mirror of https://gitlab.com/shorewall/code.git (synced 2024-12-22 06:10:42 +01:00)
More 3.0 doc updates
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2629 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent 87574c0fe3
commit 71c448e6c7
@ -187,16 +187,6 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><link linkend="Ipsec">ipsec</link></term>
|
||||
|
||||
<listitem>
|
||||
<para>a parameter file installed in <filename
|
||||
class="directory">/etc/shorewall</filename> and used to describe
|
||||
ipsec policies associated with zones.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><link linkend="Maclist">maclist</link></term>
|
||||
|
||||
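Review bot: dropping the `<term><link linkend="Ipsec">ipsec</link></term>` entry removes the only description of the old /etc/shorewall/ipsec file, but nothing in this hunk retargets other documents that still link to that anchor; grep the doc tree for `linkend="Ipsec"` and either point those links at the zones entry (whose TYPE column now carries the ipsec/plain setting in this commit) or add a short migration line under the zones entry saying the ipsec file is gone.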
@ -423,16 +413,22 @@ NET_OPTIONS=blacklist,norfc1918</programlisting>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>IPSEC</term>
|
||||
<term>TYPE</term>
|
||||
|
||||
<listitem>
|
||||
<simplelist>
|
||||
<member>Yes - All traffic to/from this zone is encrypted.</member>
|
||||
<member><emphasis role="bold">ipsec</emphasis> - All traffic
|
||||
to/from this zone is encrypted.</member>
|
||||
|
||||
<member>No - By default, traffic to/from some of the hosts in this
|
||||
zone is not encrypted. Any encrypted hosts are designated using
|
||||
the <emphasis role="bold">ipsec</emphasis> option in <link
|
||||
<member><emphasis role="bold">plain</emphasis> - By default,
|
||||
traffic to/from some of the hosts in this zone is not encrypted.
|
||||
Any encrypted hosts are designated using the <emphasis
|
||||
role="bold">ipsec</emphasis> option in <link
|
||||
linkend="Hosts">/etc/shorewall/hosts</link>.</member>
|
||||
|
||||
<member><emphasis role="bold">firewall</emphasis> - Designates the
|
||||
firewall itself. You must have exactly one 'firewall' zone. No
|
||||
options are permitted with a 'firewall' zone. </member>
|
||||
</simplelist>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
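Review bot: the new `firewall` member says "No options are permitted with a 'firewall' zone", but the `ipsec` and `plain` members say nothing about the OPTIONS, IN OPTIONS and OUT OPTIONS columns, which the IPSEC article in this same commit describes as selecting the SA(s) for a zone; add one sentence here stating that those columns apply to `ipsec` zones and whether they are accepted for `plain` ones, so the reader does not have to find that in another document.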
@ -1337,10 +1333,11 @@ loc loc REJECT info</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/zones</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE DISPLAY COMMENTS
|
||||
sam Sam Sam's system at home
|
||||
net Internet The Internet
|
||||
loc Local Local Network</programlisting>
|
||||
<programlisting>#ZONE TYPE OPTION
|
||||
fw firewall
|
||||
sam plain
|
||||
net plain
|
||||
loc plain</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/interfaces</filename>:</para>
|
||||
|
||||
|
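Review bot: the header of the new listing reads `#ZONE TYPE OPTION` while the same column is written `#ZONE TYPE OPTIONS` in the other zones listings added by this commit (and the varlistentry above documents it as OPTIONS); use `OPTIONS` here so the example matches the file format description.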
@ -15,7 +15,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2003-08-09</pubdate>
|
||||
<pubdate>2003-09-03</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001</year>
|
||||
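Review bot: the replacement `<pubdate>2003-09-03</pubdate>` looks like a typo for 2005-09-03, which is the date every other pubdate in this commit is set to; as written it moves the article's date two years backwards from the removed 2003-08-09 value's neighbours and contradicts the `<year>2005</year>` added in the next hunk.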
@ -24,6 +24,8 @@
|
||||
|
||||
<year>2003</year>
|
||||
|
||||
<year>2005</year>
|
||||
|
||||
<holder>Thomas M. Eastep</holder>
|
||||
</copyright>
|
||||
|
||||
@ -33,13 +35,15 @@
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
</legalnotice>
|
||||
</articleinfo>
|
||||
|
||||
<para>Shorewall includes built-in support for a wide range of VPN solutions.
|
||||
If you have need for a tunnel type that does not have explicit support, you
|
||||
can generally describe the tunneling software using <quote>generic tunnels</quote>.</para>
|
||||
can generally describe the tunneling software using <quote>generic
|
||||
tunnels</quote>.</para>
|
||||
|
||||
<section>
|
||||
<title>Bridging two Masqueraded Networks</title>
|
||||
@ -50,7 +54,7 @@
|
||||
|
||||
<para>We want systems in the 192.168.1.0/24 subnetwork to be able to
|
||||
communicate with the systems in the 10.0.0.0/8 network. This is
|
||||
accomplished through use of the /etc/shorewall/tunnels file, the
|
||||
accomplished through use of the /etc/shorwall/tunnels file, the
|
||||
/etc/shorewall/policy file and the /etc/shorewall/tunnel script that is
|
||||
included with Shorewall.</para>
|
||||
|
||||
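Review bot: the added line `accomplished through use of the /etc/shorwall/tunnels file, the` introduces a misspelling; the removed line had the path right, so this should stay `/etc/shorewall/tunnels`.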
@ -73,217 +77,44 @@
|
||||
</orderedlist>
|
||||
|
||||
<para>On each firewall, you will need to declare a zone to represent the
|
||||
remote subnet. We'll assume that this zone is called <quote>vpn</quote>
|
||||
remote subnet. We'll assume that this zone is called <quote>vpn</quote>
|
||||
and declare it in /etc/shorewall/zones on both systems as follows.</para>
|
||||
|
||||
<informaltable>
|
||||
<tgroup cols="3">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">ZONE</entry>
|
||||
<programlisting>#ZONE TYPE OPTIONS
|
||||
vpn plain</programlisting>
|
||||
|
||||
<entry align="center">DISPLAY</entry>
|
||||
<para>On system A, the 10.0.0.0/8 will comprise the <emphasis
|
||||
role="bold">vpn</emphasis> zone. In /etc/shorewall/interfaces:</para>
|
||||
|
||||
<entry align="center">COMMENTS</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>vpn</entry>
|
||||
|
||||
<entry>VPN</entry>
|
||||
|
||||
<entry>Remote Subnet</entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</informaltable>
|
||||
|
||||
<para>On system A, the 10.0.0.0/8 will comprise the <emphasis role="bold">vpn</emphasis>
|
||||
zone. In /etc/shorewall/interfaces:</para>
|
||||
|
||||
<informaltable>
|
||||
<tgroup cols="4">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">ZONE</entry>
|
||||
|
||||
<entry align="center">INTERFACE</entry>
|
||||
|
||||
<entry align="center">BROADCAST</entry>
|
||||
|
||||
<entry align="center">OPTIONS</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>vpn</entry>
|
||||
|
||||
<entry>tun0</entry>
|
||||
|
||||
<entry>10.255.255.255</entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</informaltable>
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
vpn tun0 10.255.255.255</programlisting>
|
||||
|
||||
<para>In /etc/shorewall/tunnels on system A, we need the following:</para>
|
||||
|
||||
<informaltable>
|
||||
<tgroup cols="4">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">TYPE</entry>
|
||||
|
||||
<entry align="center">ZONE</entry>
|
||||
|
||||
<entry align="center">GATEWAY</entry>
|
||||
|
||||
<entry align="center">GATEWAY ZONE</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>generic:tcp:1071</entry>
|
||||
|
||||
<entry>net</entry>
|
||||
|
||||
<entry>134.28.54.2</entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>generic:47</entry>
|
||||
|
||||
<entry>net</entry>
|
||||
|
||||
<entry>134.28.54.2</entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</informaltable>
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
|
||||
generic:tcp:1071 net 134.28.54.2
|
||||
generic:47 net 134.28.54.2</programlisting>
|
||||
|
||||
<para>These entries in /etc/shorewall/tunnels, opens the firewall so that
|
||||
TCP port 1071 and the Generalized Routing Encapsulation Protocol (47) will
|
||||
be accepted to/from the remote gateway.</para>
|
||||
|
||||
<informaltable>
|
||||
<tgroup cols="4">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">ZONE</entry>
|
||||
|
||||
<entry align="center">INTERFACE</entry>
|
||||
|
||||
<entry align="center">BROADCAST</entry>
|
||||
|
||||
<entry align="center">OPTIONS</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>vpn</entry>
|
||||
|
||||
<entry>tun0</entry>
|
||||
|
||||
<entry>192.168.1.255</entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</informaltable>
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
vpn tun0 192.168.1.255</programlisting>
|
||||
|
||||
<para>In /etc/shorewall/tunnels on system B, we have:</para>
|
||||
|
||||
<informaltable>
|
||||
<tgroup cols="4">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">TYPE</entry>
|
||||
|
||||
<entry align="center">ZONE</entry>
|
||||
|
||||
<entry align="center">GATEWAY</entry>
|
||||
|
||||
<entry align="center">GATEWAY ZONE</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>generic:tcp:1071</entry>
|
||||
|
||||
<entry>net</entry>
|
||||
|
||||
<entry>206.191.148.9</entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>generic:47</entry>
|
||||
|
||||
<entry>net</entry>
|
||||
|
||||
<entry>134.28.54.2</entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</informaltable>
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
|
||||
generic:tcp:1071 net 206.191.148.9
|
||||
generic:47 net 206.191.148.9</programlisting>
|
||||
|
||||
<para>You will need to allow traffic between the <quote>vpn</quote> zone
|
||||
and the <quote>loc</quote> zone on both systems -- if you simply want to
|
||||
admit all traffic in both directions, you can use the policy file:</para>
|
||||
|
||||
<informaltable>
|
||||
<tgroup cols="4">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">SOURCE</entry>
|
||||
|
||||
<entry align="center">DEST</entry>
|
||||
|
||||
<entry align="center">POLICY</entry>
|
||||
|
||||
<entry align="center">LOG LEVEL</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>loc</entry>
|
||||
|
||||
<entry>vpn</entry>
|
||||
|
||||
<entry>ACCEPT</entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>vpn</entry>
|
||||
|
||||
<entry>loc</entry>
|
||||
|
||||
<entry>ACCEPT</entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</informaltable>
|
||||
<programlisting>#SOURCE DEST POLICY LOG LEVEL
|
||||
loc vpn ACCEPT
|
||||
vpn loc ACCEPT</programlisting>
|
||||
|
||||
<para>On both systems, restart Shorewall and start your VPN software on
|
||||
each system. The systems in the two masqueraded subnetworks can now talk
|
||||
|
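Review bot: the system B listing changes the GRE gateway from 134.28.54.2 (the value in the removed `<entry>generic:47</entry>` row) to `generic:47 net 206.191.148.9`, which matches the tcp row above it and is clearly the intended value, but it is a content fix buried inside a table-to-listing conversion and deserves a mention in the commit message. While here, the context sentence "These entries in /etc/shorewall/tunnels, opens the firewall" should read "open the firewall" without the comma.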
@ -15,7 +15,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2004-05-22</pubdate>
|
||||
<pubdate>2005-09-03</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001</year>
|
||||
@ -26,6 +26,8 @@
|
||||
|
||||
<year>2004</year>
|
||||
|
||||
<year>2005</year>
|
||||
|
||||
<holder>Thomas M. Eastep</holder>
|
||||
</copyright>
|
||||
|
||||
@ -35,7 +37,8 @@
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
</legalnotice>
|
||||
</articleinfo>
|
||||
|
||||
@ -48,11 +51,11 @@
|
||||
masqueraded networks.</para>
|
||||
|
||||
<para>The simple scripts described in the <citetitle><ulink
|
||||
url="http://ds9a.nl/lartc">Linux Advanced Routing and Shaping HOWTO</ulink></citetitle>
|
||||
work fine with Shorewall. Shorewall also includes a tunnel script for
|
||||
automating tunnel configuration. If you have installed the RPM, the tunnel
|
||||
script may be found in the Shorewall documentation directory (usually
|
||||
/usr/share/doc/shorewall-<version>/).</para>
|
||||
url="http://ds9a.nl/lartc">Linux Advanced Routing and Shaping
|
||||
HOWTO</ulink></citetitle> work fine with Shorewall. Shorewall also includes
|
||||
a tunnel script for automating tunnel configuration. If you have installed
|
||||
the RPM, the tunnel script may be found in the Shorewall documentation
|
||||
directory (usually /usr/share/doc/shorewall-<version>/).</para>
|
||||
|
||||
<section>
|
||||
<title>Bridging two Masqueraded Networks</title>
|
||||
@ -71,10 +74,11 @@
|
||||
by default -- If you install using the tarball, the script is included in
|
||||
the tarball; if you install using the RPM, the file is in your Shorewall
|
||||
documentation directory (normally
|
||||
/usr/share/doc/shorewall-<version>).</para>
|
||||
/usr/share/doc/shorewall-<version>).</para>
|
||||
|
||||
<para>In the /etc/shorewall/tunnel script, set the <quote>tunnel_type</quote>
|
||||
parameter to the type of tunnel that you want to create.</para>
|
||||
<para>In the /etc/shorewall/tunnel script, set the
|
||||
<quote>tunnel_type</quote> parameter to the type of tunnel that you want
|
||||
to create.</para>
|
||||
|
||||
<example>
|
||||
<title>/etc/shorewall/tunnel</title>
|
||||
@ -85,106 +89,31 @@
|
||||
<warning>
|
||||
<para>If you use the PPTP connection tracking modules from Netfilter
|
||||
Patch-O-Matic (ip_conntrack_proto_gre ip_conntrack_pptp,
|
||||
ip_nat_proto_gre and ip_nat_pptp) then you cannot use GRE tunnels.</para>
|
||||
ip_nat_proto_gre and ip_nat_pptp) then you cannot use GRE
|
||||
tunnels.</para>
|
||||
</warning>
|
||||
|
||||
<para>On each firewall, you will need to declare a zone to represent the
|
||||
remote subnet. We'll assume that this zone is called <quote>vpn</quote>
|
||||
remote subnet. We'll assume that this zone is called <quote>vpn</quote>
|
||||
and declare it in /etc/shorewall/zones on both systems as follows.</para>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/zones system A & B</title>
|
||||
<programlisting>#ZONE TYPE OPTIONS
|
||||
vpn plain</programlisting>
|
||||
|
||||
<tgroup cols="3">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">ZONE</entry>
|
||||
<para>On system A, the 10.0.0.0/8 will comprise the <emphasis
|
||||
role="bold">vpn</emphasis> zone. In /etc/shorewall/interfaces:</para>
|
||||
|
||||
<entry align="center">DISPLAY</entry>
|
||||
|
||||
<entry align="center">COMMENTS</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>vpn</entry>
|
||||
|
||||
<entry>VPN</entry>
|
||||
|
||||
<entry>Remote Subnet</entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
|
||||
<para>On system A, the 10.0.0.0/8 will comprise the <emphasis role="bold">vpn</emphasis>
|
||||
zone. In /etc/shorewall/interfaces:</para>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/interfaces system A</title>
|
||||
|
||||
<tgroup cols="4">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">ZONE</entry>
|
||||
|
||||
<entry align="center">INTERFACE</entry>
|
||||
|
||||
<entry align="center">BROADCAST</entry>
|
||||
|
||||
<entry align="center">OPTIONS</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>vpn</entry>
|
||||
|
||||
<entry>tosysb</entry>
|
||||
|
||||
<entry>10.255.255.255</entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
vpn tosysb 10.255.255.255</programlisting>
|
||||
|
||||
<para>In /etc/shorewall/tunnels on system A, we need the following:</para>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/tunnels system A</title>
|
||||
|
||||
<tgroup cols="4">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">TYPE</entry>
|
||||
|
||||
<entry align="center">ZONE</entry>
|
||||
|
||||
<entry align="center">GATEWAY</entry>
|
||||
|
||||
<entry align="center">GATEWAY ZONE</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>ipip</entry>
|
||||
|
||||
<entry>net</entry>
|
||||
|
||||
<entry>134.28.54.2</entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
|
||||
ipip net 134.28.54.2</programlisting>
|
||||
|
||||
<para>This entry in /etc/shorewall/tunnels, opens the firewall so that the
|
||||
IP encapsulation protocol (4) will be accepted to/from the remote gateway.</para>
|
||||
IP encapsulation protocol (4) will be accepted to/from the remote
|
||||
gateway.</para>
|
||||
|
||||
<para>In the tunnel script on system A:</para>
|
||||
|
||||
@ -201,69 +130,16 @@ subnet=10.0.0.0/8
|
||||
</example>
|
||||
|
||||
<para>Similarly, On system B the 192.168.1.0/24 subnet will comprise the
|
||||
<emphasis role="bold">vpn</emphasis> zone. In /etc/shorewall/interfaces:</para>
|
||||
<emphasis role="bold">vpn</emphasis> zone. In
|
||||
/etc/shorewall/interfaces:</para>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/interfaces system B</title>
|
||||
|
||||
<tgroup cols="4">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">ZONE</entry>
|
||||
|
||||
<entry align="center">INTERFACE</entry>
|
||||
|
||||
<entry align="center">BROADCAST</entry>
|
||||
|
||||
<entry align="center">OPTIONS</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>vpn</entry>
|
||||
|
||||
<entry>tosysa</entry>
|
||||
|
||||
<entry>192.168.1.255</entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
<programlisting>#ZONE INTERFACE BROADCAST
|
||||
vpn tosysa 192.168.1.255</programlisting>
|
||||
|
||||
<para>In /etc/shorewall/tunnels on system B, we have:</para>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/tunnels system B</title>
|
||||
|
||||
<tgroup cols="4">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">TYPE</entry>
|
||||
|
||||
<entry align="center">ZONE</entry>
|
||||
|
||||
<entry align="center">GATEWAY</entry>
|
||||
|
||||
<entry align="center">GATEWAY ZONE</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>ipip</entry>
|
||||
|
||||
<entry>net</entry>
|
||||
|
||||
<entry>206.191.148.9</entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
|
||||
ipip net 206.191.148.9</programlisting>
|
||||
|
||||
<para>And in the tunnel script on system B:</para>
|
||||
|
||||
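Review bot: the system B interfaces listing is headed `#ZONE INTERFACE BROADCAST` with no OPTIONS column, whereas the system A listing in the previous hunk and the removed table both carry `#ZONE INTERFACE BROADCAST OPTIONS`; add the missing column header so the two examples show the same file layout.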
@ -285,45 +161,9 @@ subnet=192.168.1.0/24</programlisting>
|
||||
and the <quote>loc</quote> zone on both systems -- if you simply want to
|
||||
admit all traffic in both directions, you can use the policy file:</para>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/policy system A & B</title>
|
||||
|
||||
<tgroup cols="4">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">SOURCE</entry>
|
||||
|
||||
<entry align="center">DEST</entry>
|
||||
|
||||
<entry align="center">POLICY</entry>
|
||||
|
||||
<entry align="center">LOG LEVEL</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>loc</entry>
|
||||
|
||||
<entry>vpn</entry>
|
||||
|
||||
<entry>ACCEPT</entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>vpn</entry>
|
||||
|
||||
<entry>loc</entry>
|
||||
|
||||
<entry>ACCEPT</entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
<programlisting>#SOURCE DEST POLICY LOG LEVEL
|
||||
loc vpn ACCEPT
|
||||
vpn loc ACCEPT</programlisting>
|
||||
|
||||
<para>On both systems, restart Shorewall and run the modified tunnel
|
||||
script with the <quote>start</quote> argument on each system. The systems
|
||||
|
@ -15,7 +15,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2005-06-02</pubdate>
|
||||
<pubdate>2005-09-03</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2004</year>
|
||||
@ -62,8 +62,9 @@
|
||||
url="Accounting.html">/etc/shorewall/accounting</ulink></member>
|
||||
|
||||
<member><ulink
|
||||
url="Shorewall_and_Routing.html">/etc/shorewall/routes</ulink> (2.3.2
|
||||
and later)</member>
|
||||
url="Shorewall_and_Routing.html">/etc/shorewall/rules</ulink> (Recommend
|
||||
that you place the rules in the ESTABLISHED section of that
|
||||
file).</member>
|
||||
</simplelist>
|
||||
|
||||
<para>When the PROTO or PROTOCOL column contains "ipp2p" then the DEST
|
||||
|
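Review bot: the link text now says /etc/shorewall/rules but the `url="Shorewall_and_Routing.html"` attribute was carried over from the removed /etc/shorewall/routes entry, so the link points a reader asking about the rules file at the routing article; update the url to the rules file documentation. The parenthetical "(Recommend that you place the rules in the ESTABLISHED section of that file)" also wants a subject, e.g. "It is recommended that you place".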
@ -15,7 +15,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2005-08-30</pubdate>
|
||||
<pubdate>2005-09-03</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2004</year>
|
||||
@ -210,19 +210,19 @@
|
||||
<para>Encrypted communication is used to/from all hosts in a
|
||||
zone.</para>
|
||||
|
||||
<para>The value <emphasis role="bold">Yes</emphasis> is placed in the
|
||||
IPSEC column of the <filename>/etc/shorewall/ipsec</filename> entry
|
||||
<para>The value <emphasis role="bold">ipsec</emphasis> is placed in
|
||||
the TYPE column of the <filename>/etc/shorewall/zones</filename> entry
|
||||
for the zone.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Encrypted communication is used to/from only part of the hosts
|
||||
in a zone.</para>
|
||||
<para>By default, encrypted communication is not used to communicate
|
||||
with the hosts in a zone.</para>
|
||||
|
||||
<para>The value <emphasis role="bold">No</emphasis> is placed in the
|
||||
IPSEC column of the <filename>/etc/shorewall/ipsec</filename> entry
|
||||
<para>The value <emphasis role="bold">plain</emphasis> is placed in
|
||||
the TYPE column of the <filename>/etc/shorewall/zones</filename> entry
|
||||
for the zone and the new <emphasis role="bold">ipsec</emphasis> option
|
||||
is specified in <filename>/etc/shorewall/hosts</filename> for those
|
||||
is specified in <filename>/etc/shorewall/hosts</filename> for any
|
||||
hosts requiring secure communication.</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
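Review bot: the new sentence "By default, encrypted communication is not used to communicate with the hosts in a zone" reads awkwardly ("communication ... to communicate"); suggest "By default, communication with the hosts in a zone is not encrypted", which also parallels the first list item's "Encrypted communication is used to/from all hosts in a zone."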
@ -233,15 +233,15 @@
|
||||
</note>
|
||||
|
||||
<note>
|
||||
<para>It is redundent to have <emphasis role="bold">Yes</emphasis> in
|
||||
the IPSEC column of the <filename>/etc/shorewall/ipsec</filename> entry
|
||||
<para>It is redundent to have <emphasis role="bold">ipsec</emphasis> in
|
||||
the TYPE column of the <filename>/etc/shorewall/zones</filename> entry
|
||||
for a zone and to also have the <emphasis role="bold">ipsec</emphasis>
|
||||
option in <filename>/etc/shorewall/hosts</filename> entries for that
|
||||
zone.</para>
|
||||
</note>
|
||||
|
||||
<para>Finally, the OPTIONS, IN OPTIONS and OUT OPTIONS columns in
|
||||
/etc/shorewall/ipsec can be used to match the zone to a particular (set
|
||||
/etc/shorewall/zones can be used to match the zone to a particular (set
|
||||
of) SA(s) used to encrypt and decrypt traffic to/from the zone and the
|
||||
security policies that select which traffic to encrypt/decrypt.</para>
|
||||
|
||||
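Review bot: the rewritten line `<para>It is redundent to have <emphasis role="bold">ipsec</emphasis> in` keeps the misspelling from the removed line; since the line is being touched anyway, change it to "redundant".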
@ -319,10 +319,10 @@ ipsec net 206.162.148.9
|
||||
<para><filename>/etc/shorewall/zones</filename> — Systems A and
|
||||
B:</para>
|
||||
|
||||
<programlisting>#ZONE IPSEC OPTIONS IN OUT
|
||||
# ONLY OPTIONS OPTIONS
|
||||
vpn No
|
||||
net No
|
||||
<programlisting>#ZONE TYPE OPTIONS IN OUT
|
||||
# OPTIONS OPTIONS
|
||||
vpn plain
|
||||
net plain
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
||||
</blockquote>
|
||||
|
||||
@ -472,9 +472,9 @@ sainfo address 192.168.1.0/24 any address 134.28.54.2/32 any
|
||||
through an ESP tunnel then the following entry would be
|
||||
appropriate:</para>
|
||||
|
||||
<programlisting>#ZONE IPSEC OPTIONS IN OUT
|
||||
# ONLY OPTIONS OPTIONS
|
||||
sec yes mode=tunnel <emphasis role="bold">mss=1400</emphasis></programlisting>
|
||||
<programlisting>#ZONE TYPE OPTIONS IN OUT
|
||||
# OPTIONS OPTIONS
|
||||
sec ipsec mode=tunnel <emphasis role="bold">mss=1400</emphasis></programlisting>
|
||||
|
||||
<para>Note that CLAMPMSS=Yes in <filename>shorewall.conf</filename>
|
||||
isn't effective with the 2.6 native IPSEC implementation because there
|
||||
@ -503,11 +503,11 @@ sec yes mode=tunnel <emphasis role="bold">mss=1400</emphasis
|
||||
<blockquote>
|
||||
<para>/etc/shorewall/zones — System A</para>
|
||||
|
||||
<programlisting>#ZONE IPSEC OPTIONS IN OUT
|
||||
# ONLY OPTIONS OPTIONS
|
||||
vpn Yes
|
||||
net No
|
||||
loc No
|
||||
<programlisting>#ZONE TYPE OPTIONS IN OUT
|
||||
# OPTIONS OPTIONS
|
||||
vpn ipsec
|
||||
net plain
|
||||
loc plain
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
||||
</blockquote>
|
||||
|
||||
@ -546,11 +546,11 @@ vpn eth0:0.0.0.0/0
|
||||
<blockquote>
|
||||
<para>/etc/shorewall/zones - System B:</para>
|
||||
|
||||
<programlisting>#ZONE IPSEC OPTIONS IN OUT
|
||||
# ONLY OPTIONS OPTIONS
|
||||
vpn Yes
|
||||
net No
|
||||
loc No
|
||||
<programlisting>#ZONE TYPE OPTIONS IN OUT
|
||||
# OPTIONS OPTIONS
|
||||
vpn ipsec
|
||||
net plain
|
||||
loc plain
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
||||
|
||||
<para>/etc/shorewall/tunnels - System B:</para>
|
||||
@ -759,10 +759,10 @@ ipsec:noah net 192.168.20.0/24 loc</programlisting>
|
||||
|
||||
<para>/etc/shorewall/zones:</para>
|
||||
|
||||
<programlisting>#ZONE IPSEC OPTIONS IN OUT
|
||||
# ONLY OPTIONS OPTIONS
|
||||
loc Yes mode=transport
|
||||
net</programlisting>
|
||||
<programlisting>#ZONE TYPE OPTIONS IN OUT
|
||||
# OPTIONS OPTIONS
|
||||
loc ipsec mode=transport
|
||||
net plain</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/hosts</filename>:</para>
|
||||
|
||||
|
@ -15,7 +15,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2005-08-20</pubdate>
|
||||
<pubdate>2005-09-03</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001-2005</year>
|
||||
@ -34,6 +34,13 @@
|
||||
</legalnotice>
|
||||
</articleinfo>
|
||||
|
||||
<caution>
|
||||
<para><emphasis role="bold">This article applies to Shorewall 3.0 and
|
||||
later. If you are running a version of Shorewall earlier than Shorewall
|
||||
3.0.0 then please see the documentation for that
|
||||
release.</emphasis></para>
|
||||
</caution>
|
||||
|
||||
<important>
|
||||
<para>The information in this article is only applicable if you plan to
|
||||
have IPSEC end-points on the same system where Shorewall is used.</para>
|
||||
@ -67,13 +74,6 @@
|
||||
recommend that you consult that site for information about configuring
|
||||
FreeS/Wan.</para>
|
||||
|
||||
<warning>
|
||||
<para>IPSEC and Proxy ARP do not work unless you are running Shorewall
|
||||
2.0.1 Beta 3 or later or unless you have installed the fix to Shorewall
|
||||
2.0.0 available from the <ulink url="errata.htm">Errata
|
||||
Page</ulink>.</para>
|
||||
</warning>
|
||||
|
||||
<important>
|
||||
<para>The documentation below assumes that you have disabled
|
||||
opportunistic encryption feature in FreeS/Wan 2.0 using the following
|
||||
@ -131,67 +131,13 @@ conn packetdefault
|
||||
|
||||
<para>In /etc/shorewall/tunnels on system A, we need the following</para>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/tunnels - System A</title>
|
||||
|
||||
<tgroup cols="4">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">TYPE</entry>
|
||||
|
||||
<entry align="center">ZONE</entry>
|
||||
|
||||
<entry align="center">GATEWAY</entry>
|
||||
|
||||
<entry align="center">GATEWAY ZONE</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>ipsec</entry>
|
||||
|
||||
<entry>net</entry>
|
||||
|
||||
<entry>134.28.54.2</entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
|
||||
ipsec net 134.28.54.2</programlisting>
|
||||
|
||||
<para>In /etc/shorewall/tunnels on system B, we would have:</para>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/tunnels - System B</title>
|
||||
|
||||
<tgroup cols="4">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">TYPE</entry>
|
||||
|
||||
<entry align="center">ZONE</entry>
|
||||
|
||||
<entry align="center">GATEWAY</entry>
|
||||
|
||||
<entry align="center">GATEWAY ZONE</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>ipsec</entry>
|
||||
|
||||
<entry>net</entry>
|
||||
|
||||
<entry>206.161.148.9</entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
|
||||
ipsec net 206.161.148.9</programlisting>
|
||||
|
||||
<note>
|
||||
<para>If either of the endpoints is behind a NAT gateway then the
|
||||
@ -206,72 +152,19 @@ conn packetdefault
|
||||
zone called <quote>vpn</quote> to represent the remote subnet. Note that
|
||||
you should define the vpn zone before the net zone.</para>
|
||||
|
||||
<para><table>
|
||||
<title>/etc/shorewall/zones - Systems A and B</title>
|
||||
<para>/etc/shorewall/zones (both systems):</para>
|
||||
|
||||
<tgroup cols="3">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">ZONE</entry>
|
||||
|
||||
<entry align="center">DISPLAY</entry>
|
||||
|
||||
<entry align="center">COMMENTS</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>vpn</entry>
|
||||
|
||||
<entry>VPN</entry>
|
||||
|
||||
<entry>Remote Subnet</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>net</entry>
|
||||
|
||||
<entry>Internet</entry>
|
||||
|
||||
<entry>The big bad internet</entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table></para>
|
||||
<programlisting>#ZONE TYPE OPTIONS
|
||||
vpn plain
|
||||
net plain</programlisting>
|
||||
|
||||
<para><emphasis role="bold">If you are running kernel
|
||||
2.4:</emphasis><blockquote>
|
||||
<para>At both systems, ipsec0 would be included in
|
||||
/etc/shorewall/interfaces as a <quote>vpn</quote> interface:</para>
|
||||
|
||||
<para><table>
|
||||
<title>/etc/shorewall/interfaces - Systems A and B</title>
|
||||
|
||||
<tgroup cols="4">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">ZONE</entry>
|
||||
|
||||
<entry align="center">INTERFACE</entry>
|
||||
|
||||
<entry align="center">BROADCAST</entry>
|
||||
|
||||
<entry align="center">OPTIONS</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>vpn</entry>
|
||||
|
||||
<entry>ipsec0</entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table></para>
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
vpn ipsec0</programlisting>
|
||||
</blockquote></para>
|
||||
|
||||
<para><emphasis role="bold">If you are running kernel
|
||||
@ -289,57 +182,15 @@ conn packetdefault
|
||||
<para>You must define the vpn zone using the /etc/shorewall/hosts
|
||||
file.</para>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/hosts - System A</title>
|
||||
<para>/etc/shorewall/hosts - System A</para>
|
||||
|
||||
<tgroup cols="3">
|
||||
<thead>
|
||||
<row>
|
||||
<entry>ZONE</entry>
|
||||
<programlisting>#ZONE HOSTS OPTIONS
|
||||
vpn eth0:10.0.0.0/8</programlisting>
|
||||
|
||||
<entry>HOSTS</entry>
|
||||
<para>/etc/shorewall/hots - System B</para>
|
||||
|
||||
<entry>OPTIONS</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>vpn</entry>
|
||||
|
||||
<entry>eth0:10.0.0.0/8</entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/hosts - System B</title>
|
||||
|
||||
<tgroup cols="3">
|
||||
<thead>
|
||||
<row>
|
||||
<entry>ZONE</entry>
|
||||
|
||||
<entry>HOSTS</entry>
|
||||
|
||||
<entry>OPTIONS</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>vpn</entry>
|
||||
|
||||
<entry>eth0:192.168.1.0/24</entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
<programlisting>#ZONE HOSTS OPTIONS
|
||||
vpn eth0:192.168.1.0/24</programlisting>
|
||||
|
||||
<para>In addition, <emphasis role="bold">if you are using Masquerading
|
||||
or SNAT</emphasis> on your firewalls, you need to elmiinate the remote
|
||||
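Review bot: the added caption `<para>/etc/shorewall/hots - System B</para>` misspells the file name; it should be /etc/shorewall/hosts, matching the System A caption just above. The trailing context line "you need to elmiinate the remote" also carries a typo ("eliminate") worth fixing in the same pass.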
@ -347,102 +198,26 @@ conn packetdefault
|
||||
role="bold">replace</emphasis> your current masquerade/SNAT entries for
|
||||
the local networks.</para>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/masq - System A</title>
|
||||
<para>/etc/shorewall/masq - System A</para>
|
||||
|
||||
<tgroup cols="3">
|
||||
<thead>
|
||||
<row>
|
||||
<entry>INTERFACE</entry>
|
||||
<programlisting>#INTERFACE SUBNET ADDRESS
|
||||
eth0:!10.0.0.0/8 192.168.1.0/24</programlisting>
|
||||
|
||||
<entry>SUBNET</entry>
|
||||
<para>/etc/shorewall/masq - System B</para>
|
||||
|
||||
<entry>ADDRESS</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>eth0:!10.0.0.0/8</entry>
|
||||
|
||||
<entry>192.168.1.0/24</entry>
|
||||
|
||||
<entry>...</entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/masq System B</title>
|
||||
|
||||
<tgroup cols="3">
|
||||
<thead>
|
||||
<row>
|
||||
<entry>INTERFACE</entry>
|
||||
|
||||
<entry>SUBNET</entry>
|
||||
|
||||
<entry>ADDRESS</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>eth0:!192.168.1.0/24</entry>
|
||||
|
||||
<entry>10.0.0.0/8</entry>
|
||||
|
||||
<entry>...</entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
<programlisting>#INTERFACE SUBNET ADDRESS
|
||||
eth0:!192.168.1.0/24 10.0.0.0/8</programlisting>
|
||||
</blockquote>
|
||||
|
||||
<para>You will need to allow traffic between the <quote>vpn</quote> zone
|
||||
and the <quote>loc</quote> zone -- if you simply want to admit all traffic
|
||||
in both directions, you can use the policy file:</para>
|
||||
|
||||
<para><table>
|
||||
<title>/etc/shorewall/policy - Systems A and B</title>
|
||||
<programlisting>#SOURCE DEST POLICY LOG LEVEL
|
||||
loc vpn ACCEPT
|
||||
vpn loc ACCEPT</programlisting>
|
||||
|
||||
<tgroup cols="4">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">SOURCE</entry>
|
||||
|
||||
<entry align="center">DEST</entry>
|
||||
|
||||
<entry align="center">POLICY</entry>
|
||||
|
||||
<entry align="center">LOG LEVEL</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>loc</entry>
|
||||
|
||||
<entry>vpn</entry>
|
||||
|
||||
<entry>ACCEPT</entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>vpn</entry>
|
||||
|
||||
<entry>loc</entry>
|
||||
|
||||
<entry>ACCEPT</entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table></para>
|
||||
<para></para>
|
||||
|
||||
<para>Once you have these entries in place, restart Shorewall (type
|
||||
shorewall restart); you are now ready to configure the tunnel in <ulink
|
||||
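Review bot: the masq listings silently drop the ADDRESS column that the removed tables showed as `...`: `eth0:!10.0.0.0/8 192.168.1.0/24` now reads as a plain MASQUERADE entry, while the surrounding text tells the reader to replace their existing masquerade/SNAT entries, which for SNAT users means keeping their address. Suggest keeping a placeholder in the third column (or a `#` comment on the line) so the SNAT case is not lost. Two smaller points in this hunk: the stray empty `<para></para>` after `</table></para>` should go, and the policy `<programlisting>` is inserted between the `<title>` and `<tgroup>` of a `<para><table>` block, so make sure the whole `<para><table>` ... `</table></para>` wrapper is removed with it rather than leaving the listing inside a table that has no tgroup.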
@ -487,77 +262,14 @@ conn packetdefault
|
||||
|
||||
<para>In /etc/shorewall/tunnels on system A, we need the following</para>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/tunnels system A</title>
|
||||
|
||||
<tgroup cols="4">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">TYPE</entry>
|
||||
|
||||
<entry align="center">ZONE</entry>
|
||||
|
||||
<entry align="center">GATEWAY</entry>
|
||||
|
||||
<entry align="center">GATEWAY ZONE</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>ipsec</entry>
|
||||
|
||||
<entry>net</entry>
|
||||
|
||||
<entry>134.28.54.2</entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>ipsec</entry>
|
||||
|
||||
<entry>net</entry>
|
||||
|
||||
<entry>130.152.100.14</entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
|
||||
ipsec net 134.28.54.2
|
||||
ipsec net 130.252.100.14</programlisting>
|
||||
|
||||
<para>In /etc/shorewall/tunnels on systems B and C, we would have:</para>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/tunnels system B & C</title>
|
||||
|
||||
<tgroup cols="4">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">TYPE</entry>
|
||||
|
||||
<entry align="center">ZONE</entry>
|
||||
|
||||
<entry align="center">GATEWAY</entry>
|
||||
|
||||
<entry align="center">GATEWAY ZONE</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>ipsec</entry>
|
||||
|
||||
<entry>net</entry>
|
||||
|
||||
<entry>206.161.148.9</entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
|
||||
ipsec net 206.161.148.9</programlisting>
|
||||
|
||||
<note>
|
||||
<para>If either of the endpoints is behind a NAT gateway then the
|
||||
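Review bot: gateway address mismatch in the system A tunnels conversion: the removed table row has `130.152.100.14`, the added listing has `130.252.100.14`. One of them is a typo; check which address the ipsec.conf example in this document (the `conn packetdefault` context) uses and make both places agree, as was done for `206.161.148.9` in the B and C listing. The removed title `tunnels system B & C` also contains a bare `&`, which is not well-formed XML; any title kept in this file with that form should use `&amp;`.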
@ -570,170 +282,33 @@ conn packetdefault
|
||||
<para>On each system, we will create a zone to represent the remote
|
||||
networks. On System A:</para>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/zones system A</title>
|
||||
|
||||
<tgroup cols="3">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">ZONE</entry>
|
||||
|
||||
<entry align="center">DISPLAY</entry>
|
||||
|
||||
<entry align="center">COMMENTS</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>vpn1</entry>
|
||||
|
||||
<entry>VPN1</entry>
|
||||
|
||||
<entry>Remote Subnet on system B</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>vpn2</entry>
|
||||
|
||||
<entry>VPN2</entry>
|
||||
|
||||
<entry>Remote Subnet on system C</entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
<programlisting>#ZONE TYPE OPTIONS
|
||||
vpn1 plain
|
||||
vp2 plain</programlisting>
|
||||
|
||||
<para>On systems B and C:</para>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/zones system B & C</title>
|
||||
|
||||
<tgroup cols="3">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">ZONE</entry>
|
||||
|
||||
<entry align="center">DISPLAY</entry>
|
||||
|
||||
<entry align="center">COMMENTS</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>vpn</entry>
|
||||
|
||||
<entry>VPN</entry>
|
||||
|
||||
<entry>Remote Subnet on system A</entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
<programlisting>#ZONE TYPE OPTIONS
|
||||
vpn plain</programlisting>
|
||||
|
||||
<para>At system A, ipsec0 represents two zones so we have the following in
|
||||
/etc/shorewall/interfaces:</para>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/interfaces system A</title>
|
||||
|
||||
<tgroup cols="4">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">ZONE</entry>
|
||||
|
||||
<entry align="center">INTERFACE</entry>
|
||||
|
||||
<entry align="center">BROADCAST</entry>
|
||||
|
||||
<entry align="center">OPTIONS</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>-</entry>
|
||||
|
||||
<entry>ipsec0</entry>
|
||||
|
||||
<entry></entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
- ipsec0</programlisting>
|
||||
|
||||
<para>The /etc/shorewall/hosts file on system A defines the two VPN
|
||||
zones:</para>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/hosts system A</title>
|
||||
|
||||
<tgroup cols="3">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">ZONE</entry>
|
||||
|
||||
<entry align="center">HOSTS</entry>
|
||||
|
||||
<entry align="center">OPTIONS</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>vpn1</entry>
|
||||
|
||||
<entry>ipsec0:10.0.0.0/16</entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>vpn2</entry>
|
||||
|
||||
<entry>ipsec0:10.1.0.0/16</entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
<programlisting>#ZONE HOSTS OPTIONS
|
||||
vpn1 ipsec0:10.0.0.0/16
|
||||
vpn2 ipsec0:10.1.0.0/16</programlisting>
|
||||
|
||||
<para>At systems B and C, ipsec0 represents a single zone so we have the
|
||||
following in /etc/shorewall/interfaces:</para>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/interfaces system B & C</title>
|
||||
|
||||
<tgroup cols="4">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">ZONE</entry>
|
||||
|
||||
<entry align="center">INTERFACE</entry>
|
||||
|
||||
<entry align="center">BROADCAST</entry>
|
||||
|
||||
<entry align="center">OPTIONS</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>vpn</entry>
|
||||
|
||||
<entry>ipsec0</entry>
|
||||
|
||||
<entry></entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
vpn ipsec0</programlisting>
|
||||
|
||||
<para>On systems A, you will need to allow traffic between the
|
||||
<quote>vpn1</quote> zone and the <quote>loc</quote> zone as well as
|
||||
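Review bot: typo in the added system A zones listing: `vp2 plain` should be `vpn2 plain`. The hosts listing below (`vpn2 ipsec0:10.1.0.0/16`) and the vpn2 policy entries later in the file would otherwise reference an undeclared zone and the compile would fail. The conversion also drops the COMMENTS column (`Remote Subnet on system B`, `Remote Subnet on system C`); a trailing `#` comment on each zone line would keep that information for the reader.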
@ -741,110 +316,22 @@ conn packetdefault
|
||||
simply want to admit all traffic in both directions, you can use the
|
||||
following policy file entries on all three gateways:</para>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/policy system A</title>
|
||||
|
||||
<tgroup cols="4">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">SOURCE</entry>
|
||||
|
||||
<entry align="center">DEST</entry>
|
||||
|
||||
<entry align="center">POLICY</entry>
|
||||
|
||||
<entry align="center">LOG LEVEL</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>loc</entry>
|
||||
|
||||
<entry>vpn1</entry>
|
||||
|
||||
<entry>ACCEPT</entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>vpn1</entry>
|
||||
|
||||
<entry>loc</entry>
|
||||
|
||||
<entry>ACCEPT</entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>loc</entry>
|
||||
|
||||
<entry>vpn2</entry>
|
||||
|
||||
<entry>ACCEPT</entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>vpn2</entry>
|
||||
|
||||
<entry>loc</entry>
|
||||
|
||||
<entry>ACCEPT</entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
<programlisting>#SOURCE DEST POLICY LOG LEVEL
|
||||
loc vpn1 ACCEPT
|
||||
vpn1 loc ACCEPT
|
||||
loc vpn2 ACCEPT
|
||||
vpn2 loc ACCEPT</programlisting>
|
||||
|
||||
<para>On systems B and C, you will need to allow traffic between the
|
||||
<quote>vpn</quote> zone and the <quote>loc</quote> zone -- if you simply
|
||||
want to admit all traffic in both directions, you can use the following
|
||||
policy file entries on all three gateways:</para>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/policy system B & C</title>
|
||||
<para>/etc/shorewall/policy -- Systems B & C</para>
|
||||
|
||||
<tgroup cols="4">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">SOURCE</entry>
|
||||
|
||||
<entry align="center">DEST</entry>
|
||||
|
||||
<entry align="center">POLICY</entry>
|
||||
|
||||
<entry align="center">LOG LEVEL</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>loc</entry>
|
||||
|
||||
<entry>vpn</entry>
|
||||
|
||||
<entry>ACCEPT</entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>vpn</entry>
|
||||
|
||||
<entry>loc</entry>
|
||||
|
||||
<entry>ACCEPT</entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
<programlisting>#SOURCE DEST POLICY LOG LEVEL
|
||||
loc vpn ACCEPT
|
||||
vpn loc ACCEPT</programlisting>
|
||||
|
||||
<para>Once you have the Shorewall entries added, restart Shorewall on each
|
||||
gateway (type shorewall restart); you are now ready to configure the
|
||||
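Review bot: the added caption `<para>/etc/shorewall/policy -- Systems B & C</para>` contains a bare `&`, which makes the DocBook source ill-formed; write `&amp;`. The unchanged intro for systems B and C also still says the `loc vpn` / `vpn loc` entries can be used `on all three gateways`, but system A uses `vpn1` and `vpn2` and has its own listing just above; suggest `on systems B and C`.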
@ -856,45 +343,9 @@ conn packetdefault
|
||||
it is necessary to simply add two additional entries to the
|
||||
/etc/shorewall/policy file on system A.</para>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/policy system A</title>
|
||||
|
||||
<tgroup cols="4">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">SOURCE</entry>
|
||||
|
||||
<entry align="center">DEST</entry>
|
||||
|
||||
<entry align="center">POLICY</entry>
|
||||
|
||||
<entry align="center">LOG LEVEL</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>vpn1</entry>
|
||||
|
||||
<entry>vpn2</entry>
|
||||
|
||||
<entry>ACCEPT</entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>vpn2</entry>
|
||||
|
||||
<entry>vpn1</entry>
|
||||
|
||||
<entry>ACCEPT</entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
<programlisting>#SOURCE DEST POLICY LOG LEVEL
|
||||
vpn1 vpn2 ACCEPT
|
||||
vpn2 vpn1 ACCEPT</programlisting>
|
||||
</note>
|
||||
|
||||
<note>
|
||||
@ -920,65 +371,17 @@ conn packetdefault
|
||||
local zone. In this example, we'll assume that you have created a zone
|
||||
called <quote>vpn</quote> to represent the remote host.</para>
|
||||
|
||||
<para><table>
|
||||
<title>/etc/shorewall/zones local</title>
|
||||
<para>/etc/shorewall/zones - System A</para>
|
||||
|
||||
<tgroup cols="3">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">ZONE</entry>
|
||||
|
||||
<entry align="center">DISPLAY</entry>
|
||||
|
||||
<entry align="center">COMMENTS</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>vpn</entry>
|
||||
|
||||
<entry>VPN</entry>
|
||||
|
||||
<entry>Remote Subnet</entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table></para>
|
||||
<programlisting>#ZONE TYPE OPTIONS
|
||||
vpn plain</programlisting>
|
||||
|
||||
<para>In this instance, the mobile system (B) has IP address 134.28.54.2
|
||||
but that cannot be determined in advance. In the /etc/shorewall/tunnels
|
||||
file on system A, the following entry should be made:</para>
|
||||
|
||||
<para><table>
|
||||
<title>/etc/shorewall/tunnels system A</title>
|
||||
|
||||
<tgroup cols="4">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">TYPE</entry>
|
||||
|
||||
<entry align="center">ZONE</entry>
|
||||
|
||||
<entry align="center">GATEWAY</entry>
|
||||
|
||||
<entry align="center">GATEWAY ZONE</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>ipsec</entry>
|
||||
|
||||
<entry>net</entry>
|
||||
|
||||
<entry>0.0.0.0/0</entry>
|
||||
|
||||
<entry>vpn</entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table></para>
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
|
||||
ipsec net 0.0.0.0/0</programlisting>
|
||||
|
||||
<para><note>
|
||||
<para>the GATEWAY ZONE column contains the name of the zone
|
||||
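Review bot: the added system A tunnels listing drops the GATEWAY ZONE value. The removed table row was `ipsec net 0.0.0.0/0 vpn`, but the listing reads `ipsec net 0.0.0.0/0`. The note that immediately follows ("the GATEWAY ZONE column contains the name of the zone...") only makes sense if the value is present, so the line should be `ipsec net 0.0.0.0/0 vpn`. Minor: the new caption says `/etc/shorewall/zones - System A` while the removed title said `zones local`; pick one naming convention for this section.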
@ -1004,79 +407,15 @@ conn packetdefault
|
||||
|
||||
<para>In /etc/shorewall/zones:</para>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/zones</title>
|
||||
|
||||
<tgroup cols="3">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">ZONE</entry>
|
||||
|
||||
<entry align="center">DISPLAY</entry>
|
||||
|
||||
<entry align="center">COMMENTS</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>vpn1</entry>
|
||||
|
||||
<entry>VPN-1</entry>
|
||||
|
||||
<entry>First VPN Zone</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>vpn2</entry>
|
||||
|
||||
<entry>VPN-2</entry>
|
||||
|
||||
<entry>Second VPN Zone</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>vpn3</entry>
|
||||
|
||||
<entry>VPN-3</entry>
|
||||
|
||||
<entry>Third VPN Zone</entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
<programlisting>#ZONE TYPE OPTIONS
|
||||
vpn1 plain
|
||||
vpn2 plain
|
||||
vpn3 plain</programlisting>
|
||||
|
||||
<para>In /etc/shorewall/tunnels:</para>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/tunnels</title>
|
||||
|
||||
<tgroup cols="4">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">TYPE</entry>
|
||||
|
||||
<entry align="center">ZONE</entry>
|
||||
|
||||
<entry align="center">GATEWAY</entry>
|
||||
|
||||
<entry align="center">GATEWAY ZONE</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>ipsec</entry>
|
||||
|
||||
<entry>net</entry>
|
||||
|
||||
<entry>0.0.0.0/0</entry>
|
||||
|
||||
<entry>vpn1,vpn2,vpn3</entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
|
||||
ipsec net 0.0.0.0/0 vpn1,vpn2,vpn3</programlisting>
|
||||
|
||||
<para>When Shorewall is started, the zones vpn[1-3] will all be empty and
|
||||
Shorewall will issue warnings to that effect. These warnings may be safely
|
||||
@ -1101,49 +440,12 @@ conn packetdefault
|
||||
<para>If you include a dynamic zone in the exclude list of a DNAT rule,
|
||||
the dynamically-added hosts are not excluded from the rule.</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
DNAT z!dyn loc:192.168.1.3 tcp 80</programlisting>
|
||||
|
||||
<example>
|
||||
<title>dyn=dynamic zone</title>
|
||||
|
||||
<para><informaltable>
|
||||
<tgroup cols="7">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">ACTION</entry>
|
||||
|
||||
<entry align="center">SOURCE</entry>
|
||||
|
||||
<entry align="center">DESTINATION</entry>
|
||||
|
||||
<entry align="center">PROTOCOL</entry>
|
||||
|
||||
<entry align="center">PORT(S)</entry>
|
||||
|
||||
<entry align="center">CLIENT PORT(S)</entry>
|
||||
|
||||
<entry align="center">ORIGINAL DESTINATION</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>DNAT</entry>
|
||||
|
||||
<entry>z!dyn</entry>
|
||||
|
||||
<entry>loc:192.168.1.3</entry>
|
||||
|
||||
<entry>tcp</entry>
|
||||
|
||||
<entry>80</entry>
|
||||
|
||||
<entry></entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</informaltable></para>
|
||||
|
||||
<para>Dynamic changes to the zone <emphasis role="bold">dyn</emphasis>
|
||||
will have no effect on the above rule.</para>
|
||||
</example>
|
||||
|
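Review bot: the added DNAT listing is placed before the `<example>` element, while the informaltable it replaces was inside it. The example now consists only of its title and the sentence `Dynamic changes to the zone dyn will have no effect on the above rule`, with `the above rule` pointing outside the example. Move the `<programlisting>` inside the example, after its `<title>`, where the table was, so the title, the rule and its explanation stay together.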
@ -122,6 +122,7 @@
|
||||
example, the following zone names are used:</para>
|
||||
|
||||
<programlisting>#NAME DESCRIPTION
|
||||
fw The firewall itself
|
||||
net The Internet
|
||||
loc Your Local Network
|
||||
dmz Demilitarized Zone</programlisting>
|
||||
|
@ -15,7 +15,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2005-05-15</pubdate>
|
||||
<pubdate>2005-09-03</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2003-2005</year>
|
||||
@ -34,6 +34,13 @@
|
||||
</legalnotice>
|
||||
</articleinfo>
|
||||
|
||||
<caution>
|
||||
<para><emphasis role="bold">This article applies to Shorewall 3.0 and
|
||||
later. If you are running a version of Shorewall earlier than Shorewall
|
||||
3.0.0 then please see the documentation for that
|
||||
release.</emphasis></para>
|
||||
</caution>
|
||||
|
||||
<section>
|
||||
<title>Introduction</title>
|
||||
|
||||
@ -205,9 +212,9 @@
|
||||
|
||||
<para><filename>/etc/shorewall/zones</filename></para>
|
||||
|
||||
<programlisting>#ZONE DISPLAY COMMENTS
|
||||
loc1 Local1 Hosts accessed through internal router
|
||||
loc Local All hosts accessed via eth1</programlisting>
|
||||
<programlisting>#ZONE TYPE OPTIONS
|
||||
loc1 plain
|
||||
loc plain</programlisting>
|
||||
|
||||
<note>
|
||||
<para>the sub-zone (loc1) is defined first!</para>
|
||||
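Review bot: with the DISPLAY and COMMENTS columns gone, the zones listing no longer says which zone is the sub-zone (`Hosts accessed through internal router`) even though the note right below still relies on that: `the sub-zone (loc1) is defined first!`. Suggest carrying the old descriptions over as trailing `#` comments on each line; the same applies to the two zones listings converted in the next hunks of this file.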
@ -244,9 +251,9 @@ loc1 loc NONE</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/zones</filename></para>
|
||||
|
||||
<programlisting>#ZONE DISPLAY COMMENTS
|
||||
loc1 Local1 Hosts accessed Directly from Firewall
|
||||
loc2 Local2 Hosts accessed via the internal Router</programlisting>
|
||||
<programlisting>#ZONE TYPE OPTIONS
|
||||
loc1 plain
|
||||
loc2 plain</programlisting>
|
||||
|
||||
<note>
|
||||
<para>Here it doesn't matter which zone is defined first.</para>
|
||||
@ -287,9 +294,9 @@ loc2 loc1 NONE</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/zones</filename></para>
|
||||
|
||||
<programlisting>#ZONE DISPLAY COMMENTS
|
||||
loc1 Local1 192.168.1.8-192.168.1.15
|
||||
loc Local All hosts accessed via eth1</programlisting>
|
||||
<programlisting>#ZONE TYPE OPTIONS
|
||||
loc1 plain
|
||||
loc plain</programlisting>
|
||||
|
||||
<note>
|
||||
<para>the sub-zone (loc1) is defined first!</para>
|
||||
@ -332,9 +339,9 @@ loc1 loc NONE</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/zones</filename></para>
|
||||
|
||||
<programlisting>#ZONE DISPLAY COMMENTS
|
||||
loc Local Local Zone
|
||||
net Internet The big bad Internet</programlisting>
|
||||
<programlisting>#ZONE TYPE OPTIONS
|
||||
loc1 plain
|
||||
net plain</programlisting>
|
||||
|
||||
<note>
|
||||
<para>the sub-zone (loc) is defined first!</para>
|
||||
|
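Review bot: zone name changed during the conversion: the removed listing declared `loc` and `net`, but the added one reads `loc1 plain`. The note immediately below (`the sub-zone (loc) is defined first!`) and the rest of this example refer to `loc`, so the line should be `loc plain`.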
@ -21,7 +21,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2005-08-27</pubdate>
|
||||
<pubdate>2005-08-30</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2003</year>
|
||||
@ -46,6 +46,13 @@
|
||||
</legalnotice>
|
||||
</articleinfo>
|
||||
|
||||
<caution>
|
||||
<para><emphasis role="bold">This article applies to Shorewall 3.0 and
|
||||
later. If you are running a version of Shorewall earlier than Shorewall
|
||||
3.0.0 then please see the documentation for that
|
||||
release.</emphasis></para>
|
||||
</caution>
|
||||
|
||||
<para>OpenVPN is a robust and highly configurable VPN (Virtual Private
|
||||
Network) daemon which can be used to securely link two or more private
|
||||
networks using an encrypted tunnel over the internet. OpenVPN is an Open
|
||||
@ -97,8 +104,9 @@
|
||||
<para><filename>/etc/shorewall/zones</filename> — Systems A &
|
||||
B</para>
|
||||
|
||||
<programlisting>#ZONE DISPLAY COMMENTS
|
||||
vpn VPN Remote subnet</programlisting>
|
||||
<programlisting>#ZONE TYPE OPTIONS IN OUT
|
||||
# OPTIONS OPTIONS
|
||||
vpn plain</programlisting>
|
||||
</blockquote>
|
||||
|
||||
<para>On system A, the 10.0.0.0/8 will comprise the <emphasis
|
||||
@ -231,8 +239,9 @@ vpn loc ACCEPT</programlisting>
|
||||
<blockquote>
|
||||
<para><filename>/etc/shorewall/zones</filename> — System A:</para>
|
||||
|
||||
<programlisting>#ZONE DISPLAY COMMENTS
|
||||
road Roadwarriors Remote clients</programlisting>
|
||||
<programlisting>#ZONE TYPE OPTIONS IN OUT
|
||||
# OPTIONS OPTIONS
|
||||
road plain</programlisting>
|
||||
</blockquote>
|
||||
|
||||
<para>On system A, the remote clients will comprise the <emphasis
|
||||
@ -314,8 +323,9 @@ verb 3</programlisting>
|
||||
<blockquote>
|
||||
<para><filename>/etc/shorewall/zones</filename> — System B:</para>
|
||||
|
||||
<programlisting>#ZONE DISPLAY COMMENTS
|
||||
home Home Home LAN</programlisting>
|
||||
<programlisting>#ZONE TYPE OPTIONS IN OUT
|
||||
# OPTIONS OPTIONS
|
||||
home plain</programlisting>
|
||||
</blockquote>
|
||||
|
||||
<para>On system A, the hosts accessible through the tunnel will comprise
|
||||
|
@ -5,7 +5,7 @@
|
||||
<!--$Id$-->
|
||||
|
||||
<articleinfo>
|
||||
<title>PPTP</title>
|
||||
<title>PPTP - Unmaintained</title>
|
||||
|
||||
<authorgroup>
|
||||
<author>
|
||||
@ -92,6 +92,11 @@
|
||||
</abstract>
|
||||
</articleinfo>
|
||||
|
||||
<warning>
|
||||
<para><emphasis role="bold">This document is no longer maintained. Any
|
||||
volunteers?</emphasis></para>
|
||||
</warning>
|
||||
|
||||
<section>
|
||||
<title>Overview</title>
|
||||
|
||||
|
@ -15,7 +15,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2005-03-17</pubdate>
|
||||
<pubdate>2005-09-03</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001-2005</year>
|
||||
@ -34,6 +34,13 @@
|
||||
</legalnotice>
|
||||
</articleinfo>
|
||||
|
||||
<caution>
|
||||
<para><emphasis role="bold">This article applies to Shorewall 3.0 and
|
||||
later. If you are running a version of Shorewall earlier than Shorewall
|
||||
3.0.0 then please see the documentation for that
|
||||
release.</emphasis></para>
|
||||
</caution>
|
||||
|
||||
<section>
|
||||
<title>Background</title>
|
||||
|
||||
@ -265,9 +272,8 @@ ACCEPT net loc:192.168.1.3 tcp 22</programlisting></para>
|
||||
|
||||
<para>In <filename>/etc/shorewall/zones</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE DISPLAY DESCRIPTION
|
||||
loc Local Local Zone
|
||||
</programlisting>
|
||||
<programlisting>#ZONE TYPE OPTIONS
|
||||
loc plain</programlisting>
|
||||
|
||||
<para>In <filename>/etc/shorewall/interfaces</filename>:</para>
|
||||
|
||||
@ -285,13 +291,11 @@ loc eth1 192.168.1.255,192.168.20.255 <emphasis role="bold">rout
|
||||
separate zones and control the access between them (the users of the
|
||||
systems do not have administrative privileges).</title>
|
||||
|
||||
<para>This example applies to Shorewall 1.4.2 and later.</para>
|
||||
|
||||
<para>In <filename>/etc/shorewall/zones</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE DISPLAY DESCRIPTION
|
||||
loc Local Local Zone 1
|
||||
loc2 Local2 Local Zone 2</programlisting>
|
||||
<programlisting>#ZONE TYPE OPTIONS
|
||||
loc plain
|
||||
loc2 plain</programlisting>
|
||||
|
||||
<para>In <filename>/etc/shorewall/interfaces</filename>:</para>
|
||||
|
||||
|
@ -15,7 +15,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2005-06-01</pubdate>
|
||||
<pubdate>2005-09-03</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2003-2005</year>
|
||||
@ -34,6 +34,13 @@
|
||||
</legalnotice>
|
||||
</articleinfo>
|
||||
|
||||
<caution>
|
||||
<para><emphasis role="bold">This article applies to Shorewall 3.0 and
|
||||
later. If you are running a version of Shorewall earlier than Shorewall
|
||||
3.0.0 then please see the documentation for that
|
||||
release.</emphasis></para>
|
||||
</caution>
|
||||
|
||||
<para>Beginning with Shorewall version 1.4.8, Shorewall can interface to
|
||||
ftwall. <emphasis role="bold">ftwall</emphasis> is part of the <ulink
|
||||
url="http://p2pwall.sourceforge.net">p2pwall project</ulink> and is a
|
||||
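Review bot: the new caution states that the article applies to Shorewall 3.0 and later, but the unchanged paragraph directly after it still opens with `Beginning with Shorewall version 1.4.8, Shorewall can interface to ftwall`. That version qualifier is now stale and contradicts the caution; suggest simply `Shorewall can interface to ftwall.`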
@ -42,8 +49,9 @@
|
||||
KazaaLite, iMash and Grokster.</para>
|
||||
|
||||
<para>To filter traffic from your <quote>loc</quote> zone with ftwall, you
|
||||
insert the following rules in /etc/shorewall/rules file after any DROP or
|
||||
REJECT rules whose source is the <quote>loc</quote> zone.</para>
|
||||
insert the following rules in the ESTABLISHED section of
|
||||
/etc/shorewall/rules file after any DROP or REJECT rules whose source is the
|
||||
<quote>loc</quote> zone.</para>
|
||||
|
||||
<programlisting> #ACTION SOURCE DEST PROTO
|
||||
QUEUE loc net tcp
|
||||
|
@ -15,7 +15,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2005-02-22</pubdate>
|
||||
<pubdate>2005-09-03</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2004</year>
|
||||
@ -485,9 +485,10 @@ rc-update add bridge boot
|
||||
defined -- one for the internet and one for the local LAN so in
|
||||
<filename>/etc/shorewall/zones</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE DISPLAY COMMENTS
|
||||
net Net Internet
|
||||
loc Local Local networks
|
||||
<programlisting>#ZONE TYPE OPTIONS
|
||||
fw firewall
|
||||
net plain
|
||||
loc plain
|
||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
||||
|
||||
<para>A conventional two-zone policy file is appropriate here —
|
||||
|
@ -196,8 +196,8 @@ ipset -B Blacklist 206.124.146.177 -b SMTP</command></programlisting>
|
||||
|
||||
<para>/etc/shorewall/zones:</para>
|
||||
|
||||
<programlisting>#ZONE IPSEC OPTIONS IN OPTIONS OUT OPTIONS
|
||||
dyn No</programlisting>
|
||||
<programlisting>#ZONE TYPE OPTIONS IN OPTIONS OUT OPTIONS
|
||||
dyn plain</programlisting>
|
||||
|
||||
<para>/etc/shorewall/interfaces:</para>
|
||||
|
||||
|
@ -15,7 +15,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2005-05-26</pubdate>
|
||||
<pubdate>2005-09-03</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001-2005</year>
|
||||
@ -34,6 +34,13 @@
|
||||
</legalnotice>
|
||||
</articleinfo>
|
||||
|
||||
<caution>
|
||||
<para><emphasis role="bold">This article applies to Shorewall 3.0 and
|
||||
later. If you are running a version of Shorewall earlier than Shorewall
|
||||
3.0.0 then please see the documentation for that
|
||||
release.</emphasis></para>
|
||||
</caution>
|
||||
|
||||
<section id="Introduction">
|
||||
<title>Introduction</title>
|
||||
|
||||
@ -123,63 +130,28 @@
|
||||
instructions and some contain default entries.</para>
|
||||
|
||||
<para>Shorewall views the network where it is running as being composed of
|
||||
a set of zones. In the default installation, the following zone names are
|
||||
used:</para>
|
||||
|
||||
<table>
|
||||
<title>Zones</title>
|
||||
|
||||
<tgroup cols="2">
|
||||
<tbody>
|
||||
<row>
|
||||
<entry align="left"><emphasis role="bold">Name</emphasis></entry>
|
||||
|
||||
<entry align="left" role="underline"><emphasis
|
||||
role="bold">Description</emphasis></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>net</entry>
|
||||
|
||||
<entry>The Internet</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>loc</entry>
|
||||
|
||||
<entry>Your Local Network</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>dmz</entry>
|
||||
|
||||
<entry>Demilitarized Zone</entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
a set of zones. </para>
|
||||
|
||||
<para>Zones are defined in the file <filename><ulink
|
||||
url="Documentation.htm#Zones"><filename>/etc/shorewall/zones</filename></ulink></filename>.</para>
|
||||
|
||||
<important>
|
||||
<para>Beginning with Shorewall 2.2.0, the
|
||||
<filename>/etc/shorewall/zones</filename> file included in the release
|
||||
is empty. You can create the above set of zones by copying and pasting
|
||||
the following into the file:</para>
|
||||
<para>The <filename>/etc/shorewall/zones</filename> file included in the
|
||||
release is empty. You can create a standard set of zones by copying and
|
||||
pasting the following into the file:</para>
|
||||
|
||||
<programlisting>net Net Internet
|
||||
loc Local Local networks
|
||||
dmz DMZ Demilitarized zone</programlisting>
|
||||
<programlisting>#ZONE TYPE OPTIONS
|
||||
fw firewall
|
||||
net plain
|
||||
loc plain
|
||||
dmz plain</programlisting>
|
||||
</important>
|
||||
|
||||
<para>Shorewall also recognizes the firewall system as its own zone - by
|
||||
default, the firewall itself is known as <emphasis
|
||||
role="bold">fw</emphasis> but that may be changed in the <ulink
|
||||
url="Documentation.htm#Config"><filename>/etc/shorewall/shorewall.conf</filename></ulink>
|
||||
file. In this guide, the default name (<emphasis
|
||||
role="bold">fw</emphasis>) will be used. With the exception of <emphasis
|
||||
role="bold">fw</emphasis>, Shorewall attaches absolutely no meaning to
|
||||
<para>Note that Shorewall recognizes the firewall system as its own zone -
|
||||
The above example follows the usual convention of naming the Firewall zone
|
||||
<emphasis role="bold">fw</emphasis>. In this guide, the name <emphasis
|
||||
role="bold">fw</emphasis> will be used. With the exception of the name
|
||||
assigned to the firewall zone, Shorewall attaches absolutely no meaning to
|
||||
zone names. Zones are entirely what YOU make of them. That means that you
|
||||
should not expect Shorewall to do something special <quote>because this is
|
||||
the internet zone</quote> or <quote>because that is the
|
||||
|