Shorewall 1.4.3

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@555 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2003-05-18 18:38:34 +00:00
parent 64064bce9a
commit 72bb7e0a83
42 changed files with 18162 additions and 18273 deletions


@ -1,15 +1,11 @@
Changes since 1.4.1 Changes since 1.4.2
1. Re-order steps in the 'check' command so that the policy file is 1. The 'add' and 'delete' commands no longer leave behind a temporary
checked before the rules file. directory in /tmp.
2. Create an intermediate chain for input from zones defined in terms 2. Added support for 6to4 tunnels.
of specific hosts or networks.
3. Fixed common.def to use 'reject' rather than 'REJECT'. 3. Added $LOGMARKER for fireparse support
4. Added support for INCLUDE directive in all files. 4. Return more appropriate ICMP responses if the systems supports them.
5. Made traceroute -I work.
6. Add 'routeback' interface and host attribute.
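Review bot: item 4 of the new "Changes since 1.4.2" list reads "if the systems supports them"; it should be "if the system supports them". Item 2 ("Added support for 6to4 tunnels") would help upgraders more if it named the new documentation file (STABLE/documentation/6to4.htm) and repeated its caveat that the tunnels entry only admits the IPv4 encapsulation protocol (41) to and from the remote gateway and filters nothing inside the IPv6 stream.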

STABLE/documentation/6to4.htm Executable file

@ -0,0 +1,141 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>6to4 Tunnels</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">6to4 Tunnels</font></h1>
</td>
</tr>
</tbody>
</table>
<h3>The 6to4 tunnel documentation is provided by Eric de Thouars.<br>
</h3>
<h3><font color="#ff6633">Warning: </font>The 6to4 tunnel feature of Shorewall
only facilitates IPv6 over IPv4 tunneling. It does not provide any IPv6 security
measures.</h3>
<p>6to4 tunneling with Shorewall can be used to connect your IPv6 network
to another IPv6 network over an IPv4 infrastructure</p>
<p>More information on Linux and IPv6 can be found in the <a
href="http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO">Linux IPv6 HOWTO</a>.
Details on how to setup a 6to4 tunnels are described in the section <a
href="http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO/configuring-ipv6to4-tunnels.html">Setup
of 6to4 tunnels</a>.</p>
<h2>Connecting two IPv6 Networks</h2>
<p>Suppose that we have the following situation:</p>
<p align="center"> <img border="0" src="images/TwoIPv6Nets1.png"
width="745" height="427" alt="">
</p>
<p align="left">We want systems in the 2002:100:333::/64 subnetwork to be
able to communicate with the systems in the 2002:488:999::/64 network. This
is accomplished through use of the /etc/shorewall/tunnels file and the "ip"
utility for network interface and routing configuration.</p>
<p align="left">Unlike GRE and IPIP tunneling, the /etc/shorewall/policy,
/etc/shorewall/interfaces and /etc/shorewall/zones files are not used. There
is no need to declare a zone to represent the remote IPv6 network. This
remote network is not visible on IPv4 interfaces and to iptables. All that
is visible on the IPv4 level is an IPv4 stream which contains IPv6 traffic.
Separate IPv6 interfaces and ip6tables rules need to be defined to handle
this traffic. </p>
<p align="left">In /etc/shorewall/tunnels on system A, we need the following:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>TYPE</b></td>
<td><b>ZONE</b></td>
<td><b>GATEWAY</b></td>
<td><b>GATEWAY ZONE</b></td>
</tr>
<tr>
<td>6to4</td>
<td>net</td>
<td>134.28.54.2</td>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
<p>This entry in /etc/shorewall/tunnels, opens the firewall so that the IPv6
encapsulation protocol (41) will be accepted to/from the remote gateway.</p>
<p>Use the following commands to setup system A:</p>
<blockquote>
<p>&gt;ip tunnel add tun6to4 mode sit ttl 254 remote 134.28.54.2<br>
&gt;ip link set dev tun6to4 up<br>
&gt;ip addr add 3ffe:8280:0:2001::1/64 dev tun6to4<br>
&gt;ip route add 2002:488:999::/64 via 3ffe:8280:0:2001::2</p>
</blockquote>
<p>Similarly, in /etc/shorewall/tunnels on system B we have:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>TYPE</b></td>
<td><b>ZONE</b></td>
<td><b>GATEWAY</b></td>
<td><b>GATEWAY ZONE</b></td>
</tr>
<tr>
<td>6to4</td>
<td>net</td>
<td>206.191.148.9</td>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
<p>And use the following commands to setup system B:</p>
<blockquote>
<p>&gt;ip tunnel add tun6to4 mode sit ttl 254 remote 206.191.148.9<br>
&gt;ip link set dev tun6to4 up<br>
&gt;ip addr add 3ffe:8280:0:2001::2/64 dev tun6to4<br>
&gt;ip route add 2002:100:333::/64 via 3ffe:8280:0:2001::1</p>
</blockquote>
<p>On both systems, restart Shorewall and issue the configuration commands
as listed above. The systems in both IPv6 subnetworks can now talk to each
other using IPv6.</p>
<p><font size="2">Updated 5/18/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003Thomas M. Eastep.</font></a></p>
<br>
<br>
</body>
</html>
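Review bot: the Warning at the top states that the feature provides no IPv6 security measures, and the body says "Separate IPv6 interfaces and ip6tables rules need to be defined to handle this traffic", yet the setup commands for both systems stop at `ip route add` with no ip6tables step at all. Once the tunnels entry admits protocol 41 from the remote gateway, whatever the IPv6 payload carries arrives on tun6to4 with only the host's ip6tables policy in the way, so the procedure should end with an explicit ip6tables step for tun6to4 (or at least a pointer to where those rules belong) rather than "The systems in both IPv6 subnetworks can now talk to each other". Minor: the copyright line is missing a space in "2003Thomas M. Eastep".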



@ -27,18 +27,19 @@
<h2><font color="#660066">Configuring FreeS/Wan</font></h2> <h2><font color="#660066">Configuring FreeS/Wan</font></h2>
There is an excellent guide to configuring IPSEC tunnels at<a There is an excellent guide to configuring IPSEC tunnels at<a
href="http://jixen.tripod.com"> http://jixen.tripod.com</a> . I highly recommend href="http://www.geocities.com/jixen66/"> http://www.geocities.com/jixen66/</a>
that you consult that site for information about confuring FreeS/Wan.  . I highly recommend that you consult that site for information about confuring
FreeS/Wan. 
<p><font color="#ff6633"><b>Warning: </b></font>Do not use Proxy ARP and <p><font color="#ff6633"><b>Warning: </b></font>Do not use Proxy ARP and
FreeS/Wan on the same system unless you are prepared to suffer the consequences. FreeS/Wan on the same system unless you are prepared to suffer the consequences.
If you start or restart Shorewall with an IPSEC tunnel active, the proxied If you start or restart Shorewall with an IPSEC tunnel active, the proxied
IP addresses are mistakenly assigned to the IPSEC tunnel device (ipsecX) IP addresses are mistakenly assigned to the IPSEC tunnel device (ipsecX)
rather than to the interface that you specify in the INTERFACE column of rather than to the interface that you specify in the INTERFACE column of
/etc/shorewall/proxyarp. I haven't had the time to debug this problem so I /etc/shorewall/proxyarp. I haven't had the time to debug this problem so
can't say if it is a bug in the Kernel or in FreeS/Wan. </p> I can't say if it is a bug in the Kernel or in FreeS/Wan. </p>
<p>You <b>might</b> be able to work around this problem using the following <p>You <b>might</b> be able to work around this problem using the following
(I haven't tried it):</p> (I haven't tried it):</p>
<p>In /etc/shorewall/init, include:</p> <p>In /etc/shorewall/init, include:</p>
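Review bot: the reworded sentence keeps the misspelling "confuring FreeS/Wan"; since the link target is being changed in this line anyway, correct it to "configuring" in the same edit.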
@ -57,7 +58,7 @@ rather than to the interface that you specify in the INTERFACE column of
</font></p> </font></p>
</font> </font>
<p align="left">We want systems in the 192.168.1.0/24 sub-network to be able <p align="left">We want systems in the 192.168.1.0/24 sub-network to be able
to communicate with systems in the 10.0.0.0/8 network.</p> to communicate with systems in the 10.0.0.0/8 network.</p>
<p align="left">To make this work, we need to do two things:</p> <p align="left">To make this work, we need to do two things:</p>
@ -67,7 +68,7 @@ to communicate with systems in the 10.0.0.0/8 network.</p>
<p align="left">b) Allow traffic through the tunnel.</p> <p align="left">b) Allow traffic through the tunnel.</p>
<p align="left">Opening the firewall for the IPSEC tunnel is accomplished <p align="left">Opening the firewall for the IPSEC tunnel is accomplished
by adding an entry to the /etc/shorewall/tunnels file.</p> by adding an entry to the /etc/shorewall/tunnels file.</p>
<p align="left">In /etc/shorewall/tunnels on system A, we need the following </p> <p align="left">In /etc/shorewall/tunnels on system A, we need the following </p>
@ -114,13 +115,14 @@ by adding an entry to the /etc/shorewall/tunnels file.</p>
</blockquote> </blockquote>
<p align="left"><b>Note: </b>If either of the endpoints is behind a NAT gateway <p align="left"><b>Note: </b>If either of the endpoints is behind a NAT gateway
then the tunnels file entry on the <u><b>other</b></u> endpoint should specify then the tunnels file entry on the <u><b>other</b></u> endpoint should specify
a tunnel type of <i>ipsecnat</i> rather than <i>ipsec</i> and the GATEWAY a tunnel type of <i>ipsecnat</i> rather than <i>ipsec</i> and the GATEWAY
address should specify the external address of the NAT gateway.<br> address should specify the external address of the NAT gateway.<br>
</p> </p>
<p align="left">You need to define a zone for the remote subnet or include <p align="left">You need to define a zone for the remote subnet or include
it in your local zone. In this example, we'll assume that you have created it in your local zone. In this example, we'll assume that you have
a zone called "vpn" to represent the remote subnet.</p> created a zone called "vpn" to represent the remote subnet.</p>
<blockquote> <blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;"> <table border="2" cellpadding="2" style="border-collapse: collapse;">
@ -141,7 +143,7 @@ a zone called "vpn" to represent the remote subnet.</p>
</blockquote> </blockquote>
<p align="left">At both systems, ipsec0 would be included in /etc/shorewall/interfaces <p align="left">At both systems, ipsec0 would be included in /etc/shorewall/interfaces
as a "vpn" interface:</p> as a "vpn" interface:</p>
<blockquote> <blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;"> <table border="2" cellpadding="2" style="border-collapse: collapse;">
@ -198,7 +200,7 @@ shorewall restart); you are now ready to configure the tunnel in <a
href="http://www.xs4all.nl/%7Efreeswan/"> FreeS/WAN</a> .</p> href="http://www.xs4all.nl/%7Efreeswan/"> FreeS/WAN</a> .</p>
<h2><font color="#660066"><a name="RoadWarrior"></a> Mobile System (Road <h2><font color="#660066"><a name="RoadWarrior"></a> Mobile System (Road
Warrior)</font></h2> Warrior)</font></h2>
<p>Suppose that you have a laptop system (B) that you take with you when you <p>Suppose that you have a laptop system (B) that you take with you when you
travel and you want to be able to establish a secure connection back to your travel and you want to be able to establish a secure connection back to your
@ -210,7 +212,7 @@ local network.</p>
<p align="left">You need to define a zone for the laptop or include it in <p align="left">You need to define a zone for the laptop or include it in
your local zone. In this example, we'll assume that you have created your local zone. In this example, we'll assume that you have created
a zone called "vpn" to represent the remote host.</p> a zone called "vpn" to represent the remote host.</p>
<blockquote> <blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;"> <table border="2" cellpadding="2" style="border-collapse: collapse;">
@ -231,8 +233,8 @@ a zone called "vpn" to represent the remote host.</p>
</blockquote> </blockquote>
<p align="left"> In this instance, the mobile system (B) has IP address 134.28.54.2 <p align="left"> In this instance, the mobile system (B) has IP address 134.28.54.2
but that cannot be determined in advance. In the /etc/shorewall/tunnels file but that cannot be determined in advance. In the /etc/shorewall/tunnels
on system A, the following entry should be made:</p> file on system A, the following entry should be made:</p>
<blockquote> <blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;"> <table border="2" cellpadding="2" style="border-collapse: collapse;">
@ -255,8 +257,9 @@ on system A, the following entry should be made:</p>
</blockquote> </blockquote>
<p>Note that the GATEWAY ZONE column contains the name of the zone corresponding <p>Note that the GATEWAY ZONE column contains the name of the zone corresponding
to peer subnetworks. This indicates that the gateway system itself comprises to peer subnetworks. This indicates that the gateway system itself comprises
the peer subnetwork; in other words, the remote gateway is a standalone system.</p> the peer subnetwork; in other words, the remote gateway is a standalone
system.</p>
<p>You will need to configure /etc/shorewall/interfaces and establish <p>You will need to configure /etc/shorewall/interfaces and establish
your "through the tunnel" policy as shown under the first example above.<br> your "through the tunnel" policy as shown under the first example above.<br>
@ -264,8 +267,8 @@ the peer subnetwork; in other words, the remote gateway is a standalone system.<
<h2><a name="Dynamic"></a>Dynamic RoadWarrior Zones</h2> <h2><a name="Dynamic"></a>Dynamic RoadWarrior Zones</h2>
Beginning with Shorewall release 1.3.10, you can define multiple VPN zones Beginning with Shorewall release 1.3.10, you can define multiple VPN zones
and add and delete remote endpoints dynamically using /sbin/shorewall. In and add and delete remote endpoints dynamically using /sbin/shorewall. In
/etc/shorewall/zones:<br> /etc/shorewall/zones:<br>
<br> <br>
<blockquote> <blockquote>
@ -340,27 +343,78 @@ and add and delete remote endpoints dynamically using /sbin/shorewall. In
<br> <br>
</blockquote> </blockquote>
When Shorewall is started, the zones vpn[1-3] will all be empty and Shorewall When Shorewall is started, the zones vpn[1-3] will all be empty and Shorewall
will issue warnings to that effect. These warnings may be safely ignored. will issue warnings to that effect. These warnings may be safely ignored.
FreeS/Wan may now be configured to have three different Road Warrior connections FreeS/Wan may now be configured to have three different Road Warrior connections
with the choice of connection being based on X-509 certificates or some other with the choice of connection being based on X-509 certificates or some
means. Each of these connectioins will utilize a different updown script that other means. Each of these connectioins will utilize a different updown
adds the remote station to the appropriate zone when the connection comes script that adds the remote station to the appropriate zone when the connection
up and that deletes the remote station when the connection comes down. For comes up and that deletes the remote station when the connection comes down.
example, when 134.28.54.2 connects for the vpn2 zone the 'up' part of the For example, when 134.28.54.2 connects for the vpn2 zone the 'up' part of
script will issue the command":<br> the script will issue the command":<br>
<br> <br>
<blockquote>/sbin/shorewall add ipsec0:134.28.54.2 vpn2<br> <blockquote>/sbin/shorewall add ipsec0:134.28.54.2 vpn2<br>
</blockquote> </blockquote>
and the 'down' part will:<br> and the 'down' part will:<br>
<blockquote>/sbin/shorewall delete ipsec0:134.28.54.2 vpn</blockquote> <blockquote>/sbin/shorewall delete ipsec0:134.28.54.2 vpn<br>
<br>
</blockquote>
<h3>Limitations of Dynamic Zones</h3>
If you include a dynamic zone in the exclude list of a DNAT rule, the dynamically-added
hosts are not excluded from the rule.<br>
<br>
Example with dyn=dynamic zone:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="2" border="1">
<tbody>
<tr>
<td valign="top"><u><b>ACTION<br>
</b></u></td>
<td valign="top"><u><b>SOURCE<br>
</b></u></td>
<td valign="top"><u><b>DESTINATION<br>
</b></u></td>
<td valign="top"><u><b>PROTOCOL<br>
</b></u></td>
<td valign="top"><u><b>PORT(S)<br>
</b></u></td>
<td valign="top"><u><b>CLIENT<br>
PORT(S)<br>
</b></u></td>
<td valign="top"><u><b>ORIGINAL<br>
DESTINATION<br>
</b></u></td>
</tr>
<tr>
<td valign="top">DNAT<br>
</td>
<td valign="top">z:dyn<br>
</td>
<td valign="top">loc:192.168.1.3<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">80<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
</blockquote>
Dynamic changes to the zone <b>dyn</b> will have no effect on the above rule.
<p><font size="2">Last updated 10/23/2002 - </font><font size="2"> <p><font size="2">Last updated 5/3//2003 - </font><font size="2"> <a
<a href="support.htm">Tom Eastep</a></font> </p> href="support.htm">Tom Eastep</a></font> </p>
<p><a href="copyright.htm"><font size="2"> <p><a href="copyright.htm"><font size="2"> Copyright</font> © <font
Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></p> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></p>
<br>
<br>
<br> <br>
<br> <br>
</body> </body>
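Review bot: the dynamic-zone example is internally inconsistent and this hunk touches the affected line without fixing it: the 'up' script adds the host with `/sbin/shorewall add ipsec0:134.28.54.2 vpn2`, but the 'down' script removes it with `/sbin/shorewall delete ipsec0:134.28.54.2 vpn`, so the vpn2 entry would outlive the tunnel and the host would keep its vpn2 access until the next restart; the delete should name vpn2. In the new "Limitations of Dynamic Zones" section, the prose warns about the exclude list of a DNAT rule, but the table shows a plain `z:dyn` SOURCE with no exclusion, so it does not show the rule form that is actually affected; showing the exclusion syntax would let readers recognise it in their own rules file. Also "connectioins" and the stray quote in `command":` survive the reflow, and the new date reads "5/3//2003".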


@ -18,7 +18,6 @@
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Installation and <h1 align="center"><font color="#ffffff">Shorewall Installation and
Upgrade</font></h1> Upgrade</font></h1>
</td> </td>
@ -31,10 +30,10 @@
href="upgrade_issues.htm">Upgrade Issues<br> href="upgrade_issues.htm">Upgrade Issues<br>
</a></b></p> </a></b></p>
<div align="left"><b><br> <div align="left"><b>Before attempting installation, I strongly urge you
Before attempting installation, I strongly urge you to read and print a to read and print a copy of the <a
copy of the <a href="shorewall_quickstart_guide.htm">Shorewall QuickStart href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
Guide</a> for the configuration that most closely matches your own.</b><br> for the configuration that most closely matches your own.</b><br>
</div> </div>
<p><font size="4"><b><a href="#Install_RPM">Install using RPM</a><br> <p><font size="4"><b><a href="#Install_RPM">Install using RPM</a><br>
@ -72,16 +71,16 @@ diagnostic:<br>
<br> <br>
<br> <br>
This may be worked around by using the --nodeps option of rpm (rpm -ivh This may be worked around by using the --nodeps option of rpm (rpm -ivh
--nodeps &lt;shorewall rpm&gt;).<br> --nodeps &lt;shorewall rpm&gt;).<br>
<br> <br>
</li> </li>
<li>Edit the <a href="#Config_Files"> configuration files</a> to <li>Edit the <a href="#Config_Files"> configuration files</a>
match your configuration. <font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u> to match your configuration. <font color="#ff0000"><b>WARNING - YOU CAN
SIMPLY INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION <u>NOT</u> SIMPLY INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND.
IS REQUIRED BEFORE THE FIREWALL WILL START. IF YOU ISSUE A "start" COMMAND SOME CONFIGURATION IS REQUIRED BEFORE THE FIREWALL WILL START. IF YOU
AND THE FIREWALL FAILS TO START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY ISSUE A "start" COMMAND AND THE FIREWALL FAILS TO START, YOUR SYSTEM
NETWORK TRAFFIC. IF THIS HAPPENS, ISSUE A "shorewall clear" COMMAND TO WILL NO LONGER ACCEPT ANY NETWORK TRAFFIC. IF THIS HAPPENS, ISSUE A "shorewall
RESTORE NETWORK CONNECTIVITY.</b></font></li> clear" COMMAND TO RESTORE NETWORK CONNECTIVITY.</b></font></li>
<li>Start the firewall by typing "shorewall start"</li> <li>Start the firewall by typing "shorewall start"</li>
</ul> </ul>
@ -104,11 +103,11 @@ RESTORE NETWORK CONNECTIVITY.</b></font></li>
type "./install.sh /etc/init.d"</li> type "./install.sh /etc/init.d"</li>
<li>If your distribution has directory /etc/rc.d/init.d <li>If your distribution has directory /etc/rc.d/init.d
or /etc/init.d then type "./install.sh"</li> or /etc/init.d then type "./install.sh"</li>
<li>For other distributions, determine where your distribution <li>For other distributions, determine where your
installs init scripts and type "./install.sh &lt;init script distribution installs init scripts and type "./install.sh
directory&gt;</li> &lt;init script directory&gt;</li>
<li>Edit the <a href="#Config_Files"> configuration files</a> to <li>Edit the <a href="#Config_Files"> configuration files</a>
match your configuration.</li> to match your configuration.</li>
<li>Start the firewall by typing "shorewall start"</li> <li>Start the firewall by typing "shorewall start"</li>
<li>If the install script was unable to configure Shorewall to <li>If the install script was unable to configure Shorewall to
be started automatically at boot, see <a be started automatically at boot, see <a
@ -118,34 +117,34 @@ be started automatically at boot, see <a
<p><a name="LRP"></a>To install my version of Shorewall on a fresh Bering <p><a name="LRP"></a>To install my version of Shorewall on a fresh Bering
disk, simply replace the "shorwall.lrp" file on the image with the file disk, simply replace the "shorwall.lrp" file on the image with the file
that you downloaded. See the <a href="two-interface.htm">two-interface QuickStart that you downloaded. See the <a href="two-interface.htm">two-interface
Guide</a> for information about further steps required.</p> QuickStart Guide</a> for information about further steps required.</p>
<p><a name="Upgrade_RPM"></a>If you already have the Shorewall RPM installed <p><a name="Upgrade_RPM"></a>If you already have the Shorewall RPM installed
and are upgrading to a new version:</p> and are upgrading to a new version:</p>
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.4 version <p>If you are upgrading from a 1.2 version of Shorewall to a 1.4 version or
or and you have entries in the /etc/shorewall/hosts file then please check and you have entries in the /etc/shorewall/hosts file then please check
your /etc/shorewall/interfaces file to be sure that it contains an entry your /etc/shorewall/interfaces file to be sure that it contains an entry
for each interface mentioned in the hosts file. Also, there are certain for each interface mentioned in the hosts file. Also, there are certain
1.2 rule forms that are no longer supported under 1.4 (you must use the 1.2 rule forms that are no longer supported under 1.4 (you must use the
new 1.4 syntax). See <a href="errata.htm#Upgrade">the upgrade issues </a>for new 1.4 syntax). See <a href="errata.htm#Upgrade">the upgrade issues </a>for
details.</p> details.</p>
<ul> <ul>
<li>Upgrade the RPM (rpm -Uvh &lt;shorewall rpm file&gt;) <b>Note: <li>Upgrade the RPM (rpm -Uvh &lt;shorewall rpm file&gt;) <b>Note:
</b>If you are installing version 1.2.0 and have one of the 1.2.0 </b>If you are installing version 1.2.0 and have one of the 1.2.0
Beta RPMs installed, you must use the "--oldpackage" option to rpm Beta RPMs installed, you must use the "--oldpackage" option to rpm (e.g.,
(e.g., "rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm"). "rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm").
<p> <b>Note1: </b>Some SuSE users have encountered a problem whereby <p> <b>Note1: </b>Some SuSE users have encountered a problem whereby
rpm reports a conflict with kernel &lt;= 2.2 even though a 2.4 kernel rpm reports a conflict with kernel &lt;= 2.2 even though a 2.4 kernel
is installed. If this happens, simply use the --nodeps option to rpm is installed. If this happens, simply use the --nodeps option to rpm
(rpm -Uvh --nodeps &lt;shorewall rpm&gt;).<br> (rpm -Uvh --nodeps &lt;shorewall rpm&gt;).<br>
<br> <br>
<b>Note2: </b>Beginning with Shorewall 1.4.0, Shorewall is dependent <b>Note2: </b>Beginning with Shorewall 1.4.0, Shorewall is dependent
on the iproute package. Unfortunately, some distributions call this package on the iproute package. Unfortunately, some distributions call this package
iproute2 which will cause the upgrade of Shorewall to fail with the diagnostic:<br> iproute2 which will cause the upgrade of Shorewall to fail with the diagnostic:<br>
<br> <br>
     error: failed dependencies:iproute is needed by shorewall-1.4.0-1      error: failed dependencies:iproute is needed by shorewall-1.4.0-1
<br> <br>
@ -160,16 +159,16 @@ iproute2 which will cause the upgrade of Shorewall to fail with the diagnostic:<
</ul> </ul>
<p><a name="Upgrade_Tarball"></a>If you already have Shorewall installed and <p><a name="Upgrade_Tarball"></a>If you already have Shorewall installed
are upgrading to a new version using the tarball:</p> and are upgrading to a new version using the tarball:</p>
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.4 version and <p>If you are upgrading from a 1.2 version of Shorewall to a 1.4 version
you have entries in the /etc/shorewall/hosts file then please check your and you have entries in the /etc/shorewall/hosts file then please check
/etc/shorewall/interfaces file to be sure that it contains an entry for your /etc/shorewall/interfaces file to be sure that it contains an entry
each interface mentioned in the hosts file.  Also, there are certain 1.2 for each interface mentioned in the hosts file.  Also, there are certain
rule forms that are no longer supported under 1.4 (you must use the new 1.2 rule forms that are no longer supported under 1.4 (you must use the
1.4 syntax). See <a href="errata.htm#Upgrade">the upgrade issues</a> for new 1.4 syntax). See <a href="errata.htm#Upgrade">the upgrade issues</a>
details. </p> for details. </p>
<ul> <ul>
<li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li> <li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
@ -186,9 +185,9 @@ details. </p>
type "./install.sh /etc/init.d"</li> type "./install.sh /etc/init.d"</li>
<li>If your distribution has directory /etc/rc.d/init.d <li>If your distribution has directory /etc/rc.d/init.d
or /etc/init.d then type "./install.sh"</li> or /etc/init.d then type "./install.sh"</li>
<li>For other distributions, determine where your distribution <li>For other distributions, determine where your
installs init scripts and type "./install.sh &lt;init script distribution installs init scripts and type "./install.sh
directory&gt;</li> &lt;init script directory&gt;</li>
<li>See if there are any incompatibilities between your configuration <li>See if there are any incompatibilities between your configuration
and the new Shorewall version (type "shorewall check") and correct as and the new Shorewall version (type "shorewall check") and correct as
necessary.</li> necessary.</li>
@ -202,8 +201,8 @@ details. </p>
<h3><a name="Config_Files"></a>Configuring Shorewall</h3> <h3><a name="Config_Files"></a>Configuring Shorewall</h3>
<p>You will need to edit some or all of the configuration files to match <p>You will need to edit some or all of the configuration files to match your
your setup. In most cases, the <a href="shorewall_quickstart_guide.htm">Shorewall setup. In most cases, the <a href="shorewall_quickstart_guide.htm">Shorewall
QuickStart Guides</a> contain all of the information you need.</p> QuickStart Guides</a> contain all of the information you need.</p>
<ul> <ul>
@ -214,14 +213,7 @@ your setup. In most cases, the <a href="shorewall_quickstart_guide.htm">Shorewa
</font></p> </font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></p> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
<br> </p>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
</body> </body>
</html> </html>

File diff suppressed because it is too large Load Diff


@ -27,23 +27,41 @@
</tbody> </tbody>
</table> </table>
<h4>NOTE: I am no longer attempting to maintain MPPE patches for current
Linux kernel's and pppd. I recommend that you refer to the following URLs
for information about installing MPPE into your kernel and pppd.</h4>
<h4>The <a href="http://pptpclient.sourceforge.net">Linux PPTP client project
</a>has a nice GUI for configuring and managing VPN connections where your
Linux system is the PPTP client. This is what I currently use. I am no longer
running PoPToP but rather I use the PPTP Server included with XP Professional
(see <a href="#ServerBehind">PPTP Server running behind your Firewall</a>
below).</h4>
    <a href="http://pptpclient.sourceforge.net">http://pptpclient.sourceforge.net</a>
(Everything you need to run a PPTP client).<br>
    <a href="http://www.poptop.org">http://www.poptop.org</a> (The 'kernelmod'
package can be used to quickly install MPPE into your kernel without rebooting).<br>
<h4>I am leaving the instructions for building MPPE-enabled kernels and pppd
in the text below for those who may wish to obtain the relevant current patches
and "roll their own".<br>
</h4>
<hr width="100%" size="2">
<p align="left">Shorewall easily supports PPTP in a number of configurations:</p> <p align="left">Shorewall easily supports PPTP in a number of configurations:</p>
<ul> <ul>
<li> <a href="#ServerFW">PPTP Server running on your Firewall</a></li> <li> <a href="#ServerFW">PPTP Server running on your Firewall</a></li>
<li> <a href="#ServerBehind">PPTP Server running behind your <li> <a href="#ServerBehind">PPTP Server running behind your Firewall.</a></li>
Firewall.</a></li>
<li> <a href="#ClientsBehind">PPTP Clients running behind your <li> <a href="#ClientsBehind">PPTP Clients running behind your
Firewall.</a></li> Firewall.</a></li>
<li> <a href="#ClientFW">PPTP Client running on your Firewall.</a></li> <li> <a href="#ClientFW">PPTP Client running on your Firewall.</a></li>
</ul> </ul>
<h2 align="center"><a name="ServerFW"></a>1. PPTP Server Running on your Firewall</h2> <h2 align="center"><a name="ServerFW"></a>1. PPTP Server Running on your
Firewall</h2>
<p>I will try to give you an idea of how to set up a PPTP server on your firewall <p>I will try to give you an idea of how to set up a PPTP server on your
system. This isn't a detailed HOWTO but rather an example of how I have set firewall system. This isn't a detailed HOWTO but rather an example of how
up a working PPTP server on my own firewall.</p> I have set up a working PPTP server on my own firewall.</p>
<p>The steps involved are:</p> <p>The steps involved are:</p>
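Review bot: in the new MPPE note, "current Linux kernel's and pppd" should be "current Linux kernels and pppd", and the two reference links (pptpclient.sourceforge.net and www.poptop.org) sit as bare text between `<h4>` blocks rather than in a `<p>` or a list, so they render inconsistently with the rest of the page; putting them in a `<ul>` would match the list of configurations just below.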
@ -95,8 +113,8 @@ to use encryption:</p>
</ul> </ul>
<p>You will need to install the resulting binary on your firewall system. <p>You will need to install the resulting binary on your firewall system.
To do that, I NFS mount my source filesystem and use "make install" from the To do that, I NFS mount my source filesystem and use "make install" from
ppp-2.4.1 directory.</p> the ppp-2.4.1 directory.</p>
<h3><a name="PatchKernel"></a>Patching and Building your Kernel</h3> <h3><a name="PatchKernel"></a>Patching and Building your Kernel</h3>
@ -128,8 +146,8 @@ ppp-2.4.1 directory.</p>
<h3><a name="Samba"></a>Configuring Samba</h3> <h3><a name="Samba"></a>Configuring Samba</h3>
<p>You will need a WINS server (Samba configured to run as a WINS server is <p>You will need a WINS server (Samba configured to run as a WINS server
fine). Global section from /etc/samba/smb.conf on my WINS server (192.168.1.3) is fine). Global section from /etc/samba/smb.conf on my WINS server (192.168.1.3)
is:</p> is:</p>
<blockquote> <blockquote>
@ -305,7 +323,7 @@ the remote hosts look like they are part of the local subnetwork.</li>
<td>net</td> <td>net</td>
<td>eth0</td> <td>eth0</td>
<td>206.124.146.255</td> <td>206.124.146.255</td>
<td>noping,norfc1918</td> <td>norfc1918</td>
</tr> </tr>
<tr> <tr>
<td>loc</td> <td>loc</td>
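Review bot: dropping `noping` from the net/eth0 OPTIONS changes how ICMP echo-requests from the net zone are treated (they stop being dropped at the interface and fall through to the rules and policy), and nothing in this commit's changes list or the surrounding text says why. If this reflects the option no longer being supported in 1.4, a sentence to that effect next to the table or in the upgrade notes would stop readers from copying an example that silently behaves differently from their older setup.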
@ -337,7 +355,8 @@ the remote hosts look like they are part of the local subnetwork.</li>
<tr> <tr>
<td>loc</td> <td>loc</td>
<td>eth2:192.168.1.0/24</td> <td>eth2:192.168.1.0/24</td>
<td>routestopped</td> <td><br>
</td>
</tr> </tr>
<tr> <tr>
<td>loc</td> <td>loc</td>
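Review bot: removing `routestopped` from the `loc eth2:192.168.1.0/24` hosts entry changes which traffic is still allowed while the firewall is stopped, and the commit does not say whether this is intentional or whether the entry has moved to /etc/shorewall/routestopped; a reader who copies the example as-is will lose access from the local subnet during a "shorewall stop". A one-line note beside the table would make the intent clear.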
@ -421,9 +440,10 @@ the remote hosts look like they are part of the local subnetwork.</li>
</table> </table>
</blockquote> </blockquote>
<p align="left"><b>/etc/shoreawll/tunnels (For Shorewall versions 1.3.10 <p align="left"><b>/etc/shoreawll/tunnels (For Shorewall versions 1.3.10 and
and later)<br> later)<br>
</b></p> </b></p>
<blockquote> <blockquote>
<table cellpadding="2" border="2" style="border-collapse: collapse;"> <table cellpadding="2" border="2" style="border-collapse: collapse;">
<tbody> <tbody>
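Review bot: the path typo `/etc/shoreawll/tunnels` in the heading survives the reflow into the new column; it should read `/etc/shorewall/tunnels`, as the corresponding heading in the client section spells it.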
@ -447,11 +467,13 @@ and later)<br>
<td valign="top"><br> <td valign="top"><br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
<p align="left"><br> <p align="left"><br>
Note: I have multiple ppp interfaces on my firewall. If you have a single Note: I have multiple ppp interfaces on my firewall. If you have a single
ppp interface, you probably want:</p> ppp interface, you probably want:</p>
<h4>/etc/shorewall/interfaces:</h4> <h4>/etc/shorewall/interfaces:</h4>
@ -469,7 +491,7 @@ ppp interface, you probably want:</p>
<td>net</td> <td>net</td>
<td>eth0</td> <td>eth0</td>
<td>206.124.146.255</td> <td>206.124.146.255</td>
<td>noping,norfc1918</td> <td>norfc1918</td>
</tr> </tr>
<tr> <tr>
<td>loc</td> <td>loc</td>
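Review bot: `noping` is dropped from the single-ppp-interface example as well, so the sentence introducing this table ("If you have a single ppp interface, you probably want:") should mention that ICMP echo from net is no longer suppressed by an interface option and point at where it is controlled instead.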
@ -493,8 +515,8 @@ ppp interface, you probably want:</p>
<h2 align="center"><a name="ServerBehind"></a>2. PPTP Server Running Behind <h2 align="center"><a name="ServerBehind"></a>2. PPTP Server Running Behind
your Firewall</h2> your Firewall</h2>
<p>If you have a single external IP address, add the following to your /etc/shorewall/rules <p>If you have a single external IP address, add the following to your
file:</p> /etc/shorewall/rules file:</p>
<font face="Century Gothic, Arial, Helvetica"> </font> <font face="Century Gothic, Arial, Helvetica"> </font>
<table border="2" cellpadding="2" style="border-collapse: collapse;"> <table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody> <tbody>
@ -589,15 +611,16 @@ you will need to follow the instructions at <a
loadmodule ip_nat_pptp </p> loadmodule ip_nat_pptp </p>
</blockquote> </blockquote>
<h2 align="center"><a name="ClientFW"></a>4. PPTP Client Running on your Firewall.</h2> <h2 align="center"><a name="ClientFW"></a>4. PPTP Client Running on your
Firewall.</h2>
<p align="left">The PPTP GNU/Linux client is available at <a <p align="left">The PPTP GNU/Linux client is available at <a
href="http://sourceforge.net/projects/pptpclient/">http://sourceforge.net/projects/pptpclient/</a>.    href="http://sourceforge.net/projects/pptpclient/">http://sourceforge.net/projects/pptpclient/</a>.   
Rather than use the configuration script that comes with the client, I built Rather than use the configuration script that comes with the client, I built
my own. I also build my own kernel <a href="#PatchKernel">as described above</a> my own. I also build my own kernel <a href="#PatchKernel">as described above</a>
rather than using the mppe package that is available with the client. My rather than using the mppe package that is available with the client. My
/etc/ppp/options file is mostly unchanged from what came with the client /etc/ppp/options file is mostly unchanged from what came with the client (see
(see below).</p> below).</p>
<p>The key elements of this setup are as follows: </p> <p>The key elements of this setup are as follows: </p>
@ -715,7 +738,8 @@ my own. I also build my own kernel <a href="#PatchKernel">as described above</a>
</blockquote> </blockquote>
<p><b>/etc/shorewall/tunnels (For Shorewall versions 1.3.10 and later)<br> <p><b>/etc/shorewall/tunnels (For Shorewall versions 1.3.10 and later)<br>
</b></p> </b></p>
<blockquote> <blockquote>
<table cellpadding="2" cellspacing="2" border="1" <table cellpadding="2" cellspacing="2" border="1"
style="border-collapse: collapse;"> style="border-collapse: collapse;">
@ -740,19 +764,22 @@ my own. I also build my own kernel <a href="#PatchKernel">as described above</a>
<td valign="top"><br> <td valign="top"><br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br> <br>
</blockquote> </blockquote>
<p>I use the combination of interface and hosts file to define the 'cpq' zone
because I also run a PPTP server on my firewall (see above). Using this technique <p>I use the combination of interface and hosts file to define the 'cpq'
allows me to distinguish clients of my own PPTP server from arbitrary hosts zone because I also run a PPTP server on my firewall (see above). Using this
at Compaq; I assign addresses in 192.168.1.0/24 to my PPTP clients and Compaq technique allows me to distinguish clients of my own PPTP server from arbitrary
doesn't use that RFC1918 Class C subnet. </p> hosts at Compaq; I assign addresses in 192.168.1.0/24 to my PPTP clients
and Compaq doesn't use that RFC1918 Class C subnet. </p>
<p>I use this script in /etc/init.d to control the client. The reason that <p>I use this script in /etc/init.d to control the client. The reason that
I disable ECN when connecting is that the Compaq tunnel servers don't do ECN I disable ECN when connecting is that the Compaq tunnel servers don't do
yet and reject the initial TCP connection request if I enable ECN :-( </p> ECN yet and reject the initial TCP connection request if I enable ECN :-(
</p>
<blockquote> <blockquote>
<p><font face="Courier" size="2">#!/bin/sh<br> <p><font face="Courier" size="2">#!/bin/sh<br>
@ -889,10 +916,11 @@ yet and reject the initial TCP connection request if I enable ECN :-( </p>
and corresponding ip-up.local </a>from <a and corresponding ip-up.local </a>from <a
href="mailto:jvonau@home.com">Jerry Vonau </a>that controls two PPTP connections.</p> href="mailto:jvonau@home.com">Jerry Vonau </a>that controls two PPTP connections.</p>
<p><font size="2">Last modified 10/23/2002 - <a href="support.htm">Tom Eastep</a></font></p> <p><font size="2">Last modified 5/15/2003 - <a href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"> <font size="2">Copyright</font> <p><a href="copyright.htm"> <font size="2">Copyright</font> © <font
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></p> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></p>
<br>
<br> <br>
<br> <br>
</body> </body>

View File

@ -25,28 +25,28 @@
<br> <br>
<h2>Background</h2> <h2>Background</h2>
The traditional net-tools contain a program called <i>ifconfig</i> which The traditional net-tools contain a program called <i>ifconfig</i>
is used to configure network devices. ifconfig introduced the concept of which is used to configure network devices. ifconfig introduced the concept
<i>aliased </i>or <i>virtial </i>interfaces. These virtual interfaces have of <i>aliased </i>or <i>virtial </i>interfaces. These virtual interfaces
names of the form <i>interface</i>:<i>integer </i>(e.g., eth0:0) and ifconfig have names of the form <i>interface</i>:<i>integer </i>(e.g., eth0:0) and
treats them more or less like real interfaces.<br> ifconfig treats them more or less like real interfaces.<br>
<br> <br>
Example:<br> Example:<br>
<pre>[root@gateway root]# ifconfig eth0:0<br>eth0:0 Link encap:Ethernet HWaddr 02:00:08:3:FA:55<br> inet addr:206.124.146.178 Bcast:206.124.146.255 Mask:255.255.255.0<br> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br> Interrupt:11 Base address:0x2000<br>[root@gateway root]# <br></pre> <pre>[root@gateway root]# ifconfig eth0:0<br>eth0:0 Link encap:Ethernet HWaddr 02:00:08:3:FA:55<br> inet addr:206.124.146.178 Bcast:206.124.146.255 Mask:255.255.255.0<br> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br> Interrupt:11 Base address:0x2000<br>[root@gateway root]# <br></pre>
The ifconfig utility is being gradually phased out in favor of the <i>ip</i> The ifconfig utility is being gradually phased out in favor of the <i>ip</i>
utility which is part of the <i>iproute </i>package. The ip utility does utility which is part of the <i>iproute </i>package. The ip utility does
not use the concept of aliases or virtual interfaces but rather treats additional not use the concept of aliases or virtual interfaces but rather treats
addresses on an interface as objects. The ip utility does provide for interaction additional addresses on an interface as objects. The ip utility does provide
with ifconfig in that it allows addresses to be <i>labeled </i>and labels for interaction with ifconfig in that it allows addresses to be <i>labeled
may take the form of ipconfig virtual interfaces.<br> </i>and labels may take the form of ipconfig virtual interfaces.<br>
<br> <br>
Example:<br> Example:<br>
<br> <br>
<pre>[root@gateway root]# ip addr show dev eth0<br>2: eth0: &lt;BROADCAST,MULTICAST,UP&gt; mtu 1500 qdisc htb qlen 100<br> link/ether 02:00:08:e3:fa:55 brd ff:ff:ff:ff:ff:ff<br> inet 206.124.146.176/24 brd 206.124.146.255 scope global eth0<br> inet 206.124.146.178/24 brd 206.124.146.255 scope global secondary eth0:0<br>[root@gateway root]# <br></pre> <pre>[root@gateway root]# ip addr show dev eth0<br>2: eth0: &lt;BROADCAST,MULTICAST,UP&gt; mtu 1500 qdisc htb qlen 100<br> link/ether 02:00:08:e3:fa:55 brd ff:ff:ff:ff:ff:ff<br> inet 206.124.146.176/24 brd 206.124.146.255 scope global eth0<br> inet 206.124.146.178/24 brd 206.124.146.255 scope global secondary eth0:0<br>[root@gateway root]# <br></pre>
Note that one <u>cannot</u> type "ip addr show dev eth0:0" because "eth0:0" Note that one <u>cannot</u> type "ip addr show dev eth0:0" because
is a label for a particular address rather than a device name.<br> "eth0:0" is a label for a particular address rather than a device name.<br>
<pre>[root@gateway root]# ip addr show dev eth0:0<br>Device "eth0:0" does not exist.<br>[root@gateway root]#<br></pre> <pre>[root@gateway root]# ip addr show dev eth0:0<br>Device "eth0:0" does not exist.<br>[root@gateway root]#<br></pre>
The iptables program doesn't support virtual interfaces in either it's The iptables program doesn't support virtual interfaces in either it's
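Review bot: several defects in the old column are carried unchanged into the new one: "virtial" should be "virtual"; "labels may take the form of ipconfig virtual interfaces" should say ifconfig; and "in either it's" should be "its". The hardware address in the ifconfig sample, `02:00:08:3:FA:55`, is also missing a digit compared with `02:00:08:e3:fa:55` in the `ip addr show` output for the same interface, which will confuse a reader comparing the two listings.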
@ -56,12 +56,12 @@ is a label for a particular address rather than a device name.<br>
<h2>So how do I handle more than one address on an interface?</h2> <h2>So how do I handle more than one address on an interface?</h2>
The answer depends on what you are trying to do with the interfaces. The answer depends on what you are trying to do with the interfaces.
In the sub-sections that follow, we'll take a look at common scenarios.<br> In the sub-sections that follow, we'll take a look at common scenarios.<br>
<h3>Separate Rules</h3> <h3>Separate Rules</h3>
If you need to make a rule for traffic to/from the firewall itself that If you need to make a rule for traffic to/from the firewall itself that
only applies to a particular IP address, simply qualify the $FW zone with only applies to a particular IP address, simply qualify the $FW zone with
the IP address.<br> the IP address.<br>
<br> <br>
Example (allow SSH from net to eth0:0 above):<br> Example (allow SSH from net to eth0:0 above):<br>
<br> <br>
@ -110,8 +110,8 @@ the IP address.<br>
<h3>DNAT</h3> <h3>DNAT</h3>
Suppose that I had set up eth0:0 as above and I wanted to port forward Suppose that I had set up eth0:0 as above and I wanted to port forward
from that virtual interface to a web server running in my local zone at from that virtual interface to a web server running in my local zone at
192.168.1.3. That is accomplised by a single rule in the /etc/shorewall/rules 192.168.1.3. That is accomplised by a single rule in the /etc/shorewall/rules
file:<br> file:<br>
<br> <br>
<blockquote> <blockquote>
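Review bot: "accomplised" should be "accomplished"; the hunk otherwise only reflows the paragraph.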
@ -184,12 +184,12 @@ file:<br>
</table> </table>
<br> <br>
</blockquote> </blockquote>
Shorewall can create the alias (additional address) for you if you set Shorewall can create the alias (additional address) for you if you
ADD_SNAT_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with Shorewall set ADD_SNAT_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with
1.3.14, Shorewall can actually create the "label" (virtual interface) so Shorewall 1.3.14, Shorewall can actually create the "label" (virtual interface)
that you can see the created address using ifconfig. In addition to setting so that you can see the created address using ifconfig. In addition to
ADD_SNAT_ALIASES=Yes, you specify the virtual interface name in the INTERFACE setting ADD_SNAT_ALIASES=Yes, you specify the virtual interface name in
column as follows:<br> the INTERFACE column as follows:<br>
<blockquote> <blockquote>
<table cellpadding="2" cellspacing="0" border="1"> <table cellpadding="2" cellspacing="0" border="1">
@ -253,12 +253,12 @@ file:<br>
</table> </table>
<br> <br>
</blockquote> </blockquote>
Shorewall can create the alias (additional address) for you if you set Shorewall can create the alias (additional address) for you if you
ADD_IP_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with Shorewall set ADD_IP_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with
1.3.14, Shorewall can actually create the "label" (virtual interface) so Shorewall 1.3.14, Shorewall can actually create the "label" (virtual interface)
that you can see the created address using ifconfig. In addition to setting so that you can see the created address using ifconfig. In addition to
ADD_IP_ALIASES=Yes, you specify the virtual interface name in the INTERFACE setting ADD_IP_ALIASES=Yes, you specify the virtual interface name in
column as follows:<br> the INTERFACE column as follows:<br>
<br> <br>
<blockquote> <blockquote>
@ -293,11 +293,11 @@ file:<br>
</table> </table>
<br> <br>
</blockquote> </blockquote>
In either case, to create rules that pertain only to this NAT pair, you In either case, to create rules that pertain only to this NAT pair,
simply qualify the local zone with the internal IP address.<br> you simply qualify the local zone with the internal IP address.<br>
<br> <br>
Example: You want to allow SSH from the net to 206.124.146.178 a.k.a. Example: You want to allow SSH from the net to 206.124.146.178 a.k.a.
192.168.1.3.<br> 192.168.1.3.<br>
<br> <br>
<blockquote> <blockquote>
@ -350,10 +350,10 @@ their system's routing table to bypass your firewall/router. Nevertheless,
there are cases where you simply want to consider the LAN segment itself there are cases where you simply want to consider the LAN segment itself
as a zone and allow your firewall/router to route between the two subnetworks.<br> as a zone and allow your firewall/router to route between the two subnetworks.<br>
<br> <br>
Example 1: &nbsp;Local interface eth1 interfaces to 192.168.1.0/24 and Example 1: &nbsp;Local interface eth1 interfaces to 192.168.1.0/24
192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and eth1:0 and 192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and
is 192.168.20.254. You want to simply route all requests between the two eth1:0 is 192.168.20.254. You want to simply route all requests between
subnetworks.<br> the two subnetworks.<br>
<h4>If you are running Shorewall 1.4.1 or Later</h4> <h4>If you are running Shorewall 1.4.1 or Later</h4>
In /etc/shorewall/interfaces:<br> In /etc/shorewall/interfaces:<br>
@ -402,7 +402,7 @@ as a zone and allow your firewall/router to route between the two subnetworks.<
<tr> <tr>
<td valign="top">loc<br> <td valign="top">loc<br>
</td> </td>
<td valign="top">eth0:192.168.1.0/24<br> <td valign="top">eth1:192.168.1.0/24<br>
</td> </td>
<td valign="top"><br> <td valign="top"><br>
</td> </td>
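Review bot: correct fix. Example 1 places both 192.168.1.0/24 and 192.168.20.0/24 on eth1 (primary 192.168.1.254, eth1:0 192.168.20.254), so the hosts entries must name eth1; with eth0, which the other examples on these pages use as the net-facing interface, the loc zone would have been defined on the external interface.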
@ -410,7 +410,7 @@ as a zone and allow your firewall/router to route between the two subnetworks.<
<tr> <tr>
<td valign="top">loc<br> <td valign="top">loc<br>
</td> </td>
<td valign="top">eth0:192.168.20.0/24<br> <td valign="top">eth1:192.168.20.0/24<br>
</td> </td>
<td valign="top"><br> <td valign="top"><br>
</td> </td>
@ -421,7 +421,7 @@ as a zone and allow your firewall/router to route between the two subnetworks.<
<br> <br>
</blockquote> </blockquote>
Note that you do NOT need any entry in /etc/shorewall/policy as Shorewall Note that you do NOT need any entry in /etc/shorewall/policy as Shorewall
1.4.1 and later releases default to allowing intra-zone traffic.<br> 1.4.1 and later releases default to allowing intra-zone traffic.<br>
<h4>If you are running Shorewall 1.4.0 or earlier<br> <h4>If you are running Shorewall 1.4.0 or earlier<br>
</h4> </h4>
@ -457,7 +457,7 @@ as a zone and allow your firewall/router to route between the two subnetworks.<
<br> <br>
</blockquote> </blockquote>
Note 1: If you are running Shorewall 1.3.10 or earlier then you must Note 1: If you are running Shorewall 1.3.10 or earlier then you must
specify the <b>multi</b> option.<br> specify the <b>multi</b> option.<br>
<br> <br>
In /etc/shorewall/policy:<br> In /etc/shorewall/policy:<br>
<br> <br>
@ -567,7 +567,7 @@ privileges).<br>
<br> <br>
</blockquote> </blockquote>
Note 1: If you are running Shorewall 1.3.10 or earlier then you must Note 1: If you are running Shorewall 1.3.10 or earlier then you must
specify the <b>multi</b> option.<br> specify the <b>multi</b> option.<br>
<br> <br>
In /etc/shorewall/hosts:<br> In /etc/shorewall/hosts:<br>
@ -585,7 +585,7 @@ specify the <b>multi</b> option.<br>
<tr> <tr>
<td valign="top">loc<br> <td valign="top">loc<br>
</td> </td>
<td valign="top">eth0:192.168.1.0/24<br> <td valign="top">eth1:192.168.1.0/24<br>
</td> </td>
<td valign="top"><br> <td valign="top"><br>
</td> </td>
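Review bot: the eth0 to eth1 correction matches the example text. In this 1.4.0-or-earlier variant the two subnets are separate zones (loc and loc2), so it is worth a sentence noting that both hosts lines must reference the same physical interface eth1 for the inter-zone routing described above to work.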
@ -593,7 +593,7 @@ specify the <b>multi</b> option.<br>
<tr> <tr>
<td valign="top">loc2<br> <td valign="top">loc2<br>
</td> </td>
<td valign="top">eth0:192.168.20.0/24<br> <td valign="top">eth1:192.168.20.0/24<br>
</td> </td>
<td valign="top"><br> <td valign="top"><br>
</td> </td>
@ -604,10 +604,10 @@ specify the <b>multi</b> option.<br>
<br> <br>
</blockquote> </blockquote>
In /etc/shorewall/rules, simply specify ACCEPT rules for the traffic In /etc/shorewall/rules, simply specify ACCEPT rules for the traffic
that you want to permit.<br> that you want to permit.<br>
<br> <br>
<p align="left"><font size="2">Last Updated 3/27/2003 A - <a <p align="left"><font size="2">Last Updated 5/8/2003 A - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <p><a href="copyright.htm"><font size="2">Copyright</font> &copy;
@ -618,5 +618,6 @@ that you want to permit.<br>
<br> <br>
<br> <br>
<br> <br>
<br>
</body> </body>
</html> </html>

View File

@ -2,23 +2,17 @@
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Index</title> <title>Shorewall Index</title>
<base <base target="main">
target="main">
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
@ -28,20 +22,14 @@
bgcolor="#4b017c" height="90"> bgcolor="#4b017c" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%" height="90"> <td width="100%"
height="90">
<h3 align="center"><font color="#ffffff">Shorewall</font></h3> <h3 align="center"><font color="#ffffff">Shorewall</font></h3>
</td> </td>
</tr> </tr>
<tr> <tr>
<td width="100%" <td width="100%"
bgcolor="#ffffff"> bgcolor="#ffffff">
<ul> <ul>
<li> <a <li> <a
href="seattlefirewall_index.htm">Home</a></li> href="seattlefirewall_index.htm">Home</a></li>
@ -49,7 +37,8 @@
href="shorewall_features.htm">Features</a></li> href="shorewall_features.htm">Features</a></li>
<li> <a <li> <a
href="shorewall_prerequisites.htm">Requirements</a></li> href="shorewall_prerequisites.htm">Requirements</a></li>
<li> <a href="download.htm">Download</a><br> <li> <a
href="download.htm">Download</a><br>
</li> </li>
<li> <a href="Install.htm">Installation/Upgrade/</a><br> <li> <a href="Install.htm">Installation/Upgrade/</a><br>
<a href="Install.htm">Configuration</a><br> <a href="Install.htm">Configuration</a><br>
@ -67,19 +56,21 @@
</li> </li>
<li> <a <li> <a
href="troubleshoot.htm">Troubleshooting</a></li> href="troubleshoot.htm">Troubleshooting</a></li>
<li> <a href="errata.htm">Errata</a></li> <li> <a
href="errata.htm">Errata</a></li>
<li> <a <li> <a
href="upgrade_issues.htm">Upgrade Issues</a></li> href="upgrade_issues.htm">Upgrade Issues</a></li>
<li> <a href="support.htm">Getting <li> <a
help or Answers to Questions</a><br> href="support.htm">Getting help or Answers to Questions</a></li>
<li><a href="http://lists.shorewall.net">Mailing Lists</a><a
href="http://lists.shorewall.net"> </a><br>
</li> </li>
<li><a href="1.3" target="_top">Shorewall
<li> <a href="shorewall_mirrors.htm">Mirrors</a> 1.3 Site</a></li>
<li><a
href="http://www1.shorewall.net/1.2/index.htm" target="_top">Shorewall
1.2 Site</a></li>
<li><a href="shorewall_mirrors.htm">Mirrors</a>
<ul> <ul>
<li><a target="_top" <li><a target="_top"
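Review bot: the new "Shorewall 1.3 Site" entry uses the bare relative href `1.3` while the 1.2 entry uses an absolute URL with an explicit index.htm. A bare directory href depends on the server's directory index setting and on this frame being served from the same path on every mirror; use the same form for both links (an absolute URL or `1.3/index.htm`).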
@ -92,72 +83,40 @@ help or Answers to Questions</a><br>
href="http://shorewall.correofuego.com.ar">Argentina</a></li> href="http://shorewall.correofuego.com.ar">Argentina</a></li>
<li><a target="_top" <li><a target="_top"
href="http://france.shorewall.net">France</a></li> href="http://france.shorewall.net">France</a></li>
<li><a href="http://www.shorewall.net" <li><a href="http://shorewall.syachile.cl" target="_top">Chile</a></li>
target="_top">Washington State, USA</a><br> <li><a href="http://shorewall.greshko.com" target="_top">Taiwan</a><br>
</li>
<li><a
href="http://www.shorewall.net" target="_top">Washington State, USA</a><br>
</li> </li>
</ul> </ul>
</li> </li>
</ul> </ul>
<ul> <ul>
<li> <a href="News.htm">News <li> <a
Archive</a></li> href="News.htm">News Archive</a></li>
<li> <a <li> <a
href="Shorewall_CVS_Access.html">CVS Repository</a></li> href="Shorewall_CVS_Access.html">CVS Repository</a></li>
<li> <a href="quotes.htm">Quotes <li> <a
from Users</a></li> href="quotes.htm">Quotes from Users</a></li>
<li> <a href="shoreline.htm">About <li> <a
the Author</a></li> href="shoreline.htm">About the Author</a></li>
<li> <a <li> <a
href="seattlefirewall_index.htm#Donations">Donations</a></li> href="seattlefirewall_index.htm#Donations">Donations</a></li>
</ul> </ul>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch">
<strong><br>
<b>Note: </b></strong>Search is unavailable
Daily 0200-0330 GMT.<br>
<strong></strong>
<p><strong>Quick Search</strong><br>
<font face="Arial" size="-1"> <input
type="text" name="words" size="15"></font><font size="-1"> </font> <font
face="Arial" size="-1"> <input type="hidden" name="format"
value="long"> <input type="hidden" name="method" value="and"> <input
type="hidden" name="config" value="htdig"> <input type="submit"
value="Search"></font> </p>
<font face="Arial"> <input
type="hidden" name="exclude"
value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
<p><b><a href="http://lists.shorewall.net/htdig/search.html">Extended Search</a></b></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001-2003 Thomas M. Eastep.</font></a><a size="2">2001-2003 Thomas M. Eastep.</font></a><br>
href="http://www.shorewall.net" target="_top"> </a></p> </p>
</body> </body>
</html> </html>
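Review bot: removing the htdig Quick Search form also removes the "Extended Search" link, leaving this navigation frame with no search entry point at all; if the search was retired that is fine, but if it only moved, keep one link to it. Dropping the empty trailing anchor `<a href="http://www.shorewall.net" target="_top"> </a>` after the copyright line is a good cleanup.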

View File

@ -2,23 +2,17 @@
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Index</title> <title>Shorewall Index</title>
<base target="main"> <base target="main">
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
@ -28,28 +22,23 @@
bgcolor="#4b017c" height="90"> bgcolor="#4b017c" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%" height="90"> <td width="100%"
height="90">
<h3 align="center"><font color="#ffffff">Shorewall</font></h3> <h3 align="center"><font color="#ffffff">Shorewall</font></h3>
</td> </td>
</tr> </tr>
<tr> <tr>
<td width="100%" <td width="100%"
bgcolor="#ffffff"> bgcolor="#ffffff">
<ul> <ul>
<li> <a <li> <a
href="sourceforge_index.htm">Home</a></li> href="seattlefirewall_index.htm">Home</a></li>
<li> <a <li> <a
href="shorewall_features.htm">Features</a></li> href="shorewall_features.htm">Features</a></li>
<li> <a <li> <a
href="shorewall_prerequisites.htm">Requirements</a></li> href="shorewall_prerequisites.htm">Requirements</a></li>
<li> <a href="download.htm">Download</a><br> <li> <a
href="download.htm">Download</a><br>
</li> </li>
<li> <a href="Install.htm">Installation/Upgrade/</a><br> <li> <a href="Install.htm">Installation/Upgrade/</a><br>
<a href="Install.htm">Configuration</a><br> <a href="Install.htm">Configuration</a><br>
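Review bot: the Home link changes from `sourceforge_index.htm` to `seattlefirewall_index.htm`, and the Donations link in a later hunk of this file is changed the same way. If this is the navigation frame published on the SourceForge mirror, confirm that seattlefirewall_index.htm is actually present there, otherwise both links break for mirror users; if the two frames are meant to diverge, keep the sourceforge-specific targets.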
@ -70,15 +59,17 @@
<li> <a href="errata.htm">Errata</a></li> <li> <a href="errata.htm">Errata</a></li>
<li> <a <li> <a
href="upgrade_issues.htm">Upgrade Issues</a></li> href="upgrade_issues.htm">Upgrade Issues</a></li>
<li> <a href="support.htm">Getting <li> <a
Help or Answers to Questions</a></li> href="support.htm">Getting help or Answers to Questions</a>
</li>
<li> <a href="shorewall_mirrors.htm">Mirrors</a> <li><a
href="http://lists.shorewall.net">Mailing Lists</a> <br>
</li>
<li><a href="1.3" target="_top">Shorewall 1.3 Site</a></li>
<li><a
href="http://www1.shorewall.net/1.2/index.htm" target="_top">Shorewall 1.2
Site</a></li>
<li><a href="shorewall_mirrors.htm">Mirrors</a>
<ul> <ul>
<li><a target="_top" <li><a target="_top"
@ -91,77 +82,43 @@ Help or Answers to Questions</a></li>
href="http://shorewall.correofuego.com.ar">Argentina</a></li> href="http://shorewall.correofuego.com.ar">Argentina</a></li>
<li><a target="_top" <li><a target="_top"
href="http://france.shorewall.net">France</a></li> href="http://france.shorewall.net">France</a></li>
<li><a href="http://www.shorewall.net" <li><a href="http://shorewall.syachile.cl" target="_top">Chile</a></li>
target="_top">Washington State, USA</a><br> <li><a href="http://shorewall.greshko.com" target="_top">Taiwan</a><br>
</li>
<li><a
href="http://www.shorewall.net" target="_top">Washington State, USA</a><br>
</li> </li>
</ul> </ul>
</li> </li>
</ul> </ul>
<ul> <ul>
<li> <a href="News.htm">News <li> <a href="News.htm">News
Archive</a></li> Archive</a></li>
<li> <a <li> <a
href="Shorewall_CVS_Access.html">CVS Repository</a></li> href="Shorewall_CVS_Access.html">CVS Repository</a></li>
<li> <a href="quotes.htm">Quotes <li> <a href="quotes.htm">Quotes
from Users</a></li> from Users</a></li>
<li> <a href="shoreline.htm">About
the Author</a></li>
<li> <a <li> <a
href="sourceforge_index.htm#Donations">Donations</a></li> href="shoreline.htm">About the Author</a></li>
<li> <a
href="seattlefirewall_index.htm#Donations">Donations</a></li>
</ul> </ul>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch">
<strong><br>
<b>Note: </b></strong>Search is unavailable
Daily 0200-0330 GMT.<br>
<strong></strong>
<p><strong>Quick Search</strong><br>
<font face="Arial" size="-1">
<input type="text" name="words" size="15"></font><font size="-1"> </font>
<font face="Arial" size="-1"> <input type="hidden" name="format"
value="long"> <input type="hidden" name="method" value="and"> <input
type="hidden" name="config" value="htdig"> <input type="submit"
value="Search"></font> </p>
<font face="Arial"> <input
type="hidden" name="exclude"
value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
<p><b><a href="http://lists.shorewall.net/htdig/search.html">Extended Search</a></b></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001-2003 Thomas M. Eastep.</font></a><br> size="2">2001-2003 Thomas M. Eastep.</font></a><a
</p> href="http://www.shorewall.net" target="_top"> </a></p>
<br>
<br>
<br>
<br>
</body> </body>
</html> </html>
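Review bot: this hunk re-introduces the empty anchor `<a href="http://www.shorewall.net" target="_top"> </a>` after the copyright line, which the other index frame in this same commit removes; the two frames should be made consistent, and the empty anchor serves no purpose in either. Dropping the four trailing `<br>` before `</body>` is fine.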

View File

@ -20,8 +20,6 @@
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Configuration Files</font></h1> <h1 align="center"><font color="#ffffff">Configuration Files</font></h1>
</td> </td>
</tr> </tr>
@ -29,8 +27,8 @@
</tbody> </tbody>
</table> </table>
<p><b><font color="#ff0000">Warning: </font>If you copy or edit your <p><b><font color="#ff0000">Warning: </font>If you copy or edit your configuration
configuration files on a system running Microsoft Windows, you <u>must</u> files on a system running Microsoft Windows, you <u>must</u>
run them through <a run them through <a
href="http://www.megaloman.com/%7Ehany/software/hd2u/"> dos2unix</a> href="http://www.megaloman.com/%7Ehany/software/hd2u/"> dos2unix</a>
before you use them with Shorewall.</b></p> before you use them with Shorewall.</b></p>
@ -48,8 +46,8 @@ several firewall parameters.</li>
view of the world into <i>zones.</i></li> view of the world into <i>zones.</i></li>
<li>/etc/shorewall/policy - establishes firewall <li>/etc/shorewall/policy - establishes firewall
high-level policy.</li> high-level policy.</li>
<li>/etc/shorewall/interfaces - describes the interfaces <li>/etc/shorewall/interfaces - describes the
on the firewall system.</li> interfaces on the firewall system.</li>
<li>/etc/shorewall/hosts - allows defining zones <li>/etc/shorewall/hosts - allows defining zones
in terms of individual hosts and subnetworks.</li> in terms of individual hosts and subnetworks.</li>
<li>/etc/shorewall/masq - directs the firewall <li>/etc/shorewall/masq - directs the firewall
@ -58,8 +56,8 @@ where to use many-to-one (dynamic) Network Address Translation
(SNAT).</li> (SNAT).</li>
<li>/etc/shorewall/modules - directs the firewall <li>/etc/shorewall/modules - directs the firewall
to load kernel modules.</li> to load kernel modules.</li>
<li>/etc/shorewall/rules - defines rules that are <li>/etc/shorewall/rules - defines rules that
exceptions to the overall policies established in /etc/shorewall/policy.</li> are exceptions to the overall policies established in /etc/shorewall/policy.</li>
<li>/etc/shorewall/nat - defines static NAT rules.</li> <li>/etc/shorewall/nat - defines static NAT rules.</li>
<li>/etc/shorewall/proxyarp - defines use of Proxy <li>/etc/shorewall/proxyarp - defines use of Proxy
ARP.</li> ARP.</li>
@ -90,9 +88,9 @@ the completion of a "shorewall stop".</li>
<h2><a name="Comments"></a>Comments</h2> <h2><a name="Comments"></a>Comments</h2>
<p>You may place comments in configuration files by making the first non-whitespace <p>You may place comments in configuration files by making the first non-whitespace
character a pound sign ("#"). You may also place comments character a pound sign ("#"). You may also place comments at
at the end of any line, again by delimiting the comment from the end of any line, again by delimiting the comment from the
the rest of the line with a pound sign.</p> rest of the line with a pound sign.</p>
<p>Examples:</p> <p>Examples:</p>
@ -109,6 +107,76 @@ the rest of the line with a pound sign.</p>
<pre>ACCEPT net fw tcp \<br>smtp,www,pop3,imap #Services running on the firewall</pre> <pre>ACCEPT net fw tcp \<br>smtp,www,pop3,imap #Services running on the firewall</pre>
<h2><a name="INCLUDE"></a>IN<small><small></small></small>CLUDE Directive</h2>
Beginning with Shorewall version 1.4.2, any file may contain INCLUDE directives.
An INCLUDE directive consists of the word INCLUDE followed by a file name
and causes the contents of the named file to be logically included into
the file containing the INCLUDE. File names given in an INCLUDE directive
are assumed to reside in /etc/shorewall or in an alternate configuration
directory if one has been specified for the command.<br>
<br>
INCLUDE's may be nested to a level of 3 -- further nested INCLUDE directives
are ignored with a warning message.<big><big><br>
<br>
</big></big> Examples:<big> </big> <br>
<blockquote>    shorewall/params.mgmt:<br>
<blockquote>    MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3<br>
   TIME_SERVERS=4.4.4.4<br>
   BACKUP_SERVERS=5.5.5.5<br>
</blockquote>
   ----- end params.mgmt -----<br>
</blockquote>
<blockquote>    shorewall/params:<br>
</blockquote>
<blockquote>
<blockquote>    # Shorewall 1.3 /etc/shorewall/params<br>
   [..]<br>
   #######################################<br>
 <br>
   INCLUDE params.mgmt    <br>
  <br>
   # params unique to this host here<br>
   #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE<br>
</blockquote>
</blockquote>
<blockquote>    ----- end params -----<br>
</blockquote>
<blockquote>    shorewall/rules.mgmt:<br>
</blockquote>
<blockquote>
<blockquote>    ACCEPT net:$MGMT_SERVERS          $FW    tcp    22<br>
   ACCEPT $FW          net:$TIME_SERVERS    udp    123<br>
   ACCEPT $FW          net:$BACKUP_SERVERS  tcp    22<br>
</blockquote>
</blockquote>
<blockquote>    ----- end rules.mgmt -----<br>
</blockquote>
<blockquote>    shorewall/rules:<br>
</blockquote>
<blockquote>
<blockquote>    # Shorewall version 1.3 - Rules File<br>
   [..]<br>
   #######################################<br>
 <br>
   INCLUDE rules.mgmt     <br>
  <br>
   # rules unique to this host here<br>
   #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE<br>
</blockquote>
</blockquote>
<blockquote>    ----- end rules -----<br>
</blockquote>
<h2><a name="dnsnames"></a>Using DNS Names</h2> <h2><a name="dnsnames"></a>Using DNS Names</h2>
<p align="left"> </p> <p align="left"> </p>
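Review bot: the new INCLUDE section should say how a file name with a path component (an absolute path, or one containing "..") is treated, whether it is rejected or resolved under /etc/shorewall or the alternate configuration directory, because an included file such as params.mgmt supplies shell variable definitions and needs the same ownership and permission care as /etc/shorewall/params itself; it should also state whether the nesting limit of 3 is what stops a file that INCLUDEs itself. Markup and wording in the same hunk: the heading renders as `IN<small><small></small></small>CLUDE` with empty tags inside the word, the "Examples:" line is wrapped in stray `<big><big>` tags, "INCLUDE's" should be "INCLUDEs", and the sample file headers still say "Shorewall 1.3" although the feature is introduced in 1.4.2.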
@ -146,8 +214,8 @@ no effect on the firewall's ruleset. </p>
<li>If your startup scripts try to start your firewall <li>If your startup scripts try to start your firewall
before starting your DNS server then your firewall won't start.<br> before starting your DNS server then your firewall won't start.<br>
</li> </li>
<li>Factors totally outside your control (your ISP's router <li>Factors totally outside your control (your ISP's
is down for example), can prevent your firewall from starting.</li> router is down for example), can prevent your firewall from starting.</li>
<li>You must bring up your network interfaces prior to <li>You must bring up your network interfaces prior to
starting your firewall.<br> starting your firewall.<br>
</li> </li>
@ -188,10 +256,10 @@ for your inconvenience but are rather limitations of iptables.<br>
<h2><a name="Compliment"></a>Complementing an Address or Subnet</h2> <h2><a name="Compliment"></a>Complementing an Address or Subnet</h2>
<p>Where specifying an IP address, a subnet or an interface, you can <p>Where specifying an IP address, a subnet or an interface, you can precede
precede the item with "!" to specify the complement of the item. For the item with "!" to specify the complement of the item. For example,
example, !192.168.1.4 means "any host but 192.168.1.4". There must be !192.168.1.4 means "any host but 192.168.1.4". There must be no white space
no white space following the "!".</p> following the "!".</p>
<h2><a name="Lists"></a>Comma-separated Lists</h2> <h2><a name="Lists"></a>Comma-separated Lists</h2>
@ -212,8 +280,8 @@ no white space following the "!".</p>
<h2><a name="Ports"></a>Port Numbers/Service Names</h2> <h2><a name="Ports"></a>Port Numbers/Service Names</h2>
<p>Unless otherwise specified, when giving a port number you can use <p>Unless otherwise specified, when giving a port number you can use either
either an integer or a service name from /etc/services. </p> an integer or a service name from /etc/services. </p>
<h2><a name="Ranges"></a>Port Ranges</h2> <h2><a name="Ranges"></a>Port Ranges</h2>
@ -230,7 +298,7 @@ local host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
<h2><a name="Variables"></a>Using Shell Variables</h2> <h2><a name="Variables"></a>Using Shell Variables</h2>
<p>You may use the /etc/shorewall/params file to set shell variables <p>You may use the /etc/shorewall/params file to set shell variables
that you can then use in some of the other configuration files.</p> that you can then use in some of the other configuration files.</p>
<p>It is suggested that variable names begin with an upper case letter<font <p>It is suggested that variable names begin with an upper case letter<font
size="1"> </font>to distinguish them from variables used internally size="1"> </font>to distinguish them from variables used internally
@ -239,7 +307,6 @@ local host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
<p>Example:</p> <p>Example:</p>
<blockquote> <blockquote>
<pre>NET_IF=eth0<br>NET_BCAST=130.252.100.255<br>NET_OPTIONS=routefilter,norfc1918</pre> <pre>NET_IF=eth0<br>NET_BCAST=130.252.100.255<br>NET_OPTIONS=routefilter,norfc1918</pre>
</blockquote> </blockquote>
@ -247,39 +314,32 @@ local host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
Example (/etc/shorewall/interfaces record):</p> Example (/etc/shorewall/interfaces record):</p>
<font <font
face="Century Gothic, Arial, Helvetica"> face="Century Gothic, Arial, Helvetica">
<blockquote> <blockquote>
<pre><font face="Courier">net $NET_IF $NET_BCAST $NET_OPTIONS</font></pre> <pre><font face="Courier">net $NET_IF $NET_BCAST $NET_OPTIONS</font></pre>
</blockquote> </blockquote>
</font> </font>
<p>The result will be the same as if the record had been written</p> <p>The result will be the same as if the record had been written</p>
<font <font
face="Century Gothic, Arial, Helvetica"> face="Century Gothic, Arial, Helvetica">
<blockquote> <blockquote>
<pre>net eth0 130.252.100.255 routefilter,norfc1918</pre> <pre>net eth0 130.252.100.255 routefilter,norfc1918</pre>
</blockquote> </blockquote>
</font> </font>
<p>Variables may be used anywhere in the other configuration <p>Variables may be used anywhere in the other configuration
files.</p> files.</p>
<h2><a name="MAC"></a>Using MAC Addresses</h2> <h2><a name="MAC"></a>Using MAC Addresses</h2>
<p>Media Access Control (MAC) addresses can be used to specify packet <p>Media Access Control (MAC) addresses can be used to specify packet
source in several of the configuration files. To use this feature, source in several of the configuration files. To use this
your kernel must have MAC Address Match support (CONFIG_IP_NF_MATCH_MAC) feature, your kernel must have MAC Address Match support (CONFIG_IP_NF_MATCH_MAC)
included.</p> included.</p>
<p>MAC addresses are 48 bits wide and each Ethernet Controller has a <p>MAC addresses are 48 bits wide and each Ethernet Controller has a unique
unique MAC address.<br> MAC address.<br>
<br> <br>
In GNU/Linux, MAC addresses are usually written as In GNU/Linux, MAC addresses are usually written
a series of 6 hex numbers separated by colons. Example:<br> as a series of 6 hex numbers separated by colons. Example:<br>
<br> <br>
     [root@gateway root]# ifconfig eth0<br>      [root@gateway root]# ifconfig eth0<br>
     eth0 Link encap:Ethernet HWaddr <b><u>02:00:08:E3:FA:55</u></b><br>      eth0 Link encap:Ethernet HWaddr <b><u>02:00:08:E3:FA:55</u></b><br>
@ -313,8 +373,8 @@ the MAC address in the example above would be written "~02-00-08-E3-
and restart</a> commands allow you to specify an alternate configuration and restart</a> commands allow you to specify an alternate configuration
directory and Shorewall will use the files in the alternate directory directory and Shorewall will use the files in the alternate directory
rather than the corresponding files in /etc/shorewall. The alternate rather than the corresponding files in /etc/shorewall. The alternate
directory need not contain a complete configuration; those files not in directory need not contain a complete configuration; those files not
the alternate directory will be read from /etc/shorewall.</p> in the alternate directory will be read from /etc/shorewall.</p>
<p> This facility permits you to easily create a test or temporary configuration <p> This facility permits you to easily create a test or temporary configuration
by:</p> by:</p>
@ -325,19 +385,14 @@ from /etc/shorewall to a separate directory;</li>
<li> modify those files in the separate directory; <li> modify those files in the separate directory;
and</li> and</li>
<li> specifying the separate directory in a shorewall <li> specifying the separate directory in a shorewall
start or shorewall restart command (e.g., <i><b>shorewall -c start or shorewall restart command (e.g., <i><b>shorewall -c /etc/testconfig
/etc/testconfig restart</b></i> ).</li> restart</b></i> )</li>
</ol> </ol>
<p><font size="2"> Updated 4/18/2003 - <a href="support.htm">Tom Eastep</a>
<p><font size="2"> Updated 2/24/2003 - <a href="support.htm">Tom Eastep</a>
</font></p> </font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p> </p>
@ -347,5 +402,6 @@ from /etc/shorewall to a separate directory;</li>
<br> <br>
<br> <br>
<br> <br>
<br>
</body> </body>
</html> </html>

View File

@ -35,7 +35,8 @@
<p>The entire set of Shorewall documentation is available in PDF format at:</p> <p>The entire set of Shorewall documentation is available in PDF format at:</p>
<p>    <a href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br> <p>    <a href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>     <a
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
    <a href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>     <a href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>
</p> </p>
@ -50,22 +51,22 @@ packages below.</p>
<b> Linux PPC</b> or <b> TurboLinux</b> distribution <b> Linux PPC</b> or <b> TurboLinux</b> distribution
with a 2.4 kernel, you can use the RPM version (note: the with a 2.4 kernel, you can use the RPM version (note: the
RPM should also work with other distributions that store RPM should also work with other distributions that store
init scripts in /etc/init.d and that include chkconfig or init scripts in /etc/init.d and that include chkconfig or
insserv). If you find that it works in other cases, let <a insserv). If you find that it works in other cases, let <a
href="mailto:teastep@shorewall.net"> me</a> know so that href="mailto:teastep@shorewall.net"> me</a> know so that
I can mention them here. See the <a href="Install.htm">Installation I can mention them here. See the <a href="Install.htm">Installation
Instructions</a> if you have problems installing the RPM.</li> Instructions</a> if you have problems installing the RPM.</li>
<li>If you are running LRP, download the .lrp file <li>If you are running LRP, download the .lrp file
(you might also want to download the .tgz so you will have a (you might also want to download the .tgz so you will have a
copy of the documentation).</li> copy of the documentation).</li>
<li>If you run <a href="http://www.debian.org"><b>Debian</b></a> <li>If you run <a href="http://www.debian.org"><b>Debian</b></a>
and would like a .deb package, Shorewall is included in both and would like a .deb package, Shorewall is included in both
the <a href="http://packages.debian.org/testing/net/shorewall.html">Debian the <a href="http://packages.debian.org/testing/net/shorewall.html">Debian
Testing Branch</a> and the <a Testing Branch</a> and the <a
href="http://packages.debian.org/unstable/net/shorewall.html">Debian Unstable href="http://packages.debian.org/unstable/net/shorewall.html">Debian Unstable
Branch</a>.</li> Branch</a>.</li>
<li>Otherwise, download the <i>shorewall</i> module <li>Otherwise, download the <i>shorewall</i>
(.tgz)</li> module (.tgz)</li>
</ul> </ul>
@ -79,24 +80,9 @@ Branch</a>.</li>
<p><font color="#009900"><b>rpm --eval '%{defaultdocdir}'</b></font></p> <p><font color="#009900"><b>rpm --eval '%{defaultdocdir}'</b></font></p>
</blockquote> </blockquote>
<p>Please verify the version that you have downloaded -- during the <p>Please check the <font color="#ff0000"> <a href="errata.htm"> errata</a></font>
release of a new version of Shorewall, the links below may to see if there are updates that apply to the version
point to a newer or an older version than is shown below.</p> that you have downloaded.</p>
<ul>
<li>RPM - "rpm -qip shorewall-<i>version</i>.noarch.rpm"</li>
<li>TARBALL - "tar -ztf shorewall-<i>version</i>.tgz"
(the directory name will contain the version)</li>
<li>LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar
-zxf &lt;downloaded .lrp&gt;; cat var/lib/lrpkg/shorwall.version"
</li>
</ul>
<p>Once you have verified the version, check the <font
color="#ff0000"> <a href="errata.htm"> errata</a></font> to see
if there are updates that apply to the version that you have
downloaded.</p>
<p><font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY INSTALL <p><font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY INSTALL
THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION IS THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION IS
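Review bot: dropping the "Please verify the version that you have downloaded" paragraph and its three commands (rpm -qip, tar -ztf, and the .lrp unpack) removes the only instructions that tell a user how to confirm which release they actually received, yet the errata page in this same commit warns not to install corrected components on a release earlier than the one they are listed under; keep the verification list, or move it to the errata page, so readers can match their version before applying errata. The removed LRP step also refers to var/lib/lrpkg/shorwall.version, which reads like a typo for shorewall.version and is worth confirming against the package if the text is kept.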
@ -163,6 +149,18 @@ REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed configuration
href="http://france.shorewall.net/pub/shorewall/LATEST.lrp">Browse</a></td> href="http://france.shorewall.net/pub/shorewall/LATEST.lrp">Browse</a></td>
<td> <a target="_blank" <td> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/">Browse</a></td> href="ftp://france.shorewall.net/pub/mirrors/shorewall/">Browse</a></td>
</tr>
<tr>
<td valign="top">Taiwan<br>
</td>
<td valign="top">Greshko.com<br>
</td>
<td valign="top"><a
href="http://shorewall.greshko.com/pub/shorewall/">Browse<br>
</a></td>
<td valign="top"><a
href="ftp://shorewall.greshko.com/pub/shorewall/" target="_top">Browse</a><br>
</td>
</tr> </tr>
<tr> <tr>
<td>Washington State, USA</td> <td>Washington State, USA</td>
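Review bot: the new Taiwan mirror row is inconsistent with the France row above it: the HTTP link has its `<br>` inside the `<a>` element while the FTP link puts it outside, and only the FTP link carries target="_top" (the existing rows use target="_blank"); align both links with the existing rows so the table renders uniformly.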
@ -195,5 +193,7 @@ REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed configuration
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p> </p>
<br> <br>
<br>
<br>
</body> </body>
</html> </html>

View File

@ -22,6 +22,7 @@
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1> <h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1>
</td> </td>
</tr> </tr>
@ -47,21 +48,22 @@ the archive, replace the 'firewall' script in the untarred directory
</li> </li>
<li> <li>
<p align="left"> <b>When the instructions say to install a corrected <p align="left"> <b>When the instructions say to install a corrected
firewall script in /usr/share/shorewall/firewall, you may firewall script in /usr/share/shorewall/firewall, you
rename the existing file before copying in the new file.</b></p> may rename the existing file before copying in the new file.</b></p>
</li> </li>
<li> <li>
<p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS <p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW.
For example, do NOT install the 1.3.9a firewall script if you are running For example, do NOT install the 1.3.9a firewall script if you are
1.3.7c.</font></b><br> running 1.3.7c.</font></b><br>
</p> </p>
</li> </li>
</ol> </ol>
<ul> <ul>
<li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li> <li><b><a href="upgrade_issues.htm">Upgrade
Issues</a></b></li>
<li><b><a href="#V1.4">Problems in Version 1.4</a></b><br> <li><b><a href="#V1.4">Problems in Version 1.4</a></b><br>
</li> </li>
<li> <b><a <li> <b><a
@ -91,25 +93,44 @@ iptables</a></b></li>
<h3></h3> <h3></h3>
<h3>1.4.1a, 1.4.1 and 1.4.0</h3> <h3>1.4.2</h3>
<ul> <ul>
<li>Some TCP requests are rejected in the 'common' chain with an ICMP port-unreachable <li>When an 'add' or 'delete' command is executed, a temporary directory
response rather than the more appropriate TCP RST response. This problem created in /tmp is not being removed. This problem may be corrected by installing
is corrected in this updated common.def file which may be installed in /etc/shorewall/common.def.<br> <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.2/firewall"
target="_top">this firewall script</a> in /usr/share/shorewall/firewall as
described ablve. <br>
</li> </li>
</ul> </ul>
<h3>1.4.1a, 1.4.1 and 1.4.0</h3>
<ul>
<li>Some TCP requests are rejected in the 'common' chain with an ICMP
port-unreachable response rather than the more appropriate TCP RST response.
This problem is corrected in <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.1a/common.def"
target="_top">this updated common.def file</a> which may be installed in
/etc/shorewall/common.def.<br>
</li>
</ul>
<h3>1.4.1</h3> <h3>1.4.1</h3>
<ul> <ul>
<li>When a "shorewall check" command is executed, each "rule" produces <li>When a "shorewall check" command is executed, each "rule" produces
the harmless additional message:<br> the harmless additional message:<br>
<br> <br>
     /usr/share/shorewall/firewall: line 2174: [: =: unary operator expected<br>      /usr/share/shorewall/firewall: line 2174: [: =: unary operator expected<br>
<br> <br>
You may correct the problem by installing <a You may correct the problem by installing <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.1/firewall" href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.1/firewall"
target="_top">this corrected script</a> in /usr/share/shorewall/firewall target="_top">this corrected script</a> in /usr/share/shorewall/firewall
as described above.<br> as described above.<br>
</li> </li>
</ul> </ul>
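Review bot: "described ablve" in the new 1.4.2 entry should read "described above". The entry says a temporary directory created in /tmp is left behind by 'add' and 'delete'; it would help to tell users that directories already left in /tmp by the affected script can be removed by hand after installing the corrected firewall script, so they do not accumulate.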
@ -143,8 +164,8 @@ RedHat released this buggy iptables in RedHat 7.2.
<p align="left"> I have built a <a <p align="left"> I have built a <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm"> href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
corrected 1.2.3 rpm which you can download here</a>  and I have corrected 1.2.3 rpm which you can download here</a>  and I
also built an <a have also built an <a
href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm"> href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
iptables-1.2.4 rpm which you can download here</a>. If you are currently iptables-1.2.4 rpm which you can download here</a>. If you are currently
running RedHat 7.1, you can install either of these RPMs running RedHat 7.1, you can install either of these RPMs
@ -199,28 +220,28 @@ option to rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i3
RPM on SuSE</h3> RPM on SuSE</h3>
<p>If you find that rpm complains about a conflict with kernel &lt;= <p>If you find that rpm complains about a conflict with kernel &lt;=
2.2 yet you have a 2.4 kernel installed, simply use the "--nodeps" 2.2 yet you have a 2.4 kernel installed, simply use the "--nodeps"
option to rpm.</p> option to rpm.</p>
<p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p> <p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<p>Upgrading: rpm -Uvh --nodeps <i>&lt;shorewall rpm&gt;</i></p> <p>Upgrading: rpm -Uvh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<h3><a name="Multiport"></a><b>Problems with iptables version 1.2.7 and <h3><a name="Multiport"></a><b>Problems with iptables version 1.2.7 and
MULTIPORT=Yes</b></h3> MULTIPORT=Yes</b></h3>
<p>The iptables 1.2.7 release of iptables has made an incompatible <p>The iptables 1.2.7 release of iptables has made an incompatible
change to the syntax used to specify multiport match rules; as change to the syntax used to specify multiport match rules; as
a consequence, if you install iptables 1.2.7 you must be a consequence, if you install iptables 1.2.7 you must be
running Shorewall 1.3.7a or later or:</p> running Shorewall 1.3.7a or later or:</p>
<ul> <ul>
<li>set MULTIPORT=No <li>set MULTIPORT=No
in /etc/shorewall/shorewall.conf; or in /etc/shorewall/shorewall.conf; or
</li> </li>
<li>if you are running <li>if you are
Shorewall 1.3.6 you may install running Shorewall 1.3.6 you may
<a install <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
this firewall script</a> in /var/lib/shorewall/firewall this firewall script</a> in /var/lib/shorewall/firewall
as described above.</li> as described above.</li>
@ -230,7 +251,7 @@ running Shorewall 1.3.7a or later or:</p>
<h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br> <h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br>
</h3> </h3>
/etc/shorewall/nat entries of the following form will /etc/shorewall/nat entries of the following form will
result in Shorewall being unable to start:<br> result in Shorewall being unable to start:<br>
<br> <br>
<pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22    eth0    192.168.9.22   yes     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre> <pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22    eth0    192.168.9.22   yes     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
@ -242,15 +263,12 @@ result in Shorewall being unable to start:<br>
disabled it. The 2.4.19 kernel contains corrected support under a disabled it. The 2.4.19 kernel contains corrected support under a
new kernel configuraiton option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br> new kernel configuraiton option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
<p><font size="2"> Last updated 3/25/2003 - <a href="support.htm">Tom Eastep</a></font> <p><font size="2"> Last updated 5/11/2003 - <a href="support.htm">Tom Eastep</a></font>
</p> </p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p> </p>
<br> <br>
<br>
<br>
<br>
</body> </body>
</html> </html>
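Review bot: the context line just above the changed "Last updated" line still reads "new kernel configuraiton option"; since the date line is being touched anyway, fix the spelling to "configuration" in the same edit.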

Binary file not shown.

View File

@ -21,8 +21,8 @@
border="0"> border="0">
<tbody> <tbody>
<tr> <tr>
<td width="33%" valign="middle" align="left"> <td width="33%" valign="middle"
align="left">
<h1 align="center"><a <h1 align="center"><a
href="http://www.centralcommand.com/linux_products.html"><img href="http://www.centralcommand.com/linux_products.html"><img
src="images/Vexira_Antivirus_Logo.gif" alt="Vexira Logo" width="78" src="images/Vexira_Antivirus_Logo.gif" alt="Vexira Logo" width="78"
@ -36,12 +36,13 @@
<p align="right"><font color="#ffffff"><b>  </b></font> </p> <p align="right"><font color="#ffffff"><b>  </b></font> </p>
</td> </td>
<td valign="middle" width="34%" align="center"> <td valign="middle" width="34%" align="center">
<h1 align="center"><font color="#ffffff">Shorewall Mailing Lists</font></h1> <h1 align="center"><font color="#ffffff">Shorewall Mailing Lists</font></h1>
</td> </td>
<td valign="middle" width="33%"> <a <td valign="middle" width="33%"> <a
href="http://www.postfix.org/"> <img href="http://www.postfix.org/"> <img
src="images/small-picture.gif" align="right" border="0" width="115" src="images/postfix-white.gif" align="right" border="0" width="124"
height="45" alt="(Postfix Logo)"> height="66" alt="(Postfix Logo)">
</a><br> </a><br>
<div align="left"><a href="http://www.spamassassin.org"><img <div align="left"><a href="http://www.spamassassin.org"><img
@ -52,7 +53,7 @@
<div align="right"><br> <div align="right"><br>
<b><font color="#ffffff"><br> <b><font color="#ffffff"><br>
Powered by Postfix    </font></b><br>    </font></b><br>
</div> </div>
</td> </td>
</tr> </tr>
@ -61,24 +62,23 @@
</table> </table>
<h1>REPORTING A PROBLEM OR ASKING FOR HELP? If you haven't already, please <h1>REPORTING A PROBLEM OR ASKING FOR HELP? If you haven't already, please
read the <a href="http://www.shorewall.net/support.htm">Shorewall Support read the <a href="http://www.shorewall.net/support.htm">Shorewall Support
Guide</a>.<br> Guide</a>.<br>
</h1> </h1>
<p align="left">If you experience problems with any of these lists, please <p align="left">If you experience problems with any of these lists, please
let <a href="mailto:teastep@shorewall.net">me</a> know</p> let <a href="mailto:postmaster@shorewall.net">me</a> know</p>
<h2 align="left">Not able to Post Mail to shorewall.net?</h2> <h2 align="left">Not able to Post Mail to shorewall.net?</h2>
<p align="left">You can report such problems by sending mail to tmeastep <p align="left">You can report such problems by sending mail to tmeastep
at hotmail dot com.</p> at hotmail dot com.</p>
<h2>A Word about SPAM Filters <a href="http://ordb.org"></a><a <h2>A Word about the SPAM Filters at Shorewall.net <a
href="http://osirusoft.com/"> </a></h2> href="http://osirusoft.com/"> </a></h2>
<p>Before subscribing please read my <a href="spam_filters.htm">policy <p>Please note that the mail server at shorewall.net
about list traffic that bounces.</a> Also please note that the mail server checks incoming mail:<br>
at shorewall.net checks incoming mail:<br>
</p> </p>
<ol> <ol>
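Review bot: the rewritten spam-filter paragraph drops the link to spam_filters.htm describing the policy about list traffic that bounces; if that policy still applies, keep the link (or say where the policy moved), since the bounce policy is what a subscriber needs to know before their own MTA starts rejecting list mail. In the same hunk the heading still contains an empty anchor `<a href="http://osirusoft.com/"> </a>` with no link text while the empty ordb.org anchor was removed; remove the osirusoft one as well or give it visible text.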
@ -86,38 +86,38 @@ at hotmail dot com.</p>
(including <a href="http://razor.sourceforge.net/">Vipul's Razor</a>).<br> (including <a href="http://razor.sourceforge.net/">Vipul's Razor</a>).<br>
</li> </li>
<li>to ensure that the sender address is fully qualified.</li> <li>to ensure that the sender address is fully qualified.</li>
<li>to verify that the sender's domain has an A or MX <li>to verify that the sender's domain has an A
record in DNS.</li> or MX record in DNS.</li>
<li>to ensure that the host name in the HELO/EHLO command <li>to ensure that the host name in the HELO/EHLO
is a valid fully-qualified DNS name that resolves.</li> command is a valid fully-qualified DNS name that resolves.</li>
</ol> </ol>
<h2>Please post in plain text</h2> <h2>Please post in plain text</h2>
A growing number of MTAs serving list subscribers are rejecting A growing number of MTAs serving list subscribers are rejecting
all HTML traffic. At least one MTA has gone so far as to blacklist shorewall.net all HTML traffic. At least one MTA has gone so far as to blacklist
"for continuous abuse" because it has been my policy to allow HTML in shorewall.net "for continuous abuse" because it has been my policy to
list posts!!<br> allow HTML in list posts!!<br>
<br> <br>
I think that blocking all HTML is a Draconian way to control I think that blocking all HTML is a Draconian way to control
spam and that the ultimate losers here are not the spammers but the list spam and that the ultimate losers here are not the spammers but the
subscribers whose MTAs are bouncing all shorewall.net mail. As one list list subscribers whose MTAs are bouncing all shorewall.net mail. As
subscriber wrote to me privately "These e-mail admin's need to get a <i>(explitive one list subscriber wrote to me privately "These e-mail admin's need to
deleted)</i> life instead of trying to rid the planet of HTML based e-mail". get a <i>(explitive deleted)</i> life instead of trying to rid the planet
Nevertheless, to allow subscribers to receive list posts as must as possible, of HTML based e-mail". Nevertheless, to allow subscribers to receive list
I have now configured the list server at shorewall.net to strip all HTML posts as must as possible, I have now configured the list server at shorewall.net
from outgoing posts. This means that HTML-only posts will be bounced by to strip all HTML from outgoing posts. This means that HTML-only posts
the list server.<br> will be bounced by the list server.<br>
<p align="left"> <b>Note: </b>The list server limits posts to 120kb.<br> <p align="left"> <b>Note: </b>The list server limits posts to 120kb.<br>
</p> </p>
<h2>Other Mail Delivery Problems</h2> <h2>Other Mail Delivery Problems</h2>
If you find that you are missing an occasional list post, your If you find that you are missing an occasional list post,
e-mail admin may be blocking mail whose <i>Received:</i> headers contain your e-mail admin may be blocking mail whose <i>Received:</i> headers
the names of certain ISPs. Again, I believe that such policies hurt more contain the names of certain ISPs. Again, I believe that such policies
than they help but I'm not prepared to go so far as to start stripping <i>Received:</i> hurt more than they help but I'm not prepared to go so far as to start
headers to circumvent those policies.<br> stripping <i>Received:</i> headers to circumvent those policies.<br>
<h2 align="left">Mailing Lists Archive Search</h2> <h2 align="left">Mailing Lists Archive Search</h2>
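Review bot: the reflowed "Please post in plain text" paragraph carries over three wording errors: "as must as possible" should be "as much as possible", "explitive deleted" should be "expletive deleted", and "e-mail admin's" should be "e-mail admins"; since these lines are being re-wrapped in this hunk, fix them here.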
@ -147,8 +147,8 @@ than they help but I'm not prepared to go so far as to start stripping <i>Recei
value="htdig"> <input type="hidden" name="restrict" value="htdig"> <input type="hidden" name="restrict"
value="[http://lists.shorewall.net/pipermail/.*]"> <input type="hidden" value="[http://lists.shorewall.net/pipermail/.*]"> <input type="hidden"
name="exclude" value=""> <br> name="exclude" value=""> <br>
Search: <input type="text" size="30" name="words" Search: <input type="text" size="30"
value=""> <input type="submit" value="Search"> </p> name="words" value=""> <input type="submit" value="Search"> </p>
</form> </form>
<h2 align="left"><font color="#ff0000">Please do not try to download the <h2 align="left"><font color="#ff0000">Please do not try to download the
@ -157,9 +157,9 @@ won't stand the traffic. If I catch you, you will be blacklisted.<br>
</font></h2> </font></h2>
<h2 align="left">Shorewall CA Certificate</h2> <h2 align="left">Shorewall CA Certificate</h2>
If you want to trust X.509 certificates issued by Shoreline If you want to trust X.509 certificates issued by
Firewall (such as the one used on my web site), you may <a Shoreline Firewall (such as the one used on my web site), you
href="Shorewall_CA_html.html">download and install my CA certificate</a> may <a href="Shorewall_CA_html.html">download and install my CA certificate</a>
in your browser. If you don't wish to trust my certificates then in your browser. If you don't wish to trust my certificates then
you can either use unencrypted access when subscribing to Shorewall you can either use unencrypted access when subscribing to Shorewall
mailing lists or you can use secure access (SSL) and accept the server's mailing lists or you can use secure access (SSL) and accept the server's
@ -249,7 +249,7 @@ may be found at <a
<p align="left">There seems to be near-universal confusion about unsubscribing <p align="left">There seems to be near-universal confusion about unsubscribing
from Mailman-managed lists although Mailman 2.1 has attempted from Mailman-managed lists although Mailman 2.1 has attempted
to make this less confusing. To unsubscribe:</p> to make this less confusing. To unsubscribe:</p>
<ul> <ul>
<li> <li>
@ -258,10 +258,10 @@ to make this less confusing. To unsubscribe:</p>
</li> </li>
<li> <li>
<p align="left">Down at the bottom of that page is the following text: <p align="left">Down at the bottom of that page is the following text:
" To <b>unsubscribe</b> from <i>&lt;list name&gt;</i>, get a password " To <b>unsubscribe</b> from <i>&lt;list name&gt;</i>, get a
reminder, or change your subscription options enter your subscription password reminder, or change your subscription options enter
email address:". Enter your email address in the box and your subscription email address:". Enter your email address
click on the "<b>Unsubscribe</b> or edit options" button.</p> in the box and click on the "<b>Unsubscribe</b> or edit options" button.</p>
</li> </li>
<li> <li>
<p align="left">There will now be a box where you can enter your password <p align="left">There will now be a box where you can enter your password
@ -285,7 +285,5 @@ click on the "<b>Unsubscribe</b> or edit options" button.</p>
</p> </p>
<br> <br>
<br> <br>
<br>
<br>
</body> </body>
</html> </html>

File diff suppressed because one or more lines are too long

View File

@ -27,6 +27,9 @@
coming in Shorewall version 1.4.0. <br> coming in Shorewall version 1.4.0. <br>
<h2>Shorewall Versions &gt;= 1.4.0</h2> <h2>Shorewall Versions &gt;= 1.4.0</h2>
In Shoreall 1.4.0 and later version, ICMP echo-request's are treated just
like any other connection request.<br>
<br>
In order to accept ping requests from zone z1 to zone z2 where the policy In order to accept ping requests from zone z1 to zone z2 where the policy
for z1 to z2 is not ACCEPT, you need a rule in /etc/shoreall/rules of the for z1 to z2 is not ACCEPT, you need a rule in /etc/shoreall/rules of the
form:<br> form:<br>
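Review bot: The added sentence at the top of this hunk misspells the product name ("Shoreall 1.4.0 and later version") and the unchanged context line below it misspells the path ("/etc/shoreall/rules"); both should read "Shorewall" / "/etc/shorewall/rules", and "later version" should be "later versions". "ICMP echo-request's" is a plural, not a possessive, so drop the apostrophe ("echo-requests").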
@ -63,11 +66,12 @@ form:<br>
icmp&nbsp;&nbsp;&nbsp; 8<br> icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote> </blockquote>
<h2>Shorewall Versions &gt;= 1.3.14 with OLD_PING_HANDLING=No in /etc/shorewall/shorewall.conf</h2> <h2>Shorewall Versions &gt;= 1.3.14 &nbsp;and &lt; 1.4.0 with OLD_PING_HANDLING=No
in /etc/shorewall/shorewall.conf</h2>
In 1.3.14, Ping handling was put under control of the rules and policies In 1.3.14, Ping handling was put under control of the rules and policies
just like any other connection request. In order to accept ping requests just like any other connection request. In order to accept ping requests
from zone z1 to zone z2 where the policy for z1 to z2 is not ACCEPT, you need from zone z1 to zone z2 where the policy for z1 to z2 is not ACCEPT, you
a rule in /etc/shoreall/rules of the form:<br> need a rule in /etc/shoreall/rules of the form:<br>
<blockquote>ACCEPT&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp; <blockquote>ACCEPT&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp;
</i>icmp&nbsp;&nbsp;&nbsp; 8<br> </i>icmp&nbsp;&nbsp;&nbsp; 8<br>
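Review bot: The heading change (adding "and < 1.4.0") is correct, but the context line "a rule in /etc/shoreall/rules of the form:" that this hunk reflows still carries the "shoreall" path typo; correct it to /etc/shorewall/rules while the line is being touched.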
@ -119,8 +123,8 @@ a rule in /etc/shoreall/rules of the form:<br>
<ol> <ol>
<li>Ping requests addressed to the firewall itself; and</li> <li>Ping requests addressed to the firewall itself; and</li>
<li>Ping requests being forwarded to another system. Included here <li>Ping requests being forwarded to another system. Included here
are all cases of packet forwarding including NAT, DNAT rule, Proxy ARP are all cases of packet forwarding including NAT, DNAT rule, Proxy ARP and
and simple routing.</li> simple routing.</li>
</ol> </ol>
These cases will be covered separately.<br> These cases will be covered separately.<br>
@ -132,8 +136,8 @@ and simple routing.</li>
<li>If neither <b>noping</b> nor <b>filterping </b>are specified for <li>If neither <b>noping</b> nor <b>filterping </b>are specified for
the interface that receives the ping request then the request will be responded the interface that receives the ping request then the request will be responded
to with an ICMP echo-reply.</li> to with an ICMP echo-reply.</li>
<li>If <b>noping</b> is specified for the interface that receives the <li>If <b>noping</b> is specified for the interface that receives
ping request then the request is ignored.</li> the ping request then the request is ignored.</li>
<li>If <b>filterping </b>is specified for the interface then the request <li>If <b>filterping </b>is specified for the interface then the request
is passed to the rules/policy evaluation.</li> is passed to the rules/policy evaluation.</li>
@ -168,12 +172,12 @@ destination is applied.<br>
to with an ICMP echo-reply.</li> to with an ICMP echo-reply.</li>
<li>If <b>FORWARDPING</b> is set to Yes in /etc/shorewall/shorewall.conf <li>If <b>FORWARDPING</b> is set to Yes in /etc/shorewall/shorewall.conf
then the request is responded to with an ICMP echo-reply.</li> then the request is responded to with an ICMP echo-reply.</li>
<li>Otherwise, the relevant REJECT or DROP policy is used and the request <li>Otherwise, the relevant REJECT or DROP policy is used and the
is either rejected or simply ignored.</li> request is either rejected or simply ignored.</li>
</ol> </ol>
<p><font size="2">Updated 2/14/2003 - <a href="support.htm">Tom Eastep</a> <p><font size="2">Updated 5/4/2003 - <a href="support.htm">Tom Eastep</a>
</font></p> </font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font <p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
@ -183,5 +187,6 @@ to with an ICMP echo-reply.</li>
<br> <br>
<br> <br>
<br> <br>
<br>
</body> </body>
</html> </html>

View File

@ -52,11 +52,11 @@
<p>DNS</p> <p>DNS</p>
<blockquote> <blockquote>
<p>UDP Port 53. If you are configuring a DNS client, you will probably <p>UDP Port 53. If you are configuring a DNS client, you will probably want
want to open TCP Port 53 as well.<br> to open TCP Port 53 as well.<br>
If you are configuring a server, only open TCP Port 53 if you will If you are configuring a server, only open TCP Port 53 if you will
return long replies to queries or if you need to enable ZONE transfers. In return long replies to queries or if you need to enable ZONE transfers. In
the latter case, be sure that your server is properly configured.</p> the latter case, be sure that your server is properly configured.</p>
</blockquote> </blockquote>
<p>ICQ   </p> <p>ICQ   </p>
@ -87,6 +87,12 @@ the latter case, be sure that your server is properly configured.</p>
<p> TCP Port 25.</p> <p> TCP Port 25.</p>
</blockquote> </blockquote>
<p>RealPlayer<br>
</p>
<blockquote>
<p>UDP Port 6790 inbound<br>
</p>
</blockquote>
<p>POP3</p> <p>POP3</p>
<blockquote> <blockquote>
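Review bot: The new RealPlayer entry ("UDP Port 6790 inbound") is the only entry on this page that states a direction, but not from whose point of view. If it means the player behind the firewall must receive the stream on this port, say so, because that determines which zone pair (net to loc rather than loc to net) the ACCEPT rule belongs to; every other entry here gives just protocol and port.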
@ -144,8 +150,8 @@ the latter case, be sure that your server is properly configured.</p>
<p>Note that you MUST include port 21 in the <i>ports</i> list or you may <p>Note that you MUST include port 21 in the <i>ports</i> list or you may
have problems accessing regular FTP servers.</p> have problems accessing regular FTP servers.</p>
<p>If there is a possibility that these modules might be loaded before <p>If there is a possibility that these modules might be loaded before Shorewall
Shorewall starts, then you should include the port list in /etc/modules.conf:<br> starts, then you should include the port list in /etc/modules.conf:<br>
</p> </p>
<blockquote> <blockquote>
@ -153,8 +159,25 @@ Shorewall starts, then you should include the port list in /etc/modules.conf:<br
options ip_nat_ftp ports=21,49<br> options ip_nat_ftp ports=21,49<br>
</p> </p>
</blockquote> </blockquote>
<p><b>IMPORTANT: </b>Once you have made these changes to /etc/shorewall/modules
and/or /etc/modules.conf, you must either:<br>
</p>
<ol>
<li>Unload the modules and restart shorewall: (<b><font
color="#009900">rmmod ip_nat_ftp; rmmod ip_conntrack_ftp; shorewall restart</font></b>);
or</li>
<li>Reboot<br>
</li>
</ol>
<p> </p>
</blockquote> </blockquote>
<blockquote> </blockquote>
<p>SMB/NMB (Samba/Windows Browsing/File Sharing)</p> <p>SMB/NMB (Samba/Windows Browsing/File Sharing)</p>
<blockquote> </blockquote> <blockquote> </blockquote>
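Review bot: The new IMPORTANT note lists "rmmod ip_nat_ftp; rmmod ip_conntrack_ftp" in the order a dependent module requires (the NAT helper before the conntrack helper it relies on), but the text should say that this order matters and that the "shorewall restart" step is what reloads the modules with the new ports= list; a reader who unloads only one module, or unloads both and skips the restart, is still running with the old port list. The empty "<p> </p>" added after the ordered list is filler and can be dropped.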
@ -177,7 +200,7 @@ Shorewall starts, then you should include the port list in /etc/modules.conf:<br
<blockquote> <blockquote>
<p>I personally use the following rules for opening access from zone z1 <p>I personally use the following rules for opening access from zone z1
to a server with IP address a.b.c.d in zone z2:<br> to a server with IP address a.b.c.d in zone z2:<br>
</p> </p>
<pre>ACCEPT z1 z2:a.b.c.d udp 111<br>ACCEPT z1 z2:a.b.c.d tcp 111<br>ACCEPT z1 z2:a.b.c.d udp 2049<br>ACCEPT z1 z2:a.b.c.d udp 32700:<br></pre> <pre>ACCEPT z1 z2:a.b.c.d udp 111<br>ACCEPT z1 z2:a.b.c.d tcp 111<br>ACCEPT z1 z2:a.b.c.d udp 2049<br>ACCEPT z1 z2:a.b.c.d udp 32700:<br></pre>
@ -185,17 +208,24 @@ to a server with IP address a.b.c.d in zone z2:<br>
<blockquote> <blockquote>
<p>Note that my rules only cover NFS using UDP (the normal case). There <p>Note that my rules only cover NFS using UDP (the normal case). There
is lots of additional information at  <a is lots of additional information at  <a
href="http://nfs.sourceforge.net/nfs-howto/security.html"> http://nfs.sourceforge.net/nfs-howto/security.html</a></p> href="http://nfs.sourceforge.net/nfs-howto/security.html"> http://nfs.sourceforge.net/nfs-howto/security.html</a></p>
</blockquote> </blockquote>
<p>Didn't find what you are looking for -- have you looked in your own <p>VNC<br>
/etc/services file? </p> </p>
<blockquote>
<p>TCP port 5900 + &lt;display number&gt;</p>
</blockquote>
<p>Didn't find what you are looking for -- have you looked in your own /etc/services
file? </p>
<p>Still looking? Try <a <p>Still looking? Try <a
href="http://www.networkice.com/advice/Exploits/Ports"> http://www.networkice.com/advice/Exploits/Ports</a></p> href="http://www.networkice.com/advice/Exploits/Ports"> http://www.networkice.com/advice/Exploits/Ports</a></p>
<p><font size="2">Last updated 2/25/2003 - </font><font size="2"> <a <p><font size="2">Last updated 5/5/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p> href="support.htm">Tom Eastep</a></font> </p>
<a href="copyright.htm"><font size="2">Copyright</font> © <font <a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
@ -203,5 +233,8 @@ is lots of additional information at
<br> <br>
<br> <br>
<br> <br>
<br>
<br>
<br>
</body> </body>
</html> </html>

View File

@ -2,9 +2,11 @@
<html> <html>
<head> <head>
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.4</title> <title>Shoreline Firewall (Shorewall) 1.4</title>
<base target="_self"> <base target="_self">
</head> </head>
<body> <body>
@ -14,8 +16,10 @@
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td
width="100%" height="90"> <td width="100%" height="90">
<h1 align="center"> <font size="4"><i> <a <h1 align="center"> <font size="4"><i> <a
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4" href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4"
alt="Shorwall Logo" height="70" width="85" align="left" alt="Shorwall Logo" height="70" width="85" align="left"
@ -28,21 +32,27 @@
<small><small><small><small><a <small><small><small><small><a
href="http://www.shorewall.net" target="_top"> </a></small></small></small></small> href="http://www.shorewall.net" target="_top"> </a></small></small></small></small>
<div align="center"> <div align="center">
<h1><font color="#ffffff">             Shorewall 1.4</font><i><font
<h1><font color="#ffffff"> Shorewall 1.4</font><i><font
color="#ffffff"> <small><small><small>"iptables made easy"</small></small></small></font></i><a color="#ffffff"> <small><small><small>"iptables made easy"</small></small></small></font></i><a
href="1.3" target="_top"><font color="#ffffff"><br> href="1.3" target="_top"><font color="#ffffff"><br>
<small><small><small><small>Shorewall 1.3 Site is here</small></small></small></small></font></a><a </font></a><br>
href="http://www1.shorewall.net/1.2/index.htm"><font color="#ffffff"><br>
<small><small><small><small>Shorewall 1.2 Site is here</small></small></small></small></font></a><br>
</h1> </h1>
</div> </div>
<p><a href="http://www.shorewall.net" target="_top"> </a> </p> <p><a href="http://www.shorewall.net" target="_top"> </a> </p>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
@ -52,165 +62,202 @@
style="border-collapse: collapse;" width="100%" id="AutoNumber4"> style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody> <tbody>
<tr> <tr>
<td
width="90%"> <td width="90%">
<h2 align="left">What is it?</h2> <h2 align="left">What is it?</h2>
<p>The Shoreline Firewall, more commonly known as "Shorewall", is a <p>The Shoreline Firewall, more commonly known as "Shorewall", is a
<a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall <a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
that can be used on a dedicated firewall system, a multi-function that can be used on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system.</p> gateway/router/server or on a standalone GNU/Linux system.</p>
<p>This program is free software; you can redistribute it and/or modify <p>This program is free software; you can redistribute it and/or modify
it under the it
terms of <a href="http://www.gnu.org/licenses/gpl.html">Version under the terms of <a
2 of the GNU General Public License</a> as published by the Free href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
Software Foundation.<br> General Public License</a> as published by the Free Software
Foundation.<br>
<br> <br>
This program is This
distributed in the hope that it will be useful, program is distributed in the hope that
but WITHOUT ANY WARRANTY; without even the it will be useful, but WITHOUT ANY WARRANTY;
implied warranty of MERCHANTABILITY or FITNESS without even the implied warranty of MERCHANTABILITY
FOR A PARTICULAR PURPOSE. See the GNU General or FITNESS FOR A PARTICULAR PURPOSE.
Public License for more details.<br> See the GNU General Public License for more
details.<br>
<br> <br>
You should have You
received a copy of the GNU General Public should have received a copy of the GNU
License along with this program; if General Public License along with
not, write to the Free Software Foundation, this program; if not, write to the Free Software
Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p> Foundation, Inc., 675 Mass Ave, Cambridge,
MA 02139, USA</p>
<p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p> <p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques Nilo
and Eric Wolzak have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution
called <i>Bering</i> that features
Shorewall-1.3.14 and Kernel-2.4.20. You can find
their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
</a></p>
<p><b>Congratulations to Jacques and Eric on the recent release of Bering
1.1!!! </b><br>
</p>
<h2>This is a mirror of the main Shorewall web site at SourceForge (<a
href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
<h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
If so, almost <b>NOTHING </b>on this site will apply directly to your setup.
If you want to use the documentation that you find here, it is best if you
uninstall what you have and install a setup that matches the documentation
on this site. See the <a href="two-interface.htm">Two-interface QuickStart
Guide</a> for details.<br>
<h2> Getting Started with Shorewall</h2>
New to Shorewall? Start by selecting the <a
href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most closely
match your environment and follow the step by step instructions.<br>
<h2>News</h2> <h2>News</h2>
<p><b>4/9/2003 - Shorewall 1.4.2</b><b> </b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
<p><b>5/18/2003 - Shorewall 1.4.3 </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
</b><br> </b><br>
</p> </p>
    <b>Problems Corrected:<br>
<p><b>    Problems Corrected:</b></p> </b>
<blockquote>
<ol> <ol>
<li>TCP connection requests rejected out of the <b>common</b> chain <li>There were several cases where Shorewall would fail to remove
are now properly rejected with TCP RST; previously, some of these requests a temporary directory from /tmp. These cases have been corrected.</li>
were rejected with an ICMP port-unreachable response.</li> <li>The rules for allowing all traffic via the loopback interface
<li>'traceroute -I' from behind the firewall previously timed out have been moved to before the rule that drops status=INVALID packets. This
on the first hop (e.g., to the firewall). This has been worked around.</li> insures that all loopback traffic is allowed even if Netfilter connection
tracking is confused.</li>
</ol> </ol>
    <b>New Features:<br>
</b>
<ol>
<li> <a href="6to4.htm">IPV6-IPV4 (6to4) tunnels are</a> now supported
in the /etc/shorewall/tunnels file.</li>
<li>Shorewall can now be easily integrated with fireparse (http://www.fireparse.com)
by setting LOGMARKER="fp=" in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a>
Note: You may not use ULOG with fireparse unless you modify fireparse. </li>
</ol>
<p><b>5/10/2003 - Shorewall Mirror in Asia</b><b> </b><br>
</p>
Ed Greshko has established a mirror in Taiwan -- Thanks Ed!
<p><b>5/8/2003 - Shorewall Mirror in Chile</b><b>  </b></p>
<p>Thanks to Darcy Ganga, there is now an HTTP mirror in Santiago Chile.<br>
</p>
<p><b>4/26/2003 - lists.shorewall.net Downtime</b><b> </b></p>
<p>The list server will be down this morning for upgrade to RH9.0.<br>
</p>
<p><b>4/21/2003 - Samples updated for Shorewall version 1.4.2</b><b>
</b></p>
<p>Thanks to Francesca Smith, the sample configurations are now upgraded
to Shorewall version 1.4.2.</p>
<p><b>4/12/2002 - Greater Seattle Linux Users Group Presentation</b><b>
</b></p>
<blockquote>This morning, I gave <a href="GSLUG.htm" target="_top">a
Shorewall presentation to GSLUG</a>. The presentation is in
HTML format but was generated from Microsoft PowerPoint and is best viewed
using Internet Explorer (although Konqueror also seems to work reasonably
well as does Opera 7.1.0). Neither Opera 6 nor Netscape work well to
view the presentation.<br>
</blockquote> </blockquote>
<p><b>    New Features:</b></p>
<blockquote>
<ol>
<li>Where an entry in the/etc/shorewall/hosts file specifies a
particular host or network, Shorewall now creates an intermediate chain for
handling input from the related zone. This can substantially reduce the number
of rules traversed by connections requests from such zones.<br>
<br>
</li>
<li>Any file may include an INCLUDE directive. An INCLUDE directive
consists of the word INCLUDE followed by a file name and causes the contents
of the named file to be logically included into the file containing the INCLUDE.
File names given in an INCLUDE directive are assumed to reside in /etc/shorewall
or in an alternate configuration directory if one has been specified for the
command. <br>
 <br>
   Examples:<br>
   shorewall/params.mgmt:<br>
   MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3<br>
   TIME_SERVERS=4.4.4.4<br>
   BACKUP_SERVERS=5.5.5.5<br>
   ----- end params.mgmt -----<br>
 <br>
 <br>
   shorewall/params:<br>
   # Shorewall 1.3 /etc/shorewall/params<br>
   [..]<br>
   #######################################<br>
 <br>
   INCLUDE params.mgmt    <br>
  <br>
   # params unique to this host here<br>
   #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE<br>
   ----- end params -----<br>
 <br>
 <br>
   shorewall/rules.mgmt:<br>
   ACCEPT net:$MGMT_SERVERS          $FW    tcp    22<br>
   ACCEPT $FW          net:$TIME_SERVERS    udp    123<br>
   ACCEPT $FW          net:$BACKUP_SERVERS  tcp    22<br>
   ----- end rules.mgmt -----<br>
 <br>
   shorewall/rules:<br>
   # Shorewall version 1.3 - Rules File<br>
   [..]<br>
   #######################################<br>
 <br>
   INCLUDE rules.mgmt     <br>
  <br>
   # rules unique to this host here<br>
   #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE<br>
   ----- end rules -----<br>
 <br>
INCLUDE's may be nested to a level of 3 -- further nested INCLUDE directives
are ignored with a warning message.<br>
<br>
</li>
<li>Routing traffic from an interface back out that interface continues
to be a problem. While I firmly believe that this should never happen, people
continue to want to do it. To limit the damage that such nonsense produces,
I have added a new 'routeback' option in /etc/shorewall/interfaces and /etc/shorewall/hosts.
When used in /etc/shorewall/interfaces, the 'ZONE' column may not contain
'-'; in other words, 'routeback' can't be used as an option for a multi-zone
interface. The 'routeback' option CAN be specified however on individual group
entries in /etc/shorewall/hosts.<br>
 <br>
The 'routeback' option is similar to the old 'multi' option with two exceptions:<br>
 <br>
   a) The option pertains to a particular zone,interface,address tuple.<br>
 <br>
   b) The option only created infrastructure to pass traffic from (zone,interface,address)
tuples back to themselves (the 'multi' option affected all (zone,interface,address)
tuples associated with the given 'interface').<br>
 <br>
See the '<a href="file:///Z:/Shorewall-docs/upgrade_issues.htm">Upgrade
Issues</a>' for information about how this new option may affect your configuration.<br>
</li>
</ol>
</blockquote>
<p><b></b></p> <p><b></b></p>
<blockquote>
<ol>
</ol>
</blockquote>
<p><a href="News.htm">More News</a></p> <p><a href="News.htm">More News</a></p>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36"
alt="(Leaf Logo)">
</a>Jacques
Nilo and Eric Wolzak have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution
called <i>Bering</i> that
features Shorewall-1.3.14 and Kernel-2.4.20.
You can find their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
</a></p>
<b>Congratulations to Jacques and Eric on the recent release of Bering
1.2!!! </b><br>
<h2><a name="Donations"></a>Donations</h2> <h2><a name="Donations"></a>Donations</h2>
</td> </td>
<td
width="88" bgcolor="#4b017c" valign="top" align="center"> <br> <td width="88" bgcolor="#4b017c" valign="top" align="center">
<form method="post"
action="http://lists.shorewall.net/cgi-bin/htsearch">
<strong><br>
<font color="#ffffff"><b>Note:
</b></font></strong><font color="#ffffff">Search is unavailable
Daily 0200-0330 GMT.</font><br>
<strong></strong>
<p><font color="#ffffff"><strong>Quick Search</strong></font><br>
<font face="Arial"
size="-1"> <input type="text" name="words" size="15"></font><font
size="-1"> </font> <font face="Arial" size="-1"> <input
type="hidden" name="format" value="long"> <input type="hidden"
name="method" value="and"> <input type="hidden" name="config"
value="htdig"> <input type="submit" value="Search"></font> </p>
<font face="Arial"> <input
type="hidden" name="exclude"
value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
<p><font color="#ffffff"><b><a
href="http://lists.shorewall.net/htdig/search.html"><font
color="#ffffff">Extended Search</font></a></b></font></p>
<br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</center> </center>
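Review bot: In the 1.4.3 "Problems Corrected" item 2, "insures" should be "ensures", and since moving the loopback rules ahead of the INVALID drop is the security-relevant change in this release note, state plainly that before this fix local traffic could be dropped when connection tracking classified it as INVALID. In the "Getting Started" paragraph, "that most closely match your environment" should be "matches". The fireparse item names the site as bare text "(http://www.fireparse.com)" while the 6to4 item is a link; make it a link, and give the ULOG restriction its own sentence so it reads as a limitation of fireparse rather than of the LOGMARKER setting.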
@ -221,25 +268,32 @@ Issues</a>' for information about how this new option may affect your configurat
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td width="100%" <td
style="margin-top: 1px;"> width="100%" style="margin-top: 1px;">
<p align="center"><a href="http://www.starlight.org"> <img <p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left" border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10"> hspace="10">
</a></p> </a></p>
<p align="center"><font size="4" color="#ffffff">Shorewall is free but <p align="center"><font size="4" color="#ffffff">Shorewall is free but
if you try it and find it useful, please consider making a donation if you try it and find it useful, please consider making a donation
to <a to
href="http://www.starlight.org"><font color="#ffffff">Starlight Children's <a href="http://www.starlight.org"><font color="#ffffff">Starlight Children's
Foundation.</font></a> Thanks!</font></p> Foundation.</font></a> Thanks!</font></p>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p><font size="2">Updated 4/7/2003 - <a href="support.htm">Tom Eastep</a></font> <p><font size="2">Updated 5/18/2003 - <a href="support.htm">Tom Eastep</a></font>
<br>
<br> <br>
</p> </p>
<br> <br>

View File

@ -6,7 +6,6 @@
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>About the Shorewall Author</title> <title>About the Shorewall Author</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
@ -40,28 +39,28 @@
<ul> <ul>
<li>Born 1945 in <a <li>Born 1945 in <a
href="http://www.experiencewashington.com">Washington State</a> .</li> href="http://www.experiencewashington.com">Washington State</a> .</li>
<li>BA Mathematics from <a href="http://www.wsu.edu">Washington <li>BA Mathematics from <a
State University</a> 1967</li> href="http://www.wsu.edu">Washington State University</a> 1967</li>
<li>MA Mathematics from <a <li>MA Mathematics from <a
href="http://www.washington.edu">University of Washington</a> 1969</li> href="http://www.washington.edu">University of Washington</a> 1969</li>
<li>Burroughs Corporation (now <a <li>Burroughs Corporation (now <a
href="http://www.unisys.com">Unisys</a> ) 1969 - 1980</li> href="http://www.unisys.com">Unisys</a> ) 1969 - 1980</li>
<li><a href="http://www.tandem.com">Tandem Computers, Incorporated</a> <li><a href="http://www.tandem.com">Tandem Computers,
(now part of the <a href="http://www.hp.com">The New HP</a>) 1980 Incorporated</a> (now part of the <a href="http://www.hp.com">The
- present</li> New HP</a>) 1980 - present</li>
<li>Married 1969 - no children.</li> <li>Married 1969 - no children.</li>
</ul> </ul>
<p>I am currently a member of the design team for the next-generation <p>I am currently a member of the design team for the next-generation operating
operating system from the NonStop Enterprise Division of HP. </p> system from the NonStop Enterprise Division of HP. </p>
<p>I became interested in Internet Security when I established a home office <p>I became interested in Internet Security when I established a home office
in 1999 and had DSL service installed in our home. I investigated in 1999 and had DSL service installed in our home. I investigated
ipchains and developed the scripts which are now collectively known as ipchains and developed the scripts which are now collectively known
<a href="http://seawall.sourceforge.net"> Seattle Firewall</a>. Expanding as <a href="http://seawall.sourceforge.net"> Seattle Firewall</a>.
on what I learned from Seattle Firewall, I then designed and Expanding on what I learned from Seattle Firewall, I then designed
wrote Shorewall. </p> and wrote Shorewall. </p>
<p>I telework from our <a <p>I telework from our <a
href="http://lists.shorewall.net/SeattleInTheSpring.html">home</a> in <a href="http://lists.shorewall.net/SeattleInTheSpring.html">home</a> in <a
@ -71,27 +70,30 @@ I live with my wife Tarry.
<p>Our current home network consists of: </p> <p>Our current home network consists of: </p>
<ul> <ul>
<li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &amp; <li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB
20GB IDE HDs and LNE100TX (Tulip) NIC - My personal Windows system. &amp; 20GB IDE HDs and LNE100TX (Tulip) NIC - My personal Windows
Serves as a PPTP server for Road Warrior access. Dual boots <a system. Serves as a PPTP server for Road Warrior access. Dual boots <a
href="http://www.mandrakelinux.com">Mandrake</a> 9.0.</li> href="http://www.mandrakelinux.com">Mandrake</a> 9.0.</li>
<li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip) <li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip)
NIC - My personal Linux System which runs Samba configured as a NIC - My personal Linux System which runs Samba configured
WINS server. This system also has <a as a WINS server. This system also has <a
href="http://www.vmware.com/">VMware</a> installed and can run both href="http://www.vmware.com/">VMware</a> installed and can run both
<a href="http://www.debian.org">Debian Woody</a> and <a <a href="http://www.debian.org">Debian Woody</a> and <a
href="http://www.suse.com">SuSE 8.1</a> in virtual machines.</li> href="http://www.suse.com">SuSE 8.1</a> in virtual machines.</li>
<li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC  <li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100
- Email (Postfix, Courier-IMAP and Mailman), HTTP (Apache), FTP (Pure_ftpd), NIC  - Email (Postfix, Courier-IMAP and Mailman), HTTP (Apache), FTP
DNS server (Bind 9).</li> (Pure_ftpd), DNS server (Bind 9).</li>
<li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI HD - 3 <li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI HD -
LNE100TX  (Tulip) and 1 TLAN NICs  - Firewall running Shorewall 1.4.0  3 LNE100TX  (Tulip) and 1 TLAN NICs  - Firewall running Shorewall
and a DHCP server.</li> 1.4.2  and a DHCP server.</li>
<li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC <li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139
- My wife's personal system.</li> NIC - My wife's personal system.</li>
<li>PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB HD, onboard <li>PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB HD,
EEPRO100 and EEPRO100 in expansion base and LinkSys WAC11 - My built-in EEPRO100, EEPRO100 in expansion base and LinkSys WAC11 - My
main work system.</li> work system.</li>
<li>XP 2200 Laptop, WinXP SP1, 512MB RAM, 40GB HD, built-in NIC and LinkSys
WAC11 - Our Laptop.<br>
</li>
</ul> </ul>
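Review bot: The firewall entry is updated from "Shorewall 1.4.0" to "1.4.2" in the same commit whose news item announces Shorewall 1.4.3 on 5/18/2003; if the firewall runs the release being cut, say 1.4.3, otherwise the two pages disagree. The reflowed PII/233 line also still reads "256MB MB RAM" (duplicated "MB").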
@ -114,11 +116,16 @@ main work system.</li>
</a><a href="http://www.mandrakelinux.com"><img </a><a href="http://www.mandrakelinux.com"><img
src="images/medbutton.png" alt="Powered by Mandrake" width="90" src="images/medbutton.png" alt="Powered by Mandrake" width="90"
height="32"> height="32">
</a><img src="images/shorewall.jpg" alt="Protected by Shorewall" </a><img src="images/shorewall.jpg"
width="125" height="40" hspace="4"> alt="Protected by Shorewall" width="125" height="40" hspace="4">
</font></p> <a href="http://www.opera.com"><img src="images/opera.png"
alt="(Opera Logo)" width="102" height="39" border="0">
</a>  <a href="http://www.hp.com"><img
src="images/penquin_in_blue_racer_sm2.gif" alt="" width="120"
height="75" border="0">
</a><a href="http://www.opera.com"> </a> </font></p>
<p><font size="2">Last updated 3/17/2003 - </font><font size="2"> <a <p><font size="2">Last updated 5/8/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p> href="support.htm">Tom Eastep</a></font> </p>
<font face="Trebuchet MS"><a href="copyright.htm"><font <font face="Trebuchet MS"><a href="copyright.htm"><font
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas
@ -126,5 +133,11 @@ main work system.</li>
<br> <br>
<br> <br>
<br> <br>
<br>
<br>
<br>
<br>
<br>
<br>
</body> </body>
</html> </html>

View File

@ -47,6 +47,9 @@ is updated at the same time as the rsync site.</b></p>
(Martinez (Zona Norte - GBA), Argentina)</li> (Martinez (Zona Norte - GBA), Argentina)</li>
<li><a target="_top" href="http://france.shorewall.net">http://france.shorewall.net</a> <li><a target="_top" href="http://france.shorewall.net">http://france.shorewall.net</a>
(Paris, France)</li> (Paris, France)</li>
<li><a href="http://shorewall.syachile.cl" target="_top">http://shorewall.syachile.cl
</a>(Santiago Chile)<br>
</li>
<li><a href="http://www.shorewall.net" target="_top">http://www.shorewall.net</a> <li><a href="http://www.shorewall.net" target="_top">http://www.shorewall.net</a>
(Washington State, USA)<br> (Washington State, USA)<br>
</li> </li>
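Review bot: the new Santiago mirror entry is formatted differently from its siblings. Every other entry reads "(City, Country)", so `(Santiago Chile)` should be `(Santiago, Chile)`, and the line break inside the link text plus the `<br>` before `</li>` are not used by the surrounding entries; writing it on the pattern of the Paris line, `<li><a href="http://shorewall.syachile.cl" target="_top">http://shorewall.syachile.cl</a> (Santiago, Chile)</li>`, keeps the list uniform.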
@ -59,8 +62,9 @@ is updated at the same time as the rsync site.</b></p>
<li><a target="_blank" <li><a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/">ftp://slovakia.shorewall.net/mirror/shorewall</a> href="ftp://slovakia.shorewall.net/mirror/shorewall/">ftp://slovakia.shorewall.net/mirror/shorewall</a>
(Slovak Republic).</li> (Slovak Republic).</li>
<li> <a href="ftp://ftp.infohiiway.com/pub/mirrors/shorewall/" <li> <a
target="_blank">ftp://ftp.infohiiway.com/pub/shorewall</a> (Texas, USA).</li> href="ftp://ftp.infohiiway.com/pub/mirrors/shorewall/" target="_blank">ftp://ftp.infohiiway.com/pub/shorewall</a>
(Texas, USA).</li>
<li><a target="_blank" <li><a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall"> ftp://germany.shorewall.net/pub/shorewall</a> href="ftp://germany.shorewall.net/pub/shorewall"> ftp://germany.shorewall.net/pub/shorewall</a>
(Hamburg, Germany)</li> (Hamburg, Germany)</li>
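Review bot: the infohiiway entry's visible text `ftp://ftp.infohiiway.com/pub/shorewall` does not match its `href` `ftp://ftp.infohiiway.com/pub/mirrors/shorewall/`. The mismatch predates this change, but since the line is being reflowed here it is the right moment to make the link text equal to the target so readers who copy the URL rather than click it land in the right directory.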
@ -75,7 +79,7 @@ is updated at the same time as the rsync site.</b></p>
Search results and the mailing list archives are always fetched from the Search results and the mailing list archives are always fetched from the
site in Washington State.<br> site in Washington State.<br>
<p align="left"><font size="2">Last Updated 3/7/2003 - <a <p align="left"><font size="2">Last Updated 5/8/2003 - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
@ -84,5 +88,6 @@ site in Washington State.<br>
<br> <br>
<br> <br>
<br> <br>
<br>
</body> </body>
</html> </html>

View File

@ -2,22 +2,16 @@
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shorewall QuickStart Guide</title> <title>Shorewall QuickStart Guide</title>
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
@ -29,19 +23,17 @@
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall QuickStart Guides <h1 align="center"><font color="#ffffff">Shorewall QuickStart Guides
(HOWTO's)<br> (HOWTO's)<br>
Version 4.0</font></h1> Version 4.0</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p align="center">With thanks to Richard who reminded me once again that <p align="center">With thanks to Richard who reminded me once again that we
we must all first walk before we can run.<br> must all first walk before we can run.<br>
The French Translations are courtesy of Patrice Vetsel<br> The French Translations are courtesy of Patrice Vetsel<br>
</p> </p>
@ -53,102 +45,27 @@ we must all first walk before we can run.<br>
<p>The following guides are for <b>users who have a single public IP address</b>:</p> <p>The following guides are for <b>users who have a single public IP address</b>:</p>
<ul> <ul>
<li><a href="standalone.htm">Standalone</a> Linux <li><a href="standalone.htm">Standalone</a>
System (<a href="standalone_fr.html">Version Française</a>)</li> Linux System (<a href="standalone_fr.html">Version Française</a>)</li>
<li><a href="two-interface.htm">Two-interface</a> <li><a href="two-interface.htm">Two-interface</a>
Linux System acting as a firewall/router for a small local network Linux System acting as a firewall/router for a small local
(<a href="two-interface_fr.html">Version Française</a>)</li> network (<a href="two-interface_fr.html">Version Française</a>)</li>
<li><a href="three-interface.htm">Three-interface</a> <li><a href="three-interface.htm">Three-interface</a>
Linux System acting as a firewall/router for a small local network Linux System acting as a firewall/router for a small local
and a DMZ. (<a href="three-interface_fr.html">Version Française</a>)</li> network and a DMZ. (<a href="three-interface_fr.html">Version Française</a>)</li>
</ul> </ul>
<p>The above guides are designed to get your first firewall up and running <p>The above guides are designed to get your first firewall up and running
quickly in the three most common Shorewall configurations.</p> quickly in the three most common Shorewall configurations.</p>
<p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> outlines <p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> (See
the steps necessary to set up a firewall where <b>there are multiple Index Below) outlines the steps necessary to set up a firewall
public IP addresses involved or if you want to learn more about where <b>there are multiple public IP addresses involved or
Shorewall than is explained in the single-address guides above.</b></p> if you want to learn more about Shorewall than is explained in
the single-address guides above.</b></p>
<ul> <ul>
<li><a
href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a></li>
<li><a
href="shorewall_setup_guide.htm#Concepts">2.0 Shorewall Concepts</a></li>
<li><a
href="shorewall_setup_guide.htm#Interfaces">3.0 Network Interfaces</a></li>
<li><a
href="shorewall_setup_guide.htm#Addressing">4.0 Addressing, Subnets
and Routing</a>
<ul>
<li><a
href="shorewall_setup_guide.htm#Addresses">4.1 IP Addresses</a></li>
<li><a
href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
<li><a
href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li>
<li><a href="shorewall_setup_guide.htm#ARP">4.4
Address Resolution Protocol</a></li>
</ul>
<ul>
<li><a
href="shorewall_setup_guide.htm#RFC1918">4.5 RFC 1918</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#Options">5.0
Setting up your Network</a>
<ul>
<li><a
href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li>
</ul>
<ul>
<li><a
href="shorewall_setup_guide.htm#NonRouted">5.2 Non-routed</a>
<ul>
<li><a
href="shorewall_setup_guide.htm#SNAT">5.2.1 SNAT</a></li>
<li><a
href="shorewall_setup_guide.htm#DNAT">5.2.2 DNAT</a></li>
<li><a
href="shorewall_setup_guide.htm#ProxyARP">5.2.3 Proxy ARP</a></li>
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4
Static NAT</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#Rules">5.3
Rules</a></li>
<li><a
href="shorewall_setup_guide.htm#OddsAndEnds">5.4 Odds and Ends</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#DNS">6.0
DNS</a></li>
<li><a
href="shorewall_setup_guide.htm#StartingAndStopping">7.0 Starting and
Stopping the Firewall</a></li>
</ul> </ul>
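Review bot: removing the Setup Guide table of contents from this hunk leaves an empty `<ul>` `</ul>` pair directly after the paragraph, and the replacement text "(See Index Below)" is an unlinked cross-reference to an index that now sits well down the page inside the supplementary documentation list. Delete the empty list, and either link the phrase to the moved index with an anchor (for example `<a href="#SetupGuideIndex">` on a matching `<a name>` added where the index now lives; the name is only a suggestion) or keep a short linked index here, since this paragraph is where users with multiple public addresses are sent.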
@ -157,33 +74,32 @@ DNS</a></li>
<p>The following documentation covers a variety of topics and <b>supplements <p>The following documentation covers a variety of topics and <b>supplements
the <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a> the <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a>
described above</b>. Please review the appropriate guide before described above</b>. Please review the appropriate guide before
trying to use this documentation directly.</p> trying to use this documentation directly.</p>
<ul> <ul>
<li><a <li><a
href="Shorewall_and_Aliased_Interfaces.html">Aliased (virtual) Interfaces href="Shorewall_and_Aliased_Interfaces.html">Aliased (virtual) Interfaces
(e.g., eth0:0)</a><br> (e.g., eth0:0)</a><br>
</li> </li>
<li><a href="blacklisting_support.htm">Blacklisting</a> <li><a href="blacklisting_support.htm">Blacklisting</a>
<ul> <ul>
<li>Static Blacklisting using /etc/shorewall/blacklist</li> <li>Static Blacklisting using /etc/shorewall/blacklist</li>
<li>Dynamic Blacklisting using /sbin/shorewall</li> <li>Dynamic Blacklisting using /sbin/shorewall</li>
</ul> </ul>
</li> </li>
<li><a href="configuration_file_basics.htm">Common <li><a
configuration file features</a> href="configuration_file_basics.htm">Common configuration file
features</a>
<ul> <ul>
<li><a <li><a
href="configuration_file_basics.htm#Comments">Comments in configuration href="configuration_file_basics.htm#Comments">Comments in configuration
files</a></li> files</a></li>
<li><a <li><a
href="configuration_file_basics.htm#Continuation">Line Continuation</a></li> href="configuration_file_basics.htm#Continuation">Line Continuation</a></li>
<li><a href="configuration_file_basics.htm#INCLUDE">INCLUDE Directive</a><br>
</li>
<li><a <li><a
href="configuration_file_basics.htm#Ports">Port Numbers/Service Names</a></li> href="configuration_file_basics.htm#Ports">Port Numbers/Service Names</a></li>
<li><a <li><a
@ -197,20 +113,18 @@ trying to use this documentation directly.</p>
href="configuration_file_basics.htm#Compliment">Complementing an IP address href="configuration_file_basics.htm#Compliment">Complementing an IP address
or Subnet</a></li> or Subnet</a></li>
<li><a <li><a
href="configuration_file_basics.htm#Configs">Shorewall Configurations (making href="configuration_file_basics.htm#Configs">Shorewall Configurations
a test configuration)</a></li> (making a test configuration)</a></li>
<li><a <li><a
href="configuration_file_basics.htm#MAC">Using MAC Addresses in Shorewall</a></li> href="configuration_file_basics.htm#MAC">Using MAC Addresses in Shorewall</a></li>
</ul> </ul>
</li> </li>
<li><a href="Documentation.htm">Configuration File <li><a href="Documentation.htm">Configuration
Reference Manual</a> File Reference Manual</a>
<ul> <ul>
<li> <a href="Documentation.htm#Variables">params</a></li> <li> <a
href="Documentation.htm#Variables">params</a></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="Documentation.htm#Zones">zones</a></font></li> href="Documentation.htm#Zones">zones</a></font></li>
<li><font color="#000099"><a <li><font color="#000099"><a
@ -230,65 +144,133 @@ a test configuration)</a></li>
href="Documentation.htm#NAT">nat</a></font></li> href="Documentation.htm#NAT">nat</a></font></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="Documentation.htm#Tunnels">tunnels</a></font></li> href="Documentation.htm#Tunnels">tunnels</a></font></li>
<li><a href="traffic_shaping.htm#tcrules">tcrules</a></li> <li><a
href="traffic_shaping.htm#tcrules">tcrules</a></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="Documentation.htm#Conf">shorewall.conf</a></font></li> href="Documentation.htm#Conf">shorewall.conf</a></font></li>
<li><a href="Documentation.htm#modules">modules</a></li> <li><a
<li><a href="Documentation.htm#TOS">tos</a> </li> href="Documentation.htm#modules">modules</a></li>
<li><a href="Documentation.htm#Blacklist">blacklist</a></li> <li><a href="Documentation.htm#TOS">tos</a>
<li><a href="Documentation.htm#rfc1918">rfc1918</a></li> </li>
<li><a href="Documentation.htm#Routestopped">routestopped</a></li> <li><a
href="Documentation.htm#Blacklist">blacklist</a></li>
<li><a
href="Documentation.htm#rfc1918">rfc1918</a></li>
<li><a
href="Documentation.htm#Routestopped">routestopped</a></li>
</ul> </ul>
</li> </li>
<li><a href="dhcp.htm">DHCP</a></li> <li><a href="dhcp.htm">DHCP</a></li>
<li><a href="ECN.html">ECN Disabling by host
or subnet</a><br>
</li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="shorewall_extension_scripts.htm">Extension Scripts</a></font> (How href="shorewall_extension_scripts.htm">Extension Scripts</a></font>
to extend Shorewall without modifying Shorewall code through the use of (How to extend Shorewall without modifying Shorewall code through the
files in /etc/shorewall -- /etc/shorewall/start, /etc/shorewall/stopped, use of files in /etc/shorewall -- /etc/shorewall/start, /etc/shorewall/stopped,
etc.)</li> etc.)</li>
<li><a href="fallback.htm">Fallback/Uninstall</a></li> <li><a href="fallback.htm">Fallback/Uninstall</a></li>
<li><a href="shorewall_firewall_structure.htm">Firewall <li><a
Structure</a></li> href="shorewall_firewall_structure.htm">Firewall Structure</a></li>
<li><font color="#000099"><a href="kernel.htm">Kernel <li><font color="#000099"><a
Configuration</a></font></li> href="kernel.htm">Kernel Configuration</a></font></li>
<li><a href="shorewall_logging.html">Logging</a><br> <li><a href="shorewall_logging.html">Logging</a><br>
</li> </li>
<li><a href="MAC_Validation.html">MAC Verification</a><br> <li><a href="MAC_Validation.html">MAC Verification</a><br>
</li> </li>
<li><a href="myfiles.htm">My Shorewall Configuration <li><a href="myfiles.htm">My Shorewall
(How I personally use Shorewall)</a><br> Configuration (How I personally use Shorewall)</a><br>
</li> </li>
<li><a href="ping.html">'Ping' Management</a><br> <li><a href="ping.html">'Ping' Management</a><br>
</li> </li>
<li><a href="ports.htm">Port Information</a> <li><a href="ports.htm">Port Information</a>
<ul> <ul>
<li>Which applications use which ports</li> <li>Which applications use which ports</li>
<li>Ports used by Trojans</li> <li>Ports used by Trojans</li>
</ul> </ul>
</li> </li>
<li><a href="ProxyARP.htm">Proxy ARP</a></li> <li><a href="ProxyARP.htm">Proxy ARP</a></li>
<li><a href="samba.htm">Samba</a></li> <li><a href="samba.htm">Samba</a></li>
<li><a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a><br>
</li>
<ul>
<li><a href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a></li>
<li><a href="shorewall_setup_guide.htm#Concepts">2.0 Shorewall
Concepts</a></li>
<li><a href="shorewall_setup_guide.htm#Interfaces">3.0 Network
Interfaces</a></li>
<li><a href="shorewall_setup_guide.htm#Addressing">4.0 Addressing,
Subnets and Routing</a>
<ul>
<li><a href="shorewall_setup_guide.htm#Addresses">4.1 IP
Addresses</a></li>
<li><a href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
<li><a href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li>
<li><a href="shorewall_setup_guide.htm#ARP">4.4 Address
Resolution Protocol (ARP)</a></li>
</ul>
<ul>
<li><a href="shorewall_setup_guide.htm#RFC1918">4.5 RFC
1918</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#Options">5.0 Setting
up your Network</a>
<ul>
<li><a href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li>
</ul>
<ul>
<li><a href="shorewall_setup_guide.htm#NonRouted">5.2 Non-routed</a>
<ul>
<li><a href="shorewall_setup_guide.htm#SNAT">5.2.1 SNAT</a></li>
<li><a href="shorewall_setup_guide.htm#DNAT">5.2.2 DNAT</a></li>
<li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3
Proxy ARP</a></li>
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4 Static
NAT</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#Rules">5.3 Rules</a></li>
<li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4 Odds
and Ends</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#DNS">6.0 DNS</a></li>
<li><a href="shorewall_setup_guide.htm#StartingAndStopping">7.0
Starting and Stopping the Firewall</a></li>
</ul>
<li><font color="#000099"><a <li><font color="#000099"><a
href="starting_and_stopping_shorewall.htm">Starting/stopping the Firewall</a></font></li> href="starting_and_stopping_shorewall.htm">Starting/stopping the Firewall</a></font></li>
<ul> <ul>
<li>Description of all /sbin/shorewall commands</li> <li>Description of all /sbin/shorewall commands</li>
<li>How to safely test a Shorewall configuration change<br> <li>How to safely test a Shorewall configuration
change<br>
</li> </li>
</ul> </ul>
<li><font color="#000099"><a href="NAT.htm">Static <li><font color="#000099"><a
NAT</a></font></li> href="NAT.htm">Static NAT</a></font></li>
<li><a href="Shorewall_Squid_Usage.html">Squid as a Transparent <li><a href="Shorewall_Squid_Usage.html">Squid as a Transparent
Proxy with Shorewall</a><br> Proxy with Shorewall</a><br>
</li> </li>
<li><a href="traffic_shaping.htm">Traffic Shaping/QOS</a></li> <li><a href="traffic_shaping.htm">Traffic
Shaping/QOS</a></li>
<li>VPN <li>VPN
<ul> <ul>
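Review bot: the relocated Setup Guide index is placed after the `</li>` of the "Shorewall Setup Guide" entry, so the `<ul>` that holds sections 1.0 to 7.0 becomes a direct child of the outer `<ul>`, which is not valid HTML (the existing "Starting/stopping the Firewall" entry has the same fault, so this copies it rather than introducing it). Move the `</li>` to after the inner `</ul>` so the index nests inside its entry. The same hunk also splits what should be single sublists into sibling `<ul>` blocks (4.1 to 4.4 in one, 4.5 in another; 5.1 alone, then 5.2 to 5.4); merging each pair into one `<ul>` renders as one indented list instead of two.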
@ -297,25 +279,30 @@ Proxy with Shorewall</a><br>
<li><a href="OPENVPN.html">OpenVPN</a><br> <li><a href="OPENVPN.html">OpenVPN</a><br>
</li> </li>
<li><a href="PPTP.htm">PPTP</a></li> <li><a href="PPTP.htm">PPTP</a></li>
<li><a href="VPN.htm">IPSEC/PPTP</a> from a system <li><a href="6to4.htm">6t04</a><br>
behind your firewall to a remote network.</li> </li>
<li><a href="VPN.htm">IPSEC/PPTP</a> from
a system behind your firewall to a remote network.</li>
</ul> </ul>
</li> </li>
<li><a href="whitelisting_under_shorewall.htm">White <li><a
List Creation</a></li> href="whitelisting_under_shorewall.htm">White List Creation</a></li>
</ul> </ul>
<p>If you use one of these guides and have a suggestion for improvement <a <p>If you use one of these guides and have a suggestion for improvement <a
href="mailto:webmaster@shorewall.net">please let me know</a>.</p> href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
<p><font size="2">Last modified 3/12/2003 - <a href="support.htm">Tom Eastep</a></font></p> <p><font size="2">Last modified 5/18/2003 - <a href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright 2002, 2003 Thomas M. <p><a href="copyright.htm"><font size="2">Copyright 2002, 2003 Thomas M.
Eastep</font></a><br> Eastep</font></a><br>
</p> </p>
<br> <br>
<br>
<br>
<br>
<br>
</body> </body>
</html> </html>
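Review bot: the new VPN entry's link text reads `6t04` with a digit zero; it should be `6to4` to match the target file `6to4.htm` and the feature name. Separately, 6to4 is plain IPv6-in-IPv4 encapsulation (protocol 41) with no encryption or peer authentication, so listing it alongside IPSEC, OpenVPN and PPTP under "VPN" invites readers to assume a security property it does not have; a separate "Tunnels" heading, or a qualifier such as "6to4 (IPv6 over IPv4, not encrypted)", would avoid that.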

View File

@ -27,7 +27,7 @@
<p><a href="#Addresses">4.1 IP Addresses</a><br> <p><a href="#Addresses">4.1 IP Addresses</a><br>
<a href="#Subnets">4.2 Subnets</a><br> <a href="#Subnets">4.2 Subnets</a><br>
<a href="#Routing">4.3 Routing</a><br> <a href="#Routing">4.3 Routing</a><br>
<a href="#ARP">4.4 Address Resolution Protocol</a><br> <a href="#ARP">4.4 Address Resolution Protocol (ARP)</a><br>
<a href="#RFC1918">4.5 RFC 1918</a></p> <a href="#RFC1918">4.5 RFC 1918</a></p>
</blockquote> </blockquote>
@ -57,8 +57,8 @@
where a set of public IP addresses must be managed or who want to know where a set of public IP addresses must be managed or who want to know
more about Shorewall than is contained in the <a more about Shorewall than is contained in the <a
href="shorewall_quickstart_guide.htm">single-address guides</a>. Because href="shorewall_quickstart_guide.htm">single-address guides</a>. Because
the range of possible applications is so broad, the Guide will give you the range of possible applications is so broad, the Guide will give
general guidelines and will point you to other resources as necessary.</p> you general guidelines and will point you to other resources as necessary.</p>
<p><img border="0" src="images/j0213519.gif" width="60" height="60"> <p><img border="0" src="images/j0213519.gif" width="60" height="60">
    If you run LEAF Bering, your Shorewall configuration is NOT     If you run LEAF Bering, your Shorewall configuration is NOT
@ -67,7 +67,7 @@ what I release -- I suggest that you consider installing a stock Shorewall
<p>Shorewall requires that the iproute/iproute2 package be installed (on <p>Shorewall requires that the iproute/iproute2 package be installed (on
RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell if RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell if
this package is installed by the presence of an <b>ip</b> program on your this package is installed by the presence of an <b>ip</b> program on your
firewall system. As root, you can use the 'which' command to check for firewall system. As root, you can use the 'which' command to check for
this program:</p> this program:</p>
@ -81,9 +81,9 @@ this program:</p>
.</p> .</p>
<p><img border="0" src="images/j0213519.gif" width="60" height="60"> <p><img border="0" src="images/j0213519.gif" width="60" height="60">
    If you edit your configuration files on a Windows system, you     If you edit your configuration files on a Windows system,
must save them as Unix files if your editor supports that option or you you must save them as Unix files if your editor supports that option
must run them through dos2unix before trying to use them with Shorewall. or you must run them through dos2unix before trying to use them with Shorewall.
Similarly, if you copy a configuration file from your Windows hard drive Similarly, if you copy a configuration file from your Windows hard drive
to a floppy disk, you must run dos2unix against the copy before using to a floppy disk, you must run dos2unix against the copy before using
it with Shorewall.</p> it with Shorewall.</p>
@ -93,16 +93,16 @@ it with Shorewall.</p>
Version of dos2unix</a></li> Version of dos2unix</a></li>
<li><a <li><a
href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version
of dos2unix</a></li> of dos2unix</a></li>
</ul> </ul>
<h2 align="left"><a name="Concepts"></a>2.0 Shorewall Concepts</h2> <h2 align="left"><a name="Concepts"></a>2.0 Shorewall Concepts</h2>
<p>The configuration files for Shorewall are contained in the directory <p>The configuration files for Shorewall are contained in the directory /etc/shorewall
/etc/shorewall -- for most setups, you will only need to deal with a few -- for most setups, you will only need to deal with a few of these as described
of these as described in this guide. Skeleton files are created during the in this guide. Skeleton files are created during the <a
<a href="Install.htm">Shorewall Installation Process</a>.</p> href="Install.htm">Shorewall Installation Process</a>.</p>
<p>As each file is introduced, I suggest that you look through the actual <p>As each file is introduced, I suggest that you look through the actual
file on your system -- each file contains detailed configuration instructions file on your system -- each file contains detailed configuration instructions
@ -144,9 +144,9 @@ the <a href="Documentation.htm#Configs">/etc/shorewall/shorewall.conf</a>
file. In this guide, the default name (<b>fw</b>) will be used.</p> file. In this guide, the default name (<b>fw</b>) will be used.</p>
<p>With the exception of <b>fw</b>, Shorewall attaches absolutely no meaning <p>With the exception of <b>fw</b>, Shorewall attaches absolutely no meaning
to zone names. Zones are entirely what YOU make of them. That means that to zone names. Zones are entirely what YOU make of them. That means
you should not expect Shorewall to do something special "because this that you should not expect Shorewall to do something special "because
is the internet zone" or "because that is the DMZ".</p> this is the internet zone" or "because that is the DMZ".</p>
<p><img border="0" src="images/BD21298_.gif" width="13" height="13"> <p><img border="0" src="images/BD21298_.gif" width="13" height="13">
    Edit the /etc/shorewall/zones file and make any changes necessary.</p>     Edit the /etc/shorewall/zones file and make any changes necessary.</p>
@ -175,21 +175,21 @@ zone to another zone in the<a href="Documentation.htm#Policy"> /etc/shorew
<li> Identify the source zone.</li> <li> Identify the source zone.</li>
<li> Identify the destination zone.</li> <li> Identify the destination zone.</li>
<li> If the POLICY from the client's zone to the server's <li> If the POLICY from the client's zone to the server's
zone is what you want for this client/server pair, you need do zone is what you want for this client/server pair, you need do nothing
nothing further.</li> further.</li>
<li> If the POLICY is not what you want, then you must <li> If the POLICY is not what you want, then you must
add a rule. That rule is expressed in terms of the client's zone add a rule. That rule is expressed in terms of the client's zone
and the server's zone.</li> and the server's zone.</li>
</ol> </ol>
<p> Just because connections of a particular type are allowed from zone A <p> Just because connections of a particular type are allowed from zone
to the firewall and are also allowed from the firewall to zone B <font A to the firewall and are also allowed from the firewall to zone B <font
color="#ff6633"><b><u> DOES NOT mean that these connections are allowed color="#ff6633"><b><u> DOES NOT mean that these connections are allowed
from zone A to zone B</u></b></font>. It rather means that you can from zone A to zone B</u></b></font>. It rather means that you can
have a proxy running on the firewall that accepts a connection from zone have a proxy running on the firewall that accepts a connection from
A and then establishes its own separate connection from the firewall to zone A and then establishes its own separate connection from the firewall
zone B.</p> to zone B.</p>
<p>For each connection request entering the firewall, the request is first <p>For each connection request entering the firewall, the request is first
checked against the /etc/shorewall/rules file. If no rule in that file checked against the /etc/shorewall/rules file. If no rule in that file
@ -241,8 +241,8 @@ zone B.</p>
<ol> <ol>
<li>allow all connection requests from your local network to <li>allow all connection requests from your local network to
the internet</li> the internet</li>
<li>drop (ignore) all connection requests from the internet to <li>drop (ignore) all connection requests from the internet
your firewall or local network and log a message at the <i>info</i> to your firewall or local network and log a message at the <i>info</i>
level (<a href="shorewall_logging.html">here</a> is a description of log level (<a href="shorewall_logging.html">here</a> is a description of log
levels).</li> levels).</li>
<li>reject all other connection requests and log a message at <li>reject all other connection requests and log a message at
@ -265,12 +265,12 @@ to illustrate the important aspects of Shorewall configuration.</p>
<p align="left">In this diagram:</p> <p align="left">In this diagram:</p>
<ul> <ul>
<li>The DMZ Zone consists of systems DMZ 1 and DMZ 2. A DMZ is <li>The DMZ Zone consists of systems DMZ 1 and DMZ 2. A DMZ
used to isolate your internet-accessible servers from your local systems is used to isolate your internet-accessible servers from your local
so that if one of those servers is compromised, you still have the firewall systems so that if one of those servers is compromised, you still have
between the compromised system and your local systems. </li> the firewall between the compromised system and your local systems. </li>
<li>The Local Zone consists of systems Local 1, Local 2 and Local <li>The Local Zone consists of systems Local 1, Local 2 and
3. </li> Local 3. </li>
<li>All systems from the ISP outward comprise the Internet Zone. <li>All systems from the ISP outward comprise the Internet Zone.
</li> </li>
@ -308,17 +308,17 @@ If you connect using ISDN, you external interface will be <b>ippp0.</b></p>
a <i>cross-over </i> cable).</p> a <i>cross-over </i> cable).</p>
<p align="left">Your <i>DMZ Interface</i> will also be an Ethernet adapter <p align="left">Your <i>DMZ Interface</i> will also be an Ethernet adapter
(eth0, eth1 or eth2) and will be connected to a hub or switch. Your DMZ (eth0, eth1 or eth2) and will be connected to a hub or switch. Your
computers will be connected to the same switch (note: If you have only DMZ computers will be connected to the same switch (note: If you have
a single DMZ system, you can connect the firewall directly to the computer only a single DMZ system, you can connect the firewall directly to the
using a <i>cross-over </i> cable).</p> computer using a <i>cross-over </i> cable).</p>
<p align="left"><u><b> <img border="0" src="images/j0213519.gif" <p align="left"><u><b> <img border="0" src="images/j0213519.gif"
width="60" height="60"> width="60" height="60">
</b></u>Do not connect more than one interface to the same hub </b></u>Do not connect more than one interface to the same hub
or switch (even for testing). It won't work the way that you expect or switch (even for testing). It won't work the way that you expect it
it to and you will end up confused and believing that Linux networking to and you will end up confused and believing that Linux networking doesn't
doesn't work at all.</p> work at all.</p>
<p align="left">For the remainder of this Guide, we will assume that:</p> <p align="left">For the remainder of this Guide, we will assume that:</p>
@ -456,17 +456,17 @@ many times as necessary.</p>
<p align="left">Normally, your ISP will assign you a set of <i> Public</i> <p align="left">Normally, your ISP will assign you a set of <i> Public</i>
IP addresses. You will configure your firewall's external interface to IP addresses. You will configure your firewall's external interface to
use one of those addresses permanently and you will then have to decide use one of those addresses permanently and you will then have to decide
how you are going to use the rest of your addresses. Before we tackle that how you are going to use the rest of your addresses. Before we tackle
question though, some background is in order.</p> that question though, some background is in order.</p>
<p align="left">If you are thoroughly familiar with IP addressing and routing, <p align="left">If you are thoroughly familiar with IP addressing and routing,
you may <a href="#Options">go to the next section</a>.</p> you may <a href="#Options">go to the next section</a>.</p>
<p align="left">The following discussion barely scratches the surface of addressing <p align="left">The following discussion barely scratches the surface of
and routing. If you are interested in learning more about this subject, addressing and routing. If you are interested in learning more about this
I highly recommend <i>"IP Fundamentals: What Everyone Needs to Know about subject, I highly recommend <i>"IP Fundamentals: What Everyone Needs to
Addressing &amp; Routing",</i> Thomas A. Maufer, Prentice-Hall, 1999, ISBN Know about Addressing &amp; Routing",</i> Thomas A. Maufer, Prentice-Hall,
0-13-975483-0.</p> 1999, ISBN 0-13-975483-0.</p>
<h3 align="left"><a name="Addresses"></a>4.1 IP Addresses</h3> <h3 align="left"><a name="Addresses"></a>4.1 IP Addresses</h3>
@ -504,17 +504,17 @@ Addressing &amp; Routing",</i> Thomas A. Maufer, Prentice-Hall, 1999, ISBN
of the high order byte of its address so you could look at an IP address of the high order byte of its address so you could look at an IP address
and immediately determine the associated <i>netmask</i>. The netmask and immediately determine the associated <i>netmask</i>. The netmask
is a number that when logically ANDed with an address isolates the <i>network is a number that when logically ANDed with an address isolates the <i>network
number</i>; the remainder of the address is the <i>host number</i>. For number</i>; the remainder of the address is the <i>host number</i>.
example, in the Class C address 192.0.2.14, the network number is hex For example, in the Class C address 192.0.2.14, the network number is
C00002 and the host number is hex 0E.</p> hex C00002 and the host number is hex 0E.</p>
<p align="left">As the internet grew, it became clear that such a gross <p align="left">As the internet grew, it became clear that such a gross partitioning
partitioning of the 32-bit address space was going to be very limiting (early of the 32-bit address space was going to be very limiting (early on, large
on, large corporations and universities were assigned their own class A corporations and universities were assigned their own class A network!).
network!). After some false starts, the current technique of <i>subnetting</i> After some false starts, the current technique of <i>subnetting</i> these
these networks into smaller <i>subnetworks</i> evolved; that technique is networks into smaller <i>subnetworks</i> evolved; that technique is referred
referred to as <i>Classless InterDomain Routing</i> (CIDR). Today, any system to as <i>Classless InterDomain Routing</i> (CIDR). Today, any system that
that you are likely to work with will understand CIDR and Class-based networking you are likely to work with will understand CIDR and Class-based networking
is largely a thing of the past.</p> is largely a thing of the past.</p>
<p align="left">A <i>subnetwork</i> (often referred to as a <i>subnet) </i>is <p align="left">A <i>subnetwork</i> (often referred to as a <i>subnet) </i>is
@ -637,8 +637,8 @@ are used for the subnet address and subnet broadcast address respectively.
<p align="left">You will notice that the above table also contains a column <p align="left">You will notice that the above table also contains a column
for (32 - log2 <b>n</b>). That number is the <i>Variable Length Subnet for (32 - log2 <b>n</b>). That number is the <i>Variable Length Subnet
Mask</i> for a network of size <b>n</b>. From the above table, we can Mask</i> for a network of size <b>n</b>. From the above table, we
derive the following one which is a little easier to use.</p> can derive the following one which is a little easier to use.</p>
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -820,9 +820,9 @@ as "<b>a.b.c.d/v</b>" using <i>CIDR</i> <i>Notation</i>.
<p align="left">Later in this guide, you will see the notation <b>a.b.c.d/v</b> <p align="left">Later in this guide, you will see the notation <b>a.b.c.d/v</b>
used to describe the ip configuration of a network interface (the 'ip' used to describe the ip configuration of a network interface (the 'ip'
utility also uses this syntax). This simply means that the interface is utility also uses this syntax). This simply means that the interface
configured with ip address <b>a.b.c.d</b> and with the netmask that corresponds is configured with ip address <b>a.b.c.d</b> and with the netmask that
to VLSM <b>/v</b>.</p> corresponds to VLSM <b>/v</b>.</p>
<p align="left">Example: 192.0.2.65/29</p> <p align="left">Example: 192.0.2.65/29</p>
@ -847,17 +847,16 @@ as "<b>a.b.c.d/v</b>" using <i>CIDR</i> <i>Notation</i>.
how to get to a single host. In the 'netstat' output this can be seen how to get to a single host. In the 'netstat' output this can be seen
by the "Genmask" (Subnet Mask) of 255.255.255.255 and the "H" in the by the "Genmask" (Subnet Mask) of 255.255.255.255 and the "H" in the
Flags column. The remainder are 'net' routes since they tell the kernel Flags column. The remainder are 'net' routes since they tell the kernel
how to route packets to a subnetwork. The last route is the <i>default how to route packets to a subnetwork. The last route is the <i>default route</i>
route</i> and the gateway mentioned in that route is called the <i>default and the gateway mentioned in that route is called the <i>default gateway</i>.</p>
gateway</i>.</p>
<p align="left">When the kernel is trying to send a packet to IP address <b>A</b>, <p align="left">When the kernel is trying to send a packet to IP address
it starts at the top of the routing table and:</p> <b>A</b>, it starts at the top of the routing table and:</p>
<ul> <ul>
<li> <li>
<p align="left"><b>A</b> is logically ANDed with the 'Genmask' value in <p align="left"><b>A</b> is logically ANDed with the 'Genmask' value
the table entry.</p> in the table entry.</p>
</li> </li>
<li> <li>
<p align="left">The result is compared with the 'Destination' value in <p align="left">The result is compared with the 'Destination' value in
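Review bot: the lookup procedure in this hunk ("it starts at the top of the routing table and" ANDs A with each Genmask in turn) reads as first-match-in-listed-order, but the kernel picks the matching route with the longest prefix regardless of the order in which entries were added; netstat -rn just happens to print more specific routes first, which is why the walk-down description gives the right answer for the table shown. One sentence saying "the most specific matching route wins" would stop readers concluding that a default route added before a net route swallows its traffic.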
@ -869,12 +868,10 @@ the table entry.</p>
<ul> <ul>
<li> <li>
<p align="left">If the 'Gateway' column is non-zero, the packet is <p align="left">If the 'Gateway' column is non-zero, the packet is
sent to the gateway over the interface named in the 'Iface' column.</p> sent to the gateway over the interface named in the 'Iface' column.</p>
</li> </li>
<li> <li>
<p align="left">Otherwise, the packet is sent directly to <b>A </b>over <p align="left">Otherwise, the packet is sent directly to <b>A </b>over
the interface named in the 'iface' column.</p> the interface named in the 'iface' column.</p>
</li> </li>
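Review bot: small inconsistency between the two bullets: the first refers to the 'Iface' column and the second to the 'iface' column. netstat prints the header as Iface, so use that spelling in both.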
@ -888,10 +885,10 @@ the table entry.</p>
</ul> </ul>
<p align="left">Since the default route matches any IP address (<b>A</b> land <p align="left">Since the default route matches any IP address (<b>A</b>
0.0.0.0 = 0.0.0.0), packets that don't match any of the other routing table land 0.0.0.0 = 0.0.0.0), packets that don't match any of the other routing
entries are sent to the <i>default gateway</i> which is usually a router table entries are sent to the <i>default gateway</i> which is usually a
at your ISP.</p> router at your ISP.</p>
<p align="left">Lets take an example. Suppose that we want to route a packet <p align="left">Lets take an example. Suppose that we want to route a packet
to 192.168.1.5. That address clearly doesn't match any of the host routes to 192.168.1.5. That address clearly doesn't match any of the host routes
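Review bot: "(A land 0.0.0.0 = 0.0.0.0)" uses "land" for the logical-AND operator, which reads as a typo given that the rest of the section writes "logically ANDed"; suggest "(A AND 0.0.0.0 = 0.0.0.0)".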
@ -903,19 +900,20 @@ at your ISP.</p>
<pre>192.168.1.0 0.0.0.0 255.255.255.0 U 40 0 0 eth2</pre> <pre>192.168.1.0 0.0.0.0 255.255.255.0 U 40 0 0 eth2</pre>
</blockquote> </blockquote>
<p>So to route a packet to 192.168.1.5, the packet is sent directly over eth2.</p> <p>So to route a packet to 192.168.1.5, the packet is sent directly over
eth2.</p>
</div> </div>
<p align="left">One more thing needs to be emphasized -- all outgoing packet <p align="left">One more thing needs to be emphasized -- all outgoing packet
are sent using the routing table and reply packets are not a special are sent using the routing table and reply packets are not a special
case. There seems to be a common mis-conception whereby people think that case. There seems to be a common mis-conception whereby people think
request packets are like salmon and contain a genetic code that is magically that request packets are like salmon and contain a genetic code that
transferred to reply packets so that the replies follow the reverse route is magically transferred to reply packets so that the replies follow
taken by the request. That isn't the case; the replies may take a totally the reverse route taken by the request. That isn't the case; the replies
different route back to the client than was taken by the requests -- they may take a totally different route back to the client than was taken by
are totally independent.</p> the requests -- they are totally independent.</p>
<h3 align="left"><a name="ARP"></a>4.4 Address Resolution Protocol</h3> <h3 align="left"><a name="ARP"></a>4.4 Address Resolution Protocol (ARP)</h3>
<p align="left">When sending packets over Ethernet, IP addresses aren't used. <p align="left">When sending packets over Ethernet, IP addresses aren't used.
Rather Ethernet addressing is based on <i>Media Access Control</i> (MAC) Rather Ethernet addressing is based on <i>Media Access Control</i> (MAC)
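Review bot: the salmon paragraph stops at "they are totally independent" without drawing the consequence a firewall reader needs. Shorewall's rules are built on Netfilter connection tracking, which only treats a reply as part of an established connection if the request passed through the same firewall; with asymmetric routing, where the reply comes back through a different gateway, those replies match no tracked connection and are dropped or logged as new. A sentence to that effect would turn the paragraph from a curiosity into a troubleshooting hint. The heading change to "Address Resolution Protocol (ARP)" is fine and matches the later references.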
@ -930,9 +928,9 @@ are totally independent.</p>
</blockquote> </blockquote>
<div align="left"> <div align="left">
<p align="left">As you can see from the above output, the MAC is 6 bytes (48 <p align="left">As you can see from the above output, the MAC is 6 bytes
bits) wide. A card's MAC is usually also printed on a label attached to (48 bits) wide. A card's MAC is usually also printed on a label attached
the card itself. </p> to the card itself. </p>
</div> </div>
<div align="left"> <div align="left">
@ -985,10 +983,10 @@ system (including your Windows system) using the 'arp' command:</p>
of us don't deal with these registrars but rather get our IP addresses of us don't deal with these registrars but rather get our IP addresses
from our ISP.</p> from our ISP.</p>
<p align="left">It's a fact of life that most of us can't afford as many Public <p align="left">It's a fact of life that most of us can't afford as many
IP addresses as we have devices to assign them to so we end up making use Public IP addresses as we have devices to assign them to so we end up making
of <i> Private </i>IP addresses. RFC 1918 reserves several IP address ranges use of <i> Private </i>IP addresses. RFC 1918 reserves several IP address
for this purpose:</p> ranges for this purpose:</p>
<div align="left"> <div align="left">
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre> <pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
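Review bot: the preformatted RFC 1918 block lists the ranges only as start-end pairs (10.0.0.0 - 10.255.255.255 and so on). Since the guide has just taught CIDR notation and readers will need these as prefixes in /etc/shorewall files, add the prefix form beside each range: 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. The /12 is the one people most often get wrong.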
@ -998,8 +996,8 @@ for this purpose:</p>
<p align="left">The addresses reserved by RFC 1918 are sometimes referred <p align="left">The addresses reserved by RFC 1918 are sometimes referred
to as <i>non-routable</i> because the Internet backbone routers don't to as <i>non-routable</i> because the Internet backbone routers don't
forward packets which have an RFC-1918 destination address. This is forward packets which have an RFC-1918 destination address. This is
understandable given that anyone can select any of these addresses for understandable given that anyone can select any of these addresses
their private use.</p> for their private use.</p>
</div> </div>
<div align="left"> <div align="left">
@ -1010,8 +1008,8 @@ their private use.</p>
<div align="left"> <div align="left">
<ul> <ul>
<li> <li>
<p align="left">As the IPv4 address space becomes depleted, more and more <p align="left">As the IPv4 address space becomes depleted, more and
organizations (including ISPs) are beginning to use RFC 1918 addresses more organizations (including ISPs) are beginning to use RFC 1918 addresses
in their infrastructure. </p> in their infrastructure. </p>
</li> </li>
<li> <li>
@ -1035,9 +1033,10 @@ their private use.</p>
<div align="left"> <div align="left">
<p align="left">The choice of how to set up your network depends primarily <p align="left">The choice of how to set up your network depends primarily
on how many Public IP addresses you have vs. how many addressable entities on how many Public IP addresses you have vs. how many addressable
you have in your network. Regardless of how many addresses you have, entities you have in your network. Regardless of how many addresses
your ISP will handle that set of addresses in one of two ways:</p> you have, your ISP will handle that set of addresses in one of two
ways:</p>
</div> </div>
<div align="left"> <div align="left">
@ -1084,13 +1083,13 @@ change them appropriately:<br>
</div> </div>
<div align="left"> <div align="left">
<p align="left">Let's assume that your ISP has assigned you the subnet <p align="left">Let's assume that your ISP has assigned you the subnet 192.0.2.64/28
192.0.2.64/28 routed through 192.0.2.65. That means that you have IP addresses routed through 192.0.2.65. That means that you have IP addresses 192.0.2.64
192.0.2.64 - 192.0.2.79 and that your firewall's external IP address - 192.0.2.79 and that your firewall's external IP address is 192.0.2.65.
is 192.0.2.65. Your ISP has also told you that you should use a netmask Your ISP has also told you that you should use a netmask of 255.255.255.0
of 255.255.255.0 (so your /28 is part of a larger /24). With this many (so your /28 is part of a larger /24). With this many IP addresses,
IP addresses, you are able to subnet your /28 into two /29's and set you are able to subnet your /28 into two /29's and set up your network
up your network as shown in the following diagram.</p> as shown in the following diagram.</p>
</div> </div>
<div align="left"> <div align="left">
@ -1100,10 +1099,10 @@ change them appropriately:<br>
</div> </div>
<div align="left"> <div align="left">
<p align="left">Here, the DMZ comprises the subnet 192.0.2.64/29 and the Local <p align="left">Here, the DMZ comprises the subnet 192.0.2.64/29 and the
network is 192.0.2.72/29. The default gateway for hosts in the DMZ would Local network is 192.0.2.72/29. The default gateway for hosts in the DMZ
be configured to 192.0.2.66 and the default gateway for hosts in the local would be configured to 192.0.2.66 and the default gateway for hosts in
network would be 192.0.2.73.</p> the local network would be 192.0.2.73.</p>
</div> </div>
<div align="left"> <div align="left">
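Review bot: this paragraph makes the DMZ 192.0.2.64/29 with gateway 192.0.2.66, while the previous hunk put 192.0.2.65 with netmask 255.255.255.0 on the firewall's external interface; 192.0.2.65 also lies inside 192.0.2.64/29, and an attentive reader will wonder whether the overlap is a mistake. If it is intentional (the address the ISP routes the /28 through has to be reachable on the ISP's /24 segment, so it doubles as the external address), say so explicitly and note that the /29 is the more specific route, so DMZ traffic still leaves through the DMZ interface.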
@ -1139,13 +1138,13 @@ of 256 would be justified because of the simplicity of the setup.</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left">It is this rather unexpected ARP behavior on the part of the <p align="left">It is this rather unexpected ARP behavior on the part of
Linux Kernel that prompts the warning earlier in this guide regarding the the Linux Kernel that prompts the warning earlier in this guide regarding
connecting of multiple firewall/router interfaces to the same hub or switch. the connecting of multiple firewall/router interfaces to the same hub
When an ARP request for one of the firewall/router's IP addresses is sent or switch. When an ARP request for one of the firewall/router's IP addresses
by another system connected to the hub/switch, all of the firewall's is sent by another system connected to the hub/switch, all of the firewall's
interfaces that connect to the hub/switch can respond! It is then a interfaces that connect to the hub/switch can respond! It is then
race as to which "here-is" response reaches the sender first.</p> a race as to which "here-is" response reaches the sender first.</p>
</div> </div>
<div align="left"> <div align="left">
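Review bot: the paragraph explains that every firewall interface on the same hub or switch may answer an ARP request for any of the firewall's addresses, but offers no mitigation beyond the earlier warning. Kernels that expose the net.ipv4.conf.eth0.arp_ignore sysctl (per interface, or .all.) can be told to answer only for addresses configured on the interface the request arrived on (arp_ignore=1), and net.ipv4.conf.eth0.arp_announce=2 makes the firewall advertise the matching source address; a pointer to those settings would help readers who cannot physically separate the segments. The "here-is" race described here is also visible with tcpdump on the shared segment, which is the same check the guide uses later for the stale gateway cache.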
@ -1153,22 +1152,22 @@ by another system connected to the hub/switch, all of the firewall's
</div> </div>
<div align="left"> <div align="left">
<p align="left">If you have the above situation but it is non-routed, you <p align="left">If you have the above situation but it is non-routed,
can configure your network exactly as described above with one additional you can configure your network exactly as described above with one additional
twist; simply specify the "proxyarp" option on all three firewall interfaces twist; simply specify the "proxyarp" option on all three firewall
in the /etc/shorewall/interfaces file.</p> interfaces in the /etc/shorewall/interfaces file.</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left">Most of us don't have the luxury of having enough public IP <p align="left">Most of us don't have the luxury of having enough public
addresses to set up our networks as shown in the preceding example (even IP addresses to set up our networks as shown in the preceding example
if the setup is routed). </p> (even if the setup is routed). </p>
</div> </div>
<div align="left"> <div align="left">
<p align="left"><b>For the remainder of this section, assume that your ISP <p align="left"><b>For the remainder of this section, assume that your ISP
has assigned you IP addresses 192.0.2.176-180 and has told you to use has assigned you IP addresses 192.0.2.176-180 and has told you to
netmask 255.255.255.0 and default gateway 192.0.2.254.</b></p> use netmask 255.255.255.0 and default gateway 192.0.2.254.</b></p>
</div> </div>
<div align="left"> <div align="left">
@ -1200,8 +1199,8 @@ this problem.</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left">Often a combination of these techniques is used. Each of these <p align="left">Often a combination of these techniques is used. Each of
will be discussed in the sections that follow.</p> these will be discussed in the sections that follow.</p>
</div> </div>
<div align="left"> <div align="left">
@ -1212,11 +1211,11 @@ this problem.</p>
<p align="left">With SNAT, an internal LAN segment is configured using RFC <p align="left">With SNAT, an internal LAN segment is configured using RFC
1918 addresses. When a host <b>A </b>on this internal segment initiates 1918 addresses. When a host <b>A </b>on this internal segment initiates
a connection to host <b>B</b> on the internet, the firewall/router a connection to host <b>B</b> on the internet, the firewall/router
rewrites the IP header in the request to use one of your public IP addresses rewrites the IP header in the request to use one of your public IP
as the source address. When <b>B</b> responds and the response is received addresses as the source address. When <b>B</b> responds and the response
by the firewall, the firewall changes the destination address back is received by the firewall, the firewall changes the destination address
to the RFC 1918 address of <b>A</b> and forwards the response back to back to the RFC 1918 address of <b>A</b> and forwards the response back
<b>A.</b></p> to <b>A.</b></p>
</div> </div>
<div align="left"> <div align="left">
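Review bot: the SNAT paragraph describes the rewrite of A's requests and of B's responses but not the property readers rely on for security: the reverse mapping exists only because the firewall recorded A's outgoing connection, so a packet arriving from the internet for the public address that matches no tracked connection is not delivered to any internal host. Stating that here also motivates the DNAT section that follows, which is precisely the case of letting an unsolicited inbound connection through.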
@ -1274,10 +1273,11 @@ local interface).</div>
<div align="left"> <div align="left">
<p align="left">This example used the normal technique of assigning the same <p align="left">This example used the normal technique of assigning the same
public IP address for the firewall external interface and for SNAT. public IP address for the firewall external interface and for SNAT.
If you wanted to use a different IP address, you would either have to If you wanted to use a different IP address, you would either have
use your distributions network configuration tools to add that IP address to use your distributions network configuration tools to add that IP
to the external interface or you could set ADD_SNAT_ALIASES=Yes in address to the external interface or you could set ADD_SNAT_ALIASES=Yes
/etc/shorewall/shorewall.conf and Shorewall will add the address for you.</p> in /etc/shorewall/shorewall.conf and Shorewall will add the address for
you.</p>
</div> </div>
<div align="left"> <div align="left">
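Review bot: typo in "use your distributions network configuration tools": should be "distribution's". The sentence would also read better if it said that ADD_SNAT_ALIASES=Yes covers only the SNAT case, since the DNAT section below states that Shorewall will not add a DNAT address for you; a reader who has just learned that SNAT aliases are added automatically will assume the same for DNAT.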
@ -1295,8 +1295,8 @@ local interface).</div>
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13" <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13"> height="13">
     Suppose that your daughter wants to run a web server on      Suppose that your daughter wants to run a web server on
her system "Local 3". You could allow connections to the internet her system "Local 3". You could allow connections to the internet to
to her server by adding the following entry in <a her server by adding the following entry in <a
href="Documentation.htm#Rules">/etc/shorewall/rules</a>:</p> href="Documentation.htm#Rules">/etc/shorewall/rules</a>:</p>
</div> </div>
@ -1334,15 +1334,15 @@ to her server by adding the following entry in <a
to access your daughter's server, she can connect to <a to access your daughter's server, she can connect to <a
href="http://192.0.2.176"> http://192.0.2.176</a> (the firewall's external href="http://192.0.2.176"> http://192.0.2.176</a> (the firewall's external
IP address) and the firewall will rewrite the destination IP address IP address) and the firewall will rewrite the destination IP address
to 192.168.201.4 (your daughter's system) and forward the request. When to 192.168.201.4 (your daughter's system) and forward the request.
your daughter's server responds, the firewall will rewrite the source When your daughter's server responds, the firewall will rewrite the
address back to 192.0.2.176 and send the response back to <b>A.</b></p> source address back to 192.0.2.176 and send the response back to <b>A.</b></p>
</div> </div>
<div align="left"> <div align="left">
<p align="left">This example used the firewall's external IP address for DNAT. <p align="left">This example used the firewall's external IP address for
You can use another of your public IP addresses but Shorewall will not DNAT. You can use another of your public IP addresses but Shorewall will
add that address to the firewall's external interface for you.</p> not add that address to the firewall's external interface for you.</p>
</div> </div>
<div align="left"> <div align="left">
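Review bot: the example reuses the symbol A for the remote client ("send the response back to A") although A was the internal host in the SNAT paragraph above; use a different letter for the outside client. The closing paragraph says Shorewall will not add a second public address to the external interface for DNAT but does not say what the reader must do instead; a sentence pointing back to the distribution's network configuration tools mentioned in the SNAT section would close the loop.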
@ -1356,8 +1356,8 @@ add that address to the firewall's external interface for you.</p>
<div align="left"> <div align="left">
<ul> <ul>
<li> <li>
<p align="left">A host <b>H </b>behind your firewall is assigned one of <p align="left">A host <b>H </b>behind your firewall is assigned one
your public IP addresses (<b>A)</b> and is assigned the same netmask of your public IP addresses (<b>A)</b> and is assigned the same netmask
<b>(M) </b>as the firewall's external interface. </p> <b>(M) </b>as the firewall's external interface. </p>
</li> </li>
<li> <li>
@ -1365,9 +1365,9 @@ your public IP addresses (<b>A)</b> and is assigned the same netmask
</p> </p>
</li> </li>
<li> <li>
<p align="left">When <b>H</b> issues an ARP "who has" request for an address <p align="left">When <b>H</b> issues an ARP "who has" request for an
in the subnetwork defined by <b>A</b> and <b>M</b>, the firewall will address in the subnetwork defined by <b>A</b> and <b>M</b>, the firewall
respond (with the MAC if the firewall interface to <b>H</b>). </p> will respond (with the MAC if the firewall interface to <b>H</b>). </p>
</li> </li>
</ul> </ul>
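Review bot: typo in the third bullet: "with the MAC if the firewall interface to H" should read "with the MAC of the firewall interface to H". The bullet also covers only ARP requests from H; the other direction, the firewall answering the ISP router's ARP for A on the external interface with its external MAC, is what the arping discussion later depends on and deserves a bullet of its own here.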
@ -1387,8 +1387,8 @@ respond (with the MAC if the firewall interface to <b>H</b>). </p>
<div align="left"> Here, we've assigned the IP addresses 192.0.2.177 to <div align="left"> Here, we've assigned the IP addresses 192.0.2.177 to
system DMZ 1 and 192.0.2.178 to DMZ 2. Notice that we've just assigned system DMZ 1 and 192.0.2.178 to DMZ 2. Notice that we've just assigned
an arbitrary RFC 1918 IP address and subnet mask to the DMZ interface an arbitrary RFC 1918 IP address and subnet mask to the DMZ interface
on the firewall. That address and netmask isn't relevant - just be sure on the firewall. That address and netmask isn't relevant - just be
it doesn't overlap another subnet that you've defined.</div> sure it doesn't overlap another subnet that you've defined.</div>
<div align="left">  </div> <div align="left">  </div>
@ -1442,6 +1442,7 @@ rather than behind it.<br>
(192.0.2.177 and 192.0.2.178 in the above example)  to the external interface (192.0.2.177 and 192.0.2.178 in the above example)  to the external interface
(eth0 in this example) of the firewall.</b></font><br> (eth0 in this example) of the firewall.</b></font><br>
</p> </p>
<div align="left"> </div> <div align="left"> </div>
</div> </div>
@ -1463,26 +1464,27 @@ rather than behind it.<br>
Illustrated, Vol 1</i> reveals that a <br> Illustrated, Vol 1</i> reveals that a <br>
<br> <br>
"gratuitous" ARP packet should cause the ISP's router to refresh their "gratuitous" ARP packet should cause the ISP's router to refresh their
ARP cache (section 4.7). A gratuitous ARP is simply a host requesting ARP cache (section 4.7). A gratuitous ARP is simply a host requesting the
the MAC address for its own IP; in addition to ensuring that the IP address MAC address for its own IP; in addition to ensuring that the IP address
isn't a duplicate,...<br> isn't a duplicate,...<br>
<br> <br>
"if the host sending the gratuitous ARP has just changed its hardware "if the host sending the gratuitous ARP has just changed its hardware
address..., this packet causes any other host...that has an entry in its address..., this packet causes any other host...that has an entry in its
cache for the old hardware address to update its ARP cache entry accordingly."<br> cache for the old hardware address to update its ARP cache entry accordingly."<br>
<br> <br>
Which is, of course, exactly what you want to do when you switch a Which is, of course, exactly what you want to do when you switch
host from being exposed to the Internet to behind Shorewall using proxy a host from being exposed to the Internet to behind Shorewall using proxy
ARP (or static NAT for that matter). Happily enough, recent versions of ARP (or static NAT for that matter). Happily enough, recent versions of
Redhat's iputils package include "arping", whose "-U" flag does just that:<br> Redhat's iputils package include "arping", whose "-U" flag does just that:<br>
<br> <br>
    <font color="#009900"><b>arping -U -I &lt;net if&gt; &lt;newly     <font color="#009900"><b>arping -U -I &lt;net if&gt; &lt;newly
proxied IP&gt;</b></font><br> proxied IP&gt;</b></font><br>
    <font color="#009900"><b>arping -U -I eth0 66.58.99.83 # for example</b></font><br>     <font color="#009900"><b>arping -U -I eth0 66.58.99.83 # for
example</b></font><br>
<br> <br>
Stevens goes on to mention that not all systems respond correctly Stevens goes on to mention that not all systems respond correctly
to gratuitous ARPs, but googling for "arping -U" seems to support the to gratuitous ARPs, but googling for "arping -U" seems to support the idea
idea that it works most of the time.<br> that it works most of the time.<br>
<br> <br>
</li> </li>
<li>You can call your ISP and ask them to purge the stale ARP <li>You can call your ISP and ask them to purge the stale ARP
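Review bot: the example command "arping -U -I eth0 66.58.99.83" uses an address outside the 192.0.2.0/24 range used everywhere else in the guide; use 192.0.2.177 (DMZ 1 from the example above) so the command lines up with the walkthrough. Two caveats belong next to it: the gratuitous ARP is the same packet an ARP-spoofing host would send, so it should be emitted only on the external interface where the ISP router listens; and since, as the text says, not every system honours it, the reader should follow it with the tcpdump check described later in this patch (request source MAC versus reply destination MAC) to confirm the router's cache actually changed.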
@ -1518,11 +1520,11 @@ cache entry but many either can't or won't purge individual entries.</li>
<div align="left"> <div align="left">
<p align="left">Notice that the source MAC address in the echo request is <p align="left">Notice that the source MAC address in the echo request is
different from the destination MAC address in the echo reply!! In this different from the destination MAC address in the echo reply!! In
case 0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while 0:c0:a8:50:b2:57 this case 0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while
was the MAC address of DMZ 1. In other words, the gateway's ARP cache 0:c0:a8:50:b2:57 was the MAC address of DMZ 1. In other words, the
still associates 192.0.2.177 with the NIC in DMZ 1 rather than with gateway's ARP cache still associates 192.0.2.177 with the NIC in DMZ
the firewall's eth0.</p> 1 rather than with the firewall's eth0.</p>
</div> </div>
<div align="left"> <div align="left">
@ -1533,9 +1535,9 @@ the firewall's eth0.</p>
<p align="left">With static NAT, you assign local systems RFC 1918 addresses <p align="left">With static NAT, you assign local systems RFC 1918 addresses
then establish a one-to-one mapping between those addresses and public then establish a one-to-one mapping between those addresses and public
IP addresses. For outgoing connections SNAT (Source Network Address IP addresses. For outgoing connections SNAT (Source Network Address
Translation) occurs and on incoming connections DNAT (Destination Translation) occurs and on incoming connections DNAT (Destination Network
Network Address Translation) occurs. Let's go back to our earlier example Address Translation) occurs. Let's go back to our earlier example involving
involving your daughter's web server running on system Local 3.</p> your daughter's web server running on system Local 3.</p>
</div> </div>
<div align="left"> <div align="left">
@ -1574,8 +1576,8 @@ connections. This is done with the following entry in /etc/shorewall/masq:
<div align="left"> <div align="left">
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13" <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13"> height="13">
    Suppose now that you have decided to give your daughter her     Suppose now that you have decided to give your daughter
own IP address (192.0.2.179) for both inbound and outbound connections. her own IP address (192.0.2.179) for both inbound and outbound connections.
You would do that by adding an entry in <a You would do that by adding an entry in <a
href="Documentation.htm#NAT">/etc/shorewall/nat</a>.</p> href="Documentation.htm#NAT">/etc/shorewall/nat</a>.</p>
</div> </div>
@ -1816,8 +1818,8 @@ way to allow connection requests through your firewall is to use ACCEPT
</div> </div>
<div align="left"> <div align="left">
<p align="left">If you run a public DNS server on 192.0.2.177, you would need <p align="left">If you run a public DNS server on 192.0.2.177, you would
to add the following rules:</p> need to add the following rules:</p>
</div> </div>
<div align="left"> <div align="left">
@ -1949,10 +1951,10 @@ way to allow connection requests through your firewall is to use ACCEPT
</div> </div>
<div align="left"> <div align="left">
<p align="left">The above discussion reflects my personal preference for using <p align="left">The above discussion reflects my personal preference for
Proxy ARP for my servers in my DMZ and SNAT/NAT for my local systems. I using Proxy ARP for my servers in my DMZ and SNAT/NAT for my local systems.
prefer to use NAT only in cases where a system that is part of an RFC 1918 I prefer to use NAT only in cases where a system that is part of an RFC
subnet needs to have it's own public IP. </p> 1918 subnet needs to have it's own public IP. </p>
</div> </div>
<div align="left"> <div align="left">
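Review bot: "needs to have it's own public IP" should be "its own public IP".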
@ -1960,20 +1962,21 @@ subnet needs to have it's own public IP.
height="13"> height="13">
    If you haven't already, it would be a good idea to browse     If you haven't already, it would be a good idea to browse
through <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a> through <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>
just to see if there is anything there that might be of interest. You just to see if there is anything there that might be of interest.
might also want to look at the other configuration files that you You might also want to look at the other configuration files that
haven't touched yet just to get a feel for the other things that Shorewall you haven't touched yet just to get a feel for the other things that
can do.</p> Shorewall can do.</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left">In case you haven't been keeping score, here's the final set <p align="left">In case you haven't been keeping score, here's the final
of configuration files for our sample network. Only those that were modified set of configuration files for our sample network. Only those that were
from the original installation are shown.</p> modified from the original installation are shown.</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left">/etc/shorewall/interfaces (The "options" will be very site-specific).</p> <p align="left">/etc/shorewall/interfaces (The "options" will be very
site-specific).</p>
</div> </div>
<div align="left"> <div align="left">
@ -2353,21 +2356,21 @@ can do.</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left">Given the collection of RFC 1918 and public addresses in this <p align="left">Given the collection of RFC 1918 and public addresses in
setup, it only makes sense to have separate internal and external DNS this setup, it only makes sense to have separate internal and external
servers. You can combine the two into a single BIND 9 server using <i>Views. DNS servers. You can combine the two into a single BIND 9 server using
</i> If you are not interested in Bind 9 views, you can <a <i>Views. </i> If you are not interested in Bind 9 views, you can <a
href="#StartingAndStopping">go to the next section</a>.</p> href="#StartingAndStopping">go to the next section</a>.</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left">Suppose that your domain is foobar.net and you want the two <p align="left">Suppose that your domain is foobar.net and you want the two
DMZ systems named www.foobar.net and mail.foobar.net and you want the DMZ systems named www.foobar.net and mail.foobar.net and you want
three local systems named "winken.foobar.net, blinken.foobar.net and the three local systems named "winken.foobar.net, blinken.foobar.net
nod.foobar.net. You want your firewall to be known as firewall.foobar.net and nod.foobar.net. You want your firewall to be known as firewall.foobar.net
externally and it's interface to the local network to be know as gateway.foobar.net externally and it's interface to the local network to be know as gateway.foobar.net
and its interface to the dmz as dmz.foobar.net. Let's have the DNS server and its interface to the dmz as dmz.foobar.net. Let's have the DNS
on 192.0.2.177 which will also be known by the name ns1.foobar.net.</p> server on 192.0.2.177 which will also be known by the name ns1.foobar.net.</p>
</div> </div>
<div align="left"> <div align="left">
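Review bot: two typos in the second paragraph: "it's interface to the local network" should be "its interface", and "to be know as gateway.foobar.net" should be "known as". On substance, the Views paragraph should mention that BIND selects a view by the client's source address, so with the SNAT and one-to-one NAT mappings in this setup the address the name server sees for a local client is whichever one the firewall presented, and that decides whether the client gets the internal or the external answers; this is the usual source of split-DNS surprises behind NAT.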
@ -2493,8 +2496,8 @@ servers. You can combine the two into a single BIND 9 server using <i>Views.
<div align="left"> <div align="left">
<p align="left">The firewall is started using the "shorewall start" command <p align="left">The firewall is started using the "shorewall start" command
and stopped using "shorewall stop". When the firewall is stopped, routing and stopped using "shorewall stop". When the firewall is stopped,
is enabled on those hosts that have an entry in <a routing is enabled on those hosts that have an entry in <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A
running firewall may be restarted using the "shorewall restart" command. running firewall may be restarted using the "shorewall restart" command.
If you want to totally remove any trace of Shorewall from your Netfilter If you want to totally remove any trace of Shorewall from your Netfilter
@ -2504,23 +2507,23 @@ servers. You can combine the two into a single BIND 9 server using <i>Views.
<div align="left"> <div align="left">
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13" <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13"> height="13">
    Edit the /etc/shorewall/routestopped file and configure those     Edit the /etc/shorewall/routestopped file and configure
systems that you want to be able to access the firewall when it is those systems that you want to be able to access the firewall when
stopped.</p> it is stopped.</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left"><b>WARNING: </b>If you are connected to your firewall from <p align="left"><b>WARNING: </b>If you are connected to your firewall from
the internet, do not issue a "shorewall stop" command unless you have the internet, do not issue a "shorewall stop" command unless you have
added an entry for the IP address that you are connected from to <a added an entry for the IP address that you are connected from to
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better to create Also, I don't recommend using "shorewall restart"; it is better to create
an <i><a href="Documentation.htm#Configs">alternate configuration</a></i> an <i><a href="Documentation.htm#Configs">alternate configuration</a></i>
and test it using the <a href="Documentation.htm#Starting">"shorewall and test it using the <a href="Documentation.htm#Starting">"shorewall
try" command</a>.</p> try" command</a>.</p>
</div> </div>
<p align="left"><font size="2">Last updated 3/21/2003 - <a <p align="left"><font size="2">Last updated 5/3/2003 - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002, 2003 <p align="left"><a href="copyright.htm"><font size="2">Copyright 2002, 2003
@ -2535,5 +2538,6 @@ stopped.</p>
<br> <br>
<br> <br>
<br> <br>
<br>
</body> </body>
</html> </html>

View File

@ -2,9 +2,11 @@
<html> <html>
<head> <head>
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.3</title> <title>Shoreline Firewall (Shorewall) 1.3</title>
<base target="_self"> <base target="_self">
</head> </head>
<body> <body>
@ -14,26 +16,27 @@
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td
width="100%" height="90"> <td width="100%" height="90">
<h1 align="center"> <font size="4"><i> <a <h1 align="center"> <font size="4"><i> <a
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4" href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4"
alt="Shorwall Logo" height="70" width="85" align="left" alt="Shorwall Logo" height="70" width="85" align="left"
src="images/washington.jpg" border="0"> src="images/washington.jpg" border="0">
</a></i></font><font
color="#ffffff">Shorewall 1.4 - <font </a></i></font><font color="#ffffff">Shorewall 1.4 -
size="4">"<i>iptables made easy"</i></font></font><br> <font size="4">"<i>iptables made easy"</i></font></font><br>
<a target="_top" href="1.3/index.html"><font color="#ffffff"> <a target="_top" href="1.3/index.html"><font
<small><small><small>Shorewall 1.3 Site here</small></small></small></font></a><br> color="#ffffff"> </font></a><a target="_top"
<a target="_top" href="http://www1.shorewall.net/1.2/index.htm"><font href="http://www1.shorewall.net/1.2/index.htm"><font color="#ffffff"><small><small><small><br>
color="#ffffff"><small><small><small>Shorewall 1.2 Site here<br>
</small></small></small></font></a> </small></small></small></font></a>
</h1> </h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
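Review bot: the new column drops the visible text of both version-site links, leaving `<a target="_top" href="1.3/index.html"><font color="#ffffff"> </font></a>` and an anchor to http://www1.shorewall.net/1.2/index.htm whose only content is a `<br>` wrapped in `<small>` tags. An anchor with no text cannot be clicked, so the 1.3 and 1.2 sites become unreachable from the index page; either restore the "Shorewall 1.3 Site here" / "Shorewall 1.2 Site here" text or remove the anchors entirely. While here, the logo alt text "Shorwall Logo" is misspelled.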
@ -41,177 +44,226 @@
<center> <center>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"> style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody> <tbody>
<tr> <tr>
<td
width="90%"> <td width="90%">
<h2 align="left">What is it?</h2> <h2 align="left">What is it?</h2>
<p>The Shoreline Firewall, more commonly known as "Shorewall", is <p>The Shoreline Firewall, more commonly known as "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a> (iptables) a <a href="http://www.netfilter.org">Netfilter</a>
based firewall that can be used on a dedicated firewall (iptables) based firewall that can be used on
system, a multi-function gateway/router/server or on a dedicated firewall system, a multi-function gateway/router/server
a standalone GNU/Linux system.</p> or on a standalone GNU/Linux system.</p>
<p>This program is free software; you can redistribute it and/or modify <p>This program is free software; you can redistribute it and/or modify
it under it
the terms of <a under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
GNU General Public License</a> as published by the Free Software General Public License</a> as published by the Free Software
Foundation.<br> Foundation.<br>
<br> <br>
This program This
is distributed in the hope that it will program is distributed in the hope that
be useful, but WITHOUT ANY WARRANTY; without it will be useful, but WITHOUT ANY WARRANTY;
even the implied warranty of MERCHANTABILITY without even the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE. See the or FITNESS FOR A PARTICULAR PURPOSE.
GNU General Public License for more details.<br> See the GNU General Public License for more
details.<br>
<br> <br>
You should have You
received a copy of the GNU General Public should have received a copy of the GNU
License along with this program; if General Public License along with
not, write to the Free Software Foundation, this program; if not, write to the Free Software
Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p> Foundation, Inc., 675 Mass Ave, Cambridge,
MA 02139, USA</p>
<p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p> <p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques Nilo
and Eric Wolzak have a LEAF (router/firewall/gateway <h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
on a floppy, CD or compact flash) distribution If so, almost <b>NOTHING </b>on this site will apply directly to your setup.
called <i>Bering</i> that features If you want to use the documentation that you find here, it is best if you
Shorewall-1.3.14 and Kernel-2.4.20. You can uninstall what you have and install a setup that matches the documentation
find their work at: <a on this site. See the <a href="two-interface.htm">Two-interface QuickStart
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p> Guide</a> for details.<br>
<b>Congratulations
to Jacques and Eric on the recent release of Bering <h2>Getting Started with Shorewall</h2>
1.1!!! <br> New to Shorewall? Start by selecting the <a
</b> href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most closely
match your environment and follow the step by step instructions.<br>
<h2><b>News</b></h2> <h2><b>News</b></h2>
<b> </b> <b> </b>
<p><b>4/9/2003 - Shorewall 1.4.2</b><b> </b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
<p><b>5/18/2003 - Shorewall 1.4.3 </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
</b><br> </b><br>
</p> </p>
    <b>Problems Corrected:<br>
</b>
<ol>
<li>There were several cases where Shorewall would fail to remove
a temporary directory from /tmp. These cases have been corrected.</li>
<li>The rules for allowing all traffic via the loopback interface
have been moved to before the rule that drops status=INVALID packets. This
insures that all loopback traffic is allowed even if Netfilter connection
tracking is confused.</li>
<p><b>    Problems Corrected:</b></p> </ol>
    <b>New Features:<br>
</b>
<ol>
<li><a href="6to4.htm"> </a><a href="6to4.htm">IPV6-IPV4 (6to4)
tunnels </a>are now supported in the /etc/shorewall/tunnels file.</li>
<li>Shorewall can now be easily integrated with fireparse (<a
href="http://www.fireparse.com">http://www.fireparse.com</a>) by setting
LOGMARKER="fp=" in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a>
Note: You may not use ULOG with fireparse unless you modify fireparse. </li>
</ol>
<p><b>5/10/2003 - Shorewall Mirror in Asia</b><b> </b><br>
</p>
Ed Greshko has established a mirror in Taiwan -- Thanks Ed!
<p><b>5/8/2003 - Shorewall Mirror in Chile</b><b>  </b></p>
<p>Thanks to Darcy Ganga, there is now an HTTP mirror in Santiago Chile.<br>
</p>
<p><b>4/26/2003 - lists.shorewall.net Downtime</b><b>  </b></p>
<p>The list server will be down this morning for upgrade to RH9.0.<br>
</p>
<p><b>4/21/2003 - Samples updated for Shorewall version 1.4.2</b><b>
</b></p>
<p>Thanks to Francesca Smith, the sample configurations are now upgraded
to Shorewall version 1.4.2.</p>
<p><b>4/12/2002 - Greater Seattle Linux Users Group Presentation</b><b>
</b></p>
<blockquote> This morning, I gave <a href="GSLUG.htm"
target="_top">a Shorewall presentation to GSLUG</a>. The presentation
is in HTML format but was generated from Microsoft PowerPoint and is
best viewed using Internet Explorer (although Konqueror also seems to
work reasonably well as does Opera 7.1.0). Neither Opera 6 nor Netscape
work well to view the presentation.</blockquote>
<p><b></b></p>
<blockquote> <blockquote>
<ol> <ol>
<li>TCP connection requests rejected out of the <b>common</b> chain
are now properly rejected with TCP RST; previously, some of these requests
were rejected with an ICMP port-unreachable response.</li>
<li>'traceroute -I' from behind the firewall previously timed out
on the first hop (e.g., to the firewall). This has been worked around.</li>
</ol> </ol>
</blockquote> </blockquote>
<p><b>    New Features:</b></p>
<blockquote>
<ol>
<li>Where an entry in the/etc/shorewall/hosts file specifies a
particular host or network, Shorewall now creates an intermediate chain for
handling input from the related zone. This can substantially reduce the number
of rules traversed by connections requests from such zones.<br>
<br>
</li>
<li>Any file may include an INCLUDE directive. An INCLUDE directive
consists of the word INCLUDE followed by a file name and causes the contents
of the named file to be logically included into the file containing the INCLUDE.
File names given in an INCLUDE directive are assumed to reside in /etc/shorewall
or in an alternate configuration directory if one has been specified for the
command. <br>
 <br>
   Examples:<br>
   shorewall/params.mgmt:<br>
   MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3<br>
   TIME_SERVERS=4.4.4.4<br>
   BACKUP_SERVERS=5.5.5.5<br>
   ----- end params.mgmt -----<br>
 <br>
 <br>
   shorewall/params:<br>
   # Shorewall 1.3 /etc/shorewall/params<br>
   [..]<br>
   #######################################<br>
 <br>
   INCLUDE params.mgmt    <br>
  <br>
   # params unique to this host here<br>
   #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE<br>
   ----- end params -----<br>
 <br>
 <br>
   shorewall/rules.mgmt:<br>
   ACCEPT net:$MGMT_SERVERS          $FW    tcp    22<br>
   ACCEPT $FW          net:$TIME_SERVERS    udp    123<br>
   ACCEPT $FW          net:$BACKUP_SERVERS  tcp    22<br>
   ----- end rules.mgmt -----<br>
 <br>
   shorewall/rules:<br>
   # Shorewall version 1.3 - Rules File<br>
   [..]<br>
   #######################################<br>
 <br>
   INCLUDE rules.mgmt     <br>
  <br>
   # rules unique to this host here<br>
   #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE<br>
   ----- end rules -----<br>
 <br>
INCLUDE's may be nested to a level of 3 -- further nested INCLUDE directives
are ignored with a warning message.<br>
<br>
</li>
<li>Routing traffic from an interface back out that interface continues
to be a problem. While I firmly believe that this should never happen, people
continue to want to do it. To limit the damage that such nonsense produces,
I have added a new 'routeback' option in /etc/shorewall/interfaces and /etc/shorewall/hosts.
When used in /etc/shorewall/interfaces, the 'ZONE' column may not contain
'-'; in other words, 'routeback' can't be used as an option for a multi-zone
interface. The 'routeback' option CAN be specified however on individual group
entries in /etc/shorewall/hosts.<br>
 <br>
The 'routeback' option is similar to the old 'multi' option with two exceptions:<br>
 <br>
   a) The option pertains to a particular zone,interface,address tuple.<br>
 <br>
   b) The option only created infrastructure to pass traffic from (zone,interface,address)
tuples back to themselves (the 'multi' option affected all (zone,interface,address)
tuples associated with the given 'interface').<br>
 <br>
See the '<a href="file:///Z:/Shorewall-docs/upgrade_issues.htm">Upgrade
Issues</a>' for information about how this new option may affect your configuration.<br>
</li>
</ol>
</blockquote>
<p><a href="file:///Z:/Shorewall-docs/News.htm"></a></p> <p><a href="file:///Z:/Shorewall-docs/News.htm"></a></p>
<b> </b> <b> </b>
<p><b><a href="News.htm">More News</a></b></p> <p><b><a href="News.htm">More News</a></b></p>
<b> </b> <b> </b>
<h2><b> </b></h2> <h2><b> </b></h2>
<b> </b> <b> </b>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36"
alt="(Leaf Logo)">
</a>Jacques Nilo and Eric Wolzak have
a LEAF (router/firewall/gateway on a floppy,
CD or compact flash) distribution called
<i>Bering</i> that features Shorewall-1.3.14
and Kernel-2.4.20. You can find their
work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
<b>Congratulations to Jacques and Eric on
the recent release of Bering 1.2!!! </b><br>
<h1 align="center"><b><a href="http://www.sf.net"><img <h1 align="center"><b><a href="http://www.sf.net"><img
align="left" alt="SourceForge Logo" align="left" alt="SourceForge Logo"
src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3"> src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3">
</a></b></h1> </a></b></h1>
<b> </b> <b> </b>
<h4><b> </b></h4> <h4><b> </b></h4>
<b> </b> <b> </b>
<h2><b>This site is hosted by the generous folks at <a <h2><b>This site is hosted by the generous folks at <a
href="http://www.sf.net">SourceForge.net</a> </b></h2> href="http://www.sf.net">SourceForge.net</a> </b></h2>
<b> </b> <b> </b>
<h2><b><a name="Donations"></a>Donations</b></h2> <h2><b><a name="Donations"></a>Donations</b></h2>
<b> </b></td> <b> </b></td>
<td
width="88" bgcolor="#4b017c" valign="top" align="center"> <br> <td width="88" bgcolor="#4b017c" valign="top"
align="center">
<form method="post"
action="http://lists.shorewall.net/cgi-bin/htsearch">
<p><strong><br>
<font color="#ffffff"><b>Note: </b></font></strong>
<font color="#ffffff">Search is unavailable Daily 0200-0330
GMT.</font><br>
 </p>
<p><font color="#ffffff"><strong>Quick Search</strong></font><br>
<font face="Arial" size="-1"> <input
type="text" name="words" size="15"></font><font size="-1"> </font><font
face="Arial" size="-1"> <input type="hidden" name="format"
value="long"> <input type="hidden" name="method" value="and">
<input type="hidden" name="config" value="htdig"> <input
type="submit" value="Search"></font> </p>
<font face="Arial"> <input type="hidden"
name="exclude" value="[http://lists.shorewall.net/pipermail/*]">
</font> </form>
<p><font color="#ffffff"><b> <a
href="http://lists.shorewall.net/htdig/search.html"> <font
color="#ffffff">Extended Search</font></a></b></font></p>
<a target="_top"
href="file:///vfat/Shorewall-docs/1.3/index.html"><font color="#ffffff">
</font></a><a target="_top"
href="http://www1.shorewall.net/1.2/index.htm"><font color="#ffffff"><small><small><small></small></small></small></font></a><br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</center> </center>
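Review bot: the new sidebar adds a link to `file:///vfat/Shorewall-docs/1.3/index.html` (beside an empty anchor to www1.shorewall.net/1.2), and the retained `<p><a href="file:///Z:/Shorewall-docs/News.htm"></a></p>` is another author-local path; neither resolves for a site visitor and both expose the author's local drive layout, so they should be removed or pointed at the published pages. Smaller points in the same hunk: the 6to4 release-note item has a stray empty `<a href="6to4.htm"> </a>` immediately before the real link; the GSLUG entry is dated 4/12/2002 although it sits between 4/21/2003 and the other 2003 items, which looks like a typo for 2003; and "insures that all loopback traffic is allowed" should be "ensures". The loopback change itself (accepting lo traffic before the rule that drops INVALID packets) is the one security-relevant fix in this release and deserves a sentence saying that local services could previously be affected when connection tracking was confused, which is what the note implies.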
@ -222,27 +274,35 @@ Issues</a>' for information about how this new option may affect your configurat
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td width="100%"
style="margin-top: 1px;"> <td width="100%" style="margin-top: 1px;">
<p align="center"><a href="http://www.starlight.org"> <img <p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left" border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10"> hspace="10">
</a></p> </a></p>
<p align="center"><font size="4" color="#ffffff">Shorewall is free
but if you try it and find it useful, please consider making a donation
to <a <p align="center"><font size="4" color="#ffffff">Shorewall is free but
href="http://www.starlight.org"><font color="#ffffff">Starlight Children's if you try it and find it useful, please consider making a donation
Foundation.</font></a> Thanks!</font></p> to
<a href="http://www.starlight.org"><font color="#ffffff">Starlight
Children's Foundation.</font></a> Thanks!</font></p>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p><font size="2">Updated 4/7/2003 - <a href="support.htm">Tom Eastep</a></font> <p><font size="2">Updated 5/18/2003 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
<br>
<br> <br>
</p>
</body> </body>
</html> </html>

View File

@ -45,28 +45,29 @@
<p>Shorewall requires that you have the iproute/iproute2 package installed <p>Shorewall requires that you have the iproute/iproute2 package installed
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell (on RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell
if this package is installed by the presence of an <b>ip</b> program on if this package is installed by the presence of an <b>ip</b> program
your firewall system. As root, you can use the 'which' command to check on your firewall system. As root, you can use the 'which' command to
for this program:</p> check for this program:</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre> <pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
<p>I recommend that you read through the guide first to familiarize yourself <p>I recommend that you read through the guide first to familiarize yourself
with what's involved then go back through it again making your configuration with what's involved then go back through it again making your configuration
changes.  Points at which configuration changes are recommended are flagged changes.  Points at which configuration changes are recommended are
with <img border="0" src="images/BD21298_.gif" width="13" height="13"> flagged with <img border="0" src="images/BD21298_.gif" width="13"
height="13">
.</p> .</p>
<p><img border="0" src="images/j0213519.gif" width="60" height="60"> <p><img border="0" src="images/j0213519.gif" width="60" height="60">
    If you edit your configuration files on a Windows system, you     If you edit your configuration files on a Windows system, you
must save them as Unix files if your editor supports that option or you must save them as Unix files if your editor supports that option or you
must run them through dos2unix before trying to use them. Similarly, if must run them through dos2unix before trying to use them. Similarly, if
you copy a configuration file from your Windows hard drive to a floppy disk, you copy a configuration file from your Windows hard drive to a floppy
you must run dos2unix against the copy before using it with Shorewall.</p> disk, you must run dos2unix against the copy before using it with Shorewall.</p>
<ul> <ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows
of dos2unix</a></li> Version of dos2unix</a></li>
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux <li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
Version of dos2unix</a></li> Version of dos2unix</a></li>
@ -77,21 +78,21 @@ you must run dos2unix against the copy before using it with Shorewall.</p>
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13" <p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
alt=""> alt="">
    The configuration files for Shorewall are contained in the directory     The configuration files for Shorewall are contained in the directory
/etc/shorewall -- for simple setups, you only need to deal with a few of /etc/shorewall -- for simple setups, you only need to deal with a few
these as described in this guide. After you have <a of these as described in this guide. After you have <a
href="Install.htm">installed Shorewall</a>, <b>download the <a href="Install.htm">installed Shorewall</a>, <b>download the <a
href="http://www.shorewall.net/pub/shorewall/LATEST.samples/one-interface.tgz">one-interface href="http://www1.shorewall.net/pub/shorewall/Samples/">one-interface sample</a>,
sample</a>, un-tar it (tar -zxvf one-interface.tgz) and and copy the files un-tar it (tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewall
to /etc/shorewall (they will replace files with the same names that were (they will replace files with the same names that were placed in /etc/shorewall
placed in /etc/shorewall during Shorewall installation)</b>.</p> during Shorewall installation)</b>.</p>
<p>As each file is introduced, I suggest that you look through the actual <p>As each file is introduced, I suggest that you look through the actual
file on your system -- each file contains detailed configuration instructions file on your system -- each file contains detailed configuration instructions
and default entries.</p> and default entries.</p>
<p>Shorewall views the network where it is running as being composed of a <p>Shorewall views the network where it is running as being composed of a
set of <i>zones.</i> In the one-interface sample configuration, only one set of <i>zones.</i> In the one-interface sample configuration, only
zone is defined:</p> one zone is defined:</p>
<table border="0" style="border-collapse: collapse;" cellpadding="3" <table border="0" style="border-collapse: collapse;" cellpadding="3"
cellspacing="0" id="AutoNumber2"> cellspacing="0" id="AutoNumber2">
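Review bot: the one-interface sample link now points at the directory http://www1.shorewall.net/pub/shorewall/Samples/ instead of a tarball, but the same sentence still says "un-tar it (tar -zxvf one-interface.tgz)", so the reader has to guess which file in the listing to fetch; either link the tarball directly or name the file to download. The sentence also has the duplicated words "and and copy". Since these samples overwrite files in /etc/shorewall and are fetched over plain http, pointing the reader at a checksum or signature for the archive would be a worthwhile addition.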
@ -130,10 +131,10 @@ placed in /etc/shorewall during Shorewall installation)</b>.</p>
matches the connection request then the first policy in /etc/shorewall/policy matches the connection request then the first policy in /etc/shorewall/policy
that matches the request is applied. If that policy is REJECT or DROP  that matches the request is applied. If that policy is REJECT or DROP 
the request is first checked against the rules in /etc/shorewall/common the request is first checked against the rules in /etc/shorewall/common
(the samples provide that file for you).</p> (the samples provide that file for you).</p>
<p>The /etc/shorewall/policy file included with the one-interface sample has <p>The /etc/shorewall/policy file included with the one-interface sample
the following policies:</p> has the following policies:</p>
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -191,21 +192,21 @@ your firewall</li>
<p align="left">The firewall has a single network interface. Where Internet <p align="left">The firewall has a single network interface. Where Internet
connectivity is through a cable or DSL "Modem", the <i>External Interface</i> connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
will be the ethernet adapter (<b>eth0</b>) that is connected to that "Modem"  will be the ethernet adapter (<b>eth0</b>) that is connected to that
<u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol "Modem"  <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint
over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling <u>P</u>rotocol over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint
<u>P</u>rotocol </i>(PPTP) in which case the External Interface will be <u>T</u>unneling <u>P</u>rotocol </i>(PPTP) in which case the External
a <b>ppp0</b>. If you connect via a regular modem, your External Interface Interface will be a <b>ppp0</b>. If you connect via a regular modem, your
will also be <b>ppp0</b>. If you connect using ISDN, your external interface External Interface will also be <b>ppp0</b>. If you connect using ISDN,
will be<b> ippp0.</b></p> your external interface will be<b> ippp0.</b></p>
<p align="left"><img border="0" src="images/BD21298_3.gif" width="13" <p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
height="13"> height="13">
    The Shorewall one-interface sample configuration assumes that the     The Shorewall one-interface sample configuration assumes that
external interface is <b>eth0</b>. If your configuration is different, the external interface is <b>eth0</b>. If your configuration is different,
you will have to modify the sample /etc/shorewall/interfaces file accordingly. you will have to modify the sample /etc/shorewall/interfaces file accordingly.
While you are there, you may wish to review the list of options that are While you are there, you may wish to review the list of options that
specified for the interface. Some hints:</p> are specified for the interface. Some hints:</p>
<ul> <ul>
<li> <li>
@ -214,8 +215,8 @@ your firewall</li>
</li> </li>
<li> <li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b> <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>
or if you have a static IP address, you can remove "dhcp" from the option or if you have a static IP address, you can remove "dhcp" from the
list. </p> option list. </p>
</li> </li>
</ul> </ul>
@ -234,15 +235,15 @@ your firewall</li>
<p align="left">These addresses are sometimes referred to as <i>non-routable</i> <p align="left">These addresses are sometimes referred to as <i>non-routable</i>
because the Internet backbone routers will not forward a packet whose because the Internet backbone routers will not forward a packet whose
destination address is reserved by RFC 1918. In some cases though, ISPs destination address is reserved by RFC 1918. In some cases though,
are assigning these addresses then using <i>Network Address Translation ISPs are assigning these addresses then using <i>Network Address Translation
</i>to rewrite packet headers when forwarding to/from the internet.</p> </i>to rewrite packet headers when forwarding to/from the internet.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" align="left" <p align="left"><img border="0" src="images/BD21298_.gif" align="left"
width="13" height="13"> width="13" height="13">
     Before starting Shorewall, you should look at the IP address      Before starting Shorewall, you should look at the IP address
of your external interface and if it is one of the above ranges, you of your external interface and if it is one of the above ranges, you
should remove the 'norfc1918' option from the entry in /etc/shorewall/interfaces.</p> should remove the 'norfc1918' option from the entry in /etc/shorewall/interfaces.</p>
</div> </div>
<div align="left"> <div align="left">
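Review bot: the paragraph explains that RFC 1918 addresses are reserved and that some ISPs hand them out behind NAT, then tells the reader to remove 'norfc1918' from /etc/shorewall/interfaces if their external address is in one of those ranges, but it never says what the option does, so the reader cannot judge what filtering they give up by removing it. One sentence describing the option, or a link to its description in the interfaces file documentation, would let them make that call deliberately rather than blindly.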
@ -284,8 +285,8 @@ should remove the 'norfc1918' option from the entry in /etc/shorewall/interf
</div> </div>
<div align="left"> <div align="left">
<p align="left">Example - You want to run a Web Server and a POP3 Server on <p align="left">Example - You want to run a Web Server and a POP3 Server
your firewall system:</p> on your firewall system:</p>
</div> </div>
<div align="left"> <div align="left">
@ -333,8 +334,8 @@ uses, see <a href="ports.htm">here</a>.</p>
<div align="left"> <div align="left">
<p align="left"><b>Important: </b>I don't recommend enabling telnet to/from <p align="left"><b>Important: </b>I don't recommend enabling telnet to/from
the internet because it uses clear text (even for login!). If you want the internet because it uses clear text (even for login!). If you
shell access to your firewall from the internet, use SSH:</p> want shell access to your firewall from the internet, use SSH:</p>
</div> </div>
<div align="left"> <div align="left">
@ -395,8 +396,8 @@ uses, see <a href="ports.htm">here</a>.</p>
<div align="left"> <div align="left">
<p align="left">The firewall is started using the "shorewall start" command <p align="left">The firewall is started using the "shorewall start" command
and stopped using "shorewall stop". When the firewall is stopped, routing and stopped using "shorewall stop". When the firewall is stopped,
is enabled on those hosts that have an entry in <a routing is enabled on those hosts that have an entry in <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A
running firewall may be restarted using the "shorewall restart" command. running firewall may be restarted using the "shorewall restart" command.
If you want to totally remove any trace of Shorewall from your Netfilter If you want to totally remove any trace of Shorewall from your Netfilter
@ -406,9 +407,9 @@ uses, see <a href="ports.htm">here</a>.</p>
<div align="left"> <div align="left">
<p align="left"><b>WARNING: </b>If you are connected to your firewall from <p align="left"><b>WARNING: </b>If you are connected to your firewall from
the internet, do not issue a "shorewall stop" command unless you have the internet, do not issue a "shorewall stop" command unless you have
added an entry for the IP address that you are connected from to <a added an entry for the IP address that you are connected from to
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better to create Also, I don't recommend using "shorewall restart"; it is better to create
an <i><a href="configuration_file_basics.htm#Configs">alternate configuration</a></i> an <i><a href="configuration_file_basics.htm#Configs">alternate configuration</a></i>
and test it using the <a and test it using the <a
href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p> href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p>
@ -418,7 +419,8 @@ Also, I don't recommend using "shorewall restart"; it is better to create
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002, 2003 <p align="left"><a href="copyright.htm"><font size="2">Copyright 2002, 2003
Thomas M. Eastep</font></a></p> Thomas M. Eastep</font></a></p>
<br>
<br> <br>
<br> <br>
<br> <br>

View File

@ -30,24 +30,24 @@
<h2 align="center">Version 2.0.1 Française</h2> <h2 align="center">Version 2.0.1 Française</h2>
<p align="left"><small><i><u>Notes du traducteur</u> :<br> <p align="left"><small><i><u>Notes du traducteur</u> :<br>
Je ne prétends pas être un vrai traducteur dans le sens ou mon travail n'est Je ne prétends pas être un vrai traducteur dans le sens ou mon travail
pas des plus précis (loin de là...). Je ne me suis pas attaché à une traduction n'est pas des plus précis (loin de là...). Je ne me suis pas attaché à une
exacte du texte, mais plutôt à en faire une version française intelligible traduction exacte du texte, mais plutôt à en faire une version française
par tous (et par moi). Les termes techniques sont la plupart du temps conservés intelligible par tous (et par moi). Les termes techniques sont la plupart
sous leur forme originale et mis entre parenthèses car vous pouvez les retrouver du temps conservés sous leur forme originale et mis entre parenthèses car
dans le reste des documentations ainsi que dans les fichiers de configuration. vous pouvez les retrouver dans le reste des documentations ainsi que dans
N?hésitez pas à me contacter afin d?améliorer ce document <a les fichiers de configuration. N?hésitez pas à me contacter afin d?améliorer
href="mailto:vetsel.patrice@wanadoo.fr">VETSEL Patrice</a> (merci à JMM pour ce document <a href="mailto:vetsel.patrice@wanadoo.fr">VETSEL Patrice</a>
sa relecture et ses commentaires pertinents, ainsi qu'à Tom EASTEP pour son (merci à JMM pour sa relecture et ses commentaires pertinents, ainsi qu'à
formidable outil et sa disponibilité)</i><i>.</i></small></p> Tom EASTEP pour son formidable outil et sa disponibilité)</i><i>.</i></small></p>
<p align="left">Mettre en place un système Linux en tant que firewall (écluse) <p align="left">Mettre en place un système Linux en tant que firewall (écluse)
pour un petit réseau est une chose assez simple, si vous comprenez les bases pour un petit réseau est une chose assez simple, si vous comprenez les bases
et suivez la documentation.</p> et suivez la documentation.</p>
<p>Ce guide ne veut pas vous apprendre tous les rouages de Shorewall. Il <p>Ce guide ne veut pas vous apprendre tous les rouages de Shorewall. Il se
se focalise sur ce qui est nécessaire pour configurer Shorewall, dans son focalise sur ce qui est nécessaire pour configurer Shorewall, dans son utilisation
utilisation la plus courante :</p> la plus courante :</p>
<ul> <ul>
<li>Un système Linux</li> <li>Un système Linux</li>
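Review bot: the translator's note still carries the mis-encoded apostrophes in "N?hésitez pas" and "d?améliorer" (present in both columns of this hunk); since the reflow already rewrites those lines, replace each `?` with a plain `'` so the sentence reads "N'hésitez pas à me contacter afin d'améliorer ce document".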
@ -57,8 +57,8 @@ rtc...</li>
</ul> </ul>
<p>Ce guide suppose que vous avez le paquet iproute/iproute2 d'installé. <p>Ce guide suppose que vous avez le paquet iproute/iproute2 d'installé. Vous
Vous pouvez voir si le paquet est installé en vérifiant la présence du programme pouvez voir si le paquet est installé en vérifiant la présence du programme
ip sur votre système de firewall. Sous root, utilisez la commande 'which' ip sur votre système de firewall. Sous root, utilisez la commande 'which'
pour rechercher le programme :</p> pour rechercher le programme :</p>
@ -73,15 +73,15 @@ la configuration sont recommand
<p><img border="0" src="images/j0213519.gif" width="60" height="60"> <p><img border="0" src="images/j0213519.gif" width="60" height="60">
Si vous éditez vos fichiers de configuration sur un système Windows, vous Si vous éditez vos fichiers de configuration sur un système Windows, vous
devez les sauver comme des fichiers Unix si votre éditeur supporte cette option devez les sauver comme des fichiers Unix si votre éditeur supporte cette
sinon vous devez les faire passer par dos2unix avant d'essayer de les utiliser. option sinon vous devez les faire passer par dos2unix avant d'essayer de
De la même manière, si vous copiez un fichier de configuration depuis votre les utiliser. De la même manière, si vous copiez un fichier de configuration
disque dur Windows vers une disquette, vous devez lancer dos2unix sur la depuis votre disque dur Windows vers une disquette, vous devez lancer dos2unix
copie avant de l'utiliser avec Shorewall.</p> sur la copie avant de l'utiliser avec Shorewall.</p>
<ul> <ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
of dos2unix</a></li> of dos2unix</a></li>
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version <li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version
of dos2unix</a></li> of dos2unix</a></li>
@ -95,18 +95,18 @@ of dos2unix</a></li>
/etc/shorewall -- pour de simples paramétrages, vous n'avez à faire qu'avec /etc/shorewall -- pour de simples paramétrages, vous n'avez à faire qu'avec
quelques un d'entre eux comme décris dans ce guide. Après avoir <a quelques un d'entre eux comme décris dans ce guide. Après avoir <a
href="Install.htm">installé Shorewall</a>, <b>téléchargez le <a href="Install.htm">installé Shorewall</a>, <b>téléchargez le <a
href="http://france.shorewall.net/pub/shorewall/LATEST.samples/one-interface.tgz">one-interface href="http://www1.shorewall.net/pub/shorewall/Samples/">one-interface sample</a>,
sample</a>, un-tarez le (tar -zxvf one-interface.tgz) et copiez les fichiers un-tarez le (tar -zxvf one-interface.tgz) et copiez les fichiers vers /etc/shorewall
vers /etc/shorewall (Ils remplaceront les fichiers de même nom déjà existant (Ils remplaceront les fichiers de même nom déjà existant dans /etc/shorewall
dans /etc/shorewall installés lors de l'installation de Shorewall)</b>.</p> installés lors de l'installation de Shorewall)</b>.</p>
<p>Parallèlement à la description, je vous suggère de jeter un oeil à ceux <p>Parallèlement à la description, je vous suggère de jeter un oeil à ceux
physiquement présents sur votre système -- chacun des fichiers contient des physiquement présents sur votre système -- chacun des fichiers contient des
instructions de configuration détaillées et des entrées par défaut.</p> instructions de configuration détaillées et des entrées par défaut.</p>
<p>Shorewall voit le réseau où il tourne comme composé par un ensemble de <p>Shorewall voit le réseau où il tourne comme composé par un ensemble de
<i>zones.</i> Dans les fichiers de configuration fournis pour une unique <i>zones.</i> Dans les fichiers de configuration fournis pour une unique interface,
interface, une seule zone est définie :</p> une seule zone est définie :</p>
<table border="0" style="border-collapse: collapse;" cellpadding="3" <table border="0" style="border-collapse: collapse;" cellpadding="3"
cellspacing="0" id="AutoNumber2"> cellspacing="0" id="AutoNumber2">
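Review bot: the download link now points at a directory (http://www1.shorewall.net/pub/shorewall/Samples/) while the sentence that follows still tells the reader to run `tar -zxvf one-interface.tgz`; either link the tarball itself or reword the instruction to say the reader must pick one-interface.tgz from that directory, otherwise the step cannot be followed as written.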
@ -126,15 +126,15 @@ interface, une seule zone est d
<p>Les zones de Shorewall sont définies dans <a <p>Les zones de Shorewall sont définies dans <a
href="Documentation.htm#Zones"> /etc/shorewall/zones</a>.</p> href="Documentation.htm#Zones"> /etc/shorewall/zones</a>.</p>
<p>Shorewall reconnaît aussi le système de firewall comme sa propre zone <p>Shorewall reconnaît aussi le système de firewall comme sa propre zone -
- par défaut, le firewall lui-même est connu en tant que <b>fw</b>.</p> par défaut, le firewall lui-même est connu en tant que <b>fw</b>.</p>
<p>Les règles concernant le trafic à autoriser ou à interdire sont exprimées <p>Les règles concernant le trafic à autoriser ou à interdire sont exprimées
en utilisant les termes de zones.</p> en utilisant les termes de zones.</p>
<ul> <ul>
<li>Vous exprimez les politiques par défaut pour les connexions d'une zone <li>Vous exprimez les politiques par défaut pour les connexions d'une
à une autre dans le fichier<a href="Documentation.htm#Policy"> /etc/shorewall/policy zone à une autre dans le fichier<a href="Documentation.htm#Policy"> /etc/shorewall/policy
</a>.</li> </a>.</li>
<li>Vous définissez les exceptions à ces règles de politiques par défaut <li>Vous définissez les exceptions à ces règles de politiques par défaut
dans le fichier <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li> dans le fichier <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
@ -143,11 +143,10 @@ dans le fichier <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
<p>Pour chacune des demandes de connexion entrantes dans le firewall, les <p>Pour chacune des demandes de connexion entrantes dans le firewall, les
demandes sont en premier lieu comparées par rapport au fichier /etc/shorewall/rules. demandes sont en premier lieu comparées par rapport au fichier /etc/shorewall/rules.
Si aucune des règles dans ce fichier ne correspondent, alors la première Si aucune des règles dans ce fichier ne correspondent, alors la première politique
politique dans /etc/shorewall/policy qui y correspond est appliquée. Si cette dans /etc/shorewall/policy qui y correspond est appliquée. Si cette politique
politique est REJECT ou DROP la requête est alors comparée par rapport aux est REJECT ou DROP la requête est alors comparée par rapport aux règles contenues
règles contenues dans /etc/shorewall/common (l'archive d'exemple vous fournit dans /etc/shorewall/common (l'archive d'exemple vous fournit ce fichier).</p>
ce fichier).</p>
<p>Le fichier /etc/shorewall/policy d'exemple contenu dans l'archive one-interface <p>Le fichier /etc/shorewall/policy d'exemple contenu dans l'archive one-interface
a les politiques suivantes :</p> a les politiques suivantes :</p>
@ -198,8 +197,8 @@ a les politiques suivantes :</p>
Ces politiques vont : Ces politiques vont :
<ol> <ol>
<li>permettre toutes demandes de connexion depuis le firewall vers l'Internet</li> <li>permettre toutes demandes de connexion depuis le firewall vers l'Internet</li>
<li>drop (ignorer) toutes les demandes de connexion depuis l'Internet vers <li>drop (ignorer) toutes les demandes de connexion depuis l'Internet
votre firewall</li> vers votre firewall</li>
<li>rejeter toutes les autres requêtes de connexion (Shorewall à besoin <li>rejeter toutes les autres requêtes de connexion (Shorewall à besoin
de cette politique).</li> de cette politique).</li>
@ -216,15 +215,15 @@ simple modem), l'<i>External Interface</i> (interface externe) sera l'adaptateur
ethernet (<b>eth0</b>) qui y est connecté <u>à moins que</u> vous vous connectiez ethernet (<b>eth0</b>) qui y est connecté <u>à moins que</u> vous vous connectiez
par <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol over <u>E</u>thernet</i> par <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol over <u>E</u>thernet</i>
(PPPoE) ou <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling<u>P</u>rotocol</i>(PPTP) (PPPoE) ou <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling<u>P</u>rotocol</i>(PPTP)
dans ce cas l'interface externe sera <b>ppp0</b>. Si vous vous connectez dans ce cas l'interface externe sera <b>ppp0</b>. Si vous vous connectez
par un simple modem (RTC), votre interface externe sera aussi <b>ppp0</b>. par un simple modem (RTC), votre interface externe sera aussi <b>ppp0</b>.
Si vous vous connectez en utilisant l'ISDN (numéris), votre interface externe Si vous vous connectez en utilisant l'ISDN (numéris), votre interface externe
sera<b> ippp0.</b></p> sera<b> ippp0.</b></p>
<p align="left"><img border="0" src="images/BD21298_3.gif" width="13" <p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
height="13"> height="13">
L'exemple de configuration de Shorewall pour une interface suppose que votre L'exemple de configuration de Shorewall pour une interface suppose que
interface externe est <b>eth0</b>. Si votre configuration est différente, votre interface externe est <b>eth0</b>. Si votre configuration est différente,
vous devrez modifier le fichier d'exemple /etc/shorewall/interfaces en conséquence. vous devrez modifier le fichier d'exemple /etc/shorewall/interfaces en conséquence.
Puisque vous y êtes, vous pourriez parcourir la liste d'options qui sont Puisque vous y êtes, vous pourriez parcourir la liste d'options qui sont
spécifiées pour l'interface. Quelques astuces :</p> spécifiées pour l'interface. Quelques astuces :</p>
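Review bot: the PPTP expansion is missing its spaces in both columns: `<u>T</u>unneling<u>P</u>rotocol</i>(PPTP)` renders as "TunnelingProtocol(PPTP)"; it should read "<u>T</u>unneling <u>P</u>rotocol</i> (PPTP)" to match the PPPoE expansion on the line above.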
@ -232,12 +231,12 @@ sp
<ul> <ul>
<li> <li>
<p align="left">Si votre interface externe est <b>ppp0</b> ou <b>ippp0</b>, <p align="left">Si votre interface externe est <b>ppp0</b> ou <b>ippp0</b>,
vous pouvez remplacer le "detect" dans la seconde colonne par un "-". vous pouvez remplacer le "detect" dans la seconde colonne par un "-".
</p> </p>
</li> </li>
<li> <li>
<p align="left"> Si votre interface externe est <b>ppp0</b> ou <b>ippp0</b> <p align="left"> Si votre interface externe est <b>ppp0</b> ou <b>ippp0</b>
ou bien si vous avez une adresse IP statique, vous pouvez enlever le "dhcp" ou bien si vous avez une adresse IP statique, vous pouvez enlever le "dhcp"
de la liste d'option. </p> de la liste d'option. </p>
</li> </li>
@ -248,15 +247,15 @@ de la liste d'option. </p>
</div> </div>
<div align="left"> <div align="left">
<p align="left">La RFC 1918 définie plusieurs plage d'adresses IP privée <p align="left">La RFC 1918 définie plusieurs plage d'adresses IP privée (<i>Private</i>IP)
(<i>Private</i>IP) pour l'utilisation dans des réseaux privés :</p> pour l'utilisation dans des réseaux privés :</p>
<div align="left"> <div align="left">
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre> <pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
</div> </div>
<p align="left">Ces adresses sont parfois désignées comme étant <i>non-routables</i> <p align="left">Ces adresses sont parfois désignées comme étant <i>non-routables</i>
car les routeurs sur les backbones Internet ne font pas passer les paquets car les routeurs sur les backbones Internet ne font pas passer les paquets
dont les adresses de destinations sont définies dans la RFC 1918. Dans certains dont les adresses de destinations sont définies dans la RFC 1918. Dans certains
cas, les fournisseurs (provider ou ISP) utilisent ces adresses et utilisent cas, les fournisseurs (provider ou ISP) utilisent ces adresses et utilisent
le <i>Network Address Translation </i>afin de récrire les entêtes des paquets le <i>Network Address Translation </i>afin de récrire les entêtes des paquets
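Review bot: the RFC 1918 sentence has agreement errors that the reflow preserves: "La RFC 1918 définie plusieurs plage d'adresses IP privée" should read "La RFC 1918 définit plusieurs plages d'adresses IP privées" (verb form, plural "plages", plural "privées").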
@ -310,8 +309,8 @@ vers votre firewall, le format g
</div> </div>
<div align="left"> <div align="left">
<p align="left">Exemple - Vous voulez faire tourner un serveur Web et un <p align="left">Exemple - Vous voulez faire tourner un serveur Web et un serveur
serveur POP3 sur votre système de firewall :</p> POP3 sur votre système de firewall :</p>
</div> </div>
<div align="left"> <div align="left">
@ -417,16 +416,16 @@ d
<div align="left"> <div align="left">
<p align="left"> <img border="0" src="images/BD21298_2.gif" width="13" <p align="left"> <img border="0" src="images/BD21298_2.gif" width="13"
height="13" alt="Arrow"> height="13" alt="Arrow">
La <a href="Install.htm">procédure d'installation </a> configure votre système La <a href="Install.htm">procédure d'installation </a> configure votre
pour lancer Shorewall au boot du système, mais au début avec la version 1.3.9 système pour lancer Shorewall au boot du système, mais au début avec la version
de Shorewall le lancement est désactivé, n'essayer pas de lancer Shorewall 1.3.9 de Shorewall le lancement est désactivé, n'essayer pas de lancer Shorewall
avec que la configuration soit finie. Une fois que vous en aurez fini avec avec que la configuration soit finie. Une fois que vous en aurez fini avec
la configuration du firewall, vous pouvez permettre le lancement de Shorewall la configuration du firewall, vous pouvez permettre le lancement de Shorewall
en supprimant le fichier /etc/shorewall/startup_disabled.<br> en supprimant le fichier /etc/shorewall/startup_disabled.<br>
</p> </p>
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Les utilisateurs <p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Les utilisateurs des
des paquets .deb doivent éditer /etc/default/shorewall et mettre 'startup=1'.</font><br> paquets .deb doivent éditer /etc/default/shorewall et mettre 'startup=1'.</font><br>
</p> </p>
</div> </div>
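Review bot: two typos in the startup paragraph are carried over unchanged: "n'essayer pas de lancer Shorewall avec que la configuration soit finie" should read "n'essayez pas de lancer Shorewall avant que la configuration soit finie" (imperative "n'essayez", and "avant que" rather than "avec que", which inverts the meaning of the warning).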
@ -441,14 +440,14 @@ de Netfilter, utilisez "shorewall clear".</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left"><b>ATTENTION: </b>Si vous êtes connecté à votre firewall <p align="left"><b>ATTENTION: </b>Si vous êtes connecté à votre firewall depuis
depuis Internet, n'essayez pas une commande "shorewall stop" tant que vous Internet, n'essayez pas une commande "shorewall stop" tant que vous n'avez
n'avez pas ajouté une entrée pour votre adresse IP (celle à partir de laquelle pas ajouté une entrée pour votre adresse IP (celle à partir de laquelle vous
vous êtes connectée) dans <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. êtes connectée) dans <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
De la même manière, je ne vous recommande pas d'utiliser "shorewall restart"; De la même manière, je ne vous recommande pas d'utiliser "shorewall restart";
il est plus intéressant de créer une <i><a il est plus intéressant de créer une <i><a
href="configuration_file_basics.htm#Configs">configuration alternative</a></i> href="configuration_file_basics.htm#Configs">configuration alternative</a></i>
et de la tester en utilisant la commande <a et de la tester en utilisant la commande <a
href="starting_and_stopping_shorewall.htm">"shorewall try"</a>.</p> href="starting_and_stopping_shorewall.htm">"shorewall try"</a>.</p>
</div> </div>
@ -465,5 +464,6 @@ M. Eastep</font></a></p>
<br> <br>
<br> <br>
<br> <br>
<br>
</body> </body>
</html> </html>
View File
@ -2,19 +2,14 @@
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shorewall Support Guide</title> <title>Shorewall Support Guide</title>
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
@ -23,54 +18,45 @@
<td <td
width="100%"> width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Support Guide<img <h1 align="center"><font color="#ffffff">Shorewall Support Guide<img
src="images/obrasinf.gif" alt="" width="90" height="90" align="middle"> src="images/obrasinf.gif" alt="" width="90" height="90" align="middle">
</font></h1> </font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<h2>Before Reporting a Problem or Asking a Question<br> <h2>Before Reporting a Problem or Asking a Question<br>
</h2> </h2>
There are a number There are
of sources of Shorewall information. Please try these before you a number of sources of Shorewall information. Please try these before
post. you post.
<ul> <ul>
<li>More than half of the questions posted <li>Shorewall versions earlier
on the support list have answers directly accessible from the that 1.3.0 are no longer supported.<br>
<a href="shorewall_quickstart_guide.htm#Documentation">Documentation
Index</a><br>
</li> </li>
<li> The <a <li>More than half of the questions posted on the support
href="FAQ.htm">FAQ</a> has solutions to more than 20 common problems. list have answers directly accessible from the <a
href="http://www.shorewall.net/shorewall_quickstart_guide.htm#Documentation">Documentation
Index</a><br>
</li> </li>
<li>
<li> The <a The <a href="http://www.shorewall.net/FAQ.htm">FAQ</a> has solutions
href="troubleshoot.htm">Troubleshooting</a> Information contains to more than 20 common problems. </li>
a number of tips to help you solve common problems. <li> The
</li> <a href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a>
Information contains a number of tips to help
<li> The <a you solve common problems. </li>
href="errata.htm"> Errata</a> has links to download updated <li> The
components. </li> <a href="http://www.shorewall.net/errata.htm"> Errata</a> has links
to download updated components. </li>
<li> The Site and Mailing <li> The Site
List Archives search facility can locate documents and posts and Mailing List Archives search facility can locate documents
about similar problems: </li> and posts about similar problems: </li>
</ul> </ul>
<h2>Site and Mailing List Archive Search</h2> <h2>Site and Mailing List Archive Search</h2>
<blockquote> <blockquote>
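Review bot: the new first bullet reads "Shorewall versions earlier that 1.3.0 are no longer supported"; "that" should be "than". The same hunk also turns the relative links (shorewall_quickstart_guide.htm, FAQ.htm, troubleshoot.htm, errata.htm) into absolute http://www.shorewall.net/ URLs, so anyone reading a mirrored or locally installed copy of the documentation is sent to the main site instead of the local pages; if that is intended, note it in the commit message, otherwise keep the links relative like the rest of the page.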
@ -96,45 +82,48 @@ Index</a><br>
<option value="revtime">Reverse Time </option> <option value="revtime">Reverse Time </option>
<option value="revtitle">Reverse Title </option> <option value="revtitle">Reverse Title </option>
</select> </select>
</font><input type="hidden" name="config" value="htdig"><input </font><input type="hidden" name="config"
type="hidden" name="restrict" value=""><font size="-1"> Include Mailing value="htdig"><input type="hidden" name="restrict" value=""><font
List Archives: size="-1"> Include Mailing List Archives:
<select size="1" name="exclude"> <select size="1" name="exclude">
<option value="">Yes</option> <option value="">Yes</option>
<option value="[http://lists.shorewall.net/pipermail/.*]">No</option> <option value="[http://lists.shorewall.net/pipermail/.*]">No</option>
</select> </select>
</font><br> </font><br>
Search: <input type="text" size="30" name="words" value=""> <input Search: <input type="text" size="30" name="words"
type="submit" value="Search"><br> value=""> <input type="submit" value="Search"><br>
</form> </form>
</blockquote> </blockquote>
<h2>Problem Reporting Guidelines<br> <h2>Problem Reporting Guidelines<br>
</h2> </h2>
<ul> <ul>
<li>Please remember we only know what is posted <li>Please remember we only know what
in your message. Do not leave out any information that appears is posted in your message. Do not leave out any information
to be correct, or was mentioned in a previous post. There have that appears to be correct, or was mentioned in a previous
been countless posts by people who were sure that some part of their post. There have been countless posts by people who were sure
configuration was correct when it actually contained a small error. that some part of their configuration was correct when it actually
We tend to be skeptics where detail is lacking.<br> contained a small error. We tend to be skeptics where detail
is lacking.<br>
<br> <br>
</li> </li>
<li>Please keep in mind that you're asking for <li>Please keep in mind that you're
<strong>free</strong> technical support. Any help we offer asking for <strong>free</strong> technical support.
is an act of generosity, not an obligation. Try to make it easy Any help we offer is an act of generosity, not an obligation.
for us to help you. Follow good, courteous practices in writing and Try to make it easy for us to help you. Follow good, courteous
formatting your e-mail. Provide details that we need if you expect good practices in writing and formatting your e-mail. Provide details that
answers. <em>Exact quoting </em> of error messages, log entries, we need if you expect good answers. <em>Exact quoting </em> of
command output, and other output is better than a paraphrase or summary.<br> error messages, log entries, command output, and other output is better
than a paraphrase or summary.<br>
<br> <br>
</li> </li>
<li> Please <li>
don't describe your environment and then ask us to send Please don't describe your environment and then ask us
you custom configuration files. We're here to answer to send you custom configuration files. We're here
your questions but we can't do your job for you.<br> to answer your questions but we can't do your
job for you.<br>
<br> <br>
</li> </li>
<li>When reporting a problem, <strong>ALWAYS</strong> <li>When reporting a problem, <strong>ALWAYS</strong>
@ -144,71 +133,53 @@ command output, and other output is better than a paraphrase or summary.<br
<ul> <ul>
<ul> <ul>
<li>the exact version of Shorewall you are <li>the exact version of Shorewall
running.<br> you are running.<br>
<br> <br>
<b><font color="#009900">shorewall version</font><br> <b><font color="#009900">shorewall
version</font><br>
</b> <br> </b> <br>
</li> </li>
</ul> </ul>
<ul> <ul>
<li>the exact kernel version you are running<br> <li>the exact kernel version you are
running<br>
<br> <br>
<font color="#009900"><b>uname -a<br> <font color="#009900"><b>uname -a<br>
<br> <br>
</b></font></li> </b></font></li>
</ul> </ul>
<ul> <ul>
<li>the complete, exact output of<br> <li>the complete, exact output of<br>
<br> <br>
<font color="#009900"><b>ip addr show<br> <font color="#009900"><b>ip addr
show<br>
<br> <br>
</b></font></li> </b></font></li>
</ul> </ul>
<ul> <ul>
<li>the complete, exact output of<br> <li>the complete, exact output of<br>
<br> <br>
<font color="#009900"><b>ip route show<br> <font color="#009900"><b>ip route
show<br>
<br> <br>
</b></font></li> </b></font></li>
</ul> </ul>
<ul> <ul>
<li>If your kernel is modularized, the exact <li>If your kernel is modularized,
output from<br> the exact output from<br>
<br> <br>
<font color="#009900"><b>lsmod</b></font><br> <font color="#009900"><b>lsmod</b></font><br>
<br>
</li> </li>
<li>the exact wording of any <code
style="color: green; font-weight: bold;">ping</code> failure responses<br>
<br>
</li>
<li>If you installed Shorewall using one of the QuickStart
Guides, please indicate which one. <br>
<br>
</li>
<li><b>If you are running Shorewall under Mandrake
using the Mandrake installation of Shorewall, please say so.</b><br>
</li>
</ul> </ul>
@ -224,20 +195,33 @@ using the Mandrake installation of Shorewall, please say so.</b><br>
<br> <br>
2. Try the connection that is failing.<br> 2. Try the connection that is failing.<br>
<br> <br>
3.<b><font color="#009900"> /sbin/shorewall status &gt; /tmp/status.txt</font></b><br> 3.<b><font color="#009900"> /sbin/shorewall status
&gt; /tmp/status.txt</font></b><br>
<br> <br>
4. Post the /tmp/status.txt file as an attachment.<br> 4. Post the /tmp/status.txt file as an attachment.<br>
<br> <br>
</li> </li>
<li>the exact wording of any <code
style="color: green; font-weight: bold;">ping</code> failure responses<br>
<br>
</li>
<li>If you installed Shorewall using one of the QuickStart
Guides, please indicate which one. <br>
<br>
</li>
<li><b>If you are running Shorewall under Mandrake using the
Mandrake installation of Shorewall, please say so.<br>
<br>
</b></li>
</ul> </ul>
<li>As a general <li>As
matter, please <strong>do not edit the diagnostic information</strong> a general matter, please <strong>do not edit the diagnostic
in an attempt to conceal your IP address, netmask, nameserver information</strong> in an attempt to conceal your IP address,
addresses, domain name, etc. These aren't secrets, and concealing netmask, nameserver addresses, domain name, etc. These aren't
them often misleads us (and 80% of the time, a hacker could derive secrets, and concealing them often misleads us (and 80% of the time,
them anyway from information contained in the SMTP headers of your a hacker could derive them anyway from information contained in
post).<br> the SMTP headers of your post).<br>
<br> <br>
<strong></strong></li> <strong></strong></li>
<li>Do you see any "Shorewall" messages ("<b><font <li>Do you see any "Shorewall" messages ("<b><font
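Review bot: step 3 has root redirect `/sbin/shorewall status` into the fixed, predictable path /tmp/status.txt; on a shared host any local user can pre-create a file or symlink of that name in the world-writable /tmp, and the file (which holds the full ruleset and addresses) ends up readable by everyone, so suggest writing to a root-owned location such as /root/status.txt, or at least mention that the output should be removed after it has been posted. Also, the empty `<strong></strong>` before `</li>` in the "do not edit the diagnostic information" bullet is leftover markup and can be dropped while this list is being reflowed.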
@ -247,100 +231,89 @@ post).<br>
file.<br> file.<br>
<br> <br>
</li> </li>
<li>Please include any of the Shorewall configuration files <li>Please include any of the Shorewall configuration
(especially the /etc/shorewall/hosts file if you have files (especially the /etc/shorewall/hosts file if
modified that file) that you think are relevant. If you have modified that file) that you think are relevant.
you include /etc/shorewall/rules, please include /etc/shorewall/policy If you include /etc/shorewall/rules, please include /etc/shorewall/policy
as well (rules are meaningless unless one also knows the policies).<br> as well (rules are meaningless unless one also knows the policies).<br>
<br> <br>
</li> </li>
<li>If an error occurs when you try to "<font <li>If an error occurs when you try to "<font
color="#009900"><b>shorewall start</b></font>", include a color="#009900"><b>shorewall start</b></font>", include a trace
trace (See the <a href="troubleshoot.htm">Troubleshooting</a> (See the <a href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a>
section for instructions).<br> section for instructions).<br>
<br> <br>
</li> </li>
<li><b>The list server limits posts to 120kb so don't post <li><b>The list server limits posts to 120kb so don't
GIFs of your network layout, etc. to the Mailing post GIFs of your network layout, etc. to
List -- your post will be rejected.</b></li> the Mailing List -- your post will be rejected.</b></li>
</ul> </ul>
<blockquote> <blockquote> The author gratefully acknowleges that the above list was
heavily plagiarized from the excellent LEAF document by <i>Ray</i>
<em>Olszewski</em> found at <a
The author gratefully acknowleges that the above list was heavily
plagiarized from the excellent LEAF document by <i>Ray</i> <em>Olszewski</em>
found at <a
href="http://leaf-project.org/pub/doc/docmanager/docid_1891.html">http://leaf-project.org/pub/doc/docmanager/docid_1891.html</a>.<br> href="http://leaf-project.org/pub/doc/docmanager/docid_1891.html">http://leaf-project.org/pub/doc/docmanager/docid_1891.html</a>.<br>
</blockquote> </blockquote>
<h2>When using the mailing list, please post in plain text</h2> <h2>When using the mailing list, please post in plain text</h2>
<blockquote> <blockquote> A growing number of MTAs serving list subscribers are
A growing number of MTAs serving list subscribers are rejecting rejecting all HTML traffic. At least one MTA has gone so far as to
all HTML traffic. At least one MTA has gone so far as to blacklist blacklist shorewall.net "for continuous abuse" because it has been
shorewall.net "for continuous abuse" because it has been my policy my policy to allow HTML in list posts!!<br>
to allow HTML in list posts!!<br>
<br> <br>
I think that blocking all HTML is a Draconian I think that blocking all HTML is
way to control spam and that the ultimate losers here are not a Draconian way to control spam and that the ultimate losers
the spammers but the list subscribers whose MTAs are bouncing here are not the spammers but the list subscribers whose MTAs
all shorewall.net mail. As one list subscriber wrote to me privately are bouncing all shorewall.net mail. As one list subscriber wrote
"These e-mail admin's need to get a <i>(expletive deleted)</i> life to me privately "These e-mail admin's need to get a <i>(expletive
instead of trying to rid the planet of HTML based e-mail". Nevertheless, deleted)</i> life instead of trying to rid the planet of HTML based
to allow subscribers to receive list posts as must as possible, I have e-mail". Nevertheless, to allow subscribers to receive list posts
now configured the list server at shorewall.net to strip all HTML as must as possible, I have now configured the list server at shorewall.net
from outgoing posts.<br> to strip all HTML from outgoing posts.<br>
</blockquote> </blockquote>
<h2>Where to Send your Problem Report or to Ask for Help</h2> <h2>Where to Send your Problem Report or to Ask for Help</h2>
<blockquote> <b>If you have a <u>quick</u> question about
<blockquote> capabilities or where to find something, you may use the</b> <a
href="http://www.developercube.com/forum/index.php?c=8">Shorewall Support
Forum</a>. <u><b>DO NOT POST THE OUTPUT OF "shorewall status" TO THE FORUM;
I WON'T LOOK AT IT.</b></u> <b>If you need to supply "shorewall status"
output, use the appropriate mailing list below.</b><br>
<h4>If you run Shorewall under Bering -- <span <h4>If you run Shorewall under Bering -- <span
style="font-weight: 400;">please post your question or problem style="font-weight: 400;">please post your question or problem
to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF to the <a
Users mailing list</a>.</span></h4> href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing
list</a>.</span></h4>
<b>If you run Shorewall under MandrakeSoft <b>If you run Shorewall under MandrakeSoft
Multi Network Firewall (MNF) and you have not purchased an Multi Network Firewall (MNF) and you have not purchased an
MNF license from MandrakeSoft then you can post non MNF-specific MNF license from MandrakeSoft then you can post non MNF-specific
Shorewall questions to the </b><a Shorewall questions to the </b><a
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
list</a>. <b>Do not expect to get free MNF support on the list.</b><br> list</a>. <b>Do not expect to get free MNF support on the list.</b><br>
<p>Otherwise, please post your question or problem to the <a <p>Otherwise, please post your question or problem to the <a
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
list</a>.<br> list</a> .</p>
To Subscribe to the mailing list go to <a
<p> To Subscribe to the mailing list go to <a
href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a> href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a>
.<br> .<br>
</p> </p>
</blockquote> </blockquote>
<p>For information on other Shorewall mailing lists, go to <a <p>For information on other Shorewall mailing lists, go to <a
href="http://lists.shorewall.net/mailing_list.htm">http://lists.shorewall.net/mailing_list.htm</a><br> href="http://lists.shorewall.net">http://lists.shorewall.net</a><br>
</p> </p>
<p align="left"><font size="2">Last Updated 5/12/2003 - Tom Eastep</font></p>
<p align="left"><font size="2">Last Updated 4/10/2003 - Tom Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br> size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p> <br>
<br> </p>
<br>
<br>
<br>
<br>
</body> </body>
</html> </html>
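Review bot: the newly added forum paragraph ("If you have a quick question about capabilities or where to find something, you may use the Shorewall Support Forum ... use the appropriate mailing list below.") is bare inline markup dropped directly inside the blockquote, while every neighbouring item is wrapped in an `<h4>` or `<p>`; wrap it in a `<p>` so it gets the same spacing as the "Otherwise, please post your question or problem to the Shorewall users mailing list" paragraph below it. The run of empty `<br>` lines left before `</body>` is padding and can be dropped.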

View File

@ -31,7 +31,7 @@
<p align="left">Setting up a Linux system as a firewall for a small network <p align="left">Setting up a Linux system as a firewall for a small network
with DMZ is a fairly straight-forward task if you understand the with DMZ is a fairly straight-forward task if you understand the
basics and follow the documentation.</p> basics and follow the documentation.</p>
<p>This guide doesn't attempt to acquaint you with all of the features of <p>This guide doesn't attempt to acquaint you with all of the features of
Shorewall. It rather focuses on what is required to configure Shorewall Shorewall. It rather focuses on what is required to configure Shorewall
@ -55,9 +55,9 @@ local network.</li>
<p>Shorewall requires that you have the iproute/iproute2 package installed <p>Shorewall requires that you have the iproute/iproute2 package installed
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can (on RedHat, the package is called <i>iproute</i>)<i>. </i>You can
tell if this package is installed by the presence of an <b>ip</b> program tell if this package is installed by the presence of an <b>ip</b>
on your firewall system. As root, you can use the 'which' command to program on your firewall system. As root, you can use the 'which'
check for this program:</p> command to check for this program:</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre> <pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
@ -74,15 +74,16 @@ tell if this package is installed by the presence of an <b>ip</b> program
    If you edit your configuration files on a Windows system,     If you edit your configuration files on a Windows system,
you must save them as Unix files if your editor supports that option you must save them as Unix files if your editor supports that option
or you must run them through dos2unix before trying to use them. Similarly, or you must run them through dos2unix before trying to use them. Similarly,
if you copy a configuration file from your Windows hard drive to a floppy if you copy a configuration file from your Windows hard drive to a
disk, you must run dos2unix against the copy before using it with Shorewall.</p> floppy disk, you must run dos2unix against the copy before using it with
Shorewall.</p>
<ul> <ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows
Version of dos2unix</a></li> Version of dos2unix</a></li>
<li><a <li><a
href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version of href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version
dos2unix</a></li> of dos2unix</a></li>
</ul> </ul>
@ -91,21 +92,21 @@ tell if this package is installed by the presence of an <b>ip</b> program
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13" <p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
alt=""> alt="">
    The configuration files for Shorewall are contained in the directory     The configuration files for Shorewall are contained in the directory
/etc/shorewall -- for simple setups, you will only need to deal with a /etc/shorewall -- for simple setups, you will only need to deal with
few of these as described in this guide. After you have <a a few of these as described in this guide. After you have <a
href="Install.htm">installed Shorewall</a>, <b>download the <a href="Install.htm">installed Shorewall</a>, <b>download the <a
href="http://www.shorewall.net/pub/shorewall/LATEST.samples/three-interfaces.tgz">three-interface href="http://www.shorewall.net/pub/shorewall/Samples/">three-interface
sample</a>, un-tar it (tar -zxvf three-interfaces.tgz) and and copy sample</a>, un-tar it (tar -zxvf three-interfaces.tgz) and and copy
the files to /etc/shorewall (the files will replace files with the same the files to /etc/shorewall (the files will replace files with the
names that were placed in /etc/shorewall when Shorewall was installed)</b>.</p> same names that were placed in /etc/shorewall when Shorewall was installed)</b>.</p>
<p>As each file is introduced, I suggest that you look through the actual <p>As each file is introduced, I suggest that you look through the actual
file on your system -- each file contains detailed configuration instructions file on your system -- each file contains detailed configuration
and default entries.</p> instructions and default entries.</p>
<p>Shorewall views the network where it is running as being composed of a <p>Shorewall views the network where it is running as being composed of a
set of <i>zones.</i> In the three-interface sample configuration, set of <i>zones.</i> In the three-interface sample configuration,
the following zone names are used:</p> the following zone names are used:</p>
<table border="0" style="border-collapse: collapse;" cellpadding="3" <table border="0" style="border-collapse: collapse;" cellpadding="3"
cellspacing="0" id="AutoNumber2"> cellspacing="0" id="AutoNumber2">
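Review bot: the sample link now points at the `Samples/` directory instead of the tarball, but the sentence still says "un-tar it (tar -zxvf three-interfaces.tgz)", so a reader following the link no longer knows which file to fetch; either link the tarball directly or name the file to download in the sentence. While touching that sentence, "and and copy the files to /etc/shorewall" has a doubled "and".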
@ -140,7 +141,7 @@ the following zone names are used:</p>
<ul> <ul>
<li>You express your default policy for connections from <li>You express your default policy for connections from
one zone to another zone in the<a one zone to another zone in the<a
href="Documentation.htm#Policy"> /etc/shorewall/policy </a>file.</li> href="Documentation.htm#Policy"> /etc/shorewall/policy </a>file.</li>
<li>You define exceptions to those default policies in <li>You define exceptions to those default policies in
the <a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li> the <a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
@ -149,9 +150,9 @@ the <a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
<p>For each connection request entering the firewall, the request is first <p>For each connection request entering the firewall, the request is first
checked against the /etc/shorewall/rules file. If no rule in that checked against the /etc/shorewall/rules file. If no rule in that
file matches the connection request then the first policy in /etc/shorewall/policy file matches the connection request then the first policy in /etc/shorewall/policy
that matches the request is applied. If that policy is REJECT or that matches the request is applied. If that policy is REJECT or
DROP  the request is first checked against the rules in /etc/shorewall/common DROP  the request is first checked against the rules in /etc/shorewall/common
(the samples provide that file for you).</p> (the samples provide that file for you).</p>
<p>The /etc/shorewall/policy file included with the three-interface sample <p>The /etc/shorewall/policy file included with the three-interface sample
@ -235,8 +236,8 @@ firewall to the internet (if you uncomment the additional policy)</li>
</ol> </ol>
<p><img border="0" src="images/BD21298_1.gif" width="13" height="13"> <p><img border="0" src="images/BD21298_1.gif" width="13" height="13">
    At this point, edit your /etc/shorewall/policy file and     At this point, edit your /etc/shorewall/policy file
make any changes that you wish.</p> and make any changes that you wish.</p>
<h2 align="left">Network Interfaces</h2> <h2 align="left">Network Interfaces</h2>
@ -245,58 +246,59 @@ firewall to the internet (if you uncomment the additional policy)</li>
</p> </p>
<p align="left">The firewall has three network interfaces. Where Internet <p align="left">The firewall has three network interfaces. Where Internet
connectivity is through a cable or DSL "Modem", the <i>External Interface</i> connectivity is through a cable or DSL "Modem", the <i>External
will be the ethernet adapter that is connected to that "Modem" (e.g., Interface</i> will be the ethernet adapter that is connected to
<b>eth0</b>)  <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint that "Modem" (e.g., <b>eth0</b>)  <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint
<u>P</u>rotocol over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint
<u>T</u>unneling <u>P</u>rotocol </i>(PPTP) in which case the External <u>T</u>unneling <u>P</u>rotocol </i>(PPTP) in which case the External
Interface will be a ppp interface (e.g., <b>ppp0</b>). If you connect Interface will be a ppp interface (e.g., <b>ppp0</b>). If you connect
via a regular modem, your External Interface will also be <b>ppp0</b>. via a regular modem, your External Interface will also be <b>ppp0</b>.
If you connect using ISDN, you external interface will be <b>ippp0.</b></p> If you connect using ISDN, you external interface will be <b>ippp0.</b></p>
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13" <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13"> height="13">
    If your external interface is <b>ppp0</b> or <b>ippp0     If your external interface is <b>ppp0</b> or <b>ippp0
</b>then you will want to set CLAMPMSS=yes in <a </b>then you will want to set CLAMPMSS=yes in <a
href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf.</a></p> href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf.</a></p>
<p align="left">Your <i>Local Interface</i> will be an ethernet adapter (eth0, <p align="left">Your <i>Local Interface</i> will be an ethernet adapter (eth0,
eth1 or eth2) and will be connected to a hub or switch. Your local eth1 or eth2) and will be connected to a hub or switch. Your local
computers will be connected to the same switch (note: If you have only computers will be connected to the same switch (note: If you have
a single local system, you can connect the firewall directly to the only a single local system, you can connect the firewall directly to
computer using a <i>cross-over </i> cable).</p> the computer using a <i>cross-over </i> cable).</p>
<p align="left">Your <i>DMZ Interface</i> will also be an ethernet adapter <p align="left">Your <i>DMZ Interface</i> will also be an ethernet adapter
(eth0, eth1 or eth2) and will be connected to a hub or switch. Your (eth0, eth1 or eth2) and will be connected to a hub or switch. Your
DMZ computers will be connected to the same switch (note: If you have DMZ computers will be connected to the same switch (note: If you have
only a single DMZ system, you can connect the firewall directly to the only a single DMZ system, you can connect the firewall directly to
computer using a <i>cross-over </i> cable).</p> the computer using a <i>cross-over </i> cable).</p>
<p align="left"><u><b> <img border="0" src="images/j0213519.gif" <p align="left"><u><b> <img border="0" src="images/j0213519.gif"
width="60" height="60"> width="60" height="60">
</b></u>Do not connect more than one interface to the same </b></u>Do not connect more than one interface to the same
hub or switch (even for testing). It won't work the way that you expect hub or switch (even for testing). It won't work the way that you
it to and you will end up confused and believing that Shorewall doesn't expect it to and you will end up confused and believing that Shorewall
work at all.</p> doesn't work at all.</p>
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13" <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13"> height="13">
    The Shorewall three-interface sample configuration assumes     The Shorewall three-interface sample configuration assumes
that the external interface is <b>eth0, </b>the local interface is that the external interface is <b>eth0, </b>the local interface is
<b>eth1 </b>and the DMZ interface is <b> eth2</b>. If your configuration <b>eth1 </b>and the DMZ interface is <b> eth2</b>. If your configuration
is different, you will have to modify the sample /etc/shorewall/interfaces is different, you will have to modify the sample /etc/shorewall/interfaces
file accordingly. While you are there, you may wish to review the list file accordingly. While you are there, you may wish to review the
of options that are specified for the interfaces. Some hints:</p> list of options that are specified for the interfaces. Some hints:</p>
<ul> <ul>
<li> <li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>, <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>,
you can replace the "detect" in the second column with "-". </p> you can replace the "detect" in the second column with "-".
</p>
</li> </li>
<li> <li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b> <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>
or if you have a static IP address, you can remove "dhcp" from the or if you have a static IP address, you can remove "dhcp" from
option list. </p> the option list. </p>
</li> </li>
</ul> </ul>
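Review bot: "If you connect using ISDN, you external interface will be ippp0" should read "your external interface"; the typo is carried unchanged through the reflow of this paragraph.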
@ -306,14 +308,14 @@ is different, you will have to modify the sample /etc/shorewall/interfaces
<p align="left">Before going further, we should say a few words about Internet <p align="left">Before going further, we should say a few words about Internet
Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you
a single <i> Public</i> IP address. This address may be assigned via a single <i> Public</i> IP address. This address may be assigned via
the<i> Dynamic Host Configuration Protocol</i> (DHCP) or as part of establishing the<i> Dynamic Host Configuration Protocol</i> (DHCP) or as part of
your connection when you dial in (standard modem) or establish your PPP establishing your connection when you dial in (standard modem) or establish
connection. In rare cases, your ISP may assign you a<i> static</i> IP your PPP connection. In rare cases, your ISP may assign you a<i> static</i>
address; that means that you configure your firewall's external interface IP address; that means that you configure your firewall's external interface
to use that address permanently.<i> </i>Regardless of how the address to use that address permanently.<i> </i>Regardless of how the address
is assigned, it will be shared by all of your systems when you access the is assigned, it will be shared by all of your systems when you access
Internet. You will have to assign your own addresses for your internal network the Internet. You will have to assign your own addresses for your internal
(the local and DMZ Interfaces on your firewall plus your other computers). network (the local and DMZ Interfaces on your firewall plus your other computers).
RFC 1918 reserves several <i>Private </i>IP address ranges for this purpose:</p> RFC 1918 reserves several <i>Private </i>IP address ranges for this purpose:</p>
<div align="left"> <div align="left">
@ -323,24 +325,24 @@ RFC 1918 reserves several <i>Private </i>IP address ranges for this purpose:</
<div align="left"> <div align="left">
<p align="left"><img border="0" src="images/BD21298_.gif" width="13" <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13"> height="13">
    Before starting Shorewall, you should look at the IP     Before starting Shorewall, you should look at the
address of your external interface and if it is one of the above IP address of your external interface and if it is one of the above
ranges, you should remove the 'norfc1918' option from the external ranges, you should remove the 'norfc1918' option from the external
interface's entry in /etc/shorewall/interfaces.</p> interface's entry in /etc/shorewall/interfaces.</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left">You will want to assign your local addresses from one <i> <p align="left">You will want to assign your local addresses from one <i>
sub-network </i>or <i>subnet</i> and your DMZ addresses from another sub-network </i>or <i>subnet</i> and your DMZ addresses from another
subnet. For our purposes, we can consider a subnet to consists of subnet. For our purposes, we can consider a subnet to consists of
a range of addresses x.y.z.0 - x.y.z.255. Such a subnet will have a a range of addresses x.y.z.0 - x.y.z.255. Such a subnet will have
<i>Subnet Mask </i>of 255.255.255.0. The address x.y.z.0 is reserved a <i>Subnet Mask </i>of 255.255.255.0. The address x.y.z.0 is reserved
as the <i>Subnet Address</i> and x.y.z.255 is reserved as the <i>Subnet as the <i>Subnet Address</i> and x.y.z.255 is reserved as the <i>Subnet
Broadcast</i> <i>Address</i>. In Shorewall, a subnet is described using <a Broadcast</i> <i>Address</i>. In Shorewall, a subnet is described using <a
href="shorewall_setup_guide.htm#Subnets"><i>Classless InterDomain Routing href="shorewall_setup_guide.htm#Subnets"><i>Classless InterDomain Routing
</i>(CIDR)</a> notation with consists of the subnet address followed </i>(CIDR)</a> notation with consists of the subnet address followed
by "/24". The "24" refers to the number of consecutive "1" bits from by "/24". The "24" refers to the number of consecutive "1" bits
the left of the subnet mask. </p> from the left of the subnet mask. </p>
</div> </div>
<div align="left"> <div align="left">
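Review bot: two grammar slips survive the reflow here: "we can consider a subnet to consists of a range of addresses" should be "to consist of", and "(CIDR) notation with consists of the subnet address followed by "/24"" should be "which consists of".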
@ -377,7 +379,7 @@ Broadcast</i> <i>Address</i>. In Shorewall, a subnet is described using
<div align="left"> <div align="left">
<p align="left">It is conventional to assign the internal interface either <p align="left">It is conventional to assign the internal interface either
the first usable address in the subnet (10.10.10.1 in the above the first usable address in the subnet (10.10.10.1 in the above
example) or the last usable address (10.10.10.254).</p> example) or the last usable address (10.10.10.254).</p>
</div> </div>
<div align="left"> <div align="left">
@ -390,18 +392,18 @@ example) or the last usable address (10.10.10.254).</p>
<div align="left"> <div align="left">
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13" <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13"> height="13">
    Your local computers (Local Computers 1 &amp; 2) should     Your local computers (Local Computers 1 &amp; 2)
be configured with their<i> default gateway</i> set to the IP address should be configured with their<i> default gateway</i> set to the
of the firewall's internal interface and your DMZ computers ( DMZ IP address of the firewall's internal interface and your DMZ computers
Computers 1 &amp; 2) should be configured with their default gateway ( DMZ Computers 1 &amp; 2) should be configured with their default
set to the IP address of the firewall's DMZ interface.   </p> gateway set to the IP address of the firewall's DMZ interface.   </p>
</div> </div>
<p align="left">The foregoing short discussion barely scratches the surface <p align="left">The foregoing short discussion barely scratches the surface
regarding subnetting and routing. If you are interested in learning regarding subnetting and routing. If you are interested in learning
more about IP addressing and routing, I highly recommend <i>"IP Fundamentals: more about IP addressing and routing, I highly recommend <i>"IP Fundamentals:
What Everyone Needs to Know about Addressing &amp; Routing",</i> Thomas What Everyone Needs to Know about Addressing &amp; Routing",</i>
A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p> Thomas A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
<p align="left">The remainder of this quide will assume that you have configured <p align="left">The remainder of this quide will assume that you have configured
your network as shown here:</p> your network as shown here:</p>
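Review bot: "The remainder of this quide will assume" should be "guide".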
@ -417,33 +419,33 @@ example) or the last usable address (10.10.10.254).</p>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13" <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13" alt=""> height="13" alt="">
    <font color="#ff0000"><b>WARNING: </b></font><b>Your ISP  might assign     <font color="#ff0000"><b>WARNING: </b></font><b>Your ISP  might assign
your external interface an RFC 1918 address. If that address is in the 10.10.10.0/24 your external interface an RFC 1918 address. If that address is in the
subnet then you will need to select a DIFFERENT RFC 1918 subnet for your 10.10.10.0/24 subnet then you will need to select a DIFFERENT RFC 1918
local network and if it is in the 10.10.11.0/24 subnet then you will need subnet for your local network and if it is in the 10.10.11.0/24 subnet then
to select a different RFC 1918 subnet for your DMZ.</b><br> you will need to select a different RFC 1918 subnet for your DMZ.</b><br>
</p> </p>
<p align="left">IP Masquerading (SNAT)</p> <p align="left">IP Masquerading (SNAT)</p>
<p align="left">The addresses reserved by RFC 1918 are sometimes referred <p align="left">The addresses reserved by RFC 1918 are sometimes referred
to as <i>non-routable</i> because the Internet backbone routers don't to as <i>non-routable</i> because the Internet backbone routers don't
forward packets which have an RFC-1918 destination address. When one forward packets which have an RFC-1918 destination address. When
of your local systems (let's assume local computer 1) sends a connection one of your local systems (let's assume local computer 1) sends a
request to an internet host, the firewall must perform <i>Network Address connection request to an internet host, the firewall must perform
Translation </i>(NAT). The firewall rewrites the source address in the <i>Network Address Translation </i>(NAT). The firewall rewrites the
packet to be the address of the firewall's external interface; in other source address in the packet to be the address of the firewall's external
words, the firewall makes it look as if the firewall itself is initiating interface; in other words, the firewall makes it look as if the firewall
the connection.  This is necessary so that the destination host will itself is initiating the connection.  This is necessary so that the
be able to route return packets back to the firewall (remember that destination host will be able to route return packets back to the firewall
packets whose destination address is reserved by RFC 1918 can't be routed (remember that packets whose destination address is reserved by RFC
accross the internet). When the firewall receives a return packet, it 1918 can't be routed accross the internet). When the firewall receives
rewrites the destination address back to 10.10.10.1 and forwards the a return packet, it rewrites the destination address back to 10.10.10.1
packet on to local computer 1. </p> and forwards the packet on to local computer 1. </p>
<p align="left">On Linux systems, the above process is often referred to as<i> <p align="left">On Linux systems, the above process is often referred to
IP Masquerading</i> and you will also see the term <i>Source Network Address as<i> IP Masquerading</i> and you will also see the term <i>Source Network
Translation </i>(SNAT) used. Shorewall follows the convention used with Address Translation </i>(SNAT) used. Shorewall follows the convention used
Netfilter:</p> with Netfilter:</p>
<ul> <ul>
<li> <li>
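Review bot: check the address in "it rewrites the destination address back to 10.10.10.1 and forwards the packet on to local computer 1" against the network diagram: the earlier paragraph gives 10.10.10.1 as the conventional address of the firewall's internal interface, and if that convention is followed in the example, local computer 1 must have a different address or the return packet is described as being delivered to the firewall itself. Two smaller points in the same hunk: "accross the internet" should be "across", and "IP Masquerading (SNAT)" is marked up as a plain `<p>` where the other section titles ("Network Interfaces", "Domain Name Server (DNS)") use `<h2 align="left">`.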
@ -465,24 +467,24 @@ packet on to local computer 1. </p>
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13" <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13"> height="13">
    If your external firewall interface is <b>eth0</b>, your     If your external firewall interface is <b>eth0</b>, your
local interface <b>eth1 </b>and your DMZ interface is <b>eth2</b> then local interface <b>eth1 </b>and your DMZ interface is <b>eth2</b>
you do not need to modify the file provided with the sample. Otherwise, then you do not need to modify the file provided with the sample. Otherwise,
edit /etc/shorewall/masq and change it to match your configuration.</p> edit /etc/shorewall/masq and change it to match your configuration.</p>
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13" <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13"> height="13">
    If your external IP is static, you can enter it in the     If your external IP is static, you can enter it in the
third column in the /etc/shorewall/masq entry if you like although third column in the /etc/shorewall/masq entry if you like although
your firewall will work fine if you leave that column empty. Entering your firewall will work fine if you leave that column empty. Entering
your static IP in column 3 makes <br> your static IP in column 3 makes <br>
processing outgoing packets a little more efficient.<br> processing outgoing packets a little more efficient.<br>
</p> </p>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13" <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13" alt=""> height="13" alt="">
    If you are using the Debian package, please check your shorewall.conf     If you are using the Debian package, please check your shorewall.conf
file to ensure that the following are set correctly; if they are not, change file to ensure that the following are set correctly; if they are not,
them appropriately:<br> change them appropriately:<br>
</p> </p>
<ul> <ul>
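Review bot: the `<br>` in "Entering your static IP in column 3 makes <br> processing outgoing packets a little more efficient" splits a sentence mid-clause and renders as a stray line break; remove it so the sentence reads as one line.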
@ -496,12 +498,12 @@ your static IP in column 3 makes <br>
<p align="left">One of your goals will be to run one or more servers on your <p align="left">One of your goals will be to run one or more servers on your
DMZ computers. Because these computers have RFC-1918 addresses, it DMZ computers. Because these computers have RFC-1918 addresses, it
is not possible for clients on the internet to connect directly to them. is not possible for clients on the internet to connect directly to
It is rather necessary for those clients to address their connection them. It is rather necessary for those clients to address their connection
requests to your firewall who rewrites the destination address to the requests to your firewall who rewrites the destination address to the
address of your server and forwards the packet to that server. When your address of your server and forwards the packet to that server. When
server responds, the firewall automatically performs SNAT to rewrite your server responds, the firewall automatically performs SNAT to
the source address in the response.</p> rewrite the source address in the response.</p>
<p align="left">The above process is called<i> Port Forwarding</i> or <i> <p align="left">The above process is called<i> Port Forwarding</i> or <i>
Destination Network Address Translation</i> (DNAT). You configure Destination Network Address Translation</i> (DNAT). You configure
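Review bot: "address their connection requests to your firewall who rewrites the destination address" should be "which rewrites"; the relative pronoun refers to the firewall, not a person.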
@ -538,8 +540,8 @@ port forwarding using DNAT rules in the /etc/shorewall/rules file.</p>
</table> </table>
</blockquote> </blockquote>
<p>If you don't specify the <i>&lt;server port&gt;</i>, it is assumed to be <p>If you don't specify the <i>&lt;server port&gt;</i>, it is assumed to
the same as <i>&lt;port&gt;</i>.</p> be the same as <i>&lt;port&gt;</i>.</p>
<p>Example - you run a Web Server on DMZ 2 and you want to forward incoming <p>Example - you run a Web Server on DMZ 2 and you want to forward incoming
TCP port 80 to that system:</p> TCP port 80 to that system:</p>
@ -586,7 +588,7 @@ the same as <i>&lt;port&gt;</i>.</p>
<li>When you are connecting to your server from your local <li>When you are connecting to your server from your local
systems, you must use the server's internal IP address (10.10.11.2).</li> systems, you must use the server's internal IP address (10.10.11.2).</li>
<li>Many ISPs block incoming connection requests to port <li>Many ISPs block incoming connection requests to port
80. If you have problems connecting to your web server, try the 80. If you have problems connecting to your web server, try the
following rule and try connecting to port 5000 (e.g., connect to <a following rule and try connecting to port 5000 (e.g., connect to <a
href="http://w.x.y.z:5000"> http://w.x.y.z:5000</a> where w.x.y.z is your href="http://w.x.y.z:5000"> http://w.x.y.z:5000</a> where w.x.y.z is your
external IP).</li> external IP).</li>
@ -621,8 +623,8 @@ following rule and try connecting to port 5000 (e.g., connect to <a
</blockquote> </blockquote>
<p>If you want to be able to access your server from the local network using <p>If you want to be able to access your server from the local network using
your external address, then if you have a static external IP you can your external address, then if you have a static external IP you
replace the loc-&gt;dmz rule above with:</p> can replace the loc-&gt;dmz rule above with:</p>
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -693,20 +695,20 @@ following rule and try connecting to port 5000 (e.g., connect to <a
</blockquote> </blockquote>
<p>If you want to access your server from the DMZ using your external IP <p>If you want to access your server from the DMZ using your external IP
address, see <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p> address, see <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p>
<p><img border="0" src="images/BD21298_2.gif" width="13" height="13"> <p><img border="0" src="images/BD21298_2.gif" width="13" height="13">
    At this point, add the DNAT and ACCEPT rules for your     At this point, add the DNAT and ACCEPT rules for your
servers. </p> servers. </p>
<h2 align="left">Domain Name Server (DNS)</h2> <h2 align="left">Domain Name Server (DNS)</h2>
<p align="left">Normally, when you connect to your ISP, as part of getting <p align="left">Normally, when you connect to your ISP, as part of getting
an IP address your firewall's <i>Domain Name Service </i>(DNS) resolver an IP address your firewall's <i>Domain Name Service </i>(DNS) resolver
will be automatically configured (e.g., the /etc/resolv.conf file will will be automatically configured (e.g., the /etc/resolv.conf file
be written). Alternatively, your ISP may have given you the IP address will be written). Alternatively, your ISP may have given you the IP
of a pair of DNS <i> name servers</i> for you to manually configure as address of a pair of DNS <i> name servers</i> for you to manually configure
your primary and secondary name servers. It is <u>your</u> responsibility as your primary and secondary name servers. It is <u>your</u> responsibility
to configure the resolver in your internal systems. You can take one to configure the resolver in your internal systems. You can take one
of two approaches:</p> of two approaches:</p>
@ -717,23 +719,23 @@ servers. </p>
or if those addresses are available on their web site, you can configure or if those addresses are available on their web site, you can configure
your internal systems to use those addresses. If that information your internal systems to use those addresses. If that information
isn't available, look in /etc/resolv.conf on your firewall system isn't available, look in /etc/resolv.conf on your firewall system
-- the name servers are given in "nameserver" records in that file. -- the name servers are given in "nameserver" records in that file.
</p> </p>
</li> </li>
<li> <li>
<p align="left"><img border="0" src="images/BD21298_2.gif" <p align="left"><img border="0" src="images/BD21298_2.gif"
width="13" height="13"> width="13" height="13">
    You can configure a<i> Caching Name Server </i>on your     You can configure a<i> Caching Name Server </i>on your
firewall or in your DMZ.<i> </i>Red Hat has an RPM for a caching name firewall or in your DMZ.<i> </i>Red Hat has an RPM for a caching
server (which also requires the 'bind' RPM) and for Bering users, name server (which also requires the 'bind' RPM) and for Bering
there is dnscache.lrp. If you take this approach, you configure your users, there is dnscache.lrp. If you take this approach, you configure
internal systems to use the caching name server as their primary (and your internal systems to use the caching name server as their primary
only) name server. You use the internal IP address of the firewall (10.10.10.254 (and only) name server. You use the internal IP address of the firewall
in the example above) for the name server address if you choose to (10.10.10.254 in the example above) for the name server address if
run the name server on your firewall. To allow your local systems to you choose to run the name server on your firewall. To allow your local
talk to your caching name server, you must open port 53 (both UDP systems to talk to your caching name server, you must open port 53
and TCP) from the local network to the server; you do that by adding (both UDP and TCP) from the local network to the server; you do that
the rules in /etc/shorewall/rules. </p> by adding the rules in /etc/shorewall/rules. </p>
</li> </li>
</ul> </ul>
@ -900,8 +902,8 @@ the rules in /etc/shorewall/rules. </p>
<div align="left"> <div align="left">
<p align="left">Those rules allow DNS access from your firewall and may be <p align="left">Those rules allow DNS access from your firewall and may be
removed if you commented out the line in /etc/shorewall/policy allowing removed if you commented out the line in /etc/shorewall/policy
all connections from the firewall to the internet.</p> allowing all connections from the firewall to the internet.</p>
</div> </div>
<div align="left"> <div align="left">
@ -1041,8 +1043,8 @@ uses, look <a href="ports.htm">here</a>.</p>
<div align="left"> <div align="left">
<p align="left"><b>Important: </b>I don't recommend enabling telnet to/from <p align="left"><b>Important: </b>I don't recommend enabling telnet to/from
the internet because it uses clear text (even for login!). If you the internet because it uses clear text (even for login!). If
want shell access to your firewall from the internet, use SSH:</p> you want shell access to your firewall from the internet, use SSH:</p>
</div> </div>
<div align="left"> <div align="left">
@ -1080,7 +1082,7 @@ uses, look <a href="ports.htm">here</a>.</p>
<p align="left"><img src="images/leaflogo.gif" alt="(LEAF Logo)" <p align="left"><img src="images/leaflogo.gif" alt="(LEAF Logo)"
width="49" height="36"> width="49" height="36">
    Bering users will want to add the following two rules to be compatible     Bering users will want to add the following two rules to be compatible
with Jacques's Shorewall configuration.<br> with Jacques's Shorewall configuration.<br>
</p> </p>
<div align="left"> <div align="left">
@ -1140,7 +1142,7 @@ with Jacques's Shorewall configuration.<br>
<p align="left"> <img border="0" src="images/BD21298_2.gif" <p align="left"> <img border="0" src="images/BD21298_2.gif"
width="13" height="13" alt="Arrow"> width="13" height="13" alt="Arrow">
    The <a href="Install.htm">installation procedure </a>     The <a href="Install.htm">installation procedure </a>
configures your system to start Shorewall at system boot  but beginning configures your system to start Shorewall at system boot  but beginning
with Shorewall version 1.3.9 startup is disabled so that your system with Shorewall version 1.3.9 startup is disabled so that your system
won't try to start Shorewall before configuration is complete. Once you won't try to start Shorewall before configuration is complete. Once you
have completed configuration of your firewall, you can enable Shorewall have completed configuration of your firewall, you can enable Shorewall
@ -1159,8 +1161,8 @@ startup by removing the file /etc/shorewall/startup_disabled.<br>
routing is enabled on those hosts that have an entry in <a routing is enabled on those hosts that have an entry in <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A
running firewall may be restarted using the "shorewall restart" running firewall may be restarted using the "shorewall restart"
command. If you want to totally remove any trace of Shorewall from command. If you want to totally remove any trace of Shorewall from
your Netfilter configuration, use "shorewall clear".</p> your Netfilter configuration, use "shorewall clear".</p>
</div> </div>
<div align="left"> <div align="left">
@ -1169,8 +1171,8 @@ your Netfilter configuration, use "shorewall clear".</p>
    The three-interface sample assumes that you want to enable     The three-interface sample assumes that you want to enable
routing to/from <b>eth1 (</b>your local network) and<b> eth2 </b>(DMZ) routing to/from <b>eth1 (</b>your local network) and<b> eth2 </b>(DMZ)
when Shorewall is stopped. If these two interfaces don't connect when Shorewall is stopped. If these two interfaces don't connect
to your local network and DMZ or if you want to enable a different to your local network and DMZ or if you want to enable a different
set of hosts, modify /etc/shorewall/routestopped accordingly.</p> set of hosts, modify /etc/shorewall/routestopped accordingly.</p>
</div> </div>
<div align="left"> <div align="left">
@ -1178,9 +1180,9 @@ set of hosts, modify /etc/shorewall/routestopped accordingly.</p>
the internet, do not issue a "shorewall stop" command unless you the internet, do not issue a "shorewall stop" command unless you
have added an entry for the IP address that you are connected from have added an entry for the IP address that you are connected from
to <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. to <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better to create Also, I don't recommend using "shorewall restart"; it is better to
an <i><a href="configuration_file_basics.htm#Configs">alternate configuration</a></i> create an <i><a href="configuration_file_basics.htm#Configs">alternate
and test it using the <a configuration</a></i> and test it using the <a
href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p> href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p>
</div> </div>
@ -1205,5 +1207,6 @@ set of hosts, modify /etc/shorewall/routestopped accordingly.</p>
<br> <br>
<br> <br>
<br> <br>
<br>
</body> </body>
</html> </html>
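Review bot: The only change in this hunk is one extra trailing `<br>` before `</body>`, which adds blank space at the bottom of the page and nothing else; it reads as editor noise rather than an intended edit, so drop it unless the extra blank line is wanted.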

View File

@ -32,31 +32,31 @@
<p align="left"><small><i><u>Notes du traducteur</u> :<br> <p align="left"><small><i><u>Notes du traducteur</u> :<br>
Je ne prétends pas être un vrai traducteur dans le sens ou mon travail Je ne prétends pas être un vrai traducteur dans le sens ou mon travail
n?est pas des plus précis (loin de là...). Je ne me suis pas attaché à une n?est pas des plus précis (loin de là...). Je ne me suis pas attaché à une
traduction exacte du texte, mais plutôt à en faire une version française traduction exacte du texte, mais plutôt à en faire une version française intelligible
intelligible par tous (et par moi). Les termes techniques sont la plupart par tous (et par moi). Les termes techniques sont la plupart du temps conservés
du temps conservés sous leur forme originale et mis entre parenthèses car sous leur forme originale et mis entre parenthèses car vous pouvez les retrouver
vous pouvez les retrouver dans le reste des documentations ainsi que dans dans le reste des documentations ainsi que dans les fichiers de configuration.
les fichiers de configuration. N?hésitez pas à me contacter afin d?améliorer N?hésitez pas à me contacter afin d?améliorer ce document <a
ce document <a href="mailto:vetsel.patrice@wanadoo.fr">VETSEL Patrice</a> href="mailto:vetsel.patrice@wanadoo.fr">VETSEL Patrice</a> (merci à JMM
(merci à JMM pour sa relecture et ses commentaires pertinents, ainsi qu'à pour sa relecture et ses commentaires pertinents, ainsi qu'à Tom EASTEP pour
Tom EASTEP pour son formidable outil et sa disponibilité).</i></small></p> son formidable outil et sa disponibilité).</i></small></p>
<p align="left"><br> <p align="left"><br>
Mettre en place un système linux en tant que firewall pour un petit réseau Mettre en place un système linux en tant que firewall pour un petit réseau
contenant une DMZ est une chose assez simple à réaliser si vous comprenez contenant une DMZ est une chose assez simple à réaliser si vous comprenez
les bases et suivez cette documentation.</p> les bases et suivez cette documentation.</p>
<p>Ce guide ne prétend pas vous mettre au courant de toutes les possibilités <p>Ce guide ne prétend pas vous mettre au courant de toutes les possibilités
de Shorewall. Il se focalise sur les besoins pour configurer Shorewall dans de Shorewall. Il se focalise sur les besoins pour configurer Shorewall dans
une de ses utilisations les plus populaire :</p> une de ses utilisations les plus populaire :</p>
<ul> <ul>
<li>Un système Linux utilisé en tant que firewall/routeur pour un petit <li>Un système Linux utilisé en tant que firewall/routeur pour un petit
réseau local.</li> réseau local.</li>
<li>Une seule adresse IP publique.</li> <li>Une seule adresse IP publique.</li>
<li>Une DMZ connectée sur une interface Ethernet séparée.</li> <li>Une DMZ connectée sur une interface Ethernet séparée.</li>
<li>Une connexion passant par l'ADSL, un Modem Câble, ISDN, Frame Relay, <li>Une connexion passant par l'ADSL, un Modem Câble, ISDN, Frame Relay,
RTC, ...</li> RTC, ...</li>
</ul> </ul>
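Review bot: The translator's note in this hunk still carries mis-encoded apostrophes ("n?est", "N?hésitez") on both sides of the diff; since the paragraph is being rewrapped anyway, this is the place to replace them with plain ASCII apostrophes ("n'est", "N'hésitez") so they render correctly regardless of the page's charset.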
@ -66,33 +66,33 @@ RTC, ...</li>
height="635"> height="635">
</p> </p>
<p>Ce guide suppose que vous avez le paquet iproute/iproute2 d'installé. Vous <p>Ce guide suppose que vous avez le paquet iproute/iproute2 d'installé.
pouvez voir si le paquet est installé en vérifiant la présence du programme Vous pouvez voir si le paquet est installé en vérifiant la présence du programme
ip sur votre système de firewall. Sous root, utilisez la commande 'which' ip sur votre système de firewall. Sous root, utilisez la commande 'which'
pour rechercher le programme :</p> pour rechercher le programme :</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre> <pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
<p>Je vous recommande dans un premier temps de parcourir tout le guide pour <p>Je vous recommande dans un premier temps de parcourir tout le guide pour
vous familiariser avec ce qu'il va se passer, et de revenir au début en effectuant vous familiariser avec ce qu'il va se passer, et de revenir au début en
le changements dans votre configuration. Les points où, les changements dans effectuant le changements dans votre configuration. Les points où, les changements
la configuration sont recommandées, sont signalés par une <img dans la configuration sont recommandées, sont signalés par une <img
border="0" src="images/BD21298_.gif" width="13" height="13"> border="0" src="images/BD21298_.gif" width="13" height="13">
</p> </p>
<p><img border="0" src="images/j0213519.gif" width="60" height="60"> <p><img border="0" src="images/j0213519.gif" width="60" height="60">
Si vous éditez vos fichiers de configuration sur un système Windows, vous Si vous éditez vos fichiers de configuration sur un système Windows, vous
devez les sauver comme des fichiers Unix si votre éditeur offre cette option devez les sauver comme des fichiers Unix si votre éditeur offre cette option
sinon vous devez les faire passer par dos2unix avant d'essayer de les utiliser. sinon vous devez les faire passer par dos2unix avant d'essayer de les utiliser.
De la même manière, si vous copiez un fichier de configuration depuis votre De la même manière, si vous copiez un fichier de configuration depuis votre
disque dur Windows vers une disquette, vous devez lancer dos2unix sur la copie disque dur Windows vers une disquette, vous devez lancer dos2unix sur la
avant de l'utiliser avec Shorewall.</p> copie avant de l'utiliser avec Shorewall.</p>
<ul> <ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
of dos2unix</a></li> of dos2unix</a></li>
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version <li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
of dos2unix</a></li> Version of dos2unix</a></li>
</ul> </ul>
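Review bot: The reflowed paragraph keeps the existing typo "effectuant le changements dans votre configuration"; it should read "les changements", and the following clause "les changements dans la configuration sont recommandées" should agree as "recommandés". Worth fixing while the lines are being touched.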
@ -102,22 +102,22 @@ of dos2unix</a></li>
alt=""> alt="">
Les fichiers de configuration pour Shorewall sont situés dans le répertoire Les fichiers de configuration pour Shorewall sont situés dans le répertoire
/etc/shorewall -- pour de simples paramétrages, vous n'avez à faire qu'avec /etc/shorewall -- pour de simples paramétrages, vous n'avez à faire qu'avec
quelques un d'entre eux comme décris dans ce guide. Après avoir <a quelques un d'entre eux comme décris dans ce guide. Après avoir <a
href="Install.htm">installé Shorewall</a>, <b>téléchargez la configuration href="Install.htm">installé Shorewall</a>, <b>téléchargez la configuration
d'exemple <a d'exemple <a href="http://www1.shorewall.net/pub/shorewall/Samples/">three-interface
href="http://france.shorewall.net/pub/shorewall/LATEST.samples/three-interfaces.tgz">three-interface sample</a>, un-tarez la (tar -zxvf three-interfaces.tgz) </b><b>et copiez
sample</a>, un-tarez la (tar -zxvf three-interfaces.tgz) </b><b>et copiez les fichiers vers /etc/shorewall (Ils remplaceront les fichiers de même
les fichiers vers /etc/shorewall (Ils remplaceront les fichiers de même nom nom déjà existant dans /etc/shorewall installés lors de l'installation de
déjà existant dans /etc/shorewall installés lors de l'installation de Shorewall)</b>.</p> Shorewall)</b>.</p>
<p>En même temps que chacun des fichiers est présenté, je vous suggère de <p>En même temps que chacun des fichiers est présenté, je vous suggère de
jeter un oeil à ceux qui se trouvent réellement sur votre système -- chacun jeter un oeil à ceux qui se trouvent réellement sur votre système -- chacun
des fichiers contient des instructions de configuration détaillées et des des fichiers contient des instructions de configuration détaillées et des
entrées par défaut.</p> entrées par défaut.</p>
<p>Shorewall voit le réseau où il tourne comme composé par un ensemble de <p>Shorewall voit le réseau où il tourne comme composé par un ensemble de
<i>zones.</i> Dans les fichiers de configuration fournis pour trois interfaces, <i>zones.</i> Dans les fichiers de configuration fournis pour trois interfaces,
trois zones sont définies :</p> trois zones sont définies :</p>
<table border="0" style="border-collapse: collapse;" cellpadding="3" <table border="0" style="border-collapse: collapse;" cellpadding="3"
cellspacing="0" id="AutoNumber2"> cellspacing="0" id="AutoNumber2">
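Review bot: The sample download link changes from a direct tarball URL (http://france.shorewall.net/pub/shorewall/LATEST.samples/three-interfaces.tgz) to a directory listing (http://www1.shorewall.net/pub/shorewall/Samples/), but the sentence still instructs the reader to run "tar -zxvf three-interfaces.tgz"; either link the tarball itself or say that three-interfaces.tgz has to be picked out of that listing. Also confirm that replacing the france.shorewall.net mirror is intended here, since this is the French translation and the other translated pages may still point at that host.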
@ -144,30 +144,31 @@ trois zones sont d
<p>Les noms de zone sont définis dans <a href="Documentation.htm#Zones">/etc/shorewall/zones</a>.</p> <p>Les noms de zone sont définis dans <a href="Documentation.htm#Zones">/etc/shorewall/zones</a>.</p>
<p>Shorewall reconnaît aussi le système de firewall comme sa propre zone - <p>Shorewall reconnaît aussi le système de firewall comme sa propre zone
par défaut, le firewall lui même est connu en tant que <b>fw</b>.</p> - par défaut, le firewall lui même est connu en tant que <b>fw</b>.</p>
<p>Les règles concernant le trafic à autoriser ou à interdire sont exprimées <p>Les règles concernant le trafic à autoriser ou à interdire sont exprimées
en utilisant les termes de zones.</p> en utilisant les termes de zones.</p>
<ul> <ul>
<li>Vous exprimez les politiques par défaut pour les connexions d'une <li>Vous exprimez les politiques par défaut pour les connexions d'une
zone à une autre dans le fichier<a href="Documentation.htm#Policy"> /etc/shorewall/policy zone à une autre dans le fichier<a href="Documentation.htm#Policy"> /etc/shorewall/policy
</a>.</li> </a>.</li>
<li>Vous définissez les exceptions à ces règles de politiques par défaut <li>Vous définissez les exceptions à ces règles de politiques par défaut
dans le fichier <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li> dans le fichier <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
</ul> </ul>
<p>Pour chacune des demandes de connexion entrantes dans le firewall, les <p>Pour chacune des demandes de connexion entrantes dans le firewall, les
demandes sont en premier lieu comparées par rapport au fichier /etc/shorewall/rules. demandes sont en premier lieu comparées par rapport au fichier /etc/shorewall/rules.
Si aucune des règles dans ce fichier ne correspondent, alors la première politique Si aucune des règles dans ce fichier ne correspondent, alors la première
dans /etc/shorewall/policy qui y correspond est appliquée. Si cette politique politique dans /etc/shorewall/policy qui y correspond est appliquée. Si cette
est REJECT ou DROP la requête est alors comparée par rapport aux règles contenues politique est REJECT ou DROP la requête est alors comparée par rapport aux
dans /etc/shorewall/common (l'archive d'exemple vous fournit ce fichier).</p> règles contenues dans /etc/shorewall/common (l'archive d'exemple vous fournit
ce fichier).</p>
<p>Le fichier /etc/shorewall/policy d'exemple contenu dans l'archive three-interface <p>Le fichier /etc/shorewall/policy d'exemple contenu dans l'archive three-interface
sample a les politiques suivantes :</p> sample a les politiques suivantes :</p>
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -212,8 +213,8 @@ sample a les politiques suivantes :</p>
<blockquote> <blockquote>
<p>Dans l'archive three-interface, la ligne suivante est existante mais <p>Dans l'archive three-interface, la ligne suivante est existante mais
elle est commentée. Si vous souhaitez que votre système de firewall puisse elle est commentée. Si vous souhaitez que votre système de firewall puisse
avoir un accès complet aux serveurs sur Internet, décommentez la.</p> avoir un accès complet aux serveurs sur Internet, décommentez la.</p>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber3"> id="AutoNumber3">
@ -253,7 +254,7 @@ votre firewall et vers Internet (si vous decommentez la politique pr
<p><img border="0" src="images/BD21298_1.gif" width="13" height="13"> <p><img border="0" src="images/BD21298_1.gif" width="13" height="13">
A ce point, éditez votre /etc/shorewall/policy et faites y les changements A ce point, éditez votre /etc/shorewall/policy et faites y les changements
que vous désire</p> que vous désire</p>
<h2 align="left">Les Interfaces Réseau</h2> <h2 align="left">Les Interfaces Réseau</h2>
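Review bot: No text actually changes in this hunk, yet it leaves the sentence "faites y les changements que vous désire" unfinished: it should end "que vous désirez." with the hyphenated "faites-y" and a closing period, as the English original does.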
@ -262,56 +263,56 @@ que vous d
</p> </p>
<p align="left">Le firewall a trois interfaces de réseau. Lorsque la connexion <p align="left">Le firewall a trois interfaces de réseau. Lorsque la connexion
Internet passe par le câble ou par un ROUTEUR (pas un simple modem) ADSL (non Internet passe par le câble ou par un ROUTEUR (pas un simple modem) ADSL
USB), l'interface vers l'extérieur (External Interface) sera l'adaptateur (non USB), l'interface vers l'extérieur (External Interface) sera l'adaptateur
sur lequel est connecté le routeur (e.g., eth0) à moins que vous ne vous sur lequel est connecté le routeur (e.g., eth0) à moins que vous ne vous
connectiez par Point-to-PointProtocol overEthernet (PPPoE) ou par Point-to-PointTunneling connectiez par Point-to-PointProtocol overEthernet (PPPoE) ou par Point-to-PointTunneling
Protocol (PPTP), dans ce cas l'interface extérieure sera une interface de Protocol (PPTP), dans ce cas l'interface extérieure sera une interface de
type ppp (e.g., ppp0). Si vous vous connectez par un simple modem (RTC), votre type ppp (e.g., ppp0). Si vous vous connectez par un simple modem (RTC),
interface extérieure sera aussi ppp0. Si votre connexion passe par Numéris votre interface extérieure sera aussi ppp0. Si votre connexion passe par
(ISDN), votre interface extérieure sera ippp0<b>.</b></p> Numéris (ISDN), votre interface extérieure sera ippp0<b>.</b></p>
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13" <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13"> height="13">
Si votre interface vers l'extérieur est ppp0 ou ippp0 alors vous mettrez Si votre interface vers l'extérieur est ppp0 ou ippp0 alors vous mettrez
CLAMPMSS=yes dans <a href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf.</a></p> CLAMPMSS=yes dans <a href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf.</a></p>
<p align="left">Votre <i>Interface locale</i> sera un adaptateur Ethernet <p align="left">Votre <i>Interface locale</i> sera un adaptateur Ethernet
(eth0, eth1 ou eth2) et sera connecté à un hub ou un switch. Vos ordinateurs (eth0, eth1 ou eth2) et sera connecté à un hub ou un switch. Vos ordinateurs
locaux seront connectés à ce même switch (note : si vous n'avez qu'un seul locaux seront connectés à ce même switch (note : si vous n'avez qu'un seul
ordinateur en local, vous pouvez le connecter directement au firewall par ordinateur en local, vous pouvez le connecter directement au firewall par
un <i>câble croisé</i>).</p> un <i>câble croisé</i>).</p>
<p align="left">Votre <i>interface DMZ</i> sera aussi un adaptateur Ethernet <p align="left">Votre <i>interface DMZ</i> sera aussi un adaptateur Ethernet
(eth0, eth1 ou eth2) et sera connecté à un hub ou un switch. Vos ordinateurs (eth0, eth1 ou eth2) et sera connecté à un hub ou un switch. Vos ordinateurs
appartenant à la DMZ seront connectés à ce même switch (note : si vous n'avez appartenant à la DMZ seront connectés à ce même switch (note : si vous
qu'un seul ordinateur dans la DMZ, vous pouvez le connecter directement au n'avez qu'un seul ordinateur dans la DMZ, vous pouvez le connecter directement
firewall par un <i>câble croisé</i>).</p> au firewall par un <i>câble croisé</i>).</p>
<p align="left"><u><b> <img border="0" src="images/j0213519.gif" <p align="left"><u><b> <img border="0" src="images/j0213519.gif"
width="60" height="60"> width="60" height="60">
</b></u> Ne connectez pas l'interface interne et externe sur le même hub </b></u> Ne connectez pas l'interface interne et externe sur le même hub
ou switch (même pour tester). Cela ne fonctionnera pas et ne croyez pas que ou switch (même pour tester). Cela ne fonctionnera pas et ne croyez pas
ce soit shorewall qui ne marche pas.</p> que ce soit shorewall qui ne marche pas.</p>
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13" <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13"> height="13">
L'exemple de configuration de Shorewall pour trois interfaces suppose que L'exemple de configuration de Shorewall pour trois interfaces suppose
l'interface externe est <b>eth0, </b>l'interface locale est <b>eth1 </b> et que l'interface externe est <b>eth0, </b>l'interface locale est <b>eth1
que la DMZ est sur l'interface <b>eth2</b>. Si votre configuration diffère, </b> et que la DMZ est sur l'interface <b>eth2</b>. Si votre configuration
vous devrez modifier le fichier d'exemple /etc/shorewall/interfaces en conséquence. diffère, vous devrez modifier le fichier d'exemple /etc/shorewall/interfaces
Tant que vous y êtes, vous pourriez parcourir la liste des options qui sont en conséquence. Tant que vous y êtes, vous pourriez parcourir la liste des
spécifiées pour les interfaces. Quelques trucs :</p> options qui sont spécifiées pour les interfaces. Quelques trucs :</p>
<ul> <ul>
<li> <li>
<p align="left">Si votre interface externe est ppp0 ou ippp0, vous pouvez <p align="left">Si votre interface externe est ppp0 ou ippp0, vous pouvez
remplacer le "detect" dans la seconde colonne par un "-". </p> remplacer le "detect" dans la seconde colonne par un "-". </p>
</li> </li>
<li> <li>
<p align="left">Si votre interface externe est ppp0 ou ippp0 ou bien si <p align="left">Si votre interface externe est ppp0 ou ippp0 ou bien
vous avez une adresse IP statique, vous pouvez enlever le "dhcp" de la liste si vous avez une adresse IP statique, vous pouvez enlever le "dhcp" de la
d'option. </p> liste d'option. </p>
</li> </li>
</ul> </ul>
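Review bot: The rewrapped paragraph preserves the run-together protocol names "Point-to-PointProtocol overEthernet (PPPoE)" and "Point-to-PointTunneling Protocol (PPTP)"; since these lines are in the diff anyway, insert the missing spaces ("Point-to-Point Protocol over Ethernet", "Point-to-Point Tunneling Protocol") so the expansions match the acronyms.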
@ -319,18 +320,19 @@ d'option. </p>
<h2 align="left">Adresses IP</h2> <h2 align="left">Adresses IP</h2>
<p align="left">Avant d'aller plus loin, nous devons dire quelques mots au <p align="left">Avant d'aller plus loin, nous devons dire quelques mots au
sujet du Protocole d'adresse Internet (IP). Normalement, votre fournisseur sujet du Protocole d'adresse Internet (IP). Normalement, votre fournisseur
Internet (ISP) vous assignera une seule adresse IP (single Public IP address). Internet (ISP) vous assignera une seule adresse IP (single Public IP address).
Cette adresse peut être assignée par le Dynamic Host Configuration Protocol Cette adresse peut être assignée par le Dynamic Host Configuration Protocol
(DHCP) ou lors de l'établissement de votre connexion lorsque vous vous connectez (DHCP) ou lors de l'établissement de votre connexion lorsque vous vous connectez
(modem standard) ou établissez votre connexion PPP. Dans de rares cas , votre (modem standard) ou établissez votre connexion PPP. Dans de rares cas ,
provider peu vous assigner une adresse statique (staticIP address); cela signifie votre provider peu vous assigner une adresse statique (staticIP address);
que vous configurez votre interface externe sur votre firewall afin d'utiliser cela signifie que vous configurez votre interface externe sur votre firewall
cette adresse de manière permanente. Une fois votre adresse externe assignée, afin d'utiliser cette adresse de manière permanente. Une fois votre adresse
elle va être partagée par tout vos systèmes lors de l'accès à Internet. Vous externe assignée, elle va être partagée par tout vos systèmes lors de l'accès
devrez assigner vos propres adresses à votre réseau local (votre interface à Internet. Vous devrez assigner vos propres adresses à votre réseau local
interne sur le firewall ainsi que les autres ordinateurs). La RFC 1918 réserve (votre interface interne sur le firewall ainsi que les autres ordinateurs).
plusieurs plages d'IP (Private IP address ranges) à cette fin :</p> La RFC 1918 réserve plusieurs plages d'IP (Private IP address ranges) à
cette fin :</p>
<div align="left"> <div align="left">
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre> <pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
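Review bot: This reflow carries over "Dans de rares cas , votre provider peu vous assigner une adresse statique (staticIP address)"; it should read "cas, votre provider peut vous assigner" and "static IP address". These are the kind of one-word fixes that are cheap to make while the paragraph is already being rewritten.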
@ -340,23 +342,23 @@ plusieurs plages d'IP (Private IP address ranges)
<p align="left"><img border="0" src="images/BD21298_.gif" width="13" <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13"> height="13">
Avant de lancer Shorewall, vous devriez regarder l'adresse de votre interface Avant de lancer Shorewall, vous devriez regarder l'adresse de votre interface
externe et si elle est comprise dans une des plages précédentes, vous devriez externe et si elle est comprise dans une des plages précédentes, vous devriez
enlever l'option 'norfc1918' dans le fichier /etc/shorewall/interfaces.</p> enlever l'option 'norfc1918' dans le fichier /etc/shorewall/interfaces.</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left">Vous devrez assigner les adresses locales à un sous-réseau <p align="left">Vous devrez assigner les adresses locales à un sous-réseau
(<i>sub-network </i>ou <i>subnet)</i> et les adresse pour la DMZ à un autre (<i>sub-network </i>ou <i>subnet)</i> et les adresse pour la DMZ à un autre
sous-réseau. Pour ce faire, nous pouvons considérer qu'un sous-réseau consiste sous-réseau. Pour ce faire, nous pouvons considérer qu'un sous-réseau consiste
en une plage d'adresse x.y.z.0 à x.y.z.255. Chacun des sous-réseaux possèdera en une plage d'adresse x.y.z.0 à x.y.z.255. Chacun des sous-réseaux possèdera
une masque (<i>Subnet Mask)</i> de 255.255.255.0. L'adresse x.y.z.0 est une masque (<i>Subnet Mask)</i> de 255.255.255.0. L'adresse x.y.z.0 est
réservée comme l'adresse du sous-réseau (<i>Subnet Address)</i> et x.y.z.255 réservée comme l'adresse du sous-réseau (<i>Subnet Address)</i> et x.y.z.255
est réservée en tant qu'adresse de broadcast du sous-réseau (<i>Subnet Broadcast</i> est réservée en tant qu'adresse de broadcast du sous-réseau (<i>Subnet
<i>Address)</i>. Sous Shorewall, un sous-réseau est décrit/désigné en utilisant Broadcast</i> <i>Address)</i>. Sous Shorewall, un sous-réseau est décrit/désigné
la notation <a href="shorewall_setup_guide.htm#Subnets"><i>Classless InterDomain en utilisant la notation <a href="shorewall_setup_guide.htm#Subnets"><i>Classless
Routing</i>(CIDR)</a> qui consiste en l'adresse du sous-réseau suivie par InterDomain Routing</i>(CIDR)</a> qui consiste en l'adresse du sous-réseau
"/24". Le "24" se réfère au nombre de bits "1" consécutifs dans la partie suivie par "/24". Le "24" se réfère au nombre de bits "1" consécutifs dans
gauche du masque de sous-réseau. </p> la partie gauche du masque de sous-réseau. </p>
</div> </div>
<div align="left"> <div align="left">
@ -391,104 +393,105 @@ gauche du masque de sous-r
</div> </div>
<div align="left"> <div align="left">
<p align="left">Il est de convention d'assigner à l'interface interne la première <p align="left">Il est de convention d'assigner à l'interface interne la
adresse utilisable dans le sous-réseau (10.10.10.1 dans l'exemple précédent) première adresse utilisable dans le sous-réseau (10.10.10.1 dans l'exemple
ou la dernière utilisable (10.10.10.254).</p> précédent) ou la dernière utilisable (10.10.10.254).</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left">L'un des buts d'un sous-réseau est de permettre à tous les <p align="left">L'un des buts d'un sous-réseau est de permettre à tous les
ordinateurs dans le sous-réseau de savoir avec quels autres ordinateurs ils ordinateurs dans le sous-réseau de savoir avec quels autres ordinateurs
peuvent communiquer directement. Pour communiquer avec des systèmes en dehors ils peuvent communiquer directement. Pour communiquer avec des systèmes
du sous-réseau, les ordinateurs envoient des paquets à travers le gateway en dehors du sous-réseau, les ordinateurs envoient des paquets à travers
(routeur).</p> le gateway (routeur).</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13" <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13"> height="13">
Vos ordinateurs locaux (ordinateur local 1 et 2) devraient être configurés Vos ordinateurs locaux (ordinateur local 1 et 2) devraient être configurés
avec leur passerelle par défaut (<i>default gateway)</i>pointant sur l'adresse avec leur passerelle par défaut (<i>default gateway)</i>pointant sur l'adresse
IP de l'interface interne du firewall, et les ordinateurs de la DMZ devraient IP de l'interface interne du firewall, et les ordinateurs de la DMZ devraient
être configurés avec leur passerelle par défaut (<i>default gateway)</i> pointant être configurés avec leur passerelle par défaut (<i>default gateway)</i>
sur l'adresse IP de l'interface DMZ du firewall. </p> pointant sur l'adresse IP de l'interface DMZ du firewall. </p>
</div> </div>
<p align="left">Cette courte description ne fait que survoler les concepts <p align="left">Cette courte description ne fait que survoler les concepts
de routage et de sous-réseau. Si vous vous voulez en apprendre plus sur l'adressage de routage et de sous-réseau. Si vous vous voulez en apprendre plus sur
IP et le routage, je vous recommande chaudement <i>"IP Fundamentals: What l'adressage IP et le routage, je vous recommande chaudement <i>"IP Fundamentals:
Everyone Needs to Know about Addressing &amp; Routing",</i> Thomas A. What Everyone Needs to Know about Addressing &amp; Routing",</i> Thomas
Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p> A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
<p align="left">Pour rappel, ce guide supposera que vous avez configuré votre <p align="left">Pour rappel, ce guide supposera que vous avez configuré votre
réseau comme montrer ci-dessous :</p> réseau comme montrer ci-dessous :</p>
<p align="center"> <img border="0" src="images/dmz2.png" width="721" <p align="center"> <img border="0" src="images/dmz2.png" width="721"
height="635"> height="635">
</p> </p>
<p align="left">La passerelle par défaut (default gateway) pour les ordinateurs <p align="left">La passerelle par défaut (default gateway) pour les ordinateurs
de la DMZ sera 10.10.11.254 et le passerelle par défaut pour les ordinateurs de la DMZ sera 10.10.11.254 et le passerelle par défaut pour les ordinateurs
en local sera 10.10.10.254.</p> en local sera 10.10.10.254.</p>
<h2 align="left">IP Masquerading (SNAT)</h2> <h2 align="left">IP Masquerading (SNAT)</h2>
<p align="left">Les adresses réservées par la RFC 1918 sont parfois désignées <p align="left">Les adresses réservées par la RFC 1918 sont parfois désignées
comme non-routables car les routeurs Internet (backbone) ne font pas circuler comme non-routables car les routeurs Internet (backbone) ne font pas circuler
les paquets qui ont une adresse de destination appartenant à la RFC-1918. les paquets qui ont une adresse de destination appartenant à la RFC-1918.
Lorsqu'un de vos systèmes en local (supposons l'ordinateur1) demande une connexion Lorsqu'un de vos systèmes en local (supposons l'ordinateur1) demande une
à un serveur par Internet, le firewall doit appliquer un NAT (Network Address connexion à un serveur par Internet, le firewall doit appliquer un NAT (Network
Translation). Le firewall ré écrit l'adresse source dans le paquet, et l'a Address Translation). Le firewall ré écrit l'adresse source dans le paquet,
remplace par l'adresse de l'interface externe du firewall; en d'autres mots, et l'a remplace par l'adresse de l'interface externe du firewall; en d'autres
le firewall fait croire que c'est lui même qui initie la connexion. Ceci mots, le firewall fait croire que c'est lui même qui initie la connexion.
est nécessaire afin que l'hôte de destination soit capable de renvoyer les Ceci est nécessaire afin que l'hôte de destination soit capable de renvoyer
paquets au firewall (souvenez vous que les paquets qui ont pour adresse de les paquets au firewall (souvenez vous que les paquets qui ont pour adresse
destination, une adresse réservée par la RFC 1918 ne pourront pas être routés de destination, une adresse réservée par la RFC 1918 ne pourront pas être
à travers Internet, donc l'hôte Internet ne pourra adresser sa réponse à routés à travers Internet, donc l'hôte Internet ne pourra adresser sa réponse
l'ordinateur 1). Lorsque le firewall reçoit le paquet de réponse, il remet à l'ordinateur 1). Lorsque le firewall reçoit le paquet de réponse, il remet
l'adresse de destination à 10.10.10.1 et fait passer le paquet vers l'ordinateur l'adresse de destination à 10.10.10.1 et fait passer le paquet vers l'ordinateur
1. </p> 1. </p>
<p align="left">Sur les systèmes Linux, ce procédé est souvent appelé de l'IP <p align="left">Sur les systèmes Linux, ce procédé est souvent appelé de
Masquerading mais vous verrez aussi le terme de Source Network Address Translation l'IP Masquerading mais vous verrez aussi le terme de Source Network Address
(SNAT) utilisé. Shorewall suit la convention utilisée avec Netfilter :</p> Translation (SNAT) utilisé. Shorewall suit la convention utilisée avec Netfilter
:</p>
<ul> <ul>
<li> <li>
<p align="left">Masquerade désigne le cas ou vous laissez votre firewall <p align="left">Masquerade désigne le cas ou vous laissez votre firewall
détecter automatiquement l'adresse de l'interface externe. </p> détecter automatiquement l'adresse de l'interface externe. </p>
</li> </li>
<li> <li>
<p align="left">SNAT désigne le cas où vous spécifiez explicitement l'adresse <p align="left">SNAT désigne le cas où vous spécifiez explicitement l'adresse
source des paquets sortant de votre réseau local. </p> source des paquets sortant de votre réseau local. </p>
</li> </li>
</ul> </ul>
<p align="left">Sous Shorewall, autant le Masquerading que le SNAT sont configuré <p align="left">Sous Shorewall, autant le Masquerading que le SNAT sont configuré
avec des entrés dans le fichier /etc/shorewall/masq.</p> avec des entrés dans le fichier /etc/shorewall/masq.</p>
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13" <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13"> height="13">
Si votre interface externe est <b>eth0</b>, votre interface locale <b>eth1</b> Si votre interface externe est <b>eth0</b>, votre interface locale <b>eth1</b>
et votre interface pour la DMZ <b>eth2</b> vous n'avez pas besoin de modifier et votre interface pour la DMZ <b>eth2</b> vous n'avez pas besoin de modifier
le fichier fourni avec l'exemple. Dans le cas contraire, éditez /etc/shorewall/masq le fichier fourni avec l'exemple. Dans le cas contraire, éditez /etc/shorewall/masq
et changez le en conséquence.</p> et changez le en conséquence.</p>
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13" <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13"> height="13">
Si votre IP externe est statique, vous pouvez la mettre dans la troisième Si votre IP externe est statique, vous pouvez la mettre dans la troisième
colonne dans /etc/shorewall/masq si vous le désirez, de toutes façons votre colonne dans /etc/shorewall/masq si vous le désirez, de toutes façons votre
firewall fonctionnera bien si vous laissez cette colonne vide. Le fait de firewall fonctionnera bien si vous laissez cette colonne vide. Le fait de
mettre votre IP statique dans la troisième colonne permet un traitement des mettre votre IP statique dans la troisième colonne permet un traitement
paquets sortant un peu plus efficace.<br> des paquets sortant un peu plus efficace.<br>
</p> </p>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13" <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13" alt=""> height="13" alt="">
Si vous utilisez les paquets Debian, vérifiez que votre fichier de configuration Si vous utilisez les paquets Debian, vérifiez que votre fichier de configuration
shorewall.conf contient bien les valeurs suivantes, si elles n'y sont pas shorewall.conf contient bien les valeurs suivantes, si elles n'y sont pas
faite les changements nécessaires :<br> faite les changements nécessaires :<br>
</p> </p>
<ul> <ul>
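Review bot: several spelling errors survive the reflow and could be fixed in the same pass: "Si vous vous voulez" doubles "vous"; "ré écrit" and "l'a remplace" in the SNAT paragraph should read "réécrit" and "la remplace"; "le cas ou vous laissez" needs "où"; and "sont configuré avec des entrés" should read "sont configurés avec des entrées". Since this hunk is otherwise a pure line-wrap change, keeping the reflow separate from wording fixes would make both easier to review.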
@ -501,19 +504,20 @@ faite les changements n
<h2 align="left">Port Forwarding (DNAT)</h2> <h2 align="left">Port Forwarding (DNAT)</h2>
<p align="left">Un de nos buts est de, peut être, faire tourner un ou plusieurs <p align="left">Un de nos buts est de, peut être, faire tourner un ou plusieurs
serveurs sur nos ordinateurs dans la DMZ. que ces ordinateurs on une adresse serveurs sur nos ordinateurs dans la DMZ. que ces ordinateurs on une adresse
RFC-1918, il n'est pas possible pour les clients sur Internet de se connecter RFC-1918, il n'est pas possible pour les clients sur Internet de se connecter
directement à eux. Il est nécessaire à ces clients d'adresser leurs demandes directement à eux. Il est nécessaire à ces clients d'adresser leurs demandes
de connexion au firewall qui ré écrit l'adresse de destination de votre serveur, de connexion au firewall qui ré écrit l'adresse de destination de votre
et fait passer le paquet à celui-ci. Lorsque votre serveur répond, le firewall serveur, et fait passer le paquet à celui-ci. Lorsque votre serveur répond,
applique automatiquement un SNAT pour ré écrire l'adresse source dans la réponse.</p> le firewall applique automatiquement un SNAT pour ré écrire l'adresse source
dans la réponse.</p>
<p align="left">Ce procédé est appelé Port Forwarding ou Destination Network <p align="left">Ce procédé est appelé Port Forwarding ou Destination Network
Address Translation(DNAT). Vous configurez le port forwarding en utilisant Address Translation(DNAT). Vous configurez le port forwarding en utilisant
les règles DNAT dans le fichier /etc/shorewall/rules.</p> les règles DNAT dans le fichier /etc/shorewall/rules.</p>
<p>La forme générale d'une simple règle de port forwarding dans /etc/shorewall/rules <p>La forme générale d'une simple règle de port forwarding dans /etc/shorewall/rules
est :</p> est :</p>
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
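Review bot: the second sentence of the Port Forwarding paragraph is a fragment, "dans la DMZ. que ces ordinateurs on une adresse RFC-1918, il n'est pas possible ..."; it reads correctly as "Comme ces ordinateurs ont une adresse RFC-1918, il n'est pas possible ...". The same paragraph repeats "ré écrit" twice where "réécrit" is meant.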
@ -531,7 +535,8 @@ est :</p>
<tr> <tr>
<td>DNAT</td> <td>DNAT</td>
<td>net</td> <td>net</td>
<td>dmz:<i>&lt;server local ip address&gt; </i>[:<i>&lt;server port&gt;</i>]</td> <td>dmz:<i>&lt;server local ip address&gt; </i>[:<i>&lt;server
port&gt;</i>]</td>
<td><i>&lt;protocol&gt;</i></td> <td><i>&lt;protocol&gt;</i></td>
<td><i>&lt;port&gt;</i></td> <td><i>&lt;port&gt;</i></td>
<td> <br> <td> <br>
@ -545,11 +550,11 @@ est :</p>
</blockquote> </blockquote>
<p>Si vous ne spécifiez pas le <i>&lt;server port&gt;</i>, il est supposé <p>Si vous ne spécifiez pas le <i>&lt;server port&gt;</i>, il est supposé
être le même que <i>&lt;port&gt;</i>.</p> être le même que <i>&lt;port&gt;</i>.</p>
<p>Exemple - vous faites tourner un serveur Web dans votre DMZ (2) et vous <p>Exemple - vous faites tourner un serveur Web dans votre DMZ (2) et vous
voulez faire passer les paquets entrant en TCP sur le port 80 à ce système voulez faire passer les paquets entrant en TCP sur le port 80 à ce système
:</p> :</p>
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -591,12 +596,13 @@ voulez faire passer les paquets entrant en TCP sur le port 80
<ul> <ul>
<li>Lorsque vous vous connectez à votre serveur à partir de votre réseau <li>Lorsque vous vous connectez à votre serveur à partir de votre réseau
local, vous devez utiliser l'adresse IP interne du serveur (10.10.11.2).</li> local, vous devez utiliser l'adresse IP interne du serveur (10.10.11.2).</li>
<li>Quelques fournisseurs Internet (Provider/ISP) bloquent les requêtes <li>Quelques fournisseurs Internet (Provider/ISP) bloquent les requêtes
de connexion entrantes sur le port 80. Si vous avez des problèmes pour vous de connexion entrantes sur le port 80. Si vous avez des problèmes pour vous
connecter à votre serveur web, essayez la règle suivante et connectez vous connecter à votre serveur web, essayez la règle suivante et connectez vous
sur le port 5000 (c.a.d., connectez vous à <a href="http://w.x.y.z:5000"> sur le port 5000 (c.a.d., connectez vous à <a
http://w.x.y.z:5000</a> où w.x.y.z est votre IP externe).</li> href="http://w.x.y.z:5000"> http://w.x.y.z:5000</a> où w.x.y.z est votre
IP externe).</li>
</ul> </ul>
@ -629,10 +635,10 @@ http://w.x.y.z:5000</a> o
</table> </table>
</blockquote> </blockquote>
<p>Si vous voulez avoir la possibilité de vous connecter à votre serveur depuis <p>Si vous voulez avoir la possibilité de vous connecter à votre serveur
le réseau local en utilisant votre adresse externe, et si vous avez une adresse depuis le réseau local en utilisant votre adresse externe, et si vous avez
IP externe statique (fixe), vous pouvez remplacer la règle loc-&gt;dmz précédente une adresse IP externe statique (fixe), vous pouvez remplacer la règle loc-&gt;dmz
par :</p> précédente par :</p>
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -662,9 +668,9 @@ par :</p>
</blockquote> </blockquote>
<p>Si vous avez une IP dynamique, alors vous devez vous assurer que votre <p>Si vous avez une IP dynamique, alors vous devez vous assurer que votre
interface externe est en route avant de lancer Shorewall et vous devez suivre interface externe est en route avant de lancer Shorewall et vous devez suivre
les étapes suivantes (en supposant que votre interface externe est <b>eth0</b>) les étapes suivantes (en supposant que votre interface externe est <b>eth0</b>)
:</p> :</p>
<ol> <ol>
<li>Insérez ce qui suit dans /etc/shorewall/params :<br> <li>Insérez ce qui suit dans /etc/shorewall/params :<br>
@ -703,8 +709,8 @@ les
</table> </table>
</blockquote> </blockquote>
<p>Si vous voulez accéder à votre serveur dans la DMZ en utilisant votre adresse <p>Si vous voulez accéder à votre serveur dans la DMZ en utilisant votre
IP externe, regardez <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p> adresse IP externe, regardez <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p>
<p><img border="0" src="images/BD21298_2.gif" width="13" height="13"> <p><img border="0" src="images/BD21298_2.gif" width="13" height="13">
A ce point, ajoutez les règles DNAT et ACCEPT pour vos serveurs..</p> A ce point, ajoutez les règles DNAT et ACCEPT pour vos serveurs..</p>
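Review bot: the closing sentence ends with a double period, "pour vos serveurs..", which should be a single one.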
@ -712,45 +718,46 @@ IP externe, regardez <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p>
<h2 align="left">Domain Name Server (DNS)</h2> <h2 align="left">Domain Name Server (DNS)</h2>
<p align="left">Normalement, quand vous vous connectez à votre fournisseur <p align="left">Normalement, quand vous vous connectez à votre fournisseur
(ISP), une partie consiste à obtenir votre adresse IP, votre DNS pour le firewall (ISP), une partie consiste à obtenir votre adresse IP, votre DNS pour le
(Domain Name Service) est configuré automatiquement (c.a.d., le fichier /etc/resolv.conf firewall (Domain Name Service) est configuré automatiquement (c.a.d., le
a été écrit). Il arrive que votre provider vous donne une paire d'adresse fichier /etc/resolv.conf a été écrit). Il arrive que votre provider vous
IP pour les DNS (name servers) afin que vous configuriez manuellement votre donne une paire d'adresse IP pour les DNS (name servers) afin que vous configuriez
serveur de nom primaire et secondaire. La manière dont le DNS est configuré manuellement votre serveur de nom primaire et secondaire. La manière dont
sur votre firewall est de votre responsabilité. Vous pouvez procéder d'une le DNS est configuré sur votre firewall est de votre responsabilité. Vous
de ses deux façons :</p> pouvez procéder d'une de ses deux façons :</p>
<ul> <ul>
<li> <li>
<p align="left">Vous pouvez configurer votre système interne pour utiliser <p align="left">Vous pouvez configurer votre système interne pour utiliser
les noms de serveurs de votre provider. Si votre fournisseur vous donne les les noms de serveurs de votre provider. Si votre fournisseur vous donne
adresses de leurs serveurs ou si ces adresses sont disponibles sur leur site les adresses de leurs serveurs ou si ces adresses sont disponibles sur leur
web, vous pouvez configurer votre système interne afin de les utiliser. Si site web, vous pouvez configurer votre système interne afin de les utiliser.
cette information n'est pas disponible, regardez dans /etc/resolv.conf sur Si cette information n'est pas disponible, regardez dans /etc/resolv.conf
votre firewall -- les noms des serveurs sont donnés dans l'enregistrement sur votre firewall -- les noms des serveurs sont donnés dans l'enregistrement
"nameserver" dans ce fichier. </p> "nameserver" dans ce fichier. </p>
</li> </li>
<li> <li>
<p align="left"><img border="0" src="images/BD21298_2.gif" <p align="left"><img border="0" src="images/BD21298_2.gif"
width="13" height="13"> width="13" height="13">
Vous pouvez installer/configurer un cache dns (Caching Name Server) sur Vous pouvez installer/configurer un cache dns (Caching Name Server) sur
votre firewall ou dans la DMZ.<i> </i>Red Hat a un RPM pour mettre en cache votre firewall ou dans la DMZ.<i> </i>Red Hat a un RPM pour mettre en cache
un serveur de nom (le RPM requis aussi le RPM 'bind') et pour les utilisateurs un serveur de nom (le RPM requis aussi le RPM 'bind') et pour les utilisateurs
de Bering, il y a dnscache.lrp. Si vous adoptez cette approche, vous configurez de Bering, il y a dnscache.lrp. Si vous adoptez cette approche, vous configurez
votre système interne pour utiliser le firewall lui même comme étant le seul votre système interne pour utiliser le firewall lui même comme étant le
serveur de nom primaire. Vous pouvez utiliser l'adresse IP interne du firewall seul serveur de nom primaire. Vous pouvez utiliser l'adresse IP interne
(10.10.10.254 dans l'exemple) pour l'adresse de serveur de nom si vous décidez du firewall (10.10.10.254 dans l'exemple) pour l'adresse de serveur de nom
de faire tourner le serveur de nom sur votre firewall. Pour permettre à vos si vous décidez de faire tourner le serveur de nom sur votre firewall. Pour
systèmes locaux de discuter avec votre serveur cache de nom, vous devez ouvrir permettre à vos systèmes locaux de discuter avec votre serveur cache de
le port 53 (UDP ET  TCP) sur le firewall vers le réseau local; vous ferez nom, vous devez ouvrir le port 53 (UDP ET  TCP) sur le firewall vers le
ceci en ajoutant les règles suivantes dans /etc/shorewall/rules. </p> réseau local; vous ferez ceci en ajoutant les règles suivantes dans /etc/shorewall/rules.
</p>
</li> </li>
</ul> </ul>
<blockquote> <blockquote>
<p align="left">Si vous faites tourner le serveur de nom sur le firewall <p align="left">Si vous faites tourner le serveur de nom sur le firewall
: :
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber4"> id="AutoNumber4">
<tbody> <tbody>
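Review bot: the paragraph opened at `<p align="left">Si vous faites tourner le serveur de nom sur le firewall :` is never closed before the `<table>` that follows; browsers close it implicitly, but adding `</p>` keeps the markup well-formed. Minor wording in the same hunk: "une paire d'adresse IP" should be "une paire d'adresses IP", "d'une de ses deux façons" should be "d'une de ces deux façons", and "le RPM requis aussi le RPM 'bind'" should be "le RPM requiert aussi le RPM 'bind'".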
@ -885,7 +892,7 @@ ceci en ajoutant les r
<div align="left"> <div align="left">
<p align="left">L'exemple pour trois interfaces contient les règles suivantes <p align="left">L'exemple pour trois interfaces contient les règles suivantes
:</p> :</p>
</div> </div>
<div align="left"> <div align="left">
@ -932,8 +939,8 @@ ceci en ajoutant les r
<div align="left"> <div align="left">
<p align="left">Ces règles permettent l'accès DNS depuis votre firewall et <p align="left">Ces règles permettent l'accès DNS depuis votre firewall et
peuvent être enlevées si vous avez décommenté la ligne dans /etc/shorewall/policy peuvent être enlevées si vous avez décommenté la ligne dans /etc/shorewall/policy
autorisant toutes les connexions depuis votre firewall et vers Internet.</p> autorisant toutes les connexions depuis votre firewall et vers Internet.</p>
</div> </div>
<div align="left"> <div align="left">
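Review bot: the sentence says the two DNS rules can be removed once the fw-to-net line in /etc/shorewall/policy is uncommented, but that policy line allows every connection from the firewall to the Internet, not only DNS; it would help readers to state that keeping the explicit port 53 rules with a restrictive fw-to-net policy is the tighter configuration and that uncommenting the policy line is the convenience option.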
@ -984,13 +991,13 @@ autorisant toutes les connexions depuis votre firewall et vers Internet.</p>
<div align="left"> <div align="left">
<p align="left">Cette règle permet de faire fonctionner une serveur SSH sur <p align="left">Cette règle permet de faire fonctionner une serveur SSH sur
le firewall et sur tous les systèmes de la DMZ et d'y autoriser la connexion le firewall et sur tous les systèmes de la DMZ et d'y autoriser la connexion
à partir de votre réseau local.</p> à partir de votre réseau local.</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left">Si vous désirez permettre d'autres connexions entre vos systèmes, <p align="left">Si vous désirez permettre d'autres connexions entre vos systèmes,
la forme générale est :</p> la forme générale est :</p>
</div> </div>
<div align="left"> <div align="left">
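Review bot: "une serveur SSH" should read "un serveur SSH" (masculine).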
@ -1026,7 +1033,7 @@ la forme g
<div align="left"> <div align="left">
<p align="left">Exemple - Vous voulez faire tourner un serveur DNS disponible <p align="left">Exemple - Vous voulez faire tourner un serveur DNS disponible
pour le publique sur votre firewall :</p> pour le publique sur votre firewall :</p>
</div> </div>
<div align="left"> <div align="left">
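Review bot: "disponible pour le publique" should read "disponible pour le public".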
@ -1069,20 +1076,20 @@ pour le publique sur votre firewall :</p>
<div align="left"> <div align="left">
<p align="left">Ces deux règles seront, bien sur, ajoutées aux règles décrites <p align="left">Ces deux règles seront, bien sur, ajoutées aux règles décrites
dans "Vous pouvez installer/configurer un cache dns (Caching Name Server) dans "Vous pouvez installer/configurer un cache dns (Caching Name Server)
sur votre firewall ou dans la DMZ".</p> sur votre firewall ou dans la DMZ".</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left">Si vous ne savez pas quel port ou protocole une application <p align="left">Si vous ne savez pas quel port ou protocole une application
particulière utilise, regardez <a href="ports.htm">ici</a>.</p> particulière utilise, regardez <a href="ports.htm">ici</a>.</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left">Important: Je ne vous recommande pas d'autoriser le telnet <p align="left">Important: Je ne vous recommande pas d'autoriser le telnet
depuis ou vers l'Internet car il utilise du texte en clair (même pour le login depuis ou vers l'Internet car il utilise du texte en clair (même pour le
et le mot de passe !). Si vous voulez avoir un accès au shell de votre firewall login et le mot de passe !). Si vous voulez avoir un accès au shell de votre
depuis Internet, utilisez SSH :</p> firewall depuis Internet, utilisez SSH :</p>
</div> </div>
<div align="left"> <div align="left">
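Review bot: "bien sur" in the first paragraph should be "bien sûr". The telnet warning is the right advice and is worth keeping exactly as worded.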
@ -1120,7 +1127,7 @@ depuis Internet, utilisez SSH :</p>
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13" <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13"> height="13">
Et maintenant, éditez /etc/shorewall/rules pour rajouter les autres connexions Et maintenant, éditez /etc/shorewall/rules pour rajouter les autres connexions
désirées.</p> désirées.</p>
</div> </div>
<div align="left"> <div align="left">
@ -1130,49 +1137,49 @@ d
<div align="left"> <div align="left">
<p align="left"> <img border="0" src="images/BD21298_2.gif" width="13" <p align="left"> <img border="0" src="images/BD21298_2.gif" width="13"
height="13" alt="Arrow"> height="13" alt="Arrow">
La <a href="Install.htm">procédure d'installation</a> configure votre système La <a href="Install.htm">procédure d'installation</a> configure votre
pour lancer Shorewall au boot du système, mais au début avec la version 1.3.9 système pour lancer Shorewall au boot du système, mais au début avec la
de Shorewall le lancement est désactivé, n'essayer pas de lancer Shorewall version 1.3.9 de Shorewall le lancement est désactivé, n'essayer pas de
avec que la configuration soit finie. Une fois que vous en avez fini avec lancer Shorewall avec que la configuration soit finie. Une fois que vous
la configuration du firewall, vous pouvez permettre le lancement de Shorewall en avez fini avec la configuration du firewall, vous pouvez permettre le
en supprimant le fichier /etc/shorewall/startup_disabled.<br> lancement de Shorewall en supprimant le fichier /etc/shorewall/startup_disabled.<br>
</p> </p>
<p align="left">IMPORTANT: Les utilisateurs des paquets .deb doivent éditer <p align="left">IMPORTANT: Les utilisateurs des paquets .deb doivent éditer
/etc/default/shorewall et mettre 'startup=1'<font color="#ff0000">.</font><br> /etc/default/shorewall et mettre 'startup=1'<font color="#ff0000">.</font><br>
</p> </p>
</div> </div>
<div align="left"> <div align="left">
<p align="left">Le firewall est activé en utilisant la commande "shorewall <p align="left">Le firewall est activé en utilisant la commande "shorewall
start" et arrêté avec "shorewall stop". Lorsque le firewall est stoppé, le start" et arrêté avec "shorewall stop". Lorsque le firewall est stoppé,
routage est autorisé sur les hôtes qui possèdent une entrée dans <a le routage est autorisé sur les hôtes qui possèdent une entrée dans <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. Un href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. Un
firewall qui tourne peut être relancé en utilisant la commande "shorewall firewall qui tourne peut être relancé en utilisant la commande "shorewall
restart". Si vous voulez enlever toutes traces de Shorewall sur votre configuration restart". Si vous voulez enlever toutes traces de Shorewall sur votre configuration
de Netfilter, utilisez "shorewall clear".</p> de Netfilter, utilisez "shorewall clear".</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13" <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13"> height="13">
L'exemple pour trois interfaces suppose que vous voulez permettre le routage L'exemple pour trois interfaces suppose que vous voulez permettre le routage
depuis/vers <b>eth1 </b>(votre réseau local) et<b> eth2</b>(DMZ) lorsque depuis/vers <b>eth1 </b>(votre réseau local) et<b> eth2</b>(DMZ) lorsque
Shorewall est arrêté. Si ces deux interfaces ne sont pas connectées Shorewall est arrêté. Si ces deux interfaces ne sont pas connectées
à votre réseau local et votre DMZ, ou si vous voulez permettre un ensemble à votre réseau local et votre DMZ, ou si vous voulez permettre un ensemble
d'hôtes différents, modifiez /etc/shorewall/routestopped en conséquence.</p> d'hôtes différents, modifiez /etc/shorewall/routestopped en conséquence.</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left">ATTENTION: Si vous êtes connecté à votre firewall depuis Internet, <p align="left">ATTENTION: Si vous êtes connecté à votre firewall depuis
n'essayez pas une commande "shorewall stop" tant que vous n'avez pas ajouté Internet, n'essayez pas une commande "shorewall stop" tant que vous n'avez
une entrée pour votre adresse IP (celle à partir de laquelle vous êtes connectée) pas ajouté une entrée pour votre adresse IP (celle à partir de laquelle vous
dans <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. êtes connectée) dans <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
De la même manière, je ne vous recommande pas d'utiliser "shorewall restart"; De la même manière, je ne vous recommande pas d'utiliser "shorewall restart";
il est plus intéressant de créer une <i><a il est plus intéressant de créer une <i><a
href="configuration_file_basics.htm#Configs">configuration </a></i><i><a href="configuration_file_basics.htm#Configs">configuration </a></i><i><a
href="configuration_file_basics.htm#Configs">alternative</a></i>et de la href="configuration_file_basics.htm#Configs">alternative</a></i>et de la
tester en utilisant la commande <a tester en utilisant la commande <a
href="starting_and_stopping_shorewall.htm">"shorewall try"</a>.</p> href="starting_and_stopping_shorewall.htm">"shorewall try"</a>.</p>
</div> </div>
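Review bot: the startup paragraph has two wording errors that change its meaning: "n'essayer pas de lancer Shorewall avec que la configuration soit finie" should read "n'essayez pas de lancer Shorewall avant que la configuration soit finie" (imperative, and "avant" rather than "avec"). Also, `'startup=1'<font color="#ff0000">.</font>` wraps a lone period in a red font element that should just be plain text, and "alternative</a></i>et de la tester" is missing the space before "et".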
@ -1180,7 +1187,8 @@ tester en utilisant la commande <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas <p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas
M. Eastep</font></a></p> M. Eastep</font></a></p>
<br>
<br> <br>
<br> <br>
<br> <br>


@ -18,7 +18,6 @@
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Troubleshooting<img <h1 align="center"><font color="#ffffff">Shorewall Troubleshooting<img
src="images/obrasinf.gif" alt="Beating head on table" width="90" src="images/obrasinf.gif" alt="Beating head on table" width="90"
height="90" align="middle"> height="90" align="middle">
@ -50,9 +49,8 @@
<li>shorewall debug start 2&gt; /tmp/trace</li> <li>shorewall debug start 2&gt; /tmp/trace</li>
<li>Look at the /tmp/trace file and see if that helps you <li>Look at the /tmp/trace file and see if that helps you
determine what the problem is. Be sure you find the place in the log determine what the problem is. Be sure you find the place in the log
where the error message you saw is generated -- in 99.9% of the cases, it where the error message you saw is generated -- If you are using Shorewall
will not be near the end of the log because after startup errors, Shorewall 1.4.0 or later, you should find the message near the end of the log.</li>
goes through a "shorewall stop" phase which will also be traced.</li>
<li>If you still can't determine what's wrong then see the <li>If you still can't determine what's wrong then see the
<a href="support.htm">support page</a>.</li> <a href="support.htm">support page</a>.</li>
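Review bot: the rewritten sentence now covers only Shorewall 1.4.0 or later and drops the explanation that earlier releases run a "shorewall stop" phase after a startup error, so readers on an older version lose the hint that the message will not be near the end of the trace; suggest keeping that as the other branch, e.g. "on earlier versions the message will not be near the end of the log because ... goes through a 'shorewall stop' phase which will also be traced". Separately, `shorewall debug start 2> /tmp/trace` writes root's trace to a predictable name in the world-writable /tmp; pointing readers at a root-owned location (the root home directory or a file under /var/log) avoids the classic symlink problem with fixed /tmp names.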
@ -73,13 +71,12 @@
<h3>Your network environment</h3> <h3>Your network environment</h3>
<p>Many times when people have problems with Shorewall, the problem is <p>Many times when people have problems with Shorewall, the problem is actually
actually an ill-conceived network setup. Here are several popular snafus: an ill-conceived network setup. Here are several popular snafus: </p>
</p>
<ul> <ul>
<li>Port Forwarding where client and server are in <li>Port Forwarding where client and server are
the same subnet. See <a href="FAQ.htm">FAQ 2.</a></li> in the same subnet. See <a href="FAQ.htm">FAQ 2.</a></li>
<li>Changing the IP address of a local system to be in the <li>Changing the IP address of a local system to be in the
external subnet, thinking that Shorewall will suddenly believe that external subnet, thinking that Shorewall will suddenly believe that
the system is in the 'net' zone.</li> the system is in the 'net' zone.</li>
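Review bot: "See FAQ 2." links to `FAQ.htm` without an anchor, while the setup guide links to specific entries such as `FAQ.htm#faq2a`; linking to the anchor of FAQ 2 (whatever it is named in FAQ.htm) would land the reader on the entry rather than the top of the page.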
@ -114,16 +111,14 @@ the event that you forget to remove them later.</p>
<p align="left">LOGRATE=""<br> <p align="left">LOGRATE=""<br>
LOGBURST=""</p> LOGBURST=""</p>
<p align="left">This way, you will see all of the log messages being <p align="left">This way, you will see all of the log messages being generated
generated (be sure to restart shorewall after clearing these variables).</p> (be sure to restart shorewall after clearing these variables).</p>
<p align="left">Example:</p> <p align="left">Example:</p>
<font face="Century Gothic, Arial, Helvetica"> <font face="Century Gothic, Arial, Helvetica">
<p align="left"><font face="Courier">Jun 27 15:37:56 gateway kernel: Shorewall:all2all:REJECT:IN=eth2
<p align="left"><font face="Courier">Jun 27 15:37:56 gateway kernel: OUT=eth1 SRC=192.168.2.2 DST=192.168.1.3 LEN=67 TOS=0x00 PREC=0x00 TTL=63
Shorewall:all2all:REJECT:IN=eth2 OUT=eth1 SRC=192.168.2.2 DST=192.168.1.3 ID=5805 DF PROTO=UDP SPT=1803 DPT=53 LEN=47</font></p>
LEN=67 TOS=0x00 PREC=0x00 TTL=63 ID=5805 DF PROTO=UDP SPT=1803 DPT=53
LEN=47</font></p>
</font> </font>
<p align="left">Let's look at the important parts of this message:</p> <p align="left">Let's look at the important parts of this message:</p>
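Review bot: the sample kernel log line is set as a `<p>` with `<font face="Courier">`, and that paragraph is wrapped in an inline `<font face="Century Gothic, Arial, Helvetica">`, which is invalid nesting (an inline element around a block) and lets the browser reflow the message at any point. Put the message in a `<pre>` block instead so the fields (IN=, OUT=, SRC=, DST=, PROTO=, SPT=, DPT=) stay on one line and can be compared verbatim against what the reader sees in their own log.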
@ -151,8 +146,8 @@ policy (see <a href="FAQ.htm#faq17">FAQ 17).</a></li>
</p> </p>
<h3 align="left">'Ping' Problems?</h3> <h3 align="left">'Ping' Problems?</h3>
Either can't ping when you think you should be able to or are able to ping Either can't ping when you think you should be able to or are able to
when you think that you shouldn't be allowed? Shorewall's 'Ping' Management<a ping when you think that you shouldn't be allowed? Shorewall's 'Ping' Management<a
href="ping.html"> is described here</a>.<br> href="ping.html"> is described here</a>.<br>
<h3 align="left">Other Gotchas</h3> <h3 align="left">Other Gotchas</h3>
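Review bot: the Ping Management link uses `href="ping.html"` while every other link in this file uses the .htm extension (support.htm, FAQ.htm, kernel.htm); confirm the target file name. Also move the leading space out of the anchor text: `Management<a href="ping.html"> is described here</a>` renders a link that begins with a space.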
@ -160,27 +155,26 @@ policy (see <a href="FAQ.htm#faq17">FAQ 17).</a></li>
<ul> <ul>
<li>Seeing rejected/dropped packets logged out of the INPUT <li>Seeing rejected/dropped packets logged out of the INPUT
or FORWARD chains? This means that: or FORWARD chains? This means that:
<ol> <ol>
<li>your zone definitions are screwed up and the host that <li>your zone definitions are screwed up and the host that
is sending the packets or the destination host isn't in any zone is sending the packets or the destination host isn't in any zone
(using an <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a> (using an <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>
file are you?); or</li> file are you?); or</li>
<li>the source and destination hosts are both connected to <li>the source and destination hosts are both connected
the same interface and you don't have a policy or rule for the to the same interface and you don't have a policy or rule for
source zone to or from the destination zone.</li> the source zone to or from the destination zone.</li>
</ol> </ol>
</li> </li>
<li>Remember that Shorewall doesn't automatically allow ICMP <li>Remember that Shorewall doesn't automatically allow ICMP
type 8 ("ping") requests to be sent between zones. If you want type 8 ("ping") requests to be sent between zones. If you want pings
pings to be allowed between zones, you need a rule of the form:<br> to be allowed between zones, you need a rule of the form:<br>
<br> <br>
    ACCEPT    &lt;source zone&gt;    &lt;destination zone&gt;        ACCEPT    &lt;source zone&gt;    &lt;destination
icmp    echo-request<br> zone&gt;    icmp    echo-request<br>
<br> <br>
The ramifications of this can be subtle. For example, if you The ramifications of this can be subtle. For example, if
have the following in /etc/shorewall/nat:<br> you have the following in /etc/shorewall/nat:<br>
<br> <br>
    10.1.1.2    eth0    130.252.100.18<br>     10.1.1.2    eth0    130.252.100.18<br>
<br> <br>
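Review bot: the two file entries in this hunk (the `ACCEPT <source zone> <destination zone> icmp echo-request` rule and the `10.1.1.2 eth0 130.252.100.18` nat entry) are laid out with runs of `&nbsp;` and `<br>`. A reader who copies them into /etc/shorewall/rules or /etc/shorewall/nat gets non-breaking spaces between the fields, which the shell does not treat as whitespace, so the pasted line does not split into the columns Shorewall expects. Use `<pre>` blocks with ordinary spaces or tabs, as the `which ip` transcript in the two-interface guide already does.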
@ -190,20 +184,20 @@ and the zone containing 10.1.1.2, the ping requests will be dropped.
<li>If you specify "routefilter" for an interface, that <li>If you specify "routefilter" for an interface, that
interface must be up prior to starting the firewall.</li> interface must be up prior to starting the firewall.</li>
<li>Is your routing correct? For example, internal systems <li>Is your routing correct? For example, internal systems
usually need to be configured with their default gateway set to usually need to be configured with their default gateway set to the
the IP address of their nearest firewall interface. One often overlooked IP address of their nearest firewall interface. One often overlooked
aspect of routing is that in order for two hosts to communicate, the aspect of routing is that in order for two hosts to communicate, the
routing between them must be set up <u>in both directions.</u> So routing between them must be set up <u>in both directions.</u> So when
when setting up routing between <b>A</b> and<b> B</b>, be sure to setting up routing between <b>A</b> and<b> B</b>, be sure to verify
verify that the route from <b>B</b> back to <b>A</b> is defined.</li> that the route from <b>B</b> back to <b>A</b> is defined.</li>
<li>Some versions of LRP (EigerStein2Beta for example) have <li>Some versions of LRP (EigerStein2Beta for example) have
a shell with broken variable expansion. <a a shell with broken variable expansion. <a
href="ftp://ftp.shorewall.net/pub/shorewall/ash.gz"> You can get a corrected href="ftp://ftp.shorewall.net/pub/shorewall/ash.gz"> You can get a corrected
shell from the Shorewall Errata download site.</a> </li> shell from the Shorewall Errata download site.</a> </li>
<li>Do you have your kernel properly configured? <a <li>Do you have your kernel properly configured? <a
href="kernel.htm">Click here to see my kernel configuration.</a> </li> href="kernel.htm">Click here to see my kernel configuration.</a> </li>
<li>Shorewall requires the "ip" program. That program is <li>Shorewall requires the "ip" program. That program
generally included in the "iproute" package which should be included is generally included in the "iproute" package which should be included
with your distribution (though many distributions don't install iproute with your distribution (though many distributions don't install iproute
by default). You may also download the latest source tarball from <a by default). You may also download the latest source tarball from <a
href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank"> ftp://ftp.inr.ac.ru/ip-routing</a> href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank"> ftp://ftp.inr.ac.ru/ip-routing</a>
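Review bot: the routefilter item says the interface "must be up prior to starting the firewall" but not what the user will see when it is not; on a troubleshooting page the symptom is what the reader is searching for, so name it (error at start, or the option being ineffective). Separately, the corrected ash shell and the iproute tarball are offered over plain FTP with no checksum mentioned; for binaries the firewall itself depends on, consider publishing a checksum on the Errata page alongside the download.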
@ -219,15 +213,12 @@ add all external addresses to be use with NAT unless you have set <a
<p>See the<a href="support.htm"> support page.<br> <p>See the<a href="support.htm"> support page.<br>
</a></p> </a></p>
<font face="Century Gothic, Arial, Helvetica"> <font face="Century Gothic, Arial, Helvetica">
<blockquote> </blockquote> <blockquote> </blockquote>
</font> </font>
<p><font size="2">Last updated 2/21/2003 - Tom Eastep</font> </p> <p><font size="2">Last updated 4/29/2003 - Tom Eastep</font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
</p> </p>
<br>
<br>
</body> </body>
</html> </html>
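Review bot: the footer's "Last updated" date moves from 2/21/2003 to 4/29/2003, but the copyright line beneath it still reads "2001, 2002 Thomas M. Eastep."; add 2003. The empty `<blockquote> </blockquote>` inside the stray `<font face="Century Gothic, Arial, Helvetica">` just above the footer is leftover markup and can be dropped.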

View File

@ -30,8 +30,8 @@
</table> </table>
<p align="left">Setting up a Linux system as a firewall for a small network <p align="left">Setting up a Linux system as a firewall for a small network
is a fairly straight-forward task if you understand the basics and is a fairly straight-forward task if you understand the basics
follow the documentation.</p> and follow the documentation.</p>
<p>This guide doesn't attempt to acquaint you with all of the features of <p>This guide doesn't attempt to acquaint you with all of the features of
Shorewall. It rather focuses on what is required to configure Shorewall Shorewall. It rather focuses on what is required to configure Shorewall
@ -39,7 +39,7 @@
<ul> <ul>
<li>Linux system used as a firewall/router for a small <li>Linux system used as a firewall/router for a small
local network.</li> local network.</li>
<li>Single public IP address.</li> <li>Single public IP address.</li>
<li>Internet connection through cable modem, DSL, ISDN, <li>Internet connection through cable modem, DSL, ISDN,
Frame Relay, dial-up ...</li> Frame Relay, dial-up ...</li>
@ -59,8 +59,8 @@ local network.</li>
</b></p> </b></p>
<p><b>Note however, that the Shorewall configuration produced by Mandrake <p><b>Note however, that the Shorewall configuration produced by Mandrake
Internet Connection Sharing is strange and is apt to confuse you if you use Internet Connection Sharing is strange and is apt to confuse you if you
the rest of this documentation (it has two local zones; "loc" and "masq" use the rest of this documentation (it has two local zones; "loc" and "masq"
where "loc" is empty; this conflicts with this documentation which assumes where "loc" is empty; this conflicts with this documentation which assumes
a single local zone "loc"). We therefore recommend that once you have set a single local zone "loc"). We therefore recommend that once you have set
up this sharing that you uninstall the Mandrake Shorewall RPM and install up this sharing that you uninstall the Mandrake Shorewall RPM and install
@ -70,37 +70,37 @@ instructions in this Guide.</b><br>
<p>Shorewall requires that you have the iproute/iproute2 package installed <p>Shorewall requires that you have the iproute/iproute2 package installed
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can (on RedHat, the package is called <i>iproute</i>)<i>. </i>You can
tell if this package is installed by the presence of an <b>ip</b> program tell if this package is installed by the presence of an <b>ip</b>
on your firewall system. As root, you can use the 'which' command program on your firewall system. As root, you can use the 'which'
to check for this program:</p> command to check for this program:</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre> <pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
<p>I recommend that you first read through the guide to familiarize yourself <p>I recommend that you first read through the guide to familiarize yourself
with what's involved then go back through it again making your configuration with what's involved then go back through it again making your
changes. Points at which configuration changes are recommended are configuration changes. Points at which configuration changes are
flagged with <img border="0" src="images/BD21298_.gif" width="13" recommended are flagged with <img border="0"
height="13"> src="images/BD21298_.gif" width="13" height="13">
. Configuration notes that are unique to LEAF/Bering are . Configuration notes that are unique to LEAF/Bering are
marked with <img src="images/leaflogo.gif" alt="(LEAF Logo)" width="49" marked with <img src="images/leaflogo.gif" alt="(LEAF Logo)"
height="36"> width="49" height="36">
</p> </p>
<p><img border="0" src="images/j0213519.gif" width="60" height="60"> <p><img border="0" src="images/j0213519.gif" width="60" height="60">
    If you edit your configuration files on a Windows system,     If you edit your configuration files on a Windows
you must save them as Unix files if your editor supports that option system, you must save them as Unix files if your editor supports
or you must run them through dos2unix before trying to use them. Similarly, that option or you must run them through dos2unix before trying to
if you copy a configuration file from your Windows hard drive to a use them. Similarly, if you copy a configuration file from your Windows
floppy disk, you must run dos2unix against the copy before using it with hard drive to a floppy disk, you must run dos2unix against the copy
Shorewall.</p> before using it with Shorewall.</p>
<ul> <ul>
<li><a <li><a
href="http://www.simtel.net/pub/pd/51438.html">Windows Version of href="http://www.simtel.net/pub/pd/51438.html">Windows Version of
dos2unix</a></li> dos2unix</a></li>
<li><a <li><a
href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version of href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version
dos2unix</a></li> of dos2unix</a></li>
</ul> </ul>
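Review bot: the `which ip` transcript is a `<pre>` whose lines are joined with `<br>`; inside `<pre>` line breaks are already preserved, so browsers that honour both render extra blank lines. Use literal newlines. The same `<pre>`-plus-`<br>` pattern is used for the RFC 1918 address ranges later in this file and should get the same fix.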
@ -112,18 +112,17 @@ Shorewall.</p>
directory /etc/shorewall -- for simple setups, you will only need to directory /etc/shorewall -- for simple setups, you will only need to
deal with a few of these as described in this guide. After you have <a deal with a few of these as described in this guide. After you have <a
href="Install.htm">installed Shorewall</a>, <b>download the <a href="Install.htm">installed Shorewall</a>, <b>download the <a
href="http://www.shorewall.net/pub/shorewall/LATEST.samples/two-interfaces.tgz">two-interface href="http://www1.shorewall.net/pub/shorewall/Samples/">two-interface sample</a>,
sample</a>, un-tar it (tar -zxvf two-interfaces.tgz) and and copy un-tar it (tar -zxvf two-interfaces.tgz) and and copy the files to
the files to /etc/shorewall (these files will replace files with /etc/shorewall (these files will replace files with the same name).</b></p>
the same name).</b></p>
<p>As each file is introduced, I suggest that you look through the actual <p>As each file is introduced, I suggest that you look through the actual
file on your system -- each file contains detailed configuration file on your system -- each file contains detailed configuration
instructions and default entries.</p> instructions and default entries.</p>
<p>Shorewall views the network where it is running as being composed of a <p>Shorewall views the network where it is running as being composed of a
set of <i>zones.</i> In the two-interface sample configuration, the set of <i>zones.</i> In the two-interface sample configuration,
following zone names are used:</p> the following zone names are used:</p>
<table border="0" style="border-collapse: collapse;" cellpadding="3" <table border="0" style="border-collapse: collapse;" cellpadding="3"
cellspacing="0" id="AutoNumber2"> cellspacing="0" id="AutoNumber2">
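Review bot: the sample download link changes from a direct tarball (.../LATEST.samples/two-interfaces.tgz) to a directory listing (http://www1.shorewall.net/pub/shorewall/Samples/), but the instruction that follows still says "un-tar it (tar -zxvf two-interfaces.tgz)"; either link the tarball itself or tell the reader which file to take from the listing. The doubled "and and copy the files" is carried over unchanged; drop one "and". Since the extracted files "will replace files with the same name" in /etc/shorewall, it is worth telling the reader to back up any existing configuration first.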
@ -154,23 +153,23 @@ instructions and default entries.</p>
in terms of zones.</p> in terms of zones.</p>
<ul> <ul>
<li>You express your default policy for connections from <li>You express your default policy for connections
one zone to another zone in the<a from one zone to another zone in the<a
href="Documentation.htm#Policy"> /etc/shorewall/policy </a>file.</li> href="Documentation.htm#Policy"> /etc/shorewall/policy </a>file.</li>
<li>You define exceptions to those default policies in <li>You define exceptions to those default policies
the <a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li> in the <a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
</ul> </ul>
<p>For each connection request entering the firewall, the request is first <p>For each connection request entering the firewall, the request is first
checked against the /etc/shorewall/rules file. If no rule in that checked against the /etc/shorewall/rules file. If no rule in that
file matches the connection request then the first policy in /etc/shorewall/policy file matches the connection request then the first policy in /etc/shorewall/policy
that matches the request is applied. If that policy is REJECT or that matches the request is applied. If that policy is REJECT
DROP  the request is first checked against the rules in /etc/shorewall/common or DROP  the request is first checked against the rules in /etc/shorewall/common
(the samples provide that file for you).</p> (the samples provide that file for you).</p>
<p>The /etc/shorewall/policy file included with the two-interface sample has <p>The /etc/shorewall/policy file included with the two-interface sample
the following policies:</p> has the following policies:</p>
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
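Review bot: the sentence "If that policy is REJECT or DROP the request is first checked against the rules in /etc/shorewall/common" is hard to follow directly after "the request is first checked against the /etc/shorewall/rules file"; two steps cannot both be first. Suggest: "If that policy is REJECT or DROP, the request is checked against /etc/shorewall/common before the policy is applied." The non-breaking space in "DROP&nbsp;the" should be an ordinary space.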
@ -244,14 +243,14 @@ the following policies:</p>
<li>drop (ignore) all connection requests from the internet <li>drop (ignore) all connection requests from the internet
to your firewall or local network</li> to your firewall or local network</li>
<li>optionally accept all connection requests from the <li>optionally accept all connection requests from the
firewall to the internet (if you uncomment the additional policy)</li> firewall to the internet (if you uncomment the additional policy)</li>
<li>reject all other connection requests.</li> <li>reject all other connection requests.</li>
</ol> </ol>
<p><img border="0" src="images/BD21298_.gif" width="13" height="13"> <p><img border="0" src="images/BD21298_.gif" width="13" height="13">
    At this point, edit your /etc/shorewall/policy and make     At this point, edit your /etc/shorewall/policy and
any changes that you wish.</p> make any changes that you wish.</p>
<h2 align="left">Network Interfaces</h2> <h2 align="left">Network Interfaces</h2>
@ -259,9 +258,9 @@ firewall to the internet (if you uncomment the additional policy)</li>
height="635"> height="635">
</p> </p>
<p align="left">The firewall has two network interfaces. Where Internet <p align="left">The firewall has two network interfaces. Where Internet connectivity
connectivity is through a cable or DSL "Modem", the <i>External Interface</i> is through a cable or DSL "Modem", the <i>External Interface</i> will be
will be the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>)  the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>) 
<u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol
over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint
<u>T</u>unneling <u>P</u>rotocol </i>(PPTP) in which case the External <u>T</u>unneling <u>P</u>rotocol </i>(PPTP) in which case the External
@ -277,9 +276,9 @@ connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
<p align="left">Your <i>Internal Interface</i> will be an ethernet adapter <p align="left">Your <i>Internal Interface</i> will be an ethernet adapter
(eth1 or eth0) and will be connected to a hub or switch. Your other (eth1 or eth0) and will be connected to a hub or switch. Your other
computers will be connected to the same hub/switch (note: If you have computers will be connected to the same hub/switch (note: If you
only a single internal system, you can connect the firewall directly have only a single internal system, you can connect the firewall
to the computer using a <i>cross-over </i> cable).</p> directly to the computer using a <i>cross-over </i> cable).</p>
<p align="left"><u><b> <img border="0" src="images/j0213519.gif" <p align="left"><u><b> <img border="0" src="images/j0213519.gif"
width="60" height="60"> width="60" height="60">
@ -292,8 +291,8 @@ connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
width="13" height="13"> width="13" height="13">
    The Shorewall two-interface sample configuration assumes     The Shorewall two-interface sample configuration assumes
that the external interface is <b>eth0</b> and the internal interface that the external interface is <b>eth0</b> and the internal interface
is <b>eth1</b>. If your configuration is different, you will have to is <b>eth1</b>. If your configuration is different, you will have
modify the sample <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> to modify the sample <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
file accordingly. While you are there, you may wish to review the file accordingly. While you are there, you may wish to review the
list of options that are specified for the interfaces. Some hints:</p> list of options that are specified for the interfaces. Some hints:</p>
@ -306,7 +305,7 @@ list of options that are specified for the interfaces. Some hints:</p>
<li> <li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b> <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>
or if you have a static IP address, you can remove "dhcp" from or if you have a static IP address, you can remove "dhcp" from
the option list. </p> the option list. </p>
</li> </li>
</ul> </ul>
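Review bot: the hint says when "dhcp" may be removed from the interface's option list but not what the option permits on that interface, so the reader cannot judge the consequence of leaving it in place, or of removing it when it was needed. Add a half-sentence on what the option does, or link its entry in the interfaces documentation (Documentation.htm#Interfaces, already linked earlier in this file).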
@ -314,17 +313,18 @@ the option list. </p>
<h2 align="left">IP Addresses</h2> <h2 align="left">IP Addresses</h2>
<p align="left">Before going further, we should say a few words about Internet <p align="left">Before going further, we should say a few words about Internet
Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you Protocol (IP) <i>addresses</i>. Normally, your ISP will assign
a single <i> Public</i> IP address. This address may be assigned via you a single <i> Public</i> IP address. This address may be assigned
the<i> Dynamic Host Configuration Protocol</i> (DHCP) or as part of via the<i> Dynamic Host Configuration Protocol</i> (DHCP) or as part
establishing your connection when you dial in (standard modem) or establish of establishing your connection when you dial in (standard modem) or
your PPP connection. In rare cases, your ISP may assign you a<i> static</i> establish your PPP connection. In rare cases, your ISP may assign you
IP address; that means that you configure your firewall's external interface a<i> static</i> IP address; that means that you configure your firewall's
to use that address permanently.<i> </i>However your external address external interface to use that address permanently.<i> </i>However
is assigned, it will be shared by all of your systems when you access the your external address is assigned, it will be shared by all of your systems
Internet. You will have to assign your own addresses in your internal when you access the Internet. You will have to assign your own addresses
network (the Internal Interface on your firewall plus your other computers). in your internal network (the Internal Interface on your firewall plus
RFC 1918 reserves several <i>Private </i>IP address ranges for this purpose:</p> your other computers). RFC 1918 reserves several <i>Private </i>IP address
ranges for this purpose:</p>
<div align="left"> <div align="left">
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre> <pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
@ -334,23 +334,23 @@ RFC 1918 reserves several <i>Private </i>IP address ranges for this purpose:</
<p align="left"><img border="0" src="images/BD21298_.gif" width="13" <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13"> height="13">
    Before starting Shorewall, you should look at the     Before starting Shorewall, you should look at the
IP address of your external interface and if it is one of the above IP address of your external interface and if it is one of the
ranges, you should remove the 'norfc1918' option from the external above ranges, you should remove the 'norfc1918' option from the
interface's entry in /etc/shorewall/interfaces.</p> external interface's entry in /etc/shorewall/interfaces.</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left">You will want to assign your addresses from the same <i> <p align="left">You will want to assign your addresses from the same <i>
sub-network </i>(<i>subnet)</i>.  For our purposes, we can consider a subnet sub-network </i>(<i>subnet)</i>.  For our purposes, we can consider a subnet
to consists of a range of addresses x.y.z.0 - x.y.z.255. Such a to consists of a range of addresses x.y.z.0 - x.y.z.255. Such
subnet will have a <i>Subnet Mask </i>of 255.255.255.0. The address a subnet will have a <i>Subnet Mask </i>of 255.255.255.0. The address
x.y.z.0 is reserved as the <i>Subnet Address</i> and x.y.z.255 is x.y.z.0 is reserved as the <i>Subnet Address</i> and x.y.z.255
reserved as the <i>Subnet Broadcast</i> <i>Address</i>. In Shorewall, is reserved as the <i>Subnet Broadcast</i> <i>Address</i>. In Shorewall,
a subnet is described using <a a subnet is described using <a
href="shorewall_setup_guide.htm#Subnets"><i>Classless InterDomain Routing href="shorewall_setup_guide.htm#Subnets"><i>Classless InterDomain Routing
</i>(CIDR) notation</a> with consists of the subnet address followed </i>(CIDR) notation</a> with consists of the subnet address followed
by "/24". The "24" refers to the number of consecutive leading "1" by "/24". The "24" refers to the number of consecutive leading "1"
bits from the left of the subnet mask. </p> bits from the left of the subnet mask. </p>
</div> </div>
<div align="left"> <div align="left">
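Review bot: two typos in the subnet paragraph survive the reflow: "consider a subnet to consists of a range" should read "to consist of", and "CIDR notation with consists of the subnet address" should read "which consists of".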
@ -400,17 +400,17 @@ bits from the left of the subnet mask. </p>
<div align="left"> <div align="left">
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13" <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13"> height="13">
    Your local computers (computer 1 and computer 2 in     Your local computers (computer 1 and computer 2
the above diagram) should be configured with their<i> default gateway</i> in the above diagram) should be configured with their<i> default
to be the IP address of the firewall's internal interface.<i>      gateway</i> to be the IP address of the firewall's internal interface.<i>     
</i> </p> </i> </p>
</div> </div>
<p align="left">The foregoing short discussion barely scratches the surface <p align="left">The foregoing short discussion barely scratches the surface
regarding subnetting and routing. If you are interested in learning regarding subnetting and routing. If you are interested in learning
more about IP addressing and routing, I highly recommend <i>"IP Fundamentals: more about IP addressing and routing, I highly recommend <i>"IP
What Everyone Needs to Know about Addressing &amp; Routing",</i> Fundamentals: What Everyone Needs to Know about Addressing &amp;
Thomas A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p> Routing",</i> Thomas A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
<p align="left">The remainder of this quide will assume that you have configured <p align="left">The remainder of this quide will assume that you have configured
your network as shown here:</p> your network as shown here:</p>
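Review bot: "The remainder of this quide" should be "guide"; the typo is present on both sides of the hunk.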
@ -424,34 +424,34 @@ Thomas A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13" <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13" alt=""> height="13" alt="">
    <font color="#ff0000"><b>WARNING: </b></font><b>Your ISP might assign     <font color="#ff0000"><b>WARNING: </b></font><b>Your ISP might
your external interface an RFC 1918 address. If that address is in the 10.10.10.0/24 assign your external interface an RFC 1918 address. If that address is
subnet then you will need to select a DIFFERENT RFC 1918 subnet for your in the 10.10.10.0/24 subnet then you will need to select a DIFFERENT RFC
local network.</b><br> 1918 subnet for your local network.</b><br>
</p> </p>
<h2 align="left">IP Masquerading (SNAT)</h2> <h2 align="left">IP Masquerading (SNAT)</h2>
<p align="left">The addresses reserved by RFC 1918 are sometimes referred <p align="left">The addresses reserved by RFC 1918 are sometimes referred
to as <i>non-routable</i> because the Internet backbone routers don't to as <i>non-routable</i> because the Internet backbone routers
forward packets which have an RFC-1918 destination address. When one don't forward packets which have an RFC-1918 destination address.
of your local systems (let's assume computer 1) sends a connection When one of your local systems (let's assume computer 1) sends a connection
request to an internet host, the firewall must perform <i>Network Address request to an internet host, the firewall must perform <i>Network
Translation </i>(NAT). The firewall rewrites the source address in Address Translation </i>(NAT). The firewall rewrites the source address
the packet to be the address of the firewall's external interface; in in the packet to be the address of the firewall's external interface;
other words, the firewall makes it look as if the firewall itself is in other words, the firewall makes it look as if the firewall itself
initiating the connection.  This is necessary so that the destination is initiating the connection.  This is necessary so that the destination
host will be able to route return packets back to the firewall (remember host will be able to route return packets back to the firewall (remember
that packets whose destination address is reserved by RFC 1918 can't that packets whose destination address is reserved by RFC 1918 can't
be routed across the internet so the remote host can't address its response be routed across the internet so the remote host can't address its response
to computer 1). When the firewall receives a return packet, it rewrites to computer 1). When the firewall receives a return packet, it rewrites
the destination address back to 10.10.10.1 and forwards the packet on the destination address back to 10.10.10.1 and forwards the packet on
to computer 1. </p> to computer 1. </p>
<p align="left">On Linux systems, the above process is often referred to as<i> <p align="left">On Linux systems, the above process is often referred to
IP Masquerading</i> but you will also see the term <i>Source Network Address as<i> IP Masquerading</i> but you will also see the term <i>Source Network
Translation </i>(SNAT) used. Shorewall follows the convention used with Address Translation </i>(SNAT) used. Shorewall follows the convention used
Netfilter:</p> with Netfilter:</p>
<ul> <ul>
<li> <li>
@ -468,8 +468,9 @@ to computer 1. </p>
</ul> </ul>
<p align="left">In Shorewall, both Masquerading and SNAT are configured with <p align="left">In Shorewall, both Masquerading and SNAT are configured with
entries in the /etc/shorewall/masq file. You will normally use Masquerading entries in the /etc/shorewall/masq file. You will normally use
if your external IP is dynamic and SNAT if the IP is static.</p> Masquerading if your external IP is dynamic and SNAT if the IP
is static.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13" <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13"> height="13">
@ -491,7 +492,7 @@ the third column in the /etc/shorewall/masq entry if you like although
height="13" alt=""> height="13" alt="">
    If you are using the Debian package, please check your shorewall.conf     If you are using the Debian package, please check your shorewall.conf
file to ensure that the following are set correctly; if they are not, file to ensure that the following are set correctly; if they are not,
change them appropriately:<br> change them appropriately:<br>
</p> </p>
<ul> <ul>
@ -505,16 +506,16 @@ change them appropriately:<br>
<p align="left">One of your goals may be to run one or more servers on your <p align="left">One of your goals may be to run one or more servers on your
local computers. Because these computers have RFC-1918 addresses, local computers. Because these computers have RFC-1918 addresses,
it is not possible for clients on the internet to connect directly to it is not possible for clients on the internet to connect directly
them. It is rather necessary for those clients to address their connection to them. It is rather necessary for those clients to address their
requests to the firewall who rewrites the destination address to the connection requests to the firewall who rewrites the destination address
address of your server and forwards the packet to that server. When to the address of your server and forwards the packet to that server.
your server responds, the firewall automatically performs SNAT to rewrite When your server responds, the firewall automatically performs SNAT
the source address in the response.</p> to rewrite the source address in the response.</p>
<p align="left">The above process is called<i> Port Forwarding</i> or <i> <p align="left">The above process is called<i> Port Forwarding</i> or <i>
Destination Network Address Translation</i> (DNAT). You configure Destination Network Address Translation</i> (DNAT). You configure
port forwarding using DNAT rules in the /etc/shorewall/rules file.</p> port forwarding using DNAT rules in the /etc/shorewall/rules file.</p>
<p>The general form of a simple port forwarding rule in /etc/shorewall/rules <p>The general form of a simple port forwarding rule in /etc/shorewall/rules
is:</p> is:</p>
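Review bot: style point in the port-forwarding paragraph of this hunk: "address their connection requests to the firewall who rewrites the destination address" should read "to the firewall, which rewrites the destination address"; the firewall is a device, not a person. Since this hunk only reflows the paragraph, it is the natural place to fix the wording at the same time.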
@ -581,13 +582,13 @@ port forwarding using DNAT rules in the /etc/shorewall/rules file.</p>
<ul> <ul>
<li>You must test the above rule from a client outside <li>You must test the above rule from a client outside
of your local network (i.e., don't test from a browser running on of your local network (i.e., don't test from a browser running
computers 1 or 2 or on the firewall). If you want to be able to on computers 1 or 2 or on the firewall). If you want to be able
access your web server using the IP address of your external interface, to access your web server using the IP address of your external interface,
see <a href="FAQ.htm#faq2">Shorewall FAQ #2</a>.</li> see <a href="FAQ.htm#faq2">Shorewall FAQ #2</a>.</li>
<li>Many ISPs block incoming connection requests to port <li>Many ISPs block incoming connection requests to
80. If you have problems connecting to your web server, try the port 80. If you have problems connecting to your web server, try
following rule and try connecting to port 5000.</li> the following rule and try connecting to port 5000.</li>
</ul> </ul>
@ -619,29 +620,30 @@ following rule and try connecting to port 5000.</li>
</blockquote> </blockquote>
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13"> <p> <img border="0" src="images/BD21298_.gif" width="13" height="13">
    At this point, modify /etc/shorewall/rules to add any     At this point, modify /etc/shorewall/rules to add
DNAT rules that you require.</p> any DNAT rules that you require.</p>
<h2 align="left">Domain Name Server (DNS)</h2> <h2 align="left">Domain Name Server (DNS)</h2>
<p align="left">Normally, when you connect to your ISP, as part of getting <p align="left">Normally, when you connect to your ISP, as part of getting
an IP address your firewall's <i>Domain Name Service </i>(DNS) resolver an IP address your firewall's <i>Domain Name Service </i>(DNS)
will be automatically configured (e.g., the /etc/resolv.conf file resolver will be automatically configured (e.g., the /etc/resolv.conf
will be written). Alternatively, your ISP may have given you the IP file will be written). Alternatively, your ISP may have given you
address of a pair of DNS <i> name servers</i> for you to manually configure the IP address of a pair of DNS <i> name servers</i> for you to manually
as your primary and secondary name servers. Regardless of how DNS gets configure as your primary and secondary name servers. Regardless of
configured on your firewall, it is <u>your</u> responsibility to configure how DNS gets configured on your firewall, it is <u>your</u> responsibility
the resolver in your internal systems. You can take one of two approaches:</p> to configure the resolver in your internal systems. You can take one
of two approaches:</p>
<ul> <ul>
<li> <li>
<p align="left">You can configure your internal systems to use your ISP's <p align="left">You can configure your internal systems to use your ISP's
name servers. If you ISP gave you the addresses of their servers name servers. If you ISP gave you the addresses of their servers
or if those addresses are available on their web site, you can configure or if those addresses are available on their web site, you can
your internal systems to use those addresses. If that information configure your internal systems to use those addresses. If that
isn't available, look in /etc/resolv.conf on your firewall system information isn't available, look in /etc/resolv.conf on your firewall
-- the name servers are given in "nameserver" records in that file. system -- the name servers are given in "nameserver" records in that
</p> file. </p>
</li> </li>
<li> <li>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13" <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
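Review bot: typo carried through the reflow in the first list item of this hunk: "If you ISP gave you the addresses of their servers" should read "If your ISP gave you the addresses of their servers".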
@ -652,10 +654,10 @@ as your primary and secondary name servers. Regardless of how DNS gets
is dnscache.lrp. If you take this approach, you configure your internal is dnscache.lrp. If you take this approach, you configure your internal
systems to use the firewall itself as their primary (and only) name systems to use the firewall itself as their primary (and only) name
server. You use the internal IP address of the firewall (10.10.10.254 server. You use the internal IP address of the firewall (10.10.10.254
in the example above) for the name server address. To allow your in the example above) for the name server address. To allow your local
local systems to talk to your caching name server, you must open port systems to talk to your caching name server, you must open port 53
53 (both UDP and TCP) from the local network to the firewall; you (both UDP and TCP) from the local network to the firewall; you do
do that by adding the following rules in /etc/shorewall/rules. </p> that by adding the following rules in /etc/shorewall/rules. </p>
</li> </li>
</ul> </ul>
@ -744,8 +746,8 @@ do that by adding the following rules in /etc/shorewall/rules. </p>
<div align="left"> <div align="left">
<p align="left">Those rules allow DNS access from your firewall and may be <p align="left">Those rules allow DNS access from your firewall and may be
removed if you uncommented the line in /etc/shorewall/policy allowing removed if you uncommented the line in /etc/shorewall/policy
all connections from the firewall to the internet.</p> allowing all connections from the firewall to the internet.</p>
</div> </div>
<div align="left"> <div align="left">
@ -821,8 +823,7 @@ do that by adding the following rules in /etc/shorewall/rules. </p>
</div> </div>
<div align="left"> <div align="left">
<p align="left">Example - You want to run a Web Server on your firewall <p align="left">Example - You want to run a Web Server on your firewall system:</p>
system:</p>
</div> </div>
<div align="left"> <div align="left">
@ -866,7 +867,7 @@ system:</p>
<div align="left"> <div align="left">
<p align="left">Those two rules would of course be in addition to the rules <p align="left">Those two rules would of course be in addition to the rules
listed above under "You can configure a Caching Name Server on listed above under "You can configure a Caching Name Server on
your firewall"</p> your firewall"</p>
</div> </div>
<div align="left"> <div align="left">
@ -876,8 +877,8 @@ uses, look <a href="ports.htm">here</a>.</p>
<div align="left"> <div align="left">
<p align="left"><b>Important: </b>I don't recommend enabling telnet to/from <p align="left"><b>Important: </b>I don't recommend enabling telnet to/from
the internet because it uses clear text (even for login!). If you the internet because it uses clear text (even for login!). If
want shell access to your firewall from the internet, use SSH:</p> you want shell access to your firewall from the internet, use SSH:</p>
</div> </div>
<div align="left"> <div align="left">
@ -961,7 +962,7 @@ uses, look <a href="ports.htm">here</a>.</p>
<p align="left"><br> <p align="left"><br>
<img border="0" src="images/BD21298_.gif" width="13" height="13"> <img border="0" src="images/BD21298_.gif" width="13" height="13">
    Now edit your /etc/shorewall/rules file to add or     Now edit your /etc/shorewall/rules file to add or
delete other connections as required.</p> delete other connections as required.</p>
</div> </div>
<div align="left"> <div align="left">
@ -974,8 +975,8 @@ delete other connections as required.</p>
    The <a href="Install.htm">installation procedure </a>     The <a href="Install.htm">installation procedure </a>
configures your system to start Shorewall at system boot  but beginning configures your system to start Shorewall at system boot  but beginning
with Shorewall version 1.3.9 startup is disabled so that your system with Shorewall version 1.3.9 startup is disabled so that your system
won't try to start Shorewall before configuration is complete. Once you won't try to start Shorewall before configuration is complete. Once
have completed configuration of your firewall, you can enable Shorewall you have completed configuration of your firewall, you can enable Shorewall
startup by removing the file /etc/shorewall/startup_disabled.<br> startup by removing the file /etc/shorewall/startup_disabled.<br>
</p> </p>
@ -991,28 +992,28 @@ delete other connections as required.</p>
routing is enabled on those hosts that have an entry in <a routing is enabled on those hosts that have an entry in <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A
running firewall may be restarted using the "shorewall restart" running firewall may be restarted using the "shorewall restart"
command. If you want to totally remove any trace of Shorewall from command. If you want to totally remove any trace of Shorewall
your Netfilter configuration, use "shorewall clear".</p> from your Netfilter configuration, use "shorewall clear".</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left"><img border="0" src="images/BD21298_.gif" width="13" <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13"> height="13">
    The two-interface sample assumes that you want to enable     The two-interface sample assumes that you want to enable
routing to/from <b>eth1 </b>(the local network) when Shorewall is routing to/from <b>eth1 </b>(the local network) when Shorewall
stopped. If your local network isn't connected to <b>eth1</b> or if you is stopped. If your local network isn't connected to <b>eth1</b> or
wish to enable access to/from other hosts, change /etc/shorewall/routestopped if you wish to enable access to/from other hosts, change /etc/shorewall/routestopped
accordingly.</p> accordingly.</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left"><b>WARNING: </b>If you are connected to your firewall from <p align="left"><b>WARNING: </b>If you are connected to your firewall from
the internet, do not issue a "shorewall stop" command unless you the internet, do not issue a "shorewall stop" command unless
have added an entry for the IP address that you are connected from you have added an entry for the IP address that you are connected
to <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. from to <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better to create Also, I don't recommend using "shorewall restart"; it is better to
an <i><a href="configuration_file_basics.htm#Configs">alternate create an <i><a href="configuration_file_basics.htm#Configs">alternate
configuration</a></i> and test it using the <a configuration</a></i> and test it using the <a
href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p> href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p>
</div> </div>
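Review bot: missing documentation point in the first paragraph of this hunk, on "shorewall clear": the text says the command removes any trace of Shorewall from the Netfilter configuration but does not state the consequence, namely that no Shorewall rules at all remain in place until Shorewall is started again. That contrasts with "shorewall stop", which the same paragraph says still honours /etc/shorewall/routestopped. Suggest one sentence making that difference explicit, in the same spirit as the WARNING at the end of this hunk about issuing "shorewall stop" over a remote connection.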
@ -1025,5 +1026,6 @@ configuration</a></i> and test it using the <a
<br> <br>
<br> <br>
<br> <br>
<br>
</body> </body>
</html> </html>

View File

@ -39,16 +39,16 @@
<p align="left"><br> <p align="left"><br>
<small><i><u>Notes du traducteur</u> :<br> <small><i><u>Notes du traducteur</u> :<br>
Je ne pr&eacute;tends pas &ecirc;tre un vrai traducteur dans le sens ou mon Je ne pr&eacute;tends pas &ecirc;tre un vrai traducteur dans le sens ou
travail n&#8217;est pas des plus pr&eacute;cis (loin de l&agrave;...). Je ne me mon travail n&#8217;est pas des plus pr&eacute;cis (loin de l&agrave;...). Je ne
suis pas attach&eacute; &agrave; une traduction exacte du texte, mais plut&ocirc;t me suis pas attach&eacute; &agrave; une traduction exacte du texte, mais
&agrave; en faire une version fran&ccedil;aise intelligible par tous (et plut&ocirc;t &agrave; en faire une version fran&ccedil;aise intelligible
par moi). Les termes techniques sont la plupart du temps conserv&eacute;s par tous (et par moi). Les termes techniques sont la plupart du temps conserv&eacute;s
sous leur forme originale et mis entre parenth&egrave;ses car vous pouvez sous leur forme originale et mis entre parenth&egrave;ses car vous pouvez
les retrouver dans le reste des documentations ainsi que dans les fichiers les retrouver dans le reste des documentations ainsi que dans les fichiers
de configuration. N&#8217;h&eacute;sitez pas &agrave; me contacter afin d&#8217;am&eacute;liorer de configuration. N&#8217;h&eacute;sitez pas &agrave; me contacter afin d&#8217;am&eacute;liorer
ce document <a href="mailto:vetsel.patrice@wanadoo.fr">VETSEL Patrice</a> ce document <a href="mailto:vetsel.patrice@wanadoo.fr">VETSEL Patrice</a>
(merci &agrave; JMM pour sa relecture et ses commentaires pertinents, ainsi (merci &agrave; JMM pour sa relecture et ses commentaires pertinents, ainsi
qu'&agrave; Tom EASTEP pour son formidable outil et sa disponibilit&eacute;)</i></small><i>.<br> qu'&agrave; Tom EASTEP pour son formidable outil et sa disponibilit&eacute;)</i></small><i>.<br>
<br> <br>
</i></p> </i></p>
@ -57,8 +57,8 @@ qu'&agrave; Tom EASTEP pour son formidable outil et sa disponibilit&eacute;)</i>
pour un petit r&eacute;seau est une chose assez simple, si vous comprenez pour un petit r&eacute;seau est une chose assez simple, si vous comprenez
les bases et suivez la documentation.</p> les bases et suivez la documentation.</p>
<p>Ce guide ne veut pas vous apprendre tous les rouages de Shorewall. Il <p>Ce guide ne veut pas vous apprendre tous les rouages de Shorewall. Il se
se focalise sur ce qui est n&eacute;cessaire pour configurer Shorewall, dans focalise sur ce qui est n&eacute;cessaire pour configurer Shorewall, dans
son utilisation la plus courante :</p> son utilisation la plus courante :</p>
<ul> <ul>
@ -80,7 +80,7 @@ ISDN, "Frame Relay", RTC ... </p>
<p align="center"><img src="images/basics.png" name="Image1" <p align="center"><img src="images/basics.png" name="Image1"
align="bottom" width="444" height="635" border="0"> align="bottom" width="444" height="635" border="0">
</p> </p>
<p><b>Si vous faites tourner Shorewall sous Mandrake 9.0 ou plus r&eacute;cent, <p><b>Si vous faites tourner Shorewall sous Mandrake 9.0 ou plus r&eacute;cent,
vous pouvez facilement r&eacute;aliser la configuration ci-dessus en utilisant vous pouvez facilement r&eacute;aliser la configuration ci-dessus en utilisant
@ -91,8 +91,8 @@ guide.</b></p>
<p>Ce guide suppose que vous avez le paquet iproute/iproute2 d'install&eacute;.<i> <p>Ce guide suppose que vous avez le paquet iproute/iproute2 d'install&eacute;.<i>
</i>Vous pouvez voir si le paquet est install&eacute; en v&eacute;rifiant </i>Vous pouvez voir si le paquet est install&eacute; en v&eacute;rifiant
la pr&eacute;sence du programme ip sur votre syst&egrave;me de firewall. la pr&eacute;sence du programme ip sur votre syst&egrave;me de firewall. Sous
Sous root, utilisez la commande 'which' pour rechercher le programme :</p> root, utilisez la commande 'which' pour rechercher le programme :</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre> <pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
@ -102,13 +102,13 @@ en effectuant le changements dans votre configuration. Les points o&ugrave;,
les changements dans la configuration sont recommand&eacute;es, sont signal&eacute;s les changements dans la configuration sont recommand&eacute;es, sont signal&eacute;s
par une <img src="images/BD21298_.gif" name="Image2" align="bottom" par une <img src="images/BD21298_.gif" name="Image2" align="bottom"
width="13" height="13" border="0"> width="13" height="13" border="0">
.</p> .</p>
<p><img src="images/j0213519.gif" name="Image3" align="bottom" <p><img src="images/j0213519.gif" name="Image3" align="bottom"
width="60" height="60" border="0"> width="60" height="60" border="0">
&nbsp;&nbsp;&nbsp; Si vous &eacute;ditez vos fichiers de configuration sur &nbsp;&nbsp;&nbsp; Si vous &eacute;ditez vos fichiers de configuration sur
un syst&egrave;me Windows, vous devez les sauver comme des fichiers Unix un syst&egrave;me Windows, vous devez les sauver comme des fichiers Unix si
si votre &eacute;diteur offre cette option sinon vous devez les faire passer votre &eacute;diteur offre cette option sinon vous devez les faire passer
par dos2unix avant d'essayer de les utiliser. De la m&ecirc;me mani&egrave;re, par dos2unix avant d'essayer de les utiliser. De la m&ecirc;me mani&egrave;re,
si vous copiez un fichier de configuration depuis votre disque dur Windows si vous copiez un fichier de configuration depuis votre disque dur Windows
vers une disquette, vous devez lancer dos2unix sur la copie avant de l'utiliser vers une disquette, vous devez lancer dos2unix sur la copie avant de l'utiliser
@ -131,15 +131,14 @@ of dos2unix</a> </p>
<p><img src="images/BD21298_.gif" name="Image4" align="bottom" <p><img src="images/BD21298_.gif" name="Image4" align="bottom"
width="13" height="13" border="0"> width="13" height="13" border="0">
&nbsp;&nbsp;&nbsp; Les fichiers de configuration pour Shorewall sont dans &nbsp;&nbsp;&nbsp; Les fichiers de configuration pour Shorewall sont dans
le r&eacute;pertoire /etc/shorewall -- pour de simples configurations, vous le r&eacute;pertoire /etc/shorewall -- pour de simples configurations, vous
n'aurez seulement &agrave; faire qu'avec quelques fichiers comme d&eacute;crit n'aurez seulement &agrave; faire qu'avec quelques fichiers comme d&eacute;crit
dans ce guide. Apr&egrave;s avoir <a href="Install.htm">install&eacute; Shorewall</a>, dans ce guide. Apr&egrave;s avoir <a href="Install.htm">install&eacute;
t&eacute;l&eacute; chargez<b> le <a Shorewall</a>, t&eacute;l&eacute; chargez<b> le <a
href="http://france.shorewall.net/pub/shorewall/LATEST.samples/two-interfaces.tgz">two-interface href="http://www1.shorewall.net/pub/shorewall/Samples/">two-interface sample</a>,
sample</a>, un-tarez le (tar -zxvf two-interfaces.tgz) et copiez les fichiers un-tarez le (tar -zxvf two-interfaces.tgz) et copiez les fichiers vers /etc/shorewall
vers /etc/shorewall (ces fichiers remplaceront les fichiers de m&ecirc;me (ces fichiers remplaceront les fichiers de m&ecirc;me nom).</b></p>
nom).</b></p>
<p>Parall&egrave;lement &agrave; la pr&eacute;sentation de chacun des fichiers, <p>Parall&egrave;lement &agrave; la pr&eacute;sentation de chacun des fichiers,
je vous sugg&egrave;re de regarder le fichier qui se trouve r&eacute;ellement je vous sugg&egrave;re de regarder le fichier qui se trouve r&eacute;ellement
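Review bot: the new link target in this hunk no longer matches the instructions that follow it. The href was changed from .../LATEST.samples/two-interfaces.tgz to http://www1.shorewall.net/pub/shorewall/Samples/, which is a directory rather than the archive, while the next sentence still tells the reader to run "tar -zxvf two-interfaces.tgz". Either link the tarball directly or add a step telling the reader which file to fetch from the Samples directory.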
@ -205,11 +204,11 @@ d&eacute;faut dans le fichier <a href="Documentation.htm#Rules">/etc/shorewall/r
<p>Pour chaque connexion demandant &agrave; entrer dans le firewall, la requ&ecirc;te <p>Pour chaque connexion demandant &agrave; entrer dans le firewall, la requ&ecirc;te
est en premier lieu compar&eacute;e par rapport au fichier /etc/shorewall/rules. est en premier lieu compar&eacute;e par rapport au fichier /etc/shorewall/rules.
Si aucune r&egrave;gle dans ce fichier ne correspond &agrave; la demande Si aucune r&egrave;gle dans ce fichier ne correspond &agrave; la demande de
de connexion alors la premi&egrave;re politique dans le fichier /etc/shorewall/policy connexion alors la premi&egrave;re politique dans le fichier /etc/shorewall/policy
qui y correspond sera appliqu&eacute;e. Si cette politique est REJECT ou qui y correspond sera appliqu&eacute;e. Si cette politique est REJECT ou DROP&nbsp;
DROP&nbsp; la requ&ecirc;te est dans un premier temps compar&eacute;e par la requ&ecirc;te est dans un premier temps compar&eacute;e par rapport aux
rapport aux r&egrave;gles contenues dans /etc/shorewall/common.</p> r&egrave;gles contenues dans /etc/shorewall/common.</p>
<p>Le fichier /etc/shorewall/policy inclue dans l'archive d'exemple (two-interface) <p>Le fichier /etc/shorewall/policy inclue dans l'archive d'exemple (two-interface)
a les politiques suivantes:</p> a les politiques suivantes:</p>
@ -292,9 +291,9 @@ a les politiques suivantes:</p>
</dd> </dd>
</dl> </dl>
<blockquote>Dans le fichier d'exemple (two-interface), la ligne suivante <blockquote>Dans le fichier d'exemple (two-interface), la ligne suivante est
est inclue mais elle est comment&eacute;e. Si vous voulez que votre firewall inclue mais elle est comment&eacute;e. Si vous voulez que votre firewall puisse
puisse avoir un acc&egrave;s complet aux serveurs sur Internet, d&eacute;commentez avoir un acc&egrave;s complet aux serveurs sur Internet, d&eacute;commentez
la ligne.</blockquote> la ligne.</blockquote>
<a name="AutoNumber31"></a> <a name="AutoNumber31"></a>
<dl> <dl>
@ -366,14 +365,14 @@ comment&eacute; la politique additionnelle) </p>
<p><img src="images/BD21298_.gif" name="Image5" align="bottom" <p><img src="images/BD21298_.gif" name="Image5" align="bottom"
width="13" height="13" border="0"> width="13" height="13" border="0">
&nbsp;&nbsp;&nbsp; A ce point, &eacute;ditez votre fichier /etc/shorewall/policy &nbsp;&nbsp;&nbsp; A ce point, &eacute;ditez votre fichier /etc/shorewall/policy
et faite les changements que vous d&eacute;sirez.</p> et faite les changements que vous d&eacute;sirez.</p>
<h2 align="left">Network Interfaces</h2> <h2 align="left">Network Interfaces</h2>
<p align="center"><img src="images/basics.png" name="Image6" <p align="center"><img src="images/basics.png" name="Image6"
align="bottom" width="444" height="635" border="0"> align="bottom" width="444" height="635" border="0">
</p> </p>
<p align="left">Le firewall a deux interfaces de r&eacute;seau. Lorsque la <p align="left">Le firewall a deux interfaces de r&eacute;seau. Lorsque la
connexion Internet passe par le c&acirc;ble ou par un ROUTEUR (pas un simple connexion Internet passe par le c&acirc;ble ou par un ROUTEUR (pas un simple
@ -381,14 +380,14 @@ modem) ADSL (non USB), l'interface vers l'ext&eacute;rieur (<i>External Interfac
sera l'adaptateur sur lequel est connect&eacute; le routeur (e.g., <b>eth0</b>)&nbsp; sera l'adaptateur sur lequel est connect&eacute; le routeur (e.g., <b>eth0</b>)&nbsp;
<u>&agrave; moins que</u> vous ne vous connectiez par <i><u>P</u>oint-to-<u>P</u>oint<u>P</u>rotocol <u>&agrave; moins que</u> vous ne vous connectiez par <i><u>P</u>oint-to-<u>P</u>oint<u>P</u>rotocol
over<u>E</u>thernet</i> (PPPoE) ou par <i><u>P</u>oint-to-<u>P</u>oint<u>T</u>unneling<u>P</u>rotocol</i>(PPTP), over<u>E</u>thernet</i> (PPPoE) ou par <i><u>P</u>oint-to-<u>P</u>oint<u>T</u>unneling<u>P</u>rotocol</i>(PPTP),
dans ce cas l'interface ext&eacute;rieure sera une interface de type ppp dans ce cas l'interface ext&eacute;rieure sera une interface de type ppp
(e.g., <b>ppp0</b>). Si vous vous connectez par un simple modem (RTC), votre (e.g., <b>ppp0</b>). Si vous vous connectez par un simple modem (RTC), votre
interface ext&eacute;rieure sera aussi <b>ppp0</b>. Si votre connexion passe interface ext&eacute;rieure sera aussi <b>ppp0</b>. Si votre connexion passe
par Num&eacute;ris (ISDN), votre interface ext&eacute;rieure sera<b>ippp0.</b></p> par Num&eacute;ris (ISDN), votre interface ext&eacute;rieure sera<b>ippp0.</b></p>
<p align="left"><img src="images/BD21298_1.gif" name="Image7" <p align="left"><img src="images/BD21298_1.gif" name="Image7"
align="bottom" width="13" height="13" border="0"> align="bottom" width="13" height="13" border="0">
&nbsp;&nbsp;&nbsp; Si votre interface vers l'ext&eacute;rieur est<b>ppp0</b> &nbsp;&nbsp;&nbsp; Si votre interface vers l'ext&eacute;rieur est<b>ppp0</b>
ou <b>ippp0</b>&nbsp; alors vous mettrez CLAMPMSS=yes dans <a ou <b>ippp0</b>&nbsp; alors vous mettrez CLAMPMSS=yes dans <a
href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></p> href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></p>
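Review bot: missing spaces before inline tags in this hunk: "sera<b>ippp0.</b>" and "est<b>ppp0</b>" render as "seraippp0." and "estppp0". Insert a space before each <b>, and move the full stop outside the tag in the first case ("sera <b>ippp0</b>.").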
@ -399,23 +398,23 @@ autres ordinateurs seront connect&eacute;s &agrave; ce m&ecirc;me hub/switch</p>
<p align="left"><b><u><img src="images/j0213519.gif" name="Image8" <p align="left"><b><u><img src="images/j0213519.gif" name="Image8"
align="bottom" width="60" height="60" border="0"> align="bottom" width="60" height="60" border="0">
</u></b>Ne connectez pas l'interface interne et externe sur le m&ecirc;me </u></b>Ne connectez pas l'interface interne et externe sur le m&ecirc;me
hub ou switch (m&ecirc;me pour tester). Cela ne fonctionnera pas et ne croyez hub ou switch (m&ecirc;me pour tester). Cela ne fonctionnera pas et ne croyez
pas que ce soit shorewall qui ne marche pas.</p> pas que ce soit shorewall qui ne marche pas.</p>
<p align="left"><img src="images/BD21298_.gif" name="Image9" <p align="left"><img src="images/BD21298_.gif" name="Image9"
align="left" width="13" height="13" border="0"> align="left" width="13" height="13" border="0">
&nbsp;&nbsp;&nbsp; Le fichier de configuration d'exemple pour deux interfaces &nbsp;&nbsp;&nbsp; Le fichier de configuration d'exemple pour deux interfaces
suppose que votre interface externe est <b>eth0</b>et que l'interne est <b>eth1</b>. suppose que votre interface externe est <b>eth0</b>et que l'interne est <b>eth1</b>.
Si votre configuration est diff&eacute;rente, vous devrez modifier le fichier Si votre configuration est diff&eacute;rente, vous devrez modifier le fichier
<a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> en cons&eacute;quence. <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> en cons&eacute;quence.
Tant que vous y &ecirc;tes, vous pourriez parcourir la liste des options Tant que vous y &ecirc;tes, vous pourriez parcourir la liste des options qui
qui sont sp&eacute;cifi&eacute;es pour les interfaces. Quelques trucs:</p> sont sp&eacute;cifi&eacute;es pour les interfaces. Quelques trucs:</p>
<ul> <ul>
<li> <li>
<p align="left">Si votre interface vers l'ext&eacute;rieur est <b>ppp0</b> <p align="left">Si votre interface vers l'ext&eacute;rieur est <b>ppp0</b>
ou <b>ippp0</b>, vous pouvez remplacer le "detect" dans la seconde colonne ou <b>ippp0</b>, vous pouvez remplacer le "detect" dans la seconde colonne
par un "-". </p> par un "-". </p>
</li> </li>
<li> <li>
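Review bot: same missing-space problem as in the preceding interface paragraph: "<b>eth0</b>et que l'interne" renders as "eth0et"; insert a space after </b>.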
@ -431,24 +430,24 @@ ou <b>ippp0</b> ou si vous avez une adresse IP statique, vous pouvez enlever
<p align="left">Avant d'aller plus loin, nous devons dire quelques mots au <p align="left">Avant d'aller plus loin, nous devons dire quelques mots au
sujet de Internet Protocol (IP) <i>addresses</i>. Normalement, votre fournisseur sujet de Internet Protocol (IP) <i>addresses</i>. Normalement, votre fournisseur
Internet (ISP) vous assignera une seule adresse IP (single <i>Public</i>IP Internet (ISP) vous assignera une seule adresse IP (single <i>Public</i>IP
address). Cette adresse peut &ecirc;tre assign&eacute;e par le Dynamic<i> address). Cette adresse peut &ecirc;tre assign&eacute;e par le Dynamic<i>
Host Configuration Protocol</i>(DHCP) ou lors de l'&eacute;tablissement de Host Configuration Protocol</i>(DHCP) ou lors de l'&eacute;tablissement
votre connexion lorsque vous vous connectez (modem standard) ou &eacute;tablissez de votre connexion lorsque vous vous connectez (modem standard) ou &eacute;tablissez
votre connexion PPP. Dans de rares cas , votre provider peut vous assigner votre connexion PPP. Dans de rares cas , votre provider peut vous assigner
une adresse statique<i> (static</i>IP address); cela signifie que vous devez une adresse statique<i> (static</i>IP address); cela signifie que vous devez
configurer l'interface externe de votre firewall afin d'utiliser cette adresse configurer l'interface externe de votre firewall afin d'utiliser cette adresse
de mani&egrave;re permanente. Votre adresse externe assign&eacute;e, elle de mani&egrave;re permanente. Votre adresse externe assign&eacute;e, elle
va &ecirc;tre partag&eacute;e par tous vos syst&egrave;mes lors de l'acc&egrave;s va &ecirc;tre partag&eacute;e par tous vos syst&egrave;mes lors de l'acc&egrave;s
&agrave; Internet. Vous devrez assigner vos propres adresses dans votre r&eacute;seau &agrave; Internet. Vous devrez assigner vos propres adresses dans votre
local (votre interface interne sur le firewall &nbsp;ainsi que les autres r&eacute;seau local (votre interface interne sur le firewall &nbsp;ainsi
ordinateurs). La RFC 1918 r&eacute;serve plusieurs plages d'IP (<i>Private</i>IP que les autres ordinateurs). La RFC 1918 r&eacute;serve plusieurs plages
address ranges) &agrave; cette fin :</p> d'IP (<i>Private</i>IP address ranges) &agrave; cette fin :</p>
<pre style="text-align: left;"> 10.0.0.0 - 10.255.255.255an<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre> <pre style="text-align: left;"> 10.0.0.0 - 10.255.255.255an<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
<p align="left"><img src="images/BD21298_.gif" name="Image10" <p align="left"><img src="images/BD21298_.gif" name="Image10"
align="bottom" width="13" height="13" border="0"> align="bottom" width="13" height="13" border="0">
&nbsp;&nbsp;&nbsp; Avant de lancer Shorewall, vous devriez regarder l'adresse &nbsp;&nbsp;&nbsp; Avant de lancer Shorewall, vous devriez regarder l'adresse
IP de votre interface externe, et si elle est dans les plages pr&eacute;c&eacute;dentes, IP de votre interface externe, et si elle est dans les plages pr&eacute;c&eacute;dentes,
vous devriez enlever l'option 'norfc1918' dans la ligne concernant l'interface vous devriez enlever l'option 'norfc1918' dans la ligne concernant l'interface
externe dans le fichier /etc/shorewall/interfaces.</p> externe dans le fichier /etc/shorewall/interfaces.</p>
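Review bot: typo in the RFC 1918 address list in this hunk: "10.0.0.0 - 10.255.255.255an" has a stray "an" after the upper bound of the 10/8 range and should read "10.0.0.0 - 10.255.255.255". Readers copy these ranges into their configuration, so the list needs to be exact. The same paragraph also has "<i>Public</i>IP", "<i>static</i>IP" and "<i>Private</i>IP" with no space after the closing tag.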
@ -456,11 +455,11 @@ externe dans le fichier /etc/shorewall/interfaces.</p>
<p align="left">Vous devrez assigner vos adresses depuis le m&ecirc;me sous-r&eacute;seau <p align="left">Vous devrez assigner vos adresses depuis le m&ecirc;me sous-r&eacute;seau
(<i>sub-network/subnet)</i>. Pour ce faire, nous pouvons consid&eacute;rer (<i>sub-network/subnet)</i>. Pour ce faire, nous pouvons consid&eacute;rer
un sous-r&eacute;seau dans une plage d'adresses x.y.z.0 - x.y.z.255. Chaque un sous-r&eacute;seau dans une plage d'adresses x.y.z.0 - x.y.z.255. Chaque
sous-r&eacute;seau aura un masque (<i>Subnet Mask) </i>de 255.255.255.0. sous-r&eacute;seau aura un masque (<i>Subnet Mask) </i>de 255.255.255.0. L'adresse
L'adresse x.y.z.0 est r&eacute;serv&eacute;e comme l'adresse de sous-r&eacute;seau x.y.z.0 est r&eacute;serv&eacute;e comme l'adresse de sous-r&eacute;seau (<i>Subnet
(<i>Subnet Address) </i>et x.y.z.255 est r&eacute;serv&eacute;e en tant qu'adresse Address) </i>et x.y.z.255 est r&eacute;serv&eacute;e en tant qu'adresse de
de broadcast (<i>Subnet Broadcast</i> <i>Address)</i>. Dans Shorewall, un broadcast (<i>Subnet Broadcast</i> <i>Address)</i>. Dans Shorewall, un sous-r&eacute;seau
sous-r&eacute;seau est d&eacute;crit en utilisant <a est d&eacute;crit en utilisant <a
href="shorewall_setup_guide.htm#Subnets"><i>la notation Classless InterDomain href="shorewall_setup_guide.htm#Subnets"><i>la notation Classless InterDomain
Routing </i>(CIDR)</a> qui consiste en l'adresse du sous-r&eacute;seau suivie Routing </i>(CIDR)</a> qui consiste en l'adresse du sous-r&eacute;seau suivie
par "/24". Le "24" se r&eacute;f&egrave;re au nombre cons&eacute;cutif de par "/24". Le "24" se r&eacute;f&egrave;re au nombre cons&eacute;cutif de
@ -523,23 +522,23 @@ des paquets &agrave; travers le gateway (routeur).</p>
<p align="left"><img src="images/BD21298_1.gif" name="Image11" <p align="left"><img src="images/BD21298_1.gif" name="Image11"
align="bottom" width="13" height="13" border="0"> align="bottom" width="13" height="13" border="0">
&nbsp;&nbsp;&nbsp; Vos ordinateurs en local (ordinateur 1 et ordinateur 2 &nbsp;&nbsp;&nbsp; Vos ordinateurs en local (ordinateur 1 et ordinateur
dans le diagramme) devraient &ecirc;tre configur&eacute;s avec leur passerelle 2 dans le diagramme) devraient &ecirc;tre configur&eacute;s avec leur passerelle
par d&eacute;faut<i> (default gateway</i>) pointant sur l'adresse IP de l'interface par d&eacute;faut<i> (default gateway</i>) pointant sur l'adresse IP de
interne du firewall.</p> l'interface interne du firewall.</p>
<p align="left">The foregoing short discussion barely scratches the surface <p align="left">The foregoing short discussion barely scratches the surface
regarding subnetting and routing. If you are interested in learning more regarding subnetting and routing. If you are interested in learning more about
about IP addressing and routing, I highly recommend <i>"IP Fundamentals: IP addressing and routing, I highly recommend <i>"IP Fundamentals: What Everyone
What Everyone Needs to Know about Addressing &amp; Routing",</i> Thomas A. Needs to Know about Addressing &amp; Routing",</i> Thomas A. Maufer, Prentice-Hall,
Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p> 1999, ISBN 0-13-975483-0.</p>
<p align="left">Le reste de ce guide assumera que vous avez configur&eacute; <p align="left">Le reste de ce guide assumera que vous avez configur&eacute;
votre r&eacute;seau comme montr&eacute; ci-dessous :</p> votre r&eacute;seau comme montr&eacute; ci-dessous :</p>
<p align="center"><img src="images/basics1.png" name="Image12" <p align="center"><img src="images/basics1.png" name="Image12"
align="bottom" width="444" height="635" border="0"> align="bottom" width="444" height="635" border="0">
</p> </p>
<p align="left">La passerelle par d&eacute;faut pour les ordinateurs 1 et <p align="left">La passerelle par d&eacute;faut pour les ordinateurs 1 et
2 devrait &ecirc;tre 10.10.10.254.</p> 2 devrait &ecirc;tre 10.10.10.254.</p>
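Review bot: The paragraph starting "The foregoing short discussion barely scratches the surface" is still in English on both sides of this hunk, in the middle of an otherwise French page; since the reflow touches exactly those lines, this is the moment to translate it (the book title and ISBN stay as they are) or to mark it as intentionally left in English.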
@ -548,32 +547,32 @@ votre r&eacute;seau comme montr&eacute; ci-dessous :</p>
<p align="left">Les adresses r&eacute;serv&eacute;es par la RFC 1918 sont <p align="left">Les adresses r&eacute;serv&eacute;es par la RFC 1918 sont
parfois d&eacute;sign&eacute;es comme <i>non-routables</i> car les routeurs parfois d&eacute;sign&eacute;es comme <i>non-routables</i> car les routeurs
Internet (backbone) ne font pas circuler les paquets qui ont une adresse Internet (backbone) ne font pas circuler les paquets qui ont une adresse de
de destination appartenant &agrave; la RFC-1918. Lorsqu'un de vos syst&egrave;mes destination appartenant &agrave; la RFC-1918. Lorsqu'un de vos syst&egrave;mes
en local (supposons l'ordinateur1) demande une connexion &agrave; un serveur en local (supposons l'ordinateur1) demande une connexion &agrave; un serveur
par Internet, le firewall doit appliquer un NAT<i> (Network Address Translation)</i>. par Internet, le firewall doit appliquer un NAT<i> (Network Address Translation)</i>.
Le firewall r&eacute; &eacute;crit l'adresse source dans le paquet, et l'a Le firewall r&eacute; &eacute;crit l'adresse source dans le paquet, et l'a
remplace par l'adresse de l'interface externe du firewall; en d'autres mots, remplace par l'adresse de l'interface externe du firewall; en d'autres mots,
le firewall fait croire que c'est lui m&ecirc;me qui initie la connexion. le firewall fait croire que c'est lui m&ecirc;me qui initie la connexion.
Ceci est n&eacute;cessaire afin que l'h&ocirc;te de destination soit capable Ceci est n&eacute;cessaire afin que l'h&ocirc;te de destination soit capable
de renvoyer les paquets au firewall (souvenez vous que les paquets qui ont de renvoyer les paquets au firewall (souvenez vous que les paquets qui ont
pour adresse de destination, une adresse r&eacute;serv&eacute;e par la RFC pour adresse de destination, une adresse r&eacute;serv&eacute;e par la RFC
1918 ne pourront pas &ecirc;tre rout&eacute;s &agrave; travers Internet, 1918 ne pourront pas &ecirc;tre rout&eacute;s &agrave; travers Internet, donc
donc l'h&ocirc;te Internet ne pourra adresser sa r&eacute;ponse &agrave; l'h&ocirc;te Internet ne pourra adresser sa r&eacute;ponse &agrave; l'ordinateur
l'ordinateur 1). Lorsque le firewall re&ccedil;oit le paquet de r&eacute;ponse, 1). Lorsque le firewall re&ccedil;oit le paquet de r&eacute;ponse, il remet
il remet l'adresse de destination &agrave; 10.10.10.1 et fait passer le paquet l'adresse de destination &agrave; 10.10.10.1 et fait passer le paquet vers
vers l'ordinateur 1. </p> l'ordinateur 1. </p>
<p align="left">Sur les syst&egrave;mes Linux, ce proc&eacute;d&eacute; est <p align="left">Sur les syst&egrave;mes Linux, ce proc&eacute;d&eacute; est
souvent appel&eacute; de l'<i>IP Masquerading</i> mais vous verrez aussi souvent appel&eacute; de l'<i>IP Masquerading</i> mais vous verrez aussi le
le terme de <i>Source Network Address Translation </i>(SNAT) utilis&eacute;. terme de <i>Source Network Address Translation </i>(SNAT) utilis&eacute;.
Shorewall suit la convention utilis&eacute;e avec Netfilter:</p> Shorewall suit la convention utilis&eacute;e avec Netfilter:</p>
<ul> <ul>
<li> <li>
<p align="left"><i>Masquerade</i> d&eacute;signe le cas ou vous laissez <p align="left"><i>Masquerade</i> d&eacute;signe le cas ou vous laissez
votre firewall d&eacute;tecter automatiquement l'adresse de l'interface votre firewall d&eacute;tecter automatiquement l'adresse de l'interface externe.
externe. </p> </p>
</li> </li>
<li> <li>
<p align="left"><i>SNAT</i> d&eacute;signe le cas o&ugrave; vous sp&eacute;cifiez <p align="left"><i>SNAT</i> d&eacute;signe le cas o&ugrave; vous sp&eacute;cifiez
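Review bot: Spelling in the NAT paragraph is carried through the reflow unchanged: "ré écrit" should be "réécrit", "l'a remplace" should be "la remplace", "lui même" should be "lui-même", "souvenez vous" should be "souvenez-vous", and "l'ordinateur1" is missing a space. Worth fixing while these lines are being rewritten anyway.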
@ -590,25 +589,25 @@ SNAT si elle est statique.</p>
<p align="left"><img src="images/BD21298_.gif" name="Image13" <p align="left"><img src="images/BD21298_.gif" name="Image13"
align="bottom" width="13" height="13" border="0"> align="bottom" width="13" height="13" border="0">
&nbsp;&nbsp;&nbsp; Si votre interface externe du firewall est <b>eth0</b>, &nbsp;&nbsp;&nbsp; Si votre interface externe du firewall est <b>eth0</b>,
vous n'avez pas besoin de modifier le fichier fourni avec l'exemple. Dans vous n'avez pas besoin de modifier le fichier fourni avec l'exemple. Dans
le cas contraire, &eacute;ditez /etc/shorewall/masq et changez la premi&egrave;re le cas contraire, &eacute;ditez /etc/shorewall/masq et changez la premi&egrave;re
colonne par le nom de votre interface externe, et la seconde colonne par colonne par le nom de votre interface externe, et la seconde colonne par le
le nom de votre interface interne.</p> nom de votre interface interne.</p>
<p align="left"><img src="images/BD21298_.gif" name="Image14" <p align="left"><img src="images/BD21298_.gif" name="Image14"
align="bottom" width="13" height="13" border="0"> align="bottom" width="13" height="13" border="0">
&nbsp;&nbsp;&nbsp; Si votre IP externe est statique, vous pouvez la mettre &nbsp;&nbsp;&nbsp; Si votre IP externe est statique, vous pouvez la mettre
dans la troisi&egrave;me colonne dans /etc/shorewall/masq si vous le d&eacute;sirez, dans la troisi&egrave;me colonne dans /etc/shorewall/masq si vous le d&eacute;sirez,
de toutes fa&ccedil;ons votre firewall fonctionnera bien si vous laissez de toutes fa&ccedil;ons votre firewall fonctionnera bien si vous laissez cette
cette colonne vide. Le fait de mettre votre IP statique dans la troisi&egrave;me colonne vide. Le fait de mettre votre IP statique dans la troisi&egrave;me
colonne permet un traitement des paquets sortant un peu plus efficace.<br> colonne permet un traitement des paquets sortant un peu plus efficace.<br>
<br> <br>
<img src="images/BD21298_.gif" name="Image15" align="bottom" width="13" <img src="images/BD21298_.gif" name="Image15" align="bottom"
height="13" border="0"> width="13" height="13" border="0">
&nbsp;&nbsp;&nbsp; Si vous utilisez les paquets Debian, v&eacute;rifiez que &nbsp;&nbsp;&nbsp; Si vous utilisez les paquets Debian, v&eacute;rifiez
votre fichier de configuration shorewall.conf contient bien les valeurs suivantes, que votre fichier de configuration shorewall.conf contient bien les valeurs
si elles n'y sont pas faite les changements n&eacute;cessaires:</p> suivantes, si elles n'y sont pas faite les changements n&eacute;cessaires:</p>
<ul> <ul>
<li> <li>
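Review bot: "faite les changements nécessaires" in the last wrapped line should be "faites les changements nécessaires". Also, the Debian item ("Si vous utilisez les paquets Debian ...") is glued to the static-IP item with two &lt;br&gt; tags instead of getting its own &lt;p align="left"&gt; like the other arrow items; splitting it would make the reflow cleaner.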
@ -630,11 +629,11 @@ ces clients d'adresser leurs demandes de connexion au firewall qui r&eacute;
&eacute;crit l'adresse de destination de votre serveur, et fait passer le &eacute;crit l'adresse de destination de votre serveur, et fait passer le
paquet &agrave; celui-ci. Lorsque votre serveur r&eacute;pond, le firewall paquet &agrave; celui-ci. Lorsque votre serveur r&eacute;pond, le firewall
applique automatiquement un SNAT pour r&eacute; &eacute;crire l'adresse source applique automatiquement un SNAT pour r&eacute; &eacute;crire l'adresse source
dans la r&eacute;ponse.</p> dans la r&eacute;ponse.</p>
<p align="left">Ce proc&eacute;d&eacute; est appel&eacute;<i> Port Forwarding</i> <p align="left">Ce proc&eacute;d&eacute; est appel&eacute;<i> Port Forwarding</i>
ou <i>Destination Network Address Translation</i>(DNAT). Vous configurez ou <i>Destination Network Address Translation</i>(DNAT). Vous configurez le
le port forwarding en utilisant les r&egrave;gles DNAT dans le fichier /etc/shorewall/rules.</p> port forwarding en utilisant les r&egrave;gles DNAT dans le fichier /etc/shorewall/rules.</p>
<p>La forme g&eacute;n&eacute;rale d'une simple r&egrave;gle de port forwarding <p>La forme g&eacute;n&eacute;rale d'une simple r&egrave;gle de port forwarding
dans /etc/shorewall/rules est:</p> dans /etc/shorewall/rules est:</p>
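Review bot: "ré écrire" in the third line should be "réécrire", and "&lt;i&gt;Destination Network Address Translation&lt;/i&gt;(DNAT)" is missing a space before the parenthesis.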
@ -761,8 +760,8 @@ voulez faire passer les requ&ecirc;tes TCP sur le port 80 &agrave; ce syst&egrav
<li> <li>
<p style="margin-bottom: 0cm;">Vous devez tester la r&egrave;gle pr&eacute;c&eacute;dente <p style="margin-bottom: 0cm;">Vous devez tester la r&egrave;gle pr&eacute;c&eacute;dente
depuis un client &agrave; l'ext&eacute;rieur de votre r&eacute;seau local depuis un client &agrave; l'ext&eacute;rieur de votre r&eacute;seau local
(c.a.d., ne pas tester depuis un navigateur tournant sur l'ordinateur 1 (c.a.d., ne pas tester depuis un navigateur tournant sur l'ordinateur 1 ou
ou 2 ou sur le firewall). Si vous voulez avoir la possibilit&eacute; d'acc&eacute;der 2 ou sur le firewall). Si vous voulez avoir la possibilit&eacute; d'acc&eacute;der
&agrave; votre serveur web en utilisant l'adresse IP externe de votre firewall, &agrave; votre serveur web en utilisant l'adresse IP externe de votre firewall,
regardez <a href="FAQ.htm#faq2">Shorewall FAQ #2</a>. </p> regardez <a href="FAQ.htm#faq2">Shorewall FAQ #2</a>. </p>
</li> </li>
@ -833,7 +832,7 @@ suivante et connectez vous sur le port 5000. </p>
<p><img src="images/BD21298_.gif" name="Image16" align="bottom" <p><img src="images/BD21298_.gif" name="Image16" align="bottom"
width="13" height="13" border="0"> width="13" height="13" border="0">
&nbsp;&nbsp;&nbsp; A ce point, modifiez /etc/shorewall/rules pour ajouter &nbsp;&nbsp;&nbsp; A ce point, modifiez /etc/shorewall/rules pour ajouter
les r&egrave;gles DNAT dont vous avez besoin.</p> les r&egrave;gles DNAT dont vous avez besoin.</p>
<h2 align="left">Domain Name Server (DNS)</h2> <h2 align="left">Domain Name Server (DNS)</h2>
@ -846,13 +845,13 @@ arrive que votre provider vous donne une paire d'adresse IP pour les DNS<i>
(name servers)</i> afin que vous configuriez manuellement votre serveur de (name servers)</i> afin que vous configuriez manuellement votre serveur de
nom primaire et secondaire. La mani&egrave;re dont le DNS est configur&eacute; nom primaire et secondaire. La mani&egrave;re dont le DNS est configur&eacute;
sur votre firewall est de <u>votre</u> responsabilit&eacute;. Vous pouvez sur votre firewall est de <u>votre</u> responsabilit&eacute;. Vous pouvez
proc&eacute;der d'une de ses deux fa&ccedil;ons :</p> proc&eacute;der d'une de ses deux fa&ccedil;ons :</p>
<ul> <ul>
<li> <li>
<p align="left">Vous pouvez configurer votre syst&egrave;me interne <p align="left">Vous pouvez configurer votre syst&egrave;me interne pour
pour utiliser les noms de serveurs de votre provider. Si votre fournisseur utiliser les noms de serveurs de votre provider. Si votre fournisseur vous
vous donne les adresses de leurs serveurs ou si ces adresses sont disponibles donne les adresses de leurs serveurs ou si ces adresses sont disponibles
sur leur site web, vous pouvez configurer votre syst&egrave;me interne afin sur leur site web, vous pouvez configurer votre syst&egrave;me interne afin
de les utiliser. Si cette information n' est pas disponible, regardez dans de les utiliser. Si cette information n' est pas disponible, regardez dans
/etc/resolv.conf sur votre firewall -- les noms des serveurs sont donn&eacute;s /etc/resolv.conf sur votre firewall -- les noms des serveurs sont donn&eacute;s
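Review bot: "d'une de ses deux façons" should be "d'une de ces deux façons", and "n' est pas" has a stray space after the apostrophe; the same "n' est" spacing recurs in the later hunks of this file ("n' est pas finie", "n' est pas connecté").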
@ -870,7 +869,7 @@ votre syst&egrave;me interne pour utiliser le firewall lui m&ecirc;me comme
IP interne du firewall (10.10.10.254 dans l'exemple) pour l'adresse de serveur IP interne du firewall (10.10.10.254 dans l'exemple) pour l'adresse de serveur
de nom. Pour permettre &agrave; vos syst&egrave;mes locaux de discuter avec de nom. Pour permettre &agrave; vos syst&egrave;mes locaux de discuter avec
votre serveur cache de nom, vous devez ouvrir le port 53 (UDP ET&nbsp; TCP) votre serveur cache de nom, vous devez ouvrir le port 53 (UDP ET&nbsp; TCP)
sur le firewall vers le r&eacute;seau local; vous ferez ceci en ajoutant sur le firewall vers le r&eacute;seau local; vous ferez ceci en ajoutant
les r&egrave;gles suivantes dans /etc/shorewall/rules. </p> les r&egrave;gles suivantes dans /etc/shorewall/rules. </p>
</li> </li>
@ -1039,10 +1038,10 @@ contiennent les r&egrave;gles suivantes :</p>
</dd> </dd>
</dl> </dl>
<p align="left">Ces r&egrave;gles autorisent l'acc&egrave;s DNS &agrave; <p align="left">Ces r&egrave;gles autorisent l'acc&egrave;s DNS &agrave; partir
partir de votre firewall et peuvent &ecirc;tre enlev&eacute;es si vous avez de votre firewall et peuvent &ecirc;tre enlev&eacute;es si vous avez d&eacute;
d&eacute; comment&eacute; la ligne dans /etc/shorewall/policy autorisant comment&eacute; la ligne dans /etc/shorewall/policy autorisant toutes les
toutes les connexions depuis le firewall vers Internet.</p> connexions depuis le firewall vers Internet.</p>
<p align="left">Les exemples contiennent aussi :</p> <p align="left">Les exemples contiennent aussi :</p>
<a name="AutoNumber45"></a> <a name="AutoNumber45"></a>
@ -1103,12 +1102,11 @@ toutes les connexions depuis le firewall vers Internet.</p>
</dl> </dl>
<p align="left">Cette r&egrave;gle vous autorise &agrave; faire tourner un <p align="left">Cette r&egrave;gle vous autorise &agrave; faire tourner un
serveur SSH sur votre firewall et &agrave; vous y connecter depuis votre serveur SSH sur votre firewall et &agrave; vous y connecter depuis votre r&eacute;seau
r&eacute;seau local.</p> local.</p>
<p align="left">Si vous voulez permettre d'autres connexions entre votre <p align="left">Si vous voulez permettre d'autres connexions entre votre firewall
firewall et d'autres syst&egrave;mes, la forme g&eacute;n&eacute;rale est et d'autres syst&egrave;mes, la forme g&eacute;n&eacute;rale est :</p>
:</p>
<a name="AutoNumber46"></a> <a name="AutoNumber46"></a>
<dl> <dl>
<dd> <dd>
@ -1249,15 +1247,15 @@ firewall :</p>
</dd> </dd>
</dl> </dl>
<p align="left">Ces deux r&egrave;gles bien s&ucirc;r viennent s'ajouter <p align="left">Ces deux r&egrave;gles bien s&ucirc;r viennent s'ajouter aux
aux r&egrave;gles d&eacute;crites pr&eacute;c&eacute;demment dans "Vous pouvez r&egrave;gles d&eacute;crites pr&eacute;c&eacute;demment dans "Vous pouvez
configurer un cache dns<i> (Caching Name Server) </i>sur votre firewall"</p> configurer un cache dns<i> (Caching Name Server) </i>sur votre firewall"</p>
<p align="left">Si vous ne savez pas quel port et quel protocole une application <p align="left">Si vous ne savez pas quel port et quel protocole une application
particuli&egrave;re utilise, regardez <a href="ports.htm">ici</a>.</p> particuli&egrave;re utilise, regardez <a href="ports.htm">ici</a>.</p>
<p align="left"><b>Important: </b>Je ne vous recommande pas de permettre <p align="left"><b>Important: </b>Je ne vous recommande pas de permettre le
le telnet depuis ou vers Internet car il utilise du texte en clair (m&ecirc;me telnet depuis ou vers Internet car il utilise du texte en clair (m&ecirc;me
pour le login et le mot de passe!). Si vous voulez un acc&egrave;s au shell pour le login et le mot de passe!). Si vous voulez un acc&egrave;s au shell
sur votre firewall depuis Internet, utilisez SSH :</p> sur votre firewall depuis Internet, utilisez SSH :</p>
<a name="AutoNumber48"></a> <a name="AutoNumber48"></a>
@ -1319,22 +1317,22 @@ sur votre firewall depuis Internet, utilisez SSH :</p>
<p align="left"><img src="images/BD21298_.gif" name="Image18" <p align="left"><img src="images/BD21298_.gif" name="Image18"
align="bottom" width="13" height="13" border="0"> align="bottom" width="13" height="13" border="0">
&nbsp;&nbsp;&nbsp; Maintenant &eacute;ditez votre fichier /etc/shorewall/rules &nbsp;&nbsp;&nbsp; Maintenant &eacute;ditez votre fichier /etc/shorewall/rules
pour ajouter ou supprimer les connexions voulues.</p> pour ajouter ou supprimer les connexions voulues.</p>
<h2 align="left">Lancer et Arr&ecirc;ter votre Firewall</h2> <h2 align="left">Lancer et Arr&ecirc;ter votre Firewall</h2>
<p align="left"><img src="images/BD21298_2.gif" name="Image19" <p align="left"><img src="images/BD21298_2.gif" name="Image19"
alt="Arrow" align="bottom" width="13" height="13" border="0"> alt="Arrow" align="bottom" width="13" height="13" border="0">
&nbsp;&nbsp;&nbsp; La&nbsp; <a href="Install.htm">proc&eacute;dure d'installation</a> &nbsp;&nbsp;&nbsp; La&nbsp; <a href="Install.htm">proc&eacute;dure d'installation</a>
configure votre syst&egrave;me pour lancer Shorewall au boot du syst&egrave;me, configure votre syst&egrave;me pour lancer Shorewall au boot du syst&egrave;me,
mais pour les d&eacute;butants sous Shorewall version 1.3.9, le lancement mais pour les d&eacute;butants sous Shorewall version 1.3.9, le lancement
est d&eacute;sactiv&eacute; tant que la configuration n' est pas finie. Une est d&eacute;sactiv&eacute; tant que la configuration n' est pas finie. Une
fois la configuration de votre firewall achev&eacute;e, vous pouvez permettre fois la configuration de votre firewall achev&eacute;e, vous pouvez permettre
le lancement de Shorewall en enlevant le fichier /etc/shorewall/startup_disabled.</p> le lancement de Shorewall en enlevant le fichier /etc/shorewall/startup_disabled.</p>
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Les utilisateurs <p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Les utilisateurs des
des paquets .deb doivent &eacute;diter /etc/default/shorewall et mettre 'startup=1'.</font></p> paquets .deb doivent &eacute;diter /etc/default/shorewall et mettre 'startup=1'.</font></p>
<p align="left">Le firewall est lanc&eacute; en utilisant la commande "shorewall <p align="left">Le firewall est lanc&eacute; en utilisant la commande "shorewall
start" et stopp&eacute; avec "shorewall stop". Lorsque le firewall est stopp&eacute;, start" et stopp&eacute; avec "shorewall stop". Lorsque le firewall est stopp&eacute;,
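Review bot: "mais pour les débutants sous Shorewall version 1.3.9, le lancement est désactivé" reads as a mistranslation of "beginning with Shorewall version 1.3.9" (débutants = beginners); suggest "mais à partir de la version 1.3.9 de Shorewall, le lancement est désactivé tant que la configuration n'est pas terminée". The sentence as written tells Debian/new users something different from the English original's intent.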
@ -1346,12 +1344,11 @@ dans votre configuration de Netfilter, utilisez "shorewall clear".</p>
<p align="left"><img src="images/BD21298_.gif" name="Image20" <p align="left"><img src="images/BD21298_.gif" name="Image20"
align="bottom" width="13" height="13" border="0"> align="bottom" width="13" height="13" border="0">
&nbsp;&nbsp;&nbsp; Les exemples (two-interface) supposent que vous voulez &nbsp;&nbsp;&nbsp; Les exemples (two-interface) supposent que vous voulez
permettre le routage depuis ou vers <b>eth1 </b>(le r&eacute;seau local) permettre le routage depuis ou vers <b>eth1 </b>(le r&eacute;seau local) lorsque
lorsque Shorewall est stopp&eacute;. Si votre r&eacute;seau local n' est Shorewall est stopp&eacute;. Si votre r&eacute;seau local n' est pas connect&eacute;
pas connect&eacute; &agrave; <b>eth1</b> ou si vous voulez permettre l'acc&egrave;s &agrave; <b>eth1</b> ou si vous voulez permettre l'acc&egrave;s depuis ou
depuis ou vers d'autres h&ocirc;tes, changez /etc/shorewall/routestopped vers d'autres h&ocirc;tes, changez /etc/shorewall/routestopped en cons&eacute;quence.</p>
en cons&eacute;quence.</p>
<p align="left"><b>ATTENTION: </b>Si vous &ecirc;tes connect&eacute; &agrave; <p align="left"><b>ATTENTION: </b>Si vous &ecirc;tes connect&eacute; &agrave;
votre firewall depuis Internet, n'essayez pas la commande "shorewall stop" votre firewall depuis Internet, n'essayez pas la commande "shorewall stop"
@ -1360,7 +1357,7 @@ IP depuis laquelle vous &ecirc;tes connect&eacute; dans<a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. De href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. De
plus, je ne vous recommande pas d'utiliser "shorewall restart"; il est mieux plus, je ne vous recommande pas d'utiliser "shorewall restart"; il est mieux
de cr&eacute;er une <a href="configuration_file_basics.htm#Configs"><i>configuration de cr&eacute;er une <a href="configuration_file_basics.htm#Configs"><i>configuration
alternative</i></a> et de l'essayer en utilisant la commande<a alternative</i></a> et de l'essayer en utilisant la commande<a
href="starting_and_stopping_shorewall.htm">"shorewall try".</a></p> href="starting_and_stopping_shorewall.htm">"shorewall try".</a></p>
<p align="left"><font size="2">Last updated 12/20/2002 - <a <p align="left"><font size="2">Last updated 12/20/2002 - <a
@ -1376,5 +1373,6 @@ M. Eastep</font></a></p>
<br> <br>
<br> <br>
<br> <br>
<br>
</body> </body>
</html> </html>

View File

@ -34,54 +34,59 @@
<p>It is important that you read all of the sections on this page where the <p>It is important that you read all of the sections on this page where the
version number mentioned in the section title is later than what you are version number mentioned in the section title is later than what you are
currently running.<br> currently running.<br>
</p> </p>
<p> In the descriptions that follows, the term <b><i>group </i></b>refers <p> In the descriptions that follows, the term <b><i>group </i></b>refers
to a particular network or subnetwork (which may be 0.0.0.0/0 or it may to a particular network or subnetwork (which may be 0.0.0.0/0 or it may be
be a host address) accessed through a particular interface.<br> a host address) accessed through a particular interface.<br>
</p> </p>
<p>Examples:<br> <p>Examples:<br>
    <br>     <br>
    eth0:0.0.0.0/0<br>     eth0:0.0.0.0/0<br>
    eth2:192.168.1.0/24<br>     eth2:192.168.1.0/24<br>
    eth3:192.0.2.123<br>     eth3:192.0.2.123<br>
</p>
<p> You can use the "shorewall check" command to see the groups associated
with each of your zones.<br>
</p> </p>
<h3> </h3> <h3> </h3>
<h3>Version &gt;= 1.4.2</h3> <h3>Version &gt;= 1.4.2</h3>
There are some cases where you may want to handle traffic from a particular There are some cases where you may want to handle traffic from a particular
group to itself. While I personally think that such a setups are ridiculous, group to itself. While I personally think that such a setups are ridiculous,
there are two cases covered in this documentation where it can occur:<br> there are two cases covered in this documentation where it can occur:<br>
<ol> <ol>
<li><a href="FAQ.htm#faq2">In FAQ #2</a>.</li> <li><a href="FAQ.htm#faq2">In FAQ #2</a>.</li>
<li><a href="Shorewall_Squid_Usage.html">When running Squid as a transparent <li><a href="Shorewall_Squid_Usage.html">When running Squid as a transparent
proxy in your local zone.</a></li> proxy in your local zone.</a></li>
</ol> </ol>
If you have either of these cases, you will want to review the current documentation If you have either of these cases, you will want to review the current documentation
and change your configuration accordingly.<br> and change your configuration accordingly.<br>
<h3>Version &gt;= 1.4.1</h3> <h3>Version &gt;= 1.4.1</h3>
You can use the "shorewall check" command to see the groups associated with
each of your zones.<br>
<br>
<ul> <ul>
<li>Beginning with Version 1.4.1, traffic between groups in the same <li>Beginning with Version 1.4.1, traffic between groups in the same
zone is accepted by default. Previously, traffic from a zone to itself zone is accepted by default. Previously, traffic from a zone to itself was
was treated just like any other traffic; any matching rules were applied treated just like any other traffic; any matching rules were applied followed
followed by enforcement of the appropriate policy. With 1.4.1 and later by enforcement of the appropriate policy. With 1.4.1 and later versions,
versions, unless you have explicit rules for traffic from Z to Z or you unless you have explicit rules for traffic from Z to Z or you have an explicit
have an explicit Z to Z policy (where "Z" is some zone) then traffic between Z to Z policy (where "Z" is some zone) then traffic between the groups
the groups in zone Z will be accepted. If you do have one or more explicit in zone Z will be accepted. If you do have one or more explicit rules for
rules for Z to Z or if you have an explicit Z to Z policy then the behavior Z to Z or if you have an explicit Z to Z policy then the behavior is as it
is as it was in prior versions.</li> was in prior versions.</li>
</ul> </ul>
<blockquote> <blockquote>
<ol> <ol>
<li>If you have a Z Z ACCEPT policy for a zone to allow traffic between <li>If you have a Z Z ACCEPT policy for a zone to allow traffic
two interfaces to the same zone, that policy can be removed and traffic between two interfaces to the same zone, that policy can be removed and
between the interfaces will traverse fewer rules than previously.</li> traffic between the interfaces will traverse fewer rules than previously.</li>
<li>If you have a Z Z DROP or Z Z REJECT policy or you have Z-&gt;Z <li>If you have a Z Z DROP or Z Z REJECT policy or you have Z-&gt;Z
rules then your configuration should not require any change.</li> rules then your configuration should not require any change.</li>
<li>If you are currently relying on a implicit policy (one that has <li>If you are currently relying on a implicit policy (one that has
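Review bot: The sentence "You can use the "shorewall check" command to see the groups associated with each of your zones" should live in one place, next to the Examples block where the group notation (eth0:0.0.0.0/0 etc.) is introduced, rather than under the "Version &gt;= 1.4.1" heading, since it is a pointer readers of every section need. Minor points in the same hunk: the empty "&lt;h3&gt; &lt;/h3&gt;" just before "Version &gt;= 1.4.2" should be dropped, "In the descriptions that follows" should be "follow", and "such a setups are ridiculous" should be "such setups are ridiculous".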
@ -94,59 +99,36 @@ between the interfaces will traverse fewer rules than previously.</li>
</blockquote> </blockquote>
<ul> <ul>
<li>Beginning with Version 1.4.1, Shorewall will never create rules <li> Sometimes, you want two separate zones on one interface but you
to deal with traffic from a given group back to itself. The <i>multi</i> don't want Shorewall to set up any infrastructure to handle traffic between
interface option is no longer available so if you want to route traffic between them. </li>
two subnetworks on the same interface then either:</li>
</ul> </ul>
<blockquote>Example:<br>
<blockquote> <blockquote>
<ol>
<li>The subnetworks must be in different zones; or</li>
<li>You must use the /etc/shorewall/hosts file to define the subnetworks
as two groups in a single zone.</li>
</ol>
</blockquote>
If you use the technique described in FAQ 2 to send local requests addressed
to your firewall's external address back to a local server then you need to
change your configuration to match <a href="FAQ.htm#faq2">the new version
of FAQ #2.<br>
</a><br>
Example 1 -- Two zones:<br>
<blockquote>
<pre>/etc/shorewall/zones<br><br>z1 Zone1 The first Zone<br>z2 Zone2 The secont Zone<br><br>/etc/shorewall/policy<br><br>z1 z2 ACCEPT<br>z2 z1 ACCEPT<br><br>/etc/shorewall/interfaces<br><br>- eth1 192.168.1.255,192.168.2.255<br><br>/etc/shorewall/hosts<br><br>z1 eth1:192.168.1.0/24<br>z2 eth1:192.168.2.0/24<br></pre>
</blockquote>
Example 2 -- One zone:
<blockquote>
<pre><br>/etc/shorewall/zones<br><br>z Zone The Zone<br><br>/etc/shorewall/interfaces<br><br>- eth1 192.168.1.255,192.168.2.255<br><br>/etc/shorewall/hosts<br><br>z eth1:192.168.1.0/24<br>z eth1:192.168.2.0/24<br></pre>
</blockquote>
Note that in the second example, we don't need any policy since z-&gt;z
traffic is accepted by default. The second technique is preferable if you
want unlimited access between the two subnetworks.<br>
<br>
Sometimes, you want two separate zones on one interface but you don't
want Shorewall to set up any infrastructure to handle traffic between them.
<br>
<br>
Example:<br>
<blockquote>
<pre>/etc/shorewall/zones<br><br>z1 Zone1 The first Zone<br>z2 Zone2 The secont Zone<br><br>/etc/shorewall/interfaces<br><br>z2 eth1 192.168.1.255<br><br>/etc/shorewall/hosts<br><br>z1 eth1:192.168.1.3<br></pre> <pre>/etc/shorewall/zones<br><br>z1 Zone1 The first Zone<br>z2 Zone2 The secont Zone<br><br>/etc/shorewall/interfaces<br><br>z2 eth1 192.168.1.255<br><br>/etc/shorewall/hosts<br><br>z1 eth1:192.168.1.3<br></pre>
</blockquote> </blockquote>
Here, zone z1 is nested in zone z2 and the firewall is not going to be Here, zone z1 is nested in zone z2 and the firewall is not going to be
involved in any traffic between these two zones. Beginning with Shorewall involved in any traffic between these two zones. Beginning with Shorewall
1.4.1, you can prevent Shorewall from setting up any infrastructure to handle 1.4.1, you can prevent Shorewall from setting up any infrastructure to handle
traffic between z1 and z2 by using the new NONE policy:<br> traffic between z1 and z2 by using the new NONE policy:<br>
<blockquote>
<blockquote>
<pre>/etc/shorewall/policy<br><pre>z1 z2 NONE<br>z2 z1 NONE</pre></pre> <pre>/etc/shorewall/policy<br><pre>z1 z2 NONE<br>z2 z1 NONE</pre></pre>
</blockquote> </blockquote>
Note that NONE policies are generally used in pairs unless there is asymetric Note that NONE policies are generally used in pairs unless there is asymetric
routing where only the traffic on one direction flows through the firewall routing where only the traffic on one direction flows through the firewall
and you are using a NONE polciy in the other direction.  and you are using a NONE polciy in the other direction. </blockquote>
<h3>Version 1.4.1<br>
</h3>
<ul>
<li>In Version 1.4.1, Shorewall will never create rules to deal
with traffic from a given group back to itself. The <i>multi</i> interface
option is no longer available so if you want to route traffic between two
subnetworks on the same interface then I recommend that you upgrade to Version
1.4.2 and use the 'routeback' interface or host option. </li>
</ul>
<h3>Version &gt;= 1.4.0</h3> <h3>Version &gt;= 1.4.0</h3>
<b>IMPORTANT: Shorewall &gt;=1.4.0 </b><b>requires</b> <b>the iproute <b>IMPORTANT: Shorewall &gt;=1.4.0 </b><b>requires</b> <b>the iproute
package ('ip' utility).</b><br> package ('ip' utility).</b><br>
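Review bot: The new "Version 1.4.1" section sends users to the 'routeback' interface or host option without a link or a configuration line, while the removed Example 1 / Example 2 blocks were the only worked configurations for two subnetworks on one interface; add a link to where routeback is documented or keep a minimal routeback example so upgraders are not left with just the option name. Two markup problems in the retained lines: "&lt;pre&gt;/etc/shorewall/policy&lt;br&gt;&lt;pre&gt;z1 z2 NONE&lt;br&gt;z2 z1 NONE&lt;/pre&gt;&lt;/pre&gt;" nests a &lt;pre&gt; inside a &lt;pre&gt;, which is not valid HTML and should collapse to a single &lt;pre&gt;, and the &lt;blockquote&gt; tags no longer balance on the new side (the closing tag appended after "in the other direction." brings the closes to three against at most two opens). Spelling: "secont Zone", "asymetric", "polciy".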
@ -172,19 +154,20 @@ traffic between z1 and z2 by using the new NONE policy:<br>
(they always have produced warnings in iptables).</li> (they always have produced warnings in iptables).</li>
<li>The MERGE_HOSTS variable has been removed from shorewall.conf. <li>The MERGE_HOSTS variable has been removed from shorewall.conf.
Shorewall 1.4 behaves like 1.3 did when MERGE_HOSTS=Yes; that is zone Shorewall 1.4 behaves like 1.3 did when MERGE_HOSTS=Yes; that is zone
contents are determined by BOTH the interfaces and hosts files when there contents are determined by BOTH the interfaces and hosts files when there
are entries for the zone in both files.</li> are entries for the zone in both files.</li>
<li>The <b>routestopped</b> option in the interfaces and hosts <li>The <b>routestopped</b> option in the interfaces and hosts
file has been eliminated; use entries in the routestopped file instead.</li> file has been eliminated; use entries in the routestopped file instead.</li>
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is <li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is
no longer accepted; you must convert to using the new syntax.</li> no longer accepted; you must convert to using the new syntax.</li>
<li value="6">The ALLOWRELATED variable in shorewall.conf is <li value="6">The ALLOWRELATED variable in shorewall.conf is
no longer supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.</li> no longer supported. Shorewall 1.4 behavior is the same as 1.3 with
<li value="6">Late-arriving DNS replies are now dropped by default; ALLOWRELATED=Yes.</li>
there is no need for your own /etc/shorewall/common file simply to avoid <li value="6">Late-arriving DNS replies are now dropped by
logging these packets.</li> default; there is no need for your own /etc/shorewall/common file simply
to avoid logging these packets.</li>
<li value="6">The 'firewall', 'functions' and 'version' file <li value="6">The 'firewall', 'functions' and 'version' file
have been moved to /usr/share/shorewall.</li> have been moved to /usr/share/shorewall.</li>
<li value="6">The icmp.def file has been removed. If you include <li value="6">The icmp.def file has been removed. If you include
it from /etc/shorewall/icmpdef, you will need to modify that file.</li> it from /etc/shorewall/icmpdef, you will need to modify that file.</li>
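Review bot: four consecutive list items in this hunk carry `<li value="6">` (the ALLOWRELATED item, the late-arriving DNS replies item, the moved 'firewall'/'functions'/'version' files item and the icmp.def item), so the browser renders each of them as number 6; keep the `value` attribute only on the first item that needs renumbering, or drop it from all four and let the list number itself, since this hunk already re-wraps those lines.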
@ -205,8 +188,8 @@ have been moved to /usr/share/shorewall.</li>
<ul> <ul>
<li value="8">The 'multi' interface option is no longer supported. <li value="8">The 'multi' interface option is no longer supported.
 Shorewall will generate rules for sending packets back out the same  Shorewall will generate rules for sending packets back out the same interface
interface that they arrived on in two cases:</li> that they arrived on in two cases:</li>
</ul> </ul>
@ -219,11 +202,11 @@ not use the 'all' reserved word.</li>
</ul> </ul>
<ul> <ul>
<li>There are one or more rules for traffic for the source zone to <li>There are one or more rules for traffic for the source zone
or from the destination zone including rules that use the 'all' reserved to or from the destination zone including rules that use the 'all' reserved
word. Exception: if the source zone and destination zone are the same word. Exception: if the source zone and destination zone are the same then
then the rule must be explicit - it must name the zone in both the SOURCE the rule must be explicit - it must name the zone in both the SOURCE and
and DESTINATION columns.</li> DESTINATION columns.</li>
</ul> </ul>
</blockquote> </blockquote>
@ -232,9 +215,9 @@ and DESTINATION columns.</li>
<img src="images/BD21298_3.gif" alt="" width="13" <img src="images/BD21298_3.gif" alt="" width="13"
height="13"> height="13">
     Beginning in version 1.3.14, Shorewall treats entries in      Beginning in version 1.3.14, Shorewall treats entries in
<a href="Documentation.htm#Masq">/etc/shorewall/masq </a>differently. The <a href="Documentation.htm#Masq">/etc/shorewall/masq </a>differently. The
change involves entries with an <b>interface name</b> in the <b>SUBNET</b> change involves entries with an <b>interface name</b> in the <b>SUBNET</b>
(second) <b>column</b>:<br> (second) <b>column</b>:<br>
<ul> <ul>
<li>Prior to 1.3.14, Shorewall would detect the FIRST subnet <li>Prior to 1.3.14, Shorewall would detect the FIRST subnet
@ -282,11 +265,11 @@ follows:<br>
    Version 1.3.14 also introduced simplified ICMP echo-request     Version 1.3.14 also introduced simplified ICMP echo-request
(ping) handling. The option OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf (ping) handling. The option OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf
is used to specify that the old (pre-1.3.14) ping handling is to be is used to specify that the old (pre-1.3.14) ping handling is to be
used (If the option is not set in your /etc/shorewall/shorewall.conf used (If the option is not set in your /etc/shorewall/shorewall.conf then
then OLD_PING_HANDLING=Yes is assumed). I don't plan on supporting the OLD_PING_HANDLING=Yes is assumed). I don't plan on supporting the old
old handling indefinitely so I urge current users to migrate to using handling indefinitely so I urge current users to migrate to using the
the new handling as soon as possible. See the <a href="ping.html">'Ping' new handling as soon as possible. See the <a href="ping.html">'Ping' handling
handling documentation</a> for details.<br> documentation</a> for details.<br>
<h3>Version 1.3.10</h3> <h3>Version 1.3.10</h3>
If you have installed the 1.3.10 Beta 1 RPM and are now upgrading If you have installed the 1.3.10 Beta 1 RPM and are now upgrading
@ -315,8 +298,8 @@ handling documentation</a> for details.<br>
<p>Users specifying ALLOWRELATED=No in /etc/shorewall.conf <p>Users specifying ALLOWRELATED=No in /etc/shorewall.conf
will need to include the following will need to include the following
rules in their /etc/shorewall/icmpdef file (creating this rules in their /etc/shorewall/icmpdef file (creating this file
file if necessary):</p> if necessary):</p>
<pre> run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT</pre> <pre> run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT</pre>
@ -328,10 +311,10 @@ file if necessary):</p>
<p>To properly upgrade with Shorewall version 1.3.3 and later:</p> <p>To properly upgrade with Shorewall version 1.3.3 and later:</p>
<ol> <ol>
<li>Be sure you have a <li>Be sure you have
backup -- you will need to transcribe a backup -- you will need to transcribe
any Shorewall configuration changes any Shorewall configuration changes
that you have made to the new configuration.</li> that you have made to the new configuration.</li>
<li>Replace the shorwall.lrp <li>Replace the shorwall.lrp
package provided on the Bering floppy package provided on the Bering floppy
with the later one. If you did not with the later one. If you did not
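Review bot: step 2 of the upgrade list refers to the `shorwall.lrp` package; that should read `shorewall.lrp`, and since this hunk re-wraps the surrounding lines anyway it is the right place to correct the spelling.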
@ -357,8 +340,8 @@ to add the following two Bering-specific rules to /etc/shorewall/rules:<
<p align="left">If you have a pair of firewall systems configured for <p align="left">If you have a pair of firewall systems configured for
failover or if you have asymmetric routing, you will need to modify failover or if you have asymmetric routing, you will need to modify
your firewall setup slightly under Shorewall versions 1.3.6 your firewall setup slightly under Shorewall versions
and 1.3.7</p> 1.3.6 and 1.3.7</p>
<ol> <ol>
<li> <li>
@ -378,7 +361,7 @@ non-SYN packets after takeover.<br>
<br> <br>
<font face="Courier">run_iptables -A common <font face="Courier">run_iptables -A common
-p tcp --tcp-flags ACK,FIN,RST ACK -j ACCEPT #Accept Acks -p tcp --tcp-flags ACK,FIN,RST ACK -j ACCEPT #Accept Acks
to rebuild connection<br> to rebuild connection<br>
                                                                                                                                       
#tracking table. <br> #tracking table. <br>
. /etc/shorewall/common.def</font> </p> . /etc/shorewall/common.def</font> </p>
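Review bot: the rule quoted in this hunk, `run_iptables -A common -p tcp --tcp-flags ACK,FIN,RST ACK -j ACCEPT`, accepts every TCP segment that has ACK set with FIN and RST clear regardless of connection-tracking state, and it runs before `. /etc/shorewall/common.def`; the text should say plainly that this trades stateful filtering for failover survivability on all traffic that reaches the common chain, so readers add it only when they really run a failover pair or asymmetric routing. As presentation, the snippet belongs in a `<pre>` block rather than a `<font face="Courier">` span, which breaks the `#Accept Acks to rebuild connection tracking table.` comment across lines and pads it with a long run of non-breaking spaces.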
@ -389,7 +372,7 @@ to rebuild connection<br>
<h3 align="left">Versions &gt;= 1.3.5</h3> <h3 align="left">Versions &gt;= 1.3.5</h3>
<p align="left">Some forms of pre-1.3.0 rules file syntax are no longer <p align="left">Some forms of pre-1.3.0 rules file syntax are no longer
supported. </p> supported. </p>
<p align="left">Example 1:</p> <p align="left">Example 1:</p>
@ -422,16 +405,17 @@ supported. </p>
<h3 align="left">Version &gt;= 1.3.2</h3> <h3 align="left">Version &gt;= 1.3.2</h3>
<p align="left">The functions and versions files together with the 'firewall' <p align="left">The functions and versions files together with the 'firewall'
symbolic link have moved from /etc/shorewall to /var/lib/shorewall. symbolic link have moved from /etc/shorewall to /var/lib/shorewall.
If you have applications that access these files, those applications If you have applications that access these files, those applications
should be modified accordingly.</p> should be modified accordingly.</p>
<p><font size="2"> Last updated 4/7/2003 - <a href="support.htm">Tom Eastep</a></font> <p><font size="2"> Last updated 4/13/2003 - <a href="support.htm">Tom
</p> Eastep</a></font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p> </p>
<br> <br>
<br>
</body> </body>
</html> </html>
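Review bot: the footer changes to 'Last updated 4/13/2003', but the %changelog entry added to the spec file in this same commit is dated Sun May 18 2003; if this page was edited for 1.4.3 the date should match that release. The additional `<br>` inserted before `</body>` only adds trailing white space to the rendered page and can be dropped.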

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of # shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall. # Shoreline Firewall.
VERSION=1.4.2 VERSION=1.4.3
usage() # $1 = exit status usage() # $1 = exit status
{ {

@ -54,7 +54,7 @@
# /etc/rc.d/rc.local file is modified to start the firewall. # /etc/rc.d/rc.local file is modified to start the firewall.
# #
VERSION=1.4.2 VERSION=1.4.3
usage() # $1 = exit status usage() # $1 = exit status
{ {

@ -2,89 +2,20 @@ This is a minor release of Shorewall.
Problems Corrected: Problems Corrected:
1) TCP connection requests rejected out of the common chain are now 1) There were several cases where Shorewall would fail to remove a
properly rejected with TCP RST; previously, some of these requests temporary directory from /tmp. These cases have been corrected.
were rejeced with an ICMP port-unreachable response.
2) 'traceroute -I' from behind the firewall previously timed out on the 2) The rules for allowing all traffic via the loopback interface have
first hop (e.g., to the firewall). This has been worked around. been moved to before the rule that drops status=INVALID
packets. This insures that all loopback traffic is allowed even if
Netfilter connection tracking is confused.
New Features: New Features:
1) Where an entry in the/etc/shorewall/hosts file specifies a 1) IPV6-IPV4 (6to4) tunnels are now supported in the
particular host or network, Shorewall now creates an intermediate /etc/shorewall/tunnels file.
chain for handling input from the related zone. This can
substantially reduce the number of rules traversed by connections
requests from such zones.
2) Any file may include an INCLUDE directive. An INCLUDE directive
consists of the word INCLUDE followed by a file name and causes the
contents of the named file to be logically included into the file
containing the INCLUDE. File names given in an INCLUDE directive
are assumed to reside in /etc/shorewall or in an alternate
configuration directory if one has been specified for the command.
Examples:
shorewall/params.mgmt:
MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3
TIME_SERVERS=4.4.4.4
BACKUP_SERVERS=5.5.5.5
----- end params.mgmt -----
shorewall/params:
# Shorewall 1.3 /etc/shorewall/params
[..]
#######################################
INCLUDE params.mgmt
# params unique to this host here
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
----- end params -----
shorewall/rules.mgmt:
ACCEPT net:$MGMT_SERVERS $FW tcp 22
ACCEPT $FW net:$TIME_SERVERS udp 123
ACCEPT $FW net:$BACKUP_SERVERS tcp 22
----- end rules.mgmt -----
shorewall/rules:
# Shorewall version 1.3 - Rules File
[..]
#######################################
INCLUDE rules.mgmt
# rules unique to this host here
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
----- end rules -----
INCLUDE's may be nested to a level of 3 -- further nested INCLUDE
directives are ignored.
3) Routing traffic from an interface back out that interface continues
to be a problem. While I firmly believe that this should never
happen, people continue to want to do it. To limit the damage that
such nonsense produces, I have added a new 'routeback' option in
/etc/shorewall/interfaces and /etc/shorewall/hosts. When used in
/etc/shorewall/interfaces, the 'ZONE' column may not contain '-'; in
other words, 'routeback' can't be used as an option for a multi-zone
interface. The 'routeback' option CAN be specified however on
individual group entries in /etc/shorewall/hosts.
The 'routeback' option is similar to the old 'multi' option with two
exceptions:
a) The option pertains to a particular zone,interface,address tuple.
b) The option only created infrastructure to pass traffic from
(zone,interface,address) tuples back to themselves (the 'multi'
option affected all (zone,interface,address) tuples associated with
the given 'interface').
See the 'Upgrade Issues' for information about how this new option
may affect your configuration.
2) Shorewall can now be easily integrated with fireparse
(http://www.fireparse.com) by setting LOGMARKER="fp=" in
/etc/shorewall/shorewall.conf. Note: You may not use ULOG
with fireparse unless you modify fireparse.
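Review bot: in Problems Corrected item 2, 'insures' should be 'ensures'; the same item would also benefit from one sentence saying that only the loopback ACCEPT rules moved ahead of the status=INVALID drop, so readers do not take it to mean the INVALID handling itself was relaxed for other interfaces.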

@ -134,6 +134,8 @@ get_config() {
fi fi
[ -n "$FW" ] || FW=fw [ -n "$FW" ] || FW=fw
[ -n "$LOGMARKER" ] || LOGMARKER="Shorewall:"
} }
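Review bot: the new default `[ -n "$LOGMARKER" ] || LOGMARKER="Shorewall:"` only covers an unset or empty variable; the LOG MARKER comment added to shorewall.conf in this release says the value must not embed white space, yet nothing here rejects such a value. Add a check alongside the default, for example `case "$LOGMARKER" in *[[:space:]]*) echo "LOGMARKER may not contain white space" >&2; exit 2;; esac`, rather than leaving the restriction to documentation.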
# #
@ -259,9 +261,9 @@ packet_log() # $1 = number of messages
[ -n "$realtail" ] && options="-n$1" [ -n "$realtail" ] && options="-n$1"
grep 'Shorewall:\|ipt_unclean' $LOGFILE | \ grep "${LOGMARKER}\|ipt_unclean" $LOGFILE | \
sed s/" kernel:"// | \ sed s/" kernel:"// | \
sed s/" $host Shorewall:"/" "/ | \ sed s/" $host $LOGMARKER"/" "/ | \
sed s/" $host kernel: ipt_unclean: "/" "/ | \ sed s/" $host kernel: ipt_unclean: "/" "/ | \
sed 's/MAC=.*SRC=/SRC=/' | \ sed 's/MAC=.*SRC=/SRC=/' | \
tail $options tail $options
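Review bot: `$LOGMARKER` is spliced unescaped into `grep "${LOGMARKER}\|ipt_unclean" $LOGFILE` and into `sed s/" $host $LOGMARKER"/" "/`, so it is interpreted as a regular expression and, in the sed case, as text between `/` delimiters: a marker containing `/` aborts sed with an unterminated-substitution error, and `.`, `*`, `[` or `\` in it act as metacharacters instead of matching literally. Either document the permitted characters next to the 'no white space' rule in shorewall.conf or escape the value (and pick a different sed delimiter) before using it here.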
@ -732,27 +734,27 @@ case "$1" in
timeout=30 timeout=30
if [ `grep -c "Shorewall:" $LOGFILE ` -gt 0 ] ; then if [ `grep -c "$LOGMARKER" $LOGFILE ` -gt 0 ] ; then
echo " HITS IP DATE" echo " HITS IP DATE"
echo " ---- --------------- ------" echo " ---- --------------- ------"
grep "Shorewall:" $LOGFILE | sed 's/\(.\{6\}\)\(.*SRC=\)\(.*\)\( DST=.*\)/\3 \1/' | sort | uniq -c | sort -rn grep "$LOGMARKER" $LOGFILE | sed 's/\(.\{6\}\)\(.*SRC=\)\(.*\)\( DST=.*\)/\3 \1/' | sort | uniq -c | sort -rn
echo "" echo ""
echo " HITS IP PORT" echo " HITS IP PORT"
echo " ---- --------------- -----" echo " ---- --------------- -----"
grep "Shorewall:" $LOGFILE | sed 's/\(.*SRC=\)\(.*\)\( DST=.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2 \4/ grep "$LOGMARKER" $LOGFILE | sed 's/\(.*SRC=\)\(.*\)\( DST=.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2 \4/
t t
s/\(.*SRC=\)\(.*\)\( DST=.*\)/\2/' | sort | uniq -c | sort -rn s/\(.*SRC=\)\(.*\)\( DST=.*\)/\2/' | sort | uniq -c | sort -rn
echo "" echo ""
echo " HITS DATE" echo " HITS DATE"
echo " ---- ------" echo " ---- ------"
grep "Shorewall:" $LOGFILE | sed 's/\(.\{6\}\)\(.*\)/\1/' | sort | uniq -c | sort -rn grep "$LOGMARKER" $LOGFILE | sed 's/\(.\{6\}\)\(.*\)/\1/' | sort | uniq -c | sort -rn
echo "" echo ""
echo " HITS PORT SERVICE(S)" echo " HITS PORT SERVICE(S)"
echo " ---- ----- ----------" echo " ---- ----- ----------"
grep 'Shorewall:.*DPT' $LOGFILE | sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' | sort | uniq -c | sort -rn | \ grep '${LOGMARKER}.*DPT' $LOGFILE | sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' | sort | uniq -c | sort -rn | \
while read count port ; do while read count port ; do
# List all services defined for the given port # List all services defined for the given port
srv=`grep "^[^#].*\\b$port/" /etc/services | cut -f 1 | sort -u` srv=`grep "^[^#].*\\b$port/" /etc/services | cut -f 1 | sort -u`
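Review bot: the last grep in this hunk is written `grep '${LOGMARKER}.*DPT' $LOGFILE` with single quotes, so the shell never expands `${LOGMARKER}` and grep searches the log for the literal text `${LOGMARKER}.*DPT`; the 'HITS PORT SERVICE(S)' table will therefore always be empty. Use double quotes as the other four greps in this hunk do: `grep "${LOGMARKER}.*DPT" $LOGFILE | sed ...`.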

@ -54,6 +54,15 @@
LOGFILE=/var/log/messages LOGFILE=/var/log/messages
#
# LOG MARKER
#
# Used to identify Shorewall log messages. If you are using fireparse, you must
# set this to "fp=Shorewall:". You may not use the ULOG level with fireparse and
# you must not embed white space in the LOGMARKER value.
LOGMARKER="Shorewall:"
# #
# LOG RATE LIMITING # LOG RATE LIMITING
# #
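Review bot: the new comment tells fireparse users to set LOGMARKER to "fp=Shorewall:", while the fireparse item in the releasenotes.txt hunk of this same commit says LOGMARKER="fp="; the two documents must name the same value, so settle on one and fix the other.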

@ -1,5 +1,5 @@
%define name shorewall %define name shorewall
%define version 1.4.2 %define version 1.4.3
%define release 1 %define release 1
%define prefix /usr %define prefix /usr
@ -105,6 +105,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog %changelog
* Sun May 18 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.3-1
* Mon Apr 07 2003 Tom Eastep <tom@shorewall.net> * Mon Apr 07 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.2-1 - Changed version to 1.4.2-1
* Fri Mar 21 2003 Tom Eastep <tom@shorewall.net> * Fri Mar 21 2003 Tom Eastep <tom@shorewall.net>

@ -10,7 +10,7 @@
# The columns are: # The columns are:
# #
# TYPE -- must start in column 1 and be "ipsec", "ipsecnat","ip" # TYPE -- must start in column 1 and be "ipsec", "ipsecnat","ip"
# "gre", "pptpclient", "pptpserver" or "openvpn". # "gre", "6to4", "pptpclient", "pptpserver" or "openvpn".
# #
# If type is "openvpn", it may optionally be followed # If type is "openvpn", it may optionally be followed
# by ":" and the port number used by the tunnel. if no # by ":" and the port number used by the tunnel. if no

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall # shown below. Simply run this script to remove Seattle Firewall
VERSION=1.4.2 VERSION=1.4.3
usage() # $1 = exit status usage() # $1 = exit status
{ {