="bold">Name</emphasis></entry>
<entry align="left" role="underline"><emphasis
role="bold">Description</emphasis></entry>
</row>
<row>
<entry>net</entry>
<entry>The Internet</entry>
</row>
<row>
<entry>loc</entry>
<entry>Your Local Network</entry>
</row>
<row>
<entry>dmz</entry>
<entry>Demilitarized Zone</entry>
</row>
</tbody>
</tgroup>
</table>
<para>Zones are defined in the file <filename><ulink <para>Zones are defined in the file <filename><ulink
url="Documentation.htm#Zones"><filename>/etc/shorewall/zones</filename></ulink></filename>.</para> url="Documentation.htm#Zones"><filename>/etc/shorewall/zones</filename></ulink></filename>.</para>
<important> <important>
<para>Beginning with Shorewall 2.2.0, the <para>The <filename>/etc/shorewall/zones</filename> file included in the
<filename>/etc/shorewall/zones</filename> file included in the release release is empty. You can create a standard set of zones by copying and
is empty. You can create the above set of zones by copying and pasting pasting the following into the file:</para>
the following into the file:</para>
<programlisting>net Net Internet <programlisting>#ZONE TYPE OPTIONS
loc Local Local networks fw firewall
dmz DMZ Demilitarized zone</programlisting> net plain
loc plain
dmz plain</programlisting>
</important> </important>
<para>Shorewall also recognizes the firewall system as its own zone - by <para>Note that Shorewall recognizes the firewall system as its own zone -
default, the firewall itself is known as <emphasis The above example follows the usual convention of naming the Firewall zone
role="bold">fw</emphasis> but that may be changed in the <ulink <emphasis role="bold">fw</emphasis>. In this guide, the name <emphasis
url="Documentation.htm#Config"><filename>/etc/shorewall/shorewall.conf</filename></ulink> role="bold">fw</emphasis> will be used. With the exception of the name
file. In this guide, the default name (<emphasis assigned to the firewall zone, Shorewall attaches absolutely no meaning to
role="bold">fw</emphasis>) will be used. With the exception of <emphasis
role="bold">fw</emphasis>, Shorewall attaches absolutely no meaning to
zone names. Zones are entirely what YOU make of them. That means that you zone names. Zones are entirely what YOU make of them. That means that you
should not expect Shorewall to do something special <quote>because this is should not expect Shorewall to do something special <quote>because this is
the internet zone</quote> or <quote>because that is the the internet zone</quote> or <quote>because that is the